From 707fb564dea11d9147250c55f59d3a5291334653 Mon Sep 17 00:00:00 2001 From: felixx9 <51174875+felixx9@users.noreply.github.com> Date: Wed, 9 Nov 2022 12:49:20 +0100 Subject: [PATCH 001/915] add how to integrate describe, how to integrate a pad --- docs/configuring-playbook-etherpad.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/configuring-playbook-etherpad.md b/docs/configuring-playbook-etherpad.md index 2ea423ef7..c33beb353 100644 --- a/docs/configuring-playbook-etherpad.md +++ b/docs/configuring-playbook-etherpad.md @@ -59,3 +59,7 @@ If you wish to disable the Etherpad chat button, you can do it by appending `?sh If your Etherpad widget fails to load, this might be due to Dimension generating a Pad name so long, the Etherpad app rejects it. `$roomId_$padName` can end up being longer than 50 characters. You can avoid having this problem by altering the template so it only contains the three word random identifier `$padName`. + +## How to use etherpad + +This is how it works in element. It might work similar in other clients: To integrate a standalone etherpad in a room, create your pad, copy the url and send to the room `/addwidget `. You will then find your integrated etherpad within the right sidebar in the `Widgets` section. From 384da4f34f5257b761013878c1836f383358f170 Mon Sep 17 00:00:00 2001 From: Cody Wyatt Neiman Date: Sun, 30 Oct 2022 19:01:49 -0400 Subject: [PATCH 002/915] Add S3 SSE-C support to synapse-s3-storage-provider --- roles/custom/matrix-synapse/defaults/main.yml | 3 +++ .../templates/synapse/ext/s3-storage-provider/env.j2 | 6 ++++++ .../ext/s3-storage-provider/media_storage_provider.yaml.j2 | 6 ++++++ .../matrix-synapse-s3-storage-provider-migrate.j2 | 6 +++++- 4 files changed, 20 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 54351256a..372ed1cf5 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml 
+++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -810,6 +810,9 @@ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name: '' matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url: '' matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: '' matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: '' +matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled: false +matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key: '' +matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo: 'AES256' matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class: STANDARD matrix_synapse_ext_synapse_s3_storage_provider_config_threadpool_size: 40 # matrix_synapse_ext_synapse_s3_storage_provider_update_db_day_count is a day value (number) for the `s3_media_upload update-db` command. diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 index 6dfcbe418..58d262558 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 @@ -4,6 +4,12 @@ AWS_DEFAULT_REGION={{ matrix_synapse_ext_synapse_s3_storage_provider_config_regi ENDPOINT={{ matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url }} BUCKET={{ matrix_synapse_ext_synapse_s3_storage_provider_config_bucket }} + +{% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %} +SSE_CUSTOMER_KEY={{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key }} +SSE_CUSTOMER_ALGO={{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo }} +{% endif %} + STORAGE_CLASS={{ matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class }} MEDIA_PATH=/matrix-media-store-parent/{{ matrix_synapse_media_store_directory_name }} 
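Review bot: Nothing in the new defaults or in the env.j2 hunk rejects `sse_customer_enabled: true` combined with the default empty `sse_customer_key`, so that combination renders `SSE_CUSTOMER_KEY=` next to `SSE_CUSTOMER_ALGO=AES256` and hands the upload an empty key; a validation task (outside this diff) should fail early on it, and the same gap applies to the media_storage_provider.yaml.j2 hunk of this patch. The key is also a secret that S3 itself never stores, so the defaults deserve a comment next to `matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key` such as `# SSE-C key for media objects; keep a backup, objects uploaded with it cannot be read without it`. Since env.j2 now holds this key alongside the AWS credentials, the file mode set by the task that installs the template (not visible here) needs to stay restrictive.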
diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 index 97b0f5f2b..a602b6f9e 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 @@ -9,6 +9,12 @@ config: access_key_id: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id | to_json }} secret_access_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key | to_json }} + + {% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %} + sse_customer_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key | to_json }} + sse_customer_algo: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo | to_json }} + {% endif %} + storage_class: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class | to_json }} threadpool_size: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_threadpool_size | to_json }} diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-migrate.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-migrate.j2 index d48ae1229..031c0ea09 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-migrate.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-migrate.j2 
@@ -10,4 +10,8 @@ --network={{ matrix_docker_network }} \ --entrypoint=/bin/bash \ {{ matrix_synapse_docker_image_final }} \ - -c 's3_media_upload update-db $UPDATE_DB_DURATION && s3_media_upload --no-progress check-deleted $MEDIA_PATH && s3_media_upload --no-progress upload $MEDIA_PATH $BUCKET --delete --storage-class $STORAGE_CLASS --endpoint-url $ENDPOINT' + {% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %} + -c 's3_media_upload update-db $UPDATE_DB_DURATION && s3_media_upload --no-progress check-deleted $MEDIA_PATH && s3_media_upload --no-progress upload $MEDIA_PATH $BUCKET --delete --storage-class $STORAGE_CLASS --endpoint-url $ENDPOINT --sse-customer-algo $SSE_CUSTOMER_ALGO --sse-customer-key $SSE_CUSTOMER_KEY' + {% else %} + -c 's3_media_upload update-db $UPDATE_DB_DURATION && s3_media_upload --no-progress check-deleted $MEDIA_PATH && s3_media_upload --no-progress upload $MEDIA_PATH $BUCKET --delete --storage-class $STORAGE_CLASS --endpoint-url $ENDPOINT + {% endif %} From 98d2df5fcf1ddfcf6c1b33544c353d154cef8358 Mon Sep 17 00:00:00 2001 From: felixx9 <51174875+felixx9@users.noreply.github.com> Date: Sat, 12 Nov 2022 00:31:39 +0100 Subject: [PATCH 003/915] more details, hopefully better understandable wording. To write docs I need to learn a new language (feels like it) --- docs/configuring-playbook-etherpad.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-etherpad.md b/docs/configuring-playbook-etherpad.md index c33beb353..10cd58e0d 100644 --- a/docs/configuring-playbook-etherpad.md +++ b/docs/configuring-playbook-etherpad.md 
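Review bot: The `{% else %}` branch of the migrate script, which is the path rendered with the default `sse_customer_enabled: false`, drops the closing `'` of the `-c '...'` argument, so the host shell running the generated script hits an unterminated quoted string and the migration breaks for every deployment that does not use SSE-C. The line should end with `--endpoint-url $ENDPOINT'`. Patch 008 later folds both branches into one line, which also resolves this, but as committed here the default path is broken. The script's header (lines 1–9) is outside the hunk.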
@@ -60,6 +60,8 @@ If you wish to disable the Etherpad chat button, you can do it by appending `?sh If your Etherpad widget fails to load, this might be due to Dimension generating a Pad name so long, the Etherpad app rejects it. `$roomId_$padName` can end up being longer than 50 characters. You can avoid having this problem by altering the template so it only contains the three word random identifier `$padName`. -## How to use etherpad +## How to use Etherpad widgets without an Integration Manager (like Dimension) -This is how it works in element. It might work similar in other clients: To integrate a standalone etherpad in a room, create your pad, copy the url and send to the room `/addwidget `. You will then find your integrated etherpad within the right sidebar in the `Widgets` section. +This is how it works in element, it might work quite similar with other clients: +To integrate a standalone etherpad in a room, create your pad by visiting `https://etherpad.DOMAIN` with your favorite browser and let the magic do the work. When the pad opens, copy the url and send it to the room: `/addwidget `. +You will then find your integrated etherpad within the right sidebar in the `Widgets` section. From adbc09f152c390af8f272a0580a1810983ae592f Mon Sep 17 00:00:00 2001 From: throny Date: Sat, 12 Nov 2022 11:20:43 +0100 Subject: [PATCH 004/915] warn users about upgrading to pg15 when using borg --- docs/maintenance-postgres.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md index 52d2d9eed..fce6ad4d0 100644 --- a/docs/maintenance-postgres.md +++ b/docs/maintenance-postgres.md 
@@ -76,6 +76,8 @@ This is because newer Postgres versions cannot start with data generated by olde Upgrades must be performed manually. +**Warning: If you're using Borg Backup you probably don't want to upgrade to Postgres 15 yet as there is currently no support.** + This playbook can upgrade your existing Postgres setup with the following command: ansible-playbook -i inventory/hosts setup.yml --tags=upgrade-postgres From c68def0809aa68cf8a7c0c70b1e3ddad39db105a Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Sat, 12 Nov 2022 22:01:31 +0000 Subject: [PATCH 005/915] Update ntfy 1.28.0 -> 1.29.0 --- roles/custom/matrix-ntfy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-ntfy/defaults/main.yml b/roles/custom/matrix-ntfy/defaults/main.yml index 762439806..8b8a89539 100644 --- a/roles/custom/matrix-ntfy/defaults/main.yml +++ b/roles/custom/matrix-ntfy/defaults/main.yml @@ -7,7 +7,7 @@ matrix_ntfy_base_path: "{{ matrix_base_data_path }}/ntfy" matrix_ntfy_config_dir_path: "{{ matrix_ntfy_base_path }}/config" matrix_ntfy_data_path: "{{ matrix_ntfy_base_path }}/data" -matrix_ntfy_version: v1.28.0 +matrix_ntfy_version: v1.29.0 matrix_ntfy_docker_image: "{{ matrix_container_global_registry_prefix }}binwiederhier/ntfy:{{ matrix_ntfy_version }}" matrix_ntfy_docker_image_force_pull: "{{ matrix_ntfy_docker_image.endswith(':latest') }}" From b12cdbd99d381acc587cef7b895cd3ac814a230c Mon Sep 17 00:00:00 2001 From: throny Date: Sat, 12 Nov 2022 23:40:46 +0100 Subject: [PATCH 006/915] Update maintenance-postgres.md --- docs/maintenance-postgres.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md index fce6ad4d0..751fb7986 100644 --- a/docs/maintenance-postgres.md +++ b/docs/maintenance-postgres.md 
@@ -76,12 +76,17 @@ This is because newer Postgres versions cannot start with data generated by olde Upgrades must be performed manually. -**Warning: If you're using Borg Backup you probably don't want to upgrade to Postgres 15 yet as there is currently no support.** - This playbook can upgrade your existing Postgres setup with the following command: ansible-playbook -i inventory/hosts setup.yml --tags=upgrade-postgres +**Warning: If you're using Borg Backup keep in mind that there is no official Postgres 15 support yet.** +However, it is possible to use the `latest` or `14` image. Edit `roles/custom/matrix-backup-borg/defaults/main.yml` and adjust the variables accordingly. +```bash +matrix_backup_borg_version: "latest" # or 14 +matrix_backup_borg_supported_postgres_versions: ['12', '13', '14', '15'] +``` + **The old Postgres data directory is backed up** automatically, by renaming it to `/matrix/postgres/data-auto-upgrade-backup`. To rename to a different path, pass some extra flags to the command above, like this: `--extra-vars="postgres_auto_upgrade_backup_data_path=/another/disk/matrix-postgres-before-upgrade"` From f5a09f30b746f1c19dbec3b077f9d3a612ba15e7 Mon Sep 17 00:00:00 2001 From: throny Date: Sat, 12 Nov 2022 23:48:57 +0100 Subject: [PATCH 007/915] Update maintenance-postgres.md --- docs/maintenance-postgres.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md index 751fb7986..d22b1648d 100644 --- a/docs/maintenance-postgres.md +++ b/docs/maintenance-postgres.md 
@@ -81,11 +81,8 @@ This playbook can upgrade your existing Postgres setup with the following comman ansible-playbook -i inventory/hosts setup.yml --tags=upgrade-postgres **Warning: If you're using Borg Backup keep in mind that there is no official Postgres 15 support yet.** -However, it is possible to use the `latest` or `14` image. Edit `roles/custom/matrix-backup-borg/defaults/main.yml` and adjust the variables accordingly. -```bash -matrix_backup_borg_version: "latest" # or 14 -matrix_backup_borg_supported_postgres_versions: ['12', '13', '14', '15'] -``` +As long as Alpine Linux is missing packages for postgres15, it is possible to use the `latest` or `14` image of borgmatic. Edit your `vars.yml` and add: +`matrix_backup_borg_version: "latest"` **The old Postgres data directory is backed up** automatically, by renaming it to `/matrix/postgres/data-auto-upgrade-backup`. To rename to a different path, pass some extra flags to the command above, like this: `--extra-vars="postgres_auto_upgrade_backup_data_path=/another/disk/matrix-postgres-before-upgrade"` From a7320e02ff0e208d9e31f11a2dedfae619abcf13 Mon Sep 17 00:00:00 2001 From: Cody Wyatt Neiman Date: Sun, 13 Nov 2022 03:18:53 -0500 Subject: [PATCH 008/915] Adjust sse-c template formatting --- .../ext/s3-storage-provider/media_storage_provider.yaml.j2 | 5 ++--- .../matrix-synapse-s3-storage-provider-migrate.j2 | 5 +---- 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 index a602b6f9e..e888e3c53 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 
@@ -9,12 +9,11 @@ config: access_key_id: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id | to_json }} secret_access_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key | to_json }} - - {% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %} +{% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %} sse_customer_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key | to_json }} sse_customer_algo: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo | to_json }} - {% endif %} +{% endif %} storage_class: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class | to_json }} threadpool_size: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_threadpool_size | to_json }} diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-migrate.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-migrate.j2 index 031c0ea09..4b2386b1a 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-migrate.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-migrate.j2 
@@ -11,7 +11,4 @@ --entrypoint=/bin/bash \ {{ matrix_synapse_docker_image_final }} \ {% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %} - -c 's3_media_upload update-db $UPDATE_DB_DURATION && s3_media_upload --no-progress check-deleted $MEDIA_PATH && s3_media_upload --no-progress upload $MEDIA_PATH $BUCKET --delete --storage-class $STORAGE_CLASS --endpoint-url $ENDPOINT --sse-customer-algo $SSE_CUSTOMER_ALGO --sse-customer-key $SSE_CUSTOMER_KEY' - {% else %} - -c 's3_media_upload update-db $UPDATE_DB_DURATION && s3_media_upload --no-progress check-deleted $MEDIA_PATH && s3_media_upload --no-progress upload $MEDIA_PATH $BUCKET --delete --storage-class $STORAGE_CLASS --endpoint-url $ENDPOINT - {% endif %} + -c 's3_media_upload update-db $UPDATE_DB_DURATION && s3_media_upload --no-progress check-deleted $MEDIA_PATH && s3_media_upload --no-progress upload $MEDIA_PATH $BUCKET --delete --storage-class $STORAGE_CLASS --endpoint-url $ENDPOINT {% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %}--sse-customer-algo $SSE_CUSTOMER_ALGO --sse-customer-key $SSE_CUSTOMER_KEY{% endif %}' From b6bb5731cd2f2da466ea066ca0d6101d8f23d119 Mon Sep 17 00:00:00 2001 From: Cody Wyatt Neiman Date: Sun, 13 Nov 2022 03:20:30 -0500 Subject: [PATCH 009/915] Remove leftover sse-c enabled cmd check --- .../usr-local-bin/matrix-synapse-s3-storage-provider-migrate.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-migrate.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-migrate.j2 index 4b2386b1a..2f0cd0e50 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-migrate.j2 
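Review bot: The `{% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %}` line kept above the folded command no longer has a matching `{% endif %}`, so this template cannot render as committed; patch 009 removes it, but the intermediate commit is not deployable. Separately, the folded command passes the key as a literal argument, `--sse-customer-key $SSE_CUSTOMER_KEY`, which the container's bash expands before exec, so the key is readable in the container's process list (and from the host via /proc) for the duration of the upload. If s3_media_upload can take the key from the environment, prefer that and drop the flag; otherwise a comment in the template such as `# the SSE-C key appears in the upload process's arguments inside the container` records the trade-off. The script's header lines are outside the hunk.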
+++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-migrate.j2 @@ -10,5 +10,4 @@ --network={{ matrix_docker_network }} \ --entrypoint=/bin/bash \ {{ matrix_synapse_docker_image_final }} \ - {% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %} -c 's3_media_upload update-db $UPDATE_DB_DURATION && s3_media_upload --no-progress check-deleted $MEDIA_PATH && s3_media_upload --no-progress upload $MEDIA_PATH $BUCKET --delete --storage-class $STORAGE_CLASS --endpoint-url $ENDPOINT {% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %}--sse-customer-algo $SSE_CUSTOMER_ALGO --sse-customer-key $SSE_CUSTOMER_KEY{% endif %}' From 1387e776ca482225cca3db955d1687f852b1e586 Mon Sep 17 00:00:00 2001 From: Llasse Date: Sun, 13 Nov 2022 20:40:23 +0100 Subject: [PATCH 010/915] added matrix_ma1sd_container_additional_networks similar to matrix_nginx_proxy_container_additional_networks --- roles/custom/matrix-ma1sd/defaults/main.yml | 7 +++++++ .../matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 | 4 ++++ 2 files changed, 11 insertions(+) diff --git a/roles/custom/matrix-ma1sd/defaults/main.yml b/roles/custom/matrix-ma1sd/defaults/main.yml index 3755a46ab..a606d0d6e 100644 --- a/roles/custom/matrix-ma1sd/defaults/main.yml +++ b/roles/custom/matrix-ma1sd/defaults/main.yml 
@@ -35,6 +35,13 @@ matrix_ma1sd_systemd_required_services_list: ['docker.service'] # List of systemd services that matrix-ma1sd.service wants matrix_ma1sd_systemd_wanted_services_list: [] +# A list of additional container networks that matrix-ma1sd would be connected to. +# The playbook does not create these networks, so make sure they already exist. +# +# Use this to expose matrix-ma1sd to another docker network, that matrix-ma1sd might have to reach for authentication (e.g. an ldap instance) +# +matrix_ma1sd_container_additional_networks: [] + # Your identity server is private by default. # To ensure maximum discovery, you can make your identity server # also forward lookups to the central matrix.org Identity server diff --git a/roles/custom/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 b/roles/custom/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 index 9dbddbbf1..b9c0839ed 100644 --- a/roles/custom/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 +++ b/roles/custom/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 @@ -38,6 +38,10 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {% endfor %} {{ matrix_ma1sd_docker_image }} +{% for network in matrix_ma1sd_container_additional_networks %} +ExecStartPost={{ devture_systemd_docker_base_host_command_sh }} -c 'attempt=0; while [ $attempt -le 29 ]; do attempt=$(( $attempt + 1 )); if [ "`docker inspect -f {{ '{{.State.Running}}' }} matrix-ma1sd 2> /dev/null`" = "true" ]; then break; fi; sleep 1; done; {{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-ma1sd' +{% endfor %} + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-ma1sd 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-ma1sd 2>/dev/null || true' Restart=always 
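Review bot: In the new ExecStartPost line of matrix-ma1sd.service.j2, `{{ network }}` is interpolated unquoted inside a single-quoted `sh -c` string, so the unit silently assumes every entry of `matrix_ma1sd_container_additional_networks` is a plain network name without whitespace or quotes; the defaults comment should state that, e.g. `# Entries must be plain network names (no spaces or quotes); they are inserted verbatim into the systemd unit.` Because the line has no `-` prefix, a failing `docker network connect` (network missing, or container not running after the 30 s wait loop) marks the unit as failed, which is worth a sentence in the same comment. Joining a network also makes matrix-ma1sd reachable from every container on it, not only from the LDAP host the comment mentions, so the comment could advise keeping the list to networks that actually need the identity server.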
From 94f2e06e8300fa059e82508fadc48b2079b7179e Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 15 Nov 2022 15:49:32 +0000 Subject: [PATCH 011/915] Update mautrix-facebook 0.4.0 -> 0.4.1 --- roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml index 719c86dc0..e19fa9deb 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -7,7 +7,7 @@ matrix_mautrix_facebook_enabled: true matrix_mautrix_facebook_container_image_self_build: false matrix_mautrix_facebook_container_image_self_build_repo: "https://mau.dev/mautrix/facebook.git" -matrix_mautrix_facebook_version: v0.4.0 +matrix_mautrix_facebook_version: v0.4.1 matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}mautrix/facebook:{{ matrix_mautrix_facebook_version }}" matrix_mautrix_facebook_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_facebook_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}" From 25996b4fa965b695cd285259c26151a1791e0b9e Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 15 Nov 2022 15:50:46 +0000 Subject: [PATCH 012/915] Update jitsi stable-7882 -> stable-8044 --- roles/custom/matrix-jitsi/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-jitsi/defaults/main.yml b/roles/custom/matrix-jitsi/defaults/main.yml index e1fcc318a..a80d88823 100644 --- a/roles/custom/matrix-jitsi/defaults/main.yml +++ b/roles/custom/matrix-jitsi/defaults/main.yml 
@@ -72,7 +72,7 @@ matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false -matrix_jitsi_version: stable-7882 +matrix_jitsi_version: stable-8044 matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}" From 1c55827ed0a9398918d80618eb5526fb08dc1ded Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 16 Nov 2022 06:17:30 +0000 Subject: [PATCH 013/915] Update mautrix-googlechat 0.3.3 -> 0.4.0 --- roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml index a4b1438b0..9c2d97b2a 100644 --- a/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mautrix_googlechat_container_image_self_build: false matrix_mautrix_googlechat_container_image_self_build_repo: "https://github.com/mautrix/googlechat.git" matrix_mautrix_googlechat_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_googlechat_version == 'latest' else matrix_mautrix_googlechat_version }}" -matrix_mautrix_googlechat_version: v0.3.3 +matrix_mautrix_googlechat_version: v0.4.0 # See: https://mau.dev/mautrix/googlechat/container_registry matrix_mautrix_googlechat_docker_image: "{{ matrix_mautrix_googlechat_docker_image_name_prefix }}mautrix/googlechat:{{ matrix_mautrix_googlechat_version }}" matrix_mautrix_googlechat_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_googlechat_container_image_self_build else 'dock.mau.dev/' }}" From 40e8ef0c7082700bf787508f48b88a9114e4b3f2 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Wed, 16 Nov 2022 11:50:02 +0200 Subject: [PATCH 014/915] Do not tell people to use latest Borgmatic - it won't help with Postgres v15 Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2259#issuecomment-1312737960 --- docs/maintenance-postgres.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md index d22b1648d..1b8487031 100644 --- a/docs/maintenance-postgres.md +++ b/docs/maintenance-postgres.md @@ -81,8 +81,6 @@ This playbook can upgrade your existing Postgres setup with the following comman ansible-playbook -i inventory/hosts setup.yml --tags=upgrade-postgres **Warning: If you're using Borg Backup keep in mind that there is no official Postgres 15 support yet.** -As long as Alpine Linux is missing packages for postgres15, it is possible to use the `latest` or `14` image of borgmatic. Edit your `vars.yml` and add: -`matrix_backup_borg_version: "latest"` **The old Postgres data directory is backed up** automatically, by renaming it to `/matrix/postgres/data-auto-upgrade-backup`. To rename to a different path, pass some extra flags to the command above, like this: `--extra-vars="postgres_auto_upgrade_backup_data_path=/another/disk/matrix-postgres-before-upgrade"` From 9c2dedfdeb40e845e42e2914f03f47ad9b4f86f8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 16 Nov 2022 11:56:22 +0200 Subject: [PATCH 015/915] Reorganize a bit --- docs/configuring-playbook-etherpad.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/docs/configuring-playbook-etherpad.md b/docs/configuring-playbook-etherpad.md index 10cd58e0d..22c782f43 100644 --- a/docs/configuring-playbook-etherpad.md +++ b/docs/configuring-playbook-etherpad.md 
@@ -41,6 +41,13 @@ If you want to manage and remove old unused pads from Etherpad, you will first n Then from the plugin manager page (`https://etherpad./admin/plugins` or `https://dimension./etherpad/admin/plugins`), install the `adminpads2` plugin. Once installed, you should have a "Manage pads" section in the Admin web-UI. +## How to use Etherpad widgets without an Integration Manager (like Dimension) + +This is how it works in Element, it might work quite similar with other clients: + +To integrate a standalone etherpad in a room, create your pad by visiting `https://etherpad.DOMAIN`. When the pad opens, copy the URL and send a command like this to the room: `/addwidget URL`. You will then find your integrated Etherpad within the right sidebar in the `Widgets` section. + + ## Set Dimension default to the self-hosted Etherpad (optional) If you decided to install [Dimension integration manager](configuring-playbook-dimension.md) alongside Etherpad, the Dimension administrator users can configure the default URL template. @@ -59,9 +66,3 @@ If you wish to disable the Etherpad chat button, you can do it by appending `?sh If your Etherpad widget fails to load, this might be due to Dimension generating a Pad name so long, the Etherpad app rejects it. `$roomId_$padName` can end up being longer than 50 characters. You can avoid having this problem by altering the template so it only contains the three word random identifier `$padName`. - -## How to use Etherpad widgets without an Integration Manager (like Dimension) - -This is how it works in element, it might work quite similar with other clients: -To integrate a standalone etherpad in a room, create your pad by visiting `https://etherpad.DOMAIN` with your favorite browser and let the magic do the work. When the pad opens, copy the url and send it to the room: `/addwidget `. -You will then find your integrated etherpad within the right sidebar in the `Widgets` section. 
From 79512d5851eb0be10cb0bc0a4d775851b0905323 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 16 Nov 2022 10:47:38 +0000 Subject: [PATCH 016/915] Update mautrix-whatsapp 0.7.1 -> 0.7.2 --- roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 55b7387f1..7c923b065 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mautrix_whatsapp_container_image_self_build: false matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautrix/whatsapp.git" matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}" -matrix_mautrix_whatsapp_version: v0.7.1 +matrix_mautrix_whatsapp_version: v0.7.2 # See: https://mau.dev/mautrix/whatsapp/container_registry matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_name_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}" matrix_mautrix_whatsapp_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_whatsapp_container_image_self_build else 'dock.mau.dev/' }}" From 795dcb112be5fb471ae7c217190e8743b5bfb695 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 16 Nov 2022 19:14:17 +0000 Subject: [PATCH 017/915] Update grafana 9.2.4 -> 9.2.5 --- roles/custom/matrix-grafana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-grafana/defaults/main.yml b/roles/custom/matrix-grafana/defaults/main.yml index 7c5e8d993..7f60a8096 100644 --- a/roles/custom/matrix-grafana/defaults/main.yml +++ b/roles/custom/matrix-grafana/defaults/main.yml 
@@ -5,7 +5,7 @@ matrix_grafana_enabled: true -matrix_grafana_version: 9.2.4 +matrix_grafana_version: 9.2.5 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" From 6a71b3fab3653e645ab5a4f4533479dc09c960c4 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Thu, 17 Nov 2022 17:22:04 +0000 Subject: [PATCH 018/915] update prometheus 2.40.1 -> 2.40.2 --- roles/custom/matrix-prometheus/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-prometheus/defaults/main.yml b/roles/custom/matrix-prometheus/defaults/main.yml index adc903872..e4c55da9b 100644 --- a/roles/custom/matrix-prometheus/defaults/main.yml +++ b/roles/custom/matrix-prometheus/defaults/main.yml @@ -5,7 +5,7 @@ matrix_prometheus_enabled: false -matrix_prometheus_version: v2.40.1 +matrix_prometheus_version: v2.40.2 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" From 910603394908637c0095110885082ab60a2e67c7 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 18 Nov 2022 06:21:57 +0000 Subject: [PATCH 019/915] Update ntfy 1.29.0 -> 1.29.1 --- roles/custom/matrix-ntfy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-ntfy/defaults/main.yml b/roles/custom/matrix-ntfy/defaults/main.yml index 8b8a89539..66d9a19c6 100644 --- a/roles/custom/matrix-ntfy/defaults/main.yml +++ b/roles/custom/matrix-ntfy/defaults/main.yml 
@@ -7,7 +7,7 @@ matrix_ntfy_base_path: "{{ matrix_base_data_path }}/ntfy" matrix_ntfy_config_dir_path: "{{ matrix_ntfy_base_path }}/config" matrix_ntfy_data_path: "{{ matrix_ntfy_base_path }}/data" -matrix_ntfy_version: v1.29.0 +matrix_ntfy_version: v1.29.1 matrix_ntfy_docker_image: "{{ matrix_container_global_registry_prefix }}binwiederhier/ntfy:{{ matrix_ntfy_version }}" matrix_ntfy_docker_image_force_pull: "{{ matrix_ntfy_docker_image.endswith(':latest') }}" From 45c04677450b4d9098ab555594757c5357c20b41 Mon Sep 17 00:00:00 2001 From: Warren Bailey Date: Fri, 18 Nov 2022 11:31:40 +0000 Subject: [PATCH 020/915] Sentry DNS setting in Jitsi jvb and jicofo (#2274) * Jitsi control sentry dns using vars * renaming variables * Revert "renaming variables" This reverts commit 4146c48f6a2e71d1b0d3f58c767aea1b2f4f789c. * set to connection string or 0 to disable * Update comments * Use empty string for default Sentry DSN variables Both should work identically, but an empty string seems better Co-authored-by: Slavi Pantaleev --- roles/custom/matrix-jitsi/defaults/main.yml | 6 ++++++ roles/custom/matrix-jitsi/templates/jicofo/env.j2 | 2 +- roles/custom/matrix-jitsi/templates/jvb/env.j2 | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-jitsi/defaults/main.yml b/roles/custom/matrix-jitsi/defaults/main.yml index a80d88823..22b8a7187 100644 --- a/roles/custom/matrix-jitsi/defaults/main.yml +++ b/roles/custom/matrix-jitsi/defaults/main.yml @@ -205,6 +205,9 @@ matrix_jitsi_jicofo_component_secret: '' matrix_jitsi_jicofo_auth_user: focus matrix_jitsi_jicofo_auth_password: '' +# To enable Sentry integration for Jicofo, specify a valid DSN connection string +matrix_jitsi_jicofo_sentry_dsn: '' + matrix_jitsi_jvb_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jvb:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}" 
@@ -220,6 +223,9 @@ matrix_jitsi_jvb_systemd_required_services_list: ['docker.service', 'matrix-jits matrix_jitsi_jvb_auth_user: jvb matrix_jitsi_jvb_auth_password: '' +# To enable Sentry integration for JVB, specify a valid DSN connection string +matrix_jitsi_jvb_sentry_dsn: '' + # STUN servers used by JVB on the server-side, so it can discover its own external IP address. # Pointing this to a STUN server running on the same Docker network may lead to incorrect IP address discovery. matrix_jitsi_jvb_stun_servers: ['meet-jit-si-turnrelay.jitsi.net:443'] diff --git a/roles/custom/matrix-jitsi/templates/jicofo/env.j2 b/roles/custom/matrix-jitsi/templates/jicofo/env.j2 index 1f2cb68c4..65ae1ce1b 100644 --- a/roles/custom/matrix-jitsi/templates/jicofo/env.j2 +++ b/roles/custom/matrix-jitsi/templates/jicofo/env.j2 @@ -27,7 +27,7 @@ JIGASI_SIP_URI JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }} MAX_BRIDGE_PARTICIPANTS OCTO_BRIDGE_SELECTION_STRATEGY -SENTRY_DSN="${JICOFO_SENTRY_DSN:-0}" +SENTRY_DSN={{ matrix_jitsi_jicofo_sentry_dsn }} SENTRY_ENVIRONMENT SENTRY_RELEASE TZ={{ matrix_jitsi_timezone }} diff --git a/roles/custom/matrix-jitsi/templates/jvb/env.j2 b/roles/custom/matrix-jitsi/templates/jvb/env.j2 index 41d343b31..df1a46139 100644 --- a/roles/custom/matrix-jitsi/templates/jvb/env.j2 +++ b/roles/custom/matrix-jitsi/templates/jvb/env.j2 @@ -18,7 +18,7 @@ JVB_OCTO_REGION JVB_WS_DOMAIN JVB_WS_SERVER_ID PUBLIC_URL={{ matrix_jitsi_web_public_url }} -SENTRY_DSN="${JVB_SENTRY_DSN:-0}" +SENTRY_DSN={{ matrix_jitsi_jvb_sentry_dsn }} SENTRY_ENVIRONMENT SENTRY_RELEASE COLIBRI_REST_ENABLED From 84c74136ea5cb48a488be978666a6abc97221f51 Mon Sep 17 00:00:00 2001 
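Review bot: `SENTRY_DSN={{ matrix_jitsi_jicofo_sentry_dsn }}` now exports an empty value by default, where the removed line exported the literal `0` through the `:-0` fallback; the commit message asserts that both behave the same but nothing in the hunk verifies it, so a comment stating that an empty value leaves Sentry disabled in the jitsi image would let the next reader check that against the image's entrypoint. The same applies to the `SENTRY_DSN` line in jvb/env.j2. A DSN also embeds a project key and, once set, error reports carrying internal details leave the server for that endpoint, so the variable comment added in defaults/main.yml would be clearer as `# To enable Sentry integration for Jicofo, specify a valid DSN connection string (it contains a key; treat it as a secret). Leave empty to keep Sentry disabled.`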
From: Warren Bailey Date: Fri, 18 Nov 2022 12:00:27 +0000 Subject: [PATCH 021/915] Provision extra Jitsi JVB services on additional hosts (#2166) * Add task to configure a standalone JVB on a different server * add missing file * set nginx config * update prosody file and expose port 5222 * change variable name to server id * formatting change * use server id of jvb-1 for the main server * adding documentation * adding more jvbs * rename variable * revert file * fix yaml error * minor doc fixes * renaming tags and introducing a common tag * remove duplicates * add mapping for jvb to hostname/ip * missed a jvb_server * Update roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 Co-authored-by: Slavi Pantaleev * PR review comments and additional documentation * iterate on dict items * Update docs/configuring-playbook-jitsi.md Co-authored-by: Slavi Pantaleev * Update docs/configuring-playbook-jitsi.md Co-authored-by: Slavi Pantaleev * Update docs/configuring-playbook-jitsi.md Co-authored-by: Slavi Pantaleev * Update docs/configuring-playbook-jitsi.md Co-authored-by: Slavi Pantaleev * Update docs/configuring-playbook-jitsi.md Co-authored-by: Slavi Pantaleev * Update docs/configuring-playbook-jitsi.md Co-authored-by: Slavi Pantaleev * Update docs/configuring-playbook-jitsi.md Co-authored-by: Slavi Pantaleev * adding documentation around the xmpp setting * add common after * reduce the number of services during init of the additional jvb * remove rogue i * revert change to jitsi init as it's needed * only run the jvb service on the additional jvb host * updating docs * reset default and add documentation about the websocket port * fix issue rather merge with master * add missing role introduced in master * this role is required too * Adding new jitsi jvb playbook, moving setup.yml to matrix.yml and creating soft link * updating documentation * revert accidental change to file * add symlink back to roles to aid running of the jitsi playbook * Remove extra 
space * Delete useless playbooks/roles symlink * Remove blank lines Co-authored-by: Slavi Pantaleev --- docs/configuring-playbook-jitsi.md | 64 +++++++++++++ playbooks/jitsi_jvb.yml | 12 +++ playbooks/matrix.yml | 95 ++++++++++++++++++ roles/custom/matrix-base/tasks/main.yml | 10 +- .../custom/matrix-base/tasks/sanity_check.yml | 29 ------ .../custom/matrix-base/tasks/system_check.yml | 30 ++++++ roles/custom/matrix-jitsi/defaults/main.yml | 6 +- .../tasks/init_additional_jvb.yml | 5 + roles/custom/matrix-jitsi/tasks/main.yml | 7 ++ .../custom/matrix-jitsi/templates/jvb/env.j2 | 2 +- .../prosody/matrix-jitsi-prosody.service.j2 | 3 + .../matrix-nginx-proxy/defaults/main.yml | 9 ++ .../nginx/conf.d/matrix-jitsi.conf.j2 | 18 +++- setup.yml | 96 +------------------ 14 files changed, 258 insertions(+), 128 deletions(-) create mode 100644 playbooks/jitsi_jvb.yml create mode 100755 playbooks/matrix.yml create mode 100644 roles/custom/matrix-base/tasks/system_check.yml create mode 100644 roles/custom/matrix-jitsi/tasks/init_additional_jvb.yml mode change 100755 => 120000 setup.yml diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index f278e54ec..4c29b3eb8 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md 
@@ -127,6 +127,70 @@ Read how it works [here](https://github.com/jitsi/jitsi-videobridge/blob/master/ You may want to **limit the maximum video resolution**, to save up resources on both server and clients. +## (Optional) Additional JVBs + +By default, a single JVB ([Jitsi VideoBridge](https://github.com/jitsi/jitsi-videobridge)) is deployed on the same host as the Matrix server. To allow more video-conferences to happen at the same time, you may need to provision additional JVB services on other hosts. + +There is an ansible playbook that can be run with the following tag: +` ansible-playbook -i inventory/hosts --limit jitsi_jvb_servers jitsi_jvb.yml --tags=common,setup-additional-jitsi-jvb,start` + +For this role to work you will need an additional section in the ansible hosts file with the details of the JVB hosts, for example: +``` +[jitsi_jvb_servers] + ansible_host= +``` + +Each JVB will require a server id to be set so that it can be uniquely identified and this allows Jitsi to keep track of which conferences are on which JVB. +The server id is set with the variable `matrix_jitsi_jvb_server_id` which ends up as the JVB_WS_SERVER_ID environment variables in the JVB docker container. +This variable can be set via the host file, a parameter to the ansible command or in the `vars.yaml` for the host which will have the additional JVB. For example: + +``` yaml +matrix_jitsi_jvb_server_id: 'jvb-2' +``` + +``` INI +[jitsi_jvb_servers] +jvb-2.example.com ansible_host=192.168.0.2 matrix_jitsi_jvb_server_id=jvb-2 +jvb-3.example.com ansible_host=192.168.0.3 matrix_jitsi_jvb_server_id=jvb-2 +``` + +Note that the server id `jvb-1` is reserved for the JVB instance running on the Matrix host and therefore should not be used as the id of an additional jvb host. 
+ +The additional JVB will also need to expose the colibri web socket port and this can be done with the following variable: + +```yaml +matrix_jitsi_jvb_container_colibri_ws_host_bind_port: 9090 +``` + +The JVB will also need to know where the prosody xmpp server is located, similar to the server id this can be set in the vars for the JVB by using the variable +`matrix_jitsi_xmpp_server`. The Jitsi prosody container is deployed on the matrix server by default so the value can be set to the matrix domain. For example: + +```yaml +matrix_jitsi_xmpp_server: "{{ matrix_domain }}" +``` + +However, it can also be set the ip address of the matrix server. This can be useful if you wish to use a private ip. For example: + +```yaml +matrix_jitsi_xmpp_server: "192.168.0.1" +``` + +The nginx configuration will also need to be updated in order to deal with the additional JVB servers. This is achieved via its own configuration variable +`matrix_nginx_proxy_proxy_jitsi_additional_jvbs`, which contains a dictionary of server ids to ip addresses. + +For example, + +``` yaml +matrix_nginx_proxy_proxy_jitsi_additional_jvbs: + jvb-2: 192.168.0.2 + jvb-3: 192.168.0.3 +``` + + +Applied together this will allow you to provision extra JVB instances which will register themselves with the prosody service and be available for jicofo +to route conferences too. + + ## Apply changes diff --git a/playbooks/jitsi_jvb.yml b/playbooks/jitsi_jvb.yml new file mode 100644 index 000000000..f19800908 --- /dev/null +++ b/playbooks/jitsi_jvb.yml @@ -0,0 +1,12 @@ +--- +- name: "Set up additional Jitsi JVB servers" + hosts: "jitsi_jvb_servers" + become: true + + roles: + - role: galaxy/com.devture.ansible.role.playbook_help + - role: galaxy/com.devture.ansible.role.systemd_docker_base + + - custom/matrix-base + - custom/matrix-jitsi + - custom/matrix-common-after diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml new file mode 100755 index 000000000..2e648732a --- /dev/null 
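Review bot: The new `playbooks/jitsi_jvb.yml` carries no comment on how it is meant to be run, although the docs in this same commit say it must be invoked with `--limit jitsi_jvb_servers` and `--tags=common,setup-additional-jitsi-jvb,start`; run without tags, the matrix-base and matrix-jitsi roles would presumably execute their `setup-all` tasks on the JVB hosts as root (`become: true`), which is not what the documentation intends. I would add a header above `- name:` along the lines of `# Provisions the hosts in the jitsi_jvb_servers group as additional Jitsi VideoBridges. Intended invocation: ansible-playbook -i inventory/hosts --limit jitsi_jvb_servers jitsi_jvb.yml --tags=common,setup-additional-jitsi-jvb,start`. That also makes a mistaken group membership in the inventory easier to spot before the roles run on the wrong host.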
+++ b/playbooks/matrix.yml 
@@ -0,0 +1,95 @@ +--- +- name: "Set up a Matrix server" + hosts: "{{ target if target is defined else 'matrix_servers' }}" + become: true + + roles: + # Most of the roles below are not distributed with the playbook, but downloaded separately using `ansible-galaxy` via the `make roles` command (see `Makefile`). + - role: galaxy/com.devture.ansible.role.playbook_help + + - role: galaxy/com.devture.ansible.role.systemd_docker_base + + - role: custom/matrix_playbook_migration + + - when: devture_timesync_installation_enabled | bool + role: galaxy/com.devture.ansible.role.timesync + tags: + - setup-timesync + - setup-all + + - custom/matrix-base + - custom/matrix-dynamic-dns + - custom/matrix-mailer + - custom/matrix-postgres + - custom/matrix-redis + - custom/matrix-corporal + - custom/matrix-bridge-appservice-discord + - custom/matrix-bridge-appservice-slack + - custom/matrix-bridge-appservice-webhooks + - custom/matrix-bridge-appservice-irc + - custom/matrix-bridge-appservice-kakaotalk + - custom/matrix-bridge-beeper-linkedin + - custom/matrix-bridge-go-skype-bridge + - custom/matrix-bridge-mautrix-facebook + - custom/matrix-bridge-mautrix-twitter + - custom/matrix-bridge-mautrix-hangouts + - custom/matrix-bridge-mautrix-googlechat + - custom/matrix-bridge-mautrix-instagram + - custom/matrix-bridge-mautrix-signal + - custom/matrix-bridge-mautrix-telegram + - custom/matrix-bridge-mautrix-whatsapp + - custom/matrix-bridge-mautrix-discord + - custom/matrix-bridge-mx-puppet-discord + - custom/matrix-bridge-mx-puppet-groupme + - custom/matrix-bridge-mx-puppet-steam + - custom/matrix-bridge-mx-puppet-slack + - custom/matrix-bridge-mx-puppet-twitter + - custom/matrix-bridge-mx-puppet-instagram + - custom/matrix-bridge-sms + - custom/matrix-bridge-heisenbridge + - custom/matrix-bridge-hookshot + - custom/matrix-bot-matrix-reminder-bot + - custom/matrix-bot-matrix-registration-bot + - custom/matrix-bot-maubot + - custom/matrix-bot-buscarron + - custom/matrix-bot-honoroit + - 
custom/matrix-bot-postmoogle + - custom/matrix-bot-go-neb + - custom/matrix-bot-mjolnir + - custom/matrix-cactus-comments + - custom/matrix-synapse + - custom/matrix-dendrite + - custom/matrix-conduit + - custom/matrix-synapse-admin + - custom/matrix-prometheus-node-exporter + - custom/matrix-prometheus-postgres-exporter + - custom/matrix-prometheus + - custom/matrix-grafana + - custom/matrix-registration + - custom/matrix-client-element + - custom/matrix-client-hydrogen + - custom/matrix-client-cinny + - custom/matrix-jitsi + - custom/matrix-ldap-registration-proxy + - custom/matrix-ma1sd + - custom/matrix-dimension + - custom/matrix-etherpad + - custom/matrix-email2matrix + - custom/matrix-sygnal + - custom/matrix-ntfy + - custom/matrix-nginx-proxy + - custom/matrix-coturn + - custom/matrix-aux + - custom/matrix-postgres-backup + - custom/matrix-backup-borg + - custom/matrix-user-creator + - custom/matrix-common-after + + # This is pretty much last, because we want it to better serve as a "last known good configuration". + # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2217#issuecomment-1301487601 + - when: devture_playbook_state_preserver_enabled | bool + role: galaxy/com.devture.ansible.role.playbook_state_preserver + tags: + - setup-all + + - role: galaxy/com.devture.ansible.role.playbook_runtime_messages diff --git a/roles/custom/matrix-base/tasks/main.yml b/roles/custom/matrix-base/tasks/main.yml index 2205056d8..164bd3539 100644 --- a/roles/custom/matrix-base/tasks/main.yml +++ b/roles/custom/matrix-base/tasks/main.yml 
@@ -1,18 +1,24 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/sanity_check.yml" +- ansible.builtin.import_tasks: "{{ role_path }}/tasks/system_check.yml" tags: - always +- ansible.builtin.import_tasks: "{{ role_path }}/tasks/sanity_check.yml" + tags: + - setup-all + - ansible.builtin.import_tasks: "{{ role_path }}/tasks/clean_up_old_files.yml" when: run_setup | bool tags: - setup-all + - common - ansible.builtin.import_tasks: "{{ role_path }}/tasks/server_base/setup.yml" when: run_setup | bool tags: - setup-all + - common # This needs to always run, because it populates `matrix_user_uid` and `matrix_user_gid`, # which are required by many other roles. @@ -21,11 +27,13 @@ tags: - always - setup-system-user + - common - ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml" when: run_setup | bool tags: - setup-all + - common - ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_well_known.yml" when: run_setup | bool diff --git a/roles/custom/matrix-base/tasks/sanity_check.yml b/roles/custom/matrix-base/tasks/sanity_check.yml index 5104ba434..f825e19ef 100644 --- a/roles/custom/matrix-base/tasks/sanity_check.yml +++ b/roles/custom/matrix-base/tasks/sanity_check.yml 
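Review bot: Moving `sanity_check.yml` from `always` to `setup-all` means the checks that file holds (valid `matrix_homeserver_implementation`, renamed-setting and removed-role detection, the lowercase FQN check) no longer run on partial invocations such as `--tags=setup-jitsi` or `start`, so a misconfiguration that used to fail fast now surfaces only on a full setup. The motivation is presumably that those checks reference settings which are undefined on hosts that only run an additional JVB, but the hunk does not say so. I would either keep `always` and skip the import on JVB-only hosts with a `when:` condition, or at minimum add `# Only on full setup: these checks assume a homeserver host, which additional Jitsi JVB hosts are not` above the import so the narrowed scope reads as deliberate rather than accidental.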
@@ -5,21 +5,6 @@ msg: "You need to set a valid homeserver implementation in `matrix_homeserver_implementation`" when: "matrix_homeserver_implementation not in ['synapse', 'dendrite', 'conduit']" -# We generally support Ansible 2.7.1 and above. -- name: Fail if running on Ansible < 2.7.1 - ansible.builtin.fail: - msg: "You are running on Ansible {{ ansible_version.string }}, which is not supported. See our guide about Ansible: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/ansible.md" - when: - - "(ansible_version.major < 2) or (ansible_version.major == 2 and ansible_version.minor < 7) or (ansible_version.major == 2 and ansible_version.minor == 7 and ansible_version.revision < 1)" - -# Though we do not support Ansible 2.9.6 which is buggy -- name: Fail if running on Ansible 2.9.6 on Ubuntu - ansible.builtin.fail: - msg: "You are running on Ansible {{ ansible_version.string }}, which is not supported. See our guide about Ansible: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/ansible.md" - when: - - ansible_distribution == 'Ubuntu' - - "ansible_version.major == 2 and ansible_version.minor == 9 and ansible_version.revision == 6" - - name: (Deprecation) Catch and report renamed settings ansible.builtin.fail: msg: >- 
@@ -66,20 +51,6 @@ - "{{ matrix_server_fqn_element }}" when: "item != item | lower" -- name: Fail if using python2 on Archlinux - ansible.builtin.fail: - msg: "Detected that you're using python2 when installing onto Archlinux. Archlinux by default only supports python3." - when: - - ansible_distribution == 'Archlinux' - - ansible_python.version.major != 3 - -- name: Fail if architecture is set incorrectly - ansible.builtin.fail: - msg: "Detected that variable matrix_architecture {{ matrix_architecture }} appears to be set incorrectly. See docs/alternative-architectures.md. Server appears to be {{ ansible_architecture }}." - when: (ansible_architecture == "x86_64" and matrix_architecture != "amd64") or - (ansible_architecture == "aarch64" and matrix_architecture != "arm64") or - (ansible_architecture.startswith("armv") and matrix_architecture != "arm32") - - name: Fail if encountering usage of removed role (mx-puppet-skype) ansible.builtin.fail: msg: >- diff --git a/roles/custom/matrix-base/tasks/system_check.yml b/roles/custom/matrix-base/tasks/system_check.yml new file mode 100644 index 000000000..f1d2fc7b1 --- /dev/null +++ b/roles/custom/matrix-base/tasks/system_check.yml 
@@ -0,0 +1,30 @@ +--- + +# We generally support Ansible 2.7.1 and above. +- name: Fail if running on Ansible < 2.7.1 + ansible.builtin.fail: + msg: "You are running on Ansible {{ ansible_version.string }}, which is not supported. See our guide about Ansible: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/ansible.md" + when: + - "(ansible_version.major < 2) or (ansible_version.major == 2 and ansible_version.minor < 7) or (ansible_version.major == 2 and ansible_version.minor == 7 and ansible_version.revision < 1)" + +# Though we do not support Ansible 2.9.6 which is buggy +- name: Fail if running on Ansible 2.9.6 on Ubuntu + ansible.builtin.fail: + msg: "You are running on Ansible {{ ansible_version.string }}, which is not supported. See our guide about Ansible: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/ansible.md" + when: + - ansible_distribution == 'Ubuntu' + - "ansible_version.major == 2 and ansible_version.minor == 9 and ansible_version.revision == 6" + +- name: Fail if using python2 on Archlinux + ansible.builtin.fail: + msg: "Detected that you're using python2 when installing onto Archlinux. Archlinux by default only supports python3." + when: + - ansible_distribution == 'Archlinux' + - ansible_python.version.major != 3 + +- name: Fail if architecture is set incorrectly + ansible.builtin.fail: + msg: "Detected that variable matrix_architecture {{ matrix_architecture }} appears to be set incorrectly. See docs/alternative-architectures.md. Server appears to be {{ ansible_architecture }}." + when: (ansible_architecture == "x86_64" and matrix_architecture != "amd64") or + (ansible_architecture == "aarch64" and matrix_architecture != "arm64") or + (ansible_architecture.startswith("armv") and matrix_architecture != "arm32") diff --git a/roles/custom/matrix-jitsi/defaults/main.yml b/roles/custom/matrix-jitsi/defaults/main.yml index 22b8a7187..c2d5948da 100644 
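Review bot: The new `system_check.yml` has no header explaining why these four checks were split out of `sanity_check.yml`; the only hint is in matrix-base/tasks/main.yml, where this file keeps the `always` tag while sanity_check moves to `setup-all`. A short header such as `# Host-level checks (Ansible version, Python version, architecture) that must run on every host the playbook touches, including hosts that only run an additional Jitsi JVB; homeserver-specific checks live in sanity_check.yml` would make the boundary between the two files clear to the next person adding a check.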
--- a/roles/custom/matrix-jitsi/defaults/main.yml +++ b/roles/custom/matrix-jitsi/defaults/main.yml @@ -189,6 +189,8 @@ matrix_jitsi_prosody_systemd_required_services_list: ['docker.service'] # Neccessary Port binding for those disabling the integrated nginx proxy matrix_jitsi_prosody_container_http_host_bind_port: '' +matrix_jitsi_prosody_container_jvb_host_bind_port: 5222 + matrix_jitsi_jicofo_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jicofo:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}" @@ -218,7 +220,7 @@ matrix_jitsi_jvb_config_path: "{{ matrix_jitsi_jvb_base_path }}/config" matrix_jitsi_jvb_container_extra_arguments: [] # List of systemd services that matrix-jitsi-jvb.service depends on -matrix_jitsi_jvb_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service'] +matrix_jitsi_jvb_systemd_required_services_list: ['docker.service'] matrix_jitsi_jvb_auth_user: jvb matrix_jitsi_jvb_auth_password: '' @@ -233,6 +235,8 @@ matrix_jitsi_jvb_stun_servers: ['meet-jit-si-turnrelay.jitsi.net:443'] matrix_jitsi_jvb_brewery_muc: jvbbrewery matrix_jitsi_jvb_rtp_udp_port: 10000 matrix_jitsi_jvb_rtp_tcp_port: 4443 +matrix_jitsi_jvb_server_id: 'jvb-1' + # Custom configuration to be injected into `custom-sip-communicator.properties`, passed to Jitsi JVB. # This configuration gets appended to the final configuration that Jitsi JVB uses. diff --git a/roles/custom/matrix-jitsi/tasks/init_additional_jvb.yml b/roles/custom/matrix-jitsi/tasks/init_additional_jvb.yml new file mode 100644 index 000000000..e781f5bcc --- /dev/null +++ b/roles/custom/matrix-jitsi/tasks/init_additional_jvb.yml @@ -0,0 +1,5 @@ +--- + +- ansible.builtin.set_fact: + matrix_systemd_services_list: "{{ ['matrix-jitsi-jvb.service'] }}" + when: matrix_jitsi_enabled | bool 
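Review bot: `matrix_jitsi_prosody_container_jvb_host_bind_port: 5222` turns on publishing of Prosody's XMPP port for every deployment, not only those with remote JVBs; through the `-p {{ port }}:5222` mapping this commit adds in `matrix-jitsi-prosody.service.j2`, Docker publishes it on all host interfaces, which typically bypasses host firewall rules. The sibling `matrix_jitsi_prosody_container_http_host_bind_port: ''` defaults to not publishing, and the comment above it (about disabling the integrated nginx proxy) does not describe the new variable. I would default it to `''` and document it: `# Publish Prosody's XMPP port so that JVBs on other hosts can reach it. Leave empty unless you run additional JVBs; prefer binding to a private interface, e.g. '<private-ip>:5222', and firewall it`, since whether the JVB-to-Prosody session is TLS-protected is not visible here and `matrix_jitsi_jvb_auth_password` travels over that link. The second hunk also drops `matrix-jitsi-prosody.service` from the JVB's required services on the main host, so the JVB may now start before Prosody there; presumably it retries its connection, but that deserves a comment as well.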
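Review bot: The `set_fact` in `init_additional_jvb.yml` has no `name:` and the file no comment, so it is not obvious that it replaces the host's entire `matrix_systemd_services_list` with the JVB unit alone; because it is gated only on `matrix_jitsi_enabled` and the `setup-additional-jitsi-jvb` tag, running the main playbook against the Matrix host with that tag would presumably shrink that host's managed service list too. I would add `name: Restrict managed systemd services to the JVB on additional JVB hosts` plus a header comment stating that this file is only meant for hosts in the `jitsi_jvb_servers` group. The `{{ [...] }}` wrapper around a literal list is also redundant: `matrix_systemd_services_list: ['matrix-jitsi-jvb.service']`.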
diff --git a/roles/custom/matrix-jitsi/tasks/main.yml b/roles/custom/matrix-jitsi/tasks/main.yml index 7da6ebf95..be96d944d 100644 --- a/roles/custom/matrix-jitsi/tasks/main.yml +++ b/roles/custom/matrix-jitsi/tasks/main.yml @@ -4,17 +4,23 @@ tags: - always +- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init_additional_jvb.yml" + tags: + - setup-additional-jitsi-jvb + - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_jitsi_enabled | bool" tags: - setup-all - setup-jitsi + - setup-additional-jitsi-jvb - ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_jitsi_base.yml" when: run_setup | bool tags: - setup-all - setup-jitsi + - setup-additional-jitsi-jvb - ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_jitsi_web.yml" when: run_setup | bool @@ -39,3 +45,4 @@ tags: - setup-all - setup-jitsi + - setup-additional-jitsi-jvb diff --git a/roles/custom/matrix-jitsi/templates/jvb/env.j2 b/roles/custom/matrix-jitsi/templates/jvb/env.j2 index df1a46139..4b9ce68f1 100644 --- a/roles/custom/matrix-jitsi/templates/jvb/env.j2 +++ b/roles/custom/matrix-jitsi/templates/jvb/env.j2 @@ -16,7 +16,7 @@ JVB_OCTO_PUBLIC_ADDRESS JVB_OCTO_BIND_PORT JVB_OCTO_REGION JVB_WS_DOMAIN -JVB_WS_SERVER_ID +JVB_WS_SERVER_ID={{ matrix_jitsi_jvb_server_id }} PUBLIC_URL={{ matrix_jitsi_web_public_url }} SENTRY_DSN={{ matrix_jitsi_jvb_sentry_dsn }} SENTRY_ENVIRONMENT diff --git a/roles/custom/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 b/roles/custom/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 index 0b2592aed..89cec0914 100644 --- a/roles/custom/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 +++ b/roles/custom/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 
@@ -20,6 +20,9 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {% if matrix_jitsi_prosody_container_http_host_bind_port %} -p {{ matrix_jitsi_prosody_container_http_host_bind_port }}:5280 \ {% endif %} + {% if matrix_jitsi_prosody_container_jvb_host_bind_port %} + -p {{ matrix_jitsi_prosody_container_jvb_host_bind_port }}:5222 \ + {% endif %} --env-file={{ matrix_jitsi_prosody_base_path }}/env \ --mount type=bind,src={{ matrix_jitsi_prosody_config_path }},dst=/config \ --mount type=bind,src={{ matrix_jitsi_prosody_plugins_path }},dst=/prosody-plugins-custom \ diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index b7d4819dd..967a72679 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml @@ -667,3 +667,12 @@ matrix_nginx_proxy_synapse_cache_proxy_cache_valid_time: "24h" # http://nginx.org/en/docs/ngx_core_module.html#worker_connections matrix_nginx_proxy_worker_processes: auto matrix_nginx_proxy_worker_connections: 1024 + +# A mapping of JVB server ids to hostname/ipa addresses used to add additional jvb blocks +# to the Jitsi's server configuration (matrix-jitsi.conf) +# Note: avoid using the JVB server id "jvb-1" as this is reserved for the main host. +# Example: +# matrix_nginx_proxy_proxy_jitsi_additional_jvbs: +# jvb-2: 192.168.0.1 +# jvb-3: 192.168.0.2 +matrix_nginx_proxy_proxy_jitsi_additional_jvbs: {} diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index aa4b6b446..4d5a4ce7c 100644 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 
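Review bot: The comment on `matrix_nginx_proxy_proxy_jitsi_additional_jvbs` reads `hostname/ipa addresses` and `the Jitsi's server configuration`; beyond the typos it omits that each value is interpolated verbatim into `proxy_pass http://<value>:9090/...` in matrix-jitsi.conf.j2 and reached over plain HTTP. I would reword it to `# A mapping of JVB server ids to the hostname or IP address of each additional JVB host. Values are placed unescaped into the nginx configuration (matrix-jitsi.conf) and reached over plain HTTP on port 9090, so use a private network address. Note: avoid the id "jvb-1", which is reserved for the main host.`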
@@ -34,7 +34,7 @@ } # colibri (JVB) websockets - location ~ ^/colibri-ws/([a-zA-Z0-9-\.]+)/(.*) { + location ~ ^/colibri-ws/jvb-1/(.*) { {% if matrix_nginx_proxy_enabled %} resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; set $backend "matrix-jitsi-jvb:9090"; @@ -53,6 +53,22 @@ tcp_nodelay on; } + {% for id, ip_address in matrix_nginx_proxy_proxy_jitsi_additional_jvbs.items() %} + # colibri (JVB) websockets for additional JVBs + location ~ ^/colibri-ws/{{ id | regex_escape }}/(.*) { + proxy_pass http://{{ ip_address }}:9090/colibri-ws/{{ id }}/$1$is_args$args; + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + proxy_http_version 1.1; + + tcp_nodelay on; + } + {% endfor %} + # XMPP websocket location = /xmpp-websocket { diff --git a/setup.yml b/setup.yml deleted file mode 100755 index 2e648732a..000000000 --- a/setup.yml +++ /dev/null 
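Review bot: The narrowed `location ~ ^/colibri-ws/jvb-1/(.*)` hard-codes the id while the JVB on the main host reads it from `matrix_jitsi_jvb_server_id` (default `jvb-1` in this commit); an operator who changes that variable silently loses the local colibri route, so a comment `# "jvb-1" must match matrix_jitsi_jvb_server_id of the JVB on this host` (or templating the variable, if this role may reference it) is warranted. In the loop, `{{ id | regex_escape }}` protects the regex but `{{ id }}` is placed raw into `proxy_pass`, and `{{ ip_address }}` is raw as well; both come from an operator-controlled dict, so this is consistent, but an id containing whitespace or `/` would yield a broken location rather than a clear error. The upstream for additional JVBs is `http://` to another host, so the WebSocket traffic crosses the network unencrypted; the docs in this commit suggest private IPs, and a template comment above the loop should state that as the expectation.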
@@ -1,95 +0,0 @@ ---- -- name: "Set up a Matrix server" - hosts: "{{ target if target is defined else 'matrix_servers' }}" - become: true - - roles: - # Most of the roles below are not distributed with the playbook, but downloaded separately using `ansible-galaxy` via the `make roles` command (see `Makefile`). - - role: galaxy/com.devture.ansible.role.playbook_help - - - role: galaxy/com.devture.ansible.role.systemd_docker_base - - - role: custom/matrix_playbook_migration - - - when: devture_timesync_installation_enabled | bool - role: galaxy/com.devture.ansible.role.timesync - tags: - - setup-timesync - - setup-all - - - custom/matrix-base - - custom/matrix-dynamic-dns - - custom/matrix-mailer - - custom/matrix-postgres - - custom/matrix-redis - - custom/matrix-corporal - - custom/matrix-bridge-appservice-discord - - custom/matrix-bridge-appservice-slack - - custom/matrix-bridge-appservice-webhooks - - custom/matrix-bridge-appservice-irc - - custom/matrix-bridge-appservice-kakaotalk - - custom/matrix-bridge-beeper-linkedin - - custom/matrix-bridge-go-skype-bridge - - custom/matrix-bridge-mautrix-facebook - - custom/matrix-bridge-mautrix-twitter - - custom/matrix-bridge-mautrix-hangouts - - custom/matrix-bridge-mautrix-googlechat - - custom/matrix-bridge-mautrix-instagram - - custom/matrix-bridge-mautrix-signal - - custom/matrix-bridge-mautrix-telegram - - custom/matrix-bridge-mautrix-whatsapp - - custom/matrix-bridge-mautrix-discord - - custom/matrix-bridge-mx-puppet-discord - - custom/matrix-bridge-mx-puppet-groupme - - custom/matrix-bridge-mx-puppet-steam - - custom/matrix-bridge-mx-puppet-slack - - custom/matrix-bridge-mx-puppet-twitter - - custom/matrix-bridge-mx-puppet-instagram - - custom/matrix-bridge-sms - - custom/matrix-bridge-heisenbridge - - custom/matrix-bridge-hookshot - - custom/matrix-bot-matrix-reminder-bot - - custom/matrix-bot-matrix-registration-bot - - custom/matrix-bot-maubot - - custom/matrix-bot-buscarron - - custom/matrix-bot-honoroit - - 
custom/matrix-bot-postmoogle - - custom/matrix-bot-go-neb - - custom/matrix-bot-mjolnir - - custom/matrix-cactus-comments - - custom/matrix-synapse - - custom/matrix-dendrite - - custom/matrix-conduit - - custom/matrix-synapse-admin - - custom/matrix-prometheus-node-exporter - - custom/matrix-prometheus-postgres-exporter - - custom/matrix-prometheus - - custom/matrix-grafana - - custom/matrix-registration - - custom/matrix-client-element - - custom/matrix-client-hydrogen - - custom/matrix-client-cinny - - custom/matrix-jitsi - - custom/matrix-ldap-registration-proxy - - custom/matrix-ma1sd - - custom/matrix-dimension - - custom/matrix-etherpad - - custom/matrix-email2matrix - - custom/matrix-sygnal - - custom/matrix-ntfy - - custom/matrix-nginx-proxy - - custom/matrix-coturn - - custom/matrix-aux - - custom/matrix-postgres-backup - - custom/matrix-backup-borg - - custom/matrix-user-creator - - custom/matrix-common-after - - # This is pretty much last, because we want it to better serve as a "last known good configuration". - # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2217#issuecomment-1301487601 - - when: devture_playbook_state_preserver_enabled | bool - role: galaxy/com.devture.ansible.role.playbook_state_preserver - tags: - - setup-all - - - role: galaxy/com.devture.ansible.role.playbook_runtime_messages diff --git a/setup.yml b/setup.yml new file mode 120000 index 000000000..7acc4c4c9 --- /dev/null +++ b/setup.yml @@ -0,0 +1 @@ +playbooks/matrix.yml \ No newline at end of file From 77451c6a71ac20bbc1abbb62fc1fcd1890235901 Mon Sep 17 00:00:00 2001 
From: NullIsNot0 Date: Fri, 18 Nov 2022 15:07:53 +0200 Subject: [PATCH 022/915] Enable location sharing in Element (#2276) * Enable location sharing in Element * Update roles/custom/matrix-client-element/tasks/validate_config.yml Co-authored-by: Slavi Pantaleev * Update roles/custom/matrix-client-element/tasks/setup_install.yml Co-authored-by: Slavi Pantaleev * Rename location sharing vars to be consistent with other vars * Rename style.json to map_style.json * Add m.tile_server section to /.well-known/matrix/client Co-authored-by: Slavi Pantaleev --- .../static-files/well-known/matrix-client.j2 | 5 ++ .../matrix-client-element/defaults/main.yml | 67 +++++++++++++++++++ .../tasks/setup_install.yml | 9 +++ .../tasks/validate_config.yml | 8 +++ .../templates/config.json.j2 | 3 + .../templates/map_style.json.j2 | 18 +++++ .../systemd/matrix-client-element.service.j2 | 3 + 7 files changed, 113 insertions(+) create mode 100644 roles/custom/matrix-client-element/templates/map_style.json.j2 diff --git a/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 b/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 index a4356d1d8..4595bed11 100644 --- a/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 +++ b/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 @@ -25,6 +25,11 @@ "im.vector.riot.jitsi": { "preferredDomain": {{ matrix_client_element_jitsi_preferredDomain|to_json }} } + {% endif %} + {% if matrix_client_element_location_sharing_enabled %}, + "m.tile_server": { + "map_style_url": "https://{{ matrix_server_fqn_element }}/map_style.json" + } {% endif %} , "io.element.e2ee": { diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index a1543b5bb..0bb65ea82 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml 
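Review bot: The leading comma in `{% if matrix_client_element_location_sharing_enabled %},` assumes an entry was emitted immediately before it, but the preceding `im.vector.riot.jitsi` block is itself inside a conditional whose opening lies before this hunk, so the output may not be valid JSON when that block is off and location sharing is on; the enclosing structure starts outside the hunk, so this needs checking against the full template. Whether `matrix_client_element_location_sharing_enabled` is defined on hosts where the matrix-client-element role is not applied is also not visible here. A Jinja comment above the block, `{# tile server advertised to clients for location sharing; the map style file is served by the Element container #}`, would help too, since this template belongs to matrix-base while the value points at the Element FQN.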
@@ -135,3 +135,70 @@ matrix_client_element_configuration_extension: "{{ matrix_client_element_configu # Holds the final Element configuration (a combination of the default and its extension). # You most likely don't need to touch this variable. Instead, see `matrix_client_element_configuration_default`. matrix_client_element_configuration: "{{ matrix_client_element_configuration_default | combine(matrix_client_element_configuration_extension, recursive=True) }}" + +# Element Location sharing functionality +# More info: https://element.io/blog/element-launches-e2ee-location-sharing/ +# How to host your own map tile server: https://matrix.org/docs/guides/map-tile-server +matrix_client_element_location_sharing_enabled: false + +# Default Element location sharing map style configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_client_element_location_sharing_map_style_extension_json`) +# or completely replace this variable with your own template. +# +# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict. +# This is unlike what it does when looking up YAML template files (no automatic parsing there). +matrix_client_element_location_sharing_map_style_default: "{{ lookup('template', 'templates/map_style.json.j2') }}" + +# Your custom JSON configuration for Element location sharing map style should go to `matrix_client_element_location_sharing_map_style_extension_json`. +# This configuration extends the default starting configuration (`matrix_client_element_location_sharing_map_style_default`). +# +# You can override individual variables from the default configuration, or introduce new ones. +# +# If you need something more special, you can take full control by +# completely redefining `matrix_client_element_location_sharing_map_style_default`. 
+# +# Example configuration override follows: +# +# matrix_client_element_location_sharing_map_style_extension_json: | +# { +# "sources": { +# "localsource": { +# "tileSize": 512 +# } +# } +# } +# +# Example configuration extension follows: +# +# matrix_client_element_location_sharing_map_style_extension_json: | +# { +# "sources": { +# "anothersource": { +# "attribution": "", +# "tileSize": 256, +# "tiles": ["https://anothertile.example.com/{z}/{x}/{y}.png"], +# "type": "raster" +# } +# } +# } +matrix_client_element_location_sharing_map_style_extension_json: '{}' + +matrix_client_element_location_sharing_map_style_extension: "{{ matrix_client_element_location_sharing_map_style_extension_json | from_json if matrix_client_element_location_sharing_map_style_extension_json | from_json is mapping else {} }}" + +# Holds the final Element location sharing map style configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_client_element_location_sharing_map_style_default`. 
+matrix_client_element_location_sharing_map_style: "{{ matrix_client_element_location_sharing_map_style_default | combine(matrix_client_element_location_sharing_map_style_extension, recursive=True) }}" + +# Example tile servers configuration +# matrix_client_element_location_sharing_map_style_content_sources_localsource_tiles: ["https://tile.example.com/{z}/{x}/{y}.png"] +# or +# matrix_client_element_location_sharing_map_style_content_sources_localsource_tiles: ["https://s1.example.com/{z}/{x}/{y}.png", "https://s2.example.com/{z}/{x}/{y}.png", "https://s3.example.com/{z}/{x}/{y}.png"] +matrix_client_element_location_sharing_map_style_content_sources_localsource_tiles: [] + +# Map attribution (optional): +# Attribution for OpenStreetMap would be like this: +# matrix_client_element_location_sharing_map_style_content_sources_localsource_attribution: "© OpenStreetMap contributors" +# Leave blank, if map does not require attribution. +matrix_client_element_location_sharing_map_style_content_sources_localsource_attribution: "" diff --git a/roles/custom/matrix-client-element/tasks/setup_install.yml b/roles/custom/matrix-client-element/tasks/setup_install.yml index 0edb0b50e..cff30f4c0 100644 --- a/roles/custom/matrix-client-element/tasks/setup_install.yml +++ b/roles/custom/matrix-client-element/tasks/setup_install.yml @@ -69,6 +69,15 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" +- name: Ensure Element location sharing map style installed + when: matrix_client_element_location_sharing_enabled | bool + ansible.builtin.copy: + content: "{{ matrix_client_element_location_sharing_map_style | to_nice_json }}" + dest: "{{ matrix_client_element_data_path }}/map_style.json" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + - name: Ensure Element config files installed ansible.builtin.template: src: "{{ item.src }}" 
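Review bot: The comment on `matrix_client_element_location_sharing_map_style_content_sources_localsource_tiles` should state what these URLs imply: they are copied verbatim into the `map_style.json` served to clients, so every user who opens a shared location fetches tiles, and thereby reveals the map area being viewed, directly from whichever server is configured here. Suggest adding above the variable: `# Note: clients fetch tiles directly from these URLs, so the tile server's operator sees which map areas your users view. Self-hosting (see the link above) keeps that data on your own infrastructure.` Separately, `matrix_client_element_location_sharing_map_style_extension` silently replaces a non-mapping extension (for example a JSON list produced by a typo) with `{}`, so a broken override is discarded without any error; if the existing `matrix_client_element_configuration_extension` line in this file does the same this is at least consistent, otherwise a fail task in validate_config.yml would be safer.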
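Review bot: `mode: 0644` in the new copy task is an unquoted YAML octal literal; Ansible's module documentation and yamllint recommend the string form `mode: '0644'` because leading-zero numbers are read as octal by YAML 1.1 parsers but as decimal by YAML 1.2 ones. If the neighbouring tasks in this file already use the unquoted form, keep it consistent with them instead. The preceding task's `mode` line is outside the hunk, so I cannot tell which convention the file follows.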
diff --git a/roles/custom/matrix-client-element/tasks/validate_config.yml b/roles/custom/matrix-client-element/tasks/validate_config.yml index fdf74f07d..0e252db80 100644 --- a/roles/custom/matrix-client-element/tasks/validate_config.yml +++ b/roles/custom/matrix-client-element/tasks/validate_config.yml @@ -8,6 +8,14 @@ with_items: - "matrix_client_element_default_hs_url" +- name: Fail if Element location sharing enabled, but no tile server defined + ansible.builtin.fail: + msg: >- + You need to define at least one map tile server in matrix_client_element_location_sharing_map_style_content_sources_localsource_tiles list + when: + - matrix_client_element_location_sharing_enabled | bool + - matrix_client_element_location_sharing_map_style_content_sources_localsource_tiles | length == 0 + - name: (Deprecation) Catch and report riot-web variables ansible.builtin.fail: msg: >- diff --git a/roles/custom/matrix-client-element/templates/config.json.j2 b/roles/custom/matrix-client-element/templates/config.json.j2 index e34773981..1ae16f416 100644 --- a/roles/custom/matrix-client-element/templates/config.json.j2 +++ b/roles/custom/matrix-client-element/templates/config.json.j2 @@ -36,6 +36,9 @@ "jitsi": { "preferredDomain": {{ matrix_client_element_jitsi_preferredDomain|to_json }} }, + {% endif %} + {% if matrix_client_element_location_sharing_enabled %} + "map_style_url": "https://{{ matrix_server_fqn_element }}/map_style.json", {% endif %} "branding": { "authFooterLinks": {{ matrix_client_element_branding_authFooterLinks|to_json }}, diff --git a/roles/custom/matrix-client-element/templates/map_style.json.j2 b/roles/custom/matrix-client-element/templates/map_style.json.j2 new file mode 100644 index 000000000..1b92df633 --- /dev/null +++ b/roles/custom/matrix-client-element/templates/map_style.json.j2 
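Review bot: The new check only rejects an empty `matrix_client_element_location_sharing_map_style_content_sources_localsource_tiles` list; a populated list whose URL lacks the `{z}`/`{x}`/`{y}` placeholders (every example in the defaults hunk carries them) still passes validation and only fails later, inside the client, when the map is rendered. If the raster source indeed requires those placeholders, a second task in the same style could fail when `matrix_client_element_location_sharing_map_style_content_sources_localsource_tiles | reject('search', '{z}') | list | length > 0` (and likewise for `{x}` and `{y}`), with a `msg` naming the expected `https://host/{z}/{x}/{y}.png` shape. The existing `msg` would also be clearer if it mentioned that placeholder format, since that is the most likely mistake after an empty list.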
@@ -0,0 +1,18 @@ +{ + "layers": [ + { + "id": "locallayer", + "source": "localsource", + "type": "raster" + } + ], + "sources": { + "localsource": { + "attribution": {{ matrix_client_element_location_sharing_map_style_content_sources_localsource_attribution|to_json }}, + "tileSize": 256, + "tiles": {{ matrix_client_element_location_sharing_map_style_content_sources_localsource_tiles|to_json }}, + "type": "raster" + } + }, + "version": 8 +} diff --git a/roles/custom/matrix-client-element/templates/systemd/matrix-client-element.service.j2 b/roles/custom/matrix-client-element/templates/systemd/matrix-client-element.service.j2 index 52f3249a9..be96cab78 100644 --- a/roles/custom/matrix-client-element/templates/systemd/matrix-client-element.service.j2 +++ b/roles/custom/matrix-client-element/templates/systemd/matrix-client-element.service.j2 @@ -26,6 +26,9 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name --mount type=bind,src={{ matrix_client_element_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ --mount type=bind,src={{ matrix_client_element_data_path }}/config.json,dst=/app/config.json,ro \ --mount type=bind,src={{ matrix_client_element_data_path }}/config.json,dst=/app/config.{{ matrix_server_fqn_element }}.json,ro \ + {% if matrix_client_element_location_sharing_enabled %} + --mount type=bind,src={{ matrix_client_element_data_path }}/map_style.json,dst=/app/map_style.json,ro \ + {% endif %} {% if matrix_client_element_embedded_pages_home_path is not none %} --mount type=bind,src={{ matrix_client_element_data_path }}/home.html,dst=/app/home.html,ro \ {% endif %} From eec7970689181e70bfd7853182ded343bf862d67 Mon Sep 17 00:00:00 2001 
From: Aine Date: Sat, 19 Nov 2022 00:55:03 +0200 Subject: [PATCH 023/915] update postmoogle 0.9.8 -> 0.9.9 --- group_vars/matrix_servers | 4 ++-- .../custom/matrix-bot-postmoogle/defaults/main.yml | 14 +++++++++----- .../custom/matrix-bot-postmoogle/templates/env.j2 | 2 +- 3 files changed, 12 insertions(+), 8 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 7df712479..1c6416bc7 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1255,8 +1255,8 @@ matrix_bot_buscarron_container_image_self_build: "{{ matrix_architecture not in # We don't enable bots by default. matrix_bot_postmoogle_enabled: false matrix_bot_postmoogle_ssl_path: "{{ matrix_ssl_config_dir_path }}" -matrix_bot_postmoogle_tls_cert: "/ssl/live/{{ matrix_bot_postmoogle_domain }}/fullchain.pem" -matrix_bot_postmoogle_tls_key: "/ssl/live/{{ matrix_bot_postmoogle_domain }}/privkey.pem" +matrix_bot_postmoogle_tls_cert: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/live/{{ domain }}/fullchain.pem {% endfor %}" +matrix_bot_postmoogle_tls_key: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/live/{{ domain }}/privkey.pem {% endfor %}" matrix_bot_postmoogle_systemd_required_services_list: | {{ diff --git a/roles/custom/matrix-bot-postmoogle/defaults/main.yml b/roles/custom/matrix-bot-postmoogle/defaults/main.yml index af6c23ac0..9e30d7abb 100644 --- a/roles/custom/matrix-bot-postmoogle/defaults/main.yml +++ b/roles/custom/matrix-bot-postmoogle/defaults/main.yml 
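Review bot: The Jinja `for` loops in the new `matrix_bot_postmoogle_tls_cert` and `matrix_bot_postmoogle_tls_key` values leave a trailing space after the last path (`/ssl/live/a/fullchain.pem /ssl/live/b/fullchain.pem `), which postmoogle will only tolerate if it trims or drops empty fields when splitting the variable. Emitting the separator only between entries avoids the question and matches the `join(' ')` used in the env.j2 hunk: `matrix_bot_postmoogle_tls_cert: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/live/{{ domain }}/fullchain.pem{% if not loop.last %} {% endif %}{% endfor %}"`, and the same for the key line. A one-line comment above the pair that every domain in `matrix_bot_postmoogle_domains` must have a certificate under `matrix_bot_postmoogle_ssl_path` would also help, since the bot presumably tries to load all of the listed paths at startup.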
@@ -9,7 +9,7 @@ matrix_bot_postmoogle_docker_repo: "https://gitlab.com/etke.cc/postmoogle.git" matrix_bot_postmoogle_docker_repo_version: "{{ 'main' if matrix_bot_postmoogle_version == 'latest' else matrix_bot_postmoogle_version }}" matrix_bot_postmoogle_docker_src_files_path: "{{ matrix_base_data_path }}/postmoogle/docker-src" -matrix_bot_postmoogle_version: v0.9.8 +matrix_bot_postmoogle_version: v0.9.9 matrix_bot_postmoogle_docker_image: "{{ matrix_bot_postmoogle_docker_image_name_prefix }}postmoogle:{{ matrix_bot_postmoogle_version }}" matrix_bot_postmoogle_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_postmoogle_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}" matrix_bot_postmoogle_docker_image_force_pull: "{{ matrix_bot_postmoogle_docker_image.endswith(':latest') }}" @@ -108,8 +108,12 @@ matrix_bot_postmoogle_loglevel: 'INFO' # Disable encryption matrix_bot_postmoogle_noencryption: false +# deprecated, use matrix_bot_postmoogle_domains matrix_bot_postmoogle_domain: "{{ matrix_server_fqn_matrix }}" +matrix_bot_postmoogle_domains: + - "{{ matrix_bot_postmoogle_domain }}" # backward compatibility + # Password (passphrase) to encrypt account data matrix_bot_postmoogle_data_secret: "" 
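Review bot: The comment on the new `matrix_bot_postmoogle_domains` default does not state the operational consequence of the list, even though the group_vars/matrix_servers hunk in this commit now derives the TLS certificate and key paths from each entry; suggest `# Every domain listed here needs a certificate under matrix_bot_postmoogle_ssl_path (see group_vars/matrix_servers).` next to it. The `# deprecated` remark on `matrix_bot_postmoogle_domain` is also the only migration signal: a user who sets both variables has the old one silently ignored, whereas the Element role in this series reports such cases with a `(Deprecation) Catch and report` fail task in validate_config.yml. If this role has a validate_config.yml, a similar task would make the deprecation visible rather than comment-only; I cannot see it from the hunk.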
@@ -126,15 +130,15 @@ matrix_bot_postmoogle_submission_host_bind_port: '587' matrix_bot_postmoogle_ssl_path: "" ## in-container SSL paths -# matrix_bot_postmoogle_tls_cert is the SSL certificate's certificate. -# This is likely set via group_vars/matrix_servers, so you don't need to set it. +# matrix_bot_postmoogle_tls_cert is the SSL certificates' certificates. +# This var is likely set via group_vars/matrix_servers, so you don't need to set certs manually. # If you do need to set it manually, note that this is an in-container path. # To mount a certificates volumes into the container, use matrix_bot_postmoogle_ssl_path # Example value: /ssl/live/{{ matrix_bot_postmoogle_domain }}/fullchain.pem matrix_bot_postmoogle_tls_cert: "" -# matrix_bot_postmoogle_tls_key is the SSL certificate's key. -# This is likely set via group_vars/matrix_servers, so you don't need to set it. +# matrix_bot_postmoogle_tls_key is the SSL certificates' keys. +# This var is likely set via group_vars/matrix_servers, so you don't need to set keys manually. # If you do need to set it manually, note that this is an in-container path. # To mount a certificates volumes into the container, use matrix_bot_postmoogle_ssl_path # Example value: /ssl/live/{{ matrix_bot_postmoogle_domain }}/privkey.pem diff --git a/roles/custom/matrix-bot-postmoogle/templates/env.j2 b/roles/custom/matrix-bot-postmoogle/templates/env.j2 index c81510534..855bd882e 100644 --- a/roles/custom/matrix-bot-postmoogle/templates/env.j2 +++ b/roles/custom/matrix-bot-postmoogle/templates/env.j2 
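Review bot: The rewritten comments still give `/ssl/live/{{ matrix_bot_postmoogle_domain }}/fullchain.pem` and `.../privkey.pem` as example values, i.e. they reference the variable this same commit marks deprecated and show a single path, whereas group_vars/matrix_servers now sets these variables to one space-separated path per entry of `matrix_bot_postmoogle_domains`. Update both examples to the multi-domain form, e.g. `# Example value: /ssl/live/example.com/fullchain.pem /ssl/live/other.example.com/fullchain.pem (one path per domain in matrix_bot_postmoogle_domains, space-separated)`, so readers who set the variable by hand produce what the bot expects. The pre-existing "To mount a certificates volumes" wording (should be "a certificate volume") is cheap to fix while these lines are being touched.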
@@ -1,7 +1,7 @@ POSTMOOGLE_LOGIN={{ matrix_bot_postmoogle_login }} POSTMOOGLE_PASSWORD={{ matrix_bot_postmoogle_password }} POSTMOOGLE_HOMESERVER={{ matrix_bot_postmoogle_homeserver }} -POSTMOOGLE_DOMAIN={{ matrix_bot_postmoogle_domain }} +POSTMOOGLE_DOMAINS={{ matrix_bot_postmoogle_domains | join(' ') }} POSTMOOGLE_PORT={{ matrix_bot_postmoogle_port }} POSTMOOGLE_DB_DSN={{ matrix_bot_postmoogle_database_connection_string }} POSTMOOGLE_DB_DIALECT={{ matrix_bot_postmoogle_database_dialect }} From 59a01dabfc0b09b2ac3f8b81a8aecbe47b43bbde Mon Sep 17 00:00:00 2001 From: Dennis Ciba <73284509+DennisCiba@users.noreply.github.com> Date: Sat, 19 Nov 2022 16:18:32 +0100 Subject: [PATCH 024/915] Restructure the list of services in the README.md - Tried to split the list of services into distinct categories - Use tables instead of a list - Dropped "optional" flag, as every service is now optional anyways - Added links to the documentation where docs exist and were missing before - Split "Amazon S3" entry into two entries (Goofys and synapse-s3-storage-provider) - Moved note about not needing all services to the top of the section --- README.md | 211 ++++++++++++++++++++++++++++-------------------------- 1 file changed, 109 insertions(+), 102 deletions(-) diff --git a/README.md b/README.md index 569dbb3f8..3160238fb 100644 --- a/README.md +++ b/README.md 
@@ -15,137 +15,144 @@ We run all services in [Docker](https://www.docker.com/) containers (see [the co ## Supported services -Using this playbook, you can get the following services configured on your server: +Using this playbook, you can get the following list of services configured on your server. Basically, this playbook aims to get you up-and-running with all the necessities around Matrix, without you having to do anything else. -- (optional, default) a [Synapse](https://github.com/matrix-org/synapse) homeserver - storing your data and managing your presence in the [Matrix](http://matrix.org/) network - -- (optional) a [Conduit](https://conduit.rs) homeserver - storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Conduit is a lightweight open-source server implementation of the Matrix Specification with a focus on easy setup and low system requirements - -- (optional) a [Dendrite](https://github.com/matrix-org/dendrite) homeserver - storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Dendrite is a second-generation Matrix homeserver written in Go, an alternative to Synapse. - -- (optional) [Amazon S3](https://aws.amazon.com/s3/) (or other S3-compatible object store) storage for Synapse's content repository (`media_store`) files using [Goofys](https://github.com/kahing/goofys) or [`synapse-s3-storage-provider`](https://github.com/matrix-org/synapse-s3-storage-provider) - -- (optional, default) [PostgreSQL](https://www.postgresql.org/) database for Synapse. [Using an external PostgreSQL server](docs/configuring-playbook-external-postgres.md) is also possible. 
- -- (optional, default) a [coturn](https://github.com/coturn/coturn) STUN/TURN server for WebRTC audio/video calls - -- (optional, default) free [Let's Encrypt](https://letsencrypt.org/) SSL certificate, which secures the connection to the Synapse server and the Element web UI - -- (optional, default) an [Element](https://app.element.io/) ([formerly Riot](https://element.io/previously-riot)) web UI, which is configured to connect to your own Synapse server by default - -- (optional) a [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server - -- (optional, default) an [Exim](https://www.exim.org/) mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) - -- (optional, default) an [nginx](http://nginx.org/) web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](docs/configuring-playbook-own-webserver.md) - -- (optional, advanced) the [matrix-synapse-rest-auth](https://github.com/ma1uta/matrix-synapse-rest-password-provider) REST authentication password provider module - -- (optional, advanced) the [matrix-synapse-shared-secret-auth](https://github.com/devture/matrix-synapse-shared-secret-auth) password provider module - -- (optional, advanced) the [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) LDAP Auth password provider module - -- (optional, advanced) the [matrix-ldap-registration-proxy](https://gitlab.com/activism.international/matrix_ldap_registration_proxy) a proxy that handles Matrix registration requests and forwards them to LDAP. 
- -- (optional, advanced) the [synapse-simple-antispam](https://github.com/t2bot/synapse-simple-antispam) spam checker module - -- (optional, advanced) the [Matrix Corporal](https://github.com/devture/matrix-corporal) reconciliator and gateway for a managed Matrix server - -- (optional) the [mautrix-discord](https://github.com/mautrix/discord) bridge for bridging your Matrix server to [Discord](https://discord.com/) - see [docs/configuring-playbook-bridge-mautrix-discord.md](docs/configuring-playbook-bridge-mautrix-discord.md) for setup documentation - -- (optional) the [mautrix-telegram](https://github.com/mautrix/telegram) bridge for bridging your Matrix server to [Telegram](https://telegram.org/) - -- (optional) the [mautrix-whatsapp](https://github.com/mautrix/whatsapp) bridge for bridging your Matrix server to [WhatsApp](https://www.whatsapp.com/) - -- (optional) the [mautrix-facebook](https://github.com/mautrix/facebook) bridge for bridging your Matrix server to [Facebook](https://facebook.com/) - -- (optional) the [mautrix-twitter](https://github.com/mautrix/twitter) bridge for bridging your Matrix server to [Twitter](https://twitter.com/) - -- (optional) the [mautrix-hangouts](https://github.com/mautrix/hangouts) bridge for bridging your Matrix server to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) - -- (optional) the [mautrix-googlechat](https://github.com/mautrix/googlechat) bridge for bridging your Matrix server to [Google Chat](https://en.wikipedia.org/wiki/Google_Chat) - -- (optional) the [mautrix-instagram](https://github.com/mautrix/instagram) bridge for bridging your Matrix server to [Instagram](https://instagram.com/) - -- (optional) the [mautrix-signal](https://github.com/mautrix/signal) bridge for bridging your Matrix server to [Signal](https://www.signal.org/) - -- (optional) the [beeper-linkedin](https://github.com/beeper/linkedin) bridge for bridging your Matrix server to [LinkedIn](https://www.linkedin.com/) - -- 
(optional) the [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) bridge for bridging your Matrix server to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) - -- (optional) the [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) bridge for bridging your Matrix server to [Discord](https://discordapp.com/) - -- (optional) the [matrix-appservice-slack](https://github.com/matrix-org/matrix-appservice-slack) bridge for bridging your Matrix server to [Slack](https://slack.com/) - -- (optional) the [matrix-appservice-webhooks](https://github.com/turt2live/matrix-appservice-webhooks) bridge for slack compatible webhooks ([ConcourseCI](https://concourse-ci.org/), [Slack](https://slack.com/) etc. pp.) - -- (optional) the [matrix-hookshot](https://github.com/Half-Shot/matrix-hookshot) bridge for bridging Matrix to generic webhooks and multiple project management services, such as GitHub, GitLab, Figma, and Jira in particular - -- (optional) the [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) for bridging your Matrix server to SMS - see [docs/configuring-playbook-bridge-matrix-bridge-sms.md](docs/configuring-playbook-bridge-matrix-bridge-sms.md) for setup documentation - -- (optional) the [Heisenbridge](https://github.com/hifi/heisenbridge) for bridging your Matrix server to IRC bouncer-style - see [docs/configuring-playbook-bridge-heisenbridge.md](docs/configuring-playbook-bridge-heisenbridge.md) for setup documentation - -- (optional) the [go-skype-bridge](https://github.com/kelaresg/go-skype-bridge) for bridging your Matrix server to [Skype](https://www.skype.com) - see [docs/configuring-playbook-bridge-go-skype-bridge.md](docs/configuring-playbook-bridge-go-skype-bridge.md) for setup documentation - -- (optional) the [mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-slack) for bridging your Matrix server to [Slack](https://slack.com) - see 
[docs/configuring-playbook-bridge-mx-puppet-slack.md](docs/configuring-playbook-bridge-mx-puppet-slack.md) for setup documentation +**Note**: the list below is exhaustive. It includes optional or even some advanced components that you will most likely not need. +Sticking with the defaults (which install a subset of the above components) is the best choice, especially for a new installation. +You can always re-run the playbook later to add or remove components. -- (optional) the [mx-puppet-instagram](https://github.com/Sorunome/mx-puppet-instagram) bridge for Instagram-DMs ([Instagram](https://www.instagram.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-instagram.md](docs/configuring-playbook-bridge-mx-puppet-instagram.md) for setup documentation -- (optional) the [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) bridge for Twitter-DMs ([Twitter](https://twitter.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-twitter.md](docs/configuring-playbook-bridge-mx-puppet-twitter.md) for setup documentation +### Homeserver -- (optional) the [mx-puppet-discord](https://github.com/matrix-discord/mx-puppet-discord) bridge for [Discord](https://discordapp.com/) - see [docs/configuring-playbook-bridge-mx-puppet-discord.md](docs/configuring-playbook-bridge-mx-puppet-discord.md) for setup documentation +The homeserver is the backbone of your matrix system. Choose one from the following list. -- (optional) the [mx-puppet-groupme](https://gitlab.com/xangelix-pub/matrix/mx-puppet-groupme) bridge for [GroupMe](https://groupme.com/) - see [docs/configuring-playbook-bridge-mx-puppet-groupme.md](docs/configuring-playbook-bridge-mx-puppet-groupme.md) for setup documentation +| Name | Default? 
| Description | Documentation | +| ---- | -------- | ----------- | ------------- | +| [Synapse](https://github.com/matrix-org/synapse) | ✓ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network | [Link](docs/configuring-playbook-synapse.md) | +| [Conduit](https://conduit.rs) | x | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Conduit is a lightweight open-source server implementation of the Matrix Specification with a focus on easy setup and low system requirements | [Link](docs/configuring-playbook-conduit.md) | +| [Dendrite](https://github.com/matrix-org/dendrite) | x | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Dendrite is a second-generation Matrix homeserver written in Go, an alternative to Synapse. | - | -- (optional) the [mx-puppet-steam](https://github.com/icewind1991/mx-puppet-steam) bridge for [Steam](https://steamapp.com/) - see [docs/configuring-playbook-bridge-mx-puppet-steam.md](docs/configuring-playbook-bridge-mx-puppet-steam.md) for setup documentation +### Clients -- (optional) [Email2Matrix](https://github.com/devture/email2matrix) for relaying email messages to Matrix rooms - see [docs/configuring-playbook-email2matrix.md](docs/configuring-playbook-email2matrix.md) for setup documentation +Web clients for matrix that you can host on your own domains. -- (optional) [Dimension](https://github.com/turt2live/matrix-dimension), an open source integrations manager for matrix clients - see [docs/configuring-playbook-dimension.md](docs/configuring-playbook-dimension.md) for setup documentation +| Name | Default? 
| Description | Documentation | +| ---- | -------- | ----------- | ------------- | +[Element](https://app.element.io/) | ✓ | Web UI, which is configured to connect to your own Synapse server by default | [Link](docs/configuring-playbook-client-element.md) | +| [Hydrogen](https://github.com/vector-im/hydrogen-web) | x | Web client | [Link](docs/configuring-playbook-client-hydrogen.md) | +| [Cinny](https://github.com/ajbura/cinny) | x | Web client | [Link](docs/configuring-playbook-client-cinny.md) | -- (optional) [Etherpad](https://etherpad.org), an open source collaborative text editor - see [docs/configuring-playbook-etherpad.md](docs/configuring-playbook-etherpad.md) for setup documentation -- (optional) [Jitsi](https://jitsi.org/), an open source video-conferencing platform - see [docs/configuring-playbook-jitsi.md](docs/configuring-playbook-jitsi.md) for setup documentation -- (optional) [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) for scheduling one-off & recurring reminders and alarms - see [docs/configuring-playbook-bot-matrix-reminder-bot.md](docs/configuring-playbook-bot-matrix-reminder-bot.md) for setup documentation +### Server Components -- (optional) [matrix-registration-bot](https://github.com/moan0s/matrix-registration-bot) for invitations by creating and managing registration tokens - see [docs/configuring-playbook-bot-matrix-registration-bot.md](docs/configuring-playbook-bot-matrix-registration-bot.md) for setup documentation +Services that run on the server to make the various parts of your installation work. -- (optional) [maubot](https://github.com/maubot/maubot) a plugin-based Matrix bot system - see [docs/configuring-playbook-bot-maubot.md](docs/configuring-playbook-bot-maubot.md) for setup documentation +| Name | Default? | Description | Documentation | +| ---- | -------- | ----------- | ------------- | +| [PostgreSQL](https://www.postgresql.org/)| ✓ | Database for Synapse. 
[Using an external PostgreSQL server](docs/configuring-playbook-external-postgres.md) is also possible. | [Link](docs/configuring-playbook-external-postgres.md) | +| [Coturn](https://github.com/coturn/coturn) | ✓ | STUN/TURN server for WebRTC audio/video calls | [Link](docs/configuring-playbook-turn.md) | +| [nginx](http://nginx.org/) | ✓ | Web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](docs/configuring-playbook-own-webserver.md) | [Link](docs/configuring-playbook-nginx.md) | +| [Let's Encrypt](https://letsencrypt.org/) | ✓ | Free SSL certificate, which secures the connection to the Synapse server and the Element web UI | [Link](docs/configuring-playbook-ssl-certificates.md) | +| [ma1sd](https://github.com/ma1uta/ma1sd) | x | Matrix Identity Server | [Link](configuring-playbook-ma1sd.md) +| [Exim](https://www.exim.org/) | ✓ | Mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) | - | +| [Dimension](https://github.com/turt2live/matrix-dimension) | x | An open source integrations manager for matrix clients | [Link](docs/configuring-playbook-dimension.md) | +| [Sygnal](https://github.com/matrix-org/sygnal) | x | Push gateway | [Link](docs/configuring-playbook-sygnal.md) | +| [ntfy](https://ntfy.sh) | x | Push notifications server | [Link](docs/configuring-playbook-ntfy.md) | -- (optional) [honoroit](https://gitlab.com/etke.cc/honoroit) helpdesk bot - see [docs/configuring-playbook-bot-honoroit.md](docs/configuring-playbook-bot-honoroit.md) for setup documentation -- (optional) [Postmoogle](https://gitlab.com/etke.cc/postmoogle) email to matrix bot - see [docs/configuring-playbook-bot-postmoogle.md](docs/configuring-playbook-bot-postmoogle.md) for setup documentation +### Authentication -- (optional) [Go-NEB](https://github.com/matrix-org/go-neb) multi functional bot written in Go - see 
[docs/configuring-playbook-bot-go-neb.md](docs/configuring-playbook-bot-go-neb.md) for setup documentation +Extend and modify how users are authenticated on your homeserver. -- (optional) [Mjolnir](https://github.com/matrix-org/mjolnir), a moderation tool for Matrix - see [docs/configuring-playbook-bot-mjolnir.md](docs/configuring-playbook-bot-mjolnir.md) for setup documentation +| Name | Default? | Description | Documentation | +| ---- | -------- | ----------- | ------------- | +| [matrix-synapse-rest-auth](https://github.com/ma1uta/matrix-synapse-rest-password-provider) (advanced) | x | REST authentication password provider module | [Link](docs/configuring-playbook-rest-auth.md) | +|[matrix-synapse-shared-secret-auth](https://github.com/devture/matrix-synapse-shared-secret-auth) (advanced) | x | Password provider module | [Link](docs/configuring-playbook-shared-secret-auth.md) | +| [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) (advanced) | x | LDAP Auth password provider module | [Link](configuring-playbook-ldap-auth.md) | +| [matrix-ldap-registration-proxy](https://gitlab.com/activism.international/matrix_ldap_registration_proxy) (advanced) | x | A proxy that handles Matrix registration requests and forwards them to LDAP. 
| [Link](docs/configuring-playbook-matrix-ldap-registration-proxy.md) | +| [matrix-registration](https://github.com/ZerataX/matrix-registration) | x | A simple python application to have a token based matrix registration | [Link](docs/configuring-playbook-matrix-registration.md) | -- (optional) [synapse-admin](https://github.com/Awesome-Technologies/synapse-admin), a web UI tool for administrating users and rooms on your Matrix server - see [docs/configuring-playbook-synapse-admin.md](docs/configuring-playbook-synapse-admin.md) for setup documentation -- (optional) [matrix-registration](https://github.com/ZerataX/matrix-registration), a simple python application to have a token based matrix registration - see [docs/configuring-playbook-matrix-registration.md](docs/configuring-playbook-matrix-registration.md) for setup documentation +### File Storage -- (optional) the [Prometheus](https://prometheus.io) time-series database server, the Prometheus [node-exporter](https://prometheus.io/docs/guides/node-exporter/) host metrics exporter, and the [Grafana](https://grafana.com/) web UI - see [Enabling metrics and graphs (Prometheus, Grafana) for your Matrix server](docs/configuring-playbook-prometheus-grafana.md) for setup documentation +Use alternative file storage to the default `media_store` folder. -- (optional) the [Sygnal](https://github.com/matrix-org/sygnal) push gateway - see [Setting up the Sygnal push gateway](docs/configuring-playbook-sygnal.md) for setup documentation +| Name | Default? 
| Description | Documentation | +| ---- | -------- | ----------- | ------------- | +| [Goofys](https://github.com/kahing/goofys) | x | [Amazon S3](https://aws.amazon.com/s3/) (or other S3-compatible object store) storage for Synapse's content repository (`media_store`) files | [Link](docs/configuring-playbook-s3-goofys.md) | +| [synapse-s3-storage-provider](https://github.com/matrix-org/synapse-s3-storage-provider) | x | [Amazon S3](https://aws.amazon.com/s3/) (or other S3-compatible object store) storage for Synapse's content repository (`media_store`) files | [Link](docs/configuring-playbook-s3.md) | -- (optional) the [ntfy](https://ntfy.sh) push notifications server - see [docs/configuring-playbook-ntfy.md](docs/configuring-playbook-ntfy.md) for setup documentation +### Bridges -- (optional) the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client - see [docs/configuring-playbook-client-hydrogen.md](docs/configuring-playbook-client-hydrogen.md) for setup documentation +Bridges can be used to connect your matrix installation with third-party communication networks. -- (optional) the [Cinny](https://github.com/ajbura/cinny) web client - see [docs/configuring-playbook-client-cinny.md](docs/configuring-playbook-client-cinny.md) for setup documentation +| Name | Default? 
| Description | Documentation | +| ---- | -------- | ----------- | ------------- | +[mautrix-discord](https://github.com/mautrix/discord) | x | Bridge for bridging your Matrix server to [Discord](https://discord.com/) | [Link](docs/configuring-playbook-bridge-mautrix-discord.md) | +| [mautrix-telegram](https://github.com/mautrix/telegram) | x | Bridge for bridging your Matrix server to [Telegram](https://telegram.org/) | [Link](docs/configuring-playbook-bridge-mautrix-telegram.md) | +| [mautrix-whatsapp](https://github.com/mautrix/whatsapp) | x | Bridge for bridging your Matrix server to [WhatsApp](https://www.whatsapp.com/) | [Link](docs/configuring-playbook-bridge-mautrix-whatsapp.md) | +| [mautrix-facebook](https://github.com/mautrix/facebook) | x | Bridge for bridging your Matrix server to [Facebook](https://facebook.com/) | [Link](docs/configuring-playbook-bridge-mautrix-facebook.md) | +| [mautrix-twitter](https://github.com/mautrix/twitter) | x | Bridge for bridging your Matrix server to [Twitter](https://twitter.com/) | [Link](docs/configuring-playbook-bridge-mautrix-twitter.md) | +| [mautrix-hangouts](https://github.com/mautrix/hangouts) | x | Bridge for bridging your Matrix server to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) | [Link](docs/configuring-playbook-bridge-mautrix-hangouts.md) | +| [mautrix-googlechat](https://github.com/mautrix/googlechat) | x | Bridge for bridging your Matrix server to [Google Chat](https://en.wikipedia.org/wiki/Google_Chat) | [Link](docs/configuring-playbook-bridge-mautrix-googlechat.md) | +| [mautrix-instagram](https://github.com/mautrix/instagram) | x | Bridge for bridging your Matrix server to [Instagram](https://instagram.com/) | [Link](docs/configuring-playbook-bridge-mautrix-instagram.md) | +| [mautrix-signal](https://github.com/mautrix/signal) | x | Bridge for bridging your Matrix server to [Signal](https://www.signal.org/) | [Link](docs/configuring-playbook-bridge-mautrix-signal.md) | +| 
[beeper-linkedin](https://github.com/beeper/linkedin) | x | Bridge for bridging your Matrix server to [LinkedIn](https://www.linkedin.com/) | [Link](docs/configuring-playbook-bridge-beeper-linkedin.md) | +| [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) | x | Bridge for bridging your Matrix server to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) | [Link](docs/configuring-playbook-bridge-appservice-irc.md) | +| [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) | x | Bridge for bridging your Matrix server to [Discord](https://discordapp.com/) | [Link](docs/configuring-playbook-bridge-appservice-discord.md) | +| [matrix-appservice-slack](https://github.com/matrix-org/matrix-appservice-slack) | x | Bridge for bridging your Matrix server to [Slack](https://slack.com/) | [Link](docs/configuring-playbook-bridge-appservice-slack.md) | +| [matrix-appservice-webhooks](https://github.com/turt2live/matrix-appservice-webhooks) | x | Bridge for slack compatible webhooks ([ConcourseCI](https://concourse-ci.org/), [Slack](https://slack.com/) etc. pp.) 
| [Link](docs/configuring-playbook-bridge-appservice-webhooks.md) | +| [matrix-hookshot](https://github.com/Half-Shot/matrix-hookshot) | x | Bridge for bridging Matrix to generic webhooks and multiple project management services, such as GitHub, GitLab, Figma, and Jira in particular | [Link](docs/configuring-playbook-bridge-hookshot.md) | +| [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) | x | Bridge for bridging your Matrix server to SMS | [Link](docs/configuring-playbook-bridge-matrix-bridge-sms.md) | +| [Heisenbridge](https://github.com/hifi/heisenbridge) | x | Bridge for bridging your Matrix server to IRC bouncer-style | [Link](docs/configuring-playbook-bridge-heisenbridge.md) | +| [go-skype-bridge](https://github.com/kelaresg/go-skype-bridge) | x | Bridge for bridging your Matrix server to [Skype](https://www.skype.com) | [Link](docs/configuring-playbook-bridge-go-skype-bridge.md) | +| [mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-slack) | x | Bridge for bridging your Matrix server to [Slack](https://slack.com) | [Link](docs/configuring-playbook-bridge-mx-puppet-slack.md) | +| [mx-puppet-instagram](https://github.com/Sorunome/mx-puppet-instagram) | x | Bridge for Instagram-DMs ([Instagram](https://www.instagram.com/)) | [Link](docs/configuring-playbook-bridge-mx-puppet-instagram.md) | +| [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) | x | Bridge for Twitter-DMs ([Twitter](https://twitter.com/)) | [Link](docs/configuring-playbook-bridge-mx-puppet-twitter.md) | +| [mx-puppet-discord](https://github.com/matrix-discord/mx-puppet-discord) | x | Bridge for [Discord](https://discordapp.com/) | [Link](docs/configuring-playbook-bridge-mx-puppet-discord.md) | +| [mx-puppet-groupme](https://gitlab.com/xangelix-pub/matrix/mx-puppet-groupme) | x | Bridge for [GroupMe](https://groupme.com/) | [Link](docs/configuring-playbook-bridge-mx-puppet-groupme.md) | +| 
[mx-puppet-steam](https://github.com/icewind1991/mx-puppet-steam) | x | Bridge for [Steam](https://steamapp.com/) | [Link](docs/configuring-playbook-bridge-mx-puppet-steam.md) | +| [Email2Matrix](https://github.com/devture/email2matrix) | x | Bridge for relaying email messages to Matrix rooms | [Link](docs/configuring-playbook-email2matrix.md) | -- (optional) the [Borg](https://borgbackup.org) backup - see [docs/configuring-playbook-backup-borg.md](docs/configuring-playbook-backup-borg.md) for setup documentation -- (optional) the [Buscarron](https://gitlab.com/etke.cc/buscarron) bot - see [docs/configuring-playbook-bot-buscarron.md](docs/configuring-playbook-bot-buscarron.md) for setup documentation +### Bots -- (optional) [Cactus Comments](https://cactus.chat), a federated comment system built on matrix - see [docs/configuring-playbook-cactus-comments.md](docs/configuring-playbook-cactus-comments.md) for setup documentation +Bots provide various additional functionality to your installation. -Basically, this playbook aims to get you up-and-running with all the necessities around Matrix, without you having to do anything else. +| Name | Default? 
| Description | Documentation | +| ---- | -------- | ----------- | ------------- | +| [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) | x | Bot for scheduling one-off & recurring reminders and alarms | [Link](docs/configuring-playbook-bot-matrix-reminder-bot.md) | +| [matrix-registration-bot](https://github.com/moan0s/matrix-registration-bot) | x | Bot for invitations by creating and managing registration tokens | [Link](docs/configuring-playbook-bot-matrix-registration-bot.md) | +| [maubot](https://github.com/maubot/maubot) | x | A plugin-based Matrix bot system | [Link](docs/configuring-playbook-bot-maubot.md) | +| [honoroit](https://gitlab.com/etke.cc/honoroit) | x | A helpdesk bot | [Link](docs/configuring-playbook-bot-honoroit.md) | +| [Postmoogle](https://gitlab.com/etke.cc/postmoogle) | x | Email to matrix bot | [Link](docs/configuring-playbook-bot-postmoogle.md) | +| [Go-NEB](https://github.com/matrix-org/go-neb) | x | A multi functional bot written in Go | [Link](docs/configuring-playbook-bot-go-neb.md) | +| [Mjolnir](https://github.com/matrix-org/mjolnir) | x | A moderation tool for Matrix | [Link](docs/configuring-playbook-bot-mjolnir.md) | +| [Buscarron](https://gitlab.com/etke.cc/buscarron) | x | Web forms (HTTP POST) to matrix | [Link](docs/configuring-playbook-bot-buscarron.md) | -**Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need. -Sticking with the defaults (which install a subset of the above components) is the best choice, especially for a new installation. -You can always re-run the playbook later to add or remove components. +### Administration + +Services that help you in administrating and monitoring your matrix installation. + + +| Name | Default? 
| Description | Documentation | +| ---- | -------- | ----------- | ------------- | +| [synapse-admin](https://github.com/Awesome-Technologies/synapse-admin) | x | A web UI tool for administrating users and rooms on your Matrix server | [Link](docs/configuring-playbook-synapse-admin.md) | +| Metrics and Graphs | x | Consists of the [Prometheus](https://prometheus.io) time-series database server, the Prometheus [node-exporter](https://prometheus.io/docs/guides/node-exporter/) host metrics exporter, and the [Grafana](https://grafana.com/) web UI | [Link](docs/configuring-playbook-prometheus-grafana.md) | +| [Borg](https://borgbackup.org) | x | Backups | [Link](docs/configuring-playbook-backup-borg.md) | + +### Misc + +Various services that don't fit any other category. + +| Name | Default? | Description | Documentation | +| ---- | -------- | ----------- | ------------- | +| [synapse-simple-antispam](https://github.com/t2bot/synapse-simple-antispam) (advanced) | x | A spam checker module | [Link](docs/configuring-playbook-synapse-simple-antispam.md) | +| [Matrix Corporal](https://github.com/devture/matrix-corporal) (advanced) | x | Reconciliator and gateway for a managed Matrix server | [Link](docs/configuring-playbook-matrix-corporal.md) | +| [Etherpad](https://etherpad.org) | x | An open source collaborative text editor | [Link](docs/configuring-playbook-etherpad.md) | +| [Jitsi](https://jitsi.org/) | x | An open source video-conferencing platform | [Link](docs/configuring-playbook-jitsi.md) | +| [Cactus Comments](https://cactus.chat) | x | A federated comment system built on matrix | [Link](docs/configuring-playbook-cactus-comments.md) | ## Installation From 7cc668489b86ff48c56f5260ac882a8ec75352cc Mon Sep 17 00:00:00 2001 
From: Array in a Matrix Date: Sun, 20 Nov 2022 00:11:21 -0800 Subject: [PATCH 025/915] add auto join option to dendrite config (#2255) * add auto join option to dendrite config * added auto_join_rooms: variable * added "configuring dendrite" entry * created dendrite configuration documentation * fixed config path * Update docs/configuring-playbook-dendrite.md Co-authored-by: Slavi Pantaleev * Update docs/configuring-playbook-dendrite.md Co-authored-by: Slavi Pantaleev * Update docs/configuring-playbook-dendrite.md Co-authored-by: Slavi Pantaleev * Update docs/configuring-playbook-dendrite.md Co-authored-by: Slavi Pantaleev * Update docs/configuring-playbook-dendrite.md Co-authored-by: Slavi Pantaleev * Update roles/custom/matrix-dendrite/defaults/main.yml Co-authored-by: Slavi Pantaleev * correction Co-authored-by: Slavi Pantaleev --- docs/configuring-playbook-dendrite.md | 32 +++++++++++++++++++ docs/configuring-playbook.md | 2 ++ .../custom/matrix-dendrite/defaults/main.yml | 2 ++ .../templates/dendrite/dendrite.yaml.j2 | 2 ++ 4 files changed, 38 insertions(+) create mode 100644 docs/configuring-playbook-dendrite.md diff --git a/docs/configuring-playbook-dendrite.md b/docs/configuring-playbook-dendrite.md new file mode 100644 index 000000000..fcd5693de --- /dev/null +++ b/docs/configuring-playbook-dendrite.md 
@@ -0,0 +1,32 @@ +# Configuring Dendrite (optional) + +By default, this playbook configures the [Synapse](https://github.com/matrix-org/synapse) Matrix server, but you can also use [Dendrite](https://github.com/matrix-org/dendrite). + +**NOTES**: + +- **You can't switch an existing Matrix server's implementation** (e.g. Synapse -> Dendrite). Proceed below only if you're OK with losing data or you're dealing with a server on a new domain name, which hasn't participated in the Matrix federation yet. + +- **homeserver implementations other than Synapse may not be fully functional**. The playbook may also not assist you in an optimal way (like it does with Synapse). Make yourself familiar with the downsides before proceeding + +The playbook provided settings for Dendrite are defined in [`roles/custom/matrix-dendrite/defaults/main.yml`](../roles/custom/matrix-dendrite/defaults/main.yml) and they ultimately end up in the generated `/matrix/dendrite/config/dendrite.yaml` file (on the server). This file is generated from the [`roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2`](../roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2) template. + +**If there's an existing variable** which controls a setting you wish to change, you can simply define that variable in your configuration file (`inventory/host_vars/matrix./vars.yml`) and [re-run the playbook](installing.md) to apply the changes. + +Alternatively, **if there is no pre-defined variable** for a Dendrite setting you wish to change: + +- you can either **request a variable to be created** (or you can submit such a contribution yourself). Keep in mind that it's **probably not a good idea** to create variables for each one of Dendrite's various settings that rarely get used. 
+ +- or, you can **extend and override the default configuration** ([`dendrite.yaml.j2`](../roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2)) by making use of the `matrix_dendrite_configuration_extension_yaml` variable. You can find information about this in [`roles/custom/matrix-dendrite/defaults/main.yml`](../roles/custom/matrix-dendrite/defaults/main.yml). + +- or, if extending the configuration is still not powerful enough for your needs, you can **override the configuration completely** using `matrix_dendrite_configuration` (or `matrix_dendrite_configuration_yaml`). You can find information about this in [`roles/custom/matrix-dendrite/defaults/main.yml`](../roles/custom/matrix-dendrite/defaults/main.yml). + + + +## Installation + +To use Dendrite, you **generally** need the following additional `vars.yml` configuration: + +```yaml +matrix_homeserver_implementation: dendrite +``` + diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 127ab47da..fa00c858d 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -47,6 +47,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Configuring Conduit](configuring-playbook-conduit.md), if you've switched to the [Conduit](https://conduit.rs) homeserver implementation (optional) + - [Configuring Dendrite](configuring-playbook-dendrite.md), if you've switched to the [Dendrite](https://matrix-org.github.io/dendrite) homeserver implementation (optional) + - [Configuring Element](configuring-playbook-client-element.md) (optional) - [Storing Matrix media files on Amazon S3](configuring-playbook-s3.md) (optional) diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml index b9dddfe9b..698a1f48d 100644 --- a/roles/custom/matrix-dendrite/defaults/main.yml +++ b/roles/custom/matrix-dendrite/defaults/main.yml 
@@ -194,3 +194,5 @@ matrix_dendrite_configuration_extension: "{{ matrix_dendrite_configuration_exten # Holds the final Dendrite configuration (a combination of the default and its extension). # You most likely don't need to touch this variable. Instead, see `matrix_dendrite_configuration_yaml`. matrix_dendrite_configuration: "{{ matrix_dendrite_configuration_yaml | from_yaml | combine(matrix_dendrite_configuration_extension, recursive=True) }}" + +matrix_dendrite_userapi_auto_join_rooms: [] diff --git a/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 index 86a12d7c2..7d99aee55 100644 --- a/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 +++ b/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -382,6 +382,7 @@ user_api: # is considered to be valid in milliseconds. # The default lifetime is 3600000ms (60 minutes). # openid_token_lifetime_ms: 3600000 + auto_join_rooms: {{ matrix_dendrite_userapi_auto_join_rooms | to_json }} # Not in dendrite-config.yaml, but is in build/docker/config/dendrite.yaml # Configuration for the Push Server API. @@ -414,3 +415,4 @@ tracing: # Logging configuration, in addition to the standard logging that is sent to # stdout by Dendrite. logging: [] + From 424de93f82e16033113f6497be4a1594088234f6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 20 Nov 2022 11:13:23 +0200 Subject: [PATCH 026/915] Remove useless matrix_nginx_proxy_synapse_presence_disabled variable definition --- group_vars/matrix_servers | 2 -- 1 file changed, 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 1c6416bc7..db910f4a5 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
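Review bot: `matrix_dendrite_userapi_auto_join_rooms: []` is added to defaults/main.yml without a comment, while the neighbouring variable in this file carries one (`# Holds the final Dendrite configuration ...`), so a reader has no hint of the expected element format or effect. Suggested comment above it: `# List of rooms (presumably aliases or IDs, as accepted by Dendrite's user_api.auto_join_rooms) that users are joined to automatically; rendered into dendrite.yaml via the template.` As a point of placement, it is appended after `matrix_dendrite_configuration`, which the existing comment describes as the final combined configuration, whereas this variable is an input to the template that feeds that configuration; defining it alongside the other template inputs would keep the file's ordering consistent. The same missing comment applies to the `dendrite.yaml.j2` hunk `@@ -382,6 +382,7 @@`, where the new `auto_join_rooms:` line is inserted immediately before `# Not in dendrite-config.yaml, but is in build/docker/config/dendrite.yaml`, which appears to belong to the following Push Server section and now reads as if it described the new key — a blank line or its own comment would avoid that.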
@@ -1815,8 +1815,6 @@ matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_ret # and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1074 matrix_nginx_proxy_ocsp_stapling_enabled: "{{ matrix_ssl_retrieval_method != 'self-signed' }}" -matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_presence_enabled }}" - matrix_nginx_proxy_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}" matrix_nginx_proxy_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}" matrix_nginx_proxy_synapse_generic_worker_client_server_locations: "{{ matrix_synapse_workers_generic_worker_client_server_endpoints }}" From e9e84341a91fb0013469d74ee8c88c2edb5ad3a5 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sun, 20 Nov 2022 16:43:30 +0200 Subject: [PATCH 027/915] Reverse-proxy to Synapse via matrix-synapse-reverse-proxy-companion Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2090 --- CHANGELOG.md | 48 ++++ docs/configuring-playbook-email2matrix.md | 2 +- docs/configuring-playbook-federation.md | 3 + docs/configuring-playbook-own-webserver.md | 31 +-- examples/caddy/matrix-synapse | 4 +- group_vars/matrix_servers | 70 +++--- playbooks/matrix.yml | 1 + .../custom/matrix-corporal/defaults/main.yml | 2 +- .../matrix-nginx-proxy/defaults/main.yml | 23 -- .../tasks/setup_nginx_proxy.yml | 10 +- .../nginx/conf.d/matrix-synapse.conf.j2 | 158 ------------- .../templates/nginx/nginx.conf.j2 | 4 +- .../systemd/matrix-nginx-proxy.service.j2 | 3 - .../defaults/main.yml | 164 ++++++++++++++ .../tasks/init.yml | 6 + .../tasks/main.yml | 19 ++ .../tasks/setup_install.yml | 44 ++++ .../tasks/setup_uninstall.yml | 30 +++ ...ix-synapse-reverse-proxy-companion.conf.j2 | 208 ++++++++++++++++++ .../templates/nginx/conf.d/nginx-http.conf.j2 | 13 ++ .../templates/nginx/nginx.conf.j2 | 66 ++++++ ...synapse-reverse-proxy-companion.service.j2 | 53 +++++ .../tasks/validate_config.yml | 3 + 23 files changed, 720 insertions(+), 245 deletions(-) create mode 100644 roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml create mode 100644 roles/custom/matrix-synapse-reverse-proxy-companion/tasks/init.yml create mode 100644 roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml create mode 100644 roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_install.yml create mode 100644 roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_uninstall.yml create mode 100644 roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 create mode 100644 roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/nginx-http.conf.j2 create 
mode 100644 roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/nginx.conf.j2 create mode 100755 roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 209e99459..0e11f8ef0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,51 @@ +# 2022-11-20 + +## (Backward Compatibility Break) Changing how reverse-proxying to Synapse works - now via a `matrix-synapse-reverse-proxy-companion` service + +**TLDR**: There's now a `matrix-synapse-reverse-proxy-companion` nginx service, which helps with reverse-proxying to Synapse and its various worker processes (if workers are enabled), so that `matrix-nginx-proxy` can be relieved of this role. `matrix-nginx-proxy` still remains as the public SSL-terminating reverse-proxy in the playbook. `matrix-synapse-reverse-proxy-companion` is just one more reverse-proxy thrown into the mix for convenience. People with a more custom reverse-proxying configuration may be affected - see [Webserver configuration](#webserver-configuration) below. + +### Background + +Previously, `matrix-nginx-proxy` forwarded requests to Synapse directly. When Synapse is running in worker mode, the reverse-proxying configuration is more complicated (different requests need to go to different Synapse worker processes). `matrix-nginx-proxy` had configuration for sending each URL endpoint to the correct Synapse worker responsible for handling it. However, sometimes people like to disable `matrix-nginx-proxy` (for whatever reason) as detailed in [Using your own webserver, instead of this playbook's nginx proxy](docs/configuring-playbook-own-webserver.md). + +Because `matrix-nginx-proxy` was so central to request forwarding, when it was disabled and Synapse was running with workers enabled, there was nothing which could forward requests to the correct place anymore.. which caused [problems such as this one affecting Dimension](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2090). + +### Solution + +From now on, `matrix-nginx-proxy` is relieved of its function of reverse-proxying to Synapse and its various worker processes. 
+This role is now handled by the new `matrix-synapse-reverse-proxy-companion` nginx service and works even if `matrix-nginx-proxy` is disabled. +The purpose of the new `matrix-synapse-reverse-proxy-companion` service is to: + +- serve as a companion to Synapse and know how to reverse-proxy to Synapse correctly (no matter if workers are enabled or not) + +- provide a unified container address for reaching Synapse (no matter if workers are enabled or not) + - `matrix-synapse-reverse-proxy-companion:8008` for Synapse Client-Server API traffic + - `matrix-synapse-reverse-proxy-companion:8048` for Synapse Server-Server (Federation) API traffic + +- simplify `matrix-nginx-proxy` configuration - it now only needs to send requests to `matrix-synapse-reverse-proxy-companion` or `matrix-dendrite`, etc., without having to worry about workers + +- allow reverse-proxying to Synapse, even if `matrix-nginx-proxy` is disabled + +`matrix-nginx-proxy` still remains as the public SSL-terminating reverse-proxy in the playbook. All traffic goes through it before reaching any of the services. +It's just that now the Synapse traffic is routed through `matrix-synapse-reverse-proxy-companion` like this: + +(`matrix-nginx-proxy` -> `matrix-synapse-reverse-proxy-companion` -> (`matrix-synapse` or some Synapse worker)). + +Various services (like Dimension, etc.) still talk to Synapse via `matrix-nginx-proxy` (e.g. `http://matrix-nginx-proxy:12080`) preferentially. They only talk to Synapse via the reverse-proxy companion (e.g. `http://matrix-synapse-reverse-proxy-companion:8008`) if `matrix-nginx-proxy` is disabled. Services should not be talking to Synapse (e.g. `https://matrix-synapse:8008` directly anymore), because when workers are enabled, that's the Synapse `master` process and may not be serving all URL endpoints needed by the service. 
+ +### Webserver configuration + +- if you're using `matrix-nginx-proxy` (`matrix_nginx_proxy_enabled: true`, which is the default for the playbook), you don't need to do anything + +- if you're using your own `nginx` webserver running on the server, you shouldn't be affected. The `/matrix/nginx/conf.d` configuration and exposed ports that you're relying on will automatically be updated in a way that should work + +- if you're using another local webserver (e.g. Apache, etc.) and haven't changed any ports (`matrix_*_host_bind_port` definitions), you shouldn't be affected. You're likely sending Matrix traffic to `127.0.0.1:8008` and `127.0.0.1:8048`. These ports (`8008` and `8048`) will still be exposed on `127.0.0.1` by default - just not by the `matrix-synapse` container from now on, but by the `matrix-synapse-reverse-proxy-companion` container instead + +- if you've been exposing `matrix-synapse` ports (`matrix_synapse_container_client_api_host_bind_port`, etc.) manually, you should consider exposing `matrix-synapse-reverse-proxy-companion` ports instead + +- if you're running Traefik and reverse-proxying directly to the `matrix-synapse` container, you should start reverse-proxying to the `matrix-synapse-reverse-proxy-companion` container instead. See [our updated Traefik example configuration](docs/configuring-playbook-own-webserver.md#sample-configuration-for-running-behind-traefik-20). Note: we now recommend calling the federation entry point `federation` (instead of `synapse`) and reverse-proxying the federation traffic via `matrix-nginx-proxy`, instead of sending it directly to Synapse (or `matrix-synapse-reverse-proxy-companion`). This makes the configuration simpler. + + # 2022-11-05 ## (Backward Compatibility Break) A new default standalone mode for Etherpad diff --git a/docs/configuring-playbook-email2matrix.md b/docs/configuring-playbook-email2matrix.md index 56e181f1d..d65d2ccdb 100644 --- a/docs/configuring-playbook-email2matrix.md 
+++ b/docs/configuring-playbook-email2matrix.md @@ -70,7 +70,7 @@ matrix_email2matrix_matrix_mappings: SkipMarkdown: true ``` -You can also set `MatrixHomeserverUrl` to `http://matrix-synapse:8008`, instead of the public `https://matrix.DOMAIN`. +You can also set `MatrixHomeserverUrl` to `http://matrix-synapse-reverse-proxy-companion:8008`, instead of the public `https://matrix.DOMAIN`. However, that's more likely to break in the future if you switch to another server implementation than Synapse. Re-run the playbook (`--tags=setup-email2matrix,start`) and try sending an email to `my-mailbox@matrix.DOMAIN`. diff --git a/docs/configuring-playbook-federation.md b/docs/configuring-playbook-federation.md index 4650b5e2c..5a1e76e5d 100644 --- a/docs/configuring-playbook-federation.md +++ b/docs/configuring-playbook-federation.md @@ -46,6 +46,9 @@ matrix_synapse_federation_port_enabled: false # This removes the `8448` virtual host from the matrix-nginx-proxy reverse-proxy server. matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false + +# This stops the federation port on the synapse-reverse-proxy-companion side (normally `matrix-synapse-reverse-proxy-companion:8048` on the container network). +matrix_synapse_reverse_proxy_companion_federation_api_enabled: false ``` ## Changing the federation port from 8448 to a different port to use a CDN that only accepts 443/80 ports diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 9fd51086b..04e2e4870 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md 
@@ -40,8 +40,8 @@ No matter which external webserver you decide to go with, you'll need to: Here are the variables required for the default configuration (Synapse and Element) ``` - matrix_synapse_container_client_api_host_bind_port: '0.0.0.0:8008' - matrix_synapse_container_federation_api_plain_host_bind_port: '0.0.0.0:8048' + matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: '0.0.0.0:8008' + matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: '0.0.0.0:8048' matrix_client_element_container_http_host_bind_port: "0.0.0.0:8765" ``` 
@@ -172,31 +172,24 @@ matrix_nginx_proxy_container_extra_arguments: # The Nginx proxy container will receive traffic from these subdomains - '--label "traefik.http.routers.matrix-nginx-proxy.rule=Host(`{{ matrix_server_fqn_matrix }}`,`{{ matrix_server_fqn_element }}`,`{{ matrix_server_fqn_dimension }}`,`{{ matrix_server_fqn_jitsi }}`)"' - # (The 'web-secure' entrypoint must bind to port 443 in Traefik config) - '--label "traefik.http.routers.matrix-nginx-proxy.entrypoints=web-secure"' - # (The 'default' certificate resolver must be defined in Traefik config) - '--label "traefik.http.routers.matrix-nginx-proxy.tls.certResolver=default"' - # The Nginx proxy container uses port 8080 internally - '--label "traefik.http.services.matrix-nginx-proxy.loadbalancer.server.port=8080"' -matrix_synapse_container_extra_arguments: - # May be unnecessary depending on Traefik config, but can't hurt - - '--label "traefik.enable=true"' - - # The Synapse container will receive traffic from this subdomain - - '--label "traefik.http.routers.matrix-synapse.rule=Host(`{{ matrix_server_fqn_matrix }}`)"' - - # (The 'synapse' entrypoint must bind to port 8448 in Traefik config) - - '--label "traefik.http.routers.matrix-synapse.entrypoints=synapse"' - + # Federation + - '--label "traefik.http.routers.matrix-nginx-proxy-federation.rule=Host(`{{ matrix_server_fqn_matrix }}`)"' + # (The 'federation' entrypoint must bind to port 8448 in Traefik config) + - '--label "traefik.http.routers.matrix-nginx-proxy-federation.entrypoints=federation"' # (The 'default' certificate resolver must be defined in Traefik config) - - '--label "traefik.http.routers.matrix-synapse.tls.certResolver=default"' + - '--label "traefik.http.routers.matrix-nginx-proxy-federation.tls.certResolver=default"' + # The Nginx proxy container uses port `matrix_nginx_proxy_proxy_matrix_federation_port (8448) internally + - '--label "traefik.http.services.matrix-nginx-proxy-federation.loadbalancer.server.port={{ 
matrix_nginx_proxy_proxy_matrix_federation_port }}"' + - '--label "traefik.http.services.matrix-nginx-proxy-federation.loadbalancer.server.scheme={{ 'https' if matrix_nginx_proxy_https_enabled else 'http' }}"' - # The Synapse container uses port 8048 internally - - '--label "traefik.http.services.matrix-synapse.loadbalancer.server.port=8048"' +matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled: true ``` This method uses labels attached to the Nginx and Synapse containers to provide the Traefik Docker provider with the information it needs to proxy `matrix.DOMAIN`, `element.DOMAIN`, `dimension.DOMAIN` and `jitsi.DOMAIN`. Some [static configuration](https://docs.traefik.io/v2.0/reference/static-configuration/file/) is required in Traefik; namely, having endpoints on ports 443 and 8448 and having a certificate resolver. @@ -240,7 +233,7 @@ services: - "--providers.docker.network=traefik" - "--providers.docker.exposedbydefault=false" - "--entrypoints.web-secure.address=:443" - - "--entrypoints.synapse.address=:8448" + - "--entrypoints.federation.address=:8448" - "--certificatesresolvers.default.acme.tlschallenge=true" - "--certificatesresolvers.default.acme.email=YOUR EMAIL" - "--certificatesresolvers.default.acme.storage=/letsencrypt/acme.json" diff --git a/examples/caddy/matrix-synapse b/examples/caddy/matrix-synapse index c1893ebbf..46c48ab65 100644 --- a/examples/caddy/matrix-synapse +++ b/examples/caddy/matrix-synapse @@ -21,11 +21,11 @@ https://matrix.DOMAIN { } # Synapse Client<>Server API - proxy /_matrix matrix-synapse:8008 { + proxy /_matrix matrix-synapse-reverse-proxy-companion:8008 { transparent except /_matrix/identity/ /_matrix/client/r0/user_directory/search } - proxy /_synapse/client matrix-synapse:8008 { + proxy /_synapse/client matrix-synapse-reverse-proxy-companion:8008 { transparent } } diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index db910f4a5..23ce1d3d6 100755 --- a/group_vars/matrix_servers 
+++ b/group_vars/matrix_servers @@ -57,12 +57,10 @@ devture_playbook_state_preserver_commit_hash_preservation_dst: "{{ matrix_base_d matrix_identity_server_url: "{{ ('https://' + matrix_server_fqn_matrix) if matrix_ma1sd_enabled else None }}" -# If Synapse workers are enabled and matrix-nginx-proxy is disabled, certain APIs may not work over 'http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}'. -# This is because we explicitly disable them for the main Synapse process. matrix_homeserver_container_url: |- {{ 'http://matrix-nginx-proxy:12080' if matrix_nginx_proxy_enabled else { - 'synapse': ('http://matrix-synapse:'+ matrix_synapse_container_client_api_port|string), + 'synapse': ('http://matrix-synapse-reverse-proxy-companion:8008' if matrix_synapse_reverse_proxy_companion_enabled else 'http://matrix-synapse:'+ matrix_synapse_container_client_api_port|string), 'dendrite': ('http://matrix-dendrite:' + matrix_dendrite_http_bind_port|string), 'conduit': ('http://matrix-conduit:' + matrix_conduit_port_number|string), }[matrix_homeserver_implementation] @@ -71,7 +69,7 @@ matrix_homeserver_container_url: |- matrix_homeserver_container_federation_url: |- {{ 'http://matrix-nginx-proxy:12088' if matrix_nginx_proxy_enabled else { - 'synapse': ('http://matrix-synapse:'+ matrix_synapse_container_federation_api_plain_port|string), + 'synapse': ('http://matrix-synapse-reverse-proxy-companion:8048' if matrix_synapse_reverse_proxy_companion_enabled else 'http://matrix-synapse:'+ matrix_synapse_container_federation_api_plain_port|string), 'dendrite': ('http://matrix-dendrite:' + matrix_dendrite_http_bind_port|string), 'conduit': ('http://matrix-conduit:' + matrix_conduit_port_number|string), }[matrix_homeserver_implementation] 
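Review bot: The removed two-line comment in `@@ -57,12 +57,10 @@` explained that `http://matrix-synapse:<port>` is not safe when Synapse workers are enabled, because some APIs are disabled on the main process; the new `'synapse'` entry still falls back to exactly that address when `matrix_synapse_reverse_proxy_companion_enabled` is false, so the caveat still applies but is no longer written down. Proposed comment on the fallback branch: `# The direct matrix-synapse address is only complete when workers are disabled; with workers enabled, use the reverse-proxy companion.` The same applies to the federation URL in `@@ -71,7 +69,7 @@` of this file. If the companion is meant to be mandatory whenever workers are enabled, a validation-time check (the commit touches `tasks/validate_config.yml`, not visible here) would make that explicit instead of relying on the comment.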
@@ -1720,6 +1718,7 @@ matrix_ma1sd_database_password: "{{ '%s' | format(matrix_homeserver_generic_secr # ###################################################################### + ###################################################################### # # matrix-nginx-proxy @@ -1782,10 +1781,10 @@ matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-ngin matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:12088" matrix_nginx_proxy_proxy_synapse_enabled: "{{ matrix_synapse_enabled }}" -matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "matrix-synapse:{{ matrix_synapse_container_client_api_port }}" -matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "127.0.0.1:{{ matrix_synapse_container_client_api_port }}" -matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-synapse:{{matrix_synapse_container_federation_api_plain_port | string}}" -matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "127.0.0.1:{{matrix_synapse_container_federation_api_plain_port | string}}" +matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "{{ 'matrix-synapse-reverse-proxy-companion:8008' if matrix_synapse_reverse_proxy_companion_enabled else 'matrix-synapse:8008' }}" +matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "127.0.0.1:8008" +matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "{{ 'matrix-synapse-reverse-proxy-companion:8048' if matrix_synapse_reverse_proxy_companion_enabled else 'matrix-synapse:8048' }}" +matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "127.0.0.1:8048" matrix_nginx_proxy_proxy_dendrite_enabled: "{{ matrix_dendrite_enabled }}" matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: "matrix-dendrite:{{ matrix_dendrite_http_bind_port | string }}" 
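Review bot: The non-companion fallback and the `sans_container` addresses in the `@@ -1782` hunk now hardcode `8008`/`8048`, where the replaced lines derived them from `matrix_synapse_container_client_api_port` and `matrix_synapse_container_federation_api_plain_port`; the companion's own defaults added later in this patch still build `matrix_synapse_reverse_proxy_companion_client_api_addr` and `..._federation_api_addr` from those same variables. An operator who overrides those ports and disables the companion would have matrix-nginx-proxy pointed at a port Synapse no longer listens on. Suggest keeping the variables in the fallback branch, e.g. `else 'matrix-synapse:' + matrix_synapse_container_client_api_port | string` (and the federation equivalent), or documenting that 8008/8048 are now fixed. The `@@ -1720` hunk on the same line only adds a blank line.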
@@ -1815,24 +1814,14 @@ matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_ret # and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1074 matrix_nginx_proxy_ocsp_stapling_enabled: "{{ matrix_ssl_retrieval_method != 'self-signed' }}" -matrix_nginx_proxy_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}" -matrix_nginx_proxy_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}" -matrix_nginx_proxy_synapse_generic_worker_client_server_locations: "{{ matrix_synapse_workers_generic_worker_client_server_endpoints }}" -matrix_nginx_proxy_synapse_generic_worker_federation_locations: "{{ matrix_synapse_workers_generic_worker_federation_endpoints }}" -matrix_nginx_proxy_synapse_stream_writer_typing_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_typing_stream_worker_client_server_endpoints }}" -matrix_nginx_proxy_synapse_stream_writer_to_device_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_to_device_stream_worker_client_server_endpoints }}" -matrix_nginx_proxy_synapse_stream_writer_account_data_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_account_data_stream_worker_client_server_endpoints }}" -matrix_nginx_proxy_synapse_stream_writer_receipts_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_receipts_stream_worker_client_server_endpoints }}" -matrix_nginx_proxy_synapse_stream_writer_presence_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_presence_stream_worker_client_server_endpoints }}" -matrix_nginx_proxy_synapse_media_repository_locations: "{{matrix_synapse_workers_media_repository_endpoints|default([]) }}" -matrix_nginx_proxy_synapse_user_dir_locations: "{{ matrix_synapse_workers_user_dir_worker_client_server_endpoints|default([]) }}" - matrix_nginx_proxy_systemd_wanted_services_list: | {{ ['matrix-' + matrix_homeserver_implementation + 
'.service'] + (matrix_synapse_webserving_workers_systemd_services_list if matrix_homeserver_implementation == 'synapse' and matrix_synapse_workers_enabled else []) + + (['matrix-synapse-reverse-proxy-companion.service'] if matrix_synapse_reverse_proxy_companion_enabled else []) + + (['matrix-corporal.service'] if matrix_corporal_enabled else []) + (['matrix-ma1sd.service'] if matrix_ma1sd_enabled else []) @@ -2328,16 +2317,6 @@ matrix_synapse_container_image_self_build: "{{ matrix_architecture not in ['arm6 # When ma1sd is enabled, we can use it to validate phone numbers. It's something that the homeserver cannot do by itself. matrix_synapse_account_threepid_delegates_msisdn: "{{ 'http://matrix-ma1sd:' + matrix_ma1sd_container_port | string if matrix_ma1sd_enabled else '' }}" -# Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network. -# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, -# you can expose Synapse's ports to the host. -# -# For exposing the Matrix Client API's port (plain HTTP) to the local host. -matrix_synapse_container_client_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:' + matrix_synapse_container_client_api_port | string }}" -# -# For exposing the Matrix Federation API's plain port (plain HTTP) to the local host. -matrix_synapse_container_federation_api_plain_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:' + matrix_synapse_container_federation_api_plain_port | string }}" -# # For exposing the Matrix Federation API's TLS port (HTTPS) to the internet on all network interfaces. matrix_synapse_container_federation_api_tls_host_bind_port: "{{ matrix_federation_public_port if (matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled) else '' }}" # 
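Review bot: Dropping `matrix_synapse_container_client_api_host_bind_port` and `matrix_synapse_container_federation_api_plain_host_bind_port` in the `@@ -2328` hunk leaves no loopback-exposed Synapse endpoint when both `matrix_nginx_proxy_enabled` and `matrix_synapse_reverse_proxy_companion_enabled` are false; the replacement bindings introduced later in this patch (`matrix_synapse_reverse_proxy_companion_container_*_host_bind_port`) only take effect while the companion is enabled. Operators running their own reverse proxy against `127.0.0.1:8008` with the companion switched off would lose that endpoint without any playbook error. If that combination is meant to stay supported, keep the two lines but condition them on both proxies being off, e.g. `'' if (matrix_nginx_proxy_enabled or matrix_synapse_reverse_proxy_companion_enabled) else '127.0.0.1:' + matrix_synapse_container_client_api_port | string`; otherwise a validate_config entry would make the removal explicit. Whether such a check exists is outside this diff.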
@@ -2426,6 +2405,37 @@ matrix_synapse_app_service_runtime_injected_config_files: "{{ matrix_homeserver_ # ###################################################################### +###################################################################### +# +# matrix-synapse-reverse-proxy-companion +# +###################################################################### + +matrix_synapse_reverse_proxy_companion_enabled: "{{ matrix_synapse_enabled }}" + +matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb: "{{ matrix_synapse_max_upload_size_mb }}" + +matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8008' }}" +matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8048' }}" + +matrix_synapse_reverse_proxy_companion_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}" +matrix_synapse_reverse_proxy_companion_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}" +matrix_synapse_reverse_proxy_companion_synapse_generic_worker_client_server_locations: "{{ matrix_synapse_workers_generic_worker_client_server_endpoints }}" +matrix_synapse_reverse_proxy_companion_synapse_generic_worker_federation_locations: "{{ matrix_synapse_workers_generic_worker_federation_endpoints }}" +matrix_synapse_reverse_proxy_companion_synapse_stream_writer_typing_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_typing_stream_worker_client_server_endpoints }}" +matrix_synapse_reverse_proxy_companion_synapse_stream_writer_to_device_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_to_device_stream_worker_client_server_endpoints }}" +matrix_synapse_reverse_proxy_companion_synapse_stream_writer_account_data_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_account_data_stream_worker_client_server_endpoints }}" 
+matrix_synapse_reverse_proxy_companion_synapse_stream_writer_receipts_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_receipts_stream_worker_client_server_endpoints }}" +matrix_synapse_reverse_proxy_companion_synapse_stream_writer_presence_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_presence_stream_worker_client_server_endpoints }}" +matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations: "{{matrix_synapse_workers_media_repository_endpoints|default([]) }}" +matrix_synapse_reverse_proxy_companion_synapse_user_dir_locations: "{{ matrix_synapse_workers_user_dir_worker_client_server_endpoints|default([]) }}" + +###################################################################### +# +# /matrix-synapse-reverse-proxy-companion +# +###################################################################### + ###################################################################### # # matrix-synapse-admin diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index 2e648732a..6c7dc3833 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml @@ -58,6 +58,7 @@ - custom/matrix-bot-mjolnir - custom/matrix-cactus-comments - custom/matrix-synapse + - custom/matrix-synapse-reverse-proxy-companion - custom/matrix-dendrite - custom/matrix-conduit - custom/matrix-synapse-admin diff --git a/roles/custom/matrix-corporal/defaults/main.yml b/roles/custom/matrix-corporal/defaults/main.yml index 8c391dfbf..1bed88813 100644 --- a/roles/custom/matrix-corporal/defaults/main.yml +++ b/roles/custom/matrix-corporal/defaults/main.yml 
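Review bot: The old `matrix_nginx_proxy_synapse_cache_*` and `matrix_nginx_proxy_synapse_*_locations` variables are deleted from the nginx-proxy defaults elsewhere in this patch, but nothing in this new group_vars section maps an operator's existing `matrix_nginx_proxy_synapse_cache_enabled: true` onto `matrix_synapse_reverse_proxy_companion_synapse_cache_enabled`, so media caching is silently switched off on upgrade. Consider a backward-compatible bridge such as `matrix_synapse_reverse_proxy_companion_synapse_cache_enabled: "{{ matrix_nginx_proxy_synapse_cache_enabled | default(false) }}"`, or a validate_config entry flagging the renamed variables; I cannot see from this diff whether such a check exists. The `playbooks/matrix.yml` hunk sharing this line only registers the new role.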
@@ -37,7 +37,7 @@ matrix_corporal_var_dir_path: "{{ matrix_corporal_base_path }}/var" matrix_corporal_matrix_homeserver_domain_name: "{{ matrix_domain }}" -# Controls where matrix-corporal can reach your Synapse server (e.g. "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}"). +# Controls where matrix-corporal can reach your Synapse server (e.g. "http://matrix-synapse-reverse-proxy-companion:{{ matrix_synapse_container_client_api_port }}"). # If Synapse runs on the same machine, you may need to add its service to `matrix_corporal_systemd_required_services_list`. matrix_corporal_matrix_homeserver_api_endpoint: "" diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index 967a72679..886e35131 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml 
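Review bot: The updated example URL `http://matrix-synapse-reverse-proxy-companion:{{ matrix_synapse_container_client_api_port }}` pairs the companion's hostname with Synapse's configurable port, while elsewhere in this patch the companion is addressed on a fixed container port (`tcp/8008 in the container`, `matrix-synapse-reverse-proxy-companion:8008`). If an operator changes `matrix_synapse_container_client_api_port`, the example points at a port the companion does not listen on. Suggest `# Controls where matrix-corporal can reach your Synapse server (e.g. "http://matrix-synapse-reverse-proxy-companion:8008").`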
@@ -639,29 +639,6 @@ matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: false matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ['{{ ansible_default_ipv4.address }}'] -# synapse worker activation and endpoint mappings -matrix_nginx_proxy_synapse_workers_enabled: false -matrix_nginx_proxy_synapse_workers_list: [] -matrix_nginx_proxy_synapse_generic_worker_client_server_locations: [] -matrix_nginx_proxy_synapse_generic_worker_federation_locations: [] -matrix_nginx_proxy_synapse_stream_writer_typing_stream_worker_client_server_locations: [] -matrix_nginx_proxy_synapse_stream_writer_to_device_stream_worker_client_server_locations: [] -matrix_nginx_proxy_synapse_stream_writer_account_data_stream_worker_client_server_locations: [] -matrix_nginx_proxy_synapse_stream_writer_receipts_stream_worker_client_server_locations: [] -matrix_nginx_proxy_synapse_stream_writer_presence_stream_worker_client_server_locations: [] -matrix_nginx_proxy_synapse_media_repository_locations: [] -matrix_nginx_proxy_synapse_user_dir_locations: [] - -# synapse content caching -matrix_nginx_proxy_synapse_cache_enabled: false -matrix_nginx_proxy_synapse_cache_path: "{{ '/tmp/synapse-cache' if matrix_nginx_proxy_enabled else matrix_nginx_proxy_data_path + '/synapse-cache' }}" -matrix_nginx_proxy_synapse_cache_keys_zone_name: "STATIC" -matrix_nginx_proxy_synapse_cache_keys_zone_size: "10m" -matrix_nginx_proxy_synapse_cache_inactive_time: "48h" -matrix_nginx_proxy_synapse_cache_max_size_mb: 1024 -matrix_nginx_proxy_synapse_cache_proxy_cache_valid_time: "24h" - - # The amount of worker processes and connections # Consider increasing these when you are expecting high amounts of traffic # http://nginx.org/en/docs/ngx_core_module.html#worker_connections diff --git a/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 4a74d3991..50e8ab9b9 100644 --- a/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml 
+++ b/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -12,17 +12,15 @@ # - name: Ensure Matrix nginx-proxy paths exist ansible.builtin.file: - path: "{{ item.path }}" + path: "{{ item }}" state: directory mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" with_items: - - {path: "{{ matrix_nginx_proxy_base_path }}", when: true} - - {path: "{{ matrix_nginx_proxy_data_path }}", when: true} - - {path: "{{ matrix_nginx_proxy_confd_path }}", when: true} - - {path: "{{ matrix_nginx_proxy_synapse_cache_path }}", when: "{{ matrix_nginx_proxy_synapse_cache_enabled and not matrix_nginx_proxy_enabled }}"} - when: item.when | bool + - "{{ matrix_nginx_proxy_base_path }}" + - "{{ matrix_nginx_proxy_data_path }}" + - "{{ matrix_nginx_proxy_confd_path }}" - name: Ensure Matrix nginx-proxy configured (main config override) ansible.builtin.template: diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index da1893299..4d121e7d9 100644 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 
@@ -1,70 +1,5 @@ #jinja2: lstrip_blocks: "True" -{% set generic_workers = matrix_nginx_proxy_synapse_workers_list | selectattr('type', 'equalto', 'generic_worker') | list %} -{% set stream_writer_typing_stream_workers = matrix_nginx_proxy_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'typing') | list %} -{% set stream_writer_to_device_stream_workers = matrix_nginx_proxy_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'to_device') | list %} -{% set stream_writer_account_data_stream_workers = matrix_nginx_proxy_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'account_data') | list %} -{% set stream_writer_receipts_stream_workers = matrix_nginx_proxy_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'receipts') | list %} -{% set stream_writer_presence_stream_workers = matrix_nginx_proxy_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'presence') | list %} -{% set media_repository_workers = matrix_nginx_proxy_synapse_workers_list | selectattr('type', 'equalto', 'media_repository') | list %} -{% set user_dir_workers = matrix_nginx_proxy_synapse_workers_list | selectattr('type', 'equalto', 'user_dir') | list %} - -{% macro render_worker_upstream(name, workers, matrix_nginx_proxy_enabled) %} -{% if workers | length > 0 %} - upstream {{ name }} { - {% for worker in workers %} - {% if matrix_nginx_proxy_enabled %} - server "{{ worker.name }}:{{ worker.port }}"; - {% else %} - server "127.0.0.1:{{ worker.port }}"; - {% endif %} - {% endfor %} - } -{% endif %} -{% endmacro %} - -{% macro render_locations_to_upstream(locations, upstream_name) %} - {% for location in locations %} - location ~ {{ location }} { - proxy_pass http://{{ 
upstream_name }}$request_uri; - proxy_set_header Host $host; - } - {% endfor %} -{% endmacro %} - -{% if matrix_nginx_proxy_synapse_workers_enabled %} - {% if matrix_nginx_proxy_synapse_cache_enabled %} - proxy_cache_path {{ matrix_nginx_proxy_synapse_cache_path }} levels=1:2 keys_zone={{ matrix_nginx_proxy_synapse_cache_keys_zone_name }}:{{ matrix_nginx_proxy_synapse_cache_keys_zone_size }} inactive={{ matrix_nginx_proxy_synapse_cache_inactive_time }} max_size={{ matrix_nginx_proxy_synapse_cache_max_size_mb }}m; - {% endif %} - # Round Robin "upstream" pools for workers - - {% if generic_workers |length > 0 %} - upstream generic_workers_upstream { - # ensures that requests from the same client will always be passed - # to the same server (except when this server is unavailable) - hash $http_x_forwarded_for; - - {% for worker in generic_workers %} - {% if matrix_nginx_proxy_enabled %} - server "{{ worker.name }}:{{ worker.port }}"; - {% else %} - server "127.0.0.1:{{ worker.port }}"; - {% endif %} - {% endfor %} - } - {% endif %} - - {{ render_worker_upstream('stream_writer_typing_stream_workers_upstream', stream_writer_typing_stream_workers, matrix_nginx_proxy_enabled) }} - {{ render_worker_upstream('stream_writer_to_device_stream_workers_upstream', stream_writer_to_device_stream_workers, matrix_nginx_proxy_enabled) }} - {{ render_worker_upstream('stream_writer_account_data_stream_workers_upstream', stream_writer_account_data_stream_workers, matrix_nginx_proxy_enabled) }} - {{ render_worker_upstream('stream_writer_receipts_stream_workers_upstream', stream_writer_receipts_stream_workers, matrix_nginx_proxy_enabled) }} - {{ render_worker_upstream('stream_writer_presence_stream_workers_upstream', stream_writer_presence_stream_workers, matrix_nginx_proxy_enabled) }} - - {{ render_worker_upstream('media_repository_workers_upstream', media_repository_workers, matrix_nginx_proxy_enabled) }} - - {{ render_worker_upstream('user_dir_workers_upstream', user_dir_workers, 
matrix_nginx_proxy_enabled) }} -{% endif %} - server { listen 12080; {% if matrix_nginx_proxy_enabled %} 
@@ -77,71 +12,6 @@ server { gzip on; gzip_types text/plain application/json; - {% if matrix_nginx_proxy_synapse_workers_enabled %} - {# Workers redirects BEGIN #} - - {% if generic_workers | length > 0 %} - # https://matrix-org.github.io/synapse/latest/workers.html#synapseappgeneric_worker - {{ render_locations_to_upstream(matrix_nginx_proxy_synapse_generic_worker_client_server_locations, 'generic_workers_upstream') }} - {% endif %} - - {% if stream_writer_typing_stream_workers | length > 0 %} - # https://matrix-org.github.io/synapse/latest/workers.html#the-typing-stream - {{ render_locations_to_upstream(matrix_nginx_proxy_synapse_stream_writer_typing_stream_worker_client_server_locations, 'stream_writer_typing_stream_workers_upstream') }} - {% endif %} - - {% if stream_writer_to_device_stream_workers | length > 0 %} - # https://matrix-org.github.io/synapse/latest/workers.html#the-to_device-stream - {{ render_locations_to_upstream(matrix_nginx_proxy_synapse_stream_writer_to_device_stream_worker_client_server_locations, 'stream_writer_to_device_stream_workers_upstream') }} - {% endif %} - - {% if stream_writer_account_data_stream_workers | length > 0 %} - # https://matrix-org.github.io/synapse/latest/workers.html#the-account_data-stream - {{ render_locations_to_upstream(matrix_nginx_proxy_synapse_stream_writer_account_data_stream_worker_client_server_locations, 'stream_writer_account_data_stream_workers_upstream') }} - {% endif %} - - {% if stream_writer_receipts_stream_workers | length > 0 %} - # https://matrix-org.github.io/synapse/latest/workers.html#the-receipts-stream - {{ render_locations_to_upstream(matrix_nginx_proxy_synapse_stream_writer_receipts_stream_worker_client_server_locations, 'stream_writer_receipts_stream_workers_upstream') }} - {% endif %} - - {% if stream_writer_presence_stream_workers | length > 0 %} - # https://matrix-org.github.io/synapse/latest/workers.html#the-presence-stream - {{ 
render_locations_to_upstream(matrix_nginx_proxy_synapse_stream_writer_presence_stream_worker_client_server_locations, 'stream_writer_presence_stream_workers_upstream') }} - {% endif %} - - {% if media_repository_workers | length > 0 %} - # https://matrix-org.github.io/synapse/latest/workers.html#synapseappmedia_repository - {% for location in matrix_nginx_proxy_synapse_media_repository_locations %} - location ~ {{ location }} { - proxy_pass http://media_repository_workers_upstream$request_uri; - proxy_set_header Host $host; - - client_body_buffer_size 25M; - client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; - proxy_max_temp_file_size 0; - - {% if matrix_nginx_proxy_synapse_cache_enabled %} - proxy_buffering on; - proxy_cache {{ matrix_nginx_proxy_synapse_cache_keys_zone_name }}; - proxy_cache_valid any {{ matrix_nginx_proxy_synapse_cache_proxy_cache_valid_time }}; - proxy_force_ranges on; - add_header X-Cache-Status $upstream_cache_status; - {% endif %} - } - {% endfor %} - {% endif %} - - {% if user_dir_workers | length > 0 %} - # https://matrix-org.github.io/synapse/latest/workers.html#updating-the-user-directory - # If matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled is set, requests may not reach here, - # but could be captured early on (see `matrix-domain.conf.j2`) and forwarded elsewhere (to an identity server, etc.). - {{ render_locations_to_upstream(matrix_nginx_proxy_synapse_user_dir_locations, 'user_dir_workers_upstream') }} - {% endif %} - {# Workers redirects END #} - {% endif %} - - {% for configuration_block in matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} 
@@ -180,34 +50,6 @@ server { gzip on; gzip_types text/plain application/json; - {% if matrix_nginx_proxy_synapse_workers_enabled %} - {% if generic_workers | length > 0 %} - # https://matrix-org.github.io/synapse/latest/workers.html#synapseappgeneric_worker - {{ render_locations_to_upstream(matrix_nginx_proxy_synapse_generic_worker_federation_locations, 'generic_workers_upstream') }} - {% endif %} - {% if media_repository_workers | length > 0 %} - # https://matrix-org.github.io/synapse/latest/workers.html#synapseappmedia_repository - {% for location in matrix_nginx_proxy_synapse_media_repository_locations %} - location ~ {{ location }} { - proxy_pass http://media_repository_workers_upstream$request_uri; - proxy_set_header Host $host; - - client_body_buffer_size 25M; - client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M; - proxy_max_temp_file_size 0; - - {% if matrix_nginx_proxy_synapse_cache_enabled %} - proxy_buffering on; - proxy_cache {{ matrix_nginx_proxy_synapse_cache_keys_zone_name }}; - proxy_cache_valid any {{ matrix_nginx_proxy_synapse_cache_proxy_cache_valid_time }}; - proxy_force_ranges on; - add_header X-Cache-Status $upstream_cache_status; - {% endif %} - } - {% endfor %} - {% endif %} - {% endif %} - location / { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 index 1084d8cab..5aeeb6f40 100644 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 
@@ -42,9 +42,9 @@ http { {% else %} access_log off; {% endif %} - + proxy_connect_timeout {{ matrix_nginx_proxy_connect_timeout }}; - proxy_send_timeout {{ matrix_nginx_proxy_send_timeout }}; + proxy_send_timeout {{ matrix_nginx_proxy_send_timeout }}; proxy_read_timeout {{ matrix_nginx_proxy_read_timeout }}; send_timeout {{ matrix_nginx_send_timeout }}; diff --git a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index ee32be38e..a930d3b1a 100755 --- a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -22,9 +22,6 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name --cap-drop=ALL \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_nginx_proxy_tmp_directory_size_mb }}m \ - {% if matrix_nginx_proxy_synapse_cache_enabled %} - --tmpfs=/tmp/synapse-cache:rw,noexec,nosuid,size={{ matrix_nginx_proxy_tmp_cache_directory_size_mb }}m\ - {% endif %} --network={{ matrix_docker_network }} \ {% if matrix_nginx_proxy_container_http_host_bind_port %} -p {{ matrix_nginx_proxy_container_http_host_bind_port }}:8080 \ diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml new file mode 100644 index 000000000..13a9ca1ec --- /dev/null +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml 
@@ -0,0 +1,164 @@ +--- + +# matrix-synapse-reverse-proxy companion is a role which brings up a containerized nginx webserver which helps with reverse-proxying to Synapse. +# +# When Synapse is NOT running in worker-mode, reverse-proxying is relatively simple (everything goes to `matrix-synapse:XXXX`). +# +# When Synapse workers are enabled, however, the reverse-proxying configuration is much more complicated. +# Certain requests need to go to certain workers, etc. +# In the past, the main reverse proxy (`matrix-synapse-reverse-proxy-companion`) was handling request routing to the appropriate workers, +# but that only worked well for external requests (from outside of the Matrix server itself). +# +# Without the help of `matrix-synapse-reverse-proxy-companion`, internal services (like Dimension) that would like to talk to Synapse over the container network +# did not have an endpoint for Synapse that they could be pointed to and have it just work. +# If `matrix-synapse-reverse-proxy-companion` was enabled, Dimension could be pointed to its vhost handling Synapse and routing to the appropriate workers, +# but when `matrix-synapse-reverse-proxy-companion` was disabled, this helpful functionality was not available and the best we could do +# is point Dimension to the main Synapse process at `matrix-synapse:XXXX` itself. +# Doing that breaks requests that need to go to specific workers. +# See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2090 +# +# What this role does is, it extracts all the Synapse request routing out of the `matrix-synapse-reverse-proxy-companion` role here, +# and makes the `matrix-synapse-reverse-proxy-companion` container service represent Synapse and route appropriately, +# regardless of whether workers are enabled or disabled. +# All other playbook services can then forget about `matrix-synapse` or `matrix-synapse-whatever-worker`, etc., +# and just use `matrix-synapse-reverse-proxy-companion` as their request destination. 
+ +matrix_synapse_reverse_proxy_companion_enabled: true + +matrix_synapse_reverse_proxy_companion_version: 1.23.2-alpine + +matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion" +matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d" + +# List of systemd services that matrix-synapse-reverse-proxy-companion.service depends on +matrix_synapse_reverse_proxy_companion_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-synapse-reverse-proxy-companion.service wants +matrix_synapse_reverse_proxy_companion_systemd_wanted_services_list: ['matrix-synapse.service'] + +# We use an official nginx image, which we fix-up to run unprivileged. +# An alternative would be an `nginxinc/nginx-unprivileged` image, but +# that is frequently out of date. +matrix_synapse_reverse_proxy_companion_container_image: "{{ matrix_container_global_registry_prefix }}nginx:{{ matrix_synapse_reverse_proxy_companion_version }}" +matrix_synapse_reverse_proxy_companion_container_image_force_pull: "{{ matrix_synapse_reverse_proxy_companion_container_image.endswith(':latest') }}" + +matrix_synapse_reverse_proxy_companion_container_network: "{{ matrix_docker_network }}" + +# A list of additional container networks that matrix-synapse-reverse-proxy-companion would be connected to. +# The playbook does not create these networks, so make sure they already exist. +# +# Use this to expose matrix-synapse-reverse-proxy-companion to another reverse proxy, which runs in a different container network, +# without exposing all other Matrix services to that other reverse-proxy. 
+# +# For background, see: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1498 +matrix_synapse_reverse_proxy_companion_container_additional_networks: [] + +# Controls whether the matrix-synapse-reverse-proxy-companion container exposes its HTTP Client-Server API port (tcp/8008 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8008"), or empty string to not expose. +matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: '' + +# Controls whether the matrix-synapse-reverse-proxy-companion container exposes its HTTP Federation (Server-Server) API port (tcp/8048 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8048"), or empty string to not expose. +matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: '' + +# The amount of worker processes and connections +# Consider increasing these when you are expecting high amounts of traffic +# http://nginx.org/en/docs/ngx_core_module.html#worker_connections +matrix_synapse_reverse_proxy_companion_worker_processes: auto +matrix_synapse_reverse_proxy_companion_worker_connections: 1024 + +# Option to disable the access log +matrix_synapse_reverse_proxy_companion_access_log_enabled: true + +# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. +matrix_synapse_reverse_proxy_companion_tmp_directory_size_mb: "{{ (matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb | int) * 50 }}" +matrix_synapse_reverse_proxy_companion_tmp_cache_directory_size_mb: "{{ (matrix_synapse_reverse_proxy_companion_synapse_cache_max_size_mb | int) * 2 }}" + +# A list of strings containing additional configuration blocks to add to the nginx server configuration (nginx.conf). 
+# for big matrixservers to enlarge the number of open files to prevent timeouts +# matrix_synapse_reverse_proxy_companion_additional_configuration_blocks: +# - 'worker_rlimit_nofile 30000;' +matrix_synapse_reverse_proxy_companion_additional_configuration_blocks: [] + +# A list of strings containing additional configuration blocks to add to the nginx event server configuration (nginx.conf). +matrix_synapse_reverse_proxy_companion_event_additional_configuration_blocks: [] + +# A list of strings containing additional configuration blocks to add to the nginx http's server configuration (nginx-http.conf). +matrix_synapse_reverse_proxy_companion_http_additional_server_configuration_blocks: [] + +# To increase request timeout in NGINX using proxy_read_timeout, proxy_connect_timeout, proxy_send_timeout, send_timeout directives +# Nginx Default: proxy_connect_timeout 60s; #Defines a timeout for establishing a connection with a proxied server +# Nginx Default: proxy_send_timeout 60s; #Sets a timeout for transmitting a request to the proxied server. +# Nginx Default: proxy_read_timeout 60s; #Defines a timeout for reading a response from the proxied server. +# Nginx Default: send_timeout 60s; #Sets a timeout for transmitting a response to the client. +# +# For more information visit: +# http://nginx.org/en/docs/http/ngx_http_proxy_module.html +# http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout +# https://www.nginx.com/resources/wiki/start/topics/examples/fullexample2/ +# +# Here we are sticking with nginx default values change this value carefully. +matrix_synapse_reverse_proxy_companion_proxy_connect_timeout: 60 +matrix_synapse_reverse_proxy_companion_proxy_send_timeout: 60 +matrix_synapse_reverse_proxy_companion_proxy_read_timeout: 60 +matrix_synapse_reverse_proxy_companion_send_timeout: 60 + +# For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter). 
+# +# Otherwise, we get warnings like this: +# > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/.../fullchain.pem" +# +# We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`. +matrix_synapse_reverse_proxy_companion_http_level_resolver: 127.0.0.11 + +matrix_synapse_reverse_proxy_companion_hostname: "matrix-synapse-reverse-proxy-companion" + +# matrix_synapse_reverse_proxy_companion_client_api_addr specifies the address where the Client-Server API is +matrix_synapse_reverse_proxy_companion_client_api_addr: 'matrix-synapse:{{ matrix_synapse_container_client_api_port }}' +# This needs to be equal or higher than the maximum upload size accepted by Synapse. +matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb: 50 + +# matrix_synapse_reverse_proxy_companion_federation_api_enabled specifies whether reverse proxying for the Federation (Server-Server) API should be done +matrix_synapse_reverse_proxy_companion_federation_api_enabled: true +# matrix_synapse_reverse_proxy_companion_federation_api_addr specifies the address where the Federation (Server-Server) API is +matrix_synapse_reverse_proxy_companion_federation_api_addr: 'matrix-synapse:{{ matrix_synapse_container_federation_api_plain_port }}' +matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb: "{{ (matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb | int) * 3 }}" + +# A list of strings containing additional configuration blocks to add to the nginx vhost handling the Synapse Client-Server API +matrix_synapse_reverse_proxy_companion_synapse_client_api_additional_server_configuration_blocks: [] + +# A list of strings containing additional configuration blocks to add to the nginx vhost handling the Synapse Federation (Server-Server) API 
+matrix_synapse_reverse_proxy_companion_synapse_federation_api_additional_server_configuration_blocks: [] + + +# synapse worker activation and endpoint mappings +matrix_synapse_reverse_proxy_companion_synapse_workers_enabled: false +matrix_synapse_reverse_proxy_companion_synapse_workers_list: [] +matrix_synapse_reverse_proxy_companion_synapse_generic_worker_client_server_locations: [] +matrix_synapse_reverse_proxy_companion_synapse_generic_worker_federation_locations: [] +matrix_synapse_reverse_proxy_companion_synapse_stream_writer_typing_stream_worker_client_server_locations: [] +matrix_synapse_reverse_proxy_companion_synapse_stream_writer_to_device_stream_worker_client_server_locations: [] +matrix_synapse_reverse_proxy_companion_synapse_stream_writer_account_data_stream_worker_client_server_locations: [] +matrix_synapse_reverse_proxy_companion_synapse_stream_writer_receipts_stream_worker_client_server_locations: [] +matrix_synapse_reverse_proxy_companion_synapse_stream_writer_presence_stream_worker_client_server_locations: [] +matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations: [] +matrix_synapse_reverse_proxy_companion_synapse_user_dir_locations: [] + + +# synapse content caching +matrix_synapse_reverse_proxy_companion_synapse_cache_enabled: false +matrix_synapse_reverse_proxy_companion_synapse_cache_path: /tmp/synapse-cache +matrix_synapse_reverse_proxy_companion_synapse_cache_keys_zone_name: "STATIC" +matrix_synapse_reverse_proxy_companion_synapse_cache_keys_zone_size: "10m" +matrix_synapse_reverse_proxy_companion_synapse_cache_inactive_time: "48h" +matrix_synapse_reverse_proxy_companion_synapse_cache_max_size_mb: 1024 +matrix_synapse_reverse_proxy_companion_synapse_cache_proxy_cache_valid_time: "24h" + + +# Controls whether matrix-synapse-reverse-proxy-companion trusts an upstream server's X-Forwarded-Proto header. 
+# The `matrix-synapse-reverse-proxy-companion` does not terminate SSL and always expects to be fronted by another reverse-proxy server (`matrix-nginx-proxy`, etc.). +# As such, it trusts the protocol scheme forwarded by the upstream proxy. +matrix_synapse_reverse_proxy_companion_trust_forwarded_proto: true +matrix_synapse_reverse_proxy_companion_x_forwarded_proto_value: "{{ '$http_x_forwarded_proto' if matrix_synapse_reverse_proxy_companion_trust_forwarded_proto else '$scheme' }}" diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/init.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/init.yml new file mode 100644 index 000000000..879b02419 --- /dev/null +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/init.yml @@ -0,0 +1,6 @@ +--- + +- ansible.builtin.set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse-reverse-proxy-companion.service'] }}" + when: matrix_synapse_reverse_proxy_companion_enabled | bool + diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml new file mode 100644 index 000000000..f8b6660be --- /dev/null +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml @@ -0,0 +1,19 @@ +--- + +- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: run_setup | bool and matrix_synapse_reverse_proxy_companion_enabled | bool + tags: + - setup-all + - setup-synapse-reverse-proxy-companion + - setup-synapse + +- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: run_setup | bool and not matrix_synapse_reverse_proxy_companion_enabled | bool + tags: + - setup-all + - setup-synapse-reverse-proxy-companion + - setup-synapse 
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_install.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_install.yml
new file mode 100644
index 000000000..ca263b6d4
--- /dev/null
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_install.yml
@@ -0,0 +1,44 @@ +--- + +- name: Ensure mtrix-synapse-reverse-proxy-companion paths exist + ansible.builtin.file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_synapse_reverse_proxy_companion_base_path }}" + - "{{ matrix_synapse_reverse_proxy_companion_confd_path }}" + +- name: Ensure matrix-synapse-reverse-proxy-companion configured + ansible.builtin.template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + mode: 0644 + with_items: + - src: "{{ role_path }}/templates/nginx/nginx.conf.j2" + dest: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/nginx.conf" + - src: "{{ role_path }}/templates/nginx/conf.d/nginx-http.conf.j2" + dest: "{{ matrix_synapse_reverse_proxy_companion_confd_path }}/nginx-http.conf" + - src: "{{ role_path }}/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2" + dest: "{{ matrix_synapse_reverse_proxy_companion_confd_path }}/matrix-synapse-reverse-proxy-companion.conf" + +- name: Ensure matrix-synapse-reverse-proxy-companion nginx container image is pulled + community.docker.docker_image: + name: "{{ matrix_synapse_reverse_proxy_companion_container_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_synapse_reverse_proxy_companion_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_reverse_proxy_companion_container_image_force_pull }}" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- name: Ensure matrix-synapse-reverse-proxy-companion.service installed + ansible.builtin.template: 
+ src: "{{ role_path }}/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-reverse-proxy-companion.service" + mode: 0644 diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_uninstall.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_uninstall.yml new file mode 100644 index 000000000..f4531a193 --- /dev/null +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_uninstall.yml @@ -0,0 +1,30 @@ +--- + +- name: Check existence of matrix-synapse-reverse-proxy-companion service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-reverse-proxy-companion.service" + register: matrix_synapse_reverse_proxy_companion_service_stat + +- when: matrix_synapse_reverse_proxy_companion_service_stat.stat.exists | bool + block: + - name: Ensure matrix-synapse-reverse-proxy-companion.service is stopped + ansible.builtin.service: + name: matrix_synapse_reverse_proxy_companion_service_stat + state: stopped + enabled: false + daemon_reload: true + register: stopping_result + + - name: Ensure matrix-synapse-reverse-proxy-companion.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-reverse-proxy-companion.service" + state: absent + + - name: Ensure systemd reloaded after matrix-synapse-reverse-proxy-companion.service removal + ansible.builtin.service: + daemon_reload: true + +- name: Ensure matrix-synapse-reverse-proxy-companion data deleted + ansible.builtin.file: + path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}" + state: absent 
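Review bot: The first task's name, `Ensure mtrix-synapse-reverse-proxy-companion paths exist`, misspells the role name; `Ensure matrix-synapse-reverse-proxy-companion paths exist` keeps it consistent with the other task names and makes it greppable. The image-pull task also mixes two spellings of the same Ansible version test (`ansible_version.minor > 7` for `source`, `ansible_version.minor >= 8` for `force_source` and `force`); they are equivalent for integer minors, but using `>= 8` in all three makes that obvious at a glance. The directory and template tasks read `matrix_synapse_reverse_proxy_companion_base_path` and `_confd_path`, which are not in the visible part of the defaults hunk, so I assume they are defined earlier in that file.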
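Review bot: The stop task passes the registered stat variable's name as the unit to stop, `name: matrix_synapse_reverse_proxy_companion_service_stat`, so when the unit file exists the uninstall path asks systemd to stop a unit that does not exist and will most likely fail before the removal tasks run; it should be `name: matrix-synapse-reverse-proxy-companion.service`, matching the path checked two tasks earlier. `register: stopping_result` on the same task is never read afterwards and can be dropped.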
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2
new file mode 100644
index 000000000..77f782285
--- /dev/null
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2
@@ -0,0 +1,208 @@ +#jinja2: lstrip_blocks: "True" + +{% set generic_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'generic_worker') | list %} +{% set stream_writer_typing_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'typing') | list %} +{% set stream_writer_to_device_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'to_device') | list %} +{% set stream_writer_account_data_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'account_data') | list %} +{% set stream_writer_receipts_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'receipts') | list %} +{% set stream_writer_presence_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'presence') | list %} +{% set media_repository_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'media_repository') | list %} +{% set user_dir_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'user_dir') | list %} + +{% macro render_worker_upstream(name, workers) %} +{% if workers | length > 0 %} + upstream {{ name }} { + {% for worker in workers %} + server "{{ worker.name }}:{{ worker.port }}"; + {% endfor %} + } +{% endif %} +{% endmacro %} + +{% macro render_locations_to_upstream(locations, upstream_name) %} + {% for location in locations %} + location ~ {{ location 
}} { + proxy_pass http://{{ upstream_name }}$request_uri; + proxy_set_header Host $host; + } + {% endfor %} +{% endmacro %} + +{% if matrix_synapse_reverse_proxy_companion_synapse_workers_enabled %} + {% if matrix_synapse_reverse_proxy_companion_synapse_cache_enabled %} + proxy_cache_path {{ matrix_synapse_reverse_proxy_companion_synapse_cache_path }} levels=1:2 keys_zone={{ matrix_synapse_reverse_proxy_companion_synapse_cache_keys_zone_name }}:{{ matrix_synapse_reverse_proxy_companion_synapse_cache_keys_zone_size }} inactive={{ matrix_synapse_reverse_proxy_companion_synapse_cache_inactive_time }} max_size={{ matrix_synapse_reverse_proxy_companion_synapse_cache_max_size_mb }}m; + {% endif %} + # Round Robin "upstream" pools for workers + + {% if generic_workers |length > 0 %} + upstream generic_workers_upstream { + # ensures that requests from the same client will always be passed + # to the same server (except when this server is unavailable) + hash $http_x_forwarded_for; + + {% for worker in generic_workers %} + server "{{ worker.name }}:{{ worker.port }}"; + {% endfor %} + } + {% endif %} + + {{ render_worker_upstream('stream_writer_typing_stream_workers_upstream', stream_writer_typing_stream_workers) }} + {{ render_worker_upstream('stream_writer_to_device_stream_workers_upstream', stream_writer_to_device_stream_workers) }} + {{ render_worker_upstream('stream_writer_account_data_stream_workers_upstream', stream_writer_account_data_stream_workers) }} + {{ render_worker_upstream('stream_writer_receipts_stream_workers_upstream', stream_writer_receipts_stream_workers) }} + {{ render_worker_upstream('stream_writer_presence_stream_workers_upstream', stream_writer_presence_stream_workers) }} + + {{ render_worker_upstream('media_repository_workers_upstream', media_repository_workers) }} + + {{ render_worker_upstream('user_dir_workers_upstream', user_dir_workers) }} +{% endif %} + +server { + listen 8008; + server_name {{ matrix_synapse_reverse_proxy_companion_hostname 
}}; + + server_tokens off; + root /dev/null; + + gzip on; + gzip_types text/plain application/json; + + {% if matrix_synapse_reverse_proxy_companion_synapse_workers_enabled %} + {# Workers redirects BEGIN #} + + {% if generic_workers | length > 0 %} + # https://matrix-org.github.io/synapse/latest/workers.html#synapseappgeneric_worker + {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_generic_worker_client_server_locations, 'generic_workers_upstream') }} + {% endif %} + + {% if stream_writer_typing_stream_workers | length > 0 %} + # https://matrix-org.github.io/synapse/latest/workers.html#the-typing-stream + {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_typing_stream_worker_client_server_locations, 'stream_writer_typing_stream_workers_upstream') }} + {% endif %} + + {% if stream_writer_to_device_stream_workers | length > 0 %} + # https://matrix-org.github.io/synapse/latest/workers.html#the-to_device-stream + {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_to_device_stream_worker_client_server_locations, 'stream_writer_to_device_stream_workers_upstream') }} + {% endif %} + + {% if stream_writer_account_data_stream_workers | length > 0 %} + # https://matrix-org.github.io/synapse/latest/workers.html#the-account_data-stream + {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_account_data_stream_worker_client_server_locations, 'stream_writer_account_data_stream_workers_upstream') }} + {% endif %} + + {% if stream_writer_receipts_stream_workers | length > 0 %} + # https://matrix-org.github.io/synapse/latest/workers.html#the-receipts-stream + {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_receipts_stream_worker_client_server_locations, 'stream_writer_receipts_stream_workers_upstream') }} + {% endif %} + + {% if stream_writer_presence_stream_workers | length > 0 %} + 
# https://matrix-org.github.io/synapse/latest/workers.html#the-presence-stream + {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_presence_stream_worker_client_server_locations, 'stream_writer_presence_stream_workers_upstream') }} + {% endif %} + + {% if media_repository_workers | length > 0 %} + # https://matrix-org.github.io/synapse/latest/workers.html#synapseappmedia_repository + {% for location in matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations %} + location ~ {{ location }} { + proxy_pass http://media_repository_workers_upstream$request_uri; + proxy_set_header Host $host; + + client_body_buffer_size 25M; + client_max_body_size {{ matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb }}M; + proxy_max_temp_file_size 0; + + {% if matrix_synapse_reverse_proxy_companion_synapse_cache_enabled %} + proxy_buffering on; + proxy_cache {{ matrix_synapse_reverse_proxy_companion_synapse_cache_keys_zone_name }}; + proxy_cache_valid any {{ matrix_synapse_reverse_proxy_companion_synapse_cache_proxy_cache_valid_time }}; + proxy_force_ranges on; + add_header X-Cache-Status $upstream_cache_status; + {% endif %} + } + {% endfor %} + {% endif %} + + {% if user_dir_workers | length > 0 %} + # https://matrix-org.github.io/synapse/latest/workers.html#updating-the-user-directory + {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_user_dir_locations, 'user_dir_workers_upstream') }} + {% endif %} + {# Workers redirects END #} + {% endif %} + + {% for configuration_block in matrix_synapse_reverse_proxy_companion_synapse_client_api_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} + + {# Everything else just goes to the API server ##} + location / { + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver {{ matrix_synapse_reverse_proxy_companion_http_level_resolver }} valid=5s; + set $backend "{{ 
matrix_synapse_reverse_proxy_companion_client_api_addr }}"; + proxy_pass http://$backend; + + proxy_set_header Host $host; + + client_body_buffer_size 25M; + client_max_body_size {{ matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb }}M; + proxy_max_temp_file_size 0; + } +} + +{% if matrix_synapse_reverse_proxy_companion_federation_api_enabled %} +server { + listen 8048; + server_name {{ matrix_synapse_reverse_proxy_companion_hostname }}; + + server_tokens off; + + root /dev/null; + + gzip on; + gzip_types text/plain application/json; + + {% if matrix_synapse_reverse_proxy_companion_synapse_workers_enabled %} + {% if generic_workers | length > 0 %} + # https://matrix-org.github.io/synapse/latest/workers.html#synapseappgeneric_worker + {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_generic_worker_federation_locations, 'generic_workers_upstream') }} + {% endif %} + {% if media_repository_workers | length > 0 %} + # https://matrix-org.github.io/synapse/latest/workers.html#synapseappmedia_repository + {% for location in matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations %} + location ~ {{ location }} { + proxy_pass http://media_repository_workers_upstream$request_uri; + proxy_set_header Host $host; + + client_body_buffer_size 25M; + client_max_body_size {{ matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb }}M; + proxy_max_temp_file_size 0; + + {% if matrix_synapse_reverse_proxy_companion_synapse_cache_enabled %} + proxy_buffering on; + proxy_cache {{ matrix_synapse_reverse_proxy_companion_synapse_cache_keys_zone_name }}; + proxy_cache_valid any {{ matrix_synapse_reverse_proxy_companion_synapse_cache_proxy_cache_valid_time }}; + proxy_force_ranges on; + add_header X-Cache-Status $upstream_cache_status; + {% endif %} + } + {% endfor %} + {% endif %} + {% endif %} + + {% for configuration_block in 
matrix_synapse_reverse_proxy_companion_synapse_federation_api_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} + + location / { + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver {{ matrix_synapse_reverse_proxy_companion_http_level_resolver }} valid=5s; + set $backend "{{ matrix_synapse_reverse_proxy_companion_federation_api_addr }}"; + proxy_pass http://$backend; + + proxy_set_header Host $host; + + client_body_buffer_size 25M; + client_max_body_size {{ matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb }}M; + proxy_max_temp_file_size 0; + } +} +{% endif %} diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/nginx-http.conf.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/nginx-http.conf.j2 new file mode 100644 index 000000000..d53f172dc --- /dev/null +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/nginx-http.conf.j2 @@ -0,0 +1,13 @@ +#jinja2: lstrip_blocks: "True" +# The default is aligned to the CPU's cache size, +# which can sometimes be too low. +# Thus, we ensure a larger bucket size value is used. +server_names_hash_bucket_size 64; + +{% if matrix_synapse_reverse_proxy_companion_http_level_resolver %} +resolver {{ matrix_synapse_reverse_proxy_companion_http_level_resolver }}; +{% endif %} + +{% for configuration_block in matrix_synapse_reverse_proxy_companion_http_additional_server_configuration_blocks %} + {{- configuration_block }} +{% endfor %} diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/nginx.conf.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/nginx.conf.j2 new file mode 100644 index 000000000..a54701b82 --- /dev/null +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/nginx.conf.j2 
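Review bot: The defaults declare `matrix_synapse_reverse_proxy_companion_x_forwarded_proto_value` (derived from the `_trust_forwarded_proto` switch), but nothing in this template renders it — `render_locations_to_upstream`, the media-repository locations and both `location /` blocks only set `proxy_set_header Host $host;`. As written, a Synapse listener with `x_forwarded` enabled sees whatever `X-Forwarded-Proto` the fronting proxy sent, passed through unmodified, and the trust switch has no effect; either add `proxy_set_header X-Forwarded-Proto {{ matrix_synapse_reverse_proxy_companion_x_forwarded_proto_value }};` beside each `Host` header or remove the unused variable. Nothing appends this hop to `X-Forwarded-For` either, which is presumably intended because the upstream proxy's value is what should reach Synapse, but a one-line comment saying so at the first `location /` would stop someone "fixing" it later.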
@@ -0,0 +1,66 @@ +#jinja2: lstrip_blocks: "True" +# This is a custom nginx configuration file that we use in the container (instead of the default one), +# because it allows us to run nginx with a non-root user. +# +# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed. +# +# The following changes have been done compared to a default nginx configuration file: +# - various temp paths are changed to `/tmp`, so that a non-root user can write to them +# - the `user` directive was removed, as we don't want nginx to switch users + +worker_processes {{ matrix_synapse_reverse_proxy_companion_worker_processes }}; +error_log /var/log/nginx/error.log warn; +pid /tmp/nginx.pid; +{% for configuration_block in matrix_synapse_reverse_proxy_companion_additional_configuration_blocks %} + {{- configuration_block }} +{% endfor %} + +events { + worker_connections {{ matrix_synapse_reverse_proxy_companion_worker_connections }}; +{% for configuration_block in matrix_synapse_reverse_proxy_companion_event_additional_configuration_blocks %} + {{- configuration_block }} +{% endfor %} +} + + +http { + proxy_temp_path /tmp/proxy_temp; + client_body_temp_path /tmp/client_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + {% if matrix_synapse_reverse_proxy_companion_access_log_enabled %} + access_log /var/log/nginx/access.log main; + {% else %} + access_log off; + {% endif %} + + proxy_connect_timeout {{ matrix_synapse_reverse_proxy_companion_proxy_connect_timeout }}; + proxy_send_timeout {{ matrix_synapse_reverse_proxy_companion_proxy_send_timeout }}; + proxy_read_timeout {{ matrix_synapse_reverse_proxy_companion_proxy_read_timeout }}; + 
send_timeout {{ matrix_synapse_reverse_proxy_companion_send_timeout }}; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + server_tokens off; + + #gzip on; + {# Map directive needed for proxied WebSocket upgrades #} + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + + include /etc/nginx/conf.d/*.conf; +} diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2 new file mode 100755 index 000000000..21bebb4f1 --- /dev/null +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2 
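Review bot: The `map $http_upgrade $connection_upgrade` block in the `http{}` context is dead configuration: none of the proxied locations in matrix-synapse-reverse-proxy-companion.conf.j2 sets `Upgrade`/`Connection` headers, so `$connection_upgrade` is never read. Either remove the map together with its `{# Map directive needed for proxied WebSocket upgrades #}` comment, or reword the comment to say it is kept for operators' additional configuration blocks to use. `server_tokens off;` is also set here and again inside each `server{}` block in the vhost template; one of the two is redundant.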
@@ -0,0 +1,53 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Synapse reverse-proxy companion +{% for service in matrix_synapse_reverse_proxy_companion_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_synapse_reverse_proxy_companion_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-synapse-reverse-proxy-companion 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-synapse-reverse-proxy-companion 2>/dev/null || true' + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} run \ + --rm \ + --name=matrix-synapse-reverse-proxy-companion \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_reverse_proxy_companion_tmp_directory_size_mb }}m \ + {% if matrix_synapse_reverse_proxy_companion_synapse_cache_enabled %} + --tmpfs=/tmp/synapse-cache:rw,noexec,nosuid,size={{ matrix_synapse_reverse_proxy_companion_tmp_cache_directory_size_mb }}m\ + {% endif %} + --network={{ matrix_synapse_reverse_proxy_companion_container_network }} \ + {% if matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port %} + -p {{ matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port }}:8008 \ + {% endif %} + {% if matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port %} + -p {{ matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port }}:8048 \ + {% endif %} + --mount type=bind,src={{ matrix_synapse_reverse_proxy_companion_base_path 
}}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ + --mount type=bind,src={{ matrix_synapse_reverse_proxy_companion_confd_path }},dst=/etc/nginx/conf.d,ro \ + {{ matrix_synapse_reverse_proxy_companion_container_image }} + +{% for network in matrix_synapse_reverse_proxy_companion_container_additional_networks %} +ExecStartPost={{ devture_systemd_docker_base_host_command_sh }} -c 'attempt=0; while [ $attempt -le 29 ]; do attempt=$(( $attempt + 1 )); if [ "`docker inspect -f {{ '{{.State.Running}}' }} matrix-synapse-reverse-proxy-companion 2> /dev/null`" = "true" ]; then break; fi; sleep 1; done; {{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-synapse-reverse-proxy-companion' +{% endfor %} + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-synapse-reverse-proxy-companion 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-synapse-reverse-proxy-companion 2>/dev/null || true' +ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-synapse-reverse-proxy-companion /usr/sbin/nginx -s reload +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-synapse-reverse-proxy-companion + +[Install] +WantedBy=multi-user.target diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index 0b738a57a..6a837605e 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml 
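Review bot: The `ExecStartPost` readiness loop invokes bare `docker inspect` while every other line in the unit goes through `{{ devture_systemd_docker_base_host_command_docker }}`; the unit's `Environment=` only sets `HOME`, so this relies on `docker` being on systemd's default `PATH`, which the configurable command path exists to avoid. Replace it with `{{ devture_systemd_docker_base_host_command_docker }} inspect -f {{ '{{.State.Running}}' }} matrix-synapse-reverse-proxy-companion`. On the cache tmpfs line, `size={{ ... }}m\` lacks the space before the backslash that every other continuation line has; systemd replaces the backslash with a space so it still parses, but it is worth aligning with the rest of the command.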
@@ -24,3 +24,6 @@ - {'old': 'matrix_container_retries_delay', 'new': 'devture_playbook_help_container_retries_delay'} - {'old': 'matrix_geturl_retries_count', 'new': 'devture_playbook_help_geturl_retries_count'} - {'old': 'matrix_geturl_retries_delay', 'new': 'devture_playbook_help_geturl_retries_delay'} + + - {'old': 'matrix_nginx_proxy_synapse_cache_path', 'new': 'matrix_synapse_reverse_proxy_companion_synapse_cache_path'} + - {'old': 'matrix_nginx_proxy_synapse_cache_enabled', 'new': 'matrix_synapse_reverse_proxy_companion_synapse_cache_enabled'} From 377e703746f5273f4648ec28b09f5473fb0c242f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 20 Nov 2022 18:01:44 +0200 Subject: [PATCH 028/915] Fixup Traefik example configuration Related to e9e84341a91fb0 --- docs/configuring-playbook-own-webserver.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 04e2e4870..83fd42048 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md 
@@ -187,9 +187,7 @@ matrix_nginx_proxy_container_extra_arguments: - '--label "traefik.http.routers.matrix-nginx-proxy-federation.tls.certResolver=default"' # The Nginx proxy container uses port `matrix_nginx_proxy_proxy_matrix_federation_port (8448) internally - '--label "traefik.http.services.matrix-nginx-proxy-federation.loadbalancer.server.port={{ matrix_nginx_proxy_proxy_matrix_federation_port }}"' - - '--label "traefik.http.services.matrix-nginx-proxy-federation.loadbalancer.server.scheme={{ 'https' if matrix_nginx_proxy_https_enabled else 'http' }}"' - -matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled: true + - '--label "traefik.http.services.matrix-nginx-proxy-federation.loadbalancer.server.scheme={{ "https" if matrix_nginx_proxy_https_enabled else "http" }}"' ``` This method uses labels attached to the Nginx and Synapse containers to provide the Traefik Docker provider with the information it needs to proxy `matrix.DOMAIN`, `element.DOMAIN`, `dimension.DOMAIN` and `jitsi.DOMAIN`. Some [static configuration](https://docs.traefik.io/v2.0/reference/static-configuration/file/) is required in Traefik; namely, having endpoints on ports 443 and 8448 and having a certificate resolver. From 6a870a07b2d5c37b1d83be3a6625101e8b4ef095 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 20 Nov 2022 18:02:50 +0200 Subject: [PATCH 029/915] Fix ansible-lint-reported errors --- roles/custom/matrix-bot-postmoogle/defaults/main.yml | 2 +- .../matrix-synapse-reverse-proxy-companion/tasks/init.yml | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/custom/matrix-bot-postmoogle/defaults/main.yml b/roles/custom/matrix-bot-postmoogle/defaults/main.yml index 9e30d7abb..88a712d51 100644 --- a/roles/custom/matrix-bot-postmoogle/defaults/main.yml +++ b/roles/custom/matrix-bot-postmoogle/defaults/main.yml 
@@ -112,7 +112,7 @@ matrix_bot_postmoogle_noencryption: false matrix_bot_postmoogle_domain: "{{ matrix_server_fqn_matrix }}" matrix_bot_postmoogle_domains: - - "{{ matrix_bot_postmoogle_domain }}" # backward compatibility + - "{{ matrix_bot_postmoogle_domain }}" # backward compatibility # Password (passphrase) to encrypt account data matrix_bot_postmoogle_data_secret: "" diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/init.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/init.yml index 879b02419..b10eca53c 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/init.yml +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/init.yml @@ -3,4 +3,3 @@ - ansible.builtin.set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse-reverse-proxy-companion.service'] }}" when: matrix_synapse_reverse_proxy_companion_enabled | bool - From e360b82e9b9b33b258fac6e3b2a36700f9c647ea Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 20 Nov 2022 18:04:23 +0200 Subject: [PATCH 030/915] Try to fix ansible-lint Github action --- .github/workflows/matrix.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml index 8da5b9690..edb5fc648 100644 --- a/.github/workflows/matrix.yml +++ b/.github/workflows/matrix.yml @@ -22,3 +22,5 @@ jobs: uses: actions/checkout@v3 - name: Run ansible-lint uses: ansible-community/ansible-lint-action@main + with: + path: "playbooks/matrix.yml" From 4ffb558b6de7786a865c104e4829e01a484b39f6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 20 Nov 2022 18:04:50 +0200 Subject: [PATCH 031/915] Pin ansible-community/ansible-lint-action version --- .github/workflows/matrix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml index edb5fc648..a9e8b9906 100644 --- a/.github/workflows/matrix.yml 
+++ b/.github/workflows/matrix.yml @@ -21,6 +21,6 @@ jobs: - name: Check out uses: actions/checkout@v3 - name: Run ansible-lint - uses: ansible-community/ansible-lint-action@main + uses: ansible-community/ansible-lint-action@v6.8.2 with: path: "playbooks/matrix.yml" From 433405d9d3f257fa962e36a76411bf9d69597f4a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 20 Nov 2022 19:13:00 +0200 Subject: [PATCH 032/915] Try to fix ansible-lint Github action --- .config/ansible-lint.yml | 2 +- .github/workflows/matrix.yml | 2 +- Makefile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.config/ansible-lint.yml b/.config/ansible-lint.yml index 22ba92532..00d62f207 100644 --- a/.config/ansible-lint.yml +++ b/.config/ansible-lint.yml @@ -13,4 +13,4 @@ skip_list: # before finally dumping it to a file. - template-instead-of-copy -offline: false +offline: true diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml index a9e8b9906..6c7ce3cad 100644 --- a/.github/workflows/matrix.yml +++ b/.github/workflows/matrix.yml @@ -23,4 +23,4 @@ jobs: - name: Run ansible-lint uses: ansible-community/ansible-lint-action@v6.8.2 with: - path: "playbooks/matrix.yml" + path: roles/custom diff --git a/Makefile b/Makefile index b7fc41bd7..3379b8fff 100644 --- a/Makefile +++ b/Makefile @@ -8,4 +8,4 @@ roles: ## Pull roles ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force lint: ## Runs ansible-lint against all roles in the playbook - ansible-lint + ansible-lint roles/custom From 8fb51b73fa255cefdc22319c7b569e10b3b43c9c Mon Sep 17 00:00:00 2001 From: Array in a Matrix Date: Sun, 20 Nov 2022 19:30:21 -0500 Subject: [PATCH 033/915] added dendrite config doc link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3160238fb..7cf00607b 100644 --- a/README.md +++ b/README.md 
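Review bot: `uses: ansible-community/ansible-lint-action@v6.8.2` pins to a git tag, which the action's maintainers (or anyone who gains write access to that repository) can move to different code; pinning to the full commit SHA of that tag keeps the lint step reproducible and the reviewed code immutable. Use `uses: ansible-community/ansible-lint-action@<commit-sha-of-v6.8.2> # v6.8.2`, keeping the tag in a trailing comment so dependency-update tooling can still recognise the version.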
@@ -30,7 +30,7 @@ The homeserver is the backbone of your matrix system. Choose one from the follow | ---- | -------- | ----------- | ------------- | | [Synapse](https://github.com/matrix-org/synapse) | ✓ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network | [Link](docs/configuring-playbook-synapse.md) | | [Conduit](https://conduit.rs) | x | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Conduit is a lightweight open-source server implementation of the Matrix Specification with a focus on easy setup and low system requirements | [Link](docs/configuring-playbook-conduit.md) | -| [Dendrite](https://github.com/matrix-org/dendrite) | x | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Dendrite is a second-generation Matrix homeserver written in Go, an alternative to Synapse. | - | +| [Dendrite](https://github.com/matrix-org/dendrite) | x | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Dendrite is a second-generation Matrix homeserver written in Go, an alternative to Synapse. | [Link](docs/configuring-playbook-dendrite.md) | ### Clients From 7ac27becafd39eecb26a6d5f205724c9c6cd6787 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 22 Nov 2022 08:33:54 +0200 Subject: [PATCH 034/915] Upgrade ddclient (v3.10.0-ls103 -> v3.10.0-ls105) --- roles/custom/matrix-dynamic-dns/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-dynamic-dns/defaults/main.yml b/roles/custom/matrix-dynamic-dns/defaults/main.yml index 77e01d0ee..86129e61f 100644 --- a/roles/custom/matrix-dynamic-dns/defaults/main.yml +++ b/roles/custom/matrix-dynamic-dns/defaults/main.yml 
@@ -7,7 +7,7 @@ matrix_dynamic_dns_enabled: true # The dynamic dns daemon interval matrix_dynamic_dns_daemon_interval: '300' -matrix_dynamic_dns_version: v3.10.0-ls103 +matrix_dynamic_dns_version: v3.10.0-ls105 # The docker container to use when in mode matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}" From d8f2141eb0fb1333e863a01dfc094fc3fce461eb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 22 Nov 2022 09:01:26 +0200 Subject: [PATCH 035/915] Install Docker via geerlingguy.docker Galaxy role --- docs/ansible.md | 2 +- docs/faq.md | 2 +- group_vars/matrix_servers | 17 ++++++++ playbooks/matrix.yml | 14 +++++++ requirements.yml | 6 +++ roles/custom/matrix-base/defaults/main.yml | 8 ---- roles/custom/matrix-base/tasks/main.yml | 6 --- .../matrix-base/tasks/server_base/setup.yml | 41 ------------------- .../tasks/server_base/setup_archlinux.yml | 16 -------- .../tasks/server_base/setup_debian.yml | 34 --------------- .../tasks/server_base/setup_fedora.yml | 32 --------------- .../tasks/server_base/setup_raspbian.yml | 34 --------------- .../tasks/server_base/setup_redhat.yml | 24 ----------- .../tasks/server_base/setup_redhat8.yml | 37 ----------------- .../tasks/validate_config.yml | 3 ++ 15 files changed, 42 insertions(+), 234 deletions(-) delete mode 100644 roles/custom/matrix-base/tasks/server_base/setup.yml delete mode 100644 roles/custom/matrix-base/tasks/server_base/setup_archlinux.yml delete mode 100644 roles/custom/matrix-base/tasks/server_base/setup_debian.yml delete mode 100644 roles/custom/matrix-base/tasks/server_base/setup_fedora.yml delete mode 100644 roles/custom/matrix-base/tasks/server_base/setup_raspbian.yml delete mode 100644 roles/custom/matrix-base/tasks/server_base/setup_redhat.yml delete mode 100644 roles/custom/matrix-base/tasks/server_base/setup_redhat8.yml diff --git a/docs/ansible.md b/docs/ansible.md index e8a0ddb21..49dbd7eaf 100644 
--- a/docs/ansible.md +++ b/docs/ansible.md @@ -53,7 +53,7 @@ You can either [run Ansible in a container on the Matrix server itself](#running To run Ansible in a (Docker) container on the Matrix server itself, you need to have a working Docker installation. Docker is normally installed by the playbook, so this may be a bit of a chicken and egg problem. To solve it: -- you **either** need to install Docker manually first. Follow [the upstream instructions](https://docs.docker.com/engine/install/) for your distribution and consider setting `matrix_docker_installation_enabled: false` in your `vars.yml` file, to prevent the playbook from installing Docker +- you **either** need to install Docker manually first. Follow [the upstream instructions](https://docs.docker.com/engine/install/) for your distribution and consider setting `matrix_playbook_docker_installation_enabled: false` in your `vars.yml` file, to prevent the playbook from installing Docker - **or** you need to run the playbook in another way (e.g. [Running Ansible in a container on another computer (not the Matrix server)](#running-ansible-in-a-container-on-another-computer-not-the-matrix-server)) at least the first time around Once you have a working Docker installation on the server, **clone the playbook** somewhere on the server and configure it as per usual (`inventory/hosts`, `inventory/host_vars/..`, etc.), as described in [configuring the playbook](configuring-playbook.md). diff --git a/docs/faq.md b/docs/faq.md index f2df8698b..d2b88cf66 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -317,7 +317,7 @@ If you've installed [Jitsi](configuring-playbook-jitsi.md) (not installed by def Yes, we can stop installing Docker ourselves. Just use this in your `vars.yml` file: ```yaml -matrix_docker_installation_enabled: true +matrix_playbook_docker_installation_enabled: true ``` ### I run another webserver on the same server where I wish to install Matrix. What now? 
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 23ce1d3d6..403188e73 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -9,6 +9,23 @@ # You can also override ANY variable (seen here or in any given role), # by re-defining it in your own configuration file (`inventory/host_vars/matrix.`). +######################################################################## +# # +# Playbook # +# # +######################################################################## + +# Controls whether to install Docker or not +# Also see `devture_docker_sdk_for_python_installation_enabled`. +matrix_playbook_docker_installation_enabled: true + +######################################################################## +# # +# /Playbook # +# # +######################################################################## + + ######################################################################## # # diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index 6c7dc3833..1ecfba327 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml @@ -11,6 +11,20 @@ - role: custom/matrix_playbook_migration + - when: matrix_playbook_docker_installation_enabled | bool + role: galaxy/geerlingguy.docker + vars: + docker_install_compose: false + tags: + - setup-docker + - setup-all + + - when: devture_docker_sdk_for_python_installation_enabled | bool + role: galaxy/com.devture.ansible.role.docker_sdk_for_python + tags: + - setup-docker + - setup-all + - when: devture_timesync_installation_enabled | bool role: galaxy/com.devture.ansible.role.timesync tags: diff --git a/requirements.yml b/requirements.yml index a57b63a9b..ed4b8fb18 100644 --- a/requirements.yml +++ b/requirements.yml 
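Review bot: The new `galaxy/geerlingguy.docker` entry takes over repository, key and package setup from the deleted `server_base/setup_*.yml` task files, but the hunk hands the role only `docker_install_compose: false`; the removed Debian and Raspbian tasks verified Docker's APT signing key against a fixed fingerprint and the removed Arch task installed Docker via pacman, and nothing visible in this playbook shows how the external role handles either. Confirm that the role at the version pinned in `requirements.yml` validates the repository key and supports every OS family the removed code covered (Archlinux, Debian, Raspbian, Fedora and RHEL); if Arch is not covered, `validate_config.yml` or the docs should say so rather than letting Arch hosts silently lose Docker installation. A comment above the entry such as `# Docker installation is delegated to an external role; its version is pinned in requirements.yml` would help readers find where the install logic went.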
@@ -1,5 +1,11 @@ --- +- src: geerlingguy.docker + version: 6.0.3 + +- src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git + version: 7047b40314c1020e97ed3f15b44876fa88faf874 + - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git version: c1f40e82b4d6b072b6f0e885239322bdaaaf554f diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index 5c0f16dcf..f0d86c707 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml @@ -253,14 +253,6 @@ matrix_well_known_matrix_server_enabled: true # See `matrix_homeserver_admin_contacts`, `matrix_homeserver_support_url`, etc. matrix_well_known_matrix_support_enabled: false -# Controls whether Docker is automatically installed. -# If you change this to false you must install and update Docker manually. You also need to install the docker (https://pypi.org/project/docker/) Python package. -matrix_docker_installation_enabled: true - -# Controls the Docker package that is installed. -# Possible values are "docker-ce" (default) and "docker.io" (Debian). -matrix_docker_package_name: docker-ce - # Variables to Control which parts of our roles run. run_postgres_import: true run_postgres_upgrade: true diff --git a/roles/custom/matrix-base/tasks/main.yml b/roles/custom/matrix-base/tasks/main.yml index 164bd3539..29e97cd17 100644 --- a/roles/custom/matrix-base/tasks/main.yml +++ b/roles/custom/matrix-base/tasks/main.yml @@ -14,12 +14,6 @@ - setup-all - common -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/server_base/setup.yml" - when: run_setup | bool - tags: - - setup-all - - common - # This needs to always run, because it populates `matrix_user_uid` and `matrix_user_gid`, # which are required by many other roles. - ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_matrix_user.yml" 
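Review bot: The two new entries pin their sources differently: `geerlingguy.docker` is fetched from Galaxy by `version: 6.0.3`, a tag the upstream project can re-point, while `com.devture.ansible.role.docker_sdk_for_python` is pinned to a full commit hash. Because this role installs packages and configures repositories as root on every target, consider fetching it as `src: git+https://github.com/geerlingguy/ansible-role-docker.git` with `version: <commit-sha-of-tag-6.0.3>`, so the downloaded content is immutable and consistent with how the devture roles are pinned in the same file. A short comment noting that roles are intentionally pinned to commits would make the policy explicit for future additions.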
diff --git a/roles/custom/matrix-base/tasks/server_base/setup.yml b/roles/custom/matrix-base/tasks/server_base/setup.yml deleted file mode 100644 index d0b9f0b95..000000000 --- a/roles/custom/matrix-base/tasks/server_base/setup.yml +++ /dev/null @@ -1,41 +0,0 @@ ---- - -- ansible.builtin.include_tasks: "{{ role_path }}/tasks/server_base/setup_redhat.yml" - when: ansible_os_family == 'RedHat' and ansible_distribution_major_version | int < 8 - -- ansible.builtin.include_tasks: "{{ role_path }}/tasks/server_base/setup_redhat8.yml" - when: ansible_os_family == 'RedHat' and ansible_distribution_major_version | int > 7 and ansible_distribution_major_version | int < 30 - -- ansible.builtin.include_tasks: "{{ role_path }}/tasks/server_base/setup_fedora.yml" - when: ansible_os_family == 'RedHat' and ansible_distribution_major_version | int > 30 - -- when: ansible_os_family == 'Debian' - block: - # ansible_lsb is only available if lsb-release is installed. - - name: Ensure lsb-release installed - ansible.builtin.apt: - name: - - lsb-release - state: present - update_cache: true - register: lsb_release_installation_result - - - name: Reread ansible_lsb facts if lsb-release got installed - ansible.builtin.setup: - filter: ansible_lsb* - when: lsb_release_installation_result.changed - - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/server_base/setup_debian.yml" - when: (ansible_os_family == 'Debian') and (ansible_lsb.id != 'Raspbian') - - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/server_base/setup_raspbian.yml" - when: (ansible_os_family == 'Debian') and (ansible_lsb.id == 'Raspbian') - -- ansible.builtin.include_tasks: "{{ role_path }}/tasks/server_base/setup_archlinux.yml" - when: ansible_distribution == 'Archlinux' - -- name: Ensure Docker is started and autoruns - ansible.builtin.service: - name: docker - state: started - enabled: true 
diff --git a/roles/custom/matrix-base/tasks/server_base/setup_archlinux.yml b/roles/custom/matrix-base/tasks/server_base/setup_archlinux.yml deleted file mode 100644 index a93136148..000000000 --- a/roles/custom/matrix-base/tasks/server_base/setup_archlinux.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- - -- name: Install host dependencies - community.general.pacman: - name: - - python-docker - - python-dnspython - state: present - update_cache: true - -- name: Ensure Docker is installed - community.general.pacman: - name: - - docker - state: present - when: matrix_docker_installation_enabled | bool diff --git a/roles/custom/matrix-base/tasks/server_base/setup_debian.yml b/roles/custom/matrix-base/tasks/server_base/setup_debian.yml deleted file mode 100644 index 412a11d02..000000000 --- a/roles/custom/matrix-base/tasks/server_base/setup_debian.yml +++ /dev/null 
@@ -1,34 +0,0 @@ ---- - -- name: Ensure APT usage dependencies are installed - ansible.builtin.apt: - name: - - apt-transport-https - - ca-certificates - - gnupg - state: present - update_cache: true - -- name: Ensure Docker's APT key is trusted - ansible.builtin.apt_key: - url: "https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg" - id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88 - state: present - register: add_repository_key - ignore_errors: true - when: matrix_docker_installation_enabled | bool and matrix_docker_package_name == 'docker-ce' - -- name: Ensure Docker repository is enabled - ansible.builtin.apt_repository: - repo: "deb [arch={{ matrix_debian_arch }}] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable" - state: present - update_cache: true - when: matrix_docker_installation_enabled | bool and matrix_docker_package_name == 'docker-ce' - -- name: Ensure Docker is installed - ansible.builtin.apt: - name: - - "{{ matrix_docker_package_name }}" - - "python{{ '3' if ansible_python.version.major == 3 else '' }}-docker" - state: present - when: matrix_docker_installation_enabled | bool diff --git a/roles/custom/matrix-base/tasks/server_base/setup_fedora.yml b/roles/custom/matrix-base/tasks/server_base/setup_fedora.yml deleted file mode 100644 index 19d465718..000000000 --- a/roles/custom/matrix-base/tasks/server_base/setup_fedora.yml +++ /dev/null 
@@ -1,32 +0,0 @@ ---- - -- name: Ensure Docker repository is enabled - ansible.builtin.template: - src: "{{ role_path }}/files/yum.repos.d/{{ item }}" - dest: "/etc/yum.repos.d/docker-ce.repo" - owner: "root" - group: "root" - mode: 0644 - with_items: - - docker-ce-fedora.repo - when: matrix_docker_installation_enabled | bool and matrix_docker_package_name == 'docker-ce' - -- name: Ensure Docker's RPM key is trusted - ansible.builtin.rpm_key: - state: present - key: https://download.docker.com/linux/fedora/gpg - when: matrix_docker_installation_enabled | bool and matrix_docker_package_name == 'docker-ce' - -- name: Ensure Docker is installed - ansible.builtin.yum: - name: - - "{{ matrix_docker_package_name }}" - - python3-pip - state: present - when: matrix_docker_installation_enabled | bool - -- name: Ensure Docker-Py is installed - ansible.builtin.pip: - name: docker-py - state: present - when: matrix_docker_installation_enabled | bool diff --git a/roles/custom/matrix-base/tasks/server_base/setup_raspbian.yml b/roles/custom/matrix-base/tasks/server_base/setup_raspbian.yml deleted file mode 100644 index 6959b39c8..000000000 --- a/roles/custom/matrix-base/tasks/server_base/setup_raspbian.yml +++ /dev/null 
@@ -1,34 +0,0 @@ ---- - -- name: Ensure APT usage dependencies are installed - ansible.builtin.apt: - name: - - apt-transport-https - - ca-certificates - - gnupg - state: present - update_cache: true - -- name: Ensure Docker's APT key is trusted - ansible.builtin.apt_key: - url: https://download.docker.com/linux/raspbian/gpg - id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88 - state: present - register: add_repository_key - ignore_errors: true - when: matrix_docker_installation_enabled | bool and matrix_docker_package_name == 'docker-ce' - -- name: Ensure Docker repository is enabled - ansible.builtin.apt_repository: - repo: "deb [arch={{ matrix_debian_arch }}] https://download.docker.com/linux/raspbian {{ ansible_distribution_release }} stable" - state: present - update_cache: true - when: matrix_docker_installation_enabled | bool and matrix_docker_package_name == 'docker-ce' - -- name: Ensure Docker is installed - ansible.builtin.apt: - name: - - "{{ matrix_docker_package_name }}" - - "python{{ '3' if ansible_python.version.major == 3 else '' }}-docker" - state: present - when: matrix_docker_installation_enabled | bool diff --git a/roles/custom/matrix-base/tasks/server_base/setup_redhat.yml b/roles/custom/matrix-base/tasks/server_base/setup_redhat.yml deleted file mode 100644 index dbddd9130..000000000 --- a/roles/custom/matrix-base/tasks/server_base/setup_redhat.yml +++ /dev/null 
@@ -1,24 +0,0 @@ ---- - -- name: Ensure Docker repository is enabled - ansible.builtin.template: - src: "{{ role_path }}/files/yum.repos.d/docker-ce-centos.repo" - dest: "/etc/yum.repos.d/docker-ce.repo" - owner: "root" - group: "root" - mode: 0644 - when: matrix_docker_installation_enabled | bool and matrix_docker_package_name == 'docker-ce' - -- name: Ensure Docker's RPM key is trusted - ansible.builtin.rpm_key: - state: present - key: https://download.docker.com/linux/centos/gpg - when: matrix_docker_installation_enabled | bool and matrix_docker_package_name == 'docker-ce' - -- name: Ensure Docker is installed - ansible.builtin.yum: - name: - - "{{ matrix_docker_package_name }}" - - docker-python - state: present - when: matrix_docker_installation_enabled | bool diff --git a/roles/custom/matrix-base/tasks/server_base/setup_redhat8.yml b/roles/custom/matrix-base/tasks/server_base/setup_redhat8.yml deleted file mode 100644 index c303abb8f..000000000 --- a/roles/custom/matrix-base/tasks/server_base/setup_redhat8.yml +++ /dev/null 
@@ -1,37 +0,0 @@ ---- - -- name: Ensure Docker repository is enabled - ansible.builtin.template: - src: "{{ role_path }}/files/yum.repos.d/docker-ce-centos.repo" - dest: "/etc/yum.repos.d/docker-ce.repo" - owner: "root" - group: "root" - mode: 0644 - when: matrix_docker_installation_enabled | bool and matrix_docker_package_name == 'docker-ce' - -- name: Ensure Docker's RPM key is trusted - ansible.builtin.rpm_key: - state: present - key: https://download.docker.com/linux/centos/gpg - when: matrix_docker_installation_enabled | bool and matrix_docker_package_name == 'docker-ce' - -- name: Ensure EPEL is installed - ansible.builtin.yum: - name: - - epel-release - state: present - update_cache: true - -- name: Ensure Docker is installed - ansible.builtin.yum: - name: - - "{{ matrix_docker_package_name }}" - - python3-pip - state: present - when: matrix_docker_installation_enabled | bool - -- name: Ensure Docker-Py is installed - ansible.builtin.pip: - name: docker-py - state: present - when: matrix_docker_installation_enabled | bool diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index 6a837605e..93f977d1b 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml @@ -27,3 +27,6 @@ - {'old': 'matrix_nginx_proxy_synapse_cache_path', 'new': 'matrix_synapse_reverse_proxy_companion_synapse_cache_path'} - {'old': 'matrix_nginx_proxy_synapse_cache_enabled', 'new': 'matrix_synapse_reverse_proxy_companion_synapse_cache_enabled'} + + - {'old': 'matrix_docker_installation_enabled', 'new': 'matrix_playbook_docker_installation_enabled'} + - {'old': 'matrix_docker_package_name', 'new': ''} From a98f249e40a4ba5cc67a66d2a3ac853e19acc120 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Tue, 22 Nov 2022 09:02:37 +0200 Subject: [PATCH 036/915] Remove old cleanup tasks --- roles/custom/matrix-base/tasks/clean_up_old_files.yml | 9 --------- roles/custom/matrix-base/tasks/main.yml | 6 ------ 2 files changed, 15 deletions(-) delete mode 100644 roles/custom/matrix-base/tasks/clean_up_old_files.yml diff --git a/roles/custom/matrix-base/tasks/clean_up_old_files.yml b/roles/custom/matrix-base/tasks/clean_up_old_files.yml deleted file mode 100644 index b79c01b3f..000000000 --- a/roles/custom/matrix-base/tasks/clean_up_old_files.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- - -- name: Get rid of old files and directories - ansible.builtin.file: - path: "{{ item }}" - state: absent - with_items: - - "{{ matrix_base_data_path }}/environment-variables" - - "{{ matrix_base_data_path }}/scratchpad" diff --git a/roles/custom/matrix-base/tasks/main.yml b/roles/custom/matrix-base/tasks/main.yml index 29e97cd17..4a8ec7fb2 100644 --- a/roles/custom/matrix-base/tasks/main.yml +++ b/roles/custom/matrix-base/tasks/main.yml @@ -8,12 +8,6 @@ tags: - setup-all -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/clean_up_old_files.yml" - when: run_setup | bool - tags: - - setup-all - - common - # This needs to always run, because it populates `matrix_user_uid` and `matrix_user_gid`, # which are required by many other roles. - ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_matrix_user.yml" From 2ad6bd87c7c798d4c082e171b33bb1f046353b06 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 22 Nov 2022 09:09:11 +0200 Subject: [PATCH 037/915] Determine matrix_architecture automatically --- docs/alternative-architectures.md | 20 ++++++------------- docs/self-building.md | 4 ++-- roles/custom/matrix-base/defaults/main.yml | 2 +- .../custom/matrix-base/tasks/sanity_check.yml | 1 + 4 files changed, 10 insertions(+), 17 deletions(-) 
diff --git a/docs/alternative-architectures.md b/docs/alternative-architectures.md index c8097b60b..0865de1f0 100644 --- a/docs/alternative-architectures.md +++ b/docs/alternative-architectures.md 
@@ -1,26 +1,18 @@ # Alternative architectures -As stated in the [Prerequisites](prerequisites.md), currently only `x86_64` is fully supported. However, it is possible to set the target architecture, and some tools can be built on the host or other measures can be used. +As stated in the [Prerequisites](prerequisites.md), currently only `amd64` (`x86_64`) is fully supported. -To that end add the following variable to your `vars.yml` file (see [Configuring playbook](configuring-playbook.md)): +The playbook automatically determines the target server's architecture (the `matrix_architecture` variable) to be one of the following: -```yaml -matrix_architecture: -``` - -Currently supported architectures are the following: -- `amd64` (the default) -- `arm64` +- `amd64` (`x86_64`) - `arm32` +- `arm64` -so for the Raspberry Pi, the following should be in your `vars.yml` file: +Some tools and container images can be built on the host or other measures can be used to install on that architecture. -```yaml -matrix_architecture: "arm32" -``` ## Implementation details For `amd64`, prebuilt container images (see the [container images we use](container-images.md)) are used for all components (except [Hydrogen](configuring-playbook-client-hydrogen.md), which goes through self-building). -For other architectures, components which have a prebuilt image make use of it. If the component is not available for the specific architecture, [self-building](self-building.md) will be used. Not all components support self-building though, so your mileage may vary. +For other architecture (`arm64`, `arm32`), components which have a prebuilt image make use of it. If the component is not available for the specific architecture, [self-building](self-building.md) will be used. Not all components support self-building though, so your mileage may vary. diff --git a/docs/self-building.md b/docs/self-building.md index 3351a1f8f..ad29fc2da 100644 --- a/docs/self-building.md +++ b/docs/self-building.md 
@@ -6,11 +6,11 @@ The playbook supports self-building of various components, which don't have a co For other architectures (e.g. `arm32`, `arm64`), ready-made container images are used when available. If there's no ready-made image for a specific component and said component supports self-building, an image will be built on the host. Building images like this takes more time and resources (some build tools need to get installed by the playbook to assist building). -To make use of self-building, you don't need to do anything besides change your architecture variable (e.g. `matrix_architecture: arm64`). If a component has an image for the specified architecture, the playbook will use it directly. If not, it will build the image on the server itself. +To make use of self-building, you don't need to do anything. If a component has an image for the specified architecture, the playbook will use it directly. If not, it will build the image on the server itself. Note that **not all components support self-building yet**. -List of roles where self-building the Docker image is currently possible: +Possibly outdated list of roles where self-building the Docker image is currently possible: - `matrix-synapse` - `matrix-synapse-admin` - `matrix-client-element` diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index f0d86c707..534db0785 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml 
@@ -86,7 +86,7 @@ matrix_federation_public_port: 8448 # Recognized values by us are 'amd64', 'arm32' and 'arm64'. # Not all architectures support all services, so your experience (on non-amd64) may vary. # See docs/alternative-architectures.md -matrix_architecture: amd64 +matrix_architecture: "{{ 'amd64' if ansible_architecture == 'x86_64' else ('arm64' if ansible_architecture == 'aarch64' else ('arm32' if ansible_architecture.startswith('armv') else '')) }}" # The architecture for Debian packages. # See: https://wiki.debian.org/SupportedArchitectures diff --git a/roles/custom/matrix-base/tasks/sanity_check.yml b/roles/custom/matrix-base/tasks/sanity_check.yml index f825e19ef..2644d4cfe 100644 --- a/roles/custom/matrix-base/tasks/sanity_check.yml +++ b/roles/custom/matrix-base/tasks/sanity_check.yml @@ -40,6 +40,7 @@ - {'var': matrix_server_fqn_element, 'value': "{{ matrix_server_fqn_element | default('') }}"} - {'var': matrix_homeserver_container_url, 'value': "{{ matrix_homeserver_container_url | default('') }}"} - {'var': matrix_homeserver_container_federation_url, 'value': "{{ matrix_homeserver_container_federation_url | default('') }}"} + - {'var': matrix_architecture, 'value': "{{ matrix_architecture | default('') }}"} when: "item.value is none or item.value == ''" - name: Fail if uppercase domain used From 6f865a7e0b6979d370fae444f84f29cda8d31b4e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 22 Nov 2022 09:23:18 +0200 Subject: [PATCH 038/915] Announce some playbook changes --- CHANGELOG.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0e11f8ef0..d32ec9e08 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
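Review bot: The comment block above the changed `matrix_architecture:` line (context lines `# Recognized values by us are 'amd64', 'arm32' and 'arm64'.` through `# See docs/alternative-architectures.md`) still reads as if the value were user-supplied, but the new expression derives it from `ansible_architecture` and silently yields the empty string for anything other than `x86_64`, `aarch64` or `armv*`. Add a line such as `# Auto-detected from ansible_architecture; an empty value means an unsupported architecture and is rejected by tasks/sanity_check.yml` so the empty fallback is understood as intentional rather than a bug. The start of that comment block may lie before the hunk.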
@@ -1,3 +1,24 @@ +# 2022-11-22 + +# Automatic `matrix_architecture` determination + +From now on, the playbook automatically determines your server's architecture and sets the `matrix_architecture` variable accordingly. +You no longer need to set this variable manually in your `vars.yml` file. + +# Docker and the Docker SDK for Python are now installed via external roles + +We're continuing our effort to make [the playbook use external roles for some things](#the-playbook-now-uses-external-roles-for-some-things), so as to avoid doing everything ourselves and to facilitate code re-use. + +Docker will now be installed on the server via the [geerlingguy.docker](https://github.com/geerlingguy/ansible-role-docker) Ansible role. +If you'd like to manage the Docker installation yourself, you can disable the playbook's installation of Docker by setting `matrix_playbook_docker_installation_enabled: false`. + +The Docker SDK for Python (named `docker-python`, `python-docker`, etc. on the different platforms) is now also installed by another role ([com.devture.ansible.role.docker_sdk_for_python](https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python)). To disable this role and install the necessary tools yourself, use `devture_docker_sdk_for_python_installation_enabled: false`. + +If you're hitting issues with Docker installation or Docker SDK for Python installation, consider reporting bugs or contributing to these other projects. + +These additional roles are downloaded into the playbook directory (to `roles/galaxy`) via an `ansible-galaxy ..` command. `make roles` is an easy shortcut for invoking the `ansible-galaxy` command to download these roles. + + # 2022-11-20 ## (Backward Compatibility Break) Changing how reverse-proxying to Synapse works - now via a `matrix-synapse-reverse-proxy-companion` service From b90956069c80770d7822d5a0f2ebfa8289068cd4 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Tue, 22 Nov 2022 09:25:29 +0200 Subject: [PATCH 039/915] Fix matrix_architecture sanity check --- roles/custom/matrix-base/tasks/sanity_check.yml | 5 +++++ roles/custom/matrix-base/tasks/system_check.yml | 7 ------- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/roles/custom/matrix-base/tasks/sanity_check.yml b/roles/custom/matrix-base/tasks/sanity_check.yml index 2644d4cfe..3a3a56394 100644 --- a/roles/custom/matrix-base/tasks/sanity_check.yml +++ b/roles/custom/matrix-base/tasks/sanity_check.yml @@ -43,6 +43,11 @@ - {'var': matrix_architecture, 'value': "{{ matrix_architecture | default('') }}"} when: "item.value is none or item.value == ''" +- name: Fail if matrix_architecture is set incorrectly + ansible.builtin.fail: + msg: "Detected that variable matrix_architecture {{ matrix_architecture }} appears to be set incorrectly. See docs/alternative-architectures.md. Server appears to be {{ ansible_architecture }}." + when: matrix_architecture not in ['amd64', 'arm32', 'arm64'] + - name: Fail if uppercase domain used ansible.builtin.fail: msg: "Detected that you're using an uppercase domain name - `{{ item }}`. This will cause trouble. Please use all-lowercase!" diff --git a/roles/custom/matrix-base/tasks/system_check.yml b/roles/custom/matrix-base/tasks/system_check.yml index f1d2fc7b1..909bdb127 100644 --- a/roles/custom/matrix-base/tasks/system_check.yml +++ b/roles/custom/matrix-base/tasks/system_check.yml 
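Review bot: The message in the new `Fail if matrix_architecture is set incorrectly` task says the variable "appears to be set incorrectly" and sends the user to docs/alternative-architectures.md, but since commit 2ad6bd87 the value is auto-detected and those docs now tell users not to set it, so a user on an unsupported machine is told to fix something they never configured. Reword it to `msg: "Unsupported or undetected server architecture: ansible_architecture is {{ ansible_architecture }}, which maps to matrix_architecture '{{ matrix_architecture }}'. Supported values are amd64, arm32 and arm64; see docs/alternative-architectures.md."` and rename the task to match. The empty-value case is already caught by the preceding loop in the context lines, so this task mainly covers an explicit override with an unexpected value.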
@@ -21,10 +21,3 @@ when: - ansible_distribution == 'Archlinux' - ansible_python.version.major != 3 - -- name: Fail if architecture is set incorrectly - ansible.builtin.fail: - msg: "Detected that variable matrix_architecture {{ matrix_architecture }} appears to be set incorrectly. See docs/alternative-architectures.md. Server appears to be {{ ansible_architecture }}." - when: (ansible_architecture == "x86_64" and matrix_architecture != "amd64") or - (ansible_architecture == "aarch64" and matrix_architecture != "arm64") or - (ansible_architecture.startswith("armv") and matrix_architecture != "arm32") From b8b5acdb16219ebfa86ed7749c183475d41fe0a7 Mon Sep 17 00:00:00 2001 From: Aine Date: Tue, 22 Nov 2022 15:46:00 +0200 Subject: [PATCH 040/915] fix user creator role --- group_vars/matrix_servers | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 403188e73..163eaab36 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -2761,29 +2761,29 @@ matrix_conduit_systemd_required_services_list: | matrix_user_creator_users_auto: | {{ - [{ + ([{ 'username': matrix_bot_matrix_reminder_bot_matrix_user_id_localpart, 'initial_password': matrix_bot_matrix_reminder_bot_matrix_user_password, 'initial_type': 'bot', - }] if matrix_bot_matrix_reminder_bot_enabled else [] + }] if matrix_bot_matrix_reminder_bot_enabled else []) + - [{ + ([{ 'username': matrix_bot_honoroit_login, 'initial_password': matrix_bot_honoroit_password, 'initial_type': 'bot', - }] if matrix_bot_honoroit_enabled else [] + }] if matrix_bot_honoroit_enabled else []) + - [{ + ([{ 'username': matrix_bot_postmoogle_login, 'initial_password': matrix_bot_postmoogle_password, 'initial_type': 'bot', - }] if matrix_bot_postmoogle_enabled else [] + }] if matrix_bot_postmoogle_enabled else []) + - [{ + ([{ 'username': matrix_bot_buscarron_login, 'initial_password': matrix_bot_buscarron_password, 'initial_type': 'bot', - }] if matrix_bot_buscarron_enabled else [] + }] if matrix_bot_buscarron_enabled else []) }} ###################################################################### From e37db0c88865d6c26f4a5db16b477a932bc4f512 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 22 Nov 2022 16:41:14 +0200 Subject: [PATCH 041/915] Upgrade Synapse (v1.71.0 -> v1.72.0) --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 54351256a..c6bf31fd2 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml 
@@ -36,7 +36,7 @@ matrix_synapse_container_image_customizations_dockerfile_body_custom: '' matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:{{ matrix_synapse_docker_image_tag }}" matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else matrix_container_global_registry_prefix }}" -matrix_synapse_version: v1.71.0 +matrix_synapse_version: v1.72.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From 70be6eb323d46b2d443db1100a4f0b927ce5b232 Mon Sep 17 00:00:00 2001 From: Array in a Matrix Date: Tue, 22 Nov 2022 11:13:53 -0500 Subject: [PATCH 042/915] Update dendrite.yaml.j2 --- .../custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 index 7d99aee55..65cb4c2c3 100644 --- a/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 +++ b/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -416,3 +416,6 @@ tracing: # stdout by Dendrite. logging: [] +# statistics reporting configuration. These statistics contain the server +# name, number of active users and some information on your deployment config. +report_stats: {{ matrix_dendrite_report_stats|to_json }} From 11ea49075d8eec284360d717e1416ee8735bfd9e Mon Sep 17 00:00:00 2001 From: Array in a Matrix Date: Tue, 22 Nov 2022 11:16:19 -0500 Subject: [PATCH 043/915] Update main.yml --- roles/custom/matrix-dendrite/defaults/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml index 698a1f48d..f83085341 100644 --- a/roles/custom/matrix-dendrite/defaults/main.yml 
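Review bot: `report_stats: {{ matrix_dendrite_report_stats|to_json }}` emits a bare boolean at the top level of dendrite.yaml; as far as I recall, upstream Dendrite's sample config models this as a `report_stats:` mapping with `enabled` and `endpoint` keys under `global`, so this key may be silently ignored or rejected by the pinned Dendrite version — please verify against the sample config for that release before merging. If that is the case, the template should become `report_stats:` / `  enabled: {{ matrix_dendrite_report_stats | to_json }}` placed under `global`, with the `matrix_dendrite_report_stats: false` default in the defaults/main.yml hunk below left as is. The copied comment is fine, but naming the upstream config key it maps to would make such a mismatch easier to spot.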
+++ b/roles/custom/matrix-dendrite/defaults/main.yml @@ -196,3 +196,7 @@ matrix_dendrite_configuration_extension: "{{ matrix_dendrite_configuration_exten matrix_dendrite_configuration: "{{ matrix_dendrite_configuration_yaml | from_yaml | combine(matrix_dendrite_configuration_extension, recursive=True) }}" matrix_dendrite_userapi_auto_join_rooms: [] + +# statistics reporting configuration. These statistics contain the server +# name, number of active users and some information on your deployment config. +matrix_dendrite_report_stats: false From 26c219e1cc24c18f5366ae4b10176397b5ec7bdb Mon Sep 17 00:00:00 2001 From: Array in a Matrix Date: Tue, 22 Nov 2022 11:30:19 -0500 Subject: [PATCH 044/915] Update configuring-playbook-telemetry.md --- docs/configuring-playbook-telemetry.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-telemetry.md b/docs/configuring-playbook-telemetry.md index a97fa59c8..093d2621d 100644 --- a/docs/configuring-playbook-telemetry.md +++ b/docs/configuring-playbook-telemetry.md @@ -12,7 +12,9 @@ growth of the Matrix community, and helps to make Matrix a success. If you'd like to **help by enabling submission of general usage statistics** for your homeserver, add this to your configuration file (`inventory/host_vars/matrix./vars.yml`): ```yaml -matrix_synapse_report_stats: true +matrix_synapse_report_stats: true # for synapse + +matrix_dendrite_report_stats: true # for dendrite ``` From 6c39413e79578cf08fbdf45bde80141a388de64c Mon Sep 17 00:00:00 2001 From: Array in a Matrix Date: Tue, 22 Nov 2022 11:32:03 -0500 Subject: [PATCH 045/915] Update configuring-playbook-telemetry.md --- docs/configuring-playbook-telemetry.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-telemetry.md b/docs/configuring-playbook-telemetry.md index 093d2621d..8e021ed19 100644 --- a/docs/configuring-playbook-telemetry.md +++ b/docs/configuring-playbook-telemetry.md 
@@ -20,9 +20,9 @@ matrix_dendrite_report_stats: true # for dendrite ## Usage statistics being submitted -When enabled, Synapse will regularly upload a few dozen statistics about your server. +When enabled, your homeserver e will regularly upload a few dozen statistics about your server. This data includes your homeserver's domain, the total number of users, the number of active users, the total number of rooms, and the number of messages sent per day on your homeserver. -See [Synapse's documentation](https://github.com/matrix-org/synapse/blob/develop/docs/usage/administration/monitoring/reporting_homeserver_usage_statistics.md#available-statistics) +See [Synapse's documentation](https://github.com/matrix-org/synapse/blob/develop/docs/usage/administration/monitoring/reporting_homeserver_usage_statistics.md#available-statistics) or [Dendrite's documentation](https://github.com/matrix-org/dendrite/blob/main/docs/FAQ.md#what-is-being-reported-when-enabling-phone-home-statistics) for the full list of statistics that are reported. From 3505f62f026bab702dada4aed67761e78b63dcd4 Mon Sep 17 00:00:00 2001 From: Array in a Matrix Date: Tue, 22 Nov 2022 11:37:46 -0500 Subject: [PATCH 046/915] Update configuring-playbook-telemetry.md --- docs/configuring-playbook-telemetry.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-telemetry.md b/docs/configuring-playbook-telemetry.md index 8e021ed19..74f59dfc8 100644 --- a/docs/configuring-playbook-telemetry.md +++ b/docs/configuring-playbook-telemetry.md 
@@ -20,7 +20,7 @@ matrix_dendrite_report_stats: true # for dendrite ## Usage statistics being submitted -When enabled, your homeserver e will regularly upload a few dozen statistics about your server. +When enabled, your homeserver will regularly upload a few dozen statistics about your server. This data includes your homeserver's domain, the total number of users, the number of active users, the total number of rooms, and the number of messages sent per day on your homeserver. From 5c4d4dc514e8fe671ab3994e436f80a4709e6391 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 22 Nov 2022 21:41:43 +0000 Subject: [PATCH 047/915] Update element 1.11.14 -> 1.11.15 --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 0bb65ea82..eb93691f4 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml @@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.11.14 +matrix_client_element_version: v1.11.15 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 0ea7cb5d1812a88e57c65bc6163455e698efa0d8 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Tue, 22 Nov 2022 21:36:49 +0200 Subject: [PATCH 048/915] Remove various init.yml files - initialize systemd services, etc., statically (not at runtime) --- group_vars/matrix_servers | 256 +++++++++++++++++- .../custom/matrix-backup-borg/tasks/init.yml | 4 - .../custom/matrix-backup-borg/tasks/main.yml | 4 - roles/custom/matrix-base/defaults/main.yml | 7 + roles/custom/matrix-base/vars/main.yml | 7 - .../matrix-bot-buscarron/tasks/init.yml | 5 - .../matrix-bot-buscarron/tasks/main.yml | 4 - roles/custom/matrix-bot-go-neb/tasks/init.yml | 5 - roles/custom/matrix-bot-go-neb/tasks/main.yml | 4 - .../custom/matrix-bot-honoroit/tasks/init.yml | 5 - .../custom/matrix-bot-honoroit/tasks/main.yml | 4 - .../tasks/init.yml | 5 - .../tasks/main.yml | 4 - .../tasks/init.yml | 5 - .../tasks/main.yml | 4 - roles/custom/matrix-bot-maubot/tasks/init.yml | 5 - .../custom/matrix-bot-mjolnir/tasks/init.yml | 11 - .../custom/matrix-bot-mjolnir/tasks/main.yml | 4 - .../matrix-bot-postmoogle/tasks/init.yml | 5 - .../matrix-bot-postmoogle/tasks/main.yml | 4 - .../tasks/init.yml | 29 -- .../tasks/main.yml | 4 - .../tasks/init.yml | 36 --- .../tasks/main.yml | 4 - .../tasks/init.yml | 28 -- .../tasks/main.yml | 4 - .../tasks/init.yml | 43 --- .../tasks/init.yml | 36 --- .../tasks/init.yml | 22 -- .../tasks/main.yml | 4 - .../tasks/init.yml | 21 -- .../tasks/main.yml | 4 - .../matrix-bridge-heisenbridge/tasks/init.yml | 29 -- .../matrix-bridge-heisenbridge/tasks/main.yml | 4 - .../matrix-bridge-hookshot/tasks/init.yml | 28 -- .../tasks/init.yml | 21 -- .../tasks/main.yml | 3 - .../tasks/init.yml | 27 -- .../tasks/init.yml | 27 -- .../tasks/init.yml | 27 -- .../tasks/init.yml | 28 -- .../tasks/main.yml | 4 - .../tasks/init.yml | 22 -- .../tasks/main.yml | 4 - .../tasks/init.yml | 27 -- .../tasks/init.yml | 29 -- .../tasks/main.yml | 4 - .../tasks/init.yml | 21 -- .../tasks/main.yml | 3 - .../tasks/init.yml | 28 -- .../tasks/main.yml | 4 - .../tasks/init.yml | 28 -- 
.../tasks/main.yml | 4 - .../tasks/init.yml | 28 -- .../tasks/main.yml | 4 - .../tasks/init.yml | 27 -- .../tasks/init.yml | 28 -- .../tasks/main.yml | 4 - .../tasks/init.yml | 27 -- roles/custom/matrix-bridge-sms/tasks/init.yml | 30 -- roles/custom/matrix-bridge-sms/tasks/main.yml | 4 - .../matrix-cactus-comments/tasks/init.yml | 21 -- .../custom/matrix-client-cinny/tasks/init.yml | 11 - .../custom/matrix-client-cinny/tasks/main.yml | 4 - .../matrix-client-element/tasks/init.yml | 12 - .../matrix-client-element/tasks/main.yml | 4 - .../matrix-client-hydrogen/tasks/init.yml | 11 - .../matrix-client-hydrogen/tasks/main.yml | 4 - roles/custom/matrix-conduit/tasks/init.yml | 5 - roles/custom/matrix-conduit/tasks/main.yml | 4 - roles/custom/matrix-corporal/tasks/init.yml | 11 - roles/custom/matrix-corporal/tasks/main.yml | 4 - roles/custom/matrix-coturn/tasks/init.yml | 15 - roles/custom/matrix-coturn/tasks/main.yml | 4 - .../custom/matrix-dendrite/defaults/main.yml | 16 +- roles/custom/matrix-dendrite/tasks/init.yml | 5 - roles/custom/matrix-dendrite/tasks/main.yml | 4 - roles/custom/matrix-dimension/tasks/init.yml | 4 - roles/custom/matrix-dimension/tasks/main.yml | 4 - .../custom/matrix-dynamic-dns/tasks/init.yml | 11 - .../custom/matrix-dynamic-dns/tasks/main.yml | 4 - .../custom/matrix-email2matrix/tasks/init.yml | 5 - .../custom/matrix-email2matrix/tasks/main.yml | 4 - roles/custom/matrix-etherpad/tasks/init.yml | 4 - roles/custom/matrix-grafana/tasks/init.yml | 5 - roles/custom/matrix-grafana/tasks/main.yml | 4 - roles/custom/matrix-jitsi/tasks/init.yml | 10 - roles/custom/matrix-jitsi/tasks/main.yml | 4 - .../matrix-jitsi/tasks/validate_config.yml | 5 + .../tasks/init.yml | 10 - roles/custom/matrix-ma1sd/tasks/init.yml | 11 - roles/custom/matrix-ma1sd/tasks/main.yml | 4 - roles/custom/matrix-mailer/tasks/init.yml | 11 - roles/custom/matrix-mailer/tasks/main.yml | 4 - .../custom/matrix-nginx-proxy/tasks/init.yml | 9 - .../custom/matrix-nginx-proxy/tasks/main.yml 
| 3 - roles/custom/matrix-ntfy/tasks/init.yml | 5 - roles/custom/matrix-ntfy/tasks/main.yml | 4 - .../matrix-postgres-backup/tasks/init.yml | 5 - .../matrix-postgres-backup/tasks/main.yml | 4 - roles/custom/matrix-postgres/tasks/init.yml | 5 - roles/custom/matrix-postgres/tasks/main.yml | 4 - .../tasks/init.yml | 4 - .../tasks/init.yml | 4 - roles/custom/matrix-prometheus/tasks/init.yml | 5 - roles/custom/matrix-prometheus/tasks/main.yml | 4 - roles/custom/matrix-redis/tasks/init.yml | 5 - roles/custom/matrix-redis/tasks/main.yml | 4 - .../custom/matrix-registration/tasks/init.yml | 10 - roles/custom/matrix-sygnal/tasks/init.yml | 5 - roles/custom/matrix-sygnal/tasks/main.yml | 4 - .../matrix-synapse-admin/tasks/init.yml | 10 - .../tasks/init.yml | 5 - .../tasks/main.yml | 4 - .../tasks/setup_install.yml | 2 +- roles/custom/matrix-synapse/defaults/main.yml | 16 +- .../tasks/ext/s3-storage-provider/init.yml | 5 - roles/custom/matrix-synapse/tasks/init.yml | 17 -- 118 files changed, 281 insertions(+), 1212 deletions(-) delete mode 100644 roles/custom/matrix-backup-borg/tasks/init.yml delete mode 100644 roles/custom/matrix-base/vars/main.yml delete mode 100644 roles/custom/matrix-bot-buscarron/tasks/init.yml delete mode 100644 roles/custom/matrix-bot-go-neb/tasks/init.yml delete mode 100644 roles/custom/matrix-bot-honoroit/tasks/init.yml delete mode 100644 roles/custom/matrix-bot-matrix-registration-bot/tasks/init.yml delete mode 100644 roles/custom/matrix-bot-matrix-reminder-bot/tasks/init.yml delete mode 100644 roles/custom/matrix-bot-mjolnir/tasks/init.yml delete mode 100644 roles/custom/matrix-bot-postmoogle/tasks/init.yml delete mode 100644 roles/custom/matrix-bridge-appservice-discord/tasks/init.yml delete mode 100644 roles/custom/matrix-bridge-appservice-irc/tasks/init.yml delete mode 100644 roles/custom/matrix-bridge-appservice-kakaotalk/tasks/init.yml delete mode 100644 roles/custom/matrix-bridge-beeper-linkedin/tasks/init.yml delete mode 100644 
roles/custom/matrix-bridge-go-skype-bridge/tasks/init.yml delete mode 100644 roles/custom/matrix-bridge-heisenbridge/tasks/init.yml delete mode 100644 roles/custom/matrix-bridge-mautrix-discord/tasks/init.yml delete mode 100644 roles/custom/matrix-bridge-mautrix-instagram/tasks/init.yml delete mode 100644 roles/custom/matrix-bridge-mautrix-signal/tasks/init.yml delete mode 100644 roles/custom/matrix-bridge-mautrix-twitter/tasks/init.yml delete mode 100644 roles/custom/matrix-bridge-mautrix-whatsapp/tasks/init.yml delete mode 100644 roles/custom/matrix-bridge-mx-puppet-discord/tasks/init.yml delete mode 100644 roles/custom/matrix-bridge-mx-puppet-groupme/tasks/init.yml delete mode 100644 roles/custom/matrix-bridge-mx-puppet-instagram/tasks/init.yml delete mode 100644 roles/custom/matrix-bridge-mx-puppet-steam/tasks/init.yml delete mode 100644 roles/custom/matrix-bridge-sms/tasks/init.yml delete mode 100644 roles/custom/matrix-client-cinny/tasks/init.yml delete mode 100644 roles/custom/matrix-client-element/tasks/init.yml delete mode 100644 roles/custom/matrix-client-hydrogen/tasks/init.yml delete mode 100644 roles/custom/matrix-conduit/tasks/init.yml delete mode 100644 roles/custom/matrix-corporal/tasks/init.yml delete mode 100644 roles/custom/matrix-coturn/tasks/init.yml delete mode 100644 roles/custom/matrix-dendrite/tasks/init.yml delete mode 100644 roles/custom/matrix-dimension/tasks/init.yml delete mode 100644 roles/custom/matrix-dynamic-dns/tasks/init.yml delete mode 100644 roles/custom/matrix-email2matrix/tasks/init.yml delete mode 100644 roles/custom/matrix-grafana/tasks/init.yml delete mode 100644 roles/custom/matrix-jitsi/tasks/init.yml delete mode 100644 roles/custom/matrix-ma1sd/tasks/init.yml delete mode 100644 roles/custom/matrix-mailer/tasks/init.yml delete mode 100644 roles/custom/matrix-nginx-proxy/tasks/init.yml delete mode 100644 roles/custom/matrix-ntfy/tasks/init.yml delete mode 100644 roles/custom/matrix-postgres-backup/tasks/init.yml delete 
mode 100644 roles/custom/matrix-postgres/tasks/init.yml delete mode 100644 roles/custom/matrix-prometheus/tasks/init.yml delete mode 100644 roles/custom/matrix-redis/tasks/init.yml delete mode 100644 roles/custom/matrix-sygnal/tasks/init.yml delete mode 100644 roles/custom/matrix-synapse-reverse-proxy-companion/tasks/init.yml delete mode 100644 roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/init.yml diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 163eaab36..d51f20d4f 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -19,6 +19,254 @@ # Also see `devture_docker_sdk_for_python_installation_enabled`. matrix_playbook_docker_installation_enabled: true +# This list is not exhaustive and final. +# Synapse workers are still injected into the list at runtime. +# Additional JVB workers (playbooks/jitsi_jvb.yml -- roles/custom/matrix-jitsi/tasks/init_additional_jvb.yml) override this variable at runtime as well. +matrix_systemd_services_list: | + {{ + (['matrix-backup-borg.timer'] if matrix_backup_borg_enabled else []) + + + (['matrix-bot-buscarron.service'] if matrix_bot_buscarron_enabled else []) + + + (['matrix-bot-go-neb.service'] if matrix_bot_go_neb_enabled else []) + + + (['matrix-bot-honoroit.service'] if matrix_bot_honoroit_enabled else []) + + + (['matrix-bot-matrix-registration-bot.service'] if matrix_bot_matrix_registration_bot_enabled else []) + + + (['matrix-bot-matrix-reminder-bot.service'] if matrix_bot_matrix_reminder_bot_enabled else []) + + + (['matrix-bot-maubot.service'] if matrix_bot_maubot_enabled else []) + + + (['matrix-bot-mjolnir.service'] if matrix_bot_mjolnir_enabled else []) + + + (['matrix-bot-postmoogle.service'] if matrix_bot_postmoogle_enabled else []) + + + (['matrix-appservice-discord.service'] if matrix_appservice_discord_enabled else []) + + + (['matrix-appservice-irc.service'] if matrix_appservice_irc_enabled else []) + + + (['matrix-appservice-kakaotalk.service', 'matrix-appservice-kakaotalk-node.service'] if matrix_appservice_kakaotalk_enabled else []) + + + (['matrix-appservice-slack.service'] if matrix_appservice_slack_enabled else []) + + + (['matrix-appservice-webhooks.service'] if matrix_appservice_webhooks_enabled else []) + + + (['matrix-beeper-linkedin.service'] if matrix_beeper_linkedin_enabled else []) + + + (['matrix-go-skype-bridge.service'] if matrix_go_skype_bridge_enabled else []) + + + (['matrix-heisenbridge.service'] if matrix_heisenbridge_enabled else []) + + + (['matrix-hookshot.service'] if matrix_hookshot_enabled else []) + 
+ + (['matrix-mautrix-discord.service'] if matrix_mautrix_discord_enabled else []) + + + (['matrix-mautrix-facebook.service'] if matrix_mautrix_facebook_enabled else []) + + + (['matrix-mautrix-googlechat.service'] if matrix_mautrix_googlechat_enabled else []) + + + (['matrix-mautrix-hangouts.service'] if matrix_mautrix_hangouts_enabled else []) + + + (['matrix-mautrix-instagram.service'] if matrix_mautrix_instagram_enabled else []) + + + (['matrix-mautrix-signal.service', 'matrix-mautrix-signal-daemon.service'] if matrix_mautrix_signal_enabled else []) + + + (['matrix-mautrix-telegram.service'] if matrix_mautrix_telegram_enabled else []) + + + (['matrix-mautrix-twitter.service'] if matrix_mautrix_twitter_enabled else []) + + + (['matrix-mautrix-whatsapp.service'] if matrix_mautrix_whatsapp_enabled else []) + + + (['matrix-mx-puppet-discord.service'] if matrix_mx_puppet_discord_enabled else []) + + + (['matrix-mx-puppet-groupme.service'] if matrix_mx_puppet_groupme_enabled else []) + + + (['matrix-mx-puppet-instagram.service'] if matrix_mx_puppet_instagram_enabled else []) + + + (['matrix-mx-puppet-slack.service'] if matrix_mx_puppet_slack_enabled else []) + + + (['matrix-mx-puppet-steam.service'] if matrix_mx_puppet_steam_enabled else []) + + + (['matrix-mx-puppet-twitter.service'] if matrix_mx_puppet_twitter_enabled else []) + + + (['matrix-sms-bridge.service'] if matrix_sms_bridge_enabled else []) + + + (['matrix-cactus-comments.service'] if matrix_cactus_comments_enabled else []) + + + (['matrix-client-cinny.service'] if matrix_client_cinny_enabled else []) + + + (['matrix-client-element.service'] if matrix_client_element_enabled else []) + + + (['matrix-client-hydrogen.service'] if matrix_client_hydrogen_enabled else []) + + + (['matrix-' + matrix_homeserver_implementation + '.service']) + + + (['matrix-corporal.service'] if matrix_corporal_enabled else []) + + + (['matrix-coturn.service'] if matrix_coturn_enabled else []) + + + (['matrix-coturn-reload.timer'] 
if (matrix_coturn_enabled and matrix_coturn_tls_enabled) else []) + + + (['matrix-dimension.service'] if matrix_dimension_enabled else []) + + + (['matrix-dynamic-dns.service'] if matrix_dynamic_dns_enabled else []) + + + (['matrix-email2matrix.service'] if matrix_email2matrix_enabled else []) + + + (['matrix-etherpad.service'] if matrix_etherpad_enabled else []) + + + (['matrix-grafana.service'] if matrix_grafana_enabled else []) + + + (['matrix-jitsi-web.service', 'matrix-jitsi-prosody.service', 'matrix-jitsi-jicofo.service', 'matrix-jitsi-jvb.service'] if matrix_jitsi_enabled else []) + + + (['matrix-ldap-registration-proxy.service'] if matrix_ldap_registration_proxy_enabled else []) + + + (['matrix-ma1sd.service'] if matrix_ma1sd_enabled else []) + + + (['matrix-mailer.service'] if matrix_mailer_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + + + (matrix_ssl_renewal_systemd_units_list | selectattr('applicable') | map(attribute='name')) + + + (['matrix-ntfy.service'] if matrix_ntfy_enabled else []) + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-postgres-backup.service'] if matrix_postgres_backup_enabled else []) + + + (['matrix-prometheus.service'] if matrix_prometheus_enabled else []) + + + (['matrix-prometheus-node-exporter.service'] if matrix_prometheus_node_exporter_enabled else []) + + + (['matrix-prometheus-postgres-exporter.service'] if matrix_prometheus_postgres_exporter_enabled else []) + + + (['matrix-redis'] if matrix_redis_enabled else []) + + + (['matrix-registration.service'] if matrix_registration_enabled else []) + + + (['matrix-sygnal.service'] if matrix_sygnal_enabled else []) + + + (['matrix-goofys.service'] if matrix_s3_media_store_enabled else []) + + + (['matrix-synapse-s3-storage-provider-migrate.timer'] if matrix_synapse_ext_synapse_s3_storage_provider_enabled else []) + + + (['matrix-synapse-admin.service'] if matrix_synapse_admin_enabled else []) + + 
+ (['matrix-synapse-reverse-proxy-companion.service'] if matrix_synapse_reverse_proxy_companion_enabled else []) + }} + +matrix_homeserver_app_service_config_files_auto: | + {{ + (['--mount type=bind,src=' + matrix_appservice_discord_config_path + '/registration.yaml,dst=/matrix-appservice-discord-registration.yaml,ro'] if matrix_appservice_discord_enabled else []) + + + (['--mount type=bind,src=' + matrix_appservice_irc_config_path + '/registration.yaml,dst=/matrix-appservice-irc-registration.yaml,ro'] if matrix_appservice_irc_enabled else []) + + + (['--mount type=bind,src=' + matrix_appservice_kakaotalk_config_path + '/registration.yaml,dst=/matrix-appservice-kakaotalk-registration.yaml,ro'] if matrix_appservice_kakaotalk_enabled else []) + + + (['--mount type=bind,src=' + matrix_appservice_slack_config_path + '/slack-registration.yaml,dst=/matrix-appservice-slack-registration.yaml,ro'] if matrix_appservice_slack_enabled else []) + + + (['--mount type=bind,src=' + matrix_appservice_webhooks_config_path + '/webhooks-registration.yaml,dst=/matrix-appservice-webhooks-registration.yaml,ro'] if matrix_appservice_webhooks_enabled else []) + + + (['--mount type=bind,src=' + matrix_beeper_linkedin_config_path + '/registration.yaml,dst=/matrix-beeper-linkedin-registration.yaml,ro'] if matrix_beeper_linkedin_enabled else []) + + + (['--mount type=bind,src=' + matrix_go_skype_bridge_config_path + '/registration.yaml,dst=/matrix-go-skype-bridge-registration.yaml,ro'] if matrix_go_skype_bridge_enabled else []) + + + (['--mount type=bind,src=' + matrix_heisenbridge_base_path + '/registration.yaml,dst=/heisenbridge-registration.yaml,ro'] if matrix_heisenbridge_enabled else []) + + + (['--mount type=bind,src=' + matrix_hookshot_base_path + '/registration.yml,dst=/hookshot-registration.yml,ro'] if matrix_hookshot_enabled else []) + + + (['--mount type=bind,src=' + matrix_mautrix_discord_config_path + '/registration.yaml,dst=/matrix-mautrix-discord-registration.yaml,ro'] if 
matrix_mautrix_discord_enabled else []) + + + (['--mount type=bind,src=' + matrix_mautrix_facebook_config_path + '/registration.yaml,dst=/matrix-mautrix-facebook-registration.yaml,ro'] if matrix_mautrix_facebook_enabled else []) + + + (['--mount type=bind,src=' + matrix_mautrix_googlechat_config_path + '/registration.yaml,dst=/matrix-mautrix-googlechat-registration.yaml,ro'] if matrix_mautrix_googlechat_enabled else []) + + + (['--mount type=bind,src=' + matrix_mautrix_hangouts_config_path + '/registration.yaml,dst=/matrix-mautrix-hangouts-registration.yaml,ro'] if matrix_mautrix_hangouts_enabled else []) + + + (['--mount type=bind,src=' + matrix_mautrix_instagram_config_path + '/registration.yaml,dst=/matrix-mautrix-instagram-registration.yaml,ro'] if matrix_mautrix_instagram_enabled else []) + + + (['--mount type=bind,src=' + matrix_mautrix_signal_config_path + '/registration.yaml,dst=/matrix-mautrix-signal-registration.yaml,ro'] if matrix_mautrix_signal_enabled else []) + + + (['--mount type=bind,src=' + matrix_mautrix_telegram_config_path + '/registration.yaml,dst=/matrix-mautrix-telegram-registration.yaml,ro'] if matrix_mautrix_telegram_enabled else []) + + + (['--mount type=bind,src=' + matrix_mautrix_twitter_config_path + '/registration.yaml,dst=/matrix-mautrix-twitter-registration.yaml,ro'] if matrix_mautrix_twitter_enabled else []) + + + (['--mount type=bind,src=' + matrix_mautrix_whatsapp_config_path + '/registration.yaml,dst=/matrix-mautrix-whatsapp-registration.yaml,ro'] if matrix_mautrix_whatsapp_enabled else []) + + + (['--mount type=bind,src=' + matrix_mx_puppet_discord_config_path + '/registration.yaml,dst=/matrix-mx-puppet-discord-registration.yaml,ro'] if matrix_mx_puppet_discord_enabled else []) + + + (['--mount type=bind,src=' + matrix_mx_puppet_groupme_config_path + '/registration.yaml,dst=/matrix-mx-puppet-groupme-registration.yaml,ro'] if matrix_mx_puppet_groupme_enabled else []) + + + (['--mount type=bind,src=' + 
matrix_mx_puppet_instagram_config_path + '/registration.yaml,dst=/matrix-mx-puppet-instagram-registration.yaml,ro'] if matrix_mx_puppet_instagram_enabled else []) + + + (['--mount type=bind,src=' + matrix_mx_puppet_slack_config_path + '/registration.yaml,dst=/matrix-mx-puppet-slack-registration.yaml,ro'] if matrix_mx_puppet_slack_enabled else []) + + + (['--mount type=bind,src=' + matrix_mx_puppet_steam_config_path + '/registration.yaml,dst=/matrix-mx-puppet-steam-registration.yaml,ro'] if matrix_mx_puppet_steam_enabled else []) + + + (['--mount type=bind,src=' + matrix_mx_puppet_twitter_config_path + '/registration.yaml,dst=/matrix-mx-puppet-twitter-registration.yaml,ro'] if matrix_mx_puppet_twitter_enabled else []) + + + (['--mount type=bind,src=' + matrix_sms_bridge_config_path + '/registration.yaml,dst=/matrix-sms-bridge-registration.yaml,ro'] if matrix_sms_bridge_enabled else []) + + + (['--mount type=bind,src=' + matrix_cactus_comments_app_service_config_file + ',dst=/matrix-cactus-comments.yaml,ro'] if matrix_cactus_comments_enabled else []) + }} + +matrix_homeserver_additional_config_files_auto: | + {{ + (['/matrix-appservice-discord-registration.yaml'] if matrix_appservice_discord_enabled else []) + + + (['/matrix-appservice-irc-registration.yaml'] if matrix_appservice_irc_enabled else []) + + + (['/matrix-appservice-kakaotalk-registration.yaml'] if matrix_appservice_kakaotalk_enabled else []) + + + (['/matrix-appservice-slack-registration.yaml'] if matrix_appservice_slack_enabled else []) + + + (['/matrix-appservice-webhooks-registration.yaml'] if matrix_appservice_webhooks_enabled else []) + + + (['/matrix-beeper-linkedin-registration.yaml'] if matrix_beeper_linkedin_enabled else []) + + + (['/matrix-go-skype-bridge-registration.yaml'] if matrix_go_skype_bridge_enabled else []) + + + (['/heisenbridge-registration.yaml'] if matrix_heisenbridge_enabled else []) + + + (['/hookshot-registration.yml'] if matrix_hookshot_enabled else []) + + + 
(['/matrix-mautrix-discord-registration.yaml'] if matrix_mautrix_discord_enabled else []) + + + (['/matrix-mautrix-facebook-registration.yaml'] if matrix_mautrix_facebook_enabled else []) + + + (['/matrix-mautrix-googlechat-registration.yaml'] if matrix_mautrix_googlechat_enabled else []) + + + (['/matrix-mautrix-hangouts-registration.yaml'] if matrix_mautrix_hangouts_enabled else []) + + + (['/matrix-mautrix-instagram-registration.yaml'] if matrix_mautrix_instagram_enabled else []) + + + (['/matrix-mautrix-signal-registration.yaml'] if matrix_mautrix_signal_enabled else []) + + + (['/matrix-mautrix-telegram-registration.yaml'] if matrix_mautrix_telegram_enabled else []) + + + (['/matrix-mautrix-twitter-registration.yaml'] if matrix_mautrix_twitter_enabled else []) + + + (['/matrix-mautrix-whatsapp-registration.yaml'] if matrix_mautrix_whatsapp_enabled else []) + + + (['/matrix-mx-puppet-discord-registration.yaml'] if matrix_mx_puppet_discord_enabled else []) + + + (['/matrix-mx-puppet-groupme-registration.yaml'] if matrix_mx_puppet_groupme_enabled else []) + + + (['/matrix-mx-puppet-instagram-registration.yaml'] if matrix_mx_puppet_instagram_enabled else []) + + + (['/matrix-mx-puppet-slack-registration.yaml'] if matrix_mx_puppet_slack_enabled else []) + + + (['/matrix-mx-puppet-steam-registration.yaml'] if matrix_mx_puppet_steam_enabled else []) + + + (['/matrix-mx-puppet-twitter-registration.yaml'] if matrix_mx_puppet_twitter_enabled else []) + + + (['/matrix-sms-bridge-registration.yaml'] if matrix_sms_bridge_enabled else []) + + + (['/matrix-cactus-comments.yaml'] if matrix_cactus_comments_enabled else []) + }} + ######################################################################## # # # /Playbook # 
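Review bot: `(['matrix-redis'] if matrix_redis_enabled else [])` is the only entry in `matrix_systemd_services_list` without a unit suffix; every other entry is spelled `*.service` or `*.timer`, and any consumer that compares this list against unit file names (rather than passing it to `systemctl`, which defaults the suffix) will treat the Redis unit as unmanaged — suggest `(['matrix-redis.service'] if matrix_redis_enabled else [])`. Separately, `(matrix_ssl_renewal_systemd_units_list | selectattr('applicable') | map(attribute='name'))` yields a generator in Jinja2 while the surrounding `+` concatenates Python lists, which raises `can only concatenate list (not "generator") to list`; unless Ansible coerces it somewhere outside this hunk, append `| list` to that term. The `matrix_homeserver_app_service_config_files_auto` bind mounts are consistently `ro`, which is the right posture for registration files that carry appservice tokens.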
@@ -2413,8 +2661,8 @@ matrix_synapse_redis_enabled: "{{ matrix_redis_enabled }}"
matrix_synapse_redis_host: "{{ 'matrix-redis' if matrix_redis_enabled else '' }}"
matrix_synapse_redis_password: "{{ matrix_redis_connection_password if matrix_redis_enabled else '' }}"
-matrix_synapse_container_runtime_injected_arguments: "{{ matrix_homeserver_container_runtime_injected_arguments }}"
-matrix_synapse_app_service_runtime_injected_config_files: "{{ matrix_homeserver_app_service_runtime_injected_config_files }}"
+matrix_synapse_container_extra_arguments_auto: "{{ matrix_homeserver_container_extra_arguments_auto }}"
+matrix_synapse_app_service_config_files_auto: "{{ matrix_homeserver_app_service_config_files_auto }}"
######################################################################
#
@@ -2723,8 +2971,8 @@ matrix_dendrite_systemd_wanted_services_list: |
(['matrix-coturn.service'] if matrix_coturn_enabled else [])
}}
-matrix_dendrite_container_runtime_injected_arguments: "{{ matrix_homeserver_container_runtime_injected_arguments }}"
-matrix_dendrite_app_service_runtime_injected_config_files: "{{ matrix_homeserver_app_service_runtime_injected_config_files }}"
+matrix_dendrite_container_extra_arguments_auto: "{{ matrix_homeserver_container_extra_arguments_auto }}"
+matrix_dendrite_app_service_config_files_auto: "{{ matrix_homeserver_app_service_config_files_auto }}"
######################################################################
#
diff --git a/roles/custom/matrix-backup-borg/tasks/init.yml b/roles/custom/matrix-backup-borg/tasks/init.yml
deleted file mode 100644
index d57f12491..000000000
--- a/roles/custom/matrix-backup-borg/tasks/init.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-backup-borg.timer'] }}"
- when: matrix_backup_borg_enabled | bool
diff --git a/roles/custom/matrix-backup-borg/tasks/main.yml b/roles/custom/matrix-backup-borg/tasks/main.yml
index 5de4559c5..e8c020a47 100644
--- a/roles/custom/matrix-backup-borg/tasks/main.yml
+++ b/roles/custom/matrix-backup-borg/tasks/main.yml
@@ -1,9 +1,5 @@
---
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml"
- tags:
- - always
-
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup | bool and matrix_backup_borg_enabled | bool"
tags:
diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml
index 534db0785..d54da23ed 100644
--- a/roles/custom/matrix-base/defaults/main.yml
+++ b/roles/custom/matrix-base/defaults/main.yml
@@ -253,6 +253,13 @@ matrix_well_known_matrix_server_enabled: true
# See `matrix_homeserver_admin_contacts`, `matrix_homeserver_support_url`, etc.
matrix_well_known_matrix_support_enabled: false
+# This will contain a list of enabled services that the playbook is managing.
+# Each component is expected to append its service name to this list.
+matrix_systemd_services_list: []
+
+matrix_homeserver_container_extra_arguments_auto: []
+matrix_homeserver_app_service_config_files_auto: []
+
# Variables to Control which parts of our roles run.
run_postgres_import: true
run_postgres_upgrade: true
diff --git a/roles/custom/matrix-base/vars/main.yml b/roles/custom/matrix-base/vars/main.yml
deleted file mode 100644
index 3578666f3..000000000
--- a/roles/custom/matrix-base/vars/main.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-# This will contain a list of enabled services that the playbook is managing.
-# Each component is expected to append its service name to this list.
-matrix_systemd_services_list: []
-
-matrix_homeserver_container_runtime_injected_arguments: []
-matrix_homeserver_app_service_runtime_injected_config_files: []
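Review bot: The new default `matrix_homeserver_app_service_config_files_auto: []` does not match the key the group_vars hunk earlier in this patch actually populates, `matrix_homeserver_additional_config_files_auto`, while the Synapse and Dendrite hunks read `matrix_homeserver_app_service_config_files_auto`; unless a later commit reconciles the two names, both homeservers will only ever see this empty default and none of the bind-mounted appservice registration files gets loaded into the homeserver config. The fix is a rename of the group_vars key to `matrix_homeserver_app_service_config_files_auto: |`. The comment carried over from `vars/main.yml`, `# Each component is expected to append its service name to this list.`, is also stale now that this same patch deletes every per-role `set_fact` that did the appending; I would replace it with `# Built centrally by the playbook from the enabled components; roles no longer append to it via set_fact.` Note too that moving these from `vars/` to `defaults/` drops them to the lowest variable precedence, so a stray inventory value now silently replaces the computed lists — presumably intended, but worth a line in the comment.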
diff --git a/roles/custom/matrix-bot-buscarron/tasks/init.yml b/roles/custom/matrix-bot-buscarron/tasks/init.yml
deleted file mode 100644
index a1f5751db..000000000
--- a/roles/custom/matrix-bot-buscarron/tasks/init.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-buscarron.service'] }}"
- when: matrix_bot_buscarron_enabled | bool
diff --git a/roles/custom/matrix-bot-buscarron/tasks/main.yml b/roles/custom/matrix-bot-buscarron/tasks/main.yml
index e6712262f..0d575393f 100644
--- a/roles/custom/matrix-bot-buscarron/tasks/main.yml
+++ b/roles/custom/matrix-bot-buscarron/tasks/main.yml
@@ -1,9 +1,5 @@
---
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml"
- tags:
- - always
-
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup | bool and matrix_bot_buscarron_enabled | bool"
tags:
diff --git a/roles/custom/matrix-bot-go-neb/tasks/init.yml b/roles/custom/matrix-bot-go-neb/tasks/init.yml
deleted file mode 100644
index 9d5b4f896..000000000
--- a/roles/custom/matrix-bot-go-neb/tasks/init.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-go-neb.service'] }}"
- when: matrix_bot_go_neb_enabled | bool
diff --git a/roles/custom/matrix-bot-go-neb/tasks/main.yml b/roles/custom/matrix-bot-go-neb/tasks/main.yml
index 27487ac53..4fc22e591 100644
--- a/roles/custom/matrix-bot-go-neb/tasks/main.yml
+++ b/roles/custom/matrix-bot-go-neb/tasks/main.yml
@@ -1,9 +1,5 @@
---
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml"
- tags:
- - always
-
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup | bool and matrix_bot_go_neb_enabled | bool"
tags:
diff --git a/roles/custom/matrix-bot-honoroit/tasks/init.yml b/roles/custom/matrix-bot-honoroit/tasks/init.yml
deleted file mode 100644
index 1b03373c8..000000000
--- a/roles/custom/matrix-bot-honoroit/tasks/init.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-honoroit.service'] }}"
- when: matrix_bot_honoroit_enabled | bool
diff --git a/roles/custom/matrix-bot-honoroit/tasks/main.yml b/roles/custom/matrix-bot-honoroit/tasks/main.yml
index 5de468fe7..09fab3272 100644
--- a/roles/custom/matrix-bot-honoroit/tasks/main.yml
+++ b/roles/custom/matrix-bot-honoroit/tasks/main.yml
@@ -1,9 +1,5 @@
---
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml"
- tags:
- - always
-
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup | bool and matrix_bot_honoroit_enabled | bool"
tags:
diff --git a/roles/custom/matrix-bot-matrix-registration-bot/tasks/init.yml b/roles/custom/matrix-bot-matrix-registration-bot/tasks/init.yml
deleted file mode 100644
index 91b1f095d..000000000
--- a/roles/custom/matrix-bot-matrix-registration-bot/tasks/init.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-matrix-registration-bot.service'] }}"
- when: matrix_bot_matrix_registration_bot_enabled | bool
diff --git a/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml b/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml
index cc162e991..5f44faac5 100644
--- a/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml
+++ b/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml
@@ -1,9 +1,5 @@
---
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml"
- tags:
- - always
-
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup | bool and matrix_bot_matrix_registration_bot_enabled | bool"
tags:
diff --git a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/init.yml b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/init.yml
deleted file mode 100644
index 0a5ba4821..000000000
--- a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/init.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-matrix-reminder-bot.service'] }}"
- when: matrix_bot_matrix_reminder_bot_enabled | bool
diff --git a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/main.yml b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/main.yml
index 19c3823fa..8340ef67e 100644
--- a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/main.yml
+++ b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/main.yml
@@ -1,9 +1,5 @@
---
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml"
- tags:
- - always
-
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup | bool and matrix_bot_matrix_reminder_bot_enabled | bool"
tags:
diff --git a/roles/custom/matrix-bot-maubot/tasks/init.yml b/roles/custom/matrix-bot-maubot/tasks/init.yml
index ccb5956e6..f7aec6273 100644
--- a/roles/custom/matrix-bot-maubot/tasks/init.yml
+++ b/roles/custom/matrix-bot-maubot/tasks/init.yml
@@ -1,10 +1,5 @@
---
-- name: Add maubot to the systemd service list
- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-maubot.service'] }}"
- when: matrix_bot_maubot_enabled | bool
-
- name: Configure nginx for maubot
block:
- name: Generate Maubot proxying configuration for matrix-nginx-proxy
diff --git a/roles/custom/matrix-bot-mjolnir/tasks/init.yml b/roles/custom/matrix-bot-mjolnir/tasks/init.yml
deleted file mode 100644
index 2b6053428..000000000
--- a/roles/custom/matrix-bot-mjolnir/tasks/init.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
-# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
-- name: Fail if trying to self-build on Ansible < 2.8
- ansible.builtin.fail:
- msg: "To self-build the Mjolnir image, you should use Ansible 2.8 or higher. See docs/ansible.md"
- when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_bot_mjolnir_container_image_self_build and matrix_bot_mjolnir_enabled"
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-mjolnir.service'] }}"
- when: matrix_bot_mjolnir_enabled | bool
diff --git a/roles/custom/matrix-bot-mjolnir/tasks/main.yml b/roles/custom/matrix-bot-mjolnir/tasks/main.yml
index 867201a20..02a22bb1c 100644
--- a/roles/custom/matrix-bot-mjolnir/tasks/main.yml
+++ b/roles/custom/matrix-bot-mjolnir/tasks/main.yml
@@ -1,9 +1,5 @@
---
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml"
- tags:
- - always
-
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup | bool and matrix_bot_mjolnir_enabled | bool"
tags:
diff --git a/roles/custom/matrix-bot-postmoogle/tasks/init.yml b/roles/custom/matrix-bot-postmoogle/tasks/init.yml
deleted file mode 100644
index 16b781713..000000000
--- a/roles/custom/matrix-bot-postmoogle/tasks/init.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-postmoogle.service'] }}"
- when: matrix_bot_postmoogle_enabled | bool
diff --git a/roles/custom/matrix-bot-postmoogle/tasks/main.yml b/roles/custom/matrix-bot-postmoogle/tasks/main.yml
index cbe590e17..4e2ab51b9 100644
--- a/roles/custom/matrix-bot-postmoogle/tasks/main.yml
+++ b/roles/custom/matrix-bot-postmoogle/tasks/main.yml
@@ -1,9 +1,5 @@
---
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml"
- tags:
- - always
-
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup | bool and matrix_bot_postmoogle_enabled | bool"
tags:
diff --git a/roles/custom/matrix-bridge-appservice-discord/tasks/init.yml b/roles/custom/matrix-bridge-appservice-discord/tasks/init.yml
deleted file mode 100644
index 915d73021..000000000
--- a/roles/custom/matrix-bridge-appservice-discord/tasks/init.yml
+++ /dev/null
@@ -1,29 +0,0 @@
----
-# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
-# We don't want to fail in such cases.
-- name: Fail if matrix-synapse role already executed
- ansible.builtin.fail:
- msg: >-
- The matrix-bridge-appservice-discord role needs to execute before the matrix-synapse role.
- when: "matrix_appservice_discord_enabled and matrix_synapse_role_executed | default(False)"
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-discord.service'] }}"
- when: matrix_appservice_discord_enabled | bool
-
-# If the matrix-synapse role is not used, these variables may not exist.
-- ansible.builtin.set_fact:
- matrix_homeserver_container_runtime_injected_arguments: >
- {{
- matrix_homeserver_container_runtime_injected_arguments | default([])
- +
- ["--mount type=bind,src={{ matrix_appservice_discord_config_path }}/registration.yaml,dst=/matrix-appservice-discord-registration.yaml,ro"]
- }}
-
- matrix_homeserver_app_service_runtime_injected_config_files: >
- {{
- matrix_homeserver_app_service_runtime_injected_config_files | default([])
- +
- ["/matrix-appservice-discord-registration.yaml"]
- }}
- when: matrix_appservice_discord_enabled | bool
diff --git a/roles/custom/matrix-bridge-appservice-discord/tasks/main.yml b/roles/custom/matrix-bridge-appservice-discord/tasks/main.yml
index 7ab8f3a65..249668583 100644
--- a/roles/custom/matrix-bridge-appservice-discord/tasks/main.yml
+++ b/roles/custom/matrix-bridge-appservice-discord/tasks/main.yml
@@ -1,9 +1,5 @@
---
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml"
- tags:
- - always
-
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup | bool and matrix_appservice_discord_enabled | bool"
tags:
diff --git a/roles/custom/matrix-bridge-appservice-irc/tasks/init.yml b/roles/custom/matrix-bridge-appservice-irc/tasks/init.yml
deleted file mode 100644
index 031271279..000000000
--- a/roles/custom/matrix-bridge-appservice-irc/tasks/init.yml
+++ /dev/null
@@ -1,36 +0,0 @@
----
-# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
-# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
-- name: Fail if trying to self-build on Ansible < 2.8
- ansible.builtin.fail:
- msg: "To self-build the matrix-appservice-irc image, you should use Ansible 2.8 or higher. See docs/ansible.md"
- when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_irc_container_image_self_build and matrix_appservice_irc_enabled"
-
-# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
-# We don't want to fail in such cases.
-- name: Fail if matrix-synapse role already executed
- ansible.builtin.fail:
- msg: >-
- The matrix-bridge-appservice-irc role needs to execute before the matrix-synapse role.
- when: "matrix_appservice_irc_enabled | bool and matrix_synapse_role_executed | default(False)"
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-irc.service'] }}"
- when: matrix_appservice_irc_enabled | bool
-
-# If the matrix-synapse role is not used, these variables may not exist.
-- ansible.builtin.set_fact:
- matrix_homeserver_container_runtime_injected_arguments: >
- {{
- matrix_homeserver_container_runtime_injected_arguments | default([])
- +
- ["--mount type=bind,src={{ matrix_appservice_irc_config_path }}/registration.yaml,dst=/matrix-appservice-irc-registration.yaml,ro"]
- }}
-
- matrix_homeserver_app_service_runtime_injected_config_files: >
- {{
- matrix_homeserver_app_service_runtime_injected_config_files | default([])
- +
- ["/matrix-appservice-irc-registration.yaml"]
- }}
- when: matrix_appservice_irc_enabled | bool
diff --git a/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml b/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml
index 41d2017b0..f66b729ba 100644
--- a/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml
+++ b/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml
@@ -1,9 +1,5 @@
---
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml"
- tags:
- - always
-
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup | bool and matrix_appservice_irc_enabled | bool"
tags:
diff --git a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/init.yml b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/init.yml
deleted file mode 100644
index 6112b5cce..000000000
--- a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/init.yml
+++ /dev/null
@@ -1,28 +0,0 @@
----
-# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
-# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
-- name: Fail if trying to self-build on Ansible < 2.8
- ansible.builtin.fail:
- msg: "To self-build the appservice-kakaotalk image, you should use Ansible 2.8 or higher. See docs/ansible.md"
- when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_kakaotalk_container_image_self_build and matrix_appservice_kakaotalk_enabled"
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-kakaotalk.service', 'matrix-appservice-kakaotalk-node.service'] }}"
- when: matrix_appservice_kakaotalk_enabled | bool
-
-# If the matrix-synapse role is not used, these variables may not exist.
-- ansible.builtin.set_fact:
- matrix_homeserver_container_runtime_injected_arguments: >
- {{
- matrix_homeserver_container_runtime_injected_arguments | default([])
- +
- ["--mount type=bind,src={{ matrix_appservice_kakaotalk_config_path }}/registration.yaml,dst=/matrix-appservice-kakaotalk-registration.yaml,ro"]
- }}
-
- matrix_homeserver_app_service_runtime_injected_config_files: >
- {{
- matrix_homeserver_app_service_runtime_injected_config_files | default([])
- +
- ["/matrix-appservice-kakaotalk-registration.yaml"]
- }}
- when: matrix_appservice_kakaotalk_enabled | bool
diff --git a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/main.yml b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/main.yml
index dfb286f2c..a4dffd76f 100644
--- a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/main.yml
+++ b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/main.yml
@@ -1,9 +1,5 @@
---
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml"
- tags:
- - always
-
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup | bool and matrix_appservice_kakaotalk_enabled | bool"
tags:
diff --git a/roles/custom/matrix-bridge-appservice-slack/tasks/init.yml b/roles/custom/matrix-bridge-appservice-slack/tasks/init.yml
index 5d03b24b9..e07f1afc0 100644
--- a/roles/custom/matrix-bridge-appservice-slack/tasks/init.yml
+++ b/roles/custom/matrix-bridge-appservice-slack/tasks/init.yml
@@ -1,47 +1,4 @@
---
-# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
-# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
-- name: Fail if trying to self-build on Ansible < 2.8
- ansible.builtin.fail:
- msg: "To self-build the matrix-appservice-slack image, you should use Ansible 2.8 or higher. See docs/ansible.md"
- when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_slack_container_image_self_build and matrix_appservice_slack_enabled"
-
-# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
-# We don't want to fail in such cases.
-- name: Fail if matrix-synapse role already executed
- ansible.builtin.fail:
- msg: >-
- The matrix-bridge-appservice-slack role needs to execute before the matrix-synapse role.
- when: "matrix_synapse_role_executed | default(False)"
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-slack.service'] }}"
- when: matrix_appservice_slack_enabled | bool
-
-# If the matrix-synapse role is not used, these variables may not exist.
-- ansible.builtin.set_fact:
- matrix_homeserver_container_runtime_injected_arguments: >
- {{
- matrix_homeserver_container_runtime_injected_arguments | default([])
- +
- ["--mount type=bind,src={{ matrix_appservice_slack_config_path }}/slack-registration.yaml,dst=/matrix-appservice-slack-registration.yaml,ro"]
- }}
-
- matrix_homeserver_app_service_runtime_injected_config_files: >
- {{
- matrix_homeserver_app_service_runtime_injected_config_files | default([])
- +
- ["/matrix-appservice-slack-registration.yaml"]
- }}
- when: matrix_appservice_slack_enabled | bool
-
-# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
-# We don't want to fail in such cases.
-- name: Fail if matrix-synapse role already executed
- ansible.builtin.fail:
- msg: >-
- The matrix-bridge-appservice-slack role needs to execute before the matrix-synapse role.
- when: "matrix_synapse_role_executed | default(False)"
- when: matrix_appservice_slack_enabled | bool
tags:
diff --git a/roles/custom/matrix-bridge-appservice-webhooks/tasks/init.yml b/roles/custom/matrix-bridge-appservice-webhooks/tasks/init.yml
index 1f8ace9e8..47a298750 100644
--- a/roles/custom/matrix-bridge-appservice-webhooks/tasks/init.yml
+++ b/roles/custom/matrix-bridge-appservice-webhooks/tasks/init.yml
@@ -1,40 +1,4 @@
---
-# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
-# We don't want to fail in such cases.
-- name: Fail if matrix-synapse role already executed
- ansible.builtin.fail:
- msg: >-
- The matrix-bridge-appservice-webhooks role needs to execute before the matrix-synapse role.
- when: "matrix_synapse_role_executed | default(False)"
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-webhooks.service'] }}"
- when: matrix_appservice_webhooks_enabled | bool
-
-# If the matrix-synapse role is not used, these variables may not exist.
-- ansible.builtin.set_fact:
- matrix_homeserver_container_runtime_injected_arguments: >
- {{
- matrix_homeserver_container_runtime_injected_arguments | default([])
- +
- ["--mount type=bind,src={{ matrix_appservice_webhooks_config_path }}/webhooks-registration.yaml,dst=/matrix-appservice-webhooks-registration.yaml,ro"]
- }}
-
- matrix_homeserver_app_service_runtime_injected_config_files: >
- {{
- matrix_homeserver_app_service_runtime_injected_config_files | default([])
- +
- ["/matrix-appservice-webhooks-registration.yaml"]
- }}
- when: matrix_appservice_webhooks_enabled | bool
-
-# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
-# We don't want to fail in such cases.
-- name: Fail if matrix-synapse role already executed
- ansible.builtin.fail:
- msg: >-
- The matrix-bridge-appservice-webhooks role needs to execute before the matrix-synapse role.
- when: "matrix_synapse_role_executed | default(False)"
- when: matrix_appservice_webhooks_enabled | bool
tags:
diff --git a/roles/custom/matrix-bridge-beeper-linkedin/tasks/init.yml b/roles/custom/matrix-bridge-beeper-linkedin/tasks/init.yml
deleted file mode 100644
index 1208f185b..000000000
--- a/roles/custom/matrix-bridge-beeper-linkedin/tasks/init.yml
+++ /dev/null
@@ -1,22 +0,0 @@
----
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-beeper-linkedin.service'] }}"
- when: matrix_beeper_linkedin_enabled | bool
-
-# If the matrix-synapse role is not used, these variables may not exist.
-- ansible.builtin.set_fact:
- matrix_homeserver_container_runtime_injected_arguments: >
- {{
- matrix_homeserver_container_runtime_injected_arguments | default([])
- +
- ["--mount type=bind,src={{ matrix_beeper_linkedin_config_path }}/registration.yaml,dst=/matrix-beeper-linkedin-registration.yaml,ro"]
- }}
-
- matrix_homeserver_app_service_runtime_injected_config_files: >
- {{
- matrix_homeserver_app_service_runtime_injected_config_files | default([])
- +
- ["/matrix-beeper-linkedin-registration.yaml"]
- }}
- when: matrix_beeper_linkedin_enabled | bool
diff --git a/roles/custom/matrix-bridge-beeper-linkedin/tasks/main.yml b/roles/custom/matrix-bridge-beeper-linkedin/tasks/main.yml
index 8f295d2ca..9ba728f13 100644
--- a/roles/custom/matrix-bridge-beeper-linkedin/tasks/main.yml
+++ b/roles/custom/matrix-bridge-beeper-linkedin/tasks/main.yml
@@ -1,9 +1,5 @@
---
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml"
- tags:
- - always
-
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup | bool and matrix_beeper_linkedin_enabled | bool"
tags:
diff --git a/roles/custom/matrix-bridge-go-skype-bridge/tasks/init.yml b/roles/custom/matrix-bridge-go-skype-bridge/tasks/init.yml
deleted file mode 100644
index 58808454f..000000000
--- a/roles/custom/matrix-bridge-go-skype-bridge/tasks/init.yml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-go-skype-bridge.service'] }}"
- when: matrix_go_skype_bridge_enabled | bool
-
-# If the matrix-synapse role is not used, these variables may not exist.
-- ansible.builtin.set_fact:
- matrix_homeserver_container_runtime_injected_arguments: >
- {{
- matrix_homeserver_container_runtime_injected_arguments | default([])
- +
- ["--mount type=bind,src={{ matrix_go_skype_bridge_config_path }}/registration.yaml,dst=/matrix-go-skype-bridge-registration.yaml,ro"]
- }}
-
- matrix_homeserver_app_service_runtime_injected_config_files: >
- {{
- matrix_homeserver_app_service_runtime_injected_config_files | default([])
- +
- ["/matrix-go-skype-bridge-registration.yaml"]
- }}
- when: matrix_go_skype_bridge_enabled | bool
diff --git a/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml b/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml
index 39f4b2e52..3b8fdb245 100644
--- a/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml
+++ b/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml
@@ -1,9 +1,5 @@
---
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml"
- tags:
- - always
-
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup | bool and matrix_go_skype_bridge_enabled | bool"
tags:
diff --git a/roles/custom/matrix-bridge-heisenbridge/tasks/init.yml b/roles/custom/matrix-bridge-heisenbridge/tasks/init.yml
deleted file mode 100644
index dd3d4c7d0..000000000
--- a/roles/custom/matrix-bridge-heisenbridge/tasks/init.yml
+++ /dev/null
@@ -1,29 +0,0 @@
----
-# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
-# We don't want to fail in such cases.
-- name: Fail if matrix-synapse role already executed
- ansible.builtin.fail:
- msg: >-
- The matrix-bridge-heisenbridge role needs to execute before the matrix-synapse role.
- when: "matrix_heisenbridge_enabled and matrix_synapse_role_executed | default(False)"
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-heisenbridge.service'] }}"
- when: matrix_heisenbridge_enabled | bool
-
-# If the matrix-synapse role is not used, these variables may not exist.
-- ansible.builtin.set_fact:
- matrix_homeserver_container_runtime_injected_arguments: >
- {{
- matrix_homeserver_container_runtime_injected_arguments | default([])
- +
- ["--mount type=bind,src={{ matrix_heisenbridge_base_path }}/registration.yaml,dst=/heisenbridge-registration.yaml,ro"]
- }}
-
- matrix_homeserver_app_service_runtime_injected_config_files: >
- {{
- matrix_homeserver_app_service_runtime_injected_config_files | default([])
- +
- ["/heisenbridge-registration.yaml"]
- }}
- when: matrix_heisenbridge_enabled | bool
diff --git a/roles/custom/matrix-bridge-heisenbridge/tasks/main.yml b/roles/custom/matrix-bridge-heisenbridge/tasks/main.yml
index 6af9813ec..70bc86c31 100644
--- a/roles/custom/matrix-bridge-heisenbridge/tasks/main.yml
+++ b/roles/custom/matrix-bridge-heisenbridge/tasks/main.yml
@@ -1,9 +1,5 @@
---
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml"
- tags:
- - always
-
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml"
when: "run_setup | bool and matrix_heisenbridge_enabled | bool"
tags:
diff --git a/roles/custom/matrix-bridge-hookshot/tasks/init.yml b/roles/custom/matrix-bridge-hookshot/tasks/init.yml
index 63921f311..625e30234 100644
--- a/roles/custom/matrix-bridge-hookshot/tasks/init.yml
+++ b/roles/custom/matrix-bridge-hookshot/tasks/init.yml
@@ -1,32 +1,4 @@
---
-# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
-# We don't want to fail in such cases.
-- name: Fail if matrix-synapse role already executed
- ansible.builtin.fail:
- msg: >-
- The matrix-bridge-hookshot role needs to execute before the matrix-synapse role.
- when: "matrix_hookshot_enabled and matrix_synapse_role_executed | default(False)"
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-hookshot.service'] }}"
- when: matrix_hookshot_enabled | bool
-
-# If the matrix-synapse role is not used, these variables may not exist.
-- ansible.builtin.set_fact:
- matrix_homeserver_container_runtime_injected_arguments: >
- {{
- matrix_homeserver_container_runtime_injected_arguments | default([])
- +
- ["--mount type=bind,src={{ matrix_hookshot_base_path }}/registration.yml,dst=/hookshot-registration.yml,ro"]
- }}
-
- matrix_homeserver_app_service_runtime_injected_config_files: >
- {{
- matrix_homeserver_app_service_runtime_injected_config_files | default([])
- +
- ["/hookshot-registration.yml"]
- }}
- when: matrix_hookshot_enabled | bool
- when: matrix_hookshot_enabled | bool
block:
diff --git a/roles/custom/matrix-bridge-mautrix-discord/tasks/init.yml b/roles/custom/matrix-bridge-mautrix-discord/tasks/init.yml
deleted file mode 100644
index 3f94a73ad..000000000
--- a/roles/custom/matrix-bridge-mautrix-discord/tasks/init.yml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-discord.service'] }}"
- when: matrix_mautrix_discord_enabled | bool
-
-# If the matrix-synapse role is not used, these variables may not exist.
-- ansible.builtin.set_fact:
- matrix_homeserver_container_runtime_injected_arguments: >
- {{
- matrix_homeserver_container_runtime_injected_arguments | default([])
- +
- ["--mount type=bind,src={{ matrix_mautrix_discord_config_path }}/registration.yaml,dst=/matrix-mautrix-discord-registration.yaml,ro"]
- }}
-
- matrix_homeserver_app_service_runtime_injected_config_files: >
- {{
- matrix_homeserver_app_service_runtime_injected_config_files | default([])
- +
- ["/matrix-mautrix-discord-registration.yaml"]
- }}
- when: matrix_mautrix_discord_enabled | bool
diff --git a/roles/custom/matrix-bridge-mautrix-discord/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-discord/tasks/main.yml
index 9eaadf684..2b68f1ed4 100644
--- a/roles/custom/matrix-bridge-mautrix-discord/tasks/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-discord/tasks/main.yml
@@ -1,7 +1,4 @@
---
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml"
- tags:
- - always
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup | bool and matrix_mautrix_discord_enabled | bool"
diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/init.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/init.yml
index 5565689f4..8a4229af7 100644
--- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/init.yml
+++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/init.yml
@@ -1,31 +1,4 @@
---
-# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
-# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
-- name: Fail if trying to self-build on Ansible < 2.8
- ansible.builtin.fail:
- msg: "To self-build the Mautrix-Facebook image, you should use Ansible 2.8 or higher. See docs/ansible.md"
- when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_facebook_container_image_self_build and matrix_mautrix_facebook_enabled"
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-facebook.service'] }}"
- when: matrix_mautrix_facebook_enabled | bool
-
-# If the matrix-synapse role is not used, these variables may not exist.
-- ansible.builtin.set_fact:
- matrix_homeserver_container_runtime_injected_arguments: >
- {{
- matrix_homeserver_container_runtime_injected_arguments | default([])
- +
- ["--mount type=bind,src={{ matrix_mautrix_facebook_config_path }}/registration.yaml,dst=/matrix-mautrix-facebook-registration.yaml,ro"]
- }}
-
- matrix_homeserver_app_service_runtime_injected_config_files: >
- {{
- matrix_homeserver_app_service_runtime_injected_config_files | default([])
- +
- ["/matrix-mautrix-facebook-registration.yaml"]
- }}
- when: matrix_mautrix_facebook_enabled | bool
- when: matrix_mautrix_facebook_enabled | bool and matrix_mautrix_facebook_appservice_public_enabled | bool
tags:
diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/init.yml b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/init.yml
index c4ae920c4..17e6094df 100644
--- a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/init.yml
+++ b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/init.yml
@@ -1,31 +1,4 @@ --- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the Mautrix-Google Chat image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_googlechat_container_image_self_build and matrix_mautrix_googlechat_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-googlechat.service'] }}" - when: matrix_mautrix_googlechat_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_mautrix_googlechat_config_path }}/registration.yaml,dst=/matrix-mautrix-googlechat-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-mautrix-googlechat-registration.yaml"] - }} - when: matrix_mautrix_googlechat_enabled | bool - when: matrix_mautrix_googlechat_enabled | bool tags: diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/init.yml b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/init.yml index 380dc4b38..8850f1cf5 100644 --- a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/init.yml +++ b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/init.yml 
@@ -1,31 +1,4 @@ --- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the Mautrix-Hangouts image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_hangouts_container_image_self_build and matrix_mautrix_hangouts_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-hangouts.service'] }}" - when: matrix_mautrix_hangouts_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_mautrix_hangouts_config_path }}/registration.yaml,dst=/matrix-mautrix-hangouts-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-mautrix-hangouts-registration.yaml"] - }} - when: matrix_mautrix_hangouts_enabled | bool - when: matrix_mautrix_hangouts_enabled | bool tags: diff --git a/roles/custom/matrix-bridge-mautrix-instagram/tasks/init.yml b/roles/custom/matrix-bridge-mautrix-instagram/tasks/init.yml deleted file mode 100644 index 7ef037e33..000000000 --- a/roles/custom/matrix-bridge-mautrix-instagram/tasks/init.yml +++ /dev/null 
@@ -1,28 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the Mautrix-Instagram image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_instagram_container_image_self_build and matrix_mautrix_instagram_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-instagram.service'] }}" - when: matrix_mautrix_instagram_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_mautrix_instagram_config_path }}/registration.yaml,dst=/matrix-mautrix-instagram-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-mautrix-instagram-registration.yaml"] - }} - when: matrix_mautrix_instagram_enabled | bool diff --git a/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml index d5becb6d3..403546ff4 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml @@ -1,9 +1,5 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_mautrix_instagram_enabled | bool" tags: 
diff --git a/roles/custom/matrix-bridge-mautrix-signal/tasks/init.yml b/roles/custom/matrix-bridge-mautrix-signal/tasks/init.yml deleted file mode 100644 index 17ad98a4c..000000000 --- a/roles/custom/matrix-bridge-mautrix-signal/tasks/init.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-signal.service', 'matrix-mautrix-signal-daemon.service'] }}" - when: matrix_mautrix_signal_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_mautrix_signal_config_path }}/registration.yaml,dst=/matrix-mautrix-signal-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-mautrix-signal-registration.yaml"] - }} - when: matrix_mautrix_signal_enabled | bool diff --git a/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml index 54bdafcda..6b69be288 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml @@ -1,9 +1,5 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_mautrix_signal_enabled | bool" tags: diff --git a/roles/custom/matrix-bridge-mautrix-telegram/tasks/init.yml b/roles/custom/matrix-bridge-mautrix-telegram/tasks/init.yml index f828f7932..d292edc00 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/tasks/init.yml +++ b/roles/custom/matrix-bridge-mautrix-telegram/tasks/init.yml 
@@ -1,31 +1,4 @@ --- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the Mautrix-Telegram image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_telegram_container_image_self_build and matrix_mautrix_telegram_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-telegram.service'] }}" - when: matrix_mautrix_telegram_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_mautrix_telegram_config_path }}/registration.yaml,dst=/matrix-mautrix-telegram-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-mautrix-telegram-registration.yaml"] - }} - when: matrix_mautrix_telegram_enabled | bool - when: matrix_mautrix_telegram_enabled | bool and matrix_mautrix_telegram_appservice_public_enabled | bool tags: diff --git a/roles/custom/matrix-bridge-mautrix-twitter/tasks/init.yml b/roles/custom/matrix-bridge-mautrix-twitter/tasks/init.yml deleted file mode 100644 index 67f0a7dcf..000000000 --- a/roles/custom/matrix-bridge-mautrix-twitter/tasks/init.yml +++ /dev/null 
@@ -1,29 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-twitter.service'] }}" - when: matrix_mautrix_twitter_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_mautrix_twitter_config_path }}/registration.yaml,dst=/matrix-mautrix-twitter-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-mautrix-twitter-registration.yaml"] - }} - when: matrix_mautrix_twitter_enabled | bool - -# ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - ansible.builtin.fail: - msg: "To self build Mautrix Twitter image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_twitter_container_image_self_build" diff --git a/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml index 2f0c39b2a..08e840aa5 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml @@ -1,9 +1,5 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_mautrix_twitter_enabled | bool" tags: 
diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/init.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/init.yml deleted file mode 100644 index 7907c73d0..000000000 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/init.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-whatsapp.service'] }}" - when: matrix_mautrix_whatsapp_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_mautrix_whatsapp_config_path }}/registration.yaml,dst=/matrix-mautrix-whatsapp-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-mautrix-whatsapp-registration.yaml"] - }} - when: matrix_mautrix_whatsapp_enabled | bool diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml index 4df6fd23b..c5b3b153b 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml @@ -1,7 +1,4 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_mautrix_whatsapp_enabled | bool" diff --git a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/init.yml b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/init.yml deleted file mode 100644 index 9e2a937fe..000000000 --- a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/init.yml +++ /dev/null 
@@ -1,28 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the mx-puppet-discord image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_discord_container_image_self_build and matrix_mx_puppet_discord_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-discord.service'] }}" - when: matrix_mx_puppet_discord_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_mx_puppet_discord_config_path }}/registration.yaml,dst=/matrix-mx-puppet-discord-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-mx-puppet-discord-registration.yaml"] - }} - when: matrix_mx_puppet_discord_enabled | bool diff --git a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/main.yml index 281092e1a..c65a04e3b 100644 --- a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/main.yml @@ -1,9 +1,5 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_mx_puppet_discord_enabled | bool" tags: 
diff --git a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/init.yml b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/init.yml deleted file mode 100644 index 76d184dd1..000000000 --- a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/init.yml +++ /dev/null @@ -1,28 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the mx-puppet-groupme image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_groupme_container_image_self_build and matrix_mx_puppet_groupme_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-groupme.service'] }}" - when: matrix_mx_puppet_groupme_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_mx_puppet_groupme_config_path }}/registration.yaml,dst=/matrix-mx-puppet-groupme-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-mx-puppet-groupme-registration.yaml"] - }} - when: matrix_mx_puppet_groupme_enabled | bool diff --git a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/main.yml index 8cc557592..f6707d4e3 100644 --- a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/main.yml 
@@ -1,9 +1,5 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_mx_puppet_groupme_enabled | bool" tags: diff --git a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/init.yml b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/init.yml deleted file mode 100644 index 741c32c0f..000000000 --- a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/init.yml +++ /dev/null @@ -1,28 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the mx-puppet-instagram image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_instagram_container_image_self_build and matrix_mx_puppet_instagram_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-instagram.service'] }}" - when: matrix_mx_puppet_instagram_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_mx_puppet_instagram_config_path }}/registration.yaml,dst=/matrix-mx-puppet-instagram-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-mx-puppet-instagram-registration.yaml"] - }} - when: matrix_mx_puppet_instagram_enabled | bool 
diff --git a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/main.yml index 978577cc3..220fb46fc 100644 --- a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/main.yml @@ -1,9 +1,5 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_mx_puppet_instagram_enabled | bool" tags: diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/init.yml b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/init.yml index 9eff170ac..217c733dc 100644 --- a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/init.yml +++ b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/init.yml 
@@ -1,31 +1,4 @@ --- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the mx-puppet-slack image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_slack_container_image_self_build and matrix_mx_puppet_slack_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-slack.service'] }}" - when: matrix_mx_puppet_slack_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_mx_puppet_slack_config_path }}/registration.yaml,dst=/matrix-mx-puppet-slack-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-mx-puppet-slack-registration.yaml"] - }} - when: matrix_mx_puppet_slack_enabled | bool - when: matrix_mx_puppet_slack_enabled | bool tags: diff --git a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/init.yml b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/init.yml deleted file mode 100644 index 5f9a5a833..000000000 --- a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/init.yml +++ /dev/null 
@@ -1,28 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the mx-puppet-steam image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_steam_container_image_self_build and matrix_mx_puppet_steam_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-steam.service'] }}" - when: matrix_mx_puppet_steam_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_mx_puppet_steam_config_path }}/registration.yaml,dst=/matrix-mx-puppet-steam-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-mx-puppet-steam-registration.yaml"] - }} - when: matrix_mx_puppet_steam_enabled | bool diff --git a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/main.yml index 236a7009f..9feb22fb9 100644 --- a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/main.yml @@ -1,9 +1,5 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_mx_puppet_steam_enabled | bool" tags: 
diff --git a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/init.yml b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/init.yml index a58cd9ac6..4a0ea6733 100644 --- a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/init.yml +++ b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/init.yml @@ -1,31 +1,4 @@ --- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the mx-puppet-twitter image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_twitter_container_image_self_build and matrix_mx_puppet_twitter_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-twitter.service'] }}" - when: matrix_mx_puppet_twitter_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_mx_puppet_twitter_config_path }}/registration.yaml,dst=/matrix-mx-puppet-twitter-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-mx-puppet-twitter-registration.yaml"] - }} - when: matrix_mx_puppet_twitter_enabled | bool - when: matrix_mx_puppet_twitter_enabled | bool tags: diff --git a/roles/custom/matrix-bridge-sms/tasks/init.yml b/roles/custom/matrix-bridge-sms/tasks/init.yml deleted file mode 100644 index 3c044c152..000000000 --- a/roles/custom/matrix-bridge-sms/tasks/init.yml +++ /dev/null 
@@ -1,30 +0,0 @@ ---- - -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-sms-bridge role needs to execute before the matrix-synapse role. - when: "matrix_sms_bridge_enabled and matrix_synapse_role_executed | default(False)" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-sms-bridge.service'] }}" - when: matrix_sms_bridge_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_sms_bridge_config_path }}/registration.yaml,dst=/matrix-sms-bridge-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-sms-bridge-registration.yaml"] - }} - when: matrix_sms_bridge_enabled | bool diff --git a/roles/custom/matrix-bridge-sms/tasks/main.yml b/roles/custom/matrix-bridge-sms/tasks/main.yml index 1a6b964ba..4d4895c46 100644 --- a/roles/custom/matrix-bridge-sms/tasks/main.yml +++ b/roles/custom/matrix-bridge-sms/tasks/main.yml @@ -1,9 +1,5 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_sms_bridge_enabled | bool" tags: diff --git a/roles/custom/matrix-cactus-comments/tasks/init.yml b/roles/custom/matrix-cactus-comments/tasks/init.yml index 5067d0254..5e0941074 100644 --- a/roles/custom/matrix-cactus-comments/tasks/init.yml +++ b/roles/custom/matrix-cactus-comments/tasks/init.yml 
@@ -1,26 +1,5 @@ --- -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-cactus-comments.service'] }}" - when: matrix_cactus_comments_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_cactus_comments_app_service_config_file }},dst=/matrix-cactus-comments.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-cactus-comments.yaml"] - }} - when: matrix_cactus_comments_enabled | bool - - when: matrix_cactus_comments_enabled | bool and matrix_cactus_comments_serve_client_enabled | bool tags: - always diff --git a/roles/custom/matrix-client-cinny/tasks/init.yml b/roles/custom/matrix-client-cinny/tasks/init.yml deleted file mode 100644 index 00e46dc82..000000000 --- a/roles/custom/matrix-client-cinny/tasks/init.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the Cinny image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_cinny_container_image_self_build and matrix_client_cinny_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-cinny.service'] }}" - when: matrix_client_cinny_enabled | bool 
diff --git a/roles/custom/matrix-client-cinny/tasks/main.yml b/roles/custom/matrix-client-cinny/tasks/main.yml index 9eb007810..e0f1579cb 100644 --- a/roles/custom/matrix-client-cinny/tasks/main.yml +++ b/roles/custom/matrix-client-cinny/tasks/main.yml @@ -1,9 +1,5 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_client_cinny_enabled | bool" tags: diff --git a/roles/custom/matrix-client-element/tasks/init.yml b/roles/custom/matrix-client-element/tasks/init.yml deleted file mode 100644 index 7bdad9e1a..000000000 --- a/roles/custom/matrix-client-element/tasks/init.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-element.service'] }}" - when: matrix_client_element_enabled | bool - -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_element_container_image_self_build and matrix_client_element_enabled" diff --git a/roles/custom/matrix-client-element/tasks/main.yml b/roles/custom/matrix-client-element/tasks/main.yml index 53a25afb9..7dbe9ce82 100644 --- a/roles/custom/matrix-client-element/tasks/main.yml +++ b/roles/custom/matrix-client-element/tasks/main.yml 
@@ -1,9 +1,5 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_client_element_enabled | bool" tags: diff --git a/roles/custom/matrix-client-hydrogen/tasks/init.yml b/roles/custom/matrix-client-hydrogen/tasks/init.yml deleted file mode 100644 index 561018e1a..000000000 --- a/roles/custom/matrix-client-hydrogen/tasks/init.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the Hydrogen image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_hydrogen_container_image_self_build and matrix_client_hydrogen_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-hydrogen.service'] }}" - when: matrix_client_hydrogen_enabled | bool diff --git a/roles/custom/matrix-client-hydrogen/tasks/main.yml b/roles/custom/matrix-client-hydrogen/tasks/main.yml index 89133364e..3f5023937 100644 --- a/roles/custom/matrix-client-hydrogen/tasks/main.yml +++ b/roles/custom/matrix-client-hydrogen/tasks/main.yml @@ -1,9 +1,5 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_client_hydrogen_enabled | bool" tags: diff --git a/roles/custom/matrix-conduit/tasks/init.yml b/roles/custom/matrix-conduit/tasks/init.yml deleted file mode 100644 index 5f464e404..000000000 --- a/roles/custom/matrix-conduit/tasks/init.yml +++ /dev/null 
@@ -1,5 +0,0 @@
----
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-conduit.service'] }}"
- when: matrix_conduit_enabled | bool
diff --git a/roles/custom/matrix-conduit/tasks/main.yml b/roles/custom/matrix-conduit/tasks/main.yml
index 623d04582..94e50103c 100644
--- a/roles/custom/matrix-conduit/tasks/main.yml
+++ b/roles/custom/matrix-conduit/tasks/main.yml
@@ -1,9 +1,5 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/conduit/setup.yml" when: run_setup | bool tags:
diff --git a/roles/custom/matrix-corporal/tasks/init.yml b/roles/custom/matrix-corporal/tasks/init.yml
deleted file mode 100644
index dffdbe908..000000000
--- a/roles/custom/matrix-corporal/tasks/init.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
-# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
-- name: Fail if trying to self-build on Ansible < 2.8
- ansible.builtin.fail:
- msg: "To self-build the Matrix Corporal image, you should use Ansible 2.8 or higher. See docs/ansible.md"
- when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_corporal_container_image_self_build and matrix_corporal_enabled"
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal.service'] }}"
- when: matrix_corporal_enabled | bool
diff --git a/roles/custom/matrix-corporal/tasks/main.yml b/roles/custom/matrix-corporal/tasks/main.yml
index 1699262b1..1021518c7 100644
--- a/roles/custom/matrix-corporal/tasks/main.yml
+++ b/roles/custom/matrix-corporal/tasks/main.yml
@@ -1,9 +1,5 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_corporal_enabled | bool" tags:
diff --git a/roles/custom/matrix-coturn/tasks/init.yml b/roles/custom/matrix-coturn/tasks/init.yml
deleted file mode 100644
index 315dfb656..000000000
--- a/roles/custom/matrix-coturn/tasks/init.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
-# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
-- name: Fail if trying to self-build on Ansible < 2.8
- ansible.builtin.fail:
- msg: "To self-build the coturn image, you should use Ansible 2.8 or higher. See docs/ansible.md"
- when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_coturn_container_image_self_build and matrix_coturn_enabled"
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn.service'] }}"
- when: matrix_coturn_enabled | bool
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn-reload.timer'] }}"
- when: "matrix_coturn_enabled | bool and matrix_coturn_tls_enabled | bool"
diff --git a/roles/custom/matrix-coturn/tasks/main.yml b/roles/custom/matrix-coturn/tasks/main.yml
index 78f712f01..f2fc66d53 100644
--- a/roles/custom/matrix-coturn/tasks/main.yml
+++ b/roles/custom/matrix-coturn/tasks/main.yml
@@ -1,9 +1,5 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_coturn_enabled | bool" tags:
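Review bot: The per-unit conditions on the registrations removed in this role have no visible counterpart in the diff: `matrix-coturn-reload.timer` was only added to `matrix_systemd_services_list` under `matrix_coturn_enabled | bool and matrix_coturn_tls_enabled | bool`, the nginx-proxy renewal units in `roles/custom/matrix-nginx-proxy/tasks/init.yml` were added per item under `item.applicable | bool and item.enableable | bool`, and `matrix-synapse-s3-storage-provider-migrate.timer` in `roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/init.yml` only when that extension was enabled. Wherever the list is now assembled, those conditions need to survive, otherwise a timer is either enabled on a host where its unit file is never installed, or a previously enabled renewal/migration timer keeps running unmanaged after the feature is switched off. It would be worth checking that a run with `matrix_coturn_tls_enabled` false leaves no stale `matrix-coturn-reload.timer` enabled, and that the redis entry keeps its existing spelling (the deleted file registered `'matrix-redis'` without a `.service` suffix, which the replacement presumably has to match or deliberately fix).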
diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml
index f83085341..a60c33d26 100644
--- a/roles/custom/matrix-dendrite/defaults/main.yml
+++ b/roles/custom/matrix-dendrite/defaults/main.yml
@@ -46,15 +46,15 @@ matrix_dendrite_container_https_host_bind_address: "" # Also see `matrix_dendrite_container_arguments` matrix_dendrite_container_extra_arguments: [] -# matrix_dendrite_container_runtime_injected_arguments is a list of extra arguments to pass to the container. -# This list is built during runtime. You're not meant to override this variable. +# matrix_dendrite_container_extra_arguments_auto is a list of extra arguments to pass to the container. +# This list is managed by the playbook. You're not meant to override this variable. # If you'd like to inject your own arguments, see `matrix_dendrite_container_extra_arguments`. -matrix_dendrite_container_runtime_injected_arguments: [] +matrix_dendrite_container_extra_arguments_auto: [] # matrix_dendrite_container_arguments holds the final list of extra arguments to pass to the container. # You're not meant to override this variable. # If you'd like to inject your own arguments, see `matrix_dendrite_container_extra_arguments`. -matrix_dendrite_container_arguments: "{{ matrix_dendrite_container_extra_arguments + matrix_dendrite_container_runtime_injected_arguments }}" +matrix_dendrite_container_arguments: "{{ matrix_dendrite_container_extra_arguments + matrix_dendrite_container_extra_arguments_auto }}" # A list of extra arguments to pass to the container process (`dendrite-monolith` command) # Example:
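Review bot: The rename of `matrix_dendrite_container_runtime_injected_arguments` to `matrix_dendrite_container_extra_arguments_auto` (and of the appservice list in the next hunk, plus the Synapse equivalents in `roles/custom/matrix-synapse/defaults/main.yml`) comes with no guard for the old name. A role or inventory that still appends to the old variable now contributes nothing, and since the `_auto` appservice list is what ends up in `matrix_dendrite_app_service_config_files_final`, a missed call site would silently drop a bridge's appservice registration from the container instead of failing. A validation task that fails when the old variable is present would turn that into a loud error, e.g. `when: "'matrix_dendrite_container_runtime_injected_arguments' in vars"` with a message naming the new variable; I cannot see from this diff whether such a check was added elsewhere.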
@@ -118,15 +118,15 @@ matrix_dendrite_container_additional_volumes: [] # Also see `matrix_dendrite_app_service_config_files_final` matrix_dendrite_app_service_config_files: [] -# matrix_dendrite_app_service_runtime_injected_config_files is a list of appservice config files. -# This list is built during runtime. You're not meant to override this variable. +# matrix_dendrite_app_service_config_files_auto is a list of appservice config files. +# This list is managed by the playbook. You're not meant to override this variable. # If you'd like to inject your own arguments, see `matrix_dendrite_app_service_config_files`. -matrix_dendrite_app_service_runtime_injected_config_files: [] +matrix_dendrite_app_service_config_files_auto: [] # matrix_dendrite_app_service_config_files_final holds the final list of config files to pass to the container. # You're not meant to override this variable. # If you'd like to inject your own arguments, see `matrix_dendrite_app_service_config_files`. -matrix_dendrite_app_service_config_files_final: "{{ matrix_dendrite_app_service_config_files + matrix_dendrite_app_service_runtime_injected_config_files }}" +matrix_dendrite_app_service_config_files_final: "{{ matrix_dendrite_app_service_config_files + matrix_dendrite_app_service_config_files_auto }}" # Enable exposure of metrics matrix_dendrite_metrics_enabled: false
diff --git a/roles/custom/matrix-dendrite/tasks/init.yml b/roles/custom/matrix-dendrite/tasks/init.yml
deleted file mode 100644
index 4ce641e9d..000000000
--- a/roles/custom/matrix-dendrite/tasks/init.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dendrite.service'] }}"
- when: matrix_dendrite_enabled | bool
diff --git a/roles/custom/matrix-dendrite/tasks/main.yml b/roles/custom/matrix-dendrite/tasks/main.yml
index d14beb154..639ad6e28 100644
--- a/roles/custom/matrix-dendrite/tasks/main.yml
+++ b/roles/custom/matrix-dendrite/tasks/main.yml
@@ -1,9 +1,5 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: run_setup | bool tags:
diff --git a/roles/custom/matrix-dimension/tasks/init.yml b/roles/custom/matrix-dimension/tasks/init.yml
deleted file mode 100644
index c60a2fe2e..000000000
--- a/roles/custom/matrix-dimension/tasks/init.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dimension.service'] }}"
- when: matrix_dimension_enabled | bool
diff --git a/roles/custom/matrix-dimension/tasks/main.yml b/roles/custom/matrix-dimension/tasks/main.yml
index 6eef50d65..38f780e93 100644
--- a/roles/custom/matrix-dimension/tasks/main.yml
+++ b/roles/custom/matrix-dimension/tasks/main.yml
@@ -1,9 +1,5 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: run_setup | bool tags:
diff --git a/roles/custom/matrix-dynamic-dns/tasks/init.yml b/roles/custom/matrix-dynamic-dns/tasks/init.yml
deleted file mode 100644
index 9c906441f..000000000
--- a/roles/custom/matrix-dynamic-dns/tasks/init.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
-# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
-- name: Fail if trying to self-build on Ansible < 2.8
- ansible.builtin.fail:
- msg: "To self-build the Dynamic DNS image, you should use Ansible 2.8 or higher. See docs/ansible.md"
- when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_dynamic_dns_container_image_self_build and matrix_dynamic_dns_enabled"
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dynamic-dns.service'] }}"
- when: "matrix_dynamic_dns_enabled | bool"
diff --git a/roles/custom/matrix-dynamic-dns/tasks/main.yml b/roles/custom/matrix-dynamic-dns/tasks/main.yml
index 2f33af86e..bec7785c9 100644
--- a/roles/custom/matrix-dynamic-dns/tasks/main.yml
+++ b/roles/custom/matrix-dynamic-dns/tasks/main.yml
@@ -1,9 +1,5 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_dynamic_dns_enabled | bool" tags:
diff --git a/roles/custom/matrix-email2matrix/tasks/init.yml b/roles/custom/matrix-email2matrix/tasks/init.yml
deleted file mode 100644
index 02dbc9ee3..000000000
--- a/roles/custom/matrix-email2matrix/tasks/init.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-email2matrix.service'] }}"
- when: matrix_email2matrix_enabled | bool
diff --git a/roles/custom/matrix-email2matrix/tasks/main.yml b/roles/custom/matrix-email2matrix/tasks/main.yml
index 3adbc6466..4339b4db3 100644
--- a/roles/custom/matrix-email2matrix/tasks/main.yml
+++ b/roles/custom/matrix-email2matrix/tasks/main.yml
@@ -1,9 +1,5 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_email2matrix_enabled | bool" tags:
diff --git a/roles/custom/matrix-etherpad/tasks/init.yml b/roles/custom/matrix-etherpad/tasks/init.yml
index d35ed375e..159dbe879 100644
--- a/roles/custom/matrix-etherpad/tasks/init.yml
+++ b/roles/custom/matrix-etherpad/tasks/init.yml
@@ -1,9 +1,5 @@ --- -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-etherpad.service'] }}" - when: matrix_etherpad_enabled | bool - - when: matrix_etherpad_enabled | bool and matrix_etherpad_mode == 'dimension' tags: - always
diff --git a/roles/custom/matrix-grafana/tasks/init.yml b/roles/custom/matrix-grafana/tasks/init.yml
deleted file mode 100644
index 7b363ee77..000000000
--- a/roles/custom/matrix-grafana/tasks/init.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-grafana.service'] }}"
- when: matrix_grafana_enabled | bool
diff --git a/roles/custom/matrix-grafana/tasks/main.yml b/roles/custom/matrix-grafana/tasks/main.yml
index 34a3f415b..573f792f6 100644
--- a/roles/custom/matrix-grafana/tasks/main.yml
+++ b/roles/custom/matrix-grafana/tasks/main.yml
@@ -1,9 +1,5 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_grafana_enabled | bool" tags:
diff --git a/roles/custom/matrix-jitsi/tasks/init.yml b/roles/custom/matrix-jitsi/tasks/init.yml
deleted file mode 100644
index 8606c4b3e..000000000
--- a/roles/custom/matrix-jitsi/tasks/init.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-jitsi-web.service', 'matrix-jitsi-prosody.service', 'matrix-jitsi-jicofo.service', 'matrix-jitsi-jvb.service'] }}"
- when: matrix_jitsi_enabled | bool
-
-- name: Fail if on an unsupported architecture
- ansible.builtin.fail:
- msg: "Jitsi only supports the amd64 architecture right now. See https://github.com/jitsi/docker-jitsi-meet/issues/1069 and https://github.com/jitsi/docker-jitsi-meet/issues/1214"
- when: matrix_jitsi_enabled | bool and matrix_architecture not in ['amd64', 'arm64']
diff --git a/roles/custom/matrix-jitsi/tasks/main.yml b/roles/custom/matrix-jitsi/tasks/main.yml
index be96d944d..9aac5eae8 100644
--- a/roles/custom/matrix-jitsi/tasks/main.yml
+++ b/roles/custom/matrix-jitsi/tasks/main.yml
@@ -1,9 +1,5 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/init_additional_jvb.yml" tags: - setup-additional-jitsi-jvb
diff --git a/roles/custom/matrix-jitsi/tasks/validate_config.yml b/roles/custom/matrix-jitsi/tasks/validate_config.yml
index df87b7589..258b4864c 100644
--- a/roles/custom/matrix-jitsi/tasks/validate_config.yml
+++ b/roles/custom/matrix-jitsi/tasks/validate_config.yml
@@ -1,5 +1,10 @@ --- +- name: Fail if on an unsupported architecture + ansible.builtin.fail: + msg: "Jitsi only supports the amd64 architecture right now. See https://github.com/jitsi/docker-jitsi-meet/issues/1069 and https://github.com/jitsi/docker-jitsi-meet/issues/1214" + when: matrix_jitsi_enabled | bool and matrix_architecture not in ['amd64', 'arm64'] + - name: Fail if required Jitsi settings not defined ansible.builtin.fail: msg: >-
diff --git a/roles/custom/matrix-ldap-registration-proxy/tasks/init.yml b/roles/custom/matrix-ldap-registration-proxy/tasks/init.yml
index 406236095..f035e6579 100644
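Review bot: The `msg` of the architecture check added to `roles/custom/matrix-jitsi/tasks/validate_config.yml` still says Jitsi only supports amd64, while the `when` directly below it accepts both `amd64` and `arm64`, so an operator on an unsupported architecture is told something the condition contradicts. Since the task is being moved anyway, the text should match the condition: `msg: "Jitsi only supports the amd64 and arm64 architectures right now. See https://github.com/jitsi/docker-jitsi-meet/issues/1069 and https://github.com/jitsi/docker-jitsi-meet/issues/1214"`. Note also that in init.yml this check ran under the role's `always` tag, whereas validate_config.yml is presumably only imported under the setup condition in main.yml; that narrowing looks intentional but is worth a mention in the commit message.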
--- a/roles/custom/matrix-ldap-registration-proxy/tasks/init.yml
+++ b/roles/custom/matrix-ldap-registration-proxy/tasks/init.yml
@@ -1,14 +1,4 @@ --- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the matrix_ldap_registration_proxy image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ldap_registration_proxy_container_image_self_build and matrix_ldap_registration_proxy_enabled | bool" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ldap-registration-proxy.service'] }}" - when: matrix_ldap_registration_proxy_enabled | bool - when: matrix_ldap_registration_proxy_enabled | bool tags:
diff --git a/roles/custom/matrix-ma1sd/tasks/init.yml b/roles/custom/matrix-ma1sd/tasks/init.yml
deleted file mode 100644
index 48226aa07..000000000
--- a/roles/custom/matrix-ma1sd/tasks/init.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
-# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
-- name: Fail if trying to self-build on Ansible < 2.8
- ansible.builtin.fail:
- msg: "To self-build the ma1sd image, you should use Ansible 2.8 or higher. See docs/ansible.md"
- when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ma1sd_container_image_self_build and matrix_ma1sd_enabled | bool"
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ma1sd.service'] }}"
- when: matrix_ma1sd_enabled | bool
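Review bot: The `Fail if trying to self-build on Ansible < 2.8` guard is removed from this role's init.yml with no replacement visible in the diff, and the same removal appears in `roles/custom/matrix-registration/tasks/init.yml`, `roles/custom/matrix-synapse-admin/tasks/init.yml`, `roles/custom/matrix-synapse/tasks/init.yml` and the deleted init.yml files. If the playbook now enforces a minimum Ansible version in one central place, a sentence in the commit message naming it would save the next reader a search; if it does not, a self-build on an older Ansible now fails later and less clearly than the explicit `ansible.builtin.fail` did. The `docs/ansible.md` reference the removed messages pointed at should still state whatever the current requirement is.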
diff --git a/roles/custom/matrix-ma1sd/tasks/main.yml b/roles/custom/matrix-ma1sd/tasks/main.yml
index f55e7891c..add76bb2d 100644
--- a/roles/custom/matrix-ma1sd/tasks/main.yml
+++ b/roles/custom/matrix-ma1sd/tasks/main.yml
@@ -1,9 +1,5 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_ma1sd_enabled | bool" tags:
diff --git a/roles/custom/matrix-mailer/tasks/init.yml b/roles/custom/matrix-mailer/tasks/init.yml
deleted file mode 100644
index 487ed0c9c..000000000
--- a/roles/custom/matrix-mailer/tasks/init.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
-# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
-- name: Fail if trying to self-build on Ansible < 2.8
- ansible.builtin.fail:
- msg: "To self-build the Matrix Mailer image, you should use Ansible 2.8 or higher. See docs/ansible.md"
- when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mailer_container_image_self_build and matrix_mailer_enabled"
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mailer.service'] }}"
- when: matrix_mailer_enabled | bool
diff --git a/roles/custom/matrix-mailer/tasks/main.yml b/roles/custom/matrix-mailer/tasks/main.yml
index e49ff26d6..cf9123bf3 100644
--- a/roles/custom/matrix-mailer/tasks/main.yml
+++ b/roles/custom/matrix-mailer/tasks/main.yml
@@ -1,9 +1,5 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_mailer.yml" when: run_setup | bool tags:
diff --git a/roles/custom/matrix-nginx-proxy/tasks/init.yml b/roles/custom/matrix-nginx-proxy/tasks/init.yml
deleted file mode 100644
index eb4249cb8..000000000
--- a/roles/custom/matrix-nginx-proxy/tasks/init.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-nginx-proxy.service'] }}"
- when: matrix_nginx_proxy_enabled | bool
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + [item.name] }}"
- when: "item.applicable | bool and item.enableable | bool"
- with_items: "{{ matrix_ssl_renewal_systemd_units_list }}"
diff --git a/roles/custom/matrix-nginx-proxy/tasks/main.yml b/roles/custom/matrix-nginx-proxy/tasks/main.yml
index 9c34d1f56..168608daa 100644
--- a/roles/custom/matrix-nginx-proxy/tasks/main.yml
+++ b/roles/custom/matrix-nginx-proxy/tasks/main.yml
@@ -1,7 +1,4 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always # Always validating the configuration, even if `matrix_nginx_proxy: false`. # This role performs actions even if the role is disabled, so we need
diff --git a/roles/custom/matrix-ntfy/tasks/init.yml b/roles/custom/matrix-ntfy/tasks/init.yml
deleted file mode 100644
index 6222ada0c..000000000
--- a/roles/custom/matrix-ntfy/tasks/init.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ntfy.service'] }}"
- when: matrix_ntfy_enabled | bool
diff --git a/roles/custom/matrix-ntfy/tasks/main.yml b/roles/custom/matrix-ntfy/tasks/main.yml
index 200d38c4a..8a4acd7ce 100644
--- a/roles/custom/matrix-ntfy/tasks/main.yml
+++ b/roles/custom/matrix-ntfy/tasks/main.yml
@@ -1,9 +1,5 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" when: "run_setup | bool and matrix_ntfy_enabled | bool" tags:
diff --git a/roles/custom/matrix-postgres-backup/tasks/init.yml b/roles/custom/matrix-postgres-backup/tasks/init.yml
deleted file mode 100644
index 5ece870a4..000000000
--- a/roles/custom/matrix-postgres-backup/tasks/init.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-postgres-backup.service'] }}"
- when: matrix_postgres_backup_enabled | bool
diff --git a/roles/custom/matrix-postgres-backup/tasks/main.yml b/roles/custom/matrix-postgres-backup/tasks/main.yml
index 1403fa5b2..4fef6f459 100644
--- a/roles/custom/matrix-postgres-backup/tasks/main.yml
+++ b/roles/custom/matrix-postgres-backup/tasks/main.yml
@@ -1,9 +1,5 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_postgres_backup_enabled | bool" tags:
diff --git a/roles/custom/matrix-postgres/tasks/init.yml b/roles/custom/matrix-postgres/tasks/init.yml
deleted file mode 100644
index 659380f10..000000000
--- a/roles/custom/matrix-postgres/tasks/init.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-postgres.service'] }}"
- when: matrix_postgres_enabled | bool
diff --git a/roles/custom/matrix-postgres/tasks/main.yml b/roles/custom/matrix-postgres/tasks/main.yml
index 8e21b3c63..c282b3827 100644
--- a/roles/custom/matrix-postgres/tasks/main.yml
+++ b/roles/custom/matrix-postgres/tasks/main.yml
@@ -1,9 +1,5 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_postgres_enabled | bool" tags:
diff --git a/roles/custom/matrix-prometheus-node-exporter/tasks/init.yml b/roles/custom/matrix-prometheus-node-exporter/tasks/init.yml
index 460ab1373..eda1b755d 100644
--- a/roles/custom/matrix-prometheus-node-exporter/tasks/init.yml
+++ b/roles/custom/matrix-prometheus-node-exporter/tasks/init.yml
@@ -1,9 +1,5 @@ --- -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-prometheus-node-exporter.service'] }}" - when: matrix_prometheus_node_exporter_enabled | bool - - when: matrix_prometheus_node_exporter_enabled | bool and matrix_prometheus_node_exporter_metrics_proxying_enabled | bool block: - name: Fail if matrix-nginx-proxy role already executed
diff --git a/roles/custom/matrix-prometheus-postgres-exporter/tasks/init.yml b/roles/custom/matrix-prometheus-postgres-exporter/tasks/init.yml
index 20333dce6..d409e2dd1 100644
--- a/roles/custom/matrix-prometheus-postgres-exporter/tasks/init.yml
+++ b/roles/custom/matrix-prometheus-postgres-exporter/tasks/init.yml
@@ -1,9 +1,5 @@ --- -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-prometheus-postgres-exporter.service'] }}" - when: matrix_prometheus_postgres_exporter_enabled | bool - - when: matrix_prometheus_node_exporter_enabled | bool and matrix_prometheus_node_exporter_metrics_proxying_enabled | bool block: - name: Fail if matrix-nginx-proxy role already executed
diff --git a/roles/custom/matrix-prometheus/tasks/init.yml b/roles/custom/matrix-prometheus/tasks/init.yml
deleted file mode 100644
index 298536730..000000000
--- a/roles/custom/matrix-prometheus/tasks/init.yml
+++ /dev/null
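Review bot: The block that remains in `roles/custom/matrix-prometheus-postgres-exporter/tasks/init.yml` is gated on `matrix_prometheus_node_exporter_enabled | bool and matrix_prometheus_node_exporter_metrics_proxying_enabled | bool`, i.e. the node-exporter's flags, while the task removed just above it used the role's own `matrix_prometheus_postgres_exporter_enabled | bool`; this reads as a copy-paste from the node-exporter role rather than intent. The consequence is that the postgres-exporter's "Fail if matrix-nginx-proxy role already executed" ordering check (and whatever follows in the block, which continues outside the hunk) runs or is skipped based on an unrelated role's settings, so a misordered run with only the postgres exporter proxied would not be caught. Since the file is being edited anyway, the `when` should reference the postgres-exporter's own enabled and metrics-proxying variables.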
@@ -1,5 +0,0 @@
----
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-prometheus.service'] }}"
- when: matrix_prometheus_enabled | bool
diff --git a/roles/custom/matrix-prometheus/tasks/main.yml b/roles/custom/matrix-prometheus/tasks/main.yml
index 1a5a37089..61cd86dbc 100644
--- a/roles/custom/matrix-prometheus/tasks/main.yml
+++ b/roles/custom/matrix-prometheus/tasks/main.yml
@@ -1,9 +1,5 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_prometheus_enabled | bool" tags:
diff --git a/roles/custom/matrix-redis/tasks/init.yml b/roles/custom/matrix-redis/tasks/init.yml
deleted file mode 100644
index 00154b336..000000000
--- a/roles/custom/matrix-redis/tasks/init.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-redis'] }}"
- when: matrix_redis_enabled | bool
diff --git a/roles/custom/matrix-redis/tasks/main.yml b/roles/custom/matrix-redis/tasks/main.yml
index 1bcac7d6a..51b3e12cc 100644
--- a/roles/custom/matrix-redis/tasks/main.yml
+++ b/roles/custom/matrix-redis/tasks/main.yml
@@ -1,9 +1,5 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_redis.yml" when: run_setup | bool tags:
diff --git a/roles/custom/matrix-registration/tasks/init.yml b/roles/custom/matrix-registration/tasks/init.yml
index 2b43dffdf..a295cdfbe 100644
--- a/roles/custom/matrix-registration/tasks/init.yml
+++ b/roles/custom/matrix-registration/tasks/init.yml
@@ -1,14 +1,4 @@ --- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the Matrix Registration image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_registration_container_image_self_build and matrix_registration_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-registration.service'] }}" - when: matrix_registration_enabled | bool - when: matrix_registration_enabled | bool tags:
diff --git a/roles/custom/matrix-sygnal/tasks/init.yml b/roles/custom/matrix-sygnal/tasks/init.yml
deleted file mode 100644
index dae7a299c..000000000
--- a/roles/custom/matrix-sygnal/tasks/init.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-sygnal.service'] }}"
- when: matrix_sygnal_enabled | bool
diff --git a/roles/custom/matrix-sygnal/tasks/main.yml b/roles/custom/matrix-sygnal/tasks/main.yml
index b001bb825..fb25feed8 100644
--- a/roles/custom/matrix-sygnal/tasks/main.yml
+++ b/roles/custom/matrix-sygnal/tasks/main.yml
@@ -1,9 +1,5 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: run_setup | bool tags:
diff --git a/roles/custom/matrix-synapse-admin/tasks/init.yml b/roles/custom/matrix-synapse-admin/tasks/init.yml
index c2b2d05f2..78ebbdecb 100644
--- a/roles/custom/matrix-synapse-admin/tasks/init.yml
+++ b/roles/custom/matrix-synapse-admin/tasks/init.yml
@@ -1,14 +1,4 @@ --- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the Synapse Admin image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_admin_container_image_self_build and matrix_synapse_admin_enabled" - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse-admin.service'] }}" - when: matrix_synapse_admin_enabled | bool - when: matrix_synapse_admin_enabled | bool tags:
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/init.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/init.yml
deleted file mode 100644
index b10eca53c..000000000
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/init.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-
-- ansible.builtin.set_fact:
- matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse-reverse-proxy-companion.service'] }}"
- when: matrix_synapse_reverse_proxy_companion_enabled | bool
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml
index f8b6660be..65b2c0195 100644
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml
@@ -1,9 +1,5 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" when: run_setup | bool and matrix_synapse_reverse_proxy_companion_enabled | bool tags:
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_install.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_install.yml
index ca263b6d4..83c1e5e3c 100644
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_install.yml
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_install.yml
@@ -1,6 +1,6 @@ --- -- name: Ensure mtrix-synapse-reverse-proxy-companion paths exist +- name: Ensure matrix-synapse-reverse-proxy-companion paths exist ansible.builtin.file: path: "{{ item }}" state: directory
diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml
index c6bf31fd2..f52f414b0 100644
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -101,15 +101,15 @@ matrix_synapse_container_manhole_api_host_bind_port: '' # Also see `matrix_synapse_container_arguments` matrix_synapse_container_extra_arguments: [] -# matrix_synapse_container_runtime_injected_arguments is a list of extra arguments to pass to the container. -# This list is built during runtime. You're not meant to override this variable. +# matrix_synapse_container_extra_arguments_auto is a list of extra arguments to pass to the container. +# This list is managed by the playbook. You're not meant to override this variable. # If you'd like to inject your own arguments, see `matrix_synapse_container_extra_arguments`. -matrix_synapse_container_runtime_injected_arguments: [] +matrix_synapse_container_extra_arguments_auto: [] # matrix_synapse_container_arguments holds the final list of extra arguments to pass to the container. # You're not meant to override this variable. # If you'd like to inject your own arguments, see `matrix_synapse_container_extra_arguments`. -matrix_synapse_container_arguments: "{{ matrix_synapse_container_extra_arguments + matrix_synapse_container_runtime_injected_arguments }}" +matrix_synapse_container_arguments: "{{ matrix_synapse_container_extra_arguments + matrix_synapse_container_extra_arguments_auto }}" # List of systemd services that matrix-synapse.service depends on matrix_synapse_systemd_required_services_list: ['docker.service'] 
@@ -371,15 +371,15 @@ matrix_synapse_additional_loggers: [] # Also see `matrix_synapse_app_service_config_files_final` matrix_synapse_app_service_config_files: [] -# matrix_synapse_app_service_runtime_injected_config_files is a list of appservice config files. -# This list is built during runtime. You're not meant to override this variable. +# matrix_synapse_app_service_config_files_auto is a list of appservice config files. +# This list is managed by the playbook. You're not meant to override this variable. # If you'd like to inject your own arguments, see `matrix_synapse_app_service_config_files`. -matrix_synapse_app_service_runtime_injected_config_files: [] +matrix_synapse_app_service_config_files_auto: [] # matrix_synapse_app_service_config_files_final holds the final list of config files to pass to the container. # You're not meant to override this variable. # If you'd like to inject your own arguments, see `matrix_synapse_app_service_config_files`. -matrix_synapse_app_service_config_files_final: "{{ matrix_synapse_app_service_config_files + matrix_synapse_app_service_runtime_injected_config_files }}" +matrix_synapse_app_service_config_files_final: "{{ matrix_synapse_app_service_config_files + matrix_synapse_app_service_config_files_auto }}" # This is set dynamically during execution depending on whether # any password providers have been enabled or not. diff --git a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/init.yml b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/init.yml deleted file mode 100644 index 008161cb1..000000000 --- a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/init.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse-s3-storage-provider-migrate.timer'] }}" - when: matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool 
diff --git a/roles/custom/matrix-synapse/tasks/init.yml b/roles/custom/matrix-synapse/tasks/init.yml index 9146936a0..635ef8f2c 100644 --- a/roles/custom/matrix-synapse/tasks/init.yml +++ b/roles/custom/matrix-synapse/tasks/init.yml @@ -1,20 +1,10 @@ --- -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - ansible.builtin.fail: - msg: "To self-build the Synapse image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_container_image_self_build and matrix_synapse_enabled" # Unless `matrix_synapse_workers_enabled_list` is explicitly defined, # we'll generate it dynamically. - ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/workers/init.yml" when: "matrix_synapse_enabled and matrix_synapse_workers_enabled and matrix_synapse_workers_enabled_list | length == 0" -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse.service'] }}" - when: matrix_synapse_enabled | bool - - name: Ensure workers are injected into various places ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/workers/util/inject_worker.yml" with_items: "{{ matrix_synapse_workers_enabled_list }}" 
@@ -22,13 +12,6 @@ loop_var: matrix_synapse_worker_details when: matrix_synapse_enabled | bool and matrix_synapse_workers_enabled | bool -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-goofys.service'] }}" - when: matrix_s3_media_store_enabled | bool - -- ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/init.yml" - when: matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool - - when: matrix_synapse_enabled | bool and matrix_synapse_metrics_proxying_enabled | bool block: - name: Fail if matrix-nginx-proxy role already executed From 360e643f840108f123d0e384f16f699bc9fc33a5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 23 Nov 2022 08:43:46 +0200 Subject: [PATCH 049/915] Add service priorities - try to stop/start them in an optimal order --- group_vars/matrix_servers | 154 ++++++++++-------- roles/custom/matrix-base/defaults/main.yml | 23 ++- .../matrix-common-after/tasks/start.yml | 18 +- .../custom/matrix-common-after/tasks/stop.yml | 4 +- .../tasks/init_additional_jvb.yml | 2 +- roles/custom/matrix-nginx-proxy/vars/main.yml | 4 + .../tasks/synapse/workers/setup_install.yml | 2 +- .../synapse/workers/util/inject_worker.yml | 2 +- 8 files changed, 123 insertions(+), 86 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index d51f20d4f..ccd7d5d91 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -22,139 +22,159 @@ matrix_playbook_docker_installation_enabled: true # This list is not exhaustive and final. # Synapse workers are still injected into the list at runtime. # Additional JVB workers (playbooks/jitsi_jvb.yml -- roles/custom/matrix-jitsi/tasks/init_additional_jvb.yml) override this variable at runtime as well. -matrix_systemd_services_list: | +# +# Priority levels are like this: +# - core services (the homeserver) get a level of ~1000 +# - services that core services depend on (database, Redis, ntfy, etc.) get a lower level - between 500 and 1000 +# - reverse-proxying services get level 3000 +# - Matrix utility services (bridges, bots) get a level of 2000/2200, so that: +# - they can start before the reverse-proxy +# - so that, when the reverse-proxy is up (Matrix is up), all bots and bridges can be interacted with +# - monitoring services (Prometheus, Grafana, ..) get a level of 4000 - they can start later than all-of-Matrix +# - services which aren't time-sensitive (various crons and timers) get a level of 5000 - they can start later than all-of-Matrix +matrix_systemd_services_list_auto: | {{ - (['matrix-backup-borg.timer'] if matrix_backup_borg_enabled else []) + ([{'name': 'matrix-backup-borg.timer', 'priority': 5000}] if matrix_backup_borg_enabled else []) + - (['matrix-bot-buscarron.service'] if matrix_bot_buscarron_enabled else []) + ([{'name': 'matrix-bot-buscarron.service', 'priority': 2200}] if matrix_bot_buscarron_enabled else []) + - (['matrix-bot-go-neb.service'] if matrix_bot_go_neb_enabled else []) + ([{'name': 'matrix-bot-go-neb.service', 'priority': 2200}] if matrix_bot_go_neb_enabled else []) + - (['matrix-bot-honoroit.service'] if matrix_bot_honoroit_enabled else []) + ([{'name': 'matrix-bot-honoroit.service', 'priority': 2200}] if matrix_bot_honoroit_enabled else []) + - (['matrix-bot-matrix-registration-bot.service'] if matrix_bot_matrix_registration_bot_enabled else []) + ([{'name': 
'matrix-bot-matrix-registration-bot.service', 'priority': 2200}] if matrix_bot_matrix_registration_bot_enabled else []) + - (['matrix-bot-matrix-reminder-bot.service'] if matrix_bot_matrix_reminder_bot_enabled else []) + ([{'name': 'matrix-bot-matrix-reminder-bot.service', 'priority': 2200}] if matrix_bot_matrix_reminder_bot_enabled else []) + - (['matrix-bot-maubot.service'] if matrix_bot_maubot_enabled else []) + ([{'name': 'matrix-bot-maubot.service', 'priority': 2200}] if matrix_bot_maubot_enabled else []) + - (['matrix-bot-mjolnir.service'] if matrix_bot_mjolnir_enabled else []) + ([{'name': 'matrix-bot-mjolnir.service', 'priority': 2200}] if matrix_bot_mjolnir_enabled else []) + - (['matrix-bot-postmoogle.service'] if matrix_bot_postmoogle_enabled else []) + ([{'name': 'matrix-bot-postmoogle.service', 'priority': 2200}] if matrix_bot_postmoogle_enabled else []) + - (['matrix-appservice-discord.service'] if matrix_appservice_discord_enabled else []) + ([{'name': 'matrix-appservice-discord.service', 'priority': 2000}] if matrix_appservice_discord_enabled else []) + - (['matrix-appservice-irc.service'] if matrix_appservice_irc_enabled else []) + ([{'name': 'matrix-appservice-irc.service', 'priority': 2000}] if matrix_appservice_irc_enabled else []) + - (['matrix-appservice-kakaotalk.service', 'matrix-appservice-kakaotalk-node.service'] if matrix_appservice_kakaotalk_enabled else []) + ([{'name': 'matrix-appservice-kakaotalk.service', 'priority': 2000}] if matrix_appservice_kakaotalk_enabled else []) + - (['matrix-appservice-slack.service'] if matrix_appservice_slack_enabled else []) + ([{'name': 'matrix-appservice-kakaotalk-node.service', 'priority': 1900}] if matrix_appservice_kakaotalk_enabled else []) + - (['matrix-appservice-webhooks.service'] if matrix_appservice_webhooks_enabled else []) + ([{'name': 'matrix-appservice-slack.service', 'priority': 2000}] if matrix_appservice_slack_enabled else []) + - (['matrix-beeper-linkedin.service'] if 
matrix_beeper_linkedin_enabled else []) + ([{'name': 'matrix-appservice-webhooks.service', 'priority': 2000}] if matrix_appservice_webhooks_enabled else []) + - (['matrix-go-skype-bridge.service'] if matrix_go_skype_bridge_enabled else []) + ([{'name': 'matrix-beeper-linkedin.service', 'priority': 2000}] if matrix_beeper_linkedin_enabled else []) + - (['matrix-heisenbridge.service'] if matrix_heisenbridge_enabled else []) + ([{'name': 'matrix-go-skype-bridge.service', 'priority': 2000}] if matrix_go_skype_bridge_enabled else []) + - (['matrix-hookshot.service'] if matrix_hookshot_enabled else []) + ([{'name': 'matrix-heisenbridge.service', 'priority': 2000}] if matrix_heisenbridge_enabled else []) + - (['matrix-mautrix-discord.service'] if matrix_mautrix_discord_enabled else []) + ([{'name': 'matrix-hookshot.service', 'priority': 2000}] if matrix_hookshot_enabled else []) + - (['matrix-mautrix-facebook.service'] if matrix_mautrix_facebook_enabled else []) + ([{'name': 'matrix-mautrix-discord.service', 'priority': 2000}] if matrix_mautrix_discord_enabled else []) + - (['matrix-mautrix-googlechat.service'] if matrix_mautrix_googlechat_enabled else []) + ([{'name': 'matrix-mautrix-facebook.service', 'priority': 2000}] if matrix_mautrix_facebook_enabled else []) + - (['matrix-mautrix-hangouts.service'] if matrix_mautrix_hangouts_enabled else []) + ([{'name': 'matrix-mautrix-googlechat.service', 'priority': 2000}] if matrix_mautrix_googlechat_enabled else []) + - (['matrix-mautrix-instagram.service'] if matrix_mautrix_instagram_enabled else []) + ([{'name': 'matrix-mautrix-hangouts.service', 'priority': 2000}] if matrix_mautrix_hangouts_enabled else []) + - (['matrix-mautrix-signal.service', 'matrix-mautrix-signal-daemon.service'] if matrix_mautrix_signal_enabled else []) + ([{'name': 'matrix-mautrix-instagram.service', 'priority': 2000}] if matrix_mautrix_instagram_enabled else []) + - (['matrix-mautrix-telegram.service'] if matrix_mautrix_telegram_enabled else []) + 
([{'name': 'matrix-mautrix-signal.service', 'priority': 2000}] if matrix_mautrix_signal_enabled else []) + - (['matrix-mautrix-twitter.service'] if matrix_mautrix_twitter_enabled else []) + ([{'name': 'matrix-mautrix-signal-daemon.service', 'priority': 1900}] if matrix_mautrix_signal_enabled else []) + - (['matrix-mautrix-whatsapp.service'] if matrix_mautrix_whatsapp_enabled else []) + ([{'name': 'matrix-mautrix-telegram.service', 'priority': 2000}] if matrix_mautrix_telegram_enabled else []) + - (['matrix-mx-puppet-discord.service'] if matrix_mx_puppet_discord_enabled else []) + ([{'name': 'matrix-mautrix-twitter.service', 'priority': 2000}] if matrix_mautrix_twitter_enabled else []) + - (['matrix-mx-puppet-groupme.service'] if matrix_mx_puppet_groupme_enabled else []) + ([{'name': 'matrix-mautrix-whatsapp.service', 'priority': 2000}] if matrix_mautrix_whatsapp_enabled else []) + - (['matrix-mx-puppet-instagram.service'] if matrix_mx_puppet_instagram_enabled else []) + ([{'name': 'matrix-mx-puppet-discord.service', 'priority': 2000}] if matrix_mx_puppet_discord_enabled else []) + - (['matrix-mx-puppet-slack.service'] if matrix_mx_puppet_slack_enabled else []) + ([{'name': 'matrix-mx-puppet-groupme.service', 'priority': 2000}] if matrix_mx_puppet_groupme_enabled else []) + - (['matrix-mx-puppet-steam.service'] if matrix_mx_puppet_steam_enabled else []) + ([{'name': 'matrix-mx-puppet-instagram.service', 'priority': 2000}] if matrix_mx_puppet_instagram_enabled else []) + - (['matrix-mx-puppet-twitter.service'] if matrix_mx_puppet_twitter_enabled else []) + ([{'name': 'matrix-mx-puppet-slack.service', 'priority': 2000}] if matrix_mx_puppet_slack_enabled else []) + - (['matrix-sms-bridge.service'] if matrix_sms_bridge_enabled else []) + ([{'name': 'matrix-mx-puppet-steam.service', 'priority': 2000}] if matrix_mx_puppet_steam_enabled else []) + - (['matrix-cactus-comments.service'] if matrix_cactus_comments_enabled else []) + ([{'name': 
'matrix-mx-puppet-twitter.service', 'priority': 2000}] if matrix_mx_puppet_twitter_enabled else []) + - (['matrix-client-cinny.service'] if matrix_client_cinny_enabled else []) + ([{'name': 'matrix-sms-bridge.service', 'priority': 2000}] if matrix_sms_bridge_enabled else []) + - (['matrix-client-element.service'] if matrix_client_element_enabled else []) + ([{'name': 'matrix-cactus-comments.service', 'priority': 2000}] if matrix_cactus_comments_enabled else []) + - (['matrix-client-hydrogen.service'] if matrix_client_hydrogen_enabled else []) + ([{'name': 'matrix-client-cinny.service', 'priority': 2000}] if matrix_client_cinny_enabled else []) + - (['matrix-' + matrix_homeserver_implementation + '.service']) + ([{'name': 'matrix-client-element.service', 'priority': 2000}] if matrix_client_element_enabled else []) + - (['matrix-corporal.service'] if matrix_corporal_enabled else []) + ([{'name': 'matrix-client-hydrogen.service', 'priority': 2000}] if matrix_client_hydrogen_enabled else []) + - (['matrix-coturn.service'] if matrix_coturn_enabled else []) + ([{'name': ('matrix-' + matrix_homeserver_implementation + '.service'), 'priority': 1000}]) + - (['matrix-coturn-reload.timer'] if (matrix_coturn_enabled and matrix_coturn_tls_enabled) else []) + ([{'name': 'matrix-corporal.service', 'priority': 1500}] if matrix_corporal_enabled else []) + - (['matrix-dimension.service'] if matrix_dimension_enabled else []) + ([{'name': 'matrix-coturn.service', 'priority': 4000}] if matrix_coturn_enabled else []) + - (['matrix-dynamic-dns.service'] if matrix_dynamic_dns_enabled else []) + ([{'name': 'matrix-coturn-reload.timer', 'priority': 5000}] if (matrix_coturn_enabled and matrix_coturn_tls_enabled) else []) + - (['matrix-email2matrix.service'] if matrix_email2matrix_enabled else []) + ([{'name': 'matrix-dimension.service', 'priority': 2500}] if matrix_dimension_enabled else []) + - (['matrix-etherpad.service'] if matrix_etherpad_enabled else []) + ([{'name': 
'matrix-dynamic-dns.service', 'priority': 5000}] if matrix_dynamic_dns_enabled else []) + - (['matrix-grafana.service'] if matrix_grafana_enabled else []) + ([{'name': 'matrix-email2matrix.service', 'priority': 2000}] if matrix_email2matrix_enabled else []) + - (['matrix-jitsi-web.service', 'matrix-jitsi-prosody.service', 'matrix-jitsi-jicofo.service', 'matrix-jitsi-jvb.service'] if matrix_jitsi_enabled else []) + ([{'name': 'matrix-etherpad.service', 'priority': 4000}] if matrix_etherpad_enabled else []) + - (['matrix-ldap-registration-proxy.service'] if matrix_ldap_registration_proxy_enabled else []) + ([{'name': 'matrix-grafana.service', 'priority': 4000}] if matrix_grafana_enabled else []) + - (['matrix-ma1sd.service'] if matrix_ma1sd_enabled else []) + ([{'name': 'matrix-jitsi-web.service', 'priority': 4200}] if matrix_jitsi_enabled else []) + - (['matrix-mailer.service'] if matrix_mailer_enabled else []) + ([{'name': 'matrix-jitsi-prosody.service', 'priority': 4000}] if matrix_jitsi_enabled else []) + - (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + ([{'name': 'matrix-jitsi-jicofo.service', 'priority': 4100}] if matrix_jitsi_enabled else []) + - (matrix_ssl_renewal_systemd_units_list | selectattr('applicable') | map(attribute='name')) + ([{'name': 'matrix-jitsi-jvb.service', 'priority': 4100}] if matrix_jitsi_enabled else []) + - (['matrix-ntfy.service'] if matrix_ntfy_enabled else []) + ([{'name': 'matrix-ldap-registration-proxy.service', 'priority': 2000}] if matrix_ldap_registration_proxy_enabled else []) + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([{'name': 'matrix-ma1sd.service', 'priority': 2000}] if matrix_ma1sd_enabled else []) + - (['matrix-postgres-backup.service'] if matrix_postgres_backup_enabled else []) + ([{'name': 'matrix-mailer.service', 'priority': 2000}] if matrix_mailer_enabled else []) + - (['matrix-prometheus.service'] if matrix_prometheus_enabled else []) + ([{'name': 
'matrix-nginx-proxy.service', 'priority': 3000}] if matrix_nginx_proxy_enabled else []) + - (['matrix-prometheus-node-exporter.service'] if matrix_prometheus_node_exporter_enabled else []) + (matrix_ssl_renewal_systemd_units_list | selectattr('applicable')) + - (['matrix-prometheus-postgres-exporter.service'] if matrix_prometheus_postgres_exporter_enabled else []) + ([{'name': 'matrix-ntfy.service', 'priority': 800}] if matrix_ntfy_enabled else []) + - (['matrix-redis'] if matrix_redis_enabled else []) + ([{'name': 'matrix-postgres.service', 'priority': 500}] if matrix_postgres_enabled else []) + - (['matrix-registration.service'] if matrix_registration_enabled else []) + ([{'name': 'matrix-postgres-backup.service', 'priority': 3000}] if matrix_postgres_backup_enabled else []) + - (['matrix-sygnal.service'] if matrix_sygnal_enabled else []) + ([{'name': 'matrix-prometheus.service', 'priority': 4000}] if matrix_prometheus_enabled else []) + - (['matrix-goofys.service'] if matrix_s3_media_store_enabled else []) + ([{'name': 'matrix-prometheus-node-exporter.service', 'priority': 3900}] if matrix_prometheus_node_exporter_enabled else []) + - (['matrix-synapse-s3-storage-provider-migrate.timer'] if matrix_synapse_ext_synapse_s3_storage_provider_enabled else []) + ([{'name': 'matrix-prometheus-postgres-exporter.service', 'priority': 3900}] if matrix_prometheus_postgres_exporter_enabled else []) + - (['matrix-synapse-admin.service'] if matrix_synapse_admin_enabled else []) + ([{'name': 'matrix-redis', 'priority': 750}] if matrix_redis_enabled else []) + - (['matrix-synapse-reverse-proxy-companion.service'] if matrix_synapse_reverse_proxy_companion_enabled else []) + ([{'name': 'matrix-registration.service', 'priority': 4000}] if matrix_registration_enabled else []) + + + ([{'name': 'matrix-sygnal.service', 'priority': 800}] if matrix_sygnal_enabled else []) + + + ([{'name': 'matrix-goofys.service', 'priority': 800}] if matrix_s3_media_store_enabled else []) + + + 
([{'name': 'matrix-synapse-s3-storage-provider-migrate.timer', 'priority': 5000}] if matrix_synapse_ext_synapse_s3_storage_provider_enabled else []) + + + ([{'name': 'matrix-synapse-admin.service', 'priority': 4000}] if matrix_synapse_admin_enabled else []) + + + ([{'name': 'matrix-synapse-reverse-proxy-companion.service', 'priority': 1500}] if matrix_synapse_reverse_proxy_companion_enabled else []) }} matrix_homeserver_app_service_config_files_auto: | diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index d54da23ed..dfaeb69da 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml 
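Review bot: The Redis entry on the new side is `{'name': 'matrix-redis', 'priority': 750}`, the only unit in the list spelled without a `.service` suffix. The start-up verification in matrix-common-after/tasks/start.yml only checks names ending in `.service`, so Redis — placed at 750 as a dependency of the homeserver — is never verified as running, and the bare name diverges from how every other entry is written. Suggest `([{'name': 'matrix-redis.service', 'priority': 750}] if matrix_redis_enabled else [])`. The consumer's `sort(attribute='priority,name')` also relies on multi-attribute sorting in Jinja2's `sort` filter, which older Jinja2 releases do not provide; worth confirming against the playbook's minimum supported Ansible version.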
@@ -253,9 +253,26 @@ matrix_well_known_matrix_server_enabled: true # See `matrix_homeserver_admin_contacts`, `matrix_homeserver_support_url`, etc. matrix_well_known_matrix_support_enabled: false -# This will contain a list of enabled services that the playbook is managing. -# Each component is expected to append its service name to this list. -matrix_systemd_services_list: [] +# matrix_systemd_services_list_auto contains a list of systemd services and their priorities. +# This list is managed by the playbook. You're not meant to override this variable. +# To add your own items to the list, use `matrix_systemd_services_list_additional` +matrix_systemd_services_list_auto: [] + +# matrix_systemd_services_list_additional contains your own list of systemd services and their priorities. +# +# Example: +# matrix_systemd_services_list_additional: +# - name: some-service.service +# priority: 1250 +# - name: another-service.service +# priority: 3500 +matrix_systemd_services_list_additional: [] + +# matrix_systemd_services_list contains a list of systemd services and their priorities. +matrix_systemd_services_list: "{{ matrix_systemd_services_list_auto + matrix_systemd_services_list_additional }}" + +# matrix_systemd_services_autostart_enabled controls whether systemd services should auto-start when the system reboots +matrix_systemd_services_autostart_enabled: true matrix_homeserver_container_extra_arguments_auto: [] matrix_homeserver_app_service_config_files_auto: [] diff --git a/roles/custom/matrix-common-after/tasks/start.yml b/roles/custom/matrix-common-after/tasks/start.yml index a781dab75..b79d073a8 100644 --- a/roles/custom/matrix-common-after/tasks/start.yml +++ b/roles/custom/matrix-common-after/tasks/start.yml 
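Review bot: `matrix_systemd_services_list_additional` is documented only by example, yet the consumer sorts the merged list with `sort(attribute='priority,name')`, so an operator-supplied entry that lacks a `priority` key will most likely abort the run with an undefined-attribute error rather than a clear message. Suggest stating the contract above the example: `# Each item must have a 'name' (a full systemd unit name such as foo.service) and an integer 'priority'; see the priority levels described in group_vars/matrix_servers.` A validation task asserting that both keys are present on every item would turn that failure into an actionable one.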
@@ -1,26 +1,22 @@ --- -- name: Determine whether we should make services autostart - ansible.builtin.set_fact: - matrix_services_autostart_enabled_bool: "{{ true if matrix_services_autostart_enabled | default('') == '' else matrix_services_autostart_enabled | bool }}" - - name: Ensure systemd is reloaded ansible.builtin.service: daemon_reload: true - name: Ensure Matrix services are stopped ansible.builtin.service: - name: "{{ item }}" + name: "{{ item.name }}" state: stopped - with_items: "{{ matrix_systemd_services_list }}" + with_items: "{{ matrix_systemd_services_list | sort (attribute='priority,name', reverse=true) }}" when: not ansible_check_mode - name: Ensure Matrix services are started ansible.builtin.service: - name: "{{ item }}" - enabled: "{{ matrix_services_autostart_enabled_bool }}" + name: "{{ item.name }}" state: started - with_items: "{{ matrix_systemd_services_list }}" + enabled: "{{ matrix_systemd_services_autostart_enabled }}" + with_items: "{{ matrix_systemd_services_list | sort (attribute='priority,name') }}" when: not ansible_check_mode # If we check service state immediately, we may succeed, @@ -48,7 +44,7 @@ If you're on a slow or overloaded server, it may be that services take a longer time to start and that this error is a false-positive. You can consider raising the value of the `matrix_common_after_systemd_service_start_wait_for_timeout_seconds` variable. See `roles/custom/matrix-common-after/defaults/main.yml` for more details about that. - with_items: "{{ matrix_systemd_services_list }}" + with_items: "{{ matrix_systemd_services_list | map(attribute='name') }}" when: - "item.endswith('.service') and (ansible_facts.services[item] | default(none) is none or ansible_facts.services[item].state != 'running')" @@ -59,7 +55,7 @@ # Therefore iterating here manually - name: Fetch systemd information ansible.builtin.systemd: - name: "{{ item }}" + name: "{{ item.name }}" register: systemdstatus with_items: "{{ matrix_systemd_services_list }}" 
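Review bot: The autostart toggle is renamed from `matrix_services_autostart_enabled` (the removed set_fact at the top of the first hunk) to `matrix_systemd_services_autostart_enabled`, and nothing here warns about the old name. An operator who had deliberately set `matrix_services_autostart_enabled: false` will, on the next run, silently get every Matrix unit enabled at boot — the opposite of their intent. Suggest a guard in the validation tasks: `- ansible.builtin.fail:` / `msg: 'matrix_services_autostart_enabled was renamed to matrix_systemd_services_autostart_enabled'` / `when: matrix_services_autostart_enabled is defined`. The third hunk now registers `systemdstatus` over dict items, so the `item.item` used in the failure message just below it (outside this hunk) would render the whole dict instead of the unit name — probably wants `item.item.name`.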
diff --git a/roles/custom/matrix-common-after/tasks/stop.yml b/roles/custom/matrix-common-after/tasks/stop.yml index a343999c6..4fb19ebd6 100644 --- a/roles/custom/matrix-common-after/tasks/stop.yml +++ b/roles/custom/matrix-common-after/tasks/stop.yml @@ -2,6 +2,6 @@ - name: Ensure Matrix services stopped ansible.builtin.service: - name: "{{ item }}" + name: "{{ item.name }}" state: stopped - with_items: "{{ matrix_systemd_services_list }}" + with_items: "{{ matrix_systemd_services_list | sort (attribute='priority,name', reverse=true) }}" diff --git a/roles/custom/matrix-jitsi/tasks/init_additional_jvb.yml b/roles/custom/matrix-jitsi/tasks/init_additional_jvb.yml index e781f5bcc..b3f83d944 100644 --- a/roles/custom/matrix-jitsi/tasks/init_additional_jvb.yml +++ b/roles/custom/matrix-jitsi/tasks/init_additional_jvb.yml @@ -1,5 +1,5 @@ --- - ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ ['matrix-jitsi-jvb.service'] }}" + matrix_systemd_services_list: "{{ [{'name': 'matrix-jitsi-jvb.service', 'priority': 1000}] }}" when: matrix_jitsi_enabled | bool diff --git a/roles/custom/matrix-nginx-proxy/vars/main.yml b/roles/custom/matrix-nginx-proxy/vars/main.yml index 1a9ed929c..06f86649f 100644 --- a/roles/custom/matrix-nginx-proxy/vars/main.yml +++ b/roles/custom/matrix-nginx-proxy/vars/main.yml 
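Review bot: `init_additional_jvb.yml` still assigns the final `matrix_systemd_services_list` via set_fact rather than `matrix_systemd_services_list_auto`, which the new defaults now compute `matrix_systemd_services_list` from; the set_fact wins at runtime, so on additional-JVB hosts `matrix_systemd_services_list_additional` is silently ignored. If that is intended for the single-service JVB playbook, a comment such as `# Overrides the computed list on purpose: additional JVB hosts run only the JVB unit` would stop someone from "fixing" it; otherwise set `matrix_systemd_services_list_auto` instead. The JVB priority here (1000) also differs from the 4100 given to the same unit in group_vars/matrix_servers — harmless for a one-entry list, but worth aligning.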
@@ -7,12 +7,16 @@ matrix_ssl_renewal_systemd_units_list: - name: matrix-ssl-lets-encrypt-certificates-renew.service applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' }}" enableable: false + priority: 5000 - name: matrix-ssl-lets-encrypt-certificates-renew.timer applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' }}" enableable: true + priority: 5000 - name: matrix-ssl-nginx-proxy-reload.service applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' and matrix_nginx_proxy_enabled | bool }}" enableable: false + priority: 5000 - name: matrix-ssl-nginx-proxy-reload.timer applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' and matrix_nginx_proxy_enabled | bool }}" enableable: true + priority: 5000 diff --git a/roles/custom/matrix-synapse/tasks/synapse/workers/setup_install.yml b/roles/custom/matrix-synapse/tasks/synapse/workers/setup_install.yml index 74ca6c358..ca80e4548 100644 --- a/roles/custom/matrix-synapse/tasks/synapse/workers/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/workers/setup_install.yml @@ -27,7 +27,7 @@ state: stopped enabled: false with_items: "{{ matrix_synapse_workers_current_systemd_services.files }}" - when: "not ansible_check_mode and item.path | basename not in matrix_systemd_services_list" + when: "not ansible_check_mode and item.path | basename not in matrix_systemd_services_list | map(attribute='name')" - name: Ensure unnecessary worker systemd services are cleaned ansible.builtin.file: diff --git a/roles/custom/matrix-synapse/tasks/synapse/workers/util/inject_worker.yml b/roles/custom/matrix-synapse/tasks/synapse/workers/util/inject_worker.yml index 4542f19c1..aebcbc899 100644 --- a/roles/custom/matrix-synapse/tasks/synapse/workers/util/inject_worker.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/workers/util/inject_worker.yml 
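Review bot: The renewal `.service` units carry `enableable: false`, but the start task in matrix-common-after enables every entry of the list with `enabled: "{{ matrix_systemd_services_autostart_enabled }}"` and never reads `enableable`; if those oneshot units have no `[Install]` section, `systemctl enable` on them will at best warn. Either honour the flag where the list is consumed (`enabled: "{{ matrix_systemd_services_autostart_enabled and (item.enableable | default(true)) }}"`) or add a comment on these entries saying where `enableable` is actually consumed, which I cannot confirm from this diff.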
@@ -53,7 +53,7 @@ when: "'replication_port' not in matrix_synapse_worker_details" - ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + [matrix_synapse_worker_details.name + '.service'] }}" + matrix_systemd_services_list_auto: "{{ matrix_systemd_services_list_auto + [{'name': (matrix_synapse_worker_details.name + '.service'), 'priority': 1100}] }}" - ansible.builtin.set_fact: matrix_synapse_webserving_workers_systemd_services_list: "{{ matrix_synapse_webserving_workers_systemd_services_list + [matrix_synapse_worker_details.name + '.service'] }}" From eec5de7aba8e43c4c8b6a879abde9a96082ffa10 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 23 Nov 2022 08:55:34 +0200 Subject: [PATCH 050/915] Remove old systemd service checks These are not even caused by Archlinux, but by running buggy Ansible on old Ubuntu while targeting modern servers (like Archlinux, but also others, ..). We shouldn't employ ugly workarounds like this. We should tell people to avoid running buggy Ansible or bad distros like Ubuntu, even. --- .../matrix-common-after/tasks/start.yml | 53 ++++++------------- 1 file changed, 16 insertions(+), 37 deletions(-) diff --git a/roles/custom/matrix-common-after/tasks/start.yml b/roles/custom/matrix-common-after/tasks/start.yml index b79d073a8..60f571bc0 100644 --- a/roles/custom/matrix-common-after/tasks/start.yml +++ b/roles/custom/matrix-common-after/tasks/start.yml 
@@ -30,40 +30,19 @@ delegate_to: 127.0.0.1 become: false -- when: "ansible_distribution != 'Archlinux'" - block: - - name: Populate service facts - ansible.builtin.service_facts: - - - name: Fail if service isn't detected to be running - ansible.builtin.fail: - msg: >- - {{ item }} was not detected to be running. - It's possible that there's a configuration problem or another service on your server interferes with it (uses the same ports, etc.). - Try running `systemctl status {{ item }}` and `journalctl -fu {{ item }}` on the server to investigate. - If you're on a slow or overloaded server, it may be that services take a longer time to start and that this error is a false-positive. - You can consider raising the value of the `matrix_common_after_systemd_service_start_wait_for_timeout_seconds` variable. - See `roles/custom/matrix-common-after/defaults/main.yml` for more details about that. - with_items: "{{ matrix_systemd_services_list | map(attribute='name') }}" - when: - - "item.endswith('.service') and (ansible_facts.services[item] | default(none) is none or ansible_facts.services[item].state != 'running')" - -- when: "ansible_distribution == 'Archlinux'" - block: - # Currently there is a bug in ansible that renders is incompatible with systemd. - # service_facts is not collecting the data successfully. - # Therefore iterating here manually - - name: Fetch systemd information - ansible.builtin.systemd: - name: "{{ item.name }}" - register: systemdstatus - with_items: "{{ matrix_systemd_services_list }}" - - - name: Fail if service isn't detected to be running - ansible.builtin.fail: - msg: >- - {{ item.item }} was not detected to be running. - It's possible that there's a configuration problem or another service on your server interferes with it (uses the same ports, etc.). - Try running `systemctl status {{ item.item }}` and `journalctl -fu {{ item.item }}` on the server to investigate. 
- with_items: "{{ systemdstatus.results }}" - when: "item.status['ActiveState'] != 'active'" +- block: + - name: Populate service facts + ansible.builtin.service_facts: + + - name: Fail if service isn't detected to be running + ansible.builtin.fail: + msg: >- + {{ item }} was not detected to be running. + It's possible that there's a configuration problem or another service on your server interferes with it (uses the same ports, etc.). + Try running `systemctl status {{ item }}` and `journalctl -fu {{ item }}` on the server to investigate. + If you're on a slow or overloaded server, it may be that services take a longer time to start and that this error is a false-positive. + You can consider raising the value of the `matrix_common_after_systemd_service_start_wait_for_timeout_seconds` variable. + See `roles/custom/matrix-common-after/defaults/main.yml` for more details about that. + with_items: "{{ matrix_systemd_services_list | map(attribute='name') }}" + when: + - "item.endswith('.service') and (ansible_facts.services[item] | default(none) is none or ansible_facts.services[item].state != 'running')" From 93d4f8d4258c886803664074eed6faafdff96a31 Mon Sep 17 00:00:00 2001 
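Review bot: With the Archlinux fallback removed, every host now depends on `service_facts` returning accurate systemd state, and the commit description attributes the past failures to old Ansible builds rather than the distro — but nothing on the new side enforces a minimum Ansible version, so affected users will simply hit the "was not detected to be running" failure with no pointer to the real cause. Suggest an `ansible.builtin.assert` early in the playbook with `that: ansible_version.full is version('<known-good version>', '>=')` and a message naming the `service_facts` bug, with the version filled in from whatever was actually tested. Separately, the `item.endswith('.service')` guard means `.timer` units and any unit listed without a suffix (`matrix-redis` in group_vars) are never verified; if that is intentional, add `# Only .service units are checked: timers are not expected to be 'running'` above the condition.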
From: Slavi Pantaleev Date: Wed, 23 Nov 2022 10:14:28 +0200 Subject: [PATCH 051/915] Replace matrix-common-after systemd service management with com.devture.ansible.role.systemd_service_manager --- group_vars/matrix_servers | 250 ++++++++++-------- playbooks/matrix.yml | 3 + requirements.yml | 3 + roles/custom/matrix-base/defaults/main.yml | 21 -- .../matrix-common-after/defaults/main.yml | 17 -- .../custom/matrix-common-after/tasks/main.yml | 10 - .../matrix-common-after/tasks/start.yml | 48 ---- .../custom/matrix-common-after/tasks/stop.yml | 7 - .../tasks/init_additional_jvb.yml | 2 +- .../tasks/synapse/workers/setup_install.yml | 2 +- .../synapse/workers/util/inject_worker.yml | 2 +- .../tasks/validate_config.yml | 4 + 12 files changed, 150 insertions(+), 219 deletions(-) delete mode 100644 roles/custom/matrix-common-after/defaults/main.yml delete mode 100644 roles/custom/matrix-common-after/tasks/start.yml delete mode 100644 roles/custom/matrix-common-after/tasks/stop.yml diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index ccd7d5d91..74515ab28 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -19,6 +19,141 @@ # Also see `devture_docker_sdk_for_python_installation_enabled`. matrix_playbook_docker_installation_enabled: true +######################################################################## +# # +# /Playbook # +# # +######################################################################## + +######################################################################## +# # +# base # +# # +######################################################################## + +matrix_homeserver_app_service_config_files_auto: | + {{ + (['--mount type=bind,src=' + matrix_appservice_discord_config_path + '/registration.yaml,dst=/matrix-appservice-discord-registration.yaml,ro'] if matrix_appservice_discord_enabled else []) + + + (['--mount type=bind,src=' + matrix_appservice_irc_config_path + '/registration.yaml,dst=/matrix-appservice-irc-registration.yaml,ro'] if matrix_appservice_irc_enabled else []) + + + (['--mount type=bind,src=' + matrix_appservice_kakaotalk_config_path + '/registration.yaml,dst=/matrix-appservice-kakaotalk-registration.yaml,ro'] if matrix_appservice_kakaotalk_enabled else []) + + + (['--mount type=bind,src=' + matrix_appservice_slack_config_path + '/slack-registration.yaml,dst=/matrix-appservice-slack-registration.yaml,ro'] if matrix_appservice_slack_enabled else []) + + + (['--mount type=bind,src=' + matrix_appservice_webhooks_config_path + '/webhooks-registration.yaml,dst=/matrix-appservice-webhooks-registration.yaml,ro'] if matrix_appservice_webhooks_enabled else []) + + + (['--mount type=bind,src=' + matrix_beeper_linkedin_config_path + '/registration.yaml,dst=/matrix-beeper-linkedin-registration.yaml,ro'] if matrix_beeper_linkedin_enabled else []) + + + (['--mount type=bind,src=' + matrix_go_skype_bridge_config_path + '/registration.yaml,dst=/matrix-go-skype-bridge-registration.yaml,ro'] if matrix_go_skype_bridge_enabled else []) + + + (['--mount type=bind,src=' + matrix_heisenbridge_base_path + 
'/registration.yaml,dst=/heisenbridge-registration.yaml,ro'] if matrix_heisenbridge_enabled else []) + + + (['--mount type=bind,src=' + matrix_hookshot_base_path + '/registration.yml,dst=/hookshot-registration.yml,ro'] if matrix_hookshot_enabled else []) + + + (['--mount type=bind,src=' + matrix_mautrix_discord_config_path + '/registration.yaml,dst=/matrix-mautrix-discord-registration.yaml,ro'] if matrix_mautrix_discord_enabled else []) + + + (['--mount type=bind,src=' + matrix_mautrix_facebook_config_path + '/registration.yaml,dst=/matrix-mautrix-facebook-registration.yaml,ro'] if matrix_mautrix_facebook_enabled else []) + + + (['--mount type=bind,src=' + matrix_mautrix_googlechat_config_path + '/registration.yaml,dst=/matrix-mautrix-googlechat-registration.yaml,ro'] if matrix_mautrix_googlechat_enabled else []) + + + (['--mount type=bind,src=' + matrix_mautrix_hangouts_config_path + '/registration.yaml,dst=/matrix-mautrix-hangouts-registration.yaml,ro'] if matrix_mautrix_hangouts_enabled else []) + + + (['--mount type=bind,src=' + matrix_mautrix_instagram_config_path + '/registration.yaml,dst=/matrix-mautrix-instagram-registration.yaml,ro'] if matrix_mautrix_instagram_enabled else []) + + + (['--mount type=bind,src=' + matrix_mautrix_signal_config_path + '/registration.yaml,dst=/matrix-mautrix-signal-registration.yaml,ro'] if matrix_mautrix_signal_enabled else []) + + + (['--mount type=bind,src=' + matrix_mautrix_telegram_config_path + '/registration.yaml,dst=/matrix-mautrix-telegram-registration.yaml,ro'] if matrix_mautrix_telegram_enabled else []) + + + (['--mount type=bind,src=' + matrix_mautrix_twitter_config_path + '/registration.yaml,dst=/matrix-mautrix-twitter-registration.yaml,ro'] if matrix_mautrix_twitter_enabled else []) + + + (['--mount type=bind,src=' + matrix_mautrix_whatsapp_config_path + '/registration.yaml,dst=/matrix-mautrix-whatsapp-registration.yaml,ro'] if matrix_mautrix_whatsapp_enabled else []) + + + (['--mount type=bind,src=' + 
matrix_mx_puppet_discord_config_path + '/registration.yaml,dst=/matrix-mx-puppet-discord-registration.yaml,ro'] if matrix_mx_puppet_discord_enabled else []) + + + (['--mount type=bind,src=' + matrix_mx_puppet_groupme_config_path + '/registration.yaml,dst=/matrix-mx-puppet-groupme-registration.yaml,ro'] if matrix_mx_puppet_groupme_enabled else []) + + + (['--mount type=bind,src=' + matrix_mx_puppet_instagram_config_path + '/registration.yaml,dst=/matrix-mx-puppet-instagram-registration.yaml,ro'] if matrix_mx_puppet_instagram_enabled else []) + + + (['--mount type=bind,src=' + matrix_mx_puppet_slack_config_path + '/registration.yaml,dst=/matrix-mx-puppet-slack-registration.yaml,ro'] if matrix_mx_puppet_slack_enabled else []) + + + (['--mount type=bind,src=' + matrix_mx_puppet_steam_config_path + '/registration.yaml,dst=/matrix-mx-puppet-steam-registration.yaml,ro'] if matrix_mx_puppet_steam_enabled else []) + + + (['--mount type=bind,src=' + matrix_mx_puppet_twitter_config_path + '/registration.yaml,dst=/matrix-mx-puppet-twitter-registration.yaml,ro'] if matrix_mx_puppet_twitter_enabled else []) + + + (['--mount type=bind,src=' + matrix_sms_bridge_config_path + '/registration.yaml,dst=/matrix-sms-bridge-registration.yaml,ro'] if matrix_sms_bridge_enabled else []) + + + (['--mount type=bind,src=' + matrix_cactus_comments_app_service_config_file + ',dst=/matrix-cactus-comments.yaml,ro'] if matrix_cactus_comments_enabled else []) + }} + +matrix_homeserver_additional_config_files_auto: | + {{ + (['/matrix-appservice-discord-registration.yaml'] if matrix_appservice_discord_enabled else []) + + + (['/matrix-appservice-irc-registration.yaml'] if matrix_appservice_irc_enabled else []) + + + (['/matrix-appservice-kakaotalk-registration.yaml'] if matrix_appservice_kakaotalk_enabled else []) + + + (['/matrix-appservice-slack-registration.yaml'] if matrix_appservice_slack_enabled else []) + + + (['/matrix-appservice-webhooks-registration.yaml'] if 
matrix_appservice_webhooks_enabled else []) + + + (['/matrix-beeper-linkedin-registration.yaml'] if matrix_beeper_linkedin_enabled else []) + + + (['/matrix-go-skype-bridge-registration.yaml'] if matrix_go_skype_bridge_enabled else []) + + + (['/heisenbridge-registration.yaml'] if matrix_heisenbridge_enabled else []) + + + (['/hookshot-registration.yml'] if matrix_hookshot_enabled else []) + + + (['/matrix-mautrix-discord-registration.yaml'] if matrix_mautrix_discord_enabled else []) + + + (['/matrix-mautrix-facebook-registration.yaml'] if matrix_mautrix_facebook_enabled else []) + + + (['/matrix-mautrix-googlechat-registration.yaml'] if matrix_mautrix_googlechat_enabled else []) + + + (['/matrix-mautrix-hangouts-registration.yaml'] if matrix_mautrix_hangouts_enabled else []) + + + (['/matrix-mautrix-instagram-registration.yaml'] if matrix_mautrix_instagram_enabled else []) + + + (['/matrix-mautrix-signal-registration.yaml'] if matrix_mautrix_signal_enabled else []) + + + (['/matrix-mautrix-telegram-registration.yaml'] if matrix_mautrix_telegram_enabled else []) + + + (['/matrix-mautrix-twitter-registration.yaml'] if matrix_mautrix_twitter_enabled else []) + + + (['/matrix-mautrix-whatsapp-registration.yaml'] if matrix_mautrix_whatsapp_enabled else []) + + + (['/matrix-mx-puppet-discord-registration.yaml'] if matrix_mx_puppet_discord_enabled else []) + + + (['/matrix-mx-puppet-groupme-registration.yaml'] if matrix_mx_puppet_groupme_enabled else []) + + + (['/matrix-mx-puppet-instagram-registration.yaml'] if matrix_mx_puppet_instagram_enabled else []) + + + (['/matrix-mx-puppet-slack-registration.yaml'] if matrix_mx_puppet_slack_enabled else []) + + + (['/matrix-mx-puppet-steam-registration.yaml'] if matrix_mx_puppet_steam_enabled else []) + + + (['/matrix-mx-puppet-twitter-registration.yaml'] if matrix_mx_puppet_twitter_enabled else []) + + + (['/matrix-sms-bridge-registration.yaml'] if matrix_sms_bridge_enabled else []) + + + (['/matrix-cactus-comments.yaml'] if 
matrix_cactus_comments_enabled else []) + }} + +######################################################################## +# # +# /base # +# # +######################################################################## + + +######################################################################## +# # +# com.devture.ansible.role.systemd_service_manager # +# # +######################################################################## + # This list is not exhaustive and final. # Synapse workers are still injected into the list at runtime. # Additional JVB workers (playbooks/jitsi_jvb.yml -- roles/custom/matrix-jitsi/tasks/init_additional_jvb.yml) override this variable at runtime as well. @@ -32,7 +167,7 @@ matrix_playbook_docker_installation_enabled: true # - so that, when the reverse-proxy is up (Matrix is up), all bots and bridges can be interacted with # - monitoring services (Prometheus, Grafana, ..) get a level of 4000 - they can start later than all-of-Matrix # - services which aren't time-sensitive (various crons and timers) get a level of 5000 - they can start later than all-of-Matrix -matrix_systemd_services_list_auto: | +devture_systemd_service_manager_services_list_auto: | {{ ([{'name': 'matrix-backup-borg.timer', 'priority': 5000}] if matrix_backup_borg_enabled else []) + 
@@ -177,124 +312,13 @@ matrix_systemd_services_list_auto: | ([{'name': 'matrix-synapse-reverse-proxy-companion.service', 'priority': 1500}] if matrix_synapse_reverse_proxy_companion_enabled else []) }} -matrix_homeserver_app_service_config_files_auto: | - {{ - (['--mount type=bind,src=' + matrix_appservice_discord_config_path + '/registration.yaml,dst=/matrix-appservice-discord-registration.yaml,ro'] if matrix_appservice_discord_enabled else []) - + - (['--mount type=bind,src=' + matrix_appservice_irc_config_path + '/registration.yaml,dst=/matrix-appservice-irc-registration.yaml,ro'] if matrix_appservice_irc_enabled else []) - + - (['--mount type=bind,src=' + matrix_appservice_kakaotalk_config_path + '/registration.yaml,dst=/matrix-appservice-kakaotalk-registration.yaml,ro'] if matrix_appservice_kakaotalk_enabled else []) - + - (['--mount type=bind,src=' + matrix_appservice_slack_config_path + '/slack-registration.yaml,dst=/matrix-appservice-slack-registration.yaml,ro'] if matrix_appservice_slack_enabled else []) - + - (['--mount type=bind,src=' + matrix_appservice_webhooks_config_path + '/webhooks-registration.yaml,dst=/matrix-appservice-webhooks-registration.yaml,ro'] if matrix_appservice_webhooks_enabled else []) - + - (['--mount type=bind,src=' + matrix_beeper_linkedin_config_path + '/registration.yaml,dst=/matrix-beeper-linkedin-registration.yaml,ro'] if matrix_beeper_linkedin_enabled else []) - + - (['--mount type=bind,src=' + matrix_go_skype_bridge_config_path + '/registration.yaml,dst=/matrix-go-skype-bridge-registration.yaml,ro'] if matrix_go_skype_bridge_enabled else []) - + - (['--mount type=bind,src=' + matrix_heisenbridge_base_path + '/registration.yaml,dst=/heisenbridge-registration.yaml,ro'] if matrix_heisenbridge_enabled else []) - + - (['--mount type=bind,src=' + matrix_hookshot_base_path + '/registration.yml,dst=/hookshot-registration.yml,ro'] if matrix_hookshot_enabled else []) - + - (['--mount type=bind,src=' + matrix_mautrix_discord_config_path 
+ '/registration.yaml,dst=/matrix-mautrix-discord-registration.yaml,ro'] if matrix_mautrix_discord_enabled else []) - + - (['--mount type=bind,src=' + matrix_mautrix_facebook_config_path + '/registration.yaml,dst=/matrix-mautrix-facebook-registration.yaml,ro'] if matrix_mautrix_facebook_enabled else []) - + - (['--mount type=bind,src=' + matrix_mautrix_googlechat_config_path + '/registration.yaml,dst=/matrix-mautrix-googlechat-registration.yaml,ro'] if matrix_mautrix_googlechat_enabled else []) - + - (['--mount type=bind,src=' + matrix_mautrix_hangouts_config_path + '/registration.yaml,dst=/matrix-mautrix-hangouts-registration.yaml,ro'] if matrix_mautrix_hangouts_enabled else []) - + - (['--mount type=bind,src=' + matrix_mautrix_instagram_config_path + '/registration.yaml,dst=/matrix-mautrix-instagram-registration.yaml,ro'] if matrix_mautrix_instagram_enabled else []) - + - (['--mount type=bind,src=' + matrix_mautrix_signal_config_path + '/registration.yaml,dst=/matrix-mautrix-signal-registration.yaml,ro'] if matrix_mautrix_signal_enabled else []) - + - (['--mount type=bind,src=' + matrix_mautrix_telegram_config_path + '/registration.yaml,dst=/matrix-mautrix-telegram-registration.yaml,ro'] if matrix_mautrix_telegram_enabled else []) - + - (['--mount type=bind,src=' + matrix_mautrix_twitter_config_path + '/registration.yaml,dst=/matrix-mautrix-twitter-registration.yaml,ro'] if matrix_mautrix_twitter_enabled else []) - + - (['--mount type=bind,src=' + matrix_mautrix_whatsapp_config_path + '/registration.yaml,dst=/matrix-mautrix-whatsapp-registration.yaml,ro'] if matrix_mautrix_whatsapp_enabled else []) - + - (['--mount type=bind,src=' + matrix_mx_puppet_discord_config_path + '/registration.yaml,dst=/matrix-mx-puppet-discord-registration.yaml,ro'] if matrix_mx_puppet_discord_enabled else []) - + - (['--mount type=bind,src=' + matrix_mx_puppet_groupme_config_path + '/registration.yaml,dst=/matrix-mx-puppet-groupme-registration.yaml,ro'] if 
matrix_mx_puppet_groupme_enabled else []) - + - (['--mount type=bind,src=' + matrix_mx_puppet_instagram_config_path + '/registration.yaml,dst=/matrix-mx-puppet-instagram-registration.yaml,ro'] if matrix_mx_puppet_instagram_enabled else []) - + - (['--mount type=bind,src=' + matrix_mx_puppet_slack_config_path + '/registration.yaml,dst=/matrix-mx-puppet-slack-registration.yaml,ro'] if matrix_mx_puppet_slack_enabled else []) - + - (['--mount type=bind,src=' + matrix_mx_puppet_steam_config_path + '/registration.yaml,dst=/matrix-mx-puppet-steam-registration.yaml,ro'] if matrix_mx_puppet_steam_enabled else []) - + - (['--mount type=bind,src=' + matrix_mx_puppet_twitter_config_path + '/registration.yaml,dst=/matrix-mx-puppet-twitter-registration.yaml,ro'] if matrix_mx_puppet_twitter_enabled else []) - + - (['--mount type=bind,src=' + matrix_sms_bridge_config_path + '/registration.yaml,dst=/matrix-sms-bridge-registration.yaml,ro'] if matrix_sms_bridge_enabled else []) - + - (['--mount type=bind,src=' + matrix_cactus_comments_app_service_config_file + ',dst=/matrix-cactus-comments.yaml,ro'] if matrix_cactus_comments_enabled else []) - }} - -matrix_homeserver_additional_config_files_auto: | - {{ - (['/matrix-appservice-discord-registration.yaml'] if matrix_appservice_discord_enabled else []) - + - (['/matrix-appservice-irc-registration.yaml'] if matrix_appservice_irc_enabled else []) - + - (['/matrix-appservice-kakaotalk-registration.yaml'] if matrix_appservice_kakaotalk_enabled else []) - + - (['/matrix-appservice-slack-registration.yaml'] if matrix_appservice_slack_enabled else []) - + - (['/matrix-appservice-webhooks-registration.yaml'] if matrix_appservice_webhooks_enabled else []) - + - (['/matrix-beeper-linkedin-registration.yaml'] if matrix_beeper_linkedin_enabled else []) - + - (['/matrix-go-skype-bridge-registration.yaml'] if matrix_go_skype_bridge_enabled else []) - + - (['/heisenbridge-registration.yaml'] if matrix_heisenbridge_enabled else []) - + - 
(['/hookshot-registration.yml'] if matrix_hookshot_enabled else []) - + - (['/matrix-mautrix-discord-registration.yaml'] if matrix_mautrix_discord_enabled else []) - + - (['/matrix-mautrix-facebook-registration.yaml'] if matrix_mautrix_facebook_enabled else []) - + - (['/matrix-mautrix-googlechat-registration.yaml'] if matrix_mautrix_googlechat_enabled else []) - + - (['/matrix-mautrix-hangouts-registration.yaml'] if matrix_mautrix_hangouts_enabled else []) - + - (['/matrix-mautrix-instagram-registration.yaml'] if matrix_mautrix_instagram_enabled else []) - + - (['/matrix-mautrix-signal-registration.yaml'] if matrix_mautrix_signal_enabled else []) - + - (['/matrix-mautrix-telegram-registration.yaml'] if matrix_mautrix_telegram_enabled else []) - + - (['/matrix-mautrix-twitter-registration.yaml'] if matrix_mautrix_twitter_enabled else []) - + - (['/matrix-mautrix-whatsapp-registration.yaml'] if matrix_mautrix_whatsapp_enabled else []) - + - (['/matrix-mx-puppet-discord-registration.yaml'] if matrix_mx_puppet_discord_enabled else []) - + - (['/matrix-mx-puppet-groupme-registration.yaml'] if matrix_mx_puppet_groupme_enabled else []) - + - (['/matrix-mx-puppet-instagram-registration.yaml'] if matrix_mx_puppet_instagram_enabled else []) - + - (['/matrix-mx-puppet-slack-registration.yaml'] if matrix_mx_puppet_slack_enabled else []) - + - (['/matrix-mx-puppet-steam-registration.yaml'] if matrix_mx_puppet_steam_enabled else []) - + - (['/matrix-mx-puppet-twitter-registration.yaml'] if matrix_mx_puppet_twitter_enabled else []) - + - (['/matrix-sms-bridge-registration.yaml'] if matrix_sms_bridge_enabled else []) - + - (['/matrix-cactus-comments.yaml'] if matrix_cactus_comments_enabled else []) - }} - ######################################################################## # # -# /Playbook # +# /com.devture.ansible.role.systemd_service_manager # # # ######################################################################## - 
######################################################################## # # # com.devture.ansible.role.timesync # diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index 1ecfba327..8d2be5cba 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml @@ -100,6 +100,9 @@ - custom/matrix-user-creator - custom/matrix-common-after + - when: devture_systemd_service_manager_enabled | bool + role: galaxy/com.devture.ansible.role.systemd_service_manager + # This is pretty much last, because we want it to better serve as a "last known good configuration". # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2217#issuecomment-1301487601 - when: devture_playbook_state_preserver_enabled | bool diff --git a/requirements.yml b/requirements.yml index ed4b8fb18..e8b411a88 100644 --- a/requirements.yml +++ b/requirements.yml @@ -18,5 +18,8 @@ - src: git+https://github.com/devture/com.devture.ansible.role.playbook_state_preserver.git version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16 +- src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git + version: 8b6a14d649f8b0e868c7073b34f5d2fda6bde9e0 + - src: git+https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages.git version: f1c78d4e85e875129790c58335d0e44385683f6b diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index dfaeb69da..768bc6ec8 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml 
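Review bot: The new role entry is placed after `custom/matrix-common-after`, so services are now started after that role's remaining `run_docker_prune.yml` import, whereas the deleted `tasks/main.yml` imported `start.yml` before the prune; if the prune removes images or containers that are unused at that moment, running it while everything is still stopped is a behaviour change worth confirming against `run_docker_prune.yml`, which this diff does not show. The `when: devture_systemd_service_manager_enabled | bool` guard references a variable that no `group_vars` or defaults file in this commit defines, so it presumably comes from the galaxy role's own defaults. A short comment above the entry, `# Starts/verifies all services in devture_systemd_service_manager_services_list; must run after every role that adds to that list`, would make the ordering constraint explicit.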
@@ -253,27 +253,6 @@ matrix_well_known_matrix_server_enabled: true # See `matrix_homeserver_admin_contacts`, `matrix_homeserver_support_url`, etc. matrix_well_known_matrix_support_enabled: false -# matrix_systemd_services_list_auto contains a list of systemd services and their priorities. -# This list is managed by the playbook. You're not meant to override this variable. -# To add your own items to the list, use `matrix_systemd_services_list_additional` -matrix_systemd_services_list_auto: [] - -# matrix_systemd_services_list_additional contains your own list of systemd services and their priorities. -# -# Example: -# matrix_systemd_services_list_additional: -# - name: some-service.service -# priority: 1250 -# - name: another-service.service -# priority: 3500 -matrix_systemd_services_list_additional: [] - -# matrix_systemd_services_list contains a list of systemd services and their priorities. -matrix_systemd_services_list: "{{ matrix_systemd_services_list_auto + matrix_systemd_services_list_additional }}" - -# matrix_systemd_services_autostart_enabled controls whether systemd services should auto-start when the system reboots -matrix_systemd_services_autostart_enabled: true - matrix_homeserver_container_extra_arguments_auto: [] matrix_homeserver_app_service_config_files_auto: [] diff --git a/roles/custom/matrix-common-after/defaults/main.yml b/roles/custom/matrix-common-after/defaults/main.yml deleted file mode 100644 index 51c48c7d0..000000000 --- a/roles/custom/matrix-common-after/defaults/main.yml +++ /dev/null 
@@ -1,17 +0,0 @@ ---- -# Specifies how long to wait between starting systemd services and checking if they're started. -# -# A too low value may lead to a failure, as services may not have enough time to start and potentially fail. -# -# A value higher than 30 seconds (or any multiple of that) may also not work well, because a failing systemd service -# auto-restarts after 30 seconds (`RestartSec=30` in systemd service files). -# Checking if a service is running right after it had potentially restarted in such a way will lead us to -# thinking it's running, while it's merely starting again (and likely to fail again, given that it already did once). -# -# All of the services we manage are also started sequentially, which in itself can take a long time. -# There may be a ~10 second (or even larger) interval between starting the first service and starting the last one. -# This makes it even harder to pick a correct value. Such a 10 second gap and a waiting time of 20 seconds will -# put us right at the "dangerous" 30-second mark. -# -# We can try to measure this gap and adjust our waiting time accordingly, but we currently don't. -matrix_common_after_systemd_service_start_wait_for_timeout_seconds: 15 diff --git a/roles/custom/matrix-common-after/tasks/main.yml b/roles/custom/matrix-common-after/tasks/main.yml index 2cffecb1e..498c83907 100644 --- a/roles/custom/matrix-common-after/tasks/main.yml +++ b/roles/custom/matrix-common-after/tasks/main.yml @@ -1,15 +1,5 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/start.yml" - when: run_start | bool - tags: - - start - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/stop.yml" - when: run_stop | bool - tags: - - stop - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/run_docker_prune.yml" tags: - run-docker-prune diff --git a/roles/custom/matrix-common-after/tasks/start.yml b/roles/custom/matrix-common-after/tasks/start.yml deleted file mode 100644 index 60f571bc0..000000000 
--- a/roles/custom/matrix-common-after/tasks/start.yml +++ /dev/null 
@@ -1,48 +0,0 @@ ---- - -- name: Ensure systemd is reloaded - ansible.builtin.service: - daemon_reload: true - -- name: Ensure Matrix services are stopped - ansible.builtin.service: - name: "{{ item.name }}" - state: stopped - with_items: "{{ matrix_systemd_services_list | sort (attribute='priority,name', reverse=true) }}" - when: not ansible_check_mode - -- name: Ensure Matrix services are started - ansible.builtin.service: - name: "{{ item.name }}" - state: started - enabled: "{{ matrix_systemd_services_autostart_enabled }}" - with_items: "{{ matrix_systemd_services_list | sort (attribute='priority,name') }}" - when: not ansible_check_mode - -# If we check service state immediately, we may succeed, -# because it takes some time for the service to attempt to start and actually fail. -# -# Waiting too long (30s) may not work for a similar reason, -# as we may run into systemd's automatic restart logic retrying the service. -- name: Wait a bit, so that services can start (or fail) - ansible.builtin.wait_for: - timeout: "{{ matrix_common_after_systemd_service_start_wait_for_timeout_seconds }}" - delegate_to: 127.0.0.1 - become: false - -- block: - - name: Populate service facts - ansible.builtin.service_facts: - - - name: Fail if service isn't detected to be running - ansible.builtin.fail: - msg: >- - {{ item }} was not detected to be running. - It's possible that there's a configuration problem or another service on your server interferes with it (uses the same ports, etc.). - Try running `systemctl status {{ item }}` and `journalctl -fu {{ item }}` on the server to investigate. - If you're on a slow or overloaded server, it may be that services take a longer time to start and that this error is a false-positive. - You can consider raising the value of the `matrix_common_after_systemd_service_start_wait_for_timeout_seconds` variable. - See `roles/custom/matrix-common-after/defaults/main.yml` for more details about that. 
- with_items: "{{ matrix_systemd_services_list | map(attribute='name') }}" - when: - - "item.endswith('.service') and (ansible_facts.services[item] | default(none) is none or ansible_facts.services[item].state != 'running')" diff --git a/roles/custom/matrix-common-after/tasks/stop.yml b/roles/custom/matrix-common-after/tasks/stop.yml deleted file mode 100644 index 4fb19ebd6..000000000 --- a/roles/custom/matrix-common-after/tasks/stop.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- name: Ensure Matrix services stopped - ansible.builtin.service: - name: "{{ item.name }}" - state: stopped - with_items: "{{ matrix_systemd_services_list | sort (attribute='priority,name', reverse=true) }}" diff --git a/roles/custom/matrix-jitsi/tasks/init_additional_jvb.yml b/roles/custom/matrix-jitsi/tasks/init_additional_jvb.yml index b3f83d944..f5a6e1858 100644 --- a/roles/custom/matrix-jitsi/tasks/init_additional_jvb.yml +++ b/roles/custom/matrix-jitsi/tasks/init_additional_jvb.yml @@ -1,5 +1,5 @@ --- - ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ [{'name': 'matrix-jitsi-jvb.service', 'priority': 1000}] }}" + devture_systemd_service_manager_services_list_auto: "{{ [{'name': 'matrix-jitsi-jvb.service', 'priority': 1000}] }}" when: matrix_jitsi_enabled | bool diff --git a/roles/custom/matrix-synapse/tasks/synapse/workers/setup_install.yml b/roles/custom/matrix-synapse/tasks/synapse/workers/setup_install.yml index ca80e4548..0f2105edd 100644 --- a/roles/custom/matrix-synapse/tasks/synapse/workers/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/workers/setup_install.yml 
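Review bot: The `set_fact` in `init_additional_jvb.yml` now overrides only `devture_systemd_service_manager_services_list_auto`, whereas the removed line overrode `matrix_systemd_services_list`, which the deleted `matrix-base` defaults defined as the combined auto + additional list. If the new role merges `_auto` with a user-supplied `devture_systemd_service_manager_services_list_additional` (the migration table in this commit maps the old combined variable to that name), an additional-JVB host would now also get the operator's extra services started on it, which the old code excluded. Either override the combined variable as before, or document the narrowed scope with a comment such as `# NOTE: replaces only the _auto list; verify that entries in devture_systemd_service_manager_services_list_additional are not also started on JVB-only hosts`.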
@@ -27,7 +27,7 @@ state: stopped enabled: false with_items: "{{ matrix_synapse_workers_current_systemd_services.files }}" - when: "not ansible_check_mode and item.path | basename not in matrix_systemd_services_list | map(attribute='name')" + when: "not ansible_check_mode and item.path | basename not in devture_systemd_service_manager_services_list | map(attribute='name')" - name: Ensure unnecessary worker systemd services are cleaned ansible.builtin.file: diff --git a/roles/custom/matrix-synapse/tasks/synapse/workers/util/inject_worker.yml b/roles/custom/matrix-synapse/tasks/synapse/workers/util/inject_worker.yml index aebcbc899..27f499d62 100644 --- a/roles/custom/matrix-synapse/tasks/synapse/workers/util/inject_worker.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/workers/util/inject_worker.yml @@ -53,7 +53,7 @@ when: "'replication_port' not in matrix_synapse_worker_details" - ansible.builtin.set_fact: - matrix_systemd_services_list_auto: "{{ matrix_systemd_services_list_auto + [{'name': (matrix_synapse_worker_details.name + '.service'), 'priority': 1100}] }}" + devture_systemd_service_manager_services_list_auto: "{{ devture_systemd_service_manager_services_list_auto + [{'name': (matrix_synapse_worker_details.name + '.service'), 'priority': 1100}] }}" - ansible.builtin.set_fact: matrix_synapse_webserving_workers_systemd_services_list: "{{ matrix_synapse_webserving_workers_systemd_services_list + [matrix_synapse_worker_details.name + '.service'] }}" diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index 93f977d1b..49e31ebbb 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml 
@@ -30,3 +30,7 @@ - {'old': 'matrix_docker_installation_enabled', 'new': 'matrix_playbook_docker_installation_enabled'} - {'old': 'matrix_docker_package_name', 'new': ''} + + - {'old': 'matrix_systemd_services_list', 'new': 'devture_systemd_service_manager_services_list_additional'} + - {'old': 'matrix_common_after_systemd_service_start_wait_for_timeout_seconds', 'new': 'devture_systemd_service_manager_up_verification_delay_seconds'} + - {'old': 'matrix_systemd_services_autostart_enabled', 'new': 'devture_systemd_service_manager_services_autostart_enabled'} From ccfaefa4d2f4266f4f0d70b97a6ba81147d8fc43 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 23 Nov 2022 11:45:25 +0200 Subject: [PATCH 052/915] Add service groups --- group_vars/matrix_servers | 140 +++++++++--------- requirements.yml | 2 +- .../tasks/init_additional_jvb.yml | 2 +- roles/custom/matrix-nginx-proxy/vars/main.yml | 4 + .../synapse/workers/util/inject_worker.yml | 2 +- 5 files changed, 77 insertions(+), 73 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 74515ab28..f15096cfc 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
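Review bot: The migration table maps `matrix_systemd_services_list` but not `matrix_systemd_services_list_additional`, which the deleted `matrix-base` defaults documented as the variable users were meant to set to add their own services; an operator who set it will pass validation and their extra services will silently stop being managed by the playbook. Add `- {'old': 'matrix_systemd_services_list_additional', 'new': 'devture_systemd_service_manager_services_list_additional'}`. Since `matrix_systemd_services_list` was the computed auto + additional list rather than a user setting, its entry arguably belongs with an empty `new` like the `matrix_docker_package_name` row above it, so the error does not suggest replacing a computed list with the additional-only variable.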
@@ -169,147 +169,147 @@ matrix_homeserver_additional_config_files_auto: | # - services which aren't time-sensitive (various crons and timers) get a level of 5000 - they can start later than all-of-Matrix devture_systemd_service_manager_services_list_auto: | {{ - ([{'name': 'matrix-backup-borg.timer', 'priority': 5000}] if matrix_backup_borg_enabled else []) + ([{'name': 'matrix-backup-borg.timer', 'priority': 5000, 'groups': ['matrix', 'backup', 'borg']}] if matrix_backup_borg_enabled else []) + - ([{'name': 'matrix-bot-buscarron.service', 'priority': 2200}] if matrix_bot_buscarron_enabled else []) + ([{'name': 'matrix-bot-buscarron.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'buscarron']}] if matrix_bot_buscarron_enabled else []) + - ([{'name': 'matrix-bot-go-neb.service', 'priority': 2200}] if matrix_bot_go_neb_enabled else []) + ([{'name': 'matrix-bot-go-neb.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'go-neb']}] if matrix_bot_go_neb_enabled else []) + - ([{'name': 'matrix-bot-honoroit.service', 'priority': 2200}] if matrix_bot_honoroit_enabled else []) + ([{'name': 'matrix-bot-honoroit.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'honoroit']}] if matrix_bot_honoroit_enabled else []) + - ([{'name': 'matrix-bot-matrix-registration-bot.service', 'priority': 2200}] if matrix_bot_matrix_registration_bot_enabled else []) + ([{'name': 'matrix-bot-matrix-registration-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'registration-bot']}] if matrix_bot_matrix_registration_bot_enabled else []) + - ([{'name': 'matrix-bot-matrix-reminder-bot.service', 'priority': 2200}] if matrix_bot_matrix_reminder_bot_enabled else []) + ([{'name': 'matrix-bot-matrix-reminder-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'reminder-bot']}] if matrix_bot_matrix_reminder_bot_enabled else []) + - ([{'name': 'matrix-bot-maubot.service', 'priority': 2200}] if matrix_bot_maubot_enabled else []) + ([{'name': 
'matrix-bot-maubot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'maubot']}] if matrix_bot_maubot_enabled else []) + - ([{'name': 'matrix-bot-mjolnir.service', 'priority': 2200}] if matrix_bot_mjolnir_enabled else []) + ([{'name': 'matrix-bot-mjolnir.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'mjolnir']}] if matrix_bot_mjolnir_enabled else []) + - ([{'name': 'matrix-bot-postmoogle.service', 'priority': 2200}] if matrix_bot_postmoogle_enabled else []) + ([{'name': 'matrix-bot-postmoogle.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'postmoogle']}] if matrix_bot_postmoogle_enabled else []) + - ([{'name': 'matrix-appservice-discord.service', 'priority': 2000}] if matrix_appservice_discord_enabled else []) + ([{'name': 'matrix-appservice-discord.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'appservice-discord']}] if matrix_appservice_discord_enabled else []) + - ([{'name': 'matrix-appservice-irc.service', 'priority': 2000}] if matrix_appservice_irc_enabled else []) + ([{'name': 'matrix-appservice-irc.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'appservice-irc']}] if matrix_appservice_irc_enabled else []) + - ([{'name': 'matrix-appservice-kakaotalk.service', 'priority': 2000}] if matrix_appservice_kakaotalk_enabled else []) + ([{'name': 'matrix-appservice-kakaotalk.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'appservice-kakaotalk']}] if matrix_appservice_kakaotalk_enabled else []) + - ([{'name': 'matrix-appservice-kakaotalk-node.service', 'priority': 1900}] if matrix_appservice_kakaotalk_enabled else []) + ([{'name': 'matrix-appservice-kakaotalk-node.service', 'priority': 1900, 'groups': ['matrix', 'bridges', 'appservice-kakaotalk', 'appservice-kakaotalk-node']}] if matrix_appservice_kakaotalk_enabled else []) + - ([{'name': 'matrix-appservice-slack.service', 'priority': 2000}] if matrix_appservice_slack_enabled else []) + ([{'name': 'matrix-appservice-slack.service', 'priority': 2000, 
'groups': ['matrix', 'bridges', 'appservice-slack']}] if matrix_appservice_slack_enabled else []) + - ([{'name': 'matrix-appservice-webhooks.service', 'priority': 2000}] if matrix_appservice_webhooks_enabled else []) + ([{'name': 'matrix-appservice-webhooks.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'appservice-webhooks']}] if matrix_appservice_webhooks_enabled else []) + - ([{'name': 'matrix-beeper-linkedin.service', 'priority': 2000}] if matrix_beeper_linkedin_enabled else []) + ([{'name': 'matrix-beeper-linkedin.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'beeper-linkedin']}] if matrix_beeper_linkedin_enabled else []) + - ([{'name': 'matrix-go-skype-bridge.service', 'priority': 2000}] if matrix_go_skype_bridge_enabled else []) + ([{'name': 'matrix-go-skype-bridge.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'go-skype']}] if matrix_go_skype_bridge_enabled else []) + - ([{'name': 'matrix-heisenbridge.service', 'priority': 2000}] if matrix_heisenbridge_enabled else []) + ([{'name': 'matrix-heisenbridge.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'heisenbridge']}] if matrix_heisenbridge_enabled else []) + - ([{'name': 'matrix-hookshot.service', 'priority': 2000}] if matrix_hookshot_enabled else []) + ([{'name': 'matrix-hookshot.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'hookshot']}] if matrix_hookshot_enabled else []) + - ([{'name': 'matrix-mautrix-discord.service', 'priority': 2000}] if matrix_mautrix_discord_enabled else []) + ([{'name': 'matrix-mautrix-discord.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-discord']}] if matrix_mautrix_discord_enabled else []) + - ([{'name': 'matrix-mautrix-facebook.service', 'priority': 2000}] if matrix_mautrix_facebook_enabled else []) + ([{'name': 'matrix-mautrix-facebook.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-facebook']}] if matrix_mautrix_facebook_enabled else []) + - ([{'name': 
'matrix-mautrix-googlechat.service', 'priority': 2000}] if matrix_mautrix_googlechat_enabled else []) + ([{'name': 'matrix-mautrix-googlechat.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-googlechat']}] if matrix_mautrix_googlechat_enabled else []) + - ([{'name': 'matrix-mautrix-hangouts.service', 'priority': 2000}] if matrix_mautrix_hangouts_enabled else []) + ([{'name': 'matrix-mautrix-hangouts.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-hangouts']}] if matrix_mautrix_hangouts_enabled else []) + - ([{'name': 'matrix-mautrix-instagram.service', 'priority': 2000}] if matrix_mautrix_instagram_enabled else []) + ([{'name': 'matrix-mautrix-instagram.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-instagram']}] if matrix_mautrix_instagram_enabled else []) + - ([{'name': 'matrix-mautrix-signal.service', 'priority': 2000}] if matrix_mautrix_signal_enabled else []) + ([{'name': 'matrix-mautrix-signal.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-signal']}] if matrix_mautrix_signal_enabled else []) + - ([{'name': 'matrix-mautrix-signal-daemon.service', 'priority': 1900}] if matrix_mautrix_signal_enabled else []) + ([{'name': 'matrix-mautrix-signal-daemon.service', 'priority': 1900, 'groups': ['matrix', 'bridges', 'mautrix-signal', 'mautrix-signal-daemon']}] if matrix_mautrix_signal_enabled else []) + - ([{'name': 'matrix-mautrix-telegram.service', 'priority': 2000}] if matrix_mautrix_telegram_enabled else []) + ([{'name': 'matrix-mautrix-telegram.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-telegram']}] if matrix_mautrix_telegram_enabled else []) + - ([{'name': 'matrix-mautrix-twitter.service', 'priority': 2000}] if matrix_mautrix_twitter_enabled else []) + ([{'name': 'matrix-mautrix-twitter.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-twitter']}] if matrix_mautrix_twitter_enabled else []) + - ([{'name': 
'matrix-mautrix-whatsapp.service', 'priority': 2000}] if matrix_mautrix_whatsapp_enabled else []) + ([{'name': 'matrix-mautrix-whatsapp.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-whatsapp']}] if matrix_mautrix_whatsapp_enabled else []) + - ([{'name': 'matrix-mx-puppet-discord.service', 'priority': 2000}] if matrix_mx_puppet_discord_enabled else []) + ([{'name': 'matrix-mx-puppet-discord.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mx-puppet-discord']}] if matrix_mx_puppet_discord_enabled else []) + - ([{'name': 'matrix-mx-puppet-groupme.service', 'priority': 2000}] if matrix_mx_puppet_groupme_enabled else []) + ([{'name': 'matrix-mx-puppet-groupme.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mx-puppet-groupme']}] if matrix_mx_puppet_groupme_enabled else []) + - ([{'name': 'matrix-mx-puppet-instagram.service', 'priority': 2000}] if matrix_mx_puppet_instagram_enabled else []) + ([{'name': 'matrix-mx-puppet-instagram.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mx-puppet-instagram']}] if matrix_mx_puppet_instagram_enabled else []) + - ([{'name': 'matrix-mx-puppet-slack.service', 'priority': 2000}] if matrix_mx_puppet_slack_enabled else []) + ([{'name': 'matrix-mx-puppet-slack.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mx-puppet-slack']}] if matrix_mx_puppet_slack_enabled else []) + - ([{'name': 'matrix-mx-puppet-steam.service', 'priority': 2000}] if matrix_mx_puppet_steam_enabled else []) + ([{'name': 'matrix-mx-puppet-steam.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mx-puppet-steam']}] if matrix_mx_puppet_steam_enabled else []) + - ([{'name': 'matrix-mx-puppet-twitter.service', 'priority': 2000}] if matrix_mx_puppet_twitter_enabled else []) + ([{'name': 'matrix-mx-puppet-twitter.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mx-puppet-twitter']}] if matrix_mx_puppet_twitter_enabled else []) + - ([{'name': 'matrix-sms-bridge.service', 'priority': 
2000}] if matrix_sms_bridge_enabled else []) + ([{'name': 'matrix-sms-bridge.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'sms']}] if matrix_sms_bridge_enabled else []) + - ([{'name': 'matrix-cactus-comments.service', 'priority': 2000}] if matrix_cactus_comments_enabled else []) + ([{'name': 'matrix-cactus-comments.service', 'priority': 2000, 'groups': ['matrix', 'cactus-comments']}] if matrix_cactus_comments_enabled else []) + - ([{'name': 'matrix-client-cinny.service', 'priority': 2000}] if matrix_client_cinny_enabled else []) + ([{'name': 'matrix-client-cinny.service', 'priority': 2000, 'groups': ['matrix', 'clients', 'cinny']}] if matrix_client_cinny_enabled else []) + - ([{'name': 'matrix-client-element.service', 'priority': 2000}] if matrix_client_element_enabled else []) + ([{'name': 'matrix-client-element.service', 'priority': 2000, 'groups': ['matrix', 'clients', 'element']}] if matrix_client_element_enabled else []) + - ([{'name': 'matrix-client-hydrogen.service', 'priority': 2000}] if matrix_client_hydrogen_enabled else []) + ([{'name': 'matrix-client-hydrogen.service', 'priority': 2000, 'groups': ['matrix', 'clients', 'hydrogen']}] if matrix_client_hydrogen_enabled else []) + - ([{'name': ('matrix-' + matrix_homeserver_implementation + '.service'), 'priority': 1000}]) + ([{'name': ('matrix-' + matrix_homeserver_implementation + '.service'), 'priority': 1000, 'groups': ['matrix', 'homeservers', matrix_homeserver_implementation]}]) + - ([{'name': 'matrix-corporal.service', 'priority': 1500}] if matrix_corporal_enabled else []) + ([{'name': 'matrix-corporal.service', 'priority': 1500, 'groups': ['matrix', 'corporal']}] if matrix_corporal_enabled else []) + - ([{'name': 'matrix-coturn.service', 'priority': 4000}] if matrix_coturn_enabled else []) + ([{'name': 'matrix-coturn.service', 'priority': 4000, 'groups': ['matrix', 'coturn']}] if matrix_coturn_enabled else []) + - ([{'name': 'matrix-coturn-reload.timer', 'priority': 5000}] if 
(matrix_coturn_enabled and matrix_coturn_tls_enabled) else []) + ([{'name': 'matrix-coturn-reload.timer', 'priority': 5000, 'groups': ['matrix', 'coturn']}] if (matrix_coturn_enabled and matrix_coturn_tls_enabled) else []) + - ([{'name': 'matrix-dimension.service', 'priority': 2500}] if matrix_dimension_enabled else []) + ([{'name': 'matrix-dimension.service', 'priority': 2500, 'groups': ['matrix', 'integration-managers', 'dimension']}] if matrix_dimension_enabled else []) + - ([{'name': 'matrix-dynamic-dns.service', 'priority': 5000}] if matrix_dynamic_dns_enabled else []) + ([{'name': 'matrix-dynamic-dns.service', 'priority': 5000, 'groups': ['matrix', 'dynamic-dns']}] if matrix_dynamic_dns_enabled else []) + - ([{'name': 'matrix-email2matrix.service', 'priority': 2000}] if matrix_email2matrix_enabled else []) + ([{'name': 'matrix-email2matrix.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'email2matrix']}] if matrix_email2matrix_enabled else []) + - ([{'name': 'matrix-etherpad.service', 'priority': 4000}] if matrix_etherpad_enabled else []) + ([{'name': 'matrix-etherpad.service', 'priority': 4000, 'groups': ['matrix', 'etherpad']}] if matrix_etherpad_enabled else []) + - ([{'name': 'matrix-grafana.service', 'priority': 4000}] if matrix_grafana_enabled else []) + ([{'name': 'matrix-grafana.service', 'priority': 4000, 'groups': ['matrix', 'monitoring', 'grafana']}] if matrix_grafana_enabled else []) + - ([{'name': 'matrix-jitsi-web.service', 'priority': 4200}] if matrix_jitsi_enabled else []) + ([{'name': 'matrix-jitsi-web.service', 'priority': 4200, 'groups': ['matrix', 'jitsi', 'jitsi-web']}] if matrix_jitsi_enabled else []) + - ([{'name': 'matrix-jitsi-prosody.service', 'priority': 4000}] if matrix_jitsi_enabled else []) + ([{'name': 'matrix-jitsi-prosody.service', 'priority': 4000, 'groups': ['matrix', 'jitsi', 'jitsi-prosody']}] if matrix_jitsi_enabled else []) + - ([{'name': 'matrix-jitsi-jicofo.service', 'priority': 4100}] if 
matrix_jitsi_enabled else []) + ([{'name': 'matrix-jitsi-jicofo.service', 'priority': 4100, 'groups': ['matrix', 'jitsi', 'jitsi-jicofo']}] if matrix_jitsi_enabled else []) + - ([{'name': 'matrix-jitsi-jvb.service', 'priority': 4100}] if matrix_jitsi_enabled else []) + ([{'name': 'matrix-jitsi-jvb.service', 'priority': 4100, 'groups': ['matrix', 'jitsi', 'jitsi-jvb']}] if matrix_jitsi_enabled else []) + - ([{'name': 'matrix-ldap-registration-proxy.service', 'priority': 2000}] if matrix_ldap_registration_proxy_enabled else []) + ([{'name': 'matrix-ldap-registration-proxy.service', 'priority': 2000, 'groups': ['matrix', 'ldap-registration-proxy']}] if matrix_ldap_registration_proxy_enabled else []) + - ([{'name': 'matrix-ma1sd.service', 'priority': 2000}] if matrix_ma1sd_enabled else []) + ([{'name': 'matrix-ma1sd.service', 'priority': 2000, 'groups': ['matrix', 'ma1sd']}] if matrix_ma1sd_enabled else []) + - ([{'name': 'matrix-mailer.service', 'priority': 2000}] if matrix_mailer_enabled else []) + ([{'name': 'matrix-mailer.service', 'priority': 2000, 'groups': ['matrix', 'mailer']}] if matrix_mailer_enabled else []) + - ([{'name': 'matrix-nginx-proxy.service', 'priority': 3000}] if matrix_nginx_proxy_enabled else []) + ([{'name': 'matrix-nginx-proxy.service', 'priority': 3000, 'groups': ['matrix', 'nginx', 'reverse-proxies']}] if matrix_nginx_proxy_enabled else []) + (matrix_ssl_renewal_systemd_units_list | selectattr('applicable')) + - ([{'name': 'matrix-ntfy.service', 'priority': 800}] if matrix_ntfy_enabled else []) + ([{'name': 'matrix-ntfy.service', 'priority': 800, 'groups': ['matrix', 'ntfy']}] if matrix_ntfy_enabled else []) + - ([{'name': 'matrix-postgres.service', 'priority': 500}] if matrix_postgres_enabled else []) + ([{'name': 'matrix-postgres.service', 'priority': 500, 'groups': ['matrix', 'postgres']}] if matrix_postgres_enabled else []) + - ([{'name': 'matrix-postgres-backup.service', 'priority': 3000}] if matrix_postgres_backup_enabled else []) + 
([{'name': 'matrix-postgres-backup.service', 'priority': 3000, 'groups': ['matrix', 'backup', 'postgres-backup']}] if matrix_postgres_backup_enabled else []) + - ([{'name': 'matrix-prometheus.service', 'priority': 4000}] if matrix_prometheus_enabled else []) + ([{'name': 'matrix-prometheus.service', 'priority': 4000, 'groups': ['matrix', 'monitoring', 'prometheus', 'prometheus-core']}] if matrix_prometheus_enabled else []) + - ([{'name': 'matrix-prometheus-node-exporter.service', 'priority': 3900}] if matrix_prometheus_node_exporter_enabled else []) + ([{'name': 'matrix-prometheus-node-exporter.service', 'priority': 3900, 'groups': ['matrix', 'monitoring', 'prometheus', 'prometheus-node-exporters']}] if matrix_prometheus_node_exporter_enabled else []) + - ([{'name': 'matrix-prometheus-postgres-exporter.service', 'priority': 3900}] if matrix_prometheus_postgres_exporter_enabled else []) + ([{'name': 'matrix-prometheus-postgres-exporter.service', 'priority': 3900, 'groups': ['matrix', 'monitoring', 'prometheus', 'prometheus-node-exporters']}] if matrix_prometheus_postgres_exporter_enabled else []) + - ([{'name': 'matrix-redis', 'priority': 750}] if matrix_redis_enabled else []) + ([{'name': 'matrix-redis', 'priority': 750, 'groups': ['matrix', 'redis']}] if matrix_redis_enabled else []) + - ([{'name': 'matrix-registration.service', 'priority': 4000}] if matrix_registration_enabled else []) + ([{'name': 'matrix-registration.service', 'priority': 4000, 'groups': ['matrix', 'registration']}] if matrix_registration_enabled else []) + - ([{'name': 'matrix-sygnal.service', 'priority': 800}] if matrix_sygnal_enabled else []) + ([{'name': 'matrix-sygnal.service', 'priority': 800, 'groups': ['matrix', 'sygnal']}] if matrix_sygnal_enabled else []) + - ([{'name': 'matrix-goofys.service', 'priority': 800}] if matrix_s3_media_store_enabled else []) + ([{'name': 'matrix-goofys.service', 'priority': 800, 'groups': ['matrix', 'goofys']}] if matrix_s3_media_store_enabled else []) + - 
([{'name': 'matrix-synapse-s3-storage-provider-migrate.timer', 'priority': 5000}] if matrix_synapse_ext_synapse_s3_storage_provider_enabled else []) + ([{'name': 'matrix-synapse-s3-storage-provider-migrate.timer', 'priority': 5000, 'groups': ['matrix']}] if matrix_synapse_ext_synapse_s3_storage_provider_enabled else []) + - ([{'name': 'matrix-synapse-admin.service', 'priority': 4000}] if matrix_synapse_admin_enabled else []) + ([{'name': 'matrix-synapse-admin.service', 'priority': 4000, 'groups': ['matrix', 'synapse-admin']}] if matrix_synapse_admin_enabled else []) + - ([{'name': 'matrix-synapse-reverse-proxy-companion.service', 'priority': 1500}] if matrix_synapse_reverse_proxy_companion_enabled else []) + ([{'name': 'matrix-synapse-reverse-proxy-companion.service', 'priority': 1500, 'groups': ['matrix', 'homeservers', 'synapse', 'reverse-proxies']}] if matrix_synapse_reverse_proxy_companion_enabled else []) }} ######################################################################## diff --git a/requirements.yml b/requirements.yml index e8b411a88..6c4415f2f 100644 --- a/requirements.yml +++ b/requirements.yml @@ -19,7 +19,7 @@ version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git - version: 8b6a14d649f8b0e868c7073b34f5d2fda6bde9e0 + version: 96c31c43b6937428e3f5d12520f8a41a1b5465d7 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages.git version: f1c78d4e85e875129790c58335d0e44385683f6b diff --git a/roles/custom/matrix-jitsi/tasks/init_additional_jvb.yml b/roles/custom/matrix-jitsi/tasks/init_additional_jvb.yml index f5a6e1858..87420bc49 100644 --- a/roles/custom/matrix-jitsi/tasks/init_additional_jvb.yml +++ b/roles/custom/matrix-jitsi/tasks/init_additional_jvb.yml 
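Review bot: Two of the new `groups` lists look like copy-paste slips: `matrix-synapse-s3-storage-provider-migrate.timer` is the only entry given just `'groups': ['matrix']`, and `matrix-prometheus-postgres-exporter.service` is filed under `'prometheus-node-exporters'` next to the node exporter, so a group-scoped start/stop of everything Synapse would skip the migrate timer and one aimed at the node exporters would take the postgres exporter with it. I would change them to `'groups': ['matrix', 'homeservers', 'synapse', 'synapse-s3-storage-provider']` and `'groups': ['matrix', 'monitoring', 'prometheus', 'prometheus-postgres-exporter']` respectively. Not introduced here but visible on the new side: the `matrix-redis` entry is the only unit name without a `.service` suffix, which is worth a look once the service manager starts acting on these names per group. Given the size of this expression, a grep for `'groups': ['matrix']}` and for a group label reused across differently named services would be a cheap consistency check before merging.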
@@ -1,5 +1,5 @@
---
- ansible.builtin.set_fact:
- devture_systemd_service_manager_services_list_auto: "{{ [{'name': 'matrix-jitsi-jvb.service', 'priority': 1000}] }}"
+ devture_systemd_service_manager_services_list_auto: "{{ [{'name': 'matrix-jitsi-jvb.service', 'priority': 1000, 'groups': ['matrix', 'jitsi', 'jitsi-jvb']}] }}"
when: matrix_jitsi_enabled | bool
diff --git a/roles/custom/matrix-nginx-proxy/vars/main.yml b/roles/custom/matrix-nginx-proxy/vars/main.yml
index 06f86649f..34abf1903 100644
--- a/roles/custom/matrix-nginx-proxy/vars/main.yml
+++ b/roles/custom/matrix-nginx-proxy/vars/main.yml
@@ -8,15 +8,19 @@ matrix_ssl_renewal_systemd_units_list:
applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' }}"
enableable: false
priority: 5000
+ groups: ['matrix', 'nginx', 'ssl', 'reverse-proxies']
- name: matrix-ssl-lets-encrypt-certificates-renew.timer
applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' }}"
enableable: true
priority: 5000
+ groups: ['matrix', 'nginx', 'ssl', 'reverse-proxies']
- name: matrix-ssl-nginx-proxy-reload.service
applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' and matrix_nginx_proxy_enabled | bool }}"
enableable: false
priority: 5000
+ groups: ['matrix', 'nginx', 'ssl', 'reverse-proxies']
- name: matrix-ssl-nginx-proxy-reload.timer
applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' and matrix_nginx_proxy_enabled | bool }}"
enableable: true
priority: 5000
+ groups: ['matrix', 'nginx', 'ssl', 'reverse-proxies']
diff --git a/roles/custom/matrix-synapse/tasks/synapse/workers/util/inject_worker.yml b/roles/custom/matrix-synapse/tasks/synapse/workers/util/inject_worker.yml
index 27f499d62..9765be6fc 100644
--- a/roles/custom/matrix-synapse/tasks/synapse/workers/util/inject_worker.yml
+++ b/roles/custom/matrix-synapse/tasks/synapse/workers/util/inject_worker.yml
@@ -53,7 +53,7 @@ when: "'replication_port' not in matrix_synapse_worker_details"
- ansible.builtin.set_fact:
- devture_systemd_service_manager_services_list_auto: "{{ devture_systemd_service_manager_services_list_auto + [{'name': (matrix_synapse_worker_details.name + '.service'), 'priority': 1100}] }}"
+ devture_systemd_service_manager_services_list_auto: "{{ devture_systemd_service_manager_services_list_auto + [{'name': (matrix_synapse_worker_details.name + '.service'), 'priority': 1100, 'groups': ['matrix', 'homeservers', 'synapse']}] }}"
- ansible.builtin.set_fact:
matrix_synapse_webserving_workers_systemd_services_list: "{{ matrix_synapse_webserving_workers_systemd_services_list + [matrix_synapse_worker_details.name + '.service'] }}"
From f696928b7d0d2f514bbbf5230120f959ac25e4f8 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Wed, 23 Nov 2022 12:18:35 +0200
Subject: [PATCH 053/915] Fix variable typos
---
group_vars/matrix_servers | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index f15096cfc..6849680ad 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -31,7 +31,7 @@ matrix_playbook_docker_installation_enabled: true
#
#
########################################################################
-matrix_homeserver_app_service_config_files_auto: |
+matrix_homeserver_container_extra_arguments_auto: |
{{
(['--mount type=bind,src=' + matrix_appservice_discord_config_path + '/registration.yaml,dst=/matrix-appservice-discord-registration.yaml,ro'] if matrix_appservice_discord_enabled else [])
+
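Review bot: Every Synapse worker unit is given exactly the same `'groups': ['matrix', 'homeservers', 'synapse']` as the main homeserver entry in `group_vars/matrix_servers`, so the new grouping offers no way to address the workers without the main process — for instance restarting only the workers after a `matrix_synapse_workers_*` change. A dedicated subgroup would allow that at no cost: `'groups': ['matrix', 'homeservers', 'synapse', 'synapse-workers']`. The `'synapse'` label is hardcoded here whereas the homeserver entry derives its label from `matrix_homeserver_implementation`; that is only consistent because this task lives in the Synapse role, which its path suggests, so a short comment saying so would save the next reader the cross-check.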
@@ -86,7 +86,7 @@ matrix_homeserver_app_service_config_files_auto: |
(['--mount type=bind,src=' + matrix_cactus_comments_app_service_config_file + ',dst=/matrix-cactus-comments.yaml,ro'] if matrix_cactus_comments_enabled else [])
}}
-matrix_homeserver_additional_config_files_auto: |
+matrix_homeserver_app_service_config_files_auto: |
{{
(['/matrix-appservice-discord-registration.yaml'] if matrix_appservice_discord_enabled else [])
+
From 1bd3a27acd73b13298fc90a3a424e3ff96c5e94b Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Wed, 23 Nov 2022 13:00:15 +0200
Subject: [PATCH 054/915] Do not try to enable non-enableable matrix_ssl_renewal_systemd_units_list
---
group_vars/matrix_servers | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 6849680ad..c2ed002c2 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -283,7 +283,7 @@ devture_systemd_service_manager_services_list_auto: |
+
([{'name': 'matrix-nginx-proxy.service', 'priority': 3000, 'groups': ['matrix', 'nginx', 'reverse-proxies']}] if matrix_nginx_proxy_enabled else [])
+
- (matrix_ssl_renewal_systemd_units_list | selectattr('applicable'))
+ (matrix_ssl_renewal_systemd_units_list | selectattr('applicable') | selectattr('enableable'))
+
([{'name': 'matrix-ntfy.service', 'priority': 800, 'groups': ['matrix', 'ntfy']}] if matrix_ntfy_enabled else [])
+
From 54cacc927e0cb1205d00bfe0bc9b6d69ceb865bc Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Wed, 23 Nov 2022 14:33:07 +0200
Subject: [PATCH 055/915] Upgrade com.devture.ansible.role.docker_sdk_for_python
---
requirements.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 6c4415f2f..71b596cb8 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -4,7 +4,7 @@ version: 6.0.3
- src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
- version: 7047b40314c1020e97ed3f15b44876fa88faf874
+ version: 6ba3be490b6f4c6f35ea109aeb8e533fa231b3a5
- src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
version: c1f40e82b4d6b072b6f0e885239322bdaaaf554f
From d82988464299ab6afd9ffb96e89c3ea10585e4d7 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Wed, 23 Nov 2022 14:59:05 +0200
Subject: [PATCH 056/915] Remove some old checks
---
roles/custom/matrix-base/tasks/main.yml | 4 ----
.../custom/matrix-base/tasks/system_check.yml | 23 -------------------
2 files changed, 27 deletions(-)
delete mode 100644 roles/custom/matrix-base/tasks/system_check.yml
diff --git a/roles/custom/matrix-base/tasks/main.yml b/roles/custom/matrix-base/tasks/main.yml
index 4a8ec7fb2..67a3208ed 100644
--- a/roles/custom/matrix-base/tasks/main.yml
+++ b/roles/custom/matrix-base/tasks/main.yml
@@ -1,9 +1,5 @@
---
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/system_check.yml"
- tags:
- - always
-
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/sanity_check.yml"
tags:
- setup-all
diff --git a/roles/custom/matrix-base/tasks/system_check.yml b/roles/custom/matrix-base/tasks/system_check.yml
deleted file mode 100644
index 909bdb127..000000000
--- a/roles/custom/matrix-base/tasks/system_check.yml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-
-# We generally support Ansible 2.7.1 and above.
-- name: Fail if running on Ansible < 2.7.1
- ansible.builtin.fail:
- msg: "You are running on Ansible {{ ansible_version.string }}, which is not supported. See our guide about Ansible: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/ansible.md"
- when:
- - "(ansible_version.major < 2) or (ansible_version.major == 2 and ansible_version.minor < 7) or (ansible_version.major == 2 and ansible_version.minor == 7 and ansible_version.revision < 1)"
-
-# Though we do not support Ansible 2.9.6 which is buggy
-- name: Fail if running on Ansible 2.9.6 on Ubuntu
- ansible.builtin.fail:
- msg: "You are running on Ansible {{ ansible_version.string }}, which is not supported. See our guide about Ansible: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/ansible.md"
- when:
- - ansible_distribution == 'Ubuntu'
- - "ansible_version.major == 2 and ansible_version.minor == 9 and ansible_version.revision == 6"
-
-- name: Fail if using python2 on Archlinux
- ansible.builtin.fail:
- msg: "Detected that you're using python2 when installing onto Archlinux. Archlinux by default only supports python3."
- when:
- - ansible_distribution == 'Archlinux'
- - ansible_python.version.major != 3
From 735bacca89e6525e4218bb7e1a6ad93dd4f899f7 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev Date: Wed, 23 Nov 2022 15:52:58 +0200 Subject: [PATCH 057/915] Do not run matrix-nginx-proxy config injection tasks unless necessary These `init.yml` (now `inject_into_nginx_proxy.yml`) tasks do not need to `always` run. They only need to run for `setup-all` and `setup-nginx-proxy`. Unless we're dealing with these 2 tags, we can spare ourselves a lot of work. This patch also moves the `when` statement from `init.yml` into `main.yml` in an effort to further optimize things by potentially avoiding the extra file include. --- docs/configuring-playbook-bridge-hookshot.md | 2 +- .../{init.yml => inject_into_nginx_proxy.yml} | 0 roles/custom/matrix-bot-maubot/tasks/main.yml | 6 +- .../tasks/init.yml | 48 -------- .../tasks/inject_into_nginx_proxy.yml | 44 +++++++ .../tasks/main.yml | 6 +- .../tasks/init.yml | 50 -------- .../tasks/inject_into_nginx_proxy.yml | 46 +++++++ .../tasks/main.yml | 6 +- .../matrix-bridge-hookshot/tasks/init.yml | 113 ------------------ .../tasks/inject_into_nginx_proxy.yml | 111 +++++++++++++++++ .../matrix-bridge-hookshot/tasks/main.yml | 6 +- .../tasks/init.yml | 48 -------- .../tasks/inject_into_nginx_proxy.yml | 44 +++++++ .../tasks/main.yml | 6 +- .../tasks/init.yml | 47 -------- .../tasks/inject_into_nginx_proxy.yml | 43 +++++++ .../tasks/main.yml | 6 +- .../tasks/init.yml | 47 -------- .../tasks/inject_into_nginx_proxy.yml | 44 +++++++ .../tasks/main.yml | 6 +- .../tasks/init.yml | 47 -------- .../tasks/inject_into_nginx_proxy.yml | 44 +++++++ .../tasks/main.yml | 7 +- .../tasks/init.yml | 48 -------- .../tasks/inject_into_nginx_proxy.yml | 44 +++++++ .../tasks/main.yml | 6 +- .../tasks/init.yml | 48 -------- .../tasks/inject_into_nginx_proxy.yml | 44 +++++++ .../tasks/main.yml | 6 +- .../{init.yml => inject_into_nginx_proxy.yml} | 5 +- .../matrix-cactus-comments/tasks/main.yml | 6 +- roles/custom/matrix-etherpad/tasks/init.yml | 50 -------- .../tasks/inject_into_nginx_proxy.yml | 46 +++++++ 
roles/custom/matrix-etherpad/tasks/main.yml | 6 +- .../tasks/init.yml | 47 -------- .../tasks/inject_into_nginx_proxy.yml | 44 +++++++ .../tasks/main.yml | 6 +- .../tasks/init.yml | 37 ------ .../tasks/inject_into_nginx_proxy.yml | 35 ++++++ .../tasks/main.yml | 6 +- .../tasks/init.yml | 37 ------ .../tasks/inject_into_nginx_proxy.yml | 35 ++++++ .../tasks/main.yml | 6 +- .../custom/matrix-registration/tasks/init.yml | 59 --------- .../tasks/inject_into_nginx_proxy.yml | 55 +++++++++ .../custom/matrix-registration/tasks/main.yml | 6 +- .../matrix-synapse-admin/tasks/init.yml | 50 -------- .../tasks/inject_into_nginx_proxy.yml | 46 +++++++ .../matrix-synapse-admin/tasks/main.yml | 6 +- .../{init.yml => inject_into_nginx_proxy.yml} | 8 +- roles/custom/matrix-synapse/tasks/main.yml | 15 ++- .../{init.yml => inject_into_nginx_proxy.yml} | 0 53 files changed, 813 insertions(+), 821 deletions(-) rename roles/custom/matrix-bot-maubot/tasks/{init.yml => inject_into_nginx_proxy.yml} (100%) delete mode 100644 roles/custom/matrix-bridge-appservice-slack/tasks/init.yml create mode 100644 roles/custom/matrix-bridge-appservice-slack/tasks/inject_into_nginx_proxy.yml delete mode 100644 roles/custom/matrix-bridge-appservice-webhooks/tasks/init.yml create mode 100644 roles/custom/matrix-bridge-appservice-webhooks/tasks/inject_into_nginx_proxy.yml delete mode 100644 roles/custom/matrix-bridge-hookshot/tasks/init.yml create mode 100644 roles/custom/matrix-bridge-hookshot/tasks/inject_into_nginx_proxy.yml delete mode 100644 roles/custom/matrix-bridge-mautrix-facebook/tasks/init.yml create mode 100644 roles/custom/matrix-bridge-mautrix-facebook/tasks/inject_into_nginx_proxy.yml delete mode 100644 roles/custom/matrix-bridge-mautrix-googlechat/tasks/init.yml create mode 100644 roles/custom/matrix-bridge-mautrix-googlechat/tasks/inject_into_nginx_proxy.yml delete mode 100644 roles/custom/matrix-bridge-mautrix-hangouts/tasks/init.yml create mode 100644 
roles/custom/matrix-bridge-mautrix-hangouts/tasks/inject_into_nginx_proxy.yml delete mode 100644 roles/custom/matrix-bridge-mautrix-telegram/tasks/init.yml create mode 100644 roles/custom/matrix-bridge-mautrix-telegram/tasks/inject_into_nginx_proxy.yml delete mode 100644 roles/custom/matrix-bridge-mx-puppet-slack/tasks/init.yml create mode 100644 roles/custom/matrix-bridge-mx-puppet-slack/tasks/inject_into_nginx_proxy.yml delete mode 100644 roles/custom/matrix-bridge-mx-puppet-twitter/tasks/init.yml create mode 100644 roles/custom/matrix-bridge-mx-puppet-twitter/tasks/inject_into_nginx_proxy.yml rename roles/custom/matrix-cactus-comments/tasks/{init.yml => inject_into_nginx_proxy.yml} (93%) delete mode 100644 roles/custom/matrix-etherpad/tasks/init.yml create mode 100644 roles/custom/matrix-etherpad/tasks/inject_into_nginx_proxy.yml delete mode 100644 roles/custom/matrix-ldap-registration-proxy/tasks/init.yml create mode 100644 roles/custom/matrix-ldap-registration-proxy/tasks/inject_into_nginx_proxy.yml delete mode 100644 roles/custom/matrix-prometheus-node-exporter/tasks/init.yml create mode 100644 roles/custom/matrix-prometheus-node-exporter/tasks/inject_into_nginx_proxy.yml delete mode 100644 roles/custom/matrix-prometheus-postgres-exporter/tasks/init.yml create mode 100644 roles/custom/matrix-prometheus-postgres-exporter/tasks/inject_into_nginx_proxy.yml delete mode 100644 roles/custom/matrix-registration/tasks/init.yml create mode 100644 roles/custom/matrix-registration/tasks/inject_into_nginx_proxy.yml delete mode 100644 roles/custom/matrix-synapse-admin/tasks/init.yml create mode 100644 roles/custom/matrix-synapse-admin/tasks/inject_into_nginx_proxy.yml rename roles/custom/matrix-synapse/tasks/{init.yml => inject_into_nginx_proxy.yml} (92%) rename roles/custom/matrix-synapse/tasks/synapse/workers/{init.yml => inject_into_nginx_proxy.yml} (100%) 
diff --git a/docs/configuring-playbook-bridge-hookshot.md b/docs/configuring-playbook-bridge-hookshot.md
index 5cd4dd4c0..89ab07682 100644
--- a/docs/configuring-playbook-bridge-hookshot.md
+++ b/docs/configuring-playbook-bridge-hookshot.md
@@ -54,7 +54,7 @@ Unless indicated otherwise, the following endpoints are reachable on your `matri
| widgets | `/hookshot/widgetapi/` | `matrix_hookshot_widgets_endpoint` | Widgets |
| metrics | `/metrics/hookshot` | `matrix_hookshot_metrics_enabled` and `matrix_hookshot_metrics_proxying_enabled`. Requires `/metrics/*` endpoints to also be enabled via `matrix_nginx_proxy_proxy_matrix_metrics_enabled` (see the `matrix-nginx-proxy` role). Read more in the [Metrics section](#metrics) below. | Prometheus |
-See also `matrix_hookshot_matrix_nginx_proxy_configuration` in [init.yml](/roles/custom/matrix-bridge-hookshot/tasks/init.yml).
+See also `matrix_hookshot_matrix_nginx_proxy_configuration` in [init.yml](/roles/custom/matrix-bridge-hookshot/tasks/inject_into_nginx_proxy.yml).
The different listeners are also reachable *internally* in the docker-network via the container's name (configured by `matrix_hookshot_container_url`) and on different ports (e.g. `matrix_hookshot_appservice_port`). Read [main.yml](/roles/custom/matrix-bridge-hookshot/defaults/main.yml) in detail for more info.
diff --git a/roles/custom/matrix-bot-maubot/tasks/init.yml b/roles/custom/matrix-bot-maubot/tasks/inject_into_nginx_proxy.yml
similarity index 100%
rename from roles/custom/matrix-bot-maubot/tasks/init.yml
rename to roles/custom/matrix-bot-maubot/tasks/inject_into_nginx_proxy.yml
diff --git a/roles/custom/matrix-bot-maubot/tasks/main.yml b/roles/custom/matrix-bot-maubot/tasks/main.yml
index 773f4b9fa..5e48eed97 100644
--- a/roles/custom/matrix-bot-maubot/tasks/main.yml
+++ b/roles/custom/matrix-bot-maubot/tasks/main.yml
@@ -1,8 +1,10 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" +- when: matrix_bot_maubot_enabled | bool + ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - - always + - setup-all + - setup-nginx-proxy - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup|bool and matrix_bot_maubot_enabled|bool" diff --git a/roles/custom/matrix-bridge-appservice-slack/tasks/init.yml b/roles/custom/matrix-bridge-appservice-slack/tasks/init.yml deleted file mode 100644 index e07f1afc0..000000000 --- a/roles/custom/matrix-bridge-appservice-slack/tasks/init.yml +++ /dev/null 
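Review bot: The new `when:`/`tags:` on the `import_tasks` line carry no explanation of why the import is no longer tagged `always`, and the same unexplained pattern repeats in the main.yml hunks for appservice-slack, appservice-webhooks, hookshot, mautrix-facebook and mautrix-googlechat later in this commit. Because a `when:` on `import_tasks` is applied to every task in the imported file, a one-line comment above the `- when:` line such as `# Injects this role's reverse-proxy config into matrix-nginx-proxy; the enabled check lives here, so the imported tasks carry no guard of their own` would tell the next maintainer that inject_into_nginx_proxy.yml is not safe to import unconditionally. Presumably the `setup-all`/`setup-nginx-proxy` tags are chosen to match the runs in which matrix-nginx-proxy regenerates its configuration; if so, that is worth stating in the same comment.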
@@ -1,48 +0,0 @@ ---- - -- when: matrix_appservice_slack_enabled | bool - tags: - - always - block: - - name: Fail if matrix-nginx-proxy role already executed - ansible.builtin.fail: - msg: >- - Trying to append Slack Appservice's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your playbook, - so that the matrix-nginx-proxy role would run after the matrix-bridge-appservice-slack role. - when: matrix_nginx_proxy_role_executed | default(False) | bool - - - name: Generate Matrix Appservice Slack proxying configuration for matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_appservice_slack_matrix_nginx_proxy_configuration: | - location {{ matrix_appservice_slack_public_endpoint }} { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_appservice_slack_appservice_url }}:{{ matrix_appservice_slack_slack_port }}"; - proxy_pass $backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_appservice_slack_slack_port }}; - {% endif %} - } - - - name: Register Slack Appservice proxying configuration with matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) - + - [matrix_appservice_slack_matrix_nginx_proxy_configuration] - }} - -- name: Warn about reverse-proxying if matrix-nginx-proxy not used - ansible.builtin.debug: - msg: >- - NOTE: You've enabled the Matrix Slack bridge but are not using the matrix-nginx-proxy - reverse proxy. 
- Please make sure that you're proxying the `{{ matrix_appservice_slack_public_endpoint }}` - URL endpoint to the matrix-appservice-slack container. - You can expose the container's port using the `matrix_appservice_slack_container_http_host_bind_port` variable. - when: "matrix_appservice_slack_enabled | bool and not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-bridge-appservice-slack/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-appservice-slack/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..4ddcb954d --- /dev/null +++ b/roles/custom/matrix-bridge-appservice-slack/tasks/inject_into_nginx_proxy.yml 
@@ -0,0 +1,44 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append Slack Appservice's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-appservice-slack role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- name: Generate Matrix Appservice Slack proxying configuration for matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_appservice_slack_matrix_nginx_proxy_configuration: | + location {{ matrix_appservice_slack_public_endpoint }} { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_appservice_slack_appservice_url }}:{{ matrix_appservice_slack_slack_port }}"; + proxy_pass $backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_appservice_slack_slack_port }}; + {% endif %} + } + +- name: Register Slack Appservice proxying configuration with matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) + + + [matrix_appservice_slack_matrix_nginx_proxy_configuration] + }} + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + ansible.builtin.debug: + msg: >- + NOTE: You've enabled the Matrix Slack bridge but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_appservice_slack_public_endpoint }}` + URL endpoint to the matrix-appservice-slack container. 
+ You can expose the container's port using the `matrix_appservice_slack_container_http_host_bind_port` variable. + when: "matrix_appservice_slack_enabled | bool and not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-bridge-appservice-slack/tasks/main.yml b/roles/custom/matrix-bridge-appservice-slack/tasks/main.yml index cd83f61fb..608b02195 100644 --- a/roles/custom/matrix-bridge-appservice-slack/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-slack/tasks/main.yml @@ -1,8 +1,10 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" +- when: matrix_appservice_slack_enabled | bool + ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - - always + - setup-all + - setup-nginx-proxy - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_appservice_slack_enabled | bool" diff --git a/roles/custom/matrix-bridge-appservice-webhooks/tasks/init.yml b/roles/custom/matrix-bridge-appservice-webhooks/tasks/init.yml deleted file mode 100644 index 47a298750..000000000 --- a/roles/custom/matrix-bridge-appservice-webhooks/tasks/init.yml +++ /dev/null 
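Review bot: The new file has no top-level guard of its own — the `when: matrix_appservice_slack_enabled | bool` / `block:` wrapper from init.yml is gone and the guard now lives only on the `import_tasks` line in main.yml — but nothing in the file says so, so a header comment after the `---` such as `# Expects to be imported only when matrix_appservice_slack_enabled is true (see main.yml); the tasks below have no guard of their own.` would prevent a later unconditional import. In the same vein the final warning task still tests `matrix_appservice_slack_enabled | bool and not matrix_nginx_proxy_enabled ...`, which the import condition already guarantees; the hookshot and mautrix-facebook files in this commit use only `not matrix_nginx_proxy_enabled | default(False) | bool`, while the webhooks and googlechat files keep the redundant check, so one form should be chosen for all five. Separately, `proxy_pass $backend;` here relies on `matrix_appservice_slack_appservice_url` already carrying the scheme, whereas every other role in the commit writes `proxy_pass http://$backend;` — fine if that variable is a full URL, but a short comment at that line saying so would save the next reader the check.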
@@ -1,50 +0,0 @@ ---- - -- when: matrix_appservice_webhooks_enabled | bool - tags: - - always - block: - - name: Fail if matrix-nginx-proxy role already executed - ansible.builtin.fail: - msg: >- - Trying to append webhooks Appservice's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your playbook, - so that the matrix-nginx-proxy role would run after the matrix-bridge-appservice-webhooks role. - when: matrix_nginx_proxy_role_executed | default(False) | bool - - - name: Generate Matrix Appservice webhooks proxying configuration for matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_appservice_webhooks_matrix_nginx_proxy_configuration: | - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - location ~ ^{{ matrix_appservice_webhooks_public_endpoint }}/(.*)$ { - resolver 127.0.0.11 valid=5s; - set $backend "matrix-appservice-webhooks:{{ matrix_appservice_webhooks_matrix_port }}"; - proxy_pass http://$backend/$1; - } - {% else %} - {# Generic configuration for use outside of our container setup #} - location {{ matrix_appservice_webhooks_public_endpoint }}/ { - proxy_pass http://127.0.0.1:{{ matrix_appservice_webhooks_matrix_port }}/; - } - {% endif %} - - - name: Register webhooks Appservice proxying configuration with matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) - + - [matrix_appservice_webhooks_matrix_nginx_proxy_configuration] - }} - -- name: Warn about reverse-proxying if matrix-nginx-proxy not used - ansible.builtin.debug: - msg: >- - NOTE: You've enabled the Matrix webhooks bridge but are not using the matrix-nginx-proxy - reverse proxy. 
- Please make sure that you're proxying the `{{ matrix_appservice_webhooks_public_endpoint }}` - URL endpoint to the matrix-appservice-webhooks container. - You can expose the container's port using the `matrix_appservice_webhooks_container_http_host_bind_port` variable. - when: "matrix_appservice_webhooks_enabled | bool and not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-bridge-appservice-webhooks/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-appservice-webhooks/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..2e4ad18e4 --- /dev/null +++ b/roles/custom/matrix-bridge-appservice-webhooks/tasks/inject_into_nginx_proxy.yml 
@@ -0,0 +1,46 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append webhooks Appservice's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-appservice-webhooks role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- name: Generate Matrix Appservice webhooks proxying configuration for matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_appservice_webhooks_matrix_nginx_proxy_configuration: | + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + location ~ ^{{ matrix_appservice_webhooks_public_endpoint }}/(.*)$ { + resolver 127.0.0.11 valid=5s; + set $backend "matrix-appservice-webhooks:{{ matrix_appservice_webhooks_matrix_port }}"; + proxy_pass http://$backend/$1; + } + {% else %} + {# Generic configuration for use outside of our container setup #} + location {{ matrix_appservice_webhooks_public_endpoint }}/ { + proxy_pass http://127.0.0.1:{{ matrix_appservice_webhooks_matrix_port }}/; + } + {% endif %} + +- name: Register webhooks Appservice proxying configuration with matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) + + + [matrix_appservice_webhooks_matrix_nginx_proxy_configuration] + }} + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + ansible.builtin.debug: + msg: >- + NOTE: You've enabled the Matrix webhooks bridge but are not using the matrix-nginx-proxy + reverse proxy. 
+ Please make sure that you're proxying the `{{ matrix_appservice_webhooks_public_endpoint }}` + URL endpoint to the matrix-appservice-webhooks container. + You can expose the container's port using the `matrix_appservice_webhooks_container_http_host_bind_port` variable. + when: "matrix_appservice_webhooks_enabled | bool and not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-bridge-appservice-webhooks/tasks/main.yml b/roles/custom/matrix-bridge-appservice-webhooks/tasks/main.yml index 30f05469c..24908e83a 100644 --- a/roles/custom/matrix-bridge-appservice-webhooks/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-webhooks/tasks/main.yml @@ -1,8 +1,10 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" +- when: matrix_appservice_webhooks_enabled | bool + ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - - always + - setup-all + - setup-nginx-proxy - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_appservice_webhooks_enabled | bool" diff --git a/roles/custom/matrix-bridge-hookshot/tasks/init.yml b/roles/custom/matrix-bridge-hookshot/tasks/init.yml deleted file mode 100644 index 625e30234..000000000 --- a/roles/custom/matrix-bridge-hookshot/tasks/init.yml +++ /dev/null 
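Review bot: The two branches of the generated configuration are not equivalent with respect to the query string: the container branch (`location ~ ^…/(.*)$` with `proxy_pass http://$backend/$1;`) replaces the request URI with the capture only, so `?…` arguments are dropped, while the non-container branch (`location …/ { proxy_pass http://127.0.0.1:…/; }`) is a prefix match that forwards them. Hookshot's equivalent locations in this commit append `$is_args$args`; unless webhooks callers are known never to use query parameters, `proxy_pass http://$backend/$1$is_args$args;` would make the two branches behave the same. This is carried over from the deleted init.yml rather than introduced here, but the new file is the place to fix or document it.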
@@ -1,113 +0,0 @@ ---- - -- when: matrix_hookshot_enabled | bool - block: - - name: Fail if matrix-nginx-proxy role already executed - ansible.builtin.fail: - msg: >- - Trying to append hookshot's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your playbook, - so that the matrix-nginx-proxy role would run after the matrix-bridge-hookshot role. - when: matrix_nginx_proxy_role_executed | default(False) | bool - - - name: Generate Matrix hookshot proxying configuration for matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_hookshot_matrix_nginx_proxy_configuration: | - location ~ ^{{ matrix_hookshot_appservice_endpoint }}/(.*)$ { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_hookshot_container_url }}:{{ matrix_hookshot_appservice_port }}"; - proxy_pass http://$backend/$1; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_hookshot_appservice_port }}/$1; - {% endif %} - proxy_set_header Host $host; - } - {% if matrix_hookshot_provisioning_enabled %} - location ~ ^{{ matrix_hookshot_provisioning_endpoint }}/(.*)$ { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_hookshot_container_url }}:{{ matrix_hookshot_provisioning_port }}"; - proxy_pass http://$backend{{ matrix_hookshot_provisioning_internal }}/$1$is_args$args; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_hookshot_provisioning_port }}{{ matrix_hookshot_provisioning_internal }}/$1$is_args$args; - {% endif %} - proxy_set_header Host $host; - 
} - {% endif %} - {% if matrix_hookshot_widgets_enabled %} - location ~ ^{{ matrix_hookshot_widgets_endpoint }}/(.*)$ { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_hookshot_container_url }}:{{ matrix_hookshot_widgets_port }}"; - proxy_pass http://$backend{{ matrix_hookshot_widgets_internal }}/$1$is_args$args; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_hookshot_widgets_port }}{{ matrix_hookshot_widgets_internal }}/$1$is_args$args; - {% endif %} - proxy_set_header Host $host; - } - {% endif %} - location ~ ^{{ matrix_hookshot_webhook_endpoint }}/(.*)$ { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_hookshot_container_url }}:{{ matrix_hookshot_webhook_port }}"; - proxy_pass http://$backend/$1$is_args$args; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_hookshot_webhook_port }}/$1$is_args$args; - {% endif %} - proxy_set_header Host $host; - } - - - name: Register hookshot proxying configuration with matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) - + - [matrix_hookshot_matrix_nginx_proxy_configuration] - }} - - - name: Generate hookshot metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/hookshot) - ansible.builtin.set_fact: - matrix_hookshot_matrix_nginx_proxy_metrics_configuration_matrix_domain: | - location /metrics/hookshot { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker 
containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_hookshot_container_url }}:{{ matrix_hookshot_metrics_port }}"; - proxy_pass http://$backend/metrics; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_hookshot_metrics_port }}/metrics; - {% endif %} - } - when: matrix_hookshot_metrics_enabled | bool and matrix_hookshot_metrics_proxying_enabled | bool - - - name: Register hookshot metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/hookshot) - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) - + - [matrix_hookshot_matrix_nginx_proxy_metrics_configuration_matrix_domain] - }} - when: matrix_hookshot_metrics_enabled | bool and matrix_hookshot_metrics_proxying_enabled | bool - -- name: Warn about reverse-proxying if matrix-nginx-proxy not used - ansible.builtin.debug: - msg: >- - NOTE: You've enabled the hookshot bridge but are not using the matrix-nginx-proxy - reverse proxy. - Please make sure that you're proxying the `{{ matrix_hookshot_public_endpoint }}` - URL endpoint to the matrix-hookshot container. - You can expose the container's ports using the `matrix_hookshot_container_http_host_bind_ports` variable. - when: "matrix_hookshot_enabled | bool and not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-bridge-hookshot/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-hookshot/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..5712489c3 --- /dev/null +++ b/roles/custom/matrix-bridge-hookshot/tasks/inject_into_nginx_proxy.yml 
@@ -0,0 +1,111 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append hookshot's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-hookshot role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- name: Generate Matrix hookshot proxying configuration for matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_hookshot_matrix_nginx_proxy_configuration: | + location ~ ^{{ matrix_hookshot_appservice_endpoint }}/(.*)$ { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_hookshot_container_url }}:{{ matrix_hookshot_appservice_port }}"; + proxy_pass http://$backend/$1; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_hookshot_appservice_port }}/$1; + {% endif %} + proxy_set_header Host $host; + } + {% if matrix_hookshot_provisioning_enabled %} + location ~ ^{{ matrix_hookshot_provisioning_endpoint }}/(.*)$ { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_hookshot_container_url }}:{{ matrix_hookshot_provisioning_port }}"; + proxy_pass http://$backend{{ matrix_hookshot_provisioning_internal }}/$1$is_args$args; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_hookshot_provisioning_port }}{{ matrix_hookshot_provisioning_internal }}/$1$is_args$args; + {% endif %} + proxy_set_header Host $host; + } + {% endif %} + {% if 
matrix_hookshot_widgets_enabled %} + location ~ ^{{ matrix_hookshot_widgets_endpoint }}/(.*)$ { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_hookshot_container_url }}:{{ matrix_hookshot_widgets_port }}"; + proxy_pass http://$backend{{ matrix_hookshot_widgets_internal }}/$1$is_args$args; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_hookshot_widgets_port }}{{ matrix_hookshot_widgets_internal }}/$1$is_args$args; + {% endif %} + proxy_set_header Host $host; + } + {% endif %} + location ~ ^{{ matrix_hookshot_webhook_endpoint }}/(.*)$ { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_hookshot_container_url }}:{{ matrix_hookshot_webhook_port }}"; + proxy_pass http://$backend/$1$is_args$args; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_hookshot_webhook_port }}/$1$is_args$args; + {% endif %} + proxy_set_header Host $host; + } + +- name: Register hookshot proxying configuration with matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) + + + [matrix_hookshot_matrix_nginx_proxy_configuration] + }} + +- name: Generate hookshot metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/hookshot) + ansible.builtin.set_fact: + matrix_hookshot_matrix_nginx_proxy_metrics_configuration_matrix_domain: | + location /metrics/hookshot { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the 
service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_hookshot_container_url }}:{{ matrix_hookshot_metrics_port }}"; + proxy_pass http://$backend/metrics; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_hookshot_metrics_port }}/metrics; + {% endif %} + } + when: matrix_hookshot_metrics_enabled | bool and matrix_hookshot_metrics_proxying_enabled | bool + +- name: Register hookshot metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/hookshot) + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) + + + [matrix_hookshot_matrix_nginx_proxy_metrics_configuration_matrix_domain] + }} + when: matrix_hookshot_metrics_enabled | bool and matrix_hookshot_metrics_proxying_enabled | bool + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + ansible.builtin.debug: + msg: >- + NOTE: You've enabled the hookshot bridge but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_hookshot_public_endpoint }}` + URL endpoint to the matrix-hookshot container. + You can expose the container's ports using the `matrix_hookshot_container_http_host_bind_ports` variable. + when: "not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-bridge-hookshot/tasks/main.yml b/roles/custom/matrix-bridge-hookshot/tasks/main.yml index 99febe114..5d93af3a5 100644 --- a/roles/custom/matrix-bridge-hookshot/tasks/main.yml +++ b/roles/custom/matrix-bridge-hookshot/tasks/main.yml 
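Review bot: The appservice location is the only one of the four generated here whose `proxy_pass` target ends in `/$1` without `$is_args$args`, so query-string parameters on appservice requests are dropped at the proxy while the provisioning, widgets and webhook locations keep them. If the homeserver passes its appservice token as a query parameter rather than only in a header, that would break transaction authentication, so it is worth confirming against the hookshot and homeserver versions in use; the fix would be `proxy_pass http://$backend/$1$is_args$args;` and `proxy_pass http://127.0.0.1:{{ matrix_hookshot_appservice_port }}/$1$is_args$args;`. The file also now depends on main.yml gating the import on `matrix_hookshot_enabled` (the final warning task no longer checks it), which deserves a header comment after the `---`.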
@@ -1,8 +1,10 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" +- when: matrix_hookshot_enabled | bool + ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - - always + - setup-all + - setup-nginx-proxy - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_hookshot_enabled | bool" diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/init.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/init.yml deleted file mode 100644 index 8a4229af7..000000000 --- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/init.yml +++ /dev/null 
@@ -1,48 +0,0 @@ ---- - -- when: matrix_mautrix_facebook_enabled | bool and matrix_mautrix_facebook_appservice_public_enabled | bool - tags: - - always - block: - - name: Fail if matrix-nginx-proxy role already executed - ansible.builtin.fail: - msg: >- - Trying to append Mautrix Facebook's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your playbook, - so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-facebook role. - when: matrix_nginx_proxy_role_executed | default(False) | bool - - - name: Generate Mautrix Facebook proxying configuration for matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_mautrix_facebook_matrix_nginx_proxy_configuration: | - location {{ matrix_mautrix_facebook_public_endpoint }} { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-mautrix-facebook:29319"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:9008; - {% endif %} - } - - - name: Register Mautrix Facebook proxying configuration with matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) - + - [matrix_mautrix_facebook_matrix_nginx_proxy_configuration] - }} - - - name: Warn about reverse-proxying if matrix-nginx-proxy not used - ansible.builtin.debug: - msg: >- - NOTE: You've enabled the Mautrix Facebook bridge but are not using the matrix-nginx-proxy - reverse proxy. - Please make sure that you're proxying the `{{ matrix_mautrix_facebook_public_endpoint }}` - URL endpoint to the matrix-mautrix-facebook container. 
- You can expose the container's port using the `matrix_mautrix_facebook_container_http_host_bind_port` variable. - when: "not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..b9f95cb7d --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/inject_into_nginx_proxy.yml 
@@ -0,0 +1,44 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append Mautrix Facebook's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-facebook role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- name: Generate Mautrix Facebook proxying configuration for matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_mautrix_facebook_matrix_nginx_proxy_configuration: | + location {{ matrix_mautrix_facebook_public_endpoint }} { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mautrix-facebook:29319"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:9008; + {% endif %} + } + +- name: Register Mautrix Facebook proxying configuration with matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) + + + [matrix_mautrix_facebook_matrix_nginx_proxy_configuration] + }} + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + ansible.builtin.debug: + msg: >- + NOTE: You've enabled the Mautrix Facebook bridge but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_mautrix_facebook_public_endpoint }}` + URL endpoint to the matrix-mautrix-facebook container. + You can expose the container's port using the `matrix_mautrix_facebook_container_http_host_bind_port` variable. 
+ when: "not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml index 3ef2cb233..f166cc5eb 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml @@ -1,8 +1,10 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" +- when: matrix_mautrix_facebook_enabled | bool and matrix_mautrix_facebook_appservice_public_enabled | bool + ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - - always + - setup-all + - setup-nginx-proxy - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_mautrix_facebook_enabled | bool" diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/init.yml b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/init.yml deleted file mode 100644 index 17e6094df..000000000 --- a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/init.yml +++ /dev/null 
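Review bot: The generated location hard-codes `matrix-mautrix-facebook:29319` and `127.0.0.1:9008`, while the warning task at the end of the file points users at `matrix_mautrix_facebook_container_http_host_bind_port` to expose the port; if a user changes that variable, the non-container `proxy_pass http://127.0.0.1:9008;` fallback silently keeps pointing at the old port. The slack and hookshot files in this commit template both the backend host and the port from role variables, and the mautrix-googlechat file has the same hard-coded pair (8080/9007). If the bind-port variable's format allows it, deriving the fallback from it — or at least a comment at that line such as `{# 9008 must match the host port configured via matrix_mautrix_facebook_container_http_host_bind_port #}` — would keep the two in step.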
@@ -1,47 +0,0 @@ ---- - -- when: matrix_mautrix_googlechat_enabled | bool - tags: - - always - block: - - name: Fail if matrix-nginx-proxy role already executed - ansible.builtin.fail: - msg: >- - Trying to append Mautrix googlechat's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your playbook, - so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-googlechat role. - when: matrix_nginx_proxy_role_executed | default(False) | bool - - - name: Generate Mautrix googlechat proxying configuration for matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_mautrix_googlechat_matrix_nginx_proxy_configuration: | - location {{ matrix_mautrix_googlechat_public_endpoint }} { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-mautrix-googlechat:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:9007; - {% endif %} - } - - name: Register Mautrix googlechat proxying configuration with matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) - + - [matrix_mautrix_googlechat_matrix_nginx_proxy_configuration] - }} - -- name: Warn about reverse-proxying if matrix-nginx-proxy not used - ansible.builtin.debug: - msg: >- - NOTE: You've enabled the Mautrix googlechat bridge but are not using the matrix-nginx-proxy - reverse proxy. - Please make sure that you're proxying the `{{ matrix_mautrix_googlechat_public_endpoint }}` - URL endpoint to the matrix-mautrix-googlechat container. 
- You can expose the container's port using the `matrix_mautrix_googlechat_container_http_host_bind_port` variable. - when: "matrix_mautrix_googlechat_enabled | bool and not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..6a417b61e --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/inject_into_nginx_proxy.yml 
@@ -0,0 +1,43 @@
+---
+
+- name: Fail if matrix-nginx-proxy role already executed
+ ansible.builtin.fail:
+ msg: >-
+ Trying to append Mautrix googlechat's reverse-proxying configuration to matrix-nginx-proxy,
+ but it's pointless since the matrix-nginx-proxy role had already executed.
+ To fix this, please change the order of roles in your playbook,
+ so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-googlechat role.
+ when: matrix_nginx_proxy_role_executed | default(False) | bool
+
+- name: Generate Mautrix googlechat proxying configuration for matrix-nginx-proxy
+ ansible.builtin.set_fact:
+ matrix_mautrix_googlechat_matrix_nginx_proxy_configuration: |
+ location {{ matrix_mautrix_googlechat_public_endpoint }} {
+ {% if matrix_nginx_proxy_enabled | default(False) %}
+ {# Use the embedded DNS resolver in Docker containers to discover the service #}
+ resolver 127.0.0.11 valid=5s;
+ set $backend "matrix-mautrix-googlechat:8080";
+ proxy_pass http://$backend;
+ {% else %}
+ {# Generic configuration for use outside of our container setup #}
+ proxy_pass http://127.0.0.1:9007;
+ {% endif %}
+ }
+- name: Register Mautrix googlechat proxying configuration with matrix-nginx-proxy
+ ansible.builtin.set_fact:
+ matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: |
+ {{
+ matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([])
+ +
+ [matrix_mautrix_googlechat_matrix_nginx_proxy_configuration]
+ }}
+
+- name: Warn about reverse-proxying if matrix-nginx-proxy not used
+ ansible.builtin.debug:
+ msg: >-
+ NOTE: You've enabled the Mautrix googlechat bridge but are not using the matrix-nginx-proxy
+ reverse proxy.
+ Please make sure that you're proxying the `{{ matrix_mautrix_googlechat_public_endpoint }}`
+ URL endpoint to the matrix-mautrix-googlechat container.
+ You can expose the container's port using the `matrix_mautrix_googlechat_container_http_host_bind_port` variable.
+ when: "matrix_mautrix_googlechat_enabled | bool and not matrix_nginx_proxy_enabled | default(False) | bool"
diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/main.yml
index 070abfcd9..e20422a72 100644
--- a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/main.yml
@@ -1,8 +1,10 @@
---
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml"
+- when: matrix_mautrix_googlechat_enabled | bool
+ ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
tags:
- - always
+ - setup-all
+ - setup-nginx-proxy
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup | bool and matrix_mautrix_googlechat_enabled | bool"
diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/init.yml b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/init.yml
deleted file mode 100644
index 8850f1cf5..000000000
--- a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/init.yml
+++ /dev/null
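Review bot: The guard on the warn task at the end of this new file, `when: "matrix_mautrix_googlechat_enabled | bool and not matrix_nginx_proxy_enabled | default(False) | bool"`, re-checks the role's enabled flag even though main.yml in this same commit now applies that `when:` to the whole `import_tasks`, so the first half of the condition is redundant. The telegram, mx-puppet-slack and mx-puppet-twitter files added here already use the shorter `when: "not matrix_nginx_proxy_enabled | default(False) | bool"`; this file and the hangouts one keep the longer form, so the five files look different while behaving the same. Aligning them on the shorter form would make that explicit. Separately, this file has no blank line between the closing `}` of the generated location block and the `- name: Register …` task, unlike every sibling file in the commit; cosmetic, but it breaks the shared layout.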
@@ -1,47 +0,0 @@
----
-
-- when: matrix_mautrix_hangouts_enabled | bool
- tags:
- - always
- block:
- - name: Fail if matrix-nginx-proxy role already executed
- ansible.builtin.fail:
- msg: >-
- Trying to append Mautrix Hangouts's reverse-proxying configuration to matrix-nginx-proxy,
- but it's pointless since the matrix-nginx-proxy role had already executed.
- To fix this, please change the order of roles in your playbook,
- so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-hangouts role.
- when: matrix_nginx_proxy_role_executed | default(False) | bool
-
- - name: Generate Mautrix Hangouts proxying configuration for matrix-nginx-proxy
- ansible.builtin.set_fact:
- matrix_mautrix_hangouts_matrix_nginx_proxy_configuration: |
- location {{ matrix_mautrix_hangouts_public_endpoint }} {
- {% if matrix_nginx_proxy_enabled | default(False) %}
- {# Use the embedded DNS resolver in Docker containers to discover the service #}
- resolver 127.0.0.11 valid=5s;
- set $backend "matrix-mautrix-hangouts:8080";
- proxy_pass http://$backend;
- {% else %}
- {# Generic configuration for use outside of our container setup #}
- proxy_pass http://127.0.0.1:9007;
- {% endif %}
- }
- - name: Register Mautrix Hangouts proxying configuration with matrix-nginx-proxy
- ansible.builtin.set_fact:
- matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: |
- {{
- matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([])
- +
- [matrix_mautrix_hangouts_matrix_nginx_proxy_configuration]
- }}
-
-- name: Warn about reverse-proxying if matrix-nginx-proxy not used
- ansible.builtin.debug:
- msg: >-
- NOTE: You've enabled the Mautrix Hangouts bridge but are not using the matrix-nginx-proxy
- reverse proxy.
- Please make sure that you're proxying the `{{ matrix_mautrix_hangouts_public_endpoint }}`
- URL endpoint to the matrix-mautrix-hangouts container.
- You can expose the container's port using the `matrix_mautrix_hangouts_container_http_host_bind_port` variable.
- when: "matrix_mautrix_hangouts_enabled | bool and not matrix_nginx_proxy_enabled | default(False) | bool"
diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/inject_into_nginx_proxy.yml
new file mode 100644
index 000000000..b5696c841
--- /dev/null
+++ b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/inject_into_nginx_proxy.yml
@@ -0,0 +1,44 @@
+---
+
+- name: Fail if matrix-nginx-proxy role already executed
+ ansible.builtin.fail:
+ msg: >-
+ Trying to append Mautrix Hangouts's reverse-proxying configuration to matrix-nginx-proxy,
+ but it's pointless since the matrix-nginx-proxy role had already executed.
+ To fix this, please change the order of roles in your playbook,
+ so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-hangouts role.
+ when: matrix_nginx_proxy_role_executed | default(False) | bool
+
+- name: Generate Mautrix Hangouts proxying configuration for matrix-nginx-proxy
+ ansible.builtin.set_fact:
+ matrix_mautrix_hangouts_matrix_nginx_proxy_configuration: |
+ location {{ matrix_mautrix_hangouts_public_endpoint }} {
+ {% if matrix_nginx_proxy_enabled | default(False) %}
+ {# Use the embedded DNS resolver in Docker containers to discover the service #}
+ resolver 127.0.0.11 valid=5s;
+ set $backend "matrix-mautrix-hangouts:8080";
+ proxy_pass http://$backend;
+ {% else %}
+ {# Generic configuration for use outside of our container setup #}
+ proxy_pass http://127.0.0.1:9007;
+ {% endif %}
+ }
+
+- name: Register Mautrix Hangouts proxying configuration with matrix-nginx-proxy
+ ansible.builtin.set_fact:
+ matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: |
+ {{
+ matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([])
+ +
+ [matrix_mautrix_hangouts_matrix_nginx_proxy_configuration]
+ }}
+
+- name: Warn about reverse-proxying if matrix-nginx-proxy not used
+ ansible.builtin.debug:
+ msg: >-
+ NOTE: You've enabled the Mautrix Hangouts bridge but are not using the matrix-nginx-proxy
+ reverse proxy.
+ Please make sure that you're proxying the `{{ matrix_mautrix_hangouts_public_endpoint }}`
+ URL endpoint to the matrix-mautrix-hangouts container.
+ You can expose the container's port using the `matrix_mautrix_hangouts_container_http_host_bind_port` variable.
+ when: "matrix_mautrix_hangouts_enabled | bool and not matrix_nginx_proxy_enabled | default(False) | bool"
diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/main.yml
index d69136899..a1b7115bd 100644
--- a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/main.yml
@@ -1,8 +1,10 @@
---
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml"
+- when: matrix_mautrix_hangouts_enabled | bool
+ ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
tags:
- - always
+ - setup-all
+ - setup-nginx-proxy
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup | bool and matrix_mautrix_hangouts_enabled | bool"
diff --git a/roles/custom/matrix-bridge-mautrix-telegram/tasks/init.yml b/roles/custom/matrix-bridge-mautrix-telegram/tasks/init.yml
deleted file mode 100644
index d292edc00..000000000
--- a/roles/custom/matrix-bridge-mautrix-telegram/tasks/init.yml
+++ /dev/null
@@ -1,47 +0,0 @@
----
-
-- when: matrix_mautrix_telegram_enabled | bool and matrix_mautrix_telegram_appservice_public_enabled | bool
- tags:
- - always
- block:
- - name: Fail if matrix-nginx-proxy role already executed
- ansible.builtin.fail:
- msg: >-
- Trying to append Mautrix Telegram's reverse-proxying configuration to matrix-nginx-proxy,
- but it's pointless since the matrix-nginx-proxy role had already executed.
- To fix this, please change the order of roles in your playbook,
- so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-telegram role.
- when: matrix_nginx_proxy_role_executed | default(False) | bool
-
- - name: Generate Mautrix Telegram proxying configuration for matrix-nginx-proxy
- ansible.builtin.set_fact:
- matrix_mautrix_telegram_matrix_nginx_proxy_configuration: |
- location {{ matrix_mautrix_telegram_public_endpoint }} {
- {% if matrix_nginx_proxy_enabled | default(False) %}
- {# Use the embedded DNS resolver in Docker containers to discover the service #}
- resolver 127.0.0.11 valid=5s;
- set $backend "matrix-mautrix-telegram:8080";
- proxy_pass http://$backend;
- {% else %}
- {# Generic configuration for use outside of our container setup #}
- proxy_pass http://127.0.0.1:9006;
- {% endif %}
- }
-
- - name: Register Mautrix Telegram proxying configuration with matrix-nginx-proxy
- ansible.builtin.set_fact:
- matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: |
- {{
- matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([])
- +
- [matrix_mautrix_telegram_matrix_nginx_proxy_configuration]
- }}
- - name: Warn about reverse-proxying if matrix-nginx-proxy not used
- ansible.builtin.debug:
- msg: >-
- NOTE: You've enabled the Mautrix Telegram bridge but are not using the matrix-nginx-proxy
- reverse proxy.
- Please make sure that you're proxying the `{{ matrix_mautrix_telegram_public_endpoint }}`
- URL endpoint to the matrix-mautrix-telegram container.
- You can expose the container's port using the `matrix_mautrix_telegram_container_http_host_bind_port` variable.
- when: "not matrix_nginx_proxy_enabled | default(False) | bool"
diff --git a/roles/custom/matrix-bridge-mautrix-telegram/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-mautrix-telegram/tasks/inject_into_nginx_proxy.yml
new file mode 100644
index 000000000..7bbd15518
--- /dev/null
+++ b/roles/custom/matrix-bridge-mautrix-telegram/tasks/inject_into_nginx_proxy.yml
@@ -0,0 +1,44 @@
+---
+
+- name: Fail if matrix-nginx-proxy role already executed
+ ansible.builtin.fail:
+ msg: >-
+ Trying to append Mautrix Telegram's reverse-proxying configuration to matrix-nginx-proxy,
+ but it's pointless since the matrix-nginx-proxy role had already executed.
+ To fix this, please change the order of roles in your playbook,
+ so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-telegram role.
+ when: matrix_nginx_proxy_role_executed | default(False) | bool
+
+- name: Generate Mautrix Telegram proxying configuration for matrix-nginx-proxy
+ ansible.builtin.set_fact:
+ matrix_mautrix_telegram_matrix_nginx_proxy_configuration: |
+ location {{ matrix_mautrix_telegram_public_endpoint }} {
+ {% if matrix_nginx_proxy_enabled | default(False) %}
+ {# Use the embedded DNS resolver in Docker containers to discover the service #}
+ resolver 127.0.0.11 valid=5s;
+ set $backend "matrix-mautrix-telegram:8080";
+ proxy_pass http://$backend;
+ {% else %}
+ {# Generic configuration for use outside of our container setup #}
+ proxy_pass http://127.0.0.1:9006;
+ {% endif %}
+ }
+
+- name: Register Mautrix Telegram proxying configuration with matrix-nginx-proxy
+ ansible.builtin.set_fact:
+ matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: |
+ {{
+ matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([])
+ +
+ [matrix_mautrix_telegram_matrix_nginx_proxy_configuration]
+ }}
+
+- name: Warn about reverse-proxying if matrix-nginx-proxy not used
+ ansible.builtin.debug:
+ msg: >-
+ NOTE: You've enabled the Mautrix Telegram bridge but are not using the matrix-nginx-proxy
+ reverse proxy.
+ Please make sure that you're proxying the `{{ matrix_mautrix_telegram_public_endpoint }}`
+ URL endpoint to the matrix-mautrix-telegram container.
+ You can expose the container's port using the `matrix_mautrix_telegram_container_http_host_bind_port` variable.
+ when: "not matrix_nginx_proxy_enabled | default(False) | bool"
diff --git a/roles/custom/matrix-bridge-mautrix-telegram/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-telegram/tasks/main.yml
index 471f0cf13..d4a5f8054 100644
--- a/roles/custom/matrix-bridge-mautrix-telegram/tasks/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-telegram/tasks/main.yml
@@ -1,7 +1,10 @@
---
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml"
+
+- when: matrix_mautrix_telegram_enabled | bool and matrix_mautrix_telegram_appservice_public_enabled | bool
+ ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
tags:
- - always
+ - setup-all
+ - setup-nginx-proxy
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup | bool and matrix_mautrix_telegram_enabled | bool"
diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/init.yml b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/init.yml
deleted file mode 100644
index 217c733dc..000000000
--- a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/init.yml
+++ /dev/null
@@ -1,48 +0,0 @@
----
-
-- when: matrix_mx_puppet_slack_enabled | bool
- tags:
- - always
- block:
- - name: Fail if matrix-nginx-proxy role already executed
- ansible.builtin.fail:
- msg: >-
- Trying to append Slack Appservice's reverse-proxying configuration to matrix-nginx-proxy,
- but it's pointless since the matrix-nginx-proxy role had already executed.
- To fix this, please change the order of roles in your playbook,
- so that the matrix-nginx-proxy role would run after the matrix-mx-puppet-slack role.
- when: matrix_nginx_proxy_role_executed | default(False) | bool
-
- - name: Generate Matrix MX Puppet Slack proxying configuration for matrix-nginx-proxy
- ansible.builtin.set_fact:
- matrix_mx_puppet_slack_matrix_nginx_proxy_configuration: |
- location {{ matrix_mx_puppet_slack_redirect_path }} {
- {% if matrix_nginx_proxy_enabled | default(False) %}
- {# Use the embedded DNS resolver in Docker containers to discover the service #}
- resolver 127.0.0.11 valid=5s;
- set $backend "{{ matrix_mx_puppet_slack_appservice_address }}";
- proxy_pass $backend;
- {% else %}
- {# Generic configuration for use outside of our container setup #}
- proxy_pass http://127.0.0.1:{{ matrix_mx_puppet_slack_appservice_port }};
- {% endif %}
- }
-
- - name: Register Slack Appservice proxying configuration with matrix-nginx-proxy
- ansible.builtin.set_fact:
- matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: |
- {{
- matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([])
- +
- [matrix_mx_puppet_slack_matrix_nginx_proxy_configuration]
- }}
-
-- name: Warn about reverse-proxying if matrix-nginx-proxy not used
- ansible.builtin.debug:
- msg: >-
- NOTE: You've enabled the Matrix Slack bridge but are not using the matrix-nginx-proxy
- reverse proxy.
- Please make sure that you're proxying the `{{ matrix_mx_puppet_slack_redirect_path }}`
- URL endpoint to the matrix-mx-puppet-slack container.
- You can expose the container's port using the `matrix_appservice_slack_container_http_host_bind_port` variable.
- when: "matrix_mx_puppet_slack_enabled | bool and not matrix_nginx_proxy_enabled | default(False) | bool"
diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/inject_into_nginx_proxy.yml
new file mode 100644
index 000000000..c4e82a5b5
--- /dev/null
+++ b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/inject_into_nginx_proxy.yml
@@ -0,0 +1,44 @@
+---
+
+- name: Fail if matrix-nginx-proxy role already executed
+ ansible.builtin.fail:
+ msg: >-
+ Trying to append Slack Appservice's reverse-proxying configuration to matrix-nginx-proxy,
+ but it's pointless since the matrix-nginx-proxy role had already executed.
+ To fix this, please change the order of roles in your playbook,
+ so that the matrix-nginx-proxy role would run after the matrix-mx-puppet-slack role.
+ when: matrix_nginx_proxy_role_executed | default(False) | bool
+
+- name: Generate Matrix MX Puppet Slack proxying configuration for matrix-nginx-proxy
+ ansible.builtin.set_fact:
+ matrix_mx_puppet_slack_matrix_nginx_proxy_configuration: |
+ location {{ matrix_mx_puppet_slack_redirect_path }} {
+ {% if matrix_nginx_proxy_enabled | default(False) %}
+ {# Use the embedded DNS resolver in Docker containers to discover the service #}
+ resolver 127.0.0.11 valid=5s;
+ set $backend "{{ matrix_mx_puppet_slack_appservice_address }}";
+ proxy_pass $backend;
+ {% else %}
+ {# Generic configuration for use outside of our container setup #}
+ proxy_pass http://127.0.0.1:{{ matrix_mx_puppet_slack_appservice_port }};
+ {% endif %}
+ }
+
+- name: Register Slack Appservice proxying configuration with matrix-nginx-proxy
+ ansible.builtin.set_fact:
+ matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: |
+ {{
+ matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([])
+ +
+ [matrix_mx_puppet_slack_matrix_nginx_proxy_configuration]
+ }}
+
+- name: Warn about reverse-proxying if matrix-nginx-proxy not used
+ ansible.builtin.debug:
+ msg: >-
+ NOTE: You've enabled the Matrix Slack bridge but are not using the matrix-nginx-proxy
+ reverse proxy.
+ Please make sure that you're proxying the `{{ matrix_mx_puppet_slack_redirect_path }}`
+ URL endpoint to the matrix-mx-puppet-slack container.
+ You can expose the container's port using the `matrix_appservice_slack_container_http_host_bind_port` variable.
+ when: "not matrix_nginx_proxy_enabled | default(False) | bool"
diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/main.yml
index 869afc497..8850e6bcb 100644
--- a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/main.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/main.yml
@@ -1,8 +1,10 @@
---
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml"
+- when: matrix_mx_puppet_slack_enabled | bool
+ ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
tags:
- - always
+ - setup-all
+ - setup-nginx-proxy
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup | bool and matrix_mx_puppet_slack_enabled | bool"
diff --git a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/init.yml b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/init.yml
deleted file mode 100644
index 4a0ea6733..000000000
--- a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/init.yml
+++ /dev/null
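Review bot: The warn task copied into this new mx-puppet-slack file tells the operator to use `matrix_appservice_slack_container_http_host_bind_port`, which by its prefix belongs to the separate matrix-appservice-slack role, while every other file in this commit points at the role's own variable (for example `matrix_mx_puppet_twitter_container_http_host_bind_port` in the twitter file). This looks like a copy-paste leftover carried over from the deleted init.yml rather than something the refactor introduced, but it is now the only place the message lives. Please confirm which bind-port variable this role actually defines in its defaults and name that one in the message, following the `matrix_mx_puppet_slack_…` naming the rest of the file uses. Until then an operator following the hint will set a variable this role never reads.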
@@ -1,48 +0,0 @@
----
-
-- when: matrix_mx_puppet_twitter_enabled | bool
- tags:
- - always
- block:
- - name: Fail if matrix-nginx-proxy role already executed
- ansible.builtin.fail:
- msg: >-
- Trying to append Twitter Appservice's reverse-proxying configuration to matrix-nginx-proxy,
- but it's pointless since the matrix-nginx-proxy role had already executed.
- To fix this, please change the order of roles in your playbook,
- so that the matrix-nginx-proxy role would run after the matrix-mx-puppet-twitter role.
- when: matrix_nginx_proxy_role_executed | default(False) | bool
-
- - name: Generate Matrix MX Puppet Twitter proxying configuration for matrix-nginx-proxy
- ansible.builtin.set_fact:
- matrix_mx_puppet_twitter_matrix_nginx_proxy_configuration: |
- location {{ matrix_mx_puppet_twitter_webhook_path }} {
- {% if matrix_nginx_proxy_enabled | default(False) %}
- {# Use the embedded DNS resolver in Docker containers to discover the service #}
- resolver 127.0.0.11 valid=5s;
- set $backend "{{ matrix_mx_puppet_twitter_appservice_address }}";
- proxy_pass $backend;
- {% else %}
- {# Generic configuration for use outside of our container setup #}
- proxy_pass http://127.0.0.1:{{ matrix_mx_puppet_twitter_appservice_port }};
- {% endif %}
- }
-
- - name: Register Twitter Appservice proxying configuration with matrix-nginx-proxy
- ansible.builtin.set_fact:
- matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: |
- {{
- matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([])
- +
- [matrix_mx_puppet_twitter_matrix_nginx_proxy_configuration]
- }}
-
-- name: Warn about reverse-proxying if matrix-nginx-proxy not used
- ansible.builtin.debug:
- msg: >-
- NOTE: You've enabled the Matrix Twitter bridge but are not using the matrix-nginx-proxy
- reverse proxy.
- Please make sure that you're proxying the `{{ matrix_mx_puppet_twitter_redirect_path }}`
- URL endpoint to the matrix-mx-puppet-twitter container.
- You can expose the container's port using the `matrix_mx_puppet_twitter_container_http_host_bind_port` variable.
- when: "matrix_mx_puppet_twitter_enabled | bool and not matrix_nginx_proxy_enabled | default(False) | bool"
diff --git a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/inject_into_nginx_proxy.yml
new file mode 100644
index 000000000..df2b76feb
--- /dev/null
+++ b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/inject_into_nginx_proxy.yml
@@ -0,0 +1,44 @@
+---
+
+- name: Fail if matrix-nginx-proxy role already executed
+ ansible.builtin.fail:
+ msg: >-
+ Trying to append Twitter Appservice's reverse-proxying configuration to matrix-nginx-proxy,
+ but it's pointless since the matrix-nginx-proxy role had already executed.
+ To fix this, please change the order of roles in your playbook,
+ so that the matrix-nginx-proxy role would run after the matrix-mx-puppet-twitter role.
+ when: matrix_nginx_proxy_role_executed | default(False) | bool
+
+- name: Generate Matrix MX Puppet Twitter proxying configuration for matrix-nginx-proxy
+ ansible.builtin.set_fact:
+ matrix_mx_puppet_twitter_matrix_nginx_proxy_configuration: |
+ location {{ matrix_mx_puppet_twitter_webhook_path }} {
+ {% if matrix_nginx_proxy_enabled | default(False) %}
+ {# Use the embedded DNS resolver in Docker containers to discover the service #}
+ resolver 127.0.0.11 valid=5s;
+ set $backend "{{ matrix_mx_puppet_twitter_appservice_address }}";
+ proxy_pass $backend;
+ {% else %}
+ {# Generic configuration for use outside of our container setup #}
+ proxy_pass http://127.0.0.1:{{ matrix_mx_puppet_twitter_appservice_port }};
+ {% endif %}
+ }
+
+- name: Register Twitter Appservice proxying configuration with matrix-nginx-proxy
+ ansible.builtin.set_fact:
+ matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: |
+ {{
+ matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([])
+ +
+ [matrix_mx_puppet_twitter_matrix_nginx_proxy_configuration]
+ }}
+
+- name: Warn about reverse-proxying if matrix-nginx-proxy not used
+ ansible.builtin.debug:
+ msg: >-
+ NOTE: You've enabled the Matrix Twitter bridge but are not using the matrix-nginx-proxy
+ reverse proxy.
+ Please make sure that you're proxying the `{{ matrix_mx_puppet_twitter_redirect_path }}`
+ URL endpoint to the matrix-mx-puppet-twitter container.
+ You can expose the container's port using the `matrix_mx_puppet_twitter_container_http_host_bind_port` variable.
+ when: "not matrix_nginx_proxy_enabled | default(False) | bool"
diff --git a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/main.yml
index 20e4f6862..87f947096 100644
--- a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/main.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/main.yml
@@ -1,8 +1,10 @@
---
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml"
+- when: matrix_mx_puppet_twitter_enabled | bool
+ ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
tags:
- - always
+ - setup-all
+ - setup-nginx-proxy
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup | bool and matrix_mx_puppet_twitter_enabled | bool"
diff --git a/roles/custom/matrix-cactus-comments/tasks/init.yml b/roles/custom/matrix-cactus-comments/tasks/inject_into_nginx_proxy.yml
similarity index 93%
rename from roles/custom/matrix-cactus-comments/tasks/init.yml
rename to roles/custom/matrix-cactus-comments/tasks/inject_into_nginx_proxy.yml
index 5e0941074..a1da604c9 100644
--- a/roles/custom/matrix-cactus-comments/tasks/init.yml
+++ b/roles/custom/matrix-cactus-comments/tasks/inject_into_nginx_proxy.yml
@@ -1,9 +1,6 @@
---
-- when: matrix_cactus_comments_enabled | bool and matrix_cactus_comments_serve_client_enabled | bool
- tags:
- - always
- block:
+- block:
- name: Fail if matrix-nginx-proxy role already executed
ansible.builtin.fail:
msg: >-
diff --git a/roles/custom/matrix-cactus-comments/tasks/main.yml b/roles/custom/matrix-cactus-comments/tasks/main.yml
index 857e2db19..4bef51535 100644
--- a/roles/custom/matrix-cactus-comments/tasks/main.yml
+++ b/roles/custom/matrix-cactus-comments/tasks/main.yml
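Review bot: The warn message in this new mx-puppet-twitter file asks the operator to proxy `{{ matrix_mx_puppet_twitter_redirect_path }}`, but the location block the same file generates a few lines earlier proxies `{{ matrix_mx_puppet_twitter_webhook_path }}`, so the hint and the generated nginx config disagree about which path the bridge needs. If the webhook path is the one the bridge serves, the message should read `Please make sure that you're proxying the `{{ matrix_mx_puppet_twitter_webhook_path }}``; if both paths exist and both need proxying, the generated location block does not cover the redirect path either, and that is the larger gap. This mismatch was already present in the deleted init.yml and is simply carried over here.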
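Review bot: In the matrix-cactus-comments rename hunk the `+- block:` line keeps a bare block wrapper with no `when:` or `tags:` now that the gating has moved to main.yml, whereas every other role in this commit dropped the wrapper and lists its tasks at the top level of the new inject_into_nginx_proxy.yml. A wrapper that carries no condition, tags or rescue adds an indentation level for no benefit and leaves this file structured differently from its siblings. Dedenting the tasks and removing `- block:` would make the file match the rest; the remainder of the block body lies outside this hunk, so the rest of the file would need the same dedent.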
@@ -1,8 +1,10 @@
---
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml"
+- when: matrix_cactus_comments_enabled | bool and matrix_cactus_comments_serve_client_enabled | bool
+ ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
tags:
- - always
+ - setup-all
+ - setup-nginx-proxy
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup | bool and matrix_cactus_comments_enabled | bool"
diff --git a/roles/custom/matrix-etherpad/tasks/init.yml b/roles/custom/matrix-etherpad/tasks/init.yml
deleted file mode 100644
index 159dbe879..000000000
--- a/roles/custom/matrix-etherpad/tasks/init.yml
+++ /dev/null
@@ -1,50 +0,0 @@
----
-
-- when: matrix_etherpad_enabled | bool and matrix_etherpad_mode == 'dimension'
- tags:
- - always
- block:
- - name: Fail if matrix-nginx-proxy role already executed
- ansible.builtin.fail:
- msg: >-
- Trying to append Etherpad's reverse-proxying configuration to matrix-nginx-proxy,
- but it's pointless since the matrix-nginx-proxy role had already executed.
- To fix this, please change the order of roles in your playbook,
- so that the matrix-nginx-proxy role would run after the matrix-etherpad role.
- when: matrix_nginx_proxy_role_executed | default(False) | bool
-
- - name: Generate Etherpad proxying configuration for matrix-nginx-proxy
- ansible.builtin.set_fact:
- matrix_etherpad_matrix_nginx_proxy_configuration: |
- rewrite ^{{ matrix_etherpad_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_etherpad_public_endpoint }}/ permanent;
-
- location {{ matrix_etherpad_public_endpoint }}/ {
- {% if matrix_nginx_proxy_enabled | default(False) %}
- {# Use the embedded DNS resolver in Docker containers to discover the service #}
- resolver 127.0.0.11 valid=5s;
- proxy_pass http://matrix-etherpad:9001/;
- {# These are proxy directives needed specifically by Etherpad #}
- proxy_buffering off;
- proxy_http_version 1.1; # recommended with keepalive connections
- proxy_pass_header Server;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; # for EP to set secure cookie flag when https is used
- # WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
- {% else %}
- {# Generic configuration for use outside of our container setup #}
- # A good guide for setting up your Etherpad behind nginx:
- # https://docs.gandi.net/en/cloud/tutorials/etherpad_lite.html
- proxy_pass http://127.0.0.1:9001/;
- {% endif %}
- }
-
- - name: Register Etherpad proxying configuration with matrix-nginx-proxy
- ansible.builtin.set_fact:
- matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: |
- {{
- matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks | default([])
- +
- [matrix_etherpad_matrix_nginx_proxy_configuration]
- }}
diff --git a/roles/custom/matrix-etherpad/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-etherpad/tasks/inject_into_nginx_proxy.yml
new file mode 100644
index 000000000..e32cdf964
--- /dev/null
+++ b/roles/custom/matrix-etherpad/tasks/inject_into_nginx_proxy.yml
@@ -0,0 +1,46 @@
+---
+
+- name: Fail if matrix-nginx-proxy role already executed
+ ansible.builtin.fail:
+ msg: >-
+ Trying to append Etherpad's reverse-proxying configuration to matrix-nginx-proxy,
+ but it's pointless since the matrix-nginx-proxy role had already executed.
+ To fix this, please change the order of roles in your playbook,
+ so that the matrix-nginx-proxy role would run after the matrix-etherpad role.
+ when: matrix_nginx_proxy_role_executed | default(False) | bool
+
+- name: Generate Etherpad proxying configuration for matrix-nginx-proxy
+ ansible.builtin.set_fact:
+ matrix_etherpad_matrix_nginx_proxy_configuration: |
+ rewrite ^{{ matrix_etherpad_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_etherpad_public_endpoint }}/ permanent;
+
+ location {{ matrix_etherpad_public_endpoint }}/ {
+ {% if matrix_nginx_proxy_enabled | default(False) %}
+ {# Use the embedded DNS resolver in Docker containers to discover the service #}
+ resolver 127.0.0.11 valid=5s;
+ proxy_pass http://matrix-etherpad:9001/;
+ {# These are proxy directives needed specifically by Etherpad #}
+ proxy_buffering off;
+ proxy_http_version 1.1; # recommended with keepalive connections
+ proxy_pass_header Server;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; # for EP to set secure cookie flag when https is used
+ # WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ {% else %}
+ {# Generic configuration for use outside of our container setup #}
+ # A good guide for setting up your Etherpad behind nginx:
+ # https://docs.gandi.net/en/cloud/tutorials/etherpad_lite.html
+ proxy_pass http://127.0.0.1:9001/;
+ {% endif %}
+ }
+
+- name: Register Etherpad proxying configuration with matrix-nginx-proxy
+ ansible.builtin.set_fact:
+ matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: |
+ {{
+ matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks | default([])
+ +
+ [matrix_etherpad_matrix_nginx_proxy_configuration]
+ }}
diff --git a/roles/custom/matrix-etherpad/tasks/main.yml b/roles/custom/matrix-etherpad/tasks/main.yml
index caf0dda50..a2c9e077b 100644
--- a/roles/custom/matrix-etherpad/tasks/main.yml
+++ b/roles/custom/matrix-etherpad/tasks/main.yml
@@ -1,8 +1,10 @@
---
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml"
+- when: matrix_etherpad_enabled | bool and matrix_etherpad_mode == 'dimension'
+ ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
tags:
- - always
+ - setup-all
+ - setup-nginx-proxy
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: run_setup | bool and matrix_etherpad_enabled | bool
diff --git a/roles/custom/matrix-ldap-registration-proxy/tasks/init.yml b/roles/custom/matrix-ldap-registration-proxy/tasks/init.yml
deleted file mode 100644
index f035e6579..000000000
--- a/roles/custom/matrix-ldap-registration-proxy/tasks/init.yml
+++ /dev/null
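Review bot: In the new Etherpad inject file the `resolver 127.0.0.11 valid=5s;` line sits next to a static `proxy_pass http://matrix-etherpad:9001/;`, and as far as I know nginx only consults `resolver` when the upstream host comes from a variable; with a literal hostname the container name is resolved once at configuration load, so the `valid=5s` re-resolution the comment promises does not happen and nginx refuses to start if the container is not up yet. The other inject files in this commit avoid that with `set $backend "…"; proxy_pass http://$backend;`. Etherpad is the one case where the trailing `/` matters, because it strips the `{{ matrix_etherpad_public_endpoint }}/` prefix and a variable-based `proxy_pass` passes its URI part verbatim instead, so the equivalent would be `set $backend "matrix-etherpad:9001";`, `rewrite ^{{ matrix_etherpad_public_endpoint }}/(.*)$ /$1 break;`, `proxy_pass http://$backend;`, which should be checked against the WebSocket path before switching. The block is carried over unchanged from the deleted init.yml, so this is a pre-existing issue rather than a regression.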
@@ -1,47 +0,0 @@ ---- - -- when: matrix_ldap_registration_proxy_enabled | bool - tags: - - always - block: - - name: Fail if matrix-nginx-proxy role already executed - ansible.builtin.fail: - msg: >- - Trying to append Matrix LDAP registration proxy's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your playbook, - so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-telegram role. - when: matrix_nginx_proxy_role_executed | default(False) | bool - - - name: Generate Matrix LDAP registration proxy proxying configuration for matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_ldap_registration_proxy_matrix_nginx_proxy_configuration: | - location {{ matrix_ldap_registration_proxy_registration_endpoint }} { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_ldap_registration_proxy_registration_addr_with_container }}"; - proxy_pass http://$backend/register; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_ldap_registration_proxy_registration_addr_sans_container }}/register; - {% endif %} - } - - - name: Register Matrix LDAP registration proxy proxying configuration with matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) - + - [matrix_ldap_registration_proxy_matrix_nginx_proxy_configuration] - }} - - name: Warn about reverse-proxying if matrix-nginx-proxy not used - ansible.builtin.debug: - msg: >- - NOTE: You've enabled the Matrix LDAP registration proxy bridge but are not using the matrix-nginx-proxy - reverse proxy. 
- Please make sure that you're proxying the `{{ matrix_ldap_registration_proxy_public_endpoint }}` - URL endpoint to the matrix-ldap-proxy container. - You can expose the container's port using the `matrix_ldap_registration_proxy_container_http_host_bind_port` variable. - when: "not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-ldap-registration-proxy/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-ldap-registration-proxy/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..472503c9a --- /dev/null +++ b/roles/custom/matrix-ldap-registration-proxy/tasks/inject_into_nginx_proxy.yml 
@@ -0,0 +1,44 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append Matrix LDAP registration proxy's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-telegram role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- name: Generate Matrix LDAP registration proxy proxying configuration for matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_ldap_registration_proxy_matrix_nginx_proxy_configuration: | + location {{ matrix_ldap_registration_proxy_registration_endpoint }} { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_ldap_registration_proxy_registration_addr_with_container }}"; + proxy_pass http://$backend/register; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_ldap_registration_proxy_registration_addr_sans_container }}/register; + {% endif %} + } + +- name: Register Matrix LDAP registration proxy proxying configuration with matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) + + + [matrix_ldap_registration_proxy_matrix_nginx_proxy_configuration] + }} + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + ansible.builtin.debug: + msg: >- + NOTE: You've enabled the Matrix LDAP registration proxy bridge but are not using the matrix-nginx-proxy + reverse proxy. 
+ Please make sure that you're proxying the `{{ matrix_ldap_registration_proxy_public_endpoint }}` + URL endpoint to the matrix-ldap-proxy container. + You can expose the container's port using the `matrix_ldap_registration_proxy_container_http_host_bind_port` variable. + when: "not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-ldap-registration-proxy/tasks/main.yml b/roles/custom/matrix-ldap-registration-proxy/tasks/main.yml index 5815774ec..1bba9ad1d 100644 --- a/roles/custom/matrix-ldap-registration-proxy/tasks/main.yml +++ b/roles/custom/matrix-ldap-registration-proxy/tasks/main.yml @@ -1,8 +1,10 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" +- when: matrix_ldap_registration_proxy_enabled | bool + ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - - always + - setup-all + - setup-nginx-proxy - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_ldap_registration_proxy_enabled | bool" diff --git a/roles/custom/matrix-prometheus-node-exporter/tasks/init.yml b/roles/custom/matrix-prometheus-node-exporter/tasks/init.yml deleted file mode 100644 index eda1b755d..000000000 --- a/roles/custom/matrix-prometheus-node-exporter/tasks/init.yml +++ /dev/null 
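Review bot: The message in the `Fail if matrix-nginx-proxy role already executed` task tells the user to order matrix-nginx-proxy after `the matrix-bridge-mautrix-telegram role`, but this file belongs to matrix-ldap-registration-proxy, so the hint points at the wrong role. The line should read `so that the matrix-nginx-proxy role would run after the matrix-ldap-registration-proxy role.`. The text was carried over unchanged from the deleted `tasks/init.yml`, so the move was the natural moment to correct it.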
@@ -1,37 +0,0 @@ ---- - -- when: matrix_prometheus_node_exporter_enabled | bool and matrix_prometheus_node_exporter_metrics_proxying_enabled | bool - block: - - name: Fail if matrix-nginx-proxy role already executed - ansible.builtin.fail: - msg: >- - Trying to append node-exporter's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your playbook, - so that the matrix-nginx-proxy role would run after the matrix-prometheus-node-exporter role. - when: matrix_nginx_proxy_role_executed | default(False) | bool - - - name: Generate node-exporter metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/node-exporter) - ansible.builtin.set_fact: - matrix_prometheus_node_exporter_nginx_metrics_configuration_block: | - location /metrics/node-exporter { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-prometheus-node-exporter:9100"; - proxy_pass http://$backend/metrics; - {% elif matrix_prometheus_node_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host != '' %} - proxy_pass http://{{ matrix_prometheus_node_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host }}/metrics; - {% else %} - return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; - {% endif %} - } - - - name: Register node-exporter metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/node-exporter) - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) - + - [matrix_prometheus_node_exporter_nginx_metrics_configuration_block] - }} 
diff --git a/roles/custom/matrix-prometheus-node-exporter/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-prometheus-node-exporter/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..24e05ed8d --- /dev/null +++ b/roles/custom/matrix-prometheus-node-exporter/tasks/inject_into_nginx_proxy.yml 
@@ -0,0 +1,35 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append node-exporter's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-prometheus-node-exporter role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- name: Generate node-exporter metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/node-exporter) + ansible.builtin.set_fact: + matrix_prometheus_node_exporter_nginx_metrics_configuration_block: | + location /metrics/node-exporter { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-prometheus-node-exporter:9100"; + proxy_pass http://$backend/metrics; + {% elif matrix_prometheus_node_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host != '' %} + proxy_pass http://{{ matrix_prometheus_node_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host }}/metrics; + {% else %} + return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; + {% endif %} + } + +- name: Register node-exporter metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/node-exporter) + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) + + + [matrix_prometheus_node_exporter_nginx_metrics_configuration_block] + }} diff --git a/roles/custom/matrix-prometheus-node-exporter/tasks/main.yml b/roles/custom/matrix-prometheus-node-exporter/tasks/main.yml index 81b0c7022..145adfdd0 100644 
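Review bot: The `location /metrics/node-exporter` block carries no access control of its own, and neither does the matching `location /metrics/postgres-exporter` block in the postgres-exporter inject file later in this commit; both presumably rely on whatever matrix-nginx-proxy wraps around the `..._metrics_additional_system_location_configuration_blocks` entries, which is not visible in this diff. Since these fragments expose host and database metrics under the public matrix domain, a comment at the top of the `set_fact` making that dependency explicit would help anyone auditing exposure, e.g. `{# Authentication for /metrics is expected to be enforced by matrix-nginx-proxy's enclosing metrics location; this block only routes to the exporter #}`.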
--- a/roles/custom/matrix-prometheus-node-exporter/tasks/main.yml +++ b/roles/custom/matrix-prometheus-node-exporter/tasks/main.yml @@ -1,8 +1,10 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" +- when: matrix_prometheus_node_exporter_enabled | bool and matrix_prometheus_node_exporter_metrics_proxying_enabled | bool + ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - - always + - setup-all + - setup-nginx-proxy - ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup.yml" tags: diff --git a/roles/custom/matrix-prometheus-postgres-exporter/tasks/init.yml b/roles/custom/matrix-prometheus-postgres-exporter/tasks/init.yml deleted file mode 100644 index d409e2dd1..000000000 --- a/roles/custom/matrix-prometheus-postgres-exporter/tasks/init.yml +++ /dev/null 
@@ -1,37 +0,0 @@ ---- - -- when: matrix_prometheus_node_exporter_enabled | bool and matrix_prometheus_node_exporter_metrics_proxying_enabled | bool - block: - - name: Fail if matrix-nginx-proxy role already executed - ansible.builtin.fail: - msg: >- - Trying to append postgres-exporter's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your playbook, - so that the matrix-nginx-proxy role would run after the matrix-prometheus-postgres-exporter role. - when: matrix_nginx_proxy_role_executed | default(False) | bool - - - name: Generate postgres-exporter metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/postgres-exporter) - ansible.builtin.set_fact: - matrix_prometheus_postgres_exporter_nginx_metrics_configuration_block: | - location /metrics/postgres-exporter { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-prometheus-postgres-exporter:9187"; - proxy_pass http://$backend/metrics; - {% elif matrix_prometheus_postgres_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host != '' %} - proxy_pass http://{{ matrix_prometheus_postgres_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host }}/metrics; - {% else %} - return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; - {% endif %} - } - - - name: Register postgres-exporter metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/postgres-exporter) - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) - + - 
[matrix_prometheus_postgres_exporter_nginx_metrics_configuration_block] - }} diff --git a/roles/custom/matrix-prometheus-postgres-exporter/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-prometheus-postgres-exporter/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..121efc17b --- /dev/null +++ b/roles/custom/matrix-prometheus-postgres-exporter/tasks/inject_into_nginx_proxy.yml 
@@ -0,0 +1,35 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append postgres-exporter's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-prometheus-postgres-exporter role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- name: Generate postgres-exporter metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/postgres-exporter) + ansible.builtin.set_fact: + matrix_prometheus_postgres_exporter_nginx_metrics_configuration_block: | + location /metrics/postgres-exporter { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-prometheus-postgres-exporter:9187"; + proxy_pass http://$backend/metrics; + {% elif matrix_prometheus_postgres_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host != '' %} + proxy_pass http://{{ matrix_prometheus_postgres_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host }}/metrics; + {% else %} + return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; + {% endif %} + } + +- name: Register postgres-exporter metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/postgres-exporter) + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) + + + [matrix_prometheus_postgres_exporter_nginx_metrics_configuration_block] + }} 
diff --git a/roles/custom/matrix-prometheus-postgres-exporter/tasks/main.yml b/roles/custom/matrix-prometheus-postgres-exporter/tasks/main.yml index 434735877..59911efbe 100644 --- a/roles/custom/matrix-prometheus-postgres-exporter/tasks/main.yml +++ b/roles/custom/matrix-prometheus-postgres-exporter/tasks/main.yml @@ -1,8 +1,10 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" +- when: matrix_prometheus_node_exporter_enabled | bool and matrix_prometheus_node_exporter_metrics_proxying_enabled | bool + ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - - always + - setup-all + - setup-nginx-proxy - ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup.yml" tags: diff --git a/roles/custom/matrix-registration/tasks/init.yml b/roles/custom/matrix-registration/tasks/init.yml deleted file mode 100644 index a295cdfbe..000000000 --- a/roles/custom/matrix-registration/tasks/init.yml +++ /dev/null 
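Review bot: The new `when:` on the import in matrix-prometheus-postgres-exporter's `tasks/main.yml` tests `matrix_prometheus_node_exporter_enabled` and `matrix_prometheus_node_exporter_metrics_proxying_enabled`, i.e. the node-exporter role's variables rather than this role's. As a result the postgres-exporter proxying block is injected whenever node-exporter proxying is on, even with postgres-exporter disabled, producing a `/metrics/postgres-exporter` location that points at a container that may not exist, and it is skipped when only postgres-exporter proxying is enabled. The condition was copied from the deleted `init.yml`, which had the same mistake; it should use this role's own flags, `when: matrix_prometheus_postgres_exporter_enabled | bool and matrix_prometheus_postgres_exporter_metrics_proxying_enabled | bool`, assuming those are the names in the role's defaults (they are not visible in this diff).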
@@ -1,59 +0,0 @@ ---- - -- when: matrix_registration_enabled | bool - tags: - - always - block: - - name: Fail if matrix-nginx-proxy role already executed - ansible.builtin.fail: - msg: >- - Trying to append matrix-registration's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your playbook, - so that the matrix-nginx-proxy role would run after the matrix-registration role. - when: matrix_nginx_proxy_role_executed | default(False) | bool - - - name: Generate matrix-registration proxying configuration for matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_registration_matrix_nginx_proxy_configuration: | - rewrite ^{{ matrix_registration_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_registration_public_endpoint }}/ permanent; - rewrite ^{{ matrix_registration_public_endpoint }}/$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_registration_public_endpoint }}/register redirect; - - location ~ ^{{ matrix_registration_public_endpoint }}/(.*) { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-registration:5000"; - proxy_pass http://$backend/$1; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:8767/$1; - {% endif %} - - {# - Workaround matrix-registration serving the background image at /static - (see https://github.com/ZerataX/matrix-registration/issues/47) - #} - sub_filter_once off; - sub_filter_types text/css; - sub_filter "/static/" "{{ matrix_registration_public_endpoint }}/static/"; - } - - - name: Register matrix-registration proxying configuration with matrix-nginx-proxy - ansible.builtin.set_fact: - 
matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) - + - [matrix_registration_matrix_nginx_proxy_configuration] - }} - -- name: Warn about reverse-proxying if matrix-nginx-proxy not used - ansible.builtin.debug: - msg: >- - NOTE: You've enabled the matrix-registration tool but are not using the matrix-nginx-proxy - reverse proxy. - Please make sure that you're proxying the `{{ matrix_registration_public_endpoint }}` - URL endpoint to the matrix-registration container. - You can expose the container's port using the `matrix_registration_container_http_host_bind_port` variable. - when: "matrix_registration_enabled | bool and not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-registration/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-registration/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..ac8f4c96a --- /dev/null +++ b/roles/custom/matrix-registration/tasks/inject_into_nginx_proxy.yml 
@@ -0,0 +1,55 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append matrix-registration's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-registration role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- name: Generate matrix-registration proxying configuration for matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_registration_matrix_nginx_proxy_configuration: | + rewrite ^{{ matrix_registration_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_registration_public_endpoint }}/ permanent; + rewrite ^{{ matrix_registration_public_endpoint }}/$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_registration_public_endpoint }}/register redirect; + + location ~ ^{{ matrix_registration_public_endpoint }}/(.*) { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-registration:5000"; + proxy_pass http://$backend/$1; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:8767/$1; + {% endif %} + + {# + Workaround matrix-registration serving the background image at /static + (see https://github.com/ZerataX/matrix-registration/issues/47) + #} + sub_filter_once off; + sub_filter_types text/css; + sub_filter "/static/" "{{ matrix_registration_public_endpoint }}/static/"; + } + +- name: Register matrix-registration proxying configuration with matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + 
matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) + + + [matrix_registration_matrix_nginx_proxy_configuration] + }} + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + ansible.builtin.debug: + msg: >- + NOTE: You've enabled the matrix-registration tool but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_registration_public_endpoint }}` + URL endpoint to the matrix-registration container. + You can expose the container's port using the `matrix_registration_container_http_host_bind_port` variable. + when: "not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-registration/tasks/main.yml b/roles/custom/matrix-registration/tasks/main.yml index 99b89e3da..1b129b2c9 100644 --- a/roles/custom/matrix-registration/tasks/main.yml +++ b/roles/custom/matrix-registration/tasks/main.yml @@ -1,8 +1,10 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" +- when: matrix_registration_enabled | bool + ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - - always + - setup-all + - setup-nginx-proxy - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_registration_enabled | bool" diff --git a/roles/custom/matrix-synapse-admin/tasks/init.yml b/roles/custom/matrix-synapse-admin/tasks/init.yml deleted file mode 100644 index 78ebbdecb..000000000 --- a/roles/custom/matrix-synapse-admin/tasks/init.yml +++ /dev/null 
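Review bot: `matrix_registration_public_endpoint` is interpolated unescaped into a regex location (`location ~ ^{{ matrix_registration_public_endpoint }}/(.*)`), so any regex metacharacter in the endpoint value changes what the location matches, and the captured `$1` is then forwarded verbatim through `proxy_pass http://$backend/$1;`. Ansible's `regex_escape` filter covers this, e.g. `location ~ ^{{ matrix_registration_public_endpoint | regex_escape }}/(.*) {`, and the two `rewrite ^...$` lines above it would want the same treatment. The Synapse Admin inject file further down in this commit uses the identical pattern with `matrix_synapse_admin_public_endpoint`, and the Etherpad inject file's `rewrite` line shares the issue. If the endpoint is known to be a fixed, metacharacter-free path, a comment stating that assumption next to the location would suffice instead.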
@@ -1,50 +0,0 @@ ---- - -- when: matrix_synapse_admin_enabled | bool - tags: - - always - block: - - name: Fail if matrix-nginx-proxy role already executed - ansible.builtin.fail: - msg: >- - Trying to append Synapse Admin's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your playbook, - so that the matrix-nginx-proxy role would run after the matrix-synapse-admin role. - when: matrix_nginx_proxy_role_executed | default(False) | bool - - - name: Generate Synapse Admin proxying configuration for matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_synapse_admin_matrix_nginx_proxy_configuration: | - rewrite ^{{ matrix_synapse_admin_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_synapse_admin_public_endpoint }}/ permanent; - - location ~ ^{{ matrix_synapse_admin_public_endpoint }}/(.*) { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-synapse-admin:80"; - proxy_pass http://$backend/$1; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:8766/$1; - {% endif %} - } - - - name: Register Synapse Admin proxying configuration with matrix-nginx-proxy - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) - + - [matrix_synapse_admin_matrix_nginx_proxy_configuration] - }} - -- name: Warn about reverse-proxying if matrix-nginx-proxy not used - ansible.builtin.debug: - msg: >- - NOTE: You've enabled the Synapse Admin tool but are not using the matrix-nginx-proxy - reverse proxy. 
- Please make sure that you're proxying the `{{ matrix_synapse_admin_public_endpoint }}` - URL endpoint to the matrix-synapse-admin container. - You can expose the container's port using the `matrix_synapse_admin_container_http_host_bind_port` variable. - when: "matrix_synapse_admin_enabled | bool and not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-synapse-admin/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-synapse-admin/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..6a4af859c --- /dev/null +++ b/roles/custom/matrix-synapse-admin/tasks/inject_into_nginx_proxy.yml 
@@ -0,0 +1,46 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append Synapse Admin's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-synapse-admin role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- name: Generate Synapse Admin proxying configuration for matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_synapse_admin_matrix_nginx_proxy_configuration: | + rewrite ^{{ matrix_synapse_admin_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_synapse_admin_public_endpoint }}/ permanent; + + location ~ ^{{ matrix_synapse_admin_public_endpoint }}/(.*) { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-synapse-admin:80"; + proxy_pass http://$backend/$1; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:8766/$1; + {% endif %} + } + +- name: Register Synapse Admin proxying configuration with matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) + + + [matrix_synapse_admin_matrix_nginx_proxy_configuration] + }} + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + ansible.builtin.debug: + msg: >- + NOTE: You've enabled the Synapse Admin tool but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_synapse_admin_public_endpoint }}` + URL endpoint to the matrix-synapse-admin container. 
+ You can expose the container's port using the `matrix_synapse_admin_container_http_host_bind_port` variable. + when: "not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-synapse-admin/tasks/main.yml b/roles/custom/matrix-synapse-admin/tasks/main.yml index 0c6bd942c..fed3dec64 100644 --- a/roles/custom/matrix-synapse-admin/tasks/main.yml +++ b/roles/custom/matrix-synapse-admin/tasks/main.yml @@ -1,8 +1,10 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" +- when: matrix_synapse_admin_enabled | bool + ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - - always + - setup-all + - setup-nginx-proxy - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: run_setup | bool diff --git a/roles/custom/matrix-synapse/tasks/init.yml b/roles/custom/matrix-synapse/tasks/inject_into_nginx_proxy.yml similarity index 92% rename from roles/custom/matrix-synapse/tasks/init.yml rename to roles/custom/matrix-synapse/tasks/inject_into_nginx_proxy.yml index 635ef8f2c..f3ce0bf8f 100644 --- a/roles/custom/matrix-synapse/tasks/init.yml +++ b/roles/custom/matrix-synapse/tasks/inject_into_nginx_proxy.yml 
@@ -2,17 +2,17 @@ # Unless `matrix_synapse_workers_enabled_list` is explicitly defined, # we'll generate it dynamically. -- ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/workers/init.yml" - when: "matrix_synapse_enabled and matrix_synapse_workers_enabled and matrix_synapse_workers_enabled_list | length == 0" +- ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/workers/inject_into_nginx_proxy.yml" + when: "matrix_synapse_workers_enabled | bool and matrix_synapse_workers_enabled_list | length == 0" - name: Ensure workers are injected into various places ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/workers/util/inject_worker.yml" with_items: "{{ matrix_synapse_workers_enabled_list }}" loop_control: loop_var: matrix_synapse_worker_details - when: matrix_synapse_enabled | bool and matrix_synapse_workers_enabled | bool + when: matrix_synapse_workers_enabled | bool -- when: matrix_synapse_enabled | bool and matrix_synapse_metrics_proxying_enabled | bool +- when: matrix_synapse_metrics_proxying_enabled | bool block: - name: Fail if matrix-nginx-proxy role already executed ansible.builtin.fail: diff --git a/roles/custom/matrix-synapse/tasks/main.yml b/roles/custom/matrix-synapse/tasks/main.yml index 7068dcefc..0cd35eb6e 100644 --- a/roles/custom/matrix-synapse/tasks/main.yml +++ b/roles/custom/matrix-synapse/tasks/main.yml @@ -1,8 +1,19 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" +- when: matrix_synapse_enabled | bool + ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - - always + - setup-all + - setup-synapse + - start + - start-all + - start-group + - restart + - restart-all + - restart-group + - stop + - stop-all + - stop-group - ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" when: run_setup | bool and matrix_synapse_enabled | bool 
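Review bot: The include at the top of the renamed file now points at `synapse/workers/inject_into_nginx_proxy.yml`, but the comment above it still describes that file as the one that generates `matrix_synapse_workers_enabled_list` dynamically, and the rename-only entry at the end of this diff shows its content is unchanged, so a worker-list generator is now named as if it injected into nginx. Either keep a neutral name for that helper or update the comment to say the file both builds the workers list and feeds the nginx injection, so the name and the comment agree. The `block:` guarded by `matrix_synapse_metrics_proxying_enabled` at the end of the hunk continues outside it.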
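Review bot: The tag list added to the `inject_into_nginx_proxy.yml` import in matrix-synapse's `tasks/main.yml` has `setup-all`, `setup-synapse` and the start/stop/restart tags but not `setup-nginx-proxy`, while every other role touched by this commit tags its inject import with `setup-all` and `setup-nginx-proxy`. A run limited to `--tags=setup-nginx-proxy` would therefore pick up the other roles' proxy fragments but skip Synapse's (the tasks in the renamed file that check `matrix_nginx_proxy_role_executed`), which looks unintended given that file's name. Adding `- setup-nginx-proxy` to the list keeps the roles consistent, or, if the omission is deliberate, a comment on the import should say why.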
diff --git a/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml b/roles/custom/matrix-synapse/tasks/synapse/workers/inject_into_nginx_proxy.yml similarity index 100% rename from roles/custom/matrix-synapse/tasks/synapse/workers/init.yml rename to roles/custom/matrix-synapse/tasks/synapse/workers/inject_into_nginx_proxy.yml From 07c23b7cb0512951a9a5a553a177443819a25109 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 23 Nov 2022 16:13:07 +0200 Subject: [PATCH 058/915] Remove matrix_synapse_role_executed and various tasks that check it This was useful when the order of these roles in relation to Synapse mattered (when we were injecting stuff into Synapse variables during runtime). This is no longer the case since 0ea7cb5d1812a88, so all of this can be removed. --- .../tasks/setup_install.yml | 8 -------- .../tasks/setup_install.yml | 7 ------- .../tasks/setup_install.yml | 8 -------- .../tasks/setup_install.yml | 8 -------- .../tasks/setup_install.yml | 8 -------- .../tasks/setup_install.yml | 8 -------- .../tasks/setup_install.yml | 8 -------- .../tasks/setup_install.yml | 7 ------- .../matrix-bridge-mautrix-signal/tasks/setup_install.yml | 8 -------- .../tasks/setup_install.yml | 8 -------- .../tasks/setup_install.yml | 8 -------- .../tasks/setup_install.yml | 8 -------- .../tasks/setup_install.yml | 8 -------- .../tasks/setup_install.yml | 8 -------- .../tasks/setup_install.yml | 9 --------- .../tasks/setup_install.yml | 8 -------- .../tasks/setup_install.yml | 8 -------- .../tasks/setup_install.yml | 8 -------- roles/custom/matrix-synapse/tasks/main.yml | 6 ------ roles/custom/matrix-synapse/vars/main.yml | 3 --- 20 files changed, 152 deletions(-) diff --git a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/setup_install.yml b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/setup_install.yml index 2f5b6be15..89a0de0b7 100644 --- a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/setup_install.yml 
+++ b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/setup_install.yml @@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-matrix-appservice-kakaotalk role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - name: Ensure matrix-appservice-kakaotalk image is pulled community.docker.docker_image: name: "{{ matrix_appservice_kakaotalk_docker_image }}" diff --git a/roles/custom/matrix-bridge-beeper-linkedin/tasks/setup_install.yml b/roles/custom/matrix-bridge-beeper-linkedin/tasks/setup_install.yml index 8784b6311..1dff0912b 100644 --- a/roles/custom/matrix-bridge-beeper-linkedin/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-beeper-linkedin/tasks/setup_install.yml @@ -1,12 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-beeper-linkedin role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - name: Ensure Beeper LinkedIn paths exists ansible.builtin.file: path: "{{ item.path }}" diff --git a/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml b/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml index 68718ccf3..de1d0cb5e 100644 --- a/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml 
@@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-go-skype-bridge role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - ansible.builtin.set_fact: matrix_go_skype_bridge_requires_restart: false diff --git a/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_install.yml index 06bae8dd0..3864c3b57 100644 --- a/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_install.yml @@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mautrix-discord role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - ansible.builtin.set_fact: matrix_mautrix_discord_requires_restart: false diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index 50a024270..4e3f16e62 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml 
@@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mautrix-facebook role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - ansible.builtin.set_fact: matrix_mautrix_facebook_requires_restart: false diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml index daadcba24..095d6cccd 100644 --- a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml @@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mautrix-googlechat role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - ansible.builtin.set_fact: matrix_mautrix_googlechat_requires_restart: false diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml index a846a7b06..e4a43c0ba 100644 --- a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml 
@@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mautrix-hangouts role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - ansible.builtin.set_fact: matrix_mautrix_hangouts_requires_restart: false diff --git a/roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_install.yml index 19a2ff9ae..878bdceb5 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_install.yml @@ -1,11 +1,4 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mautrix-instagram role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - name: Ensure Mautrix instagram image is pulled community.docker.docker_image: diff --git a/roles/custom/matrix-bridge-mautrix-signal/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-signal/tasks/setup_install.yml index f5a162a3c..c2f518f37 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/tasks/setup_install.yml 
@@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mautrix-signal role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - name: Ensure Mautrix Signal image is pulled community.docker.docker_image: name: "{{ matrix_mautrix_signal_docker_image }}" diff --git a/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index ba9c450fa..c4c485817 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mautrix-telegram role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - ansible.builtin.set_fact: matrix_mautrix_telegram_requires_restart: false diff --git a/roles/custom/matrix-bridge-mautrix-twitter/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-twitter/tasks/setup_install.yml index c3ab2d4e7..f68360beb 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-twitter/tasks/setup_install.yml 
@@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mautrix-twitter role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - ansible.builtin.set_fact: matrix_mautrix_twitter_requires_restart: false diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml index 6b376946d..4338a691f 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml @@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mautrix-whatsapp role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - ansible.builtin.set_fact: matrix_mautrix_whatsapp_requires_restart: false diff --git a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml index 3b119745c..097e0b69b 100644 --- a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml 
@@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mx-puppet-discord role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - name: Ensure MX Puppet Discord paths exist ansible.builtin.file: path: "{{ item.path }}" diff --git a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml index 400de9c58..9022492f9 100644 --- a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml @@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mx-puppet-groupme role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - name: Ensure MX Puppet Groupme paths exist ansible.builtin.file: path: "{{ item.path }}" diff --git a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml index c98535e3b..640fd6e34 100644 --- a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml 
@@ -1,14 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mx-puppet-instagram role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - - ansible.builtin.set_fact: matrix_mx_puppet_instagram_requires_restart: false diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml index e5d837633..4f8da659e 100644 --- a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml @@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mx-puppet-slack role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - name: Ensure MX Puppet Slack paths exist ansible.builtin.file: path: "{{ item.path }}" diff --git a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml index 988544691..14258f2e7 100644 --- a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml 
@@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mx-puppet-steam role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - name: Ensure MX Puppet Steam paths exist ansible.builtin.file: path: "{{ item.path }}" diff --git a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml index d5ebec74e..2ae45d260 100644 --- a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml @@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mx-puppet-twitter role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - name: Ensure MX Puppet Twitter paths exist ansible.builtin.file: path: "{{ item.path }}" diff --git a/roles/custom/matrix-synapse/tasks/main.yml b/roles/custom/matrix-synapse/tasks/main.yml index 0cd35eb6e..87c76ab79 100644 --- a/roles/custom/matrix-synapse/tasks/main.yml +++ b/roles/custom/matrix-synapse/tasks/main.yml @@ -60,9 +60,3 @@ when: run_synapse_rust_synapse_compress_state | bool tags: - rust-synapse-compress-state - -- name: Mark matrix-synapse role as executed - ansible.builtin.set_fact: - matrix_synapse_role_executed: true - tags: - - always diff --git a/roles/custom/matrix-synapse/vars/main.yml b/roles/custom/matrix-synapse/vars/main.yml index 4da284106..18bb5e18d 100644 --- a/roles/custom/matrix-synapse/vars/main.yml +++ b/roles/custom/matrix-synapse/vars/main.yml 
@@ -3,9 +3,6 @@ matrix_synapse_client_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/client/versions" matrix_synapse_federation_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version" -# Tells whether this role had executed or not. Toggled to `true` during runtime. -matrix_synapse_role_executed: false - matrix_synapse_media_store_directory_name: "{{ matrix_synapse_media_store_path | basename }}" # A Synapse generic worker can handle both federation and client-server API endpoints. From 8c180306ab8b7c813db8d307f1640444ed1b28f3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 23 Nov 2022 16:14:59 +0200 Subject: [PATCH 059/915] Remove unnecessary matrix_conduit_role_executed --- roles/custom/matrix-conduit/tasks/main.yml | 6 ------ roles/custom/matrix-conduit/vars/main.yml | 3 --- 2 files changed, 9 deletions(-) diff --git a/roles/custom/matrix-conduit/tasks/main.yml b/roles/custom/matrix-conduit/tasks/main.yml index 94e50103c..85ad539b7 100644 --- a/roles/custom/matrix-conduit/tasks/main.yml +++ b/roles/custom/matrix-conduit/tasks/main.yml @@ -5,9 +5,3 @@ tags: - setup-all - setup-conduit - -- name: Mark matrix-conduit role as executed - ansible.builtin.set_fact: - matrix_conduit_role_executed: true - tags: - - always diff --git a/roles/custom/matrix-conduit/vars/main.yml b/roles/custom/matrix-conduit/vars/main.yml index f6cc471bf..ad60e1c3e 100644 --- a/roles/custom/matrix-conduit/vars/main.yml +++ b/roles/custom/matrix-conduit/vars/main.yml @@ -1,6 +1,3 @@ --- matrix_conduit_client_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/client/versions" matrix_conduit_federation_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version" - -# Tells whether this role had executed or not. Toggled to `true` during runtime. -matrix_conduit_role_executed: false 
From dd4f8df9056bcb7a5b23f8ef68f8ee50f956bc67 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 23 Nov 2022 16:15:33 +0200 Subject: [PATCH 060/915] Remove unnecessary matrix_dendrite_role_executed --- roles/custom/matrix-dendrite/tasks/main.yml | 6 ------ roles/custom/matrix-dendrite/vars/main.yml | 3 --- 2 files changed, 9 deletions(-) diff --git a/roles/custom/matrix-dendrite/tasks/main.yml b/roles/custom/matrix-dendrite/tasks/main.yml index 639ad6e28..5a5b04dee 100644 --- a/roles/custom/matrix-dendrite/tasks/main.yml +++ b/roles/custom/matrix-dendrite/tasks/main.yml @@ -30,9 +30,3 @@ when: run_self_check | bool and matrix_dendrite_enabled | bool tags: - self-check - -- name: Mark matrix-dendrite role as executed - ansible.builtin.set_fact: - matrix_dendrite_role_executed: true - tags: - - always diff --git a/roles/custom/matrix-dendrite/vars/main.yml b/roles/custom/matrix-dendrite/vars/main.yml index fcf020c2c..1e7aa378b 100644 --- a/roles/custom/matrix-dendrite/vars/main.yml +++ b/roles/custom/matrix-dendrite/vars/main.yml @@ -2,9 +2,6 @@ matrix_dendrite_client_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/client/versions" matrix_dendrite_federation_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version" -# Tells whether this role had executed or not. Toggled to `true` during runtime. -matrix_dendrite_role_executed: false - matrix_dendrite_media_store_parent_path: "{{ matrix_dendrite_media_store_path | dirname }}" matrix_dendrite_media_store_directory_name: "{{ matrix_dendrite_media_store_path | basename }}" From 4d881477a34a144a8d31d6c47825a752376019d1 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Wed, 23 Nov 2022 16:56:39 +0200 Subject: [PATCH 061/915] Add matrix_homeserver_enabled variable We need this to control whether `('matrix-' + matrix_homeserver_implementation + '.service')` would get injected into `devture_systemd_service_manager_services_list_auto` --- group_vars/matrix_servers | 2 +- roles/custom/matrix-base/defaults/main.yml | 10 ++++++++++ roles/custom/matrix-base/tasks/main.yml | 2 +- .../tasks/{sanity_check.yml => validate_config.yml} | 0 4 files changed, 12 insertions(+), 2 deletions(-) rename roles/custom/matrix-base/tasks/{sanity_check.yml => validate_config.yml} (100%) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index c2ed002c2..b53ad0e88 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -249,7 +249,7 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-client-hydrogen.service', 'priority': 2000, 'groups': ['matrix', 'clients', 'hydrogen']}] if matrix_client_hydrogen_enabled else []) + - ([{'name': ('matrix-' + matrix_homeserver_implementation + '.service'), 'priority': 1000, 'groups': ['matrix', 'homeservers', matrix_homeserver_implementation]}]) + ([{'name': ('matrix-' + matrix_homeserver_implementation + '.service'), 'priority': 1000, 'groups': ['matrix', 'homeservers', matrix_homeserver_implementation]}] if matrix_homeserver_enabled else []) + ([{'name': 'matrix-corporal.service', 'priority': 1500, 'groups': ['matrix', 'corporal']}] if matrix_corporal_enabled else []) + diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index 768bc6ec8..34d8c65b2 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml @@ -1,4 +1,5 @@ --- + # The bare domain name which represents your Matrix identity. # Matrix user ids for your server will be of the form (`@user:`). # 
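Review bot: With `matrix_homeserver_enabled: false` the homeserver entry drops out of `devture_systemd_service_manager_services_list_auto`, but the entries that follow it in the same expression — the visible `matrix-corporal.service` line directly below — stay gated only on their own `_enabled` flags, so they would presumably still be auto-managed while the homeserver service they front is not. If that is the intended contract for wrapping playbooks, the comment added in `roles/custom/matrix-base/defaults/main.yml` should say that dependent services are not gated by this variable; otherwise those conditions should read `if matrix_corporal_enabled and matrix_homeserver_enabled else []` (and likewise for the other homeserver-dependent entries). The rest of the list expression lies outside the hunk.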
@@ -12,6 +13,15 @@ matrix_domain: ~ # Example value: "@someone:{{ matrix_domain }}" matrix_admin: '' +# matrix_homeserver_enabled controls whether to enable the homeserver systemd service, etc. +# +# Unless you're wrapping this playbook in another one +# where you optionally wish to disable homeserver integration, you don't need to use this. +# +# Note: disabling this does not mean that a homeserver won't get installed. +# Whether homeserver software is installed depends on other (`matrix_HOMESERVER_enabled`) variables - see `group_vars/matrix_servers`. +matrix_homeserver_enabled: true + # Homeserver admin contacts and support page as per MSC 1929 # See: https://github.com/matrix-org/matrix-spec-proposals/pull/1929 # Users in form: diff --git a/roles/custom/matrix-base/tasks/main.yml b/roles/custom/matrix-base/tasks/main.yml index 67a3208ed..97f0381d1 100644 --- a/roles/custom/matrix-base/tasks/main.yml +++ b/roles/custom/matrix-base/tasks/main.yml @@ -1,6 +1,6 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/sanity_check.yml" +- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" tags: - setup-all diff --git a/roles/custom/matrix-base/tasks/sanity_check.yml b/roles/custom/matrix-base/tasks/validate_config.yml similarity index 100% rename from roles/custom/matrix-base/tasks/sanity_check.yml rename to roles/custom/matrix-base/tasks/validate_config.yml From 787a82d6e81693ad649399c0e44b92fc66adf172 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 23 Nov 2022 17:07:52 +0200 Subject: [PATCH 062/915] Combine matrix user/group set_fact calls into one --- roles/custom/matrix-base/tasks/setup_matrix_user.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/roles/custom/matrix-base/tasks/setup_matrix_user.yml b/roles/custom/matrix-base/tasks/setup_matrix_user.yml index 0435b7a3c..0c9086e59 100644 --- a/roles/custom/matrix-base/tasks/setup_matrix_user.yml 
+++ b/roles/custom/matrix-base/tasks/setup_matrix_user.yml @@ -7,10 +7,6 @@ state: present register: matrix_group -- name: Set Matrix Group GID Variable - ansible.builtin.set_fact: - matrix_user_gid: "{{ matrix_group.gid }}" - - name: Ensure Matrix user is created ansible.builtin.user: name: "{{ matrix_user_username }}" @@ -22,6 +18,7 @@ system: true register: matrix_user -- name: Set Matrix Group UID Variable +- name: Initialize matrix_user_uid and matrix_user_gid ansible.builtin.set_fact: matrix_user_uid: "{{ matrix_user.uid }}" + matrix_user_gid: "{{ matrix_group.gid }}" From e05b4c78c72eaf46bef1a703995f6aa08ff89bc5 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 23 Nov 2022 16:02:28 +0000 Subject: [PATCH 063/915] Update grafana 9.2.5 -> 9.2.6 --- roles/custom/matrix-grafana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-grafana/defaults/main.yml b/roles/custom/matrix-grafana/defaults/main.yml index 7f60a8096..fa55c9c2e 100644 --- a/roles/custom/matrix-grafana/defaults/main.yml +++ b/roles/custom/matrix-grafana/defaults/main.yml @@ -5,7 +5,7 @@ matrix_grafana_enabled: true -matrix_grafana_version: 9.2.5 +matrix_grafana_version: 9.2.6 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" From 86f495f461a15cdff3193c71f8a3ce345e5a63cd Mon Sep 17 00:00:00 2001 From: Jaden Down <24631328+jpdown@users.noreply.github.com> Date: Wed, 23 Nov 2022 19:08:52 -0600 Subject: [PATCH 064/915] Add service declaration to sample traefik config --- docs/configuring-playbook-own-webserver.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 83fd42048..76d485877 100644 --- a/docs/configuring-playbook-own-webserver.md 
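Review bot: `matrix_user_gid` is now defined only after the `Ensure Matrix user is created` task, whereas the set_fact removed in the first hunk defined it immediately after `matrix_group` was registered. If that user task (its body is mostly outside the two hunks) or anything between them reads `matrix_user_gid` — for example to pin the user's primary group — the fact would now be undefined at that point. Worth confirming the task references `matrix_group.gid` or the group name directly; if it uses `matrix_user_gid`, the GID assignment should stay before the user task rather than being folded into the combined set_fact.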
+++ b/docs/configuring-playbook-own-webserver.md @@ -176,6 +176,8 @@ matrix_nginx_proxy_container_extra_arguments: - '--label "traefik.http.routers.matrix-nginx-proxy.entrypoints=web-secure"' # (The 'default' certificate resolver must be defined in Traefik config) - '--label "traefik.http.routers.matrix-nginx-proxy.tls.certResolver=default"' + # Traefik requires that we declare which service this router is using + - '--label "traefik.http.routers.matrix-nginx-proxy.service=matrix-nginx-proxy"' # The Nginx proxy container uses port 8080 internally - '--label "traefik.http.services.matrix-nginx-proxy.loadbalancer.server.port=8080"' @@ -185,6 +187,8 @@ matrix_nginx_proxy_container_extra_arguments: - '--label "traefik.http.routers.matrix-nginx-proxy-federation.entrypoints=federation"' # (The 'default' certificate resolver must be defined in Traefik config) - '--label "traefik.http.routers.matrix-nginx-proxy-federation.tls.certResolver=default"' + # Traefik requires that we declare which service this router is using + - '--label "traefik.http.routers.matrix-nginx-proxy-federation.service=matrix-nginx-proxy-federation"' # The Nginx proxy container uses port `matrix_nginx_proxy_proxy_matrix_federation_port (8448) internally - '--label "traefik.http.services.matrix-nginx-proxy-federation.loadbalancer.server.port={{ matrix_nginx_proxy_proxy_matrix_federation_port }}"' - '--label "traefik.http.services.matrix-nginx-proxy-federation.loadbalancer.server.scheme={{ "https" if matrix_nginx_proxy_https_enabled else "http" }}"' From 7c2a7a8eb621ef24af21d36109bc66a24932ac0d Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Thu, 24 Nov 2022 11:33:30 +0200 Subject: [PATCH 065/915] Replace most import_tasks calls with include_tasks for improved performance --- requirements.yml | 6 +- roles/custom/matrix-aux/tasks/main.yml | 4 +- .../custom/matrix-backup-borg/tasks/main.yml | 19 ++- .../matrix-bot-buscarron/tasks/main.yml | 19 ++- roles/custom/matrix-bot-go-neb/tasks/main.yml | 22 ++-- .../custom/matrix-bot-honoroit/tasks/main.yml | 19 ++- .../tasks/main.yml | 19 ++- .../tasks/main.yml | 19 ++- roles/custom/matrix-bot-maubot/tasks/main.yml | 25 ++-- .../custom/matrix-bot-mjolnir/tasks/main.yml | 19 ++- .../matrix-bot-postmoogle/tasks/main.yml | 19 ++- .../tasks/main.yml | 19 ++- .../tasks/main.yml | 19 ++- .../tasks/main.yml | 19 ++- .../tasks/main.yml | 24 ++-- .../tasks/main.yml | 24 ++-- .../tasks/main.yml | 19 ++- .../tasks/main.yml | 19 ++- .../matrix-bridge-heisenbridge/tasks/main.yml | 12 +- .../matrix-bridge-hookshot/tasks/main.yml | 24 ++-- .../tasks/main.yml | 19 ++- .../tasks/main.yml | 24 ++-- .../tasks/main.yml | 24 ++-- .../tasks/main.yml | 24 ++-- .../tasks/main.yml | 19 ++- .../tasks/main.yml | 19 ++- .../tasks/main.yml | 24 ++-- .../tasks/main.yml | 19 ++- .../tasks/main.yml | 19 ++- .../tasks/main.yml | 19 ++- .../tasks/main.yml | 19 ++- .../tasks/main.yml | 19 ++- .../tasks/main.yml | 24 ++-- .../tasks/main.yml | 19 ++- .../tasks/main.yml | 24 ++-- roles/custom/matrix-bridge-sms/tasks/main.yml | 19 ++- .../matrix-cactus-comments/tasks/main.yml | 24 ++-- .../custom/matrix-client-cinny/tasks/main.yml | 28 ++--- .../matrix-client-cinny/tasks/self_check.yml | 2 + .../matrix-client-element/tasks/main.yml | 39 ++---- .../tasks/migrate_riot_web.yml | 37 ------ .../tasks/self_check.yml | 2 + .../matrix-client-hydrogen/tasks/main.yml | 26 ++-- .../tasks/self_check.yml | 2 + .../custom/matrix-common-after/tasks/main.yml | 3 +- .../matrix-conduit/tasks/conduit/setup.yml | 7 -- roles/custom/matrix-conduit/tasks/main.yml | 8 +- .../tasks/{conduit => 
}/setup_install.yml | 0 .../tasks/{conduit => }/setup_uninstall.yml | 0 roles/custom/matrix-corporal/tasks/main.yml | 22 ++-- ...self_check_corporal.yml => self_check.yml} | 2 + .../{setup_corporal.yml => setup_install.yml} | 64 +--------- .../matrix-corporal/tasks/setup_uninstall.yml | 38 ++++++ roles/custom/matrix-coturn/tasks/main.yml | 19 ++- roles/custom/matrix-dendrite/tasks/main.yml | 34 +++--- .../matrix-dendrite/tasks/register_user.yml | 1 + .../tasks/self_check_client_api.yml | 2 + .../tasks/self_check_federation_api.yml | 2 + roles/custom/matrix-dimension/tasks/main.yml | 19 ++- .../custom/matrix-dynamic-dns/tasks/main.yml | 22 ++-- .../tasks/{install.yml => setup_install.yml} | 0 .../{uninstall.yml => setup_uninstall.yml} | 0 .../custom/matrix-email2matrix/tasks/main.yml | 19 ++- roles/custom/matrix-etherpad/tasks/main.yml | 24 ++-- roles/custom/matrix-grafana/tasks/main.yml | 14 ++- .../tasks/{setup.yml => setup_install.yml} | 45 ------- .../matrix-grafana/tasks/setup_uninstall.yml | 21 ++++ roles/custom/matrix-jitsi/tasks/main.yml | 53 +++++---- .../matrix-jitsi/tasks/setup_jitsi_base.yml | 10 +- ...ofo.yml => setup_jitsi_jicofo_install.yml} | 53 +-------- .../tasks/setup_jitsi_jicofo_uninstall.yml | 26 ++++ ...si_jvb.yml => setup_jitsi_jvb_install.yml} | 55 +-------- .../tasks/setup_jitsi_jvb_uninstall.yml | 26 ++++ .../tasks/setup_jitsi_prosody.yml | 99 ---------------- .../tasks/setup_jitsi_prosody_install.yml | 45 +++++++ .../tasks/setup_jitsi_prosody_uninstall.yml | 26 ++++ ...si_web.yml => setup_jitsi_web_install.yml} | 54 +-------- .../tasks/setup_jitsi_web_uninstall.yml | 26 ++++ .../tasks/main.yml | 24 ++-- roles/custom/matrix-ma1sd/tasks/main.yml | 27 ++--- .../{self_check_ma1sd.yml => self_check.yml} | 2 + roles/custom/matrix-mailer/tasks/main.yml | 8 +- .../{setup_mailer.yml => setup_install.yml} | 58 +-------- .../matrix-mailer/tasks/setup_uninstall.yml | 35 ++++++ .../custom/matrix-nginx-proxy/tasks/main.yml | 6 +- 
roles/custom/matrix-ntfy/tasks/main.yml | 19 ++- roles/custom/matrix-ntfy/tasks/self_check.yml | 2 + .../matrix-postgres-backup/tasks/main.yml | 15 +-- .../tasks/setup_install.yml | 57 +++++++++ .../tasks/setup_postgres_backup.yml | 112 ------------------ .../tasks/setup_uninstall.yml | 43 +++++++ .../tasks/main.yml | 12 +- .../tasks/setup.yml | 59 --------- .../tasks/setup_install.yml | 19 +++ .../tasks/setup_uninstall.yml | 25 ++++ .../tasks/main.yml | 12 +- .../tasks/setup.yml | 59 --------- .../tasks/setup_install.yml | 19 +++ .../tasks/setup_uninstall.yml | 21 ++++ roles/custom/matrix-prometheus/tasks/main.yml | 19 ++- roles/custom/matrix-redis/tasks/main.yml | 8 +- .../matrix-redis/tasks/setup_install.yml | 49 ++++++++ .../custom/matrix-redis/tasks/setup_redis.yml | 104 ---------------- .../matrix-redis/tasks/setup_uninstall.yml | 31 +++++ .../custom/matrix-registration/tasks/main.yml | 34 +++--- roles/custom/matrix-sygnal/tasks/main.yml | 19 ++- .../matrix-synapse-admin/tasks/main.yml | 19 +-- .../tasks/{setup.yml => setup_install.yml} | 51 +------- .../tasks/setup_uninstall.yml | 27 +++++ .../tasks/main.yml | 13 +- roles/custom/matrix-synapse/tasks/main.yml | 61 +++++----- .../tasks/self_check_client_api.yml | 2 + .../tasks/self_check_federation_api.yml | 2 + .../custom/matrix-user-creator/tasks/main.yml | 5 +- .../matrix_playbook_migration/tasks/main.yml | 3 +- 115 files changed, 1152 insertions(+), 1631 deletions(-) delete mode 100644 roles/custom/matrix-client-element/tasks/migrate_riot_web.yml delete mode 100644 roles/custom/matrix-conduit/tasks/conduit/setup.yml rename roles/custom/matrix-conduit/tasks/{conduit => }/setup_install.yml (100%) rename roles/custom/matrix-conduit/tasks/{conduit => }/setup_uninstall.yml (100%) rename roles/custom/matrix-corporal/tasks/{self_check_corporal.yml => self_check.yml} (96%) rename roles/custom/matrix-corporal/tasks/{setup_corporal.yml => setup_install.yml} (53%) create mode 100644 
roles/custom/matrix-corporal/tasks/setup_uninstall.yml rename roles/custom/matrix-dynamic-dns/tasks/{install.yml => setup_install.yml} (100%) rename roles/custom/matrix-dynamic-dns/tasks/{uninstall.yml => setup_uninstall.yml} (100%) rename roles/custom/matrix-grafana/tasks/{setup.yml => setup_install.yml} (65%) create mode 100644 roles/custom/matrix-grafana/tasks/setup_uninstall.yml rename roles/custom/matrix-jitsi/tasks/{setup_jitsi_jicofo.yml => setup_jitsi_jicofo_install.yml} (52%) create mode 100644 roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo_uninstall.yml rename roles/custom/matrix-jitsi/tasks/{setup_jitsi_jvb.yml => setup_jitsi_jvb_install.yml} (50%) create mode 100644 roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb_uninstall.yml delete mode 100644 roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody.yml create mode 100644 roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_install.yml create mode 100644 roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_uninstall.yml rename roles/custom/matrix-jitsi/tasks/{setup_jitsi_web.yml => setup_jitsi_web_install.yml} (53%) create mode 100644 roles/custom/matrix-jitsi/tasks/setup_jitsi_web_uninstall.yml rename roles/custom/matrix-ma1sd/tasks/{self_check_ma1sd.yml => self_check.yml} (95%) rename roles/custom/matrix-mailer/tasks/{setup_mailer.yml => setup_install.yml} (57%) create mode 100644 roles/custom/matrix-mailer/tasks/setup_uninstall.yml create mode 100644 roles/custom/matrix-postgres-backup/tasks/setup_install.yml delete mode 100644 roles/custom/matrix-postgres-backup/tasks/setup_postgres_backup.yml create mode 100644 roles/custom/matrix-postgres-backup/tasks/setup_uninstall.yml delete mode 100644 roles/custom/matrix-prometheus-node-exporter/tasks/setup.yml create mode 100644 roles/custom/matrix-prometheus-node-exporter/tasks/setup_install.yml create mode 100644 roles/custom/matrix-prometheus-node-exporter/tasks/setup_uninstall.yml delete mode 100644 
roles/custom/matrix-prometheus-postgres-exporter/tasks/setup.yml create mode 100644 roles/custom/matrix-prometheus-postgres-exporter/tasks/setup_install.yml create mode 100644 roles/custom/matrix-prometheus-postgres-exporter/tasks/setup_uninstall.yml create mode 100644 roles/custom/matrix-redis/tasks/setup_install.yml delete mode 100644 roles/custom/matrix-redis/tasks/setup_redis.yml create mode 100644 roles/custom/matrix-redis/tasks/setup_uninstall.yml rename roles/custom/matrix-synapse-admin/tasks/{setup.yml => setup_install.yml} (50%) create mode 100644 roles/custom/matrix-synapse-admin/tasks/setup_uninstall.yml diff --git a/requirements.yml b/requirements.yml index 71b596cb8..0d77588a6 100644 --- a/requirements.yml +++ b/requirements.yml @@ -13,13 +13,13 @@ version: 327d2e17f5189ac2480d6012f58cf64a2b46efba - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git - version: 461ace97fcf0e36c76747b36fcad8587d9b072f5 + version: 660f384f176a9ea3b5cc702bde39e7dc10bf6186 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_state_preserver.git version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git - version: 96c31c43b6937428e3f5d12520f8a41a1b5465d7 + version: 6ccb88ac5fc27e1e70afcd48278ade4b564a9096 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages.git - version: f1c78d4e85e875129790c58335d0e44385683f6b + version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6 diff --git a/roles/custom/matrix-aux/tasks/main.yml b/roles/custom/matrix-aux/tasks/main.yml index df7c77d0c..63ef998a8 100644 --- a/roles/custom/matrix-aux/tasks/main.yml +++ b/roles/custom/matrix-aux/tasks/main.yml @@ -1,7 +1,7 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup.yml" - when: run_stop | bool +- block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup.yml" tags: - setup-all - setup-aux-files 
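Review bot: The new `block:` in `roles/custom/matrix-aux/tasks/main.yml` carries no `when:` at all, so `setup.yml` is included whenever the `setup-all`/`setup-aux-files` tags match, whereas the sibling hunks in this commit (matrix-backup-borg, matrix-bot-buscarron, matrix-bot-go-neb) keep a `run_setup | bool` guard on every include. The removed guard was `when: run_stop | bool`, which looks wrong for a setup task, so dropping it may be deliberate, but the replacement should then be the guard the other roles use: `    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup.yml"` followed by `      when: run_setup | bool`. If unconditional execution is intended, a short comment on the block saying so would stop the next reader from "fixing" it.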
diff --git a/roles/custom/matrix-backup-borg/tasks/main.yml b/roles/custom/matrix-backup-borg/tasks/main.yml index e8c020a47..0c8a9b7e4 100644 --- a/roles/custom/matrix-backup-borg/tasks/main.yml +++ b/roles/custom/matrix-backup-borg/tasks/main.yml @@ -1,19 +1,14 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_backup_borg_enabled | bool" - tags: - - setup-all - - setup-backup-borg +- block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup | bool and matrix_backup_borg_enabled | bool" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_backup_borg_enabled | bool" - tags: - - setup-all - - setup-backup-borg + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup | bool and matrix_backup_borg_enabled | bool" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_backup_borg_enabled | bool" + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup | bool and not matrix_backup_borg_enabled | bool" tags: - setup-all - setup-backup-borg diff --git a/roles/custom/matrix-bot-buscarron/tasks/main.yml b/roles/custom/matrix-bot-buscarron/tasks/main.yml index 0d575393f..b12579541 100644 --- a/roles/custom/matrix-bot-buscarron/tasks/main.yml +++ b/roles/custom/matrix-bot-buscarron/tasks/main.yml 
@@ -1,19 +1,14 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_bot_buscarron_enabled | bool" - tags: - - setup-all - - setup-bot-buscarron +- block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup | bool and matrix_bot_buscarron_enabled | bool" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_bot_buscarron_enabled | bool" - tags: - - setup-all - - setup-bot-buscarron + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup | bool and matrix_bot_buscarron_enabled | bool" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_bot_buscarron_enabled | bool" + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup | bool and not matrix_bot_buscarron_enabled | bool" tags: - setup-all - setup-bot-buscarron diff --git a/roles/custom/matrix-bot-go-neb/tasks/main.yml b/roles/custom/matrix-bot-go-neb/tasks/main.yml index 4fc22e591..1955eee83 100644 --- a/roles/custom/matrix-bot-go-neb/tasks/main.yml +++ b/roles/custom/matrix-bot-go-neb/tasks/main.yml 
@@ -1,19 +1,17 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_bot_go_neb_enabled | bool" - tags: - - setup-all - - setup-bot-go-neb +- block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup | bool and matrix_bot_go_neb_enabled | bool" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_bot_go_neb_enabled | bool" - tags: - - setup-all - - setup-bot-go-neb + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup | bool and matrix_bot_go_neb_enabled | bool" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_bot_go_neb_enabled | bool" + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup | bool and not matrix_bot_go_neb_enabled | bool" tags: - setup-all - setup-bot-go-neb + + + diff --git a/roles/custom/matrix-bot-honoroit/tasks/main.yml b/roles/custom/matrix-bot-honoroit/tasks/main.yml index 09fab3272..fde2b6e3b 100644 --- a/roles/custom/matrix-bot-honoroit/tasks/main.yml +++ b/roles/custom/matrix-bot-honoroit/tasks/main.yml 
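Review bot: The go-neb hunk appends three empty `+` lines after `- setup-bot-go-neb`, leaving trailing blank lines at the end of main.yml that none of the sibling role hunks in this patch add; the `+1,17` count in the hunk header is three lines longer than the otherwise identical buscarron and honoroit hunks for that reason alone. Drop the three blank lines so the file ends directly after the tag list. Otherwise the hunk follows the same block-with-tags pattern as the surrounding roles, including the retained `run_setup | bool and` guard.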
@@ -1,19 +1,14 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_bot_honoroit_enabled | bool" - tags: - - setup-all - - setup-bot-honoroit +- block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup | bool and matrix_bot_honoroit_enabled | bool" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_bot_honoroit_enabled | bool" - tags: - - setup-all - - setup-bot-honoroit + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup | bool and matrix_bot_honoroit_enabled | bool" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_bot_honoroit_enabled | bool" + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup | bool and not matrix_bot_honoroit_enabled | bool" tags: - setup-all - setup-bot-honoroit diff --git a/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml b/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml index 5f44faac5..d0c7a1578 100644 --- a/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml +++ b/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml 
@@ -1,19 +1,14 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_bot_matrix_registration_bot_enabled | bool" - tags: - - setup-all - - setup-bot-matrix-registration-bot +- block: + - when: matrix_bot_matrix_registration_bot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_bot_matrix_registration_bot_enabled | bool" - tags: - - setup-all - - setup-bot-matrix-registration-bot + - when: matrix_bot_matrix_registration_bot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_bot_matrix_registration_bot_enabled | bool" + - when: not matrix_bot_matrix_registration_bot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-bot-matrix-registration-bot diff --git a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/main.yml b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/main.yml index 8340ef67e..091b0cc18 100644 --- a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/main.yml +++ b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/main.yml 
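Review bot: This hunk drops the `run_setup | bool and` half of all three conditions, so validate_config, setup_install and setup_uninstall are now included purely on `matrix_bot_matrix_registration_bot_enabled`, while the borg, buscarron, go-neb and honoroit hunks above keep `run_setup | bool and …` in the same position. Both conventions cannot be right within one patch: if `run_setup` is still a supported phase switch, the conditions here should read `- when: run_setup | bool and matrix_bot_matrix_registration_bot_enabled | bool` (and `not …` for the uninstall include); if the flag is being retired along with the move of tags onto the block, the four hunks above should drop it as well. The remaining hunks in this chunk use the dropped form, so the patch as visible leans toward the second convention, but the intent is not stated in the commit and should be settled one way for every role.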
@@ -1,19 +1,14 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_bot_matrix_reminder_bot_enabled | bool" - tags: - - setup-all - - setup-bot-matrix-reminder-bot +- block: + - when: matrix_bot_matrix_reminder_bot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_bot_matrix_reminder_bot_enabled | bool" - tags: - - setup-all - - setup-bot-matrix-reminder-bot + - when: matrix_bot_matrix_reminder_bot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_bot_matrix_reminder_bot_enabled | bool" + - when: not matrix_bot_matrix_reminder_bot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-bot-matrix-reminder-bot diff --git a/roles/custom/matrix-bot-maubot/tasks/main.yml b/roles/custom/matrix-bot-maubot/tasks/main.yml index 5e48eed97..917fea776 100644 --- a/roles/custom/matrix-bot-maubot/tasks/main.yml +++ b/roles/custom/matrix-bot-maubot/tasks/main.yml 
@@ -1,25 +1,22 @@ --- -- when: matrix_bot_maubot_enabled | bool - ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" +- block: + - when: matrix_bot_maubot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - setup-all - setup-nginx-proxy -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup|bool and matrix_bot_maubot_enabled|bool" - tags: - - setup-all - - setup-bot-maubot -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup|bool and matrix_bot_maubot_enabled|bool" - tags: - - setup-all - - setup-bot-maubot +- block: + - when: matrix_bot_maubot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_bot_maubot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup|bool and not matrix_bot_maubot_enabled|bool" + - when: not matrix_bot_maubot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-bot-maubot diff --git a/roles/custom/matrix-bot-mjolnir/tasks/main.yml b/roles/custom/matrix-bot-mjolnir/tasks/main.yml index 02a22bb1c..25e9d74db 100644 --- a/roles/custom/matrix-bot-mjolnir/tasks/main.yml +++ b/roles/custom/matrix-bot-mjolnir/tasks/main.yml 
@@ -1,19 +1,14 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_bot_mjolnir_enabled | bool" - tags: - - setup-all - - setup-bot-mjolnir +- block: + - when: matrix_bot_mjolnir_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_bot_mjolnir_enabled | bool" - tags: - - setup-all - - setup-bot-mjolnir + - when: matrix_bot_mjolnir_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_bot_mjolnir_enabled | bool" + - when: not matrix_bot_mjolnir_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-bot-mjolnir diff --git a/roles/custom/matrix-bot-postmoogle/tasks/main.yml b/roles/custom/matrix-bot-postmoogle/tasks/main.yml index 4e2ab51b9..62623c4d5 100644 --- a/roles/custom/matrix-bot-postmoogle/tasks/main.yml +++ b/roles/custom/matrix-bot-postmoogle/tasks/main.yml 
@@ -1,19 +1,14 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_bot_postmoogle_enabled | bool" - tags: - - setup-all - - setup-bot-postmoogle +- block: + - when: matrix_bot_postmoogle_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_bot_postmoogle_enabled | bool" - tags: - - setup-all - - setup-bot-postmoogle + - when: matrix_bot_postmoogle_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_bot_postmoogle_enabled | bool" + - when: not matrix_bot_postmoogle_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-bot-postmoogle diff --git a/roles/custom/matrix-bridge-appservice-discord/tasks/main.yml b/roles/custom/matrix-bridge-appservice-discord/tasks/main.yml index 249668583..6627d6103 100644 --- a/roles/custom/matrix-bridge-appservice-discord/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-discord/tasks/main.yml 
@@ -1,19 +1,14 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_appservice_discord_enabled | bool" - tags: - - setup-all - - setup-appservice-discord +- block: + - when: matrix_appservice_discord_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_appservice_discord_enabled | bool" - tags: - - setup-all - - setup-appservice-discord + - when: matrix_appservice_discord_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_appservice_discord_enabled | bool" + - when: not matrix_appservice_discord_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-appservice-discord diff --git a/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml b/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml index f66b729ba..b994ddb04 100644 --- a/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml 
@@ -1,19 +1,14 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_appservice_irc_enabled | bool" - tags: - - setup-all - - setup-appservice-irc +- block: + - when: matrix_appservice_irc_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_appservice_irc_enabled | bool" - tags: - - setup-all - - setup-appservice-irc + - when: matrix_appservice_irc_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_appservice_irc_enabled | bool" + - when: not matrix_appservice_irc_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-appservice-irc diff --git a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/main.yml b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/main.yml index a4dffd76f..be24d778e 100644 --- a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/main.yml 
@@ -1,19 +1,14 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_appservice_kakaotalk_enabled | bool" - tags: - - setup-all - - setup-appservice-kakaotalk +- block: + - when: matrix_appservice_kakaotalk_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_appservice_kakaotalk_enabled | bool" - tags: - - setup-all - - setup-appservice-kakaotalk + - when: matrix_appservice_kakaotalk_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_appservice_kakaotalk_enabled | bool" + - when: not matrix_appservice_kakaotalk_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-appservice-kakaotalk diff --git a/roles/custom/matrix-bridge-appservice-slack/tasks/main.yml b/roles/custom/matrix-bridge-appservice-slack/tasks/main.yml index 608b02195..277e41776 100644 --- a/roles/custom/matrix-bridge-appservice-slack/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-slack/tasks/main.yml 
@@ -1,25 +1,21 @@ --- -- when: matrix_appservice_slack_enabled | bool - ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" +- block: + - when: matrix_appservice_slack_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - setup-all - setup-nginx-proxy -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_appservice_slack_enabled | bool" - tags: - - setup-all - - setup-appservice-slack +- block: + - when: matrix_appservice_slack_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_appservice_slack_enabled | bool" - tags: - - setup-all - - setup-appservice-slack + - when: matrix_appservice_slack_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_appservice_slack_enabled | bool" + - when: not matrix_appservice_slack_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-appservice-slack diff --git a/roles/custom/matrix-bridge-appservice-webhooks/tasks/main.yml b/roles/custom/matrix-bridge-appservice-webhooks/tasks/main.yml index 24908e83a..97793d88d 100644 --- a/roles/custom/matrix-bridge-appservice-webhooks/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-webhooks/tasks/main.yml 
@@ -1,25 +1,21 @@ --- -- when: matrix_appservice_webhooks_enabled | bool - ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" +- block: + - when: matrix_appservice_webhooks_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - setup-all - setup-nginx-proxy -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_appservice_webhooks_enabled | bool" - tags: - - setup-all - - setup-appservice-webhooks +- block: + - when: matrix_appservice_webhooks_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_appservice_webhooks_enabled | bool" - tags: - - setup-all - - setup-appservice-webhooks + - when: matrix_appservice_webhooks_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_appservice_webhooks_enabled | bool" + - when: not matrix_appservice_webhooks_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-appservice-webhooks diff --git a/roles/custom/matrix-bridge-beeper-linkedin/tasks/main.yml b/roles/custom/matrix-bridge-beeper-linkedin/tasks/main.yml index 9ba728f13..57dcc2a33 100644 --- a/roles/custom/matrix-bridge-beeper-linkedin/tasks/main.yml +++ b/roles/custom/matrix-bridge-beeper-linkedin/tasks/main.yml 
@@ -1,19 +1,14 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_beeper_linkedin_enabled | bool" - tags: - - setup-all - - setup-beeper-linkedin +- block: + - when: matrix_beeper_linkedin_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup and matrix_beeper_linkedin_enabled" - tags: - - setup-all - - setup-beeper-linkedin + - when: matrix_beeper_linkedin_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup and not matrix_beeper_linkedin_enabled" + - when: not matrix_beeper_linkedin_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-beeper-linkedin diff --git a/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml b/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml index 3b8fdb245..cc41f4bd2 100644 --- a/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml +++ b/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml 
@@ -1,19 +1,14 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_go_skype_bridge_enabled | bool" - tags: - - setup-all - - setup-go-skype-bridge +- block: + - when: matrix_go_skype_bridge_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_go_skype_bridge_enabled | bool" - tags: - - setup-all - - setup-go-skype-bridge + - when: matrix_go_skype_bridge_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_go_skype_bridge_enabled | bool" + - when: not matrix_go_skype_bridge_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-go-skype-bridge diff --git a/roles/custom/matrix-bridge-heisenbridge/tasks/main.yml b/roles/custom/matrix-bridge-heisenbridge/tasks/main.yml index 70bc86c31..38b891cff 100644 --- a/roles/custom/matrix-bridge-heisenbridge/tasks/main.yml +++ b/roles/custom/matrix-bridge-heisenbridge/tasks/main.yml @@ -1,13 +1,11 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_heisenbridge_enabled | bool" - tags: - - setup-all - - setup-heisenbridge +- block: + - when: matrix_heisenbridge_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_heisenbridge_enabled | bool" + - when: not matrix_heisenbridge_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-heisenbridge 
diff --git a/roles/custom/matrix-bridge-hookshot/tasks/main.yml b/roles/custom/matrix-bridge-hookshot/tasks/main.yml index 5d93af3a5..505b86ed3 100644 --- a/roles/custom/matrix-bridge-hookshot/tasks/main.yml +++ b/roles/custom/matrix-bridge-hookshot/tasks/main.yml @@ -1,25 +1,21 @@ --- -- when: matrix_hookshot_enabled | bool - ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" +- block: + - when: matrix_hookshot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - setup-all - setup-nginx-proxy -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_hookshot_enabled | bool" - tags: - - setup-all - - setup-hookshot +- block: + - when: matrix_hookshot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_hookshot_enabled | bool" - tags: - - setup-all - - setup-hookshot + - when: matrix_hookshot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_hookshot_enabled | bool" + - when: not matrix_hookshot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-hookshot diff --git a/roles/custom/matrix-bridge-mautrix-discord/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-discord/tasks/main.yml index 2b68f1ed4..5c38db0a2 100644 --- a/roles/custom/matrix-bridge-mautrix-discord/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-discord/tasks/main.yml 
@@ -1,19 +1,14 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mautrix_discord_enabled | bool" - tags: - - setup-all - - setup-mautrix-discord +- block: + - when: matrix_mautrix_discord_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup and matrix_mautrix_discord_enabled" - tags: - - setup-all - - setup-mautrix-discord + - when: matrix_mautrix_discord_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup and not matrix_mautrix_discord_enabled" + - when: not matrix_mautrix_discord_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-mautrix-discord diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml index f166cc5eb..9e17b87b9 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml 
@@ -1,25 +1,21 @@ --- -- when: matrix_mautrix_facebook_enabled | bool and matrix_mautrix_facebook_appservice_public_enabled | bool - ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" +- block: + - when: matrix_mautrix_facebook_enabled | bool and matrix_mautrix_facebook_appservice_public_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - setup-all - setup-nginx-proxy -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mautrix_facebook_enabled | bool" - tags: - - setup-all - - setup-mautrix-facebook +- block: + - when: matrix_mautrix_facebook_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_mautrix_facebook_enabled | bool" - tags: - - setup-all - - setup-mautrix-facebook + - when: matrix_mautrix_facebook_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_mautrix_facebook_enabled | bool" + - when: not matrix_mautrix_facebook_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-mautrix-facebook diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/main.yml index e20422a72..9bdc30610 100644 --- a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/main.yml 
@@ -1,25 +1,21 @@ --- -- when: matrix_mautrix_googlechat_enabled | bool - ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" +- block: + - when: matrix_mautrix_googlechat_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - setup-all - setup-nginx-proxy -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mautrix_googlechat_enabled | bool" - tags: - - setup-all - - setup-mautrix-googlechat +- block: + - when: matrix_mautrix_googlechat_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_mautrix_googlechat_enabled | bool" - tags: - - setup-all - - setup-mautrix-googlechat + - when: matrix_mautrix_googlechat_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_mautrix_googlechat_enabled | bool" + - when: not matrix_mautrix_googlechat_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-mautrix-googlechat diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/main.yml index a1b7115bd..cce772214 100644 --- a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/main.yml 
@@ -1,25 +1,21 @@ --- -- when: matrix_mautrix_hangouts_enabled | bool - ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" +- block: + - when: matrix_mautrix_hangouts_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - setup-all - setup-nginx-proxy -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mautrix_hangouts_enabled | bool" - tags: - - setup-all - - setup-mautrix-hangouts +- block: + - when: matrix_mautrix_hangouts_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_mautrix_hangouts_enabled | bool" - tags: - - setup-all - - setup-mautrix-hangouts + - when: matrix_mautrix_hangouts_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_mautrix_hangouts_enabled | bool" + - when: not matrix_mautrix_hangouts_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-mautrix-hangouts diff --git a/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml index 403546ff4..f559c69d7 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml 
@@ -1,19 +1,14 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mautrix_instagram_enabled | bool" - tags: - - setup-all - - setup-mautrix-instagram +- block: + - when: matrix_mautrix_instagram_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_mautrix_instagram_enabled | bool" - tags: - - setup-all - - setup-mautrix-instagram + - when: matrix_mautrix_instagram_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_mautrix_instagram_enabled | bool" + - when: not matrix_mautrix_instagram_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-mautrix-instagram diff --git a/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml index 6b69be288..a4cd677b8 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml 
@@ -1,19 +1,14 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mautrix_signal_enabled | bool" - tags: - - setup-all - - setup-mautrix-signal +- block: + - when: matrix_mautrix_signal_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_mautrix_signal_enabled | bool" - tags: - - setup-all - - setup-mautrix-signal + - when: matrix_mautrix_signal_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_mautrix_signal_enabled | bool" + - when: not matrix_mautrix_signal_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-mautrix-signal diff --git a/roles/custom/matrix-bridge-mautrix-telegram/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-telegram/tasks/main.yml index d4a5f8054..a62efb7a5 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-telegram/tasks/main.yml 
@@ -1,25 +1,21 @@ --- -- when: matrix_mautrix_telegram_enabled | bool and matrix_mautrix_telegram_appservice_public_enabled | bool - ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" +- block: + - when: matrix_mautrix_telegram_enabled | bool and matrix_mautrix_telegram_appservice_public_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - setup-all - setup-nginx-proxy -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mautrix_telegram_enabled | bool" - tags: - - setup-all - - setup-mautrix-telegram +- block: + - when: matrix_mautrix_telegram_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_mautrix_telegram_enabled | bool" - tags: - - setup-all - - setup-mautrix-telegram + - when: matrix_mautrix_telegram_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_mautrix_telegram_enabled | bool" + - when: not matrix_mautrix_telegram_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-mautrix-telegram diff --git a/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml index 08e840aa5..aee0daf7d 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml 
@@ -1,19 +1,14 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mautrix_twitter_enabled | bool" - tags: - - setup-all - - setup-mautrix-twitter +- block: + - when: matrix_mautrix_twitter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_mautrix_twitter_enabled | bool" - tags: - - setup-all - - setup-mautrix-twitter + - when: matrix_mautrix_twitter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_mautrix_twitter_enabled | bool" + - when: not matrix_mautrix_twitter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-mautrix-twitter diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml index c5b3b153b..4d2342502 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml 
@@ -1,19 +1,14 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mautrix_whatsapp_enabled | bool" - tags: - - setup-all - - setup-mautrix-whatsapp +- block: + - when: matrix_mautrix_whatsapp_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup and matrix_mautrix_whatsapp_enabled" - tags: - - setup-all - - setup-mautrix-whatsapp + - when: matrix_mautrix_whatsapp_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup and not matrix_mautrix_whatsapp_enabled" + - when: not matrix_mautrix_whatsapp_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-mautrix-whatsapp diff --git a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/main.yml index c65a04e3b..a77f22650 100644 --- a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/main.yml 
@@ -1,19 +1,14 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mx_puppet_discord_enabled | bool" - tags: - - setup-all - - setup-mx-puppet-discord +- block: + - when: matrix_mx_puppet_discord_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_mx_puppet_discord_enabled | bool" - tags: - - setup-all - - setup-mx-puppet-discord + - when: matrix_mx_puppet_discord_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_mx_puppet_discord_enabled | bool" + - when: not matrix_mx_puppet_discord_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-mx-puppet-discord diff --git a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/main.yml index f6707d4e3..6f2a03875 100644 --- a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/main.yml 
@@ -1,19 +1,14 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mx_puppet_groupme_enabled | bool" - tags: - - setup-all - - setup-mx-puppet-groupme +- block: + - when: matrix_mx_puppet_groupme_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_mx_puppet_groupme_enabled | bool" - tags: - - setup-all - - setup-mx-puppet-groupme + - when: matrix_mx_puppet_groupme_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_mx_puppet_groupme_enabled | bool" + - when: not matrix_mx_puppet_groupme_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-mx-puppet-groupme diff --git a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/main.yml index 220fb46fc..620b0da57 100644 --- a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/main.yml 
@@ -1,19 +1,14 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mx_puppet_instagram_enabled | bool" - tags: - - setup-all - - setup-mx-puppet-instagram +- block: + - when: matrix_mx_puppet_instagram_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_mx_puppet_instagram_enabled | bool" - tags: - - setup-all - - setup-mx-puppet-instagram + - when: matrix_mx_puppet_instagram_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_mx_puppet_instagram_enabled | bool" + - when: not matrix_mx_puppet_instagram_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-mx-puppet-instagram diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/main.yml index 8850e6bcb..2fe8ea420 100644 --- a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/main.yml 
@@ -1,25 +1,21 @@ --- -- when: matrix_mx_puppet_slack_enabled | bool - ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" +- block: + - when: matrix_mx_puppet_slack_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - setup-all - setup-nginx-proxy -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mx_puppet_slack_enabled | bool" - tags: - - setup-all - - setup-mx-puppet-slack +- block: + - when: matrix_mx_puppet_slack_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_mx_puppet_slack_enabled | bool" - tags: - - setup-all - - setup-mx-puppet-slack + - when: matrix_mx_puppet_slack_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_mx_puppet_slack_enabled | bool" + - when: not matrix_mx_puppet_slack_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-mx-puppet-slack diff --git a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/main.yml index 9feb22fb9..a6cab2b0b 100644 --- a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/main.yml 
@@ -1,19 +1,14 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mx_puppet_steam_enabled | bool" - tags: - - setup-all - - setup-mx-puppet-steam +- block: + - when: matrix_mx_puppet_steam_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_mx_puppet_steam_enabled | bool" - tags: - - setup-all - - setup-mx-puppet-steam + - when: matrix_mx_puppet_steam_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_mx_puppet_steam_enabled | bool" + - when: not matrix_mx_puppet_steam_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-mx-puppet-steam diff --git a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/main.yml index 87f947096..3e1fe73c9 100644 --- a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/main.yml 
@@ -1,25 +1,21 @@ --- -- when: matrix_mx_puppet_twitter_enabled | bool - ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" +- block: + - when: matrix_mx_puppet_twitter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - setup-all - setup-nginx-proxy -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mx_puppet_twitter_enabled | bool" - tags: - - setup-all - - setup-mx-puppet-twitter +- block: + - when: matrix_mx_puppet_twitter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_mx_puppet_twitter_enabled | bool" - tags: - - setup-all - - setup-mx-puppet-twitter + - when: matrix_mx_puppet_twitter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_mx_puppet_twitter_enabled | bool" + - when: not matrix_mx_puppet_twitter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-mx-puppet-twitter diff --git a/roles/custom/matrix-bridge-sms/tasks/main.yml b/roles/custom/matrix-bridge-sms/tasks/main.yml index 4d4895c46..a802054c6 100644 --- a/roles/custom/matrix-bridge-sms/tasks/main.yml +++ b/roles/custom/matrix-bridge-sms/tasks/main.yml 
@@ -1,19 +1,14 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_sms_bridge_enabled | bool" - tags: - - setup-all - - setup-matrix-sms-bridge +- block: + - when: matrix_sms_bridge_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_sms_bridge_enabled | bool" - tags: - - setup-all - - setup-matrix-sms-bridge + - when: matrix_sms_bridge_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_sms_bridge_enabled | bool" + - when: not matrix_sms_bridge_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-matrix-sms-bridge diff --git a/roles/custom/matrix-cactus-comments/tasks/main.yml b/roles/custom/matrix-cactus-comments/tasks/main.yml index 4bef51535..dab5a1209 100644 --- a/roles/custom/matrix-cactus-comments/tasks/main.yml +++ b/roles/custom/matrix-cactus-comments/tasks/main.yml 
@@ -1,25 +1,21 @@ --- -- when: matrix_cactus_comments_enabled | bool and matrix_cactus_comments_serve_client_enabled | bool - ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" +- block: + - when: matrix_cactus_comments_enabled | bool and matrix_cactus_comments_serve_client_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - setup-all - setup-nginx-proxy -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_cactus_comments_enabled | bool" - tags: - - setup-all - - setup-cactus-comments +- block: + - when: matrix_cactus_comments_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_cactus_comments_enabled | bool" - tags: - - setup-all - - setup-cactus-comments + - when: matrix_cactus_comments_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_cactus_comments_enabled | bool" + - when: not matrix_cactus_comments_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-cactus-comments diff --git a/roles/custom/matrix-client-cinny/tasks/main.yml b/roles/custom/matrix-client-cinny/tasks/main.yml index e0f1579cb..c67116e67 100644 --- a/roles/custom/matrix-client-cinny/tasks/main.yml +++ b/roles/custom/matrix-client-cinny/tasks/main.yml 
@@ -1,26 +1,20 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_client_cinny_enabled | bool" - tags: - - setup-all - - setup-client-cinny +- block: + - when: matrix_client_cinny_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_client_cinny_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_client_cinny_enabled | bool" + - when: not matrix_client_cinny_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-client-cinny -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/self_check.yml" - delegate_to: 127.0.0.1 - become: false - when: "run_self_check | bool and matrix_client_cinny_enabled | bool" +- block: + - when: matrix_client_cinny_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml" tags: - self-check - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_client_cinny_enabled | bool" - tags: - - setup-all - - setup-client-cinny diff --git a/roles/custom/matrix-client-cinny/tasks/self_check.yml b/roles/custom/matrix-client-cinny/tasks/self_check.yml index e0f9bfc1e..c1c6195e0 100644 --- a/roles/custom/matrix-client-cinny/tasks/self_check.yml +++ b/roles/custom/matrix-client-cinny/tasks/self_check.yml @@ -11,6 +11,8 @@ register: matrix_client_cinny_self_check_result check_mode: false ignore_errors: true + delegate_to: 127.0.0.1 + become: false - name: Fail if Cinny not working ansible.builtin.fail: diff --git a/roles/custom/matrix-client-element/tasks/main.yml b/roles/custom/matrix-client-element/tasks/main.yml index 7dbe9ce82..b75a3d5dc 100644 --- a/roles/custom/matrix-client-element/tasks/main.yml 
+++ b/roles/custom/matrix-client-element/tasks/main.yml @@ -1,38 +1,23 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_client_element_enabled | bool" - tags: - - setup-all - - setup-client-element +- block: + - when: matrix_client_element_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/prepare_themes.yml" - when: run_setup | bool - tags: - - setup-all - - setup-client-element + - when: matrix_client_element_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/prepare_themes.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/migrate_riot_web.yml" - when: run_setup | bool - tags: - - setup-all - - setup-client-element - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_client_element_enabled | bool" - tags: - - setup-all - - setup-client-element + - when: matrix_client_element_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_client_element_enabled | bool" + - when: not matrix_client_element_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-client-element -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/self_check.yml" - delegate_to: 127.0.0.1 - become: false - when: "run_self_check | bool and matrix_client_element_enabled | bool" +- block: + - when: matrix_client_element_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml" tags: - self-check diff --git a/roles/custom/matrix-client-element/tasks/migrate_riot_web.yml b/roles/custom/matrix-client-element/tasks/migrate_riot_web.yml deleted file mode 100644 index bb62b7ce5..000000000 
--- a/roles/custom/matrix-client-element/tasks/migrate_riot_web.yml +++ /dev/null @@ -1,37 +0,0 @@ ---- - -- name: Check existence of matrix-riot-web.service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-riot-web.service" - register: matrix_client_riot_web_service_stat - when: "matrix_client_element_enabled | bool" - -- name: Ensure matrix-riot-web is stopped - ansible.builtin.service: - name: matrix-riot-web - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_client_element_enabled | bool and matrix_client_riot_web_service_stat.stat.exists" - -- name: Ensure matrix-riot-web.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-riot-web.service" - state: absent - when: "matrix_client_element_enabled | bool and matrix_client_riot_web_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-riot-web.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_client_element_enabled | bool and matrix_client_riot_web_service_stat.stat.exists" - -- name: Check existence of /matrix/riot-web - ansible.builtin.stat: - path: "/matrix/riot-web" - register: matrix_client_riot_web_dir_stat - when: "matrix_client_element_enabled | bool" - -- name: Relocate /matrix/riot-web to /matrix/client-element - ansible.builtin.command: "mv /matrix/riot-web /matrix/client-element" - when: "matrix_client_element_enabled | bool and matrix_client_riot_web_dir_stat.stat.exists" diff --git a/roles/custom/matrix-client-element/tasks/self_check.yml b/roles/custom/matrix-client-element/tasks/self_check.yml index 031bb5f90..c336e4b65 100644 --- a/roles/custom/matrix-client-element/tasks/self_check.yml +++ b/roles/custom/matrix-client-element/tasks/self_check.yml 
@@ -11,6 +11,8 @@ register: matrix_client_element_self_check_result check_mode: false ignore_errors: true + delegate_to: 127.0.0.1 + become: false - name: Fail if Element not working ansible.builtin.fail: diff --git a/roles/custom/matrix-client-hydrogen/tasks/main.yml b/roles/custom/matrix-client-hydrogen/tasks/main.yml index 3f5023937..220a4d130 100644 --- a/roles/custom/matrix-client-hydrogen/tasks/main.yml +++ b/roles/custom/matrix-client-hydrogen/tasks/main.yml @@ -1,26 +1,20 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_client_hydrogen_enabled | bool" - tags: - - setup-all - - setup-client-hydrogen +- block: + - when: matrix_client_hydrogen_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_client_hydrogen_enabled | bool" - tags: - - setup-all - - setup-client-hydrogen + - when: matrix_client_hydrogen_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_client_hydrogen_enabled | bool" + - when: not matrix_client_hydrogen_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-client-hydrogen -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/self_check.yml" - delegate_to: 127.0.0.1 - become: false - when: "run_self_check | bool and matrix_client_hydrogen_enabled | bool" +- block: + - when: matrix_client_hydrogen_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml" tags: - self-check diff --git a/roles/custom/matrix-client-hydrogen/tasks/self_check.yml b/roles/custom/matrix-client-hydrogen/tasks/self_check.yml index 978e531f2..478f0dc86 100644 
--- a/roles/custom/matrix-client-hydrogen/tasks/self_check.yml +++ b/roles/custom/matrix-client-hydrogen/tasks/self_check.yml @@ -11,6 +11,8 @@ register: matrix_client_hydrogen_self_check_result check_mode: false ignore_errors: true + delegate_to: 127.0.0.1 + become: false - name: Fail if Hydrogen not working ansible.builtin.fail: diff --git a/roles/custom/matrix-common-after/tasks/main.yml b/roles/custom/matrix-common-after/tasks/main.yml index 498c83907..fe23e467b 100644 --- a/roles/custom/matrix-common-after/tasks/main.yml +++ b/roles/custom/matrix-common-after/tasks/main.yml @@ -1,5 +1,6 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/run_docker_prune.yml" +- block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/run_docker_prune.yml" tags: - run-docker-prune diff --git a/roles/custom/matrix-conduit/tasks/conduit/setup.yml b/roles/custom/matrix-conduit/tasks/conduit/setup.yml deleted file mode 100644 index 425d0f7e9..000000000 --- a/roles/custom/matrix-conduit/tasks/conduit/setup.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/conduit/setup_install.yml" - when: "matrix_conduit_enabled | bool" - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/conduit/setup_uninstall.yml" - when: "not matrix_conduit_enabled | bool" diff --git a/roles/custom/matrix-conduit/tasks/main.yml b/roles/custom/matrix-conduit/tasks/main.yml index 85ad539b7..e731f21a8 100644 --- a/roles/custom/matrix-conduit/tasks/main.yml +++ b/roles/custom/matrix-conduit/tasks/main.yml @@ -1,7 +1,11 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/conduit/setup.yml" - when: run_setup | bool +- block: + - when: matrix_conduit_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + + - when: not matrix_conduit_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-conduit 
diff --git a/roles/custom/matrix-conduit/tasks/conduit/setup_install.yml b/roles/custom/matrix-conduit/tasks/setup_install.yml
similarity index 100%
rename from roles/custom/matrix-conduit/tasks/conduit/setup_install.yml
rename to roles/custom/matrix-conduit/tasks/setup_install.yml
diff --git a/roles/custom/matrix-conduit/tasks/conduit/setup_uninstall.yml b/roles/custom/matrix-conduit/tasks/setup_uninstall.yml
similarity index 100%
rename from roles/custom/matrix-conduit/tasks/conduit/setup_uninstall.yml
rename to roles/custom/matrix-conduit/tasks/setup_uninstall.yml
diff --git a/roles/custom/matrix-corporal/tasks/main.yml b/roles/custom/matrix-corporal/tasks/main.yml
index 1021518c7..3f18ed0cf 100644
--- a/roles/custom/matrix-corporal/tasks/main.yml
+++ b/roles/custom/matrix-corporal/tasks/main.yml
@@ -1,20 +1,20 @@
 --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_corporal_enabled | bool" - tags: - - setup-all - - setup-corporal +- block: + - when: matrix_corporal_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_corporal_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_corporal.yml" - when: run_setup | bool + - when: not matrix_corporal_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-corporal -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/self_check_corporal.yml" - delegate_to: 127.0.0.1 - become: false - when: "run_self_check | bool and matrix_corporal_enabled | bool" +- block: + - when: matrix_corporal_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml" tags: - self-check 
diff --git a/roles/custom/matrix-corporal/tasks/self_check_corporal.yml b/roles/custom/matrix-corporal/tasks/self_check.yml
similarity index 96%
rename from roles/custom/matrix-corporal/tasks/self_check_corporal.yml
rename to roles/custom/matrix-corporal/tasks/self_check.yml
index 3ddda8e04..bf0e768b4 100644
--- a/roles/custom/matrix-corporal/tasks/self_check_corporal.yml
+++ b/roles/custom/matrix-corporal/tasks/self_check.yml
@@ -11,6 +11,8 @@
 check_mode: false register: result_corporal_client_api ignore_errors: true + delegate_to: 127.0.0.1 + become: false - name: Fail if Matrix Corporal HTTP gateway not working ansible.builtin.fail:
diff --git a/roles/custom/matrix-corporal/tasks/setup_corporal.yml b/roles/custom/matrix-corporal/tasks/setup_install.yml
similarity index 53%
rename from roles/custom/matrix-corporal/tasks/setup_corporal.yml
rename to roles/custom/matrix-corporal/tasks/setup_install.yml
index 3f6ac86cd..e257d0118 100644
--- a/roles/custom/matrix-corporal/tasks/setup_corporal.yml
+++ b/roles/custom/matrix-corporal/tasks/setup_install.yml
@@ -1,9 +1,5 @@
 --- -# -# Tasks related to setting up matrix-corporal -# - - name: Ensure Matrix Corporal paths exist ansible.builtin.file: path: "{{ item }}"
@@ -15,7 +11,6 @@
 - "{{ matrix_corporal_config_dir_path }}" - "{{ matrix_corporal_cache_dir_path }}" - "{{ matrix_corporal_var_dir_path }}" - when: matrix_corporal_enabled | bool - name: Ensure Matrix Corporal repository is present on self-build ansible.builtin.git:
@@ -26,7 +21,7 @@
 become: true become_user: "{{ matrix_user_username }}" register: matrix_corporal_git_pull_results - when: "matrix_corporal_enabled | bool and matrix_corporal_container_image_self_build | bool" + when: matrix_corporal_container_image_self_build | bool - name: Ensure Matrix Corporal Docker image is built community.docker.docker_image: 
@@ -38,7 +33,7 @@ dockerfile: etc/docker/Dockerfile path: "{{ matrix_corporal_container_src_files_path }}" pull: true - when: "matrix_corporal_enabled | bool and matrix_corporal_container_image_self_build | bool" + when: matrix_corporal_container_image_self_build | bool - name: Ensure Matrix Corporal Docker image is pulled community.docker.docker_image: @@ -46,7 +41,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_corporal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_corporal_docker_image_force_pull }}" - when: "matrix_corporal_enabled | bool and not matrix_corporal_container_image_self_build | bool" + when: not matrix_corporal_container_image_self_build | bool register: result retries: "{{ devture_playbook_help_container_retries_count }}" delay: "{{ devture_playbook_help_container_retries_delay }}" @@ -59,7 +54,6 @@ mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: matrix_corporal_enabled | bool - name: Ensure matrix-corporal.service installed ansible.builtin.template: 
@@ -67,55 +61,3 @@ dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-corporal.service" mode: 0644 register: matrix_corporal_systemd_service_result - when: matrix_corporal_enabled | bool - -- name: Ensure systemd reloaded after matrix-corporal.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_corporal_enabled | bool and matrix_corporal_systemd_service_result.changed" - - -# -# Tasks related to getting rid of matrix-corporal (if it was previously enabled) -# - -- name: Check existence of matrix-corporal service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-corporal.service" - register: matrix_corporal_service_stat - when: "not matrix_corporal_enabled | bool" - -- name: Ensure matrix-corporal is stopped - ansible.builtin.service: - name: matrix-corporal - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "not matrix_corporal_enabled | bool and matrix_corporal_service_stat.stat.exists" - -- name: Ensure matrix-corporal.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-corporal.service" - state: absent - when: "not matrix_corporal_enabled | bool and matrix_corporal_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-corporal.service removal - ansible.builtin.service: - daemon_reload: true - when: "not matrix_corporal_enabled | bool and matrix_corporal_service_stat.stat.exists" - -- name: Ensure matrix-corporal files don't exist - ansible.builtin.file: - path: "{{ item }}" - state: absent - with_items: - - "{{ devture_systemd_docker_base_systemd_path }}/matrix-corporal.service" - - "{{ matrix_corporal_config_dir_path }}/config.json" - when: "not matrix_corporal_enabled | bool" - -- name: Ensure Matrix Corporal Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_corporal_docker_image }}" - state: absent - when: "not matrix_corporal_enabled 
| bool"
diff --git a/roles/custom/matrix-corporal/tasks/setup_uninstall.yml b/roles/custom/matrix-corporal/tasks/setup_uninstall.yml
new file mode 100644
index 000000000..81e1b751d
--- /dev/null
+++ b/roles/custom/matrix-corporal/tasks/setup_uninstall.yml
@@ -0,0 +1,38 @@
+---
+
+- name: Check existence of matrix-corporal service
+ ansible.builtin.stat:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-corporal.service"
+ register: matrix_corporal_service_stat
+
+- when: matrix_corporal_service_stat.stat.exists | bool
+ block:
+ - name: Ensure matrix-corporal is stopped
+ ansible.builtin.service:
+ name: matrix-corporal
+ state: stopped
+ enabled: false
+ daemon_reload: true
+ register: stopping_result
+
+ - name: Ensure matrix-corporal.service doesn't exist
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-corporal.service"
+ state: absent
+
+ - name: Ensure systemd reloaded after matrix-corporal.service removal
+ ansible.builtin.service:
+ daemon_reload: true
+
+- name: Ensure matrix-corporal files don't exist
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - "{{ devture_systemd_docker_base_systemd_path }}/matrix-corporal.service"
+ - "{{ matrix_corporal_config_dir_path }}/config.json"
+
+- name: Ensure Matrix Corporal Docker image doesn't exist
+ community.docker.docker_image:
+ name: "{{ matrix_corporal_docker_image }}"
+ state: absent
diff --git a/roles/custom/matrix-coturn/tasks/main.yml b/roles/custom/matrix-coturn/tasks/main.yml
index f2fc66d53..393ed6915 100644
--- a/roles/custom/matrix-coturn/tasks/main.yml
+++ b/roles/custom/matrix-coturn/tasks/main.yml 
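Review bot: `register: matrix_corporal_systemd_service_result` on the service-template task, kept at the top of the last setup_install.yml hunk, no longer has a reader in this file once the `Ensure systemd reloaded after matrix-corporal.service installation` task that checked its `.changed` is dropped together with the uninstall tasks. If that daemon reload is now performed by a shared systemd service-management role, a comment on the template task such as `# daemon-reload is handled centrally after all roles have installed their units` would stop the next maintainer from re-adding it; if not, the reload task should stay, since a changed unit file is otherwise not picked up until something else reloads systemd. The `register` can be dropped if nothing else in the role reads it, which I cannot see from here. The template task itself starts outside the hunk.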
@@ -1,19 +1,14 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_coturn_enabled | bool" - tags: - - setup-all - - setup-coturn +- block: + - when: matrix_coturn_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_coturn_enabled | bool" - tags: - - setup-all - - setup-coturn + - when: matrix_coturn_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_coturn_enabled | bool" + - when: not matrix_coturn_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-coturn diff --git a/roles/custom/matrix-dendrite/tasks/main.yml b/roles/custom/matrix-dendrite/tasks/main.yml index 5a5b04dee..62057ded2 100644 --- a/roles/custom/matrix-dendrite/tasks/main.yml +++ b/roles/custom/matrix-dendrite/tasks/main.yml 
@@ -1,32 +1,26 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: run_setup | bool - tags: - - setup-all - - setup-dendrite +- block: + - when: matrix_dendrite_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_dendrite.yml" - when: run_setup | bool + - when: matrix_dendrite_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_dendrite.yml" tags: - setup-all - setup-dendrite -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/register_user.yml" - when: run_dendrite_register_user | bool and matrix_dendrite_enabled | bool - tags: - - register-user +- block: + - when: matrix_dendrite_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_client_api.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/self_check_client_api.yml" - delegate_to: 127.0.0.1 - become: false - when: run_self_check | bool and matrix_dendrite_enabled | bool + - when: matrix_dendrite_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml" tags: - self-check -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml" - delegate_to: 127.0.0.1 - become: false - when: run_self_check | bool and matrix_dendrite_enabled | bool +- block: + - when: matrix_dendrite_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/register_user.yml" tags: - - self-check + - register-user diff --git a/roles/custom/matrix-dendrite/tasks/register_user.yml b/roles/custom/matrix-dendrite/tasks/register_user.yml index d37e633bf..6b4de7e93 100644 --- a/roles/custom/matrix-dendrite/tasks/register_user.yml +++ b/roles/custom/matrix-dendrite/tasks/register_user.yml @@ -1,4 +1,5 @@ --- + - name: Fail if playbook called incorrectly ansible.builtin.fail: msg: "The `username` variable needs to be provided to this playbook, via --extra-vars" 
diff --git a/roles/custom/matrix-dendrite/tasks/self_check_client_api.yml b/roles/custom/matrix-dendrite/tasks/self_check_client_api.yml index 99b6cb40d..f6eb602c6 100644 --- a/roles/custom/matrix-dendrite/tasks/self_check_client_api.yml +++ b/roles/custom/matrix-dendrite/tasks/self_check_client_api.yml @@ -7,6 +7,8 @@ register: result_matrix_dendrite_client_api ignore_errors: true check_mode: false + delegate_to: 127.0.0.1 + become: false - name: Fail if Matrix Client API not working ansible.builtin.fail: diff --git a/roles/custom/matrix-dendrite/tasks/self_check_federation_api.yml b/roles/custom/matrix-dendrite/tasks/self_check_federation_api.yml index 25b2871ce..bba20ff16 100644 --- a/roles/custom/matrix-dendrite/tasks/self_check_federation_api.yml +++ b/roles/custom/matrix-dendrite/tasks/self_check_federation_api.yml @@ -7,6 +7,8 @@ register: result_matrix_dendrite_federation_api ignore_errors: true check_mode: false + delegate_to: 127.0.0.1 + become: false - name: Fail if Matrix Federation API not working ansible.builtin.fail: diff --git a/roles/custom/matrix-dimension/tasks/main.yml b/roles/custom/matrix-dimension/tasks/main.yml index 38f780e93..5d6f54432 100644 --- a/roles/custom/matrix-dimension/tasks/main.yml +++ b/roles/custom/matrix-dimension/tasks/main.yml 
@@ -1,19 +1,14 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: run_setup | bool - tags: - - setup-all - - setup-dimension +- block: + - when: matrix_dimension_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: run_setup | bool and matrix_dimension_enabled | bool - tags: - - setup-all - - setup-dimension + - when: matrix_dimension_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: run_setup | bool and not matrix_dimension_enabled | bool + - when: not matrix_dimension_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-dimension diff --git a/roles/custom/matrix-dynamic-dns/tasks/main.yml b/roles/custom/matrix-dynamic-dns/tasks/main.yml index bec7785c9..6f5a35a5e 100644 --- a/roles/custom/matrix-dynamic-dns/tasks/main.yml +++ b/roles/custom/matrix-dynamic-dns/tasks/main.yml 
@@ -1,19 +1,21 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_dynamic_dns_enabled | bool" +- block: + - when: matrix_appservice_slack_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - setup-all - - setup-dynamic-dns + - setup-nginx-proxy -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/install.yml" - when: "run_setup | bool and matrix_dynamic_dns_enabled | bool" - tags: - - setup-all - - setup-dynamic-dns +- block: + - when: matrix_dynamic_dns_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_dynamic_dns_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/uninstall.yml" - when: "run_setup | bool and not matrix_dynamic_dns_enabled | bool" + - when: not matrix_dynamic_dns_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-dynamic-dns diff --git a/roles/custom/matrix-dynamic-dns/tasks/install.yml b/roles/custom/matrix-dynamic-dns/tasks/setup_install.yml similarity index 100% rename from roles/custom/matrix-dynamic-dns/tasks/install.yml rename to roles/custom/matrix-dynamic-dns/tasks/setup_install.yml diff --git a/roles/custom/matrix-dynamic-dns/tasks/uninstall.yml b/roles/custom/matrix-dynamic-dns/tasks/setup_uninstall.yml similarity index 100% rename from roles/custom/matrix-dynamic-dns/tasks/uninstall.yml rename to roles/custom/matrix-dynamic-dns/tasks/setup_uninstall.yml diff --git a/roles/custom/matrix-email2matrix/tasks/main.yml b/roles/custom/matrix-email2matrix/tasks/main.yml index 4339b4db3..c3e21d94d 100644 --- a/roles/custom/matrix-email2matrix/tasks/main.yml +++ b/roles/custom/matrix-email2matrix/tasks/main.yml 
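Review bot: The first block in the new matrix-dynamic-dns main.yml is gated on `matrix_appservice_slack_enabled | bool` and includes `{{ role_path }}/tasks/inject_into_nginx_proxy.yml`, which reads like a copy-paste from another role: the condition names a different role's variable, and this patch adds no inject_into_nginx_proxy.yml under roles/custom/matrix-dynamic-dns. If that file does not exist, the include fails at runtime whenever appservice-slack is enabled, and a `setup-nginx-proxy` run becomes coupled to an unrelated role's flag. Unless dynamic-dns genuinely needs an nginx-proxy hook, the whole first block (`- block:` through `- setup-nginx-proxy`) should be removed; if it does, the condition should at least be `matrix_dynamic_dns_enabled | bool`.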
@@ -1,19 +1,14 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_email2matrix_enabled | bool" - tags: - - setup-all - - setup-email2matrix +- block: + - when: matrix_email2matrix_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_email2matrix_enabled | bool" - tags: - - setup-all - - setup-email2matrix + - when: matrix_email2matrix_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_email2matrix_enabled | bool" + - when: not matrix_email2matrix_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-email2matrix diff --git a/roles/custom/matrix-etherpad/tasks/main.yml b/roles/custom/matrix-etherpad/tasks/main.yml index a2c9e077b..46a04a48b 100644 --- a/roles/custom/matrix-etherpad/tasks/main.yml +++ b/roles/custom/matrix-etherpad/tasks/main.yml 
@@ -1,25 +1,21 @@ --- -- when: matrix_etherpad_enabled | bool and matrix_etherpad_mode == 'dimension' - ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" +- block: + - when: matrix_etherpad_enabled | bool and matrix_etherpad_mode == 'dimension' + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - setup-all - setup-nginx-proxy -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: run_setup | bool and matrix_etherpad_enabled | bool - tags: - - setup-all - - setup-etherpad +- block: + - when: matrix_etherpad_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: run_setup | bool and matrix_etherpad_enabled | bool - tags: - - setup-all - - setup-etherpad + - when: matrix_etherpad_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: run_setup | bool and not matrix_etherpad_enabled | bool + - when: not matrix_etherpad_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-etherpad diff --git a/roles/custom/matrix-grafana/tasks/main.yml b/roles/custom/matrix-grafana/tasks/main.yml index 573f792f6..fc1f3dc6f 100644 --- a/roles/custom/matrix-grafana/tasks/main.yml +++ b/roles/custom/matrix-grafana/tasks/main.yml 
@@ -1,12 +1,14 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_grafana_enabled | bool" - tags: - - setup-all - - setup-grafana +- block: + - when: matrix_grafana_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_grafana_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup.yml" + - when: not matrix_grafana_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-grafana diff --git a/roles/custom/matrix-grafana/tasks/setup.yml b/roles/custom/matrix-grafana/tasks/setup_install.yml similarity index 65% rename from roles/custom/matrix-grafana/tasks/setup.yml rename to roles/custom/matrix-grafana/tasks/setup_install.yml index eabd25e5f..86a6b04b8 100644 --- a/roles/custom/matrix-grafana/tasks/setup.yml +++ b/roles/custom/matrix-grafana/tasks/setup_install.yml @@ -1,16 +1,11 @@ --- -# -# Tasks related to setting up matrix-grafana -# - - name: Ensure matrix-grafana image is pulled community.docker.docker_image: name: "{{ matrix_grafana_docker_image }}" source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_grafana_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_grafana_docker_image_force_pull }}" - when: "matrix_grafana_enabled | bool" register: result retries: "{{ devture_playbook_help_container_retries_count }}" delay: "{{ devture_playbook_help_container_retries_delay }}" 
@@ -31,7 +26,6 @@ - "{{ matrix_grafana_config_path }}/provisioning/dashboards" - "{{ matrix_grafana_config_path }}/dashboards" - "{{ matrix_grafana_data_path }}" - when: matrix_grafana_enabled | bool - name: Ensure grafana.ini present ansible.builtin.template: @@ -40,7 +34,6 @@ mode: 0440 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: matrix_grafana_enabled | bool - name: Ensure provisioning/datasources/default.yaml present ansible.builtin.template: @@ -49,7 +42,6 @@ mode: 0440 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: matrix_grafana_enabled | bool - name: Ensure provisioning/dashboards/default.yaml present ansible.builtin.template: @@ -58,7 +50,6 @@ mode: 0440 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: matrix_grafana_enabled | bool - name: Ensure dashboard(s) downloaded ansible.builtin.get_url: @@ -69,7 +60,6 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" with_items: "{{ matrix_grafana_dashboard_download_urls }}" - when: matrix_grafana_enabled | bool register: result retries: "{{ devture_playbook_help_geturl_retries_count }}" delay: "{{ devture_playbook_help_geturl_retries_delay }}" 
@@ -81,38 +71,3 @@ dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-grafana.service" mode: 0644 register: matrix_grafana_systemd_service_result - when: matrix_grafana_enabled | bool - -- name: Ensure systemd reloaded after matrix-grafana.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_grafana_enabled | bool and matrix_grafana_systemd_service_result.changed" - -# -# Tasks related to getting rid of matrix-grafana (if it was previously enabled) -# - -- name: Check existence of matrix-grafana service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-grafana.service" - register: matrix_grafana_service_stat - -- name: Ensure matrix-grafana is stopped - ansible.builtin.service: - name: matrix-grafana - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "not matrix_grafana_enabled | bool and matrix_grafana_service_stat.stat.exists" - -- name: Ensure matrix-grafana.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-grafana.service" - state: absent - when: "not matrix_grafana_enabled | bool and matrix_grafana_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-grafana.service removal - ansible.builtin.service: - daemon_reload: true - when: "not matrix_grafana_enabled | bool and matrix_grafana_service_stat.stat.exists" diff --git a/roles/custom/matrix-grafana/tasks/setup_uninstall.yml b/roles/custom/matrix-grafana/tasks/setup_uninstall.yml new file mode 100644 index 000000000..6c054ff09 --- /dev/null +++ b/roles/custom/matrix-grafana/tasks/setup_uninstall.yml 
@@ -0,0 +1,21 @@ +--- + +- name: Check existence of matrix-grafana service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-grafana.service" + register: matrix_grafana_service_stat + +- when: matrix_grafana_service_stat.stat.exists | bool + block: + - name: Ensure matrix-grafana is stopped + ansible.builtin.service: + name: matrix-grafana + state: stopped + enabled: false + daemon_reload: true + register: stopping_result + + - name: Ensure matrix-grafana.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-grafana.service" + state: absent diff --git a/roles/custom/matrix-jitsi/tasks/main.yml b/roles/custom/matrix-jitsi/tasks/main.yml index 9aac5eae8..8a2b9e43e 100644 --- a/roles/custom/matrix-jitsi/tasks/main.yml +++ b/roles/custom/matrix-jitsi/tasks/main.yml 
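Review bot: The new matrix-grafana setup_uninstall.yml deletes matrix-grafana.service but never reloads systemd afterwards; the deleted code had an `Ensure systemd reloaded after matrix-grafana.service removal` task, and the new matrix-corporal setup_uninstall.yml in this same patch keeps one. The `daemon_reload: true` on the stop task runs before the unit file is removed, so systemd keeps the stale unit loaded until some later reload. Add after the file task: `- name: Ensure systemd reloaded after matrix-grafana.service removal` / `ansible.builtin.service:` / `daemon_reload: true`. The new jicofo, jvb and prosody uninstall files in this patch have the same gap, and `register: stopping_result` is unused in all four of them.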
@@ -1,43 +1,50 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init_additional_jvb.yml" +- block: + - when: matrix_jitsi_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/init_additional_jvb.yml" tags: - setup-additional-jitsi-jvb -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_jitsi_enabled | bool" - tags: - - setup-all - - setup-jitsi - - setup-additional-jitsi-jvb +- block: + - when: matrix_jitsi_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_jitsi_base.yml" - when: run_setup | bool + - when: matrix_jitsi_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_base.yml" tags: - setup-all - setup-jitsi - setup-additional-jitsi-jvb -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_jitsi_web.yml" - when: run_setup | bool - tags: - - setup-all - - setup-jitsi +- block: + - when: matrix_jitsi_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_web_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_jitsi_prosody.yml" - when: run_setup | bool - tags: - - setup-all - - setup-jitsi + - when: not matrix_jitsi_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_web_uninstall.yml" + + - when: matrix_jitsi_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_prosody_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_jitsi_jicofo.yml" - when: run_setup | bool + - when: not matrix_jitsi_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_prosody_uninstall.yml" + + - when: matrix_jitsi_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jicofo_install.yml" + + - when: not matrix_jitsi_enabled | bool + ansible.builtin.include_tasks: "{{ 
role_path }}/tasks/setup_jitsi_jicofo_uninstall.yml" tags: - setup-all - setup-jitsi -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_jitsi_jvb.yml" - when: run_setup | bool +- block: + - when: matrix_jitsi_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jvb_install.yml" + + - when: not matrix_jitsi_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jvb_uninstall.yml" tags: - setup-all - setup-jitsi diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_base.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_base.yml index c52c19021..d273b425a 100644 --- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_base.yml +++ b/roles/custom/matrix-jitsi/tasks/setup_jitsi_base.yml @@ -4,10 +4,6 @@ name: custom/matrix-base tasks_from: ensure_openssl_installed -# -# Tasks related to setting up jitsi -# - - name: Ensure Matrix jitsi base path exists ansible.builtin.file: path: "{{ item.path }}" @@ -17,8 +13,4 @@ group: "{{ matrix_user_groupname }}" with_items: - {path: "{{ matrix_jitsi_base_path }}", when: true} - when: matrix_jitsi_enabled | bool and item.when - -# -# Tasks related to getting rid of jitsi (if it was previously enabled) -# + when: item.when | bool diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo_install.yml similarity index 52% rename from roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo.yml rename to roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo_install.yml index d93953086..6782ecd5b 100644 --- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo.yml +++ b/roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo_install.yml @@ -1,9 +1,5 @@ --- -# -# Tasks related to setting up jitsi-jicofo -# - - name: Ensure Matrix jitsi-jicofo path exists ansible.builtin.file: path: "{{ item.path }}" 
@@ -14,7 +10,7 @@ with_items: - {path: "{{ matrix_jitsi_jicofo_base_path }}", when: true} - {path: "{{ matrix_jitsi_jicofo_config_path }}", when: true} - when: matrix_jitsi_enabled | bool and item.when + when: item.when | bool - name: Ensure jitsi-jicofo Docker image is pulled community.docker.docker_image: @@ -22,7 +18,6 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_jitsi_jicofo_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_jicofo_docker_image_force_pull }}" - when: matrix_jitsi_enabled | bool register: result retries: "{{ devture_playbook_help_container_retries_count }}" delay: "{{ devture_playbook_help_container_retries_delay }}" @@ -47,7 +42,6 @@ with_items: - sip-communicator.properties - logging.properties - when: matrix_jitsi_enabled | bool - name: Ensure matrix-jitsi-jicofo.service installed ansible.builtin.template: 
@@ -55,48 +49,3 @@ dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jicofo.service" mode: 0644 register: matrix_jitsi_jicofo_systemd_service_result - when: matrix_jitsi_enabled | bool - -- name: Ensure systemd reloaded after matrix-jitsi-jicofo.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_jitsi_enabled and matrix_jitsi_jicofo_systemd_service_result.changed" - -# -# Tasks related to getting rid of jitsi-jicofo (if it was previously enabled) -# - -- name: Check existence of matrix-jitsi-jicofo service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jicofo.service" - register: matrix_jitsi_jicofo_service_stat - when: "not matrix_jitsi_enabled | bool" - -- name: Ensure matrix-jitsi-jicofo is stopped - ansible.builtin.service: - name: matrix-jitsi-jicofo - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "not matrix_jitsi_enabled | bool and matrix_jitsi_jicofo_service_stat.stat.exists" - -- name: Ensure matrix-jitsi-jicofo.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jicofo.service" - state: absent - when: "not matrix_jitsi_enabled | bool and matrix_jitsi_jicofo_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-jitsi-jicofo.service removal - ansible.builtin.service: - daemon_reload: true - when: "not matrix_jitsi_enabled | bool and matrix_jitsi_jicofo_service_stat.stat.exists" - -- name: Ensure Matrix jitsi-jicofo paths doesn't exist - ansible.builtin.file: - path: "{{ matrix_jitsi_jicofo_base_path }}" - state: absent - when: "not matrix_jitsi_enabled | bool" - -# Intentionally not removing the Docker image when uninstalling. -# We can't be sure it had been pulled by us in the first place. 
diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo_uninstall.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo_uninstall.yml new file mode 100644 index 000000000..8e76ddea3 --- /dev/null +++ b/roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo_uninstall.yml @@ -0,0 +1,26 @@ +--- + +- name: Check existence of matrix-jitsi-jicofo service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jicofo.service" + register: matrix_jitsi_jicofo_service_stat + +- when: matrix_jitsi_jicofo_service_stat.stat.exists | bool + block: + - name: Ensure matrix-jitsi-jicofo is stopped + ansible.builtin.service: + name: matrix-jitsi-jicofo + state: stopped + enabled: false + daemon_reload: true + register: stopping_result + + - name: Ensure matrix-jitsi-jicofo.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jicofo.service" + state: absent + + - name: Ensure Matrix jitsi-jicofo paths doesn't exist + ansible.builtin.file: + path: "{{ matrix_jitsi_jicofo_base_path }}" + state: absent diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb_install.yml similarity index 50% rename from roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb.yml rename to roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb_install.yml index 966572af5..356b40680 100644 --- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb.yml +++ b/roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb_install.yml @@ -1,9 +1,5 @@ --- -# -# Tasks related to setting up jitsi-jvb -# - - name: Ensure Matrix jitsi-jvb path exists ansible.builtin.file: path: "{{ item.path }}" 
@@ -14,7 +10,7 @@ with_items: - {path: "{{ matrix_jitsi_jvb_base_path }}", when: true} - {path: "{{ matrix_jitsi_jvb_config_path }}", when: true} - when: matrix_jitsi_enabled | bool and item.when + when: item.when | bool - name: Ensure jitsi-jvb Docker image is pulled community.docker.docker_image: @@ -22,7 +18,6 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_jitsi_jvb_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_jvb_docker_image_force_pull }}" - when: matrix_jitsi_enabled | bool register: result retries: "{{ devture_playbook_help_container_retries_count }}" delay: "{{ devture_playbook_help_container_retries_delay }}" @@ -38,7 +33,6 @@ with_items: - custom-sip-communicator.properties - logging.properties - when: matrix_jitsi_enabled | bool - name: Ensure jitsi-jvb environment variables file created ansible.builtin.template: 
@@ -47,56 +41,9 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" mode: 0640 - when: matrix_jitsi_enabled | bool - name: Ensure matrix-jitsi-jvb.service installed ansible.builtin.template: src: "{{ role_path }}/templates/jvb/matrix-jitsi-jvb.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jvb.service" mode: 0644 - register: matrix_jitsi_jvb_systemd_service_result - when: matrix_jitsi_enabled | bool - -- name: Ensure systemd reloaded after matrix-jitsi-jvb.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_jitsi_enabled and matrix_jitsi_jvb_systemd_service_result.changed" - -# -# Tasks related to getting rid of jitsi-jvb (if it was previously enabled) -# - -- name: Check existence of matrix-jitsi-jvb service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jvb.service" - register: matrix_jitsi_jvb_service_stat - when: "not matrix_jitsi_enabled | bool" - -- name: Ensure matrix-jitsi-jvb is stopped - ansible.builtin.service: - name: matrix-jitsi-jvb - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "not matrix_jitsi_enabled | bool and matrix_jitsi_jvb_service_stat.stat.exists" - -- name: Ensure matrix-jitsi-jvb.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jvb.service" - state: absent - when: "not matrix_jitsi_enabled | bool and matrix_jitsi_jvb_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-jitsi-jvb.service removal - ansible.builtin.service: - daemon_reload: true - when: "not matrix_jitsi_enabled | bool and matrix_jitsi_jvb_service_stat.stat.exists" - -- name: Ensure Matrix jitsi-jvb paths doesn't exist - ansible.builtin.file: - path: "{{ matrix_jitsi_jvb_base_path }}" - state: absent - when: "not matrix_jitsi_enabled | bool" - -# Intentionally not removing the Docker image when uninstalling. 
-# We can't be sure it had been pulled by us in the first place. diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb_uninstall.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb_uninstall.yml new file mode 100644 index 000000000..f883a3a2f --- /dev/null +++ b/roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb_uninstall.yml @@ -0,0 +1,26 @@ +--- + +- name: Check existence of matrix-jitsi-jvb service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jvb.service" + register: matrix_jitsi_jvb_service_stat + +- when: matrix_jitsi_jvb_service_stat.stat.exists | bool + block: + - name: Ensure matrix-jitsi-jvb is stopped + ansible.builtin.service: + name: matrix-jitsi-jvb + state: stopped + enabled: false + daemon_reload: true + register: stopping_result + + - name: Ensure matrix-jitsi-jvb.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jvb.service" + state: absent + + - name: Ensure Matrix jitsi-jvb paths doesn't exist + ansible.builtin.file: + path: "{{ matrix_jitsi_jvb_base_path }}" + state: absent diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody.yml deleted file mode 100644 index 1a1656b2c..000000000 --- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody.yml +++ /dev/null 
@@ -1,99 +0,0 @@ ---- - -# -# Tasks related to setting up jitsi-prosody -# - -- name: Ensure Matrix jitsi-prosody environment exists - ansible.builtin.file: - path: "{{ item.path }}" - state: directory - mode: 0777 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - {path: "{{ matrix_jitsi_prosody_base_path }}", when: true} - - {path: "{{ matrix_jitsi_prosody_config_path }}", when: true} - - {path: "{{ matrix_jitsi_prosody_plugins_path }}", when: true} - when: matrix_jitsi_enabled | bool and item.when - -- name: Ensure jitsi-prosody Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_jitsi_prosody_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_jitsi_prosody_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_prosody_docker_image_force_pull }}" - when: matrix_jitsi_enabled | bool - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure jitsi-prosody environment variables file is created - ansible.builtin.template: - src: "{{ role_path }}/templates/prosody/env.j2" - dest: "{{ matrix_jitsi_prosody_base_path }}/env" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - mode: 0640 - when: matrix_jitsi_enabled | bool - -- name: Ensure matrix-jitsi-prosody.service file is installed - ansible.builtin.template: - src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-prosody.service" - mode: 0644 - register: matrix_jitsi_prosody_systemd_service_result - when: matrix_jitsi_enabled | bool - -- name: Ensure systemd service is reloaded after 
matrix-jitsi-prosody.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_jitsi_enabled and matrix_jitsi_prosody_systemd_service_result.changed" - -- name: Ensure authentication is properly configured - ansible.builtin.include_tasks: - file: "{{ role_path }}/tasks/util/setup_jitsi_auth.yml" - when: - - matrix_jitsi_enabled | bool - - matrix_jitsi_enable_auth | bool - - -# -# Tasks related to getting rid of jitsi-prosody (if it was previously enabled) -# - -- name: Ensure matrix-jitsi-prosody.service file exists - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-prosody.service" - register: matrix_jitsi_prosody_service_stat - when: "not matrix_jitsi_enabled | bool" - -- name: Ensure matrix-jitsi-prosody is stopped - ansible.builtin.service: - name: matrix-jitsi-prosody - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "not matrix_jitsi_enabled | bool and matrix_jitsi_prosody_service_stat.stat.exists" - -- name: Ensure matrix-jitsi-prosody.service file doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-prosody.service" - state: absent - when: "not matrix_jitsi_enabled | bool and matrix_jitsi_prosody_service_stat.stat.exists" - -- name: Ensure systemd is reloaded after matrix-jitsi-prosody.service removal - ansible.builtin.service: - daemon_reload: true - when: "not matrix_jitsi_enabled | bool and matrix_jitsi_prosody_service_stat.stat.exists" - -- name: Ensure Matrix jitsi-prosody paths doesn't exist - ansible.builtin.file: - path: "{{ matrix_jitsi_prosody_base_path }}" - state: absent - when: "not matrix_jitsi_enabled | bool" - -# Intentionally not removing the Docker image when uninstalling. -# We can't be sure it had been pulled by us in the first place. 
diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_install.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_install.yml new file mode 100644 index 000000000..785811666 --- /dev/null +++ b/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_install.yml 
@@ -0,0 +1,45 @@
+---
+
+- name: Ensure Matrix jitsi-prosody environment exists
+ ansible.builtin.file:
+ path: "{{ item.path }}"
+ state: directory
+ mode: 0777
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_groupname }}"
+ with_items:
+ - {path: "{{ matrix_jitsi_prosody_base_path }}", when: true}
+ - {path: "{{ matrix_jitsi_prosody_config_path }}", when: true}
+ - {path: "{{ matrix_jitsi_prosody_plugins_path }}", when: true}
+ when: item.when | bool
+
+- name: Ensure jitsi-prosody Docker image is pulled
+ community.docker.docker_image:
+ name: "{{ matrix_jitsi_prosody_docker_image }}"
+ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+ force_source: "{{ matrix_jitsi_prosody_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+ force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_prosody_docker_image_force_pull }}"
+ register: result
+ retries: "{{ devture_playbook_help_container_retries_count }}"
+ delay: "{{ devture_playbook_help_container_retries_delay }}"
+ until: result is not failed
+
+- name: Ensure jitsi-prosody environment variables file is created
+ ansible.builtin.template:
+ src: "{{ role_path }}/templates/prosody/env.j2"
+ dest: "{{ matrix_jitsi_prosody_base_path }}/env"
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_groupname }}"
+ mode: 0640
+
+- name: Ensure matrix-jitsi-prosody.service file is installed
+ ansible.builtin.template:
+ src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2"
+ dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-prosody.service"
+ mode: 0644
+ register: matrix_jitsi_prosody_systemd_service_result
+
+- name: Ensure authentication is properly configured
+ ansible.builtin.include_tasks:
+ file: "{{ role_path }}/tasks/util/setup_jitsi_auth.yml"
+ when: matrix_jitsi_enable_auth | bool
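Review bot: The three prosody directories are created with `mode: 0777` (world-writable) in the new install file, while the env file written a few tasks later gets `0640`; unless the container runs as an unrelated uid that must write into these paths, `mode: 0750` would be the consistent choice, and if the permissive mode is deliberate (it is presumably carried over from the old setup file) a one-line comment saying why would stop the next reader from tightening it blindly. Separately, the old "Ensure systemd is reloaded after matrix-jitsi-prosody.service installation" task was deleted together with the old file and has no counterpart here, whereas the mailer and postgres-backup install files in this commit keep their reload task. If a later role reloads systemd globally that is fine; otherwise `matrix_jitsi_prosody_systemd_service_result` is now registered but never read within this file.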
diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_uninstall.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_uninstall.yml
new file mode 100644
index 000000000..3fd44f72d
--- /dev/null
+++ b/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_uninstall.yml
@@ -0,0 +1,26 @@
+---
+
+- name: Check if matrix-jitsi-prosody.service file exists
+ ansible.builtin.stat:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-prosody.service"
+ register: matrix_jitsi_prosody_service_stat
+
+- when: matrix_jitsi_prosody_service_stat.stat.exists | bool
+ block:
+ - name: Ensure matrix-jitsi-prosody is stopped
+ ansible.builtin.service:
+ name: matrix-jitsi-prosody
+ state: stopped
+ enabled: false
+ daemon_reload: true
+ register: stopping_result
+
+ - name: Ensure matrix-jitsi-prosody.service file doesn't exist
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-prosody.service"
+ state: absent
+
+ - name: Ensure Matrix jitsi-prosody paths doesn't exist
+ ansible.builtin.file:
+ path: "{{ matrix_jitsi_prosody_base_path }}"
+ state: absent
diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_web.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_web_install.yml
similarity index 53%
rename from roles/custom/matrix-jitsi/tasks/setup_jitsi_web.yml
rename to roles/custom/matrix-jitsi/tasks/setup_jitsi_web_install.yml
index b6d3241b5..710b2b0ca 100644
--- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_web.yml
+++ b/roles/custom/matrix-jitsi/tasks/setup_jitsi_web_install.yml
@@ -1,9 +1,5 @@
 ---
-#
-# Tasks related to setting up jitsi-web
-#
-
 - name: Ensure Matrix jitsi-web path exists
 ansible.builtin.file:
 path: "{{ item.path }}"
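Review bot: After `matrix-jitsi-prosody.service` is deleted in the new uninstall file there is no `daemon_reload` task, so systemd keeps the stale unit loaded until something else reloads it; the mailer and postgres-backup uninstall files in this same commit end their block with an "Ensure systemd reloaded after … removal" task, and this file (and `setup_jitsi_web_uninstall.yml`, which has the same shape) should do the same unless a global reload happens later in the play. `register: stopping_result` on the stop task is not read anywhere in the file and can be dropped. The old file's comment explaining that the Docker image is intentionally kept was lost in the move; `# Intentionally not removing the Docker image when uninstalling: we can't be sure it had been pulled by us in the first place.` is worth restoring at the end of the file, especially since the mailer uninstall in this commit does remove its image.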
@@ -16,7 +12,7 @@ - {path: "{{ matrix_jitsi_web_config_path }}", when: true} - {path: "{{ matrix_jitsi_web_transcripts_path }}", when: true} - {path: "{{ matrix_jitsi_web_crontabs_path }}", when: true} - when: matrix_jitsi_enabled | bool and item.when + when: item.when | bool - name: Ensure jitsi-web Docker image is pulled community.docker.docker_image: @@ -24,7 +20,6 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_jitsi_web_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_web_docker_image_force_pull }}" - when: matrix_jitsi_enabled | bool register: result retries: "{{ devture_playbook_help_container_retries_count }}" delay: "{{ devture_playbook_help_container_retries_delay }}" @@ -37,7 +32,6 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" mode: 0640 - when: matrix_jitsi_enabled | bool - name: Ensure jitsi-web configuration files created ansible.builtin.template: @@ -49,7 +43,6 @@ with_items: - custom-config.js - custom-interface_config.js - when: matrix_jitsi_enabled | bool - name: Ensure matrix-jitsi-web.service installed ansible.builtin.template: 
@@ -57,48 +50,3 @@ dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-web.service" mode: 0644 register: matrix_jitsi_web_systemd_service_result - when: matrix_jitsi_enabled | bool - -- name: Ensure systemd reloaded after matrix-jitsi-web.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_jitsi_enabled and matrix_jitsi_web_systemd_service_result.changed" - -# -# Tasks related to getting rid of jitsi-web (if it was previously enabled) -# - -- name: Check existence of matrix-jitsi-web service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-web.service" - register: matrix_jitsi_web_service_stat - when: "not matrix_jitsi_enabled | bool" - -- name: Ensure matrix-jitsi-web is stopped - ansible.builtin.service: - name: matrix-jitsi-web - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "not matrix_jitsi_enabled | bool and matrix_jitsi_web_service_stat.stat.exists" - -- name: Ensure matrix-jitsi-web.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-web.service" - state: absent - when: "not matrix_jitsi_enabled | bool and matrix_jitsi_web_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-jitsi-web.service removal - ansible.builtin.service: - daemon_reload: true - when: "not matrix_jitsi_enabled | bool and matrix_jitsi_web_service_stat.stat.exists" - -- name: Ensure Matrix jitsi-web paths doesn't exist - ansible.builtin.file: - path: "{{ matrix_jitsi_web_base_path }}" - state: absent - when: "not matrix_jitsi_enabled | bool" - -# Intentionally not removing the Docker image when uninstalling. -# We can't be sure it had been pulled by us in the first place. diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_web_uninstall.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_web_uninstall.yml new file mode 100644 index 000000000..7c99c2802 --- /dev/null 
+++ b/roles/custom/matrix-jitsi/tasks/setup_jitsi_web_uninstall.yml
@@ -0,0 +1,26 @@
+---
+
+- name: Check existence of matrix-jitsi-web service
+ ansible.builtin.stat:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-web.service"
+ register: matrix_jitsi_web_service_stat
+
+- when: matrix_jitsi_web_service_stat.stat.exists | bool
+ block:
+ - name: Ensure matrix-jitsi-web is stopped
+ ansible.builtin.service:
+ name: matrix-jitsi-web
+ state: stopped
+ enabled: false
+ daemon_reload: true
+ register: stopping_result
+
+ - name: Ensure matrix-jitsi-web.service doesn't exist
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-web.service"
+ state: absent
+
+ - name: Ensure Matrix jitsi-web paths doesn't exist
+ ansible.builtin.file:
+ path: "{{ matrix_jitsi_web_base_path }}"
+ state: absent
diff --git a/roles/custom/matrix-ldap-registration-proxy/tasks/main.yml b/roles/custom/matrix-ldap-registration-proxy/tasks/main.yml
index 1bba9ad1d..758bea97a 100644
--- a/roles/custom/matrix-ldap-registration-proxy/tasks/main.yml
+++ b/roles/custom/matrix-ldap-registration-proxy/tasks/main.yml
@@ -1,25 +1,21 @@ --- -- when: matrix_ldap_registration_proxy_enabled | bool - ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" +- block: + - when: matrix_ldap_registration_proxy_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - setup-all - setup-nginx-proxy -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_ldap_registration_proxy_enabled | bool" - tags: - - setup-all - - setup-matrix-ldap-registration-proxy +- block: + - when: matrix_ldap_registration_proxy_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_ldap_registration_proxy_enabled | bool" - tags: - - setup-all - - setup-matrix-ldap-registration-proxy + - when: matrix_ldap_registration_proxy_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_ldap_registration_proxy_enabled | bool" + - when: not matrix_ldap_registration_proxy_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-matrix-ldap-registration-proxy diff --git a/roles/custom/matrix-ma1sd/tasks/main.yml b/roles/custom/matrix-ma1sd/tasks/main.yml index add76bb2d..c1208f749 100644 --- a/roles/custom/matrix-ma1sd/tasks/main.yml +++ b/roles/custom/matrix-ma1sd/tasks/main.yml 
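Review bot: The `run_setup | bool` guard that previously gated `validate_config.yml`, `setup_install.yml` and `setup_uninstall.yml` is gone from the new block, so these includes now run on every play that matches the `setup-all`/`setup-matrix-ldap-registration-proxy` tags. If `run_setup` is still a supported switch in the top-level playbook, the condition should read `- when: run_setup | bool and matrix_ldap_registration_proxy_enabled | bool` (or a single `when:` on the block); if the switch was retired in an earlier commit of this series, the removal is fine but deserves a sentence in the commit message. The same applies to the `run_setup` removals in the ma1sd, mailer, ntfy, postgres-backup and prometheus-node-exporter `main.yml` hunks below, and to the `run_self_check | bool` guards dropped from the ma1sd, nginx-proxy and ntfy self-check includes.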
@@ -1,26 +1,19 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_ma1sd_enabled | bool" - tags: - - setup-all - - setup-ma1sd +- block: + - when: matrix_ma1sd_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_ma1sd_enabled | bool" - tags: - - setup-all - - setup-ma1sd + - when: matrix_ma1sd_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_ma1sd_enabled | bool" + - when: not matrix_ma1sd_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - - setup-all - setup-ma1sd -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/self_check_ma1sd.yml" - delegate_to: 127.0.0.1 - become: false - when: "run_self_check | bool and matrix_ma1sd_enabled | bool" +- block: + - when: matrix_ma1sd_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml" tags: - self-check diff --git a/roles/custom/matrix-ma1sd/tasks/self_check_ma1sd.yml b/roles/custom/matrix-ma1sd/tasks/self_check.yml similarity index 95% rename from roles/custom/matrix-ma1sd/tasks/self_check_ma1sd.yml rename to roles/custom/matrix-ma1sd/tasks/self_check.yml index 6fde9dd2f..66765727e 100644 --- a/roles/custom/matrix-ma1sd/tasks/self_check_ma1sd.yml +++ b/roles/custom/matrix-ma1sd/tasks/self_check.yml @@ -11,6 +11,8 @@ check_mode: false register: result_ma1sd ignore_errors: true + delegate_to: 127.0.0.1 + become: false - name: Fail if ma1sd Identity Service not working ansible.builtin.fail: diff --git a/roles/custom/matrix-mailer/tasks/main.yml b/roles/custom/matrix-mailer/tasks/main.yml index cf9123bf3..2c2a03675 100644 --- a/roles/custom/matrix-mailer/tasks/main.yml 
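Review bot: The `- setup-all` tag is removed from the tags of the new ma1sd setup block, leaving only `setup-ma1sd`, so `--tags=setup-all` will no longer validate, install or uninstall ma1sd. Every other role touched in this commit (ldap-registration-proxy, mailer, ntfy, postgres-backup, node-exporter) keeps both tags on the equivalent block, so this looks like an accidental deletion; the line `- setup-all` should be restored above `- setup-ma1sd`.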
+++ b/roles/custom/matrix-mailer/tasks/main.yml @@ -1,7 +1,11 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_mailer.yml" - when: run_setup | bool +- block: + - when: matrix_mailer_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + + - when: not matrix_mailer_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-mailer diff --git a/roles/custom/matrix-mailer/tasks/setup_mailer.yml b/roles/custom/matrix-mailer/tasks/setup_install.yml similarity index 57% rename from roles/custom/matrix-mailer/tasks/setup_mailer.yml rename to roles/custom/matrix-mailer/tasks/setup_install.yml index 5d81565a2..113551657 100644 --- a/roles/custom/matrix-mailer/tasks/setup_mailer.yml +++ b/roles/custom/matrix-mailer/tasks/setup_install.yml @@ -1,9 +1,5 @@ --- -# -# Tasks related to setting up the mailer -# - - name: Ensure mailer base path exists ansible.builtin.file: path: "{{ item.path }}" @@ -14,14 +10,13 @@ with_items: - {path: "{{ matrix_mailer_base_path }}", when: true} - {path: "{{ matrix_mailer_container_image_self_build_src_files_path }}", when: "{{ matrix_mailer_container_image_self_build }}"} - when: "matrix_mailer_enabled | bool and item.when" + when: item.when | bool - name: Ensure mailer environment variables file created ansible.builtin.template: src: "{{ role_path }}/templates/env-mailer.j2" dest: "{{ matrix_mailer_base_path }}/env-mailer" mode: 0640 - when: matrix_mailer_enabled | bool - name: Ensure exim-relay repository is present on self-build ansible.builtin.git: @@ -32,7 +27,7 @@ become: true become_user: "{{ matrix_user_username }}" register: matrix_mailer_git_pull_results - when: "matrix_mailer_enabled | bool and matrix_mailer_container_image_self_build | bool" + when: matrix_mailer_container_image_self_build | bool - name: Ensure exim-relay Docker image is built community.docker.docker_image: 
@@ -44,7 +39,7 @@ dockerfile: Dockerfile path: "{{ matrix_mailer_container_image_self_build_src_files_path }}" pull: true - when: "matrix_mailer_enabled | bool and matrix_mailer_container_image_self_build | bool" + when: matrix_mailer_container_image_self_build | bool - name: Ensure exim-relay image is pulled community.docker.docker_image: @@ -52,7 +47,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mailer_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_docker_image_force_pull }}" - when: "matrix_mailer_enabled | bool and not matrix_mailer_container_image_self_build | bool" + when: "not matrix_mailer_container_image_self_build | bool" register: result retries: "{{ devture_playbook_help_container_retries_count }}" delay: "{{ devture_playbook_help_container_retries_delay }}" 
@@ -64,51 +59,8 @@ dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mailer.service" mode: 0644 register: matrix_mailer_systemd_service_result - when: matrix_mailer_enabled | bool - name: Ensure systemd reloaded after matrix-mailer.service installation ansible.builtin.service: daemon_reload: true - when: "matrix_mailer_enabled | bool and matrix_mailer_systemd_service_result.changed" - -# -# Tasks related to getting rid of the mailer (if it was previously enabled) -# - -- name: Check existence of matrix-mailer service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mailer.service" - register: matrix_mailer_service_stat - when: "not matrix_mailer_enabled | bool" - -- name: Ensure matrix-mailer is stopped - ansible.builtin.service: - name: matrix-mailer - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "not matrix_mailer_enabled | bool and matrix_mailer_service_stat.stat.exists" - -- name: Ensure matrix-mailer.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mailer.service" - state: absent - when: "not matrix_mailer_enabled | bool and matrix_mailer_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mailer.service removal - ansible.builtin.service: - daemon_reload: true - when: "not matrix_mailer_enabled | bool and matrix_mailer_service_stat.stat.exists" - -- name: Ensure Matrix mailer environment variables path doesn't exist - ansible.builtin.file: - path: "{{ matrix_mailer_base_path }}" - state: absent - when: "not matrix_mailer_enabled | bool" - -- name: Ensure mailer Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_mailer_docker_image }}" - state: absent - when: "not matrix_mailer_enabled | bool" + when: matrix_mailer_systemd_service_result.changed | bool 
diff --git a/roles/custom/matrix-mailer/tasks/setup_uninstall.yml b/roles/custom/matrix-mailer/tasks/setup_uninstall.yml
new file mode 100644
index 000000000..d8fb65c30
--- /dev/null
+++ b/roles/custom/matrix-mailer/tasks/setup_uninstall.yml
@@ -0,0 +1,35 @@
+---
+
+- name: Check existence of matrix-mailer service
+ ansible.builtin.stat:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mailer.service"
+ register: matrix_mailer_service_stat
+
+- when: matrix_mailer_service_stat.stat.exists | bool
+ block:
+ - name: Ensure matrix-mailer is stopped
+ ansible.builtin.service:
+ name: matrix-mailer
+ state: stopped
+ enabled: false
+ daemon_reload: true
+ register: stopping_result
+
+ - name: Ensure matrix-mailer.service doesn't exist
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mailer.service"
+ state: absent
+
+ - name: Ensure systemd reloaded after matrix-mailer.service removal
+ ansible.builtin.service:
+ daemon_reload: true
+
+- name: Ensure Matrix mailer path doesn't exist
+ ansible.builtin.file:
+ path: "{{ matrix_mailer_base_path }}"
+ state: absent
+
+- name: Ensure mailer Docker image doesn't exist
+ community.docker.docker_image:
+ name: "{{ matrix_mailer_docker_image }}"
+ state: absent
diff --git a/roles/custom/matrix-nginx-proxy/tasks/main.yml b/roles/custom/matrix-nginx-proxy/tasks/main.yml
index 168608daa..7ead49700 100644
--- a/roles/custom/matrix-nginx-proxy/tasks/main.yml
+++ b/roles/custom/matrix-nginx-proxy/tasks/main.yml
@@ -22,10 +22,8 @@
 - setup-all
 - setup-nginx-proxy
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/self_check_well_known.yml"
- delegate_to: 127.0.0.1
- become: false
- when: run_self_check | bool
+- block:
+ - ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_well_known.yml"
 tags:
 - self-check
diff --git a/roles/custom/matrix-ntfy/tasks/main.yml b/roles/custom/matrix-ntfy/tasks/main.yml
index 8a4acd7ce..1c2c266e1 100644
--- a/roles/custom/matrix-ntfy/tasks/main.yml +++ b/roles/custom/matrix-ntfy/tasks/main.yml @@ -1,20 +1,17 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_ntfy_enabled | bool" - tags: - - setup-all - - setup-ntfy +- block: + - when: matrix_ntfy_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_ntfy_enabled | bool" + - when: not matrix_ntfy_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-ntfy -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/self_check.yml" - delegate_to: 127.0.0.1 - become: false - when: "run_self_check | bool and matrix_ntfy_enabled | bool" +- block: + - when: matrix_ntfy_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml" tags: - self-check diff --git a/roles/custom/matrix-ntfy/tasks/self_check.yml b/roles/custom/matrix-ntfy/tasks/self_check.yml index 02529f35e..bdbd666a0 100644 --- a/roles/custom/matrix-ntfy/tasks/self_check.yml +++ b/roles/custom/matrix-ntfy/tasks/self_check.yml @@ -14,6 +14,8 @@ register: matrix_ntfy_self_check_result check_mode: false ignore_errors: true + delegate_to: 127.0.0.1 + become: false - name: Fail if ntfy not working ansible.builtin.fail: diff --git a/roles/custom/matrix-postgres-backup/tasks/main.yml b/roles/custom/matrix-postgres-backup/tasks/main.yml index 4fef6f459..1408f695c 100644 --- a/roles/custom/matrix-postgres-backup/tasks/main.yml +++ b/roles/custom/matrix-postgres-backup/tasks/main.yml 
@@ -1,13 +1,14 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_postgres_backup_enabled | bool" - tags: - - setup-all - - setup-postgres-backup +- block: + - when: matrix_postgres_backup_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_postgres_backup_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_postgres_backup.yml" - when: run_setup | bool + - when: not matrix_postgres_backup_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-postgres-backup diff --git a/roles/custom/matrix-postgres-backup/tasks/setup_install.yml b/roles/custom/matrix-postgres-backup/tasks/setup_install.yml new file mode 100644 index 000000000..d26fff6e4 --- /dev/null +++ b/roles/custom/matrix-postgres-backup/tasks/setup_install.yml 
@@ -0,0 +1,57 @@ +--- + + +- ansible.builtin.import_role: + name: custom/matrix-postgres + tasks_from: detect_existing_postgres_version + when: 'matrix_postgres_backup_postgres_data_path != ""' + +# If we have found an existing version (installed from before), we use its corresponding Docker image. +# If not, we install using the latest Postgres. +# +# Upgrading is supposed to be performed separately and explicitly (see `upgrade_postgres.yml`). +- ansible.builtin.set_fact: + matrix_postgres_backup_docker_image_to_use: "{{ matrix_postgres_backup_docker_image_latest if matrix_postgres_backup_detected_version_corresponding_docker_image | default('') == '' else matrix_postgres_backup_detected_version_corresponding_docker_image }}" + +- name: Ensure postgres backup Docker image is pulled + community.docker.docker_image: + name: "{{ matrix_postgres_backup_docker_image_to_use }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_postgres_backup_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_postgres_backup_docker_image_force_pull }}" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- name: Ensure Postgres backup paths exist + ansible.builtin.file: + path: "{{ item }}" + state: directory + mode: 0700 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_postgres_backup_path }}" + +- name: Ensure Postgres environment variables file created + ansible.builtin.template: + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_postgres_backup_path }}/{{ item }}" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + mode: 0640 + with_items: + - 
"env-postgres-backup" + +- name: Ensure matrix-postgres-backup.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-postgres-backup.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-postgres-backup.service" + mode: 0644 + register: matrix_postgres_backup_systemd_service_result + +- name: Ensure systemd reloaded after matrix-postgres-backup.service installation + ansible.builtin.service: + daemon_reload: true + when: matrix_postgres_backup_systemd_service_result.changed | bool diff --git a/roles/custom/matrix-postgres-backup/tasks/setup_postgres_backup.yml b/roles/custom/matrix-postgres-backup/tasks/setup_postgres_backup.yml deleted file mode 100644 index 6066ee491..000000000 --- a/roles/custom/matrix-postgres-backup/tasks/setup_postgres_backup.yml +++ /dev/null 
@@ -1,112 +0,0 @@ ---- - -# -# Tasks related to setting up postgres backup -# -- ansible.builtin.import_role: - name: custom/matrix-postgres - tasks_from: detect_existing_postgres_version - when: 'matrix_postgres_backup_enabled | bool and matrix_postgres_backup_postgres_data_path != ""' - -# If we have found an existing version (installed from before), we use its corresponding Docker image. -# If not, we install using the latest Postgres. -# -# Upgrading is supposed to be performed separately and explicitly (see `upgrade_postgres.yml`). -- ansible.builtin.set_fact: - matrix_postgres_backup_docker_image_to_use: "{{ matrix_postgres_backup_docker_image_latest if matrix_postgres_backup_detected_version_corresponding_docker_image | default('') == '' else matrix_postgres_backup_detected_version_corresponding_docker_image }}" - when: matrix_postgres_backup_enabled | bool - -- name: Ensure postgres backup Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_postgres_backup_docker_image_to_use }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_postgres_backup_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_postgres_backup_docker_image_force_pull }}" - when: matrix_postgres_backup_enabled | bool - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure Postgres backup paths exist - ansible.builtin.file: - path: "{{ item }}" - state: directory - mode: 0700 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_postgres_backup_path }}" - when: matrix_postgres_backup_enabled | bool - -- name: Ensure Postgres environment variables file created - 
ansible.builtin.template: - src: "{{ role_path }}/templates/{{ item }}.j2" - dest: "{{ matrix_postgres_backup_path }}/{{ item }}" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - mode: 0640 - with_items: - - "env-postgres-backup" - when: matrix_postgres_backup_enabled | bool - -- name: Ensure matrix-postgres-backup.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-postgres-backup.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-postgres-backup.service" - mode: 0644 - register: matrix_postgres_backup_systemd_service_result - when: matrix_postgres_backup_enabled | bool - -- name: Ensure systemd reloaded after matrix-postgres-backup.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_postgres_backup_enabled | bool and matrix_postgres_backup_systemd_service_result.changed" - -# -# Tasks related to getting rid of postgres backup (if it was previously enabled) -# - -- name: Check existence of matrix-postgres-backup service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-postgres-backup.service" - register: matrix_postgres_backup_service_stat - when: "not matrix_postgres_backup_enabled | bool" - -- name: Ensure matrix-postgres-backup is stopped - ansible.builtin.service: - name: matrix-postgres-backup - state: stopped - enabled: false - daemon_reload: true - when: "not matrix_postgres_backup_enabled | bool and matrix_postgres_backup_service_stat.stat.exists" - -- name: Ensure matrix-postgres-backup.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-postgres-backup.service" - state: absent - when: "not matrix_postgres_backup_enabled | bool and matrix_postgres_backup_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-postgres-backup.service removal - ansible.builtin.service: - daemon_reload: true - when: "not 
matrix_postgres_backup_enabled | bool and matrix_postgres_backup_service_stat.stat.exists" - -- name: Check existence of matrix-postgres-backup backup path - ansible.builtin.stat: - path: "{{ matrix_postgres_backup_path }}" - register: matrix_postgres_backup_path_stat - when: "not matrix_postgres_backup_enabled | bool" - -# We just want to notify the user. Deleting data is too destructive. -- name: Inject warning if matrix-postgres backup data remains - ansible.builtin.set_fact: - devture_playbook_runtime_messages_list: | - {{ - devture_playbook_runtime_messages_list | default([]) - + - [ - "NOTE: You are not using the local backup service to backup the PostgreSQL database, but some old data remains from before in `{{ matrix_postgres_backup_path }}`. Feel free to delete it." - ] - }} - when: "not matrix_postgres_backup_enabled | bool and matrix_postgres_backup_path_stat.stat.exists" diff --git a/roles/custom/matrix-postgres-backup/tasks/setup_uninstall.yml b/roles/custom/matrix-postgres-backup/tasks/setup_uninstall.yml new file mode 100644 index 000000000..0b3709ebe --- /dev/null +++ b/roles/custom/matrix-postgres-backup/tasks/setup_uninstall.yml 
@@ -0,0 +1,43 @@ +--- + +- name: Check existence of matrix-postgres-backup service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-postgres-backup.service" + register: matrix_postgres_backup_service_stat + + +- when: matrix_postgres_backup_service_stat.stat.exists | bool + block: + - name: Ensure matrix-postgres-backup is stopped + ansible.builtin.service: + name: matrix-postgres-backup + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure matrix-postgres-backup.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-postgres-backup.service" + state: absent + + - name: Ensure systemd reloaded after matrix-postgres-backup.service removal + ansible.builtin.service: + daemon_reload: true + +- name: Check existence of matrix-postgres-backup backup path + ansible.builtin.stat: + path: "{{ matrix_postgres_backup_path }}" + register: matrix_postgres_backup_path_stat + +# We just want to notify the user. Deleting data is too destructive. +- name: Inject warning if matrix-postgres backup data remains + ansible.builtin.set_fact: + devture_playbook_runtime_messages_list: | + {{ + devture_playbook_runtime_messages_list | default([]) + + + [ + "NOTE: You are not using the local backup service to backup the PostgreSQL database, but some old data remains from before in `{{ matrix_postgres_backup_path }}`. Feel free to delete it." + ] + }} + when: matrix_postgres_backup_path_stat.stat.exists | bool diff --git a/roles/custom/matrix-prometheus-node-exporter/tasks/main.yml b/roles/custom/matrix-prometheus-node-exporter/tasks/main.yml index 145adfdd0..c86cdad73 100644 --- a/roles/custom/matrix-prometheus-node-exporter/tasks/main.yml +++ b/roles/custom/matrix-prometheus-node-exporter/tasks/main.yml 
@@ -1,12 +1,18 @@ --- -- when: matrix_prometheus_node_exporter_enabled | bool and matrix_prometheus_node_exporter_metrics_proxying_enabled | bool - ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" +- block: + - when: matrix_prometheus_node_exporter_enabled | bool and matrix_prometheus_node_exporter_metrics_proxying_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - setup-all - setup-nginx-proxy -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup.yml" +- block: + - when: matrix_prometheus_node_exporter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + + - when: not matrix_prometheus_node_exporter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-prometheus-node-exporter diff --git a/roles/custom/matrix-prometheus-node-exporter/tasks/setup.yml b/roles/custom/matrix-prometheus-node-exporter/tasks/setup.yml deleted file mode 100644 index 0b0c5704a..000000000 --- a/roles/custom/matrix-prometheus-node-exporter/tasks/setup.yml +++ /dev/null 
@@ -1,59 +0,0 @@ ---- - -# -# Tasks related to setting up matrix-prometheus-node-exporter -# - -- name: Ensure matrix-prometheus-node-exporter image is pulled - community.docker.docker_image: - name: "{{ matrix_prometheus_node_exporter_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_prometheus_node_exporter_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_prometheus_node_exporter_docker_image_force_pull }}" - when: "matrix_prometheus_node_exporter_enabled | bool" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure matrix-prometheus-node-exporter.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-prometheus-node-exporter.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-node-exporter.service" - mode: 0644 - register: matrix_prometheus_node_exporter_systemd_service_result - when: matrix_prometheus_node_exporter_enabled | bool - -- name: Ensure systemd reloaded after matrix-prometheus.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_prometheus_node_exporter_enabled | bool and matrix_prometheus_node_exporter_systemd_service_result.changed" - -# -# Tasks related to getting rid of matrix-prometheus-node-exporter (if it was previously enabled) -# - -- name: Check existence of matrix-prometheus-node-exporter service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-node-exporter.service" - register: matrix_prometheus_node_exporter_service_stat - -- name: Ensure matrix-prometheus-node-exporter is stopped - ansible.builtin.service: - name: 
matrix-prometheus-node-exporter - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "not matrix_prometheus_node_exporter_enabled | bool and matrix_prometheus_node_exporter_service_stat.stat.exists" - -- name: Ensure matrix-prometheus-node-exporter.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-node-exporter.service" - state: absent - when: "not matrix_prometheus_node_exporter_enabled | bool and matrix_prometheus_node_exporter_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-prometheus-node-exporter.service removal - ansible.builtin.service: - daemon_reload: true - when: "not matrix_prometheus_node_exporter_enabled | bool and matrix_prometheus_node_exporter_service_stat.stat.exists" diff --git a/roles/custom/matrix-prometheus-node-exporter/tasks/setup_install.yml b/roles/custom/matrix-prometheus-node-exporter/tasks/setup_install.yml new file mode 100644 index 000000000..3c0af96b9 --- /dev/null +++ b/roles/custom/matrix-prometheus-node-exporter/tasks/setup_install.yml 
@@ -0,0 +1,19 @@ +--- + +- name: Ensure matrix-prometheus-node-exporter image is pulled + community.docker.docker_image: + name: "{{ matrix_prometheus_node_exporter_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_prometheus_node_exporter_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_prometheus_node_exporter_docker_image_force_pull }}" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- name: Ensure matrix-prometheus-node-exporter.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-prometheus-node-exporter.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-node-exporter.service" + mode: 0644 + register: matrix_prometheus_node_exporter_systemd_service_result diff --git a/roles/custom/matrix-prometheus-node-exporter/tasks/setup_uninstall.yml b/roles/custom/matrix-prometheus-node-exporter/tasks/setup_uninstall.yml new file mode 100644 index 000000000..7239c0ac1 --- /dev/null +++ b/roles/custom/matrix-prometheus-node-exporter/tasks/setup_uninstall.yml 
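Review bot: `register: matrix_prometheus_node_exporter_systemd_service_result` is kept as the last line of the new setup_install.yml, but its only consumer — the `Ensure systemd reloaded after … installation` task from the deleted setup.yml — was not carried over, so within this role the unit file is now written without a daemon reload. If a shared role reloads systemd after all unit files are written, the `register:` is dead and should be dropped; otherwise the three-line `ansible.builtin.service: daemon_reload: true` task guarded by `when: matrix_prometheus_node_exporter_systemd_service_result.changed` needs to be re-added here. The same pattern (register kept, reload task gone) appears in the postgres-exporter setup_install.yml hunk, the redis setup_install.yml hunk and the synapse-admin setup_install.yml hunk, where the reload task is deleted explicitly.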
@@ -0,0 +1,25 @@ +--- + +- name: Check existence of matrix-prometheus-node-exporter service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-node-exporter.service" + register: matrix_prometheus_node_exporter_service_stat + +- when: matrix_prometheus_node_exporter_service_stat.stat.exists | bool + block: + - name: Ensure matrix-prometheus-node-exporter is stopped + ansible.builtin.service: + name: matrix-prometheus-node-exporter + state: stopped + enabled: false + daemon_reload: true + register: stopping_result + + - name: Ensure matrix-prometheus-node-exporter.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-node-exporter.service" + state: absent + + - name: Ensure systemd reloaded after matrix-prometheus-node-exporter.service removal + ansible.builtin.service: + daemon_reload: true diff --git a/roles/custom/matrix-prometheus-postgres-exporter/tasks/main.yml b/roles/custom/matrix-prometheus-postgres-exporter/tasks/main.yml index 59911efbe..2e06fdd57 100644 --- a/roles/custom/matrix-prometheus-postgres-exporter/tasks/main.yml +++ b/roles/custom/matrix-prometheus-postgres-exporter/tasks/main.yml 
@@ -1,12 +1,18 @@ --- -- when: matrix_prometheus_node_exporter_enabled | bool and matrix_prometheus_node_exporter_metrics_proxying_enabled | bool - ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" +- block: + - when: matrix_prometheus_postgres_exporter_enabled | bool and matrix_prometheus_postgres_exporter_metrics_proxying_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - setup-all - setup-nginx-proxy -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup.yml" +- block: + - when: matrix_prometheus_postgres_exporter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + + - when: not matrix_prometheus_postgres_exporter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-prometheus-postgres-exporter diff --git a/roles/custom/matrix-prometheus-postgres-exporter/tasks/setup.yml b/roles/custom/matrix-prometheus-postgres-exporter/tasks/setup.yml deleted file mode 100644 index 1ab157994..000000000 --- a/roles/custom/matrix-prometheus-postgres-exporter/tasks/setup.yml +++ /dev/null 
@@ -1,59 +0,0 @@ ---- - -# -# Tasks related to setting up matrix-prometheus-postgres-exporter -# - -- name: Ensure matrix-prometheus-postgres-exporter image is pulled - community.docker.docker_image: - name: "{{ matrix_prometheus_postgres_exporter_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_prometheus_postgres_exporter_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_prometheus_postgres_exporter_docker_image_force_pull }}" - when: "matrix_prometheus_postgres_exporter_enabled | bool" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure matrix-prometheus-postgres-exporter.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-prometheus-postgres-exporter.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-postgres-exporter.service" - mode: 0644 - register: matrix_prometheus_postgres_exporter_systemd_service_result - when: matrix_prometheus_postgres_exporter_enabled | bool - -- name: Ensure systemd reloaded after matrix-prometheus.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_prometheus_postgres_exporter_enabled | bool and matrix_prometheus_postgres_exporter_systemd_service_result.changed" - -# -# Tasks related to getting rid of matrix-prometheus-postgres-exporter (if it was previously enabled) -# - -- name: Check existence of matrix-prometheus-postgres-exporter service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-postgres-exporter.service" - register: matrix_prometheus_postgres_exporter_service_stat - -- name: Ensure 
matrix-prometheus-postgres-exporter is stopped - ansible.builtin.service: - name: matrix-prometheus-postgres-exporter - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "not matrix_prometheus_postgres_exporter_enabled | bool and matrix_prometheus_postgres_exporter_service_stat.stat.exists" - -- name: Ensure matrix-prometheus-postgres-exporter.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-postgres-exporter.service" - state: absent - when: "not matrix_prometheus_postgres_exporter_enabled | bool and matrix_prometheus_postgres_exporter_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-prometheus-postgres-exporter.service removal - ansible.builtin.service: - daemon_reload: true - when: "not matrix_prometheus_postgres_exporter_enabled | bool and matrix_prometheus_postgres_exporter_service_stat.stat.exists" diff --git a/roles/custom/matrix-prometheus-postgres-exporter/tasks/setup_install.yml b/roles/custom/matrix-prometheus-postgres-exporter/tasks/setup_install.yml new file mode 100644 index 000000000..ee0f9bef7 --- /dev/null +++ b/roles/custom/matrix-prometheus-postgres-exporter/tasks/setup_install.yml 
@@ -0,0 +1,19 @@ +--- + +- name: Ensure matrix-prometheus-postgres-exporter image is pulled + community.docker.docker_image: + name: "{{ matrix_prometheus_postgres_exporter_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_prometheus_postgres_exporter_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_prometheus_postgres_exporter_docker_image_force_pull }}" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- name: Ensure matrix-prometheus-postgres-exporter.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-prometheus-postgres-exporter.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-postgres-exporter.service" + mode: 0644 + register: matrix_prometheus_postgres_exporter_systemd_service_result diff --git a/roles/custom/matrix-prometheus-postgres-exporter/tasks/setup_uninstall.yml b/roles/custom/matrix-prometheus-postgres-exporter/tasks/setup_uninstall.yml new file mode 100644 index 000000000..b3fdfd591 --- /dev/null +++ b/roles/custom/matrix-prometheus-postgres-exporter/tasks/setup_uninstall.yml 
@@ -0,0 +1,21 @@ +--- + +- name: Check existence of matrix-prometheus-postgres-exporter service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-postgres-exporter.service" + register: matrix_prometheus_postgres_exporter_service_stat + +- when: matrix_prometheus_postgres_exporter_service_stat.stat.exists | bool + block: + - name: Ensure matrix-prometheus-postgres-exporter is stopped + ansible.builtin.service: + name: matrix-prometheus-postgres-exporter + state: stopped + enabled: false + daemon_reload: true + register: stopping_result + + - name: Ensure matrix-prometheus-postgres-exporter.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-postgres-exporter.service" + state: absent diff --git a/roles/custom/matrix-prometheus/tasks/main.yml b/roles/custom/matrix-prometheus/tasks/main.yml index 61cd86dbc..737f656b3 100644 --- a/roles/custom/matrix-prometheus/tasks/main.yml +++ b/roles/custom/matrix-prometheus/tasks/main.yml @@ -1,19 +1,14 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_prometheus_enabled | bool" - tags: - - setup-all - - setup-prometheus +- block: + - when: matrix_prometheus_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_prometheus_enabled | bool" - tags: - - setup-all - - setup-prometheus + - when: matrix_prometheus_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_prometheus_enabled | bool" + - when: not matrix_prometheus_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-prometheus 
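Review bot: The postgres-exporter setup_uninstall.yml stops the unit and deletes its file but, unlike the node-exporter counterpart and the postgres-backup uninstall file in this same commit, has no `Ensure systemd reloaded after … removal` task, so systemd keeps the deleted unit loaded until something else triggers a reload. Either add the same three-line `ansible.builtin.service: daemon_reload: true` task the sibling file ends with, or drop it from the sibling so the uninstall files agree. `register: stopping_result` on the stop task is not read anywhere in the file and can go. The redis and synapse-admin setup_uninstall.yml hunks later in this commit omit the reload task as well.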
diff --git a/roles/custom/matrix-redis/tasks/main.yml b/roles/custom/matrix-redis/tasks/main.yml index 51b3e12cc..da2f1dcbc 100644 --- a/roles/custom/matrix-redis/tasks/main.yml +++ b/roles/custom/matrix-redis/tasks/main.yml @@ -1,7 +1,11 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_redis.yml" - when: run_setup | bool +- block: + - when: matrix_redis_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + + - when: not matrix_redis_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-redis diff --git a/roles/custom/matrix-redis/tasks/setup_install.yml b/roles/custom/matrix-redis/tasks/setup_install.yml new file mode 100644 index 000000000..1384c042c --- /dev/null +++ b/roles/custom/matrix-redis/tasks/setup_install.yml 
@@ -0,0 +1,49 @@ +--- + +- name: Ensure redis Docker image is pulled + community.docker.docker_image: + name: "{{ matrix_redis_docker_image_to_use }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_redis_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_redis_docker_image_force_pull }}" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- name: Ensure redis paths exist + ansible.builtin.file: + path: "{{ item }}" + state: directory + mode: 0700 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - "{{ matrix_redis_base_path }}" + - "{{ matrix_redis_data_path }}" + +# We do this as a separate task, because: +# - we'd like to do it for the data path only, not for the base path (which contains root-owned environment variable files we'd like to leave as-is) +# - we need to do it without `mode`, or we risk making certain `.conf` and other files's executable bit to flip to true +- name: Ensure redis data path ownership is correct + ansible.builtin.file: + path: "{{ matrix_redis_data_path }}" + state: directory + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + recurse: true + +- name: Ensure redis environment variables file created + ansible.builtin.template: + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_redis_base_path }}/{{ item }}" + mode: 0644 + with_items: + - "redis.conf" + +- name: Ensure matrix-redis.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-redis.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-redis.service" + mode: 0644 + register: 
matrix_redis_systemd_service_result diff --git a/roles/custom/matrix-redis/tasks/setup_redis.yml b/roles/custom/matrix-redis/tasks/setup_redis.yml deleted file mode 100644 index b1b4c0b5c..000000000 --- a/roles/custom/matrix-redis/tasks/setup_redis.yml +++ /dev/null 
@@ -1,104 +0,0 @@ ---- - -# -# Tasks related to setting up an internal redis server -# - -- name: Ensure redis Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_redis_docker_image_to_use }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_redis_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_redis_docker_image_force_pull }}" - when: matrix_redis_enabled | bool - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure redis paths exist - ansible.builtin.file: - path: "{{ item }}" - state: directory - mode: 0700 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - with_items: - - "{{ matrix_redis_base_path }}" - - "{{ matrix_redis_data_path }}" - when: matrix_redis_enabled | bool - -# We do this as a separate task, because: -# - we'd like to do it for the data path only, not for the base path (which contains root-owned environment variable files we'd like to leave as-is) -# - we need to do it without `mode`, or we risk making certain `.conf` and other files's executable bit to flip to true -- name: Ensure redis data path ownership is correct - ansible.builtin.file: - path: "{{ matrix_redis_data_path }}" - state: directory - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - recurse: true - when: matrix_redis_enabled | bool - -- name: Ensure redis environment variables file created - ansible.builtin.template: - src: "{{ role_path }}/templates/{{ item }}.j2" - dest: "{{ matrix_redis_base_path }}/{{ item }}" - mode: 0644 - with_items: - - "redis.conf" - when: matrix_redis_enabled | bool - -- name: Ensure matrix-redis.service installed - 
ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-redis.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-redis.service" - mode: 0644 - register: matrix_redis_systemd_service_result - when: matrix_redis_enabled | bool - -- name: Ensure systemd reloaded after matrix-redis.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_redis_enabled | bool and matrix_redis_systemd_service_result.changed" - -# -# Tasks related to getting rid of the internal redis server (if it was previously enabled) -# - -- name: Check existence of matrix-redis service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-redis.service" - register: matrix_redis_service_stat - when: "not matrix_redis_enabled | bool" - -- name: Ensure matrix-redis is stopped - ansible.builtin.service: - name: matrix-redis - state: stopped - enabled: false - daemon_reload: true - when: "not matrix_redis_enabled | bool and matrix_redis_service_stat.stat.exists" - -- name: Ensure matrix-redis.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-redis.service" - state: absent - when: "not matrix_redis_enabled | bool and matrix_redis_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-redis.service removal - ansible.builtin.service: - daemon_reload: true - when: "not matrix_redis_enabled | bool and matrix_redis_service_stat.stat.exists" - -- name: Check existence of matrix-redis local data path - ansible.builtin.stat: - path: "{{ matrix_redis_data_path }}" - register: matrix_redis_data_path_stat - when: "not matrix_redis_enabled | bool" - -# We just want to notify the user. Deleting data is too destructive. -- name: Notify if matrix-redis local data remains - ansible.builtin.debug: - msg: "Note: You are not using a local redis instance, but some old data remains from before in `{{ matrix_redis_data_path }}`. 
Feel free to delete it." - when: "not matrix_redis_enabled | bool and matrix_redis_data_path_stat.stat.exists" diff --git a/roles/custom/matrix-redis/tasks/setup_uninstall.yml b/roles/custom/matrix-redis/tasks/setup_uninstall.yml new file mode 100644 index 000000000..e2bbc9e44 --- /dev/null +++ b/roles/custom/matrix-redis/tasks/setup_uninstall.yml @@ -0,0 +1,31 @@ +--- + +- name: Check existence of matrix-redis service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-redis.service" + register: matrix_redis_service_stat + +- when: matrix_redis_service_stat.stat.exists | bool + block: + - name: Ensure matrix-redis is stopped + ansible.builtin.service: + name: matrix-redis + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure matrix-redis.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-redis.service" + state: absent + +- name: Check existence of matrix-redis local data path + ansible.builtin.stat: + path: "{{ matrix_redis_data_path }}" + register: matrix_redis_data_path_stat + +# We just want to notify the user. Deleting data is too destructive. +- name: Notify if matrix-redis local data remains + ansible.builtin.debug: + msg: "Note: You are not using a local redis instance, but some old data remains from before in `{{ matrix_redis_data_path }}`. Feel free to delete it." + when: matrix_redis_data_path_stat.stat.exists | bool diff --git a/roles/custom/matrix-registration/tasks/main.yml b/roles/custom/matrix-registration/tasks/main.yml index 1b129b2c9..ee1101829 100644 --- a/roles/custom/matrix-registration/tasks/main.yml +++ b/roles/custom/matrix-registration/tasks/main.yml 
@@ -1,35 +1,33 @@ --- -- when: matrix_registration_enabled | bool - ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" +- block: + - when: matrix_registration_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - setup-all - setup-nginx-proxy -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_registration_enabled | bool" - tags: - - setup-all - - setup-matrix-registration +- block: + - when: matrix_registration_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_registration_enabled | bool" - tags: - - setup-all - - setup-matrix-registration + - when: matrix_registration_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_registration_enabled | bool" + - when: not matrix_registration_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-matrix-registration -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/generate_token.yml" - when: "run_setup | bool and matrix_registration_enabled | bool" +- block: + - when: matrix_registration_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/generate_token.yml" tags: - generate-matrix-registration-token -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/list_tokens.yml" - when: "run_setup | bool and matrix_registration_enabled | bool" +- block: + - when: matrix_registration_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/list_tokens.yml" tags: - list-matrix-registration-tokens 
diff --git a/roles/custom/matrix-sygnal/tasks/main.yml b/roles/custom/matrix-sygnal/tasks/main.yml index fb25feed8..146774883 100644 --- a/roles/custom/matrix-sygnal/tasks/main.yml +++ b/roles/custom/matrix-sygnal/tasks/main.yml @@ -1,19 +1,14 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: run_setup | bool - tags: - - setup-all - - setup-sygnal +- block: + - when: matrix_sygnal_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: run_setup | bool and matrix_sygnal_enabled | bool - tags: - - setup-all - - setup-sygnal + - when: matrix_sygnal_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: run_setup | bool and not matrix_sygnal_enabled | bool + - when: not matrix_sygnal_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-sygnal diff --git a/roles/custom/matrix-synapse-admin/tasks/main.yml b/roles/custom/matrix-synapse-admin/tasks/main.yml index fed3dec64..632ec7836 100644 --- a/roles/custom/matrix-synapse-admin/tasks/main.yml +++ b/roles/custom/matrix-synapse-admin/tasks/main.yml 
@@ -1,18 +1,21 @@ --- -- when: matrix_synapse_admin_enabled | bool - ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" +- block: + - when: matrix_synapse_admin_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - setup-all - setup-nginx-proxy -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: run_setup | bool - tags: - - setup-all - - setup-synapse-admin +- block: + - when: matrix_synapse_admin_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_synapse_admin_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup.yml" + - when: not matrix_synapse_admin_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-synapse-admin diff --git a/roles/custom/matrix-synapse-admin/tasks/setup.yml b/roles/custom/matrix-synapse-admin/tasks/setup_install.yml similarity index 50% rename from roles/custom/matrix-synapse-admin/tasks/setup.yml rename to roles/custom/matrix-synapse-admin/tasks/setup_install.yml index 56cee4987..57e591486 100644 --- a/roles/custom/matrix-synapse-admin/tasks/setup.yml +++ b/roles/custom/matrix-synapse-admin/tasks/setup_install.yml 
@@ -1,16 +1,12 @@ --- -# -# Tasks related to setting up matrix-synapse-admin -# - - name: Ensure matrix-synapse-admin image is pulled community.docker.docker_image: name: "{{ matrix_synapse_admin_docker_image }}" source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_synapse_admin_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_admin_docker_image_force_pull }}" - when: "matrix_synapse_admin_enabled | bool and not matrix_synapse_admin_container_image_self_build | bool" + when: not matrix_synapse_admin_container_image_self_build | bool register: result retries: "{{ devture_playbook_help_container_retries_count }}" delay: "{{ devture_playbook_help_container_retries_delay }}" @@ -25,7 +21,7 @@ become: true become_user: "{{ matrix_user_username }}" register: matrix_synapse_admin_git_pull_results - when: "matrix_synapse_admin_enabled | bool and matrix_synapse_admin_container_image_self_build | bool" + when: matrix_synapse_admin_container_image_self_build | bool - name: Ensure matrix-synapse-admin Docker image is built community.docker.docker_image: @@ -37,7 +33,7 @@ dockerfile: Dockerfile path: "{{ matrix_synapse_admin_docker_src_files_path }}" pull: true - when: "matrix_synapse_admin_enabled | bool and matrix_synapse_admin_container_image_self_build | bool" + when: matrix_synapse_admin_container_image_self_build | bool - name: Ensure matrix-synapse-admin.service installed ansible.builtin.template: 
@@ -45,44 +41,3 @@ dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-admin.service" mode: 0644 register: matrix_synapse_admin_systemd_service_result - when: matrix_synapse_admin_enabled | bool - -- name: Ensure systemd reloaded after matrix-synapse-admin.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_synapse_admin_enabled | bool and matrix_synapse_admin_systemd_service_result.changed" - -# -# Tasks related to getting rid of matrix-synapse-admin (if it was previously enabled) -# - -- name: Check existence of matrix-synapse-admin service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-admin.service" - register: matrix_synapse_admin_service_stat - -- name: Ensure matrix-synapse-admin is stopped - ansible.builtin.service: - name: matrix-synapse-admin - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "not matrix_synapse_admin_enabled | bool and matrix_synapse_admin_service_stat.stat.exists" - -- name: Ensure matrix-synapse-admin.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-admin.service" - state: absent - when: "not matrix_synapse_admin_enabled | bool and matrix_synapse_admin_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-synapse-admin.service removal - ansible.builtin.service: - daemon_reload: true - when: "not matrix_synapse_admin_enabled | bool and matrix_synapse_admin_service_stat.stat.exists" - -- name: Ensure matrix-synapse-admin Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_synapse_admin_docker_image }}" - state: absent - when: "not matrix_synapse_admin_enabled | bool" diff --git a/roles/custom/matrix-synapse-admin/tasks/setup_uninstall.yml b/roles/custom/matrix-synapse-admin/tasks/setup_uninstall.yml new file mode 100644 index 000000000..96509874a --- /dev/null 
+++ b/roles/custom/matrix-synapse-admin/tasks/setup_uninstall.yml @@ -0,0 +1,27 @@ +--- + +- name: Check existence of matrix-synapse-admin service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-admin.service" + register: matrix_synapse_admin_service_stat + +- when: matrix_synapse_admin_service_stat.stat.exists | bool + block: + - name: Ensure matrix-synapse-admin is stopped + ansible.builtin.service: + name: matrix-synapse-admin + state: stopped + enabled: false + daemon_reload: true + register: stopping_result + + - name: Ensure matrix-synapse-admin.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-admin.service" + state: absent + + - name: Ensure matrix-synapse-admin Docker image doesn't exist + community.docker.docker_image: + name: "{{ matrix_synapse_admin_docker_image }}" + state: absent + when: "not matrix_synapse_admin_enabled | bool" diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml index 65b2c0195..e07869d21 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml 
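Review bot: The `when: "not matrix_synapse_admin_enabled | bool"` on the `Ensure matrix-synapse-admin Docker image doesn't exist` task is redundant in the new file: main.yml now includes setup_uninstall.yml only when the role is disabled, and none of the other tasks here carry that guard. Indentation is not recoverable from this hunk, but if the image-removal task sits inside the `matrix_synapse_admin_service_stat.stat.exists` block it only runs when the unit file was present, which narrows the old behaviour (the image was removed whenever the role was disabled); keeping it as a top-level task preserves that. Dropping the `when:` line and leaving the task at top level, e.g. `- name: Ensure matrix-synapse-admin Docker image doesn't exist` / `community.docker.docker_image:` / `state: absent`, covers both points.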
@@ -1,14 +1,11 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: run_setup | bool and matrix_synapse_reverse_proxy_companion_enabled | bool - tags: - - setup-all - - setup-synapse-reverse-proxy-companion - - setup-synapse +- block: + - when: matrix_synapse_reverse_proxy_companion_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: run_setup | bool and not matrix_synapse_reverse_proxy_companion_enabled | bool + - when: not matrix_synapse_reverse_proxy_companion_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-synapse-reverse-proxy-companion diff --git a/roles/custom/matrix-synapse/tasks/main.yml b/roles/custom/matrix-synapse/tasks/main.yml index 87c76ab79..1e9122167 100644 --- a/roles/custom/matrix-synapse/tasks/main.yml +++ b/roles/custom/matrix-synapse/tasks/main.yml @@ -1,7 +1,8 @@ --- -- when: matrix_synapse_enabled | bool - ansible.builtin.import_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" +- block: + - when: matrix_synapse_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - setup-all - setup-synapse 
@@ -15,48 +16,48 @@ - stop-all - stop-group -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: run_setup | bool and matrix_synapse_enabled | bool - tags: - - setup-all - - setup-synapse +- block: + - when: matrix_synapse_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_synapse.yml" - when: run_setup | bool + - when: matrix_synapse_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_synapse.yml" + + - when: not matrix_synapse_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-synapse -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/import_media_store.yml" - when: run_synapse_import_media_store | bool +- block: + - when: matrix_synapse_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/import_media_store.yml" tags: - import-synapse-media-store -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/register_user.yml" - when: run_synapse_register_user | bool and matrix_synapse_enabled | bool +- block: + - when: matrix_synapse_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/register_user.yml" tags: - register-user -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/self_check_client_api.yml" - delegate_to: 127.0.0.1 - become: false - when: run_self_check | bool - tags: - - self-check - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml" - delegate_to: 127.0.0.1 - become: false - when: run_self_check | bool +- block: + - when: matrix_synapse_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/update_user_password.yml" tags: - - self-check + - rust-synapse-compress-state -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/update_user_password.yml" - when: run_synapse_update_user_password | bool and matrix_synapse_enabled | bool +- 
block: + - when: matrix_synapse_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/rust-synapse-compress-state/main.yml" tags: - update-user-password -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/rust-synapse-compress-state/main.yml" - when: run_synapse_rust_synapse_compress_state | bool +- block: + - when: matrix_synapse_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_client_api.yml" + + - when: matrix_synapse_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml" tags: - - rust-synapse-compress-state + - self-check diff --git a/roles/custom/matrix-synapse/tasks/self_check_client_api.yml b/roles/custom/matrix-synapse/tasks/self_check_client_api.yml index 1c03ba5b0..7ec3fb09b 100644 --- a/roles/custom/matrix-synapse/tasks/self_check_client_api.yml +++ b/roles/custom/matrix-synapse/tasks/self_check_client_api.yml @@ -9,6 +9,8 @@ ignore_errors: true check_mode: false when: matrix_synapse_enabled | bool + delegate_to: 127.0.0.1 + become: false - name: Fail if Matrix Client API not working ansible.builtin.fail: diff --git a/roles/custom/matrix-synapse/tasks/self_check_federation_api.yml b/roles/custom/matrix-synapse/tasks/self_check_federation_api.yml index 80ec4fc21..fde73dae0 100644 --- a/roles/custom/matrix-synapse/tasks/self_check_federation_api.yml +++ b/roles/custom/matrix-synapse/tasks/self_check_federation_api.yml @@ -9,6 +9,8 @@ ignore_errors: true check_mode: false when: matrix_synapse_enabled | bool + delegate_to: 127.0.0.1 + become: false - name: Fail if Matrix Federation API not working ansible.builtin.fail: diff --git a/roles/custom/matrix-user-creator/tasks/main.yml b/roles/custom/matrix-user-creator/tasks/main.yml index ba20504f7..2198b3ebf 100644 --- a/roles/custom/matrix-user-creator/tasks/main.yml +++ b/roles/custom/matrix-user-creator/tasks/main.yml 
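Review bot: The tags on two of the new blocks are crossed: the block that includes `update_user_password.yml` is tagged `rust-synapse-compress-state`, while the block that includes `rust-synapse-compress-state/main.yml` is tagged `update-user-password`, so `--tags=update-user-password` would run the state compression and `--tags=rust-synapse-compress-state` would run the password update. The old side tagged each task file with its own name, and the fix is to swap the two tag lines so the `update_user_password.yml` block carries `- update-user-password` and the compress-state block carries `- rust-synapse-compress-state`. Worth a quick `ansible-playbook --list-tasks --tags=update-user-password` after the swap to confirm only the intended include is selected.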
@@ -1,7 +1,8 @@ --- -- when: matrix_user_creator_users | length > 0 - ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup.yml" +- block: + - when: matrix_user_creator_users | length > 0 + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup.yml" tags: # This role intentionally doesn't do work on a `setup-all` tag. # If it did, the initial installation (`--tags=setup-all`) would also potentially polute the database with data, diff --git a/roles/custom/matrix_playbook_migration/tasks/main.yml b/roles/custom/matrix_playbook_migration/tasks/main.yml index c346a759b..caa42bfdb 100644 --- a/roles/custom/matrix_playbook_migration/tasks/main.yml +++ b/roles/custom/matrix_playbook_migration/tasks/main.yml @@ -1,5 +1,6 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" +- block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" tags: - setup-all From d29b0aeddb0b5fdc0f2ed5927bd12411b33df262 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Thu, 24 Nov 2022 15:19:42 +0200 Subject: [PATCH 066/915] Replace even more import_tasks calls with include_tasks --- roles/custom/matrix-base/tasks/main.yml | 15 ++-- .../tasks/setup_install.yml | 2 +- .../tasks/setup_install.yml | 2 +- .../matrix-dendrite/tasks/dendrite/setup.yml | 7 -- .../tasks/dendrite/setup_uninstall.yml | 30 ------- roles/custom/matrix-dendrite/tasks/main.yml | 5 +- .../matrix-dendrite/tasks/setup_dendrite.yml | 15 ---- .../tasks/{dendrite => }/setup_install.yml | 19 +++-- .../matrix-dendrite/tasks/setup_uninstall.yml | 25 ++++++ .../matrix-ma1sd/tasks/migrate_mxisd.yml | 80 ------------------- .../matrix-ma1sd/tasks/setup_install.yml | 3 - .../tasks/ext/encryption-disabler/setup.yml | 7 -- .../{setup.yml => setup_install.yml} | 1 - .../tasks/ext/mjolnir-antispam/setup.yml | 7 -- .../tasks/ext/rest-auth/setup.yml | 7 -- .../tasks/ext/s3-storage-provider/setup.yml | 10 --- .../custom/matrix-synapse/tasks/ext/setup.yml | 77 ++++++++++++++++-- .../tasks/ext/shared-secret-auth/setup.yml | 7 -- .../ext/synapse-simple-antispam/setup.yml | 7 -- .../matrix-synapse/tasks/goofys/setup.yml | 12 ++- roles/custom/matrix-synapse/tasks/main.yml | 7 +- 21 files changed, 132 insertions(+), 213 deletions(-) delete mode 100644 roles/custom/matrix-dendrite/tasks/dendrite/setup.yml delete mode 100644 roles/custom/matrix-dendrite/tasks/dendrite/setup_uninstall.yml delete mode 100644 roles/custom/matrix-dendrite/tasks/setup_dendrite.yml rename roles/custom/matrix-dendrite/tasks/{dendrite => }/setup_install.yml (90%) create mode 100644 roles/custom/matrix-dendrite/tasks/setup_uninstall.yml delete mode 100644 roles/custom/matrix-ma1sd/tasks/migrate_mxisd.yml delete mode 100644 roles/custom/matrix-synapse/tasks/ext/encryption-disabler/setup.yml rename roles/custom/matrix-synapse/tasks/ext/ldap-auth/{setup.yml => setup_install.yml} (79%) delete mode 100644 roles/custom/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml delete mode 100644 
roles/custom/matrix-synapse/tasks/ext/rest-auth/setup.yml delete mode 100644 roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup.yml delete mode 100644 roles/custom/matrix-synapse/tasks/ext/shared-secret-auth/setup.yml delete mode 100644 roles/custom/matrix-synapse/tasks/ext/synapse-simple-antispam/setup.yml diff --git a/roles/custom/matrix-base/tasks/main.yml b/roles/custom/matrix-base/tasks/main.yml index 97f0381d1..7eeb2cdc5 100644 --- a/roles/custom/matrix-base/tasks/main.yml +++ b/roles/custom/matrix-base/tasks/main.yml @@ -1,26 +1,27 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" +- block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" tags: - setup-all # This needs to always run, because it populates `matrix_user_uid` and `matrix_user_gid`, # which are required by many other roles. -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_matrix_user.yml" - when: run_setup | bool +- block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_matrix_user.yml" tags: - always - setup-system-user - common -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml" - when: run_setup | bool +- block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml" tags: - setup-all - common -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_well_known.yml" - when: run_setup | bool +- block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_well_known.yml" tags: - setup-all - setup-ma1sd diff --git a/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml index 32d87408d..7b58f81ec 100644 --- a/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml 
@@ -60,7 +60,7 @@ - when: "matrix_appservice_irc_nedb_database_path_local_stat_result.stat.exists | bool" block: - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/migrate_nedb_to_postgres.yml" + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/migrate_nedb_to_postgres.yml" - ansible.builtin.set_fact: matrix_appservice_irc_requires_restart: true diff --git a/roles/custom/matrix-bridge-appservice-slack/tasks/setup_install.yml b/roles/custom/matrix-bridge-appservice-slack/tasks/setup_install.yml index 2c7140851..f1751012c 100644 --- a/roles/custom/matrix-bridge-appservice-slack/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-appservice-slack/tasks/setup_install.yml @@ -26,7 +26,7 @@ - when: "matrix_appservice_slack_nedb_database_path_local_stat_result.stat.exists | bool" block: - - ansible.builtin.import_tasks: "{{ role_path }}/tasks/migrate_nedb_to_postgres.yml" + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/migrate_nedb_to_postgres.yml" - ansible.builtin.set_fact: matrix_appservice_slack_requires_restart: true diff --git a/roles/custom/matrix-dendrite/tasks/dendrite/setup.yml b/roles/custom/matrix-dendrite/tasks/dendrite/setup.yml deleted file mode 100644 index 1a8497294..000000000 --- a/roles/custom/matrix-dendrite/tasks/dendrite/setup.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/dendrite/setup_install.yml" - when: matrix_dendrite_enabled | bool - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/dendrite/setup_uninstall.yml" - when: "not matrix_dendrite_enabled | bool" diff --git a/roles/custom/matrix-dendrite/tasks/dendrite/setup_uninstall.yml b/roles/custom/matrix-dendrite/tasks/dendrite/setup_uninstall.yml deleted file mode 100644 index ce3e34769..000000000 --- a/roles/custom/matrix-dendrite/tasks/dendrite/setup_uninstall.yml +++ /dev/null 
@@ -1,30 +0,0 @@ ---- - -- name: Check existence of matrix-dendrite service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dendrite.service" - register: matrix_dendrite_service_stat - -- name: Ensure matrix-dendrite is stopped - ansible.builtin.service: - name: matrix-dendrite - state: stopped - daemon_reload: true - register: stopping_result - when: "matrix_dendrite_service_stat.stat.exists" - -- name: Ensure matrix-dendrite.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dendrite.service" - state: absent - when: "matrix_dendrite_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-dendrite.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_dendrite_service_stat.stat.exists" - -- name: Ensure Dendrite Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_dendrite_docker_image }}" - state: absent diff --git a/roles/custom/matrix-dendrite/tasks/main.yml b/roles/custom/matrix-dendrite/tasks/main.yml index 62057ded2..b59d3cadb 100644 --- a/roles/custom/matrix-dendrite/tasks/main.yml +++ b/roles/custom/matrix-dendrite/tasks/main.yml @@ -5,7 +5,10 @@ ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_dendrite_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_dendrite.yml" + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + + - when: not matrix_dendrite_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-dendrite diff --git a/roles/custom/matrix-dendrite/tasks/setup_dendrite.yml b/roles/custom/matrix-dendrite/tasks/setup_dendrite.yml deleted file mode 100644 index f74f08c2d..000000000 --- a/roles/custom/matrix-dendrite/tasks/setup_dendrite.yml +++ /dev/null 
@@ -1,15 +0,0 @@ ---- -- name: Ensure Dendrite paths exist - ansible.builtin.file: - path: "{{ item.path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - {path: "{{ matrix_dendrite_config_dir_path }}", when: true} - - {path: "{{ matrix_dendrite_ext_path }}", when: true} - - {path: "{{ matrix_dendrite_nats_storage_path }}", when: true} - when: "matrix_dendrite_enabled | bool and item.when" - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/dendrite/setup.yml" diff --git a/roles/custom/matrix-dendrite/tasks/dendrite/setup_install.yml b/roles/custom/matrix-dendrite/tasks/setup_install.yml similarity index 90% rename from roles/custom/matrix-dendrite/tasks/dendrite/setup_install.yml rename to roles/custom/matrix-dendrite/tasks/setup_install.yml index aec7f77b4..1c557e7f7 100644 --- a/roles/custom/matrix-dendrite/tasks/dendrite/setup_install.yml +++ b/roles/custom/matrix-dendrite/tasks/setup_install.yml @@ -1,4 +1,17 @@ --- + +- name: Ensure Dendrite paths exist + ansible.builtin.file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_dendrite_config_dir_path }}" + - "{{ matrix_dendrite_ext_path }}" + - "{{ matrix_dendrite_nats_storage_path }}" + # This will throw a Permission Denied error if already mounted using fuse - name: Check Dendrite media store path ansible.builtin.stat: 
@@ -67,12 +80,6 @@ src: "{{ role_path }}/templates/dendrite/systemd/matrix-dendrite.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dendrite.service" mode: 0644 - register: matrix_dendrite_systemd_service_result - -- name: Ensure systemd reloaded after matrix-dendrite.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_dendrite_systemd_service_result.changed | bool" - name: Ensure matrix-dendrite-create-account script created ansible.builtin.template: diff --git a/roles/custom/matrix-dendrite/tasks/setup_uninstall.yml b/roles/custom/matrix-dendrite/tasks/setup_uninstall.yml new file mode 100644 index 000000000..e37b219c3 --- /dev/null +++ b/roles/custom/matrix-dendrite/tasks/setup_uninstall.yml @@ -0,0 +1,25 @@ +--- + +- name: Check existence of matrix-dendrite service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dendrite.service" + register: matrix_dendrite_service_stat + +- when: matrix_dendrite_service_stat.stat.exists | bool + block: + - name: Ensure matrix-dendrite is stopped + ansible.builtin.service: + name: matrix-dendrite + state: stopped + daemon_reload: true + register: stopping_result + + - name: Ensure matrix-dendrite.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dendrite.service" + state: absent + + - name: Ensure Dendrite Docker image doesn't exist + community.docker.docker_image: + name: "{{ matrix_dendrite_docker_image }}" + state: absent diff --git a/roles/custom/matrix-ma1sd/tasks/migrate_mxisd.yml b/roles/custom/matrix-ma1sd/tasks/migrate_mxisd.yml deleted file mode 100644 index ee7228959..000000000 --- a/roles/custom/matrix-ma1sd/tasks/migrate_mxisd.yml +++ /dev/null 
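Review bot: Dropping `register: matrix_dendrite_systemd_service_result` together with the "Ensure systemd reloaded after matrix-dendrite.service installation" task means a changed `matrix-dendrite.service` is no longer followed by a `daemon_reload` in this file, so a later restart could still run the previous unit definition unless something else reloads systemd first. The same reload-after-removal task is dropped from the new `setup_uninstall.yml` hunk that follows. If the reload is now expected from elsewhere (not visible from here), a one-line comment on the template task, whose `- name:` line sits above this hunk, e.g. `# daemon-reload is performed later by <role that manages systemd units>`, would make that dependency explicit.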
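Review bot: "Ensure matrix-dendrite is stopped" stops the unit but does not disable it, so for a unit that was enabled the `multi-user.target.wants` symlink survives the deletion of `matrix-dendrite.service` in the next task and is left dangling. The matrix-synapse-admin uninstall added earlier in this series sets `enabled: false` on the equivalent task, and this file should match it: add `enabled: false` under `state: stopped`. `register: stopping_result` is never read in this file and can go.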
@@ -1,80 +0,0 @@ ---- - -# This task is for migrating existing mxisd data when transitioning to the ma1sd fork. - -- name: Check for existent mxisd data - ansible.builtin.stat: - path: "{{ matrix_base_data_path }}/mxisd/data" - register: ma1sd_migrate_mxisd_data_dir_stat - -- name: Warn if mxisd data detected - ansible.builtin.debug: - msg: > - You seem to have an existing mxisd folder in `{{ matrix_base_data_path }}/mxisd`. - We are going to migrate it to ma1sd and rename the folder to mxisd.migrated. - when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" - -- name: Check existence of old matrix-mxisd service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mxisd.service" - register: matrix_mxisd_service_stat - -- name: Ensure matrix-mxisd is stopped - ansible.builtin.service: - name: matrix-mxisd - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mxisd_service_stat.stat.exists" - -- name: Check existence of matrix-ma1sd service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ma1sd.service" - register: matrix_ma1sd_service_stat - when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" - -- name: Ensure matrix-ma1sd is stopped - ansible.builtin.service: - name: matrix-ma1sd - state: stopped - daemon_reload: true - when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists and matrix_ma1sd_service_stat.stat.exists" - -# We use shell commands for the migration, because the Ansible copy module cannot -# recursively copy remote directories (like `/matrix/mxisd/data/sign.key`) in older versions of Ansible. 
-- when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" - block: - - name: Copy mxisd data files to ma1sd folder - ansible.builtin.command: - cmd: "cp -ar {{ matrix_base_data_path }}/mxisd/data {{ matrix_ma1sd_base_path }}" - register: matrix_ma1sd_migrate_mxisd_data_files_copying_result - changed_when: matrix_ma1sd_migrate_mxisd_data_files_copying_result.rc == 0 - - - name: Check existence of mxisd.db file - ansible.builtin.stat: - path: "{{ matrix_ma1sd_data_path }}/mxisd.db" - register: matrix_ma1sd_mxisd_db_stat - - - name: Rename database (mxisd.db -> ma1sd.db) - ansible.builtin.command: - cmd: "mv {{ matrix_ma1sd_data_path }}/mxisd.db {{ matrix_ma1sd_data_path }}/ma1sd.db" - register: matrix_ma1sd_migrate_mxisd_move_db_result - changed_when: matrix_ma1sd_migrate_mxisd_move_db_result.rc == 0 - when: "matrix_ma1sd_mxisd_db_stat.stat.exists" - - - name: Rename mxisd folder - ansible.builtin.command: - cmd: "mv {{ matrix_base_data_path }}/mxisd {{ matrix_base_data_path }}/mxisd.migrated" - register: matrix_ma1sd_migrate_mxisd_move_directory_result - changed_when: matrix_ma1sd_migrate_mxisd_move_directory_result.rc == 0 - -- name: Ensure outdated matrix-mxisd.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mxisd.service" - state: absent - when: "matrix_mxisd_service_stat.stat.exists" - -- name: Ensure systemd reloaded after removing outdated matrix-mxisd.service - ansible.builtin.service: - daemon_reload: true - when: "matrix_mxisd_service_stat.stat.exists" diff --git a/roles/custom/matrix-ma1sd/tasks/setup_install.yml b/roles/custom/matrix-ma1sd/tasks/setup_install.yml index b9668a053..9b86008ae 100644 --- a/roles/custom/matrix-ma1sd/tasks/setup_install.yml +++ b/roles/custom/matrix-ma1sd/tasks/setup_install.yml 
@@ -13,9 +13,6 @@ - {path: "{{ matrix_ma1sd_docker_src_files_path }}", when: "{{ matrix_ma1sd_container_image_self_build }}"} when: "item.when | bool" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/migrate_mxisd.yml" - - # These (SQLite -> Postgres) migration tasks are usually at the top, # but we'd like to run them after `migrate_mxisd.yml`, which requires the ma1sd paths to exist. - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-synapse/tasks/ext/encryption-disabler/setup.yml b/roles/custom/matrix-synapse/tasks/ext/encryption-disabler/setup.yml deleted file mode 100644 index e0e61df8e..000000000 --- a/roles/custom/matrix-synapse/tasks/ext/encryption-disabler/setup.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup_install.yml" - when: matrix_synapse_ext_encryption_disabler_enabled | bool - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup_uninstall.yml" - when: "not matrix_synapse_ext_encryption_disabler_enabled | bool" diff --git a/roles/custom/matrix-synapse/tasks/ext/ldap-auth/setup.yml b/roles/custom/matrix-synapse/tasks/ext/ldap-auth/setup_install.yml similarity index 79% rename from roles/custom/matrix-synapse/tasks/ext/ldap-auth/setup.yml rename to roles/custom/matrix-synapse/tasks/ext/ldap-auth/setup_install.yml index 5d648c848..c13a04044 100644 --- a/roles/custom/matrix-synapse/tasks/ext/ldap-auth/setup.yml +++ b/roles/custom/matrix-synapse/tasks/ext/ldap-auth/setup_install.yml @@ -9,4 +9,3 @@ + [{'name': 'ldap_auth_provider', 'level': 'INFO'}] }} - when: matrix_synapse_ext_password_provider_ldap_enabled | bool diff --git a/roles/custom/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml b/roles/custom/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml deleted file mode 100644 index 1a3e097dc..000000000 --- a/roles/custom/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml +++ /dev/null 
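Review bot: The surviving comment still justifies the task ordering by `migrate_mxisd.yml` ("we'd like to run them after `migrate_mxisd.yml`"), but this commit removes that include and deletes the file, so the comment now points at nothing. Either move the (SQLite -> Postgres) migration tasks back to the top as the comment says is usual, or reword it to something like `# These (SQLite -> Postgres) migration tasks are kept after the path creation above` / `# (historically they followed the now-removed mxisd migration, which needed those paths).` The path-creation task's header is above this hunk.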
@@ -1,7 +0,0 @@ ---- - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_install.yml" - when: matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled | bool - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_uninstall.yml" - when: "not matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled | bool" diff --git a/roles/custom/matrix-synapse/tasks/ext/rest-auth/setup.yml b/roles/custom/matrix-synapse/tasks/ext/rest-auth/setup.yml deleted file mode 100644 index 6df360ce9..000000000 --- a/roles/custom/matrix-synapse/tasks/ext/rest-auth/setup.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup_install.yml" - when: matrix_synapse_ext_password_provider_rest_auth_enabled | bool - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup_uninstall.yml" - when: "not matrix_synapse_ext_password_provider_rest_auth_enabled | bool" diff --git a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup.yml b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup.yml deleted file mode 100644 index aefa49fe4..000000000 --- a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/validate_config.yml" - when: matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/setup_install.yml" - when: matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/setup_uninstall.yml" - when: not matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool diff --git a/roles/custom/matrix-synapse/tasks/ext/setup.yml b/roles/custom/matrix-synapse/tasks/ext/setup.yml index 6cf1afaa4..eea2da377 100644 
--- a/roles/custom/matrix-synapse/tasks/ext/setup.yml
+++ b/roles/custom/matrix-synapse/tasks/ext/setup.yml
@@ -1,15 +1,78 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup.yml" +# encryption-disabler +- block: + - when: matrix_synapse_ext_encryption_disabler_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup.yml" + - when: not matrix_synapse_ext_encryption_disabler_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup_uninstall.yml" + tags: + - setup-all + - setup-synapse -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup.yml" +# rest-auth +- block: + - when: matrix_synapse_ext_password_provider_rest_auth_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/ldap-auth/setup.yml" + - when: not matrix_synapse_ext_password_provider_rest_auth_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup_uninstall.yml" + tags: + - setup-all + - setup-synapse -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup.yml" +# shared-secret-auth +- block: + - when: matrix_synapse_ext_password_provider_shared_secret_auth_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup.yml" + - when: not matrix_synapse_ext_password_provider_shared_secret_auth_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup_uninstall.yml" + tags: + - setup-all + - setup-synapse -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/setup.yml" +# ldap-auth +- block: + - when: matrix_synapse_ext_password_provider_ldap_enabled | bool + ansible.builtin.include_tasks: "{{ 
role_path }}/tasks/ext/ldap-auth/setup_install.yml" + tags: + - setup-all + - setup-synapse + +# synapse-simple-antispam +- block: + - when: matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup_install.yml" + + - when: not matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup_uninstall.yml" + tags: + - setup-all + - setup-synapse + +# mjolnir-antispam +- block: + - when: matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_install.yml" + + - when: not matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_uninstall.yml" + tags: + - setup-all + - setup-synapse + +# s3-storage-provider +- block: + - when: matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/validate_config.yml" + + - when: matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/setup_install.yml" + + - when: not matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/setup_uninstall.yml" + tags: + - setup-all + - setup-synapse diff --git a/roles/custom/matrix-synapse/tasks/ext/shared-secret-auth/setup.yml b/roles/custom/matrix-synapse/tasks/ext/shared-secret-auth/setup.yml deleted file mode 100644 index 6dc385d37..000000000 --- a/roles/custom/matrix-synapse/tasks/ext/shared-secret-auth/setup.yml +++ /dev/null 
@@ -1,7 +0,0 @@ ---- - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup_install.yml" - when: matrix_synapse_ext_password_provider_shared_secret_auth_enabled | bool - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup_uninstall.yml" - when: "not matrix_synapse_ext_password_provider_shared_secret_auth_enabled | bool" diff --git a/roles/custom/matrix-synapse/tasks/ext/synapse-simple-antispam/setup.yml b/roles/custom/matrix-synapse/tasks/ext/synapse-simple-antispam/setup.yml deleted file mode 100644 index 038eea749..000000000 --- a/roles/custom/matrix-synapse/tasks/ext/synapse-simple-antispam/setup.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup_install.yml" - when: matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled | bool - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup_uninstall.yml" - when: "not matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled | bool" diff --git a/roles/custom/matrix-synapse/tasks/goofys/setup.yml b/roles/custom/matrix-synapse/tasks/goofys/setup.yml index 2f9eaa870..d8768d89d 100644 --- a/roles/custom/matrix-synapse/tasks/goofys/setup.yml +++ b/roles/custom/matrix-synapse/tasks/goofys/setup.yml @@ -1,7 +1,11 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/goofys/setup_install.yml" - when: matrix_s3_media_store_enabled | bool +- block: + - when: matrix_s3_media_store_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/goofys/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/goofys/setup_uninstall.yml" - when: "not matrix_s3_media_store_enabled | bool" + - when: not matrix_s3_media_store_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/goofys/setup_uninstall.yml" + tags: + - setup-all + - setup-synapse 
diff --git a/roles/custom/matrix-synapse/tasks/main.yml b/roles/custom/matrix-synapse/tasks/main.yml index 1e9122167..208be5006 100644 --- a/roles/custom/matrix-synapse/tasks/main.yml +++ b/roles/custom/matrix-synapse/tasks/main.yml @@ -20,11 +20,8 @@ - when: matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - - when: matrix_synapse_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_synapse.yml" - - - when: not matrix_synapse_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + # This handles both install and uninstal. It's quite messy and should be reworked. + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_synapse.yml" tags: - setup-all - setup-synapse From 2e7b5c7b02bc1561fb613f04f0b0a086e1a851f6 Mon Sep 17 00:00:00 2001 
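Review bot: The new comment on the `setup_synapse.yml` include has a typo and is the only explanation a reader gets for why the install/uninstall split made in the previous commit of this series is being folded back into one include: `# This handles both install and uninstall. It's quite messy and should be reworked.` at least spells it right. It would help to add a sentence saying what inside `setup_synapse.yml` (not visible here) does the uninstall part, so the next person does not reintroduce the separate `setup_uninstall.yml` include alongside it.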
From: Slavi Pantaleev Date: Thu, 24 Nov 2022 16:27:11 +0200 Subject: [PATCH 067/915] Untangle the setup import/include mess in matrix-synapse --- .../ext/{setup.yml => setup_install.yml} | 18 ------- .../tasks/ext/setup_uninstall.yml | 52 +++++++++++++++++++ .../matrix-synapse/tasks/goofys/setup.yml | 11 ---- .../tasks/inject_into_nginx_proxy.yml | 2 +- roles/custom/matrix-synapse/tasks/main.yml | 7 ++- .../{setup_synapse.yml => setup_install.yml} | 33 ++++++++++-- .../matrix-synapse/tasks/setup_uninstall.yml | 27 ++++++++++ .../{inject_into_nginx_proxy.yml => init.yml} | 0 .../tasks/synapse/workers/setup.yml | 21 -------- 9 files changed, 113 insertions(+), 58 deletions(-) rename roles/custom/matrix-synapse/tasks/ext/{setup.yml => setup_install.yml} (63%) create mode 100644 roles/custom/matrix-synapse/tasks/ext/setup_uninstall.yml delete mode 100644 roles/custom/matrix-synapse/tasks/goofys/setup.yml rename roles/custom/matrix-synapse/tasks/{setup_synapse.yml => setup_install.yml} (51%) create mode 100644 roles/custom/matrix-synapse/tasks/setup_uninstall.yml rename roles/custom/matrix-synapse/tasks/synapse/workers/{inject_into_nginx_proxy.yml => init.yml} (100%) delete mode 100644 roles/custom/matrix-synapse/tasks/synapse/workers/setup.yml diff --git a/roles/custom/matrix-synapse/tasks/ext/setup.yml b/roles/custom/matrix-synapse/tasks/ext/setup_install.yml similarity index 63% rename from roles/custom/matrix-synapse/tasks/ext/setup.yml rename to roles/custom/matrix-synapse/tasks/ext/setup_install.yml index eea2da377..a24138038 100644 --- a/roles/custom/matrix-synapse/tasks/ext/setup.yml +++ b/roles/custom/matrix-synapse/tasks/ext/setup_install.yml 
@@ -4,9 +4,6 @@ - block: - when: matrix_synapse_ext_encryption_disabler_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup_install.yml" - - - when: not matrix_synapse_ext_encryption_disabler_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup_uninstall.yml" tags: - setup-all - setup-synapse @@ -15,9 +12,6 @@ - block: - when: matrix_synapse_ext_password_provider_rest_auth_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup_install.yml" - - - when: not matrix_synapse_ext_password_provider_rest_auth_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup_uninstall.yml" tags: - setup-all - setup-synapse @@ -26,9 +20,6 @@ - block: - when: matrix_synapse_ext_password_provider_shared_secret_auth_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup_install.yml" - - - when: not matrix_synapse_ext_password_provider_shared_secret_auth_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup_uninstall.yml" tags: - setup-all - setup-synapse @@ -45,9 +36,6 @@ - block: - when: matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup_install.yml" - - - when: not matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup_uninstall.yml" tags: - setup-all - setup-synapse 
@@ -56,9 +44,6 @@ - block: - when: matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_install.yml" - - - when: not matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_uninstall.yml" tags: - setup-all - setup-synapse @@ -70,9 +55,6 @@ - when: matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/setup_install.yml" - - - when: not matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/setup_uninstall.yml" tags: - setup-all - setup-synapse diff --git a/roles/custom/matrix-synapse/tasks/ext/setup_uninstall.yml b/roles/custom/matrix-synapse/tasks/ext/setup_uninstall.yml new file mode 100644 index 000000000..cca6c1b8a --- /dev/null +++ b/roles/custom/matrix-synapse/tasks/ext/setup_uninstall.yml 
@@ -0,0 +1,52 @@
+---
+
+# encryption-disabler
+- block:
+ - when: not matrix_synapse_ext_encryption_disabler_enabled | bool
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup_uninstall.yml"
+ tags:
+ - setup-all
+ - setup-synapse
+
+# rest-auth
+- block:
+ - when: not matrix_synapse_ext_password_provider_rest_auth_enabled | bool
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup_uninstall.yml"
+ tags:
+ - setup-all
+ - setup-synapse
+
+# shared-secret-auth
+- block:
+ - when: not matrix_synapse_ext_password_provider_shared_secret_auth_enabled | bool
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup_uninstall.yml"
+ tags:
+ - setup-all
+ - setup-synapse
+
+# ldap-auth has no uninstall tasks
+
+
+# synapse-simple-antispam
+- block:
+ - when: not matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled | bool
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup_uninstall.yml"
+ tags:
+ - setup-all
+ - setup-synapse
+
+# mjolnir-antispam
+- block:
+ - when: not matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled | bool
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_uninstall.yml"
+ tags:
+ - setup-all
+ - setup-synapse
+
+# s3-storage-provider
+- block:
+ - when: not matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/setup_uninstall.yml"
+ tags:
+ - setup-all
+ - setup-synapse
diff --git a/roles/custom/matrix-synapse/tasks/goofys/setup.yml b/roles/custom/matrix-synapse/tasks/goofys/setup.yml
deleted file mode 100644
index d8768d89d..000000000
--- a/roles/custom/matrix-synapse/tasks/goofys/setup.yml
+++ /dev/null
@@ -1,11 +0,0 @@ ---- - -- block: - - when: matrix_s3_media_store_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/goofys/setup_install.yml" - - - when: not matrix_s3_media_store_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/goofys/setup_uninstall.yml" - tags: - - setup-all - - setup-synapse diff --git a/roles/custom/matrix-synapse/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-synapse/tasks/inject_into_nginx_proxy.yml index f3ce0bf8f..0b1273c16 100644 --- a/roles/custom/matrix-synapse/tasks/inject_into_nginx_proxy.yml +++ b/roles/custom/matrix-synapse/tasks/inject_into_nginx_proxy.yml @@ -2,7 +2,7 @@ # Unless `matrix_synapse_workers_enabled_list` is explicitly defined, # we'll generate it dynamically. -- ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/workers/inject_into_nginx_proxy.yml" +- ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/workers/init.yml" when: "matrix_synapse_workers_enabled | bool and matrix_synapse_workers_enabled_list | length == 0" - name: Ensure workers are injected into various places diff --git a/roles/custom/matrix-synapse/tasks/main.yml b/roles/custom/matrix-synapse/tasks/main.yml index 208be5006..a133f6504 100644 --- a/roles/custom/matrix-synapse/tasks/main.yml +++ b/roles/custom/matrix-synapse/tasks/main.yml @@ -20,8 +20,11 @@ - when: matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - # This handles both install and uninstal. It's quite messy and should be reworked. - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_synapse.yml" + - when: matrix_synapse_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + + - when: not matrix_synapse_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-synapse 
diff --git a/roles/custom/matrix-synapse/tasks/setup_synapse.yml b/roles/custom/matrix-synapse/tasks/setup_install.yml similarity index 51% rename from roles/custom/matrix-synapse/tasks/setup_synapse.yml rename to roles/custom/matrix-synapse/tasks/setup_install.yml index 13a5819e1..3d56177cf 100644 --- a/roles/custom/matrix-synapse/tasks/setup_synapse.yml +++ b/roles/custom/matrix-synapse/tasks/setup_install.yml @@ -16,12 +16,35 @@ # We handle matrix_synapse_media_store_path elsewhere (in ./synapse/setup_install.yml), # because if it's using Goofys and it's already mounted (from before), # trying to chown/chmod it here will cause trouble. - when: "(matrix_synapse_enabled | bool or matrix_s3_media_store_enabled | bool) and item.when" + when: item.when | bool -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ext/setup.yml" +- block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/setup_install.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/synapse/workers/setup.yml" + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/setup_uninstall.yml" + tags: + - setup-all + - setup-synapse -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/synapse/setup.yml" +- block: + - when: matrix_synapse_workers_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/workers/setup_install.yml" + tags: + - setup-all + - setup-synapse -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/goofys/setup.yml" +- block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/setup_install.yml" + tags: + - setup-all + - setup-synapse + +- block: + - when: matrix_s3_media_store_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/goofys/setup_install.yml" + + - when: not matrix_s3_media_store_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/goofys/setup_uninstall.yml" + tags: + - setup-all + - setup-synapse 
diff --git a/roles/custom/matrix-synapse/tasks/setup_uninstall.yml b/roles/custom/matrix-synapse/tasks/setup_uninstall.yml
new file mode 100644
index 000000000..72b64c879
--- /dev/null
+++ b/roles/custom/matrix-synapse/tasks/setup_uninstall.yml
@@ -0,0 +1,27 @@
+---
+
+- block:
+ - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/setup_uninstall.yml"
+ tags:
+ - setup-all
+ - setup-synapse
+
+- block:
+ - when: not matrix_synapse_workers_enabled | bool
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/workers/setup_uninstall.yml"
+ tags:
+ - setup-all
+ - setup-synapse
+
+- block:
+ - ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/setup_uninstall.yml"
+ tags:
+ - setup-all
+ - setup-synapse
+
+- block:
+ - when: not matrix_s3_media_store_enabled | bool
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/goofys/setup_uninstall.yml"
+ tags:
+ - setup-all
+ - setup-synapse
diff --git a/roles/custom/matrix-synapse/tasks/synapse/workers/inject_into_nginx_proxy.yml b/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml
similarity index 100%
rename from roles/custom/matrix-synapse/tasks/synapse/workers/inject_into_nginx_proxy.yml
rename to roles/custom/matrix-synapse/tasks/synapse/workers/init.yml
diff --git a/roles/custom/matrix-synapse/tasks/synapse/workers/setup.yml b/roles/custom/matrix-synapse/tasks/synapse/workers/setup.yml
deleted file mode 100644
index 1458cc0a2..000000000
--- a/roles/custom/matrix-synapse/tasks/synapse/workers/setup.yml
+++ /dev/null
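Review bot: The new `setup_uninstall.yml` still re-checks per-feature flags that should not matter once Synapse itself is being removed: the workers block runs only `when: not matrix_synapse_workers_enabled | bool` and the goofys block only `when: not matrix_s3_media_store_enabled | bool`, so a host with `matrix_synapse_enabled: false` that still carries `matrix_synapse_workers_enabled: true` keeps its worker units and config files (and, through the included `ext/setup_uninstall.yml`, any extension whose own flag is still true). This file is only reached `when: not matrix_synapse_enabled | bool` per the `main.yml` hunk in this patch, so unless those flags are already derived from `matrix_synapse_enabled` elsewhere, dropping the two `when:` guards here would make the teardown unconditional. Either way the intent deserves a comment at the top of the file, e.g. `# Reached only when matrix_synapse_enabled is false; tear down every sub-component regardless of its own flag.`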
@@ -1,21 +0,0 @@ ---- - -# A previous version of the worker setup used this. -# This is a temporary cleanup for people who ran that version. -- name: Ensure old matrix-synapse.service.wants directory is gone - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse.service.wants" - state: absent - -# Same. This was part of a previous version of the worker setup. -# No longer necessary. -- name: Ensure matrix-synapse-worker-write-pid script is removed - ansible.builtin.file: - path: "{{ matrix_local_bin_path }}/matrix-synapse-worker-write-pid" - state: absent - -- ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/workers/setup_install.yml" - when: "matrix_synapse_enabled | bool and matrix_synapse_workers_enabled | bool" - -- ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/workers/setup_uninstall.yml" - when: "not matrix_synapse_workers_enabled | bool" From c37cf424277f31dba3e01907f9f3fb68f8ee0fe1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 24 Nov 2022 17:06:31 +0200 Subject: [PATCH 068/915] Do not delete and re-create Synapse worker configs needlessly We had checks to avoid stopping/deleting systemd services for workers that used to exist and will continue to exist, but we were deleting config files for workers each time.. Only to recreate them again later. This lead to: - too many misleading "changed" tasks - too much unnecessary work - potential failures during playbook execution possibly leaving the system in a bad state (no worker config files) --- .../tasks/synapse/workers/setup_install.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-synapse/tasks/synapse/workers/setup_install.yml b/roles/custom/matrix-synapse/tasks/synapse/workers/setup_install.yml index 0f2105edd..d6c50397e 100644 --- a/roles/custom/matrix-synapse/tasks/synapse/workers/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/workers/setup_install.yml 
@@ -7,12 +7,16 @@ use_regex: true register: matrix_synapse_workers_current_config_files +- set_fact: + matrix_synapse_enabled_worker_names: "{{ matrix_synapse_workers_enabled_list | map(attribute='name') }}" + # This also deletes some things which we need. They will be recreated below. -- name: Ensure previous worker configs are cleaned +- name: Ensure unnecessary worker configs are cleaned ansible.builtin.file: path: "{{ item.path }}" state: absent with_items: "{{ matrix_synapse_workers_current_config_files.files }}" + when: "not ansible_check_mode and (item.path | basename | replace ('worker.', '') | replace('.yaml', '')) not in matrix_synapse_enabled_worker_names" - name: Determine current worker systemd services ansible.builtin.find: @@ -27,13 +31,14 @@ state: stopped enabled: false with_items: "{{ matrix_synapse_workers_current_systemd_services.files }}" - when: "not ansible_check_mode and item.path | basename not in devture_systemd_service_manager_services_list | map(attribute='name')" + when: "not ansible_check_mode and (item.path | basename | replace('.service', '')) not in matrix_synapse_enabled_worker_names" - name: Ensure unnecessary worker systemd services are cleaned ansible.builtin.file: path: "{{ item.path }}" state: absent with_items: "{{ matrix_synapse_workers_current_systemd_services.files }}" + when: "not ansible_check_mode and (item.path | basename | replace('.service', '')) not in matrix_synapse_enabled_worker_names" - name: Ensure creation of worker systemd service files and configuration files ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/workers/util/setup_files_for_worker.yml" From 663a17ea10ad6b8a7e7c91131b5a8f1376a50653 Mon Sep 17 00:00:00 2001 
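Review bot: The context comment `# This also deletes some things which we need. They will be recreated below.` is now stale: with the added `when:`, the task removes only config files whose worker name is absent from `matrix_synapse_enabled_worker_names`, so nothing still needed is deleted; replace it with `# Only configs of workers that are no longer enabled are removed; configs of still-enabled workers stay untouched.` Separately, `matrix_synapse_enabled_worker_names` is built with `map(attribute='name')` and no trailing `| list`; if the templated fact survives as a generator rather than a list, the three `not in` membership tests in this file would run against an exhaustible iterator, so `"{{ matrix_synapse_workers_enabled_list | map(attribute='name') | list }}"` is the safer form.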
From: Slavi Pantaleev Date: Thu, 24 Nov 2022 17:39:34 +0200 Subject: [PATCH 069/915] Fix ansible-lint-reported errors --- roles/custom/matrix-bot-go-neb/tasks/main.yml | 3 --- .../matrix-synapse/tasks/synapse/workers/setup_install.yml | 2 +- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/roles/custom/matrix-bot-go-neb/tasks/main.yml b/roles/custom/matrix-bot-go-neb/tasks/main.yml index 1955eee83..7c8f2455e 100644 --- a/roles/custom/matrix-bot-go-neb/tasks/main.yml +++ b/roles/custom/matrix-bot-go-neb/tasks/main.yml @@ -12,6 +12,3 @@ tags: - setup-all - setup-bot-go-neb - - - diff --git a/roles/custom/matrix-synapse/tasks/synapse/workers/setup_install.yml b/roles/custom/matrix-synapse/tasks/synapse/workers/setup_install.yml index d6c50397e..85ddf3b94 100644 --- a/roles/custom/matrix-synapse/tasks/synapse/workers/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/workers/setup_install.yml @@ -7,7 +7,7 @@ use_regex: true register: matrix_synapse_workers_current_config_files -- set_fact: +- ansible.builtin.set_fact: matrix_synapse_enabled_worker_names: "{{ matrix_synapse_workers_enabled_list | map(attribute='name') }}" # This also deletes some things which we need. They will be recreated below. From 9c0cf5481ab6961ef9c2377fee374188bb5528a3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 24 Nov 2022 18:42:01 +0200 Subject: [PATCH 070/915] Try to be more helpful when matrix_homeserver_generic_secret_key appears to be undefined --- roles/custom/matrix-base/tasks/validate_config.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/custom/matrix-base/tasks/validate_config.yml b/roles/custom/matrix-base/tasks/validate_config.yml index 3a3a56394..b3c7fb18c 100644 --- a/roles/custom/matrix-base/tasks/validate_config.yml +++ b/roles/custom/matrix-base/tasks/validate_config.yml 
@@ -25,6 +25,8 @@ The `matrix_homeserver_generic_secret_key` variable must be defined and have a non-null and non-empty value. If you're observing this error on a new installation, you should ensure that the `matrix_homeserver_generic_secret_key` is defined. + If you think you've defined it, but are still getting this error, then it's likely that you have a typo + in your domain name in `inventory/hosts` or in one of the directories leading up to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file. If you're observing this error on an existing homeserver installation, you can fix it easily and in a backward-compatible way by adding `{% raw %}matrix_homeserver_generic_secret_key: "{{ matrix_synapse_macaroon_secret_key }}"{% endraw %}` From 140acfcc5f368d0e4341961076955592e0aafec0 Mon Sep 17 00:00:00 2001 From: Karmanyaah Malhotra Date: Thu, 24 Nov 2022 14:12:43 -0500 Subject: [PATCH 071/915] Exempt Matrix server from ntfy rate limit (#2135) * Exempt Matrix server from ntfy rate limit Add the matrix fqdn and localhost to ntfy's exemption list. Also allow all ntfy rate limits to be configured through Ansible variables. * Fix names and formatting * fixes * tabs not spaces * Lint * Use raw tags instead of bracket soup --- roles/custom/matrix-ntfy/defaults/main.yml | 8 ++++++++ roles/custom/matrix-ntfy/templates/ntfy/server.yml.j2 | 7 +++++++ .../matrix-ntfy/templates/systemd/matrix-ntfy.service.j2 | 5 +++-- 3 files changed, 18 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-ntfy/defaults/main.yml b/roles/custom/matrix-ntfy/defaults/main.yml index 66d9a19c6..981eba362 100644 --- a/roles/custom/matrix-ntfy/defaults/main.yml +++ b/roles/custom/matrix-ntfy/defaults/main.yml 
@@ -14,6 +14,14 @@ matrix_ntfy_docker_image_force_pull: "{{ matrix_ntfy_docker_image.endswith(':lat # Public facing base URL of the ntfy service matrix_ntfy_base_url: "https://{{ matrix_server_fqn_ntfy }}" +# Rate limits + +matrix_ntfy_global_topic_limit: 15000 # default +matrix_ntfy_visitor_subscription_limit: 30 # default +matrix_ntfy_visitor_request_limit_burst: 60 # default +matrix_ntfy_visitor_request_limit_replenish: "5s" # default + + # Controls whether the container exposes its HTTP port (tcp/80 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:2586"), or empty string to not expose. diff --git a/roles/custom/matrix-ntfy/templates/ntfy/server.yml.j2 b/roles/custom/matrix-ntfy/templates/ntfy/server.yml.j2 index 096991a70..9815fd6b4 100644 --- a/roles/custom/matrix-ntfy/templates/ntfy/server.yml.j2 +++ b/roles/custom/matrix-ntfy/templates/ntfy/server.yml.j2 @@ -2,3 +2,10 @@ base_url: {{ matrix_ntfy_base_url }} behind_proxy: true cache_file: /data/cache.db listen-http: :8080 + +# Rate Limits +global-topic-limit: {{ matrix_ntfy_global_topic_limit | to_json }} +visitor-subscription-limit: {{ matrix_ntfy_visitor_subscription_limit | to_json }} + +visitor-request-limit-burst: {{ matrix_ntfy_visitor_request_limit_burst | to_json }} +visitor-request-limit-replenish: "{{ matrix_ntfy_visitor_request_limit_replenish }}" diff --git a/roles/custom/matrix-ntfy/templates/systemd/matrix-ntfy.service.j2 b/roles/custom/matrix-ntfy/templates/systemd/matrix-ntfy.service.j2 index a10cb5844..5c2feac01 100644 --- a/roles/custom/matrix-ntfy/templates/systemd/matrix-ntfy.service.j2 +++ b/roles/custom/matrix-ntfy/templates/systemd/matrix-ntfy.service.j2 
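Review bot: In `server.yml.j2`, `visitor-request-limit-replenish` is emitted as `"{{ matrix_ntfy_visitor_request_limit_replenish }}"` while the three limits above it go through `| to_json`; writing it as `visitor-request-limit-replenish: {{ matrix_ntfy_visitor_request_limit_replenish | to_json }}` keeps the template uniform and yields a correctly quoted YAML scalar whatever characters the operator puts in the value. The bare `# default` markers on the four new variables in `defaults/main.yml` would read better as one sentence above the group, e.g. `# These values match ntfy's built-in defaults; tune them per deployment.`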
@@ -11,11 +11,12 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-ntfy 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-ntfy 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-ntfy \ +ExecStart={{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-ntfy \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ + --env NTFY_VISITOR_REQUEST_LIMIT_EXEMPT_HOSTS={{matrix_server_fqn_matrix}},localhost,$(docker network inspect {{matrix_docker_network}} -f "{% raw %}{{ (index .IPAM.Config 0).Subnet }}{% endraw %}") \ {% for arg in matrix_ntfy_container_extra_arguments %} {{ arg }} \ {% endfor %} @@ -26,7 +27,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name --mount type=bind,src={{ matrix_ntfy_config_dir_path }},dst=/etc/ntfy,ro \ --mount type=bind,src={{ matrix_ntfy_data_path }},dst=/data \ {{ matrix_ntfy_docker_image }} \ - serve + serve' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-ntfy 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-ntfy 2>/dev/null || true' From b59981f03cb397489507723aeca14855c6bb505a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 25 Nov 2022 06:17:02 +0200 Subject: [PATCH 072/915] Remove incorrectly places task Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2297 --- roles/custom/matrix-dynamic-dns/tasks/main.yml | 7 ------- 1 file changed, 7 deletions(-) 
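Review bot: The new `--env NTFY_VISITOR_REQUEST_LIMIT_EXEMPT_HOSTS=...` line calls a bare `docker network inspect` while the surrounding `ExecStart` and the rest of the unit go through `{{ devture_systemd_docker_base_host_command_docker }}`; the `$(...)` substitution should use the same variable. The exemption also covers the entire `{{matrix_docker_network}}` subnet, not just the homeserver, so every container attached to that network bypasses ntfy's per-visitor rate limit — that scope is worth stating above the line, e.g. `# Exempts the homeserver and everything else on the Matrix container network from ntfy's visitor rate limit.` Because `ExecStart` is now one single-quoted `sh -c` string, an entry in `matrix_ntfy_container_extra_arguments` containing a single quote would break the command, and if the `network inspect` substitution fails at start time the value silently degrades to `<fqn>,localhost,` with a trailing comma.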
diff --git a/roles/custom/matrix-dynamic-dns/tasks/main.yml b/roles/custom/matrix-dynamic-dns/tasks/main.yml index 6f5a35a5e..8f7956503 100644 --- a/roles/custom/matrix-dynamic-dns/tasks/main.yml +++ b/roles/custom/matrix-dynamic-dns/tasks/main.yml @@ -1,12 +1,5 @@ --- -- block: - - when: matrix_appservice_slack_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: - - setup-all - - setup-nginx-proxy - - block: - when: matrix_dynamic_dns_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" From 42f3c3cbf635672c812bbd01a2c7279ac3aef745 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 25 Nov 2022 10:22:25 +0200 Subject: [PATCH 073/915] Improve command for connecting to additional container networks --- .../matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 | 2 +- .../templates/systemd/matrix-nginx-proxy.service.j2 | 2 +- .../systemd/matrix-synapse-reverse-proxy-companion.service.j2 | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/custom/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 b/roles/custom/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 index b9c0839ed..19bd5720c 100644 --- a/roles/custom/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 +++ b/roles/custom/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 
@@ -39,7 +39,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {{ matrix_ma1sd_docker_image }} {% for network in matrix_ma1sd_container_additional_networks %} -ExecStartPost={{ devture_systemd_docker_base_host_command_sh }} -c 'attempt=0; while [ $attempt -le 29 ]; do attempt=$(( $attempt + 1 )); if [ "`docker inspect -f {{ '{{.State.Running}}' }} matrix-ma1sd 2> /dev/null`" = "true" ]; then break; fi; sleep 1; done; {{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-ma1sd' +ExecStartPost={{ devture_systemd_docker_base_host_command_sh }} -c 'container_name=matrix-ma1sd; network_name={{ network }}; attempt=0; while [ $attempt -le 29 ]; do attempt=$(( $attempt + 1 )); if [ "`{{ devture_systemd_docker_base_host_command_docker }} inspect -f {{ '{{.State.Running}}' }} $container_name 2> /dev/null`" = "true" ]; then break; fi; sleep 1; done; {{ devture_systemd_docker_base_host_command_docker }} network connect $network_name $container_name' {% endfor %} ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-ma1sd 2>/dev/null || true' diff --git a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index a930d3b1a..0a7e90522 100755 --- a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 
@@ -48,7 +48,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {{ matrix_nginx_proxy_docker_image }} {% for network in matrix_nginx_proxy_container_additional_networks %} -ExecStartPost={{ devture_systemd_docker_base_host_command_sh }} -c 'attempt=0; while [ $attempt -le 29 ]; do attempt=$(( $attempt + 1 )); if [ "`docker inspect -f {{ '{{.State.Running}}' }} matrix-nginx-proxy 2> /dev/null`" = "true" ]; then break; fi; sleep 1; done; {{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-nginx-proxy' +ExecStartPost={{ devture_systemd_docker_base_host_command_sh }} -c 'container_name=matrix-nginx-proxy; network_name={{ network }}; attempt=0; while [ $attempt -le 29 ]; do attempt=$(( $attempt + 1 )); if [ "`{{ devture_systemd_docker_base_host_command_docker }} inspect -f {{ '{{.State.Running}}' }} $container_name 2> /dev/null`" = "true" ]; then break; fi; sleep 1; done; {{ devture_systemd_docker_base_host_command_docker }} network connect $network_name $container_name' {% endfor %} ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-nginx-proxy 2>/dev/null || true' diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2 index 21bebb4f1..2b548ef8c 100755 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2 +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2 
@@ -39,7 +39,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run \ {{ matrix_synapse_reverse_proxy_companion_container_image }} {% for network in matrix_synapse_reverse_proxy_companion_container_additional_networks %} -ExecStartPost={{ devture_systemd_docker_base_host_command_sh }} -c 'attempt=0; while [ $attempt -le 29 ]; do attempt=$(( $attempt + 1 )); if [ "`docker inspect -f {{ '{{.State.Running}}' }} matrix-synapse-reverse-proxy-companion 2> /dev/null`" = "true" ]; then break; fi; sleep 1; done; {{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-synapse-reverse-proxy-companion' +ExecStartPost={{ devture_systemd_docker_base_host_command_sh }} -c 'container_name=matrix-synapse-reverse-proxy-companion; network_name={{ network }}; attempt=0; while [ $attempt -le 29 ]; do attempt=$(( $attempt + 1 )); if [ "`{{ devture_systemd_docker_base_host_command_docker }} inspect -f {{ '{{.State.Running}}' }} $container_name 2> /dev/null`" = "true" ]; then break; fi; sleep 1; done; {{ devture_systemd_docker_base_host_command_docker }} network connect $network_name $container_name' {% endfor %} ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-synapse-reverse-proxy-companion 2>/dev/null || true' From 34c01da9d2c7ac2d057506f68b221aab72dec746 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Fri, 25 Nov 2022 11:41:16 +0200 Subject: [PATCH 074/915] Ensure consistent password_hash results regardless of whether crypt or passlib is used MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Ansible recently started showing warnings about `crypt` being deprecated. If one installs `passlib`, the `password_hash` values that are generated would be different by default. With this patch, we ensure consistency regardless of which one is used. After this patch, password hashes (and UUIDs derived from them) will change once, but they should be stable after that. These hashes changing is not a problem, because the playbook changes all references to the new values. Changes are only a problem if they're done partially and with different tools. For example: - `--tags=setup-COMPONENT` with `passlib` - `--tags=setup-postgres` with `crypt` (no `passlib`) If so, the Postgres database password's value will differ for the configuration generated for `COMPONENT`. The `rounds=` value is arbitrary. It doesn't matter what it is, as long as it's different than the default for `crypt` (5000) and the default for `passlib` for `sha512` (656000). Source (https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_filters.html): > To ensure idempotency, specify rounds to be neither crypt’s nor passlib’s default, which is 5000 for crypt and a variable value (535000 for sha256, 656000 for sha512) for passlib --- group_vars/matrix_servers | 190 +++++++++++++++++++------------------- 1 file changed, 95 insertions(+), 95 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index b53ad0e88..dd0c730c0 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -422,14 +422,14 @@ matrix_appservice_discord_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_appservice_discord_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'discord.as.token') | to_uuid }}" +matrix_appservice_discord_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'discord.as.token', rounds=655555) | to_uuid }}" -matrix_appservice_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'discord.hs.token') | to_uuid }}" +matrix_appservice_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'discord.hs.token', rounds=655555) | to_uuid }}" # We only make this use Postgres if our own Postgres server is enabled. # It's only then (for now) that we can automatically create the necessary database and user for this service. matrix_appservice_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_appservice_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.discord.db') | to_uuid }}" +matrix_appservice_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.discord.db', rounds=655555) | to_uuid }}" ###################################################################### # 
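Review bot: The literal `rounds=655555` is now duplicated on every `password_hash` call in this file (this hunk and all that follow), and the file itself never says why that value was chosen; the rationale lives only in the commit message. Defining it once — for example a `matrix_password_hash_rounds: 655555` near the top of the file and `rounds=matrix_password_hash_rounds` in each filter call — keeps every derived token and password consistent if the value ever has to change, and the definition should carry the reason as a comment: `# Pinned so crypt and passlib produce identical hashes; neither of their defaults (5000 / 656000) is used.`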
@@ -454,12 +454,12 @@ matrix_appservice_webhooks_container_image_self_build: "{{ matrix_architecture ! # matrix-appservice-webhooks' client-server port to the local host. matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_webhooks_matrix_port) }}" -matrix_appservice_webhooks_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'webhook.as.token') | to_uuid }}" +matrix_appservice_webhooks_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'webhook.as.token', rounds=655555) | to_uuid }}" matrix_appservice_webhooks_homeserver_url: "{{ matrix_homeserver_container_url }}" -matrix_appservice_webhooks_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'webhook.hs.token') | to_uuid }}" +matrix_appservice_webhooks_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'webhook.hs.token', rounds=655555) | to_uuid }}" -matrix_appservice_webhooks_id_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'webhook.id.token') | to_uuid }}" +matrix_appservice_webhooks_id_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'webhook.id.token', rounds=655555) | to_uuid }}" matrix_appservice_webhooks_systemd_required_services_list: | {{ 
@@ -493,12 +493,12 @@ matrix_appservice_slack_container_image_self_build: "{{ matrix_architecture not # matrix-appservice-slack's client-server port to the local host. matrix_appservice_slack_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_slack_slack_port) }}" -matrix_appservice_slack_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.as.token') | to_uuid }}" +matrix_appservice_slack_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.as.token', rounds=655555) | to_uuid }}" matrix_appservice_slack_homeserver_url: "{{ matrix_homeserver_container_url }}" -matrix_appservice_slack_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.hs.token') | to_uuid }}" +matrix_appservice_slack_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.hs.token', rounds=655555) | to_uuid }}" -matrix_appservice_slack_id_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.id.token') | to_uuid }}" +matrix_appservice_slack_id_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.id.token', rounds=655555) | to_uuid }}" matrix_appservice_slack_systemd_required_services_list: | {{ 
@@ -511,7 +511,7 @@ matrix_appservice_slack_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_appservice_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'nedb' }}" -matrix_appservice_slack_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.slack.db') | to_uuid }}" +matrix_appservice_slack_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.slack.db', rounds=655555) | to_uuid }}" ###################################################################### # @@ -548,12 +548,12 @@ matrix_appservice_irc_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_appservice_irc_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'irc.as.token') | to_uuid }}" +matrix_appservice_irc_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'irc.as.token', rounds=655555) | to_uuid }}" -matrix_appservice_irc_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'irc.hs.token') | to_uuid }}" +matrix_appservice_irc_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'irc.hs.token', rounds=655555) | to_uuid }}" matrix_appservice_irc_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'nedb' }}" -matrix_appservice_irc_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.irc.db') | to_uuid }}" +matrix_appservice_irc_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.irc.db', rounds=655555) | to_uuid }}" ###################################################################### 
@@ -584,14 +584,14 @@ matrix_appservice_kakaotalk_systemd_required_services_list: |
 (['matrix-postgres.service'] if matrix_postgres_enabled else [])
 }}
-matrix_appservice_kakaotalk_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.kakao.hs') | to_uuid }}"
+matrix_appservice_kakaotalk_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.kakao.hs', rounds=655555) | to_uuid }}"
-matrix_appservice_kakaotalk_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.kakao.hs') | to_uuid }}"
+matrix_appservice_kakaotalk_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.kakao.hs', rounds=655555) | to_uuid }}"
 matrix_appservice_kakaotalk_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
 matrix_appservice_kakaotalk_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_appservice_kakaotalk_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.kakao.db') | to_uuid }}"
+matrix_appservice_kakaotalk_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.kakao.db', rounds=655555) | to_uuid }}"
 ######################################################################
 #
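Review bot: `matrix_appservice_kakaotalk_appservice_token` and `matrix_appservice_kakaotalk_homeserver_token` are both derived with the salt `'as.kakao.hs'`, so after this change (as before it) the two tokens are byte-identical, while every other bridge in this file uses a distinct `*.as.*` and `*.hs.*` salt. The appservice API treats `as_token` and `hs_token` as separate secrets; with a shared value, the token the homeserver presents to the bridge is the same one the bridge uses to act on the homeserver, so one leaked header gives both directions. Since this commit already changes both values through the new `rounds` argument, now is the cheapest moment to split them: use `'as.kakao.as'` on the appservice-token line and leave the homeserver-token salt as is. Both lines sit fully inside this hunk, so no other file needs touching beyond whatever re-registration the rotation already requires.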
@@ -622,15 +622,15 @@ matrix_beeper_linkedin_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_beeper_linkedin_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'linked.as.token') | to_uuid }}" +matrix_beeper_linkedin_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'linked.as.token', rounds=655555) | to_uuid }}" -matrix_beeper_linkedin_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'linked.hs.token') | to_uuid }}" +matrix_beeper_linkedin_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'linked.hs.token', rounds=655555) | to_uuid }}" matrix_beeper_linkedin_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" matrix_beeper_linkedin_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}" -matrix_beeper_linkedin_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maulinkedin.db') | to_uuid }}" +matrix_beeper_linkedin_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maulinkedin.db', rounds=655555) | to_uuid }}" ###################################################################### # 
@@ -660,15 +660,15 @@ matrix_go_skype_bridge_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_go_skype_bridge_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'skype.as.token') | to_uuid }}" +matrix_go_skype_bridge_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'skype.as.token', rounds=655555) | to_uuid }}" -matrix_go_skype_bridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'skype.hs.token') | to_uuid }}" +matrix_go_skype_bridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'skype.hs.token', rounds=655555) | to_uuid }}" matrix_go_skype_bridge_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_go_skype_bridge_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_go_skype_bridge_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'goskype.db') | to_uuid }}" +matrix_go_skype_bridge_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'goskype.db', rounds=655555) | to_uuid }}" ###################################################################### # 
@@ -698,11 +698,11 @@ matrix_mautrix_facebook_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_facebook_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'fb.as.token') | to_uuid }}" +matrix_mautrix_facebook_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'fb.as.token', rounds=655555) | to_uuid }}" -matrix_mautrix_facebook_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'fb.hs.token') | to_uuid }}" +matrix_mautrix_facebook_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'fb.hs.token', rounds=655555) | to_uuid }}" -matrix_mautrix_facebook_public_endpoint: "/{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'facebook') | to_uuid }}" +matrix_mautrix_facebook_public_endpoint: "/{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'facebook', rounds=655555) | to_uuid }}" matrix_mautrix_facebook_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9008' }}" @@ -713,7 +713,7 @@ matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_presence_enabled if # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. matrix_mautrix_facebook_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_facebook_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.fb.db') | to_uuid }}" +matrix_mautrix_facebook_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.fb.db', rounds=655555) | to_uuid }}" ###################################################################### # 
@@ -744,9 +744,9 @@ matrix_mautrix_hangouts_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_hangouts_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ho.as.token') | to_uuid }}" +matrix_mautrix_hangouts_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ho.as.token', rounds=655555) | to_uuid }}" -matrix_mautrix_hangouts_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ho.hs.token') | to_uuid }}" +matrix_mautrix_hangouts_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ho.hs.token', rounds=655555) | to_uuid }}" matrix_mautrix_hangouts_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" @@ -754,7 +754,7 @@ matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_pro # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_hangouts_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_hangouts_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.hangouts.db') | to_uuid }}" +matrix_mautrix_hangouts_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.hangouts.db', rounds=655555) | to_uuid }}" ###################################################################### # 
@@ -785,9 +785,9 @@ matrix_mautrix_googlechat_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_googlechat_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gc.as.token') | to_uuid }}" +matrix_mautrix_googlechat_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gc.as.token', rounds=655555) | to_uuid }}" -matrix_mautrix_googlechat_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gc.hs.token') | to_uuid }}" +matrix_mautrix_googlechat_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gc.hs.token', rounds=655555) | to_uuid }}" matrix_mautrix_googlechat_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" @@ -795,7 +795,7 @@ matrix_mautrix_googlechat_login_shared_secret: "{{ matrix_synapse_ext_password_p # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_googlechat_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_googlechat_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.gc.db') | to_uuid }}" +matrix_mautrix_googlechat_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.gc.db', rounds=655555) | to_uuid }}" ###################################################################### # 
@@ -826,9 +826,9 @@ matrix_mautrix_instagram_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_instagram_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ig.as.token') | to_uuid }}" +matrix_mautrix_instagram_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ig.as.token', rounds=655555) | to_uuid }}" -matrix_mautrix_instagram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ig.hs.token') | to_uuid }}" +matrix_mautrix_instagram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ig.hs.token', rounds=655555) | to_uuid }}" matrix_mautrix_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -837,7 +837,7 @@ matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_presence_enabled if # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. matrix_mautrix_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_instagram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.ig.db') | to_uuid }}" +matrix_mautrix_instagram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.ig.db', rounds=655555) | to_uuid }}" ###################################################################### # 
@@ -872,14 +872,14 @@ matrix_mautrix_signal_homeserver_domain: '{{ matrix_domain }}' matrix_mautrix_signal_homeserver_address: "{{ matrix_homeserver_container_url }}" -matrix_mautrix_signal_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'si.hs.token') | to_uuid }}" +matrix_mautrix_signal_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'si.hs.token', rounds=655555) | to_uuid }}" -matrix_mautrix_signal_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'si.as.token') | to_uuid }}" +matrix_mautrix_signal_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'si.as.token', rounds=655555) | to_uuid }}" matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" matrix_mautrix_signal_database_engine: 'postgres' -matrix_mautrix_signal_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.signal.db') | to_uuid }}" +matrix_mautrix_signal_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.signal.db', rounds=655555) | to_uuid }}" matrix_mautrix_signal_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" matrix_mautrix_signal_daemon_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" 
@@ -915,11 +915,11 @@ matrix_mautrix_telegram_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_telegram_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegr.as.token') | to_uuid }}" +matrix_mautrix_telegram_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegr.as.token', rounds=655555) | to_uuid }}" -matrix_mautrix_telegram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegr.hs.token') | to_uuid }}" +matrix_mautrix_telegram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegr.hs.token', rounds=655555) | to_uuid }}" -matrix_mautrix_telegram_public_endpoint: "/{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegram') | to_uuid }}" +matrix_mautrix_telegram_public_endpoint: "/{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegram', rounds=655555) | to_uuid }}" matrix_mautrix_telegram_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9006' }}" @@ -927,7 +927,7 @@ matrix_mautrix_telegram_login_shared_secret: "{{ matrix_synapse_ext_password_pro # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_telegram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_telegram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.telegram.db') | to_uuid }}" +matrix_mautrix_telegram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.telegram.db', rounds=655555) | to_uuid }}" ###################################################################### # 
@@ -957,14 +957,14 @@ matrix_mautrix_twitter_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_twitter_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'twt.as.token') | to_uuid }}" +matrix_mautrix_twitter_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'twt.as.token', rounds=655555) | to_uuid }}" -matrix_mautrix_twitter_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'twt.hs.token') | to_uuid }}" +matrix_mautrix_twitter_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'twt.hs.token', rounds=655555) | to_uuid }}" matrix_mautrix_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" matrix_mautrix_twitter_database_hostname: "{{ 'matrix-postgres' if matrix_postgres_enabled else '' }}" -matrix_mautrix_twitter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.twt.db') | to_uuid if matrix_postgres_enabled else '' }}" +matrix_mautrix_twitter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.twt.db', rounds=655555) | to_uuid if matrix_postgres_enabled else '' }}" ###################################################################### # 
@@ -994,15 +994,15 @@ matrix_mautrix_whatsapp_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_whatsapp_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'whats.as.token') | to_uuid }}" +matrix_mautrix_whatsapp_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'whats.as.token', rounds=655555) | to_uuid }}" -matrix_mautrix_whatsapp_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'whats.hs.token') | to_uuid }}" +matrix_mautrix_whatsapp_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'whats.hs.token', rounds=655555) | to_uuid }}" matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_whatsapp_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_whatsapp_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mauwhatsapp.db') | to_uuid }}" +matrix_mautrix_whatsapp_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mauwhatsapp.db', rounds=655555) | to_uuid }}" ###################################################################### # 
@@ -1032,15 +1032,15 @@ matrix_mautrix_discord_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_discord_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudisc.as.tok') | to_uuid }}" +matrix_mautrix_discord_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudisc.as.tok', rounds=655555) | to_uuid }}" -matrix_mautrix_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudisc.hs.tok') | to_uuid }}" +matrix_mautrix_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudisc.hs.tok', rounds=655555) | to_uuid }}" matrix_mautrix_discord_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudiscord.db') | to_uuid }}" +matrix_mautrix_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudiscord.db', rounds=655555) | to_uuid }}" # Enabling bridge.restricted_rooms for this bridge does not work well with Conduit, so we disable it by default. # This will be fixed in the upcoming `0.5.0` release of conduit. 
@@ -1070,10 +1070,10 @@ matrix_sms_bridge_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_sms_bridge_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'sms.as.token') | to_uuid }}" +matrix_sms_bridge_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'sms.as.token', rounds=655555) | to_uuid }}" matrix_sms_bridge_homeserver_port: "{{ matrix_synapse_container_client_api_port }}" -matrix_sms_bridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'sms.hs.token') | to_uuid }}" +matrix_sms_bridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'sms.hs.token', rounds=655555) | to_uuid }}" ###################################################################### # @@ -1090,9 +1090,9 @@ matrix_sms_bridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_ # We don't enable bridges by default. matrix_heisenbridge_enabled: false -matrix_heisenbridge_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'heisen.as.tok') | to_uuid }}" +matrix_heisenbridge_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'heisen.as.tok', rounds=655555) | to_uuid }}" -matrix_heisenbridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'heisen.hs.tok') | to_uuid }}" +matrix_heisenbridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'heisen.hs.tok', rounds=655555) | to_uuid }}" matrix_heisenbridge_systemd_wanted_services_list: | {{ 
@@ -1118,9 +1118,9 @@ matrix_hookshot_enabled: false matrix_hookshot_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" -matrix_hookshot_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'hookshot.as.tok') | to_uuid }}" +matrix_hookshot_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'hookshot.as.tok', rounds=655555) | to_uuid }}" -matrix_hookshot_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'hookshot.hs.tok') | to_uuid }}" +matrix_hookshot_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'hookshot.hs.tok', rounds=655555) | to_uuid }}" matrix_hookshot_systemd_wanted_services_list: | {{ 
@@ -1180,15 +1180,15 @@ matrix_mx_puppet_slack_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_slack_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxslk.as.tok') | to_uuid }}" +matrix_mx_puppet_slack_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxslk.as.tok', rounds=655555) | to_uuid }}" -matrix_mx_puppet_slack_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxslk.hs.tok') | to_uuid }}" +matrix_mx_puppet_slack_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxslk.hs.tok', rounds=655555) | to_uuid }}" matrix_mx_puppet_slack_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_slack_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.slack.db') | to_uuid }}" +matrix_mx_puppet_slack_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.slack.db', rounds=655555) | to_uuid }}" ###################################################################### # 
@@ -1218,9 +1218,9 @@ matrix_mx_puppet_twitter_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_twitter_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxtwt.as.tok') | to_uuid }}" +matrix_mx_puppet_twitter_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxtwt.as.tok', rounds=655555) | to_uuid }}" -matrix_mx_puppet_twitter_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxtwt.hs.tok') | to_uuid }}" +matrix_mx_puppet_twitter_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxtwt.hs.tok', rounds=655555) | to_uuid }}" matrix_mx_puppet_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -1228,7 +1228,7 @@ matrix_mx_puppet_twitter_container_http_host_bind_port: "{{ '' if matrix_nginx_p # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_twitter_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_twitter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.twitter.db') | to_uuid }}" +matrix_mx_puppet_twitter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.twitter.db', rounds=655555) | to_uuid }}" ###################################################################### # 
@@ -1259,15 +1259,15 @@ matrix_mx_puppet_instagram_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_instagram_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxig.as.tok') | to_uuid }}" +matrix_mx_puppet_instagram_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxig.as.tok', rounds=655555) | to_uuid }}" -matrix_mx_puppet_instagram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxig.hs.tok') | to_uuid }}" +matrix_mx_puppet_instagram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxig.hs.tok', rounds=655555) | to_uuid }}" matrix_mx_puppet_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_instagram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.ig.db') | to_uuid }}" +matrix_mx_puppet_instagram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.ig.db', rounds=655555) | to_uuid }}" ###################################################################### # 
@@ -1297,15 +1297,15 @@ matrix_mx_puppet_discord_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_discord_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxdsc.as.tok') | to_uuid }}" +matrix_mx_puppet_discord_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxdsc.as.tok', rounds=655555) | to_uuid }}" -matrix_mx_puppet_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxdsc.hs.tok') | to_uuid }}" +matrix_mx_puppet_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxdsc.hs.tok', rounds=655555) | to_uuid }}" matrix_mx_puppet_discord_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.dsc.db') | to_uuid }}" +matrix_mx_puppet_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.dsc.db', rounds=655555) | to_uuid }}" ###################################################################### # 
@@ -1335,15 +1335,15 @@ matrix_mx_puppet_steam_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_steam_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxste.as.tok') | to_uuid }}" +matrix_mx_puppet_steam_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxste.as.tok', rounds=655555) | to_uuid }}" -matrix_mx_puppet_steam_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxste.hs.tok') | to_uuid }}" +matrix_mx_puppet_steam_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxste.hs.tok', rounds=655555) | to_uuid }}" matrix_mx_puppet_steam_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_steam_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_steam_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.steam.db') | to_uuid }}" +matrix_mx_puppet_steam_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.steam.db', rounds=655555) | to_uuid }}" ###################################################################### # 
@@ -1373,15 +1373,15 @@ matrix_mx_puppet_groupme_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_groupme_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxgro.as.tok') | to_uuid }}" +matrix_mx_puppet_groupme_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxgro.as.tok', rounds=655555) | to_uuid }}" -matrix_mx_puppet_groupme_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxgro.hs.tok') | to_uuid }}" +matrix_mx_puppet_groupme_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxgro.hs.tok', rounds=655555) | to_uuid }}" matrix_mx_puppet_groupme_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_groupme_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_groupme_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.groupme.db') | to_uuid }}" +matrix_mx_puppet_groupme_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.groupme.db', rounds=655555) | to_uuid }}" ###################################################################### # 
@@ -1411,7 +1411,7 @@ matrix_bot_matrix_reminder_bot_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_bot_matrix_reminder_bot_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_bot_matrix_reminder_bot_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'reminder.bot.db') | to_uuid }}" +matrix_bot_matrix_reminder_bot_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'reminder.bot.db', rounds=655555) | to_uuid }}" matrix_bot_matrix_reminder_bot_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" ###################################################################### @@ -1482,7 +1482,7 @@ matrix_bot_maubot_management_interface_http_bind_port: "{{ '' if matrix_nginx_pr # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_bot_maubot_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_bot_maubot_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.dsc.db') | to_uuid }}" +matrix_bot_maubot_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.dsc.db', rounds=655555) | to_uuid }}" ###################################################################### # 
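Review bot: The salt `'mxpup.dsc.db'` on `matrix_bot_maubot_database_password` in the second hunk reads like a copy of an mx-puppet-discord derivation rather than a maubot-specific one; since every secret here is `password_hash(generic_secret_key, salt)`, two lines sharing a salt produce an identical database password, and a leak of one service's config then also opens the other's database. The mx-puppet-discord line is not visible in this hunk, so please check it; if the salt is shared, give maubot its own, e.g. `'maubot.db'`, and note that this rotates the password on existing installs. The rounds pin itself is consistent with the other hunks.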
@@ -1513,7 +1513,7 @@ matrix_bot_honoroit_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_bot_honoroit_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_bot_honoroit_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'honoroit.bot.db') | to_uuid }}" +matrix_bot_honoroit_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'honoroit.bot.db', rounds=655555) | to_uuid }}" matrix_bot_honoroit_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" ###################################################################### @@ -1544,7 +1544,7 @@ matrix_bot_buscarron_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_bot_buscarron_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_bot_buscarron_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'buscarron.bot.db') | to_uuid }}" +matrix_bot_buscarron_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'buscarron.bot.db', rounds=655555) | to_uuid }}" matrix_bot_buscarron_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" ###################################################################### 
@@ -1576,7 +1576,7 @@ matrix_bot_postmoogle_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_bot_postmoogle_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_bot_postmoogle_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'postmoogle.db') | to_uuid }}" +matrix_bot_postmoogle_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'postmoogle.db', rounds=655555) | to_uuid }}" matrix_bot_postmoogle_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" @@ -1692,8 +1692,8 @@ matrix_backup_borg_systemd_required_services_list: | matrix_cactus_comments_enabled: false # Derive secret values from homeserver secret -matrix_cactus_comments_as_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'cactus.as.token') | to_uuid }}" -matrix_cactus_comments_hs_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'cactus.hs.token') | to_uuid }}" +matrix_cactus_comments_as_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'cactus.as.token', rounds=655555) | to_uuid }}" +matrix_cactus_comments_hs_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'cactus.hs.token', rounds=655555) | to_uuid }}" matrix_cactus_comments_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}" matrix_cactus_comments_systemd_required_services_list: | 
@@ -1763,7 +1763,7 @@ matrix_coturn_container_image_self_build: "{{ matrix_architecture not in ['amd64 matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" -matrix_coturn_turn_static_auth_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'coturn.sas') | to_uuid }}" +matrix_coturn_turn_static_auth_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'coturn.sas', rounds=655555) | to_uuid }}" matrix_coturn_tls_enabled: "{{ matrix_ssl_retrieval_method != 'none' }}" matrix_coturn_tls_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_server_fqn_matrix }}/fullchain.pem" @@ -1815,7 +1815,7 @@ matrix_dimension_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_dimension_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_dimension_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dimension.db') | to_uuid }}" +matrix_dimension_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dimension.db', rounds=655555) | to_uuid }}" ###################################################################### # @@ -1842,7 +1842,7 @@ matrix_etherpad_systemd_required_services_list: | (['matrix-postgres.service'] if matrix_postgres_enabled else []) }} -matrix_etherpad_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'etherpad.db') | to_uuid }}" +matrix_etherpad_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'etherpad.db', rounds=655555) | to_uuid }}" ###################################################################### # 
@@ -1897,9 +1897,9 @@ matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ '' if matrix_nginx_pro matrix_jitsi_prosody_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:5280' }}" -matrix_jitsi_jibri_xmpp_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jibri') | to_uuid }}" -matrix_jitsi_jicofo_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jicofo') | to_uuid }}" -matrix_jitsi_jvb_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jvb') | to_uuid }}" +matrix_jitsi_jibri_xmpp_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jibri', rounds=655555) | to_uuid }}" +matrix_jitsi_jicofo_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jicofo', rounds=655555) | to_uuid }}" +matrix_jitsi_jvb_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jvb', rounds=655555) | to_uuid }}" matrix_jitsi_web_stun_servers: | {{ @@ -2019,7 +2019,7 @@ matrix_ma1sd_systemd_wanted_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_ma1sd_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_ma1sd_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ma1sd.db') | to_uuid }}" +matrix_ma1sd_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ma1sd.db', rounds=655555) | to_uuid }}" ###################################################################### # 
@@ -2638,9 +2638,9 @@ matrix_synapse_container_manhole_api_host_bind_port: "{{ '127.0.0.1:9000' if mat # For exposing the Synapse worker (and metrics) ports to the local host. matrix_synapse_workers_container_host_bind_address: "{{ '127.0.0.1' if (matrix_synapse_workers_enabled and not matrix_nginx_proxy_enabled) else '' }}" -matrix_synapse_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'synapse.db') | to_uuid }}" +matrix_synapse_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'synapse.db', rounds=655555) | to_uuid }}" -matrix_synapse_macaroon_secret_key: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'synapse.mac') | to_uuid }}" +matrix_synapse_macaroon_secret_key: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'synapse.mac', rounds=655555) | to_uuid }}" # We do not enable TLS in Synapse by default. # TLS is handled by the matrix-nginx-proxy, which proxies the requests to Synapse. @@ -2820,7 +2820,7 @@ matrix_prometheus_scraper_hookshot_targets: "{{ [matrix_hookshot_container_url | ###################################################################### matrix_prometheus_postgres_exporter_enabled: false -matrix_prometheus_postgres_exporter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'prometheus.pg.db') | to_uuid }}" +matrix_prometheus_postgres_exporter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'prometheus.pg.db', rounds=655555) | to_uuid }}" matrix_prometheus_postgres_exporter_systemd_required_services_list: | {{ 
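Review bot: Pinning the round count changes the crypt string and therefore the `to_uuid` result for any host whose earlier runs used a different default, so `matrix_synapse_database_password` and `matrix_synapse_macaroon_secret_key` silently take new values on the next run. A changed database password is presumably reconciled by the postgres role, but a changed macaroon secret affects whatever Synapse signs with it, and the commit carries no changelog or migration note for operators. Suggest documenting the rotation with this change, including whether operators who set these variables explicitly in their vars are unaffected, e.g. `# NOTE: derived values changed when rounds was pinned; explicitly set values are not affected`.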
@@ -2918,7 +2918,7 @@ matrix_registration_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_registration_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_registration_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mx.registr.db') | to_uuid }}" +matrix_registration_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mx.registr.db', rounds=655555) | to_uuid }}" ###################################################################### # @@ -2975,9 +2975,9 @@ matrix_dendrite_container_https_host_bind_address: "{{ '' if matrix_nginx_proxy_ matrix_dendrite_sync_api_real_ip_header: "{{ 'X-Forwarded-For' if matrix_nginx_proxy_enabled else '' }}" -matrix_dendrite_registration_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.rss') | to_uuid }}" +matrix_dendrite_registration_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.rss', rounds=655555) | to_uuid }}" -matrix_dendrite_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.db') | to_uuid }}" +matrix_dendrite_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.db', rounds=655555) | to_uuid }}" # Even if TURN doesn't support TLS (it does by default), # it doesn't hurt to try a secure connection anyway. From 61f67d8f0a8117b8dc0071b643876702443d4173 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Fri, 25 Nov 2022 16:02:51 +0200 Subject: [PATCH 075/915] Add install-* tags for quicker runs --- roles/custom/matrix-aux/tasks/main.yml | 2 ++ .../custom/matrix-backup-borg/tasks/main.yml | 6 ++++ roles/custom/matrix-base/tasks/main.yml | 9 ++++++ .../matrix-bot-buscarron/tasks/main.yml | 6 ++++ roles/custom/matrix-bot-go-neb/tasks/main.yml | 6 ++++ .../custom/matrix-bot-honoroit/tasks/main.yml | 6 ++++ .../tasks/main.yml | 6 ++++ .../tasks/main.yml | 6 ++++ roles/custom/matrix-bot-maubot/tasks/main.yml | 9 +++++- .../custom/matrix-bot-mjolnir/tasks/main.yml | 6 ++++ .../matrix-bot-postmoogle/tasks/main.yml | 6 ++++ .../tasks/main.yml | 6 ++++ .../tasks/main.yml | 7 +++++ .../tasks/main.yml | 6 ++++ .../tasks/main.yml | 8 +++++ .../tasks/main.yml | 8 +++++ .../tasks/main.yml | 6 ++++ .../tasks/main.yml | 7 +++++ .../matrix-bridge-heisenbridge/tasks/main.yml | 6 ++++ .../matrix-bridge-hookshot/tasks/main.yml | 8 +++++ .../tasks/main.yml | 6 ++++ .../tasks/main.yml | 8 +++++ .../tasks/main.yml | 8 +++++ .../tasks/main.yml | 8 +++++ .../tasks/main.yml | 6 ++++ .../tasks/main.yml | 6 ++++ .../tasks/main.yml | 8 +++++ .../tasks/main.yml | 6 ++++ .../tasks/main.yml | 6 ++++ .../tasks/main.yml | 6 ++++ .../tasks/main.yml | 6 ++++ .../tasks/main.yml | 6 ++++ .../tasks/main.yml | 8 +++++ .../tasks/main.yml | 6 ++++ .../tasks/main.yml | 8 +++++ roles/custom/matrix-bridge-sms/tasks/main.yml | 6 ++++ .../matrix-cactus-comments/tasks/main.yml | 8 +++++ .../custom/matrix-client-cinny/tasks/main.yml | 6 ++++ .../matrix-client-element/tasks/main.yml | 6 ++++ .../matrix-client-hydrogen/tasks/main.yml | 6 ++++ roles/custom/matrix-conduit/tasks/main.yml | 6 ++++ roles/custom/matrix-corporal/tasks/main.yml | 6 ++++ roles/custom/matrix-coturn/tasks/main.yml | 6 ++++ roles/custom/matrix-dendrite/tasks/main.yml | 6 ++++ roles/custom/matrix-dimension/tasks/main.yml | 6 ++++ .../custom/matrix-dynamic-dns/tasks/main.yml | 6 ++++ 
.../custom/matrix-email2matrix/tasks/main.yml | 6 ++++ roles/custom/matrix-etherpad/tasks/main.yml | 8 +++++ roles/custom/matrix-grafana/tasks/main.yml | 6 ++++ roles/custom/matrix-jitsi/tasks/main.yml | 30 +++++++++++++++---- .../tasks/main.yml | 8 +++++ roles/custom/matrix-ma1sd/tasks/main.yml | 6 ++++ roles/custom/matrix-mailer/tasks/main.yml | 6 ++++ .../custom/matrix-nginx-proxy/tasks/main.yml | 7 +++++ roles/custom/matrix-ntfy/tasks/main.yml | 6 ++++ .../matrix-postgres-backup/tasks/main.yml | 6 ++++ roles/custom/matrix-postgres/tasks/main.yml | 2 ++ .../tasks/main.yml | 8 +++++ .../tasks/main.yml | 8 +++++ roles/custom/matrix-prometheus/tasks/main.yml | 6 ++++ roles/custom/matrix-redis/tasks/main.yml | 6 ++++ .../custom/matrix-registration/tasks/main.yml | 8 +++++ roles/custom/matrix-sygnal/tasks/main.yml | 6 ++++ .../matrix-synapse-admin/tasks/main.yml | 8 +++++ .../tasks/main.yml | 8 +++++ roles/custom/matrix-synapse/tasks/main.yml | 6 ++++ .../matrix_playbook_migration/tasks/main.yml | 1 + 67 files changed, 449 insertions(+), 7 deletions(-) diff --git a/roles/custom/matrix-aux/tasks/main.yml b/roles/custom/matrix-aux/tasks/main.yml index 63ef998a8..57db09653 100644 --- a/roles/custom/matrix-aux/tasks/main.yml +++ b/roles/custom/matrix-aux/tasks/main.yml @@ -5,3 +5,5 @@ tags: - setup-all - setup-aux-files + - install-all + - install-aux-files diff --git a/roles/custom/matrix-backup-borg/tasks/main.yml b/roles/custom/matrix-backup-borg/tasks/main.yml index 0c8a9b7e4..88d120c04 100644 --- a/roles/custom/matrix-backup-borg/tasks/main.yml +++ b/roles/custom/matrix-backup-borg/tasks/main.yml 
@@ -6,7 +6,13 @@ - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" when: "run_setup | bool and matrix_backup_borg_enabled | bool" + tags: + - setup-all + - setup-backup-borg + - install-all + - install-backup-borg +- block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" when: "run_setup | bool and not matrix_backup_borg_enabled | bool" tags: diff --git a/roles/custom/matrix-base/tasks/main.yml b/roles/custom/matrix-base/tasks/main.yml index 7eeb2cdc5..c67e20908 100644 --- a/roles/custom/matrix-base/tasks/main.yml +++ b/roles/custom/matrix-base/tasks/main.yml @@ -4,6 +4,7 @@ - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" tags: - setup-all + - install-all # This needs to always run, because it populates `matrix_user_uid` and `matrix_user_gid`, # which are required by many other roles. @@ -18,6 +19,7 @@ - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml" tags: - setup-all + - install-all - common - block: @@ -27,4 +29,11 @@ - setup-ma1sd - setup-synapse - setup-dendrite + - setup-conduit - setup-nginx-proxy + - install-all + - install-ma1sd + - install-synapse + - install-dendrite + - install-conduit + - install-nginx-proxy diff --git a/roles/custom/matrix-bot-buscarron/tasks/main.yml b/roles/custom/matrix-bot-buscarron/tasks/main.yml index b12579541..b4a58e910 100644 --- a/roles/custom/matrix-bot-buscarron/tasks/main.yml +++ b/roles/custom/matrix-bot-buscarron/tasks/main.yml @@ -6,7 +6,13 @@ - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" when: "run_setup | bool and matrix_bot_buscarron_enabled | bool" + tags: + - setup-all + - setup-bot-buscarron + - install-all + - install-bot-buscarron +- block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" when: "run_setup | bool and not matrix_bot_buscarron_enabled | bool" tags: 
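Review bot: The new `install-*` tags are attached only to the `setup_install.yml` include, while the `setup_uninstall.yml` include now sits in its own `- block:` without them, so a run with `--tags=install-all` never removes a service that was disabled in vars; it keeps running with its old config and tokens until a `setup-*` run. That is presumably the intent of "quicker runs", but nothing in the task files says so and the same pattern repeats in every role below. Suggest a comment above the new block, `# install-* tags only install/update enabled services; use setup-* to also remove services that were disabled`, and the same caveat wherever the tags are documented.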
diff --git a/roles/custom/matrix-bot-go-neb/tasks/main.yml b/roles/custom/matrix-bot-go-neb/tasks/main.yml index 7c8f2455e..126f6ae03 100644 --- a/roles/custom/matrix-bot-go-neb/tasks/main.yml +++ b/roles/custom/matrix-bot-go-neb/tasks/main.yml @@ -6,7 +6,13 @@ - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" when: "run_setup | bool and matrix_bot_go_neb_enabled | bool" + tags: + - setup-all + - setup-bot-go-neb + - install-all + - install-bot-go-neb +- block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" when: "run_setup | bool and not matrix_bot_go_neb_enabled | bool" tags: diff --git a/roles/custom/matrix-bot-honoroit/tasks/main.yml b/roles/custom/matrix-bot-honoroit/tasks/main.yml index fde2b6e3b..d4dcbce4b 100644 --- a/roles/custom/matrix-bot-honoroit/tasks/main.yml +++ b/roles/custom/matrix-bot-honoroit/tasks/main.yml @@ -6,7 +6,13 @@ - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" when: "run_setup | bool and matrix_bot_honoroit_enabled | bool" + tags: + - setup-all + - setup-bot-honoroit + - install-all + - install-bot-honoroit +- block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" when: "run_setup | bool and not matrix_bot_honoroit_enabled | bool" tags: diff --git a/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml b/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml index d0c7a1578..90ee56ccf 100644 --- a/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml +++ b/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml 
@@ -6,7 +6,13 @@ - when: matrix_bot_matrix_registration_bot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-bot-matrix-registration-bot + - install-all + - install-bot-matrix-registration-bot +- block: - when: not matrix_bot_matrix_registration_bot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/main.yml b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/main.yml index 091b0cc18..22c014de6 100644 --- a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/main.yml +++ b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/main.yml @@ -6,7 +6,13 @@ - when: matrix_bot_matrix_reminder_bot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-bot-matrix-reminder-bot + - install-all + - install-bot-matrix-reminder-bot +- block: - when: not matrix_bot_matrix_reminder_bot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-bot-maubot/tasks/main.yml b/roles/custom/matrix-bot-maubot/tasks/main.yml index 917fea776..95fad19e5 100644 --- a/roles/custom/matrix-bot-maubot/tasks/main.yml +++ b/roles/custom/matrix-bot-maubot/tasks/main.yml @@ -6,7 +6,8 @@ tags: - setup-all - setup-nginx-proxy - + - install-all + - install-nginx-proxy - block: - when: matrix_bot_maubot_enabled | bool @@ -14,7 +15,13 @@ - when: matrix_bot_maubot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-bot-maubot + - install-all + - install-bot-maubot +- block: - when: not matrix_bot_maubot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-bot-mjolnir/tasks/main.yml b/roles/custom/matrix-bot-mjolnir/tasks/main.yml index 25e9d74db..def5c9f05 100644 
--- a/roles/custom/matrix-bot-mjolnir/tasks/main.yml +++ b/roles/custom/matrix-bot-mjolnir/tasks/main.yml @@ -6,7 +6,13 @@ - when: matrix_bot_mjolnir_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-bot-mjolnir + - install-all + - install-bot-mjolnir +- block: - when: not matrix_bot_mjolnir_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-bot-postmoogle/tasks/main.yml b/roles/custom/matrix-bot-postmoogle/tasks/main.yml index 62623c4d5..a6bc76a35 100644 --- a/roles/custom/matrix-bot-postmoogle/tasks/main.yml +++ b/roles/custom/matrix-bot-postmoogle/tasks/main.yml @@ -6,7 +6,13 @@ - when: matrix_bot_postmoogle_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-bot-postmoogle + - install-all + - install-bot-postmoogle +- block: - when: not matrix_bot_postmoogle_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-bridge-appservice-discord/tasks/main.yml b/roles/custom/matrix-bridge-appservice-discord/tasks/main.yml index 6627d6103..926fe3670 100644 --- a/roles/custom/matrix-bridge-appservice-discord/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-discord/tasks/main.yml @@ -6,7 +6,13 @@ - when: matrix_appservice_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-appservice-discord + - install-all + - install-appservice-discord +- block: - when: not matrix_appservice_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml b/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml index b994ddb04..3f84171e3 100644 --- a/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml 
+++ b/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml @@ -6,9 +6,16 @@ - when: matrix_appservice_irc_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-appservice-irc + - install-all + - install-appservice-irc +- block: - when: not matrix_appservice_irc_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-appservice-irc + diff --git a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/main.yml b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/main.yml index be24d778e..14a30e65b 100644 --- a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/main.yml @@ -6,7 +6,13 @@ - when: matrix_appservice_kakaotalk_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-appservice-kakaotalk + - install-all + - install-appservice-kakaotalk +- block: - when: not matrix_appservice_kakaotalk_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-bridge-appservice-slack/tasks/main.yml b/roles/custom/matrix-bridge-appservice-slack/tasks/main.yml index 277e41776..41e2679ed 100644 --- a/roles/custom/matrix-bridge-appservice-slack/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-slack/tasks/main.yml @@ -6,6 +6,8 @@ tags: - setup-all - setup-nginx-proxy + - install-all + - install-nginx-proxy - block: - when: matrix_appservice_slack_enabled | bool @@ -13,7 +15,13 @@ - when: matrix_appservice_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-appservice-slack + - install-all + - install-appservice-slack +- block: - when: not matrix_appservice_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: 
diff --git a/roles/custom/matrix-bridge-appservice-webhooks/tasks/main.yml b/roles/custom/matrix-bridge-appservice-webhooks/tasks/main.yml index 97793d88d..ae36cf700 100644 --- a/roles/custom/matrix-bridge-appservice-webhooks/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-webhooks/tasks/main.yml @@ -6,6 +6,8 @@ tags: - setup-all - setup-nginx-proxy + - install-all + - install-nginx-proxy - block: - when: matrix_appservice_webhooks_enabled | bool @@ -13,7 +15,13 @@ - when: matrix_appservice_webhooks_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-appservice-webhooks + - install-all + - install-appservice-webhooks +- block: - when: not matrix_appservice_webhooks_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-bridge-beeper-linkedin/tasks/main.yml b/roles/custom/matrix-bridge-beeper-linkedin/tasks/main.yml index 57dcc2a33..502280428 100644 --- a/roles/custom/matrix-bridge-beeper-linkedin/tasks/main.yml +++ b/roles/custom/matrix-bridge-beeper-linkedin/tasks/main.yml @@ -6,7 +6,13 @@ - when: matrix_beeper_linkedin_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-beeper-linkedin + - install-all + - install-beeper-linkedin +- block: - when: not matrix_beeper_linkedin_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml b/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml index cc41f4bd2..fa9fd87e9 100644 --- a/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml +++ b/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml 
@@ -6,9 +6,16 @@ - when: matrix_go_skype_bridge_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-go-skype-bridge + - install-all + - install-go-skype-bridge +- block: - when: not matrix_go_skype_bridge_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-go-skype-bridge + diff --git a/roles/custom/matrix-bridge-heisenbridge/tasks/main.yml b/roles/custom/matrix-bridge-heisenbridge/tasks/main.yml index 38b891cff..0d8354cf9 100644 --- a/roles/custom/matrix-bridge-heisenbridge/tasks/main.yml +++ b/roles/custom/matrix-bridge-heisenbridge/tasks/main.yml @@ -3,7 +3,13 @@ - block: - when: matrix_heisenbridge_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-heisenbridge + - install-all + - install-heisenbridge +- block: - when: not matrix_heisenbridge_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-bridge-hookshot/tasks/main.yml b/roles/custom/matrix-bridge-hookshot/tasks/main.yml index 505b86ed3..c7ffc3041 100644 --- a/roles/custom/matrix-bridge-hookshot/tasks/main.yml +++ b/roles/custom/matrix-bridge-hookshot/tasks/main.yml @@ -6,6 +6,8 @@ tags: - setup-all - setup-nginx-proxy + - install-all + - install-nginx-proxy - block: - when: matrix_hookshot_enabled | bool @@ -13,7 +15,13 @@ - when: matrix_hookshot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-hookshot + - install-all + - install-hookshot +- block: - when: not matrix_hookshot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-bridge-mautrix-discord/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-discord/tasks/main.yml index 5c38db0a2..cc90f2fae 100644 
--- a/roles/custom/matrix-bridge-mautrix-discord/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-discord/tasks/main.yml @@ -6,7 +6,13 @@ - when: matrix_mautrix_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-mautrix-discord + - install-all + - install-mautrix-discord +- block: - when: not matrix_mautrix_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml index 9e17b87b9..fa7cec7dc 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml @@ -6,6 +6,8 @@ tags: - setup-all - setup-nginx-proxy + - install-all + - install-nginx-proxy - block: - when: matrix_mautrix_facebook_enabled | bool @@ -13,7 +15,13 @@ - when: matrix_mautrix_facebook_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-mautrix-facebook + - install-all + - install-mautrix-facebook +- block: - when: not matrix_mautrix_facebook_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/main.yml index 9bdc30610..917ba7a9d 100644 --- a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/main.yml @@ -6,6 +6,8 @@ tags: - setup-all - setup-nginx-proxy + - install-all + - install-nginx-proxy - block: - when: matrix_mautrix_googlechat_enabled | bool 
@@ -13,7 +15,13 @@ - when: matrix_mautrix_googlechat_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-mautrix-googlechat + - install-all + - install-mautrix-googlechat +- block: - when: not matrix_mautrix_googlechat_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/main.yml index cce772214..e9d8048c7 100644 --- a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/main.yml @@ -6,6 +6,8 @@ tags: - setup-all - setup-nginx-proxy + - install-all + - install-nginx-proxy - block: - when: matrix_mautrix_hangouts_enabled | bool @@ -13,7 +15,13 @@ - when: matrix_mautrix_hangouts_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-mautrix-hangouts + - install-all + - install-mautrix-hangouts +- block: - when: not matrix_mautrix_hangouts_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml index f559c69d7..2bd0417ee 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml @@ -6,7 +6,13 @@ - when: matrix_mautrix_instagram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-mautrix-instagram + - install-all + - install-mautrix-instagram +- block: - when: not matrix_mautrix_instagram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: 
diff --git a/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml index a4cd677b8..0c0a1239f 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml @@ -6,7 +6,13 @@ - when: matrix_mautrix_signal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-mautrix-signal + - install-all + - install-mautrix-signal +- block: - when: not matrix_mautrix_signal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-bridge-mautrix-telegram/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-telegram/tasks/main.yml index a62efb7a5..3c8e6d044 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-telegram/tasks/main.yml @@ -6,6 +6,8 @@ tags: - setup-all - setup-nginx-proxy + - install-all + - install-nginx-proxy - block: - when: matrix_mautrix_telegram_enabled | bool @@ -13,7 +15,13 @@ - when: matrix_mautrix_telegram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-mautrix-telegram + - install-all + - install-mautrix-telegram +- block: - when: not matrix_mautrix_telegram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml index aee0daf7d..f8dbc28be 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml 
@@ -6,7 +6,13 @@ - when: matrix_mautrix_twitter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-mautrix-twitter + - install-all + - install-mautrix-twitter +- block: - when: not matrix_mautrix_twitter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml index 4d2342502..fdb654315 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml @@ -6,7 +6,13 @@ - when: matrix_mautrix_whatsapp_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-mautrix-whatsapp + - install-all + - install-mautrix-whatsapp +- block: - when: not matrix_mautrix_whatsapp_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/main.yml index a77f22650..c1403dfa3 100644 --- a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/main.yml @@ -6,7 +6,13 @@ - when: matrix_mx_puppet_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-mx-puppet-discord + - install-all + - install-mx-puppet-discord +- block: - when: not matrix_mx_puppet_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/main.yml index 6f2a03875..ab5b0d445 100644 --- a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/main.yml 
+++ b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/main.yml @@ -6,7 +6,13 @@ - when: matrix_mx_puppet_groupme_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-mx-puppet-groupme + - install-all + - install-mx-puppet-groupme +- block: - when: not matrix_mx_puppet_groupme_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/main.yml index 620b0da57..3cf027736 100644 --- a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/main.yml @@ -6,7 +6,13 @@ - when: matrix_mx_puppet_instagram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-mx-puppet-instagram + - install-all + - install-mx-puppet-instagram +- block: - when: not matrix_mx_puppet_instagram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/main.yml index 2fe8ea420..3d6e722bf 100644 --- a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/main.yml @@ -6,6 +6,8 @@ tags: - setup-all - setup-nginx-proxy + - install-all + - install-nginx-proxy - block: - when: matrix_mx_puppet_slack_enabled | bool @@ -13,7 +15,13 @@ - when: matrix_mx_puppet_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-mx-puppet-slack + - install-all + - install-mx-puppet-slack +- block: - when: not matrix_mx_puppet_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: 
diff --git a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/main.yml index a6cab2b0b..6eacc6fc8 100644 --- a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/main.yml @@ -6,7 +6,13 @@ - when: matrix_mx_puppet_steam_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-mx-puppet-steam + - install-all + - install-mx-puppet-steam +- block: - when: not matrix_mx_puppet_steam_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/main.yml index 3e1fe73c9..85c06f04b 100644 --- a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/main.yml @@ -6,6 +6,8 @@ tags: - setup-all - setup-nginx-proxy + - install-all + - install-nginx-proxy - block: - when: matrix_mx_puppet_twitter_enabled | bool @@ -13,7 +15,13 @@ - when: matrix_mx_puppet_twitter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-mx-puppet-twitter + - install-all + - install-mx-puppet-twitter +- block: - when: not matrix_mx_puppet_twitter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-bridge-sms/tasks/main.yml b/roles/custom/matrix-bridge-sms/tasks/main.yml index a802054c6..f9bd502c7 100644 --- a/roles/custom/matrix-bridge-sms/tasks/main.yml +++ b/roles/custom/matrix-bridge-sms/tasks/main.yml 
@@ -6,7 +6,13 @@ - when: matrix_sms_bridge_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-matrix-sms-bridge + - install-all + - install-matrix-sms-bridge +- block: - when: not matrix_sms_bridge_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-cactus-comments/tasks/main.yml b/roles/custom/matrix-cactus-comments/tasks/main.yml index dab5a1209..c6108e91f 100644 --- a/roles/custom/matrix-cactus-comments/tasks/main.yml +++ b/roles/custom/matrix-cactus-comments/tasks/main.yml @@ -6,6 +6,8 @@ tags: - setup-all - setup-nginx-proxy + - install-all + - install-nginx-proxy - block: - when: matrix_cactus_comments_enabled | bool @@ -13,7 +15,13 @@ - when: matrix_cactus_comments_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-cactus-comments + - install-all + - install-cactus-comments +- block: - when: not matrix_cactus_comments_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-client-cinny/tasks/main.yml b/roles/custom/matrix-client-cinny/tasks/main.yml index c67116e67..1e6d47590 100644 --- a/roles/custom/matrix-client-cinny/tasks/main.yml +++ b/roles/custom/matrix-client-cinny/tasks/main.yml @@ -6,7 +6,13 @@ - when: matrix_client_cinny_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-client-cinny + - install-all + - install-client-cinny +- block: - when: not matrix_client_cinny_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-client-element/tasks/main.yml b/roles/custom/matrix-client-element/tasks/main.yml index b75a3d5dc..89e50ba70 100644 --- a/roles/custom/matrix-client-element/tasks/main.yml 
+++ b/roles/custom/matrix-client-element/tasks/main.yml @@ -9,7 +9,13 @@ - when: matrix_client_element_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-client-element + - install-all + - install-client-element +- block: - when: not matrix_client_element_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-client-hydrogen/tasks/main.yml b/roles/custom/matrix-client-hydrogen/tasks/main.yml index 220a4d130..9bb8bc080 100644 --- a/roles/custom/matrix-client-hydrogen/tasks/main.yml +++ b/roles/custom/matrix-client-hydrogen/tasks/main.yml @@ -6,7 +6,13 @@ - when: matrix_client_hydrogen_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-client-hydrogen + - install-all + - install-client-hydrogen +- block: - when: not matrix_client_hydrogen_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-conduit/tasks/main.yml b/roles/custom/matrix-conduit/tasks/main.yml index e731f21a8..d733ac08b 100644 --- a/roles/custom/matrix-conduit/tasks/main.yml +++ b/roles/custom/matrix-conduit/tasks/main.yml @@ -3,7 +3,13 @@ - block: - when: matrix_conduit_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-conduit + - install-all + - install-conduit +- block: - when: not matrix_conduit_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-corporal/tasks/main.yml b/roles/custom/matrix-corporal/tasks/main.yml index 3f18ed0cf..c4c7b7fc1 100644 --- a/roles/custom/matrix-corporal/tasks/main.yml +++ b/roles/custom/matrix-corporal/tasks/main.yml 
@@ -6,7 +6,13 @@ - when: matrix_corporal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-corporal + - install-all + - install-corporal +- block: - when: not matrix_corporal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-coturn/tasks/main.yml b/roles/custom/matrix-coturn/tasks/main.yml index 393ed6915..45ce9fd9e 100644 --- a/roles/custom/matrix-coturn/tasks/main.yml +++ b/roles/custom/matrix-coturn/tasks/main.yml @@ -6,7 +6,13 @@ - when: matrix_coturn_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-coturn + - install-all + - install-coturn +- block: - when: not matrix_coturn_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-dendrite/tasks/main.yml b/roles/custom/matrix-dendrite/tasks/main.yml index b59d3cadb..0e88ec510 100644 --- a/roles/custom/matrix-dendrite/tasks/main.yml +++ b/roles/custom/matrix-dendrite/tasks/main.yml @@ -6,7 +6,13 @@ - when: matrix_dendrite_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-dendrite + - install-all + - install-dendrite +- block: - when: not matrix_dendrite_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-dimension/tasks/main.yml b/roles/custom/matrix-dimension/tasks/main.yml index 5d6f54432..efd0f8d47 100644 --- a/roles/custom/matrix-dimension/tasks/main.yml +++ b/roles/custom/matrix-dimension/tasks/main.yml 
@@ -6,7 +6,13 @@ - when: matrix_dimension_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-dimension + - install-all + - install-dimension +- block: - when: not matrix_dimension_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-dynamic-dns/tasks/main.yml b/roles/custom/matrix-dynamic-dns/tasks/main.yml index 8f7956503..ae7503b73 100644 --- a/roles/custom/matrix-dynamic-dns/tasks/main.yml +++ b/roles/custom/matrix-dynamic-dns/tasks/main.yml @@ -6,7 +6,13 @@ - when: matrix_dynamic_dns_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-dynamic-dns + - install-all + - install-dynamic-dns +- block: - when: not matrix_dynamic_dns_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-email2matrix/tasks/main.yml b/roles/custom/matrix-email2matrix/tasks/main.yml index c3e21d94d..8fac77ce2 100644 --- a/roles/custom/matrix-email2matrix/tasks/main.yml +++ b/roles/custom/matrix-email2matrix/tasks/main.yml @@ -6,7 +6,13 @@ - when: matrix_email2matrix_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-email2matrix + - install-all + - install-email2matrix +- block: - when: not matrix_email2matrix_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-etherpad/tasks/main.yml b/roles/custom/matrix-etherpad/tasks/main.yml index 46a04a48b..eaafd98a9 100644 --- a/roles/custom/matrix-etherpad/tasks/main.yml +++ b/roles/custom/matrix-etherpad/tasks/main.yml @@ -6,6 +6,8 @@ tags: - setup-all - setup-nginx-proxy + - install-all + - install-nginx-proxy - block: - when: matrix_etherpad_enabled | bool 
@@ -13,7 +15,13 @@ - when: matrix_etherpad_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-etherpad + - install-all + - install-etherpad +- block: - when: not matrix_etherpad_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-grafana/tasks/main.yml b/roles/custom/matrix-grafana/tasks/main.yml index fc1f3dc6f..263d894fe 100644 --- a/roles/custom/matrix-grafana/tasks/main.yml +++ b/roles/custom/matrix-grafana/tasks/main.yml @@ -6,7 +6,13 @@ - when: matrix_grafana_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-grafana + - install-all + - install-grafana +- block: - when: not matrix_grafana_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-jitsi/tasks/main.yml b/roles/custom/matrix-jitsi/tasks/main.yml index 8a2b9e43e..d7dc66232 100644 --- a/roles/custom/matrix-jitsi/tasks/main.yml +++ b/roles/custom/matrix-jitsi/tasks/main.yml @@ -5,6 +5,7 @@ ansible.builtin.include_tasks: "{{ role_path }}/tasks/init_additional_jvb.yml" tags: - setup-additional-jitsi-jvb + - install-additional-jitsi-jvb - block: - when: matrix_jitsi_enabled | bool 
@@ -16,22 +17,31 @@ - setup-all - setup-jitsi - setup-additional-jitsi-jvb + - install-all + - install-jitsi + - install-additional-jitsi-jvb - block: - when: matrix_jitsi_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_web_install.yml" - - when: not matrix_jitsi_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_web_uninstall.yml" - - when: matrix_jitsi_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_prosody_install.yml" - - when: not matrix_jitsi_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_prosody_uninstall.yml" - - when: matrix_jitsi_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jicofo_install.yml" + tags: + - setup-all + - setup-jitsi + - install-all + - install-jitsi + +- block: + - when: not matrix_jitsi_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_web_uninstall.yml" + + - when: not matrix_jitsi_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_prosody_uninstall.yml" - when: not matrix_jitsi_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jicofo_uninstall.yml" @@ -42,7 +52,15 @@ - block: - when: matrix_jitsi_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jvb_install.yml" + tags: + - setup-all + - setup-jitsi + - setup-additional-jitsi-jvb + - install-all + - install-jitsi + - install-additional-jitsi-jvb +- block: - when: not matrix_jitsi_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jvb_uninstall.yml" tags: diff --git a/roles/custom/matrix-ldap-registration-proxy/tasks/main.yml b/roles/custom/matrix-ldap-registration-proxy/tasks/main.yml index 758bea97a..9309113fe 100644 --- a/roles/custom/matrix-ldap-registration-proxy/tasks/main.yml +++ b/roles/custom/matrix-ldap-registration-proxy/tasks/main.yml 
@@ -6,6 +6,8 @@ tags: - setup-all - setup-nginx-proxy + - install-all + - install-nginx-proxy - block: - when: matrix_ldap_registration_proxy_enabled | bool @@ -13,7 +15,13 @@ - when: matrix_ldap_registration_proxy_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-matrix-ldap-registration-proxy + - install-all + - install-matrix-ldap-registration-proxy +- block: - when: not matrix_ldap_registration_proxy_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-ma1sd/tasks/main.yml b/roles/custom/matrix-ma1sd/tasks/main.yml index c1208f749..a65cf371e 100644 --- a/roles/custom/matrix-ma1sd/tasks/main.yml +++ b/roles/custom/matrix-ma1sd/tasks/main.yml @@ -6,7 +6,13 @@ - when: matrix_ma1sd_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-ma1sd + - install-all + - install-ma1sd +- block: - when: not matrix_ma1sd_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-mailer/tasks/main.yml b/roles/custom/matrix-mailer/tasks/main.yml index 2c2a03675..b269f63e7 100644 --- a/roles/custom/matrix-mailer/tasks/main.yml +++ b/roles/custom/matrix-mailer/tasks/main.yml @@ -3,7 +3,13 @@ - block: - when: matrix_mailer_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-mailer + - install-all + - install-mailer +- block: - when: not matrix_mailer_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-nginx-proxy/tasks/main.yml b/roles/custom/matrix-nginx-proxy/tasks/main.yml index 7ead49700..39cec7e53 100644 --- a/roles/custom/matrix-nginx-proxy/tasks/main.yml +++ b/roles/custom/matrix-nginx-proxy/tasks/main.yml 
@@ -8,6 +8,8 @@ tags: - setup-all - setup-nginx-proxy + - install-all + - install-nginx-proxy - ansible.builtin.import_tasks: "{{ role_path }}/tasks/ssl/main.yml" when: run_setup | bool @@ -15,12 +17,17 @@ - setup-all - setup-nginx-proxy - setup-ssl + - install-all + - install-nginx-proxy + - install-ssl - ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_nginx_proxy.yml" when: run_setup | bool tags: - setup-all - setup-nginx-proxy + - install-all + - install-nginx-proxy - block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_well_known.yml" diff --git a/roles/custom/matrix-ntfy/tasks/main.yml b/roles/custom/matrix-ntfy/tasks/main.yml index 1c2c266e1..85d80841d 100644 --- a/roles/custom/matrix-ntfy/tasks/main.yml +++ b/roles/custom/matrix-ntfy/tasks/main.yml @@ -3,7 +3,13 @@ - block: - when: matrix_ntfy_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-ntfy + - install-all + - install-ntfy +- block: - when: not matrix_ntfy_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-postgres-backup/tasks/main.yml b/roles/custom/matrix-postgres-backup/tasks/main.yml index 1408f695c..4db5c82ee 100644 --- a/roles/custom/matrix-postgres-backup/tasks/main.yml +++ b/roles/custom/matrix-postgres-backup/tasks/main.yml @@ -6,7 +6,13 @@ - when: matrix_postgres_backup_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-postgres-backup + - install-all + - install-postgres-backup +- block: - when: not matrix_postgres_backup_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-postgres/tasks/main.yml b/roles/custom/matrix-postgres/tasks/main.yml index c282b3827..02f53b73a 100644 --- a/roles/custom/matrix-postgres/tasks/main.yml 
+++ b/roles/custom/matrix-postgres/tasks/main.yml @@ -5,12 +5,14 @@ tags: - setup-all - setup-postgres + - install-postgres - ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_postgres.yml" when: run_setup | bool tags: - setup-all - setup-postgres + - install-postgres - ansible.builtin.import_tasks: "{{ role_path }}/tasks/import_postgres.yml" when: run_postgres_import | bool diff --git a/roles/custom/matrix-prometheus-node-exporter/tasks/main.yml b/roles/custom/matrix-prometheus-node-exporter/tasks/main.yml index c86cdad73..6a0cd8307 100644 --- a/roles/custom/matrix-prometheus-node-exporter/tasks/main.yml +++ b/roles/custom/matrix-prometheus-node-exporter/tasks/main.yml @@ -6,11 +6,19 @@ tags: - setup-all - setup-nginx-proxy + - install-all + - install-nginx-proxy - block: - when: matrix_prometheus_node_exporter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-prometheus-node-exporter + - install-all + - install-prometheus-node-exporter +- block: - when: not matrix_prometheus_node_exporter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-prometheus-postgres-exporter/tasks/main.yml b/roles/custom/matrix-prometheus-postgres-exporter/tasks/main.yml index 2e06fdd57..2cea06049 100644 --- a/roles/custom/matrix-prometheus-postgres-exporter/tasks/main.yml +++ b/roles/custom/matrix-prometheus-postgres-exporter/tasks/main.yml 
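Review bot: Both tasks in the `@@ -5,12 +5,14 @@` hunk of `matrix-postgres/tasks/main.yml` gain only `install-postgres`, whereas every other role in this commit adds `install-all` next to its component tag; unless the role is tagged at play level in `setup.yml` (not visible here), `ansible-playbook --tags=install-all` — the fast path the accompanying CHANGELOG advertises — would skip the task whose `tags:` open the hunk and `setup_postgres.yml` entirely, so whatever they reconcile for Postgres (container, configuration, credentials — presumably) is silently never re-applied on such a run. Add `    - install-all` directly above each `- install-postgres` line so both tag lists read `setup-all, setup-postgres, install-all, install-postgres` like their siblings. The `import_tasks` line of the first task and the `import_postgres.yml` task that follows are outside the hunk.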
@@ -6,11 +6,19 @@ tags: - setup-all - setup-nginx-proxy + - install-all + - install-nginx-proxy - block: - when: matrix_prometheus_postgres_exporter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-prometheus-postgres-exporter + - install-all + - install-prometheus-postgres-exporter +- block: - when: not matrix_prometheus_postgres_exporter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-prometheus/tasks/main.yml b/roles/custom/matrix-prometheus/tasks/main.yml index 737f656b3..59371d4d4 100644 --- a/roles/custom/matrix-prometheus/tasks/main.yml +++ b/roles/custom/matrix-prometheus/tasks/main.yml @@ -6,7 +6,13 @@ - when: matrix_prometheus_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-prometheus + - install-all + - install-prometheus +- block: - when: not matrix_prometheus_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-redis/tasks/main.yml b/roles/custom/matrix-redis/tasks/main.yml index da2f1dcbc..296400059 100644 --- a/roles/custom/matrix-redis/tasks/main.yml +++ b/roles/custom/matrix-redis/tasks/main.yml @@ -3,7 +3,13 @@ - block: - when: matrix_redis_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-redis + - install-all + - install-redis +- block: - when: not matrix_redis_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-registration/tasks/main.yml b/roles/custom/matrix-registration/tasks/main.yml index ee1101829..bebcebc0b 100644 --- a/roles/custom/matrix-registration/tasks/main.yml +++ b/roles/custom/matrix-registration/tasks/main.yml 
@@ -6,6 +6,8 @@ tags: - setup-all - setup-nginx-proxy + - install-all + - install-nginx-proxy - block: - when: matrix_registration_enabled | bool @@ -13,7 +15,13 @@ - when: matrix_registration_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-matrix-registration + - install-all + - install-matrix-registration +- block: - when: not matrix_registration_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-sygnal/tasks/main.yml b/roles/custom/matrix-sygnal/tasks/main.yml index 146774883..ed8015262 100644 --- a/roles/custom/matrix-sygnal/tasks/main.yml +++ b/roles/custom/matrix-sygnal/tasks/main.yml @@ -6,7 +6,13 @@ - when: matrix_sygnal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-sygnal + - install-all + - install-sygnal +- block: - when: not matrix_sygnal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-synapse-admin/tasks/main.yml b/roles/custom/matrix-synapse-admin/tasks/main.yml index 632ec7836..0b1664cf1 100644 --- a/roles/custom/matrix-synapse-admin/tasks/main.yml +++ b/roles/custom/matrix-synapse-admin/tasks/main.yml @@ -6,6 +6,8 @@ tags: - setup-all - setup-nginx-proxy + - install-all + - install-nginx-proxy - block: - when: matrix_synapse_admin_enabled | bool @@ -13,7 +15,13 @@ - when: matrix_synapse_admin_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-synapse-admin + - install-all + - install-synapse-admin +- block: - when: not matrix_synapse_admin_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: 
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml index e07869d21..0dba0b9c7 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml @@ -3,7 +3,15 @@ - block: - when: matrix_synapse_reverse_proxy_companion_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-synapse-reverse-proxy-companion + - setup-synapse + - install-all + - install-synapse-reverse-proxy-companion + - install-synapse +- block: - when: not matrix_synapse_reverse_proxy_companion_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix-synapse/tasks/main.yml b/roles/custom/matrix-synapse/tasks/main.yml index a133f6504..bd048d73a 100644 --- a/roles/custom/matrix-synapse/tasks/main.yml +++ b/roles/custom/matrix-synapse/tasks/main.yml @@ -22,7 +22,13 @@ - when: matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-synapse + - install-all + - install-synapse +- block: - when: not matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: diff --git a/roles/custom/matrix_playbook_migration/tasks/main.yml b/roles/custom/matrix_playbook_migration/tasks/main.yml index caa42bfdb..491fabcd0 100644 --- a/roles/custom/matrix_playbook_migration/tasks/main.yml +++ b/roles/custom/matrix_playbook_migration/tasks/main.yml @@ -4,3 +4,4 @@ - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" tags: - setup-all + - install-all From 8456657f212a75494949a95cf0f6ad9385c66312 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Fri, 25 Nov 2022 16:15:19 +0200 Subject: [PATCH 076/915] Announce install-* tags --- CHANGELOG.md | 23 +++++++++++++++++++++++ docs/installing.md | 14 ++++++++++---- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d32ec9e08..fb347c42f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,26 @@ +# 2022-11-25 + +## 2x-5x performance improvements in playbook runtime + +**TLDR**: the playbook is 2x faster for running `--tags=setup-all` (and various other tags). It also has new `--tags=install-*` tags (like `--tags=install-all`), which skip uninstallation tasks and bring an additional 2.5x speedup. In total, the playbook can maintain your server 5 times faster. + +Our [etke.cc managed Matrix hosting service](https://etke.cc) runs maintenance against hundreds of servers, so the playbook being fast means a lot. +The [etke.cc Ansible playbook](https://gitlab.com/etke.cc/ansible) (which is an extension of this one) is growing to support more and more services (besides just Matrix), so the Matrix playbook being leaner prevents runtimes from becoming too slow and improves the customer experience. + +Even when running `ansible-playbook` manually (as most of us here do), it's beneficial not to waste time and CPU resources. + +Recently, a few large optimizations have been done to this playbook and its external roles (see [The playbook now uses external roles for some things](#the-playbook-now-uses-external-roles-for-some-things) and don't forget to run `make roles`): + +1. Replacing Ansible `import_tasks` calls with `include_tasks`, which decreased runtime in half. Using `import_tasks` is slower and causes Ansible to go through and skip way too many tasks (tasks which could have been skipped altogether by not having Ansible include them in the first place). On an experimental VM, **deployment time was decreased from ~530 seconds to ~250 seconds**. + +2. Introducing new `install-*` tags (`install-all` and `install-COMPONENT`, e.g. `install-synapse`, `install-bot-postmoogle`), which only run Ansible tasks pertaining to installation, while skipping uninstallation tasks. In most cases, people are maintaining the same setup or they're *adding* new components. Removing components is rare. Running thousands of uninstallation tasks each time is wasteful. 
On an experimental VM, **deployment time was decreased from ~250 seconds (`--tags=setup-all`) to ~100 seconds (`--tags=install-all`)**. + +You can still use `--tags=setup-all`. In fact, that's the best way to ensure your server is reconciled with the `vars.yml` configuration. + +If you know you haven't uninstalled any services since the last time you ran the playbook, you could run `--tags=install-all` instead and benefit from quicker runtimes. +It should be noted that a service may become "eligible for uninstallation" even if your `vars.yml` file remains the same. In rare cases, we toggle services from being auto-installed to being optional, like we did on the 17th of March 2022 when we made [ma1sd not get installed by default](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#compatibility-break-ma1sd-identity-server-no-longer-installed-by-default). In such rare cases, you'd also need to run `--tags=setup-all`. + + # 2022-11-22 # Automatic `matrix_architecture` determination diff --git a/docs/installing.md b/docs/installing.md index 53a86585c..3bbc9a44c 100644 --- a/docs/installing.md +++ b/docs/installing.md 
@@ -13,17 +13,21 @@ The general command syntax is: `ansible-playbook -i inventory/hosts setup.yml -- Here are some playbook tags that you should be familiar with: -- `setup-all` - runs all setup tasks for all components, but does not start/restart services +- `setup-all` - runs all setup tasks (installation and uninstallation) for all components, but does not start/restart services + +- `install-all` - like `setup-all`, but skips uninstallation tasks. Useful for maintaining your setup quickly when its components remain unchanged. If you adjust your `vars.yml` to remove components, you'd need to run `setup-all` though, or these components will still remain installed - `setup-SERVICE` (e.g. `setup-bot-postmoogle`) - runs the setup tasks only for a given role, but does not start/restart services. You can discover these additional tags in each role (`roles/*/main.yml`). Running per-component setup tasks is **not recommended**, as components sometimes depend on each other and running just the setup tasks for a given component may not be enough. For example, setting up the [mautrix-telegram bridge](configuring-playbook-bridge-mautrix-telegram.md), in addition to the `setup-mautrix-telegram` tag, requires database changes (the `setup-postgres` tag) as well as reverse-proxy changes (the `setup-nginx-proxy` tag). +- `install-SERVICE` (e.g. `install-bot-postmoogle`) - like `setup-SERVICE`, but skips uninstallation tasks. See `install-all` above for additional information. + - `start` - starts all systemd services and makes them start automatically in the future - `stop` - stops all systemd services - `ensure-matrix-users-created` - a special tag which ensures that all special users needed by the playbook (for bots, etc.) are created -`setup-*` tags **do not start services** automatically, because you may wish to do things before starting services, such as importing a database dump, restoring data from another server, etc. 
+`setup-*` tags and `install-*` tags **do not start services** automatically, because you may wish to do things before starting services, such as importing a database dump, restoring data from another server, etc. ## 1. Installing Matrix @@ -40,7 +44,7 @@ There 2 ways to start the installation process - depending on whether you're [In If this is **a brand new** Matrix server and you **won't be importing old data into it**, run all these tags: ```sh -ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,ensure-matrix-users-created,start +ansible-playbook -i inventory/hosts setup.yml --tags=install-all,ensure-matrix-users-created,start ``` This will do a full installation and start all Matrix services. @@ -56,7 +60,7 @@ Starting its services or messing with its database now will affect your data imp To do the installation **without** starting services, run only the `setup-all` tag: ```sh -ansible-playbook -i inventory/hosts setup.yml --tags=setup-all +ansible-playbook -i inventory/hosts setup.yml --tags=install-all ``` When this command completes, services won't be running yet. @@ -82,6 +86,8 @@ Proceed to [Maintaining your setup in the future](#2-maintaining-your-setup-in-t Feel free to **re-run the setup command any time** you think something is off with the server configuration. Ansible will take your configuration and update your server to match. +Note that if you remove components from `vars.yml`, or if we switch some component from being installed by default to not being installed by default anymore, you'd need to run the setup command with `--tags=setup-all` instead of `--tags=install-all`. See [Playbook tags introduction](#playbook-tags-introduction) + ## 3. Finalize the installation From a04f6f4e3d641f62bf63aa5b4915cdc21637e70c Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Fri, 25 Nov 2022 17:17:54 +0200 Subject: [PATCH 077/915] Optimize uninstall tasks a bit - forego removing Docker images - it's not effective anyway, because it only removes the last version.. which is a drop in the bucket, usually - do not reload systemd - it's none of our business. `--tags=start`, etc., handle this - combine all uninstall tasks under a single block, which only runs if we detect traces (a leftover systemd .service file) of the component. If no such .service is detected, we skip them all. This may lead to incorect cleanup in rare cases, but is good enough for the most part. --- .../tasks/setup_uninstall.yml | 50 +++++---------- .../tasks/setup_uninstall.yml | 43 +++++-------- .../tasks/setup_uninstall.yml | 43 +++++-------- .../tasks/setup_uninstall.yml | 43 +++++-------- .../tasks/setup_uninstall.yml | 43 +++++-------- .../tasks/setup_uninstall.yml | 43 +++++-------- .../tasks/setup_uninstall.yml | 43 +++++-------- .../tasks/setup_uninstall.yml | 43 +++++-------- .../tasks/setup_uninstall.yml | 43 +++++-------- .../tasks/setup_uninstall.yml | 29 ++++----- .../tasks/setup_uninstall.yml | 29 ++++----- .../tasks/setup_uninstall.yml | 11 +--- .../tasks/setup_uninstall.yml | 29 ++++----- .../tasks/setup_uninstall.yml | 29 ++++----- .../tasks/setup_uninstall.yml | 29 ++++----- .../tasks/setup_uninstall.yml | 29 ++++----- .../tasks/setup_uninstall.yml | 29 ++++----- .../tasks/setup_uninstall.yml | 29 ++++----- .../tasks/setup_uninstall.yml | 29 ++++----- .../tasks/setup_uninstall.yml | 29 ++++----- .../tasks/setup_uninstall.yml | 29 ++++----- .../tasks/setup_uninstall.yml | 29 ++++----- .../tasks/setup_uninstall.yml | 29 ++++----- .../tasks/setup_uninstall.yml | 54 +++++++--------- .../tasks/setup_uninstall.yml | 29 ++++----- .../tasks/setup_uninstall.yml | 27 ++++---- .../tasks/setup_uninstall.yml | 29 ++++----- .../tasks/setup_uninstall.yml | 29 ++++----- .../tasks/setup_uninstall.yml | 29 ++++----- 
.../tasks/setup_uninstall.yml | 29 ++++----- .../tasks/setup_uninstall.yml | 29 ++++----- .../tasks/setup_uninstall.yml | 29 ++++----- .../tasks/setup_uninstall.yml | 29 ++++----- .../tasks/setup_uninstall.yml | 43 +++++-------- .../tasks/setup_uninstall.yml | 43 +++++-------- .../tasks/setup_uninstall.yml | 43 +++++-------- .../tasks/setup_uninstall.yml | 43 +++++-------- .../matrix-conduit/tasks/setup_uninstall.yml | 33 ++++------ .../matrix-corporal/tasks/setup_uninstall.yml | 24 +++---- .../matrix-coturn/tasks/setup_uninstall.yml | 63 ++++++++----------- .../matrix-dendrite/tasks/setup_uninstall.yml | 6 -- .../tasks/setup_uninstall.yml | 43 +++++-------- .../tasks/setup_uninstall.yml | 32 ++++------ .../tasks/setup_uninstall.yml | 43 +++++-------- .../matrix-etherpad/tasks/setup_uninstall.yml | 43 +++++-------- .../matrix-grafana/tasks/setup_uninstall.yml | 1 - .../tasks/setup_jitsi_jicofo_uninstall.yml | 1 - .../tasks/setup_jitsi_jvb_uninstall.yml | 1 - .../tasks/setup_jitsi_prosody_uninstall.yml | 1 - .../tasks/setup_jitsi_web_uninstall.yml | 1 - .../tasks/setup_uninstall.yml | 43 +++++-------- .../matrix-ma1sd/tasks/setup_uninstall.yml | 43 +++++-------- .../matrix-mailer/tasks/setup_uninstall.yml | 18 ++---- .../tasks/setup_nginx_proxy.yml | 1 - .../matrix-ntfy/tasks/setup_uninstall.yml | 43 +++++-------- .../tasks/setup_uninstall.yml | 4 -- .../tasks/setup_uninstall.yml | 5 -- .../tasks/setup_uninstall.yml | 1 - .../tasks/setup_uninstall.yml | 30 ++++----- .../tasks/setup_uninstall.yml | 35 ++++------- .../matrix-sygnal/tasks/setup_uninstall.yml | 43 +++++-------- .../tasks/setup_uninstall.yml | 7 --- .../tasks/setup_uninstall.yml | 13 ++-- .../s3-storage-provider/setup_uninstall.yml | 5 -- .../tasks/goofys/setup_uninstall.yml | 43 +++++-------- .../tasks/synapse/setup_uninstall.yml | 48 +++++--------- 66 files changed, 733 insertions(+), 1208 deletions(-) 
diff --git a/roles/custom/matrix-backup-borg/tasks/setup_uninstall.yml b/roles/custom/matrix-backup-borg/tasks/setup_uninstall.yml index c4c1028d4..3d8b08ef4 100644 --- a/roles/custom/matrix-backup-borg/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-backup-borg/tasks/setup_uninstall.yml 
@@ -1,41 +1,25 @@ --- + - name: Check existence of matrix-backup-borg service ansible.builtin.stat: path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-backup-borg.service" register: matrix_backup_borg_service_stat -- name: Ensure matrix-backup-borg is stopped - ansible.builtin.service: - name: matrix-backup-borg - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_backup_borg_service_stat.stat.exists | bool" - -- name: Ensure matrix-backup-borg.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-backup-borg.service" - state: absent - when: "matrix_backup_borg_service_stat.stat.exists | bool" - -- name: Ensure matrix-backup-borg.timer doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-backup-borg.timer" - state: absent - when: "matrix_backup_borg_service_stat.stat.exists | bool" - -- name: Ensure systemd reloaded after matrix-backup-borg.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_backup_borg_service_stat.stat.exists | bool" +- when: matrix_backup_borg_service_stat.stat.exists | bool + block: + - name: Ensure matrix-backup-borg is stopped + ansible.builtin.service: + name: matrix-backup-borg + state: stopped + enabled: false + daemon_reload: true -- name: Ensure Matrix borg paths don't exist - ansible.builtin.file: - path: "{{ matrix_backup_borg_base_path }}" - state: absent + - name: Ensure matrix-backup-borg.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-backup-borg.service" + state: absent -- name: Ensure borg Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_backup_borg_docker_image }}" - state: absent + - name: Ensure matrix-backup-borg.timer doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-backup-borg.timer" + state: 
absent diff --git a/roles/custom/matrix-bot-buscarron/tasks/setup_uninstall.yml b/roles/custom/matrix-bot-buscarron/tasks/setup_uninstall.yml index cb3333bf2..26d920f48 100644 --- a/roles/custom/matrix-bot-buscarron/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bot-buscarron/tasks/setup_uninstall.yml @@ -5,32 +5,21 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-buscarron.service" register: matrix_bot_buscarron_service_stat -- name: Ensure matrix-buscarron is stopped - ansible.builtin.service: - name: matrix-bot-buscarron - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_bot_buscarron_service_stat.stat.exists | bool" +- when: matrix_bot_buscarron_service_stat.stat.exists | bool + block: + - name: Ensure matrix-buscarron is stopped + ansible.builtin.service: + name: matrix-bot-buscarron + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-bot-buscarron.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-buscarron.service" - state: absent - when: "matrix_bot_buscarron_service_stat.stat.exists | bool" - -- name: Ensure systemd reloaded after matrix-bot-buscarron.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_buscarron_service_stat.stat.exists | bool" - -- name: Ensure Matrix buscarron paths don't exist - ansible.builtin.file: - path: "{{ matrix_bot_buscarron_base_path }}" - state: absent + - name: Ensure matrix-bot-buscarron.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-buscarron.service" + state: absent -- name: Ensure buscarron Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_bot_buscarron_docker_image }}" - state: absent + - name: Ensure Matrix buscarron paths don't exist + ansible.builtin.file: + path: "{{ matrix_bot_buscarron_base_path }}" + state: absent 
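Review bot: The matrix-backup-borg hunk removes the `Ensure Matrix borg paths don't exist` task without re-adding it inside the new guarded block, so an uninstall now leaves `matrix_backup_borg_base_path` (presumably the role's configuration directory) on disk; every other uninstall file in this commit, including the matrix-bot-buscarron hunk on this same line, keeps its paths task as the last item of the block, so this looks like an oversight rather than a design choice. Leaving that directory behind also keeps stale backup configuration around after the component is gone. Unless dropping it is intentional, re-add the task at the end of the block as shown below.
```yaml
- when: matrix_backup_borg_service_stat.stat.exists | bool
  block:
    # … unchanged: stop service, remove .service and .timer …
    - name: Ensure Matrix borg paths don't exist
      ansible.builtin.file:
        path: "{{ matrix_backup_borg_base_path }}"
        state: absent
```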
diff --git a/roles/custom/matrix-bot-go-neb/tasks/setup_uninstall.yml b/roles/custom/matrix-bot-go-neb/tasks/setup_uninstall.yml index d5caa86b7..cc5f9fa57 100644 --- a/roles/custom/matrix-bot-go-neb/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bot-go-neb/tasks/setup_uninstall.yml @@ -5,32 +5,21 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-go-neb.service" register: matrix_bot_go_neb_service_stat -- name: Ensure matrix-go-neb is stopped - ansible.builtin.service: - name: matrix-bot-go-neb - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_bot_go_neb_service_stat.stat.exists | bool" +- when: matrix_bot_go_neb_service_stat.stat.exists | bool + block: + - name: Ensure matrix-go-neb is stopped + ansible.builtin.service: + name: matrix-bot-go-neb + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-bot-go-neb.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-go-neb.service" - state: absent - when: "matrix_bot_go_neb_service_stat.stat.exists | bool" - -- name: Ensure systemd reloaded after matrix-bot-go-neb.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_go_neb_service_stat.stat.exists | bool" - -- name: Ensure Matrix go-neb paths don't exist - ansible.builtin.file: - path: "{{ matrix_bot_go_neb_base_path }}" - state: absent + - name: Ensure matrix-bot-go-neb.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-go-neb.service" + state: absent -- name: Ensure go-neb Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_bot_go_neb_docker_image }}" - state: absent + - name: Ensure Matrix go-neb paths don't exist + ansible.builtin.file: + path: "{{ matrix_bot_go_neb_base_path }}" + state: absent 
diff --git a/roles/custom/matrix-bot-honoroit/tasks/setup_uninstall.yml b/roles/custom/matrix-bot-honoroit/tasks/setup_uninstall.yml index 0fa83a02d..757345861 100644 --- a/roles/custom/matrix-bot-honoroit/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bot-honoroit/tasks/setup_uninstall.yml @@ -5,32 +5,21 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-honoroit.service" register: matrix_bot_honoroit_service_stat -- name: Ensure matrix-honoroit is stopped - ansible.builtin.service: - name: matrix-bot-honoroit - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_bot_honoroit_service_stat.stat.exists | bool" +- when: matrix_bot_honoroit_service_stat.stat.exists | bool + block: + - name: Ensure matrix-honoroit is stopped + ansible.builtin.service: + name: matrix-bot-honoroit + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-bot-honoroit.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-honoroit.service" - state: absent - when: "matrix_bot_honoroit_service_stat.stat.exists | bool" - -- name: Ensure systemd reloaded after matrix-bot-honoroit.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_honoroit_service_stat.stat.exists | bool" - -- name: Ensure Matrix honoroit paths don't exist - ansible.builtin.file: - path: "{{ matrix_bot_honoroit_base_path }}" - state: absent + - name: Ensure matrix-bot-honoroit.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-honoroit.service" + state: absent -- name: Ensure honoroit Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_bot_honoroit_docker_image }}" - state: absent + - name: Ensure Matrix honoroit paths don't exist + ansible.builtin.file: + path: "{{ matrix_bot_honoroit_base_path }}" + state: absent 
diff --git a/roles/custom/matrix-bot-matrix-registration-bot/tasks/setup_uninstall.yml b/roles/custom/matrix-bot-matrix-registration-bot/tasks/setup_uninstall.yml index c7ee13652..b83ea783b 100644 --- a/roles/custom/matrix-bot-matrix-registration-bot/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bot-matrix-registration-bot/tasks/setup_uninstall.yml 
@@ -5,32 +5,21 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-matrix-registration-bot.service" register: matrix_bot_matrix_registration_bot_service_stat -- name: Ensure matrix-matrix-registration-bot is stopped - ansible.builtin.service: - name: matrix-bot-matrix-registration-bot - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_bot_matrix_registration_bot_service_stat.stat.exists | bool" +- when: matrix_bot_matrix_registration_bot_service_stat.stat.exists | bool + block: + - name: Ensure matrix-matrix-registration-bot is stopped + ansible.builtin.service: + name: matrix-bot-matrix-registration-bot + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-bot-matrix-registration-bot.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-matrix-registration-bot.service" - state: absent - when: "matrix_bot_matrix_registration_bot_service_stat.stat.exists | bool" - -- name: Ensure systemd reloaded after matrix-bot-matrix-registration-bot.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_matrix_registration_bot_service_stat.stat.exists | bool" - -- name: Ensure Matrix matrix-registration-bot paths don't exist - ansible.builtin.file: - path: "{{ matrix_bot_matrix_registration_bot_base_path }}" - state: absent + - name: Ensure matrix-bot-matrix-registration-bot.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-matrix-registration-bot.service" + state: absent -- name: Ensure matrix-registration-bot Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_bot_matrix_registration_bot_docker_image }}" - state: absent + - name: Ensure Matrix matrix-registration-bot paths don't exist + ansible.builtin.file: + path: "{{ matrix_bot_matrix_registration_bot_base_path }}" + state: absent 
diff --git a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_uninstall.yml b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_uninstall.yml index 1b940f32e..512c0f2dd 100644 --- a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_uninstall.yml 
@@ -5,32 +5,21 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-matrix-reminder-bot.service" register: matrix_bot_matrix_reminder_bot_service_stat -- name: Ensure matrix-matrix-reminder-bot is stopped - ansible.builtin.service: - name: matrix-bot-matrix-reminder-bot - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_bot_matrix_reminder_bot_service_stat.stat.exists | bool" +- when: matrix_bot_matrix_reminder_bot_service_stat.stat.exists | bool + block: + - name: Ensure matrix-matrix-reminder-bot is stopped + ansible.builtin.service: + name: matrix-bot-matrix-reminder-bot + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-bot-matrix-reminder-bot.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-matrix-reminder-bot.service" - state: absent - when: "matrix_bot_matrix_reminder_bot_service_stat.stat.exists | bool" - -- name: Ensure systemd reloaded after matrix-bot-matrix-reminder-bot.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_matrix_reminder_bot_service_stat.stat.exists | bool" - -- name: Ensure Matrix matrix-reminder-bot paths don't exist - ansible.builtin.file: - path: "{{ matrix_bot_matrix_reminder_bot_base_path }}" - state: absent + - name: Ensure matrix-bot-matrix-reminder-bot.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-matrix-reminder-bot.service" + state: absent -- name: Ensure matrix-reminder-bot Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_bot_matrix_reminder_bot_docker_image }}" - state: absent + - name: Ensure Matrix matrix-reminder-bot paths don't exist + ansible.builtin.file: + path: "{{ matrix_bot_matrix_reminder_bot_base_path }}" + state: absent 
diff --git a/roles/custom/matrix-bot-maubot/tasks/setup_uninstall.yml b/roles/custom/matrix-bot-maubot/tasks/setup_uninstall.yml index 33b8fc149..9d7695763 100644 --- a/roles/custom/matrix-bot-maubot/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bot-maubot/tasks/setup_uninstall.yml @@ -5,32 +5,21 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-maubot.service" register: matrix_bot_maubot_service_stat -- name: Ensure matrix-bot-maubot is stopped - ansible.builtin.service: - name: matrix-bot-maubot - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_bot_maubot_service_stat.stat.exists | bool" +- when: matrix_bot_maubot_service_stat.stat.exists | bool + block: + - name: Ensure matrix-bot-maubot is stopped + ansible.builtin.service: + name: matrix-bot-maubot + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-bot-maubot.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-maubot.service" - state: absent - when: "matrix_bot_maubot_service_stat.stat.exists | bool" - -- name: Ensure systemd reloaded after matrix-bot-maubot.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_maubot_service_stat.stat.exists | bool" - -- name: Ensure Matrix maubot paths don't exist - ansible.builtin.file: - path: "{{ matrix_bot_maubot_base_path }}" - state: absent + - name: Ensure matrix-bot-maubot.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-maubot.service" + state: absent -- name: Ensure maubot Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_bot_maubot_docker_image }}" - state: absent + - name: Ensure Matrix maubot paths don't exist + ansible.builtin.file: + path: "{{ matrix_bot_maubot_base_path }}" + state: absent 
diff --git a/roles/custom/matrix-bot-mjolnir/tasks/setup_uninstall.yml b/roles/custom/matrix-bot-mjolnir/tasks/setup_uninstall.yml index 708a7bb01..06be71e15 100644 --- a/roles/custom/matrix-bot-mjolnir/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bot-mjolnir/tasks/setup_uninstall.yml @@ -5,32 +5,21 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-mjolnir.service" register: matrix_bot_mjolnir_service_stat -- name: Ensure matrix-bot-mjolnir is stopped - ansible.builtin.service: - name: matrix-bot-mjolnir - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_bot_mjolnir_service_stat.stat.exists | bool" +- when: matrix_bot_mjolnir_service_stat.stat.exists | bool + block: + - name: Ensure matrix-bot-mjolnir is stopped + ansible.builtin.service: + name: matrix-bot-mjolnir + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-bot-mjolnir.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-mjolnir.service" - state: absent - when: "matrix_bot_mjolnir_service_stat.stat.exists | bool" - -- name: Ensure systemd reloaded after matrix-bot-mjolnir.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_mjolnir_service_stat.stat.exists | bool" - -- name: Ensure matrix-bot-mjolnir paths don't exist - ansible.builtin.file: - path: "{{ matrix_bot_mjolnir_base_path }}" - state: absent + - name: Ensure matrix-bot-mjolnir.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-mjolnir.service" + state: absent -- name: Ensure mjolnir Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_bot_mjolnir_docker_image }}" - state: absent + - name: Ensure matrix-bot-mjolnir paths don't exist + ansible.builtin.file: + path: "{{ matrix_bot_mjolnir_base_path }}" + state: absent 
diff --git a/roles/custom/matrix-bot-postmoogle/tasks/setup_uninstall.yml b/roles/custom/matrix-bot-postmoogle/tasks/setup_uninstall.yml index 198df7d78..93e00dda2 100644 --- a/roles/custom/matrix-bot-postmoogle/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bot-postmoogle/tasks/setup_uninstall.yml 
@@ -5,32 +5,21 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-postmoogle.service" register: matrix_bot_postmoogle_service_stat -- name: Ensure matrix-postmoogle is stopped - ansible.builtin.service: - name: matrix-bot-postmoogle - state: stopped - enabled: false - daemon_reload: true - register: stopping_result - when: "matrix_bot_postmoogle_service_stat.stat.exists | bool" +- when: matrix_bot_postmoogle_service_stat.stat.exists | bool + block: + - name: Ensure matrix-postmoogle is stopped + ansible.builtin.service: + name: matrix-bot-postmoogle + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-bot-postmoogle.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-postmoogle.service" - state: absent - when: "matrix_bot_postmoogle_service_stat.stat.exists | bool" - -- name: Ensure systemd reloaded after matrix-bot-postmoogle.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_postmoogle_service_stat.stat.exists | bool" - -- name: Ensure Matrix postmoogle paths don't exist - ansible.builtin.file: - path: "{{ matrix_bot_postmoogle_base_path }}" - state: absent + - name: Ensure matrix-bot-postmoogle.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-postmoogle.service" + state: absent -- name: Ensure postmoogle Docker image doesn't exist - community.docker.docker_image: - name: "{{ matrix_bot_postmoogle_docker_image }}" - state: absent + - name: Ensure Matrix postmoogle paths don't exist + ansible.builtin.file: + path: "{{ matrix_bot_postmoogle_base_path }}" + state: absent diff --git a/roles/custom/matrix-bridge-appservice-discord/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-appservice-discord/tasks/setup_uninstall.yml index 50d108fa5..ca2354c63 100644 --- a/roles/custom/matrix-bridge-appservice-discord/tasks/setup_uninstall.yml 
+++ b/roles/custom/matrix-bridge-appservice-discord/tasks/setup_uninstall.yml @@ -5,21 +5,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-discord.service" register: matrix_appservice_discord_service_stat -- name: Ensure matrix-appservice-discord is stopped - ansible.builtin.service: - name: matrix-appservice-discord - state: stopped - enabled: false - daemon_reload: true - when: "matrix_appservice_discord_service_stat.stat.exists" +- when: matrix_appservice_discord_service_stat.stat.exists | bool + block: + - name: Ensure matrix-appservice-discord is stopped + ansible.builtin.service: + name: matrix-appservice-discord + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-appservice-discord.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-discord.service" - state: absent - when: "matrix_appservice_discord_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-appservice-discord.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_appservice_discord_service_stat.stat.exists" + - name: Ensure matrix-appservice-discord.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-discord.service" + state: absent diff --git a/roles/custom/matrix-bridge-appservice-irc/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-appservice-irc/tasks/setup_uninstall.yml index 8921d48e1..f16d3763f 100644 --- a/roles/custom/matrix-bridge-appservice-irc/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-appservice-irc/tasks/setup_uninstall.yml 
@@ -5,21 +5,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-irc.service" register: matrix_appservice_irc_service_stat -- name: Ensure matrix-appservice-irc is stopped - ansible.builtin.service: - name: matrix-appservice-irc - state: stopped - enabled: false - daemon_reload: true - when: "matrix_appservice_irc_service_stat.stat.exists" +- when: matrix_appservice_irc_service_stat.stat.exists | bool + block: + - name: Ensure matrix-appservice-irc is stopped + ansible.builtin.service: + name: matrix-appservice-irc + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-appservice-irc.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-irc.service" - state: absent - when: "matrix_appservice_irc_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-appservice-irc.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_appservice_irc_service_stat.stat.exists" + - name: Ensure matrix-appservice-irc.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-irc.service" + state: absent diff --git a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/setup_uninstall.yml index 8e46d80f9..e258b9ab2 100644 --- a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/setup_uninstall.yml @@ -11,7 +11,7 @@ state: stopped enabled: false daemon_reload: true - when: "matrix_appservice_kakaotalk_service_stat.stat.exists" + when: matrix_appservice_kakaotalk_service_stat.stat.exists | bool - name: Check existence of matrix-appservice-kakaotalk-node service ansible.builtin.stat: 
@@ -24,7 +24,7 @@ state: stopped enabled: false daemon_reload: true - when: "matrix_appservice_kakaotalk_node_service_stat.stat.exists" + when: matrix_appservice_kakaotalk_node_service_stat.stat.exists | bool - name: Ensure matrix-appservice-kakaotalk.service files don't exist ansible.builtin.file: @@ -33,9 +33,4 @@ with_items: - "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-kakaotalk-node.service" - "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-kakaotalk.service" - when: "matrix_appservice_kakaotalk_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-appservice-kakaotalk service files removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_appservice_kakaotalk_service_stat.stat.exists or matrix_appservice_kakaotalk_node_service_stat.stat.exists" + when: matrix_appservice_kakaotalk_service_stat.stat.exists | bool or matrix_appservice_kakaotalk_node_service_stat.stat.exists | bool diff --git a/roles/custom/matrix-bridge-appservice-slack/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-appservice-slack/tasks/setup_uninstall.yml index 434f90676..51c77fef0 100644 --- a/roles/custom/matrix-bridge-appservice-slack/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-appservice-slack/tasks/setup_uninstall.yml 
@@ -5,21 +5,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-slack.service" register: matrix_appservice_slack_service_stat -- name: Ensure matrix-appservice-slack is stopped - ansible.builtin.service: - name: matrix-appservice-slack - state: stopped - enabled: false - daemon_reload: true - when: "matrix_appservice_slack_service_stat.stat.exists" +- when: matrix_appservice_slack_service_stat.stat.exists | bool + block: + - name: Ensure matrix-appservice-slack is stopped + ansible.builtin.service: + name: matrix-appservice-slack + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-appservice-slack.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-slack.service" - state: absent - when: "matrix_appservice_slack_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-appservice-slack.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_appservice_slack_service_stat.stat.exists" + - name: Ensure matrix-appservice-slack.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-slack.service" + state: absent diff --git a/roles/custom/matrix-bridge-appservice-webhooks/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-appservice-webhooks/tasks/setup_uninstall.yml index 960fe58b0..c47b724cf 100644 --- a/roles/custom/matrix-bridge-appservice-webhooks/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-appservice-webhooks/tasks/setup_uninstall.yml 
@@ -5,21 +5,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-webhooks.service" register: matrix_appservice_webhooks_service_stat -- name: Ensure matrix-appservice-webhooks is stopped - ansible.builtin.service: - name: matrix-appservice-webhooks - state: stopped - enabled: false - daemon_reload: true - when: "matrix_appservice_webhooks_service_stat.stat.exists" +- when: matrix_appservice_webhooks_service_stat.stat.exists | bool + block: + - name: Ensure matrix-appservice-webhooks is stopped + ansible.builtin.service: + name: matrix-appservice-webhooks + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-appservice-webhooks.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-webhooks.service" - state: absent - when: "matrix_appservice_webhooks_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-appservice-webhooks.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_appservice_webhooks_service_stat.stat.exists" + - name: Ensure matrix-appservice-webhooks.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-webhooks.service" + state: absent diff --git a/roles/custom/matrix-bridge-beeper-linkedin/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-beeper-linkedin/tasks/setup_uninstall.yml index 4a75a4c7a..4d3334692 100644 --- a/roles/custom/matrix-bridge-beeper-linkedin/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-beeper-linkedin/tasks/setup_uninstall.yml 
@@ -5,21 +5,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-beeper-linkedin.service" register: matrix_beeper_linkedin_service_stat -- name: Ensure matrix-beeper-linkedin is stopped - ansible.builtin.service: - name: matrix-beeper-linkedin - state: stopped - enabled: false - daemon_reload: true - when: "matrix_beeper_linkedin_service_stat.stat.exists" +- when: matrix_beeper_linkedin_service_stat.stat.exists | bool + block: + - name: Ensure matrix-beeper-linkedin is stopped + ansible.builtin.service: + name: matrix-beeper-linkedin + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-beeper-linkedin.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-beeper-linkedin.service" - state: absent - when: "matrix_beeper_linkedin_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-beeper-linkedin.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_beeper_linkedin_service_stat.stat.exists" + - name: Ensure matrix-beeper-linkedin.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-beeper-linkedin.service" + state: absent diff --git a/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_uninstall.yml index 975b25ab4..d7b5999a1 100644 --- a/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_uninstall.yml 
@@ -5,21 +5,16 @@ path: "/etc/systemd/system/matrix-go-skype-bridge.service" register: matrix_go_skype_bridge_service_stat -- name: Ensure matrix-go-skype-bridge is stopped - ansible.builtin.service: - name: matrix-go-skype-bridge - state: stopped - enabled: false - daemon_reload: true - when: "matrix_go_skype_bridge_service_stat.stat.exists" +- when: matrix_go_skype_bridge_service_stat.stat.exists | bool + block: + - name: Ensure matrix-go-skype-bridge is stopped + ansible.builtin.service: + name: matrix-go-skype-bridge + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-go-skype-bridge.service doesn't exist - ansible.builtin.file: - path: "/etc/systemd/system/matrix-go-skype-bridge.service" - state: absent - when: "matrix_go_skype_bridge_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-go-skype-bridge.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_go_skype_bridge_service_stat.stat.exists" + - name: Ensure matrix-go-skype-bridge.service doesn't exist + ansible.builtin.file: + path: "/etc/systemd/system/matrix-go-skype-bridge.service" + state: absent diff --git a/roles/custom/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml index 688ff9d47..090427ca3 100644 --- a/roles/custom/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml 
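Review bot: The new block keeps the hard-coded `path: "/etc/systemd/system/matrix-go-skype-bridge.service"` on the `ansible.builtin.file` task, while the sibling roles touched by this commit build the same path from `{{ devture_systemd_docker_base_systemd_path }}`; an installation that overrides that variable would stop the service via the stat check on the wrong path and leave the real unit file in place. Since the task is being rewritten anyway, this is the moment to align it: `path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-go-skype-bridge.service"` on both the stat and the file task. The mx-puppet-discord, mx-puppet-groupme, mx-puppet-instagram, mx-puppet-slack, mx-puppet-steam and mx-puppet-twitter hunks carry the same literal path.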
@@ -5,21 +5,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-heisenbridge.service" register: matrix_heisenbridge_service_stat -- name: Ensure matrix-heisenbridge is stopped - ansible.builtin.service: - name: matrix-heisenbridge - state: stopped - enabled: false - daemon_reload: true - when: "matrix_heisenbridge_service_stat.stat.exists" +- when: matrix_heisenbridge_service_stat.stat.exists | bool + block: + - name: Ensure matrix-heisenbridge is stopped + ansible.builtin.service: + name: matrix-heisenbridge + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-heisenbridge.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-heisenbridge.service" - state: absent - when: "matrix_heisenbridge_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-heisenbridge.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_heisenbridge_service_stat.stat.exists" + - name: Ensure matrix-heisenbridge.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-heisenbridge.service" + state: absent diff --git a/roles/custom/matrix-bridge-hookshot/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-hookshot/tasks/setup_uninstall.yml index 2028a34e1..b4c72d38a 100644 --- a/roles/custom/matrix-bridge-hookshot/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-hookshot/tasks/setup_uninstall.yml 
@@ -5,21 +5,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-hookshot.service" register: matrix_hookshot_service_stat -- name: Ensure matrix-hookshot is stopped - ansible.builtin.service: - name: matrix-hookshot - state: stopped - enabled: false - daemon_reload: true - when: "matrix_hookshot_service_stat.stat.exists" +- when: matrix_hookshot_service_stat.stat.exists | bool + block: + - name: Ensure matrix-hookshot is stopped + ansible.builtin.service: + name: matrix-hookshot + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-hookshot.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-hookshot.service" - state: absent - when: "matrix_hookshot_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-hookshot.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_hookshot_service_stat.stat.exists" + - name: Ensure matrix-hookshot.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-hookshot.service" + state: absent diff --git a/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_uninstall.yml index d75f51647..ade37c2f8 100644 --- a/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_uninstall.yml 
@@ -5,21 +5,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-discord.service" register: matrix_mautrix_discord_service_stat -- name: Ensure matrix-mautrix-discord is stopped - ansible.builtin.service: - name: matrix-mautrix-discord - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mautrix_discord_service_stat.stat.exists" +- when: matrix_mautrix_discord_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mautrix-discord is stopped + ansible.builtin.service: + name: matrix-mautrix-discord + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-mautrix-discord.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-discord.service" - state: absent - when: "matrix_mautrix_discord_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mautrix-discord.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_discord_service_stat.stat.exists" + - name: Ensure matrix-mautrix-discord.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-discord.service" + state: absent diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_uninstall.yml index fb235b54a..566da5b71 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_uninstall.yml 
@@ -5,21 +5,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-facebook.service" register: matrix_mautrix_facebook_service_stat -- name: Ensure matrix-mautrix-facebook is stopped - ansible.builtin.service: - name: matrix-mautrix-facebook - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mautrix_facebook_service_stat.stat.exists" +- when: matrix_mautrix_facebook_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mautrix-facebook is stopped + ansible.builtin.service: + name: matrix-mautrix-facebook + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-mautrix-facebook.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-facebook.service" - state: absent - when: "matrix_mautrix_facebook_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mautrix-facebook.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_facebook_service_stat.stat.exists" + - name: Ensure matrix-mautrix-facebook.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-facebook.service" + state: absent diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_uninstall.yml index 37a4e6751..12b486308 100644 --- a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_uninstall.yml 
@@ -5,21 +5,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-googlechat.service" register: matrix_mautrix_googlechat_service_stat -- name: Ensure matrix-mautrix-googlechat is stopped - ansible.builtin.service: - name: matrix-mautrix-googlechat - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mautrix_googlechat_service_stat.stat.exists" +- when: matrix_mautrix_googlechat_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mautrix-googlechat is stopped + ansible.builtin.service: + name: matrix-mautrix-googlechat + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-mautrix-googlechat.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-googlechat.service" - state: absent - when: "matrix_mautrix_googlechat_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mautrix-googlechat.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_googlechat_service_stat.stat.exists" + - name: Ensure matrix-mautrix-googlechat.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-googlechat.service" + state: absent diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_uninstall.yml index b7ff72393..02d7183f6 100644 --- a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_uninstall.yml 
@@ -5,21 +5,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-hangouts.service" register: matrix_mautrix_hangouts_service_stat -- name: Ensure matrix-mautrix-hangouts is stopped - ansible.builtin.service: - name: matrix-mautrix-hangouts - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mautrix_hangouts_service_stat.stat.exists" +- when: matrix_mautrix_hangouts_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mautrix-hangouts is stopped + ansible.builtin.service: + name: matrix-mautrix-hangouts + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-mautrix-hangouts.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-hangouts.service" - state: absent - when: "matrix_mautrix_hangouts_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mautrix-hangouts.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_hangouts_service_stat.stat.exists" + - name: Ensure matrix-mautrix-hangouts.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-hangouts.service" + state: absent diff --git a/roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_uninstall.yml index a029a90ac..6ac0f6d52 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_uninstall.yml 
@@ -4,21 +4,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-instagram.service" register: matrix_mautrix_instagram_service_stat -- name: Ensure matrix-mautrix-instagram is stopped - ansible.builtin.service: - name: matrix-mautrix-instagram - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mautrix_instagram_service_stat.stat.exists" +- when: matrix_mautrix_instagram_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mautrix-instagram is stopped + ansible.builtin.service: + name: matrix-mautrix-instagram + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-mautrix-instagram.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-instagram.service" - state: absent - when: "matrix_mautrix_instagram_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mautrix-instagram.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_instagram_service_stat.stat.exists" + - name: Ensure matrix-mautrix-instagram.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-instagram.service" + state: absent diff --git a/roles/custom/matrix-bridge-mautrix-signal/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mautrix-signal/tasks/setup_uninstall.yml index d98d28ba7..8cc0b419c 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/tasks/setup_uninstall.yml 
@@ -6,19 +6,19 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-signal-daemon.service" register: matrix_mautrix_signal_daemon_service_stat -- name: Ensure matrix-mautrix-signal-daemon is stopped - ansible.builtin.service: - name: matrix-mautrix-signal-daemon - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mautrix_signal_daemon_service_stat.stat.exists" +- when: matrix_mautrix_signal_daemon_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mautrix-signal-daemon is stopped + ansible.builtin.service: + name: matrix-mautrix-signal-daemon + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-mautrix-signal-daemon.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-signal-daemon.service" - state: absent - when: "matrix_mautrix_signal_daemon_service_stat.stat.exists" + - name: Ensure matrix-mautrix-signal-daemon.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-signal-daemon.service" + state: absent # Bridge service - name: Check existence of matrix-mautrix-signal service 
@@ -26,22 +26,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-signal.service" register: matrix_mautrix_signal_service_stat -- name: Ensure matrix-mautrix-signal is stopped - ansible.builtin.service: - name: matrix-mautrix-signal - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mautrix_signal_service_stat.stat.exists" - -- name: Ensure matrix-mautrix-signal.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-signal.service" - state: absent - when: "matrix_mautrix_signal_service_stat.stat.exists" +- when: matrix_mautrix_signal_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mautrix-signal is stopped + ansible.builtin.service: + name: matrix-mautrix-signal + state: stopped + enabled: false + daemon_reload: true -# All services -- name: Ensure systemd reloaded after matrix-mautrix-signal_X.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_signal_service_stat.stat.exists or matrix_mautrix_signal_daemon_service_stat.stat.exists" + - name: Ensure matrix-mautrix-signal.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-signal.service" + state: absent diff --git a/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_uninstall.yml index 90ca01951..ebb7e5db2 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_uninstall.yml 
@@ -5,21 +5,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-telegram.service" register: matrix_mautrix_telegram_service_stat -- name: Ensure matrix-mautrix-telegram is stopped - ansible.builtin.service: - name: matrix-mautrix-telegram - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mautrix_telegram_service_stat.stat.exists" +- when: matrix_mautrix_telegram_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mautrix-telegram is stopped + ansible.builtin.service: + name: matrix-mautrix-telegram + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-mautrix-telegram.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-telegram.service" - state: absent - when: "matrix_mautrix_telegram_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mautrix-telegram.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_telegram_service_stat.stat.exists" + - name: Ensure matrix-mautrix-telegram.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-telegram.service" + state: absent diff --git a/roles/custom/matrix-bridge-mautrix-twitter/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mautrix-twitter/tasks/setup_uninstall.yml index 5f6b14916..2a73e4818 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mautrix-twitter/tasks/setup_uninstall.yml 
@@ -5,20 +5,15 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-twitter.service" register: matrix_mautrix_twitter_service_stat -- name: Ensure matrix-mautrix-twitter is stopped - ansible.builtin.service: - name: matrix-mautrix-twitter - state: stopped - daemon_reload: true - when: "matrix_mautrix_twitter_service_stat.stat.exists" +- when: matrix_mautrix_twitter_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mautrix-twitter is stopped + ansible.builtin.service: + name: matrix-mautrix-twitter + state: stopped + daemon_reload: true -- name: Ensure matrix-mautrix-twitter.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-twitter.service" - state: absent - when: "matrix_mautrix_twitter_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mautrix-twitter.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_twitter_service_stat.stat.exists" + - name: Ensure matrix-mautrix-twitter.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-twitter.service" + state: absent diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_uninstall.yml index ff2150011..98607b945 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_uninstall.yml 
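Review bot: The new `Ensure matrix-mautrix-twitter is stopped` task omits `enabled: false`, which every other bridge uninstall block in this commit sets alongside `state: stopped`; without it the `.wants` symlink created at enable time is left dangling after the unit file is removed. Adding the missing key keeps the roles uniform: `state: stopped` / `enabled: false` / `daemon_reload: true`. This was already absent on the old side, so it is a carried-over inconsistency rather than a regression, but the rewrite is the natural place to fix it.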
@@ -5,21 +5,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-whatsapp.service" register: matrix_mautrix_whatsapp_service_stat -- name: Ensure matrix-mautrix-whatsapp is stopped - ansible.builtin.service: - name: matrix-mautrix-whatsapp - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mautrix_whatsapp_service_stat.stat.exists" +- when: matrix_mautrix_whatsapp_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mautrix-whatsapp is stopped + ansible.builtin.service: + name: matrix-mautrix-whatsapp + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-mautrix-whatsapp.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-whatsapp.service" - state: absent - when: "matrix_mautrix_whatsapp_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mautrix-whatsapp.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_whatsapp_service_stat.stat.exists" + - name: Ensure matrix-mautrix-whatsapp.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-whatsapp.service" + state: absent diff --git a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_uninstall.yml index 585c6c856..c1ed9ec36 100644 --- a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_uninstall.yml 
@@ -5,21 +5,16 @@ path: "/etc/systemd/system/matrix-mx-puppet-discord.service" register: matrix_mx_puppet_discord_service_stat -- name: Ensure matrix-mx-puppet-discord is stopped - ansible.builtin.service: - name: matrix-mx-puppet-discord - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mx_puppet_discord_service_stat.stat.exists" +- when: matrix_mx_puppet_discord_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mx-puppet-discord is stopped + ansible.builtin.service: + name: matrix-mx-puppet-discord + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-mx-puppet-discord.service doesn't exist - ansible.builtin.file: - path: "/etc/systemd/system/matrix-mx-puppet-discord.service" - state: absent - when: "matrix_mx_puppet_discord_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mx-puppet-discord.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_mx_puppet_discord_service_stat.stat.exists" + - name: Ensure matrix-mx-puppet-discord.service doesn't exist + ansible.builtin.file: + path: "/etc/systemd/system/matrix-mx-puppet-discord.service" + state: absent diff --git a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_uninstall.yml index 5ded61070..ce0823e6e 100644 --- a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_uninstall.yml 
@@ -5,21 +5,16 @@ path: "/etc/systemd/system/matrix-mx-puppet-groupme.service" register: matrix_mx_puppet_groupme_service_stat -- name: Ensure matrix-mx-puppet-groupme is stopped - ansible.builtin.service: - name: matrix-mx-puppet-groupme - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mx_puppet_groupme_service_stat.stat.exists" +- when: matrix_mx_puppet_groupme_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mx-puppet-groupme is stopped + ansible.builtin.service: + name: matrix-mx-puppet-groupme + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-mx-puppet-groupme.service doesn't exist - ansible.builtin.file: - path: "/etc/systemd/system/matrix-mx-puppet-groupme.service" - state: absent - when: "matrix_mx_puppet_groupme_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mx-puppet-groupme.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_mx_puppet_groupme_service_stat.stat.exists" + - name: Ensure matrix-mx-puppet-groupme.service doesn't exist + ansible.builtin.file: + path: "/etc/systemd/system/matrix-mx-puppet-groupme.service" + state: absent diff --git a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_uninstall.yml index 2d5a98aa4..943c0556a 100644 --- a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_uninstall.yml 
@@ -5,21 +5,16 @@ path: "/etc/systemd/system/matrix-mx-puppet-instagram.service" register: matrix_mx_puppet_instagram_service_stat -- name: Ensure matrix-mx-puppet-instagram is stopped - ansible.builtin.service: - name: matrix-mx-puppet-instagram - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mx_puppet_instagram_service_stat.stat.exists" +- when: matrix_mx_puppet_instagram_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mx-puppet-instagram is stopped + ansible.builtin.service: + name: matrix-mx-puppet-instagram + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-mx-puppet-instagram.service doesn't exist - ansible.builtin.file: - path: "/etc/systemd/system/matrix-mx-puppet-instagram.service" - state: absent - when: "matrix_mx_puppet_instagram_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mx-puppet-instagram.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_mx_puppet_instagram_service_stat.stat.exists" + - name: Ensure matrix-mx-puppet-instagram.service doesn't exist + ansible.builtin.file: + path: "/etc/systemd/system/matrix-mx-puppet-instagram.service" + state: absent diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_uninstall.yml index 3f91b467b..444939198 100644 --- a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_uninstall.yml 
@@ -5,21 +5,16 @@ path: "/etc/systemd/system/matrix-mx-puppet-slack.service" register: matrix_mx_puppet_slack_service_stat -- name: Ensure matrix-mx-puppet-slack is stopped - ansible.builtin.service: - name: matrix-mx-puppet-slack - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mx_puppet_slack_service_stat.stat.exists" +- when: matrix_mx_puppet_slack_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mx-puppet-slack is stopped + ansible.builtin.service: + name: matrix-mx-puppet-slack + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-mx-puppet-slack.service doesn't exist - ansible.builtin.file: - path: "/etc/systemd/system/matrix-mx-puppet-slack.service" - state: absent - when: "matrix_mx_puppet_slack_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mx-puppet-slack.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_mx_puppet_slack_service_stat.stat.exists" + - name: Ensure matrix-mx-puppet-slack.service doesn't exist + ansible.builtin.file: + path: "/etc/systemd/system/matrix-mx-puppet-slack.service" + state: absent diff --git a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_uninstall.yml index d88e54722..75d0ebc0f 100644 --- a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_uninstall.yml 
@@ -5,21 +5,16 @@
 path: "/etc/systemd/system/matrix-mx-puppet-steam.service"
 register: matrix_mx_puppet_steam_service_stat
-- name: Ensure matrix-mx-puppet-steam is stopped
- ansible.builtin.service:
- name: matrix-mx-puppet-steam
- state: stopped
- enabled: false
- daemon_reload: true
- when: "matrix_mx_puppet_steam_service_stat.stat.exists"
+- when: matrix_mx_puppet_steam_service_stat.stat.exists | bool
+ block:
+ - name: Ensure matrix-mx-puppet-steam is stopped
+ ansible.builtin.service:
+ name: matrix-mx-puppet-steam
+ state: stopped
+ enabled: false
+ daemon_reload: true
-- name: Ensure matrix-mx-puppet-steam.service doesn't exist
- ansible.builtin.file:
- path: "/etc/systemd/system/matrix-mx-puppet-steam.service"
- state: absent
- when: "matrix_mx_puppet_steam_service_stat.stat.exists"
-
-- name: Ensure systemd reloaded after matrix-mx-puppet-steam.service removal
- ansible.builtin.service:
- daemon_reload: true
- when: "matrix_mx_puppet_steam_service_stat.stat.exists"
+ - name: Ensure matrix-mx-puppet-steam.service doesn't exist
+ ansible.builtin.file:
+ path: "/etc/systemd/system/matrix-mx-puppet-steam.service"
+ state: absent
diff --git a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_uninstall.yml
index 6db13de08..c529f0b34 100644
--- a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_uninstall.yml
@@ -5,21 +5,16 @@
 path: "/etc/systemd/system/matrix-mx-puppet-twitter.service"
 register: matrix_mx_puppet_twitter_service_stat
-- name: Ensure matrix-mx-puppet-twitter is stopped
- ansible.builtin.service:
- name: matrix-mx-puppet-twitter
- state: stopped
- enabled: false
- daemon_reload: true
- when: "matrix_mx_puppet_twitter_service_stat.stat.exists"
+- when: matrix_mx_puppet_twitter_service_stat.stat.exists | bool
+ block:
+ - name: Ensure matrix-mx-puppet-twitter is stopped
+ ansible.builtin.service:
+ name: matrix-mx-puppet-twitter
+ state: stopped
+ enabled: false
+ daemon_reload: true
-- name: Ensure matrix-mx-puppet-twitter.service doesn't exist
- ansible.builtin.file:
- path: "/etc/systemd/system/matrix-mx-puppet-twitter.service"
- state: absent
- when: "matrix_mx_puppet_twitter_service_stat.stat.exists"
-
-- name: Ensure systemd reloaded after matrix-mx-puppet-twitter.service removal
- ansible.builtin.service:
- daemon_reload: true
- when: "matrix_mx_puppet_twitter_service_stat.stat.exists"
+ - name: Ensure matrix-mx-puppet-twitter.service doesn't exist
+ ansible.builtin.file:
+ path: "/etc/systemd/system/matrix-mx-puppet-twitter.service"
+ state: absent
diff --git a/roles/custom/matrix-cactus-comments/tasks/setup_uninstall.yml b/roles/custom/matrix-cactus-comments/tasks/setup_uninstall.yml
index bd46f252b..e3a5f3909 100644
--- a/roles/custom/matrix-cactus-comments/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-cactus-comments/tasks/setup_uninstall.yml
@@ -5,32 +5,21 @@
 path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-cactus-comments.service"
 register: matrix_cactus_comments_service_stat
-- name: Ensure cactus comments is stopped
- ansible.builtin.service:
- name: matrix-cactus-comments
- state: stopped
- enabled: false
- daemon_reload: true
- register: stopping_result
- when: "matrix_cactus_comments_service_stat.stat.exists | bool"
+- when: matrix_cactus_comments_service_stat.stat.exists | bool
+ block:
+ - name: Ensure cactus comments is stopped
+ ansible.builtin.service:
+ name: matrix-cactus-comments
+ state: stopped
+ enabled: false
+ daemon_reload: true
-- name: Ensure matrix-cactus-comments.service doesn't exist
- ansible.builtin.file:
- path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-cactus-comments.service"
- state: absent
- when: "matrix_cactus_comments_service_stat.stat.exists | bool"
-
-- name: Ensure systemd reloaded after matrix-cactus-comments.service removal
- ansible.builtin.service:
- daemon_reload: true
- when: "matrix_cactus_comments_service_stat.stat.exists | bool"
-
-- name: Ensure Matrix cactus comments paths don't exist
- ansible.builtin.file:
- path: "{{ matrix_cactus_comments_base_path }}"
- state: absent
+ - name: Ensure matrix-cactus-comments.service doesn't exist
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-cactus-comments.service"
+ state: absent
-- name: Ensure cactus comments Docker image doesn't exist
- community.docker.docker_image:
- name: "{{ matrix_cactus_comments_docker_image }}"
- state: absent
+ - name: Ensure Matrix cactus comments paths don't exist
+ ansible.builtin.file:
+ path: "{{ matrix_cactus_comments_base_path }}"
+ state: absent
diff --git a/roles/custom/matrix-client-cinny/tasks/setup_uninstall.yml b/roles/custom/matrix-client-cinny/tasks/setup_uninstall.yml
index 5b67e819e..a73825623 100644
--- a/roles/custom/matrix-client-cinny/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-client-cinny/tasks/setup_uninstall.yml
@@ -4,32 +4,21 @@
 path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-cinny.service"
 register: matrix_client_cinny_service_stat
-- name: Ensure matrix-client-cinny is stopped
- ansible.builtin.service:
- name: matrix-client-cinny
- state: stopped
- enabled: false
- daemon_reload: true
- register: stopping_result
- when: "matrix_client_cinny_service_stat.stat.exists | bool"
+- when: matrix_client_cinny_service_stat.stat.exists | bool
+ block:
+ - name: Ensure matrix-client-cinny is stopped
+ ansible.builtin.service:
+ name: matrix-client-cinny
+ state: stopped
+ enabled: false
+ daemon_reload: true
-- name: Ensure matrix-client-cinny.service doesn't exist
- ansible.builtin.file:
- path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-cinny.service"
- state: absent
- when: "matrix_client_cinny_service_stat.stat.exists | bool"
-
-- name: Ensure systemd reloaded after matrix-client-cinny.service removal
- ansible.builtin.service:
- daemon_reload: true
- when: "matrix_client_cinny_service_stat.stat.exists | bool"
-
-- name: Ensure Cinny paths doesn't exist
- ansible.builtin.file:
- path: "{{ matrix_client_cinny_data_path }}"
- state: absent
+ - name: Ensure matrix-client-cinny.service doesn't exist
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-cinny.service"
+ state: absent
-- name: Ensure Cinny Docker image doesn't exist
- community.docker.docker_image:
- name: "{{ matrix_client_cinny_docker_image }}"
- state: absent
+ - name: Ensure Cinny paths doesn't exist
+ ansible.builtin.file:
+ path: "{{ matrix_client_cinny_data_path }}"
+ state: absent
diff --git a/roles/custom/matrix-client-element/tasks/setup_uninstall.yml b/roles/custom/matrix-client-element/tasks/setup_uninstall.yml
index 3a1de4094..e1b25caa6 100644
--- a/roles/custom/matrix-client-element/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-client-element/tasks/setup_uninstall.yml
@@ -5,32 +5,21 @@
 path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-element.service"
 register: matrix_client_element_service_stat
-- name: Ensure matrix-client-element is stopped
- ansible.builtin.service:
- name: matrix-client-element
- state: stopped
- enabled: false
- daemon_reload: true
- register: stopping_result
- when: "matrix_client_element_service_stat.stat.exists | bool"
+- when: matrix_client_element_service_stat.stat.exists | bool
+ block:
+ - name: Ensure matrix-client-element is stopped
+ ansible.builtin.service:
+ name: matrix-client-element
+ state: stopped
+ enabled: false
+ daemon_reload: true
-- name: Ensure matrix-client-element.service doesn't exist
- ansible.builtin.file:
- path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-element.service"
- state: absent
- when: "matrix_client_element_service_stat.stat.exists | bool"
-
-- name: Ensure systemd reloaded after matrix-client-element.service removal
- ansible.builtin.service:
- daemon_reload: true
- when: "matrix_client_element_service_stat.stat.exists | bool"
-
-- name: Ensure Element paths doesn't exist
- ansible.builtin.file:
- path: "{{ matrix_client_element_data_path }}"
- state: absent
+ - name: Ensure matrix-client-element.service doesn't exist
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-element.service"
+ state: absent
-- name: Ensure Element Docker image doesn't exist
- community.docker.docker_image:
- name: "{{ matrix_client_element_docker_image }}"
- state: absent
+ - name: Ensure Element paths doesn't exist
+ ansible.builtin.file:
+ path: "{{ matrix_client_element_data_path }}"
+ state: absent
diff --git a/roles/custom/matrix-client-hydrogen/tasks/setup_uninstall.yml b/roles/custom/matrix-client-hydrogen/tasks/setup_uninstall.yml
index 090ce5673..d6caa5b97 100644
--- a/roles/custom/matrix-client-hydrogen/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-client-hydrogen/tasks/setup_uninstall.yml
@@ -5,32 +5,21 @@
 path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-hydrogen.service"
 register: matrix_client_hydrogen_service_stat
-- name: Ensure matrix-client-hydrogen is stopped
- ansible.builtin.service:
- name: matrix-client-hydrogen
- state: stopped
- enabled: false
- daemon_reload: true
- register: stopping_result
- when: "matrix_client_hydrogen_service_stat.stat.exists | bool"
+- when: matrix_client_hydrogen_service_stat.stat.exists | bool
+ block:
+ - name: Ensure matrix-client-hydrogen is stopped
+ ansible.builtin.service:
+ name: matrix-client-hydrogen
+ state: stopped
+ enabled: false
+ daemon_reload: true
-- name: Ensure matrix-client-hydrogen.service doesn't exist
- ansible.builtin.file:
- path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-hydrogen.service"
- state: absent
- when: "matrix_client_hydrogen_service_stat.stat.exists | bool"
-
-- name: Ensure systemd reloaded after matrix-client-hydrogen.service removal
- ansible.builtin.service:
- daemon_reload: true
- when: "matrix_client_hydrogen_service_stat.stat.exists | bool"
-
-- name: Ensure Hydrogen paths doesn't exist
- ansible.builtin.file:
- path: "{{ matrix_client_hydrogen_data_path }}"
- state: absent
+ - name: Ensure matrix-client-hydrogen.service doesn't exist
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-hydrogen.service"
+ state: absent
-- name: Ensure Hydrogen Docker image doesn't exist
- community.docker.docker_image:
- name: "{{ matrix_client_hydrogen_docker_image }}"
- state: absent
+ - name: Ensure Hydrogen paths doesn't exist
+ ansible.builtin.file:
+ path: "{{ matrix_client_hydrogen_data_path }}"
+ state: absent
diff --git a/roles/custom/matrix-conduit/tasks/setup_uninstall.yml b/roles/custom/matrix-conduit/tasks/setup_uninstall.yml
index efe7d40a0..1745ff973 100644
--- a/roles/custom/matrix-conduit/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-conduit/tasks/setup_uninstall.yml
@@ -5,26 +5,15 @@
 path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduit.service"
 register: matrix_conduit_service_stat
-- name: Ensure matrix-conduit is stopped
- ansible.builtin.systemd:
- name: matrix-conduit
- state: stopped
- daemon_reload: true
- register: stopping_result
- when: "matrix_conduit_service_stat.stat.exists"
+- when: matrix_conduit_service_stat.stat.exists | bool
+ block:
+ - name: Ensure matrix-conduit is stopped
+ ansible.builtin.systemd:
+ name: matrix-conduit
+ state: stopped
+ daemon_reload: true
-- name: Ensure matrix-conduit.service doesn't exist
- ansible.builtin.file:
- path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduit.service"
- state: absent
- when: "matrix_conduit_service_stat.stat.exists"
-
-- name: Ensure systemd reloaded after matrix-conduit.service removal
- ansible.builtin.systemd:
- daemon_reload: true
- when: "matrix_conduit_service_stat.stat.exists"
-
-- name: Ensure Conduit Docker image doesn't exist
- community.docker.docker_image:
- name: "{{ matrix_conduit_docker_image }}"
- state: absent
+ - name: Ensure matrix-conduit.service doesn't exist
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduit.service"
+ state: absent
diff --git a/roles/custom/matrix-corporal/tasks/setup_uninstall.yml b/roles/custom/matrix-corporal/tasks/setup_uninstall.yml
index 81e1b751d..6c6e8063a 100644
--- a/roles/custom/matrix-corporal/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-corporal/tasks/setup_uninstall.yml
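Review bot: The `Ensure matrix-conduit is stopped` task in the new block stops the unit but, unlike the stop tasks in the sibling hunks of this commit, does not set `enabled: false`, so if the unit was enabled its `.wants` symlink survives the removal of `matrix-conduit.service` by the next task and is left dangling. Adding `enabled: false` under `state: stopped` would bring this role in line with the others. The dendrite hunk looks the same (its visible context has `state: stopped` and `daemon_reload: true` with no `enabled: false`), though that stop task begins outside its hunk so this cannot be confirmed from here.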
@@ -13,26 +13,16 @@
 state: stopped
 enabled: false
 daemon_reload: true
- register: stopping_result
 - name: Ensure matrix-corporal.service doesn't exist
 ansible.builtin.file:
 path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-corporal.service"
 state: absent
- - name: Ensure systemd reloaded after matrix-corporal.service removal
- ansible.builtin.service:
- daemon_reload: true
-
-- name: Ensure matrix-corporal files don't exist
- ansible.builtin.file:
- path: "{{ item }}"
- state: absent
- with_items:
- - "{{ devture_systemd_docker_base_systemd_path }}/matrix-corporal.service"
- - "{{ matrix_corporal_config_dir_path }}/config.json"
-
-- name: Ensure Matrix Corporal Docker image doesn't exist
- community.docker.docker_image:
- name: "{{ matrix_corporal_docker_image }}"
- state: absent
+ - name: Ensure matrix-corporal files don't exist
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - "{{ devture_systemd_docker_base_systemd_path }}/matrix-corporal.service"
+ - "{{ matrix_corporal_config_dir_path }}/config.json"
diff --git a/roles/custom/matrix-coturn/tasks/setup_uninstall.yml b/roles/custom/matrix-coturn/tasks/setup_uninstall.yml
index bf71b90ae..e747ff094 100644
--- a/roles/custom/matrix-coturn/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-coturn/tasks/setup_uninstall.yml
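Review bot: The new `Ensure matrix-corporal files don't exist` task still lists `{{ devture_systemd_docker_base_systemd_path }}/matrix-corporal.service` in `with_items`, which the task kept as context just above it (`Ensure matrix-corporal.service doesn't exist`) already removes, so the unit file is deleted twice within the same block. Keeping only `- "{{ matrix_corporal_config_dir_path }}/config.json"` under `with_items` would make the task do what its name says and leave a single place that owns unit removal. The enclosing block starts before this hunk.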
@@ -6,42 +6,33 @@
 register: matrix_coturn_service_stat
 when: "not matrix_coturn_enabled | bool"
-- name: Ensure matrix-coturn is stopped
- ansible.builtin.service:
- name: matrix-coturn
- state: stopped
- enabled: false
- daemon_reload: true
- when: "matrix_coturn_service_stat.stat.exists | bool"
+- when: matrix_coturn_service_stat.stat.exists | bool
+ block:
+ - name: Ensure matrix-coturn is stopped
+ ansible.builtin.service:
+ name: matrix-coturn
+ state: stopped
+ enabled: false
+ daemon_reload: true
-- name: Ensure matrix-coturn-reload.timer is stopped
- ansible.builtin.service:
- name: matrix-coturn
- state: stopped
- enabled: false
- daemon_reload: true
- failed_when: false
- when: "matrix_coturn_service_stat.stat.exists | bool"
+ - name: Ensure matrix-coturn-reload.timer is stopped
+ ansible.builtin.service:
+ name: matrix-coturn
+ state: stopped
+ enabled: false
+ daemon_reload: true
+ failed_when: false
-- name: Ensure systemd units don't exist
- ansible.builtin.file:
- path: "{{ devture_systemd_docker_base_systemd_path }}/{{ item }}"
- state: absent
- register: matrix_coturn_systemd_unit_uninstallation_result
- with_items:
- - matrix-coturn.service
- - matrix-coturn-reload.service
- - matrix-coturn-reload.timer
+ - name: Ensure systemd units don't exist
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/{{ item }}"
+ state: absent
+ with_items:
+ - matrix-coturn.service
+ - matrix-coturn-reload.service
+ - matrix-coturn-reload.timer
-- name: Ensure systemd reloaded after unit removal
- ansible.builtin.service:
- daemon_reload: true
- when: "matrix_coturn_systemd_unit_uninstallation_result.changed | bool"
-
-- name: Ensure Matrix coturn paths don't exist
- ansible.builtin.file:
- path: "{{ matrix_coturn_base_path }}"
- state: absent
-
-# Intentionally not removing the Docker image when uninstalling.
-# We can't be sure it had been pulled by us in the first place.
+ - name: Ensure Matrix coturn paths don't exist
+ ansible.builtin.file:
+ path: "{{ matrix_coturn_base_path }}"
+ state: absent
diff --git a/roles/custom/matrix-dendrite/tasks/setup_uninstall.yml b/roles/custom/matrix-dendrite/tasks/setup_uninstall.yml
index e37b219c3..e5479684c 100644
--- a/roles/custom/matrix-dendrite/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-dendrite/tasks/setup_uninstall.yml
@@ -12,14 +12,8 @@
 name: matrix-dendrite
 state: stopped
 daemon_reload: true
- register: stopping_result
 - name: Ensure matrix-dendrite.service doesn't exist
 ansible.builtin.file:
 path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dendrite.service"
 state: absent
-
- - name: Ensure Dendrite Docker image doesn't exist
- community.docker.docker_image:
- name: "{{ matrix_dendrite_docker_image }}"
- state: absent
diff --git a/roles/custom/matrix-dimension/tasks/setup_uninstall.yml b/roles/custom/matrix-dimension/tasks/setup_uninstall.yml
index 8a5f5c755..239e4d892 100644
--- a/roles/custom/matrix-dimension/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-dimension/tasks/setup_uninstall.yml
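Review bot: The `Ensure matrix-coturn-reload.timer is stopped` task carried into the new block still has `name: matrix-coturn`, so it stops the main service a second time and the reload timer itself is never stopped before the following file task deletes `matrix-coturn-reload.timer`. Because that task also keeps `failed_when: false`, a genuine failure to stop the timer would pass silently. The task name suggests `name: matrix-coturn-reload.timer` was intended; the fix is that one line.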
@@ -5,32 +5,21 @@
 path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dimension.service"
 register: matrix_dimension_service_stat
-- name: Ensure matrix-dimension is stopped
- ansible.builtin.service:
- name: matrix-dimension
- state: stopped
- enabled: false
- daemon_reload: true
- register: stopping_result
- when: "matrix_dimension_service_stat.stat.exists | bool"
+- when: matrix_dimension_service_stat.stat.exists | bool
+ block:
+ - name: Ensure matrix-dimension is stopped
+ ansible.builtin.service:
+ name: matrix-dimension
+ state: stopped
+ enabled: false
+ daemon_reload: true
-- name: Ensure matrix-dimension.service doesn't exist
- ansible.builtin.file:
- path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dimension.service"
- state: absent
- when: "matrix_dimension_service_stat.stat.exists | bool"
-
-- name: Ensure systemd reloaded after matrix-dimension.service removal
- ansible.builtin.service:
- daemon_reload: true
- when: "matrix_dimension_service_stat.stat.exists | bool"
-
-- name: Ensure Dimension base directory doesn't exist
- ansible.builtin.file:
- path: "{{ matrix_dimension_base_path }}"
- state: absent
+ - name: Ensure matrix-dimension.service doesn't exist
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dimension.service"
+ state: absent
-- name: Ensure Dimension Docker image doesn't exist
- community.docker.docker_image:
- name: "{{ matrix_dimension_docker_image }}"
- state: absent
+ - name: Ensure Dimension base directory doesn't exist
+ ansible.builtin.file:
+ path: "{{ matrix_dimension_base_path }}"
+ state: absent
diff --git a/roles/custom/matrix-dynamic-dns/tasks/setup_uninstall.yml b/roles/custom/matrix-dynamic-dns/tasks/setup_uninstall.yml
index 7b4e76671..8f9f1b040 100644
--- a/roles/custom/matrix-dynamic-dns/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-dynamic-dns/tasks/setup_uninstall.yml
@@ -5,24 +5,16 @@
 path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dynamic-dns.service"
 register: matrix_dynamic_dns_service_stat
-- name: Ensure matrix-dynamic-dns is stopped
- ansible.builtin.service:
- name: matrix-dynamic-dns
- state: stopped
- enabled: false
- daemon_reload: true
- when: "matrix_dynamic_dns_service_stat.stat.exists"
+- when: matrix_dynamic_dns_service_stat.stat.exists | bool
+ block:
+ - name: Ensure matrix-dynamic-dns is stopped
+ ansible.builtin.service:
+ name: matrix-dynamic-dns
+ state: stopped
+ enabled: false
+ daemon_reload: true
-- name: Ensure matrix-dynamic-dns.service doesn't exist
- ansible.builtin.file:
- path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dynamic-dns.service"
- state: absent
- when: "matrix_dynamic_dns_service_stat.stat.exists"
-
-- name: Ensure systemd reloaded after matrix-dynamic-dns.service removal
- ansible.builtin.service:
- daemon_reload: true
- when: "matrix_dynamic_dns_service_stat.stat.exists"
-
-# Intentionally not removing the Docker image when uninstalling.
-# We can't be sure it had been pulled by us in the first place.
+ - name: Ensure matrix-dynamic-dns.service doesn't exist
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dynamic-dns.service"
+ state: absent
diff --git a/roles/custom/matrix-email2matrix/tasks/setup_uninstall.yml b/roles/custom/matrix-email2matrix/tasks/setup_uninstall.yml
index c9600d0c9..e95ce6617 100644
--- a/roles/custom/matrix-email2matrix/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-email2matrix/tasks/setup_uninstall.yml
@@ -5,32 +5,21 @@
 path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-email2matrix.service"
 register: matrix_email2matrix_service_stat
-- name: Ensure matrix-email2matrix is stopped
- ansible.builtin.service:
- name: matrix-email2matrix
- state: stopped
- enabled: false
- daemon_reload: true
- register: stopping_result
- when: "matrix_email2matrix_service_stat.stat.exists | bool"
+- when: matrix_email2matrix_service_stat.stat.exists | bool
+ block:
+ - name: Ensure matrix-email2matrix is stopped
+ ansible.builtin.service:
+ name: matrix-email2matrix
+ state: stopped
+ enabled: false
+ daemon_reload: true
-- name: Ensure matrix-email2matrix.service doesn't exist
- ansible.builtin.file:
- path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-email2matrix.service"
- state: absent
- when: "matrix_email2matrix_service_stat.stat.exists | bool"
-
-- name: Ensure systemd reloaded after matrix-email2matrix.service removal
- ansible.builtin.service:
- daemon_reload: true
- when: "matrix_email2matrix_service_stat.stat.exists | bool"
-
-- name: Ensure Email2Matrix data path doesn't exist
- ansible.builtin.file:
- path: "{{ matrix_email2matrix_base_path }}"
- state: absent
+ - name: Ensure matrix-email2matrix.service doesn't exist
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-email2matrix.service"
+ state: absent
-- name: Ensure Email2Matrix Docker image doesn't exist
- community.docker.docker_image:
- name: "{{ matrix_email2matrix_docker_image }}"
- state: absent
+ - name: Ensure Email2Matrix data path doesn't exist
+ ansible.builtin.file:
+ path: "{{ matrix_email2matrix_base_path }}"
+ state: absent
diff --git a/roles/custom/matrix-etherpad/tasks/setup_uninstall.yml b/roles/custom/matrix-etherpad/tasks/setup_uninstall.yml
index 7d93b9ab2..e03829845 100644
--- a/roles/custom/matrix-etherpad/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-etherpad/tasks/setup_uninstall.yml
@@ -5,32 +5,21 @@
 path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-etherpad.service"
 register: matrix_etherpad_service_stat
-- name: Ensure matrix-etherpad is stopped
- ansible.builtin.service:
- name: matrix-etherpad
- state: stopped
- enabled: false
- daemon_reload: true
- register: stopping_result
- when: "matrix_etherpad_service_stat.stat.exists | bool"
+- when: matrix_etherpad_service_stat.stat.exists | bool
+ block:
+ - name: Ensure matrix-etherpad is stopped
+ ansible.builtin.service:
+ name: matrix-etherpad
+ state: stopped
+ enabled: false
+ daemon_reload: true
-- name: Ensure matrix-etherpad.service doesn't exist
- ansible.builtin.file:
- path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-etherpad.service"
- state: absent
- when: "matrix_etherpad_service_stat.stat.exists | bool"
-
-- name: Ensure systemd reloaded after matrix-etherpad.service removal
- ansible.builtin.service:
- daemon_reload: true
- when: "matrix_etherpad_service_stat.stat.exists | bool"
-
-- name: Ensure Etherpad base directory doesn't exist
- ansible.builtin.file:
- path: "{{ matrix_etherpad_base_path }}"
- state: absent
+ - name: Ensure matrix-etherpad.service doesn't exist
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-etherpad.service"
+ state: absent
-- name: Ensure Etherpad Docker image doesn't exist
- community.docker.docker_image:
- name: "{{ matrix_etherpad_docker_image }}"
- state: absent
+ - name: Ensure Etherpad base directory doesn't exist
+ ansible.builtin.file:
+ path: "{{ matrix_etherpad_base_path }}"
+ state: absent
diff --git a/roles/custom/matrix-grafana/tasks/setup_uninstall.yml b/roles/custom/matrix-grafana/tasks/setup_uninstall.yml
index 6c054ff09..12c3cde93 100644
--- a/roles/custom/matrix-grafana/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-grafana/tasks/setup_uninstall.yml
@@ -13,7 +13,6 @@
 state: stopped
 enabled: false
 daemon_reload: true
- register: stopping_result
 - name: Ensure matrix-grafana.service doesn't exist
 ansible.builtin.file:
diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo_uninstall.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo_uninstall.yml
index 8e76ddea3..6ddd89375 100644
--- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo_uninstall.yml
+++ b/roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo_uninstall.yml
@@ -13,7 +13,6 @@
 state: stopped
 enabled: false
 daemon_reload: true
- register: stopping_result
 - name: Ensure matrix-jitsi-jicofo.service doesn't exist
 ansible.builtin.file:
diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb_uninstall.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb_uninstall.yml
index f883a3a2f..e3d7094f0 100644
--- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb_uninstall.yml
+++ b/roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb_uninstall.yml
@@ -13,7 +13,6 @@
 state: stopped
 enabled: false
 daemon_reload: true
- register: stopping_result
 - name: Ensure matrix-jitsi-jvb.service doesn't exist
 ansible.builtin.file:
diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_uninstall.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_uninstall.yml
index 3fd44f72d..4907b2a1d 100644
--- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_uninstall.yml
+++ b/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_uninstall.yml
@@ -13,7 +13,6 @@
 state: stopped
 enabled: false
 daemon_reload: true
- register: stopping_result
 - name: Ensure matrix-jitsi-prosody.service file doesn't exist
 ansible.builtin.file:
diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_web_uninstall.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_web_uninstall.yml
index 7c99c2802..1707d7e9b 100644
--- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_web_uninstall.yml
+++ b/roles/custom/matrix-jitsi/tasks/setup_jitsi_web_uninstall.yml
@@ -13,7 +13,6 @@
 state: stopped
 enabled: false
 daemon_reload: true
- register: stopping_result
 - name: Ensure matrix-jitsi-web.service doesn't exist
 ansible.builtin.file:
diff --git a/roles/custom/matrix-ldap-registration-proxy/tasks/setup_uninstall.yml b/roles/custom/matrix-ldap-registration-proxy/tasks/setup_uninstall.yml
index ed19ad9c1..1d99b4062 100644
--- a/roles/custom/matrix-ldap-registration-proxy/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-ldap-registration-proxy/tasks/setup_uninstall.yml
@@ -5,32 +5,21 @@
 path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ldap-registration-proxy.service"
 register: matrix_ldap_registration_proxy_service_stat
-- name: Ensure matrix-matrix_ldap_registration_proxy is stopped
- ansible.builtin.service:
- name: matrix-matrix_ldap_registration_proxy
- state: stopped
- enabled: false
- daemon_reload: true
- register: stopping_result
- when: "matrix_ldap_registration_proxy_service_stat.stat.exists | bool"
+- when: matrix_ldap_registration_proxy_service_stat.stat.exists | bool
+ block:
+ - name: Ensure matrix-matrix_ldap_registration_proxy is stopped
+ ansible.builtin.service:
+ name: matrix-matrix_ldap_registration_proxy
+ state: stopped
+ enabled: false
+ daemon_reload: true
-- name: Ensure matrix-ldap-registration-proxy.service doesn't exist
- ansible.builtin.file:
- path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ldap-registration-proxy.service"
- state: absent
- when: "matrix_ldap_registration_proxy_service_stat.stat.exists | bool"
-
-- name: Ensure systemd reloaded after matrix-ldap-registration-proxy.service removal
- ansible.builtin.service:
- daemon_reload: true
- when: "matrix_ldap_registration_proxy_service_stat.stat.exists | bool"
-
-- name: Ensure Matrix matrix_ldap_registration_proxy paths don't exist
- ansible.builtin.file:
- path: "{{ matrix_ldap_registration_proxy_base_path }}"
- state: absent
+ - name: Ensure matrix-ldap-registration-proxy.service doesn't exist
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ldap-registration-proxy.service"
+ state: absent
-- name: Ensure matrix_ldap_registration_proxy Docker image doesn't exist
- community.docker.docker_image:
- name: "{{ matrix_ldap_registration_proxy_docker_image }}"
- state: absent
+ - name: Ensure Matrix matrix_ldap_registration_proxy paths don't exist
+ ansible.builtin.file:
+ path: "{{ matrix_ldap_registration_proxy_base_path }}"
+ state: absent
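Review bot: The stop task in the new block targets `name: matrix-matrix_ldap_registration_proxy`, while the stat and removal tasks in the same hunk work on `matrix-ldap-registration-proxy.service`; if the unit really is named after that file, `ansible.builtin.service` fails on a unit it cannot find and, with no `failed_when` on the block, aborts the uninstall before the file and path removals run. `name: matrix-ldap-registration-proxy` would match the unit being checked and removed. The doubled prefix also appears in the task names (`Ensure matrix-matrix_ldap_registration_proxy is stopped`), which reads like a copy-paste slip rather than a deliberate unit name, so this is worth confirming against the role's install tasks.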
diff --git a/roles/custom/matrix-ma1sd/tasks/setup_uninstall.yml b/roles/custom/matrix-ma1sd/tasks/setup_uninstall.yml
index c7e8bf633..b27df269e 100644
--- a/roles/custom/matrix-ma1sd/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-ma1sd/tasks/setup_uninstall.yml
@@ -5,32 +5,21 @@
 path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ma1sd.service"
 register: matrix_ma1sd_service_stat
-- name: Ensure matrix-ma1sd is stopped
- ansible.builtin.service:
- name: matrix-ma1sd
- state: stopped
- enabled: false
- daemon_reload: true
- register: stopping_result
- when: "matrix_ma1sd_service_stat.stat.exists | bool"
+- when: matrix_ma1sd_service_stat.stat.exists | bool
+ block:
+ - name: Ensure matrix-ma1sd is stopped
+ ansible.builtin.service:
+ name: matrix-ma1sd
+ state: stopped
+ enabled: false
+ daemon_reload: true
-- name: Ensure matrix-ma1sd.service doesn't exist
- ansible.builtin.file:
- path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ma1sd.service"
- state: absent
- when: "matrix_ma1sd_service_stat.stat.exists | bool"
-
-- name: Ensure systemd reloaded after matrix-ma1sd.service removal
- ansible.builtin.service:
- daemon_reload: true
- when: "matrix_ma1sd_service_stat.stat.exists | bool"
-
-- name: Ensure Matrix ma1sd paths don't exist
- ansible.builtin.file:
- path: "{{ matrix_ma1sd_base_path }}"
- state: absent
+ - name: Ensure matrix-ma1sd.service doesn't exist
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ma1sd.service"
+ state: absent
-- name: Ensure ma1sd Docker image doesn't exist
- community.docker.docker_image:
- name: "{{ matrix_ma1sd_docker_image }}"
- state: absent
+ - name: Ensure Matrix ma1sd paths don't exist
+ ansible.builtin.file:
+ path: "{{ matrix_ma1sd_base_path }}"
+ state: absent
diff --git a/roles/custom/matrix-mailer/tasks/setup_uninstall.yml b/roles/custom/matrix-mailer/tasks/setup_uninstall.yml
index d8fb65c30..fce8a4362 100644
--- a/roles/custom/matrix-mailer/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-mailer/tasks/setup_uninstall.yml
@@ -13,23 +13,13 @@
 state: stopped
 enabled: false
 daemon_reload: true
- register: stopping_result
 - name: Ensure matrix-mailer.service doesn't exist
 ansible.builtin.file:
 path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mailer.service"
 state: absent
- - name: Ensure systemd reloaded after matrix-mailer.service removal
- ansible.builtin.service:
- daemon_reload: true
-
-- name: Ensure Matrix mailer path doesn't exist
- ansible.builtin.file:
- path: "{{ matrix_mailer_base_path }}"
- state: absent
-
-- name: Ensure mailer Docker image doesn't exist
- community.docker.docker_image:
- name: "{{ matrix_mailer_docker_image }}"
- state: absent
+ - name: Ensure Matrix mailer path doesn't exist
+ ansible.builtin.file:
+ path: "{{ matrix_mailer_base_path }}"
+ state: absent
diff --git a/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
index 50e8ab9b9..af086298e 100644
--- a/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
+++ b/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
@@ -239,7 +239,6 @@
 state: stopped
 enabled: false
 daemon_reload: true
- register: stopping_result
 when: "not matrix_nginx_proxy_enabled | bool and matrix_nginx_proxy_service_stat.stat.exists"
 - name: Ensure matrix-nginx-proxy.service doesn't exist
diff --git a/roles/custom/matrix-ntfy/tasks/setup_uninstall.yml b/roles/custom/matrix-ntfy/tasks/setup_uninstall.yml
index e0eedfd83..afd826f8d 100644
--- a/roles/custom/matrix-ntfy/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-ntfy/tasks/setup_uninstall.yml
@@ -5,32 +5,21 @@
 path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ntfy.service"
 register: matrix_ntfy_service_stat
-- name: Ensure matrix-ntfy is stopped
- ansible.builtin.service:
- name: matrix-ntfy
- state: stopped
- enabled: false
- daemon_reload: true
- register: stopping_result
- when: "matrix_ntfy_service_stat.stat.exists"
+- when: matrix_ntfy_service_stat.stat.exists | bool
+ block:
+ - name: Ensure matrix-ntfy is stopped
+ ansible.builtin.service:
+ name: matrix-ntfy
+ state: stopped
+ enabled: false
+ daemon_reload: true
-- name: Ensure matrix-ntfy.service doesn't exist
- ansible.builtin.file:
- path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ntfy.service"
- state: absent
- when: "matrix_ntfy_service_stat.stat.exists"
-
-- name: Ensure systemd reloaded after matrix-ntfy.service removal
- ansible.builtin.service:
- daemon_reload: true
- when: "matrix_ntfy_service_stat.stat.exists"
-
-- name: Ensure matrix-ntfy path doesn't exist
- ansible.builtin.file:
- path: "{{ matrix_ntfy_base_path }}"
- state: absent
+ - name: Ensure matrix-ntfy.service doesn't exist
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ntfy.service"
+ state: absent
-- name: Ensure ntfy Docker image doesn't exist
- community.docker.docker_image:
- name: "{{ matrix_ntfy_docker_image }}"
- state: absent
+ - name: Ensure matrix-ntfy path doesn't exist
+ ansible.builtin.file:
+ path: "{{ matrix_ntfy_base_path }}"
+ state: absent
diff --git a/roles/custom/matrix-postgres-backup/tasks/setup_uninstall.yml b/roles/custom/matrix-postgres-backup/tasks/setup_uninstall.yml
index 0b3709ebe..61b6840c8 100644
--- a/roles/custom/matrix-postgres-backup/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-postgres-backup/tasks/setup_uninstall.yml
@@ -20,10 +20,6 @@
 path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-postgres-backup.service"
 state: absent
- - name: Ensure systemd reloaded after matrix-postgres-backup.service removal
- ansible.builtin.service:
- daemon_reload: true
-
 - name: Check existence of matrix-postgres-backup backup path
 ansible.builtin.stat:
 path: "{{ matrix_postgres_backup_path }}"
diff --git a/roles/custom/matrix-prometheus-node-exporter/tasks/setup_uninstall.yml b/roles/custom/matrix-prometheus-node-exporter/tasks/setup_uninstall.yml
index 7239c0ac1..b5ef4f0f7 100644
--- a/roles/custom/matrix-prometheus-node-exporter/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-prometheus-node-exporter/tasks/setup_uninstall.yml
@@ -13,13 +13,8 @@
 state: stopped
 enabled: false
 daemon_reload: true
- register: stopping_result
 - name: Ensure matrix-prometheus-node-exporter.service doesn't exist
 ansible.builtin.file:
 path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-node-exporter.service"
 state: absent
-
- - name: Ensure systemd reloaded after matrix-prometheus-node-exporter.service removal
- ansible.builtin.service:
- daemon_reload: true
diff --git a/roles/custom/matrix-prometheus-postgres-exporter/tasks/setup_uninstall.yml b/roles/custom/matrix-prometheus-postgres-exporter/tasks/setup_uninstall.yml
index b3fdfd591..bdf720428 100644
--- a/roles/custom/matrix-prometheus-postgres-exporter/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-prometheus-postgres-exporter/tasks/setup_uninstall.yml
@@ -13,7 +13,6 @@
 state: stopped
 enabled: false
 daemon_reload: true
- register: stopping_result
 - name: Ensure matrix-prometheus-postgres-exporter.service doesn't exist
 ansible.builtin.file:
diff --git a/roles/custom/matrix-prometheus/tasks/setup_uninstall.yml b/roles/custom/matrix-prometheus/tasks/setup_uninstall.yml
index 5fe145fc3..9d13d2160 100644
--- a/roles/custom/matrix-prometheus/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-prometheus/tasks/setup_uninstall.yml
@@ -5,22 +5,16 @@
 path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus.service"
 register: matrix_prometheus_service_stat
-- name: Ensure matrix-prometheus is stopped
- ansible.builtin.service:
- name: matrix-prometheus
- state: stopped
- enabled: false
- daemon_reload: true
- register: stopping_result
- when: "matrix_prometheus_service_stat.stat.exists | bool"
+- when: matrix_prometheus_service_stat.stat.exists | bool
+ block:
+ - name: Ensure matrix-prometheus is stopped
+ ansible.builtin.service:
+ name: matrix-prometheus
+ state: stopped
+ enabled: false
+ daemon_reload: true
-- name: Ensure matrix-prometheus.service doesn't exist
- ansible.builtin.file:
- path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus.service"
- state: absent
- when: "matrix_prometheus_service_stat.stat.exists | bool"
-
-- name: Ensure systemd reloaded after matrix-prometheus.service removal
- ansible.builtin.service:
- daemon_reload: true
- when: "matrix_prometheus_service_stat.stat.exists | bool"
+ - name: Ensure matrix-prometheus.service doesn't exist
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus.service"
+ state: absent
diff --git a/roles/custom/matrix-registration/tasks/setup_uninstall.yml b/roles/custom/matrix-registration/tasks/setup_uninstall.yml
index 623db421e..97c144358 100644
--- a/roles/custom/matrix-registration/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-registration/tasks/setup_uninstall.yml
@@ -5,27 +5,16 @@
 path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-registration.service"
 register: matrix_registration_service_stat
-- name: Ensure matrix-registration is stopped
- ansible.builtin.service:
- name: matrix-registration
- state: stopped
- enabled: false
- daemon_reload: true
- register: stopping_result
- when: "matrix_registration_service_stat.stat.exists | bool"
+- when: matrix_registration_service_stat.stat.exists | bool
+ block:
+ - name: Ensure matrix-registration is stopped
+ ansible.builtin.service:
+ name: matrix-registration
+ state: stopped
+ enabled: false
+ daemon_reload: true
-- name: Ensure matrix-registration.service doesn't exist
- ansible.builtin.file:
- path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-registration.service"
- state: absent
- when: "matrix_registration_service_stat.stat.exists | bool"
-
-- name: Ensure systemd reloaded after matrix-registration.service removal
- ansible.builtin.service:
- daemon_reload: true
- when: "matrix_registration_service_stat.stat.exists | bool"
-
-- name: Ensure matrix-registration Docker image doesn't exist
- community.docker.docker_image:
- name: "{{ matrix_registration_docker_image }}"
- state: absent
+ - name: Ensure matrix-registration.service doesn't exist
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-registration.service"
+ state: absent
diff --git a/roles/custom/matrix-sygnal/tasks/setup_uninstall.yml b/roles/custom/matrix-sygnal/tasks/setup_uninstall.yml
index e398f7a99..5f01daf1f 100644
--- a/roles/custom/matrix-sygnal/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-sygnal/tasks/setup_uninstall.yml
@@ -5,32 +5,21 @@
 path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-sygnal.service"
 register: matrix_sygnal_service_stat
-- name: Ensure matrix-sygnal is stopped
- ansible.builtin.service:
- name: matrix-sygnal
- state: stopped
- enabled: false
- daemon_reload: true
- register: stopping_result
- when: "matrix_sygnal_service_stat.stat.exists | bool"
+- when: matrix_sygnal_service_stat.stat.exists | bool
+ block:
+ - name: Ensure matrix-sygnal is stopped
+ ansible.builtin.service:
+ name: matrix-sygnal
+ state: stopped
+ enabled: false
+ daemon_reload: true
-- name: Ensure matrix-sygnal.service doesn't exist
- ansible.builtin.file:
- path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-sygnal.service"
- state: absent
- when: "matrix_sygnal_service_stat.stat.exists | bool"
-
-- name: Ensure systemd reloaded after matrix-sygnal.service removal
- ansible.builtin.service:
- daemon_reload: true
- when: "matrix_sygnal_service_stat.stat.exists | bool"
-
-- name: Ensure Sygnal base directory doesn't exist
- ansible.builtin.file:
- path: "{{ matrix_sygnal_base_path }}"
- state: absent
+ - name: Ensure matrix-sygnal.service doesn't exist
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-sygnal.service"
+ state: absent
-- name: Ensure Sygnal Docker image doesn't exist
- community.docker.docker_image:
- name: "{{ matrix_sygnal_docker_image }}"
- state: absent
+ - name: Ensure Sygnal base directory doesn't exist
+ ansible.builtin.file:
+ path: "{{ matrix_sygnal_base_path }}"
+ state: absent
diff --git a/roles/custom/matrix-synapse-admin/tasks/setup_uninstall.yml b/roles/custom/matrix-synapse-admin/tasks/setup_uninstall.yml
index 96509874a..3828b7359 100644
--- a/roles/custom/matrix-synapse-admin/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-synapse-admin/tasks/setup_uninstall.yml
@@ -13,15 +13,8 @@
 state: stopped
 enabled: false
 daemon_reload: true
- register: stopping_result
 - name: Ensure matrix-synapse-admin.service doesn't exist
 ansible.builtin.file:
 path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-admin.service"
 state: absent
-
- - name: Ensure matrix-synapse-admin Docker image doesn't exist
- community.docker.docker_image:
- name: "{{ matrix_synapse_admin_docker_image }}"
- state: absent
- when: "not matrix_synapse_admin_enabled | bool"
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_uninstall.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_uninstall.yml
index f4531a193..bb1b534cf 100644
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_uninstall.yml
@@ -13,18 +13,13 @@
 state: stopped
 enabled: false
 daemon_reload: true
- register: stopping_result
 - name: Ensure matrix-synapse-reverse-proxy-companion.service doesn't exist
 ansible.builtin.file:
 path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-reverse-proxy-companion.service"
 state: absent
- - name: Ensure systemd reloaded after matrix-synapse-reverse-proxy-companion.service removal
- ansible.builtin.service:
- daemon_reload: true
-
-- name: Ensure matrix-synapse-reverse-proxy-companion data deleted
- ansible.builtin.file:
- path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}"
- state: absent
+ - name: Ensure matrix-synapse-reverse-proxy-companion data deleted
+ ansible.builtin.file:
+ path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}"
+ state: absent
diff --git a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_uninstall.yml b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_uninstall.yml
index a828070c9..d664d75fc 100644
--- a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_uninstall.yml
+++ b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_uninstall.yml
@@ -9,11 +9,6 @@
 - matrix-synapse-s3-storage-provider-migrate.service
 register: matrix_synapse_s3_storage_provider_migrate_sevice_removal
-- name: Ensure systemd reloaded after matrix-synapse-s3-storage-provider-migrate.service removal
- ansible.builtin.service:
- daemon_reload: true
- when: matrix_synapse_s3_storage_provider_migrate_sevice_removal.changed | bool
-
 - name: Ensure s3-storage-provider files don't exist
 ansible.builtin.file:
 path: "{{ item }}"
diff --git a/roles/custom/matrix-synapse/tasks/goofys/setup_uninstall.yml b/roles/custom/matrix-synapse/tasks/goofys/setup_uninstall.yml
index ddfa5cf60..252877dee 100644
--- a/roles/custom/matrix-synapse/tasks/goofys/setup_uninstall.yml
+++ b/roles/custom/matrix-synapse/tasks/goofys/setup_uninstall.yml
@@ -5,32 +5,21 @@
 path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-goofys.service"
 register: matrix_goofys_service_stat
-- name: Ensure matrix-goofys is stopped
- ansible.builtin.service:
- name: matrix-goofys
- state: stopped
- enabled: false
- daemon_reload: true
- register: stopping_result
- when: "matrix_goofys_service_stat.stat.exists"
+- when: matrix_goofys_service_stat.stat.exists | bool
+ block:
+ - name: Ensure matrix-goofys is stopped
+ ansible.builtin.service:
+ name: matrix-goofys
+ state: stopped
+ enabled: false
+ daemon_reload: true
-- name: Ensure matrix-goofys.service doesn't exist
- ansible.builtin.file:
- path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-goofys.service"
- state: absent
- when: "matrix_goofys_service_stat.stat.exists"
-
-- name: Ensure systemd reloaded after matrix-goofys.service removal
- ansible.builtin.service:
- daemon_reload: true
- when: "matrix_goofys_service_stat.stat.exists"
-
-- name: Ensure goofys environment variables file doesn't exist
- ansible.builtin.file:
- path: "{{ matrix_synapse_config_dir_path }}/env-goofys"
- state: absent
+ - name: Ensure matrix-goofys.service doesn't exist
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-goofys.service"
+ state: absent
-- name: Ensure Goofys Docker image doesn't exist
- community.docker.docker_image:
- name: "{{ matrix_s3_goofys_docker_image }}"
- state: absent
+ - name: Ensure goofys environment variables file doesn't exist
+ ansible.builtin.file:
+ path: "{{ matrix_synapse_config_dir_path }}/env-goofys"
+ state: absent
diff --git a/roles/custom/matrix-synapse/tasks/synapse/setup_uninstall.yml b/roles/custom/matrix-synapse/tasks/synapse/setup_uninstall.yml
index 17fa8a4fa..7f0815224 100644
--- a/roles/custom/matrix-synapse/tasks/synapse/setup_uninstall.yml
+++ b/roles/custom/matrix-synapse/tasks/synapse/setup_uninstall.yml
@@ -5,36 +5,22 @@
 path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse.service"
 register: matrix_synapse_service_stat
-- name: Ensure matrix-synapse is stopped
- ansible.builtin.service:
- name: matrix-synapse
- state: stopped
- enabled: false
- daemon_reload: true
- register: stopping_result
- when: "matrix_synapse_service_stat.stat.exists"
+- when: matrix_synapse_service_stat.stat.exists | bool
+ block:
+ - name: Ensure matrix-synapse is stopped
+ ansible.builtin.service:
+ name: matrix-synapse
+ state: stopped
+ enabled: false
+ daemon_reload: true
-- name: Ensure matrix-synapse.service doesn't exist
- ansible.builtin.file:
- path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse.service"
- state: absent
- when: "matrix_synapse_service_stat.stat.exists"
-
-- name: Ensure systemd reloaded after matrix-synapse.service removal
- ansible.builtin.service:
- daemon_reload: true
- when: "matrix_synapse_service_stat.stat.exists"
-
-- name: Ensure Synapse Docker image doesn't exist
- community.docker.docker_image:
- name: "{{ item }}"
- state: absent
- with_items:
- - "{{ matrix_synapse_docker_image_final }}"
- - "{{ matrix_synapse_docker_image }}"
+ - name: Ensure matrix-synapse.service doesn't exist
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse.service"
+ state: absent
-- name: Ensure sample prometheus.yml for external scraping is deleted
- ansible.builtin.file:
- path: "{{ matrix_synapse_base_path }}/external_prometheus.yml.example"
- state: absent
- when: "not matrix_synapse_metrics_proxying_enabled | bool"
+ - name: Ensure sample prometheus.yml for external scraping is deleted
+ ansible.builtin.file:
+ path: "{{ matrix_synapse_base_path }}/external_prometheus.yml.example"
+ state: absent
+ when: "not matrix_synapse_metrics_proxying_enabled | bool"
From fa523c647205e3b15715f11d5c8aa436e46be320 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Fri, 25 Nov 2022 17:36:42 +0200
Subject: [PATCH 078/915] Remove blank lines
---
 roles/custom/matrix-bridge-appservice-irc/tasks/main.yml | 1 -
 roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml | 1 -
 2 files changed, 2 deletions(-)
diff --git a/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml b/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml
index 3f84171e3..1cc6b35c4 100644
--- a/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml
+++ b/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml
@@ -18,4 +18,3 @@
 tags:
 - setup-all
 - setup-appservice-irc
-
diff --git a/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml b/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml
index fa9fd87e9..5bf9236b5 100644
--- a/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml
+++ b/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml
@@ -18,4 +18,3 @@
 tags:
 - setup-all
 - setup-go-skype-bridge
-
From 16c18b0344b3007551bb968b9a94514c99552d00 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Fri, 25 Nov 2022 18:59:01 +0200
Subject: [PATCH 079/915] Upgrade Hydrogen (v0.3.4 -> v0.3.5)
---
 roles/custom/matrix-client-hydrogen/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-client-hydrogen/defaults/main.yml b/roles/custom/matrix-client-hydrogen/defaults/main.yml
index 80bdb021e..ac0d8289a 100644
--- a/roles/custom/matrix-client-hydrogen/defaults/main.yml
+++ b/roles/custom/matrix-client-hydrogen/defaults/main.yml
@@ -8,7 +8,7 @@ matrix_client_hydrogen_enabled: true
 matrix_client_hydrogen_container_image_self_build: true
 matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git"
-matrix_client_hydrogen_version: v0.3.4
+matrix_client_hydrogen_version: v0.3.5
 matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}"
 matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}"
From 504d4a4134ec23e67b0345c2cb86970d102af5cd Mon Sep 17 00:00:00 2001
From: Array in a Matrix
Date: Fri, 25 Nov 2022 23:27:43 -0800
Subject: [PATCH 080/915] Add dendrite captcha config to doc and hCaptcha (#2290) * added dendrite captcha options * added hcaptcha doc * proper url * Apply suggestions from code review Co-authored-by: Slavi Pantaleev * Update main.yml * renamed captcha vars to new naming scheme * change vars to new format * Rename back some incorrect renamed variables These variables are either not just part of the `client_api` subsection, or are not even part of that section at all. They shouldn't have been renamed in baaef2ed616e2645550d9 * Fix up naming inconsistencies Some of these variables had been renamed in one place, but not in other places, so it couldn't have worked that way. * Add validation/deprecation for renamed Dendrite variables Related to 4097898f885cf4c73, baaef2ed616e2645550, 68f4418092fa8ad and a0b4a0ae6b2f1f18 Co-authored-by: Slavi Pantaleev
---
 docs/configuring-captcha.md | 35 +++++++++++++++++--
 group_vars/matrix_servers | 8 ++---
 .../custom/matrix-dendrite/defaults/main.yml | 28 ++++++++-------
 .../matrix-dendrite/tasks/validate_config.yml | 15 ++++++--
 .../templates/dendrite/dendrite.yaml.j2 | 25 +++++++------
 5 files changed, 78 insertions(+), 33 deletions(-)
diff --git a/docs/configuring-captcha.md b/docs/configuring-captcha.md
index d137cf99e..173b34fe7 100644
--- a/docs/configuring-captcha.md
+++ b/docs/configuring-captcha.md
@@ -2,9 +2,11 @@
 # Overview
 Captcha can be enabled for this home server. This file explains how to do that.
-The captcha mechanism used is Google's [ReCaptcha](https://www.google.com/recaptcha/). This requires API keys from Google.
+The captcha mechanism used is Google's [ReCaptcha](https://www.google.com/recaptcha/). This requires API keys from Google. If your homeserver is Dendrite then [hCapcha](https://www.hcaptcha.com) can be used instead.
-## Getting keys
+## ReCaptcha
+
+### Getting keys
 Requires a site/secret key pair from:
@@ -12,12 +14,39 @@ Requires a site/secret key pair from:
 Must be a reCAPTCHA **v2** key using the "I'm not a robot" Checkbox option
-## Setting ReCaptcha Keys
+### Setting ReCaptcha keys
 Once registered as above, set the following values:
 ```yaml
+# for Synapse
 matrix_synapse_enable_registration_captcha: true
 matrix_synapse_recaptcha_public_key: 'YOUR_SITE_KEY'
 matrix_synapse_recaptcha_private_key: 'YOUR_SECRET_KEY'
+
+# for Dendrite
+matrix_dendrite_client_api_enable_registration_captcha: true
+matrix_dendrite_client_api_recaptcha_public_key: 'YOUR_SITE_KEY'
+matrix_dendrite_client_api_recaptcha_private_key: 'YOUR_SECRET_KEY'
+```
+
+## hCaptcha
+
+### Getting keys
+
+Requires a site/secret key pair from:
+
+
+
+### Setting hCaptcha keys
+
+```yaml
+matrix_dendrite_client_api_enable_registration_captcha: true
+matrix_dendrite_client_api_recaptcha_public_key: 'YOUR_SITE_KEY'
+matrix_dendrite_client_api_recaptcha_private_key: 'YOUR_SECRET_KEY'
+
+matrix_dendrite_client_api_recaptcha_siteverify_api: 'https://hcaptcha.com/siteverify'
+matrix_dendrite_client_api_recaptcha_api_js_url: 'https://js.hcaptcha.com/1/api.js'
+matrix_dendrite_client_api_recaptcha_form_field: 'h-captcha-response'
+matrix_dendrite_client_api_recaptcha_sitekey_class: 'h-captcha'
 ```
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index dd0c730c0..cf9c71933 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -1474,7 +1474,7 @@ matrix_bot_maubot_registration_shared_secret: |-
 {{
 {
 'synapse': matrix_synapse_registration_shared_secret,
- 'dendrite': matrix_dendrite_registration_shared_secret,
+ 'dendrite': matrix_dendrite_client_api_registration_shared_secret,
 }[matrix_homeserver_implementation]
 }}
@@ -2898,7 +2898,7 @@ matrix_registration_shared_secret: |-
 {{
 {
 'synapse': matrix_synapse_registration_shared_secret,
- 'dendrite': matrix_dendrite_registration_shared_secret,
+ 'dendrite': matrix_dendrite_client_api_registration_shared_secret,
 'conduit': '',
 }[matrix_homeserver_implementation]
 }}
@@ -2975,13 +2975,13 @@ matrix_dendrite_container_https_host_bind_address: "{{ '' if matrix_nginx_proxy_
 matrix_dendrite_sync_api_real_ip_header: "{{ 'X-Forwarded-For' if matrix_nginx_proxy_enabled else '' }}"
-matrix_dendrite_registration_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.rss', rounds=655555) | to_uuid }}"
+matrix_dendrite_client_api_registration_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.rss', rounds=655555) | to_uuid }}"
 matrix_dendrite_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.db', rounds=655555) | to_uuid }}"
 # Even if TURN doesn't support TLS (it does by default),
 # it doesn't hurt to try a secure connection anyway.
-matrix_dendrite_turn_uris: |
+matrix_dendrite_client_api_turn_uris: |
 {{
 [
 'turns:' + matrix_server_fqn_matrix + '?transport=udp',
diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml
index a60c33d26..ba84d4300 100644
--- a/roles/custom/matrix-dendrite/defaults/main.yml
+++ b/roles/custom/matrix-dendrite/defaults/main.yml
@@ -76,7 +76,7 @@ matrix_dendrite_systemd_wanted_services_list: []
 # matrix_dendrite_template_dendrite_config: "{{ playbook_dir }}/inventory/host_vars//dendrite.yaml.j2"
 matrix_dendrite_template_dendrite_config: "{{ role_path }}/templates/dendrite/dendrite.yaml.j2"
-matrix_dendrite_registration_shared_secret: ''
+matrix_dendrite_client_api_registration_shared_secret: ''
 matrix_dendrite_allow_guest_access: false
 matrix_dendrite_max_file_size_bytes: 10485760
@@ -89,18 +89,21 @@ matrix_dendrite_sync_api_real_ip_header: ''
 matrix_dendrite_tmp_directory_size_mb: 500
 # Rate limits
-matrix_dendrite_rate_limiting_enabled: true
-matrix_dendrite_rate_limiting_threshold: 20
-matrix_dendrite_rate_limiting_cooloff_ms: 500
+matrix_dendrite_client_api_rate_limiting_enabled: true
+matrix_dendrite_client_api_rate_limiting_threshold: 20
+matrix_dendrite_client_api_rate_limiting_cooloff_ms: 500
 # Controls whether people with access to the homeserver can register by themselves.
-matrix_dendrite_registration_disabled: true
+matrix_dendrite_client_api_registration_disabled: true
 # reCAPTCHA API for validating registration attempts
-matrix_dendrite_enable_registration_captcha: false
-matrix_dendrite_recaptcha_public_key: ""
-matrix_dendrite_recaptcha_private_key: ""
-matrix_dendrite_recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
+matrix_dendrite_client_api_enable_registration_captcha: false
+matrix_dendrite_client_api_recaptcha_public_key: ""
+matrix_dendrite_client_api_recaptcha_private_key: ""
+matrix_dendrite_client_api_recaptcha_siteverify_api: ""
+matrix_dendrite_client_api_recaptcha_api_js_url: ""
+matrix_dendrite_client_api_recaptcha_form_field: ""
+matrix_dendrite_client_api_recaptcha_sitekey_class: ""
 # A list of additional "volumes" to mount in the container.
 # This list gets populated dynamically based on Dendrite extensions that have been enabled.
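Review bot: `matrix_dendrite_client_api_recaptcha_siteverify_api` now defaults to `""`, where the removed `matrix_dendrite_recaptcha_siteverify_api` defaulted to Google's siteverify URL, and the new `_recaptcha_api_js_url`, `_recaptcha_form_field` and `_recaptcha_sitekey_class` variables also default to empty strings. The ReCaptcha section of docs/configuring-captcha.md in this same commit tells Dendrite users to set only the enable flag and the two keys, so a ReCaptcha deployment following the docs ends up rendering empty siteverify/js/form/sitekey values into dendrite.yaml unless Dendrite substitutes its own Google defaults for empty strings, which I cannot confirm from this diff. Either keep the Google values as the defaults here, with a comment such as `# Defaults target Google ReCaptcha; override all four for hCaptcha (see docs/configuring-captcha.md)`, or add a task to validate_config.yml that fails when `matrix_dendrite_client_api_enable_registration_captcha` is true and any of the four is empty, since a captcha that is enabled but misconfigured is not an obvious failure at registration time.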
@@ -147,11 +150,10 @@ matrix_dendrite_userapi_database: "dendrite_userapi"
 matrix_dendrite_pushserver_database: "dendrite_pushserver"
 matrix_dendrite_mscs_database: "dendrite_mscs"
-matrix_dendrite_turn_uris: []
-matrix_dendrite_turn_shared_secret: ""
-matrix_dendrite_turn_allow_guests: false
+matrix_dendrite_client_api_turn_uris: []
+matrix_dendrite_client_api_turn_client_api_shared_secret: ""
+matrix_dendrite_client_api_turn_allow_guests: false
-# Controls whether the self-check feature should validate TLS certificates.
 matrix_dendrite_disable_tls_validation: false
 matrix_dendrite_trusted_id_servers:
diff --git a/roles/custom/matrix-dendrite/tasks/validate_config.yml b/roles/custom/matrix-dendrite/tasks/validate_config.yml
index 390da9380..7ca31b0d5 100644
--- a/roles/custom/matrix-dendrite/tasks/validate_config.yml
+++ b/roles/custom/matrix-dendrite/tasks/validate_config.yml
@@ -5,7 +5,7 @@
 You need to define a required configuration setting (`{{ item }}`) for using Dendrite.
 when: "vars[item] == ''"
 with_items:
- - "matrix_dendrite_registration_shared_secret"
+ - "matrix_dendrite_client_api_registration_shared_secret"
 - name: (Deprecation) Catch and report renamed settings
 ansible.builtin.fail:
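Review bot: `matrix_dendrite_client_api_turn_client_api_shared_secret` does not match the name the template consumes: the dendrite.yaml.j2 hunk renders `turn_shared_secret: {{ matrix_dendrite_client_api_turn_shared_secret | to_json }}`, and `matrix_dendrite_client_api_turn_shared_secret` is defined nowhere in this diff, so rendering the config with these defaults would hit an undefined variable. The deprecation entry added in validate_config.yml repeats the doubled `turn_client_api` spelling, so it will not catch this either. Changing this line to `matrix_dendrite_client_api_turn_shared_secret: ""` and aligning the validate_config entry with it resolves both. Also, deleting `# Controls whether the self-check feature should validate TLS certificates.` leaves `matrix_dendrite_disable_tls_validation` undocumented; if the old comment was inaccurate, replace it with a correct one rather than removing it, since a TLS-validation toggle is exactly the kind of setting a reader needs explained before flipping it.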
@@ -13,4 +13,15 @@
 Your configuration contains a variable, which now has a different name.
 Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
 when: "item.old in vars"
- with_items: []
+ with_items:
+ - {'old': 'matrix_dendrite_enable_registration_captcha', 'new': 'matrix_dendrite_client_api_enable_registration_captcha'}
+ - {'old': 'matrix_dendrite_recaptcha_public_key', 'new': 'matrix_dendrite_client_api_recaptcha_public_key'}
+ - {'old': 'matrix_dendrite_recaptcha_private_key', 'new': 'matrix_dendrite_client_api_recaptcha_private_key'}
+ - {'old': 'matrix_dendrite_registration_disabled', 'new': 'matrix_dendrite_client_api_registration_disabled'}
+ - {'old': 'matrix_dendrite_registration_shared_secret', 'new': 'matrix_dendrite_client_api_registration_shared_secret'}
+ - {'old': 'matrix_dendrite_turn_uris', 'new': 'matrix_dendrite_client_api_turn_uris'}
+ - {'old': 'matrix_dendrite_turn_client_api_shared_secret', 'new': 'matrix_dendrite_client_api_turn_client_api_shared_secret'}
+ - {'old': 'matrix_dendrite_turn_allow_guests', 'new': 'matrix_dendrite_client_api_turn_allow_guests'}
+ - {'old': 'matrix_dendrite_rate_limiting_enabled', 'new': 'matrix_dendrite_client_api_rate_limiting_enabled'}
+ - {'old': 'matrix_dendrite_rate_limiting_threshold', 'new': 'matrix_dendrite_client_api_rate_limiting_threshold'}
+ - {'old': 'matrix_dendrite_rate_limiting_cooloff_ms', 'new': 'matrix_dendrite_client_api_rate_limiting_cooloff_ms'}
diff --git a/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2
index 65cb4c2c3..005f9bd64 100644
--- a/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2
+++ b/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2
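Review bot: The renamed-settings list misses `matrix_dendrite_recaptcha_siteverify_api`, which this commit renames to `matrix_dendrite_client_api_recaptcha_siteverify_api` in defaults/main.yml, so an inventory still setting the old name passes this check and silently loses its siteverify URL rather than failing here. Add `- {'old': 'matrix_dendrite_recaptcha_siteverify_api', 'new': 'matrix_dendrite_client_api_recaptcha_siteverify_api'}`. The TURN entry lists `matrix_dendrite_turn_client_api_shared_secret` as the old name, while the variable actually removed from defaults/main.yml is `matrix_dendrite_turn_shared_secret`, so that rename is not caught either and a previously configured TURN secret would be dropped without warning. The task's name and `ansible.builtin.fail` lines sit above this hunk.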
@@ -175,7 +175,7 @@ client_api:
 # Prevents new users from being able to register on this homeserver, except when
 # using the registration shared secret below.
- registration_disabled: {{ matrix_dendrite_registration_disabled|to_json }}
+ registration_disabled: {{ matrix_dendrite_client_api_registration_disabled | to_json }}
 # Prevents new guest accounts from being created. Guest registration is also
 # disabled implicitly by setting 'registration_disabled' above.
@@ -183,22 +183,25 @@ client_api:
 # If set, allows registration by anyone who knows the shared secret, regardless of
 # whether registration is otherwise disabled.
- registration_shared_secret: {{ matrix_dendrite_registration_shared_secret | string|to_json }}
+ registration_shared_secret: {{ matrix_dendrite_client_api_registration_shared_secret | string | to_json }}
 # Whether to require reCAPTCHA for registration.
- enable_registration_captcha: {{ matrix_dendrite_enable_registration_captcha|to_json }}
+ enable_registration_captcha: {{ matrix_dendrite_client_api_enable_registration_captcha | to_json }}
 # Settings for ReCAPTCHA.
- recaptcha_public_key: {{ matrix_dendrite_recaptcha_public_key|to_json }}
- recaptcha_private_key: {{ matrix_dendrite_recaptcha_private_key|to_json }}
+ recaptcha_public_key: {{ matrix_dendrite_client_api_recaptcha_public_key | to_json }}
+ recaptcha_private_key: {{ matrix_dendrite_client_api_recaptcha_private_key | to_json }}
 recaptcha_bypass_secret: ""
- recaptcha_siteverify_api: {{ matrix_dendrite_recaptcha_siteverify_api|to_json }}
+ recaptcha_siteverify_api: {{ matrix_dendrite_client_api_recaptcha_siteverify_api | to_json }}
+ recaptcha_api_js_url: {{ matrix_dendrite_client_api_recaptcha_api_js_url | to_json }}
+ recaptcha_form_field: {{ matrix_dendrite_client_api_recaptcha_form_field | to_json }}
+ recaptcha_sitekey_class: {{ matrix_dendrite_client_api_recaptcha_sitekey_class | to_json }}
 # TURN server information that this homeserver should send to clients.
 turn:
 turn_user_lifetime: ""
- turn_uris: {{ matrix_dendrite_turn_uris|to_json }}
- turn_shared_secret: {{ matrix_dendrite_turn_shared_secret|to_json }}
+ turn_uris: {{ matrix_dendrite_client_api_turn_uris | to_json }}
+ turn_shared_secret: {{ matrix_dendrite_client_api_turn_shared_secret | to_json }}
 turn_username: ""
 turn_password: ""
@@ -206,9 +209,9 @@ client_api:
 # threshold number of "slots" have been taken by requests from a specific
 # host. Each "slot" will be released after the cooloff time in milliseconds.
 rate_limiting:
- enabled: {{ matrix_dendrite_rate_limiting_enabled|to_json }}
- threshold: {{ matrix_dendrite_rate_limiting_threshold|to_json }}
- cooloff_ms: {{ matrix_dendrite_rate_limiting_cooloff_ms|to_json }}
+ enabled: {{ matrix_dendrite_client_api_rate_limiting_enabled | to_json }}
+ threshold: {{ matrix_dendrite_client_api_rate_limiting_threshold | to_json }}
+ cooloff_ms: {{ matrix_dendrite_client_api_rate_limiting_cooloff_ms | to_json }}
 exempt_user_ids:
 # - "@user:domain.com"
From fe4c2d73f491b8ffa5a5e734fb9766f9c82cdbb7 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sat, 26 Nov 2022 16:45:07 +0200
Subject: [PATCH 081/915] Update Ansible version requirements Tests were carried out like this: - `virtualenv3 env` - `./env/bin/pip install ansible==4.10.0 ansible-core==2.11.7` - `./env/bin/ansible-playbook .....` The lowest version of `ansible-core` available on PyPI right now is 2.11.0. That version has trouble with `ansible==4.0.0` though. The errors we were hitting seemed to be resolved by others online by using `ansible==4.10.0` instead, which has a minimum `ansible-core` requirement of `2.11.7`, so that's what we went with. Older versions of Ansible may work, but.. I'm having trouble installing them and don't want to spend too much time on digging through ancient versions and testing them out. People should just learn to run up-to-date software.
---
 docs/ansible.md | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/docs/ansible.md b/docs/ansible.md
index 49dbd7eaf..221222830 100644
--- a/docs/ansible.md
+++ b/docs/ansible.md
@@ -9,19 +9,14 @@ If your local computer cannot run Ansible, you can also run Ansible on some serv ## Supported Ansible versions -Ansible 2.7.1 or newer is required ([last discussion about Ansible versions](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/743)). - -Note: Ubuntu 20.04 ships with Ansible 2.9.6 which is a buggy version (see this [bug](https://bugs.launchpad.net/ubuntu/+source/ansible/+bug/1880359)), which can't be used in combination with a host running new systemd (more details in [#517](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/517), [#669](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/669)). If this problem affects you, you can: avoid running Ubuntu 20.04 on your host; run Ansible from another machine targeting your host; or try to upgrade to a newer Ansible version (see below). - - -## Checking your Ansible version +To manually check which version of Ansible you're on, run: `ansible --version`. -In most cases, you won't need to worry about the Ansible version. -The playbook will try to detect it and tell you if you're on an unsupported version. +For the **best experience**, we recommend getting the **latest version of Ansible available**. -To manually check which version of Ansible you're on, run: `ansible --version`. +We're not sure what's the minimum version of Ansible that can run this playbook successfully. +The lowest version that we've confirmed (on 2022-11-26) to be working fine is: `ansible-core` (`2.11.7`) combined with `ansible` (`4.10.0`). -If you're on an old version of Ansible, you should [upgrade Ansible to a newer version](#upgrading-ansible) or [use Ansible via Docker](#using-ansible-via-docker). +If your distro ships with an Ansible version older than this, you may run into issues. Consider [Upgrading Ansible](#upgrading-ansible) or [using Ansible via Docker](#using-ansible-via-docker). ## Upgrading Ansible 
From e9765ae4a5ed60d2864a32ed458aa8939fa5ca0b Mon Sep 17 00:00:00 2001 From: teutat3s <10206665+teutat3s@users.noreply.github.com> Date: Sat, 26 Nov 2022 16:16:56 +0100 Subject: [PATCH 082/915] Update docs on how to use synapse & keycloak OIDC Use up-to-date example from synapse docs Add link to keycloak website Add link to synapse docs on OIDC --- docs/configuring-playbook-synapse.md | 32 +++++++++++++++++----------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/docs/configuring-playbook-synapse.md b/docs/configuring-playbook-synapse.md index 2e14f1ad4..b3414d8f1 100644 --- a/docs/configuring-playbook-synapse.md +++ b/docs/configuring-playbook-synapse.md 
@@ -56,21 +56,27 @@ Certain Synapse administration tasks (managing users and rooms, etc.) can be per If you'd like to use OpenID Connect authentication with Synapse, you'll need some additional reverse-proxy configuration (see [our nginx reverse-proxy doc page](configuring-playbook-nginx.md#synapse-openid-connect-for-single-sign-on)). +This example configuration is for [keycloak](https://www.keycloak.org/), an opensource Identity Provider maintained by Red Hat. + +For more detailed documentation on available options and how to setup keycloak, see the [Synapse documentation on OpenID Connect with keycloak](https://github.com/matrix-org/synapse/blob/develop/docs/openid.md#keycloak). + In case you encounter errors regarding the parsing of the variables, you can try to add `{% raw %}` and `{% endraw %}` blocks around them. For example ; ``` - - idp_id: keycloak - idp_name: "Keycloak" - issuer: "https://url.ix/auth/realms/x" - client_id: "matrix" - client_secret: "{{ vault_synapse_keycloak }}" - scopes: ["openid", "profile"] - authorization_endpoint: "https://url.ix/auth/realms/x/protocol/openid-connect/auth" - token_endpoint: "https://url.ix/auth/realms/x/protocol/openid-connect/token" - userinfo_endpoint: "https://url.ix/auth/realms/x/protocol/openid-connect/userinfo" - user_mapping_provider: - config: - display_name_template: "{% raw %}{{ user.given_name }}{% endraw %} {% raw %}{{ user.family_name }}{% endraw %}" - email_template: "{% raw %}{{ user.email }}{% endraw %}" +matrix_synapse_configuration_extension_yaml: | + oidc_providers: + - idp_id: keycloak + idp_name: "My KeyCloak server" + issuer: "https://url.ix/auth/realms/{realm_name}" + client_id: "matrix" + client_secret: "{{ vault_synapse_keycloak }}" + scopes: ["openid", "profile"] + user_mapping_provider: + config: + localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}" + display_name_template: "{% raw %}{{ user.name }}{% endraw %}" + email_template: "{% raw %}{{ user.email }}{% endraw %}" 
+ allow_existing_users: true # Optional + backchannel_logout_enabled: true # Optional ``` From 71de7cd8cd814c9a6632bd03dcc3d0ca250efc4e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 26 Nov 2022 18:51:27 +0200 Subject: [PATCH 083/915] Simplify matrix_backup_borg_postgresql_databases definition There was no need to add `synapse` to the list manually and then add all other additional databases. When the `synapse` database was the main database, this made sense. Since a long time ago already, ALL databases are "additional" databases, so the `synapse` database is part of that list. We could additional add the main (`matrix`) database to this list, but there's probably no point in backing that one up. --- group_vars/matrix_servers | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index cf9c71933..2bcb22da5 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1655,14 +1655,7 @@ matrix_backup_borg_postgresql_databases_hostname: "{{ matrix_postgres_connection matrix_backup_borg_postgresql_databases_username: "{{ matrix_postgres_connection_username }}" matrix_backup_borg_postgresql_databases_password: "{{ matrix_postgres_connection_password }}" matrix_backup_borg_postgresql_databases_port: "{{ matrix_postgres_connection_port }}" -matrix_backup_borg_postgresql_databases: | - {{ - (([{ - 'name': matrix_synapse_database_database - }] if (matrix_synapse_enabled and matrix_synapse_database_database == matrix_postgres_db_name and matrix_synapse_database_host == 'matrix-postgres') else []) - + - matrix_postgres_additional_databases)|map(attribute='name') | list - }} +matrix_backup_borg_postgresql_databases: "{{ matrix_postgres_additional_databases | map(attribute='name') if matrix_postgres_enabled else [] }}" matrix_backup_borg_location_source_directories: - "{{ matrix_base_data_path }}" matrix_backup_borg_location_exclude_patterns: | 
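Review bot: The new one-line `matrix_backup_borg_postgresql_databases` drops the `| list` that the removed definition applied after `map(attribute='name')`; on Ansible/Jinja2 combinations where `map` yields a generator rather than a list, the variable renders as a `<generator object …>` string and the Borg role ends up backing up no databases at all, so I would keep it: `matrix_backup_borg_postgresql_databases: "{{ matrix_postgres_additional_databases | map(attribute='name') | list if matrix_postgres_enabled else [] }}"`. The commit message also states that the main `matrix` database is deliberately left out; a backup list is exactly the kind of setting an operator audits, so a one-line comment above the variable saying that only the per-service ("additional") databases are included would make that scope explicit. Whether the playbook's minimum Ansible version still needs `| list` is something I cannot confirm from this chunk.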
From 018a609e4715b07cd2a26ce424fd502973679e1d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 26 Nov 2022 18:57:45 +0200 Subject: [PATCH 084/915] Simplify matrix_postgres_backup_databases definition Related to 71de7cd8cd814c9a6 --- group_vars/matrix_servers | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 2bcb22da5..940a52e68 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2932,15 +2932,7 @@ matrix_postgres_backup_connection_password: "{{ matrix_postgres_connection_passw matrix_postgres_backup_postgres_data_path: "{{ matrix_postgres_data_path if matrix_postgres_enabled else '' }}" -# the default matrix synapse databse is not always part of the matrix_postgres_additional_databases variable thus we have to add it if the default database is used -matrix_postgres_backup_databases: | - {{ - (([{ - 'name': matrix_synapse_database_database - }] if (matrix_synapse_enabled and matrix_synapse_database_database == matrix_postgres_db_name and matrix_synapse_database_host == 'matrix-postgres') else []) - + - matrix_postgres_additional_databases)|map(attribute='name') | list - }} +matrix_postgres_backup_databases: "{{ matrix_postgres_additional_databases | map(attribute='name') if matrix_postgres_enabled else [] }}" ###################################################################### # From ea0c9ed71d9e447033cdcd7f316cc31c36384c6f Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Sat, 26 Nov 2022 18:48:04 +0000 Subject: [PATCH 085/915] update mautrix-telegram 0.12.1 -> 0.12.2 --- roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml index 0f52cc222..6f2137e47 100644 
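Review bot: `matrix_postgres_backup_databases` loses the trailing `| list` the removed expression had after `map(attribute='name')`, together with the comment that explained why the Synapse database was being added; if the Ansible/Jinja2 version in use returns a generator from `map`, the backup job receives a `<generator object …>` string instead of a list of database names. I would write it as `matrix_postgres_backup_databases: "{{ matrix_postgres_additional_databases | map(attribute='name') | list if matrix_postgres_enabled else [] }}"` and replace the deleted comment with one stating the new scope, e.g. `# Back up every per-service ("additional") database; the main database is intentionally not included.` I cannot verify from here whether `| list` is still required on the minimum Ansible version the playbook now targets.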
--- a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -16,7 +16,7 @@ matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git" matrix_mautrix_telegram_docker_repo_version: "{{ 'master' if matrix_mautrix_telegram_version == 'latest' else matrix_mautrix_telegram_version }}" matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src" -matrix_mautrix_telegram_version: v0.12.1 +matrix_mautrix_telegram_version: v0.12.2 # See: https://mau.dev/mautrix/telegram/container_registry matrix_mautrix_telegram_docker_image: "dock.mau.dev/mautrix/telegram:{{ matrix_mautrix_telegram_version }}" matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}" From dd9ae0d25c49d4a476445c5ec8fb4f9f28e0139c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 27 Nov 2022 07:24:24 +0200 Subject: [PATCH 086/915] Fix accidentally swapped tags (rust-synapse-compress-state and update-user-password) --- roles/custom/matrix-synapse/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-synapse/tasks/main.yml b/roles/custom/matrix-synapse/tasks/main.yml index bd048d73a..3485e894e 100644 --- a/roles/custom/matrix-synapse/tasks/main.yml +++ b/roles/custom/matrix-synapse/tasks/main.yml @@ -51,13 +51,13 @@ - when: matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/update_user_password.yml" tags: - - rust-synapse-compress-state + - update-user-password - block: - when: matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/rust-synapse-compress-state/main.yml" tags: - - update-user-password + - rust-synapse-compress-state - block: - when: matrix_synapse_enabled | bool From 04b9483f0d9e562398e75242452a3a166cc8b001 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sun, 27 Nov 2022 07:23:41 +0200 Subject: [PATCH 087/915] Switch from matrix-postgres to com.devture.ansible.role.postgres --- .../configuring-playbook-external-postgres.md | 2 +- examples/vars.yml | 2 +- group_vars/matrix_servers | 328 ++++++++++-------- playbooks/matrix.yml | 4 +- requirements.yml | 3 + .../tasks/setup_install.yml | 12 +- .../tasks/setup_install.yml | 4 +- .../tasks/setup_install.yml | 4 +- .../tasks/setup_install.yml | 4 +- .../tasks/setup_install.yml | 4 +- .../tasks/setup_install.yml | 4 +- .../tasks/migrate_nedb_to_postgres.yml | 12 +- .../tasks/migrate_nedb_to_postgres.yml | 12 +- .../tasks/setup_install.yml | 4 +- .../tasks/setup_install.yml | 4 +- .../tasks/setup_install.yml | 4 +- .../tasks/setup_install.yml | 4 +- .../tasks/setup_install.yml | 4 +- .../tasks/setup_install.yml | 4 +- .../tasks/setup_install.yml | 4 +- .../tasks/setup_install.yml | 4 +- .../tasks/setup_install.yml | 4 +- .../tasks/setup_install.yml | 4 +- .../tasks/setup_install.yml | 4 +- .../tasks/setup_install.yml | 4 +- .../tasks/setup_install.yml | 4 +- .../matrix-dimension/tasks/setup_install.yml | 4 +- .../matrix-etherpad/tasks/validate_config.yml | 2 +- .../matrix-ma1sd/tasks/setup_install.yml | 4 +- .../tasks/setup_install.yml | 2 +- .../custom/matrix-postgres/defaults/main.yml | 133 ------- .../detect_existing_postgres_version.yml | 75 ---- .../tasks/import_generic_sqlite_db.yml | 102 ------ .../matrix-postgres/tasks/import_postgres.yml | 114 ------ .../tasks/import_synapse_sqlite_db.yml | 89 ----- roles/custom/matrix-postgres/tasks/main.yml | 43 --- .../tasks/migrate_db_to_postgres.yml | 176 ---------- .../tasks/migrate_postgres_data_directory.yml | 78 ----- .../matrix-postgres/tasks/run_vacuum.yml | 96 ----- .../matrix-postgres/tasks/setup_postgres.yml | 215 ------------ .../tasks/upgrade_postgres.yml | 188 ---------- .../tasks/util/create_additional_database.yml | 41 --- .../util/create_additional_databases.yml | 23 -- 
.../matrix-postgres/tasks/validate_config.yml | 39 --- .../templates/env-postgres-psql.j2 | 8 - .../templates/env-postgres-server.j2 | 7 - .../init-additional-db-user-and-role.sql.j2 | 19 - .../systemd/matrix-postgres.service.j2 | 46 --- .../matrix-change-user-admin-status.j2 | 19 - .../matrix-postgres-cli-non-interactive.j2 | 12 - .../usr-local-bin/matrix-postgres-cli.j2 | 13 - ...trix-postgres-update-user-password-hash.j2 | 16 - .../tasks/setup_install.yml | 4 +- .../compress_room.yml | 10 +- .../rust-synapse-compress-state/main.yml | 16 +- .../tasks/update_user_password.yml | 34 +- .../tasks/validate_config.yml | 12 + 57 files changed, 287 insertions(+), 1800 deletions(-) delete mode 100644 roles/custom/matrix-postgres/defaults/main.yml delete mode 100644 roles/custom/matrix-postgres/tasks/detect_existing_postgres_version.yml delete mode 100644 roles/custom/matrix-postgres/tasks/import_generic_sqlite_db.yml delete mode 100644 roles/custom/matrix-postgres/tasks/import_postgres.yml delete mode 100644 roles/custom/matrix-postgres/tasks/import_synapse_sqlite_db.yml delete mode 100644 roles/custom/matrix-postgres/tasks/main.yml delete mode 100644 roles/custom/matrix-postgres/tasks/migrate_db_to_postgres.yml delete mode 100644 roles/custom/matrix-postgres/tasks/migrate_postgres_data_directory.yml delete mode 100644 roles/custom/matrix-postgres/tasks/run_vacuum.yml delete mode 100644 roles/custom/matrix-postgres/tasks/setup_postgres.yml delete mode 100644 roles/custom/matrix-postgres/tasks/upgrade_postgres.yml delete mode 100644 roles/custom/matrix-postgres/tasks/util/create_additional_database.yml delete mode 100644 roles/custom/matrix-postgres/tasks/util/create_additional_databases.yml delete mode 100644 roles/custom/matrix-postgres/tasks/validate_config.yml delete mode 100644 roles/custom/matrix-postgres/templates/env-postgres-psql.j2 delete mode 100644 roles/custom/matrix-postgres/templates/env-postgres-server.j2 delete mode 100644 
roles/custom/matrix-postgres/templates/sql/init-additional-db-user-and-role.sql.j2 delete mode 100644 roles/custom/matrix-postgres/templates/systemd/matrix-postgres.service.j2 delete mode 100644 roles/custom/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 delete mode 100644 roles/custom/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli-non-interactive.j2 delete mode 100644 roles/custom/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 delete mode 100644 roles/custom/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 diff --git a/docs/configuring-playbook-external-postgres.md b/docs/configuring-playbook-external-postgres.md index 1f1a30e49..d3c16cd97 100644 --- a/docs/configuring-playbook-external-postgres.md +++ b/docs/configuring-playbook-external-postgres.md @@ -10,7 +10,7 @@ If you'd like to use an external PostgreSQL server that you manage, you can edit If you'd like to use an external Postgres server, use a custom `vars.yml` configuration like this: ```yaml -matrix_postgres_enabled: false +devture_postgres_enabled: false # Rewire Synapse to use your external Postgres server matrix_synapse_database_host: "your-postgres-server-hostname" diff --git a/examples/vars.yml b/examples/vars.yml index e1b6cf054..732d7eedd 100644 --- a/examples/vars.yml +++ b/examples/vars.yml @@ -35,4 +35,4 @@ matrix_ssl_lets_encrypt_support_email: '' # # The playbook creates additional Postgres users and databases (one for each enabled service) # using this superuser account. -matrix_postgres_connection_password: '' +devture_postgres_connection_password: '' diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 940a52e68..2e86eea57 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -287,7 +287,7 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-ntfy.service', 'priority': 800, 'groups': ['matrix', 'ntfy']}] if matrix_ntfy_enabled else []) + - ([{'name': 'matrix-postgres.service', 'priority': 500, 'groups': ['matrix', 'postgres']}] if matrix_postgres_enabled else []) + ([{'name': (devture_postgres_identifier + '.service'), 'priority': 500, 'groups': ['matrix', 'postgres']}] if devture_postgres_enabled else []) + ([{'name': 'matrix-postgres-backup.service', 'priority': 3000, 'groups': ['matrix', 'backup', 'postgres-backup']}] if matrix_postgres_backup_enabled else []) + @@ -417,7 +417,7 @@ matrix_appservice_discord_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -428,7 +428,7 @@ matrix_appservice_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_ # We only make this use Postgres if our own Postgres server is enabled. # It's only then (for now) that we can automatically create the necessary database and user for this service. -matrix_appservice_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_appservice_discord_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" matrix_appservice_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.discord.db', rounds=655555) | to_uuid }}" ###################################################################### 
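Review bot: The `*_database_engine` selectors in this hunk now key off `devture_postgres_enabled`, so a host whose `vars.yml` still carries `matrix_postgres_enabled: false` (the previously documented way to use an external Postgres) no longer has that setting honored; if `devture_postgres_enabled` defaults to true, the playbook would start an internal Postgres and point services such as `matrix_appservice_discord` at it while the real data stays on the external server. The diffstat lists 12 added lines in a `validate_config.yml`, which may well reject the old names, but that file is not in this chunk, so I would make sure `matrix_postgres_enabled` and `matrix_postgres_connection_password` are caught there and called out in the changelog for operators following the external-Postgres doc. Minor style point: the service name is built as `(devture_postgres_identifier + '.service')` in the first hunk but as `devture_postgres_identifier ~ '.service'` in the others; `~` is the safer Jinja2 concatenation and the two should agree.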
@@ -509,8 +509,8 @@ matrix_appservice_slack_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_appservice_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'nedb' }}" +# Postgres is the default, except if not using internal Postgres server +matrix_appservice_slack_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'nedb' }}" matrix_appservice_slack_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.slack.db', rounds=655555) | to_uuid }}" ###################################################################### @@ -552,7 +552,7 @@ matrix_appservice_irc_appservice_token: "{{ '%s' | format(matrix_homeserver_gene matrix_appservice_irc_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'irc.hs.token', rounds=655555) | to_uuid }}" -matrix_appservice_irc_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'nedb' }}" +matrix_appservice_irc_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'nedb' }}" matrix_appservice_irc_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.irc.db', rounds=655555) | to_uuid }}" @@ -581,7 +581,7 @@ matrix_appservice_kakaotalk_systemd_required_services_list: | + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) }} matrix_appservice_kakaotalk_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.kakao.hs', rounds=655555) | to_uuid }}" 
@@ -590,7 +590,7 @@ matrix_appservice_kakaotalk_homeserver_token: "{{ '%s' | format(matrix_homeserve matrix_appservice_kakaotalk_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -matrix_appservice_kakaotalk_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_appservice_kakaotalk_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" matrix_appservice_kakaotalk_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.kakao.db', rounds=655555) | to_uuid }}" ###################################################################### @@ -617,7 +617,7 @@ matrix_beeper_linkedin_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -655,7 +655,7 @@ matrix_go_skype_bridge_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} 
@@ -666,8 +666,8 @@ matrix_go_skype_bridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_gen matrix_go_skype_bridge_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_go_skype_bridge_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +# Postgres is the default, except if not using internal Postgres server +matrix_go_skype_bridge_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" matrix_go_skype_bridge_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'goskype.db', rounds=655555) | to_uuid }}" ###################################################################### @@ -693,7 +693,7 @@ matrix_mautrix_facebook_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -712,7 +712,7 @@ matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_presence_enabled if # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. -matrix_mautrix_facebook_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_mautrix_facebook_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" matrix_mautrix_facebook_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.fb.db', rounds=655555) | to_uuid }}" ###################################################################### 
@@ -739,7 +739,7 @@ matrix_mautrix_hangouts_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -752,8 +752,8 @@ matrix_mautrix_hangouts_container_http_host_bind_port: "{{ '' if matrix_nginx_pr matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_mautrix_hangouts_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +# Postgres is the default, except if not using internal Postgres server +matrix_mautrix_hangouts_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" matrix_mautrix_hangouts_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.hangouts.db', rounds=655555) | to_uuid }}" ###################################################################### @@ -780,7 +780,7 @@ matrix_mautrix_googlechat_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} 
@@ -793,8 +793,8 @@ matrix_mautrix_googlechat_container_http_host_bind_port: "{{ '' if matrix_nginx_ matrix_mautrix_googlechat_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_mautrix_googlechat_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +# Postgres is the default, except if not using internal Postgres server +matrix_mautrix_googlechat_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" matrix_mautrix_googlechat_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.gc.db', rounds=655555) | to_uuid }}" ###################################################################### @@ -821,7 +821,7 @@ matrix_mautrix_instagram_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -836,7 +836,7 @@ matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_presence_enabled if # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. -matrix_mautrix_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_mautrix_instagram_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" matrix_mautrix_instagram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.ig.db', rounds=655555) | to_uuid }}" ###################################################################### 
@@ -861,7 +861,7 @@ matrix_mautrix_signal_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + @@ -910,7 +910,7 @@ matrix_mautrix_telegram_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -925,8 +925,8 @@ matrix_mautrix_telegram_container_http_host_bind_port: "{{ '' if matrix_nginx_pr matrix_mautrix_telegram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_mautrix_telegram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +# Postgres is the default, except if not using internal Postgres server +matrix_mautrix_telegram_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" matrix_mautrix_telegram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.telegram.db', rounds=655555) | to_uuid }}" ###################################################################### 
@@ -952,7 +952,7 @@ matrix_mautrix_twitter_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -963,8 +963,8 @@ matrix_mautrix_twitter_homeserver_token: "{{ '%s' | format(matrix_homeserver_gen matrix_mautrix_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -matrix_mautrix_twitter_database_hostname: "{{ 'matrix-postgres' if matrix_postgres_enabled else '' }}" -matrix_mautrix_twitter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.twt.db', rounds=655555) | to_uuid if matrix_postgres_enabled else '' }}" +matrix_mautrix_twitter_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}" +matrix_mautrix_twitter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.twt.db', rounds=655555) | to_uuid if devture_postgres_enabled else '' }}" ###################################################################### # @@ -989,7 +989,7 @@ matrix_mautrix_whatsapp_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} 
@@ -1000,8 +1000,8 @@ matrix_mautrix_whatsapp_homeserver_token: "{{ '%s' | format(matrix_homeserver_ge matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_mautrix_whatsapp_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +# Postgres is the default, except if not using internal Postgres server +matrix_mautrix_whatsapp_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" matrix_mautrix_whatsapp_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mauwhatsapp.db', rounds=655555) | to_uuid }}" ###################################################################### @@ -1027,7 +1027,7 @@ matrix_mautrix_discord_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} 
@@ -1038,8 +1038,8 @@ matrix_mautrix_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_gen matrix_mautrix_discord_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_mautrix_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +# Postgres is the default, except if not using internal Postgres server +matrix_mautrix_discord_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" matrix_mautrix_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudiscord.db', rounds=655555) | to_uuid }}" # Enabling bridge.restricted_rooms for this bridge does not work well with Conduit, so we disable it by default. @@ -1175,7 +1175,7 @@ matrix_mx_puppet_slack_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} 
@@ -1186,8 +1186,8 @@ matrix_mx_puppet_slack_homeserver_token: "{{ '%s' | format(matrix_homeserver_gen matrix_mx_puppet_slack_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_mx_puppet_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +# Postgres is the default, except if not using internal Postgres server +matrix_mx_puppet_slack_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" matrix_mx_puppet_slack_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.slack.db', rounds=655555) | to_uuid }}" ###################################################################### @@ -1213,7 +1213,7 @@ matrix_mx_puppet_twitter_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} 
@@ -1226,8 +1226,8 @@ matrix_mx_puppet_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_pr matrix_mx_puppet_twitter_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_mx_puppet_twitter_appservice_port) }}" -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_mx_puppet_twitter_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +# Postgres is the default, except if not using internal Postgres server +matrix_mx_puppet_twitter_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" matrix_mx_puppet_twitter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.twitter.db', rounds=655555) | to_uuid }}" ###################################################################### @@ -1254,7 +1254,7 @@ matrix_mx_puppet_instagram_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} 
@@ -1265,8 +1265,8 @@ matrix_mx_puppet_instagram_homeserver_token: "{{ '%s' | format(matrix_homeserver matrix_mx_puppet_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_mx_puppet_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +# Postgres is the default, except if not using internal Postgres server +matrix_mx_puppet_instagram_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" matrix_mx_puppet_instagram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.ig.db', rounds=655555) | to_uuid }}" ###################################################################### @@ -1292,7 +1292,7 @@ matrix_mx_puppet_discord_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} 
@@ -1303,8 +1303,8 @@ matrix_mx_puppet_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_g matrix_mx_puppet_discord_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_mx_puppet_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +# Postgres is the default, except if not using internal Postgres server +matrix_mx_puppet_discord_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" matrix_mx_puppet_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.dsc.db', rounds=655555) | to_uuid }}" ###################################################################### @@ -1330,7 +1330,7 @@ matrix_mx_puppet_steam_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} 
@@ -1341,8 +1341,8 @@ matrix_mx_puppet_steam_homeserver_token: "{{ '%s' | format(matrix_homeserver_gen matrix_mx_puppet_steam_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_mx_puppet_steam_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +# Postgres is the default, except if not using internal Postgres server +matrix_mx_puppet_steam_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" matrix_mx_puppet_steam_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.steam.db', rounds=655555) | to_uuid }}" ###################################################################### @@ -1368,7 +1368,7 @@ matrix_mx_puppet_groupme_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} 
@@ -1379,8 +1379,8 @@ matrix_mx_puppet_groupme_homeserver_token: "{{ '%s' | format(matrix_homeserver_g matrix_mx_puppet_groupme_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_mx_puppet_groupme_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +# Postgres is the default, except if not using internal Postgres server +matrix_mx_puppet_groupme_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" matrix_mx_puppet_groupme_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.groupme.db', rounds=655555) | to_uuid }}" ###################################################################### @@ -1404,13 +1404,13 @@ matrix_bot_matrix_reminder_bot_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_bot_matrix_reminder_bot_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +# Postgres is the default, except if not using internal Postgres server +matrix_bot_matrix_reminder_bot_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" matrix_bot_matrix_reminder_bot_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'reminder.bot.db', rounds=655555) | to_uuid }}" matrix_bot_matrix_reminder_bot_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" 
@@ -1465,7 +1465,7 @@ matrix_bot_maubot_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -1480,8 +1480,8 @@ matrix_bot_maubot_registration_shared_secret: |- matrix_bot_maubot_management_interface_http_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' + matrix_bot_maubot_management_interface_port | string) }}" -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_bot_maubot_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +# Postgres is the default, except if not using internal Postgres server +matrix_bot_maubot_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" matrix_bot_maubot_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.dsc.db', rounds=655555) | to_uuid }}" ###################################################################### 
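Review bot: `matrix_bot_maubot_database_password` on the new side derives its value with `password_hash('sha512', 'mxpup.dsc.db', ...)`, the exact salt `matrix_mx_puppet_discord_database_password` uses in the hunk above, so both Postgres roles end up with the same password derived from `matrix_homeserver_generic_secret_key` — a compromise of either service's config yields the other's database credentials. Every other service in this file uses a per-service salt (`maudiscord.db`, `reminder.bot.db`, `honoroit.bot.db`), so this reads as a copy-paste slip; change it to `matrix_bot_maubot_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maubot.db', rounds=655555) | to_uuid }}"`. These are context lines that this commit does not touch, and changing the salt rotates the password on existing deployments, so it needs to land together with whatever the Postgres role does to update an existing user's password (not visible here) or be documented as a migration step.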
@@ -1504,15 +1504,15 @@ matrix_bot_honoroit_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_bot_honoroit_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +# Postgres is the default, except if not using internal Postgres server +matrix_bot_honoroit_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" matrix_bot_honoroit_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'honoroit.bot.db', rounds=655555) | to_uuid }}" matrix_bot_honoroit_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" 
@@ -1535,15 +1535,15 @@ matrix_bot_buscarron_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_bot_buscarron_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +# Postgres is the default, except if not using internal Postgres server +matrix_bot_buscarron_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" matrix_bot_buscarron_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'buscarron.bot.db', rounds=655555) | to_uuid }}" matrix_bot_buscarron_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" @@ -1569,13 +1569,13 @@ matrix_bot_postmoogle_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-synapse.service'] if matrix_synapse_enabled else []) }} -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_bot_postmoogle_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +# Postgres is the default, except if not using internal Postgres server +matrix_bot_postmoogle_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" matrix_bot_postmoogle_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'postmoogle.db', rounds=655555) | to_uuid }}" matrix_bot_postmoogle_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" 
@@ -1631,7 +1631,7 @@ matrix_bot_mjolnir_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} 
@@ -1649,26 +1649,31 @@ matrix_bot_mjolnir_systemd_required_services_list: | ###################################################################### matrix_backup_borg_enabled: false + matrix_backup_borg_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}" -matrix_backup_borg_postgresql_enabled: "{{ matrix_postgres_enabled }}" -matrix_backup_borg_postgresql_databases_hostname: "{{ matrix_postgres_connection_hostname }}" -matrix_backup_borg_postgresql_databases_username: "{{ matrix_postgres_connection_username }}" -matrix_backup_borg_postgresql_databases_password: "{{ matrix_postgres_connection_password }}" -matrix_backup_borg_postgresql_databases_port: "{{ matrix_postgres_connection_port }}" -matrix_backup_borg_postgresql_databases: "{{ matrix_postgres_additional_databases | map(attribute='name') if matrix_postgres_enabled else [] }}" + +matrix_backup_borg_postgresql_enabled: "{{ devture_postgres_enabled }}" +matrix_backup_borg_postgresql_databases_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_backup_borg_postgresql_databases_username: "{{ devture_postgres_connection_username if devture_postgres_enabled else '' }}" +matrix_backup_borg_postgresql_databases_password: "{{ devture_postgres_connection_password if devture_postgres_enabled else '' }}" +matrix_backup_borg_postgresql_databases_port: "{{ devture_postgres_connection_port if devture_postgres_enabled else 5432 }}" +matrix_backup_borg_postgresql_databases: "{{ devture_postgres_additional_databases | map(attribute='name') if devture_postgres_enabled else [] }}" + matrix_backup_borg_location_source_directories: - "{{ matrix_base_data_path }}" + matrix_backup_borg_location_exclude_patterns: | {{ ([matrix_synapse_media_store_path + '/local_thumbnails', matrix_synapse_media_store_path + '/remote_thumbnail', matrix_synapse_media_store_path + '/url_cache', matrix_synapse_media_store_path + '/url_cache_thumbnails'] if 
matrix_homeserver_implementation == 'synapse' else []) + - ([matrix_postgres_data_path] if matrix_postgres_enabled else []) + ([devture_postgres_data_path] if devture_postgres_enabled else []) }} + matrix_backup_borg_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) }} ###################################################################### @@ -1801,13 +1806,13 @@ matrix_dimension_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_dimension_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +# Postgres is the default, except if not using internal Postgres server +matrix_dimension_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" matrix_dimension_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dimension.db', rounds=655555) | to_uuid }}" ###################################################################### 
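Review bot: `matrix_backup_borg_postgresql_databases` still dumps only the `name`s from `devture_postgres_additional_databases`, so the role's main database (`devture_postgres_db_name`, i.e. `matrix`) is never dumped, while `devture_postgres_data_path` is excluded from the file-level backup a few lines below — anything stored in that database is absent from the backup entirely. This commit also introduces `devture_postgres_vacuum_default_databases_list`, which is exactly the main-plus-additional set, so it can be reused: `matrix_backup_borg_postgresql_databases: "{{ devture_postgres_vacuum_default_databases_list if devture_postgres_enabled else [] }}"`. Whether the main database holds data on a given deployment depends on its history (the old guard in the Postgres section hints Synapse could run in it), which is not visible here. Minor: the `else 5432` fallback for `_databases_port` yields an integer while the enabled branch passes `devture_postgres_connection_port` through unchanged; the consuming role should tolerate both types or the fallback should be quoted to match.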
@@ -1826,15 +1831,17 @@ matrix_etherpad_enabled: false matrix_etherpad_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9001' }}" -matrix_etherpad_base_url: "{{ 'https://'+ matrix_server_fqn_dimension + matrix_etherpad_public_endpoint if matrix_etherpad_mode == 'dimension' else 'https://' + matrix_server_fqn_etherpad + '/' }}" +matrix_etherpad_base_url: "{{ 'https://' + matrix_server_fqn_dimension + matrix_etherpad_public_endpoint if matrix_etherpad_mode == 'dimension' else 'https://' + matrix_server_fqn_etherpad + '/' }}" matrix_etherpad_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) }} +matrix_etherpad_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}" + matrix_etherpad_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'etherpad.db', rounds=655555) | to_uuid }}" ###################################################################### 
@@ -1998,20 +2005,20 @@ matrix_ma1sd_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval matrix_ma1sd_systemd_required_services_list: | {{ - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) }} matrix_ma1sd_systemd_wanted_services_list: | {{ (['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-' + matrix_homeserver_implementation + '.service']) + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-mailer.service'] if matrix_mailer_enabled else []) }} -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_ma1sd_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +# Postgres is the default, except if not using internal Postgres server +matrix_ma1sd_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" matrix_ma1sd_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ma1sd.db', rounds=655555) | to_uuid }}" ###################################################################### 
@@ -2204,29 +2211,49 @@ matrix_ssl_pre_obtaining_required_service_name: "{{ 'matrix-dynamic-dns' if matr # ###################################################################### -###################################################################### -# -# matrix-postgres -# -###################################################################### +######################################################################## +# # +# com.devture.ansible.role.postgres # +# # +######################################################################## + +# To completely disable installing Postgres, use `devture_postgres_enabled: false`. + +devture_postgres_identifier: matrix-postgres + +devture_postgres_architecture: "{{ matrix_architecture }}" + +devture_postgres_base_path: "{{ matrix_base_data_path }}/postgres" -matrix_postgres_enabled: true +devture_postgres_container_network: "{{ matrix_docker_network }}" -matrix_postgres_architecture: "{{ matrix_architecture }}" +devture_postgres_uid: "{{ matrix_user_uid }}" +devture_postgres_gid: "{{ matrix_user_gid }}" -# We unset this if internal Postgres disabled, which will cascade to some other variables -# and tell users they need to set it (either here or in those variables). 
-matrix_postgres_connection_hostname: "{{ 'matrix-postgres' if matrix_postgres_enabled else '' }}" +devture_postgres_connection_username: matrix +devture_postgres_db_name: matrix -matrix_postgres_pgloader_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" +devture_postgres_vacuum_default_databases_list: | + {{ + ( + ([devture_postgres_db_name]) + + + (devture_postgres_additional_databases | map(attribute='name')) + ) | unique + }} -matrix_postgres_additional_databases: | +devture_postgres_systemd_services_to_stop_for_maintenance_list: | + {{ + ['matrix-' + matrix_homeserver_implementation + '.service'] + }} + +devture_postgres_additional_databases: | {{ ([{ 'name': matrix_synapse_database_database, 'username': matrix_synapse_database_user, 'password': matrix_synapse_database_password, - }] if (matrix_synapse_enabled and matrix_synapse_database_database != matrix_postgres_db_name and matrix_synapse_database_host == 'matrix-postgres') else []) + }] if (matrix_synapse_enabled and matrix_synapse_database_host == devture_postgres_identifier) else []) + ([{ 'name': matrix_dendrite_federationapi_database, 
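Review bot: The Synapse entry in `devture_postgres_additional_databases` drops the previous `matrix_synapse_database_database != matrix_postgres_db_name` guard, so a deployment whose Synapse database is named `matrix` (the new `devture_postgres_db_name`) now registers the role's own main database as an additional database owned by `matrix_synapse_database_user`. Unless the role de-duplicates against `devture_postgres_db_name` (not visible here; the `| unique` on the vacuum list suggests overlap is at least anticipated), this could make it try to create or re-own the main database; the safe form is `}] if (matrix_synapse_enabled and matrix_synapse_database_database != devture_postgres_db_name and matrix_synapse_database_host == devture_postgres_identifier) else [])`. Separately, this section sets `devture_postgres_connection_username` and `devture_postgres_db_name` but no `devture_postgres_connection_password`, although the Borg variables earlier in this file consume it; a comment such as `# Set devture_postgres_connection_password in vars.yml (formerly matrix_postgres_connection_password)` would keep migrating users from templating an unset superuser password. The `devture_postgres_additional_databases` definition continues past the end of this hunk.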
@@ -2260,206 +2287,201 @@ matrix_postgres_additional_databases: | 'name': matrix_dendrite_mscs_database, 'username': matrix_dendrite_database_user, 'password': matrix_dendrite_database_password, - }] if (matrix_dendrite_enabled and matrix_dendrite_database_hostname == 'matrix-postgres') else []) + }] if (matrix_dendrite_enabled and matrix_dendrite_database_hostname == devture_postgres_identifier) else []) + ([{ 'name': matrix_ma1sd_database_name, 'username': matrix_ma1sd_database_username, 'password': matrix_ma1sd_database_password, - }] if (matrix_ma1sd_enabled and matrix_ma1sd_database_engine == 'postgres' and matrix_ma1sd_database_hostname == 'matrix-postgres') else []) + }] if (matrix_ma1sd_enabled and matrix_ma1sd_database_engine == 'postgres' and matrix_ma1sd_database_hostname == devture_postgres_identifier) else []) + ([{ 'name': matrix_bot_matrix_reminder_bot_database_name, 'username': matrix_bot_matrix_reminder_bot_database_username, 'password': matrix_bot_matrix_reminder_bot_database_password, - }] if (matrix_bot_matrix_reminder_bot_enabled and matrix_bot_matrix_reminder_bot_database_engine == 'postgres' and matrix_bot_matrix_reminder_bot_database_hostname == 'matrix-postgres') else []) + }] if (matrix_bot_matrix_reminder_bot_enabled and matrix_bot_matrix_reminder_bot_database_engine == 'postgres' and matrix_bot_matrix_reminder_bot_database_hostname == devture_postgres_identifier) else []) + ([{ 'name': matrix_bot_honoroit_database_name, 'username': matrix_bot_honoroit_database_username, 'password': matrix_bot_honoroit_database_password, - }] if (matrix_bot_honoroit_enabled and matrix_bot_honoroit_database_engine == 'postgres' and matrix_bot_honoroit_database_hostname == 'matrix-postgres') else []) + }] if (matrix_bot_honoroit_enabled and matrix_bot_honoroit_database_engine == 'postgres' and matrix_bot_honoroit_database_hostname == devture_postgres_identifier) else []) + ([{ 'name': matrix_bot_postmoogle_database_name, 'username': 
matrix_bot_postmoogle_database_username, 'password': matrix_bot_postmoogle_database_password, - }] if (matrix_bot_postmoogle_enabled and matrix_bot_postmoogle_database_engine == 'postgres' and matrix_bot_postmoogle_database_hostname == 'matrix-postgres') else []) + }] if (matrix_bot_postmoogle_enabled and matrix_bot_postmoogle_database_engine == 'postgres' and matrix_bot_postmoogle_database_hostname == devture_postgres_identifier) else []) + ([{ 'name': matrix_bot_maubot_database_name, 'username': matrix_bot_maubot_database_username, 'password': matrix_bot_maubot_database_password, - }] if (matrix_bot_maubot_enabled and matrix_bot_maubot_database_engine == 'postgres' and matrix_bot_maubot_database_hostname == 'matrix-postgres') else []) + }] if (matrix_bot_maubot_enabled and matrix_bot_maubot_database_engine == 'postgres' and matrix_bot_maubot_database_hostname == devture_postgres_identifier) else []) + ([{ 'name': matrix_bot_buscarron_database_name, 'username': matrix_bot_buscarron_database_username, 'password': matrix_bot_buscarron_database_password, - }] if (matrix_bot_buscarron_enabled and matrix_bot_buscarron_database_engine == 'postgres' and matrix_bot_buscarron_database_hostname == 'matrix-postgres') else []) + }] if (matrix_bot_buscarron_enabled and matrix_bot_buscarron_database_engine == 'postgres' and matrix_bot_buscarron_database_hostname == devture_postgres_identifier) else []) + ([{ 'name': matrix_registration_database_name, 'username': matrix_registration_database_username, 'password': matrix_registration_database_password, - }] if (matrix_registration_enabled and matrix_registration_database_engine == 'postgres' and matrix_registration_database_hostname == 'matrix-postgres') else []) + }] if (matrix_registration_enabled and matrix_registration_database_engine == 'postgres' and matrix_registration_database_hostname == devture_postgres_identifier) else []) + ([{ 'name': matrix_appservice_discord_database_name, 'username': 
matrix_appservice_discord_database_username, 'password': matrix_appservice_discord_database_password, - }] if (matrix_appservice_discord_enabled and matrix_appservice_discord_database_engine == 'postgres' and matrix_appservice_discord_database_hostname == 'matrix-postgres') else []) + }] if (matrix_appservice_discord_enabled and matrix_appservice_discord_database_engine == 'postgres' and matrix_appservice_discord_database_hostname == devture_postgres_identifier) else []) + ([{ 'name': matrix_appservice_slack_database_name, 'username': matrix_appservice_slack_database_username, 'password': matrix_appservice_slack_database_password, - }] if (matrix_appservice_slack_enabled and matrix_appservice_slack_database_engine == 'postgres' and matrix_appservice_slack_database_hostname == 'matrix-postgres') else []) + }] if (matrix_appservice_slack_enabled and matrix_appservice_slack_database_engine == 'postgres' and matrix_appservice_slack_database_hostname == devture_postgres_identifier) else []) + ([{ 'name': matrix_appservice_irc_database_name, 'username': matrix_appservice_irc_database_username, 'password': matrix_appservice_irc_database_password, - }] if (matrix_appservice_irc_enabled and matrix_appservice_irc_database_engine == 'postgres' and matrix_appservice_irc_database_hostname == 'matrix-postgres') else []) + }] if (matrix_appservice_irc_enabled and matrix_appservice_irc_database_engine == 'postgres' and matrix_appservice_irc_database_hostname == devture_postgres_identifier) else []) + ([{ 'name': matrix_appservice_kakaotalk_database_name, 'username': matrix_appservice_kakaotalk_database_username, 'password': matrix_appservice_kakaotalk_database_password, - }] if (matrix_appservice_kakaotalk_enabled and matrix_appservice_kakaotalk_database_engine == 'postgres' and matrix_appservice_kakaotalk_database_hostname == 'matrix-postgres') else []) + }] if (matrix_appservice_kakaotalk_enabled and matrix_appservice_kakaotalk_database_engine == 'postgres' and 
matrix_appservice_kakaotalk_database_hostname == devture_postgres_identifier) else []) + ([{ 'name': matrix_beeper_linkedin_database_name, 'username': matrix_beeper_linkedin_database_username, 'password': matrix_beeper_linkedin_database_password, - }] if (matrix_beeper_linkedin_enabled and matrix_beeper_linkedin_database_engine == 'postgres' and matrix_beeper_linkedin_database_hostname == 'matrix-postgres') else []) + }] if (matrix_beeper_linkedin_enabled and matrix_beeper_linkedin_database_engine == 'postgres' and matrix_beeper_linkedin_database_hostname == devture_postgres_identifier) else []) + ([{ 'name': matrix_go_skype_bridge_database_name, 'username': matrix_go_skype_bridge_database_username, 'password': matrix_go_skype_bridge_database_password, - }] if (matrix_go_skype_bridge_enabled and matrix_go_skype_bridge_database_engine == 'postgres' and matrix_go_skype_bridge_database_hostname == 'matrix-postgres') else []) + }] if (matrix_go_skype_bridge_enabled and matrix_go_skype_bridge_database_engine == 'postgres' and matrix_go_skype_bridge_database_hostname == devture_postgres_identifier) else []) + ([{ 'name': matrix_mautrix_facebook_database_name, 'username': matrix_mautrix_facebook_database_username, 'password': matrix_mautrix_facebook_database_password, - }] if (matrix_mautrix_facebook_enabled and matrix_mautrix_facebook_database_engine == 'postgres' and matrix_mautrix_facebook_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mautrix_facebook_enabled and matrix_mautrix_facebook_database_engine == 'postgres' and matrix_mautrix_facebook_database_hostname == devture_postgres_identifier) else []) + ([{ 'name': matrix_mautrix_hangouts_database_name, 'username': matrix_mautrix_hangouts_database_username, 'password': matrix_mautrix_hangouts_database_password, - }] if (matrix_mautrix_hangouts_enabled and matrix_mautrix_hangouts_database_engine == 'postgres' and matrix_mautrix_hangouts_database_hostname == 'matrix-postgres') else []) + }] if 
(matrix_mautrix_hangouts_enabled and matrix_mautrix_hangouts_database_engine == 'postgres' and matrix_mautrix_hangouts_database_hostname == devture_postgres_identifier) else []) + ([{ 'name': matrix_mautrix_googlechat_database_name, 'username': matrix_mautrix_googlechat_database_username, 'password': matrix_mautrix_googlechat_database_password, - }] if (matrix_mautrix_googlechat_enabled and matrix_mautrix_googlechat_database_engine == 'postgres' and matrix_mautrix_googlechat_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mautrix_googlechat_enabled and matrix_mautrix_googlechat_database_engine == 'postgres' and matrix_mautrix_googlechat_database_hostname == devture_postgres_identifier) else []) + ([{ 'name': matrix_mautrix_instagram_database_name, 'username': matrix_mautrix_instagram_database_username, 'password': matrix_mautrix_instagram_database_password, - }] if (matrix_mautrix_instagram_enabled and matrix_mautrix_instagram_database_engine == 'postgres' and matrix_mautrix_instagram_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mautrix_instagram_enabled and matrix_mautrix_instagram_database_engine == 'postgres' and matrix_mautrix_instagram_database_hostname == devture_postgres_identifier) else []) + ([{ 'name': matrix_mautrix_signal_database_name, 'username': matrix_mautrix_signal_database_username, 'password': matrix_mautrix_signal_database_password, - }] if (matrix_mautrix_signal_enabled and matrix_mautrix_signal_database_engine == 'postgres' and matrix_mautrix_signal_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mautrix_signal_enabled and matrix_mautrix_signal_database_engine == 'postgres' and matrix_mautrix_signal_database_hostname == devture_postgres_identifier) else []) + ([{ 'name': matrix_mautrix_telegram_database_name, 'username': matrix_mautrix_telegram_database_username, 'password': matrix_mautrix_telegram_database_password, - }] if (matrix_mautrix_telegram_enabled and 
matrix_mautrix_telegram_database_engine == 'postgres' and matrix_mautrix_telegram_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mautrix_telegram_enabled and matrix_mautrix_telegram_database_engine == 'postgres' and matrix_mautrix_telegram_database_hostname == devture_postgres_identifier) else []) + ([{ 'name': matrix_mautrix_twitter_database_name, 'username': matrix_mautrix_twitter_database_username, 'password': matrix_mautrix_twitter_database_password, - }] if (matrix_mautrix_twitter_enabled and matrix_mautrix_twitter_database_engine == 'postgres' and matrix_mautrix_twitter_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mautrix_twitter_enabled and matrix_mautrix_twitter_database_engine == 'postgres' and matrix_mautrix_twitter_database_hostname == devture_postgres_identifier) else []) + ([{ 'name': matrix_mautrix_whatsapp_database_name, 'username': matrix_mautrix_whatsapp_database_username, 'password': matrix_mautrix_whatsapp_database_password, - }] if (matrix_mautrix_whatsapp_enabled and matrix_mautrix_whatsapp_database_engine == 'postgres' and matrix_mautrix_whatsapp_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mautrix_whatsapp_enabled and matrix_mautrix_whatsapp_database_engine == 'postgres' and matrix_mautrix_whatsapp_database_hostname == devture_postgres_identifier) else []) + ([{ 'name': matrix_mautrix_discord_database_name, 'username': matrix_mautrix_discord_database_username, 'password': matrix_mautrix_discord_database_password, - }] if (matrix_mautrix_discord_enabled and matrix_mautrix_discord_database_engine == 'postgres' and matrix_mautrix_discord_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mautrix_discord_enabled and matrix_mautrix_discord_database_engine == 'postgres' and matrix_mautrix_discord_database_hostname == devture_postgres_identifier) else []) + ([{ 'name': matrix_mx_puppet_slack_database_name, 'username': matrix_mx_puppet_slack_database_username, 'password': 
matrix_mx_puppet_slack_database_password, - }] if (matrix_mx_puppet_slack_enabled and matrix_mx_puppet_slack_database_engine == 'postgres' and matrix_mx_puppet_slack_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mx_puppet_slack_enabled and matrix_mx_puppet_slack_database_engine == 'postgres' and matrix_mx_puppet_slack_database_hostname == devture_postgres_identifier) else []) + ([{ 'name': matrix_mx_puppet_twitter_database_name, 'username': matrix_mx_puppet_twitter_database_username, 'password': matrix_mx_puppet_twitter_database_password, - }] if (matrix_mx_puppet_twitter_enabled and matrix_mx_puppet_twitter_database_engine == 'postgres' and matrix_mx_puppet_twitter_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mx_puppet_twitter_enabled and matrix_mx_puppet_twitter_database_engine == 'postgres' and matrix_mx_puppet_twitter_database_hostname == devture_postgres_identifier) else []) + ([{ 'name': matrix_mx_puppet_instagram_database_name, 'username': matrix_mx_puppet_instagram_database_username, 'password': matrix_mx_puppet_instagram_database_password, - }] if (matrix_mx_puppet_instagram_enabled and matrix_mx_puppet_instagram_database_engine == 'postgres' and matrix_mx_puppet_instagram_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mx_puppet_instagram_enabled and matrix_mx_puppet_instagram_database_engine == 'postgres' and matrix_mx_puppet_instagram_database_hostname == devture_postgres_identifier) else []) + ([{ 'name': matrix_mx_puppet_discord_database_name, 'username': matrix_mx_puppet_discord_database_username, 'password': matrix_mx_puppet_discord_database_password, - }] if (matrix_mx_puppet_discord_enabled and matrix_mx_puppet_discord_database_engine == 'postgres' and matrix_mx_puppet_discord_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mx_puppet_discord_enabled and matrix_mx_puppet_discord_database_engine == 'postgres' and matrix_mx_puppet_discord_database_hostname == 
devture_postgres_identifier) else []) + ([{ 'name': matrix_mx_puppet_steam_database_name, 'username': matrix_mx_puppet_steam_database_username, 'password': matrix_mx_puppet_steam_database_password, - }] if (matrix_mx_puppet_steam_enabled and matrix_mx_puppet_steam_database_engine == 'postgres' and matrix_mx_puppet_steam_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mx_puppet_steam_enabled and matrix_mx_puppet_steam_database_engine == 'postgres' and matrix_mx_puppet_steam_database_hostname == devture_postgres_identifier) else []) + ([{ 'name': matrix_mx_puppet_groupme_database_name, 'username': matrix_mx_puppet_groupme_database_username, 'password': matrix_mx_puppet_groupme_database_password, - }] if (matrix_mx_puppet_groupme_enabled and matrix_mx_puppet_groupme_database_engine == 'postgres' and matrix_mx_puppet_groupme_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mx_puppet_groupme_enabled and matrix_mx_puppet_groupme_database_engine == 'postgres' and matrix_mx_puppet_groupme_database_hostname == devture_postgres_identifier) else []) + ([{ 'name': matrix_dimension_database_name, 'username': matrix_dimension_database_username, 'password': matrix_dimension_database_password, - }] if (matrix_dimension_enabled and matrix_dimension_database_engine == 'postgres' and matrix_dimension_database_hostname == 'matrix-postgres') else []) + }] if (matrix_dimension_enabled and matrix_dimension_database_engine == 'postgres' and matrix_dimension_database_hostname == devture_postgres_identifier) else []) + ([{ 'name': matrix_etherpad_database_name, 'username': matrix_etherpad_database_username, 'password': matrix_etherpad_database_password, - }] if (matrix_etherpad_enabled and matrix_etherpad_database_engine == 'postgres' and matrix_etherpad_database_hostname == 'matrix-postgres') else []) + }] if (matrix_etherpad_enabled and matrix_etherpad_database_engine == 'postgres' and matrix_etherpad_database_hostname == devture_postgres_identifier) else 
[]) + ([{ 'name': matrix_prometheus_postgres_exporter_database_name, 'username': matrix_prometheus_postgres_exporter_database_username, 'password': matrix_prometheus_postgres_exporter_database_password, - }] if (matrix_prometheus_postgres_exporter_enabled and matrix_prometheus_postgres_exporter_database_hostname == 'matrix-postgres') else []) + }] if (matrix_prometheus_postgres_exporter_enabled and matrix_prometheus_postgres_exporter_database_hostname == devture_postgres_identifier) else []) }} -matrix_postgres_systemd_services_to_stop_for_maintenance_list: | - {{ - ['matrix-' + matrix_homeserver_implementation + '.service'] - }} - -###################################################################### -# -# /matrix-postgres -# -###################################################################### +######################################################################## +# # +# /com.devture.ansible.role.postgres # +# # +######################################################################## ###################################################################### # @@ -2681,7 +2703,7 @@ matrix_synapse_systemd_required_services_list: | {{ (['docker.service']) + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-goofys.service'] if matrix_s3_media_store_enabled else []) }} @@ -2819,7 +2841,7 @@ matrix_prometheus_postgres_exporter_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) }} ###################################################################### 
@@ -2906,11 +2928,11 @@ matrix_registration_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) }} -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_registration_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +# Postgres is the default, except if not using internal Postgres server +matrix_registration_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" matrix_registration_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mx.registr.db', rounds=655555) | to_uuid }}" ###################################################################### 
@@ -2925,14 +2947,14 @@ matrix_registration_database_password: "{{ '%s' | format(matrix_homeserver_gener # ###################################################################### -matrix_postgres_backup_connection_hostname: "{{ matrix_postgres_connection_hostname }}" -matrix_postgres_backup_connection_port: "{{ matrix_postgres_connection_port }}" -matrix_postgres_backup_connection_username: "{{ matrix_postgres_connection_username }}" -matrix_postgres_backup_connection_password: "{{ matrix_postgres_connection_password }}" +matrix_postgres_backup_connection_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_postgres_backup_connection_port: "{{ devture_postgres_connection_port if devture_postgres_enabled else 5432 }}" +matrix_postgres_backup_connection_username: "{{ devture_postgres_connection_username if devture_postgres_enabled else '' }}" +matrix_postgres_backup_connection_password: "{{ devture_postgres_connection_password if devture_postgres_enabled else '' }}" -matrix_postgres_backup_postgres_data_path: "{{ matrix_postgres_data_path if matrix_postgres_enabled else '' }}" +matrix_postgres_backup_postgres_data_path: "{{ devture_postgres_data_path if devture_postgres_enabled else '' }}" -matrix_postgres_backup_databases: "{{ matrix_postgres_additional_databases | map(attribute='name') if matrix_postgres_enabled else [] }}" +matrix_postgres_backup_databases: "{{ devture_postgres_additional_databases | map(attribute='name') if devture_postgres_enabled else [] }}" ###################################################################### # @@ -2990,7 +3012,7 @@ matrix_dendrite_systemd_required_services_list: | {{ (['docker.service']) + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-goofys.service'] if matrix_s3_media_store_enabled else []) }} 
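Review bot: The fallback values in the rewritten matrix_postgres_backup_connection_* lines are inconsistent: hostname, username and password fall back to '' when devture_postgres_enabled is false, but port falls back to 5432, so a disabled-Postgres configuration yields a half-populated connection tuple. Either give all four the same sentinel, e.g. `matrix_postgres_backup_connection_port: "{{ devture_postgres_connection_port if devture_postgres_enabled else '' }}"`, or add a comment stating which value the backup role treats as "not configured". The hunk also makes the backup credentials a straight copy of the built-in server's superuser connection settings; a comment such as `# Backup reuses the built-in Postgres connection credentials; override these if the backup job should authenticate as a dedicated user` would make that coupling visible to operators. The dendrite hunk that follows is a pure rename and needs nothing.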
diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index 8d2be5cba..d97b92831 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml @@ -34,7 +34,9 @@ - custom/matrix-base - custom/matrix-dynamic-dns - custom/matrix-mailer - - custom/matrix-postgres + + - role: galaxy/com.devture.ansible.role.postgres + - custom/matrix-redis - custom/matrix-corporal - custom/matrix-bridge-appservice-discord diff --git a/requirements.yml b/requirements.yml index 0d77588a6..69c733f09 100644 --- a/requirements.yml +++ b/requirements.yml @@ -18,6 +18,9 @@ - src: git+https://github.com/devture/com.devture.ansible.role.playbook_state_preserver.git version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16 +- src: git+https://github.com/devture/com.devture.ansible.role.postgres.git + version: f9f0519b2ccc6da7e0480c7cdfe8a67814728243 + - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git version: 6ccb88ac5fc27e1e70afcd48278ade4b564a9096 diff --git a/roles/custom/matrix-backup-borg/tasks/setup_install.yml b/roles/custom/matrix-backup-borg/tasks/setup_install.yml index d12229e20..142bf38c9 100644 --- a/roles/custom/matrix-backup-borg/tasks/setup_install.yml +++ b/roles/custom/matrix-backup-borg/tasks/setup_install.yml 
@@ -5,22 +5,22 @@ - name: Fail with matrix_backup_borg_version advice if Postgres not enabled ansible.builtin.fail: msg: >- - You are not running a built-in Postgres server (`matrix_postgres_enabled: false`), so auto-detecting its version and setting `matrix_backup_borg_version` automatically based on that cannot happen. + You are not running a built-in Postgres server (`devture_postgres_enabled: false`), so auto-detecting its version and setting `matrix_backup_borg_version` automatically based on that cannot happen. Consider setting `matrix_backup_borg_version` to your Postgres version manually. - when: not matrix_postgres_enabled + when: not devture_postgres_enabled - ansible.builtin.import_role: - name: custom/matrix-postgres + name: galaxy/com.devture.ansible.role.postgres tasks_from: detect_existing_postgres_version - name: Fail if detected Postgres version is unsupported ansible.builtin.fail: - msg: "You cannot use borg backup with such an old version ({{ matrix_postgres_detected_version }}) of Postgres. Consider upgrading - link to docs for upgrading Postgres: docs/maintenance-postgres.md#upgrading-postgresql" - when: "matrix_postgres_detected_version not in matrix_backup_borg_supported_postgres_versions" + msg: "You cannot use borg backup with such an old version ({{ devture_postgres_detected_version }}) of Postgres. Consider upgrading - link to docs for upgrading Postgres: docs/maintenance-postgres.md#upgrading-postgresql" + when: "devture_postgres_detected_version not in matrix_backup_borg_supported_postgres_versions" - name: Set the correct borg backup version to use ansible.builtin.set_fact: - matrix_backup_borg_version: "{{ matrix_postgres_detected_version }}" + matrix_backup_borg_version: "{{ devture_postgres_detected_version }}" - name: Ensure borg paths exist ansible.builtin.file: diff --git a/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml b/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml index 156813def..ca304efb8 100644 
--- a/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml @@ -12,7 +12,7 @@ - when: "matrix_bot_buscarron_sqlite_database_path_local_stat_result.stat.exists | bool" block: - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + devture_postgres_db_migration_request: src: "{{ matrix_bot_buscarron_sqlite_database_path_local }}" dst: "{{ matrix_bot_buscarron_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -21,7 +21,7 @@ systemd_services_to_stop: ['matrix-bot-buscarron.service'] - ansible.builtin.import_role: - name: custom/matrix-postgres + name: galaxy/com.devture.ansible.role.postgres tasks_from: migrate_db_to_postgres - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml b/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml index 05dcd7c7c..245e641c2 100644 --- a/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml @@ -12,7 +12,7 @@ - when: "matrix_bot_honoroit_sqlite_database_path_local_stat_result.stat.exists | bool" block: - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + devture_postgres_db_migration_request: src: "{{ matrix_bot_honoroit_sqlite_database_path_local }}" dst: "{{ matrix_bot_honoroit_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -21,7 +21,7 @@ systemd_services_to_stop: ['matrix-bot-honoroit.service'] - ansible.builtin.import_role: - name: custom/matrix-postgres + name: galaxy/com.devture.ansible.role.postgres tasks_from: migrate_db_to_postgres - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml index 00e25c361..d9ff942ec 100644 --- a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml 
+++ b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml @@ -13,7 +13,7 @@ - when: "matrix_bot_matrix_reminder_bot_sqlite_database_path_local_stat_result.stat.exists | bool" block: - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + devture_postgres_db_migration_request: src: "{{ matrix_bot_matrix_reminder_bot_sqlite_database_path_local }}" dst: "{{ matrix_bot_matrix_reminder_bot_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -22,7 +22,7 @@ systemd_services_to_stop: ['matrix-bot-matrix-reminder-bot.service'] - ansible.builtin.import_role: - name: custom/matrix-postgres + name: galaxy/com.devture.ansible.role.postgres tasks_from: migrate_db_to_postgres - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-bot-postmoogle/tasks/setup_install.yml b/roles/custom/matrix-bot-postmoogle/tasks/setup_install.yml index 993cf8e5b..403814d64 100644 --- a/roles/custom/matrix-bot-postmoogle/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-postmoogle/tasks/setup_install.yml @@ -9,7 +9,7 @@ - when: "matrix_bot_postmoogle_sqlite_database_path_local_stat_result.stat.exists | bool" block: - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + devture_postgres_db_migration_request: src: "{{ matrix_bot_postmoogle_sqlite_database_path_local }}" dst: "{{ matrix_bot_postmoogle_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -18,7 +18,7 @@ systemd_services_to_stop: ['matrix-bot-postmoogle.service'] - ansible.builtin.import_role: - name: custom/matrix-postgres + name: galaxy/com.devture.ansible.role.postgres tasks_from: migrate_db_to_postgres - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml b/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml index f04e7f69e..bb6c85511 100644 --- a/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml 
+++ b/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml @@ -13,7 +13,7 @@ - when: "matrix_appservice_discord_sqlite_database_path_local_stat_result.stat.exists | bool" block: - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + devture_postgres_db_migration_request: src: "{{ matrix_appservice_discord_sqlite_database_path_local }}" dst: "{{ matrix_appservice_discord_database_connString }}" caller: "{{ role_path | basename }}" @@ -22,7 +22,7 @@ systemd_services_to_stop: ['matrix-appservice-discord.service'] - ansible.builtin.import_role: - name: custom/matrix-postgres + name: galaxy/com.devture.ansible.role.postgres tasks_from: migrate_db_to_postgres - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml b/roles/custom/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml index 9dda24019..79978ecd3 100644 --- a/roles/custom/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml +++ b/roles/custom/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml @@ -2,8 +2,8 @@ - name: Fail if Postgres not enabled ansible.builtin.fail: - msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot migrate." - when: "not matrix_postgres_enabled | bool" + msg: "Postgres via the com.devture.ansible.role.postgres role is not enabled (`devture_postgres_enabled`). Cannot migrate." + when: "not devture_postgres_enabled | bool" # Defaults 
@@ -14,19 +14,19 @@ # Actual import work -- name: Ensure matrix-postgres is started +- name: Ensure Postgres is started ansible.builtin.service: - name: matrix-postgres + name: "{{ devture_postgres_identifier }}" state: started daemon_reload: true - register: matrix_postgres_service_start_result + register: postgres_service_start_result - name: Wait a bit, so that Postgres can start ansible.builtin.wait_for: timeout: "{{ postgres_start_wait_time }}" delegate_to: 127.0.0.1 become: false - when: "matrix_postgres_service_start_result.changed | bool" + when: postgres_service_start_result.changed | bool - name: Check existence of matrix-appservice-irc service ansible.builtin.stat: diff --git a/roles/custom/matrix-bridge-appservice-slack/tasks/migrate_nedb_to_postgres.yml b/roles/custom/matrix-bridge-appservice-slack/tasks/migrate_nedb_to_postgres.yml index 0ed3e18b2..58c125ab9 100644 --- a/roles/custom/matrix-bridge-appservice-slack/tasks/migrate_nedb_to_postgres.yml +++ b/roles/custom/matrix-bridge-appservice-slack/tasks/migrate_nedb_to_postgres.yml @@ -2,8 +2,8 @@ - name: Fail if Postgres not enabled ansible.builtin.fail: - msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot migrate." - when: "not matrix_postgres_enabled | bool" + msg: "Postgres via the com.devture.ansible.role.postgres role is not enabled (`devture_postgres_enabled`). Cannot migrate." + when: "not devture_postgres_enabled | bool" # Defaults 
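Review bot: The renamed `register: postgres_service_start_result` drops the role prefix that every other variable in this file carries, and registered variables are host-global in Ansible, so the same name is now also registered by the matrix-bridge-appservice-slack migrate_nedb_to_postgres hunk in the next file. The collision is harmless while the register and the `when:` stay adjacent, but a role-scoped name avoids surprises if either task list grows: `register: matrix_appservice_irc_postgres_service_start_result` with `when: matrix_appservice_irc_postgres_service_start_result.changed | bool`. The two hunks also disagree on quoting of the `when:` expression (unquoted here, quoted in the slack file); pick one form for both.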
@@ -14,19 +14,19 @@ # Actual import work -- name: Ensure matrix-postgres is started +- name: Ensure Postgres is started ansible.builtin.service: - name: matrix-postgres + name: "{{ devture_postgres_identifier }}" state: started daemon_reload: true - register: matrix_postgres_service_start_result + register: postgres_service_start_result - name: Wait a bit, so that Postgres can start ansible.builtin.wait_for: timeout: "{{ postgres_start_wait_time }}" delegate_to: 127.0.0.1 become: false - when: "matrix_postgres_service_start_result.changed | bool" + when: "postgres_service_start_result.changed | bool" - name: Ensure matrix-appservice-slack is stopped ansible.builtin.service: diff --git a/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml b/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml index de1d0cb5e..1a89d648c 100644 --- a/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml @@ -13,7 +13,7 @@ - when: "matrix_go_skype_bridge_sqlite_database_path_local_stat_result.stat.exists | bool" block: - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + devture_postgres_db_migration_request: src: "{{ matrix_go_skype_bridge_sqlite_database_path_local }}" dst: "{{ matrix_go_skype_bridge_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -23,7 +23,7 @@ pgloader_options: ['--with "quote identifiers"'] - ansible.builtin.import_role: - name: custom/matrix-postgres + name: galaxy/com.devture.ansible.role.postgres tasks_from: migrate_db_to_postgres - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_install.yml index 3864c3b57..b6d388ca2 100644 --- a/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_install.yml 
@@ -13,7 +13,7 @@ - when: "matrix_mautrix_discord_sqlite_database_path_local_stat_result.stat.exists | bool" block: - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + devture_postgres_db_migration_request: src: "{{ matrix_mautrix_discord_sqlite_database_path_local }}" dst: "{{ matrix_mautrix_discord_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -23,7 +23,7 @@ pgloader_options: ['--with "quote identifiers"'] - ansible.builtin.import_role: - name: custom/matrix-postgres + name: galaxy/com.devture.ansible.role.postgres tasks_from: migrate_db_to_postgres - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index 4e3f16e62..b2801de87 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml @@ -13,7 +13,7 @@ - when: "matrix_mautrix_facebook_sqlite_database_path_local_stat_result.stat.exists | bool" block: - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + devture_postgres_db_migration_request: src: "{{ matrix_mautrix_facebook_sqlite_database_path_local }}" dst: "{{ matrix_mautrix_facebook_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -22,7 +22,7 @@ systemd_services_to_stop: ['matrix-mautrix-facebook.service'] - ansible.builtin.import_role: - name: custom/matrix-postgres + name: galaxy/com.devture.ansible.role.postgres tasks_from: migrate_db_to_postgres - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml index 095d6cccd..87e379ea0 100644 --- a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml 
@@ -13,7 +13,7 @@ - when: "matrix_mautrix_googlechat_sqlite_database_path_local_stat_result.stat.exists | bool" block: - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + devture_postgres_db_migration_request: src: "{{ matrix_mautrix_googlechat_sqlite_database_path_local }}" dst: "{{ matrix_mautrix_googlechat_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -22,7 +22,7 @@ systemd_services_to_stop: ['matrix-mautrix-googlechat.service'] - ansible.builtin.import_role: - name: custom/matrix-postgres + name: galaxy/com.devture.ansible.role.postgres tasks_from: migrate_db_to_postgres - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml index e4a43c0ba..23cf24c6a 100644 --- a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml @@ -13,7 +13,7 @@ - when: "matrix_mautrix_hangouts_sqlite_database_path_local_stat_result.stat.exists | bool" block: - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + devture_postgres_db_migration_request: src: "{{ matrix_mautrix_hangouts_sqlite_database_path_local }}" dst: "{{ matrix_mautrix_hangouts_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -22,7 +22,7 @@ systemd_services_to_stop: ['matrix-mautrix-hangouts.service'] - ansible.builtin.import_role: - name: custom/matrix-postgres + name: galaxy/com.devture.ansible.role.postgres tasks_from: migrate_db_to_postgres - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index c4c485817..76ccf6bbc 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml 
@@ -13,7 +13,7 @@ - when: "matrix_mautrix_telegram_sqlite_database_path_local_stat_result.stat.exists | bool" block: - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + devture_postgres_db_migration_request: src: "{{ matrix_mautrix_telegram_sqlite_database_path_local }}" dst: "{{ matrix_mautrix_telegram_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -22,7 +22,7 @@ systemd_services_to_stop: ['matrix-mautrix-telegram.service'] - ansible.builtin.import_role: - name: custom/matrix-postgres + name: galaxy/com.devture.ansible.role.postgres tasks_from: migrate_db_to_postgres - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml index 4338a691f..37915f077 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml @@ -13,7 +13,7 @@ - when: "matrix_mautrix_whatsapp_sqlite_database_path_local_stat_result.stat.exists | bool" block: - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + devture_postgres_db_migration_request: src: "{{ matrix_mautrix_whatsapp_sqlite_database_path_local }}" dst: "{{ matrix_mautrix_whatsapp_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -23,7 +23,7 @@ pgloader_options: ['--with "quote identifiers"'] - ansible.builtin.import_role: - name: custom/matrix-postgres + name: galaxy/com.devture.ansible.role.postgres tasks_from: migrate_db_to_postgres - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml index 097e0b69b..d7cac52c3 100644 --- a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml 
@@ -47,7 +47,7 @@ - when: "matrix_mx_puppet_discord_sqlite_database_path_local_stat_result.stat.exists | bool" block: - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + devture_postgres_db_migration_request: src: "{{ matrix_mx_puppet_discord_sqlite_database_path_local }}" dst: "{{ matrix_mx_puppet_discord_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -56,7 +56,7 @@ systemd_services_to_stop: ['matrix-mx-puppet-discord.service'] - ansible.builtin.import_role: - name: custom/matrix-postgres + name: galaxy/com.devture.ansible.role.postgres tasks_from: migrate_db_to_postgres - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml index 9022492f9..1f3dd3d3f 100644 --- a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml @@ -45,7 +45,7 @@ - when: "matrix_mx_puppet_groupme_sqlite_database_path_local_stat_result.stat.exists | bool" block: - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + devture_postgres_db_migration_request: src: "{{ matrix_mx_puppet_groupme_sqlite_database_path_local }}" dst: "{{ matrix_mx_puppet_groupme_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -54,7 +54,7 @@ systemd_services_to_stop: ['matrix-mx-puppet-groupme.service'] - ansible.builtin.import_role: - name: custom/matrix-postgres + name: galaxy/com.devture.ansible.role.postgres tasks_from: migrate_db_to_postgres - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml index 640fd6e34..730c34e60 100644 --- a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml 
@@ -13,7 +13,7 @@ - when: "matrix_mx_puppet_instagram_sqlite_database_path_local_stat_result.stat.exists | bool" block: - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + devture_postgres_db_migration_request: src: "{{ matrix_mx_puppet_instagram_sqlite_database_path_local }}" dst: "{{ matrix_mx_puppet_instagram_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -22,7 +22,7 @@ systemd_services_to_stop: ['matrix-mx-puppet-instagram.service'] - ansible.builtin.import_role: - name: custom/matrix-postgres + name: galaxy/com.devture.ansible.role.postgres tasks_from: migrate_db_to_postgres - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml index 4f8da659e..9d2bcc618 100644 --- a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml @@ -41,7 +41,7 @@ - when: "matrix_mx_puppet_slack_sqlite_database_path_local_stat_result.stat.exists | bool" block: - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + devture_postgres_db_migration_request: src: "{{ matrix_mx_puppet_slack_sqlite_database_path_local }}" dst: "{{ matrix_mx_puppet_slack_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -50,7 +50,7 @@ systemd_services_to_stop: ['matrix-mx-puppet-slack.service'] - ansible.builtin.import_role: - name: custom/matrix-postgres + name: galaxy/com.devture.ansible.role.postgres tasks_from: migrate_db_to_postgres - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml index 14258f2e7..aff6dd952 100644 --- a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml 
@@ -45,7 +45,7 @@ - when: "matrix_mx_puppet_steam_sqlite_database_path_local_stat_result.stat.exists | bool" block: - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + devture_postgres_db_migration_request: src: "{{ matrix_mx_puppet_steam_sqlite_database_path_local }}" dst: "{{ matrix_mx_puppet_steam_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -54,7 +54,7 @@ systemd_services_to_stop: ['matrix-mx-puppet-steam.service'] - ansible.builtin.import_role: - name: custom/matrix-postgres + name: galaxy/com.devture.ansible.role.postgres tasks_from: migrate_db_to_postgres - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml index 2ae45d260..c948c48dc 100644 --- a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml @@ -45,7 +45,7 @@ - when: "matrix_mx_puppet_twitter_sqlite_database_path_local_stat_result.stat.exists | bool" block: - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + devture_postgres_db_migration_request: src: "{{ matrix_mx_puppet_twitter_sqlite_database_path_local }}" dst: "{{ matrix_mx_puppet_twitter_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -54,7 +54,7 @@ systemd_services_to_stop: ['matrix-mx-puppet-twitter.service'] - ansible.builtin.import_role: - name: custom/matrix-postgres + name: galaxy/com.devture.ansible.role.postgres tasks_from: migrate_db_to_postgres - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-dimension/tasks/setup_install.yml b/roles/custom/matrix-dimension/tasks/setup_install.yml index 2aeb1e2a7..e1340d250 100644 --- a/roles/custom/matrix-dimension/tasks/setup_install.yml +++ b/roles/custom/matrix-dimension/tasks/setup_install.yml 
@@ -52,7 +52,7 @@ - {'table': 'dimension_bridges', 'column': 'isPublic', 'default': ''} - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + devture_postgres_db_migration_request: src: "{{ matrix_dimension_sqlite_database_path_local }}" dst: "{{ matrix_dimension_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -64,7 +64,7 @@ additional_psql_statements_db_name: "{{ matrix_dimension_database_name }}" - ansible.builtin.import_role: - name: custom/matrix-postgres + name: galaxy/com.devture.ansible.role.postgres tasks_from: migrate_db_to_postgres - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-etherpad/tasks/validate_config.yml b/roles/custom/matrix-etherpad/tasks/validate_config.yml index 10ddc5843..646648945 100644 --- a/roles/custom/matrix-etherpad/tasks/validate_config.yml +++ b/roles/custom/matrix-etherpad/tasks/validate_config.yml @@ -4,7 +4,7 @@ ansible.builtin.fail: msg: >- Etherpad requires a dedicated Postgres database. Please enable the built in one, or configure an external DB by redefining "matrix_etherpad_database_hostname" - when: matrix_etherpad_database_hostname == "matrix-postgres" and not matrix_postgres_enabled + when: matrix_etherpad_database_hostname == '' - name: Fail if wrong mode selected ansible.builtin.fail: diff --git a/roles/custom/matrix-ma1sd/tasks/setup_install.yml b/roles/custom/matrix-ma1sd/tasks/setup_install.yml index 9b86008ae..e60b664e8 100644 --- a/roles/custom/matrix-ma1sd/tasks/setup_install.yml +++ b/roles/custom/matrix-ma1sd/tasks/setup_install.yml @@ -28,7 +28,7 @@ - when: "matrix_ma1sd_sqlite_database_path_local_stat_result.stat.exists | bool" block: - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + devture_postgres_db_migration_request: src: "{{ matrix_ma1sd_sqlite_database_path_local }}" dst: "{{ matrix_ma1sd_database_connection_string }}" caller: "{{ role_path | basename }}" 
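Review bot: The new `when: matrix_etherpad_database_hostname == ''` in the first task of validate_config.yml (its `name:` line is outside the hunk) drops the case the old condition covered — a hostname still pointing at the built-in Postgres server while that server is disabled — and the unchanged failure message still says "Please enable the built in one", which no longer describes what is being tested. This may be intended if the hostname now defaults to '' whenever the built-in server is off, but that default is not visible in this diff. Either keep a check against the built-in server's enabled flag alongside the empty-string check, or reword the message to match the new condition, e.g. `Etherpad requires a dedicated Postgres database, but "matrix_etherpad_database_hostname" is empty. Enable the built-in Postgres server or point it at an external one.`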
@@ -38,7 +38,7 @@ pgloader_options: ['--with "quote identifiers"'] - ansible.builtin.import_role: - name: custom/matrix-postgres + name: galaxy/com.devture.ansible.role.postgres tasks_from: migrate_db_to_postgres - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-postgres-backup/tasks/setup_install.yml b/roles/custom/matrix-postgres-backup/tasks/setup_install.yml index d26fff6e4..ba374affd 100644 --- a/roles/custom/matrix-postgres-backup/tasks/setup_install.yml +++ b/roles/custom/matrix-postgres-backup/tasks/setup_install.yml @@ -2,7 +2,7 @@ - ansible.builtin.import_role: - name: custom/matrix-postgres + name: galaxy/com.devture.ansible.role.postgres tasks_from: detect_existing_postgres_version when: 'matrix_postgres_backup_postgres_data_path != ""' diff --git a/roles/custom/matrix-postgres/defaults/main.yml b/roles/custom/matrix-postgres/defaults/main.yml deleted file mode 100644 index 5a0cdb6c6..000000000 --- a/roles/custom/matrix-postgres/defaults/main.yml +++ /dev/null 
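Review bot: Switching `tasks_from: detect_existing_postgres_version` to the galaxy role in matrix-postgres-backup should be paired with a check of whatever consumes the detection result, which lies outside this hunk. The custom implementation deleted further down in this commit set `matrix_postgres_detected_existing`, `matrix_postgres_detected_version` and `matrix_postgres_detected_version_corresponding_docker_image`; if the galaxy role exports facts under different names, the `when: 'matrix_postgres_backup_postgres_data_path != ""'` gate still passes but the later consumer reads undefined variables and fails at runtime rather than at validation. The deleted version also failed early with an explicit message when the built-in Postgres was disabled, so it is worth confirming the replacement keeps an equivalent guard.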
@@ -1,133 +0,0 @@ ---- -# Project source code URL: https://github.com/postgres/postgres - -# Controls if the Postgres server managed by the playbook is enabled. -# You can turn it off and use an external Postgres server by setting this to `false`. -# Doing this has various downsides. See `docs/configuring-playbook-external-postgres.md` to learn more. -matrix_postgres_enabled: true - -matrix_postgres_connection_hostname: "matrix-postgres" -matrix_postgres_connection_port: 5432 -matrix_postgres_connection_username: "matrix" -matrix_postgres_connection_password: "" -matrix_postgres_db_name: "matrix" - -matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres" -matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data" - -# matrix_postgres_systemd_services_to_stop_for_maintenance_list specifies the list of systemd services to stop before vacuuming or upgrading. -# These services will be restarted after the operation completes. -matrix_postgres_systemd_services_to_stop_for_maintenance_list: [] - -matrix_postgres_architecture: amd64 - -# matrix_postgres_docker_image_suffix controls whether we use Alpine-based images (`-alpine`) or the normal Debian-based images. -# Alpine-based Postgres images are smaller and we usually prefer them, but they don't work on ARM32 (tested on a Raspberry Pi 3 running Raspbian 10.7). 
-# On ARM32, `-alpine` images fail with the following error: -# > LOG: startup process (PID 37) was terminated by signal 11: Segmentation fault -matrix_postgres_docker_image_suffix: "{{ '-alpine' if matrix_postgres_architecture in ['amd64', 'arm64'] else '' }}" - -matrix_postgres_docker_image_v9: "{{ matrix_container_global_registry_prefix }}postgres:9.6.24{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v10: "{{ matrix_container_global_registry_prefix }}postgres:10.22{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v11: "{{ matrix_container_global_registry_prefix }}postgres:11.17{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v12: "{{ matrix_container_global_registry_prefix }}postgres:12.12{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v13: "{{ matrix_container_global_registry_prefix }}postgres:13.8{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v14: "{{ matrix_container_global_registry_prefix }}postgres:14.5{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v15: "{{ matrix_container_global_registry_prefix }}postgres:15.0{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v15 }}" - -# This variable is assigned at runtime. Overriding its value has no effect. -matrix_postgres_docker_image_to_use: '{{ matrix_postgres_docker_image_latest }}' - -matrix_postgres_docker_image_force_pull: "{{ matrix_postgres_docker_image_to_use.endswith(':latest') }}" - -# A list of extra arguments to pass to the container -matrix_postgres_container_extra_arguments: [] - -# A list of extra arguments to pass to the postgres process -# e.g. "-c 'max_connections=200'" -matrix_postgres_process_extra_arguments: [] - -# Controls whether the matrix-postgres container exposes a port (tcp/5432 in the -# container) that can be used to access the database from outside the container (e.g. 
with psql) -# -# psql postgresql://username:password@localhost:/database_name -# -# Takes an ":" or "" value (e.g. "127.0.0.1:5432"), or empty string to not expose. -matrix_postgres_container_postgres_bind_port: "" - -# A list of additional (databases and their credentials) to create. -# -# Example: -# matrix_postgres_additional_databases: -# - name: matrix_appservice_discord -# username: matrix_appservice_discord -# password: some_password -# - name: matrix_appservice_slack -# username: matrix_appservice_slack -# password: some_password -matrix_postgres_additional_databases: [] - -# A list of roles/users to avoid creating when importing (or upgrading) the database. -# If a dump file contains the roles and they've also been created beforehand (see `matrix_postgres_additional_databases`), -# importing would fail. -# We either need to not create them or to ignore the `CREATE ROLE` statements in the dump. -matrix_postgres_import_roles_to_ignore: | - {{ - ( - [matrix_postgres_connection_username] - + - matrix_postgres_additional_databases|map(attribute='username') | list - ) | unique - }} - -# When importing an existing Postgres database (when restoring a backup) or when doing a Postgres upgrade (which dumps & restores), we'd like to avoid: -# - creating users (`CREATE ROLE ..`) -# - updating passwords for users (`ALTER ROLE matrix WITH SUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN NOREPLICATION NOBYPASSRLS PASSWORD 'md5...`) -# -# Both of these operations are done by the playbook anyway. -# Updating passwords is especially undesirable, because older versions hash passwords using md5 and export them as md5 hashes in the dump file, -# which is unsupported by default by newer Postgres versions (v14+). -# When users are created and passwords are set by the playbook, they end up hashed as `scram-sha-256` on Postgres v14+. -# If an md5-hashed password is restored on top, Postgres v14+ will refuse to authenticate users with it by default. 
-# -# We also allow for the role name to be quoted, which is rare, but might happen for role names which are special keywords (e.g. `default`). -matrix_postgres_import_roles_ignore_regex: "^(CREATE|ALTER) ROLE \\\"?({{ matrix_postgres_import_roles_to_ignore | join('|') }})\\\"?(;| WITH)" # noqa jinja[spacing] - -# A list of databases to avoid creating when importing (or upgrading) the database. -# If a dump file contains the databases and they've also been created beforehand (see `matrix_postgres_additional_databases`), -# importing would fail. -# We either need to not create them or to ignore the `CREATE DATABASE` statements in the dump. -matrix_postgres_import_databases_to_ignore: | - {{ - ( - [matrix_postgres_db_name] - + - matrix_postgres_additional_databases|map(attribute='name') | list - ) | unique - }} - -# We also allow for the database name to be quoted, which is rare, but might happen for database names which are special keywords (e.g. `default`). -matrix_postgres_import_databases_ignore_regex: "^CREATE DATABASE \\\"?({{ matrix_postgres_import_databases_to_ignore | join('|') }})\\\"?\\s" # noqa jinja[spacing] - -# The number of seconds to wait after starting `matrix-postgres.service` -# and before trying to run queries for creating additional databases/users against it. -# -# For most (subsequent) runs, Postgres would already be running, so no waiting will be happening at all. -# -# On ARM, we wait some more. ARM32 devices are especially known for being slow. -# ARM64 likely don't need such a long delay, but it doesn't hurt too much having it. 
-matrix_postgres_additional_databases_postgres_start_wait_timeout_seconds: "{{ 45 if matrix_postgres_architecture in ['arm32', 'arm64'] else 15 }}" - - -matrix_postgres_pgloader_container_image_self_build: false -matrix_postgres_pgloader_container_image_self_build_repo: "https://github.com/illagrenan/pgloader-docker.git" -matrix_postgres_pgloader_container_image_self_build_repo_branch: "v{{ matrix_postgres_pgloader_docker_image_tag }}" -matrix_postgres_pgloader_container_image_self_build_src_path: "{{ matrix_postgres_base_path }}/pgloader-container-src" - -# We use illagrenan/pgloader, instead of the more official dimitri/pgloader image, -# because the official one only provides a `latest` tag. -matrix_postgres_pgloader_docker_image: "{{ matrix_postgres_pgloader_docker_image_name_prefix }}illagrenan/pgloader:{{ matrix_postgres_pgloader_docker_image_tag }}" -matrix_postgres_pgloader_docker_image_name_prefix: "{{ 'localhost/' if matrix_postgres_pgloader_container_image_self_build else matrix_container_global_registry_prefix }}" -matrix_postgres_pgloader_docker_image_tag: "3.6.2" -matrix_postgres_pgloader_docker_image_force_pull: "{{ matrix_postgres_pgloader_docker_image.endswith(':latest') }}" diff --git a/roles/custom/matrix-postgres/tasks/detect_existing_postgres_version.yml b/roles/custom/matrix-postgres/tasks/detect_existing_postgres_version.yml deleted file mode 100644 index 1be8291b6..000000000 --- a/roles/custom/matrix-postgres/tasks/detect_existing_postgres_version.yml +++ /dev/null 
@@ -1,75 +0,0 @@
----
-
-# This utility aims to determine if there is some existing Postgres version in use or not.
-# If there is, it also tries to detect the Docker image that corresponds to that version.
-#
-# This utility is intentionally not in `tasks/util`, because if it were, it wouldn't be possible
-# to include it in other roles via the import_role module: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/import_role_module.html
-
-
-- name: Fail detection if expectation fails (Postgres not enabled)
- ansible.builtin.fail:
- msg: "Trying to detect the version of the built-in Postgres server, but Postgres installation is not enabled (`matrix_postgres_enabled: false`)"
- when: not matrix_postgres_enabled
-
-- name: Initialize Postgres version determination variables (default to empty)
- ansible.builtin.set_fact:
- matrix_postgres_detection_pg_version_path: "{{ matrix_postgres_data_path }}/PG_VERSION"
- matrix_postgres_detected_existing: false
- matrix_postgres_detected_version: ""
- matrix_postgres_detected_version_corresponding_docker_image: ""
-
-- name: Determine existing Postgres version (check PG_VERSION file)
- ansible.builtin.stat:
- path: "{{ matrix_postgres_detection_pg_version_path }}"
- register: result_pg_version_stat
-
-- ansible.builtin.set_fact:
- matrix_postgres_detected_existing: true
- when: "result_pg_version_stat.stat.exists"
-
-- name: Determine existing Postgres version (read PG_VERSION file)
- ansible.builtin.slurp:
- src: "{{ matrix_postgres_detection_pg_version_path }}"
- register: result_pg_version
- when: matrix_postgres_detected_existing | bool
-
-- name: Determine existing Postgres version (make sense of PG_VERSION file)
- ansible.builtin.set_fact:
- matrix_postgres_detected_version: "{{ result_pg_version['content'] | b64decode | replace('\n', '') }}"
- when: matrix_postgres_detected_existing | bool
-
-- name: Determine corresponding Docker image to detected version (assume default of latest)
- 
ansible.builtin.set_fact:
- matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_latest }}"
- when: "matrix_postgres_detected_version != ''"
-
-- name: Determine corresponding Docker image to detected version (use 9.x, if detected)
- ansible.builtin.set_fact:
- matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v9 }}"
- when: "matrix_postgres_detected_version.startswith('9.')"
-
-- name: Determine corresponding Docker image to detected version (use 10.x, if detected)
- ansible.builtin.set_fact:
- matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v10 }}"
- when: "matrix_postgres_detected_version == '10' or matrix_postgres_detected_version.startswith('10.')"
-
-- name: Determine corresponding Docker image to detected version (use 11.x, if detected)
- ansible.builtin.set_fact:
- matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v11 }}"
- when: "matrix_postgres_detected_version == '11' or matrix_postgres_detected_version.startswith('11.')"
-
-- name: Determine corresponding Docker image to detected version (use 12.x, if detected)
- ansible.builtin.set_fact:
- matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v12 }}"
- when: "matrix_postgres_detected_version == '12' or matrix_postgres_detected_version.startswith('12.')"
-
-- name: Determine corresponding Docker image to detected version (use 13.x, if detected)
- ansible.builtin.set_fact:
- matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v13 }}"
- when: "matrix_postgres_detected_version == '13' or matrix_postgres_detected_version.startswith('13.')"
-
-- name: Determine corresponding Docker image to detected version (use 14.x, if detected)
- ansible.builtin.set_fact:
- matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v14 
}}"
- when: "matrix_postgres_detected_version == '14' or matrix_postgres_detected_version.startswith('14.')"
diff --git a/roles/custom/matrix-postgres/tasks/import_generic_sqlite_db.yml b/roles/custom/matrix-postgres/tasks/import_generic_sqlite_db.yml
deleted file mode 100644
index c3fff5208..000000000
--- a/roles/custom/matrix-postgres/tasks/import_generic_sqlite_db.yml
+++ /dev/null
@@ -1,102 +0,0 @@ ---- - -# Pre-checks - -- name: Fail if Postgres not enabled - ansible.builtin.fail: - msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot import." - when: "not matrix_postgres_enabled | bool" - -- name: Fail if playbook called incorrectly - ansible.builtin.fail: - msg: "The `sqlite_database_path` variable needs to be provided to this playbook, via --extra-vars" - when: "sqlite_database_path is not defined or sqlite_database_path.startswith('<')" - -- name: Check if the provided SQLite database file exists - ansible.builtin.stat: - path: "{{ sqlite_database_path }}" - register: sqlite_database_path_stat_result - -- name: Fail if provided SQLite database file doesn't exist - ansible.builtin.fail: - msg: "File cannot be found on the server at {{ sqlite_database_path }}" - when: "not sqlite_database_path_stat_result.stat.exists" - -# We either expect `postgres_db_connection_string` specifying a full Postgres database connection string, -# or `postgres_connection_string_variable_name`, specifying a name of a variable, which contains a valid connection string. - -- when: 'postgres_connection_string_variable_name is defined' - block: - - name: Fail if postgres_connection_string_variable_name points to an undefined variable - ansible.builtin.fail: - msg: "postgres_connection_string_variable_name is defined, but there is no variable with the name `{{ postgres_connection_string_variable_name }}`" - when: "postgres_connection_string_variable_name not in vars" - - - name: Get Postgres connection string from variable - ansible.builtin.set_fact: - postgres_db_connection_string: "{{ lookup('vars', postgres_connection_string_variable_name) }}" - -- name: Fail if playbook called incorrectly - ansible.builtin.fail: - msg: >- - Either a `postgres_db_connection_string` variable or a `postgres_connection_string_variable_name` needs to be provided to this playbook, via `--extra-vars`. 
- Example: `--extra-vars="postgres_db_connection_string=postgresql://username:password@localhost:/database_name"` or `--extra-vars="postgres_connection_string_variable_name=matrix_appservice_discord_database_connString"` - when: "postgres_db_connection_string is not defined or not postgres_db_connection_string.startswith('postgresql://')" - - -# Defaults - -- name: Set postgres_start_wait_time, if not provided - ansible.builtin.set_fact: - postgres_start_wait_time: 15 - when: "postgres_start_wait_time | default('') == ''" - - -# Actual import work - -- name: Ensure matrix-postgres is started - ansible.builtin.service: - name: matrix-postgres - state: started - daemon_reload: true - register: matrix_postgres_service_start_result - -- name: Wait a bit, so that Postgres can start - ansible.builtin.wait_for: - timeout: "{{ postgres_start_wait_time }}" - delegate_to: 127.0.0.1 - become: false - when: "matrix_postgres_service_start_result.changed | bool" - -- name: Import SQLite database from {{ sqlite_database_path }} into Postgres # noqa name[template] - ansible.builtin.command: - cmd: >- - {{ devture_systemd_docker_base_host_command_docker }} run - --rm - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --network={{ matrix_docker_network }} - --mount type=bind,src={{ sqlite_database_path }},dst=/in.db,ro - --entrypoint=/bin/sh - {{ matrix_postgres_pgloader_docker_image }} - -c - 'pgloader /in.db {{ postgres_db_connection_string }}' - register: matrix_postgres_import_generic_sqlite_db_import_result - changed_when: matrix_postgres_import_generic_sqlite_db_import_result.rc == 0 - -- name: Archive SQLite database ({{ sqlite_database_path }} -> {{ sqlite_database_path }}.backup) # noqa name[template] - ansible.builtin.command: - cmd: "mv {{ sqlite_database_path }} {{ sqlite_database_path }}.backup" - register: matrix_postgres_import_generic_sqlite_db_move_result - changed_when: matrix_postgres_import_generic_sqlite_db_move_result.rc == 0 - -- name: 
Inject result - ansible.builtin.set_fact: - devture_playbook_runtime_messages_list: | - {{ - devture_playbook_runtime_messages_list | default([]) - + - [ - "NOTE: Your SQLite database file has been imported into Postgres. The original file has been moved from `{{ sqlite_database_path }}` to `{{ sqlite_database_path }}.backup`. When you've confirmed that the import went well and everything works, you should be able to safely delete this file." - ] - }} diff --git a/roles/custom/matrix-postgres/tasks/import_postgres.yml b/roles/custom/matrix-postgres/tasks/import_postgres.yml deleted file mode 100644 index d21333adc..000000000 --- a/roles/custom/matrix-postgres/tasks/import_postgres.yml +++ /dev/null 
@@ -1,114 +0,0 @@ ---- - -# Pre-checks - -- name: Fail if Postgres not enabled - ansible.builtin.fail: - msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot import." - when: "not matrix_postgres_enabled | bool" - -- name: Fail if playbook called incorrectly - ansible.builtin.fail: - msg: "The `server_path_postgres_dump` variable needs to be provided to this playbook, via --extra-vars" - when: "server_path_postgres_dump is not defined or server_path_postgres_dump.startswith('<')" - -- name: Check if the provided Postgres dump file exists - ansible.builtin.stat: - path: "{{ server_path_postgres_dump }}" - register: result_server_path_postgres_dump_stat - -- name: Fail if provided Postgres dump file doesn't exists - ansible.builtin.fail: - msg: "File cannot be found on the server at {{ server_path_postgres_dump }}" - when: "not result_server_path_postgres_dump_stat.stat.exists" - - -# Defaults - -- name: Set postgres_start_wait_time, if not provided - ansible.builtin.set_fact: - postgres_start_wait_time: 15 - when: "postgres_start_wait_time | default('') == ''" - -- name: Set postgres_import_wait_time, if not provided - ansible.builtin.set_fact: - postgres_import_wait_time: "{{ 7 * 86400 }}" - when: "postgres_import_wait_time | default('') == ''" - -# By default, we connect and import into the main (`matrix`) database. -# Single-database dumps for Synapse may wish to import into `synapse` instead. 
-- name: Set postgres_default_import_database, if not provided - ansible.builtin.set_fact: - postgres_default_import_database: "{{ matrix_postgres_db_name }}" - when: "postgres_default_import_database | default('') == ''" - -# Actual import work - -- name: Ensure matrix-postgres is started - ansible.builtin.service: - name: matrix-postgres - state: started - daemon_reload: true - register: matrix_postgres_import_start_result - -- name: Wait a bit, so that Postgres can start - when: matrix_postgres_import_start_result.changed | bool - ansible.builtin.wait_for: - timeout: "{{ postgres_start_wait_time }}" - delegate_to: 127.0.0.1 - become: false - -- ansible.builtin.import_tasks: tasks/detect_existing_postgres_version.yml - -- name: Abort, if no existing Postgres version detected - ansible.builtin.fail: - msg: "Could not find existing Postgres installation" - when: "not matrix_postgres_detected_existing | bool" - -# Starting the database container had automatically created the default -# role (`matrix_postgres_connection_username`) and database (`matrix_postgres_db_name`). -# The dump most likely contains those same entries and would try to re-create them, leading to errors. -# We need to skip over those lines. 
-- name: Generate Postgres database import command - ansible.builtin.set_fact: - matrix_postgres_import_command: >- - {{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-postgres-import - --log-driver=none - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --network={{ matrix_docker_network }} - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql - --mount type=bind,src={{ server_path_postgres_dump }},dst=/{{ server_path_postgres_dump | basename }},ro - --entrypoint=/bin/sh - {{ matrix_postgres_docker_image_latest }} - -c "cat /{{ server_path_postgres_dump | basename }} | - {{ 'gunzip |' if server_path_postgres_dump.endswith('.gz') else '' }} - grep -vE '{{ matrix_postgres_import_roles_ignore_regex }}' | - grep -vE '{{ matrix_postgres_import_databases_ignore_regex }}' | - psql -v ON_ERROR_STOP=1 -h matrix-postgres --dbname={{ postgres_default_import_database }}" - tags: - - skip_ansible_lint - -# This is a hack. -# See: https://ansibledaily.com/print-to-standard-output-without-escaping/ -# -# We want to run `debug: msg=".."`, but that dumps it as JSON and escapes double quotes within it, -# which ruins the command (`matrix_postgres_import_command`) -- name: Note about Postgres importing alternative - ansible.builtin.set_fact: - dummy: true - with_items: - - >- - Importing Postgres database using the following command: `{{ matrix_postgres_import_command }}`. - If this crashes, you can stop Postgres (`systemctl stop matrix-postgres`), - delete its existing data (`rm -rf {{ matrix_postgres_data_path }}/*`), start it again (`systemctl start matrix-postgres`) - and manually run the above import command directly on the server. 
- -- name: Perform Postgres database import - ansible.builtin.command: - cmd: "{{ matrix_postgres_import_command }}" - async: "{{ postgres_import_wait_time }}" - poll: 10 - register: matrix_postgres_import_postgres_command_result - failed_when: not matrix_postgres_import_postgres_command_result.finished or matrix_postgres_import_postgres_command_result.rc != 0 - changed_when: matrix_postgres_import_postgres_command_result.finished and matrix_postgres_import_postgres_command_result.rc == 0 diff --git a/roles/custom/matrix-postgres/tasks/import_synapse_sqlite_db.yml b/roles/custom/matrix-postgres/tasks/import_synapse_sqlite_db.yml deleted file mode 100644 index b885ea975..000000000 --- a/roles/custom/matrix-postgres/tasks/import_synapse_sqlite_db.yml +++ /dev/null 
@@ -1,89 +0,0 @@ ---- - -# Pre-checks - -- name: Fail if Postgres not enabled - ansible.builtin.fail: - msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot import." - when: "not matrix_postgres_enabled | bool" - -- name: Fail if playbook called incorrectly - ansible.builtin.fail: - msg: "The `server_path_homeserver_db` variable needs to be provided to this playbook, via --extra-vars" - when: "server_path_homeserver_db is not defined or server_path_homeserver_db.startswith('<')" - -- name: Check if the provided SQLite homeserver.db file exists - ansible.builtin.stat: - path: "{{ server_path_homeserver_db }}" - register: result_server_path_homeserver_db_stat - -- name: Fail if provided SQLite homeserver.db file doesn't exist - ansible.builtin.fail: - msg: "File cannot be found on the server at {{ server_path_homeserver_db }}" - when: "not result_server_path_homeserver_db_stat.stat.exists" - - -# Defaults - -- name: Set postgres_start_wait_time, if not provided - ansible.builtin.set_fact: - postgres_start_wait_time: 15 - when: "postgres_start_wait_time | default('') == ''" - - -# Actual import work - -- name: Ensure matrix-postgres is stopped - ansible.builtin.service: - name: matrix-postgres - state: stopped - daemon_reload: true - -- name: Ensure postgres data is wiped out - ansible.builtin.file: - path: "{{ matrix_postgres_data_path }}" - state: absent - -- name: Ensure postgres data path exists - ansible.builtin.file: - path: "{{ matrix_postgres_data_path }}" - state: directory - mode: 0700 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure matrix-postgres is started - ansible.builtin.service: - name: matrix-postgres - state: restarted - daemon_reload: true - -- name: Wait a bit, so that Postgres can start - ansible.builtin.wait_for: - timeout: "{{ postgres_start_wait_time }}" - delegate_to: 127.0.0.1 - become: false - -# We don't use the `docker_container` module, because using 
it with `cap_drop` requires -# a very recent version, which is not available for a lot of people yet. -# -# Also, some old `docker_container` versions were buggy and would leave containers behind -# on failure, which we had to work around to allow retries (by re-running the playbook). -- name: Import SQLite database into Postgres - ansible.builtin.command: - cmd: | - docker run - --rm - --name=matrix-synapse-migrate - --log-driver=none - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --network={{ matrix_docker_network }} - --entrypoint=python - --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data - --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/matrix-media-store-parent/media-store - --mount type=bind,src={{ server_path_homeserver_db }},dst=/{{ server_path_homeserver_db | basename }} - {{ matrix_synapse_docker_image_final }} - /usr/local/bin/synapse_port_db --sqlite-database /{{ server_path_homeserver_db | basename }} --postgres-config /data/homeserver.yaml - register: matrix_postgres_import_synapse_sqlite_db_result - changed_when: matrix_postgres_import_synapse_sqlite_db_result.rc == 0 diff --git a/roles/custom/matrix-postgres/tasks/main.yml b/roles/custom/matrix-postgres/tasks/main.yml deleted file mode 100644 index 02f53b73a..000000000 --- a/roles/custom/matrix-postgres/tasks/main.yml +++ /dev/null 
@@ -1,43 +0,0 @@
----
-
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml"
- when: "run_setup | bool and matrix_postgres_enabled | bool"
- tags:
- - setup-all
- - setup-postgres
- - install-postgres
-
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_postgres.yml"
- when: run_setup | bool
- tags:
- - setup-all
- - setup-postgres
- - install-postgres
-
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/import_postgres.yml"
- when: run_postgres_import | bool
- tags:
- - import-postgres
-
-# The `run_postgres_import_sqlite_db` variable had better be renamed to be consistent,
-# but that's a breaking change which may cause trouble for people.
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/import_synapse_sqlite_db.yml"
- when: run_postgres_import_sqlite_db | bool
- tags:
- - import-synapse-sqlite-db
-
-# Perhaps we need a new variable here, instead of `run_postgres_import_sqlite_db`.
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/import_generic_sqlite_db.yml"
- when: run_postgres_import_sqlite_db | bool
- tags:
- - import-generic-sqlite-db
-
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/upgrade_postgres.yml"
- when: run_postgres_upgrade | bool
- tags:
- - upgrade-postgres
-
-- ansible.builtin.import_tasks: "{{ role_path }}/tasks/run_vacuum.yml"
- when: run_postgres_vacuum | bool
- tags:
- - run-postgres-vacuum
diff --git a/roles/custom/matrix-postgres/tasks/migrate_db_to_postgres.yml b/roles/custom/matrix-postgres/tasks/migrate_db_to_postgres.yml
deleted file mode 100644
index dca284ad1..000000000
--- a/roles/custom/matrix-postgres/tasks/migrate_db_to_postgres.yml
+++ /dev/null
@@ -1,176 +0,0 @@ ---- - -- name: Fail if Postgres not enabled - ansible.builtin.fail: - msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot migrate." - when: "not matrix_postgres_enabled | bool" - -- name: Fail if util called incorrectly (missing matrix_postgres_db_migration_request) - ansible.builtin.fail: - msg: "The `matrix_postgres_db_migration_request` variable needs to be provided to this util." - when: "matrix_postgres_db_migration_request is not defined" - -- name: Fail if util called incorrectly (invalid matrix_postgres_db_migration_request) - ansible.builtin.fail: - msg: "The `matrix_postgres_db_migration_request` variable needs to contain `{{ item }}`." - with_items: - - src - - dst - - caller - - engine_variable_name - - systemd_services_to_stop - when: "item not in matrix_postgres_db_migration_request" - -- name: Check if the provided source database file exists - ansible.builtin.stat: - path: "{{ matrix_postgres_db_migration_request.src }}" - register: matrix_postgres_db_migration_request_src_stat_result - -- name: Fail if provided source database file doesn't exist - ansible.builtin.fail: - msg: "File cannot be found on the server at {{ matrix_postgres_db_migration_request.src }}" - when: "not matrix_postgres_db_migration_request_src_stat_result.stat.exists" - -- when: "matrix_postgres_pgloader_container_image_self_build | bool" - block: - - name: Ensure pgloader repository is present on self-build - ansible.builtin.git: - repo: "{{ matrix_postgres_pgloader_container_image_self_build_repo }}" - dest: "{{ matrix_postgres_pgloader_container_image_self_build_src_path }}" - version: "{{ matrix_postgres_pgloader_container_image_self_build_repo_branch }}" - force: "yes" - become: true - become_user: "{{ matrix_user_username }}" - register: matrix_postgres_pgloader_git_pull_results - - # If `stable` is used, we hit an error when processing 
/opt/src/pgloader/build/quicklisp/dists/quicklisp/software/uax-15-20201220-git/data/CompositionExclusions.txt: - # > the octet sequence #(194) cannot be decoded - # - # The issue is described here and is not getting fixed for months: https://github.com/dimitri/pgloader/pull/1179 - # - # Although we're not using the dimitri/pgloader image, the one we're using suffers from the same problem. - - name: Switch pgloader base image from Debian stable (likely 10.x/Buster) to Bullseye - ansible.builtin.lineinfile: - path: "{{ matrix_postgres_pgloader_container_image_self_build_src_path }}/Dockerfile" - regexp: "{{ item.match }}" - line: "{{ item.replace }}" - with_items: - - match: '^FROM debian:stable-slim as builder$' - replace: 'FROM debian:bullseye-slim as builder' - - match: '^FROM debian:stable-slim$' - replace: 'FROM debian:bullseye-slim' - - - name: Ensure pgloader Docker image is built - community.docker.docker_image: - name: "{{ matrix_postgres_pgloader_docker_image }}" - source: build - force_source: "{{ matrix_postgres_pgloader_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_postgres_pgloader_git_pull_results.changed }}" - build: - dockerfile: Dockerfile - path: "{{ matrix_postgres_pgloader_container_image_self_build_src_path }}" - pull: true - -- name: Ensure pgloader Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_postgres_pgloader_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_postgres_pgloader_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_postgres_pgloader_docker_image_force_pull }}" - when: "not matrix_postgres_pgloader_container_image_self_build" - -# Defaults - -- 
name: Set postgres_start_wait_time, if not provided - ansible.builtin.set_fact: - postgres_start_wait_time: 15 - when: "postgres_start_wait_time | default('') == ''" - -# Actual import work - -# matrix-postgres is most likely started already -- name: Ensure matrix-postgres is started - ansible.builtin.service: - name: matrix-postgres - state: started - daemon_reload: true - register: matrix_postgres_service_start_result - -- name: Wait a bit, so that Postgres can start - ansible.builtin.wait_for: - timeout: "{{ postgres_start_wait_time }}" - delegate_to: 127.0.0.1 - become: false - when: "matrix_postgres_service_start_result.changed | bool" - -# We only stop services here, leaving it to the caller to start them later. -# -# We can't start them, because they probably need to be reconfigured too (changing the configuration from using SQLite to Postgres, etc.), -# before starting. -# -# Since the caller will be starting them, it might make sense to leave stopping to it as well. -# However, we don't do it, because it's simpler having it here, and it also gets to happen only if we'll be doing an import. -# If we bailed out (somewhere above), nothing would have gotten stopped. It's nice to leave this running in such cases. 
-- name: Ensure systemd services blocking the database import are stopped - ansible.builtin.service: - name: "{{ item }}" - state: stopped - failed_when: false - with_items: "{{ matrix_postgres_db_migration_request.systemd_services_to_stop }}" - -- name: Import {{ matrix_postgres_db_migration_request.engine_old }} database from {{ matrix_postgres_db_migration_request.src }} into Postgres # noqa name[template] - ansible.builtin.command: - cmd: >- - {{ devture_systemd_docker_base_host_command_docker }} run - --rm - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --network={{ matrix_docker_network }} - --mount type=bind,src={{ matrix_postgres_db_migration_request.src }},dst=/in.db,ro - --entrypoint=/bin/sh - {{ matrix_postgres_pgloader_docker_image }} - -c - 'pgloader {{ matrix_postgres_db_migration_request.pgloader_options | default([]) | join(' ') }} /in.db {{ matrix_postgres_db_migration_request.dst }}' - register: matrix_postgres_migrate_db_to_postgres_import_result - changed_when: matrix_postgres_migrate_db_to_postgres_import_result.rc == 0 - -- when: "matrix_postgres_db_migration_request.additional_psql_statements_list | default([]) | length > 0" - block: - - ansible.builtin.import_role: - name: custom/matrix-postgres - tasks_from: detect_existing_postgres_version - - - ansible.builtin.set_fact: - matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_latest if matrix_postgres_detected_version_corresponding_docker_image == '' else matrix_postgres_detected_version_corresponding_docker_image }}" - - - name: Execute additional Postgres SQL migration statements - ansible.builtin.command: - cmd: >- - {{ devture_systemd_docker_base_host_command_docker }} run - --rm - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql - --network={{ matrix_docker_network }} - {{ matrix_postgres_docker_image_to_use }} - psql --host=matrix-postgres --dbname={{ 
matrix_postgres_db_migration_request.additional_psql_statements_db_name }} --command='{{ item }}' - with_items: "{{ matrix_postgres_db_migration_request.additional_psql_statements_list }}" - register: matrix_postgres_migrate_db_to_postgres_additional_queries_result - changed_when: matrix_postgres_migrate_db_to_postgres_additional_queries_result.rc == 0 - -- name: Archive {{ matrix_postgres_db_migration_request.engine_old }} database ({{ matrix_postgres_db_migration_request.src }} -> {{ matrix_postgres_db_migration_request.src }}.backup) # noqa name[template] - ansible.builtin.command: - cmd: "mv {{ matrix_postgres_db_migration_request.src }} {{ matrix_postgres_db_migration_request.src }}.backup" - register: matrix_postgres_migrate_db_to_postgres_move_result - changed_when: matrix_postgres_migrate_db_to_postgres_move_result.rc == 0 - -- name: Inject result - ansible.builtin.set_fact: - devture_playbook_runtime_messages_list: | - {{ - devture_playbook_runtime_messages_list | default([]) - + - [ - "NOTE: Your {{ matrix_postgres_db_migration_request.engine_old }} database file has been imported into Postgres. The original database file has been moved from `{{ matrix_postgres_db_migration_request.src }}` to `{{ matrix_postgres_db_migration_request.src }}.backup`. When you've confirmed that the import went well and everything works, you should be able to safely delete this file." - ] - }} diff --git a/roles/custom/matrix-postgres/tasks/migrate_postgres_data_directory.yml b/roles/custom/matrix-postgres/tasks/migrate_postgres_data_directory.yml deleted file mode 100644 index 062a05c4a..000000000 --- a/roles/custom/matrix-postgres/tasks/migrate_postgres_data_directory.yml +++ /dev/null 
@@ -1,78 +0,0 @@ ---- - -# We used to store Postgres data directly under `/matrix/postgres` (what is now considered `matrix_postgres_base_path`). -# -# From now on, we expect to store Postgres data one directory below now (`/matrix/postgres/data` - `matrix_postgres_data_path`). -# We wish to use the base directory for other purposes (storing environment variable files, etc.). -# Mixing those with the Postgres data is no good and it leads to Postgres's `initdb` complaining to initialize -# a database in a non-empty directory. -# -# For this reason, we store the Postgres data in `/matrix/postgres/data` and need to relocate any installations -# which still store it in the parent directory (`/matrix/postgres`). -# -# This utility is intentionally not in `tasks/util`, because if it were, it wouldn't be possible -# to include it in other roles via the import_role module: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/import_role_module.html - -- name: Check if old Postgres data directory is used - ansible.builtin.stat: - path: "{{ matrix_postgres_base_path }}/PG_VERSION" - register: result_pg_old_data_dir_stat - -- name: Warn if old Postgres data directory detected - ansible.builtin.debug: - msg: > - Found that you have Postgres data in `{{ matrix_postgres_base_path }}`. - From now on, Postgres data is supposed to be stored in `{{ matrix_postgres_data_path }}` instead. - We'll stop Postgres and relocate the files there for you. - when: "result_pg_old_data_dir_stat.stat.exists" - -# We should stop Postgres first, before building a list of files, -# as to ignore any `postmaster.pid` files, etc. 
-- name: Ensure matrix-postgres is stopped - ansible.builtin.service: - name: matrix-postgres - state: stopped - daemon_reload: true - when: "result_pg_old_data_dir_stat.stat.exists" - -- name: Find files and directories in old Postgres data path - ansible.builtin.find: - paths: "{{ matrix_postgres_base_path }}" - file_type: any - excludes: ["data"] - register: "result_pg_old_data_dir_find" - when: "result_pg_old_data_dir_stat.stat.exists" - -- name: Ensure new Postgres data path exists - ansible.builtin.file: - path: "{{ matrix_postgres_data_path }}" - state: directory - mode: 0700 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: "result_pg_old_data_dir_stat.stat.exists" - -- when: "result_pg_old_data_dir_stat.stat.exists" - block: - - name: Relocate Postgres data files from old directory to new - ansible.builtin.command: - cmd: "mv {{ item.path }} {{ matrix_postgres_data_path }}/{{ item.path | basename }}" - with_items: "{{ result_pg_old_data_dir_find.files }}" - register: matrix_postgres_migrate_postgres_data_directory_move_result - changed_when: matrix_postgres_migrate_postgres_data_directory_move_result.rc == 0 - -# Intentionally not starting matrix-postgres here. -# It likely needs to be updated to point to the new directory. -# In fact, let's even get rid of the outdated service, to ensure no one will start it -# and have it initialize a new database. - -- name: Ensure outdated matrix-postgres.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-postgres.service" - state: absent - when: "result_pg_old_data_dir_stat.stat.exists" - -- name: Ensure systemd reloaded after getting rid of outdated matrix-postgres.service - ansible.builtin.service: - daemon_reload: true - when: "result_pg_old_data_dir_stat.stat.exists" 
diff --git a/roles/custom/matrix-postgres/tasks/run_vacuum.yml b/roles/custom/matrix-postgres/tasks/run_vacuum.yml
deleted file mode 100644
index dfa4be7a3..000000000
--- a/roles/custom/matrix-postgres/tasks/run_vacuum.yml
+++ /dev/null
@@ -1,96 +0,0 @@ ---- - -# Pre-checks - -- name: Fail if Postgres not enabled - ansible.builtin.fail: - msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot run vacuum." - when: "not matrix_postgres_enabled | bool" - - -# Defaults - -- name: Set postgres_start_wait_time, if not provided - ansible.builtin.set_fact: - postgres_start_wait_time: 15 - when: "postgres_start_wait_time | default('') == ''" - -- name: Set postgres_vacuum_wait_time, if not provided - ansible.builtin.set_fact: - postgres_vacuum_wait_time: "{{ 7 * 86400 }}" - when: "postgres_vacuum_wait_time | default('') == ''" - - -# Actual vacuuming work - -- name: Ensure matrix-postgres is started - ansible.builtin.service: - name: matrix-postgres - state: started - daemon_reload: true - register: matrix_postgres_vacuum_start_result - -- name: Wait a bit, so that Postgres can start - when: matrix_postgres_vacuum_start_result.changed | bool - ansible.builtin.wait_for: - timeout: "{{ postgres_start_wait_time }}" - delegate_to: 127.0.0.1 - become: false - -- ansible.builtin.import_tasks: tasks/detect_existing_postgres_version.yml - -- name: Abort, if no existing Postgres version detected - ansible.builtin.fail: - msg: "Could not find existing Postgres installation" - when: "not matrix_postgres_detected_existing | bool" - -- name: Generate Postgres database vacuum command - ansible.builtin.set_fact: - matrix_postgres_vacuum_command: >- - {{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-postgres-synapse-vacuum - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --network={{ matrix_docker_network }} - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql - {{ matrix_postgres_docker_image_latest }} - psql -v ON_ERROR_STOP=1 -h matrix-postgres {{ matrix_synapse_database_database }} -c 'VACUUM FULL VERBOSE' - -- name: Note about Postgres vacuum alternative - ansible.builtin.debug: - msg: >- - Running vacuum with the 
following Postgres ansible.builtin.command: `{{ matrix_postgres_vacuum_command }}`. - If this crashes, you can stop all processes (`systemctl stop matrix-*`), - start Postgres only (`systemctl start matrix-postgres`) - and manually run the above command directly on the server. - -- name: Populate service facts - ansible.builtin.service_facts: - -- ansible.builtin.set_fact: - matrix_postgres_synapse_was_running: "{{ ansible_facts.services['matrix-synapse.service'] | default(none) is not none and ansible_facts.services['matrix-synapse.service'].state == 'running' }}" - -- name: Ensure services are stopped - ansible.builtin.service: - name: "{{ item }}" - state: stopped - daemon_reload: true - with_items: "{{ matrix_postgres_systemd_services_to_stop_for_maintenance_list }}" - -- name: Run Postgres vacuum command - ansible.builtin.command: "{{ matrix_postgres_vacuum_command }}" - async: "{{ postgres_vacuum_wait_time }}" - poll: 10 - register: matrix_postgres_synapse_vacuum_result - failed_when: not matrix_postgres_synapse_vacuum_result.finished or matrix_postgres_synapse_vacuum_result.rc != 0 - changed_when: matrix_postgres_synapse_vacuum_result.finished and matrix_postgres_synapse_vacuum_result.rc == 0 - -# Intentionally show the results -- ansible.builtin.debug: - var: "matrix_postgres_synapse_vacuum_result" - -- name: Ensure services are started - ansible.builtin.service: - name: "{{ item }}" - state: started - daemon_reload: true - with_items: "{{ matrix_postgres_systemd_services_to_stop_for_maintenance_list }}" diff --git a/roles/custom/matrix-postgres/tasks/setup_postgres.yml b/roles/custom/matrix-postgres/tasks/setup_postgres.yml deleted file mode 100644 index bba0d7989..000000000 --- a/roles/custom/matrix-postgres/tasks/setup_postgres.yml +++ /dev/null 
@@ -1,215 +0,0 @@ ---- - -# -# Tasks related to setting up an internal postgres server -# - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/migrate_postgres_data_directory.yml" - when: matrix_postgres_enabled | bool - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/detect_existing_postgres_version.yml" - when: matrix_postgres_enabled | bool - -# If we have found an existing version (installed from before), we use its corresponding Docker image. -# If not, we install using the latest Postgres. -# -# Upgrading is supposed to be performed separately and explicitly (see `upgrade_postgres.yml`). -- ansible.builtin.set_fact: - matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_latest if matrix_postgres_detected_version_corresponding_docker_image == '' else matrix_postgres_detected_version_corresponding_docker_image }}" - when: matrix_postgres_enabled | bool - -- name: Abort if on an unsupported Postgres version - ansible.builtin.fail: - msg: "You're on Postgres {{ matrix_postgres_detected_version }}, which is no longer supported. To upgrade, see docs/maintenance-postgres.md" - when: "matrix_postgres_enabled | bool and matrix_postgres_detected_version.startswith('9.')" - -- name: Inject warning if on an old version of Postgres - ansible.builtin.set_fact: - devture_playbook_runtime_messages_list: | - {{ - devture_playbook_runtime_messages_list | default([]) - + - [ - "NOTE: Your setup is on an old Postgres version ({{ matrix_postgres_docker_image_to_use }}), while {{ matrix_postgres_docker_image_latest }} is supported. 
You can upgrade using --tags=upgrade-postgres" - ] - }} - when: "matrix_postgres_enabled | bool and matrix_postgres_docker_image_to_use != matrix_postgres_docker_image_latest" - -# Even if we don't run the internal server, we still need this for running the CLI -- name: Ensure postgres Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_postgres_docker_image_to_use }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_postgres_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_postgres_docker_image_force_pull }}" - when: matrix_postgres_enabled | bool - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure Postgres paths exist - ansible.builtin.file: - path: "{{ item }}" - state: directory - mode: 0700 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_postgres_base_path }}" - - "{{ matrix_postgres_data_path }}" - when: matrix_postgres_enabled | bool - -# We do this as a separate task, because: -# - we'd like to do it for the data path only, not for the base path (which contains root-owned environment variable files we'd like to leave as-is) -# - we need to do it without `mode`, or we risk making certain `.conf` and other files's executable bit to flip to true -- name: Ensure Postgres data path ownership is correct - ansible.builtin.file: - path: "{{ matrix_postgres_data_path }}" - state: directory - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - recurse: true - when: matrix_postgres_enabled | bool - -- name: Ensure Postgres environment variables file created - ansible.builtin.template: - src: "{{ role_path 
}}/templates/{{ item }}.j2" - dest: "{{ matrix_postgres_base_path }}/{{ item }}" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - mode: 0640 - with_items: - - "env-postgres-psql" - - "env-postgres-server" - when: matrix_postgres_enabled | bool - -- name: Ensure matrix-postgres-cli script created - ansible.builtin.template: - src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-cli.j2" - dest: "{{ matrix_local_bin_path }}/matrix-postgres-cli" - mode: 0755 - when: matrix_postgres_enabled | bool - -- name: Ensure matrix-postgres-cli-non-interactive script created - ansible.builtin.template: - src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-cli-non-interactive.j2" - dest: "{{ matrix_local_bin_path }}/matrix-postgres-cli-non-interactive" - mode: 0755 - when: matrix_postgres_enabled | bool - -- name: Ensure matrix-change-user-admin-status script created - ansible.builtin.template: - src: "{{ role_path }}/templates/usr-local-bin/matrix-change-user-admin-status.j2" - dest: "{{ matrix_local_bin_path }}/matrix-change-user-admin-status" - mode: 0755 - when: matrix_postgres_enabled | bool - -- name: (Migration) Ensure old matrix-make-user-admin script deleted - ansible.builtin.file: - path: "{{ matrix_local_bin_path }}/matrix-make-user-admin" - state: absent - when: matrix_postgres_enabled | bool - -- name: Ensure matrix-postgres-update-user-password-hash script created - ansible.builtin.template: - src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2" - dest: "{{ matrix_local_bin_path }}/matrix-postgres-update-user-password-hash" - mode: 0755 - when: matrix_postgres_enabled | bool - -- name: Ensure matrix-postgres.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-postgres.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-postgres.service" - mode: 0644 - register: matrix_postgres_systemd_service_result - when: 
matrix_postgres_enabled | bool - -- name: Ensure systemd reloaded after matrix-postgres.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_postgres_enabled | bool and matrix_postgres_systemd_service_result.changed" - -- ansible.builtin.include_tasks: - file: "{{ role_path }}/tasks/util/create_additional_databases.yml" - apply: - tags: - - always - when: "matrix_postgres_enabled | bool and matrix_postgres_additional_databases|length > 0" - -- name: Check existence of matrix-postgres backup data path - ansible.builtin.stat: - path: "{{ matrix_postgres_data_path }}-auto-upgrade-backup" - register: matrix_postgres_data_backup_path_stat - when: "matrix_postgres_enabled | bool" - -- name: Inject warning if backup data remains - ansible.builtin.set_fact: - devture_playbook_runtime_messages_list: | - {{ - devture_playbook_runtime_messages_list | default([]) - + - [ - "NOTE: You have some Postgres backup data in `{{ matrix_postgres_data_path }}-auto-upgrade-backup`, which was created during the last major Postgres update you ran. If your setup works well after this upgrade, feel free to delete this whole directory." 
- ] - }} - when: "matrix_postgres_enabled | bool and matrix_postgres_data_backup_path_stat.stat.exists" - - -# -# Tasks related to getting rid of the internal postgres server (if it was previously enabled) -# - -- name: Check existence of matrix-postgres service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-postgres.service" - register: matrix_postgres_service_stat - when: "not matrix_postgres_enabled | bool" - -- name: Ensure matrix-postgres is stopped - ansible.builtin.service: - name: matrix-postgres - state: stopped - daemon_reload: true - when: "not matrix_postgres_enabled | bool and matrix_postgres_service_stat.stat.exists" - -- name: Ensure matrix-postgres.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-postgres.service" - state: absent - when: "not matrix_postgres_enabled | bool and matrix_postgres_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-postgres.service removal - ansible.builtin.service: - daemon_reload: true - when: "not matrix_postgres_enabled | bool and matrix_postgres_service_stat.stat.exists" - -- name: Check existence of matrix-postgres local data path - ansible.builtin.stat: - path: "{{ matrix_postgres_data_path }}" - register: matrix_postgres_data_path_stat - when: "not matrix_postgres_enabled | bool" - -# We just want to notify the user. Deleting data is too destructive. -- name: Inject warning if matrix-postgres local data remains - ansible.builtin.set_fact: - devture_playbook_runtime_messages_list: | - {{ - devture_playbook_runtime_messages_list | default([]) - + - [ - "NOTE: You are not using a local PostgreSQL database, but some old data remains from before in `{{ matrix_postgres_data_path }}`. Feel free to delete it." 
- ] - }} - when: "not matrix_postgres_enabled | bool and matrix_postgres_data_path_stat.stat.exists" - -- name: Remove Postgres scripts - ansible.builtin.file: - path: "{{ matrix_local_bin_path }}/{{ item }}" - state: absent - with_items: - - matrix-postgres-cli - - matrix-change-user-admin-status - - matrix-postgres-update-user-password-hash - when: "not matrix_postgres_enabled | bool" diff --git a/roles/custom/matrix-postgres/tasks/upgrade_postgres.yml b/roles/custom/matrix-postgres/tasks/upgrade_postgres.yml deleted file mode 100644 index d5f7e6c37..000000000 --- a/roles/custom/matrix-postgres/tasks/upgrade_postgres.yml +++ /dev/null 
@@ -1,188 +0,0 @@ ---- - -- name: Set default postgres_dump_dir, if not provided - ansible.builtin.set_fact: - postgres_dump_dir: "/tmp" - when: "postgres_dump_dir | default('') == ''" - -- name: Set postgres_dump_name, if not provided - ansible.builtin.set_fact: - postgres_dump_name: "matrix-postgres-dump.sql.gz" - when: "postgres_dump_name | default('') == ''" - -- name: Set postgres_auto_upgrade_backup_data_path, if not provided - ansible.builtin.set_fact: - postgres_auto_upgrade_backup_data_path: "{{ matrix_postgres_data_path }}-auto-upgrade-backup" - when: "postgres_auto_upgrade_backup_data_path | default('') == ''" - -- name: Set postgres_start_wait_time, if not provided - ansible.builtin.set_fact: - postgres_start_wait_time: 15 - when: "postgres_start_wait_time | default('') == ''" - -- name: Set postgres_force_upgrade, if not provided - ansible.builtin.set_fact: - postgres_force_upgrade: false - when: "postgres_force_upgrade | default('') == ''" - -- name: Fail, if trying to upgrade external Postgres database - ansible.builtin.fail: - msg: "Your configuration indicates that you're not using Postgres from this role. There is nothing to upgrade." - when: "not matrix_postgres_enabled | bool" - -- name: Check Postgres auto-upgrade backup data directory - ansible.builtin.stat: - path: "{{ postgres_auto_upgrade_backup_data_path }}" - register: result_auto_upgrade_path - -- name: Abort, if existing Postgres auto-upgrade data path detected - ansible.builtin.fail: - msg: "Detected that a left-over {{ postgres_auto_upgrade_backup_data_path }} exists. You should rename it to {{ matrix_postgres_data_path }} if the previous upgrade went wrong, or delete it if it went well." 
- when: "result_auto_upgrade_path.stat.exists" - -- ansible.builtin.import_tasks: tasks/detect_existing_postgres_version.yml - -- name: Abort, if no existing Postgres version detected - ansible.builtin.fail: - msg: "Could not find existing Postgres installation" - when: "not matrix_postgres_detected_existing | bool" - -- name: Abort, if already at latest Postgres version - ansible.builtin.fail: - msg: "You are already running the latest Postgres version supported ({{ matrix_postgres_docker_image_latest }}). Nothing to do" - when: "matrix_postgres_detected_version_corresponding_docker_image == matrix_postgres_docker_image_latest and not postgres_force_upgrade" - -- ansible.builtin.debug: - msg: "Upgrading database from {{ matrix_postgres_detected_version_corresponding_docker_image }} to {{ matrix_postgres_docker_image_latest }}" - -- name: Ensure services are stopped - ansible.builtin.service: - name: "{{ item }}" - state: stopped - daemon_reload: true - with_items: "{{ matrix_postgres_systemd_services_to_stop_for_maintenance_list }}" - -- name: Ensure matrix-postgres is started - ansible.builtin.service: - name: matrix-postgres - state: started - daemon_reload: true - -- name: Wait a bit, so that Postgres can start - ansible.builtin.wait_for: - timeout: "{{ postgres_start_wait_time }}" - delegate_to: 127.0.0.1 - become: false - -# We dump all databases, roles, etc. -# -# Because we'll be importing into a new container which initializes the default -# role (`matrix_postgres_connection_username`) and database (`matrix_postgres_db_name`) by itself on startup, -# we need to remove these from the dump, or we'll get errors saying these already exist. 
-- name: Perform Postgres database dump - ansible.builtin.command: - cmd: >- - {{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-postgres-dump - --log-driver=none - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --network={{ matrix_docker_network }} - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql - --entrypoint=/bin/sh - --mount type=bind,src={{ postgres_dump_dir }},dst=/out - {{ matrix_postgres_detected_version_corresponding_docker_image }} - -c "pg_dumpall -h matrix-postgres - {{ '| gzip -c ' if postgres_dump_name.endswith('.gz') else '' }} - > /out/{{ postgres_dump_name }}" - register: matrix_postgres_upgrade_postgres_dump_command_result - changed_when: matrix_postgres_upgrade_postgres_dump_command_result.rc == 0 - tags: - - skip_ansible_lint - -- name: Ensure matrix-postgres is stopped - ansible.builtin.service: - name: matrix-postgres - state: stopped - -- name: Rename existing Postgres data directory - ansible.builtin.command: - cmd: "mv {{ matrix_postgres_data_path }} {{ postgres_auto_upgrade_backup_data_path }}" - register: matrix_postgres_upgrade_postgres_move_command_result - changed_when: matrix_postgres_upgrade_postgres_move_command_result.rc == 0 - -- ansible.builtin.debug: - msg: "NOTE: Your Postgres data directory has been moved from `{{ matrix_postgres_data_path }}` to `{{ postgres_auto_upgrade_backup_data_path }}`. In the event of failure, you can move it back and run the playbook with --tags=setup-postgres to restore operation." 
- -- ansible.builtin.import_tasks: tasks/setup_postgres.yml - -- name: Ensure matrix-postgres autoruns and is restarted - ansible.builtin.service: - name: matrix-postgres - enabled: true - state: restarted - daemon_reload: true - -- name: Wait a bit, so that Postgres can start - ansible.builtin.wait_for: - timeout: "{{ postgres_start_wait_time }}" - delegate_to: 127.0.0.1 - become: false - -# Starting the database container had automatically created the default -# role (`matrix_postgres_connection_username`) and database (`matrix_postgres_db_name`). -# The dump most likely contains those same entries and would try to re-create them, leading to errors. -# We need to skip over those lines. -- name: Generate Postgres database import command - ansible.builtin.set_fact: - matrix_postgres_import_command: >- - {{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-postgres-import - --log-driver=none - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --network={{ matrix_docker_network }} - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql - --entrypoint=/bin/sh - --mount type=bind,src={{ postgres_dump_dir }},dst=/in,ro - {{ matrix_postgres_docker_image_latest }} - -c "cat /in/{{ postgres_dump_name }} | - {{ 'gunzip |' if postgres_dump_name.endswith('.gz') else '' }} - grep -vE '{{ matrix_postgres_import_roles_ignore_regex }}' | - grep -vE '{{ matrix_postgres_import_databases_ignore_regex }}' | - psql -v ON_ERROR_STOP=1 -h matrix-postgres" - tags: - - skip_ansible_lint - -# This is a hack. 
-# See: https://ansibledaily.com/print-to-standard-output-without-escaping/ -# -# We want to run `debug: msg=".."`, but that dumps it as JSON and escapes double quotes within it, -# which ruins the command (`matrix_postgres_import_command`) -- name: Note about Postgres importing - ansible.builtin.set_fact: - dummy: true - with_items: - - >- - Importing Postgres database using the following command: `{{ matrix_postgres_import_command }}`. - If this crashes, you can stop Postgres (`systemctl stop matrix-postgres`), - delete the new database data (`rm -rf {{ matrix_postgres_data_path }}`) - and restore the automatically-made backup (`mv {{ postgres_auto_upgrade_backup_data_path }} {{ matrix_postgres_data_path }}`). - -- name: Perform Postgres database import - ansible.builtin.command: - cmd: "{{ matrix_postgres_import_command }}" - register: matrix_postgres_upgrade_postgres_import_command_result - changed_when: matrix_postgres_upgrade_postgres_import_command_result.rc == 0 - -- name: Delete Postgres database dump file - ansible.builtin.file: - path: "{{ postgres_dump_dir }}/{{ postgres_dump_name }}" - state: absent - -- name: Ensure services are started - ansible.builtin.service: - name: "{{ item }}" - state: started - daemon_reload: true - with_items: "{{ matrix_postgres_systemd_services_to_stop_for_maintenance_list }}" - -- ansible.builtin.debug: - msg: "NOTE: Your old Postgres data directory is preserved at `{{ postgres_auto_upgrade_backup_data_path }}`. You might want to get rid of it once you've confirmed that all is well." diff --git a/roles/custom/matrix-postgres/tasks/util/create_additional_database.yml b/roles/custom/matrix-postgres/tasks/util/create_additional_database.yml deleted file mode 100644 index ce441ee13..000000000 --- a/roles/custom/matrix-postgres/tasks/util/create_additional_database.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- - -# It'd be better if this is belonged to `validate_config.yml`, but it would have to be some loop-within-a-loop there, -# and that's ugly. We also don't expect this to catch errors often. It's more of a defensive last-minute check. -- name: Fail if additional database data appears invalid - ansible.builtin.fail: - msg: "Additional database definition ({{ additional_db }} lacks a required key: {{ item }}" - when: "item not in additional_db" - with_items: "{{ ['name', 'username', 'password'] }}" - -# The SQL statements that we'll run against Postgres are stored in a file that others can't read. -# This file will be mounted into the container and fed to Postgres. -# This way, we avoid passing sensitive data around in CLI commands that other users on the system can see. -- name: Create additional database initialization SQL file for {{ additional_db.name }} - ansible.builtin.template: - src: "{{ role_path }}/templates/sql/init-additional-db-user-and-role.sql.j2" - dest: "/tmp/matrix-postgres-init-additional-db-user-and-role.sql" - mode: 0600 - owner: "{{ matrix_user_uid }}" - group: "{{ matrix_user_gid }}" - -- name: Execute Postgres additional database initialization SQL file for {{ additional_db.name }} - ansible.builtin.command: - cmd: >- - {{ devture_systemd_docker_base_host_command_docker }} run - --rm - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql - --network {{ matrix_docker_network }} - --mount type=bind,src=/tmp/matrix-postgres-init-additional-db-user-and-role.sql,dst=/matrix-postgres-init-additional-db-user-and-role.sql,ro - --entrypoint=/bin/sh - {{ matrix_postgres_docker_image_to_use }} - -c - 'psql -h {{ matrix_postgres_connection_hostname }} --file=/matrix-postgres-init-additional-db-user-and-role.sql' - changed_when: true - -- name: Delete additional database initialization SQL file for {{ additional_db.name }} - ansible.builtin.file: - path: 
/tmp/matrix-postgres-init-additional-db-user-and-role.sql - state: absent diff --git a/roles/custom/matrix-postgres/tasks/util/create_additional_databases.yml b/roles/custom/matrix-postgres/tasks/util/create_additional_databases.yml deleted file mode 100644 index 7fe5713e1..000000000 --- a/roles/custom/matrix-postgres/tasks/util/create_additional_databases.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- - -- name: Ensure matrix-postgres is started - ansible.builtin.service: - name: matrix-postgres - state: started - daemon_reload: true - register: matrix_postgres_service_start_result - -- name: Wait a bit, so that Postgres can start - ansible.builtin.wait_for: - timeout: "{{ matrix_postgres_additional_databases_postgres_start_wait_timeout_seconds }}" - delegate_to: 127.0.0.1 - become: false - when: "matrix_postgres_service_start_result.changed | bool" - -- name: Create additional Postgres user and database - ansible.builtin.include_tasks: "{{ role_path }}/tasks/util/create_additional_database.yml" - with_items: "{{ matrix_postgres_additional_databases }}" - loop_control: - loop_var: additional_db - # Suppress logging to avoid dumping the credentials to the shell - no_log: true diff --git a/roles/custom/matrix-postgres/tasks/validate_config.yml b/roles/custom/matrix-postgres/tasks/validate_config.yml deleted file mode 100644 index a6225632c..000000000 --- a/roles/custom/matrix-postgres/tasks/validate_config.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- - -- name: (Deprecation) Warn about matrix_postgres_use_external usage - ansible.builtin.fail: - msg: > - The `matrix_postgres_use_external` variable defined in your configuration is not used by this playbook anymore! - You'll need to adapt to the new way of using an external Postgres server. - It's a combination of `matrix_postgres_enabled: false` and specifying Postgres connection - details in a few `matrix_postgres_connection_` variables. - See the "Using an external PostgreSQL server (optional)" documentation page. - when: "'matrix_postgres_use_external' in vars" - -# This is separate (from the other required variables below), -# because we'd like to have a friendlier message for our existing users. -- name: Fail if matrix_postgres_connection_password not defined - ansible.builtin.fail: - msg: >- - The playbook no longer has a default Postgres password defined in the `matrix_postgres_connection_password` variable, among lots of other Postgres changes. - You need to perform multiple manual steps to resolve this. - See our changelog for more details: - https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-postgres-changes-that-require-manual-intervention - when: "matrix_postgres_connection_password == ''" - -- name: Fail if required Postgres settings not defined - ansible.builtin.fail: - msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" - with_items: - - "matrix_postgres_connection_hostname" - - "matrix_postgres_connection_port" - - "matrix_postgres_connection_username" - - "matrix_postgres_connection_password" - - "matrix_postgres_db_name" - -- name: Fail if Postgres password length exceeded - ansible.builtin.fail: - msg: "The maximum `matrix_postgres_connection_password` length is 99 characters" - when: "matrix_postgres_connection_password | length > 99" 
diff --git a/roles/custom/matrix-postgres/templates/env-postgres-psql.j2 b/roles/custom/matrix-postgres/templates/env-postgres-psql.j2
deleted file mode 100644
index 220589874..000000000
--- a/roles/custom/matrix-postgres/templates/env-postgres-psql.j2
+++ /dev/null
@@ -1,8 +0,0 @@
-#jinja2: lstrip_blocks: "True"
-PGUSER={{ matrix_postgres_connection_username }}
-PGPASSWORD={{ matrix_postgres_connection_password }}
-PGDATABASE={{ matrix_postgres_db_name }}
-# Prevent errors like this:
-# > could not save history to file "//.psql_history": Permission denied
-# .. due to Postgres not being able to write to the filesystem.
-PSQL_HISTORY=/dev/null
diff --git a/roles/custom/matrix-postgres/templates/env-postgres-server.j2 b/roles/custom/matrix-postgres/templates/env-postgres-server.j2
deleted file mode 100644
index 06feb82a6..000000000
--- a/roles/custom/matrix-postgres/templates/env-postgres-server.j2
+++ /dev/null
@@ -1,7 +0,0 @@
-#jinja2: lstrip_blocks: "True"
-POSTGRES_USER={{ matrix_postgres_connection_username }}
-POSTGRES_PASSWORD={{ matrix_postgres_connection_password }}
-POSTGRES_DB={{ matrix_postgres_db_name }}
-# Synapse refuses to run if collation is not C.
-# See https://github.com/matrix-org/synapse/issues/6722
-POSTGRES_INITDB_ARGS=--lc-collate C --lc-ctype C --encoding UTF8
diff --git a/roles/custom/matrix-postgres/templates/sql/init-additional-db-user-and-role.sql.j2 b/roles/custom/matrix-postgres/templates/sql/init-additional-db-user-and-role.sql.j2
deleted file mode 100644
index a5a3385b6..000000000
--- a/roles/custom/matrix-postgres/templates/sql/init-additional-db-user-and-role.sql.j2
+++ /dev/null
@@ -1,19 +0,0 @@ --- `CREATE USER` does not support `IF NOT EXISTS`, so we use this workaround to prevent an error and raise a notice instead. --- Seen here: https://stackoverflow.com/a/49858797 -DO $$ -BEGIN - CREATE USER "{{ additional_db.username }}"; - EXCEPTION WHEN DUPLICATE_OBJECT THEN - RAISE NOTICE 'not creating user "{{ additional_db.username }}", since it already exists'; -END -$$; - --- This is useful for initial user creation (since we don't assign a password above) and for handling subsequent password changes --- TODO - we should escape quotes in the password. -ALTER ROLE "{{ additional_db.username }}" PASSWORD '{{ additional_db.password }}'; - --- This will generate an error on subsequent execution -CREATE DATABASE "{{ additional_db.name }}" WITH LC_CTYPE 'C' LC_COLLATE 'C' OWNER "{{ additional_db.username }}"; - --- This is useful for changing the database owner subsequently -ALTER DATABASE "{{ additional_db.name }}" OWNER TO "{{ additional_db.username }}"; diff --git a/roles/custom/matrix-postgres/templates/systemd/matrix-postgres.service.j2 b/roles/custom/matrix-postgres/templates/systemd/matrix-postgres.service.j2 deleted file mode 100644 index e63267a3e..000000000 --- a/roles/custom/matrix-postgres/templates/systemd/matrix-postgres.service.j2 +++ /dev/null 
@@ -1,46 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix Postgres server -After=docker.service -Requires=docker.service -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-postgres 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-postgres 2>/dev/null || true' - -# We need /dev/shm to be larger than the default to allow VACUUM to work. -# See: -# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1362 -# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1268 -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-postgres \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - --tmpfs=/tmp:rw,noexec,nosuid,size=100m \ - --tmpfs=/run/postgresql:rw,noexec,nosuid,size=100m \ - --shm-size=256m \ - --network={{ matrix_docker_network }} \ - {% if matrix_postgres_container_postgres_bind_port %} - -p {{ matrix_postgres_container_postgres_bind_port }}:5432 \ - {% endif %} - --env-file={{ matrix_postgres_base_path }}/env-postgres-server \ - --mount type=bind,src={{ matrix_postgres_data_path }},dst=/var/lib/postgresql/data \ - --mount type=bind,src=/etc/passwd,dst=/etc/passwd,ro \ - {% for arg in matrix_postgres_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_postgres_docker_image_to_use }} \ - postgres {{ matrix_postgres_process_extra_arguments|join(' ') }} - -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-postgres 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ 
devture_systemd_docker_base_host_command_docker }} rm matrix-postgres 2>/dev/null || true'
-Restart=always
-RestartSec=30
-SyslogIdentifier=matrix-postgres
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/custom/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 b/roles/custom/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2
deleted file mode 100644
index f378a10f5..000000000
--- a/roles/custom/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2
+++ /dev/null
@@ -1,19 +0,0 @@
-#jinja2: lstrip_blocks: "True"
-#!/bin/bash
-
-if [ $# -ne 2 ]; then
- echo "Usage: "$0" <0/1>"
- echo "Usage: 0 = non-admin"
- echo "Usage: 1 = admin"
- exit 1
-fi
-
-docker run \
- -i \
- --rm \
- --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
- --cap-drop=ALL \
- --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
- --network {{ matrix_docker_network }} \
- {{ matrix_postgres_docker_image_to_use }} \
- psql -h {{ matrix_postgres_connection_hostname }} --dbname={{ matrix_synapse_database_database }} -c "UPDATE users set admin=$2 WHERE name like '@$1:{{ matrix_domain }}'"
diff --git a/roles/custom/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli-non-interactive.j2 b/roles/custom/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli-non-interactive.j2
deleted file mode 100644
index 012bb327f..000000000
--- a/roles/custom/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli-non-interactive.j2
+++ /dev/null
@@ -1,12 +0,0 @@
-#jinja2: lstrip_blocks: "True"
-#!/bin/bash
-
-docker run \
- --rm \
- --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
- --cap-drop=ALL \
- --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
- --network {{ matrix_docker_network }} \
- {{ matrix_postgres_docker_image_to_use }} \
- psql -h {{ matrix_postgres_connection_hostname }} \
- "$@"
diff --git a/roles/custom/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 b/roles/custom/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2
deleted file mode 100644
index de09a4eb2..000000000
--- a/roles/custom/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2
+++ /dev/null
@@ -1,13 +0,0 @@
-#jinja2: lstrip_blocks: "True"
-#!/bin/bash
-
-docker run \
- -it \
- --rm \
- --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
- --cap-drop=ALL \
- --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
- --network {{ matrix_docker_network }} \
- {{ matrix_postgres_docker_image_to_use }} \
- psql -h {{ matrix_postgres_connection_hostname }} \
- "$@"
diff --git a/roles/custom/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 b/roles/custom/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2
deleted file mode 100644
index 0fbf4f21b..000000000
--- a/roles/custom/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-#jinja2: lstrip_blocks: "True"
-#!/bin/bash
-
-if [ $# -ne 2 ]; then
- echo "Usage: "$0" "
- exit 1
-fi
-
-docker run \
- --rm \
- --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
- --cap-drop=ALL \
- --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
- --network {{ matrix_docker_network }} \
- {{ matrix_postgres_docker_image_to_use }} \
- psql -h {{ matrix_postgres_connection_hostname }} --dbname={{ matrix_synapse_database_database }} -c "UPDATE users set password_hash='$2' WHERE name = '@$1:{{ matrix_domain }}'"
diff --git a/roles/custom/matrix-registration/tasks/setup_install.yml b/roles/custom/matrix-registration/tasks/setup_install.yml
index 04b2db3ef..a2f5c2838 100644
--- a/roles/custom/matrix-registration/tasks/setup_install.yml
+++ b/roles/custom/matrix-registration/tasks/setup_install.yml
@@ -13,7 +13,7 @@ - when: "matrix_registration_sqlite_database_path_local_stat_result.stat.exists | bool" block: - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + devture_postgres_db_migration_request: src: "{{ matrix_registration_sqlite_database_path_local }}" dst: "{{ matrix_registration_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -27,7 +27,7 @@ additional_psql_statements_db_name: "{{ matrix_registration_database_name }}" - ansible.builtin.import_role: - name: custom/matrix-postgres + name: galaxy/com.devture.ansible.role.postgres tasks_from: migrate_db_to_postgres - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml b/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml index e5cf8e8ec..dba057751 100644 --- a/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml +++ b/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml 
@@ -31,15 +31,15 @@ ansible.builtin.set_fact: matrix_synapse_rust_synapse_compress_state_psql_import_command: >- {{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-rust-synapse-compress-state-psql-import - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --user={{ devture_postgres_uid }}:{{ devture_postgres_gid }} --cap-drop=ALL - --network={{ matrix_docker_network }} - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql + --network={{ devture_postgres_container_network }} + --env-file={{ devture_postgres_base_path }}/env-postgres-psql --mount type=bind,src={{ matrix_synapse_rust_synapse_compress_state_base_path }},dst=/work,ro --entrypoint=/bin/sh - {{ matrix_postgres_docker_image_latest }} + {{ devture_postgres_container_image_latest }} -c "cat /work/state-compressor.sql | - psql -v ON_ERROR_STOP=1 -h matrix-postgres -d {{ matrix_synapse_database_database }}" + psql -v ON_ERROR_STOP=1 -h {{ devture_postgres_identifier }} -d {{ matrix_synapse_database_database }}" - name: Import compression SQL into Postgres ansible.builtin.command: "{{ matrix_synapse_rust_synapse_compress_state_psql_import_command }}" diff --git a/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/main.yml b/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/main.yml index 17124e251..45716ef03 100644 --- a/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/main.yml +++ b/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/main.yml @@ -3,8 +3,8 @@ - name: Fail if Postgres not enabled ansible.builtin.fail: - msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot use rust-synapse-compress-state." - when: "not matrix_postgres_enabled | bool" + msg: "Postgres via the com.devture.ansible.role.postgres role is not enabled (`devture_postgres_enabled`). Cannot use rust-synapse-compress-state." + when: "not devture_postgres_enabled | bool" # Defaults 
@@ -53,17 +53,11 @@ delay: "{{ devture_playbook_help_container_retries_delay }}" until: result is not failed -- name: Generate rust-synapse-compress-state room find command + +- name: Generate rust-synapse-compress-state room find SQL command ansible.builtin.set_fact: matrix_synapse_rust_synapse_compress_state_find_rooms_command: >- - {{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-rust-synapse-compress-state-find-rooms - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --network={{ matrix_docker_network }} - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql - {{ matrix_postgres_docker_image_latest }} - psql -v ON_ERROR_STOP=1 -h matrix-postgres {{ matrix_synapse_database_database }} -c - 'SELECT array_to_json(array_agg(row_to_json (r))) FROM (SELECT room_id, count(*) AS count FROM state_groups_state GROUP BY room_id HAVING count(*) > {{ matrix_synapse_rust_synapse_compress_state_min_state_groups_required }} ORDER BY count DESC) r;' + {{ devture_postgres_bin_path }}/cli-non-interactive --dbname={{ matrix_synapse_database_database | quote }} -c "SELECT array_to_json(array_agg(row_to_json (r))) FROM (SELECT room_id, count(*) AS count FROM state_groups_state GROUP BY room_id HAVING count(*) > {{ matrix_synapse_rust_synapse_compress_state_min_state_groups_required }} ORDER BY count DESC) r;" - name: Find rooms eligible for compression with rust-synapse-compress-state ansible.builtin.command: "{{ matrix_synapse_rust_synapse_compress_state_find_rooms_command }}" diff --git a/roles/custom/matrix-synapse/tasks/update_user_password.yml b/roles/custom/matrix-synapse/tasks/update_user_password.yml index 3ddc4b8de..799c15a81 100644 --- a/roles/custom/matrix-synapse/tasks/update_user_password.yml +++ b/roles/custom/matrix-synapse/tasks/update_user_password.yml 
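Review bot: The added empty `+` line before `- name: Generate rust-synapse-compress-state room find SQL command` leaves two consecutive blank lines after `until: result is not failed`; one of them should go. The rewritten command also no longer passes `-v ON_ERROR_STOP=1`, which the removed `psql` invocation did; whether `cli-non-interactive` sets it is not visible here, and the following `Find rooms eligible for compression` task appears to depend on the command's exit status, so that is worth confirming. The SQL text now interpolates `matrix_synapse_rust_synapse_compress_state_min_state_groups_required` directly; a comment such as `# Numeric threshold spliced into the SQL; keep it an integer` above the `set_fact` would record that expectation. The surrounding task list continues outside the hunk.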
@@ -10,37 +10,43 @@ msg: "The `password` variable needs to be provided to this playbook, via --extra-vars" when: "password is not defined or password == ''" -- name: Fail if not using matrix-postgres container +- name: Fail if not using integrated Postgres database ansible.builtin.fail: - msg: "This command is working only when matrix-postgres container is being used" - when: "not matrix_postgres_enabled | bool" + msg: "This command is working only when Postgres is installed via the the integrated com.devture.ansible.role.postgres role" + when: "not devture_postgres_enabled | bool" -- name: Ensure matrix-synapse is started +- name: Ensure Postgres is started ansible.builtin.service: - name: matrix-synapse + name: "{{ devture_postgres_identifier }}" state: started daemon_reload: true - register: start_result + register: postgres_start_result -- name: Ensure matrix-postgres is started +- name: Ensure Synapse is started ansible.builtin.service: - name: matrix-postgres + name: matrix-synapse state: started daemon_reload: true - register: postgres_start_result - + register: synapse_start_result -- name: Wait a while, so that Matrix Synapse can manage to start +- name: Wait a while, so that Synapse and/or Postgres can manage to start ansible.builtin.pause: seconds: 7 - when: "start_result.changed or postgres_start_result.changed" + when: "synapse_start_result.changed or postgres_start_result.changed" -- name: Generate password hash +- name: Generate user password hash ansible.builtin.shell: "{{ devture_systemd_docker_base_host_command_docker }} exec matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password | quote }}" register: password_hash changed_when: false +- name: Generate user password-change SQL command + ansible.builtin.set_fact: + matrix_synapse_user_password_change_command: >- + {{ devture_postgres_bin_path }}/cli-non-interactive --dbname={{ matrix_synapse_database_database | quote }} -c "UPDATE users SET password_hash='{{ 
password_hash.stdout }}' WHERE name = '@{{ username }}:{{ matrix_domain }}'" + - name: Update user password hash - ansible.builtin.command: "{{ matrix_local_bin_path }}/matrix-postgres-update-user-password-hash {{ username | quote }} {{ password_hash.stdout | quote }}" + ansible.builtin.command: + cmd: "{{ matrix_synapse_user_password_change_command }}" register: matrix_synapse_update_user_password_result changed_when: matrix_synapse_update_user_password_result.rc == 0 + failed_when: "matrix_synapse_update_user_password_result.rc != 0 or matrix_synapse_update_user_password_result.stdout != 'UPDATE 1'" diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index 49e31ebbb..00c88192a 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml 
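Review bot: The `UPDATE` statement in `matrix_synapse_user_password_change_command` embeds `username` and `password_hash.stdout` into the SQL text with no quoting, whereas the removed invocation at least shell-quoted both with `| quote`; `ansible.builtin.command` does not go through a shell, so a quote character in `username` now breaks its argument splitting or the statement itself instead of being escaped. Unless a task earlier in the file (outside the hunk) already constrains `username`, add a guard before the `set_fact`, e.g. `- name: Fail if username contains unexpected characters` / `ansible.builtin.fail:` / `when: "username is not match('^[a-z0-9._=/+-]+$')"` (constructed pattern covering the characters Matrix permits in a localpart; confirm against the naming used on this server). The new `failed_when: ... stdout != 'UPDATE 1'` is a useful addition, since it turns a no-op update into a visible failure. Consider `no_log: true` on the `Generate user password-change SQL command` and `Update user password hash` tasks so the hash does not end up in playbook output.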
@@ -34,3 +34,15 @@ - {'old': 'matrix_systemd_services_list', 'new': 'devture_systemd_service_manager_services_list_additional'} - {'old': 'matrix_common_after_systemd_service_start_wait_for_timeout_seconds', 'new': 'devture_systemd_service_manager_up_verification_delay_seconds'} - {'old': 'matrix_systemd_services_autostart_enabled', 'new': 'devture_systemd_service_manager_services_autostart_enabled'} + +- name: (Deprecation) Catch and report matrix_postgres variables + ansible.builtin.fail: + msg: |- + The matrix-postgres role in the playbook has been replaced with the com.devture.ansible.role.postgres role (https://github.com/devture/com.devture.ansible.role.postgres). + The new role is pretty much the same, but uses differently named variables. + + Please change your configuration (vars.yml) to rename all matrix-postgres variables (`matrix_postgres_*` -> `devture_postgres_*`). + Note that `matrix_postgres_backup_*` variables (used by the `matrix-postgres-backup` role) need to remain as they are for now. Do not rename those! + + The following variables in your configuration need to be renamed: {{ vars | dict2items | rejectattr('key', 'match', 'matrix_postgres_backup_') | selectattr('key', 'match', 'matrix_postgres_.*') | map (attribute='key') | join(', ') }} + when: "vars | dict2items | rejectattr('key', 'match', 'matrix_postgres_backup_') | selectattr('key', 'match', 'matrix_postgres_.*') | list | items2dict" From eedf5ad94d4e9d15c44b86cf6d4d75441f64810c Mon Sep 17 00:00:00 2001 
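Review bot: The `when:` of the new `(Deprecation) Catch and report matrix_postgres variables` task uses `| list | items2dict` purely as a truthiness test, which is an unusual way to ask whether the filtered list is empty; `| list | length > 0` states the intent directly and avoids building a throwaway dict. The same filter chain is duplicated between `msg` and `when`; a `set_fact` computing the offending key list once would keep the two from drifting apart. Minor: `map (attribute='key')` has a stray space before the parenthesis, unlike the other filters on that line.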
From: Slavi Pantaleev Date: Sun, 27 Nov 2022 08:23:43 +0200 Subject: [PATCH 088/915] Remove some hardcoded matrix-postgres references --- group_vars/matrix_servers | 11 +++++++++++ roles/custom/matrix-bot-honoroit/defaults/main.yml | 2 +- .../matrix-bot-honoroit/tasks/validate_config.yml | 11 ++++++----- .../matrix-bot-matrix-reminder-bot/defaults/main.yml | 2 +- .../tasks/validate_config.yml | 11 ++++++----- roles/custom/matrix-bot-maubot/defaults/main.yml | 2 +- .../matrix-bot-maubot/tasks/validate_config.yml | 11 ++++++----- .../tasks/validate_config.yml | 2 +- .../matrix-bridge-mx-puppet-discord/defaults/main.yml | 2 +- .../tasks/validate_config.yml | 11 ++++++----- .../matrix-bridge-mx-puppet-groupme/defaults/main.yml | 2 +- .../tasks/validate_config.yml | 11 ++++++----- .../defaults/main.yml | 2 +- .../tasks/validate_config.yml | 11 ++++++----- .../matrix-bridge-mx-puppet-slack/defaults/main.yml | 2 +- .../tasks/validate_config.yml | 11 ++++++----- .../matrix-bridge-mx-puppet-steam/defaults/main.yml | 2 +- .../tasks/validate_config.yml | 11 ++++++----- .../matrix-bridge-mx-puppet-twitter/defaults/main.yml | 2 +- .../tasks/validate_config.yml | 11 ++++++----- roles/custom/matrix-dendrite/defaults/main.yml | 2 +- .../custom/matrix-dendrite/tasks/validate_config.yml | 3 ++- .../dendrite/systemd/matrix-dendrite.service.j2 | 4 ++-- 23 files changed, 80 insertions(+), 59 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 2e86eea57..30b6f1d73 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -1188,6 +1188,7 @@ matrix_mx_puppet_slack_login_shared_secret: "{{ matrix_synapse_ext_password_prov # Postgres is the default, except if not using internal Postgres server matrix_mx_puppet_slack_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_mx_puppet_slack_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}" matrix_mx_puppet_slack_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.slack.db', rounds=655555) | to_uuid }}" ###################################################################### @@ -1228,6 +1229,7 @@ matrix_mx_puppet_twitter_container_http_host_bind_port: "{{ '' if matrix_nginx_p # Postgres is the default, except if not using internal Postgres server matrix_mx_puppet_twitter_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_mx_puppet_twitter_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}" matrix_mx_puppet_twitter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.twitter.db', rounds=655555) | to_uuid }}" ###################################################################### @@ -1267,6 +1269,7 @@ matrix_mx_puppet_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_ # Postgres is the default, except if not using internal Postgres server matrix_mx_puppet_instagram_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_mx_puppet_instagram_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}" matrix_mx_puppet_instagram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.ig.db', rounds=655555) | to_uuid }}" ###################################################################### 
@@ -1305,6 +1308,7 @@ matrix_mx_puppet_discord_login_shared_secret: "{{ matrix_synapse_ext_password_pr # Postgres is the default, except if not using internal Postgres server matrix_mx_puppet_discord_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_mx_puppet_discord_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}" matrix_mx_puppet_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.dsc.db', rounds=655555) | to_uuid }}" ###################################################################### @@ -1343,6 +1347,7 @@ matrix_mx_puppet_steam_login_shared_secret: "{{ matrix_synapse_ext_password_prov # Postgres is the default, except if not using internal Postgres server matrix_mx_puppet_steam_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_mx_puppet_steam_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}" matrix_mx_puppet_steam_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.steam.db', rounds=655555) | to_uuid }}" ###################################################################### @@ -1381,6 +1386,7 @@ matrix_mx_puppet_groupme_login_shared_secret: "{{ matrix_synapse_ext_password_pr # Postgres is the default, except if not using internal Postgres server matrix_mx_puppet_groupme_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_mx_puppet_groupme_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}" matrix_mx_puppet_groupme_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.groupme.db', rounds=655555) | to_uuid }}" ###################################################################### 
@@ -1411,6 +1417,7 @@ matrix_bot_matrix_reminder_bot_systemd_required_services_list: | # Postgres is the default, except if not using internal Postgres server matrix_bot_matrix_reminder_bot_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_bot_matrix_reminder_bot_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}" matrix_bot_matrix_reminder_bot_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'reminder.bot.db', rounds=655555) | to_uuid }}" matrix_bot_matrix_reminder_bot_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" @@ -1482,6 +1489,7 @@ matrix_bot_maubot_management_interface_http_bind_port: "{{ '' if matrix_nginx_pr # Postgres is the default, except if not using internal Postgres server matrix_bot_maubot_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_bot_maubot_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}" matrix_bot_maubot_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.dsc.db', rounds=655555) | to_uuid }}" ###################################################################### @@ -1513,6 +1521,7 @@ matrix_bot_honoroit_systemd_required_services_list: | # Postgres is the default, except if not using internal Postgres server matrix_bot_honoroit_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_bot_honoroit_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}" matrix_bot_honoroit_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'honoroit.bot.db', rounds=655555) | to_uuid }}" matrix_bot_honoroit_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" 
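Review bot: The maubot block this hunk extends derives `matrix_bot_maubot_database_password` with the salt `'mxpup.dsc.db'` (an unchanged line here), which is the same salt `matrix_mx_puppet_discord_database_password` uses in the hunk above, so both services receive an identical Postgres password derived from the same secret. Each service has its own database role, so a credential exposed by either one is also valid for the other; a distinct salt such as `'maubot.db'` would separate them. Since changing the salt changes the derived password, existing installs would need the role's password in Postgres updated in the same change, so this deserves its own commit rather than a drive-by edit.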
@@ -2984,6 +2993,8 @@ matrix_dendrite_sync_api_real_ip_header: "{{ 'X-Forwarded-For' if matrix_nginx_p matrix_dendrite_client_api_registration_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.rss', rounds=655555) | to_uuid }}" +matrix_dendrite_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}" + matrix_dendrite_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.db', rounds=655555) | to_uuid }}" # Even if TURN doesn't support TLS (it does by default), diff --git a/roles/custom/matrix-bot-honoroit/defaults/main.yml b/roles/custom/matrix-bot-honoroit/defaults/main.yml index 3510f4732..186ef3f4e 100644 --- a/roles/custom/matrix-bot-honoroit/defaults/main.yml +++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml @@ -43,7 +43,7 @@ matrix_bot_honoroit_sqlite_database_path_in_container: "/data/bot.db" matrix_bot_honoroit_database_username: 'honoroit' matrix_bot_honoroit_database_password: 'some-password' -matrix_bot_honoroit_database_hostname: 'matrix-postgres' +matrix_bot_honoroit_database_hostname: '' matrix_bot_honoroit_database_port: 5432 matrix_bot_honoroit_database_name: 'honoroit' diff --git a/roles/custom/matrix-bot-honoroit/tasks/validate_config.yml b/roles/custom/matrix-bot-honoroit/tasks/validate_config.yml index 0057e3c2c..228db8abc 100644 --- a/roles/custom/matrix-bot-honoroit/tasks/validate_config.yml +++ b/roles/custom/matrix-bot-honoroit/tasks/validate_config.yml 
@@ -1,10 +1,11 @@ --- -- name: Fail if required settings not defined +- name: Fail if required honoroit settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_bot_honoroit_password" - - "matrix_bot_honoroit_roomid" + - {'name': 'matrix_bot_honoroit_password', when: true} + - {'name': 'matrix_bot_honoroit_roomid', when: true} + - {'name': 'matrix_bot_honoroit_database_hostname', when: "{{ matrix_bot_honoroit_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bot-matrix-reminder-bot/defaults/main.yml b/roles/custom/matrix-bot-matrix-reminder-bot/defaults/main.yml index 610a43a32..03f117679 100644 --- a/roles/custom/matrix-bot-matrix-reminder-bot/defaults/main.yml +++ b/roles/custom/matrix-bot-matrix-reminder-bot/defaults/main.yml @@ -44,7 +44,7 @@ matrix_bot_matrix_reminder_bot_sqlite_database_path_in_container: "/data/bot.db" matrix_bot_matrix_reminder_bot_database_username: 'matrix_reminder_bot' matrix_bot_matrix_reminder_bot_database_password: 'some-password' -matrix_bot_matrix_reminder_bot_database_hostname: 'matrix-postgres' +matrix_bot_matrix_reminder_bot_database_hostname: '' matrix_bot_matrix_reminder_bot_database_port: 5432 matrix_bot_matrix_reminder_bot_database_name: 'matrix_reminder_bot' diff --git a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/validate_config.yml b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/validate_config.yml index 54f38dd51..f6e7afdf6 100644 --- a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/validate_config.yml +++ b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/validate_config.yml 
@@ -1,15 +1,16 @@ --- -- name: Fail if required settings not defined +- name: Fail if required matrix-reminder-bot settings not defined ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_bot_matrix_reminder_bot_matrix_user_password" - - "matrix_bot_matrix_reminder_bot_reminders_timezone" + - {'name': 'matrix_bot_matrix_reminder_bot_matrix_user_password', when: true} + - {'name': 'matrix_bot_matrix_reminder_bot_reminders_timezone', when: true} + - {'name': 'matrix_bot_matrix_reminder_bot_database_hostname', when: "{{ matrix_bot_matrix_reminder_bot_database_engine == 'postgres' }}"} -- name: (Deprecation) Catch and report renamed settings +- name: (Deprecation) Catch and report renamed matrix-reminder-bot settings ansible.builtin.fail: msg: >- Your configuration contains a variable, which now has a different name. diff --git a/roles/custom/matrix-bot-maubot/defaults/main.yml b/roles/custom/matrix-bot-maubot/defaults/main.yml index 0a73d92e0..71353914b 100644 --- a/roles/custom/matrix-bot-maubot/defaults/main.yml +++ b/roles/custom/matrix-bot-maubot/defaults/main.yml @@ -27,7 +27,7 @@ matrix_bot_maubot_sqlite_database_path_in_container: "/data/maubot.db" matrix_bot_maubot_database_username: matrix_bot_maubot matrix_bot_maubot_database_password: ~ -matrix_bot_maubot_database_hostname: 'matrix-postgres' +matrix_bot_maubot_database_hostname: '' matrix_bot_maubot_database_port: 5432 matrix_bot_maubot_database_name: matrix_bot_maubot diff --git a/roles/custom/matrix-bot-maubot/tasks/validate_config.yml b/roles/custom/matrix-bot-maubot/tasks/validate_config.yml index 5b28d9c0e..d8bac550a 100644 --- a/roles/custom/matrix-bot-maubot/tasks/validate_config.yml +++ b/roles/custom/matrix-bot-maubot/tasks/validate_config.yml 
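Review bot: The unchanged `msg` in this hunk still interpolates `{{ item }}`, but the list items are now `{'name': ..., 'when': ...}` dicts, so a failed check will print the whole mapping instead of the variable name; the honoroit and maubot validate_config hunks in the same patch switched the message to `{{ item.name }}` and this one should match. Change the context line to use `{{ item.name }}` in place of `{{ item }}`. The deprecation task that follows is cut off by the hunk boundary.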
@@ -1,10 +1,11 @@ --- -- name: Fail if required settings not defined +- name: Fail if required maubot settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - matrix_bot_maubot_unshared_secret - - matrix_bot_maubot_admins + - {'name': 'matrix_bot_maubot_unshared_secret', when: true} + - {'name': 'matrix_bot_maubot_admins', when: true} + - {'name': 'matrix_bot_maubot_database_hostname', when: "{{ matrix_bot_maubot_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bridge-mautrix-twitter/tasks/validate_config.yml b/roles/custom/matrix-bridge-mautrix-twitter/tasks/validate_config.yml index 326dca83a..a97d292f2 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mautrix-twitter/tasks/validate_config.yml @@ -1,6 +1,6 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mautrix-twitter settings not defined ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`). diff --git a/roles/custom/matrix-bridge-mx-puppet-discord/defaults/main.yml b/roles/custom/matrix-bridge-mx-puppet-discord/defaults/main.yml index 771af9922..be6911570 100644 --- a/roles/custom/matrix-bridge-mx-puppet-discord/defaults/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-discord/defaults/main.yml @@ -66,7 +66,7 @@ matrix_mx_puppet_discord_sqlite_database_path_in_container: "/data/database.db" matrix_mx_puppet_discord_database_username: matrix_mx_puppet_discord matrix_mx_puppet_discord_database_password: ~ -matrix_mx_puppet_discord_database_hostname: 'matrix-postgres' +matrix_mx_puppet_discord_database_hostname: '' matrix_mx_puppet_discord_database_port: 5432 matrix_mx_puppet_discord_database_name: matrix_mx_puppet_discord 
diff --git a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/validate_config.yml b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/validate_config.yml index e73a868a5..4526198a0 100644 --- a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/validate_config.yml @@ -1,10 +1,11 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mx-puppet-discord settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mx_puppet_discord_appservice_token" - - "matrix_mx_puppet_discord_homeserver_token" + - {'name': 'matrix_mx_puppet_discord_appservice_token', when: true} + - {'name': 'matrix_mx_puppet_discord_homeserver_token', when: true} + - {'name': 'matrix_mx_puppet_discord_database_hostname', when: "{{ matrix_mx_puppet_discord_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bridge-mx-puppet-groupme/defaults/main.yml b/roles/custom/matrix-bridge-mx-puppet-groupme/defaults/main.yml index 59b8c1936..ca9d7668f 100644 --- a/roles/custom/matrix-bridge-mx-puppet-groupme/defaults/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-groupme/defaults/main.yml @@ -62,7 +62,7 @@ matrix_mx_puppet_groupme_sqlite_database_path_in_container: "/data/database.db" matrix_mx_puppet_groupme_database_username: matrix_mx_puppet_groupme matrix_mx_puppet_groupme_database_password: ~ -matrix_mx_puppet_groupme_database_hostname: 'matrix-postgres' +matrix_mx_puppet_groupme_database_hostname: '' matrix_mx_puppet_groupme_database_port: 5432 matrix_mx_puppet_groupme_database_name: matrix_mx_puppet_groupme 
diff --git a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/validate_config.yml b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/validate_config.yml index d091de6dc..60d8fffd2 100644 --- a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/validate_config.yml @@ -1,10 +1,11 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mx-puppet-groupme settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mx_puppet_groupme_appservice_token" - - "matrix_mx_puppet_groupme_homeserver_token" + - {'name': 'matrix_mx_puppet_groupme_appservice_token', when: true} + - {'name': 'matrix_mx_puppet_groupme_homeserver_token', when: true} + - {'name': 'matrix_mx_puppet_groupme_database_hostname', when: "{{ matrix_mx_puppet_groupme_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bridge-mx-puppet-instagram/defaults/main.yml b/roles/custom/matrix-bridge-mx-puppet-instagram/defaults/main.yml index aae6eb5a7..0f6dd4438 100644 --- a/roles/custom/matrix-bridge-mx-puppet-instagram/defaults/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-instagram/defaults/main.yml @@ -56,7 +56,7 @@ matrix_mx_puppet_instagram_sqlite_database_path_in_container: "/data/database.db matrix_mx_puppet_instagram_database_username: matrix_mx_puppet_instagram matrix_mx_puppet_instagram_database_password: ~ -matrix_mx_puppet_instagram_database_hostname: 'matrix-postgres' +matrix_mx_puppet_instagram_database_hostname: '' matrix_mx_puppet_instagram_database_port: 5432 matrix_mx_puppet_instagram_database_name: matrix_mx_puppet_instagram 
diff --git a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/validate_config.yml b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/validate_config.yml index 383fe5021..77be870f9 100644 --- a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/validate_config.yml @@ -1,10 +1,11 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mx-puppet-instagram settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mx_puppet_instagram_appservice_token" - - "matrix_mx_puppet_instagram_homeserver_token" + - {'name': 'matrix_mx_puppet_instagram_appservice_token', when: true} + - {'name': 'matrix_mx_puppet_instagram_homeserver_token', when: true} + - {'name': 'matrix_mx_puppet_instagram_database_hostname', when: "{{ matrix_mx_puppet_instagram_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/defaults/main.yml b/roles/custom/matrix-bridge-mx-puppet-slack/defaults/main.yml index eae0b933b..b428c40bd 100644 --- a/roles/custom/matrix-bridge-mx-puppet-slack/defaults/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-slack/defaults/main.yml @@ -70,7 +70,7 @@ matrix_mx_puppet_slack_sqlite_database_path_in_container: "/data/database.db" matrix_mx_puppet_slack_database_username: matrix_mx_puppet_slack matrix_mx_puppet_slack_database_password: ~ -matrix_mx_puppet_slack_database_hostname: 'matrix-postgres' +matrix_mx_puppet_slack_database_hostname: '' matrix_mx_puppet_slack_database_port: 5432 matrix_mx_puppet_slack_database_name: matrix_mx_puppet_slack 
diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/validate_config.yml b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/validate_config.yml index ea917f97e..f3c9d1ebc 100644 --- a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/validate_config.yml @@ -1,10 +1,11 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mx-puppet-slack settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mx_puppet_slack_appservice_token" - - "matrix_mx_puppet_slack_homeserver_token" + - {'name': 'matrix_mx_puppet_slack_appservice_token', when: true} + - {'name': 'matrix_mx_puppet_slack_homeserver_token', when: true} + - {'name': 'matrix_mx_puppet_slack_database_hostname', when: "{{ matrix_mx_puppet_slack_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bridge-mx-puppet-steam/defaults/main.yml b/roles/custom/matrix-bridge-mx-puppet-steam/defaults/main.yml index 895411624..9efedb13b 100644 --- a/roles/custom/matrix-bridge-mx-puppet-steam/defaults/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-steam/defaults/main.yml @@ -62,7 +62,7 @@ matrix_mx_puppet_steam_sqlite_database_path_in_container: "/data/database.db" matrix_mx_puppet_steam_database_username: matrix_mx_puppet_steam matrix_mx_puppet_steam_database_password: ~ -matrix_mx_puppet_steam_database_hostname: 'matrix-postgres' +matrix_mx_puppet_steam_database_hostname: '' matrix_mx_puppet_steam_database_port: 5432 matrix_mx_puppet_steam_database_name: matrix_mx_puppet_steam diff --git a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/validate_config.yml b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/validate_config.yml index 2e54d6ffa..b25345dc6 100644 
--- a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/validate_config.yml @@ -1,10 +1,11 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mx-puppet-steam settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mx_puppet_steam_appservice_token" - - "matrix_mx_puppet_steam_homeserver_token" + - {'name': 'matrix_mx_puppet_steam_appservice_token', when: true} + - {'name': 'matrix_mx_puppet_steam_homeserver_token', when: true} + - {'name': 'matrix_mx_puppet_steam_database_hostname', when: "{{ matrix_mx_puppet_steam_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bridge-mx-puppet-twitter/defaults/main.yml b/roles/custom/matrix-bridge-mx-puppet-twitter/defaults/main.yml index 73674220f..8e5e82f06 100644 --- a/roles/custom/matrix-bridge-mx-puppet-twitter/defaults/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-twitter/defaults/main.yml @@ -71,7 +71,7 @@ matrix_mx_puppet_twitter_sqlite_database_path_in_container: "/data/database.db" matrix_mx_puppet_twitter_database_username: mx_puppet_twitter matrix_mx_puppet_twitter_database_password: ~ -matrix_mx_puppet_twitter_database_hostname: 'matrix-postgres' +matrix_mx_puppet_twitter_database_hostname: '' matrix_mx_puppet_twitter_database_port: 5432 matrix_mx_puppet_twitter_database_name: matrix_mx_puppet_twitter diff --git a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/validate_config.yml b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/validate_config.yml index b5b7ef5b7..373c1ccb8 100644 --- a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/validate_config.yml 
@@ -1,10 +1,11 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mx-puppet-twitter settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mx_puppet_twitter_appservice_token" - - "matrix_mx_puppet_twitter_homeserver_token" + - {'name': 'matrix_mx_puppet_twitter_appservice_token', when: true} + - {'name': 'matrix_mx_puppet_twitter_homeserver_token', when: true} + - {'name': 'matrix_mx_puppet_twitter_database_hostname', when: "{{ matrix_mx_puppet_twitter_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml index ba84d4300..dac77bc1f 100644 --- a/roles/custom/matrix-dendrite/defaults/main.yml +++ b/roles/custom/matrix-dendrite/defaults/main.yml @@ -138,7 +138,7 @@ matrix_dendrite_metrics_password: "metrics" # Postgres database information matrix_dendrite_database_str: "postgresql://{{ matrix_dendrite_database_user }}:{{ matrix_dendrite_database_password }}@{{ matrix_dendrite_database_hostname }}" -matrix_dendrite_database_hostname: "matrix-postgres" +matrix_dendrite_database_hostname: '' matrix_dendrite_database_user: "dendrite" matrix_dendrite_database_password: "itsasecret" matrix_dendrite_federationapi_database: "dendrite_federationapi" diff --git a/roles/custom/matrix-dendrite/tasks/validate_config.yml b/roles/custom/matrix-dendrite/tasks/validate_config.yml index 7ca31b0d5..9b1466e1e 100644 --- a/roles/custom/matrix-dendrite/tasks/validate_config.yml +++ b/roles/custom/matrix-dendrite/tasks/validate_config.yml 
@@ -5,7 +5,8 @@ You need to define a required configuration setting (`{{ item }}`) for using Dendrite. when: "vars[item] == ''" with_items: - - "matrix_dendrite_client_api_registration_shared_secret" + - matrix_dendrite_client_api_registration_shared_secret + - matrix_dendrite_database_hostname - name: (Deprecation) Catch and report renamed settings ansible.builtin.fail: diff --git a/roles/custom/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/custom/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 index b83f00bc4..4649c3a31 100644 --- a/roles/custom/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 +++ b/roles/custom/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 @@ -16,8 +16,8 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-dendrite 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-dendrite 2>/dev/null || true' -{% if 'matrix-postgres.service' in matrix_dendrite_systemd_required_services_list %} -# Dendrite is too quick to start in relation to its matrix-postgres dependency. +{% if (devture_postgres_identifier + '.service') in matrix_dendrite_systemd_required_services_list %} +# Dendrite is too quick to start in relation to its Postgres dependency. # Delay Dendrite startup to avoid failing with: "failed to connect to accounts db" ("pq: the database system is starting up"). ExecStartPre={{ matrix_host_command_sleep }} 5 {% endif %} From 3d5d843418c2d4b5d481a82c2c9cf1163aaaaead Mon Sep 17 00:00:00 2001 
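Review bot: The new required-settings entry only verifies that `matrix_dendrite_database_hostname` is non-empty, while the role defaults in the preceding hunk still ship `matrix_dendrite_database_password: "itsasecret"`; because the check is `vars[item] == ''`, that placeholder passes validation and is embedded verbatim into `matrix_dendrite_database_str`. The playbook's group_vars derive the password from `matrix_homeserver_generic_secret_key`, so the exposure is presumably limited to the role being used on its own — worth confirming. Consider either changing the default to `''` and adding `matrix_dendrite_database_password` to this list, or adding a second fail task with `when: matrix_dendrite_database_password == 'itsasecret'` that tells the user to set a real password. The fail task this `with_items` belongs to starts above the hunk.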
From: Slavi Pantaleev Date: Sun, 27 Nov 2022 08:31:54 +0200 Subject: [PATCH 089/915] Replace some devture_postgres_identifier instances with devture_postgres_connection_hostname --- group_vars/matrix_servers | 91 ++++++++++--------- .../matrix-postgres-backup/defaults/main.yml | 2 +- roles/custom/matrix-synapse/defaults/main.yml | 2 +- .../compress_room.yml | 2 +- 4 files changed, 49 insertions(+), 48 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 30b6f1d73..7bc13c754 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -963,7 +963,7 @@ matrix_mautrix_twitter_homeserver_token: "{{ '%s' | format(matrix_homeserver_gen matrix_mautrix_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -matrix_mautrix_twitter_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}" +matrix_mautrix_twitter_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_mautrix_twitter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.twt.db', rounds=655555) | to_uuid if devture_postgres_enabled else '' }}" ###################################################################### 
@@ -1188,7 +1188,7 @@ matrix_mx_puppet_slack_login_shared_secret: "{{ matrix_synapse_ext_password_prov # Postgres is the default, except if not using internal Postgres server matrix_mx_puppet_slack_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_slack_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}" +matrix_mx_puppet_slack_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_mx_puppet_slack_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.slack.db', rounds=655555) | to_uuid }}" ###################################################################### @@ -1229,7 +1229,7 @@ matrix_mx_puppet_twitter_container_http_host_bind_port: "{{ '' if matrix_nginx_p # Postgres is the default, except if not using internal Postgres server matrix_mx_puppet_twitter_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_twitter_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}" +matrix_mx_puppet_twitter_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_mx_puppet_twitter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.twitter.db', rounds=655555) | to_uuid }}" ###################################################################### 
@@ -1269,7 +1269,7 @@ matrix_mx_puppet_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_ # Postgres is the default, except if not using internal Postgres server matrix_mx_puppet_instagram_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_instagram_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}" +matrix_mx_puppet_instagram_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_mx_puppet_instagram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.ig.db', rounds=655555) | to_uuid }}" ###################################################################### @@ -1308,7 +1308,7 @@ matrix_mx_puppet_discord_login_shared_secret: "{{ matrix_synapse_ext_password_pr # Postgres is the default, except if not using internal Postgres server matrix_mx_puppet_discord_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_discord_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}" +matrix_mx_puppet_discord_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_mx_puppet_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.dsc.db', rounds=655555) | to_uuid }}" ###################################################################### 
@@ -1347,7 +1347,7 @@ matrix_mx_puppet_steam_login_shared_secret: "{{ matrix_synapse_ext_password_prov # Postgres is the default, except if not using internal Postgres server matrix_mx_puppet_steam_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_steam_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}" +matrix_mx_puppet_steam_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_mx_puppet_steam_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.steam.db', rounds=655555) | to_uuid }}" ###################################################################### @@ -1386,7 +1386,7 @@ matrix_mx_puppet_groupme_login_shared_secret: "{{ matrix_synapse_ext_password_pr # Postgres is the default, except if not using internal Postgres server matrix_mx_puppet_groupme_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_groupme_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}" +matrix_mx_puppet_groupme_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_mx_puppet_groupme_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.groupme.db', rounds=655555) | to_uuid }}" ###################################################################### 
@@ -1417,7 +1417,7 @@ matrix_bot_matrix_reminder_bot_systemd_required_services_list: | # Postgres is the default, except if not using internal Postgres server matrix_bot_matrix_reminder_bot_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" -matrix_bot_matrix_reminder_bot_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}" +matrix_bot_matrix_reminder_bot_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_bot_matrix_reminder_bot_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'reminder.bot.db', rounds=655555) | to_uuid }}" matrix_bot_matrix_reminder_bot_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" @@ -1489,7 +1489,7 @@ matrix_bot_maubot_management_interface_http_bind_port: "{{ '' if matrix_nginx_pr # Postgres is the default, except if not using internal Postgres server matrix_bot_maubot_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" -matrix_bot_maubot_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}" +matrix_bot_maubot_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_bot_maubot_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.dsc.db', rounds=655555) | to_uuid }}" ###################################################################### 
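Review bot: `matrix_bot_maubot_database_password` in this hunk is derived with the salt `'mxpup.dsc.db'`, the same salt `matrix_mx_puppet_discord_database_password` uses in the `@@ -1308` hunk, so both services are provisioned with an identical Postgres password derived from the same generic secret; this looks like a copy-paste leftover and undoes the per-service credential separation that the distinct salts elsewhere in this file provide. Anyone who obtains the maubot database credential thereby also holds the discord bridge's, even though they use separate database users. A unique salt, e.g. `password_hash('sha512', 'maubot.db', rounds=655555)`, fixes new installs but rotates the password on existing deployments, so it needs a changelog note and confirmation that the `devture_postgres_additional_databases` provisioning re-applies the changed password — that cannot be verified from this diff.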
@@ -1521,7 +1521,7 @@ matrix_bot_honoroit_systemd_required_services_list: | # Postgres is the default, except if not using internal Postgres server matrix_bot_honoroit_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" -matrix_bot_honoroit_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}" +matrix_bot_honoroit_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_bot_honoroit_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'honoroit.bot.db', rounds=655555) | to_uuid }}" matrix_bot_honoroit_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" @@ -1849,7 +1849,7 @@ matrix_etherpad_systemd_required_services_list: | ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) }} -matrix_etherpad_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}" +matrix_etherpad_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_etherpad_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'etherpad.db', rounds=655555) | to_uuid }}" @@ -2262,7 +2262,7 @@ devture_postgres_additional_databases: | 'name': matrix_synapse_database_database, 'username': matrix_synapse_database_user, 'password': matrix_synapse_database_password, - }] if (matrix_synapse_enabled and matrix_synapse_database_host == devture_postgres_identifier) else []) + }] if (matrix_synapse_enabled and matrix_synapse_database_host == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_dendrite_federationapi_database, 
@@ -2296,193 +2296,193 @@ devture_postgres_additional_databases: | 'name': matrix_dendrite_mscs_database, 'username': matrix_dendrite_database_user, 'password': matrix_dendrite_database_password, - }] if (matrix_dendrite_enabled and matrix_dendrite_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_dendrite_enabled and matrix_dendrite_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_ma1sd_database_name, 'username': matrix_ma1sd_database_username, 'password': matrix_ma1sd_database_password, - }] if (matrix_ma1sd_enabled and matrix_ma1sd_database_engine == 'postgres' and matrix_ma1sd_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_ma1sd_enabled and matrix_ma1sd_database_engine == 'postgres' and matrix_ma1sd_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_bot_matrix_reminder_bot_database_name, 'username': matrix_bot_matrix_reminder_bot_database_username, 'password': matrix_bot_matrix_reminder_bot_database_password, - }] if (matrix_bot_matrix_reminder_bot_enabled and matrix_bot_matrix_reminder_bot_database_engine == 'postgres' and matrix_bot_matrix_reminder_bot_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_bot_matrix_reminder_bot_enabled and matrix_bot_matrix_reminder_bot_database_engine == 'postgres' and matrix_bot_matrix_reminder_bot_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_bot_honoroit_database_name, 'username': matrix_bot_honoroit_database_username, 'password': matrix_bot_honoroit_database_password, - }] if (matrix_bot_honoroit_enabled and matrix_bot_honoroit_database_engine == 'postgres' and matrix_bot_honoroit_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_bot_honoroit_enabled and matrix_bot_honoroit_database_engine == 'postgres' and matrix_bot_honoroit_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 
'name': matrix_bot_postmoogle_database_name, 'username': matrix_bot_postmoogle_database_username, 'password': matrix_bot_postmoogle_database_password, - }] if (matrix_bot_postmoogle_enabled and matrix_bot_postmoogle_database_engine == 'postgres' and matrix_bot_postmoogle_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_bot_postmoogle_enabled and matrix_bot_postmoogle_database_engine == 'postgres' and matrix_bot_postmoogle_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_bot_maubot_database_name, 'username': matrix_bot_maubot_database_username, 'password': matrix_bot_maubot_database_password, - }] if (matrix_bot_maubot_enabled and matrix_bot_maubot_database_engine == 'postgres' and matrix_bot_maubot_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_bot_maubot_enabled and matrix_bot_maubot_database_engine == 'postgres' and matrix_bot_maubot_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_bot_buscarron_database_name, 'username': matrix_bot_buscarron_database_username, 'password': matrix_bot_buscarron_database_password, - }] if (matrix_bot_buscarron_enabled and matrix_bot_buscarron_database_engine == 'postgres' and matrix_bot_buscarron_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_bot_buscarron_enabled and matrix_bot_buscarron_database_engine == 'postgres' and matrix_bot_buscarron_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_registration_database_name, 'username': matrix_registration_database_username, 'password': matrix_registration_database_password, - }] if (matrix_registration_enabled and matrix_registration_database_engine == 'postgres' and matrix_registration_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_registration_enabled and matrix_registration_database_engine == 'postgres' and matrix_registration_database_hostname == 
devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_appservice_discord_database_name, 'username': matrix_appservice_discord_database_username, 'password': matrix_appservice_discord_database_password, - }] if (matrix_appservice_discord_enabled and matrix_appservice_discord_database_engine == 'postgres' and matrix_appservice_discord_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_appservice_discord_enabled and matrix_appservice_discord_database_engine == 'postgres' and matrix_appservice_discord_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_appservice_slack_database_name, 'username': matrix_appservice_slack_database_username, 'password': matrix_appservice_slack_database_password, - }] if (matrix_appservice_slack_enabled and matrix_appservice_slack_database_engine == 'postgres' and matrix_appservice_slack_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_appservice_slack_enabled and matrix_appservice_slack_database_engine == 'postgres' and matrix_appservice_slack_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_appservice_irc_database_name, 'username': matrix_appservice_irc_database_username, 'password': matrix_appservice_irc_database_password, - }] if (matrix_appservice_irc_enabled and matrix_appservice_irc_database_engine == 'postgres' and matrix_appservice_irc_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_appservice_irc_enabled and matrix_appservice_irc_database_engine == 'postgres' and matrix_appservice_irc_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_appservice_kakaotalk_database_name, 'username': matrix_appservice_kakaotalk_database_username, 'password': matrix_appservice_kakaotalk_database_password, - }] if (matrix_appservice_kakaotalk_enabled and matrix_appservice_kakaotalk_database_engine == 'postgres' and 
matrix_appservice_kakaotalk_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_appservice_kakaotalk_enabled and matrix_appservice_kakaotalk_database_engine == 'postgres' and matrix_appservice_kakaotalk_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_beeper_linkedin_database_name, 'username': matrix_beeper_linkedin_database_username, 'password': matrix_beeper_linkedin_database_password, - }] if (matrix_beeper_linkedin_enabled and matrix_beeper_linkedin_database_engine == 'postgres' and matrix_beeper_linkedin_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_beeper_linkedin_enabled and matrix_beeper_linkedin_database_engine == 'postgres' and matrix_beeper_linkedin_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_go_skype_bridge_database_name, 'username': matrix_go_skype_bridge_database_username, 'password': matrix_go_skype_bridge_database_password, - }] if (matrix_go_skype_bridge_enabled and matrix_go_skype_bridge_database_engine == 'postgres' and matrix_go_skype_bridge_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_go_skype_bridge_enabled and matrix_go_skype_bridge_database_engine == 'postgres' and matrix_go_skype_bridge_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_mautrix_facebook_database_name, 'username': matrix_mautrix_facebook_database_username, 'password': matrix_mautrix_facebook_database_password, - }] if (matrix_mautrix_facebook_enabled and matrix_mautrix_facebook_database_engine == 'postgres' and matrix_mautrix_facebook_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_mautrix_facebook_enabled and matrix_mautrix_facebook_database_engine == 'postgres' and matrix_mautrix_facebook_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_mautrix_hangouts_database_name, 'username': 
matrix_mautrix_hangouts_database_username, 'password': matrix_mautrix_hangouts_database_password, - }] if (matrix_mautrix_hangouts_enabled and matrix_mautrix_hangouts_database_engine == 'postgres' and matrix_mautrix_hangouts_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_mautrix_hangouts_enabled and matrix_mautrix_hangouts_database_engine == 'postgres' and matrix_mautrix_hangouts_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_mautrix_googlechat_database_name, 'username': matrix_mautrix_googlechat_database_username, 'password': matrix_mautrix_googlechat_database_password, - }] if (matrix_mautrix_googlechat_enabled and matrix_mautrix_googlechat_database_engine == 'postgres' and matrix_mautrix_googlechat_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_mautrix_googlechat_enabled and matrix_mautrix_googlechat_database_engine == 'postgres' and matrix_mautrix_googlechat_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_mautrix_instagram_database_name, 'username': matrix_mautrix_instagram_database_username, 'password': matrix_mautrix_instagram_database_password, - }] if (matrix_mautrix_instagram_enabled and matrix_mautrix_instagram_database_engine == 'postgres' and matrix_mautrix_instagram_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_mautrix_instagram_enabled and matrix_mautrix_instagram_database_engine == 'postgres' and matrix_mautrix_instagram_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_mautrix_signal_database_name, 'username': matrix_mautrix_signal_database_username, 'password': matrix_mautrix_signal_database_password, - }] if (matrix_mautrix_signal_enabled and matrix_mautrix_signal_database_engine == 'postgres' and matrix_mautrix_signal_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_mautrix_signal_enabled and 
matrix_mautrix_signal_database_engine == 'postgres' and matrix_mautrix_signal_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_mautrix_telegram_database_name, 'username': matrix_mautrix_telegram_database_username, 'password': matrix_mautrix_telegram_database_password, - }] if (matrix_mautrix_telegram_enabled and matrix_mautrix_telegram_database_engine == 'postgres' and matrix_mautrix_telegram_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_mautrix_telegram_enabled and matrix_mautrix_telegram_database_engine == 'postgres' and matrix_mautrix_telegram_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_mautrix_twitter_database_name, 'username': matrix_mautrix_twitter_database_username, 'password': matrix_mautrix_twitter_database_password, - }] if (matrix_mautrix_twitter_enabled and matrix_mautrix_twitter_database_engine == 'postgres' and matrix_mautrix_twitter_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_mautrix_twitter_enabled and matrix_mautrix_twitter_database_engine == 'postgres' and matrix_mautrix_twitter_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_mautrix_whatsapp_database_name, 'username': matrix_mautrix_whatsapp_database_username, 'password': matrix_mautrix_whatsapp_database_password, - }] if (matrix_mautrix_whatsapp_enabled and matrix_mautrix_whatsapp_database_engine == 'postgres' and matrix_mautrix_whatsapp_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_mautrix_whatsapp_enabled and matrix_mautrix_whatsapp_database_engine == 'postgres' and matrix_mautrix_whatsapp_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_mautrix_discord_database_name, 'username': matrix_mautrix_discord_database_username, 'password': matrix_mautrix_discord_database_password, - }] if (matrix_mautrix_discord_enabled and 
matrix_mautrix_discord_database_engine == 'postgres' and matrix_mautrix_discord_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_mautrix_discord_enabled and matrix_mautrix_discord_database_engine == 'postgres' and matrix_mautrix_discord_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_mx_puppet_slack_database_name, 'username': matrix_mx_puppet_slack_database_username, 'password': matrix_mx_puppet_slack_database_password, - }] if (matrix_mx_puppet_slack_enabled and matrix_mx_puppet_slack_database_engine == 'postgres' and matrix_mx_puppet_slack_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_mx_puppet_slack_enabled and matrix_mx_puppet_slack_database_engine == 'postgres' and matrix_mx_puppet_slack_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_mx_puppet_twitter_database_name, 'username': matrix_mx_puppet_twitter_database_username, 'password': matrix_mx_puppet_twitter_database_password, - }] if (matrix_mx_puppet_twitter_enabled and matrix_mx_puppet_twitter_database_engine == 'postgres' and matrix_mx_puppet_twitter_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_mx_puppet_twitter_enabled and matrix_mx_puppet_twitter_database_engine == 'postgres' and matrix_mx_puppet_twitter_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_mx_puppet_instagram_database_name, 'username': matrix_mx_puppet_instagram_database_username, 'password': matrix_mx_puppet_instagram_database_password, - }] if (matrix_mx_puppet_instagram_enabled and matrix_mx_puppet_instagram_database_engine == 'postgres' and matrix_mx_puppet_instagram_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_mx_puppet_instagram_enabled and matrix_mx_puppet_instagram_database_engine == 'postgres' and matrix_mx_puppet_instagram_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 
'name': matrix_mx_puppet_discord_database_name, 'username': matrix_mx_puppet_discord_database_username, 'password': matrix_mx_puppet_discord_database_password, - }] if (matrix_mx_puppet_discord_enabled and matrix_mx_puppet_discord_database_engine == 'postgres' and matrix_mx_puppet_discord_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_mx_puppet_discord_enabled and matrix_mx_puppet_discord_database_engine == 'postgres' and matrix_mx_puppet_discord_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_mx_puppet_steam_database_name, 'username': matrix_mx_puppet_steam_database_username, 'password': matrix_mx_puppet_steam_database_password, - }] if (matrix_mx_puppet_steam_enabled and matrix_mx_puppet_steam_database_engine == 'postgres' and matrix_mx_puppet_steam_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_mx_puppet_steam_enabled and matrix_mx_puppet_steam_database_engine == 'postgres' and matrix_mx_puppet_steam_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_mx_puppet_groupme_database_name, 'username': matrix_mx_puppet_groupme_database_username, 'password': matrix_mx_puppet_groupme_database_password, - }] if (matrix_mx_puppet_groupme_enabled and matrix_mx_puppet_groupme_database_engine == 'postgres' and matrix_mx_puppet_groupme_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_mx_puppet_groupme_enabled and matrix_mx_puppet_groupme_database_engine == 'postgres' and matrix_mx_puppet_groupme_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_dimension_database_name, 'username': matrix_dimension_database_username, 'password': matrix_dimension_database_password, - }] if (matrix_dimension_enabled and matrix_dimension_database_engine == 'postgres' and matrix_dimension_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_dimension_enabled and 
matrix_dimension_database_engine == 'postgres' and matrix_dimension_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_etherpad_database_name, 'username': matrix_etherpad_database_username, 'password': matrix_etherpad_database_password, - }] if (matrix_etherpad_enabled and matrix_etherpad_database_engine == 'postgres' and matrix_etherpad_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_etherpad_enabled and matrix_etherpad_database_engine == 'postgres' and matrix_etherpad_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_prometheus_postgres_exporter_database_name, 'username': matrix_prometheus_postgres_exporter_database_username, 'password': matrix_prometheus_postgres_exporter_database_password, - }] if (matrix_prometheus_postgres_exporter_enabled and matrix_prometheus_postgres_exporter_database_hostname == devture_postgres_identifier) else []) + }] if (matrix_prometheus_postgres_exporter_enabled and matrix_prometheus_postgres_exporter_database_hostname == devture_postgres_connection_hostname) else []) }} @@ -2662,6 +2662,7 @@ matrix_synapse_container_manhole_api_host_bind_port: "{{ '127.0.0.1:9000' if mat # For exposing the Synapse worker (and metrics) ports to the local host. matrix_synapse_workers_container_host_bind_address: "{{ '127.0.0.1' if (matrix_synapse_workers_enabled and not matrix_nginx_proxy_enabled) else '' }}" +matrix_synapse_database_host: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_synapse_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'synapse.db', rounds=655555) | to_uuid }}" matrix_synapse_macaroon_secret_key: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'synapse.mac', rounds=655555) | to_uuid }}" 
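Review bot: `matrix_synapse_database_host` now resolves to the empty string whenever `devture_postgres_enabled` is false, and the synapse role default in the hunk that follows (roles/custom/matrix-synapse/defaults/main.yml) changes from `"matrix-postgres"` to `''` as well, so an external-Postgres deployment that does not set the host explicitly no longer gets a visibly wrong container name but an empty host that only surfaces when Synapse tries to connect. No guard for the new empty default is visible in this diff; a fail-fast assertion in the synapse role's configuration validation, e.g. `- name: Fail if matrix_synapse_database_host is empty` / `ansible.builtin.fail:` / `when: matrix_synapse_enabled and matrix_synapse_database_host == ''`, would report the misconfiguration at playbook time instead. The same consideration applies to `matrix_postgres_backup_connection_hostname: ''` in the matrix-postgres-backup defaults hunk that follows.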
@@ -2993,7 +2994,7 @@ matrix_dendrite_sync_api_real_ip_header: "{{ 'X-Forwarded-For' if matrix_nginx_p
 matrix_dendrite_client_api_registration_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.rss', rounds=655555) | to_uuid }}"
-matrix_dendrite_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}"
+matrix_dendrite_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
 matrix_dendrite_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.db', rounds=655555) | to_uuid }}"
diff --git a/roles/custom/matrix-postgres-backup/defaults/main.yml b/roles/custom/matrix-postgres-backup/defaults/main.yml
index abdfa74c5..8e45a8e25 100644
--- a/roles/custom/matrix-postgres-backup/defaults/main.yml
+++ b/roles/custom/matrix-postgres-backup/defaults/main.yml
@@ -3,7 +3,7 @@ matrix_postgres_backup_enabled: false
-matrix_postgres_backup_connection_hostname: "matrix-postgres"
+matrix_postgres_backup_connection_hostname: ''
 matrix_postgres_backup_connection_port: 5432
 matrix_postgres_backup_connection_username: "matrix"
 matrix_postgres_backup_connection_password: ""
diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml
index f52f414b0..9a93a437e 100644
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -681,7 +681,7 @@ matrix_synapse_sentry_dsn: ""
 # Postgres database information
 matrix_synapse_database_txn_limit: 0
-matrix_synapse_database_host: "matrix-postgres"
+matrix_synapse_database_host: ''
 matrix_synapse_database_port: 5432
 matrix_synapse_database_user: "synapse"
 matrix_synapse_database_password: ""
diff --git a/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml b/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml index dba057751..4eafad1fb 100644 --- a/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml +++ b/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml @@ -39,7 +39,7 @@ --entrypoint=/bin/sh {{ devture_postgres_container_image_latest }} -c "cat /work/state-compressor.sql | - psql -v ON_ERROR_STOP=1 -h {{ devture_postgres_identifier }} -d {{ matrix_synapse_database_database }}" + psql -v ON_ERROR_STOP=1 -h {{ devture_postgres_connection_hostname }} -d {{ matrix_synapse_database_database }}" - name: Import compression SQL into Postgres ansible.builtin.command: "{{ matrix_synapse_rust_synapse_compress_state_psql_import_command }}" From 7b43ef34b776be1704e19c010292db6470de0940 Mon Sep 17 00:00:00 2001 
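Review bot: The psql invocation now interpolates `devture_postgres_connection_hostname` unquoted into a string that is handed to `/bin/sh -c`, so an empty value (the direction the defaults in this commit move towards) turns `-h  -d …` into psql reading `-d` as the host name and the database name as a positional argument, and a value containing shell metacharacters would be interpreted by the inner shell. Quoting the interpolation, `-h {{ devture_postgres_connection_hostname | quote }}`, keeps the argument intact for that shell, and an assertion that the variable is non-empty before this task would make the failure explicit rather than a confusing psql error. The enclosing task definition starts outside the hunk.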
From: Slavi Pantaleev Date: Sun, 27 Nov 2022 09:16:18 +0200 Subject: [PATCH 090/915] Remove more hardcoded matrix-postgres references --- docs/importing-postgres.md | 4 +- docs/maintenance-postgres.md | 2 +- docs/updating-users-passwords.md | 2 +- group_vars/matrix_servers | 159 ++++++++++-------- .../matrix-backup-borg/defaults/main.yml | 2 +- .../tasks/validate_config.yml | 11 +- .../matrix-bot-buscarron/defaults/main.yml | 2 +- .../tasks/validate_config.yml | 9 +- .../matrix-bot-postmoogle/defaults/main.yml | 2 +- .../tasks/validate_config.yml | 9 +- .../defaults/main.yml | 2 +- .../tasks/validate_config.yml | 17 +- .../defaults/main.yml | 4 +- .../tasks/validate_config.yml | 9 +- .../defaults/main.yml | 2 +- .../tasks/validate_config.yml | 11 +- .../defaults/main.yml | 4 +- .../tasks/validate_config.yml | 17 +- .../defaults/main.yml | 4 +- .../tasks/validate_config.yml | 11 +- .../defaults/main.yml | 2 +- .../tasks/validate_config.yml | 11 +- .../defaults/main.yml | 2 +- .../tasks/validate_config.yml | 11 +- .../defaults/main.yml | 2 +- .../tasks/validate_config.yml | 13 +- .../defaults/main.yml | 2 +- .../tasks/validate_config.yml | 16 +- .../defaults/main.yml | 2 +- .../tasks/validate_config.yml | 16 +- .../defaults/main.yml | 2 +- .../tasks/validate_config.yml | 11 +- .../defaults/main.yml | 2 +- .../tasks/validate_config.yml | 15 +- .../defaults/main.yml | 2 +- .../tasks/validate_config.yml | 17 +- .../defaults/main.yml | 2 +- .../tasks/validate_config.yml | 11 +- .../defaults/main.yml | 2 +- .../tasks/validate_config.yml | 12 +- .../custom/matrix-dimension/defaults/main.yml | 2 +- .../tasks/validate_config.yml | 10 +- .../custom/matrix-etherpad/defaults/main.yml | 2 +- .../matrix-etherpad/tasks/validate_config.yml | 10 +- roles/custom/matrix-ma1sd/defaults/main.yml | 2 +- .../matrix-ma1sd/tasks/validate_config.yml | 9 +- .../tasks/validate_config.yml | 2 +- .../defaults/main.yml | 2 +- .../tasks/main.yml | 3 + .../tasks/validate_config.yml | 9 + 
 .../matrix-registration/defaults/main.yml | 2 +-
 .../tasks/validate_config.yml | 11 +-
 52 files changed, 275 insertions(+), 225 deletions(-)
 create mode 100644 roles/custom/matrix-prometheus-postgres-exporter/tasks/validate_config.yml

diff --git a/docs/importing-postgres.md b/docs/importing-postgres.md
index fe3817f53..a44afdcfb 100644
--- a/docs/importing-postgres.md
+++ b/docs/importing-postgres.md
@@ -97,9 +97,9 @@ Once the database is clear and the ownership of the tables has been fixed in the
 Check, if `--dbname` is set to `synapse` (not `matrix`) and replace paths (or even better, copy this line from your terminal)
 ```
-/usr/bin/env docker run --rm --name matrix-postgres-import --log-driver=none --user=998:1001 --cap-drop=ALL --network=matrix --env-file=/matrix/postgres/env-postgres-psql --mount type=bind,src=/migration/synapse_dump.sql,dst=/synapse_dump.sql,ro --entrypoint=/bin/sh docker.io/postgres:14.1-alpine -c "cat /synapse_dump.sql | grep -vE '^(CREATE|ALTER) ROLE (matrix)(;| WITH)' | grep -vE '^CREATE DATABASE (matrix)\s' | psql -v ON_ERROR_STOP=1 -h matrix-postgres --dbname=synapse"
+/usr/bin/env docker run --rm --name matrix-postgres-import --log-driver=none --user=998:1001 --cap-drop=ALL --network=matrix --env-file=/matrix/postgres/env-postgres-psql --mount type=bind,src=/migration/synapse_dump.sql,dst=/synapse_dump.sql,ro --entrypoint=/bin/sh docker.io/postgres:15.0-alpine -c "cat /synapse_dump.sql | grep -vE '^(CREATE|ALTER) ROLE (matrix)(;| WITH)' | grep -vE '^CREATE DATABASE (matrix)\s' | psql -v ON_ERROR_STOP=1 -h matrix-postgres --dbname=synapse"
 ```
 ### Hints
-To open psql terminal run `/usr/local/bin/matrix-postgres-cli`
+To open psql terminal run `/matrix/postgres/bin/cli`
diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md
index 1b8487031..cf7f5eeb5 100644
--- a/docs/maintenance-postgres.md
+++ b/docs/maintenance-postgres.md
@@ -16,7 +16,7 @@ Table of contents:
 ## Getting a database terminal
-You can use the `/usr/local/bin/matrix-postgres-cli` tool to get interactive terminal access ([psql](https://www.postgresql.org/docs/11/app-psql.html)) to the PostgreSQL server.
+You can use the `/matrix/postgres/bin/cli` tool to get interactive terminal access ([psql](https://www.postgresql.org/docs/11/app-psql.html)) to the PostgreSQL server.
 If you are using an [external Postgres server](configuring-playbook-external-postgres.md), the above tool will not be available.
diff --git a/docs/updating-users-passwords.md b/docs/updating-users-passwords.md
index 2ea20d2f6..30aa8c99a 100644
--- a/docs/updating-users-passwords.md
+++ b/docs/updating-users-passwords.md
@@ -1,6 +1,6 @@
 # Updating users passwords
-## Option 1 (if you are using the default matrix-postgres container):
+## Option 1 (if you are using the integrated Postgres database):
 You can reset a user's password via the Ansible playbook (make sure to edit the `` and `` part below):
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 7bc13c754..a2c245141 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -429,6 +429,7 @@ matrix_appservice_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_
 # We only make this use Postgres if our own Postgres server is enabled.
 # It's only then (for now) that we can automatically create the necessary database and user for this service.
 matrix_appservice_discord_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}"
+matrix_appservice_discord_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
 matrix_appservice_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.discord.db', rounds=655555) | to_uuid }}"
 ######################################################################
@@ -511,6 +512,7 @@ matrix_appservice_slack_systemd_required_services_list: |
 # Postgres is the default, except if not using internal Postgres server
 matrix_appservice_slack_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'nedb' }}"
+matrix_appservice_slack_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
 matrix_appservice_slack_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.slack.db', rounds=655555) | to_uuid }}"
 ######################################################################
@@ -553,6 +555,7 @@ matrix_appservice_irc_appservice_token: "{{ '%s' | format(matrix_homeserver_gene
 matrix_appservice_irc_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'irc.hs.token', rounds=655555) | to_uuid }}"
 matrix_appservice_irc_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'nedb' }}"
+matrix_appservice_irc_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
 matrix_appservice_irc_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.irc.db', rounds=655555) | to_uuid }}"
@@ -591,6 +594,7 @@ matrix_appservice_kakaotalk_homeserver_token: "{{ '%s' | format(matrix_homeserve
 matrix_appservice_kakaotalk_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
 matrix_appservice_kakaotalk_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}"
+matrix_appservice_kakaotalk_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
 matrix_appservice_kakaotalk_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.kakao.db', rounds=655555) | to_uuid }}"
 ######################################################################
@@ -630,6 +634,7 @@ matrix_beeper_linkedin_login_shared_secret: "{{ matrix_synapse_ext_password_prov
 matrix_beeper_linkedin_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}"
+matrix_beeper_linkedin_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
 matrix_beeper_linkedin_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maulinkedin.db', rounds=655555) | to_uuid }}"
 ######################################################################
@@ -668,6 +673,7 @@ matrix_go_skype_bridge_login_shared_secret: "{{ matrix_synapse_ext_password_prov
 # Postgres is the default, except if not using internal Postgres server
 matrix_go_skype_bridge_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}"
+matrix_go_skype_bridge_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
 matrix_go_skype_bridge_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'goskype.db', rounds=655555) | to_uuid }}"
 ######################################################################
@@ -676,6 +682,51 @@ matrix_go_skype_bridge_database_password: "{{ '%s' | format(matrix_homeserver_ge # ###################################################################### + +###################################################################### +# +# matrix-bridge-mautrix-discord +# +###################################################################### + +# We don't enable bridges by default. +matrix_mautrix_discord_enabled: false + +matrix_mautrix_discord_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" + +matrix_mautrix_discord_systemd_required_services_list: | + {{ + ['docker.service'] + + + ['matrix-' + matrix_homeserver_implementation + '.service'] + + + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + }} + +matrix_mautrix_discord_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudisc.as.tok', rounds=655555) | to_uuid }}" + +matrix_mautrix_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudisc.hs.tok', rounds=655555) | to_uuid }}" + +matrix_mautrix_discord_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" + +# Postgres is the default, except if not using internal Postgres server +matrix_mautrix_discord_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_mautrix_discord_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_mautrix_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudiscord.db', rounds=655555) | to_uuid }}" + +# Enabling bridge.restricted_rooms for this bridge does not work well with Conduit, so we disable it by 
default. +# This will be fixed in the upcoming `0.5.0` release of conduit. +matrix_mautrix_discord_bridge_restricted_rooms: "{{ false if matrix_homeserver_implementation == 'conduit' else true }}" + +###################################################################### +# +# /matrix-bridge-mautrix-discord +# +###################################################################### + + ###################################################################### # # matrix-bridge-mautrix-facebook @@ -713,6 +764,7 @@ matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_presence_enabled if # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. matrix_mautrix_facebook_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_mautrix_facebook_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_mautrix_facebook_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.fb.db', rounds=655555) | to_uuid }}" ###################################################################### @@ -724,16 +776,16 @@ matrix_mautrix_facebook_database_password: "{{ '%s' | format(matrix_homeserver_g ###################################################################### # -# matrix-bridge-mautrix-hangouts +# matrix-bridge-mautrix-googlechat # ###################################################################### # We don't enable bridges by default. -matrix_mautrix_hangouts_enabled: false +matrix_mautrix_googlechat_enabled: false -matrix_mautrix_hangouts_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" +matrix_mautrix_googlechat_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" -matrix_mautrix_hangouts_systemd_required_services_list: | +matrix_mautrix_googlechat_systemd_required_services_list: | {{ ['docker.service'] + 
@@ -744,37 +796,38 @@ matrix_mautrix_hangouts_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_hangouts_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ho.as.token', rounds=655555) | to_uuid }}" +matrix_mautrix_googlechat_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gc.as.token', rounds=655555) | to_uuid }}" -matrix_mautrix_hangouts_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ho.hs.token', rounds=655555) | to_uuid }}" +matrix_mautrix_googlechat_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gc.hs.token', rounds=655555) | to_uuid }}" -matrix_mautrix_hangouts_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" +matrix_mautrix_googlechat_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" -matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" +matrix_mautrix_googlechat_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using internal Postgres server -matrix_mautrix_hangouts_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" -matrix_mautrix_hangouts_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.hangouts.db', rounds=655555) | to_uuid }}" +matrix_mautrix_googlechat_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_mautrix_googlechat_database_hostname: "{{ 
devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_mautrix_googlechat_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.gc.db', rounds=655555) | to_uuid }}" ###################################################################### # -# /matrix-bridge-mautrix-hangouts +# /matrix-bridge-mautrix-googlechat # ###################################################################### ###################################################################### # -# matrix-bridge-mautrix-googlechat +# matrix-bridge-mautrix-hangouts # ###################################################################### # We don't enable bridges by default. -matrix_mautrix_googlechat_enabled: false +matrix_mautrix_hangouts_enabled: false -matrix_mautrix_googlechat_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" +matrix_mautrix_hangouts_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" -matrix_mautrix_googlechat_systemd_required_services_list: | +matrix_mautrix_hangouts_systemd_required_services_list: | {{ ['docker.service'] + 
@@ -785,21 +838,22 @@ matrix_mautrix_googlechat_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_googlechat_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gc.as.token', rounds=655555) | to_uuid }}" +matrix_mautrix_hangouts_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ho.as.token', rounds=655555) | to_uuid }}" -matrix_mautrix_googlechat_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gc.hs.token', rounds=655555) | to_uuid }}" +matrix_mautrix_hangouts_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ho.hs.token', rounds=655555) | to_uuid }}" -matrix_mautrix_googlechat_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" +matrix_mautrix_hangouts_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" -matrix_mautrix_googlechat_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" +matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using internal Postgres server -matrix_mautrix_googlechat_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" -matrix_mautrix_googlechat_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.gc.db', rounds=655555) | to_uuid }}" +matrix_mautrix_hangouts_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_mautrix_hangouts_database_hostname: "{{ 
devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_mautrix_hangouts_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.hangouts.db', rounds=655555) | to_uuid }}" ###################################################################### # -# /matrix-bridge-mautrix-googlechat +# /matrix-bridge-mautrix-hangouts # ###################################################################### @@ -837,6 +891,7 @@ matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_presence_enabled if # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. matrix_mautrix_instagram_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_mautrix_instagram_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_mautrix_instagram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.ig.db', rounds=655555) | to_uuid }}" ###################################################################### @@ -879,6 +934,7 @@ matrix_mautrix_signal_appservice_token: "{{ '%s' | format(matrix_homeserver_gene matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" matrix_mautrix_signal_database_engine: 'postgres' +matrix_mautrix_signal_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_mautrix_signal_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.signal.db', rounds=655555) | to_uuid }}" matrix_mautrix_signal_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" 
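Review bot: The relocated `matrix_mautrix_hangouts_container_http_host_bind_port` still falls back to `127.0.0.1:9007`, which is the same port the googlechat section directly above it uses, so enabling both bridges with `matrix_nginx_proxy_enabled` off would appear to bind two containers to one host port. This is moved rather than new code, but the commit reorders exactly these two sections, so it is the natural place to address it. Either give hangouts a port not used elsewhere in this file (which I cannot verify from this hunk) or add `# NOTE: must differ from matrix_mautrix_googlechat_container_http_host_bind_port` above the line so the next edit does not keep the clash.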
@@ -927,6 +983,7 @@ matrix_mautrix_telegram_login_shared_secret: "{{ matrix_synapse_ext_password_pro # Postgres is the default, except if not using internal Postgres server matrix_mautrix_telegram_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_mautrix_telegram_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_mautrix_telegram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.telegram.db', rounds=655555) | to_uuid }}" ###################################################################### @@ -1002,6 +1059,7 @@ matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_pro # Postgres is the default, except if not using internal Postgres server matrix_mautrix_whatsapp_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_mautrix_whatsapp_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_mautrix_whatsapp_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mauwhatsapp.db', rounds=655555) | to_uuid }}" ###################################################################### 
@@ -1010,48 +1068,6 @@ matrix_mautrix_whatsapp_database_password: "{{ '%s' | format(matrix_homeserver_g # ###################################################################### -###################################################################### -# -# matrix-bridge-mautrix-discord -# -###################################################################### - -# We don't enable bridges by default. -matrix_mautrix_discord_enabled: false - -matrix_mautrix_discord_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" - -matrix_mautrix_discord_systemd_required_services_list: | - {{ - ['docker.service'] - + - ['matrix-' + matrix_homeserver_implementation + '.service'] - + - ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) - + - (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) - }} - -matrix_mautrix_discord_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudisc.as.tok', rounds=655555) | to_uuid }}" - -matrix_mautrix_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudisc.hs.tok', rounds=655555) | to_uuid }}" - -matrix_mautrix_discord_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" - -# Postgres is the default, except if not using internal Postgres server -matrix_mautrix_discord_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" -matrix_mautrix_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudiscord.db', rounds=655555) | to_uuid }}" - -# Enabling bridge.restricted_rooms for this bridge does not work well with Conduit, so we disable it by default. -# This will be fixed in the upcoming `0.5.0` release of conduit. 
-matrix_mautrix_discord_bridge_restricted_rooms: "{{ false if matrix_homeserver_implementation == 'conduit' else true }}" - -###################################################################### -# -# /matrix-bridge-mautrix-discord -# -###################################################################### - ###################################################################### # # matrix-sms-bridge @@ -1540,6 +1556,8 @@ matrix_bot_honoroit_container_image_self_build: "{{ matrix_architecture not in [ # We don't enable bots by default. matrix_bot_buscarron_enabled: false +matrix_bot_buscarron_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" + matrix_bot_buscarron_systemd_required_services_list: | {{ ['docker.service'] @@ -1553,8 +1571,8 @@ matrix_bot_buscarron_systemd_required_services_list: | # Postgres is the default, except if not using internal Postgres server matrix_bot_buscarron_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_bot_buscarron_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_bot_buscarron_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'buscarron.bot.db', rounds=655555) | to_uuid }}" -matrix_bot_buscarron_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" ###################################################################### # 
@@ -1570,6 +1588,9 @@ matrix_bot_buscarron_container_image_self_build: "{{ matrix_architecture not in # We don't enable bots by default. matrix_bot_postmoogle_enabled: false + +matrix_bot_postmoogle_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" + matrix_bot_postmoogle_ssl_path: "{{ matrix_ssl_config_dir_path }}" matrix_bot_postmoogle_tls_cert: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/live/{{ domain }}/fullchain.pem {% endfor %}" matrix_bot_postmoogle_tls_key: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/live/{{ domain }}/privkey.pem {% endfor %}" @@ -1585,10 +1606,9 @@ matrix_bot_postmoogle_systemd_required_services_list: | # Postgres is the default, except if not using internal Postgres server matrix_bot_postmoogle_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_bot_postmoogle_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_bot_postmoogle_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'postmoogle.db', rounds=655555) | to_uuid }}" -matrix_bot_postmoogle_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" - ###################################################################### # # /matrix-bot-postmoogle @@ -1822,6 +1842,7 @@ matrix_dimension_systemd_required_services_list: | # Postgres is the default, except if not using internal Postgres server matrix_dimension_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_dimension_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_dimension_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dimension.db', rounds=655555) | to_uuid }}" ###################################################################### 
@@ -1850,7 +1871,6 @@ matrix_etherpad_systemd_required_services_list: | }} matrix_etherpad_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" - matrix_etherpad_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'etherpad.db', rounds=655555) | to_uuid }}" ###################################################################### @@ -2028,6 +2048,7 @@ matrix_ma1sd_systemd_wanted_services_list: | # Postgres is the default, except if not using internal Postgres server matrix_ma1sd_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_ma1sd_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_ma1sd_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ma1sd.db', rounds=655555) | to_uuid }}" ###################################################################### @@ -2845,6 +2866,7 @@ matrix_prometheus_scraper_hookshot_targets: "{{ [matrix_hookshot_container_url | ###################################################################### matrix_prometheus_postgres_exporter_enabled: false +matrix_prometheus_postgres_exporter_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_prometheus_postgres_exporter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'prometheus.pg.db', rounds=655555) | to_uuid }}" matrix_prometheus_postgres_exporter_systemd_required_services_list: | 
@@ -2943,6 +2965,7 @@ matrix_registration_systemd_required_services_list: | # Postgres is the default, except if not using internal Postgres server matrix_registration_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_registration_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_registration_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mx.registr.db', rounds=655555) | to_uuid }}" ###################################################################### diff --git a/roles/custom/matrix-backup-borg/defaults/main.yml b/roles/custom/matrix-backup-borg/defaults/main.yml index de086ebd9..fbeb11670 100644 --- a/roles/custom/matrix-backup-borg/defaults/main.yml +++ b/roles/custom/matrix-backup-borg/defaults/main.yml @@ -39,7 +39,7 @@ matrix_backup_borg_location_source_directories: [] matrix_backup_borg_postgresql_enabled: true matrix_backup_borg_supported_postgres_versions: ['12', '13', '14'] matrix_backup_borg_postgresql_databases: [] -matrix_backup_borg_postgresql_databases_hostname: "matrix-postgres" +matrix_backup_borg_postgresql_databases_hostname: '' matrix_backup_borg_postgresql_databases_username: "matrix" matrix_backup_borg_postgresql_databases_password: "" matrix_backup_borg_postgresql_databases_port: 5432 diff --git a/roles/custom/matrix-backup-borg/tasks/validate_config.yml b/roles/custom/matrix-backup-borg/tasks/validate_config.yml index 66e487dd9..bb6cd4151 100644 --- a/roles/custom/matrix-backup-borg/tasks/validate_config.yml +++ b/roles/custom/matrix-backup-borg/tasks/validate_config.yml 
@@ -1,12 +1,13 @@ --- -- name: Fail if required settings not defined +- name: Fail if required backup-borg settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_backup_borg_ssh_key_private" - - "matrix_backup_borg_location_repositories" + - {'name': 'matrix_backup_borg_ssh_key_private', when: true} + - {'name': 'matrix_backup_borg_location_repositories', when: true} + - {'name': 'matrix_backup_borg_postgresql_databases_hostname', when: "{{ matrix_backup_borg_postgresql_enabled }}"} - name: Fail if encryption passphrase is undefined unless repository is unencrypted ansible.builtin.fail: diff --git a/roles/custom/matrix-bot-buscarron/defaults/main.yml b/roles/custom/matrix-bot-buscarron/defaults/main.yml index 21d9a4a39..290248e0a 100644 --- a/roles/custom/matrix-bot-buscarron/defaults/main.yml +++ b/roles/custom/matrix-bot-buscarron/defaults/main.yml @@ -43,7 +43,7 @@ matrix_bot_buscarron_sqlite_database_path_in_container: "/data/bot.db" matrix_bot_buscarron_database_username: 'buscarron' matrix_bot_buscarron_database_password: 'some-password' -matrix_bot_buscarron_database_hostname: 'matrix-postgres' +matrix_bot_buscarron_database_hostname: '' matrix_bot_buscarron_database_port: 5432 matrix_bot_buscarron_database_name: 'buscarron' diff --git a/roles/custom/matrix-bot-buscarron/tasks/validate_config.yml b/roles/custom/matrix-bot-buscarron/tasks/validate_config.yml index 04238012a..3547fc037 100644 --- a/roles/custom/matrix-bot-buscarron/tasks/validate_config.yml +++ b/roles/custom/matrix-bot-buscarron/tasks/validate_config.yml 
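Review bot: The new `when: "item.when | bool and vars[item.name] == ''"` only catches the empty string, so a setting left at `~`/null — the value several role defaults in this same commit used to carry for passwords — passes the check and reaches the template. For the string-valued settings in this list, comparing against a normalized value, `when: "item.when | bool and (vars[item.name] | default('', true)) == ''"`, would reject both null and empty without changing the positive case. The same loop body is copied into every validate_config.yml touched by this commit, so it is worth fixing once here and propagating.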
@@ -1,9 +1,10 @@ --- -- name: Fail if required settings not defined +- name: Fail if required Buscarron settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_bot_buscarron_password" + - {'name': 'matrix_bot_buscarron_password', when: true} + - {'name': 'matrix_bot_buscarron_database_hostname', when: "{{ matrix_bot_buscarron_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bot-postmoogle/defaults/main.yml b/roles/custom/matrix-bot-postmoogle/defaults/main.yml index 88a712d51..24bf7cf2e 100644 --- a/roles/custom/matrix-bot-postmoogle/defaults/main.yml +++ b/roles/custom/matrix-bot-postmoogle/defaults/main.yml @@ -42,7 +42,7 @@ matrix_bot_postmoogle_sqlite_database_path_in_container: "/data/bot.db" matrix_bot_postmoogle_database_username: 'postmoogle' matrix_bot_postmoogle_database_password: 'some-password' -matrix_bot_postmoogle_database_hostname: 'matrix-postgres' +matrix_bot_postmoogle_database_hostname: '' matrix_bot_postmoogle_database_port: 5432 matrix_bot_postmoogle_database_name: 'postmoogle' diff --git a/roles/custom/matrix-bot-postmoogle/tasks/validate_config.yml b/roles/custom/matrix-bot-postmoogle/tasks/validate_config.yml index b5d9d1ed2..1e31bd4f6 100644 --- a/roles/custom/matrix-bot-postmoogle/tasks/validate_config.yml +++ b/roles/custom/matrix-bot-postmoogle/tasks/validate_config.yml 
@@ -1,9 +1,10 @@ --- -- name: Fail if required settings not defined +- name: Fail if required Postmoogle settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_bot_postmoogle_password" + - {'name': 'matrix_bot_postmoogle_password', when: true} + - {'name': 'matrix_bot_postmoogle_database_hostname', when: "{{ matrix_bot_postmoogle_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bridge-appservice-discord/defaults/main.yml b/roles/custom/matrix-bridge-appservice-discord/defaults/main.yml index 9e061d678..ec194855e 100644 --- a/roles/custom/matrix-bridge-appservice-discord/defaults/main.yml +++ b/roles/custom/matrix-bridge-appservice-discord/defaults/main.yml @@ -60,7 +60,7 @@ matrix_appservice_discord_sqlite_database_path_in_container: "/data/discord.db" matrix_appservice_discord_database_username: 'matrix_appservice_discord' matrix_appservice_discord_database_password: 'some-password' -matrix_appservice_discord_database_hostname: 'matrix-postgres' +matrix_appservice_discord_database_hostname: '' matrix_appservice_discord_database_port: 5432 matrix_appservice_discord_database_name: 'matrix_appservice_discord' diff --git a/roles/custom/matrix-bridge-appservice-discord/tasks/validate_config.yml b/roles/custom/matrix-bridge-appservice-discord/tasks/validate_config.yml index e005f162b..fab6a5b6e 100644 --- a/roles/custom/matrix-bridge-appservice-discord/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-appservice-discord/tasks/validate_config.yml 
@@ -1,16 +1,17 @@ --- -- name: Fail if required settings not defined +- name: Fail if required appservice-discord settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_appservice_discord_client_id" - - "matrix_appservice_discord_bot_token" - - "matrix_appservice_discord_appservice_token" - - "matrix_appservice_discord_homeserver_token" - - "matrix_appservice_discord_homeserver_domain" + - {'name': 'matrix_appservice_discord_client_id', when: true} + - {'name': 'matrix_appservice_discord_bot_token', when: true} + - {'name': 'matrix_appservice_discord_appservice_token', when: true} + - {'name': 'matrix_appservice_discord_homeserver_token', when: true} + - {'name': 'matrix_appservice_discord_homeserver_domain', when: true} + - {'name': 'matrix_appservice_discord_database_hostname', when: "{{ matrix_appservice_discord_database_engine == 'postgres' }}"} - name: (Deprecation) Catch and report renamed appservice-discord variables ansible.builtin.fail: diff --git a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml index d54a7685d..5e8c11910 100644 --- a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml 
@@ -29,8 +29,8 @@ matrix_appservice_irc_appservice_address: 'http://matrix-appservice-irc:9999' matrix_appservice_irc_database_engine: nedb matrix_appservice_irc_database_username: matrix_appservice_irc -matrix_appservice_irc_database_password: ~ -matrix_appservice_irc_database_hostname: 'matrix-postgres' +matrix_appservice_irc_database_password: 'some-password' +matrix_appservice_irc_database_hostname: '' matrix_appservice_irc_database_port: 5432 matrix_appservice_irc_database_name: matrix_appservice_irc diff --git a/roles/custom/matrix-bridge-appservice-irc/tasks/validate_config.yml b/roles/custom/matrix-bridge-appservice-irc/tasks/validate_config.yml index f0d887c8f..0c4c6c29d 100644 --- a/roles/custom/matrix-bridge-appservice-irc/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-appservice-irc/tasks/validate_config.yml @@ -3,11 +3,12 @@ - name: Fail if required settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_appservice_irc_appservice_token" - - "matrix_appservice_irc_homeserver_token" + - {'name': 'matrix_appservice_irc_appservice_token', when: true} + - {'name': 'matrix_appservice_irc_homeserver_token', when: true} + - {'name': 'matrix_appservice_irc_database_hostname', when: "{{ matrix_appservice_irc_database_engine == 'postgres' }}"} # Our base configuration (`matrix_appservice_irc_configuration_yaml`) is not enough to # let the playbook run without errors. diff --git a/roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml b/roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml index f27f75c55..681695073 100644 --- a/roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml +++ b/roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml 
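Review bot: Replacing `~` with the literal `'some-password'` for `matrix_appservice_irc_database_password` turns an obviously-unset credential into a plausible-looking weak default, and the validation added in the next hunk checks only the hostname, not the password. With the default `nedb` engine the value is unused, but anyone switching to `postgres` without overriding it gets a guessable database password silently accepted. Keeping it empty (`matrix_appservice_irc_database_password: ''`) and adding `{'name': 'matrix_appservice_irc_database_password', when: "{{ matrix_appservice_irc_database_engine == 'postgres' }}"}` to the required-settings list would fail fast instead. Presumably the playbook's group_vars override this with a derived value, as they do for the mautrix bridges earlier in this diff, so the exposure is mainly standalone use of the role.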
@@ -90,7 +90,7 @@ matrix_appservice_kakaotalk_sqlite_database_path_in_container: "/data/appservice matrix_appservice_kakaotalk_database_username: 'matrix_appservice_kakaotalk' matrix_appservice_kakaotalk_database_password: 'some-password' -matrix_appservice_kakaotalk_database_hostname: 'matrix-postgres' +matrix_appservice_kakaotalk_database_hostname: '' matrix_appservice_kakaotalk_database_port: 5432 matrix_appservice_kakaotalk_database_name: 'matrix_appservice_kakaotalk' diff --git a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/validate_config.yml b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/validate_config.yml index 4f838e7a5..63b173395 100644 --- a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/validate_config.yml @@ -1,10 +1,11 @@ --- -- name: Fail if required settings not defined +- name: Fail if required appservice-kakaotalk settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_appservice_kakaotalk_appservice_token" - - "matrix_appservice_kakaotalk_homeserver_token" + - {'name': 'matrix_appservice_kakaotalk_appservice_token', when: true} + - {'name': 'matrix_appservice_kakaotalk_homeserver_token', when: true} + - {'name': 'matrix_appservice_kakaotalk_database_hostname', when: "{{ matrix_appservice_kakaotalk_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bridge-appservice-slack/defaults/main.yml b/roles/custom/matrix-bridge-appservice-slack/defaults/main.yml index b5fbc13f9..8884edd6b 100644 --- a/roles/custom/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/custom/matrix-bridge-appservice-slack/defaults/main.yml 
@@ -57,8 +57,8 @@ matrix_appservice_slack_id_token: '' matrix_appservice_slack_database_engine: nedb matrix_appservice_slack_database_username: matrix_appservice_slack -matrix_appservice_slack_database_password: ~ -matrix_appservice_slack_database_hostname: 'matrix-postgres' +matrix_appservice_slack_database_password: 'some-passsword' +matrix_appservice_slack_database_hostname: '' matrix_appservice_slack_database_port: 5432 matrix_appservice_slack_database_name: matrix_appservice_slack diff --git a/roles/custom/matrix-bridge-appservice-slack/tasks/validate_config.yml b/roles/custom/matrix-bridge-appservice-slack/tasks/validate_config.yml index e00eb6d4a..ef97635ec 100644 --- a/roles/custom/matrix-bridge-appservice-slack/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-appservice-slack/tasks/validate_config.yml @@ -1,16 +1,17 @@ --- -- name: Fail if required settings not defined +- name: Fail if required appservice-slack settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_appservice_slack_control_room_id" - - "matrix_appservice_slack_appservice_token" - - "matrix_appservice_slack_homeserver_url" - - "matrix_appservice_slack_homeserver_token" - - "matrix_appservice_slack_id_token" + - {'name': 'matrix_appservice_slack_control_room_id', when: true} + - {'name': 'matrix_appservice_slack_appservice_token', when: true} + - {'name': 'matrix_appservice_slack_homeserver_url', when: true} + - {'name': 'matrix_appservice_slack_homeserver_token', when: true} + - {'name': 'matrix_appservice_slack_id_token', when: true} + - {'name': 'matrix_appservice_slack_database_hostname', when: "{{ matrix_appservice_slack_database_engine == 'postgres' }}"} - name: (Deprecation) Catch and report renamed settings ansible.builtin.fail: 
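Review bot: `'some-passsword'` (three s) is a typo, and like the irc change it swaps a null default for a placeholder that the new hostname-only validation will never reject. If a placeholder is intended it should at least match the other roles (`'some-password'`); better is an empty default plus a password entry in the required-settings list, e.g. `{'name': 'matrix_appservice_slack_database_password', when: "{{ matrix_appservice_slack_database_engine == 'postgres' }}"}`. With the default `nedb` engine nothing consumes the value, so this matters for deployments that switch engines without overriding it.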
diff --git a/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml b/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml index 4f3d554b3..92d9b2e18 100644 --- a/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml +++ b/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml @@ -55,8 +55,8 @@ matrix_beeper_linkedin_appservice_bot_username: linkedinbot matrix_beeper_linkedin_database_engine: "postgres" matrix_beeper_linkedin_database_username: 'matrix_beeper_linkedin' -matrix_beeper_linkedin_database_password: "" -matrix_beeper_linkedin_database_hostname: 'matrix-postgres' +matrix_beeper_linkedin_database_password: 'some-password' +matrix_beeper_linkedin_database_hostname: '' matrix_beeper_linkedin_database_port: 5432 matrix_beeper_linkedin_database_name: 'matrix_beeper_linkedin' diff --git a/roles/custom/matrix-bridge-beeper-linkedin/tasks/validate_config.yml b/roles/custom/matrix-bridge-beeper-linkedin/tasks/validate_config.yml index 61489b7c6..59d56ca85 100644 --- a/roles/custom/matrix-bridge-beeper-linkedin/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-beeper-linkedin/tasks/validate_config.yml @@ -1,10 +1,11 @@ --- -- name: Fail if required settings not defined +- name: Fail if required beeper-linkedin settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_beeper_linkedin_appservice_token" - - "matrix_beeper_linkedin_homeserver_token" + - {'name': 'matrix_beeper_linkedin_appservice_token', when: true} + - {'name': 'matrix_beeper_linkedin_homeserver_token', when: true} + - {'name': 'matrix_beeper_linkedin_database_hostname', when: "{{ matrix_beeper_linkedin_database_engine == 'postgres' }}"} 
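Review bot: Unlike the irc and slack roles, `matrix_beeper_linkedin_database_engine` defaults to `"postgres"` in this same hunk, so the new `'some-password'` placeholder is the live default for the database credential rather than dead configuration. The previous `""` was at least visibly unset; now a standalone use of the role configures the bridge with a guessable password, and the validation added below inspects only the hostname. Consider keeping the password empty and adding `{'name': 'matrix_beeper_linkedin_database_password', when: "{{ matrix_beeper_linkedin_database_engine == 'postgres' }}"}` to validate_config.yml. The playbook's group_vars presumably override this with a derived value, but that override is not visible in this chunk.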
diff --git a/roles/custom/matrix-bridge-go-skype-bridge/defaults/main.yml b/roles/custom/matrix-bridge-go-skype-bridge/defaults/main.yml index a6f7aa9d3..e3cdea4bb 100644 --- a/roles/custom/matrix-bridge-go-skype-bridge/defaults/main.yml +++ b/roles/custom/matrix-bridge-go-skype-bridge/defaults/main.yml @@ -56,7 +56,7 @@ matrix_go_skype_bridge_sqlite_database_path_in_container: "/data/go-skype-bridge matrix_go_skype_bridge_database_username: 'matrix_go_skype_bridge' matrix_go_skype_bridge_database_password: 'some-password' -matrix_go_skype_bridge_database_hostname: 'matrix-postgres' +matrix_go_skype_bridge_database_hostname: '' matrix_go_skype_bridge_database_port: 5432 matrix_go_skype_bridge_database_name: 'matrix_go_skype_bridge' diff --git a/roles/custom/matrix-bridge-go-skype-bridge/tasks/validate_config.yml b/roles/custom/matrix-bridge-go-skype-bridge/tasks/validate_config.yml index d681299f2..c9b3c2ffd 100644 --- a/roles/custom/matrix-bridge-go-skype-bridge/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-go-skype-bridge/tasks/validate_config.yml @@ -1,10 +1,11 @@ --- -- name: Fail if required settings not defined +- name: Fail if required go-skype-bridge settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_go_skype_bridge_appservice_token" - - "matrix_go_skype_bridge_homeserver_token" + - {'name': 'matrix_go_skype_bridge_appservice_token', when: true} + - {'name': 'matrix_go_skype_bridge_homeserver_token', when: true} + - {'name': 'matrix_go_skype_bridge_database_hostname', when: "{{ matrix_go_skype_bridge_database_engine == 'postgres' }}"} 
diff --git a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml index 7163954a4..bb8846f5f 100644 --- a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml @@ -67,7 +67,7 @@ matrix_mautrix_discord_sqlite_database_path_in_container: "/data/mautrix-discord matrix_mautrix_discord_database_username: 'matrix_mautrix_discord' matrix_mautrix_discord_database_password: 'some-password' -matrix_mautrix_discord_database_hostname: 'matrix-postgres' +matrix_mautrix_discord_database_hostname: '' matrix_mautrix_discord_database_port: 5432 matrix_mautrix_discord_database_name: 'matrix_mautrix_discord' diff --git a/roles/custom/matrix-bridge-mautrix-discord/tasks/validate_config.yml b/roles/custom/matrix-bridge-mautrix-discord/tasks/validate_config.yml index 4ba7e1270..8f4fe29e4 100644 --- a/roles/custom/matrix-bridge-mautrix-discord/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mautrix-discord/tasks/validate_config.yml @@ -1,10 +1,11 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mautrix-discord settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mautrix_discord_appservice_token" - - "matrix_mautrix_discord_homeserver_token" + - {'name': 'matrix_mautrix_discord_appservice_token', when: true} + - {'name': 'matrix_mautrix_discord_homeserver_token', when: true} + - {'name': 'matrix_mautrix_discord_database_hostname', when: "{{ matrix_mautrix_discord_database_engine == 'postgres' }}"} 
diff --git a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml index e19fa9deb..989720140 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -74,7 +74,7 @@ matrix_mautrix_facebook_sqlite_database_path_in_container: "/data/mautrix-facebo matrix_mautrix_facebook_database_username: 'matrix_mautrix_facebook' matrix_mautrix_facebook_database_password: 'some-password' -matrix_mautrix_facebook_database_hostname: 'matrix-postgres' +matrix_mautrix_facebook_database_hostname: '' matrix_mautrix_facebook_database_port: 5432 matrix_mautrix_facebook_database_name: 'matrix_mautrix_facebook' diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/validate_config.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/validate_config.yml index 04e45c319..d61981a67 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/validate_config.yml 
@@ -1,14 +1,15 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mautrix-facebook settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mautrix_facebook_public_endpoint" - - "matrix_mautrix_facebook_appservice_token" - - "matrix_mautrix_facebook_homeserver_token" + - {'name': 'matrix_mautrix_facebook_public_endpoint', when: true} + - {'name': 'matrix_mautrix_facebook_appservice_token', when: true} + - {'name': 'matrix_mautrix_facebook_homeserver_token', when: true} + - {'name': 'matrix_mautrix_facebook_database_hostname', when: "{{ matrix_mautrix_facebook_database_engine == 'postgres' }}"} - when: "matrix_mautrix_facebook_database_engine == 'sqlite' and matrix_mautrix_facebook_docker_image.endswith(':da1b4ec596e334325a1589e70829dea46e73064b')" block: diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml index 9c2d97b2a..f432cc637 100644 --- a/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml @@ -68,7 +68,7 @@ matrix_mautrix_googlechat_sqlite_database_path_in_container: "/data/mautrix-goog matrix_mautrix_googlechat_database_username: 'matrix_mautrix_googlechat' matrix_mautrix_googlechat_database_password: 'some-password' -matrix_mautrix_googlechat_database_hostname: 'matrix-postgres' +matrix_mautrix_googlechat_database_hostname: '' matrix_mautrix_googlechat_database_port: 5432 matrix_mautrix_googlechat_database_name: 'matrix_mautrix_googlechat' 
diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/validate_config.yml b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/validate_config.yml index fc36472eb..06cb8de76 100644 --- a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/validate_config.yml @@ -1,14 +1,12 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mautrix-googlechat settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mautrix_googlechat_public_endpoint" - - "matrix_mautrix_googlechat_appservice_token" - - "matrix_mautrix_googlechat_homeserver_token" -- ansible.builtin.debug: - msg: - - '`matrix_mautrix_googlechat_homeserver_domain` == {{ matrix_mautrix_googlechat_homeserver_domain }}' + - {'name': 'matrix_mautrix_googlechat_public_endpoint', when: true} + - {'name': 'matrix_mautrix_googlechat_appservice_token', when: true} + - {'name': 'matrix_mautrix_googlechat_homeserver_token', when: true} + - {'name': 'matrix_mautrix_googlechat_database_hostname', when: "{{ matrix_mautrix_googlechat_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-hangouts/defaults/main.yml index 8b338fd76..27f3e5930 100644 --- a/roles/custom/matrix-bridge-mautrix-hangouts/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-hangouts/defaults/main.yml 
@@ -65,7 +65,7 @@ matrix_mautrix_hangouts_sqlite_database_path_in_container: "/data/mautrix-hangou matrix_mautrix_hangouts_database_username: 'matrix_mautrix_hangouts' matrix_mautrix_hangouts_database_password: 'some-password' -matrix_mautrix_hangouts_database_hostname: 'matrix-postgres' +matrix_mautrix_hangouts_database_hostname: '' matrix_mautrix_hangouts_database_port: 5432 matrix_mautrix_hangouts_database_name: 'matrix_mautrix_hangouts' diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/validate_config.yml b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/validate_config.yml index c80586e09..11635642c 100644 --- a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/validate_config.yml @@ -1,14 +1,12 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mautrix-hangouts settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mautrix_hangouts_public_endpoint" - - "matrix_mautrix_hangouts_appservice_token" - - "matrix_mautrix_hangouts_homeserver_token" -- ansible.builtin.debug: - msg: - - '`matrix_mautrix_hangouts_homeserver_domain` == {{ matrix_mautrix_hangouts_homeserver_domain }}' + - {'name': 'matrix_mautrix_hangouts_public_endpoint', when: true} + - {'name': 'matrix_mautrix_hangouts_appservice_token', when: true} + - {'name': 'matrix_mautrix_hangouts_homeserver_token', when: true} + - {'name': 'matrix_mautrix_hangouts_database_hostname', when: "{{ matrix_mautrix_hangouts_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml index dcdf6723d..75b996562 100644 
--- a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml @@ -55,7 +55,7 @@ matrix_mautrix_instagram_database_engine: 'postgres' matrix_mautrix_instagram_database_username: 'matrix_mautrix_instagram' matrix_mautrix_instagram_database_password: 'some-password' -matrix_mautrix_instagram_database_hostname: 'matrix-postgres' +matrix_mautrix_instagram_database_hostname: '' matrix_mautrix_instagram_database_port: 5432 matrix_mautrix_instagram_database_name: 'matrix_mautrix_instagram' diff --git a/roles/custom/matrix-bridge-mautrix-instagram/tasks/validate_config.yml b/roles/custom/matrix-bridge-mautrix-instagram/tasks/validate_config.yml index 99f7b0156..51bedf683 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mautrix-instagram/tasks/validate_config.yml @@ -1,9 +1,10 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mautrix-instagram settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mautrix_instagram_appservice_token" - - "matrix_mautrix_instagram_homeserver_token" + - {'name': 'matrix_mautrix_instagram_appservice_token', when: true} + - {'name': 'matrix_mautrix_instagram_homeserver_token', when: true} + - {'name': 'matrix_mautrix_instagram_database_hostname', when: "{{ matrix_mautrix_instagram_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml index 24ba9b39d..736c45575 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml 
@@ -76,7 +76,7 @@ matrix_mautrix_signal_database_engine: 'postgres' matrix_mautrix_signal_database_username: 'matrix_mautrix_signal' matrix_mautrix_signal_database_password: 'some-password' -matrix_mautrix_signal_database_hostname: 'matrix-postgres' +matrix_mautrix_signal_database_hostname: '' matrix_mautrix_signal_database_port: 5432 matrix_mautrix_signal_database_name: 'matrix_mautrix_signal' diff --git a/roles/custom/matrix-bridge-mautrix-signal/tasks/validate_config.yml b/roles/custom/matrix-bridge-mautrix-signal/tasks/validate_config.yml index ea2c1c430..5cabf18c5 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/tasks/validate_config.yml @@ -1,15 +1,16 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mautrix-signal settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mautrix_signal_homeserver_domain" - - "matrix_mautrix_signal_homeserver_address" - - "matrix_mautrix_signal_homeserver_token" - - "matrix_mautrix_signal_appservice_token" + - {'name': 'matrix_mautrix_signal_homeserver_domain', when: true} + - {'name': 'matrix_mautrix_signal_homeserver_address', when: true} + - {'name': 'matrix_mautrix_signal_homeserver_token', when: true} + - {'name': 'matrix_mautrix_signal_appservice_token', when: true} + - {'name': 'matrix_mautrix_signal_database_hostname', when: "{{ matrix_mautrix_signal_database_engine == 'postgres' }}"} - name: (Deprecation) Fail if matrix_mautrix_signal_bridge_permissions specified as YAML string, instead of a dictionary ansible.builtin.fail: 
diff --git a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml index 6f2137e47..5d2c0c88c 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -95,7 +95,7 @@ matrix_mautrix_telegram_sqlite_database_path_in_container: "/data/mautrix-telegr matrix_mautrix_telegram_database_username: 'matrix_mautrix_telegram' matrix_mautrix_telegram_database_password: 'some-password' -matrix_mautrix_telegram_database_hostname: 'matrix-postgres' +matrix_mautrix_telegram_database_hostname: '' matrix_mautrix_telegram_database_port: 5432 matrix_mautrix_telegram_database_name: 'matrix_mautrix_telegram' diff --git a/roles/custom/matrix-bridge-mautrix-telegram/tasks/validate_config.yml b/roles/custom/matrix-bridge-mautrix-telegram/tasks/validate_config.yml index 9711448bf..16ebf37dc 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mautrix-telegram/tasks/validate_config.yml 
@@ -1,16 +1,17 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mautrix-telegram settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mautrix_telegram_api_id" - - "matrix_mautrix_telegram_api_hash" - - "matrix_mautrix_telegram_public_endpoint" - - "matrix_mautrix_telegram_appservice_token" - - "matrix_mautrix_telegram_homeserver_token" + - {'name': 'matrix_mautrix_telegram_api_id', when: true} + - {'name': 'matrix_mautrix_telegram_api_hash', when: true} + - {'name': 'matrix_mautrix_telegram_public_endpoint', when: true} + - {'name': 'matrix_mautrix_telegram_appservice_token', when: true} + - {'name': 'matrix_mautrix_telegram_homeserver_token', when: true} + - {'name': 'matrix_mautrix_telegram_database_hostname', when: "{{ matrix_mautrix_telegram_database_engine == 'postgres' }}"} - name: (Deprecation) Catch and report renamed Telegram variables ansible.builtin.fail: diff --git a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml index 684b889ac..22475596a 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml @@ -54,7 +54,7 @@ matrix_mautrix_twitter_federate_rooms: true matrix_mautrix_twitter_database_engine: 'postgres' matrix_mautrix_twitter_database_username: 'matrix_mautrix_twitter' -matrix_mautrix_twitter_database_password: '' +matrix_mautrix_twitter_database_password: 'some-password' matrix_mautrix_twitter_database_hostname: '' matrix_mautrix_twitter_database_port: 5432 matrix_mautrix_twitter_database_name: 'matrix_mautrix_twitter' 
diff --git a/roles/custom/matrix-bridge-mautrix-twitter/tasks/validate_config.yml b/roles/custom/matrix-bridge-mautrix-twitter/tasks/validate_config.yml index a97d292f2..cfd408a7b 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mautrix-twitter/tasks/validate_config.yml @@ -3,10 +3,9 @@ - name: Fail if required mautrix-twitter settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mautrix_twitter_appservice_token" - - "matrix_mautrix_twitter_homeserver_token" - - "matrix_mautrix_twitter_database_hostname" - - "matrix_mautrix_twitter_database_password" + - {'name': 'matrix_mautrix_twitter_appservice_token', when: true} + - {'name': 'matrix_mautrix_twitter_homeserver_token', when: true} + - {'name': 'matrix_mautrix_twitter_database_hostname', when: "{{ matrix_mautrix_twitter_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 7c923b065..186c62970 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -61,7 +61,7 @@ matrix_mautrix_whatsapp_sqlite_database_path_in_container: "/data/mautrix-whatsa matrix_mautrix_whatsapp_database_username: 'matrix_mautrix_whatsapp' matrix_mautrix_whatsapp_database_password: 'some-password' -matrix_mautrix_whatsapp_database_hostname: 'matrix-postgres' +matrix_mautrix_whatsapp_database_hostname: '' matrix_mautrix_whatsapp_database_port: 5432 matrix_mautrix_whatsapp_database_name: 'matrix_mautrix_whatsapp' 
diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/validate_config.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/validate_config.yml index 863dc926f..0a6a38cd7 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/validate_config.yml @@ -1,14 +1,14 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mautrix-whatsapp settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mautrix_whatsapp_appservice_token" - - "matrix_mautrix_whatsapp_homeserver_token" - + - {'name': 'matrix_mautrix_whatsapp_appservice_token', when: true} + - {'name': 'matrix_mautrix_whatsapp_homeserver_token', when: true} + - {'name': 'matrix_mautrix_whatsapp_database_hostname', when: "{{ matrix_mautrix_whatsapp_database_engine == 'postgres' }}"} - name: (Deprecation) Catch and report renamed settings ansible.builtin.fail: diff --git a/roles/custom/matrix-dimension/defaults/main.yml b/roles/custom/matrix-dimension/defaults/main.yml index ea1dde108..4be76fd1e 100644 --- a/roles/custom/matrix-dimension/defaults/main.yml +++ b/roles/custom/matrix-dimension/defaults/main.yml @@ -65,7 +65,7 @@ matrix_dimension_sqlite_database_path_in_container: "dimension.db" matrix_dimension_database_username: 'matrix_dimension' matrix_dimension_database_password: 'some-password' -matrix_dimension_database_hostname: 'matrix-postgres' +matrix_dimension_database_hostname: '' matrix_dimension_database_port: 5432 matrix_dimension_database_name: 'matrix_dimension' diff --git a/roles/custom/matrix-dimension/tasks/validate_config.yml b/roles/custom/matrix-dimension/tasks/validate_config.yml index 5af0ba6d6..8f681e082 100644 
--- a/roles/custom/matrix-dimension/tasks/validate_config.yml +++ b/roles/custom/matrix-dimension/tasks/validate_config.yml @@ -1,11 +1,13 @@ --- + - name: Fail if required Dimension settings not defined ansible.builtin.fail: - msg: >- - You need to define a required configuration setting (`{{ item }}`) for using Dimension. + msg: > + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_dimension_access_token" - when: "matrix_dimension_enabled and vars[item] == ''" + - {'name': 'matrix_dimension_access_token', when: true} + - {'name': 'matrix_dimension_database_hostname', when: "{{ matrix_dimension_database_engine == 'postgres' }}"} - name: (Deprecation) Catch and report renamed Dimension variables ansible.builtin.fail: diff --git a/roles/custom/matrix-etherpad/defaults/main.yml b/roles/custom/matrix-etherpad/defaults/main.yml index 540b2a518..874e9a300 100644 --- a/roles/custom/matrix-etherpad/defaults/main.yml +++ b/roles/custom/matrix-etherpad/defaults/main.yml @@ -45,7 +45,7 @@ matrix_etherpad_database_engine: 'postgres' matrix_etherpad_database_username: 'matrix_etherpad' matrix_etherpad_database_password: 'some-password' -matrix_etherpad_database_hostname: 'matrix-postgres' +matrix_etherpad_database_hostname: '' matrix_etherpad_database_port: 5432 matrix_etherpad_database_name: 'matrix_etherpad' diff --git a/roles/custom/matrix-etherpad/tasks/validate_config.yml b/roles/custom/matrix-etherpad/tasks/validate_config.yml index 646648945..2bc773a63 100644 --- a/roles/custom/matrix-etherpad/tasks/validate_config.yml +++ b/roles/custom/matrix-etherpad/tasks/validate_config.yml 
@@ -1,10 +1,12 @@ --- -- name: Fail if no database is configured for Etherpad +- name: Fail if required Etherpad settings not defined ansible.builtin.fail: - msg: >- - Etherpad requires a dedicated Postgres database. Please enable the built in one, or configure an external DB by redefining "matrix_etherpad_database_hostname" - when: matrix_etherpad_database_hostname == '' + msg: > + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" + with_items: + - {'name': 'matrix_etherpad_database_hostname', when: true} - name: Fail if wrong mode selected ansible.builtin.fail: diff --git a/roles/custom/matrix-ma1sd/defaults/main.yml b/roles/custom/matrix-ma1sd/defaults/main.yml index a606d0d6e..9dc32ce7b 100644 --- a/roles/custom/matrix-ma1sd/defaults/main.yml +++ b/roles/custom/matrix-ma1sd/defaults/main.yml @@ -64,7 +64,7 @@ matrix_ma1sd_sqlite_database_path_in_container: "/var/ma1sd/ma1sd.db" matrix_ma1sd_database_username: 'matrix_ma1sd' matrix_ma1sd_database_password: 'some-password' -matrix_ma1sd_database_hostname: 'matrix-postgres' +matrix_ma1sd_database_hostname: '' matrix_ma1sd_database_port: 5432 matrix_ma1sd_database_name: 'matrix_ma1sd' diff --git a/roles/custom/matrix-ma1sd/tasks/validate_config.yml b/roles/custom/matrix-ma1sd/tasks/validate_config.yml index af12dd3f1..b490a5c62 100644 --- a/roles/custom/matrix-ma1sd/tasks/validate_config.yml +++ b/roles/custom/matrix-ma1sd/tasks/validate_config.yml 
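Review bot: The Etherpad failure message loses the guidance the replaced task carried: `You need to define a required configuration setting (`{{ item.name }}`).` no longer tells the operator that Etherpad needs a Postgres database and that the fix is to enable the built-in one or point `matrix_etherpad_database_hostname` at an external server. Since this task is the only place that surfaces the requirement, keep that sentence in the message, e.g. `You need to define a required configuration setting (`{{ item.name }}`). Etherpad requires a Postgres database - enable the built-in one or set `matrix_etherpad_database_hostname` to an external server.` The unconditional `when: true` on the hostname item is consistent with the `matrix_etherpad_database_engine: 'postgres'` default shown in the defaults hunk, assuming no other engine is supported.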
@@ -42,11 +42,12 @@ - name: Fail if required ma1sd settings not defined ansible.builtin.fail: msg: > - You need to define a required configuration setting (`{{ item }}`) for using ma1sd. - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_ma1sd_threepid_medium_email_connectors_smtp_host" - - "matrix_ma1sd_dns_overwrite_homeserver_client_value" + - {'name': 'matrix_ma1sd_threepid_medium_email_connectors_smtp_host', when: true} + - {'name': 'matrix_ma1sd_dns_overwrite_homeserver_client_value', when: true} + - {'name': 'matrix_ma1sd_database_hostname', when: "{{ matrix_ma1sd_database_engine == 'postgres' }}"} - name: (Deprecation) Catch and report renamed ma1sd variables ansible.builtin.fail: diff --git a/roles/custom/matrix-postgres-backup/tasks/validate_config.yml b/roles/custom/matrix-postgres-backup/tasks/validate_config.yml index aab68eafa..285328c23 100644 --- a/roles/custom/matrix-postgres-backup/tasks/validate_config.yml +++ b/roles/custom/matrix-postgres-backup/tasks/validate_config.yml @@ -1,6 +1,6 @@ --- -- name: Fail if required Postgres settings not defined +- name: Fail if required postgres-backup settings not defined ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`). diff --git a/roles/custom/matrix-prometheus-postgres-exporter/defaults/main.yml b/roles/custom/matrix-prometheus-postgres-exporter/defaults/main.yml index f0cbfede9..5fc8e9196 100644 --- a/roles/custom/matrix-prometheus-postgres-exporter/defaults/main.yml +++ b/roles/custom/matrix-prometheus-postgres-exporter/defaults/main.yml 
@@ -24,7 +24,7 @@ matrix_prometheus_postgres_exporter_systemd_wanted_services_list: [] # details for connecting to the database matrix_prometheus_postgres_exporter_database_username: 'matrix_prometheus_postgres_exporter' matrix_prometheus_postgres_exporter_database_password: 'some-password' -matrix_prometheus_postgres_exporter_database_hostname: 'matrix-postgres' +matrix_prometheus_postgres_exporter_database_hostname: '' matrix_prometheus_postgres_exporter_database_port: 5432 matrix_prometheus_postgres_exporter_database_name: 'matrix_prometheus_postgres_exporter' diff --git a/roles/custom/matrix-prometheus-postgres-exporter/tasks/main.yml b/roles/custom/matrix-prometheus-postgres-exporter/tasks/main.yml index 2cea06049..7ff6d15ae 100644 --- a/roles/custom/matrix-prometheus-postgres-exporter/tasks/main.yml +++ b/roles/custom/matrix-prometheus-postgres-exporter/tasks/main.yml @@ -10,6 +10,9 @@ - install-nginx-proxy - block: + - when: matrix_prometheus_postgres_exporter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + - when: matrix_prometheus_postgres_exporter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" tags: diff --git a/roles/custom/matrix-prometheus-postgres-exporter/tasks/validate_config.yml b/roles/custom/matrix-prometheus-postgres-exporter/tasks/validate_config.yml new file mode 100644 index 000000000..6acf784f2 --- /dev/null +++ b/roles/custom/matrix-prometheus-postgres-exporter/tasks/validate_config.yml @@ -0,0 +1,9 @@ +--- + +- name: Fail if required prometheus-postgres-exporter settings not defined + ansible.builtin.fail: + msg: > + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - matrix_prometheus_postgres_exporter_database_hostname diff --git a/roles/custom/matrix-registration/defaults/main.yml b/roles/custom/matrix-registration/defaults/main.yml index 1e53ae982..c7a45fad0 100644 
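Review bot: The new `tasks/validate_config.yml` for prometheus-postgres-exporter uses the older `vars[item]` / `{{ item }}` shape while every other validate_config touched by this patch is being migrated to `{'name': ..., when: ...}` items; adopting the same shape here keeps the files uniform and allows a condition to be attached later without another rewrite. Proposed lines: `You need to define a required configuration setting (`{{ item.name }}`).`, `when: "item.when | bool and vars[item.name] == ''"`, `- {'name': 'matrix_prometheus_postgres_exporter_database_hostname', when: true}`. The include added to `tasks/main.yml` is gated on `matrix_prometheus_postgres_exporter_enabled | bool` like the setup_install include below it, so the check only runs when the role is in use.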
--- a/roles/custom/matrix-registration/defaults/main.yml +++ b/roles/custom/matrix-registration/defaults/main.yml @@ -52,7 +52,7 @@ matrix_registration_sqlite_database_path_in_container: "/data/db.sqlite3" matrix_registration_database_username: 'matrix_registration' matrix_registration_database_password: 'some-password' -matrix_registration_database_hostname: 'matrix-postgres' +matrix_registration_database_hostname: '' matrix_registration_database_port: 5432 matrix_registration_database_name: 'matrix_registration' diff --git a/roles/custom/matrix-registration/tasks/validate_config.yml b/roles/custom/matrix-registration/tasks/validate_config.yml index eb140d31e..167c7c5c7 100644 --- a/roles/custom/matrix-registration/tasks/validate_config.yml +++ b/roles/custom/matrix-registration/tasks/validate_config.yml @@ -3,12 +3,13 @@ - name: Fail if required matrix-registration settings not defined ansible.builtin.fail: msg: > - You need to define a required configuration setting (`{{ item }}`) for using matrix-registration. - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_registration_shared_secret" - - "matrix_registration_admin_secret" - - "matrix_registration_server_location" + - {'name': 'matrix_registration_shared_secret', when: true} + - {'name': 'matrix_registration_admin_secret', when: true} + - {'name': 'matrix_registration_server_location', when: true} + - {'name': 'matrix_registration_database_hostname', when: "{{ matrix_registration_database_engine == 'postgres' }}"} - name: (Deprecation) Catch and report renamed settings ansible.builtin.fail: From 72744f9db90fe9024a4b9a0e3d28f0a4a06f34e6 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sun, 27 Nov 2022 09:26:18 +0200 Subject: [PATCH 091/915] /usr/local/bin/matrix-synapse-register-user -> /matrix/synapse/bin/register-user --- docs/registering-users.md | 2 +- roles/custom/matrix-synapse/defaults/main.yml | 1 + roles/custom/matrix-synapse/tasks/register_user.yml | 3 ++- roles/custom/matrix-synapse/tasks/setup_install.yml | 1 + .../matrix-synapse/tasks/synapse/setup_install.yml | 12 +++--------- .../register-user.j2} | 0 6 files changed, 8 insertions(+), 11 deletions(-) rename roles/custom/matrix-synapse/templates/synapse/{usr-local-bin/matrix-synapse-register-user.j2 => bin/register-user.j2} (100%) diff --git a/docs/registering-users.md b/docs/registering-users.md index 90c065bfe..83f31a22e 100644 --- a/docs/registering-users.md +++ b/docs/registering-users.md @@ -23,7 +23,7 @@ ansible-playbook -i inventory/hosts setup.yml --extra-vars='username= +/matrix/synapse/bin/register-user ``` **Note**: `` is just a plain username (like `john`), not your full `@:` identifier. diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 9a93a437e..d643400c4 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -55,6 +55,7 @@ matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage" matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store" matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext" +matrix_synapse_bin_path: "{{ matrix_synapse_base_path }}/bin" matrix_synapse_ext_s3_storage_provider_path: "{{ matrix_synapse_base_path }}/ext/s3-storage-provider" matrix_synapse_container_client_api_port: 8008 diff --git a/roles/custom/matrix-synapse/tasks/register_user.yml b/roles/custom/matrix-synapse/tasks/register_user.yml index 817484495..215409593 100644 --- a/roles/custom/matrix-synapse/tasks/register_user.yml 
+++ b/roles/custom/matrix-synapse/tasks/register_user.yml @@ -28,6 +28,7 @@ when: "start_result.changed" - name: Register user - ansible.builtin.command: "{{ matrix_local_bin_path }}/matrix-synapse-register-user {{ username | quote }} {{ password | quote }} {{ '1' if admin == 'yes' else '0' }}" + ansible.builtin.command: + cmd: "{{ matrix_synapse_bin_path }}/register-user {{ username | quote }} {{ password | quote }} {{ '1' if admin == 'yes' else '0' }}" register: matrix_synapse_register_user_result changed_when: matrix_synapse_register_user_result.rc == 0 diff --git a/roles/custom/matrix-synapse/tasks/setup_install.yml b/roles/custom/matrix-synapse/tasks/setup_install.yml index 3d56177cf..0be0fd2fb 100644 --- a/roles/custom/matrix-synapse/tasks/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/setup_install.yml @@ -10,6 +10,7 @@ with_items: - {path: "{{ matrix_synapse_config_dir_path }}", when: true} - {path: "{{ matrix_synapse_ext_path }}", when: true} + - {path: "{{ matrix_synapse_bin_path }}", when: true} - {path: "{{ matrix_synapse_docker_src_files_path }}", when: "{{ matrix_synapse_container_image_self_build }}"} - {path: "{{ matrix_synapse_customized_docker_src_files_path }}", when: "{{ matrix_synapse_container_image_customizations_enabled }}"} - {path: "{{ matrix_synapse_ext_s3_storage_provider_path }}", when: "{{ matrix_synapse_ext_synapse_s3_storage_provider_enabled }}"} diff --git a/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml b/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml index 429179de4..2c6f05b7f 100644 --- a/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml 
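Review bot: The rewritten `cmd:` still hands the new user's password to the script as a command-line argument (`{{ password | quote }}`), where it is visible to other local processes through the process table and is printed in verbose Ansible output; the task has no `no_log`. This predates the patch, but since the invocation is being rewritten it is the moment to add `no_log: true` beside `register: matrix_synapse_register_user_result`, and to consider feeding the password through the module's `stdin:` parameter once the template is adjusted to read it. The surrounding task list continues outside the hunk.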
@@ -127,17 +127,11 @@ src: "{{ role_path }}/templates/synapse/systemd/matrix-synapse.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse.service" mode: 0644 - register: matrix_synapse_systemd_service_result -- name: Ensure systemd reloaded after matrix-synapse.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_synapse_systemd_service_result.changed" - -- name: Ensure matrix-synapse-register-user script created +- name: Ensure register-user script created ansible.builtin.template: - src: "{{ role_path }}/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2" - dest: "{{ matrix_local_bin_path }}/matrix-synapse-register-user" + src: "{{ role_path }}/templates/synapse/bin/register-user.j2" + dest: "{{ matrix_synapse_bin_path }}/register-user" mode: 0755 - name: Generate sample prometheus.yml for external scraping diff --git a/roles/custom/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2 b/roles/custom/matrix-synapse/templates/synapse/bin/register-user.j2 similarity index 100% rename from roles/custom/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2 rename to roles/custom/matrix-synapse/templates/synapse/bin/register-user.j2 From 735e7355a506c6be384e27b9944d1db649cbf7da Mon Sep 17 00:00:00 2001 
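Review bot: Nothing in this series removes the old copy at `{{ matrix_local_bin_path }}/matrix-synapse-register-user` (or, in the later hunks at L843, L847, L850 and L853, the old `matrix-synapse-s3-storage-provider-*`, `matrix-dendrite-create-account`, `matrix-remove-all` and `matrix-ssl-lets-encrypt-certificates-renew` scripts) on hosts installed before this change, while the remove-all script's `find ... -name "matrix-*" -delete` cleanup and the docs line telling users to `rm -f /usr/local/bin/matrix*` are both dropped. Those leftovers stay executable on `PATH` and are no longer managed by the playbook; a one-off `ansible.builtin.file` task with `state: absent` per old script, kept for a release or two, would close that gap. This hunk also drops the `register:`/daemon-reload pair, which the commit subject does not mention — presumably the reload now happens in a shared systemd task elsewhere, but that is not visible here. The retained `mode: 0755` on the register-user script is wider than the `0750` used for the Dendrite and s3-storage-provider scripts in L847 and L842; `0750` would be consistent and keeps a user-management script from being executable by other local accounts.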
From: Slavi Pantaleev Date: Sun, 27 Nov 2022 09:28:29 +0200 Subject: [PATCH 092/915] Rename variable (matrix_synapse_ext_s3_storage_provider_path -> matrix_synapse_ext_s3_storage_provider_base_path) --- roles/custom/matrix-synapse/defaults/main.yml | 7 +++++-- .../tasks/ext/s3-storage-provider/setup_install.yml | 6 +++--- .../tasks/ext/s3-storage-provider/setup_uninstall.yml | 2 +- roles/custom/matrix-synapse/tasks/setup_install.yml | 2 +- roles/custom/matrix-synapse/tasks/validate_config.yml | 1 + .../matrix-synapse-s3-storage-provider-migrate.j2 | 4 ++-- .../matrix-synapse-s3-storage-provider-shell.j2 | 4 ++-- 7 files changed, 15 insertions(+), 11 deletions(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index d643400c4..c1f6b99a5 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml 
@@ -49,14 +49,17 @@ matrix_synapse_docker_image_customized: "localhost/matrixdotorg/synapse:{{ matri matrix_synapse_docker_image_final: "{{ matrix_synapse_docker_image_customized if matrix_synapse_container_image_customizations_enabled else matrix_synapse_docker_image }} " matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" + matrix_synapse_docker_src_files_path: "{{ matrix_synapse_base_path }}/docker-src" matrix_synapse_customized_docker_src_files_path: "{{ matrix_synapse_base_path }}/customized-docker-src" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage" matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store" -matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext" matrix_synapse_bin_path: "{{ matrix_synapse_base_path }}/bin" -matrix_synapse_ext_s3_storage_provider_path: "{{ matrix_synapse_base_path }}/ext/s3-storage-provider" + +matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext" + +matrix_synapse_ext_s3_storage_provider_base_path: "{{ matrix_synapse_base_path }}/ext/s3-storage-provider" matrix_synapse_container_client_api_port: 8008 diff --git a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_install.yml b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_install.yml index 684fb2c99..b64bf6d2c 100644 --- a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_install.yml 
@@ -10,12 +10,12 @@ - name: Ensure s3-storage-provider env file installed ansible.builtin.template: src: "{{ role_path }}/templates/synapse/ext/s3-storage-provider/env.j2" - dest: "{{ matrix_synapse_ext_s3_storage_provider_path }}/env" + dest: "{{ matrix_synapse_ext_s3_storage_provider_base_path }}/env" mode: 0640 - name: Ensure s3-storage-provider data path exists ansible.builtin.file: - path: "{{ matrix_synapse_ext_s3_storage_provider_path }}/data" + path: "{{ matrix_synapse_ext_s3_storage_provider_base_path }}/data" state: directory mode: 0750 owner: "{{ matrix_user_username }}" @@ -24,7 +24,7 @@ - name: Ensure s3-storage-provider database.yaml file installed ansible.builtin.template: src: "{{ role_path }}/templates/synapse/ext/s3-storage-provider/database.yaml.j2" - dest: "{{ matrix_synapse_ext_s3_storage_provider_path }}/data/database.yaml" + dest: "{{ matrix_synapse_ext_s3_storage_provider_base_path }}/data/database.yaml" mode: 0640 - name: Ensure s3-storage-provider scripts installed diff --git a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_uninstall.yml b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_uninstall.yml index d664d75fc..a112a37c6 100644 --- a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_uninstall.yml +++ b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_uninstall.yml @@ -16,4 +16,4 @@ with_items: - "{{ matrix_local_bin_path }}/matrix-synapse-s3-storage-provider-shell" - "{{ matrix_local_bin_path }}/matrix-synapse-s3-storage-provider-migrate" - - "{{ matrix_synapse_ext_s3_storage_provider_path }}" + - "{{ matrix_synapse_ext_s3_storage_provider_base_path }}" diff --git a/roles/custom/matrix-synapse/tasks/setup_install.yml b/roles/custom/matrix-synapse/tasks/setup_install.yml index 0be0fd2fb..28fbc41de 100644 --- a/roles/custom/matrix-synapse/tasks/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/setup_install.yml 
@@ -13,7 +13,7 @@ - {path: "{{ matrix_synapse_bin_path }}", when: true} - {path: "{{ matrix_synapse_docker_src_files_path }}", when: "{{ matrix_synapse_container_image_self_build }}"} - {path: "{{ matrix_synapse_customized_docker_src_files_path }}", when: "{{ matrix_synapse_container_image_customizations_enabled }}"} - - {path: "{{ matrix_synapse_ext_s3_storage_provider_path }}", when: "{{ matrix_synapse_ext_synapse_s3_storage_provider_enabled }}"} + - {path: "{{ matrix_synapse_ext_s3_storage_provider_base_path }}", when: "{{ matrix_synapse_ext_synapse_s3_storage_provider_enabled }}"} # We handle matrix_synapse_media_store_path elsewhere (in ./synapse/setup_install.yml), # because if it's using Goofys and it's already mounted (from before), # trying to chown/chmod it here will cause trouble. diff --git a/roles/custom/matrix-synapse/tasks/validate_config.yml b/roles/custom/matrix-synapse/tasks/validate_config.yml index 0758c88fb..0f63211d0 100644 --- a/roles/custom/matrix-synapse/tasks/validate_config.yml +++ b/roles/custom/matrix-synapse/tasks/validate_config.yml @@ -59,6 +59,7 @@ - {'old': 'matrix_synapse_workers_frontend_proxy_workers_count', 'new': ''} - {'old': 'matrix_synapse_workers_frontend_proxy_workers_port_range_start', 'new': ''} - {'old': 'matrix_synapse_workers_frontend_proxy_workers_metrics_range_start', 'new': ''} + - {'old': 'matrix_synapse_ext_s3_storage_provider_path', 'new': 'matrix_synapse_ext_s3_storage_provider_base_path'} - name: (Deprecation) Catch and report renamed settings in matrix_synapse_configuration_extension_yaml ansible.builtin.fail: diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-migrate.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-migrate.j2 index d48ae1229..70518eb48 100644 
--- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-migrate.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-migrate.j2 @@ -3,9 +3,9 @@ {{ devture_systemd_docker_base_host_command_docker }} run \ --rm \ - --env-file={{ matrix_synapse_ext_s3_storage_provider_path }}/env \ + --env-file={{ matrix_synapse_ext_s3_storage_provider_base_path }}/env \ --mount type=bind,src={{ matrix_synapse_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \ - --mount type=bind,src={{ matrix_synapse_ext_s3_storage_provider_path }}/data,dst=/data \ + --mount type=bind,src={{ matrix_synapse_ext_s3_storage_provider_base_path }}/data,dst=/data \ --workdir=/data \ --network={{ matrix_docker_network }} \ --entrypoint=/bin/bash \ diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-shell.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-shell.j2 index b46e89b73..00717705f 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-shell.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-shell.j2 
@@ -4,9 +4,9 @@ {{ devture_systemd_docker_base_host_command_docker }} run \ -it \ --rm \ - --env-file={{ matrix_synapse_ext_s3_storage_provider_path }}/env \ + --env-file={{ matrix_synapse_ext_s3_storage_provider_base_path }}/env \ --mount type=bind,src={{ matrix_synapse_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \ - --mount type=bind,src={{ matrix_synapse_ext_s3_storage_provider_path }}/data,dst=/data \ + --mount type=bind,src={{ matrix_synapse_ext_s3_storage_provider_base_path }}/data,dst=/data \ --workdir=/data \ --network={{ matrix_docker_network }} \ --entrypoint=/bin/bash \ From 7c5c3aedc4416209a0a1c361620e1159ce6384b0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 27 Nov 2022 09:34:46 +0200 Subject: [PATCH 093/915] Put s3-storage-provider scripts under /matrix/synapse/ext/s3-storage-provider/bin, not /usr/local/bin --- ...ng-playbook-synapse-s3-storage-provider.md | 8 ++--- roles/custom/matrix-synapse/defaults/main.yml | 1 + .../ext/s3-storage-provider/setup_install.yml | 32 +++++++++---------- .../s3-storage-provider/setup_uninstall.yml | 6 +--- .../matrix-synapse/tasks/setup_install.yml | 3 ++ .../migrate.j2} | 0 .../shell.j2} | 0 ...pse-s3-storage-provider-migrate.service.j2 | 2 +- 8 files changed, 25 insertions(+), 27 deletions(-) rename roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/{usr-local-bin/matrix-synapse-s3-storage-provider-migrate.j2 => bin/migrate.j2} (100%) rename roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/{usr-local-bin/matrix-synapse-s3-storage-provider-shell.j2 => bin/shell.j2} (100%) diff --git a/docs/configuring-playbook-synapse-s3-storage-provider.md b/docs/configuring-playbook-synapse-s3-storage-provider.md index 2dba264be..a06d658f4 100644 --- a/docs/configuring-playbook-synapse-s3-storage-provider.md +++ b/docs/configuring-playbook-synapse-s3-storage-provider.md 
@@ -62,7 +62,7 @@ Migrating your existing data can happen in multiple ways: Instead of using `s3_media_upload` directly, which is very slow and painful for an initial data migration, we recommend [using another tool in combination with `s3_media_upload`](#using-another-tool-in-combination-with-s3_media_upload). -To copy your existing files, SSH into the server and run `/usr/local/bin/matrix-synapse-s3-storage-provider-shell`. +To copy your existing files, SSH into the server and run `/matrix/synapse/ext/s3-storage-provider/bin/shell`. This launches a Synapse container, which has access to the local media store, Postgres database, S3 store and has some convenient environment variables configured for you to use (`MEDIA_PATH`, `BUCKET`, `ENDPOINT`, `UPDATE_DB_DAYS`, etc). 
@@ -76,12 +76,12 @@ Then use the following commands (`$` values come from environment variables - th The `s3_media_upload upload` command may take a lot of time to complete. -Instead of running the above commands manually in the shell, you can also run the `/usr/local/bin/matrix-synapse-s3-storage-provider-migrate` script which will run the same commands automatically. We demonstrate how to do it manually, because: +Instead of running the above commands manually in the shell, you can also run the `/matrix/synapse/ext/s3-storage-provider/bin/migrate` script which will run the same commands automatically. We demonstrate how to do it manually, because: - it's what the upstream project demonstrates and it teaches you how to use the `s3_media_upload` tool - allows you to check and verify the output of each command, to catch mistakes - includes progress bars and detailed output for each command -- allows you to easily interrupt slow-running commands, etc. (the `/usr/local/bin/matrix-synapse-s3-storage-provider-migrate` starts a container without interactive TTY support, so `Ctrl+C` may not work and you and require killing via `docker kill ..`) +- allows you to easily interrupt slow-running commands, etc. (the `/matrix/synapse/ext/s3-storage-provider/bin/migrate` starts a container without interactive TTY support, so `Ctrl+C` may not work and you and require killing via `docker kill ..`) ### Using another tool in combination with `s3_media_upload` 
@@ -119,7 +119,7 @@ As described in [How it works?](#how-it-works) above, when new media is uploaded By default, we periodically ensure that all local files are uploaded to S3 and are then removed from the local filesystem. This is done automatically using: -- the `/usr/local/bin/matrix-synapse-s3-storage-provider-migrate` script +- the `/matrix/synapse/ext/s3-storage-provider/bin/migrate` script - .. invoked via the `matrix-synapse-s3-storage-provider-migrate.service` service - .. triggered by the `matrix-synapse-s3-storage-provider-migrate.timer` timer, every day at 05:00 diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index c1f6b99a5..1a9b18a71 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -60,6 +60,7 @@ matrix_synapse_bin_path: "{{ matrix_synapse_base_path }}/bin" matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext" matrix_synapse_ext_s3_storage_provider_base_path: "{{ matrix_synapse_base_path }}/ext/s3-storage-provider" +matrix_synapse_ext_s3_storage_provider_bin_path: "{{ matrix_synapse_ext_s3_storage_provider_base_path }}/bin" matrix_synapse_container_client_api_port: 8008 diff --git a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_install.yml b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_install.yml index b64bf6d2c..11958f45e 100644 --- a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_install.yml 
@@ -7,19 +7,22 @@ # # Below are additional tasks for setting up various helper scripts, etc. -- name: Ensure s3-storage-provider env file installed - ansible.builtin.template: - src: "{{ role_path }}/templates/synapse/ext/s3-storage-provider/env.j2" - dest: "{{ matrix_synapse_ext_s3_storage_provider_base_path }}/env" - mode: 0640 - -- name: Ensure s3-storage-provider data path exists +- name: Ensure s3-storage-provider paths exists ansible.builtin.file: - path: "{{ matrix_synapse_ext_s3_storage_provider_base_path }}/data" + path: "{{ item }}" state: directory mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_synapse_ext_s3_storage_provider_base_path }}" + - "{{ matrix_synapse_ext_s3_storage_provider_bin_path }}" + +- name: Ensure s3-storage-provider env file installed + ansible.builtin.template: + src: "{{ role_path }}/templates/synapse/ext/s3-storage-provider/env.j2" + dest: "{{ matrix_synapse_ext_s3_storage_provider_base_path }}/env" + mode: 0640 - name: Ensure s3-storage-provider database.yaml file installed ansible.builtin.template: @@ -29,12 +32,12 @@ - name: Ensure s3-storage-provider scripts installed ansible.builtin.template: - src: "{{ role_path }}/templates/synapse/ext/s3-storage-provider/usr-local-bin/{{ item }}.j2" - dest: "{{ matrix_local_bin_path }}/{{ item }}" + src: "{{ role_path }}/templates/synapse/ext/s3-storage-provider/bin/{{ item }}.j2" + dest: "{{ matrix_synapse_ext_s3_storage_provider_bin_path }}/{{ item }}" mode: 0750 with_items: - - matrix-synapse-s3-storage-provider-shell - - matrix-synapse-s3-storage-provider-migrate + - shell + - migrate - name: Ensure matrix-synapse-s3-storage-provider-migrate.service and timer are installed ansible.builtin.template: 
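Review bot: The directory creation added here for `matrix_synapse_ext_s3_storage_provider_base_path` and `matrix_synapse_ext_s3_storage_provider_bin_path` duplicates the two entries the same commit adds to `tasks/setup_install.yml` (hunk at L844), so the same paths are created twice with separately maintained `mode`/`owner`/`group` values that can drift apart. Keep one of the two, or restrict this task to the `bin` path if the base path is intentionally created earlier. Also, the task name `Ensure s3-storage-provider paths exists` should read `Ensure s3-storage-provider paths exist` (the same `paths exists` wording appears in the matrix-base hunk at L849).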
@@ -45,8 +48,3 @@ - matrix-synapse-s3-storage-provider-migrate.service - matrix-synapse-s3-storage-provider-migrate.timer register: matrix_synapse_s3_storage_provider_systemd_service_result - -- name: Ensure systemd reloaded after matrix-synapse-s3-storage-provider-migrate.service installation - ansible.builtin.service: - daemon_reload: true - when: matrix_synapse_s3_storage_provider_systemd_service_result.changed | bool diff --git a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_uninstall.yml b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_uninstall.yml index a112a37c6..83e8a0f7d 100644 --- a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_uninstall.yml +++ b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_uninstall.yml @@ -11,9 +11,5 @@ - name: Ensure s3-storage-provider files don't exist ansible.builtin.file: - path: "{{ item }}" + path: "{{ matrix_synapse_ext_s3_storage_provider_base_path }}" state: absent - with_items: - - "{{ matrix_local_bin_path }}/matrix-synapse-s3-storage-provider-shell" - - "{{ matrix_local_bin_path }}/matrix-synapse-s3-storage-provider-migrate" - - "{{ matrix_synapse_ext_s3_storage_provider_base_path }}" diff --git a/roles/custom/matrix-synapse/tasks/setup_install.yml b/roles/custom/matrix-synapse/tasks/setup_install.yml index 28fbc41de..d1ef7ed4c 100644 --- a/roles/custom/matrix-synapse/tasks/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/setup_install.yml 
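Review bot: `register: matrix_synapse_s3_storage_provider_systemd_service_result` is now dead: its only consumer, the `daemon_reload` task removed directly below it, is gone, and nothing else in the hunk reads it. Either drop the `register:` line as well or, if a daemon reload is now expected from a task elsewhere, add a one-line comment in its place naming where that reload happens so the next reader does not re-add one. The template task this `register:` belongs to starts outside the hunk.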
@@ -13,7 +13,10 @@ - {path: "{{ matrix_synapse_bin_path }}", when: true} - {path: "{{ matrix_synapse_docker_src_files_path }}", when: "{{ matrix_synapse_container_image_self_build }}"} - {path: "{{ matrix_synapse_customized_docker_src_files_path }}", when: "{{ matrix_synapse_container_image_customizations_enabled }}"} + - {path: "{{ matrix_synapse_ext_s3_storage_provider_base_path }}", when: "{{ matrix_synapse_ext_synapse_s3_storage_provider_enabled }}"} + - {path: "{{ matrix_synapse_ext_s3_storage_provider_bin_path }}", when: "{{ matrix_synapse_ext_synapse_s3_storage_provider_enabled }}"} + # We handle matrix_synapse_media_store_path elsewhere (in ./synapse/setup_install.yml), # because if it's using Goofys and it's already mounted (from before), # trying to chown/chmod it here will cause trouble. diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-migrate.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/migrate.j2 similarity index 100% rename from roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-migrate.j2 rename to roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/migrate.j2 diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-shell.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/shell.j2 similarity index 100% rename from roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-shell.j2 rename to roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/shell.j2 
diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/systemd/matrix-synapse-s3-storage-provider-migrate.service.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/systemd/matrix-synapse-s3-storage-provider-migrate.service.j2 index 159681a0e..626c83857 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/systemd/matrix-synapse-s3-storage-provider-migrate.service.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/systemd/matrix-synapse-s3-storage-provider-migrate.service.j2 @@ -4,4 +4,4 @@ Description=Migrates locally-stored Synapse media store files to S3 [Service] Type=oneshot Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStart={{ matrix_local_bin_path }}/matrix-synapse-s3-storage-provider-migrate +ExecStart={{ matrix_synapse_ext_s3_storage_provider_bin_path }}/migrate From 40cf9cd72c0373faccc4eae70165faaafa20393b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 27 Nov 2022 09:41:03 +0200 Subject: [PATCH 094/915] /usr/local/bin/matrix-dendrite-create-account -> /matrix/dendrite/bin/create-account --- roles/custom/matrix-dendrite/defaults/main.yml | 1 + roles/custom/matrix-dendrite/tasks/register_user.yml | 2 +- roles/custom/matrix-dendrite/tasks/setup_install.yml | 9 ++++++--- roles/custom/matrix-dendrite/tasks/setup_uninstall.yml | 7 +++++-- .../create-account.j2} | 0 5 files changed, 13 insertions(+), 6 deletions(-) rename roles/custom/matrix-dendrite/templates/dendrite/{usr-local-bin/matrix-dendrite-create-account.j2 => bin/create-account.j2} (100%) diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml index dac77bc1f..370545187 100644 --- a/roles/custom/matrix-dendrite/defaults/main.yml +++ b/roles/custom/matrix-dendrite/defaults/main.yml 
@@ -14,6 +14,7 @@ matrix_dendrite_config_dir_path: "{{ matrix_dendrite_base_path }}/config" matrix_dendrite_storage_path: "{{ matrix_dendrite_base_path }}/storage" matrix_dendrite_media_store_path: "{{ matrix_dendrite_storage_path }}/media-store" matrix_dendrite_nats_storage_path: "{{ matrix_dendrite_base_path }}/nats" +matrix_dendrite_bin_path: "{{ matrix_dendrite_base_path }}/bin" matrix_dendrite_ext_path: "{{ matrix_dendrite_base_path }}/ext" # By default, we make Dendrite only serve HTTP (not HTTPS). diff --git a/roles/custom/matrix-dendrite/tasks/register_user.yml b/roles/custom/matrix-dendrite/tasks/register_user.yml index 6b4de7e93..1e2fc100f 100644 --- a/roles/custom/matrix-dendrite/tasks/register_user.yml +++ b/roles/custom/matrix-dendrite/tasks/register_user.yml @@ -29,6 +29,6 @@ - name: Register user ansible.builtin.command: - cmd: "{{ matrix_local_bin_path }}/matrix-dendrite-create-account {{ username | quote }} {{ password | quote }} {{ '1' if admin == 'yes' else '0' }}" + cmd: "{{ {{ matrix_dendrite_bin_path }} }}/create-account {{ username | quote }} {{ password | quote }} {{ '1' if admin == 'yes' else '0' }}" register: matrix_dendrite_register_user_result changed_when: matrix_dendrite_register_user_result.rc == 0 diff --git a/roles/custom/matrix-dendrite/tasks/setup_install.yml b/roles/custom/matrix-dendrite/tasks/setup_install.yml index 1c557e7f7..c516c5b7c 100644 --- a/roles/custom/matrix-dendrite/tasks/setup_install.yml +++ b/roles/custom/matrix-dendrite/tasks/setup_install.yml @@ -9,6 +9,7 @@ group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_dendrite_config_dir_path }}" + - "{{ matrix_dendrite_bin_path }}" - "{{ matrix_dendrite_ext_path }}" - "{{ matrix_dendrite_nats_storage_path }}" 
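Review bot: The new `cmd:` line in `register_user.yml` is a Jinja2 syntax error: `{{ {{ matrix_dendrite_bin_path }} }}` nests a print statement inside another, so the Register user task will fail at template time instead of running `create-account`. It should be `cmd: "{{ matrix_dendrite_bin_path }}/create-account {{ username | quote }} {{ password | quote }} {{ '1' if admin == 'yes' else '0' }}"`. As with the Synapse counterpart, the password remains an argv value visible in the process list, so `no_log: true` on this task is worth adding if it is not already set below the hunk.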
@@ -81,8 +82,10 @@ dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dendrite.service" mode: 0644 -- name: Ensure matrix-dendrite-create-account script created +- name: Ensure Dendrite scripts created ansible.builtin.template: - src: "{{ role_path }}/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2" - dest: "{{ matrix_local_bin_path }}/matrix-dendrite-create-account" + src: "{{ role_path }}/templates/dendrite/bin/{{ item }}.j2" + dest: "{{ matrix_dendrite_bin_path }}/{{ item }}" mode: 0750 + with_items: + - create-account diff --git a/roles/custom/matrix-dendrite/tasks/setup_uninstall.yml b/roles/custom/matrix-dendrite/tasks/setup_uninstall.yml index e5479684c..f6a537b30 100644 --- a/roles/custom/matrix-dendrite/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-dendrite/tasks/setup_uninstall.yml @@ -13,7 +13,10 @@ state: stopped daemon_reload: true - - name: Ensure matrix-dendrite.service doesn't exist + - name: Ensure Dendrite paths don't exist ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dendrite.service" + path: "{{ item }}" state: absent + with_items: + - "{{ devture_systemd_docker_base_systemd_path }}/matrix-dendrite.service" + - "{{ matrix_dendrite_bin_path }}" diff --git a/roles/custom/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 b/roles/custom/matrix-dendrite/templates/dendrite/bin/create-account.j2 similarity index 100% rename from roles/custom/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 rename to roles/custom/matrix-dendrite/templates/dendrite/bin/create-account.j2 From c9281482614255bf7d2f9571d30c10338e709ffb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 27 Nov 2022 09:43:25 +0200 Subject: [PATCH 095/915] Make uninstall tasks for Synapse delete bin/ --- .../matrix-synapse/tasks/synapse/setup_uninstall.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
diff --git a/roles/custom/matrix-synapse/tasks/synapse/setup_uninstall.yml b/roles/custom/matrix-synapse/tasks/synapse/setup_uninstall.yml index 7f0815224..6b8ae5a01 100644 --- a/roles/custom/matrix-synapse/tasks/synapse/setup_uninstall.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/setup_uninstall.yml @@ -14,10 +14,13 @@ enabled: false daemon_reload: true - - name: Ensure matrix-synapse.service doesn't exist + - name: Ensure Synapse paths don't exist ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse.service" + path: "{{ item }}" state: absent + with_items: + - "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse.service" + - "{{ matrix_synapse_bin_path }}" - name: Ensure sample prometheus.yml for external scraping is deleted ansible.builtin.file: From fb86f6d5e73406a369b41f5444a104d3adbfb7b0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 27 Nov 2022 09:47:02 +0200 Subject: [PATCH 096/915] /usr/local/bin/matrix-remove-all -> /matrix/bin/remove-all --- docs/uninstalling.md | 4 +--- roles/custom/matrix-base/defaults/main.yml | 2 ++ roles/custom/matrix-base/tasks/setup_matrix_base.yml | 9 +++++---- .../matrix-remove-all.j2 => bin/remove-all.j2} | 2 -- 4 files changed, 8 insertions(+), 9 deletions(-) rename roles/custom/matrix-base/templates/{usr-local-bin/matrix-remove-all.j2 => bin/remove-all.j2} (92%) diff --git a/docs/uninstalling.md b/docs/uninstalling.md index 73af01d91..73a414ede 100644 --- a/docs/uninstalling.md +++ b/docs/uninstalling.md @@ -12,7 +12,7 @@ ## Uninstalling using a script -Installing places a `/usr/local/bin/matrix-remove-all` script on the server. +Installing places a `/matrix/bin/remove-all` script on the server. You can run it to to have it uninstall things for you automatically (see below). **Use with caution!** 
@@ -25,8 +25,6 @@ If you prefer to uninstall manually, run these commands (most are meant to be ex - delete the Matrix-related systemd `.service` and `.timer` files (`rm -f /etc/systemd/system/matrix*.{service,timer}`) and reload systemd (`systemctl daemon-reload`) -- delete some helper scripts (`rm -f /usr/local/bin/matrix*`) - - delete some cached Docker images (`docker system prune -a`) or just delete them all (`docker rmi $(docker images -aq)`) - delete the Docker networks: `docker network rm matrix matrix-coturn` (might have been deleted already if you ran the `docker system prune` command) diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index 34d8c65b2..33805e51e 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml @@ -117,6 +117,8 @@ matrix_user_gid: ~ matrix_base_data_path: "/matrix" matrix_base_data_path_mode: "750" +matrix_bin_path: "{{ matrix_base_data_path }}/bin" + matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files" # This is now unused. We keep it so that cleanup tasks can use it. diff --git a/roles/custom/matrix-base/tasks/setup_matrix_base.yml b/roles/custom/matrix-base/tasks/setup_matrix_base.yml index f954bd796..3d95af020 100644 --- a/roles/custom/matrix-base/tasks/setup_matrix_base.yml +++ b/roles/custom/matrix-base/tasks/setup_matrix_base.yml @@ -1,6 +1,6 @@ --- -- name: Ensure Matrix base path exists +- name: Ensure Matrix base paths exists ansible.builtin.file: path: "{{ item }}" state: directory 
@@ -9,14 +9,15 @@ group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_base_data_path }}" + - "{{ matrix_bin_path }}" - name: Ensure Matrix network is created in Docker community.docker.docker_network: name: "{{ matrix_docker_network }}" driver: bridge -- name: Ensure matrix-remove-all script created +- name: Ensure remove-all script created ansible.builtin.template: - src: "{{ role_path }}/templates/usr-local-bin/matrix-remove-all.j2" - dest: "{{ matrix_local_bin_path }}/matrix-remove-all" + src: "{{ role_path }}/templates/bin/remove-all.j2" + dest: "{{ matrix_bin_path }}/remove-all" mode: 0750 diff --git a/roles/custom/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 b/roles/custom/matrix-base/templates/bin/remove-all.j2 similarity index 92% rename from roles/custom/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 rename to roles/custom/matrix-base/templates/bin/remove-all.j2 index f9b174e57..5dd862aea 100644 --- a/roles/custom/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 +++ b/roles/custom/matrix-base/templates/bin/remove-all.j2 @@ -23,8 +23,6 @@ else systemctl daemon-reload - echo "Remove matrix scripts" - find {{ matrix_local_bin_path }}/ -name "matrix-*" -delete echo "Remove unused Docker images and resources" docker system prune -af echo "Remove Docker matrix network (should be gone already, but ..)" From 707e909b9b2b122be15f6b376c720496ae84430b Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sun, 27 Nov 2022 09:53:23 +0200 Subject: [PATCH 097/915] /usr/local/bin/matrix-ssl-lets-encrypt-certificates-renew -> /matrix/ssl/bin/lets-encrypt-certificates-renew --- roles/custom/matrix-base/defaults/main.yml | 6 ------ .../matrix-base/tasks/validate_config.yml | 1 + .../matrix-coturn/tasks/setup_install.yml | 6 ------ .../matrix-nginx-proxy/defaults/main.yml | 1 + .../matrix-nginx-proxy/tasks/ssl/main.yml | 1 + .../tasks/ssl/setup_ssl_lets_encrypt.yml | 19 +++---------------- .../lets-encrypt-certificates-renew.j2} | 0 ...lets-encrypt-certificates-renew.service.j2 | 2 +- 8 files changed, 7 insertions(+), 29 deletions(-) rename roles/custom/matrix-nginx-proxy/templates/{usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 => bin/lets-encrypt-certificates-renew.j2} (100%) diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index 33805e51e..63aee58ac 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml @@ -121,12 +121,6 @@ matrix_bin_path: "{{ matrix_base_data_path }}/bin" matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files" -# This is now unused. We keep it so that cleanup tasks can use it. -# To be removed in the future. -matrix_cron_path: "/etc/cron.d" - -matrix_local_bin_path: "/usr/local/bin" - matrix_host_command_sleep: "/usr/bin/env sleep" matrix_host_command_chown: "/usr/bin/env chown" matrix_host_command_fusermount: "/usr/bin/env fusermount" diff --git a/roles/custom/matrix-base/tasks/validate_config.yml b/roles/custom/matrix-base/tasks/validate_config.yml index b3c7fb18c..b3551e2e3 100644 --- a/roles/custom/matrix-base/tasks/validate_config.yml +++ b/roles/custom/matrix-base/tasks/validate_config.yml 
@@ -17,6 +17,7 @@
- {'old': 'hostname_matrix', 'new': 'matrix_server_fqn_matrix'}
- {'old': 'hostname_riot', 'new': 'matrix_server_fqn_element'}
- {'old': 'matrix_server_fqn_riot', 'new': 'matrix_server_fqn_element'}
+ - {'old': 'matrix_local_bin_path', 'new': ''}
# We have a dedicated check for this variable, because we'd like to have a custom (friendlier) message.
- name: Fail if matrix_homeserver_generic_secret_key is undefined
diff --git a/roles/custom/matrix-coturn/tasks/setup_install.yml b/roles/custom/matrix-coturn/tasks/setup_install.yml
index 31b5446cb..ab94db27e 100644
--- a/roles/custom/matrix-coturn/tasks/setup_install.yml
+++ b/roles/custom/matrix-coturn/tasks/setup_install.yml
@@ -1,11 +1,5 @@
---
-# This is a cleanup/migration task. It can be removed some time in the future.
-- name: (Migration) Remove deprecated cronjob
- ansible.builtin.file:
- path: "{{ matrix_cron_path }}/matrix-coturn-ssl-reload"
- state: absent
-
- name: Ensure Matrix Coturn path exists
ansible.builtin.file:
path: "{{ item.path }}"
diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml
index 886e35131..0830d4f41 100644
--- a/roles/custom/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml
@@ -573,6 +573,7 @@ matrix_ssl_lets_encrypt_key_type: rsa
matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"
matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"
matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"
+matrix_ssl_bin_dir_path: "{{ matrix_ssl_base_path }}/bin"
# If you'd like to start some service before a certificate is obtained, specify it here.
# This could be something like `matrix-dynamic-dns`, etc.
diff --git a/roles/custom/matrix-nginx-proxy/tasks/ssl/main.yml b/roles/custom/matrix-nginx-proxy/tasks/ssl/main.yml
index e9d270cfe..6eff8cbf7 100644
--- a/roles/custom/matrix-nginx-proxy/tasks/ssl/main.yml
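Review bot: The deprecation table gains `matrix_local_bin_path` but not `matrix_cron_path`, although this same commit drops both from `roles/custom/matrix-base/defaults/main.yml`; unless it is listed further down the table outside the hunk, an operator who still sets `matrix_cron_path` in vars.yml gets no warning and the value is silently ignored. Add `- {'old': 'matrix_cron_path', 'new': ''}` next to the new entry. Also check how the check's failure message renders an empty `new` — the message template is outside the hunk, and a sentence like "use `` instead" reads oddly; a placeholder such as `'new': '(removed, scripts now live under matrix_bin_path)'` would tell the operator what to do.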
+++ b/roles/custom/matrix-nginx-proxy/tasks/ssl/main.yml
@@ -24,6 +24,7 @@
with_items:
- "{{ matrix_ssl_log_dir_path }}"
- "{{ matrix_ssl_config_dir_path }}"
+ - "{{ matrix_ssl_bin_dir_path }}"
when: "matrix_ssl_retrieval_method != 'none'"
diff --git a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml b/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml
index 77361f3ff..a1b14e3b2 100644
--- a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml
+++ b/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml
@@ -1,17 +1,4 @@
---
-
-# This is a cleanup/migration task, because of to the new way we manage cronjobs (`cron` module) and the new script name.
-# This migration task can be removed some time in the future.
-- name: (Migration) Remove deprecated Let's Encrypt SSL certificate management files
- ansible.builtin.file:
- path: "{{ item }}"
- state: absent
- with_items:
- - "{{ matrix_local_bin_path }}/matrix-ssl-certificates-renew"
- - "{{ matrix_cron_path }}/matrix-ssl-certificate-renewal"
- - "{{ matrix_cron_path }}/matrix-nginx-proxy-periodic-restarter"
- - "/etc/cron.d/matrix-ssl-lets-encrypt"
-
#
# Tasks related to setting up Let's Encrypt's management of certificates
#
@@ -36,8 +23,8 @@
- name: Ensure Let's Encrypt SSL renewal script installed
ansible.builtin.template:
- src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2"
- dest: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
+ src: "{{ role_path }}/templates/bin/lets-encrypt-certificates-renew.j2"
+ dest: "{{ matrix_ssl_bin_dir_path }}/lets-encrypt-certificates-renew"
mode: 0755
- name: Ensure SSL renewal systemd units installed
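Review bot: The renewal script now lands in `{{ matrix_ssl_bin_dir_path }}` with `mode: 0755` and no `owner`/`group`, while that directory is created by the `ssl/main.yml` loop together with the log and config directories, whose owner is set above that hunk and is presumably the matrix service user. The systemd unit runs this path as root (no `User=` is visible in the unit), so a service user able to write to the directory could swap the script for its own and get root on the next timer run. Give the template task `owner: root` and `group: root`, and create `matrix_ssl_bin_dir_path` root-owned (`mode: 0755` is enough for the directory) instead of letting it inherit the service user's ownership from that loop. The task header with the loop's `owner:`/`mode:` is outside the hunk, so confirm the actual ownership before changing it.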
@@ -63,5 +50,5 @@
- name: Ensure Let's Encrypt SSL renewal script removed
ansible.builtin.file:
- path: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
+ path: "{{ matrix_ssl_bin_dir_path }}/lets-encrypt-certificates-renew"
state: absent
diff --git a/roles/custom/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 b/roles/custom/matrix-nginx-proxy/templates/bin/lets-encrypt-certificates-renew.j2
similarity index 100%
rename from roles/custom/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2
rename to roles/custom/matrix-nginx-proxy/templates/bin/lets-encrypt-certificates-renew.j2
diff --git a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 b/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2
index c7f372d9a..b2f07aca7 100644
--- a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2
+++ b/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2
@@ -4,4 +4,4 @@ Description=Renews Let's Encrypt SSL certificates
[Service]
Type=oneshot
Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
-ExecStart={{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew
+ExecStart={{ matrix_ssl_bin_dir_path }}/lets-encrypt-certificates-renew
From 2688e8bfc3d9fb14f08f6b28432691b0dff1ff14 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev Date: Sun, 27 Nov 2022 10:02:45 +0200 Subject: [PATCH 098/915] Optimize initial installation by not reloading systemd after each .service install We expect `--tags=start` to handle systemd reloading, so we don't need to do it manually each time we install/uninstall a .service file. --- .../matrix-bot-buscarron/tasks/setup_install.yml | 7 +------ .../matrix-bot-go-neb/tasks/setup_install.yml | 6 +----- .../matrix-bot-honoroit/tasks/setup_install.yml | 6 +----- .../tasks/setup_install.yml | 11 ----------- .../tasks/setup_install.yml | 6 +----- .../matrix-bot-maubot/tasks/setup_install.yml | 6 ------ .../matrix-bot-mjolnir/tasks/setup_install.yml | 6 +----- .../matrix-bot-postmoogle/tasks/setup_install.yml | 5 ----- .../tasks/setup_install.yml | 6 +----- .../tasks/setup_install.yml | 6 +----- .../tasks/setup_install.yml | 6 ------ .../tasks/setup_install.yml | 7 +------ .../tasks/setup_install.yml | 6 ------ .../tasks/setup_install.yml | 6 ------ .../tasks/setup_install.yml | 6 +----- .../tasks/setup_install.yml | 6 ------ .../tasks/setup_install.yml | 6 ------ .../tasks/setup_install.yml | 6 +----- .../tasks/setup_install.yml | 7 +------ .../tasks/setup_install.yml | 7 +------ .../tasks/setup_install.yml | 7 +------ .../tasks/setup_install.yml | 6 ------ .../tasks/setup_install.yml | 6 ------ .../tasks/setup_install.yml | 7 +------ .../tasks/setup_install.yml | 7 +------ .../tasks/setup_install.yml | 7 +------ .../tasks/setup_install.yml | 7 +------ .../tasks/setup_install.yml | 7 +------ .../tasks/setup_install.yml | 7 +------ .../tasks/setup_install.yml | 7 +------ .../tasks/setup_install.yml | 7 +------ .../tasks/setup_install.yml | 7 +------ .../matrix-bridge-sms/tasks/setup_install.yml | 6 ------ .../tasks/setup_install.yml | 11 ----------- .../matrix-client-cinny/tasks/setup_install.yml | 6 ------ .../matrix-client-element/tasks/setup_install.yml | 6 ------ .../tasks/setup_install.yml | 6 ------ 
.../custom/matrix-conduit/tasks/setup_install.yml | 6 ------ .../matrix-dimension/tasks/setup_install.yml | 7 +------ .../matrix-dynamic-dns/tasks/setup_install.yml | 6 ------ .../matrix-email2matrix/tasks/setup_install.yml | 6 ------ .../matrix-etherpad/tasks/setup_install.yml | 6 ------ .../tasks/setup_install.yml | 15 --------------- roles/custom/matrix-ma1sd/tasks/setup_install.yml | 7 +------ .../custom/matrix-mailer/tasks/setup_install.yml | 6 ------ .../tasks/setup_nginx_proxy.yml | 11 ----------- roles/custom/matrix-ntfy/tasks/setup_install.yml | 6 ------ .../tasks/setup_install.yml | 6 ------ .../matrix-prometheus/tasks/setup_install.yml | 6 ------ .../matrix-registration/tasks/setup_install.yml | 7 +------ .../custom/matrix-sygnal/tasks/setup_install.yml | 6 ------ .../matrix-synapse/tasks/goofys/setup_install.yml | 6 ------ 52 files changed, 25 insertions(+), 327 deletions(-) diff --git a/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml b/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml index ca304efb8..e8cffa93a 100644 --- a/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml @@ -89,15 +89,10 @@ src: "{{ role_path }}/templates/systemd/matrix-bot-buscarron.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-buscarron.service" mode: 0644 - register: matrix_bot_buscarron_systemd_service_result - -- name: Ensure systemd reloaded after matrix-bot-buscarron.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_buscarron_systemd_service_result.changed | bool" - name: Ensure matrix-bot-buscarron.service restarted, if necessary ansible.builtin.service: name: "matrix-bot-buscarron.service" state: restarted + daemon_reload: true when: "matrix_bot_buscarron_requires_restart | bool" 
diff --git a/roles/custom/matrix-bot-go-neb/tasks/setup_install.yml b/roles/custom/matrix-bot-go-neb/tasks/setup_install.yml index 70aec14ad..1db16b911 100644 --- a/roles/custom/matrix-bot-go-neb/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-go-neb/tasks/setup_install.yml @@ -42,13 +42,9 @@ mode: 0644 register: matrix_bot_go_neb_systemd_service_result -- name: Ensure systemd reloaded after matrix-bot-go-neb.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_go_neb_systemd_service_result.changed | bool" - - name: Ensure matrix-bot-go-neb.service restarted, if necessary ansible.builtin.service: name: "matrix-bot-go-neb.service" state: restarted + daemon_reload: true when: "matrix_bot_go_neb_requires_restart | bool" diff --git a/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml b/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml index 245e641c2..85a11510f 100644 --- a/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml @@ -91,13 +91,9 @@ mode: 0644 register: matrix_bot_honoroit_systemd_service_result -- name: Ensure systemd reloaded after matrix-bot-honoroit.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_honoroit_systemd_service_result.changed | bool" - - name: Ensure matrix-bot-honoroit.service restarted, if necessary ansible.builtin.service: name: "matrix-bot-honoroit.service" state: restarted + daemon_reload: true when: "matrix_bot_honoroit_requires_restart | bool" diff --git a/roles/custom/matrix-bot-matrix-registration-bot/tasks/setup_install.yml b/roles/custom/matrix-bot-matrix-registration-bot/tasks/setup_install.yml index 3838fa079..515cd9973 100644 --- a/roles/custom/matrix-bot-matrix-registration-bot/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-matrix-registration-bot/tasks/setup_install.yml 
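Review bot: `register: matrix_bot_go_neb_systemd_service_result` on the template task is kept as context although its only reader — the `when:` of the removed reload task — is gone, so it is now dead state that a later maintainer will hunt a consumer for. The buscarron hunk in this same commit deletes the `register:` together with the reload task; apply the same cleanup here (and in the honoroit, mjolnir and appservice hunks that keep it) so the roles stay uniform. Drop the line `register: matrix_bot_go_neb_systemd_service_result`.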
@@ -61,14 +61,3 @@ src: "{{ role_path }}/templates/systemd/matrix-bot-matrix-registration-bot.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-matrix-registration-bot.service" mode: 0644 - register: matrix_bot_matrix_registration_bot_systemd_service_result - -- name: Ensure systemd reloaded after matrix-bot-matrix-registration-bot.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_matrix_registration_bot_systemd_service_result.changed | bool" - -- name: Ensure matrix-bot-matrix-registration-bot.service restarted, if necessary - ansible.builtin.service: - name: "matrix-bot-matrix-registration-bot.service" - state: restarted diff --git a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml index d9ff942ec..89cff9171 100644 --- a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml @@ -92,13 +92,9 @@ mode: 0644 register: matrix_bot_matrix_reminder_bot_systemd_service_result -- name: Ensure systemd reloaded after matrix-bot-matrix-reminder-bot.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_matrix_reminder_bot_systemd_service_result.changed | bool" - - name: Ensure matrix-bot-matrix-reminder-bot.service restarted, if necessary ansible.builtin.service: name: "matrix-bot-matrix-reminder-bot.service" state: restarted + daemon_reload: true when: "matrix_bot_matrix_reminder_bot_requires_restart | bool" diff --git a/roles/custom/matrix-bot-maubot/tasks/setup_install.yml b/roles/custom/matrix-bot-maubot/tasks/setup_install.yml index 22f53b6fe..97f189c45 100644 --- a/roles/custom/matrix-bot-maubot/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-maubot/tasks/setup_install.yml 
@@ -65,9 +65,3 @@ src: "{{ role_path }}/templates/systemd/matrix-bot-maubot.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-maubot.service" mode: 0644 - register: matrix_bot_maubot_systemd_service_result - -- name: Ensure systemd reloaded after matrix-bot-maubot.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_maubot_systemd_service_result.changed|bool" diff --git a/roles/custom/matrix-bot-mjolnir/tasks/setup_install.yml b/roles/custom/matrix-bot-mjolnir/tasks/setup_install.yml index 995e3b2be..3088fe8bd 100644 --- a/roles/custom/matrix-bot-mjolnir/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-mjolnir/tasks/setup_install.yml @@ -66,13 +66,9 @@ mode: 0644 register: matrix_bot_mjolnir_systemd_service_result -- name: Ensure systemd reloaded after matrix-bot-mjolnir.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_mjolnir_systemd_service_result.changed | bool" - - name: Ensure matrix-bot-mjolnir.service restarted, if necessary ansible.builtin.service: name: "matrix-bot-mjolnir.service" state: restarted + daemon_reload: true when: "matrix_bot_mjolnir_requires_restart | bool" diff --git a/roles/custom/matrix-bot-postmoogle/tasks/setup_install.yml b/roles/custom/matrix-bot-postmoogle/tasks/setup_install.yml index 403814d64..f0c09166b 100644 --- a/roles/custom/matrix-bot-postmoogle/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-postmoogle/tasks/setup_install.yml @@ -86,8 +86,3 @@ dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-postmoogle.service" mode: 0644 register: matrix_bot_postmoogle_systemd_service_result - -- name: Ensure systemd reloaded after matrix-bot-postmoogle.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_bot_postmoogle_systemd_service_result.changed | bool" 
diff --git a/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml b/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml index bb6c85511..1a222e198 100644 --- a/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml @@ -109,13 +109,9 @@ mode: 0644 register: matrix_appservice_discord_systemd_service_result -- name: Ensure systemd reloaded after matrix-appservice-discord.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_appservice_discord_systemd_service_result.changed" - - name: Ensure matrix-appservice-discord.service restarted, if necessary ansible.builtin.service: name: "matrix-appservice-discord.service" state: restarted + daemon_reload: true when: "matrix_appservice_discord_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml index 7b58f81ec..43dce01ab 100644 --- a/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml @@ -199,13 +199,9 @@ mode: 0644 register: matrix_appservice_irc_systemd_service_result -- name: Ensure systemd reloaded after matrix-appservice-irc.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_appservice_irc_systemd_service_result.changed" - - name: Ensure matrix-appservice-irc.service restarted, if necessary ansible.builtin.service: name: "matrix-appservice-irc.service" state: restarted + daemon_reload: true when: "matrix_appservice_irc_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/setup_install.yml b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/setup_install.yml index 89a0de0b7..bcf213cde 100644 --- a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/setup_install.yml 
+++ b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/setup_install.yml @@ -109,9 +109,3 @@ src: "{{ role_path }}/templates/systemd/matrix-appservice-kakaotalk.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-kakaotalk.service" mode: 0644 - register: matrix_appservice_kakaotalk_systemd_service_result - -- name: Ensure systemd reloaded after matrix-appservice-kakaotalk.service or matrix-appservice-kakaotalk-node.service installation - ansible.builtin.service: - daemon_reload: true - when: matrix_appservice_kakaotalk_node_systemd_service_result.changed or matrix_appservice_kakaotalk_systemd_service_result.changed diff --git a/roles/custom/matrix-bridge-appservice-slack/tasks/setup_install.yml b/roles/custom/matrix-bridge-appservice-slack/tasks/setup_install.yml index f1751012c..9a72f69d0 100644 --- a/roles/custom/matrix-bridge-appservice-slack/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-appservice-slack/tasks/setup_install.yml @@ -87,15 +87,10 @@ src: "{{ role_path }}/templates/systemd/matrix-appservice-slack.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-slack.service" mode: 0644 - register: matrix_appservice_slack_systemd_service_result - -- name: Ensure systemd reloaded after matrix-appservice-slack.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_appservice_slack_systemd_service_result.changed" - name: Ensure matrix-appservice-slack.service restarted, if necessary ansible.builtin.service: name: "matrix-appservice-slack.service" state: restarted + daemon_reload: true when: "matrix_appservice_slack_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-appservice-webhooks/tasks/setup_install.yml b/roles/custom/matrix-bridge-appservice-webhooks/tasks/setup_install.yml index 734b6e60c..194ef0176 100644 --- a/roles/custom/matrix-bridge-appservice-webhooks/tasks/setup_install.yml 
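Review bot: The removed reload condition also read `matrix_appservice_kakaotalk_node_systemd_service_result`, which is registered by the `matrix-appservice-kakaotalk-node.service` template task above this hunk (not shown); after this change that `register:` presumably has no consumer either and should go in the same commit rather than linger as dead state. The signal bridge hunk has the same leftover with `matrix_mautrix_signal_daemon_systemd_service_result`. A grep for `_systemd_service_result` across the roles will show whether any other reader remains before removing them.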
+++ b/roles/custom/matrix-bridge-appservice-webhooks/tasks/setup_install.yml @@ -86,9 +86,3 @@ src: "{{ role_path }}/templates/systemd/matrix-appservice-webhooks.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-webhooks.service" mode: 0644 - register: matrix_appservice_webhooks_systemd_service_result - -- name: Ensure systemd reloaded after matrix-appservice-webhooks.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_appservice_webhooks_systemd_service_result.changed" diff --git a/roles/custom/matrix-bridge-beeper-linkedin/tasks/setup_install.yml b/roles/custom/matrix-bridge-beeper-linkedin/tasks/setup_install.yml index 1dff0912b..e553b9122 100644 --- a/roles/custom/matrix-bridge-beeper-linkedin/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-beeper-linkedin/tasks/setup_install.yml @@ -88,9 +88,3 @@ src: "{{ role_path }}/templates/systemd/matrix-beeper-linkedin.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-beeper-linkedin.service" mode: 0644 - register: matrix_beeper_linkedin_systemd_service_result - -- name: Ensure systemd reloaded after matrix-beeper-linkedin.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_beeper_linkedin_systemd_service_result.changed" diff --git a/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml b/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml index 1a89d648c..874b3dffd 100644 --- a/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml 
@@ -128,13 +128,9 @@ mode: 0644 register: matrix_go_skype_bridge_systemd_service_result -- name: Ensure systemd reloaded after matrix-go-skype-bridge.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_go_skype_bridge_systemd_service_result.changed" - - name: Ensure matrix-go-skype-bridge.service restarted, if necessary ansible.builtin.service: name: "matrix-go-skype-bridge.service" state: restarted + daemon_reload: true when: "matrix_go_skype_bridge_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-heisenbridge/tasks/setup_install.yml b/roles/custom/matrix-bridge-heisenbridge/tasks/setup_install.yml index 9a0cac354..23b7de5d9 100644 --- a/roles/custom/matrix-bridge-heisenbridge/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-heisenbridge/tasks/setup_install.yml @@ -34,9 +34,3 @@ src: "{{ role_path }}/templates/systemd/matrix-heisenbridge.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-heisenbridge.service" mode: 0644 - register: matrix_heisenbridge_systemd_service_result - -- name: Ensure systemd reloaded after matrix-heisenbridge.service installation - ansible.builtin.service: - daemon_reload: true - when: matrix_heisenbridge_systemd_service_result.changed diff --git a/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml b/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml index e13af1986..2afed50b8 100644 --- a/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml @@ -110,9 +110,3 @@ src: "{{ role_path }}/templates/systemd/matrix-hookshot.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-hookshot.service" mode: 0644 - register: matrix_hookshot_systemd_service_result - -- name: Ensure systemd reloaded after matrix-hookshot.service installation - ansible.builtin.service: - daemon_reload: true - when: matrix_hookshot_systemd_service_result.changed 
diff --git a/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_install.yml index b6d388ca2..1d613fb60 100644 --- a/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_install.yml @@ -101,13 +101,9 @@ mode: 0644 register: matrix_mautrix_discord_systemd_service_result -- name: Ensure systemd reloaded after matrix-mautrix-discord.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_discord_systemd_service_result.changed" - - name: Ensure matrix-mautrix-discord.service restarted, if necessary ansible.builtin.service: name: "matrix-mautrix-discord.service" state: restarted + daemon_reload: true when: "matrix_mautrix_discord_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index b2801de87..676ee0fa7 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml @@ -116,15 +116,10 @@ src: "{{ role_path }}/templates/systemd/matrix-mautrix-facebook.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-facebook.service" mode: 0644 - register: matrix_mautrix_facebook_systemd_service_result - -- name: Ensure systemd reloaded after matrix-mautrix-facebook.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_facebook_systemd_service_result.changed" - name: Ensure matrix-mautrix-facebook.service restarted, if necessary ansible.builtin.service: name: "matrix-mautrix-facebook.service" state: restarted + daemon_reload: true when: "matrix_mautrix_facebook_requires_restart | bool" 
diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml index 87e379ea0..eeeea1c54 100644 --- a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml @@ -116,15 +116,10 @@ src: "{{ role_path }}/templates/systemd/matrix-mautrix-googlechat.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-googlechat.service" mode: 0644 - register: matrix_mautrix_googlechat_systemd_service_result - -- name: Ensure systemd reloaded after matrix-mautrix-googlechat.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_googlechat_systemd_service_result.changed" - name: Ensure matrix-mautrix-googlechat.service restarted, if necessary ansible.builtin.service: name: "matrix-mautrix-googlechat.service" state: restarted + daemon_reload: true when: "matrix_mautrix_googlechat_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml index 23cf24c6a..990443061 100644 --- a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml 
@@ -116,15 +116,10 @@ src: "{{ role_path }}/templates/systemd/matrix-mautrix-hangouts.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-hangouts.service" mode: 0644 - register: matrix_mautrix_hangouts_systemd_service_result - -- name: Ensure systemd reloaded after matrix-mautrix-hangouts.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_hangouts_systemd_service_result.changed" - name: Ensure matrix-mautrix-hangouts.service restarted, if necessary ansible.builtin.service: name: "matrix-mautrix-hangouts.service" state: restarted + daemon_reload: true when: "matrix_mautrix_hangouts_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_install.yml index 878bdceb5..68891c9eb 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_install.yml @@ -70,9 +70,3 @@ src: "{{ role_path }}/templates/systemd/matrix-mautrix-instagram.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-instagram.service" mode: 0644 - register: matrix_mautrix_instagram_systemd_service_result - -- name: Ensure systemd reloaded after matrix-mautrix-instagram.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_instagram_systemd_service_result.changed" diff --git a/roles/custom/matrix-bridge-mautrix-signal/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-signal/tasks/setup_install.yml index c2f518f37..41e6394f1 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/tasks/setup_install.yml 
@@ -121,9 +121,3 @@ src: "{{ role_path }}/templates/systemd/matrix-mautrix-signal.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-signal.service" mode: 0644 - register: matrix_mautrix_signal_systemd_service_result - -- name: Ensure systemd reloaded after matrix-mautrix-signal.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_signal_systemd_service_result.changed or matrix_mautrix_signal_daemon_systemd_service_result.changed" diff --git a/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index 76ccf6bbc..0fdd064ea 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -141,15 +141,10 @@ src: "{{ role_path }}/templates/systemd/matrix-mautrix-telegram.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-telegram.service" mode: 0644 - register: matrix_mautrix_telegram_systemd_service_result - -- name: Ensure systemd reloaded after matrix-mautrix-telegram.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_telegram_systemd_service_result.changed" - name: Ensure matrix-mautrix-telegram.service restarted, if necessary ansible.builtin.service: name: "matrix-mautrix-telegram.service" state: restarted + daemon_reload: true when: "matrix_mautrix_telegram_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-mautrix-twitter/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-twitter/tasks/setup_install.yml index f68360beb..d5c26c2b5 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-twitter/tasks/setup_install.yml 
@@ -72,15 +72,10 @@ src: "{{ role_path }}/templates/systemd/matrix-mautrix-twitter.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-twitter.service" mode: 0644 - register: matrix_mautrix_twitter_systemd_service_result - -- name: Ensure systemd reloaded after matrix-mautrix-twitter.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_twitter_systemd_service_result.changed" - name: Ensure matrix-mautrix-twitter.service restarted, if necessary ansible.builtin.service: name: "matrix-mautrix-twitter.service" state: restarted + daemon_reload: true when: "matrix_mautrix_twitter_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml index 37915f077..4d33e5ce0 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml @@ -126,15 +126,10 @@ src: "{{ role_path }}/templates/systemd/matrix-mautrix-whatsapp.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-whatsapp.service" mode: 0644 - register: matrix_mautrix_whatsapp_systemd_service_result - -- name: Ensure systemd reloaded after matrix-mautrix-whatsapp.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_whatsapp_systemd_service_result.changed" - name: Ensure matrix-mautrix-whatsapp.service restarted, if necessary ansible.builtin.service: name: "matrix-mautrix-whatsapp.service" state: restarted + daemon_reload: true when: "matrix_mautrix_whatsapp_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml index d7cac52c3..b038b6913 100644 --- a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml 
+++ b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml @@ -118,15 +118,10 @@ src: "{{ role_path }}/templates/systemd/matrix-mx-puppet-discord.service.j2" dest: "/etc/systemd/system/matrix-mx-puppet-discord.service" mode: 0644 - register: matrix_mx_puppet_discord_systemd_service_result - -- name: Ensure systemd reloaded after matrix-mx-puppet-discord.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mx_puppet_discord_systemd_service_result.changed" - name: Ensure matrix-mx-puppet-discord.service restarted, if necessary ansible.builtin.service: name: "matrix-mx-puppet-discord.service" state: restarted + daemon_reload: true when: "matrix_mx_puppet_discord_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml index 1f3dd3d3f..fa7025aab 100644 --- a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml @@ -116,15 +116,10 @@ src: "{{ role_path }}/templates/systemd/matrix-mx-puppet-groupme.service.j2" dest: "/etc/systemd/system/matrix-mx-puppet-groupme.service" mode: 0644 - register: matrix_mx_puppet_groupme_systemd_service_result - -- name: Ensure systemd reloaded after matrix-mx-puppet-groupme.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mx_puppet_groupme_systemd_service_result.changed" - name: Ensure matrix-mx-puppet-groupme.service restarted, if necessary ansible.builtin.service: name: "matrix-mx-puppet-groupme.service" state: restarted + daemon_reload: true when: "matrix_mx_puppet_groupme_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml index 730c34e60..8aca95624 100644 
--- a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml @@ -98,15 +98,10 @@ src: "{{ role_path }}/templates/systemd/matrix-mx-puppet-instagram.service.j2" dest: "/etc/systemd/system/matrix-mx-puppet-instagram.service" mode: 0644 - register: matrix_mx_puppet_instagram_systemd_service_result - -- name: Ensure systemd reloaded after matrix-mx-puppet-instagram.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mx_puppet_instagram_systemd_service_result.changed" - name: Ensure matrix-mx-puppet-instagram.service restarted, if necessary ansible.builtin.service: name: "matrix-mx-puppet-instagram.service" state: restarted + daemon_reload: true when: "matrix_mx_puppet_instagram_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml index 9d2bcc618..3768a46e4 100644 --- a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml @@ -116,15 +116,10 @@ src: "{{ role_path }}/templates/systemd/matrix-mx-puppet-slack.service.j2" dest: "/etc/systemd/system/matrix-mx-puppet-slack.service" mode: 0644 - register: matrix_mx_puppet_slack_systemd_service_result - -- name: Ensure systemd reloaded after matrix-mx-puppet-slack.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mx_puppet_slack_systemd_service_result.changed" - name: Ensure matrix-mx-puppet-slack.service restarted, if necessary ansible.builtin.service: name: "matrix-mx-puppet-slack.service" state: restarted + daemon_reload: true when: "matrix_mx_puppet_slack_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml index aff6dd952..40503c39d 100644 
--- a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml @@ -116,15 +116,10 @@ src: "{{ role_path }}/templates/systemd/matrix-mx-puppet-steam.service.j2" dest: "/etc/systemd/system/matrix-mx-puppet-steam.service" mode: 0644 - register: matrix_mx_puppet_steam_systemd_service_result - -- name: Ensure systemd reloaded after matrix-mx-puppet-steam.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mx_puppet_steam_systemd_service_result.changed" - name: Ensure matrix-mx-puppet-steam.service restarted, if necessary ansible.builtin.service: name: "matrix-mx-puppet-steam.service" state: restarted + daemon_reload: true when: "matrix_mx_puppet_steam_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml index c948c48dc..dddcd87e8 100644 --- a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml @@ -116,15 +116,10 @@ src: "{{ role_path }}/templates/systemd/matrix-mx-puppet-twitter.service.j2" dest: "/etc/systemd/system/matrix-mx-puppet-twitter.service" mode: 0644 - register: matrix_mx_puppet_twitter_systemd_service_result - -- name: Ensure systemd reloaded after matrix-mx-puppet-twitter.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mx_puppet_twitter_systemd_service_result.changed" - name: Ensure matrix-mx-puppet-twitter.service restarted, if necessary ansible.builtin.service: name: "matrix-mx-puppet-twitter.service" state: restarted + daemon_reload: true when: "matrix_mx_puppet_twitter_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-sms/tasks/setup_install.yml b/roles/custom/matrix-bridge-sms/tasks/setup_install.yml index 2050797af..b3d78a342 100644 
--- a/roles/custom/matrix-bridge-sms/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-sms/tasks/setup_install.yml @@ -51,9 +51,3 @@ src: "{{ role_path }}/templates/systemd/matrix-sms-bridge.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-sms-bridge.service" mode: 0644 - register: matrix_sms_bridge_systemd_service_result - -- name: Ensure systemd reloaded after matrix-sms-bridge.service installation - ansible.builtin.service: - daemon_reload: true - when: matrix_sms_bridge_systemd_service_result.changed diff --git a/roles/custom/matrix-cactus-comments/tasks/setup_install.yml b/roles/custom/matrix-cactus-comments/tasks/setup_install.yml index 8de14d19b..8a8bf3261 100644 --- a/roles/custom/matrix-cactus-comments/tasks/setup_install.yml +++ b/roles/custom/matrix-cactus-comments/tasks/setup_install.yml @@ -125,14 +125,3 @@ src: "{{ role_path }}/templates/systemd/matrix-cactus-comments.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-cactus-comments.service" mode: 0644 - register: matrix_cactus_comments_systemd_service_result - -- name: Ensure systemd reloaded after matrix-cactus-comments.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_cactus_comments_systemd_service_result.changed | bool" - -- name: Ensure matrix-cactus-comments.service restarted, if necessary - ansible.builtin.service: - name: "matrix-cactus-comments.service" - state: restarted diff --git a/roles/custom/matrix-client-cinny/tasks/setup_install.yml b/roles/custom/matrix-client-cinny/tasks/setup_install.yml index 09b117be8..46458f0b0 100644 --- a/roles/custom/matrix-client-cinny/tasks/setup_install.yml +++ b/roles/custom/matrix-client-cinny/tasks/setup_install.yml 
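Review bot: In the cactus-comments hunk the `Ensure matrix-cactus-comments.service restarted, if necessary` task is deleted outright rather than gaining `daemon_reload: true` like the restart tasks in the other roles, and since it carried no `when:` the service was previously restarted on every run. After this change the role never restarts the service itself, so a changed config file only produces a restart if the service-manager role does it; if that role acts only on unit-file changes, the container keeps running on a stale config until the next unit change. If config-driven restarts are still expected, a guarded task in the same shape as the other roles, `when: "matrix_cactus_comments_requires_restart | bool"`, would preserve them, provided that variable exists in the role.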
@@ -69,9 +69,3 @@ src: "{{ role_path }}/templates/systemd/matrix-client-cinny.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-cinny.service" mode: 0644 - register: matrix_client_cinny_systemd_service_result - -- name: Ensure systemd reloaded after matrix-client-cinny.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_client_cinny_systemd_service_result.changed | bool" diff --git a/roles/custom/matrix-client-element/tasks/setup_install.yml b/roles/custom/matrix-client-element/tasks/setup_install.yml index cff30f4c0..16f75ab47 100644 --- a/roles/custom/matrix-client-element/tasks/setup_install.yml +++ b/roles/custom/matrix-client-element/tasks/setup_install.yml @@ -104,9 +104,3 @@ src: "{{ role_path }}/templates/systemd/matrix-client-element.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-element.service" mode: 0644 - register: matrix_client_element_systemd_service_result - -- name: Ensure systemd reloaded after matrix-client-element.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_client_element_systemd_service_result.changed | bool" diff --git a/roles/custom/matrix-client-hydrogen/tasks/setup_install.yml b/roles/custom/matrix-client-hydrogen/tasks/setup_install.yml index 6905081ad..7a886a88f 100644 --- a/roles/custom/matrix-client-hydrogen/tasks/setup_install.yml +++ b/roles/custom/matrix-client-hydrogen/tasks/setup_install.yml @@ -73,9 +73,3 @@ src: "{{ role_path }}/templates/systemd/matrix-client-hydrogen.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-hydrogen.service" mode: 0644 - register: matrix_client_hydrogen_systemd_service_result - -- name: Ensure systemd reloaded after matrix-client-hydrogen.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_client_hydrogen_systemd_service_result.changed | bool" 
diff --git a/roles/custom/matrix-conduit/tasks/setup_install.yml b/roles/custom/matrix-conduit/tasks/setup_install.yml index ebc5447b2..ef47c620c 100644 --- a/roles/custom/matrix-conduit/tasks/setup_install.yml +++ b/roles/custom/matrix-conduit/tasks/setup_install.yml @@ -39,9 +39,3 @@ src: "{{ role_path }}/templates/conduit/systemd/matrix-conduit.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduit.service" mode: 0644 - register: matrix_conduit_systemd_service_result - -- name: Ensure systemd reloaded after matrix-conduit.service installation - ansible.builtin.systemd: - daemon_reload: true - when: "matrix_conduit_systemd_service_result.changed | bool" diff --git a/roles/custom/matrix-dimension/tasks/setup_install.yml b/roles/custom/matrix-dimension/tasks/setup_install.yml index e1340d250..f22561911 100644 --- a/roles/custom/matrix-dimension/tasks/setup_install.yml +++ b/roles/custom/matrix-dimension/tasks/setup_install.yml @@ -126,15 +126,10 @@ src: "{{ role_path }}/templates/systemd/matrix-dimension.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dimension.service" mode: 0644 - register: matrix_dimension_systemd_service_result - -- name: Ensure systemd reloaded after matrix-dimension.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_dimension_systemd_service_result.changed | bool" - name: Ensure matrix-dimension.service restarted, if necessary ansible.builtin.service: name: "matrix-dimension.service" state: restarted + daemon_reload: true when: "matrix_dimension_requires_restart | bool" diff --git a/roles/custom/matrix-dynamic-dns/tasks/setup_install.yml b/roles/custom/matrix-dynamic-dns/tasks/setup_install.yml index 2367e9cb1..e64cc0a7d 100644 --- a/roles/custom/matrix-dynamic-dns/tasks/setup_install.yml +++ b/roles/custom/matrix-dynamic-dns/tasks/setup_install.yml 
@@ -61,9 +61,3 @@ src: "{{ role_path }}/templates/systemd/matrix-dynamic-dns.service.j2" dest: "/etc/systemd/system/matrix-dynamic-dns.service" mode: 0644 - register: matrix_dynamic_dns_systemd_service_result - -- name: Ensure systemd reloaded after matrix-dynamic-dns.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_dynamic_dns_systemd_service_result.changed" diff --git a/roles/custom/matrix-email2matrix/tasks/setup_install.yml b/roles/custom/matrix-email2matrix/tasks/setup_install.yml index 740506338..8cfbc5ea3 100644 --- a/roles/custom/matrix-email2matrix/tasks/setup_install.yml +++ b/roles/custom/matrix-email2matrix/tasks/setup_install.yml @@ -61,9 +61,3 @@ src: "{{ role_path }}/templates/systemd/matrix-email2matrix.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-email2matrix.service" mode: 0644 - register: matrix_email2matrix_systemd_service_result - -- name: Ensure systemd reloaded after matrix-email2matrix.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_email2matrix_systemd_service_result.changed | bool" diff --git a/roles/custom/matrix-etherpad/tasks/setup_install.yml b/roles/custom/matrix-etherpad/tasks/setup_install.yml index bb5e0e53e..d4e2952e9 100644 --- a/roles/custom/matrix-etherpad/tasks/setup_install.yml +++ b/roles/custom/matrix-etherpad/tasks/setup_install.yml @@ -32,9 +32,3 @@ src: "{{ role_path }}/templates/systemd/matrix-etherpad.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-etherpad.service" mode: 0644 - register: matrix_etherpad_systemd_service_result - -- name: Ensure systemd reloaded after matrix-etherpad.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_etherpad_systemd_service_result.changed | bool" 
diff --git a/roles/custom/matrix-ldap-registration-proxy/tasks/setup_install.yml b/roles/custom/matrix-ldap-registration-proxy/tasks/setup_install.yml index 3ac8f9b8d..3814b1391 100644 --- a/roles/custom/matrix-ldap-registration-proxy/tasks/setup_install.yml +++ b/roles/custom/matrix-ldap-registration-proxy/tasks/setup_install.yml @@ -12,9 +12,6 @@ - {path: "{{ matrix_ldap_registration_proxy_docker_src_files_path }}", when: true} when: "item.when | bool" -- ansible.builtin.set_fact: - matrix_ldap_registration_proxy_requires_restart: false - - name: Ensure matrix_ldap_registration_proxy repository is present on self-build ansible.builtin.git: repo: "{{ matrix_ldap_registration_proxy_container_image_self_build_repo }}" @@ -49,15 +46,3 @@ src: "{{ role_path }}/templates/systemd/matrix-ldap-registration-proxy.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ldap-registration-proxy.service" mode: 0644 - register: matrix_ldap_registration_proxy_systemd_service_result - -- name: Ensure systemd reloaded after matrix-ldap-registration-proxy.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_ldap_registration_proxy_systemd_service_result.changed | bool" - -- name: Ensure matrix-ldap-registration-proxy.service restarted, if necessary - ansible.builtin.service: - name: "matrix-ldap-registration-proxy.service" - state: restarted - when: "matrix_ldap_registration_proxy_requires_restart | bool" diff --git a/roles/custom/matrix-ma1sd/tasks/setup_install.yml b/roles/custom/matrix-ma1sd/tasks/setup_install.yml index e60b664e8..d0385a7fd 100644 --- a/roles/custom/matrix-ma1sd/tasks/setup_install.yml +++ b/roles/custom/matrix-ma1sd/tasks/setup_install.yml 
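Review bot: The `set_fact` that defaulted `matrix_ldap_registration_proxy_requires_restart` to `false` is removed together with the only task in this file that read it, which is consistent, but any other reference in the role — a `set_fact: ... true` in a migration task, or a `when:` elsewhere — is now either dead or an undefined-variable failure, because the default no longer exists. Worth a grep across the role before merging; if a reference remains, `matrix_ldap_registration_proxy_requires_restart: false` in `defaults/main.yml` is the safer home than a task-level `set_fact`. The tasks file continues outside this hunk.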
@@ -156,15 +156,10 @@ src: "{{ role_path }}/templates/systemd/matrix-ma1sd.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ma1sd.service" mode: 0644 - register: matrix_ma1sd_systemd_service_result - -- name: Ensure systemd reloaded after matrix-ma1sd.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_ma1sd_systemd_service_result.changed | bool" - name: Ensure matrix-ma1sd.service restarted, if necessary ansible.builtin.service: name: "matrix-ma1sd.service" state: restarted + daemon_reload: true when: "matrix_ma1sd_requires_restart | bool" diff --git a/roles/custom/matrix-mailer/tasks/setup_install.yml b/roles/custom/matrix-mailer/tasks/setup_install.yml index 113551657..c03d0af64 100644 --- a/roles/custom/matrix-mailer/tasks/setup_install.yml +++ b/roles/custom/matrix-mailer/tasks/setup_install.yml @@ -58,9 +58,3 @@ src: "{{ role_path }}/templates/systemd/matrix-mailer.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mailer.service" mode: 0644 - register: matrix_mailer_systemd_service_result - -- name: Ensure systemd reloaded after matrix-mailer.service installation - ansible.builtin.service: - daemon_reload: true - when: matrix_mailer_systemd_service_result.changed | bool diff --git a/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index af086298e..dd11721a0 100644 --- a/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml 
@@ -214,14 +214,8 @@ src: "{{ role_path }}/templates/systemd/matrix-nginx-proxy.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-nginx-proxy.service" mode: 0644 - register: matrix_nginx_proxy_systemd_service_result when: matrix_nginx_proxy_enabled | bool -- name: Ensure systemd reloaded after matrix-nginx-proxy.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_nginx_proxy_enabled and matrix_nginx_proxy_systemd_service_result.changed" - # # Tasks related to getting rid of matrix-nginx-proxy (if it was previously enabled) @@ -247,11 +241,6 @@ state: absent when: "not matrix_nginx_proxy_enabled | bool and matrix_nginx_proxy_service_stat.stat.exists" -- name: Ensure systemd reloaded after matrix-nginx-proxy.service removal - ansible.builtin.service: - daemon_reload: true - when: "not matrix_nginx_proxy_enabled | bool and matrix_nginx_proxy_service_stat.stat.exists" - - name: Ensure Matrix nginx-proxy configuration for matrix domain deleted ansible.builtin.file: path: "{{ matrix_nginx_proxy_confd_path }}/matrix-domain.conf" diff --git a/roles/custom/matrix-ntfy/tasks/setup_install.yml b/roles/custom/matrix-ntfy/tasks/setup_install.yml index 5ad8e507d..38adb122e 100644 --- a/roles/custom/matrix-ntfy/tasks/setup_install.yml +++ b/roles/custom/matrix-ntfy/tasks/setup_install.yml @@ -36,9 +36,3 @@ src: "{{ role_path }}/templates/systemd/matrix-ntfy.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ntfy.service" mode: 0644 - register: matrix_ntfy_systemd_service_result - -- name: Ensure systemd reloaded after matrix-ntfy.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_ntfy_systemd_service_result.changed" diff --git a/roles/custom/matrix-postgres-backup/tasks/setup_install.yml b/roles/custom/matrix-postgres-backup/tasks/setup_install.yml index ba374affd..1057e3851 100644 --- a/roles/custom/matrix-postgres-backup/tasks/setup_install.yml 
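Review bot: Dropping `Ensure systemd reloaded after matrix-nginx-proxy.service removal` means that on the disable path the unit file is deleted (`state: absent` just above) but systemd keeps the old unit loaded in memory until something runs `daemon-reload`, so `systemctl` still lists, and can still start, the stale `matrix-nginx-proxy.service`. The install-path reload removed in the same file can plausibly be covered by the shared service-manager role, but that role has no reason to know about a unit that is no longer in its service list, so the removal path may genuinely need its own reload. Unless the service-manager role performs an unconditional `daemon_reload` on every run, keep a `daemon_reload: true` task under the existing `not matrix_nginx_proxy_enabled | bool and matrix_nginx_proxy_service_stat.stat.exists` condition.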
+++ b/roles/custom/matrix-postgres-backup/tasks/setup_install.yml @@ -49,9 +49,3 @@ src: "{{ role_path }}/templates/systemd/matrix-postgres-backup.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-postgres-backup.service" mode: 0644 - register: matrix_postgres_backup_systemd_service_result - -- name: Ensure systemd reloaded after matrix-postgres-backup.service installation - ansible.builtin.service: - daemon_reload: true - when: matrix_postgres_backup_systemd_service_result.changed | bool diff --git a/roles/custom/matrix-prometheus/tasks/setup_install.yml b/roles/custom/matrix-prometheus/tasks/setup_install.yml index 8c18ce664..1d3d66694 100644 --- a/roles/custom/matrix-prometheus/tasks/setup_install.yml +++ b/roles/custom/matrix-prometheus/tasks/setup_install.yml @@ -50,9 +50,3 @@ src: "{{ role_path }}/templates/systemd/matrix-prometheus.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus.service" mode: 0644 - register: matrix_prometheus_systemd_service_result - -- name: Ensure systemd reloaded after matrix-prometheus.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_prometheus_systemd_service_result.changed | bool" diff --git a/roles/custom/matrix-registration/tasks/setup_install.yml b/roles/custom/matrix-registration/tasks/setup_install.yml index a2f5c2838..21b678e88 100644 --- a/roles/custom/matrix-registration/tasks/setup_install.yml +++ b/roles/custom/matrix-registration/tasks/setup_install.yml 
@@ -103,15 +103,10 @@ src: "{{ role_path }}/templates/systemd/matrix-registration.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-registration.service" mode: 0644 - register: matrix_registration_systemd_service_result - -- name: Ensure systemd reloaded after matrix-registration.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_registration_systemd_service_result.changed | bool" - name: Ensure matrix-registration.service restarted, if necessary ansible.builtin.service: name: "matrix-registration.service" state: restarted + daemon_reload: true when: "matrix_registration_requires_restart | bool" diff --git a/roles/custom/matrix-sygnal/tasks/setup_install.yml b/roles/custom/matrix-sygnal/tasks/setup_install.yml index 27424314f..7c9caf38e 100644 --- a/roles/custom/matrix-sygnal/tasks/setup_install.yml +++ b/roles/custom/matrix-sygnal/tasks/setup_install.yml @@ -36,9 +36,3 @@ src: "{{ role_path }}/templates/systemd/matrix-sygnal.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-sygnal.service" mode: 0644 - register: matrix_sygnal_systemd_service_result - -- name: Ensure systemd reloaded after matrix-sygnal.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_sygnal_systemd_service_result.changed | bool" diff --git a/roles/custom/matrix-synapse/tasks/goofys/setup_install.yml b/roles/custom/matrix-synapse/tasks/goofys/setup_install.yml index 7649beb4c..e758d0dd8 100644 --- a/roles/custom/matrix-synapse/tasks/goofys/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/goofys/setup_install.yml 
@@ -43,9 +43,3 @@ src: "{{ role_path }}/templates/goofys/systemd/matrix-goofys.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-goofys.service" mode: 0644 - register: matrix_goofys_systemd_service_result - -- name: Ensure systemd reloaded after matrix-goofys.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_goofys_systemd_service_result.changed" From d1b2fd50bef5c71a0b8c8042d8f7ff811111adda Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 27 Nov 2022 10:04:03 +0200 Subject: [PATCH 099/915] Remove manual service enablement/start for backup-borg This is done via devture_systemd_service_manager_services_list_auto already. --- .../matrix-backup-borg/tasks/setup_install.yml | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/roles/custom/matrix-backup-borg/tasks/setup_install.yml b/roles/custom/matrix-backup-borg/tasks/setup_install.yml index 142bf38c9..56a4f3c90 100644 --- a/roles/custom/matrix-backup-borg/tasks/setup_install.yml +++ b/roles/custom/matrix-backup-borg/tasks/setup_install.yml @@ -105,19 +105,3 @@ src: "{{ role_path }}/templates/systemd/matrix-backup-borg.timer.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-backup-borg.timer" mode: 0644 - register: matrix_backup_borg_systemd_timer_result - -- name: Ensure systemd reloaded after matrix-backup-borg.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_backup_borg_systemd_service_result.changed | bool" - -- name: Ensure matrix-backup-borg.service enabled - ansible.builtin.service: - enabled: true - name: matrix-backup-borg.service - -- name: Ensure matrix-backup-borg.timer enabled - ansible.builtin.service: - enabled: true - name: matrix-backup-borg.timer From 3d1ea3e79ea9a89c05d022ef6a75f2a9dc897a9b Mon Sep 17 00:00:00 2001 
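Review bot: Removing `Ensure matrix-backup-borg.timer enabled` makes backup scheduling depend entirely on `devture_systemd_service_manager_services_list_auto` containing the `.timer` unit and not only `matrix-backup-borg.service`; for a timer-driven job it is the timer that must be enabled and started, and if only the service is listed the backups silently stop running. That list is assembled outside this hunk, so please confirm it carries both units. A short comment after the timer template task, `# enabling/starting the .service and .timer is handled by the systemd service-manager role`, would record where the responsibility moved.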
From: Slavi Pantaleev Date: Sun, 27 Nov 2022 10:10:00 +0200 Subject: [PATCH 100/915] Auto-delete old matrix scripts from /usr/local/bin --- .../tasks/cleanup_usr_local_bin.yml | 14 ++++++++++++++ .../matrix_playbook_migration/tasks/main.yml | 6 ++++++ 2 files changed, 20 insertions(+) create mode 100644 roles/custom/matrix_playbook_migration/tasks/cleanup_usr_local_bin.yml
diff --git a/roles/custom/matrix_playbook_migration/tasks/cleanup_usr_local_bin.yml b/roles/custom/matrix_playbook_migration/tasks/cleanup_usr_local_bin.yml
new file mode 100644
index 000000000..e7abd4710
--- /dev/null
+++ b/roles/custom/matrix_playbook_migration/tasks/cleanup_usr_local_bin.yml
@@ -0,0 +1,14 @@
+---
+
+- name: Find leftover matrix scripts in /usr/local/bin
+ ansible.builtin.find:
+ path: "/usr/local/bin"
+ patterns: "^matrix-.*"
+ use_regex: true
+ register: matrix_usr_local_bin_files_result
+
+- name: Ensure /usr/local/bin does not contain matrix scripts
+ ansible.builtin.file:
+ path: "{{ item.path }}"
+ state: absent
+ with_items: "{{ matrix_usr_local_bin_files_result.files }}"
diff --git a/roles/custom/matrix_playbook_migration/tasks/main.yml b/roles/custom/matrix_playbook_migration/tasks/main.yml
index 491fabcd0..96b68b60d 100644
--- a/roles/custom/matrix_playbook_migration/tasks/main.yml
+++ b/roles/custom/matrix_playbook_migration/tasks/main.yml
@@ -5,3 +5,9 @@
 tags:
 - setup-all
 - install-all
+
+- block:
+ - ansible.builtin.include_tasks: "{{ role_path }}/tasks/cleanup_usr_local_bin.yml"
+ tags:
+ - setup-all
+ - install-all
From 4bb3a38de62af5585c75ef2397807daf70d55273 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 27 Nov 2022 11:24:53 +0200 Subject: [PATCH 101/915] Upgrade com.devture.ansible.role.postgres --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 69c733f09..951bb5e1d 100644
--- a/requirements.yml
+++ b/requirements.yml
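Review bot: The `find` task in cleanup_usr_local_bin.yml matches every file (the default `file_type`) in `/usr/local/bin` whose name starts with `matrix-`, and the following task deletes all of them, so operator-written helpers that merely share the prefix are removed too, on every `setup-all`/`install-all` run, with no record of what was deleted. If the set of scripts the playbook used to install is known, listing those names in `patterns` is safer than the open-ended `^matrix-.*`; otherwise at least document the blast radius on the task, `# Destructive: removes every /usr/local/bin/matrix-* file, including operator-written helpers that share the prefix`. Minor: `use_regex: true` with `^matrix-.*` is equivalent to the default glob `matrix-*`, and `loop:` is the current idiom over `with_items:`.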
@@ -19,7 +19,7 @@ version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16 - src: git+https://github.com/devture/com.devture.ansible.role.postgres.git - version: f9f0519b2ccc6da7e0480c7cdfe8a67814728243 + version: 0985b594b17942e7aa6346d8967c02c3686cecb1 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git version: 6ccb88ac5fc27e1e70afcd48278ade4b564a9096 From 910cd9adf0db78f8b90ee1834211198ab7793a5d Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sun, 27 Nov 2022 11:27:01 +0200 Subject: [PATCH 102/915] Replace import_role calls with include_role calls --- roles/custom/matrix-backup-borg/tasks/setup_install.yml | 2 +- roles/custom/matrix-bot-buscarron/tasks/setup_install.yml | 2 +- roles/custom/matrix-bot-honoroit/tasks/setup_install.yml | 2 +- .../matrix-bot-matrix-reminder-bot/tasks/setup_install.yml | 2 +- roles/custom/matrix-bot-postmoogle/tasks/setup_install.yml | 2 +- .../matrix-bridge-appservice-discord/tasks/setup_install.yml | 2 +- .../custom/matrix-bridge-appservice-irc/tasks/setup_install.yml | 2 +- .../matrix-bridge-go-skype-bridge/tasks/setup_install.yml | 2 +- roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml | 2 +- .../matrix-bridge-mautrix-discord/tasks/setup_install.yml | 2 +- .../matrix-bridge-mautrix-facebook/tasks/setup_install.yml | 2 +- .../matrix-bridge-mautrix-googlechat/tasks/setup_install.yml | 2 +- .../matrix-bridge-mautrix-hangouts/tasks/setup_install.yml | 2 +- .../matrix-bridge-mautrix-telegram/tasks/setup_install.yml | 2 +- .../matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml | 2 +- .../matrix-bridge-mx-puppet-discord/tasks/setup_install.yml | 2 +- .../matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml | 2 +- .../matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml | 2 +- .../matrix-bridge-mx-puppet-slack/tasks/setup_install.yml | 2 +- .../matrix-bridge-mx-puppet-steam/tasks/setup_install.yml | 2 +- .../matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml | 2 +- roles/custom/matrix-dimension/tasks/setup_install.yml | 2 +- roles/custom/matrix-jitsi/tasks/setup_jitsi_base.yml | 2 +- roles/custom/matrix-ma1sd/tasks/setup_install.yml | 2 +- .../matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml | 2 +- roles/custom/matrix-postgres-backup/tasks/setup_install.yml | 2 +- roles/custom/matrix-registration/tasks/setup_install.yml | 2 +- roles/custom/matrix-synapse/tasks/goofys/setup_install.yml | 2 +- 28 files changed, 28 
insertions(+), 28 deletions(-) diff --git a/roles/custom/matrix-backup-borg/tasks/setup_install.yml b/roles/custom/matrix-backup-borg/tasks/setup_install.yml index 56a4f3c90..647aabf40 100644 --- a/roles/custom/matrix-backup-borg/tasks/setup_install.yml +++ b/roles/custom/matrix-backup-borg/tasks/setup_install.yml @@ -9,7 +9,7 @@ Consider setting `matrix_backup_borg_version` to your Postgres version manually. when: not devture_postgres_enabled - - ansible.builtin.import_role: + - ansible.builtin.include_role: name: galaxy/com.devture.ansible.role.postgres tasks_from: detect_existing_postgres_version diff --git a/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml b/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml index e8cffa93a..f255b141c 100644 --- a/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml @@ -20,7 +20,7 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-bot-buscarron.service'] - - ansible.builtin.import_role: + - ansible.builtin.include_role: name: galaxy/com.devture.ansible.role.postgres tasks_from: migrate_db_to_postgres diff --git a/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml b/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml index 85a11510f..f71f2416b 100644 --- a/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml @@ -20,7 +20,7 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-bot-honoroit.service'] - - ansible.builtin.import_role: + - ansible.builtin.include_role: name: galaxy/com.devture.ansible.role.postgres tasks_from: migrate_db_to_postgres diff --git a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml index 89cff9171..466335471 100644 --- a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml 
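Review bot: `include_role` differs from `import_role` in that the included role's `vars`/`defaults` are not exported to the calling scope unless `public: true` is set, so anything matrix-backup-borg reads after `tasks_from: detect_existing_postgres_version` must be a host fact produced by `set_fact` in that task file rather than a role variable. If the detection result is passed as a role var, add `public: true` to this task; if it is a fact, a brief comment such as `# detection result is a set_fact, so a dynamic include is sufficient` documents why the switch is safe. Worth noting too that with a dynamic include the enclosing block's `when:` is evaluated once at the include rather than on every task of the included file — presumably the motivation, but the commit message does not say, and the same applies to every `include_role` hunk in this commit.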
+++ b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml @@ -21,7 +21,7 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-bot-matrix-reminder-bot.service'] - - ansible.builtin.import_role: + - ansible.builtin.include_role: name: galaxy/com.devture.ansible.role.postgres tasks_from: migrate_db_to_postgres diff --git a/roles/custom/matrix-bot-postmoogle/tasks/setup_install.yml b/roles/custom/matrix-bot-postmoogle/tasks/setup_install.yml index f0c09166b..cede2d35d 100644 --- a/roles/custom/matrix-bot-postmoogle/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-postmoogle/tasks/setup_install.yml @@ -17,7 +17,7 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-bot-postmoogle.service'] - - ansible.builtin.import_role: + - ansible.builtin.include_role: name: galaxy/com.devture.ansible.role.postgres tasks_from: migrate_db_to_postgres diff --git a/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml b/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml index 1a222e198..bf5ecf42b 100644 --- a/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml @@ -21,7 +21,7 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-appservice-discord.service'] - - ansible.builtin.import_role: + - ansible.builtin.include_role: name: galaxy/com.devture.ansible.role.postgres tasks_from: migrate_db_to_postgres diff --git a/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml index 43dce01ab..a5fdacded 100644 --- a/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml @@ -1,6 +1,6 @@ --- -- ansible.builtin.import_role: +- ansible.builtin.include_role: name: custom/matrix-base tasks_from: ensure_openssl_installed 
diff --git a/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml b/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml index 874b3dffd..fd36600b9 100644 --- a/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml @@ -22,7 +22,7 @@ systemd_services_to_stop: ['matrix-go-skype-bridge.service'] pgloader_options: ['--with "quote identifiers"'] - - ansible.builtin.import_role: + - ansible.builtin.include_role: name: galaxy/com.devture.ansible.role.postgres tasks_from: migrate_db_to_postgres diff --git a/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml b/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml index 2afed50b8..e9b277ce4 100644 --- a/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml @@ -1,6 +1,6 @@ --- -- ansible.builtin.import_role: +- ansible.builtin.include_role: name: custom/matrix-base tasks_from: ensure_openssl_installed diff --git a/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_install.yml index 1d613fb60..d83101ebc 100644 --- a/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_install.yml @@ -22,7 +22,7 @@ systemd_services_to_stop: ['matrix-mautrix-discord.service'] pgloader_options: ['--with "quote identifiers"'] - - ansible.builtin.import_role: + - ansible.builtin.include_role: name: galaxy/com.devture.ansible.role.postgres tasks_from: migrate_db_to_postgres diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index 676ee0fa7..6e8f62cd4 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml 
@@ -21,7 +21,7 @@
 engine_old: 'sqlite'
 systemd_services_to_stop: ['matrix-mautrix-facebook.service']
- - ansible.builtin.import_role:
+ - ansible.builtin.include_role:
 name: galaxy/com.devture.ansible.role.postgres
 tasks_from: migrate_db_to_postgres
diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml
index eeeea1c54..d3eee66cb 100644
--- a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml
@@ -21,7 +21,7 @@
 engine_old: 'sqlite'
 systemd_services_to_stop: ['matrix-mautrix-googlechat.service']
- - ansible.builtin.import_role:
+ - ansible.builtin.include_role:
 name: galaxy/com.devture.ansible.role.postgres
 tasks_from: migrate_db_to_postgres
diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml
index 990443061..ee0534af8 100644
--- a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml
@@ -21,7 +21,7 @@
 engine_old: 'sqlite'
 systemd_services_to_stop: ['matrix-mautrix-hangouts.service']
- - ansible.builtin.import_role:
+ - ansible.builtin.include_role:
 name: galaxy/com.devture.ansible.role.postgres
 tasks_from: migrate_db_to_postgres
diff --git a/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml
index 0fdd064ea..23a092dcf 100644
--- a/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml
@@ -21,7 +21,7 @@
 engine_old: 'sqlite'
 systemd_services_to_stop: ['matrix-mautrix-telegram.service']
- - ansible.builtin.import_role:
+ - ansible.builtin.include_role:
 name: galaxy/com.devture.ansible.role.postgres
 tasks_from: migrate_db_to_postgres
diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml
index 4d33e5ce0..fd961ec12 100644
--- a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml
@@ -22,7 +22,7 @@
 systemd_services_to_stop: ['matrix-mautrix-whatsapp.service']
 pgloader_options: ['--with "quote identifiers"']
- - ansible.builtin.import_role:
+ - ansible.builtin.include_role:
 name: galaxy/com.devture.ansible.role.postgres
 tasks_from: migrate_db_to_postgres
diff --git a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml
index b038b6913..d2cb83c40 100644
--- a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml
@@ -55,7 +55,7 @@
 engine_old: 'sqlite'
 systemd_services_to_stop: ['matrix-mx-puppet-discord.service']
- - ansible.builtin.import_role:
+ - ansible.builtin.include_role:
 name: galaxy/com.devture.ansible.role.postgres
 tasks_from: migrate_db_to_postgres
diff --git a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml
index fa7025aab..b174f0e0b 100644
--- a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml
@@ -53,7 +53,7 @@
 engine_old: 'sqlite'
 systemd_services_to_stop: ['matrix-mx-puppet-groupme.service']
- - ansible.builtin.import_role:
+ - ansible.builtin.include_role:
 name: galaxy/com.devture.ansible.role.postgres
 tasks_from: migrate_db_to_postgres
diff --git a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml
index 8aca95624..ce3ecc6f6 100644
--- a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml
@@ -21,7 +21,7 @@
 engine_old: 'sqlite'
 systemd_services_to_stop: ['matrix-mx-puppet-instagram.service']
- - ansible.builtin.import_role:
+ - ansible.builtin.include_role:
 name: galaxy/com.devture.ansible.role.postgres
 tasks_from: migrate_db_to_postgres
diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml
index 3768a46e4..e2fb6b51b 100644
--- a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml
@@ -49,7 +49,7 @@
 engine_old: 'sqlite'
 systemd_services_to_stop: ['matrix-mx-puppet-slack.service']
- - ansible.builtin.import_role:
+ - ansible.builtin.include_role:
 name: galaxy/com.devture.ansible.role.postgres
 tasks_from: migrate_db_to_postgres
diff --git a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml
index 40503c39d..6bf2edc7b 100644
--- a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml
@@ -53,7 +53,7 @@
 engine_old: 'sqlite'
 systemd_services_to_stop: ['matrix-mx-puppet-steam.service']
- - ansible.builtin.import_role:
+ - ansible.builtin.include_role:
 name: galaxy/com.devture.ansible.role.postgres
 tasks_from: migrate_db_to_postgres
diff --git a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml
index dddcd87e8..71b1b5750 100644
--- a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml
@@ -53,7 +53,7 @@
 engine_old: 'sqlite'
 systemd_services_to_stop: ['matrix-mx-puppet-twitter.service']
- - ansible.builtin.import_role:
+ - ansible.builtin.include_role:
 name: galaxy/com.devture.ansible.role.postgres
 tasks_from: migrate_db_to_postgres
diff --git a/roles/custom/matrix-dimension/tasks/setup_install.yml b/roles/custom/matrix-dimension/tasks/setup_install.yml
index f22561911..e44cc73fb 100644
--- a/roles/custom/matrix-dimension/tasks/setup_install.yml
+++ b/roles/custom/matrix-dimension/tasks/setup_install.yml
@@ -63,7 +63,7 @@
 additional_psql_statements_list: "{{ matrix_dimension_pgloader_additional_psql_statements_list }}"
 additional_psql_statements_db_name: "{{ matrix_dimension_database_name }}"
- - ansible.builtin.import_role:
+ - ansible.builtin.include_role:
 name: galaxy/com.devture.ansible.role.postgres
 tasks_from: migrate_db_to_postgres
diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_base.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_base.yml
index d273b425a..68be1efb7 100644
--- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_base.yml
+++ b/roles/custom/matrix-jitsi/tasks/setup_jitsi_base.yml
@@ -1,6 +1,6 @@
 ---
-- ansible.builtin.import_role:
+- ansible.builtin.include_role:
 name: custom/matrix-base
 tasks_from: ensure_openssl_installed
diff --git a/roles/custom/matrix-ma1sd/tasks/setup_install.yml b/roles/custom/matrix-ma1sd/tasks/setup_install.yml
index d0385a7fd..492cbf416 100644
--- a/roles/custom/matrix-ma1sd/tasks/setup_install.yml
+++ b/roles/custom/matrix-ma1sd/tasks/setup_install.yml
@@ -37,7 +37,7 @@
 systemd_services_to_stop: ['matrix-ma1sd.service']
 pgloader_options: ['--with "quote identifiers"']
- - ansible.builtin.import_role:
+ - ansible.builtin.include_role:
 name: galaxy/com.devture.ansible.role.postgres
 tasks_from: migrate_db_to_postgres
diff --git a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml b/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml
index 7ebdec790..b17e4e565 100644
--- a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml
+++ b/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml
@@ -1,6 +1,6 @@
 ---
-- ansible.builtin.import_role:
+- ansible.builtin.include_role:
 name: custom/matrix-base
 tasks_from: ensure_openssl_installed
 when: "matrix_ssl_retrieval_method == 'self-signed'"
diff --git a/roles/custom/matrix-postgres-backup/tasks/setup_install.yml b/roles/custom/matrix-postgres-backup/tasks/setup_install.yml
index 1057e3851..fee5d3ff1 100644
--- a/roles/custom/matrix-postgres-backup/tasks/setup_install.yml
+++ b/roles/custom/matrix-postgres-backup/tasks/setup_install.yml
@@ -1,7 +1,7 @@
 ---
-- ansible.builtin.import_role:
+- ansible.builtin.include_role:
 name: galaxy/com.devture.ansible.role.postgres
 tasks_from: detect_existing_postgres_version
 when: 'matrix_postgres_backup_postgres_data_path != ""'
diff --git a/roles/custom/matrix-registration/tasks/setup_install.yml b/roles/custom/matrix-registration/tasks/setup_install.yml
index 21b678e88..a3a4bddc8 100644
--- a/roles/custom/matrix-registration/tasks/setup_install.yml
+++ b/roles/custom/matrix-registration/tasks/setup_install.yml
@@ -26,7 +26,7 @@
 - ALTER TABLE tokens ALTER COLUMN ex_date TYPE TIMESTAMP WITHOUT TIME ZONE;
 additional_psql_statements_db_name: "{{ matrix_registration_database_name }}"
- - ansible.builtin.import_role:
+ - ansible.builtin.include_role:
 name: galaxy/com.devture.ansible.role.postgres
 tasks_from: migrate_db_to_postgres
diff --git a/roles/custom/matrix-synapse/tasks/goofys/setup_install.yml b/roles/custom/matrix-synapse/tasks/goofys/setup_install.yml
index e758d0dd8..7fd4659d7 100644
--- a/roles/custom/matrix-synapse/tasks/goofys/setup_install.yml
+++ b/roles/custom/matrix-synapse/tasks/goofys/setup_install.yml
@@ -1,6 +1,6 @@
 ---
-- ansible.builtin.import_role:
+- ansible.builtin.include_role:
 name: custom/matrix-base
 tasks_from: ensure_fuse_installed
From 4b111d05d5b23b9df3c80f328b625ddd1e1c92db Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Mon, 28 Nov 2022 07:44:59 +0200
Subject: [PATCH 103/915] Pass devture_postgres_db_migration_request to com.devture.ansible.role.postgres in a cleaner way
---
 .../custom/matrix-bot-buscarron/tasks/setup_install.yml | 9 ++++-----
 roles/custom/matrix-bot-honoroit/tasks/setup_install.yml | 9 ++++-----
 .../tasks/setup_install.yml | 9 ++++-----
 roles/custom/matrix-bot-postmoogle/tasks/setup_install.yml | 9 ++++-----
 .../tasks/setup_install.yml | 9 ++++-----
 .../tasks/setup_install.yml | 9 ++++-----
 .../tasks/setup_install.yml | 9 ++++-----
 .../tasks/setup_install.yml | 9 ++++-----
 .../tasks/setup_install.yml | 9 ++++-----
 .../tasks/setup_install.yml | 9 ++++-----
 .../tasks/setup_install.yml | 9 ++++-----
 .../tasks/setup_install.yml | 9 ++++-----
 .../tasks/setup_install.yml | 9 ++++-----
 .../tasks/setup_install.yml | 9 ++++-----
 .../tasks/setup_install.yml | 9 ++++-----
 .../tasks/setup_install.yml | 9 ++++-----
 .../tasks/setup_install.yml | 9 ++++-----
 .../tasks/setup_install.yml | 9 ++++-----
 roles/custom/matrix-dimension/tasks/setup_install.yml | 9 ++++-----
 roles/custom/matrix-ma1sd/tasks/setup_install.yml | 9 ++++-----
 roles/custom/matrix-registration/tasks/setup_install.yml | 9 ++++-----
 21 files changed, 84 insertions(+), 105 deletions(-)
diff --git a/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml b/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml
index f255b141c..6ae0f9b92 100644
--- a/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml
+++ b/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml
@@ -11,7 +11,10 @@
 - when: "matrix_bot_buscarron_sqlite_database_path_local_stat_result.stat.exists | bool"
 block:
- - ansible.builtin.set_fact:
+ - ansible.builtin.include_role:
+ name: galaxy/com.devture.ansible.role.postgres
+ tasks_from: migrate_db_to_postgres
+ vars:
 devture_postgres_db_migration_request:
 src: "{{ matrix_bot_buscarron_sqlite_database_path_local }}"
 dst: "{{ matrix_bot_buscarron_database_connection_string }}"
@@ -20,10 +23,6 @@
 engine_old: 'sqlite'
 systemd_services_to_stop: ['matrix-bot-buscarron.service']
- - ansible.builtin.include_role:
- name: galaxy/com.devture.ansible.role.postgres
- tasks_from: migrate_db_to_postgres
-
 - ansible.builtin.set_fact:
 matrix_bot_buscarron_requires_restart: true
diff --git a/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml b/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml
index f71f2416b..f7b264a83 100644
--- a/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml
+++ b/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml
@@ -11,7 +11,10 @@
 - when: "matrix_bot_honoroit_sqlite_database_path_local_stat_result.stat.exists | bool"
 block:
- - ansible.builtin.set_fact:
+ - ansible.builtin.include_role:
+ name: galaxy/com.devture.ansible.role.postgres
+ tasks_from: migrate_db_to_postgres
+ vars:
 devture_postgres_db_migration_request:
 src: "{{ matrix_bot_honoroit_sqlite_database_path_local }}"
 dst: "{{ matrix_bot_honoroit_database_connection_string }}"
@@ -20,10 +23,6 @@
 engine_old: 'sqlite'
 systemd_services_to_stop: ['matrix-bot-honoroit.service']
- - ansible.builtin.include_role:
- name: galaxy/com.devture.ansible.role.postgres
- tasks_from: migrate_db_to_postgres
-
 - ansible.builtin.set_fact:
 matrix_bot_honoroit_requires_restart: true
diff --git a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml
index 466335471..39bf63e64 100644
--- a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml
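Review bot: Moving `devture_postgres_db_migration_request` from `set_fact` into `vars:` on the `include_role` scopes it to the included tasks, so it stops being a persistent host fact after this block; any later task in the play that still reads that fact would now see an undefined variable, which is worth a repository-wide check since only this file is visible. From a hardening angle the new shape is better: `dst:` is the full database connection string, credentials included, and as a host fact it stayed in memory (and in any enabled fact cache) for the rest of the run, whereas the include-scoped var is discarded when the role returns. What the hunk does not address is logging — if `migrate_db_to_postgres` echoes the request or a failing command line on error, `-v` output would carry the password; `apply: {no_log: true}` on the include would close that, at the cost of hiding the migration's own diagnostics, so it should be weighed against the role's actual tasks. The second hunk of this file and the matching hunks for honoroit, matrix-reminder-bot, postmoogle, the bridge roles, dimension, ma1sd and registration make the same change and share this note.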
+++ b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml
@@ -12,7 +12,10 @@
 - when: "matrix_bot_matrix_reminder_bot_sqlite_database_path_local_stat_result.stat.exists | bool"
 block:
- - ansible.builtin.set_fact:
+ - ansible.builtin.include_role:
+ name: galaxy/com.devture.ansible.role.postgres
+ tasks_from: migrate_db_to_postgres
+ vars:
 devture_postgres_db_migration_request:
 src: "{{ matrix_bot_matrix_reminder_bot_sqlite_database_path_local }}"
 dst: "{{ matrix_bot_matrix_reminder_bot_database_connection_string }}"
@@ -21,10 +24,6 @@
 engine_old: 'sqlite'
 systemd_services_to_stop: ['matrix-bot-matrix-reminder-bot.service']
- - ansible.builtin.include_role:
- name: galaxy/com.devture.ansible.role.postgres
- tasks_from: migrate_db_to_postgres
-
 - ansible.builtin.set_fact:
 matrix_bot_matrix_reminder_bot_requires_restart: true
diff --git a/roles/custom/matrix-bot-postmoogle/tasks/setup_install.yml b/roles/custom/matrix-bot-postmoogle/tasks/setup_install.yml
index cede2d35d..ed2bcc9d6 100644
--- a/roles/custom/matrix-bot-postmoogle/tasks/setup_install.yml
+++ b/roles/custom/matrix-bot-postmoogle/tasks/setup_install.yml
@@ -8,7 +8,10 @@
 - when: "matrix_bot_postmoogle_sqlite_database_path_local_stat_result.stat.exists | bool"
 block:
- - ansible.builtin.set_fact:
+ - ansible.builtin.include_role:
+ name: galaxy/com.devture.ansible.role.postgres
+ tasks_from: migrate_db_to_postgres
+ vars:
 devture_postgres_db_migration_request:
 src: "{{ matrix_bot_postmoogle_sqlite_database_path_local }}"
 dst: "{{ matrix_bot_postmoogle_database_connection_string }}"
@@ -17,10 +20,6 @@
 engine_old: 'sqlite'
 systemd_services_to_stop: ['matrix-bot-postmoogle.service']
- - ansible.builtin.include_role:
- name: galaxy/com.devture.ansible.role.postgres
- tasks_from: migrate_db_to_postgres
-
 - ansible.builtin.set_fact:
 matrix_bot_postmoogle_requires_restart: true
diff --git a/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml b/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml
index bf5ecf42b..4a6419edd 100644
--- a/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml
@@ -12,7 +12,10 @@
 - when: "matrix_appservice_discord_sqlite_database_path_local_stat_result.stat.exists | bool"
 block:
- - ansible.builtin.set_fact:
+ - ansible.builtin.include_role:
+ name: galaxy/com.devture.ansible.role.postgres
+ tasks_from: migrate_db_to_postgres
+ vars:
 devture_postgres_db_migration_request:
 src: "{{ matrix_appservice_discord_sqlite_database_path_local }}"
 dst: "{{ matrix_appservice_discord_database_connString }}"
@@ -21,10 +24,6 @@
 engine_old: 'sqlite'
 systemd_services_to_stop: ['matrix-appservice-discord.service']
- - ansible.builtin.include_role:
- name: galaxy/com.devture.ansible.role.postgres
- tasks_from: migrate_db_to_postgres
-
 - ansible.builtin.set_fact:
 matrix_appservice_discord_requires_restart: true
diff --git a/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml b/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml
index fd36600b9..6146637f5 100644
--- a/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml
@@ -12,7 +12,10 @@
 - when: "matrix_go_skype_bridge_sqlite_database_path_local_stat_result.stat.exists | bool"
 block:
- - ansible.builtin.set_fact:
+ - ansible.builtin.include_role:
+ name: galaxy/com.devture.ansible.role.postgres
+ tasks_from: migrate_db_to_postgres
+ vars:
 devture_postgres_db_migration_request:
 src: "{{ matrix_go_skype_bridge_sqlite_database_path_local }}"
 dst: "{{ matrix_go_skype_bridge_database_connection_string }}"
@@ -22,10 +25,6 @@
 systemd_services_to_stop: ['matrix-go-skype-bridge.service']
 pgloader_options: ['--with "quote identifiers"']
- - ansible.builtin.include_role:
- name: galaxy/com.devture.ansible.role.postgres
- tasks_from: migrate_db_to_postgres
-
 - ansible.builtin.set_fact:
 matrix_go_skype_bridge_requires_restart: true
diff --git a/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_install.yml
index d83101ebc..f16422f7a 100644
--- a/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mautrix-discord/tasks/setup_install.yml
@@ -12,7 +12,10 @@
 - when: "matrix_mautrix_discord_sqlite_database_path_local_stat_result.stat.exists | bool"
 block:
- - ansible.builtin.set_fact:
+ - ansible.builtin.include_role:
+ name: galaxy/com.devture.ansible.role.postgres
+ tasks_from: migrate_db_to_postgres
+ vars:
 devture_postgres_db_migration_request:
 src: "{{ matrix_mautrix_discord_sqlite_database_path_local }}"
 dst: "{{ matrix_mautrix_discord_database_connection_string }}"
@@ -22,10 +25,6 @@
 systemd_services_to_stop: ['matrix-mautrix-discord.service']
 pgloader_options: ['--with "quote identifiers"']
- - ansible.builtin.include_role:
- name: galaxy/com.devture.ansible.role.postgres
- tasks_from: migrate_db_to_postgres
-
 - ansible.builtin.set_fact:
 matrix_mautrix_discord_requires_restart: true
diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml
index 6e8f62cd4..758a5feda 100644
--- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml
@@ -12,7 +12,10 @@
 - when: "matrix_mautrix_facebook_sqlite_database_path_local_stat_result.stat.exists | bool"
 block:
- - ansible.builtin.set_fact:
+ - ansible.builtin.include_role:
+ name: galaxy/com.devture.ansible.role.postgres
+ tasks_from: migrate_db_to_postgres
+ vars:
 devture_postgres_db_migration_request:
 src: "{{ matrix_mautrix_facebook_sqlite_database_path_local }}"
 dst: "{{ matrix_mautrix_facebook_database_connection_string }}"
@@ -21,10 +24,6 @@
 engine_old: 'sqlite'
 systemd_services_to_stop: ['matrix-mautrix-facebook.service']
- - ansible.builtin.include_role:
- name: galaxy/com.devture.ansible.role.postgres
- tasks_from: migrate_db_to_postgres
-
 - ansible.builtin.set_fact:
 matrix_mautrix_facebook_requires_restart: true
diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml
index d3eee66cb..c1258471c 100644
--- a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml
@@ -12,7 +12,10 @@
 - when: "matrix_mautrix_googlechat_sqlite_database_path_local_stat_result.stat.exists | bool"
 block:
- - ansible.builtin.set_fact:
+ - ansible.builtin.include_role:
+ name: galaxy/com.devture.ansible.role.postgres
+ tasks_from: migrate_db_to_postgres
+ vars:
 devture_postgres_db_migration_request:
 src: "{{ matrix_mautrix_googlechat_sqlite_database_path_local }}"
 dst: "{{ matrix_mautrix_googlechat_database_connection_string }}"
@@ -21,10 +24,6 @@
 engine_old: 'sqlite'
 systemd_services_to_stop: ['matrix-mautrix-googlechat.service']
- - ansible.builtin.include_role:
- name: galaxy/com.devture.ansible.role.postgres
- tasks_from: migrate_db_to_postgres
-
 - ansible.builtin.set_fact:
 matrix_mautrix_googlechat_requires_restart: true
diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml
index ee0534af8..f8fdb023d 100644
--- a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml
@@ -12,7 +12,10 @@
 - when: "matrix_mautrix_hangouts_sqlite_database_path_local_stat_result.stat.exists | bool"
 block:
- - ansible.builtin.set_fact:
+ - ansible.builtin.include_role:
+ name: galaxy/com.devture.ansible.role.postgres
+ tasks_from: migrate_db_to_postgres
+ vars:
 devture_postgres_db_migration_request:
 src: "{{ matrix_mautrix_hangouts_sqlite_database_path_local }}"
 dst: "{{ matrix_mautrix_hangouts_database_connection_string }}"
@@ -21,10 +24,6 @@
 engine_old: 'sqlite'
 systemd_services_to_stop: ['matrix-mautrix-hangouts.service']
- - ansible.builtin.include_role:
- name: galaxy/com.devture.ansible.role.postgres
- tasks_from: migrate_db_to_postgres
-
 - ansible.builtin.set_fact:
 matrix_mautrix_hangouts_requires_restart: true
diff --git a/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml
index 23a092dcf..383d48275 100644
--- a/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml
@@ -12,7 +12,10 @@
 - when: "matrix_mautrix_telegram_sqlite_database_path_local_stat_result.stat.exists | bool"
 block:
- - ansible.builtin.set_fact:
+ - ansible.builtin.include_role:
+ name: galaxy/com.devture.ansible.role.postgres
+ tasks_from: migrate_db_to_postgres
+ vars:
 devture_postgres_db_migration_request:
 src: "{{ matrix_mautrix_telegram_sqlite_database_path_local }}"
 dst: "{{ matrix_mautrix_telegram_database_connection_string }}"
@@ -21,10 +24,6 @@
 engine_old: 'sqlite'
 systemd_services_to_stop: ['matrix-mautrix-telegram.service']
- - ansible.builtin.include_role:
- name: galaxy/com.devture.ansible.role.postgres
- tasks_from: migrate_db_to_postgres
-
 - ansible.builtin.set_fact:
 matrix_mautrix_telegram_requires_restart: true
diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml
index fd961ec12..1cf883c56 100644
--- a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml
@@ -12,7 +12,10 @@
 - when: "matrix_mautrix_whatsapp_sqlite_database_path_local_stat_result.stat.exists | bool"
 block:
- - ansible.builtin.set_fact:
+ - ansible.builtin.include_role:
+ name: galaxy/com.devture.ansible.role.postgres
+ tasks_from: migrate_db_to_postgres
+ vars:
 devture_postgres_db_migration_request:
 src: "{{ matrix_mautrix_whatsapp_sqlite_database_path_local }}"
 dst: "{{ matrix_mautrix_whatsapp_database_connection_string }}"
@@ -22,10 +25,6 @@
 systemd_services_to_stop: ['matrix-mautrix-whatsapp.service']
 pgloader_options: ['--with "quote identifiers"']
- - ansible.builtin.include_role:
- name: galaxy/com.devture.ansible.role.postgres
- tasks_from: migrate_db_to_postgres
-
 - ansible.builtin.set_fact:
 matrix_mautrix_whatsapp_requires_restart: true
diff --git a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml
index d2cb83c40..8bf19f80e 100644
--- a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml
@@ -46,7 +46,10 @@
 - when: "matrix_mx_puppet_discord_sqlite_database_path_local_stat_result.stat.exists | bool"
 block:
- - ansible.builtin.set_fact:
+ - ansible.builtin.include_role:
+ name: galaxy/com.devture.ansible.role.postgres
+ tasks_from: migrate_db_to_postgres
+ vars:
 devture_postgres_db_migration_request:
 src: "{{ matrix_mx_puppet_discord_sqlite_database_path_local }}"
 dst: "{{ matrix_mx_puppet_discord_database_connection_string }}"
@@ -55,10 +58,6 @@
 engine_old: 'sqlite'
 systemd_services_to_stop: ['matrix-mx-puppet-discord.service']
- - ansible.builtin.include_role:
- name: galaxy/com.devture.ansible.role.postgres
- tasks_from: migrate_db_to_postgres
-
 - ansible.builtin.set_fact:
 matrix_mx_puppet_discord_requires_restart: true
diff --git a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml
index b174f0e0b..9db25e864 100644
--- a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml
@@ -44,7 +44,10 @@
 - when: "matrix_mx_puppet_groupme_sqlite_database_path_local_stat_result.stat.exists | bool"
 block:
- - ansible.builtin.set_fact:
+ - ansible.builtin.include_role:
+ name: galaxy/com.devture.ansible.role.postgres
+ tasks_from: migrate_db_to_postgres
+ vars:
 devture_postgres_db_migration_request:
 src: "{{ matrix_mx_puppet_groupme_sqlite_database_path_local }}"
 dst: "{{ matrix_mx_puppet_groupme_database_connection_string }}"
@@ -53,10 +56,6 @@
 engine_old: 'sqlite'
 systemd_services_to_stop: ['matrix-mx-puppet-groupme.service']
- - ansible.builtin.include_role:
- name: galaxy/com.devture.ansible.role.postgres
- tasks_from: migrate_db_to_postgres
-
 - ansible.builtin.set_fact:
 matrix_mx_puppet_groupme_requires_restart: true
diff --git a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml
index ce3ecc6f6..be68d9fc1 100644
--- a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml
@@ -12,7 +12,10 @@
 - when: "matrix_mx_puppet_instagram_sqlite_database_path_local_stat_result.stat.exists | bool"
 block:
- - ansible.builtin.set_fact:
+ - ansible.builtin.include_role:
+ name: galaxy/com.devture.ansible.role.postgres
+ tasks_from: migrate_db_to_postgres
+ vars:
 devture_postgres_db_migration_request:
 src: "{{ matrix_mx_puppet_instagram_sqlite_database_path_local }}"
 dst: "{{ matrix_mx_puppet_instagram_database_connection_string }}"
@@ -21,10 +24,6 @@
 engine_old: 'sqlite'
 systemd_services_to_stop: ['matrix-mx-puppet-instagram.service']
- - ansible.builtin.include_role:
- name: galaxy/com.devture.ansible.role.postgres
- tasks_from: migrate_db_to_postgres
-
 - ansible.builtin.set_fact:
 matrix_mx_puppet_instagram_requires_restart: true
diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml
index e2fb6b51b..e75d47e57 100644
--- a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml
@@ -40,7 +40,10 @@
 - when: "matrix_mx_puppet_slack_sqlite_database_path_local_stat_result.stat.exists | bool"
 block:
- - ansible.builtin.set_fact:
+ - ansible.builtin.include_role:
+ name: galaxy/com.devture.ansible.role.postgres
+ tasks_from: migrate_db_to_postgres
+ vars:
 devture_postgres_db_migration_request:
 src: "{{ matrix_mx_puppet_slack_sqlite_database_path_local }}"
 dst: "{{ matrix_mx_puppet_slack_database_connection_string }}"
@@ -49,10 +52,6 @@
 engine_old: 'sqlite'
 systemd_services_to_stop: ['matrix-mx-puppet-slack.service']
- - ansible.builtin.include_role:
- name: galaxy/com.devture.ansible.role.postgres
- tasks_from: migrate_db_to_postgres
-
 - ansible.builtin.set_fact:
 matrix_mx_puppet_slack_requires_restart: true
diff --git a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml
index 6bf2edc7b..ca2de4480 100644
--- a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml
@@ -44,7 +44,10 @@
 - when: "matrix_mx_puppet_steam_sqlite_database_path_local_stat_result.stat.exists | bool"
 block:
- - ansible.builtin.set_fact:
+ - ansible.builtin.include_role:
+ name: galaxy/com.devture.ansible.role.postgres
+ tasks_from: migrate_db_to_postgres
+ vars:
 devture_postgres_db_migration_request:
 src: "{{ matrix_mx_puppet_steam_sqlite_database_path_local }}"
 dst: "{{ matrix_mx_puppet_steam_database_connection_string }}"
@@ -53,10 +56,6 @@
 engine_old: 'sqlite'
 systemd_services_to_stop: ['matrix-mx-puppet-steam.service']
- - ansible.builtin.include_role:
- name: galaxy/com.devture.ansible.role.postgres
- tasks_from: migrate_db_to_postgres
-
 - ansible.builtin.set_fact:
 matrix_mx_puppet_steam_requires_restart: true
diff --git a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml
index 71b1b5750..a84502056 100644
--- a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml
@@ -44,7 +44,10 @@
 - when: "matrix_mx_puppet_twitter_sqlite_database_path_local_stat_result.stat.exists | bool"
 block:
- - ansible.builtin.set_fact:
+ - ansible.builtin.include_role:
+ name: galaxy/com.devture.ansible.role.postgres
+ tasks_from: migrate_db_to_postgres
+ vars:
 devture_postgres_db_migration_request:
 src: "{{ matrix_mx_puppet_twitter_sqlite_database_path_local }}"
 dst: "{{ matrix_mx_puppet_twitter_database_connection_string }}"
@@ -53,10 +56,6 @@
 engine_old: 'sqlite'
 systemd_services_to_stop: ['matrix-mx-puppet-twitter.service']
- - ansible.builtin.include_role:
- name: galaxy/com.devture.ansible.role.postgres
- tasks_from: migrate_db_to_postgres
-
 - ansible.builtin.set_fact:
 matrix_mx_puppet_twitter_requires_restart: true
diff --git a/roles/custom/matrix-dimension/tasks/setup_install.yml b/roles/custom/matrix-dimension/tasks/setup_install.yml
index e44cc73fb..26617f7a3 100644
--- a/roles/custom/matrix-dimension/tasks/setup_install.yml
+++ b/roles/custom/matrix-dimension/tasks/setup_install.yml
@@ -51,7 +51,10 @@
 - {'table': 'dimension_bridges', 'column': 'isEnabled', 'default': ''}
 - {'table': 'dimension_bridges', 'column': 'isPublic', 'default': ''}
- - ansible.builtin.set_fact:
+ - ansible.builtin.include_role:
+ name: galaxy/com.devture.ansible.role.postgres
+ tasks_from: migrate_db_to_postgres
+ vars:
 devture_postgres_db_migration_request:
 src: "{{ matrix_dimension_sqlite_database_path_local }}"
 dst: "{{ matrix_dimension_database_connection_string }}"
@@ -63,10 +66,6 @@
 additional_psql_statements_list: "{{ matrix_dimension_pgloader_additional_psql_statements_list }}"
 additional_psql_statements_db_name: "{{ matrix_dimension_database_name }}"
- - ansible.builtin.include_role:
- name: galaxy/com.devture.ansible.role.postgres
- tasks_from: migrate_db_to_postgres
-
 - ansible.builtin.set_fact:
 matrix_dimension_requires_restart: true
diff --git a/roles/custom/matrix-ma1sd/tasks/setup_install.yml b/roles/custom/matrix-ma1sd/tasks/setup_install.yml
index 492cbf416..6fe20342b 100644
--- a/roles/custom/matrix-ma1sd/tasks/setup_install.yml
+++ b/roles/custom/matrix-ma1sd/tasks/setup_install.yml
@@ -27,7 +27,10 @@
 - when: "matrix_ma1sd_sqlite_database_path_local_stat_result.stat.exists | bool"
 block:
- - ansible.builtin.set_fact:
+ - ansible.builtin.include_role:
+ name: galaxy/com.devture.ansible.role.postgres
+ tasks_from: migrate_db_to_postgres
+ vars:
 devture_postgres_db_migration_request:
 src: "{{ matrix_ma1sd_sqlite_database_path_local }}"
 dst: "{{ matrix_ma1sd_database_connection_string }}"
@@ -37,10 +40,6 @@
 systemd_services_to_stop: ['matrix-ma1sd.service']
 pgloader_options: ['--with "quote identifiers"']
- - ansible.builtin.include_role:
- name: galaxy/com.devture.ansible.role.postgres
- tasks_from: migrate_db_to_postgres
-
 - ansible.builtin.set_fact:
 matrix_ma1sd_requires_restart: true
diff --git a/roles/custom/matrix-registration/tasks/setup_install.yml b/roles/custom/matrix-registration/tasks/setup_install.yml
index a3a4bddc8..9278f2ef8 100644
--- a/roles/custom/matrix-registration/tasks/setup_install.yml
+++ b/roles/custom/matrix-registration/tasks/setup_install.yml
@@ -12,7 +12,10 @@
 - when: "matrix_registration_sqlite_database_path_local_stat_result.stat.exists | bool"
 block:
- - ansible.builtin.set_fact:
+ - ansible.builtin.include_role:
+ name: galaxy/com.devture.ansible.role.postgres
+ tasks_from: migrate_db_to_postgres
+ vars:
 devture_postgres_db_migration_request:
 src: "{{ matrix_registration_sqlite_database_path_local }}"
 dst: "{{ matrix_registration_database_connection_string }}"
@@ -26,10 +29,6 @@
 - ALTER TABLE tokens ALTER COLUMN ex_date TYPE TIMESTAMP WITHOUT TIME ZONE;
 additional_psql_statements_db_name: "{{ matrix_registration_database_name }}"
- - ansible.builtin.include_role:
- name: galaxy/com.devture.ansible.role.postgres
- tasks_from: migrate_db_to_postgres
-
 - ansible.builtin.set_fact:
 matrix_registration_requires_restart: true
From 0d322a5c86f3d001de3cf1bde76c215fe4938bed Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Mon, 28 Nov 2022 08:09:57 +0200
Subject: [PATCH 104/915] Announce matrix-postgres replacement and /usr/local/bin cleanup
---
 CHANGELOG.md | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index fb347c42f..8bd1210d7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,34 @@
+# 2022-11-28
+
+## matrix-postgres has been replaced by the com.devture.ansible.role.postgres external role
+
+**TLDR**: the tasks that install the integrated Postgres server now live in an external role - [com.devture.ansible.role.postgres](https://github.com/devture/com.devture.ansible.role.postgres). You'll need to run `make roles` to install it, and to also rename your `matrix_postgres`-prefixed variables to use a `devture_postgres` prefix (e.g. `matrix_postgres_connection_password` -> `devture_postgres_connection_password`). All your data will still be there! Some scripts have moved (`/usr/local/bin/matrix-postgres-cli` -> `/matrix/postgres/bin/cli`).
+
+The `matrix-postgres` role that has been part of the playbook for a long time has been replaced with the [com.devture.ansible.role.postgres](https://github.com/devture/com.devture.ansible.role.postgres) role. This was done as part of our work to [use external roles for some things](#the-playbook-now-uses-external-roles-for-some-things) for better code re-use and maintainability.
+
+The new role is an upgraded version of the old `matrix-postgres` role with these notable differences:
+
+- it uses different names for its variables (`matrix_postgres` -> `devture_postgres`)
+- when [Vacuuming PostgreSQL](docs/maintenance-postgres.md#vacuuming-postgresql), it will vacuum all your databases, not just the Synapse one
+
+You'll need to run `make roles` to install the new role. You would also need to rename your `matrix_postgres`-prefixed variables to use a `devture_postgres` prefix.
+
+Note: the systemd service still remains the same - `matrix-postgres.service`. Your data will still be in `/matrix/postgres`, etc.
+Postgres-related scripts will be moved to `/matrix/postgres/bin` (`/usr/local/bin/matrix-postgres-cli` -> `/matrix/postgres/bin/cli`, etc). Also see [The playbook no longer installs scripts in /usr/local/bin](#the-playbook-no-longer-installs-scripts-in-usrlocalbin).
+
+## The playbook no longer installs scripts to /usr/local/bin
+
+The locations of various scripts installed by the playbook have changed.
+
+The playbook no longer contaminates your `/usr/local/bin` directory.
+All scripts installed by the playbook now live in `bin/` directories under `/matrix`. Some examples are below:
+
+- `/usr/local/bin/matrix-remove-all` -> `/matrix/bin/remove-all`
+- `/usr/local/bin/matrix-postgres-cli` -> `/matrix/postgres/bin/cli`
+- `/usr/local/bin/matrix-ssl-lets-encrypt-certificates-renew` -> `/matrix/ssl/bin/lets-encrypt-certificates-renew`
+- `/usr/local/bin/matrix-synapse-register-user` -> `/matrix/synapse/bin/register-user`
+
+
 # 2022-11-25
 ## 2x-5x performance improvements in playbook runtime
From 81054bb19c8f115e3a8eeda0cc55d09aa55a63fa Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Mon, 28 Nov 2022 09:05:22 +0200
Subject: [PATCH 105/915] Upgrade com.devture.ansible.role.postgres
---
 group_vars/matrix_servers | 9 ---------
 requirements.yml | 2 +-
 2 files changed, 1 insertion(+), 10 deletions(-)
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index a2c245141..988488c73 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -2263,15 +2263,6 @@ devture_postgres_gid: "{{ matrix_user_gid }}"
 devture_postgres_connection_username: matrix
 devture_postgres_db_name: matrix
-devture_postgres_vacuum_default_databases_list: |
- {{
- (
- ([devture_postgres_db_name])
- +
- (devture_postgres_additional_databases | map(attribute='name'))
- ) | unique
- }}
-
 devture_postgres_systemd_services_to_stop_for_maintenance_list: |
 {{
 ['matrix-' + matrix_homeserver_implementation + '.service']
diff --git a/requirements.yml b/requirements.yml
index 951bb5e1d..64551b9ed 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -19,7 +19,7 @@ version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16
 - src: git+https://github.com/devture/com.devture.ansible.role.postgres.git
- version: 0985b594b17942e7aa6346d8967c02c3686cecb1
+ version: e55623caa4c33fa22e897966f4def7ae04dc8261
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git
 version: 6ccb88ac5fc27e1e70afcd48278ade4b564a9096
From 5b266471270b20dd3dd4721d99f32f035b29670f Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Mon, 28 Nov 2022 09:24:25 +0200
Subject: [PATCH 106/915] Upgrade Certbot (v1.31.0 -> v2.0.0) and switch to new default key type (ecdsa) More details about the new key type can be found here: https://eff-certbot.readthedocs.io/en/stable/using.html#rsa-and-ecdsa-keys Existing RSA-based keys will continue to renew as RSA until manual action is taken. Example from the documentation above: > certbot renew --key-type ecdsa --cert-name example.com --force-renewal In the future, we may add a command which does this automatically for all domains.
---
 roles/custom/matrix-nginx-proxy/defaults/main.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml
index 0830d4f41..839211e01 100644
--- a/roles/custom/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml
@@ -554,7 +554,7 @@ matrix_ssl_lets_encrypt_staging: false # Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#changing-the-acme-server matrix_ssl_lets_encrypt_server: '' -matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.31.0" +matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v2.0.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ @@ -567,8 +567,8 @@ matrix_ssl_lets_encrypt_support_email: ~ matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port: '80' # Specify key type of the private key algorithm. -# Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#using-ecdsa-keys -matrix_ssl_lets_encrypt_key_type: rsa +# Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#rsa-and-ecdsa-keys +matrix_ssl_lets_encrypt_key_type: ecdsa matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl" matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config" From 4b2d30a474d0bd9f2ff9f61f104238592b27058e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 28 Nov 2022 18:33:18 +0200 Subject: [PATCH 107/915] Fix matrix_dendrite_client_api_turn_shared_secret not being defined Regression since https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2290 --- group_vars/matrix_servers | 2 +- roles/custom/matrix-dendrite/defaults/main.yml | 2 +- roles/custom/matrix-dendrite/tasks/validate_config.yml | 3 ++- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 988488c73..f2b307b19 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -3026,7 +3026,7 @@ matrix_dendrite_client_api_turn_uris: | else [] }} -matrix_dendrite_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}" +matrix_dendrite_client_api_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}" matrix_dendrite_disable_tls_validation: "{{ true if matrix_ssl_retrieval_method == 'self-signed' else false }}" diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml index 370545187..67a485e97 100644 --- a/roles/custom/matrix-dendrite/defaults/main.yml +++ b/roles/custom/matrix-dendrite/defaults/main.yml @@ -152,7 +152,7 @@ matrix_dendrite_pushserver_database: "dendrite_pushserver" matrix_dendrite_mscs_database: "dendrite_mscs" matrix_dendrite_client_api_turn_uris: [] -matrix_dendrite_client_api_turn_client_api_shared_secret: "" +matrix_dendrite_client_api_turn_shared_secret: "" matrix_dendrite_client_api_turn_allow_guests: false matrix_dendrite_disable_tls_validation: false diff --git a/roles/custom/matrix-dendrite/tasks/validate_config.yml b/roles/custom/matrix-dendrite/tasks/validate_config.yml index 9b1466e1e..53c17498c 100644 --- a/roles/custom/matrix-dendrite/tasks/validate_config.yml +++ b/roles/custom/matrix-dendrite/tasks/validate_config.yml 
@@ -21,7 +21,8 @@ - {'old': 'matrix_dendrite_registration_disabled', 'new': 'matrix_dendrite_client_api_registration_disabled'} - {'old': 'matrix_dendrite_registration_shared_secret', 'new': 'matrix_dendrite_client_api_registration_shared_secret'} - {'old': 'matrix_dendrite_turn_uris', 'new': 'matrix_dendrite_client_api_turn_uris'} - - {'old': 'matrix_dendrite_turn_client_api_shared_secret', 'new': 'matrix_dendrite_client_api_turn_client_api_shared_secret'} + - {'old': 'matrix_dendrite_turn_client_api_shared_secret', 'new': 'matrix_dendrite_client_api_turn_shared_secret'} + - {'old': 'matrix_dendrite_client_api_turn_client_api_shared_secret', 'new': 'matrix_dendrite_client_api_turn_shared_secret'} - {'old': 'matrix_dendrite_turn_allow_guests', 'new': 'matrix_dendrite_client_api_turn_allow_guests'} - {'old': 'matrix_dendrite_rate_limiting_enabled', 'new': 'matrix_dendrite_client_api_rate_limiting_enabled'} - {'old': 'matrix_dendrite_rate_limiting_threshold', 'new': 'matrix_dendrite_client_api_rate_limiting_threshold'} From 8c5e34b37fdf831a71a4f1fd3afd54a66802591f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 29 Nov 2022 08:20:36 +0200 Subject: [PATCH 108/915] Upgrade ddclient (v3.10.0-ls105 -> v3.10.0-ls106) --- roles/custom/matrix-dynamic-dns/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-dynamic-dns/defaults/main.yml b/roles/custom/matrix-dynamic-dns/defaults/main.yml index 86129e61f..95e197f3f 100644 --- a/roles/custom/matrix-dynamic-dns/defaults/main.yml +++ b/roles/custom/matrix-dynamic-dns/defaults/main.yml @@ -7,7 +7,7 @@ matrix_dynamic_dns_enabled: true # The dynamic dns daemon interval matrix_dynamic_dns_daemon_interval: '300' -matrix_dynamic_dns_version: v3.10.0-ls105 +matrix_dynamic_dns_version: v3.10.0-ls106 # The docker container to use when in mode matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}" 
From d5e8d2a93946b8553e9fa2dc32cc207090275609 Mon Sep 17 00:00:00 2001 From: Array in a Matrix Date: Tue, 29 Nov 2022 11:58:00 -0500 Subject: [PATCH 109/915] update dendrite --- roles/custom/matrix-dendrite/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml index 67a485e97..32f262ad5 100644 --- a/roles/custom/matrix-dendrite/defaults/main.yml +++ b/roles/custom/matrix-dendrite/defaults/main.yml @@ -6,7 +6,7 @@ matrix_dendrite_enabled: true matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}" matrix_dendrite_docker_image_name_prefix: "docker.io/" -matrix_dendrite_docker_image_tag: "v0.10.7" +matrix_dendrite_docker_image_tag: "v0.10.8" matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite" From b25385dffd422f52f7685ad964a9862ffa4b8d28 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 29 Nov 2022 20:16:29 +0200 Subject: [PATCH 110/915] Upgrade com.devture.ansible.role.postgres --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 64551b9ed..c8daa6504 100644 --- a/requirements.yml +++ b/requirements.yml @@ -19,7 +19,7 @@ version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16 - src: git+https://github.com/devture/com.devture.ansible.role.postgres.git - version: e55623caa4c33fa22e897966f4def7ae04dc8261 + version: b547c81ed69a659be22016df35cc0d82cb444a76 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git version: 6ccb88ac5fc27e1e70afcd48278ade4b564a9096 From 3424a1169dbb9c78d4a6b3f8a644f35011762118 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?L=C3=A1szl=C3=B3=20V=C3=A1rady?= Date: Wed, 30 Nov 2022 02:44:15 +0100 Subject: [PATCH 111/915] Fix Docker installation typo in FAQ --- docs/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/faq.md b/docs/faq.md index d2b88cf66..25d02e7ce 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -317,7 +317,7 @@ If you've installed [Jitsi](configuring-playbook-jitsi.md) (not installed by def Yes, we can stop installing Docker ourselves. Just use this in your `vars.yml` file: ```yaml -matrix_playbook_docker_installation_enabled: true +matrix_playbook_docker_installation_enabled: false ``` ### I run another webserver on the same server where I wish to install Matrix. What now? From 7e2e2626a042246962b1c4ec90988af332671ebd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 30 Nov 2022 08:13:39 +0200 Subject: [PATCH 112/915] Make hookshot variable names consistent with the rest of the playbook Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2256 --- docs/configuring-playbook-bridge-hookshot.md | 2 +- .../matrix-bridge-hookshot/defaults/main.yml | 39 ++++++----- .../tasks/validate_config.yml | 56 ++++++++++----- .../templates/config.yml.j2 | 69 +++++++++---------- 4 files changed, 94 insertions(+), 72 deletions(-) diff --git a/docs/configuring-playbook-bridge-hookshot.md b/docs/configuring-playbook-bridge-hookshot.md index 89ab07682..54f6636b9 100644 --- a/docs/configuring-playbook-bridge-hookshot.md +++ b/docs/configuring-playbook-bridge-hookshot.md 
@@ -93,4 +93,4 @@ To explicitly enable metrics, use `matrix_hookshot_metrics_enabled: true`. This ### Collision with matrix-appservice-webhooks -If you are also running [matrix-appservice-webhooks](configuring-playbook-bridge-appservice-webhooks.md), it reserves its namespace by the default setting `matrix_appservice_webhooks_user_prefix: '_webhook_'`. You should take care if you modify its or hookshot's prefix that they do not collide with each other's namespace (default `matrix_hookshot_generic_user_id_prefix: '_webhooks_'`). +If you are also running [matrix-appservice-webhooks](configuring-playbook-bridge-appservice-webhooks.md), it reserves its namespace by the default setting `matrix_appservice_webhooks_user_prefix: '_webhook_'`. You should take care if you modify its or hookshot's prefix that they do not collide with each other's namespace (default `matrix_hookshot_generic_userIdPrefix: '_webhooks_'`). diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 4e6965847..a81d4706a 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml @@ -52,7 +52,7 @@ matrix_hookshot_webhook_endpoint: "{{ matrix_hookshot_public_endpoint }}/webhook # You need to create a GitHub app to enable this and fill in the empty variables below # https://matrix-org.github.io/matrix-hookshot/setup/github.html matrix_hookshot_github_enabled: false -matrix_hookshot_github_appid: '' +matrix_hookshot_github_auth_id: '' # Set this variable to the contents of the generated and downloaded GitHub private key: # matrix_hookshot_github_private_key: | # -----BEGIN RSA PRIVATE KEY----- 
@@ -61,7 +61,7 @@ matrix_hookshot_github_appid: '' # Alternatively, leave it empty and do it manually or use matrix-aux instead, see docs/matrix-bridge-hookshot.md for info. matrix_hookshot_github_private_key: '' matrix_hookshot_github_private_key_file: 'private-key.pem' -matrix_hookshot_github_secret: '' # "Webhook secret" on the GitHub App page +matrix_hookshot_github_webhook_secret: '' # "Webhook secret" on the GitHub App page matrix_hookshot_github_oauth_enabled: false # You need to configure oauth settings only when you have enabled oauth (optional) matrix_hookshot_github_oauth_id: '' # "Client ID" on the GitHub App page 
@@ -69,14 +69,17 @@ matrix_hookshot_github_oauth_secret: '' # "Client Secret" on the GitHub App pag # Default value of matrix_hookshot_github_oauth_endpoint: "/hookshot/webhooks/oauth" matrix_hookshot_github_oauth_endpoint: "{{ matrix_hookshot_webhook_endpoint }}/oauth" matrix_hookshot_github_oauth_uri: "{{ matrix_hookshot_urlprefix }}{{ matrix_hookshot_github_oauth_endpoint }}" + # These are the default settings mentioned here and don't need to be modified: https://matrix-org.github.io/matrix-hookshot/usage/room_configuration/github_repo.html#configuration -matrix_hookshot_github_ignore_hooks: "{}" -matrix_hookshot_github_command_prefix: '!gh' -matrix_hookshot_github_showIssueRoomLink: false # noqa var-naming -matrix_hookshot_github_pr_diff: "{enabled: false, maxLines: 5}" -matrix_hookshot_github_including_labels: '' -matrix_hookshot_github_excluding_labels: '' -matrix_hookshot_github_hotlink_prefix: "#" +matrix_hookshot_github_defaultOptions_ignoreHooks: {} # noqa var-naming +matrix_hookshot_github_defaultOptions_commandPrefix: '!gh' # noqa var-naming +matrix_hookshot_github_defaultOptions_showIssueRoomLink: false # noqa var-naming +matrix_hookshot_github_defaultOptions_prDiff: # noqa var-naming + enabled: false + maxLines: 5 +matrix_hookshot_github_defaultOptions_includingLabels: '' # noqa var-naming +matrix_hookshot_github_defaultOptions_excludingLabels: '' # noqa var-naming +matrix_hookshot_github_defaultOptions_hotlinkIssues_prefix: "#" # noqa var-naming matrix_hookshot_gitlab_enabled: true @@ -91,7 +94,7 @@ matrix_hookshot_gitlab_instances: url: https://gitlab.com # This will be the "Secret token" you have to enter into all GitLab instances for authentication -matrix_hookshot_gitlab_secret: '' +matrix_hookshot_gitlab_webhook_secret: '' matrix_hookshot_figma_enabled: false 
@@ -104,17 +107,17 @@ matrix_hookshot_figma_publicUrl: "{{ matrix_hookshot_urlprefix }}{{ matrix_hooks # teamId: your-team-id # accessToken: your-personal-access-token # passcode: your-webhook-passcode - +matrix_hookshot_figma_instances: {} matrix_hookshot_jira_enabled: false # Get the these values from https://matrix-org.github.io/matrix-hookshot/setup/jira.html#jira-oauth -matrix_hookshot_jira_secret: '' +matrix_hookshot_jira_webhook_secret: '' matrix_hookshot_jira_oauth_enabled: false -matrix_hookshot_jira_oauth_id: '' -matrix_hookshot_jira_oauth_secret: '' +matrix_hookshot_jira_oauth_client_id: '' +matrix_hookshot_jira_oauth_client_secret: '' # Default value of matrix_hookshot_jira_oauth_endpoint: "/hookshot/webhooks/jira/oauth" matrix_hookshot_jira_oauth_endpoint: "{{ matrix_hookshot_webhook_endpoint }}/jira/oauth" -matrix_hookshot_jira_oauth_uri: "{{ matrix_hookshot_urlprefix }}{{ matrix_hookshot_jira_oauth_endpoint }}" +matrix_hookshot_jira_oauth_redirect_uri: "{{ matrix_hookshot_urlprefix }}{{ matrix_hookshot_jira_oauth_endpoint }}" # No need to change these @@ -122,10 +125,10 @@ matrix_hookshot_generic_enabled: true # Default value of matrix_hookshot_generic_endpoint: "/hookshot/webhooks" matrix_hookshot_generic_endpoint: "{{ matrix_hookshot_webhook_endpoint }}" # urlprefix gets updated with protocol & port in group_vars/matrix_servers -matrix_hookshot_generic_urlprefix: "{{ matrix_hookshot_urlprefix }}{{ matrix_hookshot_generic_endpoint }}" -matrix_hookshot_generic_allow_js_transformation_functions: false +matrix_hookshot_generic_urlPrefix: "{{ matrix_hookshot_urlprefix }}{{ matrix_hookshot_generic_endpoint }}" +matrix_hookshot_generic_allowJsTransformationFunctions: false # If you're also using matrix-appservice-webhooks, take care that these prefixes don't overlap -matrix_hookshot_generic_user_id_prefix: '_webhooks_' +matrix_hookshot_generic_userIdPrefix: '_webhooks_' matrix_hookshot_feeds_enabled: true 
diff --git a/roles/custom/matrix-bridge-hookshot/tasks/validate_config.yml b/roles/custom/matrix-bridge-hookshot/tasks/validate_config.yml index 3392f1b64..91d29eceb 100644 --- a/roles/custom/matrix-bridge-hookshot/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-hookshot/tasks/validate_config.yml 
@@ -1,5 +1,34 @@ --- +- name: (Deprecation) Catch and report renamed Hookshot variables + ansible.builtin.fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_hookshot_feeds_interval', 'new': 'matrix_hookshot_feeds_pollIntervalSeconds'} + - {'old': 'matrix_hookshot_generic_urlprefix', 'new': 'matrix_hookshot_generic_urlPrefix'} + - {'old': 'matrix_hookshot_generic_allow_js_transformation_functions', 'new': 'matrix_hookshot_generic_allowJsTransformationFunctions'} + - {'old': 'matrix_hookshot_generic_user_id_prefix', 'new': 'matrix_hookshot_generic_userIdPrefix'} + - {'old': 'matrix_hookshot_github_secret', 'new': 'matrix_hookshot_github_webhook_secret'} + - {'old': 'matrix_hookshot_github_appid', 'new': 'matrix_hookshot_github_auth_id'} + - {'old': 'matrix_hookshot_github_oauth_id', 'new': 'matrix_hookshot_github_oauth_client_id'} + - {'old': 'matrix_hookshot_github_oauth_secret', 'new': 'matrix_hookshot_github_oauth_client_secret'} + - {'old': 'matrix_hookshot_github_oauth_uri', 'new': 'matrix_hookshot_github_oauth_redirect_uri'} + - {'old': 'matrix_hookshot_github_ignore_hooks', 'new': 'matrix_hookshot_github_defaultOptions_ignoreHooks'} + - {'old': 'matrix_hookshot_github_command_prefix', 'new': 'matrix_hookshot_github_defaultOptions_commandPrefix'} + - {'old': 'matrix_hookshot_github_showIssueRoomLink', 'new': 'matrix_hookshot_github_defaultOptions_showIssueRoomLink'} + - {'old': 'matrix_hookshot_github_pr_diff', 'new': 'matrix_hookshot_github_defaultOptions_prDiff'} + - {'old': 'matrix_hookshot_github_including_labels', 'new': 'matrix_hookshot_github_defaultOptions_includingLabels'} + - {'old': 'matrix_hookshot_github_excluding_labels', 'new': 'matrix_hookshot_github_defaultOptions_excludingLabels'} + - {'old': 'matrix_hookshot_github_hotlink_prefix', 'new': 
'matrix_hookshot_github_defaultOptions_hotlinkIssues_prefix'} + - {'old': 'matrix_hookshot_jira_secret', 'new': 'matrix_hookshot_jira_webhook_secret'} + - {'old': 'matrix_hookshot_jira_oauth_id', 'new': 'matrix_hookshot_jira_oauth_client_id'} + - {'old': 'matrix_hookshot_jira_oauth_secret', 'new': 'matrix_hookshot_jira_oauth_client_secret'} + - {'old': 'matrix_hookshot_jira_oauth_uri', 'new': 'matrix_hookshot_jira_oauth_client_secret'} + - {'old': 'matrix_hookshot_gitlab_secret', 'new': 'matrix_hookshot_gitlab_webhook_secret'} + - name: Fail if required settings not defined ansible.builtin.fail: msg: >- @@ -15,8 +44,8 @@ You need to define a required configuration setting (`{{ item }}`) to enable GitHub. when: "matrix_hookshot_github_enabled and vars[item] == ''" with_items: - - "matrix_hookshot_github_appid" - - "matrix_hookshot_github_secret" + - "matrix_hookshot_github_auth_id" + - "matrix_hookshot_github_webhook_secret" - name: Fail if required GitHub OAuth settings not defined ansible.builtin.fail: @@ -24,8 +53,8 @@ You need to define a required configuration setting (`{{ item }}`) to enable GitHub OAuth. when: "matrix_hookshot_github_oauth_enabled and vars[item] == ''" with_items: - - "matrix_hookshot_github_oauth_id" - - "matrix_hookshot_github_oauth_secret" + - "matrix_hookshot_github_oauth_client_id" + - "matrix_hookshot_github_oauth_client_secret" - name: Fail if required Jira settings not defined ansible.builtin.fail: @@ -33,7 +62,7 @@ You need to define a required configuration setting (`{{ item }}`) to enable Jira. when: "matrix_hookshot_jira_enabled and vars[item] == ''" with_items: - - "matrix_hookshot_jira_secret" + - "matrix_hookshot_jira_webhook_secret" - name: Fail if required Jira OAuth settings not defined ansible.builtin.fail: 
@@ -41,14 +70,14 @@ You need to define a required configuration setting (`{{ item }}`) to enable Jira OAuth. when: "matrix_hookshot_jira_oauth_enabled and vars[item] == ''" with_items: - - "matrix_hookshot_jira_oauth_id" - - "matrix_hookshot_jira_oauth_secret" + - "matrix_hookshot_jira_oauth_client_id" + - "matrix_hookshot_jira_oauth_client_secret" - name: Fail if required Figma settings not defined ansible.builtin.fail: msg: >- - You need to define at least one Figma instance to enable Figma. - when: "matrix_hookshot_figma_enabled and matrix_hookshot_figma_instances is undefined" + You need to define at least one Figma instance in `matrix_hookshot_figma_instances` to enable Figma. + when: "matrix_hookshot_figma_enabled and matrix_hookshot_figma_instances | length == 0" - name: Fail if required provisioning settings not defined ansible.builtin.fail: @@ -58,15 +87,6 @@ with_items: - "matrix_hookshot_provisioning_secret" -- name: (Deprecation) Catch and report renamed Hookshot variables - ansible.builtin.fail: - msg: >- - Your configuration contains a variable, which now has a different name. - Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). - when: "item.old in vars" - with_items: - - {'old': 'matrix_hookshot_feeds_interval', 'new': 'matrix_hookshot_feeds_pollIntervalSeconds'} - - name: (Deprecation) Catch and report old metrics usage ansible.builtin.fail: msg: >- diff --git a/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2 b/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2 index 527afafaf..2eded104d 100644 --- a/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2 +++ b/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2 
@@ -14,69 +14,68 @@ github: auth: # Authentication for the GitHub App. # - id: {{ matrix_hookshot_github_appid }} + id: {{ matrix_hookshot_github_auth_id | to_json }} privateKeyFile: /data/{{ matrix_hookshot_github_private_key_file }} webhook: # Webhook settings for the GitHub app. # - secret: {{ matrix_hookshot_github_secret|to_json }} + secret: {{ matrix_hookshot_github_webhook_secret | to_json }} {% if matrix_hookshot_github_oauth_enabled %} oauth: # (Optional) Settings for allowing users to sign in via OAuth. # - client_id: {{ matrix_hookshot_github_oauth_id }} - client_secret: {{ matrix_hookshot_github_oauth_secret|to_json }} - redirect_uri: {{ matrix_hookshot_github_oauth_uri }} + client_id: {{ matrix_hookshot_github_oauth_client_id | to_json }} + client_secret: {{ matrix_hookshot_github_oauth_client_secret | to_json }} + redirect_uri: {{ matrix_hookshot_github_oauth_redirect_uri | to_json }} {% endif %} defaultOptions: # (Optional) Default options for GitHub connections. # - ignoreHooks: {{ matrix_hookshot_github_ignore_hooks }} - commandPrefix: "{{ matrix_hookshot_github_command_prefix }}" - showIssueRoomLink: {{ matrix_hookshot_github_showIssueRoomLink }} - prDiff: {{ matrix_hookshot_github_pr_diff }} - includingLabels:{{ matrix_hookshot_github_including_labels }} - excludingLabels: {{ matrix_hookshot_github_excluding_labels }} + ignoreHooks: {{ matrix_hookshot_github_defaultOptions_ignoreHooks | to_json }} + commandPrefix: {{ matrix_hookshot_github_defaultOptions_commandPrefix | to_json }} + showIssueRoomLink: {{ matrix_hookshot_github_defaultOptions_showIssueRoomLink | to_json }} + prDiff: {{ matrix_hookshot_github_defaultOptions_prDiff | to_json }} + includingLabels: {{ matrix_hookshot_github_defaultOptions_includingLabels | to_json }} + excludingLabels: {{ matrix_hookshot_github_defaultOptions_excludingLabels | to_json }} hotlinkIssues: - prefix: "{{ matrix_hookshot_github_hotlink_prefix }}" + prefix: {{ 
matrix_hookshot_github_defaultOptions_hotlinkIssues_prefix | to_json }} {% endif %} {% if matrix_hookshot_gitlab_enabled %} gitlab: # (Optional) Configure this to enable GitLab support # - instances: - {{ matrix_hookshot_gitlab_instances }} + instances: {{ matrix_hookshot_gitlab_instances | to_json }} webhook: - secret: {{ matrix_hookshot_gitlab_secret|to_json }} + secret: {{ matrix_hookshot_gitlab_webhook_secret | to_json }} {% endif %} {% if matrix_hookshot_figma_enabled %} figma: # (Optional) Configure this to enable Figma support # - publicUrl: {{ matrix_hookshot_figma_publicUrl }} - instances: {{ matrix_hookshot_figma_instances }} + publicUrl: {{ matrix_hookshot_figma_publicUrl | to_json }} + instances: {{ matrix_hookshot_figma_instances | to_json }} {% endif %} {% if matrix_hookshot_jira_enabled %} jira: # (Optional) Configure this to enable Jira support # webhook: - secret: {{ matrix_hookshot_jira_secret|to_json }} + secret: {{ matrix_hookshot_jira_webhook_secret | to_json }} {% if matrix_hookshot_jira_oauth_enabled %} oauth: - client_id: {{ matrix_hookshot_jira_oauth_id|to_json }} - client_secret: {{ matrix_hookshot_jira_oauth_secret|to_json }} - redirect_uri: {{ matrix_hookshot_jira_oauth_uri }} + client_id: {{ matrix_hookshot_jira_oauth_client_id | to_json }} + client_secret: {{ matrix_hookshot_jira_oauth_client_secret | to_json }} + redirect_uri: {{ matrix_hookshot_jira_oauth_redirect_uri | to_json }} {% endif %} {% endif %} {% if matrix_hookshot_generic_enabled %} generic: # (Optional) Support for generic webhook events. 
`allowJsTransformationFunctions` will allow users to write short transformation snippets in code, and thus is unsafe in untrusted environments # - enabled: {{ matrix_hookshot_generic_enabled }} - urlPrefix: {{ matrix_hookshot_generic_urlprefix }} - allowJsTransformationFunctions: {{ matrix_hookshot_generic_allow_js_transformation_functions }} - userIdPrefix: {{ matrix_hookshot_generic_user_id_prefix|to_json }} + enabled: {{ matrix_hookshot_generic_enabled | to_json }} + urlPrefix: {{ matrix_hookshot_generic_urlPrefix | to_json }} + allowJsTransformationFunctions: {{ matrix_hookshot_generic_allowJsTransformationFunctions | to_json }} + userIdPrefix: {{ matrix_hookshot_generic_userIdPrefix | to_json }} {% endif %} {% if matrix_hookshot_feeds_enabled %} feeds: @@ -90,7 +89,7 @@ feeds: provisioning: # (Optional) Provisioning API for integration managers # - secret: {{ matrix_hookshot_provisioning_secret|to_json }} + secret: {{ matrix_hookshot_provisioning_secret | to_json }} {% endif %} passFile: # A passkey used to encrypt tokens stored inside the bridge. @@ -100,12 +99,12 @@ passFile: bot: # (Optional) Define profile information for the bot user # - displayname: {{ matrix_hookshot_bot_displayname }} - avatar: {{ matrix_hookshot_bot_avatar }} + displayname: {{ matrix_hookshot_bot_displayname | to_json }} + avatar: {{ matrix_hookshot_bot_avatar | to_json }} metrics: # (Optional) Prometheus metrics support # - enabled: {{ matrix_hookshot_metrics_enabled }} + enabled: {{ matrix_hookshot_metrics_enabled | to_json }} logging: # (Optional) Logging settings. You can have a severity debug,info,warn,error # 
@@ -114,20 +113,20 @@ logging: widgets: # (Optional) EXPERIMENTAL support for complimentary widgets # - addToAdminRooms: {{ matrix_hookshot_widgets_addToAdminRooms }} + addToAdminRooms: {{ matrix_hookshot_widgets_addToAdminRooms | to_json }} {% if matrix_hookshot_widgets_roomSetupWidget_enabled %} roomSetupWidget: - addOnInvite: {{ matrix_hookshot_widgets_roomSetupWidget_addOnInvite }} + addOnInvite: {{ matrix_hookshot_widgets_roomSetupWidget_addOnInvite | to_json }} {% endif %} {% if not matrix_hookshot_widgets_disallowedIpRanges is in [None, ''] %} - disallowedIpRanges: {{ matrix_hookshot_widgets_disallowedIpRanges }} + disallowedIpRanges: {{ matrix_hookshot_widgets_disallowedIpRanges | to_json }} {% endif %} - publicUrl: {{ matrix_hookshot_widgets_publicUrl }} + publicUrl: {{ matrix_hookshot_widgets_publicUrl | to_json }} branding: - widgetTitle: {{ matrix_hookshot_widgets_branding_widgetTitle }} + widgetTitle: {{ matrix_hookshot_widgets_branding_widgetTitle | to_json }} {% endif %} {% if matrix_hookshot_permissions %} -permissions: {{ matrix_hookshot_permissions }} +permissions: {{ matrix_hookshot_permissions | to_json }} {% endif %} listeners: # (Optional) HTTP Listener configuration. From 84f306b236e50b04240d4cb7b466e547d1a01189 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 30 Nov 2022 08:16:33 +0200 Subject: [PATCH 113/915] Add support for enableHttpGet and waitForComplete Hookshot options Supersedes https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2256 --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 4 +++- roles/custom/matrix-bridge-hookshot/templates/config.yml.j2 | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index a81d4706a..30f3eba3c 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml 
@@ -122,13 +122,15 @@ matrix_hookshot_jira_oauth_redirect_uri: "{{ matrix_hookshot_urlprefix }}{{ matr # No need to change these matrix_hookshot_generic_enabled: true +matrix_hookshot_generic_enableHttpGet: false # Default value of matrix_hookshot_generic_endpoint: "/hookshot/webhooks" matrix_hookshot_generic_endpoint: "{{ matrix_hookshot_webhook_endpoint }}" # urlprefix gets updated with protocol & port in group_vars/matrix_servers matrix_hookshot_generic_urlPrefix: "{{ matrix_hookshot_urlprefix }}{{ matrix_hookshot_generic_endpoint }}" -matrix_hookshot_generic_allowJsTransformationFunctions: false # If you're also using matrix-appservice-webhooks, take care that these prefixes don't overlap matrix_hookshot_generic_userIdPrefix: '_webhooks_' +matrix_hookshot_generic_allowJsTransformationFunctions: false +matrix_hookshot_generic_waitForComplete: false matrix_hookshot_feeds_enabled: true diff --git a/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2 b/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2 index 2eded104d..4138f5995 100644 --- a/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2 +++ b/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2 
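Review bot: The two new defaults `matrix_hookshot_generic_enableHttpGet` and `matrix_hookshot_generic_waitForComplete` carry no comment, unlike the neighbouring `matrix_hookshot_generic_endpoint` and `userIdPrefix` entries, so a reader of the defaults file cannot tell what flipping them changes. I would add above `enableHttpGet`: `# Allow the generic webhook endpoint to accept GET as well as POST; a GET hook can be fired by a plain visit of its URL, so leave this off unless a sender cannot POST.` and above `waitForComplete`: `# Presumably makes hookshot finish processing a webhook before answering the HTTP request — confirm against the hookshot config reference.` The same two keys are rendered without any comment in the config.yml.j2 hunk of this commit, so the defaults file is the one place to explain them.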
@@ -73,9 +73,11 @@ generic: # (Optional) Support for generic webhook events. `allowJsTransformationFunctions` will allow users to write short transformation snippets in code, and thus is unsafe in untrusted environments # enabled: {{ matrix_hookshot_generic_enabled | to_json }} + enableHttpGet: {{ matrix_hookshot_generic_enableHttpGet | to_json }} urlPrefix: {{ matrix_hookshot_generic_urlPrefix | to_json }} - allowJsTransformationFunctions: {{ matrix_hookshot_generic_allowJsTransformationFunctions | to_json }} userIdPrefix: {{ matrix_hookshot_generic_userIdPrefix | to_json }} + allowJsTransformationFunctions: {{ matrix_hookshot_generic_allowJsTransformationFunctions | to_json }} + waitForComplete: {{ matrix_hookshot_generic_waitForComplete | to_json }} {% endif %} {% if matrix_hookshot_feeds_enabled %} feeds: From 4a62df2ea3057484c4d35b3fce0ae7a6f547e2e6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 30 Nov 2022 08:18:41 +0200 Subject: [PATCH 114/915] Make Hookshot logging-level configurable --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 ++ roles/custom/matrix-bridge-hookshot/templates/config.yml.j2 | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 30f3eba3c..09d214fe9 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml @@ -146,6 +146,8 @@ matrix_hookshot_provisioning_enabled: false matrix_hookshot_provisioning_internal: "/v1" matrix_hookshot_provisioning_endpoint: "{{ matrix_hookshot_public_endpoint }}{{ matrix_hookshot_provisioning_internal }}" +# Valid logging levels are: debug, info, warn, error +matrix_hookshot_logging_level: warn matrix_hookshot_widgets_enabled: true matrix_hookshot_widgets_port: 9003 
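Review bot: `matrix_hookshot_logging_level` is documented as accepting only debug, info, warn or error, but nothing checks the value before it is rendered into `level:` in config.yml.j2, so a typo such as `warning` only surfaces when hookshot fails to start. If the role has a validate_config.yml (not visible here), a fail task keyed on the same four values would catch it at playbook time instead. The rendering side in the config.yml.j2 hunk of this commit needs no change.
```yaml
- name: Fail if matrix_hookshot_logging_level is not a recognised level
  ansible.builtin.fail:
    msg: "matrix_hookshot_logging_level must be one of: debug, info, warn, error (got `{{ matrix_hookshot_logging_level }}`)"
  when: matrix_hookshot_logging_level not in ['debug', 'info', 'warn', 'error']
```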
diff --git a/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2 b/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2 index 4138f5995..c3b0bbd48 100644 --- a/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2 +++ b/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2 @@ -110,7 +110,7 @@ metrics: logging: # (Optional) Logging settings. You can have a severity debug,info,warn,error # - level: warn + level: {{ matrix_hookshot_logging_level | to_json }} {% if matrix_hookshot_widgets_enabled %} widgets: # (Optional) EXPERIMENTAL support for complimentary widgets From bc64d8ed9a69f0a7226df7ef611ad367886aed10 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 30 Nov 2022 08:32:29 +0200 Subject: [PATCH 115/915] Upgrade prometheus-node-exporter (v1.4.0 -> v1.5.0) --- roles/custom/matrix-prometheus-node-exporter/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-prometheus-node-exporter/defaults/main.yml b/roles/custom/matrix-prometheus-node-exporter/defaults/main.yml index 9b89519c5..070e86164 100644 --- a/roles/custom/matrix-prometheus-node-exporter/defaults/main.yml +++ b/roles/custom/matrix-prometheus-node-exporter/defaults/main.yml @@ -5,7 +5,7 @@ matrix_prometheus_node_exporter_enabled: false -matrix_prometheus_node_exporter_version: v1.4.0 +matrix_prometheus_node_exporter_version: v1.5.0 matrix_prometheus_node_exporter_docker_image: "{{ matrix_container_global_registry_prefix }}prom/node-exporter:{{ matrix_prometheus_node_exporter_version }}" matrix_prometheus_node_exporter_docker_image_force_pull: "{{ matrix_prometheus_node_exporter_docker_image.endswith(':latest') }}" From de979bc6a22a99384f17b07c4bf44c3a221deb9b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 30 Nov 2022 09:42:06 +0200 Subject: [PATCH 116/915] Upgrade com.devture.ansible.role.postgres --- group_vars/matrix_servers | 6 +++--- requirements.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index f2b307b19..915833971 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1686,7 +1686,7 @@ matrix_backup_borg_postgresql_databases_hostname: "{{ devture_postgres_connectio matrix_backup_borg_postgresql_databases_username: "{{ devture_postgres_connection_username if devture_postgres_enabled else '' }}" matrix_backup_borg_postgresql_databases_password: "{{ devture_postgres_connection_password if devture_postgres_enabled else '' }}" matrix_backup_borg_postgresql_databases_port: "{{ devture_postgres_connection_port if devture_postgres_enabled else 5432 }}" -matrix_backup_borg_postgresql_databases: "{{ devture_postgres_additional_databases | map(attribute='name') if devture_postgres_enabled else [] }}" +matrix_backup_borg_postgresql_databases: "{{ devture_postgres_managed_databases | map(attribute='name') if devture_postgres_enabled else [] }}" matrix_backup_borg_location_source_directories: - "{{ matrix_base_data_path }}" @@ -2268,7 +2268,7 @@ devture_postgres_systemd_services_to_stop_for_maintenance_list: | ['matrix-' + matrix_homeserver_implementation + '.service'] }} -devture_postgres_additional_databases: | +devture_postgres_managed_databases_auto: | {{ ([{ 'name': matrix_synapse_database_database, @@ -2978,7 +2978,7 @@ matrix_postgres_backup_connection_password: "{{ devture_postgres_connection_pass matrix_postgres_backup_postgres_data_path: "{{ devture_postgres_data_path if devture_postgres_enabled else '' }}" -matrix_postgres_backup_databases: "{{ devture_postgres_additional_databases | map(attribute='name') if devture_postgres_enabled else [] }}" +matrix_postgres_backup_databases: "{{ devture_postgres_managed_databases | map(attribute='name') if devture_postgres_enabled else [] }}" ###################################################################### # diff --git a/requirements.yml b/requirements.yml index c8daa6504..f7b72d1a2 100644 --- a/requirements.yml 
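Review bot: The rewritten references now read `devture_postgres_managed_databases`, while the only definition in this diff is renamed to `devture_postgres_managed_databases_auto`; the plain name is presumably assembled by the upgraded role from the `_auto` list, but nothing on this side says so. A comment above the `_auto` definition, e.g. `# Consumed by the postgres role to build devture_postgres_managed_databases; reference that name elsewhere, not this one`, would stop the next reader from treating the two names as a mismatch. The body of the `_auto` definition continues past the hunk.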
+++ b/requirements.yml @@ -19,7 +19,7 @@ version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16 - src: git+https://github.com/devture/com.devture.ansible.role.postgres.git - version: b547c81ed69a659be22016df35cc0d82cb444a76 + version: 381feb7f671c60e8875298102a7c9b41242979ee - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git version: 6ccb88ac5fc27e1e70afcd48278ade4b564a9096 From 65019a57744a636da21ab97f29666f9b21475df8 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 30 Nov 2022 08:30:50 +0000 Subject: [PATCH 117/915] Update prometheus 2.40.2 -> 2.40.4 --- roles/custom/matrix-prometheus/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-prometheus/defaults/main.yml b/roles/custom/matrix-prometheus/defaults/main.yml index e4c55da9b..a6f221102 100644 --- a/roles/custom/matrix-prometheus/defaults/main.yml +++ b/roles/custom/matrix-prometheus/defaults/main.yml @@ -5,7 +5,7 @@ matrix_prometheus_enabled: false -matrix_prometheus_version: v2.40.2 +matrix_prometheus_version: v2.40.4 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" From d37adfba4e546e4bda3b93d6ccfddf30d54b27b4 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 30 Nov 2022 08:48:07 +0000 Subject: [PATCH 118/915] Update grafana 9.2.6 -> 9.2.7 --- roles/custom/matrix-grafana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-grafana/defaults/main.yml b/roles/custom/matrix-grafana/defaults/main.yml index fa55c9c2e..fb1d66b16 100644 --- a/roles/custom/matrix-grafana/defaults/main.yml +++ b/roles/custom/matrix-grafana/defaults/main.yml 
@@ -5,7 +5,7 @@ matrix_grafana_enabled: true -matrix_grafana_version: 9.2.6 +matrix_grafana_version: 9.2.7 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" From 4eed49f9312dca2af4cafde6905ece965dc13843 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Wed, 30 Nov 2022 10:59:25 +0200 Subject: [PATCH 119/915] Replace custom/matrix-postgres-backup role with galaxy/com.devture.ansible.role.postgres_backup This role is usable on its own and it's not tied to Matrix, so extracting it out into an independent role that we install via ansible-galaxy makes sense. This also fixes the confusion from the other day, where `matrix_postgres_*` had to be renamed to `devture_postgres_*` (unless it was about `matrix_postgres_backup_*`). We now can safely say that ALL `matrix_postgres_*` variables need to be renamed. Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2305 --- CHANGELOG.md | 9 +++ docs/configuring-playbook-postgres-backup.md | 17 +++--- group_vars/matrix_servers | 59 ++++++++++++------- playbooks/matrix.yml | 5 +- requirements.yml | 3 + .../matrix-postgres-backup/defaults/main.yml | 45 -------------- .../matrix-postgres-backup/tasks/main.yml | 20 ------- .../tasks/setup_install.yml | 51 ---------------- .../tasks/setup_uninstall.yml | 39 ------------ .../tasks/validate_config.yml | 27 --------- .../templates/env-postgres-backup.j2 | 12 ---- .../systemd/matrix-postgres-backup.service.j2 | 31 ---------- .../tasks/validate_config.yml | 10 ++-- 13 files changed, 69 insertions(+), 259 deletions(-) delete mode 100644 roles/custom/matrix-postgres-backup/defaults/main.yml delete mode 100644 roles/custom/matrix-postgres-backup/tasks/main.yml delete mode 100644 roles/custom/matrix-postgres-backup/tasks/setup_install.yml delete mode 100644 roles/custom/matrix-postgres-backup/tasks/setup_uninstall.yml delete mode 100644 roles/custom/matrix-postgres-backup/tasks/validate_config.yml delete mode 100644 roles/custom/matrix-postgres-backup/templates/env-postgres-backup.j2 delete mode 100644 roles/custom/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 8bd1210d7..3be19f005 100644 --- a/CHANGELOG.md 
+++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2022-11-30 + +## matrix-postgres-backup has been replaced by the com.devture.ansible.role.postgres_backup external role + +Just like we've [replaced Postgres with an external role](#matrix-postgres-has-been-replaced-by-the-comdevtureansiblerolepostgres-external-role) on 2022-11-28, we're now replacing `matrix-postgres-backup` with an external role - [com.devture.ansible.role.postgres_backup](https://github.com/devture/com.devture.ansible.role.postgres_backup). + +You'll need to rename your `matrix_postgres_backup`-prefixed variables such that they use a `devture_postgres_backup` prefix. + + # 2022-11-28 ## matrix-postgres has been replaced by the com.devture.ansible.role.postgres external role diff --git a/docs/configuring-playbook-postgres-backup.md b/docs/configuring-playbook-postgres-backup.md index 75b599c88..2510ecc11 100644 --- a/docs/configuring-playbook-postgres-backup.md +++ b/docs/configuring-playbook-postgres-backup.md @@ -1,6 +1,6 @@ # Setting up postgres backup (optional) -The playbook can install and configure [docker-postgres-backup-local](https://github.com/prodrigestivill/docker-postgres-backup-local) for you. +The playbook can install and configure [docker-postgres-backup-local](https://github.com/prodrigestivill/docker-postgres-backup-local) for you via the [com.devture.ansible.role.postgres_backup](https://github.com/devture/com.devture.ansible.role.postgres_backup) Ansible role. For a more complete backup solution (one that includes not only Postgres, but also other configuration/data files), you may wish to look into [borg backup](configuring-playbook-backup-borg.md) instead. 
@@ -10,7 +10,7 @@ For a more complete backup solution (one that includes not only Postgres, but al Minimal working configuration (`inventory/host_vars/matrix.DOMAIN/vars.yml`) to enable Postgres backup: ```yaml -matrix_postgres_backup_enabled: true +devture_postgres_backup_enabled: true ``` Refer to the table below for additional configuration variables and their default values. 
@@ -18,12 +18,13 @@ Refer to the table below for additional configuration variables and their defaul | Name | Default value | Description | | :-------------------------------- | :--------------------------- | :--------------------------------------------------------------- | -|`matrix_postgres_backup_enabled`|`false`|Set to true to use [docker-postgres-backup-local](https://github.com/prodrigestivill/docker-postgres-backup-local) to create automatic database backups| -|`matrix_postgres_backup_schedule`| `'@daily'` |Cron-schedule specifying the interval between postgres backups.| -|`matrix_postgres_backup_keep_days`|`7`|Number of daily backups to keep| -|`matrix_postgres_backup_keep_weeks`|`4`|Number of weekly backups to keep| -|`matrix_postgres_backup_keep_months`|`12`|Number of monthly backups to keep| -|`matrix_postgres_backup_path` | `"{{ matrix_base_data_path }}/postgres-backup"` | Storagepath for the database backups| +|`devture_postgres_backup_enabled`|`false`|Set to true to use [docker-postgres-backup-local](https://github.com/prodrigestivill/docker-postgres-backup-local) to create automatic database backups| +|`devture_postgres_backup_schedule`| `'@daily'` |Cron-schedule specifying the interval between postgres backups.| +|`devture_postgres_backup_keep_days`|`7`|Number of daily backups to keep| +|`devture_postgres_backup_keep_weeks`|`4`|Number of weekly backups to keep| +|`devture_postgres_backup_keep_months`|`12`|Number of monthly backups to keep| +|`devture_postgres_base_path` | `"{{ matrix_base_data_path }}/postgres-backup"` | Base path for postgres-backup. Also see `devture_postgres_data_path` | +|`devture_postgres_data_path` | `"{{ devture_postgres_base_path }}/data"` | Storage path for postgres-backup database backups | ## Installing diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 915833971..6824d8921 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -289,7 +289,7 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': (devture_postgres_identifier + '.service'), 'priority': 500, 'groups': ['matrix', 'postgres']}] if devture_postgres_enabled else []) + - ([{'name': 'matrix-postgres-backup.service', 'priority': 3000, 'groups': ['matrix', 'backup', 'postgres-backup']}] if matrix_postgres_backup_enabled else []) + ([{'name': (devture_postgres_backup_identifier + '.service'), 'priority': 3000, 'groups': ['matrix', 'backup', 'postgres-backup']}] if devture_postgres_backup_enabled else []) + ([{'name': 'matrix-prometheus.service', 'priority': 4000, 'groups': ['matrix', 'monitoring', 'prometheus', 'prometheus-core']}] if matrix_prometheus_enabled else []) + @@ -2241,6 +2241,7 @@ matrix_ssl_pre_obtaining_required_service_name: "{{ 'matrix-dynamic-dns' if matr # ###################################################################### + ######################################################################## # # # com.devture.ansible.role.postgres # 
@@ -2504,6 +2505,42 @@ devture_postgres_managed_databases_auto: | # # ######################################################################## + +######################################################################## +# # +# com.devture.ansible.role.postgres_backup # +# # +######################################################################## + +devture_postgres_backup_enabled: false + +devture_postgres_backup_identifier: matrix-postgres-backup + +devture_postgres_backup_architecture: "{{ matrix_architecture }}" + +devture_postgres_backup_base_path: "{{ matrix_base_data_path }}/postgres-backup" + +devture_postgres_backup_container_network: "{{ matrix_docker_network }}" + +devture_postgres_backup_uid: "{{ matrix_user_uid }}" +devture_postgres_backup_gid: "{{ matrix_user_gid }}" + +devture_postgres_backup_connection_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +devture_postgres_backup_connection_port: "{{ devture_postgres_connection_port if devture_postgres_enabled else 5432 }}" +devture_postgres_backup_connection_username: "{{ devture_postgres_connection_username if devture_postgres_enabled else '' }}" +devture_postgres_backup_connection_password: "{{ devture_postgres_connection_password if devture_postgres_enabled else '' }}" + +devture_postgres_backup_postgres_data_path: "{{ devture_postgres_data_path if devture_postgres_enabled else '' }}" + +devture_postgres_backup_databases: "{{ devture_postgres_managed_databases | map(attribute='name') if devture_postgres_enabled else [] }}" + +######################################################################## +# # +# /com.devture.ansible.role.postgres_backup # +# # +######################################################################## + + ###################################################################### # # matrix-sygnal 
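Review bot: The path variables this block defines (`devture_postgres_backup_base_path`, `devture_postgres_backup_postgres_data_path`) do not match the table added to docs/configuring-playbook-postgres-backup.md in the same commit, which lists `devture_postgres_base_path` and `devture_postgres_data_path`; those read as the Postgres role's own variables, so a user following the table to relocate backups could instead move the database's data directory. The table rows should name the backup role's variables as set here, with the exact data-path name checked against the role at the pinned commit. Separately, the deleted matrix-postgres-backup.service.j2 ran the container with `--cap-drop=ALL`, `--read-only` and a non-root `--user`; whether the external role keeps those flags is not visible in this diff and is worth confirming before the custom role is dropped.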
@@ -2965,26 +3002,6 @@ matrix_registration_database_password: "{{ '%s' | format(matrix_homeserver_gener # ###################################################################### -###################################################################### -# -# matrix-postgres-backup -# -###################################################################### - -matrix_postgres_backup_connection_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" -matrix_postgres_backup_connection_port: "{{ devture_postgres_connection_port if devture_postgres_enabled else 5432 }}" -matrix_postgres_backup_connection_username: "{{ devture_postgres_connection_username if devture_postgres_enabled else '' }}" -matrix_postgres_backup_connection_password: "{{ devture_postgres_connection_password if devture_postgres_enabled else '' }}" - -matrix_postgres_backup_postgres_data_path: "{{ devture_postgres_data_path if devture_postgres_enabled else '' }}" - -matrix_postgres_backup_databases: "{{ devture_postgres_managed_databases | map(attribute='name') if devture_postgres_enabled else [] }}" - -###################################################################### -# -# /matrix-postgres-backup -# -###################################################################### ###################################################################### # diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index d97b92831..5b6f1ccea 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml @@ -97,8 +97,11 @@ - custom/matrix-nginx-proxy - custom/matrix-coturn - custom/matrix-aux - - custom/matrix-postgres-backup + + - role: galaxy/com.devture.ansible.role.postgres_backup + - custom/matrix-backup-borg + - custom/matrix-user-creator - custom/matrix-common-after diff --git a/requirements.yml b/requirements.yml index f7b72d1a2..0711fa4e0 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -21,6 +21,9 @@ - src: git+https://github.com/devture/com.devture.ansible.role.postgres.git version: 381feb7f671c60e8875298102a7c9b41242979ee +- src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git + version: 77b1f9ae1aafa31c9078178c1036bf744c99d08b + - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git version: 6ccb88ac5fc27e1e70afcd48278ade4b564a9096 diff --git a/roles/custom/matrix-postgres-backup/defaults/main.yml b/roles/custom/matrix-postgres-backup/defaults/main.yml deleted file mode 100644 index 8e45a8e25..000000000 --- a/roles/custom/matrix-postgres-backup/defaults/main.yml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -# Project source code URL: https://github.com/prodrigestivill/docker-postgres-backup-local - -matrix_postgres_backup_enabled: false - -matrix_postgres_backup_connection_hostname: '' -matrix_postgres_backup_connection_port: 5432 -matrix_postgres_backup_connection_username: "matrix" -matrix_postgres_backup_connection_password: "" - -matrix_postgres_backup_extra_opts: "-Z9 --schema=public --blobs" -matrix_postgres_backup_schedule: "@daily" -matrix_postgres_backup_keep_days: 7 -matrix_postgres_backup_keep_weeks: 4 -matrix_postgres_backup_keep_months: 12 -matrix_postgres_backup_healthcheck_port: "8080" -matrix_postgres_backup_databases: [] -matrix_postgres_backup_path: "{{ matrix_base_data_path }}/postgres-backup" - -# Specifies where the Postgres data is. -# We use this to autodetect the Postgres version during playbook runtime (by parsing the `PG_VERSION` file contained there). -# You can leave this empty to prevent auto-detection. -matrix_postgres_backup_postgres_data_path: "" - -matrix_postgres_backup_architecture: amd64 - -# matrix_postgres_backup_docker_image_distro controls whether we use Alpine-based images (`-alpine`) or the normal Debian-based images. -# Alpine-based Postgres images are smaller and we usually prefer them, but they don't work on ARM32 (tested on a Raspberry Pi 3 running Raspbian 10.7). 
-# On ARM32, `-alpine` images fail with the following error: -# > LOG: startup process (PID 37) was terminated by signal 11: Segmentation fault -matrix_postgres_backup_docker_image_distro: "{{ 'alpine' if matrix_postgres_backup_architecture in ['amd64', 'arm64'] else 'debian' }}" - -matrix_postgres_backup_docker_image_v9: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:9.6-{{ matrix_postgres_backup_docker_image_distro }}-2aa03d1" -matrix_postgres_backup_docker_image_v10: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:10-{{ matrix_postgres_backup_docker_image_distro }}-2cf00a5" -matrix_postgres_backup_docker_image_v11: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:11-{{ matrix_postgres_backup_docker_image_distro }}-2cf00a5" -matrix_postgres_backup_docker_image_v12: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:12-{{ matrix_postgres_backup_docker_image_distro }}-2cf00a5" -matrix_postgres_backup_docker_image_v13: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:13-{{ matrix_postgres_backup_docker_image_distro }}-2cf00a5" -matrix_postgres_backup_docker_image_v14: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:14-{{ matrix_postgres_backup_docker_image_distro }}-2cf00a5" -matrix_postgres_backup_docker_image_v15: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:15-{{ matrix_postgres_backup_docker_image_distro }}-2cf00a5" -matrix_postgres_backup_docker_image_latest: "{{ matrix_postgres_backup_docker_image_v15 }}" - -# This variable is assigned at runtime. Overriding its value has no effect. -matrix_postgres_backup_docker_image_to_use: '{{ matrix_postgres_backup_docker_image_latest }}' - -matrix_postgres_backup_docker_image_force_pull: "{{ matrix_postgres_backup_docker_image_to_use.endswith(':latest') }}" 
diff --git a/roles/custom/matrix-postgres-backup/tasks/main.yml b/roles/custom/matrix-postgres-backup/tasks/main.yml deleted file mode 100644 index 4db5c82ee..000000000 --- a/roles/custom/matrix-postgres-backup/tasks/main.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- - -- block: - - when: matrix_postgres_backup_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - - - when: matrix_postgres_backup_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: - - setup-all - - setup-postgres-backup - - install-all - - install-postgres-backup - -- block: - - when: not matrix_postgres_backup_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-postgres-backup diff --git a/roles/custom/matrix-postgres-backup/tasks/setup_install.yml b/roles/custom/matrix-postgres-backup/tasks/setup_install.yml deleted file mode 100644 index fee5d3ff1..000000000 --- a/roles/custom/matrix-postgres-backup/tasks/setup_install.yml +++ /dev/null 
@@ -1,51 +0,0 @@ ---- - - -- ansible.builtin.include_role: - name: galaxy/com.devture.ansible.role.postgres - tasks_from: detect_existing_postgres_version - when: 'matrix_postgres_backup_postgres_data_path != ""' - -# If we have found an existing version (installed from before), we use its corresponding Docker image. -# If not, we install using the latest Postgres. -# -# Upgrading is supposed to be performed separately and explicitly (see `upgrade_postgres.yml`). -- ansible.builtin.set_fact: - matrix_postgres_backup_docker_image_to_use: "{{ matrix_postgres_backup_docker_image_latest if matrix_postgres_backup_detected_version_corresponding_docker_image | default('') == '' else matrix_postgres_backup_detected_version_corresponding_docker_image }}" - -- name: Ensure postgres backup Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_postgres_backup_docker_image_to_use }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_postgres_backup_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_postgres_backup_docker_image_force_pull }}" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure Postgres backup paths exist - ansible.builtin.file: - path: "{{ item }}" - state: directory - mode: 0700 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_postgres_backup_path }}" - -- name: Ensure Postgres environment variables file created - ansible.builtin.template: - src: "{{ role_path }}/templates/{{ item }}.j2" - dest: "{{ matrix_postgres_backup_path }}/{{ item }}" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - mode: 0640 - with_items: 
- - "env-postgres-backup" - -- name: Ensure matrix-postgres-backup.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-postgres-backup.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-postgres-backup.service" - mode: 0644 diff --git a/roles/custom/matrix-postgres-backup/tasks/setup_uninstall.yml b/roles/custom/matrix-postgres-backup/tasks/setup_uninstall.yml deleted file mode 100644 index 61b6840c8..000000000 --- a/roles/custom/matrix-postgres-backup/tasks/setup_uninstall.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- - -- name: Check existence of matrix-postgres-backup service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-postgres-backup.service" - register: matrix_postgres_backup_service_stat - - -- when: matrix_postgres_backup_service_stat.stat.exists | bool - block: - - name: Ensure matrix-postgres-backup is stopped - ansible.builtin.service: - name: matrix-postgres-backup - state: stopped - enabled: false - daemon_reload: true - - - name: Ensure matrix-postgres-backup.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-postgres-backup.service" - state: absent - -- name: Check existence of matrix-postgres-backup backup path - ansible.builtin.stat: - path: "{{ matrix_postgres_backup_path }}" - register: matrix_postgres_backup_path_stat - -# We just want to notify the user. Deleting data is too destructive. -- name: Inject warning if matrix-postgres backup data remains - ansible.builtin.set_fact: - devture_playbook_runtime_messages_list: | - {{ - devture_playbook_runtime_messages_list | default([]) - + - [ - "NOTE: You are not using the local backup service to backup the PostgreSQL database, but some old data remains from before in `{{ matrix_postgres_backup_path }}`. Feel free to delete it." - ] - }} - when: matrix_postgres_backup_path_stat.stat.exists | bool 
diff --git a/roles/custom/matrix-postgres-backup/tasks/validate_config.yml b/roles/custom/matrix-postgres-backup/tasks/validate_config.yml deleted file mode 100644 index 285328c23..000000000 --- a/roles/custom/matrix-postgres-backup/tasks/validate_config.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- - -- name: Fail if required postgres-backup settings not defined - ansible.builtin.fail: - msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" - with_items: - - "matrix_postgres_backup_connection_hostname" - - "matrix_postgres_backup_connection_username" - - "matrix_postgres_backup_connection_password" - - "matrix_postgres_backup_connection_port" - - "matrix_postgres_backup_schedule" - - "matrix_postgres_backup_keep_days" - - "matrix_postgres_backup_keep_weeks" - - "matrix_postgres_backup_keep_months" - - "matrix_postgres_backup_path" - - "matrix_postgres_backup_databases" - -- name: (Deprecation) Catch and report renamed settings - ansible.builtin.fail: - msg: >- - Your configuration contains a variable, which now has a different name. - Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). - when: "item.old in vars" - with_items: - - {'old': 'matrix_postgres_backup_docker_image_suffix', 'new': 'matrix_postgres_backup_docker_image_distro'} diff --git a/roles/custom/matrix-postgres-backup/templates/env-postgres-backup.j2 b/roles/custom/matrix-postgres-backup/templates/env-postgres-backup.j2 deleted file mode 100644 index 5a3a1ffd6..000000000 --- a/roles/custom/matrix-postgres-backup/templates/env-postgres-backup.j2 +++ /dev/null 
@@ -1,12 +0,0 @@ -#jinja2: lstrip_blocks: "True" -POSTGRES_USER={{ matrix_postgres_backup_connection_username }} -POSTGRES_PASSWORD={{ matrix_postgres_backup_connection_password }} -POSTGRES_HOST={{ matrix_postgres_backup_connection_hostname }} -POSTGRES_DB={{ matrix_postgres_backup_databases|join(', ') }} -POSTGRES_EXTRA_OPTS={{ matrix_postgres_backup_extra_opts }} -SCHEDULE={{ matrix_postgres_backup_schedule }} -BACKUP_KEEP_DAYS={{ matrix_postgres_backup_keep_days }} -BACKUP_KEEP_WEEKS={{ matrix_postgres_backup_keep_weeks }} -BACKUP_KEEP_MONTHS={{ matrix_postgres_backup_keep_months }} -HEALTHCHECK_PORT={{ matrix_postgres_backup_healthcheck_port }} -POSTGRES_PORT={{ matrix_postgres_backup_connection_port }} \ No newline at end of file diff --git a/roles/custom/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 b/roles/custom/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 deleted file mode 100644 index 618eb548e..000000000 --- a/roles/custom/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 +++ /dev/null 
@@ -1,31 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Automatic Backup of Matrix Postgres server -After=docker.service -Requires=docker.service -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} stop matrix-postgres-backup -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-postgres-backup 2>/dev/null || true' - -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-postgres-backup \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - --network={{ matrix_docker_network }} \ - --env-file={{ matrix_postgres_backup_path }}/env-postgres-backup \ - --mount type=bind,src={{ matrix_postgres_backup_path }},dst=/backups \ - {{ matrix_postgres_backup_docker_image_to_use }} - -ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} stop matrix-postgres-backup -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-postgres-backup 2>/dev/null || true' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-postgres-backup - -[Install] -WantedBy=multi-user.target diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index 00c88192a..f4ce2bdca 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml 
@@ -41,8 +41,10 @@ The matrix-postgres role in the playbook has been replaced with the com.devture.ansible.role.postgres role (https://github.com/devture/com.devture.ansible.role.postgres). The new role is pretty much the same, but uses differently named variables. - Please change your configuration (vars.yml) to rename all matrix-postgres variables (`matrix_postgres_*` -> `devture_postgres_*`). - Note that `matrix_postgres_backup_*` variables (used by the `matrix-postgres-backup` role) need to remain as they are for now. Do not rename those! + The matrix-postgres-backup role in the playbook has been replaced with the com.devture.ansible.role.postgres_backup role (https://github.com/devture/com.devture.ansible.role.postgres_backup). + The new role is pretty much the same, but uses differently named variables. + + Please change your configuration (vars.yml) to rename all `matrix_postgres`-prefixed variables (`matrix_postgres_*` -> `devture_postgres_*`). - The following variables in your configuration need to be renamed: {{ vars | dict2items | rejectattr('key', 'match', 'matrix_postgres_backup_') | selectattr('key', 'match', 'matrix_postgres_.*') | map (attribute='key') | join(', ') }} - when: "vars | dict2items | rejectattr('key', 'match', 'matrix_postgres_backup_') | selectattr('key', 'match', 'matrix_postgres_.*') | list | items2dict" + The following variables in your configuration need to be renamed: {{ vars | dict2items | selectattr('key', 'match', 'matrix_postgres_.*') | map (attribute='key') | join(', ') }} + when: "vars | dict2items | selectattr('key', 'match', 'matrix_postgres_.*') | list | items2dict" From d5ea17d66f7d4da735285c81779b03e3787570e4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 30 Nov 2022 11:18:39 +0200 Subject: [PATCH 120/915] Make postgres-backup priority start later --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
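Review bot: The new `when:` line builds a dict via `items2dict` only to test the filtered list for emptiness, and the `match` test already anchors at the start of the key, so the trailing `.*` in `'matrix_postgres_.*'` is redundant on both the message line and the `when` line. A more direct form is `when: "vars | dict2items | selectattr('key', 'match', 'matrix_postgres_') | list | length > 0"`, with the same simplification applied to the `selectattr` in the message. The enclosing task starts outside the hunk.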
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 6824d8921..f816a08f8 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -289,7 +289,7 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': (devture_postgres_identifier + '.service'), 'priority': 500, 'groups': ['matrix', 'postgres']}] if devture_postgres_enabled else []) + - ([{'name': (devture_postgres_backup_identifier + '.service'), 'priority': 3000, 'groups': ['matrix', 'backup', 'postgres-backup']}] if devture_postgres_backup_enabled else []) + ([{'name': (devture_postgres_backup_identifier + '.service'), 'priority': 5000, 'groups': ['matrix', 'backup', 'postgres-backup']}] if devture_postgres_backup_enabled else []) + ([{'name': 'matrix-prometheus.service', 'priority': 4000, 'groups': ['matrix', 'monitoring', 'prometheus', 'prometheus-core']}] if matrix_prometheus_enabled else []) + From 0a018ac22bc46a8562444cd5651067eeb83c5513 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 30 Nov 2022 11:22:00 +0200 Subject: [PATCH 121/915] Add internal Postgres instance (if enabled) to postgres-backup dependencies --- group_vars/matrix_servers | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index f816a08f8..71bd18812 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2520,6 +2520,13 @@ devture_postgres_backup_architecture: "{{ matrix_architecture }}" devture_postgres_backup_base_path: "{{ matrix_base_data_path }}/postgres-backup" +devture_postgres_backup_systemd_required_services_list: | + {{ + (['docker.service']) + + + ([(devture_postgres_identifier + '.service')] if devture_postgres_enabled else []) + }} + devture_postgres_backup_container_network: "{{ matrix_docker_network }}" devture_postgres_backup_uid: "{{ matrix_user_uid }}" From dc817f30cef022362254e02c075df85c80c908f0 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Wed, 30 Nov 2022 11:50:21 +0200 Subject: [PATCH 122/915] Upgrade Grafana (9.2.7 -> 9.3.0) --- roles/custom/matrix-grafana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-grafana/defaults/main.yml b/roles/custom/matrix-grafana/defaults/main.yml index fb1d66b16..2aacd23d3 100644 --- a/roles/custom/matrix-grafana/defaults/main.yml +++ b/roles/custom/matrix-grafana/defaults/main.yml @@ -5,7 +5,7 @@ matrix_grafana_enabled: true -matrix_grafana_version: 9.2.7 +matrix_grafana_version: 9.3.0 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" From e3d21e8096bf59ce6af8f3e09a21c71da0b2c6ea Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 30 Nov 2022 11:55:23 +0200 Subject: [PATCH 123/915] Rename some default Hookshot variables Fixup for 7e2e2626a042246962b1c Some references were left unrenamed which caused `validate_config.yml` to trigger. --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 09d214fe9..b06db2806 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml 
@@ -64,11 +64,11 @@ matrix_hookshot_github_private_key_file: 'private-key.pem' matrix_hookshot_github_webhook_secret: '' # "Webhook secret" on the GitHub App page matrix_hookshot_github_oauth_enabled: false # You need to configure oauth settings only when you have enabled oauth (optional) -matrix_hookshot_github_oauth_id: '' # "Client ID" on the GitHub App page -matrix_hookshot_github_oauth_secret: '' # "Client Secret" on the GitHub App page +matrix_hookshot_github_oauth_client_id: '' # "Client ID" on the GitHub App page +matrix_hookshot_github_oauth_client_secret: '' # "Client Secret" on the GitHub App page # Default value of matrix_hookshot_github_oauth_endpoint: "/hookshot/webhooks/oauth" matrix_hookshot_github_oauth_endpoint: "{{ matrix_hookshot_webhook_endpoint }}/oauth" -matrix_hookshot_github_oauth_uri: "{{ matrix_hookshot_urlprefix }}{{ matrix_hookshot_github_oauth_endpoint }}" +matrix_hookshot_github_oauth_redirect_uri: "{{ matrix_hookshot_urlprefix }}{{ matrix_hookshot_github_oauth_endpoint }}" # These are the default settings mentioned here and don't need to be modified: https://matrix-org.github.io/matrix-hookshot/usage/room_configuration/github_repo.html#configuration matrix_hookshot_github_defaultOptions_ignoreHooks: {} # noqa var-naming From 8ca6cdd016a35377ca5d2693b9c2fd719cf21db0 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 30 Nov 2022 12:25:51 +0000 Subject: [PATCH 124/915] fix hookshot role --- .../custom/matrix-bridge-hookshot/templates/registration.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-hookshot/templates/registration.yml.j2 b/roles/custom/matrix-bridge-hookshot/templates/registration.yml.j2 index d076ea108..87509a127 100644 --- a/roles/custom/matrix-bridge-hookshot/templates/registration.yml.j2 +++ b/roles/custom/matrix-bridge-hookshot/templates/registration.yml.j2 
@@ -18,7 +18,7 @@ namespaces: exclusive: true {% endif %} {% if matrix_hookshot_generic_enabled %} - - regex: "@{{ matrix_hookshot_generic_user_id_prefix }}.*:{{ matrix_domain }}" # Where foobar is your homeserver's domain // depending on userIdPrefix setting in conf + - regex: "@{{ matrix_hookshot_generic_userIdPrefix }}.*:{{ matrix_domain }}" # Where foobar is your homeserver's domain // depending on userIdPrefix setting in conf exclusive: true {% endif %} aliases: From ea401170e11bab53b57dce555eb47ddaa06b4879 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Thu, 1 Dec 2022 15:16:33 +0000 Subject: [PATCH 125/915] Update prometheus 2.40.4 -> 2.40.5 --- roles/custom/matrix-prometheus/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-prometheus/defaults/main.yml b/roles/custom/matrix-prometheus/defaults/main.yml index a6f221102..77e7fb1af 100644 --- a/roles/custom/matrix-prometheus/defaults/main.yml +++ b/roles/custom/matrix-prometheus/defaults/main.yml @@ -5,7 +5,7 @@ matrix_prometheus_enabled: false -matrix_prometheus_version: v2.40.4 +matrix_prometheus_version: v2.40.5 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" From 9e9303015906d3824ba7bc80a521cf4d6c5be7c3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 1 Dec 2022 23:29:33 +0200 Subject: [PATCH 126/915] Upgrade Grafana (9.3.0 -> 9.3.1) --- roles/custom/matrix-grafana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-grafana/defaults/main.yml b/roles/custom/matrix-grafana/defaults/main.yml index 2aacd23d3..49f2eb511 100644 --- a/roles/custom/matrix-grafana/defaults/main.yml +++ b/roles/custom/matrix-grafana/defaults/main.yml 
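Review bot: The changed `regex:` line interpolates `matrix_hookshot_generic_userIdPrefix` and `matrix_domain` into the appservice namespace regex unescaped, so regex metacharacters in either value (at least the dots in the domain) widen the pattern, and because this namespace is `exclusive: true` a wider pattern reserves more user IDs on the homeserver than intended. Escaping both values keeps the match literal: `- regex: "@{{ matrix_hookshot_generic_userIdPrefix | regex_escape }}.*:{{ matrix_domain | regex_escape }}"`. The trailing comment `# Where foobar is your homeserver's domain` refers to a placeholder that no longer appears on the line and could be dropped. The enclosing namespace list starts outside the hunk.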
@@ -5,7 +5,7 @@ matrix_grafana_enabled: true -matrix_grafana_version: 9.3.0 +matrix_grafana_version: 9.3.1 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" From a353bda7a1df55862bcda00109b514ac731d3dba Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 1 Dec 2022 23:30:09 +0200 Subject: [PATCH 127/915] Upgrade appservice-slack (2.0.1 -> 2.0.2) --- roles/custom/matrix-bridge-appservice-slack/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-appservice-slack/defaults/main.yml b/roles/custom/matrix-bridge-appservice-slack/defaults/main.yml index 8884edd6b..6fb6d7e7f 100644 --- a/roles/custom/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/custom/matrix-bridge-appservice-slack/defaults/main.yml @@ -11,7 +11,7 @@ matrix_appservice_slack_docker_src_files_path: "{{ matrix_base_data_path }}/apps # matrix_appservice_slack_version used to contain the full Docker image tag (e.g. `release-X.X.X`). # It's a bare version number now. We try to somewhat retain compatibility below. -matrix_appservice_slack_version: 2.0.1 +matrix_appservice_slack_version: 2.0.2 matrix_appservice_slack_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-slack:{{ matrix_appservice_slack_docker_image_tag }}" matrix_appservice_slack_docker_image_tag: "{{ 'latest' if matrix_appservice_slack_version == 'latest' else ('release-' + matrix_appservice_slack_version) }}" matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}" From d59bbfdfc9acdc6b9436c7a393bea269b1f0cc1e Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Fri, 2 Dec 2022 19:14:29 +0200 Subject: [PATCH 128/915] Upgrade Hookshot (2.4.0 -> 2.5.0) --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index b06db2806..14c0e6df3 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml @@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git" matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}" -matrix_hookshot_version: 2.4.0 +matrix_hookshot_version: 2.5.0 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}" matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}" @@ -135,7 +135,7 @@ matrix_hookshot_generic_waitForComplete: false matrix_hookshot_feeds_enabled: true matrix_hookshot_feeds_pollIntervalSeconds: 600 # noqa var-naming -matrix_hookshot_feeds_pollTimeoutSeconds: 10 # noqa var-naming +matrix_hookshot_feeds_pollTimeoutSeconds: 30 # noqa var-naming # There is no need to edit ports. use matrix_hookshot_container_http_host_bind_ports below to expose ports instead. From 4589f9405385b0b9f34a567583d79159f73b68eb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 2 Dec 2022 19:17:35 +0200 Subject: [PATCH 129/915] Upgrade Postgres (minor versions upgrade) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 0711fa4e0..eef5b0543 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -19,7 +19,7 @@ version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16 - src: git+https://github.com/devture/com.devture.ansible.role.postgres.git - version: 381feb7f671c60e8875298102a7c9b41242979ee + version: e75973e3a4edc12dfc3e880e43b12ebecbf82c61 - src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git version: 77b1f9ae1aafa31c9078178c1036bf744c99d08b From ceb2c3027701e104b361e3c42f20e737a0117aa2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 3 Dec 2022 15:37:17 +0200 Subject: [PATCH 130/915] Upgrade mautrix-signal (v0.4.1 -> v0.4.2) --- roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml index 736c45575..18681feb5 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml @@ -9,7 +9,7 @@ matrix_mautrix_signal_docker_repo: "https://mau.dev/mautrix/signal.git" matrix_mautrix_signal_docker_repo_version: "{{ 'master' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}" matrix_mautrix_signal_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signal/docker-src" -matrix_mautrix_signal_version: v0.4.1 +matrix_mautrix_signal_version: v0.4.2 matrix_mautrix_signal_daemon_version: 0.23.0 # See: https://mau.dev/mautrix/signal/container_registry matrix_mautrix_signal_docker_image: "dock.mau.dev/mautrix/signal:{{ matrix_mautrix_signal_version }}" From b31731ebf843fb3e873a4599f19791b4c5685349 Mon Sep 17 00:00:00 2001 
From: Quentin Young Date: Sun, 4 Dec 2022 01:14:20 -0500 Subject: [PATCH 131/915] fix s3 storage provider not ensuring data dir This path is accessed by the s3 storage provider stuff and needs to be ensured. Broken by 7c5c3aedc --- roles/custom/matrix-synapse/defaults/main.yml | 1 + roles/custom/matrix-synapse/tasks/setup_install.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 1a9b18a71..ca8a095c1 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -61,6 +61,7 @@ matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext" matrix_synapse_ext_s3_storage_provider_base_path: "{{ matrix_synapse_base_path }}/ext/s3-storage-provider" matrix_synapse_ext_s3_storage_provider_bin_path: "{{ matrix_synapse_ext_s3_storage_provider_base_path }}/bin" +matrix_synapse_ext_s3_storage_provider_data_path: "{{ matrix_synapse_ext_s3_storage_provider_base_path }}/data" matrix_synapse_container_client_api_port: 8008 diff --git a/roles/custom/matrix-synapse/tasks/setup_install.yml b/roles/custom/matrix-synapse/tasks/setup_install.yml index d1ef7ed4c..921df753e 100644 --- a/roles/custom/matrix-synapse/tasks/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/setup_install.yml @@ -16,6 +16,7 @@ - {path: "{{ matrix_synapse_ext_s3_storage_provider_base_path }}", when: "{{ matrix_synapse_ext_synapse_s3_storage_provider_enabled }}"} - {path: "{{ matrix_synapse_ext_s3_storage_provider_bin_path }}", when: "{{ matrix_synapse_ext_synapse_s3_storage_provider_enabled }}"} + - {path: "{{ matrix_synapse_ext_s3_storage_provider_data_path }}", when: "{{ matrix_synapse_ext_synapse_s3_storage_provider_enabled }}"} # We handle matrix_synapse_media_store_path elsewhere (in ./synapse/setup_install.yml), # because if it's using Goofys and it's already mounted (from before), 
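Review bot: The new `matrix_synapse_ext_s3_storage_provider_data_path` item in `setup_install.yml` inherits whatever `mode`/`owner` the surrounding directory loop applies, and that loop starts outside the hunk; a later commit in this series renders `database.yaml` into this directory with `mode: 0640`, which presumably holds database connection credentials, so the directory should not be more permissive than that file's parent needs to be. Worth confirming the loop's `mode` is not world-readable and recording the reason next to the new item, e.g. `# holds database.yaml (connection settings); keep non-world-readable`.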
From 7464604ddd119aa72be7b17f51bf226b7aca166e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 4 Dec 2022 10:17:55 +0200 Subject: [PATCH 132/915] Make use of matrix_synapse_ext_s3_storage_provider_data_path in a few more places --- .../tasks/ext/s3-storage-provider/setup_install.yml | 2 +- .../templates/synapse/ext/s3-storage-provider/bin/migrate.j2 | 2 +- .../templates/synapse/ext/s3-storage-provider/bin/shell.j2 | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_install.yml b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_install.yml index 11958f45e..c892e0b6f 100644 --- a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_install.yml @@ -27,7 +27,7 @@ - name: Ensure s3-storage-provider database.yaml file installed ansible.builtin.template: src: "{{ role_path }}/templates/synapse/ext/s3-storage-provider/database.yaml.j2" - dest: "{{ matrix_synapse_ext_s3_storage_provider_base_path }}/data/database.yaml" + dest: "{{ matrix_synapse_ext_s3_storage_provider_data_path }}/database.yaml" mode: 0640 - name: Ensure s3-storage-provider scripts installed diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/migrate.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/migrate.j2 index 70518eb48..6ce085f29 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/migrate.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/migrate.j2 
@@ -5,7 +5,7 @@ --rm \ --env-file={{ matrix_synapse_ext_s3_storage_provider_base_path }}/env \ --mount type=bind,src={{ matrix_synapse_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \ - --mount type=bind,src={{ matrix_synapse_ext_s3_storage_provider_base_path }}/data,dst=/data \ + --mount type=bind,src={{ matrix_synapse_ext_s3_storage_provider_data_path }},dst=/data \ --workdir=/data \ --network={{ matrix_docker_network }} \ --entrypoint=/bin/bash \ diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/shell.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/shell.j2 index 00717705f..a54948826 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/shell.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/shell.j2 @@ -6,7 +6,7 @@ --rm \ --env-file={{ matrix_synapse_ext_s3_storage_provider_base_path }}/env \ --mount type=bind,src={{ matrix_synapse_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \ - --mount type=bind,src={{ matrix_synapse_ext_s3_storage_provider_base_path }}/data,dst=/data \ + --mount type=bind,src={{ matrix_synapse_ext_s3_storage_provider_data_path }},dst=/data \ --workdir=/data \ --network={{ matrix_docker_network }} \ --entrypoint=/bin/bash \ From 64145990790906428a59d17aa9d46c67eb5b5614 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 5 Dec 2022 09:46:11 +0200 Subject: [PATCH 133/915] Upgrade Coturn (4.6.0 -> 4.6.1) --- roles/custom/matrix-coturn/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-coturn/defaults/main.yml b/roles/custom/matrix-coturn/defaults/main.yml index b2aff9844..3a125de48 100644 --- a/roles/custom/matrix-coturn/defaults/main.yml +++ b/roles/custom/matrix-coturn/defaults/main.yml 
@@ -8,7 +8,7 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}" matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile" -matrix_coturn_version: 4.6.0-r0 +matrix_coturn_version: 4.6.1-r0 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine" matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" From b2a40effaf2451afff851f95b00395ff08e3aff1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 5 Dec 2022 10:02:54 +0200 Subject: [PATCH 134/915] Fix Element self-building by switching to docker-buildx Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2318 --- .../tasks/setup_install.yml | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/roles/custom/matrix-client-element/tasks/setup_install.yml b/roles/custom/matrix-client-element/tasks/setup_install.yml index 16f75ab47..813b4da04 100644 --- a/roles/custom/matrix-client-element/tasks/setup_install.yml +++ b/roles/custom/matrix-client-element/tasks/setup_install.yml 
@@ -50,16 +50,13 @@ when: "matrix_client_element_container_image_self_build | bool and matrix_client_element_container_image_self_build_low_memory_system_patch_enabled | bool" - name: Ensure Element Docker image is built - community.docker.docker_image: - name: "{{ matrix_client_element_docker_image }}" - source: build - force_source: "{{ matrix_client_element_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_client_element_git_pull_results.changed }}" - build: - dockerfile: Dockerfile - path: "{{ matrix_client_element_docker_src_files_path }}" - pull: true - when: "matrix_client_element_container_image_self_build | bool" + ansible.builtin.command: + cmd: |- + {{ devture_systemd_docker_base_host_command_docker }} buildx build + --tag={{ matrix_client_element_docker_image }} + --file={{ matrix_client_element_docker_src_files_path }}/Dockerfile + {{ matrix_client_element_docker_src_files_path }} + when: matrix_client_element_container_image_self_build | bool - name: Ensure Element configuration installed ansible.builtin.copy: From d8df03dfc90b10fd8c939ff5d8d5f6ae821ba9e5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 5 Dec 2022 11:46:22 +0200 Subject: [PATCH 135/915] Mark Postgres v15 as supported for borg backup Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2257 Fixed in https://gitlab.com/etke.cc/borgmatic/-/commit/d134cd7c4c0aadecc2c00df45bd8371e248aa81f (thanks to `alpine:latest` now being `alpine:3.17.0`, which includes Postgres v15) --- roles/custom/matrix-backup-borg/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-backup-borg/defaults/main.yml b/roles/custom/matrix-backup-borg/defaults/main.yml index fbeb11670..472abe976 100644 --- a/roles/custom/matrix-backup-borg/defaults/main.yml 
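Review bot: The replacement `ansible.builtin.command` task drops two things the removed `community.docker.docker_image` task had: `pull: true`, so the base image named in the Dockerfile is no longer refreshed on rebuild, and the `force_source`/`force` tie to `matrix_client_element_git_pull_results.changed`, so the build now runs (and reports changed) on every playbook run. Adding `--pull` to the invocation, `{{ devture_systemd_docker_base_host_command_docker }} buildx build --pull`, restores the first; a `changed_when:` or an extra `when:` clause keyed on `matrix_client_element_git_pull_results.changed` restores the second if unconditional rebuilds are not intended. The `cmd: |-` block is passed as a single string that `command` splits on whitespace, so the multi-line layout works, but a short comment saying so would spare the next reader from wondering whether `argv` was meant.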
+++ b/roles/custom/matrix-backup-borg/defaults/main.yml @@ -37,7 +37,7 @@ matrix_backup_borg_location_source_directories: [] # postgres db backup matrix_backup_borg_postgresql_enabled: true -matrix_backup_borg_supported_postgres_versions: ['12', '13', '14'] +matrix_backup_borg_supported_postgres_versions: ['12', '13', '14', '15'] matrix_backup_borg_postgresql_databases: [] matrix_backup_borg_postgresql_databases_hostname: '' matrix_backup_borg_postgresql_databases_username: "matrix" From 1f1a3dfc3807a3cbc115904c15d6cd2235d1d97a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 5 Dec 2022 14:42:02 +0200 Subject: [PATCH 136/915] Ensure database port is passed to Borg as an integer Without this, it's a string and borg says: > At 'hooks.postgresql_databases[INDEX_HERE].port': '5432' is not of type 'integer' > /etc/borgmatic/config.yaml /etc/borgmatic.d /tmp/.config/borgmatic/config.yaml /tmp/.config/borgmatic.d: No valid configuration files found .. and fails to do anything. --- roles/custom/matrix-backup-borg/templates/config.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-backup-borg/templates/config.yaml.j2 b/roles/custom/matrix-backup-borg/templates/config.yaml.j2 index 210b7a65a..105c0ce1f 100644 --- a/roles/custom/matrix-backup-borg/templates/config.yaml.j2 +++ b/roles/custom/matrix-backup-borg/templates/config.yaml.j2 @@ -34,7 +34,7 @@ hooks: hostname: {{ matrix_backup_borg_postgresql_databases_hostname|to_json }} username: {{ matrix_backup_borg_postgresql_databases_username|to_json }} password: {{ matrix_backup_borg_postgresql_databases_password|to_json }} - port: {{ matrix_backup_borg_postgresql_databases_port|to_json }} + port: {{ matrix_backup_borg_postgresql_databases_port | int | to_json }} {% endfor %} {% endif %} after_backup: From 64b03c2dfdcbe9f8794045cae6387306269e52b7 Mon Sep 17 00:00:00 2001 
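Review bot: On the changed `port:` line, `matrix_backup_borg_postgresql_databases_port | int` silently yields `0` when the value is not numeric (the `int` filter falls back to its default rather than failing), so a mistyped port renders as `port: 0` and only surfaces later as a borgmatic connection error. If the intent is just to coerce a string such as `'5432'`, keep the filter but fail early with a check in the role's validation task along the lines of `matrix_backup_borg_postgresql_databases_port | string is match('^[0-9]+$')`. The enclosing `for` loop over the databases starts outside the hunk.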
From: Slavi Pantaleev Date: Mon, 5 Dec 2022 14:56:38 +0200 Subject: [PATCH 137/915] Fix backup-borg repository initialization for borgmatic 1.7+ (or borg 2.0) --- .../templates/systemd/matrix-backup-borg.service.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-backup-borg/templates/systemd/matrix-backup-borg.service.j2 b/roles/custom/matrix-backup-borg/templates/systemd/matrix-backup-borg.service.j2 index 533f6e42f..8048c2e48 100644 --- a/roles/custom/matrix-backup-borg/templates/systemd/matrix-backup-borg.service.j2 +++ b/roles/custom/matrix-backup-borg/templates/systemd/matrix-backup-borg.service.j2 @@ -31,7 +31,7 @@ ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} run --rm --n {{ arg }} \ {% endfor %} {{ matrix_backup_borg_docker_image }} \ - sh -c "borgmatic --init --encryption {{ matrix_backup_borg_encryption }}" + sh -c "borgmatic rcreate --encryption {{ matrix_backup_borg_encryption }}" ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-backup-borg \ --log-driver=none \ From 7b123907e05e2837bb8f101ef3d9d9a789bdb118 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 5 Dec 2022 15:15:47 +0200 Subject: [PATCH 138/915] Fix borg repository URL format Reference: https://borgbackup.readthedocs.io/en/stable/usage/general.html#repository-urls Otherwise, we'd get: > /etc/borgmatic.d/config.yaml: Remote repository paths without ssh:// syntax are deprecated. Interpreting "user@hostname:matrix" as "ssh://user@hostname/./matrix" --- docs/configuring-playbook-backup-borg.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-backup-borg.md b/docs/configuring-playbook-backup-borg.md index f3cfc6def..b6b5cb096 100644 --- a/docs/configuring-playbook-backup-borg.md +++ b/docs/configuring-playbook-backup-borg.md 
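Review bot: The changed `sh -c` line still interpolates `matrix_backup_borg_encryption` into a double-quoted shell string without quoting, and `borgmatic rcreate --encryption` accepts only a fixed set of mode names, so a value containing spaces or shell metacharacters alters the command rather than failing clearly; the `ExecStartPre=-` prefix additionally ignores the exit status, presumably so an already-initialized repository does not block the backup, which also hides a genuine creation failure until `ExecStart` runs. A cheap guard is to validate the variable against borg's accepted mode names in the role's validation task and to note the intent on the line above, e.g. `# `-` prefix: failure is ignored so an existing repository does not block the backup`. The enclosing `ExecStartPre` command starts outside the hunk.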
@@ -40,7 +40,7 @@ Minimal working configuration (`inventory/host_vars/matrix.DOMAIN/vars.yml`) to ```yaml matrix_backup_borg_enabled: true matrix_backup_borg_location_repositories: - - USER@HOST:REPO + - ssh://USER@HOST/./REPO matrix_backup_borg_storage_encryption_passphrase: "PASSPHRASE" matrix_backup_borg_ssh_key_private: | -----BEGIN OPENSSH PRIVATE KEY----- From 8005557061c0e795be334d47ae8f6669ecf4ab8c Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Mon, 5 Dec 2022 15:28:07 +0200 Subject: [PATCH 139/915] Give backup-borg container more permissions to perform the backup Running with a user (like `matrix:matrix`) fails if Etherpad is enabled, because `/matrix/etherpad` is owned by `matrix_etherpad_user_uid`/`matrix_etherpad_user_gid` (`5001:5001`). The `matrix` user can't access the Etherpad directory for this reason and Borgmatic fails when trying to make a backup. There may be other things under `/matrix` which similarly use non-`matrix:matrix` permissions. Another workaround might have been to add `/matrix/etherpad` (and potentially other things) to `matrix_backup_borg_location_exclude_patterns`, but: - that means Etherpad won't be backed up - not great - only excluding Etherpad may not be enough. There may be other files we need to exclude as well --- Running with `root` is still not enough though. We need at least the `CAP_DAC_OVERRIDE` capability, or we won't be able to read the `/etc/borgmatic.d/config.yaml` configuration file (owned by `matrix:matrix` with `0640` permissions). --- Additionally, it seems like the backup process tries to write to at least a few directories: - `/root/.borgmatic` - `/root/.ssh` - `/root/.config` > [Errno 30] Read-only file system: '/root/.borgmatic' > Error while creating a backup. > /etc/borgmatic.d/config.yaml: Error running configuration file We either need to stop mounting the container filesystem as readonly (remove `--read-only`) or to allow writing via a `tmpfs`. I've gone the `tmpfs` route which seems to work. In any case, the mounted source directories (`matrix_backup_borg_location_source_directories`) are read-only regardless, so our actual source files are protected from unintentional changes. --- .../templates/systemd/matrix-backup-borg.service.j2 | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
diff --git a/roles/custom/matrix-backup-borg/templates/systemd/matrix-backup-borg.service.j2 b/roles/custom/matrix-backup-borg/templates/systemd/matrix-backup-borg.service.j2 index 8048c2e48..760fd5749 100644 --- a/roles/custom/matrix-backup-borg/templates/systemd/matrix-backup-borg.service.j2 +++ b/roles/custom/matrix-backup-borg/templates/systemd/matrix-backup-borg.service.j2 @@ -33,12 +33,16 @@ ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} run --rm --n {{ matrix_backup_borg_docker_image }} \ sh -c "borgmatic rcreate --encryption {{ matrix_backup_borg_encryption }}" +# The `CAP_DAC_OVERRIDE` capability is required, so that `root` in the container +# can read the `/etc/borgmatic.d/config.yaml` (`{{ matrix_backup_borg_config_path }}/config.yaml`) file, +# owned by `matrix:matrix` on the filesystem. ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-backup-borg \ --log-driver=none \ --cap-drop=ALL \ + --cap-add=CAP_DAC_OVERRIDE \ --read-only \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --network={{ matrix_docker_network }} \ + --tmpfs=/root:rw,noexec,nosuid,size=100m \ --tmpfs=/tmp:rw,noexec,nosuid,size=100m \ --mount type=bind,src={{ matrix_backup_borg_config_path }}/passwd,dst=/etc/passwd,ro \ --mount type=bind,src={{ matrix_backup_borg_config_path }},dst=/etc/borgmatic.d,ro \ From b1c77f9bf29e42949988daaf58ac2114579e7a83 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 5 Dec 2022 15:45:33 +0200 Subject: [PATCH 140/915] Add comment to matrix-backup-borg.service Related to 8005557061c0e795be334 --- .../templates/systemd/matrix-backup-borg.service.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/custom/matrix-backup-borg/templates/systemd/matrix-backup-borg.service.j2 b/roles/custom/matrix-backup-borg/templates/systemd/matrix-backup-borg.service.j2 index 760fd5749..900369b9d 100644 --- a/roles/custom/matrix-backup-borg/templates/systemd/matrix-backup-borg.service.j2 
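Review bot: `--cap-add=CAP_DAC_OVERRIDE` combined with dropping `--user` lets the in-container `root` bypass both read and write permission checks on every mount, while the commit message only needs read access to `config.yaml` and to the source directories; `CAP_DAC_READ_SEARCH` grants exactly that (read and directory-search bypass) and is the narrower choice, `--cap-add=CAP_DAC_READ_SEARCH \`, provided every write target is the `/root` and `/tmp` tmpfs or a remote repository — worth confirming for local paths in `matrix_backup_borg_location_repositories` before switching. The bind mounts visible in the hunk are `ro`, so the remaining exposure is any writable mount defined outside it. The `ExecStart` command continues outside the hunk.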
+++ b/roles/custom/matrix-backup-borg/templates/systemd/matrix-backup-borg.service.j2 @@ -36,6 +36,9 @@ ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} run --rm --n # The `CAP_DAC_OVERRIDE` capability is required, so that `root` in the container # can read the `/etc/borgmatic.d/config.yaml` (`{{ matrix_backup_borg_config_path }}/config.yaml`) file, # owned by `matrix:matrix` on the filesystem. +# +# `/root` is mountes as temporary filesystem, because we're using `--read-only` and because +# Borgmatic tries to write to at least a few paths under `/root` (`.config`, `.ssh`, `.borgmatic`). ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-backup-borg \ --log-driver=none \ --cap-drop=ALL \ From 7f2cdd9889f419e35c955effe978e8ac4a59b5ec Mon Sep 17 00:00:00 2001 From: felixx9 <51174875+felixx9@users.noreply.github.com> Date: Tue, 6 Dec 2022 08:47:54 +0100 Subject: [PATCH 141/915] matrix_ to devture_ I'm not sure, but this should be changed to devture_postgres_... !? https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#2022-11-28 ```yaml matrix_postgres_process_extra_arguments: [ "-c 'max_connections=200'" ] ``` --- docs/configuring-playbook-synapse.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-synapse.md b/docs/configuring-playbook-synapse.md index 50860a178..cf60da764 100644 --- a/docs/configuring-playbook-synapse.md +++ b/docs/configuring-playbook-synapse.md @@ -37,7 +37,7 @@ If you'd like more customization power, you can start with one of the presets an If you increase worker counts too much, you may need to increase the maximum number of Postgres connections too (example): ```yaml -matrix_postgres_process_extra_arguments: [ +devture_postgres_process_extra_arguments: [ "-c 'max_connections=200'" ] ``` From 9ab2a72e86f7ae0d3420784ca3ad7dc34c77c68c Mon Sep 17 00:00:00 2001 
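Review bot: The added comment has a typo on its second line, `mountes` should be `mounted`, and the line reads more precisely as `# `/root` is mounted as a tmpfs, because the container runs with `--read-only` and`. The rest of the comment documents the tmpfs well.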
From: Slavi Pantaleev Date: Tue, 6 Dec 2022 10:12:31 +0200 Subject: [PATCH 142/915] More matrix_postgres -> devture_postgres changes Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2319 --- docs/maintenance-postgres.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md index cf7f5eeb5..f2ca907da 100644 --- a/docs/maintenance-postgres.md +++ b/docs/maintenance-postgres.md @@ -99,7 +99,7 @@ Example: `--extra-vars="postgres_dump_name=matrix-postgres-dump.sql"` ## Tuning PostgreSQL -PostgreSQL can be tuned to make it run faster. This is done by passing extra arguments to Postgres with the `matrix_postgres_process_extra_arguments` variable. You should use a website like https://pgtune.leopard.in.ua/ or information from https://wiki.postgresql.org/wiki/Tuning_Your_PostgreSQL_Server to determine what Postgres settings you should change. +PostgreSQL can be tuned to make it run faster. This is done by passing extra arguments to Postgres with the `devture_postgres_process_extra_arguments` variable. You should use a website like https://pgtune.leopard.in.ua/ or information from https://wiki.postgresql.org/wiki/Tuning_Your_PostgreSQL_Server to determine what Postgres settings you should change. **Note**: the configuration generator at https://pgtune.leopard.in.ua/ adds spaces around the `=` sign, which is invalid. You'll need to remove it manually (`max_connections = 300` -> `max_connections=300`) @@ -109,7 +109,7 @@ These are not recommended values and they may not work well for you. This is jus Here is an example config for a small 2 core server with 4GB of RAM and SSD storage: ``` -matrix_postgres_process_extra_arguments: [ +devture_postgres_process_extra_arguments: [ "-c shared_buffers=128MB", "-c effective_cache_size=2304MB", "-c effective_io_concurrency=100", 
@@ -120,7 +120,7 @@ matrix_postgres_process_extra_arguments: [ Here is an example config for a 4 core server with 8GB of RAM on a Virtual Private Server (VPS); the paramters have been configured using https://pgtune.leopard.in.ua with the following setup: PostgreSQL version 12, OS Type: Linux, DB Type: Mixed type of application, Data Storage: SSD storage: ``` -matrix_postgres_process_extra_arguments: [ +devture_postgres_process_extra_arguments: [ "-c max_connections=100", "-c shared_buffers=2GB", "-c effective_cache_size=6GB", @@ -142,7 +142,7 @@ matrix_postgres_process_extra_arguments: [ Here is an example config for a large 6 core server with 24GB of RAM: ``` -matrix_postgres_process_extra_arguments: [ +devture_postgres_process_extra_arguments: [ "-c max_connections=40", "-c shared_buffers=1536MB", "-c checkpoint_completion_target=0.7", From 84d529b54226002920a1cacedc19dc7ad18e85bd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 6 Dec 2022 15:47:07 +0200 Subject: [PATCH 143/915] Upgrade Synapse (v1.72.0 -> v1.73.0) Synapse Worker configuration updates are coming later. --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index ca8a095c1..08fbd7b6d 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml 
@@ -36,7 +36,7 @@ matrix_synapse_container_image_customizations_dockerfile_body_custom: '' matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:{{ matrix_synapse_docker_image_tag }}" matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else matrix_container_global_registry_prefix }}" -matrix_synapse_version: v1.72.0 +matrix_synapse_version: v1.73.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From 135bb5af3e4c0c2cca6e70a18910647ce45896e7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 6 Dec 2022 15:47:35 +0200 Subject: [PATCH 144/915] Do not specify send_federation in Synapse config It's unnecessary when `federation_sender_instances` is populated. Source: https://github.com/matrix-org/synapse/commit/6acb6d772a77a4398c112d82118c5b79755a91cb --- roles/custom/matrix-synapse/defaults/main.yml | 5 ----- roles/custom/matrix-synapse/tasks/validate_config.yml | 2 ++ .../matrix-synapse/templates/synapse/homeserver.yaml.j2 | 6 ------ 3 files changed, 2 insertions(+), 11 deletions(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 08fbd7b6d..e096bc857 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml 
@@ -569,11 +569,6 @@ matrix_synapse_workers_federation_sender_workers_metrics_range_start: 19400 # Adjusting this value manually is generally not necessary. matrix_synapse_federation_sender_instances: [] -# matrix_synapse_send_federation controls if the main Synapse process should send federation traffic or if it should be left to federation_sender workers (see `matrix_synapse_federation_sender_instances`). -# This is allowed if workers are disabled, or they are enabled, but there are no federation sender workers. -# Adjusting this value manually is generally not necessary. -matrix_synapse_send_federation: "{{ not matrix_synapse_workers_enabled or (matrix_synapse_workers_enabled_list | selectattr('type', 'equalto', 'federation_sender') | list | length == 0) }}" - matrix_synapse_workers_media_repository_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['media_repository_workers_count'] }}" matrix_synapse_workers_media_repository_workers_port_range_start: 18551 matrix_synapse_workers_media_repository_workers_metrics_range_start: 19551 diff --git a/roles/custom/matrix-synapse/tasks/validate_config.yml b/roles/custom/matrix-synapse/tasks/validate_config.yml index 0f63211d0..c0a9a7299 100644 --- a/roles/custom/matrix-synapse/tasks/validate_config.yml +++ b/roles/custom/matrix-synapse/tasks/validate_config.yml @@ -60,6 +60,8 @@ - {'old': 'matrix_synapse_workers_frontend_proxy_workers_port_range_start', 'new': ''} - {'old': 'matrix_synapse_workers_frontend_proxy_workers_metrics_range_start', 'new': ''} - {'old': 'matrix_synapse_ext_s3_storage_provider_path', 'new': 'matrix_synapse_ext_s3_storage_provider_base_path'} + - {'old': 'matrix_synapse_send_federation', 'new': ''} + - name: (Deprecation) Catch and report renamed settings in matrix_synapse_configuration_extension_yaml ansible.builtin.fail: 
diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 9b02346cf..c8fea7065 100644 --- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2836,12 +2836,6 @@ opentracing: ## Workers ## -# Disables sending of outbound federation transactions on the main process. -# Uncomment if using a federation sender worker. -# -#send_federation: false -send_federation: {{ matrix_synapse_send_federation | to_json }} - # It is possible to run multiple federation sender workers, in which case the # work is balanced across them. # From 663fe29ddb935682cc5c6a1567b342b6ef4d097c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 6 Dec 2022 15:49:56 +0200 Subject: [PATCH 145/915] Do not specify start_pushers in Synapse config It's unnecessary when `pusher_instances` is populated. Source: https://github.com/matrix-org/synapse/commit/6acb6d772a77a4398c112d82118c5b79755a91cb --- roles/custom/matrix-synapse/defaults/main.yml | 5 ----- roles/custom/matrix-synapse/tasks/validate_config.yml | 1 + .../matrix-synapse/templates/synapse/homeserver.yaml.j2 | 1 - 3 files changed, 1 insertion(+), 6 deletions(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index e096bc857..19c6d2b14 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml 
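Review bot: Dropping `send_federation` from the template makes correct behaviour depend on a Synapse that infers it from `federation_sender_instances` (the commit linked in the message); if an operator pins `matrix_synapse_version` to an older release, the main process would presumably fall back to the old default and send federation in parallel with the sender workers. A one-line comment at the place the setting was removed would save the next maintainer from re-adding it, e.g. `# send_federation is intentionally not set: Synapse infers it from federation_sender_instances below (requires a recent Synapse).`. Alternatively, `validate_config.yml` could assert the minimum Synapse version when federation sender workers are enabled, mirroring the deprecation check the commit adds there.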
@@ -554,11 +554,6 @@ matrix_synapse_workers_pusher_workers_metrics_range_start: 19200 # Adjusting this value manually is generally not necessary. matrix_synapse_federation_pusher_instances: [] -# matrix_synapse_start_pushers controls if the main Synapse process should push out notifications or if it should be left to pusher workers (see `matrix_synapse_federation_pusher_instances`). -# This is enabled if workers are disabled, or if they are enabled, but there are no pusher workers. -# Adjusting this value manually is generally not necessary. -matrix_synapse_start_pushers: "{{ not matrix_synapse_workers_enabled or (matrix_synapse_workers_enabled_list | selectattr('type', 'equalto', 'pusher') | list | length == 0) }}" - # matrix_synapse_workers_federation_sender_workers_count controls the number of federation sender workers to spawn. # See https://matrix-org.github.io/synapse/latest/workers.html#synapseappfederation_sender matrix_synapse_workers_federation_sender_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['federation_sender_workers_count'] }}" diff --git a/roles/custom/matrix-synapse/tasks/validate_config.yml b/roles/custom/matrix-synapse/tasks/validate_config.yml index c0a9a7299..56f12bf67 100644 --- a/roles/custom/matrix-synapse/tasks/validate_config.yml +++ b/roles/custom/matrix-synapse/tasks/validate_config.yml @@ -61,6 +61,7 @@ - {'old': 'matrix_synapse_workers_frontend_proxy_workers_metrics_range_start', 'new': ''} - {'old': 'matrix_synapse_ext_s3_storage_provider_path', 'new': 'matrix_synapse_ext_s3_storage_provider_base_path'} - {'old': 'matrix_synapse_send_federation', 'new': ''} + - {'old': 'matrix_synapse_start_pushers', 'new': ''} - name: (Deprecation) Catch and report renamed settings in matrix_synapse_configuration_extension_yaml diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index c8fea7065..3767a3fc8 100644 
--- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2853,7 +2853,6 @@ federation_sender_instances: {{ matrix_synapse_federation_sender_instances | to_ {% if matrix_synapse_federation_pusher_instances | length > 0 %} pusher_instances: {{ matrix_synapse_federation_pusher_instances | to_json }} {% endif %} -start_pushers: {{ matrix_synapse_start_pushers | to_json }} # When using workers this should be a map from `worker_name` to the # HTTP replication listener of the worker, if configured. From 13e739910445c25d3b7437c1c643086effa01068 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 6 Dec 2022 15:52:16 +0200 Subject: [PATCH 146/915] Handle /timestamp_to_event via Synapse workers Related to https://github.com/matrix-org/synapse/commit/8f10c8b054fc970838be9ae6f1f5aea95f166c98 --- roles/custom/matrix-synapse/vars/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/custom/matrix-synapse/vars/main.yml b/roles/custom/matrix-synapse/vars/main.yml index 18bb5e18d..46277c872 100644 --- a/roles/custom/matrix-synapse/vars/main.yml +++ b/roles/custom/matrix-synapse/vars/main.yml @@ -134,6 +134,7 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/federation/(v1|v2)/send_leave/ - ^/_matrix/federation/(v1|v2)/invite/ - ^/_matrix/federation/v1/event_auth/ + - ^/_matrix/federation/v1/timestamp_to_event/ - ^/_matrix/federation/v1/exchange_third_party_invite/ - ^/_matrix/federation/v1/user/devices/ - ^/_matrix/key/v2/query @@ -161,6 +162,7 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$ - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/ - ^/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$ + - ^/_matrix/client/v1/rooms/.*/timestamp_to_event$ - ^/_matrix/client/(api/v1|r0|v3|unstable)/search$ # Encryption requests From 9edc7da67d7a00c984b2777c34ee50290f92345b Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Tue, 6 Dec 2022 15:53:38 +0200 Subject: [PATCH 147/915] Do not specify now-unnecessary worker_main_http_uri Synapse worker setting Related to - https://github.com/matrix-org/synapse/commit/c15e9a0edb696990365ac5a4e5be847b5ae23921 - https://github.com/matrix-org/synapse/commit/01a052789266179c70c10ea6a6253c64fd9990d2 --- roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2 | 4 ---- 1 file changed, 4 deletions(-) diff --git a/roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2 index 2b0df98dd..f0e6fe90a 100644 --- a/roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2 @@ -10,10 +10,6 @@ worker_replication_host: matrix-synapse worker_replication_http_port: {{ matrix_synapse_replication_http_port }} {% endif %} -{% if matrix_synapse_worker_details.type == 'generic_worker' %} -worker_main_http_uri: http://matrix-synapse:{{ matrix_synapse_container_client_api_port }} -{% endif %} - {% set http_resources = [] %} {% if matrix_synapse_worker_details.type == 'user_dir' %} From ba4580a1fd2045db86b40c0b78d342db5b4f40d5 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 6 Dec 2022 14:50:56 +0000 Subject: [PATCH 148/915] Update element v1.11.15 -> v1.11.16 --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index eb93691f4..480e41a43 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml 
@@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.11.15 +matrix_client_element_version: v1.11.16 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From ba13231c58479d4a2de8f25594c5c2ecc6261344 Mon Sep 17 00:00:00 2001 From: Aine Date: Tue, 6 Dec 2022 22:51:17 +0200 Subject: [PATCH 149/915] update postmoogle 0.9.9 -> 0.9.10 --- .../matrix-bot-postmoogle/defaults/main.yml | 33 +++++++++++-------- .../matrix-bot-postmoogle/templates/env.j2 | 8 ++++- 2 files changed, 26 insertions(+), 15 deletions(-) diff --git a/roles/custom/matrix-bot-postmoogle/defaults/main.yml b/roles/custom/matrix-bot-postmoogle/defaults/main.yml index 24bf7cf2e..14795d1f3 100644 --- a/roles/custom/matrix-bot-postmoogle/defaults/main.yml +++ b/roles/custom/matrix-bot-postmoogle/defaults/main.yml 
@@ -9,7 +9,7 @@ matrix_bot_postmoogle_docker_repo: "https://gitlab.com/etke.cc/postmoogle.git" matrix_bot_postmoogle_docker_repo_version: "{{ 'main' if matrix_bot_postmoogle_version == 'latest' else matrix_bot_postmoogle_version }}" matrix_bot_postmoogle_docker_src_files_path: "{{ matrix_base_data_path }}/postmoogle/docker-src" -matrix_bot_postmoogle_version: v0.9.9 +matrix_bot_postmoogle_version: v0.9.10 matrix_bot_postmoogle_docker_image: "{{ matrix_bot_postmoogle_docker_image_name_prefix }}postmoogle:{{ matrix_bot_postmoogle_version }}" matrix_bot_postmoogle_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_postmoogle_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}" matrix_bot_postmoogle_docker_image_force_pull: "{{ matrix_bot_postmoogle_docker_image.endswith(':latest') }}" @@ -78,18 +78,6 @@ matrix_bot_postmoogle_prefix: '!pm' # Max email size in megabytes, including attachments matrix_bot_postmoogle_maxsize: '1024' -# DEPRECATED, use !pm users instead -# A list of whitelisted users allowed to use the bridge. -# If not defined, everyone is allowed. -# Example set of rules: -# matrix_bot_postmoogle_users: -# - @someone:example.com -# - @another:example.com -# - @bot.*:example.com -# - @*:another.com -matrix_bot_postmoogle_users: - - "@*:{{ matrix_domain }}" - # A list of admins # Example set of rules: # matrix_bot_postmoogle_admins: 
@@ -99,9 +87,17 @@ matrix_bot_postmoogle_users: # - @*:another.com matrix_bot_postmoogle_admins: "{{ [matrix_admin] if matrix_admin else [] }}" -# Sentry DSN +# Sentry DSN. Deprecated, use matrix_bot_postmoogle_monitoring_sentry_dsn matrix_bot_postmoogle_sentry: '' +# Sentry integration +matrix_bot_postmoogle_monitoring_sentry_dsn: "{{ matrix_bot_postmoogle_sentry }}" +matrix_bot_postmoogle_monitoring_sentry_rate: 20 + +# healthchecks.io integration +matrix_bot_postmoogle_monitoring_healthchecks_uuid: '' +matrix_bot_postmoogle_monitoring_healthchecks_duration: 60 + # Log level matrix_bot_postmoogle_loglevel: 'INFO' @@ -147,6 +143,15 @@ matrix_bot_postmoogle_tls_key: "" # Mandatory TLS, even on plain SMTP port matrix_bot_postmoogle_tls_required: false +# trusted proxies +matrix_bot_postmoogle_proxies: [] + +# reserved mailboxes +matrix_bot_postmoogle_mailboxes_reserved: [] + +# mailbox activation flow +matrix_bot_postmoogle_mailboxes_activation: none + # Additional environment variables to pass to the postmoogle container # # Example: diff --git a/roles/custom/matrix-bot-postmoogle/templates/env.j2 b/roles/custom/matrix-bot-postmoogle/templates/env.j2 index 855bd882e..3b22040b7 100644 --- a/roles/custom/matrix-bot-postmoogle/templates/env.j2 +++ b/roles/custom/matrix-bot-postmoogle/templates/env.j2 @@ -7,7 +7,6 @@ POSTMOOGLE_DB_DSN={{ matrix_bot_postmoogle_database_connection_string }} POSTMOOGLE_DB_DIALECT={{ matrix_bot_postmoogle_database_dialect }} POSTMOOGLE_PREFIX={{ matrix_bot_postmoogle_prefix }} POSTMOOGLE_MAXSIZE={{ matrix_bot_postmoogle_maxsize }} -POSTMOOGLE_SENTRY={{ matrix_bot_postmoogle_sentry }} POSTMOOGLE_LOGLEVEL={{ matrix_bot_postmoogle_loglevel }} POSTMOOGLE_NOENCRYPTION={{ matrix_bot_postmoogle_noencryption }} POSTMOOGLE_ADMINS={{ matrix_bot_postmoogle_admins | join(' ') }} 
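Review bot: Removing the `matrix_bot_postmoogle_users` default (`@*:{{ matrix_domain }}`) changes the bot's effective access policy: the deleted comment said that when the list is not defined "everyone is allowed", so unless the new Postmoogle release restricts usage on its own, users from other homeservers may be able to use the bridge until an admin runs `!pm users`. The defaults should state what the runtime default is and how to lock it down, e.g. replace the deleted block with `# Allowed users are managed at runtime via the `!pm users` command (admins only). Confirm the default policy of your Postmoogle version before exposing the bot.`. The new `matrix_bot_postmoogle_proxies: []` also deserves a line explaining what listing a host grants (presumably trusting forwarded client addresses from it — confirm), since an over-broad list weakens any per-IP controls the bot applies.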
@@ -16,5 +15,12 @@ POSTMOOGLE_TLS_CERT={{ matrix_bot_postmoogle_tls_cert }} POSTMOOGLE_TLS_KEY={{ matrix_bot_postmoogle_tls_key }} POSTMOOGLE_TLS_REQUIRED={{ matrix_bot_postmoogle_tls_required }} POSTMOOGLE_DATA_SECRET={{ matrix_bot_postmoogle_data_secret }} +POSTMOOGLE_PROXIES={{ matrix_bot_postmoogle_proxies }} +POSTMOOGLE_MONITORING_SENTRY_DSN={{ matrix_bot_postmoogle_monitoring_sentry_dsn }} +POSTMOOGLE_MONITORING_SENTRY_RATE={{ matrix_bot_postmoogle_monitoring_sentry_rate }} +POSTMOOGLE_MONITORING_HEALTHCHECKS_UUID={{ matrix_bot_postmoogle_monitoring_healthchecks_uuid }} +POSTMOOGLE_MONITORING_HEALTHCHECKS_DURATION={{ matrix_bot_postmoogle_monitoring_healthchecks_duration }} +POSTMOOGLE_MAILBOXES_RESERVED={{ matrix_bot_postmoogle_mailboxes_reserved }} +POSTMOOGLE_MAILBOXES_ACTIVATION={{ matrix_bot_postmoogle_mailboxes_activation }} {{ matrix_bot_postmoogle_environment_variables_extension }} From fda65a0a5659641eb3c198e4ef7d8865db2deaff Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 7 Dec 2022 11:38:47 +0000 Subject: [PATCH 150/915] postmoogle - add missing join()s --- roles/custom/matrix-bot-postmoogle/templates/env.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-bot-postmoogle/templates/env.j2 b/roles/custom/matrix-bot-postmoogle/templates/env.j2 index 3b22040b7..072d12dad 100644 --- a/roles/custom/matrix-bot-postmoogle/templates/env.j2 +++ b/roles/custom/matrix-bot-postmoogle/templates/env.j2 
@@ -15,12 +15,12 @@ POSTMOOGLE_TLS_CERT={{ matrix_bot_postmoogle_tls_cert }} POSTMOOGLE_TLS_KEY={{ matrix_bot_postmoogle_tls_key }} POSTMOOGLE_TLS_REQUIRED={{ matrix_bot_postmoogle_tls_required }} POSTMOOGLE_DATA_SECRET={{ matrix_bot_postmoogle_data_secret }} -POSTMOOGLE_PROXIES={{ matrix_bot_postmoogle_proxies }} +POSTMOOGLE_PROXIES={{ matrix_bot_postmoogle_proxies | join(' ') }} POSTMOOGLE_MONITORING_SENTRY_DSN={{ matrix_bot_postmoogle_monitoring_sentry_dsn }} POSTMOOGLE_MONITORING_SENTRY_RATE={{ matrix_bot_postmoogle_monitoring_sentry_rate }} POSTMOOGLE_MONITORING_HEALTHCHECKS_UUID={{ matrix_bot_postmoogle_monitoring_healthchecks_uuid }} POSTMOOGLE_MONITORING_HEALTHCHECKS_DURATION={{ matrix_bot_postmoogle_monitoring_healthchecks_duration }} -POSTMOOGLE_MAILBOXES_RESERVED={{ matrix_bot_postmoogle_mailboxes_reserved }} +POSTMOOGLE_MAILBOXES_RESERVED={{ matrix_bot_postmoogle_mailboxes_reserved | join(' ') }} POSTMOOGLE_MAILBOXES_ACTIVATION={{ matrix_bot_postmoogle_mailboxes_activation }} {{ matrix_bot_postmoogle_environment_variables_extension }} From 8ebf18a885cd0920137ed683f1f47cad6536f82e Mon Sep 17 00:00:00 2001 
From: ikkemaniac Date: Wed, 7 Dec 2022 15:58:36 +0100 Subject: [PATCH 151/915] add prometheus-nginxlog-exporter role (#2315) * add prometheus-nginxlog-exporter role * Rename matrix_prometheus_nginxlog_exporter_container_url to matrix_prometheus_nginxlog_exporter_container_hostname * avoid referencing variables from other roles, handover info using group_vars/matrix_servers * fix: stop service when uninstalling fix: typo move available arch's into a var fix: text * fix: prometheus enabled condition Co-authored-by: ikkemaniac --- ...configuring-playbook-prometheus-grafana.md | 5 + ...onfiguring-playbook-prometheus-nginxlog.md | 59 + group_vars/matrix_servers | 28 + playbooks/matrix.yml | 1 + .../templates/nginx/nginx.conf.j2 | 13 +- .../defaults/main.yml | 49 + .../examples/grafana.png | Bin 0 -> 136574 bytes .../examples/metrics.png | Bin 0 -> 128982 bytes .../tasks/inject_into_nginx_proxy.yml | 31 + .../tasks/main.yml | 29 + .../tasks/setup_install.yml | 47 + .../tasks/setup_uninstall.yml | 39 + .../tasks/validate_config.yml | 32 + .../templates/nginx-proxy.json | 1705 +++++++++++++++++ .../prometheus-nginxlog-exporter.yaml.j2 | 37 + ...ix-prometheus-nginxlog-exporter.service.j2 | 46 + .../templates/prometheus.yml.j2 | 7 + .../templates/nginx/nginx.conf.j2 | 13 +- 18 files changed, 2139 insertions(+), 2 deletions(-) create mode 100644 docs/configuring-playbook-prometheus-nginxlog.md create mode 100644 roles/custom/matrix-prometheus-nginxlog-exporter/defaults/main.yml create mode 100644 roles/custom/matrix-prometheus-nginxlog-exporter/examples/grafana.png create mode 100644 roles/custom/matrix-prometheus-nginxlog-exporter/examples/metrics.png create mode 100644 roles/custom/matrix-prometheus-nginxlog-exporter/tasks/inject_into_nginx_proxy.yml create mode 100644 roles/custom/matrix-prometheus-nginxlog-exporter/tasks/main.yml create mode 100644 roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_install.yml create mode 100644 
roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_uninstall.yml create mode 100644 roles/custom/matrix-prometheus-nginxlog-exporter/tasks/validate_config.yml create mode 100644 roles/custom/matrix-prometheus-nginxlog-exporter/templates/nginx-proxy.json create mode 100644 roles/custom/matrix-prometheus-nginxlog-exporter/templates/prometheus-nginxlog-exporter.yaml.j2 create mode 100644 roles/custom/matrix-prometheus-nginxlog-exporter/templates/systemd/matrix-prometheus-nginxlog-exporter.service.j2 diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index f86566a94..0b785c359 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md @@ -15,6 +15,9 @@ matrix_prometheus_node_exporter_enabled: true # You can remove this, if unnecessary. matrix_prometheus_postgres_exporter_enabled: true +# You can remove this, if unnecessary. +matrix_prometheus_nginxlog_exporter_enabled: true + matrix_grafana_enabled: true matrix_grafana_anonymous_access: false 
@@ -39,6 +42,7 @@ Name | Description `matrix_prometheus_enabled`|[Prometheus](https://prometheus.io) is a time series database. It holds all the data we're going to talk about. `matrix_prometheus_node_exporter_enabled`|[Node Exporter](https://prometheus.io/docs/guides/node-exporter/) is an addon of sorts to Prometheus that collects generic system information such as CPU, memory, filesystem, and even system temperatures `matrix_prometheus_postgres_exporter_enabled`|[Postgres Exporter](configuring-playbook-prometheus-postgres.md) is an addon of sorts to expose Postgres database metrics to Prometheus. +`matrix_prometheus_nginxlog_exporter_enabled`|[NGINX Log Exporter](configuring-playbook-prometheus-nginxlog.md) is an addon of sorts to expose NGINX logs to Prometheus. `matrix_grafana_enabled`|[Grafana](https://grafana.com/) is the visual component. It shows (on the `stats.` subdomain) the dashboards with the graphs that we're interested in `matrix_grafana_anonymous_access`|By default you need to log in to see graphs. If you want to publicly share your graphs (e.g. when asking for help in [`#synapse:matrix.org`](https://matrix.to/#/#synapse:matrix.org?via=matrix.org&via=privacytools.io&via=mozilla.org)) you'll want to enable this option. `matrix_grafana_default_admin_user`
`matrix_grafana_default_admin_password`|By default Grafana creates a user with `admin` as the username and password. If you feel this is insecure and you want to change it beforehand, you can do that here @@ -73,6 +77,7 @@ Name | Description `matrix_prometheus_node_exporter_enabled`|Set this to `true` to enable the node (general system stats) exporter (locally, on the container network) `matrix_prometheus_node_exporter_metrics_proxying_enabled`|Set this to `true` to expose the node (general system stats) metrics on `https://matrix.DOMAIN/metrics/node-exporter` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`) `matrix_prometheus_postgres_exporter_enabled`|Set this to `true` to enable the [Postgres exporter](configuring-playbook-prometheus-postgres.md) (locally, on the container network) +`matrix_prometheus_nginxlog_exporter_enabled`|Set this to `true` to enable the [NGINX Log exporter](configuring-playbook-prometheus-nginxlog.md) (locally, on the container network) `matrix_prometheus_postgres_exporter_metrics_proxying_enabled`|Set this to `true` to expose the [Postgres exporter](configuring-playbook-prometheus-postgres.md) metrics on `https://matrix.DOMAIN/metrics/postgres-exporter` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`) `matrix_bridge_hookshot_metrics_enabled`|Set this to `true` to make [Hookshot](configuring-playbook-bridge-hookshot.md) expose metrics (locally, on the container network) `matrix_bridge_hookshot_metrics_proxying_enabled`|Set this to `true` to expose the [Hookshot](configuring-playbook-bridge-hookshot.md) metrics on `https://matrix.DOMAIN/metrics/hookshot` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`) diff --git a/docs/configuring-playbook-prometheus-nginxlog.md b/docs/configuring-playbook-prometheus-nginxlog.md new file mode 100644 index 000000000..832efbd8d --- /dev/null +++ b/docs/configuring-playbook-prometheus-nginxlog.md 
@@ -0,0 +1,59 @@ +# Enabling metrics and graphs for NginX logs (optional) + +It can be useful to have some (visual) insight into NignX logs. + +This adds [prometheus-nginxlog-exporter](https://github.com/martin-helmich/prometheus-nginxlog-exporter/) to your matrix deployment. +It will provide a prometheus 'metrics' endpoint exposing data from both the `matrix-nginx-proxy` and `matrix-synapse-reverse-proxy-companion` logs and automatically aggregates the data with prometheus. +Optionally it visualizes the data, if [`matrix-grafana`](configuring-playbook-prometheus-grafana.md) is enabled, by means of a dedicated Grafana dashboard named `NGINX PROXY` + +You can enable this role by adding the following settings in your configuration file (`inventory/host_vars/matrix./vars.yml`): + +```yaml +matrix_prometheus_nginxlog_exporter_enabled: true + +# required depency +matrix_prometheus_enabled: true + +# optional for visualization +matrix_grafana_enabled: true +``` + +x | Prerequisites | Variable | Description +|:--:|:--:|:--:|:--| +**REQUIRED** | `matrix-prometheus`| `matrix_prometheus_enabled`|[Prometheus](https://prometheus.io) is a time series database. It holds all the data we're going to talk about. +_Optional_ | [`matrix-grafana`](configuring-playbook-prometheus-grafana.md) | [`matrix_grafana_enabled`](configuring-playbook-prometheus-grafana.md)|[Grafana](https://grafana.com) is the visual component. It shows (on the `stats.` subdomain) graphs that we're interested in. When enabled the `NGINX PROXY` dashboard is automatically added. + +## Docker Image Compatibility + +At the moment of writing only images for `amd64` and `arm64` architectures are available + +The playbook currently does not support building an image. 
+You can however use a custom-build image by setting +```yaml +matrix_prometheus_nginxlog_exporter_docker_image_arch_check_enabled: false +matrix_prometheus_nginxlog_exporter_docker_image: path/to/docker/image:tag +``` + +## Security and privacy + +Metrics and resulting graphs can contain a lot of information. NginX logs contain information like IP address, URLs, UserAgents and more. This information can reveal usage patterns and could be considered Personally Identifiable Information (PII). Think about this before enabling (anonymous) access. +Please make sure you change the default Grafana password. + +## Save metrics on an external Prometheus server + +The playbook will automatically integrate the metrics into the Prometheus server provided with this playbook. You can choose to save data on an external Prometheus instance. + +The metrics of this role will be exposed on `https://matrix.DOMAIN/metrics/nginxlog` when setting +```yaml +matrix_prometheus_nginxlog_exporter_metrics_proxying_enabled: true + +# required dependency +matrix_nginx_proxy_proxy_matrix_metrics_enabled: true +``` +The playbook can provide a single endpoint (`https://matrix.DOMAIN/metrics/*`), under which various services may expose their metrics (e.g. `/metrics/node-exporter`, `/metrics/postgres-exporter`, `/metrics/nginxlog`, etc). To enable this `/metrics/*` feature, use `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. To protect access using [Basic Authentication](https://en.wikipedia.org/wiki/Basic_access_authentication), see `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled`. + +The following variables may be of interest: + +Name | Description +-----|---------- +`matrix_nginx_proxy_proxy_matrix_metrics_enabled`|Set this to `true` to enable metrics exposure for various services on `https://matrix.DOMAIN/metrics/*`. Refer to the individual `matrix_SERVICE_metrics_proxying_enabled` variables below for exposing metrics for each individual service. \ No newline at end of file 
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 71bd18812..e3f63bb33 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -297,6 +297,8 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-prometheus-postgres-exporter.service', 'priority': 3900, 'groups': ['matrix', 'monitoring', 'prometheus', 'prometheus-node-exporters']}] if matrix_prometheus_postgres_exporter_enabled else []) + + ([{'name': (matrix_prometheus_nginxlog_exporter_container_hostname + '.service'), 'priority': 3900, 'groups': ['matrix', 'monitoring', 'prometheus', 'prometheus-node-exporters']}] if matrix_prometheus_postgres_exporter_enabled else []) + + ([{'name': 'matrix-redis', 'priority': 750, 'groups': ['matrix', 'redis']}] if matrix_redis_enabled else []) + ([{'name': 'matrix-registration.service', 'priority': 4000, 'groups': ['matrix', 'registration']}] if matrix_registration_enabled else []) @@ -2235,6 +2237,9 @@ matrix_ssl_architecture: "{{ matrix_ssl_pre_obtaining_required_service_name: "{{ 'matrix-dynamic-dns' if matrix_dynamic_dns_enabled else '' }}" +matrix_nginx_proxy_access_log_syslog_integration_enabled: "{{ matrix_prometheus_nginxlog_exporter_enabled }}" +matrix_nginx_proxy_access_log_syslog_integration_server_port: "{{ (matrix_prometheus_nginxlog_exporter_container_hostname | string +':'+ matrix_prometheus_nginxlog_exporter_container_syslog_port | string) | default('') }}" + ###################################################################### # # /matrix-nginx-proxy 
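Review bot: The new service entry is gated on `matrix_prometheus_postgres_exporter_enabled` instead of `matrix_prometheus_nginxlog_exporter_enabled`, so the nginxlog exporter unit is only registered with the service manager when the postgres exporter happens to be enabled, and is registered even when nginxlog is disabled and the role never installs the unit. Change the condition to `([{'name': (matrix_prometheus_nginxlog_exporter_container_hostname + '.service'), 'priority': 3900, 'groups': ['matrix', 'monitoring', 'prometheus', 'prometheus-node-exporters']}] if matrix_prometheus_nginxlog_exporter_enabled else [])`. The `devture_systemd_service_manager_services_list_auto` expression this line belongs to starts before the hunk.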
@@ -2820,6 +2825,9 @@ matrix_synapse_reverse_proxy_companion_synapse_stream_writer_presence_stream_wor matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations: "{{matrix_synapse_workers_media_repository_endpoints|default([]) }}" matrix_synapse_reverse_proxy_companion_synapse_user_dir_locations: "{{ matrix_synapse_workers_user_dir_worker_client_server_endpoints|default([]) }}" +matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_enabled: "{{ matrix_prometheus_nginxlog_exporter_enabled }}" +matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_server_port: "{{ (matrix_prometheus_nginxlog_exporter_container_hostname | string +':'+ matrix_prometheus_nginxlog_exporter_container_syslog_port | string) | default('') }}" + ###################################################################### # # /matrix-synapse-reverse-proxy-companion @@ -2861,6 +2869,20 @@ matrix_prometheus_node_exporter_enabled: false # ###################################################################### +###################################################################### +# +# matrix-prometheus-nginxlog-exporter +# +###################################################################### + +matrix_prometheus_nginxlog_exporter_enabled: false + +###################################################################### +# +# /matrix-prometheus-nginxlog-exporter +# +###################################################################### + ###################################################################### # # matrix-prometheus 
@@ -2888,6 +2910,10 @@ matrix_prometheus_scraper_postgres_targets: "{{ ['matrix-prometheus-postgres-exp matrix_prometheus_scraper_hookshot_enabled: "{{ matrix_hookshot_metrics_enabled|default(false) }}" matrix_prometheus_scraper_hookshot_targets: "{{ [matrix_hookshot_container_url | string +':'+ matrix_hookshot_metrics_port | string] if matrix_hookshot_metrics_enabled else [] }}" +matrix_prometheus_scraper_nginxlog_enabled: "{{ matrix_prometheus_nginxlog_exporter_enabled }}" +matrix_prometheus_scraper_nginxlog_server_port: "{{ (matrix_prometheus_nginxlog_exporter_container_hostname | string +':'+ matrix_prometheus_nginxlog_exporter_container_syslog_port | string) +| default('') }}" + ###################################################################### # # /matrix-prometheus @@ -2937,6 +2963,8 @@ matrix_grafana_dashboard_download_urls: | (matrix_prometheus_node_exporter_dashboard_urls if matrix_prometheus_node_exporter_enabled else []) + (matrix_prometheus_postgres_exporter_dashboard_urls if matrix_prometheus_postgres_exporter_enabled else []) + + + (matrix_prometheus_nginxlog_exporter_dashboard_urls if matrix_prometheus_nginxlog_exporter_enabled else []) }} matrix_grafana_default_home_dashboard_path: |- diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index 5b6f1ccea..92e027fb5 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml @@ -80,6 +80,7 @@ - custom/matrix-synapse-admin - custom/matrix-prometheus-node-exporter - custom/matrix-prometheus-postgres-exporter + - custom/matrix-prometheus-nginxlog-exporter - custom/matrix-prometheus - custom/matrix-grafana - custom/matrix-registration diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 index 5aeeb6f40..6b56878a1 100644 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 
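Review bot: `matrix_prometheus_scraper_nginxlog_server_port` builds the Prometheus scrape target from `matrix_prometheus_nginxlog_exporter_container_syslog_port`, which the new role defaults describe as the UDP syslog listener (`udp/6514`), while the `/metrics` endpoint lives on `matrix_prometheus_nginxlog_exporter_container_metrics_port` (`tcp/4040`); the scraper would be pointed at the wrong port and the target would stay down. Change the port reference to `matrix_prometheus_nginxlog_exporter_container_metrics_port | string`. The `+| default('')` beginning the following added line also suggests the Jinja expression was split across two YAML lines; a double-quoted scalar folds that into one, but keeping the whole expression on one line, as in the sibling `matrix_prometheus_scraper_hookshot_targets`, avoids the question.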
@@ -39,7 +39,18 @@ http {
 {% if matrix_nginx_proxy_access_log_enabled %}
 access_log /var/log/nginx/access.log main;
- {% else %}
+ {% endif %}
+
+ {% if matrix_nginx_proxy_access_log_syslog_integration_enabled %}
+ log_format prometheus_fmt 'matrix-nginx-proxy $server_name - $upstream_addr - $remote_addr - $remote_user [$time_local] '
+ '$host "$request" '
+ '$status "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log syslog:server={{ matrix_nginx_proxy_access_log_syslog_integration_server_port }},tag=matrix_nginx_proxy prometheus_fmt;
+ {% endif %}
+
+ {% if not matrix_nginx_proxy_access_log_enabled and not matrix_nginx_proxy_access_log_syslog_integration_enabled %}
 access_log off;
 {% endif %}
diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/defaults/main.yml b/roles/custom/matrix-prometheus-nginxlog-exporter/defaults/main.yml
new file mode 100644
index 000000000..2e85d6298
--- /dev/null
+++ b/roles/custom/matrix-prometheus-nginxlog-exporter/defaults/main.yml
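Review bot: The new `prometheus_fmt` logs the full `$request` (request line including the query string) and ships it via `access_log syslog:server=...` to the exporter container, which the new role defaults describe as a UDP listener, and nothing in the template says so; a comment above the `log_format` such as `{# prometheus_fmt is forwarded over plain UDP syslog (unencrypted, unauthenticated) to the nginxlog exporter; $request includes the query string #}` would let operators judge the exposure before enabling it. If the existing `main` format (outside this hunk) does not already record `$request`, this widens what leaves the nginx container, so whether query strings can carry anything sensitive on this deployment is worth confirming; trimming the format would also require a matching change in the exporter's parser config, which is not part of this diff.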
@@ -0,0 +1,49 @@
+---
+# prometheus-nginxlog-exporter exports nginx logs in a prometheus usable format on a `/metrics/ endpoint
+# See: https://github.com/martin-helmich/prometheus-nginxlog-exporter/
+
+matrix_prometheus_nginxlog_exporter_enabled: true
+matrix_prometheus_nginxlog_exporter_version: v1.10.0
+
+matrix_prometheus_nginxlog_exporter_container_hostname: 'matrix-prometheus-nginxlog-exporter'
+matrix_prometheus_nginxlog_exporter_container_metrics_port: '4040'
+matrix_prometheus_nginxlog_exporter_container_syslog_port: '6514'
+
+matrix_prometheus_nginxlog_exporter_docker_image_arch: ['amd64', 'arm64']
+matrix_prometheus_nginxlog_exporter_docker_image_name_prefix: "{{ 'ghcr.io/martin-helmich/' }}"
+matrix_prometheus_nginxlog_exporter_docker_image_tag: "{{ 'latest' if matrix_prometheus_nginxlog_exporter_version == 'master' else matrix_prometheus_nginxlog_exporter_version }}-{{ matrix_architecture }}"
+matrix_prometheus_nginxlog_exporter_docker_image: "{{ matrix_prometheus_nginxlog_exporter_docker_image_name_prefix }}prometheus-nginxlog-exporter/exporter:{{ matrix_prometheus_nginxlog_exporter_docker_image_tag }}"
+matrix_prometheus_nginxlog_exporter_docker_image_force_pull: "{{ matrix_prometheus_nginxlog_exporter_docker_image.endswith(':latest') }}"
+matrix_prometheus_nginxlog_exporter_docker_image_arch_check_enabled: true
+
+# Controls whether prometheus-nginxlog-exporter metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/nginxlog`.
+# This will only take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`.
+# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`.
+matrix_prometheus_nginxlog_exporter_metrics_proxying_enabled: false
+
+# matrix_prometheus_nginxlog_exporter_dashboard_urls contains a list of URLs with Grafana dashboard definitions.
+# If the Grafana role is enabled, these dashboards will be downloaded.
+matrix_prometheus_nginxlog_exporter_dashboard_urls: []
+
+matrix_prometheus_nginxlog_exporter_base_path: "{{ matrix_base_data_path }}/prometheus-nginxlog-exporter"
+matrix_prometheus_nginxlog_exporter_config_path: "{{ matrix_prometheus_nginxlog_exporter_base_path }}/config"
+
+# A list of extra docker arguments to pass to the container
+matrix_prometheus_nginxlog_exporter_container_extra_arguments: []
+
+# List of systemd services that matrix-prometheus_nginxlog_exporter.service depends on
+matrix_prometheus_nginxlog_exporter_systemd_required_services_list: ['docker.service']
+
+# List of systemd services that matrix-prometheus_nginxlog_exporter.service wants
+matrix_prometheus_nginxlog_exporter_systemd_wanted_services_list: []
+
+# Controls whether the matrix-prometheus_nginxlog_exporter container exposes its HTTP port (tcp/4040 in the container).
+#
+# Takes an ":" or "" value (e.g. "127.0.0.1:4040"), or empty string to not expose.
+matrix_prometheus_nginxlog_exporter_container_http_host_bind_port: ''
+
+# Controls whether the matrix-prometheus_nginxlog_exporter container exposes its SYSLOG port (udp/6514 in the container).
+#
+# Takes an ":" or "" value (e.g. "127.0.0.1:6514"), or empty string to not expose.
+# NOTE: is an UDP connection!
+matrix_prometheus_nginxlog_exporter_container_syslog_host_bind_port: ''
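Review bot: `matrix_prometheus_nginxlog_exporter_docker_image_force_pull` can never be true: the tag is built as `'latest' ... }}-{{ matrix_architecture }}`, so the image ends in `:latest-amd64` or `:latest-arm64` and `.endswith(':latest')` fails even for `version: master`. Test the version instead, e.g. `matrix_prometheus_nginxlog_exporter_docker_image_force_pull: "{{ matrix_prometheus_nginxlog_exporter_version == 'master' }}"`. `matrix_prometheus_nginxlog_exporter_enabled: true` as a role default also differs from the `false` this same commit sets for it in `group_vars/matrix_servers` and from the `false` visible there for `matrix_prometheus_node_exporter_enabled`; defaulting to `false` avoids opting in anyone who uses the role on its own. A short addition to the `_container_syslog_host_bind_port` comment that the syslog listener accepts unauthenticated UDP datagrams, so anything able to reach it can feed lines into the metrics, would tell operators why leaving it unexposed is the safe default.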
diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/examples/grafana.png b/roles/custom/matrix-prometheus-nginxlog-exporter/examples/grafana.png new file mode 100644 index 0000000000000000000000000000000000000000..49fa021134bb147e7efc13eab28c5a3396a373f6 GIT binary patch literal 136574 zcmbTdV|Zju+cug^H1Wg}+qOMH$C}tSC$_DQ&53PiV%xSRwv*lW^M23$etZAieN-Pw ztzK2Vy6RG0=Xr%I$Vni=;lP1`fgu7Ue<*>0L8O7+tzV%*R}x-!zJdNgI*9;OzJgv} zUyZ}Sz=*&AKZI4>GS4<#wb9K!{#;LuGn~!Z_#x7U!39JZE-gz()u#NAVbjeIKcPq& zJ8*S9p-A61l#!Ror!Zrj>0fRqY4Xd>S1%d;GHZ}RfBR|#E?hd>&v&^*TfKd8cIIkY z%(vy9KHnf_75ti5P{2wJXlp|f{RS!gpSHs&T6GHce>%e7f?h)Tc7oHRCo)@}Eb{lUw2C0cKqQ8@OcrjRq(p`Wo;*O~K{|kovzJA{E?tW4QnG3DMUDak8|3J0guJ|F2<| z&Tt80n@z^4=$q}<6%*B!ED{ow6mqE^L#G-VY1Zovn0^4X;+^enw;>i>&PsAx+WJAG z3eI_fxAV2?)YLmzVc#vuI;ACWSdod-C0C;JHBW~<@h`ltHr1#0K|F^CC(-5QxL^PP z4}+N4qQj5hbLI_hZVkN?3;19d7u_1Hp@cj=qy0GYbDxv{n zk%1e_mu*_;>kM_YOpuHLP+-dR2KS>TsQ zJt1rFPAMH$*>Whm5Ql=`s)u}c>#^xu>MRKuE279Qn`+KN=?pivAh;hUB{#W^i)OYt zpZ_+(FrB}^+zRl>h|dr$Wb?g@aPlo4!qMucPL=TzjPCnxk=iI?bQR^MIs!UT#Ew7M zE415l)V)W>XdmFm`p~wUYu5aC;|rXM?aS3|t*CiVkKv0dLNbYp#|X0fZH2)NVB)Y;`k;)%@1I&bfG zlhii#`>(Xt4vx06$fY+c`@;Tq`*_35vUJy|1HE5e^XAAG4SyUsIXHj|RdX^~&Z{>( z2cvfiPyIHD55C-@4MvF;AB*ehySl$-yneq5Q+T*oqlfG0<)0dx%jgLV-Pv8=j(NQJ zz1L!w18&}^X=qq5(CUip=-^0IYO*JmCf2Q3eGKvB+~`ediqArQ_~U)lL~+tO*&RV=^4V=)l1oyqKU zyPoqYjo3}^vYWtOPMt^C^uj*atciLhM}(Yz!DcfhmiBnP{*b=3XL{b;lxLTE*!CyR z0tntf_-ETFxK6^baBCKXqqjtFRx1&1MI-g5k!kAuJ zR(H9*dxGm_b@6kzd9ydU$>|L5lgi(YCDmD;(yy;~M;(ZMakDu7VtT>nRk{8N-d6_)k`Aig?oUUKm9{ZPu2tk&^db6&}@w%)7`*qxyhwN=~>2xYiM|4er z0wCI_D)98|I>7IMdm4L6)ln|>&~VHVACGj!07wl8-v@JTvs<_&_lva2@3!Rv3g8Kv%FVag zQ+M9mr)LL3IvT8k@ZSPS)mU0`q>H-*K7yAnA}(A(zmNbvJ<`n6PA&_nbmyz|;pv{* z(;t!IxdltSg;mNq0R7CISW$6gRDx!Hu}KuykpK?ppSt3dSu{3A!x~Y#OIdpnGtBrzJ_xZ(XpNG|CZAfOD;{+-f*isV-2dl3e zDmEd^Ejp+$k0FLsP5@Zvv2eau^OT#%lqTHRZoa?=?$9T<9<(>lmF5cF<_HYEj-Gn> z%_9XDErM)8{3$p-U_4t^YL`A-<(QT#!1yR-%Sn7Ip!SyVcc9J3QAX5$sYH8z_*VbX 
zC$HKA2hEB0a(zrR?oy4z9u7yvYxdM9Yl@n0SCCE0P#S;9Or=FwBz=4Of}l_TC%s#8 zQp$XT=M%~cw^mA`mfY?^G0e7`J4W@#IbieS%qiLTk@>Rgj*5{1S?q!%HdvXjQofj` z77?_hKFf|6BUUVPuUuGZ1S=s(Xr?n`%xV0BmGr(aDLX3!&5LchW?~d0Rqp4jo?pPQWA&dX}d&I62lm%;}@({Ydt1tKqd>yPqn~gbv_N`s+JrY7K^v$ ziY9-20qt1N#zdBKvFP*(>dXl$ydJN|**9$L6PXO2`Wn@G26HyeK|#LO8m7kgSexTt z;co68dmwKqmooey*mONNdO3Z_s5Mh$#6AW7IZ|C~|M7jbM9M?2cfg8E*;H^0EkOe9 z_#mcJ`|UmC11bI8V&t=s>G*ty48o4`f($wCOA18k|v8nv;CK!4j+t-ZIMT zzCsK>|A4cz=SwuM{A0-T0pyZElqXYMk$Vc4&py{ovg#d<=jr>ajtS~(fJx(OTe~4?yrQF?IU0pf50pHA2I-eZXQSZ74ZPL@DUTnG?>CmiPjOl5!RjU$R zyMm_6TkJ-wX|-=V&EWDcg6l>Q0znfdpGOJ zEPt3U-Nv6Ho7a__F~<+?0m7p-msaDYm>#FiqsScB8klwlTpusW3QSz=q(24i-wD^0fSgq?g)geiY{#^>D-v1259 zZ69>0+V!e|J^`Y69-6VfX(yZMEGdnb%rV3lrjwOggOfqKr|hRL*K^HQ%P84_^`hKE z#oXC@5)34-e3JpS1c_>7wPe;ik$Sz%jah?p$j!p!t<$cP%6BeO#zQG%vqVX;7P(pum$ch(SS6<(p+4u^FF z9V}aW;mv}`x4IkWkt`b82k7iv6?6QZphs&xCx81|-42Vi(pSwZmq5W@WV1Fn?+yFg z5{1piz;tApF9sT$i(_Dzgb*Ie-QT!?DX%%+W)3kEY1C+q3M~QGKd5&f1$t6Ix7Sx# zd~j8@&vYRU6gi;an#qn!70i*>S&VsrJPk+%$_I`w3YWC1t#G1~hXM|7M#nzsn8Tx@ zqpMn-<_wpKX7{??$puk5qAMPzMP8rL4K`&O-H zuO$7;F){VH%Cw{$juHd1tz`Mv-sZW}@#R+K)#bx^$Aw$Bw`X;GH_Y(F@p>(6q4nW@ z66#Ai4NpwfTU>#dUIN~AMth_FZg)!>w_jOP)S`^TCfwfUbCOV&W& z?qsQ_O}*#mF#OFxN+$D*wfzBsUf}kdPh^v>jQ0`ip&Nyh@u~bzE(^W_A?WKmU3qjou;!Wc zkC3C?g#in3l;A2qQU0tL>U+h|oVh^Ir zqR`Obba`t~f_R=XS~#X_OzXgFAo*_nwpX1 zD>?=Mq(!w3Gcr^10;hGbmL48Fpq`tD3zZB*C;~xDu~}%Z4Hw8&fC&ibgoQ^}&2{nq z6A-Xh9)P?EZ0y&8rJ-(|*O%q#mN^K%Z_C)RA)4bFu-aS?Ft4OQrZ3AayR7zP-n>nJ zG_oW#y|^SEF7`w`XvGD%@dZ6$j|UTv)*L*}vChJ2JrFt2>OZx78mJ^?U*>8r&zr3w zu6-{I>@I%V?r(+AL-UJ6DU7xVt+ecLT5{;{wiGb06B&M*KKv*$04IA@g+#!Sd3=y{ zAj;@3**jbF4LJ1>T8N34mm8wI=ImPkF2#Tv{e{rXMNmt`=Q&vvK#$GiO7XFRlF8oK zJH#Ghqi4HQR>1ilBH))JL25mIvfknr)%iLVr`~JQ?l-v5pCUTG++X^Ym+*%dSt26D+d- z+4C2k1Snq9&cv;;+q!T}iH?pI2l?+}Gnih|UQ6OO;Q3m2WFeW(PWRm0oD_et<>5L+ zVn*hZ2@0hG9J0H#E`d0d3JpeXo`aEDVJ0ovA#%Tdt2=&{Vt$|%+B}&7-8o*ThVP(Z z>(=}N|L;}cc$5;{J60Wfb~w|wYDORbNjB=BLQp%{`K4hP-%O8|UdEMEX)3nf=}dHJ 
ztmUamr_pg1^H}F(d*7QX`1!0PsKwAqjEFm|u7ujUaG)fzw+?BxrqwJw02F%ibMG!m13MuwI+w?u+esRrnUj5mNVV`T?`R)70JNcW_jv2xj5S5}hn4 zuYWmN5+KS%yeIHigWx=KaM5>s?^f^@ZAwr?Qtt(Eju3k+eLJatzj_k=9_`c3om&x# zll|2n;jCSUCdUm zS$W9KN&>69OD{NPRi}qp4i1?%4*L(Kd;ks0e5Li0pEy#J7#tBr-JC5@c{48!Yb1SY zaoTsJVBE(8f%tPZq^e?n#4X%8r`lv&g7tYVQs_lk;OXMq$y+P+c=}`|Sb2+pr z1wZu0Ezt>3R4wxqis$M*&S{E{mh7u^>&uc0>M?)8LqAg=!>}4(*?(z+K_x(eQ-4jB z0;;GdU{CYMnPGK|6Z%@0-z%DFxi>(Us0hE#pP)UxJk5<3I5+lN%~?_EG zudqFw%QvI!jmW-a_wkr7dZHG*sb~v4z)0NLK0Tg~q=w!|>No>geXaZWwuRfcC7gaq zFkvZQbSP6LvoKUi@yr+yuX`+34^|pU;3SNW9B2F%cv5D+{Vh6ZF_|fo@2w{I7K*g{ zcY*##TKcrnIvaGWnZxtA@JBzy=S5%InYrmf$Xwx1`<#+=mwfMDsL5bG(m?TFph!e0 zMP1|ppLk*W; zRE^&I;53=EBO-nj%%DzpnuU*HL|x$F;zrBkFBumV7pwjK_(tH+q&e03B_bb;g~R2+ z{5*YoV=V>Reda7&N;E!m#+-~PJtDC<>U%WNnq`e}5y0Z;coc#xS=p_;eDA>L=yWeM zpXx^@uU7e%mJQ%A8=bY<6GKlYK$nQ*L!9Ytq;B*bj3Y~@#<%7vNbTu8K4 zSVWuK(CG^IN^td*uLlRx1ClG9@-+@TuC)zV0*dlZ(we_N{L+o(rPjG(;=JDTPywO+ zXkq@jUr)mh32lJg?sAR84omIM(Xe|BmJZ*7^^_nXJ!gy)6-)b7QEuT6v;lJsQIsFm%U!k`~pwQj1Apfi%z8ff-4W zb?0$MCmgOZh2IQ2NRSBletXZC-0G(1`ic~WOl7v2%Yw?>?X@Frw$} z0|hzXLw^erG*AQq5t}Sw2U69fgvEMNQ$ho9GS<>1f4bo!7*yyuhZ$7M?JW2nO|KsE z30ADjYmx*1M#nSttZ4>nU>_x5aHtxkb>=oXe$3UkI_&YZyV#f=MBE1lzM*4)0@i-3 zFopVGZT*^;fl7%P8L#*dVjwL;AwbcrfX#`O$BMz@AKvtC{~G&suQs>!pL3lDP(y)< zQ8SVoq`BHU8xGFSl%+x58VyA1_}5ZtN6YQ(z=oD`vQuF>yP%~+TQ<8xur@v%4j18B zJ)&J1suToN*b@sk&dFX9lZ0RQEC6u02vMACwW>Ikfe^)}i5FIuKS}G-8QkujcS&j0 zgr;McLjYyts#47xb7anS9pfs?wzAzMdS;)64YYYkFD=uyAZ z+w-Xo&QFZy_o!UJX}U3&1!Zxhz2s98 zQ@7OS6pCdRHrCg#PtJzA-rGm@xb&QJJO?CYkGT(EUs^|Vjh)<=2!o2Ki2%X$5*Ke# zK|!)7N9Irw{*S%aj@_VO+~}?(6fBOcRQ1uQkv#3X6)qz|Cd$sC+<((5Z;%%_5F>}$ zw{AyY&pXo_{Pv8d%WG$BLL_5OTu<^sfLBn~!D5qyQ;@-w28N4kO?E?wa_D$?0o37;8`_ahb0yY}3ip)yQ!w zX_^9aCLDCHY2Z2I#O6JHklkJPO;B{HQKsl4(73p;cX0Z|2g58M_@_}(L9g3K?j8yz z`4i-Z3q#hYx3GJM4EldgIJq@ml6R)*!vI|zxqhcL8c~~fl-(36+fR(d4nJz+(0o$~ z1>WK+VKJ$WlPp>%yQ)9NHc#Pl^KR#TnL0Nx9&DH8wS~#^4aufTh*p+2{|0($Rd6&l zNv1L#V)%CMuI1X_{&}=cz2dL$%#vJx0oO93Q9~VP5}K~Q8W`SvXBw+}P4BhxEN?EY 
zu)n;zGMAn4NLpS_oyEeWkp&V_`^I#oC#R(Ua48q&V=_UwV0c(AnJ*y^{*@FJH4A9-g_|2 zBsXBD^fyUGsYW?)Q>7!yPLYVww^I?tGMg>Uy=SQ(P7n=t>8F>E$b?-fMtLnAC`V^@ zpZ-%O$JC|`DK0*K@-KV2yssO6Q2#Z<(Y3d+QhM>-P3VzdwaMkkWp9CK7W0(xL7=Xvxo2xyGw3-}}v? z>;9bMj4#ruSgD+9tS>xT4b~n9PRtoe7#`VHn!2sXckbR)9}$NhTr4_njI+~dPYSxO zuGsFaJjQ0R+n{vRllj@e-uZeH2`tuo`dj|ndby?OjggtMK$^M0aurxabMwlW4v0aZ zz!q{Gu*v@t3@8dB1LO)0j6VA8yy3fI!CR;~Db&z@w!<&M6h&I8-ziHP=uK*skC8N0 z;BfrJrRccFkZ+7MIZB_>@Mega*G7|rz`VJ*<2@=W!wV1b7DxR9E5NVnk??!=dx4L^ zNr)%gimid-Ip{D@7^yDLf8 zF4kysoxj7YEfMPc?W>0=-b7vO^}*5-_TwxhL55(+_D%XquT6MCz(At3xDtYzkuuZz zhX#4*Q;iX%UajpGcBde+7n6S}8c*%f+Sk)LyT};a5lrL9%v)hN$eU6KO=Qt*O?!tRz95T%)6y2CKES59Is8ql2wy6KV6`nm-ap zinzTAJmO+Fn9sIa0>@mP;`4J?@|51Plk^bDQZ(^ZviWwAtM#83A^K|_h&P;@bK(!z`~mA^!rZTDpa&p$vaD=asmZrr|z^TykWZXKyUmS*BXvM zofdoH9V;jZA9Nd%*9A4{NDQJBIt|sQ6-R2$ukevWv$e<&Z|B_3bsg>LX^DmC=#3DA zLEq&16M{ zGG)ht&uQE5qMN&JgBy6b&?IWUw_C( zU7HbugR5z>|7I{y$=or#5^ep;Gp(Wop|5ma2O5X`_jtm>PG1rE`_%O4>G7V-_QRNi zLb8ZKKx|E^DoDs(&fY-i+o(?&gNh7DR^$98v=$4d7=z5&HN|6bq=g={O=4&?a6#}Z z>a7hM+MqlG-cxaGp5M@axd6FSNuZeLkETAg+r(Tw1SlKfJnM^2MA2=3db&5Ht1|#s z4duOISY|RWf?-QQU`_{{i5N~KfIE+Ls1+W6CUx|&;UJH=w>@(ngufx0u_MpC(hP5d z-^Y~z*y%i~!o>tk{=#Dp7qG>CYjsDXy!2XC6^7#;0T}NI-yR~y?)__T0^sGT9Xg|B%9|j!5SkwLb^Md!RZ?ig}mgKzVa`+^Zmuq$>TZqq(ah$iW?`H zDG$|7f!Se_#uUlkH9~shrc-IU&JcdmH^J6gcz7?33L8!%z+K8@-Vp2)Z6L9LOKQM$ z{A@Ac`cqF4>UVK58Uc#b;{`t`F{5Fc4+`&?8gOiWCxrf0xe^*(Dwa+I9G+Klu&~UQ zyDDI{LO~Fu1<6mMsM_(E$ikUm&{RCyKtYU*oKV@M&(4dHyc7kjw_w|Hz;Px3nUg$Y zRL^|0*M_7`5?%Q)4h|3H{;?$zNL94X3-c|YWPu!FUczf-`C2f^h!DJl+c=iXkfz(q zpUNdpU1csGG|c<><9#H%yTqqg#o!!TX{XmH7dhC>)E!*~`CR6i(%rBAifToVFM~Iq_>1h_hJrikN13g%kEhMn%x9 z%oT={qPjZxE6j3#yceIryM^Y7ru!>(R2D@aA!KJw6O08{KYMA>VM58h)kHybZW>On z7oWKPwLwxdfy`wwYM-oP=S_XM5S78-iuWFyGV1St-s1em>;i6-ligSA>m{nb!$zUG z8tofTjlX?UMjv#z0kH=5%TlSt=wO=oc>Jtr;3o0yta1PYCyh+c_R*=W)p*|AHUas%HRDr>18?wh_7{uJu zwSmEy5&doB5q6iIrk7nCAnc0O=C2HgorbT(P0@@wHjCSLP}0(wr;HUn)6)R*7xF$R 
zlR=*C2}-`7C`V2mxl_{sL3T<_k0_ZeA58|*#oI4bg4a@UX^d=q;Yo|DyRlOtZPXX0MC*jIwKeA>$MGn(vS29;jZN0$ZJEmutq-(BDbsl6xg9Nb7p{Dz^Rmc4P&sUzpi=(0G zGJe=m?)FTRwb$FtWz2!2ST?cR!#??I-8SetgF{O)R84Ff&L z5}-E>cw&R7*X@K)+q==%=!mX7+p&JA*j;kH!xY9v`w5krH}EbUpTrABWV6l8theVa z{W{CzwoFe`_KeBs!x5Ok?=2@eXMmqI{WjYLQ|}sYy)u~Ib6EwU@@N@0k?m7p&`<0G z-(H{yD?81-!5omSMTg)JKIVE$O}pCZK;A1j@be#l>FP3xHiZ?WU@vzkjKFc4l5xm= zoam;>3{B9kfs*ODRB+(n{z0Lk7)V#lpwqRN*Bh5J4W#@Ok~6_6=n#H=Wv+8E&j=-( zG{-u-tmSV(VoS++CV2^tZ`YY?jFRpal4a&&WY!0BvQ>-xu0@9G{y-P*|H0MDMT$1@ zoMlyu%a-W(XXaNObG$og0RP&f!^Btp{ngR}ZJW&;jt?C`t7E<+pvYLlDYj^tM7UfR z!Qv-bM<#1UY!vmeq9SuLnVhvoB%3kSMjLWbCoueCm%!yr(7%yWk>d#IqQ7qkyrccT zkDWW>YS<0uDUrF^X%pkYW{kxVlCP3}6-ejwlrJZ1ZUE%f)+-+fN{1Z`0 z!O;XMvuP(V5)~7w39oK|<4-^7M%4JckOxSw0xf+;O8Or*jS!&u^?YBs=ZYtcU*^+} zfvDl(;e-1BB*9`rC9E27=t1tf;l_Ld#8o(LxbKTE2p#2n1P$8qYDSoP*bH|1V%507 zudYbI45N0N;m+mF^JtjM3F0A;8m}?L3~J;|Y5@aRUNZ3eV4h|?bLrhn)wsKyd5h=J ziOMsb8a|}t<&TP!wsuxFaX~Z(5S2?edlQs!qs#Ot+HPEKF*h_anm(xE_H1BdzXEZw zpS^wR+ah6b`2Kw^6wXm zokRbrrwjj!j@jZ|--?K2NGk?HH-r@(o6J zc$(pAVx|$Y3ZNxt)esoKdq@S3m=q5NJD)Z((A^SpVdJD!tFzDvBOu>ioX0@l+ zCe~nz^U~p!ZDKI7{!GL7A!ca|4Y%@eMQJoeD!YHxh@*nuXi1~)=eUOAJ&Ku?vT(h$ z9-$z}_Dl~fAxDc#dx+yGD#n8jgJE}fzd$i_WOXcv!BB-Nd)nF@17aa1yIp|jAA_K1 zaHmzxNQSf3ULO$)DY3~f_^yP%B9`XhE8P)Z<<#ul9DK22nt+Yz4ttHCc)@^8GA~Z_ zLv~u#IQ^%O`jx8f5%$kcy$v|rzV7@=hZ_-lJ(qsmw{C60XLndaq9d zqStKSOu~XPE`m<`EpB!gmK(C z9$H^v7GTgZoK|ZZNY2>k>s|9y!HbPQ*)Ou!HIwBEb*;HtfV2X(p5~8t$db$FDrhVu z8T0V)FdOtH^6E~FOfukcyUg}mkR#pHTg>s))%|rS4&fo6oA$*sTHVrrEYe3kb#?N| zgKqd0(Bddp9YLo&_m5B%%lpRQ^U|e{ByZc=-LU6Tz>`CPXf%=0qnb(7UoClbK_WvN zyEw2L9UhH2@>_w@l1K68{(4VoegF=CtI^>C6b6D28+Lts?Q(rTq8eR^S=Lz^zONw4 zvb0NccRWZkmWHbPDaI(}gVz_>>o_h17x3jZ$})|=AY7Us>XFJc*i(0v$s?CM-)&c7 zwsvZ1rS98RMz4M=BjH-*iJMqbjz)Ow`YC-s&x7ltQ{rJ`>P-F*!&hYDxtu(0p|op& z_UlgvMslh9^Y!+W2OXQz*zTE5bi1FoC6?GvW=l{Q?F=Qy^W(kU1Z=bA(d-6ZK0gSq zHEKQ@?yUj}4to3R{_I~+guG&0o^kXJY19ATgyHrw=j`#@B@^8h^FBMqbo)h3D|W1@ zY1aJ6ba|H*M}ZyHfRn&rCuT8>JoYbiIf(x|u!j>R|h|_TZe}1YwQ-UtaV2t!3e8&F>6s>q|U` 
z#T87C_H}NN;}D~!j*hanqZgEa>EV`I(PU|9(69g}t8ckc+OTHrvqM-OPFXsom$3gn z#=QjSCT#aO3q>wh*@?D5oJIWUZR_goxz*Jl4+A5ucNfO^XOvGJh}hh&lUe_;tKZnE zBA_&qYt=8T!Id+NHN+K1WAnNO;79pUs)^PajWwWYShxeZ9{)=HFT>l%ms+P$#z0A9 z5(!S8FST!2*S(`*JlsjGJo~gv#S%nA=iq26S+F!7S$&+dW;S5K0V&G!-Dpkf*8;9*j@=xQ!;syQ0e^=a>-gyn|nE`~N8kw2N+g5#4@pNg@VLCe9 zb8++T9q+3^{9iM(FSL^>|5gG$MSyN~^=yemgrRWt(p-%Jnzglc8M6q8GXI|z)LrF~ zV$8G53pAtagq{Nt%VA(bL8L>&+BmcMy|dX|9?^g62A;;s)Br_Nzr_m{61j(`LL)!M z>g2nB+hn+4XqxF}qwsoqDrWr4qgO!u`x98YV9A^&W5VEczlwo}hxfFEd#S=T!ocFj1Q{j(#I?$q!FRf9F{#!$FfqhRiQb8xC_z%7kL;9~yJXw{fEx2M1M3Idg zESh54P-G+|^kvw6){h^M0|u?B-Gzuj0bXYTDe#xx(Vj1Lgds5{Eqtf0-kCEDj06sc zd02oO74cV*^8^J+S?S7~C$QbFpY<0@o|4Y^zMvgem;%Zqj0Dk*rB3{&Od}^xRjbya zcIvF7Gh#{RqmKYh+}g^0@BoGJ7a62MuD?18{HAM!MQzD+8C@ZbK(!y~xvJ$Be>W>e zgS{NK$}}EN`3u`(1VLL|Vm4tCJ;*n2`7>>d&giI1v3J01{~_ zuik2+g|%LPqObQkBgSRPnoR%SNdQH<)e@Bq?Kh2euoUV!n+J!+Y7$}pE1MSgWvvw} z*1fr$`c_t=y1FA1T6*5+P<2jq!;@9&v*w_SwsJ^=O6g<&O8-|3wQ8V@-&rOd4yWUQ zF-yuao@7d*`i}ERT~uXsa>j_m0(QPVp;V{F^`6wXpze^6==D>c|A=i1rwAf9XjTI>(1I_`Cu7&KYqe`U*3sMDH3D{;k|gp@Tp zgHw5Uj5SwDBcqpxhim6}J4m%$IGKo&H>3X)wvdc69P&TP5!6P?ef8)4)GlhyVDAJL8Y&BxJrYQT;(`o%ja58E*o*W8U|^t@W%^ z#PW?yG}|+4kOpcXGg#L(GnG_2>}#hV09?W7=pJDsM83FG%V@Z@KRO}u+3C~A@gg($ zpvn15M1Y|jDX$Am{My!mqX=fxMwiigVcudfWCX18!%twJz}|S3-U!>5lIbR2U{xQ% zZ;LtcI21XrtI!~*oc>(N=N!U-gITM$E<;3*-`kNJ=A2f7{2lXT*2g0|tgUPr-+TQo z5F-YP3*U$Rqv8Bxrv^V_UJJs<0~3}V%CG`+Jk!?ib+|n^mR^$A<0o&Mce1#0=uce> z7~1fm#!-TNxsmslJD*PU_LhF)*4Qd>zU631WRyECw>=YKuE{mv-~0Z$JC6yJMOtz2 z{r3F&s@=-)vii@mNF(_-AfHLu9zT+;vn{PIm1W2miiUzv1{>1O!EV*w)+L2D3L6vY zQ6^{v>!HsoF-1=;T95;}{Q=ali6SHPh=FIu!Q(fZwb*6kT9etn3O6@r%KCFMwTu1^ zW%iIWuLK9SJ$Gk)y(G)18qTLS*bSzB)E zvhOe7msk!Lp=(V&avNG-+cg;%pPC5jVeX_!!R6SP!! 
zWy@8x%Q3x4X25vMJdHHM*i`5^@J_2ZP4@SR8(z61 zq)EomA$J6ni~vQT!?~At+xE^34wjh}y*lWKQCm9`B#}wZ!O>RK)fS^ZO?gJSGF;M*Fpp&dnYkL>tj0Y*-={BY$Y^d^bk8NCYqDOC&lo|Q!hHT6R!OH_| zFZ+{VA$SCHa>e>Z!{7A)+95;5xY|p;7z*wgV_tOmYxKUKK!ywA^QLq)oqe%C(Dkka zQhVk=#tUNdPjPDYs^c!&I((?YLlfU0mO;|Wu8GT2u<)B9!u~`$KaRW{L9_qbub&&l9pwm&h@{*hntcu*-1P#se48;&!3M;?z*mL5n4`DbHpr76+U zzQ{pvvebQw#dux8Ez!rYA$TSD2^ZMU6eheJy#~E?CDGO6yvq3&A01n?v<)Bc`H*|v zYW=X%)t^tewFlk$ELy&{clmVak2<7JtC&C#mSVSVzIUvFb7DXx;!z3c8{K*V-0aO=& zhJ}^#_v6Jg5E#zD0$DGLoX)0b6uvcfUs2RRaLb^J&!bOk=4kYYhPPQ;9tAlkrL>mU zJ+DcdlDB{eJ3(<}wP2C0w|2uVon3W!R;P!q`L_eSnam7~fM?dme>u0wdH8dR;3s)ZW`Ir2N3j_B zM%RxI7xW6PN*dqa5lA}w8gw?<#P-K-IPJ@M$3Dcy2Ts~;45%Q_WvP~b0Uar*9RVU) zf{s%)Pkq11C^kz@Yep$Nw<`o>`t7z7tgR!L=H;&)1%#K=v0CD0p|+?Q_iQ16uV{C8 ztZ)mz#qidiNJB#KrCMUP~bUj}9S1g@=+sx;+7o++4d#nDi+RR>>waHdRPxMBn?gv{dsb2nV0q@n4#5dP{ZxLid;^stw zG*ui;8J>xL!1E{DV0_IjepQiX+!|P!&|41j5TVcr@$FeRw+j=V7~BsVcnVR~+M*Uy zQ4TnIg*8pq9{}J8S98)hfzh@34L;U)>GC4Auod^DL4WkuiZhNJV!QFF&lLYB=M8Su zbRBeE zh<U8-!@tlW{89cIBMQ?LZ@UsY>IvtM z|Dyj|+_=?IxR`HzM)X!3uf1rT$5~_ukROP`RyIZO5Y^z6Bpn&Ta(Z5u-Om*2@P^*q zt`Kp=6D=>&=&$fd7)!ac=Z+28+}hdM8wn;=3g61e$cUiULf+4n?~JLXaFQv7^@e!{ zdYtj*%Ybom`;Y|`7a`>BA@2lj9k9-NxWB;$*z1)ykAl=B`dT3QgY4@>IwNd z8~pFc*(R>sNwXp;z?0zU3LE}IO5>0ml0Y|DMt%H;ZC=BU3+Ro)@rx` zOnq3I;bSeiN+0*8T;;cFL)H~IeIx_08{c6CE?0k~EeuLx^teLv8#?uno|)co`*JgZ zY^cE}k$n?x@>DiC$Lr>?9@*Dky`kNKOD5lsTQINZgJNeqSuu6Ec0(z-3v&|*92x!z zV<;hUr30XCb?@RPw&NsFD-C>=9IHW2)A-R0`=i>dqI!hGzLUAh9T!&Xk$gkEt0ztk zGv3vk7pv(bGLo~k6H#^rj^P%Q71NjumMoOQT#}5JUr_xPv5qw_ErAwjpjNtNrJQzI z`DMiBTOf~>#bJAt-Vjzti3okOvBD7}EOPs+;??QaHRadd_X-fG3MyIw8P>JWW!1wv z=)f*}Y&}9>@o29wb}O}?YE;hhj)R>>M1M0o$%?7C9$x~oyVSVb4Vl|A;mPnmD4T4= zr~B$TU0!>s`3dXvB?V+1f7w!BngKC}ik5Vph?#U`ZU+=`L)VI@O!@<<}&~+xnv-O$PKlq}# zG?+rcUPH2^5TbGf$)|#j_I=`TLx!wHag{a_Msv24UhY9Mc>m=BJW~(hdv3FT(7p`{ z3eO%9Dyu@Qz}ZNsqC#uex~c|FB9xhOarqO|Vh?oTBa!=DQYN~jRNBhEBKGiFu-d(w z;WI-u^NoaeO?{*|1in3SoT0m}lhEdM{l`}Nmi?ChColrRsUQfW-gWB&&bKPJsXhsG ziBD5ag34J^e62xnf+wcW>deu@Wg&m5)kD&Mo|*(gXpZ 
zc_&H#>fC1ET&^G zXTmO@Uy)pKShyrr?H9#58(Fk!VK(}w>MYK5DSk%=X^6}e`0YN1TFwBtz_BU|p2 zPqWLaf`XP+Fr-gY*F9WhKpYV<UO`=dYRdM{ygit`{;P>)uD5PIe0v_|)oU?3;E7d2wQ3&5XK# zQXSJ$`}5IlZ}>61(swU5LV(VihBkMU6eLseHQz+uic9mfz9Q5OZZvb+GC)mZSxW~m zZqzP)2edSWQrU=(Hk=8AUp^#ODKWF|m54*>=R!i2cME^8@KYeK zCDX=6cVb;McIS6Aqb;-L8^%J-mu!LY(jtl%z?Cs~UIJn$5w*@b)Ax4G(;oM}uE+?* z@r$KL57w&~@oD+QgbqM`nba9E=%%rthAm0oZAq>Uulzm2(=0Jxss@}6%;0jorSSL1 zuJ*gN-g3tAo(M^7b~A0q6bU;TB}*H3G#P`i-`%g32pK-y-*n1ov|P*!N_nIe*sH*1 zxG&mC!I3aLRlw!kZM@vdGlRy?4nS@`(N!})qa!udyF(yORUE~<@G?{{UUGeG=xl{XtD3k}|DkGy zk7@HJB~|j%g#%vNGEmz@#yc>5y85IZjkb6s-?5k@A_8Cd_f*))@Q=KGQ}wnf=%W&R z!$q@Eo-H!bbYbnMpDH~^w(x>M34RhxNq6y75A4<5t2A5k`$~lLPc}Jv9IpWGa#jAH z8j1=+%;fW*1wRqJri3}?RlY^eAkime^`a6|IqUvF-ZV0qBm)Ys=JsfjF`bIkgXR2P z21wV)9!FO&S73?!k>7kJe24cFDUVO^Y#kk+RJx2H1O<&avXH?VvR9DcnN36Q({|wY zM;2@u1~N4tx5Btfy2K5G7Tk@rPb9p-<=|T)3w{sw9R}@FG&??w0;3c-QP?!>+{qZ&z9b z$l;i>v$NHzEWa9Oa%R506)089>~{10(R{pE|pNP7L z26Chl{rx{OJHNuKv)K5F{UV+&Q%YE@Jv45%S}#pGUTjUn7+G3R9t$5$YpOOhbNl(o zB(Fq*6AqOvk5T5KWy*r1cr&qv0HP+m{M!?Im?SW#2ctzIrB4~)M?XGko<362aU0bFz(4fl#hX8Vy)4;o0q5_MN+ zXQE)E2X~x1gi=Vg-&nSmc?K1h@e}!fH^DO8?dkH_U3O&#ek-T)1^#Or+0)#Hk)+tz z{^(q|PcR5x6ViX?)gQH9plOEycdLn${*`rU0~h4|WBZ^vzmG}(ND=`>|L2C}BwzoP z`4kiNMd2S+`w#4EJABY~!cdN9XoC5-2~9FG($}M^=mE5UO7xge4FAl~KVKQKVVM4& z4#wtNJP3#bge+m+RT{rqI%!9Wd3Kaeaj9&Kl&zQ^Dxk2pN*w@S8K|3AZ1l>8U5G2joFV9=r;s(JK^{lTyytZO~>1COU+d>gQ{80CLlC< zs?vKx*)L^}r|`qcy~VtqJ-=utwh=8i!N3d?LBnvcf`pLah~{Adf=ME?0v1rtcIRTphUG$3!<& z3-Jj(UpQ~l;xL!Ej;ODnobWtxT(g%s`d9rDB?Jbuvc>- z(wn$bIWIBu&rB(I=fcPOJo|8eOr6b8J{o(}>Qh*FpGm=3X&*9lYi!k5>Ft!a9NZp{ zRc4h7wpYg7=d=)pZi`wReIKEDMCjGD34I8) z_DA02r($IdkBwEFoIHh2GBXqX_U)U5v^4WU8)?kLa*{%m84`}`4_l`(`r%^MoZ%r9 z1AUR1UFm`HVBNd!yZZ-mT562g6YexSD-W~nt?u;F4F*b!{B^~8xDi;>PYaK%es3HR zUzIBEa0kvZX0qM(^?`cSOm7h*81A7TvzI@%_@V(l%aHoYw5v`_mviQ z`j-|7uULXr?;F`uSMiOh%vuwmMAPBtx#bfH0^-hUrc)>RY-)tZj%ddxB5f!8h$;ij{#)cZ#J)m}War(xm 
z`*<-QHp-B+p2-*%;u{x^9-<#Q_7tjCZ;ZONgf7$mot9?Y`;cw6JoRfi3I+%JeL#5b2{*z$_mVuAQ+TGFNNAnhu{J_Nw*zGi`F+@sQvrljwV^m zw9(#1mY6;OOSSCG>y9Pf?)Y*VO|%1|64P_DNp|Hwck{5hv7p#re!AGPkOxjCftQ-Y z)dkSnJ+ND+$qZM#&T}3v=rmy_@<=hKQocY`*Q@aQib~gLwWP^U&96v$1Cj0CNlq5{ z)oiQX`_qZ1rM!UZLYch?rAisDp{hpiVDYBz!Nw&R1s>CdQb=oclS4;uT!w1X2-?&k zn6CC#_T&H}mY*8+e!&C8x-22PfZL5GuN1bYr)A!Yi60Zujoc2Cz3@65YD$IE7P z*UV5ffb3A=63+INaSA3(=4(s|o~-kHM^ost+w*O*^-0s#dYf**!6&865itYTd|&k5 zpsf;}mgpEgQAQ|`#|fS?Uh9?rUcWCBZ|{Xj;NkqrLRWIFMuVV4GU9#uSW2S_w}*mf29tV1eRZpGA^$L3p zRV?6BXB8f=Xhfz}?sLw^)b(uyI;AD{y^b?iF4+2q_)5Z>>@2>-7-%HWQWh=U>RWo` z5eI*>-l$;ETo@wKnj44qa_>bLw;|3`NX@}K)?TJ(N#YH+#gTWK zGAU%xw!D*mD3FGXNywWwWZoOV9E${P7W45~Jre#N-5~eD#prvJ83(7im-t?*$El^B zV5m`1>$3Y8Y3IqV$c7k@nr#ak;giEJ=kh9-r+tYg#yHL=ARtwV$a_fwc%lG>pGmH5 z)D@{yP5q_yO1aCK$;60;`nE`@UVCHtmMYYBSZ7$rgO;}|5#x97f`utl8LG4!ynwV> zSRhL0ET>dM^z(Fh^O|I{`SqbTuIHv2h7FGxtZdcU^4Lk&^nU9zXC=p|AGiFkE^#k2 zTvdmc5cI;R!ytZwbyq7H3kWKEaH;$>rKZ)C>eBGT&0%_WC*5 ze935^Lk{%qsZjQHx%cwZHwZ<@#L;Kuv2UO*0?=(ePHfKPAvtP=X=+?zXD~EMGN~`8 zL~hJ|<#RZc^E+wB6W*Fi-~Cb3o$(k)v{phfU!bdTqCk#dmjL_EMqoD{~S0SfG(4a(;ce{+Z(kRi*XPRihw| z6w!%Gk%_(xlcT{A%?JeuX3asiJhKs|2K8Rh)i@4YYJ(Ik1_y`wXHTM5x>%mT{m#n;=|B?e>^WpIA{Ztk6V>uJ`gU zxWK`(9)2&^BHmL0n%Km%=w9xS4KLsas12~2DvX9Cl2of+*Ap#`D%#y-Ke=ZZ)t&ii zBTywS#hGcxviY@VCb{$E@4h?>d{10z1M${J$^~<=#{4=%Fg#AJ#e);?YPGj;LwfNm z%;uJ7$`7`Wwzj+VAfAw&GC{u-PUr>=Nf0Ye3XtlAY_PHE!ypEZ-^oN z@sd!`XMrADnspzOC$2Nfj;RnDC`LgdJ(%JON}r7$Ve5GnjwN4 z2^Z`+Zzc0_zdXD?Q2kf}tb6+%yeV73@-p@L_?BjqsFMXqrI;`q%u1Fu&*qEDGYbTY zoj55@5f~g~@B^OYn072wI@KV;{oo>Y5miNxjVG=T@EBvWLh9*Yb=7JBR-SYmt>!50 zBm6A0s$bvyU zu&^*&*0z+N>RO~KN33o6%GZ^tMkwq~RqLqX_cq>SKV!1IFdF7r zx{w*tzhg+;ma<#}g|i4qbM@S|))V4w7WUfP@2y_{77E{;zkOLi6oDL{kIzxw!bm!? 
z_?8bJ!FkgX!dwgGIm8`D3$x4;f06Qm5HC6Qs13wlzmOi+aD=DM8*IaO04$GeHyX)x z!K1k`vhACUBt+5GPPWc&&sItE_-KtaR>1JuXQFV2Vib}hVh#`ehBZ*5H8=6(u;mxk z&TO#y&FgiWPLhB37jOnS6hf}Vs&e$eyFE+HCi^=eI;f!YBtj86YBzjuz-XSxvONNs{)G{J32KZ~!<`Zka#85a?* z9i0tk;rSVqisN2Wxm-l1dt@Z`VuN#o?NpO z!m$Je87XmCU=ukx4A5PIcriQ0CBw;>xFEwt;X>$gJtR@=T)6j0zKMso4c9W7TymNT z>;=V0qix8G$_+D4<^7C?l{6GaYbl#@LQ7`ApabQ9NVK#$Sg&hOHA7D7~Wyuv&u!EcFD$zs8#RB>y%(_>6(DM z-!i}+Wr?jrT3)^~-|0!2_Qf6Dx%xn1s%&Jt^_Dr~xQ22z_Vf}VgT;a5aNMOW$@O>w z91~q}KHa0`^&#)8@F`guHK`M(-NS#T^xq6_yMPKDL32m7eAGvAdd2Y4%B@uPw+O&r%>f zyhqo6n&ShtjH=qYN*A3y zf)F70W5If4tLgRqV*x>7m)?>M<@u$fpf-ZgA}ZhJVsw$q_Mt!oCZ}H#>&pOiu)9FK z_$-|Fu6O8oWgFP4&WkrxSMj7N3X4JKbj#Mg783KT>QBIPWrhsYaNKH{7vsl^ zfdQT#=989rhD_4kQ&XXKYcImK;*4FQ@Lq?HXnUg9r*arqL1{o8+h`YVemAEw!QFnK zm7aS0R0Q~R(d=7eqD7%K%jwEzhU)xkV6+U!1j_$D z^zv2}0)i7A)*MZhx7mzG8=OH+QM(62<$2We7}Q|~PH)XIV--&V$VIM3i;mYFud4uy z)WV4@K5O;36cd@xdhi?156wAdt%Vx(l*ZV7$KR>}=(Jx>JE_X@b5UF#m@ZVm&E_-R zk+aTna_FTPC78XMG{nBcfP~A^G zvz|9@WzCz}+T1<=ZCSUAc-o+9lIFTUVIMi0Cf#Ux=oN3}mKM?D@aI#cEG|DwRo^T< zi0Jh-O;RM=_U$thy1=pdV*$!+^ z2P}C}NE$KcVIjmyyNffRj_c=UE@?_<8~@;5NcKHp!LBNAf8kF=>FC_tyok4Ts%k6V z$^(OgDA4X2$H(cfcI_pk{VY*-2IR(2iL$&Gk@}&sbIt{2vg^x(oR+HGF$fT%nz%?g zo^~LCj$Cc;ReGbZ!yApXOI3-k%|hcCo}q0caIa4~ML4}a;qEZ`?@GmhM#K3TmlK#V z4{c)D!<#ZyPEY8Q@2q~YyXGr>W+Bo@YB$H1ipL|Jt$L5|&H_#~)Y*cD@5b8Evp?4K zgGRO86lO2xxNxBrGtS=43xJ7Xw5qrLP6sb|L&hIh+ReK^6AU7}p2_8ZC%^ODbF(Hi zCN*7RQPz_Bz3Tia#yh1yNVa|bN?zgNri*JHM`*r%N8s^%E=N~TKg@JF<>EDn;XrdD zxyB-p6Z@CG{Ek*{1m55}SiDWcj23M?DJB1{Y+Bq`2vwey%ms8l2XCzan}##+!2Fs+ z`C!ItNZbYOJ&>r=JN4`Qg~8Ii8z$o3!meyGqrCk&QCka~3O0X*vRGbwp?=%yvub=$u(LeJUh|kw7zH19ANlEo)_>XhEqt|aQwdYTzG%#Z z|E*(RmTzlIuN`m`XoJ1j4xnF<@zaP!G{9i=T>Qx8lA|-h)+Ut5Wksa0Rxa{Lhm3FJ z_SP}XzsKAX3q7RHe#C!(>E93u~3NOooD=kvOe z(=2@yHq58#_kch{Qqdj=ia=6gVicxB+s+B<;R`s7>ri3x* z(k+tTp)xWo{NO{-l(VtXeZ6hQQlPIk-k>M0O|LnbN)~it-Jc!7^c)mXrdt$?#Ti>0 z!mwpp4XLuZ%eIa{V%ZfYJ6snIc&Yg5S3i7Sv=9b`o)*m0=$j$t)fL|?Dt9@N>5M6< 
z(QT){KrBO1AWV?hby!R_{{&6~D(Qq~eM4`>!y3UaDd2T5B!}PTk03zfjMY07_Z$7czh5#0c}qAdEj=H#aAu zzGur+#x~h}TNrHtWSlQ;gl%XPnyB%*qpD=lQpz>4JXqD}a&%tXDa?DaLd;3tT-Y@a z<(UmNCc@%4BQ3MOyTH@nOZxzEu^$?nFU&{tyMN?n>%m}-EUTooP`i``BVo7VUOb+A z&HNL$H$i9lk!*}+&1Wlahs-()tU!!N{p(Gs$TUHnaK6rIy$mL!EtpO#Nx57%r4aRx zAp5N`55T7EsNpbHj_C15LeyH-rYhF$4z7H=q}S$Xnek;pwkqyVdG|@z-AHggF=jio z^P_%^@DS8GSJr%#>eUR{&Bc%n_>8KEDS5=$I}6}RG{(o{p>pyr>NTc3&O};b%!rLDCI*?1S-b%FZm5AUL=&JnCohKOVV8lg*KT zh^gLMR7abnih7Eb(L_`Q1%a`-cGHIsQrh~9 z$sp`8l{Q^vGP8w7>aWF^ph;5Z-!Nc|BPRCeefiLC;=r-$B#MZVoZ^oNGO~FTFk;Xh znu+oM8&Gx?kTkwu%uYFo{szhfGoCK_2 zZ|&WOIG5}b<} zht)Fq0hApeZ3hCqsW`&?Q@g(zysV_e;v@7L87V2&+tC~&7Lc1j z^&bGK`zq$@xJtGmY$``5Z$qu*-hjV7p`+!_MrUpDPj>y?-Pisq^4C|Dhw~U8**b%N zb;5ui!=Pt>yKFX^&iey=d#ue(4)@dR4;j$V&=ZA2xUmc>pK)6W#}dD6Yfd{D=|PCL|hlgdpzKDVD;fp2c4zlRTx8>jI2o-r-v z$~##zXx_cfl>;oh*S+nq{!ErX_SA+VSL^K74H|-Hv9i1ldpf1y;cc~Fahf(g?VpXTjqg(@yCZ#XV%7qX4+$s&4*Ry(YC#(6$CzM0fP0j8Ta{|EnF;4r$9 zPxUU6U#)@Xj=@B9BN9(aqv-&T)9I?{+-R%mbOqIyF{6J5)_o*s$Dq1h3F?1jXL$ZS zmag&MzH}U%gg#=gU4 zA#g~pNjOQ#n_T5(IGL2sd;3;ry)-h1P?|A7WSBdzY%ngX@X(^b3kyoArjW5E8AvO# z@#yuxIFp|sKeK50NAcHnNUF0Q3pY7F^>_OOSKFv&7{hGz_{oMYzOf{{7%hE z^WLfFi`!o;Bv0{PmhEJ=4m3+ts9Vafp)(gfkC2Cdb!Gom_`UZ>Q--XGupi>JMQeIw z{OUH<)j!$|;)w?ChGuQ&tF@QK2J!!n*t$US$hq0?96Lg+aGYQ?-$xhl(-;aaS!l{Y z&raF0R10XEx~;If5`2tfgBDOJ!ECqU_&xg|R9NQC5}H5HshbaB&@XLGw(8EFl(Mu} zX?tSsq$S(k>;8qAjsBMo75+Z;`Dsfl?MsFFW7?ka<8t zB+@8$4|=ga%RYAm6&x6F?P9}_#ui)SB1kkTotg~YC6v{BJzTL=Z3_Z;nn%e#oky^8 z#2)>o*ut#VU$LI0OB!>2!Ic|--Z=T&%iW(vf4TZ02gXDN#;9>dY14aO`=PI_%zTOy z>u#Y$_l&R2HSm}{5tqc2a_M9I0?)@8X$|Qj2aI7 z(!i?BJIs{un5l*+`y9B?;zkC2x~Pyn>*5-Yo z1_#Tr=u2P#oJRaXUxOXtR8~#|u9y>uY58*oq7Ji@oMTn+(cgaiUN(B8iosWjtm($g zeiN)fM{zX&M^f&BW{!XvBT39KJeowk5g#ETTf~_?k?GpVjzqN8n_s-O=0r9IWs){5b_d zsvTs5lEt@N(1g2Ce4 zSRhJc8sX|&z{>=6h?G>@D+r5~?(~F(Fx<@{r$G&iyZxju(pw}uIWFgJ`@q3!IhgAz zvXb*sDTV7Fw>lLA+*NQZ_M}iQU-V5#aNc#-)?NjsF{RWmIuGXgW2c|2<}3Ng)s1Qn z$Mpfpi+k~nS6hU-4?WG+CgH65$@3VR#qD>Yh>lYmzr#^I6x=B*EQighGF!3M6QuC6 
zptxQlLA6h%l;@Xk_lGOO-nU4!Gk^o`mh6&hdp|=I3@-Q`qq;k7m>eF-*{oOlcF{>L zSfRt?=w@Xd(R1yF)-pcg6)rhbYNaUVH=Gz@L}2v?3Ypl^v)^cH zveUh+kiJP z&d~8&%RrUsgbUQ3=NSSTb^c<35PcN?`7jN3%)+*|$Xnj2{s{@}V3mZu*`b7FRX8r? ziPfnrs{_`pY)}woOo#3}8u^gcMn_4cieFAHmFqNR zM(grQra8P{)%l_r)-1&KoW&|PeIfFxKVUDG9&b%8hNK^!y$&a6S?D`@(HjIJuD?X) z+cQDB9O`9>`m%fV&4F%_Hy0CEg}jUpJHu(8%|4Crlvb5$vv%vtF*7A|YInf8X=tFK z1ceP&35Vi{DAs&dG6-x7iXreNR;XOTV=HyTJKY2x#JE;d3WQgk`ZZL&o)3!OB#wH60QL_o7>O1TXqJ)*`THNL%Zsp-(9t2& zlGH>ij7e9KBa2M!XcGBf^c6}5bbdd){>Z<`neu0)1#_CA+&(xnoSM9Z4OliM1dU&)YXug?1M3>sQsRs)WV-T6A-D_29L zA7<8X+awyjg-8YE63zazYhBUVP5}RdWmPIqX}ZU0gzC2HC_Fd2^KsQG#$etuiDOE| z@{kK{p2gIW1Fd~&f9>V-(zW3Z_y_h`Mf|53v7KEdyjwlH-|ERr;ycve;^VK_z(+@( zcH=hks#C%DKl>kQQ6H?jM82VE6y4!`FSjB#i67NH8RS=UCqby+J)5fZ=gcJ1>AKt3 z?Db7-H?A`6dT)I4NmQc*^@E1H;guAtz4H`WypBZouUp&K#8+G$&kM4y_LPok*&{s@ zc;m50PvN5PI1+N=C`EOoCxH@?TzT7bR7T#IiA$G9&a&#j z_055WA$hvy@6MRY`Fr@?gy1!%`>9G`GGh>v@n^i``dCn5X26-@OgeI`AU^iP3bLCc ze)srU;8Z`+P?Dlewb3cg`$-wz#FHcErSq(IY<3D;-)-O&`` zeBuK~Dtap{UK7qMZ|}$|u6Ou5k7LHK%ei6Z=?pJJI&3?Z<_HG6Ejz>a-I3SxcYng> zR-N_?Ta}3w(&bZ?{k7oW%#d3tc)@>v_VddXnW20W^b78eP-|@fr^cx+u(3O&kvnJ{ zBmV`=QktL1F*#G8C)Y82Xju_1gp#36?XvSD+X3ge@|ntph{W*@;1qhiTJbH_l)lQ0 z)-gDYb?&g$gR2&MiPS+9HHNojwKbejyj^9RX!Rx6vtV5M=b&$Yx+tb0fi-@IrE%OCEvY?q$p} zp=NS#IJyp_$Dv!9>Ci-p0n%zg5ruA_P1wElg8>E8w`?SU>p3(~-93yE*T%zKxoe6z zXv@NTyPBvSbf|5cjM4vS!)MsJh}zvamm}d32q5rs{2nCqi5+3B<)A0b~-DJIIm*;Jw^Yb&F+=IH$fza3?>uB!AG9+qVP zL^KTRqBR$Ea2L&-3O?38s3t)Oo+&xN&z1328h0OBUYb7y55^_WzE$D*lt| z?GJa$r<5$F%a?7SMrV?*;#Gn+H|(LiIFuUlOi zdqx_6`*45ca*P;5rZeofsYJ0=+{=TY{MG-6%*9{R|J!8#-#N4r83P_#3;R};HB}#D zF<1T&w9E11y8VUW?J8w!YOf{0+u!uGmK%vkgUK(<45)W4)G^QV`&JW42Viy)Djm3Y zJQ2CM=xlCFn%s^DF@L^W$SzXsbdz=&2?_dT++Vd=J~36)RFMJz8zSsN;Fz2REdW47 z!kxtY{}4|aZoD$)iLuf_WWocl@w%_hNngVMZa*;p$i{G!@ZUj`8-O)Yp8jGxvUfW_ z25y9zInj0De+J$IK8um++Z)I~HdOcT?p>RXJWb2#S=NBS^~|oifA@c>5XzPOe<;a` zEHPlimgD!lZ*4^|hAkMd6UL2}&&cBfX&hS(%gIRqgg+-dv($n^WG+O&W%k4cjx2T+ z0ckQK@&MuN0d?wbIHEsn=WPKy>y99P{>&D{Xr##8qlPrn*QZ5W>t}RkC}lx0SPHMB 
z;r$c&Jc|-=#B;B+#?ue7?TkU+lnx~R6xc}EHg>52W*w-cz$c(@u2s>BwXfAzdHvzf zI(gF(4H471crU+?r(Ns3RP$!ME)AJCsh=J<7+lMynoQGCu`-aXM={OV&};D;F1Q$Q zn`L+lX<8^HDWMZs&z1*!c8a}u7|a}j<6w!=!7EW zm+DEL!6uqCi#U1u#iQ_=R6C8hiB4C$+vaxk-6CM5>aZo7K?_EWe`}!!CJzh`b@MU} zM7q=-P%iHBs$)$5$}w_Xsv_nM^b}MW0$HlprFWy0x@7mMB#K-c44$(^DO4+L5$KT>lY816Jz2 zqLB3um!w3}7;JC^t^2RXPFor0F8J=A2Tb9J>(Uby=*V-Ca=SYfKZ!0&>{(gA-#q{$zR~;o zo=H4yG(T#;pV`JU+!$Hj0q`V2d6ybz6V)P)A@h02_Il88Z>b%x+yjy6kbNOFXDbO9 zd}Ov0J)d37@tNOLe;4*&my^YdXaM$K((lnL$saEfN6o8N`KO}RY>)|W%meDR-m@d( z6S0AoV|)#&36oe0kn^3iJ7?;l1}va14nn?b2GXi2l>|mwv54i3h_c&a@zv7kxgL+x zB<7+E26=BZ-v0P5ZMNtQ@M}_n&4l6ZicjJPy!i_bQJlaz@_8^`x#MU*1#7QalZ(#C z?UxQb&yIvB2|ZSSsfFWzTSl!W(fC9)``z9-f6`kYhj4^IaKMw~fb)Qnsxci6f3^16 zR*JJDmecv*+?D3Jh_ebL)-8o840lm7z?>ww9qcQet9^YLZnBiRbDz(1pHv&p3M)ZM zZq$-X9u=G88%IDxR)4uLv97)VeFS%;+V%i%rfqXRVS-PU1+&xN0hgny+?}5ae&vsD zE_DMH5gxAx)e?6ZS9z1-RJzgKXv{~2pUN4L1_IJj^p>ezSz12Z7UuvGHx)8wLKBTN zH!`7xb}s}9;i~|#D5CY2Cu3Be#q-8`#2poKLyHS zR}`yfNJfJRSI-nYXKlz1A|6y3ZvM42b+#*6u=sp0v3U=jm&=&Dz)-R9MGnoiu81uN z(p^@j>A2ppxwP0TZ@cYnh=?C43Zr9~ViLw7Z(owMl!ICr86*PvqygL<5o9K)w&j=W zeIdJmJ1Z7!Aw>|?8zl*mMlZ9|uG%-iRv4Gx*%C{p%mx`PPg7*5C-t{q=4!){ALR<| zCb$lbCj?lG8TJB;T^k?s)%loY>r+N)?#frz=`q)!Pb+0=EDBnEcYs zHI@ZF1g@yb?6cKJKQaA@jJVA9dY+$DeKtpBXfp>dqu-y?JxCrsf)st@j_>AzhA)!l z&5$>Ml)m&O-Nt|cbeSRdEiT)1XwFz};1X@-cvn9uZ+fiU-f?5@xq;_9%dCB$9(IN@ z#Q3IKJxqF2v*rB_jj^UU)RmO#^8;^qbvhnvgrB#^@ZFPs#<6vEEs`Vk5#ad+a}Q-x zJ|dO0qnyhtu7uNr@>Rkd{5z>K2Refzn(+qkzt#l3Be86-?y1>8C{!6qvJ$(T#oQeh zzrO{*r@2Lw3QS-QE0|S(yEz|8=3zCW0=)bU4XD^aP$RDvpOwi1`w*enT3gS68 z1!LXI<&}q#Qv0czwiT1USzWyokW2mIiUw{Jm;K=PYmkW6G{z#4+(xmYDn+B5Nq_w5 z`-bj4$->vrY$j)ex4oYG6~06f--g1Z$i)n1$?m&10Z2?WJd~*SQ>Ly)4hKCB^W|Og zK$W%{o1|UufI1O|fHV;qtLIo@00)YEaCn3Sp=eRBfjFb@C_MA<1?8a++XFIYnelQR zTY&B9vsM^c=(lc>u8VQ#r7Sx-8TnSIl*0^w#ej(#PSW?Gu6mD|Pu8oxI4fe8qvM?% zi-`utc|yT6zm(99;n0N3MeWx&)4~QEq9yt@b%BBI5bP`ifep5F23XeW#KBZZ8GDBM z1}N#a95KGqac+te6rdgRPqz~Ca$NAu86(hmyzvOgpolm6X(LXPo 
zI%}mq=CSs&wsR++x7_^TR0xg?e!;|+dj}evE(;HJ^V6y?wH>pOn7)z18ZO>aS@}Vi zB4pHGaxeRr-c9ElSmH6%n<6xTbHmOn2ajDmJQQssv_g2)%Bt#y*Ciq7%JHz~9(Wfa zD)c*Ro6W6_CLM}Qryq;;@HidP+g>~hrnm@m9XF2o95!Imu^~jVzvGMryJoApQAxpM z`!w58=Mt*WFA?!m7r_>oAq^)cuSy~;td1+Av0%Zh@dsa|l&yKc%Cn+?j((kLsf3h~ zh)t|+B3FCArJ*{bd%Up+r~f#OllM{lM##+k3sx6MHlujeN#j;Dd)pyenRCglkn}1O z@2ONIi~izuE5)Sn=>o@{^RY8*z%@OKfraYI{(i>xYqn$VRbr#V=;Y)iIL=ySME8pm z4Rh1+&xttK3eaJKX3e0-Vx(X=f0k@5N1b$9Z+!KIKYFV~Y90hx%dvc!SZ1>OhL*6D z`FH;MZ#JKk3?7d2!sII|>I6UJ=!pUtWF30HoI>G3#GPk9HO}vSNUj@=WHW~g%-EkT zl^iY=$eNKvvsHc@TlMT?S32{?^Y)aD#uz+(|CQ~12yqn}8agtX-MX;c@8a*MeK%Qi zN4IV>Yd43ENWURDI_%Kne)%3F5NjA>Lc&^M|A^Rreicv2W3z(Amx#HG5hLW4XyfF} z=&I*@*lwP0abgvNP$-6^+j9CDuhF?4^&M%a!r%yT*`#)3Ivzl)nSekZRYx(`$MuZ5 z^sTkee2;hSU3%-%g6s5nsh$?1mFCE-=5NUyBjyw>XgKdV3l!Ph6&Q@Ce6P`1BisSj z0f+NYGJ`o8#Kai0*&2FdEowHz)HdfjO|P{F?sVpqiI!hISylv$h^a=ZF4NP;gPi#0 zwhlL9Ew>}0YtYy#N5xpInaq0*B?HSoLX~&_ase9q+PyzV*{VFu31+INI`iZs%xKi) zR(6eyYI(2IpVTszJ4XZ;e|21c7mzqVZ=Yhto44YcihZ_GZ zXQw==;*q8jVC-g6r}; z;pWjy8`orVy_bby;re=;pX6Myt~r0ez2MkyYaf|{Rq4$KopQ4~=_JFk-3_r_lGY*H zOuu;vel=S372VQNYS(Z2nJYeyh6N^fs1zvpy~`yVimfA7jwKzTv5#;O7PX{8r80XH zzuYj2y;Fx}ucka#GKQNLuTQ;^Oj1|klCRkC#zsYii~I-MF?_3g1PJam9F48QbGv@D z7PuQiqGIkjex)0!9j{K4)~L2kwL^DaM(e_Hwisef$*K%Rg!X znv4L^iqaqDdH4A!(3`B2;oDk2hG6R4$67sT37sfnFsMf^t&T-Qw#yCTp)PAYY#u;k zvs+NyjN%NB`*@l*xWh8EvZhU=Al5Y4c$~COxx5ajB-XZLVDj_Kg}HGvS;{o7I(p#k0g3q*{N@OjIYI95j8)G#!g?;w+BXDE`zA2T7ij{u_^!xt zJ$3Y=p`On0fbd73F`icIcO|hFsT7v++^<}mWARWqR zQ>e=8qF;EqR-Xa$0}88C?yQHuGMU7yXw3(@pmZ1!15t|=); z1bgc8o$t>W5br}J?|#0t*jWBcPdDY_$Exs_2W=owQVlIQrY{FF><8h zH{bB6Vy(X9O#W%r*8+>^pddvk#{_h+d-`=+Mf}%=!WL^767=U1ZGcbT4E>nc`JH54ep?VL=Yo#ViI)zPndnokp zzLORIB)!T}w%T8~dVe@wrmtMQ)hTF+fWlrs{T2a&` z%S}VK$F30TR^iVe-v<-N!|7k{^#t9$$_8WUD{UCV&z^sqOMFI=o-QfB&f*N$?_f=Y zO|H@DWN|9TPT^e`U^s<8#b^j~s!#zFtf3)^(!~N+g};>%LY)vl+#8*;PCE8cjHtq{mWbbOs9lyE$AKKmnD5`F08wCTrD4>EQNrD8) zIVS~FG6E_&C&@Wy5ReQ*<2&RH@8gMuW%u}qF}3S15bzV~*eAs=?JwBq{vUpA 
zNRyi{PZ*^=0MmGIX4;?T45;evYu3rFo(E1SrLITx+KIYifr#U%EA`*|oS$Z^O*=fB zxBU~BSbc!!-L;LlGbI&_72avS`Fl_D6#KHN?ZD3gb73jB@6F4tMt}U|iC@%{olkPx z^(cj^aOsTI77zuQsH!ij&n;bhOjPblwgvTwJOrT)>zTWZIs z?U^QYlw|HpHL~kL;OjpWubCxRz|m}L;1dVav23O8Vn+4m@tV=)l4S0O8=}M#x#5}~ z`dn2nf4i*2$XiR?tNxTTA(ST9V+y`HVYlNgqnV3|=eYe#OXr6h6S?1n|K$Xx^fgp) z;1(*?Qv##5FojG|ISUif=!FYkO zHowD0U!zOKL~?zu4r%|=Ij3+LMk>F<(ExV?Fy~pj7r*UmgMN$(w=rlXoOE*iw}V1E zFPRw*ojsw{&$@iMbswB`(Dd1feP`rGE8Hzr!-*M1HkmWmYS#0Iyk)DByvT-|++vrk%i@UBo$b~6 zSG&f`gHU=Z{6Mx^IF586+k1(ej}p$qTi4kApljaxpmi-U@pQgHL*&pDyuF}yJx4t_ z#_VSnkzWb%*C!ESD{+$nL-}usT~C_tdqY_of&StVzGWV zGoxB#WQ-;q2~4p6kZ5+OF1lu_UsZ(lU^K)1YO#`Xut1r`XS%`3ZthwAE^W(E1*LPe z4Dr2c;aU)dP&b$vI_u{$I8aZK+99Iuz}9UU7dELQ)1p=ynnakwlDNzs;NnVyS3j36 z4-FmTlBc7z`rKUa+!YZ{i(^t_J1)XlT3Om#Uy4ZJGkbYke8DiZ4Yv8jEHtll4D7-| z29?qcj>swQnVO<~7D~#uflxfZ?(O|)$JHwKdW~XH$s8!2n4_a(hAp$Q%(qLc>H0)I zJ7ad^8Ai40_XA%9kbNry$>Y@?(tIx!TE9MI)b$0s8)cmfewMvU$L&rtS2b63`bUY_ zsOadh_VvB#YR28_$!+Y{F#0#JRN}_T%>z7X)n+|9l*t;aOtbikwQm{voz#hFf-YtW zDt&CgUeX{k7(Fcl5HB8TV4hxih+|0P*f!o{FjU*$FB48Cq?k1&S)@h)u(?@e4e55Y z1+v$mw> zoAwu-FQSYI;VaJE7C&2m0IbZC?)7T|h)TFMKy964@v9L~M`U3F)5H97SYa zCp+`Y;6m*$3V;o>+pu{`-)XxA8s02|B2lEbt7By2Z6!mb3xr-M&itD*4Y#}A<37W78H24_XQr@f4{1Iaay1sIZn zj-!&3+heSRbM3l|U-UU_jr+d{A%K)K__rqpCJHaA^E(~HCG%~fzntNZ+4V|!x8!oP zL0#&0Vu?*6adNp-TEC;tO9-mq^z}1K}nUyoBhL?jW1Oysh^TjjJ ztRZVGr~6atI1)Lm@R`&rjed}N8Nyd&%_p0)Niv`6T#WYqxUDHJF53I`RQ4h>1T3}| z?6sV&ZMh9EY4c><^0Z^aG-{u!e_x%QpOc#=01>D%<82+pv4#D%Ej}r~ePJyXZgh)p zkkNH2A6dSaeEMn(xKF9FiR4OYMmwsr*F|lgYp+yny%h_F%d{3M4h~LlfB(|j_a`s< zQh($-WZ0UlBm8z+ln0v&&kb+q<+-8u^!3p@7M0f4@-CQm;7#dHc5=V^g(>4dnYC?+ z(h23?$;f@v$29KjBrxSqc@aC zrTsgqE!6j%&0zvH1n`xCl_8{Zsa|%?a@otUBu=wYUoNwEW%lc$Xjmko(KNCX@kvtY zch6%@%?+V(Men`T(6u}+TR6?fBRLuz7dNe%|5D-RfR78WW$nl^*=iq6nK~b+>7MM$ zFG~FUuDHvhaXXj;2V{`fcz4)A*F89?S*-)|z_055^6R#y4ad#zWcI4xR|_mx2769O ztvWWi?40G+p65SzXWh30k1T+b>YHvno8->59uAvXmQi%f-kUkK5k&TIgu2)XCUaZp zZ2X{mesa|oxI1s#$+~|jDY(B@5t@FA-Ew(s=HIzEyO+lX$|W4BE^mv;@#-Q_aY^94 
z)@4d8D;ue`oWpvd#tIZ;XVU^*n>v#bMjBA6s=jUUXPm7+G9z+0`AB)fqTZYUl5~Wn zd@8qp-f*xyBLQk-?C%#`G2T;Rwol_XaJA9#25~tdFD*So0x>S&EWU zw?vd*)N$hno;Rqn?v0ajGi*NPF!t2`Quu*rQS)mDY!V;b5N{WUW`@X!Yd->jTR~)8 z|AkG$q?0*AwaoLAiJmlv>U{RD(<*}vUuH_m4E@r}QOnU!*CAIqLpmXbGf)2I%a<>j zD`TSAs+~LrE-XNhzt7e+_gvdO_~RSA*lM|)H%!%R&3PB*n%@8xd?0xUDC#c&d;kvdNlX;N9h& zI_8^40yK0HYX+GpFec}B5ImmH1D7&)5v~lRYo-N0G1NuK7U^sT|62FNX_tXo63sK9 zQ*gz#PEkNfNdi)E<`Fwc^d^USk2SyJ)@Le?P(r9xYX2S8wU;2nv?uABgONw)dP_MehW%M5n8+z|CwGm(TqW8lc zA+5V&Gn}X@Nt*9|i%@60YYBA}@ za@0d0<V;P?w*tyF-n_TOKvWLf)6`}}MR~Ys zFND7JrP688NAaXnSBxy}^_MVG8TI!^_*t$Gfz`6lC6^p`pPduSM{ywVhNo zlL6jn`qLzW`&@54Fsx5Di#ed$EekulyYlAzwp4hSljDRh*ufx7W@Sup!b|g{r4utq zL%-Xyu{jIg#z>vSt<^9r4W(20D$WGp1o#)Ih-i{F@YRn9QLw<0gLwJ)CU{eB&yuOd z-E^|F{BAoj!As(~9D38KxIr;|e~@wVVLx+0RWe93wft!l6}gC@r$y0uck4e&WJyfd z!~+K6cv?7WIprr@2hRSz#!^pcABLv0F%^B@h zFFSrT>M}LCX?_@-R#jDPL?BhbbTbJ=zq*yDp)d#IJ}?C- zc52olP#NNs<;W#}{bBNARhm#FLx-*$)M{4YE{QzdjT&2?pm=K%4c{Hayp4NBs2Kyc z{8uuM;yAN(r#=OgPfu05cnC;;;lKr5Z;W^7>|yx^69Ygt1KsNc;Dw|()zq&K*!}}H zacsBs*&SqYK&g7Yik4!@^C6Y%JfVC)thaLOu|I&drC&)T`_hT*(6!7sQrI^wTYiB7 zxa2YMV~}2Ym@r=7CUk$mxtN0FI`0LWVt_e*o$ZN#_4aRDyvDY9Su=3pan}-7U*%Cz z83@|%kR2jqlguL>BA`w#`H+e8AZp<$SouK%%|vz4bulg4cSF!cq)oV%H!Q;pG_W1E z!BUB+6LAvS;tleR0lD}A!qZ#1uY-O$x6rDiZ@soa4IX8_Uf3>wqK?}S04d_4n<}nj zwV|l`ZeBo55+D|VTEwRYl-Kl$hON_p~oL1-FxX#vu5UT4`|&t~lRleDg{?bRg) zFPBUc*n*Tu!Wx4%IcWeg+h3~$ZBhO4@OuqF27Y*r+$uktq_)v3EwkD9`R^6zE0pe4 zz1#uG`d=;$(4WoQ5MCxLCspH8U%&zA{<_bpD>VOCvI=Rly7eluTn>{={|8`1aYV00 zxOTfJYhBi*d!3lvAKG;>yQ+VMvcJGCwuUd8>4SiDXNeWfX@-kVu(9)U+WOF zi>3Qb9H1LA^q;qNh&=D(XWBiL&9w!H9SJyBA0pN-)Yl3g6xf$aSV5(w-l$cUNz#pPfcy;JG&b z8PJZIr6DbvIJs=jtZKACdmmy9-ueE2facjGHCB$Ggo(P(AIFx6-8gMX8f&cqEHvR9 z^2Rruw4wCkjta;(A|3>OKfy}!~xn9ynMl^u!)L%d7wC8VE--#VVw$JX6cb;RJ zF)SxEZ5p_GRmuTw>jR{wp|HlEU1jxA{PH&QX1V=7FhIO2Ai)0tI(HGei?NR^O8_;m zsn8&8P%PE2u{9%$ssg80gU!I$7-88kT?hX80@~RzxBu`^!NKiDe8Iym9kUFu7xV?1 z4aZZCP)#aonljx*el7QPzT@0&2F2o9zME1>wAU!#xW6Ibe+=KtJgGQXHN?a1XJee% 
z;>1sDoCS(_l(H%RupR((RZe%J};M7*zjKT5uxvBIAxP8rn|7rbL*Jds)D=y zUy(b|bdI^G?w58@3o(y z6%3FVNH)1*Y|S(!-$Wl`peD0&n(*C*)UwtJaWi|op#KFS3~fW%cZoQy|B_AOG}Jbw z_h4S@24xz`K{FnAR@RnIFXZ;&_GEe;+!!!L&p;ZGz#O}ZK=6F zFdx_MhZ~)U{hCfI`&(J6j@OU=wQwPucR3=1w@d$vcmk_^YLe!Cdg=^Fq0aFdn#knn z_S|TZ1I;mdUqhMa5TZ(8k-vf+1}Sx7?BjokKzT|iYtx&QDcI<{jVJgb7rdz}1L|xm zVJF~yBMZ|f-Q^CGE0H7>qX1s=05L@RRp4 zVmRen|AEB1O`CWd!0V%3nMyg$M&M4MS9HthY=F7o8nWoA9cHy~F1i|MsHi{!*84s4 zRd5W0l#i&wGr70>VOITKj5yYVMMQo1W}pPt3O|wkUAe7 zT@97$iov#ihLyCOQO=dcbPJ-^acxA~v^Hqj7ZisSjC^1dYyy%f> z$XLD*O7i{w6LI+zJV5>4G6>x^>*egiR#XEKHE42srEWES;dpXq8T{3~yi~{i_bk9- zKvm=3LJR8q$(4s__a1e5WbQt-`K61~x%QLV#p)JzP(+gO*?!o^ot>|l^(-oN4rTL% z8lZuPxd{cU!^Ci}fUkyLGlkq}zscvfegAv0NWf$KOcH*}z{uzT&}Xr`sPS{-pblC3 zIr9s7uH%>fg;D(5>;4{vJ!1v5-kW5y>+N@RYD&sZMNl3QwX7S)>VxR`RMkaO2VNt+ zz>2@~8@B!xzi$H$i!wuxNa>pc18rbG`VhpM{&1K$4-de&)@ukzrxdP^+Ndg7xqE7BgN)zg~7v+^bu4RD4WU z(m6_ELjN|cPjhCAkz_$1KZ^5-f#^xo^P<;>qIaGIsg(fbFY)v`WyAEgXvKEqJ1NdgoZ=Ry zA01|tF8pqvM#cUGCRJM+8isBauL_N63<$azLQ;bsD7bG4WG3~|Ejn4_{KMK* zqO?={aLhPUX@fBHD{z<#8z&5fs>AT8dhLlq3V-hv$nk>lvR)}Z=Yx7v(AWQnr5=6H zFONg?#+X{enHEVm&K%VKtavg^Yy?zy03`q+$v%E&2DyFaZ9>$lkFNPx04L_}Yf{Fu zFBXPP7;Vk($yHq|?Aj3fy)B4m9fL@^1j^hw-7Pf!7KK%p$X(kV4KdV?YJlr5B>Uh& z9`7&fNhzySn|5h^oPEzb*xvz=Ktc~k1&kVpXB9=Q~A9x9naZE=w`kB z$dlA$!`ccg7oY~7^(pO|I{rnYc1V$f=r+f8p;@ z@Z+1a{IUMhP|dw2G%^shfG5f{xb zH)h(9Nx!G--Q7lz#9n8e2lc&Y)zUhAnB!!-yMHPFy%E;BM1B?o=J6edm=lk#iy6i1 zZ2)wQ02*u(iyYgHC@y)(*iyAfYB2Gr&6kSH&rA0S9;Pxc+KV}KI{dOz;&Cvl3 zul87(qzlx{T{ptO%!M3^Y83ey`O|oNKVfI2%f|@1t7^I>tD3aKUHX&RDzv!e77^DRCFyZMJ**~Y-?oW5lr*V7M~*HDNabZ<0cC|-egukxI@E>WiVlx zl3z`U<3Hm$-TQekf^~;WSt3GAGUwr7^}g(?G7j{BCi8n~oR+FySPq;j>bb+a8$G?f zXsz>4zYxTgS+CYJY;iH^?~Tuu`3*8}c35{fE@F;iy%MMT+IU$X4S#ecC-jO&h#@ofcE>e&p2h&k{?L%7lBuz;Y8Kfs|U>PaH#%gN}8;xu^5qdul!i>f@lM1^+$ z>KMVC8vF_#Juw}*r!u;13&GX4H(wo`c=b_UYR|%JC`YNR`$QV1U`kE1Ck^|K1NB$5 zv3dEZlZY?hHq?rI3VM*zuNYgTT%vWGT=uN4bUJ9tQPDI5VQRT&?X1t9h~XgdUL^h) z3;V{1n63M@;m!Uk$o3rbDl$JyYyPc(;0lA@8_W%d^j%GGG-Ib-RKjZW36fHCP!A*~ 
z-X`B`MsGGYZY>Xz3<88N)~QOf&vP=7QQM5yNxV;denn*c=6sx0^a{l@op`2n!b|oiOjDEt&G4;^|NJIalz!SeOLB4r^=t?oAX4WMn0E_sb z?ZaU0%Eog+_?CX{bX|rpo>MkAOzLbdN~Gxc4799{p;nv4e=%%ILQZz`l-A$L+KJ2dlqT4%+eIevp3K|94I5e`XK=q2j>_ zX=6^%jDyf3_hHW@-}FCI{SPSN0n}a0*v*9owa+j4e80!B-|kfBxi*rOm1R9FTl0`^ ztWuH#O`GS#D>C8%rW&m5w*}mXJ027$f6$4}TfOK++)GA}xcDDWQJRev{VgjF+Zn&FiE8XnN%y8(;K+6Nnv>jYg$g4kaCd3O-|evv zzTHD71cKFGBKsKo;H7$tCKI3W^kkKcLh^44v;T-d ziwcT^X)6P2tf%$57mM=dLVQjN*R$dY(6|nga0bzSrFRQbDiw+9DSKZjDwTKyYLYGO_N9p4+(kyl5Kp@wY zvyG9k)joz|y5qCA6flS$iRZ8d;I*GzxvnT6kNWjd)3x#RJ}fMTR-Sya&Y`ME0Y$#^ z6xrcmdbG2L}@dgbv->CO@-W{5$n8 zkdI{}b7b^=x~tg~UMK(U_O^l-ZpTY2E3C`OgX>de4A*lVt2MLSzgn4r_sX2tMU!~U zFj~Q!66;!h28zGy@z%J)w+h;;vi}Zok02^m4RD$?u==6lyC>`iyH)nQ@Y0eo9PxK4 zVDf8uxR)G~mIliZLkDleLJfPweS?w#=FT(g&Y&%O_W7H~TPE0oUZHXc*=qV&NN$=- z%7D6O`?e#3tiY5_bl>LXPq){+!>)uI zyL<%35Esh~aR+U$b}Kv(+(xjZw$GjLbuh{Rbm2zK+8Pa>fYMi;W1E?M@Q1f`XJ(}d zfrfRa4|tGUs_*FBl$$!$5y?hURMlqfvfR+HQ`xlCL+gN;f$|D6(38+-!&2Bn|T z^(?XIFGc#h$=!R~L6ZRtE_mk?Jb6fNoYjQx&k+VX&e!7=bINW1&8Ky}A07m&Glpp=;jFn6 zMty|>$D-?K>2kRrPd(blEC2m~h5*YZKrA%BqMHV8oinPExs)cW#L)~Nh-=pC z#4#F7#ApRn-JN3vnZdM+86kgiyT#z3yjt&YKPaBk`^Ge{l5C0KVQtVDRme1A@=V&k zj3kq^;U|@|Y+7d4ay_f_J)=JmmrB9F2%@5;1_i$Ic%uuhSJNtL09IY%*o-rqp5Cp` zD?(36t{d-@)fOO#@a;}%^(XTrOCz+~f@7sozx>|~d-SJp-SnoG#{X7h<+TD!mvwi) zkt*Pz3%nNf{X{w5w)|#mLCIA-2%)w{W0vlh0|clModPzm*G2x-sCBgDz|JD?nJgwQ zm1%ZO1W!42+3~_(2Q7;h35FLjmc1KwxwCrZckmD>i~r?_Djym3(H38(m@$|ZWNv>o z)7mD6UU#yCPUyUib={=;ig=o1EH4+%V`In5cpz{`wd>&M9D{)RNR9qYad3BH38?f5 z-KSsgc_3e|qv=;oU{FjHyKWg_;{lt0?A>5MDrvr&ud{Q3f}T498TqV0Z0=QQi! 
z6=nOD@8x4tfQ>%q&th?FCI>*jwR1!nYr!ulefW#6*o^xo9?H*ZKL2FPLpj$-Fs5+Q z6|uPgDowXPd2yoBzKOmB+myX%~G$siDjM~%f~*RgYOOhF&p z4Fx#aL+luXxXgb|%V3h&6GaFjowWVc!PLx2SaZ9wCGf>5PCeGKdriSSGp-Xn*)AYs z2aS^cBe9Z&oCkh)j}U`k`rw)*sozB3i=X#%AAYJFqpwOk%CA-5E4 z|HgGWb4oqH!v5|@SC81wYU zu%fQzc+Jj(*eGS=%w^zOpwWEG;6Pa8yjogM)p?3rynX5MA2MN|3AtIeY-@qPWZaf2 z(7P;1VsCO|*r)v{;`ru>rtNQ{rGtiTYxV`g-ag~p5Wg7>elZjrg}?TenwvTh}P z46dMx!Z8M^wY(6Vux8ekM^dsE40a_1kvHBImjlzgyU*uaIp6=_boT0@&o>(Qxy6vP z`O<`%irQ}Nn~yF3=e_8J7(#2oHznxxr90}oC~MIymavGcnyhh;6kEx=kDT~?NTofE zw`2A$XmV?LBi^d&6@|jzXxRibfZUWs?@elvMs}Uii*qhXz?zAv!k>aXTBqw_|0nz` zx?#fBMU0sRBGkVlDoELE1+OWJnS1fqWjCW=cR0jH{co*;p-w(*P+zcuVS#J4*yVU^U|HZ6;*42{pH49~KB~s_RjkDxbgcTS1()XVhati6!NoNT& zv|jzG@cpO4e9K5LoMEelo7bPp5*JWDd3Cy!9v^*w-|I#|M@af= zbjwjI-rV;!zI%!;dh7eG%7PBM?m_A7qytt<%QZVoKNiWV73#<6M7oi#h7oLn*OUav zytk??(7{vFZQIAlaOb~;puWbN_jC0+E<%(xTn#SuuWX5wv%Qbb)X)pZTp6v9m!H6?R1bKa= z+F78*0-yfga3kM5u`sbnIC=@M|06V+0b#+5?{AtDwoc$@C+^1)Ge4d#KS-=6t=nm{ zkvUycrvbg?_OTSXRFPC>CAd48v(3Zp5WYcO25~Qe?k&RE6MChDbUqBcS^h-F_0ir+ zp`9;lihtz9iZ+!CQ_SoAnvrU(aV?YyKU1bw)#`cf>^Zcs5uRXsk|0R5E&7={VS0Q; z-6rN~4IkRG1>d{Py3;gXpfX4yK2VZSr3rgW%gKMXzSZr?nEh^uuYk21SH4tOX?d`t za_OSL6= z>At12>mzgv6tMxz8rwltH|LXPhPwHT!MO!5)}>07Ein#f({C>{Y#e3=xyBB@`p&90 z>kuVo^F3CICwp=Q<3n`Y?0!RHdMpvA#7_-6Y+po^ifzMIhpk6sMvas^ROvzO2P#KPtCdwsab;a#h*)*RqRDI?$7$fakNXIYRDMHBb! z7H&_uBf?T98@cP;;`Y{|gYcv3>QLu(iu1JB=-o}YdGNNT3p)#KE$1aLYa)~5aiBp) z&J{as<>Fnxi><%qW9D+4PMYX&^*(2-SS+F?Y(C&Hx6XJ=Djem_u6V>Kal)nJO!vC! 
zz`DRiiN;tHbyaya`)>QHvwj!8AX4FnP;$$~B4#t`IThR%lS@szZMz0*p+5lM?VWo+ zlttdi!w6G|EJ3{GGMd-T&sWwwx&_-~e_Cq|;(btF>@zyJq z6l2@LTHGVjv}z5wUe!3t7$Yr_JaNBfBypD1NqjQuAbn5VxM=VtsPmK@n@n>ntW- z>(qNB5P5O+NIF`phGXMgtMW@+SCWO5V!6@X4Ps>>E7uYhrd2;)u z1I%kriJ9+$DUnvYBX9rJ1n1FP8uQJsVLXR9FODt?&o8b{PnJeVs&9_vT5U799Dg@6 zc`FnUt?l8zl)JNndvYJSshpnXY(VP=N45}fk!aX@@UJYg|KK}v-D%#Il9P9YG=nBp z;{`t4aTQ;Qpav&dBeiK*Sa%~%#+?1kxeP3YtoB!aN#EMN*h~l z<6D{#$F6>F8l#}hV&*Q(YLq1{hvkUW#W0Ri%e_l==G9^4p}StHOM+n!N@k>w;ZK~e zlzD3TtvAh_tk-6*=07!kWI@(^{6RuoebqWOYq_v>KEhgH*N9*}T62}V`Odu@yo0Kv zYWbjne6BuR(!e6EQ!Q||v-7+6j@a%Z3qfV(aa7pFDXgMV=<41sc<#iW7^%IpIT810 z-Q~!$n`jELQe+_L#<5#C*!g2?KxBrb^&GLg0zVw}(WZTtiXd;2I`V{{^0eR*>{-n) z^A&rOP&qY(wS=v`Do7A2)Hp}Cp~?QxQnIY#kv6{!6R}2caPaC7xrXlWGlDIQP49c$r%wN8r(}ImFIKlUGFjtT# zXk-W@0&bm=eCczi6L@?>S2;{`&$Mn*crlfH(`MOWTGEs!VN;!Dbz0u@nEDnMj5qz= zrl-M(0t#(WiO0w1RXO{ovhlWy(ZhK{YpBKM@7(VO&0vlHC+Rk_T z=_C9T%(@hTnJJk-g?rXE$h&GsU&=N$k*Atq79H%J0() z+sSI)v8#SZo{nn1)OUe;yl`^zy zXprWxyoN}=WII$^i((h=f&$s)sN~`WSPl0=@L)?d?|b$+3QLpb&{a#K){j?(pGH0^ z9EP5d)x53Y3R2fzEY|fr65ce%FU)_w3S+WHDci39=6E6+ccB}*$M2PI*TTbmguv=V z4#YoH*2$T{xSTOCoC*w%gpt3lsT;Mt|~xoTdJQ0I?lDjHlkC-H2?fxU^NKMsr?k&^zIQ&N9P zI8Jffc(=kVL|9p14hxv*pK(dpy1A*+=*okL^Mp=mCK}`x8Jv}H2L(B>9%~sjxwEjy z&4Skl#1uijjI`Zv;)I-4E=;t9s)i`>rlcZr#|HJLm)Hsg&m56l8}5!C7u+ES>drD2 z{OQA?Z|%JHJ$0Na=L%tL{Rmt7$%uNsM#DS1jeN08b)92~4bt;(Tt{ZYs(a|Fs&xIA zMr4({{Xy6$Jew`){Rd62_znU zSI6?x+}JF#fi?@SOgPbq>gfd4Xcp=G+=@y6%p46Xk2*fGC&zDsWTx61JhEJR-n~2S z{xrldIj)>r$S2F0;eF$a!Cjjlxr=7K9`Bamp2c#4y)ET1Wv*5gfVOPomGSRcfTrRMGh42F zt~HngK~49v4S{8Li49GBN>jQC2e(4yupu@vK4Xq+HwRyv?YBxL+9~Ok^3JQ4t`57E zJ#~|cQ;X)w*cM|k+ZwyPvL#w8)mI$+PWiB}EG=_meySu>f??_0OHE0ce5+~69YZX_ z#)}!|*yg8@b#=K6INitrQv1dTLdH|I7V@HQcXG;-E2-lm-AuF=c@xu>HJ(_ zYt~&Ra_sJ>bCYRa!__hO`n7xEWYYt|iFYTK10cv|5|g`$Ek&f7az){JHfWk^g~n}t zV*VR>l3RVMSju}NW1DabngrzZ}*~xj%)XI zSjS0H;5hPQ%~6{>#88V7FXMe>eP_46=FbFs`n)Y^HxYdIOVMPR&G=+fB_T z90#J8TJw^Us2#AS7tOrFMkE{^nHM(~+>|8^Q4u-8(h^$V4RyA`DFdnRaQMTad&aM= zVG?v+x4Dp^*qS%6($w*~*~7%I;TF 
zi4#jUMt6^7o(!(4JlvY}Cd3UYogA`#K%pUTM)T3`p2fA7Ix3{p+(9oqi9CaAyqk69 zN+mA(1T%T1az0yBJFwo_0!xpr_l()&(N@$zC0YOvbb7c+Fxb{hpCZan$_&0^7w_0U za_Co0sWf3OA+Nl98Kz#fsjzANX#FfuZ&$aoQs^1UD*E_t>!6fNPq!qf#FtX{+K(;J z88*Wqqv3xi8U|0d$NTgNUImg_jI$zQQKr!%l#VQ?1nYSa$V;akEhiMUnSSWKHzLKF ziSFf<(ut*d)cWO+WFs4p0L4WhZgH=Hf-k zcP>eVog<$xXc;Xj4ZBZkHR-J@oIhc7Wpv)tndi-^dx^=lNgFAQFeFPnptPaY0w?n! z+dd7n6ISfVzlfN>P;UQ&T?7rvR&D&XjH%JnxBtry+c50FhrG@)WiBY zltDLx(u4rg|MYDYugwX$LH&%=3wIHwwZ~0OG#mwGGLoWlkrj>4UuQ(dtAr>DVfg#4 zRfy71;Tmi7X)hmE)fN)KcKDA5*m&N2dcC3h{;ki;qLfl)It3|j5_xxDvX!`%FXiV8 zV(i&z1;ltB@f>dJsG)8VS=m*$AWUJ&Y72HNGn3KgRU)hIBb@6q;fiQD0o0Qmt}E{! zWqaYb6SIGhm$z#YB}e08^zq61T5m)?RsXh~by$=-Z03==nts-s$0iIRE7UBaQm-4d zh(fUn^M;D?V#`UeU%zgg#$1Wml%Ny)7;=Z2o`O$7R@pdll;x9h#gkNewNF-RQ81w- zi1S3?E0cq!Tb5}@ZT0Q1)#ACHXK>~!21XqgnPqU1oh_@%q4N&qT6q*6y;1qG_G<7E zGUdQCZeLva^1gP<80W@BYH$u(LhP;tIQy?{Q>oDC3H`b`?lyaf^1E)_2)=jk&JA4B z@ii~$YL?map>r!?7CG&R39taP{YSkPuzDTJeW7_)v^64^Sz_Ts=X(?zn$$yqy*r5xV`Sw@Hco9fPZt^x@_>X*7DN}m}aI-0XL!cp%lHc(WK-o z_Jr`vC%5#$wqwP{=AF(XcG7jl-dh-AeLoyJv``aww7p5T{FPtZ)pI$Aj`{ClX09JF zki&#Zx&u=gbSc+$Hw9A?ars|sbi2-SMH$@rNoPRCw@x11PwW3QMlv()j^Vt>g8}Kn z7kOzPzCJ%xea?fyksB8STYZJw^B{Mk{)p}<$I_sEfsQk@2{!OvNCt~4(r-^_{#D{U z@maCkx{SOIW_~SuVcSj5S(m6D?pDo6)8DQSEh2MMVFyoemxxfo?bQdKl(aZ&7}J=wybp}6 zE`Lu3%6Z*G*FuBIoY>mf;FT9~ey*lF+sLSC8_iS4_UD3e5uI(Dw1UMnMqfDSD$ZZf z3|-yMo_bedv4|rK&V&^zj`pOqs+^^7zEaA8rfhFbm4^p8WY+GGqaLd*MBU_Tv}cR& zlhf&pYbqpB4}wCy=Du-Q=+gyFO&mROTc~IEYA1UankSD%Y8ftex;;f0TIR9ga-7VurC3yz9rJZ7bl5fO45Ufen{TJ#oPZl7v@^f+Bg4|8E zy65>K<8`jg77ux9iDE{w3=$<;I5Z;eE`L2s?)BiR*v>-OV~6uVU>?GVNwxad%HSlU7PIXT&zB@> zjo}6RKgSTolATg<9wKBYhu8^8Nw^mqhH0a^`o{8a-iU+aQ!e$*jHSO7gc4kN*4Eyp z^*X%$X_=E2+uc)Ym0wNPZe=<3{uYC}-9k5fx3JJ9g8`P(CtY~;QfOH@Ww+t;{Z+*M z%(aTE;;oATS1Tlq8Sh$%a1VLYQqUx=d0iZMxpaHXzXy!2Bl?iWfs3d{a*5}4m7fq&xJvvvE` z_cMdc3%w~{laLfXHkSvha4W?Z!mnR{Mo@a%7C~0d^#`C$?n3LzmdnGTdrovEE-|$< zO5da)kRAHO1G^RI4bwV_{x8r!e2|te=4yaE^|-3TjuDZ?07WL_82Sa|y3w*-wlJgZ 
zdB#$UEWHxMaoldv3tbkTa+-doR7JZjvbXwU<9(D4K5J0T80&t6QxhIWwhvyc$kucJ z%}Hyo5*!&6EFUlTm$M?sP1_46aR}Y}*mFxQ)l_Y%I~cNh-)s3KwDg#yj;J1De;&N! zySE#KA?%glmPxbFoXv}-aKc+7w3jWVe@b;9DVua(yPAm*R()0f_$xvldwy+dhvc#ZO0h--k$EnF zu@r+ruZpSn^xcRR2 zg;_PKM)GXK-J)FdIdCYtsm6mNvltY7(S{HY;uw@6~j-iMVCXSc<4 zMtK&z$S+_?|E0(4Z{5BAmh{nI(S>Op#gSCsdS2*BY5wz1QAKiDdBN;e{e3%b)kz3S zv;5Pleo8*$PLB@4c@34kV%hp{MQPmEmcOeec?U!F$rH0BMsn>>kyM-;9h7X@e~9S+ zS+1m)QEI&=Q{ki6cn4U z?yNXeyVV4JFpxWP^e}lN+MO3te&Z6~!pPjB$-GEz*5(FO#L7pK`!3Uj!*X&}#e2)7 z$*0ujo5!EbrbCZn98{@f=uh-EAf#J+ysazQ73-SQjMJ{jY)5CSOM(5>Ci1^Tzdr_c z!5|5VjJ|>%JfOJ~iEEfe`7QYmd3*2;UnB_x&adN%b2rEL3-zX$ZVTr~N;1J~s4*lj z6Bf+~%CF?~xZfE)V~SThbxWh=Pxg=V8!VsjU?8YK_+ZA2kM2Al`{}rD^vO7r@jM*! zqLF9Frx$Z$EV@@$Q`98R=&j(PK|i~4Sf7wZ`6w>;a&K^LZ0TnI!VTUE3yKyJH*Xq; zhjFrJ21c6LSZUD2TNu%OLPP>NB3RN-on34Mc6J(S@iHTzhpF~=CL|4tw0H@W;Crb`V1E?q9OG~?)YOZW7;RTnew%MXmYlV`6yiyc0)L2uT1 zSl@P%7owI6sJ$yJNH`V;p~2yyTngR(ln)($8%^iQl2Y#QkR*XUZJO<9oyU<=(-iO3 z19$%?n*4Z4xaf2`FiJ_UB@)Es=x!J2Kd?(~XIL#q zib`Vn3y1TM6Dl?<@-Vw1lUU9QqcDEMdm<=wf@Ra`(am*NK z=k@kbb`zGjUl!@q!X8!ZnUx)jd&KU`<_y9gX`4N$!{$ot9;Y@+y9|VHP2TEwKS=L; z{rP%SHaIPiB~p=Jy6!TqzKJ1gN+HCKxRV~g(ufgXL6D+)KAsXwu&W~l2x%Q$t}{X_ z`nao@L@*LZMb>23AEj1aYJ_q!2n;{0ez-WbK3Dfwm6y3aYX=hxDIIs2WKoED$d37TUZP|EaS|i5z?5BR{M6)P2*en#~(Vd z)v*8s(9^biUKL4rBZG1S*_6@`k|fm+8N&*T(W#CLS-*OD6lKl_SFTW(eHd^j0np4Z z287JnjJ2d^m#qA$RY~b5joQ*)P3d=oE)U&-FaqnOQ?f)O%bFb>{|W=k_Jc=RL-BeA&dgm+w`%)7SW&LoZo@;l}w)Bcp^ zI-nVY(iQ;_@f@fdCa{?_ecMkr-#fT)hiZFSusS%ox@DBnQx){(@l|X@ej0zT$(C!c zS-ZR@qkd+mcmV7dLo1{xbvR3pJnL_nsYn%AS-|{8Bmaf-XnjO_54kdHzoUW;Sz$Jl zeG#F(FQ0ied#oe#u{h=8;X^{deaLz*ZR1A7>SN&Z?%}oJ88kn^O8Vq||FoF_#)yeK zdvRCcu!)%ylJPDwPSe-CY?){VELG4)c=0=fzT9vXT&65Fwe3gu&HMz%PiLetv?q#{ zV?VuKi5YGA!@inMFfEqT1eoCsWFL~YB+D+_ojf`(8b?T)ofr0rIftX|3hb=zZfjaI zG!tkvF?v|4?>zVn5H1S7ZmFkj&+0r8y2FYeZ%GXMp~+yb0iHVgj~0uljFQR~R6>~jW;+1cCKE0lIV1$?=0Ci&Y{Vujt^>>HTioO`)2=p3lQ-TWvC>6~O_Xx2gU(f(6t7>+ z$HK z@vcKg%AaJ;f7pcKnjSA+iHeTVi`ps8Tk9~j%s(t>q%fVxAeOYVmn)j#RSaS3p2pGG 
z3)U!Ii1ee{dlLBa{fSa`{v^bZv2Bw&FjuQ)pi>Hg_NlGu3wfTT#CKy8aY-I!6#TdD z2UPQ#_hK=t*OrrM##tBXJD5|iJO z(6XNU6#3Aflx$s>eg9ALy^ae>MWQvEo05}h!8 zgNO3KJq+3^MnnomUb0^jd!dv3Ssy%1>&i8I##XTNsBM~TanfGXKAQF!%EUDwI9xB7 zAX;k9Jc-H%)eLoK2t1_lPt;e%U@IPHQP3y{@lJnfvL*HgG3L7MGL1cZ;Wkpx^>C1% zx+tV*8{7hR21ufitp$P?58DM zf3Tq`D=+)O<&7~O*Q-oPW|P4Z6yxY7V3%j83nOGTM>u7UC|DEmI;qsbLLk*SxyU?l zgvI}|SamUJ@Ll><>ok^jg^n$CNTwmVXKd!9^VDc#-e4M`-tSc91tkcczp&ABl%)8BgY&&Cc97Q07B3K!>C@y#oq`PMY|TkDc-7lEqo^srz6bE|421nwtvY ze>*G%dUZ0MQ?bCBI z-)j`#l<|}`@{_)oPN}9H`mcag%vkAET@*eCs97uoceK`Vu!+@#ST&sHs@*oml;=l} za0p{@P$EAmU4C?ACRgl3kL1`MAL77rlo$tF^u2d?u6jT!hYKwKtePVUQC!H-cci9h zgWmI7eLsl|fx~F4c!<6vpI?&|7()^%+)H0vRx&kxK@s-FND%zE@ul|t{azM6_t0FJ7P54|EgEicTm3*zvVoRkR9Ayz*SQAoNpq-vD#YuchuxW}`N{0kn`w3fGd=7_#>?gGM@!=BigR%398Ig_8@IImH){a3DwOG(5| zUfck)Q@OUtB`Kvb5hGJZ**Ns~D1qFN^|)tIF$1V85Uei!HeK~dnGG1y zy{H-O6pY94(q`w5XtR)&i=5%su2Z7LtkoyaX;KDxjhb>NErk1(W#nh)1B zUTr`W*VTCV;Ty*NA?32CWz<%p(xrpy=zS8Yo%&mh36a=#mze(^43a$n?o*7jL{(@_ z-WRYj{H6@1sNQkG}kGvZJ8-Jv@x`EVSJI#u5`V2F8Xf~suJhH%5wbL zb(@xkWOnz2UioT=X~nT;I`dJWcFOc6Tqpfn*boyGM7|N(DEbPMx3aRMzkd7JEVuR9 zS!h_;P!Y<0RBS90Pa{G0qIhOVv^;khsO|^ZYJ=@gTcvB(!q0y|lWc^_R-22yhVI~a zpN+ZDp8-gxI^yq}+%?`yiqGZ1E}(GKUNJ8)tb)^#nxPtmbC;lR-vJC0$^Z&SABy&uyd{Y*qxQ{gGwPiGrv@l+A9I$hA|B9wipV!H}d15$m7ch>oZS+u_;oHYl+ z(V7fw6g{y@JrE>|YV*8eT(_Q+@o-P-`SmtTTMwNz7XhVT{S{#M*`iS-&CoZJ1&;7L zf#%od#;{)Z-~428Tp1r$E1O(_azUn%k&#U7?w)wRP2H8LUFZv(+dZh!;6hiB$2w?i zAhuX5ER*(cbnR)hN5NPqZHQdI&EfNnW-KXGO@=_xw^(^&Mw-;tQCN^Cl(p6d9iOs;ywOiWyDpX8{a zsE5A=x{4@a8}4#OR0g-1EgzmXz1UpXQo;(Mi^Qdd_9U3dJy}C5Do($)fH2b7?Yn<2 zVe;FbMr&m@+Fpc>Q2K||+EIPBNB@nPbJUlL2SxxOp-i7?jSUwek?5b&#??21zuE~> zrd_9rhqjKQe>q*KG`r5XuwHLV2Zy>Z=(QAo`nKJm$;&MD8-u{wTR5Yns>HBDUSA!5Opa>2!;=5MH z=CBmg(ZS_$eV^DSf%)*)kDUoDR;kcQOlHu(94!Gf+uuBQ;*tE4VkJA|1QK9^XfXf)cUcQ=BG}HUg!RMvM*dHw_*^B!W6HJ=0+RhWC>R+R+)YvQD3RM=;{?mPI)<3$Ku!jViZ_*Ki=br zfC2`XAc?GuNNc|+P^-!Sp3$@$ej0Rb@$-5=Cm8mMK`3oIr0Rck5Tnf)@ZD0nwYYNnf@0Jl% 
z>=mnG@nYkYdby;8?e6W?sSZu|IDKWy%2;e>jA%4!IkM?U;Eql0S}!)B-kr>u@9Zf? z;IahH6pUOOF6#YrO2*LCLbfuC;P}-`FodNRGZ-01I1^kqsdLNffFY&)?golTYzoi( zaA-pKUs?b|9%#6~HjDw20O%k0N7V`W>G5rWETrV*mxtYaoby&6zArQHH~YRL$$tW% z;Nks_uH@Js_5J{kAKE?Iv}OEocf#$sS1H`r*LV4NCF}(*UZLOEo&IqD-W)9AOkDKN z6)IGmEpuG+E?H*Gk2lZ=-$71GOFMpgcf#d3F~~zTk@5q??E+i$EV<7hW3Q#5QDeNw z-qX_)5*D_%=FT9ML<#q;f>XJvInwMM;5pl-HnlT{mY0}_2F_@BunOgP>1#(&59SHm z{n1H|qH3$~0{)sza3~GDK|xs2;PmteZ@%KAV22eKV?94ZuXQ-aGnW8zjnUeb zY{t;2GeFqg9udi9KEIrE_Xus2k+70NTH#oMvuQCgGlP4}dhWTv{;uR?@jE!!%A3y{ zFEFTs&e$*voIScc!z9LQEOzqN8#`h7bLHCt_bC4p8ij70oh=Eg%XTvS505+?d#^^ES+AD*7V} z_r{~SfJ-1#m+7-l$GJhdDgLbX$hEM&{u>pWBcD5&=jyNk*QVZvv6nz7_yL`oofXep zXnW$@*P`I#$F`KmT@8l8w29+Lk?b9SuHfZy;-rJ&be7bkB*PQ zGZQ)Hf{)GP`5DMtkujwPLuCrKM&UxmPYM~CaZYFMW72lU{$iyPOg_txon)%_b2SwB}fu7>T@O-zCi96o)PkN6(T1&#JoYUDw`yKTY+cuy+F3=T)>V5QF4 zofFmkC{yWq(!e> z9=vDZF-TIf9!_hi*sQj^5p=PAPQ>CXH75RLvJzG4Bha&@i8$@d5LvE zDg}xXma^T>1QnR#kv|H#ax!C0IuOw;zm3be!LxqMpP)k$jN6C`M%RizL^nCVK)YUS zj5sy>;}!|!biJ%;R_J#MSz9A`KAd+=SK9>be|Gq{A-5O_V|7L9ouz^0IxTRNXD-re zjkZuy8eM#g3(WT!yQ+s@_NCaZ79ja#**w>?dBZym9(Y`@r11;w=9G10lkC0*7vz?O z29lqUTny3;rfTLu8JnG0P=R8hiuT;QUsC(3f}s9r5*gg}+QyT#W{!X|%&NWFFB*bo zB;)-6>^gx3qoSZ2RKi`{7%%iB0az=P3Na%;|w4D>wn z_bBdx#y6gsTKVhFXnwQMMV8k#`Y-XBA0?BTB3}K?h&q|w?J%GxxkE}$S)b=6GS4JZ zceMe7Mly-CD6Su1eRSLh{VBGNp5PjCi?R2^>ez4@}RY~b!cel_T8z*$)e-H z>LKlh+f@Zjsk=w1{vdW|U+k4Wdm1NS zgg83u^Jso+bq!%=50SCl5ThT(M|g)%rOCb@pX$uT>PByl@)xW(IZFYt(&lXK_n$Yl z0(aCR_~~a|XQ)glV(UG&b!5hScQ3~D&!y)>Pq7x4u#G!*)p1-07`U<$VDst2ONioq z@P_iRP?v9H0!&tZEn8`CaqURUEg>2XC!pvw8HtxJs4~Ib?LPG1EO|b#9VO=64HYBU zsC}Icq|jMvhkOtgYXW67OdQ}Mh{$WdZA8n4O&7xTcH&5%N|6WZu6NInX*Z)McIYBf z&U(=9!qgS|8&WPJ)0qx8z_(d|oSaLmTnaarrk#paaYZlDqRRBg&^Oips5)b{S~B+o ze=9dc`F~O#sHMsO%ts-&yX)c7b}tYGJQe#Uz!6o61Xegh1%0J6Kg+hdB{C{;&M&;P zy1>(%I0&9Vz*`FXEJmcWeDg`*qD8E(tX%*v&hzSRkwAG`0$@3sZ1{dI!aEo6NTurg zY_@=^6TkYR1GhN#q8v3!W~k`+0d?>;x1l|(ibq@%*pbG?Qvx|7xJT$jQBuQgIXsgS^+oQ?mUJ&Jp1I=|tJU{NvpS znNks1oG?#|*VbT^si8$DtwLC)@HEZ9*SlR};(f=nw_RL8IA-2w 
zoXMBoA14MOPIN>TcyVZmX=uB-gLEhm!%fud6mmuSd^|g^@(v{P$-$K2(+wURSfS|6!k+|c{57`eWy|)h)}xbab|>nF$&?$O*WB(<%MCauPieypqrs!I@3)=ZUK( zKSO3+5%bPM5WwxC46JE!WkA@la9VKtRSu{Q90m*C;&1^zS5%;l%!xMNlZO~uVkzd$VjBn{r7iW6T=+^7kZFI3%PZ^>4D5l%@3L=~fOMT*lomBeA-CJx} zKk+|Byg6`?-f?? z@a(ERDVx7KaTi%D82*;rg67BJ4&{?iR5|C#+#r89-WZC;?0m*YFOYSPV5g$8xeFVg zJ%5Lz!Cx>w+bT>sIt%|y+~#X|aX(6m2uod6sf9LQKFX^UAegwK z5;0S>Jy!1Kc4j)iDEudr*H%@DGA2JkD*+A;sef*TT(|W^vA`HZ2K2;YEFjbNdl3rl zE^{OYQiXsuf5OVPjbQB{`gi!#i@TC|QbdVj``)LD^)R3Ke5nOl3$x>K0Z^!47&U=x zQS|m#GsM&JqEcYCd1hP?CDrV%v{+(iSC1keX7v#g(6@mt>}#jx63kYauHGekOvM9;VIP`{^zXe!1UtDSV`Uk8U!})MF^S^n+9T zez82U(g(JZ$BhYnFITIzyK1~WUI&zG-z(IJz^Rq%L3drD4mLS0N1IB6^PCT4VqzZE z+Rs*ga5`CvR4ZSBxO}+kZ1Q|yxAJ+4wC&LA3ff#ixnw*hwON0jPoPxvFHd*9Q3QZ! zAAMYc%-7x)v!MA+cMJ7XS*#$e)PC-4w6EfF#X0q+^n5dauxY0{P{?2~A2UoI1lWSG zu(8ofI9Zf6b|S!T$0}4U7Vl6b7`w<;8?|0;fuQ7N5}F3P#G3z`a#1!#wE-O5#{bwM zvDtAvhwAPKzC?&1;=e`laW%F6Ne9k-nBfE%oAl))mh+MI+cfnr4>v5`wH8Hn_!ZAD z9~vbu)A+_|bD`B+U}>Bx&_VWVb+fZFCJ2sx*{2p(6+KO!& z8D#QSLc%LC$CocdPj8GKp{3-044AMtKall?Ig9Q(b7RQCVLYgi1Vel=0-gj zV6_g959a$HPGaDb1IZXPkCkZBm08)Q&TY|JLbwPD%3T$$8j6)FECz?1(JMBAQSCCu z-KcM0pd8cL+O{wP3OYMG<_hMG)2JJ?FLS7F^?5396NK2GX4if0el1^-PoBaE;cPkj z=Hj=kCv|zZzQ^4us=2_EP9zIVivKX}YfoFp6@a_~thj&{x8=HBx zGa+Xq!&~FiVVal(xwCzR9eky z;Nr#1+|Gxl1z6TXzkOEEz~Lwd&z*X$WIFI$Bsva`@Z!bKjaNN|-8uB#NF4Pir=ClM zN{l&7BIAtTcbFa(V`y;W*7C7S}>LDsr`cS&L-;8&)U6IaAIp^sciZnJU- zsq;Z2YSdG;1A^|%<}~u;;!h4sEMRz(zUBbXI7>%%Bi8h-v+F_|ZkR#Czz|!`z-?sM zo><=N{t9x6ChzAsirK;frmB6f_v+N%;x|eXB#KQ&(Svck(Z6(*&`hdvA&qpBU^`zy z0-GhPgv5{ts5SvO7CZyIsgGdt2$}@3mA$ZV?(POVDs-lWd?AiFm+;)g@h&T)rJS~8 zT5ZWEJ*Vch4HJ^){p@HpMxy@(H~IR>%|C#+x~hS+m$TX=DAgXbJBO=%Ln}ZmkDQ6A z;BD>?o6-#BNaqy5L6!ba*9Fw%-%-)4S=E49-57oK(t?-~y0DI+Olhrkc|3Q|`{evt z9ANbUN-8n#&&}$xH(d&(KbQL!t2g;vPT4hXBd@QadjSLH)r}m2Ue@8 z>2CYAp^^|ys<9z%PpJVNT#Cu>dNA-(1kBaEK17oW#W{?KZ>d`FL1s$kYi4gjmLp>@ zQlvrO1bkGGu6MSjXt#cdmbrf#+nJH-SsKIj*GEaqX#u-#dj=B#PZ@$kEe(mtKTebJ ziLnl8-a3XhzcrmG4XH$9^&PH`q`Oj*v=&xfUD?Akr2m4XV5OH3ZR?`iK?akvPKn*i 
zEi>ILwBzs}CL86|FR!~8GHqB81Wnug>y+xHakRQe^Ev|pbD{X>Qai4fRM@0t*mYg^ zJ>(l}6v9!2#4EToj!=-6AK=1kqBO*HWE~vwEdxL7JR#PiNf(Aq3h0V#GZR@>&WSBB zI4IYlZa{?ictry%W?rkwAA+bLL;I1TLR>+&1ge9=&l38M z4&a&|zi{mcx`UkZ{6?-@N)@A;{T?FWoX)4AgePiy^bt*JGH)HG{;ozNVROS5_i<9P zPHvnvsr{?>9wfDI@c!Ps?i=M$e5&(soDc9{nJwaEWKA#?2NJ6kV(Z`~%@RtqGMZkH znRS7!#D$~(V9YVbaiJ{q`;`vQS~?5x=B}B~2Prtz3Y2$@btT{P)Z~^*6DY~PM^W$# zB0EYus)W&Ah*GC2P0mM#b&RIA-+mZq7oVBY`Z%04AWL_}u@$+olJJk}?@j~tWF2J42D<)dlY3Tev4y%Nt0^;6i<|1T8Zs9SESPe|pa z753ekoT&1ru@TpN(fNd}J1Vu>uZd0#p)RTYG^M+tgSa#_-ZgFV;T52SRR^qj)5|vZ z+e(X2B|KTTJu6lzG9@!_Mb)r-fNbwH&=dXbj&ri!e~c=Gn5l)sf7vuGnJZR0eDgW1P%Ko%iD2*`OQZpdifx0f32dj@Cl3ugsr2+8 zc05v}oQh5S1BpyexQ#0PWF8p4Bi;AV{NY;1<{dZ{atoSvdP+n-%v#*-ok(Piy{&S_ zpBRI~qpUCn?`mM}=RdG8(f`%4|6d*Z|1UcBvfZ!9%clR*u}l1wF4v7tY?eJ7*v9=Q zK6O>)UwkUShQiKb-rxWb;?_7hHHHpF=1Fh(5kB>bK@Q9FeKd~XnhIZ1NGkP!N^{m? z!j_eDe`IY}b5ldg&G%19go!;ccuddkTc$kw2*UtfO2bepYCMKL|2w(r-X|!s7KR;) zMQV!*frYlU(ZzV5eKiQTIY+%4%2*S#?e?btdNAYn&GH|%(~H7zahqm9^pYP^nFV z?R1TBmR7gFH+_b=mq<~$7+#uwv!k~VS##9CFW2kI!Z`-0k{K!$!x)P_^fxD9rNx}S z)*F89d}{L&$a*2eQtqi{J700lR_anR1GWWYlc_>i?zh^IDS3|)=cqu|c&^y_v=-&c zlvYQaZu%qBlJ>mG*EsiojuIGt?6c22{}rgZo+E?39GTYex#t4cwEYEpqD?}kGswC@ ze5Qt+z{zYXTaUH4Y^!hWt94VNkN3Zmv6q`DB&krLBdPN0^yVt@HJsmS2N_jQi>dF8 zz0_0rW<76WSJmCna3+@S`(tM+d#6$bchj!C*6p6}2*%`H@vv?rrDs`3Bn{u7H= zC95xKK{y4sPhobe*Dsmi!bj5m(FI%4*vOJ_RG9;#;2=FzM3i2ga(5TDK6gHN7 zvwX8qC`ufo7~NfO%t)^NF7!Z!e4wb13BZVr|?f z-LWuCLnj9GfP1pB2FQkE;hAN8Ld~Syz#VS$iB3`?rWEOS9l{b3&9m8ZlGbyG=eeW% zuV&(%#!uBaknQw!^7#J{(1Kq+b291P;~jA}Qn91aI^3ojyxT>2d6VD#-UH`$oxYy; z`v_0tnA=MdSM+D3FX;DITbtj_kg>(rUx#}>*Z$EKAwLvJyHp@XurxNL6zo}r+D}={ zSOe5}D33JSNNT>rTSrKxul>j(FkQ}V>^w~_mHa(aitCa3HeAz+@msl6X+mrtEEk;i zlu~ofkWdjJ)^v6pE`icLT|2xyFdrHcaeMF40VcSjEvc7>oh-QE7XZ3TYWcn+bxhn{ zRKY*_1@;?vPAazx~n&`G^ciw*AL* z?2a6i{uz)#p3?j#WBK{_M@_lJgdye{p<*%uS&wts3KFXr#q7Bi)Nct#)d}FL7~A|q zY4Pbu*QD`lip=&VT`32=OD*xMTtirnU{&-z%L*0c`n|A}KBu3n$iTGV+cg1Gjxqv| z>*JUB_<8a*qs^q#xmRlz9@p22vqJgh>sI9HV~*JMdxa$fE8|e-S2!Qc_26lNCq=WP 
zLnkUC7sG#Bkhb55Cluh}>a`+;VoSKlpgu>YAv8u$|CyGUSq)15Ch(~cS2#D?-))0qKDLCeI$Bx3ls2QPQjV~?+Vg+zJS(NVdO^@~!cuE`2`pXwJ z91d5)b3OB#H!{UpuP{%Pf1^0O&3hOmU^@4M`$X=P=l0A;-+E3|tRU(7WOZnd-{1Gu z;U`QmP%YbqZ8lA<}7lOF=DrGj}|qyga#l{+LJ3 z;OUT#ao8+}thK_c)&+fhcJqvImGu8Z+)0}_sb`B%E$*U&*2KAkq^1p_v=5g2PkTYV zSc;Y|o|ygm#3#Al@KKDAqlMoKWb_WKb*y+=>Ib0Z0+CU|RP~->9fagcUNTU(d&QA_ zp>aU_8V`ni{e5{=XLBY`sNYPIVhu8X^iOI2n^EiCPl60vN!V?9rb1~qDR0Krd=U{3Ez==vmvYf9)-@;Yl zjc1?zS(-gsf<7|n5T=mXezZJd)_IfUdA?=3`;}GNdzSx2S+x}`$_z79up&zL$Zx~$ zA0~jVk`qwXHABfb*p~Cz*y(CwXkeaFBEF8rXic`>HY3J7DB(kCZoT1Yh)Nq-JY8dq zXzLAi7H~Ln?|vttfbD5@ZgQk_wsvsAdnqtL%S6&NwbE2ANSgC>4qG;Ci4sRaBA_>{ zo+W9!#h$8(qx!nocr%)%q1B3*tq4apIcd8!2zVzX#J`oU@BewGke19rakcO6(!_Ak z)msvw@l19euAQCH1{Gc&pX!>&Cv7%=u#f7Ad(M~20)njAQER6^vQS8?y?d zZuc;!ykip5y44$C|C7ps*q+3FL@CWhVczttWcXVrhTJmuXCxV{$%~ZdTO6J=`ueau z*p8mqyYS_mm(Oh3RW1vltdY0*^y9kHzOe%VTgSnu@$0VGws{8rskmm92L`O|u zB2t{tOb9d&`mIy5#V7j(51T%&ssF-xy7x~zEQoRI;tbC5$xlfjIi+`|ar+{hZdf>K zMP`g_nW4Q;Zg>w$s%HA)zGrxvo8h!}(ThR}hP6-khv-%tbS*OGdMMk)S{D#mR=2%*Tz|N_IKf^MEV_=CZrsj`_H^75JH&*_mbC7Uvglj$wRC4+rl&cdHA7u-4!OldN;@~@IuFSmUV;rj@??#7PDIuG_7D1L1loQppVky;NeTEw zoKAR`X>w`bQZHscTk1CFLPb0D`irL%R4FzeuU(EF<19vvlaK5K`}9J|UX(wb*-UUZ z{+=ONAE=CKE>ARO^P)%9@&Mx$%Mq*1)&u9P_4bu83U73?K-!yUQ^fX-$X9{tR>FAKT|{zumxxf zoQ+Ro07LjSI&#Oa^(dAlGTf(W{%CX4Ll(Z2iPMRkVh z?|1aocY0^$mivy7sq1$$bZ`Tx%IgbPH!_@;<%@mxgnZs&M>jCmdip774|>Ft2BI5{ z**V_#)z`jqN6^^t|0XdXJGkPJE3CQ|q(4xjcXP5|moW3zrHy^6eZ0@FK1<~bc<5Qj zVmBfTH=i&U7JZ5~@v_}^w)2RqeMSP=4N@e`-ELo6F&K|suQop}{O)t%jx1$p_TQnQ zH$F-0!1Yn2iAMW)v2a`7mR>5~`8&cs`MMF_*5LH8awkr?lgRe9e$C+;azp14a&$Fg zcu(One$#P3wt&}To`e>O2Z8gRdIFy{9cQv5jNth_thBNz=2K@=S~UM_1`9H-FwnQs zH^#!b@OdqDr2mUmgiq4e0cUO9OhMTmyO(B{|V@`8hddoX! zM=DsaZf6WoWaVh-Fi-aW4WIJD7WYvH!=aALH@0ZduTX+A^RDSdySsgg>gySCP3R`? 
zhwRN7ft%LNZ_I8xn@_X$FO0iMjZ0G#o54KT1};aNoS(27)e&oL^&_D&z~)#UG-o*< zF;3Ov4@3odk(lH00!jt6hDP*(15;fH=x7lpkL;Sa*wyek$O5^CQ9NIDUPW%sUh0c} z?5Ftpc9UexA#|n{R$k@6&01O8-6N%@){vU zKlj4t&~y7x3h)l$s+asMgP%9>b8xVhKa|1K4u-`=C1jaFcDJ61 z8Xrl%UX_8`9AD1cY8O7aegW5IPk(y%iDlrJQ)t*DEA(xJ&vO~h-pgC|Vl%K6+v70- z@(1ON@^9rSg=2(nncfxZ18qb)UXUAgZYlIC)-lQ?U$i~(SysK)bG_a`2pzQL#MpV~ zH)Jb`EISHfZ9<-59XVKHapK5<8vIzN_x5@JEHn1R7b+m^fd{y z>o&gkB`L!&r#tEqk)k1KI?vYY=@FMkS*@VPwR;;lz3D-(7DEb`V}k5K{9gMFuT-E5 z_W0Cybe^+1Hhr&Gs93d$=@lk40~;*XzqPgE2GG%<*ul|Vo+cMQgson0`uN9F`0`us zNfM+hTMfbX2uo6yEqL8j>I7p*e4oCI6;-~-4I*V3aEu+^X|mxuT?&!6s|z?7T@Ta% z7YMF;FhVN_3VGIB%gyheS3VGrj5IS;qrf8lI35aGd-bYu;mvH#;%Bo51ZdxLb6v44 zG91<7Gg&c~52VPR7=@>Bm_rRlZe(7V(XKLN_VYQX>ryaxfRkC2Kkz4)GH?ONFg7P% zFQYq=mLLga(YEUGMR8(k* z21x63wDySGtfhd_Vft+!dcaj-c$HyInbjM-nKhx;`=V5HT2Yq86Dnj?4O}0VbuV(* zAw#yaS$G)pc1J;OSAwjY0-*!MefFHKhLko2o-Ft8kL1eie!d-5s}Hrz@Iv3)WygrY z^OR%szDysMRLl45nNznv~u=de00N%>A>x(8(Xg!%*=PckMW|}L50=N6nt;o zU0Qm{c#B&r(9Z9{n`MC5m87T^D?Z5!qvq+C^U}pP#PAZBSdQD8+m1yn zx=IH6rJ*xu{M5hT#|5p=<1*-#w+eprU=2q<570>Rf&gFh*e*|1G5+W?B6?O=Kl)n9 z;&bbKxqzXZRLjCA{Dt9LZni7_zVssM&t0bIg?qZw5X{Z?TX7rx2ON;Y2Gv;ms}H*P z2o;U~_+0D6UaT3870$uf{8*1nC z!8dYmbjzGKI)UhFmrk2<0Pq*^R5~#^VFv*yTJg&Wp0gdCJU$~1{eFD|^ITiI`RhlX z>dg=WH(lFs< zLJyyDrBuU2<;r*Uv-y?hkfV@RisM5ZiVp5hg$(Nr0%QD?Z0P6b zPQ3e4!=~4&2h)1*ZAQNuuq%ft>BIQ_L05k7u+^uxmB2^7EOIao71k}`wJObY78FeZ zkG$<4e@{qr&qgqDwe%inyu`%dH;ml{q5w>Ecq15S@&LWnE_^sW)yGUX9`LuS?sC)} zcAtW01yD;k5~_%Hwpz;dgU11bQEgyDRd!?j(RgHse|gW)2ez|e$sq+qzoH2&Um~$| zUOaLijZ@X#{5oqs!8>3Jsax-+up6&GWNdK#QrQx5w@n#!YT$P=iBV$|9kBd!S)4Z1 ztxU7dZ>s6ju->bH&*e_)gE(+HS|R?X&RIs%*R0g%)2xf7Q=^Uhw{q>(V&iYO7rjA< zrUH5j;7aDGE3@Xs^5E*h<2kkV31ZCP+~eRzYVqywo(XOeGn7N$z^U88<$&@P|IWX^ zO)`%VTmkTJixU$(h?ZL2Yb7S0DX1&zR0NO`6Q>IwKI1^83gnj5gpG|wuEK)rF6Q$w zv()|phYL0_Kvw$DPDAP_rk*&(bB^tUCy<4uWeM&S;iUm;PB&0OgU* zQ-p>L70!eBi|IZyujUvDyB7g|fV*O%@b@~png2Y2|D#@l3)22=q>=tI|J==2No*)^ zJ=wo4j&+5i7SEw&KQ1*flpS2BJa+GNX<+f6Zq6QS0Or8o6d*3rrvGK&hq&?xz8Usd 
za8v~N2cREC75w1z`0Vxf_mV%Sot6n=QxhdsRZUAuiHM0U%1TO@nYfqP?<9$dYl`a| zOY0d+aH+cV(BW+D2V8$>>v8A>^|`53dB;1%xTwDdt{cGXv*+084gI8ReO#*J z_$;8&G_6>evlVmdc6nw98FD$@DYv(RRUlbb77}8ORJa9O(ef_jg8Y3vn8SW%+*Yyv zN?du9&_Z(7RFs>+77xN`rvKr4x?FMFBk%i!xA0#Mk8OM`_#Z$EUpE9~w)?lhuvw-J=g#{c`jv zHo^Am2^{VRuAX1BI6`p%Y2v?q^3h|R;)1+$j_*-@IF89KxSWxN=#r`ueB1~)_!>jf zpdT6j^ThyKMh~2kzw*>FxFxW$oBv$QVc@LHNJ!&8Vk7_vv$&<(q`a=Fp5Z~l*4!=4HXl?B%cQcn5hX)HMGS`TBQ&>h7? zmfhb}F1$WESHG^sYng`{O!ltynC#JRYk3@ zv5^PK9gK`&@C2UmzWR=k?$BL1@71n1GvUZL=|uDsUGdE~{l{yL{RB-H9mO&o2e2Lo z3-r#I(p8!A!OzgK9^k3WJr=`q_Dv28$Lu*T{)v2Mi%5Iqi~?}LVha<+Z?FFu`YmG< zcP@Bl8TsnfT%ZoLw3DO^4GA4(`f!8`Vllh13lBPHG0ty|pb*4xhWJRpd!P^~i zSVMY`YaRGJiiUSKK?hw7{&+wIy)1lOn2Lr=-W=2PG_QG_7k7U?N4w>}G^*fsCUx#? zK8P}W$6LJGm`i^ALki%Fet~~?J%$iDXzxmJO^U4_o#X=c#Rh(uJyihNoddb*Hnq&; zd;;HTk(f^wefLjxgLYmS172)>gC;F$rx_?5SI?C-P}ug)-03-VeEt`4ZyglZ)2$1W zUjl?+!5xCTy9W(UaF;Mh@Zb(11h?SM1b26LmkByJfkA=?clb8RIp@B0&wEdOb^p0k zQN;{<_ujpF$+Mnb-7ORlwz}3-0Jiu596s83Cr4v5bw)X4Hi+c6Hf(e#HiH=b2_nH- zRl4n;?$EchpYqIfe|$(wzqf1A?q^OBag(>?4V zFK$&I7~cMXExNfoJ-Dg6xNB?r1jtAXvoKDoWRdV6)*ioD?MSf@Eix^^h$Opc_X~Vy z$RDfc=Su^%TZ}x&4sSdfy41G!uP3z@J4>@@JU>!C%|NX1PV37RCFy<0K~5I2paFyH zX}uzr5`Lr~;q!P4rgs;4|JE2;w%Tv8xE|4nK5;?$M=)ay>F#P;$gd|z0#Iciqmc* z%nR>5YO>wEzy)N6H-sxYMj-}m!L_^T&bg!_<>ChK#fjGh&m5{*ya!y+lE1{S%@^~V@xks7O8y#iqo;Z=5E6 z(#|Cxb|&kbS3QZED|EV{6Z+CoL{dsEQREcse!lz2i{?m43HBR?gS$kMsgpAKGKeJ3 zgX5;=jp@#(oayRrN1Ewp4Fd#s(V*+SmJcsoa`Xn_&~%m^KlwL{RFn<)ex;82)``op z9RT6Gk5Jk7Qnzt{Fa@jkoa7P^!Q@LSXPeUC6QUUuJt>$I+23U5=Y zqS@;1Nsd_12d+Zt_n!+(x*lk=uPX1l43jx-P^{iF<2;E-yS{(GX}#}MygRL-@Fey` zg+4Gu5_t^j-X^--Bi>*>LHuEUFzo zh}(JO1Jo1PzqXVX13K8|ax~+esnM_-{Sd6*Ynj8#cE2L4aGU#T(0mT5ph|0&L*%BB zsAm8?Ho@sT;53pgdZLZYQ8UExIk2=#u&Rs*w7E+b@_|0}mJ|$jC5J^X5H>gylGX1O z=*iCy+INw$YMc~Y(RAJt z1ihD*o~$kdz=@^Olit0!pTpz;ty)|r*&>pA@NSA`w-5y2{AUL0f zGCH>L3W)pt?A;S$#Q;=MADANU4R`u(7_C$2Xi{<;L%0Fj1APxNt;4v>lz6zXHp7lM_-i|>G%$G zwNumHS7B2V#<$-2kGa969*xh!ck&ehO&_C3LGOPG9`l2u=OZPe=g^Wg8d)T9AwQRA 
zf}PHglGxc#2v=Rm29R=UFpY>!yak;Q@B&m7V_F2VUi=B8W|t zmloQZ+~9WMK(|%aGUSl4Z4Y9hHItwt&LF#*B%9GLDM{}>EuXAQ68R(z7@BC}sUOjL z%^cdk-<4~lchXl2aUk}{*V3p_rHpD4dk#CGM6sBhY&6AJq;;uPFw=tO?D;$@4hU8k zK%f)dJE=OWE_L(NwySH_Xp@ho7;1JM83c8w^0wqo+umZMxSU4;${#HvkgCk?Zu1#E zerF_{5qn{F@UOkE*ExOVwj!F*&6C($dl6n?aEaj8u?B8cYb6QJa7Gx|U#t2xzt^~y z0)e@NF>lpvTT}~x@X+{8u=Sb}PdwZl&R4*mRpJ*U!B3~TtWj{anu?Q zqLQ>T{qQY}oSy}|Jbnpe_o4NOixrD$@nh0K*_b;JGZJ#?beFRTS)C|B}8)%ywk1fHl*6qgK8w+h!%){v< zOswHNm;I}`<%t+q$WlV!Y9kx~>E zKJx$1S^&YgfjUQ_bJR(A7oI4<-G-p^-(SLjO}HUPXa{`@DN|S4&$eiA@SQOmmK@Mp z+^qcl|K?V)0fRH>3ltO?i3{yNvY=N)$!9G-L%*gSrg>#NCsP$L$Q&C8d%gy^n)Gxd zHo@j03!)mD0{wbpdY2EOkQx-8>ZrUj(<)oCksFV=#)n`bVy3+$dl^k;Dam@7qFrR$ z`CFkAsKy52Z@G@04Ud_pR)Op^tLP~c<^R|WWOL3qsVt0tvrdDcf0q>h|IS4Jg$wu} zv+Vze4LWhYeDOv9)5?*@?lGSGm45;M`fqT(_Beje?+-bR>(wRv$6rHb1^rxIT_>Yv zW{S#oWNj6d^;GrpRua#eOaAL4FCu(OTGv`I$*!h*u%^5ZROPYhbd49d|G-;qID{Ie%*ae33`dp~Ne|>D`f1zsN&)gNVmXpGB z&)vPow)Wc**n?tZa1EqgXJwY-_}F^uI$L1`NwG*z%1-^u$T&wybMOY-Wx~fN;zE~M z=vin0prO-rz6Z4*w+j8sa%6lN9eacSYR#km&~-E%6D3GhoANJ-qbMP^W&XOTsLN#! 
zY&Fo>n_Y!HEAxlSF`fF6Iy&~fvhbTBeA}KK9`>2}4pd&iWpsakzaKfi3?8J*lm<5X zQRH+Tx{#VVJ$n{!XN#)!6)Cu0>mMSSS$_HfUHW`X+SUe-O1D6BPiM`yqQ_v%T&diKf|KfY%v zG+(k8my~#HR3U2D-w`=Foi_gJ9=TdRf&iybQ_al$<)wDGfLp}4a5vj!-5gePTL_np z3=R8x)uOF6AN&!I=JhqO{&ZcIf%@Su_49vXvi?WyUFZg+WQvUW@&*5PDe|1xJ|FOE zDRq!PvwiR-} zf9GvjcBCcqtNx}@qRGSHHj}{nBj+7@1beAr8-r9GaP+q5q_Yl247L|Aub{3aR{w@F zDB67C4Ei#-r&PNt{Tg|T!|^KFeDlHM@<8A78i4Yq4zH{La?Up&Fh;7t2!HmL8DoWF zYYM%v|C6G~;8m%u3ac5w%RYa4N7X`}M)hy>Y4U8?-KRFo2g!KU_$Yam(iD>k`_pdd z#5u3U1m0HP$1wSLinQ|uc9zE}m26vWTTEv2l zItycRQiL`wBiJK|*@NJbx7R!jgQE!0-1h%f%i_mv%YNyJ$*Lf6S6RJjTU?k1a6kmGOog3QrD931_0TUWR-;0loC`>MLi zsbEE|;SCTg)5Uk~U#@Nf#z;;W&clH9?@WjRuFdm&3y?D?_`uD?U`_Y1?U6;~b|0qB zB_+v|#5KfnyAf%Y?yX_?hg;1st>PmbiU&FvPxTzpW*YhJw(D8Ry zFgK&y)rWT+#*6;x9^;bbZEJE$DeeOIH|K~yOF754TaFSPCVRo0n}HThCnwf*zjdj` z`1?(4?<$N4o`YOVWL>xc9vrDwIiD(^{5ur^y9t-mmhWKkOiAHOEjFKi>j*;re2=F8 za^1jzwiXXxnj(lvS$RMGd}BW58?4RL-@>^{!ONSJDSX1~rY331$q~w|a3{n$1k!W@V@L90a;s{;^aaVzPkFOC9IdzoY9V#2IwbKIZ<7wLgja-)b5!LJB+Lp^e}wP zDKj;LxJZkL^ZSngR_N7XDo3gWfrWQ6W0c7Qi^^4l`T9Q$w0oJbY2USA_Z@M?rclMm zpxS+Z*l{LK(&k!d)mKCU@%3F=)Azbh(D&WZ0DxP|pND}k zACI=LMjbFaybGFv2ry|mtE&&~(~Uk%8MD}QaX~}t*R}15H6a{Qi0#gHu@Q9+ZeE0k zZ_`cR)zwy)sra&jI(+^VsRqZ#&65mVVa3)g)R>`_pC-J+!o%hqf-|l@cD0%h42_S| z2-3DZpe^2fDNM{i$Y-qM7S40hJN26RtfTB(k@>al8|z{!#@T0zSDxn-v;ISPzBbl+ z-8dh**FHVz+$8_(y1+B0#7u&R5mXam#E4M)o^1coc$IG{RHxg1gB422gP)&0r)OZ= z_#qMXv*TzKPR2BvyHvOCi^r*m@!b{DsHYzdFt&i=qzIq3H^L+-pU_I zE>Ulh=6kPGb<%7Vybe&<}C&Mr<7aDAkUJM@Xz-L)e1*ngJD{D|;5?ZK5~JKcrc;_gC7 zPA>c!y8LK-u)tkplNe%S(hoO#Ppi5mV_L1F7_ z6P!I@$`piY`n+TS(Z*nN{JgEB+#QgToD8Ys<8!YnREC-gghp)drmH^9SO8Iq-8gdf za_B`4vx21L=L?!SQD34;Ro{5=UEs5K6R3O(D@BJVcKpg;L$l6X+8(PlXbzk79kpPj)>D9$Wo$D z_~W793)p;E=R0=E^UXW~Jh}rea#TPashI}#+1b2IKD!b{R%W!|EZ6rx7$Ch@Ccgp; zd)h7@zy<9VRgE<5G&Q-!Az#u(p6oZd7n^(l(y@~N>}eW|-W2m$D)?4>U{12x9RuT7 z*xEtiyPcvr#KzASw2qIrc`qyc=Q?%4zG;Y>;$Hq;{$FFwtZR(wqLh|(VZWY#ARKaz zeC~c+mlDh2dGRD({73u8wcex-x?v!EW0fNr3y<6|JennyEq3=7|IrWN+1ThmP@d&@%uK8F`@r_gV~D!74(weAj1GymR?r8ka% 
z4+Zu!{YG$0%Uvl9j6F@I+`S#C9%-B7yZO16UwEs+2=fa2gb#>K{!eyRA zZ=^x#lAlWf+1@$zg@ojiOW2xgKB8Ilb8c9@w3y4Wlrx|I^zfCx168Inr8)kAfP=}Bt~xN- zPJU?S5=0TOLEZX^R0YTl^Ko?e3@ey^8_XyzNrgIN`}pDK5YdRLK}O_yZr9%cVNJBp zjl@pWbF8*bHtjD$=7`|gYz0=K6b`D$puv#H2Ctye%#WVi)W_pTYgmPCzKApEqC!O6!VTp7IYzZ z^a<@+m6W${2Kg-vI#)mgDh38)8+e&(=ay>E=3E#3mu@S9i4q=9xsz&s`H|Vy^8om2 z?y9*zxeUy*R}wSYOIJFfttee7N4HGsz1dGF45 zn@`rlP}5rIDS!pO1*tsgEPFNFDNz9h)1v<+Nwj~OLtP@E58)=;V#|) z7je&HH%@glxFaPzBo`gTl$Oui@^@JNQ&&Icq?=qy_d67eSFWJ za78=w7e2E8^gw{tX+vT$JSV%5z6nMLgLsC;yn-{CJ^`N_*|}Y{b2pBGXAHlVzw6s4`nJ9J z9Dqg)82~foR(>LZo0*v@QxYBd51bOkb5Uz)xnS3<`X@80^NJSYkVsKqWCIWc-?OAU zQsEslue@ffgV>}+5}3FzBvZZdpu(xSt$ZzvZS50qAfy)X!l-dfa4xdAsR${+UtfF9 zWpOpjbcZ0(BAJ#`Mz9&Ep^_AqBo%xF`*ALRR9DTnm^H{7&df-*8SWU}{|;&j^_1r; zjQlz)t!7^R`$YdUxkOO)z+ul7RQPd#XVIp|5OiU_Tk>dk?0qa!c5h_<3X0>}9O;_{ zWcq{ETHJybj%|p0zrc*ZRN5Jq4M* z@u!gc=gJ~HDZ|5Zq<$wK+8=I8)OqA3d7g*ETmL3hN;+2o99^TfvX5#p{h&guDU}W# z-LEk%`HqcNWMzxNp9f7_5Wme+RuRy0b6r~dGm2QupoNq`1W3(SZvg{MF>@&A|AdSJ zdp_9R-Wu^*l1SwuSL4DOLpS(;>iAJVu=8o}(YM%y0ik7QJvPR)%K=4M^cH{ZQ?jzi zJ(&@c&S<&dQTrcgtw!{{36P3}^bbF=dc_MqpZ4YMKPzH)9cv%tUlQV^@ zf6cUb6_?DA3wx>?E5Hk%dZ}VqKaw)-Tr}qk41EERjJCByq}nA3SNqnA=(DuFM)zJI zPcV7K5l2NJi)%ja8H}ZzJUG^%KhWvFSk)8N@@YWyab^8F-ZaYv;LGHo^>%a>G`OdQ zDE6Jx8d9~gZBVBLFquRP7A1%J>9@$<|`<)k`xKcysY1R=<;cOZ-y zE`Slh4=5uU>b00M!`hR*kH_F80V-H9Wb-7Ax9~&!?F&Y-QviC{vWw;)E=UOwC9mj= zofN!n*?yF6p1CE+$v#KKw(iy+aR+68H*1In>L?9a40EagCd^o`NOnJ5eY%KDBcDngETs)rQsK*HhC^{);v|0Wf8(Del$4s!f6qgq@5 zV0xe707R#5f_BdbEXtJjrS4u&syeMO-SlssO;PWG3cy%#8jSD!XuT#uqu(CCjP|lH z>Ba%yA~1b+_>HNTtZf}9aPF)Ik; zce(@BdCEixfZC=I8DN7PlkaxTHlxxGK3rPU>+#ys4owg{{4*-|0 z-~7t)F?KkXdVNF6FQoRl20|ajcWGwLHNP61G+*y|XsnX~kbeyW{fCVSG8Ux&({G4K zN`GT-2#t$pWTZdVv~m$i7NDg9qYf~!Kp0r0K)%M%=Oq24lAL$I2qO)a?7k&@-tja< z&p^Lh-HkSM(4p@rQviXJDsl7>qZ5-If->YDnoJ~fM?Rq#WBTQ(MLe^H104&^y(f6X zx@aVp|E$&h2C!nF0#jh9KWDUgr<(l<9~&h^h91SGC>;B6oaYr#0)r+K+*A&4y$&?7 zu9u9zBzcmK`XPA9?m;)s5(WQ>89GUY_>ssN{InUtW#=<=w?rt5ireNc}hbF8SWZsrh4OWuYU;w$xH39Nom*V 
zx|$M*Cur{qIEIxSt?DCH69Gh6G3kKLM+!Rz&FLvg6%i9Ca3)N_8pJ4|i%1C_T zsA^CYC40B^hJs?JQyT>p>(O1-V70M`0ET(a)KBAtj1`VVee_B1pC=zUX$ItQbyMtN zOadbg>$jlUDAPnO0TKN;0%i297@)NDFV32;bRIg@`?m9azj{(;R#UL{M*Bg;g7ahdCbNjE{-!`wiT=QMq$KEl zMOI|n^1`)%Zo4qyte_vb#^V93Q%33pf}Da5?3AyAF6+*Z1W)yyHFoCmO{=M9O=&Jf zE=qwwLWL5=-rIU5FnQ5BE9!cWp8AR3{e8{2_3^56-CmJ#l7y-OJOHg!Nx0YWNqv7> zW_s_#j|<zt^m}&3KRN-)j4E^MdAE-0H6?l)VXB zO+~OaY7>9k)y0e+Q3CSDM%=R7Z8HqP@nqER_qJQ_Bt-wVpBxnXyc_SlftozA4?0p z9&I+Z`|@MwozhrT$bgv7@gKQhdHV&&xX2|h3Q031BAK^#jpM&e>uf9#m2bp{7EDzb zJxZG?2|buPI(paB$=B2M*YQ0mYXM73X(*!A=7)hK%9Kp@;{$C;IHK_N7kV#szv#GE z0r-actD`5EC(}n}3{XfTntCD}7X#k#&a>GPK|8tvL>}F#U&r|kRis^|SF8Ek*19W5 z=Kkk{EWe}up1o035zo!0@+D>>vf>yT8L|4`WD-A>Gv>+H#Z(GC{wopF@Mu$> zWR|^a#zC$q@+~R$uD9Vw_dyHI57w)UhPfQR%aTkq8`D0T)9rpd7pEp_MNEdv)VnzV zTP+=dKbGD^_Jpt*x^Wc1$Amf3QI>{wS0D2g{USf{jfUZjq;wdwPzFPjh}ewZctw*8 z_^qZ?@t3epl1Dw0_a@15R_b}f*{+-~VaMwSZyg2tEyM=QQy}qZ1`rL~xONZ?f0f~m z2{ZYJA3lr0|y&Y_|ICYf()Kg@-f-qXx3ph2q`lW*m$MJ)!ZstUfor+9oF7SHnX`p!4Q!iQK3$tFcE_ru+< zCT@$0isox^aCcrn*|j0-48uTx`i%GV{LOHCz+;obS+oDlF_<=0J2g>RGDa4YXTu^Y zqEc0ntK1pPJ}+cP!vOe7omW2!_1T^jMZ;~$SP7jX!7P&0-g8m9K_!mC9wG7kl;*ai30Maq0 z>7^hk2Wcfn*~$s%wcytHHka<@#3&2^XzpcW7w+mUYMskHv|X!JhT4t|i}fF+!GF=5 zW2ij1EE zJegMm$IuWxEmNzU8eq=sbBrMLilHbL_IX=}`XNRDu!tMy`Hwg;VH95!eJv}{IV2j_ z&fy}5;hkRX=9kT^L}_C4dbaM^vZ~6y;Y24YvU$=E*wh*W(#8gFa|h)Yet1cSun=`@ zjKQISyx7Swrs@_m?h=Wq3+D}D+qxFvP3t}UQTmTHq{l^hF}10>sX*^Vh>Vg_Uh)7d zov!Ex0Yq9g_qMX{(pSRP;IZx~0f^e%xLBot8}WIx*$3Rnx>Rwqqz|?!jVzUF08ycz z0LcI~ZX^$@mRi6b51oa+$pk+CJio%-x#g1Rj!{}(J4FTtIs*{gogzS?9zO-ny%arX zudKY17w9`E>P#kHD$%vf-z(7(vFa|b%a|i1T7e3Y%-1y&o{hcZ$eCFK?83?Oy_(_N zle5T~`H()UpFK0?H*XL43$uX{vrTTGirdIgyC^( z(|(#%E22cV9#uuXR!`mb=AkXwV_?!9xRBUWtN*tg$k+P|!H_Rs43|zTfZ&yTwDdbYmV@2&il>r}!*vj_HumOqd%bRf13^WMkjIQtrK)|h<# zq9UG!pY=ZE?(QEU$d3Z$XEPXn&b#ycdoRDDEPFW@XdPYnImkCax%DxCd6$A_LIZI< zYYyAm)Q?gaT{QFP60rC_45*(h9}mG7*vd{2TgIz+3hf-P#u7Kc)kT3w7Ht|MlW7rFN@f?W`p zoh_*I?1g4(6wKW8Ioqh6%-9=XK0a}#-$DUC!=LEmA18Cvvv4T~P=!^a(gU`8_erl{ 
zzQ>3R)%7L?&lcHX6QcR0q<|%vKHQ;S&mdtD0Pa;PFp$`D5W{82YkeMsTB2EIywZw} zFY5bG%?eo7*Y_FVoXt<-3v_@Y3PUhY-JyE{*cFYPbvP$lcy9f=do9W*g}cL8JHh}`);(y_`$oIdeWmpB3Ts6TYK@dcI~~$BIe7;Mj2OC7R%TO)IkF5-7Y*te z4VB@MS+&M;keFt3d%2zfQAwBOhsZdr(O&7|q9Qu#iFIk$H! z`D0nG2|lBqji0wYTmr~^f8qy+L>fPTmYpCqwgPyrbCFV?3ilX>^xjkjEDpYjQR$=Y z$otkg?0&E-kzkZ?&?TO4=izN;NL>&wSqlZV%M%$0khJR)17sV`CH6FwlmR+5t7Z$e zT5x<<-+Pc6S3xC`vG%L)<@lJ zzPI%wsvTX+1kEPU1x7nMBEa42swgO43w-ybJZ%TJEA1rJyhNyRz!EdJZ4$#`DaiLG znFxz*hRw!TzzT7kt_tt?;H-wBDjHXcH75kix2hUv2Fv$P0$GNkj%ayzeElfJzE&p> zyG-IPH#+FB-mx#c;)m5FcUvb-mif_3h}?YZyGG=(a`KsX_ae+JSUa6LyJDVc**VA` z_;~F>UtS_{=fPqLJ1;IS$pOEp_Iy3OxA^P)IbmJVj`ia2jx>Y zTP>0dU^*MrFBg-+J$HK;q7k*Q23+YxEwAB+1)>VBmd9h--FK8ZRdhh%Mffev^2}Bh zspm#}E>xLH#|rwBenNhmAI+T|9rT^YB^mD&>Zuj%Zd|%2W~Bq6{I(qT-p)Qz$csQQ z)1Ama{jS-E!~cqAyA1&ffY+a-lAMkq<{RItvL2B2dRWcjTS(-jqkVx;S+lz%`h!(> zC@D(MEj@8K?Jb~k)KB9Cw4;~fG@H13+`Cw4*b%flIpgvuVzEcE#{)tf+~-c-7m-N2 zFH^*xuCzID7y$ETrcaXn(u4zU&sth>Ny`m(^ispskzw0@oEJReqYvBn_bX}kGPmG4 zs+M{G`bBT)OOx?rCrS0uP-vNgBnzs}*-?Z)Srk49wtdvBM>_qDKYPr5QbEcN7x8=O`uTQcUrU!e*YjH#4jBhU@juv!6cJ3*qIp%PE6&nnbZc< zYvF98QbeCe zm}Mb^O%N@4C)HiO8p&p{P^|Ll8eXa5kOMJGi?Ih)yk?GFIaruXGdagyL_qkb%v?-d zcxV%641Ao<;wiyw^_@y{yic+Jkko=GCSI9$r%8_|)6RrDQ5|W4CUFJZI(UofD2mAN zr0RIvy67QsFxOgOeQ`#3w$0Ey7g&2FU-y>YGlwXzk!LolT&cYM_#nP~xrKr!%397w zG2d(}v85C{IT6N^=B-@NbMWX|$O5}mWqdoVY9koyS{iZ$qCffQue7IjBdo%2 zG2{39ej9RnJOwSgbTaR*G4*tJuO*@t%}=7Oq5L)()ikh>IF%U$Z-v(O4|cZ4m;D$~ zbxlo&d1@{8k3WnPS&jN7&{unuMIm-mRrR*n*w{JmRu}eA8C8%OGde}j*XBfwbdIzM z@+`SsD^WP#e>M3kdr7(!!PU3RT(8)z+SPD^?roOVyDQ7Wsv&CLn_)_mIVBaX`)b*d z#g4-j&Pc~zp^biXO4d_EG^8>M2E>nF$#0=BHkY(h=ljUGi@`A&#E zbnD_%xmL4GXVYgwrk9xW zMwS)QUpfmcJ=k-V4d1m@!1a}O))T3`3RBySJOT~T>3&zcoqk935!IZ7{|q0twid%o zr!tbT9{FZZDSfXhjdqFyo+G%lSC!A7qE!p+x-Yo~VzJhJo$fu%-g-Cer0=qcN@vSm zwTN3R8nW_JWJ3@Orw^}_C(Y#6yKmXVEWUq6yNhG=3#K4IurD}u5j5Z_Df>c+b41Xl{`!>9Rai?F?`(lLO#wn^L9ec2j;hR$kKJKkF(-q5 zp}I`e8T!YAU=XP4J#&mK)Va5z#H-Y+tu%jzu6@ZVY33D-Hf0RUOp8`)^~zNadT4+} 
zdlqe*2A7-|7z@mAy?7Or2P(1}7S2Fxc+`tLC+N`feuiC#J!K~&s9Af)A$^SFJS37J zDBR!ELuvhb(v?Pl|_q_}#n?e9<`yH!l z%-MXdeOgqVEpit8kDMZovmnCSZaE7@^HG;Ngt|%!P3dqhV_c072=Wu7G7Fx}ZS0!% zRkl@x@Q}BriXn_ zEt7eck2-0Gb_d!>PS9?&<`6y!dizG^&FkFqat~pngW&{Qh^>_lU9o5%2TdJZB8J@x z9$jdHN~E-;18?bDg4Cjdvf1e;*D;T99wsMN$di@1aYC1RnzHreJPf$rzR!l|UWqM& zmrKvx8v-+H6Z*uwW}IPoMS+^^sTM{(HJz3nH>xgguD5F+s?eNI*=_(DkgiBtsTJU* zP3byIRQO+mj-dxP5lZ+omt%-rK0kgeadg8=fW+>xL7ZU8Z25NDC`eXup(>kNKK~59 z#S}c8LHeZm+;m~Eb>J}FdZxb6X~yg>r*xf`3}7P>XYbmz`wFrZhXjvWBE{2ZW0o#( z3L}!I*9*?Awka|iJt4aN5l@5t3K;COwb74-ViT`S%(y7O7_?%TR}zD5bIYJQpq*(w zo0QVmgn^3ZPr8pM-aD&I4W8-)E>}^5+BXf&EyE~W!qr5UzwX=3yHDp!Ct9~5No#(P zPBl6BmcAi;J$H3lr|u_jI>}9Pe6UNpXUN)?C1RU>V?!(QJGun@_0-S|Z+pgMotIW` zJ#(e44I|5M<*2eDE=4T)dLPAn^}2|}(YXanKmPh^t^;k1)qz-*+PA?M^z&i2H!$>K z1)nmYAoEwc&=znIN(w0{=|R6vK$2b)aSaZEOI##+CaiH}O9>{>BqFF}SR~hsUM{(% zdX^(30VQ$MpdQa<3GC$><(V}O_$Ha1SS2GtqWi&vX*jz@xv*WEU}iF_l=j8&#OPVR zgS>sjjGhgVx;$B+H0UXU1je&N>o=U5B?))m4ssniw=j8ttLF#Qm z$o@Fz6%HrnTjTCbfxWdZHX4>SEllDjJoyc#&6h=(Oat!|^GO)jZ?(gO+P|P3sC5-T z5OjFmi6yl0=*Tr;nt&A(fB$+;#L{2#Yof*eu$9H0R!WL`TAkIXK!Bm7xyD@aCa|+f zyrI~xw9v3BtM3=Kkbz(@hG6jZViUQY2i4#^wY$B0?`v;^qgEU4$PYsoX?xxrV*^fP z=W9bmew(ar32bgEcCGvmx7VoHhzct=*`FWBKc?j&a~Nqc7dqZiQo3I+MgNf4Vb;Bt z(etelIOVnMMz(jj#@Vhh-7$g7e1OO=IWD4(rd`U*%^S1HRI=eOij-?%;dHR{S8!F7 zp`m*}M^tx*)J2wEXudc}*Uayww-`>?V1^*-?4 zwctY+6@#mwo2`cIn^sev0F;1Y@`3_yE$xrwmGeuy89iWSv@oK|ca zQjdWLDEc<6N{zP`KSR!9uXM1m#pbYeZdCWH^Q>uqg*6wdfA+@sttfqZYZ1vN3!?@S zPbRg~b55TdQ-EyMCiPk;cU^Qre_LrRcJuod$Zg*j@-M9S%)sSYj?`aG{wm9x@GD-R z**Mi)9I=B-bx~Z!y_OW|KvC$Q;(m8^b^3M8;nCq?(n-)r%LOFmlHXe0@ccI}oSUR* zTodKN3eJo@AJ{&^R&4H~>ZS3PApI@aQ`_v)P@dg3l!CckPxV#p(Wd&lwfiq#8#v+^ zHnmdJ)yQMMxfFs17E%tgRvy5-4&1ZuppQ4!Z+2PIBn-4eq734SK4OlziU{)%M~fc6 z1S)#hn=A}BuV6~+QGQEbEnP`Qs)K`r-<3Nocp!iuCgK30(IR`XZ>^(pcD;ba?!;IW zruOzr%X}}B4|XIb-*L_`b5>m|8`5{98qZaI#g+qwR68;Lj()9V2Z`E63oEAb_O!vb z+S5E~NPBF~>ihll^AT}d|0CS9H$L%)Y;(2^&wl)zZ5cXEJ4zu!n3IKB#htVDH6MTYo(Ox%F=@Ja^8DmF4n4e 
z8~ly&ivBTtwx`sTg8hhnrUkGMt#3hq<4yD6xLWb4d?yjnh%Sg zkfm`wrJ5Qp!=|a?Vj{5|;u4n62L|nF*w&?z&IcKZ<;}O18hN|9T||-)TIM*y*mzqogFeFx~x*?qc!sE$)5$ zXFai(erz%>bgB<`W4i!Wp;U%71Ct2p zr_wb#kN(8oKeFguh@F3u1JI3iJKc?eciEA-Aj1>4&C4F8^WQ;TBDReaKT^L;1Gklo z%r;M~M}a(hup$BXiMn0u4#T*xAJ=mPn{nS;l4M73kzWEPj{yYL_ffzKlBNj$M=qZE zMpj@#Lt*&%`g@7IhYtJzv5$8@>{JR`0}%orG!S*q2|o1C3EIhd0e7cHgVcCnf4u{a z((42k=MH4}ueNT*;~Z8lr%Ptg4DDA~Egsp407g+=h~ln)zHDYYb+Tkulk9tcgN5`i znPZa?MPfU{%?R}CTL#>(#R9U9`wQgoB&PhV52#b-3R$c9Y0ucU(vkTsH$K7z?XyLo zi+D%Br|Tv2V>0O9dS-@t zpNzv4U#&pV!5NkN_u9K7cIS8Rg1x8eYHK5s3_UWNn+0Y|b;hQ5;&zrxc)$5IH>bPI zdbFO8?;+iuC_+z894}U^jey3?w^*-Gr)-oOGwhqUU~}bZ0?TfTcUb zYAC*Gdora=W=ESP5L-KuvxKIc^CXR+?l<02UJEErXZP>gvWEx6;a4+wO>slpi?i+h%a}j$!*`pYNt{jMK^* za@-)1*T(CDNVlho(6aiaL>z9$#;sx^_v0qs#mH3 zxvBDcnyJGL<9A`}x{Cq_@gCuzA!mvj8tJ4l5_xm)uS-##$ait~A5+msYE2doQ)v{Z zv~RXCMQ(oikTyRe!I_Vxj^i2mB6Mc2;&DOOPWuc?fsDsL|M~|P+1p7snp8-`1GcU_ z*H}`e5`-%<`R+R3T8Q#OG`Tz5MC7sCgAT%Lpdq!{>cqOX;^5XlJKVC7R-TZs{L64A zBY0qS;O_bqSi@({cQ9S!{xi$#LK z!3V+Bi{)O97s+aT4%0DTDFtXVKgn5<#JrSSS_jc%EA&W0Gi3GF-7u%v)OP27@EyFS zEl_7erL5B@{k2gb?t)NI}eD1S%dA>_36(97B}Zds)-@{1wQba=WV zMflc>kVvBSp}cTB9x=D0Q4`KiNvcvZv0cEI|P)KtQGhe5V{h1*ooB<4K8 z(6B_klRiiU7Zicuml;adcMG%Y?WlpHUJ1ofLswn)q;1o0b?Ym$^95vs&m6Y`%He>; zjhiR(kHcjRt1>R_U3#!0zs*x`s=% z?P7hTt_j{EPg0PmdsbFf?X!+(hE|9M}GqaZb4BE3ZTe^QVdARdHTHQ=5&rufj&xsNa$%z(B zRw*Dw?hMU|+DJ0m-pDBDv{1B|YQLYeoMXAVhbQ*vts1@K5xxDSMVMCo?8&fN<{od> zyoFqMgK#M+RpXMS2Xr`U42(X}c)QZ-+2>(Tbcz}bn6$Qk!+cfp<;SnmA!5%pW6v`* za=)Pr-kh<+Y7%uYLsi65mFc11{inqH)>tybTNjD&Nz3H?p$xa>e)w&pap1R~)yZ%D z(CY!IvjFVVOG9+I+3rQwQ()25!pL~@HmXMua9MRm{W5(c((GHGcdSBkD@3*f z(9_?tU+3?|yd##6j`VcAuj8fN7u~Fdohm^S2YC%7vR*eVJ7D3ZyU}ZCET^!82q7Yu zRDj!c&8wm(dM)gEIYt65byZbY7gt1Zi>g=EnaSX`-W8O|MwR%FR=TF@@*bPPgxDMF@yw7pj-k{&7Kq9<&PVB2$%rL%PI&A#gp>?k>pvf^ij1ZmT& z%<8kog4vgD2OHtwGOKv(A^W98k2o6yN3F!Z^>`Lpr#R|+%34f6|b`QIrrW7@zxiODq3T%IfwK< z$LK@+Y8MB6sja&C&GcZvF7cn#>7k+ewshScl#F6Z$OaO;PbgtD?S1}$QRT8CXwc9L 
zFYc}tJ%j=}bSCn;tsn^`=&yYyhKQ8!vu4W1AhW#ChzPOIM|AsLFC+Rx1C^P4-K2=D z;f6H%pS)}&bkHgFTmXstjv|)x1j3t-U(e^AGmh`!t5_l|K$Ue0&k42Ttdkp5BATk_ z6Y$9Ij^_`2hqm8LlU{DL<5#QHm@1Ix8LT{7jkOk7zyQe?WuG}C#+N6({QRyXzQI+m zsTU3ftm9e&s41SA!zFdP1Rt>kW5~gwA47CnShCdGC^(rrr=T54xM|Av&CnL6ymLCL z$X@@0(m_C7()hz_7eDX+lZhx@`~*kNnn8y$; zqlP|x3G>Y&VMps~7?3gp&vzQ^8Omueg~j@8IA214QA!u1#F}&z=sJ~_4@PU0ax%=O z@PR}b4btOejL0MVWme?-FX1`m(pt5RR zF01W2E>4fYwx~z`RCdOExq2^g?et0L$+My)maR(oQ|{hd>B0R z0F0kc7ntmFo(%VQX6nIxAA_P@T zslYw^?g2;;($~xvzBR@*U?#sYrpgG!x&EKGus_prb7m?k%L)#S5NV^X=33B9$C~~U znStqCQ5i|CKGeDOXSkW3;}Y%U^wj;Kja-XIkKqf6#+TIGnJN5L#_Y9=RRvwmNE=}f z6C5#BS2?;yf1-lX!qUbxTh)!lvg*W(5dEmig{7`)(V`&h=JI{;Z&&>I zKmT;Qi~;N09r9xUkrhZB+X`ep?~s_7KM*z?zR>sF@O&aCTqVH#Aig^~1(P0|bI{ZVlUp@pGnQ}pNE=zt}U>t}Yu`|jt5Q=Z$i zJv^x@2oMCsT_J!Gw?td31r6xoQ=~u}C#krH#0SXE{`Ey!{uXf4TixLH-|obMWS&*; z$e2&)IszcApoRP`W({URuADK$(MYy9UlIY78T{kY#XoP7G=Tq2)V&$5vyXV2N%PBD^KVMX%;{yx=%5BX1R%220R|s0jloc_fYXcI&nQewH ztNv2!phtr2RS(_E7%`S~e!_A*M};)S)=gqcA`j+Fr`EXrnTMNMzPOQ5Hek1iLDQ@d zVjvL)EK+aCyuMZ@U@jscYY~&O??gblI3Mnttk~j~*LE=j$XK2un@?k8TJI&OoDN-e zq#-tt+M;0nR)U-_TiWHg-JJ=2A6oy=+H%+C4{ae8Z5>B@?SE_5J#~w<;g%nn1>RP5 z#I8t!Tp#HFiX^MMJDWYT0ox z;%uE-xJTiI`9^QrzR%Uh3H-{&3-(d34LigJLraBVc#Ehjfj4SVOyfIS>lC5nDPmogvM(RY{PCm<#2|=m`|P{=t0u zoP+J_6%Y3%bkDLJqx6d`R59o}Ql?g?u(pnN)}UBMH0eu>=VH%xz)|b+0&V)(rw4qs zk-|}GjhY%U5m@bLjsSpHiN^*#ME_fmJW*Fti?5_CQA%X4&BJo&b5imAj9A`zMvaH* zy3>T^DHtV%^V$Uk(pq(-2;wTebf!hwYoXrUM{`M zSkYrYH1(M3-3o3ohqqE@5Bol~Ebc!7?XUt6D;E=f_B$y(%sVN{oCgmPmCaxfq8(Wy zCfxLgqttOb$)|cD!qt1fZQhox_;#Cem)hLrgFJ*< zCdV}yTiDLsgz534^G-o|zU7$PF^&B7!9$O)yS4T`r&XLvZsNo1)A|0pm3B96D;MZH zR88x?>LL-}h0;`srU+ zpNiX?fIWt~w4MchkseJJaihh+!WWEa8oeZs8QKoTl^&mCd&@sHyFooZ3&r&(y-e|$gH^Q9(%u?nDzV;u3@de)Ff|kq7UIO;UDF{^hgRpy|U@# zHv`ync|B0~Y4ByI4sQ&tML{`DbuBpwOe-ai=N8?yjkn#GfVaL5pKAbnF09vl(Af3f zz}B+85KZKBh70b=ui~`BuC^*_cC$^2&aP9hvy|MpQ+Z!#V?G5CtQgJcbi4DsZ~$iF zz^A$c6FO|g9NdZZc>TzceH#6rmZ0;kL2|UV(3^NZ@OsCA{et37eb3~KovFspmDo7! 
z7npy7z0Vvb$MHLFOw{b05C%NcXkMK0jfm3wwxx5o`vFuij@)sov3t86{4Qjluj@+( z+Ro~fpWaucJ#5NCD7fM?2{)o74|S%^R7)Hl^*pa9A63s9F7@H8%x?MtEjKSUvOn() zwiwkJJs-g^jz9J?)h|ugy}-mal9o-`dpaO!0k6Qtqa%$rYO^h0uva9S!i%uf*2jy( zCkNRZm-~6ME%?@_eV=1Jh4Hh;i-U{99%9$$q*XOF1fzY(Lx&?a-UQaI+dg!+>$7M} z85d|e_a{fsDQ(fMb5gsH14CWSHcoLpPgZh-vV03*$%Of8dX6&ve&}QQo~}N`^6P3U zN97K$kT(9{BBt!b>$Y!>CQJ0Z{0eAn!w>I|)sO3Gb>G51xvkvIhPWLfKkfi9Fe2@B zKcWr0j%3(BWpCWo{O|9>ABFn_ zUv3z%&^>nczPCA~(z>6$+C_X6Vd2GW&rF)$%=x%P&`15Y;Wz}2N36Rb$-i3$HuE0x z+7nv=pXt@sls(=j%PMDVp5D>P-d)K$Y*hT86x~ix4$d0AkWFRNg22MJ^ zzVUqYfD-iy@#DVgf|~v4_m=#^YivHBT_PUfeXbm@l$$H(>y}R2v_9Nv{yQ*^p!IF% zR^vXd!QC)6fMPZ7l#nlyQ(bS&$|Yznms~d2E6Hb#Wpn-QLMhPV(xbzqYc7ArC-wGu zoD-V4w`hXE#&!po5rOXjy%*}+59#JD(nWjZ`isBKEc21$QV)KGp6i15E+}Bt zNM5ez%K8CMC8Eh1w}!`^-EKlNCcAjEhxbvI+OZmM%{x?uhv1Fx0Lq}zeLc#0ySn^Hx&x~4rp!fAF zrtF-LJ*lW_U*o}AV1=+pE?Q)HAjTuzAltdd#{*?ti{b#?S`k+UY+-V>rDDAkc71{eMhOMU?EZf(paZs7RGDPENB zL4^D`r|EvRiVbUI67=N$DD2h{8AJ&8*`$9i|G_KSryqjkI@6Lv=xxsv1Dx+E$dsJN zxUnlN4UobZ=ly9FNaSxfLs>j8Xu5N8+x6%z(bZ-uIE^0h$acIDN%Vf9svSAQ#P0(# z?S~jZAP_C3+mFC(3o~24_}3iMnAqB!*ABQ2(+kP))KTBBJ=X#W7^z2|RHql2gOmoO zz2A6SBYt-#_$#k#zuCrrchByKoon{*j!f_EGgoiZzQWKEw7HDof^GoKu9lLdo}Vts z9p^|N8;qayIE*wJf=mMW@}Z#to|xRU9>L>syovBcInxi=dIQ84uqK=#(mDH)^YnX7 zLvTUzouNkX{C^f1N1U#|-%@N8QVdkEh2$J8@HpLHXL(MJ2aB)ws&-5q21v&m+)d^x zc!PL&Rbr-xl5)st$9qxaE5M!%Vb_siPVS*|PSd&kd5Sd71S2;7M8@HW{jQ|hRc}7A z4udB<9P@)Hs0lHw^N$2x_R6lC0DST3i|>Y$OxhI}^2a$#bJR-} z93^U9sWlt5l_h0)sZ4t{ZYGg4MTlN^(kgNcrwmZcWF#*$|I>--z)H6ToHEwL!6f(P zZW4cXEX`-_T9Zr2H;xiwHc3p(jyjNJc6XNDC#p;$Kg1DC@7@?Q!g0~Kw?MTWAQHtL z=ZWXk`6HrRju*z^n-v!LR9l)46@Ht^%GY*UZ+~gIsME)t%d|HiV&Sj{aj-XSM5C*E zN|_JkX8W8%z82>swm5d<&O_}vYTkTrzbS4%abF@otb!>Z_2ojUG8Qk%`#WZ#>o5rx z!fN_?pg)DlE3wbB#Z9z`9atM<7{C+ty{99au^@JbzD9&&|7L!9HMM*5KIZXvD!GQI zXNw#TVhxe)%)H!7KVk&u`R@2L9IJJdMwgN@gEKr1BIOD7?^+t}qE0N8Iveiu=iPB> zS;IB9zVg7}_w&95;`N{Cl~ldv47Id)$4Qh-Bp|zvq+&pXXH6?NlfD@q-{-?1w=+u= zwnRH?9*3ENn8wO?B2O}>K|aqCth7Zy9)xM^-RpS9f!kxgoB 
zlvh;pJ;HZC>47J_e7#-H<|cW&I#<<9zgf;x_1r2x0Ci zD9(r8U_u~T9J716Y#d?{i7vbidw%|L?cFg18QtY>m(uyfp$veJqcAwS$h>(kB+7zz zE#l`!zQ10;Bf9cRk{k$hbKl)T*3dWhokd^vh2XAo&xB3-Ai>w2D0J%yvfA& zxTl_`xgoMQhx1n37+5}r07o)D2e&v@SyvQ{A;h#=q!PBY?_N9W(C( zNcPcs$F-@IRjk)M*ZmSlbOp4l2(L^Zd9Cq_SO=*xqlG&EpncfHu7j1ZSc4svQQCsR`dO!sd<};1Jxcolf^B5q&+;hRGQB*9uy;N z5cejl>zTURe6Ki^-;Zib?}U)Sl6g+{sQAu8lQB`rkNbQ*|CruGHgV#?`~)Hn%HdYZ zyUWfyu-+|f_WK3cS;jo?iiH59l^;68LwhB&%fsDAr*1r{`1rdAsl}*53R;?yf+q1p z)4CH!%yfG{hQV9C@8lpD(jVWgJUS}#+!puDKc z&1bJ|{10riNuDK~=iJp#OSop+f*MKw(ceoXa!h-FO|Uj%p~4*PdzSfVqYHIWC;iU= z(be0bRCQKJ8kiJFw1<{3cY;6@usgAN2M5(37&wXd7KnK;H1lHA3d(oZlAG@7>rA76 zLn><#fa&v-YHy^kD_SH3e84H{?vemIgn45Bu882GSV?v8w_c{KnabjwH=QrV0$A4i zeX9Yt&-_GwNvY0PMTX1%2aZV&6oeomOLB8B28_s{&(^KbmW9C>}C!I{7L4 zyI&^_-%=+pQu2+>9*&+7Yo;O|SQVu#W~ovt9cv2uK8m~gK0Z~+w`V{OVPZnC@kcpK z=Mrv^E1qn{LCMth#pX;lGuR}ck=m4wyWlzdU$IoX7DvD99qx z7;9`9zJ20mEhBt9H`lB1CB5&XLfhMXqM)ZQTH$7N}`cIsP~rqN{hLr)xj?1bkf9OM5DTl)z9mn7qUGxF5lFwtTu=)3aYE zU7J@=AIp+NcKGP+ah&3%-_zsEp8n8~0Sr)OXlu^+)O=rgNp*8CdKI)KsbKi78IOmO;v%yWjz6?n-1chPA;>q`d5U+01 zuDNe8Sg8V&j+V+99U-sd)dnxW`8jNt*^(o(aX9SIkgJ=~FB~+Lab3SQ2WNmwj#z7x z(yVJ^4b7>TMQP3;X*!pcT8-%@e5%v^X_TaQ*SAuMxe<_h&`Uop#bdy{q_>LNk6O=7 zDw=lkoEhDra#qshRH>gq7iIUGxr=Ceq=&F9{Bv}R*_>I?@C0?BokO~?(i z6VH>hl?c1NL2QO&Pot7PoJjBFWYeIL>ENJwDrsZrw;Micq6N4;H z-G|jEz;j}U&Ui6kx|~%s8ADRSmeY&%z9RMNq1DNqX%w#XZhSr3^$4%{%^5a~z=Z-* z<}l!yY^L8M(L(&=m-{p|_;PpEp;KY8!2;FU?%bbK%z~mCzcX=O=KpRa7y_1^6JIb_BQIenzYm!j_ zTjD;Q6|QTgu4+=60XpkcqD633@{MJ0m_?ymY7G75FH>}iThcQ-0ps;QM=MgVHcwX%4Aihp1PKv-v=akR^9 zy{^B@Z_%|=gQ%2Ke^f^=yx-t#_7b}LiE-U?r+M+1I;uzB^;-E#79z>;xeR5QpD4 z>?pR)HBJRXftDbL zWyLwJ_F&jS>;v;cz3e^6hhV*c|Mi%2S8G_;9R&|tz+INs>h4H{wQN$$T2El@>iSP*9{kdV9U3thLQukJy_+q{_`fKwyssWrF6 z_FaS`uXA0zV!);t*x2j{>8gKM)#5m}XhLBMUZKWrKna&$)Lm*j0j91q+06XW*TeVr zy^o&a?)=cZ=a?~zrIH&MxOwKgOlZzOWvqC%3hP~zSwA1KXu`lt! 
z%D4NTyLY)~-1Y5^=NXTUYu{eVOs-$EpNeAh0l%7iYX6yg_|~R>LVC{Z5n%Ch0-w^> zF&QG0S=Mk%>@^DjD>4*!JtFGr{$nSTZdtb!AztSZ5eai=P@_C$7_FGRUW(EvlIh4g9ngtB=TmC*v_m$BLxIJO-tQ;lDOp=326;+j&IeeW|Ij$ zgJS8^SdQT>k0g^Oo*cV>ro@vgS)%b84lXJ^2jYqqBq(iSE7T$~|HTZ{8G~#xpNG2t z!3=_SGq4!148l+;76oFbu{F$^xr_0UgVAECvWx#X^&80lumQ&!9;>PdW2@@H1F-b;{mC;)by6w!-o`|mi4kWp~hwQ{OJhurJ{G#vG z?Tel^ojW}HuzyX+Y<&8(x8;ptcG2jMt(!A+5>j(}*9gpVJfTarZY1x3>^7atf3hlO zHtW|QV<8+~{^*=k_Tvv`rQhtUfM?cI_c{z4g!)44vbX4Nd>$m)qk9(Iu_yqv7y&sycAgYG>ff>%J9_ zJ@9Mvk6FihcCRd7$Pw!#N)!c8tuuMqt?QLSq1cb5foQ_tH-%r7{ixIym8w;98G(J8 zcRky%WHRpQ+K(E24e~O^A=z#8u7d_s zVJ%j~k@^t)!gAjH}3>L5G}lX&r5V$T=9>}~^<#L7iRN|l!B zcFVb_sJWO;X1pLJn!nF_ja-PFd{_CWMuLeFB|RugyK{+gwyjouKsn~c%; z0GrWX9^Q2i&N$kb-^VIXGpFfSCvrL|PCf7E@&J=F-%%9H4~-c5(xHbIXmx1+dOp(N z3dEG@8q*{LUW!ZY#IM5jd{uS#v)~jf6cPu$j{Oz)5WIW$=90y~a1Q}SH?CxyGiy=Zz!4e|Y}*wldhPJiX3TE2CFifoOwR@dYQV<@ZG5iR`1h z%an_rDbpS+H^Ya_p6f$-)>9pIP>(_VA9l&)h7T9F+EHq3){d64fwrevycOy%AFWll z=K}>eubS^KlX)v-BwcacnbNIER@}2DG_NMdFkBKu#3c^{}{T9bt*slMA8-ehW$a<+3}6f}u%4^3}Mz0go3<5blf z&NC?h&Bf^!6I5E@DdkZmFchA4JdLfcJDc_P*EiSp@D84C!&|ZhXVl8zm4*Kc7%3rB zb~KpO!-QZxn@Q{fWpKzc)A#My5!dLx`|CB;S|2tvfE+VJCV&gx8%0o11fox1E@Pr; zri_{xQlmHq#dYF*uHM?1u4*)y4eN6mms%HA!T9h-*r)+o;$N^B8H0K8-k1Ucivrh_ zfcZp=rJL*JTeL?U<+jV{fmXW#iQiB(SUtWtOV;L${%46r-;ZE?AXK5(d!J407%qO~ z)LwbWcTz+m`s1|jiB0vmG8bkt-SKpM)O9+2eSZFvXF z_QoSMjU!w}nY4urjMm=}xrR2-v6)|kaII2EL#@K;50Ndupfan~fGXI-+uELka9>Vf zfTe30+PajWrcgC&zc*088aLmR)eDdss1HrPu_4xl)(eQ-H0L^1E)ewEJ(XE3Va0#c zhZjYq^c=QpAxTn7Wxw=;>a%joRSUzYOegYr^1n#iaRlx$$Lbgqx01~> zD3FokT!xBGUtTA;AC-oA*U&#QJiPgUa+`qN4Lw2&&_#sbWKx#e1I}Yiwjkczgr_sp zCJD1V145?2*B}#_mhfQb#zGe*tvn;aX!7nXwNis&Z6?+bi2|IpML1TWCRvDac(gGq zzLCWA3-9X#z^Ta3O8?=7gk|6ZN=*>10;3RA3apZ%lCcD6@rBNx31C$v#0)Uu&fOMiW>uUW;0n+;TxpsG9h(s5G7%UA_NzEL z1<{Mnj?~ZA1Cj=Yp)pwG=@E~42{(YZzjpc$y+^y@mmM>=a0}{Tb^f|IhQs4Gvcl7o z2YLO=_w0vE=Ya&7tvM$T({4J}O$b7ODyU{cls4T8w5#TpNHclnXa$Uk@#GD4bctG< zH9y&lioZzE)tIAojf&ilgVGRUKF5laRFQlSrXr!pe{m&bu|a<6H__>oeH&@#6&Xj0 
z40OyEUO~sV$b)?{6|PG`bqTxylyDHR6aZJIUi@mLPG%9fEZLp)W9^+35Ke5 zxVP`U0zWCxc&&G-tvTDRi-Eb6?UmeWt&h{IvDl~JqDdMFbVqcj|CC(Ke%@5p%hAWh zisX+mnb^weC&_-bY?m|*)HY8-tx&(FK0-9LUL*Q#uCtP?q)V&7m=WE07)4+6gc(f+ zE~*NmfuPmHB!Xh|snUqSY4GwW|7Bp6exw<|6PrZl(2nBKC-IjSZA_7b?W)&K{6)zb zrbZc`Wlu%iG)Fjaqz!f-*U}=TDE9X!qRsxr$YQ?%i_uz4vIDMY^M^2?o{NC|z**zQ zRi}C!onS7Oo=8g&(6bmI1h(U=V zijsb?Y<%I-N@C|VlZB|(>bZ;~hgwgwwl>&XWQ;A$TekUgV!y+&^P!+GQJN6xZ+%6D zc>Jf5_rH1JC+WCih6wGXbZKQr%3hW%ea!@g@c=)qlaEoOM6c;qqY$r;%5(QRKKn&u z&lDNtzfYWdCu_QgkhBMr&4x40XUPi_Ai_nxEvH{zDC!(KS-K|$sL3!-thAl7sI!Mj zpp`G{?;0>=4TGHvF<@WUggcRx;G*NfGGbIhzDw(5|D`PQB`3loQ2seuF{z`pN&nbO z(yTVqJd5D2jqg)J~m5~OUk_FORQ2A`@YT-<(@u&`bb~~EVvdB084SawayTHGf zTvB-80V*V(MukIOZAGsPpbU59yIZCGDc~<*vHf88&nl4POgkk_bM$erl#>1yt1Nee zF790NnZ%Zi7l9Z1YEI+7fx5Y_iJGroysvuv>(6|~gC_vSnplZn`a_-V%hy)r!juP5 zUQ*wPzc+t?TF#8NMpE@&_Tat|2OT(BYA6#J9^{KWukX$Iv=5%vddnet7DOl+2VpSc zppA*$NASygdkrnoV?>~`8Qlz>;`D$d4?ATpo|T*TR{!b&%v!Ceu~?w8kz|~8LIXqv z22m)gNtGMQYM3>Y?G)AUq|8U$vlDA<-af9Eny86C%{S*;F=fNHn=FUZq$RaHx3|uk zs2+A#yc)TTb?u<}5g~QiGlW)?`+~+gRK9l+mW>9#u5^8Hi9EO%H`;xpCo`*f{HFrx zXxBYyf~T)J`(Eb2N7~(ELL8sp7eY%x^q#U#{~PF66qPjLKSo8~f>zYTZBrEN9C?q& zsQJjz_D76L9N(T$DG!|=muNIZ3kBl{wv5K5yun!2>cI37gT=qZAH&CtHIufFVGnFM7VH|{pTUQH?v zqoU7wI9-LtQE2Z{L<+rV#GjYwNE`&I#<{Pus83t_{1jVO5|spiY#pC~U{@*I$LdfN zeKB%MF%HYo-{;E^zQQ~3r8eDkpdM!be2&GBMKU+r5Bg)w{US!9W{u`fJIOJPor`Ib zOcj%oyRtEnCcWn1f>s^dM+T(7=f8joz;0yIlvXP?qh6Qs)FU@~h^z=%T_ z0Ja}V#h6`P9PeZ7N}SI(7f_T?V7VJ6K>a@h4uTu;<{?^{HBp~vAe7M45*80!Uwc-5 zzi1817>Txruh5l~aTm#}IxE*&gC?_Fh96;7F+4TLc3ii~l82L@mBGK@}>4X@(NkDp({t&)ASlIK7W4uwB&u6wY(RRfc z#Is9?L$!cb7V9lF_Rq@HG02(hv@PUc$y%)5?wRtLntvef&{30oK{ceyh6EE-UM9~B~iFFO>8<7kRU;< z#)qACmvwR7x9&L70&^+QiM(NoFp!oC{9kJWQOL{9FD@f$>+lqSqu32QAYF7 zNe%8+lgZkMU1g=%82()Cp8W6!O{TTk?$L8xzb;TrEh4aDVjU`Eq?t*ck}miPc_gc5 z{Y?eMf0zs=4AQsf|Jl6?Vh9muyjmkl8RrclYkfCOy}Z?j({K3~^^v{S!d%ELADOZ? 
zwZ^7j{%#(VQd0I@iPX5Yv$T@VKB((Ny%At%++QWGl+JBo)que7rE`nbLZA__6bwN9 zVKdA#()IoIP(_O_F18QUuL9eQm{GIBgcaL;pw1dW064@%I>tzTTD2R!Bh_NkE+45g zj!au1R$j4}5WkNAb(F_8QM>9aOFTPQp?4#I`0jd?{<1Y2=$6Vd?a~YxPBx(TWQt6L zP4oNC|JWizX6dYVm&^+zR4Pyw(BsfvR9> zVr;GBmVaGNph=*LMF;78$xrrXKH^ChwP5X99Ck#N~QOucUW3v`q z`?);B*oOi01t_NwwXN|Hmsw*CE*Z+Obkdg9e zu%e$vSXJOH<=~Qzf+`4^uCT5CaSxOKx(C_t22*3IiZFyidC5A@r$DL%1rpb+S@U9V zO9v~a`BD8$e|uwxwLV&_6SAAXvO8B4k!=1Su9tMgAu2-H5M^`3cT}Pf3FUWWT@p#f zFo9q5VPF*7RgPsbj(sIyNrF+hNE$y0l^(yZ`ugcO>Lf}#3PK>u4SkDjIVEY zvol|s?<2U-)}*d>S0*z2(QmhwJImaxP65tY+;f5yb_IkIgT;IuzNb^cCZfm4w=mR& z1-pkBS5aQem-G2+mZyf5^Om0hMjI0jxv zLW~3aGjntK{9aDWU%0AVW*4$Mf*{pQ_{#%1hwGtc zE)jyx+B5cZwDM5Ag*h-+0 zkW&^{$ta!&Z2}0Yf<=As2I@!d! z75zik3!4;9uUY0)Kc-gH=&-BHj#;MumRQcomI9w(lnan zidzhx&zfjp_?9!ZGBD!mBxxcO%7Jds-cn1Rb_wjySR?G-)4M@=8V_8fReVJ9<-<9f z^PJU5_Ehr$2ErYR9kmk$%$Zl$D`NJ61c>CeMXG~phSV;Frh?!t$j=N;7GDpDbSv^rcHf|coE(yqvJQ=+g$evN8w0v zk-j>+J4JFx>clECy$Awg45Wt@jyze0D#p%m*#pmES&z7^VJ_9Fg7JNGe5eoW>8==| z1RhE)-m_LSQOBVYMlSj6*vch|5A0$qwM4cvyN(|()>_GeYu#p@)pBBMcLKI@5(!MN zO@gE+a_SSuMyl9BnYy72mRgtRRQZRi-S<>q>)Ud-qGlT)rN?@x~I#LTC_a?)N z*qb;kIh%-5JCz;d$LF_K&+n0(41VSO>8lRE&ITxom~YqE+Ls{>Y4&6XS9QHzmS67C z=I(|ODKA{{yaluF~oC;A8(fV)fZ+((@L@Y-tWyaUbCHN zMB|Xtu%e3b=f=0fnRL2Vt7rpqA&Pb^MDrZx)}FP}LqC}dE!aC;5xBq;rF^*((6?5sNsU-m30n^ayN}N; zkLdwOOUA3Ca1If0uJrbZxs? 
zfR;qDcN1ANI$`0T-oS-B##$-3?7*K7@+xStAq23xEdGS={D-wp$YjX$!o6-?M_lG) z*pZJ#4K3e)4Oy^zqCESM&$f7(6=(mFp9ZUN>?d%uh)@?!rh^t5oS`jr#@+4u#o2J)*BO zf39aH&0x!Wnw-~(kY;ViiqLp2TY?^*WLN-QI^wZzM*=bjO6P|_Rwi<@w%4| zRUNr_%0(bNR4T{hW6&D2{S=NAB7PtD#Vo|LUY_}+mb>KFHnkGZI+V|WhV~XLX#qoW zOkI9>p0X=ZK4G(s)H$98((lYIMuEy|zREjgNTxgCaZfJ_&TLE4$I#V?I85D$t9txJ z>W{kK*mqFiWX^|G$y+TdkW|Y1i$Y=#7sC_1fzI!>e4Obfne(5R#a;GySxT!8o?z$A zByX%oYYi}4nQGVpUUB1> zze~y`Q>y#N-}afS9vpF0VmjbK%@(bV&~yT_4Z2Q^0G@rfA`s~{C^DE_h>d6Tl#r^~b)Kcem-qc}f1yShGnMEq`?S z_Y9O~3rKQhvA1}gE88owLm&E|kP1HvV_OJD+%ERy5(A!Q_%+&$iSk}13c$k3X-n^o zu`}NZC!d>e)qAKS2e4tc%U;k)T~dJMMHt>*l0W#LHok&gG)FP%AX#gC{Dp zTBaZjUs~%#+A@W#(d(}@XFuKDY+tQzP<~fPf9i8j_5W_>kytp8)&nNH**^Fn3&yi} z63)>RYlAH{Q|n5+|2aK3=@Wt*ERSmdjLo-4a5+a_(Eac$J?f9F-i@CP>u&V%WqwM@ zgWW1_e0VC!15SVJpAt}2NX>u$it5#KvuBl)miZ-z6x<#2xb`5D!#CAr=u&n;yr)ry zRb>0@z$MjJI&a{7l^>qU+|J!|eO@a0<~wb!`Y~~qMlRiR+~%Z}ZHYHFPOH}rLL8!gG|yd~cqo4csVI3*!Gk*%JnXISu^0@>nD$XodNJh?@y1UTsW;I)LMTINVJl z-dO?08}qa>EPsyc$+9P2il5lJa+S|PMkSf@YE*1(kgu-m>8j}^j;Lth!1gSf!f>8M zxt0cCEBZK1tf$Xh>FTeKD-thK?26|*$P(YNZ46$b?k2nKXT4{ZO>GL{`LVfkj^|fL zMQp}|69dPUy}8?kDw!f6DRR0V$)}v5I1E6~mOPT!R&p^fx`yVF?FYWYEN?|;VXw6O-M8H1+dF{gK zOs*Wn1&1hU@m)m5*vLADL})o#o+8puNg6u5>odj>v*Ce+J|}i%V&GEER(uP| zRzSklLN6T|0MysEy`2lWq=+^1`23v8#8&S))NgXTM60>03vei!d7lly#@+KNC`PcZ zVx;xjV*yhNVXqKx-O-qS!Qg6lEtcZ-*O{bnb(%W#KRRuzzvS?Ea(P;N_wP|)M|O-} z1(&>kQiz6%=F}m2{d%_!dZ&|wtahxW!u!{f!6lKUvi-pGxMyo;Ot|HMtQM5=@x?+` zG<3`;qlCMNl22_6_b016Jx6RS@9U-T*9VQ#dY$kud1d9hzw7b76k4V~z(g+hV1SnNAitSQ$R*9EpvGh1KN@G7jFVdLh+6FB31F@ zn)_q|{eoeb^oYyVD@JQk-)Hge@OfR+fbXG7XED3Mo9*d7CIx|&P=FKM9`|{%1FD$l zMBJ;PQ^mE>KTOT~zj5apGXdOURbZ3{tQGaE?!5IU7Hujla+c25To{nQU71E_M{#t| zr8-I|GXD)2yW~P(^e8qRT{o1?fQ-_1s0Q;>Q@5 zlYV!&E?&Y8p%HY<+UyL85HtBoJms&JSx+`^?KZ(xbdq_pcIPYC^m-Z=$ToVXU^#;; zE9u;r2L6;9GAwD+pl6JO5SmOY)5umiDs%kd2?A)$ZT|tu^u_X=Yk2Nxl(&nSHLmd% zr>kRGdlCzwCa|0@d$)L)_NCGv*OM^0?>Gh3gT31C*Xc)BGP07kh{wwkJEn!~=h_&= z=8wG560J*?GTrl5jEB%lhT#!zeH)^o4Bx-*XbEZr-~YE3pp%J^5xX^0a_zdVjwI*W 
zU}ouca$Z+xVia_ruH@`zAT3M z!%DYRMv;=SMFaT2H8B%`d|w?-_GR0bP6huDb8j6KSJV9uq5*;h3-0djF2N;8aM$4O zG6^KOyAvFOyF0;QaCdjN0S0!SJn#G4-THn1*xIVC+FLVq@67G#>8?Ka^f{kn+l1&y zi}xSkkq%(8rHJoLMo4d*nU>=*)M=;AEJ>3MYU}d4+yx2j?)CN;^a9?jOBaXec5OgI zjN(6FhCr7tG1MIUpj9k8Jv|Ug$>>zc6KwQZBo|<&Wc1$D6hTl^5r1UZ2^L=D5jv-K zo?+B$_lAs|XXg~Y#mVg0IkLrsM=0iyWe0axJSF)ecfvJ3iT6%S6Wluj9(d$EU=^I~ z_~M#*0ji<7W@0hv__}(Gbf2=|w1K$jttRH4#=H?@TrrX$Z&1u`?W7Rc^|WLCjrmc_ zYl*WKj-HQ?Z+ml7Rzsrzq-`z*M?#X#GpB_;BOrA{&@~&!?wiE#9mOIZQjqM*6JN?* z^pC2cxR)dH)lyS4<(FjbwU~`zLYf*YI|F~8?eXEKB3lk6AR=D9bRF@SEk}d2#=Yje zxvsv7neq!|+Cts3#D4*uKZKu`4$P_4RW#~G}AbA7`D zn@9-kuY;}+;ba`Y?Dw&7Urv@dS4<|M;W)VTzlj7hO$g^?+f!YO<2BubyIX0;K?S}R zL=aQ7sC9vJ%6+1{DkVR5zBBNZYm628eT;I}rbFRF2_b2B>9e$0(dP(Y8vl!M`2P3Z zX4!2w4u&uLV77c>*X^dUDl2FBZ6MLM;uP9#i5{ZwQdoRNn=0!$n~Y=ovYf@~NS9=i zZwS8yhV`hofpapI`4b7G;XG zgM6rnMMoqv0(qIWUX;~;-61r;1G%h0nNP8nKkESRZhEjC^J`ASpCeBZoKcgY>E-6$=XgHI+J#h99LOn)WUqIw~v5HXIv? zN?lWhO$oI@1s|XD5Ov?IR-PlJ2EJn=_OGOoq~blESI#5uxQxrTHY*U7PhdZyE389} zL7JAhH78w=HqCke3+_}shLX3Sy*DW9{|YNW$e&UFy*6fOJ^rIX{EjdxK87?vmD zB9N?-Cy?L)8lUY1E9zep>ZK?br}?EZs;J%i?*fPQbbDdI>hoCy&7J-{D+wD1Ctuo@ zUS` zi#Q%8o+%D5J9X>JPJyyIPY|;rh4C!@xChj$bjviD&PZ#Mp0Ut6W`|vvzc&m0l%_61>cX(M z)*x!hwv8S^Ghh6g@AL+=zJ2Dr1KUWWHPTt3SnL!FtF1Gcd2P&MAwl|x2pGaXVna`Q zdr-mJFNk*w0*mx5T_l`8hT*&M$6W*ZSvn7sfB%q}1sOg1?6Tr3x}LT*5^+ZOBAZhqzmIu+Osq`i>6Z1Hv?)TUP}b9M0Ujbif$=}0;-wdrkgw)&8-eO* zg8FqbXArKx3ad%)v-;Xlr;}7 z$+}7pu%PHh5IbH57tRhr;~prZ?0e)e@=j zKd}pE-IAOQFN3z0X1zKKx-2iIib~gz2j5U*d!mp0O~-+0CZ)CxRCCE4GQQjA=gQ{h zyT}j4+;(RXP$CP*GgNO%`-%{<+FjW1PPhvIUAca%U4-xYL^C|&fQ+OnB%*R`cGr5XvQx6)8nDbb5}u@h&*=km0$7^Z8AMOJJDUX% z8NY{v`7TEG;f0sY#cIW=)y{Xx1u;85(}bZ$%ov$s$nR%pWccQ&bxwyJ`@by_A*anW zj3o;rSj_Dl|ENg-YOd|M)M2`yca|H@-@EP-5QGf+jSAz>|9tQ7KmOBFjLgg7pRs@V z_XFevM8z=w&yfCh)k0o7`WjO5IhR8cA*P=(2bWx{iVe{7ASIQ~W9N7iASiM?iyAc$ zjTJDc-F`cWvXWCWM-Yti^rO|CAT~2|Z2pXJsm&1=3If+flJIA9Sd3g9PDy@bO#|*R zrWiIymo6?X&HM^5({23vXJEX`>0Un;q@VGyGE?Jkb$WWrAFz!$3NZX3f_uy`$|3A~ 
zo3AtT@#`!Bj7rXK@h8z=a}fDJg!j-!ZiR;!pUa7lSkxxT*8NNAtQ)9Aa6G+n_de@$ z5kQz<61(IuF^mo!jB<%4ZQt?7HPUjc%d3)_oG3%r*7wf`LcZ4WnVY~{{9k!%2 zN|5So$XejrjFQFo3Vz9S+D&5K6k~kad}Yx!B3|1tz;S<^ni~w z396+UtQs;3npKNp9RjFy8qJ7gX)(C0_cUv5_ogGWS12UQ8ESwgY()dplEGN=! z8Uh?9xp~(!{-p}@7(|XY%0xOie%901>jW7ankj6(ZoDS zv4%Iii^$@8ZqDt_iH;E_BqP?o*WEEUKmMlUG&gxREW*R4L0^HS!wjU}~Qbpz9)@^`51hF_1BOl~4Qyeu=l$RUqTAkzo&eE?k409t;}*MOYXBDwr2r#Ept z1oU%@D;35iNX{0ds~RHVdt9idiyxRCZ`q~gS;W%$*Y&9RB#>W0USwjNGGX6vbT9OVgbewW$X&)F+(U&>}7HSFX6DENO)tUqwcsLaj=4P7MVpk~Zp zUwu2Lqq{wtBOUT@?Noj!S|G%sZe=!?wq<2Z*vz4fM|NyFl*sB$6KXAypLU;MMJdax zDdle)p#)jmnPu8x>t5URX^j?74uNzU5{I-ZgzbM@)T<}gE~XUh9sVg_dPLCEWId>B z+~Z6fEoFhQk4s0&z_B+(fvk^7Pe%e&Iy_)UHoOwexs0bf0(RriDy?pgGPRmADHFn+ zjk$AqYQpXmxsE2MvyA0OAVZ7U56#I5NMUU!Obxo7W6VBvO_|_t|7PT*}o@e9b z7oGB)4ID|Uzigj9NHK_9(#jSB>zGmq-I6Tu-x6q>-HwF9!jN8CU6GR*wMIX)@E$%1 ztYsM5Y7~Ce;Cye?MN7Ao65v6FJJNKh*g>H=zblU!zvYO={Fc2@W%;5!6e^rVpt)Ui zLB9>jdxa$0!zyyZZ)W=wrDRB}5HfeKIL)9j^SIbp`j>S&AD@?)Qc{2zP_8S_K{OeS z`U}r2E@aVDLWWqLNw?%4&4ieXLcM+VDapyd7Zga@XjFv(x{*kP+R?jTVcU+D3u!ZW z-r_5xXm@XJYrpnIobXD>Dk_qRkZ1d48}7%!1N}gu^{Jirzb~m?*b5bs*t;HX>shQE zCUJgg*K9}P-{Et1rj6|k#*`-yqqa8MuRy1?vvAo@ulm{D1aG81f>OD@Lt5WK@^sGL zR+7xDb_oOSZ%z8!CHonU%vH6_7US8mTS=6zesi=9sL-_9I7_@{ z_E%8B_rC6Sx5OOjw~!G!ta1*gDB~`bk&wm^4YchEv5D{xo)^~Xkm^TIDFlB2+XFP; zoy28kuv^Rd2GS~Ss#c9_?h21!!Oy}IPI*2;r6*nWKeBzZkJzu_`FfJ4A*6RumhAM_yTv~NcS)#R{I;Pb^%-@st%D;HPEMk)lEhbgivheyVS z*_@>pUH5o#OH8|5-D5h$sCxwSWT(xfQ##Tl z|DRZcp&h_yXXQe>%7c}6m%k^oNGt-i8$g-#-Ef(|xpQZeBr{cDKC2hq;JS^ru)kYJgPDPQJ1(3HI zlIo@?4tNHrbS@JPfIAZK*m$YC$Hrp4Seh$b8= z_Ys=w@6Jl6>`~?%$4$ikaTmfH73}j>RRy4R-6(tcrbxjrYL&>fguG_@7>`LA;tYMV z<~+ud&wdUTUlZhT$Vi?yd-|+8rU_voJY>?4ts4*JU1!cScVBR{$>QXcK5ENYJE#tt z?{-0aolZBC6!#@EOS*5#wHV~RX9}g;v5Ce;J;^Ktve+B*8-^hULEhMN(xy+GswKVe&jzTn8-QAW}4-=WL(y59eHfBD!p z!u8t=dE;&=#^FC!NrB1_PFLhgT)vm63SvN=z)E_zk%RC8q5Wzg9@>vJN}ca|;s=P1 zy0Ly7Le(zNX8qP^2&5p1i0B=8E#L@yP3_>$@-6$X}r~ zs7rV32e1A-Hz$~X`^P8=7k+ 
zOv2|~F_zVf(Tr@4)#^MkA04PjPb5BP!r;6dne^z(Ec8=$pWO^PJow8NSekTsnvQJbOif|zm$^B+ zfKjc6oqpd{q|t_)gqn`hGcJ_gs3(HUa;#g+nRiQX(Hu7(BfcQq;(_0i5gn- z_A!x?w%hTpwy-CxhYRi`cHMlflp#7g(a8OvmE=aE8OQI`4!*R?NPY&5NIYyL`UGz? zeDmRN&_UwTwV|FCavW7aptjNIQiD-#i!Ey~@F+xY7yrIeZ!8&cGV5kGuT6Ef_v;$D)$>M$XxoW}2rM48MbNB<>AnX3;4GH_{sm6csnI|IEmSEAD8Y9?|S z0GEm+c#v{6qaSi8R%!EjP`^ zQA6qtEIoUFf7|9cg=8v5tP`^#eoQLz>UhD~aE{Iy!rn0X1uHQLE##Z#yHR>(Bd|RDrm=M)(YJv)bcJLuTO`}4a!uh2y%jm5LRL? zzvcQcaru1M`Ja0m8?6rl6-e-P3dv)9<&N8TlmZ&wC&AJEpE&pZacpMkdWUEs48Zg_ z(16c_Kne>Tslacx;zGLn>LfMAiNL{yV^XZcgPG2THLiH54JD21hd^bTfh76sswzv; zORQl7vKedXRmmeccqN%uC0Qa(+L3ro$m#R2?7aE#XX<2Rt4j4E5JI9`Vm0GxVDc9V ze!wev_}r7jEa^4ujtE^)T>&)cB$k@*P->b2EbPVPeC~foD14Wm z_2m10VLytfAal8&W~Xe|H#XO%ee=b3n`hkgxneAzje46*6zqf@b1qsNaD%pg$NVQq zp=nrPmB(rD0t%p&)qf4t-E{bpjH0!@1x>2CQ3Xt4d^HA_-yeET>@0kSRSRIeOJcic z(v?qr&&Pdu}#H_W04?rqvG!2S&rRR^IDXxrNf-~S8=mPooP`p<1N8x06uvL}8 z`tDb52IBpJ%$$epFLqP8?&0AulTh2Y`EAQ-3c@B3)QyHZ=4&h9<$MeGhHvbMrJpt-p#)_E0Ua^}Q9-W?wL)h8 zg9D1G>Iq!~V_UN~gx@|Q!nMQ#2xP*@I0+5YSl#~lmtC7zb@8H2(cm8=>scIU#cT{4 z@1$9UKB?U&!NK&{j)_L)_q*x*9S>aKYUHl+O;}l~+B1(W4}3Tj1TT0w2|ca-`(#2o z$EOYi&#ctES&Tx|AVb1_*?;N!-`m-Q|6TCEC_|5{>JP-{w&&j#I zThF(+(d~C283!Jy-_s^!(r*M1<%lk3`PR7rAtLJA6b%h!=yeNie4t z&}&V5FqMVmyYTCOsHdT!5Kbqhek8 zMt;q&HZ!FaITpq53WUYGcOWmgwcjn3tJ*^Ksy2l(XuI1Fu}#8%a>ml1!L9$FyqL8L z8Lf<>M0NywDr;`fm*dz8^S@pWlN}2P1MXZScLxNqv^eX0-NUizBHIjp$G?-9zt5iu zxtJo~yXds32-St4VWz`qUae zw=Jr8T=LEj4tPebKK8G?GNfNsF&(SlJ|j~9*6igssLo?i4GO>NJQc-?UdQX(gAMW0 z?tEu49c8U>OeNvLY7UO`rDF8S&O{@dt>F8VIn6`Y=9}Bv8bmyJ9#>9v(|z$Fg-%R- zLF<<-y>q7SEjyStpl^cl>PXs{+4-0Ji6zymBkKYxrZR}ws~y1kEP?eIWh+yVKvtu( zcUPfGt>_hMxPtEIo&u5R9b%S9X5FANmR2(#Xr{rWOtd@ty}c;K#jE4v(WXTFus!iH&y^=y1x+#ur)SbOp!@5fFRb{-IH8IfW{*Hw}hz% zwl1!xK2>N#s0@{s=k)+QRt6>(em-SbO;w;R36h%%G6NDh(W`KSx0O7Xy~I^Uu?}$x zPcys7A~41^yR*r+j)K~ZwfZ3LEWx4)7*?cqlo>T*&|FkB(|l@IPRk;#;<2Xh;;5MM zn|JYf)E^t$^aYo5P4uo@@zrJTGlJu`@)Le}+7oQzr2@oLOEPHrXY+?&#irojvRax> ztXVpCcL**R49PRGc=Ivvwq=`zU42(~8#RxBK>JUr|Mdm%9O4Vp`d?J--44^I)Dn~V 
zE)}Rdh^dpTiXHI_;sbA7fMWB zJaUV-96EWYhcqlcmO2AKC7#A>%z8&`UFQR83+b#=rFSs`c}WFR}l+xkl9 z2?=NB0M2`2!8>60#pg|bPzwvg{1y4fMq~iFd$uVR0|kMVr>7!Vy?1JjSV-#5 z=Yr7?pKb~&Zsnfe{C(Z*aOe-cHIG^E=8T}GX=(R(vrj&L^P~qGMK!w`6G4{lN4gpT z*SNl{LgHmnyCdu1RTlM-@S~5z%g5-EaZ*xkTU(YUfKNRoFIK(Y-^F5WRaNs=BrNOi zpFByosc_dFrhW>fjc-Cc6i+gZ@HGGErY2(i?*JB^e=TfA-2Xzblr3t&@k@)RM%zX+ z2i~Sy;WVT?`2|^bGjFRKKtf*#GY`HV( z_7jNWI=YIzDTi>$Jq>9bdWAok-30SkdYT8k0RIv%JXd$F-I(7rUSOqLK zhg3lHtZSJs98@fcnHg-(uZRp*rUzQdDYr|*?ELK)9kTuDV}S2=3z{OHkwQYA>8Xtu zGxeAF_cER0qeT|Y&Zf{;?`2sEuL3x~yB=KRq6+`HKdZTtG%2)~L3UL87NTFS4 zEme=`{lg74_YJt`Xbp544LkP?82lm5%rEMWtKw83-{pvJc*_=145U3YWb%O*>uovz zAidz-pI1Z7@3@gTWu%<95cSH$4~VU5Blh!w9{w4;^KqK)vfh3)h>Dj0?J4pd#tq)g zGu7446;9_TxK_iX(dmfRS&3#Z-rP%&y?($RrYt0;!EnUt0Dox8|Kblt;Fx|Oxf`-b zSG3t~xjjm?!lq+a4rr?z7Q1`vOc~|EB?o_J-bvCo7*+Ij_%K&tiA$H}X+S)AOjI7? zCZ%WJief9V*^l&cb%{8-k89=CMQw-YC^OyXda82?JGg^Qr4r$C6?M2?$N^6`+HUl& zNY-q(r}8RN7dO+n^_=mC0jROwjejJtyWSV@yUZ=W%2WK5(I2>cUn;Z1_hNvqxu~`-$SzNNo4T*fl;1#mGP=2`};C4CmWo)gSP=@=0zNP^ z$-tgx8gJqInDhN&mjI)ps70Bi9xP|QxsW~fERcsZBwIEfkQCj(n$H1WIKR{6_PUM= zhHv(lN!o|#N?GsBiT^3)$NJtkdG+|_s=(&-NH}Y!HL;^0#3SFsBu&POXKSY}Y7MonTIDZD;R9m5*Z`ZN}W0A@G7?E&!h-i8;1K46{Wp8h<%$iT14fof_qIyd3;?JpJ{ zQG`8>p|x&!+}|hWI%HeDL%RzEum$)thkZ%({8R)dcW;>M!!{%(Ko2E{as7AxqF1A5 z>9=P~k@094nHyKcbxj6ThBfOs_jJUd`_YL+m+Jf%718*&6IDB&+iir1*W0_|3=FkCwA1Qq~A|BF5^0yIHrNJ;neq^TXQ^sULZUgM8TT@`Fw9Wbu&=2H@rS(mCM(?rgArK0Y1_9jyPBF2}2C-?H(mW{7AGhoZ*^JhL?@ED`ci3JW0 z=mgDTwOcc>*0+DD8-Y*$q4v=ap1djbXUxMJ9?uCGd$?5Rd|jH6HM->fYM#!BzvC6W z@Nr<&p`ahs_=uOOA6|Fkr<+B5q6pK%HP(fk3F!$yFvQpwfp<}Dp}$Z+m6V8C73 zQdSp1WA_hvYlq^yqFm9PMnZXC4=zBKVvNd4%M;fa`Js;<(0`il&DZIPe`AszxKr9( zz==Rg*1+`ju zs+FF|vn9t4E3@VD&`%+j>8PrryWFc>q|-2_}^Fx)eiHb3; z(Mr)h?aC4tH=_CQ=DVOn7qwiMuBFH`gPghz(qdT}e`m9gX%}asnzL+KrhH^2FmUsOa6%$|R(`s3xd|r@noPEzLdkz1VTH`*@HrU0Q%Xa8aKwzV29i zzKmM%Hw-9;KbKtpO{8BRlHdlo@=2lv@5ODDZ#Z8Bb@fHZcP8r@5{#0C^8x?LHD ztxAqeU!ApUGCk`ub_&}WBYJ^H5BD$|>Bnft5=xW&cB&cd*F?iv8)MP+(09>})zP6) 
zOY_K({+^ruVKT>vWGL}0X~}*1j(?5N?Pa3zIcis*H38^{=xFgf#hvP59|d1GNHF5* zW>4p5_*&OC=MuKLS7J-h0z8d7H4YNE{2WOx@lmf(&^ByzFVILE93Nfb+`v)g~pi6bm*~X5sb@S&f5>ak z2=z1KoK@#XV6F|ajquVR%Ps^e+KoQX2j`MgB~_en-#0~@FmCz6`k%k+H(z{Dv7&ij zkU~uui7~izci?WCkl*Zg&maJNX_hmdJz^8^QtcnbU(4Ef^q8dzQ0cPzD8_R?XRtcB zPB`^-r?T#0!E7kWR*gxC;T`v02G@5=!p9qBnB_|`4`OeL!ea}?D`x@!0vOb<*Ynhk zj_)^XG-dih?sjdT1A`lo)8-2aE-;;TnN;H4@OF8xD)+y=-B;*`D^lI>2Sf*(^H>at zmAsKx4%&ouoeidSVYPUDW#!$859=Tq+M`ox7uvPE8~?gtb*KWQ!1ZzSL3MzS*vyUI z96O$h)cz=z7v;}xzwe8rrJ{1}CE((?hUfzjO1BTY;3)EBCSr2}zfiyD0f*{>Zeoj# zg|Mx(gWH&2azvDll%g0`Y$iN%B^EF|F93b?SLzV&S$?*C@=@|Hs;Je~_K{ z$DPbRhjV#dlmk4rV&N*x$fxmpbj8!NW^WfZKAyy7pB2!H5<7RGfO7;4Tfr&OnSvfJ zCE!+gx8uok7Ee!a#C(h`(s$7o7{*QI`nLG~<5{y*o~~KL8i0^Jp8g-tA90p_35nDH zdnk;Iuh93Yl3z1N%4uetkQ3njlaS4?{Mus!A>zpQt`v zoHM&Egp=C#E2EPeq7MS_rEX+P)Q~HY8JD`*>}BZWI+Ed@3SJQ2leNB$t{e zW~0XQPbf?*M-=8wtQd&_d}vxw{>S(cU^{EkHP;QeIdSZPgP|e3 zSv_MhfSrhVi)h_F5nV>Ju=$v(r!xXndTWJ}*@g2gQ_Oe$Ae^_I&z#IDx9hkX9j^6e zd}MZ_dn5rd^i1Pk1O|Nl{hP1hH29N0f;@mP={v}S(`=X@Q!OJFS-q-~_%*^I14efk zUTYAMBt#FX8_x{iezTil){r+Oy3xpQ81Ma^Vgv;=gEO zbN)o#D1d^#tu*a2v&=G!15o}{#K4FXt#&=r1D(J->BP{S>ORTijK2d=zOk&nGzAoh zzInbn%J6WtrwyY&z7-kZlMCZb%}|lo3HQC5H3e&hTp52@uEE7PDM~`CerIf%kaa*d zYx13vq`O5w;7MvT|Co@G(6^5N;Pi$YQmU_I z^TA^pA)Fpnz~$ zQ0+3(QJx8dM}F&nsg$<>DaL}PN66{)nTv75(0RH+U;N5LvmD)QtXq8Xw9Jb&_cX8p zbM3%!b-|ssN=P80|NY!ma(c(%h)TP*W}UU=&IoERhK9ArC05m5Y?kW}?*zv^aDokV z#huCokh(^uZsjJpbdQ=ZdM-p(+q0^)vQpc$k9s7ltxnp%FP{>avpU=X%FC{0HC8l9uw& z(9jnfX=4PR*^S=m3R)nCew6={fYTzgcDcx+B;jO>if^8sX8Ai~k^`?A^ym)=Jfk{A zNo;{%eb>hOEBuoHubw2(l#cnHsnF7J2CYAm(EeZD=8vI}x!(y5&3K~aH4=xra1JwzU}&iL04E+_VMLhUIe*H;+W5s+ zNi-i7uT;jbO@Dz?w{tM}1C>Z+qxHLXIT`_Kdlb8U=9lc4v};ZUEIoD`MZsP_JHDMN z3okzy(MlnoV|0TD==n<4f}6|Ses~auKHx(~dU94fD?78m%wc_w+}wm)XVEj?pz{ZU z<58VKYyP#nTfNb}jbKq>5S5wU4`cU(tr7Zuvj)@5Bi(YgYjBqe0Z0U}6JuA&8(2e} zcUiZP_q<8+XlDTYehr-HUeJk&HY3>$))l?llh^WAvJ+d$y=B(v4fKY2W6?WRHoto^6);+gpkvhT zTb?TF2?H*4#3Ypo-4bv{(x4Fr1BiX1+R{i=t-OuK_2;XW<+DVO*E_4-x<6T>-u 
z{BOQ}M_o5v+g=v$n<|X;vc&c0=sv&-x-ZvLjKEmE1VCFpz1J+b+dYn!E7v{{DCAjF zG#LMFW{>Y;K?#FON+Gb?D+wT$jhZ=q@Z&VKnFIHsso-Ppk_mGc>OLdJL{jkbt|(Ar zVqlamx2)E=sbFHnA?LR8%X6nu{5`h0-~T_pvbqZ)_S2G*Vxd29>6#LjgIxVMUUS6e z0OnQy`p^b$Qd(uCpm1S1^#Hs_eh+NTK9_@h?94h5K2n?z_;c~r+P+Ez6BLN_{{6dv zHS;#e0IaOkv_H!lI!x#+%>L8iM3rk7ZC04XKL60@cxl;S6nLlI**_gRu7E7ok_8jC|O24YVu_%Lv8QqWncR&aTG%m`roJ<;r?wAw?SLAU~b6%m5q5@ z54PHUg@)h{H?;9}87s`?LL1E#U8P*%-SKScXyDJA4g>7}cH6F-p!1O^B3xcDOcN#J z)2E-_`M}VVmfw1e$H54j9>nH@zrDv&uW;I2etYxG zTPk|Fb5K%hUT;Ue8OwEgjxhZ*MHhA|DjE~KcO)^zeoHlp8fw$i>`E6j&{aRiq@9&Q zV;prvhEz;UtaB8LXNGeen&F?r(&eFwDSs?3wkkef8tAiVfm$J}x^rMaEkFJ^NE68MVB()HH0Iw$gDr&MsUodKS+9I2w!2nbGTAUn-P zNcF9TV`{($tzy$~Ee;EMu8yznx^`^ZaS^|f0MTR2?*P)*voQy}N%-RSEqg{P&hEsd z@8dmd-ObRT8`5X?N7}6C@_61}p7rd8-#Y$SVqoy&&ToD=_14+-p6EO;{3CB1OA2ZM zb+sY1QCvT3scnl`q^+FwoZY{Q78xR?;T-g=w%V(EyDo}!AQ(T?CAb|zA%C2J-3%9( z46QIofqctmb*?yHVWgy?feo4P3|%Es)OPx1Z-k0(zIF-|C08I@L`H$5;bu-9nhW`P z+3=aKsBRa4WFD&nTXS{&SS!++R!(;k=IBld~W?Dv>mM z_q$ed{Qf(pEw`>`?(+-&NF*)4aev&y4jc%Jf_Oim2R|U2-dQ2b(zPxYmJUgnry!x! 
z0Y($4<-TkHB8>^|x-j2xa%w1Ab|r8>OT7**+09?4kJTDmH|SPtGo=>kSRjHc+67uq zceRYlxp3sN7F(g1wE56eMt_d(F`#Eyj9V!f+!2uX)EZz#>@bk1)n%zQU~juaKs$tY@%M z>M_So+tuG_nZx?_c=vXQ^sm`-{O+hliRh@<&Mggd_>+*L?2T=EDjZo&myMQ_MZzw_ za{E$4yk4Vp#xn0vbGjZr#zdaT*P~W9SZ&Y#eDU>SW_p|kt$RZ%E@i*dBpi3lo=9=+ z-2Yx_VIRaiO9CQr-4EzY}4xpO5%@xn!`H{7_TD_3JkdwXHrM}PceBs`-#R~T0F zDJiLM@9s>)%8Wu%ONOp3*j3~D=c*)wd}<7ZleHxGkFY-)s>KihBXYH3sMy#JiRQTw zQPKOLj!^=lJw=|Gd6PpA&5R>6fRAB)NMR^Yl7j7>pL#Vdh1H@7;9iMWGOg8I1wC$;xb-#u_A}_+|r(f1nZd^~35>l@JKf7uIxUdX=feBupfA z((`cBPb}=Dd1c#!i6P@3@}1V3wylmK$96cHx5Z+2FVgE)VOp_UE#dpaTgbDt8wHas z)~Kc(Id3g;{_8zvf{%3aD;_(MTkDyTVtYG0c}ts469{p_(CiSy0CZyFD3Co!+Lka% zxWw1&K~KmjVJ&!yLDJPC{AJe%1LKN;uqMkFqjg7bzUYhBvO`qC+AopWJ7zM<9SR;v zZlWJQu@lmq_s=QLcm0V_?WGK!@gY`JkipGzwYKFx5oBfkm(3S1rAvqc?@NH`r*sRcEj8$qL#kuvY@h; z->}x)2G$aw8$>MU~K>dL*N-7 z608E#TEgJ#rjZW$5*x`&?H+9ejA$~9;SyTT{a@QC6ATy^TniSv2@=2UbRc|PDdlVs z1;;iRO_1^0L8b6Exq8hN``w#~80YWnZ16KW+pl2B(`>ZgsjM$*!*q%!TyLJ$d(Ib< zdyM?o7a%{`g1$1r<~*v~7zUb?wJrRWkEUqQ;FV;Nm2lMEo*3KC=jU@y>ZmI3<2>nL z9WbVN^p4W{{wCuT@oaRG1OrcJ<0j`h+oWZ*ACYv3@(oOw^)iA+Abw#hGu=&_MGagV zR$w$p6^X)o=(UYJ5{`GsDc@O9ysL)n42~~^Gc+s-Q8NjQv)E5+WhY;_6jsJwCv^*~ zvY*^$mW>es=lcp0;)o3tM5%HcH-7?^3ehFNHj_m_F#)c~enY=Vr3lNLomZht$3H_? 
z)dKE&;>5M|t zAuPV^CT_Z^Lf^05|CN!-6NLZPozZ>;WamQSll+pICb_+zg*{I))=}lxbGj6fdNT#< zb_*W?_+Yhsd%8*_r&tjCxfN`UY4+4uEPiPy;_pZCAS@7dHfKZNkZ)Kv|HCP>Levjf zgY_(s{fN48;bInM_sK63UazBw>-Kx*-A3KOmnV2m$nFct)YTBc++3bUx@&JSBM!*R zGYv%>KM<3kDKerYSP(9>uLuqGiZjY8npNIVl2~UQg&{yO78_slYb*UG#u;?0{?3mR z5e@Z^jd`7G&vX0pI@7((U6HylX}7dp)0SIx<!oF_A_mur(WRx3lda$iVQ{jO* z8wYa>>t+>GafZwi3VOg)YV0;J5}!fJ2aLFzU2S;+nFRIWp(hLJm`EmE$aRN+42>7P z`T0^?#6N;KM3#m+y`SbGV@Zi9CG8x|?r3weu-Y1#Fa@p~C<^m37jn?=h6(mJb>D9+rFk(9E^_F0r2u0dB~6 z_5udo3?B!j&iyxuc|JKi@8?G;&BX;Y6eTS!on<|$FOG7m8 zZx|mGyLBozyMKwHydQG;lA8C&EiUP7fQyJPi1`r?Zqv+bXku*FEo~mr4bzU3Ezs8$ zNH~*rJ>gc=&KZU9^vRg~+b=N)aujznD4|h-=YmG9I*&K!RKI7fLcCW}{sdGTgEBMd`w%vFGk#F#T*<<9jDMyZ~cu#Uqory3X)voO~s- zo(uzT)~J=#PUfUr8FG-gZ;px`cmYp}eEW3jpOMZZV=sfQZ^u$?vrKbneaVvejwZr0 zU}!%K8nNeC@QjA)z?%N!@0%WewAKH%;LHbY3;0Cyl5gP5k?&KP0pgRbxue);{PHdM zb?^7P$hjI`xW1*R z{G1z7=;~nsqr^b6wlLKd2XDre$Ukkn<#+P;kPsGb^oi`oU&qWL9T;;Vfc-Sj@Lk{Z zWgZ<`Yq0I4*6{p>&V}v9a-8AA6J)(Bx{~wOVxQJx43Xt8CnM7Vs^XHYNv=^ka-C%s zd9tf=a+%k-J>cmD)WOwVtrxEL~4GpA(*mn~r9?lfB(;es3(;HwL!>(wyJu9?X^B%@`|+Fv6RsJH=^pu`$R}ON;A~1l z=H-zDlZdIZJy65JDdk0lZhvw)(|1!GCR!=P`b}2$x5!A6ZW-Cng6ZsKBTukhVOv`< zwpqsIBWJ)<|4kA%$}?gj*p^M-j>jZe8E+AM;4;{Bu;^6?Xct%;-`wm!%iE67t4mlZ zz`%j|Y?hKJswr-EMjVOXM$0`d4_Alf`5(bf7nyk4zyef|xt?7`dhY5o47<=vi<@sg z0ldWUQTe?AZ;vhYxw_jT+wWl95NC2VsFKHGHv%n)B*S*NjyhVMYaR|_EbJVJ>KIchp*jEi<|rf@kP6+z5;r_L}=cE3x;-EJvI z@bzSE5|R2MV;$v*Molm#GMe`1J9*fkT=Y3M!%tW>wpWd(33qrcZjx`d9@tIzr4EP9 z3@*v~ftiWl%)w_Ie@XA zhq$K35!hofEUnVf58>!mWkj*%ojNnN>tAoRrcQ!s=ylMQK z8gElvMn`H~2=n|YYURk18g8dY0|I0?H*LBnuYS5Y2dVa^mgyUU9sfXvkC0K*T`%dX|l^t^20a-_wizn-XvT6J%-Z6Kk-Of%M5>r^VgwrY%j+RwzGibKW=Z7G_bkoLvt z)ORXAmQ)K2p#dgBPQN%P#(C2yK{IsrJ)bYN%<0a~1o>`vxR;|Sz#S{iFSMY ztoq%aR10Ub_d^;>m^Sd!>=pMPq)M8&ZY_$EO?5kR2}9%>CB7!TOD_Czx3#+b8!N+V z{atKgubosR{lHH0&DQu2<$juWG*IjqO~tP&n)l=|ydd66{tPSBN>KZG#Q(tyhhnnu zHZ``{_kna%Xwos%4L5g5e?c?BJ})pKICk&V$zYhnm;m>$%Jm6BX_G z;MvPor-jvgN+#V2ScrE{B=ZQ=<$yy84EY1A)xj6h!k*1qmvNVM&CkYqVyv#|b7Lxq 
zj9#Yif;HL0bF)rHPK2xSx+znVe^UK02Issh3$~ug%Jtdhr}sXwlvv4lhq$w;lyBy6 zoyR>g4UU&QZ#I%8xp!pK%M5K+!)%hXsS2`xEWyuF;Gb^&?8s>F;w@90sK8gtzQ-3f z*`}51kob?3hSj-z-dL!ffIbC3LgizyD(0dNU0tpsv**1IPN4UM&AdMpYDTO3BqV>WXMH`*`h~oUhOer% zpPY8lIh3J2P{O2A&8)_BHQ*1J2R%v;O4AS_O$33cBqfn7s&+#UHjg|zKs+>K8GaWZ zus$eWPuloy_l)UgQ@<|DyS1gs?W=P(-lQ2D*{H${$d0vo4SF=(1xL6{yb#39&J$r}w#fzk= z{)zR`u%K?@dia;cX%Es5ioKI~8P#`>dcMZl8cRMgL5p_=^~Ox4CF?$wtBt2BHK~a% zHF5aiV&UoTGFl*ZeW-AQ6mR?$m3D-)g?|Jg zX^jzHOo!nir2Ied-XLviOm%uV(-fCC1%0kg1QAX;wA_x@lOGkBq;{Tu{NS-7TQor9(eUElv-|XBxmLY=1({i zL2_%HIi0*&@?uDa&g4Z%jDQy=a?IEl=?{y!od#4P-%T|2kgLfkFxtKw&bGqB>Pt#_ z%wDk-FY09RDvqA*&X3=g@!6q4&*CQ^Ij9G(v_58HN}8;f6xRG}EbLLbTN%}Y9Auma)h9*GSjLTghjOq1b zSkFEy3V^i<#;pFn5MTB+k&y`s3+;Y!aVXhe{dxM-s!vmMq51wfR+J)u)!=KDRm_Q^ z19Lms$**V)h8*EIRI&h)o@&fV!Q8*&L156#0nGm{yzo&TJ$6gX%hD_lyh7O1y#xr* zn4yk^3lR)tKv!Scngc{<=h3}&u z2O+1EjmrnvYCR#Fr>FtIUU0X;J*y!@jyYfK3;^#vl{bSef-{#e(%+N~R%3oQr+vW} zdNVw%oUivCpH#lm7(8F=6ZW7u((su;HW3XCh4vmN{1&`@BN2X;C4fsMlpge2`}OOP0kuIG46oYat6YHAY1)Wo&xA7V zX>|X6K7eag>$6#It-D^m=RpCGEul|nuKr^C%h}sti`>gZ79dB>K*oh;V%J0Ihs3qW zvh?{tYGsc@F-kpg5IspVDIFb2ha^pCq7~s#oiG+Z~FgI z2#65Tv}CWrnpn0uU*TC_vMc$&{KlOii)Hjb;*oRA|C3+u0SK3wmAPeJ_US(mJ_4$t z`nR}9pSXVu{y+M)IUt5D8I0`V`1H5(=sASG$z z!E?6mC=iIV*w&4WVZ^>q^WW_HX>z*oWg>Y=?;qFNTp=Mqkf=46hrZ{!|CQddSF8; z)czr=Vh9LQxSpUT^l7#2>ngFb*zN!-3!W=ugy&biDVUSK*+L-6W?J!scADoK)}G3e zH0v^Pzix7!s~vOEYWMlXQ&;V`p?^U#SJ*X^;TqfmRU#8kHFdOmT$ZO# zDuw3juxY;8=EWQLV{79XYqelg9#h^u)7+&)tazX(h2SA$-$FDhVcrI!xrxv&=bk4r zQo&RAk&DoA<9yE*d+e)E56)|qWjOMZ2?Tq37#g7Mp(^zdX;)V)28QKw>Nl#JvZm$Y zIsS*+(r;(STFxuC5OyXU>BhNVq*N-o&*Fb3-rZWL1X!U9Gn&S&o?@<;nj@18Ar`m^ zoP!PX=;DHDO-~vFDMudE=-zI&iZvfU??a{khEp$b$tLZ$(i`cl&0}RV(8Ez08TocV z&N3U{P|qK;cFXzem1dJGdFM|uPi%g{mR~yl>h3hveUt7kY>-VhSVz&tTRoXOruo0H z|Cj%O{dZ=*lqULiA|_$q@%heGw~&HmxEZsHbH~Fm^;3M#wCZXBN&LP~`H#tr5z78c zWqE5A_mt-S*qprIFYv7;eMFCrMB>X2&s&aBX<7!Bs4A3?J3j&R?2up`XNW=J$w7%hKW*ZCeEL+gs`RhGgp?+CZWGRBx#F#T zq%dc!#xF_^9-gsdv~p9Dmlt3g(;+V0iji^gS27$8|I5MBDA9|ey4thxU{>_cCn~Po 
zpBC4*6Q|Yh#mA3ZT&yWzR7d>?i*<%X$e9FV@G+4|fI!L|HMM&4@nk|*;I{HIau+49 z>MoXI2?f*_c*_N^^Dvb$5nzuTNO0e)WYgy zM9hTKw9-*XA_0Ti99mdz`8~`%netBg=_+nZP2t*gv{iR^5{i6~vF>>PseZ*TH9_Y^ z^--T~z)hENd^TekvTb9H40}EmFO6K<_jtgcY-xJ1t;jtC3AK(UH|#XIbH#(^Vl;}j zTVHQUy7uD~+w+n>pyIt2YH;0Y-sk2-Vj$>~39T{37)EKDe zuy1Dk1JK$K>C~W5A0fUyHMv;QZWBqxjyNgPA&BoTD7ZLS8XHslzGGKfg6}XGQ(er9 zUiC()zGkL1JmT(-Nu)<#xXBZz`EfS)>G!l$&?0HlStC-Gnsg@YIA;V1{)Lz4ht`0Y zkSEjBQY{7;`b>ssuU7KJvo3W?38&u*=ljk5?ae-)-85+lePO@?xS;PJATJLJ z5Z`H>>Z+<{0I0XjHj3^Eou}BD+j650uq5#HZ7eaFsAmMzv6Hq@k@{`W3OE~%%!)WR z{#X;Db|ZE@3gH#{&0#*b@2xutSG>k+Og+IjJHxtkG2Ju>2rT5I-KYQ!%G)=)dLyf2 z+qv_44?>t1?=WcCR4Y$+-VfB(H{K`Zo*f0F-!|cz->hJAZ*G&fWnT)L1hs#(2rF@V z*I@N{Og(1xXwKX6xclC%M^%2l&5wH}h(Eo^zs5!DS0~8k*w>Y+;&A4v_pi$U0e2jR z4-76eD=mm8aJ)*3jb%2j0KGR?0%JHwGIKsALDvWaYij;Tn%NL?VFNurcMSg}Q=zfd zk-FZ=I#tyleLBaT?Z)eU0abSy-M8Ln429Z(4`MBHa%$1g(72Bi(+y;&ET_8HB&w&s z4Sd)Oe`+uOOGo`KtX^QtjQp!d^Cdg=Hg|Nj_}0l)z5}e1RL!E@{31v!3Mr}lg;Z4a z{)}}j?uS;J0m!<5Y)&{f8G3Zm-$j$6>+p0E{>Hey9)MNsM(2(k#UseA@bRmA>I#bd z33>5|(7fn!7#t9`EXZ2r4+WGXKgYYb)<U$R zUjDRv>o>_Kf}+0Z)ds5nkjp`65K`9II^`;0Jy-ZHge#hmgnO?{wFq1|`;^?X`BNUd z9ieVOs3*2ftyn3F@_V7t91o?JJhzdJ`)=2s4l18b@Z|;AP4Co^{k)ySqc50#qOKCV z*m?-zH+Iz2x({s)uxV*%ME0$nTz5zs<75H>MZUW=z7&mdgw&xtrCA{WX#I-=k-VB^ zU~YFX0yEUWlL+7(6T79!^WE*?#Zc{{{?Kk_y6J2_h!$)!+PP-x{0nDH#oD8w^NGW$ zu(LB~=de-F8Clu3ST(jZC#L#fz%r<{tR<7lnpINeHdLzIxu|bED1!kj;O-A;P*Iww zr!ZLOjPQZf5Bro5r=K@Of29xSUBB@9>2Z^Jk9_e_OMo9ff8Nt|V`b%kZQ_dF+U%7t zdn7rLKgU&Z4P(i>cA?TMX`~h}HCXs8_SseNCcB+4iecKRiwh+h>(N=)m#STyu`s5v zTTHj-byOCNY8`jCj|H5N$u`tiuro-`nwAB96?*wv!0`)Ci-Ee9$yavPHFgtjJpNC< z>ctdau}LTtG-$BpLD>w_6u41jDMdcVM${zQ7J2OrMOHN^&i@SiHBOq38oy6F08L?Z zjl<%tOU}R01l)McimVOM9$y426=P}iw-teEkGjj!64Scn8EZV>bSgp+1O()DAq z_M7CTaVJC3VocS#;NIC!%p!&hBwMp&Ew{eZo*2tAD|O(7*7c`SW@c9+r_8#iSVuP+ z2~ulK_%w}SRs+O#9%PE`k?aB78@z7zc(6qYss;E&f@MS~;qOJcG)%S$qlWwfPJ2nv z@C8f=BaZ475{g8eWMGOhG&tTpy!sISoFobRKv!vzWr(N7aBD+%t4Mtl0HRs%k)4HT zFBqtp@9#GxIT-}%I6PVTvJV!E`Vh>$=&6ZS^_t^1d*byvt@(W+m@YI%eb>@VbQY_| 
zY2_0A-!Q7XdqueFY)s9Q>jF^inLLWst0MmJ3M}nzbgneU-QEzVLR$mLC4Z9Y_eUpM z3El)<)T(f`+nuRqJofy+-#(8clHsG{g58D3+vJ<=_2GykOpUTz1t;VX=)EWmwfBg0 zY{>q!Y-v!_{so@+g-sTblj$tPxtftBy&o0N?Wlu!RQM#fPGRBZW|O`p@CLVH$5ouL zIlhZ+)bi*QXx>8yueTE{yqtn~3AVJ)xsHeB@jRZs=jN*A>HnVCG?K&SCWe6YcqINP`hxKF;Qp2#?w_Kc^zXZ+tbX+;4aXpX6=J^UyrLp${E)D;|hqZT@b; z(f_=5yc_nU%l6~st~BA4h4}+(L~ftbfmFc`!NX$Puh#7o9>`Oypy8Vh;yuXwhdTAA z=u_Q`KFsv`V_WBOh<6xr^o2yyy@q|Mt&5s3$3H>92}B_E)tJg)Q*UdcI01G~GM}w- z4_t|kPjkyw;Gu`Spe}m}SX|bDFT8lOyZ&2*EeXC8?^=uN_RNbw9!Bk5 zu;}HY@*11e^f0uuWq>gA-s=U<8e|G_S{=K6PC|W3xq5M5@x|?oe?Wbyk6WF|u9yF7 zxD}P+hM*5NSYFNgv_S|r*o)+Hc!+V%!u+8qR^6-9sHg8AM!>2vo^5Stt`9H>jy+UH zLG?mAE%WPBJ%z(hG8kS2oIe0LmEMFxht=t1C3%2{`Y5?v18+=Wiv0OWrSjNn$RmhA zOrvOxdh4a0G#2*Yi?26kUvL1n$CrUo_vVrFd`f(r#iObZ>Kc!PU)COzN`;2$_b+*y zy9n4n8vWvcYwceZI`e!{GQ44rX@U#|Ev7M|m73zKS!ctARoe0-9_L!wdEmCh4d)q$ zn&rslO3k5yEmo{4Q>U!(`Yvigq~Sxrzing0YRHbO>vhf*0%4wIoywovo+?LklKel= z2|c0IOKT&VOdG;8ubYuVKq-V*xiZ3UviO?B+3 zRtrP=5uJiKCGoD2zRn}2CW?HweF=<*d?^un7XG|$8vehG_A)PLZ;AICcQ>b2Gmv4=XBEQ*K+oT+ zEFgGifpipylGRZYx=Qe#yVqyZhjSIu?}>E4q9^`ojKmh@!TfWc2^_&q<`3)E2PNW; zY2!w+aW#_Lzv+hw`$7h9}iYB=w?2D(@V;ciYB}8hy%Df(zXz!1?wYbf0%}>dJ6wM1!m) z5JVuY#l3Nhc_JAHP)|CA=J)*-C!t?1#DyuY`AG@*#LBAntOFd6>_uZgg5#^#;ob<- z#V6V&&yq4TV{BQd7zD(JjM@?s*T^i19}vGRyy=dpyv-h{yaPUM9Yd8PX7!?>Ts9J9 znX(^fXeXo^>VigWj@k#$z!(Qe@8`SSfdia881iyFI{*~mhA%`Z6)F^Ra#^3w3BRl- zggxn96^cMr2}Tc7;q=|yx&Mqg%!_+tVSNHG0o9Z-C%2^-uVo@>)|0l3O&xOLe#}fE zL^^TgxDG0tqvEB|9dgf6;ah5EcT#w7Zk=spq)j@W=g*ZJPE9B5r)nV_R-Y8JD|YHT zzYxUx{%#{;SJ9-aZwxvZDtbQ(F{xx~jQ$v;#<8V7RZ=572TCI}UW?nxgWWaL0N`v} zR~MQEm!UnvZ%0b(1JeO>DRoGPTJUCdJ5;IO1y6BL$9>wdXd49jT^0TZ#CG(aSw%gakQ8U{rC1zcd&R*;HCJ`(AbJx%Mquf$#AUa z52Y%C`jst?^U0`x9J>-?3g^#uW;=3h<^Cn`!=v4|AV? 
z_v{tYAaCs>h4b$w1JEXDPM~y}?~6;<6KjWl#^ai(o2~XS_myts6|#MKZ6o+5B}!+u z{M4NXpaNC}CCvww>nE2Un-(Ch1T#-(BgFWg=by>v6j2xC-9>sY-w76&D_;`KBb-}K zE+6E(ecAlNlR_qq&)hUSDXEnq9w5IOtGL9sqk1* zsY);Q?WKMiUct=Jjj2r0HH$Qcbm}g57YVJcy48x8*;9qSMrjLQe74@+ohzYu#~vsL z)K>s;!{X~D%R5yqL^KMtReuy}YSx5tF5hP{)<5~;RBJtbH5zSJdkw38GHqN_}O01i|mwV>a((+LNHHEjtl<$4k)l__nY&tsDggN5tzT z`{sxUP98@!SScDiD&-g*d)bGjvok`;*D9yHngi^|iFuwd*A~53*7^crUrQ~CQ-d)6 z!uhZLE~4O-X&>_xa-^>d+>rgy*0b(oLBO6_NaBu)N9g~h6z>6ew8 z#V5X$i%k)H=`k(lfFsWDVa0- z;L!`kCgytx5IxAVoDFObe~F=DYR)ORFwm@b0S%v&I=vyEY*8bJ=vdpvtKc^>{{=18 z!{S!~bYD?X`SN!YKaa=K76!@Sc|q;eYHhI4;x3{o`Iuk|jA39$U~G zetC5_-dM*A);u~D-AR^+Q=c_@{B=~xvc&ZX?sd{m452WRD-cL;@}|=ng!B3zzy5Us z?T)tch;Iw|w0B!gQTPhFk?1Q|%MnLAn(mSm;O+Myz}K`od?fl^_1p zXTQ3duUb&cvv2VGXHUR-vRA-;0^3-bY_7X%rrgdMLuQ4tX($zaj`c`@E^>qJLdPQd zJ$}-zod#!G!?kB*R5Y6jF(Hwn;jIYYH3tzChH9%f;&sHcqI6#%OKIbUzM!M$oM!yYS_VI40r{dO2$18id1}8@CeZU9C(@=O*O~X5?jHAOrj$z#P3?&7U8|L( zTwQ6W{->ZwT5|8i`deVVvhiopLaC~@p{taoldy4~^~c}M?6Q{EVVnO7ksD;G-A=d% zu;2R&&C36=!6O*OnC8l+^A`euRS1a4M!*)m@5uN7j0FmfSBK_}v zhzEZu_rvi64zpnM2mJQ4bgVpCv*nQF%p@r}IS~}V5uD36~f2U;l)3(zUYgcX$3f% zD6B}Jv9cqB2Iv3}^*{+cY#*k7iH-h7(IZExIlyln&>`Rx@aT_Q`_yyEe{!J<*4S!g zgq!~-We~P;KJo9KlJ(&9{~NC3|3}$_fP)6PIMODMLz$SXO~Byergl&|HU=4Y#%Tds zd2}$fOxW#g8^QXQzlk(7{WAy@3wrC;%HdRy@qeO*Hf!rUWif`EeZFrUuGx@;BZfIg zmFJ)Q!|lP&Z~xLx3NtO_JjlzvF30+%P&3kvj|AV&yssE6({AV1PL4-EUm~1N2%L$~ zHU1^C8pnS~#V7W)R2SfPMewZlQm~?{ba8R10`4dTDpTDDUVwY(;2aCmqFVR;N(DQE zlc1>A;i;S}%JDz;H)f9{{A+r=a3#?2-R(7(*D!x-RwsG5l%gV*goK2QtSmk$>7!T1 z#?)kFWPtsf)h@6)@&c(WZEXBo<+T3o2(fk%!{q$t4dvb^GmBLxWkP+Ll?2VEdWxYJh+LpJScwo3?6k7k+?}yIxGsYhz<$-*K_Vv>FF- zlzND&lM@GVOwpv<6rZcmr!p}wm>8^a5%FXT=*@l;4w11D|!ES zG;za!`_j@0+EgwkL>~U8)Y%G9#(QX!Cqki?NIn$|IrwQe6McQYmwpNTF)uc2UR~vg zjQ?+2FKn2oOdBnS=SqF8H?GvAT|&DId~+UMF!*5JL11^LOg@ECRjm}AUo{1Y>aO$O z6-zDd7i%>XjKK_QDm3c~myws($?7dMHyP$BwuPPeM8?M#1D6}1ho^JF`gJ+<@(J4i zo&19U2{`r_50T{leg(VPA9^fYc}phnbzgqKN`V3Y1rJY+SVr2xzda$y3Q3PfI5d3n{jN^ZXPHsW}etylxJ!p$L+SNPHl+?|Yqf})G6TJCtzr>x?!Gg;E; 
zxu=c$BSJy8T?d=T?Ri@J%f`Dq~{j^L% zw7;@^fP%tSncruHih^==&&UIOG0XkAs1e%_RO}0B5*7-|D{eZV9X^=LFam--kt)DB z8b1>_KcoMDE>P>l!nD$8q0`jVq*dxsJXy`6sF~f6tAC(f5pObZb(LCl;|J6vZ6Rxv zUA(r4>EMW>|M=K`VScu4yTM<}TdO>8Xy#<7C_V9ot)t^mZq#D(Fb)bzM?eofyyLj@ z3C^J!4@pu%0cia?ZcM8Ts+RngHG2{aW|EfXg>r&E^Oh6|%6~E&0XXoZwdH?T$GdD6y)6PBc^0dw;OE?xJzUG{_ON zHYl{NsF8tvgnglTD|H_VA0)Jp>yvYH-gOeF14Bjt-Rky4%UJ8^cqdzWc&r-rXJ&G` zpH4^hPRw_9rfJ!EnPcOU zzg@UC{F6$;imujzgL-f7Gu!%hl0}>=_U&PfYtMj=1@NzKV05d|h2HMT)k#?UdO^Z{ zi=hcNpavdRf=qB!r5Ei>^_8$6s!M8)unR4;+B=6p4nRs9MAv6!4>laP`}kyZx)H83JX%lugl} zMGY&1?#f-qHpYJ+I^Wy?=U(w_oj%TVT>>DNmtRW3<+najQN_i@HG#;OodamvNwDF- z8L%n?nY0L{#gO!EitCg*46f4Lvnif-VjkJJovKA`yiokN7mrat0=fx)51l)3U0+|n z27zElEPG?}^1`j0mT$}_Y{D_T1s}M3IJ_vZpl3*%eEzSY^s6L~-T9W|X93!+ao?(V zF;F0%KrWh{I#}#LCOn^R9t z%9QVtY5wMy#>bleqXh!Rp(x6#$yB^H H{q$b|)9}od literal 0 HcmV?d00001 
diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/examples/metrics.png b/roles/custom/matrix-prometheus-nginxlog-exporter/examples/metrics.png new file mode 100644 index 0000000000000000000000000000000000000000..b81265268c84cc78a4902c353c5f0468fc761b0b GIT binary patch literal 128982 zcmc$_bx>Sy*CmQ1AwdJdA!u-ScXxMphu|)O5S)hK?(Xgy++7=YcegqDeeXN<*8OIt zZr%Cgc6A-=a~|FM*=wz{J49Yq3;`A!76JkSK|)+u5ds1_2?7FA>f;CCiZ-7(6|j5f zC@7))5%_q0G!BMDnC@l1&>031nV<08X z$JDZ}YWRlT^1$4OM_fhaQZ@M=Et;q>MCbTDg@5eI%WI}E5p|g1%(nN~qNBcD(qfCF z*_o%=X?XWo{cl9VpPvOk0-J1z!m`p*Jy*PcoeMrok?XmB_@8H<;!za;zP0l|j|+jj zdQ#+aCZkeQg*7#?In%V1Wv+U5)WW^jDrjEvbeHMH+ zlZc|YmXwn6T+#U3>Ps1)4xpx+Xac2ulCnhL%Btw)6Hs{t2&m|9uYe6~`2YSmyHi6` zlhLb(zPnrKBOH>!eXv0Vm(<^K7*e|!{waG0%MoysV}+bjrzig$@hhSzN1Nt+o$j&)KcfK)iZ8Q8C z14GWs%S+(wF%J_9%fQ;YCx$Gfg2WpR4({>pEG*1Qs#vW8w)5f2cl~51pyf$)b8D+e zw~aCb;UQLmxW6@?`&Gx3 zWyLSc<#Gg@rCNiL{VM)PcV_bme$@)y;ge<8*J$omo8zG+12ZczdHIQ>vCz+Nl#hoC zW;gqb&;@-F=Bwbm&S||C)2|Q#9}v7YUbHkcFtqc5DZ?!7)M6}As~8$m8P;g`LOaFr zq1#{Sh`mG`+B%nY_VRvlduG4ImuZnokPXLU`h9=@4!pv~V0Q`yQLIuS`u6I*|0aO% z^Xg8b=XF7Wj*k9jzN$M1cITU_F>{?O*Xhp=luCy?+}zw$uQmU)Tz{s2e{Nt6-X5zj zTgGBC1;Z6sn3)aV+AQCED2a?jd~Ub@1NT0;uTS*)crk5VsX&h%^e|f~;GLS5V)CL_ zWhlan_54Yz-rCnhz_iI>r?R2q8uWhZeVItuF1P#TA*r?+Wn3(kUb+|v4;drHHO;`n zq6-H4!)Hv)o}{QKwRk#0T^6Ck1?l%Id381|tP6{a)ilJNY1}46Hp_JzQF|LuGGc)9 zlqh8in40<>?Cf0iy-$R|cxx3$rlQiUHGc(tNY-g~GJFiD7)fh6Z`wk^^}@bG=wNa= zChv>=bg8eq&r3E!2{broG_!hu>pksVfdmM?yMR|lJ z%;BQh~HD zt=nTuo>YRq+8knpsFb|?=jnV|GS0^eIBpmin0(n3;ghAh5RhD_(Vpz?xL(h6fgEI^ zY8kdtzHGK?nI?H0EUjLD+yWI zG0CHq+q2)XiNfmUm}kyzbVuG&Qc}3MxaYUG8^?>{5L3(+t#7YS%EihdVHk9#Wm+vR zHpQxC-D7E7SnS{R>&KT04Tu#L6&Kn(*(@w9v^#v#rt+k=W^xA|`v<$ae!yYSX3kp5 zlcQemF9sNjgefk}paSv8$%%PyJgvaAEIF1^1>1>}R=0V8P)-ggsODCwMpXuz)jBvX zjs%3?kAjIg@Zh*tlQ)}Zl~CGocd{a;tc(gY6$I2{WMB{}3)kNoY0paJKWWtWeR}{| zP`1D|L4^{H*~KB-<%BaaCFS?$48MXs!gB2HHDZtTD8{gaJvaw> z0V54Gog>$B?~}{RX&YPYrdq}TXIU#Yx^pFyP3;^ks_F`OVCP`j?FsS!8gia7(c)_7 
zlgJYW#E$hd-_&O3BYMXAflWc9X;?!DiA&lZEa=uXmviq!EHtD5zbh$Nal@DlB{x9RJR-xjuXSyX5;|eM4ZOu%50u;fA5ye)zW4? z#c>GEBNi1EeOSr|0@v|s+g;ptfo5H?Hhaf<-0_o){Z^k0;92mxYk*(iu)*e+%<_qp zsWQDTGaN6p2WZszKy)rI!x()r`sMRNay0)Ys;G#v)dw=|zx^tmbone30918*x|nd& zAz5bF8@hu^r<>||ce;~&`{MG z-0mIb+)N=V~Y&l|+jrK+W;0=}&KSQ@MFvwyX@S5ulkMBkyk-P+^3-GeN^{xQG z8Tt7;?U}I=ZjNSq$LB$TaOg}1n+@!9-?#79*lNt~(yev$5hjbBsk;CCX>#1NjT}bP zs8TtlsYbwI`NqN$!DKeJ-5e>HHPM13j(>5J=DJEqL?mbj_kCompBxny7LApJgru#Y zd#k@nxlkU`514L4LqkCTd{|87O4PrQk)n?T*VUU?Lsn}FWH_I#dXHuB$@R;AEqax8 z78Lr^_&5R~F4#(;YvQUQj>Mc}C(2~E3R2h5U^IFx#hp)KbVlLvywx9wqRUMw1tRJO z;56VmDU;INc3_rLEmo<>(t^i;4oe@HE%56!Qil>{Q@w# z?Mm~@(B%~+?j`p~EJe)zVhPN0{b7bunOOxM#Jl(HIx8k11v~y@vs5;w#Zm!DyxQ>bDLcAVlKvh_3mxB{7;1>G{5p z@OWPDzP>!|Uw+(&pe`#dl+S_!U{?-MzeWa({(bPqF}Nz`zVX^`5e(+0@&f`(Vlw)e zM_;3A*^;_?BGX~YaSr(%5Zq$OT24MV0Z! zuPqs&>}HwD!muMqOQbAK6SVpG^k`q*DVFPtiVn)^9^37Nj6b|_d^H0eJ=JNcs;SA7 zU19Y|8Ygao#i#~W5R$pj#JS9#v0ct5|=0^kRTNQ~~6!v6lU z+aCSP<)vSNt{9IV);***TxP_(M`U10>$H0%H8!$qGP|0NGwGD1rLYl`kOTq^iiwKi z7xaRnN#-&;LWcvusAQgGTq3tSwokhcgt`{SgI030ndUnLM*!H!q_6^zH)}E%hFK<= zRU}Ul85=vkZWXZnBqmSVBi|PUJw7{5*VCTES*u`B*u19#Ow?!m@k5o8nl>}NMLY}) zjJdbw^nQ>L0}IVh*@7IyJV|b^`_F#WCc{~(B_U(`F3s-Kq{@^kbG*_rqx;JhNI~34 zju)F55W;JX0wkWEGnUS(pVf;DMNU`S5@u!Qt9}vRovw_|dEbci^zo7cT|()Vav<6_ zjy%fE&4n2uB@NUij~GEe3`L{-jD?l7#W^|2782P$*c*lcL;xldNz}bloj;oOf%jzG z%R2R$&4ar=gGCHs7<;Qaw>=?W;PG#7sHF5h5(;-wR8mN<#`9lgz|%v5*{nAMUS9x~ z)xixt`ig)3XQ~_O4&f07*5eC}X6?HI(g=XJVZA*1oNIpuVAUXCL+q}nxM7!WySp+` ziHYJ~UfgBNjT>iYVoujGKB-I~ET)2s^9|zX7wAHz2E+{STME9H+Sr9~4panqEh*VBzSQs%FPUq8}gZ1f!Wwq|PF+@<>!FVu0 zr2$-G^85nAxfMCgnmzpZkv+1c1a6Rm0>CK95u#x-7n?r=^ZELde*YfI2|_Ab%f$Qi z>4IEE5?~7sPw@sAORlHj-OUUPi|KlVU361$npHt?3}CX%jj>vt zFqlpI$NQuxo{4Y}Xm5ex%pd$BMWvKK!iTLd_^3~pG+uV-#OdR@mbm5d!nfa_$UvOL zY4YLX!fsFaG{gJxJq}yb)l(lrI1U%DRVWHj)$TJpPM}~kOX$IHC1E549vjkJsfHAQ zvGjZ%IJ}>3NGK>m0$>n<^&^;$7k>z_74>GPPk}OUUjWt#%v4Co!3uwa&9ZD*{Mg8& zZGM-)?!(pI!CV=cQh}^#@6gV-Z`=m+#1uvS1-JKVfuyEy1a{%CP2?^OOl_S+cWy*5hrlE~LL5|0~sVOi> 
zc$GFss@f~s?j5dln_FMl-Oek1fB^2{uW8fMROp}dx;rx%1K5*dgRPF`Y_Wi(BqdN| zYFOxyCC5sOE8khYo!A}TiiEV6p#1u$fB6P^(G9zyMmP@kFw>x7&N5d)0Xj;k?yAL_EuFI9v-J!v^o2XAwgjuQa5HgvD37 zO`>Gy*yUGH3H;@alc_$;i$QP`+-f8G`ocn@R~bO>2U`Ikzfgo6hECfxHS~|b^hJOS zi^s$IhjWbcUxCb>&(O@Q#ICd)21iEL+LhWP!4YIBj1UpaBO$E)MwZlrdk07w+(P9l&$ zkQ5mB9IK|0yT6#?L8n}60L3D0X@>i|HK%mYw7$$Hjfez$DWD*<0`Pg@7PuXdPhU3 zU{+^O?)iVHq>4q#iAfsz#>U^efEf;EO9t*382HG<1gA_ndo&jLkD9875=|B-8CX>G z@XwQf71K=`0-FC9+G#f!EO^(<^j{Jy@YI@sPEYau(OAHLsmX%DzMl?gss5LO@qdcP z|9>4noB2!Eln;N>n}@UNJsJ!7{ENYo_miA2zO1NdwXd+Vas`)=U1|5s{XIrx;7=61 zW{~~O?B8poMr`Omt+%(T-;ykWzz9gqAqHwV@o5i>R@gG(u+z4a3cHQT+jWpDYJp}g z^sJV=VVRu=%q&nQ2awj!S43*%yjPFYX-HC3U5zwh#E1;-E{F*;hpw1A?mwv1=o}t~ z-j4<18f@LQ6`CejjHfaMB6!bd7-;l&b5JWQnC#0&`p(1WK#5DXn)caf;KnPgUJBV^ zP0Fp9Gp@pju1A6H$!6`)Pg1oQte3rOA7qg$k2|Y_`GOyByhA%6+0=Bm0ok#XMCcc~ zfzjQEnd0dm90k*`>_6VHd2Sk#aNvkuM|54yTE{9L{gCEGb{dbTk`^1Wu_ljOwzQi) zqN&tg*T)A4xP4#ZZ+G4T>kg%6&;ax8>G&a_ws=^~Qq_Ul<(|gFQnEroM7gu0B+JoD zosg_tv77knfE)Z|BSf1Q!@*w4s!}|YZ_!}_woe~=?o!E%6ASKOusN3e^OLJ*&N)vb znvGz{OC(lAQo-N69Q=FzGEVBk)cWO`vqdz+S=+NUh0ZGfP4DPxZIQlF*27!Zk-P;@ z&&(!c38-m+D}rn@1~zkR^$dSQzW2vcc}9)MbW&4|$M3Z#p1;24R)cjuU7p)$r1Cpw z3|X%S5=I2o4F3?8z=Eb|aPXU1yW-RYW@DagiAc-pAN=kU`kcKzeK4!*0CcnsDA$i>@_N6pP3N4Y0O3oO3o@%j4n#cO7 zI$?Y(7Hb>c(dXZE>mydAjt<#yEx69aj4CY|SjkI8K$YN81*_k&v=!KNPS1ms$Qqbh z>tW>$SN4^BmcH=2DU%C$?lEQl!b&pmx8FG(S=|s47yf7_>#@n(N_cQLd^G^d#*_(q z@i+TU9=-AEHgXmgpz%m#vM6B9QS*x;$JcPHTNnK@Mk7D}2) zjS#<@8k#nU=a7zYpLR`HQg#NT*MMs5Ud?^f8C+?Mcr94EAy|qiSIo}bL&LD zik_Z#^L2*F=yB}Y#|ZjjL6R%y;jGzR5i&D|PxsH!_thCc@x-BhxzN_pyQxf57< zd!65{4fo_9kf^GZ6Hl)oea1u=HBO|%gX7K2cNci~lXS+_nP{VP+&Zirl%n*AQAW)b zJSxz#(0IpAD7MFB+ea!Z{I1eA)7!)6ijtV{$~^9ZrEnE%jCYNKS=G#ktY4kg0EMdI zxSMOAzT^Xk{D7ZPW=6Y%e8f1o?R)le&w*o)l2JBou1A^^m8hIO9ed*z`16bVE+$T2ivlH6NoY3n*LHuQ0>O_+d?9P6 z98OdPL!L>i&4NEv0tidlu}2oaNkAI!|PZi|fB* zYTngz?j56}G)a96+^;-_$9Y7PTT?aoWz>PcaOj&nFz^Le^MNEH%=A=6B&q((_d8w* zbvOEgRyL+0X9m;{GiZ;8ihpClnxI{j#qllAkBtHj#=#KFfR#@dX|ixnkk9DHUBSr} 
z9VhZCr3@#@s5^7BIJwxB?Fu?%p|&sY_B_(mQIH_QqIJI z311;Wm1jcQaD?n z<2$)0;C19O=&O@SQeKHGnT+?prGy>T;U8#rAjV!-KhPHq51>sKI-A0N zJ)Fz;DcP`YFBX9$m%7_-;h6@`a`qg;Z89FE`mrXmhVPA%{8& zU*GyAni*zrH!#QEBD*W@MGn`}vI!oE-w8a3*$|C*Jy(W@>k1;f`wemI_;%XPbD3yWlqJYqPdZ@SEa$C4GNyZtwDBHMOa zf?X0@abQW!?=S71=LjBxMhzb{Fsfl=w5;(K0z~eXra0|cZFrZYl4#2)Du!CZ_w%R& z1DcSGJY2Iz#ahTOZuT0JV(u6w8l=2;2u`4=9$Th1U-EwTdoYgGk&MxJ)Uc04EvvX^ zG;n03JPzgkR^&0ga`dG+f@zj7$!9uy!xT=HgiMsT+g8lyOgGeC_LyK%M!N}O$b zC&{l;hrf0!x05gyQKYh*RK8VzA!hhE%I!UTJ%>h$fXRABtZd~uU1@9PBV8&H0M+zE zfj`{FVx=Cj7)PziV*P8M*L*^8u@|=)s>v-vUy%z=-;0G@4$3d)6v|4cl%CLvu&O;r zHp|)5fztiE#Je&obcn-8FV;L3Hq&;gHq8k0$vaO(T{*(>W}@*&Eg&r1yG}e=r8rna z$!N*04+M_F+b;Mcd%haa%bQuw9t>p%xB8%~D1W`=Dj0kB#ep>O3!m$s-Nl*kL#ESp z2|>pAj9XkWp#V*Y2>YkiFr}`ppZIV1w3AXvjg%DxggTnrc&zDO!kU-PUS4zx&Hg%& zPBpXNZx$d0Gax7u*uUSiMt~0s8rCtZZ)R6Y!H#Lh{5Y<0R!9=$dXfLm1;`REDQ9kK zOmFg}jV_ef?fbFDo@*UxHG2)VWY$;6heeY@7ftw{rc_XIp$4-HzRbyw)MEOL_}sU8 zG-#fYy5)Meh3aY{kv9?$g*);?$aOMv$M#<1G@-~(r_VKBE4i5R>%OJ0{|;PRV^S&M z1*ohMCcd{$q=-9ZaMrnHV)7UwEFo=Mm(m=C*5Us9yAZ#o7@V65&-0Qso+)M!N1H8G zbYwaEGNwax>Bdl1fG{akh}ow$bCCxJ^batv4|%mVzrwsRQ+yCeRAYv|R@}IOErpLn z-4mcj^8%im$-=qhn9aY8)mZ6$%PUbPswham%JwKA87&iJ$GiMl16d%?(P9eDg|Hbx z$Tq_NzGccisaAfmt;&2?YE52DpBcWN<0;(vN`QAnaHEK+P*fjF_uyc*FdPT%eaUN= z!N*qjc$HI`<;+I*s?G#j!T2)qyL&|m=2K%9q%-gWm36E0w;uZg0fLM*<`G*)j!#Kn zB9uAvzO;3rd~YPtAu3)vm&kTNczuU<0>#Z7TCpXKh3!VrQ@zwT3&T$u9TC$X_zt4P zUS7IUQP0|cZgr8dfAI)TLNvQKcr-1?xu3B2Ig&C-GOeveG70ni_Gw9&)*AfNH=B?m zX%k$AaG{01>BEXHv*Zosv(n3B#%75FX+CKVr_{ZgKD7(`+cpUKS&aMF^~I!~FCgcC zenV^ua_+MoxlI#;p;Ce^QT&c@C`zb=R&@3?Z-@)}pq{*2)>DWB!M`c(KGBq=GK z1;Y8WiC^taYx3jo8{NXoN*R>+e?zL_E^#$9rkoIyldD!^ibe{3=VK(;$`%nJyh6QA zqVyAv9K#aXvHNhfRsJbfqNOvvX^nAZOH$Oz*7kuRKiJv8u)N1u=VKnXhj?oqOA_el zKru#q#9CWYhD63B8Tsd4I%#j1kM-?ew`)H!tbS39r>GzckxJU^pF!^U^SM0*SiTnGGP7B#ZO!qnfhr26zws{!2)70- zft{#KG!Z(v_>|{H5%pYf*B8-=oM;+TNqKbIQ2PN{9u3@ROyL}YbOZ8 z-9PqaMWp+9nUk52%odu!*GUtBGY%HbJpsARN#dI++9R_f3#BsMjld;2jH_P$3)$J# z?Smszg@Z;oO7HI`Z>rsgAIag? 
zk%`=)C2{V+L8CBJJ;ac_5tf|7QYp5!vHu(P{X(&9iBN)#&R3)}p6!rvIVWrnKQa#M zoTiih>Pa7JCDiWn7iOQ78xk7C@D20o_UGJlcG6E)I990Ike!X@4Ah(DpRM?H9i^t9 zUcK?aYr~~3(;r9nR1^;bV0zFS@@iqrO{s7-H;uL?(CV@ZQShwz4OGGn57lM+4L0JS&P~WT zPD!4)PI-SlJ7&m_BbS{aIEXao*hBK9sab{|M~OcwF3F|Yteh`jCUKvdk@y;~*=sUy z`P`_n_RBps8puJ&!_EmmrhrXRWY_DbFEGlK)7@D&+4f%L^|jrN#vc_r#)u&Fm1#w6TOH5Dj()-Na&HF|OEh3MS{fl}rRmp#0$!;OCiAvYQrjXg0PF z62vn{?D;1!6IrDUk~N3dM{D6h?d{q_M~4b>$;n|b3yu|NdI%Qc_Qdj-XjzIik<3&X zcNp>L%_(gmCs?m0#GyDprb>xy%PjR_dtlrh^S#tQaAJs+Q3}3*JQTKC=^*dwGMh&0 z%;9jYma+wZIEU4vOYLD@1&;Ci}GaL?u-$RoFgA7p;_Y)IYG(Ir4sZ zJfMN0+vy$CYI~UESugDWRP4>2Ja%hJ&d{B2tCbw5B5;W1a>kb5AIv*Lo(*L}XkFYg z)o#$ol;k2?Yo`b)RR?8b$ylUGBO#|WaiEjmQ9hx4-bGjR>5Nk&n_nc!buI6;!?ynO zOFzLC_;_*e>qu;1(bAK5vPs%4c6J50uU-|Q6fKi-Hrd6Q5lNot6;C%7pZ&M&?Jl{3 zfo3!MS$$bZ9+dpzbhZ(X^{8^D3<-&hl%^tzMN$W-=_P$z<6q(JF+e)zkUhSYzefcP zv2Muz;&{g&C$qDWFs7B5-ItK@1+6ZFp^mX!J#Od0N$Os2nD%E?yYK4weOv0c=ee?V zmmn2fJ}ker!`EjPv!+NG7`3V&pmTQnRQ|Olr^=C5dD*S*K}^m!Z2rV?Ys+`CrjO;R zr(QU+o}OGrVs46-J)%(KzZ@PHDBCTP7&Iv;OOKF@H&*$(i31kd+L>XiMYp#;^ky^AL68}Od9u0ZU+nIV;K8TcAvrsW=r}oHb2InuDlZQ zXMN~&ypD?iC2j?zEBm;3^r8G6gP9c9@EC!1>zC$VKgM@=6-Ajb)Oj9ZUai~Ttp$HZ zl%@pDH(DIG-lxf!;4C(7GL6uRMtc(> z(loeI8%At0-DX4(SP!prr-PLBPmTpgar)Uk6k_T?DPo}SU8{lddDq?yz@kB+ZD&2Nb-}%ak5ALq4u3o$Wyb3|g>D16f04HeOI7ph zdF=Xw9>bX`4*FLf8RMUPcvp{``sr0$f;;ASC!DQ9LLuz!p?9`)n=NH*(^^6|)YDpO zxv8du`=h9DE>xa8tPBNRUudzXg5GFy?l8@1D^0;fr!E@9A?L&+MIK2pNg(sgoyS`e z>pHy1{w|tl&aTLmJ;rg~uT^5E=R2DB`ehg!(FGUF%z?6KGE>9B-KmFdrqw5IAEP(K z67}d}E%-c4>!NmFJ%6jc(EL?ixyX;Lsa~GSIbRw2YIWUG$8(ymUWbkzJnHv5qVWk= zg&oqL&5CdsMy;?v>A4u{rU%S_`b(lk22mIOCGir%N(;bOP^Rbf^c5k!q*^1N9s35t%jF=uMfcR8r1NixjtLWQ)W ze<1-y1EpSmTQLdzm*$F!`Ja;Oe@L817>PIv!Sh{(58t?7yxFm^249h95pW^Z{tB3a z!SlnF1k=?_e4a8nAqoadG@L`Y^Lu8$z2ci+-?h@|Y!A(Lbc|KK)bznS@%5%7pFOkS zXBHC$G<>MBGG_^wLek&Lz-V%~k)zcM{WjxE1;i5SrG;j z;vXe*&_s{27=C5&;w<^1BE|HyV*rpr|9~GVop{fx_GyS8i*RK6o;p9`US6O&6|Ye* zaR4u4>YwZeKNdQq|I^%$&;ioUv&jp3q3f+<>B+OUpONFTU0-UWIBMPdqYq~-FHc)P 
zqIi={<~9@0mdxhg9e%NXw*PX7Bs$TQiz2VTa%;s)(VoCzMVC8{oapfTU<^^&z2MV| zX=>hMVj#Sod1}?2F=9li+>K=>O-AdrCh&v36|e|VQ98Oo(f!f}XuA%go| zUfBND0MF?C0dsEtx0uva!D3N3O@zV0gSP?;0unDY$F|~&**ye$mh!ItKWXeW-zk2` zRlE49<_N@~^vC7kEV?#fs+4G$nW)Aj|E}r?_r_ir$@#xk8Gl|s-1>90I<1eFPtslb+cloA-O%wMP1L(1v#$)g(-yhBK8AeU7?F?z2eEx?v!MY!lZQ?^Ezr4r2tvU+1@%9-vnS@!DaL>8iD$A( zWPBuJJ>?Y6T>Bu(TF*=%BOm9okunRz?#$|6xutbqZbiaq_i4K~SJ0F6*&|BH?9WG@ zDv(OX+}J_|>~j6q;`&!e6sE9k#JE@%U<)wnPyU+vi&)uJB1c z(d!H{KM4{}84Zw{ID52NWR*cHPF^))bGxI!KL*umbNwNy&vxw#rcW|)Oll$PLfYrG zgW5{`PP;C=@WKZa48LaeR*aXCx;s$@%NcTy-U`##_9qT$v#g$KQ7ui?;JwGXg@jW^ zbLIJvY%RX7CS9`l9v4I749dcZ?>F;u_V%ZJ;262{^eMzWQyTjRYht$A%uiZ^73j9` z>h3>0@z&OtN=e4bw>Um0G^w$m4fR%f>AP~)zF}u9DJ6jiKM4JKmm`{H{+aW~7)|nY z;|-ge@R5A{X&-2KmCSiIh<(;txH1N@P&gbAKS z@$tjGucLk2EwRqgeAb{?3k8b{YrruAIXK)1=WoGKw-*U_$TE|p>D*jR zzPUq+FtZBo0!IX5(Ko`k_&%peS&UON7xyQ6_j913bcd{YMmHOvguP^#QZwhz;_?ZO zy({SOXS;M)`9nK6O>|dzu}wVnyJBn0Gh_S>cKV`fClP+gFGwu)M^w)QxfCqaDXo8wle9j+p4Kg*Wm|Fte9`e~3xMkNl> zsgAGfGEf&RJr{M~uL_19-dxI7P9NPqY}VN~ck$~TmUW;*WB!D};l=JR+zB3xc%0|C zpFP8~NbXP7ZHN;WQ%kjh|Fp)U&EXO?AWU#UorO_Gt~b`b-pSVyTR-}}3dv}?BCE$z zv1zLg52O`gzCwPcnAzkMrFZw!elO&MO}D$tNm#B^oaDamAqO2LrR%=`%SA?#@3-Uv z&aV<|&m3-tkebdc+FI(H4F*iU+>@8rhqgX9Gn?SzUj{L|hZMw3it~9=W=x3G4}mdA zQxiSEs(h|E4jU}P512}Ld}&+1%4Gw8i2>sAu|r2Wvx`yv88@eTlA?N?zm+^2Y*Mkf z_Zhj$DwcSIh`B#h&k5EGQp+pV;T=DT4&+@W2qLGF++5(*{=m3%vlb0IlW z+|iGm&PCt2>8Z(OmljE%Rf7W$ii#)E3q>+!hd$dCaEg59pucO?gj;;mbAapEILa-35bMt@a zGmd`jc9e_R?5(0W?zz_q!c3|vDz1!t!Wg}TKMc3FCU@WqUmo}N{y)h&BPl4@ib~Ff zDi!5NdELe2s)Hc6s3?2mI*{AvoP2R)IMi=D6M}CTCRL*F>Gb}15!MV!{?*?V!i8M0 z(a(3<)vP7eukPn;(qFx!yHTu$+3~nXxQm>)J8 zd#Mlmy&42PttNa}BUKM})I50Vy4^Pe=I)NMWQ7?@>1uVnMiHNzpuUkNPvtv{R%Q_i zFDs&s0!}F9M%4#Y)n4-a$Q`Fr#EHzwVum4)xmx;s(g%xznXG9Fhqv+@+XpX(iQc}? 
zR-1kiO;C6T{2Hh!*%sVBxNp*aNxDAOc9w$EcIXpoTw#zl+#x=&Bz)@Q$O*?*K(4KF z@pJgklAW$L%ur(4P}H}NZ8ONR6<_THm+t?8E8sp(ca9=N{fx> zI*2`|^xXf{JzjoIT-Vx=XP-y;v9Bm>GfcmW_V`3a05+czz zjOi@EtayCQ@FlH9z+)tmcQjSAZKQWMg z)PcFGQXB&k0n)DGU@+Jma(u%q6!vC5woZS&~k(nXk57c?*)bu zLiPW>z>x6!|5ji?o%)x+z&h%=Vz#3wTFVA~-lQG03THb#0--aM+Q)TY;UcUv zLcAHOmLED>^Pmi5jCXGh`#L-oA;PNVXzeZero0MCUC(O8mMV>RLgqm*YlAz2sAM|y zjj6O?DNqw*?XzW|abhhn&Tl;hhauaFEQ>pHy~udI)MWhbG^YGw_pQJs%5Y*#osC2` znku7W376VqF*8iZt9H^LWbZ-+;rBy=3(Br}-hWWu(n37`;U=#_*Lqt?%KcT_?}^Hb zzZa@RhMCcI7-KB@>kBRi7H|M$ehaN{7c`94*=vd7bENvcUiFV`hzg7jco6V>){qjg9A~I)5 z!+-55d<%?rh0aZ9o_;l+ohV8z;)!b`#L9_7ERs_YGHfp(q{d~88Sr4@_)Z%Bxgzhn zK`jTmwxOQUzLhV|43~guFr{bG^yA-uT2} z)`KI0kQn|S+iO+XbOgfA7b#1OxlH0DB{;Ea>UOe@H2A&i+j06=Z|0gdl&J#CmnOP*NA%iYeuh|`50aog-aw*wp0M1M?O6>hPR2qpYSj>T=v z-U1z-Zc9*Mf}8CXO(uPg>YYGi+~~na^QNtiAER9$y<#nU0ma28`a&}rhr_NSDcE|2dMQLc84Rjf!f)i0k^MPedeJ zbucaYkQlk`te|iZcJgl2_O+o%8(#mo&p#@{E7b_&B(*i7zyCYzQ6%;GWf$K!f4Gjj zf>^NPvl_i^i(k|zG{w~~uM9g)AD~^WSh|m90{_n0QNpzZ$M+hXdZ}yrc(3~Wn;-8y zZR!E3Jz@qzYd2= zFSf3R$fYJWN?yOwSjwFwBOKIR$|U;lBV5YinvpSQO6tG`vK`?lf-mcu+e*{@ za7sKrFfDc;pihS>DVChrk6QghI6cEv0&vOS>CdDV1+`u1EqYJhmb3 zJcqe2iz>n){yQy)EG(q|PO|#Sg*80@pMaHq4|BiXmQ8oSLnvc${-DV1C5M8HHB>}g zf;HbP-QLVutSmWU>G+X$r0`|%?HoRYfN_Fn3v+)Q^txpveH7S*tILrRx9n1RR!Ejo zQ2U2vLsMtL><-Q8N=3LcxVn!=Wh+IQ^z?F|OTfx#>ejD^q1&v1bX;(mN$H&SDSfKk z1pc?FYR4hJJn8d@4v4XrTLv?G0SEli$4NQB6QsT>C(Pv^gk>tFWLO+9p) zufj%XhyR^j^LErSmZgnYk=9<{ef-tK_bk#?91}UK{aE*sSB0_t^MA{?+T8KzDcHN& zufK5%!Zn+osd_#$r#C~C&CiR2nwdRlF#po;KmHlZ9rkQ=`oPlecX|T%ks`ZBW!b-T z0eJR8s^FMfz0Uc*b_LRmyT}0^N(5S?2U0cWpZDK*6c%btevIpqGBe8PHS~B=U#yHK zdOYk`5dn&1M1pHn5w(a?khy8=e4=T_lf1zKkm~_mTNL=aj zLd(+&BqjEOj>vTTQ)#*qoQdI5bl0iOw5)OSk>@-<4S!G({xEv{ux}s!%B0Ebv_GOzTG-- zMp4Im`OE8aR2v&cE~`Wa=aIT2Y>)It<)O?u23tV4GrRtFc zwUf4cF)U2g%In&lFQON}axl8I7@2rDVH~%nHz&O}Dq5}*@plf_QhUFCUyOGqrN?UV8J_Jj-t4JdbO?%j*zU9oIfwB`L`%3(Qf9cs`10rpaa%c2sPvJvWjCYKjbSO5&igIf`=UODgdFEx=_x zn}P{0hyHULzm+3VuKe4g9OUvqUZ}&ACX)j*SuigQrAckvUQ!n?fyM$FuP~aM6dlo8 
z7Zic>Y}cOpvF=WFAvGVLkpInE#kbk%YtYl^^6^6}&aI2ASM>{eb|h!^{8$|8q~rd4 z9@9yS+@8EJv%R2Ea(nHCWM}K3XW|?3D2qY@tHMNK29HI_uMPA0ka8n%6Xj6hWtU-m zZHR$~nigjSk4zpSLI#qlvC4<)$9^R81;$Xs(PgG>vwP!}cbW&#A8Zn9UEnX*eofV@ z@Tu-G7es{6a%M{KCSO-$lIk32^`~6WB05>~`H8%OYAb#fPknlIM+mCeb6nozVojZ5 zkikK7^=7NwP-c8k^D%qabu^B5KTwIm8z^KpCmdetzsM7^;`H8>%8NvBmOf$5Ufy10 z=Hg4DWv#EZ#~yYSpb+utuzvmYTAGmVIztfKZ@)pBugu-mV_VN`H=WT$rug|Czb**m zs~%vqY5AenR-&Iltnhh9lDD{EIM&a!iE6we>#Zk78Aluc&7e))z5?TA`4Ae`VYB{H zWIU4DZewIb90#2aU(`9x+d{$xYWu0Cvx-W#M(%Q(1VbKO4>GTxp2kDo(i@h7CcRKe zuG&}tRaUBCGRw3h|HzN3fTOO|BH%oN_K>U7$}ebHg(pOD6RlG7CrcOJvtBHQ0zK-u0eal? zWPi0>doqBCZTvne3VOTei}z@_CW{Ol%;&s#i=Qu@c*bX1L1JE{*_VV}%SbVXXToqc zJRDugr_fyAcjoJG{|8;?7@bM9t?P8sVW)$RZTpLD+qP|+9ox2Tr_-@*+cv+Oz4tkH z?0e3>^GE%uKQ(HswQA1!yzi{GM|6}IuGVeAYimU0D7$lo>;}#!hl8;2l9uS&k06*g zn+d0}h{+#AYfs+@DRKJ;?`kcq%X=Cw8eudzR^rYsCT9w{lw@h^$B2Sp;Izvsq<_w< z2VLB4pGU#oE`Sri;gDY2TVpEC>8QIWOs(MIj+6c#d%w11^Bqm5fjatA?N*;8``mYh z4Zj%x*-h@ML~8pYEWMGe+XkX9YK(I$(<{S-2siL}wxN<9CFc9Qqkh%86=TiAX+e^_Mr2E_EuD%_%*Hks)7UULg)cl{(AOCpi& ze9~mG=?$A*mKH<8Fb-tsFkOTlpK2F!Kii`X%(nk8xng^&69#7PIwU9AP}JBj}c!_Ep%|1~`ha^@7;__CrIv);;;AEQ}~s!ICROA~+wD(25Wz*1ZUD_Ij%DNGk>{kb!lYG?>zW-<=hfD@Jl1 z&!LitWj*fm^Eg^*oQ&ykCuCQB+(Xm=8=_5`X~~+b3*~K54cY=dzvpXMS6-Ly?Az;T z5%)Dmq?Q-JTi~BSS(4N)Ndf>oOzT|_YyW|sI>Bs z^Wc(CKx_?n@5NDXGyTC>>B@LE^vo;$EH3sH?;SI^YYVc&KJQla$+ABF*e{yPBW06g z#Ahq!$ObIx>?UgIC#}DVB=&r6sYKO})fH!EYGFgcxb_v3q%TYC|}-v!dN&yo5_Z2as|0u z5dyk%>CmF2G;@()7?F9imT$UCgex$wsZd7@@nD#6mHals!WCSXTU7dZX>zy`x9Ww( z+(>@uqGcF~wpP`1(6XliS`OJs+H!shHurFfAP)>J^u!+~uXoXMp9M_yW16|%{Poxm zZ_vRT#b-KutJ^y!QU!ueK>OkBwA(T+U{8AyIs8S_@6e>RX zpCw@p=vyu9Nn_BZ2c&9eIbKnMJ`%M^+SB_~$QNqJ$CJn94swI_tHw~g+P*t45|R3V zKESbmvRl57)H4qrZbuY}b+3MPH?gg^hfV0VsH))iTj=M}?3hO$%C-IUps(oHom@kw z4Zu%~e=QNILWP-2*5RkGEe;3+iJ8~a3vMz;Rc&yBC$dLC z={=4I*?o8irc1=yvU4Zh1Mn<`4`kh#SHp9b;YfqH(*HQ;Oe0xLmH+_in;^NJ&5es= z(_e$gYYaRU1_DafF=zvWodQ;SyF?*$0L^KzWF$wcQ@&Tz0}KL79Z 
z#zdyxqQQA7$suc?n?H913Jd%O7d53kvr-kX2EYoatk#M1AVh`B34SyT5=_f0294>zUmr@hwN}F}lOOQ{J$? zCtWF%Hz_NbjWF8+eCV$T>xlpi{cwIIs;8VU;TNxnEr-Q5RxXnN_*KmFum0sH96 zb$KO@j-!@XePxR57w*|2cvHE$+=fQS`WvGd9heSsI)lJ-r1tioMR{?4{4}Z}4@wB< zcrm|*dlJMXw6W4L!Csw@XR3BAD`(4w#isri>UdN39L@`kaO4xO(tR(`vAHkHiy3ca zAmV8xqM?sHvdHxj@Mssi5P6^{e=O89i`3ubuHGCM5|RNQ@@G@_Qcqe)`x1dN=Sow} z{eqaaxV`%k{XPO)kU%0p#A&}JbH(YwN~mrlWRv>>0fPgQDQ)R5&4 zZF0x-fUFXGt<~yxve^uxG%|6&UC{_s2!hD;isSyhYr#U5*>3jfA}PsT(48q^*~NMw zCd{8!lCCTZE;}wpD6e`aNAZkq8={fT$yDSQ`wEQ zcle5sUDSwi{n|(;7wbQcRC&CQat`g)D~iC~69}l)IB-jTRY&|vu(7XEv9zLzQ11}o zcKh2lhd7VR6c3l|fUN96zup#a(=lV}r(x0DRyfq$H)xKvH& z(zH)*$hxz5H+8Xa_u;HX-WT55UB~dZ&r(a83Zxf#jh}YjcVwo!jgBVCb%$y+9}<%x z_vDBQJ*z8DJpvW*#)s0a#gd8%Y))t({zot=JZ_jQ!Qb75QF=K85*_n+##`tX8RSG7 zOci09EvFD%Xk$N+GPv>POB?#yjJQ*fW{y^_l82@keF=-D%4}qzfhJs*R}b4AbBM(K z;5%(DY*%T>-rCiqv<)pgcsSBp!>Arx!04K%E$?m*MGNo#F{`Y)fQqaoBy_Z}r%sJ$ z@1{^e3XXBc6piBaaYf1JT~_p$47@sM#LSHbkR=WXj&YreR$n_*-E(>RLGIY)Rs^`o zraq}6h}+g$8%kai_(5*!snFSIp`0yAKIT}dkAhNlRy$ggHgCai z-pvTVP{&uQ@Dv0gb{D!Txt09WM5FEWuHaOhCh;#fsYZ;!k5)P3TBL}rkuh#ISqHqQ`P3!!7K@0|rHp%_;*2B*f7xg2X%Rfuf;wB(6qGoc#luR)cxqFNmOSfT zp0D1!t*Mj4#HSti8gZC6|ivNg@zg1=o$>TYsSG&(yYnuf~j@##Z?j-_Fn zk*6ymDRJMsQ{DAxUP$pH8#Fy)u|0wVR8tTng`$PeW-2)`C9DM4hD?-uO)m%Ym4zmZ zNpZBMd?H5NUe68RGEdjLN()>SOdU*SfND955qR%}VPCSnQ=X(Bb8v~OD*$~0c^Xs) zrut){HT$YMWWN9_T+)8?8Bh9_#k>V!MM%l@#e3j7%3UbX9Jhm- zwBc`6wNuGIQigtCs63CRcHb8jNcXNO_SO=XE!Xs5-LxmUkEc_jo68wjE%EDh>dz%x z_8sHR0CpB#oCD1jE05|> zpQtd3Fd%9??mv=hvExZjPEI9(-5e>OW0ys;Mw5pTMk{Oub-?#9U%L9yM)QKHxG2cY zO^^mHZ;sW4K_NImL^G@%6Cu~VGXRhH6G_Yi|EoeJxCwbLs8`%yz;)F2d z2Res=X&qE4T0OiM?0aVbP1=Ac@4g8!r?hJ!&Ym4tiK@kCDY^}H$%y48WkOeJ6RO|X zfwVwkc^8Qpuz!5%prNhbX-?{Y{d)kV3#s}4b@N}>u$B;}VQM4~Cv}X!dB6qls0uy_ z0htXT&i?x7WR1OkOHhA@;MR*K;Zt;R`98ts&j4^dtBBo{Z-XRW6fa<5z7T_8EQlS} zP^h*J+_ylY&9a{PW2#NStw$s;cK_|<)#e=(s`twxonP)S8|~F=>}a~tlj^;ZSo{$`fJ~T9T&TQ-cO@B|L^ryGBSV8wYa)-Z82=lX34zDD~CkklFoZepo zf$ruvQ>Ry^5kC5%$ASfHHms2W-oH0nE%7_jKVs@w&)>jOY_#`G>ZY2I6y2tV!)*7e 
zyYH{2cv6~S3p<+uB%@y|Vy^2teHOj1nu_fxk7T(UBHZQf<|+HHr)}+>M&~nUg%7vv z;TiE9aLlQY`u1fhH&1$BI;6qn2r*!f4(-)HWnWJ$0nw8E7wXsmo9`pFU0!>%L%j0& z-*KFhux{ib@SF#)_58vP3rRltgl@?v1Y|tf_qM=FOog7HH#14T+Clr*7;HAA!6Gc^ z_vMza5n=V1ULM;93^^`Itv$9uqp94V)F)=46RMkTNvPYvhxa~%Wvrzm?U%9o zk)x>h171XBO8=h9z2T;o);f(^ljrEtl#5?-C3wc^hN_u|uU(%>{P7#znww(qPEFF_ z6UBH3=i!s+T}7wK;oXc|LvHltL2m_33M!hh3wq<52rNGvXEA{=leB#U-B<~5T+|;B z0X@?!Tcp5)%LSmI(LDAIP6qGj;Tkk;tG2Rym9y-sW}+ZDhk!_DeV9KO>-9MdN0Wp& zzkfQNCaZBXey$mFf?)==`hq))=`BAEYAlfTlQ66Y^2PI+ef4}Yr2E^%A+NfqvD?${roNF ziVSJX5kp^=nVY=eaQJ}Q5^L!D?-}BGj44~qMF7jCw@+&!O=P^z83~H+ zhelTLQLD}PEgi^wsc_N$9PuV45W}}@lK67Dx2FU3moMv;0(>Or9*fvOudLv+C?0`| z2*&XWtf`Q(F6v8RSC(fzu&BAr-L1xKf(r=J?Awst^&8&tcAS3^woKK^MIEoC>FC+} z@%Q-i#1G)M9PKkrZo@ZxwHfo-sZ6LCQUVsJDcg{{Yz99+@i+G8=bHSEA`qy=7R_Pt zo&z>@^3uDPZ+}@I2hUfgb#-Fs;BpMT>E>90N#Td%TsuQ~+B`v`xF#>ERBV_S;(wk# z$TPQN^=E9TvA)>T2T{7CXisld8UrZ4EkoFczo{MGT4*>}cP|~AAAV2LJtc7W;kKMx zt(MNOH3BhHjWt$dD&(?g)bFqQoADb|R0P3$|C86USPr1TZ16fp6QRq8p~C<-J|khU zsR7sRdr^;^LsR^FC)aH_&kH!Ag%bJQ-49?DA9!gtP`bOGy2K8(7zyvq1cIvh;=oPr zTJkn->3qxp-d4cSKr9rx|86agi4`%M*Y))e+&hura>KQx4;zk5;*?iADn&?VIM`f^ zha&+`bZV@(7kBRE-2!xPe+UB>91snXr+}oFen*{6jZ%jU_HG!o`8`ni}md9H1>2Te{htYnv=z z=G;VAjLnpF%HWd4*MJC~zD$`NWRw|w_!jJ&5LrKh{h_J}hsvxpPXL3oXr-R7+;?c` zqnnL)@CzE}mnh8D@3G3~qbayPLS#XEEfvs0remfgmhb9pY!3a7xpp5D7B(^}eA;$w=!H-s2=O)|o6W#j=t#cWL#b zY>)LjyO+Aq;uA#N@2cy4mUClm*^ekN4@7_AFNWUMopF;Krs^cr_qT3u$ByT8@M}IO zAp3gu7+aLF*)C+w`qi7G$^*3mCqdDfF?wA$k3wU93_30duzVpP5l434O&|Ga9$t|; zN1@=qrp%{BndOs?*Vphwq%4^~K0VWxHYASFi=p{@XakpUceMntcYdSIb}7VdT7=tP z)$)+s9eyf!dVhNOmd&UpQo7OrrqQ?d=ii=H-vb3hyRly-B(e|LbT}L=Vm2dvrwL4& z83*-8paTNHu7SpE%uZ@*v*dvQx%Lf<6V=qFod}w4AyOfPR!_Jw7vYAhg41C)<|-|b z19{G{m2HLlN)z8)U0(z$UwC`~ZG34hlADxG1c7k_(!|3IF_^T+HA}2~TMic764$b$ z`dfJBAv&Gj1$~xo4CJpQ1j%!EIv>ofYyroH+^u%S?=Lh(9p;k7pO>O?wRoO`tlqe? 
zn_>{Rn6Pimejh+frPlh&(x|m)zDF+&;6ai}9#?e1TU^If;N3tq6n*JN1pAtID*~S2 z{fnU$#v15_WvIq#e=cqH50`B;3`v1`43|lV{QCE_cNWAJU+B3d>!Vy-e1fSD*A=Tf z=jl%lcj40tt`{#pUyt^SK8Hbo$RaK7BMQ^0sqAXGKHI8u{u#P!bvUTWq@x-u)9)OJ zrV{s|I_xU8VCOySX~BuTyR%g1M#MYRR=JtK*>ovR_->mL@3Tq7xV(cCa9z5vq!v$q z+9c?8{8xep4u)zSXJ~hS;37WXVZ!My*`KJz+MgWdwO+(B2~3YhBVO#jKrvOEDXb9UBMLGw3p813OagcdCYr5ya2H@}9ZL2GeLM+)E`=`g9<{TSx!{MfvJSN(2){TG>iQG<&DDGKY*Cd`P%|gs-cy1o&`6 z(qCD~s!Vt#H|OD#*-+`;pNrk0PL4-5>fhYzE2YREGojiTNDLrJotsGBv3#U?5`y#d zNqRTt?N(nwuw+V*0!Oc?x4bTk+LI~4_`k{xsI5r*V&{hD)@q4C;|c87)E{zo$phTj zcIdvb9ZSu3@=MjrYflGfvAf*Y@#m<+Pp1A~Uw)IE{Sirt!V#MVMIxT)p#pnoi97V zq3mYIjfnInoA#pbSZ}*dSfiqCVIgns-qb#?LhSIt?+r1T$`=#f(&n@DHDhd?sRVY! zLZRi*&}N-HcVHMJ^1_U7_kpQ=sY3aYiLDoXh=eC7n=^1JS^d6B^>VB>M*-KDr)v4ePF&C*(hNOP-4d|+(I%CvM~k0RPU7{xkBTf*k(ejH>k80*-EH zbz@OWAO@(zY3qHi!Zt%d4l+tfr}Xtz-nt6U&ghAuP~kB-qB4wl3!dZCqqjr6jl
    bZWLCZI%&gMX7ouv`PyVi?~=$cB#XcC>qCrZK=??<~^AD+>DkoRAsiWS8a zpy@_>0-i(3#2%Ns??iF$g$1oSVzf#kz483KAqW^KpQB`nTk9~U6A}sjPd znDqU|*7#_Drx4$}s1AjHlGZ#ychGgZ*&e4~wqJO9D7Fzf+(p7ev-8Pt%`AoQnCL6X__=Eidqn7`qJ;ozLs z`bNHYv+fZu`6Uaame$S@swa18XrMn#pd@yh|Or{0n&k|ndfuGzQ#@E&6tKZTG#ak-o zXVxyslc?9Uo=UW7;lpq$EY-I8H>hZCRwvCYdqo_V>724w_SEK1mEqZfr)Og9pP!Bc z_h7Kxz@08t=V#P|BR9vFWw!~5C|t~A9Qx}G=~xEHAnYx7Q20Sg z@TCn_6}&vF=SJSl>aHx?W4cqla>jP>LVxu#mN zHLjOW+a9>A6(zrmhl1*qNm^Zqvy8O0)xjG8lKHBaBQU+dTsY7ve;r2|DiSe!SKp%m zel4~wX~RqpRLDQ=j|~L2F9p}#DB}^^62Rn(3Z*-Pq%467$i0mgV5dp|p%1pOABbVT z;vBx>fNA2s`V|ubkt`8_+GUvMwjqwCx<_P69^r~F+FRdcY?ac@{USprA#9oMmc&t? ziH<4+Nco$nS}S4L6YKfmP>ka;y(xT)&Mi1hIvgHrEa@FhH(sIU?FDy|J zNdM3hn>(P|ilQ%E<^IYv^651PT2h(NWU$uoN?60y66n=afqoS+RRt<%iinmZwy?SY zoc$PEeKIO<7#XEJO)YgC9z~_FRma7k5YEDngM7m61Vj|Zv;`BKueBJT((mZ4N6_%_9-;+Sv(qHEmx2PDiF zQ7VreLm8%2`mdhQlA`OFwLII zEUT{{rnNwJb|GCkz|x}yLtd~;XN$P;&QNU2^wY2jX!;bt2T^~4Q9C0+lKXp~QT!Te z-$P#<19_{Op*T+R<#bR^ht2)pU^dHDJ;kVnLoR)z8(eAR$?aMpxN)tR{Hw_sk^iem zjhrq`z+cbgznC&}<0)d<3C#F}G~zG~ckJ+Zsa$U;<^{|4nT8SuKOWK!mxu$OVTQRG z61U@c6s|q@McS_~e5Y~01^D@o>SuJDiYb4Rj7+uvkDSQ91llU->xPP9Y=&@kGF0W{ z#6ej;_NzJMOXUWC?2`Vv)9{3MIlEhh!^jBZA2}dq#&0J*Mi{H3M8UL#0`+|jUrE#( zQyH`mS;EV^r8x#Sn2n6eLxIFa`GChIUg<+0ksIA&byM&>IXXOU&Bsw+A&q7@nj&es z9Fbc4Raq%4-V|;mivlsOiNTdS`xv^8;Bs73-lr7z7w};en8rc3gNy}HiWkX=Zh_z3 z%4L9Qge|AMMz&9xY4X7OJJXH@>>==8*s)u6E)S)BMx~QNp4lRvRRcA+5>@Gf&wE*Q zZ#OvQq?8*C#*Be%*0IAUr(9wTv;4~DFu6FMf-JFnbg93Vt(&t3Tu`a2u!f6~h|3F9 zF`(q8HvLuT8!_qb+8D^(1A;*B@8g>?TcLQ@ZEvGawc=vzbw7Xv{ly$+NOYl%`TUCCM1#_*rsCC%kc6k|gSeeSywqbkZjL;FjEc&;jg= z$qw~^dL4&mi=@*eI3XU4lQuOqO?*2f5N}B;sRkP!UTnnH33$?<~;em`4ft`Eh{eM?jnQ?bgZFpcm{ z;<5=06gIzOsFxzpGc(d;dLxdXbp4G8&eC!IkT6(;GrE7|EP~)rw&1#fFP^D)cMq~W z**7kVPyQIqRO>ZVz#~4R|M6DMkUMv8i&3o+q8Wp?{r5{0T0(W zZH!Pr(!s`^^+tyi{Hh5Mi3NMGmgV@o%o=+T7raQ*Q0|um3lKt}uBscJ#8)KI+cbr< z?AX%(TWcP~Ma{SA_Dj@7g@&5(jGzoWsZ6EqxYxj}JSP7^YP}^o_mt{JEy+F=S|$R@ zBT$SGq#m>H*+ZTYbP(1=%L*btA1ne4wFl6kRoYM_em~_>ku`hKd|s+-F<(=dXRRk4K(dl1$;b#97V=$PDN 
z>(iS($X7WBLl~wn^5miqIuUldkKo#!rVg(w=RmAw>yw8WYB1@<1(t)K5RA872rM#P zz(b^5I^|<-9!4M!ZZN+I{31femyuSCoiO}YF}IMNrt+DM?DplqmOam!M=unQ)6Y{(Lm} zd+7>zG|-}bnl(RT{I@=wqrA>>~)5|hmM5THLe6v+PcHX4k= zxXHsY_xIOA`z9O-nE;Y* zbp5{oEvLMxkLlcd`Qo6B(koM-V;ZKq z##FE}BE~89+T+XAoL?xE@Df%Ccw?q^k-+B<*fibBST!V)T|pq(6_5yuw)~N*&W#Vm z`lt}u)*Vkvq|U((;QAb1ot2@eV_9Ar!XiKDK)MY3J6oC@@_6Yg zOftcgSKwb3X^6>KZez2Ad&+#IuKCxrPvDar%VvwQ2^a?}cu;e%RtYRY3B0VoFCW}_K zQK}QB>DXVWxn8k=srl7awn+4+?X3Ri?x)-HeT2^X{WG`OKl7GGl)iN#VpHNXOGx2# zb$T9sx<)X@=4ZrvOENks`rLdO=LBW4V6lpV9De@f*ujb8(T9nLx`+2>X8lSr0nU1e z+~gciPi2d39Syem#mEwG!-NF+LMhRgHqR> zeCush_mXRW8u1Ls`C=dnRO$29Sq`n*1pEPU+K#^Xp7SuIjpQ7r;#tu-OW>6A%65lp z`)5UtFsRG-IHS2PNzS-jWtVvSV-#eiT*j<M1_cWaE>fw-Jib7d%!FT_O;r^}$+lsCb%s#@?K` z)aB`WUd20}e^Ash9t#Q8+n z0K89Jzc9A3bIxe+9AEmWV(diUzUmqvZ9j1wP(%@-`c(fY2X2DP{@1^YQ*DMlu+@{! zllkUV--ky&xJD+#fp-4)%i}7hhDg&6)(t$|_INmMYE$NLZ^O6mpFCm7FgWKbSXccl zlKh?Hix^a`tM1(X_Hk}g6~SAo5p0RKgnyE#@tD&}lCKAB>2Fzi4Uh=gI!wP+JHs|s z8<<%kIir@Sj+53NP)57q=q;UVaJgNIGQWUD%~Ax`fVl5LyM4s*oxf(IqrC)|I&)7$ zCf@KeT0d}me4q+sZYf}bPZ(Zyr_|8Jr70DfOh}}nPUR@@?k?}rvFn^jdKvUBGoM5A zO21qtok_yhmZ~J2stj;`r;K-*)aN&n?1qjcy*Gud_U2BYp_`b5LDyKyHBn}~*LCPQ zIBwzzm-KZ5)YTzQo)Na*5AlC4$-#Lf)!_lTv-#0N;Wqj*57E?lY?uj(iYq(A`3_vb zFgBMUvf$7~A|}IAULGp0+@^u7lSA1C%6(Wt+*@Q7geTh`kD5}0bEbG}M@mPR4IRZ_ zg|ME$9)Tn~!Y^@wbBgY|D3h5}q)s-XeQASKQl^0x!2FTzU5YJXPW_uC|5PL;v!z^b zX{zWKgl-(}QflmH?Rp&Nxs;X5(b9|7xBF?F_Db?76Ei`M-Xe^D>Xj*KxllLpZ* z)HyB2uo&oUnsNJZLv+4&i($fA&GodEZkUQ4u~?w)%9OYqWEVYA9x$~YHK3xfHEzSa zAWD>ep9|Yeq1Hw}dVt&EGSJna;mnTg@@C9l17jjvnqj$` zTX4CJ?@`vOxa%sH9|90TJFaudx4)Z|=~GC^xvzPcWic2)@--9OZ}#Anjo$x;e3XETx*Y?;l)sa`J*_c|m7V2^5`eQ~O&uSR8i=fppBZ4b{} z@&o!c`FidEpgoL7XShf=9{0^A<(n*^$$~Avru%+$$im+=!cBaX0;d|D5eGnmA{ z3r_v)dszFv!C_Gon2!_jj(YR_Lv?ZRqlrO9V3&8SqgnI*q-_TqPxR4n+19q5W(WAg z;q=3njx)n5@5m_U=m##4Jt*9(b^&Q=?uv1BkEZB55YlbTaIqz*6LhjbYnam|^>``s zaoTn!n)Ifpjzs9R|I>Nce7PFDtb=9eE(S+W;(bG`nc}9VuRqyE8SL4-BU&BxOFH4p 
z8^7`Ch#*xb_GCQrItSeN`Y{kY)h%tMep3n4AL>b6&+%BeVJz>-?hjzWs3hSSJ=>d1IjKA);mua-?9)|sNI!47Z-@101?TmQ9+t$Yko=MM?l4{VdLnAUr>2qn zO>o!JmUe_|pkCxeZj2oz1FwXz!?es}NYCa1!mnRIDB_Nfqva}&z-#WF#ODQH%Hl(v z{cBk?;HAd<-gG7{)jz~1|2J+h-x=qON&YDz`>)Gql31V=bl4JK?W^B~J(j(Z9;z9q}RN&gq7xQ=1?PU$zXnw@q2KHkt^IQIZo^YnG-epWgi)7Fq+h2Md1pEWidLRd z4>n(VrvNHDp8K-ZDyUR*2MBQW5i@T1w2EF>L`;6Bax=BgzZ!pHz>O@weRZThC5vmV zSr*m$)GQy{3JE8^dU$txwYE|CZykuIyB|4e{T>n-2mEt#C@WjfyY`8H{)X3kSIPC} z*(*+O`VMFQb6rieYD*#p`$Vzl4s#Jhh_YJiz_J6UTY@8-x)mK zl7fXFUCIAL$MN@mAnAK}`n`7h@7!m%-6UPPenXa;; zGjc`xyn|8{w@g@qM+Z>(Ph4sYr5p!il$d{rpTERRywOX?#$#pNZp2lzt#_XBk2Yob zD{S2#^&DhFF2%-A16pUd%wxQzuScN4F!z`XQN%GD#9~8!;_q|r9#M)Npsf!zOUft| zXmEQdAICY4e183wL=BapTwX{C5YBzoOH5v)zT@x_o(2RUU*`d8b>3B6?YuRX{mE=d}TF$B*p$Co@?^n@aJ+-@ZcKupQGmrd9RXA_ZlCud!{~PF?!s0@UTb0 zd%&GoV&{ej(kKZots+K)H4I*v7El#kfmo_`}E zVNHSqyT;FKfa6L80t49VZ19`H zs}#`ZF9$L&c(g)e2wvYAnj@|G)t3mrBVi3%u}PUpAv4JHyV>FjCzu+;3^L)=1$^)$ z5))?*x!$2Q`uZ@|`mMb6AhcK$3Zh-?3vH{@2H_Yv{P4z<;gC8muckXKUP^xXEJR>}o^66O|g~>Bf~yL5tulY6?5tBB;1Qe9QMS?v4C;&T}q#ypknlt=nz3 z&=<;*W82S2AK4mYMw_`hs=84@2pI|aE;JvuasC7P==@N9eB)5oYX2K)6QxEDeQCs5 z0M4`UU_63zNLE8;sn#G*(IEi55~uj??1nG@mq8f!)qw2Y8k$ZiwHmUH(OFC4Wid_K zYX=^Gug^IKkkD93=S>kV#COQlrh?6GHD@}s!3s+mvQ2N|&qGPL0*|gt3QA?x3(GdS z<0{H$L8XE1A|$SUaTVNZQK|UWzllIfp8;8!7LyIjCwMXf0&MiN8ztu1IWlX1{|1to*d3Pb6kp9jmb1{=~1JBVv?lQm!ok#ea zb%%hCwwSj4x~RFq$$RrM5Org0&lNlSr<$O`!#Lbes>_|GlLIZ;r+d{Tm?o`aPXzfQ zJA;pw^B>*gUGtFd_EwOa;!WnO$65Q?lK&JEioHi2FY_YMUtNmi+3Mc1(<<}h zD)O0gXpSc@in!~V%tcdn#%{zZ$EB49ar?-I{5P#5Am}}4j!(Xm#fZp1qy2BwC%OGp zE{dYBdXV%y=xd_||Cvp~il^iQm$Ou-LuiubWLz53#N$9m=+eouk$?C{F+-?kX8cEYt*PQ4h z9Fis3%zb@R)9kNbsY=6RFZew7Bl~sY;sI+RhWZy^%{Jnr4Ws2=#*)00YFhOqEs$`0 zqU;qZb#(`aKe^q3rX)5AT4lsw-@)re3A`8w(-tRIciSm3QkWf&4QW9@J=D9$k30O9 zS*lap;Pw8PFn_#t{sslJDzP!rpZno;U=KpjejSf=) zEse&k%`wY7(Gp-{5@h}aJ8c!mbLb^=G}>eXU-bL}8>5-QKc(MrHmTdW6XR-^Z|D(B zZ664g#E~SJ&_368W${->{6(oG+h`l{Q^GD$sEmA+6#7?LYZFOVUTn zVGqxgwcEN&S!t}=87~AJQENV9S8oBsAaWu;Lw_bWo(*&z!piEypHAbucN8~WPljfR 
z(TZU$bDg&d{y%0~$fjYC&3TrnV-|OoiAmYwh$tHC%)wi2ISGAEv`k}rcu4F)y#33j z3$OVms>es~7mmVG{fET$WyT2qEGu&x)@Z||;#wCir2WwKRUTBxH~&g#&j27O+WAHM z?)8d|jivPEm*wYwsuHRbkM7Nv8+q8#ki?Mrb*gBaP{Oo)<#PNPNv8{Tt*f_~OJr~u zzpG21E_#heVSzWIvj^7U{1ofV7J2Y!3SZUmOe;_HEL3A1YJSa-hJiYiHdDAEwMQ%R zRQy+t@@aX@GMu=eH+|eJ)PYC6Gl|K3(!I9qegbVVzfZhLtUf<9EGMH=9e?^L`242` zBiX%e9|Kcg&5A^^*1^PS%E-mN|2BWCT0jXyp-zXpJQZqxGlt+@!bM*q=N3NN-E?QU z&o2!Fme8P!l%%9D5%g%v)c)vB7Q9h+6L?{b{LbfNx@Vp#}S-1R}Bwf6o8d?d;ZXN=S+KtMh}N;!&oN zd@&I9-;I;zl>L_7nO;UQl4}lrpjc>-L5yUf6d>+_Jg}v%+0tk4tr=wTj>f#WdCXtt z&^9&0~J$JPxmIY%!j)+=s+{~^x{_gfKBHH(zr&>DD0>C#h z$0<&1x^dug>TR<*dboK3nX0aiuh^LH%WK%V1e8)M|HZ%)=0J zdY!_H2$?o7Rb3>_lo%Fn1k^rx(=r=^zo+3Qq}s-5Z#pl>X!RG(R^KE zbUt38oRr88h50GeJ^J!jYu{EsY*PhYFrKYf0(qhM0z*94RiJY zSiCwgiZ0Cp0rn?FiI+sSIHQL*Jwk`Zmv<*1FOMK#9Dyj1%i)e{x)`XZwWdN!_e23h zRFMCz`w^i0#I@p93d$&}jc;V^s$FDsgx3FDC@*L3l^VPMs>is1>UJ-`r8OHpG8#RdQ$r>JIkQYdZQ`Zl}q7+MtU+enx z7MPEJUY&nsdAqT7cg;0Q>w1{Yel(tz#>n_j0e5@8VtuktS1&B>&Zt&Oz@u##m**|@ zRd^^z;5-u|m>@>)7{}cAY1`{C zypXoh-Z=YtS29fKI>(W~di5m}bLZa*+DD_-PpM~3u+ql)%xN8BM#U(BY!uwHm1Vsf z!pIUl=4|=9_nKfSDo%gIo*ctqX+YlZWP0ZT5(D}YH+!PdHS0fBrjKvXUp`P(`gp;~ zQVo>5Ak!CBlKzg?_JM{jMKIWR#S=5Sz1>QBz_+fi@o5ZJgRo?*K9g~UdFg1bkz3fu z@^Tr+w=8Mqg@=(#jEwT5QT32$1Es5$zZgY0uY;R#bAPu@P(2!3#*mkTpnUlkDFP&v z2o%Zrrb2$Hs4%H}grKrp7n(}FPTZxEZ>Y_*K%N=D+?FgzC>S)cD&!dx>S?$lFc!n+ z8KW>F^D+D&!VNmfPAT=l>6;6BS}!a05#B~b(_!}!UDqPBIdk|EHIDql5yO6JuO3pF zayNS@j}jigZ~QOpjxjY|1C~M-x@hJssANQC-fl^}KP3&#l1!4sm+uWJd$>p*LYN>a zVvJ1Q`PNK@Z6ZJN_N$RIY1BLNW@d?*)`U}FDqWbPtsZHN&)6uy`y6C5Sue-*91aU4 zTmkjVz5r3FamIIBrGGS@`d&Ua>sCb`;X(A}`C<~w zZd$BEXv%I`Nbo`$AnATQM3UPYd_-%XVB_5?ggOB_ON~!$KIv>2tB2sHQ=2`Hl7L)ULHtwFi zN4arojRYYNe}Dh@cMS1=P)XJa9c!hy%+#ROQ3xsw;!yllO~WcNVlhpn>I7IGL<{C% z7!{?wUqvW=+V$aB-T-x*7(HpRJrBmD(1AoEha<- z>dx{^l4wodKC5TzH0@Q(Jo0@yVZMaF&SkchU?lA3tAc*_u7;!uaxdzBQAe%Onwf%X zlu@0lSM^3j%oSqMxlj^}Ln}dmjxc44^!De+_xWa16}nOYbaPUbJ2Gxj z0xx)MQd5zZ7XlX0C*~XJ;QYswNHR0qR8Smb+g%KAk@~-i{CxbzL5KSKE;}pxC~ncq 
zQ*1B4VH#Cd0}T#9WivEPMzR-YE`Z;Z+bs_Qq4u0D(#Bqt4I$n(rlb?b+JmXEvJP7* z&4^r?d~R0mP(%jaj^_>P&Aj0_es@qEN3kj~uY@gOH3{1Ag1j0MuqVORSX1R0o?=fF zLYFyJy5468VzkV3E|zhceEfs5|6WSy!BVG31+45j)2U?lI_E@v;5&vxq{P=~$`X#$ z6FbZTx1pacLY{-NXF)zL6T#qP5&TD{}gfKQuzl%95w^KD!gO>mpc*T;gsQF-K>=6 zJnz|c5;k%ZhU;+DUIJz}b3?-4B+1@oms2r!a6PRY8#vob9I5Veez5@_SX*W6;Pn6z zA_%#+Vzh3$#wz(U{6Kh-KlyKfNnI_$tzR!WrGx}L&uaJWma;wRT=Z;|`=JC4#}Oj2zje}NX{p~^ zCu!zXzb-rQQ`WI{4zThL)D(AKgg{@AmzNvr!H`_BGjrZTX?JNQywlON}b6ZW)9 zFl9g1GOMrmb7Gkr74%fBe{3?l`qZaicNB0E|mWD{~EnK^vmVcB#L zo2wA`+%Fxqp(VcUbiQ?%Xt&bl4SxrPF{`RGeOe~eB zH@FNo6DGW6=ugq2I=dy}W5aQ~C|1f8@Y(gNAFA&7v`z`D7G72tae~ey-kGovBvk^2 zQi(jYl)G!DG}Li+e$CXC=ihwAv_Awu#1y@>{~+sdCHHui(sy1H5!@{e4NUWS-uSGB{Y-3Gz^kT=n;muA!pNs^ibvWS}HkEYr%_iq%FnafGwI~4V&3V znlqX)Jjm-*#HF%c&vr1I{as;2_}9I|jPf!kE=W=)J1?CZ>0|CQj8;I6_&1ZEZ z2Ve|aBO^3%l5Do}vp&drM~)bv4lckac^K8-eI2Z$=pu_mXx5y=W{>Y0$1)k z79ka19C3HKiSE$m+bvR!39s)vudlGM*8Y@p;^w7U%qNT;<>w)La&qIsbHl3E*Fgx? zBgT64l+*b^HX&Nr>rUg-uRNLzBsMl9{V8xR=<_=obCx^u;cz2w{KMPY3GvsQ{rXvP zFA)&9j?0}vrcj?_TjE9L1-m*~Gc)6N%tyd6@5SxAxs!B>_hvqaEDg;Hw}IMIgdg!{Yt%>tD-q{$s;EEk3 zes(q@Zg%EorhSJ767^74z`A|xR64Sjqxxj?J;1S@?p|m#L9zA_*NMFq)$J8S^=8RG z_3y?w^&hclutxtdU^)YhcgBSk=FQIdod#+ige)%zK~?le7~>IR=&)B z?WPxo^tz0R=teYJ<6w=E2FHZ=V%iHHhE4JK?<5ax(Y9NRiX&cY5+0q3B6t4-c6=6t zHEUE81%SIFZwp|KeAjyC?G-L5E0l)6iZag`Ay*|*!$UqFg9R@M`OdmYAQVx!|F&Ev z1HrTOm8T**VX~6El=Oy@&xUc2&|LL=d(YIEHuE)8 z{vP0vuCF?0d?2EV5slkhqm0L!BY-sRG~pIoV2KrpDx zwX4UC!Aa?Hq;IYr*SPn8`Zg}jWt8W{JP5)sA0GleUCD?0gwH7tq10`@}}+Q%LX_4W^8^<^anq7&O}rZCeH!tmF0q< zq|(OQJGB`IDxidV3wHR2>&aVsrP8u!OVZ9gqxLwxO!CUca~AJX_pc?OC?iQQM;T3m&=C_RE{wH_)`Si{->}E2Zyj)f`j1j1Yh$*~Qma z_lIS#S{gXt!oJ_BIe>qL(1U7w8<<2k-zEapRy+rTW;?$cX7_JW=h+unCz_-|ZU+pO z+!$iax3h4wrjvI5a3DwCP-xNBZ!SAA4}vXTckJ3lY2W?j8%o#ir9`*9C%fl7M9Anr zJb=B~IQvyBdMK0dusT{*BRrGsT6aF=iS1}!{H`snG1WK^D`VxnZ@WTeb+OqmvMb|I zT`m0_CPzw%|BAc6^h}r+_gx25g^FodT$YT7Co=+Y9S?OL_-c)0p~2vq4W%FJtMy`! 
zEfp11*BD(pa0vWa3@BDVdxR#W=8h@H4}LE6cWlxbp;$GAeB}oHs>kg+9rAEnF*qK$k1bJ%_3n&KTwNX!!% z7o$E~NJ!#y`OWnKg$wWjSYtR?h_%@cx_TJ15wA8CDwpF^Ka7Gqau<7D@Ke2VXo({L z&s859%uFY9B4b;RP5dNS09Alu-ASvv&vO=Hl{bD%?O6&S@Mxy>2UoCjk>f0@M+a>H zS|bR&_r_4WhHC0Y=}*U1X`-BIK@3l2P%Oe~-hfmgrsbJ(3dhsNyvaL*x6BvPc8Uhx zo0A9)o^(17vY93;gFkexfJ5cmW7GIq`JvL6z%YLUsF}*yUvHYBzH0VL5QLU36rMJg?0_S+wE+90t0#6l_M;QO?Bg(1rrH+vhBDyux zbiR(}ypwN82%V5TrsK}wK17DOY&{@r)ZnPy4r86h;jA5qF=wq7+E>i5*HxxW-;|&0 z#`J!k#&BfAAR2WkA(49UVv-yUy88Xv0{;Vjz3n5wxWjeq*fgKyo6_ych=x%{X*Zoc zmts#H`YZ-(?_)BsWzZaUG!dNoQaZiKV9EXSXRw!vY}{`csMBDfK(E z*|Z`&QhOru1n6y8v;EKmaO%#A(EfY5i;zDJp?=sM8pzEaNDnlcQ%-$4R^g12-W@)H zk-aHvO+RTm+r)>B=Is@!frYPizh@T>tq4TxIi;~`AVe$QVdG%N&#_S?_;!!A5Q&tj z=F=UBbc$S{g`FDVuRsFY%%#7=uZ(+t-Vx)XF_>Sh6>*KI^B=<#9n7Z^K)B#d*Z2nw zokfT{vsZnCyPR_MwYgT{bo`_o7El^09K12;tVh?M*Gp8J!Q!hH^t;1ymrkhL{LaAX zP5w@59xAdK(yrso<;%aq;Ckf<@`q=d2*s~KV6ipB_1Q*8@H#m^PkT}NO1sUh2!7)s zc|;h`u?`QKGvx@XCn2jd8%rK)e7?l}el{q8)gIMZxytk){_!xmHL#F+#*8~y?N6zv zb;(D4@friP&v3~L&l{4IpY4k;1#_RZ4L~LF8i@klo!-utO&^_O3CBb7sDG3pL`H6^ ziErNzTUDkdhHlcQd1bm^n>!ejB9sNSi+^Z--39M#`XVgLhPvQ$c6TtxK2hO=Q;aIq z?ujkc#v=ErCl`m5xE|X^eM?_xD9<~!pS@o1$o%Vq9wRg6KUhG4J=K=XFmc+9gj6mJ zfHRof#$h(wL?iwtFKnsjZ`o+4M$Q=0W}7&))chwx@PwFZHO@)7hrNL-L6{-_$0JXM z$8RyHwu}s>*wIYWJjU#~lp z`GYv)e>ju1>ntl&Ry>T1biMiJ`*vDbIfrjLL*B>~=@=0XB4`n-r}j8Lj&i?}Ga|X# z45v<^5$@7X9A^JMoPs`A4>t|4N*S)bVS2Lv6vWm^>HWT0kXQM3R6@MtuV}%AC(W57 z>Bc`-e;Tk>BA!VHFUOn~RQ}4XaYFT!XN7(dphc|xWsXF>Yzp^eQ<3~ixd4y)ZKmbi zD=FuY=vu$3MO$iWBk5n!u$kF}1alUjYOcirN}fmuA!4}3h++sKp)d;Fcq@hUD&5CI zpa{BYb@$Yi+$~`}G|)^`dMq$80*58c8q#x;hz$(#t<(3?UiF%npI2k*sO$b@I@b|< z!d=TX<0r~tbG9Oz<9cHGKfo$a5?wMKx_}3s`0CPd&PRd?3R@)Gu=&wG;Wwy2TNH}= zXqF1=pYPR#Tp%L;8+Y_h2hGwT+>_wf^LP{4(S*wRnMaDPLN%uFhg) zdN_vNMQfBI@=5YjRvW+%oAENpmWPQdDOR<)xUv=VHEQjrGJw=#lOgi;`IcD6zIR`M zv?M+RIy5iBvh{3!LUya`pM&j(fC+(niK4hy;%*<)&`<*LCv@<5*(|DrPQ2=+lRKUxC7R6Q9xZQXRHPmQ_VGlIT0xQb-0mu8AdV+dUBZ@+7538(|9-gsWVnK-1oud!n9o z+_7{-5k_oO9Ps}VI2YzG|8wENzaIfjD^MbpT)sjEtk));}&7I+|f)q@>o)ad$7WD5`AQ; 
z3Nw-*0BdIv}ke<`2h%1Bb=_{s~|K zMf`@P!m2_Zk0L&wyA1@oF>82S=d^*Y%$lS37nOvkQOmwqh-&dKfxEI9(i z8jFNpV4bXF@-v-?#<;sw~tUUo7kp((U8uO@^Pk z8dWwf7NTf55L(nI1>@O7cl{0}kuuw3PYJiq*I>8HW3bf7Wup6Ikm;AVo@d@AU!gEi z6RvfF$}pkIB3$53BCoM8e`nWSn1V~b&=1!tBu6!N1c=(=t-JbtJ2?4SrzFwPs4RAv zZ$c?avT$U@{M`vT6#LEDi2J&FthN@7@OzB;44X!=Iv(2{+|h;%?A>n*UH*wg3882)_GZ)(} z8L@*1uHL`%`mIzsJC%`lC4a6vvP#0dCF0a2D)xL(z?rBjcxRBevEQ2+eV%E|=s$PS z{-xDkmfsWRcYKqI3sWuB5crZ}g6ohb=87ukJM+z2_k0`VOc{YIo$>xQZs2)EIYO;t z1YJCFJZrr}Xr?(NpaPdpcXqt;%U#x})yTopDm+z?|DUj$q{zx?1RI{~&wF{EhyGg~ zPe_F7;8rbxVW+4&TGRkBy^nQ|O9hwI|4eX9m;6f7{(BeT%aCc%>T>g)r885onsQ)h zs<%jhOd~1T{{{npgQCF^SKN^p#6OG&YeB@fdXOc7e;}VcOSMXh#(=*I1#eZ=J6f3& z9p+jhMX6M>^f4oiTum$?;Lof6+q}pZnaE5FBQXX!9-DPKv_@ay1mmkwmH0b&6!v)%-zlJYZmV_j}MGYj%#rMTNw@X6awGRm06-l&B61{+O*3QvVNNvNnCC;+uHJ zD4r}qNSI+Oc*)UkkmZC&-%?JSr`9fZo zL0|d8E?3;nQdC4zvhK{d$r{l!%cU`>4B$X-ll{GYmjzKUSMGAR1w(SmHfCRvB>I_& zH2^_i@Q2;0pdkx)vvgfjPlU{67OSB|=`3lURzz zlLV0{A7Hu+Gt<1~jtrJt7*nZsD*Zy#jvFCURe;dz$`8|q_`DOK{{Mzw&YN|j-p~5b z{aj4eUfL6rS-pO#qph39F!5&&T=qHieO>F<0ITt-k3mueo)o zH(*aMer*8!7?&Db!Uc1cOtK3(vXc;okALgAWK2Yz*kUWRvR$m`v6hD%j1oJB6MOrpIerq;WM&HE23K32eE zZtGozVNP#ZQCRVyG5te~AF_J~boABk(^*nV`5Zr|>f*;((cZ@yJT%$S)8i3AN)O{> zg`6PV=A_1@1~sp981ZV?;M>Ng1{8+19O`LZrf0;~9y;G!hsuohX$X6`pQEsJ-YN_iNzIe1jpfReF~cz(i#-n;q* zsls!BRk|mqi73)(F>cY*SbheFYsh}2VvAyfhm6DQs2{T8PKYb^?S-sInp4|?`H07* z`Px;Ml>IL0+YWNKq0)3jJ849mb<(xayotAw7<{* z*B28th8Jdexinl$mN|4N#bSqgwR17V2FXo*Rw;ok4};N#drCC$>J|>t)pP8XJE*oH zfsy0k7&*h@Rnk5JsP%~~uyjoHn7X%+fu6W%v09Pcr+c7W?C_z3>b;R~??pGCz;@(C3cc z+&(?&7|t#NOBsLTWOd?a=uUl|@l9W-(?lAX?4QofD9bQuskI#ZCq|2=MHeesA!3n7 zf+)Q6upI-+eT!49&?XWSG5`qh_tQ^Pvitu&k#IookEnc9UkW9wKKt$lTRd0x!>xt4 z2cK-J5`@Y|cfK=v7?WLR>qtRU--wDul1%GY67Xq#hE+FqMb^UY9ImYs(#J>ERrasObE#jD{7 zgfEhoF?_W-{xT$5!R{Rz2_`8KMEFJR3}%qp7_;7Lxjw^|gNdt`0-9K;V~F*%>e;j@ z1GX?}$C*Dq1w~6CD@zo$2tdFr-0yQHq`m#(3PFm#LIuL|PtZ`G9^8BTD-3ns+JNs* zfK0D=Ma}h=PdYx2a{>}D5#>Mc#W?e@D+2{GzmA4<+Oxfi%$=*PYn%o79zG^1344o{ 
z34@sHDQtYoJ#2jO$f_~ht#7lbA3q`EJU%jiWg1zO&k{VQVnjZ9y^DG=`QHU-W~4Fs zE7pRtjzfBQH~e^y|Kw>&RI{=xTdA zA(p$ZSfFO_RQspJx#HA4Y#iSgc4GK9%&4L6>8|=DK&t36a_$p#!?20hoPM@``3@0z zsMF_aS4lL$#Yy;ovqOi=a8X^#>+5H_lWyZtZ&^q`AmT!c`wl8@cO{q*g|Z&t;kjv; zk1l}uq?=$H=g3SgYg&w3ZRxEGIcT`_VHf5Nqxp^7k5`%ziQ0tS4q~v~ztxrpDVlin zhZfc8kV7wim;G%w-bL5F{h%WeOC+uusx8;#rM;Jx)n$0N9GOpMBwrCA$cRhLC(6C^;N1P&Oe54TN24#P%0_`O;Yns{i z^J8}T;Bes32$n#DpkpEYYMm`X;h0#;Wb{ zf-EaR_p1pde~D?tcfoT3>2BlDM#AaU^cjg~szW+L<1;Mz6z#<0#2LlnM>|=7G!O5d zWNzMypWjOSMJC~5t{ z-~{`IihPqiW|{_u&=7Bt;F~*>=d0D0=)-k{Sz_E6fMphY{&&%rl$1WPKD|)ifWze)BX9aE$d7n>#H_8==-6oQRD5)o0c2`u}jeBsQPAd-qXEJ?=O=Js968Sfw? z+8Y0Pi0V$S+spW^w@Qq3NDOAXc@G9Jy=m8l{q9Tp?7_aXE_KGYEwL0o=L~5}2^6i09%8l@n;dAi<-`kw zChvWyH%!OLMa)9Q@l3@F1|@$0N{^h%WeSd>0m#*7V!C)}ZP-La26n?+#4vgnnpzed za5{ptk8*4b4r93r3PkPAUa@o~SESjBdeMJ8%nEe^%#3K{XwDuTz||A{VR- z7TK9c--?;b2Z9DqX4kVC?_(a@av(L#^z|7Rk`J5O?!-2@-hMTj4;7d%Wug27+tXBD z?*G@~L2o($RvqTd_^h9cJ7P;}HMQf0eX;4G2RbH^U^sS5xna_Z^f?)o{gfrSh{HAp z())_yOjy(N%e5Vk?*X@`{JO2Sn%zN`ZK53;|Me5wqcXVMyJA=U^8j6!5Gv%(Gi)7_ z(Mb$!-H}?nPI$y@R6rwB(Ym0jhX>E~5@*T{huPgv#+YQ|DH++Qk7ChUk4vroTMUPULNXxvRNwNR@ZZVl-nRUMYGFDISm%E2WM$mtT z4tb`!Q4?~?PJZ#-9ZO>l601q8_pvoucLn_~c=!KBE9ct()FojVn_Z2rO(fJ<^fv^K zU%dmdF0Li>CNlTE>aDCHQJe6Nl~$5xb%xdZfdRGFA0So0&OY-|$&8B=mx&g_-Gd}w z_KVo*!3$cx63|?0G#He4=Vz@Ra^gU ze0;6-a+1mela0&>I?}wRa-X-L81~ZSu1bCOb5kgOjs)a?K#q>G{WQXmevWu22~kAs z%sRJYpTSqTc49K~bV|6mTrpOeq}#gQzneV%BXesN&1KT+*h<$z(6YyJ=3#DKA07jjBFzOj*duNfT?Gf}_{COqmm=k|o0W2TE|hI)=H^@-DyWkwUv7LG zcqzQHU*wk;Ff4sLxtlz8q5RS8)WQF%}~2DWa^V< zc9*~ZS+E{hY=bvdpet5g94A2gMNo-WE6p$ZjPF^BIgVg}Y?E8ckegMR0rloGaQAV?$` zwK2H&Ojj&khl;UWbFS~g?{73tzlC36m`Xi?pq3}B1+~4-6}PTgB&wMnBHKqSCPDMl z@(pH7@%N!T&#rPTdp`e>02>A(WLNR-Y?7%py)%ZE=AP-;_?Wkj!Qs_JgVjn< z^(UM_$r&0ybhs=V7Z<(-o=f52IiLfsZ4hGzmz;c5 z(38Sm_r;~jVi_G3n8H=cYN`s&>deKfKetDl%q11r^-nRQ>h1n5k%&@L0Q#Wra~93m zl4CG;WnRg|U+c1+)>mo<4#X)mU9;RP)@l4v=z&IZM`z^Cy9>cC8cE#2$ASWY*z-}y zgFq1_$R!hRU%7zCPT1&u+ER1P!FXGFsPk%nXF5fRd_1;e_K!lp7X%s!`;F1mBL^i4 
zHujp$=$-Qw1$BfN(W9VLTq-_)zDK%(?Ldx-t8vLt1s=QIyG`k%g$Y~`jzmu9f`UbL z4@J9QFG!nRZ>}YP?aOdu7`Lij&GIbN_bc>h0$vi97hYL~tSj;jP;)7W|4do`hCkd8 z-%RZz9cCNlL|pgr%tVBt1CXbFf&Fh*OMUoL?RuV+&rb;S_WkL$_{&b`q|X?Wn(}*q zDo%0E=Vzv>t1ZhFV`ta>ueNG_9UvN1b*F39=Lo_P+JHyN8gi@maNv*<;XQV)^H}{p z*p4=)Q#JxIsfh6X38{=RF@<)eos*{$ca&RS`5M9$-;*YlA0aSnt+)fL*R?;6!*18%2m@p6bqt%V zk`q6x+Xsg64qLHau@f1yw&F2EtK?Wl^|2artc!mkRIbPhw?mJ(5KXvUHKXidpX6`a zFdF;cGy@3*F6>Q9p>jxhd*GYRVM1i9?M8MlG#@X~{}G}J|BZcj*_0v_%9My`L)EFa zC{WgvGw_g7eIU(4n89x4~-68fwHEV0J@x%f?N<5^cyNQsBCWP4_>d%n*t&h0XQE;o4aUkndZqxiUX!US9=>tPDja&456!aiIwd2 z^gf-G;=2x5f_|844>Nc7%_U7(>eT0Y!(uyXkA0mO)wpW_PJ<=Gtc}F~6UaLdF-mtz z$!9uQ0~!t};I-10sHWkqQ5$&H#J$ zrXYU>3Ijs~Pq6h=iKk+OoLsdwtb#Uz-G?dZ$YIu*{hvyp9W|_Ut$&29aq|iVKV({G z)jVrsbEw{W=(hH6_8LB1?ckBJr(kZ$i2dzdL;UqoHMncz#_O*hJ-@BZ)^k(Ynh2M_vfCpPTdKGRk8Jz;-iyVR%njm;f_ny^(VCJD3K(3NL~ne8Gof9 z+Wyc!=mJUQbU91VJ0@=ZDOGWb1f+4KgA|xYVnRN3s-a+SM)!e13SQ zWaBp9I#2k|pfFpIey|r59ynwYrKWP+fc$SBEL^2f_J6k@#-P(hMd~vdvA15^KRAC` zRCU%EMES>WyD%6l&%j0ByrR%qhXe36dgjoR?TjOpB)&4XY+;-nv4-_#YD3>d)N#Gi zx?Aua$&~^8G;H0XpWJRfV-@VIZVWC1?W>?^C&Z!_K;g&tp;GpzDj& zZ(Sf;!wE_4^>=D&0J1ohN1?8f%=M0FLi4JR=H%H3^uHsR{s$YfLg`29dir;9Z5-Xj zlu?JZ%b!W6S5Rqtir~7rRBnzhQ*8;DRCFEbc)7-0KJ(^y&{?bzo{!-!_8k?VQRXVM zAD0wM(RW*cBCtgknv*XnAQ9YG;=OGpE}3bN{b8}Lwxl$Z{(95VUInpbEOj2z8h^sJ zdRMQ*T_dp(5jgpF`Ro52UApH9{jJ8jKmCz)u!>eT?F@6EmP&Gc19URX4I_Ifq^&F& zmr-bK@jy`~i#7_Jr5+)-wsqSFU}Usc+taK5C{rD7?PTU5Mr{=Y8KSSJ7jnUplDVG` zwe6#zscDGmu1Bnp4dSDEdC=>i&h9KvEa)>^?CS9lnf5dl=#+w*tA^&@>7g3D3`sxz z3KJfnerb}&?V=B6@5#yphcVHQm*sj!!bqhir-;a| z7MV!j4_pC;FKQZCu`xKOrJ>Q`i^HF0Q9yie#y)`84pEL%bv%rPHJ_CCq{m6 z*?jSU4@UeVy;>vmU{n>i8$3zZa&Mqh8j$*1875tbr)`i(=HaexOtW-X^le!vdv%I!hO468Rkq zHOr^OWB_y$VlPoAX##_E+WB0CD{$3vTE6^iDWUMl?8~{zi=CDDLpD!9+5!OXQVN-h z&Z;7bf)cmsb_lwcFZqj=H85sY$Y$;Ftz$30R+@1))EgL)D&b_xs5mBF|5-V+g~&Wy z4BaWn7N)=0#WjF=u$7tdi0XPwOTEmRHm6Lie)f($bBnHAs!aoOnV7{biTZOq8WmI5 zu0h%}49}%NpHXOh6bezCQWruKf_wOzdjE*hSj5f|DouCfQ%H#z5pc7tT|;}1&DCF0 zRI)1?I&MjSII 
zH$)6fcexY8TNx6Jbg#Wi#AN`2mOy{ysBD(z0gYI3Ij3(|0{7F_!*IpQ4onlOQVe04 zQSWM)*ZQb<1cS*3kJ_9$s*$mZF2L_pS^eg(+b(&?H1aY_Z05amfrE@xH;GYw%RhOV9;Kr8 zYM(lc-~NV(?i$Zt41m0yO6$9we)GDP96Bf1pMSZPmgZyq$aq9klfK?hrwc9FvsMKF;hioRHAoRhJ`-D3f zOCQGQccv!LIUF}KzGotk5m}}8n8r+bZbAO|sW^fnwGyrI*H3`+;A?^9SY0(Q&1;hV zHS7m8C}aEx^CeK0W_fk8U0kMr=?~<-Ll)%pFMm}nZp_d`17ph3Z~3AQ_9Yoi{yAR0 zs}Wi3oKBvH^ZvGj4Y;xuA%|NRQp~TWte&T-Ka`(`ooZSZ>16~LAk6d$Y^cJel9A0E)M40`6239_(H6?x_lD;Nv1-uiPQ`Yul!8@>Lewb01*9 zM4=GAaA!{`b{43XsW?;M_{!isZGt;;nxaxN>`YO$gZUKZ1mFK}o1wm@vO z-qkyM0$*wjK2$#4YEY?#H~pK;5BVOKQ@#rT^UDlkd0BEU6{~%sm@s=qwLtrdxXjEt zXhnl4K5fQ9jqgMkhLBzU{`!9SyV3LE<*ULV?PmS%&0uxGCvhj5=Sig2z*IvdAe%25 zYjA|g(RR}>*m(Ga=_Lkpkc@TskdEc`d*qk?m6q|z1su>uH@JFe{F30R>Xl|d;ZV=yW8z`zscyMpqtb8E74c#z|s&repF^OBU;B2n)v%;n0W7Z2wCI%$yl38AAThX647Y|3hx z;3tLmusuT(mBvaw!ax;NP|`}Wx`tB{j7hbzF?E3kHRkXM>#AACoJ4y*$(FPJ$90}! z?442W1ZV5p8Z*VTl+zV80)o+R*#O=Z8o;wpxHC@u0$*GVUS>5$7uz+g0f*R5O6t?J5N z)!svvZ3H{CfAcd+_SWEw3fq%o`DQx0p=o7ohPe3F$b81)ez=s$CrlL+T7=oGD?i^^ z*)iwd&|l|WGb`s+zro>u*glx(B3fjjhh!K735V8~9)}u!hEf*>FKB5>*G;hD*Z9G8zc#vxDSC+=4^|BDhj#or)@WQOB zYv`$~u41u`)kpMO++3orC-GNh>G;USzFmWZ&Rr)4l;dpEQL^THVcxzDjnD zVOTlUAi|}-dK+e6hdq7x&45IcOOkP#Gc=|kcZxxIWiE*lZVPgkp7#XJDWFu;fCK+X z_Ade7w0M#Ky4fyW?KqK~4sdV}sAc{L3t}7FGFcUN+3>Y)^Rm#2NlU;&VT{Rm;{5dD ztotQ#h2~~X&YHh#tXeSrlDJaxjv66NnLtz(N7?F$DrdD{=cm2-iXNl&s`@lc{E*R> zBz#Dw{jvWNSkjnjPX-S@#_1^#ti-0(18Y{M-zIQZtqBtxSR6{#6AkTFNUmGRm=pw| z`DchRv3ZHfkrvZzvY&@DYRTT*#NGfMm92k&b@i8?o_s1Ly5vtfdODk|c~qzTj{|6A z2HFTJS3imH_U~gMm^uU`Y+l(DJEu)=I|R~a%OZ0KS^Z-|E3&L(LX#s&A7EVahwE5x zc~eJij4+yPiR*Ef9LQKB#}qGL>eIvyMkhXVu+!SU@kHWP@0_`DzRjZ$Bd*xr3l8Mw zvcX8{NE4~Y``0OrwSPy3gI~Xom*C?A7w!nns2#{iCxRVm=xS|F@a>d73{K;R!^r}V zUU!WP(23J`s;>(PE4kvpKt8~;vLs=Nxel`L$%eeSgvuotEVz@w402^axlzm61>NSFaEsdfk09 zCxX!>BSz&4CDj2Nt895BO(UH{P3ZCsOEy^n0Z1wi3Fg;@f3CZoM$LN`BaH5QCn|13 z34hW;C(naDkFg(ODYPdsjdu{$cMw5y-LPQk+giUrp6WGKw@Dn1TeaZpOk(!THwPD( z-a&cCuA7xbi!vVzFjy#R1kwdDlh{q#T4CBR_G>zX(lJ4=H71I!H{0_vr~Jk9cVy>j 
zG{G7gKTD}?0E>l9+P&2hS$WP*^=#s`$9%}i01udvfwOfR@&&WKEaox~qqCRS;rV;Q zgr0(fBqVre^pXaPeVVTtp?0vlf6FUa7&aeHE4z@eydfnYaXE04BD?Uy`O}&Ksv4b= zl#BM~n~;i!g@4XIuxg%oG>{@kssSJOF};NSL7gg372 zyz@u0DW{OkAu`bh>DW(I@lw8LW~em0g25b~wfBHkQ@fa1U@t^xdu+#3aqrXGr@o+}gqsL))kzt%u)f{zs;G?Z-9!>xotID0}o* z=j7w&4r(^>U1*HP4trnd7!z6O$KM3OR%zIifzOGD+dR`xPw~?Eo*-i=*4^uBJiV~D z*^nlRo6qkO9BC}^yML~ibdgHJLPFk1LY!Xd1pQjK!4Sqa1&%&fK}ZQx^!^W9?-V6j z*KO@qy3&=ljY`{DY1_7KtJ1b@+qP}nwlhz>AI|yD-v7Lch>K`zwH9;6Sfh{r^rVZy zJ{`}mV(^rl@m^jZ#r++xmp^d|WODZdjGg2)qM$z@K35A+$@ zU%a(9ndLn^euuV-kpFXyK-^qQCZizyAL~_y5RO4ekmpD4gUUtJx~NRQPaA2gXeEXh zLrCEzPcK3*A>rUq3Juj1qWvzmh%u)w#Se?Bn6wR%t~_eTWjhb|Fw#KiwEw=< zyV6(RpWZj<3*79{`cE-!vS2z$yYZYNzVu$7>8@e0N=Z0}V$o;X-ryP`Kc1 zU-0qTc@ZW?a39LM9<`BY)(ofGh2$V=;Th`i`Rl3eK+E@cq5r<*(|aHy5|(tzww|#I zW#o^MG|6EyQy{A?NdQ>Ya!T#vxS1~s*Li%}!FbXz>5?NtLzXVf;$4<``=Y%|NyYf; z37?uL=p@`^g=YgCr#hAvvA2bwpCyBsm^3V<1b?F$HrHA^6;K?4|K2zKC%+W!c8w)0 z>BtTE7y09%@}6^K;rEA^D>x`3s(XeVi@o`$V_Xc%<@S9BFczp!5S)B+r?_w%Ei77s~1X+rCfu3&W}vIX=n zV)8Gkl~o+cb44Hu-Gz77JT7?q15Y-;^&&=#WW3tg;g?doP|aMG;^PhO7vX=ns!?9^ zIOHlTW_ozO0J17IhopY7#t%8j+5v5@L7RMyBTZ}Slv#^QHGfaE+0g<7q^}zi@|9$P z{PS29lG4RzYM{s45NLc5%=;lRfn6(_^!Ex3 zBM_hTrku#nwb^L#xC|3(x-T|AjW=0-!osx?gTFQx!W6qwBWA$Y#xJ zj)Ka;{O53XG+beS|I&Q`23MM$qU^-1y!T9d*q`94rBb&nZeX9tMqJpnB)Y8Pk$9D- z7aI{Bw~+_C_>DQ|;U&D!d^TLTGLo1J16pae5_s41Xe~-mC{%aL+Gq)= zy?mC$*zj#gZyv2s&-Ay82l}1S-8bSydo1rD0Hvnjow6S45#Baapa*>cPBXY~Ep44g z_ymJ{igU8WsaqUv-0J6_XlJ$ zO_vQwa<4Zw%e;>!`&#ALsMAEt;|@>QeV`Jfrws)PtRVu&dCH~lg05fZO3}ivIOx6k zqzZf&+<%T2EBBtaJ2N$94;h^+D|!;Kk+3>@OF(d%G-**(*oD`C9dbuayrmBKg=5^N zA}mdXzxe%@+;+mzswzNQ#%Qu9e!MSkm7ts%ECuBZ=9sN2#L=k? 
z-%C`_Hb(L`b}Z#ZUn@hHe7_XD1OV4BB7CW7Y%+VL17@i)Wx8`!dFxHlH$ zM*i+B#@U~C+ze7{d!y;+$d+S1MTC@5#4r8xNJ-o3#)y?(O~%;K$m3#7EH~OlDc|sJ zQ)yI&drw!37>T8kbI%4SRs9$_k=m{CSigR!0{{C@ln^h_IzUp)s0)29kQ33!d>9GFfIIl>%S3&uqG=D&WJ96$dJ6`GuR0b9M`* z5wp|`#at~lzuL3+5t^P$5eQv>y_nHVWT}pq2dt1Vc4w2!&HUU~s*8l^&`PB#vrU3D zN4#?~lNe>}T-%kmd9c(Cl22Hm81CmWSLi6X+2qwjQ`g8*V;9$mV%*oU+*7dP&{maZ z*AR7qlq2LCL%-d#yFVg|jQ+k@g>GVfTY)sm!-zMqO&7jI=A^-PJZMKlp0N;Q&e7v% zJD0RqPp3(AixX#L@N<@ISpx>5ngP$X(cgDkjh|jce5r{2S^ddoYqcancW~6)c*2H? zuDvP)cHU*Qi*uxyV}gSQ-5}Vooib^E2G7?`*iiKNA~6e{w42Zp>;O*ZX(X^5(Y>cl zHUI0D z6|VYxC~*+l&Lb^;Ij8MtI=z*$MW2c#DHBo*x^79fm~axwB+s?P^wHtSglpu)%r9>K_U|S2qCF@G?@r%I zN*_Y5q8ZI|Zx2W#4=E$vIaF`x?{814=6_Y=Bj4a0IE_Tj7$ZFlSrd=0+M+d;2c!LD z$RX1UY6T|bv#c?{S~o(Ed^`5V9~k9FUGG8U%N{>5(`PazyOXci!+x?ze?*4no7kB~ zpww~lSZ2@%cix`*#+6&+5?`K4O9X^>TLZFv6XhK80z zGH`tmV|^=edmH{!q>MdWqqC`M7AyRaTPUgK7B!sEH#ZkE_M2sAk@5KzlzpgA2&OQG zwM?1YdnDc^K;saWt21u(Y6bl>#*t%P;wBYCfF;MoEHsdxswn$G|4$Y%EC6W7>Ym=D zstQ1{GOc1197itK*UO2*ZWlZ)o-oIrZga{OH{j-oP=qI6j4$FA%7c~2QlgM2y|-BUhyRve2Jc=P3>8bRlf&R+lgVsxG-+Ed}e zJxFf$J1cQ?f@Z&DPKmOPOIP~19^j|%S^b16ebqPIt#e~IfW zGbEabxryf-z1E{8R2aM&?^Jgj_tu_>RoLwG`S*Bw3qSs>R!GKJ?*uU}-nVtE8~8qs zVT~8S3kGjrB-K$9!XA<~af}8}pd!dg!ZaXwrgNu!8*djLR&xx0TZLm zZkIdPRXGXz;>GmzyYXG6$`1)51=ptw6uDyX-Hz&$Pa*R}%tsF!%GO=Cqy(!dCYuK+ zh*a8odjRA$G?Yt%Yf``X^{?rOjc2zM53blD5Ot~!-nX6?2EsdVVFe2G2U?DkM-pM^ zKtcM&XD?#;#?0k1 ze%J3C0zi(Ruj~RyiDF<_Y z_?>5_GQKf=E)T@STUP9aK4a{WI_5jfL$M`287vBI&c!gx7i@On{OqnK0xsG#scW0} z8iGj~c^$AUaPsbR(h2l$%28HGv8PZHFR0t_>yicT|1iTjOV;FQ`Wri(gwJd>GBU}T zI=dav#aT|@$>vPhY`pWPbK>U4BET{b)BGdijE40Zb62sFDXwR@1k|9SEcwX$0w)wl@Z2Ka4n0!4I_rKamaCZ3?ILmS6 zEiT-da`R%56;}-@6v-JFWDf=_$JSf2TcbZ0QXSn62UE-27R3=R$4(!rBCr;LCAeeI zmHKlHyd1l(W=bdo(58;tS%Y_fh}M|SVYI6okAR_!O;{$JEq8cVg3m$P-xi+DKt43E z2>T=V-@%^lt@y@qU}xoaTm`Cxaq~(!31+2Jrr-OxNONC~oFGirE&y@~6V9wWW|~%B z-GzwI(e+|pV=S8GWeEr8y5QlA97TC1qxu%5rjqv|WVaQe;t*9AYKtxI8AR*+)xO+R zuyMBCoL;kVlEWFHb^nI$N?d)t`l?XID4p_Wvw(v^0F|L}$yD-PVrHM!N&Ih>M28Zs 
zTuhM*?%_~<-`i7b8$HyUx$DFx+^+VVQg_asP@-L1|2AT9A_GM*T&Vs;Q+*go>tOQq zc;g3BDA1DE`|O+AFQBz2e#(C-K2KAhrAFjAI*nukZ6iOQ!lyCp)j8;GyahT;CiQwF zP&Upw6GDG)RT-6LzuHo+1?`4+^-K&$!jBbw=(bN5{=|vJ!XO~lK311!`AN$3+82rm zwx%{1exMjpX(3zHgPaxj4mezD^}HrPW0KDQD&#kxXU~aOo~*5f#W4UW0pf=#Q823O zWzmME4HHiq%^A15HHS|Y^*Z9t^J$j_D1Vd+C2bV ze$@jHcbdo2Oa!4jFq8^!?(zA4;FTuNdB)NhXOx>?`M<5%+h-LNFoUxPje*+xSmJ>! zBdK`Pqw0r)%T)}@tJZdh{5X_pZtj^^_nzh03Y^-Izog-|(P0F0E<^#9MjX{okiw0p zTse5oi%{B252;HXJ{{SJ=MZ5U)I3(eT@&9OMY)C`yA2Lv*zoFor zW}gBv0;Fh79{H}aC9$h4|HkY5nXvp!=d~!%b_GSaw*hsg+1(>xbQOQnXc&}^#}5QR zWh^rs3oh)`SA1@0?nBk<8V^Sl;)H0{U}qmw&P{z!T+~0Nw%0%$I;OD776&>2;!3k- z(b&&2Mw2MIJ5zs9q)GNIN$V=8>pb-X_zeG@1qd2KwEKWKfFP~kcqS1YoA zHo)d-$m$xCxPHNBp5|(*kJf9^3tM-E>4SCPcY;Uy|k%~S$O=CJ))t7}Ww$aZwc zC&S0^rlD@PRW{3^hDgB@5xe(D*rQd^e)+guL-sGXaCX;9S^8Bw$Xz_yCe!9`m^Y^( z`v=?KO$`|1sVZx{|81atLq}Sm$wNb`uu>oTMp2Zup_*C0_=4QKAh!-HFuE&#+T&Z< zWbHjnc2faNh2?>;({PqU0x*g~Uo@Z!XX`Ba{(e8|>KxBD!xqAGH@jYYI{@ruBikVjlmgBfMC8O7<0>pOO4={Opz|z}9JWa@&^(qGDsYha|Fkj*Rpx6$ zu0Ngu_(JZePyXG3!9Y7xSEtJ2ldpTx(yx6x8fu&1tS5Lh!KScuoAx+({gZ=u(a zj&SYvRafv=q_h~{^%o9(tgmi9;rdpd7MU`#reeU=j`$?#R~wG0PxMZEab=^hz$J3l z@fh<8jDn%Z}B4K>TT!n zulvDJoc77CM@8_wsWz8m09dpDDJhwNLg0BeU{rM(B^`VcqvrAm0>Gl>?b-f~Ck7UT zb7!Du0fH&*aIE+R6f4IV^zHs*dWNk^$79(9^M6PRbF)drMi(h{!@(z1c7NSI`kGlt zF{@iByi?`No-+EQ;=2TO+Q$ZgpYRKJnP{uFyQV5PmLGf6n8x3=r0!<JtMxo1H#&`x@$&{V^@m)Ir_il24=HIzVU(IhJ;14xOQ&8kHfb} zP!sA!cb6^=>1C-ReBwP9PPy2+vj-KLkTR8Seye>Vd~h`)ZuPIvmdpcJt^d|LRY7Us zwCT;bx>uehvV+~kY94wu6%($;6S+rRE5DyL$`g+D1bfyguD^Jw|8r2bcQwVoP_7lt z(RhBF+HX(z#k-y}B9gafwjw4i#Jl`TWAV?=DAorJfS@HwX~qD|McC2|W*fY-X3GKd zRpZ=ueBP|Tkf2z=9J=`U`1?yUmPg|LG-glkf2YZd7b7D5*p-m2p$!&3F6a`i6xl;` zifJr=-mxFcbg=He%Z#kGX1u5qp18R+9Azb1IXIKr84L%lIQI+uaq>Sq;K{5cR4Mbu z8_FGhgrSkJBr{H6US$UzrIkD+=1+R3^gek=`XOx1@f1%+4kqr8H5%Soj25Kzmdkn@ z{{FX`>%nCV|L|w!Y-SjuzyU~STZC$>d{eWkfB3T)lU+Lfc)hy=!-0D~0RAl10aKyw zT#Q~fKs2C9YN?sGe5=JUZsoOD@L;TMe>?p8ox2g^HDGD`N7}l~bV2$^daI{5Ui&ZT zmBF9!xSzfYM`Tgp83xxkYYC^F;M=-B{+`M6jRi^W=5q)?a+$2W*ZfUfnILQVTPiR{ 
zOoV^PR|Hx2)1H7TsH4y7<&yFDe!W=Xh)RqQL=X`e`c%OHMv3Y@4;Rxt2r2)KvmOBQ&N4 z`fb26C&2h}4A-918*;%5l-S`??^LiUoiya)CY$Fgs+2lltLW;%V+3b>eO7n@3;uP) zne6=LTLHz5ibp_96J$I62ve2GtE1+x7QSoAh9Y@UXiAfz9pK=Vuepv)zGw-m;nf!! z{dj!y@T7WnB*-*YY}z^DWn6yEj@uQ5m!V=iF&rHe!siTIs@$=d{UFhT!zM73CvV_rOJG)Iv=1)wL8sxRSa33n5Tz~JIml2b{vd-X}zGc&vnMK98w9V zmbm_MOfc9&*bw{esij&uLQ2ILKQSR$SC{AmAkvzC!}VZi2pU!x?NoNV9KQ7 zfo1m5iCv&*n=$I$Evv8J4|&fyaUosk@F*`XG<0*I2j#T!}skOgmk$EUG`gzsF5uglHr9`04Z>JvD@_o+>FFiXEsI5 z$Hu-?UkkZGikAOl>vj2~uP+(`*>iYYZKg||v+0vxiRb83{#4Di~?v6p@mJW38;VRcgfm68Gpe#9|szL4}J zQb@t{jQB00$eCpF-lMlZ?`+0lX5 zfvC;2g5U__9rr$Ndd_!oH#Kpq+Vfy7jJ8Oh{H^@No+=Wme}eX~Twi0~~`-G1cp$*aukT9K7 zL`~-dslW1I5c$+CeldcZ)EBBqV6Lsqd92ZYN%~-IA* zF?;lMSMRWk|6k&X$uA|xRA3Su<9a7cGwDdjoLnh*)a~n`GmNK{lNrOqF3l;M0Hq6z zHNPNO%UAP5F!@5@9GQAZUdFZsJQ%CRkfTrMJm;@eGv_u?DSY(Bd_efF=cgN5*G68? zYjIXWqA$Y{+S@AoPRAvsj25Zhb`y8g)4ZL`;$1+RBdDKz6rmI#yx$)el z;&6<(zIZY8da`A@>8Yb|*FJDacUObtaW z*Ew!Buhz+(77#j7xy?|ygTyY=XN+6mjWibB zm}TOmuH%%_TO)w*Bo3C0MG`3u=|uBGH~W3Kp{8v{BU_L;>n+lHbEh&>Nb3TWas!g~ z{zx+B6Gk_f%<+x=ArOT!C8|Q9XPz#}%byAF`oFu-{MlUeLG~}HZiX&>5kNfFtS7F6 zr23^LVJv$569a1J)SLrXA#=7C6FW+x3}-eKxplWrCbR>4sdfEC0V#8gKg@ zB7d$?S>IB)mOL}>>ND9_;FN_<+&2aJ1F(XIAU;R9v}ti1uFElN8I&fR^ZfZ2ZbodEYBF-UTVj^10Vw5G#vvat22Az_l727R z;%nnPcc)a4_i2OGT<*nxSh|TbMDLItum03dEYV&vh&OX#X(){<%IYq}BK-lY8@rU< zS1`w&lARZ}Q8*!FQnz6eU1+X%Vum>fPwXyvIzVcyw$I*z(7{Ef)9MrW?)@-PN?B9a z?`U%e7ud?+#i%xiA|g0)TYvMc`)OBsEBt_#6M6VCRwHLjw)c=i01jddkXw#dLnU1z($ zOo3HY#n^t@i&i_%d1X0{uyQlYnbhxs*Es;j2rAYi3gK3|>{R5ZC|M`+|4(8{R(!Xn z&6V2~?7DBO>B1WNVQ4$~41*w(NIdMihw}Z$Lj%el2DZS^n7qVrJ-RyM%pfb3zsQdO zTzzQX-w%icxq6hTN@ltGZKkO#EMi$#S2xEkMlFJYIsfQ(RVm`@in9y%1|+=m;q>_& z+}pK2>>1&1)?fI$(nO%x8KdR;_JBVruHgRNt~1YKpyYo_iMMK(<=+hy$Z5bjy!LQ#OX{Dd+H>nyV! 
z@ix58)=`C}f=WAZS!%6-AWo8^SR&R~2VSDHMMAwNJ%ulC7s_~5y5eFJ1eCKp5*kHm zGbMOzbw=A3y-W!LYbPE1IEy-d()0dB0V@I9l~7^2;UzIMOKw4UR?**kW%dXp8Q>a(!fSVI=DyCBU@e7i)p%*GO?4rcrRJjFti z&{L(3)faF9mAHLffRUW1oH2ovO-{^>hTZ}fk~a>Tkh@)ZUVc;wF7JVu zH<&^(0^WVdHP%9&@sNpOC!(p+bXaoZd?w7m^l1lX`9#S*2b^VT6a>qR7c3-^>Ae|rDnl2~6*dDnk9{45xd!6Cdy|9D1P+o= z;y?=HB1F--!(r%J0K&HqczysKx08%q$~lh`08W!D;VV_lQ~bv-TADzZ=wILn-IdLr zMXRAWAPS5K;&2d4=9oV7x9{B!M|SIeNA-btiPct*U$>V#eQqtE-OU*I(J-gunG@t9 z`B&8s(P5K8L37EstVA*sd49V@g>vJXo{<*5F2BwygaX{9kn>0SlHjJU1 zR|hGEVIIZQtSp{YZG?D_{S1wNQj<_rS~8jNoTESd>+$l|vrL*7g(1S>Rd8>I^n$ui zxV^NM+g@v;hIkL3hL?T%{U#3x(~1}eqJ#uBj5_^i0UFZX+BBck-eU)o4Z9YLU`=T; z5U|>dO#NYczuRSHr;JxO58`Cgt03fA@?X5$ox*$DxTCBC^{%f2rxlE;BvsL6_w!b@ zCg{rRmfEMQ^bM{`D?-A%?vY}28h?Cbdd4c@O4MIaZVEHaJ#(tQ$L2G%k%3~A%koaq zx(j74JmsQ<^rxgAJ}3Qee@yaq>`zw^g>g0f7a9nNSg#F*ec<1$y9#T0&K?ZqA9(u- zuen3nQIDXsJ4EMs#;a(`CW^T{p2A8L0&KUQANq~Y6UDfs=8Db07>PTOLP`|Gq?vOo zT47{=03V?i6_6C?04qX~h#Iv<(&*}z7zyon9*>%x!xz)xjP429gBzn7|2$~$+vs2- zEo~N+Lwh;$5E7?^*B$+Mdx1Y64_QGYH>yCV}?rcx>ag=E0!I6ei$3;%5GC0s8% zL3-y0Y3@6_f11oYAd+p9Gy}B;L7ezKAy?3auN54WtoV}QMigPk9oL%!HsuPpIvBZ! 
zoscIavgIjRD6Ey^Ep9!m*>}+H>^LTAczguY)_5%lfGTBl6bZ_&s(GaUFi$MY=_;2O z^UfV;DWFG`mm|=XA0u|@DJKPN!|DHb2>51`rxeumPZqLc$vLiD78f)$bXv!dh@ z#p@9f@kM?twkL(n=M3|tZ|sZV4AM)YbBE_8qA|thK3|Cr!9TBO$|u`SyH!bYsdv3n zSLE2WRfK`#;xpyqk72YeP7(mX@Nn`ge+i1ANqMX&@8rJ#!>bmV-66=ZU!0t&2g!vs zbVxgJ`1JjKlFJQX%+vkPbnofhIVNK1r2xQiDW^#nx461ErMUz21j)@G$UmiX2}y;& zV)MWg$dwo#wl3EH$qDt!zRk+~u{xa@Pm$1Tt@7##2q+ zEU3$@oknJtL}?2zdkNR-=@E)%a!xTZ$pf`LGgQt=vVxh>UTUr(mYlbhzODJK;w~M$ zMAUWA|1IK1E4l&iH6;H%+*C)A*q=ziF+{PscsGyRQ>Nd&n5`qB*{@kf@haZaxzxH zbS{CT=V7FVV^>nrqR9gRZIp~<+%#&K9I3BjkfshEcd9RbY;HBJNYeh_+RID6fU!b) zdJ2J0p7@uhQJfEu>$8?HibC_}Q0k1O`j`ZFlxG{>0?T|-Fu29JlkR#0HY`IywBxCS z<#>I-Od7Yv`3XYd(#oUhA0Z-&lDbj(5?MpT99e-iFy6efC*zVz5{6O=so=-_uf!kz zNJ=@L1DWrn3l_2n6u`#LQ4I{U0L=0KMGuEzUK6u>tRp8z$2z~?J7UJ|R1V;`dV8p& zXt7bt@BUx|l^{EsvGlBalyx?#m_{l&L^Ut|NC1+xM!(kJX z(-HZe`o1EQDVD6FozYqrE_{X`khg~|^$76KdSU~1@eegQ*O#;zuOs*dpR>s2N=*#p zVjj#3LAT9J1sP5TcR>g0N4^=xLicsthRU*VSZ~ejvRRhd;;j)Q7^(G#;R{-GC(OwQ0NL1mTR4P$xj^ADdU@l}2K9;X!#S=JdHh=yURx%?E3 z;llOJ<8{{nso*bHQyT8_)AO3L(!JT+(+Cb?gO#lx`ukH3p2`~Hr3-wddKP3g6qU3d z0tTUMUm$lN@oHD;NaExM&-E-dxDp$h>~)_I;+r1|=RJGB&9mGrP4N0{TV1nae3cxR zIS8k6ZE@t{_ZkyIMIzDn5rsDbaUR6idIoe1?u?*KezjOoMYq`;dz#Yuae^zT0gqV( zt9kXsQB+l7b9Mw9U26Y&z8ZyJMO$qm3`515ijVo#7ZwE;Y;2wgMT|&{*FdM?>eVnV z(z`fg=za-DI^@ItC~#D>Q_zHB$!!j&HI#zbp3?d$Q-|WhMt80<7es9kF*&@!nH+44 zGy9i=Br1g%DJw_|pMp6e#$(8EXz)(4&>$T-ENplfwdO=vrK$C^7q30Y!29?Lt5cDi zV`||xD*?*~0LL{YoU$^Jf8UtruP1yly3?aJ!9HvlCs1bc7<}A2bjVBBMvb~tLX5`a z_Wn-H$la`ZRA=C&%NqA{Ftb|7SoOBkyvr7X#vtEorn5T~X#4WcV%r87+0rH}h~S|? 
z*%0>`6iek%k<7j_wvIE@=un#L6mCOc4|{x7K3KeQa>0&&~b zROz@E^Ufa7hW7!iKpl`!PkQqzD7Cmvu;0489cU}LWE3*jgN&ta?r`V*b8;l^HMX}# z8A&pO(&x%p6vk4)bx)2zYaw?tQnhiT)v)d>b4pu|ucji!mARfDcG{%tao3Dw9W(Mv zdDQh&qXqM6!SKUH;e8^~SO{mw(=}`iWh359YmktaS9pwZijQ3TKG(RUnGYETOqmz{tTlRWapX~#L1O>N* zN)&6~w!L8!7j87B(EmFN;7&XYuU6YN>FD_#-FY7scK3pLbALsHkAvV*vEp$NMo8{# zS&L>#uOwAbyS(BNDr^wC(#}*!KF41m%4|;TEXPLy_0#h8>jwgYGg@!LcJnm5hqQnD z^;W0DbtWgHi?MiT@R^ScE^Icg)wvTWwfKI!pT*DLkHR8_+kYpQ__{h@!HAx?7bZN- zXKrdk${248u!yQ7^?Q<55G7+u-#?~b?iSQAKg~xs%F{L#zpv>|CY`TsTDZ;G+842m zD23uxJSo3=d6Y^9(BCB<+7_b4$Rt`8#R7u9gFWl&1(;1=SmSXFr=wO_EL%JiwfYy? zC#3_xVZX`2E6sE!gLN*Ut5dwV_S7#=mS#Zdf#0OSXN!+uf%BP&{J(unjXYhQR0Idb4n;-gqD71c;A!D_T6@m z`iMisxj(#D>C7f0P{~7bdVzMo_?)h7rt`Ah?aM}e7yyURowJ3}<4lHO?}%UP?E3ak z<~^r;BtL$+4^7bC&MZF-8G49R4dSg`#IsL+9`VcsQ-x65J z-A(vTIZyk>BTz*5^Ln5GN4E3OJjMHR84ByB%|;qquNxeP_`Wf<#>109G5U-l)&A-X znM^%9nNF+vj;>$)E`j@km}h5)*K(;@uZOv&o2x%uF3EgYtn5vg->SHHU}dV)9Xjb} zU9r+gJEt7`WyCRKGf-0d^ zVU&;e^<}(__cBsKzVdTQ;Hap=uv`2mq00iBQksy3nCKErBpLVmx_Fx3N3DBY`EnRe zJNjob?R-1t;n8U=F`sr>j}QT3zr}#Q0io7~d~@EATUCsvchzgKIz!}UNOt?PmKI9WYM$dy^(sF@J4YvNS>dM6Z@0Ws28oK6d`Ylv z9|-rR*Fn+hr0f!{CwNYTRV|t5^{%ip<|8T1*#ms-)~i?d?K0Dw|J;6jLQqqdu-{Rb zOywK~w_@V@SgcD!^BH988yrd^aFt@=&Z!x7t}V7I$2*G3E7aI{>R~v|@}0cKE5Y zLo2sTl3m_O8U939S=yiOhhD+3kB*@1RO_%{#M-l}<@`_;x+~>N^Mqd3;kr3#4#c?r zOvhc~wbG5afzDsU+xH9ojWum)$X@}=s5zgIja#~$%C13{+voywIb||$(J$9T-70mR zdR0LFnL~4VbYX0Vvh2GaPz&^Czr};bcc+%irMrdM|t>q1I;+_6@e)C8=OLTj#^G zLYUMiA^xPP)loj+m zhWY@6!m<&$To6#Nv?#T4jBh%9gMizWXKoxxFh0pk$oHG4?w*aOH`PkVVcs5y>uq7Q zmJ#*8X2*E!2Pk8cDdpFvIV&tcF$)9Ei)Q|LM37F~Q!7D*I+)0d*dvDNCfKTN(K|0N z4DopOpA&jCyzZ>)c`*{BV`F0;M)AKB1O5n0J70Ytj~w79AAYwtC?YYdt5!iD>>aUJ za65)cd;zuC;QXoVI7POT(on{BAR%XnTM^a4Zi>in^^5stpRNzSg@ZphsLOsCWK6)a zmN+q{{y{j_{2i7#1tho`v6D7#e35o~ydL7*NvrCz6?}7IYpv;Wyb^sml1a8WWNbm6 z{9I|Uy?U?t;CQ?+xAj^M7v4$K9b)$v(&C^6aAvG7QCL1Hhy zf~E)5@t@|~#!dGrcXuS@qv70Jr(gM8%0Gv!UcI{^c5C%svQ$UP_7O6&9xw=@l8eJi z7{173IX#ZOl}jhXN|!7MhC8Z}Fi^xpo+(h*75VrwRdccV+iCh)w06`jnR27XYf3+w 
z8V3}wnX~h^asigjJr8$w5cBTvkio%|xiJN%GW|eYtM1LffNQ5b1EQa;_P%Z`iwof> zW1b3h1|v~aFA#xu!oF3K`* zL7URax6p7yF6qCG`^fIrqbH3N*Nkq-lSR}n5Dj=<@wb5d1UKN`hzs-f+y!baPzMl# ziz!vcg#df^ERBdv6BzP&W1=IG3^EFCX9m<^;Ae{3wR3~9kJ>7drMof zD>$h1Ene936~~Bc)<3kQ?4{J`N}~C1xPstLhHEZuQd)L3(!_oc8w%p>yz^w5Zq=bV z^lQ}UPm=SD(~_0_K?1=$iozD04vkVw`})0k56D3cvM~@{#`W}hQzI}ypu1{}sU%{2 zc?^eRx_&^RNi?o;G7tX<`t^`5PhyR-5B{ikqD|q<3xnT%Jr;Fva<@Nl&@te0EsVXt zfDMLH4uT-OiFUvK0LA9Bo{9R~O6{=)FCA6YASB}bNk?zd=qFZn@qT9ms}^;e-s2-A zZs(_59;Ku8T}t97hwg19e4~$RIf#)JVcuB?N`)oX=!JFV=|>`2A}5RN_OI|+Kk0d8 zCQrA3n_;8wzqIWReopVzv1tf?pJDq0C7&qzXUuU9d+)Ii=gi?b%8V%+G}p=IVz1{1 zo0M?S*C%s3kuYiAsb~FXyWC~87THfmvYb|eO2IXH&p+*-qKggg z;b69*b*wXoj@N#;KfKrhP5S!`)CpOvIe&*)eL;30srBo8i`~LvcXdmOk6?m4qw&}`_X(xh-*-P}Jnvwjz zT&cdDSauQPN3rWH&e{|^wBnyluG8^iyjrf{aB`N_0NUzb{wnP(32i(?}XL1m=_FB65Vf)SeSQIF=cCd>5 z78dUk>;FU7IYwF5tywy(4BNJC+qSI?WZ2HI&5RSaZQIJQZJQlmb=~gjs@w0c^J|YY z*4|@n%xBISnJl5Wn>l6+<^bBY-Vr7a%yPV#NB6PBoBLFB0LzF%I2?<{S6P$c8AIWA zk-kugqt~`v$IS?-`0;1VSETkvxtLDCCL`?mDZb&&n-GUNWB&01EW}W@I{0U;Pgg)! 
zB{y@QeyS^-z{Fg`DngF!fG~u%Yhlo&4K98;6E?M4CQu+1dp~WsoAaTo63h6mHLF!g zf8}v|67?x%!Zoia^aj0;r75XUvpRz(tGmDbHVN7^8e^p%PJXBZZ`ooZfjL4S?~7dR{H=H(TO9$;*tzfca1lG9yUo z-wj1H*5Gvgt}d(x=5`gaX;hEY2?{}z4xDltVj0lc9Lr;PRfPQYv4poM-sO)!an2J#O{g3pg#2_^zzoe^+M}~P=&GI zTvFl^cm4PL#?r{>p+^`FaI7hzRaj#olCOk<1BKpH=9~O-`}oORzLp(a6>mUjtp44; z5-%3Q)eY+hRcxYMi6Z|MO?`jMF?uX4I726c!$t*-`k`^$(Dtuw=H`S=!c=mU%k9zr zjE9nkrYrRh((O4mWz;wnjM2%g(}l7M>e`f#O$8tvWuEp_Ld(;x?XY`75t2|o<&OGWaQ`$J+KaDd%n zIEK*<3f+yQeT+76<=V<(B6cPyxHJRg@cMHOnDj#H7++GdL?D!WVSmfg0e;Yl^AjV^pS_Vdvzw6z zDEz!C%_F@b%ESPp#@B_?ipbpu5#c`kI6cAaHx0dTNyxgrU!AxLZ;my*|BytGBe-uF%Gpn!j(Nl3H!o)L7|}_FJ2X`>;$QSDe$aH zCcsu~Wx+!-nGF=B;@ER-msSO@C$)DyC(f*h?gj|WouvG#L>%?_PWqA&Zg$gfkq;M| zW67&L*+1`({dUf5_j}7LoXlpWzX|wdmUZ%z8hXZvL7Vea!>8jDj-60Lc?h`E&bv_F zvIr8uN9Hf@whKokhF~6$)K2CaV=Dwen9c1n#1szh1(@qS}$* z@)G%TFWLwg*>6*2<|r-;5H$BD&2`gH9tD4#)3lJ+^$TY`BjWFJP_6vHGVaMSaa-ke z?%8AjE~O2w5wQrfwU)!EU*8n>h@!_1AJZ%&#BHMr#pheAXnQoNMuY z#q{+njH?{kNlzu|s{X0c-S%2;LhyX}Lv1sMI0d~N%&b;e&F-PpS<#!|OG*)oA$cW$ z+Z4&L8!%(a6*pM_rZDnJ>PwTSTPf_jeeFc1?K#*u?6H-cel>X!}rRz6AQ<}x`#ITE7B-81Mw!r^hRKN`sH_TIO zb0HFP$=iE5igm8*p78dSS7&el4zUZPS{5hvKEIE^HhW;wL@0AwCF5nQO$9*_4@!a(~3sc)(Z?BBDZdZu7D#rIVPhA5+BynDp-nzYo8PZKg_LmcOu# zfBNHr8;xCrEHm>~nVxivY?P*1`fqmf0~e{T)T}MT6$XRru@YX7L~}|<=27>bW?Wp7 zgPvwJ6g8N5l2N6aO0n1%Zo5o`3iW~P5WTX-4E_loLj%-0xo59DP9VfeSd6nLIJwmh?=c zvPl`XY1}=mm_#^!A6|`4NXt z6dpVr#V8b=q{l6!}2ao=WU)- z+5FO#WIM6V;-EJS?(clxdZ#|PXlTjOu&SP6r;qId(kdDpCt)rNOJ8L1&h}Xb$%{Z^ zn!gzFmOwB+{E(|CC%mcRuRGpKTmHh_?VF?;C)F||RoiVY^Hw2a&KB^|zYP#tw4Ks( z?|B-BeK{D$F-^L^Ba4?PSm)SM%!-yojFMxT@|2o8<2_61CZ*B}3=by)NgrJ6h`3V4 zMo4N1A6W+LPZHe>0Tq)bma+#Fngxb$%It2E7u{lzlKLz&-&!bm=wDA0;L$9I$xa4{ zSfYExa4EnD$jK&e(kz>$4xHAuhtX@HKN00+EZeTg#_~ATWbey;$Ali9ul2@Q^rt)P zuIMXp*)uce>T)^qVi-DLfhFd`k|n~bF`Jns6t)EQchT^U#0ecs;eMw1%VokqH6u&o zVW8P(BN84AdgIFNds)R@{V3ko9&2Zv!O zB{~D@(*z26qNy!`wJ|e04=thPN1uB*{_dCOi+&lSnE zK0s2U#8N4U&oY-ZQ-LM~2a}zYbx+PJrxq**F%PkNPlq7?z^EHN 
zWSSSBBxYoSbjT<8#jRbL#G<-VKx(19S-}hP1T@25>2I{!nefL{%e){VDQODsh-n#* zj=xqBNLb3ZrH(zmI6jNGzh?vp$!Y|Nk(GVoj}emWar0uj8NtG$O!zwMZ|KKC3SF&Q zrFEtYsc~y!VS>Z!SF^eH(I8$^tWn-bzefhmuBF_&bGoRM>b|OCp4ctH1BcL7<3in0 z5Ey;Z4#Eu!3ecj~!>UzuVf3rvOD^AY^syVQtpi-G2fmalr<;i}AK_qWG{hE!Fh({O zv5XYq5aCwd+Xm4D$1=sv2q@)E1l-#J(F9~Y&A(n;LcypsRxGI`kVA@b?IOvoh zKX_2NUOVpJlf^QHaO}M!v!K;cx_mYvgKh~-eY#3i@6TFAcF%yz({?FMzVl~M zNFFEid-a!C0e8`s>@F0e|JwE#GX_s^BrV2L8dZgr6fzYCpLe^vbS#A(Nazq164X%O zSaMZctq4rb4b|d3VYE~$xKn^!W@#6|paAR~tZ|fwp^?4sbV$pI7+Hr{>9?Rp(I^Tf zNNeg-RP%~s(8U%EHk;wgfD5Xcpq8g{^jqvQc7;m|k)Mpf0MLSOvxtqwdj06mGp(-e?-}zl%i};V7n!a$5O`8yMd@Fwofs z2s@*j4Y)VX#peVS1dA7ehMwXPxAB6sUjVK=A!}^IiUpA`H9OAIx5FIrAx&NU!n=B( z-tnM;M3vpga-GTwic;a%FrwAfcppD4N#^Va(rVE=t{(~u)`BBMRpafpstpIz%&qa4 zG6TAUFdE4xO#NGdi3g6=Y=r>&lT4mJy(63x63rIuEMq*AA4@C~odc^wRN6HZtR;ay z)bG#qN!%LM}k*Z*Se?-yL?3UcX!MN-RPXu7C9Y*799A&E}+|f6x zN~R!=2(J-^#pXpjDK|jKUZi9%b1Ea~x`cN08(;RL2oJ4MaE3XzDwqzvaX>Qv(Qv8w zm(FA1^i1XNB;$hWRgQxK(qbb+{a9)<7rVv+^8BT#g1%aCTCJwI&N&9HCpD4>1WxMO z=#rhxK|()d|7n9tOs-tAA!F#|%5zLrI@qfjj+ZMX(r(g9W4==y4DaP(zvA!BY2&e% zp&rGD8=Hu*NE^W4FuFyFHux9Fq~eve2scNs8le-XeAcos3=Ig%xS_#iW)?YsP)JAO ztbz0`7JvDlHZk401a$IjplyT(N*GR{X^C-4&DR4 zbj}L+Hg15?TOl0;e-+q4tZZb8#0_=WI1w8rZ*Sn3wsDj;tcl^?n=XP^uDLQ{k@}Zb zMHa{QhB^WoWh9#YTU1p(go=(tlu|hp?AyDZ=!EaP|L-*&4~&=j&m*yW)hF)CZeX-UdWz3=?=ArGo{~u-mowBoHUOfv@03ZJ75k{R*2V00=Z052RB>0k<;@DXFYhj4`sI-&a~wJ ztWPnn$St&^5Bc+-G3*g+k6t4EWdgJy0D$c2t7}AmfS2O`Omh(jSiuvC8u0Y=VDO|r z$e6BFR6!qD8Sx}AtZFFLKWYn|CMSD;@kG6CM3yWwzRS~_3F7?$2^S~#4fQ4I`tk*- zhTL{DtiYzoq56r!H9b|eebmx*-tL@z7uwZ#-`n2-4a}9!0Jx+5)XH6Q(l07k>>>tE z^-x*ubSsOd~3NeBZr&yoL>k$VWi*;Yrc)s4n3PqWs(I;{o*wcfw`Onc}j5 z=V-dy_!H&n?P75928_b@4f~^=<8KCP{4ijz80%6s-61e14XUr|(!#a5BT)oNrE3zb zsSOMX4QFidMa@B{p}gljKWS|#5zCT5uwa@y1Dwt%*aQSd?Uquxwe6k9wc~i4L4QXy zw6!MJFL~Wc^8|1XXo|w2OWi@vc1yVCuys^m9`_L2t?#paiL!t$C2;uC=wh^fE(#=V z{=hXOhVKmkd$B9%E>l7#E{oj^cJoKjSb7|2`RhFO^0Mvq38^jBP$B@~wn_Xi7Ql#Z zehkle=aXk&lHiy3EJFu&cZwC=-*$nfefGQuC647YDkIL%Jj3 
zzIKJNUEGy3{bY~SpceG~p#*yE!e@Cj+XTF!7_Q=ymTg#icnYm8_CM|R&DfN4*ShUM zTk2;Hj{M^{;EnE|soVigsI?%792p^ZlbU(1_d?yh&AMUH2Sbb59^qB=f4Yt%FV!Tx zH+g;w^&OE6&9-^+m}kRLvB!kLQY+P)o560C1CW)>&WVieBplss)Tm?m1@AAQ;G@gJ z2-}Bu04a`@JIcBwdEsqs=~E6k>5V*XJ^G5kdiB@~73NWoUUwh?HW^m2#&cGE#CXrM z#~}57kM8#39g-gV&{+m`h~1tt4$)yfUrTlal`r8R)&$l>iiIDD;%iNUfBHj#4{8Hx zg_}NpcUr<=^i}UMYlM!}xG4#vyF^v`%4zwGhR?rs4?S1&c-%+@Pr^X3Vt=w&fcA$+ zxAh$^BGGPbPqo)O^OLJnN_^hKMjpPY*cZ~o&t}`4{Yp$0z$0I(P#Zip-hUyjMK$%y zHl7cTm~e62JumIAxX2K`pMNU0jEF%SL*n>M+3VteZhaT^@{vg~xar-p5I{LiQlUwK z(H>H*)C!951W$k~tliynqB-DJOqnhf`EIN&8LKpHj;%j2W=nY$N5-iQH7XLO+CAWD zuy!-rx5U9dDYrTT4A{$Lj(cb6Q71~Y&T-dlCvbdrNj#T146dVSgI3kJ#8C-bd8_Cq zG7L2ny5ZQ zOfM;>;O7IsV>4zJT)ox~bf3FMSt-W2E~!1+u^72bpKx}+H={zLisNKf26%hj{SZI* z(sad;{;3%G6%zdoK#=F1%JQBJjr`2VtRYkH6s;7soVPe)BM(LR=F$pjeHL?sMDUF> zCLMO%*HD&YxF-6U-Dsn?Qot_Qf3!4cMGpF?J6=SeKK*=lA1f=l_+ne7Tbt)RbR!3| zhDh@xFvf1Mmzui)Z?S?vz>W|#A;JC}X0()hv*v%duGR++`KB*E!NbaCnkw1l+oya3 zfr~;Ci278opodev9Q9aw-uEpb(!W1_Zy{H_e_By}b`z19-vQZtSuwG`N4`|Ag+bNF z34Xini9W+h5RkI4@*T=xN_p;nt6%q$fXJ7q~Cr8 zy6XQgAM$R0%dmo7_Ai9we^Vo$7|)_XvP^Woyx|Ihgz?QES}Uc;^ToemNNQp?2mR}~ zCpEs0VojWTp{$^5!9n++wENAUP!btC6>-1T7nOTjm{~s~EXqpOsx8D9M^wBv!lE!osk4~8Jdn_f32jF1ztbaxv!f ztX_$pkEJpg)NgmHUr{O4FA)3>$B{*%Z*8L%6w-|&Mm>u$?I7nAHn0_>E;douvHbkk zkd`i_j&&icwRW z!0mYM^{tfE_a?0_GvXgKDWn_W0WzH%z~Y)jl?v~bkOfGND4n~2eAI;@WMMB)>`}p5m1ISt-i&s~v0i$jn1!e=Mvt=UQ2d~*~wcJAGUZ^u@&{1BW zsO{!qOXwo!@1#av;lA*Qwiv*?XUGC-kl|2R5D_kc0bMunZ)p-v=l<+kHL);j+1>l- zAlg6mi6}AnU@v%P=8*Yro@it9u4Cp?kiU^peDDA)<0m?m4aw8SWe?gTOjl>3;=#zf zJ`scLSL&w!10}en7$f_3g`7;CN^RAwoiO|M_CDLy4^EUItcl1olldL!uaouZGgy#|B5pkTEyb`qO|Vw0oCdoL!c8umAr)>>3=d3G{Ajj z_~%0_Yn^`2?u!K7`qlh@uo+@oyVz0O$NlM7*oRdeGS((;%c+Sfr@4iF;;PaW{{t$y zavB^ZDPsy(S;FPoL6&SeGC!>3mHOoj6iS{(qFx9}=32_@8_5LlM!fPDB({U}QKYBA zY%<)1mk9h$iZJ-9qC2?jQZ5A~fqdJ6P~5nYQ9Xi2a6VfuaTH9T36rKfpV!VTY+!Ym z?m93&f%UVpGH_TTVhfF}6_!JrzrYWhmWHhhc|L*p-M`qmpXR*2??j%u=1Q3zITe4y z0ibwki;5Mx*>iD7BVB(bZX!HHjg4{jA@Rbfw!(&zMRO`*G1Pk7?0hx9&?bl= 
zIFdH7`*@|78$=VQ<|9T*cW_9R&x#(hKbdCA1ez27LoI$uEkt>Nkh8nqEAUU&)>OQA zN1VwSAF1Q)Hb)hR)U#{KFH4-`)SeFL#18}$*c@B82b^&QgOzdrhHICItM}u@%XBk* z)_-<9W99eD#0oE)8R!XZC4roE$|FfG@{@4`{r8G-%?ySlHlw31pZ7V#ZN)Wdoe+o3 zSqpPxGuj_+So78=nct@_rF0&G>vx{8=`7LN$@oZ51HZXlqPE`ti*!)_U1zNa*c5W-A8zs+0{> z8n5T@!*0+FUWNkiAEJD3SbD?NCI`6LhGLP2dYH94*jBr|R{Nu1=Nn-ry6my*O|^Gp zEDvKuWVX+qrEsynmm+8A7qz&Z5Y3?;E)&L1qTgP$hnmcid|%x8D=IU z{<{);-vG28Xgymmv1zEy*x%-+lDF!#h%VD@*<*GAhgIyZt{ z>BDPa;V0?Qz!S;I(ob}uN^{0mJ$>e4vV-cxyYH7!wn@6K9peKmo7W---#$XP&5@jw z)KdNm{LTE=x<@Mmh{kz!+te||Me@Kf9WM!EH_d_VM+e#ZY#GaTU}rWYAZV;v$mcEv zij3y-!S!qO3Qd-XX;H$+_1<6Om&+IJa)JFe6?AR0gP#0VR#$A)aFDJ$gRe@OI?hFF z10?TMpjOZ9AZ^VBw`6LW@w)! zXmuKjY@e!^4*_v!KTd==z0zme?fZH8&gNSUEOr@MkyDRo6UbepHo1axJ0WlH`Zp&q z)da3O2hRwbOKFr8E_<4TAiwL*S&N+1nW~yJTX~OXJP+wp*x-!xs}~z;G6o;mX|x{1 z$R1F7^Ujsi0Ugwx43>=qf@@*Hunp(ZkeMr-yy{7t_Q`}*8sXjQ(ME=VUfR!kgtH^` zRei+*c#({zF%RJ2tO$zhinX z>t)GWC~-}Owf-pSOWCX0j6++<+7UirA)usDP$+H%E;b{|HDpht#M+o_6ulDm5%TVa zT6a9k=JDOV=BSpS#M-(BldZ}=0oiX~bTi}MXI>QUro4^oAjfE51W8LB1>>XUWpUax8Ft3Xp_+V+ z5x6u*d=e8@L8DgFPjHKkD`()&uFE-pDsCD4uf>!gpZxV3fs`l^X-YzB8r23!re z9HG_RC)b3R;DGd{vHA8a3Vfawj{~d~x2bybtwsdXWC~ug-U_Zt0UDu?x)$<$j7L)I zHKkovj6Ca^oE?D(Pp;$=2m@J5iGg^h^>Kt%oK7QU*kU5NXzciS(wxq-^qVXIo9|_pryp*g7j-2vx9m6=P+>>Lb zg*L}DnQ-t!Tr*}=Zu5nzFD&u|8~t}AVVeY8#kgIU_-#+06FogJVX=xgc9Omq>KB4( zn8Ck$T+I8t-(icj+866!;{Og`*kqR__w&^I#skD13wZFEPB&@DCCHZw6I!{{;J}#o zNT56KV898hwgA0{z2_^ZgNd|QSZ-6lXiFd#Q`BHE714no-=O7EK(%<=zkbW=?_6Qa zUg-0cP=oX?Bu{kbM#yGJ`gf8*>$T0-_3Zm9+2*}IjkLJ^ zjb4T&Bnb&?A6h6&Zyy#%KMLt|BAuQy8!_1GyD_F!J6oF6`AE3i?={gE@EE8cfLvFQ z-;wfWCrA561S|BcRi4I4bi0wH-E)^3FFqI*|B~N=;q!Y=CQ96x@^%c*-xu@Bv*!wX zAW541;{27aBV`{alL+m0y>B$>Nw&O}|KC*mb}bFY6+mR_J!={KeUaq)xh+pYqTs8*s| z?t+c0fCF-eGG{`C-swSrDfmcs+n#GZ^x_{UjoXN1iCeB9h||3`6NaV4f)QmBF7H!> z)%)X|MSNSzReCY$kAnLy!uG2H{-aP+;M;~bUU#D6d*AW`K9dcH=y8a-R)^8ltSWU@ zhMGLpB>3N_=$h#gj&uBhs#@^V9q@bC4SehuPEQykdw(>W9*IQUvJId1VO{BY)0_2# z8>3Mp^({i~rT6xWOhhTh1v6yt#q2L7g$ksz_a%7c<#uNiHF&$8{O^lnr5M@wE&|PJ 
zxfRV)2M6uVB(aTct$uIKs;o<;-W_(KJYG7s-CL&k<+{}Rf{Xw{ch2!7%%?!#r@?O| zC$VLMg#(rg$l|*1+z{*CJJ*d&R7tK0^<&Od!Dyx1#~q&>Tm)&v;a&tt$imb;BW88% z@wXr-el7&)VNf$aNkavk*?f1!5mO_)htD!R-u^5(Y;ylLKfJpsl|zZOA6SZOI9inI z^nU0NPf#aQ99Z$1VL*UWt5*4|&)ajl4$@z>4qUEWrqBS z_RjZno*v!Dc4HX7EWVpES^?$V*a?`|JTiwDJDznQVi5@P0Y6^qo-CGmTng+Hf8m-R zULK$ViOG{=*<%M*9|E5jWuRAJB_YN;nw z0wy-0R$s^$fBWMOJMu>MpNc=>RWrt4^3%BVn?-7~{e8-~FsDRBrQkJw_RWTNCCS#lBb z#311qS#oh&h=0Q?AmiSW?7hq%ku{;LkZ??iPndf-L8?D@c3Y^d|Duk;u$WT?sgvkt z8S`YzRsQ!XKcAyN2NA}1dk2|MrrlBXn9uS3HnI*u*ErC@_t|mzS*jYMnXp7$=A7d$ zrmelnplTZTC>;`CibRYYkt#7BC0$h1pmQdC)a)QA1E|nRWkT%z*(x~56nbr762K0l zZ}6PL&ca9K&ab89S~{j6efHx&MEVvcnS<2zABpmvKkYrVv8z$- z|7MNR?p36cc22#uzmrLgBFoCcB8`X!1pZeox}zTWfL+-;Gc1bQ zxaa{EfFP}+Ix13C4a!`K`@O)z^ddy)-8e01#h_@eS~lzJ`K$^09c(5GG7ff_u~&Bwax5+GW9u!mt?QU`5#h7ogE({3xcu93 zM(E-7kEE#^BO&=`eQ**cJWwGM-SJ|TTpmRur$nY1Zj3cj9% z>-yQVQc+M5VI{t*&5{Lbi1})U=+Z0sA%+EFKr=`_t&I9xRS}RMTk}Z(2P&G5R<(RG z4zWR-E=?HAFC>jCp`HSpDtzt+G+-RE4PJ-BHdre)d%`?jcIrhVE4k$0rMSf~AIs;) z$lqjST4>x|to#j=)4smQ4x+_88LHuXio1akI08!XSqo)P$Fo9p#J@6SgHWl%AnlmR zm212WqkI9%b4Trf<(t@*3Kc3R{^Q5plfClM%J~9Y8Xitc)>c#YEh{vXnB=LO-fksrG->eYLuyf-v?McjseXuOImbA4<`{xMJ0*uo(05VMlC#oS1Rl9 zE(vv?*upbi-g^IYoEG;m&82D*reto%t2uQ1awYC!Wyri+Rn~csg72y~b82!rGB~ar zN_qT~AIJvpgYng&H6K9G!xS^uEy%MGH8QQ#0#txX}<__(bS272EB=@g?{a-x%?g9#*|maEGdR${^E#^2+3_)SG{h_*~U6 ze^p`DEPzT}y{0G!1&i(dIVWgmv|h zZd;DR{3SbUxhj0Tu(W&(te85v{jCpis3ZmgYExwT-vfG#jlb>OVukQvB5l!F(tLVI zA#~z5V)bj!U|oW_ve{WUoO*NS$5BeGEJ#5mxaQFnCu>z;Ud)k#jR0>DgJ)CU9|`0^ zm`kl7#+BChc=MoA{tUC!$ht3yK;EC$gCo#%Oz1KtHfF;))<*83UBFn?q|1 zf9zaIta2!FRDJ^Oy-7k{$K=Wmp}pFs)i`n)p!15tBbirv8L#BD%WwvY34Uuu*Ed937dwktVyB{2h|C(%Kjc^&J@tZFVT%e(O z`EL4Y(%ll|Z)WwJn6g|3l&tM6dud?8BapdVY1gffL#9(wgQ(V)^hqVNK^PUxJ{}rV^PBP7P|);cv{J!jI#`o6 zESEu4s?F8SGC*q-b=Y&X(DfTOjtz+=#ZXJq>6TZE|<|0i^Fu9ms zLfHR3*s5E@O{-54Xus^?;Kp4VY`o5B&iVlj^ZPc1R?|f6Il{%gE9s8<*N@0*R+AIy zwfA;#89S11V`lkyx5;p1*ZVG-ymQ(QoL7xeJ#iJ{>ESa$ye(RYN_g6q{pjv1q%Lb+ zrlr0jdfPU`kIa#$%kr{i*X{G+!in~u>)&y$3 
zw9iZ&BPJzX0UqF9U+``W+y<%tCWnetsMAgkTz#9CpSBdXAAsKBqbB+E)Z?SpsySkrrLO2PZKc+4e_?4_@vN_Ri}`^-H04^UC;Y&on~YM4EPeSW|jMo+~^zc1>Q21m6C| z0sxE<*ga&AdJA&TX{8iDmWYPl+f{IFI{^FwZKch|CGf&z;<&#I{f`vMao^HpE(TfC zd}Byl+-6M<50ooCOQTD;Q54#kZdWNGY{Ka>u^i#B7li(cM}K@<(^m=y-9SIcSzKUI z>@#(5z8emBJ|6P=T+lWmmT4HvYoHCfFKC+;Z*Hj(UZ zNT$C-c-zWfH1}9ust5cU|CrjJ4TMjmi3%h!{W;4k;`Js$?km|g|ioRTvOw)(q+6Gm|PI}r!oVBN$FiNETa(P&w-rmloq_3 z7cYo3Ao7PAy2DWbkF!p1V%!J=Z242ML1QFmdsm$K1DT^}UHo)#mUL5N_-1=H%N)?% zl~6U3ib89xn<6*Q7w5-Lksk8*d^v~$_LVny#*4iCQYisQa=5^69EV?5MY?;(fF=H& zNRZ$+`|XJdZeD)wNF@Fh4!*A_Qd|qwyFI_Hhg%#maPF@et|QP@wi__+i@vwgg-ky! z%o(F#j`G#P-7a@jib7J2T~Jb-myQxBgITmtKkcY5iaCb5l6t(zPb)6c@A)Je7&jyP z=hy!k{=g2KB1)qFIyd;cL9$|U8!mu?j#&MyV?Td0A8KtY1zeR8Rdz z^t5)l{jPh%1f>Fe)+zi1o0|A&wY9SQCN2RJID!av5*ajZ*QacPy74O z4J5sMt!^d1=Y4$iPP(Yil^nl#Sc$IKp~M$*@%OpWFD0wq`>oil2m$v*Mk4J*1t)La8P+j;#2P{8dikhfa6&R6fY(9Rp zPrD;|?{O~$>aOsW|1fh&_ns}6oc7S+JRlfp%20uc9!$gZp0l* z(V25K1N@E$^$V%WPc)JW;qlnt669m>>EOn$jxOgcnqOh?12xFt{f{fnv0xT3@I?dy zK|VB+%}0LPomD?(LurgM-T77vXn4Ev%Vv-g$S}o!yD<7Jm;|%nY1C8N^HTp*4y-59 zRxIAowQJVx>8p;gLf8yM(=%u2-x-8yTd)n>6Jims#**m=(GDhh=)&n%a31IirRqWkXk!@!ac^ z(-r+H65~eu!ao`aGb#V9;!g`?FtWn|Z+me=uB5s;sphQnxwtL^BoekK^p%Osu@?27 zob4@Y$#P?3H_?aiQ>nu0V9kv*Wo`Mtxtrep;xZeu|BEBp1bdb}rDs4U$_`Ei(o)_v@%|!o_pQXRq z;WYM>ro!=KSNd0~lIgXb@Zw6of_dq2a^*xuON@_%-p$kI&4VYj}(McLy3m6y*(rM6L1h6U#M4XEG2sy8J4CCk`X1fRd z^Rwq}t%Kl@(I)1s;r5i8%ynyG;Wroe#F?qSoGN3y@QM@{`)Ii z7B6g^q>8|2wGw9gylBvd`yPX0Lzk0rJbPDLBM(d#TW&9E7dl6X-JR1Ko)|5sX6ftHLPjBopKiuFE1{2WTfZ8#iq(BCrh{N$F$XE;ap0 z*PJsHRQ>MH9x{BZ$2P(7r>9MlcH9lee5)4F-Em%1k=t35*7y4Gj0X1H*UHT=Wn%P zzw(RTKTHwfaWZW(hK4&uHFD5C{--%Zd#VQBxKyzH!8CP7FRaph3WXA%Pul8`Qc zcMvokEz9}$J|Ip%A`QRS6P$m}vm+6=217o*Ha*B_(1bt*nAJ#iG`!57e-8bPh_oAg zH&$J0MQnMoCp4k3pY&x;gWu%~wsq~-&8w!L@TtSc^(=A_6@e&*h3n>7>*o$$iAHSf zlh%S4HbSyGe5T@(gu<`$sw@nl=%29%zt@>dF<5Zo1^qpE5b1Tqtd);p9)ECVZ3-yN zhN23hq2n$m*B@P%qxmQH)_5=%%g`n>d1`tX@K|ec-&*k|b*A@qjTy^58;d;Z7w^CL zcICJ-43&`*BNIyZwI3-Kyhudq&7Drrh 
zYX7wsObw2$HQ*1eV%Pf9o&}?}aE|jgb_#E3&%gqAi*@3-z_Gi?Un>*K=6y6{k7P}; zyb1JyYU_b+7XyBr+1nL%k~pP1bgYbQKr%o zSA)5=uy)Y^95Jd~Wq-=M>vA)G6DNr?=0w^Et3-HluGtI+mt$kQ^$tv%$GN+oF-Xg7SEF?@QtlIV#UAzQ%RbGq zq1J+mgkC4Z5xICJ2KhvKsiH>RHrRT!&ay40=nJJ9DbK}9E6ARRQMRSUS_%YfL-zuT z{zfKk%9`Z#v92GKlq%FI4_8+y zf}l~#6hAu8rF!zL*=VaEoOB9hGAT>eE4i3tUgz7iRJ7qX2I-Qc@(d=;^n(z|8_Fc+ zk?c_IbWh}jsc2Rc3;n#sUJrX&t5(9gaJJXf1e7%h7%h9!4n*SZ&m{WWHZ(JI6Cudk zmi^Ow2hMNtWVLq`A6fG+E-dFtAf0&itqtJRhIiYIuq3VuZmuV+7yrx`%IW}=%_48l zJ~%uc_hbk z>UD@pUSpXrMep|*^oFVC9EB+*TPMY|N{cQM1po>_9ZbdEY7C`lE+Q|n!XnA7}wlu`5LEPXEwVD?r8YI2T5(5HFF zP^_3#g}*0MsE8bY`a_~6^Sc{74>DkEH;FzAVa=of-0^loMb*;%#34e4ovwza`s}J` zx7~yVxYn95x#TTYN@=0ci^D{|dZVY%lC10*(G|Z%{G%zF5k#?c26I`l$QYUy)oMVu zT~_p-hfj$9b|iwMzseix%?%8tTAE_ahhj>>#>yg7?W=Hi^Myr}6m)b4Y>U0vxpcxJ z&atxyY0|5SV%7@Ht8Y(<%3!;Fk8(P*Ik&0lM7uY{l@G_s>C7=^!#6mCHCvBA=t=~Q zl6ty>*T_zO4+rSt){rysoI75e_YGC} z#XEe)ziM&Ee<;Mx8F5w-XvzX3>d??W`J*14@_1YA5mmIrYC7d&lU?yKU>YQn78@ zHdk!hNyWB}iftzqCl%YaZQHirJbRyg+kMYDx3xRIu21XV=4^A0`Rjf3^J|}IMO3lv z$3S6aTNy`eAos$>dZs6Xra9|)m9XFEd?c^skDj6TmjJoh`}2WImI-oc%y9iP{4-IoEC&vg?u!lL9=UZGcdpFGNB_H!2`{!?3z-lxkU zJmE2iJA1--8xbTY-+uOtHGNXQ(@9Jh9C$)1iJ;d7=jiOnKV}0C7{_iY_^%S}i;t=R z-obMb_~Q;6d|$7G@mBMvi5+t3YQ0e9cg=29?eI|A3^KMABNbo8|kRylcX=lpdqE1tUhp4Kn8AJ%s{1W%e9~e+iPOwmJBdwH^)>!u@DAlJ!;~UTHF49Z21n`k} zh(sL_vTBpGl!m#Iisc;KqNN%7W@-G7Q)xiW+%R!NG*F?l@H!U?ieodKFYcWZ9rCA| z*NXVil7ssCm~tfK-ICRFpi9U930n7JaSBPQ8^(sHng*abns_^*;uopt=+RY zNxn(O?bhN>)2wLDvhvk$^~&LBs1*}m?|oAWRGo7i>y`Q zfjaW3%_glhO0+{JgX|%r#=!K{BgPV`pAhQkjiObrPv@LRspjMkP^ks>v*P?F`u^tY z(6!&HQ|%5NQ0Kbe;yCv9CEMq5zvo4Arp`uG}r)h8#C3=$A@|E^hZOjaq?UM z;gYqSxzLL)yj(uHD|50X=aOf851Q&4r)s1UwnrWse+!3h82c$`tLtM4>*{-H_zo+g zNcyi8#jrjg;+_7QKA)s#NU=sqs2y;9Jc7q#sS7;|M6+4k3Yn%GMe!TImh?3x^5ghoX+5I z{$2KmH*JWTf3~|Xo@uOt`LJ|xF(p27Hipx+Ml0aQB5=P?6CS_Q9ZWb-Iei%!(?gFg zuc@Z}Br(VP{V8R&?_bznn{@fReckbYd|xKRT!&+Jh#&;%nD?+)uz(0d*g=7@q0%9) z6@kGPms82?s0E%T#q%d0HH=~C4K8cX+Oo?>YW5FM)!=FM_j5sqX)PEXK2(byxrK5b zo`er(NQRJXIyzFl+z#h;00HbEu7D*)>qA 
zuCEa$$cMeJC})&u7HdE3u=TN%&=~ooNmT-#%JqKcV}VP`V|3&_>il}6Vzm$m76dZV z+feM>4*0_LvDU=`76e#qCnxaOZjH+Tel7-;BR0biSJ&1ErXh&c!okv0FJ`T5W!Q~V z2KhVU+GDn7al1<>)-Mld#FVm{Z6?SKe8iTe`m6=Gl+rJ^@&!#+tj6h{V~N?8#wIz< zZ<6_mR`_gfEtM{VPgNDGP_K;% zgU4~lKSq}NcgQtN+2xNHC8xHMzpnWxYRukdM~n{d{2$dok-|}wxHdQlsAX^rD%Are!lJ5YT55F~ME3P+`o;nIc zxm8RrljnUso8A!`>l0*He1F1Q31Fq!C!qF|Nm_KWNPUqu2^(~>Py}NR^5f!7a%xCV zTr#)iKGWV;06Y%d+2FpymPWN`3;g01Yek3dC*BThIfNhnNFRCTXjAeSo^qnK4S?Yk z6|tPD5t13NkJ@3GY39@`xMfE^QQgGA^jMz1;IE5!kl*a?;|^1e{wOgb(U)(f4&DW(T_;o9(nNj8QLCLPpQa3f9#n{0adL-Mp;-~}yja`RAt(LN#{vP;J^ zd81%QZ8doEpxn6zl_H`-i*%)%lVVarnwnuVLYyf zRa$ilc#f&yHj605Qz9>u^K06T!vD)gBv+`ftZgclAMZmNjdS)TI~ajZ$tXb z7=1#4t)G7D-FVfE# zj#`|0A_4&mZpL>M9fn0LyFn^v@3uV zTiQ=eKgG}cDy4Ek@IK)_I*>Kav*ULE3O-ejwsAqr;`W)}xu$M)lsfC*pux_Vvejke za_HUnZCPUK)JKOh53h)_^taI&y$cxnICV-d2hlo3Xbe4X32v66$@X}@iDtX3L~fDl zwKu`!6~HJr!BxMD3y|S*59R`MYs?cxSD$m!7U&tx#Zxa=-Vqb^=8#%%;isF=Tf~mU zdMjVX*YT`AY+e{QeXPortL9{0@4dkr zL^Te6bGh*KAc>7-1z^!5 zg=^V(vLxOh)C22bhnh{KP4A4=Alj8f(6ITnAqK}=y=LDI{`i^+~ zLyhWfT)%ZL;Ry_$DM2uiN(E!iRm?FxB{TC4x)|!KH*H$#{3546XHV7fq~nDVm?k16 z@ApHS$~V_4YIrtT;hWU!jC|UxNo=c4#ZP|jU}ubK38+gom-Iq<0L-Ln8$vK6-b zIHe?8n6>AUsxC+t0(h*TjpRB?ZlAZZ@?3O=P%j18XDOnC{_$~$JyG&1VYp%;{AE*a z9W&)z-elG#J2)60LRt6KoBWu> z=5Tbve`E6rxw$C2dcq{~_NqK)H8`b&_iA@x%(Li;)UoiMs`=Z7$~2ZNtz#xOy*|*~ zp`38s6pwji!C;vUEOHxP5xVmI29UQASWdxvD3`w*mR8=98TmSZc{tG({IRQNR(h5X z_!n;Y^&4qm?0}W}&20bR+qdhBxyX_g;F+D1`+7A(eDgA6+kvrl0{K2|O$g-fGp%qh zS+8|4G+fs4Y%v$;`^h5;8Agv;SNVRz?SG8V#XNV!%u!_S%J#~&J$uUy=X+llfb@k) z!u@@c#y+2m7jsIy>%|{-1vVf)Xm~vGbUjU&F9-_??p}#@HPWi|HPx)pcY&och0j~d zP6WI{V8|C`0JB!TA*WKn(tLKsp7Vb{TkKwu;j?{?0QO1GF&2x_$T-`JB|0W+qAJ(N zq#mZa{Ctz(P*9KGg-odql<^D0$fwQGH|4sf8`_qZmRTFw+ddhAjFwq0r@9B(IN|J) zo~CLBUMwc3tUoipCw>#09O+4=KS`gr-`$~uM*e*?Js4zN9-fnE_su>?c(T*8maf?B zGgD$BzfwXzsLKEbatG*&>`D=$b3ZG-D*ki%{UZ1hZz=!%|Ehjpb?Wf)mta&dd2PSLtB{CC@iT5gC~#+cd1v$e(fxQ zO_@VO06)v6r5TCyb-EdKs<^NBD3|Mj+ou!$YA5}|HgZ0JU+c@<6e&85UF&QwPld6f 
zaPOF{(Xzp$n3wxK?PR`USY*Y!F=E$R)8}L2ul-I0>hiYBig51W_7@gE@MI$}<$3pp zp@l-Wnti_5o;KY#TrkC0^V!N_+8#Ey>U5XbpZcZOSV?dFGO>`OzcCytj27)~Z}xh? z@KAnrR@l&qz4F^{@+y_3PlJ)gh<;yb#*eOX(c8QnUsxh*qAD)GgSMC*Y#(A`xb~Sq z#0_>)F9c{CywBuWrr0E_seM@A9aNOTCp~h81jVWB?!E_g za((LP3(IuL?90+q6cT>aX)ZiC-sha6xR>f|w*A316kIcR?MIpGmiXawNo(c^*Oy{- z_pc3mFwpFyI4mR8pjhy7)A2lgywb55-yKb#j5j|QKo*heT7huo5=-6#y%Z+JyQuFP zudpUZ_4zhak!Zc)`U%JltXpI{ll=n2JsV8Hj-I)bdTT}!v#tJD9rSLo5`=nVPG2zo z#4=khIdN67zDh30Nh>}c4PkE9QWIy>(<6XZgzwMc%RxTQSMfmXbI41i3js>O+;$_+ z@?1(NJr~@O0{9@U-Fe~RwH@Hr6#s#K={qFQ73CpqXJ;fD)soZhp2Bnr-$Y~U7Nh;e z?|%nW|C7QYFqpGMG2=;@nUenaX)mKU2#eH{3W9aTKirdk>DqED} zlMv0Z?d|HGCYL13(-_4Scmg=Ihw8B+z6cTDv0 z3bI}f1Hx$5fNo0st*3ip`h)Iu-r^g0NJ651=%XY(r8!}@JKiQC?i+|(!>@C_=LuRr zYEzS0syT*zk&D#o1D2G&K8PDf1A!O^BXfC%(t&Abu^adn!C_QMvrjdpu`i`NN* zq2(Cjoy;Ddufu>bzN`Vbb$xEO>re@kB znP@@A+DtD*cjSkfAr{%>{F06an4i239gln`E$Nr(e?;rLx@D!2g?5+Ty>8k070bh3{6tw;%DY|paH3Xq)LRB+`Tp!L?8bEJQ zD8tX_$s(Pd^2K>~(|~RQIq#qE5=?X~&C}@%X8y zF=NmSxbl0R9+tI8z$lcnNyQQ)*}~kf1%4LQ{h}wHdvd?LO^#?cPX|h#pD9+P?t{FG z$S!tx$f_6H)n({DS1SUS$MISR!DciQ(BWLt&W^u&s;^%5mNnYxb^9$FfZ2ZP%STt% zx$NShNcJb)ooCM;S{DYDBUBWh_j0rR{&Sa+)_KmbgWdKEM?u>~+fC%_){QcJHNDn@hY56Gi=yvm5#77^sQJG(&LO}+xOVd;J z*WlVk#lWo;qwtzANlIK2PVn6S&=EMzOo{ywBB2llZD1z$bSlozM^;5Xx^qr*wG|RL zu$c(cn9W(7NT0Phrn4yp8RwQZROvGMJYNV+ml3tgo90lBstm%z($&!(NJLIbV;svC zOrCf#);07pr5WT^mDn#$Shrk%xzNv(_T)l&IA~Tg7(DoI{K{!PP&?M%TL^&TI(q!e zGX!5tj_A)XHBEJh;qXVJ6MVh6PIrbVOSZf#uxFQrnE3^8m0``-MytTRB5WSlZ2mKo z3bRcQsAA+zicrZ3sXag=ud~+Fq3B-DOHnQ!K@l*fNLTt;I~bv~nMzC%@jAtNbNppt zbIUP*b*02aUK|MM(BaqOTh3qCedUroldTdTr%MLBFRneN2jFAMmNs7~-i*b3le#NT z4L6*zuBz8TiA402nUCT+lq)5mn9nTr`vT+*?9;$@o~`%B$i+CR6NN4~nP9y9VfqM6 zRb4m;lvB2Bd(fC0=X{TOo8xXdEx}MO7n`b_HZ#XC(2~ zK#UTdjwLD(Ol1KhrE5#YiVsjEdJzOn^g{w>dG>4GP<@BEr3OXa)lT56s^R@(SA@F& zYJHU=7!&x*>uPn+LFr@Jmtxnjd1|4SJk57G-RQpude`$NAfDaD6K0;==`5!`I58eMcdu_LlU*W?*8Z&$}>a*e8j$BG@ zs@#Kml_Tqgfy3gsd^tRSGsM)}Uw+<<^qi-*rChTQ5+hOH;z&8($jGpW4c6xe^(oRB 
zBkLi1C%e~GP9HAau&_}JE^#JMxVvGU1vv23pW^l#1~qR2Y5+iq0%a#Fd9?YNc@EN_ zs0*WrZQqC0Mcd68u;-xhs=t|*`9y_-086r9_J`{Kf8hiI!xcl?KvquebSF^b$J2NG zLa>c-K;F&v-OEVv34a^zel(r6L1@LE8V3H_zzfI*lX}lKBzW+>$-^C7y_Bx>TP``p zVh3*FLFj%8)#Vk2zs_AYOs)@zoX~`VdD=!b)V9p^)+EnI${j9;^C|puZ<4k4t5HAoVlc4 zCftX7;#KgpQ;v4IXM{4K1!VL|?F!MeqQ&+OSJ;}$wH0sP?+~SU;w!{L<^LVml7ox? z55USSnKvJ!&FND|m~}CZ7^}3{$s5!myPJ_%I1}>xc`zkpjKsbn`^`0n+Ef8YJ$-6C zKF^8!;7@Mx_rJwz(A2f4DCQf%Wo)jDR&KaS$`sw*JkTp^(ds8}{&bv|xVf1COmm8I zBX9e8dn0EHr4bS4{2`+>mk4Lw>CyH6ihJ4x=+G%(_6SwyE#dos=s*rX-kN3@4o14z zaK)yj8Vph+C9wDrK8|%Xf8y0K#c#kbXk6Vw4+Pj%!p(&4& zS3VbvxkcCL8qFFirHZ%3Gm7z*&}^a!fSER98K#v~D2+q~`^#aY2eGs9u8z9Xd%|tb zkEAB+9=F*`m;b4U8GV;rryb)HrHLsOTZauVsWJ?qE-G`fLg@c7_Jn{|_S2Z=7ddZp zDM(8w&+7x39TS7678t@YUxbOr4=jT|ZF|@lp@(~>A)d>2M>dm7E`y)?dy8GUr?9vEYFaAsTF8e~lNpm3k+D&;B{rQq(^zP8Qq{13ayj%vQ zq1rNeJZ;0&J-u>2=*TA1*2K7*=!Rb!Ku^oZsd^mQ{&T}4`Di!Jv3)pqi@lONy@fYV zy{-3QFMI3b2kXqQ%I6H9p_%Qn-#Iz5HTieTIDaeD^+bV)h1@={at*LwA8PXR-dU>{ z`^C>Biy+C0jH_*5(w)826}#qsUN)vq1^5gwaf>o;%}4)V)V-e=IYK8~a=C$}$8rnt zvQrfiy*@)o%}D~wSo4h`2}(LbrNHW!5K9%F9VY{m9$uilD30k?VG4y3{`QG;NS?7I z0k||)Q|>3Qsf!yxtTde1?oEK`Z&OiA)b+{j@mkIF)osWlo?9v-E7PUY2TklAo~yV- zO#e|e0Dg-@;j%_B`A9uo>3sIk6l=FVnW3)J1H7~bJ2IOAMW9_>Ax|7?cGC%Zq>As(O2v)j@Fs~XVwe#?CPL;ioF_#E0QCW}{A z@BPX1TaSlJ{O{Ws02kLGZT^RB8=p{6x@qoCJB2Elp#mxX4Btwg1PLJ_v%W>Vgt+oA z6XW2>aZFTY9?x5vH3&_7Xel9ss}3CnDNjtHytIRi9=K9=4lj~;g*urR>+_^0=aJLm zX1uOJIi2%r9z;>_w*a@w`>BvtV^m4j5@jl7Dps@k5@m;d2cWaw#bcGPY~CXr=7S`q zZjz`3(bgoOPRU`WWT)9#7K(ibd)#4}8io|aJ03En5Q}e^_lFMB>_1eus)CS~P}AvA zJRwn>XfPE6y4#ZH@L}*~Q4@}p^4dg^|6%(FfYavCWD&lwKa58@6YxFe*g1=8cCPLo zn8{KrSPomvc5N49jNim8$Y(l^U9?oSRG?6>P%%$1P_k5%PK|(C9Ra&Ap#cra^+l?Msl1miNnKQ9LV_-@qi_3~5h-rR;kuhCE8~ zgq#w_g?s`LCSc{`a`y=<%&C{Mb4KBxc$SX7eB63$f-?a@iyDP%9sZmR7psMR6=@8 zLEj`1>TW(oxNFqP>_IBe5LI10l_)m;O|ok|GXOM-!n_S`sWPn>;x!cloiRSp?TUPs z%mYmwqhnuI^|my6$KC0$%lKd0-aQnxHBYS$d?UiG=KMWm0nx+wwbnodJHQ8X{L<5% zXF*pLYAA`?%+rymBE(<6Yg^87>~%!GJMO@o6?{^KYoNdaP84N2%EObcjH8k16CFpu?SRC+a?d 
zslpLMU_PU0a!Qv&h(O)-@a;Z2lbffcEHGO2S1cW^51jg~PBQ^N&&U%snv8m~B0oGD z9vmS%%|d;%#7y?^sv&Lks;-HN_(Zlehk%V-ru2?FWsK*`*0mrh%Y{H3(+TM?`uLK* zn$pO0V3<7iy#xHd7gwQjzCzjb@B!umisr3Ug;zP;kLl~)KFFz3ZaawgDCU^DjW+pE zI-ymBmf|VTsm$<$l$^*$ZLsNoRY_BE91tLj8{@ISn%Ev1n!JJK$aQO_pNuVgq56MMT`qMKnhCvi#r(oId} zkRBaPSC{BT!7bsFb>5rZOJW445$xP=h<5r4M+aI;&wXEBGim4Wg*DI7`AfQ zF{_98K_eNWQZ^L@Btu?qKdE%Z2viAp%{vi=)Tujq~{k#aijg z-s6QsmOkZ|b`3tYtK1&88a*1AF-QA&E5RaDsFJ_FaiFmQ&W#071l^qa<|QKF5kF=t z!f9V+(9X)WCeo6uoq($YVj#lE=LWZbUtvC{zmgW1GI_#r!Cvg8W&+2HFSiNd$N#2f zxb1vovSMS8@;Po=9oewGix#aANT?828)uL541HJiqPYQEsAfdmE(H6J@WSgT+i^OE zEBpAEq!I@|bno&AzYu?hO(KT$F^SQHEKMyT&A=x8#kN752VqVQ&mhPKrMpoMJ#uQI zpZn&+bzg+L)^5%&J_X*;-<2=%h?+`1-vDQGjK@7OF8~D)-Q2OSKgNZ!{3dS1B-A(d z_9Q`}kLg0TjmivdRYSa2g~dMmXU}V- z!0)M;tZZxzo^pCE=A~ObB6p6JXz{4AsO!&o$(^p`_>c`+k|d)vV{_%ZGe~)A)YJ8d zO6yLfF#94>+s5iFLx8`a2lnU@vd{N;3&=>w-oU3VTME_bvPFvqa zVs78vypOpJ_kM0o$M5=j|D>xncsW>uFO?rVXvK%jBTbn(aIHTPL$B8pV<=qc-c)8t z{H0k2=&)Gto}(9)Qp_b;-hj`Sjdr3ejTvu-0tRO#9vq9{rs7u!2a50+^q5jMnamyp zJ7}W8Q#hFDn@l%jj|N{d>96XjcH$Q49+IXUgPOIN*FJ=suOY)@otnbkll<6;wAR59 z65#)(86Ui%sU&gp$ZTH&nVML|kC;^~(C-x6KX50Icru+G57pfam$jBSo+>ciZ*O6t z#^rRJcyZ9ZETq{;t{PltJEVdYnI@2PntXhwCEr-T@CGC<|HoF}PvB5W?~6E66=v@h zCXGGB7CY?(NQ};Kez}7Ox&VaSe zKtZ6sWQXpf@-P+-+1sAiWacL_n8KVOoP*=v<)(r>L2W$aV-Fl|6WcLar}K{RG56GH z6qqPRY46?&&zq81rD|unRTPgdQq~%J2?}-p@WYpRAj=!A3NN&+@q>&Q@0)h55Fa56 zLpnA2<;l3qfuA>SL=>c@4+Qxnw4q^AxLOqw4r-+ zRG>dTpm1xd(w&jN55LIveyAS;(b=6qU>>#O&3|G#cX6?q%w=soVd*B(x3Kpi7irTP zoS{_P2AR&RV8U^BL(AuXEam|E*4b9V6CB!#PVttmG-ukSl%UT1*Zg$=7r=b48k0 zIZ^NM$=&ykMg&&$%Jty-+2g8T>ib6g*A>xerl*)#f5w>6bVGHvPTu7s>_|2J8C;l5 zxj;Z?uE{;fjAkJ!=0R(=%I-XouVd(;I5-H$2(-F%HeD7Lns99VA@bsFt}*myi;N?f zi|3p4U#>?W_&F+tvT#0qVe2{#qzv^V8;JM`1}_u;yq zqEUjkek5`7I$t;2P{YTY0(2__Sml*|NR5C$tsP~C_@ccC)#eG*ac#hi3U*rxiUgRA z$4sU`wp9n&FrHz2X+fMEE7%Vc`Os8nnP=F>S4J9L-EWEGw1?tbnqHO{g$;Z>8$%^4 z*?k&K4<$K5CC@t?i_xzUalvQL%fa7`aiE7su7&uzG58;`Gv})8xW@DRceO-gd@9`k zqC6N@M^H?-y~R|J%dhRozG0Hc*i>2H;!M7J>iHvc`CH7by66ViXYKgL1XM%UoJ5R> 
zsM&{j&-r5ar{+PQeQJ8HlZuAsW#pvvT0C{P*X=J zHccG#zQu{=@x@+uT#N~RcD%!AfbHBolrEQCsa+>KjNBu&>HA5h!7s$e z$vT;z!EB_ID&sgGPlurI>YsOTEPa^}F!m~olZj-kq&2`pLced=N6{ZZi zM?QtMS58G2OPzJU&^(OO=WO}8{~G1=Ou^19CygE~bX5znWfBXda4?Se#dbHfss&yC zN^*5Z%j624JG^4(^1O?R3VjR18T(FPb?(iX4*el3OF5c$($&@EaC=iDi1YA0Iw@yY zD9F7S64KGoIlpZD&6pgM?5p&)0O^Sa+%qPej1hhTC5JpY;M))I=;6NWy^C%YrNwlV zNzRv@fvKn(t+0`!&a}-*ZHjkTLzQ$5Fs)v4pozd4>tO!F(p~FDDXEU#$!t%JN8SJM zS<1zbyBA;g{M>poq&7eaa6-=R#LLWDQ#_i0GA0Y6Q2EPHgwMmCN7^LWHC#lhR;_a+ zCj1*9wR&n9R@izo<1=RYQ#I1$CE>B$1)79t9Q^12xWpvh9{#2>BF(FngIOE6<@}zN zGNo^G@M@{kO4mE(@l4MCy!+cF$-Ze5Plg50m#`H+LL8ooyWhipQ23on$S1%J?+A#I z(`gq;d1nH>y1;f{HD>ln@w(Y$5)au>a$NH7G?pr&t0y+QG+5XDD{-$i66wgA$~xsw z#Dq|Ofob*iyTh}OkH!^kjGkFxV|na0VIcJYRZ#fa<5e9p@AmkBFy+PR!z)xi&#h&> zs<>n-vJP4y`fPkR*2~g6Yq}{b>cw9Q?-OE5)5at8z z?ncwPC*Toa|8CrQWt|}hq5iNIVEVSlg6#uhov|#j&m3P zJTzp^G+n&c3hjkFAN9F*tNBVpNEp|1^r+<@0NmubdC3sf$(>yFhW3s=Qw2y;qP|a^ zvByKd-FYsdN9H{6<>NH^5z;h^#*Z(d>i0|VI_Auk`Ll*B$4Z5t@Zai z=(H|pf7KV?fof%u%;U;q(yInoI?NYqgq`$LY504xvOnLD58xgXN#$E6G8M4jq=&#% z9*I}yI*CU2VG5q=ryp)yPJOr7`k@EQAdnK}`)Ts6vEFsM1`pp_9;j+Rvigq}pkD*A zHA${h=wC_|K!h36x7*lDL=ETDoROr{?DL|NlK$6FHD3e6$PTZ}sdKco6KPdOx#W9< zJix^BtMQ-dQ_aj#O?g3~A00D0Qx7Ou%zu2{L^4LGNhySPEsb6-%)52fp zIIg(j(qEL9%eH=z3V;X8pGR~#hJBHDvb4R=?#DfUiRwOhKE6KhxE`{DsV%%r=ZqOt@^%KIwd`bS#df z5{|A8?p`YX%b|W@XqfeHhkAA8QR_k4x-$XwO7;l$XD>BHBsQW?=CdJ*O!?L*>3_3| zKXRL{Q%de!pZR!w_qttnsifXtLz@~yB1sKE&n?Wr;-LYd8yi`E5L6h;mh^*v%Pd`= zR&mcNH!zmNk*ILPotA?tgZ%yc`p3O|e^5a&=O6oAK5ZO5WdOD(*Y7r;+K)1yc#k@c zlt1mjQVK`{;XP|hg6N!!xgA{uAD+Y(hO2A~yWFvhK$lF!cM|C z**Y9huN8;>tA$+Tep(phk#9 zGsb5xKJ=O)$&UcWti!6_%Kw2g4!(@;-PUV{#{v>@AUxC`JuAB}nlu33zqiIf58Sk#I11?tV z9vJ#It7@TAAJ=4tvvt#qEt*W?LeM*V;?|wsd0^$Is|0ci;oO3MBY$h`(xN&_iBy!x z2r%Z2uZ!kDeup68okrX}`p*wPg_kGBv(?#M!;tV0g_dQDrOq`Ddk#q^@whLB*)W2g zcl9>niQ-=>y|BxIR~BXQ`GMpY^{qH9#)Mk_(st1d^uCD6g`Z9MiIWY80?>gXo-(122?l_1J!8!$QkKbnJ%rf9Ly>a5Qe}&w%~mKLVnx<} zLwS$3I$t+d>9&fVzA0$Em;)yUWhHX1l4>cSK$AMV8*KqCLm&hOmW(OTm_l{zQpXyV 
zGaUv-(_0|9-uytjE#9a?vA*R+8GzJ$`&wARI0BB4E2Hfw8C;eNare;=Rh+mda#P zEriJ9+DoENyso)MeQ&bt>+Yqgz`lG-!ima+*oFELCLi;to6NgxG3GQZ_gewcW?-qN zHpEAQ

    =Nx;r}pP>cD3NE8M$3Gh4g%+;OIy~L(Gh zy&@#^`iKvKgA;uvNSTF7d5Spku7Y?Jo=4u%8t9&Wl2EO$@PBRPcO^3nBPbLbOSxhW zF`NJ;Knq#ECc2|;#c@QEh7=9>)ls8%MlGu3^}7uW*kNBP*B`jBC%jnAN+M&&XYf{* zhO4O0w2x+TBhkuP3n6vR3Y5vNRD~@MGIlEVx9wv|>YFkAvg&XRi6+qpbH-*Bzwqzz^$MRVh&9aw|*3o!tQ`(%8ch9%`v_Q{87TXHkZJi%&GN)K;cO8KF~_ z%TcQ(br1oWG>BA}wEo|Drq3-JLZ_@XhUb%ZyIXQ8)NbdEVKV4BaV}>dQcZfF$LUZ; zQP0l0T6iCu*}={kvwyb~wegBdm;C>7N%;1Vrkt_VTZ{Yx;+Jf3v8KE{3-Cn}mvk~c z$mx*SVvId>PM@))hS6aU2E!M#iI1;uqV28}XjEsh6uElH#VU7_DAm^K$yM+^He(L+ zdqsXOlu+$WR|R{5oBHE97Cg_0-P2-#tj?P^=o!MiH%iqS-N9d)L$$Zk1U#1Q^v4p} z8rC@${qGsc6jNLrPD_Hqg_eAAHms7+X|0{Po}?5%UT2(cMS0DZPr|ZNLJd=0|GEX( zBqS#lYl=$%RGaec<0zL2hl=4OkCt@Qcv@o#r;lUu9%Avxt%0rwedt5vfs=Plcr@(y zzeu5r!uCq!FZrAGBfy6?d`oA1N@s1((Gu)&k4s7V=V%JLItx9@*%tZCdNoHDx^&_A zjfNG}j8&bJxv|nE?WJ7G<3_4u8!vT{=AWkdTd^6=L{DH(4DpHTC`L>(Qj28sI=j3uuYQ$-O|d>Zcm z1Y9tGCv5#`%|5hDBl>rJ@uY*M#WUSw%>Sn3ZKGft z3+NcdoNB|$mMh?|oF1rGB$dQ~DByu5KUO7@Y~YetAjgCQc~& zDHca$IZH5+I^!ie`Mna_b1L|bMk0Fm0#-IBqDVL?T;s}&(hcX1-4-9PyApwc*Wa=8 zO`xIBXM~Cb!B=6)9qBkiW2ZB7^kdvp%}dJ?+Q(3s@;DmqezNO!3dJFc4VOys&}gMO zVA22GS0z97Nf2BvO2eUM4%~o?_-?1^s6UYA*XpP`zGWK~B2bfW+U}WTM@e14rZ!$Z zP;wRslQvUv`P=ToDD;xa#q}h2FPm;v`q6sO$@rT+C<#L2&&*IVQ)#Bxw- zldXpOYlL?j;vdOQRxhb{NBBmd`g&_N0(2n(q-FBCsdS@F@GV$4Lg{2(N-Joc+3ovr z2W44a{9Qd}XfB?EgRD0F)B@8Bh5Uouim(=Qxvs9`qm<(A;H|B#5J=yHlocf;s3rF* z0W&QU_KHfIgmZIa9&$`UYj{Tx(MibYm*HCT8FE%S61_pz=i?Z|Bl>{PQ=Rvrtrl6~ ze`@~=B?^hV;p`zlr^M86H+cp$b$AR z|3s+o`(8)4&bV9Rho!&ZU~oaZ*U0zUE$oQ&1_aVkYN8--9FB8b4ECS59aFj6lQUN^ z&nyK|LxWEjJp*NGF3Z!8CZ*BOx9ubK<)xbO_MNR9DLwohQ%3SMK%A3|GQGw>(lCz~ zU*0K{);W=-YnsiB)Mt}>jgZJUb##+&-9c+nFgF&fsdp(~^vU>Q2oFP~avvWzq zwX+)}BI!(4iy$6sv_YL9B&~yHA(>vbiBK&+_Z{|cVfHEFOeta|jj5aoV%7(@W#PmD zI>)ia2q~4ii|wPrs!(S&%ox^cA-kX;iHg9|_4HmnWJE1XVVa7z4(~=V`G@HHF*ms+ zzFsnmiJ+Trn97P!n26=|7Xx~(0FcO*Q=Ksg;z0Iw&n(g~qGi(r?i zmU0oPcjca`TTY`!bQP(>2P1vz?jC5Q%r*`#3({!Wtub74N=s;+Ej%w)B}tiiQL<{SgxgNe^%(MW9AX{~0v=%d_gxN=&p*19Vti zR<$h0>VEtJv&1(uCxiCDA>cW<@ZY^eOt=TWD8=uGKa(V!aAXWI#*l@AHxk!rgMDvu 
zj1}s5I+ZtQkfc<}Vn;ian{W19urDpPgqcOHcRjAkw}&b`t4Yv#um!-1eS#PeH9shH z+qVy($PdAPZ1Az&|wXvQ6TBv(sVNw2S~5Uit|ew$LHTT zs_Fufssg(rg1K|Bv@vZ2q@N4--%(^4KfCOLSNY9HixvW6eS@J2P7}3 zUz4&+#}Hpy6G}&dgaVO>reb*KKM+(ZP{uF3gBT)5B5mzUPbpK#`{eN$d*R%0u`)6uY&Rg0e9H(-uMcGo|8_~b&kEW* zBviK>I_61dIDWlretv>6M!c88`^w(z$mRYhwJA5gvv@X7ON zTwpGKRV1a`>DfSs$A!5i6;KbvSTrr;xI_BBYbGc5TJQ{Uy1X(pNJXzQOI_c&_oM+) z=cK>#32RCYw$2=l3K{{YpAtIsjO+iQ>nx+}`0KXkiEk9XLMEXcZC|+JWG$<+woh2#b z@COE*(fWGJx(l*%TPoR~WkK3pRb=lg_`K*)=8banwxECt1Dp((+Wcd8UUl)Hz(7R% z^Y#5BUW!BY0`F8W+)DWJSt0R$%+po(KZBG9CBC2jj<*OfRy2BeR-uV zq?oP#hD|P9x2__9@yz44MhO8k(`yX`SYwk7RYJ&k;f^S{8N9WNud|ix9*Q`+^)QhF_Vhh9&R)V$>s?nsC zE1hCE)s*`Aca^l&j@1{TZ%fUsh00FNRY?^5R)C6y7&mSce>^@s_VqkMWF=s1Z7uf= zuK(uT_=z2HG|&$;x|XfD6Wb;*I0(=|qEB5q#N>;ENZ43Y3^nbE1vxzf>NAUtBLie* z#J#kiQ|10jnp&J3=2D;`le4(EG{gfvoBm_d2*O|&sl;r2ekd3Zfo$n`tz%D%Dy@{& ze)@^n{sz2#%(CioPCH9$46bOP%TH32yi`fTeB+h3Rt4yyWbd!(pPamwIXVb=sdGaw z7fjg^0C?nJOZejCMh*G)*xUFl1PbyAhr_!WnU-wls_GY4v~U|Yw<6haczT&#?a(Ca%n!>f(EVureBvL2$JWi{gBdO<>kVKA2Md_6_V2p_6D`b94Qd4Mb! 
z1209wM8|KPtSHB;6bJ~etvJLQTWKBgq*I_cuI9#P!<}MziNG!LDGm!G`MCQoWN4ml z zx~KE=t+kBnTkMHugi?V}g)qv+<^<$ykDuiy6By&q@5{A4pr2%uWcqBNDtb^@j>MxJ9*q zUD4eM3%j+b{pVx~O)K!x#a}vH(KiFdTc{|*JzY|-?1sMTm{CDtFlNk*g#y+ceP5SW zGI(W*>vq0vz@|w4WE?M!Q}p>mm~Zzfg#UnzxLcLlonX4ZrGJJR%KeW5U$_so@R2gc z4PouKCd0;6O{36TlettI#C+&8aaQhb@ks77EJv-mETMO-_#~rCL#$`rbD4w2nG7gR zQc@7Alw~L(xAys-C=7ZCI@0GGxwwn2e+=_O=&a}49piAtzZP^9l&2D<)&y$ycn9Y> zWyFowl)lz4#+^g>x;3m*?tCBiOcs)J34qr|jXn%Mlz97q23<6|-x%T%0e%xz4UBjZ z{-Od-z>lKCzsE8;85&%B#fI9x90}WOb`=xp6GQ!AH$=kP#$RCg6hu&*#VHmDyAbG6;M)D(yShMik=w3q$oH4YE=>L*tD*KYhjpLR1z&TFau^SJr1 zm+J{d0+Z2WriC+zdOY7|XF5^QF8Wy~__d=L`ya@Q_BQzj|4Wc zTZ7KxOuk1yKlzJFuU~~-UEff>7Bfa_`_!6-zlKZFGCwyk%Fz48J-^QE{&O>) zQWGzdWwqv7J$Mvy&FmaYn-K7N39vPVb(!8C$cjeO5+50vUyKg)i=s<~nesqgiti0C zL1etU%%^x((PGVwUw(Vc$S+n9K_VzH4|gCG#0t!vMu{e0`*iws;i0PVL=*lPeMX%B zJ@>O~^#X`j>@zM{NhBo&O>}Rf^iA(r-hKb{=P^-`_S+!*#}08-VEkI^n`KU!O!WJ2 zZZzzkJ4pq^srsUZP+KXZm58zz1{624gx?H!PelMBgqU+=rn-zla4h>?yNyk+a6FiO z*Zd&LL`H43!!8S|1IVCOKU(BXPzGTyH*yW}`pXDAg}>KWhq=u1IvB<|YuhL#rz z$GrAEY4SH3h7U#vS-1^<-b+aeIHO9Wz#Dtxo;Oi5OO}jR^Qq1FF;O-QNN8bFG>DL` zFb2pMg4O!kXGSZiZh~l-@2aUA6m^P+KL|!WNT)vUerz50+JBD|AxIW>kbbCsh%DS% z>HHL1`LoQfjXB=E2|U=(PAcaMUk3mlpLv+ui!i^6yJ)$i=*NOAb!r6A6g)Oh4tlm` z8si{lrOCK4yuw|7KR6y&u$~`$7+CN_P9P4YEST?8Xr#d7^yHW`Y&!43ZJeAjp@3yY zxMVjY#m0Tj7g^_K>dV+(2E-f4j$N%fwBrhkiV_Q$t50{@?2Ea6;#mJ@K{mpaTSvP= z`+TaET}89$;Ol|!n}gnBmJ`dJDe0lg?+=!kXJ|A6U#RA@0t>T>t*gx-l<2U^t)KeH zO7Vdn1bRQh64KSE(JRI_qf21JqlmA|(fr^4Vi#1b9=op!_h$pN{AIoiT!L+7+RRYW zsKbdKZnk3E&ro%SOe)ev&re zH)Aa3GUb!`a5okcvEP9gCJ{9dD1Z`WZOau-#Ht>jJ-1pbiPF>Kyx0g^(^WPCMa9D$ z@3!TOo9Um#%3_quzMx0w27U8AMtFllB@fb$y{mE!W4YdH@ zbTn2NCesHkzBh=LV`ijp1V7X<+XrI4h=!u=wgrMO2mn|T4dz|AGAEx=9Op-S9ZuDSN; zIq~luq(GtacMFWclprKZ;!l!OHCnj$`_BVd#o{37Pavz{YAXI8vSSoRz}kTEB6WUL zxk}%y_oTTrwJB>bWVVo~1kBc1OTgq_y{%-fL2#Z;C$^}|PpYu}adZ39Q0j&9XL}4& zzYI6VO6F|mjT?)UN;frQY~=`@7~?Td!QKLqmgBC}5lr#)`|KQMG9+@-P>0=XOGNG` zG$%`hIV^&G=|UoJXth!N-(xGa(>>_{mk#-To!pK0=EvAyt%f`l7vu|7pG~o{{oa4B 
z!w;ut)6k26^Z@v8mD*ToXT}-YI#uP=elEoY$6>oSGNzMJ6?jXj|U_XaiUs760e7aoN3Q_-8vG2mdB7~ zWX31XG`DjQN4X|tZ6aG2bQvf^YpcRA_RZ99*YV#32;`VbgL;yWZco?Zb2vJTFGu6& zKLHQQ$_e*PP)qE?n2~0chn)gR5mA_@1EhX3gCVsVP2p`~=jR%`8e@o{k z&Z^YQP-@QRUN0uvQNIq0cD+fG&`!>?Hd9%*he&b7o3lJJw$WhBt(UsrWGHfSh5F35 z&MTN8hd5T)Or=Z@R^2d#!`7ZMTwNmlMPMnn?&U`J-cI)0Tw6&on1*)4ncE*hvBqA} z`uHz%$;0Rvxg^w&utBs%mbPhFX!dG_L_oXZO0}sMt#6|{6!NXL((AdA-}y>*whn6z z(PFw0YFwCop$4t>X)}oYe%_>FoQ}CUBe1^hhEjF;D@2HmS#6a9i~pU4cot@#BTLqw zwi(wM;mP36K1kIDLhwef_%-Gtlm5XdHyfR}o+8iZ&o&b*rl^QEc`v65a~ z9^HiAd3(*k$C9bX+fsF*Zfb;NoyRgu=VwCdKXHy()Rao}v0iV(-}O0S=!3nc%lb4s zjwj6R%+c5rX{0v*T0`(9R^#dBk!A7RbC~Qy_LEM0+w-d){ASx%lc3 zKAZXB*I&R|Lpkyn8d#(I%w~#`p(a-3_e~tIh0kw#DYOjD)h zOa<`oi{h(cQ~pc_tAyf8xn(#C4?j+5$Qwgh0>!X?ZzM^2jrcmN zd~M6Jh@{j3hX+s7HU%6J-Z_aiU)?k~3^+@+JgQ0o)FIlypJA;`-9qpZ@;`mAlo-7h ztd-9f*zV&<;uC|_SO-K_~ocRm6XQJJSq`TJRV6(m4HJijr zN7YvwZ4q*-zyCGH=+=YGyt**0UkZHj!SD29af>|K?WYw%r z#+|MEfj-i&6Qnu&hB9`Ly$@``rup13<_pD@MGc)?N}U%C1KYQy9K@+dFb=>nQQ$702U_;%xySPEQ=91t%M$N<@stg*hoyk?V{n@cB!mH;K zt&P^~=I0$^Lby}aZJQ60h;>$)jV%2Ke^Bfws68Gw;l1@R(wfVn#jm{oXZ?OEBkzrH zxYXWOJmSXh7h!R}WZR?=jDJK^Q(-<2t0E=x;bFj3Cubq`oaeqH?nU!nnX+_e%`7e% zH}39G%3sbWV-4gS)3IV0$5R7zAdZyoP0RR=eLf^N(pna*48-jDw$B!|TqRzfKrmBC zjT|etx*2pk0p`r*wyyd!MO-y&7+V9%Q!uNI;7gq9kNC@gw1dU3oq!k~c9%HzjL_dh zKI09hs?|C`-aMs3D^)7#?X`P{O>tD|B=VuP1FcZ-iHc)1=VM|Gz?hWxVZYy^xmHa1 zzZYD}X~eWAP$Po`xbWL$BKWf7e22cilP}!Tq8G;N!Cgzn*j#OULdRW2z#xH?4G;Yw zM1sFQ?K*pkNWgY2O016hqP~F-iiC_eVQVUq^0CWavMAuy;lDYahZfQ z^h*a-F+j0w#9Jw5B6hYLtIG?G@=h--EPNkM0xb`HZLhk;=8LtBF~4j}&F`repaHdD z%$YY6TMS@AsMLSFVDKmg3prck^79PlPLD^z;WVsP0p%gQdq@BJ(2>+16iae60_w+P>Cpsx z(!;vXMmW$)z#mw}`z3%S2c*H6nYpAEw5PhVI?=hhg}+JVFFYs~d3};$$uuL_4=k=` z-(?Qn8$(o$zQS=|<~9B{3VPojevVnw>SxJkM_*Mug+DUW_(~qSpUr zrH^JSJLjAZOz7ua9?O73MMIroF!|X9Mt#gzHJ^zuh|^d41odR>^L^wALreruiO;+D zCKf?9T~hT?C3K-oIyot$kOG#iS}nVIApyvB4G|*lN_y~=c))$8t{m4JLf#SKo2-Te z_gP~XR)YSKD_Kiwv49)cC-y?e8?XF_INI3@0yV1_-RCCgR6?oCvuBL)6U+)fajN`u 
zj-vqb(e-pPLR82dd(t%nZVV*eHg12Pla!AyD4-=VX{DC~JL908k&;rh<{eE!-xz_* zeLLpr=HN%1g^Nmqr>4GO`*zBb0Q8QRUHc|+ufEZDrG-?Rew?>lf4H!{I1yRuXT}$t zmF+*|4xqrs10+ylJXY;+$^+5n5m_@Fk54hK_7M~h+R1;Dzl{?S(oOT2FL;^p5lu0D0lS!fe zjdC?_Gn=rs0u=Aw4k;l6us#@Jy}~fW3ZCadMcjjeFO*pul&0mhns zr(oBFJK(#qx?GqX=?Jd!wbKW#F-;Ve92s*5l*%&D*AneV){Q@NKlXgV{wYxiZ0r1t zB>w6-9!0A}1NBpv0gi_fo&6tWz$L;!nJI7;HUmjqdVmTv;V}@Y@v!t^?ar~AaebX) zJ(R+9y@XmAa>C*?#$a~uxK%>`pf*|{8$$*tp`=`1{4Zr8-%CO+T_e4=!zW$zaQS_S zDEzH1-RFtcNdIWMv=9YVz;Po9wx0sMFs&AT80<@w99$wcRxE^~$*>U3Sh)+h9{+?o zo4}f2eO33bH5>A1PDg6&bZnA1Etr)-vF~XPIUc4l`hMz#g|hl7bfwXYn>pAhSJ15$ z+}}De_dB|E1BK&=6Tx$;>`Xg0o&MqUfWy>`_jIMS31d`5i~%7~c-z>8{O2T?u9VDc1EB8InNV>I%oz2t%nnWKt+ zKz|J##J08~^SlQ=sHFgjB^cuKl5JBxD|q}lLi09FZSX^WC;dpR`E{QkKIJ`*9Cg&X zMR%j)_iTXkv-*58x6|L>G_G1?Y{dGgL^H~lSL59eX25S_Xy7lApzMaRPw`q#6Pny~ z!A#3?LziD%fR{>|9m+8Ng-xc~_4X!lIl*fkFU|I~Aq>sP8qiak-5znna%gQv{#FZ3 z{ywAob>Hli#{L}>3ix?QdOaC-C(UI!XNMJ|RiS8BlN`VUP$d;=n|4lBTXN>5`VzoN zyOiC2rt5ax4(L=q;l_}_HR*&K(1b(n{ByY4^37Orz0%3YPswc(PBwgNI

    AaedTYK@tC*Gv^{FE$n%s$qocF-%c2on z<0j{?S~e5dqt{ytBa6)0RyLv-M>AV%1>AO|;Y#zwsySx*}f_YJ`sxo!>DGOkk8OeTFp>Oy^2yA$R{~QA7$<7F3 z5~VHz34~J?jop5Hd>M&M#3i5W+Dva?v(;EK@xotm37ya{u-ZI47S>WIan5rK(dK6N z@D;WJLMiyPZmJS9c83rIalHB^c#*!0wG4VPB$ zq5!_h!nUHsyF>(**{ZG28nO-hYLe2 z*;=p~?LBrLgacnwU;sc&_{Xx(mHv7Dd{M+0Pl?^Eltu;RAx^?ltxQJ`Z@M765~_&p z*kW&u+dt)n-rv|LQyCrki;FZziJmbUdHEpxhJ&Bk!PM#G;9$(vQ1-qthSvWh4|0R# z)Y%99F(9CHWQ{Dttm(2_)3oY+EuUX(Rxn0B<-Vs{$mChfM$`A8Hr+J-)DTt;hwfEn zO7;aCq%WUU;P?;M>yM`8|EX*|N$|UiV}~{WoO5X84NUFi=4rZr$rVq>?ng*mZVA=f zD)pt&DR~$3=u%$aKxr^z`<>HZ{8nU;Pv*qh;W082yAjWC<4j1@g-Ian zV5T)F2AUQgE}Jl?r?ig+`r?6-bT((Fe&TzfBE)A4A7{KEn!l01!Iz#Pf3cTM^b~KC zwwCL!Fn^!sjYghWxy~Pxg&*w75aq1m6m+PZTvfMtihQg*M!IRl#F|>{q00eQ?;G+u00D`@pDJr}M z4Br%f>-7B1AI&w5qOJ+k;6+N2vrF8@r+k@8b)+tO997+=9!9>L24_Rg4aNO$&|oHe^IIZqV|O5Cfa~&j%UNPeJ}o$WR>Sc zaTz>IeiMu39vaW-J=N@vd->C(Vbe|`eot`!pQJj|NTtgi3;CxE=WivBT}y1bq!8Ro zoWO3%3M!_d*EB@&qEY3x;UO&qX>_QQ>#=f?7X8kMsh%rUc)dw`+E-`Us9p8qLQ&pR z-cPjlgR2K1a)0ns71QONns39EH-{CUZ#)r+Ego>j`Gwk2V+pCy&V%g558sS~5Cne%@Hd#Vsmcqe>73!k5n2V*GmC(#gi5K}m~K&b6Hf z9rB-GgxLRA{cQYY92&tapwN)PeA7YI_1PK(D6rUPX!OI+aTqQI2h7VGKHbpRpRE8l%BS|qATZ`Fzs6~L1)y}Yo~B=Y8X2#SJ95>xw><3xP59&&cI>Y}7=IDlwBYn=Ms=x^TJ&Y_MNA@@ zV#X~?kgWRdGu=MyyBV;|PwVjcRbiWRI|MXh4*V3vvZaFh6U z!?>wm1gT}p^EsOG);$U89ay)u*r_=pm$UPA*ZbIuk@t@bFjU!$ha!LHL|w?WC>X3| z&tvWLi+{0M6^M`jVY5!@YQOl5@xmQ09FDEn;xWY+CqDkkT9_m7$ek{+n`3i|KA{`mz2&pbSi^)GQ^ z1VrQ4qeR?FQnYP9)Y`EYWbfpX8ZId?)1)Oc950lF?j3#+Y#@5UpJ#KDvg!z9>y)79i2>#{5~by-hZ#r|N{!8f0AltfL#Wb1EKK(hx@@;;C zpL*w4nu#g!&IU=jJCm<9j`7WB69z|Fvx~o3-#%WEJ;@a|5-tA zvfJD=-T6XUWlrE$tZEXMU1g$OpgoTM#RQ?)$u5$amd@RLx#4+Y8l{`UP*n8jRz{SU>t@$E`Mt z={j;l(|ySZkj+M&(BNz>b4lJs?CuC1Li`M~#x;thoyy&OHyS;PHkDHErY~4bbpGZX z5esSK$zJ9PK@r*ej?MgI)hPTm^(p3)##+?(hl9`MQ0x|I9qB*?<{5M8LD9h{O%P;8 zbVt-|Tb>Py|HOZnV0kav><%Bz={g8bmIIQfJwKpqD>U@?`^Uj$mwho6y1}Zv#`}a} zkRzs@*3@-_d&6Tc_vSPF=I3FMnJhTIVNGE)uw#OOi_|~qUTQ`(#z(=C#iBH{l3h%( zq^KLsAC1|ZDqf!CD65B+RT2K;I}}zNwoH-N4^@%;3czbq6iz6E{$GX~Ti-7~wC(XF 
zIzKZhJ8+BF|88y_gj5eX@nHM4bT*jq?sI#gc=BT}x~@~F60{wZLH;l0tg9#KcLm3r zUzx^N+o;W2()G^Ntbca;g4B7<}4w4MPQNc20UMWSp9RremNz5J{3>7;2*?E z{nm0$5S#9pQae&U=l^E77Ay>m>54dr4{`Z@+p_}ohI^}Z9AGZV6>qrlYk4V?MvIod ze0L=F{Q7SoVYGzZev&(J{EVS)XG`Ldt&CZ*w1pPaM-WwZrnhqWHL;tw=hn$d|7psy z^8n3CrJFUTr^gl^{)pUA?3}4u2!P*LX@27xT6BMQxd=barZytotOUPl~ZOhuj~t zpPFTM;{oL;M0>9F%2qxnS_skPCvS~QJDwquk>}GT3ojCka;~`Cs0FcnwkaGmI&JY7 z{Z!kbEqn_CjT{Nf9m`7|ZowXZr7z zQ);0rC^a&7(G)UV5Si9t$2hd!aW!QK<5>W-PsXBonSCYxJvA;9=E7g4?Uw!|r70Wn!>f9A=i~ zc71PP22^fZH99tG+&z`q*GJ=@08X9ff#t0Ya@@R}Kw8!Lea)zrS0}If$nvkTtq*ii zXL7l$M1$o(%G#KP=K}q@z!1D3RA^}Bnd@{kR#th9_)M7vQ$HS=O;k^eCVyl2*0NXw z_cq_wQofn+TN<6N^fla1~7e~D8$*IM<{<*f2Z>w?aitMrj>YW@UOtqMdEbj zk=~%D97U;=IUU@$fA54^Aw~j8R;&MAvhS8UEgR8H*D|tWhdlWC0GD6x$qg~sToAb6 zW5 zNg7?iz{gz(i{VK8S}I5)Blzz`v%wef1V>X0y&*vEyh8HT>1v><0?%|KkVEqSV=*H( zSTRLKi^$$OFheL??2oDC?E`+44kf5_>}_nnyI6vvxtmw(jjY^8gQ9kav!bj(K|FUh zX}HR%Au=z@+7MquH77v5UsN;(n=B=>2KCakyXNrhT&agRKX_K=z$i#p1VaSwP`p-tpm)-`I zQ1)>j;t9K?@rGf#6s~y>{I<)qVy@}03Sup=)tSrJ;>7gm63?rvp3b{^#DF*B6lAxO zPGz^8w=FGb!u}!0J5w<6m_FadlCAEFH@oD;b>eHxdRMNbAJ3_ckYViO@_iqHx1PC+ z741b`2u@P^wLbwPWle87-ph5B<;aQvvkL!5@yX@eZaj!*jsZF=12G3`XU(mol6=0$nfy*)Xp zu+tXY4WVuzUyIhO8i_)xOr-C#S6cssX3iE@x%rM90*~Iv5lMyo>*q|LypB=OvRX|m z_C?BHY-uvH45E1nzF3s+l7~4yBerKNL(|Jxc@X~?_gh0_yD@;uqQb|SPrR$;XpjTQ zxA({=ovx%fDXTuFIuV`{$Xnl>SHQ{kI%m`Go24|o-yz2eq#Vh(68rz$Ic?mlpd0?L zUVx6n<}?)cyE2mx-tM|&9PjhE0(BF$qZ?<_j{EE#t$PI3r&O!qcKP`imVe_U%+K>< z6ZMTN^9YVjWOS5{6LcKd)0V5y#@y1jH-IJ4FNniFIN|MB8PBtbvy~i$0jIDz!HQ6tnS}CG?oy+?-EP)P|@DFLI&(x$F zfiQjLCUK%IchUd}9I3T7mzYgWgdA;@u|5fV&(}lh5u}S7@*`OPA&lbic=&&BUc1Zf zREWPB-ebbbE{?w%{}yW@GMY>u9za8YJw0A7z+8gpwAc8nAx!?%-8W^~^XuU4<6KVM zbgqH`_-WJBubD|17}VgP56g?Lf_$E5=otTtbBNjB>q|PP>q{8l?lp~prBYGMO2!xK z{hG$nGnz(2gzdx;F1(T`1;Eby05;1y_lLJ&QsUF9fT_fT37^TWU!qIv%hcV}?&rD{ z9&$cGm`nqfAxIk4dcFQ~NV6|+Ny%MC7Yof7-j1Fy@VJA!oS^tt|BdJxQQ|9TA@_>8 z8<^d8yHhR{S&yKo{X6=YEVu%b4c)%k$AOq z>T=6yVhJ@1(4W9$Y9Q8PvF!`okKYUV4b(CV*KTRU%xkUavVX5?@!g;o+wB9sROQ^0 
zG^(vOynP(w;eT>Zb>c@X=4ZYT-fb!^k6MC{Rd9Fm4%FHY5DFKVDoUVvjYf9Q=g!9y z?m#DUVZ_zbRikWjr(%kOX@9o-Id-E2zrNB8b)K7fa+qy+5?k)HI2j;yJs5cu$Wg4_ zU<*`_sT4Kj$;h=f>iAZVw68-zm69FpU2k$_D)5m)P51L}8lrox6sPP`#eR+T9^Dx} zSo24osvlykX=)ZzYlE_-g{rrgK(2M7*~;eSey)He$UvV-gk#mdKbL$BR6A`&iL8kE z<3GdQW=tGtDm-S;YjloC%EGsIsGMv~xde41U#=;G0esthTu(poK54ke%8{ zZt>a0M`^u%*}s#h&(+|v_ILB|esKrok+95XMW&E(W4a{b9hfT}F9|pOJY21)&J9ne zCZ{4(b2RzU-K45SnHWWF=2dN?ZD6QHSn_wI;$-nxs2-+c^+GHit|CpR@%#eEUE;3d zz5VTe2(F^U)us|1oL;SrT5?k*{pGUvPwx>H=D>Dtm-RTI0%3b1$}t12ayX2L%zWRs z@ZaD_-}X4Zx-P-q13W``_E0ti+^My?;HCd;qeQVLxXwji!idqL4e9vTMqNbG1 zUO0_My69!ymd0-N?Q=g!+s-xfctL`?{-hv>p)(;Gi=D5X?{UgUcbmb}I5K&;XPC;D zpxO}Y8C>F!OBe+y<%NT}?ERLiw`kgUtKB67xATw0(6daV(1k!!4;qg& zXLK6RjjpX_r+9u}rM0pLh@se~Vy}^6j>Jro6J8Kd<_ZWE`~QJSNtzuNZl= zB+1K*T>(66k?-lpO4*6WSn4XkE1|X2^Hrsnu$qTT_c>3w4}N6>D8%SC97e}$Yy+xy zSZHKu>^CfwsFT}nepmvd8-q$ym5w}1Nsdj?Gh)GP;j8MsoqNa+%&k4qu*#h8Br}l} z`1Uo^WPY#!zP)U}K72A?X%kw%6AP|PX&%tOCSQq5G4t3_GT=)Aar8=Lt*pe~1A4n) z$;@I(>=S3xXnz=5g*k4$^Lw`4qH6scw{(PTd4%UwrURff%YDSwTxQWZ9D3;a&M=lUXU_(Et98AqP1$6 zbsaIhcm!4HDQ40DhleLao^ahYTU}FZp~Na+RfqUMcm#}(s*PhXF8;FKnG?gpT-P&r zis8-*os;n$AYS~@Ec~yj4;79P%2K`_sUY)M^ZMG}P8K!#aB!d&^F^Lu^!x?Nr@S+t zZj#o&_)S02@*xBZg<~SU!;{{+@8u?B42=LJCgNm-icT$DJ_N7*3u>g8(N~I8>0+2A zy$~HC@TJ*-gb#-vaO&zCI7a2lwDC3`0N!o4vg?q2&_b%XcnlN%@$-jWTq_bn~64NUbA`V8w}&@Inxm{6;(uSudGzA8UR6yM_Z^7 zZ$hq*hbNY_0HQXNKMwB5X+5Pe#W$tmKK07&yz+?|9z#BD~FhSQ=~e0)Qt!^43_Zfr5We}{dME?5~7Or<76GeL*+kBu+lWQc*5(n z-K=lE45=e5EX2RrhpiB_qodTzWLM?#%zerhU-rSlv`IS$jwxX=T+yW>xK34XLCSsIuShB;8t-q4mB#MSZJx0 z;Fjze_>gg&{i0NcCkB!IzF<*jr?pY-Ijt*|-|whzx@tEc1IeKo9rnkk&(_o+KaJ$~ z=y_;uv$clQJj>p-uh%b?BAr-LGV^2KQ9BlAjH75_J>Rm_BZU^LSdWGwxnmBoalX-h zL+{TM>YZI-vAxr+%RAXd8}~N1@66c5=)`Fvy8ut6yoTlk$QA-@X$yI03j4)SF>;L8 zY46zM8G8|0tnTvCr+sFnp)LLTTX%4>$wjV6c)1tV-3es^C`p5c!xLW**>WOV#a5GE zTB@*PPvD^T)u3yf9%Q>*9=1yUG(cC^Fh+Dj7@5SK;@3pSlBkmz&e>AZ^6(js{{iZT zONwc|d4FEQRimRTMxe|f0NQll$VkyC@N+&J?f*W?f*QD?}P?*h2P 
z`A?0Pgd4H;!bWjwIW>R0!IzyGD<}7p3oe>;-mdMMp-L7kX7-ozfB&}4c$mEc)Xwy0 z%>U^T4${z8T-q}D?Czix7;~Sb@Mrr>)24KI>o@r2-tANUI-^BdHY3{2F*Hj0Hiw>~ zsq;D8#Q%G?Q41&ftuqO7!hjx6yOmN-#}zUq;##)9VLoB@-utMTTB!kh+*>&n5=+0cFW)I zX_S36Z5uaVj0MfCxWW;p8-HJ~-F~wOkBt_wJ_yhg|JB$u1i+B_@eD?+f5dFpb8Ad{ zXq8Qtd@bVVem-_Q{YvkGE>Aas(++Q-8p4QqOW_5wJnhO9L8`vszSmWVT)?5dJ@B@J z|3tqc>lxE(1&b@^DhusX@afey)Fc#+#Ooh_C(S>vwKlQ;yEdvd6%`JY?;YHrka?#$=S?6yxOSgEaR=8gvMbX3}BW&>L(s*bIh$Sj)?ES0B`Hh~RK^ z&F6b-egHhd0&ozzbHr8!^;$IDS?09$44V{W%|1#iW@Aa%8EX85?^O(3qZvW(@loPs zY_IXeUV|*59kE@n%s=0!;^{0|TNsn&Ff{+-NakoaUv(iDnJeZ|4&OkS>HRvok7tIv zIfj4lfKn0=SW5<1(}JeY4tUGP8Bga-1kLN$?w%Z{bMjh~@pGZ5rdInO23HPQR&`D# z)a8G-?b7)Z)B}AEl;|6C9%|ii__DK-JgAzWsO2ZRlYLfN?)AdSJmaYO+2{ZpoGRq9 zCj^l?1*6=hA|ap*zJGUk{HU}77sL@d$NJe%t&)l_xQ^p4Id#>4jCZ>3m?#dKD%O|N ziHf!@Rh(q-21`)I&P+2%csI6rB}`Vwx(S8X;mWDb(8j^OME_)kBRgN%XH!}CG~jl6 z|7AbyQhkb{r2;gW-*QG%TYX80N5If=DG_UJ2sXmUbt!aJ(}|)$aFV8}<4E7#ZDvXa}e}k9IvF@pl6RCY04;NdrQ0h z>4J@LC2{@ZwNeQnDzx3d8ZCME0R0{cFm$a|FaN&rH(fynYBQN4Z8uvG_(*V9xK;yu zTWS&rL19L5GTo|TTXAbrFv+46=CA?EXvz{S{%WAx$|_G}?gLA3^&>Utlm99OjIV{I z6py%VF^HaadM94(#U4z1NIl{x{*BI<&dJT{`CVz@b| z_U_WJeeKrk3rw5$(K#WC^nBYIsQYeSV(U&DnDPfI&^&Bjwr$(LC_}DaPP>?Rbi<`( zB;~zmtk+(;?HQ$r9%K+suy#zoi*-)@DzpDBdNdvNE>H2b72W7Eg>7%>E&Zj>0$&EV zrBYGjR2eil#u=y%>8-RO3RLUtx&8gYLE7bc9hZu6qBw`oRP|%%UTy9qJll;lU1hEo zvM~ZfC{HahgQh@Eij-RhiuzO&#eXF7WY3Ga!c<9B8V?uoLZMPe;8DWjIwza+o$l#& zU2~=E=4;b?`UmaNN3v!FEV~4~ndYlk@l?)Gln6!ovvK!nn0c8MvsVsp7!}7bDx>QV zT-H-nFo|cJKPtz1io;)Hiq6Qralv(CTH8}H!a=o9pwL+J4qR64Jk!Oh-Dfc6)!g7M zfnc0AhqNMkPo5WV8yiC?sc(h(Ia}O4h3a<#ZI+gURc~eXnOKk4Vj9;^w5{2^tCiT% zt^RQo3{mO&v9v-LMyajzk{iDCVku;cE@OqSD|8fNBdn;zSW>n65r5P4F{$CQ4XL1O z>qsoCpUFO*V8$y`WK4SO9LpZs!8YI^G)qw)fhWBT2GVGF^mHRs4kG3{74GVI?Qy56l^e+ zLdHQ@I?p>i#o)!>b~G`>q`jeX=C&5Jr#9(&Q%&X;ey2}hq`=rwadVQ(USQ~@$hXHW zJ1mZz_h7*$|LFBTi9$W(*|^(dsI93!=hu!+wV*DaRL>e`e9&pg6sNZn*?1&-&e~q8 z93WjIE?G^&k(@3{r+LorGfyv^Bjl1xWTXR^0Or2L6-uN8U&^COzbCk=d&|v+(VH{6 z|8-IhzU_PQdnUc{zGLS(pFDIZvezAXx8GdcxQLNVgUKl+CxqQkhrMa0LV|BgDHPL1 
z&@d#ie8Y{oXtGVbgGr_U@?47Teq4@1#GQZ>lKTrC5y2-)cNRc#^xo^My%yd=h&~@A zECSa^ogKw&ikC|f6?=C0LCUEUQ=;yfXSee-qjEDb97?$fVyXF`89Yl6I=7~xt-oSHG(-T1aceR z+dSJf%NW2IKxIN3!R*hFse`UZ!ZhD@xQU6}NF9;VJe{}H!PDoG;U=FoR%GSuhyX{i z`#Qze-Tn*M9ctFvEY&-|MK+pJH^{Zx_6O=St~2mH67tIzBGX?BD3ouT*|uVQ54Xc> z>l|4`7Y!zr?#Ltuez_SRbY|ys{&j}X1=sXAOr?+u&Q+TSV&vCal#k`)(k$yyRF&1e)&2w}CyyJEt zccL#w%Gj9gCtjU59zE?1HK8cX?uP1Ire)M8xyMzwL-6p-c8qvq1|~7;WxvbS(CekJ z+!t$M+I=o1>rdGrzRzTV+4{#P@5>YOqB1rg){S?-FTLrN%|18`%z^JZO;AB4kgiVtrg zax>loU-168`4lKIncd_dxat|FNXk**H(hb#Vfiogn?yu&C0?v{MD4FOdTf4^>M)TK z+PMDHcGb1mD8L7FQrie+@Nb)W4YFjYo1C*c>p4r({$z9Br(I;<)D+gyx@x=t<;@I+ zgcB91@+>g@tj>wKu1oYT94tn#PJ7y)Y|ZB_VB32RD2*7Cd?Yx!G&9CGbtrIuz0C;l z_*iP`Rit1Vl+7k-D6zO96*c7E$~#!aeNIZ?&Es}MCt2qD{*Na+lR44DQe(J$k6V{v zn^;y(ey+Oy`mpT`|0CM1%|>IWTL>`< z?f6$WFunr1`+hK_m!B%2O?#393L9$Le5DC<={uRgZq~<$i+ixw)jfnfpS<{EXAU+K zUBtJ+IKqQtwP|&T3ud*MbTz5y4kW;Y5HY83ra$m#*y-T+R%4mUuBB zQ0Ly+$cAy-Ht0|aLpciE&#nHhaQ8N9*u zT6L3-10(eBrobYN=Kf2KGs5e5gH2H69t#A$5$0aBg{-r2F)WP++KN9`t$*kiX{2ty z&x(t99R@;}c7w^B8p<`DYXT=vjY>znpBvelB~`R3)Ve;KL65|kkF#YddK*GAULYmV zs;PD}!`CP>|14|0Qh?U-w-}-SC>K(PABBeXlMaSL^IlNCnlo*HCDWJ^kd$w;Yv{Zs zB*to=GF<%(0|U27NJm^#Cs{75Mr&Y*1F_|=Rz_3rMIMeMb`6yz3G)o=M7Hz1))EKbrVh8>O}T4s`ztNAxQp|`oa?R|f3v^6*82|RB!90+QDt7g zNCj2BDY04j@{#L&x6CV|Z7eAcy=nuR{QBk9jn%p-)5wk|da-dC&4mbG+A_@(t`0-8 z6ouT^&i$!c-w<-(6}s_c$uuKMt@9>eP6mq0_~(fKmEUn`AMX$LbE*|J=}cqyQ0Nv z82$0&0OECQb9YL=J~Zw>%Dp)U)#m3C_TB~5RHw1{6gGRwuG1SpFC_KTlyP4z2V{P1 zrGPT0x$uj7nT=Laqlp_`No{4PWWlQO=H0F$*CU4LBty6Z_C6zhCC+;fIG{A@b@Sqz zidipeDDt*jcx$=pKu@t+<#9DHAl?|Fh5ZQ5jGX|^mWxry&QJGW(511lN{uvc5CP4M?ek7 z6uX4PTEfu2Y=$H=qYB#WyxZPwUAVpT-%;CsH!h(w#VAJoNfJYc^Utbc;YB-c{9E+@U+ zDj=&^4tbjVNgpyK`VIr;Np5Z~F%XqwgeEC=EcaMcpak8IujX_cSQoSBE|zl^4Q}|p zqXn{C+TeBE#;V&>H@`tu6hohFlA!^r91M<#WLE!R_U|kKP9%B|5fevf@x~m121jaq zDQVUc(qqtSB|C)J?EShvjPaq$KvTJc6C8E3C()NZ1B=k7)7m?EV%az^2csv`+D=i- zUr3sdL{beIRZB&Da(BYbT<~HUcEg1-@K%Z}7a9r2-&iCkKW>>GziW*xlt3^sb|h4) 
zI=7wsmPskGIdVVSd0}Ao9n2P68aQ?#+?&hQvAM8qf7u>PmOZ!X882O1-h0t7*hHHC zq78AUu*`Uot<(H2d=83DmiVq~{fD#dx&6{~j_&j>0l9r4tM`0M;HB**%Y;^gb;kNk zQyf_iqZOF7I!ncJIpLx#6O}bl-(L4M1Uws;{l{qrUB{TWZ|GHBw4{1%-t3M{pUX=6 zb7`6aprt-~;~<4kTqAJ2LIQHheJ&3UWaW11Z>ux+uQ*pb9O+%$JB`U+SFsb&0_hF^ zO8-IvnBw|WT|L_5{t{c5_86X=bi|)1VQz$h+dN=U^*nZF5r@Kj44jn7zB+kmA@2`- zjxOpH0%oZlSfSFJTU_O?`mgz`%lDaygQP}qAVOWot8q(JJt`f(_S&-=0@HVz$ zzP9-jDP4cJZ;SjA$J%BVsh#Aa0l|`SS@Q_btuWDJ;rqx?P7%_}80Wl#acKv;7F;?q z$hwg>$Y8M-7unhxXy~$j;&sc$B@zGsca_zYB*Q6LWfPnG_sCT2$2^;OT2D_BOG3->6`?Kg zaV5Q2dK@I|aZXxRwsIpVn5BKxE?@DpYhsnLUr%;?hK#A`J>Nvb*bP{tY@)omCGJg{ z*jxHRTXymSMca~e@~vS)KfXOg9*A!+jpB&zWANlx0`|Q zF=$h@sx7@|>npAvjv_n6hwvn_OV}Zqs6nR9q?GFKtMQbKaDO+#p)D3E7d~^K($AT` zUyaz48~f)m3xzW7H0kAZ=B4D(`;k>bMs8uAjF4M>Ysr^01fa>Io+6@l*zz{s_M?fr z>ftfZbv^3vZ-zwQpf{AhF;|enzq8$M1#ft@f*i9B5wFZCFeRGeRmyxl7FWMw5AIF> zZbFK$b`T{Hsw(iVPDH>gBfb(oz9)!nd{FKGiCb3b>3fAQNb~STkJ^4wYJuf3xuzon zV^uN*@yZV{Fqm3qgv(c1iLb5OGVARdWJbq+LN1BEH=Ea1vvyrfu0Gi7jySHtE7=>V z2$CYi&yTSyQuK-X*`2RRm{PsvV45rcNu8YxzozbNfDer ztSqZdJpIUV)i678udNVGH!+Ri3{8ICX_%AD>o6GJt6w&%i{2iECfA6!C_5|srMVv_ zQ{*|Qlv|0%9r=PuK%)am71{|Tel%9oUMPB!RT@w2==n)y%1bUh%SntA*_OaylKt(q zN)t6=gX$*nm=1}S8Fvld-qe^}!}$()lF)>v0yN|&K}CAwUftY+%2fK4LyxMW39P$X z>u9%6%wLC?q60Tc|*>tRehE&~jeUYv&QS{-`6G?fk}6 zlYm_P{bXCZQQCY7qR+DCj%siC(_+#4+h_v=+phQ#|8rr5CbU1FO^mOgdX1ERmZANe z^JbhX`|kU7PKSQ=oLRT3-}kKVCjx1l+pX#<4%pO;^4pGR{XXg!-tF*sv)}$~)q=xK z-Q+BDsi;(t8Q*KmthJ?X64&LaT3bJ2Gi6lza!UI;$8rfKMG@U1H$PzTOfnJQvL$AY z)6h^emH(5RJ^3F;*<%^0&0A(yUpDlr0+6%PFQN6l-D#D2=jn)))52}?JGa=M230c6 z#TjAk%DY*ks+%d*gImPM9eHLGucR%MP(x2hyXy0AUiEzEa6khoxL9w_y;k*wv6;Yw%pT7>V1|t(@&#_ZU11Wj#=^Kyx+aI^8$26MxnzC)dV3<@tfE z#3bUc%4y*>45#CRK*WQw(qMDLxG-piGbPXZ@fsCn__MF30H)^^qi$J|xm~q`+#ObB zw6Bv|U19sr^BYyz-Ef^cy}tOM&x^%}g$kuaM94I*ad#gv88%kH!kaID-*UB#$Q!lu z>jK=@y#s~ZrB8|1JxZbehQU`nsy5Uo(DX)*pt>hjBy&I}ye>GdN@u&C^JBvT=Aoh< z0_`RZ`>n_##{(2EEBs&9HI%M;yJ~+fJf|qM)705a@MMwcM*SW0Q==^6+MJEt^{!Y? 
zdg;uVDTcF+asfq5F{O$MxeGBlReD-L|D8VQX9Mlr-J4wlbt&VRB|s*#9VDRyTdEs$ zi!Yvs(@b2N8@%KohYY;;qY#Z44`kpG@*BSp;N z+PivhR$@|wOi(p%*IhfwQuXJ5kVuvle8`NzHh#K}nW$LLQsP1Y^1U1QK5kufSypB% zG4}ev)`6N?O(!oM6D)iFmd?_sL);K90d3M(>d3xkNzPi|{;di0aF|gq_KpN9HORe=3*ZaxlOc*wk59dhs($vLJh5z} z=VJzfX0wEn;wW3ytf{Ai0z}o=zK8{SzSz^?fDQ7dGK#|K90d&O1RG(q7)@?3_%4T#3IJE;wR>`b7GqUdv1GpDn zzJaPZoDpA_sRmk`hU1mW4vXXh~cOsm4b1D3P_rQ?U~lS zVM&s``?ZH%o^9s^Qr#-Gg#oRi;;sHsOm9*zA6v;!KaeOPGM6>{PA=dI!d+!hiDmHE zr$yo&;CeXvyvGnn-MM$Ty-zRMGFca9FCNv{y=I8`U(_H;d^VRK9HW|#WjMk>C5KV%?h$UazA-veS`#w5d1dSDBYDLFtXy1>B zxY*j>I|e6_h)<{Jm}N_`DYyw|*TwE$BLcC$tK^ngq;r7W_C5BZP~O0<;6_OBpu2=C z?fPHUxLS)-`a~Xs2+kesIn5MmU<4Yf!k9X(2pK&67x|%~;2Uq6jXDn>U(UL|)Br5* zySO3KMd~06(pt%JiRp6f=dYPykNah6MZ;MVh;5cx>&SPsb~5czEV?VzYtl1$vJ#9! zg+8D$eA-O)Djh_&K-HIHW&abtwk3p@mn*A%sAHx$M9wN9I;teJi$RkgEgHhrOV1LU zKPIHD`+NQMk@rC41KW zN-_Gu^WFe_@1b-+E}}g)5j*f*YeszAI%Z6z*@qY#wQU|jm!|~>u(O#3bUzm{NZFn> z-gZdy3YYTbWXkX5w|lNn{%py~ZhC=UB4;%EsVLbRI5W?Xab` z;YNl^d{R<*ko52W6b;;SkXh534X9(%qgMmB&=_O0`a5`bbtJAWo})!hT7Dd_mYwsK z4G-O5mjHt)d$kJZ&=qQYqqC=RuBH-CjBl}hn8t0-_TcN(8>5>|DhbL^|3t|v(c@Ej zexgbS1N`^sL^UqyyPpUsDcbjD<~x7b;-qp)><0~|ES`!gmp9;~@Vv1hY!GA&9g5~j zp9qY{82UezBuJ$*!m*hX2WJf|I`Xn*^K~46AN*z*zg~&&Nu1A&!h1~i<5xBhJKgogHsM&zR@MVwHlmS6 z%VG~kka6(tVv6<;O`X)d*f9eMGW^>07lkbQ#xAd2b;$v!%<8AyxZ+mOEn{liTp@+H zRbfK@D1nB!+Ag7>6C*>4@ftmX;u56$OF^_olfH&A##E&aiX|)OH@)pfhr8ubj9bZ{ z35=u@laiJ|#dEx>1}T)v&EuPNc=v8u44u)fSecI@BPWfNi!;~ z?;Esn8J>DgLlRfhz_Ev)mR*1e8u;!qtZ!j!9e&N45WVAUofoMKv2f1&L{b|I$CV{d z76072@e8z%9Z#J41MHA!QQHSiGS{IMRUCxCK&*L9grp>o4_$%#%ETcZSyS`~IKxpY z+W8nI)O-$}#Pk^**9=j8^i!-?OYU~MI_^^>`j=EnWy5arq}t{s3n1H>78~vez#u! z9H1XuKaOcb z0%X?B{n38jZj_IM9A{C#LJ_loX)?XOpxMB)+z*ZKwX|-os-qhAvD~ldD8`Agi0IiJ z20k`+z5(|83iO094RBid!9^GkGLskWJ0jbgbCHf#eZ+G*-Z0_{!w~^zM1FD{`0FXa zkEs-A*48x#Tur@Gr1}sxQ;3@<_%acV=ynZ(#>16b^!`&#i~{N)ioAyoy3_^C|&oVg*9>iBafs!~RW z2Zx6OslIl=pqV)j13|c_1Hb4cr5uyh9V8tYzVJ(Jtz5p+O85B&eE-W?p}Y-^mbj1_8+95i0&u>J(if? 
zN3Wwbgs*HTDsp_$O*UU=P#>>7D;#E%09o)gy*-uhY3%109Iv+@G_n@Hc{;V~E9354H>-3^~Uia^pjv#j_dYe4aX@c=16PX zyA!hV4QiB?!H&_>8NWttuG7LaG42k}m|wj+z_4}8_GD@c=aX|b&hc{SPJL#>_ZVSw zwTKFH9sKPbBl>Cd#?){zhGKTTSuh1lkM-tQt4>)e*lUgMN8*E^c?V{_C$+QzA7-ML z1nIJIc;^BR*7jTN`)TB?WM^gMR(6PuZWZ9Eo+o4wFFz#)pHRW0crBJQhVN{c|K9|w zOQH=~gXps`C7rcCOO;B(9DSQ+e^X>%T1`XA`wm{B5u-xc@mOIm<{jl;s5y z;nR;v<{y1>!fIFy&~XbwdW<#E+n-aG4~+VVD%6u*1{WE&{Qe|*^)gQ7C7@y@{Y);G z+t+NUNkFh=_~7R*?Fe9S&<)6&&(TzsefE{2`KOj5syq+bfGm)6eJFCFjI4c&6?1^` zCn?46B!rmsKi5`z zKl^fMH^mmo%#rJtefZ+!)3Ik^MX)R&AlGpk0;o=rc z==rrXPgkZkUxtQ>m1I8F$bduf9I$`Uhjw0h;$Y=ZWc1A`86f7V+M9?z$!uOFlY*== zl?ji6BPUpYa&8kw& zE|u#!>8merkgEhANE#K-fN+5H(Jf;OmYk`dZ<0`Oibs5l`~V@4am37k zw^viP>}Fyo8*A-t;9Y9HyoTbK9^b>U;n2KE5AVuao zlSQXJ8engHN9e|g{l2B;Gx{Mj%c?DRrW)DrdiQ~iGlu3PvSL3m&nE`1%GBfj>J$YX z7FP%1HmL@;`wg1k)7jMbh?PZIQ*KA!Op&i?P(Lem?(QH#SA#?0ZU-px;LhA`IN71a8>dOW988x=2tT71)2%-%f+g+V< zD5%q8U!5Bv>Lv1e!%D@7*D6ibQC=Mg`GD%N=;$~~N=hQuW#297HUNE8-!)$hOas^Q@FrvIBr{A5%4ES^p@DGJZ7`&6wh6vK@|$!ouXScTB)xRZm?i2`mWW_v4h2lOt8oe^l2;``@3rW zyxTr6y9J5!DzDJ$eRhOodDL$WB}W zzP#Pz66=N3h1AQpxLOMJiUi&xk%Xkoj;qS*)Y46uv1!-bv9`HIcpm$bg59$0R5Q!z z-g5k4653ex5U4y0BE@frqM~);Pw|0z-J4IqeG;lhg;~u%_JGy6;`2*YAn=KoC}8t6 zhwhN|OwuV`L@;+K17TisO>3GAT_nJpMva2Og9#914m|#x5=r2^7%v))T={je(;eq| zCu3#!Cq0F>k~d#>qqp(M;y!Ph4tkBdH8+moul*4Q8r;~5_a_^*%roSJ*?jrix7zvantYAhM1=AO;T+x}9q9__*|~`PlX!eSPh_gm z>!bY?GAO^+d-4VQae(#eZB-Phqk_4Ci)7+-yj)cWm8mqLqMs_%xOCi?JY#9REC-{p z#4$r$r}hs=kVR;}UF>h3zsNHYZM4#FHUm-dT3#X`HSH&>{P|FJU@-9I)_Y0Zcq-t~7>-dxZ|Y|B$vep0L0l7@4lzG+>Dz(7RFV?`?*RgDG{Pvb zK~Drl40?`cIs06F+s*#uOseXG0#n(~AL%_Am<66$f5TCaV6Fd`w55`E62}1WsLC(l z2PHUZ5Bor}U%l}&mhI?}e-fA1xrHW~qy?YysQai;$XM8i>CQ%OCU3K*jLmN}X@8Ck zJVt6w8ilVB$X6Uhby7>L0EcvCTxsK=^j}Xblif9lGbJZJbI{dv+$}%?OXwu--I-XA zK!Rat1r&UnQ*-qld%mQ!6jJ?IZ!eM97*C`h`w@{s<9H{IFcN_tS`Zdn>CTc2Bo*4< z0ohcDSZYTh4H0^&m0MtU{A8~2z1ABL@klQCEk+LvsYLzoTY!?r=xwK?Z_ys7sU%bRfIpiDJK-Dofs zc_1WN1cB^J^}~CIk}JQXe1%!_MTPM#=b90gtDf@WnIwSa5Tj0vC1c4jhCmoAL65nZh{9OyWtsus6&>hLZ5%V%1CzgDLT7X_T 
zcswTSgj#O9&;T+qBSMiGl3F$5g<-$IOos_kHoxc?6dr@kO41?bX0Ggr=)Rkerj*r} zT6yJS-!h#$^9zac`&Ra#TZinPpbr@6>pO#>P1V9up1KtcZw_y&&bXg8SpVJ)S5*Ixb7kom)Bb%(_V=4a^?%(4 z<@Z#iO5wlxcWsA0dcA+M^UVBK2`vAj=HC*M^T4b0uM4qa{{MK~6U~8=E^hdd>Td-2 OrlO!JUny%5`o93|pw3PJ literal 0 HcmV?d00001 diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..15317de09 --- /dev/null +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/inject_into_nginx_proxy.yml 
@@ -0,0 +1,31 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append prometheus-nginxlog-exporter's configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role is already executed. + To fix this, please change the order of roles in your playbook to make sure that + the matrix-nginx-proxy role is run after the prometheus-nginxlog-exporter role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- name: Generate prometheus-nginxlog-exporter's metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/nginxlog) + ansible.builtin.set_fact: + matrix_prometheus_nginxlog_exporter_matrix_nginx_proxy_metrics_configuration_matrix_domain: | + location /metrics/nginxlog { + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_prometheus_nginxlog_exporter_container_hostname }}:{{ matrix_prometheus_nginxlog_exporter_container_metrics_port }}"; + proxy_pass http://$backend/metrics; + } + when: matrix_prometheus_nginxlog_exporter_metrics_proxying_enabled | bool and matrix_nginx_proxy_enabled | bool + +- name: Register prometheus-nginxlog-exporter metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/nginxlog) + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) + + + [matrix_prometheus_nginxlog_exporter_matrix_nginx_proxy_metrics_configuration_matrix_domain] + }} + when: matrix_prometheus_nginxlog_exporter_metrics_proxying_enabled | bool diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/main.yml b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/main.yml new file mode 100644 index 000000000..b205dec36 --- /dev/null 
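Review bot: The `location /metrics/nginxlog` block registered here carries no access control of its own (no `auth_basic`, no `allow`/`deny`), and whether the matrix-nginx-proxy `/metrics` handling it is appended to enforces authentication is not visible in this hunk. That matters more than for a typical exporter because the series this exporter produces are labelled by client `remote_addr` and `request_uri` (the dashboard panels in this same commit group by both), so an unauthenticated path on matrix.DOMAIN would publish every client's IP address and request path. Please confirm the parent location applies its basic auth to injected blocks and record that assumption where the block is defined, e.g. `{# Relies on matrix-nginx-proxy's /metrics access control: the exporter labels series per client remote_addr and request_uri #}` after the `resolver` comment; if it does not, the location needs its own `auth_basic` directives. High-cardinality labels like these are also worth a note for operators, since they inflate Prometheus memory per distinct client and URI.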
+++ b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/main.yml @@ -0,0 +1,29 @@ +--- + +- block: + - when: matrix_prometheus_nginxlog_exporter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" + tags: + - setup-all + - setup-prometheus-nginxlog-exporter + - install-all + - install-prometheus-nginxlog-exporter + +- block: + - when: matrix_prometheus_nginxlog_exporter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_prometheus_nginxlog_exporter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-prometheus-nginxlog-exporter + - install-all + - install-prometheus-nginxlog-exporter + +- block: + - when: not matrix_prometheus_nginxlog_exporter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + tags: + - setup-all + - setup-prometheus-nginxlog-exporter diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_install.yml b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_install.yml new file mode 100644 index 000000000..9b2ac3e60 --- /dev/null +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_install.yml 
@@ -0,0 +1,47 @@ +--- + +- name: Ensure matrix-prometheus-nginxlog-exporter image is pulled + community.docker.docker_image: + name: "{{ matrix_prometheus_nginxlog_exporter_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_prometheus_nginxlog_exporter_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_prometheus_nginxlog_exporter_docker_image_force_pull }}" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- name: Ensure prometheus-nginxlog-exporter paths exists + ansible.builtin.file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_prometheus_nginxlog_exporter_base_path }}" + - "{{ matrix_prometheus_nginxlog_exporter_config_path }}" + +- name: Ensure prometheus-nginxlog-exporter.yaml present + ansible.builtin.template: + src: "{{ role_path }}/templates/prometheus-nginxlog-exporter.yaml.j2" + dest: "{{ matrix_prometheus_nginxlog_exporter_config_path }}/prometheus-nginxlog-exporter.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure grafana dashboard is installed + ansible.builtin.template: + src: "{{ role_path }}/templates/nginx-proxy.json" + dest: "{{ matrix_grafana_config_path }}/dashboards/" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: matrix_grafana_enabled + +- name: Ensure matrix-prometheus-nginxlog-exporter.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-prometheus-nginxlog-exporter.service.j2" + dest: "{{ 
devture_systemd_docker_base_systemd_path }}/matrix-prometheus-nginxlog-exporter.service" + mode: 0644 + register: matrix_prometheus_nginxlog_exporter_systemd_service_result diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_uninstall.yml b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_uninstall.yml new file mode 100644 index 000000000..c0d0a8338 --- /dev/null +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_uninstall.yml 
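Review bot: The "Ensure grafana dashboard is installed" task renders a static Grafana JSON export with `ansible.builtin.template`, so any `{{ ... }}` in the dashboard would be evaluated by Jinja at deploy time; Grafana's own legend-format placeholders use exactly that syntax, and a future edit of the dashboard would then fail the play or silently corrupt the file. The panels visible in this commit use `__auto`, so nothing breaks today, but the file is not meant to be templated and should be copied verbatim: change `ansible.builtin.template:` to `ansible.builtin.copy:` for that task (the `src`/`dest`/`mode`/`owner`/`group` keys carry over unchanged). The `when: matrix_grafana_enabled` guard should also be written `when: matrix_grafana_enabled | bool` to match the rest of the role.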
@@ -0,0 +1,39 @@ +--- + +- name: Check existence of matrix-prometheus-nginxlog-exporter service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-nginxlog-exporter.service" + register: matrix_prometheus_nginxlog_exporter_service_stat + +- when: matrix_prometheus_nginxlog_exporter_service_stat.stat.exists | bool + block: + - name: Fail when not cleaning up nginx and prometheus configs + ansible.builtin.fail: + msg: > + This role has added to configs in 'matrix-nginx-proxy', 'matrix-synapse-reverse-proxy-companion' and 'matrix-prometheus'. + Running 'setup-synapse-reverse-proxy-companion' WILL NOT remove those settings from those roles. + Run the playbook again with the `setup-all` tag or all three 'setup-nginx-proxy,setup-synapse-reverse-proxy-companion,setup-prometheus' tags while + 'matrix_prometheus_enabled: false' to rebuild their configs. + when: not ('setup-all' in ansible_run_tags or ('setup-nginx-proxy' in ansible_run_tags and 'setup-synapse-reverse-proxy-companion' in ansible_run_tags and 'setup-prometheus' in ansible_run_tags)) + + - name: Ensure matrix-prometheus-nginxlog-exporter is stopped + ansible.builtin.service: + name: matrix-prometheus-nginxlog-exporter + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure matrix-prometheus-nginxlog-exporter.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-nginxlog-exporter.service" + state: absent + + - name: Ensure matrix-prometheus-nginxlog-exporter paths don't exist + ansible.builtin.file: + path: "{{ matrix_prometheus_nginxlog_exporter_base_path }}" + state: absent + + - name: Ensure matrix-prometheus-nginxlog-exporter grafana dashboard doesn't exist + ansible.builtin.file: + path: "{{ matrix_grafana_config_path }}/dashboards/nginx-proxy.json" + state: absent 
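Review bot: The failure message in "Fail when not cleaning up nginx and prometheus configs" appears copy-pasted from another role and gives the operator wrong instructions: it refers to running `setup-synapse-reverse-proxy-companion` and to setting `matrix_prometheus_enabled: false`, whereas this role is toggled by `matrix_prometheus_nginxlog_exporter_enabled` (the variable main.yml gates on) and following the advice as written would disable the whole Prometheus stack. Suggested wording for those two lines: `Running 'setup-prometheus-nginxlog-exporter' WILL NOT remove those settings from those roles.` and `'matrix_prometheus_nginxlog_exporter_enabled: false' to rebuild their configs.` The message also states that configuration was added to matrix-synapse-reverse-proxy-companion and matrix-prometheus, but the only injection visible in this commit targets matrix-nginx-proxy, so the list of affected roles should be checked against what the role actually does before it ships.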
diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/validate_config.yml b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/validate_config.yml new file mode 100644 index 000000000..a8eccaeed --- /dev/null +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/validate_config.yml @@ -0,0 +1,32 @@ +--- + +- name: Fail if Prometheus not enabled + ansible.builtin.fail: + msg: > + You need to set `matrix_prometheus_enabled: true` or configure an external Prometheus database + as this roles requires Prometheus for data storage. + when: not matrix_prometheus_enabled and not matrix_prometheus_nginxlog_exporter_metrics_proxying_enabled + +- name: Fail if docker image not availble for arch + ansible.builtin.fail: + msg: > + 'prometheus-nginxlog-exporter' docker image is not available for your arch '{{ matrix_architecture }}'. + + We currently do not support building an image using this playbook. + + You can use a custom-build image by setting + 'matrix_prometheus_nginxlog_exporter_docker_image_arch_check_enabled: false' + 'matrix_prometheus_nginxlog_exporter_docker_image: path/to/docker/image:tag' + + or disable 'prometheus-nginxlog-exporter' by setting + 'matrix_prometheus_nginxlog_exporter: false' + + in vars.yml + when: matrix_prometheus_nginxlog_exporter_docker_image_arch_check_enabled and matrix_architecture not in matrix_prometheus_nginxlog_exporter_docker_image_arch + + +- name: Fail if nginx-proxy is not set to proxy metrics while prometheus-nginxlog-exporter is + ansible.builtin.fail: + msg: > + 'matrix_prometheus_nginxlog_exporter_metrics_proxying_enabled' is set but 'matrix_nginx_proxy_proxy_matrix_metrics_enabled' is not + when: matrix_prometheus_nginxlog_exporter_metrics_proxying_enabled | bool and not matrix_nginx_proxy_proxy_matrix_metrics_enabled | bool 
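Review bot: The arch-check failure message tells the operator to disable the component with `'matrix_prometheus_nginxlog_exporter: false'`, but the variable the role is gated on (see main.yml in this commit) is `matrix_prometheus_nginxlog_exporter_enabled`; setting the name as written has no effect and the play keeps failing. Replace that line with `'matrix_prometheus_nginxlog_exporter_enabled: false'`. The first check's condition treats `matrix_prometheus_nginxlog_exporter_metrics_proxying_enabled` as the stand-in for "an external Prometheus will scrape this", which the message only hints at; saying so explicitly (e.g. appending `(enable metrics proxying if an external Prometheus scrapes the /metrics/nginxlog endpoint)`) would make the intended configuration clear. Minor typos in the same hunk: `availble` → `available`, `this roles requires` → `this role requires`.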
diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/templates/nginx-proxy.json b/roles/custom/matrix-prometheus-nginxlog-exporter/templates/nginx-proxy.json new file mode 100644 index 000000000..415334885 --- /dev/null +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/templates/nginx-proxy.json 
@@ -0,0 +1,1705 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__elements": {}, + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "9.3.1" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "timeseries", + "name": "Time series", + "version": "" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "grafana", + "uid": "-- Grafana --" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "description": "", + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "id": null, + "links": [], + "liveNow": false, + "panels": [ + { + "collapsed": true, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 23, + "panels": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + 
"color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 17 + }, + "id": 20, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(remote_addr) (rate(http_response_count_total{status=~\"1.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "1xx by remote addr [$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 17 + }, + "id": 21, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": 
"${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_uri) (rate(http_response_count_total{status=~\"1.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "1xx by uri [$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 25 + }, + "id": 18, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(remote_addr) (rate(http_response_count_total{status=~\"2.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "2xx by remote addr [$request_host]", + "type": "timeseries" + 
}, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 25 + }, + "id": 19, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_uri) (rate(http_response_count_total{status=~\"2.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "2xx by uri [$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + 
"fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 33 + }, + "id": 16, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(remote_addr) (rate(http_response_count_total{status=~\"3.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "3xx by remote addr [$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + 
"thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 33 + }, + "id": 17, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_uri) (rate(http_response_count_total{status=~\"3.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "3xx by uri [$request_host]", + "type": "timeseries" + } + ], + "title": "1xx - 3xx - 2xx Status Code .....................................................", + "type": "row" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 1 + }, + "id": 2, + "panels": [], + "title": "4xx Status Code ......................................................................", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + 
"mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 2 + }, + "id": 9, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(remote_addr) (rate(http_response_count_total{status=~\"404\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "404 by remote addr [$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 2 + }, + "id": 6, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": 
"single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_uri) (rate(http_response_count_total{status=~\"404\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "404 by uri [$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 10 + }, + "id": 14, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(remote_addr) (rate(http_response_count_total{status=~\"4.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": 
true, + "refId": "B" + } + ], + "title": "4xx by remote addr [$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 10 + }, + "id": 15, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_uri) (rate(http_response_count_total{status=~\"4.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "4xx by uri [$request_host]", + "type": "timeseries" + }, + { + "collapsed": true, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 18 + }, + "id": 8, + "panels": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + 
"defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 11 + }, + "id": 10, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(remote_addr, status) (rate(http_response_count_total{status=~\"504|502\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "502-504 by remote addr [$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 
1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 11 + }, + "id": 11, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_host, status) (rate(http_response_count_total{status=~\"504|502\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "502-504 by host [$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null 
+ }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 19 + }, + "id": 12, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(remote_addr) (rate(http_response_count_total{status=~\"5.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "5xx by remote addr [$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 19 + }, + "id": 13, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": 
"${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_host) (rate(http_response_count_total{status=~\"5.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "5xx by uri [$request_host]", + "type": "timeseries" + } + ], + "title": "5xx Status Code ......................................................................", + "type": "row" + }, + { + "collapsed": true, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 19 + }, + "id": 27, + "panels": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 4 + }, + "id": 24, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(remote_addr) 
(rate(http_response_count_total{status=~\"[6-9]{1}.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "6xx > by remote addr [$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 4 + }, + "id": 25, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_uri) (rate(http_response_count_total{status=~\"[6-9]{1}.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "6xx > by uri [$request_host]", + "type": "timeseries" + } + ], + "title": "6xx > Status Code 
...................................................................", + "type": "row" + } + ], + "refresh": "30s", + "schemaVersion": 37, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "current": { + "selected": true, + "text": "Prometheus", + "value": "Prometheus" + }, + "hide": 0, + "includeAll": false, + "multi": false, + "name": "DS_PROMETHEUS", + "options": [], + "query": "prometheus", + "queryValue": "", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": {}, + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "definition": "label_values(http_response_count_total, request_host)", + "hide": 0, + "includeAll": true, + "multi": true, + "name": "request_host", + "options": [], + "query": { + "query": "label_values(http_response_count_total, request_host)", + "refId": "StandardVariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 1, + "type": "query" + } + ] + }, + "time": { + "from": "now-1h", + "to": "now" + }, + "timepicker": {}, + "timezone": "", + "title": "NGINX PROXY", + "uid": "x2_jWNF4k", + "version": 11, + "weekStart": "" +} \ No newline at end of file diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/templates/prometheus-nginxlog-exporter.yaml.j2 b/roles/custom/matrix-prometheus-nginxlog-exporter/templates/prometheus-nginxlog-exporter.yaml.j2 new file mode 100644 index 000000000..1e2492cde --- /dev/null +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/templates/prometheus-nginxlog-exporter.yaml.j2 
@@ -0,0 +1,37 @@ +listen: + port: {{ matrix_prometheus_nginxlog_exporter_container_metrics_port }} + address: "0.0.0.0" + metrics_endpoint: "/metrics" + +namespaces: + - name: matrix + metrics_override: + preffix: "myprefix" + namespace_label: "namespace" + format: "$log_source $server_name - $upstream_addr - $remote_addr - $remote_user [$time_local] $host \"$request\" $status \"$http_referer\" \"$http_user_agent\" \"$http_x_forwarded_for\"" + # enable to print to console + # print_log: true + source: + syslog: + listen_address: "udp://0.0.0.0:{{ matrix_prometheus_nginxlog_exporter_container_syslog_port }}" + # format options: "rfc3164" ,"rfc5424", "rfc6587", "auto" + format: auto + tags: ["matrix_nginx_proxy", "matrix_nginx_proxy_companion"] + relabel_configs: + - target_label: request_uri + from: request + split: 2 + separator: ' ' + matches: + - regexp: "^([^\\?]+)(.*)" + replacement: "$1" + - target_label: remote_addr + from: remote_addr + - target_label: server_name + from: server_name + - target_label: http_x_forwarded_for + from: http_x_forwarded_for + - target_label: request_host + from: host + - target_label: log_source + from: log_source \ No newline at end of file diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/templates/systemd/matrix-prometheus-nginxlog-exporter.service.j2 b/roles/custom/matrix-prometheus-nginxlog-exporter/templates/systemd/matrix-prometheus-nginxlog-exporter.service.j2 new file mode 100644 index 000000000..e799380e3 --- /dev/null +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/templates/systemd/matrix-prometheus-nginxlog-exporter.service.j2 
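Review bot: The `relabel_configs` entry `- target_label: http_x_forwarded_for` / `from: http_x_forwarded_for` turns an arbitrary, client-supplied request header into a Prometheus series label, so any anonymous client can mint an unbounded number of new series just by varying `X-Forwarded-For` on each request — a cheap memory/DoS vector against Prometheus. None of the dashboard panels visible above query that label (they group by `remote_addr`, `request_uri`, `request_host` and `status`), so I would drop that pair and add `# NOTE: labels derived from request data are attacker-influenced; keep this list minimal` above `relabel_configs`, accepting that `request_uri` and `remote_addr` will still grow under 404 scanning. Separately, `preffix: "myprefix"` under `metrics_override` looks like a misspelling of the exporter's `prefix` key; since the dashboard queries the unprefixed `http_response_count_total`, it is presumably a no-op today and should be removed or corrected deliberately rather than left as a latent rename. The syslog source on `udp://0.0.0.0` is unauthenticated, which is fine inside the container network but matters as soon as the port is published on the host (see the systemd unit).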
@@ -0,0 +1,46 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description={{ matrix_prometheus_nginxlog_exporter_container_hostname }} +{% for service in matrix_prometheus_nginxlog_exporter_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_prometheus_nginxlog_exporter_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_prometheus_nginxlog_exporter_container_hostname }} 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_prometheus_nginxlog_exporter_container_hostname }} 2>/dev/null || true' + + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {{ matrix_prometheus_nginxlog_exporter_container_hostname }} \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_docker_network }} \ + {% if matrix_prometheus_nginxlog_exporter_container_http_host_bind_port %} + -p {{ matrix_prometheus_nginxlog_exporter_container_http_host_bind_port }}:{{ matrix_prometheus_nginxlog_exporter_container_metrics_port }} \ + {% endif %} + {% if matrix_prometheus_nginxlog_exporter_container_syslog_host_bind_port %} + -p {{ matrix_prometheus_nginxlog_exporter_container_syslog_host_bind_port }}:{{ matrix_prometheus_nginxlog_exporter_container_syslog_port }}/udp \ + {% endif %} + -v {{ matrix_prometheus_nginxlog_exporter_config_path }}:/etc/prometheus-nginxlog-exporter:z \ + {% for arg in matrix_prometheus_nginxlog_exporter_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_prometheus_nginxlog_exporter_docker_image }} \ + 
-config-file /etc/prometheus-nginxlog-exporter/prometheus-nginxlog-exporter.yaml + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_prometheus_nginxlog_exporter_container_hostname }} 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_prometheus_nginxlog_exporter_container_hostname }} 2>/dev/null || true' +Restart=always +RestartSec=30 +SyslogIdentifier={{ matrix_prometheus_nginxlog_exporter_container_hostname }} + +[Install] +WantedBy=multi-user.target diff --git a/roles/custom/matrix-prometheus/templates/prometheus.yml.j2 b/roles/custom/matrix-prometheus/templates/prometheus.yml.j2 index 83ae8a9a1..6ed7cd922 100644 --- a/roles/custom/matrix-prometheus/templates/prometheus.yml.j2 +++ b/roles/custom/matrix-prometheus/templates/prometheus.yml.j2 @@ -64,3 +64,10 @@ scrape_configs: static_configs: - targets: {{ matrix_prometheus_scraper_hookshot_targets|to_json }} {% endif %} + + {% if matrix_prometheus_scraper_nginxlog_enabled %} + - job_name: nginxlog + static_configs: + - targets: + - {{ matrix_prometheus_scraper_nginxlog_server_port}} + {% endif %} diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/nginx.conf.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/nginx.conf.j2 index a54701b82..309bb5301 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/nginx.conf.j2 +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/nginx.conf.j2 
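Review bot: The two optional `-p {{ ..._host_bind_port }}:PORT` publishes in `ExecStart` bind every host interface unless the variable value itself carries an address, and the UDP one exposes an unauthenticated syslog receiver, so anyone who can reach the host can inject forged access-log lines and poison the metrics and dashboards (and inflate label cardinality). Since Prometheus and the nginx containers presumably reach the exporter over the shared `--network={{ matrix_docker_network }}`, the safe default is to leave both variables empty and, when a host port is wanted, to use a loopback form such as `127.0.0.1:9999`. I would add `{# Publishing a host port binds all interfaces unless the value carries an IP (e.g. 127.0.0.1:PORT); the syslog receiver accepts unauthenticated UDP #}` above the first `{% if ... host_bind_port %}` and mirror that guidance in the role's defaults. The hardening that is present (`--user`, `--cap-drop=ALL`, `--read-only`) is good.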
@@ -39,7 +39,18 @@ http { {% if matrix_synapse_reverse_proxy_companion_access_log_enabled %} access_log /var/log/nginx/access.log main; - {% else %} + {% endif %} + + {% if matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_enabled %} + log_format prometheus_fmt 'matrix-synapse-reverse-proxy-companion $server_name - $upstream_addr - $remote_addr - $remote_user [$time_local] ' + '$host "$request" ' + '$status "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log syslog:server={{ matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_server_port }},tag=matrix_nginx_proxy_companion prometheus_fmt; + {% endif %} + + {% if not matrix_synapse_reverse_proxy_companion_access_log_enabled and not matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_enabled %} access_log off; {% endif %} From fd7914020142be5c8da1fd780079b423efbb0fb2 Mon Sep 17 00:00:00 2001 From: Rhys <66695742+RhysRdm@users.noreply.github.com> Date: Wed, 7 Dec 2022 15:54:58 +0000 Subject: [PATCH 152/915] Changes to allow a user to set the max participants on a jitsi conference (#2323) * Changes to allow a user to set the max participants on a jitsi conference * changed var name from jitsi_max_participants to matrix_prosody_jitsi_max_participants --- docs/configuring-playbook-jitsi.md | 10 ++++++++++ roles/custom/matrix-jitsi/defaults/main.yml | 5 +++++ roles/custom/matrix-jitsi/templates/prosody/env.j2 | 3 +++ 3 files changed, 18 insertions(+) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 4c29b3eb8..a9d3c2de4 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md 
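Review bot: The new `prometheus_fmt` log format emits `$remote_addr` as the address field that the exporter labels as `remote_addr`, but if the companion is reached through another reverse proxy (as it appears to be in this playbook's default layout, given the `$upstream_addr`/`$http_x_forwarded_for` fields), `$remote_addr` will be the proxy's container address, so the "by remote addr" panels will attribute every request for this host to one IP rather than to clients. The true client address then only exists in `$http_x_forwarded_for`, which is client-spoofable unless the fronting proxy overwrites rather than appends it — worth stating next to the format, e.g. `# $remote_addr is the upstream proxy when fronted; client IP is in $http_x_forwarded_for and is only trustworthy if the front proxy sets it`. The reworked `access_log off;` condition (only when both file and syslog logging are disabled) reads correctly. The enclosing `http {}` block begins and ends outside the hunk.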
@@ -127,6 +127,16 @@ Read how it works [here](https://github.com/jitsi/jitsi-videobridge/blob/master/ You may want to **limit the maximum video resolution**, to save up resources on both server and clients. +## (Optional) Specify a Max number of participants on a Jitsi conference + +The playbook allows a user to set a max number of participants allowed to join a Jitsi conference. By default there is no limit. + +In order to set the max number of participants add the following variable to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: + +``` +matrix_prosody_jitsi_max_participants: +``` + ## (Optional) Additional JVBs By default, a single JVB ([Jitsi VideoBridge](https://github.com/jitsi/jitsi-videobridge)) is deployed on the same host as the Matrix server. To allow more video-conferences to happen at the same time, you may need to provision additional JVB services on other hosts. diff --git a/roles/custom/matrix-jitsi/defaults/main.yml b/roles/custom/matrix-jitsi/defaults/main.yml index c2d5948da..e923055cb 100644 --- a/roles/custom/matrix-jitsi/defaults/main.yml +++ b/roles/custom/matrix-jitsi/defaults/main.yml @@ -277,3 +277,8 @@ matrix_jitsi_jvb_container_rtp_tcp_host_bind_port: "{{ matrix_jitsi_jvb_rtp_tcp_ # # Takes an ":" or "" value (e.g. "127.0.0.1:12090"), or empty string to not expose. matrix_jitsi_jvb_container_colibri_ws_host_bind_port: '' + +# Default max participants to the empty string +# +# The setting requires an integer to be set for usage and allows a user to specify the max number of particpants on a conference. +matrix_prosody_jitsi_max_participants: '' diff --git a/roles/custom/matrix-jitsi/templates/prosody/env.j2 b/roles/custom/matrix-jitsi/templates/prosody/env.j2 index 941f2c253..147c01d79 100644 --- a/roles/custom/matrix-jitsi/templates/prosody/env.j2 +++ b/roles/custom/matrix-jitsi/templates/prosody/env.j2 
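Review bot: The new variable `matrix_prosody_jitsi_max_participants` breaks the role's `matrix_jitsi_*` naming convention (compare `matrix_jitsi_jvb_container_colibri_ws_host_bind_port` just above it), and its comment misspells "participants" and under-specifies the contract that the template enforces. Because the prosody env template only emits the setting when the value `is number`, the comment should state that explicitly: `# Maximum number of participants allowed in a single Jitsi conference (Prosody MAX_PARTICIPANTS).` and `# Must be an unquoted integer (e.g. 50); an empty string or a quoted/string value leaves the conference size unlimited.` A `matrix_jitsi_prosody_max_participants` name (keeping the current one as a deprecated alias, if it was already published) would be more consistent.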
@@ -58,3 +58,6 @@ XMPP_MUC_MODULES= XMPP_INTERNAL_MUC_MODULES= XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} XMPP_CROSS_DOMAIN=true +{% if matrix_prosody_jitsi_max_participants is number %} +MAX_PARTICIPANTS={{ matrix_prosody_jitsi_max_participants }} +{% endif %} \ No newline at end of file From 6a5a09ba9bd35f8baa95d26651d0f6180934ed7c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 7 Dec 2022 20:36:22 +0200 Subject: [PATCH 153/915] Remove matrix-change-user-admin-status mentions and provide an alternative --- docs/registering-users.md | 27 +++++++++++++++++++-------- docs/updating-users-passwords.md | 2 +- 2 files changed, 20 insertions(+), 9 deletions(-) diff --git a/docs/registering-users.md b/docs/registering-users.md index 83f31a22e..321346b65 100644 --- a/docs/registering-users.md +++ b/docs/registering-users.md @@ -9,7 +9,7 @@ Table of contents: - [Managing users via a Web UI](#managing-users-via-a-web-ui) - [Letting certain users register on your private server](#letting-certain-users-register-on-your-private-server) - [Enabling public user registration](#enabling-public-user-registration) - - [Adding/Removing Administrator privileges to an existing user](#addingremoving-administrator-privileges-to-an-existing-user) + - [Adding/Removing Administrator privileges to an existing Synapse user](#addingremoving-administrator-privileges-to-an-existing-synapse-user) ## Registering users manually 
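Review bot: The guard `{% if matrix_prosody_jitsi_max_participants is number %}` silently fails open: a value supplied as a string (`"50"` in YAML, or anything passed via `-e`, which Ansible delivers as a string) yields no `MAX_PARTICIPANTS` line and therefore no participant cap, with no error to tell the operator that their resource limit is not in effect. I would accept numeric strings and reject everything else visibly, e.g. `{% if (matrix_prosody_jitsi_max_participants | string) is match('^[1-9][0-9]*$') %}` followed by `MAX_PARTICIPANTS={{ matrix_prosody_jitsi_max_participants | int }}`, or alternatively keep the template as is and add an `ansible.builtin.assert` in the role's validation tasks that fails when the variable is non-empty but not a positive integer. The file also loses its trailing newline in this hunk.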
@@ -58,13 +58,24 @@ and running the [installation](installing.md) procedure once again. If you're opening up registrations publicly like this, you might also wish to [configure CAPTCHA protection](configuring-captcha.md). -## Adding/Removing Administrator privileges to an existing user +## Adding/Removing Administrator privileges to an existing Synapse user -The script `/usr/local/bin/matrix-change-user-admin-status` may be used to change a user's admin privileges. +To change the admin privileges for a user, you need to run an SQL query like this against the `synapse` database: -* log on to your server with ssh -* execute with the username and 0/1 (0 = non-admin | 1 = admin) - -``` -/usr/local/bin/matrix-change-user-admin-status <0/1> +```sql +UPDATE users SET admin=ADMIN_VALUE WHERE name = '@USER:DOMAIN' ``` + +where: + +- `ADMIN_VALUE` being either `0` (regular user) or `1` (admin) +- `USER` and `DOMAIN` pointing to a valid user on your server + +If you're using the integrated Postgres server and not an [external Postgres server](configuring-playbook-external-postgres.md), you can launch a Postgres into the `synapse` database by: + +- running `/matrix/postgres/bin/cli` - to launch [`psql`](https://www.postgresql.org/docs/current/app-psql.html) +- running `\c synapse` - to change to the `synapse` database + +You can then proceed to run the query above. + +**Note**: directly modifying the raw data of Synapse (or any other software) could cause the software to break. You've been warned! diff --git a/docs/updating-users-passwords.md b/docs/updating-users-passwords.md index 30aa8c99a..98663c601 100644 --- a/docs/updating-users-passwords.md +++ b/docs/updating-users-passwords.md 
@@ -36,7 +36,7 @@ Use the Synapse User Admin API as described here: https://github.com/matrix-org/ This requires an [access token](obtaining-access-tokens.md) from a server admin account. *This method will also log the user out of all of their clients while the other options do not.* -If you didn't make your account a server admin when you created it, you can use the `/usr/local/bin/matrix-change-user-admin-status` script as described in [registering-users.md](registering-users.md). +If you didn't make your account a server admin when you created it, you can learn how to switch it now by reading about it in [Adding/Removing Administrator privileges to an existing Synapse user](registering-users.md#addingremoving-administrator-privileges-to-an-existing-synapse-user). ### Example: To set @user:domain.com's password to `correct_horse_battery_staple` you could use this curl command: From 5823f1f29845d913abf0e722a1e6ff294c6dbd2b Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Wed, 7 Dec 2022 13:26:02 -0600 Subject: [PATCH 154/915] Only delete playbook scripts from /usr/local/bin --- .../tasks/cleanup_usr_local_bin.yml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix_playbook_migration/tasks/cleanup_usr_local_bin.yml b/roles/custom/matrix_playbook_migration/tasks/cleanup_usr_local_bin.yml index e7abd4710..586b5c47e 100644 --- a/roles/custom/matrix_playbook_migration/tasks/cleanup_usr_local_bin.yml +++ b/roles/custom/matrix_playbook_migration/tasks/cleanup_usr_local_bin.yml 
@@ -3,8 +3,20 @@
 - name: Find leftover matrix scripts in /usr/local/bin
 ansible.builtin.find:
 path: "/usr/local/bin"
- patterns: "^matrix-.*"
- use_regex: true
+ patterns:
+ - matrix-change-user-admin-status
+ - matrix-dendrite-create-account
+ - matrix-make-user-admin
+ - matrix-postgres-cli
+ - matrix-postgres-cli-non-interactive
+ - matrix-postgres-update-user-password-hash
+ - matrix-remove-all
+ - matrix-ssl-certificates-renew
+ - matrix-ssl-lets-encrypt-certificates-renew
+ - matrix-synapse-register-user
+ - matrix-synapse-s3-storage-provider-migrate
+ - matrix-synapse-s3-storage-provider-shell
+ - matrix-synapse-worker-write-pid
 register: matrix_usr_local_bin_files_result
 - name: Ensure /usr/local/bin does not contain matrix scripts
From 8ef6341fd78e3b3f6a6f3e14bb51379a779dc9fd Mon Sep 17 00:00:00 2001
From: ikkemaniac
Date: Thu, 8 Dec 2022 00:02:54 +0100
Subject: [PATCH 155/915] fix: systemd entry
---
 group_vars/matrix_servers | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index e3f63bb33..e2149a99a 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
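Review bot: The new `patterns` list under `ansible.builtin.find` carries no comment explaining why the `^matrix-.*` regex was dropped, so the next person who adds a script to the playbook will not know this list has to be extended, and a reader may well "simplify" it back to the broad match that the commit title says was removing operator-owned scripts. Suggest a comment directly above `patterns:` such as `# Only scripts this playbook itself used to install in /usr/local/bin; a broad matrix-* match also deleted unrelated operator scripts, so add new names here explicitly.` With `use_regex` gone the entries are matched as glob patterns against the file name, which is presumably the intent, but it is worth confirming that none of the legacy scripts carried a suffix that the exact names no longer match. The removal task that consumes `matrix_usr_local_bin_files_result` lies outside the hunk.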
@@ -297,7 +297,7 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-prometheus-postgres-exporter.service', 'priority': 3900, 'groups': ['matrix', 'monitoring', 'prometheus', 'prometheus-node-exporters']}] if matrix_prometheus_postgres_exporter_enabled else []) + - ([{'name': (matrix_prometheus_nginxlog_exporter_container_hostname + '.service'), 'priority': 3900, 'groups': ['matrix', 'monitoring', 'prometheus', 'prometheus-node-exporters']}] if matrix_prometheus_postgres_exporter_enabled else []) + ([{'name': 'matrix-prometheus-nginxlog-exporter.service', 'priority': 3900, 'groups': ['matrix', 'monitoring', 'prometheus', 'prometheus-node-exporters']}] if matrix_prometheus_nginxlog_exporter_enabled else []) + ([{'name': 'matrix-redis', 'priority': 750, 'groups': ['matrix', 'redis']}] if matrix_redis_enabled else []) + From e6fc6b7a863cca81c15384abb0191c8457eaad23 Mon Sep 17 00:00:00 2001 From: ikkemaniac Date: Thu, 8 Dec 2022 01:07:49 +0100 Subject: [PATCH 156/915] fix: nginxlog prometheus config port --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index e3f63bb33..bdfa3fc96 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
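Review bot: The replacement line hard-codes `'matrix-prometheus-nginxlog-exporter.service'` where the removed line derived the unit name from `matrix_prometheus_nginxlog_exporter_container_hostname`; the fix of the condition from `matrix_prometheus_postgres_exporter_enabled` to `matrix_prometheus_nginxlog_exporter_enabled` is clearly right, but the literal name can now drift silently from whatever unit the role's systemd template actually installs, which is not visible here. If the role exposes a variable for its unit name, referencing it keeps the two in sync; otherwise a short comment on the line, e.g. `# must match the unit name in the matrix-prometheus-nginxlog-exporter role`, would at least flag the coupling. The `devture_systemd_service_manager_services_list_auto` expression continues beyond the hunk on both sides.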
@@ -2911,7 +2911,7 @@ matrix_prometheus_scraper_hookshot_enabled: "{{ matrix_hookshot_metrics_enabled| matrix_prometheus_scraper_hookshot_targets: "{{ [matrix_hookshot_container_url | string +':'+ matrix_hookshot_metrics_port | string] if matrix_hookshot_metrics_enabled else [] }}" matrix_prometheus_scraper_nginxlog_enabled: "{{ matrix_prometheus_nginxlog_exporter_enabled }}" -matrix_prometheus_scraper_nginxlog_server_port: "{{ (matrix_prometheus_nginxlog_exporter_container_hostname | string +':'+ matrix_prometheus_nginxlog_exporter_container_syslog_port | string) +matrix_prometheus_scraper_nginxlog_server_port: "{{ (matrix_prometheus_nginxlog_exporter_container_hostname | string +':'+ matrix_prometheus_nginxlog_exporter_container_metrics_port | string) | default('') }}" ###################################################################### From f186d6236dced7ce52427174693dcaf6852b8fd4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 9 Dec 2022 10:15:06 +0200 Subject: [PATCH 157/915] Add some missing tags to Synapse role Without these: - `--tags=install-synapse` and `--tags=install-all` would be incomplete and will not contain Synapse worker configuration - `--tags=install-synapse-reverse-proxy-companion` and `--tags=setup-synapse-reverse-proxy-companion` would not contain Synapse worker configuration --- roles/custom/matrix-synapse/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/custom/matrix-synapse/tasks/main.yml b/roles/custom/matrix-synapse/tasks/main.yml index 3485e894e..8aa813954 100644 --- a/roles/custom/matrix-synapse/tasks/main.yml +++ b/roles/custom/matrix-synapse/tasks/main.yml @@ -6,6 +6,10 @@ tags: - setup-all - setup-synapse + - install-all + - install-synapse + - setup-synapse-reverse-proxy-companion + - install-synapse-reverse-proxy-companion - start - start-all - start-group From 3824139908428cca72c54cd13a1819de40b0ace4 Mon Sep 17 00:00:00 2001 
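Review bot: In the rewritten `matrix_prometheus_scraper_nginxlog_server_port` value the trailing `| default('')` is applied to the result of the whole concatenation, so it only runs after `matrix_prometheus_nginxlog_exporter_container_hostname` and `matrix_prometheus_nginxlog_exporter_container_metrics_port` have already been rendered with `| string`; if either is undefined the template presumably fails there rather than yielding the empty string, so the filter does not provide the fallback it appears to. Either apply `default` to each operand or guard the whole value with `matrix_prometheus_nginxlog_exporter_enabled`, or drop the filter so the line does not promise protection it cannot give. Switching from the syslog port to the metrics port is the correct target for a Prometheus scrape. A comment noting that the value is `host:port` despite the `_port` suffix would spare the next reader a double-take.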
From: Slavi Pantaleev Date: Fri, 9 Dec 2022 10:18:40 +0200 Subject: [PATCH 158/915] Rename inject_into_nginx_proxy.yml to init.yml when it does more than injection --- .../tasks/{inject_into_nginx_proxy.yml => init.yml} | 0 roles/custom/matrix-synapse/tasks/main.yml | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename roles/custom/matrix-synapse/tasks/{inject_into_nginx_proxy.yml => init.yml} (100%) diff --git a/roles/custom/matrix-synapse/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-synapse/tasks/init.yml similarity index 100% rename from roles/custom/matrix-synapse/tasks/inject_into_nginx_proxy.yml rename to roles/custom/matrix-synapse/tasks/init.yml diff --git a/roles/custom/matrix-synapse/tasks/main.yml b/roles/custom/matrix-synapse/tasks/main.yml index 8aa813954..d00c1808c 100644 --- a/roles/custom/matrix-synapse/tasks/main.yml +++ b/roles/custom/matrix-synapse/tasks/main.yml @@ -2,7 +2,7 @@ - block: - when: matrix_synapse_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" + ansible.builtin.include_tasks: "{{ role_path }}/tasks/init.yml" tags: - setup-all - setup-synapse From 0d8161acb526d6d7ccffa1782dbaf79402e64cf4 Mon Sep 17 00:00:00 2001 From: Abe Date: Fri, 9 Dec 2022 07:15:43 -0700 Subject: [PATCH 159/915] Fix Broken ma1sd Playbook Documentation Link Old link was pointing at `https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/configuring-playbook-ma1sd.md` which 404s New link at `https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-ma1sd.md` --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7cf00607b..177c2a0d8 100644 --- a/README.md +++ b/README.md 
@@ -54,7 +54,7 @@ Services that run on the server to make the various parts of your installation w | [Coturn](https://github.com/coturn/coturn) | ✓ | STUN/TURN server for WebRTC audio/video calls | [Link](docs/configuring-playbook-turn.md) | | [nginx](http://nginx.org/) | ✓ | Web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](docs/configuring-playbook-own-webserver.md) | [Link](docs/configuring-playbook-nginx.md) | | [Let's Encrypt](https://letsencrypt.org/) | ✓ | Free SSL certificate, which secures the connection to the Synapse server and the Element web UI | [Link](docs/configuring-playbook-ssl-certificates.md) | -| [ma1sd](https://github.com/ma1uta/ma1sd) | x | Matrix Identity Server | [Link](configuring-playbook-ma1sd.md) +| [ma1sd](https://github.com/ma1uta/ma1sd) | x | Matrix Identity Server | [Link](docs/configuring-playbook-ma1sd.md) | [Exim](https://www.exim.org/) | ✓ | Mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) | - | | [Dimension](https://github.com/turt2live/matrix-dimension) | x | An open source integrations manager for matrix clients | [Link](docs/configuring-playbook-dimension.md) | | [Sygnal](https://github.com/matrix-org/sygnal) | x | Push gateway | [Link](docs/configuring-playbook-sygnal.md) | From d81e7d63280c6f991c963253ac639c13e4e8ad19 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 10 Dec 2022 10:36:40 +0200 Subject: [PATCH 160/915] Make matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url required Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2330 --- docs/configuring-playbook-synapse-s3-storage-provider.md | 4 ++-- .../tasks/ext/s3-storage-provider/validate_config.yml | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) 
diff --git a/docs/configuring-playbook-synapse-s3-storage-provider.md b/docs/configuring-playbook-synapse-s3-storage-provider.md index a06d658f4..6022eaad0 100644 --- a/docs/configuring-playbook-synapse-s3-storage-provider.md +++ b/docs/configuring-playbook-synapse-s3-storage-provider.md @@ -28,13 +28,13 @@ While you will need some local disk space around, it's only to accommodate usage ## Installing -After [creating the S3 bucket and configuring it](configuring-playbook-s3.md#bucket-creation-and-security-configuration), you can proceed to configure Goofys in your configuration file (`inventory/host_vars/matrix./vars.yml`): +After [creating the S3 bucket and configuring it](configuring-playbook-s3.md#bucket-creation-and-security-configuration), you can proceed to configure `s3-storage-provider` in your configuration file (`inventory/host_vars/matrix./vars.yml`): ```yaml matrix_synapse_ext_synapse_s3_storage_provider_enabled: true matrix_synapse_ext_synapse_s3_storage_provider_config_bucket: your-bucket-name matrix_synapse_ext_synapse_s3_storage_provider_config_region_name: some-region-name # e.g. eu-central-1 -matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url: https://.. # delete this whole line for Amazon S3 +matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url: https://s3.REGION_NAME.amazonaws.com # adjust this matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: access-key-goes-here matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: secret-key-goes-here matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class: STANDARD # or STANDARD_IA, etc. diff --git a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml index d71809fe5..7a8aafaa7 100644 --- a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml 
+++ b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml
@@ -10,9 +10,10 @@
 - "matrix_synapse_ext_synapse_s3_storage_provider_config_region_name"
 - "matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id"
 - "matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key"
+ - "matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url"
 - name: Fail if required matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url looks invalid
 ansible.builtin.fail:
 msg: >-
 `matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url` needs to look like a URL (`http://` or `https://` prefix).
- when: "matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url != '' and not matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url.startswith('http')"
+ when: "matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url.startswith('http')"
From dd51ad2ba2320c75d9325ba117e2448ddfecb770 Mon Sep 17 00:00:00 2001
From: Luke Moch <19363185+mochman@users.noreply.github.com>
Date: Sat, 10 Dec 2022 08:13:55 -0500
Subject: [PATCH 161/915] fail if matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url 'not' startswith('http')
---
 .../tasks/ext/s3-storage-provider/validate_config.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml
index 7a8aafaa7..317269b3c 100644
--- a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml
+++ b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml
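Review bot: The rewritten `when` on the last line of the hunk is inverted: `when: "...endpoint_url.startswith('http')"` makes the task fail precisely when the URL is well-formed and lets a value without an `http` prefix through, so every valid configuration aborts at validation. Dropping the `!= ''` guard is fine now that the variable is in the required list above, but the negation has to stay: `when: "not matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url.startswith('http')"`. The following patch 161/915 in this series makes exactly that correction. The required-variables task that receives the new list entry starts outside the hunk.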
@@ -16,4 +16,4 @@
 ansible.builtin.fail:
 msg: >-
 `matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url` needs to look like a URL (`http://` or `https://` prefix).
- when: "matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url.startswith('http')"
+ when: "not matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url.startswith('http')"
From 2b89d5d92f22206923c4418449d9c8fe45240e05 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sun, 11 Dec 2022 11:45:39 +0200
Subject: [PATCH 162/915] Upgrade exim-relay (4.95-r0-4 -> 4.96-r1-0)
---
 roles/custom/matrix-mailer/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-mailer/defaults/main.yml b/roles/custom/matrix-mailer/defaults/main.yml
index 48cd638ce..71e87532a 100644
--- a/roles/custom/matrix-mailer/defaults/main.yml
+++ b/roles/custom/matrix-mailer/defaults/main.yml
@@ -10,7 +10,7 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev
 matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src"
 matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}"
-matrix_mailer_version: 4.95-r0-4
+matrix_mailer_version: 4.96-r1-0
 matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}"
 matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}"
From 3453fff901f0d57a594dab9955546ad166d9ac31 Mon Sep 17 00:00:00 2001
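Review bot: `startswith('http')` on the corrected `when` line is looser than the message just above it promises (`http://` or `https://` prefix): a value such as `httpfoo` or `http:` passes validation here and only fails later, when the storage provider tries to use the endpoint. Since this is plain Python `str.startswith`, a tuple of the two accepted schemes makes the check match the message exactly: `when: "not matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url.startswith(('http://', 'https://'))"`. The task's `name` line is outside the hunk.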
From: Matthew Cengia Date: Sun, 11 Dec 2022 21:25:43 +1100 Subject: [PATCH 163/915] Use upstream Docker image for amd64 rather than self-build --- group_vars/matrix_servers | 2 ++ roles/custom/matrix-client-hydrogen/defaults/main.yml | 8 +++----- .../custom/matrix-client-hydrogen/tasks/setup_install.yml | 5 +---- .../matrix-client-hydrogen/templates/config.json.j2 | 2 +- .../templates/systemd/matrix-client-hydrogen.service.j2 | 1 + 5 files changed, 8 insertions(+), 10 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 48c8e4d51..93102a887 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2658,6 +2658,8 @@ matrix_client_element_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matr matrix_client_hydrogen_enabled: false +matrix_client_hydrogen_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}" + # Normally, matrix-nginx-proxy is enabled and nginx can reach Hydrogen over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the HTTP port to the local host. diff --git a/roles/custom/matrix-client-hydrogen/defaults/main.yml b/roles/custom/matrix-client-hydrogen/defaults/main.yml index ac0d8289a..c62b2ff6e 100644 --- a/roles/custom/matrix-client-hydrogen/defaults/main.yml +++ b/roles/custom/matrix-client-hydrogen/defaults/main.yml 
@@ -3,14 +3,12 @@ matrix_client_hydrogen_enabled: true -# Self building is used by default because the `config.json` file is only read at build time. -# The pre-built images also were not functional as of 2021-05-15. -matrix_client_hydrogen_container_image_self_build: true +matrix_client_hydrogen_container_image_self_build: false matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git" matrix_client_hydrogen_version: v0.3.5 -matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}" -matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build else matrix_container_global_registry_prefix }}" +matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vector-im/hydrogen-web:{{ matrix_client_hydrogen_version }}" +matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build else 'ghcr.io/' }}" matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" matrix_client_hydrogen_data_path: "{{ matrix_base_data_path }}/client-hydrogen" diff --git a/roles/custom/matrix-client-hydrogen/tasks/setup_install.yml b/roles/custom/matrix-client-hydrogen/tasks/setup_install.yml index 7a886a88f..5fe4ceadd 100644 --- a/roles/custom/matrix-client-hydrogen/tasks/setup_install.yml +++ b/roles/custom/matrix-client-hydrogen/tasks/setup_install.yml 
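Review bot: The new `matrix_client_hydrogen_docker_image_name_prefix` line substitutes the literal `'ghcr.io/'` for `matrix_container_global_registry_prefix`, so unlike the mailer, corporal, Prometheus, Redis and Jitsi images elsewhere on this page Hydrogen now ignores the playbook-wide registry prefix, and operators who route pulls through a mirror or a private registry will not get that behaviour for this one image. If the upstream image is published only on ghcr.io, a comment saying so would stop the next reader from "fixing" it back, e.g. `# Upstream publishes hydrogen-web on ghcr.io only, so the global registry prefix is deliberately not applied here.` Deleting the comment that explained why self-build used to be the default also removes the only record of the build-time `config.json` caveat; a one-line note that the config is now bind-mounted at run time would preserve that history.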
@@ -38,11 +38,10 @@ - name: Ensure Hydrogen configuration installed ansible.builtin.copy: content: "{{ matrix_client_hydrogen_configuration | to_nice_json }}" - dest: "{{ matrix_client_hydrogen_docker_src_files_path }}/src/platform/web/assets/config.json" + dest: "{{ matrix_client_hydrogen_data_path }}/config.json" mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: "matrix_client_hydrogen_container_image_self_build | bool" - name: Ensure Hydrogen additional config files installed ansible.builtin.template: @@ -55,8 +54,6 @@ - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} when: "item.src is not none" -# This step MUST come after the steps to install the configuration files because the config files -# are currently only read at build time, not at run time like most other components in the playbook - name: Ensure Hydrogen Docker image is built community.docker.docker_image: name: "{{ matrix_client_hydrogen_docker_image }}" diff --git a/roles/custom/matrix-client-hydrogen/templates/config.json.j2 b/roles/custom/matrix-client-hydrogen/templates/config.json.j2 index 161ee47bb..b6b1b9be5 100644 --- a/roles/custom/matrix-client-hydrogen/templates/config.json.j2 +++ b/roles/custom/matrix-client-hydrogen/templates/config.json.j2 @@ -3,7 +3,7 @@ "defaultHomeServer": {{ matrix_client_hydrogen_default_hs_url | string | to_json }}, "bugReportEndpointUrl": {{ matrix_client_hydrogen_bugReportEndpointUrl | to_json }}, "themeManifests": [ - "assets/theme-Element.json" + "assets/theme-element.json" ], "defaultTheme": { "light": "element-light", diff --git a/roles/custom/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 b/roles/custom/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 index 92bfadcb9..d8a3fb98b 100644 --- a/roles/custom/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 
+++ b/roles/custom/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 @@ -24,6 +24,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {% endif %} --tmpfs=/tmp:rw,noexec,nosuid,size=10m \ --mount type=bind,src={{ matrix_client_hydrogen_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ + --mount type=bind,src={{ matrix_client_hydrogen_data_path }}/config.json,dst=/usr/share/nginx/html/config.json,ro \ {% for arg in matrix_client_hydrogen_container_extra_arguments %} {{ arg }} \ {% endfor %} From 86d177266aba99b55db30ce0d62f402786950525 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 11 Dec 2022 17:53:39 +0200 Subject: [PATCH 164/915] Upgrade matrix-corporal (2.4.0 -> 2.5.0) --- roles/custom/matrix-corporal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-corporal/defaults/main.yml b/roles/custom/matrix-corporal/defaults/main.yml index 1bed88813..136f3f8bd 100644 --- a/roles/custom/matrix-corporal/defaults/main.yml +++ b/roles/custom/matrix-corporal/defaults/main.yml @@ -23,7 +23,7 @@ matrix_corporal_container_extra_arguments: [] # List of systemd services that matrix-corporal.service depends on matrix_corporal_systemd_required_services_list: ['docker.service'] -matrix_corporal_version: 2.4.0 +matrix_corporal_version: 2.5.0 matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}" matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_corporal_docker_image_tag: "{{ matrix_corporal_version }}" # for backward-compatibility From f69d90c1e6fb126a8a2b2358707b5931522712ac Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sun, 11 Dec 2022 17:53:52 +0200 Subject: [PATCH 165/915] Upgrade Prometheus (2.40.5 -> 2.40.6) --- roles/custom/matrix-prometheus/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-prometheus/defaults/main.yml b/roles/custom/matrix-prometheus/defaults/main.yml index 77e7fb1af..1f4a4f49c 100644 --- a/roles/custom/matrix-prometheus/defaults/main.yml +++ b/roles/custom/matrix-prometheus/defaults/main.yml @@ -5,7 +5,7 @@ matrix_prometheus_enabled: false -matrix_prometheus_version: v2.40.5 +matrix_prometheus_version: v2.40.6 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" From 108ada75e88744f7d851680a89a44b63f26ffcfc Mon Sep 17 00:00:00 2001 From: ikkemaniac Date: Sun, 11 Dec 2022 22:37:54 +0100 Subject: [PATCH 166/915] update dashboard, fix typo, fix using original user ip improve nginxlog matches to group URI's --- .../templates/nginx-proxy.json | 58 +++++++++---------- .../prometheus-nginxlog-exporter.yaml.j2 | 20 +++++++ 2 files changed, 49 insertions(+), 29 deletions(-) diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/templates/nginx-proxy.json b/roles/custom/matrix-prometheus-nginxlog-exporter/templates/nginx-proxy.json index 415334885..395314fd7 100644 --- a/roles/custom/matrix-prometheus-nginxlog-exporter/templates/nginx-proxy.json +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/templates/nginx-proxy.json @@ -56,7 +56,7 @@ "editable": true, "fiscalYearStartMonth": 0, "graphTooltip": 0, - "id": null, + "id": 5, "links": [], "liveNow": false, "panels": [ @@ -132,7 +132,7 @@ "h": 8, "w": 12, "x": 0, - "y": 17 + "y": 1 }, "id": 20, "options": { 
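Review bot: `"id": 5` replaces `"id": null` in the exported dashboard; in Grafana `id` is the instance-local database id, so a concrete value only has meaning on the instance it was exported from and, when the JSON is pushed through the dashboards API, can make the import fail or overwrite a different dashboard that happens to hold that id, which is why exported dashboards are normally kept at `null`. If this file is loaded by file provisioning the id is presumably ignored, but reverting to `"id": null` removes the ambiguity at no cost. The `"version": 12` bump later in the same commit is harmless.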
@@ -154,14 +154,14 @@ "uid": "${DS_PROMETHEUS}" }, "editorMode": "builder", - "expr": "sum by(remote_addr) (rate(http_response_count_total{status=~\"1.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "expr": "sum by(http_x_forwarded_for) (rate(http_response_count_total{status=~\"1.*\", request_host=~\"$request_host\"}[$__rate_interval]))", "hide": false, "legendFormat": "__auto", "range": true, "refId": "B" } ], - "title": "1xx by remote addr [$request_host]", + "title": "1xx by upstream addr[$request_host]", "type": "timeseries" }, { @@ -226,7 +226,7 @@ "h": 8, "w": 12, "x": 12, - "y": 17 + "y": 1 }, "id": 21, "options": { @@ -323,7 +323,7 @@ "h": 8, "w": 12, "x": 0, - "y": 25 + "y": 9 }, "id": 18, "options": { @@ -345,14 +345,14 @@ "uid": "${DS_PROMETHEUS}" }, "editorMode": "builder", - "expr": "sum by(remote_addr) (rate(http_response_count_total{status=~\"2.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "expr": "sum by(http_x_forwarded_for) (rate(http_response_count_total{status=~\"2.*\", request_host=~\"$request_host\"}[$__rate_interval]))", "hide": false, "legendFormat": "__auto", "range": true, "refId": "B" } ], - "title": "2xx by remote addr [$request_host]", + "title": "2xx by upstream addr[$request_host]", "type": "timeseries" }, { @@ -417,7 +417,7 @@ "h": 8, "w": 12, "x": 12, - "y": 25 + "y": 9 }, "id": 19, "options": { @@ -514,7 +514,7 @@ "h": 8, "w": 12, "x": 0, - "y": 33 + "y": 17 }, "id": 16, "options": { 
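Review bot: The rewritten panel expressions group by `http_x_forwarded_for` instead of `remote_addr`, and the same substitution is made for the 2xx, 3xx, 404, 4xx, 502-504, 5xx and 6xx panels further down the file; that label is derived from a request header any client can send, so unless nginx overwrites `X-Forwarded-For` at the edge rather than appending to a client-supplied value, the "user ip" these panels attribute traffic to is attacker-controlled and unbounded in cardinality, which is a Prometheus cost problem as well as a trust problem for anyone reading the dashboard during an incident. The exporter configuration that produces the `http_x_forwarded_for` label is not among this commit's visible hunks, so confirm there where the value comes from and whether it is restricted to trusted proxies. The new titles say `by upstream addr` while the label is the forwarded client address; `by forwarded client addr [$request_host]`, with the space before `[` restored, would describe the data.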
@@ -536,14 +536,14 @@ "uid": "${DS_PROMETHEUS}" }, "editorMode": "builder", - "expr": "sum by(remote_addr) (rate(http_response_count_total{status=~\"3.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "expr": "sum by(http_x_forwarded_for) (rate(http_response_count_total{status=~\"3.*\", request_host=~\"$request_host\"}[$__rate_interval]))", "hide": false, "legendFormat": "__auto", "range": true, "refId": "B" } ], - "title": "3xx by remote addr [$request_host]", + "title": "3xx by upstream addr[$request_host]", "type": "timeseries" }, { @@ -608,7 +608,7 @@ "h": 8, "w": 12, "x": 12, - "y": 33 + "y": 17 }, "id": 17, "options": { @@ -644,7 +644,7 @@ "type": "timeseries" } ], - "title": "1xx - 3xx - 2xx Status Code .....................................................", + "title": "1xx - 2xx - 3xx Status Code .....................................................", "type": "row" }, { @@ -744,14 +744,14 @@ "uid": "${DS_PROMETHEUS}" }, "editorMode": "builder", - "expr": "sum by(remote_addr) (rate(http_response_count_total{status=~\"404\", request_host=~\"$request_host\"}[$__rate_interval]))", + "expr": "sum by(http_x_forwarded_for) (rate(http_response_count_total{status=~\"404\", request_host=~\"$request_host\"}[$__rate_interval]))", "hide": false, "legendFormat": "__auto", "range": true, "refId": "B" } ], - "title": "404 by remote addr [$request_host]", + "title": "404 by upstream addr[$request_host]", "type": "timeseries" }, { 
@@ -935,14 +935,14 @@ "uid": "${DS_PROMETHEUS}" }, "editorMode": "builder", - "expr": "sum by(remote_addr) (rate(http_response_count_total{status=~\"4.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "expr": "sum by(http_x_forwarded_for) (rate(http_response_count_total{status=~\"4.*\", request_host=~\"$request_host\"}[$__rate_interval]))", "hide": false, "legendFormat": "__auto", "range": true, "refId": "B" } ], - "title": "4xx by remote addr [$request_host]", + "title": "4xx by upstream addr[$request_host]", "type": "timeseries" }, { @@ -1114,7 +1114,7 @@ "h": 8, "w": 12, "x": 0, - "y": 11 + "y": 3 }, "id": 10, "options": { @@ -1136,14 +1136,14 @@ "uid": "${DS_PROMETHEUS}" }, "editorMode": "builder", - "expr": "sum by(remote_addr, status) (rate(http_response_count_total{status=~\"504|502\", request_host=~\"$request_host\"}[$__rate_interval]))", + "expr": "sum by(http_x_forwarded_for, status) (rate(http_response_count_total{status=~\"504|502\", request_host=~\"$request_host\"}[$__rate_interval]))", "hide": false, "legendFormat": "__auto", "range": true, "refId": "B" } ], - "title": "502-504 by remote addr [$request_host]", + "title": "502-504 by upstream addr[$request_host]", "type": "timeseries" }, { @@ -1208,7 +1208,7 @@ "h": 8, "w": 12, "x": 12, - "y": 11 + "y": 3 }, "id": 11, "options": { @@ -1305,7 +1305,7 @@ "h": 8, "w": 12, "x": 0, - "y": 19 + "y": 11 }, "id": 12, "options": { @@ -1327,14 +1327,14 @@ "uid": "${DS_PROMETHEUS}" }, "editorMode": "builder", - "expr": "sum by(remote_addr) (rate(http_response_count_total{status=~\"5.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "expr": "sum by(http_x_forwarded_for) (rate(http_response_count_total{status=~\"5.*\", request_host=~\"$request_host\"}[$__rate_interval]))", "hide": false, "legendFormat": "__auto", "range": true, "refId": "B" } ], - "title": "5xx by remote addr [$request_host]", + "title": "5xx by upstream addr[$request_host]", "type": "timeseries" }, { 
@@ -1399,7 +1399,7 @@ "h": 8, "w": 12, "x": 12, - "y": 19 + "y": 11 }, "id": 13, "options": { @@ -1532,14 +1532,14 @@ "uid": "${DS_PROMETHEUS}" }, "editorMode": "builder", - "expr": "sum by(remote_addr) (rate(http_response_count_total{status=~\"[6-9]{1}.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "expr": "sum by(http_x_forwarded_for) (rate(http_response_count_total{status=~\"[6-9]{1}.*\", request_host=~\"$request_host\"}[$__rate_interval]))", "hide": false, "legendFormat": "__auto", "range": true, "refId": "B" } ], - "title": "6xx > by remote addr [$request_host]", + "title": "6xx > by upstream addr[$request_host]", "type": "timeseries" }, { @@ -1700,6 +1700,6 @@ "timezone": "", "title": "NGINX PROXY", "uid": "x2_jWNF4k", - "version": 11, + "version": 12, "weekStart": "" } \ No newline at end of file diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/templates/prometheus-nginxlog-exporter.yaml.j2 b/roles/custom/matrix-prometheus-nginxlog-exporter/templates/prometheus-nginxlog-exporter.yaml.j2 index 1e2492cde..38db07eb8 100644 --- a/roles/custom/matrix-prometheus-nginxlog-exporter/templates/prometheus-nginxlog-exporter.yaml.j2 +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/templates/prometheus-nginxlog-exporter.yaml.j2 
@@ -23,6 +23,26 @@ namespaces: split: 2 separator: ' ' matches: + - regexp: "^([^\\?]+)/(public|bundles|fonts|img|themes|vector-icons|element-icons|d|media).*" + replacement: "$1/$2/" + - regexp: "^([^\\?]+).*/rooms/.*/(event|read_markers|messages|receipt|state|typing|members).*" + replacement: "$1/rooms/:roomid:/$2" + - regexp: "^([^\\?]+).*/(r0|v3)/(sync|pushers|keys|devices|download|sendtodevice).*" + replacement: "$1/:v:/$3" + - regexp: "^([^\\?]+).*/rooms/(.*)/send/(.*)" + replacement: "$1/rooms/:roomid:/send/:command:/:id:" + - regexp: "^([^\\?]+).*/client/unstable/.*" + replacement: "$1/client/unstable/:matrixspec:" + - regexp: "^([^\\?]+).*/presence/.*" + replacement: "$1/presence/:userid:" + - regexp: "^([^\\?]+).*/user/.*" + replacement: "$1/user/:userid:" + - regexp: "^([^\\?]+).*/profile/.*" + replacement: "$1/profile/:userid:" + - regexp: "^([^\\?]+).*/directory/room/.*" + replacement: "$1/directory/room/:roomid:" + - regexp: "^([^\\?]+).*/thumbnail/.*" + replacement: "$1/thumbnail/:domain:/:mxid:" - regexp: "^([^\\?]+)(.*)" replacement: "$1" - target_label: remote_addr From b9afcead4208c0a3245a6c7b16ab57f10f085052 Mon Sep 17 00:00:00 2001 From: gardar Date: Sun, 11 Dec 2022 23:25:59 +0000 Subject: [PATCH 167/915] fix: unclosed tags typo --- .../templates/config.yaml.j2 | 4 ++-- .../matrix-bridge-mautrix-facebook/templates/config.yaml.j2 | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/custom/matrix-bridge-appservice-kakaotalk/templates/config.yaml.j2 b/roles/custom/matrix-bridge-appservice-kakaotalk/templates/config.yaml.j2 index 1bb87cb41..803d443fd 100644 --- a/roles/custom/matrix-bridge-appservice-kakaotalk/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-appservice-kakaotalk/templates/config.yaml.j2 
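Review bot: The ten new `matches` entries carry no comment stating that they are evaluated top to bottom with the first matching `regexp` winning, nor that their purpose is to strip room IDs, user IDs, event IDs and media IDs out of the request path before it becomes a label value; without that, a rule appended after the catch-all `^([^\\?]+)(.*)` would never fire, and a reader may not realise these rewrites are what keep identifiers such as a user's MXID out of Prometheus. Suggest a comment above the list: `# Evaluated in order, first match wins; keep the catch-all last. These rewrite identifiers in the URI to placeholders so user/room/media IDs never become metric label values (privacy and cardinality).` Whether first-match-wins is the exporter's actual semantics should be checked against the prometheus-nginxlog-exporter version in use before the comment is added. The enclosing `namespaces` section starts outside the hunk.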
@@ -230,8 +230,8 @@ bridge: # $message - The message content message_formats: m.text: '$sender_displayname: $message' - m.notice: '$sender_displayname: $message' - m.emote: '* $sender_displayname $message' + m.notice: '$sender_displayname: $message' + m.emote: '* $sender_displayname $message' m.file: 'File from $sender_displayname: $message' m.image: 'Image from $sender_displayname: $message' m.audio: 'Audio from $sender_displayname: $message' diff --git a/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 index 3318255dc..b8e25feeb 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 @@ -216,8 +216,8 @@ bridge: # $message - The message content message_formats: m.text: '$sender_displayname: $message' - m.notice: '$sender_displayname: $message' - m.emote: '* $sender_displayname $message' + m.notice: '$sender_displayname: $message' + m.emote: '* $sender_displayname $message' m.file: '$sender_displayname sent a file' m.image: '$sender_displayname sent an image' m.audio: '$sender_displayname sent an audio file' From ae7325f251d4bc5653913949cba6a4da5a5e4ac5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 12 Dec 2022 15:28:23 +0200 Subject: [PATCH 168/915] Run com.devture.ansible.role.playbook_state_preserver even on --tags=install-all --- playbooks/matrix.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index 92e027fb5..9f6d8f77a 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml @@ -115,5 +115,6 @@ role: galaxy/com.devture.ansible.role.playbook_state_preserver tags: - setup-all + - install-all - role: galaxy/com.devture.ansible.role.playbook_runtime_messages From a3ec2f32157acc58707e5c4916fe4e333f7d1fc7 Mon Sep 17 00:00:00 2001 
From: Fanch Date: Mon, 12 Dec 2022 15:18:05 +0100 Subject: [PATCH 169/915] Specify relation between matrix-registration and matrix-registration-bot --- docs/configuring-playbook-matrix-registration.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/configuring-playbook-matrix-registration.md b/docs/configuring-playbook-matrix-registration.md index 2b4b07ff2..491d94e23 100644 --- a/docs/configuring-playbook-matrix-registration.md +++ b/docs/configuring-playbook-matrix-registration.md @@ -4,6 +4,8 @@ The playbook can install and configure [matrix-registration](https://github.com/ **WARNING**: this is a poorly maintained and buggy project. It's better to avoid using it. +**WARNING**: this is not related to [matrix-registration-bot](configuring-playbook-bot-matrix-registration-bot.md) + > matrix-registration is a simple python application to have a token based matrix registration. Use matrix-registration to **create unique registration links**, which people can use to register on your Matrix server. It allows you to **keep your server's registration closed (private)**, but still allow certain people (these having a special link) to register a user account. From 3f4ab0bd7efbdaea7658dfdeda9f771906aac1f2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 12 Dec 2022 18:56:15 +0200 Subject: [PATCH 170/915] Upgrade Redis (7.0.4 -> 7.0.5) --- roles/custom/matrix-redis/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-redis/defaults/main.yml b/roles/custom/matrix-redis/defaults/main.yml index 4eefbce4c..2ae0c4d4f 100644 --- a/roles/custom/matrix-redis/defaults/main.yml +++ b/roles/custom/matrix-redis/defaults/main.yml 
@@ -8,7 +8,7 @@ matrix_redis_connection_password: "" matrix_redis_base_path: "{{ matrix_base_data_path }}/redis" matrix_redis_data_path: "{{ matrix_redis_base_path }}/data" -matrix_redis_version: 7.0.4-alpine +matrix_redis_version: 7.0.5-alpine matrix_redis_docker_image_v6: "{{ matrix_container_global_registry_prefix }}redis:{{ matrix_redis_version }}" matrix_redis_docker_image_latest: "{{ matrix_redis_docker_image_v6 }}" matrix_redis_docker_image_to_use: '{{ matrix_redis_docker_image_latest }}' From 1f593f708f4eadc236443d8106cf58811cfb05ca Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 12 Dec 2022 19:00:45 +0200 Subject: [PATCH 171/915] Upgrade Jitsi (stable-8044 -> stable-8138) Untested --- roles/custom/matrix-jitsi/defaults/main.yml | 3 ++- roles/custom/matrix-jitsi/templates/prosody/env.j2 | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-jitsi/defaults/main.yml b/roles/custom/matrix-jitsi/defaults/main.yml index e923055cb..d5bec324c 100644 --- a/roles/custom/matrix-jitsi/defaults/main.yml +++ b/roles/custom/matrix-jitsi/defaults/main.yml @@ -72,7 +72,7 @@ matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false -matrix_jitsi_version: stable-8044 +matrix_jitsi_version: stable-8138 matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}" @@ -96,6 +96,7 @@ matrix_jitsi_turn_host: "turn.{{ matrix_server_fqn_matrix }}" matrix_jitsi_turns_host: "turn.{{ matrix_server_fqn_matrix }}" matrix_jitsi_turn_port: "{{ matrix_coturn_container_stun_plain_host_bind_port }}" matrix_jitsi_turns_port: "{{ matrix_coturn_container_stun_tls_host_bind_port }}" +matrix_jitsi_turn_transport: tcp # Controls whether Etherpad will be available within Jitsi matrix_jitsi_etherpad_enabled: false 
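Review bot: The new `matrix_jitsi_turn_transport: tcp` default is added without a comment, and its only visible consumer is the `TURN_TRANSPORT` entry the same commit adds to templates/prosody/env.j2, so a reader of defaults/main.yml cannot tell what the value governs or which other values are accepted. One value appears to apply to both the plain `matrix_jitsi_turn_port` and the TLS `matrix_jitsi_turns_port` (presumably — the consumer's behaviour is not visible here). A one-line comment would close that gap, e.g. `# Transport used for TURN; rendered as TURN_TRANSPORT in the Prosody container environment`, and since the commit message says the upgrade is untested, the accepted values should be recorded once confirmed.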
diff --git a/roles/custom/matrix-jitsi/templates/prosody/env.j2 b/roles/custom/matrix-jitsi/templates/prosody/env.j2 index 147c01d79..b0ebbefce 100644 --- a/roles/custom/matrix-jitsi/templates/prosody/env.j2 +++ b/roles/custom/matrix-jitsi/templates/prosody/env.j2 @@ -47,6 +47,7 @@ TURN_HOST={{ matrix_jitsi_turn_host }} TURNS_HOST={{ matrix_jitsi_turns_host }} TURN_PORT={{ matrix_jitsi_turn_port }} TURNS_PORT={{ matrix_jitsi_turns_port }} +TURN_TRANSPORT={{ matrix_jitsi_turn_transport }} TZ={{ matrix_jitsi_timezone }} XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} @@ -60,4 +61,4 @@ XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} XMPP_CROSS_DOMAIN=true {% if matrix_prosody_jitsi_max_participants is number %} MAX_PARTICIPANTS={{ matrix_prosody_jitsi_max_participants }} -{% endif %} \ No newline at end of file +{% endif %} From f642f6fae79678ad853700ec886ff95ee51289cf Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 13 Dec 2022 22:45:52 +0000 Subject: [PATCH 172/915] update mautrix-instagram 0.2.2 -> 0.2.3 --- roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml index 75b996562..0e726aa80 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml 
@@ -8,7 +8,7 @@ matrix_mautrix_instagram_container_image_self_build: false matrix_mautrix_instagram_container_image_self_build_repo: "https://github.com/mautrix/instagram.git" matrix_mautrix_instagram_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_instagram_version == 'latest' else matrix_mautrix_instagram_version }}" -matrix_mautrix_instagram_version: v0.2.2 +matrix_mautrix_instagram_version: v0.2.3 # See: https://mau.dev/tulir/mautrix-instagram/container_registry matrix_mautrix_instagram_docker_image: "{{ matrix_mautrix_instagram_docker_image_name_prefix }}mautrix/instagram:{{ matrix_mautrix_instagram_version }}" matrix_mautrix_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_instagram_container_image_self_build else 'dock.mau.dev/' }}" From 07ca0267f1267747d3532249af763248b951fdb7 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 13 Dec 2022 22:47:30 +0000 Subject: [PATCH 173/915] update redis 7.0.5 -> 7.0.6 --- roles/custom/matrix-redis/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-redis/defaults/main.yml b/roles/custom/matrix-redis/defaults/main.yml index 2ae0c4d4f..8425c737d 100644 --- a/roles/custom/matrix-redis/defaults/main.yml +++ b/roles/custom/matrix-redis/defaults/main.yml @@ -8,7 +8,7 @@ matrix_redis_connection_password: "" matrix_redis_base_path: "{{ matrix_base_data_path }}/redis" matrix_redis_data_path: "{{ matrix_redis_base_path }}/data" -matrix_redis_version: 7.0.5-alpine +matrix_redis_version: 7.0.6-alpine matrix_redis_docker_image_v6: "{{ matrix_container_global_registry_prefix }}redis:{{ matrix_redis_version }}" matrix_redis_docker_image_latest: "{{ matrix_redis_docker_image_v6 }}" matrix_redis_docker_image_to_use: '{{ matrix_redis_docker_image_latest }}' From bd0f21588fea5c85d9bb2cc64370b3b70bd04233 Mon Sep 17 00:00:00 2001 
From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 13 Dec 2022 22:49:10 +0000 Subject: [PATCH 174/915] Update jitsi stable-8138 -> stable-8138-1 --- roles/custom/matrix-jitsi/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-jitsi/defaults/main.yml b/roles/custom/matrix-jitsi/defaults/main.yml index d5bec324c..ce4d19cc1 100644 --- a/roles/custom/matrix-jitsi/defaults/main.yml +++ b/roles/custom/matrix-jitsi/defaults/main.yml @@ -72,7 +72,7 @@ matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false -matrix_jitsi_version: stable-8138 +matrix_jitsi_version: stable-8138-1 matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}" From 455b8aff158b651ee41b7a4067d41b70bd965769 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 14 Dec 2022 10:32:14 +0000 Subject: [PATCH 175/915] Update prometheus 2.40.6 -> 2.40.7 --- roles/custom/matrix-prometheus/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-prometheus/defaults/main.yml b/roles/custom/matrix-prometheus/defaults/main.yml index 1f4a4f49c..ed13c10f3 100644 --- a/roles/custom/matrix-prometheus/defaults/main.yml +++ b/roles/custom/matrix-prometheus/defaults/main.yml @@ -5,7 +5,7 @@ matrix_prometheus_enabled: false -matrix_prometheus_version: v2.40.6 +matrix_prometheus_version: v2.40.7 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" From fa735130647e586650b963432363370ce75deb86 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sat, 17 Dec 2022 22:47:38 +0200 Subject: [PATCH 176/915] Upgrade mautrix-whatsapp (0.7.2 -> 0.8.0) --- roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml | 2 +- .../matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 186c62970..1307d09ed 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mautrix_whatsapp_container_image_self_build: false matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautrix/whatsapp.git" matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}" -matrix_mautrix_whatsapp_version: v0.7.2 +matrix_mautrix_whatsapp_version: v0.8.0 # See: https://mau.dev/mautrix/whatsapp/container_registry matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_name_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}" matrix_mautrix_whatsapp_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_whatsapp_container_image_self_build else 'dock.mau.dev/' }}" diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 index 9c0b95e8d..4b5af2e93 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 
@@ -290,6 +290,8 @@ bridge: # Send captions in the same message as images. This will send data compatible with both MSC2530 and MSC3552. # This is currently not supported in most clients. caption_in_message: false + # Should polls be sent using MSC3381 event types? + extev_polls: false # Should Matrix edits be bridged to WhatsApp edits? # Official WhatsApp clients don't render edits yet, but once they do, the bridge should work with them right away. send_whatsapp_edits: false From a7d39b109a69012475aa9053db833b3d348f4008 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 17 Dec 2022 22:48:48 +0200 Subject: [PATCH 177/915] Upgrade Redis (7.0.6 -> 7.0.7) --- roles/custom/matrix-redis/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-redis/defaults/main.yml b/roles/custom/matrix-redis/defaults/main.yml index 8425c737d..779ec3a30 100644 --- a/roles/custom/matrix-redis/defaults/main.yml +++ b/roles/custom/matrix-redis/defaults/main.yml @@ -8,7 +8,7 @@ matrix_redis_connection_password: "" matrix_redis_base_path: "{{ matrix_base_data_path }}/redis" matrix_redis_data_path: "{{ matrix_redis_base_path }}/data" -matrix_redis_version: 7.0.6-alpine +matrix_redis_version: 7.0.7-alpine matrix_redis_docker_image_v6: "{{ matrix_container_global_registry_prefix }}redis:{{ matrix_redis_version }}" matrix_redis_docker_image_latest: "{{ matrix_redis_docker_image_v6 }}" matrix_redis_docker_image_to_use: '{{ matrix_redis_docker_image_latest }}' From 576eb0006cd4907ea3706e584c8341b218854c18 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 17 Dec 2022 22:49:34 +0200 Subject: [PATCH 178/915] Upgrade Grafana (9.3.1 -> 9.3.2) --- roles/custom/matrix-grafana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-grafana/defaults/main.yml b/roles/custom/matrix-grafana/defaults/main.yml index 49f2eb511..44821b577 100644 --- a/roles/custom/matrix-grafana/defaults/main.yml 
+++ b/roles/custom/matrix-grafana/defaults/main.yml @@ -5,7 +5,7 @@ matrix_grafana_enabled: true -matrix_grafana_version: 9.3.1 +matrix_grafana_version: 9.3.2 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" From f2e68469cb5893e11ef648e18db013c86008910e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 19 Dec 2022 12:32:43 +0200 Subject: [PATCH 179/915] Upgrade nginx (1.23.2 -> 1.23.3) --- roles/custom/matrix-nginx-proxy/defaults/main.yml | 2 +- .../matrix-synapse-reverse-proxy-companion/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index 839211e01..6fbc019e2 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml @@ -1,7 +1,7 @@ --- # Project source code URL: https://github.com/nginx/nginx matrix_nginx_proxy_enabled: true -matrix_nginx_proxy_version: 1.23.2-alpine +matrix_nginx_proxy_version: 1.23.3-alpine # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml index 13a9ca1ec..364cf2c7e 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml 
@@ -25,7 +25,7 @@ matrix_synapse_reverse_proxy_companion_enabled: true -matrix_synapse_reverse_proxy_companion_version: 1.23.2-alpine +matrix_synapse_reverse_proxy_companion_version: 1.23.3-alpine matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion" matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d" From 5e30f6d4c4af1bb000f56641b3a57ea91c512d3f Mon Sep 17 00:00:00 2001 From: Catalan Lover <48515417+FSG-Cat@users.noreply.github.com> Date: Mon, 19 Dec 2022 15:33:58 +0100 Subject: [PATCH 180/915] Update Mjolnir from 1.5.0 to 1.6.1 Please note that This Mjolnir version bump technnically is missing some extra stuff that mjolnir claims we should do but it didnt work when i tried it and well my mjolnir deployment has been running this since release day almost and its fine. No errors in log that are unexpected. (Mjolnir throws errors in the log for anyone who wonders for various things that are fine. Like if a protection is off that is an error. Its due to how matrix-bot-lib works.) --- roles/custom/matrix-bot-mjolnir/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-mjolnir/defaults/main.yml b/roles/custom/matrix-bot-mjolnir/defaults/main.yml index 0be97eaec..b17f2f4b7 100644 --- a/roles/custom/matrix-bot-mjolnir/defaults/main.yml +++ b/roles/custom/matrix-bot-mjolnir/defaults/main.yml @@ -4,7 +4,7 @@ matrix_bot_mjolnir_enabled: true -matrix_bot_mjolnir_version: "v1.5.0" +matrix_bot_mjolnir_version: "v1.6.1" matrix_bot_mjolnir_container_image_self_build: false matrix_bot_mjolnir_container_image_self_build_repo: "https://github.com/matrix-org/mjolnir.git" From d4a8435fa2f496f94f9c23a01148b20a56406d18 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Tue, 20 Dec 2022 10:32:00 +0200 Subject: [PATCH 181/915] Try to improve own-webserver docs a bit Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2351 --- docs/configuring-playbook-own-webserver.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 76d485877..75ba262b5 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -19,7 +19,12 @@ There are **2 ways you can go about it**, if you'd like to use your own webserve ## Method 1: Disabling the integrated nginx reverse-proxy webserver This method is about completely disabling the integrated nginx reverse-proxy webserver and replicating its behavior using another webserver. -For an alternative, make sure to check Method #2 as well. + +If that other webserver is `nginx`, you'd be able to include configuration files generated by the playbook into your `nginx` webserver. + +If you'd like to use another webserver (not `nginx`), you'd need to do things manually. We have examples for other webservers below. + +For an alternative (which keeps `matrix-nginx-proxy` around and connects your other reverse-proxy with it), make sure to check Method #2. ### Preparation From 362954aeab35398e3cd6cd5e735f3fade338b022 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 20 Dec 2022 11:23:40 +0200 Subject: [PATCH 182/915] Remove warning which no longer applies This warning was added because of: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2090 The problem has since been fixed by: https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/e9e84341a91fb0013469d74ee8c88c2edb5ad3a5 This current patch was provoked by: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2352 --- docs/configuring-playbook-own-webserver.md | 3 --- 1 file changed, 3 deletions(-) 
diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 75ba262b5..06f21b326 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -6,9 +6,6 @@ If that's alright, you can skip this. If you don't want this playbook's nginx webserver to take over your server's 80/443 ports like that, and you'd like to use your own webserver (be it nginx, Apache, Varnish Cache, etc.), you can. -You should note, however, that the playbook's services work best when you keep using the integrated `matrix-nginx-proxy` webserver. -For example, disabling `matrix-nginx-proxy` when running a [Synapse worker setup for load-balancing](configuring-playbook-synapse.md#load-balancing-with-workers) (a more advanced, non-default configuration) is likely to cause various troubles (see [this issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2090)). If you need a such more scalable setup, disabling `matrix-nginx-proxy` will be a bad idea. If yours will be a simple (default, non-worker-load-balancing) deployment, disabling `matrix-nginx-proxy` may be fine. - There are **2 ways you can go about it**, if you'd like to use your own webserver: - [Method 1: Disabling the integrated nginx reverse-proxy webserver](#method-1-disabling-the-integrated-nginx-reverse-proxy-webserver) From deabd7945296ae6358be4258fe09fb2a9c7509e2 Mon Sep 17 00:00:00 2001 From: Joe Kappus Date: Tue, 20 Dec 2022 14:07:14 -0500 Subject: [PATCH 183/915] Upgrade Synapse (1.73.0 -> 1.74.0) Signed-off-by: Joe Kappus --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 19c6d2b14..07eb803ed 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml 
@@ -36,7 +36,7 @@ matrix_synapse_container_image_customizations_dockerfile_body_custom: '' matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:{{ matrix_synapse_docker_image_tag }}" matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else matrix_container_global_registry_prefix }}" -matrix_synapse_version: v1.73.0 +matrix_synapse_version: v1.74.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From d0b2a507689233d3120186036f4960bec9cc80d9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 20 Dec 2022 21:36:39 +0200 Subject: [PATCH 184/915] Upgrade Hydrogen (v0.3.5 -> v0.3.6) --- roles/custom/matrix-client-hydrogen/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-hydrogen/defaults/main.yml b/roles/custom/matrix-client-hydrogen/defaults/main.yml index c62b2ff6e..c3f2ab958 100644 --- a/roles/custom/matrix-client-hydrogen/defaults/main.yml +++ b/roles/custom/matrix-client-hydrogen/defaults/main.yml @@ -6,7 +6,7 @@ matrix_client_hydrogen_enabled: true matrix_client_hydrogen_container_image_self_build: false matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git" -matrix_client_hydrogen_version: v0.3.5 +matrix_client_hydrogen_version: v0.3.6 matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vector-im/hydrogen-web:{{ matrix_client_hydrogen_version }}" matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build else 'ghcr.io/' }}" matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" From 42c4f0450d122806e6fb7a83bf311780d7519eeb Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Tue, 20 Dec 2022 21:37:19 +0200 Subject: [PATCH 185/915] Upgrade Prometheus (2.40.7 -> 2.41.0) --- roles/custom/matrix-prometheus/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-prometheus/defaults/main.yml b/roles/custom/matrix-prometheus/defaults/main.yml index ed13c10f3..5216ccd74 100644 --- a/roles/custom/matrix-prometheus/defaults/main.yml +++ b/roles/custom/matrix-prometheus/defaults/main.yml @@ -5,7 +5,7 @@ matrix_prometheus_enabled: false -matrix_prometheus_version: v2.40.7 +matrix_prometheus_version: v2.41.0 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" From 40aa42e9821aa066bc58921ec2f18590240d95ea Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 21 Dec 2022 06:43:43 +0200 Subject: [PATCH 186/915] Add reference to push.enabled to homeserver.yaml Related to: - https://github.com/matrix-org/synapse/pull/14551/files - https://github.com/matrix-org/synapse/pull/14619/files --- .../custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 3767a3fc8..d2dd1c743 100644 --- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2532,6 +2532,8 @@ password_providers: ## Push ## push: + # enabled: false + # Clients requesting push notifications can either have the body of # the message sent in the notification poke along with other details # like the sender, or just the event ID and room ID (`event_id_only`). From 77bb386adc7f8f3a84b0029def894493fafe3093 Mon Sep 17 00:00:00 2001 
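Review bot: The commented-out `# enabled: false` is dropped into the `push:` section without saying what it controls or why it is left commented, so a reader of the rendered homeserver.yaml cannot tell whether it is an example, a recommendation, or dead text. A short comment above it would settle that, e.g. `# Uncomment to turn off push notifications entirely (presumably; see https://github.com/matrix-org/synapse/pull/14551).` The `push:` section continues outside the hunk.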
From: Slavi Pantaleev Date: Wed, 21 Dec 2022 18:47:38 +0200 Subject: [PATCH 187/915] Upgrade devture/ansible (2.13.6-r0 -> 2.13.6-r0-1) This is a rebuild on Alpinelinux 3.17.0 (previously 3.16.2). The new container image tag was pushed for arm32 and arm64 architectures as well (2.13.6-r0 was `amd64`-only due to CI trouble in the past). Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2353 --- docs/ansible.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ansible.md b/docs/ansible.md index 221222830..60be6164c 100644 --- a/docs/ansible.md +++ b/docs/ansible.md @@ -65,7 +65,7 @@ docker run -it --rm \ -w /work \ -v `pwd`:/work \ --entrypoint=/bin/sh \ -docker.io/devture/ansible:2.13.6-r0 +docker.io/devture/ansible:2.13.6-r0-1 ``` Once you execute the above command, you'll be dropped into a `/work` directory inside a Docker container. From 33fb5a46657676ce98fa9bca1c187436a6aba367 Mon Sep 17 00:00:00 2001 From: Samuel Meenzen Date: Wed, 21 Dec 2022 18:21:49 +0100 Subject: [PATCH 188/915] Upgrade Conduit (0.4.0 -> 0.5.0) --- roles/custom/matrix-conduit/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-conduit/defaults/main.yml b/roles/custom/matrix-conduit/defaults/main.yml index 366321b9c..bbab5cde0 100644 --- a/roles/custom/matrix-conduit/defaults/main.yml +++ b/roles/custom/matrix-conduit/defaults/main.yml @@ -6,7 +6,7 @@ matrix_conduit_enabled: true matrix_conduit_docker_image: "{{ matrix_conduit_docker_image_name_prefix }}matrixconduit/matrix-conduit:{{ matrix_conduit_docker_image_tag }}" matrix_conduit_docker_image_name_prefix: "docker.io/" -matrix_conduit_docker_image_tag: "v0.4.0" +matrix_conduit_docker_image_tag: "v0.5.0" matrix_conduit_docker_image_force_pull: "{{ matrix_conduit_docker_image.endswith(':latest') }}" matrix_conduit_base_path: "{{ matrix_base_data_path }}/conduit" From 0179b0f1659d293b3840dc58b0a2cf38945f1c37 Mon Sep 17 00:00:00 2001 
From: Samuel Meenzen Date: Wed, 21 Dec 2022 18:28:34 +0100 Subject: [PATCH 189/915] Remove conduit workaround Conduit update 0.5.0 fixed the issue, so this is no longer needed. --- group_vars/matrix_servers | 4 ---- roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml | 4 ++-- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 93102a887..2a9e0414a 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -718,10 +718,6 @@ matrix_mautrix_discord_database_engine: "{{ 'postgres' if devture_postgres_enabl matrix_mautrix_discord_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_mautrix_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudiscord.db', rounds=655555) | to_uuid }}" -# Enabling bridge.restricted_rooms for this bridge does not work well with Conduit, so we disable it by default. -# This will be fixed in the upcoming `0.5.0` release of conduit. -matrix_mautrix_discord_bridge_restricted_rooms: "{{ false if matrix_homeserver_implementation == 'conduit' else true }}" - ###################################################################### # # /matrix-bridge-mautrix-discord diff --git a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml index bb8846f5f..a66d5c6ad 100644 --- a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml 
@@ -141,6 +141,6 @@ matrix_mautrix_discord_bridge_encryption_allow: false matrix_mautrix_discord_bridge_encryption_default: "{{ matrix_mautrix_discord_bridge_encryption_allow }}" matrix_mautrix_discord_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_discord_bridge_encryption_allow }}" -# On conduit this option may prevent you from joining spaces created by the bridge. -# Setting this to false fixes the issue. +# On conduit versions before 0.5.0 this option prevented users from joining spaces created by the bridge. +# Setting this to false fixed the issue. matrix_mautrix_discord_bridge_restricted_rooms: true From bef4fe5d9e8116122acdb84a81f17c188f611b2f Mon Sep 17 00:00:00 2001 From: adam-kress Date: Wed, 21 Dec 2022 13:16:09 -0500 Subject: [PATCH 190/915] Update element v1.11.16 -> v1.11.17 --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 480e41a43..d359108ca 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml @@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.11.16 +matrix_client_element_version: v1.11.17 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" 
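Review bot: Dropping the Conduit-conditional override of `matrix_mautrix_discord_bridge_restricted_rooms` from group_vars (the pure-deletion hunk at the end of the preceding line) means a deployment that pins `matrix_conduit_docker_image_tag` below v0.5.0 silently gets `restricted_rooms: true` and the join problem the comment describes. The rewritten comment in defaults/main.yml now reads as history only, so the requirement is no longer stated anywhere visible; consider phrasing it as a current constraint, e.g. `# Requires Conduit 0.5.0 or later; with earlier Conduit versions users could not join spaces created by the bridge while this is enabled.`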
From d1442dec153e0d3e16e4588e18f9ff752135994a Mon Sep 17 00:00:00 2001 From: Kuchenmampfer <79256346+Kuchenmampfer@users.noreply.github.com> Date: Thu, 22 Dec 2022 22:31:38 +0000 Subject: [PATCH 191/915] Upgrade Signald Fixes the following issue when trying to use the !pm command: https://gitlab.com/signald/signald/-/issues/345 --- roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml index 18681feb5..3bdb02c87 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml @@ -10,7 +10,7 @@ matrix_mautrix_signal_docker_repo_version: "{{ 'master' if matrix_mautrix_signal matrix_mautrix_signal_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signal/docker-src" matrix_mautrix_signal_version: v0.4.2 -matrix_mautrix_signal_daemon_version: 0.23.0 +matrix_mautrix_signal_daemon_version: 0.23.1 # See: https://mau.dev/mautrix/signal/container_registry matrix_mautrix_signal_docker_image: "dock.mau.dev/mautrix/signal:{{ matrix_mautrix_signal_version }}" matrix_mautrix_signal_docker_image_force_pull: "{{ matrix_mautrix_signal_docker_image.endswith(':latest') }}" From 8b2a86e35ea42c6cb58cac3acb9a53d12e98190e Mon Sep 17 00:00:00 2001 From: Aine Date: Fri, 23 Dec 2022 13:00:35 +0200 Subject: [PATCH 192/915] update beeper-linkedin 0.5.3 -> 0.5.4 --- .../defaults/main.yml | 4 +++- .../templates/config.yaml.j2 | 16 ++++++++-------- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml b/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml index 92d9b2e18..513eba14e 100644 --- a/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml +++ b/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml 
@@ -4,7 +4,7 @@ matrix_beeper_linkedin_enabled: true -matrix_beeper_linkedin_version: v0.5.3 +matrix_beeper_linkedin_version: v0.5.4 # See: https://github.com/beeper/linkedin/pkgs/container/linkedin matrix_beeper_linkedin_docker_image: "{{ matrix_beeper_linkedin_docker_image_name_prefix }}beeper/linkedin:{{ matrix_beeper_linkedin_docker_image_tag }}" @@ -27,6 +27,8 @@ matrix_beeper_linkedin_appservice_address: "http://matrix-beeper-linkedin:29319" matrix_beeper_linkedin_bridge_presence: true +matrix_beeper_linkedin_bridge_space_support_enable: true + matrix_beeper_linkedin_command_prefix: "!li" matrix_beeper_linkedin_bridge_permissions: | diff --git a/roles/custom/matrix-bridge-beeper-linkedin/templates/config.yaml.j2 b/roles/custom/matrix-bridge-beeper-linkedin/templates/config.yaml.j2 index a30f24253..8b9c81ead 100644 --- a/roles/custom/matrix-bridge-beeper-linkedin/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-beeper-linkedin/templates/config.yaml.j2 
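Review bot: `matrix_beeper_linkedin_bridge_space_support_enable: true` is introduced without a comment, while the template hunk in the same commit (config.yaml.j2) explains the option as creating a space per user and inviting the user and all puppets to it. A comment on the default would save readers a trip to the template: `# Whether the bridge creates a space per user and invites the user (and all of their puppets) to it`. In the template, the space `name: "LinkedIn"` is hard-coded while `enable` two lines above it is variable-backed; if that asymmetry is intentional it may be fine, but it is worth a word.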
@@ -88,15 +88,15 @@ manhole: # Bridge config bridge: # Localpart template of MXIDs for LinkedIn users. + # {userid} is replaced with the user ID of the LinkedIn user username_template: "linkedin_{userid}" - # Displayname template for LinkedIn users. - # Localpart template for per-user room grouping community IDs. - # The bridge will create these communities and add all of the specific user's portals to the community. - # {localpart} is the MXID localpart and {server} is the MXID server part of the user. - # (Note that, by default, non-admins might not have your homeserver's permission to create - # communities. You should set `enable_group_creation: true` in homeserver.yaml to fix this.) - # `linkedin_{localpart}={server}` is a good value. - community_template: null + # Settings for creating a space for every user. + space_support: + # Whether or not to enable creating a space per user and inviting the + # user (as well as all of the puppets) to that space. + enable: {{ matrix_beeper_linkedin_bridge_space_support_enable|to_json }} + # The name of the space + name: "LinkedIn" # Displayname template for LinkedIn users. # {displayname} is replaced with the display name of the LinkedIn user From 6795fe35782e387cb7f789f3d39a0c6a21e9163d Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 23 Dec 2022 15:46:33 +0000 Subject: [PATCH 193/915] Update ntfy 1.29.1 -> 1.30.1 --- roles/custom/matrix-ntfy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-ntfy/defaults/main.yml b/roles/custom/matrix-ntfy/defaults/main.yml index 981eba362..397efb35f 100644 --- a/roles/custom/matrix-ntfy/defaults/main.yml +++ b/roles/custom/matrix-ntfy/defaults/main.yml 
@@ -7,7 +7,7 @@ matrix_ntfy_base_path: "{{ matrix_base_data_path }}/ntfy" matrix_ntfy_config_dir_path: "{{ matrix_ntfy_base_path }}/config" matrix_ntfy_data_path: "{{ matrix_ntfy_base_path }}/data" -matrix_ntfy_version: v1.29.1 +matrix_ntfy_version: v1.30.1 matrix_ntfy_docker_image: "{{ matrix_container_global_registry_prefix }}binwiederhier/ntfy:{{ matrix_ntfy_version }}" matrix_ntfy_docker_image_force_pull: "{{ matrix_ntfy_docker_image.endswith(':latest') }}" From ba09705f7fbaf0108652ecbe209793b1d935eba7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 26 Dec 2022 07:58:32 +0200 Subject: [PATCH 194/915] Make Jitsi auth setup not show credentials in the shell Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2363 --- roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth.yml b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth.yml index 4edc5431b..60a49b427 100644 --- a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth.yml +++ b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth.yml @@ -22,6 +22,7 @@ - matrix_jitsi_prosody_auth_internal_accounts|length > 0 register: matrix_jitsi_user_configuration_result changed_when: matrix_jitsi_user_configuration_result.rc == 0 + no_log: true # # Tasks related to configuring other Jitsi authentication mechanisms From a6d7370106149e079af50590d228909d6122cf33 Mon Sep 17 00:00:00 2001 
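Review bot: `no_log: true` on the Jitsi account-registration task also hides the command's stdout/stderr when it fails, so a bad prosody path or a malformed `matrix_jitsi_prosody_auth_internal_accounts` entry will now surface only as Ansible's generic "output has been hidden due to no_log" message. Since the result is already captured in `matrix_jitsi_user_configuration_result`, consider making the suppression switchable, e.g. `no_log: "{{ not (matrix_jitsi_auth_debug | default(false) | bool) }}"`, so operators can opt into seeing the error without a code change. The command itself starts above the hunk; if it passes the password as a command-line argument, note in a comment that `no_log` keeps it out of Ansible's output but not out of the host's process list while the command runs.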
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Dec 2022 16:06:33 +0000 Subject: [PATCH 195/915] Bump ansible-community/ansible-lint-action from 6.8.2 to 6.10.0 Bumps [ansible-community/ansible-lint-action](https://github.com/ansible-community/ansible-lint-action) from 6.8.2 to 6.10.0. - [Release notes](https://github.com/ansible-community/ansible-lint-action/releases) - [Commits](https://github.com/ansible-community/ansible-lint-action/compare/v6.8.2...v6.10.0) --- updated-dependencies: - dependency-name: ansible-community/ansible-lint-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/matrix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml index 6c7ce3cad..8d846c059 100644 --- a/.github/workflows/matrix.yml +++ b/.github/workflows/matrix.yml @@ -21,6 +21,6 @@ jobs: - name: Check out uses: actions/checkout@v3 - name: Run ansible-lint - uses: ansible-community/ansible-lint-action@v6.8.2 + uses: ansible-community/ansible-lint-action@v6.10.0 with: path: roles/custom From 2188dd34d108907037007ecf3f5dec3004d8d565 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 28 Dec 2022 15:29:09 +0200 Subject: [PATCH 196/915] Add missing install-* tags in setup.yml Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2356 --- playbooks/matrix.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index 9f6d8f77a..088ea6406 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml 
@@ -18,18 +18,24 @@ tags: - setup-docker - setup-all + - install-docker + - install-all - when: devture_docker_sdk_for_python_installation_enabled | bool role: galaxy/com.devture.ansible.role.docker_sdk_for_python tags: - setup-docker - setup-all + - install-docker + - install-all - when: devture_timesync_installation_enabled | bool role: galaxy/com.devture.ansible.role.timesync tags: - setup-timesync - setup-all + - install-timesync + - install-all - custom/matrix-base - custom/matrix-dynamic-dns From d018677293e9637c6ca53cf1f0e1f2846ed51763 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 30 Dec 2022 18:12:38 +0200 Subject: [PATCH 197/915] Upgrade geerlingguy.docker (6.0.3 -> 6.0.4) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index eef5b0543..93c802158 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1,7 +1,7 @@ --- - src: geerlingguy.docker - version: 6.0.3 + version: 6.0.4 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git version: 6ba3be490b6f4c6f35ea109aeb8e533fa231b3a5 From 73e689e48eeef12906478bc6190a5254193ad0c1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 31 Dec 2022 17:33:46 +0200 Subject: [PATCH 198/915] Fix --tags=register-user not working on Dendrite due to broken Jinja syntax Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2369 --- roles/custom/matrix-dendrite/tasks/register_user.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-dendrite/tasks/register_user.yml b/roles/custom/matrix-dendrite/tasks/register_user.yml index 1e2fc100f..8ee18ed2f 100644 --- a/roles/custom/matrix-dendrite/tasks/register_user.yml +++ b/roles/custom/matrix-dendrite/tasks/register_user.yml 
@@ -29,6 +29,6 @@ - name: Register user ansible.builtin.command: - cmd: "{{ {{ matrix_dendrite_bin_path }} }}/create-account {{ username | quote }} {{ password | quote }} {{ '1' if admin == 'yes' else '0' }}" + cmd: "{{ matrix_dendrite_bin_path }}/create-account {{ username | quote }} {{ password | quote }} {{ '1' if admin == 'yes' else '0' }}" register: matrix_dendrite_register_user_result changed_when: matrix_dendrite_register_user_result.rc == 0 From 1abba4c9181982da12aa0f1464a01754d8103c9e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 2 Jan 2023 14:39:54 +0200 Subject: [PATCH 199/915] Upgrade matrix-corporal (2.5.0 -> 2.5.1) --- roles/custom/matrix-corporal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-corporal/defaults/main.yml b/roles/custom/matrix-corporal/defaults/main.yml index 136f3f8bd..9f6da78ae 100644 --- a/roles/custom/matrix-corporal/defaults/main.yml +++ b/roles/custom/matrix-corporal/defaults/main.yml @@ -23,7 +23,7 @@ matrix_corporal_container_extra_arguments: [] # List of systemd services that matrix-corporal.service depends on matrix_corporal_systemd_required_services_list: ['docker.service'] -matrix_corporal_version: 2.5.0 +matrix_corporal_version: 2.5.1 matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}" matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_corporal_docker_image_tag: "{{ matrix_corporal_version }}" # for backward-compatibility From 784e5492d558f40ea990f3f8c27c8bdc8658c143 Mon Sep 17 00:00:00 2001 
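Review bot: The repaired `cmd:` still interpolates `{{ password | quote }}` into the command line and the task has no `no_log`, so the plaintext password is printed in the Ansible output and log of every `--tags=register-user` run, and is visible in the host's process list while `create-account` executes; the Jitsi task earlier in this same series was just given `no_log: true` for exactly this reason. I would add `no_log: true` next to `register: matrix_dendrite_register_user_result` and mention in a comment that Dendrite's `create-account` only accepts the password as an argument (if that is indeed the case, which the hunk does not show). The `changed_when: ... rc == 0` line marks every successful run as changed, which is acceptable for an on-demand tag but worth a one-line comment; the task begins above the hunk.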
From: Cody Wyatt Neiman Date: Wed, 2 Nov 2022 18:11:32 -0400 Subject: [PATCH 200/915] Add matrix-bridge-mautrix-slack role --- ...nfiguring-playbook-bridge-mautrix-slack.md | 78 ++++++ group_vars/matrix_servers | 6 + .../defaults/main.yml | 138 +++++++++++ .../tasks/init.yml | 21 ++ .../tasks/main.yml | 22 ++ .../tasks/setup_install.yml | 121 +++++++++ .../tasks/setup_uninstall.yml | 25 ++ .../tasks/validate_config.yml | 10 + .../templates/config.yaml.j2 | 231 ++++++++++++++++++ .../systemd/matrix-mautrix-slack.service.j2 | 43 ++++ setup.yml | 0 11 files changed, 695 insertions(+) create mode 100644 docs/configuring-playbook-bridge-mautrix-slack.md create mode 100644 roles/matrix-bridge-mautrix-slack/defaults/main.yml create mode 100644 roles/matrix-bridge-mautrix-slack/tasks/init.yml create mode 100644 roles/matrix-bridge-mautrix-slack/tasks/main.yml create mode 100644 roles/matrix-bridge-mautrix-slack/tasks/setup_install.yml create mode 100644 roles/matrix-bridge-mautrix-slack/tasks/setup_uninstall.yml create mode 100644 roles/matrix-bridge-mautrix-slack/tasks/validate_config.yml create mode 100644 roles/matrix-bridge-mautrix-slack/templates/config.yaml.j2 create mode 100644 roles/matrix-bridge-mautrix-slack/templates/systemd/matrix-mautrix-slack.service.j2 mode change 120000 => 100755 setup.yml diff --git a/docs/configuring-playbook-bridge-mautrix-slack.md b/docs/configuring-playbook-bridge-mautrix-slack.md new file mode 100644 index 000000000..e941b346c --- /dev/null +++ b/docs/configuring-playbook-bridge-mautrix-slack.md 
@@ -0,0 +1,78 @@ +# Setting up Mautrix Slack (optional) + +**Note**: bridging to [Slack](https://slack.com/) can also happen via the [mx-puppet-slack](configuring-playbook-bridge-mx-puppet-slack.md) and [matrix-appservice-slack](configuring-playbook-bridge-appservice-slack.md) bridges supported by the playbook. +- For using as a Bot we recommend the [Appservice Slack](configuring-playbook-bridge-appservice-slack.md), because it supports plumbing. +- For personal use with a slack account we recommend the `mautrix-slack` bridge (the one being discussed here), because it is the most fully-featured and stable of the 3 Slack bridges supported by the playbook. +The `mautrix-slack` bridge (the one being discussed here) is the most fully-featured and stable of the 3 Slack bridges supported by the playbook, so it's the one we recommend. + +The playbook can install and configure [mautrix-slack](https://github.com/mautrix/slack) for you. + +See the project's [documentation](https://docs.mau.fi/bridges/go/slack/index.html) to learn what it does and why it might be useful to you. + +Note that as of Oct 2022, support for multiple Matrix users using the bot is incomplete. Different users do not yet share the bridged channels. Everyone gets their own copy. + +See the [features and roadmap](https://github.com/mautrix/slack/blob/main/ROADMAP.md) for more information. + + +## Prerequisites + +For using this bridge, you would need to authenticate by **providing your username and password** (legacy) or by using a **token login**. See more information in the [docs](https://docs.mau.fi/bridges/go/slack/authentication.html). + +Note that neither of these methods are officially supported by Slack. [matrix-appservice-slack](configuring-playbook-bridge-appservice-slack.md) uses a Slack bot account which is the only Slack officially supported method for bridging a channel. 
+ + +## Installing + +To enable the bridge, add this to your `vars.yml` file: + +```yaml +matrix_mautrix_slack_enabled: true +``` + +You may optionally wish to add some [Additional configuration](#additional-configuration), or to [prepare for double-puppeting](#set-up-double-puppeting) before the initial installation. + +After adjusting your `vars.yml` file, re-run the playbook and restart all services: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` + +To make use of the bridge, see [Usage](#usage) below. + + +### Additional configuration + +There are some additional things you may wish to configure about the bridge. + +Take a look at: + +- `roles/matrix-bridge-mautrix-slack/defaults/main.yml` for some variables that you can customize via your `vars.yml` file +- `roles/matrix-bridge-mautrix-slack/templates/config.yaml.j2` for the bridge's default configuration. You can override settings (even those that don't have dedicated playbook variables) using the `matrix_mautrix_slack_configuration_extension_yaml` variable + + +### Set up Double Puppeting + +If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it. + +#### Method 1: automatically, by enabling Shared Secret Auth + +The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook. + +This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future. + +#### Method 2: manually, by asking each user to provide a working access token + +**Note**: This method for enabling Double Puppeting can be configured only after you've already set up bridging (see [Usage](#usage)). 
+ +When using this method, **each user** that wishes to enable Double Puppeting needs to follow the following steps: + +- retrieve a Matrix access token for yourself. Refer to the documentation on [how to do that](obtaining-access-tokens.md). + +- send the access token to the bot. Example: `login-matrix MATRIX_ACCESS_TOKEN_HERE` + +- make sure you don't log out the `Mautrix-Slack` device some time in the future, as that would break the Double Puppeting feature + + +## Usage + +1. Start a chat with `@slackbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain). +2. If you would like to login to Slack using a token, send the `login-token` command, otherwise, send the `login-password` command. +3. The bot should respond with "Successfully logged into for team " +4. Now that you're logged in, you can send a `help` command to the bot again, to see additional commands you have access to. +5. Slack channels should automatically begin bridging if you authenticated using a token. Otherwise, you must wait to receive a message in the channel if you used password authentication. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 2a9e0414a..9178314ee 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -2444,6 +2444,12 @@ devture_postgres_managed_databases_auto: | 'password': matrix_mautrix_discord_database_password, }] if (matrix_mautrix_discord_enabled and matrix_mautrix_discord_database_engine == 'postgres' and matrix_mautrix_discord_database_hostname == devture_postgres_connection_hostname) else []) + + ([{ + 'name': matrix_mautrix_slack_database_name, + 'username': matrix_mautrix_slack_database_username, + 'password': matrix_mautrix_slack_database_password, + }] if (matrix_mautrix_slack_enabled and matrix_mautrix_slack_database_engine == 'postgres' and matrix_mautrix_slack_database_hostname == 'matrix-postgres') else []) + + ([{ 'name': matrix_mx_puppet_slack_database_name, 'username': matrix_mx_puppet_slack_database_username, diff --git a/roles/matrix-bridge-mautrix-slack/defaults/main.yml b/roles/matrix-bridge-mautrix-slack/defaults/main.yml new file mode 100644 index 000000000..c2b5a159c --- /dev/null +++ b/roles/matrix-bridge-mautrix-slack/defaults/main.yml 
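Review bot: The new managed-database entry compares `matrix_mautrix_slack_database_hostname` against the literal `'matrix-postgres'`, whereas the `matrix_mautrix_discord` entry directly above compares against `devture_postgres_connection_hostname`; if the Postgres hostname is changed through that variable, the slack database silently stops being auto-provisioned while the bridge still tries to connect. I would change the condition to `matrix_mautrix_slack_database_hostname == devture_postgres_connection_hostname` like its neighbours. I also do not see the usual integration block for a new bridge in this 6-line group_vars change (`matrix_mautrix_slack_enabled: false`, `database_engine: postgres`, a `database_password` derived from `matrix_homeserver_generic_secret_key`, systemd dependencies), so with the role defaults in this commit a Postgres deployment would run with the placeholder password `'some-password'` over `sslmode=disable`; worth confirming that block was not left out by mistake. The `devture_postgres_managed_databases_auto` list starts outside the hunk.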
@@ -0,0 +1,138 @@ +--- +# mautrix-slack is a Matrix <-> Slack bridge +# Project source code URL: https://github.com/mautrix/slack + +matrix_mautrix_slack_enabled: true + +matrix_mautrix_slack_container_image_self_build: false +matrix_mautrix_slack_container_image_self_build_repo: "https://mau.dev/mautrix/slack.git" +matrix_mautrix_slack_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_slack_version == 'latest' else matrix_mautrix_slack_version }}" + +matrix_mautrix_slack_version: latest +# See: https://mau.dev/mautrix/slack/container_registry +matrix_mautrix_slack_docker_image: "{{ matrix_mautrix_slack_docker_image_name_prefix }}mautrix/slack:{{ matrix_mautrix_slack_version }}" +matrix_mautrix_slack_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_slack_container_image_self_build else 'dock.mau.dev/' }}" +matrix_mautrix_slack_docker_image_force_pull: "{{ matrix_mautrix_slack_docker_image.endswith(':latest') }}" + +matrix_mautrix_slack_base_path: "{{ matrix_base_data_path }}/mautrix-slack" +matrix_mautrix_slack_config_path: "{{ matrix_mautrix_slack_base_path }}/config" +matrix_mautrix_slack_data_path: "{{ matrix_mautrix_slack_base_path }}/data" +matrix_mautrix_slack_docker_src_files_path: "{{ matrix_mautrix_slack_base_path }}/docker-src" + +matrix_mautrix_slack_homeserver_address: "{{ matrix_homeserver_container_url }}" +matrix_mautrix_slack_homeserver_domain: "{{ matrix_domain }}" +matrix_mautrix_slack_appservice_address: "http://matrix-mautrix-slack:8080" + +matrix_mautrix_slack_command_prefix: "!slack" + +matrix_mautrix_slack_bridge_permissions: | + {{ + {matrix_mautrix_slack_homeserver_domain: 'user'} + | combine({matrix_admin: 'admin'} if matrix_admin else {}) + }} + +# A list of extra arguments to pass to the container +matrix_mautrix_slack_container_extra_arguments: [] + +# List of systemd services that matrix-mautrix-slack.service depends on. 
+matrix_mautrix_slack_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-mautrix-slack.service wants +matrix_mautrix_slack_systemd_wanted_services_list: [] + +matrix_mautrix_slack_appservice_token: '' +matrix_mautrix_slack_homeserver_token: '' + +matrix_mautrix_slack_appservice_bot_username: slackbot + +# Minimum severity of journal log messages. +# Options: debug, info, warn, error, fatal +matrix_mautrix_slack_logging_level: 'warn' + +# Database-related configuration fields. +# +# To use SQLite, stick to these defaults. +# +# To use Postgres: +# - change the engine (`matrix_mautrix_slack_database_engine: 'postgres'`) +# - adjust your database credentials via the `matrix_mautrix_slack_database_*` variables +matrix_mautrix_slack_database_engine: 'sqlite' + +matrix_mautrix_slack_sqlite_database_path_local: "{{ matrix_mautrix_slack_data_path }}/mautrix-slack.db" +matrix_mautrix_slack_sqlite_database_path_in_container: "/data/mautrix-slack.db" + +matrix_mautrix_slack_database_username: 'matrix_mautrix_slack' +matrix_mautrix_slack_database_password: 'some-password' +matrix_mautrix_slack_database_hostname: 'matrix-postgres' +matrix_mautrix_slack_database_port: 5432 +matrix_mautrix_slack_database_name: 'matrix_mautrix_slack' + +matrix_mautrix_slack_database_connection_string: 'postgresql://{{ matrix_mautrix_slack_database_username }}:{{ matrix_mautrix_slack_database_password }}@{{ matrix_mautrix_slack_database_hostname }}:{{ matrix_mautrix_slack_database_port }}/{{ matrix_mautrix_slack_database_name }}?sslmode=disable' + +matrix_mautrix_slack_appservice_database_type: "{{ + { + 'sqlite': 'sqlite3', + 'postgres':'postgres', + }[matrix_mautrix_slack_database_engine] +}}" + +matrix_mautrix_slack_appservice_database_uri: "{{ + { + 'sqlite': matrix_mautrix_slack_sqlite_database_path_in_container, + 'postgres': matrix_mautrix_slack_database_connection_string, + }[matrix_mautrix_slack_database_engine] +}}" + +# Can be set to enable 
automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). +matrix_mautrix_slack_login_shared_secret: '' +matrix_mautrix_slack_bridge_login_shared_secret_map: + "{{ {matrix_mautrix_slack_homeserver_domain: matrix_mautrix_slack_login_shared_secret} if matrix_mautrix_slack_login_shared_secret else {} }}" + +# Servers to always allow double puppeting from +matrix_mautrix_slack_bridge_double_puppet_server_map: + "{{ matrix_mautrix_slack_homeserver_domain : matrix_mautrix_slack_homeserver_address }}" + +# Default mautrix-slack configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_mautrix_slack_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_mautrix_slack_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" + +matrix_mautrix_slack_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_mautrix_slack_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_mautrix_slack_configuration_yaml`. + +matrix_mautrix_slack_configuration_extension: "{{ matrix_mautrix_slack_configuration_extension_yaml | from_yaml if matrix_mautrix_slack_configuration_extension_yaml | from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_mautrix_slack_configuration_yaml`. 
+matrix_mautrix_slack_configuration: "{{ matrix_mautrix_slack_configuration_yaml | from_yaml | combine(matrix_mautrix_slack_configuration_extension, recursive=True) }}" + +matrix_mautrix_slack_registration_yaml: | + id: slack + url: {{ matrix_mautrix_slack_appservice_address }} + as_token: "{{ matrix_mautrix_slack_appservice_token }}" + hs_token: "{{ matrix_mautrix_slack_homeserver_token }}" + # See https://github.com/mautrix/signal/issues/43 + sender_localpart: _bot_{{ matrix_mautrix_slack_appservice_bot_username }} + rate_limited: false + namespaces: + users: + - regex: '^@slack_[0-9]+:{{ matrix_mautrix_slack_homeserver_domain | regex_escape }}$' + exclusive: true + - exclusive: true + regex: '^@{{ matrix_mautrix_slack_appservice_bot_username | regex_escape }}:{{ matrix_mautrix_slack_homeserver_domain | regex_escape }}$' + de.sorunome.msc2409.push_ephemeral: true + +matrix_mautrix_slack_registration: "{{ matrix_mautrix_slack_registration_yaml | from_yaml }}" + +# Enable End-to-bridge encryption +matrix_mautrix_slack_bridge_encryption_allow: false +matrix_mautrix_slack_bridge_encryption_default: "{{ matrix_mautrix_slack_bridge_encryption_allow }}" +matrix_mautrix_slack_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_slack_bridge_encryption_allow }}" diff --git a/roles/matrix-bridge-mautrix-slack/tasks/init.yml b/roles/matrix-bridge-mautrix-slack/tasks/init.yml new file mode 100644 index 000000000..0ea03f5b2 --- /dev/null +++ b/roles/matrix-bridge-mautrix-slack/tasks/init.yml 
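Review bot: `matrix_mautrix_slack_enabled: true` as the role default, combined with the absence of a `matrix_mautrix_slack_enabled: false` override in the group_vars change of this commit, means every deployment that includes the role will try to install the bridge and then fail `validate_config.yml` on the empty `matrix_mautrix_slack_appservice_token`; unless an override exists somewhere I cannot see, either flip the default to `false` or add the group_vars override. Separately, `matrix_mautrix_slack_bridge_double_puppet_server_map: "{{ matrix_mautrix_slack_homeserver_domain : matrix_mautrix_slack_homeserver_address }}"` is, as far as I can tell, not valid Jinja (a bare `key : value` without dict braces — compare `_login_shared_secret_map` just above) and will error at template time; it should read `"{{ {matrix_mautrix_slack_homeserver_domain: matrix_mautrix_slack_homeserver_address} }}"`. Finally, `matrix_mautrix_slack_database_password: 'some-password'` is interpolated into a `sslmode=disable` connection string and written to config.yaml; that matches the other bridge roles, but a comment stating that this value must be overridden (normally from group_vars via the generic secret key) would keep it from being deployed as-is.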
@@ -0,0 +1,21 @@ +--- +- ansible.builtin.set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-slack.service'] }}" + when: matrix_mautrix_slack_enabled | bool + +# If the matrix-synapse role is not used, these variables may not exist. +- ansible.builtin.set_fact: + matrix_homeserver_container_runtime_injected_arguments: > + {{ + matrix_homeserver_container_runtime_injected_arguments | default([]) + + + ["--mount type=bind,src={{ matrix_mautrix_slack_config_path }}/registration.yaml,dst=/matrix-mautrix-slack-registration.yaml,ro"] + }} + + matrix_homeserver_app_service_runtime_injected_config_files: > + {{ + matrix_homeserver_app_service_runtime_injected_config_files | default([]) + + + ["/matrix-mautrix-slack-registration.yaml"] + }} + when: matrix_mautrix_slack_enabled | bool diff --git a/roles/matrix-bridge-mautrix-slack/tasks/main.yml b/roles/matrix-bridge-mautrix-slack/tasks/main.yml new file mode 100644 index 000000000..d7fc02023 --- /dev/null +++ b/roles/matrix-bridge-mautrix-slack/tasks/main.yml @@ -0,0 +1,22 @@ +--- +- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup | bool and matrix_mautrix_slack_enabled | bool" + tags: + - setup-all + - setup-mautrix-slack + +- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup and matrix_mautrix_slack_enabled" + tags: + - setup-all + - setup-mautrix-slack + +- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup and not matrix_mautrix_slack_enabled" + tags: + - setup-all + - setup-mautrix-slack diff --git a/roles/matrix-bridge-mautrix-slack/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-slack/tasks/setup_install.yml new file mode 100644 index 000000000..3c9306a53 --- /dev/null +++ b/roles/matrix-bridge-mautrix-slack/tasks/setup_install.yml 
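Review bot: In main.yml the install and uninstall imports use `when: "run_setup and matrix_mautrix_slack_enabled"` and `when: "run_setup and not matrix_mautrix_slack_enabled"` without `| bool`, while the validate_config import two tasks earlier uses `run_setup | bool and matrix_mautrix_slack_enabled | bool`; a value supplied as a string (e.g. `-e matrix_mautrix_slack_enabled=false` on the command line) is truthy, so the bridge would be installed rather than removed. I would make the three conditions consistent: `when: "run_setup | bool and matrix_mautrix_slack_enabled | bool"` and `when: "run_setup | bool and not matrix_mautrix_slack_enabled | bool"`. The init.yml hunk looks fine to me: the registration file is bind-mounted into the homeserver read-only.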
@@ -0,0 +1,121 @@ +--- + +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + ansible.builtin.fail: + msg: >- + The matrix-bridge-mautrix-slack role needs to execute before the matrix-synapse role. + when: "matrix_synapse_role_executed | default(False)" + +- ansible.builtin.set_fact: + matrix_mautrix_slack_requires_restart: false + +- when: "matrix_mautrix_slack_database_engine == 'postgres'" + block: + - name: Check if an SQLite database already exists + ansible.builtin.stat: + path: "{{ matrix_mautrix_slack_sqlite_database_path_local }}" + register: matrix_mautrix_slack_sqlite_database_path_local_stat_result + + - when: "matrix_mautrix_slack_sqlite_database_path_local_stat_result.stat.exists | bool" + block: + - ansible.builtin.set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_mautrix_slack_sqlite_database_path_local }}" + dst: "{{ matrix_mautrix_slack_database_connection_string }}" + caller: "{{ role_path | basename }}" + engine_variable_name: 'matrix_mautrix_slack_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-mautrix-slack.service'] + pgloader_options: ['--with "quote identifiers"'] + + - ansible.builtin.import_role: + name: matrix-postgres + tasks_from: migrate_db_to_postgres + + - ansible.builtin.set_fact: + matrix_mautrix_slack_requires_restart: true + +- name: Ensure Mautrix Slack paths exists + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {path: "{{ matrix_mautrix_slack_base_path }}", when: true} + - {path: "{{ matrix_mautrix_slack_config_path }}", when: true} + - {path: "{{ matrix_mautrix_slack_data_path }}", when: true} + - {path: "{{ matrix_mautrix_slack_docker_src_files_path }}", when: "{{ matrix_mautrix_slack_container_image_self_build }}"} + when: 
item.when | bool + +- name: Ensure Mautrix Slack image is pulled + community.docker.docker_image: + name: "{{ matrix_mautrix_slack_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mautrix_slack_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_slack_docker_image_force_pull }}" + when: not matrix_mautrix_slack_container_image_self_build + register: result + retries: "{{ matrix_container_retries_count }}" + delay: "{{ matrix_container_retries_delay }}" + until: result is not failed + +- name: Ensure Mautrix slack repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_mautrix_slack_container_image_self_build_repo }}" + dest: "{{ matrix_mautrix_slack_docker_src_files_path }}" + version: "{{ matrix_mautrix_slack_container_image_self_build_branch }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_mautrix_slack_git_pull_results + when: "matrix_mautrix_slack_container_image_self_build | bool" + +- name: Ensure Mautrix slack Docker image is built + community.docker.docker_image: + name: "{{ matrix_mautrix_slack_docker_image }}" + source: build + force_source: "{{ matrix_mautrix_slack_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_slack_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_mautrix_slack_docker_src_files_path }}" + pull: true + when: "matrix_mautrix_slack_container_image_self_build | bool" + +- name: Ensure mautrix-slack config.yaml installed + ansible.builtin.copy: + content: "{{ matrix_mautrix_slack_configuration | to_nice_yaml(indent=2, width=999999) }}" + dest: "{{ 
matrix_mautrix_slack_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure mautrix-slack registration.yaml installed + ansible.builtin.copy: + content: "{{ matrix_mautrix_slack_registration | to_nice_yaml(indent=2, width=999999) }}" + dest: "{{ matrix_mautrix_slack_config_path }}/registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-mautrix-slack.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-mautrix-slack.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-mautrix-slack.service" + mode: 0644 + register: matrix_mautrix_slack_systemd_service_result + +- name: Ensure systemd reloaded after matrix-mautrix-slack.service installation + ansible.builtin.service: + daemon_reload: true + when: "matrix_mautrix_slack_systemd_service_result.changed" + +- name: Ensure matrix-mautrix-slack.service restarted, if necessary + ansible.builtin.service: + name: "matrix-mautrix-slack.service" + state: restarted + when: "matrix_mautrix_slack_requires_restart | bool" diff --git a/roles/matrix-bridge-mautrix-slack/tasks/setup_uninstall.yml b/roles/matrix-bridge-mautrix-slack/tasks/setup_uninstall.yml new file mode 100644 index 000000000..7ce6e8401 --- /dev/null +++ b/roles/matrix-bridge-mautrix-slack/tasks/setup_uninstall.yml 
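Review bot: `config.yaml` is written with `mode: 0644` even though it carries `as_token`, `hs_token` and, on Postgres, the database password in clear, and `registration.yaml` (same tokens, also `0644`) is the file bind-mounted into the homeserver; the parent directories are `0750`, which blocks traversal by other local users, but the files themselves need not be world-readable. I would use `mode: 0640` on both `ansible.builtin.copy` tasks — owner and group are already the matrix user, so this should keep working provided the containers run as that user (the systemd unit template is outside this hunk). Separately, the migration block imports `name: matrix-postgres` while the group_vars change in this same commit already refers to `devture_postgres_*`; if the Postgres role has been renamed in this tree, the SQLite→Postgres migration path would fail at runtime, so that import is worth double-checking.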
@@ -0,0 +1,25 @@ +--- + +- name: Check existence of matrix-mautrix-slack service + ansible.builtin.stat: + path: "{{ matrix_systemd_path }}/matrix-mautrix-slack.service" + register: matrix_mautrix_slack_service_stat + +- name: Ensure matrix-mautrix-slack is stopped + ansible.builtin.service: + name: matrix-mautrix-slack + state: stopped + enabled: false + daemon_reload: true + when: "matrix_mautrix_slack_service_stat.stat.exists" + +- name: Ensure matrix-mautrix-slack.service doesn't exist + ansible.builtin.file: + path: "{{ matrix_systemd_path }}/matrix-mautrix-slack.service" + state: absent + when: "matrix_mautrix_slack_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-mautrix-slack.service removal + ansible.builtin.service: + daemon_reload: true + when: "matrix_mautrix_slack_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mautrix-slack/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-slack/tasks/validate_config.yml new file mode 100644 index 000000000..ebe36e92b --- /dev/null +++ b/roles/matrix-bridge-mautrix-slack/tasks/validate_config.yml @@ -0,0 +1,10 @@ +--- + +- name: Fail if required settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_mautrix_slack_appservice_token" + - "matrix_mautrix_slack_homeserver_token" diff --git a/roles/matrix-bridge-mautrix-slack/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-slack/templates/config.yaml.j2 new file mode 100644 index 000000000..da589f05e --- /dev/null +++ b/roles/matrix-bridge-mautrix-slack/templates/config.yaml.j2 
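Review bot: validate_config.yml only rejects empty `matrix_mautrix_slack_appservice_token` / `matrix_mautrix_slack_homeserver_token`, yet `matrix_mautrix_slack_database_engine` is used as a dict key in the role defaults (`{'sqlite': ..., 'postgres': ...}[matrix_mautrix_slack_database_engine]`), so any other value fails deep inside template evaluation with an unhelpful error. I would add a second task along the lines of `when: "matrix_mautrix_slack_database_engine not in ['sqlite', 'postgres']"` with a message naming the allowed values. The uninstall hunk intentionally leaves `matrix_mautrix_slack_base_path` (config with tokens, SQLite database) on disk, consistent with the other roles; a one-line comment saying data is kept on purpose would stop the next reader from assuming it was forgotten.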
@@ -0,0 +1,231 @@ +#jinja2: lstrip_blocks: "True" +# Homeserver details. +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: {{ matrix_mautrix_slack_homeserver_address | to_json }} + # The domain of the homeserver (for MXIDs, etc). + domain: {{ matrix_mautrix_slack_homeserver_domain | to_json }} + # Is the homeserver actually mautrix-asmux? + asmux: false + # The URL to push real-time bridge status to. + # If set, the bridge will make POST requests to this URL whenever a user's slack connection state changes. + # The bridge will use the appservice as_token to authorize requests. + status_endpoint: null + # Endpoint for reporting per-message status. + message_send_checkpoint_endpoint: null + # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246? + async_media: false + +# Application service host/registration related details. +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: {{ matrix_mautrix_slack_appservice_address | to_json }} + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 8080 + + # Database config. + database: + # The database type. "sqlite3" and "postgres" are supported. + type: {{ matrix_mautrix_slack_appservice_database_type|to_json }} + # The database URI. + # SQLite: File name is enough. https://github.com/mattn/go-sqlite3#connection-string + # Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable + # To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql + uri: {{ matrix_mautrix_slack_appservice_database_uri|to_json }} + # Maximum number of connections. Mostly relevant for Postgres. + max_open_conns: 20 + max_idle_conns: 2 + # Maximum connection idle time and lifetime before they're closed. Disabled if null. 
+ # Parsed with https://pkg.go.dev/time#ParseDuration + max_conn_idle_time: null + max_conn_lifetime: null + + # The unique ID of this appservice. + id: slack + # Appservice bot details. + bot: + # Username of the appservice bot. + username: {{ matrix_mautrix_slack_appservice_bot_username|to_json }} + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + displayname: Slack bridge bot + avatar: mxc://maunium.net/pVtzLmChZejGxLqmXtQjFxem + # Whether or not to receive ephemeral events via appservice transactions. + # Requires MSC2409 support (i.e. Synapse 1.22+). + ephemeral_events: true + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. + as_token: {{ matrix_mautrix_slack_appservice_token | to_json }} + hs_token: {{ matrix_mautrix_slack_homeserver_token | to_json }} + +# Bridge config +bridge: + # Localpart template of MXIDs for Slack users. + # {{ '{{.}}' }} is replaced with the internal ID of the Slack user. + username_template: "{{ 'slack_{{.}}' }}" + # Displayname template for Slack users. + # TODO: document variables + displayname_template: "{{ '{{.RealName}} (S)' }}" + bot_displayname_template: "{{ '{{.Name}} (bot)' }}" + channel_name_template: "{{ '#{{.Name}}' }}" + + portal_message_buffer: 128 + + # Should the bridge send a read receipt from the bridge bot when a message has been sent to Slack? + delivery_receipts: true + # Whether the bridge should send the message status as a custom com.beeper.message_send_status event. + message_status_events: false + # Whether the bridge should send error notices via m.notice events when a message fails to bridge. + message_error_notices: true + + # Should the bridge sync with double puppeting to receive EDUs that aren't normally sent to appservices. + sync_with_custom_puppets: false + # Should the bridge update the m.direct account data event when double puppeting is enabled. 
+ # Note that updating the m.direct event is not atomic (except with mautrix-asmux) + # and is therefore prone to race conditions. + sync_direct_chat_list: false + + # Servers to always allow double puppeting from + double_puppet_server_map: + "{{ matrix_mautrix_slack_homeserver_domain }}": {{ matrix_mautrix_slack_homeserver_address }} + # Allow using double puppeting from any server with a valid client .well-known file. + double_puppet_allow_discovery: false + # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, double puppeting will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. + login_shared_secret_map: {{ matrix_mautrix_slack_bridge_login_shared_secret_map|to_json }} + + message_handling_timeout: + # Send an error message after this timeout, but keep waiting for the response until the deadline. + # This is counted from the origin_server_ts, so the warning time is consistent regardless of the source of delay. + # If the message is older than this when it reaches the bridge, the message won't be handled at all. + error_after: 10s + # Drop messages after this timeout. They may still go through if the message got sent to the servers. + # This is counted from the time the bridge starts handling the message. + deadline: 60s + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "{{ matrix_mautrix_slack_command_prefix }}" + # Messages sent upon joining a management room. + # Markdown is supported. The defaults are listed below. + management_room_text: + # Sent when joining a room. + welcome: "Hello, I'm a Slack bridge bot." + # Sent when joining a management room and the user is already logged in. + welcome_connected: "Use `help` for help." + # Sent when joining a management room and the user is not logged in. + welcome_unconnected: "Use `help` for help, or `login-token` or `login-password` to log in." 
+ # Optional extra text sent when joining a management room. + additional_help: "" + + backfill: + # Allow backfilling at all? Requires MSC2716 support on homeserver. + enable: false + + # If a backfilled chat is older than this number of hours, mark it as read even if it's unread on Slack. + # Set to -1 to let any chat be unread. + unread_hours_threshold: 720 + + # Number of messages to immediately backfill when creating a portal. + immediate_messages: 10 + + # Settings for incremental backfill of history. + incremental: + # Maximum number of messages to backfill per batch. + messages_per_batch: 100 + # The number of seconds to wait after backfilling the batch of messages. + post_batch_delay: 20 + # The maximum number of messages to backfill per portal, split by the chat type. + # If set to -1, all messages in the chat will eventually be backfilled. + max_messages: + # Channels + channel: -1 + # Group direct messages + group_dm: -1 + # 1:1 direct messages + dm: -1 + + # End-to-bridge encryption support options. + # + # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info. + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: {{ matrix_mautrix_slack_bridge_encryption_allow|to_json }} + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: {{ matrix_mautrix_slack_bridge_encryption_default|to_json }} + # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data. + appservice: false + # Require encryption, drop any unencrypted messages. + require: false + # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. + # You must use a client that supports requesting keys from other users to use this feature. 
+ allow_key_sharing: {{ matrix_mautrix_slack_bridge_encryption_key_sharing_allow|to_json }} + # What level of device verification should be required from users? + # + # Valid levels: + # unverified - Send keys to all device in the room. + # cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys. + # cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes). + # cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot. + # Note that creating user signatures from the bridge bot is not currently possible. + # verified - Require manual per-device verification + # (currently only possible by modifying the `trust` column in the `crypto_device` database table). + verification_levels: + # Minimum level for which the bridge should send keys to when bridging messages from WhatsApp to Matrix. + receive: unverified + # Minimum level that the bridge should accept for incoming Matrix messages. + send: unverified + # Minimum level that the bridge should require for accepting key requests. + share: cross-signed-tofu + # Options for Megolm room key rotation. These options allow you to + # configure the m.room.encryption event content. See: + # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for + # more information about that event. + rotation: + # Enable custom Megolm room key rotation settings. Note that these + # settings will only apply to rooms created after this option is + # set. + enable_custom: false + # The maximum number of milliseconds a session should be used + # before changing it. The Matrix spec recommends 604800000 (a week) + # as the default. + milliseconds: 604800000 + # The maximum number of messages that should be sent with a given a + # session before changing it. The Matrix spec recommends 100 as the + # default. 
+ messages: 100 + + # Settings for provisioning API + provisioning: + # Prefix for the provisioning API paths. + prefix: /_matrix/provision + # Shared secret for authentication. If set to "generate", a random secret will be generated, + # or if set to "disable", the provisioning API will be disabled. + shared_secret: generate + + # Permissions for using the bridge. + # Permitted values: + # relay - Talk through the relaybot (if enabled), no access otherwise + # user - Access to use the bridge to chat with a Slack account. + # admin - User level and some additional administration tools + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: {{ matrix_mautrix_slack_bridge_permissions|to_json }} + +logging: + directory: ./logs + file_name_format: '' + file_date_format: "2006-01-02" + file_mode: 384 + timestamp_format: Jan _2, 2006 15:04:05 + print_level: {{ matrix_mautrix_slack_logging_level | to_json }} + print_json: false + file_json: false diff --git a/roles/matrix-bridge-mautrix-slack/templates/systemd/matrix-mautrix-slack.service.j2 b/roles/matrix-bridge-mautrix-slack/templates/systemd/matrix-mautrix-slack.service.j2 new file mode 100644 index 000000000..f75090fb3 --- /dev/null +++ b/roles/matrix-bridge-mautrix-slack/templates/systemd/matrix-mautrix-slack.service.j2 
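Review bot: `double_puppet_server_map` renders `{{ matrix_mautrix_slack_homeserver_address }}` bare, while every other templated value in this file goes through `| to_json`; an address containing YAML-significant characters would break the parse, so the line should read `"{{ matrix_mautrix_slack_homeserver_domain }}": {{ matrix_mautrix_slack_homeserver_address | to_json }}`. The comment above `verification_levels.receive` still says "bridging messages from WhatsApp to Matrix" and should say Slack. This file also carries `as_token`, `hs_token`, `login_shared_secret_map` and a database URI that may embed a password, and the install task earlier in this series writes config.yaml with `mode: 0644`; that is only acceptable if the enclosing config directory is itself restricted, which is worth confirming.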
@@ -0,0 +1,43 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Mautrix Slack bridge +{% for service in matrix_mautrix_slack_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_mautrix_slack_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-slack 2>/dev/null || true' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-slack 2>/dev/null || true' + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre={{ matrix_host_command_sleep }} 5 + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-slack \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + --mount type=bind,src={{ matrix_mautrix_slack_config_path }},dst=/config,ro \ + --mount type=bind,src={{ matrix_mautrix_slack_data_path }},dst=/data \ + --workdir=/data \ + {% for arg in matrix_mautrix_slack_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_mautrix_slack_docker_image }} \ + /usr/bin/mautrix-slack -c /config/config.yaml -r /config/registration.yaml --no-update + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-slack 2>/dev/null || true' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-slack 2>/dev/null || true' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-mautrix-slack + +[Install] +WantedBy=multi-user.target diff --git a/setup.yml b/setup.yml deleted file mode 120000 index 7acc4c4c9..000000000 --- a/setup.yml +++ /dev/null @@ -1 +0,0 @@ -playbooks/matrix.yml \ No newline at end of file 
diff --git a/setup.yml b/setup.yml new file mode 100755 index 000000000..7acc4c4c9 --- /dev/null +++ b/setup.yml @@ -0,0 +1 @@ +playbooks/matrix.yml \ No newline at end of file From 6fb0f26b30d7639794dd79435b8b8d93e0ce814a Mon Sep 17 00:00:00 2001 From: Cody Wyatt Neiman Date: Fri, 4 Nov 2022 17:47:46 -0400 Subject: [PATCH 201/915] Add mautrix/appservice slack bridge bot username checks --- .../tasks/validate_config.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/roles/matrix-bridge-mautrix-slack/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-slack/tasks/validate_config.yml index ebe36e92b..363bbacf2 100644 --- a/roles/matrix-bridge-mautrix-slack/tasks/validate_config.yml +++ b/roles/matrix-bridge-mautrix-slack/tasks/validate_config.yml @@ -8,3 +8,12 @@ with_items: - "matrix_mautrix_slack_appservice_token" - "matrix_mautrix_slack_homeserver_token" + +- name: Fail if appservice-slack and mautrix-slack have conflicting bot usernames + when: matrix_appservice_slack_enabled | default(False) | bool and matrix_mautrix_slack_appservice_bot_username == matrix_appservice_slack_bot_name | default ('') + ansible.builtin.fail: + msg: | + The appservice-slack and mautrix-slack components are both enabled and use the same bot username ({{ matrix_mautrix_slack_appservice_bot_username }}), as per their default configuration, which causes a conflcit. + To resolve the conflict, make one of these components use a different username. + Consider either changing `matrix_mautrix_slack_appservice_bot_username` (the bot username for the mautrix-slack component) or `matrix_appservice_slack_bot_name` (the bot username for the appservice-slack component). + We recommend that you change the username for the newly-added (and yet unused) component. From d6022d851e07c9f6a7ba98c615d4f5264fb476a3 Mon Sep 17 00:00:00 2001 
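Review bot: The failure message in the new task misspells "conflict" as `conflcit`; since this text is shown to the operator, change that line to `... as per their default configuration, which causes a conflict.`. The `when` expression `matrix_appservice_slack_bot_name | default ('')` works, but the space before the parenthesis is unusual; `| default('')` matches the `| default(False)` used earlier on the same line.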
From: Cody Wyatt Neiman Date: Fri, 4 Nov 2022 17:51:10 -0400 Subject: [PATCH 202/915] Move mautrix-sack role files to new roles/custom path --- roles/{ => custom}/matrix-bridge-mautrix-slack/defaults/main.yml | 0 roles/{ => custom}/matrix-bridge-mautrix-slack/tasks/init.yml | 0 roles/{ => custom}/matrix-bridge-mautrix-slack/tasks/main.yml | 0 .../matrix-bridge-mautrix-slack/tasks/setup_install.yml | 0 .../matrix-bridge-mautrix-slack/tasks/setup_uninstall.yml | 0 .../matrix-bridge-mautrix-slack/tasks/validate_config.yml | 0 .../matrix-bridge-mautrix-slack/templates/config.yaml.j2 | 0 .../templates/systemd/matrix-mautrix-slack.service.j2 | 0 8 files changed, 0 insertions(+), 0 deletions(-) rename roles/{ => custom}/matrix-bridge-mautrix-slack/defaults/main.yml (100%) rename roles/{ => custom}/matrix-bridge-mautrix-slack/tasks/init.yml (100%) rename roles/{ => custom}/matrix-bridge-mautrix-slack/tasks/main.yml (100%) rename roles/{ => custom}/matrix-bridge-mautrix-slack/tasks/setup_install.yml (100%) rename roles/{ => custom}/matrix-bridge-mautrix-slack/tasks/setup_uninstall.yml (100%) rename roles/{ => custom}/matrix-bridge-mautrix-slack/tasks/validate_config.yml (100%) rename roles/{ => custom}/matrix-bridge-mautrix-slack/templates/config.yaml.j2 (100%) rename roles/{ => custom}/matrix-bridge-mautrix-slack/templates/systemd/matrix-mautrix-slack.service.j2 (100%) diff --git a/roles/matrix-bridge-mautrix-slack/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml similarity index 100% rename from roles/matrix-bridge-mautrix-slack/defaults/main.yml rename to roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml diff --git a/roles/matrix-bridge-mautrix-slack/tasks/init.yml b/roles/custom/matrix-bridge-mautrix-slack/tasks/init.yml similarity index 100% rename from roles/matrix-bridge-mautrix-slack/tasks/init.yml rename to roles/custom/matrix-bridge-mautrix-slack/tasks/init.yml 
diff --git a/roles/matrix-bridge-mautrix-slack/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-slack/tasks/main.yml
similarity index 100%
rename from roles/matrix-bridge-mautrix-slack/tasks/main.yml
rename to roles/custom/matrix-bridge-mautrix-slack/tasks/main.yml
diff --git a/roles/matrix-bridge-mautrix-slack/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-slack/tasks/setup_install.yml
similarity index 100%
rename from roles/matrix-bridge-mautrix-slack/tasks/setup_install.yml
rename to roles/custom/matrix-bridge-mautrix-slack/tasks/setup_install.yml
diff --git a/roles/matrix-bridge-mautrix-slack/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mautrix-slack/tasks/setup_uninstall.yml
similarity index 100%
rename from roles/matrix-bridge-mautrix-slack/tasks/setup_uninstall.yml
rename to roles/custom/matrix-bridge-mautrix-slack/tasks/setup_uninstall.yml
diff --git a/roles/matrix-bridge-mautrix-slack/tasks/validate_config.yml b/roles/custom/matrix-bridge-mautrix-slack/tasks/validate_config.yml
similarity index 100%
rename from roles/matrix-bridge-mautrix-slack/tasks/validate_config.yml
rename to roles/custom/matrix-bridge-mautrix-slack/tasks/validate_config.yml
diff --git a/roles/matrix-bridge-mautrix-slack/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2
similarity index 100%
rename from roles/matrix-bridge-mautrix-slack/templates/config.yaml.j2
rename to roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2
diff --git a/roles/matrix-bridge-mautrix-slack/templates/systemd/matrix-mautrix-slack.service.j2 b/roles/custom/matrix-bridge-mautrix-slack/templates/systemd/matrix-mautrix-slack.service.j2
similarity index 100%
rename from roles/matrix-bridge-mautrix-slack/templates/systemd/matrix-mautrix-slack.service.j2
rename to roles/custom/matrix-bridge-mautrix-slack/templates/systemd/matrix-mautrix-slack.service.j2
From 97c45676def6754e5a14ec4afd31219acc297ccf Mon Sep 17 00:00:00 2001
From: Cody Wyatt Neiman Date: Fri, 4 Nov 2022 17:56:04 -0400 Subject: [PATCH 203/915] Update paths and vars for mautrix-slack to roles/custom --- .../tasks/setup_install.yml | 8 ++++---- .../tasks/setup_uninstall.yml | 4 ++-- .../systemd/matrix-mautrix-slack.service.j2 | 12 ++++++------ 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/roles/custom/matrix-bridge-mautrix-slack/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-slack/tasks/setup_install.yml index 3c9306a53..c9406f149 100644 --- a/roles/custom/matrix-bridge-mautrix-slack/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-slack/tasks/setup_install.yml @@ -31,7 +31,7 @@ pgloader_options: ['--with "quote identifiers"'] - ansible.builtin.import_role: - name: matrix-postgres + name: custom/matrix-postgres tasks_from: migrate_db_to_postgres - ansible.builtin.set_fact: @@ -59,8 +59,8 @@ force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_slack_docker_image_force_pull }}" when: not matrix_mautrix_slack_container_image_self_build register: result - retries: "{{ matrix_container_retries_count }}" - delay: "{{ matrix_container_retries_delay }}" + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" until: result is not failed - name: Ensure Mautrix slack repository is present on self-build @@ -105,7 +105,7 @@ - name: Ensure matrix-mautrix-slack.service installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-mautrix-slack.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-mautrix-slack.service" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-slack.service" mode: 0644 register: matrix_mautrix_slack_systemd_service_result diff --git a/roles/custom/matrix-bridge-mautrix-slack/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mautrix-slack/tasks/setup_uninstall.yml index 7ce6e8401..671fa529a 100644 
--- a/roles/custom/matrix-bridge-mautrix-slack/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mautrix-slack/tasks/setup_uninstall.yml @@ -2,7 +2,7 @@ - name: Check existence of matrix-mautrix-slack service ansible.builtin.stat: - path: "{{ matrix_systemd_path }}/matrix-mautrix-slack.service" + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-slack.service" register: matrix_mautrix_slack_service_stat - name: Ensure matrix-mautrix-slack is stopped @@ -15,7 +15,7 @@ - name: Ensure matrix-mautrix-slack.service doesn't exist ansible.builtin.file: - path: "{{ matrix_systemd_path }}/matrix-mautrix-slack.service" + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-slack.service" state: absent when: "matrix_mautrix_slack_service_stat.stat.exists" diff --git a/roles/custom/matrix-bridge-mautrix-slack/templates/systemd/matrix-mautrix-slack.service.j2 b/roles/custom/matrix-bridge-mautrix-slack/templates/systemd/matrix-mautrix-slack.service.j2 index f75090fb3..af5f3c038 100644 --- a/roles/custom/matrix-bridge-mautrix-slack/templates/systemd/matrix-mautrix-slack.service.j2 +++ b/roles/custom/matrix-bridge-mautrix-slack/templates/systemd/matrix-mautrix-slack.service.j2 
@@ -12,14 +12,14 @@ DefaultDependencies=no [Service] Type=simple -Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-slack 2>/dev/null || true' -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-slack 2>/dev/null || true' +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-mautrix-slack 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-slack 2>/dev/null || true' # Intentional delay, so that the homeserver (we likely depend on) can manage to start. ExecStartPre={{ matrix_host_command_sleep }} 5 -ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-slack \ +ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-mautrix-slack \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ 
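Review bot: The context line `ExecStartPre={{ matrix_host_command_sleep }} 5` still reads the old `matrix_host_command_*` namespace while the surrounding `sh` and `docker` lookups in this hunk were moved to `devture_systemd_docker_base_host_command_*`; if the old variable stops being defined once the migration completes, the unit template fails to render. If the base role provides a sleep command counterpart, it should be switched in the same commit; otherwise a comment on that line noting why it intentionally stays on the old namespace would help the next reader.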
@@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-slack {{ matrix_mautrix_slack_docker_image }} \ /usr/bin/mautrix-slack -c /config/config.yaml -r /config/registration.yaml --no-update -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-slack 2>/dev/null || true' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-slack 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-mautrix-slack 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-slack 2>/dev/null || true' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-slack From d07480a883aa2878a3313e369b4c071ca36df764 Mon Sep 17 00:00:00 2001 From: Cody Wyatt Neiman Date: Mon, 2 Jan 2023 19:23:14 -0500 Subject: [PATCH 204/915] Remove hardcoded matrix-postgres references --- .../matrix-bridge-mautrix-slack/defaults/main.yml | 2 +- .../tasks/validate_config.yml | 11 ++++++----- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml index c2b5a159c..ae03943a0 100644 --- a/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml @@ -63,7 +63,7 @@ matrix_mautrix_slack_sqlite_database_path_in_container: "/data/mautrix-slack.db" matrix_mautrix_slack_database_username: 'matrix_mautrix_slack' matrix_mautrix_slack_database_password: 'some-password' -matrix_mautrix_slack_database_hostname: 'matrix-postgres' +matrix_mautrix_slack_database_hostname: '' matrix_mautrix_slack_database_port: 5432 matrix_mautrix_slack_database_name: 'matrix_mautrix_slack' 
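Review bot: With `matrix_mautrix_slack_database_hostname` now defaulting to `''` (and validated as required for Postgres in the companion validate_config hunk), the neighbouring default `matrix_mautrix_slack_database_password: 'some-password'` is the only connection setting still carrying a placeholder that would pass validation. A standalone use of the role with `matrix_mautrix_slack_database_engine: postgres` would reach the database with that literal; the playbook's group_vars derive a real password later in this series, but the role defaults do not. Consider blanking it the same way and adding it to the required-settings list, conditioned on the Postgres engine like the hostname.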
diff --git a/roles/custom/matrix-bridge-mautrix-slack/tasks/validate_config.yml b/roles/custom/matrix-bridge-mautrix-slack/tasks/validate_config.yml index 363bbacf2..3c764a4ea 100644 --- a/roles/custom/matrix-bridge-mautrix-slack/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mautrix-slack/tasks/validate_config.yml @@ -1,13 +1,14 @@ --- -- name: Fail if required settings not defined +- name: Fail if required mautrix-slack settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "matrix_mautrix_slack_appservice_token" - - "matrix_mautrix_slack_homeserver_token" + - {'name': 'matrix_mautrix_slack_appservice_token', when: true} + - {'name': 'matrix_mautrix_slack_homeserver_token', when: true} + - {'name': 'matrix_mautrix_slack_database_hostname', when: "{{ matrix_mautrix_slack_database_engine == 'postgres' }}"} - name: Fail if appservice-slack and mautrix-slack have conflicting bot usernames when: matrix_appservice_slack_enabled | default(False) | bool and matrix_mautrix_slack_appservice_bot_username == matrix_appservice_slack_bot_name | default ('') From 2e0dfb2dc1ecc754bac770b9ec3377f4f82a2cde Mon Sep 17 00:00:00 2001 From: Cody Wyatt Neiman Date: Mon, 2 Jan 2023 20:07:04 -0500 Subject: [PATCH 205/915] Update slack bridge implementation --- group_vars/matrix_servers | 48 ++++++++++++++++++- .../tasks/init.yml | 21 -------- .../tasks/main.yml | 22 ++++----- .../tasks/setup_install.yml | 25 +++------- .../tasks/setup_uninstall.yml | 29 +++++------ 5 files changed, 75 insertions(+), 70 deletions(-) delete mode 100644 roles/custom/matrix-bridge-mautrix-slack/tasks/init.yml diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 9178314ee..2ace75d19 100755 --- a/group_vars/matrix_servers 
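Review bot: The new `with_items` entries mix quoted and bare keys (`'name'` vs `when`); `{'name': 'matrix_mautrix_slack_database_hostname', 'when': "{{ matrix_mautrix_slack_database_engine == 'postgres' }}"}` keeps them uniform, and the third entry's templated boolean is correctly re-cast by the `item.when | bool` in the task's `when`. The check still only rejects the empty string, so a hostname set to whitespace passes; `vars[item.name] | trim == ''` would close that gap if wanted.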
+++ b/group_vars/matrix_servers @@ -53,6 +53,8 @@ matrix_homeserver_container_extra_arguments_auto: | + (['--mount type=bind,src=' + matrix_mautrix_discord_config_path + '/registration.yaml,dst=/matrix-mautrix-discord-registration.yaml,ro'] if matrix_mautrix_discord_enabled else []) + + (['--mount type=bind,src=' + matrix_mautrix_slack_config_path + '/registration.yaml,dst=/matrix-mautrix-slack-registration.yaml,ro'] if matrix_mautrix_slack_enabled else []) + + (['--mount type=bind,src=' + matrix_mautrix_facebook_config_path + '/registration.yaml,dst=/matrix-mautrix-facebook-registration.yaml,ro'] if matrix_mautrix_facebook_enabled else []) + (['--mount type=bind,src=' + matrix_mautrix_googlechat_config_path + '/registration.yaml,dst=/matrix-mautrix-googlechat-registration.yaml,ro'] if matrix_mautrix_googlechat_enabled else []) @@ -108,6 +110,8 @@ matrix_homeserver_app_service_config_files_auto: | + (['/matrix-mautrix-discord-registration.yaml'] if matrix_mautrix_discord_enabled else []) + + (['/matrix-mautrix-slack-registration.yaml'] if matrix_mautrix_slack_enabled else []) + + (['/matrix-mautrix-facebook-registration.yaml'] if matrix_mautrix_facebook_enabled else []) + (['/matrix-mautrix-googlechat-registration.yaml'] if matrix_mautrix_googlechat_enabled else []) 
@@ -209,6 +213,8 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-mautrix-discord.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-discord']}] if matrix_mautrix_discord_enabled else []) + + ([{'name': 'matrix-mautrix-slack.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-slack']}] if matrix_mautrix_slack_enabled else []) + + ([{'name': 'matrix-mautrix-facebook.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-facebook']}] if matrix_mautrix_facebook_enabled else []) + ([{'name': 'matrix-mautrix-googlechat.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-googlechat']}] if matrix_mautrix_googlechat_enabled else []) 
@@ -725,6 +731,46 @@ matrix_mautrix_discord_database_password: "{{ '%s' | format(matrix_homeserver_ge ###################################################################### +###################################################################### +# +# matrix-bridge-mautrix-slack +# +###################################################################### + +# We don't enable bridges by default. +matrix_mautrix_slack_enabled: false + +matrix_mautrix_slack_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" + +matrix_mautrix_slack_systemd_required_services_list: | + {{ + ['docker.service'] + + + ['matrix-' + matrix_homeserver_implementation + '.service'] + + + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + }} + +matrix_mautrix_slack_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mauslack.as.tok', rounds=655555) | to_uuid }}" + +matrix_mautrix_slack_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mauslack.hs.tok', rounds=655555) | to_uuid }}" + +matrix_mautrix_slack_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" + +# Postgres is the default, except if not using internal Postgres server +matrix_mautrix_slack_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" +matrix_mautrix_slack_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_mautrix_slack_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mauslack.db', rounds=655555) | to_uuid }}" + +###################################################################### +# +# /matrix-bridge-mautrix-slack +# 
+###################################################################### + + ###################################################################### # # matrix-bridge-mautrix-facebook @@ -2448,7 +2494,7 @@ devture_postgres_managed_databases_auto: | 'name': matrix_mautrix_slack_database_name, 'username': matrix_mautrix_slack_database_username, 'password': matrix_mautrix_slack_database_password, - }] if (matrix_mautrix_slack_enabled and matrix_mautrix_slack_database_engine == 'postgres' and matrix_mautrix_slack_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mautrix_slack_enabled and matrix_mautrix_slack_database_engine == 'postgres' and matrix_mautrix_slack_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': matrix_mx_puppet_slack_database_name, diff --git a/roles/custom/matrix-bridge-mautrix-slack/tasks/init.yml b/roles/custom/matrix-bridge-mautrix-slack/tasks/init.yml deleted file mode 100644 index 0ea03f5b2..000000000 --- a/roles/custom/matrix-bridge-mautrix-slack/tasks/init.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- -- ansible.builtin.set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-slack.service'] }}" - when: matrix_mautrix_slack_enabled | bool - -# If the matrix-synapse role is not used, these variables may not exist. -- ansible.builtin.set_fact: - matrix_homeserver_container_runtime_injected_arguments: > - {{ - matrix_homeserver_container_runtime_injected_arguments | default([]) - + - ["--mount type=bind,src={{ matrix_mautrix_slack_config_path }}/registration.yaml,dst=/matrix-mautrix-slack-registration.yaml,ro"] - }} - - matrix_homeserver_app_service_runtime_injected_config_files: > - {{ - matrix_homeserver_app_service_runtime_injected_config_files | default([]) - + - ["/matrix-mautrix-slack-registration.yaml"] - }} - when: matrix_mautrix_slack_enabled | bool 
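Review bot: `matrix_mautrix_slack_login_shared_secret` is defined here, but the bridge config template reads `matrix_mautrix_slack_bridge_login_shared_secret_map`; unless the role's defaults derive the map from this scalar (not visible in this series), the shared secret set here is never written to the config and double puppeting silently stays off. Worth confirming against defaults/main.yml. The three derived secrets reuse the playbook's `password_hash(...) | to_uuid` pattern with distinct salts (`mauslack.as.tok`, `mauslack.hs.tok`, `mauslack.db`), which keeps them unique per component as long as no other role picks the same salt strings.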
diff --git a/roles/custom/matrix-bridge-mautrix-slack/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-slack/tasks/main.yml index d7fc02023..bff905495 100644 --- a/roles/custom/matrix-bridge-mautrix-slack/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-slack/tasks/main.yml @@ -1,22 +1,20 @@ --- -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_mautrix_slack_enabled | bool" - tags: - - setup-all - - setup-mautrix-slack +- block: + - when: matrix_mautrix_slack_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup and matrix_mautrix_slack_enabled" + - when: matrix_mautrix_slack_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" tags: - setup-all - setup-mautrix-slack + - install-all + - install-mautrix-slack -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup and not matrix_mautrix_slack_enabled" +- block: + - when: not matrix_mautrix_slack_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" tags: - setup-all - setup-mautrix-slack diff --git a/roles/custom/matrix-bridge-mautrix-slack/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-slack/tasks/setup_install.yml index c9406f149..f266f0262 100644 --- a/roles/custom/matrix-bridge-mautrix-slack/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-slack/tasks/setup_install.yml 
@@ -1,13 +1,5 @@ --- -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - ansible.builtin.fail: - msg: >- - The matrix-bridge-mautrix-slack role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed | default(False)" - - ansible.builtin.set_fact: matrix_mautrix_slack_requires_restart: false @@ -20,8 +12,11 @@ - when: "matrix_mautrix_slack_sqlite_database_path_local_stat_result.stat.exists | bool" block: - - ansible.builtin.set_fact: - matrix_postgres_db_migration_request: + - ansible.builtin.include_role: + name: galaxy/com.devture.ansible.role.postgres + tasks_from: migrate_db_to_postgres + vars: + devture_postgres_db_migration_request: src: "{{ matrix_mautrix_slack_sqlite_database_path_local }}" dst: "{{ matrix_mautrix_slack_database_connection_string }}" caller: "{{ role_path | basename }}" @@ -30,10 +25,6 @@ systemd_services_to_stop: ['matrix-mautrix-slack.service'] pgloader_options: ['--with "quote identifiers"'] - - ansible.builtin.import_role: - name: custom/matrix-postgres - tasks_from: migrate_db_to_postgres - - ansible.builtin.set_fact: matrix_mautrix_slack_requires_restart: true @@ -109,13 +100,9 @@ mode: 0644 register: matrix_mautrix_slack_systemd_service_result -- name: Ensure systemd reloaded after matrix-mautrix-slack.service installation - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_slack_systemd_service_result.changed" - - name: Ensure matrix-mautrix-slack.service restarted, if necessary ansible.builtin.service: name: "matrix-mautrix-slack.service" state: restarted + daemon_reload: true when: "matrix_mautrix_slack_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-mautrix-slack/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mautrix-slack/tasks/setup_uninstall.yml index 671fa529a..19350b443 100644 
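Review bot: In the `@@ -109,13 +100,9 @@` hunk, folding `daemon_reload: true` into the restart task means systemd is now only reloaded when `matrix_mautrix_slack_requires_restart` is true, whereas the removed task reloaded whenever the unit file changed (`matrix_mautrix_slack_systemd_service_result.changed`); within the hunks shown, `requires_restart` is only set after the SQLite-to-Postgres migration, so a rewritten unit file with no migration leaves systemd running the stale definition, and the retained `register:` result is left unused. Unless a later shared step performs a global daemon-reload (not visible here), keep a reload, e.g. `- ansible.builtin.service: { daemon_reload: true }` guarded by `when: matrix_mautrix_slack_systemd_service_result.changed`, or add that condition to the restart task's `when`. The task list around the last hunk continues outside it.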
--- a/roles/custom/matrix-bridge-mautrix-slack/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-mautrix-slack/tasks/setup_uninstall.yml @@ -5,21 +5,16 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-slack.service" register: matrix_mautrix_slack_service_stat -- name: Ensure matrix-mautrix-slack is stopped - ansible.builtin.service: - name: matrix-mautrix-slack - state: stopped - enabled: false - daemon_reload: true - when: "matrix_mautrix_slack_service_stat.stat.exists" +- when: matrix_mautrix_slack_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mautrix-slack is stopped + ansible.builtin.service: + name: matrix-mautrix-slack + state: stopped + enabled: false + daemon_reload: true -- name: Ensure matrix-mautrix-slack.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-slack.service" - state: absent - when: "matrix_mautrix_slack_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mautrix-slack.service removal - ansible.builtin.service: - daemon_reload: true - when: "matrix_mautrix_slack_service_stat.stat.exists" + - name: Ensure matrix-mautrix-slack.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-slack.service" + state: absent From c925b517e79d377f1d7cca78f3302c444df4b6de Mon Sep 17 00:00:00 2001 From: Cody Wyatt Neiman Date: Mon, 2 Jan 2023 21:09:23 -0500 Subject: [PATCH 206/915] Include mautrix-slack in setup --- playbooks/matrix.yml | 1 + setup.yml | 0 2 files changed, 1 insertion(+) mode change 100755 => 120000 setup.yml diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index 088ea6406..45cb9052f 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml 
@@ -61,6 +61,7 @@ - custom/matrix-bridge-mautrix-telegram - custom/matrix-bridge-mautrix-whatsapp - custom/matrix-bridge-mautrix-discord + - custom/matrix-bridge-mautrix-slack - custom/matrix-bridge-mx-puppet-discord - custom/matrix-bridge-mx-puppet-groupme - custom/matrix-bridge-mx-puppet-steam diff --git a/setup.yml b/setup.yml deleted file mode 100755 index 7acc4c4c9..000000000 --- a/setup.yml +++ /dev/null @@ -1 +0,0 @@ -playbooks/matrix.yml \ No newline at end of file diff --git a/setup.yml b/setup.yml new file mode 120000 index 000000000..7acc4c4c9 --- /dev/null +++ b/setup.yml @@ -0,0 +1 @@ +playbooks/matrix.yml \ No newline at end of file From f4874d2e4a8af587cc0aecb87049f054dfe70a8b Mon Sep 17 00:00:00 2001 From: Cody Wyatt Neiman Date: Mon, 2 Jan 2023 21:09:40 -0500 Subject: [PATCH 207/915] Pull upstream mautrix-slack config defaults --- .../templates/config.yaml.j2 | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2 index da589f05e..b7919ec2d 100644 --- a/roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2 
@@ -28,10 +28,11 @@ appservice: # Database config. database: - # The database type. "sqlite3" and "postgres" are supported. + # The database type. "sqlite3-fk-wal" and "postgres" are supported. type: {{ matrix_mautrix_slack_appservice_database_type|to_json }} # The database URI. - # SQLite: File name is enough. https://github.com/mattn/go-sqlite3#connection-string + # SQLite: A raw file path is supported, but `file:?_txlock=immediate` is recommended. + # https://github.com/mattn/go-sqlite3#connection-string # Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable # To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql uri: {{ matrix_mautrix_slack_appservice_database_uri|to_json }} @@ -57,6 +58,11 @@ appservice: # Requires MSC2409 support (i.e. Synapse 1.22+). ephemeral_events: true + # Should incoming events be handled asynchronously? + # This may be necessary for large public instances with lots of messages going through. + # However, messages will not be guaranteed to be bridged in the same order they were sent in. + async_transactions: false + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. as_token: {{ matrix_mautrix_slack_appservice_token | to_json }} hs_token: {{ matrix_mautrix_slack_homeserver_token | to_json }} From e9772420226f8796276537161a7cc883f42bdaf2 Mon Sep 17 00:00:00 2001 From: Cody Wyatt Neiman Date: Mon, 2 Jan 2023 21:31:04 -0500 Subject: [PATCH 208/915] Pull more mautrix-slack defaults from upstream --- .../matrix-bridge-mautrix-slack/templates/config.yaml.j2 | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2 index b7919ec2d..1c7a1dff0 100644 --- a/roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2 
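Review bot: The `type` comment now lists `sqlite3-fk-wal` and `postgres` as the only supported values, but the rendered value is still `matrix_mautrix_slack_appservice_database_type`, whose default and validation live outside this hunk; if that default (or `validate_config.yml`) still uses `sqlite3`, the rendered config will not match what the comment says the bridge accepts. Suggest updating the default to `sqlite3-fk-wal` and the SQLite `uri` default to the `file:<path>?_txlock=immediate` form the new comment recommends, in the same change. `async_transactions: false` is also hard-coded with no playbook variable, so operators can only override it through `matrix_mautrix_slack_configuration_extension_yaml`; a short comment saying so, e.g. `# Override via matrix_mautrix_slack_configuration_extension_yaml if needed.`, would save a search.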
+++ b/roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2 @@ -5,8 +5,10 @@ homeserver: address: {{ matrix_mautrix_slack_homeserver_address | to_json }} # The domain of the homeserver (for MXIDs, etc). domain: {{ matrix_mautrix_slack_homeserver_domain | to_json }} - # Is the homeserver actually mautrix-asmux? - asmux: false + + # What software is the homeserver running? + # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here. + software: standard # The URL to push real-time bridge status to. # If set, the bridge will make POST requests to this URL whenever a user's slack connection state changes. # The bridge will use the appservice as_token to authorize requests. @@ -56,6 +58,7 @@ appservice: avatar: mxc://maunium.net/pVtzLmChZejGxLqmXtQjFxem # Whether or not to receive ephemeral events via appservice transactions. # Requires MSC2409 support (i.e. Synapse 1.22+). + # You should disable bridge -> sync_with_custom_puppets when this is enabled. ephemeral_events: true # Should incoming events be handled asynchronously? From 12b8cb3aab14c76ed6801d5f41f36283d2c05c90 Mon Sep 17 00:00:00 2001 From: Cody Wyatt Neiman Date: Mon, 2 Jan 2023 21:58:52 -0500 Subject: [PATCH 209/915] Fix localpart slack id regex for mautrix-slack --- roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml index ae03943a0..4d8e3f2f0 100644 --- a/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml 
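Review bot: The new comment on `ephemeral_events` says `bridge -> sync_with_custom_puppets` should be disabled when it is enabled, and `ephemeral_events: true` is fixed in this template, but whether `sync_with_custom_puppets` is actually set to `false` in the `bridge:` section is outside this hunk; please confirm the template or a playbook default does so, otherwise the rendered config contradicts its own guidance. Once that is true, making the copied upstream comment actionable for operators, e.g. `# The playbook sets bridge.sync_with_custom_puppets to false for this reason.`, would help. The `bridge:` section is not visible here.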
@@ -124,7 +124,7 @@ matrix_mautrix_slack_registration_yaml: | rate_limited: false namespaces: users: - - regex: '^@slack_[0-9]+:{{ matrix_mautrix_slack_homeserver_domain | regex_escape }}$' + - regex: '^@slack_[a-z-A-Z0-9\-]+:{{ matrix_mautrix_slack_homeserver_domain | regex_escape }}$' exclusive: true - exclusive: true regex: '^@{{ matrix_mautrix_slack_appservice_bot_username | regex_escape }}:{{ matrix_mautrix_slack_homeserver_domain | regex_escape }}$' From 2a2d9d97c2e8c593903b83491893a724f60a613d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Jan 2023 16:06:49 +0000 Subject: [PATCH 210/915] Bump ansible-community/ansible-lint-action from 6.10.0 to 6.10.2 Bumps [ansible-community/ansible-lint-action](https://github.com/ansible-community/ansible-lint-action) from 6.10.0 to 6.10.2. - [Release notes](https://github.com/ansible-community/ansible-lint-action/releases) - [Commits](https://github.com/ansible-community/ansible-lint-action/compare/v6.10.0...v6.10.2) --- updated-dependencies: - dependency-name: ansible-community/ansible-lint-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/matrix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml index 8d846c059..281b1496e 100644 --- a/.github/workflows/matrix.yml +++ b/.github/workflows/matrix.yml @@ -21,6 +21,6 @@ jobs: - name: Check out uses: actions/checkout@v3 - name: Run ansible-lint - uses: ansible-community/ansible-lint-action@v6.10.0 + uses: ansible-community/ansible-lint-action@v6.10.2 with: path: roles/custom From 1c6ab4a1bcfa896571cbd2d0ad1e42acbd7b5727 Mon Sep 17 00:00:00 2001 
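Review bot: The character class in the new `users` namespace regex, `[a-z-A-Z0-9\-]`, contains the hyphen twice: the bare `-` after the `a-z` range is read as a literal by Python's `re` (which is what Synapse uses to match appservice namespaces), and `\-` adds it again, so it works but reads like a malformed range and may be rejected by stricter regex dialects or linters. Prefer the conventional form `regex: '^@slack_[A-Za-z0-9-]+:{{ matrix_mautrix_slack_homeserver_domain | regex_escape }}$'`. The commit does not say which identifier format motivated widening from `[0-9]+`; a one-line comment above the entry naming it (presumably mixed-case Slack user IDs — confirm) would help future maintainers. The registration block continues outside this hunk.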
From: Cody Wyatt Neiman Date: Tue, 3 Jan 2023 12:33:09 -0500 Subject: [PATCH 211/915] Update documentation for mautrix slack --- README.md | 3 ++- docs/configuring-playbook-bridge-mautrix-slack.md | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 177c2a0d8..92a461072 100644 --- a/README.md +++ b/README.md @@ -89,7 +89,8 @@ Bridges can be used to connect your matrix installation with third-party communi | Name | Default? | Description | Documentation | | ---- | -------- | ----------- | ------------- | -[mautrix-discord](https://github.com/mautrix/discord) | x | Bridge for bridging your Matrix server to [Discord](https://discord.com/) | [Link](docs/configuring-playbook-bridge-mautrix-discord.md) | +| [mautrix-discord](https://github.com/mautrix/discord) | x | Bridge for bridging your Matrix server to [Discord](https://discord.com/) | [Link](docs/configuring-playbook-bridge-mautrix-discord.md) | +| [mautrix-slack](https://github.com/mautrix/slack) | x | Bridge for bridging your Matrix server to [Slack](https://slack.com/) | [Link](docs/configuring-playbook-bridge-mautrix-slack.md) | | [mautrix-telegram](https://github.com/mautrix/telegram) | x | Bridge for bridging your Matrix server to [Telegram](https://telegram.org/) | [Link](docs/configuring-playbook-bridge-mautrix-telegram.md) | | [mautrix-whatsapp](https://github.com/mautrix/whatsapp) | x | Bridge for bridging your Matrix server to [WhatsApp](https://www.whatsapp.com/) | [Link](docs/configuring-playbook-bridge-mautrix-whatsapp.md) | | [mautrix-facebook](https://github.com/mautrix/facebook) | x | Bridge for bridging your Matrix server to [Facebook](https://facebook.com/) | [Link](docs/configuring-playbook-bridge-mautrix-facebook.md) | diff --git a/docs/configuring-playbook-bridge-mautrix-slack.md b/docs/configuring-playbook-bridge-mautrix-slack.md index e941b346c..4ec28e971 100644 --- a/docs/configuring-playbook-bridge-mautrix-slack.md 
+++ b/docs/configuring-playbook-bridge-mautrix-slack.md @@ -42,8 +42,8 @@ There are some additional things you may wish to configure about the bridge. Take a look at: -- `roles/matrix-bridge-mautrix-slack/defaults/main.yml` for some variables that you can customize via your `vars.yml` file -- `roles/matrix-bridge-mautrix-slack/templates/config.yaml.j2` for the bridge's default configuration. You can override settings (even those that don't have dedicated playbook variables) using the `matrix_mautrix_slack_configuration_extension_yaml` variable +- `roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml` for some variables that you can customize via your `vars.yml` file +- `roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2` for the bridge's default configuration. You can override settings (even those that don't have dedicated playbook variables) using the `matrix_mautrix_slack_configuration_extension_yaml` variable ### Set up Double Puppeting From 94474e387ab502779876143207782acf1b48db32 Mon Sep 17 00:00:00 2001 From: Cody Wyatt Neiman Date: Tue, 3 Jan 2023 12:53:57 -0500 Subject: [PATCH 212/915] Fix mautrix slack doc typos and clarifications --- docs/configuring-playbook-bridge-mautrix-slack.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/docs/configuring-playbook-bridge-mautrix-slack.md b/docs/configuring-playbook-bridge-mautrix-slack.md index 4ec28e971..d0a60aa7c 100644 --- a/docs/configuring-playbook-bridge-mautrix-slack.md +++ b/docs/configuring-playbook-bridge-mautrix-slack.md 
@@ -3,7 +3,6 @@ **Note**: bridging to [Slack](https://slack.com/) can also happen via the [mx-puppet-slack](configuring-playbook-bridge-mx-puppet-slack.md) and [matrix-appservice-slack](configuring-playbook-bridge-appservice-slack.md) bridges supported by the playbook. - For using as a Bot we recommend the [Appservice Slack](configuring-playbook-bridge-appservice-slack.md), because it supports plumbing. - For personal use with a slack account we recommend the `mautrix-slack` bridge (the one being discussed here), because it is the most fully-featured and stable of the 3 Slack bridges supported by the playbook. -The `mautrix-slack` bridge (the one being discussed here) is the most fully-featured and stable of the 3 Slack bridges supported by the playbook, so it's the one we recommend. The playbook can install and configure [mautrix-slack](https://github.com/mautrix/slack) for you. @@ -18,7 +17,7 @@ See the [features and roadmap](https://github.com/mautrix/slack/blob/main/ROADMA For using this bridge, you would need to authenticate by **providing your username and password** (legacy) or by using a **token login**. See more information in the [docs](https://docs.mau.fi/bridges/go/slack/authentication.html). -Note that neither of these methods are officially supported by Slack. [matrix-appservice-slack](configuring-playbook-bridge-appservice-slack.md) uses a Slack bot account which is the only Slack officially supported method for bridging a channel. +Note that neither of these methods are officially supported by Slack. [matrix-appservice-slack](configuring-playbook-bridge-appservice-slack.md) uses a Slack bot account which is the only officially supported method for bridging a Slack channel. ## Installing 
@@ -38,7 +37,7 @@ To make use of the bridge, see [Usage](#usage) below. ### Additional configuration -There are some additional things you may wish to configure about the bridge. +There are some additional options you may wish to configure with the bridge. Take a look at: @@ -72,7 +71,7 @@ When using this method, **each user** that wishes to enable Double Puppeting nee ## Usage 1. Start a chat with `@slackbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain). -2. If you would like to login to Slack using a token, send the `login-token` command, otherwise, send the `login-password` command. +2. If you would like to login to Slack using a token, send the `login-token` command, otherwise, send the `login-password` command. Read [here](https://docs.mau.fi/bridges/go/slack/authentication.html) on how to retrieve your token and cookie token. 3. The bot should respond with "Successfully logged into for team " 4. Now that you're logged in, you can send a `help` command to the bot again, to see additional commands you have access to. 5. Slack channels should automatically begin bridging if you authenticated using a token. Otherwise, you must wait to receive a message in the channel if you used password authentication. From 533e47e9b98f94fc9dc9a0ca3166fe28cc924520 Mon Sep 17 00:00:00 2001 From: Cody Wyatt Neiman Date: Tue, 3 Jan 2023 15:16:55 -0500 Subject: [PATCH 213/915] Add documentation on using s3 sse-c --- docs/configuring-playbook-synapse-s3-storage-provider.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/configuring-playbook-synapse-s3-storage-provider.md b/docs/configuring-playbook-synapse-s3-storage-provider.md index 6022eaad0..f029b3f37 100644 --- a/docs/configuring-playbook-synapse-s3-storage-provider.md +++ b/docs/configuring-playbook-synapse-s3-storage-provider.md 
@@ -39,6 +39,13 @@ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: access-key- matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: secret-key-goes-here matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class: STANDARD # or STANDARD_IA, etc. +# S3 Server Side Encryption with a Customer provided key (SSE-C) can also be configured as follows +# This is not recommended unless you understand what you are doing, and may make restoring from backups additionally challenging +# You can read more about SSE-C here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html +matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled: true +matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key: ssec-key-goes-here # Generate with: cat /dev/urandom | head -c 32 | base64 - +matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo: AES256 + # For additional advanced settings, take a look at `roles/custom/matrix-synapse/defaults/main.yml` ``` From 4d44f7b49ed750d97e413f2b4b156048e8608bbf Mon Sep 17 00:00:00 2001 From: Cody Wyatt Neiman Date: Tue, 3 Jan 2023 15:18:09 -0500 Subject: [PATCH 214/915] Use base64 encoded string for sse-c key --- .../templates/synapse/ext/s3-storage-provider/env.j2 | 2 +- .../ext/s3-storage-provider/media_storage_provider.yaml.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 index 58d262558..6cc7753fd 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 
@@ -6,7 +6,7 @@ ENDPOINT={{ matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url } BUCKET={{ matrix_synapse_ext_synapse_s3_storage_provider_config_bucket }} {% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %} -SSE_CUSTOMER_KEY={{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key }} +SSE_CUSTOMER_KEY={{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key | b64decode }} SSE_CUSTOMER_ALGO={{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo }} {% endif %} diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 index e888e3c53..988ad0021 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 @@ -10,7 +10,7 @@ config: secret_access_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key | to_json }} {% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %} - sse_customer_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key | to_json }} + sse_customer_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key | b64decode | to_json }} sse_customer_algo: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo | to_json }} {% endif %} From 6d96bcee1da1a306aaeab101026a7a08702f417a Mon Sep 17 00:00:00 2001 From: Cody Wyatt Neiman Date: Tue, 3 Jan 2023 15:18:49 -0500 Subject: [PATCH 215/915] Allow 'git' as a version for s3 storage provider --- .../templates/synapse/customizations/Dockerfile.j2 | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/roles/custom/matrix-synapse/templates/synapse/customizations/Dockerfile.j2 b/roles/custom/matrix-synapse/templates/synapse/customizations/Dockerfile.j2
index 3919e9557..b77dbc239 100644
--- a/roles/custom/matrix-synapse/templates/synapse/customizations/Dockerfile.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/customizations/Dockerfile.j2
@@ -1,7 +1,11 @@
 FROM {{ matrix_synapse_docker_image }}
 {% if matrix_synapse_container_image_customizations_s3_storage_provider_installation_enabled %}
+ {% if matrix_synapse_ext_synapse_s3_storage_provider_version == 'git' %}
+RUN apt-get update -yq && apt-get install -yq git && pip install git+https://github.com/matrix-org/synapse-s3-storage-provider.git
+ {% else %}
 RUN pip install synapse-s3-storage-provider=={{ matrix_synapse_ext_synapse_s3_storage_provider_version }}
+ {% endif %}
 {% endif %}
 {{ matrix_synapse_container_image_customizations_dockerfile_body_custom }}
From b9604da9d9b861b5d156581ce46b16b7a757e119 Mon Sep 17 00:00:00 2001
From: Cody Wyatt Neiman
Date: Tue, 3 Jan 2023 15:26:06 -0500
Subject: [PATCH 216/915] Add note on using synapse s3 provider git version for sse-c support
---
 docs/configuring-playbook-synapse-s3-storage-provider.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/docs/configuring-playbook-synapse-s3-storage-provider.md b/docs/configuring-playbook-synapse-s3-storage-provider.md
index f029b3f37..a4ee70633 100644
--- a/docs/configuring-playbook-synapse-s3-storage-provider.md
+++ b/docs/configuring-playbook-synapse-s3-storage-provider.md
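Review bot: `pip install git+https://github.com/matrix-org/synapse-s3-storage-provider.git` pins nothing: every image build pulls whatever the repository's default branch head is at that moment, so builds are not reproducible and a broken or compromised upstream commit lands in the Synapse image silently, while the `else` branch at least pins an exact release. Pin the ref, e.g. `pip install git+https://github.com/matrix-org/synapse-s3-storage-provider.git@<commit-sha>`, ideally by having the `git` sentinel read it from a variable such as `matrix_synapse_ext_synapse_s3_storage_provider_git_ref` instead of hard-coding the branch head. Minor: the `apt-get` layer leaves package lists in the image; appending `&& rm -rf /var/lib/apt/lists/*` is the usual idiom and keeps the layer small.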
@@ -45,6 +45,8 @@ matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class: STANDARD # matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled: true matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key: ssec-key-goes-here # Generate with: cat /dev/urandom | head -c 32 | base64 - matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo: AES256 +# Using the git version is also required until > v1.1.2 is released +matrix_synapse_ext_synapse_s3_storage_provider_version: git # For additional advanced settings, take a look at `roles/custom/matrix-synapse/defaults/main.yml` ``` From f5390562ed5a9df7cf254e783d41fe260c643931 Mon Sep 17 00:00:00 2001 From: Cody Wyatt Neiman Date: Tue, 3 Jan 2023 16:13:09 -0500 Subject: [PATCH 217/915] Fix synapse s3 storage provider container indentation --- .../templates/synapse/customizations/Dockerfile.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/custom/matrix-synapse/templates/synapse/customizations/Dockerfile.j2 b/roles/custom/matrix-synapse/templates/synapse/customizations/Dockerfile.j2 index b77dbc239..65375aeeb 100644 --- a/roles/custom/matrix-synapse/templates/synapse/customizations/Dockerfile.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/customizations/Dockerfile.j2 
@@ -1,11 +1,11 @@
 FROM {{ matrix_synapse_docker_image }}
 {% if matrix_synapse_container_image_customizations_s3_storage_provider_installation_enabled %}
- {% if matrix_synapse_ext_synapse_s3_storage_provider_version == 'git' %}
+{% if matrix_synapse_ext_synapse_s3_storage_provider_version == 'git' %}
 RUN apt-get update -yq && apt-get install -yq git && pip install git+https://github.com/matrix-org/synapse-s3-storage-provider.git
- {% else %}
+{% else %}
 RUN pip install synapse-s3-storage-provider=={{ matrix_synapse_ext_synapse_s3_storage_provider_version }}
- {% endif %}
+{% endif %}
 {% endif %}
 {{ matrix_synapse_container_image_customizations_dockerfile_body_custom }}
From 7e5e1712f5e15f59d3598367f4128ed5d6135382 Mon Sep 17 00:00:00 2001
From: Cody Wyatt Neiman
Date: Tue, 3 Jan 2023 17:53:33 -0500
Subject: [PATCH 218/915] Encode s3 sse-c key for utf-8
---
 docs/configuring-playbook-synapse-s3-storage-provider.md | 2 +-
 .../templates/synapse/ext/s3-storage-provider/env.j2 | 2 +-
 .../ext/s3-storage-provider/media_storage_provider.yaml.j2 | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/docs/configuring-playbook-synapse-s3-storage-provider.md b/docs/configuring-playbook-synapse-s3-storage-provider.md
index a4ee70633..25d9a54a4 100644
--- a/docs/configuring-playbook-synapse-s3-storage-provider.md
+++ b/docs/configuring-playbook-synapse-s3-storage-provider.md
@@ -43,7 +43,7 @@ matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class: STANDARD #
 # This is not recommended unless you understand what you are doing, and may make restoring from backups additionally challenging
 # You can read more about SSE-C here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html
 matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled: true
-matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key: ssec-key-goes-here # Generate with: cat /dev/urandom | head -c 32 | base64 -
+matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key: ssec-key-goes-here # Generate with: cat /dev/urandom | base64 | head -c 32
 matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo: AES256
 # Using the git version is also required until > v1.1.2 is released
 matrix_synapse_ext_synapse_s3_storage_provider_version: git
diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2
index 6cc7753fd..58d262558 100644
--- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2
@@ -6,7 +6,7 @@ ENDPOINT={{ matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url }
 BUCKET={{ matrix_synapse_ext_synapse_s3_storage_provider_config_bucket }}
 {% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %}
-SSE_CUSTOMER_KEY={{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key | b64decode }}
+SSE_CUSTOMER_KEY={{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key }}
 SSE_CUSTOMER_ALGO={{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo }}
 {% endif %}
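Review bot: `SSE_CUSTOMER_KEY` in the env.j2 hunk is written verbatim with no check that the value is exactly 32 bytes, which is what S3 requires for an `AES256` SSE-C key; a wrong-length key only surfaces when the first upload or the migration script fails against S3, not at deploy time. Add an assertion to the role's validation step, e.g. fail with a clear `msg` when `matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled` is true and `matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key | length != 32`. With the `b64decode` dropped, the docs' `cat /dev/urandom | base64 | head -c 32` yields 32 printable characters used as-is (about 192 bits of entropy in a 256-bit key, no `=` padding), which is acceptable but worth stating explicitly in the docs comment so nobody supplies a base64-encoded 32-byte key by mistake. The same variable is rendered into the YAML template in the next hunk, so one check covers both.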
diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 index 988ad0021..e888e3c53 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 @@ -10,7 +10,7 @@ config: secret_access_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key | to_json }} {% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %} - sse_customer_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key | b64decode | to_json }} + sse_customer_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key | to_json }} sse_customer_algo: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo | to_json }} {% endif %} From 3a28b7e332e06188b9533d1521888d2f7e0af513 Mon Sep 17 00:00:00 2001 From: Cody Wyatt Neiman Date: Tue, 3 Jan 2023 18:01:15 -0500 Subject: [PATCH 219/915] Specify version requirement for sse-c in s3 storage provider --- docs/configuring-playbook-synapse-s3-storage-provider.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-synapse-s3-storage-provider.md b/docs/configuring-playbook-synapse-s3-storage-provider.md index 25d9a54a4..4b0770273 100644 --- a/docs/configuring-playbook-synapse-s3-storage-provider.md +++ b/docs/configuring-playbook-synapse-s3-storage-provider.md 
@@ -45,7 +45,7 @@ matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class: STANDARD # matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled: true matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key: ssec-key-goes-here # Generate with: cat /dev/urandom | base64 | head -c 32 matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo: AES256 -# Using the git version is also required until > v1.1.2 is released +# Using the git version is also required for SSE-C until > v1.1.2 is released matrix_synapse_ext_synapse_s3_storage_provider_version: git # For additional advanced settings, take a look at `roles/custom/matrix-synapse/defaults/main.yml` From 42e4e50f5be654b812939732114f0724865cdc78 Mon Sep 17 00:00:00 2001 
From: jakicoll Date: Wed, 4 Jan 2023 13:45:37 +0100 Subject: [PATCH 220/915] Matrix Authentication Support for Jitsi This extends the collection with support for seamless authentication at the Jitsi server using Matrix OpenID. 1. New role for installing the [Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service) 2. Changes to Jitsi role: Installing Jitsi Prosody Mods and configuring Jitsi Auth 3. Changes to Jitsi and nginx-proxy roles: Serving .well-known/element/jitsi from jitsi.DOMAIN 4. We updated the Jitsi documentation on authentication and added documentation for the user verification service. --- docs/configuring-playbook-jitsi.md | 47 ++++++- ...ring-playbook-user-verification-service.md | 116 ++++++++++++++++++ group_vars/matrix_servers | 61 ++++++++- playbooks/matrix.yml | 1 + roles/custom/matrix-jitsi/defaults/main.yml | 36 +++++- roles/custom/matrix-jitsi/tasks/main.yml | 6 + .../tasks/self_check_matrix_auth.yml | 62 ++++++++++ .../tasks/setup_jitsi_prosody_install.yml | 46 ++++++- .../setup_jitsi_auth_internal.yml | 17 +++ .../tasks/util/setup_jitsi_auth.yml | 42 ------- .../util/setup_jitsi_auth_uvs_install.yml | 13 ++ .../util/setup_jitsi_auth_uvs_uninstall.yml | 26 ++++ .../setup_jitsi_prosody_post_setup_hooks.yml | 49 ++++++++ .../matrix-jitsi/tasks/validate_config.yml | 15 ++- .../matrix-jitsi/templates/prosody/env.j2 | 8 +- .../templates/web/custom-config.js.j2 | 4 + .../matrix-nginx-proxy/defaults/main.yml | 2 + .../nginx/conf.d/matrix-jitsi.conf.j2 | 11 +- .../defaults/main.yml | 81 ++++++++++++ .../handlers/main.yml | 6 + .../tasks/main.yml | 24 ++++ .../tasks/setup_install.yml | 42 +++++++ .../tasks/setup_uninstall.yml | 35 ++++++ .../templates/.env.j2 | 14 +++ ...atrix-user-verification-service.service.j2 | 42 +++++++ 25 files changed, 747 insertions(+), 59 deletions(-) create mode 100644 docs/configuring-playbook-user-verification-service.md create mode 100644 
roles/custom/matrix-jitsi/tasks/self_check_matrix_auth.yml create mode 100644 roles/custom/matrix-jitsi/tasks/util/prosody_post_setup_hooks/setup_jitsi_auth_internal.yml delete mode 100644 roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth.yml create mode 100644 roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml create mode 100644 roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml create mode 100644 roles/custom/matrix-jitsi/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml create mode 100644 roles/custom/matrix-user-verification-service/defaults/main.yml create mode 100644 roles/custom/matrix-user-verification-service/handlers/main.yml create mode 100644 roles/custom/matrix-user-verification-service/tasks/main.yml create mode 100644 roles/custom/matrix-user-verification-service/tasks/setup_install.yml create mode 100644 roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml create mode 100644 roles/custom/matrix-user-verification-service/templates/.env.j2 create mode 100644 roles/custom/matrix-user-verification-service/templates/systemd/matrix-user-verification-service.service.j2 diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index a9d3c2de4..f51f8fc12 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md 
@@ -39,7 +39,17 @@ By default the Jitsi Meet instance does not require any kind of login and is ope If you're fine with such an open Jitsi instance, please skip to [Apply changes](#apply-changes). -If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's authentication and guests mode. With authentication enabled, all meeting rooms have to be opened by a registered user, after which guests are free to join. If a registered host is not yet present, guests are put on hold in individual waiting rooms. +If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow the following steps to enable Jitsi's authentication and optionally guests mode. +Currently, there are three supported authentication modes: 'internal' (default), 'matrix' and 'ldap'. + +**Note:** Authentication is not tested via the playbook's self-checks. +We therefore recommend that you manually verify if authentication is required by jitsi. +For this, try to manually create a conference on jitsi.DOMAIN in your browser. + +### Authenticate using Jitsi accounts (Auth-Type 'internal') +The default authentication mechanism is 'internal' auth, which requires jitsi-accounts to be setup and is the recommended setup, as it also works in federated rooms. +With authentication enabled, all meeting rooms have to be opened by a registered user, after which guests are free to join. +If a registered host is not yet present, guests are put on hold in individual waiting rooms. Add these lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: 
@@ -53,20 +63,35 @@ matrix_jitsi_prosody_auth_internal_accounts: password: "another-password" ``` -**Caution:** Accounts added here and subsquently removed will not be automatically removed from the Prosody server until user account cleaning is integrated into the playbook. +**Caution:** Accounts added here and subsequently removed will not be automatically removed from the Prosody server until user account cleaning is integrated into the playbook. **If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation). +### Authenticate using Matrix OpenID (Auth-Type 'matrix') -### (Optional) LDAP authentication +**Attention: Probably breaks jitsi in federated rooms and does not allow sharing conference links with guests.** -The default authentication mode of Jitsi is `internal`, however LDAP is also supported. An example LDAP configuration could be: +Using this authentication type require a [Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service). +By default, this playbook creates and configures a user-verification-service to run locally, see [configuring-user-verification-service](configuring-playbook-user-verification-service.md). + +To enable set this configuration at host level: + +```yaml +matrix_jitsi_enable_auth: true +matrix_jitsi_auth_type: "matrix" +``` + +For more information see also [https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification](https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification). 
+ +### Authenticate using LDAP (Auth-Type 'ldap') + +An example LDAP configuration could be: ```yaml matrix_jitsi_enable_auth: true matrix_jitsi_auth_type: ldap matrix_jitsi_ldap_url: "ldap://ldap.DOMAIN" -matrix_jitsi_ldap_base: "OU=People,DC=DOMAIN +matrix_jitsi_ldap_base: "OU=People,DC=DOMAIN" #matrix_jitsi_ldap_binddn: "" #matrix_jitsi_ldap_bindpw: "" matrix_jitsi_ldap_filter: "uid=%u" @@ -200,7 +225,19 @@ matrix_nginx_proxy_proxy_jitsi_additional_jvbs: Applied together this will allow you to provision extra JVB instances which will register themselves with the prosody service and be available for jicofo to route conferences too. +## (Optional) Enable Gravatar + +In the default Jisti Meet configuration, gravatar.com is enabled as an avatar service. This results in third party request leaking data to gravatar. +Since element already sends the url of configured Matrix avatars to Jitsi, we disabled gravatar. + +To enable Gravatar set: + +```yaml +matrix_jitsi_disable_gravatar: false +``` +**Beware:** This leaks information to a third party, namely the Gravatar-Service (unless configured otherwise: gravatar.com). +Besides metadata, this includes the matrix user_id and possibly the room identifier (via `referrer` header). ## Apply changes diff --git a/docs/configuring-playbook-user-verification-service.md b/docs/configuring-playbook-user-verification-service.md new file mode 100644 index 000000000..f3d3aa6e2 --- /dev/null +++ b/docs/configuring-playbook-user-verification-service.md 
@@ -0,0 +1,116 @@ +# Setting up Matrix User Verification Service (optional) + +**[Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service) (hereafter: UVS) can only be installed after Matrix services are installed and running.** +If you're just installing Matrix services for the first time, please continue with the [Configuration](configuring-playbook.md) / [Installation](installing.md) flow and come back here later. + +Currently, the main purpose of this role is to allow Jitsi to authenticate matrix users and check if they are authorized to join a conference. Please refer to the documentation of the [Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service) to understand how it works. + +**Note**: enabling Matrix User Verification Service, means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. + +If the Jitsi server is also configured by this collection, all plugging of variables and secrets is handled in `group_vars/matrix_servers`. + +__Some general concepts of UVS may be helpful to understand the rest, so here they are:__ + +UVS can be used to verify two claims: + +* (A) Whether a given OpenID token is valid for a given server and +* (B) whether a user is member of a given room and the corresponding PowerLevel + +Verifying an OpenID token id done by finding the corresponding Homeserver via '.well-known/matrix/server' for the given domain. +The configured `matrix_user_verification_service_uvs_homeserver_url` does **not** factor into this. +By default, this collection only checks against `matrix_server_fqn_matrix`. +Therefore, the request will be made against the public openid API for `matrix_server_fqn_matrix`. 
+ +Verifying RoomMembership and PowerLevel is done against `matrix_user_verification_service_uvs_homeserver_url` which is by default done via the docker network. +UVS will verify the validity of the token beforehand though. + +## Prerequisites + +In order to use UVS, an admin token for the configured homeserver must be supplied. For now this means configuring Synapse and creating the token before installing UVS. + +## Enable + +[Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service) installation is disabled by default unless required by Jitsi (see group_vars/matrix_servers). +You can enable it in your configuration file (`inventory/host_vars/matrix./vars.yml`): + +```yaml +matrix_user_verification_service_enabled: true +``` + +## Configuration + +The only required configuration variable is `matrix_user_verification_service_uvs_access_token` (see below). + +For a list of all configuration options see the role defaults [`roles/matrix-user-verification-service/defaults/main.yml`](../roles/custom/matrix-user-verification-service/defaults/main.yml). +But be aware of all the plugging happening in `group_vars/matrix_servers`. + +In the default configuration, the UVS Server is only reachable via the docker network, which is fine if e.g. Jitsi is also running in a container on the host. +However, it is possible to expose UVS via setting `matrix_user_verification_service_container_http_host_bind_port`. Be aware that the normally used port (3000) may collide with Grafana. + +### Access token + +The Synapse Access Token is used to verify RoomMembership and PowerLevel against the configured homeserver_url (which is plugged in group_vars). + +We recommend that you create a dedicated Matrix user for uvs (`uvs` is a good username). +Follow our [Registering users](registering-users.md) guide to register a user with administration privileges. + +You are required to specify an access token (belonging to this new user) for UVS to work. 
+To get an access token for the UVS user, you can follow the documentation on [how to do obtain an access token](obtaining-access-tokens.md). + +**Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone.** + +```yaml +matrix_user_verification_service_uvs_access_token: "YOUR ACCESS TOKEN HERE" +``` + +### (Optional) Auth Token + +It is possible to set an API Auth Token to restrict access to the UVS. If this is set, anyone making a request to UVS must provide it via the header "Authorization: Bearer TOKEN" + +By default, the token will be derived from `matrix_homeserver_generic_secret_key` in `group_vars/matrix_servers`. +To set your own Token, simply put the following in your host_vars. + +```yaml +matrix_user_verification_service_uvs_auth_token: "TOKEN" +``` + +In case Jitsi is also managed by this collection and 'matrix' authentication in Jitsi is enabled, this collection will automatically configure Jitsi to use the configured auth token. + +### (Optional) Federation + +In theory (however currently untested), UVS can handle federation. Simply set: + +```yaml +matrix_user_verification_service_uvs_openid_verify_server_name: ~ +``` + +using host_vars to override the group_vars. + +This will instruct UVS to verify the OpenID token against any domain given in a request. +Homeserver discovery is done via '.well-known/matrix/server' of the given domain. 
+ +## Installation + +After these variables have been set, please run the following command to re-run setup and to restart UVS: + +``` +ansible-playbook -i inventory/hosts setup.yml --tags=setup-matrix-user-verification-service,start +``` + +## Logging + +The configuration variable `UVS_LOG_LEVEL` can be set to: +- warning +- info +- debug + +## TLS Certificate Checking +If the matrix Homeserver does not provide a valid TLS certificate, UVS will fail with the following error message: + +> message: 'No response received: [object Object]', + +This also applies to self-signed and let's encrypt staging certificates. + +To disable certificate validation altogether (INSECURE! Not suitable for production use!) set: `NODE_TLS_REJECT_UNAUTHORIZED=0` + +Alternatively, it is possible to inject your own CA certificates into the container by mounting a PEM file with additional trusted CAs into the container and pointing the `NODE_EXTRA_CA_CERTS` environment variable to it. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 2a9e0414a..18068bd6c 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -312,6 +312,8 @@ devture_systemd_service_manager_services_list_auto: | ([{'name': 'matrix-synapse-admin.service', 'priority': 4000, 'groups': ['matrix', 'synapse-admin']}] if matrix_synapse_admin_enabled else []) + ([{'name': 'matrix-synapse-reverse-proxy-companion.service', 'priority': 1500, 'groups': ['matrix', 'homeservers', 'synapse', 'reverse-proxies']}] if matrix_synapse_reverse_proxy_companion_enabled else []) + + + ([{'name': 'matrix-user-verification-service.service', 'priority': 800, 'groups': ['matrix', 'matrix-user-verification-service']}] if matrix_user_verification_service_enabled else []) }} ######################################################################## 
@@ -1945,6 +1947,11 @@ matrix_jitsi_web_stun_servers: | matrix_jitsi_etherpad_enabled: "{{ matrix_etherpad_enabled }}" matrix_jitsi_etherpad_base: "{{ matrix_etherpad_base_url if matrix_etherpad_enabled else 'https://scalar.vector.im/etherpad' }}" +# Allow verification using JWT and matrix-UVS +matrix_jitsi_prosody_auth_matrix_uvs_auth_token: "{{ matrix_user_verification_service_uvs_auth_token }}" + +matrix_jitsi_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" + ###################################################################### # # /matrix-jitsi @@ -2090,7 +2097,10 @@ matrix_nginx_proxy_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled }}" matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" matrix_nginx_proxy_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}" matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" + matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" +matrix_nginx_proxy_proxy_jitsi_manage_wellknown: "{{ matrix_jitsi_require_well_known }}" + matrix_nginx_proxy_proxy_grafana_enabled: "{{ matrix_grafana_enabled }}" matrix_nginx_proxy_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled }}" matrix_nginx_proxy_proxy_ntfy_enabled: "{{ matrix_ntfy_enabled }}" 
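Review bot: `matrix_jitsi_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"` spells out a boolean that the comparison already yields; `matrix_jitsi_self_check_validate_certificates: "{{ matrix_ssl_retrieval_method != 'self-signed' }}"` reads the same and avoids the `true`/`false` literals. The comment `# Allow verification using JWT and matrix-UVS` above the token plug would be more useful if it said where the value comes from, e.g. `# Shared secret for the Prosody UVS plugin; same value the matrix-user-verification-service role receives.`.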
@@ -2732,7 +2742,7 @@ matrix_synapse_tls_federation_listener_enabled: false matrix_synapse_tls_certificate_path: ~ matrix_synapse_tls_private_key_path: ~ -matrix_synapse_federation_port_openid_resource_required: "{{ not matrix_synapse_federation_enabled and (matrix_dimension_enabled or matrix_ma1sd_enabled) }}" +matrix_synapse_federation_port_openid_resource_required: "{{ not matrix_synapse_federation_enabled and (matrix_dimension_enabled or matrix_ma1sd_enabled or matrix_user_verification_service_enabled) }}" # If someone instals Prometheus via the playbook, they most likely wish to monitor Synapse. matrix_synapse_metrics_enabled: "{{ matrix_prometheus_enabled }}" 
@@ -3166,3 +3176,52 @@ matrix_user_creator_users_auto: | # /matrix-user-creator # ###################################################################### + + +###################################################################### +# +# matrix-user-verification-service +# +###################################################################### + +## FIXME: Needs to be updated when there is a proper release by upstream. +matrix_user_verification_service_docker_image: "{{ matrix_user_verification_service_docker_image_name_prefix }}matrixdotorg/matrix-user-verification-service@sha256:d2aabc984dd69d258c91900c36928972d7aaef19d776caa3cd6a0fbc0e307270" + +# enable if jitsi is managed by this playbook and requires JWT auth +matrix_user_verification_service_enabled: "{{ (matrix_jitsi_enabled | bool and matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix') }}" +matrix_user_verification_service_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + }} + +# If Jitsi is managed by this playbook we can use the docker network - no need to expose a port. +# If Jitsi is not managed by this playbook, or you otherwise have a need for it, you can expose +# matrix-user-verfification-services's client-server port to the local host. +# Note: If grafana is also enabled, the exposed port is changed to 3003. 
+matrix_user_verification_service_container_http_host_bind_port: "{{ '' if (matrix_jitsi_enabled | bool and matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix') else '127.0.0.1:' + ('3003' if matrix_nginx_proxy_proxy_grafana_enabled else '3000') }}" + +# URL exposed in the docker network +matrix_user_verification_service_container_url: "http://{{ matrix_user_verification_service_container_name }}:3000" + +# Set the homeserver URL to the container name if synapse is managed by this collection +matrix_user_verification_service_uvs_homeserver_url: "{{ matrix_homeserver_container_url if matrix_synapse_enabled }}" +# If synapse is managed by this collection, we will connect via docker network, which is a private ip. +# Therefore we need to disable IP checks +matrix_user_verification_service_uvs_disable_ip_blacklist: "{{'true' if matrix_synapse_enabled else 'false'}}" + +matrix_user_verification_service_uvs_auth_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'uvs.auth.token', rounds=655555) | to_uuid }}" + +# Pin UVS to only check openId Tokens for the matrix_server_name configured by this collection. +# This is not the homeserverURL, but rather the domain in the matrix "user ID" +matrix_user_verification_service_uvs_openid_verify_server_name: "{{ matrix_domain }}" +matrix_user_verification_service_uvs_log_level: warning + +###################################################################### +# +# /matrix-user-verification-service +# +###################################################################### diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index 088ea6406..a74b982d0 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml @@ -94,6 +94,7 @@ - custom/matrix-client-hydrogen - custom/matrix-client-cinny - custom/matrix-jitsi + - custom/matrix-user-verification-service - custom/matrix-ldap-registration-proxy - custom/matrix-ma1sd - custom/matrix-dimension 
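Review bot: `matrix_user_verification_service_uvs_disable_ip_blacklist` is forced to `'true'` whenever Synapse is managed by the playbook, and nothing ties that relaxation to `matrix_user_verification_service_uvs_openid_verify_server_name`. With the server name pinned to `matrix_domain` the private-address check (presumably what the flag disables, per the comment above it) only matters for the docker-network request, but the new docs tell operators to set the server name to `~` for federation, and then UVS would resolve request-supplied domains with that check off. Record the coupling next to the flag, e.g. `# Needed only because the homeserver URL is a private docker-network address; reconsider if uvs_openid_verify_server_name is relaxed for federation.`, or derive the flag from both conditions. Separately, `matrix_user_verification_service_uvs_homeserver_url: "{{ matrix_homeserver_container_url if matrix_synapse_enabled }}"` silently renders empty when Synapse is not enabled; an explicit `else ''` makes that intent visible to readers of the `.env.j2` template.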
diff --git a/roles/custom/matrix-jitsi/defaults/main.yml b/roles/custom/matrix-jitsi/defaults/main.yml index ce4d19cc1..1f8502c84 100644 --- a/roles/custom/matrix-jitsi/defaults/main.yml +++ b/roles/custom/matrix-jitsi/defaults/main.yml @@ -13,14 +13,16 @@ matrix_jitsi_enable_jaas_components: false matrix_jitsi_enable_p2p: true matrix_jitsi_enable_av_moderation: true matrix_jitsi_enable_breakout_rooms: true +matrix_jitsi_disable_gravatar: true -# Authentication type, must be one of internal, jwt or ldap. -# Currently only internal and ldap mechanisms are supported by this playbook. +# Authentication type, must be one of internal, jwt, matrix or ldap. +# Currently, only internal, matrix and ldap mechanisms are supported by this playbook. +# matrix auth verifies against matrix openID, and requires a user-verification-service to run. matrix_jitsi_auth_type: internal # A list of Jitsi (Prosody) accounts to create using the internal authentication mechanism. # -# Accounts added here and subsquently removed will not be automatically removed +# Accounts added here and subsequently removed will not be automatically removed # from the Prosody server until user account cleaning is integrated into the playbook. # # Example: 
@@ -49,6 +51,23 @@ matrix_jitsi_ldap_tls_cacert_file: "/etc/ssl/certs/ca-certificates.crt" matrix_jitsi_ldap_tls_cacert_dir: "/etc/ssl/certs" matrix_jitsi_ldap_start_tls: false +# Auth type: matrix +matrix_jitsi_prosody_auth_matrix_user_verification_repo_location: "https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification" +matrix_jitsi_prosody_auth_matrix_user_verification_repo_target: "{{ matrix_jitsi_prosody_ext_path }}/prosody_auth_matrix_user_verification" +matrix_jitsi_prosody_auth_matrix_user_verification_repo_version: "2839499cb03894d8cfc3e5b2219441427cb133d8" # v1.8.0 +matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels: true +matrix_jitsi_prosody_auth_matrix_uvs_location: "{{ matrix_user_verification_service_container_url }}" +# Should match domain, see https://github.com/vector-im/element-web/pull/15114/commits/0410a6b3be82a41457275e4d1ce879dea146e092 +matrix_jitsi_prosody_auth_matrix_jwt_app_id: "{{ matrix_server_fqn_jitsi }}" +matrix_jitsi_prosody_auth_matrix_files: + - path: "mod_auth_matrix_user_verification.lua" + when: true + - path: "mod_matrix_power_sync.lua" + when: "{{ matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels }}" + +# Plugged in group_vars +#matrix_jitsi_prosody_auth_matrix_uvs_auth_token: + matrix_jitsi_timezone: UTC matrix_jitsi_xmpp_domain: meet.jitsi 
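Review bot: `#matrix_jitsi_prosody_auth_matrix_uvs_auth_token:` leaves the role without a default, yet the validate_config hunk (`@@ -25,16 +25,25 @@`) applies `|length` to it, so a host that uses the role without the group_vars plug fails on an undefined variable instead of reaching the intended "please provide an auth token" message. Declare it empty, `matrix_jitsi_prosody_auth_matrix_uvs_auth_token: ''`, keeping the `# Plugged in group_vars` comment. The same cross-role reliance appears in `matrix_jitsi_prosody_auth_matrix_uvs_location: "{{ matrix_user_verification_service_container_url }}"`, which references another role's variable from this role's defaults; a comment noting that dependency would help readers of the jitsi role in isolation.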
@@ -180,6 +199,17 @@ matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_im matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody" matrix_jitsi_prosody_config_path: "{{ matrix_jitsi_prosody_base_path }}/config" matrix_jitsi_prosody_plugins_path: "{{ matrix_jitsi_prosody_base_path }}/prosody-plugins-custom" +matrix_jitsi_prosody_ext_path: "{{ matrix_jitsi_prosody_base_path }}/ext" + +# well known is currently only needed for auth type "matrix" +matrix_jitsi_require_well_known: "{{ matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix' }}" +matrix_jitsi_wellknown_element_jitsi_json: '{"auth": "openidtoken-jwt"}' + +# +matrix_jitsi_muc_modules: | + {{ + (['matrix_power_sync'] if matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels | bool else []) + }} # A list of extra arguments to pass to the container matrix_jitsi_prosody_container_extra_arguments: [] diff --git a/roles/custom/matrix-jitsi/tasks/main.yml b/roles/custom/matrix-jitsi/tasks/main.yml index d7dc66232..b35c2c347 100644 --- a/roles/custom/matrix-jitsi/tasks/main.yml +++ b/roles/custom/matrix-jitsi/tasks/main.yml @@ -67,3 +67,9 @@ - setup-all - setup-jitsi - setup-additional-jitsi-jvb + +- block: + - when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix' + ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_matrix_auth.yml" + tags: + - self-check diff --git a/roles/custom/matrix-jitsi/tasks/self_check_matrix_auth.yml b/roles/custom/matrix-jitsi/tasks/self_check_matrix_auth.yml new file mode 100644 index 000000000..68a28ef77 --- /dev/null +++ b/roles/custom/matrix-jitsi/tasks/self_check_matrix_auth.yml 
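Review bot: The bare `#` line above `matrix_jitsi_muc_modules` is an empty comment where a reader needs the purpose; suggest `# Extra Prosody modules for the MUC component; matrix_power_sync is the module shipped in matrix_jitsi_prosody_auth_matrix_files when power-level sync is enabled.`. In the tasks/main.yml hunk the new `- block:` carries only `tags` and no `name:`, unlike the surrounding tasks; `- name: Run Jitsi matrix-auth self-checks` would make it show up identifiably in playbook output.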
@@ -0,0 +1,62 @@ +--- + +- ansible.builtin.set_fact: + matrix_jitsi_prosody_self_check_uvs_health_url: "{{ matrix_jitsi_prosody_auth_matrix_uvs_location }}/health" + matrix_jitsi_element_jitsi_well_known_url: "{{ matrix_jitsi_web_public_url }}/.well-known/element/jitsi" + +- name: Check if jitsi serves the .well-known/element/jitsi + ansible.builtin.uri: + url: "{{ matrix_jitsi_element_jitsi_well_known_url }}" + follow_redirects: none + return_content: true + validate_certs: "{{ matrix_jitsi_self_check_validate_certificates }}" + headers: + Origin: example.com + check_mode: false + register: result_well_known_jitsi_element_jitsi + ignore_errors: true + +- name: Fail if .well-known not working + ansible.builtin.fail: + msg: | + Failed checking that the Jitsi well-known file for Element auth is configured at `{{ matrix_jitsi_element_jitsi_well_known_url }}` + Full error: {{ result_well_known_jitsi_element_jitsi }} + when: "result_well_known_jitsi_element_jitsi.failed" + +- name: Parse JSON for well-known payload at the matrix hostname + ansible.builtin.set_fact: + well_known_matrix_payload: "{{ result_well_known_jitsi_element_jitsi.content | from_json }}" + +- name: Fail if .well-known not CORS-aware + ansible.builtin.fail: + msg: "The well-known file on `{{ matrix_jitsi_element_jitsi_well_known_url }}` is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set." 
+ when: "'access_control_allow_origin' not in result_well_known_jitsi_element_jitsi" + +- name: Report working .well-known + ansible.builtin.debug: + msg: "well-known is configured correctly at `{{ matrix_jitsi_element_jitsi_well_known_url }}`" + +- name: Check if we can reach the user verification service and if it's healthy + ansible.builtin.command: + argv: + - "docker" + - "exec" + - "matrix-jitsi-prosody" + - "wget" + - "-O" + - "-" + - "--quiet" + - "{{ matrix_jitsi_prosody_self_check_uvs_health_url | quote }}" + register: matrix_jitsi_prosody_self_check_uvs_result + ignore_errors: true + +- name: Fail if user verification service is not (reachable and healthy) + ansible.builtin.fail: + msg: | + Failed checking user verification service is up (checked endpoint: `{{ matrix_jitsi_prosody_self_check_uvs_health_url }}`). + Full error: {{ matrix_jitsi_prosody_self_check_uvs_result }} + when: "matrix_jitsi_prosody_self_check_uvs_result.failed" + +- name: Report healthy user verification service + ansible.builtin.debug: + msg: "User verification service is working (checked endpoint: `{{ matrix_jitsi_prosody_self_check_uvs_health_url }}`)" diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_install.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_install.yml index 785811666..f5beab2bf 100644 --- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_install.yml +++ b/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_install.yml @@ -11,6 +11,7 @@ - {path: "{{ matrix_jitsi_prosody_base_path }}", when: true} - {path: "{{ matrix_jitsi_prosody_config_path }}", when: true} - {path: "{{ matrix_jitsi_prosody_plugins_path }}", when: true} + - {path: "{{ matrix_jitsi_prosody_ext_path }}", when: true} when: item.when | bool - name: Ensure jitsi-prosody Docker image is pulled 
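Review bot: The `| quote` filter on the last `argv` element is wrong with `argv`: each element is handed to the process as-is, so any quoting the filter adds becomes literal characters in the URL; it happens to be a no-op for the default `http://…:3000/health` but would break a custom `matrix_jitsi_prosody_auth_matrix_uvs_location`. Use `- "{{ matrix_jitsi_prosody_self_check_uvs_health_url }}"`. The CORS task only tests that an `access_control_allow_origin` key is present on the registered result, not its value, which is consistent with the playbook's other well-known self-checks but worth a comment, e.g. `# Presence only; the value is not validated against the Origin sent above.`.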
@@ -32,6 +33,43 @@ group: "{{ matrix_user_groupname }}" mode: 0640 +# Configure matrix authentication. +- name: Install user verification plugin + ansible.builtin.include_tasks: + file: "{{ role_path }}/tasks/util/setup_jitsi_auth_uvs_install.yml" + when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "matrix" + +- name: Manage Jitsi .well-known + when: matrix_jitsi_require_well_known | bool + block: + - name: Ensure .well-known directories exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0775 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {path: "{{ matrix_static_files_base_path }}/.well-known/element", when: "{{ matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix' }}"} + when: item.when | bool + + # Create .well-known/element/jitsi in the static file directory for nginx-proxy. + - name: Ensure Jitsi /.well-known/element/jitsi configured + ansible.builtin.copy: + content: "{{ matrix_jitsi_wellknown_element_jitsi_json }}" + dest: "{{ matrix_static_files_base_path }}/.well-known/element/jitsi" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "matrix" +# END Block + +# Remove matrix authentication if disabled +- name: Ensure user verification plugin is not present if matrix auth is disabled + ansible.builtin.include_tasks: + file: "{{ role_path }}/tasks/util/setup_jitsi_auth_uvs_uninstall.yml" + when: (not matrix_jitsi_enable_auth | bool) or (matrix_jitsi_auth_type != "matrix") + - name: Ensure matrix-jitsi-prosody.service file is installed ansible.builtin.template: src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2" 
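Review bot: Inside the `Manage Jitsi .well-known` block the condition is repeated three times: the block's `when: matrix_jitsi_require_well_known | bool`, which the defaults define as exactly `matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix'`, already gates the per-item `when` on the directory entry and the `when` on the copy task. Dropping the inner conditions (and the single-entry `with_items`) leaves one place to change when a second auth type needs the well-known file. The trailing `# END Block` comment is also unusual for this role; the indentation already delimits the block.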
@@ -39,7 +77,9 @@ mode: 0644 register: matrix_jitsi_prosody_systemd_service_result -- name: Ensure authentication is properly configured +# Tasks that require a running prosody container are called in this file. +- name: Run prosody related tasks, that require a running container. ansible.builtin.include_tasks: - file: "{{ role_path }}/tasks/util/setup_jitsi_auth.yml" - when: matrix_jitsi_enable_auth | bool + file: "{{ role_path }}/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml" + when: + - matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "internal" diff --git a/roles/custom/matrix-jitsi/tasks/util/prosody_post_setup_hooks/setup_jitsi_auth_internal.yml b/roles/custom/matrix-jitsi/tasks/util/prosody_post_setup_hooks/setup_jitsi_auth_internal.yml new file mode 100644 index 000000000..ac9bda49b --- /dev/null +++ b/roles/custom/matrix-jitsi/tasks/util/prosody_post_setup_hooks/setup_jitsi_auth_internal.yml @@ -0,0 +1,17 @@ +--- +# +# Tasks related to configuring Jitsi internal authentication on a running prosody instance. +# + +- name: Ensure Jitsi internal authentication users are configured + ansible.builtin.shell: "{{ devture_systemd_docker_base_host_command_docker }} exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register {{ item.username | quote }} meet.jitsi {{ item.password | quote }}" + with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}" + when: + - matrix_jitsi_prosody_auth_internal_accounts|length > 0 + register: matrix_jitsi_user_configuration_result + changed_when: matrix_jitsi_user_configuration_result.rc == 0 + no_log: true + +# +# Tasks related to clean up after configuring internal authentication. +# diff --git a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth.yml b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth.yml deleted file mode 100644 index 60a49b427..000000000 --- a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth.yml +++ /dev/null 
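Review bot: The post-setup hooks are now included only when `matrix_jitsi_auth_type == "internal"`, but `setup_jitsi_auth_uvs_uninstall.yml` sets `matrix_jitsi_prosody_require_restart` and that flag is consumed only inside the hooks file, so switching from 'matrix' auth to 'ldap' or disabling auth removes the plugin files without the restart the flag asks for (unless the service is restarted elsewhere in the run). Widen the condition: `when: (matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "internal") or (matrix_jitsi_prosody_require_restart | d(false) | bool)`, and update the reminder comment in the hooks file accordingly. The task name `Run prosody related tasks, that require a running container.` also ends with a period and a stray comma, unlike the other task names.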
@@ -1,42 +0,0 @@ ---- -# -# Start Necessary Services -# - -- name: Ensure matrix-jitsi-prosody container is running - ansible.builtin.systemd: - state: started - name: matrix-jitsi-prosody - register: matrix_jitsi_prosody_start_result - - -# -# Tasks related to configuring Jitsi internal authentication -# - -- name: Ensure Jitsi internal authentication users are configured - ansible.builtin.shell: "{{ devture_systemd_docker_base_host_command_docker }} exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register {{ item.username | quote }} meet.jitsi {{ item.password | quote }}" - with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}" - when: - - matrix_jitsi_auth_type == "internal" - - matrix_jitsi_prosody_auth_internal_accounts|length > 0 - register: matrix_jitsi_user_configuration_result - changed_when: matrix_jitsi_user_configuration_result.rc == 0 - no_log: true - -# -# Tasks related to configuring other Jitsi authentication mechanisms -# - -# -# Tasks related to cleaning after Jitsi authentication configuration -# - -# -# Stop Necessary Services -# -- name: Ensure matrix-jitsi-prosody container is stopped if necessary - ansible.builtin.systemd: - state: stopped - name: matrix-jitsi-prosody - when: matrix_jitsi_prosody_start_result.changed | bool diff --git a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml new file mode 100644 index 000000000..36f334253 --- /dev/null +++ b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml 
@@ -0,0 +1,13 @@ +- name: Checkout Prosody Auth Matrix User Verification Plugin Repo + ansible.builtin.git: + repo: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_location }}" + dest: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}" + version: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_version }}" + +- name: Install Prosody Auth Matrix User Verification Plugin + ansible.builtin.copy: + remote_src: yes + src: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}/{{ item.path }}" + dest: "{{ matrix_jitsi_prosody_plugins_path }}/{{ item.path }}" + with_items: "{{ matrix_jitsi_prosody_auth_matrix_files }}" + when: item.when | bool diff --git a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml new file mode 100644 index 000000000..2ba793eca --- /dev/null +++ b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml 
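Review bot: The `Install Prosody Auth Matrix User Verification Plugin` copy task sets no `owner`, `group` or `mode`, so the Lua modules land in `matrix_jitsi_prosody_plugins_path` with whatever ownership the remote default gives (root, if the play runs with become), while the sibling directory task in `setup_jitsi_prosody_install.yml` sets all three. Add `mode: 0644`, `owner: "{{ matrix_user_username }}"`, `group: "{{ matrix_user_groupname }}"` for consistency with the rest of the role. Pinning the checkout to a full commit hash rather than a tag is the right call for a plugin that runs inside Prosody; `remote_src: yes` could use `true` to match the `when: true` style elsewhere in the role.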
@@ -0,0 +1,26 @@ +- name: Remove all files regarding prosody mod auth_matrix_user_verification and .well-known/element/jitsi + ansible.builtin.file: + path: "{{ item }}" + state: absent + with_flattened: + - "{{ matrix_static_files_base_path }}/.well-known/element/jitsi" + - "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}" + - "{{ matrix_jitsi_prosody_auth_matrix_files | map(attribute='path') | map('regex_replace', '^', matrix_jitsi_prosody_plugins_path+'/') | list }}" + register: matrix_jitsi_prosody_auth_matrix_user_verification_uninstalled + +- name: Remove .well-known/element directory if empty + ansible.builtin.command: + argv: + - rmdir + - "{{ matrix_static_files_base_path }}/.well-known/element" + removes: "{{matrix_static_files_base_path}}/.well-known/element" + ignore_errors: yes + +- when: matrix_jitsi_prosody_auth_matrix_user_verification_uninstalled.changed + block: + - name: Populate service facts + ansible.builtin.service_facts: + + - name: Ensure prosody is restarted later on if currently running + set_fact: + matrix_jitsi_prosody_require_restart: "{{ true if ansible_facts.services['matrix-jitsi-prosody.service']['state'] == 'running' else false }}" diff --git a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml new file mode 100644 index 000000000..69c18ab32 --- /dev/null +++ b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml 
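Review bot: `ansible_facts.services['matrix-jitsi-prosody.service']['state']` raises an undefined-variable error when the unit is not known to service_facts (plugin files present but the service never installed or already removed), and the surrounding `when` only checks that files were deleted. Use a tolerant lookup: `matrix_jitsi_prosody_require_restart: "{{ (ansible_facts.services['matrix-jitsi-prosody.service'] | d({})).state | d('') == 'running' }}"`. Minor: `set_fact` and `ignore_errors: yes` break the `ansible.builtin.` / `true` conventions used in the other new task files.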
@@ -0,0 +1,49 @@
+---
+#####
+#
+# This tasks file starts and stops (if state before was stopped) a prosody container during setup to run commands,
+# that require a running prosody container.
+# The task is called in ../setup_jitsi_prosody_install.yml.
+#
+# Important: The task is called conditionally, as to only start if really needed.
+# So if you add or change anything - remember to also change the 'when' in: ../setup_jitsi_prosody_install.yml
+#
+#####
+
+#
+# Start Necessary Services
+#
+
+- name: Ensure matrix-jitsi-prosody container is running
+ ansible.builtin.systemd:
+ state: "{{ 'restarted' if matrix_jitsi_prosody_require_restart | d(false) | bool else 'started' }}"
+ name: matrix-jitsi-prosody
+ register: matrix_jitsi_prosody_start_result
+
+# If the flag was set, we can safely disable now.
+- name: Disable require restart flag
+ set_fact:
+ matrix_jitsi_prosody_require_restart: false
+
+#
+# Tasks related to configuring Jitsi internal authentication
+#
+
+- name: Ensure internal authentication is properly configured
+ ansible.builtin.include_tasks:
+ file: "{{ role_path }}/tasks/util/prosody_post_setup_hooks/setup_jitsi_auth_internal.yml"
+ when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "internal"
+
+#
+# Tasks related to ...
+#
+
+
+#
+# Stop Necessary Services
+#
+- name: Ensure matrix-jitsi-prosody container is stopped if necessary
+ ansible.builtin.systemd:
+ state: stopped
+ name: matrix-jitsi-prosody
+ when: matrix_jitsi_prosody_start_result.changed | bool
diff --git a/roles/custom/matrix-jitsi/tasks/validate_config.yml b/roles/custom/matrix-jitsi/tasks/validate_config.yml
index 258b4864c..5975a605b
--- a/roles/custom/matrix-jitsi/tasks/validate_config.yml
+++ b/roles/custom/matrix-jitsi/tasks/validate_config.yml
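Review bot: The final stop task is conditioned on `matrix_jitsi_prosody_start_result.changed`, but `state: restarted` reports changed even when the container was already running, so a run in which `matrix_jitsi_prosody_require_restart` was set ends by stopping a prosody that was up before the hooks ran — the opposite of the header comment's "stops (if state before was stopped)". Recording the pre-hook state (e.g. with `service_facts`, as `setup_jitsi_auth_uvs_uninstall.yml` in this commit does) and stopping only when it was not running would match the documented intent. The header also says the file is included conditionally from `../setup_jitsi_prosody_install.yml`; that condition is outside this hunk, so I could not confirm the two are in sync.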
@@ -25,16 +25,25 @@ - "matrix_jitsi_jvb_auth_password" -- name: Fail if a Jitsi internal authentication account is not defined +- name: Fail if authentication is enabled, but not properly configured. ansible.builtin.fail: msg: >- + You have enabled authentication, but the configured auth type is missing required configuration. + + Auth type 'internal': At least one Jitsi user needs to be defined in `matrix_jitsi_prosody_auth_internal_accounts` when using internal authentication. If you're setting up Jitsi for the first time, you may have missed a step. Refer to our setup instructions (docs/configuring-playbook-jitsi.md). + + Auth type 'matrix': + If you want to enable matrix_user_verification in jitsi, + please provide an auth token for the user verification service (uvs) using `matrix_jitsi_prosody_auth_matrix_uvs_auth_token`. + If the user-verfication-service is also managed by this playbook the token is derived from `matrix_homeserver_generic_secret_key` in the group vars. when: - matrix_jitsi_enable_auth | bool - - matrix_jitsi_auth_type == 'internal' - - matrix_jitsi_prosody_auth_internal_accounts|length == 0 + - ((matrix_jitsi_auth_type == 'internal' and matrix_jitsi_prosody_auth_internal_accounts|length == 0) + or (matrix_jitsi_auth_type == 'matrix' and matrix_jitsi_prosody_auth_matrix_uvs_auth_token|length == 0)) + - name: (Deprecation) Catch and report renamed settings diff --git a/roles/custom/matrix-jitsi/templates/prosody/env.j2 b/roles/custom/matrix-jitsi/templates/prosody/env.j2 index b0ebbefce..541727b8f 100644 --- a/roles/custom/matrix-jitsi/templates/prosody/env.j2 +++ b/roles/custom/matrix-jitsi/templates/prosody/env.j2 
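Review bot: In the new `when`, the `matrix` branch evaluates `matrix_jitsi_prosody_auth_matrix_uvs_auth_token|length`, while the prosody `env.j2` in this same commit guards the same variable with `is defined`; if it really can be undefined, a user with `matrix_jitsi_auth_type == 'matrix'` and no token gets an undefined-variable error from this task instead of the helpful message it is meant to print. `(matrix_jitsi_prosody_auth_matrix_uvs_auth_token | default('')) | length == 0` keeps the check itself from erroring. The message text also has a typo: `user-verfication-service` should read `user-verification-service`.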
@@ -41,6 +41,12 @@ LDAP_TLS_CACERT_DIR={{ matrix_jitsi_ldap_tls_cacert_dir }}
 LDAP_START_TLS={{ 1 if matrix_jitsi_ldap_start_tls else 0 }}
 LDAP_URL={{ matrix_jitsi_ldap_url }}
 LDAP_USE_TLS={{ 1 if matrix_jitsi_ldap_use_tls else 0 }}
+MATRIX_UVS_ISSUER={{ matrix_jitsi_prosody_auth_matrix_jwt_app_id }}
+MATRIX_UVS_URL={{ matrix_jitsi_prosody_auth_matrix_uvs_location }}
+{% if matrix_jitsi_prosody_auth_matrix_uvs_auth_token is defined %}
+MATRIX_UVS_AUTH_TOKEN={{ matrix_jitsi_prosody_auth_matrix_uvs_auth_token }}
+{% endif %}
+MATRIX_UVS_SYNC_POWER_LEVELS={{ 'true' if matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels else 'false' }}
 PUBLIC_URL={{ matrix_jitsi_web_public_url }}
 TURN_CREDENTIALS={{ matrix_jitsi_turn_credentials }}
 TURN_HOST={{ matrix_jitsi_turn_host }}
@@ -55,7 +61,7 @@ XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }}
 XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }}
 XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }}
 XMPP_MODULES={{ matrix_jitsi_xmpp_modules }}
-XMPP_MUC_MODULES=
+XMPP_MUC_MODULES={{ matrix_jitsi_muc_modules | join(',') }}
 XMPP_INTERNAL_MUC_MODULES=
 XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }}
 XMPP_CROSS_DOMAIN=true
diff --git a/roles/custom/matrix-jitsi/templates/web/custom-config.js.j2 b/roles/custom/matrix-jitsi/templates/web/custom-config.js.j2
index bbe85798a..2bde96a8b
--- a/roles/custom/matrix-jitsi/templates/web/custom-config.js.j2
+++ b/roles/custom/matrix-jitsi/templates/web/custom-config.js.j2
@@ -11,6 +11,10 @@ config.p2p.stunServers = [
 ];
 {% endif %}
+{% if matrix_jitsi_disable_gravatar %}
+config.gravatar = {'disabled': true};
+{% endif %}
+
 {% if matrix_jitsi_etherpad_enabled %}
 config.etherpad_base = {{ (matrix_jitsi_etherpad_base + '/p/') |to_json }}
 {% endif %}
diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml
index 6fbc019e2..5d5329b0e
--- a/roles/custom/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml
@@ -203,6 +203,8 @@ matrix_nginx_proxy_proxy_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }
 # Controls whether proxying the jitsi domain should be done.
 matrix_nginx_proxy_proxy_jitsi_enabled: false
 matrix_nginx_proxy_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}"
+matrix_nginx_proxy_proxy_jitsi_manage_wellknown: false
+matrix_nginx_proxy_proxy_jitsi_well_known_configuration_blocks: []
 # Controls whether proxying the grafana domain should be done.
 matrix_nginx_proxy_proxy_grafana_enabled: false
diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2
index 4d5a4ce7c..39dedfc8c
--- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2
+++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2
@@ -18,6 +18,15 @@
 {{- configuration_block }}
 {% endfor %}
+
+ {% if matrix_nginx_proxy_proxy_jitsi_manage_wellknown %}
+ location /.well-known {
+ root {{ matrix_static_files_base_path }};
+ expires 4h;
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ }
+ {% endif %}
+
 location / {
 {% if matrix_nginx_proxy_enabled %}
 {# Use the embedded DNS resolver in Docker containers to discover the service #}
@@ -75,7 +84,7 @@
 {% if matrix_nginx_proxy_enabled %}
 resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;
 set $backend {{ matrix_jitsi_xmpp_bosh_url_base }};
- proxy_pass $backend/xmpp-websocket;
+ proxy_pass $backend$request_uri;
 {% else %}
 {# Generic configuration for use outside of our container setup #}
 proxy_pass http://127.0.0.1:5280;
diff --git a/roles/custom/matrix-user-verification-service/defaults/main.yml b/roles/custom/matrix-user-verification-service/defaults/main.yml
new file mode 100644
index 000000000..a86d62357
--- /dev/null
+++ b/roles/custom/matrix-user-verification-service/defaults/main.yml
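Review bot: The new `location /.well-known` block serves the whole `.well-known` subtree of `{{ matrix_static_files_base_path }}` on the Jitsi hostname, with `Access-Control-Allow-Origin *` and a JSON default type applied to every file in it, while the uninstall task in this commit only removes `.well-known/element/jitsi`; if sharing the base-domain static directory is intended, a template comment such as `{# Serves {{ matrix_static_files_base_path }}/.well-known/* (e.g. element/jitsi); this directory is shared with the base-domain static files #}` would record that. `matrix_nginx_proxy_proxy_jitsi_well_known_configuration_blocks` is added to the defaults but nothing in these hunks renders it, so either the template should loop over it or the variable should go. The `proxy_pass $backend$request_uri;` change forwards whatever path the enclosing `location` matched instead of the fixed `/xmpp-websocket`; that `location` line is outside the hunk, so I could not verify that the matched prefix is what the BOSH backend expects.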
@@ -0,0 +1,81 @@
+---
+# Set this to the display name for ansible used in Output e.g. fail_msg
+matrix_user_verification_service_ansible_name: "Matrix User Verification Service"
+
+# Enable by default. This is overwritten in provided group vars.
+matrix_user_verification_service_enabled: true
+
+# Fix version tag
+matrix_user_verification_service_version: "v2.0.0"
+
+# Paths
+matrix_user_verification_service_base_path: "{{ matrix_base_data_path }}/user-verification-service"
+# We need the docker src directory to be named user_verification_service. See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/588
+matrix_user_verification_service_docker_src_files_path: "{{ matrix_user_verification_service_base_path }}/docker-src/user-verification-service"
+matrix_user_verification_service_config_path: "{{ matrix_user_verification_service_base_path }}/config"
+matrix_user_verification_service_config_env_file: "{{ matrix_user_verification_service_config_path }}/.env"
+
+# Set this to true in order to not use the docker image from docker hub, but rather build locally
+matrix_user_verification_service_container_image_self_build: false
+matrix_user_verification_service_container_image_self_build_repo: "https://github.com/matrix-org/matrix-user-verification-service.git"
+matrix_user_verification_service_container_image_self_build_branch: "{{ matrix_user_verification_service_version }}"
+
+# Docker
+matrix_user_verification_service_docker_image_name_prefix: "{{ 'localhost/' if matrix_user_verification_service_container_image_self_build else matrix_container_global_registry_prefix }}"
+matrix_user_verification_service_docker_image: "{{ matrix_user_verification_service_docker_image_name_prefix }}matrixdotorg/matrix-user-verification-service:{{ matrix_user_verification_service_version }}"
+matrix_user_verification_service_docker_image_force_pull: "{{ matrix_user_verification_service_docker_image.endswith(':latest') }}"
+
+matrix_user_verification_service_container_name: "matrix-user-verification-service"
+# Normally this would run on port 3000 however that may conflict with grafana. It is thus advised to change this port.
+#matrix_user_verification_service_container_http_host_bind_port:
+matrix_user_verification_service_container_extra_arguments: []
+# Systemd
+matrix_user_verification_service_systemd_required_services_list: []
+matrix_user_verification_service_systemd_wanted_services_list: []
+matrix_user_verification_service_systemd_service_basename: "matrix-user-verification-service"
+matrix_user_verification_service_systemd_service_name: "{{ matrix_user_verification_service_systemd_service_basename }}.service"
+
+# Matrix User Verification Service Configuration
+## REQUIRED
+
+# Homeserver client API admin token (synapse only)- Required for the service to verify room membership
+# matrix_user_verification_service_uvs_access_token:
+
+# homeserver client api url
+# matrix_user_verification_service_uvs_homeserver_url: ""
+# disable check for non private ip range of homeserver. e.g. set to `true` if your homeserver domain resolves to a private ip.
+matrix_user_verification_service_uvs_disable_ip_blacklist: false
+
+## OPTIONAL
+
+# Auth token to protect the API
+# If this is set any calls to the provided API endpoints
+# need have the header "Authorization: Bearer changeme".
+# matrix_user_verification_service_uvs_auth_token: changeme
+
+# Matrix server name to verify OpenID tokens against. See below section.
+# Defaults to empty value which means verification is made against
+# whatever Matrix server name passed in with the token
+# matrix_user_verification_service_uvs_openid_verify_server_name: matrix.org
+
+# Log level, defaults to 'info'
+# See choices here: https://github.com/winstonjs/winston#logging-levels
+# matrix_user_verification_service_uvs_log_level: info
+
+
+######################################################################
+##### #####
+##### Variables used in this role which are not set by this role #####
+##### #####
+######################################################################
+
+# matrix_user_username
+# matrix_user_groupname
+# matrix_user_uid
+# matrix_user_gid
+# matrix_container_global_registry_prefix
+# matrix_docker_network
+# devture_systemd_docker_base_systemd_path
+# devture_systemd_docker_base_systemd_unit_home_path
+# devture_systemd_docker_base_host_command_sh
+# devture_systemd_docker_base_host_command_docker
diff --git a/roles/custom/matrix-user-verification-service/handlers/main.yml b/roles/custom/matrix-user-verification-service/handlers/main.yml
new file mode 100644
index 000000000..a1ad1f31e
--- /dev/null
+++ b/roles/custom/matrix-user-verification-service/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Ensure systemd reloaded after matrix-user-verification-service.service installation
+ service:
+ daemon_reload: yes
+ listen: "reload matrix-user-verification-service"
diff --git a/roles/custom/matrix-user-verification-service/tasks/main.yml b/roles/custom/matrix-user-verification-service/tasks/main.yml
new file mode 100644
index 000000000..0f51d6cc5
--- /dev/null
+++ b/roles/custom/matrix-user-verification-service/tasks/main.yml
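Review bot: `matrix_user_verification_service_uvs_auth_token` is described as optional, but without it the verification API accepts any caller while the same process holds a homeserver admin token in `UVS_ACCESS_TOKEN`; the Jitsi `validate_config.yml` in this commit says the token is derived from `matrix_homeserver_generic_secret_key` when UVS is managed by the playbook, and these defaults should say the same, e.g. `# When the service is managed by this playbook the token is derived from matrix_homeserver_generic_secret_key (see group_vars); set it explicitly otherwise, as the API is unauthenticated without it.` `matrix_user_verification_service_container_http_host_bind_port` is only shipped as a commented-out line, yet the systemd template tests it in a `{% if %}`; I believe Ansible's templating errors on an undefined name there, so defining it with an empty value here would avoid that for every user who does not bind the port. The comment on the self-build repo variable points at a Docker Hub image, but `setup_install.yml` leaves self-build as a `# TODO`, so the variable currently has no effect and the comment should note that.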
@@ -0,0 +1,24 @@
+---
+
+- name: verify all necessary variables are present
+ assert:
+ that:
+ - matrix_user_verification_service_uvs_access_token is defined and matrix_user_verification_service_uvs_access_token|length
+ - matrix_user_verification_service_uvs_homeserver_url is defined and matrix_user_verification_service_uvs_homeserver_url|length
+ fail_msg: "Missing variable in {{ matrix_user_verification_service_ansible_name }} role"
+
+- block:
+ - when: run_setup | bool and matrix_user_verification_service_enabled | bool
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
+ tags:
+ - setup-all
+ - setup-user-verification-service
+ - install-all
+ - install-user-verification-service
+
+- block:
+ - when: run_setup | bool and not matrix_user_verification_service_enabled | bool
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
+ tags:
+ - setup-all
+ - setup-user-verification-service
diff --git a/roles/custom/matrix-user-verification-service/tasks/setup_install.yml b/roles/custom/matrix-user-verification-service/tasks/setup_install.yml
new file mode 100644
index 000000000..5d1d28454
--- /dev/null
+++ b/roles/custom/matrix-user-verification-service/tasks/setup_install.yml
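Review bot: The `assert` has no `when` and no tags, so it fires in an untagged run even when `matrix_user_verification_service_enabled` is false and only the uninstall path will execute, and it is skipped entirely in a tagged `setup-all` run where the install actually needs the values. Guard it with `when: matrix_user_verification_service_enabled | bool` and give it the same `setup-all` / `setup-user-verification-service` tags as the install block so it runs exactly when the admin token and homeserver URL are about to be used. Stylistically, each `block` wraps a single task, so the `when` and `tags` could sit directly on the `include_tasks`.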
@@ -0,0 +1,42 @@
+---
+
+- name: "Ensure Matrix User Verification Service paths exist"
+ ansible.builtin.file:
+ path: "{{ item.path }}"
+ state: directory
+ mode: 0750
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_groupname }}"
+ with_items:
+ - { path: "{{ matrix_user_verification_service_config_path }}", when: true }
+ - { path: "{{ matrix_user_verification_service_docker_src_files_path }}", when: "{{ matrix_user_verification_service_container_image_self_build }}" }
+ when: item.when | bool
+
+- name: Ensure Matrix User Verification Service image is pulled
+ community.docker.docker_image:
+ name: "{{ matrix_user_verification_service_docker_image }}"
+ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+ force_source: "{{ matrix_user_verification_service_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+ force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_user_verification_service_docker_image_force_pull }}"
+ when: "not matrix_user_verification_service_container_image_self_build | bool"
+ register: result
+ retries: "{{ devture_playbook_help_container_retries_count }}"
+ delay: "{{ devture_playbook_help_container_retries_delay }}"
+ until: result is not failed
+
+#- block:
+# TODO
+# when: "matrix_user_verification_service_container_image_self_build|bool"
+
+- name: write env file
+ ansible.builtin.template:
+ src: "{{ role_path }}/templates/.env.j2"
+ dest: "{{ matrix_user_verification_service_config_env_file }}"
+ mode: 0644
+
+- name: Ensure matrix-user-verification-service.service installed
+ ansible.builtin.template:
+ src: "{{ role_path }}/templates/systemd/matrix-user-verification-service.service.j2"
+ dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}"
+ mode: 0644
+ notify: "reload matrix-user-verification-service"
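Review bot: The `write env file` task renders `.env` — which carries `UVS_ACCESS_TOKEN` (a homeserver admin token per the role defaults) and optionally `UVS_AUTH_TOKEN` — with `mode: 0644` and no `owner`/`group`, so the secrets are world-readable on the host and owned by whatever account Ansible connected as, even though the config directory above it is created `0750` for `matrix_user_username`. Use `mode: 0640`, `owner: "{{ matrix_user_username }}"`, `group: "{{ matrix_user_groupname }}"` so only the service account (the container runs as `matrix_user_uid:matrix_user_gid`) can read it. The self-build branch is left as `# TODO` while `matrix_user_verification_service_container_image_self_build` is already exposed: with it set, nothing builds the `localhost/` image the unit references and the service fails at start, so either implement it or reject `true` in the role's assert. `register: result` is a generic name shared across roles; a role-prefixed name avoids accidental reuse.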
diff --git a/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml b/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml
new file mode 100644
index 000000000..2a14d96ac
--- /dev/null
+++ b/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml
@@ -0,0 +1,35 @@
+---
+
+- name: Check existence of matrix-user-verification-service service
+ stat:
+ path: "{{ matrix_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}"
+ register: matrix_user_verification_service_service_stat
+
+- name: Ensure matrix-user-verification-service is stopped
+ service:
+ name: "{{ matrix_user_verification_service_systemd_service_basename }}"
+ state: stopped
+ daemon_reload: yes
+ register: stopping_result
+ when: "matrix_user_verification_service_service_stat.stat.exists|bool"
+
+- name: Ensure matrix-user-verification-service.service doesn't exist
+ file:
+ path: "{{ matrix_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}"
+ state: absent
+ when: "matrix_user_verification_service_service_stat.stat.exists|bool"
+
+- name: Ensure systemd reloaded after matrix-user-verification-service.service removal
+ service:
+ daemon_reload: yes
+ when: "matrix_user_verification_service_service_stat.stat.exists|bool"
+
+- name: Ensure Matrix user-verification-service paths don't exist
+ file:
+ path: "{{ matrix_user_verification_service_base_path }}"
+ state: absent
+
+- name: Ensure user-verification-service Docker image doesn't exist
+ docker_image:
+ name: "{{ matrix_user_verification_service_docker_image }}"
+ state: absent
diff --git a/roles/custom/matrix-user-verification-service/templates/.env.j2 b/roles/custom/matrix-user-verification-service/templates/.env.j2
new file mode 100644
index 000000000..b2f2aaab8
--- /dev/null
+++ b/roles/custom/matrix-user-verification-service/templates/.env.j2
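Review bot: The `stat` and the unit-removal task build the path from `matrix_systemd_path`, whereas `setup_install.yml` in this commit writes the unit under `devture_systemd_docker_base_systemd_path` and the role defaults list only the latter among the externally provided variables; if the two differ, or `matrix_systemd_path` is not defined, the uninstall never finds the unit and leaves the service running with its file in place. Use `path: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}"` in both tasks. `stopping_result` is registered but never read and can be dropped. Deleting `matrix_user_verification_service_base_path` also removes the `.env` holding the admin token, which is correct only because the service was stopped earlier in the file; a one-line comment on that task stating the ordering dependency would keep a later reorder from breaking it.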
@@ -0,0 +1,14 @@
+UVS_ACCESS_TOKEN={{ matrix_user_verification_service_uvs_access_token }}
+UVS_HOMESERVER_URL={{ matrix_user_verification_service_uvs_homeserver_url }}
+UVS_DISABLE_IP_BLACKLIST={{ matrix_user_verification_service_uvs_disable_ip_blacklist }}
+
+{% if matrix_user_verification_service_uvs_auth_token is defined and matrix_user_verification_service_uvs_auth_token|length %}
+ UVS_AUTH_TOKEN={{ matrix_user_verification_service_uvs_auth_token }}
+{% endif %}
+{% if matrix_user_verification_service_uvs_openid_verify_server_name is defined and matrix_user_verification_service_uvs_openid_verify_server_name|length %}
+ UVS_OPENID_VERIFY_SERVER_NAME={{ matrix_user_verification_service_uvs_openid_verify_server_name }}
+{% endif %}
+{% if matrix_user_verification_service_uvs_log_level is defined and matrix_user_verification_service_uvs_log_level|length %}
+ UVS_LOG_LEVEL={{ matrix_user_verification_service_uvs_log_level }}
+{% endif %}
+
diff --git a/roles/custom/matrix-user-verification-service/templates/systemd/matrix-user-verification-service.service.j2 b/roles/custom/matrix-user-verification-service/templates/systemd/matrix-user-verification-service.service.j2
new file mode 100644
index 000000000..eb24b1281
--- /dev/null
+++ b/roles/custom/matrix-user-verification-service/templates/systemd/matrix-user-verification-service.service.j2
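Review bot: The three conditional assignments are indented inside their `{% if %}` blocks, so the rendered file contains ` UVS_AUTH_TOKEN=…` with leading whitespace; whether the service's dotenv parser tolerates that I could not confirm from here, and a silently ignored `UVS_AUTH_TOKEN` would leave the API unauthenticated while the operator believes it is protected. Start those three lines at column 0 like the unconditional ones. `UVS_DISABLE_IP_BLACKLIST={{ … }}` renders the Ansible boolean as `True`/`False`; the Jitsi `env.j2` in this same commit writes its boolean as `{{ 'true' if … else 'false' }}`, and the same form here avoids depending on the consumer's case handling.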
@@ -0,0 +1,42 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description={{ matrix_user_verification_service_ansible_name }}
+{% for service in matrix_user_verification_service_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_user_verification_service_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_user_verification_service_container_name }} 2>/dev/null'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_user_verification_service_container_name }} 2>/dev/null'
+
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {{ matrix_user_verification_service_container_name }}\
+ --log-driver=none \
+ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+ --cap-drop=ALL \
+ --read-only \
+ --network={{ matrix_docker_network }} \
+ {% if matrix_user_verification_service_container_http_host_bind_port %}
+ -p {{ matrix_user_verification_service_container_http_host_bind_port }}:3000 \
+ {% endif %}
+ --mount type=bind,src={{ matrix_user_verification_service_config_env_file }},dst=/app/.env,ro \
+ {% for arg in matrix_user_verification_service_container_extra_arguments %}
+ {{ arg }} \
+ {% endfor %}
+ {{ matrix_user_verification_service_docker_image }}
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_user_verification_service_container_name }} 2>/dev/null'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_user_verification_service_container_name }} 
2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier={{ matrix_user_verification_service_systemd_service_basename }} + +[Install] +WantedBy=multi-user.target From c86720eeaee2fad2c598431309e409839049ae3b Mon Sep 17 00:00:00 2001 From: Thomas Baer Date: Thu, 5 Jan 2023 14:10:06 +0100 Subject: [PATCH 221/915] convert to list from generator selectattr() returns a generator object, an iterator. This leads to an exception later, lists can't concated to iterators, only to other lists. So '| list' converts the iterator to a list and the script runs happily. --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 2a9e0414a..33c124014 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -283,7 +283,7 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-nginx-proxy.service', 'priority': 3000, 'groups': ['matrix', 'nginx', 'reverse-proxies']}] if matrix_nginx_proxy_enabled else []) + - (matrix_ssl_renewal_systemd_units_list | selectattr('applicable') | selectattr('enableable')) + (matrix_ssl_renewal_systemd_units_list | selectattr('applicable') | selectattr('enableable') | list ) + ([{'name': 'matrix-ntfy.service', 'priority': 800, 'groups': ['matrix', 'ntfy']}] if matrix_ntfy_enabled else []) + From 36d8ea281cc4721d8b9c5d6b6793a2ee92b47f08 Mon Sep 17 00:00:00 2001 
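Review bot: `{% if matrix_user_verification_service_container_http_host_bind_port %}` tests a variable that the role defaults ship only as a commented-out line, so with a stock configuration the template is rendered against an undefined name; as far as I can tell Ansible's templating raises on that instead of treating it as false, which would break `setup_install.yml` for everyone who does not bind the port. `{% if matrix_user_verification_service_container_http_host_bind_port | default('') %}` (or an empty default in `defaults/main.yml`) fixes it. The `--name {{ … }}\` line has no space before its continuation backslash; systemd replaces the backslash-newline with a space so it happens to work, but `… }} \` matches the other lines and does not rely on that. The container hardening (`--cap-drop=ALL`, `--read-only`, the read-only `.env` bind mount) is the right default for a service holding an admin token.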
From: James Collier <26444312+MaybeJustJames@users.noreply.github.com> Date: Fri, 6 Jan 2023 20:09:07 +1100 Subject: [PATCH 222/915] Allow the mautrix whatsapp relaybot to be enabled with a variable (#2381) * Allow the mautrix whatsapp relaybot to be enable with a variable This allows a user to enable the relaybot by setting a variable in `vars.yml` in the same way that the mautrix signal relaybot is configured. * Correct default values for mautrix whatsapp relaybot variables * Add documentation for using the relaybot with mautrix whatsapp * Adjust variable names to better reflect what they do * Set default variables properly and use to_json in template --- .../configuring-playbook-bridge-mautrix-whatsapp.md | 13 +++++++++++++ .../defaults/main.yml | 6 ++++++ .../templates/config.yaml.j2 | 4 ++-- 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-bridge-mautrix-whatsapp.md b/docs/configuring-playbook-bridge-mautrix-whatsapp.md index 8ae6e5a04..b08556fe7 100644 --- a/docs/configuring-playbook-bridge-mautrix-whatsapp.md +++ b/docs/configuring-playbook-bridge-mautrix-whatsapp.md 
@@ -11,6 +11,19 @@ matrix_mautrix_whatsapp_enabled: true ``` Whatsapp multidevice beta is required, now it is enough if Whatsapp is connected to the Internet every 2 weeks. +The relay bot functionality is off by default. If you would like to enable the relay bot, add the following to your `vars.yml` file: +```yaml +matrix_mautrix_whatsapp_bridge_relay_enabled: true +``` + +By default, only admins are allowed to set themselves as relay users. To allow anyone on your homeserver to set themselves as relay users add this to your `vars.yml` file: +```yaml +matrix_mautrix_whatsapp_bridge_relay_admin_only: false +``` + +If you want to activate the relay bot in a room, use `!whatsapp set-relay`. +Use `!whatsapp unset-relay` to deactivate. + ## Enable backfilling history This requires a server with MSC2716 support, which is currently an experimental feature in synapse. Note that as of Synapse 1.46, there are still some bugs with the implementation, especially if using event persistence workers. diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 1307d09ed..3a722eeb0 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -102,6 +102,12 @@ matrix_mautrix_whatsapp_bridge_permissions: | | combine({matrix_admin: 'admin'} if matrix_admin else {}) }} +# Enable bridge relay functionality +matrix_mautrix_whatsapp_bridge_relay_enabled: false + +# Only allow admins on this home server to set themselves as a relay user +matrix_mautrix_whatsapp_bridge_relay_admin_only: true + # Default mautrix-whatsapp configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # 
diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 index 4b5af2e93..0962ac4dd 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 @@ -396,9 +396,9 @@ bridge: relay: # Whether relay mode should be allowed. If allowed, `!wa set-relay` can be used to turn any # authenticated user into a relaybot for that chat. - enabled: false + enabled: {{ matrix_mautrix_whatsapp_bridge_relay_enabled | to_json }} # Should only admins be allowed to set themselves as relay users? - admin_only: true + admin_only: {{ matrix_mautrix_whatsapp_bridge_relay_admin_only | to_json }} # The formats to use when sending messages to WhatsApp via the relaybot. message_formats: m.text: "{{ '{{ .Sender.Displayname }}' }}: {{ '{{ .Message }}' }}" From 38151c9fd327f3533271b8dcd561c7c6e810c142 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 6 Jan 2023 11:03:18 +0000 Subject: [PATCH 223/915] Update heisenbridge 1.14.0 -> 1.14.1 --- roles/custom/matrix-bridge-heisenbridge/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml b/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml index 48101db1d..d51bb9133 100644 --- a/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml +++ b/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml @@ -4,7 +4,7 @@ matrix_heisenbridge_enabled: true -matrix_heisenbridge_version: 1.14.0 +matrix_heisenbridge_version: 1.14.1 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}" matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}" From b487bb67498fca22b266f83aab446a7a8a4a0cd2 Mon Sep 17 00:00:00 2001 
From: Aine Date: Sun, 8 Jan 2023 22:05:43 +0200 Subject: [PATCH 224/915] unify image prefixes --- roles/custom/matrix-bot-buscarron/defaults/main.yml | 4 ++-- roles/custom/matrix-bot-honoroit/defaults/main.yml | 4 ++-- roles/custom/matrix-bot-postmoogle/defaults/main.yml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/custom/matrix-bot-buscarron/defaults/main.yml b/roles/custom/matrix-bot-buscarron/defaults/main.yml index 290248e0a..60ed165c8 100644 --- a/roles/custom/matrix-bot-buscarron/defaults/main.yml +++ b/roles/custom/matrix-bot-buscarron/defaults/main.yml @@ -10,8 +10,8 @@ matrix_bot_buscarron_docker_repo_version: "{{ matrix_bot_buscarron_version }}" matrix_bot_buscarron_docker_src_files_path: "{{ matrix_base_data_path }}/buscarron/docker-src" matrix_bot_buscarron_version: v1.3.0 -matrix_bot_buscarron_docker_image: "{{ matrix_bot_buscarron_docker_image_name_prefix }}buscarron:{{ matrix_bot_buscarron_version }}" -matrix_bot_buscarron_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_buscarron_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}" +matrix_bot_buscarron_docker_image: "{{ matrix_bot_buscarron_docker_image_name_prefix }}etke.cc/buscarron:{{ matrix_bot_buscarron_version }}" +matrix_bot_buscarron_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_buscarron_container_image_self_build else 'registry.gitlab.com/' }}" matrix_bot_buscarron_docker_image_force_pull: "{{ matrix_bot_buscarron_docker_image.endswith(':latest') }}" matrix_bot_buscarron_base_path: "{{ matrix_base_data_path }}/buscarron" diff --git a/roles/custom/matrix-bot-honoroit/defaults/main.yml b/roles/custom/matrix-bot-honoroit/defaults/main.yml index 186ef3f4e..e880df4f0 100644 --- a/roles/custom/matrix-bot-honoroit/defaults/main.yml +++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml 
@@ -10,8 +10,8 @@ matrix_bot_honoroit_docker_repo_version: "{{ matrix_bot_honoroit_version }}" matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src" matrix_bot_honoroit_version: v0.9.16 -matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}honoroit:{{ matrix_bot_honoroit_version }}" -matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}" +matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}etke.cc/honoroit:{{ matrix_bot_honoroit_version }}" +matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/' }}" matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}" matrix_bot_honoroit_base_path: "{{ matrix_base_data_path }}/honoroit" diff --git a/roles/custom/matrix-bot-postmoogle/defaults/main.yml b/roles/custom/matrix-bot-postmoogle/defaults/main.yml index 14795d1f3..b8e42828f 100644 --- a/roles/custom/matrix-bot-postmoogle/defaults/main.yml +++ b/roles/custom/matrix-bot-postmoogle/defaults/main.yml 
@@ -10,8 +10,8 @@ matrix_bot_postmoogle_docker_repo_version: "{{ 'main' if matrix_bot_postmoogle_v matrix_bot_postmoogle_docker_src_files_path: "{{ matrix_base_data_path }}/postmoogle/docker-src" matrix_bot_postmoogle_version: v0.9.10 -matrix_bot_postmoogle_docker_image: "{{ matrix_bot_postmoogle_docker_image_name_prefix }}postmoogle:{{ matrix_bot_postmoogle_version }}" -matrix_bot_postmoogle_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_postmoogle_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}" +matrix_bot_postmoogle_docker_image: "{{ matrix_bot_postmoogle_docker_image_name_prefix }}etke.cc/postmoogle:{{ matrix_bot_postmoogle_version }}" +matrix_bot_postmoogle_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_postmoogle_container_image_self_build else 'registry.gitlab.com/' }}" matrix_bot_postmoogle_docker_image_force_pull: "{{ matrix_bot_postmoogle_docker_image.endswith(':latest') }}" matrix_bot_postmoogle_base_path: "{{ matrix_base_data_path }}/postmoogle" From 1d1fd7053cf141d0ce9b92f55974e382f09f0831 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 9 Jan 2023 18:55:13 +0200 Subject: [PATCH 225/915] ewoutp/goofys:latest -> docker.io/ewoutp/goofys:latest --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 07eb803ed..ba6c265ed 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml 
@@ -815,7 +815,7 @@ matrix_synapse_ext_synapse_s3_storage_provider_update_db_day_count: 0
 matrix_s3_media_store_enabled: false
 matrix_s3_media_store_custom_endpoint_enabled: false
-matrix_s3_goofys_docker_image: "ewoutp/goofys:latest"
+matrix_s3_goofys_docker_image: "docker.io/ewoutp/goofys:latest"
 matrix_s3_goofys_docker_image_force_pull: "{{ matrix_s3_goofys_docker_image.endswith(':latest') }}"
 matrix_s3_media_store_custom_endpoint: "your-custom-endpoint"
 matrix_s3_media_store_bucket_name: "your-bucket-name"
From 6bd909bbb7f2578777eb126a5cb9f6ad4628cc89 Mon Sep 17 00:00:00 2001
From: Aine
Date: Mon, 9 Jan 2023 22:18:37 +0200
Subject: [PATCH 226/915] add mode var for synapse ext ldap auth
---
 roles/custom/matrix-synapse/defaults/main.yml | 1 +
 roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 1 +
 2 files changed, 2 insertions(+)
diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml
index ba6c265ed..d2e5d6411 100644
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -725,6 +725,7 @@ matrix_synapse_ext_password_provider_shared_secret_config_yaml: |
 matrix_synapse_ext_password_provider_ldap_enabled: false
 matrix_synapse_ext_password_provider_ldap_uri: "ldap://ldap.mydomain.tld:389"
 matrix_synapse_ext_password_provider_ldap_start_tls: true
+matrix_synapse_ext_password_provider_ldap_mode: "search"
 matrix_synapse_ext_password_provider_ldap_base: ""
 matrix_synapse_ext_password_provider_ldap_attributes_uid: "uid"
 matrix_synapse_ext_password_provider_ldap_attributes_mail: "mail"
diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
index d2dd1c743..1885aeef1 100644
--- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
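Review bot: `matrix_s3_goofys_docker_image` remains on the mutable `:latest` tag, and the `matrix_s3_goofys_docker_image_force_pull` line directly below it makes the playbook re-pull the image on every run, so the container that receives the S3 credentials and mounts the media store is whatever upstream most recently pushed. Qualifying the registry name is a sound first step; pinning to an immutable reference is the second, e.g. `matrix_s3_goofys_docker_image: "docker.io/ewoutp/goofys@sha256:<DIGEST_PLACEHOLDER>"` with the digest taken from the registry at upgrade time. A digest reference also switches force-pull off automatically, because the `endswith(':latest')` check no longer matches.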
@@ -2511,6 +2511,7 @@ password_providers: - module: "ldap_auth_provider.LdapAuthProvider" config: enabled: true + mode: {{ matrix_synapse_ext_password_provider_ldap_mode | string | to_json }} uri: {{ matrix_synapse_ext_password_provider_ldap_uri | string|to_json }} start_tls: {{ matrix_synapse_ext_password_provider_ldap_start_tls|to_json }} base: {{ matrix_synapse_ext_password_provider_ldap_base | string|to_json }} From fc9eaa6ec5ebb87d00d6224a686c0dcf25266dda Mon Sep 17 00:00:00 2001 From: Cody Wyatt Neiman Date: Mon, 9 Jan 2023 15:52:38 -0500 Subject: [PATCH 227/915] Remove git version for s3 storage provider --- docs/configuring-playbook-synapse-s3-storage-provider.md | 2 -- roles/custom/matrix-synapse/defaults/main.yml | 2 +- .../templates/synapse/customizations/Dockerfile.j2 | 4 ---- 3 files changed, 1 insertion(+), 7 deletions(-) diff --git a/docs/configuring-playbook-synapse-s3-storage-provider.md b/docs/configuring-playbook-synapse-s3-storage-provider.md index 4b0770273..4f6314e4a 100644 --- a/docs/configuring-playbook-synapse-s3-storage-provider.md +++ b/docs/configuring-playbook-synapse-s3-storage-provider.md @@ -45,8 +45,6 @@ matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class: STANDARD # matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled: true matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key: ssec-key-goes-here # Generate with: cat /dev/urandom | base64 | head -c 32 matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo: AES256 -# Using the git version is also required for SSE-C until > v1.1.2 is released -matrix_synapse_ext_synapse_s3_storage_provider_version: git # For additional advanced settings, take a look at `roles/custom/matrix-synapse/defaults/main.yml` ``` diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 4da590a5e..519279192 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml 
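Review bot: The new `mode` key is passed straight through to the LDAP auth provider with no validation, and the default `"search"` in the matching `defaults/main.yml` hunk carries no comment saying what the setting selects or which values are accepted. A misspelled value only surfaces when Synapse loads the provider, and for a password provider that means logins stop working. I'd add above the default a comment such as `# Authentication mode for the LDAP provider; see the matrix-synapse-ldap3 README for the supported values.` and a fail task in the role's config validation that rejects anything the module does not document. The enclosing `password_providers` block starts and ends outside the hunk.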
+++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -791,7 +791,7 @@ matrix_synapse_ext_encryption_config_yaml: | # Installing it requires building a customized Docker image for Synapse (see `matrix_synapse_container_image_customizations_enabled`). # Enabling this will enable customizations and inject the appropriate Dockerfile clauses for installing synapse-s3-storage-provider. matrix_synapse_ext_synapse_s3_storage_provider_enabled: false -matrix_synapse_ext_synapse_s3_storage_provider_version: 1.1.2 +matrix_synapse_ext_synapse_s3_storage_provider_version: 1.2.0 # Controls whether media from this (local) server is stored in s3-storage-provider matrix_synapse_ext_synapse_s3_storage_provider_store_local: true # Controls whether media from remote servers is stored in s3-storage-provider diff --git a/roles/custom/matrix-synapse/templates/synapse/customizations/Dockerfile.j2 b/roles/custom/matrix-synapse/templates/synapse/customizations/Dockerfile.j2 index 65375aeeb..3919e9557 100644 --- a/roles/custom/matrix-synapse/templates/synapse/customizations/Dockerfile.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/customizations/Dockerfile.j2 @@ -1,11 +1,7 @@ FROM {{ matrix_synapse_docker_image }} {% if matrix_synapse_container_image_customizations_s3_storage_provider_installation_enabled %} -{% if matrix_synapse_ext_synapse_s3_storage_provider_version == 'git' %} -RUN apt-get update -yq && apt-get install -yq git && pip install git+https://github.com/matrix-org/synapse-s3-storage-provider.git -{% else %} RUN pip install synapse-s3-storage-provider=={{ matrix_synapse_ext_synapse_s3_storage_provider_version }} {% endif %} -{% endif %} {{ matrix_synapse_container_image_customizations_dockerfile_body_custom }} From f0d1e23c9d3891524e89bee72a8202c500661850 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Tue, 10 Jan 2023 09:22:55 +0200 Subject: [PATCH 228/915] Move around whitelines --- .../ext/s3-storage-provider/media_storage_provider.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 index e888e3c53..ac2b58dbb 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 @@ -12,8 +12,8 @@ config: {% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %} sse_customer_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key | to_json }} sse_customer_algo: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo | to_json }} - {% endif %} + storage_class: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class | to_json }} threadpool_size: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_threadpool_size | to_json }} From 0ec1868b951b4632767f7065277def9011918abc Mon Sep 17 00:00:00 2001 
From: bertybuttface <110790513+bertybuttface@users.noreply.github.com> Date: Mon, 2 Jan 2023 18:16:38 +0000 Subject: [PATCH 229/915] Add matrix-bot-chatgpt. Co-Authored-By: Slavi Pantaleev --- README.md | 1 + docs/configuring-playbook-bot-chatgpt.md | 69 ++++++++++++++++ group_vars/matrix_servers | 2 + playbooks/matrix.yml | 1 + .../matrix-bot-chatgpt/defaults/main.yml | 78 +++++++++++++++++++ .../custom/matrix-bot-chatgpt/tasks/main.yml | 20 +++++ .../tasks/setup_install.yml | 63 +++++++++++++++ .../tasks/setup_uninstall.yml | 25 ++++++ .../tasks/validate_config.yml | 12 +++ .../matrix-bot-chatgpt/templates/env.j2 | 25 ++++++ .../systemd/matrix-bot-chatgpt.service.j2 | 40 ++++++++++ 11 files changed, 336 insertions(+) create mode 100644 docs/configuring-playbook-bot-chatgpt.md create mode 100644 roles/custom/matrix-bot-chatgpt/defaults/main.yml create mode 100644 roles/custom/matrix-bot-chatgpt/tasks/main.yml create mode 100644 roles/custom/matrix-bot-chatgpt/tasks/setup_install.yml create mode 100644 roles/custom/matrix-bot-chatgpt/tasks/setup_uninstall.yml create mode 100644 roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml create mode 100644 roles/custom/matrix-bot-chatgpt/templates/env.j2 create mode 100644 roles/custom/matrix-bot-chatgpt/templates/systemd/matrix-bot-chatgpt.service.j2 diff --git a/README.md b/README.md index 177c2a0d8..2a09ef418 100644 --- a/README.md +++ b/README.md 
@@ -130,6 +130,7 @@ Bots provide various additional functionality to your installation. | [Go-NEB](https://github.com/matrix-org/go-neb) | x | A multi functional bot written in Go | [Link](docs/configuring-playbook-bot-go-neb.md) | | [Mjolnir](https://github.com/matrix-org/mjolnir) | x | A moderation tool for Matrix | [Link](docs/configuring-playbook-bot-mjolnir.md) | | [Buscarron](https://gitlab.com/etke.cc/buscarron) | x | Web forms (HTTP POST) to matrix | [Link](docs/configuring-playbook-bot-buscarron.md) | +| [matrix-chatgpt-bot](https://github.com/matrixgpt/matrix-chatgpt-bot) | x | ChatGPT from matrix | [Link](docs/configuring-playbook-bot-chatgpt.md) | ### Administration diff --git a/docs/configuring-playbook-bot-chatgpt.md b/docs/configuring-playbook-bot-chatgpt.md new file mode 100644 index 000000000..49b3fddef --- /dev/null +++ b/docs/configuring-playbook-bot-chatgpt.md 
@@ -0,0 +1,69 @@ +# Setting up ChatGPT (optional) + +The playbook can install and configure [matrix-chatgpt-bot](https://github.com/matrixgpt/matrix-chatgpt-bot) for you. + +Talk to ChatGPT via your favourite Matrix client! + + +## 1. Register the bot account + +The playbook does not automatically create users for you. The bot requires an access token to be able to connect to your homeserver. + +You **need to register the bot user manually** before setting up the bot. + +Choose a strong password for the bot. You can generate a good password with a command like this: `pwgen -s 64 1`. + +You can use the playbook to [register a new user](registering-users.md): + +``` +ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.chatgpt password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user +``` + + +## 2. Get an access token + +Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md). + + +## 3. Adjusting the playbook configuration + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs): + +```yaml +matrix_bot_chatgpt_enabled: true +# See instructions on +# https://www.npmjs.com/package/chatgpt +matrix_bot_chatgpt_openai_email: '' +matrix_bot_chatgpt_openai_password: '' +matrix_bot_chatgpt_openai_login_type: google +# With the @ and :DOMAIN, ie @SOMETHING:DOMAIN +matrix_bot_chatgpt_matrix_bot_username: '@bot.chatgpt:{{ matrix_domain }}' +# Matrix access token (from bot user above) +# see: https://webapps.stackexchange.com/questions/131056/how-to-get-an-access-token-for-element-riot-matrix +matrix_bot_chatgpt_matrix_access_token: '' +matrix_bot_chatgpt_matrix_default_prefix: '!chatgpt ' +matrix_bot_chatgpt_matrix_default_prefix_reply: false +matrix_bot_chatgpt_matrix_whitelist: ':{{ matrix_domain }}' +``` + +You will need to get tokens for ChatGPT. + + +## 4. 
Installing + +After configuring the playbook, run the [installation](installing.md) command again: + +```sh +ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start +``` + +**Notes**: + +- if you change the bot password (`matrix_bot_chatgpt_matrix_password` in your `vars.yml` file) subsequently, the bot user's credentials on the homeserver won't be updated automatically. If you'd like to change the bot user's password, use a tool like [synapse-admin](configuring-playbook-synapse-admin.md) to change it, and then update `matrix_bot_chatgpt_matrix_password` to let the bot know its new password + + +## Usage + +To use the bot, invite the `@bot.chatgpt:DOMAIN` to the room you specified in a config, after that start speaking to it, use the prefix if you configured one or mention the bot. + +You can also refer to the upstream [documentation](https://github.com/matrixgpt/matrix-chatgpt-bot). diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 33c124014..6b8efb334 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -187,6 +187,8 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-bot-postmoogle.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'postmoogle']}] if matrix_bot_postmoogle_enabled else []) + + ([{'name': 'matrix-bot-chatgpt.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'chatgpt']}] if matrix_bot_chatgpt_enabled else []) + + ([{'name': 'matrix-appservice-discord.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'appservice-discord']}] if matrix_appservice_discord_enabled else []) + ([{'name': 'matrix-appservice-irc.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'appservice-irc']}] if matrix_appservice_irc_enabled else []) diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index 088ea6406..b0b83109c 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml 
@@ -78,6 +78,7 @@ - custom/matrix-bot-postmoogle - custom/matrix-bot-go-neb - custom/matrix-bot-mjolnir + - custom/matrix-bot-chatgpt - custom/matrix-cactus-comments - custom/matrix-synapse - custom/matrix-synapse-reverse-proxy-companion diff --git a/roles/custom/matrix-bot-chatgpt/defaults/main.yml b/roles/custom/matrix-bot-chatgpt/defaults/main.yml new file mode 100644 index 000000000..002ebabd5 --- /dev/null +++ b/roles/custom/matrix-bot-chatgpt/defaults/main.yml 
@@ -0,0 +1,78 @@ +--- +# chatgpt is a bot for chatting to openAI chatgpt matrix bot +# Project source code URL: https://github.com/matrixgpt/matrix-chatgpt-bot + +matrix_bot_chatgpt_enabled: true + +matrix_bot_chatgpt_container_image_self_build: false +matrix_bot_chatgpt_docker_repo: "https://github.com/matrixgpt/matrix-chatgpt-bot" +matrix_bot_chatgpt_docker_repo_version: "{{ 'latest' if matrix_bot_chatgpt_version == 'latest' else matrix_bot_chatgpt_version }}" +matrix_bot_chatgpt_docker_src_files_path: "{{ matrix_base_data_path }}/chatgpt/docker-src" + +matrix_bot_chatgpt_version: 1.1.1 +matrix_bot_chatgpt_docker_image: "{{ matrix_bot_chatgpt_docker_image_name_prefix }}matrixgpt/matrix-chatgpt-bot:{{ matrix_bot_chatgpt_version }}" +matrix_bot_chatgpt_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_chatgpt_container_image_self_build else 'ghcr.io/' }}" +matrix_bot_chatgpt_docker_image_force_pull: "{{ matrix_bot_chatgpt_docker_image.endswith(':latest') }}" + +matrix_bot_chatgpt_base_path: "{{ matrix_base_data_path }}/chatgpt" +matrix_bot_chatgpt_config_path: "{{ matrix_bot_chatgpt_base_path }}/config" +matrix_bot_chatgpt_data_path: "{{ matrix_bot_chatgpt_base_path }}/data" + +# A list of extra arguments to pass to the container +matrix_bot_chatgpt_container_extra_arguments: [] + +# List of systemd services that matrix-bot-chatgpt.service depends on +matrix_bot_chatgpt_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-bot-chatgpt.service wants +matrix_bot_chatgpt_systemd_wanted_services_list: [] + +# ChatGPT Settings +matrix_bot_chatgpt_openai_email: '' # OPENAI_EMAIL= +matrix_bot_chatgpt_openai_password: '' # OPENAI_PASSWORD= +matrix_bot_chatgpt_openai_login_type: 'google' # OPENAI_LOGIN_TYPE="google" + +# Matrix Static Settings (required, see notes) +# Defaults to "https://matrix.org" +matrix_bot_chatgpt_matrix_homeserver_url: "{{ matrix_homeserver_container_url }}" # MATRIX_HOMESERVER_URL= +# With the @ and 
:DOMAIN, ie @SOMETHING:DOMAIN, needs to be set, created manually beforehand. +matrix_bot_chatgpt_matrix_bot_username: '@bot.chatgpt:{{ matrix_domain }}' # MATRIX_BOT_USERNAME= +# Set `MATRIX_BOT_PASSWORD` the bot will print an `MATRIX_ACCESS_TOKEN` to the terminal +# or https://webapps.stackexchange.com/questions/131056/how-to-get-an-access-token-for-element-riot-matrix +matrix_bot_chatgpt_matrix_access_token: '' # MATRIX_ACCESS_TOKEN= +# Once `MATRIX_BOT_ACCESS_TOKEN` is set this is no longer used. +matrix_bot_chatgpt_matrix_bot_password: '' # MATRIX_BOT_PASSWORD= + +# Matrix Configurable Settings Defaults (optional) +matrix_bot_chatgpt_matrix_default_prefix: "!chatgpt " # MATRIX_DEFAULT_PREFIX= Leave prefix blank to reply to all messages, trailing space matters +matrix_bot_chatgpt_matrix_default_prefix_reply: false # MATRIX_DEFAULT_PREFIX_REPLY= + +# Matrix Access Control (optional) +matrix_bot_chatgpt_matrix_blacklist: '' +matrix_bot_chatgpt_matrix_whitelist: ':{{ matrix_domain }}' + +# Matrix Feature Flags (optional) +matrix_bot_chatgpt_matrix_autojoin: true # MATRIX_AUTOJOIN=true +matrix_bot_chatgpt_matrix_encryption: true # MATRIX_ENCRYPTION=true +matrix_bot_chatgpt_matrix_threads: true # MATRIX_THREADS=true +matrix_bot_chatgpt_matrix_rich_text: true # MATRIX_RICH_TEXT=true + + +# A list of admins +# Example set of rules: +# matrix_bot_chatgpt_admins: +# - @someone:example.com +# - @another:example.com +# - @bot.*:example.com +# - @*:another.com +# matrix_bot_chatgpt_admins: "{{ [matrix_admin] if matrix_admin else [] }}" + +# Log level +# matrix_bot_chatgpt_loglevel: 'INFO' + +# Additional environment variables to pass to the chatgpt container +# +# Example: +# matrix_bot_chatgpt_environment_variables_extension: | +# chatgpt_TEXT_DONE=Done +matrix_bot_chatgpt_environment_variables_extension: '' diff --git a/roles/custom/matrix-bot-chatgpt/tasks/main.yml b/roles/custom/matrix-bot-chatgpt/tasks/main.yml new file mode 100644 index 000000000..c5487fb81 
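Review bot: The inline documentation in this new defaults file contradicts itself in several places. `# Defaults to "https://matrix.org"` sits above a value whose actual default is `{{ matrix_homeserver_container_url }}`; the comment `# Once MATRIX_BOT_ACCESS_TOKEN is set this is no longer used.` names a variable that does not exist, since the env var emitted by `env.j2` is `MATRIX_ACCESS_TOKEN`; and `matrix_bot_chatgpt_matrix_blacklist` / `matrix_bot_chatgpt_matrix_whitelist` are the only settings with neither the `# MATRIX_…=` annotation nor any note on how the pattern is matched, even though the whitelist is the only thing limiting who can spend the configured OpenAI account. I'd correct the first two comments and annotate the access-control pair with `# MATRIX_WHITELIST= — who may talk to the bot; matching rules per upstream docs` (hedged, as the matching semantics are not visible here).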
--- /dev/null +++ b/roles/custom/matrix-bot-chatgpt/tasks/main.yml @@ -0,0 +1,20 @@ +--- + +- block: + - when: matrix_bot_chatgpt_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_bot_chatgpt_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-bot-chatgpt + - install-all + - install-bot-chatgpt + +- block: + - when: not matrix_bot_chatgpt_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + tags: + - setup-all + - setup-bot-chatgpt diff --git a/roles/custom/matrix-bot-chatgpt/tasks/setup_install.yml b/roles/custom/matrix-bot-chatgpt/tasks/setup_install.yml new file mode 100644 index 000000000..5ae5ea953 --- /dev/null +++ b/roles/custom/matrix-bot-chatgpt/tasks/setup_install.yml 
@@ -0,0 +1,63 @@ +--- +- name: Ensure chatgpt paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {path: "{{ matrix_bot_chatgpt_config_path }}", when: true} + - {path: "{{ matrix_bot_chatgpt_data_path }}", when: true} + - {path: "{{ matrix_bot_chatgpt_docker_src_files_path }}", when: matrix_bot_chatgpt_container_image_self_build} + when: "item.when | bool" + +- name: Ensure chatgpt environment variables file created + ansible.builtin.template: + src: "{{ role_path }}/templates/env.j2" + dest: "{{ matrix_bot_chatgpt_config_path }}/env" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + mode: 0640 + +- name: Ensure chatgpt image is pulled + community.docker.docker_image: + name: "{{ matrix_bot_chatgpt_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_bot_chatgpt_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_chatgpt_docker_image_force_pull }}" + when: "not matrix_bot_chatgpt_container_image_self_build | bool" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- name: Ensure chatgpt repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_bot_chatgpt_docker_repo }}" + version: "{{ matrix_bot_chatgpt_docker_repo_version }}" + dest: "{{ matrix_bot_chatgpt_docker_src_files_path }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_bot_chatgpt_git_pull_results + when: "matrix_bot_chatgpt_container_image_self_build | bool" + +- name: Ensure chatgpt image is built + community.docker.docker_image: 
+ name: "{{ matrix_bot_chatgpt_docker_image }}" + source: build + force_source: "{{ matrix_bot_chatgpt_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_bot_chatgpt_docker_src_files_path }}" + pull: true + when: "matrix_bot_chatgpt_container_image_self_build | bool" + +- name: Ensure matrix-bot-chatgpt.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-bot-chatgpt.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-chatgpt.service" + mode: 0644 + register: matrix_bot_chatgpt_systemd_service_result diff --git a/roles/custom/matrix-bot-chatgpt/tasks/setup_uninstall.yml b/roles/custom/matrix-bot-chatgpt/tasks/setup_uninstall.yml new file mode 100644 index 000000000..4a50d7337 --- /dev/null +++ b/roles/custom/matrix-bot-chatgpt/tasks/setup_uninstall.yml @@ -0,0 +1,25 @@ +--- + +- name: Check existence of matrix-chatgpt service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-chatgpt.service" + register: matrix_bot_chatgpt_service_stat + +- when: matrix_bot_chatgpt_service_stat.stat.exists | bool + block: + - name: Ensure matrix-chatgpt is stopped + ansible.builtin.service: + name: matrix-bot-chatgpt + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure matrix-bot-chatgpt.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-chatgpt.service" + state: absent + + - name: Ensure Matrix chatgpt paths don't exist + ansible.builtin.file: + path: "{{ matrix_bot_chatgpt_base_path }}" + state: absent 
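Review bot: The `force:` line of the `Ensure chatgpt image is built` task reads `matrix_mailer_git_pull_results.changed`, a variable this role never registers; the git task above registers `matrix_bot_chatgpt_git_pull_results`, which the `force_source:` line right before it already uses. On Ansible versions where the `else` branch is taken, the task fails with an undefined variable instead of building. Change it to `force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_chatgpt_git_pull_results.changed }}"`.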
diff --git a/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml b/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml new file mode 100644 index 000000000..f68d0e5c2 --- /dev/null +++ b/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml @@ -0,0 +1,12 @@ +--- + +- name: Fail if required Chatgpt settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" + with_items: + - {'name': 'matrix_bot_chatgpt_openai_email', when: true} + - {'name': 'matrix_bot_chatgpt_openai_password', when: true} + - {'name': 'matrix_bot_chatgpt_openai_login_type', when: true} + - {'name': 'matrix_bot_chatgpt_matrix_bot_username', when: true} diff --git a/roles/custom/matrix-bot-chatgpt/templates/env.j2 b/roles/custom/matrix-bot-chatgpt/templates/env.j2 new file mode 100644 index 000000000..8837fe3ef --- /dev/null +++ b/roles/custom/matrix-bot-chatgpt/templates/env.j2 
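Review bot: The fail task checks the OpenAI credentials and the bot username but not how the bot authenticates to the homeserver: both `matrix_bot_chatgpt_matrix_access_token` and `matrix_bot_chatgpt_matrix_bot_password` default to `''`, so an inventory that sets neither passes validation and the container only fails at runtime. Add a second fail task with `when: "matrix_bot_chatgpt_matrix_access_token == '' and matrix_bot_chatgpt_matrix_bot_password == ''"` and a message naming the two settings. Note also that `vars[item.name] == ''` is an exact string comparison, so a whitespace-only value slips through; `vars[item.name] | trim == ''` would close that gap.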
@@ -0,0 +1,25 @@
+MATRIX_HOMESERVER_URL={{ matrix_bot_chatgpt_matrix_homeserver_url }}
+MATRIX_ACCESS_TOKEN={{ matrix_bot_chatgpt_matrix_access_token }}
+
+OPENAI_EMAIL={{ matrix_bot_chatgpt_openai_email }}
+OPENAI_PASSWORD={{ matrix_bot_chatgpt_openai_password }}
+OPENAI_LOGIN_TYPE={{ matrix_bot_chatgpt_openai_login_type }}
+
+# With the @ and :DOMAIN, ie @SOMETHING:DOMAIN
+MATRIX_BOT_USERNAME={{ matrix_bot_chatgpt_matrix_bot_username }}
+MATRIX_BOT_PASSWORD={{ matrix_bot_chatgpt_matrix_bot_password }}
+
+MATRIX_DEFAULT_PREFIX={{ matrix_bot_chatgpt_matrix_default_prefix }}
+MATRIX_DEFAULT_PREFIX_REPLY={{ matrix_bot_chatgpt_matrix_default_prefix_reply|lower }}
+
+MATRIX_BLACKLIST={{ matrix_bot_chatgpt_matrix_blacklist }}
+MATRIX_WHITELIST={{ matrix_bot_chatgpt_matrix_whitelist }}
+
+MATRIX_AUTOJOIN={{ matrix_bot_chatgpt_matrix_autojoin|lower }}
+MATRIX_ENCRYPTION={{ matrix_bot_chatgpt_matrix_encryption|lower }}
+MATRIX_THREADS={{ matrix_bot_chatgpt_matrix_threads|lower }}
+MATRIX_RICH_TEXT={{ matrix_bot_chatgpt_matrix_rich_text|lower }}
+
+DATA_PATH=/data/
+
+{{ matrix_bot_chatgpt_environment_variables_extension }}
diff --git a/roles/custom/matrix-bot-chatgpt/templates/systemd/matrix-bot-chatgpt.service.j2 b/roles/custom/matrix-bot-chatgpt/templates/systemd/matrix-bot-chatgpt.service.j2
new file mode 100644
index 000000000..4a528126a
--- /dev/null
+++ b/roles/custom/matrix-bot-chatgpt/templates/systemd/matrix-bot-chatgpt.service.j2
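Review bot: `MATRIX_BOT_PASSWORD` is written into the env file unconditionally, although the role's own defaults comment states the password is no longer used once the access token is set. That keeps a long-lived account password on disk and in the container environment with no benefit after bootstrap; emitting it only while the token is empty preserves the first-run path, e.g. `{% if matrix_bot_chatgpt_matrix_access_token == '' %}` / `MATRIX_BOT_PASSWORD={{ matrix_bot_chatgpt_matrix_bot_password }}` / `{% endif %}`. The secrets are also interpolated raw into an `--env-file`, where each line is taken literally, so a value containing a newline would break the file — presumably rare, but worth a comment next to the token and password lines.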
@@ -0,0 +1,40 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix chatgpt bot +{% for service in matrix_bot_chatgpt_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_bot_chatgpt_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-chatgpt 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-chatgpt 2>/dev/null || true' + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-bot-chatgpt \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --tmpfs /tmp \ + --network={{ matrix_docker_network }} \ + --env-file={{ matrix_bot_chatgpt_config_path }}/env \ + --mount type=bind,src={{ matrix_bot_chatgpt_data_path }},dst=/data \ + {% for arg in matrix_bot_chatgpt_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_bot_chatgpt_docker_image }} + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-chatgpt 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-chatgpt 2>/dev/null || true' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-bot-chatgpt + +[Install] +WantedBy=multi-user.target From 0b8829339360342e584836c4f251f150771824fd Mon Sep 17 00:00:00 2001 
From: bertybuttface <110790513+bertybuttface@users.noreply.github.com>
Date: Tue, 10 Jan 2023 14:09:08 +0000
Subject: [PATCH 230/915] Bump ChatGPT version.
---
 roles/custom/matrix-bot-chatgpt/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-bot-chatgpt/defaults/main.yml b/roles/custom/matrix-bot-chatgpt/defaults/main.yml
index 002ebabd5..f85fc8f56 100644
--- a/roles/custom/matrix-bot-chatgpt/defaults/main.yml
+++ b/roles/custom/matrix-bot-chatgpt/defaults/main.yml
@@ -9,7 +9,7 @@ matrix_bot_chatgpt_docker_repo: "https://github.com/matrixgpt/matrix-chatgpt-bot
 matrix_bot_chatgpt_docker_repo_version: "{{ 'latest' if matrix_bot_chatgpt_version == 'latest' else matrix_bot_chatgpt_version }}"
 matrix_bot_chatgpt_docker_src_files_path: "{{ matrix_base_data_path }}/chatgpt/docker-src"
 
-matrix_bot_chatgpt_version: 1.1.1
+matrix_bot_chatgpt_version: 1.2.1
 matrix_bot_chatgpt_docker_image: "{{ matrix_bot_chatgpt_docker_image_name_prefix }}matrixgpt/matrix-chatgpt-bot:{{ matrix_bot_chatgpt_version }}"
 matrix_bot_chatgpt_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_chatgpt_container_image_self_build else 'ghcr.io/' }}"
 matrix_bot_chatgpt_docker_image_force_pull: "{{ matrix_bot_chatgpt_docker_image.endswith(':latest') }}"
From 8d3ce50d1bb0d2d364ba32e0b7100579f98afff4 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Tue, 10 Jan 2023 17:20:33 +0200
Subject: [PATCH 231/915] Disable chatgpt from group_vars/matrix_servers by default
---
 group_vars/matrix_servers | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 6b8efb334..5e1f01237 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -1616,6 +1616,22 @@ matrix_bot_postmoogle_database_password: "{{ '%s' | format(matrix_homeserver_gen ###################################################################### +###################################################################### +# +# matrix-bot-chatgpt +# +###################################################################### + +# We don't enable bots by default. +matrix_bot_chatgpt_enabled: false + +###################################################################### +# +# /matrix-bot-chatgpt +# +###################################################################### + + ###################################################################### # # matrix-bot-go-neb From ddfab6042797311d8c87a2abda2c58ed95800f60 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 10 Jan 2023 17:20:50 +0200 Subject: [PATCH 232/915] Enable self-building for chatgpt for arm32 --- group_vars/matrix_servers | 2 ++ 1 file changed, 2 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 5e1f01237..78c45d0b8 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1625,6 +1625,8 @@ matrix_bot_postmoogle_database_password: "{{ '%s' | format(matrix_homeserver_gen # We don't enable bots by default. matrix_bot_chatgpt_enabled: false +matrix_bot_chatgpt_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" + ###################################################################### # # /matrix-bot-chatgpt From 9ecca2cbb9a3785046e5d79d560ab540ce0000a5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 10 Jan 2023 17:22:54 +0200 Subject: [PATCH 233/915] Update documentation with more chatgpt mentions --- docs/configuring-playbook-bot-chatgpt.md | 2 +- docs/configuring-playbook.md | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bot-chatgpt.md b/docs/configuring-playbook-bot-chatgpt.md index 49b3fddef..1856fb356 100644 
--- a/docs/configuring-playbook-bot-chatgpt.md +++ b/docs/configuring-playbook-bot-chatgpt.md @@ -2,7 +2,7 @@ The playbook can install and configure [matrix-chatgpt-bot](https://github.com/matrixgpt/matrix-chatgpt-bot) for you. -Talk to ChatGPT via your favourite Matrix client! +Talk to [ChatGPT](https://openai.com/blog/chatgpt/) via your favourite Matrix client! ## 1. Register the bot account diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index fa00c858d..27ff1baeb 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -161,6 +161,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins ### Bots +- [Setting up matrix-bot-chatgpt](configuring-playbook-bot-chatgpt.md) - talk to [ChatGPT](https://openai.com/blog/chatgpt/) via your favourite Matrix client (optional) + - [Setting up matrix-reminder-bot](configuring-playbook-bot-matrix-reminder-bot.md) - a bot to remind you about stuff (optional) - [Setting up matrix-registration-bot](configuring-playbook-bot-matrix-registration-bot.md) - a bot to create and manage registration tokens to invite users (optional) From a96a22c925051866a41cfbae4e4ca9d4452b7442 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 10 Jan 2023 17:26:59 +0200 Subject: [PATCH 234/915] chatgpt docs updates --- docs/configuring-playbook-bot-chatgpt.md | 16 ++++++---------- .../custom/matrix-bot-chatgpt/defaults/main.yml | 3 ++- 2 files changed, 8 insertions(+), 11 deletions(-) diff --git a/docs/configuring-playbook-bot-chatgpt.md b/docs/configuring-playbook-bot-chatgpt.md index 1856fb356..eb0c75966 100644 --- a/docs/configuring-playbook-bot-chatgpt.md +++ b/docs/configuring-playbook-bot-chatgpt.md 
@@ -31,19 +31,19 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars. ```yaml matrix_bot_chatgpt_enabled: true + # See instructions on # https://www.npmjs.com/package/chatgpt matrix_bot_chatgpt_openai_email: '' matrix_bot_chatgpt_openai_password: '' matrix_bot_chatgpt_openai_login_type: google -# With the @ and :DOMAIN, ie @SOMETHING:DOMAIN -matrix_bot_chatgpt_matrix_bot_username: '@bot.chatgpt:{{ matrix_domain }}' + +# This is the default username +# matrix_bot_chatgpt_matrix_bot_username_localpart: 'bot.chatgpt' + # Matrix access token (from bot user above) # see: https://webapps.stackexchange.com/questions/131056/how-to-get-an-access-token-for-element-riot-matrix matrix_bot_chatgpt_matrix_access_token: '' -matrix_bot_chatgpt_matrix_default_prefix: '!chatgpt ' -matrix_bot_chatgpt_matrix_default_prefix_reply: false -matrix_bot_chatgpt_matrix_whitelist: ':{{ matrix_domain }}' ``` You will need to get tokens for ChatGPT. @@ -54,13 +54,9 @@ You will need to get tokens for ChatGPT. After configuring the playbook, run the [installation](installing.md) command again: ```sh -ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start +ansible-playbook -i inventory/hosts setup.yml --tags=install-all,start ``` -**Notes**: - -- if you change the bot password (`matrix_bot_chatgpt_matrix_password` in your `vars.yml` file) subsequently, the bot user's credentials on the homeserver won't be updated automatically. If you'd like to change the bot user's password, use a tool like [synapse-admin](configuring-playbook-synapse-admin.md) to change it, and then update `matrix_bot_chatgpt_matrix_password` to let the bot know its new password - ## Usage diff --git a/roles/custom/matrix-bot-chatgpt/defaults/main.yml b/roles/custom/matrix-bot-chatgpt/defaults/main.yml index f85fc8f56..361aa3511 100644 --- a/roles/custom/matrix-bot-chatgpt/defaults/main.yml +++ b/roles/custom/matrix-bot-chatgpt/defaults/main.yml 
@@ -36,7 +36,8 @@ matrix_bot_chatgpt_openai_login_type: 'google' # OPENAI_LOGIN_TYPE="google" # Defaults to "https://matrix.org" matrix_bot_chatgpt_matrix_homeserver_url: "{{ matrix_homeserver_container_url }}" # MATRIX_HOMESERVER_URL= # With the @ and :DOMAIN, ie @SOMETHING:DOMAIN, needs to be set, created manually beforehand. -matrix_bot_chatgpt_matrix_bot_username: '@bot.chatgpt:{{ matrix_domain }}' # MATRIX_BOT_USERNAME= +matrix_bot_chatgpt_matrix_bot_username_localpart: 'bot.chatgpt' +matrix_bot_chatgpt_matrix_bot_username: "@{{ matrix_bot_chatgpt_matrix_bot_username_localpart }}:{{ matrix_domain }}" # MATRIX_BOT_USERNAME= # Set `MATRIX_BOT_PASSWORD` the bot will print an `MATRIX_ACCESS_TOKEN` to the terminal # or https://webapps.stackexchange.com/questions/131056/how-to-get-an-access-token-for-element-riot-matrix matrix_bot_chatgpt_matrix_access_token: '' # MATRIX_ACCESS_TOKEN= From 20558589cba14e294bd28262479c01d7d49465ce Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 10 Jan 2023 17:31:21 +0200 Subject: [PATCH 235/915] Announce matrix-bot-chatgpt Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2386 --- CHANGELOG.md | 9 +++++++++ docs/configuring-playbook.md | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3be19f005..11b5d39ab 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2023-01-10 + +## ChatGPT support + +Thanks to [@bertybuttface](https://github.com/bertybuttface), the playbook can now help you set up [matrix-chatgpt-bot](https://github.com/matrixgpt/matrix-chatgpt-bot) - a bot through which you can talk to the [ChatGPT](https://openai.com/blog/chatgpt/) model. + +See our [Setting up matrix-bot-chatgpt](docs/configuring-playbook-bot-chatgpt.md) documentation to get started. + + # 2022-11-30 ## matrix-postgres-backup has been replaced by the com.devture.ansible.role.postgres_backup external role 
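Review bot: The comment kept above the new `matrix_bot_chatgpt_matrix_bot_username_localpart` line still reads `# With the @ and :DOMAIN, ie @SOMETHING:DOMAIN, needs to be set, created manually beforehand.`, which now describes the derived `matrix_bot_chatgpt_matrix_bot_username` two lines below rather than the localpart it sits on. I would change it to `# Localpart only (no @ or :DOMAIN). The full MXID is built in matrix_bot_chatgpt_matrix_bot_username below; the account must be created manually beforehand.` so the two variables are not confused when someone overrides the wrong one. Keeping the `# MATRIX_BOT_USERNAME=` trailer on the derived line looks right, since that is presumably the value handed to the container.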
diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 27ff1baeb..f9af7c6bb 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -161,7 +161,7 @@ When you're done with all the configuration you'd like to do, continue with [Ins ### Bots -- [Setting up matrix-bot-chatgpt](configuring-playbook-bot-chatgpt.md) - talk to [ChatGPT](https://openai.com/blog/chatgpt/) via your favourite Matrix client (optional) +- [Setting up matrix-bot-chatgpt](configuring-playbook-bot-chatgpt.md) - a bot through which you can talk to the [ChatGPT](https://openai.com/blog/chatgpt/) model(optional) - [Setting up matrix-reminder-bot](configuring-playbook-bot-matrix-reminder-bot.md) - a bot to remind you about stuff (optional) From 275a739b22d7375e3e07b3d91785e1fe5b2e4597 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 11 Jan 2023 10:38:54 +0200 Subject: [PATCH 236/915] Announce maurtix-slack Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2227 --- CHANGELOG.md | 9 +++++++++ docs/configuring-playbook-bridge-appservice-slack.md | 2 +- docs/configuring-playbook-bridge-mx-puppet-slack.md | 3 +-- docs/configuring-playbook.md | 2 ++ 4 files changed, 13 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 11b5d39ab..daf3e97bf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,12 @@ +# 2023-01-11 + +## mautrix-slack support + +Thanks to [Cody Neiman](https://github.com/xangelix)'s efforts, the playbook now supports bridging to [Slack](https://slack.com/) via the [mautrix-slack](https://mau.dev/mautrix/slack) bridge. See our [Setting up Mautrix Slack bridging](docs/configuring-playbook-bridge-mautrix-slack.md) documentation page for getting started. + +**Note**: this is a new Slack bridge. The playbook still retains Slack bridging via [matrix-appservice-slack](docs/configuring-playbook-bridge-appservice-slack.md) and [mx-puppet-slack](docs/configuring-playbook-bridge-mx-puppet-slack.md). You're free too use the bridge that serves you better, or even all three of them (for different users and use-cases). + + # 2023-01-10 ## ChatGPT support diff --git a/docs/configuring-playbook-bridge-appservice-slack.md b/docs/configuring-playbook-bridge-appservice-slack.md index fc2bf1662..3e6f798e4 100644 --- a/docs/configuring-playbook-bridge-appservice-slack.md +++ b/docs/configuring-playbook-bridge-appservice-slack.md @@ -1,6 +1,6 @@ # Setting up Appservice Slack (optional) -**Note**: bridging to [Slack](https://slack.com) can also happen via the [mx-puppet-slack](configuring-playbook-bridge-mx-puppet-slack.md) bridge supported by the playbook. +**Note**: bridging to [Slack](https://slack.com) can also happen via the [mx-puppet-slack](configuring-playbook-bridge-mx-puppet-slack.md) and [mautrix-slack](configuring-playbook-bridge-mautrix-slack.md) bridges supported by the playbook. The playbook can install and configure [matrix-appservice-slack](https://github.com/matrix-org/matrix-appservice-slack) for you. diff --git a/docs/configuring-playbook-bridge-mx-puppet-slack.md b/docs/configuring-playbook-bridge-mx-puppet-slack.md index 8db159d70..c195b8b50 100644 --- a/docs/configuring-playbook-bridge-mx-puppet-slack.md +++ b/docs/configuring-playbook-bridge-mx-puppet-slack.md 
@@ -1,8 +1,7 @@ # Setting up MX Puppet Slack (optional) **Note**: bridging to [Slack](https://slack.com) can also happen via the -[matrix-appservice-slack](configuring-playbook-bridge-appservice-slack.md) -bridge supported by the playbook. +[matrix-appservice-slack](configuring-playbook-bridge-appservice-slack.md) and [mautrix-slack](configuring-playbook-bridge-mautrix-slack.md) bridges supported by the playbook. The playbook can install and configure [Beeper](https://www.beeper.com/)-maintained fork of [mx-puppet-slack](https://gitlab.com/beeper/mx-puppet-monorepo) for you. diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index f9af7c6bb..b2724598a 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -106,6 +106,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Mautrix Telegram bridging](configuring-playbook-bridge-mautrix-telegram.md) (optional) +- [Setting up Mautrix Slack bridging](configuring-playbook-bridge-mautrix-slack.md) (optional) + - [Setting up Mautrix Whatsapp bridging](configuring-playbook-bridge-mautrix-whatsapp.md) (optional) - [Setting up Mautrix Facebook bridging](configuring-playbook-bridge-mautrix-facebook.md) (optional) From ecb5c077f6d5eb4fb0ee6a2a7de42abde84c9629 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 11 Jan 2023 10:41:09 +0200 Subject: [PATCH 237/915] Fix typo (too -> to) --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index daf3e97bf..e01d69d6e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,7 +4,7 @@ Thanks to [Cody Neiman](https://github.com/xangelix)'s efforts, the playbook now supports bridging to [Slack](https://slack.com/) via the [mautrix-slack](https://mau.dev/mautrix/slack) bridge. See our [Setting up Mautrix Slack bridging](docs/configuring-playbook-bridge-mautrix-slack.md) documentation page for getting started. -**Note**: this is a new Slack bridge. The playbook still retains Slack bridging via [matrix-appservice-slack](docs/configuring-playbook-bridge-appservice-slack.md) and [mx-puppet-slack](docs/configuring-playbook-bridge-mx-puppet-slack.md). You're free too use the bridge that serves you better, or even all three of them (for different users and use-cases). +**Note**: this is a new Slack bridge. The playbook still retains Slack bridging via [matrix-appservice-slack](docs/configuring-playbook-bridge-appservice-slack.md) and [mx-puppet-slack](docs/configuring-playbook-bridge-mx-puppet-slack.md). You're free to use the bridge that serves you better, or even all three of them (for different users and use-cases). # 2023-01-10 
@@ -371,7 +371,7 @@ matrix_homeserver_implementation: conduit Thanks to [MdotAmaan](https://github.com/MdotAmaan)'s efforts, the playbook now supports bridging to [Discord](https://discordapp.com/) via the [mautrix-discord](https://mau.dev/mautrix/discord) bridge. See our [Setting up Mautrix Discord bridging](docs/configuring-playbook-bridge-mautrix-discord.md) documentation page for getting started. -**Note**: this is a new Discord bridge. The playbook still retains Discord bridging via [matrix-appservice-discord](docs/configuring-playbook-bridge-appservice-discord.md) and [mx-puppet-discord](docs/configuring-playbook-bridge-mx-puppet-discord.md). You're free too use the bridge that serves you better, or even all three of them (for different users and use-cases). +**Note**: this is a new Discord bridge. The playbook still retains Discord bridging via [matrix-appservice-discord](docs/configuring-playbook-bridge-appservice-discord.md) and [mx-puppet-discord](docs/configuring-playbook-bridge-mx-puppet-discord.md). You're free to use the bridge that serves you better, or even all three of them (for different users and use-cases). # 2022-07-27 From 0c472c172ec5636b3e7e8ee6abd1c81c74bd47da Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 11 Jan 2023 13:51:35 +0200 Subject: [PATCH 238/915] Upgrade mjolnir (v1.6.1 -> v1.6.3) --- roles/custom/matrix-bot-mjolnir/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-mjolnir/defaults/main.yml b/roles/custom/matrix-bot-mjolnir/defaults/main.yml index b17f2f4b7..e6e0fab5d 100644 --- a/roles/custom/matrix-bot-mjolnir/defaults/main.yml +++ b/roles/custom/matrix-bot-mjolnir/defaults/main.yml @@ -4,7 +4,7 @@ matrix_bot_mjolnir_enabled: true -matrix_bot_mjolnir_version: "v1.6.1" +matrix_bot_mjolnir_version: "v1.6.3" matrix_bot_mjolnir_container_image_self_build: false matrix_bot_mjolnir_container_image_self_build_repo: "https://github.com/matrix-org/mjolnir.git" 
From a529bca7566710675cbe5f743a1dd8eba7854cf7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 11 Jan 2023 15:05:49 +0200 Subject: [PATCH 239/915] Add justfile We keep the Makefile for now, but don't mention it to new users anymore. --- docs/installing.md | 6 ++-- docs/maintenance-upgrading-services.md | 4 +-- docs/prerequisites.md | 2 +- docs/registering-users.md | 10 +++++- justfile | 44 ++++++++++++++++++++++++++ playbooks/matrix.yml | 2 +- 6 files changed, 61 insertions(+), 7 deletions(-) create mode 100644 justfile diff --git a/docs/installing.md b/docs/installing.md index 3bbc9a44c..7e2edf6c5 100644 --- a/docs/installing.md +++ b/docs/installing.md @@ -2,7 +2,7 @@ If you've [configured your DNS](configuring-dns.md) and have [configured the playbook](configuring-playbook.md), you can start the installation procedure. -**Before installing** and each time you update the playbook in the future, you will need to update the Ansible roles in this playbook by running `make roles`. `make roles` is a shortcut (a `roles` target defined in [`Makefile`](Makefile) and executed by the [`make`](https://www.gnu.org/software/make/) utility) which ultimately runs [ansible-galaxy](https://docs.ansible.com/ansible/latest/cli/ansible-galaxy.html) to download Ansible roles. If you don't have `make`, you can also manually run the `roles` commands seen in the `Makefile`. +**Before installing** and each time you update the playbook in the future, you will need to update the Ansible roles in this playbook by running `just roles`. `just roles` is a shortcut (a `roles` target defined in [`justfile`](justfile) and executed by the [`just`](https://github.com/casey/just) utility) which ultimately runs [ansible-galaxy](https://docs.ansible.com/ansible/latest/cli/ansible-galaxy.html) to download Ansible roles. If you don't have `just`, you can also manually run the `roles` commands seen in the `justfile`. ## Playbook tags introduction 
@@ -57,7 +57,7 @@ Proceed to [Maintaining your setup in the future](#2-maintaining-your-setup-in-t If you will be importing data into your newly created Matrix server, install it, but **do not** start its services just yet. Starting its services or messing with its database now will affect your data import later on. -To do the installation **without** starting services, run only the `setup-all` tag: +To do the installation **without** starting services, run only the `install-all` tag: ```sh ansible-playbook -i inventory/hosts setup.yml --tags=install-all @@ -88,6 +88,8 @@ Feel free to **re-run the setup command any time** you think something is off wi Note that if you remove components from `vars.yml`, or if we switch some component from being installed by default to not being installed by default anymore, you'd need to run the setup command with `--tags=setup-all` instead of `--tags=install-all`. See [Playbook tags introduction](#playbook-tags-introduction) +A way to invoke these `ansible-playbook` commands with less typing in the future is to use [just](https://github.com/casey/just) to run them: `just install-all` or `just setup-all`. See [our `justfile`](../../justfile) for more information. + ## 3. Finalize the installation diff --git a/docs/maintenance-upgrading-services.md b/docs/maintenance-upgrading-services.md index d1c707fd6..b65eadd77 100644 --- a/docs/maintenance-upgrading-services.md +++ b/docs/maintenance-upgrading-services.md 
@@ -10,8 +10,8 @@ To upgrade services: - take a look at [the changelog](../CHANGELOG.md) to see if there have been any backward-incompatible changes that you need to take care of -- download the upstream Ansible roles used by the playbook by running `make roles` +- download the upstream Ansible roles used by the playbook by running `just roles` -- re-run the [playbook setup](installing.md) and restart all serivces: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,ensure-matrix-users-created,start` +- re-run the [playbook setup](installing.md) and restart all services: `just setup-all` **Note**: major version upgrades to the internal PostgreSQL database are not done automatically. To upgrade it, refer to the [upgrading PostgreSQL guide](maintenance-postgres.md#upgrading-postgresql). diff --git a/docs/prerequisites.md b/docs/prerequisites.md index c0a906408..83ae42dae 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -22,7 +22,7 @@ If your distro runs within an [LXC container](https://linuxcontainers.org/), you - [`git`](https://git-scm.com/) is the recommended way to download the playbook to your computer. `git` may also be required on the server if you will be [self-building](self-building.md) components. -- [`make`](https://www.gnu.org/software/make/) for running `make roles`, etc. (see [`Makefile`](../Makefile)), although you can also run these commands manually (without `make`) +- [`just`](https://github.com/casey/just) for running `just roles`, etc. (see [`justfile`](../justfile)), although you can also run these commands manually - An HTTPS-capable web server at the base domain name (``) which is capable of serving static files. Unless you decide to [Serve the base domain from the Matrix server](configuring-playbook-base-domain-serving.md) or alternatively, to use DNS SRV records for [Server Delegation](howto-server-delegation.md). 
diff --git a/docs/registering-users.md b/docs/registering-users.md index 321346b65..51fdef346 100644 --- a/docs/registering-users.md +++ b/docs/registering-users.md @@ -16,13 +16,21 @@ Table of contents: You can do it via this Ansible playbook (make sure to edit the `` and `` part below): +```sh +just register-user + +# Example: `just register-user john secret-password yes` ``` + +**or** by invoking `ansible-playbook` manually: + +```sh ansible-playbook -i inventory/hosts setup.yml --extra-vars='username= password= admin=' --tags=register-user ``` **or** using the command-line after **SSH**-ing to your server (requires that [all services have been started](#starting-the-services)): -``` +```sh /matrix/synapse/bin/register-user ``` diff --git a/justfile b/justfile new file mode 100644 index 000000000..4b6dfbfb1 --- /dev/null +++ b/justfile 
@@ -0,0 +1,44 @@ +# Shows help +default: + @just --list --justfile {{ justfile() }} + +# Pulls external Ansible roles +roles: + rm -rf roles/galaxy + ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force + +# Runs ansible-lint against all roles in the playbook +lint: + ansible-lint + +# Runs the playbook with --tags=install-all,ensure-matrix-users-created,start and optional arguments +install-all *extra_args: (run-tags "install-all,ensure-matrix-users-created,start" extra_args) + +# Runs the playbook with --tags=setup-all,ensure-matrix-users-created,start and optional arguments +setup-all *extra_args: (run-tags "setup-all,ensure-matrix-users-created,start" extra_args) + +# Runs the playbook with the given list of arguments +run +extra_args: + time ansible-playbook -i inventory/hosts setup.yml {{ extra_args }} + +# Runs the playbook with the given list of comma-separated tags and optional arguments +run-tags tags *extra_args: + just --justfile {{ justfile() }} run --tags={{ tags }} {{ extra_args }} + +# Runs the playbook in user-registration mode +register-user username password admin_yes_or_no *extra_args: + time ansible-playbook -i inventory/hosts setup.yml --tags=register-user --extra-vars="username={{ username }} password={{ password }} admin={{ admin_yes_or_no }}" {{ extra_args }} + +# Starts all services +start-all *extra_args: (run-tags "start-all" extra_args) + +# Starts a specific service group +start-group group *extra_args: + @just --justfile {{ justfile() }} run-tags start-group --extra-vars="group={{ group }}" {{ extra_args }} + +# Stops all services +stop-all *extra_args: (run-tags "stop-all" extra_args) + +# Stops a specific service group +stop-group group *extra_args: + @just --justfile {{ justfile() }} run-tags stop-group --extra-vars="group={{ group }}" {{ extra_args }} diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index 1723d8afe..409328aec 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml 
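Review bot: The `register-user` recipe puts the account password into the `ansible-playbook` argv through `--extra-vars="... password={{ password }} ..."`, so it lands in the caller's shell history and is readable by any local user via process listings for the duration of the run; the `just register-user john secret-password yes` example in docs/registering-users.md has the same property. `just` substitutes `{{ password }}` verbatim into a double-quoted shell string, so a password containing whitespace, `$`, a backtick or a double quote is likely to break the key=value parsing or be re-interpreted by the shell. I would document this above the recipe, e.g. `# Note: the password is passed on the command line (visible in shell history and process listings); for sensitive values prefer ansible's --extra-vars @file form with a file only you can read`. As a point of style, the recipe also duplicates the `time ansible-playbook -i inventory/hosts setup.yml` invocation that `run` already wraps, while every other recipe delegates to `run`/`run-tags`.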
@@ -4,7 +4,7 @@ become: true roles: - # Most of the roles below are not distributed with the playbook, but downloaded separately using `ansible-galaxy` via the `make roles` command (see `Makefile`). + # Most of the roles below are not distributed with the playbook, but downloaded separately using `ansible-galaxy` via the `just roles` command (see `justfile`). - role: galaxy/com.devture.ansible.role.playbook_help - role: galaxy/com.devture.ansible.role.systemd_docker_base From 17438bd0dd9aba21841820877b107e753a0de134 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 11 Jan 2023 19:24:35 +0200 Subject: [PATCH 240/915] Upgrade mjolnir (v1.6.3 -> v1.6.4) --- roles/custom/matrix-bot-mjolnir/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-mjolnir/defaults/main.yml b/roles/custom/matrix-bot-mjolnir/defaults/main.yml index e6e0fab5d..ecbbdb884 100644 --- a/roles/custom/matrix-bot-mjolnir/defaults/main.yml +++ b/roles/custom/matrix-bot-mjolnir/defaults/main.yml @@ -4,7 +4,7 @@ matrix_bot_mjolnir_enabled: true -matrix_bot_mjolnir_version: "v1.6.3" +matrix_bot_mjolnir_version: "v1.6.4" matrix_bot_mjolnir_container_image_self_build: false matrix_bot_mjolnir_container_image_self_build_repo: "https://github.com/matrix-org/mjolnir.git" From ab8cb21a45b316ea4d8307a5548606de80651c07 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 11 Jan 2023 19:25:07 +0200 Subject: [PATCH 241/915] Upgrade matrix-chatgpt (1.2.1 -> 1.2.2) --- roles/custom/matrix-bot-chatgpt/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-chatgpt/defaults/main.yml b/roles/custom/matrix-bot-chatgpt/defaults/main.yml index 361aa3511..3efb00305 100644 --- a/roles/custom/matrix-bot-chatgpt/defaults/main.yml +++ b/roles/custom/matrix-bot-chatgpt/defaults/main.yml 
@@ -9,7 +9,7 @@ matrix_bot_chatgpt_docker_repo: "https://github.com/matrixgpt/matrix-chatgpt-bot matrix_bot_chatgpt_docker_repo_version: "{{ 'latest' if matrix_bot_chatgpt_version == 'latest' else matrix_bot_chatgpt_version }}" matrix_bot_chatgpt_docker_src_files_path: "{{ matrix_base_data_path }}/chatgpt/docker-src" -matrix_bot_chatgpt_version: 1.2.1 +matrix_bot_chatgpt_version: 1.2.2 matrix_bot_chatgpt_docker_image: "{{ matrix_bot_chatgpt_docker_image_name_prefix }}matrixgpt/matrix-chatgpt-bot:{{ matrix_bot_chatgpt_version }}" matrix_bot_chatgpt_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_chatgpt_container_image_self_build else 'ghcr.io/' }}" matrix_bot_chatgpt_docker_image_force_pull: "{{ matrix_bot_chatgpt_docker_image.endswith(':latest') }}" From 673ee508dcc4612b5466e569744803bf1f03f5c0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 12 Jan 2023 11:25:00 +0200 Subject: [PATCH 242/915] Upgrade matrix-chatgpt (1.2.2 -> 1.2.3) --- roles/custom/matrix-bot-chatgpt/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-chatgpt/defaults/main.yml b/roles/custom/matrix-bot-chatgpt/defaults/main.yml index 3efb00305..d6119ca6b 100644 --- a/roles/custom/matrix-bot-chatgpt/defaults/main.yml +++ b/roles/custom/matrix-bot-chatgpt/defaults/main.yml 
@@ -9,7 +9,7 @@ matrix_bot_chatgpt_docker_repo: "https://github.com/matrixgpt/matrix-chatgpt-bot matrix_bot_chatgpt_docker_repo_version: "{{ 'latest' if matrix_bot_chatgpt_version == 'latest' else matrix_bot_chatgpt_version }}" matrix_bot_chatgpt_docker_src_files_path: "{{ matrix_base_data_path }}/chatgpt/docker-src" -matrix_bot_chatgpt_version: 1.2.2 +matrix_bot_chatgpt_version: 1.2.3 matrix_bot_chatgpt_docker_image: "{{ matrix_bot_chatgpt_docker_image_name_prefix }}matrixgpt/matrix-chatgpt-bot:{{ matrix_bot_chatgpt_version }}" matrix_bot_chatgpt_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_chatgpt_container_image_self_build else 'ghcr.io/' }}" matrix_bot_chatgpt_docker_image_force_pull: "{{ matrix_bot_chatgpt_docker_image.endswith(':latest') }}" From fb60ba67f646288b40818a555bb716405e144956 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 13 Jan 2023 09:18:27 +0200 Subject: [PATCH 243/915] Announce just --- CHANGELOG.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e01d69d6e..b66cc8ba7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,26 @@ +# 2023-01-13 + +## Support for running commands via just + +We've previously used [make](https://www.gnu.org/software/make/) for easily running some playbook commands (e.g. `make roles` which triggers `ansible-galaxy`, see [Makefile](Makefile)). +Our `Makefile` is still around and you can still run these commands. + +In addition, we've added support for running commands via [just](https://github.com/casey/just) - a more modern command-runner alternative to `make`. Instead of `make roles`, you can now run `just roles` to accomplish the same. + +Our [justfile](justfile) already defines some additional helpful **shortcut** commands that weren't part of our `Makefile`. Here are some examples: + +- `just install-all` to trigger the much longer `ansible-playbook -i inventory/hosts setup.yml --tags=install-all,ensure-matrix-users-created,start` command +- `just install-all --ask-vault-pass` - commands also support additional arguments (`--ask-vault-pass` will be appended to the above installation command) +- `just run-tags install-mautrix-slack,start` - to run specific playbook tags +- `just start-all` - (re-)starts all services +- `just stop-group postgres` - to stop only the Postgres service +- `just register-user john secret-password yes` - registers a `john` user with the `secret-password` password and admin access (admin = `yes`) + +Additional helpful commands and shortcuts may be defined in the future. + +This is all completely optional. If you find it difficult to [install `just`](https://github.com/casey/just#installation) or don't find any of this convenient, feel free to run all commands manually. + + # 2023-01-11 ## mautrix-slack support From c874830de36fb9f47ee5333213a160023306bd4e Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Fri, 13 Jan 2023 09:42:04 +0200 Subject: [PATCH 244/915] Upgrade com.devture.ansible.role.postgres The new version uses the corresponding container image when running vacuum, not the latest Postgres version. --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 93c802158..e52cec115 100644 --- a/requirements.yml +++ b/requirements.yml @@ -19,7 +19,7 @@ version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16 - src: git+https://github.com/devture/com.devture.ansible.role.postgres.git - version: e75973e3a4edc12dfc3e880e43b12ebecbf82c61 + version: 867b5b083f48d75c2fb64eb20c9d65e119d02cfd - src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git version: 77b1f9ae1aafa31c9078178c1036bf744c99d08b From 4c5d945ad3d10d8394c8f284b78cfc86458137d5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 13 Jan 2023 18:12:22 +0200 Subject: [PATCH 245/915] Upgrade com.devture.ansible.role.postgres --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index e52cec115..6006ebbf8 100644 --- a/requirements.yml +++ b/requirements.yml @@ -19,7 +19,7 @@ version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16 - src: git+https://github.com/devture/com.devture.ansible.role.postgres.git - version: 867b5b083f48d75c2fb64eb20c9d65e119d02cfd + version: a1bb78d194434b38005f3a9e623bfa4b2c06c7bc - src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git version: 77b1f9ae1aafa31c9078178c1036bf744c99d08b From ae1ad3baf6aa20ad353920d05b2dcbba0a9d3ff3 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Fri, 13 Jan 2023 18:17:52 +0200 Subject: [PATCH 246/915] Improve block tasks indentation to make yamllint happy Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2392 --- .../tasks/setup_install.yml | 32 +++++++-------- .../tasks/prepare_themes.yml | 40 +++++++++---------- 2 files changed, 36 insertions(+), 36 deletions(-) diff --git a/roles/custom/matrix-backup-borg/tasks/setup_install.yml b/roles/custom/matrix-backup-borg/tasks/setup_install.yml index 647aabf40..307542f71 100644 --- a/roles/custom/matrix-backup-borg/tasks/setup_install.yml +++ b/roles/custom/matrix-backup-borg/tasks/setup_install.yml 
@@ -2,25 +2,25 @@ - when: matrix_backup_borg_postgresql_enabled | bool and matrix_backup_borg_version == '' block: - - name: Fail with matrix_backup_borg_version advice if Postgres not enabled - ansible.builtin.fail: - msg: >- - You are not running a built-in Postgres server (`devture_postgres_enabled: false`), so auto-detecting its version and setting `matrix_backup_borg_version` automatically based on that cannot happen. - Consider setting `matrix_backup_borg_version` to your Postgres version manually. - when: not devture_postgres_enabled + - name: Fail with matrix_backup_borg_version advice if Postgres not enabled + ansible.builtin.fail: + msg: >- + You are not running a built-in Postgres server (`devture_postgres_enabled: false`), so auto-detecting its version and setting `matrix_backup_borg_version` automatically based on that cannot happen. + Consider setting `matrix_backup_borg_version` to your Postgres version manually. + when: not devture_postgres_enabled - - ansible.builtin.include_role: - name: galaxy/com.devture.ansible.role.postgres - tasks_from: detect_existing_postgres_version + - ansible.builtin.include_role: + name: galaxy/com.devture.ansible.role.postgres + tasks_from: detect_existing_postgres_version - - name: Fail if detected Postgres version is unsupported - ansible.builtin.fail: - msg: "You cannot use borg backup with such an old version ({{ devture_postgres_detected_version }}) of Postgres. Consider upgrading - link to docs for upgrading Postgres: docs/maintenance-postgres.md#upgrading-postgresql" - when: "devture_postgres_detected_version not in matrix_backup_borg_supported_postgres_versions" + - name: Fail if detected Postgres version is unsupported + ansible.builtin.fail: + msg: "You cannot use borg backup with such an old version ({{ devture_postgres_detected_version }}) of Postgres. 
Consider upgrading - link to docs for upgrading Postgres: docs/maintenance-postgres.md#upgrading-postgresql" + when: "devture_postgres_detected_version not in matrix_backup_borg_supported_postgres_versions" - - name: Set the correct borg backup version to use - ansible.builtin.set_fact: - matrix_backup_borg_version: "{{ devture_postgres_detected_version }}" + - name: Set the correct borg backup version to use + ansible.builtin.set_fact: + matrix_backup_borg_version: "{{ devture_postgres_detected_version }}" - name: Ensure borg paths exist ansible.builtin.file: diff --git a/roles/custom/matrix-client-element/tasks/prepare_themes.yml b/roles/custom/matrix-client-element/tasks/prepare_themes.yml index 3f5c9783c..70646c94c 100644 --- a/roles/custom/matrix-client-element/tasks/prepare_themes.yml +++ b/roles/custom/matrix-client-element/tasks/prepare_themes.yml 
@@ -9,29 +9,29 @@ delegate_to: 127.0.0.1 become: false block: - - name: Ensure Element themes repository is pulled - ansible.builtin.git: - repo: "{{ matrix_client_element_themes_repository_url }}" - version: "{{ matrix_client_element_themes_repository_version }}" - dest: "{{ role_path }}/files/scratchpad/themes" + - name: Ensure Element themes repository is pulled + ansible.builtin.git: + repo: "{{ matrix_client_element_themes_repository_url }}" + version: "{{ matrix_client_element_themes_repository_version }}" + dest: "{{ role_path }}/files/scratchpad/themes" - - name: Find all Element theme files - ansible.builtin.find: - paths: "{{ role_path }}/files/scratchpad/themes" - patterns: "*.json" - recurse: true - register: matrix_client_element_theme_file_list + - name: Find all Element theme files + ansible.builtin.find: + paths: "{{ role_path }}/files/scratchpad/themes" + patterns: "*.json" + recurse: true + register: matrix_client_element_theme_file_list - - name: Read Element theme - ansible.builtin.slurp: - path: "{{ item.path }}" - register: "matrix_client_element_theme_file_contents" - with_items: "{{ matrix_client_element_theme_file_list.files }}" + - name: Read Element theme + ansible.builtin.slurp: + path: "{{ item.path }}" + register: "matrix_client_element_theme_file_contents" + with_items: "{{ matrix_client_element_theme_file_list.files }}" - - name: Load Element theme - ansible.builtin.set_fact: - matrix_client_element_settingDefaults_custom_themes: "{{ matrix_client_element_settingDefaults_custom_themes + [item['content'] | b64decode | from_json] }}" # noqa var-naming - with_items: "{{ matrix_client_element_theme_file_contents.results }}" + - name: Load Element theme + ansible.builtin.set_fact: + matrix_client_element_settingDefaults_custom_themes: "{{ matrix_client_element_settingDefaults_custom_themes + [item['content'] | b64decode | from_json] }}" # noqa var-naming + with_items: "{{ matrix_client_element_theme_file_contents.results }}" # # Tasks 
related to getting rid of Element themes (if it was previously enabled) From ada582bc9fc68686bbf50fac78255b67ced05946 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 13 Jan 2023 16:25:02 +0000 Subject: [PATCH 247/915] Bump frenck/action-yamllint from 1.3.1 to 1.4.0 Bumps [frenck/action-yamllint](https://github.com/frenck/action-yamllint) from 1.3.1 to 1.4.0. - [Release notes](https://github.com/frenck/action-yamllint/releases) - [Commits](https://github.com/frenck/action-yamllint/compare/v1.3.1...v1.4.0) --- updated-dependencies: - dependency-name: frenck/action-yamllint dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/matrix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml index 281b1496e..8fd821422 100644 --- a/.github/workflows/matrix.yml +++ b/.github/workflows/matrix.yml @@ -13,7 +13,7 @@ jobs: - name: Check out uses: actions/checkout@v3 - name: Run yamllint - uses: frenck/action-yamllint@v1.3.1 + uses: frenck/action-yamllint@v1.4.0 ansible-lint: name: ansible-lint runs-on: ubuntu-latest From e8c6267e9a9be2caa3ca3ad17e1bd845b7a15dda Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 13 Jan 2023 16:30:18 +0000 Subject: [PATCH 248/915] Update jitsi stable-8138-1 -> stable-8218 --- roles/custom/matrix-jitsi/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-jitsi/defaults/main.yml b/roles/custom/matrix-jitsi/defaults/main.yml index ce4d19cc1..da166cd86 100644 --- a/roles/custom/matrix-jitsi/defaults/main.yml +++ b/roles/custom/matrix-jitsi/defaults/main.yml 
@@ -72,7 +72,7 @@ matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false -matrix_jitsi_version: stable-8138-1 +matrix_jitsi_version: stable-8218 matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}" From 627d8557ae77158087d841aa649a7c55a5242e6a Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 13 Jan 2023 16:31:19 +0000 Subject: [PATCH 249/915] Update hookshot 2.5.0 -> 2.6.0 --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 14c0e6df3..505e42513 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml @@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git" matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}" -matrix_hookshot_version: 2.5.0 +matrix_hookshot_version: 2.6.0 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}" matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}" From d1b4a6ebe1e868c4665f7d8fd077ecf8618fab7a Mon Sep 17 00:00:00 2001 
From: Aine Date: Sat, 14 Jan 2023 15:26:58 +0200 Subject: [PATCH 250/915] unify docker images urls --- roles/custom/matrix-bot-maubot/defaults/main.yml | 3 ++- roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml | 6 ++++-- .../custom/matrix-bridge-mautrix-telegram/defaults/main.yml | 6 ++++-- .../matrix-prometheus-postgres-exporter/defaults/main.yml | 3 ++- roles/custom/matrix-synapse/defaults/main.yml | 6 ++++-- 5 files changed, 16 insertions(+), 8 deletions(-) diff --git a/roles/custom/matrix-bot-maubot/defaults/main.yml b/roles/custom/matrix-bot-maubot/defaults/main.yml index 71353914b..525b5e9e1 100644 --- a/roles/custom/matrix-bot-maubot/defaults/main.yml +++ b/roles/custom/matrix-bot-maubot/defaults/main.yml @@ -11,7 +11,8 @@ matrix_bot_maubot_docker_repo_version: "{{ 'master' if matrix_bot_maubot_version matrix_bot_maubot_version: v0.3.1 -matrix_bot_maubot_docker_image: "dock.mau.dev/maubot/maubot:{{ matrix_bot_maubot_version }}" +matrix_bot_maubot_docker_image: "{{ matrix_bot_maubot_docker_image_name_prefix }}maubot/maubot:{{ matrix_bot_maubot_version }}" +matrix_bot_maubot_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_maubot_container_image_self_build else 'dock.mau.dev/' }}" matrix_bot_maubot_docker_image_force_pull: "{{ matrix_bot_maubot_docker_image.endswith(':latest') }}" matrix_bot_maubot_base_path: "{{ matrix_base_data_path }}/maubot" diff --git a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml index 3bdb02c87..953d17078 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml 
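Review bot: The new `matrix_bot_maubot_docker_image_name_prefix` hard-codes `dock.mau.dev/` instead of the `matrix_container_global_registry_prefix` that roles such as Cinny and Element use, so an operator who redirects all pulls to a private mirror through the global prefix will still fetch this image from the upstream registry. That is presumably intentional, since the image is published there rather than on Docker Hub, but nothing in the default tells the reader that this variable is the per-role override point. A one-line comment above it would prevent surprises: `# Published on dock.mau.dev only, so this deliberately ignores matrix_container_global_registry_prefix; override it to pull from a mirror.`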
@@ -12,7 +12,8 @@ matrix_mautrix_signal_docker_src_files_path: "{{ matrix_base_data_path }}/mautri matrix_mautrix_signal_version: v0.4.2 matrix_mautrix_signal_daemon_version: 0.23.1 # See: https://mau.dev/mautrix/signal/container_registry -matrix_mautrix_signal_docker_image: "dock.mau.dev/mautrix/signal:{{ matrix_mautrix_signal_version }}" +matrix_mautrix_signal_docker_image: "{{ matrix_mautrix_signal_docker_image_name_prefix }}mautrix/signal:{{ matrix_mautrix_signal_version }}" +matrix_mautrix_signal_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_signal_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_signal_docker_image_force_pull: "{{ matrix_mautrix_signal_docker_image.endswith(':latest') }}" matrix_mautrix_signal_daemon_container_image_self_build: false @@ -20,7 +21,8 @@ matrix_mautrix_signal_daemon_docker_repo: "https://gitlab.com/signald/signald" matrix_mautrix_signal_daemon_docker_repo_version: "{{ 'master' if matrix_mautrix_signal_daemon_version == 'latest' else matrix_mautrix_signal_daemon_version }}" matrix_mautrix_signal_daemon_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signald/docker-src" -matrix_mautrix_signal_daemon_docker_image: "docker.io/signald/signald:{{ matrix_mautrix_signal_daemon_docker_image_tag }}" +matrix_mautrix_signal_daemon_docker_image: "{{ matrix_mautrix_signal_daemon_docker_image_name_prefix }}signald/signald:{{ matrix_mautrix_signal_daemon_docker_image_tag }}" +matrix_mautrix_signal_daemon_docker_image_name_prefix: "docker.io/" matrix_mautrix_signal_daemon_docker_image_force_pull: "{{ matrix_mautrix_signal_daemon_docker_image_tag.endswith(':latest') }}" matrix_mautrix_signal_daemon_docker_image_tag: "{{ matrix_mautrix_signal_daemon_version }}" diff --git a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml index 5d2c0c88c..1221da84c 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml 
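Review bot: `matrix_mautrix_signal_daemon_docker_image_name_prefix` is a fixed `docker.io/` even though `matrix_mautrix_signal_daemon_container_image_self_build` is declared two lines above it, whereas every other prefix this commit introduces for a self-buildable image switches to `localhost/` when self-building. Behavior is unchanged from before (the name was already hard-coded), so this is presumably fine only if the build task tags the locally built image with the docker.io name; otherwise the conditional should match the bridge image, `matrix_mautrix_signal_daemon_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_signal_daemon_container_image_self_build else 'docker.io/' }}"`. Separately, the adjacent context line derives `force_pull` from `matrix_mautrix_signal_daemon_docker_image_tag.endswith(':latest')`, but the tag never contains a colon, so that expression looks always false; it predates this commit but is worth fixing while this block is being touched.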
+++ b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -9,7 +9,8 @@ matrix_telegram_lottieconverter_container_image_self_build_mask_arch: false matrix_telegram_lottieconverter_docker_repo: "https://mau.dev/tulir/lottieconverter.git" matrix_telegram_lottieconverter_docker_repo_version: "master" matrix_telegram_lottieconverter_docker_src_files_path: "{{ matrix_base_data_path }}/lotticonverter/docker-src" -matrix_telegram_lottieconverter_docker_image: "dock.mau.dev/tulir/lottieconverter:alpine-3.16" # needs to be adjusted according to the FROM clause of Dockerfile of mautrix-telegram +matrix_telegram_lottieconverter_docker_image: "{{ matrix_telegram_lottieconverter_docker_image_name_prefix }}tulir/lottieconverter:alpine-3.16" # needs to be adjusted according to the FROM clause of Dockerfile of mautrix-telegram +matrix_telegram_lottieconverter_docker_image_name_prefix: "{{ 'localhost/' if matrix_telegram_lottieconverter_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_telegram_container_image_self_build: false matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git" @@ -18,7 +19,8 @@ matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/maut matrix_mautrix_telegram_version: v0.12.2 # See: https://mau.dev/mautrix/telegram/container_registry -matrix_mautrix_telegram_docker_image: "dock.mau.dev/mautrix/telegram:{{ matrix_mautrix_telegram_version }}" +matrix_mautrix_telegram_docker_image: "{{ matrix_mautrix_telegram_docker_image_name_prefix }}mautrix/telegram:{{ matrix_mautrix_telegram_version }}" +matrix_mautrix_telegram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_telegram_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}" matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram" 
diff --git a/roles/custom/matrix-prometheus-postgres-exporter/defaults/main.yml b/roles/custom/matrix-prometheus-postgres-exporter/defaults/main.yml index 5fc8e9196..78481a32b 100644 --- a/roles/custom/matrix-prometheus-postgres-exporter/defaults/main.yml +++ b/roles/custom/matrix-prometheus-postgres-exporter/defaults/main.yml @@ -7,7 +7,8 @@ matrix_prometheus_postgres_exporter_enabled: false matrix_prometheus_postgres_exporter_version: v0.11.1 matrix_prometheus_postgres_exporter_port: 9187 -matrix_prometheus_postgres_exporter_docker_image: "quay.io/prometheuscommunity/postgres-exporter:{{ matrix_prometheus_postgres_exporter_version }}" +matrix_prometheus_postgres_exporter_docker_image: "{{ matrix_prometheus_postgres_exporter_docker_image_name_prefix }}prometheuscommunity/postgres-exporter:{{ matrix_prometheus_postgres_exporter_version }}" +matrix_prometheus_postgres_exporter_docker_image_name_prefix: "quay.io/" matrix_prometheus_postgres_exporter_docker_image_force_pull: "{{ matrix_prometheus_postgres_exporter_docker_image.endswith(':latest') }}" # A list of extra arguments to pass to the container diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index b06615214..a58d13338 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -819,7 +819,8 @@ matrix_synapse_ext_synapse_s3_storage_provider_update_db_day_count: 0 matrix_s3_media_store_enabled: false matrix_s3_media_store_custom_endpoint_enabled: false -matrix_s3_goofys_docker_image: "docker.io/ewoutp/goofys:latest" +matrix_s3_goofys_docker_image: "{{ matrix_s3_goofys_docker_image_name_prefix }}ewoutp/goofys:latest" +matrix_s3_goofys_docker_image_name_prefix: "docker.io/" matrix_s3_goofys_docker_image_force_pull: "{{ matrix_s3_goofys_docker_image.endswith(':latest') }}" matrix_s3_media_store_custom_endpoint: "your-custom-endpoint" matrix_s3_media_store_bucket_name: "your-bucket-name" 
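Review bot: The rewritten `matrix_s3_goofys_docker_image` still pins nothing: it references `ewoutp/goofys:latest`, a mutable tag in a personal Docker Hub namespace, and the `force_pull` line beneath it re-pulls that tag on every run, so the process that mounts the media store can change under the operator without any playbook change. Every other image in this commit is versioned through a `_version` variable; the same shape here, e.g. `matrix_s3_goofys_version: latest` feeding `ewoutp/goofys:{{ matrix_s3_goofys_version }}`, would at least let operators pin a tag or digest. The `rust-synapse-compress-state:latest` reference in the next hunk of this file has the same issue.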
@@ -895,7 +896,8 @@ matrix_synapse_redaction_retention_period: 7d matrix_synapse_user_ips_max_age: 28d -matrix_synapse_rust_synapse_compress_state_docker_image: "registry.gitlab.com/mb-saces/rust-synapse-compress-state:latest" +matrix_synapse_rust_synapse_compress_state_docker_image: "{{ matrix_synapse_rust_synapse_compress_state_docker_image_name_prefix }}mb-saces/rust-synapse-compress-state:latest" +matrix_synapse_rust_synapse_compress_state_docker_image_name_prefix: "registry.gitlab.com/" matrix_synapse_rust_synapse_compress_state_docker_image_force_pull: "{{ matrix_synapse_rust_synapse_compress_state_docker_image.endswith(':latest') }}" matrix_synapse_rust_synapse_compress_state_base_path: "{{ matrix_base_data_path }}/rust-synapse-compress-state" From 34c448c3bbb88948878a365c2893d8aa64ffc369 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 15 Jan 2023 11:07:19 +0200 Subject: [PATCH 251/915] Upgrade Cinny (2.2.2 -> 2.2.3) --- roles/custom/matrix-client-cinny/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-cinny/defaults/main.yml b/roles/custom/matrix-client-cinny/defaults/main.yml index de974eb12..98c327456 100644 --- a/roles/custom/matrix-client-cinny/defaults/main.yml +++ b/roles/custom/matrix-client-cinny/defaults/main.yml @@ -6,7 +6,7 @@ matrix_client_cinny_enabled: true matrix_client_cinny_container_image_self_build: false matrix_client_cinny_container_image_self_build_repo: "https://github.com/ajbura/cinny.git" -matrix_client_cinny_version: v2.2.2 +matrix_client_cinny_version: v2.2.3 matrix_client_cinny_docker_image: "{{ matrix_client_cinny_docker_image_name_prefix }}ajbura/cinny:{{ matrix_client_cinny_version }}" matrix_client_cinny_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_cinny_docker_image_force_pull: "{{ matrix_client_cinny_docker_image.endswith(':latest') }}" 
From 5c8bad60914f08ac4715085c87fa631e1b551d11 Mon Sep 17 00:00:00 2001 From: Aine Date: Mon, 16 Jan 2023 12:11:01 +0200 Subject: [PATCH 252/915] update borg image tag --- roles/custom/matrix-backup-borg/defaults/main.yml | 5 ++++- roles/custom/matrix-backup-borg/tasks/setup_install.yml | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-backup-borg/defaults/main.yml b/roles/custom/matrix-backup-borg/defaults/main.yml index 472abe976..b8796c92d 100644 --- a/roles/custom/matrix-backup-borg/defaults/main.yml +++ b/roles/custom/matrix-backup-borg/defaults/main.yml @@ -11,8 +11,11 @@ matrix_backup_borg_docker_repo: "https://gitlab.com/etke.cc/borgmatic" matrix_backup_borg_docker_repo_version: main matrix_backup_borg_docker_src_files_path: "{{ matrix_backup_borg_base_path }}/docker-src" -# version determined automatically, based on postgres server version (if enabled), otherwise latest is used +# image and postgres version determined automatically, based on detected postgres server version (if enabled), otherwise latest is used matrix_backup_borg_version: "" +matrix_backup_borg_postgres_version: "" +matrix_backup_borg_borg_version: 1.2.3 +matrix_backup_borg_borgmatic_version: 1.7.5 matrix_backup_borg_docker_image: "{{ matrix_backup_borg_docker_image_name_prefix }}etke.cc/borgmatic:{{ matrix_backup_borg_version }}" matrix_backup_borg_docker_image_name_prefix: "{{ 'localhost/' if matrix_backup_borg_container_image_self_build else 'registry.gitlab.com/' }}" matrix_backup_borg_docker_image_force_pull: "{{ matrix_backup_borg_docker_image.endswith(':latest') or matrix_backup_borg_version | default('') == '' }}" diff --git a/roles/custom/matrix-backup-borg/tasks/setup_install.yml b/roles/custom/matrix-backup-borg/tasks/setup_install.yml index 307542f71..41d953716 100644 --- a/roles/custom/matrix-backup-borg/tasks/setup_install.yml +++ b/roles/custom/matrix-backup-borg/tasks/setup_install.yml 
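Review bot: `matrix_backup_borg_postgres_version: ""` is added to the defaults but nothing in this commit reads it — the updated comment says the Postgres version is detected automatically, and the companion change in `setup_install.yml` still builds the tag directly from `devture_postgres_detected_version`. Either it is meant as a manual override for installations without the built-in Postgres (the case the fail message in `setup_install.yml` describes), in which case the set_fact should prefer it when non-empty, or it is dead and should go. If kept, a comment would spell out its role: `# Set this to your Postgres major version when devture_postgres_enabled is false and auto-detection cannot run.`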
@@ -20,7 +20,7 @@ - name: Set the correct borg backup version to use ansible.builtin.set_fact: - matrix_backup_borg_version: "{{ devture_postgres_detected_version }}" + matrix_backup_borg_version: "{{ devture_postgres_detected_version }}-{{ matrix_backup_borg_borg_version }}-{{ matrix_backup_borg_borgmatic_version }}" - name: Ensure borg paths exist ansible.builtin.file: From e053b2b0fcfe187f7729561bcf852d5d2ca1ac28 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Mon, 16 Jan 2023 13:17:02 +0000 Subject: [PATCH 253/915] update mautrix-whatsapp 0.8.0 -> 0.8.1 --- roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 3a722eeb0..449ace05f 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mautrix_whatsapp_container_image_self_build: false matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautrix/whatsapp.git" matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}" -matrix_mautrix_whatsapp_version: v0.8.0 +matrix_mautrix_whatsapp_version: v0.8.1 # See: https://mau.dev/mautrix/whatsapp/container_registry matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_name_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}" matrix_mautrix_whatsapp_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_whatsapp_container_image_self_build else 'dock.mau.dev/' }}" From 3ff6e755a9d315e7d183cbc61d7b73c8b474015f Mon Sep 17 00:00:00 2001 
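Review bot: The auto-detected tag now has the shape `<postgres>-<borg>-<borgmatic>`, but the fail message earlier in this file (still visible in the earlier reindent hunk for `setup_install.yml`) tells operators without built-in Postgres to set `matrix_backup_borg_version` to their Postgres version manually, which after this change would presumably produce an image tag that does not exist. The advice should change in the same commit, e.g. `Consider setting matrix_backup_borg_version manually, in the form <postgres-major>-{{ matrix_backup_borg_borg_version }}-{{ matrix_backup_borg_borgmatic_version }}.` Composing the tag in a single place, so that the manual and detected paths share the `-<borg>-<borgmatic>` suffix, would keep the two from drifting again.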
From: Slavi Pantaleev Date: Mon, 16 Jan 2023 18:52:22 +0200 Subject: [PATCH 254/915] Upgrade Hookshot (2.6.0 -> 2.6.1) --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 505e42513..4c38ec225 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml @@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git" matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}" -matrix_hookshot_version: 2.6.0 +matrix_hookshot_version: 2.6.1 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}" matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}" From f64745c6ace555b113c0af84a61b20e9a35c4cfb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 17 Jan 2023 14:47:53 +0200 Subject: [PATCH 255/915] Upgrade com.devture.ansible.role.timesync Related to https://github.com/devture/com.devture.ansible.role.timesync --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 6006ebbf8..00f80fad1 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -13,7 +13,7 @@ version: 327d2e17f5189ac2480d6012f58cf64a2b46efba - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git - version: 660f384f176a9ea3b5cc702bde39e7dc10bf6186 + version: 16c8a8995ee442dd1e2afb1880bec1c38994bc12 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_state_preserver.git version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16 From c27021b29b0f2987dd651bf448c2f782d6190d15 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 17 Jan 2023 14:51:00 +0200 Subject: [PATCH 256/915] Upgrade com.devture.ansible.role.timesync --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 00f80fad1..03eed35df 100644 --- a/requirements.yml +++ b/requirements.yml @@ -13,7 +13,7 @@ version: 327d2e17f5189ac2480d6012f58cf64a2b46efba - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git - version: 16c8a8995ee442dd1e2afb1880bec1c38994bc12 + version: 3d5bb2976815958cdce3f368fa34fb51554f899b - src: git+https://github.com/devture/com.devture.ansible.role.playbook_state_preserver.git version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16 From 34745b5206247b795f89fd3a04224aafda432c88 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 17 Jan 2023 15:53:26 +0200 Subject: [PATCH 257/915] Upgrade Synapse (v1.74.0 -> v1.75.0) --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index a58d13338..7c5496faa 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml 
@@ -36,7 +36,7 @@ matrix_synapse_container_image_customizations_dockerfile_body_custom: '' matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:{{ matrix_synapse_docker_image_tag }}" matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else matrix_container_global_registry_prefix }}" -matrix_synapse_version: v1.74.0 +matrix_synapse_version: v1.75.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From 424f79df3a071328b6e2ddc5dab29cdf854c678e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 17 Jan 2023 15:55:49 +0200 Subject: [PATCH 258/915] Replace synapse.app.pusher and synapse.app.federation_sender with synapse.app.generic_worker Related to https://github.com/matrix-org/synapse/commit/3479599387164aca2613e88d169719 --- roles/custom/matrix-synapse/tasks/synapse/workers/init.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml b/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml index d88884d09..359fe0316 100644 --- a/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml @@ -46,7 +46,7 @@ id: "federation-sender-{{ item }}" name: "matrix-synapse-worker-federation-sender-{{ item }}" type: 'federation_sender' - app: 'federation_sender' + app: 'generic_worker' webserving: false port: 0 metrics_port: "{{ matrix_synapse_workers_federation_sender_workers_metrics_range_start + item }}" 
@@ -58,14 +58,13 @@ matrix_synapse_federation_sender_instances: "{{ matrix_synapse_federation_sender_instances + [item.ansible_facts.worker.name] }}" with_items: "{{ matrix_synapse_workers_list_results_federation_sender_workers.results }}" -# This type of worker can only have a count of 1, at most - name: Build pusher workers ansible.builtin.set_fact: worker: id: "pusher-{{ item }}" name: "matrix-synapse-worker-pusher-{{ item }}" type: 'pusher' - app: 'pusher' + app: 'generic_worker' webserving: false port: 0 metrics_port: "{{ matrix_synapse_workers_pusher_workers_metrics_range_start + item }}" From 903db549590222206058f9f3154680d44932e13a Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 18 Jan 2023 13:37:03 +0000 Subject: [PATCH 259/915] Update postmoogle 0.9.10 -> 0.9.11 --- roles/custom/matrix-bot-postmoogle/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-postmoogle/defaults/main.yml b/roles/custom/matrix-bot-postmoogle/defaults/main.yml index b8e42828f..48a2b45c9 100644 --- a/roles/custom/matrix-bot-postmoogle/defaults/main.yml +++ b/roles/custom/matrix-bot-postmoogle/defaults/main.yml 
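Review bot: Switching pusher workers to `generic_worker` means Synapse presumably has to be told which instances handle pushes through its homeserver config, and unlike the federation-sender block above (which appends each worker name to `matrix_synapse_federation_sender_instances`), nothing in this hunk registers the pusher names. The rest of the pusher block is outside the hunk, so confirm that an equivalent `matrix_synapse_pusher_instances` fact is built there and rendered into the homeserver template. Deleting the "count of 1" comment is right now that the dedicated `synapse.app.pusher` is gone, but a replacement would record the new requirement: `# Pushers run as generic_worker; every instance name must be listed in pusher_instances in the homeserver config.`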
@@ -9,7 +9,7 @@ matrix_bot_postmoogle_docker_repo: "https://gitlab.com/etke.cc/postmoogle.git" matrix_bot_postmoogle_docker_repo_version: "{{ 'main' if matrix_bot_postmoogle_version == 'latest' else matrix_bot_postmoogle_version }}" matrix_bot_postmoogle_docker_src_files_path: "{{ matrix_base_data_path }}/postmoogle/docker-src" -matrix_bot_postmoogle_version: v0.9.10 +matrix_bot_postmoogle_version: v0.9.11 matrix_bot_postmoogle_docker_image: "{{ matrix_bot_postmoogle_docker_image_name_prefix }}etke.cc/postmoogle:{{ matrix_bot_postmoogle_version }}" matrix_bot_postmoogle_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_postmoogle_container_image_self_build else 'registry.gitlab.com/' }}" matrix_bot_postmoogle_docker_image_force_pull: "{{ matrix_bot_postmoogle_docker_image.endswith(':latest') }}" From 2fc02abfdc57fafa57344b5b464db52a77adf379 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 18 Jan 2023 13:52:44 +0000 Subject: [PATCH 260/915] Update buscarron v1.3.0 -> v1.3.1 --- roles/custom/matrix-bot-buscarron/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-buscarron/defaults/main.yml b/roles/custom/matrix-bot-buscarron/defaults/main.yml index 60ed165c8..f887e262d 100644 --- a/roles/custom/matrix-bot-buscarron/defaults/main.yml +++ b/roles/custom/matrix-bot-buscarron/defaults/main.yml 
@@ -9,7 +9,7 @@ matrix_bot_buscarron_docker_repo: "https://gitlab.com/etke.cc/buscarron.git" matrix_bot_buscarron_docker_repo_version: "{{ matrix_bot_buscarron_version }}" matrix_bot_buscarron_docker_src_files_path: "{{ matrix_base_data_path }}/buscarron/docker-src" -matrix_bot_buscarron_version: v1.3.0 +matrix_bot_buscarron_version: v1.3.1 matrix_bot_buscarron_docker_image: "{{ matrix_bot_buscarron_docker_image_name_prefix }}etke.cc/buscarron:{{ matrix_bot_buscarron_version }}" matrix_bot_buscarron_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_buscarron_container_image_self_build else 'registry.gitlab.com/' }}" matrix_bot_buscarron_docker_image_force_pull: "{{ matrix_bot_buscarron_docker_image.endswith(':latest') }}" From ecb173c8d4b71252a2d50f80c67f4b633a1925c0 Mon Sep 17 00:00:00 2001 From: Array in a Matrix Date: Wed, 18 Jan 2023 10:30:09 -0500 Subject: [PATCH 261/915] Update installing.md --- docs/installing.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/installing.md b/docs/installing.md index 7e2edf6c5..fccc1caf3 100644 --- a/docs/installing.md +++ b/docs/installing.md 
@@ -2,7 +2,7 @@ If you've [configured your DNS](configuring-dns.md) and have [configured the playbook](configuring-playbook.md), you can start the installation procedure. -**Before installing** and each time you update the playbook in the future, you will need to update the Ansible roles in this playbook by running `just roles`. `just roles` is a shortcut (a `roles` target defined in [`justfile`](justfile) and executed by the [`just`](https://github.com/casey/just) utility) which ultimately runs [ansible-galaxy](https://docs.ansible.com/ansible/latest/cli/ansible-galaxy.html) to download Ansible roles. If you don't have `just`, you can also manually run the `roles` commands seen in the `justfile`. +**Before installing** and each time you update the playbook in the future, you will need to update the Ansible roles in this playbook by running `just roles`. `just roles` is a shortcut (a `roles` target defined in [`justfile`](../justfile) and executed by the [`just`](https://github.com/casey/just) utility) which ultimately runs [ansible-galaxy](https://docs.ansible.com/ansible/latest/cli/ansible-galaxy.html) to download Ansible roles. If you don't have `just`, you can also manually run the `roles` commands seen in the `justfile`. ## Playbook tags introduction 
@@ -88,7 +88,7 @@ Feel free to **re-run the setup command any time** you think something is off wi Note that if you remove components from `vars.yml`, or if we switch some component from being installed by default to not being installed by default anymore, you'd need to run the setup command with `--tags=setup-all` instead of `--tags=install-all`. See [Playbook tags introduction](#playbook-tags-introduction) -A way to invoke these `ansible-playbook` commands with less typing in the future is to use [just](https://github.com/casey/just) to run them: `just install-all` or `just setup-all`. See [our `justfile`](../../justfile) for more information. +A way to invoke these `ansible-playbook` commands with less typing in the future is to use [just](https://github.com/casey/just) to run them: `just install-all` or `just setup-all`. See [our `justfile`](../justfile) for more information. ## 3. Finalize the installation From 63a3764f51d67947ba84330895da5aad6616b318 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 18 Jan 2023 15:45:04 +0000 Subject: [PATCH 262/915] Update element 1.11.17 -> 1.11.18 --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index d359108ca..551ee766f 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml 
@@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto
 # - https://github.com/vector-im/element-web/issues/19544
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
-matrix_client_element_version: v1.11.17
+matrix_client_element_version: v1.11.18
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"
From 6c332da7d3c275a043d3a977983984daf162067d Mon Sep 17 00:00:00 2001
From: Vladimir Panteleev
Date: Thu, 19 Jan 2023 01:21:14 +0000
Subject: [PATCH 263/915] Fix ChatGPT container
This container needs a writable $HOME, and will fail at startup if there isn't one. Provide one by pointing HOME to a path under the mounted /data directory.
---
 .../templates/systemd/matrix-bot-chatgpt.service.j2 | 1 +
 1 file changed, 1 insertion(+)
diff --git a/roles/custom/matrix-bot-chatgpt/templates/systemd/matrix-bot-chatgpt.service.j2 b/roles/custom/matrix-bot-chatgpt/templates/systemd/matrix-bot-chatgpt.service.j2
index 4a528126a..8e4a50202 100644
--- a/roles/custom/matrix-bot-chatgpt/templates/systemd/matrix-bot-chatgpt.service.j2
+++ b/roles/custom/matrix-bot-chatgpt/templates/systemd/matrix-bot-chatgpt.service.j2
@@ -25,6 +25,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
 --network={{ matrix_docker_network }} \
 --env-file={{ matrix_bot_chatgpt_config_path }}/env \
 --mount type=bind,src={{ matrix_bot_chatgpt_data_path }},dst=/data \
+ --env HOME=/data/home \
 {% for arg in matrix_bot_chatgpt_container_extra_arguments %}
 {{ arg }} \
 {% endfor %}
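Review bot: The added `--env HOME=/data/home \` points $HOME at a directory that nothing in this hunk creates, so the fix only holds if the process inside the container can create `home` under the bind-mounted `{{ matrix_bot_chatgpt_data_path }}`; the ownership of that directory and the user the container runs as are outside this hunk, so I cannot confirm it here. Because a comment-only line would interrupt the `\` continuation of `ExecStart=`, the explanation belongs wherever `matrix_bot_chatgpt_data_path` is defined rather than in this template, e.g. `# the bot's HOME is placed under this path (/data/home in the container) because the image fails at startup without a writable $HOME`. Placing the flag after `--env-file` should also let it take precedence over any `HOME` entry in the env file, which is worth stating if that is intended. The `ExecStart=` command this line belongs to begins before the hunk.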
From 8804a158216d535772fd5d8687f4434e60211b39 Mon Sep 17 00:00:00 2001
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Thu, 19 Jan 2023 05:10:49 +0000
Subject: [PATCH 264/915] Update element 1.11.18 -> 1.11.19
---
 roles/custom/matrix-client-element/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml
index 551ee766f..f45b61661 100644
--- a/roles/custom/matrix-client-element/defaults/main.yml
+++ b/roles/custom/matrix-client-element/defaults/main.yml
@@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto
 # - https://github.com/vector-im/element-web/issues/19544
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
-matrix_client_element_version: v1.11.18
+matrix_client_element_version: v1.11.19
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"
From 36ef2c6131ae355e341c8d9b3f77949bcc8bf68d Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 19 Jan 2023 16:59:37 +0200
Subject: [PATCH 265/915] Do not recommend SSE-C in default s3-storage-provider config
This is an advanced feature with dubious usefulness. Putting it in the default config just confuses people. Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2220
---
 docs/configuring-playbook-synapse-s3-storage-provider.md | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/docs/configuring-playbook-synapse-s3-storage-provider.md b/docs/configuring-playbook-synapse-s3-storage-provider.md
index 4f6314e4a..6022eaad0 100644
--- a/docs/configuring-playbook-synapse-s3-storage-provider.md
+++ b/docs/configuring-playbook-synapse-s3-storage-provider.md
@@ -39,13 +39,6 @@ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: access-key-
 matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: secret-key-goes-here
 matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class: STANDARD # or STANDARD_IA, etc.
-# S3 Server Side Encryption with a Customer provided key (SSE-C) can also be configured as follows
-# This is not recommended unless you understand what you are doing, and may make restoring from backups additionally challenging
-# You can read more about SSE-C here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html
-matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled: true
-matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key: ssec-key-goes-here # Generate with: cat /dev/urandom | base64 | head -c 32
-matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo: AES256
 # For additional advanced settings, take a look at `roles/custom/matrix-synapse/defaults/main.yml`
 ```
From 910c99d03ddbde556130744c0d9a4dd41f6d317c Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 19 Jan 2023 17:13:36 +0200
Subject: [PATCH 266/915] Improve "Copying data to Amazon S3" documentation for synapse-s3-storage-provider
---
 ...uring-playbook-synapse-s3-storage-provider.md | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/docs/configuring-playbook-synapse-s3-storage-provider.md b/docs/configuring-playbook-synapse-s3-storage-provider.md
index 6022eaad0..2647a77b2 100644
--- a/docs/configuring-playbook-synapse-s3-storage-provider.md
+++ b/docs/configuring-playbook-synapse-s3-storage-provider.md
@@ -93,13 +93,21 @@ To migrate your existing local data to S3, we recommend to:
 #### Copying data to Amazon S3
-Generally, you need to use the `aws s3` tool.
+To copy to AWS S3, start a container on the Matrix server like this:
-This documentation section could use an improvement. Ideally, we'd come up with a guide like the one used in [Copying data to Backblaze B2](#copying-data-to-backblaze-b2) - running `aws s3` in a container, etc.
+```sh
+docker run -it --rm \
+-w /work \
+--env-file=/matrix/synapse/ext/s3-storage-provider/env \
+--mount type=bind,src=/matrix/synapse/storage/media-store,dst=/work,ro \
+--entrypoint=/bin/sh \
+docker.io/amazon/aws-cli:2.9.16 \
+-c 'aws s3 sync /work/. s3://$BUCKET/'
+```
 #### Copying data to Backblaze B2
-To copy to Backblaze B2, start a container like this:
+To copy to Backblaze B2, start a container on the Matrix server like this:
 ```sh
 docker run -it --rm \
@@ -109,7 +117,7 @@ docker run -it --rm \
 --env='B2_BUCKET_NAME=YOUR_BUCKET_NAME_GOES_HERE' \
 --mount type=bind,src=/matrix/synapse/storage/media-store,dst=/work,ro \
 --entrypoint=/bin/sh \
-tianon/backblaze-b2:3.6.0 \
+docker.io/tianon/backblaze-b2:3.6.0 \
 -c 'b2 authorize-account $B2_KEY_ID $B2_KEY_SECRET && b2 sync /work b2://$B2_BUCKET_NAME --skipNewer'
 ```
From 4ec602983fca72979503980784456e5221fb0b6a Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 19 Jan 2023 17:13:55 +0200
Subject: [PATCH 267/915] Remove scary synapse-s3-storage-provider warning
---
 docs/configuring-playbook-synapse-s3-storage-provider.md | 2 --
 1 file changed, 2 deletions(-)
diff --git a/docs/configuring-playbook-synapse-s3-storage-provider.md b/docs/configuring-playbook-synapse-s3-storage-provider.md
index 2647a77b2..c42df7a6e 100644
--- a/docs/configuring-playbook-synapse-s3-storage-provider.md
+++ b/docs/configuring-playbook-synapse-s3-storage-provider.md
@@ -3,8 +3,6 @@ If you'd like to store Synapse's content repository (`media_store`) files on Amazon S3 (or other S3-compatible service), you can use the [synapse-s3-storage-provider](https://github.com/matrix-org/synapse-s3-storage-provider) media provider module for Synapse.
-**`synapse-s3-storage-provider` support is very new and still relatively untested. Using it may cause data loss.**
 An alternative (which has worse performance) is to use [Goofys to mount the S3 store to the local filesystem](configuring-playbook-s3-goofys.md).
From b7b5c7edb77c5d1243656b62d1d59ed694252d8a Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 19 Jan 2023 17:16:21 +0200
Subject: [PATCH 268/915] Improve s3-storage-provider migration steps visibility
---
 docs/configuring-playbook-synapse-s3-storage-provider.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/docs/configuring-playbook-synapse-s3-storage-provider.md b/docs/configuring-playbook-synapse-s3-storage-provider.md
index c42df7a6e..d5d5ca5e2 100644
--- a/docs/configuring-playbook-synapse-s3-storage-provider.md
+++ b/docs/configuring-playbook-synapse-s3-storage-provider.md
@@ -66,11 +66,11 @@ This launches a Synapse container, which has access to the local media store, Po
 Then use the following commands (`$` values come from environment variables - they're **not placeholders** that you need to substitute):
-- `s3_media_upload update-db $UPDATE_DB_DURATION` - create a local SQLite database (`cache.db`) with a list of media repository files (from the `synapse` Postgres database) eligible for operating on
+1. `s3_media_upload update-db $UPDATE_DB_DURATION` - create a local SQLite database (`cache.db`) with a list of media repository files (from the `synapse` Postgres database) eligible for operating on
 - `$UPDATE_DB_DURATION` is influenced by the `matrix_synapse_ext_synapse_s3_storage_provider_update_db_day_count` variable (defaults to `0`)
 - `$UPDATE_DB_DURATION` defaults to `0d` (0 days), which means **include files which haven't been accessed for more than 0 days** (that is, **all files will be included**).
-- `s3_media_upload check-deleted $MEDIA_PATH` - check whether files in the local cache still exist in the local media repository directory
-- `s3_media_upload upload $MEDIA_PATH $BUCKET --delete --storage-class $STORAGE_CLASS --endpoint-url $ENDPOINT` - uploads locally-stored files to S3 and deletes them from the local media repository directory
+2. `s3_media_upload check-deleted $MEDIA_PATH` - check whether files in the local cache still exist in the local media repository directory
+3. `s3_media_upload upload $MEDIA_PATH $BUCKET --delete --storage-class $STORAGE_CLASS --endpoint-url $ENDPOINT` - uploads locally-stored files to S3 and deletes them from the local media repository directory
 The `s3_media_upload upload` command may take a lot of time to complete.
From b4c36eb8cac7807223bb86a40280609897aeb9b1 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 20 Jan 2023 16:03:54 +0000
Subject: [PATCH 269/915] Bump ansible-community/ansible-lint-action from 6.10.2 to 6.11.0
Bumps [ansible-community/ansible-lint-action](https://github.com/ansible-community/ansible-lint-action) from 6.10.2 to 6.11.0.
- [Release notes](https://github.com/ansible-community/ansible-lint-action/releases)
- [Commits](https://github.com/ansible-community/ansible-lint-action/compare/v6.10.2...v6.11.0)
---
updated-dependencies:
- dependency-name: ansible-community/ansible-lint-action
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/matrix.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml
index 8fd821422..2f9e79534 100644
--- a/.github/workflows/matrix.yml
+++ b/.github/workflows/matrix.yml
@@ -21,6 +21,6 @@ jobs:
 - name: Check out
 uses: actions/checkout@v3
 - name: Run ansible-lint
-uses: ansible-community/ansible-lint-action@v6.10.2
+uses: ansible-community/ansible-lint-action@v6.11.0
 with:
 path: roles/custom
From b71e26722155c47fc847ea6fef08ef8b1d04525d Mon Sep 17 00:00:00 2001
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Fri, 20 Jan 2023 18:38:14 +0000
Subject: [PATCH 270/915] Update element 1.11.19 -> 1.11.20
---
 roles/custom/matrix-client-element/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml
index f45b61661..f13ad035f 100644
--- a/roles/custom/matrix-client-element/defaults/main.yml
+++ b/roles/custom/matrix-client-element/defaults/main.yml
@@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto
 # - https://github.com/vector-im/element-web/issues/19544
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
-matrix_client_element_version: v1.11.19
+matrix_client_element_version: v1.11.20
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"
From 32292b1f02bbf4dcd2cdb7fa76196d367dae1733 Mon Sep 17 00:00:00 2001
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Fri, 20 Jan 2023 18:39:05 +0000
Subject: [PATCH 271/915] Update hookshot 2.6.1 -> 2.7.0
---
 roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml
index 4c38ec225..aa4ae45c2 100644
--- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml
+++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml
@@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false
 matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git"
 matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}"
-matrix_hookshot_version: 2.6.1
+matrix_hookshot_version: 2.7.0
 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}"
 matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}"
From 9ed2e04d808593c146d81b361baa57c078364dfd Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev Date: Sat, 21 Jan 2023 11:07:04 +0200 Subject: [PATCH 272/915] Switch from matrix-prometheus-node-exporter to an external prometheus_node_exporter role --- CHANGELOG.md | 15 +++++ ...configuring-playbook-prometheus-grafana.md | 10 +-- group_vars/matrix_servers | 27 ++++++-- playbooks/matrix.yml | 3 +- requirements.yml | 3 + .../defaults/main.yml | 67 ------------------- .../tasks/main.yml | 26 ------- .../tasks/setup_install.yml | 19 ------ .../tasks/setup_uninstall.yml | 20 ------ ...matrix-prometheus-node-exporter.service.j2 | 44 ------------ .../vars/main.yml | 5 -- .../defaults/main.yml | 15 +++++ .../tasks/main.yml | 19 ++++++ .../inject_into_nginx_proxy.yml | 19 ++---- .../defaults/main.yml | 4 ++ .../tasks/validate_config.yml | 16 +++++ 16 files changed, 104 insertions(+), 208 deletions(-) delete mode 100644 roles/custom/matrix-prometheus-node-exporter/defaults/main.yml delete mode 100644 roles/custom/matrix-prometheus-node-exporter/tasks/main.yml delete mode 100644 roles/custom/matrix-prometheus-node-exporter/tasks/setup_install.yml delete mode 100644 roles/custom/matrix-prometheus-node-exporter/tasks/setup_uninstall.yml delete mode 100644 roles/custom/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 delete mode 100644 roles/custom/matrix-prometheus-node-exporter/vars/main.yml create mode 100644 roles/custom/matrix-prometheus-services-proxy-connect/defaults/main.yml create mode 100644 roles/custom/matrix-prometheus-services-proxy-connect/tasks/main.yml rename roles/custom/{matrix-prometheus-node-exporter/tasks => matrix-prometheus-services-proxy-connect/tasks/prometheus-node-exporter}/inject_into_nginx_proxy.yml (51%) create mode 100644 roles/custom/matrix_playbook_migration/defaults/main.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index b66cc8ba7..e4607148c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,18 @@
+# 2023-01-21
+
+## The matrix-prometheus-node-exporter role lives independently now
+
+**TLDR**: the `matrix-prometheus-node-exporter` role is now included from another repository. Some variables have been renamed. All functionality remains intact.
+
+The `matrix-prometheus-node-exporter` role (which configures [Prometheus node exporter](https://github.com/prometheus/node_exporter)) has been extracted from the playbook and now lives in its own repository at https://gitlab.com/etke.cc/roles/prometheus_node_exporter.
+
+It's still part of the playbook, but is now installed via `ansible-galaxy` (by running `just roles` / `make roles`). Some variables have been renamed (`matrix_prometheus_node_exporter_` -> `prometheus_node_exporter_`, etc.). The playbook will report all variables that you need to rename to get upgraded. All functionality remains intact.
+
+A new `matrix-prometheus-services-proxy-connect` role was added to the playbook to help integrate the new `prometheus_node_exporter` role with our own services (`matrix-nginx-proxy`)
+
+Other roles which aren't strictly related to Matrix are likely to follow this fate of moving to their own repositories. Extracting them out allows other Ansible playbooks to make use of these roles easily.
+
+
 # 2023-01-13
 ## Support for running commands via just
diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md
index 0b785c359..703c03b22 100644
--- a/docs/configuring-playbook-prometheus-grafana.md
+++ b/docs/configuring-playbook-prometheus-grafana.md
@@ -10,7 +10,7 @@ Remember to add `stats.` to DNS as described in [Configuring DNS](c
 matrix_prometheus_enabled: true
 # You can remove this, if unnecessary.
-matrix_prometheus_node_exporter_enabled: true
+prometheus_node_exporter_enabled: true
 # You can remove this, if unnecessary.
 matrix_prometheus_postgres_exporter_enabled: true
@@ -40,7 +40,7 @@ The retention policy of Prometheus metrics is [15 days by default](https://prome
 Name | Description
 -----|----------
 `matrix_prometheus_enabled`|[Prometheus](https://prometheus.io) is a time series database. It holds all the data we're going to talk about.
-`matrix_prometheus_node_exporter_enabled`|[Node Expor<br>ter](https://prometheus.io/docs/guides/node-exporter/) is an addon of sorts to Prometheus that collects generic system information such as CPU, memory, filesystem, and even system temperatures
+`prometheus_node_exporter_enabled`|[Node Exporter](https://prometheus.io/docs/guides/node-exporter/) is an addon of sorts to Prometheus that collects generic system information such as CPU, memory, filesystem, and even system temperatures
 `matrix_prometheus_postgres_exporter_enabled`|[Postgres Exporter](configuring-playbook-prometheus-postgres.md) is an addon of sorts to expose Postgres database metrics to Prometheus.
 `matrix_prometheus_nginxlog_exporter_enabled`|[NGINX Log Exporter](configuring-playbook-prometheus-nginxlog.md) is an addon of sorts to expose NGINX logs to Prometheus.
 `matrix_grafana_enabled`|[Grafana](https://grafana.com/) is the visual component. It shows (on the `stats.` subdomain) the dashboards with the graphs that we're interested in
@@ -52,7 +52,7 @@ Name | Description
 Metrics and resulting graphs can contain a lot of information. This includes system specs but also usage patterns. This applies especially to small personal/family scale homeservers. Someone might be able to figure out when you wake up and go to sleep by looking at the graphs over time. Think about this before enabling anonymous access. And you should really not forget to change your Grafana password.
-Most of our docker containers run with limited system access, but the `prometheus-node-exporter` has access to the host network stack and (readonly) root filesystem. This is required to report on them. If you don't like that, you can set `matrix_prometheus_node_exporter_enabled: false` (which is actually the default). You will still get Synapse metrics with this container disabled. Both of the dashboards will always be enabled, so you can still look at historical data after disabling either source.
+Most of our docker containers run with limited system access, but the `prometheus-node-exporter` has access to the host network stack and (readonly) root filesystem. This is required to report on them. If you don't like that, you can set `prometheus_node_exporter_enabled: false` (which is actually the default). You will still get Synapse metrics with this container disabled. Both of the dashboards will always be enabled, so you can still look at historical data after disabling either source.
 ## Collecting metrics to an external Prometheus server
@@ -74,8 +74,8 @@ Name | Description
 `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content`|Set this to the Basic Authentication credentials (raw `htpasswd` file content) used to protect `/metrics/*`. This htpasswd-file needs to be generated with the `htpasswd` tool and can include multiple username/password pairs. If you only need one credential, use `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password` instead.
 `matrix_synapse_metrics_enabled`|Set this to `true` to make Synapse expose metrics (locally, on the container network)
 `matrix_synapse_metrics_proxying_enabled`|Set this to `true` to expose Synapse's metrics on `https://matrix.DOMAIN/metrics/synapse/main-process` and `https://matrix.DOMAIN/metrics/synapse/worker/TYPE-ID` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`). Read [below](#collecting-synapse-worker-metrics-to-an-external-prometheus-server) if you're running a Synapse worker setup (`matrix_synapse_workers_enabled: true`).
-`matrix_prometheus_node_exporter_enabled`|Set this to `true` to enable the node (general system stats) exporter (locally, on the container network)
-`matrix_prometheus_node_exporter_metrics_proxying_enabled`|Set this to `true` to expose the node (general system stats) metrics on `https://matrix.DOMAIN/metrics/node-exporter` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`)
+`prometheus_node_exporter_enabled`|Set this to `true` to enable the node (general system stats) exporter (locally, on the container network)
+`matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled`|Set this to `true` to expose the node (general system stats) metrics on `https://matrix.DOMAIN/metrics/node-exporter` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`)
 `matrix_prometheus_postgres_exporter_enabled`|Set this to `true` to enable the [Postgres exporter](configuring-playbook-prometheus-postgres.md) (locally, on the container network)
 `matrix_prometheus_nginxlog_exporter_enabled`|Set this to `true` to enable the [NGINX Log exporter](configuring-playbook-prometheus-nginxlog.md) (locally, on the container network)
 `matrix_prometheus_postgres_exporter_metrics_proxying_enabled`|Set this to `true` to expose the [Postgres exporter](configuring-playbook-prometheus-postgres.md) metrics on `https://matrix.DOMAIN/metrics/postgres-exporter` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`)
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 0e6e3691f..70abde3af 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -301,7 +301,7 @@ devture_systemd_service_manager_services_list_auto: |
 +
 ([{'name': 'matrix-prometheus.service', 'priority': 4000, 'groups': ['matrix', 'monitoring', 'prometheus', 'prometheus-core']}] if matrix_prometheus_enabled else [])
 +
- ([{'name': 'matrix-prometheus-node-exporter.service', 'priority': 3900, 'groups': ['matrix', 'monitoring', 'prometheus', 'prometheus-node-exporters']}] if matrix_prometheus_node_exporter_enabled else [])
+ ([{'name': (prometheus_node_exporter_identifier + '.service'), 'priority': 3900, 'groups': ['matrix', 'monitoring', 'prometheus', 'prometheus-node-exporters']}] if prometheus_node_exporter_enabled else [])
 +
 ([{'name': 'matrix-prometheus-postgres-exporter.service', 'priority': 3900, 'groups': ['matrix', 'monitoring', 'prometheus', 'prometheus-node-exporters']}] if matrix_prometheus_postgres_exporter_enabled else [])
 +
@@ -2927,15 +2927,28 @@ matrix_synapse_admin_container_image_self_build: "{{ matrix_architecture not in
 ######################################################################
 #
-# matrix-prometheus-node-exporter
+# etke/prometheus_node_exporter
 #
 ######################################################################
-matrix_prometheus_node_exporter_enabled: false
+prometheus_node_exporter_enabled: false
+
+prometheus_node_exporter_identifier: matrix-prometheus-node-exporter
+
+prometheus_node_exporter_base_path: "{{ matrix_base_data_path }}/prometheus-node-exporter"
+
+prometheus_node_exporter_uid: "{{ matrix_user_uid }}"
+prometheus_node_exporter_gid: "{{ matrix_user_gid }}"
+
+prometheus_node_exporter_server_fqn: "{{ matrix_server_fqn_matrix }}"
+
+prometheus_node_exporter_container_network: "{{ matrix_docker_network }}"
+
+prometheus_node_exporter_container_labels_traefik_enabled: false
 ######################################################################
 #
-# /matrix-prometheus-node-exporter
+# /etke/prometheus_node_exporter
 #
 ######################################################################
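Review bot: The new `prometheus_node_exporter_*` block in the second hunk wires only the identifier, base path, uid/gid, FQN, container network and the Traefik-label flag, while the role defaults this patch deletes further down (`roles/custom/matrix-prometheus-node-exporter/defaults/main.yml`) also exposed `..._container_extra_arguments`, `..._process_extra_arguments` and `..._container_http_host_bind_port`, together with the written rationale for not running the exporter with `--net=host` (metrics port exposure). Nothing visible here maps those three onto the external role, so an operator who had tuned collectors or a host bind port may lose that configuration silently; whether the new `matrix_playbook_migration` validate_config flags the old names is not visible in this chunk. I would add a pointer in the block so the remaining knobs stay discoverable, e.g. `# For settings not mirrored here (e.g. host port exposure, extra arguments), see the external role's defaults: https://gitlab.com/etke.cc/roles/prometheus_node_exporter`.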
@@ -2971,8 +2984,8 @@ matrix_prometheus_scraper_synapse_targets: ['matrix-synapse:{{ matrix_synapse_me
 matrix_prometheus_scraper_synapse_workers_enabled_list: "{{ matrix_synapse_workers_enabled_list }}"
 matrix_prometheus_scraper_synapse_rules_synapse_tag: "{{ matrix_synapse_docker_image_tag }}"
-matrix_prometheus_scraper_node_enabled: "{{ matrix_prometheus_node_exporter_enabled }}"
-matrix_prometheus_scraper_node_targets: "{{ ['matrix-prometheus-node-exporter:9100'] if matrix_prometheus_node_exporter_enabled else [] }}"
+matrix_prometheus_scraper_node_enabled: "{{ prometheus_node_exporter_enabled }}"
+matrix_prometheus_scraper_node_targets: "{{ [prometheus_node_exporter_identifier + ':9100'] if prometheus_node_exporter_enabled else [] }}"
 matrix_prometheus_scraper_postgres_enabled: "{{ matrix_prometheus_postgres_exporter_enabled }}"
 matrix_prometheus_scraper_postgres_targets: "{{ ['matrix-prometheus-postgres-exporter:'+ matrix_prometheus_postgres_exporter_port | string] if matrix_prometheus_scraper_postgres_enabled else [] }}"
@@ -3030,7 +3043,7 @@ matrix_grafana_dashboard_download_urls: |
 {{
 (matrix_synapse_grafana_dashboard_urls if matrix_homeserver_implementation == 'synapse' and matrix_synapse_metrics_enabled else [])
 +
- (matrix_prometheus_node_exporter_dashboard_urls if matrix_prometheus_node_exporter_enabled else [])
+ (prometheus_node_exporter_dashboard_urls if prometheus_node_exporter_enabled else [])
 +
 (matrix_prometheus_postgres_exporter_dashboard_urls if matrix_prometheus_postgres_exporter_enabled else [])
 +
diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml
index 409328aec..5190521e2 100755
--- a/playbooks/matrix.yml
+++ b/playbooks/matrix.yml
@@ -86,11 +86,12 @@
 - custom/matrix-dendrite
 - custom/matrix-conduit
 - custom/matrix-synapse-admin
- - custom/matrix-prometheus-node-exporter
+ - galaxy/prometheus_node_exporter
 - custom/matrix-prometheus-postgres-exporter
 - custom/matrix-prometheus-nginxlog-exporter
 - custom/matrix-prometheus
 - custom/matrix-grafana
+ - custom/matrix-prometheus-services-proxy-connect
 - custom/matrix-registration
 - custom/matrix-client-element
 - custom/matrix-client-hydrogen
diff --git a/requirements.yml b/requirements.yml
index 03eed35df..07cab1972 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -29,3 +29,6 @@
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages.git
 version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6
+
+- src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git
+ version: v1.5.0-0
diff --git a/roles/custom/matrix-prometheus-node-exporter/defaults/main.yml b/roles/custom/matrix-prometheus-node-exporter/defaults/main.yml
deleted file mode 100644
index 070e86164..000000000
--- a/roles/custom/matrix-prometheus-node-exporter/defaults/main.yml
+++ /dev/null
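Review bot: The new `prometheus_node_exporter` entry in `requirements.yml` is pinned to the tag `v1.5.0-0`, while the neighbouring `playbook_runtime_messages` entry pins a full commit SHA. A tag can be moved or re-pushed upstream, so `just roles` would then fetch different code under the same pin with no diff on this side; pinning the resolved commit (`version: <commit-sha-of-v1.5.0-0>`) keeps the dependency set reproducible and makes every upstream change show up as a reviewable diff here. If the tag is kept for readability, a trailing `# v1.5.0-0` next to a SHA pin gives both. The `playbooks/matrix.yml` hunk above only swaps and adds role entries and needs nothing further.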
@@ -1,67 +0,0 @@ ---- -# matrix-prometheus-node-exporter is an Prometheus exporter for machine metrics -# See: https://prometheus.io/docs/guides/node-exporter/ -# Project source code URL: https://github.com/prometheus/node_exporter - -matrix_prometheus_node_exporter_enabled: false - -matrix_prometheus_node_exporter_version: v1.5.0 -matrix_prometheus_node_exporter_docker_image: "{{ matrix_container_global_registry_prefix }}prom/node-exporter:{{ matrix_prometheus_node_exporter_version }}" -matrix_prometheus_node_exporter_docker_image_force_pull: "{{ matrix_prometheus_node_exporter_docker_image.endswith(':latest') }}" - -# A list of extra arguments to pass to the container -matrix_prometheus_node_exporter_container_extra_arguments: [] - -# A list of extra arguments to pass to the node_exporter process -# -# Example: -# matrix_prometheus_node_exporter_process_extra_arguments: -# - "--collector.systemd" -# - "--collector.logind" -# -# Note: the above is just an example. Various collectors may require various tweaks to be able to run. -# Running the systemd collector requires the following `matrix_prometheus_node_exporter_container_extra_arguments`: -# - the socket to be mounted as well (`--mount type=bind,src=/var/run/dbus/system_bus_socket,dst=/var/run/dbus/system_bus_socket,ro,bind-propagation=rslave`) -# - (on AppArmor-based distros) disabling AppArmor protection (`--security-opt apparmor=unconfined`) -matrix_prometheus_node_exporter_process_extra_arguments: [] - -# List of systemd services that matrix-prometheus.service depends on -matrix_prometheus_node_exporter_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-prometheus.service wants -matrix_prometheus_node_exporter_systemd_wanted_services_list: [] - -# Controls whether node-exporter metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/node-exporter`. -# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`. 
-# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. -matrix_prometheus_node_exporter_metrics_proxying_enabled: false - -# Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9100 in the container). -# -# Takes an ":" value (e.g. "127.0.0.1:9100"), just a port number or empty string to not expose. -# -# You likely don't need to do this. See `matrix_prometheus_node_exporter_metrics_proxying_enabled`. -# -# Official recommendations are to run this container with `--net=host`, -# but we don't do that, since it: -# - likely exposes the metrics web server way too publicly (before applying https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1008) -# - or listens on a loopback interface only (--net=host and 127.0.0.1:9100), which is not reachable from another container (like `matrix-prometheus`) -# -# Using `--net=host` and binding to Docker's `matrix` bridge network may be a solution to both, -# but that's trickier to accomplish and won't necessarily work (hasn't been tested). -# -# Not using `--net=host` means that our network statistic reports are likely broken (inaccurate), -# because node-exporter can't see all interfaces, etc. -# For now, we'll live with that, until someone develops a better solution. -matrix_prometheus_node_exporter_container_http_host_bind_port: '' - -# If you are supplying your own NGINX proxy but want to use the provided exporters you will have to supply an ":" value for the containers to bind to on your host. -# If matrix_prometheus_node_exporter_container_http_host_bind_port is set to just a port number, this will default to "127.0.0.1:" -# If matrix_prometheus_node_exporter_container_http_host_bind_port is set to an IP that is not 0.0.0.0 and a port, that ":" value will be used -# Otherwise this value will be empty and you will have to manually configure your NGINX config file. 
(If you are using the config files generated by this playbook, you will have to edit matrix-domain.conf) -matrix_prometheus_node_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host: "{{ '127.0.0.1' + matrix_prometheus_node_exporter_container_http_host_bind_port_number_raw if not ':' in matrix_prometheus_node_exporter_container_http_host_bind_port else (matrix_prometheus_node_exporter_container_http_host_bind_port if matrix_prometheus_node_exporter_container_http_host_bind_port.split(':')[0] != '0.0.0.0' else '') }}" - -# matrix_prometheus_node_exporter_dashboard_urls contains a list of URLs with Grafana dashboard definitions. -# If the Grafana role is enabled, these dashboards will be downloaded. -matrix_prometheus_node_exporter_dashboard_urls: - - https://raw.githubusercontent.com/rfrail3/grafana-dashboards/master/prometheus/node-exporter-full.json diff --git a/roles/custom/matrix-prometheus-node-exporter/tasks/main.yml b/roles/custom/matrix-prometheus-node-exporter/tasks/main.yml deleted file mode 100644 index 6a0cd8307..000000000 --- a/roles/custom/matrix-prometheus-node-exporter/tasks/main.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- - -- block: - - when: matrix_prometheus_node_exporter_enabled | bool and matrix_prometheus_node_exporter_metrics_proxying_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: - - setup-all - - setup-nginx-proxy - - install-all - - install-nginx-proxy - -- block: - - when: matrix_prometheus_node_exporter_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: - - setup-all - - setup-prometheus-node-exporter - - install-all - - install-prometheus-node-exporter - -- block: - - when: not matrix_prometheus_node_exporter_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-prometheus-node-exporter 
diff --git a/roles/custom/matrix-prometheus-node-exporter/tasks/setup_install.yml b/roles/custom/matrix-prometheus-node-exporter/tasks/setup_install.yml deleted file mode 100644 index 3c0af96b9..000000000 --- a/roles/custom/matrix-prometheus-node-exporter/tasks/setup_install.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- - -- name: Ensure matrix-prometheus-node-exporter image is pulled - community.docker.docker_image: - name: "{{ matrix_prometheus_node_exporter_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_prometheus_node_exporter_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_prometheus_node_exporter_docker_image_force_pull }}" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure matrix-prometheus-node-exporter.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-prometheus-node-exporter.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-node-exporter.service" - mode: 0644 - register: matrix_prometheus_node_exporter_systemd_service_result diff --git a/roles/custom/matrix-prometheus-node-exporter/tasks/setup_uninstall.yml b/roles/custom/matrix-prometheus-node-exporter/tasks/setup_uninstall.yml deleted file mode 100644 index b5ef4f0f7..000000000 --- a/roles/custom/matrix-prometheus-node-exporter/tasks/setup_uninstall.yml +++ /dev/null 
@@ -1,20 +0,0 @@ ---- - -- name: Check existence of matrix-prometheus-node-exporter service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-node-exporter.service" - register: matrix_prometheus_node_exporter_service_stat - -- when: matrix_prometheus_node_exporter_service_stat.stat.exists | bool - block: - - name: Ensure matrix-prometheus-node-exporter is stopped - ansible.builtin.service: - name: matrix-prometheus-node-exporter - state: stopped - enabled: false - daemon_reload: true - - - name: Ensure matrix-prometheus-node-exporter.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-node-exporter.service" - state: absent diff --git a/roles/custom/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 b/roles/custom/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 deleted file mode 100644 index 82aca453f..000000000 --- a/roles/custom/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 +++ /dev/null 
@@ -1,44 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=matrix-prometheus-node-exporter -{% for service in matrix_prometheus_node_exporter_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_prometheus_node_exporter_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-prometheus-node-exporter 2>/dev/null || true' - - -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-prometheus-node-exporter \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - {% for arg in matrix_prometheus_node_exporter_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - --network={{ matrix_docker_network }} \ - {% if matrix_prometheus_node_exporter_container_http_host_bind_port %} - -p {{ matrix_prometheus_node_exporter_container_http_host_bind_port }}:9100 \ - {% endif %} - --pid=host \ - --mount type=bind,src=/,dst=/host,ro,bind-propagation=rslave \ - {{ matrix_prometheus_node_exporter_docker_image }} \ - --path.rootfs=/host {{ matrix_prometheus_node_exporter_process_extra_arguments|join(' ') }} - -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-prometheus-node-exporter 2>/dev/null || true' -Restart=always 
-RestartSec=30 -SyslogIdentifier=matrix-prometheus-node-exporter - -[Install] -WantedBy=multi-user.target diff --git a/roles/custom/matrix-prometheus-node-exporter/vars/main.yml b/roles/custom/matrix-prometheus-node-exporter/vars/main.yml deleted file mode 100644 index 952dc2050..000000000 --- a/roles/custom/matrix-prometheus-node-exporter/vars/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -# `matrix_prometheus_node_exporter_container_http_host_bind_port_number_raw` contains the raw port number extracted from `matrix_prometheus_node_exporter_container_http_host_bind_port`, -# which can contain values like this: ('1234', '127.0.0.1:1234', '0.0.0.0:1234') -matrix_prometheus_node_exporter_container_http_host_bind_port_number_raw: "{{ '' if matrix_prometheus_node_exporter_container_http_host_bind_port == '' else (matrix_prometheus_node_exporter_container_http_host_bind_port.split(':')[1] if ':' in matrix_prometheus_node_exporter_container_http_host_bind_port else matrix_prometheus_node_exporter_container_http_host_bind_port) }}" diff --git a/roles/custom/matrix-prometheus-services-proxy-connect/defaults/main.yml b/roles/custom/matrix-prometheus-services-proxy-connect/defaults/main.yml new file mode 100644 index 000000000..5799d0535 --- /dev/null +++ b/roles/custom/matrix-prometheus-services-proxy-connect/defaults/main.yml 
@@ -0,0 +1,15 @@ +--- +# matrix-prometheus-services-proxy-connect is a role which helps integrate +# the various Prometheus roles, which may live outside this Matrix playbook, into it. + + +# Controls whether node-exporter metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/node-exporter`. +# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`. +# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. +matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled: false + +# If you are supplying your own NGINX proxy but want to use the provided exporters you will have to supply an ":" value for the containers to bind to on your host. +# If prometheus_node_exporter_container_http_host_bind_port is set to just a port number, this will default to "127.0.0.1:" +# If prometheus_node_exporter_container_http_host_bind_port is set to an IP that is not 0.0.0.0 and a port, that ":" value will be used +# Otherwise this value will be empty and you will have to manually configure your NGINX config file. (If you are using the config files generated by this playbook, you will have to edit matrix-domain.conf) +matrix_prometheus_services_proxy_connect_prometheus_node_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host: "{{ '127.0.0.1' + prometheus_node_exporter_container_http_host_bind_port_number_raw if not ':' in prometheus_node_exporter_container_http_host_bind_port else (prometheus_node_exporter_container_http_host_bind_port if prometheus_node_exporter_container_http_host_bind_port.split(':')[0] != '0.0.0.0' else '') }}" diff --git a/roles/custom/matrix-prometheus-services-proxy-connect/tasks/main.yml b/roles/custom/matrix-prometheus-services-proxy-connect/tasks/main.yml new file mode 100644 index 000000000..7f35a318d --- /dev/null +++ b/roles/custom/matrix-prometheus-services-proxy-connect/tasks/main.yml 
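Review bot: The two explanatory comments carried over from the deleted matrix-prometheus-node-exporter defaults still read "This will only work take effect if …" and "supply an ":" value", where the `<ip>:<port>` placeholder appears to have been lost, and they do not say that `prometheus_node_exporter_container_http_host_bind_port` and `prometheus_node_exporter_container_http_host_bind_port_number_raw` come from the external galaxy role rather than from this one. Suggested wording for the second block: `# Both prometheus_node_exporter_container_http_host_bind_port and ..._number_raw are defined by the external prometheus_node_exporter role. If the bind port is just a port number this defaults to "127.0.0.1:<port>"; if it is "<ip>:<port>" with an IP other than 0.0.0.0 that value is used; otherwise it is empty and the NGINX config must be written by hand.`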
@@ -0,0 +1,19 @@ +--- + +- name: Fail if matrix-nginx-proxy role executed before matrix-prometheus-services-proxy-connect + ansible.builtin.fail: + msg: >- + Trying to append node-exporter's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-prometheus-services-proxy-connect role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- block: + - when: prometheus_node_exporter_enabled | bool and matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/prometheus-node-exporter/inject_into_nginx_proxy.yml" + tags: + - setup-all + - setup-nginx-proxy + - install-all + - install-nginx-proxy diff --git a/roles/custom/matrix-prometheus-node-exporter/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-prometheus-services-proxy-connect/tasks/prometheus-node-exporter/inject_into_nginx_proxy.yml similarity index 51% rename from roles/custom/matrix-prometheus-node-exporter/tasks/inject_into_nginx_proxy.yml rename to roles/custom/matrix-prometheus-services-proxy-connect/tasks/prometheus-node-exporter/inject_into_nginx_proxy.yml index 24e05ed8d..4c86e8aab 100644 --- a/roles/custom/matrix-prometheus-node-exporter/tasks/inject_into_nginx_proxy.yml +++ b/roles/custom/matrix-prometheus-services-proxy-connect/tasks/prometheus-node-exporter/inject_into_nginx_proxy.yml 
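Review bot: The "Fail if matrix-nginx-proxy role executed before …" task now runs unconditionally and untagged, whereas in the deleted role the same check lived inside inject_into_nginx_proxy.yml and was only reached under the tagged block guarded by `prometheus_node_exporter_enabled` and the proxying flag (see the removed lines in the renamed file below). Two consequences: a deployment that has node-exporter or its proxying disabled now fails solely because of role order, and a run limited with `--tags=setup-nginx-proxy` skips the check while still performing the injection in the tagged block. Giving the fail task the same conditions and tags as the block restores the old semantics.
```yaml
- name: Fail if matrix-nginx-proxy role executed before matrix-prometheus-services-proxy-connect
  ansible.builtin.fail:
    # … unchanged: msg …
  when:
    - matrix_nginx_proxy_role_executed | default(False) | bool
    - prometheus_node_exporter_enabled | bool
    - matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled | bool
  tags:
    - setup-all
    - setup-nginx-proxy
    - install-all
    - install-nginx-proxy
```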
@@ -1,25 +1,16 @@ --- -- name: Fail if matrix-nginx-proxy role already executed - ansible.builtin.fail: - msg: >- - Trying to append node-exporter's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your playbook, - so that the matrix-nginx-proxy role would run after the matrix-prometheus-node-exporter role. - when: matrix_nginx_proxy_role_executed | default(False) | bool - - name: Generate node-exporter metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/node-exporter) ansible.builtin.set_fact: - matrix_prometheus_node_exporter_nginx_metrics_configuration_block: | + matrix_prometheus_services_proxy_connect_node_exporter_nginx_metrics_configuration_block: | location /metrics/node-exporter { {% if matrix_nginx_proxy_enabled | default(False) %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; - set $backend "matrix-prometheus-node-exporter:9100"; + set $backend "{{ prometheus_node_exporter_identifier }}:9100"; proxy_pass http://$backend/metrics; - {% elif matrix_prometheus_node_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host != '' %} - proxy_pass http://{{ matrix_prometheus_node_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host }}/metrics; + {% elif matrix_prometheus_services_proxy_connect_prometheus_node_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host != '' %} + proxy_pass http://{{ matrix_prometheus_services_proxy_connect_prometheus_node_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host }}/metrics; {% else %} return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; {% endif %} 
@@ -31,5 +22,5 @@ {{ matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) + - [matrix_prometheus_node_exporter_nginx_metrics_configuration_block] + [matrix_prometheus_services_proxy_connect_node_exporter_nginx_metrics_configuration_block] }} diff --git a/roles/custom/matrix_playbook_migration/defaults/main.yml b/roles/custom/matrix_playbook_migration/defaults/main.yml new file mode 100644 index 000000000..b553160a9 --- /dev/null +++ b/roles/custom/matrix_playbook_migration/defaults/main.yml @@ -0,0 +1,4 @@ +--- + +# Controls if (`matrix_prometheus_node_exporter` -> `prometheus_node_exporter`) validation will run. +matrix_playbook_migration_matrix_prometheus_node_exporter_migration_validation_enabled: true diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index f4ce2bdca..5d22e4bfe 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml @@ -34,6 +34,7 @@ - {'old': 'matrix_systemd_services_list', 'new': 'devture_systemd_service_manager_services_list_additional'} - {'old': 'matrix_common_after_systemd_service_start_wait_for_timeout_seconds', 'new': 'devture_systemd_service_manager_up_verification_delay_seconds'} - {'old': 'matrix_systemd_services_autostart_enabled', 'new': 'devture_systemd_service_manager_services_autostart_enabled'} + - {'old': 'matrix_prometheus_node_exporter_metrics_proxying_enabled', 'new': 'matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled'} - name: (Deprecation) Catch and report matrix_postgres variables ansible.builtin.fail: 
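Review bot: The rename table in validate_config.yml gains an entry for `matrix_prometheus_node_exporter_metrics_proxying_enabled` only, yet `matrix_prometheus_node_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host` was also removed from the deleted defaults and re-created under the new role's prefix; a user who overrode it receives no targeted message from this list. Add `- {'old': 'matrix_prometheus_node_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host', 'new': 'matrix_prometheus_services_proxy_connect_prometheus_node_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host'}` next to the new entry so both moved variables are reported with their real replacement.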
@@ -48,3 +49,18 @@ The following variables in your configuration need to be renamed: {{ vars | dict2items | selectattr('key', 'match', 'matrix_postgres_.*') | map (attribute='key') | join(', ') }} when: "vars | dict2items | selectattr('key', 'match', 'matrix_postgres_.*') | list | items2dict" + +- when: matrix_playbook_migration_matrix_prometheus_node_exporter_migration_validation_enabled | bool + block: + - ansible.builtin.set_fact: + matrix_playbook_migration_matrix_prometheus_node_exporter_migration_vars: |- + {{ vars | dict2items | selectattr('key', 'match', 'matrix_prometheus_node_exporter_.*') | list | items2dict }} + + - name: (Deprecation) Catch and report matrix_prometheus_node_exporter variables + ansible.builtin.fail: + msg: >- + The matrix-prometheus-node-exporter role that used to be part of this playbook has been replaced by https://gitlab.com/etke.cc/roles/prometheus_node_exporter. + The new role is compatible with the old one, but uses different names for its variables. + Please change your configuration (vars.yml) to rename all variables (`matrix_prometheus_node_exporter_` -> `prometheus_node_exporter_`). + We found usage of the following variables: {{ matrix_playbook_migration_matrix_prometheus_node_exporter_migration_vars.keys() | join(', ') }} + when: "matrix_playbook_migration_matrix_prometheus_node_exporter_migration_vars | length > 0" From 18d8d41e1454680b404e4aa92609d0cf82f1074d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sat, 21 Jan 2023 20:54:12 +0100 Subject: [PATCH 273/915] Fix client js and css download (load compiled version) --- .../matrix-cactus-comments/defaults/main.yml | 6 ++-- .../tasks/setup_install.yml | 31 +++---------------- 2 files changed, 9 insertions(+), 28 deletions(-) diff --git a/roles/custom/matrix-cactus-comments/defaults/main.yml b/roles/custom/matrix-cactus-comments/defaults/main.yml index 224a53489..7b12b9f1c 100644 --- a/roles/custom/matrix-cactus-comments/defaults/main.yml 
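Review bot: The catch-all message tells users to rename every `matrix_prometheus_node_exporter_` variable to `prometheus_node_exporter_`, but the proxying-related ones moved to the `matrix_prometheus_services_proxy_connect_prometheus_node_exporter_` prefix instead (see the new role's defaults), so for `..._matrix_nginx_proxy_not_enabled_proxy_pass_host` the advice is wrong; the targeted check for `..._metrics_proxying_enabled` happens to run first, which is why that one is not affected. Add a sentence such as `Variables related to metrics proxying (..._metrics_proxying_enabled, ..._matrix_nginx_proxy_not_enabled_proxy_pass_host) moved to the matrix_prometheus_services_proxy_connect_ prefix instead.` to the msg. The `ansible.builtin.set_fact` task also lacks a `name:`, unlike every sibling task in this file.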
+++ b/roles/custom/matrix-cactus-comments/defaults/main.yml @@ -31,10 +31,12 @@ matrix_cactus_comments_version: 0.9.0 matrix_cactus_comments_docker_image: "{{ matrix_container_global_registry_prefix }}cactuscomments/cactus-appservice:{{ matrix_cactus_comments_version }}" matrix_cactus_comments_docker_image_force_pull: "{{ matrix_cactus_comments_docker_image.endswith(':latest') }}" -# matrix_cactus_comments_client_version specifies the version of the cactus-client release to use. +# The released&compiled client ist uploaded to URL that changes per commit. Therefore it is necessary to check the +# available versions and adjust the url manually. # For available versions, see: https://gitlab.com/cactus-comments/cactus-client/-/releases # Also see: `matrix_cactus_comments_client_local_dir` -matrix_cactus_comments_client_version: "0.13.0" +matrix_cactus_comments_webclient_js_url: "https://gateway.pinata.cloud/ipfs/QmSiWN27KZZ1XE32jKwifBnS3nWTUcFGNArKzur2nmDgoL/v0.13.0/cactus.js" +matrix_cactus_comments_webclient_css_url: "https://gateway.pinata.cloud/ipfs/QmSiWN27KZZ1XE32jKwifBnS3nWTUcFGNArKzur2nmDgoL/v0.13.0/style.css" # matrix_cactus_comments_client_local_dir specifies a local directory (on the Ansible controller, not on the remote server) with cactus-client files to use. # This is an alternative to `matrix_cactus_comments_client_version`, to be used when you'd like to diff --git a/roles/custom/matrix-cactus-comments/tasks/setup_install.yml b/roles/custom/matrix-cactus-comments/tasks/setup_install.yml index 8a8bf3261..03b97d0ad 100644 --- a/roles/custom/matrix-cactus-comments/tasks/setup_install.yml +++ b/roles/custom/matrix-cactus-comments/tasks/setup_install.yml 
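Review bot: The context comment just below the new URL variables still says "This is an alternative to `matrix_cactus_comments_client_version`", but that variable is deleted by this very hunk, so the reference is now dangling; it should read `This is an alternative to matrix_cactus_comments_webclient_js_url / matrix_cactus_comments_webclient_css_url`. The URLs also point at a third-party IPFS gateway (`gateway.pinata.cloud`) rather than at the project's own release page, which the comment should state so operators understand what they are trusting; a companion checksum variable for each file is the natural way to let them verify the download, and the tasks hunk below is where it would be consumed.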
@@ -67,37 +67,16 @@ - when: matrix_cactus_comments_client_local_dir | length == 0 block: - - name: Download client binary to local folder + - name: Download web client js ansible.builtin.get_url: - url: "https://gitlab.com/cactus-comments/cactus-client/-/archive/v{{ matrix_cactus_comments_client_version }}/cactus-client-v{{ matrix_cactus_comments_client_version }}.tar.gz" - dest: "/tmp/cactus-comments-{{ matrix_cactus_comments_client_version }}.tar.gz" - mode: '0644' - register: _download_client - until: _download_client is succeeded - retries: 5 - delay: 2 - check_mode: false - - - name: Unpack client - ansible.builtin.unarchive: - src: "/tmp/cactus-comments-{{ matrix_cactus_comments_client_version }}.tar.gz" - dest: "/tmp/" - remote_src: true - mode: 0600 - check_mode: false - - - name: Propagate client javascript file - ansible.builtin.copy: - src: "/tmp/cactus-client-v{{ matrix_cactus_comments_client_version }}/src/cactus.js" - remote_src: true + url: "{{ matrix_cactus_comments_webclient_js_url }}" dest: "{{ matrix_cactus_comments_client_path }}/cactus.js" mode: "{{ matrix_cactus_comments_client_file_permissions }}" owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - - name: Propagate client style file - ansible.builtin.copy: - src: "/tmp/cactus-client-v{{ matrix_cactus_comments_client_version }}/src/style.css" - remote_src: true + - name: Download web client css + ansible.builtin.get_url: + url: "{{ matrix_cactus_comments_webclient_css_url }}" dest: "{{ matrix_cactus_comments_client_path }}/style.css" mode: "{{ matrix_cactus_comments_client_file_permissions }}" owner: "{{ matrix_user_username }}" From c4d1347466d793874383abcee3c5bbb35b0be154 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 22 Jan 2023 09:08:47 +0200 Subject: [PATCH 274/915] Fix typos --- roles/custom/matrix-cactus-comments/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
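Review bot: The two new `ansible.builtin.get_url` tasks drop the `register`/`until`/`retries`/`delay` that the removed download task had, and they fetch executable JavaScript from an external gateway into the served client directory with no integrity check. `get_url` supports a `checksum:` argument; wiring it to a new, optional variable (name proposed here) keeps the default behaviour for users who leave it empty while letting others pin the file, and restoring the retry loop keeps transient gateway failures from aborting the run. The CSS task needs the same treatment; the enclosing `block:` starts outside this hunk.
```yaml
    - name: Download web client js
      ansible.builtin.get_url:
        url: "{{ matrix_cactus_comments_webclient_js_url }}"
        # "sha256:<hex>" of the pinned release; empty/undefined skips verification (proposed new variable)
        checksum: "{{ matrix_cactus_comments_webclient_js_checksum | default(omit, true) }}"
        dest: "{{ matrix_cactus_comments_client_path }}/cactus.js"
        # … unchanged: mode / owner / group …
      register: _download_client_js
      until: _download_client_js is succeeded
      retries: 5
      delay: 2
```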
diff --git a/roles/custom/matrix-cactus-comments/defaults/main.yml b/roles/custom/matrix-cactus-comments/defaults/main.yml index 7b12b9f1c..80f8c15ee 100644 --- a/roles/custom/matrix-cactus-comments/defaults/main.yml +++ b/roles/custom/matrix-cactus-comments/defaults/main.yml @@ -31,7 +31,7 @@ matrix_cactus_comments_version: 0.9.0 matrix_cactus_comments_docker_image: "{{ matrix_container_global_registry_prefix }}cactuscomments/cactus-appservice:{{ matrix_cactus_comments_version }}" matrix_cactus_comments_docker_image_force_pull: "{{ matrix_cactus_comments_docker_image.endswith(':latest') }}" -# The released&compiled client ist uploaded to URL that changes per commit. Therefore it is necessary to check the +# The released & compiled client is uploaded to a URL that changes per commit. Therefore it is necessary to check the # available versions and adjust the url manually. # For available versions, see: https://gitlab.com/cactus-comments/cactus-client/-/releases # Also see: `matrix_cactus_comments_client_local_dir` From 47165e890272f0e6763d7c6c0c68d624377313a8 Mon Sep 17 00:00:00 2001 From: Array in a Matrix Date: Tue, 24 Jan 2023 15:50:06 -0500 Subject: [PATCH 275/915] updated dendrite version --- roles/custom/matrix-dendrite/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml index 32f262ad5..6a495f8f2 100644 --- a/roles/custom/matrix-dendrite/defaults/main.yml +++ b/roles/custom/matrix-dendrite/defaults/main.yml 
@@ -6,7 +6,7 @@ matrix_dendrite_enabled: true matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}" matrix_dendrite_docker_image_name_prefix: "docker.io/" -matrix_dendrite_docker_image_tag: "v0.10.8" +matrix_dendrite_docker_image_tag: "v0.11.0" matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite" From 6afd3c59eb617d2781581578048fb403bd42fd32 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 25 Jan 2023 08:39:47 +0000 Subject: [PATCH 276/915] Update grafana 9.3.2 -> 9.3.4 --- roles/custom/matrix-grafana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-grafana/defaults/main.yml b/roles/custom/matrix-grafana/defaults/main.yml index 44821b577..9920572d4 100644 --- a/roles/custom/matrix-grafana/defaults/main.yml +++ b/roles/custom/matrix-grafana/defaults/main.yml @@ -5,7 +5,7 @@ matrix_grafana_enabled: true -matrix_grafana_version: 9.3.2 +matrix_grafana_version: 9.3.4 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" From 547b01d618aad45abcc438a21632b9a9892d6f80 Mon Sep 17 00:00:00 2001 From: rhys Date: Wed, 25 Jan 2023 12:02:40 +0000 Subject: [PATCH 277/915] Added option to allow user to set jigasi user and password for AUTH --- roles/custom/matrix-jitsi/defaults/main.yml | 5 +++++ roles/custom/matrix-jitsi/templates/prosody/env.j2 | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-jitsi/defaults/main.yml b/roles/custom/matrix-jitsi/defaults/main.yml index da166cd86..6b0e7e969 100644 --- a/roles/custom/matrix-jitsi/defaults/main.yml 
+++ b/roles/custom/matrix-jitsi/defaults/main.yml @@ -283,3 +283,8 @@ matrix_jitsi_jvb_container_colibri_ws_host_bind_port: '' # # The setting requires an integer to be set for usage and allows a user to specify the max number of particpants on a conference. matrix_prosody_jitsi_max_participants: '' + +# Allows abailty to set XMPP AUTH user if using JIGASI +matrix_jitsi_jigasi_xmpp_user: '' +# Allows abailty to set XMPP AUTH pasword if using JIGASI +matrix_jitsi_jigasi_xmpp_password: '' \ No newline at end of file diff --git a/roles/custom/matrix-jitsi/templates/prosody/env.j2 b/roles/custom/matrix-jitsi/templates/prosody/env.j2 index b0ebbefce..72b23e3cc 100644 --- a/roles/custom/matrix-jitsi/templates/prosody/env.j2 +++ b/roles/custom/matrix-jitsi/templates/prosody/env.j2 @@ -15,8 +15,8 @@ JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }} JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }} JICOFO_COMPONENT_SECRET -JIGASI_XMPP_USER= -JIGASI_XMPP_PASSWORD= +JIGASI_XMPP_USER={{ matrix_jitsi_jigasi_xmpp_user }} +JIGASI_XMPP_PASSWORD={{ matrix_jitsi_jigasi_xmpp_password }} JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} JWT_APP_ID From d01de9f33dfbf47c636bd796b3a71a9f08a73390 Mon Sep 17 00:00:00 2001 From: rhys Date: Wed, 25 Jan 2023 12:07:00 +0000 Subject: [PATCH 278/915] Fix lint errors --- roles/custom/matrix-jitsi/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-jitsi/defaults/main.yml b/roles/custom/matrix-jitsi/defaults/main.yml index 6b0e7e969..538d8e4eb 100644 --- a/roles/custom/matrix-jitsi/defaults/main.yml +++ b/roles/custom/matrix-jitsi/defaults/main.yml 
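Review bot: The comments on the two new jigasi variables contain typos ("abailty", "pasword") and do not say where the values end up or that the second one is a credential; since the prosody/env.j2 hunk below forwards them as `JIGASI_XMPP_USER` / `JIGASI_XMPP_PASSWORD` into the Prosody container environment, that is worth stating. Suggested comments: `# XMPP user that Jigasi authenticates with; passed to the Prosody container as JIGASI_XMPP_USER. Leave empty if Jigasi is not used.` and `# Secret for the user above; passed as JIGASI_XMPP_PASSWORD. Keep it in your vars.yml/vault, not in this file.` Whether a Jigasi container elsewhere in the role needs the same two values is not visible in this patch and should be checked.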
@@ -287,4 +287,4 @@ matrix_prosody_jitsi_max_participants: '' # Allows abailty to set XMPP AUTH user if using JIGASI matrix_jitsi_jigasi_xmpp_user: '' # Allows abailty to set XMPP AUTH pasword if using JIGASI -matrix_jitsi_jigasi_xmpp_password: '' \ No newline at end of file +matrix_jitsi_jigasi_xmpp_password: '' From ad58858a965896a27967d086315d5d20c1d8b30e Mon Sep 17 00:00:00 2001 From: bertybuttface <110790513+bertybuttface@users.noreply.github.com> Date: Thu, 26 Jan 2023 15:09:24 +0000 Subject: [PATCH 279/915] Upgrade matrix-chatgpt (1.2.3 -> 1.3.2) Add support for OPENAI_PRO for ChatGPT pro subscriptions. --- roles/custom/matrix-bot-chatgpt/defaults/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-chatgpt/defaults/main.yml b/roles/custom/matrix-bot-chatgpt/defaults/main.yml index d6119ca6b..86d185b76 100644 --- a/roles/custom/matrix-bot-chatgpt/defaults/main.yml +++ b/roles/custom/matrix-bot-chatgpt/defaults/main.yml @@ -9,7 +9,7 @@ matrix_bot_chatgpt_docker_repo: "https://github.com/matrixgpt/matrix-chatgpt-bot matrix_bot_chatgpt_docker_repo_version: "{{ 'latest' if matrix_bot_chatgpt_version == 'latest' else matrix_bot_chatgpt_version }}" matrix_bot_chatgpt_docker_src_files_path: "{{ matrix_base_data_path }}/chatgpt/docker-src" -matrix_bot_chatgpt_version: 1.2.3 +matrix_bot_chatgpt_version: 1.3.2 matrix_bot_chatgpt_docker_image: "{{ matrix_bot_chatgpt_docker_image_name_prefix }}matrixgpt/matrix-chatgpt-bot:{{ matrix_bot_chatgpt_version }}" matrix_bot_chatgpt_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_chatgpt_container_image_self_build else 'ghcr.io/' }}" matrix_bot_chatgpt_docker_image_force_pull: "{{ matrix_bot_chatgpt_docker_image.endswith(':latest') }}" 
@@ -31,6 +31,7 @@ matrix_bot_chatgpt_systemd_wanted_services_list: [] matrix_bot_chatgpt_openai_email: '' # OPENAI_EMAIL= matrix_bot_chatgpt_openai_password: '' # OPENAI_PASSWORD= matrix_bot_chatgpt_openai_login_type: 'google' # OPENAI_LOGIN_TYPE="google" +matrix_bot_chatgpt_openai_pro: false # OPENAI_PRO # Matrix Static Settings (required, see notes) # Defaults to "https://matrix.org" From 18c3903defbf28a753d4bfebbbe94725a2510f21 Mon Sep 17 00:00:00 2001 From: bertybuttface <110790513+bertybuttface@users.noreply.github.com> Date: Thu, 26 Jan 2023 15:12:36 +0000 Subject: [PATCH 280/915] Update env.j2 Set OPEN_AI to matrix_bot_chatgpt_openai_pro --- roles/custom/matrix-bot-chatgpt/templates/env.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/custom/matrix-bot-chatgpt/templates/env.j2 b/roles/custom/matrix-bot-chatgpt/templates/env.j2 index 8837fe3ef..bf2dafbff 100644 --- a/roles/custom/matrix-bot-chatgpt/templates/env.j2 +++ b/roles/custom/matrix-bot-chatgpt/templates/env.j2 @@ -4,6 +4,7 @@ MATRIX_ACCESS_TOKEN={{ matrix_bot_chatgpt_matrix_access_token }} OPENAI_EMAIL={{ matrix_bot_chatgpt_openai_email }} OPENAI_PASSWORD={{ matrix_bot_chatgpt_openai_password }} OPENAI_LOGIN_TYPE={{ matrix_bot_chatgpt_openai_login_type }} +OPENAI_PRO={{ matrix_bot_chatgpt_openai_pro }} # With the @ and :DOMAIN, ie @SOMETHING:DOMAIN MATRIX_BOT_USERNAME={{ matrix_bot_chatgpt_matrix_bot_username }} From 4c9f96722f3f6ed56e73cfeecbbeb6fd88ab2faf Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 26 Jan 2023 17:04:04 +0200 Subject: [PATCH 281/915] Add no-multicast-peers to Coturn config by default Part of a security hardening provoked by: https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/ --- roles/custom/matrix-coturn/defaults/main.yml | 3 +++ roles/custom/matrix-coturn/templates/turnserver.conf.j2 | 4 ++++ 2 files changed, 7 insertions(+) 
diff --git a/roles/custom/matrix-coturn/defaults/main.yml b/roles/custom/matrix-coturn/defaults/main.yml index 3a125de48..22ad48d65 100644 --- a/roles/custom/matrix-coturn/defaults/main.yml +++ b/roles/custom/matrix-coturn/defaults/main.yml @@ -73,6 +73,9 @@ matrix_coturn_denied_peer_ips: [] matrix_coturn_user_quota: null matrix_coturn_total_quota: null +# Controls whether `no-multicast-peers` is added to the configuration +matrix_coturn_no_multicast_peers_enabled: true + # To enable TLS, you need to provide paths to certificates. # Paths defined in `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path` are in-container paths. # Files on the host can be mounted into the container using `matrix_coturn_container_additional_volumes`. diff --git a/roles/custom/matrix-coturn/templates/turnserver.conf.j2 b/roles/custom/matrix-coturn/templates/turnserver.conf.j2 index 1bdf310a2..dc8d96ee7 100644 --- a/roles/custom/matrix-coturn/templates/turnserver.conf.j2 +++ b/roles/custom/matrix-coturn/templates/turnserver.conf.j2 @@ -39,6 +39,10 @@ user-quota={{ matrix_coturn_user_quota }} total-quota={{ matrix_coturn_total_quota }} {% endif %} +{% if matrix_coturn_no_multicast_peers_enabled %} +no-multicast-peers +{% endif %} + {% for ip_range in matrix_coturn_denied_peer_ips %} denied-peer-ip={{ ip_range }} {% endfor %} From bf23d63f8211135ad38288978d0fbf38d193b5df Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 26 Jan 2023 17:07:36 +0200 Subject: [PATCH 282/915] Add matrix_coturn_additional_configuration --- roles/custom/matrix-coturn/defaults/main.yml | 8 ++++++++ roles/custom/matrix-coturn/templates/turnserver.conf.j2 | 2 ++ 2 files changed, 10 insertions(+) diff --git a/roles/custom/matrix-coturn/defaults/main.yml b/roles/custom/matrix-coturn/defaults/main.yml index 22ad48d65..0d5d15dc8 100644 --- a/roles/custom/matrix-coturn/defaults/main.yml +++ b/roles/custom/matrix-coturn/defaults/main.yml 
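Review bot: The comment above `matrix_coturn_no_multicast_peers_enabled` only restates the variable name; given the commit message cites the rtcsec write-up, the defaults file should carry the one-line reason an operator would need before flipping it. Suggest `# Controls whether no-multicast-peers is added to the configuration. It stops Coturn from relaying to multicast peer addresses; keep it enabled unless a client of yours actually needs that.` The turnserver.conf.j2 hunk is fine as written.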
@@ -76,6 +76,14 @@ matrix_coturn_total_quota: null # Controls whether `no-multicast-peers` is added to the configuration matrix_coturn_no_multicast_peers_enabled: true +# Additional configuration to be passed to turnserver.conf +# Example: +# matrix_coturn_additional_configuration: | +# simple-log +# aux-server=1.2.3.4 +# relay-ip=4.3.2.1 +matrix_coturn_additional_configuration: '' + # To enable TLS, you need to provide paths to certificates. # Paths defined in `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path` are in-container paths. # Files on the host can be mounted into the container using `matrix_coturn_container_additional_volumes`. diff --git a/roles/custom/matrix-coturn/templates/turnserver.conf.j2 b/roles/custom/matrix-coturn/templates/turnserver.conf.j2 index dc8d96ee7..47fa5b861 100644 --- a/roles/custom/matrix-coturn/templates/turnserver.conf.j2 +++ b/roles/custom/matrix-coturn/templates/turnserver.conf.j2 @@ -49,3 +49,5 @@ denied-peer-ip={{ ip_range }} {% for ip_range in matrix_coturn_allowed_peer_ips %} allowed-peer-ip={{ ip_range }} {% endfor %} + +{{ matrix_coturn_additional_configuration }} From 773cb7d37e018ad462d4229bf58ecbe569c918be Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 26 Jan 2023 17:08:05 +0200 Subject: [PATCH 283/915] Make no-tcp-relay Coturn configuration property configurable --- roles/custom/matrix-coturn/defaults/main.yml | 3 +++ roles/custom/matrix-coturn/templates/turnserver.conf.j2 | 3 +++ 2 files changed, 6 insertions(+) diff --git a/roles/custom/matrix-coturn/defaults/main.yml b/roles/custom/matrix-coturn/defaults/main.yml index 0d5d15dc8..71c97b254 100644 --- a/roles/custom/matrix-coturn/defaults/main.yml +++ b/roles/custom/matrix-coturn/defaults/main.yml 
@@ -73,6 +73,9 @@ matrix_coturn_denied_peer_ips: [] matrix_coturn_user_quota: null matrix_coturn_total_quota: null +# Controls whether `no-tcp-relay` is added to the configuration +matrix_coturn_no_tcp_relay_enabled: true + # Controls whether `no-multicast-peers` is added to the configuration matrix_coturn_no_multicast_peers_enabled: true diff --git a/roles/custom/matrix-coturn/templates/turnserver.conf.j2 b/roles/custom/matrix-coturn/templates/turnserver.conf.j2 index 47fa5b861..dfc3a87d5 100644 --- a/roles/custom/matrix-coturn/templates/turnserver.conf.j2 +++ b/roles/custom/matrix-coturn/templates/turnserver.conf.j2 @@ -30,7 +30,10 @@ no-dtls {% endif %} prod + +{% if matrix_coturn_no_tcp_relay_enabled %} no-tcp-relay +{% endif %} {% if matrix_coturn_user_quota != None %} user-quota={{ matrix_coturn_user_quota }} From bb0faa6bc37be94f443fa9730f9af726f9ba1486 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 26 Jan 2023 17:15:44 +0200 Subject: [PATCH 284/915] Block various private network ranges via denied_peer_ips for Coturn by default Inspired by: https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/ --- CHANGELOG.md | 11 +++++++ roles/custom/matrix-coturn/defaults/main.yml | 32 +++++++++++++++++++- 2 files changed, 42 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e4607148c..b32958ca5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
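Review bot: The new `matrix_coturn_no_tcp_relay_enabled` comment mirrors the multicast one and omits the consequence of turning it off: without `no-tcp-relay` Coturn will also relay to TCP peers (RFC 6062 allocations), which widens what the deny list has to cover. Suggest `# Controls whether no-tcp-relay is added to the configuration. Disabling it lets Coturn relay TCP connections to peers; only do so if a client of yours needs TURN-TCP relaying.` In the template hunk the new conditional keeps `no-tcp-relay` emitted by default, so existing deployments are unchanged, which is good.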
@@ -1,3 +1,14 @@ +# 2023-01-26 + +## (Backward Compatibility) Tightening Coturn security can lead to connectivity issues + +**TLDR**: users who run and access their Matrix server on a private network (likely a small minority of users) may experience connectivity issues with our new default Coturn blocklists. They may need to override `matrix_coturn_denied_peer_ips` and remove some IP ranges from it. + +Inspired by [this security article](https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/), we've decided to make use of Coturn's `denied-peer-ip` functionality to prevent relaying network traffic to certain private IP subnets. This ensures that your Coturn server won't accidentally try to forward traffic to certain services running on your local networks. We run Coturn in a container and in a private container network by default, which should prevent such access anyway, but having additional block layers in place is better. + +If you access your Matrix server from a local network and need Coturn to relay to private IP addresses, you may observe that relaying is now blocked due to our new default `denied-peer-ip` lists (specified in `matrix_coturn_denied_peer_ips`). If you experience such connectivity problems, consider overriding this setting in your `vars.yml` file and removing certain networks from it. + + # 2023-01-21 ## The matrix-prometheus-node-exporter role lives independently now diff --git a/roles/custom/matrix-coturn/defaults/main.yml b/roles/custom/matrix-coturn/defaults/main.yml index 71c97b254..223d0d04e 100644 --- a/roles/custom/matrix-coturn/defaults/main.yml +++ b/roles/custom/matrix-coturn/defaults/main.yml 
@@ -69,7 +69,37 @@ matrix_coturn_turn_external_ip_address: '' matrix_coturn_turn_external_ip_addresses: ["{{ matrix_coturn_turn_external_ip_address }}"] matrix_coturn_allowed_peer_ips: [] -matrix_coturn_denied_peer_ips: [] + +# We block loopback interfaces and private networks by default to prevent private resources from being accessible. +# This is especially important when Coturn does not run within a container network (e.g. `matrix_coturn_docker_network: host`). +# +# Learn more: https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/ +# +# If you're running Coturn for local network peers, you may wish to override these rules. +matrix_coturn_denied_peer_ips: + - 0.0.0.0-0.255.255.255 + - 10.0.0.0-10.255.255.255 + - 100.64.0.0-100.127.255.255 + - 127.0.0.0-127.255.255.255 + - 169.254.0.0-169.254.255.255 + - 172.16.0.0-172.31.255.255 + - 192.0.0.0-192.0.0.255 + - 192.0.2.0-192.0.2.255 + - 192.88.99.0-192.88.99.255 + - 192.168.0.0-192.168.255.255 + - 198.18.0.0-198.19.255.255 + - 198.51.100.0-198.51.100.255 + - 203.0.113.0-203.0.113.255 + - 240.0.0.0-255.255.255.255 + - ::1 + - 64:ff9b::-64:ff9b::ffff:ffff + - ::ffff:0.0.0.0-::ffff:255.255.255.255 + - 100::-100::ffff:ffff:ffff:ffff + - 2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff + - 2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff + - fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + - fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff + matrix_coturn_user_quota: null matrix_coturn_total_quota: null From aafa8f019cbc3535cc90eb285e5126ccaf415aa4 Mon Sep 17 00:00:00 2001 
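Review bot: Overriding `matrix_coturn_denied_peer_ips` in vars.yml replaces the whole list (Ansible does not merge list defaults), and the comment block above the new default does not say so; an operator who needs one private range back will most likely drop all the others. Suggest adding `# Overriding this variable replaces the entire list; copy it and remove only the ranges you need.` Two more things the comment should mention: entries in `matrix_coturn_allowed_peer_ips` are, as far as I recall Coturn's documentation, applied on top of the denied list and therefore punch holes in it (worth double-checking against the Coturn version in use), and the IPv4 multicast range and ff00::/8 are absent because `no-multicast-peers` is expected to cover them. The list blocks 0.0.0.0/8 but not the IPv6 unspecified address `::`; presumably an oversight, worth confirming.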
From: Slavi Pantaleev Date: Thu, 26 Jan 2023 17:16:20 +0200 Subject: [PATCH 285/915] Allow matrix_coturn_docker_network to be set to 'host' to use host-networking This helps large deployments which need to open up thousands of ports (matrix_coturn_turn_udp_min_port, matrix_coturn_turn_udp_min_port) On a test VM, opening 1k ports takes 17 seconds for Docker to "publish" all of these ports (setting up forwarding rules with the firewall, etc), so service startup and shutdown take a long amount of time. If host-networking is used, there's no need to open any ports at all and startup/shutdown can be quick. --- CHANGELOG.md | 16 ++++++++++++++++ roles/custom/matrix-coturn/defaults/main.yml | 15 +++++++++++---- .../custom/matrix-coturn/tasks/setup_install.yml | 3 ++- .../templates/systemd/matrix-coturn.service.j2 | 2 +- 4 files changed, 30 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b32958ca5..030fbbdb9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,21 @@ # 2023-01-26 +## Coturn can now use host-networking + +Large Coturn deployments (with a huge range of ports specified via `matrix_coturn_turn_udp_min_port` and `matrix_coturn_turn_udp_max_port`) experience a huge slowdown with how Docker publishes all these ports (setting up firewall forwarding rules), which leads to a very slow Coturn service startup and shutdown. + +Such deployments don't need to run Coturn within a private container network anymore. Coturn can now run with host-networking by using configuration like this: + +```yaml +matrix_coturn_docker_network: host +``` + +With such a configuration, Docker no longer needs to configure thousands of firewall forwarding rules each time Coturn starts and stops. +You may, however, need to allow these ports in your firewall configuration yourself. + +Thanks to us [tightening Coturn security](#backward-compatibility-tightening-coturn-security-can-lead-to-connectivity-issues), running Coturn with host-networking should be safe and not expose neither other services running on the host, nor other services running on the local network. + + ## (Backward Compatibility) Tightening Coturn security can lead to connectivity issues **TLDR**: users who run and access their Matrix server on a private network (likely a small minority of users) may experience connectivity issues with our new default Coturn blocklists. They may need to override `matrix_coturn_denied_peer_ips` and remove some IP ranges from it. diff --git a/roles/custom/matrix-coturn/defaults/main.yml b/roles/custom/matrix-coturn/defaults/main.yml index 223d0d04e..9f7ff2ba8 100644 --- a/roles/custom/matrix-coturn/defaults/main.yml +++ b/roles/custom/matrix-coturn/defaults/main.yml 
@@ -20,6 +20,13 @@ matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(' # # Setting up deny/allow rules with `matrix_coturn_allowed_peer_ips`/`matrix_coturn_denied_peer_ips` is also # possible for achieving such isolation, but is more complicated due to the dynamic nature of Docker networking. +# +# Setting `matrix_coturn_docker_network` to 'host' will run the container with host networking, +# which will drastically improve performance when thousands of ports are opened due to Docker not having to set up forwarding rules for each port. +# Running with host networking can be dangerous, as it potentially exposes your local network and its services to Coturn peers. +# Regardless of the networking mode, we apply a deny list which via `matrix_coturn_denied_peer_ips`, +# which hopefully prevents access to such private network ranges. +# When running in host-networking mode, you need to adjust the firewall yourself, so that ports are opened. matrix_coturn_docker_network: "matrix-coturn" matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn" 
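Review bot: The new comment block has a broken sentence in `# Regardless of the networking mode, we apply a deny list which via ...` — drop `which`, or reword to `# Regardless of the networking mode, we apply a deny list via matrix_coturn_denied_peer_ips,`. The same paragraph says the deny list "hopefully" prevents access to private ranges; since with `matrix_coturn_docker_network: host` the container network isolation mentioned a few lines up is gone, it would be clearer to state plainly that the deny list is then the only thing keeping Coturn peers off the host and the LAN, so it must not be emptied in that mode. The firewall sentence at the end is the actionable one and could come first.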
@@ -41,20 +48,20 @@ matrix_coturn_container_extra_arguments: [] # Controls whether the Coturn container exposes its plain STUN port (tcp/3478 and udp/3478 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:3478"), or empty string to not expose. -matrix_coturn_container_stun_plain_host_bind_port: '3478' +matrix_coturn_container_stun_plain_host_bind_port: "{{ '3478' if matrix_coturn_docker_network != 'host' else '' }}" # Controls whether the Coturn container exposes its TLS STUN port (tcp/5349 and udp/5349 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:5349"), or empty string to not expose. -matrix_coturn_container_stun_tls_host_bind_port: '5349' +matrix_coturn_container_stun_tls_host_bind_port: "{{ '5349' if matrix_coturn_docker_network != 'host' else '' }}" # Controls whether the Coturn container exposes its TURN UDP port range and which interface to do it on. # # Takes an interface "" (e.g. "127.0.0.1"), or empty string to listen on all interfaces. -# Takes a null/none value (`~`) to prevent listening. +# Takes a null/none value (`~`) or 'none' (as a string) to prevent listening. # # The UDP port-range itself is specified using `matrix_coturn_turn_udp_min_port` and `matrix_coturn_turn_udp_max_port`. -matrix_coturn_container_turn_range_listen_interface: '' +matrix_coturn_container_turn_range_listen_interface: "{{ '' if matrix_coturn_docker_network != 'host' else 'none' }}" # UDP port-range to use for TURN matrix_coturn_turn_udp_min_port: 49152 diff --git a/roles/custom/matrix-coturn/tasks/setup_install.yml b/roles/custom/matrix-coturn/tasks/setup_install.yml index ab94db27e..44325f460 100644 --- a/roles/custom/matrix-coturn/tasks/setup_install.yml +++ b/roles/custom/matrix-coturn/tasks/setup_install.yml 
@@ -62,7 +62,8 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" -- name: Ensure Coturn network is created in Docker +- when: matrix_coturn_docker_network not in ['', 'host'] + name: Ensure Coturn network is created in Docker community.docker.docker_network: name: "{{ matrix_coturn_docker_network }}" driver: bridge diff --git a/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index 3a0782bf8..8c0272cf9 100644 --- a/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2 @@ -30,7 +30,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name -p {{ matrix_coturn_container_stun_tls_host_bind_port }}:5349 \ -p {{ matrix_coturn_container_stun_tls_host_bind_port }}:5349/udp \ {% endif %} - {% if matrix_coturn_container_turn_range_listen_interface is not none %} + {% if matrix_coturn_container_turn_range_listen_interface is not in [none, 'none'] %} -p {{ matrix_coturn_container_turn_range_listen_interface }}{{ ':' if matrix_coturn_container_turn_range_listen_interface else '' }}{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \ {% endif %} --mount type=bind,src={{ matrix_coturn_config_path }},dst=/turnserver.conf,ro \ From 867737fe0b5bd9201c0d85ad3bcf3f4614823a50 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 26 Jan 2023 17:42:03 +0200 Subject: [PATCH 286/915] Upgrade Grafana (9.3.4 -> 9.3.6) --- roles/custom/matrix-grafana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-grafana/defaults/main.yml b/roles/custom/matrix-grafana/defaults/main.yml index 9920572d4..5b7304802 100644 --- a/roles/custom/matrix-grafana/defaults/main.yml 
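Review bot: In the setup_install.yml hunk the new task puts `when:` before `name:`; ansible-lint's key-order rule expects `name` first and the rest of this role presumably follows that, so `- name: Ensure Coturn network is created in Docker` followed by `  when: matrix_coturn_docker_network not in ['', 'host']` reads better. The guard also silently accepts an empty network name; if `''` is not a supported value elsewhere in the role (not visible here), `!= 'host'` states the intent more precisely. The systemd hunk's `is not in [none, 'none']` is fine; the ExecStart it belongs to starts and ends outside the hunk.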
+++ b/roles/custom/matrix-grafana/defaults/main.yml @@ -5,7 +5,7 @@ matrix_grafana_enabled: true -matrix_grafana_version: 9.3.4 +matrix_grafana_version: 9.3.6 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" From f1c9052fe530c41dcd24284765329f32029df221 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 26 Jan 2023 17:59:56 +0200 Subject: [PATCH 287/915] Make it obvious that running Coturn in host-networking mode requires manual firewall changes --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 030fbbdb9..23275a14b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,8 +10,8 @@ Such deployments don't need to run Coturn within a private container network any matrix_coturn_docker_network: host ``` -With such a configuration, Docker no longer needs to configure thousands of firewall forwarding rules each time Coturn starts and stops. -You may, however, need to allow these ports in your firewall configuration yourself. +With such a configuration, **Docker no longer needs to configure thousands of firewall forwarding rules** each time Coturn starts and stops. +This, however, means that **you will need to ensure these ports are open** in your firewall yourself. Thanks to us [tightening Coturn security](#backward-compatibility-tightening-coturn-security-can-lead-to-connectivity-issues), running Coturn with host-networking should be safe and not expose neither other services running on the host, nor other services running on the local network. From 864b64d0157f01e5240f1e6ea9de4c4215139c1d Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Thu, 26 Jan 2023 20:01:38 +0200 Subject: [PATCH 288/915] Mention the new no-multicast-peers default in Coturn config Related to 4c9f96722f3f6ed56 --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 23275a14b..edb4dba9c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -24,6 +24,8 @@ Inspired by [this security article](https://www.rtcsec.com/article/cve-2020-2626 If you access your Matrix server from a local network and need Coturn to relay to private IP addresses, you may observe that relaying is now blocked due to our new default `denied-peer-ip` lists (specified in `matrix_coturn_denied_peer_ips`). If you experience such connectivity problems, consider overriding this setting in your `vars.yml` file and removing certain networks from it. +We've also added `no-multicast-peers` to the default Coturn configuration, but we don't expect this to cause trouble for most people. + # 2023-01-21 From e43ba65dd334fb9aadc74b94e4337080751a7fe7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 27 Jan 2023 08:46:16 +0200 Subject: [PATCH 289/915] Upgrade prometheus_node_exporter (v1.5.0-0 -> v1.5.0-1) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 07cab1972..8ffa99d53 100644 --- a/requirements.yml +++ b/requirements.yml @@ -31,4 +31,4 @@ version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6 - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git - version: v1.5.0-0 + version: v1.5.0-1 From 784043cc5dd0f6fef50004d40236ece31c7a4fa2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 27 Jan 2023 08:55:38 +0200 Subject: [PATCH 290/915] Ensure OPENAI_PRO is true/false (not True/False) --- roles/custom/matrix-bot-chatgpt/templates/env.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/custom/matrix-bot-chatgpt/templates/env.j2 b/roles/custom/matrix-bot-chatgpt/templates/env.j2 index bf2dafbff..1315ddf55 100644 --- a/roles/custom/matrix-bot-chatgpt/templates/env.j2 +++ b/roles/custom/matrix-bot-chatgpt/templates/env.j2 @@ -4,7 +4,7 @@ MATRIX_ACCESS_TOKEN={{ matrix_bot_chatgpt_matrix_access_token }} OPENAI_EMAIL={{ matrix_bot_chatgpt_openai_email }} OPENAI_PASSWORD={{ matrix_bot_chatgpt_openai_password }} OPENAI_LOGIN_TYPE={{ matrix_bot_chatgpt_openai_login_type }} -OPENAI_PRO={{ matrix_bot_chatgpt_openai_pro }} +OPENAI_PRO={{ matrix_bot_chatgpt_openai_pro | to_json }} # With the @ and :DOMAIN, ie @SOMETHING:DOMAIN MATRIX_BOT_USERNAME={{ matrix_bot_chatgpt_matrix_bot_username }} From 7e1408ea65c2aaf162c887087c9ed403d615fcde Mon Sep 17 00:00:00 2001 From: bertybuttface <110790513+bertybuttface@users.noreply.github.com> Date: Fri, 27 Jan 2023 18:55:13 +0000 Subject: [PATCH 291/915] Bump ChatGPT version and add new config settings matrix_bot_chatgpt_context=thread --- roles/custom/matrix-bot-chatgpt/defaults/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-chatgpt/defaults/main.yml b/roles/custom/matrix-bot-chatgpt/defaults/main.yml index 86d185b76..3ba8ba7a9 100644 --- a/roles/custom/matrix-bot-chatgpt/defaults/main.yml +++ b/roles/custom/matrix-bot-chatgpt/defaults/main.yml 
@@ -9,7 +9,7 @@ matrix_bot_chatgpt_docker_repo: "https://github.com/matrixgpt/matrix-chatgpt-bot matrix_bot_chatgpt_docker_repo_version: "{{ 'latest' if matrix_bot_chatgpt_version == 'latest' else matrix_bot_chatgpt_version }}" matrix_bot_chatgpt_docker_src_files_path: "{{ matrix_base_data_path }}/chatgpt/docker-src" -matrix_bot_chatgpt_version: 1.3.2 +matrix_bot_chatgpt_version: 1.4.1 matrix_bot_chatgpt_docker_image: "{{ matrix_bot_chatgpt_docker_image_name_prefix }}matrixgpt/matrix-chatgpt-bot:{{ matrix_bot_chatgpt_version }}" matrix_bot_chatgpt_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_chatgpt_container_image_self_build else 'ghcr.io/' }}" matrix_bot_chatgpt_docker_image_force_pull: "{{ matrix_bot_chatgpt_docker_image.endswith(':latest') }}" @@ -33,6 +33,8 @@ matrix_bot_chatgpt_openai_password: '' # OPENAI_PASSWORD= matrix_bot_chatgpt_openai_login_type: 'google' # OPENAI_LOGIN_TYPE="google" matrix_bot_chatgpt_openai_pro: false # OPENAI_PRO +matrix_bot_chatgpt_context: 'thread' # CHATGPT_CONTEXT="thread" + # Matrix Static Settings (required, see notes) # Defaults to "https://matrix.org" matrix_bot_chatgpt_matrix_homeserver_url: "{{ matrix_homeserver_container_url }}" # MATRIX_HOMESERVER_URL= From d66a2949f6b6a3e09a50f4da45f0d832b898d205 Mon Sep 17 00:00:00 2001 From: bertybuttface <110790513+bertybuttface@users.noreply.github.com> Date: Fri, 27 Jan 2023 18:57:24 +0000 Subject: [PATCH 292/915] Update env.j2 Use matrix_bot_chatgpt_context for CHATGPT_CONTEXT --- roles/custom/matrix-bot-chatgpt/templates/env.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/custom/matrix-bot-chatgpt/templates/env.j2 b/roles/custom/matrix-bot-chatgpt/templates/env.j2 index 1315ddf55..faf6be713 100644 --- a/roles/custom/matrix-bot-chatgpt/templates/env.j2 +++ b/roles/custom/matrix-bot-chatgpt/templates/env.j2 
@@ -6,6 +6,8 @@ OPENAI_PASSWORD={{ matrix_bot_chatgpt_openai_password }} OPENAI_LOGIN_TYPE={{ matrix_bot_chatgpt_openai_login_type }} OPENAI_PRO={{ matrix_bot_chatgpt_openai_pro | to_json }} +CHATGPT_CONTEXT={{ matrix_bot_chatgpt_context }} + # With the @ and :DOMAIN, ie @SOMETHING:DOMAIN MATRIX_BOT_USERNAME={{ matrix_bot_chatgpt_matrix_bot_username }} MATRIX_BOT_PASSWORD={{ matrix_bot_chatgpt_matrix_bot_password }} From 7b5ced3037e16613f040d1044cf93a964eb3c439 Mon Sep 17 00:00:00 2001 From: bertybuttface <110790513+bertybuttface@users.noreply.github.com> Date: Fri, 27 Jan 2023 19:02:14 +0000 Subject: [PATCH 293/915] Fix linting issue. --- roles/custom/matrix-bot-chatgpt/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-chatgpt/defaults/main.yml b/roles/custom/matrix-bot-chatgpt/defaults/main.yml index 3ba8ba7a9..324e64abf 100644 --- a/roles/custom/matrix-bot-chatgpt/defaults/main.yml +++ b/roles/custom/matrix-bot-chatgpt/defaults/main.yml @@ -33,7 +33,7 @@ matrix_bot_chatgpt_openai_password: '' # OPENAI_PASSWORD= matrix_bot_chatgpt_openai_login_type: 'google' # OPENAI_LOGIN_TYPE="google" matrix_bot_chatgpt_openai_pro: false # OPENAI_PRO -matrix_bot_chatgpt_context: 'thread' # CHATGPT_CONTEXT="thread" +matrix_bot_chatgpt_context: 'thread' # CHATGPT_CONTEXT="thread" # Matrix Static Settings (required, see notes) # Defaults to "https://matrix.org" From f165aa5d481e048089cb0b367ef61036dd893643 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Sat, 28 Jan 2023 07:54:52 +0000 Subject: [PATCH 294/915] Update synapse-admin 0.8.5 -> 0.8.6 --- roles/custom/matrix-synapse-admin/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse-admin/defaults/main.yml b/roles/custom/matrix-synapse-admin/defaults/main.yml index 9f4510b6a..ae77a570a 100644 --- a/roles/custom/matrix-synapse-admin/defaults/main.yml 
+++ b/roles/custom/matrix-synapse-admin/defaults/main.yml @@ -9,7 +9,7 @@ matrix_synapse_admin_container_image_self_build_repo: "https://github.com/Awesom matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" -matrix_synapse_admin_version: 0.8.5 +matrix_synapse_admin_version: 0.8.6 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" From 6a31fba346d9da434a3d7cfd2d342658d002cc2e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 28 Jan 2023 17:04:55 +0200 Subject: [PATCH 295/915] Fix synapse-admin reverse-proxying regression caused by 0.8.6 Related to f165aa5d481e048089cb0b367ef61036dd893643 Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2424 --- .../tasks/inject_into_nginx_proxy.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/custom/matrix-synapse-admin/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-synapse-admin/tasks/inject_into_nginx_proxy.yml index 6a4af859c..b082190d9 100644 --- a/roles/custom/matrix-synapse-admin/tasks/inject_into_nginx_proxy.yml +++ b/roles/custom/matrix-synapse-admin/tasks/inject_into_nginx_proxy.yml 
@@ -24,6 +24,14 @@ {# Generic configuration for use outside of our container setup #} proxy_pass http://127.0.0.1:8766/$1; {% endif %} + + {# + Workaround synapse-admin serving all assets at /static. + See: https://github.com/Awesome-Technologies/synapse-admin/issues/322 + #} + sub_filter_once off; + sub_filter_types text/css; + sub_filter "/static/" "{{ matrix_synapse_admin_public_endpoint }}/static/"; } - name: Register Synapse Admin proxying configuration with matrix-nginx-proxy From e588c42088c6fc5f94bb14d2473074294decc3b2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 28 Jan 2023 17:09:20 +0200 Subject: [PATCH 296/915] Improve synapse-admin reverse-proxying fix Fixup for 6a31fba346d9da434a3d7cf --- .../matrix-synapse-admin/tasks/inject_into_nginx_proxy.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse-admin/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-synapse-admin/tasks/inject_into_nginx_proxy.yml index b082190d9..2c25ff476 100644 --- a/roles/custom/matrix-synapse-admin/tasks/inject_into_nginx_proxy.yml +++ b/roles/custom/matrix-synapse-admin/tasks/inject_into_nginx_proxy.yml @@ -30,8 +30,9 @@ See: https://github.com/Awesome-Technologies/synapse-admin/issues/322 #} sub_filter_once off; - sub_filter_types text/css; sub_filter "/static/" "{{ matrix_synapse_admin_public_endpoint }}/static/"; + sub_filter "/favicon.ico" "{{ matrix_synapse_admin_public_endpoint }}/favicon.ico"; + sub_filter "/manifest.json" "{{ matrix_synapse_admin_public_endpoint }}/manifest.json"; } - name: Register Synapse Admin proxying configuration with matrix-nginx-proxy From 691ef13cabd18c3f45f57ec6741a994fa62457ee Mon Sep 17 00:00:00 2001 
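Review bot: nginx's `sub_filter` only rewrites responses it receives uncompressed, so if synapse-admin (or whatever `proxy_pass` reaches) answers with gzip the new rewrites silently do nothing; the hunk shows no `proxy_set_header Accept-Encoding "";` in this location block, and one is needed unless it is already set outside the hunk. The same applies to the follow-up hunk on this line (296), which additionally drops `sub_filter_types text/css;` so that only text/html is rewritten — fine for the index page, but any `/static/` references inside CSS then stay unrewritten, which may or may not be intended. `matrix_synapse_admin_public_endpoint` is interpolated inside an nginx double-quoted string in all three rewrites; a comment such as `{# the public endpoint must not contain a double quote or nginx will fail to parse this block #}` would save someone a confusing outage. The enclosing location block starts outside the hunk.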
From: Adrien le Maire <1832823+alemairebe@users.noreply.github.com> Date: Sun, 29 Jan 2023 09:45:52 +0100 Subject: [PATCH 297/915] template metric toggle for mautrix bridges supporting it --- roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml | 3 +++ .../matrix-bridge-mautrix-facebook/templates/config.yaml.j2 | 2 +- .../custom/matrix-bridge-mautrix-instagram/defaults/main.yml | 3 +++ .../matrix-bridge-mautrix-instagram/templates/config.yaml.j2 | 2 +- roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml | 3 +++ .../matrix-bridge-mautrix-signal/templates/config.yaml.j2 | 2 +- roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml | 3 +++ .../matrix-bridge-mautrix-twitter/templates/config.yaml.j2 | 2 +- roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml | 4 ++++ .../matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 | 4 ++-- 10 files changed, 22 insertions(+), 6 deletions(-) diff --git a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml index 989720140..7863270bd 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -46,6 +46,9 @@ matrix_mautrix_facebook_homeserver_token: '' # If false, created portal rooms will never be federated. matrix_mautrix_facebook_federate_rooms: true +# Whether or not metrics endpoint should be enabled. +matrix_mautrix_facebook_metrics_enabled: false + matrix_mautrix_facebook_bridge_permissions: | {{ {matrix_mautrix_facebook_homeserver_domain: 'user'} diff --git a/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 index b8e25feeb..ce9aaea34 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 
@@ -62,7 +62,7 @@ appservice: # Prometheus telemetry config. Requires prometheus-client to be installed. metrics: - enabled: false + enabled: {{ matrix_mautrix_facebook_metrics_enabled }} listen_port: 8000 # Bridge config diff --git a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml index 0e726aa80..e9b6991bc 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml @@ -47,6 +47,9 @@ matrix_mautrix_instagram_homeserver_token: '' # If false, created portal rooms will never be federated. matrix_mautrix_instagram_federate_rooms: true +# Whether or not metrics endpoint should be enabled. +matrix_mautrix_instagram_metrics_enabled: false + # Database-related configuration fields. # # To use Postgres: diff --git a/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 index 039b9bfea..700657850 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 @@ -57,7 +57,7 @@ appservice: # Prometheus telemetry config. Requires prometheus-client to be installed. metrics: - enabled: false + enabled: {{ matrix_mautrix_instagram_metrics_enabled }} listen_port: 8000 instagram: diff --git a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml index 953d17078..fb5e49b13 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml 
@@ -70,6 +70,9 @@ matrix_mautrix_signal_logging_level: WARNING # If false, created portal rooms will never be federated. matrix_mautrix_signal_federate_rooms: true +# Whether or not metrics endpoint should be enabled. +matrix_mautrix_signal_metrics_enabled: false + # Database-related configuration fields # # This bridge only supports postgres. diff --git a/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index 796a6e41a..fbe2f4f31 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2 @@ -67,7 +67,7 @@ appservice: # Prometheus telemetry config. Requires prometheus-client to be installed. metrics: - enabled: false + enabled: {{ matrix_mautrix_signal_metrics_enabled }} listen_port: 8000 # Manhole config. diff --git a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml index 22475596a..372dd4b61 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml @@ -78,6 +78,9 @@ matrix_mautrix_twitter_appservice_bot_username: twitterbot # Specifies the default log level for all bridge loggers. matrix_mautrix_twitter_logging_level: WARNING +# Whether or not metrics endpoint should be enabled. +matrix_mautrix_twitter_metrics_enabled: false + # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # diff --git a/roles/custom/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 index da823d1eb..5b79a073e 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 
@@ -65,7 +65,7 @@ appservice: # Prometheus telemetry config. Requires prometheus-client to be installed. metrics: - enabled: false + enabled: {{ matrix_mautrix_twitter_metrics_enabled }} listen_port: 8000 # Bridge config diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 449ace05f..91e27dc01 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -47,6 +47,10 @@ matrix_mautrix_whatsapp_logging_level: 'warn' # If false, created portal rooms will never be federated. matrix_mautrix_whatsapp_federate_rooms: true +# Whether or not metrics endpoint should be enabled. +matrix_mautrix_whatsapp_metrics_enabled: false + + # Database-related configuration fields. # # To use SQLite, stick to these defaults. diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 index 0962ac4dd..1c6b59d4d 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 @@ -67,9 +67,9 @@ segment_key: null # Prometheus config. metrics: # Enable prometheus metrics? - enabled: false + enabled: {{ matrix_mautrix_whatsapp_metrics_enabled }} # IP and port where the metrics listener should be. The path is always /metrics - listen: 127.0.0.1:8001 + listen: 0.0.0.0:8001 # Config for things that are directly sent to WhatsApp. whatsapp: From 9eaf6944e3c6d8ea8f1094dc515713053e190573 Mon Sep 17 00:00:00 2001 
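Review bot: Changing the whatsapp metrics listener from `127.0.0.1:8001` to `0.0.0.0:8001` makes the unauthenticated `/metrics` endpoint reachable from every container sharing the bridge's network, not only from matrix-nginx-proxy, and the template gives no hint why the wider bind is needed or what must not be done with the port. Add a why-comment above the directive, e.g. `# Bind on all container interfaces so matrix-nginx-proxy can reach the scrape endpoint over the Docker network; do not publish this port on the host.` The listener is presumably only started when `enabled` is true, so the widened bind should be harmless while metrics stay disabled, but that is inferred rather than visible here.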
From: Adrien le Maire <1832823+alemairebe@users.noreply.github.com> Date: Sun, 29 Jan 2023 15:13:42 +0100 Subject: [PATCH 298/915] add nginx proxy connfig for mautrix metrics --- .../tasks/inject_into_nginx_proxy.yml | 25 ++++++++++++++ .../tasks/inject_into_nginx_proxy.yml | 33 +++++++++++++++++++ .../tasks/main.yml | 9 +++++ .../tasks/inject_into_nginx_proxy.yml | 33 +++++++++++++++++++ .../tasks/main.yml | 9 +++++ .../tasks/inject_into_nginx_proxy.yml | 33 +++++++++++++++++++ .../tasks/main.yml | 9 +++++ .../defaults/main.yml | 1 - .../tasks/inject_into_nginx_proxy.yml | 33 +++++++++++++++++++ .../tasks/main.yml | 9 +++++ 10 files changed, 193 insertions(+), 1 deletion(-) create mode 100644 roles/custom/matrix-bridge-mautrix-instagram/tasks/inject_into_nginx_proxy.yml create mode 100644 roles/custom/matrix-bridge-mautrix-signal/tasks/inject_into_nginx_proxy.yml create mode 100644 roles/custom/matrix-bridge-mautrix-twitter/tasks/inject_into_nginx_proxy.yml create mode 100644 roles/custom/matrix-bridge-mautrix-whatsapp/tasks/inject_into_nginx_proxy.yml diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/inject_into_nginx_proxy.yml index b9f95cb7d..db4d906f0 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/inject_into_nginx_proxy.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/inject_into_nginx_proxy.yml 
@@ -42,3 +42,28 @@ URL endpoint to the matrix-mautrix-facebook container. You can expose the container's port using the `matrix_mautrix_facebook_container_http_host_bind_port` variable. when: "not matrix_nginx_proxy_enabled | default(False) | bool" + +- name: Generate mautrix-facebook metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-facebook) + ansible.builtin.set_fact: + matrix_mautrix_facebook_nginx_metrics_configuration_block: | + location /metrics/mautrix-facebook { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mautrix-facebook:8000"; + proxy_pass http://$backend/metrics; + {% else %} + return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; + {% endif %} + } + when: matrix_mautrix_facebook_metrics_enabled | bool + +- name: Register mautrix-facebook metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-facebook) + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) + + + [matrix_mautrix_facebook_nginx_metrics_configuration_block] + }} + when: matrix_mautrix_facebook_metrics_enabled | bool diff --git a/roles/custom/matrix-bridge-mautrix-instagram/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-mautrix-instagram/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..90d91c6d4 --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-instagram/tasks/inject_into_nginx_proxy.yml 
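Review bot: `location /metrics/mautrix-facebook {` is a prefix match, and because `proxy_pass http://$backend/metrics;` uses a variable with a URI, nginx forwards the literal `/metrics` for every request under that prefix, so `/metrics/mautrix-facebook-anything` is silently served the same scrape output. An exact-match location avoids both the accidental shadowing and the prefix rewrite: `location = /metrics/mautrix-facebook {`. The same location shape is copied into the instagram, signal, twitter and whatsapp inject files in this patch.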
@@ -0,0 +1,33 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append mautrix-whatapp-metrics's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-instagram role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- name: Generate mautrix-instagram metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-instagram) + ansible.builtin.set_fact: + matrix_mautrix_instagram_nginx_metrics_configuration_block: | + location /metrics/mautrix-instagram { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mautrix-instagram:8000"; + proxy_pass http://$backend/metrics; + {% else %} + return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; + {% endif %} + } + +- name: Register mautrix-instagram metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-instagram) + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) + + + [matrix_mautrix_instagram_nginx_metrics_configuration_block] + }} diff --git a/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml index 2bd0417ee..0b3a722df 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml 
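Review bot: The new fail task's message reads `Trying to append mautrix-whatapp-metrics's reverse-proxying configuration`, which is a copy-paste from the whatsapp role (and misspells it), so the operator is told the wrong bridge is misordered even though the last line correctly names `matrix-bridge-mautrix-instagram`. Change it to `Trying to append mautrix-instagram's metrics reverse-proxying configuration to matrix-nginx-proxy,`. The signal and twitter inject files created in this patch carry the same message and need the matching fix.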
@@ -1,5 +1,14 @@ --- +- block: + - when: matrix_mautrix_instagram_enabled | bool and matrix_mautrix_instagram_metrics_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" + tags: + - setup-all + - setup-nginx-proxy + - install-all + - install-nginx-proxy + - block: - when: matrix_mautrix_instagram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" diff --git a/roles/custom/matrix-bridge-mautrix-signal/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-mautrix-signal/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..4bb6f6bd2 --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-signal/tasks/inject_into_nginx_proxy.yml 
@@ -0,0 +1,33 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append mautrix-whatapp-metrics's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-signal role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- name: Generate mautrix-signal metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-signal) + ansible.builtin.set_fact: + matrix_mautrix_signal_nginx_metrics_configuration_block: | + location /metrics/mautrix-signal { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mautrix-signal:8000"; + proxy_pass http://$backend/metrics; + {% else %} + return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; + {% endif %} + } + +- name: Register mautrix-signal metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-signal) + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) + + + [matrix_mautrix_signal_nginx_metrics_configuration_block] + }} diff --git a/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml index 0c0a1239f..9473344b9 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml 
@@ -1,5 +1,14 @@ --- +- block: + - when: matrix_mautrix_signal_enabled | bool and matrix_mautrix_signal_metrics_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" + tags: + - setup-all + - setup-nginx-proxy + - install-all + - install-nginx-proxy + - block: - when: matrix_mautrix_signal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" diff --git a/roles/custom/matrix-bridge-mautrix-twitter/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-mautrix-twitter/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..df296dc67 --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-twitter/tasks/inject_into_nginx_proxy.yml 
@@ -0,0 +1,33 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append mautrix-whatapp-metrics's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-twitter role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- name: Generate mautrix-twitter metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-twitter) + ansible.builtin.set_fact: + matrix_mautrix_twitter_nginx_metrics_configuration_block: | + location /metrics/mautrix-twitter { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mautrix-twitter:8000"; + proxy_pass http://$backend/metrics; + {% else %} + return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; + {% endif %} + } + +- name: Register mautrix-twitter metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-twitter) + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) + + + [matrix_mautrix_twitter_nginx_metrics_configuration_block] + }} diff --git a/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml index f8dbc28be..9eb444a76 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml 
@@ -1,5 +1,14 @@ --- +- block: + - when: matrix_mautrix_twitter_enabled | bool and matrix_mautrix_twitter_metrics_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" + tags: + - setup-all + - setup-nginx-proxy + - install-all + - install-nginx-proxy + - block: - when: matrix_mautrix_twitter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 91e27dc01..6e85599ae 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -50,7 +50,6 @@ matrix_mautrix_whatsapp_federate_rooms: true # Whether or not metrics endpoint should be enabled. matrix_mautrix_whatsapp_metrics_enabled: false - # Database-related configuration fields. # # To use SQLite, stick to these defaults. diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..e3fc3d162 --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/inject_into_nginx_proxy.yml 
@@ -0,0 +1,33 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append mautrix-whatapp-metrics's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-whatsapp role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- name: Generate mautrix-whatsapp metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-whatsapp) + ansible.builtin.set_fact: + matrix_mautrix_whatsapp_nginx_metrics_configuration_block: | + location /metrics/mautrix-whatsapp { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mautrix-whatsapp:8001"; + proxy_pass http://$backend/metrics; + {% else %} + return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; + {% endif %} + } + +- name: Register mautrix-whatsapp metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-whatsapp) + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) + + + [matrix_mautrix_whatsapp_nginx_metrics_configuration_block] + }} diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml index fdb654315..b49a13003 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml 
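Review bot: The fail message `Trying to append mautrix-whatapp-metrics's reverse-proxying configuration` misspells the bridge name; it should read `Trying to append mautrix-whatsapp's metrics reverse-proxying configuration to matrix-nginx-proxy,`. The backend `matrix-mautrix-whatsapp:8001` correctly matches the `listen: 0.0.0.0:8001` set in the previous patch, but the two values live in separate files with no comment tying them together; a short `{# must match metrics.listen in config.yaml.j2 #}` above `set $backend` would keep them from drifting apart.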
@@ -1,5 +1,14 @@ --- +- block: + - when: matrix_mautrix_whatsapp_enabled | bool and matrix_mautrix_whatsapp_metrics_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" + tags: + - setup-all + - setup-nginx-proxy + - install-all + - install-nginx-proxy + - block: - when: matrix_mautrix_whatsapp_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" From 111303208a94131e285bbeda43befde2bdfc41df Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Sun, 29 Jan 2023 18:11:33 +0000 Subject: [PATCH 299/915] Update mautrix-discord latest -> 0.1.0 --- roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml index a66d5c6ad..0211f8f3e 100644 --- a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mautrix_discord_container_image_self_build: false matrix_mautrix_discord_container_image_self_build_repo: "https://mau.dev/mautrix/discord.git" matrix_mautrix_discord_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_discord_version == 'latest' else matrix_mautrix_discord_version }}" -matrix_mautrix_discord_version: latest +matrix_mautrix_discord_version: v0.1.0 # See: https://mau.dev/mautrix/discord/container_registry matrix_mautrix_discord_docker_image: "{{ matrix_mautrix_discord_docker_image_name_prefix }}mautrix/discord:{{ matrix_mautrix_discord_version }}" matrix_mautrix_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_discord_container_image_self_build else 'dock.mau.dev/' }}" From a9a17d803e2436b64b95ba5c70029b37a9e957f1 Mon Sep 17 00:00:00 2001 
From: Aine <97398200+etkecc@users.noreply.github.com> Date: Sun, 29 Jan 2023 18:12:26 +0000 Subject: [PATCH 300/915] Update maubot 0.3.1 -> 0.4.0 --- roles/custom/matrix-bot-maubot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-maubot/defaults/main.yml b/roles/custom/matrix-bot-maubot/defaults/main.yml index 525b5e9e1..caee9b132 100644 --- a/roles/custom/matrix-bot-maubot/defaults/main.yml +++ b/roles/custom/matrix-bot-maubot/defaults/main.yml @@ -10,7 +10,7 @@ matrix_bot_maubot_docker_src_files_path: "{{ matrix_bot_maubot_base_path }}/dock matrix_bot_maubot_docker_repo_version: "{{ 'master' if matrix_bot_maubot_version == 'latest' else matrix_bot_maubot_version }}" -matrix_bot_maubot_version: v0.3.1 +matrix_bot_maubot_version: v0.4.0 matrix_bot_maubot_docker_image: "{{ matrix_bot_maubot_docker_image_name_prefix }}maubot/maubot:{{ matrix_bot_maubot_version }}" matrix_bot_maubot_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_maubot_container_image_self_build else 'dock.mau.dev/' }}" matrix_bot_maubot_docker_image_force_pull: "{{ matrix_bot_maubot_docker_image.endswith(':latest') }}" From 4f69b22a6ec72b06e004f33936c21945dad3b2ae Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Sun, 29 Jan 2023 18:14:41 +0000 Subject: [PATCH 301/915] Update borgmatic 1.7.5 -> 1.7.6 --- roles/custom/matrix-backup-borg/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-backup-borg/defaults/main.yml b/roles/custom/matrix-backup-borg/defaults/main.yml index b8796c92d..ad5a02811 100644 --- a/roles/custom/matrix-backup-borg/defaults/main.yml +++ b/roles/custom/matrix-backup-borg/defaults/main.yml 
@@ -15,7 +15,7 @@ matrix_backup_borg_docker_src_files_path: "{{ matrix_backup_borg_base_path }}/do matrix_backup_borg_version: "" matrix_backup_borg_postgres_version: "" matrix_backup_borg_borg_version: 1.2.3 -matrix_backup_borg_borgmatic_version: 1.7.5 +matrix_backup_borg_borgmatic_version: 1.7.6 matrix_backup_borg_docker_image: "{{ matrix_backup_borg_docker_image_name_prefix }}etke.cc/borgmatic:{{ matrix_backup_borg_version }}" matrix_backup_borg_docker_image_name_prefix: "{{ 'localhost/' if matrix_backup_borg_container_image_self_build else 'registry.gitlab.com/' }}" matrix_backup_borg_docker_image_force_pull: "{{ matrix_backup_borg_docker_image.endswith(':latest') or matrix_backup_borg_version | default('') == '' }}" From df9931f719e3e8252a2c399ba9062d0ec952371f Mon Sep 17 00:00:00 2001 From: Shaleen Jain Date: Mon, 30 Jan 2023 04:45:31 +0000 Subject: [PATCH 302/915] mautrix-slack: add team name in channel name template --- .../custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2 index 1c7a1dff0..5c60c66f4 100644 --- a/roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2 @@ -79,7 +79,7 @@ bridge: # TODO: document variables displayname_template: "{{ '{{.RealName}} (S)' }}" bot_displayname_template: "{{ '{{.Name}} (bot)' }}" - channel_name_template: "{{ '#{{.Name}}' }}" + channel_name_template: "{{ '#{{.Name}} ({{.TeamName}})' }}" portal_message_buffer: 128 From d82d0ad84bb4cf63bb0bb04fa769d57d0f831eb5 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Mon, 30 Jan 2023 08:50:57 +0200 Subject: [PATCH 303/915] Add _metrics_proxying_enabled variables to mautrix bridges Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2427 `metrics_enabled` should only expose the metrics locally, on the container network, so that a local Prometheus can consume them. Exposing them publicly should be done via a separate toggle (`metrics_proxying_enabled`). This is how all other roles work, so this makes these mautrix roles consistent with the rest. --- .../defaults/main.yml | 7 +++ .../tasks/inject_into_nginx_proxy.yml | 46 +++++++++---------- .../defaults/main.yml | 7 +++ .../tasks/inject_into_nginx_proxy.yml | 44 +++++++++--------- .../defaults/main.yml | 7 +++ .../tasks/inject_into_nginx_proxy.yml | 44 +++++++++--------- .../defaults/main.yml | 7 +++ .../tasks/inject_into_nginx_proxy.yml | 44 +++++++++--------- .../defaults/main.yml | 7 +++ .../tasks/inject_into_nginx_proxy.yml | 44 +++++++++--------- 10 files changed, 150 insertions(+), 107 deletions(-) diff --git a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml index 7863270bd..8c19139a7 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml 
@@ -47,8 +47,15 @@ matrix_mautrix_facebook_homeserver_token: '' matrix_mautrix_facebook_federate_rooms: true # Whether or not metrics endpoint should be enabled. +# Enabling them is usually enough for a local (in-container) Prometheus to consume them. +# If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_mautrix_facebook_metrics_proxying_enabled`. matrix_mautrix_facebook_metrics_enabled: false +# Controls whether metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/mautrix-facebook`. +# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`. +# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. +matrix_mautrix_facebook_metrics_proxying_enabled: false + matrix_mautrix_facebook_bridge_permissions: | {{ {matrix_mautrix_facebook_homeserver_domain: 'user'} diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/inject_into_nginx_proxy.yml index db4d906f0..17e2b138d 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/inject_into_nginx_proxy.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/inject_into_nginx_proxy.yml 
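Review bot: The new comment `# This will only work take effect if ...` is garbled; it should read `# This will only take effect if \`matrix_nginx_proxy_proxy_matrix_metrics_enabled: true\`.` The commit message frames this toggle as the public-exposure switch, so the defaults comment should also warn that the proxied path is unauthenticated bridge telemetry unless the matrix-nginx-proxy metrics location is protected, e.g. `# The proxied endpoint is unauthenticated; pair this with whatever access control the matrix-nginx-proxy metrics location offers.` — that the proxy role offers such protection is inferred, not visible here. The identical comment text is copied into the instagram and signal defaults hunks further down this patch.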
@@ -43,27 +43,27 @@ You can expose the container's port using the `matrix_mautrix_facebook_container_http_host_bind_port` variable. when: "not matrix_nginx_proxy_enabled | default(False) | bool" -- name: Generate mautrix-facebook metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-facebook) - ansible.builtin.set_fact: - matrix_mautrix_facebook_nginx_metrics_configuration_block: | - location /metrics/mautrix-facebook { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-mautrix-facebook:8000"; - proxy_pass http://$backend/metrics; - {% else %} - return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; - {% endif %} - } - when: matrix_mautrix_facebook_metrics_enabled | bool +- when: matrix_mautrix_facebook_metrics_proxying_enabled | bool + block: + - name: Generate mautrix-facebook metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-facebook) + ansible.builtin.set_fact: + matrix_mautrix_facebook_nginx_metrics_configuration_block: | + location /metrics/mautrix-facebook { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mautrix-facebook:8000"; + proxy_pass http://$backend/metrics; + {% else %} + return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; + {% endif %} + } -- name: Register mautrix-facebook metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-facebook) - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | - {{ - 
matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) - + - [matrix_mautrix_facebook_nginx_metrics_configuration_block] - }} - when: matrix_mautrix_facebook_metrics_enabled | bool + - name: Register mautrix-facebook metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-facebook) + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) + + + [matrix_mautrix_facebook_nginx_metrics_configuration_block] + }} diff --git a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml index e9b6991bc..80d591629 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml @@ -48,8 +48,15 @@ matrix_mautrix_instagram_homeserver_token: '' matrix_mautrix_instagram_federate_rooms: true # Whether or not metrics endpoint should be enabled. +# Enabling them is usually enough for a local (in-container) Prometheus to consume them. +# If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_mautrix_instagram_metrics_proxying_enabled`. matrix_mautrix_instagram_metrics_enabled: false +# Controls whether metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/mautrix-instagram`. +# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`. +# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. +matrix_mautrix_instagram_metrics_proxying_enabled: false + # Database-related configuration fields. # # To use Postgres: 
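Review bot: The block is now gated only on `matrix_mautrix_facebook_metrics_proxying_enabled`, so setting it without `matrix_mautrix_facebook_metrics_enabled` registers an nginx location that proxies to a port the bridge never opens, yielding 502s instead of a configuration error. For the other bridges the include in `tasks/main.yml` (added in the previous patch) is still conditioned on `metrics_enabled`, but the facebook inject file pre-existed and its include is not visible here, so the same protection cannot be assumed. Either gate on both, `- when: matrix_mautrix_facebook_metrics_enabled | bool and matrix_mautrix_facebook_metrics_proxying_enabled | bool`, or add an assertion in validate_config that proxying implies metrics being enabled.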
diff --git a/roles/custom/matrix-bridge-mautrix-instagram/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-mautrix-instagram/tasks/inject_into_nginx_proxy.yml index 90d91c6d4..99a36c141 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/tasks/inject_into_nginx_proxy.yml +++ b/roles/custom/matrix-bridge-mautrix-instagram/tasks/inject_into_nginx_proxy.yml 
@@ -9,25 +9,27 @@ so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-instagram role. when: matrix_nginx_proxy_role_executed | default(False) | bool -- name: Generate mautrix-instagram metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-instagram) - ansible.builtin.set_fact: - matrix_mautrix_instagram_nginx_metrics_configuration_block: | - location /metrics/mautrix-instagram { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-mautrix-instagram:8000"; - proxy_pass http://$backend/metrics; - {% else %} - return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; - {% endif %} - } +- when: matrix_mautrix_instagram_metrics_proxying_enabled | bool + block: + - name: Generate mautrix-instagram metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-instagram) + ansible.builtin.set_fact: + matrix_mautrix_instagram_nginx_metrics_configuration_block: | + location /metrics/mautrix-instagram { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mautrix-instagram:8000"; + proxy_pass http://$backend/metrics; + {% else %} + return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; + {% endif %} + } -- name: Register mautrix-instagram metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-instagram) - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) - + - 
[matrix_mautrix_instagram_nginx_metrics_configuration_block] - }} + - name: Register mautrix-instagram metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-instagram) + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) + + + [matrix_mautrix_instagram_nginx_metrics_configuration_block] + }} diff --git a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml index fb5e49b13..8cd285cac 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml @@ -71,8 +71,15 @@ matrix_mautrix_signal_logging_level: WARNING matrix_mautrix_signal_federate_rooms: true # Whether or not metrics endpoint should be enabled. +# Enabling them is usually enough for a local (in-container) Prometheus to consume them. +# If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_mautrix_signal_metrics_proxying_enabled`. matrix_mautrix_signal_metrics_enabled: false +# Controls whether metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/mautrix-signal`. +# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`. +# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. +matrix_mautrix_signal_metrics_proxying_enabled: false + # Database-related configuration fields # # This bridge only supports postgres. diff --git a/roles/custom/matrix-bridge-mautrix-signal/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-mautrix-signal/tasks/inject_into_nginx_proxy.yml index 4bb6f6bd2..fe85254bd 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/tasks/inject_into_nginx_proxy.yml 
+++ b/roles/custom/matrix-bridge-mautrix-signal/tasks/inject_into_nginx_proxy.yml 
@@ -9,25 +9,27 @@ so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-signal role. when: matrix_nginx_proxy_role_executed | default(False) | bool -- name: Generate mautrix-signal metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-signal) - ansible.builtin.set_fact: - matrix_mautrix_signal_nginx_metrics_configuration_block: | - location /metrics/mautrix-signal { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-mautrix-signal:8000"; - proxy_pass http://$backend/metrics; - {% else %} - return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; - {% endif %} - } +- when: matrix_mautrix_signal_metrics_proxying_enabled | bool + block: + - name: Generate mautrix-signal metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-signal) + ansible.builtin.set_fact: + matrix_mautrix_signal_nginx_metrics_configuration_block: | + location /metrics/mautrix-signal { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mautrix-signal:8000"; + proxy_pass http://$backend/metrics; + {% else %} + return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; + {% endif %} + } -- name: Register mautrix-signal metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-signal) - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) - + - [matrix_mautrix_signal_nginx_metrics_configuration_block] - }} + - name: Register 
mautrix-signal metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-signal) + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) + + + [matrix_mautrix_signal_nginx_metrics_configuration_block] + }} diff --git a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml index 372dd4b61..8f38bb004 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml @@ -79,8 +79,15 @@ matrix_mautrix_twitter_appservice_bot_username: twitterbot matrix_mautrix_twitter_logging_level: WARNING # Whether or not metrics endpoint should be enabled. +# Enabling them is usually enough for a local (in-container) Prometheus to consume them. +# If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_mautrix_twitter_metrics_proxying_enabled`. matrix_mautrix_twitter_metrics_enabled: false +# Controls whether metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/mautrix-twitter`. +# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`. +# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. +matrix_mautrix_twitter_metrics_proxying_enabled: false + # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # diff --git a/roles/custom/matrix-bridge-mautrix-twitter/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-mautrix-twitter/tasks/inject_into_nginx_proxy.yml index df296dc67..2efad7cdf 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/tasks/inject_into_nginx_proxy.yml 
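Review bot: The new `when: matrix_mautrix_signal_metrics_proxying_enabled | bool` on the block checks only the proxying flag, so with `matrix_mautrix_signal_metrics_enabled: false` the generated `location /metrics/mautrix-signal` still proxies to `matrix-mautrix-signal:8000` where nothing listens, and every scrape ends in a backend error rather than a clear configuration failure. Rejecting that combination at validation time (sketched below, placed wherever this role validates its config) would surface the mistake at deploy time; the mautrix-twitter (port 8000) and mautrix-whatsapp (port 8001) inject hunks have the same gap. The `location` block itself carries no access-control directives, so what keeps bridge metrics from being world-readable on `matrix.DOMAIN` is presumably whatever `matrix-nginx-proxy` applies to `/metrics` — worth confirming before pointing external-Prometheus users at this flag. The `fail` task whose `when:` opens this hunk starts outside it.

```yaml
# … unchanged: existing validation / fail tasks …
- name: Fail if mautrix-signal metrics proxying is enabled without the metrics endpoint
  ansible.builtin.fail:
    msg: "matrix_mautrix_signal_metrics_proxying_enabled requires matrix_mautrix_signal_metrics_enabled to be true"
  when: matrix_mautrix_signal_metrics_proxying_enabled | bool and not (matrix_mautrix_signal_metrics_enabled | bool)
```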
+++ b/roles/custom/matrix-bridge-mautrix-twitter/tasks/inject_into_nginx_proxy.yml 
@@ -9,25 +9,27 @@ so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-twitter role. when: matrix_nginx_proxy_role_executed | default(False) | bool -- name: Generate mautrix-twitter metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-twitter) - ansible.builtin.set_fact: - matrix_mautrix_twitter_nginx_metrics_configuration_block: | - location /metrics/mautrix-twitter { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-mautrix-twitter:8000"; - proxy_pass http://$backend/metrics; - {% else %} - return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; - {% endif %} - } +- when: matrix_mautrix_twitter_metrics_proxying_enabled | bool + block: + - name: Generate mautrix-twitter metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-twitter) + ansible.builtin.set_fact: + matrix_mautrix_twitter_nginx_metrics_configuration_block: | + location /metrics/mautrix-twitter { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mautrix-twitter:8000"; + proxy_pass http://$backend/metrics; + {% else %} + return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; + {% endif %} + } -- name: Register mautrix-twitter metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-twitter) - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) - + - [matrix_mautrix_twitter_nginx_metrics_configuration_block] - }} + - 
name: Register mautrix-twitter metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-twitter) + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) + + + [matrix_mautrix_twitter_nginx_metrics_configuration_block] + }} diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 6e85599ae..dd628162d 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -48,8 +48,15 @@ matrix_mautrix_whatsapp_logging_level: 'warn' matrix_mautrix_whatsapp_federate_rooms: true # Whether or not metrics endpoint should be enabled. +# Enabling them is usually enough for a local (in-container) Prometheus to consume them. +# If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_mautrix_whatsapp_metrics_proxying_enabled`. matrix_mautrix_whatsapp_metrics_enabled: false +# Controls whether metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/mautrix-whatsapp`. +# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`. +# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. +matrix_mautrix_whatsapp_metrics_proxying_enabled: false + # Database-related configuration fields. # # To use SQLite, stick to these defaults. diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/inject_into_nginx_proxy.yml index e3fc3d162..03113dcc5 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/inject_into_nginx_proxy.yml 
+++ b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/inject_into_nginx_proxy.yml 
@@ -9,25 +9,27 @@ so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-whatsapp role. when: matrix_nginx_proxy_role_executed | default(False) | bool -- name: Generate mautrix-whatsapp metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-whatsapp) - ansible.builtin.set_fact: - matrix_mautrix_whatsapp_nginx_metrics_configuration_block: | - location /metrics/mautrix-whatsapp { - {% if matrix_nginx_proxy_enabled | default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-mautrix-whatsapp:8001"; - proxy_pass http://$backend/metrics; - {% else %} - return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; - {% endif %} - } +- when: matrix_mautrix_whatsapp_metrics_proxying_enabled | bool + block: + - name: Generate mautrix-whatsapp metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-whatsapp) + ansible.builtin.set_fact: + matrix_mautrix_whatsapp_nginx_metrics_configuration_block: | + location /metrics/mautrix-whatsapp { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mautrix-whatsapp:8001"; + proxy_pass http://$backend/metrics; + {% else %} + return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; + {% endif %} + } -- name: Register mautrix-whatsapp metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-whatsapp) - ansible.builtin.set_fact: - matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) - + - 
[matrix_mautrix_whatsapp_nginx_metrics_configuration_block] - }} + - name: Register mautrix-whatsapp metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-whatsapp) + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) + + + [matrix_mautrix_whatsapp_nginx_metrics_configuration_block] + }} From d7c0239e40f8a6b0bec1266055cf02dcca29d98f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 30 Jan 2023 08:53:28 +0200 Subject: [PATCH 304/915] Enable metrics endpoint for mautrix bridges by default when Prometheus is enabled Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2427 This just enables the endpoint, which is somewhat helpful, but not really enough to scrape them. Ideally, we'd be injecting these targets into the Prometheus scrape config too. For now, registering targets with Prometheus is very manual (`matrix_prometheus_scraper_postgres_enabled`, `matrix_prometheus_scraper_hookshot_enabled`, ..). This should be redone - e.g. a new `matrix_prometheus_scrape_config_jobs_auto` variable, which is dynamically built in `group_vars/matrix_servers`. --- group_vars/matrix_servers | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 70abde3af..2a8b24430 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -807,6 +807,12 @@ matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_pro matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}" +# People using an external Prometheus server will need to toggle all of these to be able to consume metrics remotely: +# - `matrix_mautrix_facebook_metrics_enabled` +# - `matrix_mautrix_facebook_proxying_metrics_enabled` +# - `matrix_nginx_proxy_proxy_matrix_metrics_enabled` +matrix_mautrix_facebook_metrics_enabled: "{{ matrix_prometheus_enabled }}" + # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. matrix_mautrix_facebook_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" @@ -934,6 +940,12 @@ matrix_mautrix_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_pr matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}" +# People using an external Prometheus server will need to toggle all of these to be able to consume metrics remotely: +# - `matrix_mautrix_instagram_metrics_enabled` +# - `matrix_mautrix_instagram_proxying_metrics_enabled` +# - `matrix_nginx_proxy_proxy_matrix_metrics_enabled` +matrix_mautrix_instagram_metrics_enabled: "{{ matrix_prometheus_enabled }}" + # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. matrix_mautrix_instagram_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" 
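Review bot: The added comment lists `matrix_mautrix_facebook_proxying_metrics_enabled` as one of the flags to toggle, but the bridge roles define the flag as `matrix_mautrix_<bridge>_metrics_proxying_enabled` (see `matrix_mautrix_signal_metrics_proxying_enabled: false` and the twitter/whatsapp equivalents added earlier in this series; facebook presumably follows the same pattern), so anyone copying the name from this comment sets a variable that nothing reads and gets no metrics exposed. The line should read `# - \`matrix_mautrix_facebook_metrics_proxying_enabled\``. The same word-order slip is repeated in the instagram hunk below and in both hunks of the next line.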
@@ -979,6 +991,12 @@ matrix_mautrix_signal_appservice_token: "{{ '%s' | format(matrix_homeserver_gene matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" +# People using an external Prometheus server will need to toggle all of these to be able to consume metrics remotely: +# - `matrix_mautrix_signal_metrics_enabled` +# - `matrix_mautrix_signal_proxying_metrics_enabled` +# - `matrix_nginx_proxy_proxy_matrix_metrics_enabled` +matrix_mautrix_signal_metrics_enabled: "{{ matrix_prometheus_enabled }}" + matrix_mautrix_signal_database_engine: 'postgres' matrix_mautrix_signal_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_mautrix_signal_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.signal.db', rounds=655555) | to_uuid }}" @@ -1103,6 +1121,12 @@ matrix_mautrix_whatsapp_homeserver_token: "{{ '%s' | format(matrix_homeserver_ge matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" +# People using an external Prometheus server will need to toggle all of these to be able to consume metrics remotely: +# - `matrix_mautrix_twitter_metrics_enabled` +# - `matrix_mautrix_twitter_proxying_metrics_enabled` +# - `matrix_nginx_proxy_proxy_matrix_metrics_enabled` +matrix_mautrix_twitter_metrics_enabled: "{{ matrix_prometheus_enabled }}" + # Postgres is the default, except if not using internal Postgres server matrix_mautrix_whatsapp_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" matrix_mautrix_whatsapp_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" 
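Review bot: The `@@ -1103` hunk is inserted into the mautrix-whatsapp section (between `matrix_mautrix_whatsapp_login_shared_secret` and `matrix_mautrix_whatsapp_database_engine`), yet the lines it adds set `matrix_mautrix_twitter_metrics_enabled` and talk about twitter, so whatsapp never receives the Prometheus-driven default the commit subject promises while twitter's is defined in an unrelated section. The variable and the three comment lines here should use the whatsapp names, i.e. `matrix_mautrix_whatsapp_metrics_enabled: "{{ matrix_prometheus_enabled }}"`, and if twitter is meant to get the same default it needs its own block in the twitter section (the diffstat's 24 insertions account for only these four blocks).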
From 611a74bde2414cb95171d4833c926a5427c08c21 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 30 Jan 2023 08:59:35 +0200 Subject: [PATCH 305/915] Use |to_json in mautrix metrics configuration Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2427 --- .../matrix-bridge-mautrix-facebook/templates/config.yaml.j2 | 2 +- .../matrix-bridge-mautrix-instagram/templates/config.yaml.j2 | 2 +- .../matrix-bridge-mautrix-signal/templates/config.yaml.j2 | 2 +- .../matrix-bridge-mautrix-twitter/templates/config.yaml.j2 | 2 +- .../matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 index ce9aaea34..184ea7808 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 @@ -62,7 +62,7 @@ appservice: # Prometheus telemetry config. Requires prometheus-client to be installed. metrics: - enabled: {{ matrix_mautrix_facebook_metrics_enabled }} + enabled: {{ matrix_mautrix_facebook_metrics_enabled | to_json }} listen_port: 8000 # Bridge config diff --git a/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 index 700657850..93bbfe39f 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 @@ -57,7 +57,7 @@ appservice: # Prometheus telemetry config. Requires prometheus-client to be installed. metrics: - enabled: {{ matrix_mautrix_instagram_metrics_enabled }} + enabled: {{ matrix_mautrix_instagram_metrics_enabled | to_json }} listen_port: 8000 instagram: 
diff --git a/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index fbe2f4f31..828ff940b 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2 @@ -67,7 +67,7 @@ appservice: # Prometheus telemetry config. Requires prometheus-client to be installed. metrics: - enabled: {{ matrix_mautrix_signal_metrics_enabled }} + enabled: {{ matrix_mautrix_signal_metrics_enabled | to_json }} listen_port: 8000 # Manhole config. diff --git a/roles/custom/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 index 5b79a073e..6e12a7552 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 @@ -65,7 +65,7 @@ appservice: # Prometheus telemetry config. Requires prometheus-client to be installed. metrics: - enabled: {{ matrix_mautrix_twitter_metrics_enabled }} + enabled: {{ matrix_mautrix_twitter_metrics_enabled | to_json }} listen_port: 8000 # Bridge config diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 index 1c6b59d4d..ad381f6aa 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 @@ -67,7 +67,7 @@ segment_key: null # Prometheus config. metrics: # Enable prometheus metrics? - enabled: {{ matrix_mautrix_whatsapp_metrics_enabled }} + enabled: {{ matrix_mautrix_whatsapp_metrics_enabled | to_json }} # IP and port where the metrics listener should be. The path is always /metrics listen: 0.0.0.0:8001 From 8c2b77bf0cf5400f6234a3adcf97758f1bc62d93 Mon Sep 17 00:00:00 2001 
From: Aine <97398200+etkecc@users.noreply.github.com> Date: Mon, 30 Jan 2023 07:07:09 +0000 Subject: [PATCH 306/915] Update cinny 2.2.3 -> 2.2.4 --- roles/custom/matrix-client-cinny/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-cinny/defaults/main.yml b/roles/custom/matrix-client-cinny/defaults/main.yml index 98c327456..5b15b42cd 100644 --- a/roles/custom/matrix-client-cinny/defaults/main.yml +++ b/roles/custom/matrix-client-cinny/defaults/main.yml @@ -6,7 +6,7 @@ matrix_client_cinny_enabled: true matrix_client_cinny_container_image_self_build: false matrix_client_cinny_container_image_self_build_repo: "https://github.com/ajbura/cinny.git" -matrix_client_cinny_version: v2.2.3 +matrix_client_cinny_version: v2.2.4 matrix_client_cinny_docker_image: "{{ matrix_client_cinny_docker_image_name_prefix }}ajbura/cinny:{{ matrix_client_cinny_version }}" matrix_client_cinny_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_cinny_docker_image_force_pull: "{{ matrix_client_cinny_docker_image.endswith(':latest') }}" From d70076c805bd30f7e69a35115d7e6ccdb772d88b Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 31 Jan 2023 14:01:11 +0000 Subject: [PATCH 307/915] Update element 1.11.20 -> 1.11.21 --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index f13ad035f..ea88e58f6 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml 
@@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.11.20 +matrix_client_element_version: v1.11.21 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 68ca23d709c6025ade132466158715f87952debd Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 31 Jan 2023 14:02:50 +0000 Subject: [PATCH 308/915] Update jitsi stable-8218 -> stable-8252 --- roles/custom/matrix-jitsi/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-jitsi/defaults/main.yml b/roles/custom/matrix-jitsi/defaults/main.yml index 538d8e4eb..8ccd67935 100644 --- a/roles/custom/matrix-jitsi/defaults/main.yml +++ b/roles/custom/matrix-jitsi/defaults/main.yml @@ -72,7 +72,7 @@ matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false -matrix_jitsi_version: stable-8218 +matrix_jitsi_version: stable-8252 matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}" From c7767e9bc80e0e94801560d2d661d466d0024175 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Tue, 31 Jan 2023 20:25:59 +0200 Subject: [PATCH 309/915] Upgrade Coturn (4.6.1-r0 -> 4.6.1-r1) --- roles/custom/matrix-coturn/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-coturn/defaults/main.yml b/roles/custom/matrix-coturn/defaults/main.yml index 9f7ff2ba8..78efc73cf 100644 --- a/roles/custom/matrix-coturn/defaults/main.yml +++ b/roles/custom/matrix-coturn/defaults/main.yml @@ -8,7 +8,7 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}" matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile" -matrix_coturn_version: 4.6.1-r0 +matrix_coturn_version: 4.6.1-r1 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine" matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" From 5300740f703e040bb3dab81fbcb98a5e3ab05a9e Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 31 Jan 2023 19:11:07 +0000 Subject: [PATCH 310/915] Update element 1.11.21 -> 1.11.22 --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index ea88e58f6..85d8d6cfa 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml 
@@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.11.21 +matrix_client_element_version: v1.11.22 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 82d870fddf6c658df41128a705a5157e4a586aca Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 31 Jan 2023 19:16:52 +0000 Subject: [PATCH 311/915] Update prometheus 2.41.0 -> 2.42.0 --- roles/custom/matrix-prometheus/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-prometheus/defaults/main.yml b/roles/custom/matrix-prometheus/defaults/main.yml index 5216ccd74..956faf461 100644 --- a/roles/custom/matrix-prometheus/defaults/main.yml +++ b/roles/custom/matrix-prometheus/defaults/main.yml @@ -5,7 +5,7 @@ matrix_prometheus_enabled: false -matrix_prometheus_version: v2.41.0 +matrix_prometheus_version: v2.42.0 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" From 0f208ed053bc33dd451da9c4b6ed9a08b30a908b Mon Sep 17 00:00:00 2001 
From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 31 Jan 2023 19:19:43 +0000 Subject: [PATCH 312/915] Update synapse 1.75.0 -> 1.76.0; default room version 9 -> 10 --- roles/custom/matrix-synapse/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 7c5496faa..b5a214ed1 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -36,7 +36,7 @@ matrix_synapse_container_image_customizations_dockerfile_body_custom: '' matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:{{ matrix_synapse_docker_image_tag }}" matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else matrix_container_global_registry_prefix }}" -matrix_synapse_version: v1.75.0 +matrix_synapse_version: v1.76.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" @@ -849,7 +849,7 @@ matrix_synapse_room_list_publication_rules: room_id: "*" action: allow -matrix_synapse_default_room_version: "9" +matrix_synapse_default_room_version: "10" # Controls the Synapse `spam_checker` setting. # From 7cb140b98744890adbdb148b2b68f51594c33d98 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 31 Jan 2023 23:24:20 +0200 Subject: [PATCH 313/915] Downgrade Prometheus (v2.42.0 -> v2.41.0) until a container image gets published Container image not published yet. Reverts #2438 --- roles/custom/matrix-prometheus/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-prometheus/defaults/main.yml b/roles/custom/matrix-prometheus/defaults/main.yml index 956faf461..5216ccd74 100644 --- a/roles/custom/matrix-prometheus/defaults/main.yml 
+++ b/roles/custom/matrix-prometheus/defaults/main.yml @@ -5,7 +5,7 @@ matrix_prometheus_enabled: false -matrix_prometheus_version: v2.42.0 +matrix_prometheus_version: v2.41.0 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" From c11f772e781c762f69810e374ac3a4aaf5ff8362 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 31 Jan 2023 21:34:25 +0000 Subject: [PATCH 314/915] Fix python packages path in synapse container --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index b5a214ed1..18165dd93 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -123,7 +123,7 @@ matrix_synapse_systemd_required_services_list: ['docker.service'] # List of systemd services that matrix-synapse.service wants matrix_synapse_systemd_wanted_services_list: [] -matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.9/site-packages" +matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.11/site-packages" # Specifies which template files to use when configuring Synapse. # If you'd like to have your own different configuration, feel free to copy and paste From 4d49f1f56ecd5feddc83bc704ac950161dabe6dc Mon Sep 17 00:00:00 2001 From: Catalan Lover <48515417+FSG-Cat@users.noreply.github.com> Date: Thu, 2 Feb 2023 16:00:07 +0100 Subject: [PATCH 315/915] Update Prometheus to v2.42.0 from v2.41.0 Docker images are released now so this change can now be pushed. --- roles/custom/matrix-prometheus/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
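Review bot: `matrix_synapse_in_container_python_packages_path` hard-codes the interpreter minor version (`python3.11`) shipped inside the Synapse image, while the image itself is chosen by `matrix_synapse_version` (bumped to v1.76.0 in the preceding commit of this series); nothing ties the two together, so the next image upgrade can leave this path stale again, which is exactly the breakage this commit repairs. A comment above the variable such as `# Must match the Python version bundled in the matrixdotorg/synapse image selected by matrix_synapse_version; re-check on every Synapse upgrade.` would make the coupling visible to whoever bumps the version next.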
diff --git a/roles/custom/matrix-prometheus/defaults/main.yml b/roles/custom/matrix-prometheus/defaults/main.yml index 5216ccd74..956faf461 100644 --- a/roles/custom/matrix-prometheus/defaults/main.yml +++ b/roles/custom/matrix-prometheus/defaults/main.yml @@ -5,7 +5,7 @@ matrix_prometheus_enabled: false -matrix_prometheus_version: v2.41.0 +matrix_prometheus_version: v2.42.0 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" From 2d7d5d4babd11d7ed70060b4d8d06b6113dc519a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Feb 2023 20:36:19 +0200 Subject: [PATCH 316/915] Use new security-opt syntax (: -> =) Related to https://docs.docker.com/engine/deprecated/#separator--of---security-opt-flag-on-docker-run --- .../templates/goofys/systemd/matrix-goofys.service.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 b/roles/custom/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 index a1174bced..a968965b7 100644 --- a/roles/custom/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 +++ b/roles/custom/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 @@ -17,7 +17,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name --mount type=bind,src=/etc/passwd,dst=/etc/passwd,ro \ --mount type=bind,src=/etc/group,dst=/etc/group,ro \ --mount type=bind,src={{ matrix_s3_media_store_path }},dst=/s3,bind-propagation=shared \ - --security-opt apparmor:unconfined \ + --security-opt apparmor=unconfined \ --cap-add mknod \ --cap-add sys_admin \ --device=/dev/fuse \ From be78b74fbdd00ab89b0827f7ddec91ac7e21aeb9 Mon Sep 17 00:00:00 2001 
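Review bot: The `--security-opt apparmor=unconfined` line is a pure separator update, but together with `--cap-add sys_admin` and `--device=/dev/fuse` on the neighbouring lines it is the part of this unit that removes the goofys container's confinement, and nothing in the template records why. A Jinja comment before it, e.g. `{# FUSE mounting inside the container needs CAP_SYS_ADMIN, /dev/fuse and no AppArmor confinement; do not widen this set further #}`, would document the rationale — assuming FUSE is indeed the reason, which the `/dev/fuse` device suggests but the template does not state. The `docker run` command this line belongs to starts and ends outside the hunk.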
From: Slavi Pantaleev Date: Sun, 5 Feb 2023 10:32:09 +0200 Subject: [PATCH 317/915] Switch from matrix-prometheus-postgres-exporter to an external prometheus_postgres_exporter role --- CHANGELOG.md | 17 +++- ...configuring-playbook-prometheus-grafana.md | 8 +- ...onfiguring-playbook-prometheus-postgres.md | 10 +-- group_vars/matrix_servers | 89 ++++++++++--------- playbooks/matrix.yml | 2 +- requirements.yml | 3 + .../defaults/main.yml | 65 -------------- .../tasks/main.yml | 29 ------ .../tasks/setup_install.yml | 19 ---- .../tasks/setup_uninstall.yml | 20 ----- .../tasks/validate_config.yml | 9 -- ...ix-prometheus-postgres-exporter.service.j2 | 42 --------- .../vars/main.yml | 5 -- .../defaults/main.yml | 12 +++ .../tasks/main.yml | 9 ++ .../inject_into_nginx_proxy.yml | 19 ++-- .../defaults/main.yml | 3 + .../tasks/validate_config.yml | 16 ++++ 18 files changed, 123 insertions(+), 254 deletions(-) delete mode 100644 roles/custom/matrix-prometheus-postgres-exporter/defaults/main.yml delete mode 100644 roles/custom/matrix-prometheus-postgres-exporter/tasks/main.yml delete mode 100644 roles/custom/matrix-prometheus-postgres-exporter/tasks/setup_install.yml delete mode 100644 roles/custom/matrix-prometheus-postgres-exporter/tasks/setup_uninstall.yml delete mode 100644 roles/custom/matrix-prometheus-postgres-exporter/tasks/validate_config.yml delete mode 100644 roles/custom/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 delete mode 100644 roles/custom/matrix-prometheus-postgres-exporter/vars/main.yml rename roles/custom/{matrix-prometheus-postgres-exporter/tasks => matrix-prometheus-services-proxy-connect/tasks/prometheus-postgres-exporter}/inject_into_nginx_proxy.yml (51%) diff --git a/CHANGELOG.md b/CHANGELOG.md index edb4dba9c..bb62d8dd3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,18 @@ +# 2023-02-05 + +## The matrix-prometheus-postgres-exporter role lives independently now + +**TLDR**: the `matrix-prometheus-postgres-exporter` role is now included from another repository. Some variables have been renamed. All functionality remains intact. + +The `matrix-prometheus-postgres-exporter` role (which configures [Prometheus Postgres Exporter](https://github.com/prometheus-community/postgres_exporter)) has been extracted from the playbook and now lives in its own repository at https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter. + +It's still part of the playbook, but is now installed via `ansible-galaxy` (by running `just roles` / `make roles`). Some variables have been renamed (`matrix_prometheus_postgres_exporter_` -> `prometheus_postgres_exporter_`, etc.). The playbook will report all variables that you need to rename to get upgraded. All functionality remains intact. + +The `matrix-prometheus-services-proxy-connect` role has bee adjusted to help integrate the new `prometheus_postgres_exporter` role with our own services (`matrix-nginx-proxy`) + +Other roles which aren't strictly related to Matrix are likely to follow this fate of moving to their own repositories. Extracting them out allows other Ansible playbooks to make use of these roles easily. + + # 2023-01-26 ## Coturn can now use host-networking 
@@ -519,7 +534,7 @@ See our [Setting up the ntfy push notifications server](docs/configuring-playboo **If you're using node-exporter** (`matrix_prometheus_node_exporter_enabled: true`) and would like to collect its metrics from an external Prometheus server, see `matrix_prometheus_node_exporter_metrics_proxying_enabled` described in our [Collecting metrics to an external Prometheus server](docs/configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server) documentation. You will be able to collect its metrics from `https://matrix.DOMAIN/metrics/node-exporter`. -**If you're using [postgres-exporter](docs/configuring-playbook-prometheus-postgres.md)** (`matrix_prometheus_postgres_exporter_enabled: true`) and would like to collect its metrics from an external Prometheus server, see `matrix_prometheus_postgres_exporter_metrics_proxying_enabled` described in our [Collecting metrics to an external Prometheus server](docs/configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server) documentation. You will be able to collect its metrics from `https://matrix.DOMAIN/metrics/postgres-exporter`. +**If you're using [postgres-exporter](docs/configuring-playbook-prometheus-postgres.md)** (`prometheus_postgres_exporter_enabled: true`) and would like to collect its metrics from an external Prometheus server, see `matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled` described in our [Collecting metrics to an external Prometheus server](docs/configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server) documentation. You will be able to collect its metrics from `https://matrix.DOMAIN/metrics/postgres-exporter`. **If you're using Synapse** and would like to collect its metrics from an external Prometheus server, you may find that: 
diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index 703c03b22..956b05736 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md @@ -13,7 +13,7 @@ matrix_prometheus_enabled: true prometheus_node_exporter_enabled: true # You can remove this, if unnecessary. -matrix_prometheus_postgres_exporter_enabled: true +prometheus_postgres_exporter_enabled: true # You can remove this, if unnecessary. matrix_prometheus_nginxlog_exporter_enabled: true 
@@ -41,7 +41,7 @@ Name | Description -----|---------- `matrix_prometheus_enabled`|[Prometheus](https://prometheus.io) is a time series database. It holds all the data we're going to talk about. `prometheus_node_exporter_enabled`|[Node Exporter](https://prometheus.io/docs/guides/node-exporter/) is an addon of sorts to Prometheus that collects generic system information such as CPU, memory, filesystem, and even system temperatures -`matrix_prometheus_postgres_exporter_enabled`|[Postgres Exporter](configuring-playbook-prometheus-postgres.md) is an addon of sorts to expose Postgres database metrics to Prometheus. +`prometheus_postgres_exporter_enabled`|[Postgres Exporter](configuring-playbook-prometheus-postgres.md) is an addon of sorts to expose Postgres database metrics to Prometheus. `matrix_prometheus_nginxlog_exporter_enabled`|[NGINX Log Exporter](configuring-playbook-prometheus-nginxlog.md) is an addon of sorts to expose NGINX logs to Prometheus. `matrix_grafana_enabled`|[Grafana](https://grafana.com/) is the visual component. It shows (on the `stats.` subdomain) the dashboards with the graphs that we're interested in `matrix_grafana_anonymous_access`|By default you need to log in to see graphs. If you want to publicly share your graphs (e.g. when asking for help in [`#synapse:matrix.org`](https://matrix.to/#/#synapse:matrix.org?via=matrix.org&via=privacytools.io&via=mozilla.org)) you'll want to enable this option. 
@@ -76,9 +76,9 @@ Name | Description `matrix_synapse_metrics_proxying_enabled`|Set this to `true` to expose Synapse's metrics on `https://matrix.DOMAIN/metrics/synapse/main-process` and `https://matrix.DOMAIN/metrics/synapse/worker/TYPE-ID` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`). Read [below](#collecting-synapse-worker-metrics-to-an-external-prometheus-server) if you're running a Synapse worker setup (`matrix_synapse_workers_enabled: true`). `prometheus_node_exporter_enabled`|Set this to `true` to enable the node (general system stats) exporter (locally, on the container network) `matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled`|Set this to `true` to expose the node (general system stats) metrics on `https://matrix.DOMAIN/metrics/node-exporter` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`) -`matrix_prometheus_postgres_exporter_enabled`|Set this to `true` to enable the [Postgres exporter](configuring-playbook-prometheus-postgres.md) (locally, on the container network) +`prometheus_postgres_exporter_enabled`|Set this to `true` to enable the [Postgres exporter](configuring-playbook-prometheus-postgres.md) (locally, on the container network) `matrix_prometheus_nginxlog_exporter_enabled`|Set this to `true` to enable the [NGINX Log exporter](configuring-playbook-prometheus-nginxlog.md) (locally, on the container network) -`matrix_prometheus_postgres_exporter_metrics_proxying_enabled`|Set this to `true` to expose the [Postgres exporter](configuring-playbook-prometheus-postgres.md) metrics on `https://matrix.DOMAIN/metrics/postgres-exporter` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`) +`matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled`|Set this to `true` to expose the [Postgres exporter](configuring-playbook-prometheus-postgres.md) metrics on 
`https://matrix.DOMAIN/metrics/postgres-exporter` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`) `matrix_bridge_hookshot_metrics_enabled`|Set this to `true` to make [Hookshot](configuring-playbook-bridge-hookshot.md) expose metrics (locally, on the container network) `matrix_bridge_hookshot_metrics_proxying_enabled`|Set this to `true` to expose the [Hookshot](configuring-playbook-bridge-hookshot.md) metrics on `https://matrix.DOMAIN/metrics/hookshot` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`) `matrix_SERVICE_metrics_proxying_enabled`|Various other services/roles may provide similar `_metrics_enabled` and `_metrics_proxying_enabled` variables for exposing their metrics. Refer to each role for details. Only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true` diff --git a/docs/configuring-playbook-prometheus-postgres.md b/docs/configuring-playbook-prometheus-postgres.md index 6fd13a9e9..c3c8e0bfb 100644 --- a/docs/configuring-playbook-prometheus-postgres.md +++ b/docs/configuring-playbook-prometheus-postgres.md 
@@ -6,17 +6,17 @@ You can enable this with the following settings in your configuration file (`inv ```yaml -matrix_prometheus_postgres_exporter_enabled: true +prometheus_postgres_exporter_enabled: true ``` ## What does it do? Name | Description -----|---------- -`matrix_prometheus_postgres_exporter_enabled`|Enable the postgres prometheus exporter. This sets up the docker container, connects it to the database and adds a 'job' to the prometheus config which tells prometheus about this new exporter. The default is 'false' -`matrix_prometheus_postgres_exporter_database_username`| The 'username' for the user that the exporter uses to connect to the database. The default is 'matrix_prometheus_postgres_exporter' -`matrix_prometheus_postgres_exporter_database_password`| The 'password' for the user that the exporter uses to connect to the database. By default, this is auto-generated by the playbook -`matrix_prometheus_postgres_exporter_metrics_proxying_enabled`|If set to `true`, exposes the Postgres exporter metrics on `https://matrix.DOMAIN/metrics/postgres-exporter` for usage with an [external Prometheus server](configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server) (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`) +`prometheus_postgres_exporter_enabled`|Enable the postgres prometheus exporter. This sets up the docker container, connects it to the database and adds a 'job' to the prometheus config which tells prometheus about this new exporter. The default is 'false' +`prometheus_postgres_exporter_database_username`| The 'username' for the user that the exporter uses to connect to the database. The default is 'matrix_prometheus_postgres_exporter' +`prometheus_postgres_exporter_database_password`| The 'password' for the user that the exporter uses to connect to the database. 
By default, this is auto-generated by the playbook +`matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled`|If set to `true`, exposes the Postgres exporter metrics on `https://matrix.DOMAIN/metrics/postgres-exporter` for usage with an [external Prometheus server](configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server) (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`) ## More information diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 2a8b24430..6d096dea0 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -301,11 +301,11 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-prometheus.service', 'priority': 4000, 'groups': ['matrix', 'monitoring', 'prometheus', 'prometheus-core']}] if matrix_prometheus_enabled else []) + - ([{'name': (prometheus_node_exporter_identifier + '.service'), 'priority': 3900, 'groups': ['matrix', 'monitoring', 'prometheus', 'prometheus-node-exporters']}] if prometheus_node_exporter_enabled else []) + ([{'name': (prometheus_node_exporter_identifier + '.service'), 'priority': 3900, 'groups': ['matrix', 'monitoring', 'prometheus', 'prometheus-exporters']}] if prometheus_node_exporter_enabled else []) + - ([{'name': 'matrix-prometheus-postgres-exporter.service', 'priority': 3900, 'groups': ['matrix', 'monitoring', 'prometheus', 'prometheus-node-exporters']}] if matrix_prometheus_postgres_exporter_enabled else []) + ([{'name': (prometheus_postgres_exporter_identifier + '.service'), 'priority': 3900, 'groups': ['matrix', 'monitoring', 'prometheus', 'prometheus-exporters']}] if prometheus_postgres_exporter_enabled else []) + - ([{'name': 'matrix-prometheus-nginxlog-exporter.service', 'priority': 3900, 'groups': ['matrix', 'monitoring', 'prometheus', 'prometheus-node-exporters']}] if matrix_prometheus_nginxlog_exporter_enabled else []) + ([{'name': 'matrix-prometheus-nginxlog-exporter.service', 'priority': 3900, 'groups': ['matrix', 'monitoring', 'prometheus', 'prometheus-exporters']}] if matrix_prometheus_nginxlog_exporter_enabled else []) + ([{'name': 'matrix-redis', 'priority': 750, 'groups': ['matrix', 'redis']}] if matrix_redis_enabled else []) + 
@@ -2589,10 +2589,10 @@ devture_postgres_managed_databases_auto: | }] if (matrix_etherpad_enabled and matrix_etherpad_database_engine == 'postgres' and matrix_etherpad_database_hostname == devture_postgres_connection_hostname) else []) + ([{ - 'name': matrix_prometheus_postgres_exporter_database_name, - 'username': matrix_prometheus_postgres_exporter_database_username, - 'password': matrix_prometheus_postgres_exporter_database_password, - }] if (matrix_prometheus_postgres_exporter_enabled and matrix_prometheus_postgres_exporter_database_hostname == devture_postgres_connection_hostname) else []) + 'name': prometheus_postgres_exporter_database_name, + 'username': prometheus_postgres_exporter_database_username, + 'password': prometheus_postgres_exporter_database_password, + }] if (prometheus_postgres_exporter_enabled and prometheus_postgres_exporter_database_hostname == devture_postgres_connection_hostname) else []) }} 
@@ -2976,6 +2976,45 @@ prometheus_node_exporter_container_labels_traefik_enabled: false # ###################################################################### +###################################################################### +# +# etke/prometheus_postgres_exporter +# +###################################################################### + +prometheus_postgres_exporter_enabled: false + +prometheus_postgres_exporter_identifier: matrix-prometheus-postgres-exporter + +prometheus_postgres_exporter_base_path: "{{ matrix_base_data_path }}/prometheus-postgres-exporter" + +prometheus_postgres_exporter_uid: "{{ matrix_user_uid }}" +prometheus_postgres_exporter_gid: "{{ matrix_user_gid }}" + +prometheus_postgres_exporter_server_fqn: "{{ matrix_server_fqn_matrix }}" + +prometheus_postgres_exporter_container_network: "{{ matrix_docker_network }}" + +prometheus_postgres_exporter_container_labels_traefik_enabled: false + +prometheus_postgres_exporter_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +prometheus_postgres_exporter_database_username: matrix_prometheus_postgres_exporter +prometheus_postgres_exporter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'prometheus.pg.db', rounds=655555) | to_uuid }}" +prometheus_postgres_exporter_database_name: matrix_prometheus_postgres_exporter + +prometheus_postgres_exporter_systemd_required_services_list: | + {{ + ['docker.service'] + + + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + }} + +###################################################################### +# +# /etke/prometheus_postgres_exporter +# +###################################################################### + ###################################################################### # # matrix-prometheus-nginxlog-exporter 
@@ -3011,8 +3050,8 @@ matrix_prometheus_scraper_synapse_rules_synapse_tag: "{{ matrix_synapse_docker_i matrix_prometheus_scraper_node_enabled: "{{ prometheus_node_exporter_enabled }}" matrix_prometheus_scraper_node_targets: "{{ [prometheus_node_exporter_identifier + ':9100'] if prometheus_node_exporter_enabled else [] }}" -matrix_prometheus_scraper_postgres_enabled: "{{ matrix_prometheus_postgres_exporter_enabled }}" -matrix_prometheus_scraper_postgres_targets: "{{ ['matrix-prometheus-postgres-exporter:'+ matrix_prometheus_postgres_exporter_port | string] if matrix_prometheus_scraper_postgres_enabled else [] }}" +matrix_prometheus_scraper_postgres_enabled: "{{ prometheus_postgres_exporter_enabled }}" +matrix_prometheus_scraper_postgres_targets: "{{ [prometheus_postgres_exporter_identifier + ':' + prometheus_postgres_exporter_port | string] if matrix_prometheus_scraper_postgres_enabled else [] }}" matrix_prometheus_scraper_hookshot_enabled: "{{ matrix_hookshot_metrics_enabled|default(false) }}" matrix_prometheus_scraper_hookshot_targets: "{{ [matrix_hookshot_container_url | string +':'+ matrix_hookshot_metrics_port | string] if matrix_hookshot_metrics_enabled else [] }}" 
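Review bot: The new `matrix_prometheus_scraper_postgres_targets` line builds the scrape target from `prometheus_postgres_exporter_port`, but nothing in this diff defines that variable; the old `matrix_prometheus_postgres_exporter_port: 9187` lived in the deleted role defaults, so the new name presumably comes from the galaxy `prometheus_postgres_exporter` role's defaults. If that role does not export it under exactly that name, templating `group_vars/matrix_servers` fails with an undefined variable whenever the scraper is enabled. Worth confirming against the role's defaults, or adding an explicit `prometheus_postgres_exporter_port: 9187` to the new `etke/prometheus_postgres_exporter` block so the scrape target does not depend on an external default.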
@@ -3027,29 +3066,6 @@ matrix_prometheus_scraper_nginxlog_server_port: "{{ (matrix_prometheus_nginxlog_ # ###################################################################### -###################################################################### -# -# matrix-prometheus-postgres-exporter -# -###################################################################### - -matrix_prometheus_postgres_exporter_enabled: false -matrix_prometheus_postgres_exporter_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" -matrix_prometheus_postgres_exporter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'prometheus.pg.db', rounds=655555) | to_uuid }}" - -matrix_prometheus_postgres_exporter_systemd_required_services_list: | - {{ - ['docker.service'] - + - ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) - }} - -###################################################################### -# -# /matrix-prometheus-postgres-exporter -# -###################################################################### - ###################################################################### # # matrix-grafana @@ -3069,7 +3085,7 @@ matrix_grafana_dashboard_download_urls: | + (prometheus_node_exporter_dashboard_urls if prometheus_node_exporter_enabled else []) + - (matrix_prometheus_postgres_exporter_dashboard_urls if matrix_prometheus_postgres_exporter_enabled else []) + (prometheus_postgres_exporter_dashboard_urls if prometheus_postgres_exporter_enabled else []) + (matrix_prometheus_nginxlog_exporter_dashboard_urls if matrix_prometheus_nginxlog_exporter_enabled else []) }} 
@@ -3083,13 +3099,6 @@ matrix_grafana_default_home_dashboard_path: |- }[matrix_homeserver_implementation] }} -matrix_grafana_systemd_wanted_services_list: | - {{ - [] - + - (['matrix-prometheus-postgres-exporter.service'] if matrix_prometheus_postgres_exporter_enabled else []) - }} - ###################################################################### # # /matrix-grafana diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index 5190521e2..7be0d6295 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml @@ -87,7 +87,7 @@ - custom/matrix-conduit - custom/matrix-synapse-admin - galaxy/prometheus_node_exporter - - custom/matrix-prometheus-postgres-exporter + - galaxy/prometheus_postgres_exporter - custom/matrix-prometheus-nginxlog-exporter - custom/matrix-prometheus - custom/matrix-grafana diff --git a/requirements.yml b/requirements.yml index 8ffa99d53..69b09cac5 100644 --- a/requirements.yml +++ b/requirements.yml @@ -32,3 +32,6 @@ - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git version: v1.5.0-1 + +- src: git+https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter.git + version: v0.11.1-0 diff --git a/roles/custom/matrix-prometheus-postgres-exporter/defaults/main.yml b/roles/custom/matrix-prometheus-postgres-exporter/defaults/main.yml deleted file mode 100644 index 78481a32b..000000000 --- a/roles/custom/matrix-prometheus-postgres-exporter/defaults/main.yml +++ /dev/null 
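Review bot: The new `requirements.yml` entry pins the external role by git tag (`version: v0.11.1-0`); tags are mutable upstream, so a later `just roles` / `make roles` run can fetch different role code than was reviewed here without any change to this repository. That matches the existing `prometheus_node_exporter` entry, so it is a consistency choice rather than a regression, but for a role that receives the database password it is worth noting. If ansible-galaxy's git source supports a commit hash in `version` (it does for role installs, to my knowledge), pinning the reviewed commit gives a reproducible, tamper-evident dependency.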
@@ -1,65 +0,0 @@ ---- -# matrix-prometheus-postgres-exporter is an Prometheus exporter for postgres metrics -# Project source code URL: https://github.com/prometheus-community/postgres_exporter - -matrix_prometheus_postgres_exporter_enabled: false - -matrix_prometheus_postgres_exporter_version: v0.11.1 -matrix_prometheus_postgres_exporter_port: 9187 - -matrix_prometheus_postgres_exporter_docker_image: "{{ matrix_prometheus_postgres_exporter_docker_image_name_prefix }}prometheuscommunity/postgres-exporter:{{ matrix_prometheus_postgres_exporter_version }}" -matrix_prometheus_postgres_exporter_docker_image_name_prefix: "quay.io/" -matrix_prometheus_postgres_exporter_docker_image_force_pull: "{{ matrix_prometheus_postgres_exporter_docker_image.endswith(':latest') }}" - -# A list of extra arguments to pass to the container -matrix_prometheus_postgres_exporter_container_extra_arguments: ["-e PG_EXPORTER_AUTO_DISCOVER_DATABASES=true", - "-e PG_EXPORTER_WEB_LISTEN_ADDRESS=\":{{ matrix_prometheus_postgres_exporter_port }}\"", - "-e DATA_SOURCE_NAME=\"postgresql://{{ matrix_prometheus_postgres_exporter_database_username }}:{{ matrix_prometheus_postgres_exporter_database_password }}@{{ matrix_prometheus_postgres_exporter_database_hostname }}:5432/{{ matrix_prometheus_postgres_exporter_database_name }}?sslmode=disable\""] - -# List of systemd services that matrix-prometheus-postgres-exporter.service depends on -matrix_prometheus_postgres_exporter_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-prometheus-postgres-exporter.service wants -matrix_prometheus_postgres_exporter_systemd_wanted_services_list: [] - -# details for connecting to the database -matrix_prometheus_postgres_exporter_database_username: 'matrix_prometheus_postgres_exporter' -matrix_prometheus_postgres_exporter_database_password: 'some-password' -matrix_prometheus_postgres_exporter_database_hostname: '' -matrix_prometheus_postgres_exporter_database_port: 5432 
-matrix_prometheus_postgres_exporter_database_name: 'matrix_prometheus_postgres_exporter' - -# Controls whether postgres-exporter metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/postgres-exporter`. -# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`. -# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. -matrix_prometheus_postgres_exporter_metrics_proxying_enabled: false - -# Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9187 in the container). -# -# Takes an ":" value (e.g. "127.0.0.1:9187"), just a port number or an empty string to not expose. -# -# You likely don't need to do this. See `matrix_prometheus_postgres_exporter_metrics_proxying_enabled`. -# -# Official recommendations are to run this container with `--net=host`, -# but we don't do that, since it: -# - likely exposes the metrics web server way too publicly (before applying https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1008) -# - or listens on a loopback interface only (--net=host and 127.0.0.1:9187), which is not reachable from another container (like `matrix-prometheus`) -# -# Using `--net=host` and binding to Docker's `matrix` bridge network may be a solution to both, -# but that's trickier to accomplish and won't necessarily work (hasn't been tested). -# -# Not using `--net=host` means that our network statistic reports are likely broken (inaccurate), -# because node-exporter can't see all interfaces, etc. -# For now, we'll live with that, until someone develops a better solution. -matrix_prometheus_postgres_exporter_container_http_host_bind_port: '' - -# If you are supplying your own NGINX proxy but want to use the provided exporters you will have to supply an ":" value for the containers to bind to on your host. 
-# If matrix_prometheus_postgres_exporter_container_http_host_bind_port is set to just a port number, this will default to "127.0.0.1:" -# If matrix_prometheus_postgres_exporter_container_http_host_bind_port is set to an IP that is not 0.0.0.0 and a port, that ":" value will be used -# Otherwise this value will be empty and you will have to manually configure your NGINX config file. (If you are using the config files generated by this playbook, you will have to edit matrix-domain.conf) -matrix_prometheus_postgres_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host: "{{ '127.0.0.1' + matrix_prometheus_postgres_exporter_container_http_host_bind_port_number_raw if not ':' in matrix_prometheus_postgres_exporter_container_http_host_bind_port else (matrix_prometheus_postgres_exporter_container_http_host_bind_port if matrix_prometheus_postgres_exporter_container_http_host_bind_port.split(':')[0] != '0.0.0.0' else '') }}" - -# matrix_prometheus_postgres_exporter_dashboard_urls contains a list of URLs with Grafana dashboard definitions. -# If the Grafana role is enabled, these dashboards will be downloaded. -matrix_prometheus_postgres_exporter_dashboard_urls: - - "https://grafana.com/api/dashboards/9628/revisions/7/download" diff --git a/roles/custom/matrix-prometheus-postgres-exporter/tasks/main.yml b/roles/custom/matrix-prometheus-postgres-exporter/tasks/main.yml deleted file mode 100644 index 7ff6d15ae..000000000 --- a/roles/custom/matrix-prometheus-postgres-exporter/tasks/main.yml +++ /dev/null 
@@ -1,29 +0,0 @@ ---- - -- block: - - when: matrix_prometheus_postgres_exporter_enabled | bool and matrix_prometheus_postgres_exporter_metrics_proxying_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: - - setup-all - - setup-nginx-proxy - - install-all - - install-nginx-proxy - -- block: - - when: matrix_prometheus_postgres_exporter_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - - - when: matrix_prometheus_postgres_exporter_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: - - setup-all - - setup-prometheus-postgres-exporter - - install-all - - install-prometheus-postgres-exporter - -- block: - - when: not matrix_prometheus_postgres_exporter_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-prometheus-postgres-exporter diff --git a/roles/custom/matrix-prometheus-postgres-exporter/tasks/setup_install.yml b/roles/custom/matrix-prometheus-postgres-exporter/tasks/setup_install.yml deleted file mode 100644 index ee0f9bef7..000000000 --- a/roles/custom/matrix-prometheus-postgres-exporter/tasks/setup_install.yml +++ /dev/null 
@@ -1,19 +0,0 @@ ---- - -- name: Ensure matrix-prometheus-postgres-exporter image is pulled - community.docker.docker_image: - name: "{{ matrix_prometheus_postgres_exporter_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_prometheus_postgres_exporter_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_prometheus_postgres_exporter_docker_image_force_pull }}" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure matrix-prometheus-postgres-exporter.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-prometheus-postgres-exporter.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-postgres-exporter.service" - mode: 0644 - register: matrix_prometheus_postgres_exporter_systemd_service_result diff --git a/roles/custom/matrix-prometheus-postgres-exporter/tasks/setup_uninstall.yml b/roles/custom/matrix-prometheus-postgres-exporter/tasks/setup_uninstall.yml deleted file mode 100644 index bdf720428..000000000 --- a/roles/custom/matrix-prometheus-postgres-exporter/tasks/setup_uninstall.yml +++ /dev/null 
@@ -1,20 +0,0 @@ ---- - -- name: Check existence of matrix-prometheus-postgres-exporter service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-postgres-exporter.service" - register: matrix_prometheus_postgres_exporter_service_stat - -- when: matrix_prometheus_postgres_exporter_service_stat.stat.exists | bool - block: - - name: Ensure matrix-prometheus-postgres-exporter is stopped - ansible.builtin.service: - name: matrix-prometheus-postgres-exporter - state: stopped - enabled: false - daemon_reload: true - - - name: Ensure matrix-prometheus-postgres-exporter.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-postgres-exporter.service" - state: absent diff --git a/roles/custom/matrix-prometheus-postgres-exporter/tasks/validate_config.yml b/roles/custom/matrix-prometheus-postgres-exporter/tasks/validate_config.yml deleted file mode 100644 index 6acf784f2..000000000 --- a/roles/custom/matrix-prometheus-postgres-exporter/tasks/validate_config.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- - -- name: Fail if required prometheus-postgres-exporter settings not defined - ansible.builtin.fail: - msg: > - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" - with_items: - - matrix_prometheus_postgres_exporter_database_hostname diff --git a/roles/custom/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 b/roles/custom/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 deleted file mode 100644 index 5c3fbac6f..000000000 --- a/roles/custom/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 +++ /dev/null 
@@ -1,42 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=matrix-prometheus-postgres-exporter -{% for service in matrix_prometheus_postgres_exporter_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_prometheus_postgres_exporter_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-prometheus-postgres-exporter 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-prometheus-postgres-exporter 2>/dev/null || true' - - -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-prometheus-postgres-exporter \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - {% for arg in matrix_prometheus_postgres_exporter_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - --network={{ matrix_docker_network }} \ - {% if matrix_prometheus_postgres_exporter_container_http_host_bind_port %} - -p {{ matrix_prometheus_postgres_exporter_container_http_host_bind_port }}:{{matrix_prometheus_postgres_exporter_port}} \ - {% endif %} - --pid=host \ - {{ matrix_prometheus_postgres_exporter_docker_image }} - -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-prometheus-postgres-exporter 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-prometheus-postgres-exporter 2>/dev/null || true' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-prometheus-postgres-exporter - 
-[Install] -WantedBy=multi-user.target diff --git a/roles/custom/matrix-prometheus-postgres-exporter/vars/main.yml b/roles/custom/matrix-prometheus-postgres-exporter/vars/main.yml deleted file mode 100644 index aed3b2167..000000000 --- a/roles/custom/matrix-prometheus-postgres-exporter/vars/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -# `matrix_prometheus_postgres_exporter_container_http_host_bind_port_number_raw` contains the raw port number extracted from `matrix_prometheus_postgres_exporter_container_http_host_bind_port`, -# which can contain values like this: ('1234', '127.0.0.1:1234', '0.0.0.0:1234') -matrix_prometheus_postgres_exporter_container_http_host_bind_port_number_raw: "{{ '' if matrix_prometheus_postgres_exporter_container_http_host_bind_port == '' else (matrix_prometheus_postgres_exporter_container_http_host_bind_port.split(':')[1] if ':' in matrix_prometheus_postgres_exporter_container_http_host_bind_port else matrix_prometheus_postgres_exporter_container_http_host_bind_port) }}" diff --git a/roles/custom/matrix-prometheus-services-proxy-connect/defaults/main.yml b/roles/custom/matrix-prometheus-services-proxy-connect/defaults/main.yml index 5799d0535..30ef2c130 100644 --- a/roles/custom/matrix-prometheus-services-proxy-connect/defaults/main.yml +++ b/roles/custom/matrix-prometheus-services-proxy-connect/defaults/main.yml 
@@ -13,3 +13,15 @@ matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxyi # If prometheus_node_exporter_container_http_host_bind_port is set to an IP that is not 0.0.0.0 and a port, that ":" value will be used # Otherwise this value will be empty and you will have to manually configure your NGINX config file. (If you are using the config files generated by this playbook, you will have to edit matrix-domain.conf) matrix_prometheus_services_proxy_connect_prometheus_node_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host: "{{ '127.0.0.1' + prometheus_node_exporter_container_http_host_bind_port_number_raw if not ':' in prometheus_node_exporter_container_http_host_bind_port else (prometheus_node_exporter_container_http_host_bind_port if prometheus_node_exporter_container_http_host_bind_port.split(':')[0] != '0.0.0.0' else '') }}" + + +# Controls whether postgres-exporter metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/postgres-exporter`. +# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`. +# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. +matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled: false + +# If you are supplying your own NGINX proxy but want to use the provided exporters you will have to supply an ":" value for the containers to bind to on your host. +# If prometheus_node_exporter_container_http_host_bind_port is set to just a port number, this will default to "127.0.0.1:" +# If prometheus_node_exporter_container_http_host_bind_port is set to an IP that is not 0.0.0.0 and a port, that ":" value will be used +# Otherwise this value will be empty and you will have to manually configure your NGINX config file. 
(If you are using the config files generated by this playbook, you will have to edit matrix-domain.conf) +matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host: "{{ '127.0.0.1' + prometheus_postgres_exporter_container_http_host_bind_port_number_raw if not ':' in prometheus_postgres_exporter_container_http_host_bind_port else (prometheus_postgres_exporter_container_http_host_bind_port if prometheus_postgres_exporter_container_http_host_bind_port.split(':')[0] != '0.0.0.0' else '') }}" diff --git a/roles/custom/matrix-prometheus-services-proxy-connect/tasks/main.yml b/roles/custom/matrix-prometheus-services-proxy-connect/tasks/main.yml index 7f35a318d..e56546889 100644 --- a/roles/custom/matrix-prometheus-services-proxy-connect/tasks/main.yml +++ b/roles/custom/matrix-prometheus-services-proxy-connect/tasks/main.yml @@ -17,3 +17,12 @@ - setup-nginx-proxy - install-all - install-nginx-proxy + +- block: + - when: prometheus_node_exporter_enabled | bool and matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/prometheus-postgres-exporter/inject_into_nginx_proxy.yml" + tags: + - setup-all + - setup-nginx-proxy + - install-all + - install-nginx-proxy diff --git a/roles/custom/matrix-prometheus-postgres-exporter/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-prometheus-services-proxy-connect/tasks/prometheus-postgres-exporter/inject_into_nginx_proxy.yml similarity index 51% rename from roles/custom/matrix-prometheus-postgres-exporter/tasks/inject_into_nginx_proxy.yml rename to roles/custom/matrix-prometheus-services-proxy-connect/tasks/prometheus-postgres-exporter/inject_into_nginx_proxy.yml index 121efc17b..347960818 100644 --- a/roles/custom/matrix-prometheus-postgres-exporter/tasks/inject_into_nginx_proxy.yml 
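Review bot: The two comment lines introduced above `matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host` still name `prometheus_node_exporter_container_http_host_bind_port`, while the expression they describe reads `prometheus_postgres_exporter_container_http_host_bind_port`; the comment should name the postgres-exporter variable so an operator supplying their own proxy binds the right container. The header comment on the new `_metrics_proxying_enabled` flag also has a leftover word and should read `This will only take effect if …`. Separately, as rendered here the fallback branch concatenates `'127.0.0.1' + prometheus_postgres_exporter_container_http_host_bind_port_number_raw` with no `:` between host and port (the node-exporter line above does the same); if that is not an extraction artifact, the resulting `proxy_pass` target is malformed and it should read `'127.0.0.1:' + …`.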
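Review bot: The new block's `when` gates the postgres-exporter injection on `prometheus_node_exporter_enabled | bool`, so the postgres-exporter `location` is injected whenever node-exporter is on and never when only postgres-exporter is on; this appears to be a copy of the node-exporter block and the first operand should be the postgres exporter's own enabled flag, presumably `prometheus_postgres_exporter_enabled` following the new role's naming used elsewhere in this commit: `- when: prometheus_postgres_exporter_enabled | bool and matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled | bool`. With the current condition an nginx `proxy_pass` to an absent container is generated whenever the postgres exporter is disabled but node-exporter is not, which surfaces as 502s on `/metrics/postgres-exporter`.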
+++ b/roles/custom/matrix-prometheus-services-proxy-connect/tasks/prometheus-postgres-exporter/inject_into_nginx_proxy.yml 
@@ -1,25 +1,16 @@ --- -- name: Fail if matrix-nginx-proxy role already executed - ansible.builtin.fail: - msg: >- - Trying to append postgres-exporter's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your playbook, - so that the matrix-nginx-proxy role would run after the matrix-prometheus-postgres-exporter role. - when: matrix_nginx_proxy_role_executed | default(False) | bool - - name: Generate postgres-exporter metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/postgres-exporter) ansible.builtin.set_fact: - matrix_prometheus_postgres_exporter_nginx_metrics_configuration_block: | + matrix_prometheus_services_proxy_connect_postgres_exporter_nginx_metrics_configuration_block: | location /metrics/postgres-exporter { {% if matrix_nginx_proxy_enabled | default(False) %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; - set $backend "matrix-prometheus-postgres-exporter:9187"; + set $backend "{{ prometheus_postgres_exporter_identifier }}:{{ prometheus_postgres_exporter_port }}"; proxy_pass http://$backend/metrics; - {% elif matrix_prometheus_postgres_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host != '' %} - proxy_pass http://{{ matrix_prometheus_postgres_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host }}/metrics; + {% elif matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host != '' %} + proxy_pass http://{{ matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host }}/metrics; {% else %} return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; {% endif %} 
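Review bot: The task that failed when `matrix_nginx_proxy_role_executed` was already set is removed and nothing in the new file replaces it, so if this include ever runs after the matrix-nginx-proxy role the appended `location /metrics/postgres-exporter` block is silently never rendered instead of failing loudly. The guard is presumably redundant now that the file lives under matrix-prometheus-services-proxy-connect, which I take to be ordered before matrix-nginx-proxy, but that ordering assumption is no longer stated anywhere in the file; a one-line comment above the `set_fact` task, `# This role must run before matrix-nginx-proxy, otherwise the block below is never picked up`, would preserve the intent. The `set_fact` task's remaining lines continue past this hunk.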
@@ -31,5 +22,5 @@ {{ matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) + - [matrix_prometheus_postgres_exporter_nginx_metrics_configuration_block] + [matrix_prometheus_services_proxy_connect_postgres_exporter_nginx_metrics_configuration_block] }} diff --git a/roles/custom/matrix_playbook_migration/defaults/main.yml b/roles/custom/matrix_playbook_migration/defaults/main.yml index b553160a9..496c4c753 100644 --- a/roles/custom/matrix_playbook_migration/defaults/main.yml +++ b/roles/custom/matrix_playbook_migration/defaults/main.yml @@ -2,3 +2,6 @@ # Controls if (`matrix_prometheus_node_exporter` -> `prometheus_node_exporter`) validation will run. matrix_playbook_migration_matrix_prometheus_node_exporter_migration_validation_enabled: true + +# Controls if (`matrix_prometheus_postgres_exporter` -> `prometheus_postgres_exporter`) validation will run. +matrix_playbook_migration_matrix_prometheus_postgres_exporter_migration_validation_enabled: true diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index 5d22e4bfe..b04c9e0e9 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml 
@@ -35,6 +35,7 @@ - {'old': 'matrix_common_after_systemd_service_start_wait_for_timeout_seconds', 'new': 'devture_systemd_service_manager_up_verification_delay_seconds'} - {'old': 'matrix_systemd_services_autostart_enabled', 'new': 'devture_systemd_service_manager_services_autostart_enabled'} - {'old': 'matrix_prometheus_node_exporter_metrics_proxying_enabled', 'new': 'matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled'} + - {'old': 'matrix_prometheus_postgres_exporter_metrics_proxying_enabled', 'new': 'matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled'} - name: (Deprecation) Catch and report matrix_postgres variables ansible.builtin.fail: 
@@ -64,3 +65,18 @@ Please change your configuration (vars.yml) to rename all variables (`matrix_prometheus_node_exporter_` -> `prometheus_node_exporter_`). We found usage of the following variables: {{ matrix_playbook_migration_matrix_prometheus_node_exporter_migration_vars.keys() | join(', ') }} when: "matrix_playbook_migration_matrix_prometheus_node_exporter_migration_vars | length > 0" + +- when: matrix_playbook_migration_matrix_prometheus_postgres_exporter_migration_validation_enabled | bool + block: + - ansible.builtin.set_fact: + matrix_playbook_migration_matrix_prometheus_postgres_exporter_migration_vars: |- + {{ vars | dict2items | selectattr('key', 'match', 'matrix_prometheus_postgres_exporter_.*') | list | items2dict }} + + - name: (Deprecation) Catch and report matrix_prometheus_postgres_exporter variables + ansible.builtin.fail: + msg: >- + The matrix-prometheus-postgres-exporter role that used to be part of this playbook has been replaced by https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter. + The new role is compatible with the old one, but uses different names for its variables. + Please change your configuration (vars.yml) to rename all variables (`matrix_prometheus_postgres_exporter_` -> `prometheus_postgres_exporter_`). + We found usage of the following variables: {{ matrix_playbook_migration_matrix_prometheus_postgres_exporter_migration_vars.keys() | join(', ') }} + when: "matrix_playbook_migration_matrix_prometheus_postgres_exporter_migration_vars | length > 0" From 045ed94d43fbaa63befc3f2a863311b86b02c56c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 5 Feb 2023 10:54:51 +0200 Subject: [PATCH 318/915] Upgrade prometheus_postgres_exporter (v0.11.1-0 -> v0.11.1-1) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 69b09cac5..02521cbc5 100644 --- a/requirements.yml +++ b/requirements.yml 
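Review bot: The `ansible.builtin.set_fact` task inside the new block has no `name:`, unlike the `fail` task that follows it, so a run shows an anonymous task in the output; `- name: Collect matrix_prometheus_postgres_exporter variables` above it matches the surrounding style. The `match` test anchors at the start of the key, so the `matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_*` and `matrix_playbook_migration_matrix_prometheus_postgres_exporter_*` names introduced in this same commit are not caught by the regex, which is the intended behaviour but worth a short comment on the `selectattr` line for the next person who adds a similarly prefixed variable.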
@@ -34,4 +34,4 @@ version: v1.5.0-1
 - src: git+https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter.git
- version: v0.11.1-0
+ version: v0.11.1-1
From e018663ba4f2721f58dacad58a23da9b776c5fff Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Mon, 6 Feb 2023 08:38:43 +0200
Subject: [PATCH 319/915] Attach ma1sd/nginx-proxy/synapse-reverse-proxy-companion to additional networks in a better way
Switching from doing "post-start" loop hacks to running the container in 3 steps: `create` + potentially connect to additional networks + `start`. This way, the container would be connected to all its networks even at the very beginning of its life.
---
 .../templates/systemd/matrix-ma1sd.service.j2 | 8 ++++++--
 .../templates/systemd/matrix-nginx-proxy.service.j2 | 8 ++++++--
 .../matrix-synapse-reverse-proxy-companion.service.j2 | 6 ++++--
 3 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/roles/custom/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 b/roles/custom/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2
index 19bd5720c..55505ab69 100644
--- a/roles/custom/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2
+++ b/roles/custom/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2
@@ -18,7 +18,9 @@ ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_s
 # ma1sd writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there,
 # so /tmp needs to be mounted with an exec option.
-ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-ma1sd \
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
+ --rm \
+ --name=matrix-ma1sd \
 --log-driver=none \
 --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 --cap-drop=ALL \
@@ -39,9 +41,11 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
 {{ matrix_ma1sd_docker_image }}
 {% for network in matrix_ma1sd_container_additional_networks %}
-ExecStartPost={{ devture_systemd_docker_base_host_command_sh }} -c 'container_name=matrix-ma1sd; network_name={{ network }}; attempt=0; while [ $attempt -le 29 ]; do attempt=$(( $attempt + 1 )); if [ "`{{ devture_systemd_docker_base_host_command_docker }} inspect -f {{ '{{.State.Running}}' }} $container_name 2> /dev/null`" = "true" ]; then break; fi; sleep 1; done; {{ devture_systemd_docker_base_host_command_docker }} network connect $network_name $container_name'
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-ma1sd
 {% endfor %}
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-ma1sd
+
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-ma1sd 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-ma1sd 2>/dev/null || true'
 Restart=always
diff --git a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
index 0a7e90522..e6c941328 100755
--- a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
+++ b/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
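Review bot: The unit now brings the container up in three steps — `docker create`, one `docker network connect` per additional network, then `docker start --attach` — but nothing in the template says why, so a later cleanup could fold it back into a single `run` and reintroduce the race the removed `ExecStartPost` polling loop was working around. A comment above the `create` line, e.g. `# Create, attach to every network, and only then start: the container is reachable on all its networks from its first moment of life`, would record the intent; the same applies to the matrix-nginx-proxy and matrix-synapse-reverse-proxy-companion hunks below. Note also that the new `ExecStartPre=… network connect` line carries no `-` prefix, so a missing additional network now fails the unit instead of being retried for 30 seconds; that is arguably the right fail-fast behaviour given the defaults say the playbook does not create these networks, but it is a behaviour change worth stating in that comment.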
@@ -16,7 +16,9 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-nginx-proxy 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-nginx-proxy 2>/dev/null || true'
-ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-nginx-proxy \
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
+ --rm \
+ --name=matrix-nginx-proxy \
 --log-driver=none \
 --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 --cap-drop=ALL \
@@ -48,9 +50,11 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
 {{ matrix_nginx_proxy_docker_image }}
 {% for network in matrix_nginx_proxy_container_additional_networks %}
-ExecStartPost={{ devture_systemd_docker_base_host_command_sh }} -c 'container_name=matrix-nginx-proxy; network_name={{ network }}; attempt=0; while [ $attempt -le 29 ]; do attempt=$(( $attempt + 1 )); if [ "`{{ devture_systemd_docker_base_host_command_docker }} inspect -f {{ '{{.State.Running}}' }} $container_name 2> /dev/null`" = "true" ]; then break; fi; sleep 1; done; {{ devture_systemd_docker_base_host_command_docker }} network connect $network_name $container_name'
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-nginx-proxy
 {% endfor %}
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-nginx-proxy
+
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-nginx-proxy 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-nginx-proxy 2>/dev/null || true'
 ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-nginx-proxy /usr/sbin/nginx -s reload
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2
index 2b548ef8c..125d7f498 100755
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2
@@ -16,7 +16,7 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-synapse-reverse-proxy-companion 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-synapse-reverse-proxy-companion 2>/dev/null || true'
-ExecStart={{ devture_systemd_docker_base_host_command_docker }} run \
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 --rm \
 --name=matrix-synapse-reverse-proxy-companion \
 --log-driver=none \
@@ -39,9 +39,11 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run \
 {{ matrix_synapse_reverse_proxy_companion_container_image }}
 {% for network in matrix_synapse_reverse_proxy_companion_container_additional_networks %}
-ExecStartPost={{ devture_systemd_docker_base_host_command_sh }} -c 'container_name=matrix-synapse-reverse-proxy-companion; network_name={{ network }}; attempt=0; while [ $attempt -le 29 ]; do attempt=$(( $attempt + 1 )); if [ "`{{ devture_systemd_docker_base_host_command_docker }} inspect -f {{ '{{.State.Running}}' }} $container_name 2> /dev/null`" = "true" ]; then break; fi; sleep 1; done; {{ devture_systemd_docker_base_host_command_docker }} network connect $network_name $container_name'
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-synapse-reverse-proxy-companion
 {% endfor %}
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-synapse-reverse-proxy-companion
+
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-synapse-reverse-proxy-companion 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-synapse-reverse-proxy-companion 2>/dev/null || true'
 ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-synapse-reverse-proxy-companion /usr/sbin/nginx -s reload
From 4d6a8d049d7436a8c487661f67f57c6b92da0e21 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Mon, 6 Feb 2023 08:48:11 +0200
Subject: [PATCH 320/915] Add matrix_nginx_proxy_container_network variable
---
 roles/custom/matrix-nginx-proxy/defaults/main.yml | 4 ++++
 .../templates/bin/lets-encrypt-certificates-renew.j2 | 2 +-
 .../templates/systemd/matrix-nginx-proxy.service.j2 | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index 6fbc019e2..2861084de 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml @@ -21,6 +21,10 @@ matrix_nginx_proxy_systemd_required_services_list: ['docker.service'] # List of systemd services that matrix-nginx-proxy.service wants matrix_nginx_proxy_systemd_wanted_services_list: [] +# The base container network. +# Also see: matrix_nginx_proxy_container_additional_networks +matrix_nginx_proxy_container_network: "{{ matrix_docker_network }}" + # A list of additional container networks that matrix-nginx-proxy would be connected to. # The playbook does not create these networks, so make sure they already exist. # diff --git a/roles/custom/matrix-nginx-proxy/templates/bin/lets-encrypt-certificates-renew.j2 b/roles/custom/matrix-nginx-proxy/templates/bin/lets-encrypt-certificates-renew.j2 index 89113629b..5f235ea26 100644 --- a/roles/custom/matrix-nginx-proxy/templates/bin/lets-encrypt-certificates-renew.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/bin/lets-encrypt-certificates-renew.j2 @@ -12,7 +12,7 @@ docker run \ --name=matrix-certbot \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ - --network="{{ matrix_docker_network }}" \ + --network="{{ matrix_nginx_proxy_container_network }}" \ -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 \ --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt \ --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt \ diff --git a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index e6c941328..301eb9d5d 100755 --- a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 
+++ b/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -24,7 +24,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --cap-drop=ALL \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_nginx_proxy_tmp_directory_size_mb }}m \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_nginx_proxy_container_network }} \ {% if matrix_nginx_proxy_container_http_host_bind_port %} -p {{ matrix_nginx_proxy_container_http_host_bind_port }}:8080 \ {% endif %} From 5de5b5c62c5efe9e71e225e673c72932177f95f9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 6 Feb 2023 09:49:15 +0200 Subject: [PATCH 321/915] Upgrade prometheus_postgres_exporter (v0.11.1-1 -> v0.11.1-2) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 02521cbc5..d580dbde8 100644 --- a/requirements.yml +++ b/requirements.yml @@ -34,4 +34,4 @@ version: v1.5.0-1 - src: git+https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter.git - version: v0.11.1-1 + version: v0.11.1-2 From 946bbe9734a0b045285e738d5ab52a44d061ab71 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 6 Feb 2023 09:54:34 +0200 Subject: [PATCH 322/915] Upgrade prometheus_node_exporter (v1.5.0-1 -> v1.5.0-2) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index d580dbde8..4797423d9 100644 --- a/requirements.yml +++ b/requirements.yml @@ -31,7 +31,7 @@ version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6 - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git - version: v1.5.0-1 + version: v1.5.0-2 - src: git+https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter.git version: v0.11.1-2 From f9836046956bb7fb3741dcafb2e37a55047b67b5 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Mon, 6 Feb 2023 10:34:51 +0200 Subject: [PATCH 323/915] Initial work on Traefik support This gets us started on adding a Traefik role and hooking Traefik: - directly to services which support Traefik - we only have a few of these right now, but the list will grow - to matrix-nginx-proxy for most services that integrate with matrix-nginx-proxy right now Traefik usage should be disabled by default for now and nothing should change for people just yet. Enabling these experiments requires additional configuration like this: ```yaml devture_traefik_ssl_email_address: '.....' matrix_playbook_traefik_role_enabled: true matrix_playbook_traefik_labels_enabled: true matrix_ssl_retrieval_method: none matrix_nginx_proxy_https_enabled: false matrix_nginx_proxy_container_http_host_bind_port: '' matrix_nginx_proxy_container_federation_host_bind_port: '' matrix_nginx_proxy_trust_forwarded_proto: true matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for' matrix_coturn_enabled: false ``` What currently works is: reverse-proxying for all nginx-proxy based services **except** for the Matrix homeserver (both Client-Server an Federation traffic for the homeserver don't work yet) --- group_vars/matrix_servers | 70 +++++++++ playbooks/matrix.yml | 3 + requirements.yml | 3 + .../matrix-nginx-proxy/defaults/main.yml | 74 +++++++++ .../tasks/setup_nginx_proxy.yml | 8 + .../matrix-nginx-proxy/templates/labels.j2 | 144 ++++++++++++++++++ .../systemd/matrix-nginx-proxy.service.j2 | 1 + 7 files changed, 303 insertions(+) create mode 100644 roles/custom/matrix-nginx-proxy/templates/labels.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 6d096dea0..da624d9a5 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -19,6 +19,28 @@ # Also see `devture_docker_sdk_for_python_installation_enabled`. matrix_playbook_docker_installation_enabled: true +# Controls whether to run the Traefik role or not +# See the `com.devture.ansible.role.traefik` section below for role configuration. +# +# There's a difference between `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`. +# `devture_traefik_enabled` controls what the Traefik role would do - when not enabled, it will run uninstall tasks, etc. +# `matrix_playbook_traefik_role_enabled` controls if the Traefik role would even run at all. +# +# Sometimes, you're installing Traefik via a different (related playbook) which uses the same role. +# In such cases, you'd like to disable the role in this playbook from bothering with Traefik at all (`matrix_playbook_traefik_role_enabled: false`). +# If you used `devture_traefik_enabled: false` + `matrix_playbook_traefik_role_enabled: true` instead, you'd see the Treafik role here +# try to delete Traefik data (`/devture-traefik`) installed by the other playbook. +matrix_playbook_traefik_role_enabled: false + +# Controls whether to attach Traefik labels to services. +# This is separate from `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`, +# because you may wish to disable Traefik installation by the playbook, yet still use Traefik +# installed in another way. +matrix_playbook_traefik_labels_enabled: false + +# Controls the additional network that reverse-proxyable services will be connected to. +matrix_playbook_reverse_proxyable_services_additional_network: "{{ devture_traefik_container_network if devture_traefik_enabled else '' }}" + ######################################################################## # # # /Playbook # 
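Review bot: `matrix_playbook_reverse_proxyable_services_additional_network` is derived from `devture_traefik_enabled` alone, yet the comment on `matrix_playbook_traefik_labels_enabled` just above it explicitly describes enabling labels while leaving the playbook's Traefik disabled because Traefik is installed another way. In that configuration the expression resolves to `''`, so the labelled services are attached to no Traefik network and `matrix_nginx_proxy_container_labels_traefik_docker_network` (set from it later in this commit) is empty; either the expression should also consider `matrix_playbook_traefik_labels_enabled`, or the comment should say that `matrix_playbook_reverse_proxyable_services_additional_network` must be overridden in that case. The comment also misspells the product as `Treafik`.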
@@ -320,6 +342,8 @@ devture_systemd_service_manager_services_list_auto: | ([{'name': 'matrix-synapse-admin.service', 'priority': 4000, 'groups': ['matrix', 'synapse-admin']}] if matrix_synapse_admin_enabled else []) + ([{'name': 'matrix-synapse-reverse-proxy-companion.service', 'priority': 1500, 'groups': ['matrix', 'homeservers', 'synapse', 'reverse-proxies']}] if matrix_synapse_reverse_proxy_companion_enabled else []) + + + ([{'name': 'devture-traefik.service', 'priority': 3000, 'groups': ['matrix', 'traefik', 'reverse-proxies']}] if matrix_playbook_traefik_role_enabled else []) }} ######################################################################## @@ -2157,6 +2181,8 @@ matrix_ma1sd_database_password: "{{ '%s' | format(matrix_homeserver_generic_secr # If that's not the case, you may wish to disable this and take care of proxying yourself. matrix_nginx_proxy_enabled: true +matrix_nginx_proxy_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" + matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-nginx-proxy:12080' }}" matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ '127.0.0.1:41080' if matrix_corporal_enabled else '127.0.0.1:12080' }}" matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: |- 
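Review bot: The `devture-traefik.service` entry in `devture_systemd_service_manager_services_list_auto` is gated on `matrix_playbook_traefik_role_enabled`, whereas the unit only exists when `devture_traefik_enabled` is true. The comment added earlier in this commit describes running the role with `devture_traefik_enabled: false` precisely so that it uninstalls Traefik; in that case the service manager would still try to manage a unit the role has removed. Gating on the service's own flag, `… if devture_traefik_enabled else [])`, would match how the neighbouring entries are conditioned on `matrix_synapse_admin_enabled` and `matrix_synapse_reverse_proxy_companion_enabled`.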
@@ -2185,6 +2211,22 @@ matrix_nginx_proxy_proxy_grafana_enabled: "{{ matrix_grafana_enabled }}" matrix_nginx_proxy_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled }}" matrix_nginx_proxy_proxy_ntfy_enabled: "{{ matrix_ntfy_enabled }}" +matrix_nginx_proxy_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" +matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_config_entrypoint_primary }}" + +matrix_nginx_proxy_container_labels_traefik_proxy_element_enabled: "{{ matrix_client_element_enabled }}" +matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}" +matrix_nginx_proxy_container_labels_traefik_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled }}" +matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled }}" +matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" +matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}" +matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" +matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" +matrix_nginx_proxy_container_labels_traefik_proxy_grafana_enabled: "{{ matrix_grafana_enabled }}" +matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled }}" +matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_enabled: "{{ matrix_ntfy_enabled }}" + matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}" matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" 
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081" @@ -2968,7 +3010,11 @@ prometheus_node_exporter_server_fqn: "{{ matrix_server_fqn_matrix }}" prometheus_node_exporter_container_network: "{{ matrix_docker_network }}" +prometheus_node_exporter_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" + prometheus_node_exporter_container_labels_traefik_enabled: false +prometheus_node_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +prometheus_node_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_config_entrypoint_primary }}" ###################################################################### # @@ -2995,7 +3041,11 @@ prometheus_postgres_exporter_server_fqn: "{{ matrix_server_fqn_matrix }}" prometheus_postgres_exporter_container_network: "{{ matrix_docker_network }}" +prometheus_postgres_exporter_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" + prometheus_postgres_exporter_container_labels_traefik_enabled: false +prometheus_postgres_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +prometheus_postgres_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_config_entrypoint_primary }}" prometheus_postgres_exporter_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" prometheus_postgres_exporter_database_username: matrix_prometheus_postgres_exporter 
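Review bot: Both exporters are attached to `matrix_playbook_reverse_proxyable_services_additional_network` (the Traefik network) even though `prometheus_node_exporter_container_labels_traefik_enabled` and `prometheus_postgres_exporter_container_labels_traefik_enabled` stay `false`, so as soon as Traefik is enabled their metrics listeners become reachable from every container on that network without Traefik actually routing to them. The exporters are still exposed through matrix-nginx-proxy with whatever access control it applies, so the extra attachment only widens the reachability of unauthenticated metrics for no gain; consider conditioning each `..._container_additional_networks` on the corresponding `..._container_labels_traefik_enabled` flag so an exporter joins the Traefik network only once Traefik is meant to front it. This applies to both the node-exporter and the postgres-exporter hunks.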
@@ -3284,3 +3334,23 @@ matrix_user_creator_users_auto: |
 # /matrix-user-creator #
 ######################################################################
+
+
+########################################################################
+# #
+# com.devture.ansible.role.traefik #
+# #
+########################################################################
+
+# To completely disable the Traefik role from running, use `matrix_playbook_traefik_role_enabled: false`.
+# See the comment there for more details about why we have both `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`.
+devture_traefik_enabled: "{{ matrix_playbook_traefik_role_enabled }}"
+
+devture_traefik_uid: "{{ matrix_user_uid }}"
+devture_traefik_gid: "{{ matrix_user_gid }}"
+
+########################################################################
+# #
+# /com.devture.ansible.role.traefik #
+# #
+########################################################################
diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml
index 7be0d6295..392a3a0e0 100755
--- a/playbooks/matrix.yml
+++ b/playbooks/matrix.yml
@@ -115,6 +115,9 @@
 - custom/matrix-user-creator
 - custom/matrix-common-after
+ - when: matrix_playbook_traefik_role_enabled | bool
+ role: galaxy/com.devture.ansible.role.traefik
+
 - when: devture_systemd_service_manager_enabled | bool
 role: galaxy/com.devture.ansible.role.systemd_service_manager
diff --git a/requirements.yml b/requirements.yml
index 4797423d9..696b27000 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -35,3 +35,6 @@
 - src: git+https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter.git
 version: v0.11.1-2
+
+- src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
+ version: 407af71a3667b1d8083beb10bf22423ecf013f58
diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml
index 2861084de..25911a499 100644
--- a/roles/custom/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml 
@@ -40,6 +40,80 @@ matrix_nginx_proxy_container_additional_networks: []
 # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
 matrix_nginx_proxy_container_additional_volumes: []
+# matrix_nginx_proxy_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
+# See `../templates/labels.j2` for details.
+#
+# To inject your own other container labels, see `matrix_nginx_proxy_container_labels_additional_labels`.
+matrix_nginx_proxy_container_labels_traefik_enabled: false
+matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_nginx_proxy_container_network }}"
+matrix_nginx_proxy_container_labels_traefik_entrypoints: web-secure
+matrix_nginx_proxy_container_labels_traefik_tls_certResolver: default # noqa var-naming
+
+matrix_nginx_proxy_container_labels_traefik_proxy_element_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_element_hostname: "{{ matrix_server_fqn_element }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_element_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_element_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_element_hostname }}`)"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_hostname }}`)"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_cinny_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_cinny_hostname: "{{ matrix_server_fqn_cinny }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_cinny_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_cinny_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_cinny_hostname }}`)"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_hostname: "{{ matrix_server_fqn_buscarron }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_hostname }}`)"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_dimension_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_hostname }}`)"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_hostname: "{{ matrix_server_fqn_etherpad }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_hostname }}`)"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_hostname }}`)"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_hostname }}`)"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_grafana_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_grafana_hostname: "{{ matrix_server_fqn_grafana }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_grafana_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_grafana_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_grafana_hostname }}`)"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_hostname }}`)"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_hostname: "{{ matrix_server_fqn_ntfy }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_hostname }}`)"
+
+# matrix_nginx_proxy_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
+# See `../templates/labels.j2` for details.
+#
+# Example:
+# matrix_nginx_proxy_container_labels_additional_labels: |
+# my.label=1
+# another.label="here"
+matrix_nginx_proxy_container_labels_additional_labels: ''
+
+
 # A list of extra arguments to pass to the container
 matrix_nginx_proxy_container_extra_arguments: []
diff --git a/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
index dd11721a0..31ff68f25 100644
--- a/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
+++ b/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
@@ -22,6 +22,14 @@
 - "{{ matrix_nginx_proxy_data_path }}"
 - "{{ matrix_nginx_proxy_confd_path }}"
+- name: Ensure Matrix nginx-proxy labels file is created
+ ansible.builtin.template:
+ src: "{{ role_path }}/templates/labels.j2"
+ dest: "{{ matrix_nginx_proxy_base_path }}/labels"
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_groupname }}"
+ mode: 0640
+
 - name: Ensure Matrix nginx-proxy configured (main config override)
 ansible.builtin.template:
 src: "{{ role_path }}/templates/nginx/nginx.conf.j2"
diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2
new file mode 100644
index 000000000..06cc8d1a8
--- /dev/null
+++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2
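Review bot: Every `*_tls` default, starting with `matrix_nginx_proxy_container_labels_traefik_proxy_element_tls`, is computed as `matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web'`, a whole-string comparison; Traefik accepts a comma-separated entrypoint list for a router, so a value such as `web,web-secure` would switch TLS on for a router that also listens on the plain-HTTP entrypoint. If a list is meant to be supported, base the flag on membership, e.g. `"{{ 'web' not in matrix_nginx_proxy_container_labels_traefik_entrypoints.split(',') }}"`; if only a single entrypoint name is intended, a comment above `matrix_nginx_proxy_container_labels_traefik_entrypoints` saying `# A single Traefik entrypoint name; the *_tls defaults below assume it is not the plain-HTTP one` would record that. The eleven per-service `_tls` lines are otherwise identical and could derive from one shared default to keep them in step.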
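Review bot: `mode: 0640` in the new labels-file task is an unquoted octal literal; YAML loads it as the integer 416, which Ansible does map back to 0640, but ansible-lint flags this form because a value that loses its leading zero (or is read by a YAML 1.2 loader) silently becomes a different mode. Quoting it, `mode: "0640"`, removes the ambiguity and matches what the linter expects. The restrictive mode is appropriate: `labels.j2` renders routing rules only, but keeping the file unreadable to other users is still the safer default.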
@@ -0,0 +1,144 @@
+{% if matrix_nginx_proxy_container_labels_traefik_enabled %}
+traefik.enable=true
+
+{% if matrix_nginx_proxy_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_nginx_proxy_container_labels_traefik_docker_network }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_element_enabled %}
+# Element
+traefik.http.routers.matrix-nginx-proxy-element.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_element_rule }}
+traefik.http.routers.matrix-nginx-proxy-element.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-element.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_element_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_element_tls %}
+traefik.http.routers.matrix-nginx-proxy-element.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-element.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_enabled %}
+# Hydrogen
+traefik.http.routers.matrix-nginx-proxy-hydrogen.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_rule }}
+traefik.http.routers.matrix-nginx-proxy-hydrogen.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-hydrogen.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_tls %}
+traefik.http.routers.matrix-nginx-proxy-hydrogen.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-hydrogen.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_cinny_enabled %}
+# Cinny
+traefik.http.routers.matrix-nginx-proxy-cinny.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_cinny_rule }}
+traefik.http.routers.matrix-nginx-proxy-cinny.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-cinny.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_cinny_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_cinny_tls %}
+traefik.http.routers.matrix-nginx-proxy-cinny.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-cinny.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled %}
+# Buscarron
+traefik.http.routers.matrix-nginx-proxy-buscarron.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_rule }}
+traefik.http.routers.matrix-nginx-proxy-buscarron.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-buscarron.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_tls %}
+traefik.http.routers.matrix-nginx-proxy-buscarron.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-buscarron.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled %}
+# Dimension
+traefik.http.routers.matrix-nginx-proxy-dimension.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_rule }}
+traefik.http.routers.matrix-nginx-proxy-dimension.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-dimension.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls %}
+traefik.http.routers.matrix-nginx-proxy-dimension.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-dimension.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled %}
+# Etherpad
+traefik.http.routers.matrix-nginx-proxy-etherpad.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_rule }}
+traefik.http.routers.matrix-nginx-proxy-etherpad.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-etherpad.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls %}
+traefik.http.routers.matrix-nginx-proxy-etherpad.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-etherpad.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled %}
+# Go NEB bot
+traefik.http.routers.matrix-nginx-proxy-bot_go_neb.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_rule }}
+traefik.http.routers.matrix-nginx-proxy-bot_go_neb.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-bot_go_neb.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_tls %}
+traefik.http.routers.matrix-nginx-proxy-bot_go_neb.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-bot_go_neb.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled %}
+# Jitsi
+traefik.http.routers.matrix-nginx-proxy-jitsi.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_rule }}
+traefik.http.routers.matrix-nginx-proxy-jitsi.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-jitsi.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_tls %}
+traefik.http.routers.matrix-nginx-proxy-jitsi.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-jitsi.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_grafana_enabled %}
+# Grafana
+traefik.http.routers.matrix-nginx-proxy-grafana.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_grafana_rule }}
+traefik.http.routers.matrix-nginx-proxy-grafana.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-grafana.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_grafana_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_grafana_tls %}
+traefik.http.routers.matrix-nginx-proxy-grafana.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-grafana.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_enabled %}
+# Sygnal
+traefik.http.routers.matrix-nginx-proxy-sygnal.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_rule }}
+traefik.http.routers.matrix-nginx-proxy-sygnal.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-sygnal.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_tls %}
+traefik.http.routers.matrix-nginx-proxy-sygnal.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-sygnal.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_enabled %}
+# ntfy
+traefik.http.routers.matrix-nginx-proxy-ntfy.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_rule }}
+traefik.http.routers.matrix-nginx-proxy-ntfy.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-ntfy.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_tls %}
+traefik.http.routers.matrix-nginx-proxy-ntfy.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-ntfy.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+traefik.http.services.matrix-nginx-proxy-web.loadbalancer.server.port=8080
+{% endif %}
+
+{{ matrix_nginx_proxy_container_labels_additional_labels }}
diff --git a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
index 301eb9d5d..f302c92e0 100755
--- a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
+++ b/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
@@ -24,6 +24,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 --cap-drop=ALL \
 --read-only \
 --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_nginx_proxy_tmp_directory_size_mb }}m \
+ --label-file={{ matrix_nginx_proxy_base_path }}/labels \
 --network={{ matrix_nginx_proxy_container_network }} \
 {% if matrix_nginx_proxy_container_http_host_bind_port %}
 -p {{ matrix_nginx_proxy_container_http_host_bind_port }}:8080 \
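Review bot: The eleven per-service sections from `# Element` through `# ntfy` are identical apart from the service name, which makes the template long and easy to let drift when one copy is edited (the `matrix-nginx-proxy-bot_go_neb` router name already mixes `-` and `_`, unlike every other router name). A single `{% for %}` over the service names, resolving each service's variables through the `vars` lookup, would state the router labels once; the `{% if matrix_nginx_proxy_container_labels_traefik_enabled %}` wrapper and the shared `matrix-nginx-proxy-web` service line would stay as they are. If the explicit copies are preferred, a header comment such as `{# Every per-service section below must stay identical except for the service name; edit all of them together #}` would at least make that invariant visible.

```jinja
{# … unchanged: traefik.enable / traefik.docker.network header … #}
{% for svc in ['element', 'hydrogen', 'cinny', 'buscarron', 'dimension', 'etherpad', 'bot_go_neb', 'jitsi', 'grafana', 'sygnal', 'ntfy'] %}
{% set prefix = 'matrix_nginx_proxy_container_labels_traefik_proxy_' ~ svc %}
{% if lookup('vars', prefix ~ '_enabled') %}
# {{ svc }}
traefik.http.routers.matrix-nginx-proxy-{{ svc }}.rule={{ lookup('vars', prefix ~ '_rule') }}
traefik.http.routers.matrix-nginx-proxy-{{ svc }}.service=matrix-nginx-proxy-web
traefik.http.routers.matrix-nginx-proxy-{{ svc }}.tls={{ lookup('vars', prefix ~ '_tls') | to_json }}
{% if lookup('vars', prefix ~ '_tls') %}
traefik.http.routers.matrix-nginx-proxy-{{ svc }}.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
{% endif %}
traefik.http.routers.matrix-nginx-proxy-{{ svc }}.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
{% endif %}

{% endfor %}
{# … unchanged: matrix-nginx-proxy-web service port and additional_labels … #}
```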
From 94830b582bc56226245020b450bb311228c2e299 Mon Sep 17 00:00:00 2001
From: jakicoll
Date: Mon, 6 Feb 2023 11:58:50 +0100
Subject: [PATCH 324/915] Wording: change collection -> playbook
---
 docs/configuring-playbook-user-verification-service.md | 6 +++---
 group_vars/matrix_servers | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/docs/configuring-playbook-user-verification-service.md b/docs/configuring-playbook-user-verification-service.md
index f3d3aa6e2..e7fc95709 100644
--- a/docs/configuring-playbook-user-verification-service.md
+++ b/docs/configuring-playbook-user-verification-service.md
@@ -7,7 +7,7 @@ Currently, the main purpose of this role is to allow Jitsi to authenticate matri
 **Note**: enabling Matrix User Verification Service, means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled.
-If the Jitsi server is also configured by this collection, all plugging of variables and secrets is handled in `group_vars/matrix_servers`.
+If the Jitsi server is also configured by this playbook, all plugging of variables and secrets is handled in `group_vars/matrix_servers`.
 __Some general concepts of UVS may be helpful to understand the rest, so here they are:__
@@ -18,7 +18,7 @@ UVS can be used to verify two claims:
 Verifying an OpenID token id done by finding the corresponding Homeserver via '.well-known/matrix/server' for the given domain.
 The configured `matrix_user_verification_service_uvs_homeserver_url` does **not** factor into this.
-By default, this collection only checks against `matrix_server_fqn_matrix`.
+By default, this playbook only checks against `matrix_server_fqn_matrix`.
 Therefore, the request will be made against the public openid API for `matrix_server_fqn_matrix`.
 Verifying RoomMembership and PowerLevel is done against `matrix_user_verification_service_uvs_homeserver_url` which is by default done via the docker network.
@@ -74,7 +74,7 @@ To set your own Token, simply put the following in your host_vars.
 matrix_user_verification_service_uvs_auth_token: "TOKEN"
 ```
-In case Jitsi is also managed by this collection and 'matrix' authentication in Jitsi is enabled, this collection will automatically configure Jitsi to use the configured auth token.
+In case Jitsi is also managed by this playbook and 'matrix' authentication in Jitsi is enabled, this collection will automatically configure Jitsi to use the configured auth token.
 ### (Optional) Federation
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 18068bd6c..6c785e01f 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -3207,15 +3207,15 @@ matrix_user_verification_service_container_http_host_bind_port: "{{ '' if (matr
 # URL exposed in the docker network
 matrix_user_verification_service_container_url: "http://{{ matrix_user_verification_service_container_name }}:3000"
-# Set the homeserver URL to the container name if synapse is managed by this collection
+# Set the homeserver URL to the container name if synapse is managed by this playbook
 matrix_user_verification_service_uvs_homeserver_url: "{{ matrix_homeserver_container_url if matrix_synapse_enabled }}"
-# If synapse is managed by this collection, we will connect via docker network, which is a private ip.
+# If synapse is managed by this playbook, we will connect via docker network, which is a private ip.
 # Therefore we need to disable IP checks
 matrix_user_verification_service_uvs_disable_ip_blacklist: "{{'true' if matrix_synapse_enabled else 'false'}}"
 matrix_user_verification_service_uvs_auth_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'uvs.auth.token', rounds=655555) | to_uuid }}"
-# Pin UVS to only check openId Tokens for the matrix_server_name configured by this collection.
+# Pin UVS to only check openId Tokens for the matrix_server_name configured by this playbook.
 # This is not the homeserverURL, but rather the domain in the matrix "user ID"
 matrix_user_verification_service_uvs_openid_verify_server_name: "{{ matrix_domain }}"
 matrix_user_verification_service_uvs_log_level: warning
From 8155f780e5291496eaf4f4ab989e676cf33e8a91 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev Date: Mon, 6 Feb 2023 13:08:11 +0200 Subject: [PATCH 325/915] Add support for reverse-proxying Matric (Client & Federation) via Traefik --- group_vars/matrix_servers | 7 +++++ requirements.yml | 2 +- roles/custom/matrix-base/defaults/main.yml | 3 +++ .../matrix-nginx-proxy/defaults/main.yml | 7 +++++ .../matrix-nginx-proxy/templates/labels.j2 | 26 +++++++++++++++++++ 5 files changed, 44 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index da624d9a5..8ce94f52e 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2215,6 +2215,7 @@ matrix_nginx_proxy_container_labels_traefik_enabled: "{{ matrix_playbook_traefik matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_config_entrypoint_primary }}" +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true matrix_nginx_proxy_container_labels_traefik_proxy_element_enabled: "{{ matrix_client_element_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled }}" @@ -3349,6 +3350,12 @@ devture_traefik_enabled: "{{ matrix_playbook_traefik_role_enabled }}" devture_traefik_uid: "{{ matrix_user_uid }}" devture_traefik_gid: "{{ matrix_user_gid }}" +devture_traefik_additional_entrypoints_auto: + - name: matrix-federation + port: "{{ matrix_federation_public_port }}" + host_bind_port: "{{ matrix_federation_public_port }}" + config: {} + ######################################################################## # # # /com.devture.ansible.role.traefik # diff --git a/requirements.yml b/requirements.yml index 696b27000..e0ff1e818 100644 --- a/requirements.yml +++ b/requirements.yml 
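Review bot: `devture_traefik_additional_entrypoints_auto` declares the `matrix-federation` entrypoint with `host_bind_port: "{{ matrix_federation_public_port }}"` unconditionally, so the federation port is opened on the host by Traefik even on a deployment that has federation switched off; nothing in the @@ -3349 hunk ties the entry to a federation flag. The labels template in this same commit does gate the backend on `matrix_nginx_proxy_proxy_matrix_federation_api_enabled`, so the entrypoint list could follow the same switch, e.g. move the dict into a helper variable and set `devture_traefik_additional_entrypoints_auto: "{{ [matrix_playbook_traefik_federation_entrypoint_definition] if matrix_nginx_proxy_proxy_matrix_federation_api_enabled else [] }}"` (helper name constructed for illustration). In the @@ -2215 hunk, `matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true` is likewise unconditional; that is presumably harmless because the whole labels file is wrapped in `matrix_nginx_proxy_container_labels_traefik_enabled`, but a one-line comment saying so would save the next reader the check.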
@@ -37,4 +37,4 @@ version: v0.11.1-2 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: 407af71a3667b1d8083beb10bf22423ecf013f58 + version: b8609fd07c26c89a72fe2934d183af5fd964bc1c diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index 63aee58ac..025e7363a 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml @@ -92,6 +92,9 @@ matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}" matrix_federation_public_port: 8448 +# The name of the Traefik entrypoint for handling Matrix Federation +matrix_federation_traefik_entrypoint: matrix-federation + # The architecture that your server runs. # Recognized values by us are 'amd64', 'arm32' and 'arm64'. # Not all architectures support all services, so your experience (on non-amd64) may vary. diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index 25911a499..e83e9b5b2 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml 
@@ -49,6 +49,13 @@ matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_nginx_pro matrix_nginx_proxy_container_labels_traefik_entrypoints: web-secure matrix_nginx_proxy_container_labels_traefik_tls_certResolver: default # noqa var-naming +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: false +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}" +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_hostname }}`)" +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint: "{{ matrix_federation_traefik_entrypoint }}" +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints: "{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint }}" + matrix_nginx_proxy_container_labels_traefik_proxy_element_enabled: false matrix_nginx_proxy_container_labels_traefik_proxy_element_hostname: "{{ matrix_server_fqn_element }}" matrix_nginx_proxy_container_labels_traefik_proxy_element_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2 index 06cc8d1a8..407654a70 100644 --- a/roles/custom/matrix-nginx-proxy/templates/labels.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2 
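Review bot: `matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls` is derived from the client entrypoint (`matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web'`), yet the labels template in this commit reuses the same value for the federation router, whose entrypoint is the separate `..._proxy_matrix_federation_entrypoints`; the federation router's TLS flag therefore follows a setting that is not its own. A dedicated default such as `matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_tls: true` would let the two routers be configured independently. `..._federation_entrypoint` and `..._federation_entrypoints` also carry the same value with no comment on why both exist; if the plural form is meant to accept a comma-separated list later, a line saying `# May become a comma-separated list of entrypoints` above it would make that intent explicit.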
@@ -6,6 +6,27 @@ traefik.docker.network={{ matrix_nginx_proxy_container_labels_traefik_docker_net {% endif %} +{% if matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled %} +# Matrix Client +traefik.http.routers.matrix-nginx-proxy-matrix-client.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule }} +traefik.http.routers.matrix-nginx-proxy-matrix-client.service=matrix-nginx-proxy-web +traefik.http.routers.matrix-nginx-proxy-matrix-client.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls | to_json }} +{% if matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls %} +traefik.http.routers.matrix-nginx-proxy-matrix-client.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} +{% endif %} +traefik.http.routers.matrix-nginx-proxy-matrix-client.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} + +# Matrix Federation +traefik.http.routers.matrix-nginx-proxy-matrix-federation.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule }} +traefik.http.routers.matrix-nginx-proxy-matrix-federation.service=matrix-nginx-proxy-federation +traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls | to_json }} +{% if matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls %} +traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} +{% endif %} +traefik.http.routers.matrix-nginx-proxy-matrix-federation.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints }} +{% endif %} + + {% if matrix_nginx_proxy_container_labels_traefik_proxy_element_enabled %} # Element traefik.http.routers.matrix-nginx-proxy-element.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_element_rule }} 
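Review bot: The `# Matrix Federation` router is emitted whenever `matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled` is true, but the `matrix-nginx-proxy-federation` service it points at is only defined under `{% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %}` in the following hunk (@@ -139); with the federation API disabled, Traefik receives a router whose service does not exist and will reject that router at load time. Wrapping the federation block in the same condition, `{% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %}` before `# Matrix Federation` and a matching `{% endif %}` after its `.entrypoints=` line, keeps router and service in step. The outer `{% if ..._proxy_matrix_enabled %}` opens and closes inside this hunk.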
@@ -139,6 +160,11 @@ traefik.http.routers.matrix-nginx-proxy-ntfy.entrypoints={{ matrix_nginx_proxy_c traefik.http.services.matrix-nginx-proxy-web.loadbalancer.server.port=8080 + +{% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %} +traefik.http.services.matrix-nginx-proxy-federation.loadbalancer.server.port={{ matrix_nginx_proxy_proxy_matrix_federation_port }} +{% endif %} + {% endif %} {{ matrix_nginx_proxy_container_labels_additional_labels }}
From f53731756d23079660ee299a0621097dd2936398 Mon Sep 17 00:00:00 2001
From: jakicoll
Date: Mon, 6 Feb 2023 12:15:54 +0100
Subject: [PATCH 326/915] Change comment

Applying the assumption, that synapse is always managed by this playbook.
---
 group_vars/matrix_servers | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 6c785e01f..b52c74a3b 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -3209,8 +3209,7 @@ matrix_user_verification_service_container_url: "http://{{ matrix_user_verifica
 
 # Set the homeserver URL to the container name if synapse is managed by this playbook
 matrix_user_verification_service_uvs_homeserver_url: "{{ matrix_homeserver_container_url if matrix_synapse_enabled }}"
-# If synapse is managed by this playbook, we will connect via docker network, which is a private ip.
-# Therefore we need to disable IP checks
+# We connect via the container network (private IPs), so we need to disable IP checks
 matrix_user_verification_service_uvs_disable_ip_blacklist: "{{'true' if matrix_synapse_enabled else 'false'}}"
 
 matrix_user_verification_service_uvs_auth_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'uvs.auth.token', rounds=655555) | to_uuid }}"
From 6913d368c8a11d61b2de4bb8fbe1adb39c8bb32f Mon Sep 17 00:00:00 2001
From: Jakob S
Date: Mon, 6 Feb 2023 12:38:01 +0100
Subject: [PATCH 327/915] Consolidate conditionals into a block, keep image

Co-authored-by: Slavi Pantaleev
---
 .../tasks/setup_uninstall.yml | 42 +++++++------------
 1 file changed, 16 insertions(+), 26 deletions(-)

diff --git a/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml b/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml
index 2a14d96ac..5daafd3d8 100644
--- a/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml
@@ -5,31 +5,21 @@
     path: "{{ matrix_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}"
   register: matrix_user_verification_service_service_stat
 
-- name: Ensure matrix-user-verification-service is stopped
-  service:
-    name: "{{ matrix_user_verification_service_systemd_service_basename }}"
-    state: stopped
-    daemon_reload: yes
-  register: stopping_result
-  when: "matrix_user_verification_service_service_stat.stat.exists|bool"
+- when: matrix_user_verification_service_service_stat.stat.exists | bool
+  block:
+    - name: Ensure matrix-user-verification-service is stopped
+      service:
+        name: "{{ matrix_user_verification_service_systemd_service_basename }}"
+        state: stopped
+        daemon_reload: yes
+      register: stopping_result
 
-- name: Ensure matrix-user-verification-service.service doesn't exist
-  file:
-    path: "{{ matrix_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}"
-    state: absent
-  when: "matrix_user_verification_service_service_stat.stat.exists|bool"
-
-- name: Ensure systemd reloaded after matrix-user-verification-service.service removal
-  service:
-    daemon_reload: yes
-  when: "matrix_user_verification_service_service_stat.stat.exists|bool"
-
-- name: Ensure Matrix user-verification-service paths don't exist
-  file:
-    path: "{{ matrix_user_verification_service_base_path }}"
-    state: absent
+    - name: Ensure matrix-user-verification-service.service doesn't exist
+      file:
+        path: "{{ matrix_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}"
+        state: absent
 
-- name: Ensure user-verification-service Docker image doesn't exist
-  docker_image:
-    name: "{{ matrix_user_verification_service_docker_image }}"
-    state: absent
+    - name: Ensure Matrix user-verification-service paths don't exist
+      file:
+        path: "{{ matrix_user_verification_service_base_path }}"
+        state: absent
From b89f5b7ff5e7e957145c1f2e4a79dba77dc22e89 Mon Sep 17 00:00:00 2001
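Review bot: Moving the base-path removal inside the `when: ...service_stat.stat.exists` block changes what uninstall does: the old task removed `matrix_user_verification_service_base_path` unconditionally, the new one leaves it in place whenever the systemd unit is already gone (a half-finished install, or a second uninstall run), and that directory holds the rendered `.env` with the Synapse access token. The consolidated block also drops the `daemon_reload` that used to follow the unit-file removal, so systemd keeps the stale unit loaded until something else reloads it. I would keep the paths task as a separate, unconditional task after the block, and re-add a `service: daemon_reload: yes` step after the unit file is removed.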
From: Paul N <92150859+stift-n2@users.noreply.github.com>
Date: Mon, 6 Feb 2023 12:47:50 +0100
Subject: [PATCH 328/915] Clarify task name and add user and group to templated env file

Co-authored-by: Slavi Pantaleev
---
 .../matrix-user-verification-service/tasks/setup_install.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/roles/custom/matrix-user-verification-service/tasks/setup_install.yml b/roles/custom/matrix-user-verification-service/tasks/setup_install.yml
index 5d1d28454..3ce463aa2 100644
--- a/roles/custom/matrix-user-verification-service/tasks/setup_install.yml
+++ b/roles/custom/matrix-user-verification-service/tasks/setup_install.yml
@@ -28,10 +28,12 @@
   # TODO
   # when: "matrix_user_verification_service_container_image_self_build|bool"
 
-- name: write env file
+- name: Ensure Matrix User Verification Service env file installed
   ansible.builtin.template:
     src: "{{ role_path }}/templates/.env.j2"
     dest: "{{ matrix_user_verification_service_config_env_file }}"
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
     mode: 0644
 
 - name: Ensure matrix-user-verification-service.service installed
From bf5e633656b8b88bc9dedf7e2be01fcc6f4851b3 Mon Sep 17 00:00:00 2001
From: jakicoll
Date: Mon, 6 Feb 2023 12:57:20 +0100
Subject: [PATCH 329/915] Remove the self-build stub, because self-build was not implemented

---
 .../matrix-user-verification-service/defaults/main.yml | 7 +------
 .../tasks/setup_install.yml | 6 ------
 2 files changed, 1 insertion(+), 12 deletions(-)

diff --git a/roles/custom/matrix-user-verification-service/defaults/main.yml b/roles/custom/matrix-user-verification-service/defaults/main.yml
index a86d62357..2f4b726ca 100644
--- a/roles/custom/matrix-user-verification-service/defaults/main.yml
+++ b/roles/custom/matrix-user-verification-service/defaults/main.yml
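Review bot: `mode: 0644` leaves the rendered `.env` world-readable, and that file carries `UVS_ACCESS_TOKEN` (the Synapse access token, which the docs later in this series say belongs to a user with administration privileges) plus the API auth token. Now that `owner`/`group` are set to the matrix user, no other host account needs read access, so `mode: 0640` is sufficient for the container and stops any local user from reading an admin-level Synapse token. The hunk's `# TODO` / `# when:` context lines suggest an unfinished self-build block above it, which the next commit in this series removes.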
@@ -15,13 +15,8 @@ matrix_user_verification_service_docker_src_files_path: "{{ matrix_user_verifica
 matrix_user_verification_service_config_path: "{{ matrix_user_verification_service_base_path }}/config"
 matrix_user_verification_service_config_env_file: "{{ matrix_user_verification_service_config_path }}/.env"
 
-# Set this to true in order to not use the docker image from docker hub, but rather build locally
-matrix_user_verification_service_container_image_self_build: false
-matrix_user_verification_service_container_image_self_build_repo: "https://github.com/matrix-org/matrix-user-verification-service.git"
-matrix_user_verification_service_container_image_self_build_branch: "{{ matrix_user_verification_service_version }}"
-
 # Docker
-matrix_user_verification_service_docker_image_name_prefix: "{{ 'localhost/' if matrix_user_verification_service_container_image_self_build else matrix_container_global_registry_prefix }}"
+matrix_user_verification_service_docker_image_name_prefix: "{{ matrix_container_global_registry_prefix }}"
 matrix_user_verification_service_docker_image: "{{ matrix_user_verification_service_docker_image_name_prefix }}matrixdotorg/matrix-user-verification-service:{{ matrix_user_verification_service_version }}"
 matrix_user_verification_service_docker_image_force_pull: "{{ matrix_user_verification_service_docker_image.endswith(':latest') }}"
 
diff --git a/roles/custom/matrix-user-verification-service/tasks/setup_install.yml b/roles/custom/matrix-user-verification-service/tasks/setup_install.yml
index 3ce463aa2..24b8b811a 100644
--- a/roles/custom/matrix-user-verification-service/tasks/setup_install.yml
+++ b/roles/custom/matrix-user-verification-service/tasks/setup_install.yml
@@ -9,7 +9,6 @@
     group: "{{ matrix_user_groupname }}"
   with_items:
     - { path: "{{ matrix_user_verification_service_config_path }}", when: true }
-    - { path: "{{ matrix_user_verification_service_docker_src_files_path }}", when: "{{ matrix_user_verification_service_container_image_self_build }}" }
   when: item.when | bool
 
 - name: Ensure Matrix User Verification Service image is pulled
@@ -18,16 +17,11 @@
     source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
     force_source: "{{ matrix_user_verification_service_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
     force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_user_verification_service_docker_image_force_pull }}"
-  when: "not matrix_user_verification_service_container_image_self_build | bool"
   register: result
   retries: "{{ devture_playbook_help_container_retries_count }}"
   delay: "{{ devture_playbook_help_container_retries_delay }}"
   until: result is not failed
 
-#- block:
-# TODO
-# when: "matrix_user_verification_service_container_image_self_build|bool"
-
 - name: Ensure Matrix User Verification Service env file installed
   ansible.builtin.template:
     src: "{{ role_path }}/templates/.env.j2"
From 0e0ae2f3e6c808e392782bc60b168c7a0cb54ba7 Mon Sep 17 00:00:00 2001
From: jakicoll
Date: Mon, 6 Feb 2023 13:04:06 +0100
Subject: [PATCH 330/915] Assign default log level in role instead of matrix_servers file.

---
 group_vars/matrix_servers | 1 -
 roles/custom/matrix-user-verification-service/defaults/main.yml | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index b52c74a3b..a5d8c497c 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
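Review bot: Dropping the `docker_src_files_path` entry from `with_items` leaves `matrix_user_verification_service_docker_src_files_path` defined in defaults/main.yml (it is visible as the hunk context of this commit's defaults change) with no remaining consumer in the role, so it should go in the same cleanup or carry a comment saying why it stays. The `with_items` list now has a single entry with `when: true`, which makes the `when: item.when | bool` loop guard dead weight; a plain `file:` task on `matrix_user_verification_service_config_path` reads more clearly. The enclosing task of the first hunk starts before the hunk.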
@@ -3217,7 +3217,6 @@ matrix_user_verification_service_uvs_auth_token: "{{ '%s' | format(matrix_homese
 # Pin UVS to only check openId Tokens for the matrix_server_name configured by this playbook.
 # This is not the homeserverURL, but rather the domain in the matrix "user ID"
 matrix_user_verification_service_uvs_openid_verify_server_name: "{{ matrix_domain }}"
-matrix_user_verification_service_uvs_log_level: warning
 
 ######################################################################
 #
diff --git a/roles/custom/matrix-user-verification-service/defaults/main.yml b/roles/custom/matrix-user-verification-service/defaults/main.yml
index 2f4b726ca..fd1743941 100644
--- a/roles/custom/matrix-user-verification-service/defaults/main.yml
+++ b/roles/custom/matrix-user-verification-service/defaults/main.yml
@@ -55,7 +55,7 @@ matrix_user_verification_service_uvs_disable_ip_blacklist: false
 
 # Log level, defaults to 'info'
 # See choices here: https://github.com/winstonjs/winston#logging-levels
-# matrix_user_verification_service_uvs_log_level: info
+matrix_user_verification_service_uvs_log_level: warning
 
 ######################################################################
 
From 07d9ea5e875a217a44ffde6ba6cdb698a6d67ac7 Mon Sep 17 00:00:00 2001
From: Paul N <92150859+stift-n2@users.noreply.github.com>
Date: Mon, 6 Feb 2023 13:06:14 +0100
Subject: [PATCH 331/915] Stick to port 3003 instead of changing the port based on the status of grafana.

---
 docs/configuring-playbook-user-verification-service.md | 2 +-
 group_vars/matrix_servers | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/docs/configuring-playbook-user-verification-service.md b/docs/configuring-playbook-user-verification-service.md
index e7fc95709..d6468b54c 100644
--- a/docs/configuring-playbook-user-verification-service.md
+++ b/docs/configuring-playbook-user-verification-service.md
@@ -45,7 +45,7 @@ For a list of all configuration options see the role defaults [`roles/matrix-use
 But be aware of all the plugging happening in `group_vars/matrix_servers`.
 
 In the default configuration, the UVS Server is only reachable via the docker network, which is fine if e.g. Jitsi is also running in a container on the host.
-However, it is possible to expose UVS via setting `matrix_user_verification_service_container_http_host_bind_port`. Be aware that the normally used port (3000) may collide with Grafana.
+However, it is possible to expose UVS via setting `matrix_user_verification_service_container_http_host_bind_port`.
 
 ### Access token
 
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index a5d8c497c..0a6ae4f39 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -3200,9 +3200,9 @@ matrix_user_verification_service_systemd_required_services_list: |
 
 # If Jitsi is managed by this playbook we can use the docker network - no need to expose a port.
 # If Jitsi is not managed by this playbook, or you otherwise have a need for it, you can expose
-# matrix-user-verfification-services's client-server port to the local host.
-# Note: If grafana is also enabled, the exposed port is changed to 3003.
-matrix_user_verification_service_container_http_host_bind_port: "{{ '' if (matrix_jitsi_enabled | bool and matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix') else '127.0.0.1:' + ('3003' if matrix_nginx_proxy_proxy_grafana_enabled else '3000') }}"
+# matrix-user-verfification-services's client-server port to the local host port 3003.
+# By default Matrix-User-Verification-Service binds to port 3000, which collides with grafana, therefore this uses port 3003.
+matrix_user_verification_service_container_http_host_bind_port: "{{ '' if (matrix_jitsi_enabled | bool and matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix') else '127.0.0.1:3003' }}"
 
 # URL exposed in the docker network
 matrix_user_verification_service_container_url: "http://{{ matrix_user_verification_service_container_name }}:3000"
From 50c1e9d695490d59d3b8b6234b44e69e6c48640c Mon Sep 17 00:00:00 2001
From: Paul N <92150859+stift-n2@users.noreply.github.com>
Date: Mon, 6 Feb 2023 13:14:34 +0100
Subject: [PATCH 332/915] Set matrix_user_verification_service_uvs_homeserver_url in the role defaults and updated docs accordingly.

---
 docs/configuring-playbook-user-verification-service.md | 2 +-
 group_vars/matrix_servers | 2 --
 roles/custom/matrix-user-verification-service/defaults/main.yml | 2 +-
 3 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/docs/configuring-playbook-user-verification-service.md b/docs/configuring-playbook-user-verification-service.md
index d6468b54c..82e4e84e4 100644
--- a/docs/configuring-playbook-user-verification-service.md
+++ b/docs/configuring-playbook-user-verification-service.md
@@ -49,7 +49,7 @@ However, it is possible to expose UVS via setting `matrix_user_verification_serv
 
 ### Access token
 
-The Synapse Access Token is used to verify RoomMembership and PowerLevel against the configured homeserver_url (which is plugged in group_vars).
+The Synapse Access Token is used to verify RoomMembership and PowerLevel against `matrix_user_verification_service_uvs_homeserver_url`.
 
 We recommend that you create a dedicated Matrix user for uvs (`uvs` is a good username).
 Follow our [Registering users](registering-users.md) guide to register a user with administration privileges.
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 0a6ae4f39..8cd9baa92 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -3207,8 +3207,6 @@ matrix_user_verification_service_container_http_host_bind_port: "{{ '' if (matr
 # URL exposed in the docker network
 matrix_user_verification_service_container_url: "http://{{ matrix_user_verification_service_container_name }}:3000"
 
-# Set the homeserver URL to the container name if synapse is managed by this playbook
-matrix_user_verification_service_uvs_homeserver_url: "{{ matrix_homeserver_container_url if matrix_synapse_enabled }}"
 # We connect via the container network (private IPs), so we need to disable IP checks
 matrix_user_verification_service_uvs_disable_ip_blacklist: "{{'true' if matrix_synapse_enabled else 'false'}}"
 
diff --git a/roles/custom/matrix-user-verification-service/defaults/main.yml b/roles/custom/matrix-user-verification-service/defaults/main.yml
index fd1743941..2b2cbcb26 100644
--- a/roles/custom/matrix-user-verification-service/defaults/main.yml
+++ b/roles/custom/matrix-user-verification-service/defaults/main.yml
@@ -37,7 +37,7 @@ matrix_user_verification_service_systemd_service_name: "{{ matrix_user_verificat
 # matrix_user_verification_service_uvs_access_token:
 # homeserver client api url
-# matrix_user_verification_service_uvs_homeserver_url: ""
+matrix_user_verification_service_uvs_homeserver_url: "{{ matrix_homeserver_container_url }}"
 
 # disable check for non private ip range of homeserver. e.g. set to `true` if your homeserver domain resolves to a private ip.
 matrix_user_verification_service_uvs_disable_ip_blacklist: false
 
From 1d99f17b4a32c724dd7ecf8a1cd36f0b7361f383 Mon Sep 17 00:00:00 2001
From: Paul N <92150859+stift-n2@users.noreply.github.com>
Date: Mon, 6 Feb 2023 13:23:11 +0100
Subject: [PATCH 333/915] Disable matrix-user-verification-service in group_vars and update docs accordingly.

---
 docs/configuring-playbook-jitsi.md | 1 +
 docs/configuring-playbook-user-verification-service.md | 2 +-
 group_vars/matrix_servers | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md
index f51f8fc12..6c787bdb4 100644
--- a/docs/configuring-playbook-jitsi.md
+++ b/docs/configuring-playbook-jitsi.md
@@ -79,6 +79,7 @@ To enable set this configuration at host level:
 ```yaml
 matrix_jitsi_enable_auth: true
 matrix_jitsi_auth_type: "matrix"
+matrix_user_verification_service_enabled: true
 ```
 
 For more information see also [https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification](https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification).
diff --git a/docs/configuring-playbook-user-verification-service.md b/docs/configuring-playbook-user-verification-service.md
index 82e4e84e4..1990e8919 100644
--- a/docs/configuring-playbook-user-verification-service.md
+++ b/docs/configuring-playbook-user-verification-service.md
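Review bot: The new role default `matrix_user_verification_service_uvs_homeserver_url: "{{ matrix_homeserver_container_url }}"` references a variable the role does not define, so the role is no longer self-contained: outside this playbook the value fails at template resolution, and the `is defined and ...|length` assert in tasks/main.yml does not catch that, because it checks the variable name rather than whether the expression it holds resolves. The group_vars line this replaces was also guarded by `matrix_synapse_enabled`, while the sibling `..._uvs_disable_ip_blacklist` in group_vars still keys on that flag, so the two settings now follow different rules. Keeping `matrix_user_verification_service_uvs_homeserver_url: ""` as the role default and doing the wiring in group_vars, with a comment like `# homeserver client api url; group_vars/matrix_servers points this at the playbook-managed Synapse container`, would preserve the decoupling.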
@@ -30,7 +30,7 @@ In order to use UVS, an admin token for the configured homeserver must be suppli
 
 ## Enable
 
-[Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service) installation is disabled by default unless required by Jitsi (see group_vars/matrix_servers).
+[Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service) installation is disabled by default.
 You can enable it in your configuration file (`inventory/host_vars/matrix./vars.yml`):
 
 ```yaml
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 8cd9baa92..1bd1c1d3d 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -3188,7 +3188,7 @@ matrix_user_creator_users_auto: | matrix_user_verification_service_docker_image: "{{ matrix_user_verification_service_docker_image_name_prefix }}matrixdotorg/matrix-user-verification-service@sha256:d2aabc984dd69d258c91900c36928972d7aaef19d776caa3cd6a0fbc0e307270" # enable if jitsi is managed by this playbook and requires JWT auth -matrix_user_verification_service_enabled: "{{ (matrix_jitsi_enabled | bool and matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix') }}" +matrix_user_verification_service_enabled: false matrix_user_verification_service_systemd_required_services_list: | {{ ['docker.service']
From 6499b6536abe94e28a661b5e1e32751e90d47043 Mon Sep 17 00:00:00 2001
From: jakicoll
Date: Mon, 6 Feb 2023 15:18:25 +0100
Subject: [PATCH 334/915] Decoupling: Do not use variables user-verification-service role inside the jitsi role.

---
 group_vars/matrix_servers | 1 +
 roles/custom/matrix-jitsi/defaults/main.yml | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 1bd1c1d3d..cabe35615 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -1949,6 +1949,7 @@ matrix_jitsi_etherpad_base: "{{ matrix_etherpad_base_url if matrix_etherpad_enab
 
 # Allow verification using JWT and matrix-UVS
 matrix_jitsi_prosody_auth_matrix_uvs_auth_token: "{{ matrix_user_verification_service_uvs_auth_token }}"
+matrix_jitsi_prosody_auth_matrix_uvs_location: "{{ matrix_user_verification_service_container_url }}"
 
 matrix_jitsi_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
 
diff --git a/roles/custom/matrix-jitsi/defaults/main.yml b/roles/custom/matrix-jitsi/defaults/main.yml
index 1f8502c84..d97689ea5 100644
--- a/roles/custom/matrix-jitsi/defaults/main.yml
+++ b/roles/custom/matrix-jitsi/defaults/main.yml
@@ -56,7 +56,7 @@ matrix_jitsi_prosody_auth_matrix_user_verification_repo_location: "https://githu
 matrix_jitsi_prosody_auth_matrix_user_verification_repo_target: "{{ matrix_jitsi_prosody_ext_path }}/prosody_auth_matrix_user_verification"
 matrix_jitsi_prosody_auth_matrix_user_verification_repo_version: "2839499cb03894d8cfc3e5b2219441427cb133d8" # v1.8.0
 matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels: true
-matrix_jitsi_prosody_auth_matrix_uvs_location: "{{ matrix_user_verification_service_container_url }}"
+matrix_jitsi_prosody_auth_matrix_uvs_location: ""
 # Should match domain, see https://github.com/vector-im/element-web/pull/15114/commits/0410a6b3be82a41457275e4d1ce879dea146e092
 matrix_jitsi_prosody_auth_matrix_jwt_app_id: "{{ matrix_server_fqn_jitsi }}"
 matrix_jitsi_prosody_auth_matrix_files:
From 6b206b3763cebd721fa6cfd5e55c35685e2070e3 Mon Sep 17 00:00:00 2001
From: jakicoll
Date: Mon, 6 Feb 2023 15:21:10 +0100
Subject: [PATCH 335/915] Move checks into validate_config.yml.

---
 .../matrix-user-verification-service/tasks/main.yml | 9 ++-------
 .../tasks/validate_config.yml | 8 ++++++++
 2 files changed, 10 insertions(+), 7 deletions(-)
 create mode 100644 roles/custom/matrix-user-verification-service/tasks/validate_config.yml
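Review bot: With `matrix_jitsi_prosody_auth_matrix_uvs_location` now defaulting to `""` in the Jitsi role, a deployment that sets `matrix_jitsi_auth_type: "matrix"` without the group_vars wiring would hand prosody an empty UVS URL, and nothing in this hunk guards against that. The empty default should carry a comment stating the contract, e.g. `# Must point at a reachable UVS instance when matrix_jitsi_auth_type == 'matrix'; group_vars/matrix_servers wires it to the playbook-managed service`, and the role's config validation (if it has one; it is not visible here) should assert the value is non-empty when matrix auth is enabled, mirroring how `..._uvs_auth_token` is supplied.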
diff --git a/roles/custom/matrix-user-verification-service/tasks/main.yml b/roles/custom/matrix-user-verification-service/tasks/main.yml
index 0f51d6cc5..926860362 100644
--- a/roles/custom/matrix-user-verification-service/tasks/main.yml
+++ b/roles/custom/matrix-user-verification-service/tasks/main.yml
@@ -1,13 +1,8 @@
 ---
 
-- name: verify all necessary variables are present
-  assert:
-    that:
-      - matrix_user_verification_service_uvs_access_token is defined and matrix_user_verification_service_uvs_access_token|length
-      - matrix_user_verification_service_uvs_homeserver_url is defined and matrix_user_verification_service_uvs_homeserver_url|length
-    fail_msg: "Missing variable in {{ matrix_user_verification_service_ansible_name }} role"
-
 - block:
+  - when: matrix_jitsi_enabled | bool
+    ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
   - when: run_setup | bool and matrix_user_verification_service_enabled | bool
     ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
     tags:
diff --git a/roles/custom/matrix-user-verification-service/tasks/validate_config.yml b/roles/custom/matrix-user-verification-service/tasks/validate_config.yml
new file mode 100644
index 000000000..e4349fa6b
--- /dev/null
+++ b/roles/custom/matrix-user-verification-service/tasks/validate_config.yml
@@ -0,0 +1,8 @@
+---
+
+- name: verify all necessary variables are present
+  assert:
+    that:
+      - matrix_user_verification_service_uvs_access_token is defined and matrix_user_verification_service_uvs_access_token|length
+      - matrix_user_verification_service_uvs_homeserver_url is defined and matrix_user_verification_service_uvs_homeserver_url|length
+    fail_msg: "Missing variable in {{ matrix_user_verification_service_ansible_name }} role"
From d67d8c07f5dde9a8ff702416529bd9d6d5533260 Mon Sep 17 00:00:00 2001
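Review bot: The validation include is gated on `matrix_jitsi_enabled | bool` rather than on the service itself, so the checks run for a host that has Jitsi but no UVS (where `matrix_user_verification_service_uvs_access_token` has no role default, so the `is defined` assert fails for a plain Jitsi user) and are skipped for a host that enables UVS without Jitsi, which is exactly the case where a missing access token matters. Gate it on the service: `- when: matrix_user_verification_service_enabled | bool`, matching the condition on the `setup_install.yml` include two lines below. The same gate carries into the later rewrite of validate_config.yml in this series, so it is worth fixing here.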
From: Paul N <92150859+stift-n2@users.noreply.github.com>
Date: Mon, 6 Feb 2023 15:11:20 +0100
Subject: [PATCH 336/915] Remove remnant comment.

---
 group_vars/matrix_servers | 1 -
 1 file changed, 1 deletion(-)

diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index cabe35615..060ffbcaa 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -3188,7 +3188,6 @@ matrix_user_creator_users_auto: | ## FIXME: Needs to be updated when there is a proper release by upstream. matrix_user_verification_service_docker_image: "{{ matrix_user_verification_service_docker_image_name_prefix }}matrixdotorg/matrix-user-verification-service@sha256:d2aabc984dd69d258c91900c36928972d7aaef19d776caa3cd6a0fbc0e307270" -# enable if jitsi is managed by this playbook and requires JWT auth matrix_user_verification_service_enabled: false matrix_user_verification_service_systemd_required_services_list: | {{
From 96dd86d33b943c381d5ffebca256b2bdec9a1780 Mon Sep 17 00:00:00 2001
From: Paul N <92150859+stift-n2@users.noreply.github.com>
Date: Mon, 6 Feb 2023 15:19:58 +0100
Subject: [PATCH 337/915] Set default values where sensible and remove unnecessary conditionals in .env.j2. Check for empty string instead of Null to verify if an openid_server_name is pinned.

---
 ...onfiguring-playbook-user-verification-service.md | 4 ++--
 group_vars/matrix_servers | 4 ----
 .../defaults/main.yml | 13 +++++++------
 .../templates/.env.j2 | 11 +++--------
 4 files changed, 12 insertions(+), 20 deletions(-)

diff --git a/docs/configuring-playbook-user-verification-service.md b/docs/configuring-playbook-user-verification-service.md
index 1990e8919..451f54f4b 100644
--- a/docs/configuring-playbook-user-verification-service.md
+++ b/docs/configuring-playbook-user-verification-service.md
@@ -81,10 +81,10 @@ In case Jitsi is also managed by this playbook and 'matrix' authentication in Ji
 In theory (however currently untested), UVS can handle federation. Simply set:
 
 ```yaml
-matrix_user_verification_service_uvs_openid_verify_server_name: ~
+matrix_user_verification_service_uvs_openid_verify_server_name: ""
 ```
 
-using host_vars to override the group_vars.
+in your host_vars.
 
 This will instruct UVS to verify the OpenID token against any domain given in a request. Homeserver discovery is done via '.well-known/matrix/server' of the given domain.
 
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 060ffbcaa..988af72e0 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -3212,10 +3212,6 @@ matrix_user_verification_service_uvs_disable_ip_blacklist: "{{'true' if matrix_s
 
 matrix_user_verification_service_uvs_auth_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'uvs.auth.token', rounds=655555) | to_uuid }}"
 
-# Pin UVS to only check openId Tokens for the matrix_server_name configured by this playbook.
-# This is not the homeserverURL, but rather the domain in the matrix "user ID"
-matrix_user_verification_service_uvs_openid_verify_server_name: "{{ matrix_domain }}"
-
 ######################################################################
 #
 # /matrix-user-verification-service
diff --git a/roles/custom/matrix-user-verification-service/defaults/main.yml b/roles/custom/matrix-user-verification-service/defaults/main.yml
index 2b2cbcb26..cdef8f399 100644
--- a/roles/custom/matrix-user-verification-service/defaults/main.yml
+++ b/roles/custom/matrix-user-verification-service/defaults/main.yml
@@ -48,14 +48,15 @@ matrix_user_verification_service_uvs_disable_ip_blacklist: false
 # need have the header "Authorization: Bearer changeme".
 # matrix_user_verification_service_uvs_auth_token: changeme
 
-# Matrix server name to verify OpenID tokens against. See below section.
-# Defaults to empty value which means verification is made against
-# whatever Matrix server name passed in with the token
-# matrix_user_verification_service_uvs_openid_verify_server_name: matrix.org
+# Matrix server name to verify OpenID tokens against.
+# Pin UVS to only check openId Tokens for the matrix_server_name configured by this playbook.
+# This is not the homeserverURL, but rather the domain in the matrix "user ID"
+# UVS can also be instructed to verify against the Matrix server name passed in the token, to enable set to ""
+matrix_user_verification_service_uvs_openid_verify_server_name: "{{ matrix_domain }}"
 
-# Log level, defaults to 'info'
+# Log level
 # See choices here: https://github.com/winstonjs/winston#logging-levels
-matrix_user_verification_service_uvs_log_level: warning
+matrix_user_verification_service_uvs_log_level: info
 
 ######################################################################
 
diff --git a/roles/custom/matrix-user-verification-service/templates/.env.j2 b/roles/custom/matrix-user-verification-service/templates/.env.j2
index b2f2aaab8..8119c1e98 100644
--- a/roles/custom/matrix-user-verification-service/templates/.env.j2
+++ b/roles/custom/matrix-user-verification-service/templates/.env.j2
@@ -1,14 +1,9 @@
 UVS_ACCESS_TOKEN={{ matrix_user_verification_service_uvs_access_token }}
 UVS_HOMESERVER_URL={{ matrix_user_verification_service_uvs_homeserver_url }}
 UVS_DISABLE_IP_BLACKLIST={{ matrix_user_verification_service_uvs_disable_ip_blacklist }}
-
-{% if matrix_user_verification_service_uvs_auth_token is defined and matrix_user_verification_service_uvs_auth_token|length %}
-    UVS_AUTH_TOKEN={{ matrix_user_verification_service_uvs_auth_token }}
-{% endif %}
-{% if matrix_user_verification_service_uvs_openid_verify_server_name is defined and matrix_user_verification_service_uvs_openid_verify_server_name|length %}
+UVS_LOG_LEVEL={{ matrix_user_verification_service_uvs_log_level }}
+UVS_AUTH_TOKEN={{ matrix_user_verification_service_uvs_auth_token }}
+{% if matrix_user_verification_service_uvs_openid_verify_server_name | length > 0 %}
 UVS_OPENID_VERIFY_SERVER_NAME={{ matrix_user_verification_service_uvs_openid_verify_server_name }}
 {% endif %}
-{% if matrix_user_verification_service_uvs_log_level is defined and matrix_user_verification_service_uvs_log_level|length %}
-    UVS_LOG_LEVEL={{ matrix_user_verification_service_uvs_log_level }}
-{% endif %}
 
From 70bea81df753f281ae844239529b3b6bc94c95cc Mon Sep 17 00:00:00 2001
From: Paul N <92150859+stift-n2@users.noreply.github.com>
Date: Mon, 6 Feb 2023 15:59:32 +0100
Subject: [PATCH 338/915] Introduced flags to (1) enable/disable Auth (2) enable/disable openid_server_name pinning. Updated validate_config.yml and added new checks to verify.

---
 ...ring-playbook-user-verification-service.md | 15 +++++++++--
 .../defaults/main.yml | 12 ++++++----
 .../tasks/validate_config.yml | 23 ++++++++++++++++---
 .../templates/.env.j2 | 6 +++--
 4 files changed, 44 insertions(+), 12 deletions(-)

diff --git a/docs/configuring-playbook-user-verification-service.md b/docs/configuring-playbook-user-verification-service.md
index 451f54f4b..d33c7147d 100644
--- a/docs/configuring-playbook-user-verification-service.md
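Review bot: `UVS_AUTH_TOKEN` is now rendered unconditionally, but the `is defined` guard it replaces was doing real work: in this same commit's defaults hunk the role still ships `# matrix_user_verification_service_uvs_auth_token: changeme` commented out, so outside this playbook (where group_vars derives the token) the template fails on an undefined variable instead of producing an env file. Either give the variable an empty default in defaults/main.yml, as a later commit in this series does, or keep a `{% if matrix_user_verification_service_uvs_auth_token | length > 0 %}` guard so an empty token is omitted rather than written as `UVS_AUTH_TOKEN=`; how UVS treats an empty value is not visible here, and an empty bearer token is not a configuration I would want to rely on.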
+++ b/docs/configuring-playbook-user-verification-service.md
@@ -63,9 +63,9 @@ To get an access token for the UVS user, you can follow the documentation on [ho
 matrix_user_verification_service_uvs_access_token: "YOUR ACCESS TOKEN HERE"
 ```
 
-### (Optional) Auth Token
+### (Optional) Custom Auth Token
 
-It is possible to set an API Auth Token to restrict access to the UVS. If this is set, anyone making a request to UVS must provide it via the header "Authorization: Bearer TOKEN"
+It is possible to set an API Auth Token to restrict access to the UVS. If this is enabled, anyone making a request to UVS must provide it via the header "Authorization: Bearer TOKEN"
 
 By default, the token will be derived from `matrix_homeserver_generic_secret_key` in `group_vars/matrix_servers`.
 To set your own Token, simply put the following in your host_vars.
@@ -76,12 +76,21 @@ matrix_user_verification_service_uvs_auth_token: "TOKEN"
 
 In case Jitsi is also managed by this playbook and 'matrix' authentication in Jitsi is enabled, this collection will automatically configure Jitsi to use the configured auth token.
 
+### (Optional) Disable Auth
+Authorization is enabled by default. To disable set
+
+```yaml
+matrix_user_verification_service_uvs_require_auth: false
+```
+
+in your host_vars.
+
 ### (Optional) Federation
 
 In theory (however currently untested), UVS can handle federation. Simply set:
 
 ```yaml
-matrix_user_verification_service_uvs_openid_verify_server_name: ""
+matrix_user_verification_service_uvs_pin_openid_verify_server_name: false
 ```
 
 in your host_vars.
diff --git a/roles/custom/matrix-user-verification-service/defaults/main.yml b/roles/custom/matrix-user-verification-service/defaults/main.yml
index cdef8f399..6f7be0d1f 100644
--- a/roles/custom/matrix-user-verification-service/defaults/main.yml
+++ b/roles/custom/matrix-user-verification-service/defaults/main.yml
@@ -43,13 +43,17 @@ matrix_user_verification_service_uvs_disable_ip_blacklist: false ## OPTIONAL +# Require an Auth-Token with API calls. If set to false, UVS will reply to any API call. +# The Auth-Token is defined via: matrix_user_verification_service_uvs_auth_token +matrix_user_verification_service_uvs_require_auth: true # Auth token to protect the API -# If this is set any calls to the provided API endpoints -# need have the header "Authorization: Bearer changeme". -# matrix_user_verification_service_uvs_auth_token: changeme +# If enabled any calls to the provided API endpoints need have the header "Authorization: Bearer TOKEN". +# A Token will be derived from matrix_homeserver_generic_secret_key in group_vars/matrix_servers +matrix_user_verification_service_uvs_auth_token: '' -# Matrix server name to verify OpenID tokens against. # Pin UVS to only check openId Tokens for the matrix_server_name configured by this playbook. +matrix_user_verification_service_uvs_pin_openid_verify_server_name: true +# Matrix server name to verify OpenID tokens against. # This is not the homeserverURL, but rather the domain in the matrix "user ID" # UVS can also be instructed to verify against the Matrix server name passed in the token, to enable set to "" matrix_user_verification_service_uvs_openid_verify_server_name: "{{ matrix_domain }}" diff --git a/roles/custom/matrix-user-verification-service/tasks/validate_config.yml b/roles/custom/matrix-user-verification-service/tasks/validate_config.yml index e4349fa6b..40e9090cb 100644 --- a/roles/custom/matrix-user-verification-service/tasks/validate_config.yml +++ b/roles/custom/matrix-user-verification-service/tasks/validate_config.yml 
@@ -1,8 +1,25 @@ --- -- name: verify all necessary variables are present +- name: Verify homeserver_url is not empty assert: that: - - matrix_user_verification_service_uvs_access_token is defined and matrix_user_verification_service_uvs_access_token|length - - matrix_user_verification_service_uvs_homeserver_url is defined and matrix_user_verification_service_uvs_homeserver_url|length + - matrix_user_verification_service_uvs_homeserver_url|length > 0 fail_msg: "Missing variable in {{ matrix_user_verification_service_ansible_name }} role" + +- name: Verify Auth is configured properly or disabled + assert: + that: + - matrix_user_verification_service_uvs_access_token|length > 0 or not matrix_user_verification_service_uvs_require_auth|bool + fail_msg: "If Auth is enabled, a valid (non empty) TOKEN must be given in 'matrix_user_verification_service_uvs_access_token'." + +- name: Verify server_name for openid verification is given, if pinning a single server_name is enabled. + assert: + that: + - matrix_user_verification_service_uvs_openid_verify_server_name|length > 0 or not matrix_user_verification_service_uvs_pin_openid_verify_server_name|bool + fail_msg: "If pinning a single server_name is enabled, a valid (non empty) server_name must be given in 'matrix_user_verification_service_uvs_openid_verify_server_name'." + +- name: Verify the homeserver implementation is synapse + assert: + that: + - matrix_homeserver_implementation == 'synapse' + fail_msg: "The User-Verification-Service requires Synapse as homeserver implementation" diff --git a/roles/custom/matrix-user-verification-service/templates/.env.j2 b/roles/custom/matrix-user-verification-service/templates/.env.j2 index 8119c1e98..359eed2a1 100644 --- a/roles/custom/matrix-user-verification-service/templates/.env.j2 +++ b/roles/custom/matrix-user-verification-service/templates/.env.j2 
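Review bot: The "Verify Auth is configured properly or disabled" assertion tests `matrix_user_verification_service_uvs_access_token`, but the flag it guards (`matrix_user_verification_service_uvs_require_auth`) controls `UVS_AUTH_TOKEN`, which is filled from `matrix_user_verification_service_uvs_auth_token` (default `''` in this commit's defaults/main.yml hunk). As written, `require_auth: true` with an empty auth token passes validation and the .env template still emits `UVS_AUTH_TOKEN=` with no value, and the previously unconditional check that the Matrix access token is non-empty is gone, so a missing access token is now only caught when auth is required. Suggest `- matrix_user_verification_service_uvs_auth_token|length > 0 or not matrix_user_verification_service_uvs_require_auth|bool` with a fail_msg naming `matrix_user_verification_service_uvs_auth_token`, and a separate assertion keeping `- matrix_user_verification_service_uvs_access_token|length > 0` unconditional, since the service needs it to talk to the homeserver regardless of the auth flag.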
@@ -2,8 +2,10 @@ UVS_ACCESS_TOKEN={{ matrix_user_verification_service_uvs_access_token }} UVS_HOMESERVER_URL={{ matrix_user_verification_service_uvs_homeserver_url }} UVS_DISABLE_IP_BLACKLIST={{ matrix_user_verification_service_uvs_disable_ip_blacklist }} UVS_LOG_LEVEL={{ matrix_user_verification_service_uvs_log_level }} -UVS_AUTH_TOKEN={{ matrix_user_verification_service_uvs_auth_token }} -{% if matrix_user_verification_service_uvs_openid_verify_server_name | length > 0 %} +{% if matrix_user_verification_service_uvs_require_auth | bool %} + UVS_AUTH_TOKEN={{ matrix_user_verification_service_uvs_auth_token }} +{% endif %} +{% if matrix_user_verification_service_uvs_pin_openid_verify_server_name | bool %} UVS_OPENID_VERIFY_SERVER_NAME={{ matrix_user_verification_service_uvs_openid_verify_server_name }} {% endif %} From 7848d865a50eb95d18f9b330a6e53bbef492986c Mon Sep 17 00:00:00 2001 From: jakicoll Date: Mon, 6 Feb 2023 16:15:06 +0100 Subject: [PATCH 339/915] Also define the vars to be overwritten in group vars within the role vars. --- roles/custom/matrix-jitsi/defaults/main.yml | 2 +- .../custom/matrix-user-verification-service/defaults/main.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/custom/matrix-jitsi/defaults/main.yml b/roles/custom/matrix-jitsi/defaults/main.yml index d97689ea5..25a0e9b2d 100644 --- a/roles/custom/matrix-jitsi/defaults/main.yml +++ b/roles/custom/matrix-jitsi/defaults/main.yml @@ -66,7 +66,7 @@ matrix_jitsi_prosody_auth_matrix_files: when: "{{ matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels }}" # Plugged in group_vars -#matrix_jitsi_prosody_auth_matrix_uvs_auth_token: +matrix_jitsi_prosody_auth_matrix_uvs_auth_token: '' matrix_jitsi_timezone: UTC diff --git a/roles/custom/matrix-user-verification-service/defaults/main.yml b/roles/custom/matrix-user-verification-service/defaults/main.yml index 6f7be0d1f..38304f6d1 100644 --- a/roles/custom/matrix-user-verification-service/defaults/main.yml 
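Review bot: The re-added `UVS_AUTH_TOKEN` line is indented by one space inside its `{% if %}` block, while `UVS_OPENID_VERIFY_SERVER_NAME` in the block immediately below starts at column 0; the earlier commit in this series had just removed that same leading space. Whether the consumer of this .env file trims leading whitespace is not visible here, so keeping every key at column 0 (`UVS_AUTH_TOKEN={{ matrix_user_verification_service_uvs_auth_token }}`) avoids relying on it and keeps the two conditional blocks consistent.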
+++ b/roles/custom/matrix-user-verification-service/defaults/main.yml @@ -21,8 +21,8 @@ matrix_user_verification_service_docker_image: "{{ matrix_user_verification_serv matrix_user_verification_service_docker_image_force_pull: "{{ matrix_user_verification_service_docker_image.endswith(':latest') }}" matrix_user_verification_service_container_name: "matrix-user-verification-service" -# Normally this would run on port 3000 however that may conflict with grafana. It is thus advised to change this port. -#matrix_user_verification_service_container_http_host_bind_port: +# This will be set in group vars +matrix_user_verification_service_container_http_host_bind_port: '' matrix_user_verification_service_container_extra_arguments: [] # Systemd matrix_user_verification_service_systemd_required_services_list: [] From f3ca4a06322442fe846d514847b1d2b6a1a5e98e Mon Sep 17 00:00:00 2001 From: jakicoll Date: Mon, 6 Feb 2023 16:16:36 +0100 Subject: [PATCH 340/915] Remove unnecessary comment. --- .../defaults/main.yml | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/roles/custom/matrix-user-verification-service/defaults/main.yml b/roles/custom/matrix-user-verification-service/defaults/main.yml index 38304f6d1..c6781fdc4 100644 --- a/roles/custom/matrix-user-verification-service/defaults/main.yml +++ b/roles/custom/matrix-user-verification-service/defaults/main.yml 
@@ -61,21 +61,3 @@ matrix_user_verification_service_uvs_openid_verify_server_name: "{{ matrix_domai # Log level # See choices here: https://github.com/winstonjs/winston#logging-levels matrix_user_verification_service_uvs_log_level: info - - -###################################################################### -##### ##### -##### Variables used in this role which are not set by this role ##### -##### ##### -###################################################################### - -# matrix_user_username -# matrix_user_groupname -# matrix_user_uid -# matrix_user_gid -# matrix_container_global_registry_prefix -# matrix_docker_network -# devture_systemd_docker_base_systemd_path -# devture_systemd_docker_base_systemd_unit_home_path -# devture_systemd_docker_base_host_command_sh -# devture_systemd_docker_base_host_command_docker From be634168ac4be065e3bac7868b98fe7a30b75a9e Mon Sep 17 00:00:00 2001 From: jakicoll Date: Mon, 6 Feb 2023 16:29:25 +0100 Subject: [PATCH 341/915] Make the linter happy. --- roles/custom/matrix-jitsi/defaults/main.yml | 2 +- .../tasks/util/setup_jitsi_auth_uvs_install.yml | 4 +++- .../tasks/util/setup_jitsi_auth_uvs_uninstall.yml | 8 +++++--- roles/custom/matrix-jitsi/tasks/validate_config.yml | 1 - .../matrix-user-verification-service/handlers/main.yml | 2 +- .../tasks/setup_install.yml | 2 +- .../tasks/setup_uninstall.yml | 2 +- 7 files changed, 12 insertions(+), 9 deletions(-) diff --git a/roles/custom/matrix-jitsi/defaults/main.yml b/roles/custom/matrix-jitsi/defaults/main.yml index 25a0e9b2d..66d06e3b7 100644 --- a/roles/custom/matrix-jitsi/defaults/main.yml +++ b/roles/custom/matrix-jitsi/defaults/main.yml 
@@ -54,7 +54,7 @@ matrix_jitsi_ldap_start_tls: false # Auth type: matrix matrix_jitsi_prosody_auth_matrix_user_verification_repo_location: "https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification" matrix_jitsi_prosody_auth_matrix_user_verification_repo_target: "{{ matrix_jitsi_prosody_ext_path }}/prosody_auth_matrix_user_verification" -matrix_jitsi_prosody_auth_matrix_user_verification_repo_version: "2839499cb03894d8cfc3e5b2219441427cb133d8" # v1.8.0 +matrix_jitsi_prosody_auth_matrix_user_verification_repo_version: "2839499cb03894d8cfc3e5b2219441427cb133d8" # v1.8.0 matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels: true matrix_jitsi_prosody_auth_matrix_uvs_location: "" # Should match domain, see https://github.com/vector-im/element-web/pull/15114/commits/0410a6b3be82a41457275e4d1ce879dea146e092 diff --git a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml index 36f334253..f1d9ff210 100644 --- a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml +++ b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml @@ -1,3 +1,5 @@ +--- + - name: Checkout Prosody Auth Matrix User Verification Plugin Repo ansible.builtin.git: repo: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_location }}" @@ -6,7 +8,7 @@ - name: Install Prosody Auth Matrix User Verification Plugin ansible.builtin.copy: - remote_src: yes + remote_src: true src: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}/{{ item.path }}" dest: "{{ matrix_jitsi_prosody_plugins_path }}/{{ item.path }}" with_items: "{{ matrix_jitsi_prosody_auth_matrix_files }}" diff --git a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml index 2ba793eca..229ce896e 100644 --- a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml 
+++ b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml @@ -1,3 +1,5 @@ +--- + - name: Remove all files regarding prosody mod auth_matrix_user_verification and .well-known/element/jitsi ansible.builtin.file: path: "{{ item }}" @@ -11,10 +13,10 @@ - name: Remove .well-known/element directory if empty ansible.builtin.command: argv: - - rmdir - - "{{ matrix_static_files_base_path }}/.well-known/element" + - rmdir + - "{{ matrix_static_files_base_path }}/.well-known/element" removes: "{{matrix_static_files_base_path}}/.well-known/element" - ignore_errors: yes + ignore_errors: true - when: matrix_jitsi_prosody_auth_matrix_user_verification_uninstalled.changed block: diff --git a/roles/custom/matrix-jitsi/tasks/validate_config.yml b/roles/custom/matrix-jitsi/tasks/validate_config.yml index 5975a605b..f975e4ac9 100644 --- a/roles/custom/matrix-jitsi/tasks/validate_config.yml +++ b/roles/custom/matrix-jitsi/tasks/validate_config.yml @@ -45,7 +45,6 @@ or (matrix_jitsi_auth_type == 'matrix' and matrix_jitsi_prosody_auth_matrix_uvs_auth_token|length == 0)) - - name: (Deprecation) Catch and report renamed settings ansible.builtin.fail: msg: >- diff --git a/roles/custom/matrix-user-verification-service/handlers/main.yml b/roles/custom/matrix-user-verification-service/handlers/main.yml index a1ad1f31e..b9ee66d73 100644 --- a/roles/custom/matrix-user-verification-service/handlers/main.yml +++ b/roles/custom/matrix-user-verification-service/handlers/main.yml @@ -2,5 +2,5 @@ - name: Ensure systemd reloaded after matrix-user-verification-service.service installation service: - daemon_reload: yes + daemon_reload: true listen: "reload matrix-user-verification-service" diff --git a/roles/custom/matrix-user-verification-service/tasks/setup_install.yml b/roles/custom/matrix-user-verification-service/tasks/setup_install.yml index 24b8b811a..d095c4101 100644 --- a/roles/custom/matrix-user-verification-service/tasks/setup_install.yml 
+++ b/roles/custom/matrix-user-verification-service/tasks/setup_install.yml @@ -8,7 +8,7 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" with_items: - - { path: "{{ matrix_user_verification_service_config_path }}", when: true } + - {path: "{{ matrix_user_verification_service_config_path }}", when: true} when: item.when | bool - name: Ensure Matrix User Verification Service image is pulled diff --git a/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml b/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml index 5daafd3d8..bc09f7ef2 100644 --- a/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml @@ -11,7 +11,7 @@ service: name: "{{ matrix_user_verification_service_systemd_service_basename }}" state: stopped - daemon_reload: yes + daemon_reload: true register: stopping_result - name: Ensure matrix-user-verification-service.service doesn't exist From 6cffec14eabf6cf1001684ff7bd88c3c67ba6444 Mon Sep 17 00:00:00 2001 From: jakicoll Date: Mon, 6 Feb 2023 16:36:49 +0100 Subject: [PATCH 342/915] fixup! Remove the self-build stub, because self-build was not implemented --- roles/custom/matrix-user-verification-service/defaults/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/custom/matrix-user-verification-service/defaults/main.yml b/roles/custom/matrix-user-verification-service/defaults/main.yml index c6781fdc4..52b30a28a 100644 --- a/roles/custom/matrix-user-verification-service/defaults/main.yml +++ b/roles/custom/matrix-user-verification-service/defaults/main.yml 
@@ -10,8 +10,6 @@ matrix_user_verification_service_version: "v2.0.0" # Paths matrix_user_verification_service_base_path: "{{ matrix_base_data_path }}/user-verification-service" -# We need the docker src directory to be named user_verification_service. See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/588 -matrix_user_verification_service_docker_src_files_path: "{{ matrix_user_verification_service_base_path }}/docker-src/user-verification-service" matrix_user_verification_service_config_path: "{{ matrix_user_verification_service_base_path }}/config" matrix_user_verification_service_config_env_file: "{{ matrix_user_verification_service_config_path }}/.env" From 6a205a83f616f0217b2cbd90f1c193b5ef19bf64 Mon Sep 17 00:00:00 2001 From: jakicoll Date: Mon, 6 Feb 2023 17:20:13 +0100 Subject: [PATCH 343/915] Change renamed variables matrix_systemd_path -> devture_systemd_docker_base_systemd_path --- .../tasks/setup_uninstall.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml b/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml index bc09f7ef2..172bf1863 100644 --- a/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml @@ -2,7 +2,7 @@ - name: Check existence of matrix-user-verification-service service stat: - path: "{{ matrix_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}" + path: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}" register: matrix_user_verification_service_service_stat - when: matrix_user_verification_service_service_stat.stat.exists | bool 
@@ -16,7 +16,7 @@ - name: Ensure matrix-user-verification-service.service doesn't exist file: - path: "{{ matrix_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}" + path: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}" state: absent - name: Ensure Matrix user-verification-service paths don't exist From 66baef5bf6c1dc89580204f5e5368b346e0c80c3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 7 Feb 2023 08:48:50 +0200 Subject: [PATCH 344/915] Fix matrix-synapse-reverse-proxy-companion.service stopping during uninstallation Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2444 --- .../tasks/setup_uninstall.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_uninstall.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_uninstall.yml index bb1b534cf..7b820b35b 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_uninstall.yml @@ -9,7 +9,7 @@ block: - name: Ensure matrix-synapse-reverse-proxy-companion.service is stopped ansible.builtin.service: - name: matrix_synapse_reverse_proxy_companion_service_stat + name: matrix-synapse-reverse-proxy-companion state: stopped enabled: false daemon_reload: true From 6c17671abd3e152300609a6abf5851d421637aa1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 7 Feb 2023 10:45:19 +0200 Subject: [PATCH 345/915] Upgrade synapse-admin (0.8.6 -> 0.8.7) and drop reverse-proxy workaround Related to 6a31fba346d9da434, 6a31fba346d9d. Related to https://github.com/Awesome-Technologies/synapse-admin/issues/322 --- roles/custom/matrix-synapse-admin/defaults/main.yml | 2 +- .../tasks/inject_into_nginx_proxy.yml | 9 --------- 2 files changed, 1 insertion(+), 10 deletions(-) 
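Review bot: The stop task for the reverse-proxy companion now hard-codes the unit name `matrix-synapse-reverse-proxy-companion`, whereas the analogous uninstall task for matrix-user-verification-service on this page references a role variable, `{{ matrix_user_verification_service_systemd_service_basename }}`. If this role defines an equivalent service-name variable (not visible here), using it would keep the stop task in sync with the stat and remove tasks that presumably build the unit name from it; if it does not, the literal is fine and a short comment saying the name is fixed by the role would save the next reader the search.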
diff --git a/roles/custom/matrix-synapse-admin/defaults/main.yml b/roles/custom/matrix-synapse-admin/defaults/main.yml index ae77a570a..0f5c7af6e 100644 --- a/roles/custom/matrix-synapse-admin/defaults/main.yml +++ b/roles/custom/matrix-synapse-admin/defaults/main.yml @@ -9,7 +9,7 @@ matrix_synapse_admin_container_image_self_build_repo: "https://github.com/Awesom matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" -matrix_synapse_admin_version: 0.8.6 +matrix_synapse_admin_version: 0.8.7 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" diff --git a/roles/custom/matrix-synapse-admin/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-synapse-admin/tasks/inject_into_nginx_proxy.yml index 2c25ff476..6a4af859c 100644 --- a/roles/custom/matrix-synapse-admin/tasks/inject_into_nginx_proxy.yml +++ b/roles/custom/matrix-synapse-admin/tasks/inject_into_nginx_proxy.yml @@ -24,15 +24,6 @@ {# Generic configuration for use outside of our container setup #} proxy_pass http://127.0.0.1:8766/$1; {% endif %} - - {# - Workaround synapse-admin serving all assets at /static. - See: https://github.com/Awesome-Technologies/synapse-admin/issues/322 - #} - sub_filter_once off; - sub_filter "/static/" "{{ matrix_synapse_admin_public_endpoint }}/static/"; - sub_filter "/favicon.ico" "{{ matrix_synapse_admin_public_endpoint }}/favicon.ico"; - sub_filter "/manifest.json" "{{ matrix_synapse_admin_public_endpoint }}/manifest.json"; } - name: Register Synapse Admin proxying configuration with matrix-nginx-proxy 
From 2b9061a5d361b99f344e9198df5141367c909113 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 7 Feb 2023 11:02:02 +0200 Subject: [PATCH 346/915] Add support for reverse-proxying the base domain via Traefik --- roles/custom/matrix-nginx-proxy/defaults/main.yml | 5 +++++ roles/custom/matrix-nginx-proxy/templates/labels.j2 | 12 ++++++++++++ 2 files changed, 17 insertions(+) diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index e83e9b5b2..b60b6194d 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml @@ -49,6 +49,11 @@ matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_nginx_pro matrix_nginx_proxy_container_labels_traefik_entrypoints: web-secure matrix_nginx_proxy_container_labels_traefik_tls_certResolver: default # noqa var-naming +matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_enabled: "{{ matrix_nginx_proxy_base_domain_serving_enabled }}" +matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_hostname: "{{ matrix_nginx_proxy_base_domain_hostname }}" +matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" +matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_hostname }}`)" + matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: false matrix_nginx_proxy_container_labels_traefik_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2 index 407654a70..b6994617b 100644 --- a/roles/custom/matrix-nginx-proxy/templates/labels.j2 
+++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2 @@ -6,6 +6,18 @@ traefik.docker.network={{ matrix_nginx_proxy_container_labels_traefik_docker_net {% endif %} +{% if matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_enabled %} +# Base domain +traefik.http.routers.matrix-nginx-proxy-base-domain.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_rule }} +traefik.http.routers.matrix-nginx-proxy-base-domain.service=matrix-nginx-proxy-web +traefik.http.routers.matrix-nginx-proxy-base-domain.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_tls | to_json }} +{% if matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_tls %} +traefik.http.routers.matrix-nginx-proxy-base-domain.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} +{% endif %} +traefik.http.routers.matrix-nginx-proxy-base-domain.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} +{% endif %} + + {% if matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled %} # Matrix Client traefik.http.routers.matrix-nginx-proxy-matrix-client.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule }} From 2eb2ad0ad72780883e0c57ade07bbe5ea9d44f05 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 7 Feb 2023 09:06:00 +0000 Subject: [PATCH 347/915] Update heisenbridge 1.14.1 -> 1.14.2 --- roles/custom/matrix-bridge-heisenbridge/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml b/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml index d51bb9133..ba5471cce 100644 --- a/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml +++ b/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml 
@@ -4,7 +4,7 @@ matrix_heisenbridge_enabled: true -matrix_heisenbridge_version: 1.14.1 +matrix_heisenbridge_version: 1.14.2 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}" matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}" From c07630ed51f05117659635f45405d946d97d00d6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Feb 2023 16:05:38 +0200 Subject: [PATCH 348/915] Add com.devture.ansible.role.traefik_certs_dumper role With this, other roles (like Coturn, Postmoogle) will be able to use SSL certificates extracted from Traefik via https://github.com/ldez/traefik-certs-dumper --- group_vars/matrix_servers | 30 ++++++++++++++++++++++++++++++ playbooks/matrix.yml | 3 +++ requirements.yml | 5 ++++- 3 files changed, 37 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 8ce94f52e..08e3bf4e7 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -38,6 +38,8 @@ matrix_playbook_traefik_role_enabled: false # installed in another way. matrix_playbook_traefik_labels_enabled: false +matrix_playbook_traefik_certs_dumper_role_enabled: "{{ matrix_playbook_traefik_role_enabled }}" + # Controls the additional network that reverse-proxyable services will be connected to. matrix_playbook_reverse_proxyable_services_additional_network: "{{ devture_traefik_container_network if devture_traefik_enabled else '' }}" 
@@ -344,6 +346,8 @@ devture_systemd_service_manager_services_list_auto: | ([{'name': 'matrix-synapse-reverse-proxy-companion.service', 'priority': 1500, 'groups': ['matrix', 'homeservers', 'synapse', 'reverse-proxies']}] if matrix_synapse_reverse_proxy_companion_enabled else []) + ([{'name': 'devture-traefik.service', 'priority': 3000, 'groups': ['matrix', 'traefik', 'reverse-proxies']}] if matrix_playbook_traefik_role_enabled else []) + + + ([{'name': (devture_traefik_certs_dumper_identifier + '.service'), 'priority': 3500, 'groups': ['matrix', 'traefik-certs-dumper']}] if matrix_playbook_traefik_certs_dumper_role_enabled else []) }} ######################################################################## 
@@ -3361,3 +3365,29 @@ devture_traefik_additional_entrypoints_auto: # /com.devture.ansible.role.traefik # # # ######################################################################## + + +######################################################################## +# # +# com.devture.ansible.role.traefik_certs_dumper # +# # +######################################################################## + +# To completely disable the Traefik certs dumper role from running, use `matrix_playbook_traefik_certs_dumper_role_enabled: false`. +# See the comment there for more details about why we have both `devture_traefik_certs_dumper_enabled` and `matrix_playbook_traefik_certs_dumper_role_enabled`. +devture_traefik_certs_dumper_enabled: "{{ matrix_playbook_traefik_certs_dumper_role_enabled and devture_traefik_enabled }}" + +devture_traefik_certs_dumper_identifier: matrix-traefik-certs-dumper + +devture_traefik_certs_dumper_base_path: "{{ matrix_base_data_path }}/traefik-certs-dumper" + +devture_traefik_certs_dumper_uid: "{{ matrix_user_uid }}" +devture_traefik_certs_dumper_gid: "{{ matrix_user_gid }}" + +devture_traefik_certs_dumper_ssl_dir_path: "{{ devture_traefik_ssl_dir_path }}" + +######################################################################## +# # +# /com.devture.ansible.role.traefik_certs_dumper # +# # +######################################################################## diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index 392a3a0e0..3199f8cfc 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml @@ -118,6 +118,9 @@ - when: matrix_playbook_traefik_role_enabled | bool role: galaxy/com.devture.ansible.role.traefik + - when: matrix_playbook_traefik_certs_dumper_role_enabled | bool + role: galaxy/com.devture.ansible.role.traefik_certs_dumper + - when: devture_systemd_service_manager_enabled | bool role: galaxy/com.devture.ansible.role.systemd_service_manager diff --git a/requirements.yml b/requirements.yml index e0ff1e818..b0dd8d1a3 100644 
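Review bot: `devture_traefik_certs_dumper_uid` and `_gid` hand the dumped certificate tree to `matrix_user_uid`, and the Coturn volumes added in the following commit on this page mount `privatekey.key` out of `devture_traefik_certs_dumper_dumped_certificates_dir_path`, so every container running as the matrix user can read the private keys; the file modes the dumper role applies are not visible here. A comment on those two lines stating that decision, e.g. `# The dumped tree includes private keys; it is owned by the matrix user so services running as that user (Coturn, Postmoogle) can mount them read-only.`, would make the trust boundary explicit for anyone later deciding which roles run under that uid.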
--- a/requirements.yml +++ b/requirements.yml @@ -37,4 +37,7 @@ version: v0.11.1-2 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: b8609fd07c26c89a72fe2934d183af5fd964bc1c + version: c90a0adcdc1de3d00d256e794b095ffbf466bb05 + +- src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git + version: e7563caa814e634d2f8deec4a41e970caa1c0ae4 From d44d4b637f1d01b1957c451e1bf90339e9f7f3bb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Feb 2023 16:06:46 +0200 Subject: [PATCH 349/915] Allow Coturn to work with SSL certificates extracted from Traefik --- group_vars/matrix_servers | 90 ++++++++++++++----- .../systemd/matrix-coturn.service.j2 | 2 +- 2 files changed, 70 insertions(+), 22 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 08e3bf4e7..1d75d2c06 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -43,6 +43,10 @@ matrix_playbook_traefik_certs_dumper_role_enabled: "{{ matrix_playbook_traefik_r # Controls the additional network that reverse-proxyable services will be connected to. matrix_playbook_reverse_proxyable_services_additional_network: "{{ devture_traefik_container_network if devture_traefik_enabled else '' }}" +matrix_playbook_reverse_proxy_type: "{{ 'traefik' if matrix_playbook_traefik_role_enabled else ('nginx-proxy' if matrix_nginx_proxy_enabled else 'none') }}" + +matrix_playbook_ssl_retrieval_method: "{{ 'lets-encrypt' if matrix_playbook_traefik_certs_dumper_role_enabled else matrix_ssl_retrieval_method }}" + ######################################################################## # # # /Playbook # 
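Review bot: `matrix_playbook_ssl_retrieval_method` is fixed to `'lets-encrypt'` whenever the certs-dumper role is enabled, independent of what Traefik's certResolver actually issues; the `*_self_check_validate_certificates` and `matrix_nginx_proxy_ocsp_stapling_enabled` values renamed later in this commit derive from it, so a Traefik deployment using a self-signed or staging resolver would have the self-checks validate certificates and fail. If the Traefik role exposes its resolver or CA choice, deriving this value from it would be more accurate; at minimum a comment recording the assumption, `# Assumes Traefik's certResolver yields publicly-trusted certificates`, is worth adding next to the definition.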
@@ -1908,18 +1912,62 @@ matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" matrix_coturn_turn_static_auth_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'coturn.sas', rounds=655555) | to_uuid }}" -matrix_coturn_tls_enabled: "{{ matrix_ssl_retrieval_method != 'none' }}" -matrix_coturn_tls_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_server_fqn_matrix }}/fullchain.pem" -matrix_coturn_tls_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_server_fqn_matrix }}/privkey.pem" +matrix_coturn_tls_enabled: "{{ matrix_playbook_ssl_retrieval_method != 'none' }}" + +matrix_coturn_tls_cert_path: |- + {{ + { + 'nginx-proxy': '/fullchain.pem', + 'traefik': '/certificate.crt', + }[matrix_playbook_reverse_proxy_type] + }} + +matrix_coturn_tls_key_path: |- + {{ + { + 'nginx-proxy': '/privkey.pem', + 'traefik': '/privatekey.key', + }[matrix_playbook_reverse_proxy_type] + }} + matrix_coturn_container_additional_volumes: | {{ - ([] if matrix_ssl_retrieval_method == 'none' else [ - { - 'src': matrix_ssl_config_dir_path, - 'dst': matrix_ssl_config_dir_path, - 'options': 'ro', - } - ]) + ( + [ + { + 'src': (matrix_ssl_config_dir_path + '/live/' + matrix_server_fqn_matrix + '/fullchain.pem'), + 'dst': '/fullchain.pem', + 'options': 'ro', + }, + { + 'src': (matrix_ssl_config_dir_path + '/live/' + matrix_server_fqn_matrix + '/privkey.pem'), + 'dst': '/privkey.pem', + 'options': 'ro', + }, + ] if matrix_playbook_reverse_proxy_type == 'nginx-proxy' else [] + ) + + + ( + [ + { + 'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/' + matrix_server_fqn_matrix + '/certificate.crt'), + 'dst': '/certificate.crt', + 'options': 'ro', + }, + { + 'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/' + matrix_server_fqn_matrix + '/privatekey.key'), + 'dst': '/privatekey.key', + 'options': 'ro', + }, + ] if matrix_playbook_reverse_proxy_type == 'traefik' and 
matrix_playbook_traefik_certs_dumper_role_enabled else [] + ) + }} + +matrix_coturn_systemd_required_services_list: | + {{ + ['docker.service'] + + + ([devture_traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_server_fqn_matrix + '.service'] if matrix_playbook_reverse_proxy_type == 'traefik' and matrix_playbook_traefik_certs_dumper_role_enabled else []) }} ###################################################################### @@ -2146,7 +2194,7 @@ matrix_ma1sd_threepid_medium_email_connectors_smtp_host: "matrix-mailer" matrix_ma1sd_threepid_medium_email_connectors_smtp_port: 8025 matrix_ma1sd_threepid_medium_email_connectors_smtp_tls: 0 -matrix_ma1sd_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +matrix_ma1sd_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" matrix_ma1sd_systemd_required_services_list: | {{ 
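Review bot: `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path` index a two-key dict with `matrix_playbook_reverse_proxy_type`, which this same commit also defines as `'none'` when neither proxy is enabled, so rendering either variable in that configuration raises a template error even though `matrix_coturn_tls_enabled` may be false; `}.get(matrix_playbook_reverse_proxy_type, '')` in place of the bare `}[matrix_playbook_reverse_proxy_type]` would make both lookups total. The traefik branch of `matrix_coturn_container_additional_volumes` is additionally gated on `matrix_playbook_traefik_certs_dumper_role_enabled`, but the path lookups and `matrix_coturn_tls_enabled` are not, so with Traefik enabled, the dumper disabled and `matrix_ssl_retrieval_method != 'none'`, Coturn is presumably pointed at `/certificate.crt` with nothing mounted there. Gating `matrix_coturn_tls_enabled` on the same dumper condition in the traefik case would keep the three variables consistent. The hunk ends at `matrix_coturn_systemd_required_services_list`, whose surrounding context continues outside this view.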
@@ -2281,12 +2329,12 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}" -matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" # OCSP stapling does not make sense when self-signed certificates are used. # See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1073 # and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1074 -matrix_nginx_proxy_ocsp_stapling_enabled: "{{ matrix_ssl_retrieval_method != 'self-signed' }}" +matrix_nginx_proxy_ocsp_stapling_enabled: "{{ matrix_playbook_ssl_retrieval_method != 'self-signed' }}" matrix_nginx_proxy_systemd_wanted_services_list: | {{ @@ -2768,7 +2816,7 @@ matrix_client_element_integrations_rest_url: "{{ matrix_dimension_integrations_r matrix_client_element_integrations_widgets_urls: "{{ matrix_dimension_integrations_widgets_urls if matrix_dimension_enabled else ['https://scalar.vector.im/api'] }}" matrix_client_element_integrations_jitsi_widget_url: "{{ matrix_dimension_integrations_jitsi_widget_url if matrix_dimension_enabled else 'https://scalar.vector.im/api/widgets/jitsi.html' }}" -matrix_client_element_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +matrix_client_element_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" matrix_client_element_registration_enabled: "{{ matrix_synapse_enable_registration }}" 
@@ -2806,7 +2854,7 @@ matrix_client_hydrogen_container_http_host_bind_port: "{{ '' if matrix_nginx_pro matrix_client_hydrogen_default_hs_url: "{{ matrix_homeserver_url }}" -matrix_client_hydrogen_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +matrix_client_hydrogen_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" ###################################################################### # @@ -2831,7 +2879,7 @@ matrix_client_cinny_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_ matrix_client_cinny_default_hs_url: "{{ matrix_homeserver_url }}" -matrix_client_cinny_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +matrix_client_cinny_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" ###################################################################### # @@ -2899,7 +2947,7 @@ matrix_synapse_turn_uris: | [ 'turns:' + matrix_server_fqn_matrix + '?transport=udp', 'turns:' + matrix_server_fqn_matrix + '?transport=tcp', - ] if matrix_coturn_enabled and matrix_coturn_tls_enabled and matrix_ssl_retrieval_method != 'lets-encrypt' else [] + ] if matrix_coturn_enabled and matrix_coturn_tls_enabled and matrix_playbook_ssl_retrieval_method != 'lets-encrypt' else [] + [ 'turn:' + matrix_server_fqn_matrix + '?transport=udp', @@ -2909,7 +2957,7 @@ matrix_synapse_turn_uris: | matrix_synapse_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}" -matrix_synapse_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +matrix_synapse_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" matrix_synapse_systemd_required_services_list: | {{ 
@@ -3186,7 +3234,7 @@ matrix_registration_shared_secret: |- matrix_registration_server_location: "{{ matrix_homeserver_container_url }}" -matrix_registration_api_validate_certs: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +matrix_registration_api_validate_certs: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" matrix_registration_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" @@ -3251,9 +3299,9 @@ matrix_dendrite_client_api_turn_uris: | matrix_dendrite_client_api_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}" -matrix_dendrite_disable_tls_validation: "{{ true if matrix_ssl_retrieval_method == 'self-signed' else false }}" +matrix_dendrite_disable_tls_validation: "{{ true if matrix_playbook_ssl_retrieval_method == 'self-signed' else false }}" -matrix_dendrite_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +matrix_dendrite_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" matrix_dendrite_trusted_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_ma1sd_enabled else ['matrix.org', 'vector.im'] }}" diff --git a/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index 8c0272cf9..523ad1cca 100644 --- a/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2 
@@ -35,7 +35,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {% endif %} --mount type=bind,src={{ matrix_coturn_config_path }},dst=/turnserver.conf,ro \ {% for volume in matrix_coturn_container_additional_volumes %} - -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ + --mount type=bind,src={{ volume.src }},dst={{ volume.dst }}{{ (',' + volume.options) if volume.options else '' }} \ {% endfor %} {% for arg in matrix_coturn_container_extra_arguments %} {{ arg }} \ From ddf6b2d4eead44547bdc804d10b1940fbd3a6890 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Feb 2023 16:12:19 +0200 Subject: [PATCH 350/915] Handle matrix_playbook_reverse_proxy_type being "none" when deciding on Coturn certificate parameters --- group_vars/matrix_servers | 2 ++ 1 file changed, 2 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 1d75d2c06..92d729d7f 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1919,6 +1919,7 @@ matrix_coturn_tls_cert_path: |- { 'nginx-proxy': '/fullchain.pem', 'traefik': '/certificate.crt', + 'none': '', }[matrix_playbook_reverse_proxy_type] }} @@ -1927,6 +1928,7 @@ matrix_coturn_tls_key_path: |- { 'nginx-proxy': '/privkey.pem', 'traefik': '/privatekey.key', + 'none': '', }[matrix_playbook_reverse_proxy_type] }} From 9a71a5696ba58f3c9278e52a7d926aa8edf58796 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Feb 2023 16:45:03 +0200 Subject: [PATCH 351/915] Allow Postmoogle to work with SSL certificates extracted from Traefik --- group_vars/matrix_servers | 39 ++++++++++++++++++++++++++++++++++++--- 1 file changed, 36 insertions(+), 3 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 92d729d7f..d146b252a 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
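Review bot: Switching the extra volumes from `-v` to `--mount type=bind` changes failure behaviour in a way that deserves a comment: as far as I know Docker refuses to start the container when a `--mount` `src` does not exist, whereas `-v` silently creates an empty directory, so a missing certificate or key file now fails `matrix-coturn.service` at start instead of running coturn against a bogus path. That is the safer outcome, but it makes the ordering on the certs-dumper `wait-for-domain@` unit (added to `matrix_coturn_systemd_required_services_list` in the same commit) load-bearing. I'd add `{# --mount, unlike -v, fails if src is missing: certificate files must exist before start #}` above the loop.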
@@ -1693,9 +1693,40 @@ matrix_bot_postmoogle_enabled: false matrix_bot_postmoogle_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" -matrix_bot_postmoogle_ssl_path: "{{ matrix_ssl_config_dir_path }}" -matrix_bot_postmoogle_tls_cert: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/live/{{ domain }}/fullchain.pem {% endfor %}" -matrix_bot_postmoogle_tls_key: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/live/{{ domain }}/privkey.pem {% endfor %}" +matrix_bot_postmoogle_ssl_path: |- + {{ + { + 'nginx-proxy': (matrix_ssl_config_dir_path if matrix_playbook_ssl_retrieval_method != 'none' else ''), + 'traefik': devture_traefik_certs_dumper_dumped_certificates_dir_path, + 'none': '', + }[matrix_playbook_reverse_proxy_type] + }} + +matrix_playbook_bot_postmoogle_nginx_proxy_tls_cert: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/live/{{ domain }}/fullchain.pem {% endfor %}" +matrix_playbook_bot_postmoogle_nginx_proxy_key: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/live/{{ domain }}/privkey.pem {% endfor %}" + +matrix_playbook_bot_postmoogle_traefik_tls_cert: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/{{ domain }}/certificate.crt {% endfor %}" +matrix_playbook_bot_postmoogle_traefik_key: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/{{ domain }}/privatekey.key {% endfor %}" + +matrix_bot_postmoogle_tls_cert: |- + {{ + { + 'nginx-proxy': (matrix_playbook_bot_postmoogle_nginx_proxy_tls_cert if matrix_playbook_ssl_retrieval_method != 'none' else ''), + 'traefik': matrix_playbook_bot_postmoogle_traefik_tls_cert, + 'none': '', + }[matrix_playbook_reverse_proxy_type] + }} + +matrix_bot_postmoogle_tls_key: |- + {{ + { + 'nginx-proxy': (matrix_playbook_bot_postmoogle_nginx_proxy_key if matrix_playbook_ssl_retrieval_method != 'none' else ''), + 'traefik': matrix_playbook_bot_postmoogle_traefik_key, + 'none': '', + }[matrix_playbook_reverse_proxy_type] + }} + 
+matrix_playbook_bot_postmoogle_traefik_certs_dumper_waiter_services: "{% for domain in matrix_bot_postmoogle_domains %}{{ devture_traefik_certs_dumper_identifier }}-wait-for-domain@{{ domain }}.service {% endfor %}" matrix_bot_postmoogle_systemd_required_services_list: | {{ @@ -1704,6 +1735,8 @@ matrix_bot_postmoogle_systemd_required_services_list: | ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (matrix_playbook_bot_postmoogle_traefik_certs_dumper_waiter_services | trim | split(' ') if matrix_playbook_reverse_proxy_type == 'traefik' and matrix_playbook_traefik_certs_dumper_role_enabled else []) }} # Postgres is the default, except if not using internal Postgres server From 49a1985750aa38786935ec4a70d504199e7831ce Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Feb 2023 16:45:52 +0200 Subject: [PATCH 352/915] Fix Postmoogle systemd service description --- .../templates/systemd/matrix-bot-postmoogle.service.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-postmoogle/templates/systemd/matrix-bot-postmoogle.service.j2 b/roles/custom/matrix-bot-postmoogle/templates/systemd/matrix-bot-postmoogle.service.j2 index f2610600c..ab1177f67 100644 --- a/roles/custom/matrix-bot-postmoogle/templates/systemd/matrix-bot-postmoogle.service.j2 +++ b/roles/custom/matrix-bot-postmoogle/templates/systemd/matrix-bot-postmoogle.service.j2 @@ -1,6 +1,6 @@ #jinja2: lstrip_blocks: "True" [Unit] -Description=Matrix helpdesk bot +Description=Matrix Postmoogle bot {% for service in matrix_bot_postmoogle_systemd_required_services_list %} Requires={{ service }} After={{ service }} From 563cf1a4bafcfe84d3166133e6ed41140949d050 Mon Sep 17 00:00:00 2001 
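Review bot: The `traefik` branches of `matrix_bot_postmoogle_ssl_path`, `matrix_bot_postmoogle_tls_cert` and `matrix_bot_postmoogle_tls_key` do not check `matrix_playbook_traefik_certs_dumper_role_enabled`, while the `nginx-proxy` branches do check `matrix_playbook_ssl_retrieval_method != 'none'` and the coturn volume logic earlier in this series guards its Traefik branch with the dumper flag. With Traefik and no certs dumper, Postmoogle is pointed at `/ssl/<domain>/certificate.crt` and `/ssl/<domain>/privatekey.key` files that nothing produces. I'd mirror the coturn logic, e.g. `'traefik': (devture_traefik_certs_dumper_dumped_certificates_dir_path if matrix_playbook_traefik_certs_dumper_role_enabled else ''),` and the same guard on the cert and key entries.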
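Review bot: `matrix_playbook_bot_postmoogle_traefik_certs_dumper_waiter_services | trim | split(' ')` yields `['']` when `matrix_bot_postmoogle_domains` is empty, which would add an empty entry to `matrix_bot_postmoogle_systemd_required_services_list` and render bare `Requires=`/`After=` lines in the unit (the unit template loops over this list, as the next commit's hunk shows). Whether the domains list can legitimately be empty is not visible here, so this may be theoretical. If it can, filter the empties: `... | trim | split(' ') | reject('equalto', '') | list`.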
From: Catalan Lover Date: Wed, 8 Feb 2023 16:44:12 +0100 Subject: [PATCH 353/915] Initial commit for draupnir. main.yml is not included due to that its changed separately. --- .../custom/matrix-bot-draupnir/tasks/main.yml | 20 ++ .../tasks/setup_install.yml | 74 ++++++ .../tasks/setup_uninstall.yml | 25 ++ .../tasks/validate_config.yml | 9 + .../templates/production.yaml.j2 | 246 ++++++++++++++++++ .../systemd/matrix-bot-mjolnir.service.j2 | 42 +++ 6 files changed, 416 insertions(+) create mode 100644 roles/custom/matrix-bot-draupnir/tasks/main.yml create mode 100644 roles/custom/matrix-bot-draupnir/tasks/setup_install.yml create mode 100644 roles/custom/matrix-bot-draupnir/tasks/setup_uninstall.yml create mode 100644 roles/custom/matrix-bot-draupnir/tasks/validate_config.yml create mode 100644 roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 create mode 100644 roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-mjolnir.service.j2 diff --git a/roles/custom/matrix-bot-draupnir/tasks/main.yml b/roles/custom/matrix-bot-draupnir/tasks/main.yml new file mode 100644 index 000000000..686fe298c --- /dev/null +++ b/roles/custom/matrix-bot-draupnir/tasks/main.yml @@ -0,0 +1,20 @@ +--- + +- block: + - when: matrix_bot_draupnir_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_bot_draupnir_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-bot-draupnir + - install-all + - install-bot-draupnir + +- block: + - when: not matrix_bot_draupnir_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + tags: + - setup-all + - setup-bot-draupnir diff --git a/roles/custom/matrix-bot-draupnir/tasks/setup_install.yml b/roles/custom/matrix-bot-draupnir/tasks/setup_install.yml new file mode 100644 index 000000000..4808f71fc --- /dev/null +++ b/roles/custom/matrix-bot-draupnir/tasks/setup_install.yml 
@@ -0,0 +1,74 @@ +--- + +- ansible.builtin.set_fact: + matrix_bot_draupnir_requires_restart: false + +- name: Ensure matrix-bot-draupnir paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {path: "{{ matrix_bot_draupnir_base_path }}", when: true} + - {path: "{{ matrix_bot_draupnir_config_path }}", when: true} + - {path: "{{ matrix_bot_draupnir_data_path }}", when: true} + - {path: "{{ matrix_bot_draupnir_docker_src_files_path }}", when: "{{ matrix_bot_draupnir_container_image_self_build }}"} + when: "item.when | bool" + +- name: Ensure draupnir Docker image is pulled + community.docker.docker_image: + name: "{{ matrix_bot_draupnir_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_bot_draupnir_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_draupnir_docker_image_force_pull }}" + when: "not matrix_bot_draupnir_container_image_self_build | bool" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- name: Ensure draupnir repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_bot_draupnir_container_image_self_build_repo }}" + dest: "{{ matrix_bot_draupnir_docker_src_files_path }}" + version: "{{ matrix_bot_draupnir_docker_image.split(':')[1] }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_bot_draupnir_git_pull_results + when: "matrix_bot_draupnir_container_image_self_build | bool" + +- name: Ensure draupnir Docker image is built + community.docker.docker_image: + name: "{{ matrix_bot_draupnir_docker_image }}" + 
source: build + force_source: "{{ matrix_bot_draupnir_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_bot_draupnir_docker_src_files_path }}" + pull: true + when: "matrix_bot_draupnir_container_image_self_build | bool" + +- name: Ensure matrix-bot-draupnir config installed + ansible.builtin.copy: + content: "{{ matrix_bot_draupnir_configuration | to_nice_yaml(indent=2, width=999999) }}" + dest: "{{ matrix_bot_draupnir_config_path }}/production.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-bot-draupnir.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-bot-draupnir.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-draupnir.service" + mode: 0644 + register: matrix_bot_draupnir_systemd_service_result + +- name: Ensure matrix-bot-draupnir.service restarted, if necessary + ansible.builtin.service: + name: "matrix-bot-draupnir.service" + state: restarted + daemon_reload: true + when: "matrix_bot_draupnir_requires_restart | bool" diff --git a/roles/custom/matrix-bot-draupnir/tasks/setup_uninstall.yml b/roles/custom/matrix-bot-draupnir/tasks/setup_uninstall.yml new file mode 100644 index 000000000..10583a0bc --- /dev/null +++ b/roles/custom/matrix-bot-draupnir/tasks/setup_uninstall.yml 
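Review bot: `production.yaml` is written with `mode: 0644` even though it carries `accessToken` (rendered from `matrix_bot_draupnir_access_token`), a credential that gives full control of the moderation bot to anyone who can read the file. The directories are created `0750`, which mitigates this, but the file should not rely on directory permissions alone; `mode: 0640` matches the owner/group model already used for the directories. Separately, `matrix_bot_draupnir_requires_restart` is set to `false` at the top and never set to `true` anywhere in this file, so the final restart task is dead code unless some other task flips it; if restarts are delegated to the playbook's systemd service manager, a comment on the `set_fact` saying so would help.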
@@ -0,0 +1,25 @@ +--- + +- name: Check existence of matrix-bot-draupnir service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-draupnir.service" + register: matrix_bot_draupnir_service_stat + +- when: matrix_bot_draupnir_service_stat.stat.exists | bool + block: + - name: Ensure matrix-bot-draupnir is stopped + ansible.builtin.service: + name: matrix-bot-draupnir + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure matrix-bot-draupnir.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-draupnir.service" + state: absent + + - name: Ensure matrix-bot-draupnir paths don't exist + ansible.builtin.file: + path: "{{ matrix_bot_draupnir_base_path }}" + state: absent diff --git a/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml b/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml new file mode 100644 index 000000000..b38281899 --- /dev/null +++ b/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml @@ -0,0 +1,9 @@ +--- + +- name: Fail if required variables are undefined + ansible.builtin.fail: + msg: "The `{{ item }}` variable must be defined and have a non-null value." + with_items: + - "matrix_bot_draupnir_access_token" + - "matrix_bot_draupnir_management_room" + when: "vars[item] == '' or vars[item] is none" diff --git a/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 new file mode 100644 index 000000000..06d88f481 --- /dev/null +++ b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 
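Review bot: `vars[item] == '' or vars[item] is none` raises an undefined-variable error when the variable is missing entirely, so the "must be defined" case the message promises never reaches this friendly text; only the empty-string and null cases do. I'd resolve through a lookup with a default so all three are caught: `when: "lookup('vars', item, default='') | string in ['', 'None']"`. Keep the message printing only the variable name, as it does now, so the access token value is never echoed into the play output.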
@@ -0,0 +1,246 @@ +# Endpoint URL that draupnir uses to interact with the matrix homeserver (client-server API), +# set this to the pantalaimon URL if you're using that. +homeserverUrl: "{{ matrix_homeserver_url }}" + +# Endpoint URL that draupnir could use to fetch events related to reports (client-server API and /_synapse/), +# only set this to the public-internet homeserver client API URL, do NOT set this to the pantalaimon URL. +rawHomeserverUrl: "{{ matrix_homeserver_url }}" + +# Matrix Access Token to use, draupnir will only use this if pantalaimon.use is false. +accessToken: "{{ matrix_bot_draupnir_access_token }}" + +# Options related to Pantalaimon (https://github.com/matrix-org/pantalaimon) +#pantalaimon: +# # Whether or not draupnir will use pantalaimon to access the matrix homeserver, +# # set to `true` if you're using pantalaimon. +# # +# # Be sure to point homeserverUrl to the pantalaimon instance. +# # +# # draupnir will log in using the given username and password once, +# # then store the resulting access token in a file under dataPath. +# use: false +# +# # The username to login with. +# username: draupnir +# +# # The password draupnir will login with. +# # +# # After successfully logging in once, this will be ignored, so this value can be blanked after first startup. +# password: your_password + +# The path draupnir will store its state/data in, leave default ("/data/storage") when using containers. +dataPath: "/data" + +# If true (the default), draupnir will only accept invites from users present in managementRoom. +autojoinOnlyIfManager: true + +# If `autojoinOnlyIfManager` is false, only the members in this space can invite +# the bot to new rooms. +#acceptInvitesFromSpace: "!example:example.org" + +# Whether draupnir should report ignored invites to the management room (if autojoinOnlyIfManager is true). +recordIgnoredInvites: false + +# The room ID (or room alias) of the management room, anyone in this room can issue commands to draupnir. 
+# +# draupnir has no more granular access controls other than this, be sure you trust everyone in this room - secure it! +# +# This should be a room alias or room ID - not a matrix.to URL. +# +# Note: By default, draupnir is fairly verbose - expect a lot of messages in this room. +# (see verboseLogging to adjust this a bit.) +managementRoom: "{{ matrix_bot_draupnir_management_room }}" + +# Whether draupnir should log a lot more messages in the room, +# mainly involves "all-OK" messages, and debugging messages for when draupnir checks bans in a room. +verboseLogging: false + +# The log level of terminal (or container) output, +# can be one of DEBUG, INFO, WARN and ERROR, in increasing order of importance and severity. +# +# This should be at INFO or DEBUG in order to get support for draupnir problems. +logLevel: "INFO" + +# Whether or not draupnir should synchronize policy lists immediately after startup. +# Equivalent to running '!draupnir sync'. +syncOnStartup: true + +# Whether or not draupnir should check moderation permissions in all protected rooms on startup. +# Equivalent to running `!draupnir verify`. +verifyPermissionsOnStartup: true + +# Whether or not draupnir should actually apply bans and policy lists, +# turn on to trial some untrusted configuration or lists. +noop: false + +# Whether draupnir should check member lists quicker (by using a different endpoint), +# keep in mind that enabling this will miss invited (but not joined) users. +# +# Turn on if your bot is in (very) large rooms, or in large amounts of rooms. +fasterMembershipChecks: false + +# A case-insensitive list of ban reasons to have the bot also automatically redact the user's messages for. +# +# If the bot sees you ban a user with a reason that is an (exact case-insensitive) match to this list, +# it will also remove the user's messages automatically. +# +# Typically this is useful to avoid having to give two commands to the bot. 
+# Advanced: Use asterisks to have the reason match using "globs" +# (f.e. "spam*testing" would match "spam for testing" as well as "spamtesting"). +# +# See here for more info: https://www.digitalocean.com/community/tools/glob +# Note: Keep in mind that glob is NOT regex! +automaticallyRedactForReasons: + - "spam" + - "advertising" + +# A list of rooms to protect. draupnir will add this to the list it knows from its account data. +# +# It won't, however, add it to the account data. +# Manually add the room via '!draupnir rooms add' to have it stay protected regardless if this config value changes. +# +# Note: These must be matrix.to URLs +#protectedRooms: +# - "https://matrix.to/#/#yourroom:example.org" + +# Whether or not to add all joined rooms to the "protected rooms" list +# (excluding the management room and watched policy list rooms, see below). +# +# Note that this effectively makes the protectedRooms and associated commands useless +# for regular rooms. +# +# Note: the management room is *excluded* from this condition. +# Explicitly add it as a protected room to protect it. +# +# Note: Ban list rooms the bot is watching but didn't create will not be protected. +# Explicitly add these rooms as a protected room list if you want them protected. +protectAllJoinedRooms: false + +# Increase this delay to have Mjölnir wait longer between two consecutive backgrounded +# operations. The total duration of operations will be longer, but the homeserver won't +# be affected as much. Conversely, decrease this delay to have Mjölnir chain operations +# faster. The total duration of operations will generally be shorter, but the performance +# of the homeserver may be more impacted. +backgroundDelayMS: 500 + +# Server administration commands, these commands will only work if draupnir is +# a global server administrator, and the bot's server is a Synapse instance. 
+#admin: +# # Whether or not draupnir can temporarily take control of any eligible account from the local homeserver who's in the room +# # (with enough permissions) to "make" a user an admin. +# # +# # This only works if a local user with enough admin permissions is present in the room. +# enableMakeRoomAdminCommand: false + +# Misc options for command handling and commands +commands: + # Whether or not the `!draupnir` prefix is necessary to submit commands. + # + # If `true`, will allow commands like `!ban`, `!help`, etc. + # + # Note: draupnir can also be pinged by display name instead of having to use + # the !draupnir prefix. For example, "my_moderator_bot: ban @spammer:example.org" + # will address only my_moderator_bot. + allowNoPrefix: false + + # Any additional bot prefixes that draupnir will listen to. i.e. adding `mod` will allow `!mod help`. + additionalPrefixes: + - "draupnir_bot" + + # Whether or not commands with a wildcard (*) will require an additional `--force` argument + # in the command to be able to be submitted. + confirmWildcardBan: true + +# Configuration specific to certain toggle-able protections +#protections: +# # Configuration for the wordlist plugin, which can ban users based if they say certain +# # blocked words shortly after joining. +# wordlist: +# # A list of case-insensitive keywords that the WordList protection will watch for from new users. +# # +# # WordList will ban users who use these words when first joining a room, so take caution when selecting them. +# # +# # For advanced usage, regex can also be used, see the following links for more information; +# # - https://www.digitalocean.com/community/tutorials/an-introduction-to-regular-expressions +# # - https://regexr.com/ +# # - https://regexone.com/ +# words: +# - "LoReM" +# - "IpSuM" +# - "DoLoR" +# - "aMeT" +# +# # For how long (in minutes) the user is "new" to the WordList plugin. 
+# # +# # After this time, the user will no longer be banned for using a word in the above wordlist. +# # +# # Set to zero to disable the timeout and make users *always* appear "new". +# # (users will always be banned if they say a bad word) +# minutesBeforeTrusting: 20 + +# Options for advanced monitoring of the health of the bot. +health: + # healthz options. These options are best for use in container environments + # like Kubernetes to detect how healthy the service is. The bot will report + # that it is unhealthy until it is able to process user requests. Typically + # this means that it'll flag itself as unhealthy for a number of minutes + # before saying "Now monitoring rooms" and flagging itself healthy. + # + # Health is flagged through HTTP status codes, defined below. + healthz: + # Whether the healthz integration should be enabled (default false) + enabled: false + + # The port to expose the webserver on. Defaults to 8080. + port: 8080 + + # The address to listen for requests on. Defaults to all addresses. + address: "0.0.0.0" + + # The path to expose the monitoring endpoint at. Defaults to `/healthz` + endpoint: "/healthz" + + # The HTTP status code which reports that the bot is healthy/ready to + # process requests. Typically this should not be changed. Defaults to + # 200. + healthyStatus: 200 + + # The HTTP status code which reports that the bot is not healthy/ready. + # Defaults to 418. + unhealthyStatus: 418 + +# Options for exposing web APIs. +#web: +# # Whether to enable web APIs. +# enabled: false +# +# # The port to expose the webserver on. Defaults to 8080. +# port: 8080 +# +# # The address to listen for requests on. Defaults to only the current +# # computer. +# address: localhost +# +# # Alternative setting to open to the entire web. 
Be careful, +# # as this will increase your security perimeter: +# # +# # address: "0.0.0.0" +# +# # A web API designed to intercept Matrix API +# # POST /_matrix/client/r0/rooms/{roomId}/report/{eventId} +# # and display readable abuse reports in the moderation room. +# # +# # If you wish to take advantage of this feature, you will need +# # to configure a reverse proxy, see e.g. test/nginx.conf +# abuseReporting: +# # Whether to enable this feature. +# enabled: false + +# Whether or not to actively poll synapse for abuse reports, to be used +# instead of intercepting client calls to synapse's abuse endpoint, when that +# isn't possible/practical. +pollReports: false + +# Whether or not new reports, received either by webapi or polling, +# should be printed to our managementRoom. +displayReports: false diff --git a/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-mjolnir.service.j2 b/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-mjolnir.service.j2 new file mode 100644 index 000000000..6995bcc39 --- /dev/null +++ b/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-mjolnir.service.j2 
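Review bot: Two comments in the template no longer match what it renders: the `dataPath` comment says to leave the default `"/data/storage"` when using containers, but the value set is `"/data"` (the read-write mount in the unit), and the `backgroundDelayMS` comment still refers to Mjölnir. I'd change the first to `# The path draupnir stores its state in; "/data" is the rw volume mounted by matrix-bot-draupnir.service.` and replace `Mjölnir` with `draupnir` in the second. It is also worth a line above `accessToken`, e.g. `# Sensitive: anyone who can read this file controls the bot - keep it owner/group-readable only.`, since the rendered file is what the install task writes to disk.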
@@ -0,0 +1,42 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Draupnir bot +{% for service in matrix_bot_draupnir_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_bot_draupnir_systemd_required_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-draupnir 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-draupnir 2>/dev/null || true' + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre={{ matrix_host_command_sleep }} 5 + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-bot-draupnir \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_docker_network }} \ + --mount type=bind,src={{ matrix_bot_draupnir_config_path }},dst=/data/config,ro \ + --mount type=bind,src={{ matrix_bot_draupnir_data_path }},dst=/data \ + {% for arg in matrix_bot_draupnir_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_bot_draupnir_docker_image }} + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-draupnir 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-draupnir 2>/dev/null || true' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-bot-draupnir + +[Install] +WantedBy=multi-user.target From 78b1ebd5af15d4acdc3e69a9cf3539cb3452a49c Mon Sep 17 00:00:00 2001 
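Review bot: This file is created as `templates/systemd/matrix-bot-mjolnir.service.j2` (see the `create mode` line and the diff header), but `setup_install.yml` in this same commit loads `{{ role_path }}/templates/systemd/matrix-bot-draupnir.service.j2`, so the install task will fail on a missing template until the file is renamed. Also, `matrix_bot_draupnir_systemd_wanted_services_list` is declared in the role defaults, yet the unit loops over `matrix_bot_draupnir_systemd_required_services_list` for both the `Requires=` and the `Wants=` block; either iterate the wanted list in the `Wants=` loop or drop the unused variable. The container hardening itself looks right: `--cap-drop=ALL`, `--read-only`, a non-root `--user`, and the config directory mounted `ro` with only `/data` writable.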
From: Catalan Lover Date: Wed, 8 Feb 2023 16:44:30 +0100 Subject: [PATCH 354/915] commit main.yml for draupnir and set target ver to develop --- .../matrix-bot-draupnir/defaults/main.yml | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 roles/custom/matrix-bot-draupnir/defaults/main.yml diff --git a/roles/custom/matrix-bot-draupnir/defaults/main.yml b/roles/custom/matrix-bot-draupnir/defaults/main.yml new file mode 100644 index 000000000..cafba72d1 --- /dev/null +++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml 
@@ -0,0 +1,59 @@
+---
+# A moderation tool for Matrix
+# Project source code URL: https://github.com/Gnuxie/Draupnir
+
+matrix_bot_draupnir_enabled: true
+
+matrix_bot_draupnir_version: "develop"
+
+matrix_bot_draupnir_container_image_self_build: false
+matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/Gnuxie/Draupnir.git"
+
+matrix_bot_draupnir_docker_image: "{{ matrix_bot_draupnir_docker_image_name_prefix }}gnuxie/draupnir:{{ matrix_bot_draupnir_version }}"
+matrix_bot_draupnir_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_draupnir_container_image_self_build else matrix_container_global_registry_prefix }}"
+matrix_bot_draupnir_docker_image_force_pull: "{{ matrix_bot_draupnir_docker_image.endswith(':latest') }}"
+
+matrix_bot_draupnir_base_path: "{{ matrix_base_data_path }}/draupnir"
+matrix_bot_draupnir_config_path: "{{ matrix_bot_draupnir_base_path }}/config"
+matrix_bot_draupnir_data_path: "{{ matrix_bot_draupnir_base_path }}/data"
+matrix_bot_draupnir_docker_src_files_path: "{{ matrix_bot_draupnir_base_path }}/docker-src"
+
+# A list of extra arguments to pass to the container
+matrix_bot_draupnir_container_extra_arguments: []
+
+# List of systemd services that matrix-bot-draupnir.service depends on
+matrix_bot_draupnir_systemd_required_services_list: ['docker.service']
+
+# List of systemd services that matrix-bot-draupnir.service wants
+matrix_bot_draupnir_systemd_wanted_services_list: []
+
+# The access token for the bot user
+matrix_bot_draupnir_access_token: ""
+
+# The room ID where people can use the bot. The bot has no access controls, so
+# anyone in this room can use the bot - secure your room!
+# This should be a room alias or room ID - not a matrix.to URL.
+# Note: draupnir is fairly verbose - expect a lot of messages from it.
+matrix_bot_draupnir_management_room: ""
+
+# Default configuration template which covers the generic use case.
+# You can customize it by controlling the various variables inside it.
+#
+# For a more advanced customization, you can extend the default (see `matrix_bot_draupnir_configuration_extension_yaml`)
+# or completely replace this variable with your own template.
+matrix_bot_draupnir_configuration_yaml: "{{ lookup('template', 'templates/production.yaml.j2') }}"
+
+matrix_bot_draupnir_configuration_extension_yaml: |
+ # Your custom YAML configuration goes here.
+ # This configuration extends the default starting configuration (`matrix_bot_draupnir_configuration_yaml`).
+ #
+ # You can override individual variables from the default configuration, or introduce new ones.
+ #
+ # If you need something more special, you can take full control by
+ # completely redefining `matrix_bot_draupnir_configuration_yaml`.
+
+matrix_bot_draupnir_configuration_extension: "{{ matrix_bot_draupnir_configuration_extension_yaml | from_yaml if matrix_bot_draupnir_configuration_extension_yaml | from_yaml is mapping else {} }}"
+
+# Holds the final configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_bot_draupnir_configuration_yaml`.
+matrix_bot_draupnir_configuration: "{{ matrix_bot_draupnir_configuration_yaml | from_yaml | combine(matrix_bot_draupnir_configuration_extension, recursive=True) }}"
From 9092d4bb6b6348b9c7ad068f308f52392ba0e104 Mon Sep 17 00:00:00 2001 From: Catalan Lover Date: Wed, 8 Feb 2023 17:02:59 +0100 Subject: [PATCH 355/915] Push draupnir version from develop to v1.80.0-beta.0 --- roles/custom/matrix-bot-draupnir/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-bot-draupnir/defaults/main.yml b/roles/custom/matrix-bot-draupnir/defaults/main.yml
index cafba72d1..f0aa4da8e 100644
--- a/roles/custom/matrix-bot-draupnir/defaults/main.yml
+++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml
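Review bot: Nothing in this series checks that `matrix_bot_draupnir_access_token` and `matrix_bot_draupnir_management_room` are non-empty when `matrix_bot_draupnir_enabled` is true; both default to `""`, so a host that enables the role without setting them gets a rendered config with an empty token and only finds out at container start. The sibling chatgpt role's `tasks/validate_config.yml`, visible later in this series, is the pattern to copy: a `fail` task looping over those two names with `when: "vars[item.name] == ''"`; I cannot see the draupnir role's tasks here, so if such a check already exists this is moot. The comment on `matrix_bot_draupnir_access_token` should also say what the token is worth — per the docs in this series the account may be a server admin, so the line deserves `# Full control of the bot account (possibly a server admin) - keep this in vault-encrypted vars`.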
@@ -4,7 +4,7 @@ matrix_bot_draupnir_enabled: true -matrix_bot_draupnir_version: "develop" +matrix_bot_draupnir_version: "v1.80.0-beta.0" matrix_bot_draupnir_container_image_self_build: false matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/Gnuxie/Draupnir.git" From 1338963b6cac0273ef078983bac3851fbeedad51 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Feb 2023 18:47:19 +0200 Subject: [PATCH 356/915] Add support for obtaining additional SSL certificates via Traefik --- group_vars/matrix_servers | 2 ++ requirements.yml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index d146b252a..fbc83fa17 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -3443,6 +3443,8 @@ devture_traefik_additional_entrypoints_auto: host_bind_port: "{{ matrix_federation_public_port }}" config: {} +devture_traefik_additional_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}" + ######################################################################## # # # /com.devture.ansible.role.traefik # diff --git a/requirements.yml b/requirements.yml index b0dd8d1a3..1edda46a0 100644 --- a/requirements.yml +++ b/requirements.yml @@ -37,7 +37,7 @@ version: v0.11.1-2 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: c90a0adcdc1de3d00d256e794b095ffbf466bb05 + version: 650adfa75931714d9bc7c596cab71e33a4873a4e - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: e7563caa814e634d2f8deec4a41e970caa1c0ae4 From c71567477a0fb762dae6e56938c682b21e25e99e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Feb 2023 18:48:01 +0200 Subject: [PATCH 357/915] Stop using deprecated matrix_bot_postmoogle_domain variable in group vars --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 6d096dea0..162d6ccc2 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2306,7 +2306,7 @@ matrix_ssl_domains_to_obtain_certificates_for: | + ([matrix_server_fqn_ntfy] if matrix_ntfy_enabled else []) + - ([matrix_bot_postmoogle_domain] if matrix_bot_postmoogle_enabled else []) + (matrix_bot_postmoogle_domains if matrix_bot_postmoogle_enabled else []) + ([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else []) + From 7b42ff4b759afc031cce73218d7199573483e87c Mon Sep 17 00:00:00 2001 From: Catalan Lover Date: Wed, 8 Feb 2023 18:55:08 +0100 Subject: [PATCH 358/915] Finalise moving draupnir to a fully testable state. --- group_vars/matrix_servers | 30 ++++++++++++++++++++++++++++++ playbooks/matrix.yml | 1 + 2 files changed, 31 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 6d096dea0..1c0a14e49 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -189,6 +189,8 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-bot-mjolnir.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'mjolnir']}] if matrix_bot_mjolnir_enabled else []) + + ([{'name': 'matrix-bot-draupnir.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'draupnir']}] if matrix_bot_draupnir_enabled else []) + + ([{'name': 'matrix-bot-postmoogle.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'postmoogle']}] if matrix_bot_postmoogle_enabled else []) + ([{'name': 'matrix-bot-chatgpt.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'chatgpt']}] if matrix_bot_chatgpt_enabled else []) 
@@ -1759,6 +1761,34 @@ matrix_bot_mjolnir_systemd_required_services_list: | # ###################################################################### +###################################################################### +# +# matrix-bot-draupnir +# +###################################################################### + +# We don't enable bots by default. +matrix_bot_draupnir_enabled: false + +matrix_bot_draupnir_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" + +matrix_bot_draupnir_systemd_required_services_list: | + {{ + ['docker.service'] + + + ['matrix-' + matrix_homeserver_implementation + '.service'] + + + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + }} + +###################################################################### +# +# /matrix-bot-draupnir +# +###################################################################### + ###################################################################### # # matrix-backup-borg diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index 7be0d6295..906784548 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml @@ -79,6 +79,7 @@ - custom/matrix-bot-postmoogle - custom/matrix-bot-go-neb - custom/matrix-bot-mjolnir + - custom/matrix-bot-draupnir - custom/matrix-bot-chatgpt - custom/matrix-cactus-comments - custom/matrix-synapse From 79a4e57fbdf9d900e3753bc0cea595c2a5e02bfc Mon Sep 17 00:00:00 2001 From: Catalan Lover Date: Wed, 8 Feb 2023 18:55:27 +0100 Subject: [PATCH 359/915] Add draupnir docs. --- docs/configuring-playbook-bot-draupnir.md | 114 ++++++++++++++++++++++ 1 file changed, 114 insertions(+) create mode 100644 docs/configuring-playbook-bot-draupnir.md diff --git a/docs/configuring-playbook-bot-draupnir.md b/docs/configuring-playbook-bot-draupnir.md new file mode 100644 index 000000000..cbec1c4f0 --- /dev/null +++ b/docs/configuring-playbook-bot-draupnir.md 
@@ -0,0 +1,114 @@ +# Setting up draupnir (optional) + +The playbook can install and configure the [draupnir](https://github.com/Gnuxie/Draupnir) moderation bot for you. + +See the project's [documentation](https://github.com/Gnuxie/Draupnir) to learn what it does and why it might be useful to you. + +If your migrating from Mjolnir skip to step 5b. + +## 1. Register the bot account + +The playbook does not automatically create users for you. The bot requires an access token to be able to connect to your homeserver. + +You **need to register the bot user manually** before setting up the bot. + +Choose a strong password for the bot. You can generate a good password with a command like this: `pwgen -s 64 1`. + +You can use the playbook to [register a new user](registering-users.md): + +``` +ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.draupnir password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user +``` + +If you would like draupnir to be able to deactivate users, move aliases, shutdown rooms, etc then it must be a server admin so you need to change `admin=no` to `admin=yes` in the command above. + + +## 2. Get an access token + +Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md). + + +## 3. Make sure the account is free from rate limiting + +You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step draupnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). This can also be manually done by editing the Synapse database. Manually editing the Synapse database is rarely a good idea. Please ask for help if you are uncomfortable with these steps. + +1. Copy the statement below into a text editor. + + ``` + INSERT INTO ratelimit_override VALUES ('@bot.draupnir:DOMAIN', 0, 0); + ``` + +1. 
Change the username (`@bot.draupnir:DOMAIN`) to the username you used when you registered the bot's account. You must change `DOMAIN` to your server's domain. + +1. Get a database terminal by following these steps: [maintenance-postgres.md#getting-a-database-terminal](maintenance-postgres.md#getting-a-database-terminal) + +1. Connect to Synapse's database by typing `\connect synapse` into the database terminal + +1. Paste in the `INSERT INTO` command that you edited and press enter. + +You can run `SELECT * FROM ratelimit_override;` to see if it worked. If the output looks like this: + +``` + user_id | messages_per_second | burst_count +-----------------------+---------------------+------------- + @bot.draupnir:raim.ist | 0 | 0` +``` +then you did it correctly. + + +## 4. Create a management room + +Using your own account, create a new invite only room that you will use to manage the bot. This is the room where you will see the status of the bot and where you will send commands to the bot, such as the command to ban a user from another room. Anyone in this room can control the bot so it is important that you only invite trusted users to this room. The room must be unencrypted since the playbook does not support installing Pantalaimon yet. + +Once you have created the room you need to copy the room ID so you can tell the bot to use that room. In Element you can do this by going to the room's settings, clicking Advanced, and then coping the internal room ID. The room ID will look something like `!QvgVuKq0ha8glOLGMG:DOMAIN`. + +Finally invite the `@bot.draupnir:DOMAIN` account you created earlier into the room. + + +## 5a. Adjusting the playbook configuration + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs): + +You must replace `ACCESS_TOKEN_FROM_STEP_2_GOES_HERE` and `ROOM_ID_FROM_STEP_4_GOES_HERE` with the your own values. 
+ +```yaml +matrix_bot_draupnir_enabled: true + +matrix_bot_draupnir_access_token: "ACCESS_TOKEN_FROM_STEP_2_GOES_HERE" + +matrix_bot_draupnir_management_room: "ROOM_ID_FROM_STEP_4_GOES_HERE" +``` + +## 5b. Migrating from Mjolnir (Only required if migrating.) + +Replace your matrix_bot_mjolnir config with matrix_bot_draupnir config. Also disable mjolnir if your doing migration. +That is all you need to do due to that Draupnir can complete migration on its own. + +## 6. Installing + +After configuring the playbook, run the [installation](installing.md) command: + +``` +ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start +``` + + +## Usage + +You can refer to the upstream [documentation](https://github.com/Gnuxie/Draupnir) for additional ways to use and configure draupnir. Check out their [quickstart guide](https://github.com/matrix-org/draupnir/blob/main/docs/moderators.md#quick-usage) for some basic commands you can give to the bot. + +You can configure additional options by adding the `matrix_bot_draupnir_configuration_extension_yaml` variable to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file. + +For example to change draupnir's `recordIgnoredInvites` option to `true` you would add the following to your `vars.yml` file. + +```yaml +matrix_bot_draupnir_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_bot_draupnir_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_bot_draupnir_configuration_yaml`. + recordIgnoredInvites: true +``` From a717590aa5e00e988d1c6db0b72b45a0decf3c31 Mon Sep 17 00:00:00 2001 
From: Catalan Lover Date: Wed, 8 Feb 2023 19:53:35 +0100 Subject: [PATCH 360/915] Rename systemd service file from mjolnir to draupnir --- ...trix-bot-mjolnir.service.j2 => matrix-bot-draupnir.service.j2} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename roles/custom/matrix-bot-draupnir/templates/systemd/{matrix-bot-mjolnir.service.j2 => matrix-bot-draupnir.service.j2} (100%) diff --git a/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-mjolnir.service.j2 b/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2 similarity index 100% rename from roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-mjolnir.service.j2 rename to roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2 From ddcb1735e2671344dec7742b6d5726edfaeeecba Mon Sep 17 00:00:00 2001 From: Catalan Lover Date: Wed, 8 Feb 2023 20:05:47 +0100 Subject: [PATCH 361/915] Add draupnir as valid prefix to resolve a bug Current draupnir does not listen to its name. This config change fixes this bug. This bodge is able to be removed once this is fixed upstream. --- roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 index 06d88f481..dcc61b1b5 100644 --- a/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 +++ b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 @@ -146,6 +146,7 @@ commands: # Any additional bot prefixes that draupnir will listen to. i.e. adding `mod` will allow `!mod help`. additionalPrefixes: - "draupnir_bot" + - "draupnir" # Whether or not commands with a wildcard (*) will require an additional `--force` argument # in the command to be able to be submitted. From a5683a64497e3275908bdeabd3e590b5c61320ef Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Thu, 9 Feb 2023 10:12:09 +0200 Subject: [PATCH 362/915] Upgrade com.devture.ansible.role.traefik and rename some variables --- group_vars/matrix_servers | 6 +++--- requirements.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 88800113f..fcc9c84ea 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2300,7 +2300,7 @@ matrix_nginx_proxy_proxy_ntfy_enabled: "{{ matrix_ntfy_enabled }}" matrix_nginx_proxy_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" -matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_config_entrypoint_primary }}" +matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true matrix_nginx_proxy_container_labels_traefik_proxy_element_enabled: "{{ matrix_client_element_enabled }}" @@ -3102,7 +3102,7 @@ prometheus_node_exporter_container_additional_networks: "{{ [matrix_playbook_rev prometheus_node_exporter_container_labels_traefik_enabled: false prometheus_node_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" -prometheus_node_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_config_entrypoint_primary }}" +prometheus_node_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" ###################################################################### # 
@@ -3133,7 +3133,7 @@ prometheus_postgres_exporter_container_additional_networks: "{{ [matrix_playbook prometheus_postgres_exporter_container_labels_traefik_enabled: false prometheus_postgres_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" -prometheus_postgres_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_config_entrypoint_primary }}" +prometheus_postgres_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" prometheus_postgres_exporter_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" prometheus_postgres_exporter_database_username: matrix_prometheus_postgres_exporter diff --git a/requirements.yml b/requirements.yml index 1edda46a0..aa1c14de7 100644 --- a/requirements.yml +++ b/requirements.yml @@ -37,7 +37,7 @@ version: v0.11.1-2 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: 650adfa75931714d9bc7c596cab71e33a4873a4e + version: b52ecc4df030fb99ca547575126baaf916db0743 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: e7563caa814e634d2f8deec4a41e970caa1c0ae4 From c289996cd9a72281263a095fffbc7b95de60bb9e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 9 Feb 2023 10:16:41 +0200 Subject: [PATCH 363/915] Upgrade com.devture.ansible.role.traefik --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index aa1c14de7..1341bbbe2 100644 --- a/requirements.yml +++ b/requirements.yml @@ -37,7 +37,7 @@ version: v0.11.1-2 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: b52ecc4df030fb99ca547575126baaf916db0743 + version: fb09fd26f877372417d5586f1e79e83f983f0bd6 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: e7563caa814e634d2f8deec4a41e970caa1c0ae4 
From 9615855cfa7e86bb3843f5fa2db90a9b3b9a5fc4 Mon Sep 17 00:00:00 2001 From: ntallasv Date: Thu, 9 Feb 2023 14:53:56 +0200 Subject: [PATCH 364/915] update matrix-chatgpt-bot --- roles/custom/matrix-bot-chatgpt/defaults/main.yml | 13 +++++++------ .../matrix-bot-chatgpt/tasks/validate_config.yml | 4 +--- roles/custom/matrix-bot-chatgpt/templates/env.j2 | 11 ++++++----- 3 files changed, 14 insertions(+), 14 deletions(-) diff --git a/roles/custom/matrix-bot-chatgpt/defaults/main.yml b/roles/custom/matrix-bot-chatgpt/defaults/main.yml index 324e64abf..489b22c4a 100644 --- a/roles/custom/matrix-bot-chatgpt/defaults/main.yml +++ b/roles/custom/matrix-bot-chatgpt/defaults/main.yml @@ -9,7 +9,7 @@ matrix_bot_chatgpt_docker_repo: "https://github.com/matrixgpt/matrix-chatgpt-bot matrix_bot_chatgpt_docker_repo_version: "{{ 'latest' if matrix_bot_chatgpt_version == 'latest' else matrix_bot_chatgpt_version }}" matrix_bot_chatgpt_docker_src_files_path: "{{ matrix_base_data_path }}/chatgpt/docker-src" -matrix_bot_chatgpt_version: 1.4.1 +matrix_bot_chatgpt_version: 2.2.1 matrix_bot_chatgpt_docker_image: "{{ matrix_bot_chatgpt_docker_image_name_prefix }}matrixgpt/matrix-chatgpt-bot:{{ matrix_bot_chatgpt_version }}" matrix_bot_chatgpt_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_chatgpt_container_image_self_build else 'ghcr.io/' }}" matrix_bot_chatgpt_docker_image_force_pull: "{{ matrix_bot_chatgpt_docker_image.endswith(':latest') }}" 
@@ -28,13 +28,14 @@ matrix_bot_chatgpt_systemd_required_services_list: ['docker.service'] matrix_bot_chatgpt_systemd_wanted_services_list: [] # ChatGPT Settings -matrix_bot_chatgpt_openai_email: '' # OPENAI_EMAIL= -matrix_bot_chatgpt_openai_password: '' # OPENAI_PASSWORD= -matrix_bot_chatgpt_openai_login_type: 'google' # OPENAI_LOGIN_TYPE="google" -matrix_bot_chatgpt_openai_pro: false # OPENAI_PRO - +matrix_bot_chatgpt_openai_api_key: '' matrix_bot_chatgpt_context: 'thread' # CHATGPT_CONTEXT="thread" +matrix_bot_chatgpt_keyv_backend: 'file' +matrix_bot_chatgpt_keyv_url: '' +matrix_bot_chatgpt_keyv_bot_encryption: false +matrix_bot_chatgpt_keyv_bot_storage: true + # Matrix Static Settings (required, see notes) # Defaults to "https://matrix.org" matrix_bot_chatgpt_matrix_homeserver_url: "{{ matrix_homeserver_container_url }}" # MATRIX_HOMESERVER_URL= diff --git a/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml b/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml index f68d0e5c2..3d30994c8 100644 --- a/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml +++ b/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml @@ -6,7 +6,5 @@ You need to define a required configuration setting (`{{ item.name }}`). when: "item.when | bool and vars[item.name] == ''" with_items: - - {'name': 'matrix_bot_chatgpt_openai_email', when: true} - - {'name': 'matrix_bot_chatgpt_openai_password', when: true} - - {'name': 'matrix_bot_chatgpt_openai_login_type', when: true} + - {'name': 'matrix_bot_chatgpt_openai_api_key', when: true} - {'name': 'matrix_bot_chatgpt_matrix_bot_username', when: true} diff --git a/roles/custom/matrix-bot-chatgpt/templates/env.j2 b/roles/custom/matrix-bot-chatgpt/templates/env.j2 index faf6be713..40b2f9ffe 100644 --- a/roles/custom/matrix-bot-chatgpt/templates/env.j2 +++ b/roles/custom/matrix-bot-chatgpt/templates/env.j2 
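Review bot: The four new `matrix_bot_chatgpt_keyv_*` variables carry no comments, whereas the neighbouring `matrix_bot_chatgpt_context` line and the removed OpenAI lines each named the environment variable they map to; add `# KEYV_BACKEND=`, `# KEYV_URL=`, `# KEYV_BOT_ENCRYPTION=` and `# KEYV_BOT_STORAGE=` trailing comments so the mapping to `env.j2` stays discoverable. The defaults also deserve one sentence on what they imply: `keyv_backend: 'file'` with an empty `keyv_url` presumably keeps bot state in a file inside the container, and `keyv_bot_encryption: false` presumably leaves the bot unable to join encrypted rooms, which decides whether prompts sit in plaintext on the homeserver — both should be confirmed against upstream before being written down. The defaults file continues outside this hunk.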
@@ -1,13 +1,14 @@ MATRIX_HOMESERVER_URL={{ matrix_bot_chatgpt_matrix_homeserver_url }} MATRIX_ACCESS_TOKEN={{ matrix_bot_chatgpt_matrix_access_token }} -OPENAI_EMAIL={{ matrix_bot_chatgpt_openai_email }} -OPENAI_PASSWORD={{ matrix_bot_chatgpt_openai_password }} -OPENAI_LOGIN_TYPE={{ matrix_bot_chatgpt_openai_login_type }} -OPENAI_PRO={{ matrix_bot_chatgpt_openai_pro | to_json }} - +OPENAI_API_KEY={{ matrix_bot_chatgpt_openai_api_key }} CHATGPT_CONTEXT={{ matrix_bot_chatgpt_context }} +KEYV_BACKEND={{ matrix_bot_chatgpt_keyv_backend }} +KEYV_URL={{ matrix_bot_chatgpt_keyv_url }} +KEYV_BOT_ENCRYPTION={{ matrix_bot_chatgpt_keyv_bot_encryption|lower }} +KEYV_BOT_STORAGE={{ matrix_bot_chatgpt_keyv_bot_storage|lower }} + # With the @ and :DOMAIN, ie @SOMETHING:DOMAIN MATRIX_BOT_USERNAME={{ matrix_bot_chatgpt_matrix_bot_username }} MATRIX_BOT_PASSWORD={{ matrix_bot_chatgpt_matrix_bot_password }} From d32f80bf29c8fe3750534e0bf14970c3e1160576 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Thu, 9 Feb 2023 17:43:35 +0000 Subject: [PATCH 365/915] Update postmoogle 0.9.11 -> 0.9.12 * fix uploads from incoming emails into matrix threads * fix emails dequeue (account data cleanup) * rewrite recipients handling (Cc, To, etc.) --- roles/custom/matrix-bot-postmoogle/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-postmoogle/defaults/main.yml b/roles/custom/matrix-bot-postmoogle/defaults/main.yml index 48a2b45c9..9f3dad24b 100644 --- a/roles/custom/matrix-bot-postmoogle/defaults/main.yml +++ b/roles/custom/matrix-bot-postmoogle/defaults/main.yml 
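Review bot: `OPENAI_API_KEY` now sits in this env file alongside `MATRIX_ACCESS_TOKEN` and `MATRIX_BOT_PASSWORD`, and it is a directly billable credential; the task that renders `env.j2` is not in this series, so confirm it writes the file with a restrictive mode (`0640`, owned by the matrix user) and does not log the rendered content. When `KEYV_BACKEND` is anything other than `file`, `KEYV_URL` is presumably a datastore connection string that may embed its own password, so the same argument applies to that line. A template comment above the first secret, `# Secrets below - the rendered file must stay 0640`, would record the expectation for whoever next touches the write task.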
@@ -9,7 +9,7 @@ matrix_bot_postmoogle_docker_repo: "https://gitlab.com/etke.cc/postmoogle.git" matrix_bot_postmoogle_docker_repo_version: "{{ 'main' if matrix_bot_postmoogle_version == 'latest' else matrix_bot_postmoogle_version }}" matrix_bot_postmoogle_docker_src_files_path: "{{ matrix_base_data_path }}/postmoogle/docker-src" -matrix_bot_postmoogle_version: v0.9.11 +matrix_bot_postmoogle_version: v0.9.12 matrix_bot_postmoogle_docker_image: "{{ matrix_bot_postmoogle_docker_image_name_prefix }}etke.cc/postmoogle:{{ matrix_bot_postmoogle_version }}" matrix_bot_postmoogle_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_postmoogle_container_image_self_build else 'registry.gitlab.com/' }}" matrix_bot_postmoogle_docker_image_force_pull: "{{ matrix_bot_postmoogle_docker_image.endswith(':latest') }}" From b7384866844545756ee356ab0a7706b1a6196891 Mon Sep 17 00:00:00 2001 From: ntallasv Date: Fri, 10 Feb 2023 00:13:31 +0200 Subject: [PATCH 366/915] update validate_config.yml --- .../matrix-bot-chatgpt/tasks/validate_config.yml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml b/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml index 3d30994c8..fcf77a8e7 100644 --- a/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml +++ b/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml 
@@ -6,5 +6,17 @@ You need to define a required configuration setting (`{{ item.name }}`). when: "item.when | bool and vars[item.name] == ''" with_items: - - {'name': 'matrix_bot_chatgpt_openai_api_key', when: true} - - {'name': 'matrix_bot_chatgpt_matrix_bot_username', when: true} + - { 'name': 'matrix_bot_chatgpt_openai_api_key', when: true } + - { 'name': 'matrix_bot_chatgpt_matrix_bot_username', when: true } + + +- name: Fail if OpenAI configuration not up-to-date. + ansible.builtin.fail: + msg: >- + Your configuration contains a varible that is no longer used. + Please change your configuration to remove the variable (`{{ item.name }}`). + when: "item.name in vars" + with_items: + - { 'name': 'matrix_bot_chatgpt_openai_email' } + - { 'name': 'matrix_bot_chatgpt_openai_password' } + - { 'name': 'matrix_bot_chatgpt_openai_login_type' } From 4221b64a9805a8c9da3a3dc83b5f87a0bf9fe0f3 Mon Sep 17 00:00:00 2001 From: ntallasv Date: Fri, 10 Feb 2023 00:14:09 +0200 Subject: [PATCH 367/915] update configuring-playbook-bot-chatgpt.md --- docs/configuring-playbook-bot-chatgpt.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/docs/configuring-playbook-bot-chatgpt.md b/docs/configuring-playbook-bot-chatgpt.md index eb0c75966..7a006816d 100644 --- a/docs/configuring-playbook-bot-chatgpt.md +++ b/docs/configuring-playbook-bot-chatgpt.md @@ -32,11 +32,8 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars. ```yaml matrix_bot_chatgpt_enabled: true -# See instructions on -# https://www.npmjs.com/package/chatgpt -matrix_bot_chatgpt_openai_email: '' -matrix_bot_chatgpt_openai_password: '' -matrix_bot_chatgpt_openai_login_type: google +# Obtain a new API key from https://platform.openai.com/account/api-keys +matrix_bot_chatgpt_openai_api_key: '' # This is the default username # matrix_bot_chatgpt_matrix_bot_username_localpart: 'bot.chatgpt' From f71cd3a760657bff3b89ebf172f83c26f94e5834 Mon Sep 17 00:00:00 2001 
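Review bot: The new stale-variable check omits `matrix_bot_chatgpt_openai_pro`, which this same series removes from the role defaults and from `env.j2`, so an operator still setting it gets no failure while the other three removed variables do; add `- {'name': 'matrix_bot_chatgpt_openai_pro'}` to the list. The `msg` also misspells "variable" as `varible`, and since it is shown to operators at failure time it should read `Your configuration contains a variable that is no longer used.`. The first task's `fail` header lies outside the hunk; only its `with_items` entries are touched here.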
From: ntallasv Date: Fri, 10 Feb 2023 00:34:07 +0200 Subject: [PATCH 368/915] fix linting in validate_config.yml --- .../matrix-bot-chatgpt/tasks/validate_config.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml b/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml index fcf77a8e7..ecc2b8d22 100644 --- a/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml +++ b/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml @@ -6,8 +6,8 @@ You need to define a required configuration setting (`{{ item.name }}`). when: "item.when | bool and vars[item.name] == ''" with_items: - - { 'name': 'matrix_bot_chatgpt_openai_api_key', when: true } - - { 'name': 'matrix_bot_chatgpt_matrix_bot_username', when: true } + - {'name': 'matrix_bot_chatgpt_openai_api_key', when: true} + - {'name': 'matrix_bot_chatgpt_matrix_bot_username', when: true} - name: Fail if OpenAI configuration not up-to-date. @@ -17,6 +17,6 @@ Please change your configuration to remove the variable (`{{ item.name }}`). when: "item.name in vars" with_items: - - { 'name': 'matrix_bot_chatgpt_openai_email' } - - { 'name': 'matrix_bot_chatgpt_openai_password' } - - { 'name': 'matrix_bot_chatgpt_openai_login_type' } + - {'name': 'matrix_bot_chatgpt_openai_email'} + - {'name': 'matrix_bot_chatgpt_openai_password'} + - {'name': 'matrix_bot_chatgpt_openai_login_type'} From 0a15e56641b81801fc72c8aab7da0ca4282447fe Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 10 Feb 2023 11:41:44 +0200 Subject: [PATCH 369/915] Fix typo --- docs/configuring-playbook-bot-draupnir.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bot-draupnir.md b/docs/configuring-playbook-bot-draupnir.md index cbec1c4f0..7626db249 100644 --- a/docs/configuring-playbook-bot-draupnir.md +++ b/docs/configuring-playbook-bot-draupnir.md 
@@ -81,7 +81,7 @@ matrix_bot_draupnir_management_room: "ROOM_ID_FROM_STEP_4_GOES_HERE" ## 5b. Migrating from Mjolnir (Only required if migrating.) -Replace your matrix_bot_mjolnir config with matrix_bot_draupnir config. Also disable mjolnir if your doing migration. +Replace your matrix_bot_mjolnir config with matrix_bot_draupnir config. Also disable mjolnir if you're doing migration. That is all you need to do due to that Draupnir can complete migration on its own. ## 6. Installing From 600aaa0bc7db67eff0777d3707f199461d80e749 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 10 Feb 2023 11:52:25 +0200 Subject: [PATCH 370/915] Announce Draupnir support Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2451 --- CHANGELOG.md | 9 +++++++++ docs/configuring-playbook-bot-draupnir.md | 6 +++--- docs/configuring-playbook.md | 2 ++ 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bb62d8dd3..69e932a97 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2023-02-10 + +## Draupnir moderation tool (bot) support + +Thanks to [FSG-Cat](https://github.com/FSG-Cat), the playbook can now install and configure the [Draupnir](https://github.com/Gnuxie/Draupnir) moderation tool (bot). Draupnir is a fork of [Mjolnir](docs/configuring-playbook-bot-mjolnir.md) (which the playbook has supported for a long time) maintained by Mjolnir's former lead developer. + +Additional details are available in [Setting up Draupnir](docs/configuring-playbook-bot-draupnir.md). + + # 2023-02-05 ## The matrix-prometheus-postgres-exporter role lives independently now diff --git a/docs/configuring-playbook-bot-draupnir.md b/docs/configuring-playbook-bot-draupnir.md index 7626db249..6704ad65f 100644 --- a/docs/configuring-playbook-bot-draupnir.md +++ b/docs/configuring-playbook-bot-draupnir.md 
@@ -32,7 +32,7 @@ Refer to the documentation on [how to obtain an access token](obtaining-access-t You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step draupnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). This can also be manually done by editing the Synapse database. Manually editing the Synapse database is rarely a good idea. Please ask for help if you are uncomfortable with these steps. -1. Copy the statement below into a text editor. +1. Copy the statement below into a text editor. ``` INSERT INTO ratelimit_override VALUES ('@bot.draupnir:DOMAIN', 0, 0); @@ -81,8 +81,8 @@ matrix_bot_draupnir_management_room: "ROOM_ID_FROM_STEP_4_GOES_HERE" ## 5b. Migrating from Mjolnir (Only required if migrating.) -Replace your matrix_bot_mjolnir config with matrix_bot_draupnir config. Also disable mjolnir if you're doing migration. -That is all you need to do due to that Draupnir can complete migration on its own. +Replace your matrix_bot_mjolnir config with matrix_bot_draupnir config. Also disable mjolnir if you're doing migration. +That is all you need to do due to that Draupnir can complete migration on its own. ## 6. Installing diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index b2724598a..9ab507630 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md 
@@ -177,6 +177,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Mjolnir](configuring-playbook-bot-mjolnir.md) - a moderation tool/bot (optional) +- [Setting up Draupnir](configuring-playbook-bot-draupnir.md) - a moderation tool/bot (optional), forked from Mjolnir and maintained by its former leader developer + - [Setting up Buscarron](configuring-playbook-bot-buscarron.md) - a bot you can use to send any form (HTTP POST, HTML) to a (encrypted) Matrix room (optional) From 43a6a035a046a95bfaa289bf18b9ecd76c1521db Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 10 Feb 2023 14:16:00 +0200 Subject: [PATCH 371/915] Skip removing /.well-known/element directory to suppress ansible-lint error Leaving an orphan directory is okay and can be improved later on. --- .../tasks/util/setup_jitsi_auth_uvs_uninstall.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml index 229ce896e..5c7425660 100644 --- a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml +++ b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml @@ -10,14 +10,6 @@ - "{{ matrix_jitsi_prosody_auth_matrix_files | map(attribute='path') | map('regex_replace', '^', matrix_jitsi_prosody_plugins_path+'/') | list }}" register: matrix_jitsi_prosody_auth_matrix_user_verification_uninstalled -- name: Remove .well-known/element directory if empty - ansible.builtin.command: - argv: - - rmdir - - "{{ matrix_static_files_base_path }}/.well-known/element" - removes: "{{matrix_static_files_base_path}}/.well-known/element" - ignore_errors: true - - when: matrix_jitsi_prosody_auth_matrix_user_verification_uninstalled.changed block: - name: Populate service facts From e1bfa2a7d632735410d9682e00c8a4ea1f953ba5 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Fri, 10 Feb 2023 14:21:31 +0200 Subject: [PATCH 372/915] Fix ansible-lint-reported errors --- .../custom/matrix-jitsi/tasks/self_check_matrix_auth.yml | 1 + .../tasks/util/setup_jitsi_auth_uvs_uninstall.yml | 2 +- .../tasks/util/setup_jitsi_prosody_post_setup_hooks.yml | 4 ++-- .../matrix-user-verification-service/handlers/main.yml | 2 +- .../tasks/setup_uninstall.yml | 8 ++++---- .../tasks/validate_config.yml | 8 ++++---- 6 files changed, 13 insertions(+), 12 deletions(-) diff --git a/roles/custom/matrix-jitsi/tasks/self_check_matrix_auth.yml b/roles/custom/matrix-jitsi/tasks/self_check_matrix_auth.yml index 68a28ef77..52d865c5d 100644 --- a/roles/custom/matrix-jitsi/tasks/self_check_matrix_auth.yml +++ b/roles/custom/matrix-jitsi/tasks/self_check_matrix_auth.yml @@ -48,6 +48,7 @@ - "--quiet" - "{{ matrix_jitsi_prosody_self_check_uvs_health_url | quote }}" register: matrix_jitsi_prosody_self_check_uvs_result + changed_when: false ignore_errors: true - name: Fail if user verification service is not (reachable and healthy) diff --git a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml index 5c7425660..2559c7e69 100644 --- a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml +++ b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml @@ -16,5 +16,5 @@ ansible.builtin.service_facts: - name: Ensure prosody is restarted later on if currently running - set_fact: + ansible.builtin.set_fact: matrix_jitsi_prosody_require_restart: "{{ true if ansible_facts.services['matrix-jitsi-prosody.service']['state'] == 'running' else false }}" diff --git a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml index 69c18ab32..6be6092a0 100644 
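Review bot: The `| quote` filter on the URL argv item directly above the new `changed_when: false` is misplaced: `argv` hands the arguments to wget without a shell, so shlex-style quoting is unnecessary and, for a health URL containing shell metacharacters such as `?` or `&`, would wrap the argument in literal single quotes and make the probe fail. Drop the filter: `- "{{ matrix_jitsi_prosody_self_check_uvs_health_url }}"`. Since this task is a probe whose result is evaluated by the following `Fail if user verification service is not (reachable and healthy)` task, `failed_when: false` is the usual idiom rather than `ignore_errors: true`, so an unreachable service is not printed as a task error before the real failure message. The task's module line and the earlier argv items are outside the hunk.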
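Review bot: The `ansible_facts.services['matrix-jitsi-prosody.service']['state']` lookup in the `ansible.builtin.set_fact` line fails with an undefined-variable error if that unit is missing from the gathered facts (which seems possible on the uninstall path, where the service may already have been removed), instead of evaluating to false. A tolerant lookup keeps the intent and also drops the redundant `true if ... else false` wrapper: `matrix_jitsi_prosody_require_restart: "{{ ansible_facts.services.get('matrix-jitsi-prosody.service', {}).get('state') == 'running' }}"`.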
--- a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml +++ b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml @@ -16,13 +16,13 @@ - name: Ensure matrix-jitsi-prosody container is running ansible.builtin.systemd: - state: "{{ 'restarted' if matrix_jitsi_prosody_require_restart | d(false) | bool else 'started' }}" + state: "{{ 'restarted' if matrix_jitsi_prosody_require_restart | default(false) | bool else 'started' }}" name: matrix-jitsi-prosody register: matrix_jitsi_prosody_start_result # If the flag was set, we can safely disable now. - name: Disable require restart flag - set_fact: + ansible.builtin.set_fact: matrix_jitsi_prosody_require_restart: false # diff --git a/roles/custom/matrix-user-verification-service/handlers/main.yml b/roles/custom/matrix-user-verification-service/handlers/main.yml index b9ee66d73..b955df806 100644 --- a/roles/custom/matrix-user-verification-service/handlers/main.yml +++ b/roles/custom/matrix-user-verification-service/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: Ensure systemd reloaded after matrix-user-verification-service.service installation - service: + ansible.builtin.service: daemon_reload: true listen: "reload matrix-user-verification-service" diff --git a/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml b/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml index 172bf1863..b61f9cdd2 100644 --- a/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml 
@@ -1,25 +1,25 @@ --- - name: Check existence of matrix-user-verification-service service - stat: + ansible.builtin.stat: path: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}" register: matrix_user_verification_service_service_stat - when: matrix_user_verification_service_service_stat.stat.exists | bool block: - name: Ensure matrix-user-verification-service is stopped - service: + ansible.builtin.service: name: "{{ matrix_user_verification_service_systemd_service_basename }}" state: stopped daemon_reload: true register: stopping_result - name: Ensure matrix-user-verification-service.service doesn't exist - file: + ansible.builtin.file: path: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}" state: absent - name: Ensure Matrix user-verification-service paths don't exist - file: + ansible.builtin.file: path: "{{ matrix_user_verification_service_base_path }}" state: absent diff --git a/roles/custom/matrix-user-verification-service/tasks/validate_config.yml b/roles/custom/matrix-user-verification-service/tasks/validate_config.yml index 40e9090cb..9d7f1be8c 100644 --- a/roles/custom/matrix-user-verification-service/tasks/validate_config.yml +++ b/roles/custom/matrix-user-verification-service/tasks/validate_config.yml 
@@ -1,25 +1,25 @@ --- - name: Verify homeserver_url is not empty - assert: + ansible.builtin.assert: that: - matrix_user_verification_service_uvs_homeserver_url|length > 0 fail_msg: "Missing variable in {{ matrix_user_verification_service_ansible_name }} role" - name: Verify Auth is configured properly or disabled - assert: + ansible.builtin.assert: that: - matrix_user_verification_service_uvs_access_token|length > 0 or not matrix_user_verification_service_uvs_require_auth|bool fail_msg: "If Auth is enabled, a valid (non empty) TOKEN must be given in 'matrix_user_verification_service_uvs_access_token'." - name: Verify server_name for openid verification is given, if pinning a single server_name is enabled. - assert: + ansible.builtin.assert: that: - matrix_user_verification_service_uvs_openid_verify_server_name|length > 0 or not matrix_user_verification_service_uvs_pin_openid_verify_server_name|bool fail_msg: "If pinning a single server_name is enabled, a valid (non empty) server_name must be given in 'matrix_user_verification_service_uvs_openid_verify_server_name'." - name: Verify the homeserver implementation is synapse - assert: + ansible.builtin.assert: that: - matrix_homeserver_implementation == 'synapse' fail_msg: "The User-Verification-Service requires Synapse as homeserver implementation" From f6ab162fff21e59c3b7eb095fb180beb4fc5a309 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 10 Feb 2023 14:22:37 +0200 Subject: [PATCH 373/915] Remove systemd-reloading handler in matrix-user-verification-service None of the other roles use handlers. We rely on com.devture.ansible.role.systemd_service_manager to reload services when it's necessary to do so. --- .../matrix-user-verification-service/handlers/main.yml | 6 ------ .../tasks/setup_install.yml | 1 - 2 files changed, 7 deletions(-) delete mode 100644 roles/custom/matrix-user-verification-service/handlers/main.yml 
diff --git a/roles/custom/matrix-user-verification-service/handlers/main.yml b/roles/custom/matrix-user-verification-service/handlers/main.yml deleted file mode 100644 index b955df806..000000000 --- a/roles/custom/matrix-user-verification-service/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- - -- name: Ensure systemd reloaded after matrix-user-verification-service.service installation - ansible.builtin.service: - daemon_reload: true - listen: "reload matrix-user-verification-service" diff --git a/roles/custom/matrix-user-verification-service/tasks/setup_install.yml b/roles/custom/matrix-user-verification-service/tasks/setup_install.yml index d095c4101..185b4b642 100644 --- a/roles/custom/matrix-user-verification-service/tasks/setup_install.yml +++ b/roles/custom/matrix-user-verification-service/tasks/setup_install.yml @@ -35,4 +35,3 @@ src: "{{ role_path }}/templates/systemd/matrix-user-verification-service.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}" mode: 0644 - notify: "reload matrix-user-verification-service" From 6db3c8f2ad4c81f2b975d8913c104f73568b77d0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 10 Feb 2023 14:26:38 +0200 Subject: [PATCH 374/915] Announce Matrix Authentication Support for Jitsi Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2375 --- CHANGELOG.md | 7 +++++++ docs/configuring-playbook.md | 4 +++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 69e932a97..257f57d9b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,12 @@ # 2023-02-10 +## Matrix Authentication Support for Jitsi + +Thanks to [Jakob S.](https://github.com/jakicoll) ([zakk gGmbH](https://github.com/zakk-it)), Jitsi can now use Matrix for authentication (via [Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service)). + +Additional details are available in the [Authenticate using Matrix OpenID (Auth-Type 'matrix')](docs/configuring-playbook-jitsi.md#authenticate-using-matrix-openid-auth-type-matrix). + + ## Draupnir moderation tool (bot) support Thanks to [FSG-Cat](https://github.com/FSG-Cat), the playbook can now install and configure the [Draupnir](https://github.com/Gnuxie/Draupnir) moderation tool (bot). Draupnir is a fork of [Mjolnir](docs/configuring-playbook-bot-mjolnir.md) (which the playbook has supported for a long time) maintained by Mjolnir's former lead developer. diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 9ab507630..3e904abca 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -99,6 +99,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Matrix Corporal](configuring-playbook-matrix-corporal.md) (optional, advanced) +- [Matrix User Verification Service](docs/configuring-playbook-user-verification-service.md) (optional, advanced) + ### Bridging other networks 
@@ -177,7 +179,7 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Mjolnir](configuring-playbook-bot-mjolnir.md) - a moderation tool/bot (optional) -- [Setting up Draupnir](configuring-playbook-bot-draupnir.md) - a moderation tool/bot (optional), forked from Mjolnir and maintained by its former leader developer +- [Setting up Draupnir](configuring-playbook-bot-draupnir.md) - a moderation tool/bot, forked from Mjolnir and maintained by its former leader developer (optional) - [Setting up Buscarron](configuring-playbook-bot-buscarron.md) - a bot you can use to send any form (HTTP POST, HTML) to a (encrypted) Matrix room (optional) From 29be262f3bda7f10d0769b2dba95fd905045e221 Mon Sep 17 00:00:00 2001 From: Catalan Lover <48515417+FSG-Cat@users.noreply.github.com> Date: Fri, 10 Feb 2023 13:34:16 +0100 Subject: [PATCH 375/915] Fix formating error in Draupnir docs --- docs/configuring-playbook-bot-draupnir.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bot-draupnir.md b/docs/configuring-playbook-bot-draupnir.md index 6704ad65f..11960474a 100644 --- a/docs/configuring-playbook-bot-draupnir.md +++ b/docs/configuring-playbook-bot-draupnir.md @@ -81,7 +81,7 @@ matrix_bot_draupnir_management_room: "ROOM_ID_FROM_STEP_4_GOES_HERE" ## 5b. Migrating from Mjolnir (Only required if migrating.) -Replace your matrix_bot_mjolnir config with matrix_bot_draupnir config. Also disable mjolnir if you're doing migration. +Replace your `matrix_bot_mjolnir` config with `matrix_bot_draupnir` config. Also disable mjolnir if you're doing migration. That is all you need to do due to that Draupnir can complete migration on its own. ## 6. Installing From 28d2eb593cc0b01b4cec70a512990e6df37b9bbd Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Fri, 10 Feb 2023 15:50:35 +0200 Subject: [PATCH 376/915] Add matrix_playbook_reverse_proxy_type variable which influences all other services --- group_vars/matrix_servers | 170 ++++++++++-------- roles/custom/matrix-base/defaults/main.yml | 42 +++++ .../matrix-base/tasks/validate_config.yml | 5 + .../custom/matrix-dendrite/defaults/main.yml | 2 +- 4 files changed, 147 insertions(+), 72 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index fc866f9d2..62771b6c8 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -30,21 +30,19 @@ matrix_playbook_docker_installation_enabled: true # In such cases, you'd like to disable the role in this playbook from bothering with Traefik at all (`matrix_playbook_traefik_role_enabled: false`). # If you used `devture_traefik_enabled: false` + `matrix_playbook_traefik_role_enabled: true` instead, you'd see the Treafik role here # try to delete Traefik data (`/devture-traefik`) installed by the other playbook. -matrix_playbook_traefik_role_enabled: false +matrix_playbook_traefik_role_enabled: true # Controls whether to attach Traefik labels to services. # This is separate from `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`, # because you may wish to disable Traefik installation by the playbook, yet still use Traefik # installed in another way. -matrix_playbook_traefik_labels_enabled: false +matrix_playbook_traefik_labels_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-installed-traefik', 'other-traefik-container'] }}" -matrix_playbook_traefik_certs_dumper_role_enabled: "{{ matrix_playbook_traefik_role_enabled }}" +matrix_playbook_traefik_certs_dumper_role_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-installed-traefik', 'other-traefik-container'] }}" # Controls the additional network that reverse-proxyable services will be connected to. matrix_playbook_reverse_proxyable_services_additional_network: "{{ devture_traefik_container_network if devture_traefik_enabled else '' }}" -matrix_playbook_reverse_proxy_type: "{{ 'traefik' if matrix_playbook_traefik_role_enabled else ('nginx-proxy' if matrix_nginx_proxy_enabled else 'none') }}" - matrix_playbook_ssl_retrieval_method: "{{ 'lets-encrypt' if matrix_playbook_traefik_certs_dumper_role_enabled else matrix_ssl_retrieval_method }}" ######################################################################## 
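Review bot: `matrix_playbook_traefik_role_enabled` is now hard-coded to `true`, while the comment block directly above it still instructs users to set it to `false` when another playbook manages Traefik and warns that `devture_traefik_enabled: false` combined with an enabled role makes the role delete `/devture-traefik`. With the new `other-traefik-container` value of `matrix_playbook_reverse_proxy_type` (whose default now lives in the matrix-base role, outside this hunk), a user selecting that type appears to land in exactly the warned-about state unless the flag is tied to the proxy type. Consider `matrix_playbook_traefik_role_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-installed-traefik' }}"` and rewording the comment to say the flag is derived from the reverse-proxy type and only needs overriding in unusual setups.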
@@ -452,7 +450,7 @@ matrix_appservice_discord_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-discord over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-appservice-discord's client-server port to the local host. -matrix_appservice_discord_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9005' }}" +matrix_appservice_discord_container_http_host_bind_port: "{{ matrix_playbook_service_host_bind_interface_prefix + ':9005' if matrix_playbook_service_host_bind_interface_prefix else '' }}" # If the homeserver disables presence, it's likely better (less wasteful) to also disable presence on the bridge side. matrix_appservice_discord_bridge_disablePresence: "{{ not matrix_synapse_presence_enabled }}" @@ -499,7 +497,7 @@ matrix_appservice_webhooks_container_image_self_build: "{{ matrix_architecture ! # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-webhooks over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-appservice-webhooks' client-server port to the local host. -matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_webhooks_matrix_port) }}" +matrix_appservice_webhooks_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':' ~ matrix_appservice_webhooks_matrix_port) if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_appservice_webhooks_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'webhook.as.token', rounds=655555) | to_uuid }}" 
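Review bot: `matrix_appservice_discord_container_http_host_bind_port` replaces an explicit `127.0.0.1` with `matrix_playbook_service_host_bind_interface_prefix`, whose definition is not in this hunk, so the loopback-only binding now depends entirely on that variable's value; if it is ever set to a non-loopback address, the bridge's appservice listener becomes reachable from the network. A comment on the variable stating that it must be a loopback address, plus a validate_config check rejecting `0.0.0.0` and `::`, would make that contract explicit. The three-line comment above the setting still describes the old `matrix_nginx_proxy_enabled` behaviour and should mention the prefix variable instead. This line also uses `+` for concatenation while the sibling settings use `~`, which coerces both operands to strings and is the safer choice.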
@@ -538,7 +536,7 @@ matrix_appservice_slack_container_image_self_build: "{{ matrix_architecture not # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-slack over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-appservice-slack's client-server port to the local host. -matrix_appservice_slack_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_slack_slack_port) }}" +matrix_appservice_slack_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix + ':' ~ matrix_appservice_slack_slack_port) if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_appservice_slack_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.as.token', rounds=655555) | to_uuid }}" @@ -581,7 +579,7 @@ matrix_appservice_irc_container_image_self_build: "{{ matrix_architecture != 'am # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-irc over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-appservice-irc's client-server port to the local host. -matrix_appservice_irc_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9999' }}" +matrix_appservice_irc_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9999') if matrix_playbook_service_host_bind_interface_prefix else '' }}" # The IRC bridge docs say that if homeserver presence is disabled, it's better to also disable # IRC bridge presence, for performance reasons. 
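Review bot: The new `matrix_appservice_slack_container_http_host_bind_port` expression mixes `+` and `~` in one concatenation (`prefix + ':' ~ port`); `~` alone is the Jinja string-concatenation operator and is what the other rewritten settings in this commit use, so `(matrix_playbook_service_host_bind_interface_prefix ~ ':' ~ matrix_appservice_slack_slack_port)` would be consistent and avoids a type error should the prefix ever be non-string. The comment above the line still refers to `matrix-nginx-proxy` and should be updated to name the prefix variable.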
@@ -837,7 +835,7 @@ matrix_mautrix_facebook_homeserver_token: "{{ '%s' | format(matrix_homeserver_ge matrix_mautrix_facebook_public_endpoint: "/{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'facebook', rounds=655555) | to_uuid }}" -matrix_mautrix_facebook_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9008' }}" +matrix_mautrix_facebook_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9008') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -888,7 +886,7 @@ matrix_mautrix_googlechat_appservice_token: "{{ '%s' | format(matrix_homeserver_ matrix_mautrix_googlechat_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gc.hs.token', rounds=655555) | to_uuid }}" -matrix_mautrix_googlechat_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" +matrix_mautrix_googlechat_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9007') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_mautrix_googlechat_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" 
@@ -930,7 +928,7 @@ matrix_mautrix_hangouts_appservice_token: "{{ '%s' | format(matrix_homeserver_ge matrix_mautrix_hangouts_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ho.hs.token', rounds=655555) | to_uuid }}" -matrix_mautrix_hangouts_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" +matrix_mautrix_hangouts_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9007') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -1077,7 +1075,7 @@ matrix_mautrix_telegram_homeserver_token: "{{ '%s' | format(matrix_homeserver_ge matrix_mautrix_telegram_public_endpoint: "/{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegram', rounds=655555) | to_uuid }}" -matrix_mautrix_telegram_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9006' }}" +matrix_mautrix_telegram_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9006') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_mautrix_telegram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" 
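Review bot: The new `matrix_mautrix_hangouts_container_http_host_bind_port` binds host port 9007, the same port the googlechat bridge's rewritten line in the previous hunk binds; when `matrix_playbook_service_host_bind_interface_prefix` is set and both bridges are enabled, the second container to start fails with a port-already-in-use error. The collision pre-dates this commit (the removed lines carry the same 9007), but this rewrite is the right moment to give one of the two bridges a distinct port number that is not used elsewhere in this file.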
@@ -1252,12 +1250,12 @@ matrix_hookshot_systemd_wanted_services_list: | }} matrix_hookshot_container_http_host_bind_ports_defaultmapping: - - "127.0.0.1:{{ matrix_hookshot_appservice_port }}:{{ matrix_hookshot_appservice_port }}" - - "127.0.0.1:{{ matrix_hookshot_metrics_port }}:{{ matrix_hookshot_metrics_port }}" - - "127.0.0.1:{{ matrix_hookshot_webhook_port }}:{{ matrix_hookshot_webhook_port }}" - - "127.0.0.1:{{ matrix_hookshot_provisioning_port }}:{{ matrix_hookshot_provisioning_port }}" + - "{{ matrix_playbook_service_host_bind_interface_prefix }}{{ matrix_hookshot_appservice_port }}:{{ matrix_hookshot_appservice_port }}" + - "{{ matrix_playbook_service_host_bind_interface_prefix }}{{ matrix_hookshot_metrics_port }}:{{ matrix_hookshot_metrics_port }}" + - "{{ matrix_playbook_service_host_bind_interface_prefix }}{{ matrix_hookshot_webhook_port }}:{{ matrix_hookshot_webhook_port }}" + - "{{ matrix_playbook_service_host_bind_interface_prefix }}{{ matrix_hookshot_provisioning_port }}:{{ matrix_hookshot_provisioning_port }}" -matrix_hookshot_container_http_host_bind_ports: "{{ [] if matrix_nginx_proxy_enabled else matrix_hookshot_container_http_host_bind_ports_defaultmapping }}" +matrix_hookshot_container_http_host_bind_ports: "{{ matrix_hookshot_container_http_host_bind_ports_defaultmapping if matrix_playbook_service_host_bind_interface_prefix else [] }}" matrix_hookshot_provisioning_enabled: "{{ matrix_hookshot_provisioning_secret and matrix_dimension_enabled }}" 
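Review bot: The four `matrix_hookshot_container_http_host_bind_ports_defaultmapping` entries concatenate the prefix and port with no `:` between them (`{{ prefix }}{{ port }}:{{ port }}`), whereas every other setting in this commit writes `prefix ~ ':' ~ port`; with a prefix such as `127.0.0.1` this yields `127.0.0.1PORT:PORT`, which Docker rejects. Either add the separator, e.g. `"{{ matrix_playbook_service_host_bind_interface_prefix }}:{{ matrix_hookshot_appservice_port }}:{{ matrix_hookshot_appservice_port }}"` for each of the four lines, or, if the prefix is meant to carry its own trailing colon, every other setting in this commit is the wrong one — the variable's definition is outside this view, so one of the two conventions must be picked and documented. Note also that the metrics and provisioning ports are host-bound alongside the webhook port, so whatever interface the prefix names exposes those endpoints too.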
@@ -1347,7 +1345,7 @@ matrix_mx_puppet_twitter_homeserver_token: "{{ '%s' | format(matrix_homeserver_g matrix_mx_puppet_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -matrix_mx_puppet_twitter_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_mx_puppet_twitter_appservice_port) }}" +matrix_mx_puppet_twitter_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':' ~ matrix_mx_puppet_twitter_appservice_port) if matrix_playbook_service_host_bind_interface_prefix else '' }}" # Postgres is the default, except if not using internal Postgres server matrix_mx_puppet_twitter_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" @@ -1607,7 +1605,7 @@ matrix_bot_maubot_registration_shared_secret: |- }[matrix_homeserver_implementation] }} -matrix_bot_maubot_management_interface_http_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' + matrix_bot_maubot_management_interface_port | string) }}" +matrix_bot_maubot_management_interface_http_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':' ~ matrix_bot_maubot_management_interface_port | string) if matrix_playbook_service_host_bind_interface_prefix else '' }}" # Postgres is the default, except if not using internal Postgres server matrix_bot_maubot_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" 
@@ -1700,8 +1698,12 @@ matrix_bot_postmoogle_container_image_self_build: "{{ matrix_architecture not in matrix_bot_postmoogle_ssl_path: |- {{ { - 'nginx-proxy': (matrix_ssl_config_dir_path if matrix_playbook_ssl_retrieval_method != 'none' else ''), - 'traefik': devture_traefik_certs_dumper_dumped_certificates_dir_path, + 'playbook-installed-traefik': devture_traefik_certs_dumper_dumped_certificates_dir_path, + 'other-traefik-container': devture_traefik_certs_dumper_dumped_certificates_dir_path, + 'playbook-installed-nginx': (matrix_ssl_config_dir_path if matrix_playbook_ssl_retrieval_method != 'none' else ''), + 'other-nginx-non-container': (matrix_ssl_config_dir_path if matrix_playbook_ssl_retrieval_method != 'none' else ''), + 'other-on-same-host': '', + 'other-on-another-host': '', 'none': '', }[matrix_playbook_reverse_proxy_type] }} @@ -1715,8 +1717,12 @@ matrix_playbook_bot_postmoogle_traefik_key: "{% for domain in matrix_bot_postmoo matrix_bot_postmoogle_tls_cert: |- {{ { - 'nginx-proxy': (matrix_playbook_bot_postmoogle_nginx_proxy_tls_cert if matrix_playbook_ssl_retrieval_method != 'none' else ''), - 'traefik': matrix_playbook_bot_postmoogle_traefik_tls_cert, + 'playbook-installed-traefik': matrix_playbook_bot_postmoogle_traefik_tls_cert, + 'other-traefik-container': matrix_playbook_bot_postmoogle_traefik_tls_cert, + 'playbook-installed-nginx': (matrix_playbook_bot_postmoogle_nginx_proxy_tls_cert if matrix_playbook_ssl_retrieval_method != 'none' else ''), + 'other-nginx-non-container': (matrix_playbook_bot_postmoogle_nginx_proxy_tls_cert if matrix_playbook_ssl_retrieval_method != 'none' else ''), + 'other-on-same-host': '', + 'other-on-another-host': '', 'none': '', }[matrix_playbook_reverse_proxy_type] }} 
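Review bot: For the new `other-on-same-host` and `other-on-another-host` keys, `matrix_bot_postmoogle_ssl_path` and `matrix_bot_postmoogle_tls_cert` resolve to `''`, which presumably leaves the bot's SMTP listener without a certificate when an external reverse proxy is used, even though certificates may well exist on the host in that scenario. A comment on those two keys saying that the operator must supply the certificate path and `matrix_bot_postmoogle_tls_cert`/`_tls_key` manually (and whether postmoogle then runs without TLS) would prevent silent plaintext setups. The dictionary lookup `[matrix_playbook_reverse_proxy_type]` also raises on any value outside the listed keys; if matrix-base's validate_config does not already enumerate the allowed values, that is where the check belongs.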
@@ -1724,8 +1730,12 @@ matrix_bot_postmoogle_tls_cert: |- matrix_bot_postmoogle_tls_key: |- {{ { - 'nginx-proxy': (matrix_playbook_bot_postmoogle_nginx_proxy_key if matrix_playbook_ssl_retrieval_method != 'none' else ''), - 'traefik': matrix_playbook_bot_postmoogle_traefik_key, + 'playbook-installed-traefik': matrix_playbook_bot_postmoogle_traefik_key, + 'other-traefik-container': matrix_playbook_bot_postmoogle_traefik_key, + 'playbook-installed-nginx': (matrix_playbook_bot_postmoogle_nginx_proxy_key if matrix_playbook_ssl_retrieval_method != 'none' else ''), + 'other-nginx-non-container': (matrix_playbook_bot_postmoogle_nginx_proxy_key if matrix_playbook_ssl_retrieval_method != 'none' else ''), + 'other-on-same-host': '', + 'other-on-another-host': '', 'none': '', }[matrix_playbook_reverse_proxy_type] }} @@ -1740,7 +1750,7 @@ matrix_bot_postmoogle_systemd_required_services_list: | + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + - (matrix_playbook_bot_postmoogle_traefik_certs_dumper_waiter_services | trim | split(' ') if matrix_playbook_reverse_proxy_type == 'traefik' and matrix_playbook_traefik_certs_dumper_role_enabled else []) + (matrix_playbook_bot_postmoogle_traefik_certs_dumper_waiter_services | trim | split(' ') if matrix_playbook_reverse_proxy_type in ['playbook-installed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled else []) }} # Postgres is the default, except if not using internal Postgres server 
@@ -1791,7 +1801,7 @@ matrix_bot_go_neb_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_bot_go_neb_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:4050' }}" +matrix_bot_go_neb_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':4050') if matrix_playbook_service_host_bind_interface_prefix else '' }}" ###################################################################### # @@ -1938,8 +1948,8 @@ matrix_corporal_container_image_self_build: "{{ matrix_architecture not in ['amd # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-corporal over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-corporal's web-server ports to the local host. -matrix_corporal_container_http_gateway_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:41080' }}" -matrix_corporal_container_http_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:41081' }}" +matrix_corporal_container_http_gateway_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':41080') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_corporal_container_http_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':41081') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_corporal_systemd_required_services_list: | {{ 
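Review bot: `matrix_corporal_container_http_api_host_bind_port` now binds Corporal's HTTP API (41081) to whatever `matrix_playbook_service_host_bind_interface_prefix` names instead of the former hard-coded `127.0.0.1`; per Corporal's own documentation (not visible here) that API accepts policy changes, so it deserves a stronger guarantee than the gateway port that it stays loopback-only. If the prefix is meant to be configurable beyond loopback, consider keeping `'127.0.0.1:41081'` for the API line or adding a validate_config assertion that the prefix is a loopback address. The comment above the two lines still describes the `matrix-nginx-proxy` condition and should be updated.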
@@ -1982,8 +1992,12 @@ matrix_coturn_tls_enabled: "{{ matrix_playbook_ssl_retrieval_method != 'none' }} matrix_coturn_tls_cert_path: |- {{ { - 'nginx-proxy': '/fullchain.pem', - 'traefik': '/certificate.crt', + 'playbook-installed-traefik': '/certificate.crt', + 'other-traefik-container': '/certificate.crt', + 'playbook-installed-nginx': '/fullchain.pem', + 'other-nginx-non-container': '/fullchain.pem', + 'other-on-same-host': '', + 'other-on-another-host': '', 'none': '', }[matrix_playbook_reverse_proxy_type] }} @@ -1991,8 +2005,12 @@ matrix_coturn_tls_cert_path: |- matrix_coturn_tls_key_path: |- {{ { - 'nginx-proxy': '/privkey.pem', - 'traefik': '/privatekey.key', + 'playbook-installed-traefik': '/privatekey.key', + 'other-traefik-container': '/privatekey.key', + 'playbook-installed-nginx': '/privkey.pem', + 'other-nginx-non-container': '/privkey.pem', + 'other-on-same-host': '', + 'other-on-another-host': '', 'none': '', }[matrix_playbook_reverse_proxy_type] }} @@ -2011,7 +2029,7 @@ matrix_coturn_container_additional_volumes: | 'dst': '/privkey.pem', 'options': 'ro', }, - ] if matrix_playbook_reverse_proxy_type == 'nginx-proxy' else [] + ] if matrix_playbook_reverse_proxy_type in ['playbook-installed-nginx', 'other-nginx-non-container'] else [] ) + ( @@ -2026,7 +2044,7 @@ matrix_coturn_container_additional_volumes: | 'dst': '/privatekey.key', 'options': 'ro', }, - ] if matrix_playbook_reverse_proxy_type == 'traefik' and matrix_playbook_traefik_certs_dumper_role_enabled else [] + ] if matrix_playbook_reverse_proxy_type in ['playbook-installed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled else [] ) }} 
@@ -2034,7 +2052,7 @@ matrix_coturn_systemd_required_services_list: | {{ ['docker.service'] + - ([devture_traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_server_fqn_matrix + '.service'] if matrix_playbook_reverse_proxy_type == 'traefik' and matrix_playbook_traefik_certs_dumper_role_enabled else []) + ([devture_traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_server_fqn_matrix + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-installed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled else []) }} ###################################################################### @@ -2056,7 +2074,7 @@ matrix_dimension_container_image_self_build: "{{ matrix_architecture != 'amd64' # Normally, matrix-nginx-proxy is enabled and nginx can reach Dimension over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the Dimension HTTP port to the local host. -matrix_dimension_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8184' }}" +matrix_dimension_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8184') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_dimension_homeserver_federationUrl: "{{ matrix_homeserver_container_federation_url }}" 
@@ -2090,7 +2108,7 @@ matrix_dimension_database_password: "{{ '%s' | format(matrix_homeserver_generic_ matrix_etherpad_enabled: false -matrix_etherpad_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9001' }}" +matrix_etherpad_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9001') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_etherpad_base_url: "{{ 'https://' + matrix_server_fqn_dimension + matrix_etherpad_public_endpoint if matrix_etherpad_mode == 'dimension' else 'https://' + matrix_server_fqn_etherpad + '/' }}" 
@@ -2151,11 +2169,11 @@ matrix_jitsi_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach jitsi/web over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the Jitsi HTTP port to the local host. -matrix_jitsi_web_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:13080' }}" +matrix_jitsi_web_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':13080') if matrix_playbook_service_host_bind_interface_prefix else '' }}" -matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:13090' }}" +matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':13090') if matrix_playbook_service_host_bind_interface_prefix else '' }}" -matrix_jitsi_prosody_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:5280' }}" +matrix_jitsi_prosody_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':5280') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_jitsi_jibri_xmpp_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jibri', rounds=655555) | to_uuid }}" matrix_jitsi_jicofo_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jicofo', rounds=655555) | to_uuid }}" 
@@ -2245,7 +2263,7 @@ matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach ma1sd over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # ma1sd's web-server port. -matrix_ma1sd_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:' + matrix_ma1sd_container_port | string }}" +matrix_ma1sd_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':' ~ matrix_ma1sd_container_port | string) if matrix_playbook_service_host_bind_interface_prefix else '' }}" # We enable Synapse integration via its Postgres database by default. @@ -2259,7 +2277,7 @@ matrix_ma1sd_dns_overwrite_enabled: true matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" # The `matrix_ma1sd_dns_overwrite_homeserver_client_value` value when matrix_nginx_proxy_enabled is false covers the general case, # but may be inaccurate if matrix-corporal is enabled. -matrix_ma1sd_dns_overwrite_homeserver_client_value: "{{ ('http://' + matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container) if matrix_nginx_proxy_enabled else matrix_homeserver_container_url }}" +matrix_ma1sd_dns_overwrite_homeserver_client_value: "{{ matrix_homeserver_container_url }}" # By default, we send mail through the `matrix-mailer` service. matrix_ma1sd_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}" 
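Review bot: The comment above `matrix_ma1sd_dns_overwrite_homeserver_client_value` still describes a value that varies with `matrix_nginx_proxy_enabled`, but the new line always uses `matrix_homeserver_container_url`. This also means ma1sd now talks to the homeserver container directly even when the proxy is on, whereas the removed line routed it through `matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container`; the old comment's caveat about matrix-corporal suggests that path mattered, so if corporal is meant to gate those requests this presumably needs a corporal-aware branch. Otherwise update the comment to state the new behaviour, e.g. `# ma1sd always talks to the homeserver container directly, regardless of which reverse-proxy is in use.`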
@@ -2301,10 +2319,24 @@ matrix_ma1sd_database_password: "{{ '%s' | format(matrix_homeserver_generic_secr # ###################################################################### -# By default, this playbook sets up a reverse-proxy nginx proxy server on TCP ports 80, 443 and 8448. -# This is fine if you're dedicating the whole server to Matrix. -# If that's not the case, you may wish to disable this and take care of proxying yourself. -matrix_nginx_proxy_enabled: true +# This playbook installs its own nginx if +# - it's explicitly enabled +# - Traefik is in use. Not all services are Traefik-native yet, so we use reverse-proxy to some via a local-only matrix-nginx-proxy +matrix_nginx_proxy_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-installed-nginx', 'playbook-installed-traefik', 'other-traefik-container'] }}" + +# matrix-nginx-proxy is only to handle HTTPS only if it's the chosen reverse-proxy. +# It may be enabled even if it's not chosen. See `matrix_nginx_proxy_enabled`. +matrix_ssl_retrieval_method: "{{ 'lets-encrypt' if matrix_playbook_reverse_proxy_type == 'playbook-installed-nginx' else 'none' }}" +matrix_nginx_proxy_https_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-installed-nginx' }}" + +# matrix-nginx-proxy is to publish ports only if it's the chosen reverse-proxy. +# It may be enabled even if it's not chosen. See `matrix_nginx_proxy_enabled`. 
+matrix_nginx_proxy_container_http_host_bind_port: "{{ '80' if matrix_playbook_reverse_proxy_type == 'playbook-installed-nginx' else '' }}" +matrix_nginx_proxy_container_federation_host_bind_port: "{{ matrix_federation_public_port if matrix_playbook_reverse_proxy_type == 'playbook-installed-nginx' else '' }}" + +# matrix-nginx-proxy is to trust reverse-proxy forwarded protocol and headers, unless it's the "main" (chosen) reverse-proxy +matrix_nginx_proxy_trust_forwarded_proto: "{{ matrix_playbook_reverse_proxy_type != 'playbook-installed-nginx' }}" +matrix_nginx_proxy_x_forwarded_for: "{{ '$remote_addr' if matrix_playbook_reverse_proxy_type == 'playbook-installed-nginx' else '$proxy_add_x_forwarded_for' }}" matrix_nginx_proxy_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" @@ -2399,8 +2431,6 @@ matrix_nginx_proxy_proxy_conduit_federation_api_addr_sans_container: "127.0.0.1: # When matrix-nginx-proxy is disabled, the actual port number that the vhost uses may begin to matter. matrix_nginx_proxy_proxy_matrix_federation_port: "{{ matrix_federation_public_port }}" -matrix_nginx_proxy_container_federation_host_bind_port: "{{ matrix_federation_public_port }}" - matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}" 
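Review bot: `matrix_nginx_proxy_trust_forwarded_proto` and `matrix_nginx_proxy_x_forwarded_for` now make matrix-nginx-proxy trust upstream-supplied forwarded headers whenever it is not the chosen reverse-proxy, which is only safe while the proxy is reachable solely from the Traefik container in front of it. That appears to hold here because `matrix_nginx_proxy_container_http_host_bind_port` and `matrix_nginx_proxy_container_federation_host_bind_port` render to `''` in those modes, but the dependency between the two groups of variables is not written down. Suggest adding above the two trust lines: `# Forwarded headers are trusted only because matrix-nginx-proxy publishes no host ports unless it is the chosen proxy; keep these in sync if that changes.`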
@@ -2828,7 +2858,7 @@ matrix_sygnal_enabled: false # If someone instals Prometheus via the playbook, they most likely wish to monitor Sygnal. matrix_sygnal_metrics_prometheus_enabled: "{{ matrix_prometheus_enabled }}" -matrix_sygnal_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:6000' }}" +matrix_sygnal_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':6000') if matrix_playbook_service_host_bind_interface_prefix else '' }}" ###################################################################### # @@ -2844,7 +2874,7 @@ matrix_sygnal_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enable matrix_ntfy_enabled: false -matrix_ntfy_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:2586' }}" +matrix_ntfy_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':2586') if matrix_playbook_service_host_bind_interface_prefix else '' }}" ###################################################################### # @@ -2881,7 +2911,7 @@ matrix_client_element_container_image_self_build: "{{ matrix_architecture not in # Normally, matrix-nginx-proxy is enabled and nginx can reach Element over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the Element HTTP port to the local host. -matrix_client_element_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8765' }}" +matrix_client_element_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8765') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_client_element_default_hs_url: "{{ matrix_homeserver_url }}" matrix_client_element_default_is_url: "{{ matrix_identity_server_url }}" 
@@ -2926,7 +2956,7 @@ matrix_client_hydrogen_container_image_self_build: "{{ matrix_architecture not i # Normally, matrix-nginx-proxy is enabled and nginx can reach Hydrogen over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the HTTP port to the local host. -matrix_client_hydrogen_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8768' }}" +matrix_client_hydrogen_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8768') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_client_hydrogen_default_hs_url: "{{ matrix_homeserver_url }}" @@ -2951,7 +2981,7 @@ matrix_client_cinny_container_image_self_build: "{{ matrix_architecture not in [ # Normally, matrix-nginx-proxy is enabled and nginx can reach Cinny over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the HTTP port to the local host. -matrix_client_cinny_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8080' }}" +matrix_client_cinny_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8080') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_client_cinny_default_hs_url: "{{ matrix_homeserver_url }}" 
@@ -2980,13 +3010,13 @@ matrix_synapse_account_threepid_delegates_msisdn: "{{ 'http://matrix-ma1sd:' + m matrix_synapse_container_federation_api_tls_host_bind_port: "{{ matrix_federation_public_port if (matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled) else '' }}" # # For exposing the Synapse Metrics API's port (plain HTTP) to the local host. -matrix_synapse_container_metrics_api_host_bind_port: "{{ '127.0.0.1:9100' if (matrix_synapse_metrics_enabled and not matrix_nginx_proxy_enabled) else '' }}" +matrix_synapse_container_metrics_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9100') if matrix_synapse_metrics_enabled and matrix_playbook_service_host_bind_interface_prefix else '' }}" # # For exposing the Synapse Manhole port (plain HTTP) to the local host. -matrix_synapse_container_manhole_api_host_bind_port: "{{ '127.0.0.1:9000' if matrix_synapse_manhole_enabled else '' }}" +matrix_synapse_container_manhole_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9000') if matrix_synapse_metrics_enabled and matrix_playbook_service_host_bind_interface_prefix else '' }}" # # For exposing the Synapse worker (and metrics) ports to the local host. -matrix_synapse_workers_container_host_bind_address: "{{ '127.0.0.1' if (matrix_synapse_workers_enabled and not matrix_nginx_proxy_enabled) else '' }}" +matrix_synapse_workers_container_host_bind_address: "{{ matrix_playbook_service_host_bind_interface_prefix[0:-1] if (matrix_synapse_workers_enabled and matrix_playbook_service_host_bind_interface_prefix) else '' }}" matrix_synapse_database_host: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_synapse_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'synapse.db', rounds=655555) | to_uuid }}" 
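Review bot: The rewritten `matrix_synapse_container_manhole_api_host_bind_port` conditions on `matrix_synapse_metrics_enabled` instead of `matrix_synapse_manhole_enabled` (the removed line used the latter), so the manhole port mapping now follows the metrics toggle rather than its own; it should read `(matrix_playbook_service_host_bind_interface_prefix ~ ':9000') if matrix_synapse_manhole_enabled and matrix_playbook_service_host_bind_interface_prefix else ''`. Separately, with `other-on-another-host` the prefix is `0.0.0.0:`, so the manhole (Synapse's interactive admin shell) and, via `matrix_playbook_service_host_bind_interface_prefix[0:-1]`, the worker and metrics ports would be published on all interfaces; it may be worth keeping the manhole pinned to `127.0.0.1` regardless of the prefix. Whether Synapse actually listens on that port is presumably still bounded by `matrix_synapse_manhole_enabled` elsewhere, but the mapping should not track the metrics flag either way.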
@@ -3075,8 +3105,8 @@ matrix_synapse_reverse_proxy_companion_enabled: "{{ matrix_synapse_enabled }}" matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb: "{{ matrix_synapse_max_upload_size_mb }}" -matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8008' }}" -matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8048' }}" +matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8008') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8048') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_synapse_reverse_proxy_companion_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}" matrix_synapse_reverse_proxy_companion_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}" @@ -3110,7 +3140,7 @@ matrix_synapse_admin_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse Admin over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # Synapse Admin's HTTP port to the local host. -matrix_synapse_admin_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8766' }}" +matrix_synapse_admin_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8766') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_synapse_admin_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" 
@@ -3219,7 +3249,7 @@ matrix_prometheus_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach Prometheus over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # Prometheus' HTTP port to the local host. -matrix_prometheus_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9090' }}" +matrix_prometheus_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':99090005') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_prometheus_scraper_synapse_enabled: "{{ matrix_synapse_enabled and matrix_synapse_metrics_enabled }}" matrix_prometheus_scraper_synapse_targets: ['matrix-synapse:{{ matrix_synapse_metrics_port }}'] @@ -3256,7 +3286,7 @@ matrix_grafana_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach Grafana over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # Grafana's HTTP port to the local host. -matrix_grafana_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:3000' }}" +matrix_grafana_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':3000') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_grafana_dashboard_download_urls: | {{ 
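Review bot: The new `matrix_prometheus_container_http_host_bind_port` appends `':99090005'`, which is not a valid TCP port (the removed line used `9090`); it should read `(matrix_playbook_service_host_bind_interface_prefix ~ ':9090')`. Docker rejects host ports above 65535, so any of the `other-*` reverse-proxy modes with Prometheus enabled would fail at container start rather than bind the wrong port.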
@@ -3295,7 +3325,7 @@ matrix_registration_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-registration over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-registration's HTTP port to the local host. -matrix_registration_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8767' }}" +matrix_registration_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8767') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_registration_riot_instance: "{{ ('https://' + matrix_server_fqn_element) if matrix_client_element_enabled else 'https://riot.im/app/' }}" 
@@ -3346,12 +3376,10 @@ matrix_dendrite_enabled: "{{ matrix_homeserver_implementation == 'dendrite' }}" # you can expose Dendrite's ports to the host. # # For exposing Dendrite's plain HTTP server to the local host. -matrix_dendrite_container_http_host_bind_address: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' + matrix_dendrite_http_bind_port | string) }}" +matrix_dendrite_container_http_host_bind_address: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':' ~ matrix_dendrite_http_bind_port | string) if matrix_playbook_service_host_bind_interface_prefix else '' }}" # # For exposing Dendrite's HTTPS server to the local host. -matrix_dendrite_container_https_host_bind_address: "{{ '' if matrix_nginx_proxy_enabled or not matrix_dendrite_https_bind_port else ('127.0.0.1:' + matrix_dendrite_https_bind_port | string) }}" - -matrix_dendrite_sync_api_real_ip_header: "{{ 'X-Forwarded-For' if matrix_nginx_proxy_enabled else '' }}" +matrix_dendrite_container_https_host_bind_address: "{{ '' if not matrix_dendrite_https_bind_port or not matrix_playbook_service_host_bind_interface_prefix else (matrix_playbook_service_host_bind_interface_prefix + matrix_dendrite_https_bind_port | string) }}" matrix_dendrite_client_api_registration_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.rss', rounds=655555) | to_uuid }}" 
@@ -3486,9 +3514,9 @@ matrix_user_verification_service_systemd_required_services_list: | # If Jitsi is managed by this playbook we can use the docker network - no need to expose a port. # If Jitsi is not managed by this playbook, or you otherwise have a need for it, you can expose -# matrix-user-verfification-services's client-server port to the local host port 3003. +# matrix-user-verfification-services's client-server port to port 3003. # By default Matrix-User-Verification-Service binds to port 3000, which collides with grafana, therefore this uses port 3003. -matrix_user_verification_service_container_http_host_bind_port: "{{ '' if (matrix_jitsi_enabled | bool and matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix') else '127.0.0.1:3003' }}" +matrix_user_verification_service_container_http_host_bind_port: "{{ '' if (matrix_jitsi_enabled | bool and matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix') else matrix_playbook_service_host_bind_interface_prefix ~ ':3003' }}" # URL exposed in the docker network matrix_user_verification_service_container_url: "http://{{ matrix_user_verification_service_container_name }}:3000" @@ -3513,7 +3541,7 @@ matrix_user_verification_service_uvs_auth_token: "{{ '%s' | format(matrix_homese # To completely disable the Traefik role from running, use `matrix_playbook_traefik_role_enabled: false`. # See the comment there for more details about why we have both `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`. -devture_traefik_enabled: "{{ matrix_playbook_traefik_role_enabled }}" +devture_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-installed-traefik' }}" devture_traefik_uid: "{{ matrix_user_uid }}" devture_traefik_gid: "{{ matrix_user_gid }}" diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index 025e7363a..e74fa4f18 100644 --- a/roles/custom/matrix-base/defaults/main.yml 
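Review bot: The new `matrix_user_verification_service_container_http_host_bind_port` is the only consumer in this commit that appends `':3003'` to `matrix_playbook_service_host_bind_interface_prefix` without first checking that the prefix is non-empty; with `playbook-installed-nginx`, `playbook-installed-traefik` or `none` the prefix is `''`, so the value renders as `:3003` instead of disabling the mapping. Whether Docker treats a leading `:` as bind-all or as a parse error, neither is the intended outcome, and the former would expose the service on every interface. Mirror the other services: `... else ((matrix_playbook_service_host_bind_interface_prefix ~ ':3003') if matrix_playbook_service_host_bind_interface_prefix else '')`.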
+++ b/roles/custom/matrix-base/defaults/main.yml 
@@ -265,6 +265,48 @@ matrix_well_known_matrix_support_enabled: false matrix_homeserver_container_extra_arguments_auto: [] matrix_homeserver_app_service_config_files_auto: [] +# Specifies the type of reverse-proxy used by the playbook. +# +# Changing this has an effect on whether a reverse-proxy is installed at all and what its type is, +# as well as how all other services are configured. +# +# Valid options and a description of their behavior: +# +# - `playbook-installed-traefik` +# - the playbook will install devture-traefik for SSL termination +# - it will also install matrix-nginx-proxy in local-only mode, while we migrate the rest of the services to a Traefik-native mode of working +# +# - `playbook-installed-nginx` +# - the playbook will install matrix-nginx-proxy and do SSL termination with Certbot +# +# - `other-traefik-container` +# - Traefik will be used, but it's not installed by this playbook. +# - you should make sure it's compatible with what the playbook would have configured (web, web-secure, matrix-federation entrypoints, etc.) +# - you may wish to set `matrix_playbook_reverse_proxyable_services_additional_network` to the name of your Traefik network +# - you may wish to enable `devture_traefik_certs_dumper_enabled` and point it to your Traefik's SSL certificates (`devture_traefik_certs_dumper_ssl_dir_path`) +# +# - `other-nginx-non-container` +# - the playbook will not install matrix-nginx-proxy +# - however, it will still dump some nginx configuration in /matrix/nginx/conf.d +# - these configs are meant to be included into a locally-installed (without a container) nginx server +# - all container services are exposed locally (e.g. `-p 127.0.0.1:8080:8080`) +# +# - `other-on-same-host` +# - like other-nginx-non-container, but supposedly won't generate useless configuration in /matrix/nginx/conf.d in the future +# +# - `other-on-another-host` +# - like other-on-same-host, but services are exposed on all interfaces (e.g. 
`-p 0.0.0.0:8080:8080`) +# - configurable via `matrix_playbook_service_host_bind_interface_prefix` +# +# - `none` +# - no reverse-proxy will be installed +# - no nginx configuration will be dumped in /matrix/nginx/conf.d +# - no port exposure will be done for any of the container services +# - it's up to you to expose the ports you want, etc. +matrix_playbook_reverse_proxy_type: playbook-installed-nginx + +matrix_playbook_service_host_bind_interface_prefix: "{{ '' if matrix_playbook_reverse_proxy_type not in ['other-nginx-non-container', 'other-on-same-host', 'other-on-another-host'] else ('0.0.0.0:' if matrix_playbook_reverse_proxy_type == 'other-on-another-host' else '127.0.0.1:') }}" + # Variables to Control which parts of our roles run. run_postgres_import: true run_postgres_upgrade: true diff --git a/roles/custom/matrix-base/tasks/validate_config.yml b/roles/custom/matrix-base/tasks/validate_config.yml index b3551e2e3..5f63c1c6b 100644 --- a/roles/custom/matrix-base/tasks/validate_config.yml +++ b/roles/custom/matrix-base/tasks/validate_config.yml 
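Review bot: `matrix_playbook_service_host_bind_interface_prefix` is introduced without a comment stating its shape, and its trailing colon is exactly what most consumers elsewhere in this commit get wrong. Suggest documenting the contract directly above the line: `# Either '' (no host port is published) or an interface plus a trailing colon, e.g. '127.0.0.1:'; consumers append only the port number.` The `none` description above also promises that no port exposure happens, which holds only while every consumer guards on the prefix being non-empty.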
@@ -51,6 +51,11 @@ msg: "Detected that variable matrix_architecture {{ matrix_architecture }} appears to be set incorrectly. See docs/alternative-architectures.md. Server appears to be {{ ansible_architecture }}." when: matrix_architecture not in ['amd64', 'arm32', 'arm64'] +- name: Fail if matrix_playbook_reverse_proxy_type is set incorrectly + ansible.builtin.fail: + msg: "Detected that variable matrix_playbook_reverse_proxy_type (current value: `{{ matrix_playbook_reverse_proxy_type }}`) appears to be set incorrectly. See roles/custom/matrix-base/defaults/main.yml for valid choices." + when: matrix_playbook_reverse_proxy_type not in ['playbook-installed-traefik', 'playbook-installed-nginx', 'other-traefik-container', 'other-nginx-non-container', 'other-on-same-host', 'other-on-another-host', 'none'] + - name: Fail if uppercase domain used ansible.builtin.fail: msg: "Detected that you're using an uppercase domain name - `{{ item }}`. This will cause trouble. Please use all-lowercase!" diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml index 6a495f8f2..5e6d7d3b0 100644 --- a/roles/custom/matrix-dendrite/defaults/main.yml +++ b/roles/custom/matrix-dendrite/defaults/main.yml @@ -84,7 +84,7 @@ matrix_dendrite_max_file_size_bytes: 10485760 # Controls which HTTP header (e.g. 'X-Forwarded-For', 'X-Real-IP') to inspect to find the real remote IP address of the client. # This is likely required if Dendrite is running behind a reverse proxy server. -matrix_dendrite_sync_api_real_ip_header: '' +matrix_dendrite_sync_api_real_ip_header: 'X-Forwarded-For' # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. matrix_dendrite_tmp_directory_size_mb: 500 From c773a005ae3253fc9e22f5bd976e47929addaecc Mon Sep 17 00:00:00 2001 
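Review bot: Defaulting `matrix_dendrite_sync_api_real_ip_header` to `'X-Forwarded-For'` unconditionally (the group_vars line that tied it to `matrix_nginx_proxy_enabled` is removed in this same commit) means Dendrite takes the client address from a request header even in the `none` mode, where per the new docs no reverse-proxy sits in front of it and the header is whatever the client chooses to send. Anything keyed on that address, such as rate limiting or audit logging, can then presumably be spoofed. Suggest keeping the role default at `''` and deriving it in group_vars from the reverse-proxy type, e.g. `matrix_dendrite_sync_api_real_ip_header: "{{ '' if matrix_playbook_reverse_proxy_type == 'none' else 'X-Forwarded-For' }}"`, with a comment noting that users who place their own proxy in front of a `none` deployment should set it explicitly.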
From: Slavi Pantaleev Date: Fri, 10 Feb 2023 16:08:55 +0200 Subject: [PATCH 377/915] Fix broken link to Matrix User Verification Service --- docs/configuring-playbook.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 3e904abca..1f3cb7a4b 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -99,7 +99,7 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Matrix Corporal](configuring-playbook-matrix-corporal.md) (optional, advanced) -- [Matrix User Verification Service](docs/configuring-playbook-user-verification-service.md) (optional, advanced) +- [Matrix User Verification Service](configuring-playbook-user-verification-service.md) (optional, advanced) ### Bridging other networks From a1ef28681ac6e388a869fae6dd43c6262006ad71 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 10 Feb 2023 14:40:50 +0000 Subject: [PATCH 378/915] Update Hydrogen 0.3.6 -> 0.3.7 --- roles/custom/matrix-client-hydrogen/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-hydrogen/defaults/main.yml b/roles/custom/matrix-client-hydrogen/defaults/main.yml index c3f2ab958..6ee304cfa 100644 --- a/roles/custom/matrix-client-hydrogen/defaults/main.yml +++ b/roles/custom/matrix-client-hydrogen/defaults/main.yml 
@@ -6,7 +6,7 @@ matrix_client_hydrogen_enabled: true matrix_client_hydrogen_container_image_self_build: false matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git" -matrix_client_hydrogen_version: v0.3.6 +matrix_client_hydrogen_version: v0.3.7 matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vector-im/hydrogen-web:{{ matrix_client_hydrogen_version }}" matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build else 'ghcr.io/' }}" matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" From 97f65e8dffcf979a296cc99dfecaf744392a0116 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 10 Feb 2023 19:36:06 +0200 Subject: [PATCH 379/915] Minor fixes to allow for Traefik without SSL --- group_vars/matrix_servers | 2 +- roles/custom/matrix-base/defaults/main.yml | 13 ++++++++----- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 62771b6c8..2bcaa73c6 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -38,7 +38,7 @@ matrix_playbook_traefik_role_enabled: true # installed in another way. matrix_playbook_traefik_labels_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-installed-traefik', 'other-traefik-container'] }}" -matrix_playbook_traefik_certs_dumper_role_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-installed-traefik', 'other-traefik-container'] }}" +matrix_playbook_traefik_certs_dumper_role_enabled: "{{ (matrix_playbook_reverse_proxy_type == 'playbook-installed-traefik' and devture_traefik_config_entrypoint_web_secure_enabled) or matrix_playbook_reverse_proxy_type == 'other-traefik-container' }}" # Controls the additional network that reverse-proxyable services will be connected to. matrix_playbook_reverse_proxyable_services_additional_network: "{{ devture_traefik_container_network if devture_traefik_enabled else '' }}" diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index e74fa4f18..7e76a9e78 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml 
@@ -273,16 +273,19 @@ matrix_homeserver_app_service_config_files_auto: [] # Valid options and a description of their behavior: # # - `playbook-installed-traefik` -# - the playbook will install devture-traefik for SSL termination +# - the playbook will install devture-traefik +# - Traefik will do SSL termination, unless you disable it (e.g. `devture_traefik_config_entrypoint_web_secure_enabled: false`) # - it will also install matrix-nginx-proxy in local-only mode, while we migrate the rest of the services to a Traefik-native mode of working # # - `playbook-installed-nginx` -# - the playbook will install matrix-nginx-proxy and do SSL termination with Certbot +# - the playbook will install matrix-nginx-proxy +# - matrix-nginx-proxy will do SSL termination with Certbot, unless you change that (see `matrix_ssl_retrieval_method`) # # - `other-traefik-container` -# - Traefik will be used, but it's not installed by this playbook. -# - you should make sure it's compatible with what the playbook would have configured (web, web-secure, matrix-federation entrypoints, etc.) -# - you may wish to set `matrix_playbook_reverse_proxyable_services_additional_network` to the name of your Traefik network +# - this playbook will not install Traefik +# - nevertheless, the playbook expects that you would install Traefik yourself via other means +# - you should make sure your Traefik configuration is compatible with what the playbook would have configured (web, web-secure, matrix-federation entrypoints, etc.) +# - you need to set `matrix_playbook_reverse_proxyable_services_additional_network` to the name of your Traefik network # - you may wish to enable `devture_traefik_certs_dumper_enabled` and point it to your Traefik's SSL certificates (`devture_traefik_certs_dumper_ssl_dir_path`) # # - `other-nginx-non-container` From 7142ff422dfe8aad313f77f9fd19a51d50799a4f Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Fri, 10 Feb 2023 19:39:15 +0200 Subject: [PATCH 380/915] Ensure matrix_user_verification_service_uvs_access_token is always defined The playbook tries to avoid such variables which are sometimes defined and sometimes not. We'd rather not check for `is defined`. --- roles/custom/matrix-user-verification-service/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-user-verification-service/defaults/main.yml b/roles/custom/matrix-user-verification-service/defaults/main.yml index 52b30a28a..5b3611b88 100644 --- a/roles/custom/matrix-user-verification-service/defaults/main.yml +++ b/roles/custom/matrix-user-verification-service/defaults/main.yml @@ -32,7 +32,7 @@ matrix_user_verification_service_systemd_service_name: "{{ matrix_user_verificat ## REQUIRED # Homeserver client API admin token (synapse only)- Required for the service to verify room membership -# matrix_user_verification_service_uvs_access_token: +matrix_user_verification_service_uvs_access_token: '' # homeserver client api url matrix_user_verification_service_uvs_homeserver_url: "{{ matrix_homeserver_container_url }}" From ad22bdb884e6cda2308412aca5f72e0e53d04216 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 10 Feb 2023 19:39:55 +0200 Subject: [PATCH 381/915] Do not run matrix-user-verification-service validation tasks unless the service is enabled --- roles/custom/matrix-user-verification-service/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-user-verification-service/tasks/main.yml b/roles/custom/matrix-user-verification-service/tasks/main.yml index 926860362..6eaaaf232 100644 --- a/roles/custom/matrix-user-verification-service/tasks/main.yml +++ b/roles/custom/matrix-user-verification-service/tasks/main.yml 
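Review bot: Defaulting `matrix_user_verification_service_uvs_access_token` to `''` means a forgotten value is no longer caught by any `is defined` check, while the comment above still labels it REQUIRED and describes it as a homeserver admin token; unless `validate_config.yml` (not in this hunk) rejects the empty string, the service gets installed with an empty admin token in its configuration and only breaks at runtime. The validation task should therefore fail explicitly on `matrix_user_verification_service_uvs_access_token == ''` with a message naming the variable. The rationale from the commit message belongs next to the default so the next reader does not "fix" it back: `# Deliberately defined-but-empty rather than undefined (the playbook avoids sometimes-defined variables); validation rejects ''.`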
@@ -1,7 +1,7 @@ --- - block: - - when: matrix_jitsi_enabled | bool + - when: run_setup | bool and matrix_user_verification_service_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: run_setup | bool and matrix_user_verification_service_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" From 8309a2130354d407171c489b803d24175c446b2b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 11 Feb 2023 08:44:11 +0200 Subject: [PATCH 382/915] Rename reverse proxy types and fix Hookshot http/https urlPrefix issue --- group_vars/matrix_servers | 52 ++++++++++--------- roles/custom/matrix-base/defaults/main.yml | 6 +-- .../matrix-base/tasks/validate_config.yml | 2 +- 3 files changed, 31 insertions(+), 29 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 2bcaa73c6..5a79ccdcb 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
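Review bot: The validation include now carries exactly the same guard as the `setup_install.yml` include on the next line, so the two conditions can drift apart again on the next edit; if every task in this `block` shares `run_setup | bool and matrix_user_verification_service_enabled | bool`, hoisting it to a block-level `when:` keeps them in lockstep. The block continues past the end of the hunk, so whether the remaining tasks share the guard is not visible here.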
@@ -36,15 +36,17 @@ matrix_playbook_traefik_role_enabled: true # This is separate from `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`, # because you may wish to disable Traefik installation by the playbook, yet still use Traefik # installed in another way. -matrix_playbook_traefik_labels_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-installed-traefik', 'other-traefik-container'] }}" +matrix_playbook_traefik_labels_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" -matrix_playbook_traefik_certs_dumper_role_enabled: "{{ (matrix_playbook_reverse_proxy_type == 'playbook-installed-traefik' and devture_traefik_config_entrypoint_web_secure_enabled) or matrix_playbook_reverse_proxy_type == 'other-traefik-container' }}" +matrix_playbook_traefik_certs_dumper_role_enabled: "{{ (matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' and devture_traefik_config_entrypoint_web_secure_enabled) or matrix_playbook_reverse_proxy_type == 'other-traefik-container' }}" # Controls the additional network that reverse-proxyable services will be connected to. matrix_playbook_reverse_proxyable_services_additional_network: "{{ devture_traefik_container_network if devture_traefik_enabled else '' }}" matrix_playbook_ssl_retrieval_method: "{{ 'lets-encrypt' if matrix_playbook_traefik_certs_dumper_role_enabled else matrix_ssl_retrieval_method }}" +matrix_playbook_ssl_enabled: "{{ matrix_playbook_ssl_retrieval_method in ['lets-encrypt', 'self-signed', 'manually-managed'] }}" + ######################################################################## # # # /Playbook # 
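Review bot: `matrix_playbook_ssl_enabled` hardcodes the list of retrieval methods that count as SSL-enabled, while the existing `matrix_coturn_tls_enabled` (context in the `@@ -1992` hunk of this commit) expresses the same idea as `matrix_playbook_ssl_retrieval_method != 'none'`; the two will diverge the first time a retrieval method is added. If `none` is indeed the only non-SSL value, `matrix_playbook_ssl_enabled: "{{ matrix_playbook_ssl_retrieval_method != 'none' }}"` plus having coturn reference it gives a single source of truth. The new variable also lacks the explanatory comment its neighbours have, e.g. `# Whether the chosen reverse-proxy setup terminates SSL for us. Services that build public URLs (e.g. Hookshot) use this to pick http vs https.`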
@@ -1269,7 +1271,7 @@ matrix_hookshot_metrics_enabled: "{{ matrix_prometheus_enabled }}" matrix_hookshot_urlprefix_port_enabled: "{{ matrix_nginx_proxy_container_https_host_bind_port == 443 if matrix_nginx_proxy_https_enabled else matrix_nginx_proxy_container_https_host_bind_port == 80 }}" matrix_hookshot_urlprefix_port: ":{{ matrix_nginx_proxy_container_https_host_bind_port if matrix_nginx_proxy_https_enabled else matrix_nginx_proxy_container_http_host_bind_port }}" -matrix_hookshot_urlprefix: "http{{ 's' if matrix_nginx_proxy_https_enabled else '' }}://{{ matrix_server_fqn_matrix }}{{ matrix_hookshot_urlprefix_port if matrix_hookshot_urlprefix_port_enabled else '' }}" +matrix_hookshot_urlprefix: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_server_fqn_matrix }}{{ matrix_hookshot_urlprefix_port if matrix_hookshot_urlprefix_port_enabled else '' }}" ###################################################################### # @@ -1698,9 +1700,9 @@ matrix_bot_postmoogle_container_image_self_build: "{{ matrix_architecture not in matrix_bot_postmoogle_ssl_path: |- {{ { - 'playbook-installed-traefik': devture_traefik_certs_dumper_dumped_certificates_dir_path, + 'playbook-managed-traefik': devture_traefik_certs_dumper_dumped_certificates_dir_path, 'other-traefik-container': devture_traefik_certs_dumper_dumped_certificates_dir_path, - 'playbook-installed-nginx': (matrix_ssl_config_dir_path if matrix_playbook_ssl_retrieval_method != 'none' else ''), + 'playbook-managed-nginx': (matrix_ssl_config_dir_path if matrix_playbook_ssl_retrieval_method != 'none' else ''), 'other-nginx-non-container': (matrix_ssl_config_dir_path if matrix_playbook_ssl_retrieval_method != 'none' else ''), 'other-on-same-host': '', 'other-on-another-host': '', 
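Review bot: The scheme in `matrix_hookshot_urlprefix` now follows `matrix_playbook_ssl_enabled`, but the port suffix it appends still comes from `matrix_hookshot_urlprefix_port`/`_port_enabled` on the two lines above, which are derived from `matrix_nginx_proxy_https_enabled` and the nginx `_host_bind_port` variables; for a Traefik setup those are false/empty (see the `@@ -2322` hunk in this commit, where they are tied to `playbook-managed-nginx`), so the scheme and the port suffix no longer agree on which proxy is in front. Deriving the port decision from the same reverse-proxy-type abstraction, or at least documenting that the suffix is only meaningful for `playbook-managed-nginx`, would avoid a half-correct URL. Separately, the pre-existing `else` branch of `_port_enabled` compares `matrix_nginx_proxy_container_https_host_bind_port` with 80, where the http bind port was presumably meant — worth a second look while touching this block.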
@@ -1717,9 +1719,9 @@ matrix_playbook_bot_postmoogle_traefik_key: "{% for domain in matrix_bot_postmoo matrix_bot_postmoogle_tls_cert: |- {{ { - 'playbook-installed-traefik': matrix_playbook_bot_postmoogle_traefik_tls_cert, + 'playbook-managed-traefik': matrix_playbook_bot_postmoogle_traefik_tls_cert, 'other-traefik-container': matrix_playbook_bot_postmoogle_traefik_tls_cert, - 'playbook-installed-nginx': (matrix_playbook_bot_postmoogle_nginx_proxy_tls_cert if matrix_playbook_ssl_retrieval_method != 'none' else ''), + 'playbook-managed-nginx': (matrix_playbook_bot_postmoogle_nginx_proxy_tls_cert if matrix_playbook_ssl_retrieval_method != 'none' else ''), 'other-nginx-non-container': (matrix_playbook_bot_postmoogle_nginx_proxy_tls_cert if matrix_playbook_ssl_retrieval_method != 'none' else ''), 'other-on-same-host': '', 'other-on-another-host': '', @@ -1730,9 +1732,9 @@ matrix_bot_postmoogle_tls_cert: |- matrix_bot_postmoogle_tls_key: |- {{ { - 'playbook-installed-traefik': matrix_playbook_bot_postmoogle_traefik_key, + 'playbook-managed-traefik': matrix_playbook_bot_postmoogle_traefik_key, 'other-traefik-container': matrix_playbook_bot_postmoogle_traefik_key, - 'playbook-installed-nginx': (matrix_playbook_bot_postmoogle_nginx_proxy_key if matrix_playbook_ssl_retrieval_method != 'none' else ''), + 'playbook-managed-nginx': (matrix_playbook_bot_postmoogle_nginx_proxy_key if matrix_playbook_ssl_retrieval_method != 'none' else ''), 'other-nginx-non-container': (matrix_playbook_bot_postmoogle_nginx_proxy_key if matrix_playbook_ssl_retrieval_method != 'none' else ''), 'other-on-same-host': '', 'other-on-another-host': '', 
@@ -1750,7 +1752,7 @@ matrix_bot_postmoogle_systemd_required_services_list: | + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + - (matrix_playbook_bot_postmoogle_traefik_certs_dumper_waiter_services | trim | split(' ') if matrix_playbook_reverse_proxy_type in ['playbook-installed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled else []) + (matrix_playbook_bot_postmoogle_traefik_certs_dumper_waiter_services | trim | split(' ') if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled else []) }} # Postgres is the default, except if not using internal Postgres server @@ -1992,9 +1994,9 @@ matrix_coturn_tls_enabled: "{{ matrix_playbook_ssl_retrieval_method != 'none' }} matrix_coturn_tls_cert_path: |- {{ { - 'playbook-installed-traefik': '/certificate.crt', + 'playbook-managed-traefik': '/certificate.crt', 'other-traefik-container': '/certificate.crt', - 'playbook-installed-nginx': '/fullchain.pem', + 'playbook-managed-nginx': '/fullchain.pem', 'other-nginx-non-container': '/fullchain.pem', 'other-on-same-host': '', 'other-on-another-host': '', @@ -2005,9 +2007,9 @@ matrix_coturn_tls_cert_path: |- matrix_coturn_tls_key_path: |- {{ { - 'playbook-installed-traefik': '/privatekey.key', + 'playbook-managed-traefik': '/privatekey.key', 'other-traefik-container': '/privatekey.key', - 'playbook-installed-nginx': '/privkey.pem', + 'playbook-managed-nginx': '/privkey.pem', 'other-nginx-non-container': '/privkey.pem', 'other-on-same-host': '', 'other-on-another-host': '', @@ -2029,7 +2031,7 @@ matrix_coturn_container_additional_volumes: | 'dst': '/privkey.pem', 'options': 'ro', }, - ] if matrix_playbook_reverse_proxy_type in ['playbook-installed-nginx', 'other-nginx-non-container'] else [] + ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [] ) + ( 
@@ -2044,7 +2046,7 @@ matrix_coturn_container_additional_volumes: | 'dst': '/privatekey.key', 'options': 'ro', }, - ] if matrix_playbook_reverse_proxy_type in ['playbook-installed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled else [] + ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled else [] ) }} @@ -2052,7 +2054,7 @@ matrix_coturn_systemd_required_services_list: | {{ ['docker.service'] + - ([devture_traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_server_fqn_matrix + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-installed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled else []) + ([devture_traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_server_fqn_matrix + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled else []) }} ###################################################################### 
@@ -2322,21 +2324,21 @@ matrix_ma1sd_database_password: "{{ '%s' | format(matrix_homeserver_generic_secr # This playbook installs its own nginx if # - it's explicitly enabled # - Traefik is in use. Not all services are Traefik-native yet, so we use reverse-proxy to some via a local-only matrix-nginx-proxy -matrix_nginx_proxy_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-installed-nginx', 'playbook-installed-traefik', 'other-traefik-container'] }}" +matrix_nginx_proxy_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'playbook-managed-traefik', 'other-traefik-container'] }}" # matrix-nginx-proxy is only to handle HTTPS only if it's the chosen reverse-proxy. # It may be enabled even if it's not chosen. See `matrix_nginx_proxy_enabled`. -matrix_ssl_retrieval_method: "{{ 'lets-encrypt' if matrix_playbook_reverse_proxy_type == 'playbook-installed-nginx' else 'none' }}" -matrix_nginx_proxy_https_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-installed-nginx' }}" +matrix_ssl_retrieval_method: "{{ 'lets-encrypt' if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'none' }}" +matrix_nginx_proxy_https_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' }}" # matrix-nginx-proxy is to publish ports only if it's the chosen reverse-proxy. # It may be enabled even if it's not chosen. See `matrix_nginx_proxy_enabled`. 
-matrix_nginx_proxy_container_http_host_bind_port: "{{ '80' if matrix_playbook_reverse_proxy_type == 'playbook-installed-nginx' else '' }}" -matrix_nginx_proxy_container_federation_host_bind_port: "{{ matrix_federation_public_port if matrix_playbook_reverse_proxy_type == 'playbook-installed-nginx' else '' }}" +matrix_nginx_proxy_container_http_host_bind_port: "{{ '80' if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else '' }}" +matrix_nginx_proxy_container_federation_host_bind_port: "{{ matrix_federation_public_port if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else '' }}" # matrix-nginx-proxy is to trust reverse-proxy forwarded protocol and headers, unless it's the "main" (chosen) reverse-proxy -matrix_nginx_proxy_trust_forwarded_proto: "{{ matrix_playbook_reverse_proxy_type != 'playbook-installed-nginx' }}" -matrix_nginx_proxy_x_forwarded_for: "{{ '$remote_addr' if matrix_playbook_reverse_proxy_type == 'playbook-installed-nginx' else '$proxy_add_x_forwarded_for' }}" +matrix_nginx_proxy_trust_forwarded_proto: "{{ matrix_playbook_reverse_proxy_type != 'playbook-managed-nginx' }}" +matrix_nginx_proxy_x_forwarded_for: "{{ '$remote_addr' if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else '$proxy_add_x_forwarded_for' }}" matrix_nginx_proxy_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" 
@@ -3541,7 +3543,7 @@ matrix_user_verification_service_uvs_auth_token: "{{ '%s' | format(matrix_homese # To completely disable the Traefik role from running, use `matrix_playbook_traefik_role_enabled: false`. # See the comment there for more details about why we have both `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`. -devture_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-installed-traefik' }}" +devture_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' }}" devture_traefik_uid: "{{ matrix_user_uid }}" devture_traefik_gid: "{{ matrix_user_gid }}" diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index 7e76a9e78..8cf63b9ba 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml @@ -272,12 +272,12 @@ matrix_homeserver_app_service_config_files_auto: [] # # Valid options and a description of their behavior: # -# - `playbook-installed-traefik` +# - `playbook-managed-traefik` # - the playbook will install devture-traefik # - Traefik will do SSL termination, unless you disable it (e.g. `devture_traefik_config_entrypoint_web_secure_enabled: false`) # - it will also install matrix-nginx-proxy in local-only mode, while we migrate the rest of the services to a Traefik-native mode of working # -# - `playbook-installed-nginx` +# - `playbook-managed-nginx` # - the playbook will install matrix-nginx-proxy # - matrix-nginx-proxy will do SSL termination with Certbot, unless you change that (see `matrix_ssl_retrieval_method`) # 
@@ -306,7 +306,7 @@ matrix_homeserver_app_service_config_files_auto: [] # - no nginx configuration will be dumped in /matrix/nginx/conf.d # - no port exposure will be done for any of the container services # - it's up to you to expose the ports you want, etc. -matrix_playbook_reverse_proxy_type: playbook-installed-nginx +matrix_playbook_reverse_proxy_type: playbook-managed-nginx matrix_playbook_service_host_bind_interface_prefix: "{{ '' if matrix_playbook_reverse_proxy_type not in ['other-nginx-non-container', 'other-on-same-host', 'other-on-another-host'] else ('0.0.0.0:' if matrix_playbook_reverse_proxy_type == 'other-on-another-host' else '127.0.0.1:') }}" diff --git a/roles/custom/matrix-base/tasks/validate_config.yml b/roles/custom/matrix-base/tasks/validate_config.yml index 5f63c1c6b..cd6d20cdd 100644 --- a/roles/custom/matrix-base/tasks/validate_config.yml +++ b/roles/custom/matrix-base/tasks/validate_config.yml @@ -54,7 +54,7 @@ - name: Fail if matrix_playbook_reverse_proxy_type is set incorrectly ansible.builtin.fail: msg: "Detected that variable matrix_playbook_reverse_proxy_type (current value: `{{ matrix_playbook_reverse_proxy_type }}`) appears to be set incorrectly. See roles/custom/matrix-base/defaults/main.yml for valid choices." - when: matrix_playbook_reverse_proxy_type not in ['playbook-installed-traefik', 'playbook-installed-nginx', 'other-traefik-container', 'other-nginx-non-container', 'other-on-same-host', 'other-on-another-host', 'none'] + when: matrix_playbook_reverse_proxy_type not in ['playbook-managed-traefik', 'playbook-managed-nginx', 'other-traefik-container', 'other-nginx-non-container', 'other-on-same-host', 'other-on-another-host', 'none'] - name: Fail if uppercase domain used ansible.builtin.fail: From f37a7a21f17ff8b1b7c7f38eea3f63ecd2dfc04f Mon Sep 17 00:00:00 2001 
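Review bot: Users who already set `matrix_playbook_reverse_proxy_type` to one of the old `playbook-installed-*` values will now hit the generic "set incorrectly" failure in `validate_config.yml` with no hint that the value was merely renamed; since the old names existed in this tree until this commit, the `msg` could add `Note: playbook-installed-traefik/nginx were renamed to playbook-managed-traefik/nginx.` The list of valid values is now maintained both in this `when` and in the documented options in `roles/custom/matrix-base/defaults/main.yml`, so keep the two in sync when the next type is added.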
From: Slavi Pantaleev Date: Sat, 11 Feb 2023 08:53:32 +0200 Subject: [PATCH 383/915] Delay Postmoogle startup to help Traefik-based setups --- group_vars/matrix_servers | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 5a79ccdcb..5b206d918 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -199,6 +199,9 @@ matrix_homeserver_app_service_config_files_auto: | # - so that, when the reverse-proxy is up (Matrix is up), all bots and bridges can be interacted with # - monitoring services (Prometheus, Grafana, ..) get a level of 4000 - they can start later than all-of-Matrix # - services which aren't time-sensitive (various crons and timers) get a level of 5000 - they can start later than all-of-Matrix +# +# `matrix-bot-postmoogle.service` has a higher priority number (4000), unlike other bots' priority (2200), +# because it requires SSL certificates. If Traefik is used, then Postmoogle needs to start at least after Traefik (3500) and Traefik certs dumper (3500). devture_systemd_service_manager_services_list_auto: | {{ ([{'name': 'matrix-backup-borg.timer', 'priority': 5000, 'groups': ['matrix', 'backup', 'borg']}] if matrix_backup_borg_enabled else []) @@ -219,7 +222,7 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-bot-draupnir.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'draupnir']}] if matrix_bot_draupnir_enabled else []) + - ([{'name': 'matrix-bot-postmoogle.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'postmoogle']}] if matrix_bot_postmoogle_enabled else []) + ([{'name': 'matrix-bot-postmoogle.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'postmoogle']}] if matrix_bot_postmoogle_enabled else []) + ([{'name': 'matrix-bot-chatgpt.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'chatgpt']}] if matrix_bot_chatgpt_enabled else []) + 
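Review bot: The new comment justifies priority 4000 by Traefik and the certs dumper (3500), but `matrix_bot_postmoogle_systemd_required_services_list` (context in the `@@ -1750` hunk of the previous commit) already adds the certs-dumper `-wait-for-domain@` waiter services as required services when Traefik is in use, so ordering is presumably enforced by systemd dependencies as well as by the priority number; saying which mechanism is authoritative would help the next person who tunes these numbers. A suggested addition to the comment: `# (matrix_bot_postmoogle_systemd_required_services_list also makes the unit wait for the certs dumper; the priority here only affects the service manager's start order.)`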
From 94be74e633e8141d3cbe784537d4dcc8f59d9d9e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 11 Feb 2023 08:54:07 +0200 Subject: [PATCH 384/915] Improve traefik-certs-dumper defaults for other-traefik-container setups We'd like to auto-enable traefik-certs-dumper for these setups. `devture_traefik_certs_dumper_ssl_dir_path` will be empty though, so the role's validation will point people in the right direction. --- group_vars/matrix_servers | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 5b206d918..df095b888 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -3574,7 +3574,7 @@ devture_traefik_additional_domains_to_obtain_certificates_for: "{{ matrix_ssl_ad # To completely disable the Traefik certs dumper role from running, use `matrix_playbook_traefik_certs_dumper_role_enabled: false`. # See the comment there for more details about why we have both `devture_traefik_certs_dumper_enabled` and `matrix_playbook_traefik_certs_dumper_role_enabled`. -devture_traefik_certs_dumper_enabled: "{{ matrix_playbook_traefik_certs_dumper_role_enabled and devture_traefik_enabled }}" +devture_traefik_certs_dumper_enabled: "{{ matrix_playbook_traefik_certs_dumper_role_enabled }}" devture_traefik_certs_dumper_identifier: matrix-traefik-certs-dumper @@ -3583,7 +3583,7 @@ devture_traefik_certs_dumper_base_path: "{{ matrix_base_data_path }}/traefik-cer devture_traefik_certs_dumper_uid: "{{ matrix_user_uid }}" devture_traefik_certs_dumper_gid: "{{ matrix_user_gid }}" -devture_traefik_certs_dumper_ssl_dir_path: "{{ devture_traefik_ssl_dir_path }}" +devture_traefik_certs_dumper_ssl_dir_path: "{{ devture_traefik_ssl_dir_path if devture_traefik_enabled else '' }}" ######################################################################## # # From 6b0650641ba27b6a13561199c89fcb75b6a2eeb5 Mon Sep 17 00:00:00 2001 
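Review bot: After this change `devture_traefik_certs_dumper_enabled` is simply `matrix_playbook_traefik_certs_dumper_role_enabled`, yet the comment two lines above still points at "why we have both" variables — the justification now rests entirely on the comment next to `matrix_playbook_traefik_certs_dumper_role_enabled` near the top of the file, so that comment should spell out the `other-traefik-container` case. It is also worth recording inline why `devture_traefik_certs_dumper_ssl_dir_path` is left empty, e.g. `# Intentionally empty unless the playbook manages Traefik; for other-traefik-container you must point this at your Traefik's certificate storage, otherwise the role's validation stops the run.` Since the dumped directory contains the private key (it is mounted as `/privatekey.key` elsewhere in this file), the path users supply and the dump target should stay readable only by the uid/gid configured just above.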
From: Slavi Pantaleev Date: Sat, 11 Feb 2023 08:58:53 +0200 Subject: [PATCH 385/915] Update matrix_playbook_reverse_proxy_type documentation --- roles/custom/matrix-base/defaults/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index 8cf63b9ba..6a9901717 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml 
@@ -275,18 +275,20 @@ matrix_homeserver_app_service_config_files_auto: [] # - `playbook-managed-traefik` # - the playbook will install devture-traefik # - Traefik will do SSL termination, unless you disable it (e.g. `devture_traefik_config_entrypoint_web_secure_enabled: false`) +# - if SSL termination is enabled (as it is by default), you need to populate: `devture_traefik_ssl_email_address` # - it will also install matrix-nginx-proxy in local-only mode, while we migrate the rest of the services to a Traefik-native mode of working # # - `playbook-managed-nginx` # - the playbook will install matrix-nginx-proxy # - matrix-nginx-proxy will do SSL termination with Certbot, unless you change that (see `matrix_ssl_retrieval_method`) +# - if SSL termination is enabled (as it is by default), you need to populate: `matrix_ssl_lets_encrypt_support_email` # # - `other-traefik-container` # - this playbook will not install Traefik # - nevertheless, the playbook expects that you would install Traefik yourself via other means # - you should make sure your Traefik configuration is compatible with what the playbook would have configured (web, web-secure, matrix-federation entrypoints, etc.) # - you need to set `matrix_playbook_reverse_proxyable_services_additional_network` to the name of your Traefik network -# - you may wish to enable `devture_traefik_certs_dumper_enabled` and point it to your Traefik's SSL certificates (`devture_traefik_certs_dumper_ssl_dir_path`) +# - Traefik certs dumper will be enabled by default (`devture_traefik_certs_dumper_enabled`). You need to point it to your Traefik's SSL certificates (`devture_traefik_certs_dumper_ssl_dir_path`) # # - `other-nginx-non-container` # - the playbook will not install matrix-nginx-proxy From be471250dd0c053e161a1ab8449f70eb51c07725 Mon Sep 17 00:00:00 2001 
From: Catalan Lover Date: Sat, 11 Feb 2023 17:58:19 +0100 Subject: [PATCH 386/915] Move services that crash without hs connectivity to after proxy. --- group_vars/matrix_servers | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index fe83d4662..00e63b798 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -187,9 +187,9 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-bot-maubot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'maubot']}] if matrix_bot_maubot_enabled else []) + - ([{'name': 'matrix-bot-mjolnir.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'mjolnir']}] if matrix_bot_mjolnir_enabled else []) + ([{'name': 'matrix-bot-mjolnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'mjolnir']}] if matrix_bot_mjolnir_enabled else []) + - ([{'name': 'matrix-bot-draupnir.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'draupnir']}] if matrix_bot_draupnir_enabled else []) + ([{'name': 'matrix-bot-draupnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'draupnir']}] if matrix_bot_draupnir_enabled else []) + ([{'name': 'matrix-bot-postmoogle.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'postmoogle']}] if matrix_bot_postmoogle_enabled else []) + 
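Review bot: The context line for `matrix-bot-postmoogle.service` in this hunk still shows priority 2200, whereas PATCH 383 in this same series raised it to 4000 and added a comment explaining why; this commit was evidently produced against a different base (index `fe83d4662..00e63b798` here versus `5b206d918` there), so when the two are merged, check that Postmoogle keeps 4000 and that the comment added there still describes the outcome. Mjolnir and Draupnir moving to 4000 matches the rationale in that comment (start after the reverse-proxy), so extending it to name them — and Dimension, which the `@@ -267` hunk on the next line moves the same way — would keep the explanation complete.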
@@ -267,7 +267,7 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-coturn-reload.timer', 'priority': 5000, 'groups': ['matrix', 'coturn']}] if (matrix_coturn_enabled and matrix_coturn_tls_enabled) else []) + - ([{'name': 'matrix-dimension.service', 'priority': 2500, 'groups': ['matrix', 'integration-managers', 'dimension']}] if matrix_dimension_enabled else []) + ([{'name': 'matrix-dimension.service', 'priority': 4000, 'groups': ['matrix', 'integration-managers', 'dimension']}] if matrix_dimension_enabled else []) + ([{'name': 'matrix-dynamic-dns.service', 'priority': 5000, 'groups': ['matrix', 'dynamic-dns']}] if matrix_dynamic_dns_enabled else []) + From cba63bd4b98b8d030b37787611f8ddf36e96d254 Mon Sep 17 00:00:00 2001 From: Catalan Lover <48515417+FSG-Cat@users.noreply.github.com> Date: Sat, 11 Feb 2023 23:51:13 +0100 Subject: [PATCH 387/915] Upgrade Drapunir from 1.8.0 Beta to 1.8.0 release. --- roles/custom/matrix-bot-draupnir/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-draupnir/defaults/main.yml b/roles/custom/matrix-bot-draupnir/defaults/main.yml index f0aa4da8e..5900f21b0 100644 --- a/roles/custom/matrix-bot-draupnir/defaults/main.yml +++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml @@ -4,7 +4,7 @@ matrix_bot_draupnir_enabled: true -matrix_bot_draupnir_version: "v1.80.0-beta.0" +matrix_bot_draupnir_version: "v1.80.0" matrix_bot_draupnir_container_image_self_build: false matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/Gnuxie/Draupnir.git" From 17e3c2157e2f74a8f316e6dbb9d278f91ea26a8d Mon Sep 17 00:00:00 2001 From: JokerGermany <30293477+JokerGermany@users.noreply.github.com> Date: Sun, 12 Feb 2023 01:07:51 +0100 Subject: [PATCH 388/915] Add Draupnir to the Readme --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 941058412..fa9064370 100644 --- a/README.md +++ b/README.md 
@@ -130,6 +130,7 @@ Bots provide various additional functionality to your installation. | [Postmoogle](https://gitlab.com/etke.cc/postmoogle) | x | Email to matrix bot | [Link](docs/configuring-playbook-bot-postmoogle.md) | | [Go-NEB](https://github.com/matrix-org/go-neb) | x | A multi functional bot written in Go | [Link](docs/configuring-playbook-bot-go-neb.md) | | [Mjolnir](https://github.com/matrix-org/mjolnir) | x | A moderation tool for Matrix | [Link](docs/configuring-playbook-bot-mjolnir.md) | +| [Draupnir](https://github.com/Gnuxie/Draupnir) | x | A moderation tool for Matrix (Fork of Mjolnir) | [Link](docs/configuring-playbook-bot-draupnir.md) | | [Buscarron](https://gitlab.com/etke.cc/buscarron) | x | Web forms (HTTP POST) to matrix | [Link](docs/configuring-playbook-bot-buscarron.md) | | [matrix-chatgpt-bot](https://github.com/matrixgpt/matrix-chatgpt-bot) | x | ChatGPT from matrix | [Link](docs/configuring-playbook-bot-chatgpt.md) | From b3f6436a0d182918f24ac74d8525aa88d0c0a2cd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 12 Feb 2023 15:50:13 +0200 Subject: [PATCH 389/915] Do not enable the Traefik role when reverse-proxy = other-traefik-container --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index df095b888..72633c6e5 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -30,7 +30,7 @@ matrix_playbook_docker_installation_enabled: true # In such cases, you'd like to disable the role in this playbook from bothering with Traefik at all (`matrix_playbook_traefik_role_enabled: false`). # If you used `devture_traefik_enabled: false` + `matrix_playbook_traefik_role_enabled: true` instead, you'd see the Treafik role here # try to delete Traefik data (`/devture-traefik`) installed by the other playbook. -matrix_playbook_traefik_role_enabled: true +matrix_playbook_traefik_role_enabled: "{{ matrix_playbook_reverse_proxy_type != 'other-traefik-container' }}" # Controls whether to attach Traefik labels to services. # This is separate from `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`, From 73435dfe100d1765e007bee97ab747c51e5cfcdd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 12 Feb 2023 15:53:11 +0200 Subject: [PATCH 390/915] Announce Traefik support --- CHANGELOG.md | 108 +++++++++++++++++++++ docs/configuring-playbook-own-webserver.md | 2 + 2 files changed, 110 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 257f57d9b..d3f74e705 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
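Review bot: The comment block above `matrix_playbook_traefik_role_enabled` still describes disabling the role as something the user does by hand when Traefik was installed elsewhere, but the role is now switched off automatically for `other-traefik-container`; a one-line addition keeps the comment truthful, e.g. `# Disabled automatically for other-traefik-container, so the playbook never touches Traefik data it did not install.` For every other reverse-proxy type the role still runs with `devture_traefik_enabled` false (see the `@@ -3541` hunk in PATCH 382), which presumably means its cleanup tasks execute — stating that explicitly would make the trade-off the comment warns about visible to readers.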
@@ -1,3 +1,111 @@ +# 2023-02-12 + +## Reverse-proxy configuration changes and initial Traefik support + +**TLDR**: + +- there's a new `matrix_playbook_reverse_proxy_type` variable (see [roles/custom/matrix-base/defaults/main.yml](roles/custom/matrix-base/defaults/main.yml)), which lets you tell the playbook what reverse-proxy setup you'd like to have. This makes it easier for people who want to do reverse-proxying in other ways. +- the default reverse-proxy (`matrix_playbook_reverse_proxy_type`) is still `playbook-managed-nginx` (via `matrix-nginx-proxy`), for now. **Existing users should not observe any changes** and can stay on this for now. +- we now have **optional [Traefik](https://traefik.io/) support**, so you could easily host Matrix and other Traefik-native services in containers on the same server. Traefik support is still experimental (albeit, good enough) and will improve over time. It does work, but certain esoteric features may not be there yet. +- **Traefik will become the default reverse-proxy in the near future**. `matrix-nginx-proxy` will either remain as an option, or be completely removed to simplify the playbook + +### Motivation for redoing our reverse-proxy setup + +The playbook has supported various reverse-proxy setups for a long time. +We have various configuration variables (`matrix_nginx_proxy_enabled`, various `_host_bind_port` variables, etc.) which allow the playbook to adapt to these different setups. The whole situation was messy though - hard to figure out and with lots of variables to toggle to make things work as you'd expect - huge **operational complexity**. + +We love containers, proven by the fact that **everything** that this playbook manages runs in a container. Yet, we weren't allowing people to easily host other web-exposed containers alongside Matrix services on the same server. 
We were using `matrix-nginx-proxy` (our integrated [nginx](https://nginx.org/) server), which was handling web-exposure and SSL termination for our own services, but we **weren't helping you with all your other containers**. + +People who were **using `matrix-nginx-proxy`** were on the happy path on which everything worked well by default (Matrix-wise), **but** could not easily run other web-exposed services on their Matrix server because `matrix-nginx-proxy` was occupying ports `80` and `443`. Other services which wanted to get web exposure either had to be plugged into `matrix-nginx-proxy` (somewhat difficult) or people had to forgo using `matrix-nginx-proxy` in favor of something else. + +Of those that decided to forgo `matrix-nginx-proxy`, many were **using nginx** on the same server without a container. This was likely some ancient nginx version, depending on your choice of distro. The Matrix playbook was trying to be helpful and even with `matrix_nginx_proxy_enabled: false` was still generating nginx configuration in `/matrix/nginx-proxy/conf.d`. Those configuration files were adapted for inclusion into an nginx server running locally. Disabling the `matrix-nginx-proxy` role like this, yet still having it produce files is a bit disgusting, but it's what we've had since the early beginnings of this playbook. + +Others still, wanted to run Matrix locally (no SSL certificates), regardless of which web server technology this relied on, and then **reverse-proxy from another machine on the network** which was doing SSL termination. These people were: + +- *either* relying on `matrix_nginx_proxy_enabled: false` as well, combined with exposing services manually (setting `_bind_port` variables) +- *or* better yet, they were keeping `matrix-nginx-proxy` enabled, but in `http`-only mode (no SSL certificate retrieval). + +Despite this operational complexity, things worked and were reasonably flexible to adapt to all these situations. 
+ +When using `matrix-nginx-proxy` as is, we still had another problem - one of **internal playbook complexity**. Too many services need to be web-exposed (port 80/443, SSL certificates). Because of this, they all had to integrate with the `matrix-nginx-proxy` role. Tens of different roles explicitly integrating with `matrix-nginx-proxy` is not what we call clean. The `matrix-nginx-proxy` role contains variables for many of these roles (yikes). Other roles were more decoupled from it and were injecting configuration into `matrix-nginx-proxy` at runtime - see all the `inject_into_nginx_proxy.yml` task files in this playbook (more decoupled, but still.. yikes). + +The next problem is one of **efficiency, interoperability and cost-saving**. We're working on other playbooks: + +- [vaultwarden-docker-ansible-deploy](https://github.com/spantaleev/vaultwarden-docker-ansible-deploy) for hosting the [Vaultwarden](https://github.com/dani-garcia/vaultwarden) server - an alternative implementation of the [Bitwarden](https://bitwarden.com/) password manager +- [gitea-docker-ansible-deploy](https://github.com/spantaleev/gitea-docker-ansible-deploy) - for hosting the [Gitea](https://gitea.io/) git source code hosting service +- [nextcloud-docker-ansible-deploy](https://github.com/spantaleev/nextcloud-docker-ansible-deploy) - for hosting the [Nextcloud](https://nextcloud.com/) groupware platform + +We'd love for users to be able to **seamlessly use all these playbooks (and others, even) against a single server**. We don't want `matrix-nginx-proxy` to have a monopoly on port `80`/`443` and make it hard for other services to join in on the party. Such a thing forces people into running multiple servers (one for each service), which does provide nice security benefits, but is costly and ineffiecient. We'd like to make self-hosting these services cheap and easy. + +These other playbooks have been using [Traefik](https://traefik.io/) as their default reverse-proxy for a long time. 
They can all coexist nicely together (as an example, see the [Interoperability](https://github.com/spantaleev/nextcloud-docker-ansible-deploy/blob/master/docs/configuring-playbook-interoperability.md) documentation for the [Nextcloud playbook](https://github.com/spantaleev/nextcloud-docker-ansible-deploy)). Now that this playbook is gaining Traefik support, it will be able to interoperate with them. If you're going this way, make sure to have the Matrix playbook install Traefik and have the others use `*_reverse_proxy_type: other-traefik-container`. + +Finally, at [etke.cc - a managed Matrix server hosting service](https://etke.cc) (built on top of this playbook, and coincidentally [turning 2 years old today](https://etke.cc/news/upsyw4ykbtgmwhz8k7ukldx0zbbfq-fh0iqi3llixi0/) 🎉), we're allowing people to host some additional services besides Matrix components. Exposing these services to the web requires ugly hacks and configuration files being dropped into `/matrix/nginx-proxy/conf.d`. We believe that everything should run in independent containers and be exposed to the web via a Traefik server, without a huge Ansible role like `matrix-nginx-proxy` that everything else needs to integrate with. + +### How do these changes fix all these problems? + +The new `matrix_playbook_reverse_proxy_type` lets you easily specify your preferred reverse-proxy type, including `other-on-same-host`, `other-on-another-host` and `none`, so people who'd like to reverse-proxy with their own web server have more options now. + +Using Traefik greatly simplifies things, so going forward we'll have a simpler and easier to maintain playbook, which is also interoperable with other services. + +Traefik is a web server, which has been specifically **designed for reverse-proxying to services running in containers**. It's ideal for usage in an Ansible playbook which runs everything in containers. 
+ +**Traefik obtains SSL certificates automatically**, so there's no need for plugging additional tools like [Certbot](https://certbot.eff.org/) into your web server (like we were doing in the `matrix-nginx-proxy` role). No more certificate renewal timers, web server reloading timers, etc. It's just simpler. + +Traefik is a **modern web server**. [HTTP/3](https://doc.traefik.io/traefik/routing/entrypoints/#http3) is supported already (experimentally) and will move to stable soon, in the upcoming Traefik v3 release. + +Traefik does not lock important functionality we'd like to use into [plus packages like nginx does](https://www.nginx.com/products/nginx/), leading us to resolve to configuration workarounds. The default Traefik package is good enough as it is. + +### Where we're at right now? + +`matrix_playbook_reverse_proxy_type` still defaults to a value of `playbook-managed-nginx`. + +Unless we have some regression, **existing users should be able to update their Matrix server and not observe any changes**. Their setup should still remain on nginx and everything should still work as expected. + +#### How do I explicitly switch to Traefik right now? + +**Users who want to migrate to Traefik** today, can do so by using configuration like this: + +```yaml +matrix_playbook_reverse_proxy_type: playbook-managed-traefik + +devture_traefik_ssl_email_address: YOUR_EMAIL_ADDRESS +``` + +Switching to Traefik will obtain new SSL certificates from Let's Encrypt (stored in `/devture-traefik/ssl/acme.json`). **The switch is reversible**. You can always go back to `playbook-managed-nginx` if Traefik is causing you trouble. + +**Note**: toggling `matrix_playbook_reverse_proxy_type` between Traefik and nginx will uninstall the Traefik role and all of its data (under `/devture-traefik`), so you may run into a Let's Encrypt rate limit if you do it often. 
+ +Treafik directly reverse-proxies to **some** services right now, but for most other services it goes through `matrix-nginx-proxy` (e.g. Traefik -> `matrix-nginx-proxy` -> [Ntfy](docs/configuring-playbook-ntfy.md)). So, even if you opt into Traefik, you'll still see `matrix-nginx-proxy` being installed in local-only mode. This will improve with time. + +Some services (like [Coturn](docs/configuring-playbook-turn.md) and [Postmoogle](docs/configuring-playbook-bot-postmoogle.md)) cannot be reverse-proxied to directly from Traefik, so they require direct access to SSL certificate files extracted out of Traefik. The playbook does this automatically thanks to a new [com.devture.ansible.role.traefik_certs_dumper](https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper) role utilizing the [traefik-certs-dumper](https://github.com/ldez/traefik-certs-dumper) tool. + +Our Traefik setup mostly works, but certain esoteric features may not work. If you have a default setup, we expect you to have a good experience. + + +### Where we're going in the near future? + +The `matrix-nginx-proxy` role is quite messy. It manages both nginx and Certbot and its certificate renewal scripts and timers. It generates configuration even when the role is disabled (weird). Although it doesn't directly reach into variables from other roles, it has explicit awareness of various other services that it reverse-proxies to (`roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-ntfy.conf.j2`, etc.). We'd like to clean this up. The only way is probably to just get rid of the whole thing at some point. + +For now, `matrix-nginx-proxy` will stay around. + +As mentioned above, Traefik still reverse-proxies to some (most) services by going through a local-only `matrix-nginx-proxy` server. This has allowed us to add Traefik support to the playbook early on (without having to rework all services), but is not the final goal. 
We'll **work on making each service support Traefik natively**, so that traffic will not need to go through `matrix-nginx-proxy` anymore. In the end, choosing Traefik should only give you a pure Traefik installation with no `matrix-nginx-proxy` in sight. + +As Traefik support becomes complete and proves to be stable for a while, especially as a playbook default, we will **most likely remove `matrix-nginx-proxy` completely**. It will likely be some months before this happens though. Keeping support for both Traefik and nginx in the playbook will be a burden, especially with most of us running Traefik in the future. The Traefik role should do everything nginx does in a better and cleaner way. Users who use their own `nginx` server on the Matrix server will be inconvenienced, as nothing will generate ready-to-include nginx configuration for them. Still, we hope it won't be too hard to migrate their setup to another way of doing things, like: + +- not using nginx anymore. A common reason for using nginx until now was that you were running other containers and you need your own nginx to reverse-proxy to all of them. Just switch them to Traefik as well. +- running Traefik in local-only mode (`devture_traefik_config_entrypoint_web_secure_enabled: false`) and using some nginx configuration which reverse-proxies to Traefik (we should introduce examples for this in `examples/nginx`). + +### How do I help? + +You can help by: + +- **explicitly switching your server to Traefik** right now (see example configuration in [How do I explicitly switch to Traefik right now?](#how-do-i-explicitly-switch-to-traefik-right-now) above), testing, reporting troubles + +- **adding native Traefik support to a role** (requires adding Traefik labels, etc.) 
- for inspiration, see these roles ([prometheus_node_exporter](https://gitlab.com/etke.cc/roles/prometheus_node_exporter), [prometheus_postgres_exporter](https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter)) and how they're hooked into the playbook via [group_vars/matrix_servers](group_vars/matrix_servers). + +- **adding reverse-proxying examples for nginx users** in `examples/nginx`. People who insist on using their own `nginx` server on the same Matrix host, can run Traefik in local-only mode (`devture_traefik_config_entrypoint_web_secure_enabled: false`) and reverse-proxy to the Traefik server + + # 2023-02-10 ## Matrix Authentication Support for Jitsi diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 06f21b326..e978a1e14 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -1,5 +1,7 @@ # Using your own webserver, instead of this playbook's nginx proxy (optional, advanced) +**Note**: the playbook is [in the process of moving to Traefik](../CHANGELOG.md#reverse-proxy-configuration-changes-and-initial-traefik-support). The documentation below should be correct, but things will change soon. + By default, this playbook installs its own nginx webserver (called `matrix-nginx-proxy`, in a Docker container) which listens on ports 80 and 443. If that's alright, you can skip this. From bc4cb7bb6a52185b43fe710bfa7ec2e956981c55 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 12 Feb 2023 16:03:44 +0200 Subject: [PATCH 391/915] Update configuring-playbook-own-webserver.md with matrix_playbook_reverse_proxy_type awareness --- docs/configuring-playbook-own-webserver.md | 89 +++++++--------------- 1 file changed, 26 insertions(+), 63 deletions(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index e978a1e14..77fa018d0 100644 --- a/docs/configuring-playbook-own-webserver.md 
+++ b/docs/configuring-playbook-own-webserver.md @@ -102,13 +102,7 @@ You can disable such behavior and make the integrated nginx reverse-proxy webser You would need some configuration like this: ```yaml -# Do not retrieve SSL certificates. This shall be managed by another webserver or other means. -matrix_ssl_retrieval_method: none - -# Do not try to serve HTTPS, since we have no SSL certificates. -# Disabling this also means services will be served on the HTTP port -# (`matrix_nginx_proxy_container_http_host_bind_port`). -matrix_nginx_proxy_https_enabled: false +matrix_playbook_reverse_proxy_type: other-on-same-host # Do not listen for HTTP on port 80 globally (default), listen on the loopback interface. # If you'd like, you can make it use the local network as well and reverse-proxy from another local machine. @@ -122,15 +116,9 @@ matrix_nginx_proxy_container_http_host_bind_port: '127.0.0.1:81' matrix_nginx_proxy_container_federation_host_bind_port: '127.0.0.1:8449' # Coturn relies on SSL certificates that have already been obtained. -# Since we don't obtain any certificates (`matrix_ssl_retrieval_method: none` above), it won't work by default. +# Since we don't obtain any certificates in this `other-on-same-host` mode, it won't work by default. # An alternative is to tweak some of: `matrix_coturn_tls_enabled`, `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path`. matrix_coturn_enabled: false - -# Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection. -matrix_nginx_proxy_trust_forwarded_proto: true - -# Trust and use the other reverse proxy's `X-Forwarded-For` header. -matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for' ``` With this, nginx would still be in use, but it would not bother with anything SSL related or with taking up public ports. 
@@ -142,63 +130,38 @@ The expected domains vary depending on the services you have enabled (`matrix.DO ### Sample configuration for running behind Traefik 2.0 -Below is a sample configuration for using this playbook with a [Traefik](https://traefik.io/) 2.0 reverse proxy. +To run behind Traefik, you can: -```yaml -# Disable generation and retrieval of SSL certs -matrix_ssl_retrieval_method: none +- use a [Playbook-managed Traefik installation](#playbook-managed-traefik-installation) +- or, use [Your own Traefik server (not managed by the playbook)](#your-own-traefik-server-not-managed-by-the-playbook) -# Configure Nginx to only use plain HTTP -matrix_nginx_proxy_https_enabled: false +#### Playbook-managed Traefik installation -# Don't bind any HTTP or federation port to the host -# (Traefik will proxy directly into the containers) -matrix_nginx_proxy_container_http_host_bind_port: '' -matrix_nginx_proxy_container_federation_host_bind_port: '' +The playbook can install and manage Traefik for you using the [com.devture.ansible.role.traefik](https://github.com/devture/com.devture.ansible.role.traefik) role. -# Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection. -matrix_nginx_proxy_trust_forwarded_proto: true +It's simplest if you go with this method. You will need the following configuration: -# Trust and use the other reverse proxy's `X-Forwarded-For` header. 
-matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for' +```yaml +matrix_playbook_reverse_proxy_type: playbook-managed-traefik -# Disable Coturn because it needs SSL certs -# (Clients can, though exposing IP address, use Matrix.org TURN) -matrix_coturn_enabled: false +devture_traefik_ssl_email_address: YOUR_EMAIL_ADDRESS +``` + +#### Your own Traefik server (not managed by the playbook) -# All containers need to be on the same Docker network as Traefik -# (This network should already exist and Traefik should be using this network) -matrix_docker_network: 'traefik' - -matrix_nginx_proxy_container_extra_arguments: - # May be unnecessary depending on Traefik config, but can't hurt - - '--label "traefik.enable=true"' - - # The Nginx proxy container will receive traffic from these subdomains - - '--label "traefik.http.routers.matrix-nginx-proxy.rule=Host(`{{ matrix_server_fqn_matrix }}`,`{{ matrix_server_fqn_element }}`,`{{ matrix_server_fqn_dimension }}`,`{{ matrix_server_fqn_jitsi }}`)"' - # (The 'web-secure' entrypoint must bind to port 443 in Traefik config) - - '--label "traefik.http.routers.matrix-nginx-proxy.entrypoints=web-secure"' - # (The 'default' certificate resolver must be defined in Traefik config) - - '--label "traefik.http.routers.matrix-nginx-proxy.tls.certResolver=default"' - # Traefik requires that we declare which service this router is using - - '--label "traefik.http.routers.matrix-nginx-proxy.service=matrix-nginx-proxy"' - # The Nginx proxy container uses port 8080 internally - - '--label "traefik.http.services.matrix-nginx-proxy.loadbalancer.server.port=8080"' - - # Federation - - '--label "traefik.http.routers.matrix-nginx-proxy-federation.rule=Host(`{{ matrix_server_fqn_matrix }}`)"' - # (The 'federation' entrypoint must bind to port 8448 in Traefik config) - - '--label "traefik.http.routers.matrix-nginx-proxy-federation.entrypoints=federation"' - # (The 'default' certificate resolver must be defined in Traefik config) - - '--label 
"traefik.http.routers.matrix-nginx-proxy-federation.tls.certResolver=default"' - # Traefik requires that we declare which service this router is using - - '--label "traefik.http.routers.matrix-nginx-proxy-federation.service=matrix-nginx-proxy-federation"' - # The Nginx proxy container uses port `matrix_nginx_proxy_proxy_matrix_federation_port (8448) internally - - '--label "traefik.http.services.matrix-nginx-proxy-federation.loadbalancer.server.port={{ matrix_nginx_proxy_proxy_matrix_federation_port }}"' - - '--label "traefik.http.services.matrix-nginx-proxy-federation.loadbalancer.server.scheme={{ "https" if matrix_nginx_proxy_https_enabled else "http" }}"' +If you'd like to run Traefik yourself, you can use configuration like this: + +```yaml +matrix_playbook_reverse_proxy_type: other-traefik-container + +matrix_playbook_reverse_proxyable_services_additional_network: your-traefik-network ``` -This method uses labels attached to the Nginx and Synapse containers to provide the Traefik Docker provider with the information it needs to proxy `matrix.DOMAIN`, `element.DOMAIN`, `dimension.DOMAIN` and `jitsi.DOMAIN`. Some [static configuration](https://docs.traefik.io/v2.0/reference/static-configuration/file/) is required in Traefik; namely, having endpoints on ports 443 and 8448 and having a certificate resolver. +In this mode all roles will still have Traefik labels attached. You will, however, need to configure your Traefik instance and its entrypoints. + +By default, the playbook congiures services use a `web-secure` (443) and `matrix-federation` (8448) entrypoints, as well as a `default` certificate resolver. + +Below is some configuration for running Traefik yourself (although we recommend using a [playbook-managed Traefik installation](#playbook-managed-traefik-installation)). 
Note that this configuration on its own does **not** redirect traffic on port 80 (plain HTTP) to port 443 for HTTPS, which may cause some issues, since the built-in Nginx proxy usually does this. If you are not already doing this in Traefik, it can be added to Traefik in a [file provider](https://docs.traefik.io/v2.0/providers/file/) as follows: @@ -228,7 +191,7 @@ version: "3.3" services: traefik: - image: "traefik:v2.3" + image: "docker.io/traefik:v2.9.6" restart: always container_name: "traefik" networks: From 972043cfaf5795fa8c3a82ab974bd817c87977c1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 12 Feb 2023 17:14:25 +0200 Subject: [PATCH 392/915] Fix trying to start devture-traefik when not necessarily enabled Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2465 --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 46c808744..1b31bf00d 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -356,7 +356,7 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-user-verification-service.service', 'priority': 800, 'groups': ['matrix', 'matrix-user-verification-service']}] if matrix_user_verification_service_enabled else []) + - ([{'name': 'devture-traefik.service', 'priority': 3000, 'groups': ['matrix', 'traefik', 'reverse-proxies']}] if matrix_playbook_traefik_role_enabled else []) + ([{'name': 'devture-traefik.service', 'priority': 3000, 'groups': ['matrix', 'traefik', 'reverse-proxies']}] if devture_traefik_enabled else []) + ([{'name': (devture_traefik_certs_dumper_identifier + '.service'), 'priority': 3500, 'groups': ['matrix', 'traefik-certs-dumper']}] if matrix_playbook_traefik_certs_dumper_role_enabled else []) }} From 79413e7717b669f07cdc32909aecbcb6114c1e6e Mon Sep 17 00:00:00 2001 
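Review bot: The `devture-traefik.service` entry is now gated on `devture_traefik_enabled`, but the adjacent `traefik_certs_dumper` entry in the same list is still gated on `matrix_playbook_traefik_certs_dumper_role_enabled`, a role-level flag rather than the service's own enabled flag, which is the same mismatch this commit fixes for Traefik. If the dumper role can be enabled while its service is not installed, the service manager would again be asked to start a unit that does not exist. I cannot see the external role's defaults from here, but if it exposes a `devture_traefik_certs_dumper_enabled`-style flag, the entry should key on that: `... if devture_traefik_certs_dumper_enabled else []`. The list expression starts before this hunk.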
From: Array in a Matrix Date: Sun, 12 Feb 2023 13:09:53 -0500 Subject: [PATCH 393/915] updated dendrite --- roles/custom/matrix-dendrite/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml index 5e6d7d3b0..525f48548 100644 --- a/roles/custom/matrix-dendrite/defaults/main.yml +++ b/roles/custom/matrix-dendrite/defaults/main.yml @@ -6,7 +6,7 @@ matrix_dendrite_enabled: true matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}" matrix_dendrite_docker_image_name_prefix: "docker.io/" -matrix_dendrite_docker_image_tag: "v0.11.0" +matrix_dendrite_docker_image_tag: "v0.11.1" matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite" From 6939a3d6d319c896b525a70c1b4ab697968e7458 Mon Sep 17 00:00:00 2001 From: Jayesh Nirve Date: Mon, 13 Feb 2023 12:06:20 +0530 Subject: [PATCH 394/915] fix: only add element related entries to client well-known if element is enabled (#2453) * fix: only add element related entries to client well-known if element is enabled * Fix matrix-base/defaults/main.yml syntax --------- Co-authored-by: Slavi Pantaleev --- roles/custom/matrix-base/defaults/main.yml | 14 +++++++++++--- roles/custom/matrix-base/tasks/validate_config.yml | 3 +++ .../static-files/well-known/matrix-client.j2 | 11 ++++++----- 3 files changed, 20 insertions(+), 8 deletions(-) diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index 6a9901717..e72142c37 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml 
@@ -154,17 +154,25 @@ matrix_client_element_jitsi_preferredDomain: '' # noqa var-naming # Controls whether Element should use End-to-End Encryption by default. # Setting this to false will update `/.well-known/matrix/client` and tell Element clients to avoid E2EE. # See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md -matrix_client_element_e2ee_default: true +matrix_well_known_matrix_client_io_element_e2ee_default: true # Controls whether Element should require a secure backup set up before Element can be used. # Setting this to true will update `/.well-known/matrix/client` and tell Element require a secure backup. # See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md -matrix_client_element_e2ee_secure_backup_required: false +matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required: false # Controls which backup methods from ["key", "passphrase"] should be used, both is the default. # Setting this to other then empty will update `/.well-known/matrix/client` and tell Element which method to use # See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md -matrix_client_element_e2ee_secure_backup_setup_methods: [] +matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods: [] + +# Controls whether element related entries should be added to the client well-known. Override this to false to hide +# element related well-known entries. 
+# By default if any of the following change from their default this is set to true: +# `matrix_well_known_matrix_client_io_element_e2ee_default` +# `matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required` +# `matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods` +matrix_well_known_matrix_client_io_element_e2ee_entries_enabled: "{{ not matrix_well_known_matrix_client_io_element_e2ee_default or matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required or matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods | length > 0 }}" # Default `/.well-known/matrix/client` configuration - it covers the generic use case. # You can customize it by controlling the various variables inside the template file that it references. diff --git a/roles/custom/matrix-base/tasks/validate_config.yml b/roles/custom/matrix-base/tasks/validate_config.yml index cd6d20cdd..ab06ffcd6 100644 --- a/roles/custom/matrix-base/tasks/validate_config.yml +++ b/roles/custom/matrix-base/tasks/validate_config.yml @@ -18,6 +18,9 @@ - {'old': 'hostname_riot', 'new': 'matrix_server_fqn_element'} - {'old': 'matrix_server_fqn_riot', 'new': 'matrix_server_fqn_element'} - {'old': 'matrix_local_bin_path', 'new': ''} + - {'old': 'matrix_client_element_e2ee_default', 'new': 'matrix_well_known_matrix_client_io_element_e2ee_default'} + - {'old': 'matrix_client_element_e2ee_secure_backup_required', 'new': 'matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required'} + - {'old': 'matrix_client_element_e2ee_secure_backup_setup_methods', 'new': 'matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods'} # We have a dedicated check for this variable, because we'd like to have a custom (friendlier) message. - name: Fail if matrix_homeserver_generic_secret_key is undefined 
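Review bot: The derived `matrix_well_known_matrix_client_io_element_e2ee_entries_enabled` expression relies on Jinja precedence (`not` binds tighter than `or`, and the `| length` filter binds tighter than `>`), so it evaluates as `(not default) or required or ((methods | length) > 0)`, which matches the comment above it, but a reader has to know the precedence table to confirm that. I would parenthesize it: `"{{ (not matrix_well_known_matrix_client_io_element_e2ee_default) or matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required or (matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods | length > 0) }}"`. It is also worth a sentence in the comment that overriding this to `false` while `..._e2ee_default: false` is set silently drops the hint and leaves Element on its own E2EE default, since that combination reverts the advertised policy without any error.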
diff --git a/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 b/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 index 4595bed11..63b2c812f 100644 --- a/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 +++ b/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 @@ -31,13 +31,14 @@ "map_style_url": "https://{{ matrix_server_fqn_element }}/map_style.json" } {% endif %} - , + {% if matrix_well_known_matrix_client_io_element_e2ee_entries_enabled %}, "io.element.e2ee": { - "default": {{ matrix_client_element_e2ee_default|to_json }}, - "secure_backup_required": {{ matrix_client_element_e2ee_secure_backup_required|to_json }}, - "secure_backup_setup_methods": {{ matrix_client_element_e2ee_secure_backup_setup_methods|to_json }} + "default": {{ matrix_well_known_matrix_client_io_element_e2ee_default|to_json }}, + "secure_backup_required": {{ matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required|to_json }}, + "secure_backup_setup_methods": {{ matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods|to_json }} }, + {% if matrix_well_known_matrix_client_io_element_e2ee_entries_enabled %}, "im.vector.riot.e2ee": { - "default": {{ matrix_client_element_e2ee_default|to_json }} + "default": {{ matrix_well_known_matrix_client_io_element_e2ee_default|to_json }} } } From af10d350bc3bc16c3cd59d60f65c50a2f2b9d887 Mon Sep 17 00:00:00 2001 From: td Date: Mon, 13 Feb 2023 12:32:43 +0530 Subject: [PATCH 395/915] fix: missing endif in client well-known --- .../templates/static-files/well-known/matrix-client.j2 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 b/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 index 63b2c812f..45fc9b66c 100644 --- a/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 
+++ b/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 @@ -36,9 +36,11 @@ "default": {{ matrix_well_known_matrix_client_io_element_e2ee_default|to_json }}, "secure_backup_required": {{ matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required|to_json }}, "secure_backup_setup_methods": {{ matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods|to_json }} - }, + } + {% endif %} {% if matrix_well_known_matrix_client_io_element_e2ee_entries_enabled %}, "im.vector.riot.e2ee": { "default": {{ matrix_well_known_matrix_client_io_element_e2ee_default|to_json }} } + {% endif %} } From 78c35136b2cff4a6f24d01077c2fc19c36f1a878 Mon Sep 17 00:00:00 2001 
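Review bot: After this fix the template has two back-to-back `{% if matrix_well_known_matrix_client_io_element_e2ee_entries_enabled %}` blocks on the same condition, each opening with a bare `,`, and hand-placed JSON commas inside Jinja conditionals are exactly what produced the missing `endif` this commit repairs. I would merge them into a single block so there is one conditional and one leading comma: drop the first `{% endif %}` and the second `{% if ... %}`, and put `,` after the closing brace of `"io.element.e2ee"`. Since a malformed `/.well-known/matrix/client` breaks discovery for every client, it is also worth having the playbook validate the rendered file as JSON (for example an `ansible.builtin.assert` over the rendered content piped through `from_json`), or building the document as a dict and emitting it with `| to_nice_json`, so a stray comma fails the run instead of shipping. The rest of the template lies outside this hunk.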
From: Slavi Pantaleev Date: Mon, 13 Feb 2023 10:53:11 +0200 Subject: [PATCH 396/915] Replace matrix-backup-borg with an external role --- docs/configuring-playbook-backup-borg.md | 18 +-- group_vars/matrix_servers | 38 ++++--- playbooks/matrix.yml | 2 +- requirements.yml | 3 + .../matrix-backup-borg/defaults/main.yml | 107 ------------------ .../custom/matrix-backup-borg/tasks/main.yml | 20 ---- .../tasks/setup_install.yml | 107 ------------------ .../tasks/setup_uninstall.yml | 25 ---- .../tasks/validate_config.yml | 16 --- .../templates/config.yaml.j2 | 43 ------- .../matrix-backup-borg/templates/passwd.j2 | 29 ----- .../matrix-backup-borg/templates/sshkey.j2 | 1 - .../systemd/matrix-backup-borg.service.j2 | 65 ----------- .../systemd/matrix-backup-borg.timer.j2 | 10 -- .../defaults/main.yml | 3 + .../tasks/validate_config.yml | 17 +++ 16 files changed, 57 insertions(+), 447 deletions(-) delete mode 100644 roles/custom/matrix-backup-borg/defaults/main.yml delete mode 100644 roles/custom/matrix-backup-borg/tasks/main.yml delete mode 100644 roles/custom/matrix-backup-borg/tasks/setup_install.yml delete mode 100644 roles/custom/matrix-backup-borg/tasks/setup_uninstall.yml delete mode 100644 roles/custom/matrix-backup-borg/tasks/validate_config.yml delete mode 100644 roles/custom/matrix-backup-borg/templates/config.yaml.j2 delete mode 100644 roles/custom/matrix-backup-borg/templates/passwd.j2 delete mode 100644 roles/custom/matrix-backup-borg/templates/sshkey.j2 delete mode 100644 roles/custom/matrix-backup-borg/templates/systemd/matrix-backup-borg.service.j2 delete mode 100644 roles/custom/matrix-backup-borg/templates/systemd/matrix-backup-borg.timer.j2 diff --git a/docs/configuring-playbook-backup-borg.md b/docs/configuring-playbook-backup-borg.md index b6b5cb096..2f6ab5ad3 100644 --- a/docs/configuring-playbook-backup-borg.md +++ b/docs/configuring-playbook-backup-borg.md 
@@ -6,9 +6,9 @@ That means your daily incremental backups can be stored in a fraction of the spa You will need a remote server where borg will store the backups. There are hosted, borg compatible solutions available, such as [BorgBase](https://www.borgbase.com). -The backup will run based on `matrix_backup_borg_schedule` var (systemd timer calendar), default: 4am every day. +The backup will run based on `backup_borg_schedule` var (systemd timer calendar), default: 4am every day. -By default, if you're using the integrated Postgres database server (as opposed to [an external Postgres server](configuring-playbook-external-postgres.md)), Borg backups will also include dumps of your Postgres database. An alternative solution for backing up the Postgres database is [postgres backup](configuring-playbook-postgres-backup.md). If you decide to go with another solution, you can disable Postgres-backup support for Borg using the `matrix_backup_borg_postgresql_enabled` variable. +By default, if you're using the integrated Postgres database server (as opposed to [an external Postgres server](configuring-playbook-external-postgres.md)), Borg backups will also include dumps of your Postgres database. An alternative solution for backing up the Postgres database is [postgres backup](configuring-playbook-postgres-backup.md). If you decide to go with another solution, you can disable Postgres-backup support for Borg using the `backup_borg_postgresql_enabled` variable. ## Prerequisites 
@@ -38,11 +38,11 @@ cat PUBKEY | ssh USER@HOST 'dd of=.ssh/authorized_keys oflag=append conv=notrunc Minimal working configuration (`inventory/host_vars/matrix.DOMAIN/vars.yml`) to enable borg backup: ```yaml -matrix_backup_borg_enabled: true -matrix_backup_borg_location_repositories: +backup_borg_enabled: true +backup_borg_location_repositories: - ssh://USER@HOST/./REPO -matrix_backup_borg_storage_encryption_passphrase: "PASSPHRASE" -matrix_backup_borg_ssh_key_private: | +backup_borg_storage_encryption_passphrase: "PASSPHRASE" +backup_borg_ssh_key_private: | -----BEGIN OPENSSH PRIVATE KEY----- TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQsIGNvbnNlY3RldHVyIGFkaXBpc2NpbmcgZW xpdCwgc2VkIGRvIGVpdXNtb2QgdGVtcG9yIGluY2lkaWR1bnQgdXQgbGFib3JlIGV0IGRv 
@@ -58,11 +58,11 @@ where: * HOST - SSH host of a provider/server * REPO - borg repository name, it will be initialized on backup start, eg: `matrix`, regarding Syntax see [Remote repositories](https://borgbackup.readthedocs.io/en/stable/usage/general.html#repository-urls) * PASSPHRASE - passphrase used for encrypting backups, you may generate it with `pwgen -s 64 1` or use any password manager -* PRIVATE KEY - the content of the **private** part of the SSH key you created before. The whole key (all of its belonging lines) under `matrix_backup_borg_ssh_key_private` needs to be indented with 2 spaces +* PRIVATE KEY - the content of the **private** part of the SSH key you created before. The whole key (all of its belonging lines) under `backup_borg_ssh_key_private` needs to be indented with 2 spaces -To backup without encryption, add `matrix_backup_borg_encryption: 'none'` to your vars. This will also enable the `matrix_backup_borg_unknown_unencrypted_repo_access_is_ok` variable. +To backup without encryption, add `backup_borg_encryption: 'none'` to your vars. This will also enable the `backup_borg_unknown_unencrypted_repo_access_is_ok` variable. -`matrix_backup_borg_location_source_directories` defines the list of directories to back up: it's set to `{{ matrix_base_data_path }}` by default, which is the base directory for every service's data, such as Synapse, Postgres and the bridges. You might want to exclude certain directories or file patterns from the backup using the `matrix_backup_borg_location_exclude_patterns` variable. +`backup_borg_location_source_directories` defines the list of directories to back up: it's set to `{{ matrix_base_data_path }}` by default, which is the base directory for every service's data, such as Synapse, Postgres and the bridges. You might want to exclude certain directories or file patterns from the backup using the `backup_borg_location_exclude_patterns` variable. 
Check the `roles/custom/matrix-backup-borg/defaults/main.yml` file for the full list of available options. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 1b31bf00d..fbae03046 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -204,7 +204,7 @@ matrix_homeserver_app_service_config_files_auto: | # because it requires SSL certificates. If Traefik is used, then Postmoogle needs to start at least after Traefik (3500) and Traefik certs dumper (3500). devture_systemd_service_manager_services_list_auto: | {{ - ([{'name': 'matrix-backup-borg.timer', 'priority': 5000, 'groups': ['matrix', 'backup', 'borg']}] if matrix_backup_borg_enabled else []) + ([{'name': (backup_borg_identifier + '.timer'), 'priority': 5000, 'groups': ['matrix', 'backup', 'borg']}] if backup_borg_enabled else []) + ([{'name': 'matrix-bot-buscarron.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'buscarron']}] if matrix_bot_buscarron_enabled else []) + 
@@ -1871,34 +1871,42 @@ matrix_bot_draupnir_systemd_required_services_list: | # ###################################################################### + ###################################################################### # -# matrix-backup-borg +# etke/backup_borg # ###################################################################### -matrix_backup_borg_enabled: false +backup_borg_enabled: false + +backup_borg_identifier: matrix-backup-borg + +backup_borg_uid: "{{ matrix_user_uid }}" +backup_borg_gid: "{{ matrix_user_gid }}" -matrix_backup_borg_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}" +backup_borg_container_network: "{{ devture_postgres_container_network if devture_postgres_enabled else backup_borg_identifier }}" -matrix_backup_borg_postgresql_enabled: "{{ devture_postgres_enabled }}" -matrix_backup_borg_postgresql_databases_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" -matrix_backup_borg_postgresql_databases_username: "{{ devture_postgres_connection_username if devture_postgres_enabled else '' }}" -matrix_backup_borg_postgresql_databases_password: "{{ devture_postgres_connection_password if devture_postgres_enabled else '' }}" -matrix_backup_borg_postgresql_databases_port: "{{ devture_postgres_connection_port if devture_postgres_enabled else 5432 }}" -matrix_backup_borg_postgresql_databases: "{{ devture_postgres_managed_databases | map(attribute='name') if devture_postgres_enabled else [] }}" +backup_borg_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}" -matrix_backup_borg_location_source_directories: +backup_borg_postgresql_enabled: "{{ devture_postgres_enabled }}" +backup_borg_postgresql_databases_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +backup_borg_postgresql_databases_username: "{{ devture_postgres_connection_username if devture_postgres_enabled else '' }}" 
+backup_borg_postgresql_databases_password: "{{ devture_postgres_connection_password if devture_postgres_enabled else '' }}" +backup_borg_postgresql_databases_port: "{{ devture_postgres_connection_port if devture_postgres_enabled else 5432 }}" +backup_borg_postgresql_databases: "{{ devture_postgres_managed_databases | map(attribute='name') if devture_postgres_enabled else [] }}" + +backup_borg_location_source_directories: - "{{ matrix_base_data_path }}" -matrix_backup_borg_location_exclude_patterns: | +backup_borg_location_exclude_patterns: | {{ ([matrix_synapse_media_store_path + '/local_thumbnails', matrix_synapse_media_store_path + '/remote_thumbnail', matrix_synapse_media_store_path + '/url_cache', matrix_synapse_media_store_path + '/url_cache_thumbnails'] if matrix_homeserver_implementation == 'synapse' else []) + ([devture_postgres_data_path] if devture_postgres_enabled else []) }} -matrix_backup_borg_systemd_required_services_list: | +backup_borg_systemd_required_services_list: | {{ ['docker.service'] + @@ -1907,9 +1915,11 @@ matrix_backup_borg_systemd_required_services_list: | ###################################################################### # -# /matrix-backup-borg +# /etke/backup_borg # ###################################################################### + + ###################################################################### # # matrix-cactus-comments diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index 508adb4d7..d976a0126 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml @@ -112,7 +112,7 @@ - role: galaxy/com.devture.ansible.role.postgres_backup - - custom/matrix-backup-borg + - role: galaxy/backup_borg - custom/matrix-user-creator - custom/matrix-common-after diff --git a/requirements.yml b/requirements.yml index 1341bbbe2..754491244 100644 --- a/requirements.yml +++ b/requirements.yml 
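Review bot: In the `backup_borg_location_exclude_patterns` expression, `devture_postgres_data_path` is excluded whenever `devture_postgres_enabled` is true, independently of `backup_borg_postgresql_enabled`, so an operator who follows the docs in this same patch and sets `backup_borg_postgresql_enabled: false` ends up with an archive that contains neither a dump nor the data directory, and nothing warns them. Excluding the live data directory is the right call (a raw copy of a running cluster is not consistent), but the consequence deserves a comment on that line: `# The live Postgres data dir is always excluded; with backup_borg_postgresql_enabled: false the database is not in the backup at all — use postgres-backup instead.` Separately, this block now routes the Postgres password (and, via the documented variables, the repo passphrase and SSH private key) into an external role whose file modes and container hardening are not visible in this diff — the deleted role wrote its config at 0640, the key at 0600 and ran with `--cap-drop=ALL --read-only` — so it is worth confirming those protections carry over.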
@@ -36,6 +36,9 @@ - src: git+https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter.git version: v0.11.1-2 +- src: git+https://gitlab.com/etke.cc/roles/backup_borg.git + version: v1.2.3-1.7.5-0 + - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git version: fb09fd26f877372417d5586f1e79e83f983f0bd6 diff --git a/roles/custom/matrix-backup-borg/defaults/main.yml b/roles/custom/matrix-backup-borg/defaults/main.yml deleted file mode 100644 index ad5a02811..000000000 --- a/roles/custom/matrix-backup-borg/defaults/main.yml +++ /dev/null 
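Review bot: The new `backup_borg` entry is pinned to the tag `v1.2.3-1.7.5-0`, which a git tag can be moved without any change showing up in this file, whereas the traefik entry two lines below pins a full commit SHA (`fb09fd26…`). Since this role is handed the repository passphrase, the SSH private key and the Postgres password (per the docs and group_vars in this patch), a mutable pin is a supply-chain weak spot; pin it the same way as traefik, `version: <commit the tag resolves to>`, and bump the SHA when the tag is bumped.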
@@ -1,107 +0,0 @@ ---- -# Project source code URL: https://gitlab.com/etke.cc/borgmatic - -matrix_backup_borg_enabled: true - -matrix_backup_borg_base_path: "{{ matrix_base_data_path }}/backup-borg" -matrix_backup_borg_config_path: "{{ matrix_backup_borg_base_path }}/config" - -matrix_backup_borg_container_image_self_build: false -matrix_backup_borg_docker_repo: "https://gitlab.com/etke.cc/borgmatic" -matrix_backup_borg_docker_repo_version: main -matrix_backup_borg_docker_src_files_path: "{{ matrix_backup_borg_base_path }}/docker-src" - -# image and postgres version determined automatically, based on detected postgres server version (if enabled), otherwise latest is used -matrix_backup_borg_version: "" -matrix_backup_borg_postgres_version: "" -matrix_backup_borg_borg_version: 1.2.3 -matrix_backup_borg_borgmatic_version: 1.7.6 -matrix_backup_borg_docker_image: "{{ matrix_backup_borg_docker_image_name_prefix }}etke.cc/borgmatic:{{ matrix_backup_borg_version }}" -matrix_backup_borg_docker_image_name_prefix: "{{ 'localhost/' if matrix_backup_borg_container_image_self_build else 'registry.gitlab.com/' }}" -matrix_backup_borg_docker_image_force_pull: "{{ matrix_backup_borg_docker_image.endswith(':latest') or matrix_backup_borg_version | default('') == '' }}" - -# A list of extra arguments to pass to the container -matrix_backup_borg_container_extra_arguments: [] - -# List of systemd services that matrix-backup-borg.service depends on -matrix_backup_borg_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-backup-borg.service wants -matrix_backup_borg_systemd_wanted_services_list: [] - -# systemd calendar configuration for the backup job -# the actual job may run with a delay (see matrix_backup_borg_schedule_randomized_delay_sec) -matrix_backup_borg_schedule: "*-*-* 04:00:00" -# the delay with which the systemd timer may run in relation to the `matrix_backup_borg_schedule` schedule -matrix_backup_borg_schedule_randomized_delay_sec: 
2h - -# what directories should be added to backup -matrix_backup_borg_location_source_directories: [] - -# postgres db backup -matrix_backup_borg_postgresql_enabled: true -matrix_backup_borg_supported_postgres_versions: ['12', '13', '14', '15'] -matrix_backup_borg_postgresql_databases: [] -matrix_backup_borg_postgresql_databases_hostname: '' -matrix_backup_borg_postgresql_databases_username: "matrix" -matrix_backup_borg_postgresql_databases_password: "" -matrix_backup_borg_postgresql_databases_port: 5432 - -# target repositories -matrix_backup_borg_location_repositories: [] - -# exclude following paths: -matrix_backup_borg_location_exclude_patterns: [] - -# borg encryption mode, only "repokey-*" and "none" are supported -matrix_backup_borg_encryption: repokey-blake2 - -# private ssh key used to connect to the borg repo -matrix_backup_borg_ssh_key_private: "" - -# allow unencrypted repo access -matrix_backup_borg_unknown_unencrypted_repo_access_is_ok: "{{ matrix_backup_borg_encryption == 'none' }}" - -# borg ssh command with ssh key -matrix_backup_borg_storage_ssh_command: ssh -o "StrictHostKeyChecking accept-new" -i /etc/borgmatic.d/sshkey - -# compression algorithm -matrix_backup_borg_storage_compression: lz4 - -# archive name format -matrix_backup_borg_storage_archive_name_format: matrix-{now:%Y-%m-%d-%H%M%S} - -# repository passphrase -matrix_backup_borg_storage_encryption_passphrase: "" - -# retention configuration -matrix_backup_borg_retention_keep_hourly: 0 -matrix_backup_borg_retention_keep_daily: 7 -matrix_backup_borg_retention_keep_weekly: 4 -matrix_backup_borg_retention_keep_monthly: 12 -matrix_backup_borg_retention_keep_yearly: 2 - -# retention prefix -matrix_backup_borg_retention_prefix: matrix- - -# Default borgmatic configuration template which covers the generic use case. -# You can customize it by controlling the various variables inside it. 
-# -# For a more advanced customization, you can extend the default (see `matrix_backup_borg_configuration_extension_yaml`) -# or completely replace this variable with your own template. -matrix_backup_borg_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" - -matrix_backup_borg_configuration_extension_yaml: | - # Your custom YAML configuration for borgmatic goes here. - # This configuration extends the default starting configuration (`matrix_borg_configuration_yaml`). - # - # You can override individual variables from the default configuration, or introduce new ones. - # - # If you need something more special, you can take full control by - # completely redefining `matrix_backup_borg_configuration_yaml`. - -matrix_backup_borg_configuration_extension: "{{ matrix_backup_borg_configuration_extension_yaml | from_yaml if matrix_backup_borg_configuration_extension_yaml | from_yaml is mapping else {} }}" - -# Holds the final borgmatic configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `matrix_backup_borg_configuration_yaml`. -matrix_backup_borg_configuration: "{{ matrix_backup_borg_configuration_yaml | from_yaml | combine(matrix_backup_borg_configuration_extension, recursive=True) }}" diff --git a/roles/custom/matrix-backup-borg/tasks/main.yml b/roles/custom/matrix-backup-borg/tasks/main.yml deleted file mode 100644 index 88d120c04..000000000 --- a/roles/custom/matrix-backup-borg/tasks/main.yml +++ /dev/null 
@@ -1,20 +0,0 @@ ---- - -- block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_backup_borg_enabled | bool" - - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_backup_borg_enabled | bool" - tags: - - setup-all - - setup-backup-borg - - install-all - - install-backup-borg - -- block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_backup_borg_enabled | bool" - tags: - - setup-all - - setup-backup-borg diff --git a/roles/custom/matrix-backup-borg/tasks/setup_install.yml b/roles/custom/matrix-backup-borg/tasks/setup_install.yml deleted file mode 100644 index 41d953716..000000000 --- a/roles/custom/matrix-backup-borg/tasks/setup_install.yml +++ /dev/null 
@@ -1,107 +0,0 @@ ---- - -- when: matrix_backup_borg_postgresql_enabled | bool and matrix_backup_borg_version == '' - block: - - name: Fail with matrix_backup_borg_version advice if Postgres not enabled - ansible.builtin.fail: - msg: >- - You are not running a built-in Postgres server (`devture_postgres_enabled: false`), so auto-detecting its version and setting `matrix_backup_borg_version` automatically based on that cannot happen. - Consider setting `matrix_backup_borg_version` to your Postgres version manually. - when: not devture_postgres_enabled - - - ansible.builtin.include_role: - name: galaxy/com.devture.ansible.role.postgres - tasks_from: detect_existing_postgres_version - - - name: Fail if detected Postgres version is unsupported - ansible.builtin.fail: - msg: "You cannot use borg backup with such an old version ({{ devture_postgres_detected_version }}) of Postgres. Consider upgrading - link to docs for upgrading Postgres: docs/maintenance-postgres.md#upgrading-postgresql" - when: "devture_postgres_detected_version not in matrix_backup_borg_supported_postgres_versions" - - - name: Set the correct borg backup version to use - ansible.builtin.set_fact: - matrix_backup_borg_version: "{{ devture_postgres_detected_version }}-{{ matrix_backup_borg_borg_version }}-{{ matrix_backup_borg_borgmatic_version }}" - -- name: Ensure borg paths exist - ansible.builtin.file: - path: "{{ item.path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - {path: "{{ matrix_backup_borg_config_path }}", when: true} - - {path: "{{ matrix_backup_borg_docker_src_files_path }}", when: true} - when: "item.when | bool" - -- name: Ensure borgmatic config is created - ansible.builtin.copy: - content: "{{ matrix_backup_borg_configuration | to_nice_yaml(indent=2, width=999999) }}" - dest: "{{ matrix_backup_borg_config_path }}/config.yaml" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" 
- mode: 0640 - -- name: Ensure borg passwd is created - ansible.builtin.template: - src: "{{ role_path }}/templates/passwd.j2" - dest: "{{ matrix_backup_borg_config_path }}/passwd" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - mode: 0640 - -- name: Ensure borg ssh key is created - ansible.builtin.template: - src: "{{ role_path }}/templates/sshkey.j2" - dest: "{{ matrix_backup_borg_config_path }}/sshkey" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - mode: 0600 - -- name: Ensure borg image is pulled - community.docker.docker_image: - name: "{{ matrix_backup_borg_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_backup_borg_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_backup_borg_docker_image_force_pull }}" - when: "not matrix_backup_borg_container_image_self_build | bool" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure borg repository is present on self-build - ansible.builtin.git: - repo: "{{ matrix_backup_borg_docker_repo }}" - version: "{{ matrix_backup_borg_docker_repo_version }}" - dest: "{{ matrix_backup_borg_docker_src_files_path }}" - force: "yes" - become: true - become_user: "{{ matrix_user_username }}" - register: matrix_backup_borg_git_pull_results - when: "matrix_backup_borg_container_image_self_build | bool" - -- name: Ensure borg image is built - community.docker.docker_image: - name: "{{ matrix_backup_borg_docker_image }}" - source: build - force_source: "{{ matrix_backup_borg_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 
or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" - build: - dockerfile: Dockerfile - path: "{{ matrix_backup_borg_docker_src_files_path }}" - pull: true - when: "matrix_backup_borg_container_image_self_build | bool" - -- name: Ensure matrix-backup-borg.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-backup-borg.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-backup-borg.service" - mode: 0644 - register: matrix_backup_borg_systemd_service_result - -- name: Ensure matrix-backup-borg.timer installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-backup-borg.timer.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-backup-borg.timer" - mode: 0644 diff --git a/roles/custom/matrix-backup-borg/tasks/setup_uninstall.yml b/roles/custom/matrix-backup-borg/tasks/setup_uninstall.yml deleted file mode 100644 index 3d8b08ef4..000000000 --- a/roles/custom/matrix-backup-borg/tasks/setup_uninstall.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- - -- name: Check existence of matrix-backup-borg service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-backup-borg.service" - register: matrix_backup_borg_service_stat - -- when: matrix_backup_borg_service_stat.stat.exists | bool - block: - - name: Ensure matrix-backup-borg is stopped - ansible.builtin.service: - name: matrix-backup-borg - state: stopped - enabled: false - daemon_reload: true - - - name: Ensure matrix-backup-borg.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-backup-borg.service" - state: absent - - - name: Ensure matrix-backup-borg.timer doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-backup-borg.timer" - state: absent 
diff --git a/roles/custom/matrix-backup-borg/tasks/validate_config.yml b/roles/custom/matrix-backup-borg/tasks/validate_config.yml deleted file mode 100644 index bb6cd4151..000000000 --- a/roles/custom/matrix-backup-borg/tasks/validate_config.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- -- name: Fail if required backup-borg settings not defined - ansible.builtin.fail: - msg: >- - You need to define a required configuration setting (`{{ item.name }}`). - when: "item.when | bool and vars[item.name] == ''" - with_items: - - {'name': 'matrix_backup_borg_ssh_key_private', when: true} - - {'name': 'matrix_backup_borg_location_repositories', when: true} - - {'name': 'matrix_backup_borg_postgresql_databases_hostname', when: "{{ matrix_backup_borg_postgresql_enabled }}"} - -- name: Fail if encryption passphrase is undefined unless repository is unencrypted - ansible.builtin.fail: - msg: >- - You need to define a required passphrase using the `matrix_backup_borg_storage_encryption_passphrase` variable. - when: "matrix_backup_borg_storage_encryption_passphrase == '' and matrix_backup_borg_encryption != 'none'" diff --git a/roles/custom/matrix-backup-borg/templates/config.yaml.j2 b/roles/custom/matrix-backup-borg/templates/config.yaml.j2 deleted file mode 100644 index 105c0ce1f..000000000 --- a/roles/custom/matrix-backup-borg/templates/config.yaml.j2 +++ /dev/null 
@@ -1,43 +0,0 @@ -#jinja2: lstrip_blocks: "True", trim_blocks: "True" - -location: - source_directories: {{ matrix_backup_borg_location_source_directories|to_json }} - repositories: {{ matrix_backup_borg_location_repositories|to_json }} - one_file_system: true - exclude_patterns: {{ matrix_backup_borg_location_exclude_patterns|to_json }} - -storage: - compression: {{ matrix_backup_borg_storage_compression|to_json }} - ssh_command: {{ matrix_backup_borg_storage_ssh_command|to_json }} - archive_name_format: {{ matrix_backup_borg_storage_archive_name_format|to_json }} - encryption_passphrase: {{ matrix_backup_borg_storage_encryption_passphrase|to_json }} - unknown_unencrypted_repo_access_is_ok: {{ matrix_backup_borg_unknown_unencrypted_repo_access_is_ok|to_json }} - -retention: - keep_hourly: {{ matrix_backup_borg_retention_keep_hourly|to_json }} - keep_daily: {{ matrix_backup_borg_retention_keep_daily|to_json }} - keep_weekly: {{ matrix_backup_borg_retention_keep_weekly|to_json }} - keep_monthly: {{ matrix_backup_borg_retention_keep_monthly|to_json }} - keep_yearly: {{ matrix_backup_borg_retention_keep_yearly|to_json }} - prefix: {{ matrix_backup_borg_retention_prefix|to_json }} - -consistency: - checks: - - repository - - archives - -hooks: -{% if matrix_backup_borg_postgresql_enabled and matrix_backup_borg_postgresql_databases|length > 0 %} - postgresql_databases: - {% for database in matrix_backup_borg_postgresql_databases %} - - name: {{ database|to_json }} - hostname: {{ matrix_backup_borg_postgresql_databases_hostname|to_json }} - username: {{ matrix_backup_borg_postgresql_databases_username|to_json }} - password: {{ matrix_backup_borg_postgresql_databases_password|to_json }} - port: {{ matrix_backup_borg_postgresql_databases_port | int | to_json }} - {% endfor %} -{% endif %} - after_backup: - - echo "Backup created." - on_error: - - echo "Error while creating a backup." 
diff --git a/roles/custom/matrix-backup-borg/templates/passwd.j2 b/roles/custom/matrix-backup-borg/templates/passwd.j2 deleted file mode 100644 index d3665cf4b..000000000 --- a/roles/custom/matrix-backup-borg/templates/passwd.j2 +++ /dev/null @@ -1,29 +0,0 @@ -{# the passwd file with correct username, UID and GID is mandatory to work with borg over ssh, otherwise ssh connections will fail #} -root:x:0:0:root:/root:/bin/ash -bin:x:1:1:bin:/bin:/sbin/nologin -daemon:x:2:2:daemon:/sbin:/sbin/nologin -adm:x:3:4:adm:/var/adm:/sbin/nologin -lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin -sync:x:5:0:sync:/sbin:/bin/sync -shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown -halt:x:7:0:halt:/sbin:/sbin/halt -mail:x:8:12:mail:/var/mail:/sbin/nologin -news:x:9:13:news:/usr/lib/news:/sbin/nologin -uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin -operator:x:11:0:operator:/root:/sbin/nologin -man:x:13:15:man:/usr/man:/sbin/nologin -postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin -cron:x:16:16:cron:/var/spool/cron:/sbin/nologin -ftp:x:21:21::/var/lib/ftp:/sbin/nologin -sshd:x:22:22:sshd:/dev/null:/sbin/nologin -at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin -squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin -xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin -games:x:35:35:games:/usr/games:/sbin/nologin -cyrus:x:85:12::/usr/cyrus:/sbin/nologin -vpopmail:x:89:89::/var/vpopmail:/sbin/nologin -ntp:x:123:123:NTP:/var/empty:/sbin/nologin -smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin -guest:x:405:100:guest:/dev/null:/sbin/nologin -{{ matrix_user_username }}:x:{{ matrix_user_uid }}:{{ matrix_user_gid }}:Matrix:/tmp:/bin/ash -nobody:x:65534:65534:nobody:/:/sbin/nologin diff --git a/roles/custom/matrix-backup-borg/templates/sshkey.j2 b/roles/custom/matrix-backup-borg/templates/sshkey.j2 deleted file mode 100644 index 999cf38d1..000000000 --- a/roles/custom/matrix-backup-borg/templates/sshkey.j2 +++ /dev/null @@ -1 +0,0 @@ -{{ matrix_backup_borg_ssh_key_private }} 
diff --git a/roles/custom/matrix-backup-borg/templates/systemd/matrix-backup-borg.service.j2 b/roles/custom/matrix-backup-borg/templates/systemd/matrix-backup-borg.service.j2 deleted file mode 100644 index 900369b9d..000000000 --- a/roles/custom/matrix-backup-borg/templates/systemd/matrix-backup-borg.service.j2 +++ /dev/null 
@@ -1,65 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix Borg Backup -{% for service in matrix_backup_borg_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_backup_borg_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=oneshot -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-backup-borg 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-backup-borg 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-backup-borg \ - --log-driver=none \ - --cap-drop=ALL \ - --read-only \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --network={{ matrix_docker_network }} \ - --tmpfs=/tmp:rw,noexec,nosuid,size=100m \ - --mount type=bind,src={{ matrix_backup_borg_config_path }}/passwd,dst=/etc/passwd,ro \ - --mount type=bind,src={{ matrix_backup_borg_config_path }},dst=/etc/borgmatic.d,ro \ - {% for source in matrix_backup_borg_location_source_directories %} - --mount type=bind,src={{ source }},dst={{ source }},ro \ - {% endfor %} - {% for arg in matrix_backup_borg_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_backup_borg_docker_image }} \ - sh -c "borgmatic rcreate --encryption {{ matrix_backup_borg_encryption }}" - -# The `CAP_DAC_OVERRIDE` capability is required, so that `root` in the container -# can read the `/etc/borgmatic.d/config.yaml` (`{{ matrix_backup_borg_config_path }}/config.yaml`) file, -# owned by `matrix:matrix` on the filesystem. 
-# -# `/root` is mountes as temporary filesystem, because we're using `--read-only` and because -# Borgmatic tries to write to at least a few paths under `/root` (`.config`, `.ssh`, `.borgmatic`). -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-backup-borg \ - --log-driver=none \ - --cap-drop=ALL \ - --cap-add=CAP_DAC_OVERRIDE \ - --read-only \ - --network={{ matrix_docker_network }} \ - --tmpfs=/root:rw,noexec,nosuid,size=100m \ - --tmpfs=/tmp:rw,noexec,nosuid,size=100m \ - --mount type=bind,src={{ matrix_backup_borg_config_path }}/passwd,dst=/etc/passwd,ro \ - --mount type=bind,src={{ matrix_backup_borg_config_path }},dst=/etc/borgmatic.d,ro \ - {% for source in matrix_backup_borg_location_source_directories %} - --mount type=bind,src={{ source }},dst={{ source }},ro \ - {% endfor %} - {% for arg in matrix_backup_borg_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_backup_borg_docker_image }} - -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-backup-borg 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-backup-borg 2>/dev/null || true' -SyslogIdentifier=matrix-backup-borg - -[Install] -WantedBy=multi-user.target diff --git a/roles/custom/matrix-backup-borg/templates/systemd/matrix-backup-borg.timer.j2 b/roles/custom/matrix-backup-borg/templates/systemd/matrix-backup-borg.timer.j2 deleted file mode 100644 index fdafef766..000000000 --- a/roles/custom/matrix-backup-borg/templates/systemd/matrix-backup-borg.timer.j2 +++ /dev/null @@ -1,10 +0,0 @@ -[Unit] -Description=Matrix Borg Backup timer - -[Timer] -Unit=matrix-backup-borg.service -OnCalendar={{ matrix_backup_borg_schedule }} -RandomizedDelaySec={{ matrix_backup_borg_schedule_randomized_delay_sec }} - -[Install] -WantedBy=timers.target 
diff --git a/roles/custom/matrix_playbook_migration/defaults/main.yml b/roles/custom/matrix_playbook_migration/defaults/main.yml index 496c4c753..109ecd726 100644 --- a/roles/custom/matrix_playbook_migration/defaults/main.yml +++ b/roles/custom/matrix_playbook_migration/defaults/main.yml @@ -5,3 +5,6 @@ matrix_playbook_migration_matrix_prometheus_node_exporter_migration_validation_e # Controls if (`matrix_prometheus_postgres_exporter` -> `prometheus_postgres_exporter`) validation will run. matrix_playbook_migration_matrix_prometheus_postgres_exporter_migration_validation_enabled: true + +# Controls if (`matrix_backup_borg` -> `backup_borg`) validation will run. +matrix_playbook_migration_matrix_backup_borg_migration_validation_enabled: true diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index b04c9e0e9..4f3d79318 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml 
@@ -80,3 +80,20 @@ Please change your configuration (vars.yml) to rename all variables (`matrix_prometheus_postgres_exporter_` -> `prometheus_postgres_exporter_`). We found usage of the following variables: {{ matrix_playbook_migration_matrix_prometheus_postgres_exporter_migration_vars.keys() | join(', ') }} when: "matrix_playbook_migration_matrix_prometheus_postgres_exporter_migration_vars | length > 0" + +- when: matrix_playbook_migration_matrix_backup_borg_migration_validation_enabled | bool + block: + - ansible.builtin.set_fact: + matrix_playbook_migration_backup_borg_migration_vars: |- + {{ vars | dict2items | selectattr('key', 'match', 'matrix_backup_borg_.*') | list | items2dict }} + + - name: (Deprecation) Catch and report matrix_backup_borg variables + ansible.builtin.fail: + msg: >- + The matrix-backup-borg role that used to be part of this playbook has been replaced by https://gitlab.com/etke.cc/roles/backup_borg. + The new role is compatible with the old one, but uses different names for its variables. + Please change your configuration (vars.yml) to rename all variables (`matrix_backup_borg_` -> `backup_borg_`). + We found usage of the following variables: {{ matrix_playbook_migration_backup_borg_migration_vars.keys() | join(', ') }} + when: "matrix_playbook_migration_backup_borg_migration_vars | length > 0" + + From 38904c08b05148ca2fb3d0d3911058835c1868df Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 13 Feb 2023 11:01:54 +0200 Subject: [PATCH 397/915] Wire backup_borg_username It's probably unnecessary, as this user is only used in the borg container internally, but.. It doesn't hurt to set it to `matrix`. --- group_vars/matrix_servers | 1 + .../custom/matrix_playbook_migration/tasks/validate_config.yml | 2 -- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index fbae03046..734364db1 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -1882,6 +1882,7 @@ backup_borg_enabled: false backup_borg_identifier: matrix-backup-borg +backup_borg_username: "{{ matrix_user_username }}" backup_borg_uid: "{{ matrix_user_uid }}" backup_borg_gid: "{{ matrix_user_gid }}" diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index 4f3d79318..f588ed08b 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml @@ -95,5 +95,3 @@ Please change your configuration (vars.yml) to rename all variables (`matrix_backup_borg_` -> `backup_borg_`). We found usage of the following variables: {{ matrix_playbook_migration_backup_borg_migration_vars.keys() | join(', ') }} when: "matrix_playbook_migration_backup_borg_migration_vars | length > 0" - - From 23f7720247628e6c9f0e9a587a4d727c403be46d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 13 Feb 2023 11:44:19 +0200 Subject: [PATCH 398/915] Add missing backup_borg_base_path override --- group_vars/matrix_servers | 2 ++ 1 file changed, 2 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 734364db1..c8c4bd617 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1882,6 +1882,8 @@ backup_borg_enabled: false backup_borg_identifier: matrix-backup-borg +backup_borg_base_path: "{{ matrix_base_data_path }}/backup-borg" + backup_borg_username: "{{ matrix_user_username }}" backup_borg_uid: "{{ matrix_user_uid }}" backup_borg_gid: "{{ matrix_user_gid }}" From 65730b84d35c75dffab374079fe5c67b4619e66e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 13 Feb 2023 11:51:11 +0200 Subject: [PATCH 399/915] Upgrade backup_borg (v1.2.3-1.7.5-0 -> v1.2.3-1.7.5-1) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 754491244..fa5290ffa 100644 --- a/requirements.yml 
+++ b/requirements.yml @@ -37,7 +37,7 @@ version: v0.11.1-2 - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git - version: v1.2.3-1.7.5-0 + version: v1.2.3-1.7.5-1 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git version: fb09fd26f877372417d5586f1e79e83f983f0bd6 From 266195ab450421f2376974483d1bc68c1e62b7d5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 13 Feb 2023 12:25:05 +0200 Subject: [PATCH 400/915] Upgrade backup_borg (v1.2.3-1.7.5-1 -> v1.2.3-1.7.6-0) Supersedes https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2472 --- group_vars/matrix_servers | 2 ++ requirements.yml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index c8c4bd617..b1d0ffcc2 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1890,6 +1890,8 @@ backup_borg_gid: "{{ matrix_user_gid }}" backup_borg_container_network: "{{ devture_postgres_container_network if devture_postgres_enabled else backup_borg_identifier }}" +backup_borg_postgresql_version_detection_devture_postgres_role_name: "{{ 'galaxy/com.devture.ansible.role.postgres' if devture_postgres_enabled else '' }}" + backup_borg_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}" backup_borg_postgresql_enabled: "{{ devture_postgres_enabled }}" diff --git a/requirements.yml b/requirements.yml index fa5290ffa..1244c4654 100644 --- a/requirements.yml +++ b/requirements.yml @@ -37,7 +37,7 @@ version: v0.11.1-2 - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git - version: v1.2.3-1.7.5-1 + version: v1.2.3-1.7.6-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git version: fb09fd26f877372417d5586f1e79e83f983f0bd6 From 33b4f7031b24a58613bcefc90d045652b0f0799f Mon Sep 17 00:00:00 2001 
From: Aine <97398200+etkecc@users.noreply.github.com> Date: Mon, 13 Feb 2023 10:44:42 +0000 Subject: [PATCH 401/915] restore borg prefixes --- group_vars/matrix_servers | 2 ++ 1 file changed, 2 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index b1d0ffcc2..f5fab4e65 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1881,6 +1881,8 @@ matrix_bot_draupnir_systemd_required_services_list: | backup_borg_enabled: false backup_borg_identifier: matrix-backup-borg +backup_borg_retention_prefix: matrix- +backup_borg_storage_archive_name_format: matrix-{now:%Y-%m-%d-%H%M%S} backup_borg_base_path: "{{ matrix_base_data_path }}/backup-borg" From 5d146219167754a05ea58bc90068ade537c11bef Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 13 Feb 2023 13:08:53 +0200 Subject: [PATCH 402/915] Fix outdated documentation leading to matrix-backup-borg --- docs/configuring-playbook-backup-borg.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-backup-borg.md b/docs/configuring-playbook-backup-borg.md index 2f6ab5ad3..6c9e7f808 100644 --- a/docs/configuring-playbook-backup-borg.md +++ b/docs/configuring-playbook-backup-borg.md 
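Review bot: `backup_borg_retention_prefix: matrix-` and `backup_borg_storage_archive_name_format: matrix-{now:%Y-%m-%d-%H%M%S}` share the `matrix-` prefix, but nothing in the hunk records that they must stay in step, so a later edit to one can silently detach pruning from the archives the playbook creates. A one-line comment above the pair would pin that down, e.g. `# The retention prefix must match the leading part of the archive name format, so that pruning (which the role presumably scopes by prefix) only touches archives created by this playbook.` The rest of the backup_borg block sits outside the hunk.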
@@ -64,7 +64,7 @@ To backup without encryption, add `backup_borg_encryption: 'none'` to your vars. `backup_borg_location_source_directories` defines the list of directories to back up: it's set to `{{ matrix_base_data_path }}` by default, which is the base directory for every service's data, such as Synapse, Postgres and the bridges. You might want to exclude certain directories or file patterns from the backup using the `backup_borg_location_exclude_patterns` variable. -Check the `roles/custom/matrix-backup-borg/defaults/main.yml` file for the full list of available options. +Check the [backup_borg role](https://gitlab.com/etke.cc/roles/backup_borg)'s [defaults/main.yml](https://gitlab.com/etke.cc/roles/backup_borg/-/blob/main/defaults/main.yml) file for the full list of available options. ## Installing From 06f5be4fa549713ef88e830d371f9806b894f9e1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 13 Feb 2023 13:15:01 +0200 Subject: [PATCH 403/915] Announce matrix-backup-borg extraction --- CHANGELOG.md | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d3f74e705..99acdcb9f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,14 @@ +# 2023-02-13 + +## The matrix-backup-borg role lives independently now + +**TLDR**: the `matrix-backup-borg` role is now included from another repository. Some variables have been renamed. All functionality remains intact. + +Thanks to [moan0s](https://github.com/moan0s), the `matrix-backup-borg` role (which configures [Borg backups](docs/configuring-playbook-backup-borg.md)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/borg_backup). This makes it possible to easily use it in other Ansible playbooks and will become part of [nextcloud-docker-ansible-deploy](https://github.com/spantaleev/nextcloud-docker-ansible-deploy) soon. + +You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're enabling Borg backup functionality or not. If you're making use of Borg backups via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_backup_borg_` -> `backup_borg_`). + + # 2023-02-12 ## Reverse-proxy configuration changes and initial Traefik support 
@@ -128,7 +139,7 @@ Additional details are available in [Setting up Draupnir](docs/configuring-playb **TLDR**: the `matrix-prometheus-postgres-exporter` role is now included from another repository. Some variables have been renamed. All functionality remains intact. -The `matrix-prometheus-postgres-exporter` role (which configures [Prometheus Postgres Exporter](https://github.com/prometheus-community/postgres_exporter)) has been extracted from the playbook and now lives in its own repository at https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter. +The `matrix-prometheus-postgres-exporter` role (which configures [Prometheus Postgres Exporter](https://github.com/prometheus-community/postgres_exporter)) has been extracted from the playbook and now lives in its own repository at https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter It's still part of the playbook, but is now installed via `ansible-galaxy` (by running `just roles` / `make roles`). Some variables have been renamed (`matrix_prometheus_postgres_exporter_` -> `prometheus_postgres_exporter_`, etc.). The playbook will report all variables that you need to rename to get upgraded. All functionality remains intact. 
@@ -172,7 +183,7 @@ We've also added `no-multicast-peers` to the default Coturn configuration, but w **TLDR**: the `matrix-prometheus-node-exporter` role is now included from another repository. Some variables have been renamed. All functionality remains intact. -The `matrix-prometheus-node-exporter` role (which configures [Prometheus node exporter](https://github.com/prometheus/node_exporter)) has been extracted from the playbook and now lives in its own repository at https://gitlab.com/etke.cc/roles/prometheus_node_exporter. +The `matrix-prometheus-node-exporter` role (which configures [Prometheus node exporter](https://github.com/prometheus/node_exporter)) has been extracted from the playbook and now lives in its own repository at https://gitlab.com/etke.cc/roles/prometheus_node_exporter It's still part of the playbook, but is now installed via `ansible-galaxy` (by running `just roles` / `make roles`). Some variables have been renamed (`matrix_prometheus_node_exporter_` -> `prometheus_node_exporter_`, etc.). The playbook will report all variables that you need to rename to get upgraded. All functionality remains intact. From 80935a5194738818eec2a816d2f626914e07dd55 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 13 Feb 2023 14:14:25 +0200 Subject: [PATCH 404/915] Fix broken backup_borg link Referenced here: https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/06f5be4fa549713ef88e830d371f9806b894f9e1#r100414988 --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 99acdcb9f..3b2716ef8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,7 +4,7 @@ **TLDR**: the `matrix-backup-borg` role is now included from another repository. Some variables have been renamed. All functionality remains intact. -Thanks to [moan0s](https://github.com/moan0s), the `matrix-backup-borg` role (which configures [Borg backups](docs/configuring-playbook-backup-borg.md)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/borg_backup). This makes it possible to easily use it in other Ansible playbooks and will become part of [nextcloud-docker-ansible-deploy](https://github.com/spantaleev/nextcloud-docker-ansible-deploy) soon. +Thanks to [moan0s](https://github.com/moan0s), the `matrix-backup-borg` role (which configures [Borg backups](docs/configuring-playbook-backup-borg.md)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/backup_borg). This makes it possible to easily use it in other Ansible playbooks and will become part of [nextcloud-docker-ansible-deploy](https://github.com/spantaleev/nextcloud-docker-ansible-deploy) soon. You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're enabling Borg backup functionality or not. If you're making use of Borg backups via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_backup_borg_` -> `backup_borg_`). From f6f7bbd2a1fdc701ff2affe92f289882e1965c3f Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Mon, 13 Feb 2023 12:54:55 +0000 Subject: [PATCH 405/915] Update coturn 4.6.1-r1 -> 4.6.1-r2 --- roles/custom/matrix-coturn/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-coturn/defaults/main.yml b/roles/custom/matrix-coturn/defaults/main.yml index 78efc73cf..47577a467 100644 --- a/roles/custom/matrix-coturn/defaults/main.yml +++ b/roles/custom/matrix-coturn/defaults/main.yml 
@@ -8,7 +8,7 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}" matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile" -matrix_coturn_version: 4.6.1-r1 +matrix_coturn_version: 4.6.1-r2 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine" matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" From 3d9aa8387e4adc37bbbb997155dfe3a9042241fc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 13 Feb 2023 15:08:42 +0200 Subject: [PATCH 406/915] Add (native) Traefik support to synapse-admin Previously, it had to go through matrix-nginx-proxy. It's exposed to Traefik directly via container labels now. --- group_vars/matrix_servers | 11 +++-- .../matrix-synapse-admin/defaults/main.yml | 42 ++++++++++++++++++- .../matrix-synapse-admin/tasks/main.yml | 2 +- .../tasks/setup_install.yml | 22 +++++++++- .../tasks/setup_uninstall.yml | 5 +++ .../tasks/validate_config.yml | 21 ++++++++++ .../matrix-synapse-admin/templates/labels.j2 | 25 +++++++++++ .../systemd/matrix-synapse-admin.service.j2 | 14 ++++++- 8 files changed, 133 insertions(+), 9 deletions(-) create mode 100644 roles/custom/matrix-synapse-admin/templates/labels.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index f5fab4e65..3abc1d438 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -3159,13 +3159,18 @@ matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_server_port matrix_synapse_admin_enabled: false -# Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse Admin over the container network. -# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# Synapse Admin's HTTP port to the local host. +matrix_synapse_admin_nginx_proxy_integration_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" + matrix_synapse_admin_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8766') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_synapse_admin_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" +matrix_synapse_admin_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" + +matrix_synapse_admin_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" +matrix_synapse_admin_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_synapse_admin_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary if devture_traefik_enabled else '' }}" + ###################################################################### # # /matrix-synapse-admin diff --git a/roles/custom/matrix-synapse-admin/defaults/main.yml b/roles/custom/matrix-synapse-admin/defaults/main.yml index 0f5c7af6e..b95632a72 100644 --- a/roles/custom/matrix-synapse-admin/defaults/main.yml +++ b/roles/custom/matrix-synapse-admin/defaults/main.yml 
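Review bot: `matrix_synapse_admin_container_labels_traefik_entrypoints` resolves to `''` whenever `devture_traefik_enabled` is false, yet `matrix_synapse_admin_container_labels_traefik_enabled` is still true for `other-traefik-container`, so in that mode the router gets an empty `entrypoints=` label and the validation block in this commit's `validate_config.yml` hunk does not catch it (it only checks hostname and path prefix). Adding `- matrix_synapse_admin_container_labels_traefik_entrypoints` to that `with_items` list turns the misconfiguration into a clear failure instead of a router that Traefik attaches to every entrypoint or rejects. Separately, the removed three-line comment leaves `matrix_synapse_admin_container_http_host_bind_port` undocumented in this file; a short `# Exposes Synapse Admin's HTTP port on the host only when a bind-interface prefix is configured` would keep the intent visible.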
@@ -4,19 +4,57 @@ matrix_synapse_admin_enabled: true +# A path on host where all related files will be saved +matrix_synapse_admin_base_path: "{{ matrix_base_data_path }}/synapse-admin" +matrix_synapse_admin_docker_src_files_path: "{{ matrix_synapse_admin_base_path }}/docker-src" + +# Specifies whether this role will integrate with the matrix-nginx-proxy role +matrix_synapse_admin_nginx_proxy_integration_enabled: false + matrix_synapse_admin_container_image_self_build: false matrix_synapse_admin_container_image_self_build_repo: "https://github.com/Awesome-Technologies/synapse-admin.git" -matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" - matrix_synapse_admin_version: 0.8.7 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" +# The base container network +matrix_synapse_admin_container_network: matrix-synapse-admin + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# +# Use this to expose this container to another reverse proxy, which runs in a different container network, +# without exposing all other container services to that other reverse-proxy. +matrix_synapse_admin_container_additional_networks: [] + # A list of extra arguments to pass to the container matrix_synapse_admin_container_extra_arguments: [] +# matrix_synapse_admin_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. 
+# +# To inject your own other container labels, see `matrix_synapse_admin_container_labels_additional_labels`. +matrix_synapse_admin_container_labels_traefik_enabled: true +matrix_synapse_admin_container_labels_traefik_docker_network: "{{ matrix_synapse_admin_container_network }}" +matrix_synapse_admin_container_labels_traefik_hostname: "{{ matrix_server_fqn_matrix }}" +# The path prefix must not end with a slash +matrix_synapse_admin_container_labels_traefik_path_prefix: /synapse-admin +matrix_synapse_admin_container_labels_traefik_rule: "Host(`{{ matrix_synapse_admin_container_labels_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_admin_container_labels_traefik_path_prefix | quote }}`)" +matrix_synapse_admin_container_labels_traefik_entrypoints: web-secure +matrix_synapse_admin_container_labels_traefik_tls: "{{ matrix_synapse_admin_container_labels_traefik_entrypoints != 'web' }}" +matrix_synapse_admin_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# matrix_synapse_admin_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_synapse_admin_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_synapse_admin_container_labels_additional_labels: '' + # List of systemd services that matrix-synapse-admin.service depends on matrix_synapse_admin_systemd_required_services_list: ['docker.service'] diff --git a/roles/custom/matrix-synapse-admin/tasks/main.yml b/roles/custom/matrix-synapse-admin/tasks/main.yml index 0b1664cf1..f38f1d5e4 100644 --- a/roles/custom/matrix-synapse-admin/tasks/main.yml +++ b/roles/custom/matrix-synapse-admin/tasks/main.yml 
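Review bot: `matrix_synapse_admin_container_labels_traefik_rule` passes the path prefix through `| quote`, which is Ansible's shell-quoting filter rather than an escape for Traefik matchers: for the default `/synapse-admin` it is a no-op, and for any prefix shlex considers unsafe it would wrap the value in single quotes inside `PathPrefix(...)`. The same filter appears in this commit's `labels.j2` hunk on `redirectregex.regex=({{ ... | quote }})$`, where a regex escape is what is needed; `regex_escape` is the filter for that, e.g. `...redirectregex.regex=({{ matrix_synapse_admin_container_labels_traefik_path_prefix | regex_escape }})$`, and the rule can simply drop `| quote`. Since `validate_config.yml` already constrains the prefix (no trailing slash), the practical impact is limited to unusual prefixes, but the misleading filter is worth correcting before it is copied into other roles.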
@@ -1,7 +1,7 @@ --- - block: - - when: matrix_synapse_admin_enabled | bool + - when: matrix_synapse_admin_enabled | bool and matrix_synapse_admin_nginx_proxy_integration_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - setup-all diff --git a/roles/custom/matrix-synapse-admin/tasks/setup_install.yml b/roles/custom/matrix-synapse-admin/tasks/setup_install.yml index 57e591486..2eefe06f6 100644 --- a/roles/custom/matrix-synapse-admin/tasks/setup_install.yml +++ b/roles/custom/matrix-synapse-admin/tasks/setup_install.yml @@ -1,5 +1,21 @@ --- +- name: Ensure matrix-synapse-admin path exist + ansible.builtin.file: + path: "{{ matrix_synapse_admin_base_path }}" + state: directory + mode: 0700 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-synapse-admin labels file is created + ansible.builtin.template: + src: "{{ role_path }}/templates/labels.j2" + dest: "{{ matrix_synapse_admin_base_path }}/labels" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + mode: 0640 + - name: Ensure matrix-synapse-admin image is pulled community.docker.docker_image: name: "{{ matrix_synapse_admin_docker_image }}" @@ -35,9 +51,13 @@ pull: true when: matrix_synapse_admin_container_image_self_build | bool +- name: Ensure matrix-synapse-admin container network is created + community.general.docker_network: + name: "{{ matrix_synapse_admin_container_network }}" + driver: bridge + - name: Ensure matrix-synapse-admin.service installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-synapse-admin.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-admin.service" mode: 0644 - register: matrix_synapse_admin_systemd_service_result diff --git a/roles/custom/matrix-synapse-admin/tasks/setup_uninstall.yml b/roles/custom/matrix-synapse-admin/tasks/setup_uninstall.yml index 3828b7359..69820a005 100644 
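Review bot: The new `Ensure matrix-synapse-admin container network is created` task uses `community.general.docker_network`, while the same file pulls the image with `community.docker.docker_image`; the Docker modules live in `community.docker` and the `community.general` name is only the legacy redirect, so `community.general.docker_network:` should read `community.docker.docker_network:` to keep the file on one collection. The labels file is written 0640 under a 0700 base path, which is appropriate for routing configuration. The `register: matrix_synapse_admin_systemd_service_result` line is dropped without a replacement in this hunk; if anything outside the diff still reads that fact it would now be undefined, though presumably the systemd service manager role handles reloads.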
--- a/roles/custom/matrix-synapse-admin/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-synapse-admin/tasks/setup_uninstall.yml @@ -18,3 +18,8 @@ ansible.builtin.file: path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-admin.service" state: absent + + - name: Ensure matrix-synapse-admin directory doesn't exist + ansible.builtin.file: + path: "{{ matrix_synapse_admin_base_path }}" + state: absent diff --git a/roles/custom/matrix-synapse-admin/tasks/validate_config.yml b/roles/custom/matrix-synapse-admin/tasks/validate_config.yml index bf5fe69e1..41f19b751 100644 --- a/roles/custom/matrix-synapse-admin/tasks/validate_config.yml +++ b/roles/custom/matrix-synapse-admin/tasks/validate_config.yml 
@@ -10,3 +10,24 @@
 - {'old': 'matrix_synapse_admin_docker_repo', 'new': 'matrix_synapse_admin_container_self_build_repo'}
 - {'old': 'matrix_synapse_admin_container_self_build', 'new': 'matrix_synapse_admin_container_image_self_build'}
 - {'old': 'matrix_synapse_admin_container_self_build_repo', 'new': 'matrix_synapse_admin_container_image_self_build_repo'}
+
+- when: matrix_synapse_admin_container_labels_traefik_enabled | bool
+ block:
+ - name: Fail if required matrix-synapse-admin Traefik settings not defined
+ ansible.builtin.fail:
+ msg: >-
+ You need to define a required configuration setting (`{{ item }}`).
+ when: "vars[item] == ''"
+ with_items:
+ - matrix_synapse_admin_container_labels_traefik_hostname
+ - matrix_synapse_admin_container_labels_traefik_path_prefix
+
+ # We ensure it doesn't end with a slash, because we handle both (slash and no-slash).
+ # Knowing that `matrix_synapse_admin_container_labels_traefik_path_prefix` does not end with a slash
+ # ensures we know how to set these routes up without having to do "does it end with a slash" checks elsewhere.
+ - name: Fail if matrix_synapse_admin_container_labels_traefik_path_prefix ends with a slash
+ ansible.builtin.fail:
+ msg: >-
+ matrix_synapse_admin_container_labels_traefik_path_prefix (`{{ matrix_synapse_admin_container_labels_traefik_path_prefix }}`) must not end with a slash.
+ Example: `/synapse-admin`.
+ when: "matrix_synapse_admin_container_labels_traefik_path_prefix[-1] == '/'"
diff --git a/roles/custom/matrix-synapse-admin/templates/labels.j2 b/roles/custom/matrix-synapse-admin/templates/labels.j2
new file mode 100644
index 000000000..772fdad80
--- /dev/null
+++ b/roles/custom/matrix-synapse-admin/templates/labels.j2
@@ -0,0 +1,25 @@
+{% if matrix_synapse_admin_container_labels_traefik_enabled %}
+traefik.enable=true
+
+{% if matrix_synapse_admin_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_synapse_admin_container_labels_traefik_docker_network }}
+{% endif %}
+
+traefik.http.middlewares.matrix-synapse-admin-slashless-redirect.redirectregex.regex=({{ matrix_synapse_admin_container_labels_traefik_path_prefix | quote }})$
+traefik.http.middlewares.matrix-synapse-admin-slashless-redirect.redirectregex.replacement=${1}/
+
+traefik.http.middlewares.matrix-synapse-admin-replacepath.replacepath.path=/
+
+traefik.http.routers.matrix-synapse-admin.rule={{ matrix_synapse_admin_container_labels_traefik_rule }}
+traefik.http.routers.matrix-synapse-admin.middlewares=matrix-synapse-admin-slashless-redirect,matrix-synapse-admin-replacepath
+traefik.http.routers.matrix-synapse-admin.service=matrix-synapse-admin
+traefik.http.routers.matrix-synapse-admin.entrypoints={{ matrix_synapse_admin_container_labels_traefik_entrypoints }}
+traefik.http.routers.matrix-synapse-admin.tls={{ matrix_synapse_admin_container_labels_traefik_tls | to_json }}
+{% if matrix_synapse_admin_container_labels_traefik_tls %}
+traefik.http.routers.matrix-synapse-admin.tls.certResolver={{ matrix_synapse_admin_container_labels_traefik_tls_certResolver }}
+{% endif %}
+
+traefik.http.services.matrix-synapse-admin.loadbalancer.server.port=80
+{% endif %}
+
+{{ matrix_synapse_admin_container_labels_additional_labels }}
diff --git a/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 b/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2
index 9bae6e03f..ba56374c4 100644
--- a/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2
+++ b/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2
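Review bot: The `matrix-synapse-admin-replacepath` middleware rewrites every request matched by the router to `/`, so `/synapse-admin/`, `/synapse-admin/index.html` and any sub-path all reach the container as the same `/`; whether synapse-admin serves its assets from sub-paths is not visible here, but if it does, those requests would get the root document instead. A `stripprefix` middleware (`traefik.http.middlewares.matrix-synapse-admin-strip-prefix.stripprefix.prefixes={{ matrix_synapse_admin_container_labels_traefik_path_prefix }}`) would preserve the remainder of the path; worth confirming against the image's web root before relying on `replacepath`. The router also publishes the admin UI on the public Matrix hostname with no client restriction (as the nginx path presumably did too); operators who want to limit who can load it can attach an IP allow-list middleware through `matrix_synapse_admin_container_labels_additional_labels`, and a short comment pointing that out above the router labels would help.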
@@ -16,24 +16,34 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-synapse-admin 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-synapse-admin 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-synapse-admin \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-synapse-admin \ --log-driver=none \ --cap-drop=ALL \ --cap-add=CHOWN \ --cap-add=NET_BIND_SERVICE \ --cap-add=SETUID \ --cap-add=SETGID \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_synapse_admin_container_network }} \ {% if matrix_synapse_admin_container_http_host_bind_port %} -p {{ matrix_synapse_admin_container_http_host_bind_port }}:80 \ {% endif %} + --label-file={{ matrix_synapse_admin_base_path }}/labels \ {% for arg in matrix_synapse_admin_container_extra_arguments %} {{ arg }} \ {% endfor %} {{ matrix_synapse_admin_docker_image }} +{% for network in matrix_synapse_admin_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-synapse-admin +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-synapse-admin + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-synapse-admin 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-synapse-admin 2>/dev/null || true' + Restart=always RestartSec=30 SyslogIdentifier=matrix-synapse-admin From 6cda711c0b74ccb6ec192cb2a5947d4b27e39d29 Mon Sep 17 00:00:00 2001 
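Review bot: The change from a single `docker run` to `docker create` + `docker network connect` + `docker start --attach` is not explained anywhere in the template, and a reader seeing three `ExecStartPre` lines plus a separate `ExecStart` will wonder whether it is intentional. A comment above the `create` line would carry the reasoning, e.g. `# Create first, then attach extra networks, then start: docker run presumably accepts only one --network at creation time.` (confirm against the Docker CLI version the playbook targets). It is also worth stating that a missing network in `matrix_synapse_admin_container_additional_networks` makes the unit fail at `ExecStartPre`, which the defaults comment hints at but the unit file does not. The unit's `[Unit]` section lies outside the hunk.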
From: Slavi Pantaleev Date: Mon, 13 Feb 2023 15:37:12 +0200 Subject: [PATCH 407/915] Fix incorrect host_bind_port syntax (extra `:`) affecting certain deployments Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2474 Seems like this affected all "own webserver" deployments, which required port exposure. `playbook-managed-traefik` and `playbook-managed-nginx` were not affected. --- group_vars/matrix_servers | 64 +++++++++++++++++++-------------------- 1 file changed, 32 insertions(+), 32 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 3abc1d438..cabc149a1 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -502,7 +502,7 @@ matrix_appservice_webhooks_container_image_self_build: "{{ matrix_architecture ! # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-webhooks over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-appservice-webhooks' client-server port to the local host. -matrix_appservice_webhooks_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':' ~ matrix_appservice_webhooks_matrix_port) if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_appservice_webhooks_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '' ~ matrix_appservice_webhooks_matrix_port) if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_appservice_webhooks_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'webhook.as.token', rounds=655555) | to_uuid }}" 
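Review bot: The fix replaces `~ ':'` with `~ ''` in `matrix_appservice_webhooks_container_http_host_bind_port`, leaving a concatenation with an empty string that does nothing; `(matrix_playbook_service_host_bind_interface_prefix ~ matrix_appservice_webhooks_matrix_port)` expresses the same value without the dead operand, and the same applies to `matrix_mx_puppet_twitter_container_http_host_bind_port` in the -1350 hunk. More importantly, nothing in the diff records why the colon was wrong — presumably `matrix_playbook_service_host_bind_interface_prefix` already ends with `:` — so the next contributor is likely to re-add it; a comment on the first of these lines, e.g. `# matrix_playbook_service_host_bind_interface_prefix already carries the trailing ':'`, would prevent that regression. The same pattern is corrected in the -584, -840, -891, -933, -1080 and -1350 hunks of this commit.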
@@ -584,7 +584,7 @@ matrix_appservice_irc_container_image_self_build: "{{ matrix_architecture != 'am # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-irc over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-appservice-irc's client-server port to the local host. -matrix_appservice_irc_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9999') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_appservice_irc_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9999') if matrix_playbook_service_host_bind_interface_prefix else '' }}" # The IRC bridge docs say that if homeserver presence is disabled, it's better to also disable # IRC bridge presence, for performance reasons. @@ -840,7 +840,7 @@ matrix_mautrix_facebook_homeserver_token: "{{ '%s' | format(matrix_homeserver_ge matrix_mautrix_facebook_public_endpoint: "/{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'facebook', rounds=655555) | to_uuid }}" -matrix_mautrix_facebook_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9008') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_mautrix_facebook_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9008') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" 
@@ -891,7 +891,7 @@ matrix_mautrix_googlechat_appservice_token: "{{ '%s' | format(matrix_homeserver_ matrix_mautrix_googlechat_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gc.hs.token', rounds=655555) | to_uuid }}" -matrix_mautrix_googlechat_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9007') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_mautrix_googlechat_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9007') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_mautrix_googlechat_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -933,7 +933,7 @@ matrix_mautrix_hangouts_appservice_token: "{{ '%s' | format(matrix_homeserver_ge matrix_mautrix_hangouts_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ho.hs.token', rounds=655555) | to_uuid }}" -matrix_mautrix_hangouts_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9007') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_mautrix_hangouts_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9007') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" 
@@ -1080,7 +1080,7 @@ matrix_mautrix_telegram_homeserver_token: "{{ '%s' | format(matrix_homeserver_ge matrix_mautrix_telegram_public_endpoint: "/{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegram', rounds=655555) | to_uuid }}" -matrix_mautrix_telegram_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9006') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_mautrix_telegram_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9006') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_mautrix_telegram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -1350,7 +1350,7 @@ matrix_mx_puppet_twitter_homeserver_token: "{{ '%s' | format(matrix_homeserver_g matrix_mx_puppet_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -matrix_mx_puppet_twitter_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':' ~ matrix_mx_puppet_twitter_appservice_port) if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_mx_puppet_twitter_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '' ~ matrix_mx_puppet_twitter_appservice_port) if matrix_playbook_service_host_bind_interface_prefix else '' }}" # Postgres is the default, except if not using internal Postgres server matrix_mx_puppet_twitter_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" 
@@ -1610,7 +1610,7 @@ matrix_bot_maubot_registration_shared_secret: |- }[matrix_homeserver_implementation] }} -matrix_bot_maubot_management_interface_http_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':' ~ matrix_bot_maubot_management_interface_port | string) if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_bot_maubot_management_interface_http_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '' ~ matrix_bot_maubot_management_interface_port | string) if matrix_playbook_service_host_bind_interface_prefix else '' }}" # Postgres is the default, except if not using internal Postgres server matrix_bot_maubot_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" @@ -1806,7 +1806,7 @@ matrix_bot_go_neb_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_bot_go_neb_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':4050') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_bot_go_neb_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '4050') if matrix_playbook_service_host_bind_interface_prefix else '' }}" ###################################################################### # 
@@ -1970,8 +1970,8 @@ matrix_corporal_container_image_self_build: "{{ matrix_architecture not in ['amd # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-corporal over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-corporal's web-server ports to the local host. -matrix_corporal_container_http_gateway_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':41080') if matrix_playbook_service_host_bind_interface_prefix else '' }}" -matrix_corporal_container_http_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':41081') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_corporal_container_http_gateway_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '41080') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_corporal_container_http_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '41081') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_corporal_systemd_required_services_list: | {{ @@ -2096,7 +2096,7 @@ matrix_dimension_container_image_self_build: "{{ matrix_architecture != 'amd64' # Normally, matrix-nginx-proxy is enabled and nginx can reach Dimension over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the Dimension HTTP port to the local host. -matrix_dimension_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8184') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_dimension_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8184') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_dimension_homeserver_federationUrl: "{{ matrix_homeserver_container_federation_url }}" 
@@ -2130,7 +2130,7 @@ matrix_dimension_database_password: "{{ '%s' | format(matrix_homeserver_generic_ matrix_etherpad_enabled: false -matrix_etherpad_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9001') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_etherpad_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9001') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_etherpad_base_url: "{{ 'https://' + matrix_server_fqn_dimension + matrix_etherpad_public_endpoint if matrix_etherpad_mode == 'dimension' else 'https://' + matrix_server_fqn_etherpad + '/' }}" 
@@ -2191,11 +2191,11 @@ matrix_jitsi_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach jitsi/web over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the Jitsi HTTP port to the local host. -matrix_jitsi_web_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':13080') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_jitsi_web_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '13080') if matrix_playbook_service_host_bind_interface_prefix else '' }}" -matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':13090') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '13090') if matrix_playbook_service_host_bind_interface_prefix else '' }}" -matrix_jitsi_prosody_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':5280') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_jitsi_prosody_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '5280') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_jitsi_jibri_xmpp_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jibri', rounds=655555) | to_uuid }}" matrix_jitsi_jicofo_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jicofo', rounds=655555) | to_uuid }}" 
@@ -2285,7 +2285,7 @@ matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach ma1sd over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # ma1sd's web-server port. -matrix_ma1sd_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':' ~ matrix_ma1sd_container_port | string) if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_ma1sd_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '' ~ matrix_ma1sd_container_port | string) if matrix_playbook_service_host_bind_interface_prefix else '' }}" # We enable Synapse integration via its Postgres database by default. @@ -2880,7 +2880,7 @@ matrix_sygnal_enabled: false # If someone instals Prometheus via the playbook, they most likely wish to monitor Sygnal. matrix_sygnal_metrics_prometheus_enabled: "{{ matrix_prometheus_enabled }}" -matrix_sygnal_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':6000') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_sygnal_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '6000') if matrix_playbook_service_host_bind_interface_prefix else '' }}" ###################################################################### # 
@@ -2896,7 +2896,7 @@ matrix_sygnal_container_http_host_bind_port: "{{ (matrix_playbook_service_host_b matrix_ntfy_enabled: false -matrix_ntfy_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':2586') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_ntfy_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '2586') if matrix_playbook_service_host_bind_interface_prefix else '' }}" ###################################################################### # @@ -2933,7 +2933,7 @@ matrix_client_element_container_image_self_build: "{{ matrix_architecture not in # Normally, matrix-nginx-proxy is enabled and nginx can reach Element over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the Element HTTP port to the local host. -matrix_client_element_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8765') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_client_element_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8765') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_client_element_default_hs_url: "{{ matrix_homeserver_url }}" matrix_client_element_default_is_url: "{{ matrix_identity_server_url }}" 
@@ -2978,7 +2978,7 @@ matrix_client_hydrogen_container_image_self_build: "{{ matrix_architecture not i # Normally, matrix-nginx-proxy is enabled and nginx can reach Hydrogen over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the HTTP port to the local host. -matrix_client_hydrogen_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8768') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_client_hydrogen_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8768') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_client_hydrogen_default_hs_url: "{{ matrix_homeserver_url }}" @@ -3003,7 +3003,7 @@ matrix_client_cinny_container_image_self_build: "{{ matrix_architecture not in [ # Normally, matrix-nginx-proxy is enabled and nginx can reach Cinny over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the HTTP port to the local host. -matrix_client_cinny_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8080') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_client_cinny_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8080') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_client_cinny_default_hs_url: "{{ matrix_homeserver_url }}" 
@@ -3032,10 +3032,10 @@ matrix_synapse_account_threepid_delegates_msisdn: "{{ 'http://matrix-ma1sd:' + m matrix_synapse_container_federation_api_tls_host_bind_port: "{{ matrix_federation_public_port if (matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled) else '' }}" # # For exposing the Synapse Metrics API's port (plain HTTP) to the local host. -matrix_synapse_container_metrics_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9100') if matrix_synapse_metrics_enabled and matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_synapse_container_metrics_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9100') if matrix_synapse_metrics_enabled and matrix_playbook_service_host_bind_interface_prefix else '' }}" # # For exposing the Synapse Manhole port (plain HTTP) to the local host. -matrix_synapse_container_manhole_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9000') if matrix_synapse_metrics_enabled and matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_synapse_container_manhole_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9000') if matrix_synapse_metrics_enabled and matrix_playbook_service_host_bind_interface_prefix else '' }}" # # For exposing the Synapse worker (and metrics) ports to the local host. matrix_synapse_workers_container_host_bind_address: "{{ matrix_playbook_service_host_bind_interface_prefix[0:-1] if (matrix_synapse_workers_enabled and matrix_playbook_service_host_bind_interface_prefix) else '' }}" 
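Review bot: The `matrix_synapse_container_manhole_api_host_bind_port` line still conditions host exposure of this port on `matrix_synapse_metrics_enabled`, so anyone turning on metrics with a bind prefix set also gets the manhole port published on that interface. If this variable does control Synapse's manhole (the name suggests so, and the manhole is an interactive shell into the running process), it deserves its own opt-in, defaulting to off, rather than riding on the metrics flag; at minimum a comment on the line explaining why the two are coupled, e.g. `# NOTE: exposed together with the metrics port on purpose — <reason>`. The colon fix on both lines is consistent with the `[0:-1]` slice on the workers line just below, which shows the prefix already ends in `:`.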
@@ -3127,8 +3127,8 @@ matrix_synapse_reverse_proxy_companion_enabled: "{{ matrix_synapse_enabled }}" matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb: "{{ matrix_synapse_max_upload_size_mb }}" -matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8008') if matrix_playbook_service_host_bind_interface_prefix else '' }}" -matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8048') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8008') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8048') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_synapse_reverse_proxy_companion_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}" matrix_synapse_reverse_proxy_companion_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}" @@ -3161,7 +3161,7 @@ matrix_synapse_admin_enabled: false matrix_synapse_admin_nginx_proxy_integration_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" -matrix_synapse_admin_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8766') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_synapse_admin_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8766') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_synapse_admin_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" 
@@ -3276,7 +3276,7 @@ matrix_prometheus_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach Prometheus over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # Prometheus' HTTP port to the local host. -matrix_prometheus_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':99090005') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_prometheus_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9090') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_prometheus_scraper_synapse_enabled: "{{ matrix_synapse_enabled and matrix_synapse_metrics_enabled }}" matrix_prometheus_scraper_synapse_targets: ['matrix-synapse:{{ matrix_synapse_metrics_port }}'] @@ -3313,7 +3313,7 @@ matrix_grafana_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach Grafana over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # Grafana's HTTP port to the local host. -matrix_grafana_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':3000') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_grafana_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '3000') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_grafana_dashboard_download_urls: | {{ 
@@ -3352,7 +3352,7 @@ matrix_registration_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-registration over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-registration's HTTP port to the local host. -matrix_registration_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8767') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_registration_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8767') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_registration_riot_instance: "{{ ('https://' + matrix_server_fqn_element) if matrix_client_element_enabled else 'https://riot.im/app/' }}" @@ -3403,7 +3403,7 @@ matrix_dendrite_enabled: "{{ matrix_homeserver_implementation == 'dendrite' }}" # you can expose Dendrite's ports to the host. # # For exposing Dendrite's plain HTTP server to the local host. -matrix_dendrite_container_http_host_bind_address: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':' ~ matrix_dendrite_http_bind_port | string) if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_dendrite_container_http_host_bind_address: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ matrix_dendrite_http_bind_port | string) if matrix_playbook_service_host_bind_interface_prefix else '' }}" # # For exposing Dendrite's HTTPS server to the local host. matrix_dendrite_container_https_host_bind_address: "{{ '' if not matrix_dendrite_https_bind_port or not matrix_playbook_service_host_bind_interface_prefix else (matrix_playbook_service_host_bind_interface_prefix + matrix_dendrite_https_bind_port | string) }}" 
@@ -3543,7 +3543,7 @@ matrix_user_verification_service_systemd_required_services_list: | # If Jitsi is not managed by this playbook, or you otherwise have a need for it, you can expose # matrix-user-verfification-services's client-server port to port 3003. # By default Matrix-User-Verification-Service binds to port 3000, which collides with grafana, therefore this uses port 3003. -matrix_user_verification_service_container_http_host_bind_port: "{{ '' if (matrix_jitsi_enabled | bool and matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix') else matrix_playbook_service_host_bind_interface_prefix ~ ':3003' }}" +matrix_user_verification_service_container_http_host_bind_port: "{{ '' if (matrix_jitsi_enabled | bool and matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix') else matrix_playbook_service_host_bind_interface_prefix ~ '3003' }}" # URL exposed in the docker network matrix_user_verification_service_container_url: "http://{{ matrix_user_verification_service_container_name }}:3000" From 9f820a506aab53f3e13552ad07f6c0d969b865ed Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Mon, 13 Feb 2023 14:08:09 +0000 Subject: [PATCH 408/915] Update postmoogle 0.9.12 -> 0.9.13 * live SSL certificates reload on file changes (e.g., on automatic certs renewal) * print all errors when trying connection to an SMTP server --- roles/custom/matrix-bot-postmoogle/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-postmoogle/defaults/main.yml b/roles/custom/matrix-bot-postmoogle/defaults/main.yml index 9f3dad24b..b3b12fef3 100644 --- a/roles/custom/matrix-bot-postmoogle/defaults/main.yml +++ b/roles/custom/matrix-bot-postmoogle/defaults/main.yml 
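Review bot: The `matrix_user_verification_service_container_http_host_bind_port` line is the only one in this patch without the `if matrix_playbook_service_host_bind_interface_prefix else ''` guard: when the prefix is empty (the case where nothing should be exposed) it renders a bare `3003`, and a bare port handed to a Docker port publish binds on all interfaces. Suggest `"{{ '' if (matrix_jitsi_enabled | bool and matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix') or not matrix_playbook_service_host_bind_interface_prefix else matrix_playbook_service_host_bind_interface_prefix ~ '3003' }}"`. Whether the value actually reaches a `-p` flag depends on the role's service template, which is outside this hunk. The comment above the line also misspells the service name (`verfification`).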
@@ -9,7 +9,7 @@ matrix_bot_postmoogle_docker_repo: "https://gitlab.com/etke.cc/postmoogle.git" matrix_bot_postmoogle_docker_repo_version: "{{ 'main' if matrix_bot_postmoogle_version == 'latest' else matrix_bot_postmoogle_version }}" matrix_bot_postmoogle_docker_src_files_path: "{{ matrix_base_data_path }}/postmoogle/docker-src" -matrix_bot_postmoogle_version: v0.9.12 +matrix_bot_postmoogle_version: v0.9.13 matrix_bot_postmoogle_docker_image: "{{ matrix_bot_postmoogle_docker_image_name_prefix }}etke.cc/postmoogle:{{ matrix_bot_postmoogle_version }}" matrix_bot_postmoogle_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_postmoogle_container_image_self_build else 'registry.gitlab.com/' }}" matrix_bot_postmoogle_docker_image_force_pull: "{{ matrix_bot_postmoogle_docker_image.endswith(':latest') }}" From b2d8718233006f1365b604a11ec2cfaf13c625ab Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 13 Feb 2023 16:08:51 +0200 Subject: [PATCH 409/915] Fix synapse-admin reverse-proxying regression for "playbook-managed-nginx" Regression since 3d9aa8387e4adc3 --- group_vars/matrix_servers | 2 ++ 1 file changed, 2 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index cabc149a1..a1a5f797d 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -3165,6 +3165,8 @@ matrix_synapse_admin_container_http_host_bind_port: "{{ (matrix_playbook_service matrix_synapse_admin_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" +matrix_synapse_admin_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-synapse-admin' }}" + matrix_synapse_admin_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" matrix_synapse_admin_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" From f2ed5e4b0499a24b8b51e7e524800b1993c26cdb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 13 Feb 2023 18:28:03 +0200 Subject: [PATCH 410/915] Delete /matrix/nginx-proxy/conf.d/matrix-client-element.conf if matrix_nginx_proxy_proxy_element_enabled not enabled --- roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 31ff68f25..5aa635979 100644 --- a/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -261,6 +261,12 @@ state: absent when: "not matrix_nginx_proxy_proxy_riot_compat_redirect_enabled | bool" +- name: Ensure Matrix nginx-proxy configuration for Element domain deleted + ansible.builtin.file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-element.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_element_enabled | bool" + - name: Ensure Matrix nginx-proxy configuration for Hydrogen domain deleted ansible.builtin.file: path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-hydrogen.conf" 
From e51e4eec097d5e6976b8083e3a4600d0b3184e0b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 13 Feb 2023 18:33:06 +0200 Subject: [PATCH 411/915] Add (native) Traefik support to matrix-client-element Previously, it had to go through matrix-nginx-proxy. It's exposed to Traefik directly via container labels now --- group_vars/matrix_servers | 11 +++++-- .../matrix-client-element/defaults/main.yml | 29 +++++++++++++++++++ .../tasks/setup_install.yml | 6 ++++ .../tasks/setup_uninstall.yml | 2 +- .../matrix-client-element/templates/labels.j2 | 19 ++++++++++++ .../systemd/matrix-client-element.service.j2 | 14 +++++++-- .../matrix-nginx-proxy/defaults/main.yml | 5 ---- .../matrix-nginx-proxy/templates/labels.j2 | 12 -------- .../matrix-synapse-admin/defaults/main.yml | 4 +-- 9 files changed, 77 insertions(+), 25 deletions(-) create mode 100644 roles/custom/matrix-client-element/templates/labels.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index a1a5f797d..ca0460401 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2378,7 +2378,7 @@ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "{{ matrix_server_fqn_element if matrix_client_element_enabled else '' }}" matrix_nginx_proxy_proxy_matrix_enabled: true -matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}" +matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}" matrix_nginx_proxy_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled }}" matrix_nginx_proxy_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled }}" 
@@ -2398,7 +2398,6 @@ matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_playbook_ matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true -matrix_nginx_proxy_container_labels_traefik_proxy_element_enabled: "{{ matrix_client_element_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled }}" @@ -2935,6 +2934,14 @@ matrix_client_element_container_image_self_build: "{{ matrix_architecture not in # the Element HTTP port to the local host. matrix_client_element_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8765') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_client_element_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-client-element' }}" + +matrix_client_element_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" + +matrix_client_element_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" +matrix_client_element_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_client_element_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary if devture_traefik_enabled else '' }}" + matrix_client_element_default_hs_url: "{{ matrix_homeserver_url }}" matrix_client_element_default_is_url: "{{ matrix_identity_server_url }}" 
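Review bot: `matrix_client_element_container_labels_traefik_entrypoints` renders as an empty string whenever `devture_traefik_enabled` is false, yet `matrix_client_element_container_labels_traefik_enabled` is also true for `other-traefik-container`, so an externally managed Traefik receives a router label with no entrypoint. If Traefik treats an empty `entrypoints` label as unset, the router attaches to every entrypoint — a plain-HTTP one included — and `..._traefik_tls` still evaluates to true because `'' != 'web'`; please confirm how it behaves before relying on the override. A comment on the line such as `# With your own Traefik, set this to the entrypoint that should serve Element` would at least tell operators the override is mandatory.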
diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml
index 85d8d6cfa..82097e1c8 100644
--- a/roles/custom/matrix-client-element/defaults/main.yml
+++ b/roles/custom/matrix-client-element/defaults/main.yml
@@ -18,11 +18,40 @@ matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_ matrix_client_element_data_path: "{{ matrix_base_data_path }}/client-element" matrix_client_element_docker_src_files_path: "{{ matrix_client_element_data_path }}/docker-src" +# The base container network +matrix_client_element_container_network: matrix-client-element + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to a reverse proxy, which runs in a different container network. +matrix_client_element_container_additional_networks: [] + # Controls whether the matrix-client-element container exposes its HTTP port (tcp/8080 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8765"), or empty string to not expose. matrix_client_element_container_http_host_bind_port: '' +# matrix_client_element_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_client_element_container_labels_additional_labels`. 
+matrix_client_element_container_labels_traefik_enabled: true +matrix_client_element_container_labels_traefik_docker_network: "{{ matrix_client_element_container_network }}" +matrix_client_element_container_labels_traefik_hostname: "{{ matrix_server_fqn_element }}" +matrix_client_element_container_labels_traefik_rule: "Host(`{{ matrix_client_element_container_labels_traefik_hostname }}`)" +matrix_client_element_container_labels_traefik_entrypoints: web-secure +matrix_client_element_container_labels_traefik_tls: "{{ matrix_client_element_container_labels_traefik_entrypoints != 'web' }}" +matrix_client_element_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_client_element_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_client_element_container_labels_additional_labels: '' + # A list of extra arguments to pass to the container matrix_client_element_container_extra_arguments: [] diff --git a/roles/custom/matrix-client-element/tasks/setup_install.yml b/roles/custom/matrix-client-element/tasks/setup_install.yml index 813b4da04..fc0532db6 100644 --- a/roles/custom/matrix-client-element/tasks/setup_install.yml +++ b/roles/custom/matrix-client-element/tasks/setup_install.yml @@ -84,6 +84,7 @@ group: "{{ matrix_user_groupname }}" with_items: - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} + - {src: "{{ role_path }}/templates/labels.j2", name: "labels"} - {src: "{{ matrix_client_element_page_template_welcome_path }}", name: "welcome.html"} - {src: "{{ matrix_client_element_embedded_pages_home_path }}", name: "home.html"} when: "item.src is not none" 
@@ -96,6 +97,11 @@ - {src: "{{ matrix_client_element_embedded_pages_home_path }}", name: "home.html"} when: "item.src is none" +- name: Ensure Element container network is created + community.general.docker_network: + name: "{{ matrix_client_element_container_network }}" + driver: bridge + - name: Ensure matrix-client-element.service installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-client-element.service.j2" diff --git a/roles/custom/matrix-client-element/tasks/setup_uninstall.yml b/roles/custom/matrix-client-element/tasks/setup_uninstall.yml index e1b25caa6..e0930cc11 100644 --- a/roles/custom/matrix-client-element/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-client-element/tasks/setup_uninstall.yml @@ -19,7 +19,7 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-element.service" state: absent - - name: Ensure Element paths doesn't exist + - name: Ensure Element path doesn't exist ansible.builtin.file: path: "{{ matrix_client_element_data_path }}" state: absent diff --git a/roles/custom/matrix-client-element/templates/labels.j2 b/roles/custom/matrix-client-element/templates/labels.j2 new file mode 100644 index 000000000..85df036f9 --- /dev/null +++ b/roles/custom/matrix-client-element/templates/labels.j2 
@@ -0,0 +1,19 @@
+{% if matrix_client_element_container_labels_traefik_enabled %}
+traefik.enable=true
+
+{% if matrix_client_element_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_client_element_container_labels_traefik_docker_network }}
+{% endif %}
+
+traefik.http.routers.matrix-client-element.rule={{ matrix_client_element_container_labels_traefik_rule }}
+traefik.http.routers.matrix-client-element.service=matrix-client-element
+traefik.http.routers.matrix-client-element.entrypoints={{ matrix_client_element_container_labels_traefik_entrypoints }}
+traefik.http.routers.matrix-client-element.tls={{ matrix_client_element_container_labels_traefik_tls | to_json }}
+{% if matrix_client_element_container_labels_traefik_tls %}
+traefik.http.routers.matrix-client-element.tls.certResolver={{ matrix_client_element_container_labels_traefik_tls_certResolver }}
+{% endif %}
+
+traefik.http.services.matrix-client-element.loadbalancer.server.port=8080
+{% endif %}
+
+{{ matrix_client_element_container_labels_additional_labels }}
diff --git a/roles/custom/matrix-client-element/templates/systemd/matrix-client-element.service.j2 b/roles/custom/matrix-client-element/templates/systemd/matrix-client-element.service.j2
index be96cab78..bbb509896 100644
--- a/roles/custom/matrix-client-element/templates/systemd/matrix-client-element.service.j2
+++ b/roles/custom/matrix-client-element/templates/systemd/matrix-client-element.service.j2
@@ -13,15 +13,18 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-client-element 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-client-element 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-client-element \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-client-element \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_client_element_container_network }} \ {% if matrix_client_element_container_http_host_bind_port %} -p {{ matrix_client_element_container_http_host_bind_port }}:8080 \ {% endif %} + --label-file={{ matrix_client_element_data_path }}/labels \ --tmpfs=/tmp:rw,noexec,nosuid,size=10m \ --mount type=bind,src={{ matrix_client_element_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ --mount type=bind,src={{ matrix_client_element_data_path }}/config.json,dst=/app/config.json,ro \ 
@@ -38,8 +41,15 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {% endfor %} {{ matrix_client_element_docker_image }} +{% for network in matrix_client_element_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-client-element +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-client-element + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-client-element 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-client-element 2>/dev/null || true' + Restart=always RestartSec=30 SyslogIdentifier=matrix-client-element diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index 4ce7e9230..b443cc728 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml 
@@ -61,11 +61,6 @@ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule: "Host(`{{ matrix_ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint: "{{ matrix_federation_traefik_entrypoint }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints: "{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint }}" -matrix_nginx_proxy_container_labels_traefik_proxy_element_enabled: false -matrix_nginx_proxy_container_labels_traefik_proxy_element_hostname: "{{ matrix_server_fqn_element }}" -matrix_nginx_proxy_container_labels_traefik_proxy_element_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" -matrix_nginx_proxy_container_labels_traefik_proxy_element_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_element_hostname }}`)" - matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_enabled: false matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}" matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2 index b6994617b..d629ce00d 100644 --- a/roles/custom/matrix-nginx-proxy/templates/labels.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2 
@@ -39,18 +39,6 @@ traefik.http.routers.matrix-nginx-proxy-matrix-federation.entrypoints={{ matrix_ {% endif %} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_element_enabled %} -# Element -traefik.http.routers.matrix-nginx-proxy-element.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_element_rule }} -traefik.http.routers.matrix-nginx-proxy-element.service=matrix-nginx-proxy-web -traefik.http.routers.matrix-nginx-proxy-element.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_element_tls | to_json }} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_element_tls %} -traefik.http.routers.matrix-nginx-proxy-element.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} -{% endif %} -traefik.http.routers.matrix-nginx-proxy-element.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} -{% endif %} - - {% if matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_enabled %} # Hydrogen traefik.http.routers.matrix-nginx-proxy-hydrogen.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_rule }} diff --git a/roles/custom/matrix-synapse-admin/defaults/main.yml b/roles/custom/matrix-synapse-admin/defaults/main.yml index b95632a72..11b898186 100644 --- a/roles/custom/matrix-synapse-admin/defaults/main.yml +++ b/roles/custom/matrix-synapse-admin/defaults/main.yml 
@@ -24,9 +24,7 @@ matrix_synapse_admin_container_network: matrix-synapse-admin # A list of additional container networks that the container would be connected to. # The role does not create these networks, so make sure they already exist. -# -# Use this to expose this container to another reverse proxy, which runs in a different container network, -# without exposing all other container services to that other reverse-proxy. +# Use this to expose this container to a reverse proxy, which runs in a different container network. matrix_synapse_admin_container_additional_networks: [] # A list of extra arguments to pass to the container From e34174b1b4350b180d0922a38efe1c447da473d5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 13 Feb 2023 19:03:10 +0200 Subject: [PATCH 412/915] Add various security headers to matrix-client-element when behind Traefik --- .../matrix-client-element/defaults/main.yml | 66 +++++++++++++++++++ .../matrix-client-element/templates/labels.j2 | 12 ++++ 2 files changed, 78 insertions(+) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 82097e1c8..890bc4736 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml 
@@ -43,6 +43,72 @@ matrix_client_element_container_labels_traefik_entrypoints: web-secure matrix_client_element_container_labels_traefik_tls: "{{ matrix_client_element_container_labels_traefik_entrypoints != 'web' }}" matrix_client_element_container_labels_traefik_tls_certResolver: default # noqa var-naming +# Controls which additional headers to attach to all HTTP responses. +# To add your own headers, use `matrix_client_element_container_labels_traefik_additional_response_headers_custom` +matrix_client_element_container_labels_traefik_additional_response_headers: "{{ matrix_client_element_container_labels_traefik_additional_response_headers_auto | combine(matrix_client_element_container_labels_traefik_additional_response_headers_custom) }}" +matrix_client_element_container_labels_traefik_additional_response_headers_auto: | + {{ + {} + | combine ({'X-XSS-Protection': matrix_client_element_http_header_xss_protection} if matrix_client_element_http_header_xss_protection else {}) + | combine ({'X-Frame-Options': matrix_client_element_http_header_frame_options} if matrix_client_element_http_header_frame_options else {}) + | combine ({'X-Content-Type-Options': matrix_client_element_http_header_content_type_options} if matrix_client_element_http_header_content_type_options else {}) + | combine ({'Content-Security-Policy': matrix_client_element_http_header_content_security_policy} if matrix_client_element_http_header_content_security_policy else {}) + | combine ({'Permission-Policy': matrix_client_element_http_header_content_permission_policy} if matrix_client_element_http_header_content_permission_policy else {}) + | combine ({'Strict-Transport-Security': matrix_client_element_http_header_strict_transport_security} if matrix_client_element_http_header_strict_transport_security and matrix_client_element_container_labels_traefik_tls else {}) + }} +matrix_client_element_container_labels_traefik_additional_response_headers_custom: {} + +# Specifies the value of the 
`X-XSS-Protection` header +# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. +# +# Learn more about it is here: +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection +# - https://portswigger.net/web-security/cross-site-scripting/reflected +matrix_client_element_http_header_xss_protection: "1; mode=block" + +# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options +matrix_client_element_http_header_frame_options: SAMEORIGIN + +# Specifies the value of the `X-Content-Type-Options` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options +matrix_client_element_http_header_content_type_options: nosniff + +# Specifies the value of the `Content-Security-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy +matrix_client_element_http_header_content_security_policy: frame-ancestors 'self' + +# Specifies the value of the `Permission-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy +matrix_client_element_http_header_content_permission_policy: "{{ 'interest-cohort=() always' if matrix_client_element_floc_optout_enabled else '' }}" + +# Specifies the value of the `Strict-Transport-Security` header. 
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +matrix_client_element_http_header_strict_transport_security: "{{ '\"max-age=31536000; includeSubDomains; preload\" always' if matrix_client_element_hsts_preload_enabled else '\"max-age=31536000; includeSubDomains\" always' }}" + +# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses +# +# Learn more about what it is here: +# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea +# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network +# - https://amifloced.org/ +# +# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. +# See: `matrix_client_element_content_permission_policy` +matrix_client_element_floc_optout_enabled: true + +# Controls if HSTS preloading is enabled +# +# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and +# indicates a willingness to be "preloaded" into browsers: +# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` +# For more information visit: +# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +# - https://hstspreload.org/#opt-in +# See: `matrix_client_element_http_header_strict_transport_security` +matrix_client_element_hsts_preload_enabled: false + # matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. # See `../templates/labels.j2` for details. # diff --git a/roles/custom/matrix-client-element/templates/labels.j2 b/roles/custom/matrix-client-element/templates/labels.j2 index 85df036f9..5f5cd7516 100644 --- a/roles/custom/matrix-client-element/templates/labels.j2 +++ b/roles/custom/matrix-client-element/templates/labels.j2 
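Review bot: The header key `'Permission-Policy'` in `matrix_client_element_container_labels_traefik_additional_response_headers_auto` is misspelled — the header browsers honour is `Permissions-Policy` (the comment on `matrix_client_element_floc_optout_enabled` spells it that way), so the opt-out this hunk configures is never applied; the same misspelled key is copied into the synapse-admin defaults in the `@@ -44,6 +49,21 @@` hunk of PATCH 416. The defaults for that header and for `matrix_client_element_http_header_strict_transport_security` also carry nginx `add_header` syntax (`'interest-cohort=() always'`, `'\"max-age=31536000; includeSubDomains\" always'`): Traefik's `customresponseheaders` emits the value verbatim, so the literal quotes and the trailing ` always` become part of the header and the HSTS value is no longer a valid directive list. The values should be `interest-cohort=()` and `max-age=31536000; includeSubDomains` (with `; preload` appended when `matrix_client_element_hsts_preload_enabled` is set). Minor: the comment `See: matrix_client_element_content_permission_policy` names a variable that does not exist; it should read `matrix_client_element_http_header_content_permission_policy`.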
@@ -5,8 +5,20 @@ traefik.enable=true traefik.docker.network={{ matrix_client_element_container_labels_traefik_docker_network }} {% endif %} +{% set middlewares = [] %} + +{% if matrix_client_element_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_client_element_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-client-element-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-client-element-add-headers'] %} +{% endif %} + traefik.http.routers.matrix-client-element.rule={{ matrix_client_element_container_labels_traefik_rule }} traefik.http.routers.matrix-client-element.service=matrix-client-element +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-client-element.middlewares={{ middlewares | join(',') }} +{% endif %} traefik.http.routers.matrix-client-element.entrypoints={{ matrix_client_element_container_labels_traefik_entrypoints }} traefik.http.routers.matrix-client-element.tls={{ matrix_client_element_container_labels_traefik_tls | to_json }} {% if matrix_client_element_container_labels_traefik_tls %} From ff1338e0036e4d97fcb7d41d584afdb78449fe5c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 14 Feb 2023 08:31:26 +0200 Subject: [PATCH 413/915] Add support for hosting Element (on Traefik) at a subpath --- .../matrix-client-element/defaults/main.yml | 4 +++- .../tasks/validate_config.yml | 20 +++++++++++++++++++ .../matrix-client-element/templates/labels.j2 | 11 ++++++++++ 3 files changed, 34 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 890bc4736..3ebed0561 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml 
@@ -38,7 +38,9 @@ matrix_client_element_container_http_host_bind_port: '' matrix_client_element_container_labels_traefik_enabled: true matrix_client_element_container_labels_traefik_docker_network: "{{ matrix_client_element_container_network }}" matrix_client_element_container_labels_traefik_hostname: "{{ matrix_server_fqn_element }}" -matrix_client_element_container_labels_traefik_rule: "Host(`{{ matrix_client_element_container_labels_traefik_hostname }}`)" +# The path prefix must either be `/` or not end with a slash (e.g. `/element`). +matrix_client_element_container_labels_traefik_path_prefix: / +matrix_client_element_container_labels_traefik_rule: "Host(`{{ matrix_client_element_container_labels_traefik_hostname }}`){% if matrix_client_element_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_client_element_container_labels_traefik_path_prefix }}`){% endif %}" matrix_client_element_container_labels_traefik_entrypoints: web-secure matrix_client_element_container_labels_traefik_tls: "{{ matrix_client_element_container_labels_traefik_entrypoints != 'web' }}" matrix_client_element_container_labels_traefik_tls_certResolver: default # noqa var-naming diff --git a/roles/custom/matrix-client-element/tasks/validate_config.yml b/roles/custom/matrix-client-element/tasks/validate_config.yml index 0e252db80..658542fb7 100644 --- a/roles/custom/matrix-client-element/tasks/validate_config.yml +++ b/roles/custom/matrix-client-element/tasks/validate_config.yml 
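Review bot: The new `PathPrefix(`{{ matrix_client_element_container_labels_traefik_path_prefix }}`)` clause matches on a plain string prefix, so with `/element` it would, as far as I know of Traefik's matcher, also route `/elementfoo` and hand it to the strip-prefix middleware as `/foo`; if that matters, a rule of the form `PathPrefix(`{{ prefix }}/`) || Path(`{{ prefix }}`)` confines it to the intended subtree. The Element rule also differs from the synapse-admin rule in the same series, which passes the prefix through `| quote` inside the backticks; the two roles should agree on one form so the behaviour is the same for unusual prefixes.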
@@ -26,3 +26,23 @@ when: "vars | dict2items | selectattr('key', 'match', item.old) | list | items2dict" with_items: - {'old': 'matrix_riot_web_.*', 'new': 'matrix_client_element_.*'} + +- when: matrix_client_element_container_labels_traefik_enabled | bool + block: + - name: Fail if required matrix-client-element Traefik settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - matrix_synapse_admin_container_labels_traefik_hostname + - matrix_client_element_container_labels_traefik_path_prefix + + # We ensure it doesn't end with a slash, because we handle both (slash and no-slash). + # Knowing that `matrix_client_element_container_labels_traefik_path_prefix` does not end with a slash + # ensures we know how to set these routes up without having to do "does it end with a slash" checks elsewhere. + - name: Fail if matrix_client_element_container_labels_traefik_path_prefix ends with a slash + ansible.builtin.fail: + msg: >- + matrix_client_element_container_labels_traefik_path_prefix (`{{ matrix_client_element_container_labels_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/element`). + when: "matrix_client_element_container_labels_traefik_path_prefix != '/' and matrix_client_element_container_labels_traefik_path_prefix[-1] == '/'" diff --git a/roles/custom/matrix-client-element/templates/labels.j2 b/roles/custom/matrix-client-element/templates/labels.j2 index 5f5cd7516..33fb28e13 100644 --- a/roles/custom/matrix-client-element/templates/labels.j2 +++ b/roles/custom/matrix-client-element/templates/labels.j2 
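Review bot: The required-settings check in the new block tests `matrix_synapse_admin_container_labels_traefik_hostname` — a variable of the synapse-admin role — instead of `matrix_client_element_container_labels_traefik_hostname`, so an empty Element hostname is never rejected and `vars[item]` would presumably raise an undefined-variable error when the synapse-admin role is not part of the play. The `with_items` entry should read `- matrix_client_element_container_labels_traefik_hostname`. The trailing-slash check below it is correct and consistent with the synapse-admin variant in PATCH 414.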
@@ -7,6 +7,17 @@ traefik.docker.network={{ matrix_client_element_container_labels_traefik_docker_ {% set middlewares = [] %} +{% if matrix_client_element_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-client-element-slashless-redirect.redirectregex.regex=({{ matrix_client_element_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-client-element-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-client-element-slashless-redirect'] %} +{% endif %} + +{% if matrix_client_element_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-client-element-strip-prefix.stripprefix.prefixes={{ matrix_client_element_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-client-element-strip-prefix'] %} +{% endif %} + {% if matrix_client_element_container_labels_traefik_additional_response_headers.keys() | length > 0 %} {% for name, value in matrix_client_element_container_labels_traefik_additional_response_headers.items() %} traefik.http.middlewares.matrix-client-element-add-headers.headers.customresponseheaders.{{ name }}={{ value }} From 5ab5f28d14c442091192c7c0ad3d4a64f64003d6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 14 Feb 2023 08:42:50 +0200 Subject: [PATCH 414/915] Add support for running synapse-admin (on Traefik) at the root path Previously, we had to run it at a subpath, like `/synapse-admin`. We can now dedicate a whole domain and the `/` path to it, should we wish to do so. --- .../custom/matrix-synapse-admin/defaults/main.yml | 4 ++-- .../matrix-synapse-admin/tasks/validate_config.yml | 5 ++--- .../matrix-synapse-admin/templates/labels.j2 | 14 ++++++++++++-- 3 files changed, 16 insertions(+), 7 deletions(-) diff --git a/roles/custom/matrix-synapse-admin/defaults/main.yml b/roles/custom/matrix-synapse-admin/defaults/main.yml index 11b898186..cb64b5490 100644 
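Review bot: The `| quote` filter applied to the path prefix in the new `redirectregex.regex` line is Ansible's shell-quoting filter, not a regex escape: for `/element` it is a no-op, but a prefix containing regex metacharacters is left unescaped, and one containing shell-special characters is wrapped in single quotes, which corrupts the pattern. The matching filter is `regex_escape`, i.e. `traefik.http.middlewares.matrix-client-element-slashless-redirect.redirectregex.regex=({{ matrix_client_element_container_labels_traefik_path_prefix | regex_escape }})$`. The same `| quote` form sits in the unchanged context lines of the synapse-admin template's `@@ -5,13 +5,23 @@` hunk in PATCH 414 and would benefit from the same change. As a style nit, the two consecutive `{% if ... != '/' %}` blocks share one condition and could be merged.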
--- a/roles/custom/matrix-synapse-admin/defaults/main.yml +++ b/roles/custom/matrix-synapse-admin/defaults/main.yml @@ -37,9 +37,9 @@ matrix_synapse_admin_container_extra_arguments: [] matrix_synapse_admin_container_labels_traefik_enabled: true matrix_synapse_admin_container_labels_traefik_docker_network: "{{ matrix_synapse_admin_container_network }}" matrix_synapse_admin_container_labels_traefik_hostname: "{{ matrix_server_fqn_matrix }}" -# The path prefix must not end with a slash +# The path prefix must either be `/` or not end with a slash (e.g. `/synapse-admin`). matrix_synapse_admin_container_labels_traefik_path_prefix: /synapse-admin -matrix_synapse_admin_container_labels_traefik_rule: "Host(`{{ matrix_synapse_admin_container_labels_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_admin_container_labels_traefik_path_prefix | quote }}`)" +matrix_synapse_admin_container_labels_traefik_rule: "Host(`{{ matrix_synapse_admin_container_labels_traefik_hostname }}`){% if matrix_synapse_admin_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_synapse_admin_container_labels_traefik_path_prefix | quote }}`){% endif %}" matrix_synapse_admin_container_labels_traefik_entrypoints: web-secure matrix_synapse_admin_container_labels_traefik_tls: "{{ matrix_synapse_admin_container_labels_traefik_entrypoints != 'web' }}" matrix_synapse_admin_container_labels_traefik_tls_certResolver: default # noqa var-naming diff --git a/roles/custom/matrix-synapse-admin/tasks/validate_config.yml b/roles/custom/matrix-synapse-admin/tasks/validate_config.yml index 41f19b751..482435554 100644 --- a/roles/custom/matrix-synapse-admin/tasks/validate_config.yml +++ b/roles/custom/matrix-synapse-admin/tasks/validate_config.yml 
@@ -28,6 +28,5 @@ - name: Fail if matrix_synapse_admin_container_labels_traefik_path_prefix ends with a slash ansible.builtin.fail: msg: >- - matrix_synapse_admin_container_labels_traefik_path_prefix (`{{ matrix_synapse_admin_container_labels_traefik_path_prefix }}`) must not end with a slash. - Example: `/synapse-admin`. - when: "matrix_synapse_admin_container_labels_traefik_path_prefix[-1] == '/'" + matrix_synapse_admin_container_labels_traefik_path_prefix (`{{ matrix_synapse_admin_container_labels_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/synapse-admin`). + when: "matrix_synapse_admin_container_labels_traefik_path_prefix != '/' and matrix_synapse_admin_container_labels_traefik_path_prefix[-1] == '/'" diff --git a/roles/custom/matrix-synapse-admin/templates/labels.j2 b/roles/custom/matrix-synapse-admin/templates/labels.j2 index 772fdad80..c70892a8c 100644 --- a/roles/custom/matrix-synapse-admin/templates/labels.j2 +++ b/roles/custom/matrix-synapse-admin/templates/labels.j2 
@@ -5,13 +5,23 @@ traefik.enable=true traefik.docker.network={{ matrix_synapse_admin_container_labels_traefik_docker_network }} {% endif %} +{% set middlewares = [] %} + +{% if matrix_synapse_admin_container_labels_traefik_path_prefix != '/' %} traefik.http.middlewares.matrix-synapse-admin-slashless-redirect.redirectregex.regex=({{ matrix_synapse_admin_container_labels_traefik_path_prefix | quote }})$ traefik.http.middlewares.matrix-synapse-admin-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-synapse-admin-slashless-redirect'] %} +{% endif %} -traefik.http.middlewares.matrix-synapse-admin-replacepath.replacepath.path=/ +{% if matrix_synapse_admin_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-synapse-admin-strip-prefix.stripprefix.prefixes={{ matrix_synapse_admin_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-synapse-admin-strip-prefix'] %} +{% endif %} traefik.http.routers.matrix-synapse-admin.rule={{ matrix_synapse_admin_container_labels_traefik_rule }} -traefik.http.routers.matrix-synapse-admin.middlewares=matrix-synapse-admin-slashless-redirect,matrix-synapse-admin-replacepath +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-synapse-admin.middlewares={{ middlewares | join(',') }} +{% endif %} traefik.http.routers.matrix-synapse-admin.service=matrix-synapse-admin traefik.http.routers.matrix-synapse-admin.entrypoints={{ matrix_synapse_admin_container_labels_traefik_entrypoints }} traefik.http.routers.matrix-synapse-admin.tls={{ matrix_synapse_admin_container_labels_traefik_tls | to_json }} From 71597132e0d8efac9456ecd984f0750cc62e7d43 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 14 Feb 2023 08:45:32 +0200 Subject: [PATCH 415/915] Move around some matrix-client-element variables --- .../matrix-client-element/defaults/main.yml | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) 
diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 3ebed0561..500c5b471 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml @@ -60,6 +60,21 @@ matrix_client_element_container_labels_traefik_additional_response_headers_auto: }} matrix_client_element_container_labels_traefik_additional_response_headers_custom: {} +# matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_client_element_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_client_element_container_labels_additional_labels: '' + +# A list of extra arguments to pass to the container +matrix_client_element_container_extra_arguments: [] + +# List of systemd services that matrix-client-element.service depends on +matrix_client_element_systemd_required_services_list: ['docker.service'] + # Specifies the value of the `X-XSS-Protection` header # Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. # 
@@ -111,21 +126,6 @@ matrix_client_element_floc_optout_enabled: true # See: `matrix_client_element_http_header_strict_transport_security` matrix_client_element_hsts_preload_enabled: false -# matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. -# See `../templates/labels.j2` for details. -# -# Example: -# matrix_client_element_container_labels_additional_labels: | -# my.label=1 -# another.label="here" -matrix_client_element_container_labels_additional_labels: '' - -# A list of extra arguments to pass to the container -matrix_client_element_container_extra_arguments: [] - -# List of systemd services that matrix-client-element.service depends on -matrix_client_element_systemd_required_services_list: ['docker.service'] - # Element config.json customizations matrix_client_element_default_server_name: "{{ matrix_domain }}" matrix_client_element_default_hs_url: "" From c33ed94352e48be29d200a3ff12992a30c9efc39 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 14 Feb 2023 08:49:00 +0200 Subject: [PATCH 416/915] Add security headers to synapse-admin (on Traefik) We've had it on `matrix-nginx-proxy` before, but our initial support for Traefik did not include any of these security headers. --- .../matrix-synapse-admin/defaults/main.yml | 72 ++++++++++++++++++- .../matrix-synapse-admin/templates/labels.j2 | 7 ++ 2 files changed, 76 insertions(+), 3 deletions(-) diff --git a/roles/custom/matrix-synapse-admin/defaults/main.yml b/roles/custom/matrix-synapse-admin/defaults/main.yml index cb64b5490..f150bd359 100644 --- a/roles/custom/matrix-synapse-admin/defaults/main.yml +++ b/roles/custom/matrix-synapse-admin/defaults/main.yml 
@@ -27,6 +27,11 @@ matrix_synapse_admin_container_network: matrix-synapse-admin # Use this to expose this container to a reverse proxy, which runs in a different container network. matrix_synapse_admin_container_additional_networks: [] +# Controls whether the matrix-synapse-admin container exposes its HTTP port (tcp/80 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8766"), or empty string to not expose. +matrix_synapse_admin_container_http_host_bind_port: '' + # A list of extra arguments to pass to the container matrix_synapse_admin_container_extra_arguments: [] 
@@ -44,6 +49,21 @@ matrix_synapse_admin_container_labels_traefik_entrypoints: web-secure
 matrix_synapse_admin_container_labels_traefik_tls: "{{ matrix_synapse_admin_container_labels_traefik_entrypoints != 'web' }}"
 matrix_synapse_admin_container_labels_traefik_tls_certResolver: default # noqa var-naming
+# Controls which additional headers to attach to all HTTP responses.
+# To add your own headers, use `matrix_synapse_admin_container_labels_traefik_additional_response_headers_custom`
+matrix_synapse_admin_container_labels_traefik_additional_response_headers: "{{ matrix_synapse_admin_container_labels_traefik_additional_response_headers_auto | combine(matrix_synapse_admin_container_labels_traefik_additional_response_headers_custom) }}"
+matrix_synapse_admin_container_labels_traefik_additional_response_headers_auto: |
+ {{
+ {}
+ | combine ({'X-XSS-Protection': matrix_synapse_admin_http_header_xss_protection} if matrix_synapse_admin_http_header_xss_protection else {})
+ | combine ({'X-Frame-Options': matrix_synapse_admin_http_header_frame_options} if matrix_synapse_admin_http_header_frame_options else {})
+ | combine ({'X-Content-Type-Options': matrix_synapse_admin_http_header_content_type_options} if matrix_synapse_admin_http_header_content_type_options else {})
+ | combine ({'Content-Security-Policy': matrix_synapse_admin_http_header_content_security_policy} if matrix_synapse_admin_http_header_content_security_policy else {})
+ | combine ({'Permission-Policy': matrix_synapse_admin_http_header_content_permission_policy} if matrix_synapse_admin_http_header_content_permission_policy else {})
+ | combine ({'Strict-Transport-Security': matrix_synapse_admin_http_header_strict_transport_security} if matrix_synapse_admin_http_header_strict_transport_security and matrix_synapse_admin_container_labels_traefik_tls else {})
+ }}
+matrix_synapse_admin_container_labels_traefik_additional_response_headers_custom: {}
+
 
 # matrix_synapse_admin_container_labels_additional_labels
contains a multiline string with additional labels to add to the container label file.
 # See `../templates/labels.j2` for details.
 #
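Review bot: The map key `'Permission-Policy'` in `matrix_synapse_admin_container_labels_traefik_additional_response_headers_auto` is not the header name browsers recognise; the standard header is `Permissions-Policy` (the comment in the following hunk even writes it that way), so the FLoC opt-out this map exists to send goes out under a name nothing honours. Change the key to `'Permissions-Policy'`; the `# Specifies the value of the `Permission-Policy` header.` comment and MDN link in the next hunk presumably carry the same misspelling, and the matrix-client-hydrogen defaults hunk later on this page copies the same map and needs the same fix. A short comment on `_auto` noting that setting any `matrix_synapse_admin_http_header_*` variable to an empty string drops that header entirely would also help, since the `if ... else {}` chain is the only place that behaviour is expressed.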
@@ -59,10 +79,56 @@ matrix_synapse_admin_systemd_required_services_list: ['docker.service']
 # List of systemd services that matrix-synapse-admin.service wants
 matrix_synapse_admin_systemd_wanted_services_list: []
 
-# Controls whether the matrix-synapse-admin container exposes its HTTP port (tcp/80 in the container).
+# Specifies the value of the `X-XSS-Protection` header
+# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
 #
-# Takes an ":" or "" value (e.g. "127.0.0.1:8766"), or empty string to not expose.
-matrix_synapse_admin_container_http_host_bind_port: ''
+# Learn more about it is here:
+# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+# - https://portswigger.net/web-security/cross-site-scripting/reflected
+matrix_synapse_admin_http_header_xss_protection: "1; mode=block"
+
+# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+matrix_synapse_admin_http_header_frame_options: SAMEORIGIN
+
+# Specifies the value of the `X-Content-Type-Options` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+matrix_synapse_admin_http_header_content_type_options: nosniff
+
+# Specifies the value of the `Content-Security-Policy` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+matrix_synapse_admin_http_header_content_security_policy: frame-ancestors 'self'
+
+# Specifies the value of the `Permission-Policy` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
+matrix_synapse_admin_http_header_content_permission_policy: "{{ 'interest-cohort=() always' if matrix_synapse_admin_floc_optout_enabled else '' }}"
+
+# Specifies the value of the `Strict-Transport-Security` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+matrix_synapse_admin_http_header_strict_transport_security: "{{ '\"max-age=31536000; includeSubDomains; preload\" always' if matrix_synapse_admin_hsts_preload_enabled else '\"max-age=31536000; includeSubDomains\" always' }}"
+
+# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
+#
+# Learn more about what it is here:
+# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
+# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
+# - https://amifloced.org/
+#
+# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
+# See: `matrix_synapse_admin_content_permission_policy`
+matrix_synapse_admin_floc_optout_enabled: true
+
+# Controls if HSTS preloading is enabled
+#
+# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
+# indicates a willingness to be "preloaded" into browsers:
+# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
+# For more information visit:
+# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
+# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+# - https://hstspreload.org/#opt-in
+# See: `matrix_synapse_admin_http_header_strict_transport_security`
+matrix_synapse_admin_hsts_preload_enabled: false
 
 # The path at which Synapse Admin will be exposed on `matrix.DOMAIN`
 # (only applies when matrix-nginx-proxy is used).
diff --git a/roles/custom/matrix-synapse-admin/templates/labels.j2 b/roles/custom/matrix-synapse-admin/templates/labels.j2
index c70892a8c..b754f6b84 100644
--- a/roles/custom/matrix-synapse-admin/templates/labels.j2
+++ b/roles/custom/matrix-synapse-admin/templates/labels.j2
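Review bot: The `Strict-Transport-Security` and permission-policy values defined here still carry nginx `add_header` syntax — the escaped `\"...\"` quotes and the trailing ` always` — but under Traefik they are written verbatim into `customresponseheaders` (labels.j2 hunk below), so the client would receive `"max-age=31536000; includeSubDomains" always`, which is not a parseable HSTS directive and would most likely be ignored, leaving HSTS off for synapse-admin despite this commit. The Traefik-side defaults should be bare directives, e.g. `matrix_synapse_admin_http_header_strict_transport_security: "{{ 'max-age=31536000; includeSubDomains; preload' if matrix_synapse_admin_hsts_preload_enabled else 'max-age=31536000; includeSubDomains' }}"` and `'interest-cohort=()'`, with any `always` added inside the nginx template if these variables are ever shared with it. Two documentation points: the `# See:` line above `matrix_synapse_admin_floc_optout_enabled` names `matrix_synapse_admin_content_permission_policy`, which this hunk never defines — the variable is `matrix_synapse_admin_http_header_content_permission_policy`; and `X-XSS-Protection` is a legacy header that current browsers largely ignore, so its comment could say that `Content-Security-Policy` is the control that actually applies. The matrix-client-hydrogen defaults hunk later on this page repeats all three.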
@@ -18,6 +18,13 @@ traefik.http.middlewares.matrix-synapse-admin-strip-prefix.stripprefix.prefixes=
 {% set middlewares = middlewares + ['matrix-synapse-admin-strip-prefix'] %}
 {% endif %}
 
+{% if matrix_synapse_admin_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
+{% for name, value in matrix_synapse_admin_container_labels_traefik_additional_response_headers.items() %}
+traefik.http.middlewares.matrix-synapse-admin-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
+{% endfor %}
+{% set middlewares = middlewares + ['matrix-synapse-admin-add-headers'] %}
+{% endif %}
+
 traefik.http.routers.matrix-synapse-admin.rule={{ matrix_synapse_admin_container_labels_traefik_rule }}
 {% if middlewares | length > 0 %}
 traefik.http.routers.matrix-synapse-admin.middlewares={{ middlewares | join(',') }}
From 5c7cd7068480e9e0f07c6243e80fe53a6cad37e9 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Tue, 14 Feb 2023 08:51:20 +0200
Subject: [PATCH 417/915] Make use of the existing matrix_synapse_admin_public_endpoint variable
---
 roles/custom/matrix-synapse-admin/defaults/main.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/roles/custom/matrix-synapse-admin/defaults/main.yml b/roles/custom/matrix-synapse-admin/defaults/main.yml
index f150bd359..07a91833a 100644
--- a/roles/custom/matrix-synapse-admin/defaults/main.yml
+++ b/roles/custom/matrix-synapse-admin/defaults/main.yml
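Review bot: `customresponseheaders.{{ name }}={{ value }}` writes each header value into the label file without any escaping or quoting, so whatever sits in the `matrix_synapse_admin_http_header_*` defaults reaches the browser character for character, quoting meant for another proxy included. A template comment above the loop, e.g. `{# Values are emitted verbatim; keep them bare header values, not nginx add_header syntax #}`, would stop the next person from tuning them in nginx terms. Style nit: `.keys() | length > 0` can be `| length > 0` on the dict itself, matching the `middlewares | length > 0` check a few lines down.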
@@ -43,7 +43,7 @@ matrix_synapse_admin_container_labels_traefik_enabled: true
 matrix_synapse_admin_container_labels_traefik_docker_network: "{{ matrix_synapse_admin_container_network }}"
 matrix_synapse_admin_container_labels_traefik_hostname: "{{ matrix_server_fqn_matrix }}"
 # The path prefix must either be `/` or not end with a slash (e.g. `/synapse-admin`).
-matrix_synapse_admin_container_labels_traefik_path_prefix: /synapse-admin
+matrix_synapse_admin_container_labels_traefik_path_prefix: "{{ matrix_synapse_admin_public_endpoint }}"
 matrix_synapse_admin_container_labels_traefik_rule: "Host(`{{ matrix_synapse_admin_container_labels_traefik_hostname }}`){% if matrix_synapse_admin_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_synapse_admin_container_labels_traefik_path_prefix | quote }}`){% endif %}"
 matrix_synapse_admin_container_labels_traefik_entrypoints: web-secure
 matrix_synapse_admin_container_labels_traefik_tls: "{{ matrix_synapse_admin_container_labels_traefik_entrypoints != 'web' }}"
@@ -130,6 +130,9 @@ matrix_synapse_admin_floc_optout_enabled: true
 # See: `matrix_synapse_admin_http_header_strict_transport_security`
 matrix_synapse_admin_hsts_preload_enabled: false
 
-# The path at which Synapse Admin will be exposed on `matrix.DOMAIN`
-# (only applies when matrix-nginx-proxy is used).
+# The path at which Synapse Admin will be exposed on `matrix.DOMAIN` when matrix-nginx-proxy is used.
+# A path of `/` is likely not a good choice when matrix-nginx-proxy is used.
+#
+# If Traefik is used, the hostname name is configurable - see `matrix_synapse_admin_container_labels_traefik_hostname`.
+# This value must either be `/` or not end with a slash (e.g. `/synapse-admin`).
 matrix_synapse_admin_public_endpoint: /synapse-admin
From 799cbb44fbaf800840ed5612a4a2ddc476ac98f4 Mon Sep 17 00:00:00 2001
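Review bot: The second hunk's comment now promises that `matrix_synapse_admin_public_endpoint` "must either be `/` or not end with a slash", but no task enforcing that is visible for this role on this page (the hydrogen role later on the page adds exactly such a validate_config check); if the synapse-admin role has none, a user-supplied `/synapse-admin/` now silently produces a `PathPrefix` rule and strip-prefix middleware that never match the requests it is meant for. Worth confirming, or adding the same fail-task here. Wording: "the hostname name is configurable" doubles a word, and the first line could simply state that the variable is shared by both proxies, since after this change it drives the Traefik rule as well as the nginx location.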
From: Slavi Pantaleev
Date: Tue, 14 Feb 2023 09:04:50 +0200
Subject: [PATCH 418/915] Add the ability to control (Traefik) routing priority for Element and synapse-admin
This may proof useful to someone in the future.
---
 roles/custom/matrix-client-element/defaults/main.yml | 1 +
 roles/custom/matrix-client-element/templates/labels.j2 | 3 +++
 roles/custom/matrix-synapse-admin/defaults/main.yml | 1 +
 roles/custom/matrix-synapse-admin/templates/labels.j2 | 3 +++
 4 files changed, 8 insertions(+)
diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml
index 500c5b471..041fb033f 100644
--- a/roles/custom/matrix-client-element/defaults/main.yml
+++ b/roles/custom/matrix-client-element/defaults/main.yml
@@ -41,6 +41,7 @@ matrix_client_element_container_labels_traefik_hostname: "{{ matrix_server_fqn_e
 # The path prefix must either be `/` or not end with a slash (e.g. `/element`).
 matrix_client_element_container_labels_traefik_path_prefix: /
 matrix_client_element_container_labels_traefik_rule: "Host(`{{ matrix_client_element_container_labels_traefik_hostname }}`){% if matrix_client_element_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_client_element_container_labels_traefik_path_prefix }}`){% endif %}"
+matrix_client_element_container_labels_traefik_priority: 0
 matrix_client_element_container_labels_traefik_entrypoints: web-secure
 matrix_client_element_container_labels_traefik_tls: "{{ matrix_client_element_container_labels_traefik_entrypoints != 'web' }}"
 matrix_client_element_container_labels_traefik_tls_certResolver: default # noqa var-naming
diff --git a/roles/custom/matrix-client-element/templates/labels.j2 b/roles/custom/matrix-client-element/templates/labels.j2
index 33fb28e13..de67299e2 100644
--- a/roles/custom/matrix-client-element/templates/labels.j2
+++ b/roles/custom/matrix-client-element/templates/labels.j2
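Review bot: `matrix_client_element_container_labels_traefik_priority: 0` is the only variable in this block without a comment, and `0` is not a literal priority — the labels.j2 hunk in this commit emits the priority label only when `| int > 0`, so `0` means "omit the label and let Traefik order routers itself". Suggest `# Controls the priority of the Traefik router. 0 omits the priority label (Traefik then derives priority from rule length); set a positive value to make this router win over others that share the hostname.` The synapse-admin defaults hunk in this commit adds the same undocumented variable and needs the same comment. Note that `| int` silently maps a non-numeric value to 0, so a mistyped priority disables the override rather than failing the template.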
@@ -26,6 +26,9 @@ traefik.http.middlewares.matrix-client-element-add-headers.headers.customrespons
 {% endif %}
 
 traefik.http.routers.matrix-client-element.rule={{ matrix_client_element_container_labels_traefik_rule }}
+{% if matrix_client_element_container_labels_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-client-element.priority={{ matrix_client_element_container_labels_traefik_priority }}
+{% endif %}
 traefik.http.routers.matrix-client-element.service=matrix-client-element
 {% if middlewares | length > 0 %}
 traefik.http.routers.matrix-client-element.middlewares={{ middlewares | join(',') }}
diff --git a/roles/custom/matrix-synapse-admin/defaults/main.yml b/roles/custom/matrix-synapse-admin/defaults/main.yml
index 07a91833a..1d655d738 100644
--- a/roles/custom/matrix-synapse-admin/defaults/main.yml
+++ b/roles/custom/matrix-synapse-admin/defaults/main.yml
@@ -45,6 +45,7 @@ matrix_synapse_admin_container_labels_traefik_hostname: "{{ matrix_server_fqn_ma
 # The path prefix must either be `/` or not end with a slash (e.g. `/synapse-admin`).
 matrix_synapse_admin_container_labels_traefik_path_prefix: "{{ matrix_synapse_admin_public_endpoint }}"
 matrix_synapse_admin_container_labels_traefik_rule: "Host(`{{ matrix_synapse_admin_container_labels_traefik_hostname }}`){% if matrix_synapse_admin_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_synapse_admin_container_labels_traefik_path_prefix | quote }}`){% endif %}"
+matrix_synapse_admin_container_labels_traefik_priority: 0
 matrix_synapse_admin_container_labels_traefik_entrypoints: web-secure
 matrix_synapse_admin_container_labels_traefik_tls: "{{ matrix_synapse_admin_container_labels_traefik_entrypoints != 'web' }}"
 matrix_synapse_admin_container_labels_traefik_tls_certResolver: default # noqa var-naming
diff --git a/roles/custom/matrix-synapse-admin/templates/labels.j2 b/roles/custom/matrix-synapse-admin/templates/labels.j2
index b754f6b84..946fd6c98 100644
--- a/roles/custom/matrix-synapse-admin/templates/labels.j2
+++ b/roles/custom/matrix-synapse-admin/templates/labels.j2
@@ -26,6 +26,9 @@ traefik.http.middlewares.matrix-synapse-admin-add-headers.headers.customresponse
 {% endif %}
 
 traefik.http.routers.matrix-synapse-admin.rule={{ matrix_synapse_admin_container_labels_traefik_rule }}
+{% if matrix_synapse_admin_container_labels_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-synapse-admin.priority={{ matrix_synapse_admin_container_labels_traefik_priority }}
+{% endif %}
 {% if middlewares | length > 0 %}
 traefik.http.routers.matrix-synapse-admin.middlewares={{ middlewares | join(',') }}
 {% endif %}
From 64e2b26ed55fd6ee1c1ffc62a37cb09e452fe7ec Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Tue, 14 Feb 2023 09:49:22 +0200
Subject: [PATCH 419/915] Fix Hydrogen failing to start
We were mounting our own configuration to `/usr/share/nginx/html/config.json`, which is a symlink to `/tmp/config.json`. So we effectively mount our file to `/tmp/config.json`. When starting: - if Hydrogen sees a `CONFIG_OVERRIDE` environment variable, it will try to save it into our read-only config file and fail. - if Hydrogen doesn't see a `CONFIG_OVERRIDE` environment variable (the path we go through, because we don't pass such a variable), it will try to copy its bundled configuration (`/config.json.bundled`) to `/tmp/config.json`. Because our configuration is mounted as read-only, it will fail. In both cases, it will fail with: > cp: can't create '/tmp/config.json': File exists Source: https://github.com/vector-im/hydrogen-web/blob/3720de36bbee8609ca7cf625e7b72dc44609e393/docker/dynamic-config.sh We work around this by mounting our configuration on top of the bundled one (`/config.json.bundled`). We then let Hydrogen's startup script copy it to `/tmp/config.json` (a tmpfs we've mounted into the container) and use it from there.
---
 .../templates/systemd/matrix-client-hydrogen.service.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 b/roles/custom/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2
index d8a3fb98b..e09978eae 100644
--- a/roles/custom/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2
+++ b/roles/custom/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2
@@ -24,7 +24,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
 {% endif %}
 --tmpfs=/tmp:rw,noexec,nosuid,size=10m \
 --mount type=bind,src={{ matrix_client_hydrogen_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \
- --mount type=bind,src={{ matrix_client_hydrogen_data_path }}/config.json,dst=/usr/share/nginx/html/config.json,ro \
+ --mount type=bind,src={{ matrix_client_hydrogen_data_path }}/config.json,dst=/config.json.bundled,ro \
 {% for arg in matrix_client_hydrogen_container_extra_arguments %}
 {{ arg }} \
 {% endfor %}
From 6a52be79877daf9d320bb5ef28389977d1ec8d31 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Tue, 14 Feb 2023 09:58:35 +0200
Subject: [PATCH 420/915] Add (native) Traefik support to matrix-client-hydrogen
Previously, it had to go through matrix-nginx-proxy. It's exposed to Traefik directly via container labels now Serving at a path other than `/` doesn't work well yet.
---
 group_vars/matrix_servers | 8 ++
 .../matrix-client-hydrogen/defaults/main.yml | 99 +++++++++++++++++++
 .../tasks/setup_install.yml | 7 +-
 .../tasks/validate_config.yml | 31 ++++++
 .../templates/labels.j2 | 45 +++++++++
 .../systemd/matrix-client-hydrogen.service.j2 | 14 ++-
 6 files changed, 201 insertions(+), 3 deletions(-)
 create mode 100644 roles/custom/matrix-client-hydrogen/templates/labels.j2
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index ca0460401..1a131a285 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
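Review bot: The new mount target `/config.json.bundled` is an internal path of the upstream image whose entrypoint copies it into the `/tmp` tmpfs, and nothing in the template records why the file is no longer mounted at the path nginx serves — that reasoning exists only in the commit message, so the next reader is likely to "fix" it back. Add a Jinja comment before the mount line: `{# Hydrogen's entrypoint copies /config.json.bundled to /tmp/config.json (the tmpfs above) at startup; mounting over the served path makes that copy fail with "File exists" on the read-only bind mount. #}`. One caveat worth stating in the same comment: the copy the container actually serves now lives in the writable tmpfs, so `ro` on the bind mount protects the host file but not the runtime config.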
@@ -2987,6 +2987,14 @@ matrix_client_hydrogen_container_image_self_build: "{{ matrix_architecture not i
 # the HTTP port to the local host.
 matrix_client_hydrogen_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8768') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
 
+matrix_client_hydrogen_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-client-hydrogen' }}"
+
+matrix_client_hydrogen_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}"
+
+matrix_client_hydrogen_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
+matrix_client_hydrogen_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+matrix_client_hydrogen_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary if devture_traefik_enabled else '' }}"
+
 
 matrix_client_hydrogen_default_hs_url: "{{ matrix_homeserver_url }}"
 matrix_client_hydrogen_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}"
diff --git a/roles/custom/matrix-client-hydrogen/defaults/main.yml b/roles/custom/matrix-client-hydrogen/defaults/main.yml
index 6ee304cfa..d429707c6 100644
--- a/roles/custom/matrix-client-hydrogen/defaults/main.yml
+++ b/roles/custom/matrix-client-hydrogen/defaults/main.yml
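Review bot: `matrix_client_hydrogen_container_labels_traefik_entrypoints` becomes `''` whenever `devture_traefik_enabled` is false, while `_traefik_enabled` is true for `other-traefik-container` as well, so that profile renders `traefik.http.routers.matrix-client-hydrogen.entrypoints=` with an empty value, and `_tls` (which the role defaults derive from `entrypoints != 'web'`) is true regardless. Presumably operators of an external Traefik are expected to set the entrypoint themselves, but the validate_config hunk later in this commit only requires `_hostname` and `_path_prefix`; adding `- matrix_client_hydrogen_container_labels_traefik_entrypoints` to that `with_items` list would turn a silently unroutable container into a clear failure at validation time. The Element and synapse-admin group_vars are not on this page, so whether they share the pattern cannot be checked here.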
@@ -14,17 +14,116 @@ matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docke
 matrix_client_hydrogen_data_path: "{{ matrix_base_data_path }}/client-hydrogen"
 matrix_client_hydrogen_docker_src_files_path: "{{ matrix_client_hydrogen_data_path }}/docker-src"
 
+# The base container network
+matrix_client_hydrogen_container_network: matrix-client-hydrogen
+
+# A list of additional container networks that the container would be connected to.
+# The role does not create these networks, so make sure they already exist.
+# Use this to expose this container to a reverse proxy, which runs in a different container network.
+matrix_client_hydrogen_container_additional_networks: []
+
 # Controls whether the container exposes its HTTP port (tcp/8080 in the container).
 #
 # Takes an ":" or "" value (e.g. "127.0.0.1:8768"), or empty string to not expose.
 matrix_client_hydrogen_container_http_host_bind_port: ''
 
+# matrix_client_hydrogen_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
+# See `../templates/labels.j2` for details.
+#
+# To inject your own other container labels, see `matrix_client_hydrogen_container_labels_additional_labels`.
+matrix_client_hydrogen_container_labels_traefik_enabled: true
+matrix_client_hydrogen_container_labels_traefik_docker_network: "{{ matrix_client_hydrogen_container_network }}"
+matrix_client_hydrogen_container_labels_traefik_hostname: "{{ matrix_server_fqn_element }}"
+# The path prefix must either be `/` or not end with a slash (e.g. `/hydrogen`).
+# For now, only `/` is supported due to problems with serving Hydrogen at a subpath.
+matrix_client_hydrogen_container_labels_traefik_path_prefix: /
+matrix_client_hydrogen_container_labels_traefik_rule: "Host(`{{ matrix_client_hydrogen_container_labels_traefik_hostname }}`){% if matrix_client_hydrogen_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_client_hydrogen_container_labels_traefik_path_prefix }}`){% endif %}"
+matrix_client_hydrogen_container_labels_traefik_priority: 0
+matrix_client_hydrogen_container_labels_traefik_entrypoints: web-secure
+matrix_client_hydrogen_container_labels_traefik_tls: "{{ matrix_client_hydrogen_container_labels_traefik_entrypoints != 'web' }}"
+matrix_client_hydrogen_container_labels_traefik_tls_certResolver: default # noqa var-naming
+
+# Controls which additional headers to attach to all HTTP responses.
+# To add your own headers, use `matrix_client_hydrogen_container_labels_traefik_additional_response_headers_custom`
+matrix_client_hydrogen_container_labels_traefik_additional_response_headers: "{{ matrix_client_hydrogen_container_labels_traefik_additional_response_headers_auto | combine(matrix_client_hydrogen_container_labels_traefik_additional_response_headers_custom) }}"
+matrix_client_hydrogen_container_labels_traefik_additional_response_headers_auto: |
+ {{
+ {}
+ | combine ({'X-XSS-Protection': matrix_client_hydrogen_http_header_xss_protection} if matrix_client_hydrogen_http_header_xss_protection else {})
+ | combine ({'X-Frame-Options': matrix_client_hydrogen_http_header_frame_options} if matrix_client_hydrogen_http_header_frame_options else {})
+ | combine ({'X-Content-Type-Options': matrix_client_hydrogen_http_header_content_type_options} if matrix_client_hydrogen_http_header_content_type_options else {})
+ | combine ({'Content-Security-Policy': matrix_client_hydrogen_http_header_content_security_policy} if matrix_client_hydrogen_http_header_content_security_policy else {})
+ | combine ({'Permission-Policy': matrix_client_hydrogen_http_header_content_permission_policy} if 
matrix_client_hydrogen_http_header_content_permission_policy else {})
+ | combine ({'Strict-Transport-Security': matrix_client_hydrogen_http_header_strict_transport_security} if matrix_client_hydrogen_http_header_strict_transport_security and matrix_client_hydrogen_container_labels_traefik_tls else {})
+ }}
+matrix_client_hydrogen_container_labels_traefik_additional_response_headers_custom: {}
+
+# matrix_client_hydrogen_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
+# See `../templates/labels.j2` for details.
+#
+# Example:
+# matrix_client_hydrogen_container_labels_additional_labels: |
+# my.label=1
+# another.label="here"
+matrix_client_hydrogen_container_labels_additional_labels: ''
+
 # A list of extra arguments to pass to the container
 matrix_client_hydrogen_container_extra_arguments: []
 
 # List of systemd services that matrix-client-hydrogen.service depends on
 matrix_client_hydrogen_systemd_required_services_list: ['docker.service']
 
+# Specifies the value of the `X-XSS-Protection` header
+# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
+#
+# Learn more about it is here:
+# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+# - https://portswigger.net/web-security/cross-site-scripting/reflected
+matrix_client_hydrogen_http_header_xss_protection: "1; mode=block"
+
+# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+matrix_client_hydrogen_http_header_frame_options: SAMEORIGIN
+
+# Specifies the value of the `X-Content-Type-Options` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+matrix_client_hydrogen_http_header_content_type_options: nosniff
+
+# Specifies the value of the `Content-Security-Policy` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+matrix_client_hydrogen_http_header_content_security_policy: frame-ancestors 'self'
+
+# Specifies the value of the `Permission-Policy` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
+matrix_client_hydrogen_http_header_content_permission_policy: "{{ 'interest-cohort=() always' if matrix_client_hydrogen_floc_optout_enabled else '' }}"
+
+# Specifies the value of the `Strict-Transport-Security` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+matrix_client_hydrogen_http_header_strict_transport_security: "{{ '\"max-age=31536000; includeSubDomains; preload\" always' if matrix_client_hydrogen_hsts_preload_enabled else '\"max-age=31536000; includeSubDomains\" always' }}"
+
+# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
+#
+# Learn more about what it is here:
+# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
+# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
+# - https://amifloced.org/
+#
+# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
+# See: `matrix_client_hydrogen_content_permission_policy`
+matrix_client_hydrogen_floc_optout_enabled: true
+
+# Controls if HSTS preloading is enabled
+#
+# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
+# indicates a willingness to be "preloaded" into browsers:
+# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
+# For more information visit:
+# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
+# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+# - https://hstspreload.org/#opt-in
+# See: `matrix_client_hydrogen_http_header_strict_transport_security`
+matrix_client_hydrogen_hsts_preload_enabled: false
+
 # Controls whether the self-check feature should validate SSL certificates.
 matrix_client_hydrogen_self_check_validate_certificates: true
 
diff --git a/roles/custom/matrix-client-hydrogen/tasks/setup_install.yml b/roles/custom/matrix-client-hydrogen/tasks/setup_install.yml
index 5fe4ceadd..0e1148042 100644
--- a/roles/custom/matrix-client-hydrogen/tasks/setup_install.yml
+++ b/roles/custom/matrix-client-hydrogen/tasks/setup_install.yml
@@ -52,7 +52,7 @@
 group: "{{ matrix_user_groupname }}"
 with_items:
 - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"}
- when: "item.src is not none"
+ - {src: "{{ role_path }}/templates/labels.j2", name: "labels"}
 
 - name: Ensure Hydrogen Docker image is built
 community.docker.docker_image:
@@ -65,6 +65,11 @@
 pull: true
 when: "matrix_client_hydrogen_container_image_self_build | bool"
 
+- name: Ensure Hydrogen container network is created
+ community.general.docker_network:
+ name: "{{ matrix_client_hydrogen_container_network }}"
+ driver: bridge
+
 - name: Ensure matrix-client-hydrogen.service installed
 ansible.builtin.template:
 src: "{{ role_path }}/templates/systemd/matrix-client-hydrogen.service.j2"
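Review bot: `matrix_client_hydrogen_container_labels_traefik_hostname` defaults to `matrix_server_fqn_element`, the very host Element's own router claims with path prefix `/` (element defaults earlier on this page), and the group_vars hunk above overrides hydrogen's network, entrypoints and enabled flag but not its hostname — so with both clients enabled two routers carry an identical `Host(...)` rule and Traefik has to pick one. Unless sharing Element's hostname is deliberate, this reads as a copy-paste from the Element role; point the default at whatever FQN variable the playbook uses for Hydrogen, or at least comment the collision and that `_priority` must then be set. The header map and `matrix_client_hydrogen_http_header_*` values are copied from the synapse-admin defaults and inherit that hunk's header-name and nginx-syntax problems, and the `# See:` line above `matrix_client_hydrogen_floc_optout_enabled` references `matrix_client_hydrogen_content_permission_policy`, which is not a variable this hunk defines — the one defined is `matrix_client_hydrogen_http_header_content_permission_policy`.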
diff --git a/roles/custom/matrix-client-hydrogen/tasks/validate_config.yml b/roles/custom/matrix-client-hydrogen/tasks/validate_config.yml
index 65b0e14f6..bc7725945 100644
--- a/roles/custom/matrix-client-hydrogen/tasks/validate_config.yml
+++ b/roles/custom/matrix-client-hydrogen/tasks/validate_config.yml
@@ -7,3 +7,34 @@
 when: "(vars[item] == '' or vars[item] is none) and matrix_client_hydrogen_container_image_self_build | bool"
 with_items:
 - "matrix_client_hydrogen_default_hs_url"
+
+- when: matrix_client_hydrogen_container_labels_traefik_enabled | bool
+ block:
+ - name: Fail if required matrix-client-hydrogen Traefik settings not defined
+ ansible.builtin.fail:
+ msg: >-
+ You need to define a required configuration setting (`{{ item }}`).
+ when: "vars[item] == ''"
+ with_items:
+ - matrix_client_hydrogen_container_labels_traefik_hostname
+ - matrix_client_hydrogen_container_labels_traefik_path_prefix
+
+ # We ensure it doesn't end with a slash, because we handle both (slash and no-slash).
+ # Knowing that `matrix_client_hydrogen_container_labels_traefik_path_prefix` does not end with a slash
+ # ensures we know how to set these routes up without having to do "does it end with a slash" checks elsewhere.
+ - name: Fail if matrix_client_hydrogen_container_labels_traefik_path_prefix ends with a slash
+ ansible.builtin.fail:
+ msg: >-
+ matrix_client_hydrogen_container_labels_traefik_path_prefix (`{{ matrix_client_hydrogen_container_labels_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/hydrogen`).
+ when: "matrix_client_hydrogen_container_labels_traefik_path_prefix != '/' and matrix_client_hydrogen_container_labels_traefik_path_prefix[-1] == '/'"
+
+ # For example, we're getting errors like this:
+ # > main.js:51 Failed to load stylesheet from https://DOMAIN/assets/theme-element-light.5316e268.css:
+ # despite having set a prefix of `/hydrogen`.
+ # This is yet to be investigated and workaround around.
+ - name: Fail if matrix_client_hydrogen_container_labels_traefik_path_prefix is not /
+ ansible.builtin.fail:
+ msg: >-
+ matrix_client_hydrogen_container_labels_traefik_path_prefix can only be set to `/` right now.
+ Serving Hydrogen from another path doesn't work just yet.
+ when: "matrix_client_hydrogen_container_labels_traefik_path_prefix != '/'"
diff --git a/roles/custom/matrix-client-hydrogen/templates/labels.j2 b/roles/custom/matrix-client-hydrogen/templates/labels.j2
new file mode 100644
index 000000000..71c3ca59e
--- /dev/null
+++ b/roles/custom/matrix-client-hydrogen/templates/labels.j2
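Review bot: The third task makes the second one unreachable: every prefix other than `/` already fails `Fail if ... is not /`, so the ends-with-slash check can never be the one that fires — a comment such as `# Kept for when subpath serving works; today the task below rejects everything but '/'.` would make the intent clear, or drop it until then. Also, the new required-setting check tests `vars[item] == ''` only, while the existing check at the top of this file also handles `vars[item] is none`; using the same condition here keeps a `~` or `null` override from slipping through to the label template.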
@@ -0,0 +1,45 @@
+{% if matrix_client_hydrogen_container_labels_traefik_enabled %}
+traefik.enable=true
+
+{% if matrix_client_hydrogen_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_client_hydrogen_container_labels_traefik_docker_network }}
+{% endif %}
+
+{% set middlewares = [] %}
+
+{% if matrix_client_hydrogen_container_labels_traefik_path_prefix != '/' %}
+traefik.http.middlewares.matrix-client-hydrogen-slashless-redirect.redirectregex.regex=({{ matrix_client_hydrogen_container_labels_traefik_path_prefix | quote }})$
+traefik.http.middlewares.matrix-client-hydrogen-slashless-redirect.redirectregex.replacement=${1}/
+{% set middlewares = middlewares + ['matrix-client-hydrogen-slashless-redirect'] %}
+{% endif %}
+
+{% if matrix_client_hydrogen_container_labels_traefik_path_prefix != '/' %}
+traefik.http.middlewares.matrix-client-hydrogen-strip-prefix.stripprefix.prefixes={{ matrix_client_hydrogen_container_labels_traefik_path_prefix }}
+{% set middlewares = middlewares + ['matrix-client-hydrogen-strip-prefix'] %}
+{% endif %}
+
+{% if matrix_client_hydrogen_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
+{% for name, value in matrix_client_hydrogen_container_labels_traefik_additional_response_headers.items() %}
+traefik.http.middlewares.matrix-client-hydrogen-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
+{% endfor %}
+{% set middlewares = middlewares + ['matrix-client-hydrogen-add-headers'] %}
+{% endif %}
+
+traefik.http.routers.matrix-client-hydrogen.rule={{ matrix_client_hydrogen_container_labels_traefik_rule }}
+{% if matrix_client_hydrogen_container_labels_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-client-hydrogen.priority={{ matrix_client_hydrogen_container_labels_traefik_priority }}
+{% endif %}
+traefik.http.routers.matrix-client-hydrogen.service=matrix-client-hydrogen
+{% if middlewares | length > 0 %}
+traefik.http.routers.matrix-client-hydrogen.middlewares={{ middlewares | join(',') }}
+{% endif %}
+traefik.http.routers.matrix-client-hydrogen.entrypoints={{ matrix_client_hydrogen_container_labels_traefik_entrypoints }}
+traefik.http.routers.matrix-client-hydrogen.tls={{ matrix_client_hydrogen_container_labels_traefik_tls | to_json }}
+{% if matrix_client_hydrogen_container_labels_traefik_tls %}
+traefik.http.routers.matrix-client-hydrogen.tls.certResolver={{ matrix_client_hydrogen_container_labels_traefik_tls_certResolver }}
+{% endif %}
+
+traefik.http.services.matrix-client-hydrogen.loadbalancer.server.port=8080
+{% endif %}
+
+{{ matrix_client_hydrogen_container_labels_additional_labels }}
diff --git a/roles/custom/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 b/roles/custom/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2
index e09978eae..1f1f0dc9b 100644
--- a/roles/custom/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2
+++ b/roles/custom/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2
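Review bot: The slashless-redirect middleware interpolates the path prefix into `redirectregex.regex` through the `quote` filter, but `quote` is shell quoting, not regex escaping: for a plain prefix such as `/hydrogen` it changes nothing, and for a value containing shell-special characters it wraps the whole thing in single quotes, which corrupts the pattern instead of protecting it. The filter that matches the context is `regex_escape`: `traefik.http.middlewares.matrix-client-hydrogen-slashless-redirect.redirectregex.regex=({{ matrix_client_hydrogen_container_labels_traefik_path_prefix | regex_escape }})$`. If the matrix-client-cinny labels.j2 added later in this series was copied from this template, it presumably needs the same change.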
@@ -13,15 +13,18 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-client-hydrogen \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-client-hydrogen \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_client_hydrogen_container_network }} \ {% if matrix_client_hydrogen_container_http_host_bind_port %} -p {{ matrix_client_hydrogen_container_http_host_bind_port }}:8080 \ {% endif %} + --label-file={{ matrix_client_hydrogen_data_path }}/labels \ --tmpfs=/tmp:rw,noexec,nosuid,size=10m \ --mount type=bind,src={{ matrix_client_hydrogen_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ --mount type=bind,src={{ matrix_client_hydrogen_data_path }}/config.json,dst=/config.json.bundled,ro \ 
@@ -30,8 +33,15 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {% endfor %} {{ matrix_client_hydrogen_docker_image }} +{% for network in matrix_client_hydrogen_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-client-hydrogen +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-client-hydrogen + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null || true' + Restart=always RestartSec=30 SyslogIdentifier=matrix-client-hydrogen From eb7292f274bb7c4cfa9ce26ff72aa92da0018154 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 14 Feb 2023 10:56:16 +0200 Subject: [PATCH 421/915] Add matrix_client_hydrogen_hostname and fix Hydrogen serving at non-root-path --- .../matrix-client-hydrogen/defaults/main.yml | 18 ++++++++++++++---- .../tasks/validate_config.yml | 11 ----------- .../templates/config.json.j2 | 2 +- .../matrix-synapse-admin/defaults/main.yml | 2 +- 4 files changed, 16 insertions(+), 17 deletions(-) diff --git a/roles/custom/matrix-client-hydrogen/defaults/main.yml b/roles/custom/matrix-client-hydrogen/defaults/main.yml index d429707c6..6ead5f446 100644 --- a/roles/custom/matrix-client-hydrogen/defaults/main.yml +++ b/roles/custom/matrix-client-hydrogen/defaults/main.yml 
@@ -33,10 +33,9 @@ matrix_client_hydrogen_container_http_host_bind_port: '' # To inject your own other container labels, see `matrix_client_hydrogen_container_labels_additional_labels`. matrix_client_hydrogen_container_labels_traefik_enabled: true matrix_client_hydrogen_container_labels_traefik_docker_network: "{{ matrix_client_hydrogen_container_network }}" -matrix_client_hydrogen_container_labels_traefik_hostname: "{{ matrix_server_fqn_element }}" +matrix_client_hydrogen_container_labels_traefik_hostname: "{{ matrix_client_hydrogen_hostname }}" # The path prefix must either be `/` or not end with a slash (e.g. `/hydrogen`). -# For now, only `/` is supported due to problems with serving Hydrogen at a subpath. -matrix_client_hydrogen_container_labels_traefik_path_prefix: / +matrix_client_hydrogen_container_labels_traefik_path_prefix: "{{ matrix_client_hydrogen_path_prefix }}" matrix_client_hydrogen_container_labels_traefik_rule: "Host(`{{ matrix_client_hydrogen_container_labels_traefik_hostname }}`){% if matrix_client_hydrogen_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_client_hydrogen_container_labels_traefik_path_prefix }}`){% endif %}" matrix_client_hydrogen_container_labels_traefik_priority: 0 matrix_client_hydrogen_container_labels_traefik_entrypoints: web-secure 
@@ -124,6 +123,18 @@ matrix_client_hydrogen_floc_optout_enabled: true # See: `matrix_client_hydrogen_http_header_strict_transport_security` matrix_client_hydrogen_hsts_preload_enabled: false +# The hostname at which Hydrogen is served. +# Only works with with Traefik reverse-proxying. +# For matrix-nginx-proxy, `matrix_server_fqn_hydrogen` is used and this variable has no effect. +matrix_client_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}" + +# The path at which Hydrogen is exposed. +# When matrix-nginx-proxy is used, setting this to values other than `/` will cause configuration mismatches and trouble. +# +# If Traefik is used, the hostname is also configurable - see `matrix_client_hydrogen_container_labels_traefik_hostname`. +# This value must either be `/` or not end with a slash (e.g. `/hydrogen`). +matrix_client_hydrogen_path_prefix: / + # Controls whether the self-check feature should validate SSL certificates. matrix_client_hydrogen_self_check_validate_certificates: true @@ -135,7 +146,6 @@ matrix_client_hydrogen_push: matrix_client_hydrogen_default_hs_url: "" matrix_client_hydrogen_bugReportEndpointUrl: "https://element.io/bugreports/submit" # noqa var-naming - # Default Hydrogen configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # diff --git a/roles/custom/matrix-client-hydrogen/tasks/validate_config.yml b/roles/custom/matrix-client-hydrogen/tasks/validate_config.yml index bc7725945..dd880ddb2 100644 --- a/roles/custom/matrix-client-hydrogen/tasks/validate_config.yml +++ b/roles/custom/matrix-client-hydrogen/tasks/validate_config.yml 
@@ -27,14 +27,3 @@ msg: >- matrix_client_hydrogen_container_labels_traefik_path_prefix (`{{ matrix_client_hydrogen_container_labels_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/hydrogen`). when: "matrix_client_hydrogen_container_labels_traefik_path_prefix != '/' and matrix_client_hydrogen_container_labels_traefik_path_prefix[-1] == '/'" - - # For example, we're getting errors like this: - # > main.js:51 Failed to load stylesheet from https://DOMAIN/assets/theme-element-light.5316e268.css: - # despite having set a prefix of `/hydrogen`. - # This is yet to be investigated and workaround around. - - name: Fail if matrix_client_hydrogen_container_labels_traefik_path_prefix is not / - ansible.builtin.fail: - msg: >- - matrix_client_hydrogen_container_labels_traefik_path_prefix can only be set to `/` right now. - Serving Hydrogen from another path doesn't work just yet. - when: "matrix_client_hydrogen_container_labels_traefik_path_prefix != '/'" diff --git a/roles/custom/matrix-client-hydrogen/templates/config.json.j2 b/roles/custom/matrix-client-hydrogen/templates/config.json.j2 index b6b1b9be5..e503c105b 100644 --- a/roles/custom/matrix-client-hydrogen/templates/config.json.j2 +++ b/roles/custom/matrix-client-hydrogen/templates/config.json.j2 @@ -3,7 +3,7 @@ "defaultHomeServer": {{ matrix_client_hydrogen_default_hs_url | string | to_json }}, "bugReportEndpointUrl": {{ matrix_client_hydrogen_bugReportEndpointUrl | to_json }}, "themeManifests": [ - "assets/theme-element.json" + "{{ matrix_client_hydrogen_path_prefix }}assets/theme-element.json" ], "defaultTheme": { "light": "element-light", diff --git a/roles/custom/matrix-synapse-admin/defaults/main.yml b/roles/custom/matrix-synapse-admin/defaults/main.yml index 1d655d738..4345a0262 100644 --- a/roles/custom/matrix-synapse-admin/defaults/main.yml +++ b/roles/custom/matrix-synapse-admin/defaults/main.yml 
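Review bot: In config.json.j2 the theme manifest path becomes `"{{ matrix_client_hydrogen_path_prefix }}assets/theme-element.json"`, yet the new `matrix_client_hydrogen_path_prefix` variable is documented (and validated) as either `/` or a value that does not end with a slash, so a prefix of `/hydrogen` renders `/hydrogenassets/theme-element.json` and the theme still fails to load — only the root prefix produces a valid path, which undercuts the "serving at non-root-path" fix this commit claims. Suggest inserting the separator conditionally: `"{{ matrix_client_hydrogen_path_prefix }}{{ '' if matrix_client_hydrogen_path_prefix == '/' else '/' }}assets/theme-element.json"`. The removed task in validate_config.yml was the only guard against exactly this case, so a non-root prefix should be tried end-to-end before the guard is dropped.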
@@ -134,6 +134,6 @@ matrix_synapse_admin_hsts_preload_enabled: false # The path at which Synapse Admin will be exposed on `matrix.DOMAIN` when matrix-nginx-proxy is used. # A path of `/` is likely not a good choice when matrix-nginx-proxy is used. # -# If Traefik is used, the hostname name is configurable - see `matrix_synapse_admin_container_labels_traefik_hostname`. +# If Traefik is used, the hostname is also configurable - see `matrix_synapse_admin_container_labels_traefik_hostname`. # This value must either be `/` or not end with a slash (e.g. `/synapse-admin`). matrix_synapse_admin_public_endpoint: /synapse-admin From 2e74187050b87d2835e385bf3af245d9767efd2b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 14 Feb 2023 11:02:18 +0200 Subject: [PATCH 422/915] Add matrix_client_element_hostname and matrix_client_element_path_prefix variables --- .../matrix-client-element/defaults/main.yml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 041fb033f..bacaa786c 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml 
@@ -37,9 +37,9 @@ matrix_client_element_container_http_host_bind_port: '' # To inject your own other container labels, see `matrix_client_element_container_labels_additional_labels`. matrix_client_element_container_labels_traefik_enabled: true matrix_client_element_container_labels_traefik_docker_network: "{{ matrix_client_element_container_network }}" -matrix_client_element_container_labels_traefik_hostname: "{{ matrix_server_fqn_element }}" +matrix_client_element_container_labels_traefik_hostname: "{{ matrix_client_element_hostname }}" # The path prefix must either be `/` or not end with a slash (e.g. `/element`). -matrix_client_element_container_labels_traefik_path_prefix: / +matrix_client_element_container_labels_traefik_path_prefix: "{{ matrix_client_element_path_prefix }}" matrix_client_element_container_labels_traefik_rule: "Host(`{{ matrix_client_element_container_labels_traefik_hostname }}`){% if matrix_client_element_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_client_element_container_labels_traefik_path_prefix }}`){% endif %}" matrix_client_element_container_labels_traefik_priority: 0 matrix_client_element_container_labels_traefik_entrypoints: web-secure 
@@ -127,6 +127,18 @@ matrix_client_element_floc_optout_enabled: true # See: `matrix_client_element_http_header_strict_transport_security` matrix_client_element_hsts_preload_enabled: false +# The hostname at which Element is served. +# Only works with with Traefik reverse-proxying. +# For matrix-nginx-proxy, `matrix_server_fqn_element` is used and this variable has no effect. +matrix_client_element_hostname: "{{ matrix_server_fqn_element }}" + +# The path at which Element is exposed. +# When matrix-nginx-proxy is used, setting this to values other than `/` will cause configuration mismatches and trouble. +# +# If Traefik is used, the hostname is also configurable - see `matrix_client_element_container_labels_traefik_hostname`. +# This value must either be `/` or not end with a slash (e.g. `/element`). +matrix_client_element_path_prefix: / + # Element config.json customizations matrix_client_element_default_server_name: "{{ matrix_domain }}" matrix_client_element_default_hs_url: "" From 3bace0c7b9d43ce860078a20a24a9c7a2c19114b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 14 Feb 2023 11:05:39 +0200 Subject: [PATCH 423/915] Add matrix_synapse_admin_hostname and rename matrix_synapse_admin_public_endpoint (to matrix_synapse_admin_path_prefix) --- docs/configuring-playbook-synapse-admin.md | 28 ------------------- .../matrix-synapse-admin/defaults/main.yml | 15 ++++++---- .../tasks/inject_into_nginx_proxy.yml | 6 ++-- .../tasks/validate_config.yml | 1 + 4 files changed, 14 insertions(+), 36 deletions(-) diff --git a/docs/configuring-playbook-synapse-admin.md b/docs/configuring-playbook-synapse-admin.md index ad1bda028..1099553bf 100644 --- a/docs/configuring-playbook-synapse-admin.md +++ b/docs/configuring-playbook-synapse-admin.md 
@@ -35,34 +35,6 @@ To use Synapse Admin, you need to have [registered at least one administrator ac The Homeserver URL to use on Synapse Admin's login page is: `https://matrix.DOMAIN` -### Sample configuration for running behind Traefik 2.0 - -Below is a sample configuration for using this playbook with a [Traefik](https://traefik.io/) 2.0 reverse proxy. - -This an extension to Traefik config sample in [own-webserver-documentation](./configuring-playbook-own-webserver.md). - -```yaml -# Don't bind any HTTP or federation port to the host -# (Traefik will proxy directly into the containers) -matrix_synapse_admin_container_http_host_bind_port: "" - -matrix_synapse_admin_container_extra_arguments: - # May be unnecessary depending on Traefik config, but can't hurt - - '--label "traefik.enable=true"' - - # The Synapse Admin container will only receive traffic from this subdomain and path - - '--label "traefik.http.routers.matrix-synapse-admin.rule=(Host(`{{ matrix_server_fqn_matrix }}`) && Path(`{{matrix_synapse_admin_public_endpoint}}`))"' - - # (Define your entrypoint) - - '--label "traefik.http.routers.matrix-synapse-admin.entrypoints=web-secure"' - - # (The 'default' certificate resolver must be defined in Traefik config) - - '--label "traefik.http.routers.matrix-synapse-admin.tls.certResolver=default"' - - # The Synapse Admin container uses port 80 by default - - '--label "traefik.http.services.matrix-synapse-admin.loadbalancer.server.port=80"' -``` - ### Sample configuration for running behind Caddy v2 Below is a sample configuration for using this playbook with a [Caddy](https://caddyserver.com/v2) 2.0 reverse proxy (non-default configuration where `matrix-nginx-proxy` is disabled - `matrix_nginx_proxy_enabled: false`). diff --git a/roles/custom/matrix-synapse-admin/defaults/main.yml b/roles/custom/matrix-synapse-admin/defaults/main.yml index 4345a0262..91383a9e9 100644 --- a/roles/custom/matrix-synapse-admin/defaults/main.yml 
+++ b/roles/custom/matrix-synapse-admin/defaults/main.yml @@ -41,9 +41,9 @@ matrix_synapse_admin_container_extra_arguments: [] # To inject your own other container labels, see `matrix_synapse_admin_container_labels_additional_labels`. matrix_synapse_admin_container_labels_traefik_enabled: true matrix_synapse_admin_container_labels_traefik_docker_network: "{{ matrix_synapse_admin_container_network }}" -matrix_synapse_admin_container_labels_traefik_hostname: "{{ matrix_server_fqn_matrix }}" +matrix_synapse_admin_container_labels_traefik_hostname: "{{ matrix_synapse_admin_hostname }}" # The path prefix must either be `/` or not end with a slash (e.g. `/synapse-admin`). -matrix_synapse_admin_container_labels_traefik_path_prefix: "{{ matrix_synapse_admin_public_endpoint }}" +matrix_synapse_admin_container_labels_traefik_path_prefix: "{{ matrix_synapse_admin_path_prefix }}" matrix_synapse_admin_container_labels_traefik_rule: "Host(`{{ matrix_synapse_admin_container_labels_traefik_hostname }}`){% if matrix_synapse_admin_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_synapse_admin_container_labels_traefik_path_prefix | quote }}`){% endif %}" matrix_synapse_admin_container_labels_traefik_priority: 0 matrix_synapse_admin_container_labels_traefik_entrypoints: web-secure 
@@ -131,9 +131,14 @@ matrix_synapse_admin_floc_optout_enabled: true # See: `matrix_synapse_admin_http_header_strict_transport_security` matrix_synapse_admin_hsts_preload_enabled: false -# The path at which Synapse Admin will be exposed on `matrix.DOMAIN` when matrix-nginx-proxy is used. -# A path of `/` is likely not a good choice when matrix-nginx-proxy is used. +# The hostname at which Synapse Admin is served. +# Only works with with Traefik reverse-proxying. +# For matrix-nginx-proxy, `matrix_server_fqn_matrix` is used and this variable has no effect. +matrix_synapse_admin_hostname: "{{ matrix_server_fqn_matrix }}" + +# The path at which Synapse Admin is exposed. +# When matrix-nginx-proxy is used, setting this to values other than `/` will cause configuration mismatches and trouble. # # If Traefik is used, the hostname is also configurable - see `matrix_synapse_admin_container_labels_traefik_hostname`. # This value must either be `/` or not end with a slash (e.g. `/synapse-admin`). -matrix_synapse_admin_public_endpoint: /synapse-admin +matrix_synapse_admin_path_prefix: /synapse-admin diff --git a/roles/custom/matrix-synapse-admin/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-synapse-admin/tasks/inject_into_nginx_proxy.yml index 6a4af859c..a06f47a1d 100644 --- a/roles/custom/matrix-synapse-admin/tasks/inject_into_nginx_proxy.yml +++ b/roles/custom/matrix-synapse-admin/tasks/inject_into_nginx_proxy.yml 
@@ -12,9 +12,9 @@ - name: Generate Synapse Admin proxying configuration for matrix-nginx-proxy ansible.builtin.set_fact: matrix_synapse_admin_matrix_nginx_proxy_configuration: | - rewrite ^{{ matrix_synapse_admin_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_synapse_admin_public_endpoint }}/ permanent; + rewrite ^{{ matrix_synapse_admin_path_prefix }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_synapse_admin_path_prefix }}/ permanent; - location ~ ^{{ matrix_synapse_admin_public_endpoint }}/(.*) { + location ~ ^{{ matrix_synapse_admin_path_prefix }}/(.*) { {% if matrix_nginx_proxy_enabled | default(False) %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; @@ -40,7 +40,7 @@ msg: >- NOTE: You've enabled the Synapse Admin tool but are not using the matrix-nginx-proxy reverse proxy. - Please make sure that you're proxying the `{{ matrix_synapse_admin_public_endpoint }}` + Please make sure that you're proxying the `{{ matrix_synapse_admin_path_prefix }}` URL endpoint to the matrix-synapse-admin container. You can expose the container's port using the `matrix_synapse_admin_container_http_host_bind_port` variable. when: "not matrix_nginx_proxy_enabled | default(False) | bool" diff --git a/roles/custom/matrix-synapse-admin/tasks/validate_config.yml b/roles/custom/matrix-synapse-admin/tasks/validate_config.yml index 482435554..d02819863 100644 --- a/roles/custom/matrix-synapse-admin/tasks/validate_config.yml +++ b/roles/custom/matrix-synapse-admin/tasks/validate_config.yml 
@@ -10,6 +10,7 @@ - {'old': 'matrix_synapse_admin_docker_repo', 'new': 'matrix_synapse_admin_container_self_build_repo'} - {'old': 'matrix_synapse_admin_container_self_build', 'new': 'matrix_synapse_admin_container_image_self_build'} - {'old': 'matrix_synapse_admin_container_self_build_repo', 'new': 'matrix_synapse_admin_container_image_self_build_repo'} + - {'old': 'matrix_synapse_admin_public_endpoint', 'new': 'matrix_synapse_admin_path_prefix'} - when: matrix_synapse_admin_container_labels_traefik_enabled | bool block: From f28e7ef9c71f02c3935be0c0c8b3f21bcb69a26d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 14 Feb 2023 11:29:53 +0200 Subject: [PATCH 424/915] Add (native) Traefik support to matrix-client-cinny Previously, it had to go through matrix-nginx-proxy. It's exposed to Traefik directly via container labels now --- group_vars/matrix_servers | 8 ++ .../matrix-client-cinny/defaults/main.yml | 111 ++++++++++++++++++ .../tasks/setup_install.yml | 7 +- .../tasks/validate_config.yml | 20 ++++ .../matrix-client-cinny/templates/labels.j2 | 45 +++++++ .../systemd/matrix-client-cinny.service.j2 | 14 ++- 6 files changed, 202 insertions(+), 3 deletions(-) create mode 100644 roles/custom/matrix-client-cinny/templates/labels.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 1a131a285..6e311db1a 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -3020,6 +3020,14 @@ matrix_client_cinny_container_image_self_build: "{{ matrix_architecture not in [ # the HTTP port to the local host. matrix_client_cinny_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8080') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_client_cinny_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-client-cinny' }}" + +matrix_client_cinny_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" + +matrix_client_cinny_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" +matrix_client_cinny_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_client_cinny_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary if devture_traefik_enabled else '' }}" + matrix_client_cinny_default_hs_url: "{{ matrix_homeserver_url }}" matrix_client_cinny_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" diff --git a/roles/custom/matrix-client-cinny/defaults/main.yml b/roles/custom/matrix-client-cinny/defaults/main.yml index 5b15b42cd..5e5f216f9 100644 --- a/roles/custom/matrix-client-cinny/defaults/main.yml +++ b/roles/custom/matrix-client-cinny/defaults/main.yml 
@@ -14,17 +14,128 @@ matrix_client_cinny_docker_image_force_pull: "{{ matrix_client_cinny_docker_imag matrix_client_cinny_data_path: "{{ matrix_base_data_path }}/client-cinny" matrix_client_cinny_docker_src_files_path: "{{ matrix_client_cinny_data_path }}/docker-src" +# The base container network +matrix_client_cinny_container_network: matrix-client-cinny + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to a reverse proxy, which runs in a different container network. +matrix_client_cinny_container_additional_networks: [] + # Controls whether the container exposes its HTTP port (tcp/8080 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8768"), or empty string to not expose. matrix_client_cinny_container_http_host_bind_port: '' + +# matrix_client_cinny_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_client_cinny_container_labels_additional_labels`. +matrix_client_cinny_container_labels_traefik_enabled: true +matrix_client_cinny_container_labels_traefik_docker_network: "{{ matrix_client_cinny_container_network }}" +matrix_client_cinny_container_labels_traefik_hostname: "{{ matrix_client_cinny_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/cinny`). 
+matrix_client_cinny_container_labels_traefik_path_prefix: "{{ matrix_client_cinny_path_prefix }}" +matrix_client_cinny_container_labels_traefik_rule: "Host(`{{ matrix_client_cinny_container_labels_traefik_hostname }}`){% if matrix_client_cinny_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_client_cinny_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_client_cinny_container_labels_traefik_priority: 0 +matrix_client_cinny_container_labels_traefik_entrypoints: web-secure +matrix_client_cinny_container_labels_traefik_tls: "{{ matrix_client_cinny_container_labels_traefik_entrypoints != 'web' }}" +matrix_client_cinny_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. +# To add your own headers, use `matrix_client_cinny_container_labels_traefik_additional_response_headers_custom` +matrix_client_cinny_container_labels_traefik_additional_response_headers: "{{ matrix_client_cinny_container_labels_traefik_additional_response_headers_auto | combine(matrix_client_cinny_container_labels_traefik_additional_response_headers_custom) }}" +matrix_client_cinny_container_labels_traefik_additional_response_headers_auto: | + {{ + {} + | combine ({'X-XSS-Protection': matrix_client_cinny_http_header_xss_protection} if matrix_client_cinny_http_header_xss_protection else {}) + | combine ({'X-Frame-Options': matrix_client_cinny_http_header_frame_options} if matrix_client_cinny_http_header_frame_options else {}) + | combine ({'X-Content-Type-Options': matrix_client_cinny_http_header_content_type_options} if matrix_client_cinny_http_header_content_type_options else {}) + | combine ({'Content-Security-Policy': matrix_client_cinny_http_header_content_security_policy} if matrix_client_cinny_http_header_content_security_policy else {}) + | combine ({'Permission-Policy': matrix_client_cinny_http_header_content_permission_policy} if 
matrix_client_cinny_http_header_content_permission_policy else {}) + | combine ({'Strict-Transport-Security': matrix_client_cinny_http_header_strict_transport_security} if matrix_client_cinny_http_header_strict_transport_security and matrix_client_cinny_container_labels_traefik_tls else {}) + }} +matrix_client_cinny_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_client_cinny_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_client_cinny_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_client_cinny_container_labels_additional_labels: '' + # A list of extra arguments to pass to the container matrix_client_cinny_container_extra_arguments: [] # List of systemd services that matrix-client-cinny.service depends on matrix_client_cinny_systemd_required_services_list: ['docker.service'] +# Specifies the value of the `X-XSS-Protection` header +# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. +# +# Learn more about it is here: +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection +# - https://portswigger.net/web-security/cross-site-scripting/reflected +matrix_client_cinny_http_header_xss_protection: "1; mode=block" + +# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options +matrix_client_cinny_http_header_frame_options: SAMEORIGIN + +# Specifies the value of the `X-Content-Type-Options` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options +matrix_client_cinny_http_header_content_type_options: nosniff + +# Specifies the value of the `Content-Security-Policy` header. 
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy +matrix_client_cinny_http_header_content_security_policy: frame-ancestors 'self' + +# Specifies the value of the `Permission-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy +matrix_client_cinny_http_header_content_permission_policy: "{{ 'interest-cohort=() always' if matrix_client_cinny_floc_optout_enabled else '' }}" + +# Specifies the value of the `Strict-Transport-Security` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +matrix_client_cinny_http_header_strict_transport_security: "{{ '\"max-age=31536000; includeSubDomains; preload\" always' if matrix_client_cinny_hsts_preload_enabled else '\"max-age=31536000; includeSubDomains\" always' }}" + +# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses +# +# Learn more about what it is here: +# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea +# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network +# - https://amifloced.org/ +# +# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. 
+# See: `matrix_client_cinny_content_permission_policy` +matrix_client_cinny_floc_optout_enabled: true + +# Controls if HSTS preloading is enabled +# +# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and +# indicates a willingness to be "preloaded" into browsers: +# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` +# For more information visit: +# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +# - https://hstspreload.org/#opt-in +# See: `matrix_client_cinny_http_header_strict_transport_security` +matrix_client_cinny_hsts_preload_enabled: false + +# The hostname at which Cinny is served. +# Only works with with Traefik reverse-proxying. +# For matrix-nginx-proxy, `matrix_server_fqn_cinny` is used and this variable has no effect. +matrix_client_cinny_hostname: "{{ matrix_server_fqn_cinny }}" + +# The path at which Cinny is exposed. +# When matrix-nginx-proxy is used, setting this to values other than `/` will cause configuration mismatches and trouble. +# +# If Traefik is used, the hostname is also configurable - see `matrix_client_cinny_container_labels_traefik_hostname`. +# This value must either be `/` or not end with a slash (e.g. `/cinny`). +matrix_client_cinny_path_prefix: / + # Controls whether the self-check feature should validate SSL certificates. matrix_client_cinny_self_check_validate_certificates: true diff --git a/roles/custom/matrix-client-cinny/tasks/setup_install.yml b/roles/custom/matrix-client-cinny/tasks/setup_install.yml index 46458f0b0..e4eb79387 100644 --- a/roles/custom/matrix-client-cinny/tasks/setup_install.yml +++ b/roles/custom/matrix-client-cinny/tasks/setup_install.yml 
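Review bot: The HTTP header values in this hunk are written in nginx `add_header` syntax but are folded verbatim into `matrix_client_cinny_container_labels_traefik_additional_response_headers_auto`, which — judging by the hydrogen labels.j2 earlier in this series — is emitted as raw `customresponseheaders` label values: `matrix_client_cinny_http_header_strict_transport_security` renders as `"max-age=31536000; includeSubDomains" always` (literal quotes plus an `always` suffix) and the FLoC value ends in ` always`, so a browser would most likely reject the HSTS header as malformed and the protection this variable is meant to enable is not actually in effect. Suggest plain values, e.g. `matrix_client_cinny_http_header_strict_transport_security: "{{ 'max-age=31536000; includeSubDomains; preload' if matrix_client_cinny_hsts_preload_enabled else 'max-age=31536000; includeSubDomains' }}"` and `"{{ 'interest-cohort=()' if matrix_client_cinny_floc_optout_enabled else '' }}"`, adding the nginx decoration in the nginx templates if those also consume these variables. The dictionary key `Permission-Policy` is also not the standard header name (`Permissions-Policy`), and the closing comment points at `matrix_client_cinny_content_permission_policy`, which does not exist — the variable defined above is `matrix_client_cinny_http_header_content_permission_policy`. The doubled word in `Only works with with Traefik reverse-proxying.` recurs in the hydrogen, element and synapse-admin defaults hunks of this series.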
@@ -51,7 +51,7 @@ group: "{{ matrix_user_groupname }}" with_items: - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} - when: "item.src is not none" + - {src: "{{ role_path }}/templates/labels.j2", name: "labels"} - name: Ensure Cinny Docker image is built community.docker.docker_image: @@ -64,6 +64,11 @@ pull: true when: "matrix_client_cinny_container_image_self_build | bool" +- name: Ensure Cinny container network is created + community.general.docker_network: + name: "{{ matrix_client_cinny_container_network }}" + driver: bridge + - name: Ensure matrix-client-cinny.service installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-client-cinny.service.j2" diff --git a/roles/custom/matrix-client-cinny/tasks/validate_config.yml b/roles/custom/matrix-client-cinny/tasks/validate_config.yml index 10f64fee1..333872097 100644 --- a/roles/custom/matrix-client-cinny/tasks/validate_config.yml +++ b/roles/custom/matrix-client-cinny/tasks/validate_config.yml 
@@ -6,3 +6,23 @@ when: "vars[item] == '' or vars[item] is none" with_items: - "matrix_client_cinny_default_hs_url" + +- when: matrix_client_cinny_container_labels_traefik_enabled | bool + block: + - name: Fail if required matrix-client-cinny Traefik settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - matrix_client_cinny_container_labels_traefik_hostname + - matrix_client_cinny_container_labels_traefik_path_prefix + + # We ensure it doesn't end with a slash, because we handle both (slash and no-slash). + # Knowing that `matrix_client_cinny_container_labels_traefik_path_prefix` does not end with a slash + # ensures we know how to set these routes up without having to do "does it end with a slash" checks elsewhere. + - name: Fail if matrix_client_cinny_container_labels_traefik_path_prefix ends with a slash + ansible.builtin.fail: + msg: >- + matrix_client_cinny_container_labels_traefik_path_prefix (`{{ matrix_client_cinny_container_labels_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/cinny`). + when: "matrix_client_cinny_container_labels_traefik_path_prefix != '/' and matrix_client_cinny_container_labels_traefik_path_prefix[-1] == '/'" diff --git a/roles/custom/matrix-client-cinny/templates/labels.j2 b/roles/custom/matrix-client-cinny/templates/labels.j2 new file mode 100644 index 000000000..f1c4f49ad --- /dev/null +++ b/roles/custom/matrix-client-cinny/templates/labels.j2 
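Review bot: The new `Fail if required matrix-client-cinny Traefik settings not defined` task only tests `vars[item] == ''`, whereas the existing task at the top of this hunk also treats a null value as unset with `vars[item] == '' or vars[item] is none`; a hostname or path prefix explicitly set to null would therefore pass the new check and most likely render into the Traefik labels as the literal text `None`. The same `== ''`-only form appears in the Prometheus `validate_config.yml` hunk further down (the `matrix_prometheus_container_network` check), so both should use `when: "vars[item] == '' or vars[item] is none"` to stay consistent with the check that was already there. The trailing-slash task also leaves a prefix without a leading slash (e.g. `cinny`) uncaught; whether that breaks routing depends on how `matrix_client_cinny_container_labels_traefik_rule` is composed, which is outside this hunk.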
@@ -0,0 +1,45 @@
+{% if matrix_client_cinny_container_labels_traefik_enabled %}
+traefik.enable=true
+
+{% if matrix_client_cinny_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_client_cinny_container_labels_traefik_docker_network }}
+{% endif %}
+
+{% set middlewares = [] %}
+
+{% if matrix_client_cinny_container_labels_traefik_path_prefix != '/' %}
+traefik.http.middlewares.matrix-client-cinny-slashless-redirect.redirectregex.regex=({{ matrix_client_cinny_container_labels_traefik_path_prefix | quote }})$
+traefik.http.middlewares.matrix-client-cinny-slashless-redirect.redirectregex.replacement=${1}/
+{% set middlewares = middlewares + ['matrix-client-cinny-slashless-redirect'] %}
+{% endif %}
+
+{% if matrix_client_cinny_container_labels_traefik_path_prefix != '/' %}
+traefik.http.middlewares.matrix-client-cinny-strip-prefix.stripprefix.prefixes={{ matrix_client_cinny_container_labels_traefik_path_prefix }}
+{% set middlewares = middlewares + ['matrix-client-cinny-strip-prefix'] %}
+{% endif %}
+
+{% if matrix_client_cinny_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
+{% for name, value in matrix_client_cinny_container_labels_traefik_additional_response_headers.items() %}
+traefik.http.middlewares.matrix-client-cinny-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
+{% endfor %}
+{% set middlewares = middlewares + ['matrix-client-cinny-add-headers'] %}
+{% endif %}
+
+traefik.http.routers.matrix-client-cinny.rule={{ matrix_client_cinny_container_labels_traefik_rule }}
+{% if matrix_client_cinny_container_labels_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-client-cinny.priority={{ matrix_client_cinny_container_labels_traefik_priority }}
+{% endif %}
+traefik.http.routers.matrix-client-cinny.service=matrix-client-cinny
+{% if middlewares | length > 0 %}
+traefik.http.routers.matrix-client-cinny.middlewares={{ middlewares | join(',') }}
+{% endif %}
+traefik.http.routers.matrix-client-cinny.entrypoints={{ matrix_client_cinny_container_labels_traefik_entrypoints }}
+traefik.http.routers.matrix-client-cinny.tls={{ matrix_client_cinny_container_labels_traefik_tls | to_json }}
+{% if matrix_client_cinny_container_labels_traefik_tls %}
+traefik.http.routers.matrix-client-cinny.tls.certResolver={{ matrix_client_cinny_container_labels_traefik_tls_certResolver }}
+{% endif %}
+
+traefik.http.services.matrix-client-cinny.loadbalancer.server.port=8080
+{% endif %}
+
+{{ matrix_client_cinny_container_labels_additional_labels }}
diff --git a/roles/custom/matrix-client-cinny/templates/systemd/matrix-client-cinny.service.j2 b/roles/custom/matrix-client-cinny/templates/systemd/matrix-client-cinny.service.j2
index b9a66c74b..2c49a0f3b 100644
--- a/roles/custom/matrix-client-cinny/templates/systemd/matrix-client-cinny.service.j2
+++ b/roles/custom/matrix-client-cinny/templates/systemd/matrix-client-cinny.service.j2
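Review bot: The `redirectregex.regex` label passes the path prefix through `quote`, which is Ansible's shell-quoting filter rather than a regex escape, so a prefix containing regex metacharacters (a `.` or `+`, for example) would be interpreted by Traefik instead of matched literally. The filter intended for this is `regex_escape`: `traefik.http.middlewares.matrix-client-cinny-slashless-redirect.redirectregex.regex=({{ matrix_client_cinny_container_labels_traefik_path_prefix | regex_escape }})$`. Separately, the only response headers this template emits come from `matrix_client_cinny_container_labels_traefik_additional_response_headers`, while the nginx path in `defaults/main.yml` carries CSP, Permissions-Policy and HSTS defaults (`matrix_client_cinny_http_header_*`); whether those defaults are mapped into the Traefik dict is not visible in this commit, and a one-line comment above the `add-headers` block stating where the Traefik header set is expected to come from would save the next reader from assuming the two paths are equivalent.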
@@ -13,15 +13,18 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-client-cinny 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-client-cinny 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-client-cinny \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-client-cinny \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_client_cinny_container_network }} \ {% if matrix_client_cinny_container_http_host_bind_port %} -p {{ matrix_client_cinny_container_http_host_bind_port }}:8080 \ {% endif %} + --label-file={{ matrix_client_cinny_data_path }}/labels \ --tmpfs=/tmp:rw,noexec,nosuid,size=10m \ --mount type=bind,src={{ matrix_client_cinny_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ --mount type=bind,src={{ matrix_client_cinny_data_path }}/config.json,dst=/app/config.json,ro \ 
@@ -30,8 +33,15 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {% endfor %} {{ matrix_client_cinny_docker_image }} +{% for network in matrix_client_cinny_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-client-cinny +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-client-cinny + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-client-cinny 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-client-cinny 2>/dev/null || true' + Restart=always RestartSec=30 SyslogIdentifier=matrix-client-cinny From 6727aa55ec99f3cc9e82384b46d9111669a62ff4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Tue, 14 Feb 2023 13:36:04 +0100 Subject: [PATCH 425/915] Bump element version MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Julian-Samuel Gebühr --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 85d8d6cfa..6fd686477 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml 
@@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.11.22 +matrix_client_element_version: v1.11.23 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From c98f40c8360d315c49ea626e12e630e7f9f5b3bd Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 14 Feb 2023 17:49:16 +0000 Subject: [PATCH 426/915] Update hydrogen 0.3.7 -> 0.3.8 --- roles/custom/matrix-client-hydrogen/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-hydrogen/defaults/main.yml b/roles/custom/matrix-client-hydrogen/defaults/main.yml index 6ead5f446..35d18cd9e 100644 --- a/roles/custom/matrix-client-hydrogen/defaults/main.yml +++ b/roles/custom/matrix-client-hydrogen/defaults/main.yml 
@@ -6,7 +6,7 @@ matrix_client_hydrogen_enabled: true matrix_client_hydrogen_container_image_self_build: false matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git" -matrix_client_hydrogen_version: v0.3.7 +matrix_client_hydrogen_version: v0.3.8 matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vector-im/hydrogen-web:{{ matrix_client_hydrogen_version }}" matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build else 'ghcr.io/' }}" matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" From 357080863315fbc69ef1280b7fa2ad546d9151ec Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 14 Feb 2023 17:50:55 +0000 Subject: [PATCH 427/915] Update synapse 1.76.0 -> 1.77.0 --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 18165dd93..93d1ee021 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -36,7 +36,7 @@ matrix_synapse_container_image_customizations_dockerfile_body_custom: '' matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:{{ matrix_synapse_docker_image_tag }}" matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else matrix_container_global_registry_prefix }}" -matrix_synapse_version: v1.76.0 +matrix_synapse_version: v1.77.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From 4045d72e7baafe17801fd8af8e8fd8dcc65d5cbb Mon Sep 17 00:00:00 2001 
From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 14 Feb 2023 20:04:27 +0000 Subject: [PATCH 428/915] update postmoogle 0.9.13 -> 0.9.14 * make banlist consistent * proper multi-error message * ignore "." MX hosts * try recipient domain directly, even when MX records found, but failed --- roles/custom/matrix-bot-postmoogle/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-postmoogle/defaults/main.yml b/roles/custom/matrix-bot-postmoogle/defaults/main.yml index b3b12fef3..4eeb835be 100644 --- a/roles/custom/matrix-bot-postmoogle/defaults/main.yml +++ b/roles/custom/matrix-bot-postmoogle/defaults/main.yml @@ -9,7 +9,7 @@ matrix_bot_postmoogle_docker_repo: "https://gitlab.com/etke.cc/postmoogle.git" matrix_bot_postmoogle_docker_repo_version: "{{ 'main' if matrix_bot_postmoogle_version == 'latest' else matrix_bot_postmoogle_version }}" matrix_bot_postmoogle_docker_src_files_path: "{{ matrix_base_data_path }}/postmoogle/docker-src" -matrix_bot_postmoogle_version: v0.9.13 +matrix_bot_postmoogle_version: v0.9.14 matrix_bot_postmoogle_docker_image: "{{ matrix_bot_postmoogle_docker_image_name_prefix }}etke.cc/postmoogle:{{ matrix_bot_postmoogle_version }}" matrix_bot_postmoogle_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_postmoogle_container_image_self_build else 'registry.gitlab.com/' }}" matrix_bot_postmoogle_docker_image_force_pull: "{{ matrix_bot_postmoogle_docker_image.endswith(':latest') }}" From c85d48c45ccc659ef7249d4e98bf0532708505bb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 14 Feb 2023 22:46:34 +0200 Subject: [PATCH 429/915] Remove Traefik labels for Hydrogen & Cinny from matrix-nginx-proxy Related to 6a52be79877 and 28e7ef9c71f02 --- group_vars/matrix_servers | 2 -- .../matrix-nginx-proxy/defaults/main.yml | 10 -------- .../matrix-nginx-proxy/templates/labels.j2 | 25 ------------------- 3 files changed, 37 deletions(-) 
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 6e311db1a..3c0737f4a 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2398,8 +2398,6 @@ matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_playbook_ matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true -matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}" -matrix_nginx_proxy_container_labels_traefik_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}" diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index b443cc728..2b3d1eb11 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml 
@@ -61,16 +61,6 @@ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule: "Host(`{{ matrix_ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint: "{{ matrix_federation_traefik_entrypoint }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints: "{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint }}" -matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_enabled: false -matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}" -matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" -matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_hostname }}`)" - -matrix_nginx_proxy_container_labels_traefik_proxy_cinny_enabled: false -matrix_nginx_proxy_container_labels_traefik_proxy_cinny_hostname: "{{ matrix_server_fqn_cinny }}" -matrix_nginx_proxy_container_labels_traefik_proxy_cinny_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" -matrix_nginx_proxy_container_labels_traefik_proxy_cinny_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_cinny_hostname }}`)" - matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled: false matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_hostname: "{{ matrix_server_fqn_buscarron }}" matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2 index d629ce00d..2676b0610 100644 --- a/roles/custom/matrix-nginx-proxy/templates/labels.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2 
@@ -38,31 +38,6 @@ traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.certResolver={{ ma traefik.http.routers.matrix-nginx-proxy-matrix-federation.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints }} {% endif %} - -{% if matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_enabled %} -# Hydrogen -traefik.http.routers.matrix-nginx-proxy-hydrogen.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_rule }} -traefik.http.routers.matrix-nginx-proxy-hydrogen.service=matrix-nginx-proxy-web -traefik.http.routers.matrix-nginx-proxy-hydrogen.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_tls | to_json }} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_tls %} -traefik.http.routers.matrix-nginx-proxy-hydrogen.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} -{% endif %} -traefik.http.routers.matrix-nginx-proxy-hydrogen.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} -{% endif %} - - -{% if matrix_nginx_proxy_container_labels_traefik_proxy_cinny_enabled %} -# Cinny -traefik.http.routers.matrix-nginx-proxy-cinny.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_cinny_rule }} -traefik.http.routers.matrix-nginx-proxy-cinny.service=matrix-nginx-proxy-web -traefik.http.routers.matrix-nginx-proxy-cinny.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_cinny_tls | to_json }} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_cinny_tls %} -traefik.http.routers.matrix-nginx-proxy-cinny.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} -{% endif %} -traefik.http.routers.matrix-nginx-proxy-cinny.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} -{% endif %} - - {% if matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled %} # Buscarron traefik.http.routers.matrix-nginx-proxy-buscarron.rule={{ 
matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_rule }} From 7fca8dc986c7032ad2e0c8e2097f3a46ba251297 Mon Sep 17 00:00:00 2001 From: Array in a Matrix Date: Tue, 14 Feb 2023 20:38:24 -0500 Subject: [PATCH 430/915] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index fa9064370..174ea4c37 100644 --- a/README.md +++ b/README.md @@ -55,7 +55,7 @@ Services that run on the server to make the various parts of your installation w | [nginx](http://nginx.org/) | ✓ | Web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](docs/configuring-playbook-own-webserver.md) | [Link](docs/configuring-playbook-nginx.md) | | [Let's Encrypt](https://letsencrypt.org/) | ✓ | Free SSL certificate, which secures the connection to the Synapse server and the Element web UI | [Link](docs/configuring-playbook-ssl-certificates.md) | | [ma1sd](https://github.com/ma1uta/ma1sd) | x | Matrix Identity Server | [Link](docs/configuring-playbook-ma1sd.md) -| [Exim](https://www.exim.org/) | ✓ | Mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) | - | +| [Exim](https://www.exim.org/) | ✓ | Mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) | [Link](docs/configuring-playbook-email.md) | | [Dimension](https://github.com/turt2live/matrix-dimension) | x | An open source integrations manager for matrix clients | [Link](docs/configuring-playbook-dimension.md) | | [Sygnal](https://github.com/matrix-org/sygnal) | x | Push gateway | [Link](docs/configuring-playbook-sygnal.md) | | [ntfy](https://ntfy.sh) | x | Push notifications server | [Link](docs/configuring-playbook-ntfy.md) | From 0b9dc56edffb3f85deb2919a7d4e2f9f69c0fe78 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Wed, 15 Feb 2023 06:03:55 +0200 Subject: [PATCH 431/915] Add type support to matrix_coturn_container_additional_volumes .. and try to auto-switch between `bind` and `volume` depending on whether there's a slash in the `src` path. Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2482 --- roles/custom/matrix-coturn/defaults/main.yml | 3 ++- .../matrix-coturn/templates/systemd/matrix-coturn.service.j2 | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-coturn/defaults/main.yml b/roles/custom/matrix-coturn/defaults/main.yml index 47577a467..9922f1d01 100644 --- a/roles/custom/matrix-coturn/defaults/main.yml +++ b/roles/custom/matrix-coturn/defaults/main.yml @@ -39,7 +39,8 @@ matrix_coturn_systemd_required_services_list: ['docker.service'] # A list of additional "volumes" to mount in the container. # This list gets populated dynamically at runtime. You can provide a different default value, # if you wish to mount your own files into the container. -# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} +# Contains definition objects like this: `{"type": "bind", "src": "/outside", "dst": "/inside", "options": "readonly"}. +# See the `--mount` documentation for the `docker run` command. matrix_coturn_container_additional_volumes: [] # A list of extra arguments to pass to the container diff --git a/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index 523ad1cca..2c0c9cd9e 100644 --- a/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2 
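Review bot: The rewritten example comment on `matrix_coturn_container_additional_volumes` opens a backtick before `{"type": "bind", ...` but never closes it (the line ends with `}.`), so everything after it reads as unterminated code in editors and rendered docs; the closing backtick belongs after the `}` and before the period. The commit message also describes the auto-selection between `bind` and `volume` when `type` is omitted, which the comment does not mention; a line such as `# If "type" is omitted, "bind" is assumed when "src" contains a slash and "volume" otherwise.` would document what the service template actually does.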
@@ -35,7 +35,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {% endif %} --mount type=bind,src={{ matrix_coturn_config_path }},dst=/turnserver.conf,ro \ {% for volume in matrix_coturn_container_additional_volumes %} - --mount type=bind,src={{ volume.src }},dst={{ volume.dst }}{{ (',' + volume.options) if volume.options else '' }} \ + --mount type={{ volume.type | default('bind' if '/' in volume.src else 'volume') }},src={{ volume.src }},dst={{ volume.dst }}{{ (',' + volume.options) if volume.options else '' }} \ {% endfor %} {% for arg in matrix_coturn_container_extra_arguments %} {{ arg }} \ From b648d4579f65d0cdd042d22124ff20ed3bc7323e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 15 Feb 2023 07:30:36 +0200 Subject: [PATCH 432/915] Make it clear that certain matrix_nginx_proxy_* variables are necessary for now, even with Traefik Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2480 --- CHANGELOG.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3b2716ef8..bbf1772d3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -74,7 +74,7 @@ Unless we have some regression, **existing users should be able to update their #### How do I explicitly switch to Traefik right now? -**Users who want to migrate to Traefik** today, can do so by using configuration like this: +**Users who wish to migrate to Traefik** today, can do so by **adding** this to their configuration: ```yaml matrix_playbook_reverse_proxy_type: playbook-managed-traefik 
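Review bot: The changed `--mount` line now defaults `volume.type` but still reads `volume.options` without a default, so an entry that omits the `options` key is likely to fail template rendering with an undefined-variable error under Ansible's strict undefined handling rather than mount with no extra options. Since the line already tolerates a missing `type`, giving `options` the same treatment keeps the two keys consistent: `{{ (',' + volume.options) if (volume.options | default('')) else '' }}`. The `'/' in volume.src` heuristic itself looks sound, as Docker volume names cannot contain a slash.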
@@ -82,6 +82,8 @@ matrix_playbook_reverse_proxy_type: playbook-managed-traefik devture_traefik_ssl_email_address: YOUR_EMAIL_ADDRESS ``` +You may still need to keep certain old `matrix_nginx_proxy_*` variables (like `matrix_nginx_proxy_base_domain_serving_enabled`), even when using Traefik. For now, we recommend keeping all `matrix_nginx_proxy_*` variables just in case. In the future, reliance on `matrix-nginx-proxy` will be removed. + Switching to Traefik will obtain new SSL certificates from Let's Encrypt (stored in `/devture-traefik/ssl/acme.json`). **The switch is reversible**. You can always go back to `playbook-managed-nginx` if Traefik is causing you trouble. **Note**: toggling `matrix_playbook_reverse_proxy_type` between Traefik and nginx will uninstall the Traefik role and all of its data (under `/devture-traefik`), so you may run into a Let's Encrypt rate limit if you do it often. From b6d45304b4b19639539b9e31f6589009d54fe0b1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 15 Feb 2023 08:49:30 +0200 Subject: [PATCH 433/915] Make sure group_vars/matrix_servers is indented like other YAML files (with 2 spaces) --- .editorconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.editorconfig b/.editorconfig index 6d5dc09a1..996cf9b44 100644 --- a/.editorconfig +++ b/.editorconfig @@ -15,7 +15,7 @@ trim_trailing_whitespace = true ######################### # YAML Files -[*.{yml,yaml,log.config.j2,yaml.j2}] +[*.{yml,yaml,log.config.j2,yaml.j2,group_vars/matrix_servers}] indent_style = space indent_size = 2 From 59a3646c66dcc0314c9622907c5278ec10e05e30 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 15 Feb 2023 08:50:31 +0200 Subject: [PATCH 434/915] Make .editorconfig for group_vars/matrix_servers cleaner It's the same result as b6d45304b4b19, but it's done in a cleaner way. --- .editorconfig | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.editorconfig b/.editorconfig index 996cf9b44..fac22d42c 100644 
--- a/.editorconfig +++ b/.editorconfig @@ -15,7 +15,11 @@ trim_trailing_whitespace = true ######################### # YAML Files -[*.{yml,yaml,log.config.j2,yaml.j2,group_vars/matrix_servers}] +[*.{yml,yaml,log.config.j2,yaml.j2}] +indent_style = space +indent_size = 2 + +[group_vars/matrix_servers] indent_style = space indent_size = 2 From 94124263a7c3414b96fdd72cc35dbf16f7af57d6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 15 Feb 2023 08:56:03 +0200 Subject: [PATCH 435/915] Add matrix_prometheus_container_network/matrix_prometheus_container_additional_networks --- group_vars/matrix_servers | 2 ++ roles/custom/matrix-prometheus/defaults/main.yml | 8 ++++++++ .../matrix-prometheus/tasks/setup_install.yml | 5 +++++ .../matrix-prometheus/tasks/validate_config.yml | 8 ++++++++ .../templates/systemd/matrix-prometheus.service.j2 | 14 +++++++++++--- 5 files changed, 34 insertions(+), 3 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 3c0737f4a..3e64c14ab 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -3296,6 +3296,8 @@ matrix_prometheus_nginxlog_exporter_enabled: false matrix_prometheus_enabled: false +matrix_prometheus_container_network: "{{ matrix_docker_network }}" + # Normally, matrix-nginx-proxy is enabled and nginx can reach Prometheus over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # Prometheus' HTTP port to the local host. diff --git a/roles/custom/matrix-prometheus/defaults/main.yml b/roles/custom/matrix-prometheus/defaults/main.yml index 956faf461..fddacfb45 100644 --- a/roles/custom/matrix-prometheus/defaults/main.yml +++ b/roles/custom/matrix-prometheus/defaults/main.yml 
@@ -22,6 +22,14 @@ matrix_prometheus_systemd_required_services_list: ['docker.service'] # List of systemd services that matrix-prometheus.service wants matrix_prometheus_systemd_wanted_services_list: [] +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_prometheus_container_network: '' + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_prometheus_container_additional_networks: [] + # Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9090 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:9090"), or empty string to not expose. diff --git a/roles/custom/matrix-prometheus/tasks/setup_install.yml b/roles/custom/matrix-prometheus/tasks/setup_install.yml index 1d3d66694..f606e268e 100644 --- a/roles/custom/matrix-prometheus/tasks/setup_install.yml +++ b/roles/custom/matrix-prometheus/tasks/setup_install.yml @@ -45,6 +45,11 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" +- name: Ensure Prometheus container network is created + community.general.docker_network: + name: "{{ matrix_prometheus_container_network }}" + driver: bridge + - name: Ensure matrix-prometheus.service installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-prometheus.service.j2" diff --git a/roles/custom/matrix-prometheus/tasks/validate_config.yml b/roles/custom/matrix-prometheus/tasks/validate_config.yml index 3e3863042..49121e7e0 100644 --- a/roles/custom/matrix-prometheus/tasks/validate_config.yml +++ b/roles/custom/matrix-prometheus/tasks/validate_config.yml 
@@ -5,3 +5,11 @@ msg: > You need to enable `matrix_prometheus_scraper_synapse_enabled` and/or `matrix_prometheus_scraper_node_enabled` for Prometheus grab metrics. when: "not matrix_prometheus_scraper_synapse_enabled and not matrix_prometheus_scraper_node_enabled" + +- name: Fail if required Prometheus settings not defined + ansible.builtin.fail: + msg: > + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - matrix_prometheus_container_network diff --git a/roles/custom/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 b/roles/custom/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 index 584557344..2b716db6b 100644 --- a/roles/custom/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 +++ b/roles/custom/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 @@ -16,13 +16,14 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-prometheus 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-prometheus 2>/dev/null || true' - -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-prometheus \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-prometheus \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_prometheus_container_network }} \ {% if matrix_prometheus_container_http_host_bind_port %} -p {{ matrix_prometheus_container_http_host_bind_port }}:9090 \ {% endif %} 
@@ -33,8 +34,15 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {% endfor %} {{ matrix_prometheus_docker_image }} {{ matrix_prometheus_process_arguments|join(' ') }} +{% for network in matrix_prometheus_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-prometheus +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-prometheus + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-prometheus 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-prometheus 2>/dev/null || true' + Restart=always RestartSec=30 SyslogIdentifier=matrix-prometheus From 1006b8d8996b81c7f44914bf86ddef9a2653cdde Mon Sep 17 00:00:00 2001 
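Review bot: The `docker network connect {{ network }} matrix-prometheus` lines are plain `ExecStartPre=` entries (no `-` prefix), so a missing or misspelled network in `matrix_prometheus_container_additional_networks` aborts every (re)start of Prometheus, and with `Restart=always` the unit then loops every 30 seconds — consistent with the defaults comment that the role does not create these networks, but the failure is only visible at service start. A playbook-time check in `validate_config.yml` or `setup_install.yml` that queries each additional network with `community.docker.docker_network_info` and fails when it does not exist would catch this before the unit is installed. The surrounding `ExecStart`/`ExecStop` lines are otherwise unchanged and look right.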
From: Slavi Pantaleev Date: Wed, 15 Feb 2023 10:30:58 +0200 Subject: [PATCH 436/915] Replace matrix-grafana with an external role --- CHANGELOG.md | 11 +++ ...configuring-playbook-prometheus-grafana.md | 14 ++-- ...onfiguring-playbook-prometheus-nginxlog.md | 6 +- group_vars/matrix_servers | 69 +++++++++++++----- playbooks/matrix.yml | 2 +- requirements.yml | 3 + roles/custom/matrix-grafana/defaults/main.yml | 65 ----------------- roles/custom/matrix-grafana/tasks/main.yml | 20 ----- .../matrix-grafana/tasks/setup_install.yml | 73 ------------------- .../matrix-grafana/tasks/setup_uninstall.yml | 20 ----- .../matrix-grafana/tasks/validate_config.yml | 16 ---- .../templates/dashboards.yaml.j2 | 9 --- .../templates/datasources.yaml.j2 | 8 -- .../matrix-grafana/templates/grafana.ini.j2 | 29 -------- .../systemd/matrix-grafana.service.j2 | 43 ----------- .../matrix-nginx-proxy/defaults/main.yml | 5 -- .../matrix-nginx-proxy/templates/labels.j2 | 13 ---- .../tasks/setup_install.yml | 4 +- .../tasks/setup_uninstall.yml | 2 +- .../defaults/main.yml | 3 + .../tasks/validate_config.yml | 15 ++++ 21 files changed, 97 insertions(+), 333 deletions(-) delete mode 100644 roles/custom/matrix-grafana/defaults/main.yml delete mode 100644 roles/custom/matrix-grafana/tasks/main.yml delete mode 100644 roles/custom/matrix-grafana/tasks/setup_install.yml delete mode 100644 roles/custom/matrix-grafana/tasks/setup_uninstall.yml delete mode 100644 roles/custom/matrix-grafana/tasks/validate_config.yml delete mode 100644 roles/custom/matrix-grafana/templates/dashboards.yaml.j2 delete mode 100644 roles/custom/matrix-grafana/templates/datasources.yaml.j2 delete mode 100644 roles/custom/matrix-grafana/templates/grafana.ini.j2 delete mode 100644 roles/custom/matrix-grafana/templates/systemd/matrix-grafana.service.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index bbf1772d3..b47433d7d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,14 @@ +# 2023-02-15 + +## The matrix-grafana role lives independently now + +**TLDR**: the `matrix-grafana` role is now included from another repository. Some variables have been renamed. All functionality remains intact. + +The `matrix-grafana` role (which configures [Grafana](docs/configuring-playbook-prometheus-grafana.md)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/grafana). This makes it possible to easily use it in other Ansible playbooks. + +You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're enabling Grafana or not. If you're making use of Grafana via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_grafana_` -> `grafana_`). + + # 2023-02-13 ## The matrix-backup-borg role lives independently now diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index 956b05736..de05d690c 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md @@ -18,16 +18,16 @@ prometheus_postgres_exporter_enabled: true # You can remove this, if unnecessary. matrix_prometheus_nginxlog_exporter_enabled: true -matrix_grafana_enabled: true +grafana_enabled: true -matrix_grafana_anonymous_access: false +grafana_anonymous_access: false # This has no relation to your Matrix user id. It can be any username you'd like. # Changing the username subsequently won't work. -matrix_grafana_default_admin_user: "some_username_chosen_by_you" +grafana_default_admin_user: "some_username_chosen_by_you" # Changing the password subsequently won't work. -matrix_grafana_default_admin_password: "some_strong_password_chosen_by_you" +grafana_default_admin_password: "some_strong_password_chosen_by_you" ``` By default, a [Grafana](https://grafana.com/) web user-interface will be available at `https://stats.`. 
@@ -43,9 +43,9 @@ Name | Description `prometheus_node_exporter_enabled`|[Node Exporter](https://prometheus.io/docs/guides/node-exporter/) is an addon of sorts to Prometheus that collects generic system information such as CPU, memory, filesystem, and even system temperatures `prometheus_postgres_exporter_enabled`|[Postgres Exporter](configuring-playbook-prometheus-postgres.md) is an addon of sorts to expose Postgres database metrics to Prometheus. `matrix_prometheus_nginxlog_exporter_enabled`|[NGINX Log Exporter](configuring-playbook-prometheus-nginxlog.md) is an addon of sorts to expose NGINX logs to Prometheus. -`matrix_grafana_enabled`|[Grafana](https://grafana.com/) is the visual component. It shows (on the `stats.` subdomain) the dashboards with the graphs that we're interested in -`matrix_grafana_anonymous_access`|By default you need to log in to see graphs. If you want to publicly share your graphs (e.g. when asking for help in [`#synapse:matrix.org`](https://matrix.to/#/#synapse:matrix.org?via=matrix.org&via=privacytools.io&via=mozilla.org)) you'll want to enable this option. -`matrix_grafana_default_admin_user`
    `matrix_grafana_default_admin_password`|By default Grafana creates a user with `admin` as the username and password. If you feel this is insecure and you want to change it beforehand, you can do that here +`grafana_enabled`|[Grafana](https://grafana.com/) is the visual component. It shows (on the `stats.` subdomain) the dashboards with the graphs that we're interested in +`grafana_anonymous_access`|By default you need to log in to see graphs. If you want to publicly share your graphs (e.g. when asking for help in [`#synapse:matrix.org`](https://matrix.to/#/#synapse:matrix.org?via=matrix.org&via=privacytools.io&via=mozilla.org)) you'll want to enable this option. +`grafana_default_admin_user`
    `grafana_default_admin_password`|By default Grafana creates a user with `admin` as the username and password. If you feel this is insecure and you want to change it beforehand, you can do that here ## Security and privacy diff --git a/docs/configuring-playbook-prometheus-nginxlog.md b/docs/configuring-playbook-prometheus-nginxlog.md index 832efbd8d..321a1d6e6 100644 --- a/docs/configuring-playbook-prometheus-nginxlog.md +++ b/docs/configuring-playbook-prometheus-nginxlog.md @@ -15,13 +15,13 @@ matrix_prometheus_nginxlog_exporter_enabled: true matrix_prometheus_enabled: true # optional for visualization -matrix_grafana_enabled: true +grafana_enabled: true ``` x | Prerequisites | Variable | Description |:--:|:--:|:--:|:--| **REQUIRED** | `matrix-prometheus`| `matrix_prometheus_enabled`|[Prometheus](https://prometheus.io) is a time series database. It holds all the data we're going to talk about. -_Optional_ | [`matrix-grafana`](configuring-playbook-prometheus-grafana.md) | [`matrix_grafana_enabled`](configuring-playbook-prometheus-grafana.md)|[Grafana](https://grafana.com) is the visual component. It shows (on the `stats.` subdomain) graphs that we're interested in. When enabled the `NGINX PROXY` dashboard is automatically added. +_Optional_ | [`matrix-grafana`](configuring-playbook-prometheus-grafana.md) | [`grafana_enabled`](configuring-playbook-prometheus-grafana.md)|[Grafana](https://grafana.com) is the visual component. It shows (on the `stats.` subdomain) graphs that we're interested in. When enabled the `NGINX PROXY` dashboard is automatically added. ## Docker Image Compatibility 
@@ -56,4 +56,4 @@ The following variables may be of interest: Name | Description -----|---------- -`matrix_nginx_proxy_proxy_matrix_metrics_enabled`|Set this to `true` to enable metrics exposure for various services on `https://matrix.DOMAIN/metrics/*`. Refer to the individual `matrix_SERVICE_metrics_proxying_enabled` variables below for exposing metrics for each individual service. \ No newline at end of file +`matrix_nginx_proxy_proxy_matrix_metrics_enabled`|Set this to `true` to enable metrics exposure for various services on `https://matrix.DOMAIN/metrics/*`. Refer to the individual `matrix_SERVICE_metrics_proxying_enabled` variables below for exposing metrics for each individual service. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 3e64c14ab..76b718ef1 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -306,7 +306,7 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-etherpad.service', 'priority': 4000, 'groups': ['matrix', 'etherpad']}] if matrix_etherpad_enabled else []) + - ([{'name': 'matrix-grafana.service', 'priority': 4000, 'groups': ['matrix', 'monitoring', 'grafana']}] if matrix_grafana_enabled else []) + ([{'name': (grafana_identifier + '.service'), 'priority': 4000, 'groups': ['matrix', 'monitoring', 'grafana']}] if grafana_enabled else []) + ([{'name': 'matrix-jitsi-web.service', 'priority': 4200, 'groups': ['matrix', 'jitsi', 'jitsi-web']}] if matrix_jitsi_enabled else []) + 
@@ -2389,7 +2389,7 @@ matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" matrix_nginx_proxy_proxy_jitsi_manage_wellknown: "{{ matrix_jitsi_require_well_known }}" -matrix_nginx_proxy_proxy_grafana_enabled: "{{ matrix_grafana_enabled }}" +matrix_nginx_proxy_proxy_grafana_enabled: "{{ grafana_enabled }}" matrix_nginx_proxy_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled }}" matrix_nginx_proxy_proxy_ntfy_enabled: "{{ matrix_ntfy_enabled }}" @@ -2403,7 +2403,6 @@ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled: "{{ matrix_ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}" matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" -matrix_nginx_proxy_container_labels_traefik_proxy_grafana_enabled: "{{ matrix_grafana_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_enabled: "{{ matrix_ntfy_enabled }}" @@ -2481,7 +2480,7 @@ matrix_nginx_proxy_systemd_wanted_services_list: | + (['matrix-client-hydrogen.service'] if matrix_client_hydrogen_enabled else []) + - (['matrix-grafana.service'] if matrix_grafana_enabled else []) + ([(grafana_idenifier + '.service')] if grafana_enabled else []) + (['matrix-dimension.service'] if matrix_dimension_enabled else []) + @@ -2520,7 +2519,7 @@ matrix_ssl_domains_to_obtain_certificates_for: | + ([matrix_server_fqn_jitsi] if matrix_jitsi_enabled else []) + - ([matrix_server_fqn_grafana] if matrix_grafana_enabled else []) + ([matrix_server_fqn_grafana] if grafana_enabled else []) + ([matrix_server_fqn_sygnal] if matrix_sygnal_enabled else []) + 
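Review bot: `grafana_idenifier` in the `matrix_nginx_proxy_systemd_wanted_services_list` hunk is a typo for `grafana_identifier` (the `@@ -306` hunk above spells it correctly). Because the Jinja conditional only evaluates that operand when `grafana_enabled` is true, exactly the deployments that enable Grafana will fail with an undefined-variable error when this list is rendered. The line should read `([(grafana_identifier + '.service')] if grafana_enabled else [])`.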
@@ -2938,7 +2937,7 @@ matrix_client_element_container_additional_networks: "{{ [matrix_playbook_revers matrix_client_element_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" matrix_client_element_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" -matrix_client_element_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary if devture_traefik_enabled else '' }}" +matrix_client_element_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" matrix_client_element_default_hs_url: "{{ matrix_homeserver_url }}" matrix_client_element_default_is_url: "{{ matrix_identity_server_url }}" @@ -2991,7 +2990,7 @@ matrix_client_hydrogen_container_additional_networks: "{{ [matrix_playbook_rever matrix_client_hydrogen_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" matrix_client_hydrogen_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" -matrix_client_hydrogen_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary if devture_traefik_enabled else '' }}" +matrix_client_hydrogen_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" matrix_client_hydrogen_default_hs_url: "{{ matrix_homeserver_url }}" 
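Review bot: Dropping the `if devture_traefik_enabled else ''` fallback from the `matrix_client_element_container_labels_traefik_entrypoints` line (and its three siblings below) changes behaviour for setups where labels are enabled but the playbook-managed Traefik role is not, i.e. `other-traefik-container`: the entrypoint label now carries whatever `devture_traefik_entrypoint_primary` holds instead of being empty. This is unrelated to the Grafana extraction and is not mentioned in the commit message or the CHANGELOG entry. If it is deliberate, a sentence in the changelog saying that `devture_traefik_entrypoint_primary` is now the contract for external Traefik setups would avoid surprises; otherwise keep the conditional. I cannot tell from this diff whether that variable is always defined when the Traefik role is disabled.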
@@ -3024,7 +3023,7 @@ matrix_client_cinny_container_additional_networks: "{{ [matrix_playbook_reverse_ matrix_client_cinny_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" matrix_client_cinny_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" -matrix_client_cinny_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary if devture_traefik_enabled else '' }}" +matrix_client_cinny_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" matrix_client_cinny_default_hs_url: "{{ matrix_homeserver_url }}" @@ -3192,7 +3191,7 @@ matrix_synapse_admin_container_additional_networks: "{{ [matrix_playbook_reverse matrix_synapse_admin_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" matrix_synapse_admin_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" -matrix_synapse_admin_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary if devture_traefik_enabled else '' }}" +matrix_synapse_admin_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" ###################################################################### # 
@@ -3329,18 +3328,52 @@ matrix_prometheus_scraper_nginxlog_server_port: "{{ (matrix_prometheus_nginxlog_ ###################################################################### # -# matrix-grafana +# etke/grafana # ###################################################################### -matrix_grafana_enabled: false +grafana_enabled: false + +grafana_identifier: matrix-grafana + +grafana_uid: "{{ matrix_user_uid }}" +grafana_gid: "{{ matrix_user_gid }}" + +grafana_hostname: "{{ matrix_server_fqn_grafana }}" + +grafana_base_path: "{{ matrix_base_data_path }}/grafana" + +grafana_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else grafana_identifier }}" + +grafana_container_additional_networks: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + + + ([matrix_prometheus_container_network] if matrix_prometheus_enabled and matrix_prometheus_container_network != grafana_container_network else []) + ) | unique + }} + +grafana_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" +grafana_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +grafana_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach Grafana over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # Grafana's HTTP port to the local host. 
-matrix_grafana_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '3000') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +grafana_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '3000') if matrix_playbook_service_host_bind_interface_prefix else '' }}" + +grafana_provisioning_datasources: | + {{ + ([{ + 'name': (matrix_server_fqn_matrix + ' - Prometheus'), + 'type': 'prometheus', + 'access': 'proxy', + 'url': 'http://matrix-prometheus:9090', + }] if matrix_prometheus_enabled else []) + }} -matrix_grafana_dashboard_download_urls: | +grafana_dashboard_download_urls: | {{ (matrix_synapse_grafana_dashboard_urls if matrix_homeserver_implementation == 'synapse' and matrix_synapse_metrics_enabled else []) + 
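Review bot: The deleted in-tree role rendered `grafana.ini` with `content_security_policy = true`, `allow_embedding = false` and anonymous access disabled, but the new `etke/grafana` block in this hunk sets none of those, so the playbook now inherits whatever the external role defaults to and the changelog's "All functionality remains intact" cannot be checked from this diff. I would pin the hardening explicitly next to `grafana_enabled: false` — at least `grafana_anonymous_access: false`, which the docs hunk shows the role accepts — and confirm the CSP and embedding defaults in the external role before merging. Separately, `grafana_provisioning_datasources` hard-codes `http://matrix-prometheus:9090`; that resolves because the Prometheus unit earlier in this series names its container `matrix-prometheus`, but deriving it from a shared identifier variable would keep the two from drifting apart.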
@@ -3351,18 +3384,18 @@ matrix_grafana_dashboard_download_urls: | (matrix_prometheus_nginxlog_exporter_dashboard_urls if matrix_prometheus_nginxlog_exporter_enabled else []) }} -matrix_grafana_default_home_dashboard_path: |- +grafana_default_home_dashboard_path: |- {{ { - 'synapse': ('/etc/grafana/dashboards/synapse.json' if matrix_synapse_metrics_enabled else '/etc/grafana/dashboards/node-exporter-full.json'), - 'dendrite': '/etc/grafana/dashboards/node-exporter-full.json', - 'conduit': '/etc/grafana/dashboards/node-exporter-full.json', + 'synapse': ('/etc/grafana/dashboards/synapse.json' if matrix_synapse_metrics_enabled and matrix_synapse_metrics_enabled else ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else '')), + 'dendrite': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''), + 'conduit': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''), }[matrix_homeserver_implementation] }} ###################################################################### # -# /matrix-grafana +# /etke/grafana # ###################################################################### diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index d976a0126..f5e214938 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml @@ -91,7 +91,7 @@ - galaxy/prometheus_postgres_exporter - custom/matrix-prometheus-nginxlog-exporter - custom/matrix-prometheus - - custom/matrix-grafana + - galaxy/grafana - custom/matrix-prometheus-services-proxy-connect - custom/matrix-registration - custom/matrix-client-element diff --git a/requirements.yml b/requirements.yml index 1244c4654..829ef99bd 100644 --- a/requirements.yml +++ b/requirements.yml 
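Review bot: In the `grafana_default_home_dashboard_path` rewrite the synapse branch tests `matrix_synapse_metrics_enabled and matrix_synapse_metrics_enabled` — the same variable twice — so the second operand is dead and the line should either drop it or name the condition that was actually intended (the old code had a single check, so I cannot tell which from this diff). The new `''` fallback when `prometheus_node_exporter_enabled` is false also deserves a check: confirm that the external role omits `default_home_dashboard_path` for an empty string rather than writing an empty key into `grafana.ini`.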
@@ -39,6 +39,9 @@
 - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git
 version: v1.2.3-1.7.6-0
 
+- src: git+https://gitlab.com/etke.cc/roles/grafana.git
+ version: v9.3.6-0
+
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
 version: fb09fd26f877372417d5586f1e79e83f983f0bd6
 
diff --git a/roles/custom/matrix-grafana/defaults/main.yml b/roles/custom/matrix-grafana/defaults/main.yml
deleted file mode 100644
index 5b7304802..000000000
--- a/roles/custom/matrix-grafana/defaults/main.yml
+++ /dev/null
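Review bot: The new `etke.cc/roles/grafana` dependency is pinned to the tag `v9.3.6-0`, which is mutable on the remote, whereas the `devture` Traefik entry directly below it is pinned to a commit SHA; anyone able to move that tag on gitlab.com changes what `just roles` installs, and this role is the one that renders Grafana's admin credentials and container flags. Pinning to the commit behind the tag (`version: <sha>`, in the same form as the Traefik entry) gives reproducible installs. If tags are kept for readability, consistent with the neighbouring `backup_borg` entry, that trade-off should at least be acknowledged somewhere the maintainers will see it.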
@@ -1,65 +0,0 @@ ---- -# matrix-grafana is open source visualization and analytics software -# See: https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md -# Project source code URL: https://github.com/grafana/grafana - -matrix_grafana_enabled: true - -matrix_grafana_version: 9.3.6 -matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" -matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" - -# matrix_grafana_dashboard_download_urls holds a list of URLs of dashboards to download -matrix_grafana_dashboard_download_urls: [] - -matrix_grafana_base_path: "{{ matrix_base_data_path }}/grafana" -matrix_grafana_config_path: "{{ matrix_grafana_base_path }}/config" -matrix_grafana_data_path: "{{ matrix_grafana_base_path }}/data" - -# Allow viewing Grafana without logging in -matrix_grafana_anonymous_access: false - -# When `false`, sends a `X-Frame-Options: deny` HTTP header, which allows Grafana from being embeded in a frame. -# Read more here: https://grafana.com/docs/grafana/latest/administration/configuration/#allow_embedding -matrix_grafana_allow_embedding: false - -# specify organization name that should be used for unauthenticated users -# if you change this in the Grafana admin panel, this needs to be updated -# to match to keep anonymous logins working -matrix_grafana_anonymous_access_org_name: 'Main Org.' - - -# default admin credentials, you are asked to change these on first login -matrix_grafana_default_admin_user: admin -matrix_grafana_default_admin_password: admin - -# Set to true to add the Content-Security-Policy header to your requests. -# CSP allows to control resources that the user agent can load and helps -# prevent XSS attacks. 
-# [Content Security Policy](https://grafana.com/docs/grafana/latest/administration/configuration/#content_security_policy) -matrix_grafana_content_security_policy: true - -# specify content security policy template to customized template -# added https: and http: url schemes (ignored by browsers supporting 'strict-dynamic') to be backward compatible with older browsers. -# [Content Security Policy Browser Test] (https://content-security-policy.com/browser-test/) -# [Content Security Policy Reference](https://content-security-policy.com/script-src/) -matrix_grafana_content_security_policy_customized: false -matrix_grafana_content_security_policy_template: "script-src 'self' 'unsafe-eval' 'unsafe-inline' http: https: 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src * data:;base-uri 'self';connect-src 'self' grafana.com ws://$ROOT_PATH wss://$ROOT_PATH;manifest-src 'self';media-src 'none';form-action 'self';" - -# matrix_grafana_default_home_dashboard_path influences the `default_home_dashboard_path` grafana.ini setting, -# which is an in-container path for the default dashboard. -matrix_grafana_default_home_dashboard_path: /etc/grafana/dashboards/node-exporter-full.json - -# A list of extra arguments to pass to the container -matrix_grafana_container_extra_arguments: [] - -# List of systemd services that matrix-grafana.service depends on -matrix_grafana_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-grafana.service wants -matrix_grafana_systemd_wanted_services_list: [] - -# Controls whether the matrix-grafana container exposes its HTTP port (tcp/3000 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:3000"), or empty string to not expose. -matrix_grafana_container_http_host_bind_port: '' diff --git a/roles/custom/matrix-grafana/tasks/main.yml b/roles/custom/matrix-grafana/tasks/main.yml deleted file mode 100644 index 263d894fe..000000000 
--- a/roles/custom/matrix-grafana/tasks/main.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- - -- block: - - when: matrix_grafana_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - - - when: matrix_grafana_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: - - setup-all - - setup-grafana - - install-all - - install-grafana - -- block: - - when: not matrix_grafana_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-grafana diff --git a/roles/custom/matrix-grafana/tasks/setup_install.yml b/roles/custom/matrix-grafana/tasks/setup_install.yml deleted file mode 100644 index 86a6b04b8..000000000 --- a/roles/custom/matrix-grafana/tasks/setup_install.yml +++ /dev/null 
@@ -1,73 +0,0 @@ ---- - -- name: Ensure matrix-grafana image is pulled - community.docker.docker_image: - name: "{{ matrix_grafana_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_grafana_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_grafana_docker_image_force_pull }}" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure grafana paths exists - ansible.builtin.file: - path: "{{ item }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_grafana_base_path }}" - - "{{ matrix_grafana_config_path }}" - - "{{ matrix_grafana_config_path }}/provisioning" - - "{{ matrix_grafana_config_path }}/provisioning/datasources" - - "{{ matrix_grafana_config_path }}/provisioning/dashboards" - - "{{ matrix_grafana_config_path }}/dashboards" - - "{{ matrix_grafana_data_path }}" - -- name: Ensure grafana.ini present - ansible.builtin.template: - src: "{{ role_path }}/templates/grafana.ini.j2" - dest: "{{ matrix_grafana_config_path }}/grafana.ini" - mode: 0440 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure provisioning/datasources/default.yaml present - ansible.builtin.template: - src: "{{ role_path }}/templates/datasources.yaml.j2" - dest: "{{ matrix_grafana_config_path }}/provisioning/datasources/default.yaml" - mode: 0440 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure provisioning/dashboards/default.yaml present - ansible.builtin.template: - src: "{{ role_path }}/templates/dashboards.yaml.j2" - dest: "{{ matrix_grafana_config_path 
}}/provisioning/dashboards/default.yaml" - mode: 0440 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure dashboard(s) downloaded - ansible.builtin.get_url: - url: "{{ item }}" - dest: "{{ matrix_grafana_config_path }}/dashboards/" - force: true - mode: 0440 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: "{{ matrix_grafana_dashboard_download_urls }}" - register: result - retries: "{{ devture_playbook_help_geturl_retries_count }}" - delay: "{{ devture_playbook_help_geturl_retries_delay }}" - until: result is not failed - -- name: Ensure matrix-grafana.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-grafana.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-grafana.service" - mode: 0644 - register: matrix_grafana_systemd_service_result diff --git a/roles/custom/matrix-grafana/tasks/setup_uninstall.yml b/roles/custom/matrix-grafana/tasks/setup_uninstall.yml deleted file mode 100644 index 12c3cde93..000000000 --- a/roles/custom/matrix-grafana/tasks/setup_uninstall.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- - -- name: Check existence of matrix-grafana service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-grafana.service" - register: matrix_grafana_service_stat - -- when: matrix_grafana_service_stat.stat.exists | bool - block: - - name: Ensure matrix-grafana is stopped - ansible.builtin.service: - name: matrix-grafana - state: stopped - enabled: false - daemon_reload: true - - - name: Ensure matrix-grafana.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-grafana.service" - state: absent diff --git a/roles/custom/matrix-grafana/tasks/validate_config.yml b/roles/custom/matrix-grafana/tasks/validate_config.yml deleted file mode 100644 index 21c44dc83..000000000 
--- a/roles/custom/matrix-grafana/tasks/validate_config.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- - -- name: Fail if Prometheus not enabled - ansible.builtin.fail: - msg: > - You need to enable `matrix_prometheus_enabled` to use Prometheus as data source for Grafana. - when: "not matrix_prometheus_enabled" - -- name: (Deprecation) Catch and report renamed settings - ansible.builtin.fail: - msg: >- - Your configuration contains a variable, which now has a different name. - Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). - when: "item.old in vars" - with_items: - - {'old': 'matrix_grafana_dashboard_download_urls_all', 'new': 'matrix_grafana_dashboard_download_urls'} diff --git a/roles/custom/matrix-grafana/templates/dashboards.yaml.j2 b/roles/custom/matrix-grafana/templates/dashboards.yaml.j2 deleted file mode 100644 index aae42ba29..000000000 --- a/roles/custom/matrix-grafana/templates/dashboards.yaml.j2 +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: 1 - -providers: - - name: {{ matrix_server_fqn_matrix }} - Dashboards - folder: '' # The folder where to place the dashboards - type: file - allowUiUpdates: true - options: - path: /etc/grafana/dashboards diff --git a/roles/custom/matrix-grafana/templates/datasources.yaml.j2 b/roles/custom/matrix-grafana/templates/datasources.yaml.j2 deleted file mode 100644 index 6ccbe3742..000000000 --- a/roles/custom/matrix-grafana/templates/datasources.yaml.j2 +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: 1 - -datasources: - - name: {{ matrix_server_fqn_matrix }} - Prometheus - type: prometheus - # Access mode - proxy (server in the UI) or direct (browser in the UI). - access: proxy - url: http://matrix-prometheus:9090 diff --git a/roles/custom/matrix-grafana/templates/grafana.ini.j2 b/roles/custom/matrix-grafana/templates/grafana.ini.j2 deleted file mode 100644 index ac609f914..000000000 --- a/roles/custom/matrix-grafana/templates/grafana.ini.j2 +++ /dev/null 
@@ -1,29 +0,0 @@ -[server] -root_url = "https://{{ matrix_server_fqn_grafana }}" - -[security] -# default admin user, created on startup -admin_user = "{{ matrix_grafana_default_admin_user }}" - -# default admin password, can be changed before first start of grafana, or in profile settings -admin_password = """{{ matrix_grafana_default_admin_password }}""" - -# specify content_security_policy to add the Content-Security-Policy header to your requests -content_security_policy = "{{ matrix_grafana_content_security_policy }}" - -# specify content security policy template to customized template -{% if matrix_grafana_content_security_policy_customized %} -content_security_policy_template = """{{ matrix_grafana_content_security_policy_template }}""" -{% endif %} - -allow_embedding = {{ matrix_grafana_allow_embedding }} - -[auth.anonymous] -# enable anonymous access -enabled = {{ matrix_grafana_anonymous_access }} - -# specify organization name that should be used for unauthenticated users -org_name = "{{ matrix_grafana_anonymous_access_org_name }}" - -[dashboards] -default_home_dashboard_path = {{ matrix_grafana_default_home_dashboard_path }} diff --git a/roles/custom/matrix-grafana/templates/systemd/matrix-grafana.service.j2 b/roles/custom/matrix-grafana/templates/systemd/matrix-grafana.service.j2 deleted file mode 100644 index fd48b01eb..000000000 --- a/roles/custom/matrix-grafana/templates/systemd/matrix-grafana.service.j2 +++ /dev/null 
@@ -1,43 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=matrix-grafana -{% for service in matrix_grafana_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_grafana_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-grafana 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-grafana 2>/dev/null || true' - - -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-grafana \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - --network={{ matrix_docker_network }} \ - {% if matrix_grafana_container_http_host_bind_port %} - -p {{ matrix_grafana_container_http_host_bind_port }}:3000 \ - {% endif %} - -v {{ matrix_grafana_config_path }}:/etc/grafana:z \ - -v {{ matrix_grafana_data_path }}:/var/lib/grafana:z \ - {% for arg in matrix_grafana_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_grafana_docker_image }} - -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-grafana 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-grafana 2>/dev/null || true' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-grafana - -[Install] -WantedBy=multi-user.target diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index 2b3d1eb11..38afb3c49 100644 
--- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml @@ -86,11 +86,6 @@ matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_hostname: "{{ matrix_ser matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_hostname }}`)" -matrix_nginx_proxy_container_labels_traefik_proxy_grafana_enabled: false -matrix_nginx_proxy_container_labels_traefik_proxy_grafana_hostname: "{{ matrix_server_fqn_grafana }}" -matrix_nginx_proxy_container_labels_traefik_proxy_grafana_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" -matrix_nginx_proxy_container_labels_traefik_proxy_grafana_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_grafana_hostname }}`)" - matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_enabled: false matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}" matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2 index 2676b0610..4565da197 100644 --- a/roles/custom/matrix-nginx-proxy/templates/labels.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2 
@@ -97,19 +97,6 @@ traefik.http.routers.matrix-nginx-proxy-jitsi.tls.certResolver={{ matrix_nginx_p traefik.http.routers.matrix-nginx-proxy-jitsi.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} {% endif %} - -{% if matrix_nginx_proxy_container_labels_traefik_proxy_grafana_enabled %} -# Grafana -traefik.http.routers.matrix-nginx-proxy-grafana.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_grafana_rule }} -traefik.http.routers.matrix-nginx-proxy-grafana.service=matrix-nginx-proxy-web -traefik.http.routers.matrix-nginx-proxy-grafana.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_grafana_tls | to_json }} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_grafana_tls %} -traefik.http.routers.matrix-nginx-proxy-grafana.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} -{% endif %} -traefik.http.routers.matrix-nginx-proxy-grafana.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} -{% endif %} - - {% if matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_enabled %} # Sygnal traefik.http.routers.matrix-nginx-proxy-sygnal.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_rule }} diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_install.yml b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_install.yml index 9b2ac3e60..2835b2c98 100644 --- a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_install.yml +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_install.yml 
@@ -33,11 +33,11 @@ - name: Ensure grafana dashboard is installed ansible.builtin.template: src: "{{ role_path }}/templates/nginx-proxy.json" - dest: "{{ matrix_grafana_config_path }}/dashboards/" + dest: "{{ grafana_config_path }}/dashboards/" mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: matrix_grafana_enabled + when: grafana_enabled - name: Ensure matrix-prometheus-nginxlog-exporter.service installed ansible.builtin.template: diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_uninstall.yml b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_uninstall.yml index c0d0a8338..6fce44ae3 100644 --- a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_uninstall.yml @@ -35,5 +35,5 @@ - name: Ensure matrix-prometheus-nginxlog-exporter grafana dashboard doesn't exist ansible.builtin.file: - path: "{{ matrix_grafana_config_path }}/dashboards/nginx-proxy.json" + path: "{{ grafana_config_path }}/dashboards/nginx-proxy.json" state: absent diff --git a/roles/custom/matrix_playbook_migration/defaults/main.yml b/roles/custom/matrix_playbook_migration/defaults/main.yml index 109ecd726..038676798 100644 --- a/roles/custom/matrix_playbook_migration/defaults/main.yml +++ b/roles/custom/matrix_playbook_migration/defaults/main.yml @@ -8,3 +8,6 @@ matrix_playbook_migration_matrix_prometheus_postgres_exporter_migration_validati # Controls if (`matrix_backup_borg` -> `backup_borg`) validation will run. matrix_playbook_migration_matrix_backup_borg_migration_validation_enabled: true + +# Controls if (`matrix_grafana` -> `grafana`) validation will run. +matrix_playbook_migration_matrix_grafana_migration_validation_enabled: true diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index f588ed08b..2ac04ecea 100644 
--- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml @@ -95,3 +95,18 @@ Please change your configuration (vars.yml) to rename all variables (`matrix_backup_borg_` -> `backup_borg_`). We found usage of the following variables: {{ matrix_playbook_migration_backup_borg_migration_vars.keys() | join(', ') }} when: "matrix_playbook_migration_backup_borg_migration_vars | length > 0" + +- when: matrix_playbook_migration_matrix_grafana_migration_validation_enabled | bool + block: + - ansible.builtin.set_fact: + matrix_playbook_migration_grafana_migration_vars: |- + {{ vars | dict2items | selectattr('key', 'match', 'matrix_grafana_.*') | list | items2dict }} + + - name: (Deprecation) Catch and report matrix_grafana variables + ansible.builtin.fail: + msg: >- + The matrix-grafana role that used to be part of this playbook has been replaced by https://gitlab.com/etke.cc/roles/grafana. + The new role is compatible with the old one, but uses different names for its variables. + Please change your configuration (vars.yml) to rename all variables (`matrix_grafana_` -> `grafana_`). + We found usage of the following variables: {{ matrix_playbook_migration_grafana_migration_vars.keys() | join(', ') }} + when: "matrix_playbook_migration_grafana_migration_vars | length > 0" From 7c5826f1c334d1458d010ee0bb2af3a768584367 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 15 Feb 2023 10:52:25 +0200 Subject: [PATCH 437/915] Break dependency between matrix-prometheus-nginxlog-exporter and the Grafana role Wiring happens via `group_vars/matrix_servers` now. --- group_vars/matrix_servers | 8 + requirements.yml | 2 +- .../tasks/setup_install.yml | 10 - .../templates/grafana/nginx-proxy.json | 1705 +++++++++++++++++ 4 files changed, 1714 insertions(+), 11 deletions(-) create mode 100644 roles/custom/matrix-prometheus-nginxlog-exporter/templates/grafana/nginx-proxy.json 
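Review bot: The `set_fact` task in the new block has no `name:`, unlike the `fail` task next to it, so it is hard to identify in play output; give it one, e.g. `- name: Collect matrix_grafana_* variables still present in the configuration`. The failure message prints `matrix_playbook_migration_grafana_migration_vars.keys()`, i.e. only variable names, which matters here because the matched set can include `matrix_grafana_default_admin_password` (the removed grafana.ini.j2 in this same patch shows that variable existed); a comment such as `# Report only the variable names: the matched set can contain secrets (e.g. the old Grafana admin password)` would keep a later edit from dumping the values. The `match` test anchors at the start of the key, so names that merely contain `matrix_grafana_` mid-string, like the new `matrix_playbook_migration_matrix_grafana_migration_validation_enabled`, are correctly not flagged.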
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 76b718ef1..78e15ecaa 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -3384,6 +3384,14 @@ grafana_dashboard_download_urls: | (matrix_prometheus_nginxlog_exporter_dashboard_urls if matrix_prometheus_nginxlog_exporter_enabled else []) }} +grafana_provisioning_dashboard_template_files: | + {{ + ([{ + 'path': 'roles/custom/matrix-prometheus-nginxlog-exporter/templates/grafana/nginx-proxy.json', + 'name': 'nginx-proxy.json', + }] if matrix_prometheus_nginxlog_exporter_enabled else []) + }} + grafana_default_home_dashboard_path: |- {{ { diff --git a/requirements.yml b/requirements.yml index 829ef99bd..716b7c6e1 100644 --- a/requirements.yml +++ b/requirements.yml @@ -40,7 +40,7 @@ version: v1.2.3-1.7.6-0 - src: git+https://gitlab.com/etke.cc/roles/grafana.git - version: v9.3.6-0 + version: v9.3.6-1 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git version: fb09fd26f877372417d5586f1e79e83f983f0bd6 diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_install.yml b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_install.yml index 2835b2c98..ca3bf3a8e 100644 --- a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_install.yml +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_install.yml 
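Review bot: `grafana_provisioning_dashboard_template_files` carries a repository-relative `path` (`roles/custom/matrix-prometheus-nginxlog-exporter/templates/grafana/nginx-proxy.json`) with no comment saying what consumes it or what the path is relative to; presumably the external grafana role renders it with the template module relative to the playbook directory, which should be confirmed and stated. Suggest a comment above the variable: `# Dashboard JSON templates rendered by the grafana role; paths are relative to the playbook root`. The list is gated only on `matrix_prometheus_nginxlog_exporter_enabled`, consistent with `grafana_dashboard_download_urls` just above, so it relies on the grafana role ignoring the variable when Grafana itself is disabled — worth checking against the role version bumped to v9.3.6-1 in requirements.yml.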
@@ -30,18 +30,8 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" -- name: Ensure grafana dashboard is installed - ansible.builtin.template: - src: "{{ role_path }}/templates/nginx-proxy.json" - dest: "{{ grafana_config_path }}/dashboards/" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: grafana_enabled - - name: Ensure matrix-prometheus-nginxlog-exporter.service installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-prometheus-nginxlog-exporter.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-nginxlog-exporter.service" mode: 0644 - register: matrix_prometheus_nginxlog_exporter_systemd_service_result diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/templates/grafana/nginx-proxy.json b/roles/custom/matrix-prometheus-nginxlog-exporter/templates/grafana/nginx-proxy.json new file mode 100644 index 000000000..395314fd7 --- /dev/null +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/templates/grafana/nginx-proxy.json 
@@ -0,0 +1,1705 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__elements": {}, + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "9.3.1" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "timeseries", + "name": "Time series", + "version": "" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "grafana", + "uid": "-- Grafana --" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "description": "", + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "id": 5, + "links": [], + "liveNow": false, + "panels": [ + { + "collapsed": true, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 23, + "panels": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + 
"color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 1 + }, + "id": 20, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(http_x_forwarded_for) (rate(http_response_count_total{status=~\"1.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "1xx by upstream addr[$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 1 + }, + "id": 21, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": 
"${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_uri) (rate(http_response_count_total{status=~\"1.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "1xx by uri [$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 9 + }, + "id": 18, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(http_x_forwarded_for) (rate(http_response_count_total{status=~\"2.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "2xx by upstream addr[$request_host]", + "type": 
"timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 9 + }, + "id": 19, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_uri) (rate(http_response_count_total{status=~\"2.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "2xx by uri [$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + 
"drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 17 + }, + "id": 16, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(http_x_forwarded_for) (rate(http_response_count_total{status=~\"3.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "3xx by upstream addr[$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": 
"off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 17 + }, + "id": 17, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_uri) (rate(http_response_count_total{status=~\"3.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "3xx by uri [$request_host]", + "type": "timeseries" + } + ], + "title": "1xx - 2xx - 3xx Status Code .....................................................", + "type": "row" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 1 + }, + "id": 2, + "panels": [], + "title": "4xx Status Code ......................................................................", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { 
+ "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 2 + }, + "id": 9, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(http_x_forwarded_for) (rate(http_response_count_total{status=~\"404\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "404 by upstream addr[$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 2 + }, + "id": 6, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": 
true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_uri) (rate(http_response_count_total{status=~\"404\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "404 by uri [$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 10 + }, + "id": 14, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(http_x_forwarded_for) (rate(http_response_count_total{status=~\"4.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": 
false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "4xx by upstream addr[$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 10 + }, + "id": 15, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_uri) (rate(http_response_count_total{status=~\"4.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "4xx by uri [$request_host]", + "type": "timeseries" + }, + { + "collapsed": true, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 18 + }, + "id": 8, + "panels": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + 
"description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 3 + }, + "id": 10, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(http_x_forwarded_for, status) (rate(http_response_count_total{status=~\"504|502\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "502-504 by upstream addr[$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, 
+ "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 3 + }, + "id": 11, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_host, status) (rate(http_response_count_total{status=~\"504|502\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "502-504 by host [$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + 
"steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 11 + }, + "id": 12, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "expr": "sum by(http_x_forwarded_for) (rate(http_response_count_total{status=~\"5.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "5xx by upstream addr[$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 11 + }, + "id": 13, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + 
"targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_host) (rate(http_response_count_total{status=~\"5.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "5xx by uri [$request_host]", + "type": "timeseries" + } + ], + "title": "5xx Status Code ......................................................................", + "type": "row" + }, + { + "collapsed": true, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 19 + }, + "id": 27, + "panels": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 4 + }, + "id": 24, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": 
"builder", + "expr": "sum by(http_x_forwarded_for) (rate(http_response_count_total{status=~\"[6-9]{1}.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "6xx > by upstream addr[$request_host]", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 4 + }, + "id": 25, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(request_uri) (rate(http_response_count_total{status=~\"[6-9]{1}.*\", request_host=~\"$request_host\"}[$__rate_interval]))", + "format": "time_series", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": true, + "refId": "B" + } + ], + "title": "6xx > by uri [$request_host]", + "type": "timeseries" + } + ], + 
"title": "6xx > Status Code ...................................................................", + "type": "row" + } + ], + "refresh": "30s", + "schemaVersion": 37, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "current": { + "selected": true, + "text": "Prometheus", + "value": "Prometheus" + }, + "hide": 0, + "includeAll": false, + "multi": false, + "name": "DS_PROMETHEUS", + "options": [], + "query": "prometheus", + "queryValue": "", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": {}, + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "definition": "label_values(http_response_count_total, request_host)", + "hide": 0, + "includeAll": true, + "multi": true, + "name": "request_host", + "options": [], + "query": { + "query": "label_values(http_response_count_total, request_host)", + "refId": "StandardVariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 1, + "type": "query" + } + ] + }, + "time": { + "from": "now-1h", + "to": "now" + }, + "timepicker": {}, + "timezone": "", + "title": "NGINX PROXY", + "uid": "x2_jWNF4k", + "version": 12, + "weekStart": "" +} \ No newline at end of file From 4fe601546413d87e7c571f82d084e60648d103c3 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 15 Feb 2023 09:02:36 +0000 Subject: [PATCH 438/915] Update ntfy 1.30.1 -> 1.31.0 --- roles/custom/matrix-ntfy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-ntfy/defaults/main.yml b/roles/custom/matrix-ntfy/defaults/main.yml index 397efb35f..b2d2f25f4 100644 --- a/roles/custom/matrix-ntfy/defaults/main.yml +++ b/roles/custom/matrix-ntfy/defaults/main.yml 
@@ -7,7 +7,7 @@ matrix_ntfy_base_path: "{{ matrix_base_data_path }}/ntfy" matrix_ntfy_config_dir_path: "{{ matrix_ntfy_base_path }}/config" matrix_ntfy_data_path: "{{ matrix_ntfy_base_path }}/data" -matrix_ntfy_version: v1.30.1 +matrix_ntfy_version: v1.31.0 matrix_ntfy_docker_image: "{{ matrix_container_global_registry_prefix }}binwiederhier/ntfy:{{ matrix_ntfy_version }}" matrix_ntfy_docker_image_force_pull: "{{ matrix_ntfy_docker_image.endswith(':latest') }}" From bb7895678cdaa4eace98654c2558ce99c5f34a32 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 15 Feb 2023 11:47:57 +0200 Subject: [PATCH 439/915] Fix typo --- group_vars/matrix_servers | 2 +- .../tasks/setup_uninstall.yml | 7 +------ 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 78e15ecaa..a7e229d4d 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2480,7 +2480,7 @@ matrix_nginx_proxy_systemd_wanted_services_list: | + (['matrix-client-hydrogen.service'] if matrix_client_hydrogen_enabled else []) + - ([(grafana_idenifier + '.service')] if grafana_enabled else []) + ([(grafana_identifier + '.service')] if grafana_enabled else []) + (['matrix-dimension.service'] if matrix_dimension_enabled else []) + diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_uninstall.yml b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_uninstall.yml index 6fce44ae3..7d27cbae8 100644 --- a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_uninstall.yml 
@@ -28,12 +28,7 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus-nginxlog-exporter.service" state: absent - - name: Ensure matrix-prometheus-nginxlog-exporter paths don't exist + - name: Ensure matrix-prometheus-nginxlog-exporter path doesn't exist ansible.builtin.file: path: "{{ matrix_prometheus_nginxlog_exporter_base_path }}" state: absent - - - name: Ensure matrix-prometheus-nginxlog-exporter grafana dashboard doesn't exist - ansible.builtin.file: - path: "{{ grafana_config_path }}/dashboards/nginx-proxy.json" - state: absent From 8a471b97a14bf17d3fec0ee2bae7ba016543c208 Mon Sep 17 00:00:00 2001 From: Stuart Mumford Date: Wed, 15 Feb 2023 17:14:09 +0000 Subject: [PATCH 440/915] Update configuring-playbook-bridge-mautrix-slack.md --- docs/configuring-playbook-bridge-mautrix-slack.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/configuring-playbook-bridge-mautrix-slack.md b/docs/configuring-playbook-bridge-mautrix-slack.md index d0a60aa7c..f53fbd104 100644 --- a/docs/configuring-playbook-bridge-mautrix-slack.md +++ b/docs/configuring-playbook-bridge-mautrix-slack.md @@ -8,8 +8,6 @@ The playbook can install and configure [mautrix-slack](https://github.com/mautri See the project's [documentation](https://docs.mau.fi/bridges/go/slack/index.html) to learn what it does and why it might be useful to you. -Note that as of Oct 2022, support for multiple Matrix users using the bot is incomplete. Different users do not yet share the bridged channels. Everyone gets their own copy. - See the [features and roadmap](https://github.com/mautrix/slack/blob/main/ROADMAP.md) for more information. From 93bb117a29a36e4356aac04debb3e6d82875da11 Mon Sep 17 00:00:00 2001 
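Review bot: The task that removed `{{ grafana_config_path }}/dashboards/nginx-proxy.json` on uninstall is dropped here, so uninstalling matrix-prometheus-nginxlog-exporter now leaves that dashboard provisioned in Grafana unless another role cleans it up. This removal is unrelated to the typo fix the commit title describes and deserves a line in the commit message. If it is deliberate (the dashboard presumably now being owned by the Grafana role), say so; otherwise keep the task and guard it with `when: grafana_enabled | bool` so the role does not fail when `grafana_config_path` is undefined.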
From: Slavi Pantaleev Date: Thu, 16 Feb 2023 08:24:27 +0200 Subject: [PATCH 441/915] Mention Traefik changes causing backward-compatibility break for own-webserver (non-nginx-proxy) users This also updates `docs/configuring-playbook-own-webserver.md`, trying to make it up-to-date with all recent changes. --- CHANGELOG.md | 9 +- docs/configuring-playbook-own-webserver.md | 270 +++++++++++---------- 2 files changed, 142 insertions(+), 137 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b47433d7d..f6b76e109 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -22,12 +22,13 @@ You need to **update you roles** (`just roles` or `make roles`) regardless of wh # 2023-02-12 -## Reverse-proxy configuration changes and initial Traefik support +## (Backward Compatibility) Reverse-proxy configuration changes and initial Traefik support **TLDR**: - there's a new `matrix_playbook_reverse_proxy_type` variable (see [roles/custom/matrix-base/defaults/main.yml](roles/custom/matrix-base/defaults/main.yml)), which lets you tell the playbook what reverse-proxy setup you'd like to have. This makes it easier for people who want to do reverse-proxying in other ways. -- the default reverse-proxy (`matrix_playbook_reverse_proxy_type`) is still `playbook-managed-nginx` (via `matrix-nginx-proxy`), for now. **Existing users should not observe any changes** and can stay on this for now. +- the default reverse-proxy (`matrix_playbook_reverse_proxy_type`) is still `playbook-managed-nginx` (via `matrix-nginx-proxy`), for now. **Existing `matrix-nginx-proxy` users should not observe any changes** and can stay on this for now. +- **Users who use their [own other webserver](docs/configuring-playbook-own-webserver.md) (e.g. Apache, etc.) need to change** `matrix_playbook_reverse_proxy_type` to something like `other-on-same-host`, `other-on-another-host` or `other-nginx-non-container` - we now have **optional [Traefik](https://traefik.io/) support**, so you could easily host Matrix and other Traefik-native services in containers on the same server. Traefik support is still experimental (albeit, good enough) and will improve over time. It does work, but certain esoteric features may not be there yet. - **Traefik will become the default reverse-proxy in the near future**. `matrix-nginx-proxy` will either remain as an option, or be completely removed to simplify the playbook 
@@ -81,7 +82,9 @@ Traefik does not lock important functionality we'd like to use into [plus packag `matrix_playbook_reverse_proxy_type` still defaults to a value of `playbook-managed-nginx`. -Unless we have some regression, **existing users should be able to update their Matrix server and not observe any changes**. Their setup should still remain on nginx and everything should still work as expected. +Unless we have some regression, **existing `matrix-nginx-proxy` users should be able to update their Matrix server and not observe any changes**. Their setup should still remain on nginx and everything should still work as expected. + +**Users using [their own webservers](docs/configuring-playbook-own-webserver.md) will need to change `matrix_playbook_reverse_proxy_type`** to something like `other-on-same-host`, `other-on-another-host` or `other-nginx-non-container`. Previously, they could toggle `matrix_nginx_proxy_enabled` to `false`, and that made the playbook automatically expose services locally. Currently, we only do this if you change the reverse-proxy type to `other-on-same-host`, `other-on-another-host` or `other-nginx-non-container`. #### How do I explicitly switch to Traefik right now? diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 77fa018d0..41b1fd83a 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md 
@@ -1,145 +1,21 @@ # Using your own webserver, instead of this playbook's nginx proxy (optional, advanced) -**Note**: the playbook is [in the process of moving to Traefik](../CHANGELOG.md#reverse-proxy-configuration-changes-and-initial-traefik-support). The documentation below should be correct, but things will change soon. +**Note**: the playbook is [in the process of moving to Traefik](../CHANGELOG.md#reverse-proxy-configuration-changes-and-initial-traefik-support). The **documentation below may be incomplete or misleading**. By default, this playbook installs its own nginx webserver (called `matrix-nginx-proxy`, in a Docker container) which listens on ports 80 and 443. If that's alright, you can skip this. -If you don't want this playbook's nginx webserver to take over your server's 80/443 ports like that, -and you'd like to use your own webserver (be it nginx, Apache, Varnish Cache, etc.), you can. +Soon, this default will change and the playbook will install its own [Traefik](https://traefik.io/) reverse-proxy instead. -There are **2 ways you can go about it**, if you'd like to use your own webserver: +## Traefik -- [Method 1: Disabling the integrated nginx reverse-proxy webserver](#method-1-disabling-the-integrated-nginx-reverse-proxy-webserver) +[Traefik](https://traefik.io/) will be the default reverse-proxy for the playbook in the near future. -- [Method 2: Fronting the integrated nginx reverse-proxy webserver with another reverse-proxy](#method-2-fronting-the-integrated-nginx-reverse-proxy-webserver-with-another-reverse-proxy) +There are 2 ways to use Traefik with this playbook, as described below. +### Traefik managed by the playbook -## Method 1: Disabling the integrated nginx reverse-proxy webserver - -This method is about completely disabling the integrated nginx reverse-proxy webserver and replicating its behavior using another webserver. 
- -If that other webserver is `nginx`, you'd be able to include configuration files generated by the playbook into your `nginx` webserver. - -If you'd like to use another webserver (not `nginx`), you'd need to do things manually. We have examples for other webservers below. - -For an alternative (which keeps `matrix-nginx-proxy` around and connects your other reverse-proxy with it), make sure to check Method #2. - -### Preparation - -No matter which external webserver you decide to go with, you'll need to: - -1) Make sure your web server user (something like `http`, `apache`, `www-data`, `nginx`) is part of the `matrix` group. You should run something like this: `usermod -a -G matrix nginx`. This allows your webserver user to access files owned by the `matrix` group. When using an external nginx webserver, this allows it to read configuration files from `/matrix/nginx-proxy/conf.d`. When using another server, it would make other files, such as `/matrix/static-files/.well-known`, accessible to it. - -2) Edit your configuration file (`inventory/host_vars/matrix./vars.yml`) - - to disable the integrated nginx server: - - ```yaml - matrix_nginx_proxy_enabled: false - ``` - - if using an external server on another host, add the `_http_host_bind_port` or `_http_bind_port` variables for the services that will be exposed by the external server on the other host. The actual name of the variable is listed in the `roles//defaults/vars.yml` file for each service. Most variables follow the `_http_host_bind_port` format. - - These variables will make Docker expose the ports on all network interfaces instead of localhost only. 
- [Keep in mind that there are some security concerns if you simply proxy everything.](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints) - - Here are the variables required for the default configuration (Synapse and Element) - ``` - matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: '0.0.0.0:8008' - matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: '0.0.0.0:8048' - matrix_client_element_container_http_host_bind_port: "0.0.0.0:8765" - ``` - -3) **If you'll manage SSL certificates by yourself**, edit your configuration file (`inventory/host_vars/matrix./vars.yml`) to disable SSL certificate retrieval: - -```yaml -matrix_ssl_retrieval_method: none -``` - -**Note**: During [installation](installing.md), unless you've disabled SSL certificate management (`matrix_ssl_retrieval_method: none`), the playbook would need 80 to be available, in order to retrieve SSL certificates. **Please manually stop your other webserver while installing**. You can start it back up afterwards. - -### Using your own external nginx webserver - -Once you've followed the [Preparation](#preparation) guide above, it's time to set up your external nginx server. - -Even with `matrix_nginx_proxy_enabled: false`, the playbook still generates some helpful files for you in `/matrix/nginx-proxy/conf.d`. -Those configuration files are adapted for use with an external web server (one not running in the container network). - -You can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your own `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;` - -Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by redefining the `matrix_nginx_proxy_ssl_protocols` variable. 
Example: - -```yaml -# Custom protocol list (removing `TLSv1.3`) to suit your nginx version. -matrix_nginx_proxy_ssl_protocols: "TLSv1.2" -``` - -If you are experiencing issues, try updating to a newer version of Nginx. As a data point in May 2021 a user reported that Nginx 1.14.2 was not working for them. They were getting errors about socket leaks. Updating to Nginx 1.19 fixed their issue. - -### Using your own external Apache webserver - -Once you've followed the [Preparation](#preparation) guide above, you can take a look at the [examples/apache](../examples/apache) directory for a sample configuration. - -### Using your own external caddy webserver - -After following the [Preparation](#preparation) guide above, you can take a look at the [examples/caddy](../examples/caddy) directory and [examples/caddy2](../examples/caddy2) directory for a sample configuration for Caddy v1 and v2, respectively. - -### Using your own HAproxy reverse proxy -After following the [Preparation](#preparation) guide above, you can take a look at the [examples/haproxy](../examples/haproxy) directory for a sample configuration. In this case HAproxy is used as a reverse proxy and a simple Nginx container is used to serve statically `.well-known` files. - -### Using another external webserver - -Feel free to look at the [examples/apache](../examples/apache) directory, or the [template files in the matrix-nginx-proxy role](../roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/). - - -## Method 2: Fronting the integrated nginx reverse-proxy webserver with another reverse-proxy - -This method is about leaving the integrated nginx reverse-proxy webserver be, but making it not get in the way (using up important ports, trying to retrieve SSL certificates, etc.). - -If you wish to use another webserver, the integrated nginx reverse-proxy webserver usually gets in the way because it attempts to fetch SSL certificates and binds to ports 80, 443 and 8448 (if Matrix Federation is enabled). 
- -You can disable such behavior and make the integrated nginx reverse-proxy webserver only serve traffic locally (or over a local network). - -You would need some configuration like this: - -```yaml -matrix_playbook_reverse_proxy_type: other-on-same-host - -# Do not listen for HTTP on port 80 globally (default), listen on the loopback interface. -# If you'd like, you can make it use the local network as well and reverse-proxy from another local machine. -matrix_nginx_proxy_container_http_host_bind_port: '127.0.0.1:81' - -# Likewise, expose the Matrix Federation port on the loopback interface. -# Since `matrix_nginx_proxy_https_enabled` is set to `false`, this federation port will serve HTTP traffic. -# If you'd like, you can make it use the local network as well and reverse-proxy from another local machine. -# -# You'd most likely need to expose it publicly on port 8448 (8449 was chosen for the local port to prevent overlap). -matrix_nginx_proxy_container_federation_host_bind_port: '127.0.0.1:8449' - -# Coturn relies on SSL certificates that have already been obtained. -# Since we don't obtain any certificates in this `other-on-same-host` mode, it won't work by default. -# An alternative is to tweak some of: `matrix_coturn_tls_enabled`, `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path`. -matrix_coturn_enabled: false -``` - -With this, nginx would still be in use, but it would not bother with anything SSL related or with taking up public ports. - -All services would be served locally on `127.0.0.1:81` and `127.0.0.1:8449` (as per the example configuration above). - -You can then set up another reverse-proxy server on ports 80/443/8448 for all of the expected domains and make traffic go to these local ports. -The expected domains vary depending on the services you have enabled (`matrix.DOMAIN` for sure; `element.DOMAIN`, `dimension.DOMAIN` and `jitsi.DOMAIN` are optional). 
- -### Sample configuration for running behind Traefik 2.0 - -To run behind Traefik, you can: - -- use a [Playbook-managed Traefik installation](#playbook-managed-traefik-installation) -- or, use [Your own Traefik server (not managed by the playbook)](#your-own-traefik-server-not-managed-by-the-playbook) - -#### Playbook-managed Traefik installation - -The playbook can install and manage Traefik for you using the [com.devture.ansible.role.traefik](https://github.com/devture/com.devture.ansible.role.traefik) role. - -It's simplest if you go with this method. You will need the following configuration: +To switch to Traefik now, use configuration like this: ```yaml matrix_playbook_reverse_proxy_type: playbook-managed-traefik @@ -147,9 +23,11 @@ matrix_playbook_reverse_proxy_type: playbook-managed-traefik devture_traefik_ssl_email_address: YOUR_EMAIL_ADDRESS ``` -#### Your own Traefik server (not managed by the playbook) +This will install Traefik in the place of `matrix-nginx-proxy`. Traefik will manage SSL certificates for all services seamlessly. + +**Note**: during the transition period, `matrix-nginx-proxy` will still be installed in local-only mode. Do not be alarmed to see `matrix-nginx-proxy` running even when you've chosen Traefik as your reverse-proxy. In the future, we'll be able to run without nginx, but we're not there yet. -If you'd like to run Traefik yourself, you can use configuration like this: +### Traefik managed by you ```yaml matrix_playbook_reverse_proxy_type: other-traefik-container 
@@ -161,7 +39,9 @@ In this mode all roles will still have Traefik labels attached. You will, howeve By default, the playbook congiures services use a `web-secure` (443) and `matrix-federation` (8448) entrypoints, as well as a `default` certificate resolver. -Below is some configuration for running Traefik yourself (although we recommend using a [playbook-managed Traefik installation](#playbook-managed-traefik-installation)). +You need to configure 3 entrypoints for your Traefik server: `web` (TCP port `80`), `web-secure` (TCP port `443`) and `matrix-federation` (TCP port `8448`). + +Below is some configuration for running Traefik yourself, although we recommend using [Traefik managed by the playbook](#traefik-managed-by-the-playbook). Note that this configuration on its own does **not** redirect traffic on port 80 (plain HTTP) to port 443 for HTTPS, which may cause some issues, since the built-in Nginx proxy usually does this. If you are not already doing this in Traefik, it can be added to Traefik in a [file provider](https://docs.traefik.io/v2.0/providers/file/) as follows: 
@@ -217,3 +97,125 @@ networks: traefik: external: true ``` + +## Another webserver + +If you don't wish to use Traefik or `matrix-nginx-proxy`, you can also use your own webserver. + +Doing this is possible, but requires manual work. + +There are 2 ways to go about it: + +- (recommended) [Fronting the integrated reverse-proxy webserver with another reverse-proxy](#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) - using a playbook-managed reverse-proxy (either `matrix-nginx-proxy` or Traefik), disabling SSL termination for it, exposing this reverse-proxy on a few local ports (e.g. `127.0.0.1:81`, etc.) and forwarding traffic from your own webserver to those few ports + +- (difficult) [Using no reverse-proxy on the Matrix side at all](#using-no-reverse-proxy-on-the-matrix-side-at-all) disabling all playbook-managed reverse-proxies (no `matrix-nginx-proxy`, no Traefik) + + +### Fronting the integrated reverse-proxy webserver with another reverse-proxy + +This method is about leaving the integrated reverse-proxy webserver be, but making it not get in the way (using up important ports, trying to retrieve SSL certificates, etc.). + +If you wish to use another webserver, the integrated nginx reverse-proxy webserver usually gets in the way because it attempts to fetch SSL certificates and binds to ports 80, 443 and 8448 (if Matrix Federation is enabled). + +You can disable such behavior and make the integrated reverse-proxy webserver only serve traffic locally (or over a local network). + +This is the recommended way for using another reverse-proxy, because the integrated one would act as a black box and wire all Matrix services correctly. You would only need to reverse-proxy a few individual domains and ports over to it. + +**For `matrix-nginx-proxy`** fronted by another reverse-proxy, you would need some configuration like this: + +```yaml +# playbook-managed-proxy is the default right now, so we can keep this commented out. 
+# matrix_playbook_reverse_proxy_type: playbook-managed-nginx + +# Disable SSL certificate retrieval +matrix_ssl_retrieval_method: none + +# Given that we won't be obtaining SSL certificates here, disable HTTPS +matrix_nginx_proxy_https_enabled: false + +# Do not listen for HTTP on port 80 globally (default), listen on the loopback interface. +# If you'd like, you can make it use the local network as well and reverse-proxy from another local machine. +matrix_nginx_proxy_container_http_host_bind_port: '127.0.0.1:81' + +# Likewise, expose the Matrix Federation port on the loopback interface. +# Since `matrix_nginx_proxy_https_enabled` is set to `false`, this federation port will serve HTTP traffic. +# If you'd like, you can make it use the local network as well and reverse-proxy from another local machine. +# +# You'd most likely need to expose it publicly on port 8448 (8449 was chosen for the local port to prevent overlap). +matrix_nginx_proxy_container_federation_host_bind_port: '127.0.0.1:8449' +``` + +**For Traefik** fronted by another reverse-proxy, you would need some configuration like this: + +```yaml +# playbook-managed-proxy is the default right now, so we can keep this commented out. +matrix_playbook_reverse_proxy_type: playbook-managed-traefik + +# Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval +devture_traefik_config_entrypoint_web_secure_enabled: false + +devture_traefik_container_web_host_bind_port: '127.0.0.1:81' + +devture_traefik_additional_entrypoints_auto: + - name: matrix-federation + port: "{{ matrix_federation_public_port }}" + host_bind_port: "127.0.0.1:{{ matrix_federation_public_port }}" + config: {} +``` + +If you'll be fronting with a reverse-proxy that lives on another machine (not on the same one as Matrix), you need to replace `127.0.0.1` in the above configurations with `0.0.0.0` or another network interface. 
+ +### Using no reverse-proxy on the Matrix side at all + +Instead of [Fronting the integrated reverse-proxy webserver with another reverse-proxy](#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy), you can also go another way -- completely disabling the playbook-managed reverse-proxy. You would then need to reverse-proxy from your own webserver directly to Matrix services. + +This is more difficult, as you would need to handle the configuration for each service manually. Enabling additional services would come with extra manual work you need to do. + +If your webserver is on the same machine, sure your web server user (something like `http`, `apache`, `www-data`, `nginx`) is part of the `matrix` group. You should run something like this: `usermod -a -G matrix nginx`. This allows your webserver user to access files owned by the `matrix` group. When using an external nginx webserver, this allows it to read configuration files from `/matrix/nginx-proxy/conf.d`. When using another server, it would make other files, such as `/matrix/static-files/.well-known`, accessible to it. + +#### Using your own nginx reverse-proxy running on the same machine + +If you'll be using `nginx` running on the same machine (not in a container), you can make the playbook help you generate configuration for `nginx` with this configuration: + +```yaml +matrix_playbook_reverse_proxy_type: other-nginx-non-container + +# If you will manage SSL certificates yourself, uncomment the line below +# matrix_ssl_retrieval_method: none + +# If you're using an old nginx version, consider using a custom protocol list +# (removing `TLSv1.3` that is enabled by default) to suit your nginx version. +# matrix_nginx_proxy_ssl_protocols: "TLSv1.2" +``` + +You can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. 
Just include them in your own `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;` + +#### Using your own reverse-proxy running on the same machine or elsewhere + +To reverse-proxy manually for each service, use configuration like this: + +```yaml +# If your reverse-proxy runs on the same machine: +matrix_playbook_reverse_proxy_type: other-on-same-host + +# Or, if it runs on another machine: +# matrix_playbook_reverse_proxy_type: other-on-another-host + +# Or, optionally customize the network interface prefix (note the trailing `:` character). +# For other-on-same-host, the interface defaults to `127.0.0.1:`. +# For other-on-another-host, the interface defaults to `0.0.0.0:`. +# matrix_playbook_service_host_bind_interface_prefix: '192.168.30.4:' +``` + +With this configuration, each service will be exposed on a custom port. Example: + +- Synapse will be exposed on port `8008` +- [Grafana](configuring-playbook-prometheus-grafana.md) will be exposed on port `3000` +- [synapse-admin](configuring-playbook-synapse-admin.md) will be exposed on port `8766` + +You can capture traffic for these services and forward it to their port. +Some of these services are configured with certain default expecations with regard to hostname, path, etc., so it's not completely arbitrary where you can host them (unless you change the defaults). + +For each new playbook service that you enable, you'll need special handling. + +The [`examples/`](../examples/) directory contains examples for various servers: Caddy, Apache, HAproxy, etc. From e80b98c3ad9d4cd2c93f3e906ab2e38ee8eee158 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 16 Feb 2023 09:22:29 +0200 Subject: [PATCH 442/915] Do not mount SSL certificates into Coturn if TLS is disabled for it --- group_vars/matrix_servers | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index a7e229d4d..e55bade91 100755 --- a/group_vars/matrix_servers 
+++ b/group_vars/matrix_servers @@ -2051,7 +2051,7 @@ matrix_coturn_container_additional_volumes: | 'dst': '/privkey.pem', 'options': 'ro', }, - ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [] + ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] and matrix_coturn_tls_enabled else [] ) + ( @@ -2066,7 +2066,7 @@ matrix_coturn_container_additional_volumes: | 'dst': '/privatekey.key', 'options': 'ro', }, - ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled else [] + ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled and matrix_coturn_tls_enabled else [] ) }} @@ -2074,7 +2074,7 @@ matrix_coturn_systemd_required_services_list: | {{ ['docker.service'] + - ([devture_traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_server_fqn_matrix + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled else []) + ([devture_traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_server_fqn_matrix + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled and matrix_coturn_tls_enabled else []) }} ###################################################################### From 649f6512ca3850cd48bb301eae7fe7c5a2cfa588 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Thu, 16 Feb 2023 18:02:25 +0000 Subject: [PATCH 443/915] Update mautrix-discord 0.1.0 -> 0.1.1 --- roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
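Review bot: The same three-term condition now appears verbatim in the second and third hunks (`... in ['playbook-managed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled and matrix_coturn_tls_enabled`), and the first hunk carries the nginx-side twin with the new `and matrix_coturn_tls_enabled` suffix; computing each of these once into an intermediate variable (name of your choosing) and referencing it from the volume list and the required-services list would keep the three places from drifting the next time a term is added. The effect of the gating is worth stating in a comment, since it is the security-relevant part: with TLS disabled, `/privkey.pem` and `/privatekey.key` are no longer mounted into the coturn container, so the key material is readable by one container fewer. The `matrix_coturn_container_additional_volumes` definition begins outside the first hunk.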
diff --git a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml index 0211f8f3e..036b4060e 100644 --- a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mautrix_discord_container_image_self_build: false matrix_mautrix_discord_container_image_self_build_repo: "https://mau.dev/mautrix/discord.git" matrix_mautrix_discord_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_discord_version == 'latest' else matrix_mautrix_discord_version }}" -matrix_mautrix_discord_version: v0.1.0 +matrix_mautrix_discord_version: v0.1.1 # See: https://mau.dev/mautrix/discord/container_registry matrix_mautrix_discord_docker_image: "{{ matrix_mautrix_discord_docker_image_name_prefix }}mautrix/discord:{{ matrix_mautrix_discord_version }}" matrix_mautrix_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_discord_container_image_self_build else 'dock.mau.dev/' }}" From 64ec1db077f87ae6439485b810b5587cc02f1163 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Thu, 16 Feb 2023 18:03:18 +0000 Subject: [PATCH 444/915] Update mautrix-whatsapp 0.8.1 -> 0.8.2 --- roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml index dd628162d..04c242951 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml 
@@ -8,7 +8,7 @@ matrix_mautrix_whatsapp_container_image_self_build: false matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautrix/whatsapp.git" matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}" -matrix_mautrix_whatsapp_version: v0.8.1 +matrix_mautrix_whatsapp_version: v0.8.2 # See: https://mau.dev/mautrix/whatsapp/container_registry matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_name_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}" matrix_mautrix_whatsapp_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_whatsapp_container_image_self_build else 'dock.mau.dev/' }}" From 954920dd4fd8bf928e0d082f981a8f90451f5bb3 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Thu, 16 Feb 2023 20:00:00 +0000 Subject: [PATCH 445/915] Update ntfy 1.31.0 -> 2.0.0 --- roles/custom/matrix-ntfy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-ntfy/defaults/main.yml b/roles/custom/matrix-ntfy/defaults/main.yml index b2d2f25f4..e0c90f5fb 100644 --- a/roles/custom/matrix-ntfy/defaults/main.yml +++ b/roles/custom/matrix-ntfy/defaults/main.yml @@ -7,7 +7,7 @@ matrix_ntfy_base_path: "{{ matrix_base_data_path }}/ntfy" matrix_ntfy_config_dir_path: "{{ matrix_ntfy_base_path }}/config" matrix_ntfy_data_path: "{{ matrix_ntfy_base_path }}/data" -matrix_ntfy_version: v1.31.0 +matrix_ntfy_version: v2.0.0 matrix_ntfy_docker_image: "{{ matrix_container_global_registry_prefix }}binwiederhier/ntfy:{{ matrix_ntfy_version }}" matrix_ntfy_docker_image_force_pull: "{{ matrix_ntfy_docker_image.endswith(':latest') }}" From 38c4e464c1a415d526829b2aa56947abcea449b0 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Fri, 17 Feb 2023 09:20:22 +0200 Subject: [PATCH 446/915] Fix self-check for Hydrogen and Cinny when running under a subpath --- roles/custom/matrix-client-cinny/tasks/self_check.yml | 6 +++--- roles/custom/matrix-client-hydrogen/tasks/self_check.yml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/custom/matrix-client-cinny/tasks/self_check.yml b/roles/custom/matrix-client-cinny/tasks/self_check.yml index c1c6195e0..2ea64a32e 100644 --- a/roles/custom/matrix-client-cinny/tasks/self_check.yml +++ b/roles/custom/matrix-client-cinny/tasks/self_check.yml @@ -1,7 +1,7 @@ --- - ansible.builtin.set_fact: - matrix_client_cinny_url_endpoint_public: "https://{{ matrix_server_fqn_cinny }}/config.json" + matrix_client_cinny_url_endpoint_public: "https://{{ matrix_client_cinny_hostname }}{{ matrix_client_cinny_path_prefix }}/config.json" - name: Check Cinny ansible.builtin.uri: @@ -16,9 +16,9 @@ - name: Fail if Cinny not working ansible.builtin.fail: - msg: "Failed checking Cinny is up at `{{ matrix_server_fqn_cinny }}` (checked endpoint: `{{ matrix_client_cinny_url_endpoint_public }}`). Is Cinny running? Is port 443 open in your firewall? Full error: {{ matrix_client_cinny_self_check_result }}" + msg: "Failed checking Cinny is up at `{{ matrix_client_cinny_hostname }}` (checked endpoint: `{{ matrix_client_cinny_url_endpoint_public }}`). Is Cinny running? Is port 443 open in your firewall? Full error: {{ matrix_client_cinny_self_check_result }}" when: "matrix_client_cinny_self_check_result.failed or 'json' not in matrix_client_cinny_self_check_result" - name: Report working Cinny ansible.builtin.debug: - msg: "Cinny at `{{ matrix_server_fqn_cinny }}` is working (checked endpoint: `{{ matrix_client_cinny_url_endpoint_public }}`)" + msg: "Cinny at `{{ matrix_client_cinny_hostname }}` is working (checked endpoint: `{{ matrix_client_cinny_url_endpoint_public }}`)" 
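Review bot: The endpoint is now `https://{{ matrix_client_cinny_hostname }}{{ matrix_client_cinny_path_prefix }}/config.json`, which produces a `//config.json` double slash whenever `matrix_client_cinny_path_prefix` is `/` for the root deployment (its default is not visible in this hunk). If the prefix is normalised to `/` rather than the empty string, `{{ matrix_client_cinny_path_prefix | regex_replace('/$', '') }}/config.json` keeps the check URL canonical; whether the proxy tolerates the double slash otherwise depends on the reverse-proxy in front, so the default should be confirmed. The Hydrogen self_check hunk in the next file has the same construction and would want the same treatment.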
diff --git a/roles/custom/matrix-client-hydrogen/tasks/self_check.yml b/roles/custom/matrix-client-hydrogen/tasks/self_check.yml index 478f0dc86..42c1f09b6 100644 --- a/roles/custom/matrix-client-hydrogen/tasks/self_check.yml +++ b/roles/custom/matrix-client-hydrogen/tasks/self_check.yml @@ -1,7 +1,7 @@ --- - ansible.builtin.set_fact: - matrix_client_hydrogen_url_endpoint_public: "https://{{ matrix_server_fqn_hydrogen }}/config.json" + matrix_client_hydrogen_url_endpoint_public: "https://{{ matrix_client_hydrogen_hostname }}{{ matrix_client_hydrogen_path_prefix }}/config.json" - name: Check Hydrogen ansible.builtin.uri: @@ -16,9 +16,9 @@ - name: Fail if Hydrogen not working ansible.builtin.fail: - msg: "Failed checking Hydrogen is up at `{{ matrix_server_fqn_hydrogen }}` (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`). Is Hydrogen running? Is port 443 open in your firewall? Full error: {{ matrix_client_hydrogen_self_check_result }}" + msg: "Failed checking Hydrogen is up at `{{ matrix_client_hydrogen_hostname }}` (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`). Is Hydrogen running? Is port 443 open in your firewall? Full error: {{ matrix_client_hydrogen_self_check_result }}" when: "matrix_client_hydrogen_self_check_result.failed or 'json' not in matrix_client_hydrogen_self_check_result" - name: Report working Hydrogen ansible.builtin.debug: - msg: "Hydrogen at `{{ matrix_server_fqn_hydrogen }}` is working (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`)" + msg: "Hydrogen at `{{ matrix_client_hydrogen_hostname }}` is working (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`)" From 964aa0e84d82161adf4f3b1d5290d94952be9a85 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Fri, 17 Feb 2023 09:54:33 +0200 Subject: [PATCH 447/915] Switch to using an external Ntfy role The newly extracted role also has native Traefik support, so we no longer need to rely on `matrix-nginx-proxy` for reverse-proxying to Ntfy. The new role uses port `80` inside the container (not `8080`, like before), because that's the default assumption of the officially published container image. Using a custom port (like `8080`), means the default healthcheck command (which hardcodes port `80`) doesn't work. Instead of fiddling to override the healthcheck command, we've decided to stick to the default port instead. This only affects the inside-the-container port, not any external ports. The new role also supports adding the network ranges of the container's multiple additional networks as "exempt hosts". Previously, only one network's address range was added to "exempt hosts". --- CHANGELOG.md | 11 ++++ docs/configuring-playbook-ntfy.md | 17 +++--- group_vars/matrix_servers | 45 +++++++++++---- playbooks/matrix.yml | 2 +- requirements.yml | 3 + .../matrix-nginx-proxy/defaults/main.yml | 5 -- .../matrix-nginx-proxy/templates/labels.j2 | 12 ---- .../nginx/conf.d/matrix-ntfy.conf.j2 | 2 +- roles/custom/matrix-ntfy/defaults/main.yml | 56 ------------------- roles/custom/matrix-ntfy/tasks/main.yml | 23 -------- roles/custom/matrix-ntfy/tasks/self_check.yml | 27 --------- .../matrix-ntfy/tasks/setup_install.yml | 38 ------------- .../matrix-ntfy/tasks/setup_uninstall.yml | 25 --------- .../matrix-ntfy/templates/ntfy/server.yml.j2 | 11 ---- .../templates/systemd/matrix-ntfy.service.j2 | 39 ------------- .../defaults/main.yml | 3 + .../tasks/validate_config.yml | 17 +++++- 17 files changed, 78 insertions(+), 258 deletions(-) delete mode 100644 roles/custom/matrix-ntfy/defaults/main.yml delete mode 100644 roles/custom/matrix-ntfy/tasks/main.yml delete mode 100644 roles/custom/matrix-ntfy/tasks/self_check.yml delete mode 100644 
roles/custom/matrix-ntfy/tasks/setup_install.yml delete mode 100644 roles/custom/matrix-ntfy/tasks/setup_uninstall.yml delete mode 100644 roles/custom/matrix-ntfy/templates/ntfy/server.yml.j2 delete mode 100644 roles/custom/matrix-ntfy/templates/systemd/matrix-ntfy.service.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index f6b76e109..493315b72 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,14 @@ +# 2023-02-17 + +## The matrix-ntfy role lives independently now + +**TLDR**: the `matrix-ntfy` role is now included from another repository. Some variables have been renamed. All functionality remains intact. + +The `matrix-ntfy` role (which configures [Ntfy](https://ntfy.sh/)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/ntfy). This makes it possible to easily use it in other Ansible playbooks. + +You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're enabling Ntfy or not. If you're making use of Ntfy via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_ntfy_` -> `ntfy_`). + + # 2023-02-15 ## The matrix-grafana role lives independently now diff --git a/docs/configuring-playbook-ntfy.md b/docs/configuring-playbook-ntfy.md index a5aec60b4..27d2fb122 100644 --- a/docs/configuring-playbook-ntfy.md +++ b/docs/configuring-playbook-ntfy.md 
@@ -15,17 +15,20 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars. ```yaml # Enabling it is the only required setting -matrix_ntfy_enabled: true +ntfy_enabled: true -# Some other options -matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}" -matrix_ntfy_configuration_extension_yaml: | - log_level: DEBUG +# This is the default hostname. +# Uncomment the line below and change it, if you'd like. +# matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}" + +# Uncomment and change to inject additional configuration options. +# ntfy_configuration_extension_yaml: | +# log_level: DEBUG ``` -For a more complete list of variables that you could override, see `roles/custom/matrix-ntfy/defaults/main.yml`. +For a more complete list of variables that you could override, see the [`defaults/main.yml` file](https://gitlab.com/etke.cc/roles/ntfy/-/blob/main/defaults/main.yml) of the ntfy Ansible role. -For a complete list of ntfy config options that you could put in `matrix_ntfy_configuration_extension_yaml`, see the [ntfy config documentation](https://ntfy.sh/docs/config/#config-options). +For a complete list of ntfy config options that you could put in `ntfy_configuration_extension_yaml`, see the [ntfy config documentation](https://ntfy.sh/docs/config/#config-options). ## Installing diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index e55bade91..32b99629c 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -326,7 +326,7 @@ devture_systemd_service_manager_services_list_auto: | + (matrix_ssl_renewal_systemd_units_list | selectattr('applicable') | selectattr('enableable') | list ) + - ([{'name': 'matrix-ntfy.service', 'priority': 800, 'groups': ['matrix', 'ntfy']}] if matrix_ntfy_enabled else []) + ([{'name': (ntfy_identifier + '.service'), 'priority': 800, 'groups': ['matrix', 'ntfy']}] if ntfy_enabled else []) + ([{'name': (devture_postgres_identifier + '.service'), 'priority': 500, 'groups': ['matrix', 'postgres']}] if devture_postgres_enabled else []) + @@ -2379,8 +2379,8 @@ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "{{ matrix_s matrix_nginx_proxy_proxy_matrix_enabled: true matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" -matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}" -matrix_nginx_proxy_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled }}" +matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" +matrix_nginx_proxy_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled }}" matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" matrix_nginx_proxy_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}" 
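Review bot: The `matrix_nginx_proxy_proxy_hydrogen_enabled` and `matrix_nginx_proxy_proxy_cinny_enabled` changes in the second hunk are not covered by the commit message, which only describes the Ntfy extraction; a sentence in the message, or a separate commit, would make the history easier to bisect if nginx-side proxying of those clients regresses. The list literal `['playbook-managed-nginx', 'other-nginx-non-container']` is also repeated here and in the -2389 hunk below; a single variable holding the nginx-type set would remove the duplication.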
@@ -2389,9 +2389,9 @@ matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" matrix_nginx_proxy_proxy_jitsi_manage_wellknown: "{{ matrix_jitsi_require_well_known }}" -matrix_nginx_proxy_proxy_grafana_enabled: "{{ grafana_enabled }}" +matrix_nginx_proxy_proxy_grafana_enabled: "{{ grafana_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled }}" -matrix_nginx_proxy_proxy_ntfy_enabled: "{{ matrix_ntfy_enabled }}" +matrix_nginx_proxy_proxy_ntfy_enabled: "{{ ntfy_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" @@ -2404,7 +2404,6 @@ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: "{{ matrix_e matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled }}" -matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_enabled: "{{ matrix_ntfy_enabled }}" matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}" matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" 
@@ -2486,7 +2485,7 @@ matrix_nginx_proxy_systemd_wanted_services_list: | + (['matrix-sygnal.service'] if matrix_sygnal_enabled else []) + - (['matrix-ntfy.service'] if matrix_ntfy_enabled else []) + ([(ntfy_identifier + '.service')] if ntfy_enabled else []) + (['matrix-jitsi.service'] if matrix_jitsi_enabled else []) + @@ -2523,7 +2522,7 @@ matrix_ssl_domains_to_obtain_certificates_for: | + ([matrix_server_fqn_sygnal] if matrix_sygnal_enabled else []) + - ([matrix_server_fqn_ntfy] if matrix_ntfy_enabled else []) + ([ntfy_hostname] if ntfy_enabled else []) + (matrix_bot_postmoogle_domains if matrix_bot_postmoogle_enabled else []) + 
@@ -2886,17 +2885,39 @@ matrix_sygnal_container_http_host_bind_port: "{{ (matrix_playbook_service_host_b ###################################################################### # -# matrix-ntfy +# etke/ntfy # ###################################################################### -matrix_ntfy_enabled: false +ntfy_enabled: false -matrix_ntfy_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '2586') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +ntfy_identifier: matrix-ntfy + +ntfy_base_path: "{{ matrix_base_data_path }}/ntfy" + +ntfy_uid: "{{ matrix_user_uid }}" +ntfy_gid: "{{ matrix_user_gid }}" + +ntfy_hostname: "{{ matrix_server_fqn_ntfy }}" + +ntfy_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else ntfy_identifier }}" + +ntfy_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" + +ntfy_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '2586') if matrix_playbook_service_host_bind_interface_prefix else '' }}" + +ntfy_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" +ntfy_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +ntfy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" + +ntfy_visitor_request_limit_exempt_hosts_hostnames_auto: | + {{ + [matrix_server_fqn_matrix] + }} ###################################################################### # -# /matrix-ntfy +# /etky/ntfy # ###################################################################### diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index f5e214938..f6a83ccbc 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml 
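Review bot: The closing banner in this hunk reads `# /etky/ntfy` while the opening one reads `# etke/ntfy`; the closer should be `# /etke/ntfy`. Separately, `ntfy_container_network` joins the nginx-proxy network only for `playbook-managed-nginx`, whereas `matrix_nginx_proxy_proxy_ntfy_enabled` (the -2389 hunk above) is also true for `other-nginx-non-container`; that case appears to rely on the `ntfy_container_http_host_bind_port` host binding on port `2586` rather than a shared Docker network, which is worth a one-line comment next to `ntfy_container_network` so the asymmetry is not mistaken for a bug.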
@@ -105,7 +105,7 @@ - custom/matrix-etherpad - custom/matrix-email2matrix - custom/matrix-sygnal - - custom/matrix-ntfy + - galaxy/ntfy - custom/matrix-nginx-proxy - custom/matrix-coturn - custom/matrix-aux diff --git a/requirements.yml b/requirements.yml index 716b7c6e1..54c172ec4 100644 --- a/requirements.yml +++ b/requirements.yml @@ -42,6 +42,9 @@ - src: git+https://gitlab.com/etke.cc/roles/grafana.git version: v9.3.6-1 +- src: git+https://gitlab.com/etke.cc/roles/ntfy.git + version: v2.0.0-0 + - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git version: fb09fd26f877372417d5586f1e79e83f983f0bd6 diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index 38afb3c49..b656f074a 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml @@ -91,11 +91,6 @@ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_hostname: "{{ matrix_se matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_hostname }}`)" -matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_enabled: false -matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_hostname: "{{ matrix_server_fqn_ntfy }}" -matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" -matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_hostname }}`)" - # matrix_nginx_proxy_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. # See `../templates/labels.j2` for details. # 
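Review bot: The new ntfy role in the requirements.yml hunk is pinned by tag (`version: v2.0.0-0`), whereas the traefik entry immediately below it is pinned to a full commit hash; a tag can be retargeted upstream, so for code that the playbook executes with its own privileges the commit pin is the stronger supply-chain guarantee. The grafana entry above uses the same tag style, so this matches current practice rather than regressing it; if tags are kept, a comment recording the commit the tag resolved to at review time gives a later reader something to verify against.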
diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2 index 4565da197..1e60ba6d9 100644 --- a/roles/custom/matrix-nginx-proxy/templates/labels.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2 @@ -109,18 +109,6 @@ traefik.http.routers.matrix-nginx-proxy-sygnal.entrypoints={{ matrix_nginx_proxy {% endif %} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_enabled %} -# ntfy -traefik.http.routers.matrix-nginx-proxy-ntfy.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_rule }} -traefik.http.routers.matrix-nginx-proxy-ntfy.service=matrix-nginx-proxy-web -traefik.http.routers.matrix-nginx-proxy-ntfy.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_tls | to_json }} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_tls %} -traefik.http.routers.matrix-nginx-proxy-ntfy.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} -{% endif %} -traefik.http.routers.matrix-nginx-proxy-ntfy.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} -{% endif %} - - traefik.http.services.matrix-nginx-proxy-web.loadbalancer.server.port=8080 {% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %} diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-ntfy.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-ntfy.conf.j2 index fbae47e17..7d5c8a0ed 100644 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-ntfy.conf.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-ntfy.conf.j2 
@@ -21,7 +21,7 @@ {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-ntfy:8080"; + set $backend "matrix-ntfy:80"; proxy_pass http://$backend; {% else %} {# Generic configuration for use outside of our container setup #} diff --git a/roles/custom/matrix-ntfy/defaults/main.yml b/roles/custom/matrix-ntfy/defaults/main.yml deleted file mode 100644 index e0c90f5fb..000000000 --- a/roles/custom/matrix-ntfy/defaults/main.yml +++ /dev/null 
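Review bot: The backend is hard-coded as `matrix-ntfy:80` while the container name is now defined by `ntfy_identifier` in group_vars; if that variable is visible to the matrix-nginx-proxy role, `set $backend "{{ ntfy_identifier }}:80";` keeps the two from drifting, and otherwise a comment such as `{# must match ntfy_identifier and the in-container port of the ntfy role #}` records the coupling. The `{% else %}` branch for the non-container case continues outside the hunk.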
@@ -1,56 +0,0 @@ ---- -# Project source code URL: https://github.com/binwiederhier/ntfy - -matrix_ntfy_enabled: true - -matrix_ntfy_base_path: "{{ matrix_base_data_path }}/ntfy" -matrix_ntfy_config_dir_path: "{{ matrix_ntfy_base_path }}/config" -matrix_ntfy_data_path: "{{ matrix_ntfy_base_path }}/data" - -matrix_ntfy_version: v2.0.0 -matrix_ntfy_docker_image: "{{ matrix_container_global_registry_prefix }}binwiederhier/ntfy:{{ matrix_ntfy_version }}" -matrix_ntfy_docker_image_force_pull: "{{ matrix_ntfy_docker_image.endswith(':latest') }}" - -# Public facing base URL of the ntfy service -matrix_ntfy_base_url: "https://{{ matrix_server_fqn_ntfy }}" - -# Rate limits - -matrix_ntfy_global_topic_limit: 15000 # default -matrix_ntfy_visitor_subscription_limit: 30 # default -matrix_ntfy_visitor_request_limit_burst: 60 # default -matrix_ntfy_visitor_request_limit_replenish: "5s" # default - - -# Controls whether the container exposes its HTTP port (tcp/80 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:2586"), or empty string to not expose. -matrix_ntfy_container_http_host_bind_port: '' - -# A list of extra arguments to pass to the container (`docker run` command) -matrix_ntfy_container_extra_arguments: [] - -# Controls whether the self-check feature should validate SSL certificates. -matrix_ntfy_self_check_validate_certificates: true - -# Default ntfy configuration template which covers the generic use case. -# You can customize it by controlling the various variables inside it. -# -# For a more advanced customization, you can extend the default (see `matrix_ntfy_configuration_extension_yaml`) -# or completely replace this variable with your own template. -matrix_ntfy_configuration_yaml: "{{ lookup('template', 'templates/ntfy/server.yml.j2') }}" - -matrix_ntfy_configuration_extension_yaml: | - # Your custom YAML configuration for ntfy goes here. - # This configuration extends the default starting configuration (`matrix_ntfy_configuration_yaml`). 
- # - # You can override individual variables from the default configuration, or introduce new ones. - # - # If you need something more special, you can take full control by - # completely redefining `matrix_ntfy_configuration_yaml`. - -matrix_ntfy_configuration_extension: "{{ matrix_ntfy_configuration_extension_yaml | from_yaml if matrix_ntfy_configuration_extension_yaml | from_yaml is mapping else {} }}" - -# Holds the final ntfy configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `matrix_ntfy_configuration_yaml`. -matrix_ntfy_configuration: "{{ matrix_ntfy_configuration_yaml | from_yaml | combine(matrix_ntfy_configuration_extension, recursive=True) }}" diff --git a/roles/custom/matrix-ntfy/tasks/main.yml b/roles/custom/matrix-ntfy/tasks/main.yml deleted file mode 100644 index 85d80841d..000000000 --- a/roles/custom/matrix-ntfy/tasks/main.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- - -- block: - - when: matrix_ntfy_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: - - setup-all - - setup-ntfy - - install-all - - install-ntfy - -- block: - - when: not matrix_ntfy_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-ntfy - -- block: - - when: matrix_ntfy_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml" - tags: - - self-check diff --git a/roles/custom/matrix-ntfy/tasks/self_check.yml b/roles/custom/matrix-ntfy/tasks/self_check.yml deleted file mode 100644 index bdbd666a0..000000000 --- a/roles/custom/matrix-ntfy/tasks/self_check.yml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- - -# Query an arbitrary ntfy topic using ntfy's UnifiedPush topic name syntax. -# Expect an empty response (because we query 'since=1s'). - -- ansible.builtin.set_fact: - matrix_ntfy_url_endpoint_public: "{{ matrix_ntfy_base_url }}/upSELFCHECK123/json?poll=1&since=1s" - -- name: Check ntfy - ansible.builtin.uri: - url: "{{ matrix_ntfy_url_endpoint_public }}" - follow_redirects: none - validate_certs: "{{ matrix_ntfy_self_check_validate_certificates }}" - register: matrix_ntfy_self_check_result - check_mode: false - ignore_errors: true - delegate_to: 127.0.0.1 - become: false - -- name: Fail if ntfy not working - ansible.builtin.fail: - msg: "Failed checking ntfy is up at `{{ matrix_server_fqn_ntfy }}` (checked endpoint: `{{ matrix_ntfy_url_endpoint_public }}`). Is ntfy running? Is port 443 open in your firewall? Full error: {{ matrix_ntfy_self_check_result }}" - when: "matrix_ntfy_self_check_result.failed" - -- name: Report working ntfy - ansible.builtin.debug: - msg: "ntfy at `{{ matrix_server_fqn_ntfy }}` is working (checked endpoint: `{{ matrix_ntfy_url_endpoint_public }}`)" diff --git a/roles/custom/matrix-ntfy/tasks/setup_install.yml b/roles/custom/matrix-ntfy/tasks/setup_install.yml deleted file mode 100644 index 38adb122e..000000000 --- a/roles/custom/matrix-ntfy/tasks/setup_install.yml +++ /dev/null 
@@ -1,38 +0,0 @@ ---- - -- name: Ensure matrix-ntfy image is pulled - community.docker.docker_image: - name: "{{ matrix_ntfy_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_ntfy_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ntfy_docker_image_force_pull }}" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure matrix-ntfy paths exists - ansible.builtin.file: - path: "{{ item }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_ntfy_base_path }}" - - "{{ matrix_ntfy_config_dir_path }}" - - "{{ matrix_ntfy_data_path }}" - -- name: Ensure matrix-ntfy config installed - ansible.builtin.copy: - content: "{{ matrix_ntfy_configuration | to_nice_yaml(indent=2, width=999999) }}" - dest: "{{ matrix_ntfy_config_dir_path }}/server.yml" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure matrix-ntfy.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-ntfy.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ntfy.service" - mode: 0644 diff --git a/roles/custom/matrix-ntfy/tasks/setup_uninstall.yml b/roles/custom/matrix-ntfy/tasks/setup_uninstall.yml deleted file mode 100644 index afd826f8d..000000000 --- a/roles/custom/matrix-ntfy/tasks/setup_uninstall.yml +++ /dev/null 
@@ -1,25 +0,0 @@ ---- - -- name: Check existence of matrix-ntfy service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ntfy.service" - register: matrix_ntfy_service_stat - -- when: matrix_ntfy_service_stat.stat.exists | bool - block: - - name: Ensure matrix-ntfy is stopped - ansible.builtin.service: - name: matrix-ntfy - state: stopped - enabled: false - daemon_reload: true - - - name: Ensure matrix-ntfy.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ntfy.service" - state: absent - - - name: Ensure matrix-ntfy path doesn't exist - ansible.builtin.file: - path: "{{ matrix_ntfy_base_path }}" - state: absent diff --git a/roles/custom/matrix-ntfy/templates/ntfy/server.yml.j2 b/roles/custom/matrix-ntfy/templates/ntfy/server.yml.j2 deleted file mode 100644 index 9815fd6b4..000000000 --- a/roles/custom/matrix-ntfy/templates/ntfy/server.yml.j2 +++ /dev/null @@ -1,11 +0,0 @@ -base_url: {{ matrix_ntfy_base_url }} -behind_proxy: true -cache_file: /data/cache.db -listen-http: :8080 - -# Rate Limits -global-topic-limit: {{ matrix_ntfy_global_topic_limit | to_json }} -visitor-subscription-limit: {{ matrix_ntfy_visitor_subscription_limit | to_json }} - -visitor-request-limit-burst: {{ matrix_ntfy_visitor_request_limit_burst | to_json }} -visitor-request-limit-replenish: "{{ matrix_ntfy_visitor_request_limit_replenish }}" diff --git a/roles/custom/matrix-ntfy/templates/systemd/matrix-ntfy.service.j2 b/roles/custom/matrix-ntfy/templates/systemd/matrix-ntfy.service.j2 deleted file mode 100644 index 5c2feac01..000000000 --- a/roles/custom/matrix-ntfy/templates/systemd/matrix-ntfy.service.j2 +++ /dev/null 
@@ -1,39 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=matrix-ntfy -After=docker.service -Requires=docker.service -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-ntfy 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-ntfy 2>/dev/null || true' - -ExecStart={{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-ntfy \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - --env NTFY_VISITOR_REQUEST_LIMIT_EXEMPT_HOSTS={{matrix_server_fqn_matrix}},localhost,$(docker network inspect {{matrix_docker_network}} -f "{% raw %}{{ (index .IPAM.Config 0).Subnet }}{% endraw %}") \ - {% for arg in matrix_ntfy_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - --network={{ matrix_docker_network }} \ - {% if matrix_ntfy_container_http_host_bind_port %} - -p {{ matrix_ntfy_container_http_host_bind_port }}:8080 \ - {% endif %} - --mount type=bind,src={{ matrix_ntfy_config_dir_path }},dst=/etc/ntfy,ro \ - --mount type=bind,src={{ matrix_ntfy_data_path }},dst=/data \ - {{ matrix_ntfy_docker_image }} \ - serve' - -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-ntfy 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-ntfy 2>/dev/null || true' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-ntfy - -[Install] -WantedBy=multi-user.target 
diff --git a/roles/custom/matrix_playbook_migration/defaults/main.yml b/roles/custom/matrix_playbook_migration/defaults/main.yml index 038676798..f8ccc88a5 100644 --- a/roles/custom/matrix_playbook_migration/defaults/main.yml +++ b/roles/custom/matrix_playbook_migration/defaults/main.yml @@ -11,3 +11,6 @@ matrix_playbook_migration_matrix_backup_borg_migration_validation_enabled: true # Controls if (`matrix_grafana` -> `grafana`) validation will run. matrix_playbook_migration_matrix_grafana_migration_validation_enabled: true + +# Controls if (`matrix_ntfy` -> `ntfy`) validation will run. +matrix_playbook_migration_matrix_ntfy_migration_validation_enabled: true diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index 2ac04ecea..80f101974 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml @@ -82,7 +82,7 @@ when: "matrix_playbook_migration_matrix_prometheus_postgres_exporter_migration_vars | length > 0" - when: matrix_playbook_migration_matrix_backup_borg_migration_validation_enabled | bool - block: + block:ntfy - ansible.builtin.set_fact: matrix_playbook_migration_backup_borg_migration_vars: |- {{ vars | dict2items | selectattr('key', 'match', 'matrix_backup_borg_.*') | list | items2dict }} 
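Review bot: `block:ntfy` in the matrix_backup_borg validation task is a stray edit that turns the `block` mapping key into the plain scalar `block:ntfy`, so Ansible can no longer parse this task and every run of the playbook fails. The line should stay `block:`. The follow-up commit b291459b on this page reverts exactly this change, so the two could be squashed to keep the history bisectable. The enclosing task list continues outside the hunk.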
@@ -110,3 +110,18 @@ Please change your configuration (vars.yml) to rename all variables (`matrix_grafana_` -> `grafana_`). We found usage of the following variables: {{ matrix_playbook_migration_grafana_migration_vars.keys() | join(', ') }} when: "matrix_playbook_migration_grafana_migration_vars | length > 0" + +- when: matrix_playbook_migration_matrix_ntfy_migration_validation_enabled | bool + block: + - ansible.builtin.set_fact: + matrix_playbook_migration_ntfy_migration_vars: |- + {{ vars | dict2items | selectattr('key', 'match', 'matrix_ntfy_.*') | list | items2dict }} + + - name: (Deprecation) Catch and report matrix_ntfy variables + ansible.builtin.fail: + msg: >- + The matrix-ntfy role that used to be part of this playbook has been replaced by https://gitlab.com/etke.cc/roles/ntfy. + The new role is compatible with the old one, but uses different names for its variables. + Please change your configuration (vars.yml) to rename all variables (`matrix_ntfy_` -> `ntfy_`). + We found usage of the following variables: {{ matrix_playbook_migration_ntfy_migration_vars.keys() | join(', ') }} + when: "matrix_playbook_migration_ntfy_migration_vars | length > 0" From b291459bf33d0a6a43b305dd5add202d417a3c6d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Feb 2023 10:13:34 +0200 Subject: [PATCH 448/915] Fix syntax error --- .../custom/matrix_playbook_migration/tasks/validate_config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index 80f101974..c17bec69d 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml 
@@ -82,7 +82,7 @@ when: "matrix_playbook_migration_matrix_prometheus_postgres_exporter_migration_vars | length > 0" - when: matrix_playbook_migration_matrix_backup_borg_migration_validation_enabled | bool - block:ntfy + block: - ansible.builtin.set_fact: matrix_playbook_migration_backup_borg_migration_vars: |- {{ vars | dict2items | selectattr('key', 'match', 'matrix_backup_borg_.*') | list | items2dict }} From 0ce2121d01d79be4b6c04a4670b99b7ca2a92b76 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Feb 2023 14:59:22 +0200 Subject: [PATCH 449/915] Fix variable typo in validation task --- roles/custom/matrix-client-element/tasks/validate_config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/tasks/validate_config.yml b/roles/custom/matrix-client-element/tasks/validate_config.yml index 658542fb7..fdf42df7a 100644 --- a/roles/custom/matrix-client-element/tasks/validate_config.yml +++ b/roles/custom/matrix-client-element/tasks/validate_config.yml @@ -35,7 +35,7 @@ You need to define a required configuration setting (`{{ item }}`). when: "vars[item] == ''" with_items: - - matrix_synapse_admin_container_labels_traefik_hostname + - matrix_client_element_container_labels_traefik_hostname - matrix_client_element_container_labels_traefik_path_prefix # We ensure it doesn't end with a slash, because we handle both (slash and no-slash). From 519b32543c5feebc9980dd058d0185b907b458b1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Feb 2023 16:13:38 +0200 Subject: [PATCH 450/915] Add matrix_synapse_container_network and matrix_synapse_container_additional_networks --- roles/custom/matrix-synapse/defaults/main.yml | 10 +++++++++- .../matrix-synapse/tasks/synapse/setup_install.yml | 5 +++++ .../synapse/systemd/matrix-synapse-worker.service.j2 | 9 ++++++++- .../synapse/systemd/matrix-synapse.service.j2 | 11 ++++++++++- 4 files changed, 32 insertions(+), 3 deletions(-) 
diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 93d1ee021..c86db72e6 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -69,6 +69,14 @@ matrix_synapse_container_federation_api_tls_port: 8448 matrix_synapse_container_federation_api_plain_port: 8048 +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_synapse_container_network: "{{ matrix_docker_network }}" + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_synapse_container_additional_networks: [] + # Controls whether the matrix-synapse container exposes the Client/Server API port (tcp/{{ matrix_synapse_container_client_api_port }} in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8008"), or empty string to not expose. @@ -661,7 +669,7 @@ matrix_synapse_redis_password: "" # # If Redis is available, we prefer to use that, instead of talking over Synapse's custom replication protocol. # -# matrix_synapse_replication_listener_enabled: "{{ matrix_synapse_workers_enabled and not matrix_redis_enabled }}" +# matrix_synapse_replication_listener_enabled: "{{ matrix_synapse_workers_enabled and not redis_enabled }}" # We force-enable this listener for now until we debug why communication via Redis fails. matrix_synapse_replication_listener_enabled: true diff --git a/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml b/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml index 2c6f05b7f..773a7518e 100644 --- a/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml 
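Review bot: The comment on `matrix_synapse_container_additional_networks` explains when to use the list but not what it widens: every container on an attached network can reach Synapse's listener ports directly (client API, federation, and metrics/manhole where those are enabled), not only through the reverse proxy the network is meant to expose it to. Making that explicit helps operators keep the list minimal, e.g. `# Note: any container on a listed network can reach Synapse's ports directly (bypassing the reverse proxy), so only add networks that need it.` The second hunk in this file only edits a commented-out example line and needs nothing further.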
@@ -122,6 +122,11 @@ dest: "{{ matrix_synapse_config_dir_path }}/{{ matrix_server_fqn_matrix }}.log.config" mode: 0644 +- name: Ensure Synapse container network is created + community.general.docker_network: + name: "{{ matrix_synapse_container_network }}" + driver: bridge + - name: Ensure matrix-synapse.service installed ansible.builtin.template: src: "{{ role_path }}/templates/synapse/systemd/matrix-synapse.service.j2" diff --git a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 index 3d50ac9bc..e1e439958 100644 --- a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 @@ -14,7 +14,9 @@ ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_s # Intentional delay, so that the homeserver can manage to start. ExecStartPre={{ matrix_host_command_sleep }} 5 -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {{ matrix_synapse_worker_container_name }} \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name={{ matrix_synapse_worker_container_name }} \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ 
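Review bot: The new task uses `community.general.docker_network`, while the rest of this playbook's Docker tasks use the `community.docker` collection (see `community.docker.docker_image` in the deleted role files above), which is where the Docker modules live today; the `community.general` name only resolves through a collection redirect. Prefer `community.docker.docker_network:` so the dependency is explicit and consistent. The task also runs unconditionally, which is fine for the default `matrix_docker_network` but is worth a comment for anyone who points `matrix_synapse_container_network` at a network managed elsewhere, e.g. `# Creates the network if missing; harmless when it already exists.`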
@@ -45,6 +47,11 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {{ matrix_synapse_docker_image_final }} \ run -m synapse.app.{{ matrix_synapse_worker_details.app }} -c /data/homeserver.yaml -c /data/{{ matrix_synapse_worker_config_file_name }} +{% for network in matrix_synapse_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} {{ matrix_synapse_worker_container_name }} +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach {{ matrix_synapse_worker_container_name }} ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_synapse_worker_container_name }} 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_synapse_worker_container_name }} 2>/dev/null || true' diff --git a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 7f6c2336a..1c23c8ac6 100644 --- a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -30,7 +30,9 @@ ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_s ExecStartPre={{ matrix_host_command_sleep }} 3 {% endif %} -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-synapse \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-synapse \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ 
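Review bot: The `network connect` loop attaches only the additional networks; the primary `--network=` flag sits outside these hunks, and if it still references `matrix_docker_network` then the new `matrix_synapse_container_network` variable (and the network the install task now creates) is not what the container actually joins — worth confirming, and the same applies to the matrix-synapse.service.j2 hunks that follow. Because an `ExecStartPre` line without a leading `-` is fatal, a missing additional network now prevents the unit from starting at all; that matches the defaults comment ("make sure they already exist"), but a short note above the loop, e.g. `# Networks listed here must already exist; a failed connect aborts the unit start.`, saves a debugging round. The ExecStart/ExecStop sequence of the unit continues outside the hunk.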
@@ -63,8 +65,15 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {{ matrix_synapse_docker_image_final }} \ run -m synapse.app.homeserver -c /data/homeserver.yaml +{% for network in matrix_synapse_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-synapse +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-synapse + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-synapse 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-synapse 2>/dev/null || true' + ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-synapse /bin/sh -c 'kill -HUP 1' Restart=always RestartSec=30 From 990a6369e13f7f70e5bc544f55ea99727c554aaa Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Fri, 17 Feb 2023 16:23:59 +0200 Subject: [PATCH 451/915] Switch to using an external Redis role --- CHANGELOG.md | 8 +++ group_vars/matrix_servers | 30 +++++++++--- playbooks/matrix.yml | 2 +- requirements.yml | 3 ++ roles/custom/matrix-redis/defaults/main.yml | 25 ---------- roles/custom/matrix-redis/tasks/main.yml | 17 ------- .../matrix-redis/tasks/setup_install.yml | 49 ------------------- .../matrix-redis/tasks/setup_uninstall.yml | 31 ------------ .../matrix-redis/templates/redis.conf.j2 | 4 -- .../templates/systemd/matrix-redis.service.j2 | 37 -------------- .../defaults/main.yml | 3 ++ .../tasks/validate_config.yml | 15 ++++++ 12 files changed, 52 insertions(+), 172 deletions(-) delete mode 100644 roles/custom/matrix-redis/defaults/main.yml delete mode 100644 roles/custom/matrix-redis/tasks/main.yml delete mode 100644 roles/custom/matrix-redis/tasks/setup_install.yml delete mode 100644 roles/custom/matrix-redis/tasks/setup_uninstall.yml delete mode 100644 roles/custom/matrix-redis/templates/redis.conf.j2 delete mode 100644 roles/custom/matrix-redis/templates/systemd/matrix-redis.service.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 493315b72..5fea8b789 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,13 @@ # 2023-02-17 +## The matrix-redis role lives independently now + +**TLDR**: the `matrix-redis` role is now included from another repository. Some variables have been renamed. All functionality remains intact. + +The `matrix-redis` role (which configures [Redis](https://redis.io/)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/redis). This makes it possible to easily use it in other Ansible playbooks. + +You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're enabling Ntfy or not. If you're making use of Ntfy via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_redis_` -> `redis_`). + ## The matrix-ntfy role lives independently now **TLDR**: the `matrix-ntfy` role is now included from another repository. Some variables have been renamed. All functionality remains intact. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 32b99629c..1cd84c6b5 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -340,7 +340,7 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-prometheus-nginxlog-exporter.service', 'priority': 3900, 'groups': ['matrix', 'monitoring', 'prometheus', 'prometheus-exporters']}] if matrix_prometheus_nginxlog_exporter_enabled else []) + - ([{'name': 'matrix-redis', 'priority': 750, 'groups': ['matrix', 'redis']}] if matrix_redis_enabled else []) + ([{'name': (redis_identifier + '.service'), 'priority': 750, 'groups': ['matrix', 'redis']}] if redis_enabled else []) + ([{'name': 'matrix-registration.service', 'priority': 4000, 'groups': ['matrix', 'registration']}] if matrix_registration_enabled else []) + 
@@ -2923,15 +2923,22 @@ ntfy_visitor_request_limit_exempt_hosts_hostnames_auto: | ###################################################################### # -# matrix-redis +# etke/redis # ###################################################################### -matrix_redis_enabled: "{{ matrix_synapse_workers_enabled }}" +redis_enabled: "{{ matrix_synapse_workers_enabled }}" + +redis_identifier: matrix-redis + +redis_uid: "{{ matrix_user_uid }}" +redis_gid: "{{ matrix_user_gid }}" + +redis_base_path: "{{ matrix_base_data_path }}/redis" ###################################################################### # -# /matrix-redis +# /etle/redis # ###################################################################### @@ -3077,7 +3084,12 @@ matrix_synapse_container_metrics_api_host_bind_port: "{{ (matrix_playbook_servic # # For exposing the Synapse Manhole port (plain HTTP) to the local host. matrix_synapse_container_manhole_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9000') if matrix_synapse_metrics_enabled and matrix_playbook_service_host_bind_interface_prefix else '' }}" -# + +matrix_synapse_container_additional_networks: | + {{ + ([redis_container_network] if matrix_synapse_redis_enabled and matrix_synapse_redis_host == redis_identifier else []) + }} + # For exposing the Synapse worker (and metrics) ports to the local host. matrix_synapse_workers_container_host_bind_address: "{{ matrix_playbook_service_host_bind_interface_prefix[0:-1] if (matrix_synapse_workers_enabled and matrix_playbook_service_host_bind_interface_prefix) else '' }}" @@ -3134,6 +3146,8 @@ matrix_synapse_systemd_required_services_list: | + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + + ([redis_identifier ~ '.service'] if matrix_synapse_redis_enabled and matrix_synapse_redis_host == redis_identifier else []) + + (['matrix-goofys.service'] if matrix_s3_media_store_enabled else []) }} 
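Review bot: The closing section comment `# /etle/redis` is misspelled and should mirror the opening `# etke/redis`. In the later hunks of this line, `matrix_synapse_container_additional_networks` and `matrix_synapse_systemd_required_services_list` both repeat the guard `matrix_synapse_redis_enabled and matrix_synapse_redis_host == redis_identifier`; if that expresses "Synapse uses the playbook-managed Redis", a single helper variable would keep the two from drifting apart. Connecting Synapse to `redis_container_network` explicitly rather than sharing one network is a sensible narrowing of reachability, provided that variable is a dedicated network in the external role — its definition is not visible on this page.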
@@ -3145,9 +3159,9 @@ matrix_synapse_systemd_wanted_services_list: | }} # Synapse workers (used for parallel load-scaling) need Redis for IPC. -matrix_synapse_redis_enabled: "{{ matrix_redis_enabled }}" -matrix_synapse_redis_host: "{{ 'matrix-redis' if matrix_redis_enabled else '' }}" -matrix_synapse_redis_password: "{{ matrix_redis_connection_password if matrix_redis_enabled else '' }}" +matrix_synapse_redis_enabled: "{{ redis_enabled }}" +matrix_synapse_redis_host: "{{ redis_identifier if redis_enabled else '' }}" +matrix_synapse_redis_password: "{{ redis_connection_password if redis_enabled else '' }}" matrix_synapse_container_extra_arguments_auto: "{{ matrix_homeserver_container_extra_arguments_auto }}" matrix_synapse_app_service_config_files_auto: "{{ matrix_homeserver_app_service_config_files_auto }}" diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index f6a83ccbc..6980a6f9b 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml @@ -43,7 +43,7 @@ - role: galaxy/com.devture.ansible.role.postgres - - custom/matrix-redis + - galaxy/redis - custom/matrix-corporal - custom/matrix-bridge-appservice-discord - custom/matrix-bridge-appservice-slack diff --git a/requirements.yml b/requirements.yml index 54c172ec4..cc270a6c5 100644 --- a/requirements.yml +++ b/requirements.yml @@ -45,6 +45,9 @@ - src: git+https://gitlab.com/etke.cc/roles/ntfy.git version: v2.0.0-0 +- src: git+https://gitlab.com/etke.cc/roles/redis.git + version: v7.0.7-0 + - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git version: fb09fd26f877372417d5586f1e79e83f983f0bd6 diff --git a/roles/custom/matrix-redis/defaults/main.yml b/roles/custom/matrix-redis/defaults/main.yml deleted file mode 100644 index 779ec3a30..000000000 --- a/roles/custom/matrix-redis/defaults/main.yml +++ /dev/null 
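Review bot: The new `redis.git` requirement is pinned to the tag `v7.0.7-0`, whereas the traefik role in the same file is pinned to a commit hash; a tag is a mutable reference the upstream repository can move, so `just roles`/`make roles` may fetch different content over time without any change to this file. Pinning to the commit the tag currently resolves to (as done for traefik) gives a reproducible, auditable dependency; the ntfy entry above has the same exposure. The group_vars hunk in this line now derives `matrix_synapse_redis_password` from `redis_connection_password`, whose default is not visible here — confirm the external role defines it, otherwise `redis_enabled: true` leaves Synapse with an undefined variable.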
@@ -1,25 +0,0 @@ ---- -# Project source code URL: https://github.com/redis/redis - -matrix_redis_enabled: true - -matrix_redis_connection_password: "" - -matrix_redis_base_path: "{{ matrix_base_data_path }}/redis" -matrix_redis_data_path: "{{ matrix_redis_base_path }}/data" - -matrix_redis_version: 7.0.7-alpine -matrix_redis_docker_image_v6: "{{ matrix_container_global_registry_prefix }}redis:{{ matrix_redis_version }}" -matrix_redis_docker_image_latest: "{{ matrix_redis_docker_image_v6 }}" -matrix_redis_docker_image_to_use: '{{ matrix_redis_docker_image_latest }}' - -matrix_redis_docker_image_force_pull: "{{ matrix_redis_docker_image_to_use.endswith(':latest') }}" - -# A list of extra arguments to pass to the container -matrix_redis_container_extra_arguments: [] - -# Controls whether the matrix-redis container exposes a port (tcp/6379 in the container) -# that can be used to access redis from outside the container -# -# Takes an ":" or "" value (e.g. "127.0.0.1:6379"), or empty string to not expose. -matrix_redis_container_redis_bind_port: "" diff --git a/roles/custom/matrix-redis/tasks/main.yml b/roles/custom/matrix-redis/tasks/main.yml deleted file mode 100644 index 296400059..000000000 --- a/roles/custom/matrix-redis/tasks/main.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- - -- block: - - when: matrix_redis_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: - - setup-all - - setup-redis - - install-all - - install-redis - -- block: - - when: not matrix_redis_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-redis diff --git a/roles/custom/matrix-redis/tasks/setup_install.yml b/roles/custom/matrix-redis/tasks/setup_install.yml deleted file mode 100644 index 1384c042c..000000000 --- a/roles/custom/matrix-redis/tasks/setup_install.yml +++ /dev/null 
@@ -1,49 +0,0 @@ ---- - -- name: Ensure redis Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_redis_docker_image_to_use }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_redis_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_redis_docker_image_force_pull }}" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure redis paths exist - ansible.builtin.file: - path: "{{ item }}" - state: directory - mode: 0700 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - with_items: - - "{{ matrix_redis_base_path }}" - - "{{ matrix_redis_data_path }}" - -# We do this as a separate task, because: -# - we'd like to do it for the data path only, not for the base path (which contains root-owned environment variable files we'd like to leave as-is) -# - we need to do it without `mode`, or we risk making certain `.conf` and other files's executable bit to flip to true -- name: Ensure redis data path ownership is correct - ansible.builtin.file: - path: "{{ matrix_redis_data_path }}" - state: directory - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - recurse: true - -- name: Ensure redis environment variables file created - ansible.builtin.template: - src: "{{ role_path }}/templates/{{ item }}.j2" - dest: "{{ matrix_redis_base_path }}/{{ item }}" - mode: 0644 - with_items: - - "redis.conf" - -- name: Ensure matrix-redis.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-redis.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-redis.service" - mode: 0644 - register: 
matrix_redis_systemd_service_result diff --git a/roles/custom/matrix-redis/tasks/setup_uninstall.yml b/roles/custom/matrix-redis/tasks/setup_uninstall.yml deleted file mode 100644 index e2bbc9e44..000000000 --- a/roles/custom/matrix-redis/tasks/setup_uninstall.yml +++ /dev/null @@ -1,31 +0,0 @@ ---- - -- name: Check existence of matrix-redis service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-redis.service" - register: matrix_redis_service_stat - -- when: matrix_redis_service_stat.stat.exists | bool - block: - - name: Ensure matrix-redis is stopped - ansible.builtin.service: - name: matrix-redis - state: stopped - enabled: false - daemon_reload: true - - - name: Ensure matrix-redis.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-redis.service" - state: absent - -- name: Check existence of matrix-redis local data path - ansible.builtin.stat: - path: "{{ matrix_redis_data_path }}" - register: matrix_redis_data_path_stat - -# We just want to notify the user. Deleting data is too destructive. -- name: Notify if matrix-redis local data remains - ansible.builtin.debug: - msg: "Note: You are not using a local redis instance, but some old data remains from before in `{{ matrix_redis_data_path }}`. Feel free to delete it." - when: matrix_redis_data_path_stat.stat.exists | bool diff --git a/roles/custom/matrix-redis/templates/redis.conf.j2 b/roles/custom/matrix-redis/templates/redis.conf.j2 deleted file mode 100644 index 343713566..000000000 --- a/roles/custom/matrix-redis/templates/redis.conf.j2 +++ /dev/null @@ -1,4 +0,0 @@ -#jinja2: lstrip_blocks: "True" -{% if matrix_redis_connection_password %} -requirepass {{ matrix_redis_connection_password }} -{% endif %} diff --git a/roles/custom/matrix-redis/templates/systemd/matrix-redis.service.j2 b/roles/custom/matrix-redis/templates/systemd/matrix-redis.service.j2 deleted file mode 100644 index 5f6699f83..000000000 
--- a/roles/custom/matrix-redis/templates/systemd/matrix-redis.service.j2 +++ /dev/null @@ -1,37 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix Redis server -After=docker.service -Requires=docker.service - -[Service] -Type=simple -ExecStartPre=-/usr/bin/docker stop matrix-redis -ExecStartPre=-/usr/bin/docker rm matrix-redis - -ExecStart=/usr/bin/docker run --rm --name matrix-redis \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - --tmpfs=/tmp:rw,noexec,nosuid,size=100m \ - --network={{ matrix_docker_network }} \ - {% if matrix_redis_container_redis_bind_port %} - -p {{ matrix_redis_container_redis_bind_port }}:6379 \ - {% endif %} - --mount type=bind,src={{ matrix_redis_base_path }}/redis.conf,dst=/usr/local/etc/redis/redis.conf,ro \ - --mount type=bind,src={{ matrix_redis_data_path }},dst=/data \ - {% for arg in matrix_redis_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_redis_docker_image_to_use }} \ - redis-server /usr/local/etc/redis/redis.conf - -ExecStop=-/usr/bin/docker stop matrix-redis -ExecStop=-/usr/bin/docker rm matrix-redis -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-redis - -[Install] -WantedBy=multi-user.target diff --git a/roles/custom/matrix_playbook_migration/defaults/main.yml b/roles/custom/matrix_playbook_migration/defaults/main.yml index f8ccc88a5..514125ec0 100644 --- a/roles/custom/matrix_playbook_migration/defaults/main.yml +++ b/roles/custom/matrix_playbook_migration/defaults/main.yml @@ -14,3 +14,6 @@ matrix_playbook_migration_matrix_grafana_migration_validation_enabled: true # Controls if (`matrix_ntfy` -> `ntfy`) validation will run. matrix_playbook_migration_matrix_ntfy_migration_validation_enabled: true + +# Controls if (`matrix_redis` -> `redis`) validation will run. +matrix_playbook_migration_matrix_redis_migration_validation_enabled: true 
diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index c17bec69d..7afd21540 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml @@ -125,3 +125,18 @@ Please change your configuration (vars.yml) to rename all variables (`matrix_ntfy_` -> `ntfy_`). We found usage of the following variables: {{ matrix_playbook_migration_ntfy_migration_vars.keys() | join(', ') }} when: "matrix_playbook_migration_ntfy_migration_vars | length > 0" + +- when: matrix_playbook_migration_matrix_redis_migration_validation_enabled | bool + block: + - ansible.builtin.set_fact: + matrix_playbook_migration_redis_migration_vars: |- + {{ vars | dict2items | selectattr('key', 'match', 'matrix_redis_.*') | list | items2dict }} + + - name: (Deprecation) Catch and report matrix_redis variables + ansible.builtin.fail: + msg: >- + The matrix-redis role that used to be part of this playbook has been replaced by https://gitlab.com/etke.cc/roles/redis. + The new role is compatible with the old one, but uses different names for its variables. + Please change your configuration (vars.yml) to rename all variables (`matrix_redis_` -> `redis_`). + We found usage of the following variables: {{ matrix_playbook_migration_redis_migration_vars.keys() | join(', ') }} + when: "matrix_playbook_migration_redis_migration_vars | length > 0" From 154d077ec736eb776ca01a3d20b6d7263d9be875 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Feb 2023 16:24:10 +0200 Subject: [PATCH 452/915] Upgrade ntfy (v2.0.0-0 -> v2.0.0-1) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index cc270a6c5..e1f419faf 100644 --- a/requirements.yml +++ b/requirements.yml 
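Review bot: The `set_fact` task in the new redis deprecation block has no `name:`, so it appears as an anonymous task in playbook output; `- name: Collect matrix_redis_* variables for the deprecation check` above `ansible.builtin.set_fact:` would match the named fail task that follows it. The `match` test anchors at the start of the key, so the fact variable itself and the renamed `matrix_synapse_redis_*` variables are not caught, which is the intended behaviour.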
@@ -43,7 +43,7 @@ version: v9.3.6-1 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git - version: v2.0.0-0 + version: v2.0.0-1 - src: git+https://gitlab.com/etke.cc/roles/redis.git version: v7.0.7-0 From 632026513e577127ff06bd9cc845cf88ada28192 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Feb 2023 17:16:50 +0200 Subject: [PATCH 453/915] Add matrix_synapse_uid, matrix_synapse_gid and matrix_synapse_username --- group_vars/matrix_servers | 4 ++++ roles/custom/matrix-synapse/defaults/main.yml | 4 ++++ .../ext/encryption-disabler/setup_install.yml | 4 ++-- .../ext/mjolnir-antispam/setup_install.yml | 2 +- .../tasks/ext/rest-auth/setup_install.yml | 4 ++-- .../ext/s3-storage-provider/setup_install.yml | 4 ++-- .../ext/shared-secret-auth/setup_install.yml | 4 ++-- .../synapse-simple-antispam/setup_install.yml | 2 +- .../tasks/goofys/setup_install.yml | 4 ++-- .../tasks/import_media_store.yml | 4 ++-- .../compress_room.yml | 2 +- .../rust-synapse-compress-state/main.yml | 4 ++-- .../matrix-synapse/tasks/setup_install.yml | 4 ++-- .../tasks/synapse/setup_install.yml | 20 +++++++++---------- .../workers/util/setup_files_for_worker.yml | 4 ++-- .../matrix-synapse/tasks/validate_config.yml | 14 ++++++++----- .../goofys/systemd/matrix-goofys.service.j2 | 2 +- .../systemd/matrix-synapse-worker.service.j2 | 2 +- .../synapse/systemd/matrix-synapse.service.j2 | 2 +- 19 files changed, 51 insertions(+), 39 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 1cd84c6b5..e47f1e60d 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -3071,6 +3071,10 @@ matrix_client_cinny_self_check_validate_certificates: "{{ false if matrix_playbo matrix_synapse_enabled: "{{ matrix_homeserver_implementation == 'synapse' }}" +matrix_synapse_username: "{{ matrix_user_username }}" +matrix_synapse_uid: "{{ matrix_user_uid }}" +matrix_synapse_gid: "{{ matrix_user_gid }}" + matrix_synapse_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" # When ma1sd is enabled, we can use it to validate phone numbers. It's something that the homeserver cannot do by itself. diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index c86db72e6..86f1f23ed 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -4,6 +4,10 @@ matrix_synapse_enabled: true +matrix_synapse_username: '' +matrix_synapse_uid: '' +matrix_synapse_gid: '' + matrix_synapse_container_image_self_build: false matrix_synapse_container_image_self_build_repo: "https://github.com/matrix-org/synapse.git" diff --git a/roles/custom/matrix-synapse/tasks/ext/encryption-disabler/setup_install.yml b/roles/custom/matrix-synapse/tasks/ext/encryption-disabler/setup_install.yml index 6ba5946d9..3725545fd 100644 --- a/roles/custom/matrix-synapse/tasks/ext/encryption-disabler/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/ext/encryption-disabler/setup_install.yml @@ -6,8 +6,8 @@ dest: "{{ matrix_synapse_ext_path }}/matrix_e2ee_filter.py" force: true mode: 0440 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + owner: "{{ matrix_synapse_uid }}" + group: "{{ matrix_synapse_gid }}" register: result retries: "{{ devture_playbook_help_geturl_retries_count }}" delay: "{{ devture_playbook_help_geturl_retries_delay }}" 
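Review bot: The three new variables added to roles/custom/matrix-synapse/defaults/main.yml are undocumented, and they are used differently across this commit: `matrix_synapse_username` is passed to `become_user`, while `matrix_synapse_uid`/`matrix_synapse_gid` go to file `owner`/`group` and the containers' `--user` flag, so the name must exist on the host and the numeric ids must agree with it. A comment above them such as `# The system user Synapse runs as: username is used for become_user, uid/gid for file ownership and the container --user flag. All three are required (see validate_config.yml).` would make that contract explicit. The empty-string defaults are filled from `matrix_user_*` in group_vars/matrix_servers in the same commit, which is consistent with the validation it adds.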
diff --git a/roles/custom/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml b/roles/custom/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml index 5d36a2348..f32188080 100644 --- a/roles/custom/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml @@ -11,7 +11,7 @@ version: "{{ matrix_synapse_ext_spam_checker_mjolnir_antispam_git_version }}" dest: "{{ matrix_synapse_ext_path }}/mjolnir" become: true - become_user: "{{ matrix_user_username }}" + become_user: "{{ matrix_synapse_username }}" - ansible.builtin.set_fact: matrix_synapse_spam_checker: > diff --git a/roles/custom/matrix-synapse/tasks/ext/rest-auth/setup_install.yml b/roles/custom/matrix-synapse/tasks/ext/rest-auth/setup_install.yml index 3c4d8cb5d..ad58830a6 100644 --- a/roles/custom/matrix-synapse/tasks/ext/rest-auth/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/ext/rest-auth/setup_install.yml @@ -11,8 +11,8 @@ dest: "{{ matrix_synapse_ext_path }}/rest_auth_provider.py" force: true mode: 0440 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + owner: "{{ matrix_synapse_uid }}" + group: "{{ matrix_synapse_gid }}" register: result retries: "{{ devture_playbook_help_geturl_retries_count }}" delay: "{{ devture_playbook_help_geturl_retries_delay }}" diff --git a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_install.yml b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_install.yml index c892e0b6f..384f16815 100644 --- a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_install.yml 
@@ -12,8 +12,8 @@ path: "{{ item }}" state: directory mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + owner: "{{ matrix_synapse_uid }}" + group: "{{ matrix_synapse_gid }}" with_items: - "{{ matrix_synapse_ext_s3_storage_provider_base_path }}" - "{{ matrix_synapse_ext_s3_storage_provider_bin_path }}" diff --git a/roles/custom/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml b/roles/custom/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml index 6dead7360..c974bd2cf 100644 --- a/roles/custom/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml @@ -16,8 +16,8 @@ dest: "{{ matrix_synapse_ext_path }}/shared_secret_authenticator.py" force: true mode: 0440 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + owner: "{{ matrix_synapse_uid }}" + group: "{{ matrix_synapse_gid }}" register: result retries: "{{ devture_playbook_help_geturl_retries_count }}" delay: "{{ devture_playbook_help_geturl_retries_delay }}" diff --git a/roles/custom/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml b/roles/custom/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml index 15fe220ab..e62c62dfe 100644 --- a/roles/custom/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml @@ -16,7 +16,7 @@ version: "{{ matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_version }}" dest: "{{ matrix_synapse_ext_path }}/synapse-simple-antispam" become: true - become_user: "{{ matrix_user_username }}" + become_user: "{{ matrix_synapse_username }}" - ansible.builtin.set_fact: matrix_synapse_modules: > diff --git a/roles/custom/matrix-synapse/tasks/goofys/setup_install.yml b/roles/custom/matrix-synapse/tasks/goofys/setup_install.yml index 7fd4659d7..dd6d3e922 100644 
--- a/roles/custom/matrix-synapse/tasks/goofys/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/goofys/setup_install.yml @@ -27,8 +27,8 @@ path: "{{ matrix_s3_media_store_path }}" state: directory mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + owner: "{{ matrix_synapse_uid }}" + group: "{{ matrix_synapse_gid }}" when: "not local_path_matrix_s3_media_store_path_stat.failed and not local_path_matrix_s3_media_store_path_stat.stat.exists" - name: Ensure goofys environment variables file created diff --git a/roles/custom/matrix-synapse/tasks/import_media_store.yml b/roles/custom/matrix-synapse/tasks/import_media_store.yml index bdd99ca4d..a6c085874 100644 --- a/roles/custom/matrix-synapse/tasks/import_media_store.yml +++ b/roles/custom/matrix-synapse/tasks/import_media_store.yml @@ -66,8 +66,8 @@ - name: Ensure media store permissions are correct (generic case) ansible.builtin.file: path: "{{ matrix_synapse_media_store_path }}" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + owner: "{{ matrix_synapse_uid }}" + group: "{{ matrix_synapse_gid }}" recurse: true when: "not matrix_s3_media_store_enabled | bool" diff --git a/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml b/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml index 4eafad1fb..1d71fea64 100644 --- a/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml +++ b/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml 
@@ -7,7 +7,7 @@ ansible.builtin.set_fact: matrix_synapse_rust_synapse_compress_state_compress_room_command: >- {{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-rust-synapse-compress-state-compress-room - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --user={{ matrix_synapse_uid }}:{{ matrix_synapse_gid }} --cap-drop=ALL --network={{ matrix_docker_network }} --mount type=bind,src={{ matrix_synapse_rust_synapse_compress_state_base_path }},dst=/work diff --git a/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/main.yml b/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/main.yml index 45716ef03..8f781e519 100644 --- a/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/main.yml +++ b/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/main.yml @@ -39,8 +39,8 @@ path: "{{ matrix_synapse_rust_synapse_compress_state_base_path }}" state: directory mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + owner: "{{ matrix_synapse_uid }}" + group: "{{ matrix_synapse_gid }}" - name: Ensure rust-synapse-compress-state image is pulled community.docker.docker_image: diff --git a/roles/custom/matrix-synapse/tasks/setup_install.yml b/roles/custom/matrix-synapse/tasks/setup_install.yml index 921df753e..c8b191ec2 100644 --- a/roles/custom/matrix-synapse/tasks/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/setup_install.yml @@ -5,8 +5,8 @@ path: "{{ item.path }}" state: directory mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + owner: "{{ matrix_synapse_uid }}" + group: "{{ matrix_synapse_gid }}" with_items: - {path: "{{ matrix_synapse_config_dir_path }}", when: true} - {path: "{{ matrix_synapse_ext_path }}", when: true} diff --git a/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml b/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml index 773a7518e..7a7b5ed37 100644 
--- a/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml @@ -14,8 +14,8 @@ path: "{{ matrix_synapse_media_store_path }}" state: directory mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + owner: "{{ matrix_synapse_uid }}" + group: "{{ matrix_synapse_gid }}" when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists" - when: "matrix_synapse_container_image_self_build | bool" @@ -27,7 +27,7 @@ version: "{{ matrix_synapse_docker_image.split(':')[1] }}" force: "yes" become: true - become_user: "{{ matrix_user_username }}" + become_user: "{{ matrix_synapse_username }}" register: matrix_synapse_git_pull_results - name: Check if Synapse Docker image exists @@ -68,8 +68,8 @@ ansible.builtin.template: src: "{{ role_path }}/templates/synapse/customizations/Dockerfile.j2" dest: "{{ matrix_synapse_customized_docker_src_files_path }}/Dockerfile" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + owner: "{{ matrix_synapse_uid }}" + group: "{{ matrix_synapse_gid }}" mode: 0640 - name: Ensure customized Docker image for Synapse is built @@ -98,7 +98,7 @@ docker run --rm --name=matrix-config - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --user={{ matrix_synapse_uid }}:{{ matrix_synapse_gid }} --cap-drop=ALL --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml @@ -113,8 +113,8 @@ content: "{{ matrix_synapse_configuration | to_nice_yaml(indent=2, width=999999) }}" dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml" mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + owner: "{{ matrix_synapse_uid }}" + group: "{{ matrix_synapse_gid }}" - name: Ensure Synapse log config installed ansible.builtin.template: 
@@ -143,7 +143,7 @@ ansible.builtin.template: src: "{{ role_path }}/templates/synapse/prometheus/external_prometheus.yml.example.j2" dest: "{{ matrix_synapse_base_path }}/external_prometheus.yml.example" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + owner: "{{ matrix_synapse_uid }}" + group: "{{ matrix_synapse_gid }}" mode: 0644 when: matrix_synapse_metrics_proxying_enabled | bool diff --git a/roles/custom/matrix-synapse/tasks/synapse/workers/util/setup_files_for_worker.yml b/roles/custom/matrix-synapse/tasks/synapse/workers/util/setup_files_for_worker.yml index 6910445e2..d35094129 100644 --- a/roles/custom/matrix-synapse/tasks/synapse/workers/util/setup_files_for_worker.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/workers/util/setup_files_for_worker.yml @@ -10,8 +10,8 @@ src: "{{ role_path }}/templates/synapse/worker.yaml.j2" dest: "{{ matrix_synapse_config_dir_path }}/{{ matrix_synapse_worker_config_file_name }}" mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + owner: "{{ matrix_synapse_uid }}" + group: "{{ matrix_synapse_gid }}" - name: Ensure systemd service exists for {{ matrix_synapse_worker_systemd_service_name }} ansible.builtin.template: diff --git a/roles/custom/matrix-synapse/tasks/validate_config.yml b/roles/custom/matrix-synapse/tasks/validate_config.yml index 56f12bf67..31a10e918 100644 --- a/roles/custom/matrix-synapse/tasks/validate_config.yml +++ b/roles/custom/matrix-synapse/tasks/validate_config.yml 
@@ -6,11 +6,15 @@ You need to define a required configuration setting (`{{ item }}`) for using Synapse. when: "vars[item] == ''" with_items: - - "matrix_synapse_macaroon_secret_key" - - "matrix_synapse_database_host" - - "matrix_synapse_database_user" - - "matrix_synapse_database_password" - - "matrix_synapse_database_database" + - matrix_synapse_username + - matrix_synapse_uid + - matrix_synapse_gid + - matrix_synapse_container_network + - matrix_synapse_macaroon_secret_key + - matrix_synapse_database_host + - matrix_synapse_database_user + - matrix_synapse_database_password + - matrix_synapse_database_database - name: Fail if asking for more than 1 instance of single-instance workers ansible.builtin.fail: diff --git a/roles/custom/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 b/roles/custom/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 index a968965b7..fea02d479 100644 --- a/roles/custom/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 +++ b/roles/custom/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 @@ -13,7 +13,7 @@ ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} rm %n ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name %n \ --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --user={{ matrix_synapse_uid }}:{{ matrix_synapse_gid }} \ --mount type=bind,src=/etc/passwd,dst=/etc/passwd,ro \ --mount type=bind,src=/etc/group,dst=/etc/group,ro \ --mount type=bind,src={{ matrix_s3_media_store_path }},dst=/s3,bind-propagation=shared \ diff --git a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 index e1e439958..de475bb44 100644 --- a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 
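Review bot: `matrix_synapse_container_network` is added to the required-variable list, but no default for it is visible in this commit (the defaults hunk adds only `matrix_synapse_username`, `matrix_synapse_uid` and `matrix_synapse_gid`); unless it is already defined elsewhere, `vars[item] == ''` will raise an undefined-variable error for that item instead of the intended "required configuration setting" message. If the variable is introduced in a later change, either leave it out of this list until then or add `matrix_synapse_container_network: ''` alongside the other new defaults. The fail task this list belongs to starts outside the hunk.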
+++ b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 @@ -18,7 +18,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --rm \ --name={{ matrix_synapse_worker_container_name }} \ --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --user={{ matrix_synapse_uid }}:{{ matrix_synapse_gid }} \ --cap-drop=ALL \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \ diff --git a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 1c23c8ac6..a287f5536 100644 --- a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -34,7 +34,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --rm \ --name=matrix-synapse \ --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --user={{ matrix_synapse_uid }}:{{ matrix_synapse_gid }} \ --cap-drop=ALL \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \ From 977521885037d739066aea67858f0118fee195cb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Feb 2023 18:31:01 +0200 Subject: [PATCH 454/915] Add matrix_synapse_email_app_name variable --- roles/custom/matrix-synapse/defaults/main.yml | 1 + .../custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 86f1f23ed..9842f31f1 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml 
@@ -706,6 +706,7 @@ matrix_synapse_email_smtp_user: "" matrix_synapse_email_smtp_pass: "" matrix_synapse_email_smtp_require_transport_security: false matrix_synapse_email_notif_from: "Matrix " +matrix_synapse_email_app_name: Matrix matrix_synapse_email_client_base_url: "https://{{ matrix_server_fqn_element }}" matrix_synapse_email_invite_client_location: "https://app.element.io" diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 1885aeef1..1afbcdc37 100644 --- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2363,7 +2363,7 @@ email: # subjects. It defaults to 'Matrix'. # #app_name: my_branded_matrix_server - app_name: Matrix + app_name: {{ matrix_synapse_email_app_name | to_json }} # Uncomment the following to enable sending emails for messages that the user # has missed. Disabled by default. From 5df89a44b386cfba65310742e3e2f4f6bd0cd6fe Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Feb 2023 19:37:34 +0200 Subject: [PATCH 455/915] Add support for customizing Synapse templates --- CHANGELOG.md | 6 +++ docs/configuring-playbook-synapse.md | 39 +++++++++++++++ roles/custom/matrix-synapse/defaults/main.yml | 47 ++++++++++++++++++- .../tasks/synapse/setup_install.yml | 3 +- .../matrix-synapse/tasks/validate_config.yml | 19 ++++++++ .../synapse/customizations/Dockerfile.j2 | 44 +++++++++++++++++ .../templates/synapse/homeserver.yaml.j2 | 3 ++ 7 files changed, 159 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5fea8b789..25d351387 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,11 @@ # 2023-02-17 +## Synapse templates customization support + +The playbook can now help you customize Synapse's templates. + +Additional details are available in the [Customizing templates](docs/configuring-playbook-synapse.md#customizing-templates) section of our Synapse documentation. + ## The matrix-redis role lives independently now **TLDR**: the `matrix-redis` role is now included from another repository. Some variables have been renamed. All functionality remains intact. diff --git a/docs/configuring-playbook-synapse.md b/docs/configuring-playbook-synapse.md index 4dc8f5195..ef562ae88 100644 --- a/docs/configuring-playbook-synapse.md +++ b/docs/configuring-playbook-synapse.md 
@@ -80,3 +80,42 @@ matrix_synapse_configuration_extension_yaml: | backchannel_logout_enabled: true # Optional ``` + +## Customizing templates + +[Templates](https://github.com/matrix-org/synapse/blob/develop/docs/templates.md) are used by Synapse for showing **certain web pages** handled by the server, as well as for **email notifications**. + +This playbook allows you to customize the default templates (see the [`synapse/res/templates` directory](https://github.com/matrix-org/synapse/tree/develop/synapse/res/templates)). + +If template customization is enabled, the playbook will build a custom container image based on the official one. + +Your custom templates need to live in a public or private git repository. This repository will be cloned during Synapse image customization (during the playbook run). + +To enable template customizations, use a configuration (`inventory/host_vars/matrix.DOMAIN/vars.yml`) like this: + +```yaml +# If you'd like to ensure that the customized image is built each time the playbook runs, enable this. +# Otherwise, the customized image will only be rebuilt whenever the Synapse version changes (once every ~2 weeks). +# matrix_synapse_docker_image_customized_build_nocache: true + +matrix_synapse_container_image_customizations_templates_enabled: true + +# Our templates live in a templates/ directory within the repository. +# If they're at the root path, delete this line. 
+matrix_synapse_container_image_customizations_templates_in_container_template_files_relative_path: templates + +matrix_synapse_container_image_customizations_templates_git_repository_url: git@github.com:organization/repository.git +matrix_synapse_container_image_customizations_templates_git_repository_branch: main + +matrix_synapse_container_image_customizations_templates_git_repository_keyscan_enabled: true +matrix_synapse_container_image_customizations_templates_git_repository_keyscan_hostname: github.com + +# If your git repository is public, do not define the private key (remove the variable). +matrix_synapse_container_image_customizations_templates_git_repository_ssh_private_key: | + -----BEGIN OPENSSH PRIVATE KEY----- + .... + -----END OPENSSH PRIVATE KEY----- +``` + +As mentioned in Synapse's Templates documentation, Synapse will fall back to its own templates if a template is not found in that directory. +Due to this, it's recommended to only store and maintain template files in your repository if you need to make custom changes. Other files (which you don't need to change), should not be duplicated, so that you don't need to worry about getting out-of-sync with the original Synapse templates. diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 9842f31f1..e4e2e5e2a 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml 
@@ -21,12 +21,41 @@ matrix_synapse_container_image_self_build_repo: "https://github.com/matrix-org/s # - `matrix_synapse_container_image_customizations_dockerfile_body_custom` # - `matrix_synapse_docker_image_customized` # - `matrix_synapse_docker_image_final` -matrix_synapse_container_image_customizations_enabled: "{{ matrix_synapse_ext_synapse_s3_storage_provider_enabled }}" +matrix_synapse_container_image_customizations_enabled: |- + {{ + matrix_synapse_container_image_customizations_s3_storage_provider_installation_enabled + or + matrix_synapse_container_image_customizations_templates_enabled + }} # Controls whether custom build steps will be added to the Dockerfile for installing s3-storage-provider. # The version that will be installed is specified in `matrix_synapse_ext_synapse_s3_storage_provider_version`. matrix_synapse_container_image_customizations_s3_storage_provider_installation_enabled: "{{ matrix_synapse_ext_synapse_s3_storage_provider_enabled }}" +# Controls whether custom build steps will be added to the Dockerfile for customizing the email templates used by Synapse. 
+# +# Example usage: +# +# ```yml +# matrix_synapse_container_image_customizations_templates_enabled: true +# # The templates are expected to be in a `templates/` subdirectory in +# matrix_synapse_container_image_customizations_templates_in_container_template_files_relative_path: templates/ +# matrix_synapse_container_image_customizations_templates_git_repository_url: git@github.com:organization/repository.git +# matrix_synapse_container_image_customizations_templates_git_repository_branch: main +# matrix_synapse_container_image_customizations_templates_git_repository_keyscan_enabled: true +# matrix_synapse_container_image_customizations_templates_git_repository_keyscan_hostname: github.com +# ``` +# +# See: https://github.com/matrix-org/synapse/blob/develop/docs/templates.md +matrix_synapse_container_image_customizations_templates_enabled: false +matrix_synapse_container_image_customizations_templates_in_container_base_path: /custom-templates +matrix_synapse_container_image_customizations_templates_in_container_template_files_relative_path: '' +matrix_synapse_container_image_customizations_templates_in_container_full_path: "{{ matrix_synapse_container_image_customizations_templates_in_container_base_path }}/{{ matrix_synapse_container_image_customizations_templates_in_container_template_files_relative_path }}" +matrix_synapse_container_image_customizations_templates_git_repository_url: '' +matrix_synapse_container_image_customizations_templates_git_repository_branch: main +matrix_synapse_container_image_customizations_templates_git_repository_keyscan_enabled: false +matrix_synapse_container_image_customizations_templates_git_repository_keyscan_hostname: '' + # matrix_synapse_container_image_customizations_dockerfile_body contains your custom Dockerfile steps # for building your customized Synapse image based on the original (upstream) image (`matrix_synapse_docker_image`). # A `FROM ...` clause is included automatically so you don't have to. 
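Review bot: The new Dockerfile template branches on `matrix_synapse_container_image_customizations_templates_git_repository_ssh_private_key`, but this hunk adds no default for that variable while the accompanying docs tell users with a public repository to remove it; unless a default is declared outside this hunk, rendering the Dockerfile with the variable undefined should fail under Ansible's strict undefined handling. Add `matrix_synapse_container_image_customizations_templates_git_repository_ssh_private_key: ''` next to the other `_git_repository_*` defaults, with a comment that it is only needed for private repositories and should be kept in an encrypted (vault) inventory file rather than plain `vars.yml`, since it ends up in the rendered Dockerfile. The header comment also describes the feature as customizing "the email templates", whereas the Synapse templates directory it links to covers web pages as well; `# Controls whether custom build steps will be added to the Dockerfile for customizing the templates (web pages and emails) used by Synapse.` is more accurate.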
@@ -49,6 +78,15 @@ matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith # This image will be based on the upstream `matrix_synapse_docker_image` image, only if `matrix_synapse_container_image_customizations_enabled: true`. matrix_synapse_docker_image_customized: "localhost/matrixdotorg/synapse:{{ matrix_synapse_docker_image_tag }}-customized" +# Controls whether the customized image (`matrix_synapse_docker_image_customized`) is to be force-built without layer caching enabled. +# This is useful if you've enabled customizations (e.g. `matrix_synapse_container_image_customizations_templates_enabled`), +# which clone some branch of some repository, and you'd like for each Ansible run to pull new revisions from that branch. +matrix_synapse_docker_image_customized_build_nocache: false + +# Controls whether the customized image (`matrix_synapse_docker_image_customized`) is to be built, even if it already exists. +# Related to: matrix_synapse_docker_image_customized_build_nocache +matrix_synapse_docker_image_customized_force_source: "{{ matrix_synapse_docker_image_customized_build_nocache }}" + # matrix_synapse_docker_image_final holds the name of the Synapse image to run depending on whether or not customizations are enabled. matrix_synapse_docker_image_final: "{{ matrix_synapse_docker_image_customized if matrix_synapse_container_image_customizations_enabled else matrix_synapse_docker_image }} " 
@@ -230,6 +268,13 @@ matrix_synapse_rc_federation: matrix_synapse_federation_rr_transactions_per_room_per_second: 50 +# Controls the templates directory setting. +# +# See: +# - `matrix_synapse_container_image_customizations_templates_enabled` +# - https://github.com/matrix-org/synapse/blob/develop/docs/templates.md +matrix_synapse_templates_custom_template_directory: "{{ matrix_synapse_container_image_customizations_templates_in_container_full_path if matrix_synapse_container_image_customizations_templates_enabled else '' }}" + # Controls whether the TLS federation listener is enabled (tcp/8448). # Only makes sense if federation is enabled (`matrix_synapse_federation_enabled`). # Note that federation may potentially be enabled as non-TLS on `matrix_synapse_container_federation_api_plain_port` as well. diff --git a/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml b/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml index 7a7b5ed37..4a62d88d9 100644 --- a/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml @@ -76,10 +76,11 @@ community.docker.docker_image: name: "{{ matrix_synapse_docker_image_customized }}" source: build + force_source: "{{ matrix_synapse_docker_image_customized_force_source }}" build: dockerfile: Dockerfile path: "{{ matrix_synapse_customized_docker_src_files_path }}" - pull: true + nocache: "{{ matrix_synapse_docker_image_customized_build_nocache }}" - name: Check if a Synapse signing key exists ansible.builtin.stat: diff --git a/roles/custom/matrix-synapse/tasks/validate_config.yml b/roles/custom/matrix-synapse/tasks/validate_config.yml index 31a10e918..607c75b8c 100644 --- a/roles/custom/matrix-synapse/tasks/validate_config.yml +++ b/roles/custom/matrix-synapse/tasks/validate_config.yml 
@@ -76,3 +76,22 @@ when: "item.old in matrix_synapse_configuration_extension" with_items: - {'old': 'federation_ip_range_blacklist', 'new': 'ip_range_blacklist'} + +- when: matrix_synapse_container_image_customizations_templates_enabled | bool + block: + - name: Fail if required `matrix_synapse_container_image_customizations_templates_*` settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`) when enabling `matrix_synapse_container_image_customizations_templates_enabled`. + when: "vars[item] == ''" + with_items: + - matrix_synapse_container_image_customizations_templates_git_repository_url + - matrix_synapse_container_image_customizations_templates_git_repository_branch + + - name: Fail if required `matrix_synapse_container_image_customizations_templates_git_repository_keyscan_*` settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`) when enabling `matrix_synapse_container_image_customizations_templates_git_repository_keyscan`. + when: "matrix_synapse_container_image_customizations_templates_git_repository_keyscan_enabled | bool and vars[item] == ''" + with_items: + - matrix_synapse_container_image_customizations_templates_git_repository_keyscan_hostname diff --git a/roles/custom/matrix-synapse/templates/synapse/customizations/Dockerfile.j2 b/roles/custom/matrix-synapse/templates/synapse/customizations/Dockerfile.j2 index 3919e9557..6257f1985 100644 --- a/roles/custom/matrix-synapse/templates/synapse/customizations/Dockerfile.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/customizations/Dockerfile.j2 
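Review bot: The message of the second `fail` task names a variable that does not exist — it tells the user to enable `matrix_synapse_container_image_customizations_templates_git_repository_keyscan`, while the setting actually tested is `matrix_synapse_container_image_customizations_templates_git_repository_keyscan_enabled`; fix the message to use the `_enabled` name. There is also no check tying the SSH key to host-key verification: when `..._ssh_private_key` is set but `..._keyscan_enabled` is false, the non-interactive `git clone` over SSH in the customized-image build has no known_hosts entry and will presumably fail with a host-key verification error rather than a clear message. A third task in the same block, failing when the private key is non-empty and keyscan is disabled (and no other known_hosts source is configured), would surface that at validation time instead of mid-build.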
@@ -1,7 +1,51 @@ +#jinja2: lstrip_blocks: "True" FROM {{ matrix_synapse_docker_image }} {% if matrix_synapse_container_image_customizations_s3_storage_provider_installation_enabled %} RUN pip install synapse-s3-storage-provider=={{ matrix_synapse_ext_synapse_s3_storage_provider_version }} {% endif %} +{% if matrix_synapse_container_image_customizations_templates_enabled %} +{# +This ugly script below does quite a lot: + - installs git and other dependencies temporarily, just so we could do a shallow-clone + - prepare the SSH config: keyscanning (if enabled), private key (if enabled) + - performs a git shallow clone with just the branch we need + - makes sure the files are owned by the user that will actually run the container later + - removes the `.git` directory to save space, but keeps git revision in `git-revision.txt`, should we need it for debugging + - finally, verifies that the templates path can indeed be found within the base path (sanity check) +#} +{% set dependencies = ['git', 'ssh', 'openssh-client'] %} +RUN \ + {% if matrix_synapse_container_image_customizations_templates_git_repository_ssh_private_key %} + echo '{{ matrix_synapse_container_image_customizations_templates_git_repository_ssh_private_key | b64encode }}' | base64 -d > /custom-templates-private-key && \ + chmod 400 /custom-templates-private-key && \ + {% endif %} + apt-get update && \ + apt-get install --no-install-recommends -y {{ dependencies | join(' ') }} && \ + {% if matrix_synapse_container_image_customizations_templates_git_repository_keyscan_enabled %} + mkdir ~/.ssh && \ + chmod 700 ~/.ssh && \ + ssh-keyscan -t rsa {{ matrix_synapse_container_image_customizations_templates_git_repository_keyscan_hostname }} >> ~/.ssh/known_hosts && \ + {% endif %} + {% if matrix_synapse_container_image_customizations_templates_git_repository_ssh_private_key %}GIT_SSH_COMMAND='ssh -i /custom-templates-private-key'{% endif %} git \ + clone \ + --branch={{ 
matrix_synapse_container_image_customizations_templates_git_repository_branch }} \ + --depth=1 \ + --single-branch \ + --no-tags \ + {{ matrix_synapse_container_image_customizations_templates_git_repository_url }} \ + {{ matrix_synapse_container_image_customizations_templates_in_container_base_path }} && \ + /bin/sh -c 'cd {{ matrix_synapse_container_image_customizations_templates_in_container_base_path }} && git rev-parse HEAD > git-revision.txt' && \ + rm -rf {{ matrix_synapse_container_image_customizations_templates_in_container_base_path }}/.git && \ + chown -R {{ matrix_synapse_uid }}:{{ matrix_synapse_gid }} {{ matrix_synapse_container_image_customizations_templates_in_container_base_path }} && \ + apt-get autoremove -y {{ dependencies | join(' ') }} && \ + {% if matrix_synapse_container_image_customizations_templates_git_repository_ssh_private_key %} + rm /custom-templates-private-key && \ + {% endif %} + true + +RUN /bin/sh -c 'stat {{ matrix_synapse_container_image_customizations_templates_in_container_base_path }}/{{ matrix_synapse_container_image_customizations_templates_in_container_template_files_relative_path }} || exit 1' +{% endif %} + {{ matrix_synapse_container_image_customizations_dockerfile_body_custom }} diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 1afbcdc37..9b039ff52 100644 --- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 
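Review bot: The SSH private key is embedded in the `RUN` instruction itself (`echo '<base64>' | base64 -d > /custom-templates-private-key`), so deleting the file at the end of the layer does not keep it out of the image — Docker records the full instruction text in the image configuration, and `docker history --no-trunc` on the customized image will show the base64-encoded key; it is also written in the clear to the rendered Dockerfile on the host. Pass the key as a BuildKit secret instead (`RUN --mount=type=secret,...` with `GIT_SSH_COMMAND='ssh -i /run/secrets/...'`), so it is never part of a layer or an instruction; whether the `community.docker.docker_image` build call used by this role can supply build secrets is not visible here and needs checking. Separately, `ssh-keyscan` at build time only records whatever key the network returns (trust-on-first-use on every build) and `-t rsa` queries a single key type, so it does not authenticate the host; a pinned known_hosts entry supplied through a variable would be stronger. The clone also follows the branch tip with no commit pin, so anyone who can push to that branch changes the templates Synapse renders; a `..._git_repository_ref` pin is worth supporting.
```dockerfile
{% set dependencies = ['git', 'ssh', 'openssh-client'] %}
RUN {% if matrix_synapse_container_image_customizations_templates_git_repository_ssh_private_key %}--mount=type=secret,id=custom-templates-private-key,mode=0400 {% endif %}\
    apt-get update && \
    # … unchanged: apt-get install, keyscan block …
    {% if matrix_synapse_container_image_customizations_templates_git_repository_ssh_private_key %}GIT_SSH_COMMAND='ssh -i /run/secrets/custom-templates-private-key'{% endif %} git \
    # … unchanged: clone, git-revision.txt, rm -rf .git, chown, autoremove …
    true
```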
@@ -555,6 +555,9 @@ templates: # information about using custom templates. # #custom_template_directory: /path/to/custom/templates/ + {% if matrix_synapse_templates_custom_template_directory %} + custom_template_directory: {{ matrix_synapse_templates_custom_template_directory | to_json }} + {% endif %} # List of rooms to exclude from sync responses. This is useful for server # administrators wishing to group users into a room without these users being able From 89f2fa53c08166c5eacf7a78b47fa3c98af337bc Mon Sep 17 00:00:00 2001 From: Array in a Matrix Date: Fri, 17 Feb 2023 15:48:53 -0500 Subject: [PATCH 456/915] remove comment regarding nginx in traefik doc --- docs/configuring-playbook-own-webserver.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 41b1fd83a..d1975dae6 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -148,7 +148,6 @@ matrix_nginx_proxy_container_federation_host_bind_port: '127.0.0.1:8449' **For Traefik** fronted by another reverse-proxy, you would need some configuration like this: ```yaml -# playbook-managed-proxy is the default right now, so we can keep this commented out. matrix_playbook_reverse_proxy_type: playbook-managed-traefik # Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval From 886d1cddd0aad2dc085230c6a923515f824485cb Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Sat, 18 Feb 2023 19:10:23 +0000 Subject: [PATCH 457/915] Update ntfy v2.0.0-1 -> v2.0.1-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index e1f419faf..66089d478 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -43,7 +43,7 @@ version: v9.3.6-1 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git - version: v2.0.0-1 + version: v2.0.1-0 - src: git+https://gitlab.com/etke.cc/roles/redis.git version: v7.0.7-0 From 0da308e24d9e3ad5d6b368e367d72190992d1d39 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 19 Feb 2023 10:19:54 +0200 Subject: [PATCH 458/915] Upgrade com.devture.ansible.role.traefik --- CHANGELOG.md | 2 +- docs/configuring-playbook-own-webserver.md | 2 +- requirements.yml | 2 +- roles/custom/matrix-base/defaults/main.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 25d351387..5dd5e9f62 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -118,7 +118,7 @@ Unless we have some regression, **existing `matrix-nginx-proxy` users should be ```yaml matrix_playbook_reverse_proxy_type: playbook-managed-traefik -devture_traefik_ssl_email_address: YOUR_EMAIL_ADDRESS +devture_traefik_config_certificatesResolvers_acme_email: YOUR_EMAIL_ADDRESS ``` You may still need to keep certain old `matrix_nginx_proxy_*` variables (like `matrix_nginx_proxy_base_domain_serving_enabled`), even when using Traefik. For now, we recommend keeping all `matrix_nginx_proxy_*` variables just in case. In the future, reliance on `matrix-nginx-proxy` will be removed. diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index d1975dae6..6377b8b1f 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -20,7 +20,7 @@ To switch to Traefik now, use configuration like this: ```yaml matrix_playbook_reverse_proxy_type: playbook-managed-traefik -devture_traefik_ssl_email_address: YOUR_EMAIL_ADDRESS +devture_traefik_config_certificatesResolvers_acme_email: YOUR_EMAIL_ADDRESS ``` This will install Traefik in the place of `matrix-nginx-proxy`. Traefik will manage SSL certificates for all services seamlessly. 
diff --git a/requirements.yml b/requirements.yml index 66089d478..ed0faa52e 100644 --- a/requirements.yml +++ b/requirements.yml @@ -49,7 +49,7 @@ version: v7.0.7-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: fb09fd26f877372417d5586f1e79e83f983f0bd6 + version: da90b6cdbbb9374ca72c1b530867add2fd8f024e - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: e7563caa814e634d2f8deec4a41e970caa1c0ae4 diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index e72142c37..da5459f80 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml @@ -283,7 +283,7 @@ matrix_homeserver_app_service_config_files_auto: [] # - `playbook-managed-traefik` # - the playbook will install devture-traefik # - Traefik will do SSL termination, unless you disable it (e.g. `devture_traefik_config_entrypoint_web_secure_enabled: false`) -# - if SSL termination is enabled (as it is by default), you need to populate: `devture_traefik_ssl_email_address` +# - if SSL termination is enabled (as it is by default), you need to populate: `devture_traefik_config_certificatesResolvers_acme_email` # - it will also install matrix-nginx-proxy in local-only mode, while we migrate the rest of the services to a Traefik-native mode of working # # - `playbook-managed-nginx` From a758301bf6658382b20cc5d028140afd4bae5262 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 19 Feb 2023 10:20:40 +0200 Subject: [PATCH 459/915] Upgrade geerlingguy.docker (6.0.4 -> 6.1.0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index ed0faa52e..3f48cec27 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -1,7 +1,7 @@ --- - src: geerlingguy.docker - version: 6.0.4 + version: 6.1.0 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git version: 6ba3be490b6f4c6f35ea109aeb8e533fa231b3a5 From 5e7f30a129077004baaa701dea1aad571f176e8d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 19 Feb 2023 11:20:58 +0200 Subject: [PATCH 460/915] Fix appservice-discord/appservice-slack/appservice-webhooks port troubles with external reverse-proxy Continuation of 6cda711 --- group_vars/matrix_servers | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index e47f1e60d..f148e0425 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -455,7 +455,7 @@ matrix_appservice_discord_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-discord over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-appservice-discord's client-server port to the local host. -matrix_appservice_discord_container_http_host_bind_port: "{{ matrix_playbook_service_host_bind_interface_prefix + ':9005' if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_appservice_discord_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9005') if matrix_playbook_service_host_bind_interface_prefix else '' }}" # If the homeserver disables presence, it's likely better (less wasteful) to also disable presence on the bridge side. matrix_appservice_discord_bridge_disablePresence: "{{ not matrix_synapse_presence_enabled }}" 
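Review bot: The discord binding hard-codes the port as `'9005'`, while the webhooks and slack hunks in the same commit concatenate the role's own port variable (`matrix_appservice_webhooks_matrix_port`, `matrix_appservice_slack_slack_port`); if the discord role exposes its client-server port as a variable, use it here so the host binding cannot drift from the port the bridge actually listens on. Either way, the new expressions silently rely on `matrix_playbook_service_host_bind_interface_prefix` ending in `:` (e.g. `127.0.0.1:`), which nothing in the hunk states; a short comment such as `# The prefix is expected to end with ':' — the port is appended directly.` would help the next person editing these lines.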
@@ -502,7 +502,7 @@ matrix_appservice_webhooks_container_image_self_build: "{{ matrix_architecture ! # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-webhooks over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-appservice-webhooks' client-server port to the local host. -matrix_appservice_webhooks_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '' ~ matrix_appservice_webhooks_matrix_port) if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_appservice_webhooks_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ matrix_appservice_webhooks_matrix_port) if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_appservice_webhooks_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'webhook.as.token', rounds=655555) | to_uuid }}" @@ -541,7 +541,7 @@ matrix_appservice_slack_container_image_self_build: "{{ matrix_architecture not # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-slack over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-appservice-slack's client-server port to the local host. -matrix_appservice_slack_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix + ':' ~ matrix_appservice_slack_slack_port) if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_appservice_slack_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ matrix_appservice_slack_slack_port) if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_appservice_slack_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.as.token', rounds=655555) | to_uuid }}" 
From 6438f1ff427cfbb604399c23e25f4371eb671cdd Mon Sep 17 00:00:00 2001 From: Tilo Spannagel Date: Sun, 19 Feb 2023 17:16:17 +0100 Subject: [PATCH 461/915] Add matrix_playbook_ssl_enabled: true to configuring-playbook-own-webserver.md Otherwise the public hookshot url will use http and not https --- docs/configuring-playbook-own-webserver.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 6377b8b1f..e7dc24557 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -127,6 +127,9 @@ This is the recommended way for using another reverse-proxy, because the integra # playbook-managed-proxy is the default right now, so we can keep this commented out. # matrix_playbook_reverse_proxy_type: playbook-managed-nginx +# Ensure that public urls use https +matrix_playbook_ssl_enabled: true + # Disable SSL certificate retrieval matrix_ssl_retrieval_method: none @@ -150,6 +153,9 @@ matrix_nginx_proxy_container_federation_host_bind_port: '127.0.0.1:8449' ```yaml matrix_playbook_reverse_proxy_type: playbook-managed-traefik +# Ensure that public urls use https +matrix_playbook_ssl_enabled: true + # Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval devture_traefik_config_entrypoint_web_secure_enabled: false From 6cdbde01d7c2fa980e18853d0118e554e10def86 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 20 Feb 2023 16:50:39 +0200 Subject: [PATCH 462/915] Fix various Traefik headers syntax `always` is an nginx suffix, which shouldn't have been added to these. --- roles/custom/matrix-client-cinny/defaults/main.yml | 4 ++-- roles/custom/matrix-client-element/defaults/main.yml | 4 ++-- roles/custom/matrix-client-hydrogen/defaults/main.yml | 4 ++-- roles/custom/matrix-synapse-admin/defaults/main.yml | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) 
diff --git a/roles/custom/matrix-client-cinny/defaults/main.yml b/roles/custom/matrix-client-cinny/defaults/main.yml index 5e5f216f9..f1114c366 100644 --- a/roles/custom/matrix-client-cinny/defaults/main.yml +++ b/roles/custom/matrix-client-cinny/defaults/main.yml @@ -95,11 +95,11 @@ matrix_client_cinny_http_header_content_security_policy: frame-ancestors 'self' # Specifies the value of the `Permission-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy -matrix_client_cinny_http_header_content_permission_policy: "{{ 'interest-cohort=() always' if matrix_client_cinny_floc_optout_enabled else '' }}" +matrix_client_cinny_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_client_cinny_floc_optout_enabled else '' }}" # Specifies the value of the `Strict-Transport-Security` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -matrix_client_cinny_http_header_strict_transport_security: "{{ '\"max-age=31536000; includeSubDomains; preload\" always' if matrix_client_cinny_hsts_preload_enabled else '\"max-age=31536000; includeSubDomains\" always' }}" +matrix_client_cinny_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_client_cinny_hsts_preload_enabled else '' }}" # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses # diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 4ab72bab4..c9540ae01 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml 
@@ -98,11 +98,11 @@ matrix_client_element_http_header_content_security_policy: frame-ancestors 'self # Specifies the value of the `Permission-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy -matrix_client_element_http_header_content_permission_policy: "{{ 'interest-cohort=() always' if matrix_client_element_floc_optout_enabled else '' }}" +matrix_client_element_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_client_element_floc_optout_enabled else '' }}" # Specifies the value of the `Strict-Transport-Security` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -matrix_client_element_http_header_strict_transport_security: "{{ '\"max-age=31536000; includeSubDomains; preload\" always' if matrix_client_element_hsts_preload_enabled else '\"max-age=31536000; includeSubDomains\" always' }}" +matrix_client_element_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_client_element_hsts_preload_enabled else '' }}" # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses # diff --git a/roles/custom/matrix-client-hydrogen/defaults/main.yml b/roles/custom/matrix-client-hydrogen/defaults/main.yml index 35d18cd9e..f3ddb81b6 100644 --- a/roles/custom/matrix-client-hydrogen/defaults/main.yml +++ b/roles/custom/matrix-client-hydrogen/defaults/main.yml 
@@ -94,11 +94,11 @@ matrix_client_hydrogen_http_header_content_security_policy: frame-ancestors 'sel # Specifies the value of the `Permission-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy -matrix_client_hydrogen_http_header_content_permission_policy: "{{ 'interest-cohort=() always' if matrix_client_hydrogen_floc_optout_enabled else '' }}" +matrix_client_hydrogen_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_client_hydrogen_floc_optout_enabled else '' }}" # Specifies the value of the `Strict-Transport-Security` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -matrix_client_hydrogen_http_header_strict_transport_security: "{{ '\"max-age=31536000; includeSubDomains; preload\" always' if matrix_client_hydrogen_hsts_preload_enabled else '\"max-age=31536000; includeSubDomains\" always' }}" +matrix_client_hydrogen_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_client_hydrogen_hsts_preload_enabled else '' }}" # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses # diff --git a/roles/custom/matrix-synapse-admin/defaults/main.yml b/roles/custom/matrix-synapse-admin/defaults/main.yml index 91383a9e9..ae912f71f 100644 --- a/roles/custom/matrix-synapse-admin/defaults/main.yml +++ b/roles/custom/matrix-synapse-admin/defaults/main.yml 
@@ -102,11 +102,11 @@ matrix_synapse_admin_http_header_content_security_policy: frame-ancestors 'self' # Specifies the value of the `Permission-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy -matrix_synapse_admin_http_header_content_permission_policy: "{{ 'interest-cohort=() always' if matrix_synapse_admin_floc_optout_enabled else '' }}" +matrix_synapse_admin_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_synapse_admin_floc_optout_enabled else '' }}" # Specifies the value of the `Strict-Transport-Security` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -matrix_synapse_admin_http_header_strict_transport_security: "{{ '\"max-age=31536000; includeSubDomains; preload\" always' if matrix_synapse_admin_hsts_preload_enabled else '\"max-age=31536000; includeSubDomains\" always' }}" +matrix_synapse_admin_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_synapse_admin_hsts_preload_enabled else '' }}" # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses # From 8e592fb0c1761610e8dd79ba948ac5df18fc3328 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 20 Feb 2023 16:53:19 +0200 Subject: [PATCH 463/915] Upgrade grafana role (v9.3.6-1 -> v9.3.6-2) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 3f48cec27..67a1efc29 100644 --- a/requirements.yml +++ b/requirements.yml @@ -40,7 +40,7 @@ version: v1.2.3-1.7.6-0 - src: git+https://gitlab.com/etke.cc/roles/grafana.git - version: v9.3.6-1 + version: v9.3.6-2 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git version: v2.0.1-0 From ba429f6a403131339c940684dc5a1e678558b53c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Bergr=C3=BCbe?= <68869895+Bergruebe@users.noreply.github.com> Date: Mon, 20 Feb 2023 16:59:38 +0100 Subject: [PATCH 464/915] Added matrix_nginx_proxy_https_enabled to the own-nginx documentation --- docs/configuring-playbook-own-webserver.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index e7dc24557..34e0bf3e4 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -185,6 +185,9 @@ If you'll be using `nginx` running on the same machine (not in a container), you ```yaml matrix_playbook_reverse_proxy_type: other-nginx-non-container +# If you want https configured in /matrix/nginx-proxy/conf.d/ +matrix_nginx_proxy_https_enabled: true + # If you will manage SSL certificates yourself, uncomment the line below # matrix_ssl_retrieval_method: none From 601b67c02d45f9bae711e0e6655c60b597d8a05c Mon Sep 17 00:00:00 2001 From: Catalan Lover Date: Mon, 20 Feb 2023 22:21:02 +0100 Subject: [PATCH 465/915] Update Draupnir Config --- .../templates/production.yaml.j2 | 78 ++++++++++--------- 1 file changed, 43 insertions(+), 35 deletions(-) diff --git a/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 index dcc61b1b5..2dbff886a 100644 --- a/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 +++ b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 
@@ -1,79 +1,79 @@
-# Endpoint URL that draupnir uses to interact with the matrix homeserver (client-server API),
+# Endpoint URL that Draupnir uses to interact with the matrix homeserver (client-server API),
 # set this to the pantalaimon URL if you're using that.
 homeserverUrl: "{{ matrix_homeserver_url }}"
-# Endpoint URL that draupnir could use to fetch events related to reports (client-server API and /_synapse/),
+# Endpoint URL that Draupnir could use to fetch events related to reports (client-server API and /_synapse/),
 # only set this to the public-internet homeserver client API URL, do NOT set this to the pantalaimon URL.
 rawHomeserverUrl: "{{ matrix_homeserver_url }}"
-# Matrix Access Token to use, draupnir will only use this if pantalaimon.use is false.
+# Matrix Access Token to use, Draupnir will only use this if pantalaimon.use is false.
 accessToken: "{{ matrix_bot_draupnir_access_token }}"
 # Options related to Pantalaimon (https://github.com/matrix-org/pantalaimon)
 #pantalaimon:
-# # Whether or not draupnir will use pantalaimon to access the matrix homeserver,
+# # Whether or not Draupnir will use pantalaimon to access the matrix homeserver,
 # # set to `true` if you're using pantalaimon.
 # #
 # # Be sure to point homeserverUrl to the pantalaimon instance.
 # #
-# # draupnir will log in using the given username and password once,
+# # Draupnir will log in using the given username and password once,
 # # then store the resulting access token in a file under dataPath.
 # use: false
 #
 # # The username to login with.
 # username: draupnir
 #
-# # The password draupnir will login with.
+# # The password Draupnir will login with.
 # #
 # # After successfully logging in once, this will be ignored, so this value can be blanked after first startup.
 # password: your_password
-# The path draupnir will store its state/data in, leave default ("/data/storage") when using containers.
+# The path Draupnir will store its state/data in, leave default ("/data/storage") when using containers.
 dataPath: "/data"
-# If true (the default), draupnir will only accept invites from users present in managementRoom.
+# If true (the default), Draupnir will only accept invites from users present in managementRoom.
 autojoinOnlyIfManager: true
 # If `autojoinOnlyIfManager` is false, only the members in this space can invite
 # the bot to new rooms.
-#acceptInvitesFromSpace: "!example:example.org"
+acceptInvitesFromSpace: "!example:example.org"
-# Whether draupnir should report ignored invites to the management room (if autojoinOnlyIfManager is true).
+# Whether Draupnir should report ignored invites to the management room (if autojoinOnlyIfManager is true).
 recordIgnoredInvites: false
-# The room ID (or room alias) of the management room, anyone in this room can issue commands to draupnir.
+# The room ID (or room alias) of the management room, anyone in this room can issue commands to Draupnir.
 #
-# draupnir has no more granular access controls other than this, be sure you trust everyone in this room - secure it!
+# Draupnir has no more granular access controls other than this, be sure you trust everyone in this room - secure it!
 #
 # This should be a room alias or room ID - not a matrix.to URL.
 #
-# Note: By default, draupnir is fairly verbose - expect a lot of messages in this room.
+# Note: By default, Draupnir is fairly verbose - expect a lot of messages in this room.
 # (see verboseLogging to adjust this a bit.)
-managementRoom: "{{ matrix_bot_draupnir_management_room }}"
+managementRoom: "#moderators:example.org"
-# Whether draupnir should log a lot more messages in the room,
-# mainly involves "all-OK" messages, and debugging messages for when draupnir checks bans in a room.
-verboseLogging: false
+# Whether Draupnir should log a lot more messages in the room,
+# mainly involves "all-OK" messages, and debugging messages for when Draupnir checks bans in a room.
+verboseLogging: true
 # The log level of terminal (or container) output,
 # can be one of DEBUG, INFO, WARN and ERROR, in increasing order of importance and severity.
 #
-# This should be at INFO or DEBUG in order to get support for draupnir problems.
+# This should be at INFO or DEBUG in order to get support for Draupnir problems.
 logLevel: "INFO"
-# Whether or not draupnir should synchronize policy lists immediately after startup.
+# Whether or not Draupnir should synchronize policy lists immediately after startup.
 # Equivalent to running '!draupnir sync'.
 syncOnStartup: true
-# Whether or not draupnir should check moderation permissions in all protected rooms on startup.
+# Whether or not Draupnir should check moderation permissions in all protected rooms on startup.
 # Equivalent to running `!draupnir verify`.
 verifyPermissionsOnStartup: true
-# Whether or not draupnir should actually apply bans and policy lists,
+# Whether or not Draupnir should actually apply bans and policy lists,
 # turn on to trial some untrusted configuration or lists.
 noop: false
-# Whether draupnir should check member lists quicker (by using a different endpoint),
+# Whether Draupnir should check member lists quicker (by using a different endpoint),
 # keep in mind that enabling this will miss invited (but not joined) users.
 #
 # Turn on if your bot is in (very) large rooms, or in large amounts of rooms.
@@ -94,7 +94,7 @@ automaticallyRedactForReasons:
   - "spam"
   - "advertising"
-# A list of rooms to protect. draupnir will add this to the list it knows from its account data.
+# A list of rooms to protect. Draupnir will add this to the list it knows from its account data.
 #
 # It won't, however, add it to the account data.
 # Manually add the room via '!draupnir rooms add' to have it stay protected regardless if this config value changes.
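Review bot: `managementRoom` is now the literal `"#moderators:example.org"` in place of `{{ matrix_bot_draupnir_management_room }}`, so the value an operator sets in the playbook is no longer rendered and the bot's management room becomes an example alias; per the comment directly above the key this room is Draupnir's only access control, so the line should revert to `managementRoom: "{{ matrix_bot_draupnir_management_room }}"`. In the same hunk `acceptInvitesFromSpace: "!example:example.org"` is an uncommented placeholder that, if honoured, would let members of a non-existent example space invite the bot, and `verboseLogging` flips from `false` to `true` without the commit message saying why. The hunk reads as an upstream sample config pasted over the Jinja2 template; only the `draupnir` → `Draupnir` comment renames appear intended.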
@@ -116,21 +116,21 @@ automaticallyRedactForReasons:
 # Explicitly add these rooms as a protected room list if you want them protected.
 protectAllJoinedRooms: false
-# Increase this delay to have Mjölnir wait longer between two consecutive backgrounded
+# Increase this delay to have Draupnir wait longer between two consecutive backgrounded
 # operations. The total duration of operations will be longer, but the homeserver won't
-# be affected as much. Conversely, decrease this delay to have Mjölnir chain operations
+# be affected as much. Conversely, decrease this delay to have Draupnir chain operations
 # faster. The total duration of operations will generally be shorter, but the performance
 # of the homeserver may be more impacted.
 backgroundDelayMS: 500
-# Server administration commands, these commands will only work if draupnir is
+# Server administration commands, these commands will only work if Draupnir is
 # a global server administrator, and the bot's server is a Synapse instance.
-#admin:
-# # Whether or not draupnir can temporarily take control of any eligible account from the local homeserver who's in the room
-# # (with enough permissions) to "make" a user an admin.
-# #
-# # This only works if a local user with enough admin permissions is present in the room.
-# enableMakeRoomAdminCommand: false
+admin:
+  # Whether or not Draupnir can temporarily take control of any eligible account from the local homeserver who's in the room
+  # (with enough permissions) to "make" a user an admin.
+  #
+  # This only works if a local user with enough admin permissions is present in the room.
+  enableMakeRoomAdminCommand: true
 # Misc options for command handling and commands
 commands:
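Review bot: `enableMakeRoomAdminCommand` goes from a commented-out `false` to an active `true` with no playbook variable behind it, so every deployment rendering this template now ships with the make-admin capability switched on; as the comment above it says, this lets the bot temporarily take control of local accounts when its user is a Synapse server admin. Because anyone in the management room can trigger it, the new default widens what an over-trusted moderator room can do, and it is a behaviour change for existing installs that the commit message ("Update Draupnir Config") does not mention. Keep the shipped default at `false`, or gate it on a role default such as `enableMakeRoomAdminCommand: {{ matrix_bot_draupnir_admin_make_room_admin_command_enabled | to_json }}` (constructed name — align it with the role's existing `matrix_bot_draupnir_*` variables).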
@@ -138,20 +138,28 @@ commands:
   #
   # If `true`, will allow commands like `!ban`, `!help`, etc.
   #
-  # Note: draupnir can also be pinged by display name instead of having to use
+  # Note: Draupnir can also be pinged by display name instead of having to use
   # the !draupnir prefix. For example, "my_moderator_bot: ban @spammer:example.org"
   # will address only my_moderator_bot.
   allowNoPrefix: false
-  # Any additional bot prefixes that draupnir will listen to. i.e. adding `mod` will allow `!mod help`.
+  # Any additional bot prefixes that Draupnir will listen to. i.e. adding `mod` will allow `!mod help`.
   additionalPrefixes:
-    - "draupnir_bot"
+    - "draupnir-bot"
     - "draupnir"
   # Whether or not commands with a wildcard (*) will require an additional `--force` argument
   # in the command to be able to be submitted.
   confirmWildcardBan: true
+  # The default reasons to be prompted with if the reason is missing from a ban command.
+  ban:
+    defaultReasons:
+      - "spam"
+      - "brigading"
+      - "harassment"
+      - "disagreement"
+
 # Configuration specific to certain toggle-able protections
 #protections:
 #  # Configuration for the wordlist plugin, which can ban users based if they say certain
From 65e7aa2406dbd3fb2f981aa8c14fd210c9850416 Mon Sep 17 00:00:00 2001
From: Catalan Lover
Date: Mon, 20 Feb 2023 22:22:10 +0100
Subject: [PATCH 466/915] Update Draupnir from v1.80.0 to v1.80.1
---
 roles/custom/matrix-bot-draupnir/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-bot-draupnir/defaults/main.yml b/roles/custom/matrix-bot-draupnir/defaults/main.yml
index 5900f21b0..92abc7ab0 100644
--- a/roles/custom/matrix-bot-draupnir/defaults/main.yml
+++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml
@@ -4,7 +4,7 @@
 matrix_bot_draupnir_enabled: true
-matrix_bot_draupnir_version: "v1.80.0"
+matrix_bot_draupnir_version: "v1.80.1"
 matrix_bot_draupnir_container_image_self_build: false
 matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/Gnuxie/Draupnir.git"
From 1c10a7727c82028b5b997ebe328d19db17d52b96 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Tue, 21 Feb 2023 07:40:49 +0200
Subject: [PATCH 467/915] Upgrade ddclient (v3.10.0-ls106 -> v3.10.0-ls110)
---
 roles/custom/matrix-dynamic-dns/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-dynamic-dns/defaults/main.yml b/roles/custom/matrix-dynamic-dns/defaults/main.yml
index 95e197f3f..4ec034a9b 100644
--- a/roles/custom/matrix-dynamic-dns/defaults/main.yml
+++ b/roles/custom/matrix-dynamic-dns/defaults/main.yml
@@ -7,7 +7,7 @@ matrix_dynamic_dns_enabled: true
 # The dynamic dns daemon interval
 matrix_dynamic_dns_daemon_interval: '300'
-matrix_dynamic_dns_version: v3.10.0-ls106
+matrix_dynamic_dns_version: v3.10.0-ls110
 # The docker container to use when in mode
 matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}"
From cbc8f0c6e60e626eef493934b8a5d73317122ba1 Mon Sep 17 00:00:00 2001
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Tue, 21 Feb 2023 10:14:53 +0000
Subject: [PATCH 468/915] Update borgmatic 1.7.6 -> 1.7.7
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 67a1efc29..17acfa32b 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -37,7 +37,7 @@
   version: v0.11.1-2
 - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git
-  version: v1.2.3-1.7.6-0
+  version: v1.2.3-1.7.7-0
 - src: git+https://gitlab.com/etke.cc/roles/grafana.git
   version: v9.3.6-2
From 620247673e9fec7d3ebb99af4f2665e6cbbf72ab Mon Sep 17 00:00:00 2001
From: Igor Goldenberg
Date: Wed, 22 Feb 2023 18:04:13 +0500
Subject: [PATCH 469/915] Allow configure default country code in element welcome page.
---
 roles/custom/matrix-client-element/defaults/main.yml | 3 +++
 roles/custom/matrix-client-element/templates/config.json.j2 | 1 +
 2 files changed, 4 insertions(+)
diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml
index c9540ae01..60b52d60a 100644
--- a/roles/custom/matrix-client-element/defaults/main.yml
+++ b/roles/custom/matrix-client-element/defaults/main.yml
@@ -191,6 +191,9 @@ matrix_client_element_self_check_validate_certificates: true
 # don't show the registration button on welcome page
 matrix_client_element_registration_enabled: false
+# Default country code on welcome page when login by phone number
+matrix_client_element_default_country_code: "GB"
+
 # Controls whether presence will be enabled
 matrix_client_element_enable_presence_by_hs_url: ~
diff --git a/roles/custom/matrix-client-element/templates/config.json.j2 b/roles/custom/matrix-client-element/templates/config.json.j2
index 1ae16f416..e0dc993cf 100644
--- a/roles/custom/matrix-client-element/templates/config.json.j2
+++ b/roles/custom/matrix-client-element/templates/config.json.j2
@@ -12,6 +12,7 @@
     "custom_themes": {{ matrix_client_element_settingDefaults_custom_themes|to_json }}
   },
   "default_theme": {{ matrix_client_element_default_theme | string|to_json }},
+  "default_country_code": {{ matrix_client_element_default_country_code | string|to_json }},
   "permalinkPrefix": {{ matrix_client_element_permalinkPrefix | string|to_json }},
   "disable_custom_urls": {{ matrix_client_element_disable_custom_urls|to_json }},
   "disable_guests": {{ matrix_client_element_disable_guests|to_json }},
From 4caeab911703e453a8dd3593620f94a44ccf7077 Mon Sep 17 00:00:00 2001
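Review bot: The new `matrix_client_element_default_country_code` default says only "on welcome page when login by phone number" and never states what format the value must take; Element documents this setting as an ISO 3166 alpha-2 country code, so the comment should say so, e.g. `# Default country code (ISO 3166-1 alpha-2, e.g. "GB") preselected on the welcome page when logging in by phone number`. The `| string|to_json` rendering in config.json.j2 always emits a JSON string, so a numeric or lowercase value would pass through silently; a one-line note that the code is two uppercase letters saves an operator a confusing client-side failure.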
From: Slavi Pantaleev Date: Wed, 22 Feb 2023 15:54:14 +0200 Subject: [PATCH 470/915] Fix spacing around Jinja2 filters --- .../templates/config.json.j2 | 48 +++++++++---------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/roles/custom/matrix-client-element/templates/config.json.j2 b/roles/custom/matrix-client-element/templates/config.json.j2 index e0dc993cf..6f2498fd8 100644 --- a/roles/custom/matrix-client-element/templates/config.json.j2 +++ b/roles/custom/matrix-client-element/templates/config.json.j2 
@@ -1,49 +1,49 @@ { "default_server_config": { "m.homeserver": { - "base_url": {{ matrix_client_element_default_hs_url | string|to_json }}, - "server_name": {{ matrix_client_element_default_server_name | string|to_json }} + "base_url": {{ matrix_client_element_default_hs_url | string | to_json }}, + "server_name": {{ matrix_client_element_default_server_name | string | to_json }} }, "m.identity_server": { - "base_url": {{ matrix_client_element_default_is_url | string|to_json }} + "base_url": {{ matrix_client_element_default_is_url | string | to_json }} } }, "settingDefaults": { - "custom_themes": {{ matrix_client_element_settingDefaults_custom_themes|to_json }} + "custom_themes": {{ matrix_client_element_settingDefaults_custom_themes | to_json }} }, - "default_theme": {{ matrix_client_element_default_theme | string|to_json }}, - "default_country_code": {{ matrix_client_element_default_country_code | string|to_json }}, - "permalinkPrefix": {{ matrix_client_element_permalinkPrefix | string|to_json }}, - "disable_custom_urls": {{ matrix_client_element_disable_custom_urls|to_json }}, - "disable_guests": {{ matrix_client_element_disable_guests|to_json }}, - "brand": {{ matrix_client_element_brand|to_json }}, - "integrations_ui_url": {{ matrix_client_element_integrations_ui_url | string|to_json }}, - "integrations_rest_url": {{ matrix_client_element_integrations_rest_url | string|to_json }}, - "integrations_widgets_urls": {{ matrix_client_element_integrations_widgets_urls|to_json }}, - "integrations_jitsi_widget_url": {{ matrix_client_element_integrations_jitsi_widget_url | string|to_json }}, - "bug_report_endpoint_url": {{ matrix_client_element_bug_report_endpoint_url|to_json }}, - "showLabsSettings": {{ matrix_client_element_showLabsSettings|to_json }}, + "default_theme": {{ matrix_client_element_default_theme | string | to_json }}, + "default_country_code": {{ matrix_client_element_default_country_code | string | to_json }}, + "permalinkPrefix": {{ 
matrix_client_element_permalinkPrefix | string | to_json }}, + "disable_custom_urls": {{ matrix_client_element_disable_custom_urls | to_json }}, + "disable_guests": {{ matrix_client_element_disable_guests | to_json }}, + "brand": {{ matrix_client_element_brand | to_json }}, + "integrations_ui_url": {{ matrix_client_element_integrations_ui_url | string | to_json }}, + "integrations_rest_url": {{ matrix_client_element_integrations_rest_url | string | to_json }}, + "integrations_widgets_urls": {{ matrix_client_element_integrations_widgets_urls | to_json }}, + "integrations_jitsi_widget_url": {{ matrix_client_element_integrations_jitsi_widget_url | string | to_json }}, + "bug_report_endpoint_url": {{ matrix_client_element_bug_report_endpoint_url | to_json }}, + "showLabsSettings": {{ matrix_client_element_showLabsSettings | to_json }}, "roomDirectory": { - "servers": {{ matrix_client_element_roomdir_servers|to_json }} + "servers": {{ matrix_client_element_roomdir_servers | to_json }} }, - "welcomeUserId": {{ matrix_client_element_welcome_user_id|to_json }}, + "welcomeUserId": {{ matrix_client_element_welcome_user_id | to_json }}, {% if matrix_client_element_enable_presence_by_hs_url is not none %} - "enable_presence_by_hs_url": {{ matrix_client_element_enable_presence_by_hs_url|to_json }}, + "enable_presence_by_hs_url": {{ matrix_client_element_enable_presence_by_hs_url | to_json }}, {% endif %} "embeddedPages": { - "homeUrl": {{ matrix_client_element_embedded_pages_home_url | string|to_json }} + "homeUrl": {{ matrix_client_element_embedded_pages_home_url | string | to_json }} }, {% if matrix_client_element_jitsi_preferredDomain %} "jitsi": { - "preferredDomain": {{ matrix_client_element_jitsi_preferredDomain|to_json }} + "preferredDomain": {{ matrix_client_element_jitsi_preferredDomain | to_json }} }, {% endif %} {% if matrix_client_element_location_sharing_enabled %} "map_style_url": "https://{{ matrix_server_fqn_element }}/map_style.json", {% endif %} "branding": { 
- "authFooterLinks": {{ matrix_client_element_branding_authFooterLinks|to_json }}, - "authHeaderLogoUrl": {{ matrix_client_element_branding_authHeaderLogoUrl|to_json }}, - "welcomeBackgroundUrl": {{ matrix_client_element_branding_welcomeBackgroundUrl|to_json }} + "authFooterLinks": {{ matrix_client_element_branding_authFooterLinks | to_json }}, + "authHeaderLogoUrl": {{ matrix_client_element_branding_authHeaderLogoUrl | to_json }}, + "welcomeBackgroundUrl": {{ matrix_client_element_branding_welcomeBackgroundUrl | to_json }} } } From 643acfcb5b671d6fcd9e305c26e6fd0f1e7f4d3c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 22 Feb 2023 08:18:21 +0200 Subject: [PATCH 471/915] Make synapse-s3-storage-provider periodic migration schedule customizable Larger deployments may wish to run migration more often. --- roles/custom/matrix-synapse/defaults/main.yml | 3 +++ .../matrix-synapse-s3-storage-provider-migrate.timer.j2 | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index e4e2e5e2a..dd69facd5 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml 
@@ -874,6 +874,9 @@ matrix_synapse_ext_synapse_s3_storage_provider_config_threadpool_size: 40
 # It specifies how old files need to have been inactive to be eligible for migration from the local filesystem to the S3 data store.
 # By default, we use `0` which says "all files are eligible for migration".
 matrix_synapse_ext_synapse_s3_storage_provider_update_db_day_count: 0
+# Specifies how often periodic migration (`matrix-synapse-s3-storage-provider-migrate.timer`) will run.
+# This is a systemd timer OnCalendar definition. Learn more here: https://man.archlinux.org/man/systemd.time.7#CALENDAR_EVENTS
+matrix_synapse_ext_synapse_s3_storage_provider_periodic_migration_schedule: '*-*-* 05:00:00'
 matrix_s3_media_store_enabled: false
 matrix_s3_media_store_custom_endpoint_enabled: false
diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/systemd/matrix-synapse-s3-storage-provider-migrate.timer.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/systemd/matrix-synapse-s3-storage-provider-migrate.timer.j2
index 5013c7a81..14473dd7d 100644
--- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/systemd/matrix-synapse-s3-storage-provider-migrate.timer.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/systemd/matrix-synapse-s3-storage-provider-migrate.timer.j2
@@ -3,7 +3,7 @@ Description=Migrates locally-stored Synapse media store files to S3
 [Timer]
 Unit=matrix-synapse-s3-storage-provider-migrate.service
-OnCalendar=*-*-* 05:00:00
+OnCalendar={{ matrix_synapse_ext_synapse_s3_storage_provider_periodic_migration_schedule }}
 [Install]
 WantedBy=timers.target
From 84c5b44bea7612b307ddae902c9f54d21d4f78d5 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Wed, 22 Feb 2023 16:09:16 +0200
Subject: [PATCH 472/915] Upgrade com.devture.ansible.role.docker_sdk_for_python
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
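Review bot: `matrix_synapse_ext_synapse_s3_storage_provider_periodic_migration_schedule` is rendered straight into `OnCalendar=` in the timer unit with no validation, so a typo in the calendar expression produces a timer that systemd refuses to load and the periodic migration silently stops; the role's validate_config is not touched by this commit. Consider adding a check there, or at least extending the new comment with `# You can verify a custom value with: systemd-analyze calendar '<your value>'` so operators can test expressions before deploying. The single quotes around the default are required, since an unquoted `*` would start a YAML alias; the comment could mention that too.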
diff --git a/requirements.yml b/requirements.yml
index 17acfa32b..3b117ef6e 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -4,7 +4,7 @@
   version: 6.1.0
 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
-  version: 6ba3be490b6f4c6f35ea109aeb8e533fa231b3a5
+  version: 54d6d1831f063e4a99b66c722f49053d59f8ee60
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
   version: c1f40e82b4d6b072b6f0e885239322bdaaaf554f
From 0af6e6d9d970715ae1513a5ccf47f5321298fea9 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 23 Feb 2023 08:26:35 +0200
Subject: [PATCH 473/915] Make wait time for matrix-user-creator configurable and increase default (7 -> 10 sec.)
---
 roles/custom/matrix-user-creator/defaults/main.yml | 3 +++
 roles/custom/matrix-user-creator/tasks/setup.yml | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/roles/custom/matrix-user-creator/defaults/main.yml b/roles/custom/matrix-user-creator/defaults/main.yml
index 5c90a1e0f..20aad3d10 100644
--- a/roles/custom/matrix-user-creator/defaults/main.yml
+++ b/roles/custom/matrix-user-creator/defaults/main.yml
@@ -20,3 +20,6 @@ matrix_user_creator_users_auto: []
 # Add your own users here to have them end up in `matrix_user_creator_users` (see `vars/main.yml`) and get automatically created.
 # For example syntax for this variable, see the documentation for `matrix_user_creator_users` in `vars/main.yml`.
 matrix_user_creator_users_additional: []
+
+# matrix_user_creator_homeserver_start_wait_time_seconds specifies how long to wait after starting the homeserver service and before doing our work.
+matrix_user_creator_homeserver_start_wait_time_seconds: 10
diff --git a/roles/custom/matrix-user-creator/tasks/setup.yml b/roles/custom/matrix-user-creator/tasks/setup.yml
index 73dfd4548..d53726bde 100644
--- a/roles/custom/matrix-user-creator/tasks/setup.yml
+++ b/roles/custom/matrix-user-creator/tasks/setup.yml
@@ -21,7 +21,7 @@
 - name: Wait a while, so that the homeserver can manage to start before creating Matrix users
   ansible.builtin.pause:
-    seconds: 7
+    seconds: "{{ matrix_user_creator_homeserver_start_wait_time_seconds }}"
   when: matrix_user_registrator_homeserver_start_result.changed | bool
 - name: Ensure Matrix users are created
From c8022c1a18219c281909a950c656454c959e91cd Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 23 Feb 2023 08:35:45 +0200
Subject: [PATCH 474/915] Remove useless explicit daemon reload in matrix-user-creator
The next task asks for a daemon reload, so there's no need to do it twice.
---
 roles/custom/matrix-user-creator/tasks/setup.yml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/roles/custom/matrix-user-creator/tasks/setup.yml b/roles/custom/matrix-user-creator/tasks/setup.yml
index d53726bde..bcf2fd65f 100644
--- a/roles/custom/matrix-user-creator/tasks/setup.yml
+++ b/roles/custom/matrix-user-creator/tasks/setup.yml
@@ -8,10 +8,6 @@
   # Suppress logging to avoid dumping the credentials to the shell
   no_log: true
-- name: Ensure systemd is reloaded before starting the homeserver
-  ansible.builtin.service:
-    daemon_reload: true
-
 - name: Ensure homeserver is started before creating Matrix users
   ansible.builtin.service:
     name: "matrix-{{ matrix_homeserver_implementation }}.service"
From 40f037b36d47d222997d2a90daf90ca910e787f6 Mon Sep 17 00:00:00 2001
From: Benjamin Kampmann
Date: Mon, 20 Feb 2023 22:34:16 +0100
Subject: [PATCH 475/915] Add rageshake server
---
 group_vars/matrix_servers | 20 ++++
 playbooks/matrix.yml | 1 +
 roles/custom/matrix-base/defaults/main.yml | 3 +
 .../matrix-nginx-proxy/defaults/main.yml | 12 +++
 .../tasks/setup_nginx_proxy.yml | 13 +++
 .../matrix-nginx-proxy/templates/labels.j2 | 11 ++
 .../nginx/conf.d/matrix-rageshake.conf.j2 | 100 ++++++++++++++++++
 .../custom/matrix-rageshake/defaults/main.yml | 38 +++++++
 roles/custom/matrix-rageshake/tasks/main.yml | 19 ++++
 .../matrix-rageshake/tasks/setup_install.yml | 66 ++++++++++++
 .../tasks/setup_uninstall.yml | 24 +++++
 .../tasks/validate_config.yml | 1 +
 .../matrix-rageshake/templates/config.j2 | 2 +
 .../systemd/matrix-rageshake.service.j2 | 41 +++++++
 14 files changed, 351 insertions(+)
 create mode 100644 roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-rageshake.conf.j2
 create mode 100644 roles/custom/matrix-rageshake/defaults/main.yml
 create mode 100644 roles/custom/matrix-rageshake/tasks/main.yml
 create mode 100644 roles/custom/matrix-rageshake/tasks/setup_install.yml
 create mode 100644 roles/custom/matrix-rageshake/tasks/setup_uninstall.yml
 create mode 100644 roles/custom/matrix-rageshake/tasks/validate_config.yml
 create mode 100644 roles/custom/matrix-rageshake/templates/config.j2
 create mode 100644 roles/custom/matrix-rageshake/templates/systemd/matrix-rageshake.service.j2
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index f148e0425..1307679d2 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -296,6 +296,8 @@ devture_systemd_service_manager_services_list_auto: |
   + ([{'name': 'matrix-coturn.service', 'priority': 4000, 'groups': ['matrix', 'coturn']}] if matrix_coturn_enabled else [])
+  + ([{'name': 'matrix-rageshake.service', 'priority': 4000, 'groups': ['matrix', 'rageshake']}] if matrix_rageshake_enabled else [])
+
   + ([{'name': 'matrix-coturn-reload.timer', 'priority': 5000, 'groups': ['matrix', 'coturn']}] if (matrix_coturn_enabled and matrix_coturn_tls_enabled) else [])
   + ([{'name': 'matrix-dimension.service', 'priority': 4000, 'groups': ['matrix', 'integration-managers', 'dimension']}] if matrix_dimension_enabled else [])
@@ -1995,6 +1997,18 @@ matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registrati
 #
 ######################################################################
+
+######################################################################
+#
+# /matrix-rageshake
+#
+######################################################################
+
+# We don't enable rageshake by default.
+matrix_rageshake_enabled: false
+
+matrix_rageshake_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"
+
 ######################################################################
 #
 # matrix-coturn
@@ -2383,6 +2397,7 @@ matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled an
 matrix_nginx_proxy_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
 matrix_nginx_proxy_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled }}"
 matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}"
+matrix_nginx_proxy_proxy_rageshake_enabled: "{{ matrix_rageshake_enabled }}"
 matrix_nginx_proxy_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}"
 matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}"
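Review bot: Nothing in this commit documents the new service: the diffstat lists 14 files and none under `docs/`, and the only comment on the new defaults is `# We don't enable rageshake by default.`. Rageshake collects client bug reports, which arrive with attached logs that can contain personal data, so a `docs/configuring-playbook-rageshake.md` should state what `matrix_rageshake_enabled: true` exposes on `matrix_server_fqn_rageshake`, where submitted reports are stored on the host, and how long they are kept; the domain also needs a DNS record, which operators can only learn from the `matrix_ssl_domains_to_obtain_certificates_for` hunk below. The wiring across the nginx-proxy, Traefik label, systemd and TLS hunks that follow is consistent with the other services, so this is a documentation gap rather than a configuration defect.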
@@ -2400,6 +2415,7 @@ matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_ent
 matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true
 matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_enabled: "{{ matrix_rageshake_enabled }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"
@@ -2483,6 +2499,8 @@ matrix_nginx_proxy_systemd_wanted_services_list: |
   + (['matrix-dimension.service'] if matrix_dimension_enabled else [])
+  + (['matrix-rageshake.service'] if matrix_rageshake_enabled else [])
+
   + (['matrix-sygnal.service'] if matrix_sygnal_enabled else [])
   + ([(ntfy_identifier + '.service')] if ntfy_enabled else [])
@@ -2524,6 +2542,8 @@ matrix_ssl_domains_to_obtain_certificates_for: |
   + ([ntfy_hostname] if ntfy_enabled else [])
+  + ([matrix_server_fqn_rageshake] if matrix_rageshake_enabled else [])
+
   + (matrix_bot_postmoogle_domains if matrix_bot_postmoogle_enabled else [])
   + ([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else [])
diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml
index 6980a6f9b..a425cd883 100755
--- a/playbooks/matrix.yml
+++ b/playbooks/matrix.yml
@@ -82,6 +82,7 @@
       - custom/matrix-bot-draupnir
       - custom/matrix-bot-chatgpt
       - custom/matrix-cactus-comments
+      - custom/matrix-rageshake
       - custom/matrix-synapse
       - custom/matrix-synapse-reverse-proxy-companion
       - custom/matrix-dendrite
diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml
index da5459f80..0f2e3b488 100644
--- a/roles/custom/matrix-base/defaults/main.yml
+++ b/roles/custom/matrix-base/defaults/main.yml
@@ -90,6 +90,9 @@ matrix_server_fqn_sygnal: "sygnal.{{ matrix_domain }}"
 # This is where you access the ntfy push notification service.
 matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}"
+# This is where you access rageshake.
+matrix_server_fqn_rageshake: "rageshake.{{ matrix_domain }}"
+
 matrix_federation_public_port: 8448
 # The name of the Traefik entrypoint for handling Matrix Federation
diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml
index b656f074a..b5915dc40 100644
--- a/roles/custom/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml
@@ -71,6 +71,11 @@ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_hostname: "{{ matrix
 matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_dimension_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_hostname }}`)"
+matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_hostname: "{{ matrix_server_fqn_rageshake }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_hostname }}`)"
+
 matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: false
 matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_hostname: "{{ matrix_server_fqn_etherpad }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
@@ -257,6 +262,10 @@ matrix_nginx_proxy_proxy_matrix_federation_port: 8448
 matrix_nginx_proxy_proxy_dimension_enabled: false
 matrix_nginx_proxy_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}"
+# Controls whether proxying the rageshake domain should be done.
+matrix_nginx_proxy_proxy_rageshake_enabled: false
+matrix_nginx_proxy_proxy_rageshake_hostname: "{{ matrix_server_fqn_rageshake }}"
+
 # Controls whether proxying the etherpad domain should be done.
 matrix_nginx_proxy_proxy_etherpad_enabled: false
 matrix_nginx_proxy_proxy_etherpad_hostname: "{{ matrix_server_fqn_etherpad }}"
@@ -444,6 +453,9 @@ matrix_nginx_proxy_proxy_buscarron_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf). matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: [] +# A list of strings containing additional configuration blocks to add to Rageshake's server configuration (matrix-rageshake.conf). +matrix_nginx_proxy_proxy_rageshake_additional_server_configuration_blocks: [] + # A list of strings containing additional configuration blocks to add to etherpad's server configuration (matrix-etherpad.conf). matrix_nginx_proxy_proxy_etherpad_additional_server_configuration_blocks: [] diff --git a/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 5aa635979..1a55e28f7 100644 --- a/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -129,6 +129,13 @@ mode: 0644 when: matrix_nginx_proxy_proxy_dimension_enabled | bool +- name: Ensure Matrix nginx-proxy configuration for rageshake domain exists + ansible.builtin.template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-rageshake.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-rageshake.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_rageshake_enabled | bool + - name: Ensure Matrix nginx-proxy configuration for etherpad domain exists ansible.builtin.template: src: "{{ role_path }}/templates/nginx/conf.d/matrix-etherpad.conf.j2" 
@@ -291,6 +298,12 @@ state: absent when: "not matrix_nginx_proxy_proxy_dimension_enabled | bool" +- name: Ensure Matrix nginx-proxy configuration for rageshake domain deleted + ansible.builtin.file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-rageshake.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_rageshake_enabled | bool" + - name: Ensure Matrix nginx-proxy configuration for goneb domain deleted ansible.builtin.file: path: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-go-neb.conf" diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2 index 1e60ba6d9..00c9c40a9 100644 --- a/roles/custom/matrix-nginx-proxy/templates/labels.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2 @@ -62,6 +62,17 @@ traefik.http.routers.matrix-nginx-proxy-dimension.entrypoints={{ matrix_nginx_pr {% endif %} +{% if matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_enabled %} +# Rageshake +traefik.http.routers.matrix-nginx-proxy-rageshake.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_rule }} +traefik.http.routers.matrix-nginx-proxy-rageshake.service=matrix-nginx-proxy-web +traefik.http.routers.matrix-nginx-proxy-rageshake.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_tls | to_json }} +{% if matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_tls %} +traefik.http.routers.matrix-nginx-proxy-rageshake.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} +{% endif %} +traefik.http.routers.matrix-nginx-proxy-rageshake.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} +{% endif %} + {% if matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled %} # Etherpad traefik.http.routers.matrix-nginx-proxy-etherpad.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_rule }} 
diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-rageshake.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-rageshake.conf.j2 new file mode 100644 index 000000000..5da96684a --- /dev/null +++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-rageshake.conf.j2 
@@ -0,0 +1,100 @@ +#jinja2: lstrip_blocks: "True" + +{% macro render_vhost_directives() %} + gzip on; + gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + {% if matrix_nginx_proxy_hsts_preload_enabled %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; + add_header X-Content-Type-Options nosniff; + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + +{% for configuration_block in matrix_nginx_proxy_proxy_rageshake_additional_server_configuration_blocks %} + {{- configuration_block }} +{% endfor %} + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; + set $backend "matrix-rageshake:9110"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:9110; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; + } +{% endmacro %} + +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + + server_name {{ matrix_nginx_proxy_proxy_rageshake_hostname }}; + + server_tokens off; + root /dev/null; + + {% if matrix_nginx_proxy_https_enabled %} + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# 
Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } + {% else %} + {{ render_vhost_directives() }} + {% endif %} +} + +{% if matrix_nginx_proxy_https_enabled %} +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_proxy_rageshake_hostname }}; + + server_tokens off; + root /dev/null; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_rageshake_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_rageshake_hostname }}/privkey.pem; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != '' %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_rageshake_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + + {{ render_vhost_directives() }} +} +{% endif %} diff --git a/roles/custom/matrix-rageshake/defaults/main.yml b/roles/custom/matrix-rageshake/defaults/main.yml new file mode 100644 index 000000000..743b30004 --- /dev/null +++ b/roles/custom/matrix-rageshake/defaults/main.yml 
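Review bot: The `location /` block in `render_vhost_directives` sets no `client_max_body_size`, so nginx's built-in 1m default applies to an endpoint whose purpose is to receive compressed log bundles and screenshots, and larger submissions will be answered with 413 before reaching rageshake. Put an explicit, deliberately chosen cap next to the `proxy_pass`, e.g. `client_max_body_size 50M;`, and treat that as the upload limit of an endpoint which, as proxied here, accepts POSTs from anyone who can resolve the hostname. Nothing in this vhost rate-limits the submit path under the `/api/` prefix the role configures, so a `limit_req` zone (injectable via `matrix_nginx_proxy_proxy_rageshake_additional_server_configuration_blocks`) is worth considering; whether rageshake's own report-listing endpoint is protected depends on its config, which is not part of this hunk.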
@@ -0,0 +1,38 @@ +--- +# rageshake is a issue submission service from matrix.org +# Project source code URL: https://github.com/matrix-org/rageshake/ + +matrix_rageshake_enabled: false + +matrix_rageshake_container_image_self_build: false +matrix_rageshake_docker_repo: "https://github.com/matrix-org/rageshake/" +matrix_rageshake_docker_repo_version: "{{ 'master' if matrix_rageshake_version == 'master' else matrix_rageshake_version }}" +matrix_rageshake_docker_src_files_path: "{{ matrix_base_data_path }}/Dockerfile" + +matrix_rageshake_version: "master" +matrix_rageshake_docker_image: "{{ matrix_rageshake_docker_image_name_prefix }}matrix-org/rageshake:{{ matrix_rageshake_version }}" +matrix_rageshake_docker_image_name_prefix: "{{ 'localhost/' if matrix_rageshake_container_image_self_build else 'ghcr.io/' }}" +matrix_rageshake_docker_image_force_pull: "{{ matrix_rageshake_docker_image.endswith(':master') }}" + +matrix_rageshake_base_path: "{{ matrix_base_data_path }}/rageshake" +matrix_rageshake_config_path: "{{ matrix_rageshake_base_path }}/config" +matrix_rageshake_data_path: "{{ matrix_rageshake_base_path }}/data" + +# A list of extra arguments to pass to the container +matrix_rageshake_container_extra_arguments: [] + +# List of systemd services that matrix-rageshake.service depends on +matrix_rageshake_systemd_required_services_list: ["docker.service"] + +# List of systemd services that matrix-rageshake.service wants +matrix_rageshake_systemd_wanted_services_list: [] + +# Rageshake Settings + +# Additional config to pass to the rageshake. +# See https://github.com/matrix-org/rageshake/blob/master/rageshake.sample.yaml +# +# Example: +# matrix_rageshake_config: | +# github_token: secrettoken +matrix_rageshake_config: "" diff --git a/roles/custom/matrix-rageshake/tasks/main.yml b/roles/custom/matrix-rageshake/tasks/main.yml new file mode 100644 index 000000000..f0e03e66a --- /dev/null +++ b/roles/custom/matrix-rageshake/tasks/main.yml 
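Review bot: `matrix_rageshake_docker_src_files_path` points at `{{ matrix_base_data_path }}/Dockerfile`, so the self-build git checkout lands directly in the shared base data directory under a misleading name rather than below `matrix_rageshake_base_path`; the role's uninstall task only removes `matrix_rageshake_base_path`, so the checkout survives an uninstall and the role does not own its own files. Use `matrix_rageshake_docker_src_files_path: "{{ matrix_rageshake_base_path }}/docker-src"` so the clone is created, permissioned and removed together with the rest of the role's data. Separately, `matrix_rageshake_version: "master"` combined with `matrix_rageshake_docker_image_force_pull` means every service restart may silently pull a different image; the comment added later in this series explains why no stable tag is used, but a digest-pinned reference (`rageshake@sha256:…`) would still be the reproducible option once one is chosen.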
@@ -0,0 +1,19 @@ +--- +- block: + - when: matrix_rageshake_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_rageshake_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-rageshake + - install-all + - install-rageshake + +- block: + - when: not matrix_rageshake_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + tags: + - setup-all + - setup-rageshake diff --git a/roles/custom/matrix-rageshake/tasks/setup_install.yml b/roles/custom/matrix-rageshake/tasks/setup_install.yml new file mode 100644 index 000000000..b081960e5 --- /dev/null +++ b/roles/custom/matrix-rageshake/tasks/setup_install.yml 
@@ -0,0 +1,66 @@ +--- +- name: Ensure rageshake paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_rageshake_config_path }}", when: true } + - { path: "{{ matrix_rageshake_data_path }}", when: true } + - { + path: "{{ matrix_rageshake_docker_src_files_path }}", + when: matrix_rageshake_container_image_self_build, + } + when: "item.when | bool" + +- name: Ensure rageshake config file created + ansible.builtin.template: + src: "{{ role_path }}/templates/config.j2" + dest: "{{ matrix_rageshake_config_path }}/config.yml" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + mode: 0640 + +- name: Ensure rageshake image is pulled + community.docker.docker_image: + name: "{{ matrix_rageshake_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_rageshake_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_rageshake_docker_image_force_pull }}" + when: "not matrix_rageshake_container_image_self_build | bool" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- name: Ensure rageshake repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_rageshake_docker_repo }}" + version: "{{ matrix_rageshake_docker_repo_version }}" + dest: "{{ matrix_rageshake_docker_src_files_path }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_rageshake_git_pull_results + when: "matrix_rageshake_container_image_self_build | bool" + +- name: Ensure rageshake image is built + community.docker.docker_image: + name: 
"{{ matrix_rageshake_docker_image }}" + source: build + force_source: "{{ matrix_rageshake_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_rageshake_docker_src_files_path }}" + pull: true + when: "matrix_rageshake_container_image_self_build | bool" + +- name: Ensure matrix-rageshake.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-rageshake.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-rageshake.service" + mode: 0644 + register: matrix_rageshake_systemd_service_result diff --git a/roles/custom/matrix-rageshake/tasks/setup_uninstall.yml b/roles/custom/matrix-rageshake/tasks/setup_uninstall.yml new file mode 100644 index 000000000..133ac76d3 --- /dev/null +++ b/roles/custom/matrix-rageshake/tasks/setup_uninstall.yml @@ -0,0 +1,24 @@ +--- +- name: Check existence of matrix-rageshake service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-rageshake.service" + register: matrix_rageshake_service_stat + +- when: matrix_rageshake_service_stat.stat.exists | bool + block: + - name: Ensure matrix-rageshake is stopped + ansible.builtin.service: + name: matrix-rageshake + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure matrix-rageshake.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-rageshake.service" + state: absent + + - name: Ensure Matrix rageshake paths don't exist + ansible.builtin.file: + path: "{{ matrix_rageshake_base_path }}" + state: absent diff --git a/roles/custom/matrix-rageshake/tasks/validate_config.yml b/roles/custom/matrix-rageshake/tasks/validate_config.yml new file mode 100644 index 000000000..ed97d539c --- /dev/null 
+++ b/roles/custom/matrix-rageshake/tasks/validate_config.yml @@ -0,0 +1 @@ +--- diff --git a/roles/custom/matrix-rageshake/templates/config.j2 b/roles/custom/matrix-rageshake/templates/config.j2 new file mode 100644 index 000000000..2b0d64b7a --- /dev/null +++ b/roles/custom/matrix-rageshake/templates/config.j2 @@ -0,0 +1,2 @@ +api_prefix: "https://{{ matrix_server_fqn_rageshake }}/api/" +{{ matrix_rageshake_config | to_nice_yaml(indent=2, width=999999) }} diff --git a/roles/custom/matrix-rageshake/templates/systemd/matrix-rageshake.service.j2 b/roles/custom/matrix-rageshake/templates/systemd/matrix-rageshake.service.j2 new file mode 100644 index 000000000..6e818e0f3 --- /dev/null +++ b/roles/custom/matrix-rageshake/templates/systemd/matrix-rageshake.service.j2 
@@ -0,0 +1,41 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Rageshake Service +{% for service in matrix_rageshake_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_rageshake_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-rageshake 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-rageshake 2>/dev/null || true' + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-rageshake \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --tmpfs /tmp \ + --network={{ matrix_docker_network }} \ + --mount type=bind,src={{ matrix_rageshake_config_path }},dst=/config \ + --mount type=bind,src={{ matrix_rageshake_data_path }},dst=/bugs \ + {% for arg in matrix_rageshake_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_rageshake_docker_image }} \ + --config /config/config.yml + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-rageshake 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-rageshake 2>/dev/null || true' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-rageshake + +[Install] +WantedBy=multi-user.target From 53f8a0c6ae8d00f365bf3793660a5ca30f0ef601 Mon Sep 17 00:00:00 2001 
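Review bot: The config bind mount `--mount type=bind,src={{ matrix_rageshake_config_path }},dst=/config` is read-write although the container only reads `/config/config.yml`, and that file is where a `github_token` ends up per the role's own example; append `,ro` (`--mount type=bind,src={{ matrix_rageshake_config_path }},dst=/config,ro`) so the process cannot alter its own configuration, in keeping with the `--read-only` root filesystem and `--cap-drop=ALL` already applied. The `/bugs` mount has to stay writable because that is where submitted reports are persisted. A one-line comment above the `ExecStart` noting that `/bugs` holds user-submitted logs and screenshots (and is therefore sensitive data on the host) would help whoever later decides on backup and retention.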
From: Slavi Pantaleev Date: Fri, 24 Feb 2023 20:27:15 +0200 Subject: [PATCH 476/915] Upgrade com.devture.ansible.role.traefik --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 3b117ef6e..cbdd37ca3 100644 --- a/requirements.yml +++ b/requirements.yml @@ -49,7 +49,7 @@ version: v7.0.7-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: da90b6cdbbb9374ca72c1b530867add2fd8f024e + version: 5e3248cd4d17db9ff3ba90904e7330150dab599e - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: e7563caa814e634d2f8deec4a41e970caa1c0ae4 From c139d139a5c12a091fa170b1b67afcb64505de8f Mon Sep 17 00:00:00 2001 From: Tupsi Date: Sat, 25 Feb 2023 00:46:54 +0100 Subject: [PATCH 477/915] Update configuring-playbook-own-webserver.md own traefik server option must have the path to the acme.json. Otherwise the service will not start. --- docs/configuring-playbook-own-webserver.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 34e0bf3e4..22170f40a 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -33,6 +33,8 @@ This will install Traefik in the place of `matrix-nginx-proxy`. Traefik will man matrix_playbook_reverse_proxy_type: other-traefik-container matrix_playbook_reverse_proxyable_services_additional_network: your-traefik-network + +devture_traefik_certs_dumper_ssl_dir_path: "/path/to/your/traefiks/acme.json/directory" ``` In this mode all roles will still have Traefik labels attached. You will, however, need to configure your Traefik instance and its entrypoints. From 55f43dcc6d6f6733ce2346112c13b43778080108 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sat, 25 Feb 2023 12:09:23 +0200 Subject: [PATCH 478/915] Fixup matrix-rageshake section in group vars --- group_vars/matrix_servers | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 1307679d2..4669b331d 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2000,7 +2000,7 @@ matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registrati ###################################################################### # -# /matrix-rageshake +# matrix-rageshake # ###################################################################### @@ -2009,6 +2009,12 @@ matrix_rageshake_enabled: false matrix_rageshake_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" +###################################################################### +# +# /matrix-rageshake +# +###################################################################### + ###################################################################### # # matrix-coturn From d513c0f446589dc34249b8ce417f4a1d21263ca8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Feb 2023 12:20:09 +0200 Subject: [PATCH 479/915] Document why the rageshake version is master --- roles/custom/matrix-rageshake/defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/custom/matrix-rageshake/defaults/main.yml b/roles/custom/matrix-rageshake/defaults/main.yml index 743b30004..16a936bca 100644 --- a/roles/custom/matrix-rageshake/defaults/main.yml +++ b/roles/custom/matrix-rageshake/defaults/main.yml 
@@ -9,6 +9,8 @@ matrix_rageshake_docker_repo: "https://github.com/matrix-org/rageshake/" matrix_rageshake_docker_repo_version: "{{ 'master' if matrix_rageshake_version == 'master' else matrix_rageshake_version }}" matrix_rageshake_docker_src_files_path: "{{ matrix_base_data_path }}/Dockerfile" +# There are no stable container image tags yet. +# See: https://github.com/matrix-org/rageshake/issues/69 matrix_rageshake_version: "master" matrix_rageshake_docker_image: "{{ matrix_rageshake_docker_image_name_prefix }}matrix-org/rageshake:{{ matrix_rageshake_version }}" matrix_rageshake_docker_image_name_prefix: "{{ 'localhost/' if matrix_rageshake_container_image_self_build else 'ghcr.io/' }}" From 19e0b8374bab3de8ba4ec4dad12b7bcc9b907690 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Feb 2023 12:20:25 +0200 Subject: [PATCH 480/915] Enable matrix_rageshake_enabled in the role by default We disable it via `group_vars/matrix_servers`, as we do for all other roles. --- roles/custom/matrix-rageshake/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-rageshake/defaults/main.yml b/roles/custom/matrix-rageshake/defaults/main.yml index 16a936bca..3568d23f8 100644 --- a/roles/custom/matrix-rageshake/defaults/main.yml +++ b/roles/custom/matrix-rageshake/defaults/main.yml @@ -2,7 +2,7 @@ # rageshake is a issue submission service from matrix.org # Project source code URL: https://github.com/matrix-org/rageshake/ -matrix_rageshake_enabled: false +matrix_rageshake_enabled: true matrix_rageshake_container_image_self_build: false matrix_rageshake_docker_repo: "https://github.com/matrix-org/rageshake/" From db0104978f97e540db418eeb3b4b7cdcba602c5a Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sat, 25 Feb 2023 12:23:07 +0200 Subject: [PATCH 481/915] Extract api_prefix rageshake configuration into matrix_rageshake_config_api_prefix --- roles/custom/matrix-rageshake/defaults/main.yml | 2 ++ roles/custom/matrix-rageshake/templates/config.j2 | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-rageshake/defaults/main.yml b/roles/custom/matrix-rageshake/defaults/main.yml index 3568d23f8..4f574d3f6 100644 --- a/roles/custom/matrix-rageshake/defaults/main.yml +++ b/roles/custom/matrix-rageshake/defaults/main.yml @@ -29,6 +29,8 @@ matrix_rageshake_systemd_required_services_list: ["docker.service"] # List of systemd services that matrix-rageshake.service wants matrix_rageshake_systemd_wanted_services_list: [] +matrix_rageshake_config_api_prefix: "https://{{ matrix_server_fqn_rageshake }}/api/" + # Rageshake Settings # Additional config to pass to the rageshake. diff --git a/roles/custom/matrix-rageshake/templates/config.j2 b/roles/custom/matrix-rageshake/templates/config.j2 index 2b0d64b7a..08c90438c 100644 --- a/roles/custom/matrix-rageshake/templates/config.j2 +++ b/roles/custom/matrix-rageshake/templates/config.j2 @@ -1,2 +1,2 @@ -api_prefix: "https://{{ matrix_server_fqn_rageshake }}/api/" +api_prefix: {{ matrix_rageshake_config_api_prefix | to_json }} {{ matrix_rageshake_config | to_nice_yaml(indent=2, width=999999) }} From a51c9521a8f976d2778be3a45d411682fa60b073 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Feb 2023 12:23:45 +0200 Subject: [PATCH 482/915] Rename some task files --- .../matrix-rageshake/tasks/{setup_install.yml => install.yml} | 0 roles/custom/matrix-rageshake/tasks/main.yml | 4 ++-- .../tasks/{setup_uninstall.yml => uninstall.yml} | 0 3 files changed, 2 insertions(+), 2 deletions(-) rename roles/custom/matrix-rageshake/tasks/{setup_install.yml => install.yml} (100%) rename roles/custom/matrix-rageshake/tasks/{setup_uninstall.yml => uninstall.yml} (100%) 
diff --git a/roles/custom/matrix-rageshake/tasks/setup_install.yml b/roles/custom/matrix-rageshake/tasks/install.yml similarity index 100% rename from roles/custom/matrix-rageshake/tasks/setup_install.yml rename to roles/custom/matrix-rageshake/tasks/install.yml diff --git a/roles/custom/matrix-rageshake/tasks/main.yml b/roles/custom/matrix-rageshake/tasks/main.yml index f0e03e66a..c330964a4 100644 --- a/roles/custom/matrix-rageshake/tasks/main.yml +++ b/roles/custom/matrix-rageshake/tasks/main.yml @@ -4,7 +4,7 @@ ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_rageshake_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" tags: - setup-all - setup-rageshake @@ -13,7 +13,7 @@ - block: - when: not matrix_rageshake_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" tags: - setup-all - setup-rageshake diff --git a/roles/custom/matrix-rageshake/tasks/setup_uninstall.yml b/roles/custom/matrix-rageshake/tasks/uninstall.yml similarity index 100% rename from roles/custom/matrix-rageshake/tasks/setup_uninstall.yml rename to roles/custom/matrix-rageshake/tasks/uninstall.yml From 8339ebdf5894ef6e2b12627fe9097672cb06cfcb Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sat, 25 Feb 2023 12:29:22 +0200 Subject: [PATCH 483/915] Redo the way matryx-rageshake configuration is done This makes it consistent with the rest of the playbook: - there's a default config which has various variables controlling settings - there's also an `_extension_yaml` variable, which lets you override it --- .../custom/matrix-rageshake/defaults/main.yml | 33 ++++++++++++++----- .../custom/matrix-rageshake/tasks/install.yml | 5 ++- .../matrix-rageshake/templates/config.j2 | 2 -- .../matrix-rageshake/templates/config.yml.j2 | 4 +++ 4 files changed, 31 insertions(+), 13 deletions(-) delete mode 100644 roles/custom/matrix-rageshake/templates/config.j2 create mode 100644 roles/custom/matrix-rageshake/templates/config.yml.j2 diff --git a/roles/custom/matrix-rageshake/defaults/main.yml b/roles/custom/matrix-rageshake/defaults/main.yml index 4f574d3f6..a1bbe242b 100644 --- a/roles/custom/matrix-rageshake/defaults/main.yml +++ b/roles/custom/matrix-rageshake/defaults/main.yml 
@@ -31,12 +31,29 @@ matrix_rageshake_systemd_wanted_services_list: [] matrix_rageshake_config_api_prefix: "https://{{ matrix_server_fqn_rageshake }}/api/" -# Rageshake Settings - -# Additional config to pass to the rageshake. -# See https://github.com/matrix-org/rageshake/blob/master/rageshake.sample.yaml +# Default Rageshake configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. # -# Example: -# matrix_rageshake_config: | -# github_token: secrettoken -matrix_rageshake_config: "" +# For a more advanced customization, you can extend the default (see `matrix_rageshake_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_rageshake_configuration_yaml: "{{ lookup('template', 'templates/config.yml.j2') }}" + +matrix_rageshake_configuration_extension_yaml: | + # Your custom YAML configuration for Synapse goes here. + # This configuration extends the default starting configuration (`matrix_rageshake_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_rageshake_configuration_yaml`. + # + # Example configuration extension follows: + # + # github_project_mappings: + # my-app: octocat/HelloWorld + +matrix_rageshake_configuration_extension: "{{ matrix_rageshake_configuration_extension_yaml | from_yaml if matrix_rageshake_configuration_extension_yaml | from_yaml is mapping else {} }}" + +# Holds the final Synapse configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_rageshake_configuration_yaml`. +matrix_rageshake_configuration: "{{ matrix_rageshake_configuration_yaml | from_yaml | combine(matrix_rageshake_configuration_extension, recursive=True) }}" 
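Review bot: Two of the new comments still say "Synapse": `# Your custom YAML configuration for Synapse goes here.` inside `matrix_rageshake_configuration_extension_yaml` and `# Holds the final Synapse configuration (a combination of the default and its extension).` above `matrix_rageshake_configuration`; both are copy-paste leftovers and should read "Rageshake", otherwise the role reads as if it were configuring the homeserver. It would also be worth one sentence in the extension comment stating that anything placed here (the `github_token` a real deployment will add) is written verbatim to `config.yml` on the host, so such values should come from vault-encrypted variables rather than plain text in a shared vars file.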
diff --git a/roles/custom/matrix-rageshake/tasks/install.yml b/roles/custom/matrix-rageshake/tasks/install.yml index b081960e5..3f4d64c5d 100644 --- a/roles/custom/matrix-rageshake/tasks/install.yml +++ b/roles/custom/matrix-rageshake/tasks/install.yml @@ -16,8 +16,8 @@ when: "item.when | bool" - name: Ensure rageshake config file created - ansible.builtin.template: - src: "{{ role_path }}/templates/config.j2" + ansible.builtin.copy: + content: "{{ matrix_rageshake_configuration | to_nice_yaml(indent=2, width=999999) }}" dest: "{{ matrix_rageshake_config_path }}/config.yml" owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" @@ -63,4 +63,3 @@ src: "{{ role_path }}/templates/systemd/matrix-rageshake.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-rageshake.service" mode: 0644 - register: matrix_rageshake_systemd_service_result diff --git a/roles/custom/matrix-rageshake/templates/config.j2 b/roles/custom/matrix-rageshake/templates/config.j2 deleted file mode 100644 index 08c90438c..000000000 --- a/roles/custom/matrix-rageshake/templates/config.j2 +++ /dev/null @@ -1,2 +0,0 @@ -api_prefix: {{ matrix_rageshake_config_api_prefix | to_json }} -{{ matrix_rageshake_config | to_nice_yaml(indent=2, width=999999) }} diff --git a/roles/custom/matrix-rageshake/templates/config.yml.j2 b/roles/custom/matrix-rageshake/templates/config.yml.j2 new file mode 100644 index 000000000..6b0c2664d --- /dev/null +++ b/roles/custom/matrix-rageshake/templates/config.yml.j2 @@ -0,0 +1,4 @@ +# Default configuration for Rageshake. +# To extend it, use `matrix_rageshake_configuration_extension_yaml`. + +api_prefix: {{ matrix_rageshake_config_api_prefix | to_json }} From 306679103b28ce6642f390e99fe264ab73483706 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sat, 25 Feb 2023 12:32:19 +0200 Subject: [PATCH 484/915] Require self-building of rageshake for arm64 There are no arm64 images published.. yet --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 4669b331d..2ad11473b 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2007,7 +2007,7 @@ matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registrati # We don't enable rageshake by default. matrix_rageshake_enabled: false -matrix_rageshake_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" +matrix_rageshake_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}" ###################################################################### # From 5934de84be6721ecac0187cf473abcd058a5b455 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Feb 2023 12:59:56 +0200 Subject: [PATCH 485/915] Reorder matrix-rageshake default variables a bit --- roles/custom/matrix-rageshake/defaults/main.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/custom/matrix-rageshake/defaults/main.yml b/roles/custom/matrix-rageshake/defaults/main.yml index a1bbe242b..85a3e50e3 100644 --- a/roles/custom/matrix-rageshake/defaults/main.yml +++ b/roles/custom/matrix-rageshake/defaults/main.yml @@ -4,11 +4,6 @@ matrix_rageshake_enabled: true -matrix_rageshake_container_image_self_build: false -matrix_rageshake_docker_repo: "https://github.com/matrix-org/rageshake/" -matrix_rageshake_docker_repo_version: "{{ 'master' if matrix_rageshake_version == 'master' else matrix_rageshake_version }}" -matrix_rageshake_docker_src_files_path: "{{ matrix_base_data_path }}/Dockerfile" - # There are no stable container image tags yet. # See: https://github.com/matrix-org/rageshake/issues/69 matrix_rageshake_version: "master" 
@@ -20,6 +15,11 @@ matrix_rageshake_base_path: "{{ matrix_base_data_path }}/rageshake" matrix_rageshake_config_path: "{{ matrix_rageshake_base_path }}/config" matrix_rageshake_data_path: "{{ matrix_rageshake_base_path }}/data" +matrix_rageshake_container_image_self_build: false +matrix_rageshake_docker_repo: "https://github.com/matrix-org/rageshake/" +matrix_rageshake_docker_repo_version: "{{ 'master' if matrix_rageshake_version == 'master' else matrix_rageshake_version }}" +matrix_rageshake_docker_src_files_path: "{{ matrix_base_data_path }}/Dockerfile" + # A list of extra arguments to pass to the container matrix_rageshake_container_extra_arguments: [] From 9a8ebf3d8c5e96d9703abb7b681e5852196eebbe Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Feb 2023 13:01:11 +0200 Subject: [PATCH 486/915] matrix_rageshake_docker_ -> matrix_rageshake_container_ --- .../custom/matrix-rageshake/defaults/main.yml | 12 ++++++------ .../custom/matrix-rageshake/tasks/install.yml | 18 +++++++++--------- .../systemd/matrix-rageshake.service.j2 | 2 +- 3 files changed, 16 insertions(+), 16 deletions(-) diff --git a/roles/custom/matrix-rageshake/defaults/main.yml b/roles/custom/matrix-rageshake/defaults/main.yml index 85a3e50e3..e29ca62fb 100644 --- a/roles/custom/matrix-rageshake/defaults/main.yml +++ b/roles/custom/matrix-rageshake/defaults/main.yml 
@@ -7,18 +7,18 @@ matrix_rageshake_enabled: true # There are no stable container image tags yet. # See: https://github.com/matrix-org/rageshake/issues/69 matrix_rageshake_version: "master" -matrix_rageshake_docker_image: "{{ matrix_rageshake_docker_image_name_prefix }}matrix-org/rageshake:{{ matrix_rageshake_version }}" -matrix_rageshake_docker_image_name_prefix: "{{ 'localhost/' if matrix_rageshake_container_image_self_build else 'ghcr.io/' }}" -matrix_rageshake_docker_image_force_pull: "{{ matrix_rageshake_docker_image.endswith(':master') }}" +matrix_rageshake_container_image: "{{ matrix_rageshake_container_image_name_prefix }}matrix-org/rageshake:{{ matrix_rageshake_version }}" +matrix_rageshake_container_image_name_prefix: "{{ 'localhost/' if matrix_rageshake_container_image_self_build else 'ghcr.io/' }}" +matrix_rageshake_container_image_force_pull: "{{ matrix_rageshake_container_image.endswith(':master') }}" matrix_rageshake_base_path: "{{ matrix_base_data_path }}/rageshake" matrix_rageshake_config_path: "{{ matrix_rageshake_base_path }}/config" matrix_rageshake_data_path: "{{ matrix_rageshake_base_path }}/data" matrix_rageshake_container_image_self_build: false -matrix_rageshake_docker_repo: "https://github.com/matrix-org/rageshake/" -matrix_rageshake_docker_repo_version: "{{ 'master' if matrix_rageshake_version == 'master' else matrix_rageshake_version }}" -matrix_rageshake_docker_src_files_path: "{{ matrix_base_data_path }}/Dockerfile" +matrix_rageshake_container_repo: "https://github.com/matrix-org/rageshake/" +matrix_rageshake_container_repo_version: "{{ 'master' if matrix_rageshake_version == 'master' else matrix_rageshake_version }}" +matrix_rageshake_container_src_files_path: "{{ matrix_base_data_path }}/Dockerfile" # A list of extra arguments to pass to the container matrix_rageshake_container_extra_arguments: [] 
diff --git a/roles/custom/matrix-rageshake/tasks/install.yml b/roles/custom/matrix-rageshake/tasks/install.yml index 3f4d64c5d..6b75b969e 100644 --- a/roles/custom/matrix-rageshake/tasks/install.yml +++ b/roles/custom/matrix-rageshake/tasks/install.yml @@ -10,7 +10,7 @@ - { path: "{{ matrix_rageshake_config_path }}", when: true } - { path: "{{ matrix_rageshake_data_path }}", when: true } - { - path: "{{ matrix_rageshake_docker_src_files_path }}", + path: "{{ matrix_rageshake_container_src_files_path }}", when: matrix_rageshake_container_image_self_build, } when: "item.when | bool" @@ -25,10 +25,10 @@ - name: Ensure rageshake image is pulled community.docker.docker_image: - name: "{{ matrix_rageshake_docker_image }}" + name: "{{ matrix_rageshake_container_image }}" source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_rageshake_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_rageshake_docker_image_force_pull }}" + force_source: "{{ matrix_rageshake_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_rageshake_container_image_force_pull }}" when: "not matrix_rageshake_container_image_self_build | bool" register: result retries: "{{ devture_playbook_help_container_retries_count }}" 
@@ -37,9 +37,9 @@ - name: Ensure rageshake repository is present on self-build ansible.builtin.git: - repo: "{{ matrix_rageshake_docker_repo }}" - version: "{{ matrix_rageshake_docker_repo_version }}" - dest: "{{ matrix_rageshake_docker_src_files_path }}" + repo: "{{ matrix_rageshake_container_repo }}" + version: "{{ matrix_rageshake_container_repo_version }}" + dest: "{{ matrix_rageshake_container_src_files_path }}" force: "yes" become: true become_user: "{{ matrix_user_username }}" @@ -48,13 +48,13 @@ - name: Ensure rageshake image is built community.docker.docker_image: - name: "{{ matrix_rageshake_docker_image }}" + name: "{{ matrix_rageshake_container_image }}" source: build force_source: "{{ matrix_rageshake_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" build: dockerfile: Dockerfile - path: "{{ matrix_rageshake_docker_src_files_path }}" + path: "{{ matrix_rageshake_container_src_files_path }}" pull: true when: "matrix_rageshake_container_image_self_build | bool" diff --git a/roles/custom/matrix-rageshake/templates/systemd/matrix-rageshake.service.j2 b/roles/custom/matrix-rageshake/templates/systemd/matrix-rageshake.service.j2 index 6e818e0f3..5e6cfecee 100644 --- a/roles/custom/matrix-rageshake/templates/systemd/matrix-rageshake.service.j2 +++ b/roles/custom/matrix-rageshake/templates/systemd/matrix-rageshake.service.j2 @@ -28,7 +28,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {% for arg in matrix_rageshake_container_extra_arguments %} {{ arg }} \ {% endfor %} - {{ matrix_rageshake_docker_image }} \ + {{ matrix_rageshake_container_image }} \ --config /config/config.yml ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-rageshake 2>/dev/null || true' 
From 39be2ef71abf6d85c73381b5f22cfae292db5fe1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Feb 2023 13:01:38 +0200 Subject: [PATCH 487/915] Fix matrix_rageshake_container_src_files_path value --- roles/custom/matrix-rageshake/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-rageshake/defaults/main.yml b/roles/custom/matrix-rageshake/defaults/main.yml index e29ca62fb..5be3a1ca1 100644 --- a/roles/custom/matrix-rageshake/defaults/main.yml +++ b/roles/custom/matrix-rageshake/defaults/main.yml @@ -18,7 +18,7 @@ matrix_rageshake_data_path: "{{ matrix_rageshake_base_path }}/data" matrix_rageshake_container_image_self_build: false matrix_rageshake_container_repo: "https://github.com/matrix-org/rageshake/" matrix_rageshake_container_repo_version: "{{ 'master' if matrix_rageshake_version == 'master' else matrix_rageshake_version }}" -matrix_rageshake_container_src_files_path: "{{ matrix_base_data_path }}/Dockerfile" +matrix_rageshake_container_src_files_path: "{{ matrix_rageshake_base_path }}/container-src" # A list of extra arguments to pass to the container matrix_rageshake_container_extra_arguments: [] From 4c64e092d00e0abc84b9695bc32c852ea7d17771 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Feb 2023 13:09:53 +0200 Subject: [PATCH 488/915] Fix rageshake self-building BuildX is required for building this container image. --- .../custom/matrix-rageshake/tasks/install.yml | 31 +++++++++---------- 1 file changed, 14 insertions(+), 17 deletions(-) diff --git a/roles/custom/matrix-rageshake/tasks/install.yml b/roles/custom/matrix-rageshake/tasks/install.yml index 6b75b969e..a7b6a5b1e 100644 --- a/roles/custom/matrix-rageshake/tasks/install.yml +++ b/roles/custom/matrix-rageshake/tasks/install.yml 
@@ -7,12 +7,12 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" with_items: - - { path: "{{ matrix_rageshake_config_path }}", when: true } - - { path: "{{ matrix_rageshake_data_path }}", when: true } - - { - path: "{{ matrix_rageshake_container_src_files_path }}", - when: matrix_rageshake_container_image_self_build, - } + - path: "{{ matrix_rageshake_config_path }}" + when: true + - path: "{{ matrix_rageshake_data_path }}" + when: true + - path: "{{ matrix_rageshake_container_src_files_path }}" + when: matrix_rageshake_container_image_self_build | bool when: "item.when | bool" - name: Ensure rageshake config file created @@ -46,17 +46,14 @@ register: matrix_rageshake_git_pull_results when: "matrix_rageshake_container_image_self_build | bool" -- name: Ensure rageshake image is built - community.docker.docker_image: - name: "{{ matrix_rageshake_container_image }}" - source: build - force_source: "{{ matrix_rageshake_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" - build: - dockerfile: Dockerfile - path: "{{ matrix_rageshake_container_src_files_path }}" - pull: true - when: "matrix_rageshake_container_image_self_build | bool" +- name: Ensure rageshake container image is built + ansible.builtin.command: + cmd: |- + {{ devture_systemd_docker_base_host_command_docker }} buildx build + --tag={{ matrix_rageshake_container_image }} + --file={{ matrix_rageshake_container_src_files_path }}/Dockerfile + {{ matrix_rageshake_container_src_files_path }} + when: matrix_rageshake_container_image_self_build | bool - name: Ensure matrix-rageshake.service installed ansible.builtin.template: From 233e25326457fdbb6c65e74412c6f0f824a310f9 Mon Sep 17 00:00:00 2001 
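Review bot: The rewritten build task in the second hunk is a plain `ansible.builtin.command`, so it reports `changed` and re-runs `docker buildx build` on every playbook run once self-building is enabled, whereas the replaced `docker_image` task only forced a rebuild when `matrix_rageshake_git_pull_results.changed` was true. Consider gating it the same way (`when: matrix_rageshake_container_image_self_build | bool and matrix_rageshake_git_pull_results.changed`) or at least adding a `changed_when:` so repeated runs stay idempotent. The old task also had `pull: true`, which refreshed the Dockerfile's base image at build time; the new invocation has no `--pull`, so the base image is resolved from the local cache and will not pick up upstream fixes unless `--pull` is added to the `buildx build` line.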
From: Slavi Pantaleev Date: Sat, 25 Feb 2023 13:15:34 +0200 Subject: [PATCH 489/915] Add native Traefik support to rageshake --- group_vars/matrix_servers | 15 +++- .../matrix-nginx-proxy/defaults/main.yml | 5 -- .../matrix-nginx-proxy/templates/labels.j2 | 11 --- .../custom/matrix-rageshake/defaults/main.yml | 69 +++++++++++++++++-- .../custom/matrix-rageshake/tasks/install.yml | 18 ++++- .../matrix-rageshake/tasks/uninstall.yml | 3 +- .../tasks/validate_config.yml | 30 ++++++++ .../matrix-rageshake/templates/labels.j2 | 45 ++++++++++++ .../systemd/matrix-rageshake.service.j2 | 14 +++- 9 files changed, 180 insertions(+), 30 deletions(-) create mode 100644 roles/custom/matrix-rageshake/templates/labels.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 2ad11473b..dc24392e3 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -2009,6 +2009,18 @@ matrix_rageshake_enabled: false matrix_rageshake_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}" +matrix_rageshake_hostname: "{{ matrix_server_fqn_rageshake }}" + +matrix_rageshake_container_network: "{{ matrix_docker_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-rageshake' }}" + +matrix_rageshake_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" + +matrix_rageshake_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9110') if matrix_playbook_service_host_bind_interface_prefix else '' }}" + +matrix_rageshake_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" +matrix_rageshake_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_rageshake_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" + ###################################################################### # # /matrix-rageshake 
@@ -2403,7 +2415,7 @@ matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled an matrix_nginx_proxy_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled }}" matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" -matrix_nginx_proxy_proxy_rageshake_enabled: "{{ matrix_rageshake_enabled }}" +matrix_nginx_proxy_proxy_rageshake_enabled: "{{ matrix_rageshake_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}" matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" @@ -2421,7 +2433,6 @@ matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_ent matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" -matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_enabled: "{{ matrix_rageshake_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}" matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index b5915dc40..061d8f936 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml 
@@ -71,11 +71,6 @@ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_hostname: "{{ matrix matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" matrix_nginx_proxy_container_labels_traefik_proxy_dimension_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_hostname }}`)" -matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_enabled: false -matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_hostname: "{{ matrix_server_fqn_rageshake }}" -matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" -matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_hostname }}`)" - matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: false matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_hostname: "{{ matrix_server_fqn_etherpad }}" matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2 index 00c9c40a9..1e60ba6d9 100644 --- a/roles/custom/matrix-nginx-proxy/templates/labels.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2 
@@ -62,17 +62,6 @@ traefik.http.routers.matrix-nginx-proxy-dimension.entrypoints={{ matrix_nginx_pr {% endif %} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_enabled %} -# Rageshake -traefik.http.routers.matrix-nginx-proxy-rageshake.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_rule }} -traefik.http.routers.matrix-nginx-proxy-rageshake.service=matrix-nginx-proxy-web -traefik.http.routers.matrix-nginx-proxy-rageshake.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_tls | to_json }} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_tls %} -traefik.http.routers.matrix-nginx-proxy-rageshake.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} -{% endif %} -traefik.http.routers.matrix-nginx-proxy-rageshake.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} -{% endif %} - {% if matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled %} # Etherpad traefik.http.routers.matrix-nginx-proxy-etherpad.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_rule }} diff --git a/roles/custom/matrix-rageshake/defaults/main.yml b/roles/custom/matrix-rageshake/defaults/main.yml index 5be3a1ca1..456838ed9 100644 --- a/roles/custom/matrix-rageshake/defaults/main.yml +++ b/roles/custom/matrix-rageshake/defaults/main.yml 
@@ -4,21 +4,76 @@ matrix_rageshake_enabled: true +matrix_rageshake_scheme: https + +# The hostname at which rageshake is served. +matrix_rageshake_hostname: '' + +# The path at which rageshake is exposed. +# This value must either be `/` or not end with a slash (e.g. `/rageshake`). +matrix_rageshake_path_prefix: / + # There are no stable container image tags yet. # See: https://github.com/matrix-org/rageshake/issues/69 matrix_rageshake_version: "master" -matrix_rageshake_container_image: "{{ matrix_rageshake_container_image_name_prefix }}matrix-org/rageshake:{{ matrix_rageshake_version }}" -matrix_rageshake_container_image_name_prefix: "{{ 'localhost/' if matrix_rageshake_container_image_self_build else 'ghcr.io/' }}" -matrix_rageshake_container_image_force_pull: "{{ matrix_rageshake_container_image.endswith(':master') }}" matrix_rageshake_base_path: "{{ matrix_base_data_path }}/rageshake" matrix_rageshake_config_path: "{{ matrix_rageshake_base_path }}/config" matrix_rageshake_data_path: "{{ matrix_rageshake_base_path }}/data" +matrix_rageshake_container_src_files_path: "{{ matrix_rageshake_base_path }}/container-src" + +matrix_rageshake_container_image: "{{ matrix_rageshake_container_image_name_prefix }}matrix-org/rageshake:{{ matrix_rageshake_container_image_tag }}" +matrix_rageshake_container_image_name_prefix: "{{ 'localhost/' if matrix_rageshake_container_image_self_build else matrix_rageshake_container_registry_prefix }}" +matrix_rageshake_container_image_force_pull: "{{ matrix_rageshake_container_image.endswith(':master') }}" +matrix_rageshake_container_image_tag: "{{ matrix_rageshake_version }}" +matrix_rageshake_container_registry_prefix: ghcr.io/ matrix_rageshake_container_image_self_build: false -matrix_rageshake_container_repo: "https://github.com/matrix-org/rageshake/" -matrix_rageshake_container_repo_version: "{{ 'master' if matrix_rageshake_version == 'master' else matrix_rageshake_version }}" -matrix_rageshake_container_src_files_path: "{{ 
matrix_rageshake_base_path }}/container-src" +matrix_rageshake_container_image_self_build_repo: "https://github.com/matrix-org/rageshake/" +matrix_rageshake_container_image_self_build_repo_version: "{{ matrix_rageshake_version }}" + +# Controls whether the container exposes its HTTP port (tcp/9110 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:9110"), or empty string to not expose. +matrix_rageshake_container_http_host_bind_port: '' + +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_rageshake_container_network: matrix-rageshake + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_rageshake_container_additional_networks: [] + +# matrix_rageshake_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_rageshake_container_labels_additional_labels`. +matrix_rageshake_container_labels_traefik_enabled: true +matrix_rageshake_container_labels_traefik_docker_network: "{{ matrix_rageshake_container_network }}" +matrix_rageshake_container_labels_traefik_hostname: "{{ matrix_rageshake_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/rageshake`). 
+matrix_rageshake_container_labels_traefik_path_prefix: "{{ matrix_rageshake_path_prefix }}" +matrix_rageshake_container_labels_traefik_rule: "Host(`{{ matrix_rageshake_container_labels_traefik_hostname }}`){% if matrix_rageshake_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_rageshake_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_rageshake_container_labels_traefik_priority: 0 +matrix_rageshake_container_labels_traefik_entrypoints: web-secure +matrix_rageshake_container_labels_traefik_tls: "{{ matrix_rageshake_container_labels_traefik_entrypoints != 'web' }}" +matrix_rageshake_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. +# To add your own headers, use `matrix_rageshake_container_labels_traefik_additional_response_headers_custom` +matrix_rageshake_container_labels_traefik_additional_response_headers: "{{ matrix_rageshake_container_labels_traefik_additional_response_headers_auto | combine(matrix_rageshake_container_labels_traefik_additional_response_headers_custom) }}" +matrix_rageshake_container_labels_traefik_additional_response_headers_auto: {} +matrix_rageshake_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_rageshake_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_rageshake_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_rageshake_container_labels_additional_labels: '' # A list of extra arguments to pass to the container matrix_rageshake_container_extra_arguments: [] 
@@ -29,7 +84,7 @@ matrix_rageshake_systemd_required_services_list: ["docker.service"] # List of systemd services that matrix-rageshake.service wants matrix_rageshake_systemd_wanted_services_list: [] -matrix_rageshake_config_api_prefix: "https://{{ matrix_server_fqn_rageshake }}/api/" +matrix_rageshake_config_api_prefix: "{{ matrix_rageshake_scheme }}://{{ matrix_rageshake_hostname }}{{ matrix_rageshake_path_prefix }}{{ '' if matrix_rageshake_path_prefix == '/' else '/' }}api/" # Default Rageshake configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. diff --git a/roles/custom/matrix-rageshake/tasks/install.yml b/roles/custom/matrix-rageshake/tasks/install.yml index a7b6a5b1e..f9461680f 100644 --- a/roles/custom/matrix-rageshake/tasks/install.yml +++ b/roles/custom/matrix-rageshake/tasks/install.yml @@ -1,4 +1,5 @@ --- + - name: Ensure rageshake paths exist ansible.builtin.file: path: "{{ item.path }}" @@ -23,6 +24,14 @@ group: "{{ matrix_user_groupname }}" mode: 0640 +- name: Ensure rageshake labels installed + ansible.builtin.template: + src: "{{ role_path }}/templates/labels.j2" + dest: "{{ matrix_rageshake_base_path }}/labels" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + - name: Ensure rageshake image is pulled community.docker.docker_image: name: "{{ matrix_rageshake_container_image }}" @@ -37,8 +46,8 @@ - name: Ensure rageshake repository is present on self-build ansible.builtin.git: - repo: "{{ matrix_rageshake_container_repo }}" - version: "{{ matrix_rageshake_container_repo_version }}" + repo: "{{ matrix_rageshake_container_image_self_build_repo }}" + version: "{{ matrix_rageshake_container_image_self_build_version }}" dest: "{{ matrix_rageshake_container_src_files_path }}" force: "yes" become: true 
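Review bot: The git task in the last hunk now reads `matrix_rageshake_container_image_self_build_version`, but the defaults hunk of this same commit defines `matrix_rageshake_container_image_self_build_repo_version` and nothing named `..._self_build_version`, so a self-build run should fail with an undefined variable at `version:`. Either change the task line to `version: "{{ matrix_rageshake_container_image_self_build_repo_version }}"` or rename the default; which of the two names is intended is not visible here. The `repo:` line on the previous row does match its new default name.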
@@ -55,6 +64,11 @@ {{ matrix_rageshake_container_src_files_path }} when: matrix_rageshake_container_image_self_build | bool +- name: Ensure rageshake container network is created + community.general.docker_network: + name: "{{ matrix_rageshake_container_network }}" + driver: bridge + - name: Ensure matrix-rageshake.service installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-rageshake.service.j2" diff --git a/roles/custom/matrix-rageshake/tasks/uninstall.yml b/roles/custom/matrix-rageshake/tasks/uninstall.yml index 133ac76d3..8f04d9894 100644 --- a/roles/custom/matrix-rageshake/tasks/uninstall.yml +++ b/roles/custom/matrix-rageshake/tasks/uninstall.yml @@ -1,4 +1,5 @@ --- + - name: Check existence of matrix-rageshake service ansible.builtin.stat: path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-rageshake.service" @@ -18,7 +19,7 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-rageshake.service" state: absent - - name: Ensure Matrix rageshake paths don't exist + - name: Ensure rageshake paths don't exist ansible.builtin.file: path: "{{ matrix_rageshake_base_path }}" state: absent diff --git a/roles/custom/matrix-rageshake/tasks/validate_config.yml b/roles/custom/matrix-rageshake/tasks/validate_config.yml index ed97d539c..b61a486d2 100644 --- a/roles/custom/matrix-rageshake/tasks/validate_config.yml +++ b/roles/custom/matrix-rageshake/tasks/validate_config.yml 
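Review bot: The new network task uses `community.general.docker_network`, while the image tasks earlier in this file use `community.docker.docker_image`. As far as I know the Docker modules live in the `community.docker` collection and the `community.general.docker_*` names are only deprecated redirects, so for consistency and to avoid depending on the redirect I would write `community.docker.docker_network:` here. The enclosing task list continues outside the hunk.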
@@ -1 +1,31 @@ --- + +- name: Fail if required rageshake settings not defined + ansible.builtin.fail: + msg: > + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - matrix_rageshake_hostname + - matrix_rageshake_path_prefix + - matrix_rageshake_container_network + +- when: matrix_rageshake_container_labels_traefik_enabled | bool + block: + - name: Fail if required rageshake Traefik settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - matrix_rageshake_container_labels_traefik_hostname + - matrix_rageshake_container_labels_traefik_path_prefix + + # We ensure it doesn't end with a slash, because we handle both (slash and no-slash). + # Knowing that `matrix_rageshake_container_labels_traefik_path_prefix` does not end with a slash + # ensures we know how to set these routes up without having to do "does it end with a slash" checks elsewhere. + - name: Fail if matrix_rageshake_container_labels_traefik_path_prefix ends with a slash + ansible.builtin.fail: + msg: >- + matrix_rageshake_container_labels_traefik_path_prefix (`{{ matrix_rageshake_container_labels_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/rageshake`). + when: "matrix_rageshake_container_labels_traefik_path_prefix != '/' and matrix_rageshake_container_labels_traefik_path_prefix[-1] == '/'" diff --git a/roles/custom/matrix-rageshake/templates/labels.j2 b/roles/custom/matrix-rageshake/templates/labels.j2 new file mode 100644 index 000000000..cdaf5f6af --- /dev/null +++ b/roles/custom/matrix-rageshake/templates/labels.j2 
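Review bot: The trailing-slash check only covers `matrix_rageshake_container_labels_traefik_path_prefix`, and only inside the block gated on `matrix_rageshake_container_labels_traefik_enabled`, but `matrix_rageshake_path_prefix` is also used unconditionally by `matrix_rageshake_config_api_prefix` in this commit's defaults change, which appends `/api/` only when the prefix is not `/`. A value such as `/rageshake/` with Traefik labels disabled therefore passes validation and produces an api_prefix ending in `rageshake//api/`. Add an equivalent task for the top-level variable outside the block, with `when: "matrix_rageshake_path_prefix != '/' and matrix_rageshake_path_prefix[-1] == '/'"` and the same kind of message.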
@@ -0,0 +1,45 @@ +{% if matrix_rageshake_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_rageshake_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_rageshake_container_labels_traefik_docker_network }} +{% endif %} + +{% set middlewares = [] %} + +{% if matrix_rageshake_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-rageshake-slashless-redirect.redirectregex.regex=({{ matrix_rageshake_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-rageshake-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-rageshake-slashless-redirect'] %} +{% endif %} + +{% if matrix_rageshake_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-rageshake-strip-prefix.stripprefix.prefixes={{ matrix_rageshake_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-rageshake-strip-prefix'] %} +{% endif %} + +{% if matrix_rageshake_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_rageshake_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-rageshake-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-rageshake-add-headers'] %} +{% endif %} + +traefik.http.routers.matrix-rageshake.rule={{ matrix_rageshake_container_labels_traefik_rule }} +{% if matrix_rageshake_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-rageshake.priority={{ matrix_rageshake_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-rageshake.service=matrix-rageshake +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-rageshake.middlewares={{ middlewares | join(',') }} +{% endif %} +traefik.http.routers.matrix-rageshake.entrypoints={{ 
matrix_rageshake_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-rageshake.tls={{ matrix_rageshake_container_labels_traefik_tls | to_json }} +{% if matrix_rageshake_container_labels_traefik_tls %} +traefik.http.routers.matrix-rageshake.tls.certResolver={{ matrix_rageshake_container_labels_traefik_tls_certResolver }} +{% endif %} + +traefik.http.services.matrix-rageshake.loadbalancer.server.port=9110 +{% endif %} + +{{ matrix_rageshake_container_labels_additional_labels }} diff --git a/roles/custom/matrix-rageshake/templates/systemd/matrix-rageshake.service.j2 b/roles/custom/matrix-rageshake/templates/systemd/matrix-rageshake.service.j2 index 5e6cfecee..75006c2d5 100644 --- a/roles/custom/matrix-rageshake/templates/systemd/matrix-rageshake.service.j2 +++ b/roles/custom/matrix-rageshake/templates/systemd/matrix-rageshake.service.j2 
@@ -16,23 +16,33 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-rageshake 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-rageshake 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-rageshake \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-rageshake \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ --tmpfs /tmp \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_rageshake_container_network }} \ --mount type=bind,src={{ matrix_rageshake_config_path }},dst=/config \ --mount type=bind,src={{ matrix_rageshake_data_path }},dst=/bugs \ + --label-file={{ matrix_rageshake_base_path }}/labels \ {% for arg in matrix_rageshake_container_extra_arguments %} {{ arg }} \ {% endfor %} {{ matrix_rageshake_container_image }} \ --config /config/config.yml +{% for network in matrix_rageshake_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-rageshake +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-rageshake + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-rageshake 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-rageshake 2>/dev/null || true' + Restart=always RestartSec=30 SyslogIdentifier=matrix-rageshake From b5e9ff59266eb2a255140337af2c5499b8a75afd Mon Sep 17 00:00:00 2001 
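Review bot: The `/config` bind mount on the `--mount type=bind,src={{ matrix_rageshake_config_path }},dst=/config` line stays writable, although the container only reads it (`--config /config/config.yml` is the sole use visible in the unit); with the rest of the `docker create` already hardened (`--cap-drop=ALL`, `--read-only`, `--user`), a read-only mount is the missing piece that stops a compromised process from rewriting its own configuration: `--mount type=bind,src={{ matrix_rageshake_config_path }},dst=/config,ro \`. The `/bugs` mount presumably needs to stay writable, since that is where reports are stored — confirm against the rageshake config. The `network connect` lines added later in the unit are not `-`-prefixed, so a missing additional network aborts the start rather than silently running unattached, which is the safer behaviour.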
From: Slavi Pantaleev Date: Sat, 25 Feb 2023 14:00:42 +0200 Subject: [PATCH 490/915] Add Rageshake documentation --- docs/configuring-playbook-rageshake.md | 65 ++++++++++++++++++++++++++ docs/configuring-playbook.md | 2 + 2 files changed, 67 insertions(+) create mode 100644 docs/configuring-playbook-rageshake.md diff --git a/docs/configuring-playbook-rageshake.md b/docs/configuring-playbook-rageshake.md new file mode 100644 index 000000000..274d0c8b3 --- /dev/null +++ b/docs/configuring-playbook-rageshake.md 
@@ -0,0 +1,65 @@ +# Setting up Rageshake (optional) + +The playbook can install and configure the [rageshake](https://github.com/matrix-org/rageshake) bug report server for you. + +This is useful if you're developing your own applications and would like to collect bug reports for them. + + +## Decide on a domain and path + +By default, Rageshake is configured to use its own dedicated domain (`rageshake.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records). + +You can override the domain and path like this: + +```yaml +# Switch to the domain used for Matrix services (`matrix.DOMAIN`), +# so we won't need to an additional DNS records for Rageshake. +matrix_rageshake_hostname: "{{ matrix_server_fqn_matrix }}" + +# Expose under the /rageshake subpath +matrix_rageshake_path_prefix: /rageshake +``` + +**NOTE**: When using `matrix-nginx-proxy` instead of Traefik, you won't be able to override the path prefix. You can only override the domain, but that needs to happen using another variable: `matrix_server_fqn_rageshake` (e.g. `matrix_server_fqn_rageshake: "some-domain.{{ matrix_domain }}"`). + + +## Adjusting DNS records + +Once you've decided on the domain and path, **you may need to adjust your DNS** records to point the Rageshake domain to the Matrix server. + +If you've decided to reuse the `matrix.` domain, you won't need to do any extra DNS configuration. + + +## Enabling the Rageshake service + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs): + +```yaml +matrix_rageshake_enabled: true +``` + +Rageshake has various options which don't have dedicated Ansible variables. You can see the full list of options in the [`rageshake.sample.yaml` file](https://github.com/matrix-org/rageshake/blob/master/rageshake.sample.yaml). 
+ +To set these, you can make use of the `matrix_rageshake_configuration_extension_yaml` variable like this: + +```yaml +matrix_rageshake_configuration_extension_yaml: | + github_token: secrettoken + + github_project_mappings: + my-app: octocat/HelloWorld +``` + + +## Installing + +After configuring the playbook, run the [installation](installing.md) command again: + +``` +ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start +``` + + +## Usage + +Refer to the [rageshake documentation](https://github.com/matrix-org/rageshake) for available APIs, etc. diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 1f3cb7a4b..c94977a25 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -198,3 +198,5 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up the ntfy push notifications server](configuring-playbook-ntfy.md) (optional) - [Setting up a Cactus Comments server](configuring-playbook-cactus-comments.md) - a federated comment system built on Matrix (optional) + +- [Setting up the Rageshake bug report server](configuring-playbook-rageshake.md) (optional) From a45c70fd66aa8ea08d5fe416c6b06d192ef75211 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Feb 2023 14:04:20 +0200 Subject: [PATCH 491/915] Announce Rageshake support --- CHANGELOG.md | 9 +++++++++ README.md | 5 +++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5dd5e9f62..a49de417c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2023-02-25 + +## Rageshake support + +Thanks to [Benjamin Kampmann](https://github.com/gnunicorn), the playbook can now install and configure the [Rageshake](https://github.com/matrix-org/rageshake) bug report server. + +Additional details are available in [Setting up Rageshake](docs/configuring-playbook-rageshake.md). + + # 2023-02-17 ## Synapse templates customization support 
diff --git a/README.md b/README.md index 174ea4c37..d284909f9 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,7 @@ You can always re-run the playbook later to add or remove components. The homeserver is the backbone of your matrix system. Choose one from the following list. | Name | Default? | Description | Documentation | -| ---- | -------- | ----------- | ------------- | +| ---- | -------- | ----------- | ------------- | | [Synapse](https://github.com/matrix-org/synapse) | ✓ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network | [Link](docs/configuring-playbook-synapse.md) | | [Conduit](https://conduit.rs) | x | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Conduit is a lightweight open-source server implementation of the Matrix Specification with a focus on easy setup and low system requirements | [Link](docs/configuring-playbook-conduit.md) | | [Dendrite](https://github.com/matrix-org/dendrite) | x | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Dendrite is a second-generation Matrix homeserver written in Go, an alternative to Synapse. | [Link](docs/configuring-playbook-dendrite.md) | 
@@ -66,7 +66,7 @@ Services that run on the server to make the various parts of your installation w Extend and modify how users are authenticated on your homeserver. | Name | Default? | Description | Documentation | -| ---- | -------- | ----------- | ------------- | +| ---- | -------- | ----------- | ------------- | | [matrix-synapse-rest-auth](https://github.com/ma1uta/matrix-synapse-rest-password-provider) (advanced) | x | REST authentication password provider module | [Link](docs/configuring-playbook-rest-auth.md) | |[matrix-synapse-shared-secret-auth](https://github.com/devture/matrix-synapse-shared-secret-auth) (advanced) | x | Password provider module | [Link](docs/configuring-playbook-shared-secret-auth.md) | | [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) (advanced) | x | LDAP Auth password provider module | [Link](configuring-playbook-ldap-auth.md) | @@ -144,6 +144,7 @@ Services that help you in administrating and monitoring your matrix installation | [synapse-admin](https://github.com/Awesome-Technologies/synapse-admin) | x | A web UI tool for administrating users and rooms on your Matrix server | [Link](docs/configuring-playbook-synapse-admin.md) | | Metrics and Graphs | x | Consists of the [Prometheus](https://prometheus.io) time-series database server, the Prometheus [node-exporter](https://prometheus.io/docs/guides/node-exporter/) host metrics exporter, and the [Grafana](https://grafana.com/) web UI | [Link](docs/configuring-playbook-prometheus-grafana.md) | | [Borg](https://borgbackup.org) | x | Backups | [Link](docs/configuring-playbook-backup-borg.md) | +| [Rageshake](https://github.com/matrix-org/rageshake) | x | Bug report server | [Link](docs/configuring-playbook-rageshake.md) | ### Misc From 6c2d397853b50751ee268341497427f59c93c765 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sat, 25 Feb 2023 14:58:41 +0200 Subject: [PATCH 492/915] Fix inaccurate Buscarron project description comment --- roles/custom/matrix-bot-buscarron/defaults/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-buscarron/defaults/main.yml b/roles/custom/matrix-bot-buscarron/defaults/main.yml index f887e262d..c2d8d2de0 100644 --- a/roles/custom/matrix-bot-buscarron/defaults/main.yml +++ b/roles/custom/matrix-bot-buscarron/defaults/main.yml @@ -1,5 +1,6 @@ --- -# buscarron is a helpdesk bot + +# buscarron is a Web forms (HTTP POST) to Matrix service. # Project source code URL: https://gitlab.com/etke.cc/buscarron matrix_bot_buscarron_enabled: true From 0220c851e8781e4468b1ff1b68e205c1e1c05212 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Feb 2023 15:02:30 +0200 Subject: [PATCH 493/915] Add multiple container networks support to Buscarron --- group_vars/matrix_servers | 2 ++ roles/custom/matrix-bot-buscarron/defaults/main.yml | 8 ++++++++ .../matrix-bot-buscarron/tasks/setup_install.yml | 5 +++++ .../systemd/matrix-bot-buscarron.service.j2 | 13 +++++++++++-- 4 files changed, 26 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index dc24392e3..ee00dc589 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1685,6 +1685,8 @@ matrix_bot_buscarron_database_engine: "{{ 'postgres' if devture_postgres_enabled matrix_bot_buscarron_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_bot_buscarron_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'buscarron.bot.db', rounds=655555) | to_uuid }}" +matrix_bot_container_network: "{{ matrix_docker_network }}" + ###################################################################### # # /matrix-bot-buscarron 
diff --git a/roles/custom/matrix-bot-buscarron/defaults/main.yml b/roles/custom/matrix-bot-buscarron/defaults/main.yml index c2d8d2de0..6ed6e9620 100644 --- a/roles/custom/matrix-bot-buscarron/defaults/main.yml +++ b/roles/custom/matrix-bot-buscarron/defaults/main.yml @@ -20,6 +20,14 @@ matrix_bot_buscarron_config_path: "{{ matrix_bot_buscarron_base_path }}/config" matrix_bot_buscarron_data_path: "{{ matrix_bot_buscarron_base_path }}/data" matrix_bot_buscarron_data_store_path: "{{ matrix_bot_buscarron_data_path }}/store" +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_bot_container_network: matrix-bot-buscarron + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_bot_container_additional_networks: [] + # A list of extra arguments to pass to the container matrix_bot_buscarron_container_extra_arguments: [] diff --git a/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml b/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml index 6ae0f9b92..94fe93f65 100644 --- a/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml @@ -89,6 +89,11 @@ dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-buscarron.service" mode: 0644 +- name: Ensure buscarron container network is created + community.general.docker_network: + name: "{{ matrix_bot_buscarron_container_network }}" + driver: bridge + - name: Ensure matrix-bot-buscarron.service restarted, if necessary ansible.builtin.service: name: "matrix-bot-buscarron.service" 
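Review bot: The new "Ensure buscarron container network is created" task uses `community.general.docker_network`, while the rest of this file uses the `community.docker` collection (the pull task below is `community.docker.docker_image`); `community.general.docker_network` is only a compatibility redirect, so `community.docker.docker_network` is the consistent choice. The task also creates `{{ matrix_bot_buscarron_container_network }}`, but this commit's defaults define the variable as `matrix_bot_container_network` (without the `buscarron` role prefix), so as committed the name resolves only if something outside the role provides it; renaming the default to `matrix_bot_buscarron_container_network: matrix-bot-buscarron` keeps the role self-contained.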
diff --git a/roles/custom/matrix-bot-buscarron/templates/systemd/matrix-bot-buscarron.service.j2 b/roles/custom/matrix-bot-buscarron/templates/systemd/matrix-bot-buscarron.service.j2 index 60909dc91..b3ed673d6 100644 --- a/roles/custom/matrix-bot-buscarron/templates/systemd/matrix-bot-buscarron.service.j2 +++ b/roles/custom/matrix-bot-buscarron/templates/systemd/matrix-bot-buscarron.service.j2 @@ -16,12 +16,14 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-buscarron 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-buscarron 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-bot-buscarron \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-bot-buscarron \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_bot_buscarron_container_network }} \ --env-file={{ matrix_bot_buscarron_config_path }}/env \ --mount type=bind,src={{ matrix_bot_buscarron_data_path }},dst=/data \ {% for arg in matrix_bot_buscarron_container_extra_arguments %} 
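Review bot: `--network={{ matrix_bot_buscarron_container_network }}` references a variable this commit never defines: the defaults and the `group_vars/matrix_servers` line both introduce `matrix_bot_container_network` instead, so rendering the unit would presumably fail with an undefined-variable error unless an inventory sets the prefixed name. The second hunk of this file has the same mismatch between its `{% for network in matrix_bot_buscarron_container_additional_networks %}` loop and the `matrix_bot_container_additional_networks: []` default. The fix belongs in the defaults: `matrix_bot_buscarron_container_network: matrix-bot-buscarron` and `matrix_bot_buscarron_container_additional_networks: []`, matching the `matrix_bot_buscarron_` prefix every other variable in the role uses.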
@@ -29,8 +31,15 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {% endfor %} {{ matrix_bot_buscarron_docker_image }} +{% for network in matrix_bot_buscarron_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-bot-buscarron +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-bot-buscarron + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-buscarron 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-buscarron 2>/dev/null || true' + Restart=always RestartSec=30 SyslogIdentifier=matrix-bot-buscarron From 63408096cfb6ae0fd0aefc5fcd25aace68ea995e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Feb 2023 15:06:29 +0200 Subject: [PATCH 494/915] Fix up Buscarron description on its documentation page --- docs/configuring-playbook-bot-buscarron.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/configuring-playbook-bot-buscarron.md b/docs/configuring-playbook-bot-buscarron.md index 0b80ba403..bfee92ee5 100644 --- a/docs/configuring-playbook-bot-buscarron.md +++ b/docs/configuring-playbook-bot-buscarron.md @@ -2,8 +2,7 @@ The playbook can install and configure [buscarron](https://gitlab.com/etke.cc/buscarron) for you. -It's a bot you can use to setup **your own helpdesk on matrix** -It's a bot you can use to send any form (HTTP POST, HTML) to a (encrypted) matrix room +Buscarron is bot that receives HTTP POST submissions of web forms and forwards them to a Matrix room. ## Adjusting the playbook configuration From d7578880b6124bdbe961011ccff95f6587b317f1 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sat, 25 Feb 2023 15:07:47 +0200 Subject: [PATCH 495/915] Fix typo on Rageshake documentation page --- docs/configuring-playbook-rageshake.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-rageshake.md b/docs/configuring-playbook-rageshake.md index 274d0c8b3..fe45db260 100644 --- a/docs/configuring-playbook-rageshake.md +++ b/docs/configuring-playbook-rageshake.md @@ -13,7 +13,7 @@ You can override the domain and path like this: ```yaml # Switch to the domain used for Matrix services (`matrix.DOMAIN`), -# so we won't need to an additional DNS records for Rageshake. +# so we won't need to add additional DNS records for Rageshake. matrix_rageshake_hostname: "{{ matrix_server_fqn_matrix }}" # Expose under the /rageshake subpath From bc5dda2b3aba7842ae63127ef9cc6e8f5816d52f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Feb 2023 15:10:40 +0200 Subject: [PATCH 496/915] Reorder some Buscarron default variables and fix some typos Fixes a regression introduced in 0220c851e8781e4468b1 --- group_vars/matrix_servers | 2 +- .../matrix-bot-buscarron/defaults/main.yml | 17 +++++++++-------- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index ee00dc589..6af65b3a1 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1685,7 +1685,7 @@ matrix_bot_buscarron_database_engine: "{{ 'postgres' if devture_postgres_enabled matrix_bot_buscarron_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_bot_buscarron_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'buscarron.bot.db', rounds=655555) | to_uuid }}" -matrix_bot_container_network: "{{ matrix_docker_network }}" +matrix_bot_buscarron_container_network: "{{ matrix_docker_network }}" ###################################################################### # 
diff --git a/roles/custom/matrix-bot-buscarron/defaults/main.yml b/roles/custom/matrix-bot-buscarron/defaults/main.yml index 6ed6e9620..195359dd0 100644 --- a/roles/custom/matrix-bot-buscarron/defaults/main.yml +++ b/roles/custom/matrix-bot-buscarron/defaults/main.yml 
@@ -5,28 +5,29 @@ matrix_bot_buscarron_enabled: true +matrix_bot_buscarron_version: v1.3.1 + +matrix_bot_buscarron_base_path: "{{ matrix_base_data_path }}/buscarron" +matrix_bot_buscarron_config_path: "{{ matrix_bot_buscarron_base_path }}/config" +matrix_bot_buscarron_data_path: "{{ matrix_bot_buscarron_base_path }}/data" +matrix_bot_buscarron_data_store_path: "{{ matrix_bot_buscarron_data_path }}/store" + matrix_bot_buscarron_container_image_self_build: false matrix_bot_buscarron_docker_repo: "https://gitlab.com/etke.cc/buscarron.git" matrix_bot_buscarron_docker_repo_version: "{{ matrix_bot_buscarron_version }}" matrix_bot_buscarron_docker_src_files_path: "{{ matrix_base_data_path }}/buscarron/docker-src" -matrix_bot_buscarron_version: v1.3.1 matrix_bot_buscarron_docker_image: "{{ matrix_bot_buscarron_docker_image_name_prefix }}etke.cc/buscarron:{{ matrix_bot_buscarron_version }}" matrix_bot_buscarron_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_buscarron_container_image_self_build else 'registry.gitlab.com/' }}" matrix_bot_buscarron_docker_image_force_pull: "{{ matrix_bot_buscarron_docker_image.endswith(':latest') }}" -matrix_bot_buscarron_base_path: "{{ matrix_base_data_path }}/buscarron" -matrix_bot_buscarron_config_path: "{{ matrix_bot_buscarron_base_path }}/config" -matrix_bot_buscarron_data_path: "{{ matrix_bot_buscarron_base_path }}/data" -matrix_bot_buscarron_data_store_path: "{{ matrix_bot_buscarron_data_path }}/store" - # The base container network. It will be auto-created by this role if it doesn't exist already. -matrix_bot_container_network: matrix-bot-buscarron +matrix_bot_buscarron_container_network: matrix-bot-buscarron # A list of additional container networks that the container would be connected to. # The role does not create these networks, so make sure they already exist. # Use this to expose this container to another reverse proxy, which runs in a different container network. 
-matrix_bot_container_additional_networks: [] +matrix_bot_buscarron_container_additional_networks: [] # A list of extra arguments to pass to the container matrix_bot_buscarron_container_extra_arguments: [] From 3852a740bc5e0dba7ff662df3ce3a0f857f0216c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Feb 2023 15:50:35 +0200 Subject: [PATCH 497/915] Mention that Buscarron is aggressive when it comes to banning --- docs/configuring-playbook-bot-buscarron.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/configuring-playbook-bot-buscarron.md b/docs/configuring-playbook-bot-buscarron.md index bfee92ee5..58b27db7b 100644 --- a/docs/configuring-playbook-bot-buscarron.md +++ b/docs/configuring-playbook-bot-buscarron.md @@ -66,4 +66,12 @@ To use the bot, invite the `@bot.buscarron:DOMAIN` to the room you specified in ``` +**NOTE**: to fight against spam, Buscarron is **very aggressive when it comes to banning** and will ban you if: + +- if you hit the homepage (HTTP `GET` request to `/`) +- if you submit a form to the wrong URL (`POST` request to `/non-existing-form`) +- if `hasemail` is enabled for the form (like in the example above) and you don't submit an `email` field + +If you get banned, you'd need to restart the process by running the playbook with `--tags=start` or running `systemctl restart matrix-bot-buscarron` on the server. + You can also refer to the upstream [documentation](https://gitlab.com/etke.cc/buscarron). From 725b2beed7346328ca939fb3daa0a1ecfd71091d Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sat, 25 Feb 2023 15:50:48 +0200 Subject: [PATCH 498/915] Add native Traefik support to Buscarron --- docs/configuring-playbook-bot-buscarron.md | 35 ++++++++++----- group_vars/matrix_servers | 23 ++++++++-- .../matrix-bot-buscarron/defaults/main.yml | 37 +++++++++++++++ .../tasks/setup_install.yml | 9 ++-- .../tasks/validate_config.yml | 1 + .../matrix-bot-buscarron/templates/labels.j2 | 45 +++++++++++++++++++ .../systemd/matrix-bot-buscarron.service.j2 | 1 + .../matrix-nginx-proxy/defaults/main.yml | 5 --- .../matrix-nginx-proxy/templates/labels.j2 | 11 ----- 9 files changed, 135 insertions(+), 32 deletions(-) create mode 100644 roles/custom/matrix-bot-buscarron/templates/labels.j2 diff --git a/docs/configuring-playbook-bot-buscarron.md b/docs/configuring-playbook-bot-buscarron.md index 58b27db7b..dd5778545 100644 --- a/docs/configuring-playbook-bot-buscarron.md +++ b/docs/configuring-playbook-bot-buscarron.md 
@@ -5,6 +5,31 @@ The playbook can install and configure [buscarron](https://gitlab.com/etke.cc/bu Buscarron is bot that receives HTTP POST submissions of web forms and forwards them to a Matrix room. +## Decide on a domain and path + +By default, Rageshake is configured to use its own dedicated domain (`buscarron.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records). + +You can override the domain and path like this: + +```yaml +# Switch to the domain used for Matrix services (`matrix.DOMAIN`), +# so we won't need to add additional DNS records for Rageshake. +matrix_bot_buscarron_hostname: "{{ matrix_server_fqn_matrix }}" + +# Expose under the /buscarron subpath +matrix_bot_buscarron_path_prefix: /buscarron +``` + +**NOTE**: When using `matrix-nginx-proxy` instead of Traefik, you won't be able to override the path prefix. You can only override the domain, but that needs to happen using another variable: `matrix_server_fqn_buscarron` (e.g. `matrix_server_fqn_buscarron: "form.{{ matrix_domain }}"`). + + +## Adjusting DNS records + +Once you've decided on the domain and path, **you may need to adjust your DNS** records to point the Buscarron domain to the Matrix server. + +If you've decided to reuse the `matrix.` domain, you won't need to do any extra DNS configuration. + + ## Adjusting the playbook configuration Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: 
@@ -30,16 +55,6 @@ matrix_bot_buscarron_forms: matrix_bot_buscarron_spamlist: [] # (optional) list of emails/domains/hosts (with wildcards support) that should be rejected automatically ``` -You will also need to add a DNS record so that buscarron can be accessed. -By default buscarron will use https://buscarron.DOMAIN so you will need to create an CNAME record for `buscarron`. -See [Configuring DNS](configuring-dns.md). - -If you would like to use a different domain, add the following to your configuration file (changing it to use your preferred domain): - -```yaml -matrix_server_fqn_buscarron: "form.{{ matrix_domain }}" -``` - ## Installing diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 6af65b3a1..afc1511c6 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -1685,7 +1685,25 @@ matrix_bot_buscarron_database_engine: "{{ 'postgres' if devture_postgres_enabled matrix_bot_buscarron_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_bot_buscarron_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'buscarron.bot.db', rounds=655555) | to_uuid }}" -matrix_bot_buscarron_container_network: "{{ matrix_docker_network }}" +matrix_bot_buscarron_hostname: "{{ matrix_server_fqn_buscarron }}" + +matrix_bot_buscarron_container_network: "{{ matrix_docker_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-bot-buscarron' }}" + +# For now, we attach this to the matrix-nginx-proxy network (unless that's the same network as the main one for us), +# because that's where the homeserver is expected to be accessed from. +# In the future, this will need to be redone. +matrix_bot_buscarron_container_additional_networks: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + + + ([matrix_nginx_proxy_container_network] if matrix_nginx_proxy_enabled and matrix_bot_buscarron_container_network != matrix_nginx_proxy_container_network else []) + ) | unique + }} + +matrix_bot_buscarron_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" +matrix_bot_buscarron_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_bot_buscarron_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" ###################################################################### # 
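Review bot: The comment above `matrix_bot_buscarron_container_additional_networks` says the container joins the matrix-nginx-proxy network "because that's where the homeserver is expected to be accessed from", which reads as copied from a role that talks to the homeserver; here Buscarron is the service being proxied, and the network is joined so the reverse proxy can reach Buscarron's HTTP port. Suggest `# because that's where the reverse proxy runs, and it needs to reach Buscarron over HTTP.` so a reader does not look for a homeserver dependency that the role does not have.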
@@ -2415,7 +2433,7 @@ matrix_nginx_proxy_proxy_matrix_enabled: true matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" -matrix_nginx_proxy_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled }}" +matrix_nginx_proxy_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" matrix_nginx_proxy_proxy_rageshake_enabled: "{{ matrix_rageshake_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}" @@ -2433,7 +2451,6 @@ matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_playbook_ matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true -matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}" matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" 
diff --git a/roles/custom/matrix-bot-buscarron/defaults/main.yml b/roles/custom/matrix-bot-buscarron/defaults/main.yml index 195359dd0..0596c440f 100644 --- a/roles/custom/matrix-bot-buscarron/defaults/main.yml +++ b/roles/custom/matrix-bot-buscarron/defaults/main.yml @@ -7,6 +7,13 @@ matrix_bot_buscarron_enabled: true matrix_bot_buscarron_version: v1.3.1 +# The hostname at which Buscarron is served. +matrix_bot_buscarron_hostname: '' + +# The path at which Buscarron is exposed. +# This value must either be `/` or not end with a slash (e.g. `/buscarron`). +matrix_bot_buscarron_path_prefix: / + matrix_bot_buscarron_base_path: "{{ matrix_base_data_path }}/buscarron" matrix_bot_buscarron_config_path: "{{ matrix_bot_buscarron_base_path }}/config" matrix_bot_buscarron_data_path: "{{ matrix_bot_buscarron_base_path }}/data" 
@@ -29,6 +36,36 @@ matrix_bot_buscarron_container_network: matrix-bot-buscarron # Use this to expose this container to another reverse proxy, which runs in a different container network. matrix_bot_buscarron_container_additional_networks: [] +# matrix_bot_buscarron_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_bot_buscarron_container_labels_additional_labels`. +matrix_bot_buscarron_container_labels_traefik_enabled: true +matrix_bot_buscarron_container_labels_traefik_docker_network: "{{ matrix_bot_buscarron_container_network }}" +matrix_bot_buscarron_container_labels_traefik_hostname: "{{ matrix_bot_buscarron_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/buscarron`). +matrix_bot_buscarron_container_labels_traefik_path_prefix: "{{ matrix_bot_buscarron_path_prefix }}" +matrix_bot_buscarron_container_labels_traefik_rule: "Host(`{{ matrix_bot_buscarron_container_labels_traefik_hostname }}`){% if matrix_bot_buscarron_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_bot_buscarron_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_bot_buscarron_container_labels_traefik_priority: 0 +matrix_bot_buscarron_container_labels_traefik_entrypoints: web-secure +matrix_bot_buscarron_container_labels_traefik_tls: "{{ matrix_bot_buscarron_container_labels_traefik_entrypoints != 'web' }}" +matrix_bot_buscarron_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. 
+# To add your own headers, use `matrix_bot_buscarron_container_labels_traefik_additional_response_headers_custom` +matrix_bot_buscarron_container_labels_traefik_additional_response_headers: "{{ matrix_bot_buscarron_container_labels_traefik_additional_response_headers_auto | combine(matrix_bot_buscarron_container_labels_traefik_additional_response_headers_custom) }}" +matrix_bot_buscarron_container_labels_traefik_additional_response_headers_auto: {} +matrix_bot_buscarron_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_bot_buscarron_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_bot_buscarron_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_bot_buscarron_container_labels_additional_labels: '' + # A list of extra arguments to pass to the container matrix_bot_buscarron_container_extra_arguments: [] diff --git a/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml b/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml index 94fe93f65..1c2c62e14 100644 --- a/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml @@ -40,13 +40,16 @@ - {path: "{{ matrix_bot_buscarron_docker_src_files_path }}", when: true} when: "item.when | bool" -- name: Ensure buscarron environment variables file created +- name: Ensure buscarron support files installed ansible.builtin.template: - src: "{{ role_path }}/templates/env.j2" - dest: "{{ matrix_bot_buscarron_config_path }}/env" + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_bot_buscarron_config_path }}/{{ item }}" owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" mode: 0640 + with_items: + - env + - labels - name: Ensure buscarron image is pulled community.docker.docker_image: 
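Review bot: Style: the "Ensure buscarron support files installed" task uses the legacy `with_items:` form for the `env`/`labels` pair; `loop: [env, labels]` is the current keyword and reads the same. Rendering both files with `mode: 0640` under the matrix user is the right default, because `env` presumably carries the bot credentials (`matrix_bot_buscarron_password` is required by validate_config) and the labels file is harmless under the same mode; if `labels` is ever meant to be readable by another user, split it into its own task rather than loosening the shared mode.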
diff --git a/roles/custom/matrix-bot-buscarron/tasks/validate_config.yml b/roles/custom/matrix-bot-buscarron/tasks/validate_config.yml index 3547fc037..51102b73e 100644 --- a/roles/custom/matrix-bot-buscarron/tasks/validate_config.yml +++ b/roles/custom/matrix-bot-buscarron/tasks/validate_config.yml @@ -7,4 +7,5 @@ when: "item.when | bool and vars[item.name] == ''" with_items: - {'name': 'matrix_bot_buscarron_password', when: true} + - {'name': 'matrix_bot_buscarron_hostname', when: true} - {'name': 'matrix_bot_buscarron_database_hostname', when: "{{ matrix_bot_buscarron_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bot-buscarron/templates/labels.j2 b/roles/custom/matrix-bot-buscarron/templates/labels.j2 new file mode 100644 index 000000000..5a53805a5 --- /dev/null +++ b/roles/custom/matrix-bot-buscarron/templates/labels.j2 
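Review bot: The new `matrix_bot_buscarron_hostname` entry only catches an empty hostname; nothing validates `matrix_bot_buscarron_path_prefix`, even though the defaults state it "must either be `/` or not end with a slash" and the labels template's slashless-redirect regex and `stripprefix` both depend on that shape. A trailing slash or a prefix without a leading `/` would produce a router that never matches or a redirect loop, so it is worth failing early with an explicit task after the empty-string loop.

```yaml
# … unchanged: empty-variable loop …
- name: Fail if matrix_bot_buscarron_path_prefix is invalid
  ansible.builtin.fail:
    msg: "matrix_bot_buscarron_path_prefix must be `/` or start with `/` and not end with a slash (e.g. `/buscarron`)"
  when: "matrix_bot_buscarron_path_prefix != '/' and (not matrix_bot_buscarron_path_prefix.startswith('/') or matrix_bot_buscarron_path_prefix.endswith('/'))"
```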
@@ -0,0 +1,45 @@ +{% if matrix_bot_buscarron_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_bot_buscarron_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_bot_buscarron_container_labels_traefik_docker_network }} +{% endif %} + +{% set middlewares = [] %} + +{% if matrix_bot_buscarron_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-bot-buscarron-slashless-redirect.redirectregex.regex=({{ matrix_bot_buscarron_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-bot-buscarron-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-bot-buscarron-slashless-redirect'] %} +{% endif %} + +{% if matrix_bot_buscarron_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-bot-buscarron-strip-prefix.stripprefix.prefixes={{ matrix_bot_buscarron_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-bot-buscarron-strip-prefix'] %} +{% endif %} + +{% if matrix_bot_buscarron_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_bot_buscarron_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-bot-buscarron-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-bot-buscarron-add-headers'] %} +{% endif %} + +traefik.http.routers.matrix-bot-buscarron.rule={{ matrix_bot_buscarron_container_labels_traefik_rule }} +{% if matrix_bot_buscarron_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-bot-buscarron.priority={{ matrix_bot_buscarron_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-bot-buscarron.service=matrix-bot-buscarron +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-bot-buscarron.middlewares={{ middlewares | join(',') }} +{% endif %} 
+traefik.http.routers.matrix-bot-buscarron.entrypoints={{ matrix_bot_buscarron_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-bot-buscarron.tls={{ matrix_bot_buscarron_container_labels_traefik_tls | to_json }} +{% if matrix_bot_buscarron_container_labels_traefik_tls %} +traefik.http.routers.matrix-bot-buscarron.tls.certResolver={{ matrix_bot_buscarron_container_labels_traefik_tls_certResolver }} +{% endif %} + +traefik.http.services.matrix-bot-buscarron.loadbalancer.server.port=8080 +{% endif %} + +{{ matrix_bot_buscarron_container_labels_additional_labels }} diff --git a/roles/custom/matrix-bot-buscarron/templates/systemd/matrix-bot-buscarron.service.j2 b/roles/custom/matrix-bot-buscarron/templates/systemd/matrix-bot-buscarron.service.j2 index b3ed673d6..49c699488 100644 --- a/roles/custom/matrix-bot-buscarron/templates/systemd/matrix-bot-buscarron.service.j2 +++ b/roles/custom/matrix-bot-buscarron/templates/systemd/matrix-bot-buscarron.service.j2 @@ -25,6 +25,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --read-only \ --network={{ matrix_bot_buscarron_container_network }} \ --env-file={{ matrix_bot_buscarron_config_path }}/env \ + --label-file={{ matrix_bot_buscarron_config_path }}/labels \ --mount type=bind,src={{ matrix_bot_buscarron_data_path }},dst=/data \ {% for arg in matrix_bot_buscarron_container_extra_arguments %} {{ arg }} \ diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index 061d8f936..158a1b2b2 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml 
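Review bot: The slashless-redirect middleware builds its regex from the path prefix with `| quote`, which is Ansible's shell-quoting filter and leaves regex metacharacters (`.`, `+`, `(`) untouched, so a prefix containing them would be matched as a pattern rather than literally; `regex_escape` is the filter meant for this: `traefik.http.middlewares.matrix-bot-buscarron-slashless-redirect.redirectregex.regex=({{ matrix_bot_buscarron_container_labels_traefik_path_prefix | regex_escape }})$`. For the plain `/buscarron` default both filters yield the same text, so this only matters for unusual prefixes, but the label file is what Traefik actually evaluates and the intent is clearly a literal match. The same construction appears in the new `roles/custom/matrix-sygnal/templates/labels.j2` further down this page.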
@@ -61,11 +61,6 @@ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule: "Host(`{{ matrix_ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint: "{{ matrix_federation_traefik_entrypoint }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints: "{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint }}" -matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled: false -matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_hostname: "{{ matrix_server_fqn_buscarron }}" -matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" -matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_hostname }}`)" - matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled: false matrix_nginx_proxy_container_labels_traefik_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}" matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2 index 1e60ba6d9..d177d2fb7 100644 --- a/roles/custom/matrix-nginx-proxy/templates/labels.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2 
@@ -38,17 +38,6 @@ traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.certResolver={{ ma traefik.http.routers.matrix-nginx-proxy-matrix-federation.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints }} {% endif %} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled %} -# Buscarron -traefik.http.routers.matrix-nginx-proxy-buscarron.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_rule }} -traefik.http.routers.matrix-nginx-proxy-buscarron.service=matrix-nginx-proxy-web -traefik.http.routers.matrix-nginx-proxy-buscarron.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_tls | to_json }} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_tls %} -traefik.http.routers.matrix-nginx-proxy-buscarron.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} -{% endif %} -traefik.http.routers.matrix-nginx-proxy-buscarron.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} -{% endif %} - {% if matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled %} # Dimension From ccb5b37842478b2cfc8038d4a01abcf24cec1222 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Feb 2023 15:59:28 +0200 Subject: [PATCH 499/915] Fix some typos on the Buscarron docs page --- docs/configuring-playbook-bot-buscarron.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-bot-buscarron.md b/docs/configuring-playbook-bot-buscarron.md index dd5778545..b21dceef0 100644 --- a/docs/configuring-playbook-bot-buscarron.md +++ b/docs/configuring-playbook-bot-buscarron.md 
@@ -7,13 +7,13 @@ Buscarron is bot that receives HTTP POST submissions of web forms and forwards t ## Decide on a domain and path -By default, Rageshake is configured to use its own dedicated domain (`buscarron.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records). +By default, Buscarron is configured to use its own dedicated domain (`buscarron.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records). You can override the domain and path like this: ```yaml # Switch to the domain used for Matrix services (`matrix.DOMAIN`), -# so we won't need to add additional DNS records for Rageshake. +# so we won't need to add additional DNS records for Buscarron. matrix_bot_buscarron_hostname: "{{ matrix_server_fqn_matrix }}" # Expose under the /buscarron subpath From 8df7ad47cd1c95a667e9f56e7739de51aca9cadb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Feb 2023 19:04:28 +0200 Subject: [PATCH 500/915] Fix rageshake project description in defaults/main.yml --- roles/custom/matrix-rageshake/defaults/main.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-rageshake/defaults/main.yml b/roles/custom/matrix-rageshake/defaults/main.yml index 456838ed9..2dca91b1a 100644 --- a/roles/custom/matrix-rageshake/defaults/main.yml +++ b/roles/custom/matrix-rageshake/defaults/main.yml @@ -1,6 +1,7 @@ --- -# rageshake is a issue submission service from matrix.org -# Project source code URL: https://github.com/matrix-org/rageshake/ + +# rageshake is a bug report collection service +# Project source code URL: https://github.com/matrix-org/rageshake matrix_rageshake_enabled: true From 348dd8e76bcd1da24934592ccac9d0f1c2fc2ea9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Feb 2023 19:36:57 +0200 Subject: [PATCH 501/915] Remove double space --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index afc1511c6..7f3783804 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1697,7 +1697,7 @@ matrix_bot_buscarron_container_additional_networks: | ( ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + - ([matrix_nginx_proxy_container_network] if matrix_nginx_proxy_enabled and matrix_bot_buscarron_container_network != matrix_nginx_proxy_container_network else []) + ([matrix_nginx_proxy_container_network] if matrix_nginx_proxy_enabled and matrix_bot_buscarron_container_network != matrix_nginx_proxy_container_network else []) ) | unique }} From 252e542bc552d9e4de48e61b0ef309e5eaaa0f18 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Sun, 26 Feb 2023 08:19:51 +0000 Subject: [PATCH 502/915] Update ntfy 2.0.1 -> 2.1.0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index cbdd37ca3..4ebe8a063 100644 --- a/requirements.yml +++ b/requirements.yml @@ -43,7 +43,7 @@ version: v9.3.6-2 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git - version: v2.0.1-0 + version: v2.1.0-0 - src: git+https://gitlab.com/etke.cc/roles/redis.git version: v7.0.7-0 From d20ff688dbc31d40f5a4616ee84bafce5a25d1da Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sun, 26 Feb 2023 11:03:42 +0200 Subject: [PATCH 503/915] Add native Traefik support to Sygnal --- docs/configuring-playbook-sygnal.md | 31 ++++++++-- group_vars/matrix_servers | 13 +++- .../matrix-nginx-proxy/defaults/main.yml | 5 -- .../matrix-nginx-proxy/templates/labels.j2 | 11 ---- roles/custom/matrix-sygnal/defaults/main.yml | 59 +++++++++++++++++-- .../tasks/{setup_install.yml => install.yml} | 35 +++++++---- roles/custom/matrix-sygnal/tasks/main.yml | 4 +- .../{setup_uninstall.yml => uninstall.yml} | 0 .../matrix-sygnal/tasks/validate_config.yml | 32 +++++++++- .../custom/matrix-sygnal/templates/labels.j2 | 45 ++++++++++++++ .../systemd/matrix-sygnal.service.j2 | 14 ++++- 11 files changed, 206 insertions(+), 43 deletions(-) rename roles/custom/matrix-sygnal/tasks/{setup_install.yml => install.yml} (78%) rename roles/custom/matrix-sygnal/tasks/{setup_uninstall.yml => uninstall.yml} (100%) create mode 100644 roles/custom/matrix-sygnal/templates/labels.j2 diff --git a/docs/configuring-playbook-sygnal.md b/docs/configuring-playbook-sygnal.md index 1a344530c..786498c64 100644 --- a/docs/configuring-playbook-sygnal.md +++ b/docs/configuring-playbook-sygnal.md 
@@ -11,6 +11,31 @@ See the project's [documentation](https://github.com/matrix-org/sygnal) to learn This optional playbook component is only useful to people who develop/build their own Matrix client applications themselves. +## Decide on a domain and path + +By default, Sygnal is configured to use its own dedicated domain (`sygnal.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records). + +You can override the domain and path like this: + +```yaml +# Switch to the domain used for Matrix services (`matrix.DOMAIN`), +# so we won't need to add additional DNS records for Sygnal. +matrix_sygnal_hostname: "{{ matrix_server_fqn_matrix }}" + +# Expose under the /sygnal subpath +matrix_sygnal_path_prefix: /sygnal +``` + +**NOTE**: When using `matrix-nginx-proxy` instead of Traefik, you won't be able to override the path prefix. You can only override the domain, but that needs to happen using another variable: `matrix_server_fqn_sygnal` (e.g. `matrix_server_fqn_sygnal: "push.{{ matrix_domain }}"`). + + +## Adjusting DNS records + +Once you've decided on the domain and path, **you may need to adjust your DNS** records to point the Sygnal domain to the Matrix server. + +If you've decided to reuse the `matrix.` domain, you won't need to do any extra DNS configuration. + + ## Adjusting the playbook configuration Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs): @@ -55,9 +80,7 @@ To do that, the above example configuration: ## Installing -Don't forget to add `sygnal.` to DNS as described in [Configuring DNS](configuring-dns.md) before running the playbook. - -After configuring the playbook, run the [installation](installing.md) command again: +After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the [installation](installing.md) command: ``` ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start 
@@ -66,6 +89,6 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start ## Usage -To make use of your Sygnal installation, you'd need to build your own Matrix client application, which uses the same API keys (for [GCM/FCM](https://firebase.google.com/docs/cloud-messaging/)) and certificates (for [APNS](https://developer.apple.com/notifications/)) and is also pointed to `https://sygnal.DOMAIN` as the configured push server. +To make use of your Sygnal installation, you'd need to build your own Matrix client application, which uses the same API keys (for [GCM/FCM](https://firebase.google.com/docs/cloud-messaging/)) and certificates (for [APNS](https://developer.apple.com/notifications/)) and is to your Sygnal URL endpoint (e.g. `https://sygnal.DOMAIN`). Refer to Sygnal's [Notes for application developers](https://github.com/matrix-org/sygnal/blob/master/docs/applications.md) document. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 7f3783804..359c6e3f2 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2443,7 +2443,7 @@ matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" matrix_nginx_proxy_proxy_jitsi_manage_wellknown: "{{ matrix_jitsi_require_well_known }}" matrix_nginx_proxy_proxy_grafana_enabled: "{{ grafana_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" -matrix_nginx_proxy_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled }}" +matrix_nginx_proxy_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_ntfy_enabled: "{{ ntfy_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" 
@@ -2455,7 +2455,6 @@ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled: "{{ matrix_ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}" matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" -matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled }}" matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}" matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" @@ -2931,8 +2930,18 @@ matrix_sygnal_enabled: false # If someone instals Prometheus via the playbook, they most likely wish to monitor Sygnal. matrix_sygnal_metrics_prometheus_enabled: "{{ matrix_prometheus_enabled }}" +matrix_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}" + +matrix_sygnal_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-sygnal' }}" + +matrix_sygnal_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" + matrix_sygnal_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '6000') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_sygnal_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" +matrix_sygnal_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_sygnal_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" + ###################################################################### # # /matrix-sygnal 
diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index 158a1b2b2..a098a098e 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml @@ -81,11 +81,6 @@ matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_hostname: "{{ matrix_ser matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_hostname }}`)" -matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_enabled: false -matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}" -matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" -matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_hostname }}`)" - # matrix_nginx_proxy_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. # See `../templates/labels.j2` for details. # diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2 index d177d2fb7..6afa6029c 100644 --- a/roles/custom/matrix-nginx-proxy/templates/labels.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2 
@@ -86,17 +86,6 @@ traefik.http.routers.matrix-nginx-proxy-jitsi.tls.certResolver={{ matrix_nginx_p traefik.http.routers.matrix-nginx-proxy-jitsi.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} {% endif %} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_enabled %} -# Sygnal -traefik.http.routers.matrix-nginx-proxy-sygnal.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_rule }} -traefik.http.routers.matrix-nginx-proxy-sygnal.service=matrix-nginx-proxy-web -traefik.http.routers.matrix-nginx-proxy-sygnal.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_tls | to_json }} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_tls %} -traefik.http.routers.matrix-nginx-proxy-sygnal.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} -{% endif %} -traefik.http.routers.matrix-nginx-proxy-sygnal.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} -{% endif %} - traefik.http.services.matrix-nginx-proxy-web.loadbalancer.server.port=8080 diff --git a/roles/custom/matrix-sygnal/defaults/main.yml b/roles/custom/matrix-sygnal/defaults/main.yml index 1268d6029..f3c1df4eb 100644 --- a/roles/custom/matrix-sygnal/defaults/main.yml +++ b/roles/custom/matrix-sygnal/defaults/main.yml 
@@ -1,28 +1,77 @@ --- + # Sygnal is a reference Push Gateway for Matrix. # To make use of it for delivering push notificatins, you'll need to develop/build your own Matrix app. # Project source code URL: https://github.com/matrix-org/sygnal -matrix_sygnal_enabled: false +matrix_sygnal_enabled: true + +# The hostname at which Sygnal is served. +matrix_sygnal_hostname: '' + +# The path at which Sygnal is exposed. +# This value must either be `/` or not end with a slash (e.g. `/sygnal`). +matrix_sygnal_path_prefix: / + +matrix_sygnal_version: v0.12.0 matrix_sygnal_base_path: "{{ matrix_base_data_path }}/sygnal" matrix_sygnal_config_path: "{{ matrix_sygnal_base_path }}/config" matrix_sygnal_data_path: "{{ matrix_sygnal_base_path }}/data" -matrix_sygnal_version: v0.12.0 -matrix_sygnal_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/sygnal:{{ matrix_sygnal_version }}" -matrix_sygnal_docker_image_force_pull: "{{ matrix_sygnal_docker_image.endswith(':latest') }}" - # List of systemd services that matrix-sygnal.service depends on. matrix_sygnal_systemd_required_services_list: ['docker.service'] # List of systemd services that matrix-sygnal.service wants matrix_sygnal_systemd_wanted_services_list: [] +matrix_sygnal_docker_image: "{{ matrix_sygnal_docker_image_registry_prefix }}matrixdotorg/sygnal:{{ matrix_sygnal_docker_image_tag }}" +matrix_sygnal_docker_image_tag: "{{ matrix_sygnal_version }}" +matrix_sygnal_docker_image_registry_prefix: "{{ matrix_container_global_registry_prefix }}" +matrix_sygnal_docker_image_force_pull: "{{ matrix_sygnal_docker_image.endswith(':latest') }}" + +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_sygnal_container_network: "{{ matrix_sygnal_identifier }}" + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. 
+# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_sygnal_container_additional_networks: [] + # Controls whether the matrix-sygnal container exposes its HTTP port (tcp/6000 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:6000"), or empty string to not expose. matrix_sygnal_container_http_host_bind_port: '' +# matrix_sygnal_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_sygnal_container_labels_additional_labels`. +matrix_sygnal_container_labels_traefik_enabled: true +matrix_sygnal_container_labels_traefik_docker_network: "{{ matrix_sygnal_container_network }}" +matrix_sygnal_container_labels_traefik_hostname: "{{ matrix_sygnal_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/sygnal`). +matrix_sygnal_container_labels_traefik_path_prefix: "{{ matrix_sygnal_path_prefix }}" +matrix_sygnal_container_labels_traefik_rule: "Host(`{{ matrix_sygnal_container_labels_traefik_hostname }}`){% if matrix_sygnal_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_sygnal_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_sygnal_container_labels_traefik_priority: 0 +matrix_sygnal_container_labels_traefik_entrypoints: web-secure +matrix_sygnal_container_labels_traefik_tls: "{{ matrix_sygnal_container_labels_traefik_entrypoints != 'web' }}" +matrix_sygnal_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. 
+# To add your own headers, use `matrix_sygnal_container_labels_traefik_additional_response_headers_custom` +matrix_sygnal_container_labels_traefik_additional_response_headers: "{{ matrix_sygnal_container_labels_traefik_additional_response_headers_auto | combine(matrix_sygnal_container_labels_traefik_additional_response_headers_custom) }}" +matrix_sygnal_container_labels_traefik_additional_response_headers_auto: {} +matrix_sygnal_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_sygnal_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_sygnal_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_sygnal_container_labels_additional_labels: '' + # A list of extra arguments to pass to the container matrix_sygnal_container_extra_arguments: [] diff --git a/roles/custom/matrix-sygnal/tasks/setup_install.yml b/roles/custom/matrix-sygnal/tasks/install.yml similarity index 78% rename from roles/custom/matrix-sygnal/tasks/setup_install.yml rename to roles/custom/matrix-sygnal/tasks/install.yml index 7c9caf38e..7ee75a94e 100644 --- a/roles/custom/matrix-sygnal/tasks/setup_install.yml +++ b/roles/custom/matrix-sygnal/tasks/install.yml 
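Review bot: The role default `matrix_sygnal_enabled` flips from `false` to `true` in this hunk, which the commit message ("Add native Traefik support to Sygnal") does not mention; anyone consuming the role outside this playbook now gets Sygnal enabled by default, while `group_vars/matrix_servers` on this page still sets `matrix_sygnal_enabled: false` for playbook users. If the flip is intentional (matching the other roles' convention of enabling in defaults and disabling in group_vars), a one-line comment above it would prevent the next reader from treating it as accidental, e.g. `# Enabled here by convention; the playbook's group_vars decides whether the role is actually activated.` Otherwise it should stay `false`.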
@@ -1,16 +1,5 @@ --- -- name: Ensure Sygnal image is pulled - community.docker.docker_image: - name: "{{ matrix_sygnal_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_sygnal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_sygnal_docker_image_force_pull }}" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - - name: Ensure Sygnal paths exists ansible.builtin.file: path: "{{ item }}" 
@@ -31,6 +20,30 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" +- name: Ensure Sygnal labels installed + ansible.builtin.template: + src: "{{ role_path }}/templates/labels.j2" + dest: "{{ matrix_sygnal_base_path }}/labels" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure Sygnal image is pulled + community.docker.docker_image: + name: "{{ matrix_sygnal_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_sygnal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_sygnal_docker_image_force_pull }}" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- name: Ensure Sygnal container network is created + community.general.docker_network: + name: "{{ matrix_sygnal_container_network }}" + driver: bridge + - name: Ensure matrix-sygnal.service installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-sygnal.service.j2" diff --git a/roles/custom/matrix-sygnal/tasks/main.yml b/roles/custom/matrix-sygnal/tasks/main.yml index ed8015262..ba4cb8768 100644 --- a/roles/custom/matrix-sygnal/tasks/main.yml +++ b/roles/custom/matrix-sygnal/tasks/main.yml @@ -5,7 +5,7 @@ ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_sygnal_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" tags: - setup-all - setup-sygnal 
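Review bot: The new network-creation task uses `community.general.docker_network` while the image-pull task right above it uses `community.docker.docker_image`; the Docker modules live in `community.docker`, so `community.general.docker_network:` should be `community.docker.docker_network:` to avoid relying on the redirect in `community.general`. Separately, the labels file is rendered to `{{ matrix_sygnal_base_path }}/labels` whereas the Buscarron role earlier on this page renders it into its config path; if there is no reason for the difference, `dest: "{{ matrix_sygnal_config_path }}/labels"` (with the matching `--label-file` in the unit) would keep the roles consistent. The 0640 mode on the labels file is appropriate given that custom response headers end up in it.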
@@ -14,7 +14,7 @@ - block: - when: not matrix_sygnal_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" tags: - setup-all - setup-sygnal diff --git a/roles/custom/matrix-sygnal/tasks/setup_uninstall.yml b/roles/custom/matrix-sygnal/tasks/uninstall.yml similarity index 100% rename from roles/custom/matrix-sygnal/tasks/setup_uninstall.yml rename to roles/custom/matrix-sygnal/tasks/uninstall.yml diff --git a/roles/custom/matrix-sygnal/tasks/validate_config.yml b/roles/custom/matrix-sygnal/tasks/validate_config.yml index 277bd1b2a..1cdf20381 100644 --- a/roles/custom/matrix-sygnal/tasks/validate_config.yml +++ b/roles/custom/matrix-sygnal/tasks/validate_config.yml 
@@ -1,7 +1,37 @@ --- +- name: Fail if required Sygnal settings not defined + ansible.builtin.fail: + msg: > + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - matrix_sygnal_hostname + - matrix_sygnal_path_prefix + - matrix_sygnal_container_network + +- when: matrix_sygnal_container_labels_traefik_enabled | bool + block: + - name: Fail if required Sygnal Traefik settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - matrix_sygnal_container_labels_traefik_hostname + - matrix_sygnal_container_labels_traefik_path_prefix + + # We ensure it doesn't end with a slash, because we handle both (slash and no-slash). + # Knowing that `matrix_sygnal_container_labels_traefik_path_prefix` does not end with a slash + # ensures we know how to set these routes up without having to do "does it end with a slash" checks elsewhere. + - name: Fail if matrix_sygnal_container_labels_traefik_path_prefix ends with a slash + ansible.builtin.fail: + msg: >- + matrix_sygnal_container_labels_traefik_path_prefix (`{{ matrix_sygnal_container_labels_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/sygnal`). + when: "matrix_sygnal_container_labels_traefik_path_prefix != '/' and matrix_sygnal_container_labels_traefik_path_prefix[-1] == '/'" + - name: Fail if no Sygnal apps defined ansible.builtin.fail: msg: >- Enabling Sygnal requires that you specify at least one app in `matrix_sygnal_apps` - when: "matrix_sygnal_enabled and matrix_sygnal_apps | length == 0" + when: "matrix_sygnal_apps | length == 0" diff --git a/roles/custom/matrix-sygnal/templates/labels.j2 b/roles/custom/matrix-sygnal/templates/labels.j2 new file mode 100644 index 000000000..964805894 --- /dev/null +++ b/roles/custom/matrix-sygnal/templates/labels.j2 
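Review bot: The first fail task uses `msg: >` (folded scalar keeping a trailing newline) while every other message in this file, including the two added in the same hunk, uses `msg: >-`; change it to `msg: >-` for consistency. The trailing-slash check only runs inside the Traefik-enabled block, so `matrix_sygnal_path_prefix` itself is validated for emptiness but not for form when Traefik labels are disabled; if that is deliberate (nginx mode does not support a prefix, per the docs hunk above), a short comment such as `# Prefix form is only enforced for Traefik, the only proxy that honours it.` would make that explicit.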
@@ -0,0 +1,45 @@ +{% if matrix_sygnal_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_sygnal_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_sygnal_container_labels_traefik_docker_network }} +{% endif %} + +{% set middlewares = [] %} + +{% if matrix_sygnal_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-sygnal-slashless-redirect.redirectregex.regex=({{ matrix_sygnal_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-sygnal-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-sygnal-slashless-redirect'] %} +{% endif %} + +{% if matrix_sygnal_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-sygnal-strip-prefix.stripprefix.prefixes={{ matrix_sygnal_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-sygnal-strip-prefix'] %} +{% endif %} + +{% if matrix_sygnal_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_sygnal_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-sygnal-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-sygnal-add-headers'] %} +{% endif %} + +traefik.http.routers.matrix-sygnal.rule={{ matrix_sygnal_container_labels_traefik_rule }} +{% if matrix_sygnal_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-sygnal.priority={{ matrix_sygnal_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-sygnal.service=matrix-sygnal +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-sygnal.middlewares={{ middlewares | join(',') }} +{% endif %} +traefik.http.routers.matrix-sygnal.entrypoints={{ matrix_sygnal_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-sygnal.tls={{ 
matrix_sygnal_container_labels_traefik_tls | to_json }} +{% if matrix_sygnal_container_labels_traefik_tls %} +traefik.http.routers.matrix-sygnal.tls.certResolver={{ matrix_sygnal_container_labels_traefik_tls_certResolver }} +{% endif %} + +traefik.http.services.matrix-sygnal.loadbalancer.server.port=6000 +{% endif %} + +{{ matrix_sygnal_container_labels_additional_labels }} diff --git a/roles/custom/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 b/roles/custom/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 index 646314dfb..49b513cda 100644 --- a/roles/custom/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 +++ b/roles/custom/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 @@ -16,15 +16,18 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-sygnal 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-sygnal 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-sygnal \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-sygnal \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --env=SYGNAL_CONF=/config/sygnal.yaml \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_sygnal_container_network }} \ {% if matrix_sygnal_container_http_host_bind_port %} -p {{ matrix_sygnal_container_http_host_bind_port }}:6000 \ {% endif %} + --label-file={{ matrix_sygnal_base_path }}/labels \ --mount type=bind,src={{ matrix_sygnal_config_path }},dst=/config \ --mount type=bind,src={{ matrix_sygnal_data_path }},dst=/data \ {% for arg in matrix_sygnal_container_extra_arguments %} 
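Review bot: The `| quote` filter on the `matrix-sygnal-slashless-redirect.redirectregex.regex` line is shell quoting, not regex escaping, so a prefix containing regex metacharacters (or one that `quote` wraps in single quotes) produces a regex that does not match the intended path. Ansible's `regex_escape` filter is the right tool here: `traefik.http.middlewares.matrix-sygnal-slashless-redirect.redirectregex.regex=({{ matrix_sygnal_container_labels_traefik_path_prefix | regex_escape }})$`. The `customresponseheaders.{{ name }}={{ value }}` line likewise emits the header name and value verbatim into the label file; since the file is presumably parsed one label per line, a value containing a newline would break it, which is worth a `{# ... #}` comment here or a validation task alongside the ones in validate_config.yml.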
@@ -32,8 +35,15 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {% endfor %} {{ matrix_sygnal_docker_image }} +{% for network in matrix_sygnal_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-sygnal +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-sygnal + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-sygnal 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-sygnal 2>/dev/null || true' + Restart=always RestartSec=30 SyslogIdentifier=matrix-sygnal From e625e9aa5bd6c8685b77ea6de36c300e4a45e44d Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Sun, 26 Feb 2023 10:41:40 +0000 Subject: [PATCH 504/915] fix postgres version detection in the borg role --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 4ebe8a063..56fa7701a 100644 --- a/requirements.yml +++ b/requirements.yml @@ -37,7 +37,7 @@ version: v0.11.1-2 - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git - version: v1.2.3-1.7.7-0 + version: v1.2.3-1.7.7-1 - src: git+https://gitlab.com/etke.cc/roles/grafana.git version: v9.3.6-2 From 67e97cd2dc46a73acc6c89c5c93c77e17aae932a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 26 Feb 2023 15:54:30 +0200 Subject: [PATCH 505/915] Redo etke.cc section in the README --- README.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index d284909f9..f57db148b 100644 --- a/README.md +++ b/README.md 
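Review bot: The `--label-file` line in this hunk only yields a reachable Traefik route if the container shares a Docker network with Traefik, and `--network=` now points at `matrix_sygnal_container_network` rather than the shared `matrix_docker_network`; the `network connect` loop over `matrix_sygnal_container_additional_networks` in the next hunk (`@@ -32,8 +35,15 @@`) appears to be the mechanism, but neither hunk says so. A template comment above that loop, e.g. `{# Attach extra networks (e.g. Traefik's) before start so the label-based router can reach port 6000 #}`, would make the dependency explicit. Note also that those `network connect` ExecStartPre lines carry no `-` prefix, so a network that is already attached or does not exist aborts the unit start rather than being skipped — acceptable if intentional, but worth stating in the same comment.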
@@ -13,6 +13,15 @@ We run all services in [Docker](https://www.docker.com/) containers (see [the co [Installation](docs/README.md) (upgrades) and some maintenance tasks are automated using [Ansible](https://www.ansible.com/) (see [our Ansible guide](docs/ansible.md)). +## Self-hosting or SaaS + +This Ansible playbook tries to make self-hosting and maintaining a Matrix server fairly easy. Still, running any service smoothly requires knowledge, time and effort. + +If you like the [FOSS](https://en.wikipedia.org/wiki/Free_and_open-source_software) spirit of this Ansible playbook, but prefer to put the responsibility on someone else, you can also [get a managed Matrix server from etke.cc](https://etke.cc/) - a service built on top of this Ansible playbook, which can help you run a Matrix server with ease. + +If you like learning and experimentation, but would rather reduce future maintenance effort, you can even go for a hybrid approach - self-hosting manually using this Ansible playbook at first and then transferring server maintenance to etke.cc at a later time. + + ## Supported services Using this playbook, you can get the following list of services configured on your server. Basically, this playbook aims to get you up-and-running with all the necessities around Matrix, without you having to do anything else. 
@@ -178,8 +187,3 @@ When updating the playbook, refer to [the changelog](CHANGELOG.md) to catch up w - IRC channel: `#matrix-docker-ansible-deploy` on the [Libera Chat](https://libera.chat/) IRC network (irc.libera.chat:6697) - GitHub issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues) - - -## Services by the community - -- [etke.cc](https://etke.cc) - matrix-docker-ansible-deploy and system stuff "as a service". That service will create your matrix homeserver on your domain and server (doesn't matter if it's cloud provider or on an old laptop in the corner of your room), (optional) maintains it (server's system updates, cleanup, security adjustments, tuning, etc.; matrix homeserver updates & maintenance) and (optional) provide full-featured email service for your domain From 71ae825f6aa70a61fb457a213f3bc69787c1d221 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 26 Feb 2023 16:14:05 +0200 Subject: [PATCH 506/915] Switch default reverse-proxy to Traefik, force reverse-proxy choice on existing users --- CHANGELOG.md | 62 +++++++++++ README.md | 5 +- docs/configuring-playbook-nginx.md | 3 +- docs/configuring-playbook-own-webserver.md | 54 ++++----- docs/configuring-playbook-ssl-certificates.md | 104 +++--------------- docs/configuring-playbook-traefik.md | 48 ++++++++ docs/configuring-playbook.md | 6 +- examples/vars.yml | 7 +- roles/custom/matrix-base/defaults/main.yml | 2 +- .../matrix-base/tasks/validate_config.yml | 8 ++ 10 files changed, 175 insertions(+), 124 deletions(-) create mode 100644 docs/configuring-playbook-traefik.md diff --git a/CHANGELOG.md b/CHANGELOG.md index a49de417c..5cf821f38 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,65 @@ +# 2023-02-26 + +## Traefik is the default reverse-proxy now + +**TLDR**: new installations will now default to Traefik as their reverse-proxy. Existing users need to explicitly choose their reverse-proxy type. [Switching to Traefik](#how-do-i-switch-my-existing-setup-to-traefik) is strongly encouraged. `matrix-nginx-proxy` may break over time and will ultimately be removed. + +As mentioned 2 weeks ago in [(Backward Compatibility) Reverse-proxy configuration changes and initial Traefik support](#backward-compatibility-reverse-proxy-configuration-changes-and-initial-traefik-support), the playbook is moving to Traefik as its default SSL-terminating reverse-proxy. + +Until now, we've been doing the migration gradually and keeping full backward compatibility. New installations were defaulting to `matrix-nginx-proxy` (just like before), while existing installations were allowed to remain on `matrix-nginx-proxy` as well. This makes things very difficult for us, because we need to maintain and think about lots of different setups: + +- Traefik managed by the playbook +- Traefik managed by the user in another way +- another reverse-proxy on the same host (`127.0.0.1` port exposure) +- another reverse-proxy on another host (`0.0.0.0` port exposure) +- `matrix-nginx-proxy` - an `nginx` container managed by the playbook +- `nginx` webserver operated by the user, running without a container on the same server + +Each change we do and each new feature that comes in needs to support all these different ways of reverse-proxying. Because `matrix-nginx-proxy` was the default and pretty much everyone was (and still is) using it, means that new PRs also come with `matrix-nginx-proxy` as their main focus and Traefik as an afterthought, which means we need to spend hours fixing up Traefik support. + +We can't spend all this time maintaining so many different configurations anymore. 
Traefik support has been an option for 2 weeks and lots of people have already migrated their server and have tested things out. Traefik is what we use and preferentially test for. + +It's time for the **next step in our migration process** to Traefik and elimination of `matrix-nginx-proxy`: + +- Traefik is now the default reverse-proxy for new installations +- All existing users need to explicitly choose their reverse-proxy type by defining the `matrix_playbook_reverse_proxy_type` variable in their `vars.yml` configuration file. We strongly encourage existing users to [switch the Traefik](#how-to-switch-an-existing-setup-to-traefik), as the nginx setup is bound to become more and more broken over time until it's ultimately removed + +### How do I switch my existing setup to Traefik? + +**For users who are on `matrix-nginx-proxy`** (the default reverse-proxy provided by the playbook), switching to Traefik can happen with a simple configuration change. Follow this section from 2 weeks ago: [How do I explicitly switch to Traefik right now?](#how-do-i-explicitly-switch-to-traefik-right-now). + +If you experience trouble: + +1. Follow [How do I remain on matrix-nginx-proxy?](#how-do-i-remain-on-matrix-nginx-proxy) to bring your server back online using the old reverse-proxy +2. Ask for help in our [support channels](README.md#support) +3. Try switching to Traefik again later + +**For users with a more special reverse-proxying setup** (another nginx server, Apache, Caddy, etc.), the migration may not be so smooth. Follow the [Using your own webserver](docs/configuring-playbook-own-webserver.md) guide. Ideally, your custom reverse-proxy will be configured in such a way that it **fronts the Traefik reverse-proxy** provided by the playbook. Other means of reverse-proxying are more fragile and may be deprecated in the future. + +### I already use my own Traefik server. How do I plug that in? 
+ +See the [Traefik managed by the playbook](docs/configuring-playbook-own-webserver.md#traefik-managed-by-the-playbook) section. + +### Why is matrix-nginx-proxy used even after switching to Traefik? + +This playbook manages many different services. All these services were initially integrated with `matrix-nginx-proxy`. + +While we migrate all these components to have native Traefik support, some still go through nginx internally (Traefik -> local `matrix-nginx-proxy` -> component). +As time goes on, internal reliance on `matrix-nginx-proxy` will gradually decrease until it's completely removed. + +### How do I remain on matrix-nginx-proxy? + +Most new work and testing targets Traefik, so remaining on nginx is **not** "the good old stable" option, but rather the "still available, but largely untested and likely to be broken very soon" option. + +To proceed regardless of this warning, add `matrix_playbook_reverse_proxy_type: playbook-managed-nginx` to your configuration. + +At some point in the **near** future (days, or even weeks at most), we hope to completely get rid of `matrix-nginx-proxy` (or break it enough to make it unusable), so you **will soon be forced to migrate** anyway. Plan your migration accordingly. + +### How do I keep using my own other reverse-proxy? + +We recommend that you follow the guide for [Fronting the integraed reverse-proxy webserver with another reverse-proxy](docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy). + + # 2023-02-25 ## Rageshake support diff --git a/README.md b/README.md index f57db148b..dd4467258 100644 --- a/README.md +++ b/README.md 
@@ -61,8 +61,9 @@ Services that run on the server to make the various parts of your installation w | ---- | -------- | ----------- | ------------- | | [PostgreSQL](https://www.postgresql.org/)| ✓ | Database for Synapse. [Using an external PostgreSQL server](docs/configuring-playbook-external-postgres.md) is also possible. | [Link](docs/configuring-playbook-external-postgres.md) | | [Coturn](https://github.com/coturn/coturn) | ✓ | STUN/TURN server for WebRTC audio/video calls | [Link](docs/configuring-playbook-turn.md) | -| [nginx](http://nginx.org/) | ✓ | Web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](docs/configuring-playbook-own-webserver.md) | [Link](docs/configuring-playbook-nginx.md) | -| [Let's Encrypt](https://letsencrypt.org/) | ✓ | Free SSL certificate, which secures the connection to the Synapse server and the Element web UI | [Link](docs/configuring-playbook-ssl-certificates.md) | +| [Traefik](https://doc.traefik.io/traefik/) | ✓ | Web server, listening on ports 80, 443 and 8448 - standing in front of all the other services. Using your own webserver [is possible](docs/configuring-playbook-own-webserver.md) | [Link](docs/configuring-playbook-traefik.md) | +| [nginx](http://nginx.org/) | x | (Deprecated) Web server, listening on ports 80, 443 and 8448 - standing in front of all the other services. 
Deprecated in favor of Traefik | [Link](docs/configuring-playbook-nginx.md) | +| [Let's Encrypt](https://letsencrypt.org/) | ✓ | Free SSL certificate, which secures the connection to all components | [Link](docs/configuring-playbook-ssl-certificates.md) | | [ma1sd](https://github.com/ma1uta/ma1sd) | x | Matrix Identity Server | [Link](docs/configuring-playbook-ma1sd.md) | [Exim](https://www.exim.org/) | ✓ | Mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) | [Link](docs/configuring-playbook-email.md) | | [Dimension](https://github.com/turt2live/matrix-dimension) | x | An open source integrations manager for matrix clients | [Link](docs/configuring-playbook-dimension.md) | diff --git a/docs/configuring-playbook-nginx.md b/docs/configuring-playbook-nginx.md index 96f854d0e..43cff4a83 100644 --- a/docs/configuring-playbook-nginx.md +++ b/docs/configuring-playbook-nginx.md @@ -1,7 +1,6 @@ # Configure Nginx (optional, advanced) -By default, this playbook installs its own nginx webserver (in a Docker container) which listens on ports 80 and 443. -If that's alright, you can skip this. +**Note**: the playbook is [in the process of moving to Traefik](../CHANGELOG.md#reverse-proxy-configuration-changes-and-initial-traefik-support). Traefik is already the default reverse-proxy for new installations and existing users are also strongly encouraged to switch to Traefik. As such, this **nginx documentation below may be incomplete or misleading**. ## Using Nginx status diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 22170f40a..3b9d822d7 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md 
@@ -1,4 +1,4 @@ -# Using your own webserver, instead of this playbook's nginx proxy (optional, advanced) +# Using your own webserver, instead of this playbook's Traefik reverse-proxy (optional, advanced) **Note**: the playbook is [in the process of moving to Traefik](../CHANGELOG.md#reverse-proxy-configuration-changes-and-initial-traefik-support). The **documentation below may be incomplete or misleading**. 
@@ -117,17 +117,36 @@ There are 2 ways to go about it: This method is about leaving the integrated reverse-proxy webserver be, but making it not get in the way (using up important ports, trying to retrieve SSL certificates, etc.). -If you wish to use another webserver, the integrated nginx reverse-proxy webserver usually gets in the way because it attempts to fetch SSL certificates and binds to ports 80, 443 and 8448 (if Matrix Federation is enabled). +If you wish to use another webserver, the integrated reverse-proxy webserver usually gets in the way because it attempts to fetch SSL certificates and binds to ports 80, 443 and 8448 (if Matrix Federation is enabled). You can disable such behavior and make the integrated reverse-proxy webserver only serve traffic locally (or over a local network). This is the recommended way for using another reverse-proxy, because the integrated one would act as a black box and wire all Matrix services correctly. You would only need to reverse-proxy a few individual domains and ports over to it. 
-**For `matrix-nginx-proxy`** fronted by another reverse-proxy, you would need some configuration like this: +**For Traefik** fronted by another reverse-proxy, you would need some configuration like this: + +```yaml +matrix_playbook_reverse_proxy_type: playbook-managed-traefik + +# Ensure that public urls use https +matrix_playbook_ssl_enabled: true + +# Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval +devture_traefik_config_entrypoint_web_secure_enabled: false + +devture_traefik_container_web_host_bind_port: '127.0.0.1:81' + +devture_traefik_additional_entrypoints_auto: + - name: matrix-federation + port: "{{ matrix_federation_public_port }}" + host_bind_port: "127.0.0.1:{{ matrix_federation_public_port }}" + config: {} +``` + +(Deprecated) **For `matrix-nginx-proxy`** fronted by another reverse-proxy, you would need some configuration like this: ```yaml -# playbook-managed-proxy is the default right now, so we can keep this commented out. -# matrix_playbook_reverse_proxy_type: playbook-managed-nginx +matrix_playbook_reverse_proxy_type: playbook-managed-nginx # Ensure that public urls use https matrix_playbook_ssl_enabled: true 
@@ -150,28 +169,9 @@ matrix_nginx_proxy_container_http_host_bind_port: '127.0.0.1:81' matrix_nginx_proxy_container_federation_host_bind_port: '127.0.0.1:8449' ``` -**For Traefik** fronted by another reverse-proxy, you would need some configuration like this: - -```yaml -matrix_playbook_reverse_proxy_type: playbook-managed-traefik - -# Ensure that public urls use https -matrix_playbook_ssl_enabled: true - -# Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval -devture_traefik_config_entrypoint_web_secure_enabled: false - -devture_traefik_container_web_host_bind_port: '127.0.0.1:81' - -devture_traefik_additional_entrypoints_auto: - - name: matrix-federation - port: "{{ matrix_federation_public_port }}" - host_bind_port: "127.0.0.1:{{ matrix_federation_public_port }}" - config: {} -``` - If you'll be fronting with a reverse-proxy that lives on another machine (not on the same one as Matrix), you need to replace `127.0.0.1` in the above configurations with `0.0.0.0` or another network interface. + ### Using no reverse-proxy on the Matrix side at all Instead of [Fronting the integrated reverse-proxy webserver with another reverse-proxy](#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy), you can also go another way -- completely disabling the playbook-managed reverse-proxy. You would then need to reverse-proxy from your own webserver directly to Matrix services. 
@@ -182,6 +182,8 @@ If your webserver is on the same machine, sure your web server user (something l #### Using your own nginx reverse-proxy running on the same machine +**WARNING**: this type of setup is not maintained and will be removed in the future. We recommend that you go for [Fronting the integrated reverse-proxy webserver with another reverse-proxy](#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instead. + If you'll be using `nginx` running on the same machine (not in a container), you can make the playbook help you generate configuration for `nginx` with this configuration: ```yaml @@ -202,6 +204,8 @@ You can most likely directly use the config files installed by this playbook at: #### Using your own reverse-proxy running on the same machine or elsewhere +**WARNING**: this is difficult to set up, likely not very well supported and will be removed in the future. We recommend that you go for [Fronting the integrated reverse-proxy webserver with another reverse-proxy](#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instead. + To reverse-proxy manually for each service, use configuration like this: ```yaml diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md index 606160da4..60d5b1351 100644 --- a/docs/configuring-playbook-ssl-certificates.md +++ b/docs/configuring-playbook-ssl-certificates.md 
@@ -1,112 +1,34 @@ # Adjusting SSL certificate retrieval (optional, advanced) -By default, this playbook retrieves and auto-renews free SSL certificates from [Let's Encrypt](https://letsencrypt.org/) for the domains it needs (`matrix.` and possibly `element.`) +By default, this playbook retrieves and auto-renews free SSL certificates from [Let's Encrypt](https://letsencrypt.org/) for the domains it needs (e.g. `matrix.` and others) -Those certificates are used when configuring the nginx reverse proxy installed by this playbook. -They can also be used for configuring [your own webserver](configuring-playbook-own-webserver.md), in case you're not using the integrated nginx server provided by the playbook. +This guide is about using the integrated Traefik server and doesn't apply if you're using [your own webserver](configuring-playbook-own-webserver.md). -If you need to retrieve certificates for other domains (e.g. your base domain) or more control over certificate retrieval, read below. -Things discussed in this document: +## Using staging Let's Encrypt certificates instead of real ones -- [Using self-signed SSL certificates](#using-self-signed-ssl-certificates), if you can't use Let's Encrypt or just need a test setup +For testing purposes, you may wish to use staging certificates provide by Let's Encrypt. 
-- [Using your own SSL certificates](#using-your-own-ssl-certificates), if you don't want to or can't use Let's Encrypt certificates, but are still interested in using the integrated nginx reverse proxy server - -- [Not bothering with SSL certificates](#not-bothering-with-ssl-certificates), if you're using [your own webserver](configuring-playbook-own-webserver.md) and would rather this playbook leaves SSL certificate management to you - -- [Obtaining SSL certificates for additional domains](#obtaining-ssl-certificates-for-additional-domains), if you'd like to host additional domains on the Matrix server and would like the playbook to help you obtain and renew certificates for those domains automatically - - -## Using self-signed SSL certificates - -For private deployments (not publicly accessible from the internet), you may not be able to use Let's Encrypt certificates. - -If self-signed certificates are alright with you, you can ask the playbook to generate such for you with the following configuration: - -```yaml -matrix_ssl_retrieval_method: self-signed -``` - -If you get a `Cannot reach homeserver` error in Element, you will have to visit `https://matrix.` in your browser and agree to the certificate exception before you can login. - - -## Using your own SSL certificates - -If you'd like to manage SSL certificates by yourself and have the playbook use your certificate files, you can use the following configuration: - -```yaml -matrix_ssl_retrieval_method: manually-managed -``` - -With such a configuration, the playbook would expect you to drop the SSL certificate files in the directory specified by `matrix_ssl_config_dir_path` (`/matrix/ssl/config` by default) obeying the following hierarchy: - -- `/live//fullchain.pem` -- `/live//privkey.pem` -- `/live//chain.pem` - -where `` refers to the domains that you need (usually `matrix.` and `element.`). 
- - -## Not bothering with SSL certificates - -If you're [using an external web server](configuring-playbook-own-webserver.md) which is not nginx, or you would otherwise want to manage its certificates without this playbook getting in the way, you can completely disable SSL certificate management with the following configuration: +You can do this with the following configuration: ```yaml -matrix_ssl_retrieval_method: none +devture_traefik_config_certificatesResolvers_acme_use_staging: true ``` -With such a configuration, no certificates will be retrieved at all. You're free to manage them however you want. - -## Obtaining SSL certificates for additional domains +## Disabling SSL termination -The playbook tries to be smart about the certificates it will obtain for you. +For testing or other purposes, you may wish to install services without SSL termination and have services exposed to `http://` instead of `https://`. -By default, it obtains certificates for: -- `matrix.` (`matrix_server_fqn_matrix`) -- possibly for `element.`, unless you have disabled the [Element client component](configuring-playbook-client-element.md) using `matrix_client_element_enabled: false` -- possibly for `riot.`, if you have explicitly enabled Riot to Element redirection (for background compatibility) using `matrix_nginx_proxy_proxy_riot_compat_redirect_enabled: true` -- possibly for `hydrogen.`, if you have explicitly [set up Hydrogen client](configuring-playbook-client-hydrogen.md). -- possibly for `cinny.`, if you have explicitly [set up Cinny client](configuring-playbook-client-cinny.md). -- possibly for `dimension.`, if you have explicitly [set up Dimension](configuring-playbook-dimension.md). -- possibly for `goneb.`, if you have explicitly [set up Go-NEB bot](configuring-playbook-bot-go-neb.md). -- possibly for `jitsi.`, if you have explicitly [set up Jitsi](configuring-playbook-jitsi.md). 
-- possibly for `stats.`, if you have explicitly [set up Grafana](configuring-playbook-prometheus-grafana.md). -- possibly for `sygnal.`, if you have explicitly [set up Sygnal](configuring-playbook-sygnal.md). -- possibly for `ntfy.`, if you have explicitly [set up ntfy](configuring-playbook-ntfy.md). -- possibly for your base domain (``), if you have explicitly configured [Serving the base domain](configuring-playbook-base-domain-serving.md) - -If you are hosting other domains on the Matrix machine, you can make the playbook obtain and renew certificates for those other domains too. -To do that, simply define your own custom configuration like this: +You can do this with the following configuration: ```yaml -# In this example, we retrieve 2 extra certificates, -# one for the base domain (in the `matrix_domain` variable) and one for a hardcoded domain. -# Adding any other additional domains (hosted on the same machine) is possible. -matrix_ssl_additional_domains_to_obtain_certificates_for: - - '{{ matrix_domain }}' - - 'another.domain.example.com' +devture_traefik_config_entrypoint_web_secure_enabled: false ``` -After redefining `matrix_ssl_domains_to_obtain_certificates_for`, to actually obtain certificates you should: - -- make sure the web server occupying port 80 is stopped. If you are using matrix-nginx-proxy server (which is the default for this playbook), you need to stop it temporarily by running `systemctl stop matrix-nginx-proxy` on the server. -- re-run the SSL part of the playbook and restart all services: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-ssl,start` - -The certificate files would be made available in `/matrix/ssl/config/live//...`. - -For automated certificate renewal to work, each port `80` vhost for each domain you are obtaining certificates for needs to forward requests for `/.well-known/acme-challenge` to the certbot container we use for renewal. 
- -See how this is configured for the `matrix.` subdomain in `/matrix/nginx-proxy/conf.d/matrix-domain.conf` -Don't be alarmed if the above configuration file says port `8080`, instead of port `80`. It's due to port mapping due to our use of containers. - - -## Specify the SSL private key algorithm +## Using self-signed SSL certificates -If you'd like to [specify the private key type](https://eff-certbot.readthedocs.io/en/stable/using.html#using-ecdsa-keys) used with Let's Encrypt, define your own custom configuration like this: +Using self-signed certificates with Traefik is a somewhat involved processes, where you need to manually mount the files into the container and adjust the "static" configuration to refer to them. -```yaml -matrix_ssl_lets_encrypt_key_type: ecdsa -``` +Feel free to research this approach on your own and improve this guide! diff --git a/docs/configuring-playbook-traefik.md b/docs/configuring-playbook-traefik.md new file mode 100644 index 000000000..4f6a73356 --- /dev/null +++ b/docs/configuring-playbook-traefik.md 
@@ -0,0 +1,48 @@ +# Configure Traefik (optional, advanced) + +By default, this playbook installs and manages a [Traefik](https://doc.traefik.io/traefik/) reverse-proxy server, powered by the [com.devture.ansible.role.traefik](https://github.com/devture/com.devture.ansible.role.traefik) Ansible role. + +This Ansible role support various configuration options. Feel free to consult its `default/main.yml` variables file. + + +## Adjusting SSL certificate retrieval + +See the dedicated [Adjusting SSL certificate retrieval](configuring-playbook-ssl-certificates.md) documentation page. + +## Increase logging verbosity + +```yaml +devture_traefik_config_log_level: DEBUG +``` + +## Disable access logs + +This will disable access logging. + +```yaml +devture_traefik_config_accessLog_enabled: false +``` + +## Enable Traefik Dashboard + +This will enable a Traefik [Dashboard](https://doc.traefik.io/traefik/operations/dashboard/) UI at `https://matrix.DOMAIN/dashboard/` (note the trailing `/`). + +```yaml +devture_traefik_dashboard_enabled: true +devture_traefik_dashboard_hostname: "{{ matrix_server_fqn_matrix }}" +devture_traefik_dashboard_basicauth_enabled: true +devture_traefik_dashboard_basicauth_user: YOUR_USERNAME_HERE +devture_traefik_dashboard_basicauth_password: YOUR_PASSWORD_HERE +``` + +## Additional configuration + +Use the `devture_traefik_configuration_extension_yaml` variable provided by the Traefik Ansible role to override or inject additional settings, even when no dedicated variable exists. + +```yaml +# This is a contrived example. +# You can enable and secure the Dashboard using dedicated variables. See above. +devture_traefik_configuration_extension_yaml: | + api: + dashboard: true +``` diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index c94977a25..b4bae7869 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md 
@@ -59,9 +59,11 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Serving your base domain using this playbook's nginx server](configuring-playbook-base-domain-serving.md) (optional) -- [Configure Nginx](configuring-playbook-nginx.md) (optional, advanced) +- [Configure the Traefik reverse-proxy](configuring-playbook-traefik.md) (optional, advanced) -- [Using your own webserver, instead of this playbook's nginx proxy](configuring-playbook-own-webserver.md) (optional, advanced) +- (Deprecated) [Configure the Nginx reverse-proxy](configuring-playbook-nginx.md) (optional, advanced) + +- [Using your own webserver, instead of this playbook's default reverse-proxy](configuring-playbook-own-webserver.md) (optional, advanced) - [Adjusting TURN server configuration](configuring-playbook-turn.md) (optional, advanced) diff --git a/examples/vars.yml b/examples/vars.yml index 732d7eedd..784bf0613 100644 --- a/examples/vars.yml +++ b/examples/vars.yml @@ -21,6 +21,11 @@ matrix_homeserver_implementation: synapse # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). matrix_homeserver_generic_secret_key: '' +# By default, the playbook manages its own Traefik (https://doc.traefik.io/traefik/) reverse-proxy server. +# It will retrieve SSL certificates for you on-demand and forward requests to all other components. +# For alternatives, see `docs/configuring-playbook-own-webserver.md`. +matrix_playbook_reverse_proxy_type: playbook-managed-traefik + # This is something which is provided to Let's Encrypt when retrieving SSL certificates for domains. # # In case SSL renewal fails at some point, you'll also get an email notification there. 
@@ -29,7 +34,7 @@ matrix_homeserver_generic_secret_key: '' # you won't be required to define this variable (see `docs/configuring-playbook-ssl-certificates.md`). # # Example value: someone@example.com -matrix_ssl_lets_encrypt_support_email: '' +devture_traefik_config_certificatesResolvers_acme_email: '' # A Postgres password to use for the superuser Postgres user (called `matrix` by default). # diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index 0f2e3b488..403af983c 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml @@ -319,7 +319,7 @@ matrix_homeserver_app_service_config_files_auto: [] # - no nginx configuration will be dumped in /matrix/nginx/conf.d # - no port exposure will be done for any of the container services # - it's up to you to expose the ports you want, etc. -matrix_playbook_reverse_proxy_type: playbook-managed-nginx +matrix_playbook_reverse_proxy_type: '' matrix_playbook_service_host_bind_interface_prefix: "{{ '' if matrix_playbook_reverse_proxy_type not in ['other-nginx-non-container', 'other-on-same-host', 'other-on-another-host'] else ('0.0.0.0:' if matrix_playbook_reverse_proxy_type == 'other-on-another-host' else '127.0.0.1:') }}" diff --git a/roles/custom/matrix-base/tasks/validate_config.yml b/roles/custom/matrix-base/tasks/validate_config.yml index ab06ffcd6..c663ab2ee 100644 --- a/roles/custom/matrix-base/tasks/validate_config.yml +++ b/roles/custom/matrix-base/tasks/validate_config.yml 
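Review bot: The new default `matrix_playbook_reverse_proxy_type: ''` in roles/custom/matrix-base/defaults/main.yml carries no comment saying that the empty value is deliberate, while the context comment above it still only describes what happens when no playbook-managed proxy is used. A reader of the defaults file alone cannot tell that an empty value is meant to abort the run; consider adding `# Intentionally empty: tasks/validate_config.yml fails the run until a type is chosen explicitly (see docs/configuring-playbook-own-webserver.md)` above the line. The validate_config.yml task that enforces this is added further down in this same commit. In the examples/vars.yml hunk, the context comment above the renamed `devture_traefik_config_certificatesResolvers_acme_email` still refers to "this variable" in Let's Encrypt terms, which is fine, but the comment block could name the Traefik ACME resolver so the `devture_` prefix does not surprise readers of the example file.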
@@ -54,6 +54,14 @@ msg: "Detected that variable matrix_architecture {{ matrix_architecture }} appears to be set incorrectly. See docs/alternative-architectures.md. Server appears to be {{ ansible_architecture }}." when: matrix_architecture not in ['amd64', 'arm32', 'arm64'] +- name: Fail if matrix_playbook_reverse_proxy_type is set incorrectly + ansible.builtin.fail: + msg: | + You have not explicitly specified the type of reverse-proxy you'd like to use (with a `matrix_playbook_reverse_proxy_type` variable in your configuration). + The playbook used to default to nginx (matrix-nginx-proxy), but things are changing with Traefik being the new default reverse-proxy. + Learn more here: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#traefik-is-the-default-reverse-proxy-now + when: matrix_playbook_reverse_proxy_type == '' + - name: Fail if matrix_playbook_reverse_proxy_type is set incorrectly ansible.builtin.fail: msg: "Detected that variable matrix_playbook_reverse_proxy_type (current value: `{{ matrix_playbook_reverse_proxy_type }}`) appears to be set incorrectly. See roles/custom/matrix-base/defaults/main.yml for valid choices." From 0452619820fd0bd98a6b9e20ced51b54bcf3a19a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 26 Feb 2023 16:21:50 +0200 Subject: [PATCH 507/915] Add Related plabooks --- README.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/README.md b/README.md index dd4467258..bd37d23ef 100644 --- a/README.md +++ b/README.md 
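Review bot: The newly added task reuses the name `Fail if matrix_playbook_reverse_proxy_type is set incorrectly`, which is also the name of the existing task immediately below it, so a failure in play output cannot be told apart by task name. Since the new task's condition is `matrix_playbook_reverse_proxy_type == ''`, a distinct name such as `- name: Fail if matrix_playbook_reverse_proxy_type is not set` would make the output unambiguous. The `msg` text is already specific, so only the name needs changing.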
@@ -188,3 +188,18 @@ When updating the playbook, refer to [the changelog](CHANGELOG.md) to catch up w - IRC channel: `#matrix-docker-ansible-deploy` on the [Libera Chat](https://libera.chat/) IRC network (irc.libera.chat:6697) - GitHub issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues) + + +## Related + +You may also be interested in these other Ansible playbooks: + +- [gitea-docker-ansible-deploy](https://github.com/spantaleev/gitea-docker-ansible-deploy) - for deploying a [Gitea](https://gitea.io/) git version-control server + +- [nextcloud-docker-ansible-deploy](https://github.com/spantaleev/nextcloud-docker-ansible-deploy) - for deploying a [Nextcloud](https://nextcloud.com/) server + +- [peertube-docker-ansible-deploy](https://github.com/spantaleev/peertube-docker-ansible-deploy) - for deploying a [PeerTube](https://joinpeertube.org/) video-platform server + +- [vaultwarden-docker-ansible-deploy](https://github.com/spantaleev/vaultwarden-docker-ansible-deploy) - for deploying a [Vaultwarden](https://github.com/dani-garcia/vaultwarden) password manager server (unofficial [Bitwarden](https://bitwarden.com/) compatible server) + +They're all making use of Traefik as their reverse-proxy, so it should be easy to host all these services on the same server. Follow the `docs/configuring-playbook-interoperability.md` documentation in each playbook. From 7852d5eb26457b828fe8dc76327bb0639c36e3c7 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Sun, 26 Feb 2023 15:58:10 +0000 Subject: [PATCH 508/915] update mautrix-telegram 0.12.2 -> 0.13.0 --- roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml index 1221da84c..4d0401616 100644 
--- a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -17,7 +17,7 @@ matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git" matrix_mautrix_telegram_docker_repo_version: "{{ 'master' if matrix_mautrix_telegram_version == 'latest' else matrix_mautrix_telegram_version }}" matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src" -matrix_mautrix_telegram_version: v0.12.2 +matrix_mautrix_telegram_version: v0.13.0 # See: https://mau.dev/mautrix/telegram/container_registry matrix_mautrix_telegram_docker_image: "{{ matrix_mautrix_telegram_docker_image_name_prefix }}mautrix/telegram:{{ matrix_mautrix_telegram_version }}" matrix_mautrix_telegram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_telegram_container_image_self_build else 'dock.mau.dev/' }}" From ffff236167e8b228e6fe0a3fe2332057937fc9c7 Mon Sep 17 00:00:00 2001 From: Jan <31133207+Jaffex@users.noreply.github.com> Date: Sun, 26 Feb 2023 17:21:08 +0100 Subject: [PATCH 509/915] Update configuring-playbook-own-webserver.md Change documentation for host bind port when fronting traefik with another reverse proxy --- docs/configuring-playbook-own-webserver.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 3b9d822d7..ff9d2c935 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -138,8 +138,8 @@ devture_traefik_container_web_host_bind_port: '127.0.0.1:81' devture_traefik_additional_entrypoints_auto: - name: matrix-federation - port: "{{ matrix_federation_public_port }}" - host_bind_port: "127.0.0.1:{{ matrix_federation_public_port }}" + port: 8449 + host_bind_port: '127.0.0.1:8449' config: {} ``` From 05b3f6565b4affa08fa71204088b27e288beb9d2 Mon Sep 17 00:00:00 2001 
From: Jan <31133207+Jaffex@users.noreply.github.com> Date: Sun, 26 Feb 2023 17:21:59 +0100 Subject: [PATCH 510/915] Update CHANGELOG.md Fix typo in changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5cf821f38..cd5923375 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -57,7 +57,7 @@ At some point in the **near** future (days, or even weeks at most), we hope to c ### How do I keep using my own other reverse-proxy? -We recommend that you follow the guide for [Fronting the integraed reverse-proxy webserver with another reverse-proxy](docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy). +We recommend that you follow the guide for [Fronting the integrated reverse-proxy webserver with another reverse-proxy](docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy). # 2023-02-25 From 7c622bd249821b1e4ddfb9fdd85c7cf43d74d45d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 26 Feb 2023 19:12:10 +0200 Subject: [PATCH 511/915] Upgrade com.devture.ansible.role.traefik --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 56fa7701a..f3ab0272b 100644 --- a/requirements.yml +++ b/requirements.yml @@ -49,7 +49,7 @@ version: v7.0.7-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: 5e3248cd4d17db9ff3ba90904e7330150dab599e + version: 2c949e88261c4398533ad16017475a1c75391487 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: e7563caa814e634d2f8deec4a41e970caa1c0ae4 From 31857ea9bb332463720bc638cb49d47fff96a223 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sun, 26 Feb 2023 19:49:01 +0200 Subject: [PATCH 512/915] Upgrade com.devture.ansible.role.traefik_certs_dumper --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index f3ab0272b..fe0d85b53 100644 --- a/requirements.yml +++ b/requirements.yml @@ -52,4 +52,4 @@ version: 2c949e88261c4398533ad16017475a1c75391487 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git - version: e7563caa814e634d2f8deec4a41e970caa1c0ae4 + version: abeecc09f6fd165eff3cef5d6dd7696b9ca4ec27 From 9e4ecf4ac917d6d92116c297ab982e230dd50f3d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 26 Feb 2023 22:05:36 +0200 Subject: [PATCH 513/915] Add matrix_dendrite_container_network/matrix_dendrite_container_additional_networks --- roles/custom/matrix-dendrite/defaults/main.yml | 8 ++++++++ roles/custom/matrix-dendrite/tasks/setup_install.yml | 5 +++++ .../dendrite/systemd/matrix-dendrite.service.j2 | 12 ++++++++++-- 3 files changed, 23 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml index 525f48548..8c2dded48 100644 --- a/roles/custom/matrix-dendrite/defaults/main.yml +++ b/roles/custom/matrix-dendrite/defaults/main.yml 
@@ -33,6 +33,14 @@ matrix_dendrite_http_bind_address: "{{ (':' + matrix_dendrite_http_bind_port | s # This is passed as an `-https-bind-address` flag to the Dendrite server in the container matrix_dendrite_https_bind_address: "{{ (':' + matrix_dendrite_https_bind_port | string) if matrix_dendrite_https_bind_port else '' }}" +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_dendrite_container_network: "{{ matrix_docker_network }}" + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_dendrite_container_additional_networks: [] + # Controls whether the matrix-dendrite container exposes the HTTP port (tcp/{{ matrix_dendrite_http_bind_port }} in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8008"), or empty string to not expose. diff --git a/roles/custom/matrix-dendrite/tasks/setup_install.yml b/roles/custom/matrix-dendrite/tasks/setup_install.yml index c516c5b7c..3b8cbd9b2 100644 --- a/roles/custom/matrix-dendrite/tasks/setup_install.yml +++ b/roles/custom/matrix-dendrite/tasks/setup_install.yml @@ -76,6 +76,11 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" +- name: Ensure Dendrite container network is created + community.general.docker_network: + name: "{{ matrix_dendrite_container_network }}" + driver: bridge + - name: Ensure matrix-dendrite.service installed ansible.builtin.template: src: "{{ role_path }}/templates/dendrite/systemd/matrix-dendrite.service.j2" diff --git a/roles/custom/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/custom/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 index 4649c3a31..378cf596e 100644 
--- a/roles/custom/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 +++ b/roles/custom/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 @@ -22,13 +22,15 @@ ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_s ExecStartPre={{ matrix_host_command_sleep }} 5 {% endif %} -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-dendrite \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-dendrite \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_dendrite_tmp_directory_size_mb }}m \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_dendrite_container_network }} \ {% if matrix_dendrite_container_http_host_bind_address and matrix_dendrite_http_bind_port %} -p {{ matrix_dendrite_container_http_host_bind_address }}:{{ matrix_dendrite_http_bind_port }} \ {% endif %} @@ -54,6 +56,12 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name -https-bind-address {{ matrix_dendrite_https_bind_address }} {% endif %} +{% for network in matrix_dendrite_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-dendrite +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-dendrite + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-dendrite 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-dendrite 2>/dev/null || true' ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-dendrite /bin/sh -c 'kill -HUP 1' 
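Review bot: The switch from one `docker run` to `docker create` / `docker network connect` / `docker start --attach` is not explained anywhere in the template, and the reason is not obvious from the unit file alone; presumably it exists because the container has to be attached to each entry of `matrix_dendrite_container_additional_networks` before it starts, and `docker network connect` needs an existing container. A Jinja comment above the create line would help, e.g. `{# Create first, attach any additional networks, then start: extra networks can only be connected to an already-created container #}`. The `network connect` ExecStartPre lines are deliberately not prefixed with `-`, so a listed network that does not exist makes the unit fail to start, which matches the "make sure they already exist" comment in defaults but is worth stating next to the loop. The same structure appears in the matrix-conduit.service.j2 hunks of the next commit, and `--rm` on `docker create` (rather than on `run`) is only accepted by reasonably recent Docker releases — worth confirming against the Docker versions the playbook supports.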
From cdd23aafc6931aa9f6902a03f40fe0dc8e09d264 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 26 Feb 2023 22:08:08 +0200 Subject: [PATCH 514/915] Add matrix_conduit_container_network/matrix_conduit_container_additional_networks --- roles/custom/matrix-conduit/defaults/main.yml | 8 ++++++ .../matrix-conduit/tasks/setup_install.yml | 26 ++++++++++++------- .../conduit/systemd/matrix-conduit.service.j2 | 12 +++++++-- 3 files changed, 34 insertions(+), 12 deletions(-) diff --git a/roles/custom/matrix-conduit/defaults/main.yml b/roles/custom/matrix-conduit/defaults/main.yml index bbab5cde0..7673a7d27 100644 --- a/roles/custom/matrix-conduit/defaults/main.yml +++ b/roles/custom/matrix-conduit/defaults/main.yml @@ -23,6 +23,14 @@ matrix_conduit_systemd_required_services_list: ["docker.service"] # List of systemd services that matrix-conduit.service wants matrix_conduit_systemd_wanted_services_list: [] +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_conduit_container_network: "{{ matrix_docker_network }}" + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_conduit_container_additional_networks: [] + # Extra arguments for the Docker container matrix_conduit_container_extra_arguments: [] diff --git a/roles/custom/matrix-conduit/tasks/setup_install.yml b/roles/custom/matrix-conduit/tasks/setup_install.yml index ef47c620c..ecccbb326 100644 --- a/roles/custom/matrix-conduit/tasks/setup_install.yml +++ b/roles/custom/matrix-conduit/tasks/setup_install.yml 
@@ -1,14 +1,4 @@ --- -- name: Ensure Conduit Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_conduit_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_conduit_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_conduit_docker_image_force_pull }}" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - name: Ensure Conduit config path exists ansible.builtin.file: @@ -34,6 +24,22 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" +- name: Ensure Conduit container network is created + community.general.docker_network: + name: "{{ matrix_conduit_container_network }}" + driver: bridge + +- name: Ensure Conduit container image is pulled + community.docker.docker_image: + name: "{{ matrix_conduit_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_conduit_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_conduit_docker_image_force_pull }}" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + - name: Ensure matrix-conduit.service installed ansible.builtin.template: src: "{{ role_path }}/templates/conduit/systemd/matrix-conduit.service.j2" diff --git a/roles/custom/matrix-conduit/templates/conduit/systemd/matrix-conduit.service.j2 b/roles/custom/matrix-conduit/templates/conduit/systemd/matrix-conduit.service.j2 index cdaead01d..91c1e9151 100644 
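Review bot: The new `Ensure Conduit container network is created` task uses `community.general.docker_network`, while the image-pull task moved within the same hunk uses `community.docker.docker_image`; the docker modules were relocated from `community.general` to `community.docker`, and as far as I can tell the `community.general.docker_network` name only keeps working through a redirect, so the file now depends on two collections for one feature. Using `community.docker.docker_network` keeps the collection dependency consistent with the rest of the hunk. The same mixed naming is in the matrix-dendrite setup_install.yml hunk of the previous commit.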
--- a/roles/custom/matrix-conduit/templates/conduit/systemd/matrix-conduit.service.j2 +++ b/roles/custom/matrix-conduit/templates/conduit/systemd/matrix-conduit.service.j2 @@ -12,13 +12,15 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-conduit 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-conduit 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-conduit \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-conduit \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_conduit_tmp_directory_size_mb }}m \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_conduit_container_network }} \ --env CONDUIT_CONFIG=/etc/matrix-conduit/conduit.toml \ --mount type=bind,src={{ matrix_conduit_data_path }},dst=/var/lib/matrix-conduit \ --mount type=bind,src={{ matrix_conduit_config_path }},dst=/etc/matrix-conduit,ro \ 
@@ -27,6 +29,12 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {% endfor %} {{ matrix_conduit_docker_image }} +{% for network in matrix_conduit_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-conduit +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-conduit + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-conduit 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-conduit 2>/dev/null || true' ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-conduit /bin/sh -c 'kill -HUP 1' From b84f25309b6b0351b5b24b5be2ca49c4c12195a6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 26 Feb 2023 22:09:37 +0200 Subject: [PATCH 515/915] Add matrix_homeserver_container_network --- group_vars/matrix_servers | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 359c6e3f2..75076bbc1 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -435,6 +435,15 @@ matrix_homeserver_container_federation_url: |- }[matrix_homeserver_implementation] }} +matrix_homeserver_container_network: |- + {{ + matrix_nginx_proxy_container_network if matrix_nginx_proxy_enabled else { + 'synapse': matrix_synapse_container_network, + 'dendrite': matrix_dendrite_container_network, + 'conduit': matrix_conduit_container_network, + }[matrix_homeserver_implementation] + }} + matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}" matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}" 
From 058a54fd0593994b25b421ede595e8a6d07b8183 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 26 Feb 2023 23:06:36 +0200 Subject: [PATCH 516/915] Add native Traefik support to Dimension --- docs/configuring-playbook-dimension.md | 23 +++- group_vars/matrix_servers | 29 +++- .../custom/matrix-dimension/defaults/main.yml | 127 +++++++++++++++++- .../matrix-dimension/tasks/setup_install.yml | 13 ++ .../tasks/validate_config.yml | 33 +++++ .../matrix-dimension/templates/config.yaml.j2 | 14 +- .../matrix-dimension/templates/labels.j2 | 45 +++++++ .../systemd/matrix-dimension.service.j2 | 14 +- .../matrix-nginx-proxy/defaults/main.yml | 5 - .../matrix-nginx-proxy/templates/labels.j2 | 12 -- 10 files changed, 275 insertions(+), 40 deletions(-) create mode 100644 roles/custom/matrix-dimension/templates/labels.j2 diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md index e201785a1..4472e103e 100644 --- a/docs/configuring-playbook-dimension.md +++ b/docs/configuring-playbook-dimension.md 
@@ -6,14 +6,29 @@ If you're just installing Matrix services for the first time, please continue wi **Note**: This playbook now supports running [Dimension](https://dimension.t2bot.io) in both a federated and [unfederated](https://github.com/turt2live/matrix-dimension/blob/master/docs/unfederated.md) environments. This is handled automatically based on the value of `matrix_synapse_federation_enabled`. Enabling Dimension, means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. It's something to be aware of, especially in terms of firewall whitelisting (make sure port `8448` is accessible). -## Prerequisites +## Decide on a domain and path -The `dimension.` DNS record must be created. See [Configuring your DNS server](configuring-dns.md) on how to set up DNS record correctly. +By default, Dimension is configured to use its own dedicated domain (`dimension.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records). + +You can override the domain and path like this: + +```yaml +# Switch to another hostname compared to the default (`dimension.{{ matrix_domain }}`) +matrix_dimension_hostname: "integrations.{{ matrix_domain }}" + +``` + +While there is a `matrix_dimension_path_prefix` variable for changing the path where Dimension is served, overriding it is not possible right now due to [this Dimension issue](https://github.com/turt2live/matrix-dimension/issues/510). You must serve Dimension at a dedicated subdomain until this issue is solved. + + +## Adjusting DNS records + +Once you've decided on the domain and path, **you may need to adjust your DNS** records to point the Dimension domain to the Matrix server. ## Enable -[Dimension integrations manager](https://dimension.t2bot.io) installation is disabled by default. 
You can enable it in your configuration file (`inventory/host_vars/matrix./vars.yml`): +To enable Dimension, add this to your configuration file (`inventory/host_vars/matrix./vars.yml`): ```yaml matrix_dimension_enabled: true @@ -54,7 +69,7 @@ For more information on how to acquire an access token, visit [https://t2bot.io/ ## Installation -After these variables have been set, please run the following command to re-run setup and to restart Dimension: +After these variables have been set and you have potentially [adjusted your DNS records](#adjusting-dns-records), please run the following command to re-run setup and to restart Dimension: ``` ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 75076bbc1..e9d244d20 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -2154,12 +2154,32 @@ matrix_dimension_enabled: false matrix_dimension_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" -# Normally, matrix-nginx-proxy is enabled and nginx can reach Dimension over the container network. -# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# the Dimension HTTP port to the local host. +matrix_dimension_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}" + +matrix_dimension_hostname: "{{ matrix_server_fqn_dimension }}" + +matrix_dimension_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-dimension' }}" + +matrix_dimension_container_additional_networks: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + + + ([matrix_homeserver_container_network] if matrix_homeserver_container_network != matrix_dimension_container_network else []) + + + ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != matrix_dimension_container_network else []) + ) | unique + }} + matrix_dimension_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8184') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_dimension_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" +matrix_dimension_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_dimension_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" + +matrix_dimension_homeserver_clientServerUrl: "{{ matrix_homeserver_container_url }}" matrix_dimension_homeserver_federationUrl: "{{ matrix_homeserver_container_federation_url }}" +matrix_dimension_homeserver_mediaUrl: "https://{{ matrix_server_fqn_matrix }}" 
matrix_dimension_systemd_required_services_list: | {{ @@ -2443,7 +2463,7 @@ matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled and matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" -matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" +matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_rageshake_enabled: "{{ matrix_rageshake_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}" matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" 
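Review bot: `matrix_dimension_homeserver_mediaUrl: "https://{{ matrix_server_fqn_matrix }}"` hardcodes the scheme, while a few lines earlier in the same hunk `matrix_dimension_scheme` is derived from `matrix_playbook_ssl_enabled`; on a deployment with SSL disabled Dimension may be handed a media URL that is not actually served. If the media URL is meant to follow the playbook's scheme, `matrix_dimension_homeserver_mediaUrl: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_server_fqn_matrix }}"` keeps the two consistent; if it is intentionally always https, a one-line comment saying why would stop the next reader from "fixing" it. This hunk begins on the previous line of the diff.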
@@ -2460,7 +2480,6 @@ matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_playbook_ matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true -matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}" matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" diff --git a/roles/custom/matrix-dimension/defaults/main.yml b/roles/custom/matrix-dimension/defaults/main.yml index 4be76fd1e..e66f90094 100644 --- a/roles/custom/matrix-dimension/defaults/main.yml +++ b/roles/custom/matrix-dimension/defaults/main.yml @@ -3,6 +3,15 @@ matrix_dimension_enabled: false +matrix_dimension_scheme: https + +# The hostname at which Dimension is served. +matrix_dimension_hostname: '' + +# The path at which Dimension is exposed. +# This value must either be `/` or not end with a slash (e.g. `/dimension`). +matrix_dimension_path_prefix: / + # You are required to specify an access token for Dimension to work. # For information on how to acquire an access token, visit https://t2bot.io/docs/access_tokens matrix_dimension_access_token: "" 
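Review bot: In the roles/custom/matrix-dimension/defaults/main.yml hunk, `matrix_dimension_scheme: https` is the only new variable without a comment, unlike `matrix_dimension_hostname` and `matrix_dimension_path_prefix` directly below it. Suggest `# The scheme (http or https) at which Dimension is served.` above it. The path-prefix comment states a format constraint ("must either be `/` or not end with a slash") but nothing in this hunk enforces it; if the `tasks/validate_config.yml` additions listed in the diffstat do, a pointer to that check in the comment would make the contract discoverable.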
@@ -35,21 +44,129 @@ matrix_dimension_systemd_wanted_services_list: [] matrix_dimension_user_uid: '1000' matrix_dimension_user_gid: '1000' +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_dimension_container_network: matrix-dimension + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_dimension_container_additional_networks: [] + # Controls whether the matrix-dimension container exposes its HTTP port (tcp/8184 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8184"), or empty string to not expose. matrix_dimension_container_http_host_bind_port: '' + +# matrix_dimension_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_dimension_container_labels_additional_labels`. +matrix_dimension_container_labels_traefik_enabled: true +matrix_dimension_container_labels_traefik_docker_network: "{{ matrix_dimension_container_network }}" +matrix_dimension_container_labels_traefik_hostname: "{{ matrix_dimension_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/dimension`). 
+matrix_dimension_container_labels_traefik_path_prefix: "{{ matrix_dimension_path_prefix }}" +matrix_dimension_container_labels_traefik_rule: "Host(`{{ matrix_dimension_container_labels_traefik_hostname }}`){% if matrix_dimension_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_dimension_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_dimension_container_labels_traefik_priority: 0 +matrix_dimension_container_labels_traefik_entrypoints: web-secure +matrix_dimension_container_labels_traefik_tls: "{{ matrix_dimension_container_labels_traefik_entrypoints != 'web' }}" +matrix_dimension_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. +# To add your own headers, use `matrix_dimension_container_labels_traefik_additional_response_headers_custom` +matrix_dimension_container_labels_traefik_additional_response_headers: "{{ matrix_dimension_container_labels_traefik_additional_response_headers_auto | combine(matrix_dimension_container_labels_traefik_additional_response_headers_custom) }}" +matrix_dimension_container_labels_traefik_additional_response_headers_auto: | + {{ + {} + | combine ({'X-XSS-Protection': matrix_dimension_http_header_xss_protection} if matrix_dimension_http_header_xss_protection else {}) + | combine ({'X-Frame-Options': matrix_dimension_http_header_frame_options} if matrix_dimension_http_header_frame_options else {}) + | combine ({'X-Content-Type-Options': matrix_dimension_http_header_content_type_options} if matrix_dimension_http_header_content_type_options else {}) + | combine ({'Content-Security-Policy': matrix_dimension_http_header_content_security_policy} if matrix_dimension_http_header_content_security_policy else {}) + | combine ({'Permission-Policy': matrix_dimension_http_header_content_permission_policy} if matrix_dimension_http_header_content_permission_policy else {}) + | combine ({'Strict-Transport-Security': 
matrix_dimension_http_header_strict_transport_security} if matrix_dimension_http_header_strict_transport_security and matrix_dimension_container_labels_traefik_tls else {}) + }} +matrix_dimension_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_dimension_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_dimension_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_dimension_container_labels_additional_labels: '' + + # A list of extra arguments to pass to the container matrix_dimension_container_extra_arguments: [] -matrix_dimension_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }}/element" -matrix_dimension_integrations_rest_url: "https://{{ matrix_server_fqn_dimension }}/api/v1/scalar" -matrix_dimension_integrations_widgets_urls: ["https://{{ matrix_server_fqn_dimension }}/widgets"] -matrix_dimension_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_dimension }}/widgets/jitsi" +# Public facing base URL of the Dimension service. +# It should not end with a slash. 
+matrix_dimension_base_url: "{{ matrix_dimension_scheme }}://{{ matrix_dimension_hostname }}{{ '' if matrix_dimension_path_prefix == '/' else matrix_dimension_path_prefix }}" + +matrix_dimension_integrations_ui_url: "{{ matrix_dimension_base_url }}/element" +matrix_dimension_integrations_rest_url: "{{ matrix_dimension_base_url }}/api/v1/scalar" +matrix_dimension_integrations_widgets_urls: ["{{ matrix_dimension_base_url }}/widgets"] +matrix_dimension_integrations_jitsi_widget_url: "{{ matrix_dimension_base_url }}/widgets/jitsi" + +matrix_dimension_homeserver_clientServerUrl: '' # noqa var-naming +matrix_dimension_homeserver_federationUrl: '' # noqa var-naming +matrix_dimension_homeserver_mediaUrl: '' # noqa var-naming -matrix_dimension_homeserver_federationUrl: "" # noqa var-naming +# Controls the dimension.publicUrl configuration option +matrix_dimension_dimension_publicUrl: "{{ matrix_dimension_base_url }}" # noqa var-naming +# Specifies the value of the `X-XSS-Protection` header +# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. +# +# Learn more about it is here: +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection +# - https://portswigger.net/web-security/cross-site-scripting/reflected +matrix_dimension_http_header_xss_protection: "1; mode=block" + +# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options +matrix_dimension_http_header_frame_options: '' + +# Specifies the value of the `X-Content-Type-Options` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options +matrix_dimension_http_header_content_type_options: nosniff + +# Specifies the value of the `Content-Security-Policy` header. 
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy +matrix_dimension_http_header_content_security_policy: '' + +# Specifies the value of the `Permission-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy +matrix_dimension_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_dimension_floc_optout_enabled else '' }}" + +# Specifies the value of the `Strict-Transport-Security` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +matrix_dimension_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_dimension_hsts_preload_enabled else '' }}" + +# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses +# +# Learn more about what it is here: +# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea +# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network +# - https://amifloced.org/ +# +# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. +# See: `matrix_dimension_content_permission_policy` +matrix_dimension_floc_optout_enabled: true + +# Controls if HSTS preloading is enabled +# +# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and +# indicates a willingness to be "preloaded" into browsers: +# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` +# For more information visit: +# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +# - https://hstspreload.org/#opt-in +# See: `matrix_dimension_http_header_strict_transport_security` +matrix_dimension_hsts_preload_enabled: false # Database-related configuration fields. # 
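Review bot: The header map built in `matrix_dimension_container_labels_traefik_additional_response_headers_auto` uses the key `Permission-Policy`, but the header browsers recognise is `Permissions-Policy` (the comment above `matrix_dimension_floc_optout_enabled` spells it that way), so the `interest-cohort=()` opt-out that is enabled by default is sent under a name no browser honours; change the combine entry to `| combine ({'Permissions-Policy': matrix_dimension_http_header_content_permission_policy} if matrix_dimension_http_header_content_permission_policy else {})` and rename the header in the comment and MDN link on `matrix_dimension_http_header_content_permission_policy` to match. That same comment block refers readers to `matrix_dimension_content_permission_policy`, which is not defined in this hunk; the variable is `matrix_dimension_http_header_content_permission_policy`. Separately, `X-XSS-Protection: 1; mode=block` targets a filter that current browsers have removed and that caused its own problems in older ones; present guidance is to send `0` and rely on `Content-Security-Policy`, which defaults to empty here, so a comment noting that trade-off would help operators decide. The defaults file continues past the end of this hunk.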
diff --git a/roles/custom/matrix-dimension/tasks/setup_install.yml b/roles/custom/matrix-dimension/tasks/setup_install.yml index 26617f7a3..b1f0c242d 100644 --- a/roles/custom/matrix-dimension/tasks/setup_install.yml +++ b/roles/custom/matrix-dimension/tasks/setup_install.yml @@ -85,6 +85,14 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_dimension_user_gid }}" +- name: Ensure Dimension labels installed + ansible.builtin.template: + src: "{{ role_path }}/templates/labels.j2" + dest: "{{ matrix_dimension_base_path }}/labels" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + - name: Ensure Dimension image is pulled community.docker.docker_image: name: "{{ matrix_dimension_docker_image }}" @@ -120,6 +128,11 @@ pull: true when: "matrix_dimension_container_image_self_build | bool" +- name: Ensure Dimension container network is created + community.general.docker_network: + name: "{{ matrix_dimension_container_network }}" + driver: bridge + - name: Ensure matrix-dimension.service installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-dimension.service.j2" diff --git a/roles/custom/matrix-dimension/tasks/validate_config.yml b/roles/custom/matrix-dimension/tasks/validate_config.yml index 8f681e082..b001ceedb 100644 --- a/roles/custom/matrix-dimension/tasks/validate_config.yml +++ b/roles/custom/matrix-dimension/tasks/validate_config.yml 
@@ -6,7 +6,12 @@ You need to define a required configuration setting (`{{ item.name }}`). when: "item.when | bool and vars[item.name] == ''" with_items: + - {'name': 'matrix_dimension_hostname', when: true} + - {'name': 'matrix_dimension_container_network', when: true} - {'name': 'matrix_dimension_access_token', when: true} + - {'name': 'matrix_dimension_homeserver_clientServerUrl', when: true} + - {'name': 'matrix_dimension_homeserver_federationUrl', when: true} + - {'name': 'matrix_dimension_homeserver_mediaUrl', when: true} - {'name': 'matrix_dimension_database_hostname', when: "{{ matrix_dimension_database_engine == 'postgres' }}"} - name: (Deprecation) Catch and report renamed Dimension variables 
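Review bot: `matrix_dimension_homeserver_federationUrl` is added to the list of settings that must be non-empty, yet the `config.yaml.j2` hunk later in this patch keeps the upstream comment on `federationUrl` saying that an empty value makes Dimension resolve the homeserver through the normal federation process, so this check rejects a configuration the template itself documents as valid. If the intent is to require an explicit value only for the container-network setup introduced here, say so in a comment; otherwise drop the line `- {'name': 'matrix_dimension_homeserver_federationUrl', when: true}` and leave the empty default meaningful. The surrounding task's `when` and `msg` are context lines from before the hunk.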
@@ -17,3 +22,31 @@ when: "item.old in vars" with_items: - {'old': 'matrix_dimension_container_expose_port', 'new': ''} + +- when: matrix_dimension_container_labels_traefik_enabled | bool + block: + - name: Fail if required Dimension Traefik settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - matrix_dimension_container_labels_traefik_hostname + - matrix_dimension_container_labels_traefik_path_prefix + + # We ensure it doesn't end with a slash, because we handle both (slash and no-slash). + # Knowing that `matrix_dimension_container_labels_traefik_path_prefix` does not end with a slash + # ensures we know how to set these routes up without having to do "does it end with a slash" checks elsewhere. + - name: Fail if matrix_dimension_container_labels_traefik_path_prefix ends with a slash + ansible.builtin.fail: + msg: >- + matrix_dimension_container_labels_traefik_path_prefix (`{{ matrix_dimension_container_labels_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/dimension`). + when: "matrix_dimension_container_labels_traefik_path_prefix != '/' and matrix_dimension_container_labels_traefik_path_prefix[-1] == '/'" + + - name: Fail if matrix_dimension_container_labels_traefik_path_prefix is not / + ansible.builtin.fail: + msg: >- + matrix_dimension_container_labels_traefik_path_prefix (`{{ matrix_dimension_container_labels_traefik_path_prefix }}`) must currently be set to `/`. + Other values are not supported. + See: https://github.com/turt2live/matrix-dimension/issues/510 + when: "matrix_dimension_container_labels_traefik_path_prefix != '/' and matrix_dimension_container_labels_traefik_path_prefix[-1] == '/'" diff --git a/roles/custom/matrix-dimension/templates/config.yaml.j2 b/roles/custom/matrix-dimension/templates/config.yaml.j2 index 592c65ac8..c387c91b6 100644 --- a/roles/custom/matrix-dimension/templates/config.yaml.j2 
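Review bot: The third task, `Fail if matrix_dimension_container_labels_traefik_path_prefix is not /`, reuses the `when` of the slash check above it (`!= '/' and ...[-1] == '/'`), so it can only fire on inputs the previous task has already rejected and never on the value it is meant to reject, such as `/dimension`; its condition should be `when: "matrix_dimension_container_labels_traefik_path_prefix != '/'"`. As written, the unsupported-prefix configuration the message warns about passes validation and reaches the Traefik labels, which the message itself says Dimension does not support (see the linked upstream issue). A short comment on the task explaining why only `/` is accepted would also stop the next maintainer from "fixing" the check the other way.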
+++ b/roles/custom/matrix-dimension/templates/config.yaml.j2 
@@ -9,30 +9,30 @@ web: homeserver: # The domain name of the homeserver. This is used in many places, such as with go-neb # setups, to identify the homeserver. - name: "{{ matrix_domain }}" + name: {{ matrix_domain | to_json }} # The URL that Dimension, go-neb, and other services provisioned by Dimension should # use to access the homeserver with. - clientServerUrl: "{{ matrix_homeserver_container_url }}" + clientServerUrl: {{ matrix_dimension_homeserver_clientServerUrl | to_json }} # The URL that Dimension should use when trying to communicate with federated APIs on # the homeserver. If not supplied or left empty Dimension will try to resolve the address # through the normal federation process. - federationUrl: "{{ matrix_dimension_homeserver_federationUrl }}" + federationUrl: {{ matrix_dimension_homeserver_federationUrl | to_json }} # The URL that Dimension will redirect media requests to for downloading media such as # stickers. If not supplied or left empty Dimension will use the clientServerUrl. - mediaUrl: "https://{{ matrix_server_fqn_matrix }}" + mediaUrl: {{ matrix_dimension_homeserver_mediaUrl | to_json }} # The access token Dimension should use for miscellaneous access to the homeserver. This # should be for a user on the configured homeserver: any user will do, however it is # recommended to use a dedicated user (such as @dimension:t2bot.io). For information on # how to acquire an access token, visit https://t2bot.io/docs/access_tokens - accessToken: "{{ matrix_dimension_access_token }}" + accessToken: {{ matrix_dimension_access_token | to_json }} # These users can modify the integrations this Dimension supports. # To access the admin interface, open Dimension in Element and click the settings icon. -admins: {{ matrix_dimension_admins|to_json }} +admins: {{ matrix_dimension_admins | to_json }} # IPs and CIDR ranges listed here will be blocked from being widgets. 
# Note: Widgets may still be embedded with restricted content, although not through Dimension directly. @@ -72,4 +72,4 @@ goneb: dimension: # This is where Dimension is accessible from clients. Be sure to set this # to your own Dimension instance. - publicUrl: "https://{{ matrix_server_fqn_dimension }}" + publicUrl: {{ matrix_dimension_dimension_publicUrl | to_json }} diff --git a/roles/custom/matrix-dimension/templates/labels.j2 b/roles/custom/matrix-dimension/templates/labels.j2 new file mode 100644 index 000000000..24b570cbb --- /dev/null +++ b/roles/custom/matrix-dimension/templates/labels.j2 
@@ -0,0 +1,45 @@ +{% if matrix_dimension_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_dimension_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_dimension_container_labels_traefik_docker_network }} +{% endif %} + +{% set middlewares = [] %} + +{% if matrix_dimension_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-dimension-slashless-redirect.redirectregex.regex=({{ matrix_dimension_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-dimension-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-dimension-slashless-redirect'] %} +{% endif %} + +{% if matrix_dimension_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-dimension-strip-prefix.stripprefix.prefixes={{ matrix_dimension_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-dimension-strip-prefix'] %} +{% endif %} + +{% if matrix_dimension_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_dimension_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-dimension-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-dimension-add-headers'] %} +{% endif %} + +traefik.http.routers.matrix-dimension.rule={{ matrix_dimension_container_labels_traefik_rule }} +{% if matrix_dimension_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-dimension.priority={{ matrix_dimension_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-dimension.service=matrix-dimension +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-dimension.middlewares={{ middlewares | join(',') }} +{% endif %} +traefik.http.routers.matrix-dimension.entrypoints={{ 
matrix_dimension_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-dimension.tls={{ matrix_dimension_container_labels_traefik_tls | to_json }} +{% if matrix_dimension_container_labels_traefik_tls %} +traefik.http.routers.matrix-dimension.tls.certResolver={{ matrix_dimension_container_labels_traefik_tls_certResolver }} +{% endif %} + +traefik.http.services.matrix-dimension.loadbalancer.server.port=8184 +{% endif %} + +{{ matrix_dimension_container_labels_additional_labels }} diff --git a/roles/custom/matrix-dimension/templates/systemd/matrix-dimension.service.j2 b/roles/custom/matrix-dimension/templates/systemd/matrix-dimension.service.j2 index 07428ffa5..0b14a117c 100644 --- a/roles/custom/matrix-dimension/templates/systemd/matrix-dimension.service.j2 +++ b/roles/custom/matrix-dimension/templates/systemd/matrix-dimension.service.j2 
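Review bot: The `matrix-dimension-slashless-redirect` middleware builds a regular expression from the path prefix with the `quote` filter, which is Ansible's shell-quoting filter rather than a regex escaper: for `/dimension` it is a no-op, but a prefix containing regex metacharacters would be passed through unescaped, and one needing shell quoting would gain literal quote characters, so the redirect pattern would not match the intended path. Use `regex_escape` instead, i.e. `traefik.http.middlewares.matrix-dimension-slashless-redirect.redirectregex.regex=({{ matrix_dimension_container_labels_traefik_path_prefix | regex_escape }})$`. This branch is currently unreachable because validation only accepts `/`, but it will surface as soon as other prefixes are allowed. Header names and values from `matrix_dimension_container_labels_traefik_additional_response_headers` are written into the label file verbatim; they are operator-supplied, which is acceptable, but a one-line `{# header names/values are operator config and are not escaped here #}` would save the next reader a check.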
@@ -21,25 +21,35 @@ ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_s ExecStartPre=-{{ matrix_host_command_chown }} {{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} {{ matrix_dimension_sqlite_database_path_local }} {% endif %} -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-dimension \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-dimension \ --log-driver=none \ --user={{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} \ --cap-drop=ALL \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_dimension_container_network }} \ {% if matrix_dimension_widgets_allow_self_signed_ssl_certificates %} -e NODE_TLS_REJECT_UNAUTHORIZED=0 \ {% endif %} {% if matrix_dimension_container_http_host_bind_port %} -p {{ matrix_dimension_container_http_host_bind_port }}:8184 \ {% endif %} + --label-file={{ matrix_dimension_base_path }}/labels \ --mount type=bind,src={{ matrix_dimension_base_path }},dst=/data \ {% for arg in matrix_dimension_container_extra_arguments %} {{ arg }} \ {% endfor %} {{ matrix_dimension_docker_image }} +{% for network in matrix_dimension_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-dimension +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-dimension + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-dimension 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-dimension 2>/dev/null || true' + Restart=always RestartSec=30 SyslogIdentifier=matrix-dimension 
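Review bot: The container is now created on `matrix_dimension_container_network` instead of `matrix_docker_network`, so the homeserver behind `matrix_dimension_homeserver_clientServerUrl` (made a required setting elsewhere in this patch) is only reachable if `matrix_dimension_container_additional_networks` includes its network, and nothing in the patch checks or documents that; a comment above the `network connect` loop, e.g. `{# the homeserver (clientServerUrl) and the reverse proxy must be reachable from one of these networks #}`, would make the failure mode visible. Splitting `create`/`start` while keeping `--cap-drop=ALL`, `--log-driver=none` and the fixed `--user` on the `create` line preserves the previous hardening, and the narrower default network reduces what the container can reach by default. The unit's earlier `ExecStartPre` lines lie before the start of this hunk.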
diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index a098a098e..f04f19f4f 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml @@ -61,11 +61,6 @@ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule: "Host(`{{ matrix_ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint: "{{ matrix_federation_traefik_entrypoint }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints: "{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint }}" -matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled: false -matrix_nginx_proxy_container_labels_traefik_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}" -matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" -matrix_nginx_proxy_container_labels_traefik_proxy_dimension_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_hostname }}`)" - matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: false matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_hostname: "{{ matrix_server_fqn_etherpad }}" matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2 index 6afa6029c..b4c68471c 100644 --- a/roles/custom/matrix-nginx-proxy/templates/labels.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2 
@@ -39,18 +39,6 @@ traefik.http.routers.matrix-nginx-proxy-matrix-federation.entrypoints={{ matrix_ {% endif %} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled %} -# Dimension -traefik.http.routers.matrix-nginx-proxy-dimension.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_rule }} -traefik.http.routers.matrix-nginx-proxy-dimension.service=matrix-nginx-proxy-web -traefik.http.routers.matrix-nginx-proxy-dimension.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls | to_json }} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls %} -traefik.http.routers.matrix-nginx-proxy-dimension.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} -{% endif %} -traefik.http.routers.matrix-nginx-proxy-dimension.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} -{% endif %} - - {% if matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled %} # Etherpad traefik.http.routers.matrix-nginx-proxy-etherpad.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_rule }} From d5910d0421f8debb1939c2246916271e0d91b27d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 27 Feb 2023 08:27:41 +0200 Subject: [PATCH 517/915] Upgrade com.devture.ansible.role.docker_sdk_for_python Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2522 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index fe0d85b53..d38383dc5 100644 --- a/requirements.yml +++ b/requirements.yml @@ -4,7 +4,7 @@ version: 6.1.0 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git - version: 54d6d1831f063e4a99b66c722f49053d59f8ee60 + version: 129c8590e106b83e6f4c259649a613c6279e937a - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git version: c1f40e82b4d6b072b6f0e885239322bdaaaf554f 
From d544f746e8f2da3d01c9e00d699ec8e255b5bc9c Mon Sep 17 00:00:00 2001 From: Thom Wiggers Date: Mon, 27 Feb 2023 13:40:23 +0100 Subject: [PATCH 518/915] Update irc appservice --- roles/custom/matrix-bridge-appservice-irc/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml index 5e8c11910..ce39bc56e 100644 --- a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml @@ -11,7 +11,7 @@ matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appser # matrix_appservice_irc_version used to contain the full Docker image tag (e.g. `release-X.X.X`). # It's a bare version number now. We try to somewhat retain compatibility below. -matrix_appservice_irc_version: 0.36.0 +matrix_appservice_irc_version: 0.37.0 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_docker_image_tag }}" matrix_appservice_irc_docker_image_tag: "{{ 'latest' if matrix_appservice_irc_version == 'latest' else ('release-' + matrix_appservice_irc_version) }}" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" From 724373b12358664dd226a658ed2ff4c7f9d21d6c Mon Sep 17 00:00:00 2001 From: Jost Alemann Date: Mon, 27 Feb 2023 14:59:36 +0100 Subject: [PATCH 519/915] add nginx to list of own webserver example configs --- docs/configuring-playbook-own-webserver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index ff9d2c935..35c22b35c 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md 
@@ -232,4 +232,4 @@ Some of these services are configured with certain default expecations with rega For each new playbook service that you enable, you'll need special handling. -The [`examples/`](../examples/) directory contains examples for various servers: Caddy, Apache, HAproxy, etc. +The [`examples/`](../examples/) directory contains examples for various servers: Caddy, Apache, HAproxy, Nginx, etc. From e6ba7cc2c915d4f0674da72aa911e140a9390e4c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 27 Feb 2023 16:32:37 +0200 Subject: [PATCH 520/915] Upgrade com.devture.ansible.role.traefik --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index d38383dc5..c882aee91 100644 --- a/requirements.yml +++ b/requirements.yml @@ -49,7 +49,7 @@ version: v7.0.7-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: 2c949e88261c4398533ad16017475a1c75391487 + version: acc49a8059206743f1921f94891ebc177bf79bd2 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: abeecc09f6fd165eff3cef5d6dd7696b9ca4ec27 From 8dacdb038b67dc41711bf72648f749a106c550e6 Mon Sep 17 00:00:00 2001 From: Jost Alemann Date: Mon, 27 Feb 2023 15:34:37 +0100 Subject: [PATCH 521/915] add: nginx example conf + readme for fronting playbooks traefik with own nginx --- examples/nginx/README.md | 32 +++++++++++++ examples/nginx/matrix.conf | 96 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 128 insertions(+) create mode 100644 examples/nginx/README.md create mode 100644 examples/nginx/matrix.conf diff --git a/examples/nginx/README.md b/examples/nginx/README.md new file mode 100644 index 000000000..d2d2a6ce1 --- /dev/null +++ b/examples/nginx/README.md 
@@ -0,0 +1,32 @@ +# Nginx reverse-proxy fronting playbook's Traefik + +This directory contains a sample config that show you how to do reverse-proxying using Nginx and the playbook's internal traefik container. + +This is for when you wish to front the playbook's integrated traefik container with a self-managed Nginx reverse-proxy running on the same server. +See the [Using your own webserver, instead of this playbook's nginx proxy & Fronting the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) documentation page and follow the instructions for the playbook's configuration (`inventory/host_vars/matrix./vars.yml`). + +That is this part: +**For Traefik** fronted by another reverse-proxy, you would need some configuration like this: + +```yaml +matrix_playbook_reverse_proxy_type: playbook-managed-traefik + +# Ensure that public urls use https +matrix_playbook_ssl_enabled: true + +# Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval +devture_traefik_config_entrypoint_web_secure_enabled: false + +devture_traefik_container_web_host_bind_port: '127.0.0.1:81' + +devture_traefik_additional_entrypoints_auto: + - name: matrix-federation + port: 8449 + host_bind_port: '127.0.0.1:8449' + config: {} +``` + +**NOTE**: +- that this also disables SSL certificate retrieval, which then has to be done manually (e.g. by using certbot and setting the appropriate path as found in [the example nginx configuration file](./matrix.conf)). For the example nginx config one certificate is used that contains all the used subdomains. +- that [the example nginx configuration file](./matrix.conf) has to be adapted to whatever services you are using. For example, remove element.domain.com from the `server_name` list if you don't use Element web client or add dimension.domain.com to it if you do use Dimension. 
+- that this is just an example and may not be entirely accurate. It may also not cover other use cases (enabling various services or bridges requires additional reverse-proxying configuration). diff --git a/examples/nginx/matrix.conf b/examples/nginx/matrix.conf new file mode 100644 index 000000000..366a8a8eb --- /dev/null +++ b/examples/nginx/matrix.conf 
@@ -0,0 +1,96 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ # TODO: add/remove services and their subdomains if you use/don't use them
+ # this example is using hosting something on the base domain and an element web client, so example.com and element.example.com are listed in addition to matrix.example.com
+ # if you don't use those, you can remove them
+ # if you use e.g. dimension on dimension.example.com, add dimension.example.com to the server_name list
+ server_name example.com matrix.example.com element.example.com;
+
+ location / {
+ # note: do not add a path (even a single /) after the port in `proxy_pass`,
+ # otherwise, nginx will canonicalise the URI and cause signature verification
+ # errors.
+ proxy_pass http://localhost:81;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+
+ access_log /var/log/nginx/matrix.access.log;
+ error_log /var/log/nginx/matrix.error.log;
+
+ # Nginx by default only allows file uploads up to 1M in size
+ # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+ client_max_body_size 50M;
+ }
+
+ # TODO: adapt the path to your ssl certificate for the domains listed on server_name
+ ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
+ # TODO: adapt the path to your ssl certificate for the domains listed on server_name
+ ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+# settings for matrix federation
+server {
+ # For the federation port
+ listen 8448 ssl http2 default_server;
+ listen [::]:8448 ssl http2 default_server;
+
+ server_name matrix.example.com;
+
+ location / {
+ proxy_pass http://localhost:8449;
+ proxy_set_header 
X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+
+ access_log /var/log/nginx/matrix.access.log;
+ error_log /var/log/nginx/matrix.error.log;
+
+ # Nginx by default only allows file uploads up to 1M in size
+ # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+ client_max_body_size 50M;
+ }
+ # TODO: adapt the path to your ssl certificate for the domains listed on server_name
+ ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
+ # TODO: adapt the path to your ssl certificate for the domains listed on server_name
+ ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+# ensure using https
+# TODO: remove server blocks that you don't use / add server blocks for domains you do use
+server {
+ if ($host = example.com) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+ server_name example.com;
+ listen 80;
+ return 404; # managed by Certbot
+}
+
+server {
+ if ($host = matrix.example.com) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+ server_name matrix.example.com;
+ listen 80;
+ return 404; # managed by Certbot
+}
+
+server {
+ if ($host = element.example.com) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+ server_name element.example.com;
+ listen 80;
+ return 404; # managed by Certbot
+}
\ No newline at end of file
From 89b9fca85cbe88673cf9ff63bce5656be6393ca6 Mon Sep 17 00:00:00 2001 From: Jost Alemann Date: Mon, 27 Feb 2023 15:51:04 +0100 Subject: [PATCH 522/915] remove duplicate of playbook config instructions --- examples/nginx/README.md | 21 --------------------- 1 file changed, 21 deletions(-)
diff --git a/examples/nginx/README.md b/examples/nginx/README.md
index d2d2a6ce1..038b060e8 100644
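Review bot: Both `proxy_pass` directives point at `localhost`, while the playbook configuration this example pairs with binds Traefik to `127.0.0.1:81` and `127.0.0.1:8449`; on hosts where `localhost` also resolves to `::1`, nginx tries the IPv6 address first, logs upstream connection errors and only then falls back, so `proxy_pass http://127.0.0.1:81;` and `proxy_pass http://127.0.0.1:8449;` match the bind addresses and avoid that. Since nginx is now the TLS-terminating edge, setting `X-Forwarded-For` to `$remote_addr` rather than `$proxy_add_x_forwarded_for` is the right choice because it discards any client-supplied value, and a comment saying so would stop a future edit from "fixing" it: `# set, don't append: nginx is the edge, a client-supplied X-Forwarded-For must not be trusted`. Whether Traefik then passes these headers on unchanged depends on its own forwarded-headers trust settings for 127.0.0.1, which are not part of this example; if it does not, Synapse's rate limiting and login auditing will see the loopback address instead of the real client, so that should be confirmed against the playbook's Traefik configuration and noted in the README.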
--- a/examples/nginx/README.md +++ b/examples/nginx/README.md @@ -5,27 +5,6 @@ This directory contains a sample config that show you how to do reverse-proxying This is for when you wish to front the playbook's integrated traefik container with a self-managed Nginx reverse-proxy running on the same server. See the [Using your own webserver, instead of this playbook's nginx proxy & Fronting the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) documentation page and follow the instructions for the playbook's configuration (`inventory/host_vars/matrix./vars.yml`). -That is this part: -**For Traefik** fronted by another reverse-proxy, you would need some configuration like this: - -```yaml -matrix_playbook_reverse_proxy_type: playbook-managed-traefik - -# Ensure that public urls use https -matrix_playbook_ssl_enabled: true - -# Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval -devture_traefik_config_entrypoint_web_secure_enabled: false - -devture_traefik_container_web_host_bind_port: '127.0.0.1:81' - -devture_traefik_additional_entrypoints_auto: - - name: matrix-federation - port: 8449 - host_bind_port: '127.0.0.1:8449' - config: {} -``` - **NOTE**: - that this also disables SSL certificate retrieval, which then has to be done manually (e.g. by using certbot and setting the appropriate path as found in [the example nginx configuration file](./matrix.conf)). For the example nginx config one certificate is used that contains all the used subdomains. - that [the example nginx configuration file](./matrix.conf) has to be adapted to whatever services you are using. For example, remove element.domain.com from the `server_name` list if you don't use Element web client or add dimension.domain.com to it if you do use Dimension. From 84e6677bc0fcbde82a91db920b9a0af84b0566c8 Mon Sep 17 00:00:00 2001 
From: Jost Alemann Date: Mon, 27 Feb 2023 15:56:34 +0100 Subject: [PATCH 523/915] in own webserver doc link to nginx fronting traefik example --- docs/configuring-playbook-own-webserver.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 35c22b35c..cae1486e1 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -143,6 +143,8 @@ devture_traefik_additional_entrypoints_auto: config: {} ``` +For an example where the playbook's traefik is fronted by Nginx running on the same server, see [Nginx reverse-proxy fronting playbook's Traefik](../examples/nginx/README.md). + (Deprecated) **For `matrix-nginx-proxy`** fronted by another reverse-proxy, you would need some configuration like this: ```yaml From 9e7415afa269d84dbfab98f7ff16eed371a56d63 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 27 Feb 2023 17:07:44 +0200 Subject: [PATCH 524/915] Ensure Buscarron is part of the Postgres network --- group_vars/matrix_servers | 2 ++ 1 file changed, 2 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index e9d244d20..40daa42ee 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1707,6 +1707,8 @@ matrix_bot_buscarron_container_additional_networks: | ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + ([matrix_nginx_proxy_container_network] if matrix_nginx_proxy_enabled and matrix_bot_buscarron_container_network != matrix_nginx_proxy_container_network else []) + + + ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != matrix_bot_buscarron_container_network else []) ) | unique }} From b388a01ab7df38da612e9fceaa23ba8b23289b38 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Mon, 27 Feb 2023 17:09:19 +0200 Subject: [PATCH 525/915] Wire all certResolver variables to devture_traefik_certResolver_primary This allows people wishing to change or unset the resolver, to have a single variable which they can toggle. Unsetting the resolver is useful for using your own certificates (not coming from a certificate resolver). --- group_vars/matrix_servers | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 40daa42ee..4827a3c24 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1715,6 +1715,7 @@ matrix_bot_buscarron_container_additional_networks: | matrix_bot_buscarron_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" matrix_bot_buscarron_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_bot_buscarron_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_bot_buscarron_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" ###################################################################### # @@ -2051,6 +2052,7 @@ matrix_rageshake_container_http_host_bind_port: "{{ (matrix_playbook_service_hos matrix_rageshake_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" matrix_rageshake_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_rageshake_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_rageshake_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" ###################################################################### # 
@@ -2178,6 +2180,7 @@ matrix_dimension_container_http_host_bind_port: "{{ (matrix_playbook_service_hos matrix_dimension_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" matrix_dimension_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_dimension_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_dimension_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" matrix_dimension_homeserver_clientServerUrl: "{{ matrix_homeserver_container_url }}" matrix_dimension_homeserver_federationUrl: "{{ matrix_homeserver_container_federation_url }}" @@ -2480,6 +2483,7 @@ matrix_nginx_proxy_proxy_ntfy_enabled: "{{ ntfy_enabled and matrix_playbook_reve matrix_nginx_proxy_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_nginx_proxy_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}" 
@@ -2971,6 +2975,7 @@ matrix_sygnal_container_http_host_bind_port: "{{ (matrix_playbook_service_host_b matrix_sygnal_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" matrix_sygnal_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_sygnal_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_sygnal_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" ###################################################################### # @@ -3004,6 +3009,7 @@ ntfy_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_inter ntfy_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" ntfy_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" ntfy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +ntfy_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" ntfy_visitor_request_limit_exempt_hosts_hostnames_auto: | {{ @@ -3061,6 +3067,7 @@ matrix_client_element_container_additional_networks: "{{ [matrix_playbook_revers matrix_client_element_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" matrix_client_element_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_client_element_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_client_element_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" matrix_client_element_default_hs_url: "{{ matrix_homeserver_url }}" matrix_client_element_default_is_url: "{{ matrix_identity_server_url }}" 
@@ -3114,6 +3121,7 @@ matrix_client_hydrogen_container_additional_networks: "{{ [matrix_playbook_rever matrix_client_hydrogen_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" matrix_client_hydrogen_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_client_hydrogen_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_client_hydrogen_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" matrix_client_hydrogen_default_hs_url: "{{ matrix_homeserver_url }}" @@ -3147,6 +3155,7 @@ matrix_client_cinny_container_additional_networks: "{{ [matrix_playbook_reverse_ matrix_client_cinny_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" matrix_client_cinny_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_client_cinny_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_client_cinny_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" matrix_client_cinny_default_hs_url: "{{ matrix_homeserver_url }}" 
@@ -3326,6 +3335,7 @@ matrix_synapse_admin_container_additional_networks: "{{ [matrix_playbook_reverse matrix_synapse_admin_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" matrix_synapse_admin_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_synapse_admin_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_synapse_admin_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" ###################################################################### # @@ -3357,6 +3367,7 @@ prometheus_node_exporter_container_additional_networks: "{{ [matrix_playbook_rev prometheus_node_exporter_container_labels_traefik_enabled: false prometheus_node_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" prometheus_node_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +prometheus_node_exporter_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" ###################################################################### # 
@@ -3388,6 +3399,7 @@ prometheus_postgres_exporter_container_additional_networks: "{{ [matrix_playbook prometheus_postgres_exporter_container_labels_traefik_enabled: false prometheus_postgres_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" prometheus_postgres_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +prometheus_postgres_exporter_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" prometheus_postgres_exporter_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" prometheus_postgres_exporter_database_username: matrix_prometheus_postgres_exporter @@ -3491,6 +3503,7 @@ grafana_container_additional_networks: | grafana_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" grafana_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" grafana_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +grafana_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach Grafana over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose From 7716c306f1d9a99fd3302fb04ac535d643be2e60 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 27 Feb 2023 17:26:22 +0200 Subject: [PATCH 526/915] Split Traefik rules for Matrix Client and Matrix Federation APIs This helps people who run federation on another domain (etc.). They should now easily be able to add a custom rule for federation traffic. --- roles/custom/matrix-nginx-proxy/defaults/main.yml | 5 ++++- roles/custom/matrix-nginx-proxy/tasks/validate_config.yml | 2 ++ roles/custom/matrix-nginx-proxy/templates/labels.j2 | 4 ++-- 3 files changed, 8 insertions(+), 3 deletions(-) 
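Review bot: Every `*_container_labels_traefik_tls_certResolver` added here follows `devture_traefik_certResolver_primary` unconditionally, including `prometheus_node_exporter` and `prometheus_postgres_exporter`, whose `*_container_labels_traefik_enabled` is `false` in the surrounding context, so those two assignments are inert; a one-line comment such as `# Wired for consistency; only takes effect when *_container_labels_traefik_enabled is true` would save the next reader a lookup. The commit message describes setting the primary resolver to an empty string in order to use your own certificates; that relies on each role's label template omitting the `tls.certResolver` label when the value is empty rather than rendering `tls.certResolver=`, which is not visible here and is worth confirming, because a router with TLS enabled and no usable certificate in the store typically makes Traefik serve its generated default certificate, and clients then get an untrusted-certificate error rather than a clear configuration failure.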
diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml
index f04f19f4f..6565e1b9b 100644
--- a/roles/custom/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml
@@ -57,7 +57,10 @@ matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_rule: "Host(`{{ ma
 matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: false
 matrix_nginx_proxy_container_labels_traefik_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
-matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_hostname }}`)"
+matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_hostname: "{{ matrix_server_fqn_matrix }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_hostname }}`)"
+matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_hostname: "{{ matrix_server_fqn_matrix }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_hostname }}`)"
 matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint: "{{ matrix_federation_traefik_entrypoint }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints: "{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint }}"
diff --git a/roles/custom/matrix-nginx-proxy/tasks/validate_config.yml b/roles/custom/matrix-nginx-proxy/tasks/validate_config.yml
index f7d18c9e4..8d63876a8 100644
--- a/roles/custom/matrix-nginx-proxy/tasks/validate_config.yml
+++ b/roles/custom/matrix-nginx-proxy/tasks/validate_config.yml
@@ -14,6 +14,8 @@
 - {'old': 'matrix_nginx_proxy_proxy_riot_enabled', 'new': 'matrix_nginx_proxy_proxy_element_enabled'}
 - {'old': 'matrix_ssl_lets_encrypt_renew_cron_time_definition', 'new': ''}
 - {'old': 'matrix_nginx_proxy_reload_cron_time_definition', 'new': ''}
+ - {'old': 'matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule', 'new': ''}
+ - {'old': 'matrix_nginx_proxy_container_labels_traefik_proxy_matrix_hostname', 'new': ''}
 - name: Fail on unknown matrix_ssl_retrieval_method
 ansible.builtin.fail:
diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2
index b4c68471c..0aff6a05a 100644
--- a/roles/custom/matrix-nginx-proxy/templates/labels.j2
+++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2
@@ -20,7 +20,7 @@ traefik.http.routers.matrix-nginx-proxy-base-domain.entrypoints={{ matrix_nginx_
 {% if matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled %}
 # Matrix Client
-traefik.http.routers.matrix-nginx-proxy-matrix-client.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule }}
+traefik.http.routers.matrix-nginx-proxy-matrix-client.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_rule }}
 traefik.http.routers.matrix-nginx-proxy-matrix-client.service=matrix-nginx-proxy-web
 traefik.http.routers.matrix-nginx-proxy-matrix-client.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls | to_json }}
 {% if matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls %}
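Review bot: The new entry for `matrix_nginx_proxy_container_labels_traefik_proxy_matrix_hostname` will trip for every deployment, not only ones that customised it, because `roles/custom/matrix-nginx-proxy/defaults/main.yml` in this same commit still defines that variable (it is a context line in the defaults hunk above); assuming this task fails whenever the old name is defined, as the sibling entries imply, the default has to be dropped in the same change. Both new entries also give `'new': ''` although direct replacements now exist, which leaves users who set the old names at a dead end; `- {'old': 'matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule', 'new': 'matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_rule'}` and `- {'old': 'matrix_nginx_proxy_container_labels_traefik_proxy_matrix_hostname', 'new': 'matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_hostname'}` would point them to where their customisation went, with a note that federation routing now has its own `*_matrix_federation_rule` that must be set separately if it was previously covered by the shared rule.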
@@ -29,7 +29,7 @@ traefik.http.routers.matrix-nginx-proxy-matrix-client.tls.certResolver={{ matrix
 traefik.http.routers.matrix-nginx-proxy-matrix-client.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
 # Matrix Federation
-traefik.http.routers.matrix-nginx-proxy-matrix-federation.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule }}
+traefik.http.routers.matrix-nginx-proxy-matrix-federation.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule }}
 traefik.http.routers.matrix-nginx-proxy-matrix-federation.service=matrix-nginx-proxy-federation
 traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls | to_json }}
 {% if matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls %}
From 91660f7433867b0ea4d1165c53d76b05e4d4387a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 27 Feb 2023 17:45:28 +0200 Subject: [PATCH 527/915] Improve wordng in examples/nginx/README.md --- examples/nginx/README.md | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/examples/nginx/README.md b/examples/nginx/README.md
index 038b060e8..f9be21fd2 100644
--- a/examples/nginx/README.md
+++ b/examples/nginx/README.md
@@ -1,11 +1,17 @@ -# Nginx reverse-proxy fronting playbook's Traefik +# Nginx reverse-proxy fronting the playbook's integrated Traefik reverse-proxy -This directory contains a sample config that show you how to do reverse-proxying using Nginx and the playbook's internal traefik container. +This directory contains a sample config that shows you how use the [nginx](https://nginx.org/) webserver to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with another reverse-proxy. -This is for when you wish to front the playbook's integrated traefik container with a self-managed Nginx reverse-proxy running on the same server. -See the [Using your own webserver, instead of this playbook's nginx proxy & Fronting the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) documentation page and follow the instructions for the playbook's configuration (`inventory/host_vars/matrix./vars.yml`). -**NOTE**: -- that this also disables SSL certificate retrieval, which then has to be done manually (e.g. by using certbot and setting the appropriate path as found in [the example nginx configuration file](./matrix.conf)). For the example nginx config one certificate is used that contains all the used subdomains. -- that [the example nginx configuration file](./matrix.conf) has to be adapted to whatever services you are using. For example, remove element.domain.com from the `server_name` list if you don't use Element web client or add dimension.domain.com to it if you do use Dimension. -- that this is just an example and may not be entirely accurate. It may also not cover other use cases (enabling various services or bridges requires additional reverse-proxying configuration). 
+## Prerequisite configuration + +To get started, first follow the [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instructions and update your playbook's configuration (`inventory/host_vars/matrix./vars.yml`). + + +## Using the nginx configuration + +Copy the [matrix.conf](matrix.conf) file to your nginx server's filesystem, modify it to your needs and include it your nginx configuration (e.g. `include /path/to/matrix.conf;`). + +This configuration **disables SSL certificate retrieval**, so you will **need to obtain SSL certificates manually** (e.g. by using [certbot](https://certbot.eff.org/)) and set the appropriate path in `matrix.conf`. In the example nginx configuration, a single certificate is used for all subdomains (`matrix.DOMAIN`, `element.DOMAIN`, etc.). For your setup, may wish to change this and use separate `server` blocks and separate certificate files for each host. + +Also note that your copy of the `matrix.conf` file has to be adapted to whatever services you are using. For example, remove `element.domain.com` from the `server_name` list if you don't use [Element](../../docs/configuring-playbook-client-element.md) web client or add `dimension.domain.com` to it if you do use the [Dimension](../../docs/configuring-playbook-dimension.md) integration manager. From faa074f7af4ca4b5fa86122a38a303ab50e3cf57 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 27 Feb 2023 17:47:19 +0200 Subject: [PATCH 528/915] Improve wording --- docs/configuring-playbook-own-webserver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index cae1486e1..81b154e2f 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md 
@@ -143,7 +143,7 @@ devture_traefik_additional_entrypoints_auto: config: {} ``` -For an example where the playbook's traefik is fronted by Nginx running on the same server, see [Nginx reverse-proxy fronting playbook's Traefik](../examples/nginx/README.md). +For an example where the playbook's Traefik reverse-proxy is fronted by [Nginx](https://nginx.org/) running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md). (Deprecated) **For `matrix-nginx-proxy`** fronted by another reverse-proxy, you would need some configuration like this: From 73f09d4bb0aa4bf6006267f3af62cf1c1ea255d7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 27 Feb 2023 17:48:35 +0200 Subject: [PATCH 529/915] Remove fronting matrix-nginx-proxy example We don't need this anymore. No one should be using matrix-nginx-proxy anymore. --- docs/configuring-playbook-own-webserver.md | 32 ++-------------------- 1 file changed, 3 insertions(+), 29 deletions(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 81b154e2f..12c969d25 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -123,7 +123,7 @@ You can disable such behavior and make the integrated reverse-proxy webserver on This is the recommended way for using another reverse-proxy, because the integrated one would act as a black box and wire all Matrix services correctly. You would only need to reverse-proxy a few individual domains and ports over to it. -**For Traefik** fronted by another reverse-proxy, you would need some configuration like this: +To front Traefik with another reverse-proxy, you would need some configuration like this: ```yaml matrix_playbook_reverse_proxy_type: playbook-managed-traefik 
@@ -143,36 +143,10 @@ devture_traefik_additional_entrypoints_auto: config: {} ``` -For an example where the playbook's Traefik reverse-proxy is fronted by [Nginx](https://nginx.org/) running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md). - -(Deprecated) **For `matrix-nginx-proxy`** fronted by another reverse-proxy, you would need some configuration like this: - -```yaml -matrix_playbook_reverse_proxy_type: playbook-managed-nginx - -# Ensure that public urls use https -matrix_playbook_ssl_enabled: true - -# Disable SSL certificate retrieval -matrix_ssl_retrieval_method: none - -# Given that we won't be obtaining SSL certificates here, disable HTTPS -matrix_nginx_proxy_https_enabled: false - -# Do not listen for HTTP on port 80 globally (default), listen on the loopback interface. -# If you'd like, you can make it use the local network as well and reverse-proxy from another local machine. -matrix_nginx_proxy_container_http_host_bind_port: '127.0.0.1:81' - -# Likewise, expose the Matrix Federation port on the loopback interface. -# Since `matrix_nginx_proxy_https_enabled` is set to `false`, this federation port will serve HTTP traffic. -# If you'd like, you can make it use the local network as well and reverse-proxy from another local machine. -# -# You'd most likely need to expose it publicly on port 8448 (8449 was chosen for the local port to prevent overlap). -matrix_nginx_proxy_container_federation_host_bind_port: '127.0.0.1:8449' -``` - If you'll be fronting with a reverse-proxy that lives on another machine (not on the same one as Matrix), you need to replace `127.0.0.1` in the above configurations with `0.0.0.0` or another network interface. +For an example where the playbook's Traefik reverse-proxy is fronted by [Nginx](https://nginx.org/) running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md). 
+ ### Using no reverse-proxy on the Matrix side at all From bb9053687486bc320b31fb735b3ab6abab7673d5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 27 Feb 2023 17:57:33 +0200 Subject: [PATCH 530/915] Fix variable name typos in docs/configuring-playbook-postgres-backup.md Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2524 --- docs/configuring-playbook-postgres-backup.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-postgres-backup.md b/docs/configuring-playbook-postgres-backup.md index 2510ecc11..9ea3c60eb 100644 --- a/docs/configuring-playbook-postgres-backup.md +++ b/docs/configuring-playbook-postgres-backup.md @@ -23,8 +23,8 @@ Refer to the table below for additional configuration variables and their defaul |`devture_postgres_backup_keep_days`|`7`|Number of daily backups to keep| |`devture_postgres_backup_keep_weeks`|`4`|Number of weekly backups to keep| |`devture_postgres_backup_keep_months`|`12`|Number of monthly backups to keep| -|`devture_postgres_base_path` | `"{{ matrix_base_data_path }}/postgres-backup"` | Base path for postgres-backup. Also see `devture_postgres_data_path` | -|`devture_postgres_data_path` | `"{{ devture_postgres_base_path }}/data"` | Storage path for postgres-backup database backups | +|`devture_postgres_backup_base_path` | `"{{ matrix_base_data_path }}/postgres-backup"` | Base path for postgres-backup. Also see `devture_postgres_backup_data_path` | +|`devture_postgres_backup_data_path` | `"{{ devture_postgres_backup_base_path }}/data"` | Storage path for postgres-backup database backups | ## Installing From 6fe739a2cb790add5a307bd35255c13edbc8096d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 27 Feb 2023 18:32:22 +0200 Subject: [PATCH 531/915] Remove unnecessary variable --- roles/custom/matrix-nginx-proxy/defaults/main.yml | 1 - 1 file changed, 1 deletion(-) 
diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index 6565e1b9b..27978cae9 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml @@ -55,7 +55,6 @@ matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_tls: "{{ matrix_ng matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_hostname }}`)" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: false -matrix_nginx_proxy_container_labels_traefik_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_hostname: "{{ matrix_server_fqn_matrix }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_hostname }}`)" From 0aede060f30a35f0c789701dc96b04cb9eff6ae8 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 28 Feb 2023 13:18:21 +0000 Subject: [PATCH 532/915] Update grafana 9.3.6 -> 9.4.1 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index c882aee91..e638955ee 100644 --- a/requirements.yml +++ b/requirements.yml @@ -40,7 +40,7 @@ version: v1.2.3-1.7.7-1 - src: git+https://gitlab.com/etke.cc/roles/grafana.git - version: v9.3.6-2 + version: v9.4.1-0 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git version: v2.1.0-0 From 0fe1d1f9ece89025ee5952a4730e03e83fcd2654 Mon Sep 17 00:00:00 2001 
From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 28 Feb 2023 13:18:59 +0000 Subject: [PATCH 533/915] Update element 1.11.23 -> 1.11.24 --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 60b52d60a..8e24ca664 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml @@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.11.23 +matrix_client_element_version: v1.11.24 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 32e700f0767f8893fe2a0f5fd0b65fdd4b96a7b6 Mon Sep 17 00:00:00 2001 From: plui29989 Date: Tue, 28 Feb 2023 21:07:16 +0100 Subject: [PATCH 534/915] Add doc for self-signed certificates --- docs/configuring-playbook-ssl-certificates.md | 43 ++++++++++++++++++- 1 file changed, 41 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md index 60d5b1351..a2fab7c3e 100644 --- a/docs/configuring-playbook-ssl-certificates.md +++ b/docs/configuring-playbook-ssl-certificates.md 
@@ -29,6 +29,45 @@ devture_traefik_config_entrypoint_web_secure_enabled: false ## Using self-signed SSL certificates -Using self-signed certificates with Traefik is a somewhat involved processes, where you need to manually mount the files into the container and adjust the "static" configuration to refer to them. +To use self-signed SSL certificates, you need to disable the certResolvers and the traefik-certs-dumper tool. +You also need to override the providers.file setting in the Traefik configs. +Create a file 'certificates.yml' in /devture-traefik/config/ with the following content: -Feel free to research this approach on your own and improve this guide! +```yaml +tls: + certificates: + - certFile: /ssl/cert.pem + keyFile: /ssl/privkey.pem + stores: + default: + defaultCertificate: + certFile: /ssl/cert.pem + keyFile: /ssl/privkey.pem +``` + +Place the key and your certificate in /devture-traefik/ssl/ +You can use the matrix-aux role for this: + +```yaml +matrix_aux_file_definitions: + - dest: /devture-traefik/ssl/privkey.pem + src: /path/to/privkey.pem + - dest: /devture-traefik/ssl/cert.pem + src: /path/to/cert.pem + - dest: /devture-traefik/config/certificates.yml + src: /path/to/certificates.yml +``` + +Then add the following to your vars.yml: + +```yaml +devture_traefik_config_certificatesResolvers_acme_enabled: false +devture_traefik_certResolver_primary: '' +devture_traefik_ssl_dir_enabled: true +devture_traefik_configuration_extension_yaml: | + providers: + file: + filename: /config/certificates.yml + watch: true +matrix_playbook_traefik_certs_dumper_role_enabled: false +``` From 4b17a1e73a5a3560f6b2bb25ec8ac6ac26c52924 Mon Sep 17 00:00:00 2001 From: plui29989 Date: Tue, 28 Feb 2023 21:09:37 +0100 Subject: [PATCH 535/915] formatting --- docs/configuring-playbook-ssl-certificates.md | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md index a2fab7c3e..859885dda 100644 --- a/docs/configuring-playbook-ssl-certificates.md +++ b/docs/configuring-playbook-ssl-certificates.md @@ -31,6 +31,7 @@ devture_traefik_config_entrypoint_web_secure_enabled: false To use self-signed SSL certificates, you need to disable the certResolvers and the traefik-certs-dumper tool. You also need to override the providers.file setting in the Traefik configs. + Create a file 'certificates.yml' in /devture-traefik/config/ with the following content: ```yaml @@ -46,6 +47,7 @@ tls: ``` Place the key and your certificate in /devture-traefik/ssl/ + You can use the matrix-aux role for this: ```yaml From c3900aaf1b7c755519857f315da56ac3e304bbf5 Mon Sep 17 00:00:00 2001 From: array-in-a-matrix Date: Tue, 28 Feb 2023 18:06:46 -0500 Subject: [PATCH 536/915] remove devture services --- roles/custom/matrix-base/templates/bin/remove-all.j2 | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/roles/custom/matrix-base/templates/bin/remove-all.j2 b/roles/custom/matrix-base/templates/bin/remove-all.j2 index 5dd862aea..46e1f7573 100644 --- a/roles/custom/matrix-base/templates/bin/remove-all.j2 +++ b/roles/custom/matrix-base/templates/bin/remove-all.j2 @@ -21,6 +21,13 @@ else rm -f {{ devture_systemd_docker_base_systemd_path }}/$s done + echo "Stop and remove devture services" + + for s in $(find {{ devture_systemd_docker_base_systemd_path }}/ -type f -name "devture-*" -printf "%f\n"); do + systemctl disable --now $s + rm -f {{ devture_systemd_docker_base_systemd_path }}/$s + done + systemctl daemon-reload echo "Remove unused Docker images and resources" From f7149103e457eaf1067824360ecd95c59ec69c6f Mon Sep 17 00:00:00 2001 
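Review bot: The new loop in remove-all.j2 expands `$s` unquoted in both `systemctl disable --now $s` and `rm -f {{ devture_systemd_docker_base_systemd_path }}/$s`, so each `find` result is subject to word splitting and glob expansion before it reaches `rm -f`. Unit file names with whitespace are unlikely, but the guard is cheap: `systemctl disable --now "$s"` and `rm -f "{{ devture_systemd_docker_base_systemd_path }}/$s"`. The pre-existing `matrix-*` loop visible in the context lines has the same pattern and could be quoted in the same change. The enclosing `else` branch starts before the hunk.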
From: Slavi Pantaleev Date: Wed, 1 Mar 2023 09:29:14 +0200 Subject: [PATCH 537/915] Remove matrix_playbook_traefik_certs_dumper_role_enabled in favor of just devture_traefik_certs_dumper_enabled We don't need these 2 roughly-the-same settings related to the traefik-certs-dumper role. For Traefik, it makes sense, because it's a component used by the various related playbooks and they could step onto each other's toes if the role is enabled, but Traefik is disabled (in that case, uninstall tasks will run). As for Traefik certs dumper, the other related playbooks don't have it, so there's no conflict. Even if they used it, each one would use its own instance (different `devture_traefik_certs_dumper_identifier`), so there wouldn't be a conflict and uninstall tasks can run without any danger. --- group_vars/matrix_servers | 16 ++++++---------- playbooks/matrix.yml | 3 +-- .../tasks/validate_config.yml | 1 + 3 files changed, 8 insertions(+), 12 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 4827a3c24..4195aa529 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -38,12 +38,10 @@ matrix_playbook_traefik_role_enabled: "{{ matrix_playbook_reverse_proxy_type != # installed in another way. matrix_playbook_traefik_labels_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" -matrix_playbook_traefik_certs_dumper_role_enabled: "{{ (matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' and devture_traefik_config_entrypoint_web_secure_enabled) or matrix_playbook_reverse_proxy_type == 'other-traefik-container' }}" - # Controls the additional network that reverse-proxyable services will be connected to. matrix_playbook_reverse_proxyable_services_additional_network: "{{ devture_traefik_container_network if devture_traefik_enabled else '' }}" -matrix_playbook_ssl_retrieval_method: "{{ 'lets-encrypt' if matrix_playbook_traefik_certs_dumper_role_enabled else matrix_ssl_retrieval_method }}" +matrix_playbook_ssl_retrieval_method: "{{ 'lets-encrypt' if devture_traefik_certs_dumper_enabled else matrix_ssl_retrieval_method }}" matrix_playbook_ssl_enabled: "{{ matrix_playbook_ssl_retrieval_method in ['lets-encrypt', 'self-signed', 'manually-managed'] }}" @@ -360,7 +358,7 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'devture-traefik.service', 'priority': 3000, 'groups': ['matrix', 'traefik', 'reverse-proxies']}] if devture_traefik_enabled else []) + - ([{'name': (devture_traefik_certs_dumper_identifier + '.service'), 'priority': 3500, 'groups': ['matrix', 'traefik-certs-dumper']}] if matrix_playbook_traefik_certs_dumper_role_enabled else []) + ([{'name': (devture_traefik_certs_dumper_identifier + '.service'), 'priority': 3500, 'groups': ['matrix', 'traefik-certs-dumper']}] if devture_traefik_certs_dumper_enabled else []) }} ######################################################################## 
@@ -1789,7 +1787,7 @@ matrix_bot_postmoogle_systemd_required_services_list: | + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + - (matrix_playbook_bot_postmoogle_traefik_certs_dumper_waiter_services | trim | split(' ') if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled else []) + (matrix_playbook_bot_postmoogle_traefik_certs_dumper_waiter_services | trim | split(' ') if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled else []) }} # Postgres is the default, except if not using internal Postgres server @@ -2131,7 +2129,7 @@ matrix_coturn_container_additional_volumes: | 'dst': '/privatekey.key', 'options': 'ro', }, - ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled and matrix_coturn_tls_enabled else [] + ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else [] ) }} @@ -2139,7 +2137,7 @@ matrix_coturn_systemd_required_services_list: | {{ ['docker.service'] + - ([devture_traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_server_fqn_matrix + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled and matrix_coturn_tls_enabled else []) + ([devture_traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_server_fqn_matrix + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else []) }} ###################################################################### 
@@ -3807,9 +3805,7 @@ devture_traefik_additional_domains_to_obtain_certificates_for: "{{ matrix_ssl_ad # # ######################################################################## -# To completely disable the Traefik certs dumper role from running, use `matrix_playbook_traefik_certs_dumper_role_enabled: false`. -# See the comment there for more details about why we have both `devture_traefik_certs_dumper_enabled` and `matrix_playbook_traefik_certs_dumper_role_enabled`. -devture_traefik_certs_dumper_enabled: "{{ matrix_playbook_traefik_certs_dumper_role_enabled }}" +devture_traefik_certs_dumper_enabled: "{{ (matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' and devture_traefik_config_entrypoint_web_secure_enabled) or matrix_playbook_reverse_proxy_type == 'other-traefik-container' }}" devture_traefik_certs_dumper_identifier: matrix-traefik-certs-dumper diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index a425cd883..6a8987bf9 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml @@ -121,8 +121,7 @@ - when: matrix_playbook_traefik_role_enabled | bool role: galaxy/com.devture.ansible.role.traefik - - when: matrix_playbook_traefik_certs_dumper_role_enabled | bool - role: galaxy/com.devture.ansible.role.traefik_certs_dumper + - role: galaxy/com.devture.ansible.role.traefik_certs_dumper - when: devture_systemd_service_manager_enabled | bool role: galaxy/com.devture.ansible.role.systemd_service_manager diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index 7afd21540..2241d5023 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml 
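Review bot: The relocated `devture_traefik_certs_dumper_enabled` definition in group_vars/matrix_servers arrives with no comment, while the two lines it replaces were the only explanation of what the dumper is for and why it is gated this way. Because playbooks/matrix.yml now includes the certs_dumper role unconditionally (the `when:` guard is dropped in the same commit), this variable is the single switch between installing and, per the commit message, uninstalling it, which is worth saying next to the definition, e.g. `# Dumps Traefik's ACME certificates to files for services that need them directly (coturn, Postmoogle); when false, the role's uninstall tasks run.` The uninstall behaviour is inferred from the commit message rather than visible here, so confirm it against the role before documenting it.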
@@ -36,6 +36,7 @@ - {'old': 'matrix_systemd_services_autostart_enabled', 'new': 'devture_systemd_service_manager_services_autostart_enabled'} - {'old': 'matrix_prometheus_node_exporter_metrics_proxying_enabled', 'new': 'matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled'} - {'old': 'matrix_prometheus_postgres_exporter_metrics_proxying_enabled', 'new': 'matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled'} + - {'old': 'matrix_playbook_traefik_certs_dumper_role_enabled', 'new': 'devture_traefik_certs_dumper_enabled'} - name: (Deprecation) Catch and report matrix_postgres variables ansible.builtin.fail: From b0845984b3ea9e73e78f020ae3690db74363da49 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 1 Mar 2023 09:44:54 +0200 Subject: [PATCH 538/915] Only enable Traefik certs dumper if the ACME certificate resolver for Traefik is enabled If someone disables ACME, then they're using their own certificates somehow. There's nothing to dump from an `acme.json` file. --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 4195aa529..6e40aba74 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -3805,7 +3805,7 @@ devture_traefik_additional_domains_to_obtain_certificates_for: "{{ matrix_ssl_ad # # ######################################################################## -devture_traefik_certs_dumper_enabled: "{{ (matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' and devture_traefik_config_entrypoint_web_secure_enabled) or matrix_playbook_reverse_proxy_type == 'other-traefik-container' }}" +devture_traefik_certs_dumper_enabled: "{{ (matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' and devture_traefik_config_entrypoint_web_secure_enabled and devture_traefik_config_certificatesResolvers_acme_enabled) or matrix_playbook_reverse_proxy_type == 'other-traefik-container' }}" devture_traefik_certs_dumper_identifier: matrix-traefik-certs-dumper From 7331d314c422ec9b113ea3d09135355d89610824 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 1 Mar 2023 09:45:54 +0200 Subject: [PATCH 539/915] Improve wording --- docs/configuring-playbook-ssl-certificates.md | 74 +++++++++++-------- 1 file changed, 42 insertions(+), 32 deletions(-) diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md index 859885dda..bde425bde 100644 --- a/docs/configuring-playbook-ssl-certificates.md +++ b/docs/configuring-playbook-ssl-certificates.md 
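Review bot: The new `devture_traefik_config_certificatesResolvers_acme_enabled` condition is applied only to the `playbook-managed-traefik` branch of `devture_traefik_certs_dumper_enabled`; with `matrix_playbook_reverse_proxy_type == 'other-traefik-container'` the dumper stays enabled no matter how that Traefik obtains its certificates. A user fronting the playbook with their own Traefik and their own certificate files therefore still gets a dumper with no `acme.json` to read, which is the situation the commit message says should be excluded. If the asymmetry is deliberate because an external Traefik is assumed to use ACME, a comment on the line such as `# For 'other-traefik-container' we assume the external Traefik uses ACME and shares its acme.json` would make that assumption explicit.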
@@ -29,47 +29,57 @@ devture_traefik_config_entrypoint_web_secure_enabled: false ## Using self-signed SSL certificates -To use self-signed SSL certificates, you need to disable the certResolvers and the traefik-certs-dumper tool. -You also need to override the providers.file setting in the Traefik configs. +To use self-signed SSL certificates, you need to: -Create a file 'certificates.yml' in /devture-traefik/config/ with the following content: - -```yaml -tls: - certificates: - - certFile: /ssl/cert.pem - keyFile: /ssl/privkey.pem - stores: - default: - defaultCertificate: - certFile: /ssl/cert.pem - keyFile: /ssl/privkey.pem -``` - -Place the key and your certificate in /devture-traefik/ssl/ - -You can use the matrix-aux role for this: - -```yaml -matrix_aux_file_definitions: - - dest: /devture-traefik/ssl/privkey.pem - src: /path/to/privkey.pem - - dest: /devture-traefik/ssl/cert.pem - src: /path/to/cert.pem - - dest: /devture-traefik/config/certificates.yml - src: /path/to/certificates.yml -``` - -Then add the following to your vars.yml: +- disable `certResolvers` in Traefik, so it won't attempt to retrieve SSL certificates using the default certificate resolver (using [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) / [Let's Encrypt](https://letsencrypt.org/)) +- put a custom Traefik configuration file on the server, with the help of this Ansible playbook (via the `matrix-aux` role) or manually +- register your custom configuration file with Traefik, by adding an extra provider of type [file](https://doc.traefik.io/traefik/providers/file/) +- put the SSL files on the server, with the help of this Ansible playbook (via the `matrix-aux` role) or manually ```yaml +# Disable ACME / Let's Encrypt support devture_traefik_config_certificatesResolvers_acme_enabled: false + +# Unset the default certificate resolver devture_traefik_certResolver_primary: '' + +# Keep the SSL directory normally used for ACME / Let's Encrypt certificates. 
+# We need to explicitly enable this, because disabling ACME support (above) automatically disables it otherwise. devture_traefik_ssl_dir_enabled: true + +# Tell Traefik to load our custom configuration file (certificates.yml). +# The file is created below. See `matrix_aux_file_definitions`. +# The `/config/..` path is an in-container path, not a path on the host. Do not change it! devture_traefik_configuration_extension_yaml: | providers: file: filename: /config/certificates.yml watch: true -matrix_playbook_traefik_certs_dumper_role_enabled: false + +# Use the matrix-aux role to create our custom files on the server. +# If you'd like to do this manually, you remove this `matrix_aux_file_definitions` variable. +matrix_aux_file_definitions: + # Create the privkey.pem file on the server by + # uploading a file from the computer where Ansible is running. + - dest: "{{ devture_traefik_ssl_dir_path }}/privkey.pem" + src: /path/on/your/Ansible/computer/to/privkey.pem + + # Create the cert.pem file on the server + # uploading a file from the computer where Ansible is running. + - dest: "{{ devture_traefik_ssl_dir_path }}/cert.pem" + src: /path/on/your/Ansible/computer/to/cert.pem + + # Create the custom Traefik configuration. + # The `/ssl/..` paths below are in-container paths, not paths on the host. Do not change them! + - dest: "{{ devture_traefik_config_dir_path }}/certificates.yml" + content: | + tls: + certificates: + - certFile: /ssl/cert.pem + keyFile: /ssl/privkey.pem + stores: + default: + defaultCertificate: + certFile: /ssl/cert.pem + keyFile: /ssl/privkey.pem ``` From ba2a3caaf383fa7b576d156acfd8c87584ff850b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 1 Mar 2023 09:54:23 +0200 Subject: [PATCH 540/915] Minor improvements to docs/configuring-playbook-ssl-certificates.md --- docs/configuring-playbook-ssl-certificates.md | 37 +++++++++++++------ 1 file changed, 26 insertions(+), 11 deletions(-) 
diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md index bde425bde..13d5f609b 100644 --- a/docs/configuring-playbook-ssl-certificates.md +++ b/docs/configuring-playbook-ssl-certificates.md 
@@ -29,27 +29,32 @@ devture_traefik_config_entrypoint_web_secure_enabled: false ## Using self-signed SSL certificates -To use self-signed SSL certificates, you need to: +If you'd like to use your own SSL certificates, instead of the default (SSL certificates obtained automatically via [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) from [Let's Encrypt](https://letsencrypt.org/)): -- disable `certResolvers` in Traefik, so it won't attempt to retrieve SSL certificates using the default certificate resolver (using [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) / [Let's Encrypt](https://letsencrypt.org/)) +- generate your self-signed certificate files +- follow the [Using your own SSL certificates](#using-your-own-ssl-certificates) documentation below + + +## Using your own SSL certificates + +To use your own SSL certificates with Traefik, you need to: + +- disable [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) / [Let's Encrypt](https://letsencrypt.org/) support - put a custom Traefik configuration file on the server, with the help of this Ansible playbook (via the `matrix-aux` role) or manually - register your custom configuration file with Traefik, by adding an extra provider of type [file](https://doc.traefik.io/traefik/providers/file/) - put the SSL files on the server, with the help of this Ansible playbook (via the `matrix-aux` role) or manually ```yaml -# Disable ACME / Let's Encrypt support +# Disable ACME / Let's Encrypt support. devture_traefik_config_certificatesResolvers_acme_enabled: false -# Unset the default certificate resolver -devture_traefik_certResolver_primary: '' - -# Keep the SSL directory normally used for ACME / Let's Encrypt certificates. -# We need to explicitly enable this, because disabling ACME support (above) automatically disables it otherwise. 
+# Disabling ACME support (above) automatically disables the creation of the SSL directory. +# Force-enable it here, because we'll add our certificate files there. devture_traefik_ssl_dir_enabled: true # Tell Traefik to load our custom configuration file (certificates.yml). -# The file is created below. See `matrix_aux_file_definitions`. -# The `/config/..` path is an in-container path, not a path on the host. Do not change it! +# The file is created below, in `matrix_aux_file_definitions`. +# The `/config/..` path is an in-container path, not a path on the host (like `/devture-traefik/config`). Do not change it! devture_traefik_configuration_extension_yaml: | providers: file: @@ -63,14 +68,24 @@ matrix_aux_file_definitions: # uploading a file from the computer where Ansible is running. - dest: "{{ devture_traefik_ssl_dir_path }}/privkey.pem" src: /path/on/your/Ansible/computer/to/privkey.pem + # Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline. + # Note the indentation level. + # content: | + # FILE CONTENT + # HERE # Create the cert.pem file on the server # uploading a file from the computer where Ansible is running. - dest: "{{ devture_traefik_ssl_dir_path }}/cert.pem" src: /path/on/your/Ansible/computer/to/cert.pem + # Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline. + # Note the indentation level. + # content: | + # FILE CONTENT + # HERE # Create the custom Traefik configuration. - # The `/ssl/..` paths below are in-container paths, not paths on the host. Do not change them! + # The `/ssl/..` paths below are in-container paths, not paths on the host (/`devture-traefik/ssl/..`). Do not change them! - dest: "{{ devture_traefik_config_dir_path }}/certificates.yml" content: | tls: From 468bed653e06ad632cdbdaf9c6c1cb66a44b0eee Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Wed, 1 Mar 2023 10:30:09 +0200 Subject: [PATCH 541/915] Upgrade Redis (v7.0.7-0 -> v7.0.9-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index e638955ee..fc39323a0 100644 --- a/requirements.yml +++ b/requirements.yml @@ -46,7 +46,7 @@ version: v2.1.0-0 - src: git+https://gitlab.com/etke.cc/roles/redis.git - version: v7.0.7-0 + version: v7.0.9-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git version: acc49a8059206743f1921f94891ebc177bf79bd2 From d6371a07816bf0861d653c70188049b21eb5175b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 1 Mar 2023 10:32:49 +0200 Subject: [PATCH 542/915] Upgrade ddclient (v3.10.0-ls110 -> v3.10.0-ls111) --- roles/custom/matrix-dynamic-dns/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-dynamic-dns/defaults/main.yml b/roles/custom/matrix-dynamic-dns/defaults/main.yml index 4ec034a9b..08cf023ca 100644 --- a/roles/custom/matrix-dynamic-dns/defaults/main.yml +++ b/roles/custom/matrix-dynamic-dns/defaults/main.yml @@ -7,7 +7,7 @@ matrix_dynamic_dns_enabled: true # The dynamic dns daemon interval matrix_dynamic_dns_daemon_interval: '300' -matrix_dynamic_dns_version: v3.10.0-ls110 +matrix_dynamic_dns_version: v3.10.0-ls111 # The docker container to use when in mode matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}" From 8db2c0498a20aaf74a59a3f8bfcdd2eef7f30c02 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 1 Mar 2023 11:07:25 +0200 Subject: [PATCH 543/915] Upgrade Synapse (v1.77.0 -> v1.78.0) --- roles/custom/matrix-synapse/defaults/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index dd69facd5..41ad0bc4a 100644 
--- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -4,6 +4,8 @@ matrix_synapse_enabled: true +matrix_synapse_version: v1.78.0 + matrix_synapse_username: '' matrix_synapse_uid: '' matrix_synapse_gid: '' @@ -69,7 +71,6 @@ matrix_synapse_container_image_customizations_dockerfile_body_custom: '' matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:{{ matrix_synapse_docker_image_tag }}" matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else matrix_container_global_registry_prefix }}" -matrix_synapse_version: v1.77.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From a4b401c4da53ada67f25dd131144bce880ac5593 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 1 Mar 2023 12:31:46 +0200 Subject: [PATCH 544/915] Upgrade com.devture.ansible.role.traefik and improve front-Traefik-with-another-proxy docs Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2532 --- docs/configuring-playbook-own-webserver.md | 19 +++++++++++++++++-- requirements.yml | 2 +- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 12c969d25..affb565fb 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md 
@@ -134,17 +134,32 @@ matrix_playbook_ssl_enabled: true # Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval devture_traefik_config_entrypoint_web_secure_enabled: false +# If your reverse-proxy runs on another machine, consider using `0.0.0.0:81`, just `81` or `SOME_IP_ADDRESS_OF_THIS_MACHINE:81` devture_traefik_container_web_host_bind_port: '127.0.0.1:81' +# We bind to `127.0.0.1` by default (see above), so trusting `X-Forwarded-*` headers from +# a reverse-proxy running on the local machine is safe enough. +devture_traefik_config_entrypoint_web_forwardedHeaders_insecure: true + +# Or, if you're publishing the port (`devture_traefik_container_web_host_bind_port` above) to a public network interfaces: +# - remove the `devture_traefik_config_entrypoint_web_forwardedHeaders_insecure` variable definition above +# - uncomment and adjust the line below +# devture_traefik_config_entrypoint_web_forwardedHeaders_trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY'] + +# Likewise (to `devture_traefik_container_web_host_bind_port` above), +# if your reverse-proxy runs on another machine, consider changing the `host_bind_port` setting below. devture_traefik_additional_entrypoints_auto: - name: matrix-federation port: 8449 host_bind_port: '127.0.0.1:8449' config: {} + # If your reverse-proxy runs on another machine, remove the config above and use this config instead: + # config: + # forwardedHeaders: + # insecure: true + # # trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY'] ``` -If you'll be fronting with a reverse-proxy that lives on another machine (not on the same one as Matrix), you need to replace `127.0.0.1` in the above configurations with `0.0.0.0` or another network interface. - For an example where the playbook's Traefik reverse-proxy is fronted by [Nginx](https://nginx.org/) running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md). 
diff --git a/requirements.yml b/requirements.yml index fc39323a0..1c3b8e76e 100644 --- a/requirements.yml +++ b/requirements.yml @@ -49,7 +49,7 @@ version: v7.0.9-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: acc49a8059206743f1921f94891ebc177bf79bd2 + version: ed9f59753468556b363f90798be23c600d16ef5f - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: abeecc09f6fd165eff3cef5d6dd7696b9ca4ec27 From adc18251a9e9a34ba51b49e9c6eb91dca01a4f22 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 1 Mar 2023 12:47:55 +0200 Subject: [PATCH 545/915] Upgrade com.devture.ansible.role.traefik (2.9.6 -> 2.9.8) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 1c3b8e76e..410dc446e 100644 --- a/requirements.yml +++ b/requirements.yml @@ -49,7 +49,7 @@ version: v7.0.9-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: ed9f59753468556b363f90798be23c600d16ef5f + version: 4ec9187017cb7832f521fc273fabd0a873ca2736 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: abeecc09f6fd165eff3cef5d6dd7696b9ca4ec27 From 4cd9e65d6dc47166b8584870ac88f84ebedb439d Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 1 Mar 2023 20:09:54 +0000 Subject: [PATCH 546/915] update ntfy 2.1.0 -> 2.1.1 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 410dc446e..c8d6ed7d9 100644 --- a/requirements.yml +++ b/requirements.yml @@ -43,7 +43,7 @@ version: v9.4.1-0 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git - version: v2.1.0-0 + version: v2.1.1-0 - src: git+https://gitlab.com/etke.cc/roles/redis.git version: v7.0.9-0 From 227d9d820900d15fd2a3dbf06283c805b721928d Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Wed, 1 Mar 2023 23:14:40 +0200 Subject: [PATCH 547/915] Fix variable name typo --- roles/custom/matrix-bot-maubot/tasks/setup_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-maubot/tasks/setup_install.yml b/roles/custom/matrix-bot-maubot/tasks/setup_install.yml index 97f189c45..60b87861e 100644 --- a/roles/custom/matrix-bot-maubot/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-maubot/tasks/setup_install.yml @@ -53,7 +53,7 @@ name: "{{ matrix_bot_maubot_docker_image }}" source: build force_source: "{{ matrix_bot_maubot_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_maubot_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_bot_maubot_docker_src_files_path }}" From 4ccd3f79de54d3c86a1cebb0ea4ec8c33ddde8d4 Mon Sep 17 00:00:00 2001 From: Catalan Lover Date: Thu, 2 Mar 2023 03:58:03 +0100 Subject: [PATCH 548/915] Fix Draupnir config Config was accidently changed when importing upstream changes. --- .../matrix-bot-draupnir/templates/production.yaml.j2 | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 index 2dbff886a..95acbd356 100644 --- a/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 +++ b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 
@@ -36,7 +36,7 @@ autojoinOnlyIfManager: true # If `autojoinOnlyIfManager` is false, only the members in this space can invite # the bot to new rooms. -acceptInvitesFromSpace: "!example:example.org" +#acceptInvitesFromSpace: "!example:example.org" # Whether Draupnir should report ignored invites to the management room (if autojoinOnlyIfManager is true). recordIgnoredInvites: false @@ -49,11 +49,11 @@ recordIgnoredInvites: false # # Note: By default, Draupnir is fairly verbose - expect a lot of messages in this room. # (see verboseLogging to adjust this a bit.) -managementRoom: "#moderators:example.org" +managementRoom: "{{ matrix_bot_draupnir_management_room }}" # Whether Draupnir should log a lot more messages in the room, # mainly involves "all-OK" messages, and debugging messages for when Draupnir checks bans in a room. -verboseLogging: true +verboseLogging: false # The log level of terminal (or container) output, # can be one of DEBUG, INFO, WARN and ERROR, in increasing order of importance and severity. @@ -130,7 +130,7 @@ admin: # (with enough permissions) to "make" a user an admin. # # This only works if a local user with enough admin permissions is present in the room. - enableMakeRoomAdminCommand: true + enableMakeRoomAdminCommand: false # Misc options for command handling and commands commands: @@ -146,6 +146,7 @@ commands: # Any additional bot prefixes that Draupnir will listen to. i.e. adding `mod` will allow `!mod help`. additionalPrefixes: - "draupnir-bot" + - "draupnir_bot" - "draupnir" # Whether or not commands with a wildcard (*) will require an additional `--force` argument From 4f74d21ba8d53f6b9c7651ddf3e6568f49bd705b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 2 Mar 2023 10:31:23 +0200 Subject: [PATCH 549/915] Upgrade devture/ansible (2.13.6-r0-1 -> 2.13.6-r0-2) The new version includes the `passlib` Python module. --- docs/ansible.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
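Review bot: In the `@@ -49,11 +49,11 @@` hunk, `managementRoom: "{{ matrix_bot_draupnir_management_room }}"` places the variable inside hand-written YAML quotes, so a value containing a double quote or backslash would render invalid YAML instead of a clear error; `managementRoom: {{ matrix_bot_draupnir_management_room | to_json }}` lets the filter do the quoting and escaping. Room IDs and aliases rarely contain such characters, so this is robustness rather than something the commit breaks. Switching `enableMakeRoomAdminCommand` to `false` in the `@@ -130,7 +130,7 @@` hunk is the safe default; since the commit message says the value was lost during an upstream import, a one-line template comment such as `# Intentionally disabled in the playbook; do not flip when importing upstream config` would help the next import keep it that way.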
diff --git a/docs/ansible.md b/docs/ansible.md index 60be6164c..dcda338ad 100644 --- a/docs/ansible.md +++ b/docs/ansible.md @@ -65,7 +65,7 @@ docker run -it --rm \ -w /work \ -v `pwd`:/work \ --entrypoint=/bin/sh \ -docker.io/devture/ansible:2.13.6-r0-1 +docker.io/devture/ansible:2.13.6-r0-2 ``` Once you execute the above command, you'll be dropped into a `/work` directory inside a Docker container. From ae76db4d77d3ee52e69c7d254122747f31a010da Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 2 Mar 2023 16:06:01 +0200 Subject: [PATCH 550/915] Upgrade com.devture.ansible.role.traefik_certs_dumper for wait time increase (60 -> 180 sec.) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index c8d6ed7d9..3fc359f71 100644 --- a/requirements.yml +++ b/requirements.yml @@ -52,4 +52,4 @@ version: 4ec9187017cb7832f521fc273fabd0a873ca2736 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git - version: abeecc09f6fd165eff3cef5d6dd7696b9ca4ec27 + version: 55051deb663f7a30bf01637df7dd6b6bc2a7ce00 From 124fbeda045857233880478da814cb99444860ef Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Thu, 2 Mar 2023 22:50:13 +0200 Subject: [PATCH 551/915] Switch to using an external Etherpad role This new role also adds native Traefik support and support for other (non-`amd64`) architectures via self-building. --- CHANGELOG.md | 33 ++++- docs/configuring-playbook-etherpad.md | 69 +++++++---- group_vars/matrix_servers | 65 +++++++--- playbooks/matrix.yml | 3 +- requirements.yml | 3 + .../etherpad-proxy-connect/defaults/main.yml | 11 ++ .../tasks/inject_into_nginx_proxy.yml | 10 +- .../etherpad-proxy-connect/tasks/main.yml | 12 ++ .../tasks/validate_config.yml | 32 +++++ roles/custom/matrix-base/defaults/main.yml | 2 +- .../custom/matrix-etherpad/defaults/main.yml | 102 --------------- roles/custom/matrix-etherpad/tasks/main.yml | 29 ----- .../matrix-etherpad/tasks/setup_install.yml | 34 ----- .../matrix-etherpad/tasks/setup_uninstall.yml | 25 ---- .../matrix-etherpad/tasks/validate_config.yml | 15 --- .../templates/settings.json.j2 | 116 ------------------ .../systemd/matrix-etherpad.service.j2 | 44 ------- .../matrix-nginx-proxy/defaults/main.yml | 5 - .../matrix-nginx-proxy/templates/labels.j2 | 12 -- 19 files changed, 189 insertions(+), 433 deletions(-) create mode 100644 roles/custom/etherpad-proxy-connect/defaults/main.yml rename roles/custom/{matrix-etherpad => etherpad-proxy-connect}/tasks/inject_into_nginx_proxy.yml (81%) create mode 100644 roles/custom/etherpad-proxy-connect/tasks/main.yml create mode 100644 roles/custom/etherpad-proxy-connect/tasks/validate_config.yml delete mode 100644 roles/custom/matrix-etherpad/defaults/main.yml delete mode 100644 roles/custom/matrix-etherpad/tasks/main.yml delete mode 100644 roles/custom/matrix-etherpad/tasks/setup_install.yml delete mode 100644 roles/custom/matrix-etherpad/tasks/setup_uninstall.yml delete mode 100644 roles/custom/matrix-etherpad/tasks/validate_config.yml delete mode 100644 roles/custom/matrix-etherpad/templates/settings.json.j2 delete mode 100644 
roles/custom/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index cd5923375..790406f3c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,32 @@ +# 2023-03-02 + +## The matrix-etherpad role lives independently now + +**TLDR**: the `matrix-etherpad` role is now included from [another repository](https://gitlab.com/etke.cc/roles/etherpad). Some variables have been renamed. All functionality remains intact. + +You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're using Etherpad or not. + +If you're making use of Etherpad via this playbook, you will need to update variable references in your `vars.yml` file: + +- Rename `matrix_etherpad_public_endpoint` to `etherpad_path_prefix` + +- Replace `matrix_etherpad_mode: dimension` with: + - for `matrix-nginx-proxy` users: + - `etherpad_nginx_proxy_dimension_integration_enabled: true` + - `etherpad_hostname: "{{ matrix_server_fqn_dimension }}"` + - for Traefik users: + - define your own `etherpad_hostname` and `etherpad_path_prefix` as you see fit + +- Rename all other variables: + - `matrix_etherpad_docker_image_` -> `matrix_etherpad_container_image_` + - `matrix_etherpad_` -> `etherpad_` + +Along with this relocation, the new role also: + +- supports [self-building](docs/self-building.md), so it should work on `arm32` and `arm64` architectures +- has native Traefik reverse-proxy support (Etherpad requests no longer go through `matrix-nginx-proxy` when using Traefik) + + # 2023-02-26 ## Traefik is the default reverse-proxy now 
@@ -483,11 +512,11 @@ Various services (like Dimension, etc.) still talk to Synapse via `matrix-nginx- Until now, [Etherpad](https://etherpad.org/) (which [the playbook could install for you](docs/configuring-playbook-etherpad.md)) required the [Dimension integration manager](docs/configuring-playbook-dimension.md) to also be installed, because Etherpad was hosted on the Dimension domain (at `dimension.DOMAIN/etherpad`). -From now on, Etherpad can be installed in `standalone` mode on `etherpad.DOMAIN` and used even without Dimension. This is much more versatile, so the playbook now defaults to this new mode (`matrix_etherpad_mode: standalone`). +From now on, Etherpad can be installed in `standalone` mode on `etherpad.DOMAIN` and used even without Dimension. This is much more versatile, so the playbook now defaults to this new mode (`etherpad_mode: standalone`). If you've already got both Etherpad and Dimension in use you could: -- **either** keep hosting Etherpad under the Dimension domain by adding `matrix_etherpad_mode: dimension` to your `vars.yml` file. All your existing room widgets will continue working at the same URLs and no other changes will be necessary. +- **either** keep hosting Etherpad under the Dimension domain by adding `etherpad_mode: dimension` to your `vars.yml` file. All your existing room widgets will continue working at the same URLs and no other changes will be necessary. - **or**, you could change to hosting Etherpad separately on `etherpad.DOMAIN`. You will need to [configure a DNS record](docs/configuring-dns.md) for this new domain. You will also need to reconfigure Dimension to use the new pad URLs (`https://etherpad.DOMAIN/...`) going forward (refer to our [configuring Etherpad documentation](docs/configuring-playbook-etherpad.md)). All your existing room widgets (which still use `https://dimension.DOMAIN/etherpad/...`) will break as Etherpad is not hosted there anymore. 
You will need to re-add them or to consider not using `standalone` mode diff --git a/docs/configuring-playbook-etherpad.md b/docs/configuring-playbook-etherpad.md index 22c782f43..76ad2f59c 100644 --- a/docs/configuring-playbook-etherpad.md +++ b/docs/configuring-playbook-etherpad.md 
@@ -1,19 +1,41 @@ # Setting up Etherpad (optional) -[Etherpad](https://etherpad.org) is is an open source collaborative text editor that can be embedded in a Matrix chat room using the [Dimension integrations manager](https://dimension.t2bot.io) or used as standalone web app. +[Etherpad](https://etherpad.org) is an open source collaborative text editor that can be embedded in a Matrix chat room using the [Dimension integrations manager](https://dimension.t2bot.io) or used as standalone web app. When enabled together with the Jitsi audio/video conferencing system (see [our docs on Jitsi](configuring-playbook-jitsi.md)), it will be made available as an option during the conferences. -## Prerequisites +## Decide on a domain and path -Etherpad can be installed in 2 modes: +By default, Etherpad is configured to use its own dedicated domain (`etherpad.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records). -- (default) `standalone` mode (`matrix_etherpad_mode: standalone`) - Etherpad will be hosted on `etherpad.` (`matrix_server_fqn_etherpad`), so the DNS record for this domian must be created. See [Configuring your DNS server](configuring-dns.md) on how to set up the `etherpad` DNS record correctly +You can override the domain and path like this: -- `dimension` mode (`matrix_etherpad_mode: dimension`) - Etherpad will be hosted on `dimension./etherpad` (`matrix_server_fqn_dimension`). This requires that you **first** configure the **Dimension integrations manager** as described in [the playbook documentation](configuring-playbook-dimension.md) +```yaml +# Switch to the domain used for Matrix services (`matrix.DOMAIN`), +# so we won't need to add additional DNS records for Etherpad. 
+etherpad_hostname: "{{ matrix_server_fqn_matrix }}" + +# Expose under the /etherpad subpath +etherpad_path_prefix: /etherpad +``` + +**NOTE**: When using the old `matrix-nginx-proxy` reverse-proxy instead of Traefik, you have only 2 choices: + +- serving Etherpad at its own dedicated domain: + - you need to set the domain using the `matrix_server_fqn_etherpad` variable (not `etherpad_hostname`) + - you must use `etherpad_path_prefix: /` +- serving Etherpad at the [Dimension](configuring-playbook-dimension.md) integration manager's domain (`matrix_server_fqn_dimension`) + - you need to have Dimension enabled + - you need to add `etherpad_path_prefix: /etherpad` or another prefix (different than `/`) + - you need to add `etherpad_nginx_proxy_dimension_integration_enabled: true` to enable this integration + + +## Adjusting DNS records -We recomend that you go with the default (`standalone`) mode, which makes Etherpad independent and allows it to be used with or without Dimension. +Once you've decided on the domain and path, **you may need to adjust your DNS** records to point the Etherpad domain to the Matrix server. + +If you've decided to reuse the `matrix.` domain, you won't need to do any extra DNS configuration. ## Installing 
@@ -21,48 +43,51 @@ We recomend that you go with the default (`standalone`) mode, which makes Etherp [Etherpad](https://etherpad.org) installation is disabled by default. You can enable it in your configuration file (`inventory/host_vars/matrix./vars.yml`): ```yaml -matrix_etherpad_enabled: true - -# Uncomment below if you'd like to install Etherpad on the Dimension domain (not recommended) -# matrix_etherpad_mode: dimension +etherpad_enabled: true # Uncomment below to enable the admin web UI -# matrix_etherpad_admin_username: admin -# matrix_etherpad_admin_password: some-password +# etherpad_admin_username: admin +# etherpad_admin_password: some-password ``` -If enabled, the admin web-UI should then be available on `https://etherpad./admin` (or `https://dimension./etherpad/admin`, if `matrix_etherpad_mode: dimension`) +Then, [run the installation process](installing.md) again (e.g. `just install-all`). + + +## Usage + +The Etherpad UI should be available at `https://etherpad.`, while the admin UI (if enabled) should then be available at `https://etherpad./admin`. + +If you've [decided on another hostname or path-prefix](#decide-on-a-domain-and-path) (e.g. `https://matrix.DOMAIN/etherpad`), adjust these URLs accordingly before usage. -## Managing / Deleting old pads +### Managing / Deleting old pads If you want to manage and remove old unused pads from Etherpad, you will first need to able Admin access as described above. -Then from the plugin manager page (`https://etherpad./admin/plugins` or `https://dimension./etherpad/admin/plugins`), install the `adminpads2` plugin. Once installed, you should have a "Manage pads" section in the Admin web-UI. +Then from the plugin manager page (`https://etherpad./admin/plugins`, install the `adminpads2` plugin. Once installed, you should have a "Manage pads" section in the Admin web-UI. 
-## How to use Etherpad widgets without an Integration Manager (like Dimension) +### How to use Etherpad widgets without an Integration Manager (like Dimension) This is how it works in Element, it might work quite similar with other clients: To integrate a standalone etherpad in a room, create your pad by visiting `https://etherpad.DOMAIN`. When the pad opens, copy the URL and send a command like this to the room: `/addwidget URL`. You will then find your integrated Etherpad within the right sidebar in the `Widgets` section. -## Set Dimension default to the self-hosted Etherpad (optional) +### Set Dimension default to the self-hosted Etherpad (optional) If you decided to install [Dimension integration manager](configuring-playbook-dimension.md) alongside Etherpad, the Dimension administrator users can configure the default URL template. The Dimension configuration menu can be accessed with the sprocket icon as you begin to add a widget to a room in Element. There you will find the Etherpad Widget Configuration action beneath the _Widgets_ tab. -### Removing the integrated Etherpad chat +#### Removing the integrated Etherpad chat -If you wish to disable the Etherpad chat button, you can do it by appending `?showChat=false` to the end of the pad URL, or the template. Examples: -- `https://etherpad./p/$roomId_$padName?showChat=false` (for the default - `matrix_etherpad_mode: standalone`) +If you wish to disable the Etherpad chat button, you can do it by appending `?showChat=false` to the end of the pad URL, or the template. -- `https://dimension./etherpad/p/$roomId_$padName?showChat=false` (for `matrix_etherpad_mode: dimension`) +Example: `https://etherpad./p/$roomId_$padName?showChat=false` -### Known issues +## Known issues If your Etherpad widget fails to load, this might be due to Dimension generating a Pad name so long, the Etherpad app rejects it. `$roomId_$padName` can end up being longer than 50 characters. 
You can avoid having this problem by altering the template so it only contains the three word random identifier `$padName`. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 6e40aba74..6acc7dded 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -304,7 +304,7 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-email2matrix.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'email2matrix']}] if matrix_email2matrix_enabled else []) + - ([{'name': 'matrix-etherpad.service', 'priority': 4000, 'groups': ['matrix', 'etherpad']}] if matrix_etherpad_enabled else []) + ([{'name': (etherpad_identifier + '.service'), 'priority': 4000, 'groups': ['matrix', 'etherpad']}] if etherpad_enabled else []) + ([{'name': (grafana_identifier + '.service'), 'priority': 4000, 'groups': ['matrix', 'monitoring', 'grafana']}] if grafana_enabled else []) + 
@@ -2208,29 +2208,55 @@ matrix_dimension_database_password: "{{ '%s' | format(matrix_homeserver_generic_ ###################################################################### # -# matrix-etherpad +# etke/etherpad # ###################################################################### -matrix_etherpad_enabled: false +etherpad_enabled: false -matrix_etherpad_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9001') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +etherpad_identifier: matrix-etherpad -matrix_etherpad_base_url: "{{ 'https://' + matrix_server_fqn_dimension + matrix_etherpad_public_endpoint if matrix_etherpad_mode == 'dimension' else 'https://' + matrix_server_fqn_etherpad + '/' }}" +etherpad_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}" -matrix_etherpad_systemd_required_services_list: | +etherpad_base_path: "{{ matrix_base_data_path }}/etherpad" + +etherpad_framing_enabled: "{{ matrix_dimension_enabled or matrix_jitsi_enabled }}" + +etherpad_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}" + +etherpad_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9001') if matrix_playbook_service_host_bind_interface_prefix else '' }}" + +etherpad_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else etherpad_identifier }}" + +etherpad_container_additional_networks: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + + + ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != etherpad_container_network else []) + ) | unique + }} + +etherpad_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" 
+etherpad_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +etherpad_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +etherpad_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +etherpad_systemd_required_services_list: | {{ ['docker.service'] + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) }} -matrix_etherpad_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" -matrix_etherpad_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'etherpad.db', rounds=655555) | to_uuid }}" +etherpad_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +etherpad_database_name: matrix_etherpad +etherpad_database_username: matrix_etherpad +etherpad_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'etherpad.db', rounds=655555) | to_uuid }}" ###################################################################### # -# /matrix-etherpad +# /etke/etherpad # ###################################################################### 
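Review bot: `etherpad_framing_enabled: "{{ matrix_dimension_enabled or matrix_jitsi_enabled }}"` is the one setting in this hunk that relaxes a browser-side protection, and it has no comment explaining why it is derived from those two toggles, unlike the commented settings elsewhere in this group_vars section. Suggest `# Etherpad is displayed inside iframes by Matrix room widgets (Dimension) and by Jitsi conferences, so only allow framing when one of those features is enabled.` Which header the external role actually relaxes is not visible here, so a comment stating the intent is sufficient.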
@@ -2298,9 +2324,9 @@ matrix_jitsi_web_stun_servers: | # If the self-hosted Etherpad instance is available, it will also show up in Jitsi conferences, # unless explicitly disabled by setting `matrix_jitsi_etherpad_enabled` to false. # Falls back to the scalar.vector.im etherpad in case someone sets `matrix_jitsi_etherpad_enabled` to true, -# while also setting `matrix_etherpad_enabled` to false. -matrix_jitsi_etherpad_enabled: "{{ matrix_etherpad_enabled }}" -matrix_jitsi_etherpad_base: "{{ matrix_etherpad_base_url if matrix_etherpad_enabled else 'https://scalar.vector.im/etherpad' }}" +# while also setting `etherpad_enabled` to false. +matrix_jitsi_etherpad_enabled: "{{ etherpad_enabled }}" +matrix_jitsi_etherpad_base: "{{ etherpad_base_url if etherpad_enabled else 'https://scalar.vector.im/etherpad' }}" # Allow verification using JWT and matrix-UVS matrix_jitsi_prosody_auth_matrix_uvs_auth_token: "{{ matrix_user_verification_service_uvs_auth_token }}" 
@@ -2468,7 +2494,7 @@ matrix_nginx_proxy_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled and matr matrix_nginx_proxy_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_rageshake_enabled: "{{ matrix_rageshake_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" -matrix_nginx_proxy_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}" +matrix_nginx_proxy_proxy_etherpad_enabled: "{{ etherpad_enabled and not etherpad_nginx_proxy_dimension_integration_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" @@ -2484,7 +2510,6 @@ matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_ent matrix_nginx_proxy_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true -matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}" matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" 
@@ -2576,7 +2601,7 @@ matrix_nginx_proxy_systemd_wanted_services_list: | + (['matrix-bot-go-neb.service'] if matrix_bot_go_neb_enabled else []) + - (['matrix-etherpad.service'] if matrix_etherpad_enabled else []) + ([etherpad_identifier + '.service'] if etherpad_enabled else []) + (['matrix-hookshot.service'] if matrix_hookshot_enabled else []) }} @@ -2597,7 +2622,7 @@ matrix_ssl_domains_to_obtain_certificates_for: | + ([matrix_server_fqn_dimension] if matrix_dimension_enabled else []) + - ([matrix_server_fqn_etherpad] if (matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone') else []) + ([matrix_server_fqn_etherpad] if (etherpad_enabled and not etherpad_nginx_proxy_dimension_integration_enabled) else []) + ([matrix_server_fqn_bot_go_neb] if matrix_bot_go_neb_enabled else []) + @@ -2888,10 +2913,10 @@ devture_postgres_managed_databases_auto: | }] if (matrix_dimension_enabled and matrix_dimension_database_engine == 'postgres' and matrix_dimension_database_hostname == devture_postgres_connection_hostname) else []) + ([{ - 'name': matrix_etherpad_database_name, - 'username': matrix_etherpad_database_username, - 'password': matrix_etherpad_database_password, - }] if (matrix_etherpad_enabled and matrix_etherpad_database_engine == 'postgres' and matrix_etherpad_database_hostname == devture_postgres_connection_hostname) else []) + 'name': etherpad_database_name, + 'username': etherpad_database_username, + 'password': etherpad_database_password, + }] if (etherpad_enabled and etherpad_database_engine == 'postgres' and etherpad_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': prometheus_postgres_exporter_database_name, diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index 6a8987bf9..6a66dc585 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml 
@@ -103,7 +103,8 @@ - custom/matrix-ldap-registration-proxy - custom/matrix-ma1sd - custom/matrix-dimension - - custom/matrix-etherpad + - galaxy/etherpad + - custom/etherpad-proxy-connect - custom/matrix-email2matrix - custom/matrix-sygnal - galaxy/ntfy diff --git a/requirements.yml b/requirements.yml index 3fc359f71..89d26802f 100644 --- a/requirements.yml +++ b/requirements.yml @@ -48,6 +48,9 @@ - src: git+https://gitlab.com/etke.cc/roles/redis.git version: v7.0.9-0 +- src: git+https://gitlab.com/etke.cc/roles/etherpad.git + version: v1.8.18-0 + - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git version: 4ec9187017cb7832f521fc273fabd0a873ca2736 diff --git a/roles/custom/etherpad-proxy-connect/defaults/main.yml b/roles/custom/etherpad-proxy-connect/defaults/main.yml new file mode 100644 index 000000000..83df826f8 --- /dev/null +++ b/roles/custom/etherpad-proxy-connect/defaults/main.yml @@ -0,0 +1,11 @@ +--- + +# etherpad-proxy-connect is a compatibility role connecting the new Etherpad role with matrix-nginx-proxy. +# It adds back support for serving Etherpad under the Dimension domain (`matrix_server_fqn_dimension`). + +# Controls whether Etherpad will be hosted under the Dimension domain when matrix-nginx-proxy is used (depending on matrix_playbook_reverse_proxy_type). +# If you're not using matrix-nginx-proxy, then this value has no effect. +etherpad_nginx_proxy_dimension_integration_enabled: false + +# Controls the path at which Etherpad will be exposed on the Dimension domain. +etherpad_nginx_proxy_dimension_integration_path_prefix: "{{ etherpad_path_prefix }}" diff --git a/roles/custom/matrix-etherpad/tasks/inject_into_nginx_proxy.yml b/roles/custom/etherpad-proxy-connect/tasks/inject_into_nginx_proxy.yml similarity index 81% rename from roles/custom/matrix-etherpad/tasks/inject_into_nginx_proxy.yml rename to roles/custom/etherpad-proxy-connect/tasks/inject_into_nginx_proxy.yml index e32cdf964..6252dba1c 100644 
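Review bot: In the `requirements.yml` hunk the new `etherpad` role is pinned to the tag `v1.8.18-0`, while the two devture roles shown directly below it are pinned to commit ids; a tag can be moved after publication, a commit id cannot, so the id pin is the stronger supply-chain control for a role that the playbook installs and runs. This is consistent with how the other gitlab.com/etke.cc roles in the same file (ntfy, redis) are pinned, so it is a project-wide convention rather than a defect of this hunk. A one-line comment above the etke.cc entries, e.g. `# etke.cc roles are pinned by release tag; devture roles by commit id`, would make the difference visibly deliberate.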
--- a/roles/custom/matrix-etherpad/tasks/inject_into_nginx_proxy.yml +++ b/roles/custom/etherpad-proxy-connect/tasks/inject_into_nginx_proxy.yml @@ -11,14 +11,14 @@ - name: Generate Etherpad proxying configuration for matrix-nginx-proxy ansible.builtin.set_fact: - matrix_etherpad_matrix_nginx_proxy_configuration: | - rewrite ^{{ matrix_etherpad_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_etherpad_public_endpoint }}/ permanent; + etherpad_matrix_nginx_proxy_configuration: | + rewrite ^{{ etherpad_nginx_proxy_dimension_integration_path_prefix }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ etherpad_nginx_proxy_dimension_integration_path_prefix }}/ permanent; - location {{ matrix_etherpad_public_endpoint }}/ { + location {{ etherpad_nginx_proxy_dimension_integration_path_prefix }}/ { {% if matrix_nginx_proxy_enabled | default(False) %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; - proxy_pass http://matrix-etherpad:9001/; + proxy_pass http://{{ etherpad_identifier }}:9001/; {# These are proxy directives needed specifically by Etherpad #} proxy_buffering off; proxy_http_version 1.1; # recommended with keepalive connections @@ -42,5 +42,5 @@ {{ matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks | default([]) + - [matrix_etherpad_matrix_nginx_proxy_configuration] + [etherpad_matrix_nginx_proxy_configuration] }} diff --git a/roles/custom/etherpad-proxy-connect/tasks/main.yml b/roles/custom/etherpad-proxy-connect/tasks/main.yml new file mode 100644 index 000000000..67bf7d0e3 --- /dev/null +++ b/roles/custom/etherpad-proxy-connect/tasks/main.yml 
@@ -0,0 +1,12 @@ +--- + +- when: etherpad_enabled | bool and etherpad_nginx_proxy_dimension_integration_enabled | bool + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" + tags: + - install-all + - setup-all + - install-nginx-proxy + - setup-nginx-proxy diff --git a/roles/custom/etherpad-proxy-connect/tasks/validate_config.yml b/roles/custom/etherpad-proxy-connect/tasks/validate_config.yml new file mode 100644 index 000000000..2127ce1a4 --- /dev/null +++ b/roles/custom/etherpad-proxy-connect/tasks/validate_config.yml 
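Review bot: Only the `inject_into_nginx_proxy.yml` include carries a `tags:` list, while the `validate_config.yml` include in the same `block` is untagged, so a tag-selected run (the docs hunk in this commit recommends `just install-all`, which reads as a tag-based invocation) would perform the nginx injection without first running the checks that guard it. Moving the `tags:` list from the second include up to the enclosing `block` makes both includes run under the same selection. Whatever the exact tag-inheritance behaviour of the pinned Ansible version, validation and injection should be selected by the same tags.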
@@ -0,0 +1,32 @@ +--- + +- when: matrix_playbook_reverse_proxy_type not in ['playbook-managed-nginx', 'other-nginx-non-container'] + name: Fail if reverse-proxy is not nginx + ansible.builtin.fail: + msg: > + Etherpad's integration into matrix-nginx-proxy's Dimension server only makes sense if you're using matrix-nginx-proxy. + `matrix_playbook_reverse_proxy_type` ({{ matrix_playbook_reverse_proxy_type }}) indicates that you're using another reverse-proxy. + If you're using Traefik, you should configure `etherpad_hostname` and `etherpad_path_prefix` instead. + +- when: not matrix_dimension_enabled + name: Fail if Dimension not enabled + ansible.builtin.fail: + msg: > + Etherpad's integration into matrix-nginx-proxy's Dimension server only makes sense if you're using Dimension. + Looks like Dimension is not enabled in your configuration (judging by `matrix_dimension_enabled`). + Consider configuring `etherpad_hostname` and `etherpad_path_prefix` instead. + +- when: etherpad_hostname != matrix_server_fqn_dimension + name: Fail if Etherpad hostname does not match Dimension hostname + ansible.builtin.fail: + msg: > + Etherpad's integration into matrix-nginx-proxy's Dimension server requires that you set `etherpad_hostname` to `matrix_server_fqn_dimension`. + Consider adding this to your configuration: `{% raw %}etherpad_hostname: "{{ matrix_server_fqn_dimension }}"{% endraw %}` + +- when: etherpad_nginx_proxy_dimension_integration_path_prefix == '/' + name: Fail if / path prefix used for Etherpad + ansible.builtin.fail: + msg: > + Etherpad's integration into matrix-nginx-proxy's Dimension server only makes sense if you're using a non-`/` path for Etherpad. + You've chosen a path prefix of `/` in `etherpad_nginx_proxy_dimension_integration_path_prefix`. + The `/` path must go to Dimension itself, so you need to pick a different prefix (e.g. `/etherpad`). 
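Review bot: The last check rejects a prefix of exactly `/` but not one with a trailing slash such as `/etherpad/`, and the `inject_into_nginx_proxy.yml` hunk appends its own `/` (`location {{ prefix }}/`, `rewrite ^{{ prefix }}$ ...`), so such a value produces `location /etherpad//` and a rewrite that never matches the bare prefix. A leading `/` is likewise assumed by that template but not checked here. Adding a failing task next to the existing ones keeps the failure at configuration time rather than at nginx reload.
```yaml
# … unchanged: the four existing fail tasks …

- when: etherpad_nginx_proxy_dimension_integration_path_prefix.endswith('/')
  name: Fail if Etherpad path prefix ends with a slash
  ansible.builtin.fail:
    msg: >
      `etherpad_nginx_proxy_dimension_integration_path_prefix` ({{ etherpad_nginx_proxy_dimension_integration_path_prefix }}) must not end with `/`,
      because the generated matrix-nginx-proxy configuration appends `/` to it itself (e.g. use `/etherpad`, not `/etherpad/`).
```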
diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index 403af983c..98a2167ed 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml @@ -72,7 +72,7 @@ matrix_server_fqn_buscarron: "buscarron.{{ matrix_domain }}" # This is where you access the Dimension. matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}" -# This is where you access the etherpad (if enabled via matrix_etherpad_enabled; disabled by default). +# This is where you access the etherpad (if enabled via etherpad_enabled; disabled by default). matrix_server_fqn_etherpad: "etherpad.{{ matrix_domain }}" # For use with Go-NEB! (github callback url for example) diff --git a/roles/custom/matrix-etherpad/defaults/main.yml b/roles/custom/matrix-etherpad/defaults/main.yml deleted file mode 100644 index 874e9a300..000000000 --- a/roles/custom/matrix-etherpad/defaults/main.yml +++ /dev/null 
@@ -1,102 +0,0 @@ ---- -# Project source code URL: https://github.com/ether/etherpad-lite - -matrix_etherpad_enabled: false - -# standalone = etherpad installed on subdomain (etherpad.DOMAIN) and can be used as-is -# dimension = etherpad installed in subdir of dimension (dimension.DOMAIN/etherpad) and can be used with dimension -matrix_etherpad_mode: standalone - -matrix_etherpad_base_path: "{{ matrix_base_data_path }}/etherpad" - -matrix_etherpad_version: 1.8.18 -matrix_etherpad_docker_image: "{{ matrix_container_global_registry_prefix }}etherpad/etherpad:{{ matrix_etherpad_version }}" -matrix_etherpad_docker_image_force_pull: "{{ matrix_etherpad_docker_image.endswith(':latest') }}" - -# List of systemd services that matrix-etherpad.service depends on. -matrix_etherpad_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-etherpad.service wants -matrix_etherpad_systemd_wanted_services_list: [] - -# Container user has to be able to write to the source file directories until this bug is fixed: -# https://github.com/ether/etherpad-lite/issues/2683 -matrix_etherpad_user_uid: '5001' -matrix_etherpad_user_gid: '5001' - -# Controls whether the matrix-etherpad container exposes its HTTP port (tcp/9001 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:9001"), or empty string to not expose. -matrix_etherpad_container_http_host_bind_port: '' - -# A list of extra arguments to pass to the container -matrix_etherpad_container_extra_arguments: [] - -# Used only when `matrix_etherpad_mode: dimension` -matrix_etherpad_public_endpoint: '/etherpad' - -# By default, the Etherpad app can be accessed on etherpad subdomain -matrix_etherpad_base_url: "https://{{ matrix_server_fqn_etherpad }}/" - -# Database-related configuration fields. 
-# -# Etherpad requires a dedicated database -matrix_etherpad_database_engine: 'postgres' - -matrix_etherpad_database_username: 'matrix_etherpad' -matrix_etherpad_database_password: 'some-password' -matrix_etherpad_database_hostname: '' -matrix_etherpad_database_port: 5432 -matrix_etherpad_database_name: 'matrix_etherpad' - -# If a admin username and password is set, the /admin web page will be -# available. -matrix_etherpad_admin_username: '' -matrix_etherpad_admin_password: '' - -matrix_etherpad_database_connection_string: 'postgres://{{ matrix_etherpad_database_username }}:{{ matrix_etherpad_database_password }}@{{ matrix_etherpad_database_hostname }}:{{ matrix_etherpad_database_port }}/{{ matrix_etherpad_database_name }}' - -# Variables configuring the etherpad -matrix_etherpad_title: 'Etherpad' -matrix_etherpad_abiword: null -matrix_etherpad_soffice: null -matrix_etherpad_default_pad_text: | - Welcome to Etherpad! - - This pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents! - - Get involved with Etherpad at https://etherpad.org - -# Default Etherpad configuration template which covers the generic use case. -# You can customize it by controlling the various variables inside it. -# -# For a more advanced customization, you can extend the default (see `matrix_etherpad_configuration_extension_json`) -# or completely replace this variable with your own template. -matrix_etherpad_configuration_default: "{{ lookup('template', 'templates/settings.json.j2') }}" - -# Your custom JSON configuration for Etherpad goes here. -# This configuration extends the default starting configuration (`matrix_etherpad_configuration_json`). -# -# You can override individual variables from the default configuration, or introduce new ones. -# -# If you need something more special, you can take full control by -# completely redefining `matrix_etherpad_configuration_json`. 
-# -# Example configuration extension follows: -# -# matrix_etherpad_configuration_extension_json: | -# { -# "loadTest": true, -# "commitRateLimiting": { -# "duration": 1, -# "points": 10 -# } -# } -# -matrix_etherpad_configuration_extension_json: '{}' - -matrix_etherpad_configuration_extension: "{{ matrix_etherpad_configuration_extension_json | from_json if matrix_etherpad_configuration_extension_json | from_json is mapping else {} }}" - -# Holds the final Etherpad configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `matrix_etherpad_configuration_json`. -matrix_etherpad_configuration: "{{ matrix_etherpad_configuration_default | combine(matrix_etherpad_configuration_extension, recursive=True) }}" diff --git a/roles/custom/matrix-etherpad/tasks/main.yml b/roles/custom/matrix-etherpad/tasks/main.yml deleted file mode 100644 index eaafd98a9..000000000 --- a/roles/custom/matrix-etherpad/tasks/main.yml +++ /dev/null @@ -1,29 +0,0 @@ ---- - -- block: - - when: matrix_etherpad_enabled | bool and matrix_etherpad_mode == 'dimension' - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: - - setup-all - - setup-nginx-proxy - - install-all - - install-nginx-proxy - -- block: - - when: matrix_etherpad_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - - - when: matrix_etherpad_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: - - setup-all - - setup-etherpad - - install-all - - install-etherpad - -- block: - - when: not matrix_etherpad_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-etherpad diff --git a/roles/custom/matrix-etherpad/tasks/setup_install.yml b/roles/custom/matrix-etherpad/tasks/setup_install.yml deleted file mode 100644 index d4e2952e9..000000000 
--- a/roles/custom/matrix-etherpad/tasks/setup_install.yml +++ /dev/null @@ -1,34 +0,0 @@ ---- - -- name: Ensure Etherpad base path exists - ansible.builtin.file: - path: "{{ matrix_etherpad_base_path }}" - state: directory - mode: 0770 - owner: "{{ matrix_etherpad_user_uid }}" - group: "{{ matrix_etherpad_user_gid }}" - -- name: Ensure Etherpad config installed - ansible.builtin.copy: - content: "{{ matrix_etherpad_configuration | to_nice_json }}" - dest: "{{ matrix_etherpad_base_path }}/settings.json" - mode: 0640 - owner: "{{ matrix_etherpad_user_uid }}" - group: "{{ matrix_etherpad_user_gid }}" - -- name: Ensure Etherpad image is pulled - community.docker.docker_image: - name: "{{ matrix_etherpad_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_etherpad_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_etherpad_docker_image_force_pull }}" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure matrix-etherpad.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-etherpad.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-etherpad.service" - mode: 0644 diff --git a/roles/custom/matrix-etherpad/tasks/setup_uninstall.yml b/roles/custom/matrix-etherpad/tasks/setup_uninstall.yml deleted file mode 100644 index e03829845..000000000 --- a/roles/custom/matrix-etherpad/tasks/setup_uninstall.yml +++ /dev/null 
@@ -1,25 +0,0 @@ ---- - -- name: Check existence of matrix-etherpad service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-etherpad.service" - register: matrix_etherpad_service_stat - -- when: matrix_etherpad_service_stat.stat.exists | bool - block: - - name: Ensure matrix-etherpad is stopped - ansible.builtin.service: - name: matrix-etherpad - state: stopped - enabled: false - daemon_reload: true - - - name: Ensure matrix-etherpad.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-etherpad.service" - state: absent - - - name: Ensure Etherpad base directory doesn't exist - ansible.builtin.file: - path: "{{ matrix_etherpad_base_path }}" - state: absent diff --git a/roles/custom/matrix-etherpad/tasks/validate_config.yml b/roles/custom/matrix-etherpad/tasks/validate_config.yml deleted file mode 100644 index 2bc773a63..000000000 --- a/roles/custom/matrix-etherpad/tasks/validate_config.yml +++ /dev/null 
@@ -1,15 +0,0 @@ ---- - -- name: Fail if required Etherpad settings not defined - ansible.builtin.fail: - msg: > - You need to define a required configuration setting (`{{ item.name }}`). - when: "item.when | bool and vars[item.name] == ''" - with_items: - - {'name': 'matrix_etherpad_database_hostname', when: true} - -- name: Fail if wrong mode selected - ansible.builtin.fail: - msg: >- - You're using Etherpad in 'dimension' mode (`matrix_etherpad_serving_mode: dimension`), which tries to host Etherpad at the Dimension subdomain - `{{ matrix_server_fqn_dimension }}`. However, this isn't possible because Dimension is not enabled. To resolve the problem, either enable Dimension (`matrix_dimension_enabled: true`) or switch Etherpad to standalone mode (`matrix_etherpad_mode: standalone`) and have it served on its own domain (`{{ matrix_server_fqn_etherpad }}`). - when: matrix_etherpad_enabled | bool and matrix_etherpad_mode == 'dimension' and not matrix_dimension_enabled | default(False) | bool diff --git a/roles/custom/matrix-etherpad/templates/settings.json.j2 b/roles/custom/matrix-etherpad/templates/settings.json.j2 deleted file mode 100644 index cc45d1905..000000000 --- a/roles/custom/matrix-etherpad/templates/settings.json.j2 +++ /dev/null 
@@ -1,116 +0,0 @@ -{ - "title": {{ matrix_etherpad_title|to_json }}, - "favicon": "favicon.ico", - "skinName": "colibris", - "skinVariants": "super-light-toolbar super-light-editor light-background", - "ip": "::", - "port": 9001, - "showSettingsInAdminPage": true, - "dbType": {{ matrix_etherpad_database_engine|to_json }}, - "dbSettings": { - "database": {{ matrix_etherpad_database_name|to_json }}, - "host": {{ matrix_etherpad_database_hostname|to_json }}, - "password": {{ matrix_etherpad_database_password|to_json }}, - "port": {{ matrix_etherpad_database_port|to_json }}, - "user": {{ matrix_etherpad_database_username|to_json }} - }, - "defaultPadText" : {{ matrix_etherpad_default_pad_text|to_json }}, - "suppressErrorsInPadText": false, - "requireSession": false, - "editOnly": false, - "minify": true, - "maxAge": 21600, - "abiword": {{ matrix_etherpad_abiword|to_json }}, - "soffice": {{ matrix_etherpad_soffice|to_json }}, - "tidyHtml": null, - "allowUnknownFileEnds": true, - "requireAuthentication": false, - "requireAuthorization": false, - "trustProxy": true, - "cookie": { - "sameSite": "Lax" - }, - "disableIPlogging": true, - "automaticReconnectionTimeout": 0, - "scrollWhenFocusLineIsOutOfViewport": { - "percentage": { - "editionAboveViewport": 0, - "editionBelowViewport": 0 - }, - "duration": 0, - "scrollWhenCaretIsInTheLastLineOfViewport": false, - "percentageToScrollWhenUserPressesArrowUp": 0 - }, - "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"], - "socketIo": { - "maxHttpBufferSize": 10000 - }, - "loadTest": false, - "dumpOnUncleanExit": false, - "indentationOnNewLine": false, - "importExportRateLimiting": { - "windowMs": 90000, - "max": 10 - }, - "importMaxFileSize": 52428800, - "commitRateLimiting": { - "duration": 1, - "points": 10 - }, - "exposeVersion": false, - "padOptions": { - "noColors": false, - "showControls": true, - "showChat": false, - "showLineNumbers": true, - "useMonospaceFont": false, - "userName": false, - 
"userColor": false, - "rtl": false, - "alwaysShowChat": false, - "chatAndUsers": false, - "lang": "en-gb" - }, -{% if matrix_etherpad_admin_username != "" and matrix_etherpad_admin_password != "" %} - "users": { - {{ matrix_etherpad_admin_username|to_json }}: { - "password": {{ matrix_etherpad_admin_password|to_json }}, - "is_admin": true - } - }, -{% endif %} - "padShortcutEnabled" : { - "altF9": true, - "altC": true, - "cmdShift2": true, - "delete": true, - "return": true, - "esc": true, - "cmdS": true, - "tab": true, - "cmdZ": true, - "cmdY": true, - "cmdI": true, - "cmdB": true, - "cmdU": true, - "cmd5": true, - "cmdShiftL": true, - "cmdShiftN": true, - "cmdShift1": true, - "cmdShiftC": true, - "cmdH": true, - "ctrlHome": true, - "pageUp": true, - "pageDown": true - }, - "loglevel": "WARN", - "logconfig" : - { "appenders": [ - { "type": "console", - "layout": {"type": "messagePassThrough"} - } - ] - }, - "customLocaleStrings": {}, - "enableAdminUITests": false -} diff --git a/roles/custom/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 b/roles/custom/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 deleted file mode 100644 index e0a104815..000000000 --- a/roles/custom/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 +++ /dev/null 
@@ -1,44 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix Etherpad -{% for service in matrix_etherpad_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_etherpad_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} kill matrix-etherpad -ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} rm matrix-etherpad - -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-etherpad \ - --log-driver=none \ - --user={{ matrix_etherpad_user_uid }}:{{ matrix_etherpad_user_gid }} \ - --cap-drop=ALL \ - --network={{ matrix_docker_network }} \ - {% if matrix_etherpad_container_http_host_bind_port %} - -p {{ matrix_etherpad_container_http_host_bind_port }}:9001 \ - {% endif %} - --mount type=bind,src={{ matrix_etherpad_base_path }},dst=/data \ - {% for arg in matrix_etherpad_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_etherpad_docker_image }} \ - node --experimental-worker src/node/server.js \ - --settings /data/settings.json --credentials /data/credentials.json \ - --sessionkey /data/sessionkey.json --apikey /data/apijey.json - - -ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} kill matrix-etherpad -ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} rm matrix-etherpad -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-etherpad - -[Install] -WantedBy=multi-user.target diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index 27978cae9..daabcdb90 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml 
@@ -63,11 +63,6 @@ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: "Host( matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint: "{{ matrix_federation_traefik_entrypoint }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints: "{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint }}" -matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: false -matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_hostname: "{{ matrix_server_fqn_etherpad }}" -matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" -matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_hostname }}`)" - matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: false matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }}" matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2 index 0aff6a05a..4cf78b2e0 100644 --- a/roles/custom/matrix-nginx-proxy/templates/labels.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2 
@@ -39,18 +39,6 @@ traefik.http.routers.matrix-nginx-proxy-matrix-federation.entrypoints={{ matrix_ {% endif %} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled %} -# Etherpad -traefik.http.routers.matrix-nginx-proxy-etherpad.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_rule }} -traefik.http.routers.matrix-nginx-proxy-etherpad.service=matrix-nginx-proxy-web -traefik.http.routers.matrix-nginx-proxy-etherpad.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls | to_json }} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls %} -traefik.http.routers.matrix-nginx-proxy-etherpad.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} -{% endif %} -traefik.http.routers.matrix-nginx-proxy-etherpad.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} -{% endif %} - - {% if matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled %} # Go NEB bot traefik.http.routers.matrix-nginx-proxy-bot_go_neb.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_rule }} From 795c3353958a9877616faf0c49c0bd09ee96ff9e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 2 Mar 2023 22:58:45 +0200 Subject: [PATCH 552/915] Upgrade Etherpad role (v1.8.18-0 -> v1.8.18-1) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 89d26802f..d3fdefff4 100644 --- a/requirements.yml +++ b/requirements.yml @@ -49,7 +49,7 @@ version: v7.0.9-0 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git - version: v1.8.18-0 + version: v1.8.18-1 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git version: 4ec9187017cb7832f521fc273fabd0a873ca2736 From 849248b165b2e1b8a35babe9f49f5ebf05935a71 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Thu, 2 Mar 2023 23:00:18 +0200 Subject: [PATCH 553/915] Upgrade Etherpad role (v1.8.18-1 -> v1.8.18-2) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index d3fdefff4..dc1c9d564 100644 --- a/requirements.yml +++ b/requirements.yml @@ -49,7 +49,7 @@ version: v7.0.9-0 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git - version: v1.8.18-1 + version: v1.8.18-2 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git version: 4ec9187017cb7832f521fc273fabd0a873ca2736 From 47cfec726f1e640fe28dbb28f12ef7c34e01af23 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 3 Mar 2023 06:18:52 +0000 Subject: [PATCH 554/915] update grafana 9.4.1 -> 9.4.2 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index dc1c9d564..025c285c7 100644 --- a/requirements.yml +++ b/requirements.yml @@ -40,7 +40,7 @@ version: v1.2.3-1.7.7-1 - src: git+https://gitlab.com/etke.cc/roles/grafana.git - version: v9.4.1-0 + version: v9.4.2-0 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git version: v2.1.1-0 From bb19de4a5f63e47fadd46aba65802338b69b6fd9 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 3 Mar 2023 06:21:26 +0000 Subject: [PATCH 555/915] update borgmatic 1.7.7 -> 1.7.8 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index dc1c9d564..4ffbce134 100644 --- a/requirements.yml +++ b/requirements.yml @@ -37,7 +37,7 @@ version: v0.11.1-2 - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git - version: v1.2.3-1.7.7-1 + version: v1.2.3-1.7.8-0 - src: git+https://gitlab.com/etke.cc/roles/grafana.git version: v9.4.1-0 From 49b7d805ee3d03893a3208f0bef9b9d4fc8452a2 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Fri, 3 Mar 2023 08:58:23 +0200 Subject: [PATCH 556/915] Upgrade com.devture.ansible.role.traefik --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 025c285c7..edb58785d 100644 --- a/requirements.yml +++ b/requirements.yml @@ -52,7 +52,7 @@ version: v1.8.18-2 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: 4ec9187017cb7832f521fc273fabd0a873ca2736 + version: v2.9.8-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: 55051deb663f7a30bf01637df7dd6b6bc2a7ce00 From 0dcfc74fc83b947ad2f841940ed7b31e86c2ba9e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Mar 2023 08:59:57 +0200 Subject: [PATCH 557/915] Upgrade com.devture.ansible.role.traefik_certs_dumper --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index edb58785d..dbe3ded9e 100644 --- a/requirements.yml +++ b/requirements.yml @@ -55,4 +55,4 @@ version: v2.9.8-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git - version: 55051deb663f7a30bf01637df7dd6b6bc2a7ce00 + version: v2.8.1-0 From 70b67b12bcf60d89efc19ea7cce4f7c63d3df955 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Mar 2023 09:04:13 +0200 Subject: [PATCH 558/915] Upgrade com.devture.ansible.role.postgres_backup --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index dbe3ded9e..b2fd25ec3 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -22,7 +22,7 @@ version: a1bb78d194434b38005f3a9e623bfa4b2c06c7bc - src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git - version: 77b1f9ae1aafa31c9078178c1036bf744c99d08b + version: 8e9ec48a09284c84704d7a2dce17da35f181574d - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git version: 6ccb88ac5fc27e1e70afcd48278ade4b564a9096 From f8966cd8da533516aa1466fb2838045c4c1200cc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Mar 2023 09:47:05 +0200 Subject: [PATCH 559/915] Default etherpad_hostname to matrix_server_fqn_etherpad for backward compatibility --- group_vars/matrix_servers | 2 ++ 1 file changed, 2 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 6acc7dded..7f1a729f5 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2222,6 +2222,8 @@ etherpad_base_path: "{{ matrix_base_data_path }}/etherpad" etherpad_framing_enabled: "{{ matrix_dimension_enabled or matrix_jitsi_enabled }}" +etherpad_hostname: "{{ matrix_server_fqn_etherpad }}" + etherpad_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}" etherpad_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9001') if matrix_playbook_service_host_bind_interface_prefix else '' }}" From e588f5eaec2329c1217b54a709cfdf5385067638 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 3 Mar 2023 07:47:47 +0000 Subject: [PATCH 560/915] update grafana 9.4.2 -> 9.4.3 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 5154cc73b..3dd089131 100644 --- a/requirements.yml +++ b/requirements.yml @@ -40,7 +40,7 @@ version: v1.2.3-1.7.8-0 - src: git+https://gitlab.com/etke.cc/roles/grafana.git - version: v9.4.2-0 + version: v9.4.3-0 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git version: v2.1.1-0 
From 6085e3a8163cb497ed27e1002d5cd02438a736fe Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Mar 2023 10:37:51 +0200 Subject: [PATCH 561/915] Add validation tasks for Etherpad migration (matrix_etherpad -> etherpad) --- .../matrix_playbook_migration/defaults/main.yml | 3 +++ .../tasks/validate_config.yml | 15 +++++++++++++++ 2 files changed, 18 insertions(+) diff --git a/roles/custom/matrix_playbook_migration/defaults/main.yml b/roles/custom/matrix_playbook_migration/defaults/main.yml index 514125ec0..dbc3b3b86 100644 --- a/roles/custom/matrix_playbook_migration/defaults/main.yml +++ b/roles/custom/matrix_playbook_migration/defaults/main.yml @@ -17,3 +17,6 @@ matrix_playbook_migration_matrix_ntfy_migration_validation_enabled: true # Controls if (`matrix_redis` -> `redis`) validation will run. matrix_playbook_migration_matrix_redis_migration_validation_enabled: true + +# Controls if (`matrix_etherpad` -> `etherpad`) validation will run. +matrix_playbook_migration_matrix_etherpad_migration_validation_enabled: true diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index 2241d5023..296f2dafb 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml 
@@ -141,3 +141,18 @@
 Please change your configuration (vars.yml) to rename all variables (`matrix_redis_` -> `redis_`).
 We found usage of the following variables: {{ matrix_playbook_migration_redis_migration_vars.keys() | join(', ') }}
 when: "matrix_playbook_migration_redis_migration_vars | length > 0"
+
+- when: matrix_playbook_migration_matrix_etherpad_migration_validation_enabled | bool
+ block:
+ - ansible.builtin.set_fact:
+ matrix_playbook_migration_etherpad_migration_vars: |-
+ {{ vars | dict2items | selectattr('key', 'match', 'matrix_etherpad_.*') | list | items2dict }}
+
+ - name: (Deprecation) Catch and report matrix_etherpad variables
+ ansible.builtin.fail:
+ msg: >-
+ The matrix-etherpad role that used to be part of this playbook has been replaced by https://gitlab.com/etke.cc/roles/etherpad.
+ The new role is compatible with the old one, but uses different names for its variables.
+ Please change your configuration (vars.yml) to rename all variables (`matrix_etherpad_` -> `etherpad_`).
+ We found usage of the following variables: {{ matrix_playbook_migration_etherpad_migration_vars.keys() | join(', ') }}
+ when: "matrix_playbook_migration_etherpad_migration_vars | length > 0"
From 10b53503704d192d29008745f7d9c28e38f58e25 Mon Sep 17 00:00:00 2001
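Review bot: The `set_fact` task in the new block carries no `name:`, unlike the `fail` task right below it, so the play output shows an anonymous task; `- name: Collect matrix_etherpad_* variables still present in the configuration` would make it consistent. It is also worth recording why the message prints only `.keys()`: the defaults of the removed role (deleted earlier on this page) included `matrix_etherpad_database_password` and `matrix_etherpad_admin_password`, so echoing values would copy secrets into the Ansible log — e.g. `# Only variable names are reported; the values may contain secrets.` above the `fail` task. The `match` test anchors at the start of the key, so the validation toggle added in this same commit does not match itself. The enclosing task file starts before this hunk.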
From: Slavi Pantaleev Date: Fri, 3 Mar 2023 10:38:38 +0200 Subject: [PATCH 562/915] Add Traefik support to Go-NEB bot Completely untested. --- docs/configuring-playbook-bot-go-neb.md | 29 ++++- group_vars/matrix_servers | 31 ++++- .../matrix-bot-go-neb/defaults/main.yml | 118 +++++++++++++++++- .../tasks/{setup_install.yml => install.yml} | 49 ++++---- roles/custom/matrix-bot-go-neb/tasks/main.yml | 4 +- .../{setup_uninstall.yml => uninstall.yml} | 0 .../custom/matrix-bot-go-neb/templates/env.j2 | 8 ++ .../matrix-bot-go-neb/templates/labels.j2 | 45 +++++++ .../systemd/matrix-bot-go-neb.service.j2 | 22 ++-- .../matrix-nginx-proxy/defaults/main.yml | 5 - .../matrix-nginx-proxy/templates/labels.j2 | 12 -- 11 files changed, 265 insertions(+), 58 deletions(-) rename roles/custom/matrix-bot-go-neb/tasks/{setup_install.yml => install.yml} (63%) rename roles/custom/matrix-bot-go-neb/tasks/{setup_uninstall.yml => uninstall.yml} (100%) create mode 100644 roles/custom/matrix-bot-go-neb/templates/env.j2 create mode 100644 roles/custom/matrix-bot-go-neb/templates/labels.j2 diff --git a/docs/configuring-playbook-bot-go-neb.md b/docs/configuring-playbook-bot-go-neb.md index 6ec2056c0..77351de26 100644 --- a/docs/configuring-playbook-bot-go-neb.md +++ b/docs/configuring-playbook-bot-go-neb.md 
@@ -24,6 +24,31 @@ ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.go-neb Once the user is created you can [obtain an access token](obtaining-access-tokens.md). +## Decide on a domain and path + +By default, Go-NEB is configured to use its own dedicated domain (`goneb.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records). + +You can override the domain and path like this: + +```yaml +# Switch to the domain used for Matrix services (`matrix.DOMAIN`), +# so we won't need to add additional DNS records for Go-NEB. +matrix_bot_go_neb_hostname: "{{ matrix_server_fqn_matrix }}" + +# Expose under the /go-neb subpath +matrix_bot_go_neb_path_prefix: /go-neb +``` + +**NOTE**: When using `matrix-nginx-proxy` instead of Traefik, you won't be able to override the path prefix. You can only override the domain, but that needs to happen using another variable: `matrix_server_fqn_go_neb` (e.g. `matrix_server_fqn_go_neb: "mybot.{{ matrix_domain }}"`). + + +## Adjusting DNS records + +Once you've decided on the domain and path, **you may need to adjust your DNS** records to point the Go-NEB domain to the Matrix server. + +If you've decided to reuse the `matrix.` domain, you won't need to do any extra DNS configuration. + + ## Adjusting the playbook configuration Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs): @@ -193,9 +218,7 @@ matrix_bot_go_neb_services: ## Installing -Don't forget to add `goneb.` to DNS as described in [Configuring DNS](configuring-dns.md) before running the playbook. - -After configuring the playbook, run the [installation](installing.md) command again: +After potentially [adjusting DNS records](#adjusting-dns-records) and configuring the playbook, run the [installation](installing.md) command again: ``` ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start 
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 7f1a729f5..0a3ff00bc 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -1829,17 +1829,41 @@ matrix_bot_chatgpt_container_image_self_build: "{{ matrix_architecture not in [' # We don't enable bots by default. matrix_bot_go_neb_enabled: false +matrix_bot_go_neb_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}" + +matrix_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }}" + +matrix_bot_go_neb_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-bot-go-neb' }}" + +matrix_bot_go_neb_container_additional_networks: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + + + ([matrix_homeserver_container_network] if matrix_homeserver_container_network != matrix_bot_go_neb_container_network else []) + + + ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != matrix_bot_go_neb_container_network else []) + ) | unique + }} + +matrix_bot_go_neb_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '4050') if matrix_playbook_service_host_bind_interface_prefix else '' }}" + +matrix_bot_go_neb_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" +matrix_bot_go_neb_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_bot_go_neb_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_bot_go_neb_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + matrix_bot_go_neb_systemd_required_services_list: | {{ ['docker.service'] + ['matrix-' + matrix_homeserver_implementation + '.service'] + + ([devture_postgres_identifier + '.service'] if devture_postgres_enabled else []) + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_bot_go_neb_container_http_host_bind_port: "{{ 
(matrix_playbook_service_host_bind_interface_prefix ~ '4050') if matrix_playbook_service_host_bind_interface_prefix else '' }}" - ###################################################################### # # /matrix-bot-go-neb @@ -2497,7 +2521,7 @@ matrix_nginx_proxy_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled and matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_rageshake_enabled: "{{ matrix_rageshake_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_etherpad_enabled: "{{ etherpad_enabled and not etherpad_nginx_proxy_dimension_integration_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" -matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" +matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" matrix_nginx_proxy_proxy_jitsi_manage_wellknown: "{{ matrix_jitsi_require_well_known }}" @@ -2512,7 +2536,6 @@ matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_ent matrix_nginx_proxy_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true -matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}" 
diff --git a/roles/custom/matrix-bot-go-neb/defaults/main.yml b/roles/custom/matrix-bot-go-neb/defaults/main.yml
index 61c5d54d4..39b97b088 100644
--- a/roles/custom/matrix-bot-go-neb/defaults/main.yml
+++ b/roles/custom/matrix-bot-go-neb/defaults/main.yml
@@ -1,11 +1,22 @@
 ---
+
 # Go-NEB is a Matrix bot written in Go. It is the successor to Matrix-NEB, the original Matrix bot written in Python.
 # Project source code URL: https://github.com/matrix-org/go-neb
 matrix_bot_go_neb_enabled: true
+
 matrix_bot_go_neb_version: latest
-matrix_bot_go_neb_docker_image: "matrixdotorg/go-neb:{{ matrix_bot_go_neb_version }}"
-matrix_bot_go_neb_docker_image_force_pull: "{{ matrix_bot_go_neb_docker_image.endswith(':latest') }}"
+
+matrix_bot_go_neb_scheme: https
+
+# The hostname at which Go-NEB is served.
+matrix_bot_go_neb_hostname: ''
+
+# The path at which Go-NEB is exposed.
+# This value must either be `/` or not end with a slash (e.g. `/go-neb`).
+matrix_bot_go_neb_path_prefix: /
+
+matrix_bot_go_neb_base_url: "{{ matrix_bot_go_neb_scheme }}://{{ matrix_bot_go_neb_hostname }}{{ matrix_bot_go_neb_path_prefix }}{{ '' if matrix_bot_go_neb_path_prefix == '/' else '/' }}"
 matrix_bot_go_neb_base_path: "{{ matrix_base_data_path }}/go-neb"
 matrix_bot_go_neb_config_path: "{{ matrix_bot_go_neb_base_path }}/config"
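Review bot: `matrix_bot_go_neb_docker_image` and `matrix_bot_go_neb_docker_image_force_pull` are removed here and replaced by `matrix_bot_go_neb_container_image*` in the next hunk, but nothing in the commit catches inventories that still override the old names (the diffstat lists no `matrix_playbook_migration` change), so such an override is silently ignored and the bot keeps pulling the default image. The commit just above this one added a `(Deprecation)` fail task for the `matrix_etherpad_*` rename; a matching check for `matrix_bot_go_neb_docker_image*` would keep the playbook's migration handling consistent. Separately, `matrix_bot_go_neb_hostname` now defaults to `''`, which makes `matrix_bot_go_neb_base_url` render as a scheme with no host when the role is used without the `group_vars` line that sets it to `matrix_server_fqn_bot_go_neb`; unless a validation task outside this view rejects the empty value, a comment such as `# Must be set; group_vars/matrix_servers defaults it to matrix_server_fqn_bot_go_neb.` would help. The file continues in the next hunk, which is cut off at the end of this view.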
@@ -13,11 +24,63 @@ matrix_bot_go_neb_config_path_in_container: "/config/config.yaml" matrix_bot_go_neb_data_path: "{{ matrix_bot_go_neb_base_path }}/data" matrix_bot_go_neb_data_store_path: "{{ matrix_bot_go_neb_data_path }}/store" +matrix_bot_go_neb_container_image: "{{ matrix_bot_go_neb_container_image_registry_prefix }}matrixdotorg/go-neb:{{ matrix_bot_go_neb_container_image_tag }}" +matrix_bot_go_neb_container_image_tag: "{{ matrix_bot_go_neb_version }}" +matrix_bot_go_neb_container_image_force_pull: "{{ matrix_bot_go_neb_container_image.endswith(':latest') }}" +matrix_bot_go_neb_container_image_registry_prefix: docker.io/ + +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_bot_go_neb_container_network: matrix-bot-go-neb + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_bot_go_neb_container_additional_networks: [] + # Controls whether the matrix-bot-go-neb container exposes its HTTP port (tcp/4050 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:4050"), or empty string to not expose. matrix_bot_go_neb_container_http_host_bind_port: '' +# matrix_bot_go_neb_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_bot_go_neb_container_labels_additional_labels`. +matrix_bot_go_neb_container_labels_traefik_enabled: true +matrix_bot_go_neb_container_labels_traefik_docker_network: "{{ matrix_bot_go_neb_container_network }}" +matrix_bot_go_neb_container_labels_traefik_hostname: "{{ matrix_bot_go_neb_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/go-neb`). 
+matrix_bot_go_neb_container_labels_traefik_path_prefix: "{{ matrix_bot_go_neb_path_prefix }}" +matrix_bot_go_neb_container_labels_traefik_rule: "Host(`{{ matrix_bot_go_neb_container_labels_traefik_hostname }}`){% if matrix_bot_go_neb_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_bot_go_neb_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_bot_go_neb_container_labels_traefik_priority: 0 +matrix_bot_go_neb_container_labels_traefik_entrypoints: web-secure +matrix_bot_go_neb_container_labels_traefik_tls: "{{ matrix_bot_go_neb_container_labels_traefik_entrypoints != 'web' }}" +matrix_bot_go_neb_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. +# To add your own headers, use `matrix_bot_go_neb_container_labels_traefik_additional_response_headers_custom` +matrix_bot_go_neb_container_labels_traefik_additional_response_headers: "{{ matrix_bot_go_neb_container_labels_traefik_additional_response_headers_auto | combine(matrix_bot_go_neb_container_labels_traefik_additional_response_headers_custom) }}" +matrix_bot_go_neb_container_labels_traefik_additional_response_headers_auto: | + {{ + {} + | combine ({'X-XSS-Protection': matrix_bot_go_neb_http_header_xss_protection} if matrix_bot_go_neb_http_header_xss_protection else {}) + | combine ({'X-Frame-Options': matrix_bot_go_neb_http_header_frame_options} if matrix_bot_go_neb_http_header_frame_options else {}) + | combine ({'X-Content-Type-Options': matrix_bot_go_neb_http_header_content_type_options} if matrix_bot_go_neb_http_header_content_type_options else {}) + | combine ({'Content-Security-Policy': matrix_bot_go_neb_http_header_content_security_policy} if matrix_bot_go_neb_http_header_content_security_policy else {}) + | combine ({'Permission-Policy': matrix_bot_go_neb_http_header_content_permission_policy} if matrix_bot_go_neb_http_header_content_permission_policy else {}) + | combine 
({'Strict-Transport-Security': matrix_bot_go_neb_http_header_strict_transport_security} if matrix_bot_go_neb_http_header_strict_transport_security and matrix_bot_go_neb_container_labels_traefik_tls else {}) + }} +matrix_bot_go_neb_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_bot_go_neb_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_bot_go_neb_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_bot_go_neb_container_labels_additional_labels: '' + # A list of extra arguments to pass to the container matrix_bot_go_neb_container_extra_arguments: [] 
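Review bot: The header key `'Permission-Policy'` in `matrix_bot_go_neb_container_labels_traefik_additional_response_headers_auto` is misspelled; the header browsers honour is `Permissions-Policy`, so the interest-cohort opt-out this role enables by default is emitted under a name no client reads. Change that combine line to `| combine ({'Permissions-Policy': matrix_bot_go_neb_http_header_content_permission_policy} if matrix_bot_go_neb_http_header_content_permission_policy else {})`. The same spelling appears in the "Specifies the value of the Permission-Policy header" comment and its MDN link in the next hunk (`@@ -27,6 +90,57 @@`), which should be corrected together; the "Permissions-Policy interest-cohort=();" comment further down in that hunk already has it right.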
@@ -27,6 +90,57 @@ matrix_bot_go_neb_systemd_required_services_list: ['docker.service'] # List of systemd services that matrix-bot-go-neb.service wants matrix_bot_go_neb_systemd_wanted_services_list: [] +# Specifies the value of the `X-XSS-Protection` header +# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. +# +# Learn more about it is here: +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection +# - https://portswigger.net/web-security/cross-site-scripting/reflected +matrix_bot_go_neb_http_header_xss_protection: "1; mode=block" + +# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options +matrix_bot_go_neb_http_header_frame_options: SAMEORIGIN + +# Specifies the value of the `X-Content-Type-Options` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options +matrix_bot_go_neb_http_header_content_type_options: nosniff + +# Specifies the value of the `Content-Security-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy +matrix_bot_go_neb_http_header_content_security_policy: frame-ancestors 'self' + +# Specifies the value of the `Permission-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy +matrix_bot_go_neb_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_bot_go_neb_floc_optout_enabled else '' }}" + +# Specifies the value of the `Strict-Transport-Security` header. 
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +matrix_bot_go_neb_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_bot_go_neb_hsts_preload_enabled else '' }}" + +# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses +# +# Learn more about what it is here: +# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea +# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network +# - https://amifloced.org/ +# +# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. +# See: `matrix_bot_go_neb_content_permission_policy` +matrix_bot_go_neb_floc_optout_enabled: true + +# Controls if HSTS preloading is enabled +# +# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and +# indicates a willingness to be "preloaded" into browsers: +# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` +# For more information visit: +# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +# - https://hstspreload.org/#opt-in +# See: `matrix_bot_go_neb_http_header_strict_transport_security` +matrix_bot_go_neb_hsts_preload_enabled: false + # Database-related configuration fields. # # MUST be "sqlite3". No other type is supported. diff --git a/roles/custom/matrix-bot-go-neb/tasks/setup_install.yml b/roles/custom/matrix-bot-go-neb/tasks/install.yml similarity index 63% rename from roles/custom/matrix-bot-go-neb/tasks/setup_install.yml rename to roles/custom/matrix-bot-go-neb/tasks/install.yml index 1db16b911..9cb85db39 100644 --- a/roles/custom/matrix-bot-go-neb/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-go-neb/tasks/install.yml 
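Review bot: The comment above `matrix_bot_go_neb_floc_optout_enabled` points readers to `matrix_bot_go_neb_content_permission_policy`, a variable that this role never defines; the value it feeds is `matrix_bot_go_neb_http_header_content_permission_policy`, so the `# See:` line should name that one. Separately, the `X-XSS-Protection` comment overstates what the header does today: most current browsers no longer implement it, so it is a legacy setting rather than a protection against reflected XSS. A short caveat such as `# Note: most modern browsers ignore this header; it only affects legacy clients.` keeps the default while not misleading readers.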
@@ -1,8 +1,5 @@ --- -- ansible.builtin.set_fact: - matrix_bot_go_neb_requires_restart: false - - name: Ensure go-neb paths exist ansible.builtin.file: path: "{{ item.path }}" @@ -16,17 +13,6 @@ - {path: "{{ matrix_bot_go_neb_data_store_path }}", when: true} when: "item.when | bool" -- name: Ensure go-neb image is pulled - community.docker.docker_image: - name: "{{ matrix_bot_go_neb_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_bot_go_neb_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_go_neb_docker_image_force_pull }}" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - - name: Ensure go-neb config installed ansible.builtin.copy: content: "{{ matrix_bot_go_neb_configuration | to_nice_yaml(indent=2, width=999999) }}" 
@@ -35,16 +21,35 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" +- name: Ensure go-neb support files installed + ansible.builtin.template: + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_bot_go_neb_base_path }}/{{ item }}" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - env + - labels + +- name: Ensure go-neb container network is created + community.general.docker_network: + name: "{{ matrix_bot_go_neb_container_network }}" + driver: bridge + +- name: Ensure go-neb container image is pulled + community.docker.docker_image: + name: "{{ matrix_bot_go_neb_container_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_bot_go_neb_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_go_neb_container_image_force_pull }}" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + - name: Ensure matrix-bot-go-neb.service installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-bot-go-neb.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-go-neb.service" mode: 0644 - register: matrix_bot_go_neb_systemd_service_result - -- name: Ensure matrix-bot-go-neb.service restarted, if necessary - ansible.builtin.service: - name: "matrix-bot-go-neb.service" - state: restarted - daemon_reload: true - when: "matrix_bot_go_neb_requires_restart | bool" diff --git a/roles/custom/matrix-bot-go-neb/tasks/main.yml b/roles/custom/matrix-bot-go-neb/tasks/main.yml index 126f6ae03..3249fc7ba 100644 --- a/roles/custom/matrix-bot-go-neb/tasks/main.yml +++ b/roles/custom/matrix-bot-go-neb/tasks/main.yml 
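Review bot: The new network task uses `community.general.docker_network` while the image task a few lines below uses `community.docker.docker_image`; the Docker modules live in the `community.docker` collection and the `community.general` name is only a compatibility alias, so the two tasks should use the same namespace: `community.docker.docker_network:`. Otherwise the hunk reads well: the `env` and `labels` files are installed at `0640` and owned by the matrix user, which keeps `DATABASE_URL` out of the world-readable unit file it used to be embedded in.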
@@ -4,7 +4,7 @@ - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_bot_go_neb_enabled | bool" - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" when: "run_setup | bool and matrix_bot_go_neb_enabled | bool" tags: - setup-all @@ -13,7 +13,7 @@ - install-bot-go-neb - block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" when: "run_setup | bool and not matrix_bot_go_neb_enabled | bool" tags: - setup-all diff --git a/roles/custom/matrix-bot-go-neb/tasks/setup_uninstall.yml b/roles/custom/matrix-bot-go-neb/tasks/uninstall.yml similarity index 100% rename from roles/custom/matrix-bot-go-neb/tasks/setup_uninstall.yml rename to roles/custom/matrix-bot-go-neb/tasks/uninstall.yml diff --git a/roles/custom/matrix-bot-go-neb/templates/env.j2 b/roles/custom/matrix-bot-go-neb/templates/env.j2 new file mode 100644 index 000000000..22e605e5c --- /dev/null +++ b/roles/custom/matrix-bot-go-neb/templates/env.j2 @@ -0,0 +1,8 @@ +BIND_ADDRESS=:4050 + +DATABASE_TYPE={{ matrix_bot_go_neb_database_engine }} +DATABASE_URL={{ matrix_bot_go_neb_storage_database }} + +BASE_URL={{ matrix_bot_go_neb_base_url }} + +CONFIG_FILE={{ matrix_bot_go_neb_config_path_in_container }} diff --git a/roles/custom/matrix-bot-go-neb/templates/labels.j2 b/roles/custom/matrix-bot-go-neb/templates/labels.j2 new file mode 100644 index 000000000..0ad8d98c4 --- /dev/null +++ b/roles/custom/matrix-bot-go-neb/templates/labels.j2 
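Review bot: `BASE_URL={{ matrix_bot_go_neb_base_url }}` now carries a trailing slash (`https://host/` for the default `/` prefix, `https://host/go-neb/` otherwise), whereas the value it replaces, `https://{{ matrix_server_fqn_bot_go_neb }}`, had none. If Go-NEB joins this value with an absolute path when it builds webhook URLs, the result contains `//`; I cannot confirm its behaviour from this patch, so it is worth checking before release. A comment on the line, `# Note: value ends with a slash; confirm go-neb tolerates this when building webhook URLs.`, would record the outcome.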
@@ -0,0 +1,45 @@ +{% if matrix_bot_go_neb_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_bot_go_neb_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_bot_go_neb_container_labels_traefik_docker_network }} +{% endif %} + +{% set middlewares = [] %} + +{% if matrix_bot_go_neb_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.{{ matrix_bot_go_neb_identifier }}-slashless-redirect.redirectregex.regex=({{ matrix_bot_go_neb_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.{{ matrix_bot_go_neb_identifier }}-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + [matrix_bot_go_neb_identifier + '-slashless-redirect'] %} +{% endif %} + +{% if matrix_bot_go_neb_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.{{ matrix_bot_go_neb_identifier }}-strip-prefix.stripprefix.prefixes={{ matrix_bot_go_neb_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + [matrix_bot_go_neb_identifier + '-strip-prefix'] %} +{% endif %} + +{% if matrix_bot_go_neb_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_bot_go_neb_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.{{ matrix_bot_go_neb_identifier }}-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + [matrix_bot_go_neb_identifier + '-add-headers'] %} +{% endif %} + +traefik.http.routers.{{ matrix_bot_go_neb_identifier }}.rule={{ matrix_bot_go_neb_container_labels_traefik_rule }} +{% if matrix_bot_go_neb_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.{{ matrix_bot_go_neb_identifier }}.priority={{ matrix_bot_go_neb_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.{{ matrix_bot_go_neb_identifier }}.service={{ matrix_bot_go_neb_identifier }} +{% if middlewares | length 
> 0 %} +traefik.http.routers.{{ matrix_bot_go_neb_identifier }}.middlewares={{ middlewares | join(',') }} +{% endif %} +traefik.http.routers.{{ matrix_bot_go_neb_identifier }}.entrypoints={{ matrix_bot_go_neb_container_labels_traefik_entrypoints }} +traefik.http.routers.{{ matrix_bot_go_neb_identifier }}.tls={{ matrix_bot_go_neb_container_labels_traefik_tls | to_json }} +{% if matrix_bot_go_neb_container_labels_traefik_tls %} +traefik.http.routers.{{ matrix_bot_go_neb_identifier }}.tls.certResolver={{ matrix_bot_go_neb_container_labels_traefik_tls_certResolver }} +{% endif %} + +traefik.http.services.{{ matrix_bot_go_neb_identifier }}.loadbalancer.server.port=4050 +{% endif %} + +{{ matrix_bot_go_neb_container_labels_additional_labels }} diff --git a/roles/custom/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 b/roles/custom/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 index a57df57e2..150cd665f 100644 --- a/roles/custom/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 +++ b/roles/custom/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 
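Review bot: The `slashless-redirect` middleware builds its regex with `{{ matrix_bot_go_neb_container_labels_traefik_path_prefix | quote }}`, but Ansible's `quote` is the shell-quoting filter, not a regex escape: for the typical `/go-neb` it is a no-op, while a prefix containing any character outside the shell-safe set would be wrapped in single quotes and the redirect would never match. `regex_escape` is the filter meant for this: `traefik.http.middlewares.{{ matrix_bot_go_neb_identifier }}-slashless-redirect.redirectregex.regex=({{ matrix_bot_go_neb_container_labels_traefik_path_prefix | regex_escape }})$`. The template also references `matrix_bot_go_neb_identifier`, which the defaults in this patch never define; the later commit on this page ([PATCH 565/915]) replaces it with the literal `matrix-bot-go-neb`, and the `| quote` line is carried over there unchanged, so the same fix applies to that hunk.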
@@ -16,31 +16,37 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-bot-go-neb \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-bot-go-neb \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_bot_go_neb_container_network }} \ {% if matrix_bot_go_neb_container_http_host_bind_port %} -p {{ matrix_bot_go_neb_container_http_host_bind_port }}:4050 \ {% endif %} - -e 'BIND_ADDRESS=:4050' \ - -e 'DATABASE_TYPE={{ matrix_bot_go_neb_database_engine }}' \ - -e 'BASE_URL=https://{{ matrix_server_fqn_bot_go_neb }}' \ - -e 'CONFIG_FILE={{ matrix_bot_go_neb_config_path_in_container }}' \ - -e 'DATABASE_URL={{ matrix_bot_go_neb_storage_database }}' \ + --env-file={{ matrix_bot_go_neb_base_path }}/env \ + --label-file={{ matrix_bot_go_neb_base_path }}/labels \ --mount type=bind,src={{ matrix_bot_go_neb_config_path }},dst=/config,ro \ --mount type=bind,src={{ matrix_bot_go_neb_data_path }},dst=/data \ --entrypoint=/bin/sh \ {% for arg in matrix_bot_go_neb_container_extra_arguments %} {{ arg }} \ {% endfor %} - {{ matrix_bot_go_neb_docker_image }} \ + {{ matrix_bot_go_neb_container_image }} \ -c "go-neb /config/config.yaml" +{% for network in matrix_bot_go_neb_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-bot-go-neb +{% endfor %} + +ExecStart={{ 
devture_systemd_docker_base_host_command_docker }} start --attach matrix-bot-go-neb + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null || true' + Restart=always RestartSec=30 SyslogIdentifier=matrix-bot-go-neb diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index daabcdb90..f7f214f35 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml @@ -63,11 +63,6 @@ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: "Host( matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint: "{{ matrix_federation_traefik_entrypoint }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints: "{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint }}" -matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: false -matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }}" -matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" -matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_hostname }}`)" - matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: false matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}" matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" 
diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2 index 4cf78b2e0..4fb567da2 100644 --- a/roles/custom/matrix-nginx-proxy/templates/labels.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2 @@ -39,18 +39,6 @@ traefik.http.routers.matrix-nginx-proxy-matrix-federation.entrypoints={{ matrix_ {% endif %} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled %} -# Go NEB bot -traefik.http.routers.matrix-nginx-proxy-bot_go_neb.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_rule }} -traefik.http.routers.matrix-nginx-proxy-bot_go_neb.service=matrix-nginx-proxy-web -traefik.http.routers.matrix-nginx-proxy-bot_go_neb.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_tls | to_json }} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_tls %} -traefik.http.routers.matrix-nginx-proxy-bot_go_neb.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} -{% endif %} -traefik.http.routers.matrix-nginx-proxy-bot_go_neb.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} -{% endif %} - - {% if matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled %} # Jitsi traefik.http.routers.matrix-nginx-proxy-jitsi.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_rule }} From 6a6761cb88afe14d26c9458ea98f15cf662bfa91 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Sun, 5 Mar 2023 10:17:07 +0000 Subject: [PATCH 563/915] Update ntfy 2.1.1 -> 2.1.2 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 3dd089131..158b4fde3 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -43,7 +43,7 @@ version: v9.4.3-0 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git - version: v2.1.1-0 + version: v2.1.2-0 - src: git+https://gitlab.com/etke.cc/roles/redis.git version: v7.0.9-0 From 493de7316c2b35b40e7326ef3843803ffdb5ab08 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Sun, 5 Mar 2023 14:52:53 +0000 Subject: [PATCH 564/915] update honoroit 0.9.16 -> 0.9.17 * healthchecks.io integration * mutex on forwarding messages into thread * fix in prefixes handling * send error messages as thread reply when possible --- roles/custom/matrix-bot-honoroit/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-honoroit/defaults/main.yml b/roles/custom/matrix-bot-honoroit/defaults/main.yml index e880df4f0..42f766824 100644 --- a/roles/custom/matrix-bot-honoroit/defaults/main.yml +++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml @@ -9,7 +9,7 @@ matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git" matrix_bot_honoroit_docker_repo_version: "{{ matrix_bot_honoroit_version }}" matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src" -matrix_bot_honoroit_version: v0.9.16 +matrix_bot_honoroit_version: v0.9.17 matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}etke.cc/honoroit:{{ matrix_bot_honoroit_version }}" matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/' }}" matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}" From 449b51588e32a165ccf7e95c14f0370b0edd2b60 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Mon, 6 Mar 2023 08:51:21 +0200 Subject: [PATCH 565/915] Remove usage of undefined matrix_bot_go_neb_identifier variable This is a mistake made in 10b53503704d192d29008745. Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2540 --- .../matrix-bot-go-neb/templates/labels.j2 | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/roles/custom/matrix-bot-go-neb/templates/labels.j2 b/roles/custom/matrix-bot-go-neb/templates/labels.j2 index 0ad8d98c4..54aa25835 100644 --- a/roles/custom/matrix-bot-go-neb/templates/labels.j2 +++ b/roles/custom/matrix-bot-go-neb/templates/labels.j2 
@@ -8,38 +8,38 @@ traefik.docker.network={{ matrix_bot_go_neb_container_labels_traefik_docker_netw {% set middlewares = [] %} {% if matrix_bot_go_neb_container_labels_traefik_path_prefix != '/' %} -traefik.http.middlewares.{{ matrix_bot_go_neb_identifier }}-slashless-redirect.redirectregex.regex=({{ matrix_bot_go_neb_container_labels_traefik_path_prefix | quote }})$ -traefik.http.middlewares.{{ matrix_bot_go_neb_identifier }}-slashless-redirect.redirectregex.replacement=${1}/ -{% set middlewares = middlewares + [matrix_bot_go_neb_identifier + '-slashless-redirect'] %} +traefik.http.middlewares.matrix-bot-go-neb-slashless-redirect.redirectregex.regex=({{ matrix_bot_go_neb_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-bot-go-neb-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-bot-go-neb-slashless-redirect'] %} {% endif %} {% if matrix_bot_go_neb_container_labels_traefik_path_prefix != '/' %} -traefik.http.middlewares.{{ matrix_bot_go_neb_identifier }}-strip-prefix.stripprefix.prefixes={{ matrix_bot_go_neb_container_labels_traefik_path_prefix }} -{% set middlewares = middlewares + [matrix_bot_go_neb_identifier + '-strip-prefix'] %} +traefik.http.middlewares.matrix-bot-go-neb-strip-prefix.stripprefix.prefixes={{ matrix_bot_go_neb_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-bot-go-neb-strip-prefix'] %} {% endif %} {% if matrix_bot_go_neb_container_labels_traefik_additional_response_headers.keys() | length > 0 %} {% for name, value in matrix_bot_go_neb_container_labels_traefik_additional_response_headers.items() %} -traefik.http.middlewares.{{ matrix_bot_go_neb_identifier }}-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +traefik.http.middlewares.matrix-bot-go-neb-add-headers.headers.customresponseheaders.{{ name }}={{ value }} {% endfor %} -{% set middlewares = middlewares + [matrix_bot_go_neb_identifier + '-add-headers'] %} +{% 
set middlewares = middlewares + ['matrix-bot-go-neb-add-headers'] %} {% endif %} -traefik.http.routers.{{ matrix_bot_go_neb_identifier }}.rule={{ matrix_bot_go_neb_container_labels_traefik_rule }} +traefik.http.routers.matrix-bot-go-neb.rule={{ matrix_bot_go_neb_container_labels_traefik_rule }} {% if matrix_bot_go_neb_container_labels_traefik_priority | int > 0 %} -traefik.http.routers.{{ matrix_bot_go_neb_identifier }}.priority={{ matrix_bot_go_neb_container_labels_traefik_priority }} +traefik.http.routers.matrix-bot-go-neb.priority={{ matrix_bot_go_neb_container_labels_traefik_priority }} {% endif %} -traefik.http.routers.{{ matrix_bot_go_neb_identifier }}.service={{ matrix_bot_go_neb_identifier }} +traefik.http.routers.matrix-bot-go-neb.service=matrix-bot-go-neb {% if middlewares | length > 0 %} -traefik.http.routers.{{ matrix_bot_go_neb_identifier }}.middlewares={{ middlewares | join(',') }} +traefik.http.routers.matrix-bot-go-neb.middlewares={{ middlewares | join(',') }} {% endif %} -traefik.http.routers.{{ matrix_bot_go_neb_identifier }}.entrypoints={{ matrix_bot_go_neb_container_labels_traefik_entrypoints }} -traefik.http.routers.{{ matrix_bot_go_neb_identifier }}.tls={{ matrix_bot_go_neb_container_labels_traefik_tls | to_json }} +traefik.http.routers.matrix-bot-go-neb.entrypoints={{ matrix_bot_go_neb_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-bot-go-neb.tls={{ matrix_bot_go_neb_container_labels_traefik_tls | to_json }} {% if matrix_bot_go_neb_container_labels_traefik_tls %} -traefik.http.routers.{{ matrix_bot_go_neb_identifier }}.tls.certResolver={{ matrix_bot_go_neb_container_labels_traefik_tls_certResolver }} +traefik.http.routers.matrix-bot-go-neb.tls.certResolver={{ matrix_bot_go_neb_container_labels_traefik_tls_certResolver }} {% endif %} -traefik.http.services.{{ matrix_bot_go_neb_identifier }}.loadbalancer.server.port=4050 +traefik.http.services.matrix-bot-go-neb.loadbalancer.server.port=4050 {% endif %} {{ 
matrix_bot_go_neb_container_labels_additional_labels }} From bf2b54080789f7e82eeeb118f1ddccbc7ffffb83 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 6 Mar 2023 09:08:04 +0200 Subject: [PATCH 566/915] Harden Traefik security by accessing the Docker API through docker-socket-proxy With these changes, we: - install https://github.com/Tecnativa/docker-socket-proxy via the https://github.com/devture/com.devture.ansible.role.container_socket_proxy Ansible role - make Traefik access the Docker API via TCP by connecting to this socket proxy - .. which allows us to run the Traefik container with less privileges (non-`root`, dropped capabilities) --- group_vars/matrix_servers | 43 ++++++++++++++++++++++++++++++++++++++- playbooks/matrix.yml | 2 ++ requirements.yml | 5 ++++- 3 files changed, 48 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 0a3ff00bc..d4bcd027d 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -356,7 +356,9 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-user-verification-service.service', 'priority': 800, 'groups': ['matrix', 'matrix-user-verification-service']}] if matrix_user_verification_service_enabled else []) + - ([{'name': 'devture-traefik.service', 'priority': 3000, 'groups': ['matrix', 'traefik', 'reverse-proxies']}] if devture_traefik_enabled else []) + ([{'name': (devture_container_socket_proxy_identifier + '.service'), 'priority': 2900, 'groups': ['matrix', 'reverse-proxies', 'container-socket-proxy']}] if devture_container_socket_proxy_enabled else []) + + + ([{'name': (devture_traefik_identifier + '.service'), 'priority': 3000, 'groups': ['matrix', 'traefik', 'reverse-proxies']}] if devture_traefik_enabled else []) + ([{'name': (devture_traefik_certs_dumper_identifier + '.service'), 'priority': 3500, 'groups': ['matrix', 'traefik-certs-dumper']}] if devture_traefik_certs_dumper_enabled else []) }} 
@@ -3821,6 +3823,31 @@ matrix_user_verification_service_uvs_auth_token: "{{ '%s' | format(matrix_homese ###################################################################### +######################################################################## +# # +# com.devture.ansible.role.container_socket_proxy # +# # +######################################################################## + +devture_container_socket_proxy_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' }}" + +devture_container_socket_proxy_identifier: matrix-container-socket-proxy + +devture_container_socket_proxy_base_path: "{{ matrix_base_data_path }}/container-socket-proxy" + +devture_container_socket_proxy_uid: "{{ matrix_user_uid }}" +devture_container_socket_proxy_gid: "{{ matrix_user_gid }}" + +# Traefik requires read access to the containers APIs to do its job +devture_container_socket_proxy_api_containers_enabled: true + +######################################################################## +# # +# /com.devture.ansible.role.container_socket_proxy # +# # +######################################################################## + + ######################################################################## # # # com.devture.ansible.role.traefik # 
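Review bot: The comment `# Traefik requires read access to the containers APIs to do its job` should say what that access still exposes: the containers endpoint returns each container's inspect data, including labels and environment variables, so the proxy restricts which Docker API paths Traefik may call, not what it can learn about the other containers on the host. Suggested wording: `# Traefik requires read access to the containers API to do its job. Note: this still lets it read every container's inspect output (labels, environment), so the proxy restricts actions, not visibility.` The enabled flag being tied to `matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik'` is consistent with the Traefik endpoint in the next hunk falling back to `unix:///var/run/docker.sock` when the proxy is off.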
@@ -3842,6 +3869,20 @@ devture_traefik_additional_entrypoints_auto:
 devture_traefik_additional_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}"
+devture_traefik_config_providers_docker_endpoint: "{{ devture_container_socket_proxy_endpoint if devture_container_socket_proxy_enabled else 'unix:///var/run/docker.sock' }}"
+
+devture_traefik_container_additional_networks: |
+ {{
+ ([devture_container_socket_proxy_container_network] if devture_container_socket_proxy_enabled else [])
+ }}
+
+devture_traefik_systemd_required_services_list: |
+ {{
+ (['docker.service'])
+ +
+ ([devture_container_socket_proxy_identifier + '.service'] if devture_container_socket_proxy_enabled else [])
+ }}
+
 ########################################################################
 # #
 # /com.devture.ansible.role.traefik #
diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml
index 6a66dc585..6e348df25 100755
--- a/playbooks/matrix.yml
+++ b/playbooks/matrix.yml
@@ -119,6 +119,8 @@
 - custom/matrix-user-creator
 - custom/matrix-common-after
+ - role: galaxy/com.devture.ansible.role.container_socket_proxy
+
 - when: matrix_playbook_traefik_role_enabled | bool
 role: galaxy/com.devture.ansible.role.traefik
diff --git a/requirements.yml b/requirements.yml
index 158b4fde3..ad1f5eac2 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -51,8 +51,11 @@
 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git
 version: v1.8.18-2
+- src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git
+ version: v0.1.1-0
+
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
- version: v2.9.8-0
+ version: v2.9.8-1
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git
 version: v2.8.1-0
From adcc6d9723086f65f1a7284a4d3eee03de56ac22 Mon Sep 17 00:00:00 2001
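Review bot: `devture_traefik_config_providers_docker_endpoint` silently falls back to `unix:///var/run/docker.sock`, i.e. direct, root-equivalent Docker API access, whenever `devture_container_socket_proxy_enabled` is false. Both flags derive from `matrix_playbook_reverse_proxy_type` by default, so this only happens when someone overrides the proxy flag; whether the bumped role (`v2.9.8-1` in requirements.yml) then also re-mounts the socket and restores the privileges the commit message says were dropped is not visible here. A one-line comment would spare the next reader the guess, e.g. `# Without the socket proxy, Traefik talks to the raw Docker socket again (full API access; the socket must then be mounted into the container).`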
From: Slavi Pantaleev Date: Mon, 6 Mar 2023 09:32:13 +0200 Subject: [PATCH 567/915] Relocate Traefik (to matrix-traefik.service && /matrix/traefik base path) The migration is automatic. Existing users should experience a bit of downtime until the playbook runs to completion, but don't need to do anything manually. This change is provoked by https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2535 While my statements there ("Traefik is a shared component among sibling/related playbooks and should retain its global non-matrix-prefixed name and path") do make sense, there's another point of view as well. With the addition of docker-socket-proxy support in bf2b54080789f7e, we potentially introduced another non-`matrix-`-prefixed systemd service and global path (`/devture-container-socket-proxy`). It would have started to become messy. Traefik always being called `devture-traefik.service` and using the `/devture-traefik` path has the following downsides: - different playbooks may write to the same place, unintentionally, before you disable the Traefik role in some of them. If each playbook manages its own installation, no such conflicts arise and you'll learn about the conflict when one of them starts its Traefik service and fails because the ports are already in use - the data is scattered - backing up `/matrix` is no longer enough when some stuff lives in `/devture-traefik` or `/devture-container-socket-proxy` as well; similarly, deleting `/matrix` is no longer enough to clean up For this reason, the Traefik instance managed by this playbook will now be called `matrix-traefik` and live under `/matrix/traefik`. This also makes it obvious to users running multiple playbooks, which Traefik instance (powered by which playbook) is the active one. Previously, you'd look at `devture-traefik.service` and wonder which role was managing it. 
--- group_vars/matrix_servers | 4 +++ .../matrix-base/templates/bin/remove-all.j2 | 11 +++--- .../devture_traefik_to_matrix_traefik.yml | 35 +++++++++++++++++++ .../matrix_playbook_migration/tasks/main.yml | 9 +++++ 4 files changed, 52 insertions(+), 7 deletions(-) create mode 100644 roles/custom/matrix_playbook_migration/tasks/devture_traefik_to_matrix_traefik.yml
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index d4bcd027d..c9f783453 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -3858,6 +3858,10 @@ devture_container_socket_proxy_api_containers_enabled: true
 # See the comment there for more details about why we have both `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`.
 devture_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' }}"
+devture_traefik_identifier: matrix-traefik
+
+devture_traefik_base_path: "{{ matrix_base_data_path }}/traefik"
+
 devture_traefik_uid: "{{ matrix_user_uid }}"
 devture_traefik_gid: "{{ matrix_user_gid }}"
diff --git a/roles/custom/matrix-base/templates/bin/remove-all.j2 b/roles/custom/matrix-base/templates/bin/remove-all.j2
index 46e1f7573..2733ad784 100644
--- a/roles/custom/matrix-base/templates/bin/remove-all.j2
+++ b/roles/custom/matrix-base/templates/bin/remove-all.j2
@@ -21,19 +21,16 @@ else
 rm -f {{ devture_systemd_docker_base_systemd_path }}/$s
 done
- echo "Stop and remove devture services"
-
- for s in $(find {{ devture_systemd_docker_base_systemd_path }}/ -type f -name "devture-*" -printf "%f\n"); do
- systemctl disable --now $s
- rm -f {{ devture_systemd_docker_base_systemd_path }}/$s
- done
-
 systemctl daemon-reload
 echo "Remove unused Docker images and resources"
 docker system prune -af
+
 echo "Remove Docker matrix network (should be gone already, but ..)"
 docker network rm {{ matrix_docker_network }}
+
+ echo "This playbook creates a lot of matrix-* networks. Consider removing them manually ('docker network ls', followed by 'docker network rm NETWORK_NAME')"
+
 echo "Remove {{ matrix_base_data_path }} directory"
 rm -fr "{{ matrix_base_data_path }}"
 exit 0
diff --git a/roles/custom/matrix_playbook_migration/tasks/devture_traefik_to_matrix_traefik.yml b/roles/custom/matrix_playbook_migration/tasks/devture_traefik_to_matrix_traefik.yml
new file mode 100644
index 000000000..7d1b1190d
--- /dev/null
+++ b/roles/custom/matrix_playbook_migration/tasks/devture_traefik_to_matrix_traefik.yml
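Review bot: With the `devture-*` loop gone, `remove-all` no longer touches an un-migrated `devture-traefik.service` or `/devture-traefik`; the migration task lives in the playbook, not in this script, so a user who runs this script before the playbook has migrated is left with a still-enabled unit and an `acme.json` (ACME account and certificate private keys) outside `{{ matrix_base_data_path }}`, which the final `rm -fr` does not cover. If that is acceptable, an `echo` pointing at the possible leftover would be kind; otherwise keep the old unit/directory removal guarded by an existence test until the migration has been out for a while. The script's header and the matrix-* removal loop are outside the hunk.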
@@ -0,0 +1,35 @@
+---
+
+# This migrates Traefik from the old path (`/devture-traefik`) to the new path (`/matrix/traefik`, controlled by `devture_traefik_base_path`),
+# and from the old hardcoded systemd service name (`devture-traefik.service`) to the new one (`matrix-traefik.service`, controlled by `devture_traefik_identifier`).
+#
+# Here, we merely disable (and stop) the old systemd service and relocate the data (`/devture-traefik` directory).
+# The Traefik role itself (running later) will then ensure this data is up-to-date and will set up the new systemd service.
+
+# It only makes sense to migrate if the identifier or path are different than the default (what we were using before).
+- when: "devture_traefik_identifier != 'devture-postgres' or devture_traefik_base_path != '/devture-traefik'"
+ block:
+ - name: Check existence of devture-traefik.service systemd service
+ ansible.builtin.stat:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/devture-traefik.service"
+ register: devture_traefik_service_stat
+
+ - when: devture_traefik_service_stat.stat.exists | bool
+ block:
+ - name: Ensure devture-traefik.service systemd service is stopped
+ ansible.builtin.systemd:
+ name: devture-traefik
+ state: stopped
+ enabled: false
+ daemon_reload: true
+
+ - name: Ensure Traefik systemd service doesn't exist
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/devture-traefik.service"
+ state: absent
+
+ - name: Ensure Traefik directory relocated
+ ansible.builtin.command:
+ cmd: "mv /devture-traefik {{ devture_traefik_base_path }}"
+ creates: "{{ devture_traefik_base_path }}"
+ removes: "/devture-traefik"
diff --git a/roles/custom/matrix_playbook_migration/tasks/main.yml b/roles/custom/matrix_playbook_migration/tasks/main.yml
index 96b68b60d..e2b293847 100644
--- a/roles/custom/matrix_playbook_migration/tasks/main.yml
+++ b/roles/custom/matrix_playbook_migration/tasks/main.yml
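Review bot: The `when:` guard on the new block compares `devture_traefik_identifier` with `'devture-postgres'`, which looks like a copy-paste slip for `'devture-traefik'`. With the default `matrix-traefik` it makes no difference, but a user who pins the old identifier and base path to keep the previous layout still passes the guard, so the old unit is stopped, its unit file deleted and the `mv` attempted on every run; the fix is `- when: "devture_traefik_identifier != 'devture-traefik' or devture_traefik_base_path != '/devture-traefik'"`. Also worth a comment on `Ensure Traefik directory relocated`: `mv` carries `ssl/acme.json` (ACME private keys) across as-is and nothing here re-asserts its ownership or mode, presumably because the Traefik role that runs afterwards does — if so, say so, e.g. `# Ownership/permissions of the relocated data are re-applied by the Traefik role, which runs later.`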
@@ -11,3 +11,12 @@
 tags:
 - setup-all
 - install-all
+
+- when: matrix_playbook_traefik_role_enabled | bool
+ block:
+ - ansible.builtin.include_tasks: "{{ role_path }}/tasks/devture_traefik_to_matrix_traefik.yml"
+ tags:
+ - setup-all
+ - install-all
+ - setup-traefik
+ - install-traefik
From 30f10347670d2fcc3fafc3ac81659dcb6d909cdc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 6 Mar 2023 09:51:14 +0200 Subject: [PATCH 568/915] Remove matrix_playbook_traefik_role_enabled variable and devture-traefik references The variable was necessary when multiple playbooks could have potentially tried to manage a shared `devture-traefik.serivce` systemd service and shared `/devture-traefik` directory. Since adcc6d9723086f65f1a72, we use our own `/matrix/traefik` (`matrix-traefik.service`) installation and no conflicts can arise. It's safe to always enable the role, just like we do with all the other roles. --- CHANGELOG.md | 4 ++-- docs/configuring-playbook-ssl-certificates.md | 4 ++-- group_vars/matrix_servers | 20 ++----------------- playbooks/matrix.yml | 3 +-- roles/custom/matrix-base/defaults/main.yml | 2 +- .../matrix_playbook_migration/tasks/main.yml | 2 +- .../tasks/validate_config.yml | 1 + 7 files changed, 10 insertions(+), 26 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 790406f3c..1aedacc30 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -223,9 +223,9 @@ devture_traefik_config_certificatesResolvers_acme_email: YOUR_EMAIL_ADDRESS
 You may still need to keep certain old `matrix_nginx_proxy_*` variables (like `matrix_nginx_proxy_base_domain_serving_enabled`), even when using Traefik. For now, we recommend keeping all `matrix_nginx_proxy_*` variables just in case. In the future, reliance on `matrix-nginx-proxy` will be removed.
-Switching to Traefik will obtain new SSL certificates from Let's Encrypt (stored in `/devture-traefik/ssl/acme.json`). **The switch is reversible**. You can always go back to `playbook-managed-nginx` if Traefik is causing you trouble.
+Switching to Traefik will obtain new SSL certificates from Let's Encrypt (stored in `/matrix/traefik/ssl/acme.json`). **The switch is reversible**. You can always go back to `playbook-managed-nginx` if Traefik is causing you trouble.
-**Note**: toggling `matrix_playbook_reverse_proxy_type` between Traefik and nginx will uninstall the Traefik role and all of its data (under `/devture-traefik`), so you may run into a Let's Encrypt rate limit if you do it often.
+**Note**: toggling `matrix_playbook_reverse_proxy_type` between Traefik and nginx will uninstall the Traefik role and all of its data (under `/matrix/traefik`), so you may run into a Let's Encrypt rate limit if you do it often.
 Treafik directly reverse-proxies to **some** services right now, but for most other services it goes through `matrix-nginx-proxy` (e.g. Traefik -> `matrix-nginx-proxy` -> [Ntfy](docs/configuring-playbook-ntfy.md)). So, even if you opt into Traefik, you'll still see `matrix-nginx-proxy` being installed in local-only mode. This will improve with time.
diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md
index 13d5f609b..9fa9f84b8 100644
--- a/docs/configuring-playbook-ssl-certificates.md
+++ b/docs/configuring-playbook-ssl-certificates.md
@@ -54,7 +54,7 @@ devture_traefik_ssl_dir_enabled: true
 # Tell Traefik to load our custom configuration file (certificates.yml).
 # The file is created below, in `matrix_aux_file_definitions`.
-# The `/config/..` path is an in-container path, not a path on the host (like `/devture-traefik/config`). Do not change it!
+# The `/config/..` path is an in-container path, not a path on the host (like `/matrix/traefik/config`). Do not change it!
 devture_traefik_configuration_extension_yaml: |
 providers:
 file:
@@ -85,7 +85,7 @@ matrix_aux_file_definitions:
 # HERE
 # Create the custom Traefik configuration.
- # The `/ssl/..` paths below are in-container paths, not paths on the host (/`devture-traefik/ssl/..`). Do not change them!
+ # The `/ssl/..` paths below are in-container paths, not paths on the host (/`matrix/traefik/ssl/..`). Do not change them!
 - dest: "{{ devture_traefik_config_dir_path }}/certificates.yml"
 content: |
 tls:
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index c9f783453..5c4c1bdde 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -19,23 +19,9 @@ # Also see `devture_docker_sdk_for_python_installation_enabled`. matrix_playbook_docker_installation_enabled: true -# Controls whether to run the Traefik role or not -# See the `com.devture.ansible.role.traefik` section below for role configuration. -# -# There's a difference between `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`. -# `devture_traefik_enabled` controls what the Traefik role would do - when not enabled, it will run uninstall tasks, etc. -# `matrix_playbook_traefik_role_enabled` controls if the Traefik role would even run at all. -# -# Sometimes, you're installing Traefik via a different (related playbook) which uses the same role. -# In such cases, you'd like to disable the role in this playbook from bothering with Traefik at all (`matrix_playbook_traefik_role_enabled: false`). -# If you used `devture_traefik_enabled: false` + `matrix_playbook_traefik_role_enabled: true` instead, you'd see the Treafik role here -# try to delete Traefik data (`/devture-traefik`) installed by the other playbook. -matrix_playbook_traefik_role_enabled: "{{ matrix_playbook_reverse_proxy_type != 'other-traefik-container' }}" - # Controls whether to attach Traefik labels to services. -# This is separate from `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`, -# because you may wish to disable Traefik installation by the playbook, yet still use Traefik -# installed in another way. +# This is separate from `devture_traefik_enabled`, because you may wish to disable Traefik installation by the playbook, +# yet still use Traefik installed in another way. matrix_playbook_traefik_labels_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" # Controls the additional network that reverse-proxyable services will be connected to. 
@@ -3854,8 +3840,6 @@ devture_container_socket_proxy_api_containers_enabled: true
 # #
 ########################################################################
-# To completely disable the Traefik role from running, use `matrix_playbook_traefik_role_enabled: false`.
-# See the comment there for more details about why we have both `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`.
 devture_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' }}"
 devture_traefik_identifier: matrix-traefik
diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml
index 6e348df25..e72269eea 100755
--- a/playbooks/matrix.yml
+++ b/playbooks/matrix.yml
@@ -121,8 +121,7 @@
 - role: galaxy/com.devture.ansible.role.container_socket_proxy
- - when: matrix_playbook_traefik_role_enabled | bool
- role: galaxy/com.devture.ansible.role.traefik
+ - role: galaxy/com.devture.ansible.role.traefik
 - role: galaxy/com.devture.ansible.role.traefik_certs_dumper
diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml
index 98a2167ed..5e743925c 100644
--- a/roles/custom/matrix-base/defaults/main.yml
+++ b/roles/custom/matrix-base/defaults/main.yml
@@ -284,7 +284,7 @@ matrix_homeserver_app_service_config_files_auto: []
 # Valid options and a description of their behavior:
 #
 # - `playbook-managed-traefik`
-# - the playbook will install devture-traefik
+# - the playbook will run a managed Traefik instance (matrix-traefik)
 # - Traefik will do SSL termination, unless you disable it (e.g. `devture_traefik_config_entrypoint_web_secure_enabled: false`)
 # - if SSL termination is enabled (as it is by default), you need to populate: `devture_traefik_config_certificatesResolvers_acme_email`
 # - it will also install matrix-nginx-proxy in local-only mode, while we migrate the rest of the services to a Traefik-native mode of working
diff --git a/roles/custom/matrix_playbook_migration/tasks/main.yml b/roles/custom/matrix_playbook_migration/tasks/main.yml
index e2b293847..4a39e2c74 100644
--- a/roles/custom/matrix_playbook_migration/tasks/main.yml
+++ b/roles/custom/matrix_playbook_migration/tasks/main.yml
@@ -12,7 +12,7 @@
 - setup-all
 - install-all
-- when: matrix_playbook_traefik_role_enabled | bool
+- when: devture_traefik_enabled | bool
 block:
 - ansible.builtin.include_tasks: "{{ role_path }}/tasks/devture_traefik_to_matrix_traefik.yml"
 tags:
diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml
index 296f2dafb..d8fe16839 100644
--- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml
+++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml
@@ -37,6 +37,7 @@
 - {'old': 'matrix_prometheus_node_exporter_metrics_proxying_enabled', 'new': 'matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled'}
 - {'old': 'matrix_prometheus_postgres_exporter_metrics_proxying_enabled', 'new': 'matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled'}
 - {'old': 'matrix_playbook_traefik_certs_dumper_role_enabled', 'new': 'devture_traefik_certs_dumper_enabled'}
+ - {'old': 'matrix_playbook_traefik_role_enabled', 'new': 'devture_traefik_enabled'}
 - name: (Deprecation) Catch and report matrix_postgres variables
 ansible.builtin.fail:
From e21c44347f971319c204ca129c7d27714689bc26 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 6 Mar 2023 10:28:44 +0200 Subject: [PATCH 569/915] Add Traefik Dashboard warning --- docs/configuring-playbook-traefik.md | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/docs/configuring-playbook-traefik.md b/docs/configuring-playbook-traefik.md
index 4f6a73356..0485742da 100644
--- a/docs/configuring-playbook-traefik.md
+++ b/docs/configuring-playbook-traefik.md
@@ -35,6 +35,8 @@ devture_traefik_dashboard_basicauth_user: YOUR_USERNAME_HERE
 devture_traefik_dashboard_basicauth_password: YOUR_PASSWORD_HERE
 ```
+**WARNING**: enabling the dashboard on a hostname you use for something else (like `matrix_server_fqn_matrix` in the configuration above) may cause conflicts. Enabling the Traefik Dashboard makes Traefik capture all `/dashboard` and `/api` requests and forward them to itself. If any of the services hosted on the same hostname requires any of these 2 URL prefixes, you will experience problems. So far, we're not aware of any playbook services which occupy these endpoints and are likely to cause conflicts.
+
 ## Additional configuration
 Use the `devture_traefik_configuration_extension_yaml` variable provided by the Traefik Ansible role to override or inject additional settings, even when no dedicated variable exists.
From 26fdae3797419f0df5065109adb53cfe74564559 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 6 Mar 2023 10:29:58 +0200 Subject: [PATCH 570/915] Upgrade com.devture.ansible.role.container_socket_proxy --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index ad1f5eac2..013a6c530 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -52,7 +52,7 @@
 version: v1.8.18-2
 - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git
- version: v0.1.1-0
+ version: v0.1.1-1
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
 version: v2.9.8-1
From 6e3aab65942e2da274fd283cae094ffd988ba4f7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 6 Mar 2023 11:00:42 +0200 Subject: [PATCH 571/915] Make devture-traefik to matrix-traefik migration code a little safer --- .../tasks/devture_traefik_to_matrix_traefik.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/roles/custom/matrix_playbook_migration/tasks/devture_traefik_to_matrix_traefik.yml b/roles/custom/matrix_playbook_migration/tasks/devture_traefik_to_matrix_traefik.yml
index 7d1b1190d..f192cf015 100644
--- a/roles/custom/matrix_playbook_migration/tasks/devture_traefik_to_matrix_traefik.yml
+++ b/roles/custom/matrix_playbook_migration/tasks/devture_traefik_to_matrix_traefik.yml
@@ -23,13 +23,13 @@
 enabled: false
 daemon_reload: true
- - name: Ensure Traefik systemd service doesn't exist
- ansible.builtin.file:
- path: "{{ devture_systemd_docker_base_systemd_path }}/devture-traefik.service"
- state: absent
-
 - name: Ensure Traefik directory relocated
 ansible.builtin.command:
 cmd: "mv /devture-traefik {{ devture_traefik_base_path }}"
 creates: "{{ devture_traefik_base_path }}"
 removes: "/devture-traefik"
+
+ - name: Ensure Traefik systemd service doesn't exist
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/devture-traefik.service"
+ state: absent
From db4070fc75d62aa296f55716e67a0561c2767cdb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 6 Mar 2023 13:48:31 +0200 Subject: [PATCH 572/915] Remove some nginx references --- docs/faq.md | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-)
diff --git a/docs/faq.md b/docs/faq.md
index 25d02e7ce..7b67a5bf3 100644
--- a/docs/faq.md
+++ b/docs/faq.md
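Review bot: After `Ensure Traefik systemd service doesn't exist` deletes the unit file, no daemon reload follows; the only `daemon_reload: true` in this file sits on the stop task, which now runs before the file is removed, so systemd keeps the stale `devture-traefik` definition loaded until something else reloads it. Presumably the Traefik role reloads when it installs `matrix-traefik.service`, but that dependency is implicit. Either append a task `- ansible.builtin.systemd: daemon_reload: true` after the removal, or document the assumption with `# A daemon-reload is left to the Traefik role, which installs the new unit right after this migration.` The enclosing block starts above the hunk.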
@@ -125,7 +125,7 @@ This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EM - this one installs everything in a single directory (`/matrix` by default) and **doesn't "contaminate" your server** with files all over the place -- this one **doesn't necessarily take over** ports 80 and 443. By default, it sets up nginx for you there, but you can also [use your own webserver](configuring-playbook-own-webserver.md) +- this one **doesn't necessarily take over** ports 80 and 443. By default, it sets up [Traefik](https://doc.traefik.io/traefik/) for you there, but you can also [use your own webserver](configuring-playbook-own-webserver.md) - this one **runs everything in Docker containers**, so it's likely more predictable and less fragile (see [Docker images used by this playbook](container-images.md)) @@ -322,7 +322,7 @@ matrix_playbook_docker_installation_enabled: false ### I run another webserver on the same server where I wish to install Matrix. What now? -By default, we install a webserver for you (nginx), but you can also use [your own webserver](configuring-playbook-own-webserver.md). +By default, we install a webserver for you ([Traefik](https://doc.traefik.io/traefik/)), but you can also use [your own webserver](configuring-playbook-own-webserver.md). ### How is the effective configuration determined? 
@@ -461,15 +461,8 @@ After verifying that everything still works after the Postgres upgrade, you can ### How do I debug or force SSL certificate renewal? -SSL certificate renewal normally happens automatically via [systemd timers](https://wiki.archlinux.org/index.php/Systemd/Timers). +SSL certificates are managed automatically by the [Traefik](https://doc.traefik.io/traefik/) reverse-proxy server. -If you're having trouble with SSL certificate renewal, you can inspect the renewal logs using: +If you're having trouble with SSL certificate renewal, check the Traefik logs (`journalctl -fu matrix-traefik`). -- `journalctl -fu matrix-ssl-lets-encrypt-certificates-renew.service` -- *or* by looking at the log files in `/matrix/ssl/log/` - -To trigger renewal, run: `systemctl start matrix-ssl-lets-encrypt-certificates-renew.service`. You can then take a look at the logs again. - -If you're using the integrated webserver (`matrix-nginx-proxy`), you can reload it manually like this: `systemctl reload matrix-nginx-proxy`. Reloading also happens periodically via a systemd timer. - -If you're [using your own webserver](configuring-playbook-own-webserver.md) instead of the integrated one (`matrix-nginx-proxy`) you may also need to reload/restart it, to make it pick up the renewed SSL certificate files. +If you're [using your own webserver](configuring-playbook-own-webserver.md) instead of the integrated one (Traefik), you should investigate in another way. From 2a872e95fcc171a0bb96317b4a811762957600e3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 6 Mar 2023 13:52:22 +0200 Subject: [PATCH 573/915] Mention external roles in the FAQ --- docs/faq.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/docs/faq.md b/docs/faq.md index 7b67a5bf3..48c658d18 100644 --- a/docs/faq.md +++ b/docs/faq.md 
@@ -336,12 +336,14 @@ Configuration variables are defined in multiple places in this playbook and are ### What configuration variables are available? -You can discover the variables you can override in each role (`role/matrix*/defaults/main.yml`). +You can discover the variables you can override in each role (`roles/*/*/defaults/main.yml`). As described in [How is the effective configuration determined?](#how-is-the-effective-configuration-determined), these role-defaults may be overriden by values defined in `group_vars/matrix_servers`. Refer to both of these for inspiration. Still, as mentioned in [Configuring the playbook](configuring-playbook.md), you're only ever supposed to edit your own `inventory/host_vars/matrix.DOMAIN/vars.yml` file and nothing else inside the playbook (unless you're meaning to contribute new features). +**Note**: some of the roles (`roles/galaxy/*`) live in separate repositories and are only installed after your run `just roles` (or `make roles`). + ### I'd like to adjust some configuration which doesn't have a corresponding variable. How do I do it? The playbook doesn't aim to expose all configuration settings for all services using variables. @@ -352,7 +354,9 @@ See [What configuration variables are available?](#what-configuration-variables- Besides that, each role (component) aims to provide a `matrix_SOME_COMPONENT_configuration_extension_yaml` (or `matrix_SOME_COMPONENT_configuration_extension_json`) variable, which can be used to override the configuration. -Check each role's `role/matrix*/defaults/main.yml` for the corresponding variable and an example for how use it. +Check each role's `roles/*/*/defaults/main.yml` for the corresponding variable and an example for how use it. + +**Note**: some of the roles (`roles/galaxy/*`) live in separate repositories and are only installed after your run `just roles` (or `make roles`). ## Installation From 023fe3ea08593b6786c93d641bd0c0daf2e2618d Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Tue, 7 Mar 2023 11:57:56 +0200 Subject: [PATCH 574/915] Add sliding-sync support This allows people to try out the new Element X clients, which need to run against the sliding-sync proxy (https://github.com/matrix-org/sliding-sync). Supersedes https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2515 The code is based on the existing PR (#2515), but heavily reworked. Major changes: - lots of internal refactoring and variable renaming - fixed self-building to support non-amd64 architectures - changed to talk to the homeserver locally, over the container network (not publicly) - no more matrix-nginx-proxy support due to complexity (see below) - no more `matrix_server_fqn_sliding_sync_proxy` in favor of `matrix_sliding_sync_hostname` and `matrix_sliding_sync_path_prefix` - runs on `matrix.DOMAIN/sliding-sync` by default, so it can tried easily without having to create new DNS records --- group_vars/matrix_servers | 67 ++++++++++++++ playbooks/matrix.yml | 1 + .../static-files/well-known/matrix-client.j2 | 5 + .../matrix-sliding-sync/defaults/main.yml | 91 +++++++++++++++++++ .../matrix-sliding-sync/tasks/install.yml | 69 ++++++++++++++ .../custom/matrix-sliding-sync/tasks/main.yml | 19 ++++ .../matrix-sliding-sync/tasks/uninstall.yml | 25 +++++ .../tasks/validate_config.yml | 11 +++ .../matrix-sliding-sync/templates/env.j2 | 4 + .../matrix-sliding-sync/templates/labels.j2 | 45 +++++++++ .../systemd/matrix-sliding-sync.service.j2 | 49 ++++++++++ .../custom/matrix-sliding-sync/vars/main.yml | 5 + 12 files changed, 391 insertions(+) create mode 100644 roles/custom/matrix-sliding-sync/defaults/main.yml create mode 100644 roles/custom/matrix-sliding-sync/tasks/install.yml create mode 100644 roles/custom/matrix-sliding-sync/tasks/main.yml create mode 100644 roles/custom/matrix-sliding-sync/tasks/uninstall.yml create mode 100644 roles/custom/matrix-sliding-sync/tasks/validate_config.yml create mode 100644 
roles/custom/matrix-sliding-sync/templates/env.j2 create mode 100644 roles/custom/matrix-sliding-sync/templates/labels.j2 create mode 100644 roles/custom/matrix-sliding-sync/templates/systemd/matrix-sliding-sync.service.j2 create mode 100644 roles/custom/matrix-sliding-sync/vars/main.yml diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 5c4c1bdde..85fbfd2ac 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -330,6 +330,8 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-registration.service', 'priority': 4000, 'groups': ['matrix', 'registration']}] if matrix_registration_enabled else []) + + ([{'name': 'matrix-sliding-sync.service', 'priority': 4000, 'groups': ['matrix', 'sliding-sync']}] if matrix_sliding_sync_enabled else []) + + ([{'name': 'matrix-sygnal.service', 'priority': 800, 'groups': ['matrix', 'sygnal']}] if matrix_sygnal_enabled else []) + ([{'name': 'matrix-goofys.service', 'priority': 800, 'groups': ['matrix', 'goofys']}] if matrix_s3_media_store_enabled else []) @@ -2612,6 +2614,8 @@ matrix_nginx_proxy_systemd_wanted_services_list: | + (['matrix-jitsi.service'] if matrix_jitsi_enabled else []) + + (['matrix-sliding-sync-proxy.service'] if matrix_sliding_sync_enabled else []) + + (['matrix-bot-go-neb.service'] if matrix_bot_go_neb_enabled else []) + ([etherpad_identifier + '.service'] if etherpad_enabled else []) @@ -2745,6 +2749,12 @@ devture_postgres_managed_databases_auto: | 'password': matrix_dendrite_database_password, }] if (matrix_dendrite_enabled and matrix_dendrite_database_hostname == devture_postgres_connection_hostname) else []) + + ([{ + 'name': matrix_sliding_sync_database_name, + 'username': matrix_sliding_sync_database_username, + 'password': matrix_sliding_sync_database_password, + }] if (matrix_sliding_sync_enabled) else []) + + ([{ 'name': matrix_ma1sd_database_name, 'username': matrix_ma1sd_database_username, 
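Review bot: The unit added to `matrix_nginx_proxy_systemd_wanted_services_list` is `matrix-sliding-sync-proxy.service`, but the unit registered in `devture_systemd_service_manager_services_list_auto` a few lines earlier is `matrix-sliding-sync.service`. systemd silently ignores a `Wants=` on a unit that does not exist, so nginx-proxy will neither pull in nor be ordered after the sliding-sync container; change the entry to `(['matrix-sliding-sync.service'] if matrix_sliding_sync_enabled else [])`. Given that the commit message says matrix-nginx-proxy support was dropped for this service, the whole entry may be dead code rather than a typo — either way it should not name a non-existent unit.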
@@ -3639,6 +3649,63 @@ matrix_registration_database_password: "{{ '%s' | format(matrix_homeserver_gener ###################################################################### + +###################################################################### +# +# matrix-sliding-sync +# +###################################################################### + +# We don't enable the sliding sync proxy by default. +matrix_sliding_sync_enabled: false + +matrix_sliding_sync_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}" + +matrix_sliding_sync_hostname: "{{ matrix_server_fqn_matrix }}" + +matrix_sliding_sync_path_prefix: /sliding-sync + +matrix_sliding_sync_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}" + +matrix_sliding_sync_container_additional_networks: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + + + ([matrix_nginx_proxy_container_network] if matrix_nginx_proxy_enabled and matrix_nginx_proxy_container_network != matrix_sliding_sync_container_network else []) + + + ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != matrix_sliding_sync_container_network else []) + ) | unique + }} + +matrix_sliding_sync_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" +matrix_sliding_sync_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_sliding_sync_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_sliding_sync_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +matrix_sliding_sync_systemd_required_services_list: | + {{ + ['docker.service'] + + + ['matrix-' + matrix_homeserver_implementation + '.service'] + + + ([devture_postgres_identifier ~ '.service'] if 
devture_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + }} + +matrix_sliding_sync_environment_variable_syncv3_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ss.secret', rounds=655555) | to_uuid }}" + +matrix_sliding_sync_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_sliding_sync_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ss.db', rounds=655555) | to_uuid }}" + +###################################################################### +# +# /matrix-sliding-sync +# +###################################################################### + + ###################################################################### # # matrix-dendrite diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index e72269eea..a2b7f2b8b 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml @@ -105,6 +105,7 @@ - custom/matrix-dimension - galaxy/etherpad - custom/etherpad-proxy-connect + - custom/matrix-sliding-sync - custom/matrix-email2matrix - custom/matrix-sygnal - galaxy/ntfy diff --git a/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 b/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 index 45fc9b66c..45c3ea2a0 100644 --- a/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 +++ b/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 @@ -26,6 +26,11 @@ "preferredDomain": {{ matrix_client_element_jitsi_preferredDomain|to_json }} } {% endif %} + {% if matrix_sliding_sync_enabled %}, + "org.matrix.msc3575.proxy": { + "url": "{{ matrix_sliding_sync_base_url }}" + } + {% endif %} {% if matrix_client_element_location_sharing_enabled %}, "m.tile_server": { "map_style_url": "https://{{ matrix_server_fqn_element }}/map_style.json" 
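Review bot: `matrix_sliding_sync_systemd_required_services_list` adds a hard `Requires=` on `matrix-nginx-proxy.service` and `matrix_sliding_sync_container_additional_networks` joins `matrix_nginx_proxy_container_network` whenever nginx-proxy is enabled, although the commit message says nginx-proxy support was dropped; on such an installation the proxy container is still attached to the nginx network and tied to its lifecycle without any route serving it. Consider dropping both nginx-related entries from this block, or adding a comment next to them explaining why they are kept. It is also worth a one-line comment above `matrix_sliding_sync_environment_variable_syncv3_secret` noting that, like the other derived secrets in this file, it is derived from `matrix_homeserver_generic_secret_key` and therefore rotates with it.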
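Review bot: The `url` value in the new `org.matrix.msc3575.proxy` section is emitted as `"{{ matrix_sliding_sync_base_url }}"` with hand-written quotes, while the neighbouring `preferredDomain` line uses `|to_json`; a hostname or path prefix containing a quote or backslash would make `/.well-known/matrix/client` invalid JSON. Use `"url": {{ matrix_sliding_sync_base_url | to_json }}` for consistency and correct escaping.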
diff --git a/roles/custom/matrix-sliding-sync/defaults/main.yml b/roles/custom/matrix-sliding-sync/defaults/main.yml
new file mode 100644
index 000000000..f66b3b614
--- /dev/null
+++ b/roles/custom/matrix-sliding-sync/defaults/main.yml
@@ -0,0 +1,91 @@
+---
+
+# Sliding Sync Proxy is an implementation of MSC3575 for the new sliding sync
+
+matrix_sliding_sync_enabled: true
+
+matrix_sliding_sync_version: v0.99.1
+
+matrix_sliding_sync_scheme: https
+
+# The hostname at which sliding-sync is served.
+matrix_sliding_sync_hostname: ''
+
+# The path at which sliding-sync is served.
+# This value must either be `/` or not end with a slash (e.g. `/sliding-sync`).
+matrix_sliding_sync_path_prefix: /
+
+matrix_sliding_sync_base_path: "{{ matrix_base_data_path }}/sliding-sync"
+
+matrix_sliding_sync_container_image_self_build: false
+matrix_sliding_sync_container_image_self_build_repo: https://github.com/matrix-org/sliding-sync
+matrix_sliding_sync_container_image_self_build_repo_version: "{{ 'main' if matrix_sliding_sync_version == 'main' else matrix_sliding_sync_version }}"
+matrix_sliding_sync_container_src_path: "{{ matrix_sliding_sync_base_path }}/container-src"
+
+matrix_sliding_sync_container_image: "{{ matrix_sliding_sync_container_image_name_prefix }}matrix-org/sliding-sync:{{ matrix_sliding_sync_container_image_tag }}"
+matrix_sliding_sync_container_image_name_prefix: "{{ 'localhost/' if matrix_sliding_sync_container_image_self_build else matrix_sliding_sync_container_image_registry_prefix }}"
+matrix_sliding_sync_container_image_tag: "{{ matrix_sliding_sync_version }}"
+matrix_sliding_sync_container_image_force_pull: "{{ matrix_sliding_sync_container_image.endswith(':main') }}"
+matrix_sliding_sync_container_image_registry_prefix: ghcr.io/
+
+# The base container network. It will be auto-created by this role if it doesn't exist already.
+matrix_sliding_sync_container_network: matrix-sliding-sync
+
+# A list of additional container networks that the container would be connected to.
+# The role does not create these networks, so make sure they already exist.
+# Use this to expose this container to another reverse proxy, which runs in a different container network.
+matrix_sliding_sync_container_additional_networks: []
+
+# matrix_sliding_sync_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
+# See `../templates/labels.j2` for details.
+#
+# To inject your own other container labels, see `matrix_sliding_sync_container_labels_additional_labels`.
+matrix_sliding_sync_container_labels_traefik_enabled: true
+matrix_sliding_sync_container_labels_traefik_docker_network: "{{ matrix_sliding_sync_container_network }}"
+matrix_sliding_sync_container_labels_traefik_hostname: "{{ matrix_sliding_sync_hostname }}"
+# The path prefix must either be `/` or not end with a slash (e.g. `/sliding-sync`).
+matrix_sliding_sync_container_labels_traefik_path_prefix: "{{ matrix_sliding_sync_path_prefix }}"
+matrix_sliding_sync_container_labels_traefik_rule: "Host(`{{ matrix_sliding_sync_container_labels_traefik_hostname }}`){% if matrix_sliding_sync_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_sliding_sync_container_labels_traefik_path_prefix }}`){% endif %}"
+matrix_sliding_sync_container_labels_traefik_priority: 0
+matrix_sliding_sync_container_labels_traefik_entrypoints: web-secure
+matrix_sliding_sync_container_labels_traefik_tls: "{{ matrix_sliding_sync_container_labels_traefik_entrypoints != 'web' }}"
+matrix_sliding_sync_container_labels_traefik_tls_certResolver: default # noqa var-naming
+
+# Controls which additional headers to attach to all HTTP responses.
+# To add your own headers, use `matrix_sliding_sync_container_labels_traefik_additional_response_headers_custom`
+matrix_sliding_sync_container_labels_traefik_additional_response_headers: "{{ matrix_sliding_sync_container_labels_traefik_additional_response_headers_auto | combine(matrix_sliding_sync_container_labels_traefik_additional_response_headers_custom) }}"
+matrix_sliding_sync_container_labels_traefik_additional_response_headers_auto: {}
+matrix_sliding_sync_container_labels_traefik_additional_response_headers_custom: {}
+
+# matrix_sliding_sync_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
+# See `../templates/labels.j2` for details.
+#
+# Example:
+# matrix_sliding_sync_container_labels_additional_labels: |
+# my.label=1
+# another.label="here"
+matrix_sliding_sync_container_labels_additional_labels: ''
+
+# A list of extra arguments to pass to the container
+matrix_sliding_sync_container_extra_arguments: []
+
+# List of systemd services that matrix-sliding-sync-proxy.service depends on
+matrix_sliding_sync_systemd_required_services_list: ["docker.service"]
+
+# List of systemd services that matrix-sliding-sync-proxy.service wants
+matrix_sliding_sync_systemd_wanted_services_list: []
+
+# Controls the SYNCV3_SERVER environment variable
+matrix_sliding_sync_environment_variable_syncv3_server: "{{ matrix_homeserver_container_url }}"
+
+# Controls the SYNCV3_SECRET environment variable
+matrix_sliding_sync_environment_variable_syncv3_secret: ''
+
+# Controls the SYNCV3_DB environment variable
+matrix_sliding_sync_environment_variable_syncv3_db: 'user={{ matrix_sliding_sync_database_username }} password={{ matrix_sliding_sync_database_password }} host={{ matrix_sliding_sync_database_hostname }} port={{ matrix_sliding_sync_database_port }} dbname={{ matrix_sliding_sync_database_name }} sslmode=disable'
+
+matrix_sliding_sync_database_username: 'matrix_sliding_sync'
+matrix_sliding_sync_database_password: ''
+matrix_sliding_sync_database_hostname: ''
+matrix_sliding_sync_database_port: 5432
+matrix_sliding_sync_database_name: 'matrix_sliding_sync'
diff --git a/roles/custom/matrix-sliding-sync/tasks/install.yml b/roles/custom/matrix-sliding-sync/tasks/install.yml
new file mode 100644
index 000000000..26717afda
--- /dev/null
+++ b/roles/custom/matrix-sliding-sync/tasks/install.yml
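Review bot: `sslmode=disable` is hard-coded inside `matrix_sliding_sync_environment_variable_syncv3_db`, so an operator pointing `matrix_sliding_sync_database_hostname` at an external Postgres can only require TLS by overriding the entire DSN, password interpolation included. Factoring it out as `matrix_sliding_sync_database_sslmode: disable` and writing `sslmode={{ matrix_sliding_sync_database_sslmode }}` keeps the current default while allowing `require` or `verify-full`. Separately, the comments above `matrix_sliding_sync_systemd_required_services_list` and `matrix_sliding_sync_systemd_wanted_services_list` refer to `matrix-sliding-sync-proxy.service`, but the unit this role installs is `matrix-sliding-sync.service`.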
@@ -0,0 +1,69 @@ +--- + +- name: Ensure matrix-sliding-sync paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - path: "{{ matrix_sliding_sync_base_path }}" + when: true + - path: "{{ matrix_sliding_sync_container_src_path }}" + when: "{{ matrix_sliding_sync_container_image_self_build }}" + when: item.when | bool + +- name: Ensure matrix-sliding-sync support files installed + ansible.builtin.template: + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_sliding_sync_base_path }}/{{ item }}" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - env + - labels + +- name: Ensure matrix-sliding-sync container image is pulled + community.docker.docker_image: + name: "{{ matrix_sliding_sync_container_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_sliding_sync_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_sliding_sync_container_image_force_pull }}" + when: "not matrix_sliding_sync_container_image_self_build | bool" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- when: matrix_sliding_sync_container_image_self_build | bool + block: + - name: Ensure matrix-sliding-sync repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_sliding_sync_container_image_self_build_repo }}" + version: "{{ matrix_sliding_sync_container_image_self_build_repo_version }}" + dest: "{{ matrix_sliding_sync_container_src_path }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: 
matrix_sliding_sync_git_pull_results + + - name: Ensure matrix-sliding-sync container image is built + ansible.builtin.command: + cmd: |- + {{ devture_systemd_docker_base_host_command_docker }} buildx build + --tag={{ matrix_sliding_sync_container_image }} + --file={{ matrix_sliding_sync_container_src_path }}/Dockerfile + {{ matrix_sliding_sync_container_src_path }} + +- name: Ensure matrix-sliding-sync container network is created + community.general.docker_network: + name: "{{ matrix_sliding_sync_container_network }}" + driver: bridge + +- name: Ensure matrix-sliding-sync.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-sliding-sync.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-sliding-sync.service" + mode: 0644 diff --git a/roles/custom/matrix-sliding-sync/tasks/main.yml b/roles/custom/matrix-sliding-sync/tasks/main.yml new file mode 100644 index 000000000..71e7391b4 --- /dev/null +++ b/roles/custom/matrix-sliding-sync/tasks/main.yml @@ -0,0 +1,19 @@ +--- +- block: + - when: matrix_sliding_sync_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_sliding_sync_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" + tags: + - setup-all + - setup-sliding-sync + - install-all + - install-sliding-sync + +- block: + - when: not matrix_sliding_sync_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" + tags: + - setup-all + - setup-sliding-sync diff --git a/roles/custom/matrix-sliding-sync/tasks/uninstall.yml b/roles/custom/matrix-sliding-sync/tasks/uninstall.yml new file mode 100644 index 000000000..8a559cacc --- /dev/null +++ b/roles/custom/matrix-sliding-sync/tasks/uninstall.yml 
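Review bot: The network task uses `community.general.docker_network` while the image task in the same file uses `community.docker.docker_image`; the docker modules live in `community.docker`, and the `community.general` name appears to work only through a deprecated redirect. `community.docker.docker_network` keeps the role on a single collection. The self-build `ansible.builtin.command` task also has no `changed_when`, so it reports a change on every run even when the image is unchanged.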
@@ -0,0 +1,25 @@ +--- + +- name: Check existence of matrix-sliding-sync service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-sliding-sync.service" + register: matrix_sliding_sync_service_stat + +- when: matrix_sliding_sync_service_stat.stat.exists | bool + block: + - name: Ensure matrix-sliding-sync is stopped + ansible.builtin.service: + name: matrix-sliding-sync + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure matrix-sliding-sync.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-sliding-sync.service" + state: absent + + - name: Ensure matrix-sliding-sync paths don't exist + ansible.builtin.file: + path: "{{ matrix_sliding_sync_base_path }}" + state: absent diff --git a/roles/custom/matrix-sliding-sync/tasks/validate_config.yml b/roles/custom/matrix-sliding-sync/tasks/validate_config.yml new file mode 100644 index 000000000..5d36403ce --- /dev/null +++ b/roles/custom/matrix-sliding-sync/tasks/validate_config.yml @@ -0,0 +1,11 @@ +--- +- name: Fail if required matrix-sliding-sync settings not defined + ansible.builtin.fail: + msg: > + You need to define a required configuration setting (`{{ item.name }}`). + when: "vars[item] == ''" + with_items: + - matrix_sliding_sync_hostname + - matrix_sliding_sync_path_prefix + - matrix_sliding_sync_database_hostname + - matrix_sliding_sync_environment_variable_syncv3_secret diff --git a/roles/custom/matrix-sliding-sync/templates/env.j2 b/roles/custom/matrix-sliding-sync/templates/env.j2 new file mode 100644 index 000000000..1269bd2a1 --- /dev/null +++ b/roles/custom/matrix-sliding-sync/templates/env.j2 @@ -0,0 +1,4 @@ +SYNCV3_SERVER={{ matrix_sliding_sync_environment_variable_syncv3_server }} +SYNCV3_SECRET={{ matrix_sliding_sync_environment_variable_syncv3_secret }} +SYNCV3_BINDADDR=:8008 +SYNCV3_DB={{ matrix_sliding_sync_environment_variable_syncv3_db }} 
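Review bot: In validate_config.yml the failure message interpolates `{{ item.name }}`, but `with_items` iterates plain strings, so when a setting is missing the `fail` task would itself raise an undefined-variable error instead of naming the setting; use `{{ item }}` as the `when:` clause already does. The list also omits `matrix_sliding_sync_database_password`, even though that value is interpolated into `matrix_sliding_sync_environment_variable_syncv3_db`; adding `- matrix_sliding_sync_database_password` makes an empty password fail early instead of producing a DSN with `password=`.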
diff --git a/roles/custom/matrix-sliding-sync/templates/labels.j2 b/roles/custom/matrix-sliding-sync/templates/labels.j2
new file mode 100644
index 000000000..665492499
--- /dev/null
+++ b/roles/custom/matrix-sliding-sync/templates/labels.j2
@@ -0,0 +1,45 @@
+{% if matrix_sliding_sync_container_labels_traefik_enabled %}
+traefik.enable=true
+
+{% if matrix_sliding_sync_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_sliding_sync_container_labels_traefik_docker_network }}
+{% endif %}
+
+{% set middlewares = [] %}
+
+{% if matrix_sliding_sync_container_labels_traefik_path_prefix != '/' %}
+traefik.http.middlewares.matrix-sliding-sync-slashless-redirect.redirectregex.regex=({{ matrix_sliding_sync_container_labels_traefik_path_prefix | quote }})$
+traefik.http.middlewares.matrix-sliding-sync-slashless-redirect.redirectregex.replacement=${1}/
+{% set middlewares = middlewares + ['matrix-sliding-sync-slashless-redirect'] %}
+{% endif %}
+
+{% if matrix_sliding_sync_container_labels_traefik_path_prefix != '/' %}
+traefik.http.middlewares.matrix-sliding-sync-strip-prefix.stripprefix.prefixes={{ matrix_sliding_sync_container_labels_traefik_path_prefix }}
+{% set middlewares = middlewares + ['matrix-sliding-sync-strip-prefix'] %}
+{% endif %}
+
+{% if matrix_sliding_sync_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
+{% for name, value in matrix_sliding_sync_container_labels_traefik_additional_response_headers.items() %}
+traefik.http.middlewares.matrix-sliding-sync-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
+{% endfor %}
+{% set middlewares = middlewares + ['matrix-sliding-sync-add-headers'] %}
+{% endif %}
+
+traefik.http.routers.matrix-sliding-sync.rule={{ matrix_sliding_sync_container_labels_traefik_rule }}
+{% if matrix_sliding_sync_container_labels_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-sliding-sync.priority={{ matrix_sliding_sync_container_labels_traefik_priority }}
+{% endif %}
+traefik.http.routers.matrix-sliding-sync.service=matrix-sliding-sync
+{% if middlewares | length > 0 %}
+traefik.http.routers.matrix-sliding-sync.middlewares={{ middlewares | join(',') }}
+{% endif %}
+traefik.http.routers.matrix-sliding-sync.entrypoints={{ matrix_sliding_sync_container_labels_traefik_entrypoints }}
+traefik.http.routers.matrix-sliding-sync.tls={{ matrix_sliding_sync_container_labels_traefik_tls | to_json }}
+{% if matrix_sliding_sync_container_labels_traefik_tls %}
+traefik.http.routers.matrix-sliding-sync.tls.certResolver={{ matrix_sliding_sync_container_labels_traefik_tls_certResolver }}
+{% endif %}
+
+traefik.http.services.matrix-sliding-sync.loadbalancer.server.port=8008
+{% endif %}
+
+{{ matrix_sliding_sync_container_labels_additional_labels }}
diff --git a/roles/custom/matrix-sliding-sync/templates/systemd/matrix-sliding-sync.service.j2 b/roles/custom/matrix-sliding-sync/templates/systemd/matrix-sliding-sync.service.j2
new file mode 100644
index 000000000..ac8d2ffb5
--- /dev/null
+++ b/roles/custom/matrix-sliding-sync/templates/systemd/matrix-sliding-sync.service.j2
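Review bot: The slashless-redirect middleware builds its regex from the path prefix with `| quote`, which is a shell-quoting filter rather than a regex escape; for the default `/sliding-sync` it is a no-op, but a prefix containing regex metacharacters would yield a different pattern than intended. `regex_escape` matches the intent: `traefik.http.middlewares.matrix-sliding-sync-slashless-redirect.redirectregex.regex=({{ matrix_sliding_sync_container_labels_traefik_path_prefix | regex_escape }})$`. If this template was copied from the playbook's other `labels.j2` files, the same likely applies there.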
@@ -0,0 +1,49 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=matrix-sliding-sync
+{% for service in matrix_sliding_sync_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_sliding_sync_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-sliding-sync 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-sliding-sync 2>/dev/null || true'
+
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
+ --rm \
+ --name=matrix-sliding-sync \
+ --log-driver=none \
+ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+ --cap-drop=ALL \
+ --read-only \
+ --tmpfs /tmp \
+ --network={{ matrix_sliding_sync_container_network }} \
+ --env-file={{ matrix_sliding_sync_base_path }}/env \
+ --label-file={{ matrix_sliding_sync_base_path }}/labels \
+ {% for arg in matrix_sliding_sync_container_extra_arguments %}
+ {{ arg }} \
+ {% endfor %}
+ {{ matrix_sliding_sync_container_image }}
+
+{% for network in matrix_sliding_sync_container_additional_networks %}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-sliding-sync
+{% endfor %}
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-sliding-sync
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-sliding-sync 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-sliding-sync 2>/dev/null || true'
+
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-sliding-sync
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/custom/matrix-sliding-sync/vars/main.yml b/roles/custom/matrix-sliding-sync/vars/main.yml
new file mode 100644
index 000000000..8ec69c087
--- /dev/null
+++ b/roles/custom/matrix-sliding-sync/vars/main.yml
@@ -0,0 +1,5 @@
+---
+
+# Public facing base URL of the Sliding Sync service.
+# It should not end with a slash.
+matrix_sliding_sync_base_url: "{{ matrix_sliding_sync_scheme }}://{{ matrix_sliding_sync_hostname }}{{ '' if matrix_sliding_sync_path_prefix == '/' else matrix_sliding_sync_path_prefix }}"
From 6c1a39e6e9efbe0c1637006c8be16238e70845b3 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Tue, 7 Mar 2023 12:22:04 +0200
Subject: [PATCH 575/915] Announce sliding-sync support

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2515
---
 CHANGELOG.md | 11 +++++
 README.md | 1 +
 ...configuring-playbook-sliding-sync-proxy.md | 47 +++++++++++++++++++
 docs/configuring-playbook.md | 2 +
 4 files changed, 61 insertions(+)
 create mode 100644 docs/configuring-playbook-sliding-sync-proxy.md
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1aedacc30..49262d63b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,14 @@ +# 2023-03-07 + +## Sliding Sync Proxy (Element X) support + +Thanks to [Benjamin Kampmann](https://github.com/gnunicorn) for [getting it started](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2515), [FSG-Cat](https://github.com/FSG-Cat) for fixing it up and me ([Slavi](https://github.com/spantaleev)) for polishing it up, the playbook can now install and configure the [sliding-sync proxy](https://github.com/matrix-org/sliding-sync). + +The new Element X clients ([Element X iOS](https://github.com/vector-im/element-x-ios) and [Element X Android](https://github.com/vector-im/element-x-android)) require the `sliding-sync` proxy to do their job. These clients are still in beta, and now playbook users can easily give them a try and help test them thanks to us having `sliding-sync` support. + +To get started, see our [Setting up Sliding Sync Proxy](docs/configuring-playbook-sliding-sync-proxy.md) documentation page. + + # 2023-03-02 ## The matrix-etherpad role lives independently now diff --git a/README.md b/README.md index bd37d23ef..185c40851 100644 --- a/README.md +++ b/README.md 
@@ -162,6 +162,7 @@ Various services that don't fit any other category. | Name | Default? | Description | Documentation | | ---- | -------- | ----------- | ------------- | +| [sliding-sync](https://github.com/matrix-org/sliding-sync)| x | Sliding Sync support for clients which require it (e.g. Element X) | [Link](docs/configuring-playbook-sliding-sync-proxy.md) | | [synapse-simple-antispam](https://github.com/t2bot/synapse-simple-antispam) (advanced) | x | A spam checker module | [Link](docs/configuring-playbook-synapse-simple-antispam.md) | | [Matrix Corporal](https://github.com/devture/matrix-corporal) (advanced) | x | Reconciliator and gateway for a managed Matrix server | [Link](docs/configuring-playbook-matrix-corporal.md) | | [Etherpad](https://etherpad.org) | x | An open source collaborative text editor | [Link](docs/configuring-playbook-etherpad.md) | diff --git a/docs/configuring-playbook-sliding-sync-proxy.md b/docs/configuring-playbook-sliding-sync-proxy.md new file mode 100644 index 000000000..c07d1db41 --- /dev/null +++ b/docs/configuring-playbook-sliding-sync-proxy.md 
@@ -0,0 +1,47 @@ +# Setting up Sliding Sync Proxy (optional) + +The playbook can install and configure [sliding-sync](https://github.com/matrix-org/sliding-sync) proxy for you. + +Sliding Sync is an implementation of [MSC3575](https://github.com/matrix-org/matrix-spec-proposals/blob/kegan/sync-v3/proposals/3575-sync.md) and a prerequisite for running the new (still beta) Element X clients ([Element X iOS](https://github.com/vector-im/element-x-ios) and [Element X Android](https://github.com/vector-im/element-x-android)). + +See the project's [documentation](https://github.com/matrix-org/sliding-syncb) to learn more. + +**NOTE**: The Sliding Sync proxy **only works with the Traefik reverse-proxy**. If you have an old server installation (from the time `matrix-nginx-proxy` was our default reverse-proxy - `matrix_playbook_reverse_proxy_type: playbook-managed-nginx`), you won't be able to use Sliding Sync. + + +## Decide on a domain and path + +By default, the Sliding Sync proxy is configured to be served on the Matrix domain (`matrix.DOMAIN`, controlled by `matrix_server_fqn_matrix`), under the `/sliding-sync` path. + +This makes it easy to set it up, **without** having to [adjust your DNS records](#adjusting-dns-records). + +If you'd like to run the Sliding Sync proxy on another hostname or path, use the `matrix_sliding_sync_hostname` and `matrix_sliding_sync_path_prefix` variables. + + +## Adjusting DNS records + +If you've changed the default hostame, **you may need to adjust your DNS** records. + + +## Adjusting the playbook configuration + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: + +```yaml +matrix_sliding_sync_enabled: true +``` + + +## Installing + +After potentially [adjusting DNS records](#adjusting-dns-records) and configuring the playbook, run the [installation](installing.md) command again: `just install-all`. + + +## Usage + +You **don't need to do anything special** to make use of the Sliding Sync Proxy. 
+Simply open your client which supports Sliding Sync (like Element X) and log in. + +When the Sliding Sync proxy is [installed](#installing), your `/.well-known/matrix/client` file is also updated. A new `org.matrix.msc3575.proxy` section and `url` property are added there and made to point to your Sliding Sync proxy's base URL (e.g. `https://matrix.DOMAIN/sliding-sync`). + +This allows clients which support Sliding Sync to detect the Sliding Sync Proxy's URL and make use of it. diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index b4bae7869..68a2658a6 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -195,6 +195,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins ### Other specialized services +- [Setting up the Sliding Sync Proxy](configuring-playbook-sliding-sync-proxy.md) for clients which require Sliding Sync support (like Element X) (optional) + - [Setting up the Sygnal push gateway](configuring-playbook-sygnal.md) (optional) - [Setting up the ntfy push notifications server](configuring-playbook-ntfy.md) (optional) From bf95204860e79e3e7821fd2380d63e461a74076a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 7 Mar 2023 14:44:30 +0200 Subject: [PATCH 576/915] Mention Element X Android not being quite ready for testing yet --- CHANGELOG.md | 2 +- docs/configuring-playbook-sliding-sync-proxy.md | 8 ++++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 49262d63b..7e9e2545b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,7 +4,7 @@ Thanks to [Benjamin Kampmann](https://github.com/gnunicorn) for [getting it started](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2515), [FSG-Cat](https://github.com/FSG-Cat) for fixing it up and me ([Slavi](https://github.com/spantaleev)) for polishing it up, the playbook can now install and configure the [sliding-sync proxy](https://github.com/matrix-org/sliding-sync). -The new Element X clients ([Element X iOS](https://github.com/vector-im/element-x-ios) and [Element X Android](https://github.com/vector-im/element-x-android)) require the `sliding-sync` proxy to do their job. These clients are still in beta, and now playbook users can easily give them a try and help test them thanks to us having `sliding-sync` support. +The upcoming Element X clients ([Element X iOS](https://github.com/vector-im/element-x-ios) and [Element X Android](https://github.com/vector-im/element-x-android)) require the `sliding-sync` proxy to do their job. **These clients are still in beta** (especially Element X Android, which requires manual compilation to get it working with a non-`matrix.org` homeseserver). Playbook users can now easily give these clients a try and help test them thanks to us having `sliding-sync` support. To get started, see our [Setting up Sliding Sync Proxy](docs/configuring-playbook-sliding-sync-proxy.md) documentation page. diff --git a/docs/configuring-playbook-sliding-sync-proxy.md b/docs/configuring-playbook-sliding-sync-proxy.md index c07d1db41..49e0483a3 100644 --- a/docs/configuring-playbook-sliding-sync-proxy.md +++ b/docs/configuring-playbook-sliding-sync-proxy.md 
@@ -2,9 +2,13 @@ The playbook can install and configure [sliding-sync](https://github.com/matrix-org/sliding-sync) proxy for you. -Sliding Sync is an implementation of [MSC3575](https://github.com/matrix-org/matrix-spec-proposals/blob/kegan/sync-v3/proposals/3575-sync.md) and a prerequisite for running the new (still beta) Element X clients ([Element X iOS](https://github.com/vector-im/element-x-ios) and [Element X Android](https://github.com/vector-im/element-x-android)). +Sliding Sync is an implementation of [MSC3575](https://github.com/matrix-org/matrix-spec-proposals/blob/kegan/sync-v3/proposals/3575-sync.md) and a prerequisite for running the new (**still beta**) Element X clients ([Element X iOS](https://github.com/vector-im/element-x-ios) and [Element X Android](https://github.com/vector-im/element-x-android)). -See the project's [documentation](https://github.com/matrix-org/sliding-syncb) to learn more. +See the project's [documentation](https://github.com/matrix-org/sliding-sync) to learn more. + +Element X iOS is [available on TestFlight](https://testflight.apple.com/join/uZbeZCOi). + +Element X Android requires manual compilation to get it working with a non-`matrix.org` homeseserver. It's also less feature-complete than the iOS version. **NOTE**: The Sliding Sync proxy **only works with the Traefik reverse-proxy**. If you have an old server installation (from the time `matrix-nginx-proxy` was our default reverse-proxy - `matrix_playbook_reverse_proxy_type: playbook-managed-nginx`), you won't be able to use Sliding Sync. From dddfee16bc852fc989b057bd1867f0e85825846d Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Tue, 7 Mar 2023 17:28:10 +0200 Subject: [PATCH 577/915] Fix all 300+ ansible-lint-reported errors --- .../etherpad-proxy-connect/tasks/main.yml | 8 +-- .../tasks/validate_config.yml | 16 +++--- roles/custom/matrix-aux/tasks/main.yml | 6 +- roles/custom/matrix-base/tasks/main.yml | 24 ++++---- .../matrix-bot-buscarron/tasks/main.yml | 18 +++--- .../custom/matrix-bot-chatgpt/tasks/main.yml | 19 ++++--- .../custom/matrix-bot-draupnir/tasks/main.yml | 18 +++--- roles/custom/matrix-bot-go-neb/tasks/main.yml | 18 +++--- .../custom/matrix-bot-honoroit/tasks/main.yml | 18 +++--- .../tasks/main.yml | 18 +++--- .../tasks/main.yml | 18 +++--- roles/custom/matrix-bot-maubot/tasks/main.yml | 26 ++++----- .../custom/matrix-bot-mjolnir/tasks/main.yml | 18 +++--- .../matrix-bot-postmoogle/tasks/main.yml | 18 +++--- .../tasks/main.yml | 18 +++--- .../tasks/setup_install.yml | 5 +- .../tasks/main.yml | 18 +++--- .../tasks/setup_install.yml | 10 +--- .../tasks/main.yml | 18 +++--- .../tasks/main.yml | 26 ++++----- .../tasks/main.yml | 26 ++++----- .../tasks/main.yml | 18 +++--- .../tasks/main.yml | 18 +++--- .../tasks/setup_install.yml | 10 +++- .../matrix-bridge-heisenbridge/tasks/main.yml | 16 +++--- .../matrix-bridge-hookshot/defaults/main.yml | 10 ++-- .../matrix-bridge-hookshot/tasks/main.yml | 26 ++++----- .../tasks/setup_install.yml | 4 +- .../tasks/main.yml | 18 +++--- .../tasks/main.yml | 26 ++++----- .../tasks/setup_install.yml | 5 +- .../tasks/main.yml | 26 ++++----- .../tasks/setup_install.yml | 5 +- .../tasks/main.yml | 26 ++++----- .../tasks/setup_install.yml | 5 +- .../tasks/main.yml | 26 ++++----- .../tasks/main.yml | 26 ++++----- .../tasks/main.yml | 18 +++--- .../tasks/main.yml | 26 ++++----- .../tasks/setup_install.yml | 5 +- .../tasks/main.yml | 26 ++++----- .../tasks/main.yml | 26 ++++----- .../tasks/setup_install.yml | 10 +++- .../tasks/main.yml | 18 +++--- .../tasks/main.yml | 18 +++--- .../tasks/setup_install.yml | 5 +- 
.../tasks/main.yml | 18 +++--- .../tasks/main.yml | 26 ++++----- .../tasks/setup_install.yml | 5 +- .../tasks/main.yml | 18 +++--- .../tasks/setup_install.yml | 5 +- .../tasks/main.yml | 26 ++++----- .../tasks/setup_install.yml | 5 +- roles/custom/matrix-bridge-sms/tasks/main.yml | 18 +++--- .../matrix-cactus-comments/tasks/main.yml | 26 ++++----- .../custom/matrix-client-cinny/tasks/main.yml | 24 ++++---- .../matrix-client-element/tasks/main.yml | 24 ++++---- .../tasks/setup_install.yml | 1 + .../matrix-client-hydrogen/tasks/main.yml | 24 ++++---- .../custom/matrix-common-after/tasks/main.yml | 6 +- roles/custom/matrix-conduit/tasks/main.yml | 16 +++--- roles/custom/matrix-corporal/tasks/main.yml | 24 ++++---- roles/custom/matrix-coturn/tasks/main.yml | 18 +++--- .../matrix-coturn/tasks/setup_install.yml | 4 +- roles/custom/matrix-dendrite/tasks/main.yml | 30 +++++----- .../matrix-dendrite/tasks/setup_install.yml | 24 ++++---- roles/custom/matrix-dimension/tasks/main.yml | 18 +++--- .../custom/matrix-dynamic-dns/tasks/main.yml | 18 +++--- .../custom/matrix-email2matrix/tasks/main.yml | 18 +++--- roles/custom/matrix-jitsi/tasks/main.yml | 56 +++++++++---------- .../util/setup_jitsi_auth_uvs_install.yml | 5 ++ .../tasks/main.yml | 26 ++++----- roles/custom/matrix-ma1sd/tasks/main.yml | 24 ++++---- .../matrix-ma1sd/tasks/setup_install.yml | 1 + roles/custom/matrix-mailer/tasks/main.yml | 16 +++--- .../custom/matrix-nginx-proxy/tasks/main.yml | 10 ++-- ...tup_ssl_lets_encrypt_obtain_for_domain.yml | 2 + ...etup_ssl_self_signed_obtain_for_domain.yml | 21 ++++--- .../tasks/main.yml | 24 ++++---- .../tasks/main.yml | 18 +++--- roles/custom/matrix-prometheus/tasks/main.yml | 18 +++--- .../custom/matrix-rageshake/tasks/install.yml | 1 + roles/custom/matrix-rageshake/tasks/main.yml | 19 ++++--- .../custom/matrix-registration/tasks/main.yml | 38 ++++++------- .../matrix-sliding-sync/tasks/install.yml | 1 + .../custom/matrix-sliding-sync/tasks/main.yml | 19 ++++--- 
roles/custom/matrix-sygnal/tasks/main.yml | 18 +++--- .../matrix-synapse-admin/tasks/main.yml | 26 ++++----- .../tasks/main.yml | 16 +++--- .../tasks/ext/setup_install.yml | 56 +++++++++---------- .../tasks/ext/setup_uninstall.yml | 48 ++++++++-------- roles/custom/matrix-synapse/tasks/main.yml | 56 +++++++++---------- .../matrix-synapse/tasks/setup_install.yml | 26 ++++----- .../matrix-synapse/tasks/setup_uninstall.yml | 26 ++++----- .../tasks/synapse/setup_install.yml | 33 +++++------ .../custom/matrix-user-creator/tasks/main.yml | 8 +-- .../tasks/main.yml | 18 +++--- .../matrix_playbook_migration/tasks/main.yml | 16 +++--- 98 files changed, 935 insertions(+), 888 deletions(-) diff --git a/roles/custom/etherpad-proxy-connect/tasks/main.yml b/roles/custom/etherpad-proxy-connect/tasks/main.yml index 67bf7d0e3..630ab87f1 100644 --- a/roles/custom/etherpad-proxy-connect/tasks/main.yml +++ b/roles/custom/etherpad-proxy-connect/tasks/main.yml @@ -1,12 +1,12 @@ --- - when: etherpad_enabled | bool and etherpad_nginx_proxy_dimension_integration_enabled | bool - block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - install-all - setup-all - install-nginx-proxy - setup-nginx-proxy + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" diff --git a/roles/custom/etherpad-proxy-connect/tasks/validate_config.yml b/roles/custom/etherpad-proxy-connect/tasks/validate_config.yml index 2127ce1a4..51a672ee5 100644 --- a/roles/custom/etherpad-proxy-connect/tasks/validate_config.yml +++ b/roles/custom/etherpad-proxy-connect/tasks/validate_config.yml 
@@ -1,30 +1,30 @@ --- -- when: matrix_playbook_reverse_proxy_type not in ['playbook-managed-nginx', 'other-nginx-non-container'] - name: Fail if reverse-proxy is not nginx +- name: Fail if reverse-proxy is not nginx + when: matrix_playbook_reverse_proxy_type not in ['playbook-managed-nginx', 'other-nginx-non-container'] ansible.builtin.fail: msg: > Etherpad's integration into matrix-nginx-proxy's Dimension server only makes sense if you're using matrix-nginx-proxy. `matrix_playbook_reverse_proxy_type` ({{ matrix_playbook_reverse_proxy_type }}) indicates that you're using another reverse-proxy. If you're using Traefik, you should configure `etherpad_hostname` and `etherpad_path_prefix` instead. -- when: not matrix_dimension_enabled - name: Fail if Dimension not enabled +- name: Fail if Dimension not enabled + when: not matrix_dimension_enabled ansible.builtin.fail: msg: > Etherpad's integration into matrix-nginx-proxy's Dimension server only makes sense if you're using Dimension. Looks like Dimension is not enabled in your configuration (judging by `matrix_dimension_enabled`). Consider configuring `etherpad_hostname` and `etherpad_path_prefix` instead. -- when: etherpad_hostname != matrix_server_fqn_dimension - name: Fail if Etherpad hostname does not match Dimension hostname +- name: Fail if Etherpad hostname does not match Dimension hostname + when: etherpad_hostname != matrix_server_fqn_dimension ansible.builtin.fail: msg: > Etherpad's integration into matrix-nginx-proxy's Dimension server requires that you set `etherpad_hostname` to `matrix_server_fqn_dimension`. 
Consider adding this to your configuration: `{% raw %}etherpad_hostname: "{{ matrix_server_fqn_dimension }}"{% endraw %}` -- when: etherpad_nginx_proxy_dimension_integration_path_prefix == '/' - name: Fail if / path prefix used for Etherpad +- name: Fail if / path prefix used for Etherpad + when: etherpad_nginx_proxy_dimension_integration_path_prefix == '/' ansible.builtin.fail: msg: > Etherpad's integration into matrix-nginx-proxy's Dimension server only makes sense if you're using a non-`/` path for Etherpad. diff --git a/roles/custom/matrix-aux/tasks/main.yml b/roles/custom/matrix-aux/tasks/main.yml index 57db09653..3ae8d1791 100644 --- a/roles/custom/matrix-aux/tasks/main.yml +++ b/roles/custom/matrix-aux/tasks/main.yml @@ -1,9 +1,9 @@ --- -- block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup.yml" - tags: +- tags: - setup-all - setup-aux-files - install-all - install-aux-files + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup.yml" diff --git a/roles/custom/matrix-base/tasks/main.yml b/roles/custom/matrix-base/tasks/main.yml index c67e20908..13ef11d5c 100644 --- a/roles/custom/matrix-base/tasks/main.yml +++ b/roles/custom/matrix-base/tasks/main.yml 
@@ -1,30 +1,28 @@ --- -- block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - tags: +- tags: - setup-all - install-all + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" # This needs to always run, because it populates `matrix_user_uid` and `matrix_user_gid`, # which are required by many other roles. -- block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_matrix_user.yml" - tags: +- tags: - always - setup-system-user - common + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_matrix_user.yml" -- block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml" - tags: +- tags: - setup-all - install-all - common + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml" -- block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_well_known.yml" - tags: +- tags: - setup-all - setup-ma1sd - setup-synapse @@ -37,3 +35,5 @@ - install-dendrite - install-conduit - install-nginx-proxy + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_well_known.yml" diff --git a/roles/custom/matrix-bot-buscarron/tasks/main.yml b/roles/custom/matrix-bot-buscarron/tasks/main.yml index b4a58e910..fbf5c96ac 100644 --- a/roles/custom/matrix-bot-buscarron/tasks/main.yml +++ b/roles/custom/matrix-bot-buscarron/tasks/main.yml 
@@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-bot-buscarron + - install-all + - install-bot-buscarron + block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_bot_buscarron_enabled | bool" - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" when: "run_setup | bool and matrix_bot_buscarron_enabled | bool" - tags: + +- tags: - setup-all - setup-bot-buscarron - - install-all - - install-bot-buscarron - -- block: + block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" when: "run_setup | bool and not matrix_bot_buscarron_enabled | bool" - tags: - - setup-all - - setup-bot-buscarron diff --git a/roles/custom/matrix-bot-chatgpt/tasks/main.yml b/roles/custom/matrix-bot-chatgpt/tasks/main.yml index c5487fb81..1086a62dd 100644 --- a/roles/custom/matrix-bot-chatgpt/tasks/main.yml +++ b/roles/custom/matrix-bot-chatgpt/tasks/main.yml @@ -1,20 +1,21 @@ --- -- block: +- + tags: + - setup-all + - setup-bot-chatgpt + - install-all + - install-bot-chatgpt + block: - when: matrix_bot_chatgpt_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_bot_chatgpt_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-bot-chatgpt - - install-all - - install-bot-chatgpt - -- block: + block: - when: not matrix_bot_chatgpt_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-bot-chatgpt diff --git a/roles/custom/matrix-bot-draupnir/tasks/main.yml b/roles/custom/matrix-bot-draupnir/tasks/main.yml index 686fe298c..66c7cd06e 100644 --- a/roles/custom/matrix-bot-draupnir/tasks/main.yml +++ b/roles/custom/matrix-bot-draupnir/tasks/main.yml 
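Review bot: The first task in matrix-bot-chatgpt/tasks/main.yml is written as a bare `-` on its own line with `tags:` on the next, whereas every sibling role touched by this commit (buscarron, draupnir, go-neb, honoroit, …) uses the one-line `- tags:` form; the YAML is equivalent but the stray layout reads like a leftover from the mechanical reorder. I'd collapse it to `- tags:` so the role files stay uniform. Moving `tags:`/`when:` ahead of `block:` is presumably what ansible-lint's key-order check asked for, and the rest of the hunk is consistent with the other roles.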
@@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-bot-draupnir + - install-all + - install-bot-draupnir + block: - when: matrix_bot_draupnir_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_bot_draupnir_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-bot-draupnir - - install-all - - install-bot-draupnir - -- block: + block: - when: not matrix_bot_draupnir_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-bot-draupnir diff --git a/roles/custom/matrix-bot-go-neb/tasks/main.yml b/roles/custom/matrix-bot-go-neb/tasks/main.yml index 3249fc7ba..9367419da 100644 --- a/roles/custom/matrix-bot-go-neb/tasks/main.yml +++ b/roles/custom/matrix-bot-go-neb/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-bot-go-neb + - install-all + - install-bot-go-neb + block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_bot_go_neb_enabled | bool" - ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" when: "run_setup | bool and matrix_bot_go_neb_enabled | bool" - tags: + +- tags: - setup-all - setup-bot-go-neb - - install-all - - install-bot-go-neb - -- block: + block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" when: "run_setup | bool and not matrix_bot_go_neb_enabled | bool" - tags: - - setup-all - - setup-bot-go-neb diff --git a/roles/custom/matrix-bot-honoroit/tasks/main.yml b/roles/custom/matrix-bot-honoroit/tasks/main.yml index d4dcbce4b..9b4e29089 100644 --- a/roles/custom/matrix-bot-honoroit/tasks/main.yml +++ b/roles/custom/matrix-bot-honoroit/tasks/main.yml 
@@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-bot-honoroit + - install-all + - install-bot-honoroit + block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_bot_honoroit_enabled | bool" - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" when: "run_setup | bool and matrix_bot_honoroit_enabled | bool" - tags: + +- tags: - setup-all - setup-bot-honoroit - - install-all - - install-bot-honoroit - -- block: + block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" when: "run_setup | bool and not matrix_bot_honoroit_enabled | bool" - tags: - - setup-all - - setup-bot-honoroit diff --git a/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml b/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml index 90ee56ccf..83291fb6d 100644 --- a/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml +++ b/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-bot-matrix-registration-bot + - install-all + - install-bot-matrix-registration-bot + block: - when: matrix_bot_matrix_registration_bot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_bot_matrix_registration_bot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-bot-matrix-registration-bot - - install-all - - install-bot-matrix-registration-bot - -- block: + block: - when: not matrix_bot_matrix_registration_bot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-bot-matrix-registration-bot diff --git a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/main.yml b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/main.yml index 22c014de6..f475afc06 100644 
--- a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/main.yml +++ b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-bot-matrix-reminder-bot + - install-all + - install-bot-matrix-reminder-bot + block: - when: matrix_bot_matrix_reminder_bot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_bot_matrix_reminder_bot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-bot-matrix-reminder-bot - - install-all - - install-bot-matrix-reminder-bot - -- block: + block: - when: not matrix_bot_matrix_reminder_bot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-bot-matrix-reminder-bot diff --git a/roles/custom/matrix-bot-maubot/tasks/main.yml b/roles/custom/matrix-bot-maubot/tasks/main.yml index 95fad19e5..3241795b5 100644 --- a/roles/custom/matrix-bot-maubot/tasks/main.yml +++ b/roles/custom/matrix-bot-maubot/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_bot_maubot_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_bot_maubot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-bot-maubot + - install-all + - install-bot-maubot + block: - when: matrix_bot_maubot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_bot_maubot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-bot-maubot - - install-all - - install-bot-maubot - -- block: + block: - when: not matrix_bot_maubot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-bot-maubot diff --git a/roles/custom/matrix-bot-mjolnir/tasks/main.yml b/roles/custom/matrix-bot-mjolnir/tasks/main.yml index def5c9f05..03f5ba905 100644 --- a/roles/custom/matrix-bot-mjolnir/tasks/main.yml +++ b/roles/custom/matrix-bot-mjolnir/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-bot-mjolnir + - install-all + - install-bot-mjolnir + block: - when: matrix_bot_mjolnir_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_bot_mjolnir_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-bot-mjolnir - - install-all - - install-bot-mjolnir - -- block: + block: - when: not matrix_bot_mjolnir_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-bot-mjolnir 
diff --git a/roles/custom/matrix-bot-postmoogle/tasks/main.yml b/roles/custom/matrix-bot-postmoogle/tasks/main.yml index a6bc76a35..b77040392 100644 --- a/roles/custom/matrix-bot-postmoogle/tasks/main.yml +++ b/roles/custom/matrix-bot-postmoogle/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-bot-postmoogle + - install-all + - install-bot-postmoogle + block: - when: matrix_bot_postmoogle_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_bot_postmoogle_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-bot-postmoogle - - install-all - - install-bot-postmoogle - -- block: + block: - when: not matrix_bot_postmoogle_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-bot-postmoogle diff --git a/roles/custom/matrix-bridge-appservice-discord/tasks/main.yml b/roles/custom/matrix-bridge-appservice-discord/tasks/main.yml index 926fe3670..88a772204 100644 --- a/roles/custom/matrix-bridge-appservice-discord/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-discord/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-appservice-discord + - install-all + - install-appservice-discord + block: - when: matrix_appservice_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_appservice_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-appservice-discord - - install-all - - install-appservice-discord - -- block: + block: - when: not matrix_appservice_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-appservice-discord 
diff --git a/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml b/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml index 4a6419edd..632948bcd 100644 --- a/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml @@ -65,7 +65,10 @@ when: "matrix_appservice_discord_stat_db.stat.exists" - name: (Data relocation) Move AppService Discord discord.db file to ./data directory - ansible.builtin.command: "mv {{ matrix_appservice_discord_base_path }}/{{ item }} {{ matrix_appservice_discord_data_path }}/{{ item }}" + ansible.builtin.command: + cmd: "mv {{ matrix_appservice_discord_base_path }}/{{ item }} {{ matrix_appservice_discord_data_path }}/{{ item }}" + creates: "{{ matrix_appservice_discord_data_path }}/{{ item }}" + removes: "{{ matrix_appservice_discord_base_path }}/{{ item }}" with_items: - discord.db - user-store.db diff --git a/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml b/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml index 1cc6b35c4..d46698480 100644 --- a/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-appservice-irc + - install-all + - install-appservice-irc + block: - when: matrix_appservice_irc_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_appservice_irc_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-appservice-irc - - install-all - - install-appservice-irc - -- block: + block: - when: not matrix_appservice_irc_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-appservice-irc 
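Review bot: Adding `creates:` to the data-relocation `mv` changes the outcome when both the legacy and the relocated copy of `discord.db`/`user-store.db` exist: the old bare `mv` overwrote the destination, the new task is silently skipped and the stale file stays behind in the base path, with no message. If that state is impossible after a completed migration it is worth saying so in a comment, e.g. `# creates/removes make this idempotent; a file still in the base path means an earlier run was interrupted — inspect before deleting`; otherwise a task that fails or warns when both paths exist is safer than a silent skip for a file that may hold bridge credentials. `removes:` also makes any `when: ..._stat_db.stat.exists` guard on this task redundant, but the task's trailing keys and the stat task that registers that variable are outside the hunk.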
diff --git a/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml index a5fdacded..69a9aa4c8 100644 --- a/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml @@ -108,16 +108,12 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" -- name: Check if Appservice IRC passkey exists - ansible.builtin.stat: - path: "{{ matrix_appservice_irc_data_path }}/passkey.pem" - register: irc_passkey_file - - name: Generate Appservice IRC passkey if it doesn't exist - ansible.builtin.shell: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_appservice_irc_data_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048" + ansible.builtin.shell: + cmd: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_appservice_irc_data_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048" + creates: "{{ matrix_appservice_irc_data_path }}/passkey.pem" become: true become_user: "{{ matrix_user_username }}" - when: "not irc_passkey_file.stat.exists" # In the past, we used to generate the passkey.pem file with root, so permissions may not be okay. # Fix it. diff --git a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/main.yml b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/main.yml index 14a30e65b..7a360024e 100644 --- a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/main.yml 
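Review bot: The passkey generation still runs under `ansible.builtin.shell` although the command uses no shell features, so `{{ matrix_host_command_openssl }}` and `{{ matrix_appservice_irc_data_path }}` are interpolated into a shell command line; `ansible.builtin.command:` with the same `cmd:` and `creates:` runs it without a shell, which is also what ansible-lint's command-instead-of-shell rule expects and fits this commit's purpose. Separately, `creates:` preserves the old stat-based behaviour that a zero-byte or truncated `passkey.pem` left by an interrupted run is never regenerated; a comment such as `# creates: skips regeneration even if the existing file is empty/corrupt — delete it to regenerate` would save a maintainer time. The permission fix referenced in the trailing comment is outside the hunk, so whether the freshly written private key is readable by other users before that task runs (it depends on the matrix user's umask) cannot be judged from here.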
@@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-appservice-kakaotalk + - install-all + - install-appservice-kakaotalk + block: - when: matrix_appservice_kakaotalk_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_appservice_kakaotalk_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-appservice-kakaotalk - - install-all - - install-appservice-kakaotalk - -- block: + block: - when: not matrix_appservice_kakaotalk_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-appservice-kakaotalk diff --git a/roles/custom/matrix-bridge-appservice-slack/tasks/main.yml b/roles/custom/matrix-bridge-appservice-slack/tasks/main.yml index 41e2679ed..6fb8ac7c9 100644 --- a/roles/custom/matrix-bridge-appservice-slack/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-slack/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_appservice_slack_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_appservice_slack_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-appservice-slack + - install-all + - install-appservice-slack + block: - when: matrix_appservice_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_appservice_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-appservice-slack - - install-all - - install-appservice-slack - -- block: + block: - when: not matrix_appservice_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-appservice-slack diff --git a/roles/custom/matrix-bridge-appservice-webhooks/tasks/main.yml b/roles/custom/matrix-bridge-appservice-webhooks/tasks/main.yml index ae36cf700..a40d66ddc 100644 --- a/roles/custom/matrix-bridge-appservice-webhooks/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-webhooks/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_appservice_webhooks_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_appservice_webhooks_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-appservice-webhooks + - install-all + - install-appservice-webhooks + block: - when: matrix_appservice_webhooks_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_appservice_webhooks_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-appservice-webhooks - - install-all - - install-appservice-webhooks - -- block: + block: - when: not matrix_appservice_webhooks_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-appservice-webhooks diff --git a/roles/custom/matrix-bridge-beeper-linkedin/tasks/main.yml b/roles/custom/matrix-bridge-beeper-linkedin/tasks/main.yml index 502280428..56eb91e52 100644 --- a/roles/custom/matrix-bridge-beeper-linkedin/tasks/main.yml +++ b/roles/custom/matrix-bridge-beeper-linkedin/tasks/main.yml 
@@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-beeper-linkedin + - install-all + - install-beeper-linkedin + block: - when: matrix_beeper_linkedin_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_beeper_linkedin_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-beeper-linkedin - - install-all - - install-beeper-linkedin - -- block: + block: - when: not matrix_beeper_linkedin_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-beeper-linkedin diff --git a/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml b/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml index 5bf9236b5..7ba914213 100644 --- a/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml +++ b/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-go-skype-bridge + - install-all + - install-go-skype-bridge + block: - when: matrix_go_skype_bridge_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_go_skype_bridge_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-go-skype-bridge - - install-all - - install-go-skype-bridge - -- block: + block: - when: not matrix_go_skype_bridge_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-go-skype-bridge diff --git a/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml b/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml index 6146637f5..7d8ccd8dd 100644 --- a/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml 
@@ -97,11 +97,17 @@ when: "matrix_go_skype_bridge_stat_database.stat.exists" - name: (Data relocation) Move go-skype-bridge database file to ./data directory - ansible.builtin.command: "mv {{ matrix_go_skype_bridge_base_path }}/go-skype-bridge.db {{ matrix_go_skype_bridge_data_path }}/go-skype-bridge.db" + ansible.builtin.command: + cmd: "mv {{ matrix_go_skype_bridge_base_path }}/go-skype-bridge.db {{ matrix_go_skype_bridge_data_path }}/go-skype-bridge.db" + creates: "{{ matrix_go_skype_bridge_data_path }}/go-skype-bridge.db" + removes: "{{ matrix_go_skype_bridge_base_path }}/go-skype-bridge.db" when: "matrix_go_skype_bridge_stat_database.stat.exists" - name: (Data relocation) Move go-skype-bridge mx-state file to ./data directory - ansible.builtin.command: "mv {{ matrix_go_skype_bridge_base_path }}/mx-state.json {{ matrix_go_skype_bridge_data_path }}/mx-state.json" + ansible.builtin.command: + cmd: "mv {{ matrix_go_skype_bridge_base_path }}/mx-state.json {{ matrix_go_skype_bridge_data_path }}/mx-state.json" + creates: "{{ matrix_go_skype_bridge_data_path }}/mx-state.json" + removes: "{{ matrix_go_skype_bridge_base_path }}/mx-state.json" when: "matrix_go_skype_bridge_stat_mx_state.stat.exists" - name: Ensure go-skype-bridge config.yaml installed diff --git a/roles/custom/matrix-bridge-heisenbridge/tasks/main.yml b/roles/custom/matrix-bridge-heisenbridge/tasks/main.yml index 0d8354cf9..5b92520d1 100644 --- a/roles/custom/matrix-bridge-heisenbridge/tasks/main.yml +++ b/roles/custom/matrix-bridge-heisenbridge/tasks/main.yml 
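Review bot: With `removes:` now on both `mv` tasks, the `when: "matrix_go_skype_bridge_stat_database.stat.exists"` and `when: "matrix_go_skype_bridge_stat_mx_state.stat.exists"` guards are redundant (Ansible already skips when the source path is absent), and the added `creates:` means an existing destination now causes a silent skip instead of the overwrite the old bare `mv` performed, leaving the legacy `go-skype-bridge.db`/`mx-state.json` in the base path. Either drop the `when:` lines or document the intent, e.g. `# removes:/creates: make the relocation idempotent; if both copies exist the legacy one is left in place untouched`. The stat tasks registering those variables are outside the hunk.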
@@ -1,17 +1,17 @@ --- -- block: - - when: matrix_heisenbridge_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: +- tags: - setup-all - setup-heisenbridge - install-all - install-heisenbridge + block: + - when: matrix_heisenbridge_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- block: - - when: not matrix_heisenbridge_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: +- tags: - setup-all - setup-heisenbridge + block: + - when: not matrix_heisenbridge_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index aa4ae45c2..3b65b92a6 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml 
@@ -122,15 +122,15 @@ matrix_hookshot_jira_oauth_redirect_uri: "{{ matrix_hookshot_urlprefix }}{{ matr # No need to change these matrix_hookshot_generic_enabled: true -matrix_hookshot_generic_enableHttpGet: false +matrix_hookshot_generic_enableHttpGet: false # noqa var-naming # Default value of matrix_hookshot_generic_endpoint: "/hookshot/webhooks" matrix_hookshot_generic_endpoint: "{{ matrix_hookshot_webhook_endpoint }}" # urlprefix gets updated with protocol & port in group_vars/matrix_servers -matrix_hookshot_generic_urlPrefix: "{{ matrix_hookshot_urlprefix }}{{ matrix_hookshot_generic_endpoint }}" +matrix_hookshot_generic_urlPrefix: "{{ matrix_hookshot_urlprefix }}{{ matrix_hookshot_generic_endpoint }}" # noqa var-naming # If you're also using matrix-appservice-webhooks, take care that these prefixes don't overlap -matrix_hookshot_generic_userIdPrefix: '_webhooks_' -matrix_hookshot_generic_allowJsTransformationFunctions: false -matrix_hookshot_generic_waitForComplete: false +matrix_hookshot_generic_userIdPrefix: '_webhooks_' # noqa var-naming +matrix_hookshot_generic_allowJsTransformationFunctions: false # noqa var-naming +matrix_hookshot_generic_waitForComplete: false # noqa var-naming matrix_hookshot_feeds_enabled: true diff --git a/roles/custom/matrix-bridge-hookshot/tasks/main.yml b/roles/custom/matrix-bridge-hookshot/tasks/main.yml index c7ffc3041..e2fa9936a 100644 --- a/roles/custom/matrix-bridge-hookshot/tasks/main.yml +++ b/roles/custom/matrix-bridge-hookshot/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_hookshot_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_hookshot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-hookshot + - install-all + - install-hookshot + block: - when: matrix_hookshot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_hookshot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-hookshot - - install-all - - install-hookshot - -- block: + block: - when: not matrix_hookshot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-hookshot diff --git a/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml b/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml index e9b277ce4..f0e8c1c62 100644 --- a/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml @@ -57,7 +57,9 @@ register: hookshot_passkey_file - name: Generate hookshot passkey if it doesn't exist - ansible.builtin.shell: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_hookshot_base_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096" + ansible.builtin.shell: + cmd: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_hookshot_base_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096" + creates: "{{ matrix_hookshot_base_path }}/passkey.pem" become: true become_user: "{{ matrix_user_username }}" when: "not hookshot_passkey_file.stat.exists" 
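Review bot: The private key that `genpkey` writes on the new `cmd:` line gets whatever mode the invoking user's umask produces, and the hunk sets none, so unless a task outside the hunk tightens it, `passkey.pem` may end up group- or world-readable. Since the task already uses the shell module, a restrictive umask can be set in place: `cmd: "umask 077 && {{ matrix_host_command_openssl }} genpkey -out {{ matrix_hookshot_base_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096"`. The added `creates:` duplicates the existing `when: "not hookshot_passkey_file.stat.exists"` guard; harmless, but one of the two could go. The task list continues outside the hunk.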
diff --git a/roles/custom/matrix-bridge-mautrix-discord/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-discord/tasks/main.yml index cc90f2fae..19698f9f1 100644 --- a/roles/custom/matrix-bridge-mautrix-discord/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-discord/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-mautrix-discord + - install-all + - install-mautrix-discord + block: - when: matrix_mautrix_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mautrix_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mautrix-discord - - install-all - - install-mautrix-discord - -- block: + block: - when: not matrix_mautrix_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mautrix-discord diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml index fa7cec7dc..110346682 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_mautrix_facebook_enabled | bool and matrix_mautrix_facebook_appservice_public_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_mautrix_facebook_enabled | bool and matrix_mautrix_facebook_appservice_public_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-mautrix-facebook + - install-all + - install-mautrix-facebook + block: - when: matrix_mautrix_facebook_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mautrix_facebook_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mautrix-facebook - - install-all - - install-mautrix-facebook - -- block: + block: - when: not matrix_mautrix_facebook_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mautrix-facebook diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index 758a5feda..fac1d1d2b 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml 
@@ -91,7 +91,10 @@ when: "matrix_mautrix_facebook_stat_database.stat.exists" - name: (Data relocation) Move mautrix-facebook database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mautrix_facebook_base_path }}/mautrix-facebook.db {{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mautrix_facebook_base_path }}/mautrix-facebook.db {{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" + creates: "{{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" + removes: "{{ matrix_mautrix_facebook_base_path }}/mautrix-facebook.db" when: "matrix_mautrix_facebook_stat_database.stat.exists" - name: Ensure mautrix-facebook config.yaml installed diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/main.yml index 917ba7a9d..a23923b50 100644 --- a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_mautrix_googlechat_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_mautrix_googlechat_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-mautrix-googlechat + - install-all + - install-mautrix-googlechat + block: - when: matrix_mautrix_googlechat_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mautrix_googlechat_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mautrix-googlechat - - install-all - - install-mautrix-googlechat - -- block: + block: - when: not matrix_mautrix_googlechat_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mautrix-googlechat diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml index c1258471c..c1ae8cf53 100644 --- a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml 
@@ -91,7 +91,10 @@ when: "matrix_mautrix_googlechat_stat_database.stat.exists" - name: (Data relocation) Move mautrix-googlechat database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mautrix_googlechat_base_path }}/mautrix-googlechat.db {{ matrix_mautrix_googlechat_data_path }}/mautrix-googlechat.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mautrix_googlechat_base_path }}/mautrix-googlechat.db {{ matrix_mautrix_googlechat_data_path }}/mautrix-googlechat.db" + creates: "{{ matrix_mautrix_googlechat_data_path }}/mautrix-googlechat.db" + removes: "{{ matrix_mautrix_googlechat_base_path }}/mautrix-googlechat.db" when: "matrix_mautrix_googlechat_stat_database.stat.exists" - name: Ensure mautrix-googlechat config.yaml installed diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/main.yml index e9d8048c7..e7881567e 100644 --- a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_mautrix_hangouts_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_mautrix_hangouts_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-mautrix-hangouts + - install-all + - install-mautrix-hangouts + block: - when: matrix_mautrix_hangouts_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mautrix_hangouts_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mautrix-hangouts - - install-all - - install-mautrix-hangouts - -- block: + block: - when: not matrix_mautrix_hangouts_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mautrix-hangouts diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml index f8fdb023d..0fa549941 100644 --- a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml 
@@ -91,7 +91,10 @@ when: "matrix_mautrix_hangouts_stat_database.stat.exists" - name: (Data relocation) Move mautrix-hangouts database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mautrix_hangouts_base_path }}/mautrix-hangouts.db {{ matrix_mautrix_hangouts_data_path }}/mautrix-hangouts.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mautrix_hangouts_base_path }}/mautrix-hangouts.db {{ matrix_mautrix_hangouts_data_path }}/mautrix-hangouts.db" + creates: "{{ matrix_mautrix_hangouts_data_path }}/mautrix-hangouts.db" + removes: "{{ matrix_mautrix_hangouts_base_path }}/mautrix-hangouts.db" when: "matrix_mautrix_hangouts_stat_database.stat.exists" - name: Ensure mautrix-hangouts config.yaml installed diff --git a/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml index 0b3a722df..834dec0cc 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_mautrix_instagram_enabled | bool and matrix_mautrix_instagram_metrics_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_mautrix_instagram_enabled | bool and matrix_mautrix_instagram_metrics_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-mautrix-instagram + - install-all + - install-mautrix-instagram + block: - when: matrix_mautrix_instagram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mautrix_instagram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mautrix-instagram - - install-all - - install-mautrix-instagram - -- block: + block: - when: not matrix_mautrix_instagram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mautrix-instagram diff --git a/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml index 9473344b9..f5d769e5c 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_mautrix_signal_enabled | bool and matrix_mautrix_signal_metrics_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_mautrix_signal_enabled | bool and matrix_mautrix_signal_metrics_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-mautrix-signal + - install-all + - install-mautrix-signal + block: - when: matrix_mautrix_signal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mautrix_signal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mautrix-signal - - install-all - - install-mautrix-signal - -- block: + block: - when: not matrix_mautrix_signal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mautrix-signal diff --git a/roles/custom/matrix-bridge-mautrix-slack/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-slack/tasks/main.yml index bff905495..b7a2199d7 100644 --- a/roles/custom/matrix-bridge-mautrix-slack/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-slack/tasks/main.yml 
@@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-mautrix-slack + - install-all + - install-mautrix-slack + block: - when: matrix_mautrix_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mautrix_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mautrix-slack - - install-all - - install-mautrix-slack - -- block: + block: - when: not matrix_mautrix_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mautrix-slack diff --git a/roles/custom/matrix-bridge-mautrix-telegram/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-telegram/tasks/main.yml index 3c8e6d044..212848b6a 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-telegram/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_mautrix_telegram_enabled | bool and matrix_mautrix_telegram_appservice_public_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_mautrix_telegram_enabled | bool and matrix_mautrix_telegram_appservice_public_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-mautrix-telegram + - install-all + - install-mautrix-telegram + block: - when: matrix_mautrix_telegram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mautrix_telegram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mautrix-telegram - - install-all - - install-mautrix-telegram - -- block: + block: - when: not matrix_mautrix_telegram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mautrix-telegram diff --git a/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index 383d48275..ddf11d8db 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml 
@@ -116,7 +116,10 @@ when: "matrix_mautrix_telegram_stat_database.stat.exists" - name: (Data relocation) Move mautrix-telegram database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mautrix_telegram_base_path }}/mautrix-telegram.db {{ matrix_mautrix_telegram_data_path }}/mautrix-telegram.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mautrix_telegram_base_path }}/mautrix-telegram.db {{ matrix_mautrix_telegram_data_path }}/mautrix-telegram.db" + creates: "{{ matrix_mautrix_telegram_data_path }}/mautrix-telegram.db" + removes: "{{ matrix_mautrix_telegram_base_path }}/mautrix-telegram.db" when: "matrix_mautrix_telegram_stat_database.stat.exists" - name: Ensure mautrix-telegram config.yaml installed diff --git a/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml index 9eb444a76..655e52fbc 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_mautrix_twitter_enabled | bool and matrix_mautrix_twitter_metrics_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_mautrix_twitter_enabled | bool and matrix_mautrix_twitter_metrics_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-mautrix-twitter + - install-all + - install-mautrix-twitter + block: - when: matrix_mautrix_twitter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mautrix_twitter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mautrix-twitter - - install-all - - install-mautrix-twitter - -- block: + block: - when: not matrix_mautrix_twitter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mautrix-twitter diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml index b49a13003..cb4e8deac 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_mautrix_whatsapp_enabled | bool and matrix_mautrix_whatsapp_metrics_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_mautrix_whatsapp_enabled | bool and matrix_mautrix_whatsapp_metrics_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-mautrix-whatsapp + - install-all + - install-mautrix-whatsapp + block: - when: matrix_mautrix_whatsapp_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mautrix_whatsapp_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mautrix-whatsapp - - install-all - - install-mautrix-whatsapp - -- block: + block: - when: not matrix_mautrix_whatsapp_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mautrix-whatsapp diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml index 1cf883c56..e41fe9c3a 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml 
@@ -97,11 +97,17 @@ when: "matrix_mautrix_whatsapp_stat_database.stat.exists" - name: (Data relocation) Move mautrix-whatsapp database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mautrix_whatsapp_base_path }}/mautrix-whatsapp.db {{ matrix_mautrix_whatsapp_data_path }}/mautrix-whatsapp.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mautrix_whatsapp_base_path }}/mautrix-whatsapp.db {{ matrix_mautrix_whatsapp_data_path }}/mautrix-whatsapp.db" + creates: "{{ matrix_mautrix_whatsapp_data_path }}/mautrix-whatsapp.db" + removes: "{{ matrix_mautrix_whatsapp_base_path }}/mautrix-whatsapp.db" when: "matrix_mautrix_whatsapp_stat_database.stat.exists" - name: (Data relocation) Move mautrix-whatsapp mx-state file to ./data directory - ansible.builtin.command: "mv {{ matrix_mautrix_whatsapp_base_path }}/mx-state.json {{ matrix_mautrix_whatsapp_data_path }}/mx-state.json" + ansible.builtin.command: + cmd: "mv {{ matrix_mautrix_whatsapp_base_path }}/mx-state.json {{ matrix_mautrix_whatsapp_data_path }}/mx-state.json" + creates: "{{ matrix_mautrix_whatsapp_data_path }}/mx-state.json" + removes: "{{ matrix_mautrix_whatsapp_base_path }}/mx-state.json" when: "matrix_mautrix_whatsapp_stat_mx_state.stat.exists" - name: Ensure mautrix-whatsapp config.yaml installed diff --git a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/main.yml index c1403dfa3..c0300b513 100644 --- a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/main.yml 
@@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-mx-puppet-discord + - install-all + - install-mx-puppet-discord + block: - when: matrix_mx_puppet_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mx_puppet_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mx-puppet-discord - - install-all - - install-mx-puppet-discord - -- block: + block: - when: not matrix_mx_puppet_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mx-puppet-discord diff --git a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/main.yml index ab5b0d445..de225e71d 100644 --- a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-mx-puppet-groupme + - install-all + - install-mx-puppet-groupme + block: - when: matrix_mx_puppet_groupme_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mx_puppet_groupme_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mx-puppet-groupme - - install-all - - install-mx-puppet-groupme - -- block: + block: - when: not matrix_mx_puppet_groupme_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mx-puppet-groupme diff --git a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml index 9db25e864..0ba1e699f 100644 --- a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml 
+++ b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml @@ -29,7 +29,10 @@ when: "matrix_mx_puppet_groupme_stat_database.stat.exists" - name: (Data relocation) Move mx-puppet-groupme database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mx_puppet_groupme_base_path }}/database.db {{ matrix_mx_puppet_groupme_data_path }}/database.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mx_puppet_groupme_base_path }}/database.db {{ matrix_mx_puppet_groupme_data_path }}/database.db" + creates: "{{ matrix_mx_puppet_groupme_data_path }}/database.db" + removes: "{{ matrix_mx_puppet_groupme_base_path }}/database.db" when: "matrix_mx_puppet_groupme_stat_database.stat.exists" - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/main.yml index 3cf027736..0d46532ce 100644 --- a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-mx-puppet-instagram + - install-all + - install-mx-puppet-instagram + block: - when: matrix_mx_puppet_instagram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mx_puppet_instagram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mx-puppet-instagram - - install-all - - install-mx-puppet-instagram - -- block: + block: - when: not matrix_mx_puppet_instagram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mx-puppet-instagram diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/main.yml index 3d6e722bf..63e074050 100644 --- a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/main.yml 
+++ b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/main.yml @@ -1,29 +1,29 @@ --- -- block: - - when: matrix_mx_puppet_slack_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_mx_puppet_slack_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-mx-puppet-slack + - install-all + - install-mx-puppet-slack + block: - when: matrix_mx_puppet_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mx_puppet_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mx-puppet-slack - - install-all - - install-mx-puppet-slack - -- block: + block: - when: not matrix_mx_puppet_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mx-puppet-slack diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml index e75d47e57..bba2d25c6 100644 --- a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml 
@@ -91,7 +91,10 @@ when: "matrix_mx_puppet_slack_enabled | bool and matrix_mx_puppet_slack_container_image_self_build" - name: (Data relocation) Move mx-puppet-slack database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mx_puppet_slack_base_path }}/database.db {{ matrix_mx_puppet_slack_data_path }}/database.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mx_puppet_slack_base_path }}/database.db {{ matrix_mx_puppet_slack_data_path }}/database.db" + creates: "{{ matrix_mx_puppet_slack_data_path }}/database.db" + removes: "{{ matrix_mx_puppet_slack_base_path }}/database.db" when: "matrix_mx_puppet_slack_stat_database.stat.exists" - name: Ensure mx-puppet-slack config.yaml installed diff --git a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/main.yml index 6eacc6fc8..66d2980d3 100644 --- a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-mx-puppet-steam + - install-all + - install-mx-puppet-steam + block: - when: matrix_mx_puppet_steam_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mx_puppet_steam_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mx-puppet-steam - - install-all - - install-mx-puppet-steam - -- block: + block: - when: not matrix_mx_puppet_steam_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mx-puppet-steam diff --git a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml index ca2de4480..f2ccea594 100644 --- a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml 
+++ b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml @@ -29,7 +29,10 @@ when: "matrix_mx_puppet_steam_stat_database.stat.exists" - name: (Data relocation) Move mx-puppet-steam database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mx_puppet_steam_base_path }}/database.db {{ matrix_mx_puppet_steam_data_path }}/database.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mx_puppet_steam_base_path }}/database.db {{ matrix_mx_puppet_steam_data_path }}/database.db" + creates: "{{ matrix_mx_puppet_steam_data_path }}/database.db" + removes: "{{ matrix_mx_puppet_steam_base_path }}/database.db" when: "matrix_mx_puppet_steam_stat_database.stat.exists" - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/main.yml index 85c06f04b..d6d681037 100644 --- a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_mx_puppet_twitter_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_mx_puppet_twitter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-mx-puppet-twitter + - install-all + - install-mx-puppet-twitter + block: - when: matrix_mx_puppet_twitter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mx_puppet_twitter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mx-puppet-twitter - - install-all - - install-mx-puppet-twitter - -- block: + block: - when: not matrix_mx_puppet_twitter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mx-puppet-twitter diff --git a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml index a84502056..9224e9568 100644 --- a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml 
@@ -29,7 +29,10 @@ when: "matrix_mx_puppet_twitter_stat_database.stat.exists" - name: (Data relocation) Move mx-puppet-twitter database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mx_puppet_twitter_base_path }}/database.db {{ matrix_mx_puppet_twitter_data_path }}/database.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mx_puppet_twitter_base_path }}/database.db {{ matrix_mx_puppet_twitter_data_path }}/database.db" + creates: "{{ matrix_mx_puppet_twitter_data_path }}/database.db" + removes: "{{ matrix_mx_puppet_twitter_base_path }}/database.db" when: "matrix_mx_puppet_twitter_stat_database.stat.exists" - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-bridge-sms/tasks/main.yml b/roles/custom/matrix-bridge-sms/tasks/main.yml index f9bd502c7..57d517275 100644 --- a/roles/custom/matrix-bridge-sms/tasks/main.yml +++ b/roles/custom/matrix-bridge-sms/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-matrix-sms-bridge + - install-all + - install-matrix-sms-bridge + block: - when: matrix_sms_bridge_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_sms_bridge_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-matrix-sms-bridge - - install-all - - install-matrix-sms-bridge - -- block: + block: - when: not matrix_sms_bridge_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-matrix-sms-bridge diff --git a/roles/custom/matrix-cactus-comments/tasks/main.yml b/roles/custom/matrix-cactus-comments/tasks/main.yml index c6108e91f..c1a08d328 100644 --- a/roles/custom/matrix-cactus-comments/tasks/main.yml +++ b/roles/custom/matrix-cactus-comments/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_cactus_comments_enabled | bool and matrix_cactus_comments_serve_client_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_cactus_comments_enabled | bool and matrix_cactus_comments_serve_client_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-cactus-comments + - install-all + - install-cactus-comments + block: - when: matrix_cactus_comments_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_cactus_comments_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-cactus-comments - - install-all - - install-cactus-comments - -- block: + block: - when: not matrix_cactus_comments_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-cactus-comments diff --git a/roles/custom/matrix-client-cinny/tasks/main.yml b/roles/custom/matrix-client-cinny/tasks/main.yml index 1e6d47590..40c6514b5 100644 --- a/roles/custom/matrix-client-cinny/tasks/main.yml +++ b/roles/custom/matrix-client-cinny/tasks/main.yml 
@@ -1,26 +1,26 @@ --- -- block: +- tags: + - setup-all + - setup-client-cinny + - install-all + - install-client-cinny + block: - when: matrix_client_cinny_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_client_cinny_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-client-cinny - - install-all - - install-client-cinny - -- block: + block: - when: not matrix_client_cinny_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-client-cinny -- block: +- tags: + - self-check + block: - when: matrix_client_cinny_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml" - tags: - - self-check diff --git a/roles/custom/matrix-client-element/tasks/main.yml b/roles/custom/matrix-client-element/tasks/main.yml index 89e50ba70..770200678 100644 --- a/roles/custom/matrix-client-element/tasks/main.yml +++ b/roles/custom/matrix-client-element/tasks/main.yml @@ -1,6 +1,11 @@ --- -- block: +- tags: + - setup-all + - setup-client-element + - install-all + - install-client-element + block: - when: matrix_client_element_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" @@ -9,21 +14,16 @@ - when: matrix_client_element_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-client-element - - install-all - - install-client-element - -- block: + block: - when: not matrix_client_element_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-client-element -- block: +- tags: + - self-check + block: - when: matrix_client_element_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml" - tags: - - self-check 
diff --git a/roles/custom/matrix-client-element/tasks/setup_install.yml b/roles/custom/matrix-client-element/tasks/setup_install.yml index fc0532db6..50d6370f7 100644 --- a/roles/custom/matrix-client-element/tasks/setup_install.yml +++ b/roles/custom/matrix-client-element/tasks/setup_install.yml @@ -56,6 +56,7 @@ --tag={{ matrix_client_element_docker_image }} --file={{ matrix_client_element_docker_src_files_path }}/Dockerfile {{ matrix_client_element_docker_src_files_path }} + changed_when: true when: matrix_client_element_container_image_self_build | bool - name: Ensure Element configuration installed diff --git a/roles/custom/matrix-client-hydrogen/tasks/main.yml b/roles/custom/matrix-client-hydrogen/tasks/main.yml index 9bb8bc080..9e7445c0b 100644 --- a/roles/custom/matrix-client-hydrogen/tasks/main.yml +++ b/roles/custom/matrix-client-hydrogen/tasks/main.yml @@ -1,26 +1,26 @@ --- -- block: +- tags: + - setup-all + - setup-client-hydrogen + - install-all + - install-client-hydrogen + block: - when: matrix_client_hydrogen_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_client_hydrogen_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-client-hydrogen - - install-all - - install-client-hydrogen - -- block: + block: - when: not matrix_client_hydrogen_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-client-hydrogen -- block: +- tags: + - self-check + block: - when: matrix_client_hydrogen_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml" - tags: - - self-check diff --git a/roles/custom/matrix-common-after/tasks/main.yml b/roles/custom/matrix-common-after/tasks/main.yml index fe23e467b..5e4dc76b9 100644 --- a/roles/custom/matrix-common-after/tasks/main.yml +++ b/roles/custom/matrix-common-after/tasks/main.yml 
@@ -1,6 +1,6 @@ --- -- block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/run_docker_prune.yml" - tags: +- tags: - run-docker-prune + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/run_docker_prune.yml" diff --git a/roles/custom/matrix-conduit/tasks/main.yml b/roles/custom/matrix-conduit/tasks/main.yml index d733ac08b..f48e385e0 100644 --- a/roles/custom/matrix-conduit/tasks/main.yml +++ b/roles/custom/matrix-conduit/tasks/main.yml @@ -1,17 +1,17 @@ --- -- block: - - when: matrix_conduit_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: +- tags: - setup-all - setup-conduit - install-all - install-conduit + block: + - when: matrix_conduit_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- block: - - when: not matrix_conduit_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: +- tags: - setup-all - setup-conduit + block: + - when: not matrix_conduit_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-corporal/tasks/main.yml b/roles/custom/matrix-corporal/tasks/main.yml index c4c7b7fc1..e8f3b785a 100644 --- a/roles/custom/matrix-corporal/tasks/main.yml +++ b/roles/custom/matrix-corporal/tasks/main.yml 
@@ -1,26 +1,26 @@ --- -- block: +- tags: + - setup-all + - setup-corporal + - install-all + - install-corporal + block: - when: matrix_corporal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_corporal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-corporal - - install-all - - install-corporal - -- block: + block: - when: not matrix_corporal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-corporal -- block: +- tags: + - self-check + block: - when: matrix_corporal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml" - tags: - - self-check diff --git a/roles/custom/matrix-coturn/tasks/main.yml b/roles/custom/matrix-coturn/tasks/main.yml index 45ce9fd9e..1b1332fb7 100644 --- a/roles/custom/matrix-coturn/tasks/main.yml +++ b/roles/custom/matrix-coturn/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-coturn + - install-all + - install-coturn + block: - when: matrix_coturn_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_coturn_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-coturn - - install-all - - install-coturn - -- block: + block: - when: not matrix_coturn_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-coturn diff --git a/roles/custom/matrix-coturn/tasks/setup_install.yml b/roles/custom/matrix-coturn/tasks/setup_install.yml index 44325f460..1cb8bd696 100644 --- a/roles/custom/matrix-coturn/tasks/setup_install.yml +++ b/roles/custom/matrix-coturn/tasks/setup_install.yml 
@@ -62,8 +62,8 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" -- when: matrix_coturn_docker_network not in ['', 'host'] - name: Ensure Coturn network is created in Docker +- name: Ensure Coturn network is created in Docker + when: matrix_coturn_docker_network not in ['', 'host'] community.docker.docker_network: name: "{{ matrix_coturn_docker_network }}" driver: bridge diff --git a/roles/custom/matrix-dendrite/tasks/main.yml b/roles/custom/matrix-dendrite/tasks/main.yml index 0e88ec510..78d81524c 100644 --- a/roles/custom/matrix-dendrite/tasks/main.yml +++ b/roles/custom/matrix-dendrite/tasks/main.yml @@ -1,35 +1,35 @@ --- -- block: +- tags: + - setup-all + - setup-dendrite + - install-all + - install-dendrite + block: - when: matrix_dendrite_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_dendrite_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-dendrite - - install-all - - install-dendrite - -- block: + block: - when: not matrix_dendrite_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-dendrite -- block: +- tags: + - self-check + block: - when: matrix_dendrite_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_client_api.yml" - when: matrix_dendrite_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml" - tags: - - self-check -- block: +- tags: + - register-user + block: - when: matrix_dendrite_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/register_user.yml" - tags: - - register-user diff --git a/roles/custom/matrix-dendrite/tasks/setup_install.yml b/roles/custom/matrix-dendrite/tasks/setup_install.yml index 3b8cbd9b2..283e8b019 100644 --- a/roles/custom/matrix-dendrite/tasks/setup_install.yml 
+++ b/roles/custom/matrix-dendrite/tasks/setup_install.yml @@ -42,24 +42,20 @@ delay: "{{ devture_playbook_help_container_retries_delay }}" until: result is not failed -- name: Check if a Dendrite signing key exists - ansible.builtin.stat: - path: "{{ matrix_dendrite_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.pem" - register: matrix_dendrite_signing_key_stat - # We do this so that the signing key would get generated. # We don't use the `docker_container` module, because using it with `cap_drop` requires # a very recent version, which is not available for a lot of people yet. - name: Generate Dendrite signing key - ansible.builtin.command: | - docker run - --rm - --name=matrix-dendrite-config - --entrypoint=generate-keys - --mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data - {{ matrix_dendrite_docker_image }} --private-key=/data/{{ matrix_server_fqn_matrix }}.signing.pem - generate - when: "not matrix_dendrite_signing_key_stat.stat.exists" + ansible.builtin.command: + cmd: | + docker run + --rm + --name=matrix-dendrite-config + --entrypoint=generate-keys + --mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data + {{ matrix_dendrite_docker_image }} --private-key=/data/{{ matrix_server_fqn_matrix }}.signing.pem + generate + creates: "{{ matrix_dendrite_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.pem" - name: Ensure Dendrite server key exists ansible.builtin.file: diff --git a/roles/custom/matrix-dimension/tasks/main.yml b/roles/custom/matrix-dimension/tasks/main.yml index efd0f8d47..1e949d3f2 100644 --- a/roles/custom/matrix-dimension/tasks/main.yml +++ b/roles/custom/matrix-dimension/tasks/main.yml 
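Review bot: Dropping the `Check if a Dendrite signing key exists` task also drops the registered `matrix_dendrite_signing_key_stat` fact; if anything later in setup_install.yml (outside this hunk) still references it, that task now fails on an undefined variable, so the rest of the file should be searched for the name before merging. The `creates:` path matches the `--private-key` path exactly, which is the right idempotency gate. A one-line comment on the task would help the next reader: `# Idempotent via creates: the signing key is generated once and never overwritten.`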
@@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-dimension + - install-all + - install-dimension + block: - when: matrix_dimension_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_dimension_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-dimension - - install-all - - install-dimension - -- block: + block: - when: not matrix_dimension_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-dimension diff --git a/roles/custom/matrix-dynamic-dns/tasks/main.yml b/roles/custom/matrix-dynamic-dns/tasks/main.yml index ae7503b73..8327a84ac 100644 --- a/roles/custom/matrix-dynamic-dns/tasks/main.yml +++ b/roles/custom/matrix-dynamic-dns/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-dynamic-dns + - install-all + - install-dynamic-dns + block: - when: matrix_dynamic_dns_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_dynamic_dns_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-dynamic-dns - - install-all - - install-dynamic-dns - -- block: + block: - when: not matrix_dynamic_dns_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-dynamic-dns diff --git a/roles/custom/matrix-email2matrix/tasks/main.yml b/roles/custom/matrix-email2matrix/tasks/main.yml index 8fac77ce2..acd2c9c1e 100644 --- a/roles/custom/matrix-email2matrix/tasks/main.yml +++ b/roles/custom/matrix-email2matrix/tasks/main.yml 
@@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-email2matrix + - install-all + - install-email2matrix + block: - when: matrix_email2matrix_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_email2matrix_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-email2matrix - - install-all - - install-email2matrix - -- block: + block: - when: not matrix_email2matrix_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-email2matrix diff --git a/roles/custom/matrix-jitsi/tasks/main.yml b/roles/custom/matrix-jitsi/tasks/main.yml index b35c2c347..0ebf3ad62 100644 --- a/roles/custom/matrix-jitsi/tasks/main.yml +++ b/roles/custom/matrix-jitsi/tasks/main.yml @@ -1,27 +1,32 @@ --- -- block: +- tags: + - setup-additional-jitsi-jvb + - install-additional-jitsi-jvb + block: - when: matrix_jitsi_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/init_additional_jvb.yml" - tags: + +- tags: + - setup-all + - setup-jitsi - setup-additional-jitsi-jvb + - install-all + - install-jitsi - install-additional-jitsi-jvb - -- block: + block: - when: matrix_jitsi_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_jitsi_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_base.yml" - tags: + +- tags: - setup-all - setup-jitsi - - setup-additional-jitsi-jvb - install-all - install-jitsi - - install-additional-jitsi-jvb - -- block: + block: - when: matrix_jitsi_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_web_install.yml" 
@@ -30,13 +35,11 @@ - when: matrix_jitsi_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jicofo_install.yml" - tags: + +- tags: - setup-all - setup-jitsi - - install-all - - install-jitsi - -- block: + block: - when: not matrix_jitsi_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_web_uninstall.yml" @@ -45,31 +48,28 @@ - when: not matrix_jitsi_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jicofo_uninstall.yml" - tags: - - setup-all - - setup-jitsi -- block: - - when: matrix_jitsi_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jvb_install.yml" - tags: +- tags: - setup-all - setup-jitsi - setup-additional-jitsi-jvb - install-all - install-jitsi - install-additional-jitsi-jvb + block: + - when: matrix_jitsi_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jvb_install.yml" -- block: - - when: not matrix_jitsi_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jvb_uninstall.yml" - tags: +- tags: - setup-all - setup-jitsi - setup-additional-jitsi-jvb + block: + - when: not matrix_jitsi_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jvb_uninstall.yml" -- block: +- tags: + - self-check + block: - when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix' ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_matrix_auth.yml" - tags: - - self-check diff --git a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml index f1d9ff210..4aa67a316 100644 --- a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml +++ b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml 
@@ -5,11 +5,16 @@ repo: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_location }}" dest: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}" version: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_version }}" + become: true + become_user: "{{ matrix_user_username }}" - name: Install Prosody Auth Matrix User Verification Plugin ansible.builtin.copy: remote_src: true src: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}/{{ item.path }}" dest: "{{ matrix_jitsi_prosody_plugins_path }}/{{ item.path }}" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: "{{ matrix_jitsi_prosody_auth_matrix_files }}" when: item.when | bool diff --git a/roles/custom/matrix-ldap-registration-proxy/tasks/main.yml b/roles/custom/matrix-ldap-registration-proxy/tasks/main.yml index 9309113fe..cc71ae82c 100644 --- a/roles/custom/matrix-ldap-registration-proxy/tasks/main.yml +++ b/roles/custom/matrix-ldap-registration-proxy/tasks/main.yml 
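Review bot: `mode: 0644` on the `Install Prosody Auth Matrix User Verification Plugin` copy task is an unquoted YAML number; with the leading zero it parses as octal 420, which is correct, but the bare form is fragile (without the zero, 644 would become decimal 644 = 01204) and ansible-lint flags it as risky-octal, so prefer `mode: "0644"`. The added `become_user: "{{ matrix_user_username }}"` on the git checkout assumes the checkout target directory is already writable by that user, which this hunk does not show — presumably an earlier task creates it with matching ownership; worth confirming.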
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_ldap_registration_proxy_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_ldap_registration_proxy_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-matrix-ldap-registration-proxy + - install-all + - install-matrix-ldap-registration-proxy + block: - when: matrix_ldap_registration_proxy_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_ldap_registration_proxy_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-matrix-ldap-registration-proxy - - install-all - - install-matrix-ldap-registration-proxy - -- block: + block: - when: not matrix_ldap_registration_proxy_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-matrix-ldap-registration-proxy diff --git a/roles/custom/matrix-ma1sd/tasks/main.yml b/roles/custom/matrix-ma1sd/tasks/main.yml index a65cf371e..a9c4ec8b0 100644 --- a/roles/custom/matrix-ma1sd/tasks/main.yml +++ b/roles/custom/matrix-ma1sd/tasks/main.yml 
@@ -1,25 +1,25 @@ --- -- block: +- tags: + - setup-all + - setup-ma1sd + - install-all + - install-ma1sd + block: - when: matrix_ma1sd_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_ma1sd_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: - - setup-all - - setup-ma1sd - - install-all - - install-ma1sd -- block: +- tags: + - setup-ma1sd + block: - when: not matrix_ma1sd_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-ma1sd -- block: +- tags: + - self-check + block: - when: matrix_ma1sd_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml" - tags: - - self-check diff --git a/roles/custom/matrix-ma1sd/tasks/setup_install.yml b/roles/custom/matrix-ma1sd/tasks/setup_install.yml index 6fe20342b..5800b45a7 100644 --- a/roles/custom/matrix-ma1sd/tasks/setup_install.yml +++ b/roles/custom/matrix-ma1sd/tasks/setup_install.yml @@ -89,6 +89,7 @@ chdir: "{{ matrix_ma1sd_docker_src_files_path }}" environment: DOCKER_BUILDKIT: 1 + changed_when: true when: matrix_ma1sd_git_pull_results.changed - name: Ensure ma1sd Docker image is tagged correctly diff --git a/roles/custom/matrix-mailer/tasks/main.yml b/roles/custom/matrix-mailer/tasks/main.yml index b269f63e7..00fa0884e 100644 --- a/roles/custom/matrix-mailer/tasks/main.yml +++ b/roles/custom/matrix-mailer/tasks/main.yml 
@@ -1,17 +1,17 @@ --- -- block: - - when: matrix_mailer_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: +- tags: - setup-all - setup-mailer - install-all - install-mailer + block: + - when: matrix_mailer_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- block: - - when: not matrix_mailer_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: +- tags: - setup-all - setup-mailer + block: + - when: not matrix_mailer_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-nginx-proxy/tasks/main.yml b/roles/custom/matrix-nginx-proxy/tasks/main.yml index 39cec7e53..7a702fb37 100644 --- a/roles/custom/matrix-nginx-proxy/tasks/main.yml +++ b/roles/custom/matrix-nginx-proxy/tasks/main.yml @@ -29,13 +29,13 @@ - install-all - install-nginx-proxy -- block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_well_known.yml" - tags: +- tags: - self-check + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_well_known.yml" - name: Mark matrix-nginx-proxy role as executed - ansible.builtin.set_fact: - matrix_nginx_proxy_role_executed: true tags: - always + ansible.builtin.set_fact: + matrix_nginx_proxy_role_executed: true diff --git a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml b/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml index b10791a7f..a175b831a 100644 --- a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml +++ b/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml @@ -51,6 +51,7 @@ --agree-tos --email={{ matrix_ssl_lets_encrypt_support_email }} -d {{ domain_name }} + changed_when: true when: domain_name_needs_cert | bool register: result_certbot_direct ignore_errors: true 
@@ -81,6 +82,7 @@ --agree-tos --email={{ matrix_ssl_lets_encrypt_support_email }} -d {{ domain_name }} + changed_when: true when: "domain_name_needs_cert and result_certbot_direct.failed" register: result_certbot_proxy ignore_errors: true diff --git a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml b/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml index d0b254a26..c0f195191 100644 --- a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml +++ b/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml @@ -28,16 +28,19 @@ # # We'll do it in a more manual way. - name: Generate SSL certificate - ansible.builtin.command: | - openssl req -x509 \ - -sha256 \ - -newkey rsa:4096 \ - -nodes \ - -subj "/CN={{ domain_name }}" \ - -keyout {{ matrix_ssl_certificate_cert_key_path }} \ - -out {{ matrix_ssl_certificate_cert_path }} \ - -days 3650 when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists" + ansible.builtin.command: + cmd: | + openssl req -x509 \ + -sha256 \ + -newkey rsa:4096 \ + -nodes \ + -subj "/CN={{ domain_name }}" \ + -keyout {{ matrix_ssl_certificate_cert_key_path }} \ + -out {{ matrix_ssl_certificate_cert_path }} \ + -days 3650 + # Well, this creates 2 files, but Ansible can only check 1. + creates: "{{ matrix_ssl_certificate_cert_path }}" - name: Adjust SSL certificate file ownership ansible.builtin.file: diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/main.yml b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/main.yml index b205dec36..ad0474604 100644 --- a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/main.yml +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/main.yml 
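Review bot: In `Generate SSL certificate`, `creates:` points at the certificate while the `-keyout` private key is the second output, so if the key is ever missing while the cert exists the task is skipped and nginx is left with a certificate it cannot use; the retained `when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists"` checks the same file and is now redundant with `creates:`. Because `when:` and `creates:` are ANDed, moving `creates:` to the key path would not help either; regenerating when either file is absent needs a stat of the key as well and a `when` of the form "not (cert exists and key exists)", with `creates:` dropped. The key is written with `-nodes` under the command's umask; the following `Adjust SSL certificate file ownership` task presumably tightens ownership and mode, but that is outside the hunk.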
@@ -1,29 +1,29 @@ --- -- block: +- tags: + - setup-all + - setup-prometheus-nginxlog-exporter + - install-all + - install-prometheus-nginxlog-exporter + block: - when: matrix_prometheus_nginxlog_exporter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: + +- tags: - setup-all - setup-prometheus-nginxlog-exporter - install-all - install-prometheus-nginxlog-exporter - -- block: + block: - when: matrix_prometheus_nginxlog_exporter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_prometheus_nginxlog_exporter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-prometheus-nginxlog-exporter - - install-all - - install-prometheus-nginxlog-exporter - -- block: + block: - when: not matrix_prometheus_nginxlog_exporter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-prometheus-nginxlog-exporter diff --git a/roles/custom/matrix-prometheus-services-proxy-connect/tasks/main.yml b/roles/custom/matrix-prometheus-services-proxy-connect/tasks/main.yml index e56546889..ea067bdba 100644 --- a/roles/custom/matrix-prometheus-services-proxy-connect/tasks/main.yml +++ b/roles/custom/matrix-prometheus-services-proxy-connect/tasks/main.yml 
@@ -1,28 +1,28 @@ --- - name: Fail if matrix-nginx-proxy role executed before matrix-prometheus-services-proxy-connect + when: matrix_nginx_proxy_role_executed | default(False) | bool ansible.builtin.fail: msg: >- Trying to append node-exporter's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-prometheus-services-proxy-connect role. - when: matrix_nginx_proxy_role_executed | default(False) | bool -- block: - - when: prometheus_node_exporter_enabled | bool and matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/prometheus-node-exporter/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: prometheus_node_exporter_enabled | bool and matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/prometheus-node-exporter/inject_into_nginx_proxy.yml" -- block: - - when: prometheus_node_exporter_enabled | bool and matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/prometheus-postgres-exporter/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: prometheus_node_exporter_enabled | bool and matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/prometheus-postgres-exporter/inject_into_nginx_proxy.yml" 
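Review bot: The second block's condition, `prometheus_node_exporter_enabled | bool and matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled | bool`, gates the postgres-exporter proxy injection on the node exporter being enabled; the commit only moves the line, but on the new side the postgres-exporter path is still skipped whenever node-exporter is off and injected without checking that the postgres exporter itself is on. It presumably should test the postgres-exporter role's own enabled flag (`prometheus_postgres_exporter_enabled`, if that is the variable name this playbook uses). The `when:` moved to the top of the `Fail if matrix-nginx-proxy role executed before` task is a pure reorder.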
diff --git a/roles/custom/matrix-prometheus/tasks/main.yml b/roles/custom/matrix-prometheus/tasks/main.yml index 59371d4d4..bbd820014 100644 --- a/roles/custom/matrix-prometheus/tasks/main.yml +++ b/roles/custom/matrix-prometheus/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-prometheus + - install-all + - install-prometheus + block: - when: matrix_prometheus_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_prometheus_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-prometheus - - install-all - - install-prometheus - -- block: + block: - when: not matrix_prometheus_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-prometheus diff --git a/roles/custom/matrix-rageshake/tasks/install.yml b/roles/custom/matrix-rageshake/tasks/install.yml index f9461680f..a1db9a877 100644 --- a/roles/custom/matrix-rageshake/tasks/install.yml +++ b/roles/custom/matrix-rageshake/tasks/install.yml @@ -62,6 +62,7 @@ --tag={{ matrix_rageshake_container_image }} --file={{ matrix_rageshake_container_src_files_path }}/Dockerfile {{ matrix_rageshake_container_src_files_path }} + changed_when: true when: matrix_rageshake_container_image_self_build | bool - name: Ensure rageshake container network is created diff --git a/roles/custom/matrix-rageshake/tasks/main.yml b/roles/custom/matrix-rageshake/tasks/main.yml index c330964a4..a211296d0 100644 --- a/roles/custom/matrix-rageshake/tasks/main.yml +++ b/roles/custom/matrix-rageshake/tasks/main.yml 
@@ -1,19 +1,20 @@ --- -- block: + +- tags: + - setup-all + - setup-rageshake + - install-all + - install-rageshake + block: - when: matrix_rageshake_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_rageshake_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" - tags: + +- tags: - setup-all - setup-rageshake - - install-all - - install-rageshake - -- block: + block: - when: not matrix_rageshake_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" - tags: - - setup-all - - setup-rageshake diff --git a/roles/custom/matrix-registration/tasks/main.yml b/roles/custom/matrix-registration/tasks/main.yml index bebcebc0b..64843dee2 100644 --- a/roles/custom/matrix-registration/tasks/main.yml +++ b/roles/custom/matrix-registration/tasks/main.yml 
@@ -1,41 +1,41 @@ --- -- block: - - when: matrix_registration_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_registration_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-matrix-registration + - install-all + - install-matrix-registration + block: - when: matrix_registration_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_registration_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-matrix-registration - - install-all - - install-matrix-registration - -- block: + block: - when: not matrix_registration_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-matrix-registration -- block: +- tags: + - generate-matrix-registration-token + block: - when: matrix_registration_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/generate_token.yml" - tags: - - generate-matrix-registration-token -- block: +- tags: + - list-matrix-registration-tokens + block: - when: matrix_registration_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/list_tokens.yml" - tags: - - list-matrix-registration-tokens diff --git a/roles/custom/matrix-sliding-sync/tasks/install.yml b/roles/custom/matrix-sliding-sync/tasks/install.yml index 26717afda..cb41cec06 100644 --- a/roles/custom/matrix-sliding-sync/tasks/install.yml +++ b/roles/custom/matrix-sliding-sync/tasks/install.yml 
@@ -56,6 +56,7 @@ --tag={{ matrix_sliding_sync_container_image }} --file={{ matrix_sliding_sync_container_src_path }}/Dockerfile {{ matrix_sliding_sync_container_src_path }} + changed_when: true - name: Ensure matrix-sliding-sync container network is created community.general.docker_network: diff --git a/roles/custom/matrix-sliding-sync/tasks/main.yml b/roles/custom/matrix-sliding-sync/tasks/main.yml index 71e7391b4..521f16fe7 100644 --- a/roles/custom/matrix-sliding-sync/tasks/main.yml +++ b/roles/custom/matrix-sliding-sync/tasks/main.yml @@ -1,19 +1,20 @@ --- -- block: + +- tags: + - setup-all + - setup-sliding-sync + - install-all + - install-sliding-sync + block: - when: matrix_sliding_sync_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_sliding_sync_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" - tags: + +- tags: - setup-all - setup-sliding-sync - - install-all - - install-sliding-sync - -- block: + block: - when: not matrix_sliding_sync_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" - tags: - - setup-all - - setup-sliding-sync diff --git a/roles/custom/matrix-sygnal/tasks/main.yml b/roles/custom/matrix-sygnal/tasks/main.yml index ba4cb8768..a586cbd02 100644 --- a/roles/custom/matrix-sygnal/tasks/main.yml +++ b/roles/custom/matrix-sygnal/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-sygnal + - install-all + - install-sygnal + block: - when: matrix_sygnal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_sygnal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" - tags: + +- tags: - setup-all - setup-sygnal - - install-all - - install-sygnal - -- block: + block: - when: not matrix_sygnal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" - tags: - - setup-all - - setup-sygnal 
diff --git a/roles/custom/matrix-synapse-admin/tasks/main.yml b/roles/custom/matrix-synapse-admin/tasks/main.yml index f38f1d5e4..da9bdb18c 100644 --- a/roles/custom/matrix-synapse-admin/tasks/main.yml +++ b/roles/custom/matrix-synapse-admin/tasks/main.yml @@ -1,29 +1,29 @@ --- -- block: - - when: matrix_synapse_admin_enabled | bool and matrix_synapse_admin_nginx_proxy_integration_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_synapse_admin_enabled | bool and matrix_synapse_admin_nginx_proxy_integration_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-synapse-admin + - install-all + - install-synapse-admin + block: - when: matrix_synapse_admin_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_synapse_admin_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-synapse-admin - - install-all - - install-synapse-admin - -- block: + block: - when: not matrix_synapse_admin_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-synapse-admin diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml index 0dba0b9c7..680602672 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml 
@@ -1,20 +1,20 @@ --- -- block: - - when: matrix_synapse_reverse_proxy_companion_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: +- tags: - setup-all - setup-synapse-reverse-proxy-companion - setup-synapse - install-all - install-synapse-reverse-proxy-companion - install-synapse + block: + - when: matrix_synapse_reverse_proxy_companion_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- block: - - when: not matrix_synapse_reverse_proxy_companion_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: +- tags: - setup-all - setup-synapse-reverse-proxy-companion - setup-synapse + block: + - when: not matrix_synapse_reverse_proxy_companion_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-synapse/tasks/ext/setup_install.yml b/roles/custom/matrix-synapse/tasks/ext/setup_install.yml index a24138038..0d8879392 100644 --- a/roles/custom/matrix-synapse/tasks/ext/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/ext/setup_install.yml 
@@ -1,60 +1,60 @@ --- # encryption-disabler -- block: - - when: matrix_synapse_ext_encryption_disabler_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup_install.yml" - tags: +- tags: - setup-all - setup-synapse + block: + - when: matrix_synapse_ext_encryption_disabler_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup_install.yml" # rest-auth -- block: - - when: matrix_synapse_ext_password_provider_rest_auth_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup_install.yml" - tags: +- tags: - setup-all - setup-synapse + block: + - when: matrix_synapse_ext_password_provider_rest_auth_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup_install.yml" # shared-secret-auth -- block: - - when: matrix_synapse_ext_password_provider_shared_secret_auth_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup_install.yml" - tags: +- tags: - setup-all - setup-synapse + block: + - when: matrix_synapse_ext_password_provider_shared_secret_auth_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup_install.yml" # ldap-auth -- block: - - when: matrix_synapse_ext_password_provider_ldap_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/ldap-auth/setup_install.yml" - tags: +- tags: - setup-all - setup-synapse + block: + - when: matrix_synapse_ext_password_provider_ldap_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/ldap-auth/setup_install.yml" # synapse-simple-antispam -- block: - - when: matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup_install.yml" - tags: +- tags: - setup-all - setup-synapse + block: + - when: 
matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup_install.yml" # mjolnir-antispam -- block: - - when: matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_install.yml" - tags: +- tags: - setup-all - setup-synapse + block: + - when: matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_install.yml" # s3-storage-provider -- block: +- tags: + - setup-all + - setup-synapse + block: - when: matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/validate_config.yml" - when: matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/setup_install.yml" - tags: - - setup-all - - setup-synapse diff --git a/roles/custom/matrix-synapse/tasks/ext/setup_uninstall.yml b/roles/custom/matrix-synapse/tasks/ext/setup_uninstall.yml index cca6c1b8a..f584f584d 100644 --- a/roles/custom/matrix-synapse/tasks/ext/setup_uninstall.yml +++ b/roles/custom/matrix-synapse/tasks/ext/setup_uninstall.yml 
@@ -1,52 +1,52 @@ --- # encryption-disabler -- block: - - when: not matrix_synapse_ext_encryption_disabler_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup_uninstall.yml" - tags: +- tags: - setup-all - setup-synapse + block: + - when: not matrix_synapse_ext_encryption_disabler_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup_uninstall.yml" # rest-auth -- block: - - when: not matrix_synapse_ext_password_provider_rest_auth_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup_uninstall.yml" - tags: +- tags: - setup-all - setup-synapse + block: + - when: not matrix_synapse_ext_password_provider_rest_auth_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup_uninstall.yml" # shared-secret-auth -- block: - - when: not matrix_synapse_ext_password_provider_shared_secret_auth_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup_uninstall.yml" - tags: +- tags: - setup-all - setup-synapse + block: + - when: not matrix_synapse_ext_password_provider_shared_secret_auth_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup_uninstall.yml" # ldap-auth has no uninstall tasks # synapse-simple-antispam -- block: - - when: not matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup_uninstall.yml" - tags: +- tags: - setup-all - setup-synapse + block: + - when: not matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup_uninstall.yml" # mjolnir-antispam -- block: - - when: not matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled | bool - ansible.builtin.include_tasks: "{{ role_path 
}}/tasks/ext/mjolnir-antispam/setup_uninstall.yml" - tags: +- tags: - setup-all - setup-synapse + block: + - when: not matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_uninstall.yml" # s3-storage-provider -- block: - - when: not matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/setup_uninstall.yml" - tags: +- tags: - setup-all - setup-synapse + block: + - when: not matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/setup_uninstall.yml" diff --git a/roles/custom/matrix-synapse/tasks/main.yml b/roles/custom/matrix-synapse/tasks/main.yml index d00c1808c..88a54afc5 100644 --- a/roles/custom/matrix-synapse/tasks/main.yml +++ b/roles/custom/matrix-synapse/tasks/main.yml @@ -1,9 +1,6 @@ --- -- block: - - when: matrix_synapse_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/init.yml" - tags: +- tags: - setup-all - setup-synapse - install-all 
@@ -19,55 +16,58 @@ - stop - stop-all - stop-group + block: + - when: matrix_synapse_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/init.yml" -- block: +- tags: + - setup-all + - setup-synapse + - install-all + - install-synapse + block: - when: matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-synapse - - install-all - - install-synapse - -- block: + block: - when: not matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-synapse -- block: +- tags: + - import-synapse-media-store + block: - when: matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/import_media_store.yml" - tags: - - import-synapse-media-store -- block: +- tags: + - register-user + block: - when: matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/register_user.yml" - tags: - - register-user -- block: +- tags: + - update-user-password + block: - when: matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/update_user_password.yml" - tags: - - update-user-password -- block: +- tags: + - rust-synapse-compress-state + block: - when: matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/rust-synapse-compress-state/main.yml" - tags: - - rust-synapse-compress-state -- block: +- tags: + - self-check + block: - when: matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_client_api.yml" - when: matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml" - tags: - - self-check 
diff --git a/roles/custom/matrix-synapse/tasks/setup_install.yml b/roles/custom/matrix-synapse/tasks/setup_install.yml index c8b191ec2..378a0dee5 100644 --- a/roles/custom/matrix-synapse/tasks/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/setup_install.yml @@ -23,33 +23,33 @@ # trying to chown/chmod it here will cause trouble. when: item.when | bool -- block: +- tags: + - setup-all + - setup-synapse + block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/setup_install.yml" - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/setup_uninstall.yml" - tags: + +- tags: - setup-all - setup-synapse - -- block: + block: - when: matrix_synapse_workers_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/workers/setup_install.yml" - tags: + +- tags: - setup-all - setup-synapse - -- block: + block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/setup_install.yml" - tags: + +- tags: - setup-all - setup-synapse - -- block: + block: - when: matrix_s3_media_store_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/goofys/setup_install.yml" - when: not matrix_s3_media_store_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/goofys/setup_uninstall.yml" - tags: - - setup-all - - setup-synapse diff --git a/roles/custom/matrix-synapse/tasks/setup_uninstall.yml b/roles/custom/matrix-synapse/tasks/setup_uninstall.yml index 72b64c879..7ce5e13dd 100644 --- a/roles/custom/matrix-synapse/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-synapse/tasks/setup_uninstall.yml 
@@ -1,27 +1,27 @@ --- -- block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/setup_uninstall.yml" - tags: +- tags: - setup-all - setup-synapse + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/setup_uninstall.yml" -- block: +- tags: + - setup-all + - setup-synapse + block: - when: not matrix_synapse_workers_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/workers/setup_uninstall.yml" - tags: + +- tags: - setup-all - setup-synapse - -- block: + block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/setup_uninstall.yml" - tags: + +- tags: - setup-all - setup-synapse - -- block: + block: - when: not matrix_s3_media_store_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/goofys/setup_uninstall.yml" - tags: - - setup-all - - setup-synapse diff --git a/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml b/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml index 4a62d88d9..169be60bf 100644 --- a/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml @@ -48,6 +48,7 @@ . environment: DOCKER_BUILDKIT: 1 + changed_when: true when: "matrix_synapse_git_pull_results.changed | bool or matrix_synapse_docker_image_check_result.stdout == ''" - name: Ensure Synapse Docker image is pulled @@ -82,11 +83,6 @@ path: "{{ matrix_synapse_customized_docker_src_files_path }}" nocache: "{{ matrix_synapse_docker_image_customized_build_nocache }}" -- name: Check if a Synapse signing key exists - ansible.builtin.stat: - path: "{{ matrix_synapse_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.key" - register: matrix_synapse_signing_key_stat - # We do this so that the signing key would get generated. # # This will also generate a default homeserver.yaml configuration file and a log configuration file. 
@@ -95,19 +91,20 @@ # We don't use the `docker_container` module, because using it with `cap_drop` requires # a very recent docker-py version, which is not available for a lot of people yet. - name: Generate initial Synapse config and signing key - ansible.builtin.command: | - docker run - --rm - --name=matrix-config - --user={{ matrix_synapse_uid }}:{{ matrix_synapse_gid }} - --cap-drop=ALL - --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data - -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml - -e SYNAPSE_SERVER_NAME={{ matrix_server_fqn_matrix }} - -e SYNAPSE_REPORT_STATS=no - {{ matrix_synapse_docker_image }} - generate - when: "not matrix_synapse_signing_key_stat.stat.exists" + ansible.builtin.command: + cmd: | + docker run + --rm + --name=matrix-config + --user={{ matrix_synapse_uid }}:{{ matrix_synapse_gid }} + --cap-drop=ALL + --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data + -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml + -e SYNAPSE_SERVER_NAME={{ matrix_server_fqn_matrix }} + -e SYNAPSE_REPORT_STATS=no + {{ matrix_synapse_docker_image }} + generate + creates: "{{ matrix_synapse_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.key" - name: Ensure Synapse homeserver config installed ansible.builtin.copy: diff --git a/roles/custom/matrix-user-creator/tasks/main.yml b/roles/custom/matrix-user-creator/tasks/main.yml index 2198b3ebf..ff93a4633 100644 --- a/roles/custom/matrix-user-creator/tasks/main.yml +++ b/roles/custom/matrix-user-creator/tasks/main.yml 
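Review bot: The `creates:` guard on `Generate initial Synapse config and signing key` replaces the `Check if a Synapse signing key exists` stat task removed in the previous hunk, which means the registered `matrix_synapse_signing_key_stat` fact no longer exists; if any other task or template in the role still reads it (the rest of the role is outside this diff), it will now fail with an undefined variable, so a search for that name before merging would be prudent. Guarding only on the signing key is sufficient here because the `Ensure Synapse homeserver config installed` copy task that follows overwrites the generated `homeserver.yaml`, but that reasoning is not obvious from the task itself; a short comment above `creates:` such as `# Only the signing key is checked: the generated homeserver.yaml is replaced by the copy task below` would save the next maintainer from wondering why a missing config file does not re-run the generator.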
@@ -1,10 +1,10 @@ --- -- block: - - when: matrix_user_creator_users | length > 0 - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup.yml" - tags: +- tags: # This role intentionally doesn't do work on a `setup-all` tag. # If it did, the initial installation (`--tags=setup-all`) would also potentially polute the database with data, # which would make importing a database dump problematic. - ensure-matrix-users-created + block: + - when: matrix_user_creator_users | length > 0 + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup.yml" diff --git a/roles/custom/matrix-user-verification-service/tasks/main.yml b/roles/custom/matrix-user-verification-service/tasks/main.yml index 6eaaaf232..1b65f86a6 100644 --- a/roles/custom/matrix-user-verification-service/tasks/main.yml +++ b/roles/custom/matrix-user-verification-service/tasks/main.yml @@ -1,19 +1,19 @@ --- -- block: +- tags: + - setup-all + - setup-user-verification-service + - install-all + - install-user-verification-service + block: - when: run_setup | bool and matrix_user_verification_service_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: run_setup | bool and matrix_user_verification_service_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-user-verification-service - - install-all - - install-user-verification-service - -- block: + block: - when: run_setup | bool and not matrix_user_verification_service_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-user-verification-service diff --git a/roles/custom/matrix_playbook_migration/tasks/main.yml b/roles/custom/matrix_playbook_migration/tasks/main.yml index 4a39e2c74..4dbd3554f 100644 --- a/roles/custom/matrix_playbook_migration/tasks/main.yml +++ b/roles/custom/matrix_playbook_migration/tasks/main.yml 
@@ -1,22 +1,22 @@ --- -- block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - tags: +- tags: - setup-all - install-all + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/cleanup_usr_local_bin.yml" - tags: +- tags: - setup-all - install-all + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/cleanup_usr_local_bin.yml" - when: devture_traefik_enabled | bool - block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/devture_traefik_to_matrix_traefik.yml" tags: - setup-all - install-all - setup-traefik - install-traefik + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/devture_traefik_to_matrix_traefik.yml" From cdb1452d170d99170af77687380c059a581b4570 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 7 Mar 2023 20:38:36 +0000 Subject: [PATCH 578/915] Update jitsi stable-8252 -> stable-8319 --- roles/custom/matrix-jitsi/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-jitsi/defaults/main.yml b/roles/custom/matrix-jitsi/defaults/main.yml index cc24d3560..ef4cf100d 100644 --- a/roles/custom/matrix-jitsi/defaults/main.yml +++ b/roles/custom/matrix-jitsi/defaults/main.yml @@ -91,7 +91,7 @@ matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false -matrix_jitsi_version: stable-8252 +matrix_jitsi_version: stable-8319 matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}" From 06a390b6b8b7f199e246b298e4b0c53db265f272 Mon Sep 17 00:00:00 2001 
From: Array in a Matrix Date: Wed, 8 Mar 2023 19:22:31 -0500 Subject: [PATCH 579/915] Update configuring-playbook-cactus-comments.md --- docs/configuring-playbook-cactus-comments.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-cactus-comments.md b/docs/configuring-playbook-cactus-comments.md index 00c76f543..4d75c02e0 100644 --- a/docs/configuring-playbook-cactus-comments.md +++ b/docs/configuring-playbook-cactus-comments.md @@ -24,7 +24,7 @@ matrix_cactus_comments_enabled: true # To do this you need to uncomment one of the following lines (depending if you are using synapse or dentrite as a homeserver) # If you don't know which one you use: The default is synapse ;) # matrix_synapse_allow_guest_access: true -# matrix_dentrite_allow_guest_access +# matrix_dentrite_allow_guest_access: true ``` ## Installing From f2ebb5a91d9b008b589ecf57acd2823f38d9b35f Mon Sep 17 00:00:00 2001 From: Joe Kappus Date: Thu, 9 Mar 2023 00:02:54 -0500 Subject: [PATCH 580/915] Bump ChatGPT version and add new config settings OpenAI changed the model a month ago and broke the bot. This bump fixes it and adds the default model. --- roles/custom/matrix-bot-chatgpt/defaults/main.yml | 3 ++- roles/custom/matrix-bot-chatgpt/templates/env.j2 | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-chatgpt/defaults/main.yml b/roles/custom/matrix-bot-chatgpt/defaults/main.yml index 489b22c4a..13b25a00b 100644 --- a/roles/custom/matrix-bot-chatgpt/defaults/main.yml +++ b/roles/custom/matrix-bot-chatgpt/defaults/main.yml 
@@ -9,7 +9,7 @@ matrix_bot_chatgpt_docker_repo: "https://github.com/matrixgpt/matrix-chatgpt-bot matrix_bot_chatgpt_docker_repo_version: "{{ 'latest' if matrix_bot_chatgpt_version == 'latest' else matrix_bot_chatgpt_version }}" matrix_bot_chatgpt_docker_src_files_path: "{{ matrix_base_data_path }}/chatgpt/docker-src" -matrix_bot_chatgpt_version: 2.2.1 +matrix_bot_chatgpt_version: 3.0.0 matrix_bot_chatgpt_docker_image: "{{ matrix_bot_chatgpt_docker_image_name_prefix }}matrixgpt/matrix-chatgpt-bot:{{ matrix_bot_chatgpt_version }}" matrix_bot_chatgpt_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_chatgpt_container_image_self_build else 'ghcr.io/' }}" matrix_bot_chatgpt_docker_image_force_pull: "{{ matrix_bot_chatgpt_docker_image.endswith(':latest') }}" @@ -29,6 +29,7 @@ matrix_bot_chatgpt_systemd_wanted_services_list: [] # ChatGPT Settings matrix_bot_chatgpt_openai_api_key: '' +matrix_bot_chatgpt_api_model: 'gpt-3.5-turbo' matrix_bot_chatgpt_context: 'thread' # CHATGPT_CONTEXT="thread" matrix_bot_chatgpt_keyv_backend: 'file' diff --git a/roles/custom/matrix-bot-chatgpt/templates/env.j2 b/roles/custom/matrix-bot-chatgpt/templates/env.j2 index 40b2f9ffe..bc8c38664 100644 --- a/roles/custom/matrix-bot-chatgpt/templates/env.j2 +++ b/roles/custom/matrix-bot-chatgpt/templates/env.j2 @@ -3,6 +3,7 @@ MATRIX_ACCESS_TOKEN={{ matrix_bot_chatgpt_matrix_access_token }} OPENAI_API_KEY={{ matrix_bot_chatgpt_openai_api_key }} CHATGPT_CONTEXT={{ matrix_bot_chatgpt_context }} +CHATGPT_API_MODEL={{ matrix_bot_chatgpt_api_model }} KEYV_BACKEND={{ matrix_bot_chatgpt_keyv_backend }} KEYV_URL={{ matrix_bot_chatgpt_keyv_url }} From 70af9a44816faff432ecd913cf72cdded6c18f86 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 9 Mar 2023 08:56:51 +0200 Subject: [PATCH 581/915] Upgrade Traefik (v2.9.8-1 -> v2.9.8-2) - not using unprivileged ports anymore --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/requirements.yml b/requirements.yml index 013a6c530..05c5aa700 100644 --- a/requirements.yml +++ b/requirements.yml @@ -55,7 +55,7 @@ version: v0.1.1-1 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: v2.9.8-1 + version: v2.9.8-2 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: v2.8.1-0 From 122a834a7f271c302fc1e5ac28e51baa7eb3b733 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 10 Mar 2023 20:23:13 +0000 Subject: [PATCH 582/915] update prometheus-node-exporter 1.5.0-2 -> 1.5.0-3 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 05c5aa700..e841cb4ed 100644 --- a/requirements.yml +++ b/requirements.yml @@ -31,7 +31,7 @@ version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6 - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git - version: v1.5.0-2 + version: v1.5.0-3 - src: git+https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter.git version: v0.11.1-2 From bf3677a9b5a47fa1433bea1ce1e6c4ca2174c67f Mon Sep 17 00:00:00 2001 
From: Aine Date: Fri, 10 Mar 2023 23:48:43 +0200 Subject: [PATCH 583/915] add synapse_auto_compressor --- README.md | 1 + ...guring-playbook-synapse-auto-compressor.md | 36 +++++++++++++ playbooks/matrix.yml | 1 + .../defaults/main.yml | 51 ++++++++++++++++++ .../tasks/install.yml | 53 +++++++++++++++++++ .../tasks/main.yml | 17 ++++++ .../tasks/uninstall.yml | 29 ++++++++++ .../matrix-synapse-auto-compressor.service.j2 | 35 ++++++++++++ .../matrix-synapse-auto-compressor.timer.j2 | 9 ++++ 9 files changed, 232 insertions(+) create mode 100644 docs/configuring-playbook-synapse-auto-compressor.md create mode 100644 roles/custom/matrix-synapse-auto-compressor/defaults/main.yml create mode 100644 roles/custom/matrix-synapse-auto-compressor/tasks/install.yml create mode 100644 roles/custom/matrix-synapse-auto-compressor/tasks/main.yml create mode 100644 roles/custom/matrix-synapse-auto-compressor/tasks/uninstall.yml create mode 100644 roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.service.j2 create mode 100644 roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.timer.j2 diff --git a/README.md b/README.md index 185c40851..ff93cd1f6 100644 --- a/README.md +++ b/README.md 
@@ -163,6 +163,7 @@ Various services that don't fit any other category. | Name | Default? | Description | Documentation | | ---- | -------- | ----------- | ------------- | | [sliding-sync](https://github.com/matrix-org/sliding-sync)| x | Sliding Sync support for clients which require it (e.g. Element X) | [Link](docs/configuring-playbook-sliding-sync-proxy.md) | +| [synapse_auto_compressor](https://github.com/matrix-org/rust-synapse-compress-state/#automated-tool-synapse_auto_compressor) | x | A cli tool that automatically compresses `state_groups` database table in background. | [Link](docs/configuring-playbook-synapse-auto-compressor.md) | | [synapse-simple-antispam](https://github.com/t2bot/synapse-simple-antispam) (advanced) | x | A spam checker module | [Link](docs/configuring-playbook-synapse-simple-antispam.md) | | [Matrix Corporal](https://github.com/devture/matrix-corporal) (advanced) | x | Reconciliator and gateway for a managed Matrix server | [Link](docs/configuring-playbook-matrix-corporal.md) | | [Etherpad](https://etherpad.org) | x | An open source collaborative text editor | [Link](docs/configuring-playbook-etherpad.md) | diff --git a/docs/configuring-playbook-synapse-auto-compressor.md b/docs/configuring-playbook-synapse-auto-compressor.md new file mode 100644 index 000000000..cd6079ca1 --- /dev/null +++ b/docs/configuring-playbook-synapse-auto-compressor.md 
@@ -0,0 +1,36 @@ +# Setting up synapse_auto_compressor + +The playbook can install and configure [synapse_auto_compressor](https://github.com/matrix-org/rust-synapse-compress-state/#automated-tool-synapse_auto_compressor) for you. + +It's a cli tool that automatically compresses `state_groups` database table in background. + +See the project's [documentation](https://github.com/matrix-org/rust-synapse-compress-state/#automated-tool-synapse_auto_compressor) to learn what it does and why it might be useful to you. + + +## Adjusting the playbook configuration + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: + +```yaml +matrix_synapse_auto_compressor_enabled: true +``` + + +## Installing + +After configuring the playbook, run the [installation](installing.md) command again: + +``` +ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start +``` + + +## Usage + +After installation, synapse_auto_compressor will run automatically every day by the defined schedule + +## Manually start the tool + +For testing your setup it can be helpful to not wait until 00:00. If you want to run the tool immediately, log onto the server +and run `systemctl start matrix-synapse-auto-compressor`. This will not return until the run is done, so possibly a long time. +Consider using [tmux](https://en.wikipedia.org/wiki/Tmux) if your SSH connection is unstable. diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index a2b7f2b8b..b8964aa54 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml @@ -84,6 +84,7 @@ - custom/matrix-cactus-comments - custom/matrix-rageshake - custom/matrix-synapse + - custom/matrix-synapse-auto-compressor - custom/matrix-synapse-reverse-proxy-companion - custom/matrix-dendrite - custom/matrix-conduit diff --git a/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml b/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml new file mode 100644 index 000000000..d24564ce0 --- /dev/null 
+++ b/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml 
@@ -0,0 +1,51 @@ +--- +# synapse_auto_compressor tool +# Project source code URL: https://github.com/matrix-org/rust-synapse-compress-state + +matrix_synapse_auto_compressor_enabled: false + +matrix_synapse_auto_compressor_container_image_self_build: false +matrix_synapse_auto_compressor_container_repo: "https://gitlab.com/etke.cc/rust-synapse-compress-state.git" +matrix_synapse_auto_compressor_container_repo_version: "{{ 'main' if matrix_synapse_auto_compressor_version == 'latest' else matrix_synapse_auto_compressor_version }}" +matrix_synapse_auto_compressor_container_src_files_path: "{{ matrix_synapse_auto_compressor_base_path }}" + +matrix_synapse_auto_compressor_version: v0.1.3 +matrix_synapse_auto_compressor_container_image: "{{ matrix_synapse_auto_compressor_container_image_name_prefix }}etke.cc/rust-synapse-compress-state:{{ matrix_synapse_auto_compressor_version }}" +matrix_synapse_auto_compressor_container_image_name_prefix: "{{ 'localhost/' if matrix_synapse_auto_compressor_container_image_self_build else 'registry.gitlab.com/' }}" +matrix_synapse_auto_compressor_container_image_force_pull: "{{ matrix_synapse_auto_compressor_container_image.endswith(':latest') }}" + +matrix_synapse_auto_compressor_base_path: "{{ matrix_base_data_path }}/synapse-auto-compressor" + +# A list of extra arguments to pass to the container +matrix_synapse_auto_compressor_container_extra_arguments: [] + +# List of systemd services that matrix-synapse-auto-compressor.service depends on +matrix_synapse_auto_compressor_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-synapse-auto-compressor.service wants +matrix_synapse_auto_compressor_systemd_wanted_services_list: [] + +matrix_synapse_auto_compressor_database_username: 'synapse' +matrix_synapse_auto_compressor_database_password: 'some-password' +matrix_synapse_auto_compressor_database_hostname: '' +matrix_synapse_auto_compressor_database_port: 5432 
+matrix_synapse_auto_compressor_database_name: 'synapse' + +# connection string to synapse database (postgres only) +matrix_synapse_auto_compressor_synapse_database: 'postgres://{{ matrix_synapse_auto_compressor_database_username }}:{{ matrix_synapse_auto_compressor_database_password }}@{{ matrix_synapse_auto_compressor_database_hostname }}:{{ matrix_synapse_auto_compressor_database_port }}/{{ matrix_synapse_auto_compressor_database_name }}' + +# systemd calendar configuration for the compressor job +matrix_synapse_auto_compressor_calendar: "*-*-* 00:00:00" + +# The number of state groups to work on at once. +# All of the entries from state_groups_state are requested from the database for state groups that are worked on. +# Therefore small chunk sizes may be needed on machines with low memory. +# Note: if the compressor fails to find space savings on the chunk as a whole +# (which may well happen in rooms with lots of backfill in) then the entire chunk is skipped. +matrix_synapse_auto_compressor_chunk_size: 500 + +# CHUNKS_TO_COMPRESS chunks of size CHUNK_SIZE will be compressed. +# The higher this number is set to, the longer the compressor will run for. +matrix_synapse_auto_compressor_chunks_to_compress: 100 + +matrix_synapse_auto_compressor_command: "synapse_auto_compressor -p {{ matrix_synapse_auto_compressor_synapse_database }} -c {{ matrix_synapse_auto_compressor_chunk_size }} -n {{ matrix_synapse_auto_compressor_chunks_to_compress }}" diff --git a/roles/custom/matrix-synapse-auto-compressor/tasks/install.yml b/roles/custom/matrix-synapse-auto-compressor/tasks/install.yml new file mode 100644 index 000000000..ec825b133 --- /dev/null +++ b/roles/custom/matrix-synapse-auto-compressor/tasks/install.yml 
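Review bot: The credentials are interpolated raw into the `postgres://` URL in `matrix_synapse_auto_compressor_synapse_database`, so any reserved character in the password (`@`, `:`, `/`, `#`, `%`) changes how the URL parses and the connection fails or is routed to the wrong host. Percent-encode the userinfo parts: `postgres://{{ matrix_synapse_auto_compressor_database_username | urlencode }}:{{ matrix_synapse_auto_compressor_database_password | urlencode }}@{{ matrix_synapse_auto_compressor_database_hostname }}:...`. The default `matrix_synapse_auto_compressor_database_password: 'some-password'` also looks like a real value; an empty default that a validation task rejects is safer, because a deployment that forgets to override it would otherwise attempt connections with a guessable password instead of failing early.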
@@ -0,0 +1,53 @@ +--- +- name: Ensure synapse-auto-compressor paths exist + ansible.builtin.file: + path: "{{ matrix_synapse_auto_compressor_container_src_files_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: matrix_synapse_auto_compressor_container_image_self_build | bool + +- name: Ensure synapse-auto-compressor image is pulled + community.docker.docker_image: + name: "{{ matrix_synapse_auto_compressor_container_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_synapse_auto_compressor_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_auto_compressor_container_image_force_pull }}" + when: "not matrix_synapse_auto_compressor_container_image_self_build | bool" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- name: Ensure synapse-auto-compressor repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_synapse_auto_compressor_container_repo }}" + version: "{{ matrix_synapse_auto_compressor_container_repo_version }}" + dest: "{{ matrix_synapse_auto_compressor_container_src_files_path }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_synapse_auto_compressor_git_pull_results + when: "matrix_synapse_auto_compressor_container_image_self_build | bool" + +- name: Ensure synapse-auto-compressor image is built + community.docker.docker_image: + name: "{{ matrix_synapse_auto_compressor_container_image }}" + source: build + force_source: "{{ matrix_synapse_auto_compressor_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ 
omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_synapse_auto_compressor_container_src_files_path }}" + pull: true + when: "matrix_synapse_auto_compressor_container_image_self_build | bool" + +- name: Ensure matrix-synapse-auto-compressor systemd service and timer are installed + ansible.builtin.template: + src: "{{ role_path }}/templates/matrix-synapse-auto-compressor.{{ item }}.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-auto-compressor.{{ item }}" + mode: 0644 + with_items: + - service + - timer diff --git a/roles/custom/matrix-synapse-auto-compressor/tasks/main.yml b/roles/custom/matrix-synapse-auto-compressor/tasks/main.yml new file mode 100644 index 000000000..b3549bd69 --- /dev/null +++ b/roles/custom/matrix-synapse-auto-compressor/tasks/main.yml @@ -0,0 +1,17 @@ +--- + +- block: + - when: matrix_synapse_auto_compressor_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" + tags: + - setup-all + - setup-synapse-auto-compressor + - install-all + - install-synapse-auto-compressor + +- block: + - when: not matrix_synapse_auto_compressor_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" + tags: + - setup-all + - setup-synapse-auto-compressor diff --git a/roles/custom/matrix-synapse-auto-compressor/tasks/uninstall.yml b/roles/custom/matrix-synapse-auto-compressor/tasks/uninstall.yml new file mode 100644 index 000000000..075f3c101 --- /dev/null +++ b/roles/custom/matrix-synapse-auto-compressor/tasks/uninstall.yml 
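Review bot: The `force:` expression of the "Ensure synapse-auto-compressor image is built" task references `matrix_mailer_git_pull_results.changed`, a register name from another role, while the git task two steps earlier registers `matrix_synapse_auto_compressor_git_pull_results`. On the legacy (`ansible_version.minor < 8`) branch this resolves to an undefined variable and the self-build fails; on newer versions the branch yields `omit`, so the mistake is only masked. It should read `force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_auto_compressor_git_pull_results.changed }}"`. The pull task uses `ansible_version.minor > 7` where its siblings use `>= 8`; equivalent, but one form throughout is easier to audit.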
@@ -0,0 +1,29 @@ +--- +- name: Check existence of matrix-synapse-auto-compressor service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-auto-compressor.service" + register: matrix_synapse_auto_compressor_service_stat + +- when: matrix_synapse_auto_compressor_service_stat.stat.exists | bool + block: + - name: Ensure matrix-synapse-auto-compressor is stopped + ansible.builtin.service: + name: matrix-synapse-auto-compressor + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure matrix-synapse-auto-compressor.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-auto-compressor.service" + state: absent + + - name: Ensure matrix-synapse-auto-compressor.timer doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-auto-compressor.timer" + state: absent + + - name: Ensure Matrix synapse-auto-compressor paths don't exist + ansible.builtin.file: + path: "{{ matrix_synapse_auto_compressor_base_path }}" + state: absent diff --git a/roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.service.j2 b/roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.service.j2 new file mode 100644 index 000000000..02aef84b3 --- /dev/null +++ b/roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.service.j2 
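Review bot: The uninstall path stops and disables `matrix-synapse-auto-compressor` (the service) but never touches `matrix-synapse-auto-compressor.timer`, which is the unit that actually stays active; deleting the timer file while the timer is loaded leaves it running until reboot and it will keep trying to start a unit that no longer exists. Add a stop/disable step for the timer before the file removals, and keep `daemon_reload: true` after both unit files are gone so systemd forgets them. The block structure is otherwise fine; only the timer step is missing.

```yaml
  - name: Ensure matrix-synapse-auto-compressor.timer is stopped
    ansible.builtin.service:
      name: matrix-synapse-auto-compressor.timer
      state: stopped
      enabled: false
      daemon_reload: true

  # … unchanged: stop of matrix-synapse-auto-compressor.service, removal of .service/.timer files and base path …
```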
@@ -0,0 +1,35 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Synapse State Auto Compressor +{% for service in matrix_synapse_auto_compressor_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_synapse_auto_compressor_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=oneshot +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-synapse-auto-compressor 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-synapse-auto-compressor 2>/dev/null || true' +ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-synapse-auto-compressor \ + --log-driver=none \ + --cap-drop=ALL \ + --read-only \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --network={{ matrix_docker_network }} \ + {% for arg in matrix_synapse_auto_compressor_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_synapse_auto_compressor_container_image }} \ + {{ matrix_synapse_auto_compressor_command }} + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-synapse-auto-compressor 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-synapse-auto-compressor 2>/dev/null || true' +SyslogIdentifier=matrix-synapse-auto-compressor + +[Install] +WantedBy=multi-user.target 
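Review bot: The `[Install]` section with `WantedBy=multi-user.target` is unusual for a `Type=oneshot` unit that is meant to be driven by a timer: if anyone runs `systemctl enable matrix-synapse-auto-compressor`, the compression job runs on every boot in addition to the scheduled run. Dropping the `[Install]` section from the service (the timer unit carries its own `WantedBy=timers.target`) keeps the schedule as the only trigger. Separately, `{{ matrix_synapse_auto_compressor_command }}` expands the full `postgres://user:password@…` URL into this unit, and install.yml writes the rendered unit with `mode: 0644`, so the database credential is readable by every local account and visible in the process list while the job runs; keeping the secret out of the unit (for example an env file with a restrictive mode, referenced from the container invocation) avoids both exposures.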
diff --git a/roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.timer.j2 b/roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.timer.j2 new file mode 100644 index 000000000..1d7b16d33 --- /dev/null +++ b/roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.timer.j2 @@ -0,0 +1,9 @@ +[Unit] +Description=Synapse State Auto Compressor Timer + +[Timer] +Unit=matrix-synapse-auto-compressor.service +OnCalendar={{ matrix_synapse_auto_compressor_calendar }} + +[Install] +WantedBy=timers.target From 43ae0b2943e24444369c9f6f534f5890238c9cf7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 12 Mar 2023 09:44:43 +0200 Subject: [PATCH 584/915] Minor rewording --- docs/configuring-playbook-synapse-auto-compressor.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/configuring-playbook-synapse-auto-compressor.md b/docs/configuring-playbook-synapse-auto-compressor.md index cd6079ca1..108b6a114 100644 --- a/docs/configuring-playbook-synapse-auto-compressor.md +++ b/docs/configuring-playbook-synapse-auto-compressor.md @@ -2,7 +2,7 @@ The playbook can install and configure [synapse_auto_compressor](https://github.com/matrix-org/rust-synapse-compress-state/#automated-tool-synapse_auto_compressor) for you. -It's a cli tool that automatically compresses `state_groups` database table in background. +It's a CLI tool that automatically compresses Synapse's `state_groups` database table in the background. See the project's [documentation](https://github.com/matrix-org/rust-synapse-compress-state/#automated-tool-synapse_auto_compressor) to learn what it does and why it might be useful to you. 
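Review bot: The `[Timer]` section has only `OnCalendar=`, so a run whose 00:00 slot passes while the host is down (reboot, maintenance) is silently skipped until the next day. Adding `Persistent=true` under `[Timer]` makes systemd run the missed job at the next boot. A `RandomizedDelaySec=` entry would additionally avoid every host in a fleet hitting its database at exactly midnight, but that is a judgement call for the operator.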
@@ -27,10 +27,10 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start ## Usage -After installation, synapse_auto_compressor will run automatically every day by the defined schedule +After installation, `synapse_auto_compressor` will run automatically every day at `00:00:00` (as defined in `matrix_synapse_auto_compressor_calendar` by default). ## Manually start the tool For testing your setup it can be helpful to not wait until 00:00. If you want to run the tool immediately, log onto the server -and run `systemctl start matrix-synapse-auto-compressor`. This will not return until the run is done, so possibly a long time. +and run `systemctl start matrix-synapse-auto-compressor`. Running this command will not return control to your terminal until the compression run is done, which may take a long time. Consider using [tmux](https://en.wikipedia.org/wiki/Tmux) if your SSH connection is unstable. From b28d779c6cc8cc4f80a48295ebd0a93cc63311c5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 12 Mar 2023 09:48:46 +0200 Subject: [PATCH 585/915] Add matrix-synapse-auto-compressor section in group_vars/matrix_servers --- group_vars/matrix_servers | 18 ++++++++++++++++++ .../defaults/main.yml | 3 ++- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 85fbfd2ac..6a90114ff 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -3326,6 +3326,24 @@ matrix_synapse_app_service_config_files_auto: "{{ matrix_homeserver_app_service_ # ###################################################################### + +###################################################################### +# +# matrix-synapse-auto-compressor +# +###################################################################### + +matrix_synapse_auto_compressor_enabled: false + +matrix_synapse_auto_compressor_container_image_self_build: "{{ matrix_architecture not in ['arm32', 'arm64', 'amd64'] }}" + +###################################################################### +# +# /matrix-synapse-auto-compressor +# +###################################################################### + + ###################################################################### # # matrix-synapse-reverse-proxy-companion diff --git a/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml b/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml index d24564ce0..99fb272f8 100644 --- a/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml +++ b/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml @@ -1,8 +1,9 @@ --- + # synapse_auto_compressor tool # Project source code URL: https://github.com/matrix-org/rust-synapse-compress-state -matrix_synapse_auto_compressor_enabled: false +matrix_synapse_auto_compressor_enabled: true matrix_synapse_auto_compressor_container_image_self_build: false matrix_synapse_auto_compressor_container_repo: "https://gitlab.com/etke.cc/rust-synapse-compress-state.git" From ca69fce64824548d240f69b375f1d6f51cba41b1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 12 Mar 2023 09:55:32 +0200 Subject: [PATCH 586/915] Add missing group vars for matrix-synapse-auto-compressor --- group_vars/matrix_servers | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 6a90114ff..5712b0378 100755 
--- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -3333,9 +3333,23 @@ matrix_synapse_app_service_config_files_auto: "{{ matrix_homeserver_app_service_ # ###################################################################### +# Not enabled by default, for now matrix_synapse_auto_compressor_enabled: false -matrix_synapse_auto_compressor_container_image_self_build: "{{ matrix_architecture not in ['arm32', 'arm64', 'amd64'] }}" +matrix_synapse_auto_compressor_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}" + +matrix_synapse_auto_compressor_database_username: "{{ matrix_synapse_database_user if matrix_synapse_enabled else '' }}" +matrix_synapse_auto_compressor_database_password: "{{ matrix_synapse_database_password if matrix_synapse_enabled else '' }}" +matrix_synapse_auto_compressor_database_hostname: "{{ matrix_synapse_database_host if matrix_synapse_enabled else '' }}" +matrix_synapse_auto_compressor_database_port: "{{ matrix_synapse_database_port if matrix_synapse_enabled else '5432' }}" +matrix_synapse_auto_compressor_database_name: "{{ matrix_synapse_database_database if matrix_synapse_enabled else '' }}" + +matrix_synapse_auto_compressor_systemd_required_services_list: | + {{ + ['docker.service'] + + + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + }} ###################################################################### # From 0f2e568b3098e63ca08af94416d0da37ce4a56ac Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 12 Mar 2023 09:56:53 +0200 Subject: [PATCH 587/915] Add validation tasks to matrix-synapse-auto-compressor --- .../matrix-synapse-auto-compressor/defaults/main.yml | 2 +- .../matrix-synapse-auto-compressor/tasks/main.yml | 3 +++ .../tasks/validate_config.yml | 10 ++++++++++ 3 files changed, 14 insertions(+), 1 deletion(-) create mode 100644 roles/custom/matrix-synapse-auto-compressor/tasks/validate_config.yml 
diff --git a/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml b/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml index 99fb272f8..8de4097e2 100644 --- a/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml +++ b/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml @@ -27,7 +27,7 @@ matrix_synapse_auto_compressor_systemd_required_services_list: ['docker.service' matrix_synapse_auto_compressor_systemd_wanted_services_list: [] matrix_synapse_auto_compressor_database_username: 'synapse' -matrix_synapse_auto_compressor_database_password: 'some-password' +matrix_synapse_auto_compressor_database_password: '' matrix_synapse_auto_compressor_database_hostname: '' matrix_synapse_auto_compressor_database_port: 5432 matrix_synapse_auto_compressor_database_name: 'synapse' diff --git a/roles/custom/matrix-synapse-auto-compressor/tasks/main.yml b/roles/custom/matrix-synapse-auto-compressor/tasks/main.yml index b3549bd69..2cce1f122 100644 --- a/roles/custom/matrix-synapse-auto-compressor/tasks/main.yml +++ b/roles/custom/matrix-synapse-auto-compressor/tasks/main.yml @@ -1,6 +1,9 @@ --- - block: + - when: matrix_synapse_auto_compressor_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + - when: matrix_synapse_auto_compressor_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" tags: diff --git a/roles/custom/matrix-synapse-auto-compressor/tasks/validate_config.yml b/roles/custom/matrix-synapse-auto-compressor/tasks/validate_config.yml new file mode 100644 index 000000000..b0dbfab06 --- /dev/null +++ b/roles/custom/matrix-synapse-auto-compressor/tasks/validate_config.yml 
@@ -0,0 +1,10 @@ +--- + +- name: Fail if required matrix-synapse-auto-compressor settings not defined + ansible.builtin.fail: + msg: > + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - matrix_synapse_auto_compressor_database_hostname + - matrix_synapse_auto_compressor_database_password From 26d5719df414d26f3af8470cac5a36d1f3e65eed Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 12 Mar 2023 10:01:51 +0200 Subject: [PATCH 588/915] Make matrix-synapse-auto-compressor live in its own container network It will, additionally, be connected to the devture-postgres network, if devture-postgres is enabled. --- group_vars/matrix_servers | 5 +++++ .../defaults/main.yml | 8 ++++++++ .../tasks/install.yml | 5 +++++ .../matrix-synapse-auto-compressor.service.j2 | 13 +++++++++++-- 4 files changed, 29 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 5712b0378..c96b34a79 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -3338,6 +3338,11 @@ matrix_synapse_auto_compressor_enabled: false matrix_synapse_auto_compressor_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}" +matrix_synapse_auto_compressor_container_additional_networks: | + {{ + ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != matrix_synapse_auto_compressor_container_network else []) + }} + matrix_synapse_auto_compressor_database_username: "{{ matrix_synapse_database_user if matrix_synapse_enabled else '' }}" matrix_synapse_auto_compressor_database_password: "{{ matrix_synapse_database_password if matrix_synapse_enabled else '' }}" matrix_synapse_auto_compressor_database_hostname: "{{ matrix_synapse_database_host if matrix_synapse_enabled else '' }}" 
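Review bot: The validation only rejects an empty `matrix_synapse_auto_compressor_database_hostname` and `matrix_synapse_auto_compressor_database_password`, but the group_vars wiring from the previous commit sets `matrix_synapse_auto_compressor_database_username` and `matrix_synapse_auto_compressor_database_name` to `''` as well whenever `matrix_synapse_enabled` is false, which produces a malformed `postgres://:…@host:port/` URL that fails only at run time inside the timer job. Extend `with_items:` with `- matrix_synapse_auto_compressor_database_username` and `- matrix_synapse_auto_compressor_database_name` so the same early failure covers all four fields.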
diff --git a/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml b/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml index 8de4097e2..0649392d2 100644 --- a/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml +++ b/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml @@ -17,6 +17,14 @@ matrix_synapse_auto_compressor_container_image_force_pull: "{{ matrix_synapse_au matrix_synapse_auto_compressor_base_path: "{{ matrix_base_data_path }}/synapse-auto-compressor" +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_synapse_auto_compressor_container_network: matrix-synapse-auto-compressor + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_synapse_auto_compressor_container_additional_networks: [] + # A list of extra arguments to pass to the container matrix_synapse_auto_compressor_container_extra_arguments: [] diff --git a/roles/custom/matrix-synapse-auto-compressor/tasks/install.yml b/roles/custom/matrix-synapse-auto-compressor/tasks/install.yml index ec825b133..6f4524bbc 100644 --- a/roles/custom/matrix-synapse-auto-compressor/tasks/install.yml +++ b/roles/custom/matrix-synapse-auto-compressor/tasks/install.yml @@ -43,6 +43,11 @@ pull: true when: "matrix_synapse_auto_compressor_container_image_self_build | bool" +- name: Ensure matrix-synapse-auto-compressor container network is created + community.general.docker_network: + name: "{{ matrix_synapse_auto_compressor_container_network }}" + driver: bridge + - name: Ensure matrix-synapse-auto-compressor systemd service and timer are installed ansible.builtin.template: src: "{{ role_path }}/templates/matrix-synapse-auto-compressor.{{ item }}.j2" 
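Review bot: The comment above `matrix_synapse_auto_compressor_container_additional_networks` says to use the list "to expose this container to another reverse proxy", which does not match this role: the compressor is a one-shot batch job with no listening port, and the group_vars in the same commit use the list to reach the Postgres container network. Reword it to describe the real use, e.g. `# Use this to let the container reach a database that runs in a different container network (e.g. the Postgres network).`, so operators are not misled into treating the list as an exposure knob.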
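Review bot: The new network task uses `community.general.docker_network:` while every other Docker task in this file uses the `community.docker.*` collection (`community.docker.docker_image`). Mixing the two makes the role depend on the `community.general` redirect for a module that lives in `community.docker`; use `community.docker.docker_network:` for consistency. The task also runs unconditionally, which is fine since the network is needed in both the pulled and self-built paths.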
diff --git a/roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.service.j2 b/roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.service.j2 index 02aef84b3..e769438d1 100644 --- a/roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.service.j2 +++ b/roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.service.j2 
@@ -15,18 +15,27 @@ Type=oneshot Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-synapse-auto-compressor 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-synapse-auto-compressor 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-synapse-auto-compressor \ + +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-synapse-auto-compressor \ --log-driver=none \ --cap-drop=ALL \ --read-only \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_synapse_auto_compressor_container_network }} \ {% for arg in matrix_synapse_auto_compressor_container_extra_arguments %} {{ arg }} \ {% endfor %} {{ matrix_synapse_auto_compressor_container_image }} \ {{ matrix_synapse_auto_compressor_command }} +{% for network in matrix_synapse_auto_compressor_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-synapse-auto-compressor +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-synapse-auto-compressor + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-synapse-auto-compressor 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-synapse-auto-compressor 2>/dev/null || true' SyslogIdentifier=matrix-synapse-auto-compressor From 328d0d8a5f47c4f4e15d70cb4c796dbd6a957b6b Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sun, 12 Mar 2023 10:17:42 +0200 Subject: [PATCH 589/915] Move synapse-auto-compressor Postgres argument to an environment variable This provides an additional security benefit. The password won't leak in the process list anymore. --- .../defaults/main.yml | 14 +++++++++----- .../tasks/install.yml | 18 ++++++++++++++++-- .../templates/env.j2 | 1 + .../matrix-synapse-auto-compressor.service.j2 | 4 +++- 4 files changed, 29 insertions(+), 8 deletions(-) create mode 100644 roles/custom/matrix-synapse-auto-compressor/templates/env.j2 diff --git a/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml b/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml index 0649392d2..611947144 100644 --- a/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml +++ b/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml 
@@ -5,18 +5,19 @@ matrix_synapse_auto_compressor_enabled: true +matrix_synapse_auto_compressor_version: v0.1.3 + +matrix_synapse_auto_compressor_base_path: "{{ matrix_base_data_path }}/synapse-auto-compressor" +matrix_synapse_auto_compressor_container_src_files_path: "{{ matrix_synapse_auto_compressor_base_path }}/container-src" + matrix_synapse_auto_compressor_container_image_self_build: false matrix_synapse_auto_compressor_container_repo: "https://gitlab.com/etke.cc/rust-synapse-compress-state.git" matrix_synapse_auto_compressor_container_repo_version: "{{ 'main' if matrix_synapse_auto_compressor_version == 'latest' else matrix_synapse_auto_compressor_version }}" -matrix_synapse_auto_compressor_container_src_files_path: "{{ matrix_synapse_auto_compressor_base_path }}" -matrix_synapse_auto_compressor_version: v0.1.3 matrix_synapse_auto_compressor_container_image: "{{ matrix_synapse_auto_compressor_container_image_name_prefix }}etke.cc/rust-synapse-compress-state:{{ matrix_synapse_auto_compressor_version }}" matrix_synapse_auto_compressor_container_image_name_prefix: "{{ 'localhost/' if matrix_synapse_auto_compressor_container_image_self_build else 'registry.gitlab.com/' }}" matrix_synapse_auto_compressor_container_image_force_pull: "{{ matrix_synapse_auto_compressor_container_image.endswith(':latest') }}" -matrix_synapse_auto_compressor_base_path: "{{ matrix_base_data_path }}/synapse-auto-compressor" - # The base container network. It will be auto-created by this role if it doesn't exist already. matrix_synapse_auto_compressor_container_network: matrix-synapse-auto-compressor 
@@ -57,4 +58,7 @@ matrix_synapse_auto_compressor_chunk_size: 500 # The higher this number is set to, the longer the compressor will run for. matrix_synapse_auto_compressor_chunks_to_compress: 100 -matrix_synapse_auto_compressor_command: "synapse_auto_compressor -p {{ matrix_synapse_auto_compressor_synapse_database }} -c {{ matrix_synapse_auto_compressor_chunk_size }} -n {{ matrix_synapse_auto_compressor_chunks_to_compress }}" +matrix_synapse_auto_compressor_command: "synapse_auto_compressor -p $POSTGRES_LOCATION -c {{ matrix_synapse_auto_compressor_chunk_size }} -n {{ matrix_synapse_auto_compressor_chunks_to_compress }}" + +# Controls the POSTGRES_LOCATION environment variable +matrix_synapse_auto_compressor_environment_variable_postgres_location: "{{ matrix_synapse_auto_compressor_synapse_database }}" diff --git a/roles/custom/matrix-synapse-auto-compressor/tasks/install.yml b/roles/custom/matrix-synapse-auto-compressor/tasks/install.yml index 6f4524bbc..494a56785 100644 --- a/roles/custom/matrix-synapse-auto-compressor/tasks/install.yml +++ b/roles/custom/matrix-synapse-auto-compressor/tasks/install.yml 
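Review bot: `matrix_synapse_auto_compressor_command` now contains an unquoted `-p $POSTGRES_LOCATION`; the service template runs this string through `/bin/sh -c '...'`, so the value is subject to word splitting and glob expansion, and a connection URL containing a space or shell metacharacter (a percent-encoded password is fine, an unencoded one may not be) would be split into several arguments. Quote the expansion: `matrix_synapse_auto_compressor_command: "synapse_auto_compressor -p \"$POSTGRES_LOCATION\" -c {{ matrix_synapse_auto_compressor_chunk_size }} -n {{ matrix_synapse_auto_compressor_chunks_to_compress }}"`. Double quotes are safe inside the single-quoted `-c '...'` wrapper used in the unit.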
@@ -1,12 +1,26 @@ --- + - name: Ensure synapse-auto-compressor paths exist ansible.builtin.file: - path: "{{ matrix_synapse_auto_compressor_container_src_files_path }}" + path: "{{ item.path }}" state: directory mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: matrix_synapse_auto_compressor_container_image_self_build | bool + when: item.when | bool + with_items: + - path: "{{ matrix_synapse_auto_compressor_base_path }}" + when: true + - path: "{{ matrix_synapse_auto_compressor_container_src_files_path }}" + when: "{{ matrix_synapse_auto_compressor_container_image_self_build }}" + +- name: Ensure synapse-auto-compressor labels installed + ansible.builtin.template: + src: "{{ role_path }}/templates/env.j2" + dest: "{{ matrix_synapse_auto_compressor_base_path }}/env" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure synapse-auto-compressor image is pulled community.docker.docker_image: diff --git a/roles/custom/matrix-synapse-auto-compressor/templates/env.j2 b/roles/custom/matrix-synapse-auto-compressor/templates/env.j2 new file mode 100644 index 000000000..27fb1dd88 --- /dev/null +++ b/roles/custom/matrix-synapse-auto-compressor/templates/env.j2 @@ -0,0 +1 @@ +POSTGRES_LOCATION={{ matrix_synapse_auto_compressor_environment_variable_postgres_location }} diff --git a/roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.service.j2 b/roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.service.j2 index e769438d1..f530d5b27 100644 --- a/roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.service.j2 +++ b/roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.service.j2 
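Review bot: The task that writes `{{ matrix_synapse_auto_compressor_base_path }}/env` is named "Ensure synapse-auto-compressor labels installed", which looks copied from another role and will confuse anyone reading play output; rename it `- name: Ensure synapse-auto-compressor env file is installed`. The file itself is correctly restricted (`mode: 0640`, owned by the matrix user), which is what makes moving the database URL out of the unit's argv worthwhile. In the `with_items` list, `when: "{{ matrix_synapse_auto_compressor_container_image_self_build }}"` embeds a Jinja expression in a data value that is later piped through `| bool`; it works, but the plain variable reference `when: "{{ matrix_synapse_auto_compressor_container_image_self_build | bool }}"` would make the intent explicit.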
@@ -24,11 +24,13 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --read-only \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --network={{ matrix_synapse_auto_compressor_container_network }} \ + --env-file={{ matrix_synapse_auto_compressor_base_path }}/env \ + --entrypoint=/bin/sh \ {% for arg in matrix_synapse_auto_compressor_container_extra_arguments %} {{ arg }} \ {% endfor %} {{ matrix_synapse_auto_compressor_container_image }} \ - {{ matrix_synapse_auto_compressor_command }} + -c '{{ matrix_synapse_auto_compressor_command }}' {% for network in matrix_synapse_auto_compressor_container_additional_networks %} ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-synapse-auto-compressor From 7422337c26c464242b0295aad2c64c1735f65bf1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 12 Mar 2023 10:18:16 +0200 Subject: [PATCH 590/915] Add missing matrix-synapse-auto-compressor.timer in systemd service list --- group_vars/matrix_servers | 2 ++ 1 file changed, 2 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index c96b34a79..60c8349e3 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
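Review bot: `--entrypoint=/bin/sh` with `-c '{{ matrix_synapse_auto_compressor_command }}'` hands the whole command to a shell inside the container, so the unit now depends on `/bin/sh` existing in `matrix_synapse_auto_compressor_container_image` (a scratch/distroless image would fail at start; I cannot tell from the diff what the etke.cc image is based on) and on the operator-supplied command containing no single quote, which would terminate the `-c` argument early in the unit file. A template comment should record both constraints, e.g. `{# runs via /bin/sh so $POSTGRES_LOCATION from --env-file expands inside the container; the command must not contain single quotes #}`. Note also that `--env-file` moves the database password from the unit's command line into the container environment, which is an improvement over the removed line, but it remains readable through `docker inspect` by anyone with access to the Docker socket — the same trust boundary the rest of the playbook already relies on.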
@@ -338,6 +338,8 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-synapse-s3-storage-provider-migrate.timer', 'priority': 5000, 'groups': ['matrix']}] if matrix_synapse_ext_synapse_s3_storage_provider_enabled else []) + + ([{'name': 'matrix-synapse-auto-compressor.timer', 'priority': 5000, 'groups': ['matrix', 'synapse-auto-compressor']}] if matrix_synapse_auto_compressor_enabled else []) + + ([{'name': 'matrix-synapse-admin.service', 'priority': 4000, 'groups': ['matrix', 'synapse-admin']}] if matrix_synapse_admin_enabled else []) + ([{'name': 'matrix-synapse-reverse-proxy-companion.service', 'priority': 1500, 'groups': ['matrix', 'homeservers', 'synapse', 'reverse-proxies']}] if matrix_synapse_reverse_proxy_companion_enabled else []) From bb89d7b3fb063339c40dad937cf5a275603e868d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 12 Mar 2023 10:39:19 +0200 Subject: [PATCH 591/915] Fix self-building for matrix-synapse-auto-compressor --- roles/custom/matrix-synapse-auto-compressor/defaults/main.yml | 4 ++-- roles/custom/matrix-synapse-auto-compressor/tasks/install.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml b/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml index 611947144..48ed1b039 100644 --- a/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml +++ b/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml 
@@ -11,8 +11,8 @@ matrix_synapse_auto_compressor_base_path: "{{ matrix_base_data_path }}/synapse-a matrix_synapse_auto_compressor_container_src_files_path: "{{ matrix_synapse_auto_compressor_base_path }}/container-src" matrix_synapse_auto_compressor_container_image_self_build: false -matrix_synapse_auto_compressor_container_repo: "https://gitlab.com/etke.cc/rust-synapse-compress-state.git" -matrix_synapse_auto_compressor_container_repo_version: "{{ 'main' if matrix_synapse_auto_compressor_version == 'latest' else matrix_synapse_auto_compressor_version }}" +matrix_synapse_auto_compressor_container_image_self_build_repo: "https://github.com/matrix-org/rust-synapse-compress-state.git" +matrix_synapse_auto_compressor_container_image_self_build_version: "{{ 'main' if matrix_synapse_auto_compressor_version == 'latest' else matrix_synapse_auto_compressor_version }}" matrix_synapse_auto_compressor_container_image: "{{ matrix_synapse_auto_compressor_container_image_name_prefix }}etke.cc/rust-synapse-compress-state:{{ matrix_synapse_auto_compressor_version }}" matrix_synapse_auto_compressor_container_image_name_prefix: "{{ 'localhost/' if matrix_synapse_auto_compressor_container_image_self_build else 'registry.gitlab.com/' }}" diff --git a/roles/custom/matrix-synapse-auto-compressor/tasks/install.yml b/roles/custom/matrix-synapse-auto-compressor/tasks/install.yml index 494a56785..be4d5aadb 100644 --- a/roles/custom/matrix-synapse-auto-compressor/tasks/install.yml +++ b/roles/custom/matrix-synapse-auto-compressor/tasks/install.yml 
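Review bot: The self-build source becomes `https://github.com/matrix-org/rust-synapse-compress-state.git` while the pulled image stays `registry.gitlab.com/etke.cc/rust-synapse-compress-state:{{ matrix_synapse_auto_compressor_version }}`, so `matrix_synapse_auto_compressor_container_image_self_build_version` now uses an etke.cc image tag as a git ref in the matrix-org repository; that only works if the two projects share tag names, which the diff does not let me verify. With `matrix_synapse_auto_compressor_version` at `latest` the build tracks `main`, i.e. whatever upstream has pushed at play time, and the git task in install.yml checks it out with `force: yes` and no `verify_commit`, so a pinned version is the only integrity control. A comment next to the default should say so, e.g. `# 'latest' builds the unpinned upstream main branch; pin matrix_synapse_auto_compressor_version for reproducible self-builds`.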
@@ -36,8 +36,8 @@ - name: Ensure synapse-auto-compressor repository is present on self-build ansible.builtin.git: - repo: "{{ matrix_synapse_auto_compressor_container_repo }}" - version: "{{ matrix_synapse_auto_compressor_container_repo_version }}" + repo: "{{ matrix_synapse_auto_compressor_container_image_self_build_repo }}" + version: "{{ matrix_synapse_auto_compressor_container_image_self_build_version }}" dest: "{{ matrix_synapse_auto_compressor_container_src_files_path }}" force: "yes" become: true From d3a0ef22b61b97d9242efc9a2021296983fd47a6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 12 Mar 2023 10:55:08 +0200 Subject: [PATCH 592/915] Announce matrix-synapse-auto-compressor --- CHANGELOG.md | 16 ++++++++++++++++ docs/configuring-playbook.md | 2 ++ docs/maintenance-synapse.md | 4 +++- 3 files changed, 21 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7e9e2545b..9ba17ea35 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,19 @@ +# 2023-03-12 + +## synapse-auto-compressor support + +Thanks to [Aine](https://gitlab.com/etke.cc) of [etke.cc](https://etke.cc/), the playbook can now set up [rust-synapse-compress-state](https://github.com/matrix-org/rust-synapse-compress-state)'s `synapse_auto_compressor` tool to run periodically. + +If enabled, `synapse_auto_compressor` runs on a schedule and compresses your Synapse database's `state_groups` table. It was possible to run `rust-synapse-compress-state` manually via the playbook even before - see [Compressing state with rust-synapse-compress-state](docs/maintenance-synapse.md#compressing-state-with-rust-synapse-compress-state). However, using `synapse_auto_compressor` is better, because: + +- it runs on a more up-to-date version of `rust-synapse-compress-state` +- it's a set-it-and-forget-it tool that you can enable and never have to deal with manual compression anymore + +This tool needs to be enabled manually, for now. In the future, we're considering enabling it by default for all Synapse installations. + +See our [Setting up synapse-auto-compressor](docs/configuring-playbook-synapse-auto-compressor.md) documentation to get started. + + # 2023-03-07 ## Sliding Sync Proxy (Element X) support diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 68a2658a6..a65858f00 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -195,6 +195,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins ### Other specialized services +- [Setting up synapse-auto-compressor](configuring-playbook-synapse-auto-compressor.md) for compressing the database on Synapse homeservers (optional) + - [Setting up the Sliding Sync Proxy](configuring-playbook-sliding-sync-proxy.md) for clients which require Sliding Sync support (like Element X) (optional) - [Setting up the Sygnal push gateway](configuring-playbook-sygnal.md) (optional) 
diff --git a/docs/maintenance-synapse.md b/docs/maintenance-synapse.md index a51811ffa..7c3ecc1b3 100644 --- a/docs/maintenance-synapse.md +++ b/docs/maintenance-synapse.md @@ -29,7 +29,9 @@ After deleting data, you may wish to run a [`FULL` Postgres `VACUUM`](./maintena [rust-synapse-compress-state](https://github.com/matrix-org/rust-synapse-compress-state) can be used to optimize some `_state` tables used by Synapse. If your server participates in large rooms this is the most effective way to reduce the size of your database. -This tool should be safe to use (even when Synapse is running), but it's always a good idea to [make Postgres backups](./maintenance-postgres.md#backing-up-postgresql) first. +**Note**: besides running the `rust-synapse-compress-state` tool manually, you can also enable its `synapse-auto-compressor` tool by [Setting up synapse-auto-compressor](configuring-playbook-synapse-auto-compressor.md). The automatic tool will run on a schedule every day and you won't have to compress state manually ever again. + +`rust-synapse-compress-state` should be safe to use (even when Synapse is running), but it's always a good idea to [make Postgres backups](./maintenance-postgres.md#backing-up-postgresql) first. To ask the playbook to run rust-synapse-compress-state, execute: From cf7f9701b731640e3fde8e8d48914ecfbbf7e200 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 13 Mar 2023 11:59:14 +0200 Subject: [PATCH 593/915] urlencode matrix_synapse_auto_compressor_database_username/matrix_synapse_auto_compressor_database_password --- roles/custom/matrix-synapse-auto-compressor/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml b/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml index 48ed1b039..7b5ea54da 100644 --- a/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml +++ b/roles/custom/matrix-synapse-auto-compressor/defaults/main.yml 
@@ -42,7 +42,7 @@ matrix_synapse_auto_compressor_database_port: 5432 matrix_synapse_auto_compressor_database_name: 'synapse' # connection string to synapse database (postgres only) -matrix_synapse_auto_compressor_synapse_database: 'postgres://{{ matrix_synapse_auto_compressor_database_username }}:{{ matrix_synapse_auto_compressor_database_password }}@{{ matrix_synapse_auto_compressor_database_hostname }}:{{ matrix_synapse_auto_compressor_database_port }}/{{ matrix_synapse_auto_compressor_database_name }}' +matrix_synapse_auto_compressor_synapse_database: 'postgres://{{ matrix_synapse_auto_compressor_database_username | urlencode() }}:{{ matrix_synapse_auto_compressor_database_password | urlencode() }}@{{ matrix_synapse_auto_compressor_database_hostname }}:{{ matrix_synapse_auto_compressor_database_port }}/{{ matrix_synapse_auto_compressor_database_name }}' # systemd calendar configuration for the compressor job matrix_synapse_auto_compressor_calendar: "*-*-* 00:00:00" From 40f067148d50a4b6d3c7ac0b9a399892b901085d Mon Sep 17 00:00:00 2001 From: array-in-a-matrix Date: Mon, 13 Mar 2023 15:28:58 -0400 Subject: [PATCH 594/915] added dynamic thumbnails var --- roles/custom/matrix-dendrite/defaults/main.yml | 4 ++++ .../matrix-dendrite/templates/dendrite/dendrite.yaml.j2 | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml index 8c2dded48..715322603 100644 --- a/roles/custom/matrix-dendrite/defaults/main.yml +++ b/roles/custom/matrix-dendrite/defaults/main.yml 
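Review bot: `urlencode` on the username and password closes the `@`/`:` case, but as far as I recall Jinja's `urlencode` filter deliberately leaves `/` unescaped, so a password containing `/` still produces a connection string whose authority part is cut at that character and the compressor fails to connect. A belt-and-braces form is `{{ matrix_synapse_auto_compressor_database_password | urlencode | replace('/', '%2F') }}`, applied to the username as well; `matrix_synapse_auto_compressor_database_name` after the final `/` is still interpolated raw and would benefit from the same treatment. A short comment on the line, e.g. `# credentials are percent-encoded; Jinja's urlencode keeps '/', hence the extra replace`, would stop a later cleanup from dropping it.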
@@ -211,3 +211,7 @@ matrix_dendrite_userapi_auto_join_rooms: [] # statistics reporting configuration. These statistics contain the server # name, number of active users and some information on your deployment config. matrix_dendrite_report_stats: false + +# dynamically generate thumbnails for media content +matrix_dendrite_mediaapi_dynamic_thumbnails: false +matrix_dendrite_mediaapi_max_thumbnail_generators: 10 diff --git a/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 index 005f9bd64..e1d005b5c 100644 --- a/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 +++ b/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -293,10 +293,10 @@ media_api: max_file_size_bytes: {{ matrix_dendrite_max_file_size_bytes|to_json }} # Whether to dynamically generate thumbnails if needed. - dynamic_thumbnails: false + dynamic_thumbnails: {{ matrix_dendrite_mediaapi_dynamic_thumbnails }} # The maximum number of simultaneous thumbnail generators to run. - max_thumbnail_generators: 10 + max_thumbnail_generators: {{ matrix_dendrite_mediaapi_max_thumbnails_generators }} # A list of thumbnail sizes to be generated for media content. thumbnail_sizes: From 734848a27bf5c3e578387e060d733520047472ce Mon Sep 17 00:00:00 2001 From: array-in-a-matrix Date: Mon, 13 Mar 2023 15:54:07 -0400 Subject: [PATCH 595/915] added full text search for dendrite --- roles/custom/matrix-dendrite/defaults/main.yml | 3 +++ .../custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml index 8c2dded48..8688965d4 100644 --- a/roles/custom/matrix-dendrite/defaults/main.yml +++ b/roles/custom/matrix-dendrite/defaults/main.yml 
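Review bot: The template reads `matrix_dendrite_mediaapi_max_thumbnails_generators` (plural `thumbnails`) while the default defined in this patch is `matrix_dendrite_mediaapi_max_thumbnail_generators`, so rendering `dendrite.yaml` fails with an undefined-variable error as soon as the role runs; the line should be `max_thumbnail_generators: {{ matrix_dendrite_mediaapi_max_thumbnail_generators|to_json }}`. Both new interpolations also lack the `|to_json` the neighbouring `max_file_size_bytes` line uses, so a plain `{{ }}` renders the Ansible booleans as `True`/`False` rather than the lowercase `true`/`false` the rest of the file uses. The default comment `# dynamically generate thumbnails for media content` would be clearer as a description of both knobs, e.g. `# Controls whether thumbnails are generated on demand, and how many thumbnail generators may run at once`.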
@@ -211,3 +211,6 @@ matrix_dendrite_userapi_auto_join_rooms: [] # statistics reporting configuration. These statistics contain the server # name, number of active users and some information on your deployment config. matrix_dendrite_report_stats: false + +# Configuration for the full-text search engine. +matrix_dendrite_syncapi_search_enabled: false diff --git a/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 index 005f9bd64..1960e19b9 100644 --- a/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 +++ b/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -355,7 +355,7 @@ sync_api: # Configuration for the full-text search engine. search: # Whether or not search is enabled. - enabled: false + enabled: {{ matrix_dendrite_syncapi_search_enabled }} # The path where the search index will be created in. index_path: "/matrix-media-store-parent/searchindex" # The language most likely to be used on the server - used when indexing, to From d0aa5a1f6ac9fdafc8ef11ecd660c671f3b6f6dc Mon Sep 17 00:00:00 2001 From: Array in a Matrix Date: Mon, 13 Mar 2023 16:11:16 -0400 Subject: [PATCH 596/915] Update main.yml --- roles/custom/matrix-dendrite/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml index 8c2dded48..4b4b08c46 100644 --- a/roles/custom/matrix-dendrite/defaults/main.yml +++ b/roles/custom/matrix-dendrite/defaults/main.yml 
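Review bot: `enabled: {{ matrix_dendrite_syncapi_search_enabled }}` renders the Ansible boolean as `False`/`True`, unlike the `|to_json` used elsewhere in this template (e.g. `max_file_size_bytes`); `enabled: {{ matrix_dendrite_syncapi_search_enabled|to_json }}` keeps the output consistent YAML. The new default also deserves a more informative comment than `# Configuration for the full-text search engine.`: when this is on, Dendrite builds a search index under the `index_path` shown in the context lines (`/matrix-media-store-parent/searchindex`), which presumably means message text from unencrypted rooms is stored on disk in a second location that backups and retention decisions have to account for — confirm against Dendrite's documentation. Something like `# Controls whether Dendrite's server-side full-text search is enabled; the index is written to disk under the media store parent directory` would do.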
@@ -6,7 +6,7 @@ matrix_dendrite_enabled: true matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}" matrix_dendrite_docker_image_name_prefix: "docker.io/" -matrix_dendrite_docker_image_tag: "v0.11.1" +matrix_dendrite_docker_image_tag: "v0.12.0" matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite" From c93eb1dbf7333ae55cb216a1cd3f76f8dc37824f Mon Sep 17 00:00:00 2001 From: Array in a Matrix Date: Mon, 13 Mar 2023 16:19:49 -0400 Subject: [PATCH 597/915] Update dendrite.yaml.j2 --- .../matrix-dendrite/templates/dendrite/dendrite.yaml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 index e1d005b5c..7098a5a14 100644 --- a/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 +++ b/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -293,10 +293,10 @@ media_api: max_file_size_bytes: {{ matrix_dendrite_max_file_size_bytes|to_json }} # Whether to dynamically generate thumbnails if needed. - dynamic_thumbnails: {{ matrix_dendrite_mediaapi_dynamic_thumbnails }} + dynamic_thumbnails: {{ matrix_dendrite_mediaapi_dynamic_thumbnails|to_json }} # The maximum number of simultaneous thumbnail generators to run. - max_thumbnail_generators: {{ matrix_dendrite_mediaapi_max_thumbnails_generators }} + max_thumbnail_generators: {{ matrix_dendrite_mediaapi_max_thumbnails_generators|to_json }} # A list of thumbnail sizes to be generated for media content. thumbnail_sizes: From 4f0f6bd99570ad226946d02680084d31294b5ff8 Mon Sep 17 00:00:00 2001 
From: Array in a Matrix Date: Mon, 13 Mar 2023 16:21:18 -0400 Subject: [PATCH 598/915] Update dendrite.yaml.j2 --- .../custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 index 1960e19b9..8e91ae6c9 100644 --- a/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 +++ b/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -355,7 +355,7 @@ sync_api: # Configuration for the full-text search engine. search: # Whether or not search is enabled. - enabled: {{ matrix_dendrite_syncapi_search_enabled }} + enabled: {{ matrix_dendrite_syncapi_search_enabled|to_json }} # The path where the search index will be created in. index_path: "/matrix-media-store-parent/searchindex" # The language most likely to be used on the server - used when indexing, to From fd2f497ac072f2a1bed88b2073e5f660abcbc4dc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 14 Mar 2023 08:47:01 +0200 Subject: [PATCH 599/915] Fix variable names Related to: - https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2565 - https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2566 --- roles/custom/matrix-dendrite/defaults/main.yml | 6 +++--- .../matrix-dendrite/templates/dendrite/dendrite.yaml.j2 | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml index f95568d20..758a56e88 100644 --- a/roles/custom/matrix-dendrite/defaults/main.yml +++ b/roles/custom/matrix-dendrite/defaults/main.yml 
@@ -213,8 +213,8 @@ matrix_dendrite_userapi_auto_join_rooms: [] matrix_dendrite_report_stats: false # Contorls whether thumbnails for media content are generated dynamically -matrix_dendrite_mediaapi_dynamic_thumbnails: false -matrix_dendrite_mediaapi_max_thumbnail_generators: 10 +matrix_dendrite_media_api_dynamic_thumbnails: false +matrix_dendrite_media_api_max_thumbnail_generators: 10 # Controls whether the full-text search engine is enabled -matrix_dendrite_syncapi_search_enabled: false +matrix_dendrite_sync_api_search_enabled: false diff --git a/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 index dd92e7f55..1b31584de 100644 --- a/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 +++ b/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -293,10 +293,10 @@ media_api: max_file_size_bytes: {{ matrix_dendrite_max_file_size_bytes|to_json }} # Whether to dynamically generate thumbnails if needed. - dynamic_thumbnails: {{ matrix_dendrite_mediaapi_dynamic_thumbnails|to_json }} + dynamic_thumbnails: {{ matrix_dendrite_media_api_dynamic_thumbnails|to_json }} # The maximum number of simultaneous thumbnail generators to run. - max_thumbnail_generators: {{ matrix_dendrite_mediaapi_max_thumbnails_generators|to_json }} + max_thumbnail_generators: {{ matrix_dendrite_media_api_max_thumbnails_generators|to_json }} # A list of thumbnail sizes to be generated for media content. thumbnail_sizes: @@ -355,7 +355,7 @@ sync_api: # Configuration for the full-text search engine. search: # Whether or not search is enabled. - enabled: {{ matrix_dendrite_syncapi_search_enabled|to_json }} + enabled: {{ matrix_dendrite_sync_api_search_enabled|to_json }} # The path where the search index will be created in. index_path: "/matrix-media-store-parent/searchindex" # The language most likely to be used on the server - used when indexing, to 
From 4c1db32ef920f8fa154868cd424782c234622cf4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 14 Mar 2023 08:52:15 +0200 Subject: [PATCH 600/915] Rename some Dendrite variables to improve consistency --- group_vars/matrix_servers | 12 ++++++------ roles/custom/matrix-dendrite/defaults/main.yml | 14 +++++++------- .../matrix-dendrite/tasks/validate_config.yml | 7 +++++++ .../templates/dendrite/dendrite.yaml.j2 | 14 +++++++------- 4 files changed, 27 insertions(+), 20 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 60c8349e3..18ad756c4 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2718,15 +2718,15 @@ devture_postgres_managed_databases_auto: | }] if (matrix_synapse_enabled and matrix_synapse_database_host == devture_postgres_connection_hostname) else []) + ([{ - 'name': matrix_dendrite_federationapi_database, + 'name': matrix_dendrite_federation_api_database, 'username': matrix_dendrite_database_user, 'password': matrix_dendrite_database_password, },{ - 'name': matrix_dendrite_keyserver_database, + 'name': matrix_dendrite_key_server_database, 'username': matrix_dendrite_database_user, 'password': matrix_dendrite_database_password, },{ - 'name': matrix_dendrite_mediaapi_database, + 'name': matrix_dendrite_media_api_database, 'username': matrix_dendrite_database_user, 'password': matrix_dendrite_database_password, },{ 
@@ -2734,15 +2734,15 @@ devture_postgres_managed_databases_auto: | 'username': matrix_dendrite_database_user, 'password': matrix_dendrite_database_password, },{ - 'name': matrix_dendrite_syncapi_database, + 'name': matrix_dendrite_sync_api_database, 'username': matrix_dendrite_database_user, 'password': matrix_dendrite_database_password, },{ - 'name': matrix_dendrite_userapi_database, + 'name': matrix_dendrite_user_api_database, 'username': matrix_dendrite_database_user, 'password': matrix_dendrite_database_password, },{ - 'name': matrix_dendrite_pushserver_database, + 'name': matrix_dendrite_push_server_database, 'username': matrix_dendrite_database_user, 'password': matrix_dendrite_database_password, },{ diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml index 758a56e88..35793f496 100644 --- a/roles/custom/matrix-dendrite/defaults/main.yml +++ b/roles/custom/matrix-dendrite/defaults/main.yml 
@@ -150,13 +150,13 @@ matrix_dendrite_database_str: "postgresql://{{ matrix_dendrite_database_user }}: matrix_dendrite_database_hostname: '' matrix_dendrite_database_user: "dendrite" matrix_dendrite_database_password: "itsasecret" -matrix_dendrite_federationapi_database: "dendrite_federationapi" -matrix_dendrite_keyserver_database: "dendrite_keyserver" -matrix_dendrite_mediaapi_database: "dendrite_mediaapi" +matrix_dendrite_federation_api_database: "dendrite_federationapi" +matrix_dendrite_key_server_database: "dendrite_keyserver" +matrix_dendrite_media_api_database: "dendrite_mediaapi" matrix_dendrite_room_database: "dendrite_room" -matrix_dendrite_syncapi_database: "dendrite_syncapi" -matrix_dendrite_userapi_database: "dendrite_userapi" -matrix_dendrite_pushserver_database: "dendrite_pushserver" +matrix_dendrite_sync_api_database: "dendrite_syncapi" +matrix_dendrite_user_api_database: "dendrite_userapi" +matrix_dendrite_push_server_database: "dendrite_pushserver" matrix_dendrite_mscs_database: "dendrite_mscs" matrix_dendrite_client_api_turn_uris: [] @@ -206,7 +206,7 @@ matrix_dendrite_configuration_extension: "{{ matrix_dendrite_configuration_exten # You most likely don't need to touch this variable. Instead, see `matrix_dendrite_configuration_yaml`. matrix_dendrite_configuration: "{{ matrix_dendrite_configuration_yaml | from_yaml | combine(matrix_dendrite_configuration_extension, recursive=True) }}" -matrix_dendrite_userapi_auto_join_rooms: [] +matrix_dendrite_user_api_auto_join_rooms: [] # statistics reporting configuration. These statistics contain the server # name, number of active users and some information on your deployment config. diff --git a/roles/custom/matrix-dendrite/tasks/validate_config.yml b/roles/custom/matrix-dendrite/tasks/validate_config.yml index 53c17498c..1f1b3e411 100644 --- a/roles/custom/matrix-dendrite/tasks/validate_config.yml +++ b/roles/custom/matrix-dendrite/tasks/validate_config.yml 
@@ -27,3 +27,10 @@ - {'old': 'matrix_dendrite_rate_limiting_enabled', 'new': 'matrix_dendrite_client_api_rate_limiting_enabled'} - {'old': 'matrix_dendrite_rate_limiting_threshold', 'new': 'matrix_dendrite_client_api_rate_limiting_threshold'} - {'old': 'matrix_dendrite_rate_limiting_cooloff_ms', 'new': 'matrix_dendrite_client_api_rate_limiting_cooloff_ms'} + - {'old': 'matrix_dendrite_mediaapi_database', 'new': 'matrix_dendrite_media_api_database'} + - {'old': 'matrix_dendrite_syncapi_database', 'new': 'matrix_dendrite_sync_api_database'} + - {'old': 'matrix_dendrite_userapi_database', 'new': 'matrix_dendrite_user_api_database'} + - {'old': 'matrix_dendrite_userapi_auto_join_rooms', 'new': 'matrix_dendrite_user_api_auto_join_rooms'} + - {'old': 'matrix_dendrite_federationapi_database', 'new': 'matrix_dendrite_federation_api_database'} + - {'old': 'matrix_dendrite_pushserver_database', 'new': 'matrix_dendrite_push_server_database'} + - {'old': 'matrix_dendrite_keyserver_database', 'new': 'matrix_dendrite_key_server_database'} diff --git a/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 index 1b31584de..37d0064bc 100644 --- a/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 +++ b/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -223,7 +223,7 @@ federation_api: external_api: listen: http://0.0.0.0:8072 database: - connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_federationapi_database }}?sslmode=disable + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_federation_api_database }}?sslmode=disable max_open_conns: 10 max_idle_conns: 2 conn_max_lifetime: -1 
@@ -266,7 +266,7 @@ key_server: listen: http://0.0.0.0:7779 connect: http://key_server:7779 database: - connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_keyserver_database }}?sslmode=disable + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_key_server_database }}?sslmode=disable max_open_conns: 10 max_idle_conns: 2 conn_max_lifetime: -1 @@ -279,7 +279,7 @@ media_api: external_api: listen: http://0.0.0.0:8074 database: - connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_mediaapi_database }}?sslmode=disable + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_media_api_database }}?sslmode=disable max_open_conns: 10 max_idle_conns: 2 conn_max_lifetime: -1 @@ -342,7 +342,7 @@ sync_api: external_api: listen: http://0.0.0.0:8073 database: - connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_syncapi_database }}?sslmode=disable + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_sync_api_database }}?sslmode=disable max_open_conns: 10 max_idle_conns: 2 conn_max_lifetime: -1 @@ -376,7 +376,7 @@ user_api: listen: http://0.0.0.0:7781 connect: http://user_api:7781 account_database: - connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_userapi_database }}?sslmode=disable + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_user_api_database }}?sslmode=disable max_open_conns: 10 max_idle_conns: 2 conn_max_lifetime: -1 @@ -385,7 +385,7 @@ user_api: # is considered to be valid in milliseconds. # The default lifetime is 3600000ms (60 minutes). # openid_token_lifetime_ms: 3600000 - auto_join_rooms: {{ matrix_dendrite_userapi_auto_join_rooms | to_json }} + auto_join_rooms: {{ matrix_dendrite_user_api_auto_join_rooms | to_json }} # Not in dendrite-config.yaml, but is in build/docker/config/dendrite.yaml # Configuration for the Push Server API. 
@@ -394,7 +394,7 @@ push_server: listen: http://localhost:7782 connect: http://localhost:7782 database: - connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_pushserver_database }}?sslmode=disable + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_push_server_database }}?sslmode=disable max_open_conns: 10 max_idle_conns: 2 conn_max_lifetime: -1 From 5cd3a6188e7c01630c17f121a611a992a9c3bb74 Mon Sep 17 00:00:00 2001 From: Catalan Lover <48515417+FSG-Cat@users.noreply.github.com> Date: Tue, 14 Mar 2023 17:39:41 +0100 Subject: [PATCH 601/915] Upgrade Synapse from 1.78.0 to 1.79.0 --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 41ad0bc4a..a5c7106ff 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -4,7 +4,7 @@ matrix_synapse_enabled: true -matrix_synapse_version: v1.78.0 +matrix_synapse_version: v1.79.0 matrix_synapse_username: '' matrix_synapse_uid: '' From fab6c03609751919af9467b935c115a7cabd7ebc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 14 Mar 2023 19:20:46 +0200 Subject: [PATCH 602/915] Allow some new endpoints to work on workers Related to: - https://github.com/matrix-org/synapse/commit/682d31c7023b6b7299e74bc631e4d2acc60f91ac - https://github.com/matrix-org/synapse/commit/ecbe0ddbe7c47e05bc27b39dc10a9c30eafd2960 - https://github.com/matrix-org/synapse/commit/f4fc83ac755b8b06ecab1a31592308b03f8d2a5e .. and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2569 --- roles/custom/matrix-synapse/vars/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/custom/matrix-synapse/vars/main.yml b/roles/custom/matrix-synapse/vars/main.yml index 46277c872..faaf6ed6b 100644 --- a/roles/custom/matrix-synapse/vars/main.yml 
+++ b/roles/custom/matrix-synapse/vars/main.yml @@ -163,7 +163,9 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/ - ^/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$ - ^/_matrix/client/v1/rooms/.*/timestamp_to_event$ + - ^/_matrix/client/(api/v1|r0|v3|unstable/.*)/rooms/.*/aliases - ^/_matrix/client/(api/v1|r0|v3|unstable)/search$ + - ^/_matrix/client/(r0|v3|unstable)/user/.*/filter(/|$) # Encryption requests # Note that ^/_matrix/client/(r0|v3|unstable)/keys/upload/ requires `worker_main_http_uri` @@ -184,6 +186,7 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/ - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$ - ^/_matrix/client/(api/v1|r0|v3|unstable)/join/ + - ^/_matrix/client/(api/v1|r0|v3|unstable)/knock/ - ^/_matrix/client/(api/v1|r0|v3|unstable)/profile/ # Start of intentionally-ignored-endpoints From a63860ac750e8aa87e12b06527dabdaa9bb436b7 Mon Sep 17 00:00:00 2001 From: Array in a Matrix Date: Tue, 14 Mar 2023 14:10:16 -0400 Subject: [PATCH 603/915] fix typo --- .../custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 index 37d0064bc..89821de1a 100644 --- a/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 +++ b/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 
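Review bot: The new aliases pattern `^/_matrix/client/(api/v1|r0|v3|unstable/.*)/rooms/.*/aliases` differs in shape from its siblings — the `unstable/.*` alternative and the missing trailing `$` also make it match `/unstable/<anything>/rooms/<id>/aliases<suffix>` — which I believe mirrors the upstream Synapse worker documentation for 1.79 verbatim, but a later tidy-up could easily "normalise" it to the narrower form. A one-line comment citing the source, e.g. `# copied from Synapse's workers.md (1.79); the broad unstable/.* form is intentional`, would protect it. This list selects what is routed to generic workers; if the playbook's reverse-proxy location rules are generated from the same list nothing else is needed, otherwise the three new entries (`aliases`, `filter`, `knock`) need matching proxy rules — I cannot tell from this hunk.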
@@ -296,7 +296,7 @@ media_api: dynamic_thumbnails: {{ matrix_dendrite_media_api_dynamic_thumbnails|to_json }} # The maximum number of simultaneous thumbnail generators to run. - max_thumbnail_generators: {{ matrix_dendrite_media_api_max_thumbnails_generators|to_json }} + max_thumbnail_generators: {{ matrix_dendrite_media_api_max_thumbnail_generators|to_json }} # A list of thumbnail sizes to be generated for media content. thumbnail_sizes: From 99cc5e4b2f7ba38c22e50a3e8c8be0b1f3164b44 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 15 Mar 2023 14:14:02 +0200 Subject: [PATCH 604/915] Fix file name typo --- docs/installing.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/installing.md b/docs/installing.md index fccc1caf3..c85ce1e63 100644 --- a/docs/installing.md +++ b/docs/installing.md 
@@ -17,7 +17,7 @@ Here are some playbook tags that you should be familiar with: - `install-all` - like `setup-all`, but skips uninstallation tasks. Useful for maintaining your setup quickly when its components remain unchanged. If you adjust your `vars.yml` to remove components, you'd need to run `setup-all` though, or these components will still remain installed -- `setup-SERVICE` (e.g. `setup-bot-postmoogle`) - runs the setup tasks only for a given role, but does not start/restart services. You can discover these additional tags in each role (`roles/*/main.yml`). Running per-component setup tasks is **not recommended**, as components sometimes depend on each other and running just the setup tasks for a given component may not be enough. For example, setting up the [mautrix-telegram bridge](configuring-playbook-bridge-mautrix-telegram.md), in addition to the `setup-mautrix-telegram` tag, requires database changes (the `setup-postgres` tag) as well as reverse-proxy changes (the `setup-nginx-proxy` tag). +- `setup-SERVICE` (e.g. `setup-bot-postmoogle`) - runs the setup tasks only for a given role, but does not start/restart services. You can discover these additional tags in each role (`roles/**/tasks/main.yml`). Running per-component setup tasks is **not recommended**, as components sometimes depend on each other and running just the setup tasks for a given component may not be enough. For example, setting up the [mautrix-telegram bridge](configuring-playbook-bridge-mautrix-telegram.md), in addition to the `setup-mautrix-telegram` tag, requires database changes (the `setup-postgres` tag) as well as reverse-proxy changes (the `setup-nginx-proxy` tag). - `install-SERVICE` (e.g. `install-bot-postmoogle`) - like `setup-SERVICE`, but skips uninstallation tasks. See `install-all` above for additional information. From eaa3be282558e958e01a67bba7b85b522d6263f6 Mon Sep 17 00:00:00 2001 
From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 15 Mar 2023 20:07:51 +0000 Subject: [PATCH 605/915] Update element 1.11.24 -> 1.11.25 --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 8e24ca664..972072850 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml @@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.11.24 +matrix_client_element_version: v1.11.25 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 9afc46de72113d5d44b6057b502978b60bd15d72 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 16 Mar 2023 10:06:52 +0200 Subject: [PATCH 606/915] Update matrix_bot_chatgpt_matrix_blacklist/matrix_bot_chatgpt_matrix_whitelist comment --- roles/custom/matrix-bot-chatgpt/defaults/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/custom/matrix-bot-chatgpt/defaults/main.yml b/roles/custom/matrix-bot-chatgpt/defaults/main.yml index 13b25a00b..49947e172 100644 --- a/roles/custom/matrix-bot-chatgpt/defaults/main.yml +++ b/roles/custom/matrix-bot-chatgpt/defaults/main.yml 
@@ -54,6 +54,9 @@ matrix_bot_chatgpt_matrix_default_prefix: "!chatgpt " # MATRIX_DEFAULT_PREFIX= matrix_bot_chatgpt_matrix_default_prefix_reply: false # MATRIX_DEFAULT_PREFIX_REPLY= # Matrix Access Control (optional) +# +# Lists of space-separated entries. Example: +# matrix_bot_chatgpt_matrix_whitelist: ":{{ matrix_domain }} :second-domain.com :third-domain.com" matrix_bot_chatgpt_matrix_blacklist: '' matrix_bot_chatgpt_matrix_whitelist: ':{{ matrix_domain }}' From a55c6b1b5a573fd67ad5ad77a5458c12c3739968 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 16 Mar 2023 10:07:26 +0200 Subject: [PATCH 607/915] Remove non-functional variable matrix_bot_chatgpt_loglevel It wasn't used at all. It doesn't seem like there's a way to control the log level, judging by: - https://github.com/matrixgpt/matrix-chatgpt-bot/blob/8f9eea4114e74597dd7cfcc9454bf327ec32c2a3/.env.example - https://github.com/matrixgpt/matrix-chatgpt-bot/blob/8f9eea4114e74597dd7cfcc9454bf327ec32c2a3/src/env.ts --- roles/custom/matrix-bot-chatgpt/defaults/main.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/roles/custom/matrix-bot-chatgpt/defaults/main.yml b/roles/custom/matrix-bot-chatgpt/defaults/main.yml index 49947e172..f34eb1e1c 100644 --- a/roles/custom/matrix-bot-chatgpt/defaults/main.yml +++ b/roles/custom/matrix-bot-chatgpt/defaults/main.yml @@ -76,9 +76,6 @@ matrix_bot_chatgpt_matrix_rich_text: true # MATRIX_RICH_TEXT=true # - @*:another.com # matrix_bot_chatgpt_admins: "{{ [matrix_admin] if matrix_admin else [] }}" -# Log level -# matrix_bot_chatgpt_loglevel: 'INFO' - # Additional environment variables to pass to the chatgpt container # # Example: From 636142c4e0aae733373170087e6bf4681b03c09d Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Thu, 16 Mar 2023 10:19:23 +0200 Subject: [PATCH 608/915] matrix-bot-chatgpt role refactoring --- .../matrix-bot-chatgpt/defaults/main.yml | 20 +++--- .../matrix-bot-chatgpt/tasks/install.yml | 63 +++++++++++++++++++ .../custom/matrix-bot-chatgpt/tasks/main.yml | 4 +- .../tasks/setup_install.yml | 63 ------------------- .../{setup_uninstall.yml => uninstall.yml} | 0 .../tasks/validate_config.yml | 15 ++++- .../systemd/matrix-bot-chatgpt.service.j2 | 6 +- 7 files changed, 96 insertions(+), 75 deletions(-) create mode 100644 roles/custom/matrix-bot-chatgpt/tasks/install.yml delete mode 100644 roles/custom/matrix-bot-chatgpt/tasks/setup_install.yml rename roles/custom/matrix-bot-chatgpt/tasks/{setup_uninstall.yml => uninstall.yml} (100%) diff --git a/roles/custom/matrix-bot-chatgpt/defaults/main.yml b/roles/custom/matrix-bot-chatgpt/defaults/main.yml index f34eb1e1c..16ad8588a 100644 --- a/roles/custom/matrix-bot-chatgpt/defaults/main.yml +++ b/roles/custom/matrix-bot-chatgpt/defaults/main.yml 
@@ -4,19 +4,22 @@ matrix_bot_chatgpt_enabled: true +matrix_bot_chatgpt_version: 3.0.0 + matrix_bot_chatgpt_container_image_self_build: false -matrix_bot_chatgpt_docker_repo: "https://github.com/matrixgpt/matrix-chatgpt-bot" -matrix_bot_chatgpt_docker_repo_version: "{{ 'latest' if matrix_bot_chatgpt_version == 'latest' else matrix_bot_chatgpt_version }}" -matrix_bot_chatgpt_docker_src_files_path: "{{ matrix_base_data_path }}/chatgpt/docker-src" +matrix_bot_chatgpt_container_image_self_build_repo: "https://github.com/matrixgpt/matrix-chatgpt-bot" +matrix_bot_chatgpt_container_image_self_build_repo_version: "{{ 'main' if matrix_bot_chatgpt_version == 'latest' else matrix_bot_chatgpt_version }}" -matrix_bot_chatgpt_version: 3.0.0 -matrix_bot_chatgpt_docker_image: "{{ matrix_bot_chatgpt_docker_image_name_prefix }}matrixgpt/matrix-chatgpt-bot:{{ matrix_bot_chatgpt_version }}" -matrix_bot_chatgpt_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_chatgpt_container_image_self_build else 'ghcr.io/' }}" -matrix_bot_chatgpt_docker_image_force_pull: "{{ matrix_bot_chatgpt_docker_image.endswith(':latest') }}" +matrix_bot_chatgpt_container_image: "{{ matrix_bot_chatgpt_container_image_name_prefix }}matrixgpt/matrix-chatgpt-bot:{{ matrix_bot_chatgpt_container_image_tag }}" +matrix_bot_chatgpt_container_image_name_prefix: "{{ 'localhost/' if matrix_bot_chatgpt_container_image_self_build else matrix_bot_chatgpt_container_image_registry_prefix }}" +matrix_bot_chatgpt_container_image_tag: "{{ matrix_bot_chatgpt_version }}" +matrix_bot_chatgpt_container_image_force_pull: "{{ matrix_bot_chatgpt_container_image.endswith(':latest') }}" +matrix_bot_chatgpt_container_image_registry_prefix: ghcr.io/ matrix_bot_chatgpt_base_path: "{{ matrix_base_data_path }}/chatgpt" matrix_bot_chatgpt_config_path: "{{ matrix_bot_chatgpt_base_path }}/config" matrix_bot_chatgpt_data_path: "{{ matrix_bot_chatgpt_base_path }}/data" +matrix_bot_chatgpt_container_src_path: "{{ matrix_bot_chatgpt_base_path 
}}/container-src" # A list of extra arguments to pass to the container matrix_bot_chatgpt_container_extra_arguments: [] @@ -78,6 +81,9 @@ matrix_bot_chatgpt_matrix_rich_text: true # MATRIX_RICH_TEXT=true # Additional environment variables to pass to the chatgpt container # +# You can discover additional environment variables from: +# https://github.com/matrixgpt/matrix-chatgpt-bot/blob/main/src/env.ts +# # Example: # matrix_bot_chatgpt_environment_variables_extension: | # chatgpt_TEXT_DONE=Done diff --git a/roles/custom/matrix-bot-chatgpt/tasks/install.yml b/roles/custom/matrix-bot-chatgpt/tasks/install.yml new file mode 100644 index 000000000..ef31df066 --- /dev/null +++ b/roles/custom/matrix-bot-chatgpt/tasks/install.yml 
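Review bot: `matrix_bot_chatgpt_container_image_self_build_repo_version` hands `matrix_bot_chatgpt_version` (here `3.0.0`) straight to the git checkout whenever it is not `latest`, so self-building only succeeds if upstream tags releases without a `v` prefix; that cannot be verified from this hunk. When the version is `latest` the checkout follows the moving `main` branch, so a self-built image is not pinned to a reviewed revision; a short comment above the variable, such as `# Git ref used on self-build; 'latest' tracks the unpinned main branch`, would make that trade-off visible to operators. `matrix_bot_chatgpt_container_image_registry_prefix` is also defined after its first use in `..._name_prefix`, which Ansible's lazy templating tolerates, but placing it above keeps the image variables in dependency order like the rest of the group.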
@@ -0,0 +1,63 @@ +--- + +- name: Ensure chatgpt paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {path: "{{ matrix_bot_chatgpt_config_path }}", when: true} + - {path: "{{ matrix_bot_chatgpt_data_path }}", when: true} + - {path: "{{ matrix_bot_chatgpt_container_src_path }}", when: matrix_bot_chatgpt_container_image_self_build} + when: "item.when | bool" + +- name: Ensure chatgpt environment variables file created + ansible.builtin.template: + src: "{{ role_path }}/templates/env.j2" + dest: "{{ matrix_bot_chatgpt_config_path }}/env" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + mode: 0640 + +- name: Ensure chatgpt container image is pulled + community.docker.docker_image: + name: "{{ matrix_bot_chatgpt_container_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_bot_chatgpt_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_chatgpt_container_image_force_pull }}" + when: "not matrix_bot_chatgpt_container_image_self_build | bool" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- when: matrix_bot_chatgpt_container_image_self_build | bool + block: + - name: Ensure chatgpt repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_bot_chatgpt_container_image_self_build_repo }}" + version: "{{ matrix_bot_chatgpt_container_image_self_build_repo_version }}" + dest: "{{ matrix_bot_chatgpt_container_src_path }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_bot_chatgpt_git_pull_results + + - 
name: Ensure chatgpt container image is built + community.docker.docker_image: + name: "{{ matrix_bot_chatgpt_container_image }}" + source: build + force_source: "{{ matrix_bot_chatgpt_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_bot_chatgpt_container_src_path }}" + pull: true + +- name: Ensure matrix-bot-chatgpt.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-bot-chatgpt.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-chatgpt.service" + mode: 0644 diff --git a/roles/custom/matrix-bot-chatgpt/tasks/main.yml b/roles/custom/matrix-bot-chatgpt/tasks/main.yml index 1086a62dd..3f5a7b7ec 100644 --- a/roles/custom/matrix-bot-chatgpt/tasks/main.yml +++ b/roles/custom/matrix-bot-chatgpt/tasks/main.yml @@ -11,11 +11,11 @@ ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_bot_chatgpt_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" - tags: - setup-all - setup-bot-chatgpt block: - when: not matrix_bot_chatgpt_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" diff --git a/roles/custom/matrix-bot-chatgpt/tasks/setup_install.yml b/roles/custom/matrix-bot-chatgpt/tasks/setup_install.yml deleted file mode 100644 index 5ae5ea953..000000000 --- a/roles/custom/matrix-bot-chatgpt/tasks/setup_install.yml +++ /dev/null 
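Review bot: In the `Ensure chatgpt container image is built` task, the legacy `force:` branch reads `matrix_mailer_git_pull_results.changed` instead of the `matrix_bot_chatgpt_git_pull_results` registered by the clone task just above it; on an Ansible version old enough to take that branch (minor < 8) the play would fail with an undefined variable rather than rebuild. The same copy-paste slip is visible in the removed `setup_install.yml`, so the move carried it over unchanged. The fix is one line: `force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_chatgpt_git_pull_results.changed }}"`. Separately, the env file written to `{{ matrix_bot_chatgpt_config_path }}/env` with `mode: 0640` presumably carries the OpenAI API key and the bot's Matrix credentials, so the restrictive mode and the `0750` directories are the right choice and should be kept if the task is touched again.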
@@ -1,63 +0,0 @@ ---- -- name: Ensure chatgpt paths exist - ansible.builtin.file: - path: "{{ item.path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - {path: "{{ matrix_bot_chatgpt_config_path }}", when: true} - - {path: "{{ matrix_bot_chatgpt_data_path }}", when: true} - - {path: "{{ matrix_bot_chatgpt_docker_src_files_path }}", when: matrix_bot_chatgpt_container_image_self_build} - when: "item.when | bool" - -- name: Ensure chatgpt environment variables file created - ansible.builtin.template: - src: "{{ role_path }}/templates/env.j2" - dest: "{{ matrix_bot_chatgpt_config_path }}/env" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - mode: 0640 - -- name: Ensure chatgpt image is pulled - community.docker.docker_image: - name: "{{ matrix_bot_chatgpt_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_bot_chatgpt_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_chatgpt_docker_image_force_pull }}" - when: "not matrix_bot_chatgpt_container_image_self_build | bool" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure chatgpt repository is present on self-build - ansible.builtin.git: - repo: "{{ matrix_bot_chatgpt_docker_repo }}" - version: "{{ matrix_bot_chatgpt_docker_repo_version }}" - dest: "{{ matrix_bot_chatgpt_docker_src_files_path }}" - force: "yes" - become: true - become_user: "{{ matrix_user_username }}" - register: matrix_bot_chatgpt_git_pull_results - when: "matrix_bot_chatgpt_container_image_self_build | bool" - -- name: Ensure chatgpt image is built - community.docker.docker_image: 
- name: "{{ matrix_bot_chatgpt_docker_image }}" - source: build - force_source: "{{ matrix_bot_chatgpt_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" - build: - dockerfile: Dockerfile - path: "{{ matrix_bot_chatgpt_docker_src_files_path }}" - pull: true - when: "matrix_bot_chatgpt_container_image_self_build | bool" - -- name: Ensure matrix-bot-chatgpt.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-bot-chatgpt.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-chatgpt.service" - mode: 0644 - register: matrix_bot_chatgpt_systemd_service_result diff --git a/roles/custom/matrix-bot-chatgpt/tasks/setup_uninstall.yml b/roles/custom/matrix-bot-chatgpt/tasks/uninstall.yml similarity index 100% rename from roles/custom/matrix-bot-chatgpt/tasks/setup_uninstall.yml rename to roles/custom/matrix-bot-chatgpt/tasks/uninstall.yml diff --git a/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml b/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml index ecc2b8d22..c6771823e 100644 --- a/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml +++ b/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml @@ -9,7 +9,6 @@ - {'name': 'matrix_bot_chatgpt_openai_api_key', when: true} - {'name': 'matrix_bot_chatgpt_matrix_bot_username', when: true} - - name: Fail if OpenAI configuration not up-to-date. ansible.builtin.fail: msg: >- 
@@ -20,3 +19,17 @@ - {'name': 'matrix_bot_chatgpt_openai_email'} - {'name': 'matrix_bot_chatgpt_openai_password'} - {'name': 'matrix_bot_chatgpt_openai_login_type'} + +- name: (Deprecation) Catch and report renamed ChatGPT settings + ansible.builtin.fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_bot_chatgpt_docker_image', 'new': 'matrix_bot_chatgpt_container_image'} + - {'old': 'matrix_bot_chatgpt_docker_image_name_prefix', 'new': 'matrix_bot_chatgpt_container_image_name_prefix'} + - {'old': 'matrix_bot_chatgpt_docker_image_force_pull', 'new': 'matrix_bot_chatgpt_container_image_force_pull'} + - {'old': 'matrix_bot_chatgpt_docker_repo', 'new': 'matrix_bot_chatgpt_container_image_self_build_repo'} + - {'old': 'matrix_bot_chatgpt_docker_repo_version', 'new': 'matrix_bot_chatgpt_container_image_self_build_repo_version'} + - {'old': 'matrix_bot_chatgpt_docker_src_files_path', 'new': 'matrix_bot_chatgpt_container_src_path'} diff --git a/roles/custom/matrix-bot-chatgpt/templates/systemd/matrix-bot-chatgpt.service.j2 b/roles/custom/matrix-bot-chatgpt/templates/systemd/matrix-bot-chatgpt.service.j2 index 8e4a50202..c8fa06c19 100644 --- a/roles/custom/matrix-bot-chatgpt/templates/systemd/matrix-bot-chatgpt.service.j2 +++ b/roles/custom/matrix-bot-chatgpt/templates/systemd/matrix-bot-chatgpt.service.j2 
@@ -16,7 +16,9 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-chatgpt 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-chatgpt 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-bot-chatgpt \ +ExecStart={{ devture_systemd_docker_base_host_command_docker }} run \ + --rm \ + --name=matrix-bot-chatgpt \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -29,7 +31,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {% for arg in matrix_bot_chatgpt_container_extra_arguments %} {{ arg }} \ {% endfor %} - {{ matrix_bot_chatgpt_docker_image }} + {{ matrix_bot_chatgpt_container_image }} ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-chatgpt 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-chatgpt 2>/dev/null || true' From 2b49ae79ca22f9ef434eb8ca4b7d229ba72a5958 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 16 Mar 2023 11:23:22 +0200 Subject: [PATCH 609/915] Use just for Postgres maintenance command examples --- docs/importing-postgres.md | 14 +++++++------- docs/maintenance-postgres.md | 6 ++++-- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/docs/importing-postgres.md b/docs/importing-postgres.md index a44afdcfb..150164e71 100644 --- a/docs/importing-postgres.md +++ b/docs/importing-postgres.md 
@@ -20,18 +20,18 @@ Before doing the actual import, **you need to upload your Postgres dump file to ## Importing -To import, run this command (make sure to replace `` with a file path on your server): +To import, run this command (make sure to replace `SERVER_PATH_TO_POSTGRES_DUMP_FILE` with a file path on your server): ```sh -ansible-playbook -i inventory/hosts setup.yml \ ---extra-vars='server_path_postgres_dump= postgres_default_import_database=matrix' \ ---tags=import-postgres +just run-tags import-postgres \ +--extra-vars=server_path_postgres_dump=SERVER_PATH_TO_POSTGRES_DUMP_FILE \ +--extra-vars=postgres_default_import_database=main ``` **Notes**: -- `` must be a file path to a Postgres dump file on the server (not on your local machine!) -- `postgres_default_import_database` defaults to `matrix`, which is useful for importing multiple databases (for dumps made with `pg_dumpall`). If you're importing a single database (e.g. `synapse`), consider changing `postgres_default_import_database` accordingly +- `SERVER_PATH_TO_POSTGRES_DUMP_FILE` must be a file path to a Postgres dump file on the server (not on your local machine!) +- `postgres_default_import_database` defaults to `main`, which is useful for importing multiple databases (for dumps made with `pg_dumpall`). If you're importing a single database (e.g. `synapse`), consider changing `postgres_default_import_database` accordingly ## Troubleshooting @@ -86,7 +86,7 @@ In this case you can use the command suggested in the import task to clear the d # systemctl start matrix-postgres ``` -Now on your local machine run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-postgres` to prepare the database roles etc. +Now on your local machine run `just run-tags setup-postgres` to prepare the database roles etc. If not, you probably get this error. `synapse` is the correct table owner, but the role is missing in database. ``` 
diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md index f2ca907da..cc8898a2a 100644 --- a/docs/maintenance-postgres.md +++ b/docs/maintenance-postgres.md @@ -41,7 +41,7 @@ To perform a `FULL` Postgres [VACUUM](https://www.postgresql.org/docs/current/sq Example: ```bash -ansible-playbook -i inventory/hosts setup.yml --tags=run-postgres-vacuum,start +just run-tags run-postgres-vacuum,start ``` **Note**: this will automatically stop Synapse temporarily and restart it later. You'll also need plenty of available disk space in your Postgres data directory (usually `/matrix/postgres/data`). @@ -78,7 +78,9 @@ Upgrades must be performed manually. This playbook can upgrade your existing Postgres setup with the following command: - ansible-playbook -i inventory/hosts setup.yml --tags=upgrade-postgres +```sh +just run-tags upgrade-postgres +``` **Warning: If you're using Borg Backup keep in mind that there is no official Postgres 15 support yet.** From d6975e4ab8e3fd63cf325caae4b7fcd8f7e307f8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 16 Mar 2023 14:57:40 +0200 Subject: [PATCH 610/915] Upgrade com.devture.ansible.role.postgres --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index e841cb4ed..6690f7c0b 100644 --- a/requirements.yml +++ b/requirements.yml @@ -19,7 +19,7 @@ version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16 - src: git+https://github.com/devture/com.devture.ansible.role.postgres.git - version: a1bb78d194434b38005f3a9e623bfa4b2c06c7bc + version: 38764398bf82b06a1736c3bfedc71dfd229e4b52 - src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git version: 8e9ec48a09284c84704d7a2dce17da35f181574d From ee4bac1988e2ae29e9e89fbc907bfaaca7062df7 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Thu, 16 Mar 2023 18:29:11 +0200 Subject: [PATCH 611/915] Upgrade matrix-corporal (2.5.1 -> 2.5.2) --- roles/custom/matrix-corporal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-corporal/defaults/main.yml b/roles/custom/matrix-corporal/defaults/main.yml index 9f6da78ae..2b703bdd7 100644 --- a/roles/custom/matrix-corporal/defaults/main.yml +++ b/roles/custom/matrix-corporal/defaults/main.yml @@ -23,7 +23,7 @@ matrix_corporal_container_extra_arguments: [] # List of systemd services that matrix-corporal.service depends on matrix_corporal_systemd_required_services_list: ['docker.service'] -matrix_corporal_version: 2.5.1 +matrix_corporal_version: 2.5.2 matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}" matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_corporal_docker_image_tag: "{{ matrix_corporal_version }}" # for backward-compatibility From ff6e7f0ac5063aa9e67ccab53ef79a9b66e5702e Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Thu, 16 Mar 2023 21:03:55 +0000 Subject: [PATCH 612/915] Update borgmatic 1.7.8 -> 1.7.9 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 6690f7c0b..77f8186bb 100644 --- a/requirements.yml +++ b/requirements.yml @@ -37,7 +37,7 @@ version: v0.11.1-2 - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git - version: v1.2.3-1.7.8-0 + version: v1.2.3-1.7.9-0 - src: git+https://gitlab.com/etke.cc/roles/grafana.git version: v9.4.3-0 From 56b0706863f7c1f2851c1dd08faf3b4fa3128eda Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Fri, 17 Mar 2023 08:27:25 +0200 Subject: [PATCH 613/915] Fix default database name For backward-compatibility reasons, this playbook uses `matrix` as its main and default database. --- docs/importing-postgres.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/importing-postgres.md b/docs/importing-postgres.md index 150164e71..3c6935780 100644 --- a/docs/importing-postgres.md +++ b/docs/importing-postgres.md @@ -25,13 +25,13 @@ To import, run this command (make sure to replace `SERVER_PATH_TO_POSTGRES_DUMP_ ```sh just run-tags import-postgres \ --extra-vars=server_path_postgres_dump=SERVER_PATH_TO_POSTGRES_DUMP_FILE \ ---extra-vars=postgres_default_import_database=main +--extra-vars=postgres_default_import_database=matrix ``` **Notes**: - `SERVER_PATH_TO_POSTGRES_DUMP_FILE` must be a file path to a Postgres dump file on the server (not on your local machine!) -- `postgres_default_import_database` defaults to `main`, which is useful for importing multiple databases (for dumps made with `pg_dumpall`). If you're importing a single database (e.g. `synapse`), consider changing `postgres_default_import_database` accordingly +- `postgres_default_import_database` defaults to `matrix`, which is useful for importing multiple databases (for dumps made with `pg_dumpall`). If you're importing a single database (e.g. `synapse`), consider changing `postgres_default_import_database` accordingly ## Troubleshooting From 281bad125d7705bda60e6e98de5520daf53ee9cd Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 17 Mar 2023 20:01:57 +0000 Subject: [PATCH 614/915] Update mautrix-discord 0.1.1 -> 0.2.0 --- roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml index 036b4060e..1bbcb02b4 100644 
--- a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mautrix_discord_container_image_self_build: false matrix_mautrix_discord_container_image_self_build_repo: "https://mau.dev/mautrix/discord.git" matrix_mautrix_discord_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_discord_version == 'latest' else matrix_mautrix_discord_version }}" -matrix_mautrix_discord_version: v0.1.1 +matrix_mautrix_discord_version: v0.2.0 # See: https://mau.dev/mautrix/discord/container_registry matrix_mautrix_discord_docker_image: "{{ matrix_mautrix_discord_docker_image_name_prefix }}mautrix/discord:{{ matrix_mautrix_discord_version }}" matrix_mautrix_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_discord_container_image_self_build else 'dock.mau.dev/' }}" From e6552a9c3b537f1ca3aad03e8d02e0a447208c28 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 17 Mar 2023 20:03:17 +0000 Subject: [PATCH 615/915] Update mautrix-whatsapp 0.8.2 -> 0.8.3 --- roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 04c242951..ac5796ba6 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml 
@@ -8,7 +8,7 @@ matrix_mautrix_whatsapp_container_image_self_build: false matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautrix/whatsapp.git" matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}" -matrix_mautrix_whatsapp_version: v0.8.2 +matrix_mautrix_whatsapp_version: v0.8.3 # See: https://mau.dev/mautrix/whatsapp/container_registry matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_name_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}" matrix_mautrix_whatsapp_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_whatsapp_container_image_self_build else 'dock.mau.dev/' }}" From 7ef804f62f107f420e853ecc9ebe416264521d17 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 17 Mar 2023 20:05:38 +0000 Subject: [PATCH 616/915] Update hookshot 2.7.0 -> 3.0.0 Warning! Potentially breaking change: https://github.com/matrix-org/matrix-hookshot/releases/tag/3.0.0 --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 3b65b92a6..db71da794 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml 
@@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git" matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}" -matrix_hookshot_version: 2.7.0 +matrix_hookshot_version: 3.0.0 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}" matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}" From f1c0321a8ce94f5e86c8b3fc0aecc9c4dac03f9a Mon Sep 17 00:00:00 2001 From: array-in-a-matrix Date: Sat, 18 Mar 2023 03:22:30 -0400 Subject: [PATCH 617/915] add relay api database for dendrite --- group_vars/matrix_servers | 4 ++++ roles/custom/matrix-dendrite/defaults/main.yml | 1 + roles/custom/matrix-dendrite/tasks/validate_config.yml | 1 + .../matrix-dendrite/templates/dendrite/dendrite.yaml.j2 | 6 ++++++ 4 files changed, 12 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 18ad756c4..6be30d7eb 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2741,6 +2741,10 @@ devture_postgres_managed_databases_auto: | 'name': matrix_dendrite_user_api_database, 'username': matrix_dendrite_database_user, 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_relay_api_database, + 'username': matrix_dendrite_relay_api_user, + 'password': matrix_dendrite_relay_api_password, },{ 'name': matrix_dendrite_push_server_database, 'username': matrix_dendrite_database_user, diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml index 35793f496..41cd35ed0 100644 --- a/roles/custom/matrix-dendrite/defaults/main.yml +++ b/roles/custom/matrix-dendrite/defaults/main.yml 
@@ -157,6 +157,7 @@ matrix_dendrite_room_database: "dendrite_room" matrix_dendrite_sync_api_database: "dendrite_syncapi" matrix_dendrite_user_api_database: "dendrite_userapi" matrix_dendrite_push_server_database: "dendrite_pushserver" +matrix_dendrite_relay_api_database: "dendrite_relayapi" matrix_dendrite_mscs_database: "dendrite_mscs" matrix_dendrite_client_api_turn_uris: [] diff --git a/roles/custom/matrix-dendrite/tasks/validate_config.yml b/roles/custom/matrix-dendrite/tasks/validate_config.yml index 1f1b3e411..0b1540bb1 100644 --- a/roles/custom/matrix-dendrite/tasks/validate_config.yml +++ b/roles/custom/matrix-dendrite/tasks/validate_config.yml @@ -33,4 +33,5 @@ - {'old': 'matrix_dendrite_userapi_auto_join_rooms', 'new': 'matrix_dendrite_user_api_auto_join_rooms'} - {'old': 'matrix_dendrite_federationapi_database', 'new': 'matrix_dendrite_federation_api_database'} - {'old': 'matrix_dendrite_pushserver_database', 'new': 'matrix_dendrite_push_server_database'} + - {'old': 'matrix_dendrite_relayapi_database', 'new': 'matrix_dendrite_relay_api_database'} - {'old': 'matrix_dendrite_keyserver_database', 'new': 'matrix_dendrite_key_server_database'} diff --git a/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 index 89821de1a..3c1e56e53 100644 --- a/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 +++ b/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -399,6 +399,12 @@ push_server: max_idle_conns: 2 conn_max_lifetime: -1 +# +# +relay_api: + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_relay_api_database }}?sslmode=disable + # Configuration for Opentracing. # See https://github.com/matrix-org/dendrite/tree/master/docs/tracing for information on # how this works and how to set it up. From dd1712d45731675bb05bcf5e7c71922faeca62fd Mon Sep 17 00:00:00 2001 
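Review bot: The new `relay_api.database` block in dendrite.yaml.j2 carries only `connection_string`, while the sibling `push_server` section visible in the hunk's context also sets `max_idle_conns: 2` and `conn_max_lifetime: -1` (and presumably `max_open_conns` above the hunk), so the relay API will run on Dendrite's built-in pool defaults rather than the values the rest of this template pins; if that is deliberate it should be said, otherwise the same pool keys belong under `database:` here. The two bare `#` lines inserted above `relay_api:` are empty placeholders — either give them content, e.g. `# Configuration for the Relay API.`, or drop them. The `?sslmode=disable` suffix matches the other database sections and so is consistent, but it is worth a one-line comment that this connection is expected to stay on the local container network, since the relay API is a new network-facing component.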
From: Array in a Matrix Date: Sat, 18 Mar 2023 03:43:12 -0400 Subject: [PATCH 618/915] fix typo i was sleepy lol --- group_vars/matrix_servers | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 6be30d7eb..ef36a06c2 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2743,8 +2743,8 @@ devture_postgres_managed_databases_auto: | 'password': matrix_dendrite_database_password, },{ 'name': matrix_dendrite_relay_api_database, - 'username': matrix_dendrite_relay_api_user, - 'password': matrix_dendrite_relay_api_password, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, },{ 'name': matrix_dendrite_push_server_database, 'username': matrix_dendrite_database_user, From 88dc5e0de048bba8f4cbb0b5e1c3bc473b46c4dd Mon Sep 17 00:00:00 2001 From: Aine Date: Sat, 18 Mar 2023 10:26:29 +0200 Subject: [PATCH 619/915] migrate prometheus-node-exporter's var --- group_vars/matrix_servers | 2 ++ requirements.yml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index ef36a06c2..45a3990d3 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -3447,7 +3447,9 @@ prometheus_node_exporter_base_path: "{{ matrix_base_data_path }}/prometheus-node prometheus_node_exporter_uid: "{{ matrix_user_uid }}" prometheus_node_exporter_gid: "{{ matrix_user_gid }}" +# _server_fqn is the old var, _hostname - the new one. Seamless migration prometheus_node_exporter_server_fqn: "{{ matrix_server_fqn_matrix }}" +prometheus_node_exporter_hostname: "{{ prometheus_node_exporter_server_fqn }}" prometheus_node_exporter_container_network: "{{ matrix_docker_network }}" diff --git a/requirements.yml b/requirements.yml index 77f8186bb..9f5719c9e 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -31,7 +31,7 @@ version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6 - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git - version: v1.5.0-3 + version: v1.5.0-4 - src: git+https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter.git version: v0.11.1-2 From 8202acf74209111d859bb7db4d0b342a6642e12e Mon Sep 17 00:00:00 2001 From: Kabir Kwatra Date: Sat, 18 Mar 2023 10:17:29 +0000 Subject: [PATCH 620/915] fix(sliding-sync): use external syncv3 server url --- roles/custom/matrix-sliding-sync/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-sliding-sync/defaults/main.yml b/roles/custom/matrix-sliding-sync/defaults/main.yml index f66b3b614..fa6e65a46 100644 --- a/roles/custom/matrix-sliding-sync/defaults/main.yml +++ b/roles/custom/matrix-sliding-sync/defaults/main.yml @@ -76,7 +76,7 @@ matrix_sliding_sync_systemd_required_services_list: ["docker.service"] matrix_sliding_sync_systemd_wanted_services_list: [] # Controls the SYNCV3_SERVER environment variable -matrix_sliding_sync_environment_variable_syncv3_server: "{{ matrix_homeserver_container_url }}" +matrix_sliding_sync_environment_variable_syncv3_server: "{{ matrix_homeserver_url }}" # Controls the SYNCV3_SECRET environment variable matrix_sliding_sync_environment_variable_syncv3_secret: '' From b01e7b1ae59ea2602cd9f2da2c7142e97f41a695 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Sat, 18 Mar 2023 19:29:20 +0000 Subject: [PATCH 621/915] update ntfy 2.1.2 -> 2.2.0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 9f5719c9e..85b396b4f 100644 --- a/requirements.yml +++ b/requirements.yml @@ -43,7 +43,7 @@ version: v9.4.3-0 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git - version: v2.1.2-0 + version: v2.2.0-0 - src: git+https://gitlab.com/etke.cc/roles/redis.git version: v7.0.9-0 
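Review bot: In the matrix-sliding-sync defaults hunk, the comment `# Controls the SYNCV3_SERVER environment variable` says nothing about why the value moved from `matrix_homeserver_container_url` to `matrix_homeserver_url`, and the commit message gives no reason either. The visible effect is that the proxy now reaches the homeserver through its public URL — reverse proxy, TLS and public DNS — instead of the container network, so the public hostname has to resolve and be reachable from inside the container, which is exactly the kind of thing that breaks on split-horizon or hairpin-restricted setups. Suggest extending the comment to state the contract, e.g. `# Controls the SYNCV3_SERVER environment variable. This must be the homeserver's public (not container-internal) URL, so the public hostname needs to resolve from inside the container.`, and adding the motivation once it is known.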
From 3e84e354a845df9863c67486ec7b2880cc435dd3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 19 Mar 2023 08:12:37 +0200 Subject: [PATCH 622/915] Add "install-service" justfile command It should be noted that this cannot be used for the initial install of services which require a database or have other dependencies. Those would typically need to invoke the playbook with `--tags=install-postgres,install-SERVICE`, etc. The purpose of this shortcut is to easily rebuild and restart a single service subsequently. For those cases, oftentimes there's no need to reinitialize the database and other components and simply running a single component's tasks is enough. --- justfile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/justfile b/justfile index 4b6dfbfb1..3b5c4de33 100644 --- a/justfile +++ b/justfile @@ -14,6 +14,10 @@ lint: # Runs the playbook with --tags=install-all,ensure-matrix-users-created,start and optional arguments install-all *extra_args: (run-tags "install-all,ensure-matrix-users-created,start" extra_args) +# Runs installation tasks for a single service +install-service service: + just --justfile {{ justfile() }} run --tags=install-{{ service }},start-group --extra-vars=group={{ service }} + # Runs the playbook with --tags=setup-all,ensure-matrix-users-created,start and optional arguments setup-all *extra_args: (run-tags "setup-all,ensure-matrix-users-created,start" extra_args) From 39f53e81d0d47d76a28787b9b05a7152cca90a16 Mon Sep 17 00:00:00 2001 From: Justin Croonenberghs Date: Sun, 19 Mar 2023 13:42:41 -0500 Subject: [PATCH 623/915] Update sliding sync doc for external DB users * fixes #2586 --- docs/configuring-playbook-sliding-sync-proxy.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/configuring-playbook-sliding-sync-proxy.md b/docs/configuring-playbook-sliding-sync-proxy.md index 49e0483a3..a0eb36ba4 100644 --- a/docs/configuring-playbook-sliding-sync-proxy.md 
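Review bot: The recipe comment `# Runs installation tasks for a single service` is what `just --list` shows, and it omits the limitation the commit message spells out — that this cannot do the initial install of a service that needs a database or other dependencies, which still require `--tags=install-postgres,install-SERVICE`. Suggest `# Runs installation tasks for a single, already-installed service (initial installs of services with dependencies need e.g. --tags=install-postgres,install-SERVICE)`. Since `{{ service }}` is interpolated unquoted into both `--tags=install-{{ service }},start-group` and `--extra-vars=group={{ service }}`, a value with whitespace would be split by the shell; quoting those two arguments would make the recipe fail more predictably on a typo.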
+++ b/docs/configuring-playbook-sliding-sync-proxy.md @@ -40,6 +40,17 @@ matrix_sliding_sync_enabled: true After potentially [adjusting DNS records](#adjusting-dns-records) and configuring the playbook, run the [installation](installing.md) command again: `just install-all`. +### External databases + +Please note that, if your setup utilizes an external database, you must also establish configuration for the sliding sync proxy. Alter the defaults below to suit your configuration: + +```yaml +matrix_sliding_sync_database_username: 'matrix_sliding_sync' +matrix_sliding_sync_database_password: '' +matrix_sliding_sync_database_hostname: '' +matrix_sliding_sync_database_port: 5432 +matrix_sliding_sync_database_name: 'matrix_sliding_sync' +``` ## Usage From 220d80ac3a40b9ed5541299fbb283e4a1759254d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 20 Mar 2023 11:06:27 +0200 Subject: [PATCH 624/915] Move matrix-aux outside of this playbook --- group_vars/matrix_servers | 20 +++++ playbooks/matrix.yml | 3 +- requirements.yml | 4 + roles/custom/matrix-aux/defaults/main.yml | 81 ------------------- roles/custom/matrix-aux/tasks/main.yml | 9 --- roles/custom/matrix-aux/tasks/setup.yml | 20 ----- .../defaults/main.yml | 3 + .../tasks/validate_config.yml | 16 ++++ 8 files changed, 45 insertions(+), 111 deletions(-) delete mode 100644 roles/custom/matrix-aux/defaults/main.yml delete mode 100644 roles/custom/matrix-aux/tasks/main.yml delete mode 100644 roles/custom/matrix-aux/tasks/setup.yml diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 45a3990d3..bdc2d1235 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -37,6 +37,26 @@ matrix_playbook_ssl_enabled: "{{ matrix_playbook_ssl_retrieval_method in ['lets- # # ######################################################################## + +######################################################################## +# # +# aux # +# # +######################################################################## + +aux_directory_default_owner: "{{ matrix_user_username }}" +aux_directory_default_group: "{{ matrix_user_groupname }}" + +aux_file_default_owner: "{{ matrix_user_username }}" +aux_file_default_group: "{{ matrix_user_groupname }}" + +######################################################################## +# # +# /aux # +# # +######################################################################## + + ######################################################################## # # # base # diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index b8964aa54..93e9208f0 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml @@ -112,7 +112,8 @@ - galaxy/ntfy - custom/matrix-nginx-proxy - custom/matrix-coturn - - custom/matrix-aux + + - role: galaxy/aux - role: galaxy/com.devture.ansible.role.postgres_backup diff --git a/requirements.yml b/requirements.yml index 85b396b4f..ffcd86afe 100644 --- a/requirements.yml +++ b/requirements.yml @@ -59,3 +59,7 @@ - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: v2.8.1-0 + +- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git + name: aux + version: v1.0.0-0 diff --git a/roles/custom/matrix-aux/defaults/main.yml b/roles/custom/matrix-aux/defaults/main.yml deleted file mode 100644 index 4c1f88796..000000000 --- a/roles/custom/matrix-aux/defaults/main.yml +++ /dev/null 
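Review bot: The new `aux` block in group_vars/matrix_servers wires only owner and group (`aux_directory_default_owner`, `aux_directory_default_group`, `aux_file_default_owner`, `aux_file_default_group`), whereas the defaults file deleted in this same commit also fixed `matrix_aux_directory_default_mode: '0750'` and `matrix_aux_file_default_mode: '0640'`. Whether the external role defaults to the same modes is not visible here; if it does not, existing deployments that relied on the playbook's 0750/0640 could end up with more permissive files after migration, so this should be confirmed and, if needed, the role's equivalent mode variables (names not shown on this page) set explicitly in this block. A one-line comment such as `# File/directory modes are left to the aux role's defaults (previously 0750/0640 here); verify they match.` would make the choice deliberate.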
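Review bot: The new requirements.yml entry pins `ansible-role-aux` to the tag `v1.0.0-0`, while at least one other entry in this file pins a full commit id (`9b4b088c62b528b73a9a7c93d3109b091dd42ec6`). Tags are mutable, and per the deleted tasks/setup.yml the role being replaced creates arbitrary files and directories on the server with caller-chosen owner, group and mode, so a moved tag would silently change what runs with those privileges. Pinning `version:` to the commit the tag currently points at, or recording that commit in a comment next to the tag, gives a verifiable supply-chain anchor; the same applies to the other external role bumps in this series, which also pin tags.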
@@ -1,81 +0,0 @@ ---- - -# matrix-aux is a role that manages auxiliary files and directories on your Matrix server. -# -# Certain components (like matrix-synapse, etc.) may sometimes require additional templates (email templates, privacy policies, etc.). -# This role allows such files to be managed by the playbook. -# -# Note that files and directories created via this role are not automatically made available for containers to use. -# If you use this role to put files in a directory that's already mounted into a container, -# you can access the files without additional work. -# Otherwise, you'd need to mount the file/directory to the container that needs it. -# Roles usually provide a `matrix_*_additional_volumes` or `matrix_*_container_extra_arguments` variable -# that you can use to mount an additional volume. - -# The default permission mode when creating directories using `matrix_aux_directory_definitions` -matrix_aux_directory_default_mode: '0750' - -# Holds a list of directories to create on the server. -# -# By default, directories are: -# - created with permissions as specified in `matrix_aux_directory_default_mode` -# - owned by the `matrix_user_username` user and `matrix_user_groupname` group (usually `matrix:matrix`) -# -# Example: -# -# matrix_aux_directory_definitions: -# - dest: /matrix/aux -# -# - dest: /matrix/another -# mode: '0700' -# owner: 'some-user' -# group: 'some-group' -matrix_aux_directory_definitions: [] - -# The default permission mode when creating directories using `matrix_aux_directory_definitions` -matrix_aux_file_default_mode: '0640' - -# Holds a list of files to create on the server. -# -# By default, files are: -# - created with permissions as specified in `matrix_aux_file_default_mode` -# - owned by the `matrix_user_username` user and `matrix_user_groupname` group (usually `matrix:matrix`) -# -# You can define the file content inline (in your `vars.yml` file) or as an external file (see the example below). 
-# Defining the content inline in `vars.yml` has the benefit of not splitting your configuration into multiple files, -# but rather keeping everything inside `vars.yml` (which also gets backed up on the server in `/matrix/vars.yml`). -# -# Note: parent paths for files must exist. -# If you've defined a file with a destination of `/matrix/some/path/file.txt`, -# then you likely need to add `/matrix/some/path` to `matrix_aux_directory_definitions` as well. -# You don't need to do this for directories that the playbook already creates for you. -# -# Use a `content` key for text content and `src` with a location to a file for binary content. -# The `content` key does not support binary content (see https://github.com/ansible/ansible/issues/11594). -# -# Example: -# -# matrix_aux_file_definitions: -# - dest: "{{ matrix_synapse_config_dir_path }}/something.html" -# content: | -# -# Something -# -# - dest: /matrix/aux/some-other-file.txt -# content: "Something" -# mode: '0600' -# owner: 'some-user' -# group: 'some-group' -# -# - dest: /matrix/aux/yet-another-file.txt -# content: "{{ lookup('template', '/path/to/file.txt.j2') }}" -# mode: '0600' -# owner: 'some-user' -# group: 'some-group' -# -# - dest: /matrix/aux/binary-file.dat -# src: "/path/to/binary.dat" -# mode: '0600' -# owner: 'some-user' -# group: 'some-group' -matrix_aux_file_definitions: [] diff --git a/roles/custom/matrix-aux/tasks/main.yml b/roles/custom/matrix-aux/tasks/main.yml deleted file mode 100644 index 3ae8d1791..000000000 --- a/roles/custom/matrix-aux/tasks/main.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- - -- tags: - - setup-all - - setup-aux-files - - install-all - - install-aux-files - block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup.yml" diff --git a/roles/custom/matrix-aux/tasks/setup.yml b/roles/custom/matrix-aux/tasks/setup.yml deleted file mode 100644 index eb0adad49..000000000 --- a/roles/custom/matrix-aux/tasks/setup.yml +++ /dev/null 
@@ -1,20 +0,0 @@ ---- - -- name: Ensure AUX directories are created - ansible.builtin.file: - dest: "{{ item.dest }}" - state: directory - owner: "{{ item.owner | default(matrix_user_username) }}" - group: "{{ item.group | default(matrix_user_groupname) }}" - mode: "{{ item.mode | default(matrix_aux_directory_default_mode) }}" - with_items: "{{ matrix_aux_directory_definitions }}" - -- name: Ensure AUX files are created - ansible.builtin.copy: - src: "{{ item.src if 'src' in item else omit }}" - content: "{{ item.content if 'content' in item else omit }}" - dest: "{{ item.dest }}" - owner: "{{ item.owner | default(matrix_user_username) }}" - group: "{{ item.group | default(matrix_user_groupname) }}" - mode: "{{ item.mode | default(matrix_aux_file_default_mode) }}" - with_items: "{{ matrix_aux_file_definitions }}" diff --git a/roles/custom/matrix_playbook_migration/defaults/main.yml b/roles/custom/matrix_playbook_migration/defaults/main.yml index dbc3b3b86..ee051193a 100644 --- a/roles/custom/matrix_playbook_migration/defaults/main.yml +++ b/roles/custom/matrix_playbook_migration/defaults/main.yml @@ -20,3 +20,6 @@ matrix_playbook_migration_matrix_redis_migration_validation_enabled: true # Controls if (`matrix_etherpad` -> `etherpad`) validation will run. matrix_playbook_migration_matrix_etherpad_migration_validation_enabled: true + +# Controls if (`matrix_aux` -> `aux`) validation will run. +matrix_playbook_migration_matrix_aux_migration_validation_enabled: true diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index d8fe16839..87292cdb7 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml 
@@ -157,3 +157,19 @@ Please change your configuration (vars.yml) to rename all variables (`matrix_etherpad_` -> `etherpad_`). We found usage of the following variables: {{ matrix_playbook_migration_etherpad_migration_vars.keys() | join(', ') }} when: "matrix_playbook_migration_etherpad_migration_vars | length > 0" + +- when: matrix_playbook_migration_matrix_aux_migration_validation_enabled | bool + block: + - ansible.builtin.set_fact: + matrix_playbook_migration_aux_migration_vars: |- + {{ vars | dict2items | selectattr('key', 'match', 'matrix_aux_.*') | list | items2dict }} + + - name: (Deprecation) Catch and report matrix_aux variables + ansible.builtin.fail: + msg: >- + The matrix-aux role that used to be part of this playbook has been replaced by https://github.com/mother-of-all-self-hosting/ansible-role-aux. + The new role is compatible with the old one, but uses different names for its variables. + Please change your configuration (vars.yml) to rename all variables (`matrix_aux_` -> `aux_`). + We found usage of the following variables: {{ matrix_playbook_migration_aux_migration_vars.keys() | join(', ') }} + when: "matrix_playbook_migration_aux_migration_vars | length > 0" + From d974c0c166012731c5e4ad675c7701c971e77246 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 20 Mar 2023 11:09:59 +0200 Subject: [PATCH 625/915] Make yamllint happy --- roles/custom/matrix_playbook_migration/tasks/validate_config.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index 87292cdb7..9c9585057 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml 
@@ -172,4 +172,3 @@ Please change your configuration (vars.yml) to rename all variables (`matrix_aux_` -> `aux_`). We found usage of the following variables: {{ matrix_playbook_migration_aux_migration_vars.keys() | join(', ') }} when: "matrix_playbook_migration_aux_migration_vars | length > 0" - From abf96569e04c3f8025591a5ee6b5a7786f43f004 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 20 Mar 2023 15:05:19 +0200 Subject: [PATCH 626/915] Add extra_args support to install-service justfile command It's now possible to do: `just install-service prometheus -l host.example.com` --- justfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/justfile b/justfile index 3b5c4de33..f50b5217f 100644 --- a/justfile +++ b/justfile @@ -15,8 +15,8 @@ lint: install-all *extra_args: (run-tags "install-all,ensure-matrix-users-created,start" extra_args) # Runs installation tasks for a single service -install-service service: - just --justfile {{ justfile() }} run --tags=install-{{ service }},start-group --extra-vars=group={{ service }} +install-service service *extra_args: + just --justfile {{ justfile() }} run --tags=install-{{ service }},start-group --extra-vars=group={{ service }} {{ extra_args }} # Runs the playbook with --tags=setup-all,ensure-matrix-users-created,start and optional arguments setup-all *extra_args: (run-tags "setup-all,ensure-matrix-users-created,start" extra_args) From 1b6a85e485a73bf07d5b0b34021b98c039165e5c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 20 Mar 2023 15:09:04 +0200 Subject: [PATCH 627/915] Do not consider prometheus-exporters as part of the prometheus group This makes us rebuild/restart exporters when running `just install-service prometheus`, which we don't like. --- group_vars/matrix_servers | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index bdc2d1235..c7750514b 100755 --- a/group_vars/matrix_servers 
+++ b/group_vars/matrix_servers @@ -340,11 +340,11 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-prometheus.service', 'priority': 4000, 'groups': ['matrix', 'monitoring', 'prometheus', 'prometheus-core']}] if matrix_prometheus_enabled else []) + - ([{'name': (prometheus_node_exporter_identifier + '.service'), 'priority': 3900, 'groups': ['matrix', 'monitoring', 'prometheus', 'prometheus-exporters']}] if prometheus_node_exporter_enabled else []) + ([{'name': (prometheus_node_exporter_identifier + '.service'), 'priority': 3900, 'groups': ['matrix', 'monitoring', 'prometheus-exporters', 'prometheus-node-exporter']}] if prometheus_node_exporter_enabled else []) + - ([{'name': (prometheus_postgres_exporter_identifier + '.service'), 'priority': 3900, 'groups': ['matrix', 'monitoring', 'prometheus', 'prometheus-exporters']}] if prometheus_postgres_exporter_enabled else []) + ([{'name': (prometheus_postgres_exporter_identifier + '.service'), 'priority': 3900, 'groups': ['matrix', 'monitoring', 'prometheus-exporters', 'prometheus-postgres-exporter']}] if prometheus_postgres_exporter_enabled else []) + - ([{'name': 'matrix-prometheus-nginxlog-exporter.service', 'priority': 3900, 'groups': ['matrix', 'monitoring', 'prometheus', 'prometheus-exporters']}] if matrix_prometheus_nginxlog_exporter_enabled else []) + ([{'name': 'matrix-prometheus-nginxlog-exporter.service', 'priority': 3900, 'groups': ['matrix', 'monitoring', 'prometheus-exporters', 'prometheus-nginxlog-exporter']}] if matrix_prometheus_nginxlog_exporter_enabled else []) + ([{'name': (redis_identifier + '.service'), 'priority': 750, 'groups': ['matrix', 'redis']}] if redis_enabled else []) + From ade312e6f621661e1a6a6ca09ee9c3e1114ee084 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Mon, 20 Mar 2023 17:03:19 +0200 Subject: [PATCH 628/915] Add matrix_hookshot_container_network --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 ++ roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml | 5 +++++ .../templates/systemd/matrix-hookshot.service.j2 | 4 ++-- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index db71da794..2113f53ab 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml @@ -200,6 +200,8 @@ matrix_hookshot_permissions: [] matrix_hookshot_bot_displayname: Hookshot Bot matrix_hookshot_bot_avatar: 'mxc://half-shot.uk/2876e89ccade4cb615e210c458e2a7a6883fe17d' +matrix_hookshot_container_network: "{{ matrix_docker_network }}" + # A list of extra arguments to pass to the container matrix_hookshot_container_extra_arguments: [] diff --git a/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml b/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml index f0e8c1c62..576eb0079 100644 --- a/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml @@ -107,6 +107,11 @@ group: "{{ matrix_user_groupname }}" when: matrix_hookshot_github_enabled | bool and matrix_hookshot_github_private_key|length > 0 +- name: Ensure matrix-hookshot container network is created + community.general.docker_network: + name: "{{ matrix_hookshot_container_network }}" + driver: bridge + - name: Ensure matrix-hookshot.service installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-hookshot.service.j2" diff --git a/roles/custom/matrix-bridge-hookshot/templates/systemd/matrix-hookshot.service.j2 b/roles/custom/matrix-bridge-hookshot/templates/systemd/matrix-hookshot.service.j2 index 7ebd08b6c..713c7a9fd 100644 
--- a/roles/custom/matrix-bridge-hookshot/templates/systemd/matrix-hookshot.service.j2 +++ b/roles/custom/matrix-bridge-hookshot/templates/systemd/matrix-hookshot.service.j2 @@ -20,8 +20,8 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ - --network={{ matrix_docker_network }} \ - -v {{ matrix_hookshot_base_path }}:/data:z \ + --network={{ matrix_hookshot_container_network }} \ + --mount type=bind,src={{ matrix_hookshot_base_path }},dst=/data \ {% for port in matrix_hookshot_container_http_host_bind_ports %} -p {{ port }} \ {% endfor %} From 21c2bbb11fbd51ffd3cc14e66f5d64fded79e07e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 20 Mar 2023 17:04:23 +0200 Subject: [PATCH 629/915] Add matrix_prometheus_nginxlog_exporter_container_network --- .../matrix-prometheus-nginxlog-exporter/defaults/main.yml | 2 ++ .../tasks/setup_install.yml | 5 +++++ .../systemd/matrix-prometheus-nginxlog-exporter.service.j2 | 2 +- 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/defaults/main.yml b/roles/custom/matrix-prometheus-nginxlog-exporter/defaults/main.yml index 2e85d6298..806c751c8 100644 --- a/roles/custom/matrix-prometheus-nginxlog-exporter/defaults/main.yml +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/defaults/main.yml @@ -28,6 +28,8 @@ matrix_prometheus_nginxlog_exporter_dashboard_urls: [] matrix_prometheus_nginxlog_exporter_base_path: "{{ matrix_base_data_path }}/prometheus-nginxlog-exporter" matrix_prometheus_nginxlog_exporter_config_path: "{{ matrix_prometheus_nginxlog_exporter_base_path }}/config" +matrix_prometheus_nginxlog_exporter_container_network: "{{ matrix_docker_network }}" + # A list of extra docker arguments to pass to the container matrix_prometheus_nginxlog_exporter_container_extra_arguments: [] 
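Review bot: Replacing `-v {{ matrix_hookshot_base_path }}:/data:z` with `--mount type=bind,src={{ matrix_hookshot_base_path }},dst=/data` drops the `:z` SELinux relabel option, and `--mount` has no equivalent for it, so on an SELinux-enforcing host the container may lose access to `/data` unless the directory is already labelled for container use; the commit message only mentions the container network, so this reads as an unintended behaviour change. Either keep the `-v ...:/data:z` form or add a comment (and, if needed, a labelling task) stating that `matrix_hookshot_base_path` must carry a container-accessible label. The `ExecStart=` line this hunk edits begins in the hunk header context and continues past `{% endfor %}`, outside the hunk.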
diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_install.yml b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_install.yml index ca3bf3a8e..8d3fe1d49 100644 --- a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_install.yml +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_install.yml @@ -30,6 +30,11 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" +- name: Ensure prometheus-nginxlog-exporter container network is created + community.general.docker_network: + name: "{{ matrix_prometheus_nginxlog_exporter_container_network }}" + driver: bridge + - name: Ensure matrix-prometheus-nginxlog-exporter.service installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-prometheus-nginxlog-exporter.service.j2" diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/templates/systemd/matrix-prometheus-nginxlog-exporter.service.j2 b/roles/custom/matrix-prometheus-nginxlog-exporter/templates/systemd/matrix-prometheus-nginxlog-exporter.service.j2 index e799380e3..0d01aa217 100644 --- a/roles/custom/matrix-prometheus-nginxlog-exporter/templates/systemd/matrix-prometheus-nginxlog-exporter.service.j2 +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/templates/systemd/matrix-prometheus-nginxlog-exporter.service.j2 @@ -22,7 +22,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_prometheus_nginxlog_exporter_container_network }} \ {% if matrix_prometheus_nginxlog_exporter_container_http_host_bind_port %} -p {{ matrix_prometheus_nginxlog_exporter_container_http_host_bind_port }}:{{ matrix_prometheus_nginxlog_exporter_container_metrics_port }} \ {% endif %} From a542a2ff41f1a87ea6c6efa60528ee060c9f63ef Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Mon, 20 Mar 2023 17:59:08 +0200 Subject: [PATCH 630/915] Upgrade devture/ansible (2.13.6-r0-2 -> 2.13.6-r0-3) --- docs/ansible.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ansible.md b/docs/ansible.md index dcda338ad..6b246d547 100644 --- a/docs/ansible.md +++ b/docs/ansible.md @@ -65,7 +65,7 @@ docker run -it --rm \ -w /work \ -v `pwd`:/work \ --entrypoint=/bin/sh \ -docker.io/devture/ansible:2.13.6-r0-2 +docker.io/devture/ansible:2.13.6-r0-3 ``` Once you execute the above command, you'll be dropped into a `/work` directory inside a Docker container. From a1a37700b916102b757d9e76c0cdb2500a2ec43e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 20 Mar 2023 18:40:01 +0200 Subject: [PATCH 631/915] Update one more devture/ansible reference --- docs/ansible.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ansible.md b/docs/ansible.md index 6b246d547..6018860e3 100644 --- a/docs/ansible.md +++ b/docs/ansible.md @@ -86,7 +86,7 @@ docker run -it --rm \ -v `pwd`:/work \ -v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro \ --entrypoint=/bin/sh \ -docker.io/devture/ansible:2.13.6-r0 +docker.io/devture/ansible:2.13.6-r0-3 ``` The above command tries to mount an SSH key (`$HOME/.ssh/id_rsa`) into the container (at `/root/.ssh/id_rsa`). From 01db1ae9b70c2421a8a94fe5c06b324cb1d99c99 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 20 Mar 2023 18:44:01 +0200 Subject: [PATCH 632/915] Mention passlib It's not strictly required yet, but certain versions of Ansible display warnings if passlib is missing. The non-passlib crypto usage is deprecated, so passlib will become a requirement in newer Ansible versions. It's only a matter of time. --- docs/prerequisites.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 83ae42dae..be60a5f45 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md 
@@ -20,6 +20,8 @@ If your distro runs within an [LXC container](https://linuxcontainers.org/), you - The [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you. Take a look at [our guide about Ansible](ansible.md) for more information, as well as [version requirements](ansible.md#supported-ansible-versions) and alternative ways to run Ansible. +- the [passlib](https://passlib.readthedocs.io/en/stable/index.html) Python library installed on the computer you run Ansible. On most distros, you need to install some `python-passlib` or `py3-passlib` package, etc. + - [`git`](https://git-scm.com/) is the recommended way to download the playbook to your computer. `git` may also be required on the server if you will be [self-building](self-building.md) components. - [`just`](https://github.com/casey/just) for running `just roles`, etc. (see [`justfile`](../justfile)), although you can also run these commands manually From d351213486400af1cc794a5b8d0e7604dcb115be Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 21 Mar 2023 07:29:21 +0200 Subject: [PATCH 633/915] Upgrade prometheus_node_exporter (v1.5.0-4 -> v1.5.0-6) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index ffcd86afe..c15140164 100644 --- a/requirements.yml +++ b/requirements.yml @@ -31,7 +31,7 @@ version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6 - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git - version: v1.5.0-4 + version: v1.5.0-6 - src: git+https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter.git version: v0.11.1-2 From 14b8efcad262d49958c30df904bcef4dc8153624 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Tue, 21 Mar 2023 07:38:12 +0200 Subject: [PATCH 634/915] Replace matrix-prometheus with an external Prometheus role --- CHANGELOG.md | 21 ++- ...configuring-playbook-prometheus-grafana.md | 6 +- ...onfiguring-playbook-prometheus-nginxlog.md | 4 +- group_vars/matrix_servers | 117 ++++++++++---- playbooks/matrix.yml | 3 +- requirements.yml | 4 + .../tasks/setup_uninstall.yml | 2 +- .../tasks/validate_config.yml | 4 +- .../defaults/main.yml | 144 ++++++++++++++++++ .../tasks/install_synapse_rules.yml | 14 ++ .../tasks/main.yml | 11 ++ .../matrix-prometheus/defaults/main.yml | 90 ----------- roles/custom/matrix-prometheus/tasks/main.yml | 20 --- .../matrix-prometheus/tasks/setup_install.yml | 57 ------- .../tasks/setup_uninstall.yml | 20 --- .../tasks/validate_config.yml | 15 -- .../templates/prometheus.yml.j2 | 73 --------- .../systemd/matrix-prometheus.service.j2 | 51 ------- .../tasks/validate_config.yml | 19 +++ 19 files changed, 311 insertions(+), 364 deletions(-) create mode 100644 roles/custom/matrix-prometheus-services-connect/defaults/main.yml create mode 100644 roles/custom/matrix-prometheus-services-connect/tasks/install_synapse_rules.yml create mode 100644 roles/custom/matrix-prometheus-services-connect/tasks/main.yml delete mode 100644 roles/custom/matrix-prometheus/defaults/main.yml delete mode 100644 roles/custom/matrix-prometheus/tasks/main.yml delete mode 100644 roles/custom/matrix-prometheus/tasks/setup_install.yml delete mode 100644 roles/custom/matrix-prometheus/tasks/setup_uninstall.yml delete mode 100644 roles/custom/matrix-prometheus/tasks/validate_config.yml delete mode 100644 roles/custom/matrix-prometheus/templates/prometheus.yml.j2 delete mode 100644 roles/custom/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 9ba17ea35..0c9de0ac3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,22 @@ +# 2023-03-21 + +## The matrix-prometheus role lives independently now + +**TLDR**: the `matrix-prometheus` role is now included from the [ansible-role-prometheus](https://github.com/mother-of-all-self-hosting/ansible-role-prometheus) repository, part of the [MASH playbook](https://github.com/mother-of-all-self-hosting/mash-playbook). Some variables have been renamed. All functionality remains intact. + +The `matrix-prometheus` role has been relocated in its own repository, part of the [MASH playbook](https://github.com/mother-of-all-self-hosting/mash-playbook) project - an Ansible playbook for self-hosting [a growing list of FOSS software](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/supported-services.md). If hosting a Prometheus stack on the Matrix server itself did not stand right with you or you always wanted to host most stuff, you can now use this new playbook to do so. + +Extracting the Prometheus role out of this Matrix playbook required huge internal refactoring to the way the Prometheus configuration (scraping jobs) is generated. If you notice any breakage after upgrading, let us know. + +You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're using Prometheus or not. + +If you're making use of Prometheus via this playbook, you will need to update variable references in your `vars.yml` file: + + - `matrix_prometheus_docker_image_` -> `matrix_prometheus_container_image_` + - `matrix_prometheus_` -> `prometheus_` + - some other internal variables have changed, but the playbook will tell you about them + + # 2023-03-12 ## synapse-auto-compressor support 
@@ -830,7 +849,7 @@ See our [Setting up the ntfy push notifications server](docs/configuring-playboo **If you are using the [Hookshot bridge](docs/configuring-playbook-bridge-hookshot.md)**, you may find that: 1. **Metrics may not be enabled by default anymore**: - - If Prometheus is enabled (`matrix_prometheus_enabled: true`), then Hookshot metrics will be enabled automatically (`matrix_hookshot_metrics_enabled: true`). These metrics will be collected from the local (in-container) Prometheus over the container network. + - If Prometheus is enabled (`prometheus_enabled: true`), then Hookshot metrics will be enabled automatically (`matrix_hookshot_metrics_enabled: true`). These metrics will be collected from the local (in-container) Prometheus over the container network. - **If Prometheus is not enabled** (you are either not using Prometheus or are using an external one), **Hookshot metrics will not be enabled by default anymore**. Feel free to enable them by setting `matrix_hookshot_metrics_enabled: true`. Also, see below. 2. When metrics are meant to be **consumed by an external Prometheus server**, `matrix_hookshot_metrics_proxying_enabled` needs to be set to `true`, so that metrics would be exposed (proxied) "publicly" on `https://matrix.DOMAIN/metrics/hookshot`. To make use of this, you'll also need to enable the new `https://matrix.DOMAIN/metrics/*` endpoints mentioned above, using `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. Learn more in our [Collecting metrics to an external Prometheus server](docs/configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server) documentation. 3. **We've changed the URL we're exposing Hookshot metrics at** for external Prometheus servers. Until now, you were advised to consume Hookshot metrics from `https://stats.DOMAIN/hookshot/metrics` (working in conjunction with `matrix_nginx_proxy_proxy_synapse_metrics`). From now on, **this no longer works**. 
As described above, you need to start consuming metrics from `https://matrix.DOMAIN/metrics/hookshot`. diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index de05d690c..7e4764c20 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md @@ -7,7 +7,7 @@ You can enable this with the following settings in your configuration file (`inv Remember to add `stats.` to DNS as described in [Configuring DNS](configuring-dns.md) before running the playbook. ```yaml -matrix_prometheus_enabled: true +prometheus_enabled: true # You can remove this, if unnecessary. prometheus_node_exporter_enabled: true @@ -39,7 +39,7 @@ The retention policy of Prometheus metrics is [15 days by default](https://prome Name | Description -----|---------- -`matrix_prometheus_enabled`|[Prometheus](https://prometheus.io) is a time series database. It holds all the data we're going to talk about. +`prometheus_enabled`|[Prometheus](https://prometheus.io) is a time series database. It holds all the data we're going to talk about. `prometheus_node_exporter_enabled`|[Node Exporter](https://prometheus.io/docs/guides/node-exporter/) is an addon of sorts to Prometheus that collects generic system information such as CPU, memory, filesystem, and even system temperatures `prometheus_postgres_exporter_enabled`|[Postgres Exporter](configuring-playbook-prometheus-postgres.md) is an addon of sorts to expose Postgres database metrics to Prometheus. `matrix_prometheus_nginxlog_exporter_enabled`|[NGINX Log Exporter](configuring-playbook-prometheus-nginxlog.md) is an addon of sorts to expose NGINX logs to Prometheus. 
@@ -57,7 +57,7 @@ Most of our docker containers run with limited system access, but the `prometheu ## Collecting metrics to an external Prometheus server -**If the integrated Prometheus server is enabled** (`matrix_prometheus_enabled: true`), metrics are collected by it from each service via communication that happens over the container network. Each service does not need to expose its metrics "publicly". +**If the integrated Prometheus server is enabled** (`prometheus_enabled: true`), metrics are collected by it from each service via communication that happens over the container network. Each service does not need to expose its metrics "publicly". When you'd like **to collect metrics from an external Prometheus server**, you need to expose service metrics outside of the container network. diff --git a/docs/configuring-playbook-prometheus-nginxlog.md b/docs/configuring-playbook-prometheus-nginxlog.md index 321a1d6e6..55272de40 100644 --- a/docs/configuring-playbook-prometheus-nginxlog.md +++ b/docs/configuring-playbook-prometheus-nginxlog.md @@ -12,7 +12,7 @@ You can enable this role by adding the following settings in your configuration matrix_prometheus_nginxlog_exporter_enabled: true # required depency -matrix_prometheus_enabled: true +prometheus_enabled: true # optional for visualization grafana_enabled: true 
@@ -20,7 +20,7 @@ grafana_enabled: true x | Prerequisites | Variable | Description |:--:|:--:|:--:|:--| -**REQUIRED** | `matrix-prometheus`| `matrix_prometheus_enabled`|[Prometheus](https://prometheus.io) is a time series database. It holds all the data we're going to talk about. +**REQUIRED** | `matrix-prometheus`| `prometheus_enabled`|[Prometheus](https://prometheus.io) is a time series database. It holds all the data we're going to talk about. _Optional_ | [`matrix-grafana`](configuring-playbook-prometheus-grafana.md) | [`grafana_enabled`](configuring-playbook-prometheus-grafana.md)|[Grafana](https://grafana.com) is the visual component. It shows (on the `stats.` subdomain) graphs that we're interested in. When enabled the `NGINX PROXY` dashboard is automatically added. ## Docker Image Compatibility diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index c7750514b..0b8d7e25e 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -338,7 +338,7 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': (devture_postgres_backup_identifier + '.service'), 'priority': 5000, 'groups': ['matrix', 'backup', 'postgres-backup']}] if devture_postgres_backup_enabled else []) + - ([{'name': 'matrix-prometheus.service', 'priority': 4000, 'groups': ['matrix', 'monitoring', 'prometheus', 'prometheus-core']}] if matrix_prometheus_enabled else []) + ([{'name': (prometheus_identifier + '.service'), 'priority': 4000, 'groups': ['matrix', 'monitoring', 'prometheus']}] if prometheus_enabled else []) + ([{'name': (prometheus_node_exporter_identifier + '.service'), 'priority': 3900, 'groups': ['matrix', 'monitoring', 'prometheus-exporters', 'prometheus-node-exporter']}] if prometheus_node_exporter_enabled else []) + 
@@ -871,7 +871,7 @@ matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_presence_enabled if # - `matrix_mautrix_facebook_metrics_enabled` # - `matrix_mautrix_facebook_proxying_metrics_enabled` # - `matrix_nginx_proxy_proxy_matrix_metrics_enabled` -matrix_mautrix_facebook_metrics_enabled: "{{ matrix_prometheus_enabled }}" +matrix_mautrix_facebook_metrics_enabled: "{{ prometheus_enabled }}" # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. @@ -1004,7 +1004,7 @@ matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_presence_enabled if # - `matrix_mautrix_instagram_metrics_enabled` # - `matrix_mautrix_instagram_proxying_metrics_enabled` # - `matrix_nginx_proxy_proxy_matrix_metrics_enabled` -matrix_mautrix_instagram_metrics_enabled: "{{ matrix_prometheus_enabled }}" +matrix_mautrix_instagram_metrics_enabled: "{{ prometheus_enabled }}" # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. @@ -1055,7 +1055,7 @@ matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provi # - `matrix_mautrix_signal_metrics_enabled` # - `matrix_mautrix_signal_proxying_metrics_enabled` # - `matrix_nginx_proxy_proxy_matrix_metrics_enabled` -matrix_mautrix_signal_metrics_enabled: "{{ matrix_prometheus_enabled }}" +matrix_mautrix_signal_metrics_enabled: "{{ prometheus_enabled }}" matrix_mautrix_signal_database_engine: 'postgres' matrix_mautrix_signal_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" 
@@ -1185,7 +1185,7 @@ matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_pro # - `matrix_mautrix_twitter_metrics_enabled` # - `matrix_mautrix_twitter_proxying_metrics_enabled` # - `matrix_nginx_proxy_proxy_matrix_metrics_enabled` -matrix_mautrix_twitter_metrics_enabled: "{{ matrix_prometheus_enabled }}" +matrix_mautrix_twitter_metrics_enabled: "{{ prometheus_enabled }}" # Postgres is the default, except if not using internal Postgres server matrix_mautrix_whatsapp_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" @@ -1291,7 +1291,7 @@ matrix_hookshot_provisioning_enabled: "{{ matrix_hookshot_provisioning_secret an # - `matrix_hookshot_metrics_enabled` # - `matrix_hookshot_metrics_proxying_enabled` # - `matrix_nginx_proxy_proxy_matrix_metrics_enabled` -matrix_hookshot_metrics_enabled: "{{ matrix_prometheus_enabled }}" +matrix_hookshot_metrics_enabled: "{{ prometheus_enabled }}" matrix_hookshot_urlprefix_port_enabled: "{{ matrix_nginx_proxy_container_https_host_bind_port == 443 if matrix_nginx_proxy_https_enabled else matrix_nginx_proxy_container_https_host_bind_port == 80 }}" matrix_hookshot_urlprefix_port: ":{{ matrix_nginx_proxy_container_https_host_bind_port if matrix_nginx_proxy_https_enabled else matrix_nginx_proxy_container_http_host_bind_port }}" @@ -3034,7 +3034,7 @@ devture_postgres_backup_databases: "{{ devture_postgres_managed_databases | map( matrix_sygnal_enabled: false # If someone instals Prometheus via the playbook, they most likely wish to monitor Sygnal. -matrix_sygnal_metrics_prometheus_enabled: "{{ matrix_prometheus_enabled }}" +matrix_sygnal_metrics_prometheus_enabled: "{{ prometheus_enabled }}" matrix_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}" 
@@ -3287,7 +3287,7 @@ matrix_synapse_tls_private_key_path: ~ matrix_synapse_federation_port_openid_resource_required: "{{ not matrix_synapse_federation_enabled and (matrix_dimension_enabled or matrix_ma1sd_enabled or matrix_user_verification_service_enabled) }}" # If someone instals Prometheus via the playbook, they most likely wish to monitor Synapse. -matrix_synapse_metrics_enabled: "{{ matrix_prometheus_enabled }}" +matrix_synapse_metrics_enabled: "{{ prometheus_enabled }}" matrix_synapse_email_enabled: "{{ matrix_mailer_enabled }}" matrix_synapse_email_smtp_host: "matrix-mailer" @@ -3452,6 +3452,7 @@ matrix_synapse_admin_container_labels_traefik_tls_certResolver: "{{ devture_trae # ###################################################################### + ###################################################################### # # etke/prometheus_node_exporter @@ -3486,6 +3487,7 @@ prometheus_node_exporter_container_labels_traefik_tls_certResolver: "{{ devture_ # ###################################################################### + ###################################################################### # # etke/prometheus_postgres_exporter @@ -3530,6 +3532,7 @@ prometheus_postgres_exporter_systemd_required_services_list: | # ###################################################################### + ###################################################################### # # matrix-prometheus-nginxlog-exporter 
@@ -3544,45 +3547,101 @@ matrix_prometheus_nginxlog_exporter_enabled: false # ###################################################################### + ###################################################################### # -# matrix-prometheus +# prometheus # ###################################################################### -matrix_prometheus_enabled: false +prometheus_enabled: false + +prometheus_identifier: matrix-prometheus -matrix_prometheus_container_network: "{{ matrix_docker_network }}" +prometheus_base_path: "{{ matrix_base_data_path }}/prometheus" + +prometheus_uid: "{{ matrix_user_uid }}" +prometheus_gid: "{{ matrix_user_gid }}" + +prometheus_container_additional_networks: | + {{ + ( + ([prometheus_node_exporter_container_network] if prometheus_self_node_scraper_enabled and prometheus_node_exporter_container_network != prometheus_container_network else []) + + + ([matrix_synapse_container_network] if matrix_prometheus_services_connect_scraper_synapse_enabled and matrix_synapse_container_network != prometheus_container_network else []) + + + ([prometheus_postgres_exporter_container_network] if matrix_prometheus_services_connect_scraper_postgres_enabled and prometheus_postgres_exporter_container_network != prometheus_container_network else []) + + + ([matrix_hookshot_container_network] if matrix_prometheus_services_connect_scraper_hookshot_enabled and matrix_hookshot_container_network != prometheus_container_network else []) + + + ([matrix_prometheus_nginxlog_exporter_container_network] if matrix_prometheus_services_connect_scraper_nginxlog_enabled and matrix_prometheus_nginxlog_exporter_container_network != prometheus_container_network else []) + ) | unique + }} # Normally, matrix-nginx-proxy is enabled and nginx can reach Prometheus over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # Prometheus' HTTP port to the local host. 
-matrix_prometheus_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9090') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +prometheus_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9090') if matrix_playbook_service_host_bind_interface_prefix else '' }}" + +prometheus_config_rule_files_auto: | + {{ + (['synapse-v2.rules'] if matrix_prometheus_services_connect_synapse_rules_enabled else []) + }} + +prometheus_self_node_scraper_enabled: "{{ prometheus_node_exporter_enabled }}" +prometheus_self_node_scraper_static_configs_target: "{{ (prometheus_node_exporter_identifier + ':9100') if prometheus_node_exporter_enabled else '' }}" + +prometheus_config_scrape_configs_auto: | + {{ + (matrix_prometheus_services_connect_scraper_synapse_configs if matrix_prometheus_services_connect_scraper_synapse_enabled else []) + + + (matrix_prometheus_services_connect_scraper_postgres_scrape_configs if matrix_prometheus_services_connect_scraper_postgres_enabled else []) + + + (matrix_prometheus_services_connect_scraper_hookshot_scrape_configs if matrix_prometheus_services_connect_scraper_hookshot_enabled else []) + + + (matrix_prometheus_services_connect_scraper_nginxlog_scrape_configs if matrix_prometheus_services_connect_scraper_nginxlog_enabled else []) + }} + +###################################################################### +# +# /prometheus +# +###################################################################### -matrix_prometheus_scraper_synapse_enabled: "{{ matrix_synapse_enabled and matrix_synapse_metrics_enabled }}" -matrix_prometheus_scraper_synapse_targets: ['matrix-synapse:{{ matrix_synapse_metrics_port }}'] -matrix_prometheus_scraper_synapse_workers_enabled_list: "{{ matrix_synapse_workers_enabled_list }}" -matrix_prometheus_scraper_synapse_rules_synapse_tag: "{{ matrix_synapse_docker_image_tag }}" -matrix_prometheus_scraper_node_enabled: "{{ 
prometheus_node_exporter_enabled }}" -matrix_prometheus_scraper_node_targets: "{{ [prometheus_node_exporter_identifier + ':9100'] if prometheus_node_exporter_enabled else [] }}" +###################################################################### +# +# matrix-prometheus-services-connect +# +###################################################################### + +matrix_prometheus_services_connect_synapse_enabled: "{{ prometheus_enabled and matrix_synapse_enabled }}" -matrix_prometheus_scraper_postgres_enabled: "{{ prometheus_postgres_exporter_enabled }}" -matrix_prometheus_scraper_postgres_targets: "{{ [prometheus_postgres_exporter_identifier + ':' + prometheus_postgres_exporter_port | string] if matrix_prometheus_scraper_postgres_enabled else [] }}" +matrix_prometheus_services_connect_synapse_rules_download_synapse_tag: "{{ matrix_synapse_docker_image_tag }}" +matrix_prometheus_services_connect_synapse_rules_download_dir_path: "{{ prometheus_config_path }}" +matrix_prometheus_services_connect_synapse_rules_download_owner: "{{ prometheus_uid }}" +matrix_prometheus_services_connect_synapse_rules_download_group: "{{ prometheus_gid }}" -matrix_prometheus_scraper_hookshot_enabled: "{{ matrix_hookshot_metrics_enabled|default(false) }}" -matrix_prometheus_scraper_hookshot_targets: "{{ [matrix_hookshot_container_url | string +':'+ matrix_hookshot_metrics_port | string] if matrix_hookshot_metrics_enabled else [] }}" +matrix_prometheus_services_connect_scraper_synapse_enabled: "{{ matrix_synapse_enabled and matrix_synapse_metrics_enabled }}" +matrix_prometheus_services_connect_scraper_synapse_main_process_static_configs_target: "matrix-synapse:{{ matrix_synapse_metrics_port }}" +matrix_prometheus_services_connect_scraper_synapse_workers_enabled_list: "{{ matrix_synapse_workers_enabled_list }}" -matrix_prometheus_scraper_nginxlog_enabled: "{{ matrix_prometheus_nginxlog_exporter_enabled }}" -matrix_prometheus_scraper_nginxlog_server_port: "{{ 
(matrix_prometheus_nginxlog_exporter_container_hostname | string +':'+ matrix_prometheus_nginxlog_exporter_container_metrics_port | string) -| default('') }}" +matrix_prometheus_services_connect_scraper_postgres_enabled: "{{ prometheus_postgres_exporter_enabled }}" +matrix_prometheus_services_connect_scraper_postgres_static_configs_target: "{{ prometheus_postgres_exporter_identifier }}:{{ prometheus_postgres_exporter_port | string }}" + +matrix_prometheus_services_connect_scraper_hookshot_enabled: "{{ matrix_hookshot_enabled and matrix_hookshot_metrics_enabled }}" +matrix_prometheus_services_connect_scraper_hookshot_static_configs_target: "{{ matrix_hookshot_container_url }}:{{ matrix_hookshot_metrics_port | string }}" + +matrix_prometheus_services_connect_scraper_nginxlog_enabled: "{{ matrix_prometheus_nginxlog_exporter_enabled }}" +matrix_prometheus_services_connect_scraper_nginxlog_static_configs_target: "{{ matrix_prometheus_nginxlog_exporter_container_hostname }}:{{ matrix_prometheus_nginxlog_exporter_container_metrics_port | string }}" ###################################################################### # -# /matrix-prometheus +# /matrix-prometheus-services-connect # ###################################################################### + ###################################################################### # # etke/grafana @@ -3607,7 +3666,7 @@ grafana_container_additional_networks: | ( ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + - ([matrix_prometheus_container_network] if matrix_prometheus_enabled and matrix_prometheus_container_network != grafana_container_network else []) + ([prometheus_container_network] if prometheus_enabled and prometheus_container_network != grafana_container_network else []) ) | unique }} 
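Review bot: `matrix_prometheus_services_connect_scraper_synapse_main_process_static_configs_target` hard-codes the `matrix-synapse` hostname while the postgres, hookshot and nginxlog targets are derived from their identifier/hostname variables, so Synapse is the one scrape target that would silently stop resolving if its container name ever became configurable; carrying the old behaviour forward is fine, but a comment such as `# matrix-synapse is the fixed container name used by the Synapse role` would mark the asymmetry as deliberate. The rules file selected by `matrix_prometheus_services_connect_synapse_rules_download_synapse_tag: "{{ matrix_synapse_docker_image_tag }}"` is downloaded from the upstream repository at deploy time (see `..._rules_download_src_url` in the new defaults of this commit), so a custom or non-upstream image tag points at a path that does not exist, and the fetched file is loaded into Prometheus without any integrity check. Both constraints are worth a comment next to this variable so operators running a fork or a private image know to override the tag or disable `..._rules_download_enabled`.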
@@ -3628,7 +3687,7 @@ grafana_provisioning_datasources: | 'type': 'prometheus', 'access': 'proxy', 'url': 'http://matrix-prometheus:9090', - }] if matrix_prometheus_enabled else []) + }] if prometheus_enabled else []) }} grafana_dashboard_download_urls: | @@ -3665,6 +3724,8 @@ grafana_default_home_dashboard_path: |- # ###################################################################### + + ###################################################################### # # matrix-registration diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index 93e9208f0..5bf19b9d5 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml @@ -92,8 +92,9 @@ - galaxy/prometheus_node_exporter - galaxy/prometheus_postgres_exporter - custom/matrix-prometheus-nginxlog-exporter - - custom/matrix-prometheus + - galaxy/prometheus - galaxy/grafana + - custom/matrix-prometheus-services-connect - custom/matrix-prometheus-services-proxy-connect - custom/matrix-registration - custom/matrix-client-element diff --git a/requirements.yml b/requirements.yml index c15140164..ebd3fd0fc 100644 --- a/requirements.yml +++ b/requirements.yml @@ -63,3 +63,7 @@ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git name: aux version: v1.0.0-0 + +- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git + name: prometheus + version: v2.42.0-0 diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_uninstall.yml b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_uninstall.yml index 7d27cbae8..93c4aefc1 100644 --- a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_uninstall.yml 
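Review bot: The Grafana datasource `'url': 'http://matrix-prometheus:9090'` left as context in this hunk stays hard-coded even though this same commit introduces `prometheus_identifier` (defaulting to `matrix-prometheus`) and now derives the systemd unit name from it, so an operator who overrides the identifier ends up with a Prometheus container that Grafana cannot resolve. Deriving it, e.g. `'url': 'http://' + prometheus_identifier + ':9090',`, keeps the two in sync; the port is left literal here because no port variable of the external role is visible in this chunk.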
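Review bot: The new `prometheus` role is pinned to the git tag `v2.42.0-0`, and a tag can be moved or deleted upstream, so the role fetched by `just roles` is not reproducible the way the commit-SHA pin used for another entry in this file is (`version: 9b4b088c…` in the PATCH 633 hunk above). Pinning to the commit behind the tag, or recording that commit in a comment beside the tag, would make the supply-chain position explicit. The neighbouring etke.cc roles use tag pins too, so this is a file-wide policy question rather than a defect introduced only here.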
@@ -13,7 +13,7 @@ This role has added to configs in 'matrix-nginx-proxy', 'matrix-synapse-reverse-proxy-companion' and 'matrix-prometheus'. Running 'setup-synapse-reverse-proxy-companion' WILL NOT remove those settings from those roles. Run the playbook again with the `setup-all` tag or all three 'setup-nginx-proxy,setup-synapse-reverse-proxy-companion,setup-prometheus' tags while - 'matrix_prometheus_enabled: false' to rebuild their configs. + 'prometheus_enabled: false' to rebuild their configs. when: not ('setup-all' in ansible_run_tags or ('setup-nginx-proxy' in ansible_run_tags and 'setup-synapse-reverse-proxy-companion' in ansible_run_tags and 'setup-prometheus' in ansible_run_tags)) - name: Ensure matrix-prometheus-nginxlog-exporter is stopped diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/validate_config.yml b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/validate_config.yml index a8eccaeed..2e308736b 100644 --- a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/validate_config.yml +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/validate_config.yml @@ -3,9 +3,9 @@ - name: Fail if Prometheus not enabled ansible.builtin.fail: msg: > - You need to set `matrix_prometheus_enabled: true` or configure an external Prometheus database + You need to set `prometheus_enabled: true` or configure an external Prometheus database as this roles requires Prometheus for data storage. - when: not matrix_prometheus_enabled and not matrix_prometheus_nginxlog_exporter_metrics_proxying_enabled + when: not prometheus_enabled and not matrix_prometheus_nginxlog_exporter_metrics_proxying_enabled - name: Fail if docker image not availble for arch ansible.builtin.fail: diff --git a/roles/custom/matrix-prometheus-services-connect/defaults/main.yml b/roles/custom/matrix-prometheus-services-connect/defaults/main.yml new file mode 100644 index 000000000..748f88c5c --- /dev/null 
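Review bot: The message in this hunk still tells the operator that the role added configs to `'matrix-prometheus'` and to rerun with the `setup-prometheus` tag, and the `when:` clause still tests `'setup-prometheus' in ansible_run_tags`, although this commit removes the `matrix-prometheus` role in favour of the external `galaxy/prometheus` one; only the variable name was updated. If the external role registers a different tag, the advice is stale and the condition never matches, so it is worth confirming against that role and rewording the message to name it. The task this message belongs to starts before the hunk.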
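Review bot: The reworded failure message in the `validate_config.yml` hunk still reads `as this roles requires Prometheus for data storage.`; since the line is being touched anyway, `as this role requires Prometheus for data storage.` fixes the grammar. The updated `when:` condition correctly keeps the proxying alternative (`matrix_prometheus_nginxlog_exporter_metrics_proxying_enabled`) as a valid way to satisfy the check, so no logic change is needed.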
+++ b/roles/custom/matrix-prometheus-services-connect/defaults/main.yml 
@@ -0,0 +1,144 @@ +--- + +# matrix-prometheus-services-connect is a role which helps integrate +# the various Matrix services with the Prometheus role. + +# Controls whether Synapse integration should be done +matrix_prometheus_services_connect_synapse_enabled: false + +# Controls whether the synapse rules shall be loaded into Prometheus +matrix_prometheus_services_connect_synapse_rules_enabled: "{{ matrix_prometheus_services_connect_synapse_enabled }}" + +# Controls whether the synapse rules shall be downloaded +matrix_prometheus_services_connect_synapse_rules_download_enabled: "{{ matrix_prometheus_services_connect_synapse_rules_enabled }}" +matrix_prometheus_services_connect_synapse_rules_download_synapse_tag: master +matrix_prometheus_services_connect_synapse_rules_download_src_url: "https://raw.githubusercontent.com/matrix-org/synapse/{{ matrix_prometheus_services_connect_synapse_rules_download_synapse_tag }}/contrib/prometheus/synapse-v2.rules" +matrix_prometheus_services_connect_synapse_rules_download_dir_path: '' +matrix_prometheus_services_connect_synapse_rules_download_owner: '' +matrix_prometheus_services_connect_synapse_rules_download_group: '' + +# Controls whether Synapse shall be scraped +matrix_prometheus_services_connect_scraper_synapse_enabled: false + +# Controls scraping the Synapse processes +matrix_prometheus_services_connect_scraper_synapse_job_name: synapse +matrix_prometheus_services_connect_scraper_synapse_metrics_path: /_synapse/metrics +matrix_prometheus_services_connect_scraper_synapse_scrape_interval: 15s +matrix_prometheus_services_connect_scraper_synapse_scrape_timeout: 15s + +matrix_prometheus_services_connect_scraper_synapse_configs: | + {{ + [{ + 'job_name': matrix_prometheus_services_connect_scraper_synapse_job_name, + 'metrics_path': matrix_prometheus_services_connect_scraper_synapse_metrics_path, + 'scrape_interval': matrix_prometheus_services_connect_scraper_synapse_scrape_interval, + 'scrape_timeout': 
matrix_prometheus_services_connect_scraper_synapse_scrape_timeout, + 'static_configs': matrix_prometheus_services_connect_scraper_synapse_static_configs, + }] + }} + +matrix_prometheus_services_connect_scraper_synapse_static_configs: | + {{ + (matrix_prometheus_services_connect_scraper_synapse_main_process_static_configs if matrix_prometheus_services_connect_scraper_synapse_main_process_enabled else []) + + + (matrix_prometheus_services_connect_scraper_synapse_workers_static_configs if matrix_prometheus_services_connect_scraper_synapse_workers_enabled else []) + }} + +# Controls whether the Synapse main process shall be scraped +matrix_prometheus_services_connect_scraper_synapse_main_process_enabled: "{{ matrix_prometheus_services_connect_scraper_synapse_enabled }}" + +matrix_prometheus_services_connect_scraper_synapse_main_process_static_configs: | + {{ + [{ + 'targets': [matrix_prometheus_services_connect_scraper_synapse_main_process_static_configs_target], + 'labels': { + 'instance': matrix_prometheus_services_connect_scraper_synapse_main_process_static_configs_instance, + 'job': matrix_prometheus_services_connect_scraper_synapse_main_process_static_configs_job, + 'index': 0, + } + }] + }} +matrix_prometheus_services_connect_scraper_synapse_main_process_static_configs_target: '' +matrix_prometheus_services_connect_scraper_synapse_main_process_static_configs_instance: "{{ matrix_domain }}" +matrix_prometheus_services_connect_scraper_synapse_main_process_static_configs_job: master + +# Controls whether Synapse workers shall be scraped +matrix_prometheus_services_connect_scraper_synapse_workers_enabled: "{{ matrix_prometheus_services_connect_scraper_synapse_enabled and matrix_prometheus_services_connect_scraper_synapse_workers_enabled_list | length > 0 }}" + +matrix_prometheus_services_connect_scraper_synapse_workers_enabled_list: [] + +matrix_prometheus_services_connect_scraper_synapse_workers_static_configs_as_yaml: | + {% for worker in 
matrix_prometheus_services_connect_scraper_synapse_workers_enabled_list %} + {% if worker.metrics_port != 0 %} + - targets: ['{{ worker.name }}:{{ worker.metrics_port }}'] + labels: + instance: {{ matrix_prometheus_services_connect_scraper_synapse_workers_static_configs_instance | to_json }} + worker_id: {{ worker.id | to_json }} + job: {{ worker.type | to_json }} + app: {{ worker.app | to_json }} + {% endif %} + {% endfor %} + +matrix_prometheus_services_connect_scraper_synapse_workers_static_configs_instance: "{{ matrix_domain }}" + +matrix_prometheus_services_connect_scraper_synapse_workers_static_configs: "{{ [] if matrix_prometheus_services_connect_scraper_synapse_workers_enabled_list | length == 0 else matrix_prometheus_services_connect_scraper_synapse_workers_static_configs_as_yaml | from_yaml }}" + +# Controls whether Postgres (postgres-exporter) shall be scraped +matrix_prometheus_services_connect_scraper_postgres_enabled: false +matrix_prometheus_services_connect_scraper_postgres_job_name: postgres +matrix_prometheus_services_connect_scraper_postgres_metrics_path: /metrics +matrix_prometheus_services_connect_scraper_postgres_scrape_interval: 15s +matrix_prometheus_services_connect_scraper_postgres_scrape_timeout: 15s +matrix_prometheus_services_connect_scraper_postgres_static_configs: "{{ [{'targets': [matrix_prometheus_services_connect_scraper_postgres_static_configs_target]}] }}" +matrix_prometheus_services_connect_scraper_postgres_static_configs_target: '' +# The final scrape config for the Postgers scraper +matrix_prometheus_services_connect_scraper_postgres_scrape_configs: | + {{ + [{ + 'job_name': matrix_prometheus_services_connect_scraper_postgres_job_name, + 'metrics_path': matrix_prometheus_services_connect_scraper_postgres_metrics_path, + 'scrape_interval': matrix_prometheus_services_connect_scraper_postgres_scrape_interval, + 'scrape_timeout': matrix_prometheus_services_connect_scraper_postgres_scrape_timeout, + 'static_configs': 
matrix_prometheus_services_connect_scraper_postgres_static_configs, + }] + }} + +# Controls whether Hookshot shall be scraped +matrix_prometheus_services_connect_scraper_hookshot_enabled: false +matrix_prometheus_services_connect_scraper_hookshot_job_name: hookshot +matrix_prometheus_services_connect_scraper_hookshot_metrics_path: /metrics +matrix_prometheus_services_connect_scraper_hookshot_scrape_interval: 15s +matrix_prometheus_services_connect_scraper_hookshot_scrape_timeout: 15s +matrix_prometheus_services_connect_scraper_hookshot_static_configs: "{{ [{'targets': [matrix_prometheus_services_connect_scraper_hookshot_static_configs_target]}] }}" +matrix_prometheus_services_connect_scraper_hookshot_static_configs_target: '' +# The final scrape config for the Hookshot scraper +matrix_prometheus_services_connect_scraper_hookshot_scrape_configs: | + {{ + [{ + 'job_name': matrix_prometheus_services_connect_scraper_hookshot_job_name, + 'metrics_path': matrix_prometheus_services_connect_scraper_hookshot_metrics_path, + 'scrape_interval': matrix_prometheus_services_connect_scraper_hookshot_scrape_interval, + 'scrape_timeout': matrix_prometheus_services_connect_scraper_hookshot_scrape_timeout, + 'static_configs': matrix_prometheus_services_connect_scraper_hookshot_static_configs, + }] + }} + +# Controls whether nginxlog shall be scraped +matrix_prometheus_services_connect_scraper_nginxlog_enabled: false +matrix_prometheus_services_connect_scraper_nginxlog_job_name: nginxlog +matrix_prometheus_services_connect_scraper_nginxlog_metrics_path: /metrics +matrix_prometheus_services_connect_scraper_nginxlog_scrape_interval: 15s +matrix_prometheus_services_connect_scraper_nginxlog_scrape_timeout: 15s +matrix_prometheus_services_connect_scraper_nginxlog_static_configs: "{{ [{'targets': [matrix_prometheus_services_connect_scraper_nginxlog_static_configs_target]}] }}" +matrix_prometheus_services_connect_scraper_nginxlog_static_configs_target: '' +# The final scrape config for the 
nginxlog scraper +matrix_prometheus_services_connect_scraper_nginxlog_scrape_configs: | + {{ + [{ + 'job_name': matrix_prometheus_services_connect_scraper_nginxlog_job_name, + 'metrics_path': matrix_prometheus_services_connect_scraper_nginxlog_metrics_path, + 'scrape_interval': matrix_prometheus_services_connect_scraper_nginxlog_scrape_interval, + 'scrape_timeout': matrix_prometheus_services_connect_scraper_nginxlog_scrape_timeout, + 'static_configs': matrix_prometheus_services_connect_scraper_nginxlog_static_configs, + }] + }} diff --git a/roles/custom/matrix-prometheus-services-connect/tasks/install_synapse_rules.yml b/roles/custom/matrix-prometheus-services-connect/tasks/install_synapse_rules.yml new file mode 100644 index 000000000..78b218aca --- /dev/null +++ b/roles/custom/matrix-prometheus-services-connect/tasks/install_synapse_rules.yml @@ -0,0 +1,14 @@ +--- + +- name: Download synapse-v2.rules + ansible.builtin.get_url: + url: "{{ matrix_prometheus_services_connect_synapse_rules_download_src_url }}" + dest: "{{ matrix_prometheus_services_connect_synapse_rules_download_dir_path }}/synapse-v2.rules" + force: true + mode: 0440 + owner: "{{ matrix_prometheus_services_connect_synapse_rules_download_owner }}" + group: "{{ matrix_prometheus_services_connect_synapse_rules_download_group }}" + register: result + retries: "{{ devture_playbook_help_geturl_retries_count }}" + delay: "{{ devture_playbook_help_geturl_retries_delay }}" + until: result is not failed diff --git a/roles/custom/matrix-prometheus-services-connect/tasks/main.yml b/roles/custom/matrix-prometheus-services-connect/tasks/main.yml new file mode 100644 index 000000000..f2c22b7f4 --- /dev/null +++ b/roles/custom/matrix-prometheus-services-connect/tasks/main.yml 
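Review bot: The Synapse scrape config variable is named `matrix_prometheus_services_connect_scraper_synapse_configs`, while the postgres, hookshot and nginxlog equivalents in the same file are all `matrix_prometheus_services_connect_scraper_<name>_scrape_configs`, so the synapse one is the odd one out for anyone assembling the four into a Prometheus configuration. Renaming it to `matrix_prometheus_services_connect_scraper_synapse_scrape_configs` and giving it the same `# The final scrape config for the Synapse scraper` comment the other three carry would keep them consistent. The comment above the postgres block also misspells the service: `# The final scrape config for the Postgers scraper` should read `Postgres`. Separately, the defaults that are required but ship as `''` (`..._synapse_rules_download_dir_path`, `..._download_owner`, `..._download_group` and the four `..._static_configs_target` values) carry no hint that a caller must fill them in; a one-line `# Required. An empty value is not valid; the playbook is expected to set this.` above each would help anyone using the role on its own.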
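Review bot: The `get_url` task fetches `synapse-v2.rules` with `force: true` and no `checksum`, and this role's default source URL is built from `matrix_prometheus_services_connect_synapse_rules_download_synapse_tag: master`, so every playbook run overwrites the Prometheus rules file with whatever that mutable branch currently serves, with no integrity check beyond the TLS connection to raw.githubusercontent.com. Because these rules drive alert evaluation, an upstream change (malicious or merely broken) silently alters alerting behaviour on the next run without any diff being shown to the operator. Consider pinning the default tag to a Synapse release and adding `checksum: "{{ matrix_prometheus_services_connect_synapse_rules_download_checksum | default(omit) }}"` (with a matching default holding a `sha256:` value) so the fetched file can be pinned; with a checksum in place `get_url` can presumably skip the download when the file already matches, which would also make `force: true` unnecessary. The task file is complete in the hunk.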
@@ -0,0 +1,11 @@ +--- + +- tags: + - setup-all + - setup-prometheus + - setup-prometheus-services-connect + - install-all + - install-prometheus-services-connect + block: + - when: matrix_prometheus_services_connect_synapse_rules_download_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/install_synapse_rules.yml" diff --git a/roles/custom/matrix-prometheus/defaults/main.yml b/roles/custom/matrix-prometheus/defaults/main.yml deleted file mode 100644 index fddacfb45..000000000 --- a/roles/custom/matrix-prometheus/defaults/main.yml +++ /dev/null 
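Review bot: The new role's entry point includes `install_synapse_rules.yml` without any configuration validation, whereas the `matrix-prometheus` role deleted in this same commit had a `validate_config.yml` that failed on required settings left at `''`. With this role's own defaults `..._synapse_rules_download_dir_path`, `..._download_owner` and `..._download_group` all defaulting to an empty string, a run with `..._synapse_rules_download_enabled: true` and nothing overriding them would have `get_url` write `/synapse-v2.rules` at the filesystem root with an empty owner and group. A fail task in the same block, guarded on the download flag and placed before the include, catches that before anything touches the filesystem; whatever playbook-level group_vars wiring presumably fills these values in is not visible here.

```yaml
  block:
    - name: Fail if required synapse rules download settings not defined
      ansible.builtin.fail:
        msg: "You need to define a required configuration setting (`{{ item }}`)."
      when: matrix_prometheus_services_connect_synapse_rules_download_enabled | bool and vars[item] == ''
      with_items:
        - matrix_prometheus_services_connect_synapse_rules_download_dir_path
        - matrix_prometheus_services_connect_synapse_rules_download_owner
        - matrix_prometheus_services_connect_synapse_rules_download_group

    # … unchanged: conditional include of install_synapse_rules.yml …
```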
@@ -1,90 +0,0 @@ ---- -# matrix-prometheus is an open-source systems monitoring and alerting toolkit -# See: https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md -# Project source code URL: https://github.com/prometheus/prometheus - -matrix_prometheus_enabled: false - -matrix_prometheus_version: v2.42.0 -matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" -matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" - -matrix_prometheus_base_path: "{{ matrix_base_data_path }}/prometheus" -matrix_prometheus_config_path: "{{ matrix_prometheus_base_path }}/config" -matrix_prometheus_data_path: "{{ matrix_prometheus_base_path }}/data" - -# A list of extra arguments to pass to the container -matrix_prometheus_container_extra_arguments: [] - -# List of systemd services that matrix-prometheus.service depends on -matrix_prometheus_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-prometheus.service wants -matrix_prometheus_systemd_wanted_services_list: [] - -# The base container network. It will be auto-created by this role if it doesn't exist already. -matrix_prometheus_container_network: '' - -# A list of additional container networks that the container would be connected to. -# The role does not create these networks, so make sure they already exist. -# Use this to expose this container to another reverse proxy, which runs in a different container network. -matrix_prometheus_container_additional_networks: [] - -# Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9090 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:9090"), or empty string to not expose. 
-matrix_prometheus_container_http_host_bind_port: '' - -# A list of default arguments to pass to the prometheus process -matrix_prometheus_process_default_arguments: - - "--config.file=/etc/prometheus/prometheus.yml" - - "--storage.tsdb.path=/prometheus" - - "--web.console.libraries=/usr/share/prometheus/console_libraries" - - "--web.console.templates=/usr/share/prometheus/consoles" - -# A list of extra arguments to pass to the prometheus process -matrix_prometheus_process_extra_arguments: [] - -# holds the final list of process arguments -matrix_prometheus_process_arguments: "{{ matrix_prometheus_process_default_arguments + matrix_prometheus_process_extra_arguments }}" - -# Tells whether the "synapse" scraper configuration is enabled. -matrix_prometheus_scraper_synapse_enabled: false - -# Tells whether to download and load a Synapse rules file -matrix_prometheus_scraper_synapse_rules_enabled: "{{ matrix_prometheus_scraper_synapse_enabled }}" -matrix_prometheus_scraper_synapse_rules_synapse_tag: "master" -matrix_prometheus_scraper_synapse_rules_download_url: "https://raw.githubusercontent.com/matrix-org/synapse/{{ matrix_prometheus_scraper_synapse_rules_synapse_tag }}/contrib/prometheus/synapse-v2.rules" - -matrix_prometheus_scraper_synapse_targets: [] -matrix_prometheus_scraper_synapse_workers_enabled_list: [] - -# Tells whether the "node" scraper configuration is enabled. -# This configuration aims to scrape the current node (this server). -matrix_prometheus_scraper_node_enabled: false - -# Target addresses for the "node" scraper configuration. -# Unless you define this as a non-empty list, it gets populated at runtime with the IP address of `matrix-prometheus-node-exporter` and port 9100. -matrix_prometheus_scraper_node_targets: [] - -# Default prometheus configuration template which covers the generic use case. -# You can customize it by controlling the various variables inside it. 
-# -# For a more advanced customization, you can extend the default (see `matrix_prometheus_configuration_extension_yaml`) -# or completely replace this variable with your own template. -matrix_prometheus_configuration_yaml: "{{ lookup('template', 'templates/prometheus.yml.j2') }}" - -matrix_prometheus_configuration_extension_yaml: | - # Your custom YAML configuration goes here. - # This configuration extends the default starting configuration (`matrix_prometheus_configuration_yaml`). - # - # You can override individual variables from the default configuration, or introduce new ones. - # - # If you need something more special, you can take full control by - # completely redefining `matrix_prometheus_configuration_yaml`. - -matrix_prometheus_configuration_extension: "{{ matrix_prometheus_configuration_extension_yaml | from_yaml if matrix_prometheus_configuration_extension_yaml | from_yaml is mapping else {} }}" - -# Holds the final configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `matrix_prometheus_configuration_yaml`. -matrix_prometheus_configuration: "{{ matrix_prometheus_configuration_yaml | from_yaml | combine(matrix_prometheus_configuration_extension, recursive=True) }}" diff --git a/roles/custom/matrix-prometheus/tasks/main.yml b/roles/custom/matrix-prometheus/tasks/main.yml deleted file mode 100644 index bbd820014..000000000 --- a/roles/custom/matrix-prometheus/tasks/main.yml +++ /dev/null 
@@ -1,20 +0,0 @@ ---- - -- tags: - - setup-all - - setup-prometheus - - install-all - - install-prometheus - block: - - when: matrix_prometheus_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - - - when: matrix_prometheus_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - -- tags: - - setup-all - - setup-prometheus - block: - - when: not matrix_prometheus_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-prometheus/tasks/setup_install.yml b/roles/custom/matrix-prometheus/tasks/setup_install.yml deleted file mode 100644 index f606e268e..000000000 --- a/roles/custom/matrix-prometheus/tasks/setup_install.yml +++ /dev/null 
@@ -1,57 +0,0 @@ ---- - -- name: Ensure matrix-prometheus image is pulled - community.docker.docker_image: - name: "{{ matrix_prometheus_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_prometheus_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_prometheus_docker_image_force_pull }}" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure Prometheus paths exists - ansible.builtin.file: - path: "{{ item }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_prometheus_base_path }}" - - "{{ matrix_prometheus_config_path }}" - - "{{ matrix_prometheus_data_path }}" - -- name: Download synapse-v2.rules - ansible.builtin.get_url: - url: "{{ matrix_prometheus_scraper_synapse_rules_download_url }}" - dest: "{{ matrix_prometheus_config_path }}/synapse-v2.rules" - force: true - mode: 0440 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: "matrix_prometheus_scraper_synapse_rules_enabled | bool" - register: result - retries: "{{ devture_playbook_help_geturl_retries_count }}" - delay: "{{ devture_playbook_help_geturl_retries_delay }}" - until: result is not failed - -- name: Ensure prometheus.yml installed - ansible.builtin.copy: - content: "{{ matrix_prometheus_configuration | to_nice_yaml(indent=2, width=999999) }}" - dest: "{{ matrix_prometheus_config_path }}/prometheus.yml" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure Prometheus container network is created - community.general.docker_network: - name: "{{ 
matrix_prometheus_container_network }}" - driver: bridge - -- name: Ensure matrix-prometheus.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-prometheus.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus.service" - mode: 0644 diff --git a/roles/custom/matrix-prometheus/tasks/setup_uninstall.yml b/roles/custom/matrix-prometheus/tasks/setup_uninstall.yml deleted file mode 100644 index 9d13d2160..000000000 --- a/roles/custom/matrix-prometheus/tasks/setup_uninstall.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- - -- name: Check existence of matrix-prometheus service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus.service" - register: matrix_prometheus_service_stat - -- when: matrix_prometheus_service_stat.stat.exists | bool - block: - - name: Ensure matrix-prometheus is stopped - ansible.builtin.service: - name: matrix-prometheus - state: stopped - enabled: false - daemon_reload: true - - - name: Ensure matrix-prometheus.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-prometheus.service" - state: absent diff --git a/roles/custom/matrix-prometheus/tasks/validate_config.yml b/roles/custom/matrix-prometheus/tasks/validate_config.yml deleted file mode 100644 index 49121e7e0..000000000 --- a/roles/custom/matrix-prometheus/tasks/validate_config.yml +++ /dev/null 
@@ -1,15 +0,0 @@ ---- - -- name: Fail if Synapse metrics or Prometheus Node Exporter not enabled - ansible.builtin.fail: - msg: > - You need to enable `matrix_prometheus_scraper_synapse_enabled` and/or `matrix_prometheus_scraper_node_enabled` for Prometheus grab metrics. - when: "not matrix_prometheus_scraper_synapse_enabled and not matrix_prometheus_scraper_node_enabled" - -- name: Fail if required Prometheus settings not defined - ansible.builtin.fail: - msg: > - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" - with_items: - - matrix_prometheus_container_network diff --git a/roles/custom/matrix-prometheus/templates/prometheus.yml.j2 b/roles/custom/matrix-prometheus/templates/prometheus.yml.j2 deleted file mode 100644 index 6ed7cd922..000000000 --- a/roles/custom/matrix-prometheus/templates/prometheus.yml.j2 +++ /dev/null 
@@ -1,73 +0,0 @@ -#jinja2: lstrip_blocks: "True" -global: - scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute. - evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute. - # scrape_timeout is set to the global default (10s). - -# Load rules once and periodically evaluate them according to the global 'evaluation_interval'. -rule_files: - {% if matrix_prometheus_scraper_synapse_rules_enabled %} - - 'synapse-v2.rules' - {% endif %} - -# A scrape configuration containing exactly one endpoint to scrape: -# Here it's Prometheus itself. -scrape_configs: - # The job name is added as a label `job=` to any timeseries scraped from this config. - - job_name: 'prometheus' - - # Override the global default and scrape targets from this job every 5 seconds. - scrape_interval: 5s - scrape_timeout: 5s - - # metrics_path defaults to '/metrics' - # scheme defaults to 'http'. - - static_configs: - - targets: ['localhost:9090'] - - {% if matrix_prometheus_scraper_synapse_enabled %} - - job_name: 'synapse' - metrics_path: '/_synapse/metrics' - static_configs: - - targets: {{ matrix_prometheus_scraper_synapse_targets|to_json }} - labels: - instance: {{ matrix_domain | to_json }} - job: master - index: 0 - {% for worker in matrix_prometheus_scraper_synapse_workers_enabled_list %} - {% if worker.metrics_port != 0 %} - - targets: ['{{ worker.name }}:{{ worker.metrics_port }}'] - labels: - instance: {{ matrix_domain | to_json }} - worker_id: {{ worker.id | to_json }} - job: {{ worker.type | to_json }} - app: {{ worker.app | to_json }} - {% endif %} - {% endfor %} - {% endif %} - - {% if matrix_prometheus_scraper_node_enabled %} - - job_name: node - static_configs: - - targets: {{ matrix_prometheus_scraper_node_targets|to_json }} - {% endif %} - - {% if matrix_prometheus_scraper_postgres_enabled %} - - job_name: postgres - static_configs: - - targets: {{ matrix_prometheus_scraper_postgres_targets|to_json }} - {% 
endif %} - - {% if matrix_prometheus_scraper_hookshot_enabled %} - - job_name: hookshot - static_configs: - - targets: {{ matrix_prometheus_scraper_hookshot_targets|to_json }} - {% endif %} - - {% if matrix_prometheus_scraper_nginxlog_enabled %} - - job_name: nginxlog - static_configs: - - targets: - - {{ matrix_prometheus_scraper_nginxlog_server_port}} - {% endif %} diff --git a/roles/custom/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 b/roles/custom/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 deleted file mode 100644 index 2b716db6b..000000000 --- a/roles/custom/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 +++ /dev/null 
@@ -1,51 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=matrix-prometheus -{% for service in matrix_prometheus_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_prometheus_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-prometheus 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-prometheus 2>/dev/null || true' - -ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ - --rm \ - --name=matrix-prometheus \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - --network={{ matrix_prometheus_container_network }} \ - {% if matrix_prometheus_container_http_host_bind_port %} - -p {{ matrix_prometheus_container_http_host_bind_port }}:9090 \ - {% endif %} - -v {{ matrix_prometheus_config_path }}:/etc/prometheus:z \ - -v {{ matrix_prometheus_data_path }}:/prometheus:z \ - {% for arg in matrix_prometheus_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_prometheus_docker_image }} {{ matrix_prometheus_process_arguments|join(' ') }} - -{% for network in matrix_prometheus_container_additional_networks %} -ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-prometheus -{% endfor %} - -ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-prometheus - -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-prometheus 2>/dev/null || true' -ExecStop=-{{ 
devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-prometheus 2>/dev/null || true' - -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-prometheus - -[Install] -WantedBy=multi-user.target diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index 9c9585057..250b3e965 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml 
@@ -39,6 +39,25 @@ - {'old': 'matrix_playbook_traefik_certs_dumper_role_enabled', 'new': 'devture_traefik_certs_dumper_enabled'} - {'old': 'matrix_playbook_traefik_role_enabled', 'new': 'devture_traefik_enabled'} + # Most important variables from the old Prometheus role here, for people who miss the changelog entry + - {'old': 'matrix_prometheus_enabled', 'new': 'prometheus_enabled'} + - {'old': 'matrix_prometheus_process_default_arguments', 'new': 'prometheus_process_default_arguments'} + - {'old': 'matrix_prometheus_process_extra_arguments', 'new': 'prometheus_process_extra_arguments'} + - {'old': 'matrix_prometheus_configuration_extension_yaml', 'new': 'prometheus_configuration_extension_yaml'} + - {'old': 'matrix_prometheus_scraper_synapse_enabled', 'new': 'matrix_prometheus_services_connect_synapse_enabled'} + - {'old': 'matrix_prometheus_scraper_synapse_targets', 'new': ''} + - {'old': 'matrix_prometheus_scraper_synapse_workers_enabled_list', 'new': 'matrix_prometheus_services_connect_scraper_synapse_workers_enabled_list'} + - {'old': 'matrix_prometheus_scraper_synapse_rules_synapse_tag', 'new': 'matrix_prometheus_services_connect_synapse_rules_download_synapse_tag'} + - {'old': 'matrix_prometheus_scraper_node_enabled', 'new': 'prometheus_self_node_scraper_enabled'} + - {'old': 'matrix_prometheus_scraper_node_targets', 'new': ''} + - {'old': 'matrix_prometheus_scraper_postgres_enabled', 'new': 'matrix_prometheus_services_connect_scraper_postgres_enabled'} + - {'old': 'matrix_prometheus_scraper_postgres_targets', 'new': ''} + - {'old': 'matrix_prometheus_scraper_hookshot_enabled', 'new': 'matrix_prometheus_services_connect_scraper_hookshot_enabled'} + - {'old': 'matrix_prometheus_scraper_hookshot_targets', 'new': ''} + - {'old': 'matrix_prometheus_scraper_nginxlog_enabled', 'new': 'matrix_prometheus_services_connect_scraper_nginxlog_enabled'} + - {'old': 'matrix_prometheus_scraper_nginxlog_server_port', 'new': 
'matrix_prometheus_services_connect_scraper_nginxlog_static_configs_target'} + - {'old': 'XXXXX', 'new': 'XXXXX'} + - name: (Deprecation) Catch and report matrix_postgres variables ansible.builtin.fail: msg: |- From 5c0cc0168cb0222f8f67624c457b02f20886d2db Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 21 Mar 2023 17:59:58 +0000 Subject: [PATCH 635/915] Update prometheus v2.42.0 -> v2.43.0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index ebd3fd0fc..23cb3a98d 100644 --- a/requirements.yml +++ b/requirements.yml @@ -66,4 +66,4 @@ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git name: prometheus - version: v2.42.0-0 + version: v2.43.0-0 From 38fc864745f438f935e8287315a478d673ac1813 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 21 Mar 2023 18:00:38 +0000 Subject: [PATCH 636/915] Update hookshot 3.0.0 -> 3.0.1 --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 2113f53ab..17567c3b4 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml 
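Review bot: The last added entry `- {'old': 'XXXXX', 'new': 'XXXXX'}` is a leftover placeholder and should be dropped before this ships; it is harmless only because no inventory is likely to define a variable literally named `XXXXX`, but it sits in a list that is presented to users as authoritative. Several entries also map an old variable to `'new': ''` (`matrix_prometheus_scraper_synapse_targets`, `matrix_prometheus_scraper_node_targets`, `matrix_prometheus_scraper_postgres_targets`, `matrix_prometheus_scraper_hookshot_targets`), so the failure message, whose template lies above this hunk, presumably tells the user to migrate to an empty variable name. A human-readable sentinel such as `'new': '(no replacement; the target is now derived automatically)'` would make those four cases self-explanatory. The task's `name`, `msg` and loop header start outside the hunk.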
@@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git" matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}" -matrix_hookshot_version: 3.0.0 +matrix_hookshot_version: 3.0.1 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}" matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}" From 045542be764997d43bbce6f6116c15ffe9427d13 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 21 Mar 2023 18:03:53 +0000 Subject: [PATCH 637/915] Update redis 7.0.9 -> 7.0.10 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index ebd3fd0fc..d6578fb2d 100644 --- a/requirements.yml +++ b/requirements.yml @@ -46,7 +46,7 @@ version: v2.2.0-0 - src: git+https://gitlab.com/etke.cc/roles/redis.git - version: v7.0.9-0 + version: v7.0.10-0 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git version: v1.8.18-2 From 7a7c75c6a442e73a73aab4e7784e5218f336a2f9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 22 Mar 2023 07:43:47 +0200 Subject: [PATCH 638/915] Upgrade prometheus_postgres_exporter (v0.11.1-2 -> v0.12.0-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 69c9f8e76..d395410d7 100644 --- a/requirements.yml +++ b/requirements.yml @@ -34,7 +34,7 @@ version: v1.5.0-6 - src: git+https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter.git - version: v0.11.1-2 + version: v0.12.0-0 - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git version: v1.2.3-1.7.9-0 
From c222391e7756e064c319d3172d9876c18840f170 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 22 Mar 2023 07:46:53 +0200 Subject: [PATCH 639/915] Upgrade Traefik (v2.9.8-2 -> v2.9.9-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index d395410d7..91d16dae2 100644 --- a/requirements.yml +++ b/requirements.yml @@ -55,7 +55,7 @@ version: v0.1.1-1 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: v2.9.8-2 + version: v2.9.9-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: v2.8.1-0 From 69b2df629b5020a13c1c14ee7d98d0f9beefd1d8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 22 Mar 2023 08:04:25 +0200 Subject: [PATCH 640/915] Enable some recommended Coturn options in an effort to lower DDoS amplification factor Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2592 --- roles/custom/matrix-coturn/defaults/main.yml | 14 ++++++++++++++ .../matrix-coturn/templates/turnserver.conf.j2 | 12 ++++++++++++ 2 files changed, 26 insertions(+) diff --git a/roles/custom/matrix-coturn/defaults/main.yml b/roles/custom/matrix-coturn/defaults/main.yml index 9922f1d01..ee662b25d 100644 --- a/roles/custom/matrix-coturn/defaults/main.yml +++ b/roles/custom/matrix-coturn/defaults/main.yml 
@@ -112,11 +112,25 @@ matrix_coturn_user_quota: null matrix_coturn_total_quota: null # Controls whether `no-tcp-relay` is added to the configuration +# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L419-L422 matrix_coturn_no_tcp_relay_enabled: true # Controls whether `no-multicast-peers` is added to the configuration +# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L629-L632 matrix_coturn_no_multicast_peers_enabled: true +# Controls whether `no-rfc5780` is added to the configuration +# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L770-L781 +matrix_coturn_no_rfc5780_enabled: true + +# Controls whether `no-stun-backward-compatibility` is added to the configuration +# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L783-L789 +matrix_coturn_no_stun_backward_compatibility_enabled: true + +# Controls whether `response-origin-only-with-rfc5780` is added to the configuration +# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L791-L796 +matrix_coturn_response_origin_only_with_rfc5780_enabled: true + # Additional configuration to be passed to turnserver.conf # Example: # matrix_coturn_additional_configuration: | diff --git a/roles/custom/matrix-coturn/templates/turnserver.conf.j2 b/roles/custom/matrix-coturn/templates/turnserver.conf.j2 index dfc3a87d5..3ed7b99fa 100644 --- a/roles/custom/matrix-coturn/templates/turnserver.conf.j2 +++ b/roles/custom/matrix-coturn/templates/turnserver.conf.j2 
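Review bot: The three new `matrix_coturn_*_enabled` toggles default to `true`, but the comments above them only link to coturn's example config and do not record why the playbook turns them on (the DDoS amplification concern from the commit message) or that `no-rfc5780` also switches off RFC 5780 NAT behaviour discovery for clients that may rely on it. A line such as `# Enabled by default to reduce the DDoS amplification factor (see https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2592); disable if you need RFC 5780 NAT discovery.` above the `no-rfc5780` toggle would give operators the context to decide. The same applies to the mirrored `{% if %}` blocks added to `turnserver.conf.j2` in the next hunk, so no separate note there. Since the rendered config changes for existing deployments, a CHANGELOG entry would also be appropriate.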
@@ -35,6 +35,18 @@ prod no-tcp-relay {% endif %} +{% if matrix_coturn_no_rfc5780_enabled %} +no-rfc5780 +{% endif %} + +{% if matrix_coturn_no_stun_backward_compatibility_enabled %} +no-stun-backward-compatibility +{% endif %} + +{% if matrix_coturn_response_origin_only_with_rfc5780_enabled %} +response-origin-only-with-rfc5780 +{% endif %} + {% if matrix_coturn_user_quota != None %} user-quota={{ matrix_coturn_user_quota }} {% endif %} From 87b74e6c3e01f488b2ade1e1998f4e737c73b842 Mon Sep 17 00:00:00 2001 From: Felix Stupp Date: Wed, 22 Mar 2023 09:14:36 +0000 Subject: [PATCH 641/915] ntfy doc: Describe web app & how to enable it See #2529 --- docs/configuring-playbook-ntfy.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/configuring-playbook-ntfy.md b/docs/configuring-playbook-ntfy.md index 27d2fb122..1311afc97 100644 --- a/docs/configuring-playbook-ntfy.md +++ b/docs/configuring-playbook-ntfy.md @@ -21,6 +21,9 @@ ntfy_enabled: true # Uncomment the line below and change it, if you'd like. # matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}" +# Uncomment to enable the ntfy web app (disabled by default) +# ntfy_web_root: app # defaults to "disable" + # Uncomment and change to inject additional configuration options. # ntfy_configuration_extension_yaml: | # log_level: DEBUG 
@@ -81,6 +84,12 @@ If the matrix app asks, "Choose a distributor: FCM Fallback or ntfy", then choos If the matrix app doesn't seem to pick it up, try restarting it and try the Troubleshooting section below. +### Web App + +ntfy has also an web app to subscribe and push to topics from the browser. This may be helpful to further troubleshoot UnifiedPush problems or to use ntfy for other purposes. The web app only runs in the browser locally (after downloading the JavaScript). + +The web app is disabled in this playbook by default as the expectation is that most users won't use it. You can either use the [official hosted one](https://ntfy.sh/app) (it supports using other public reachable ntfy instances) or host it yourself by setting `ntfy_web_root: "app"` and re-running Ansible. + ## Troubleshooting From e29af490c08b2b651230158738423b3c1dec95f2 Mon Sep 17 00:00:00 2001 From: Felix Stupp Date: Wed, 22 Mar 2023 09:21:29 +0000 Subject: [PATCH 642/915] CHANGELOG: Add disabled ntfy web app See #2529 --- CHANGELOG.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0c9de0ac3..7a7995e0e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2023-03-22 + +## ntfy Web App is disabled by default + +ntfy provides a web app, which is now disabled by default, because it may be unknown to and unused by most users of this playbook. You can enable it by setting `ntfy_web_root: "app"` (see [ntfy documentation](docs/configuring-playbook-ntfy.md)). + +This change was already applied a while before this entry, but as some users were reporting the missing web app, this entry was added (see [#2529](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2529)). + + # 2023-03-21 ## The matrix-prometheus role lives independently now From a54d8f82a0b7923f5ac9234f92c8eb34a8a97541 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Wed, 22 Mar 2023 11:28:34 +0200 Subject: [PATCH 643/915] Update configuring-playbook-ntfy.md --- docs/configuring-playbook-ntfy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-ntfy.md b/docs/configuring-playbook-ntfy.md index 1311afc97..c5549dbf4 100644 --- a/docs/configuring-playbook-ntfy.md +++ b/docs/configuring-playbook-ntfy.md @@ -86,7 +86,7 @@ If the matrix app doesn't seem to pick it up, try restarting it and try the Trou ### Web App -ntfy has also an web app to subscribe and push to topics from the browser. This may be helpful to further troubleshoot UnifiedPush problems or to use ntfy for other purposes. The web app only runs in the browser locally (after downloading the JavaScript). +ntfy also has a web app to subscribe to and push to topics from the browser. This may be helpful to further troubleshoot UnifiedPush problems or to use ntfy for other purposes. The web app only runs in the browser locally (after downloading the JavaScript). The web app is disabled in this playbook by default as the expectation is that most users won't use it. You can either use the [official hosted one](https://ntfy.sh/app) (it supports using other public reachable ntfy instances) or host it yourself by setting `ntfy_web_root: "app"` and re-running Ansible. From 7be8943b642960b2ef3759a3df8d441c4838909a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 22 Mar 2023 17:53:57 +0200 Subject: [PATCH 644/915] Pin matrix-rageshake to 1.9.0 Related to: - https://github.com/matrix-org/rageshake/issues/69 - https://github.com/matrix-org/rageshake/pull/70 --- roles/custom/matrix-rageshake/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-rageshake/defaults/main.yml b/roles/custom/matrix-rageshake/defaults/main.yml index 2dca91b1a..8cc2f9054 100644 --- a/roles/custom/matrix-rageshake/defaults/main.yml +++ b/roles/custom/matrix-rageshake/defaults/main.yml 
@@ -16,7 +16,7 @@ matrix_rageshake_path_prefix: / # There are no stable container image tags yet. # See: https://github.com/matrix-org/rageshake/issues/69 -matrix_rageshake_version: "master" +matrix_rageshake_version: 1.9.0 matrix_rageshake_base_path: "{{ matrix_base_data_path }}/rageshake" matrix_rageshake_config_path: "{{ matrix_rageshake_base_path }}/config" From 1a23016570185b9f01ca209a8559fbb72330a460 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 22 Mar 2023 16:54:39 +0000 Subject: [PATCH 645/915] Update grafana v9.4.3 -> v9.4.7 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 91d16dae2..c3d45f851 100644 --- a/requirements.yml +++ b/requirements.yml @@ -40,7 +40,7 @@ version: v1.2.3-1.7.9-0 - src: git+https://gitlab.com/etke.cc/roles/grafana.git - version: v9.4.3-0 + version: v9.4.7-0 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git version: v2.2.0-0 From 6b3ab052f6bb76ee8cf7f5339db6357785e28246 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Mar 2023 11:02:20 +0200 Subject: [PATCH 646/915] Upgrade prometheus_node_exporter (v1.5.0-6 -> v1.5.0-7) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index c3d45f851..248b98b10 100644 --- a/requirements.yml +++ b/requirements.yml @@ -31,7 +31,7 @@ version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6 - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git - version: v1.5.0-6 + version: v1.5.0-7 - src: git+https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter.git version: v0.12.0-0 From 0b18f03195367f5f9de9f8e8235fc683bc8006a1 Mon Sep 17 00:00:00 2001 
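Review bot: The context comment two lines above the changed line, `# There are no stable container image tags yet.`, becomes wrong once `matrix_rageshake_version` is pinned to `1.9.0`, and the commit message's linked issue and PR suggest tags are now published. Rewording it, for example to `# Pinned to a release tag; tagging history: https://github.com/matrix-org/rageshake/issues/69`, avoids misleading the next person who bumps the version. If tags are still considered provisional upstream, say so explicitly instead.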
From: Aine Date: Thu, 23 Mar 2023 19:06:16 +0200 Subject: [PATCH 647/915] honoroit - add proper networking configuration and traefik labels --- group_vars/matrix_servers | 21 +++++++++ .../matrix-bot-honoroit/defaults/main.yml | 45 +++++++++++++++++++ .../tasks/setup_install.yml | 9 ++-- .../matrix-bot-honoroit/templates/labels.j2 | 45 +++++++++++++++++++ .../systemd/matrix-bot-honoroit.service.j2 | 13 +++++- 5 files changed, 128 insertions(+), 5 deletions(-) create mode 100644 roles/custom/matrix-bot-honoroit/templates/labels.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 0b8d7e25e..bb892a8b3 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -1671,6 +1671,27 @@ matrix_bot_honoroit_database_hostname: "{{ devture_postgres_connection_hostname matrix_bot_honoroit_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'honoroit.bot.db', rounds=655555) | to_uuid }}" matrix_bot_honoroit_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" +matrix_bot_honoroit_container_network: "{{ matrix_docker_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-bot-honoroit' }}" + +# For now, we attach this to the matrix-nginx-proxy network (unless that's the same network as the main one for us), +# because that's where the homeserver is expected to be accessed from. +# In the future, this will need to be redone. +matrix_bot_honoroit_container_additional_networks: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + + + ([matrix_nginx_proxy_container_network] if matrix_nginx_proxy_enabled and matrix_bot_honoroit_container_network != matrix_nginx_proxy_container_network else []) + + + ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != matrix_bot_honoroit_container_network else []) + ) | unique + }} + +matrix_bot_honoroit_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" +matrix_bot_honoroit_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_bot_honoroit_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_bot_honoroit_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + ###################################################################### # # /matrix-bot-honoroit 
diff --git a/roles/custom/matrix-bot-honoroit/defaults/main.yml b/roles/custom/matrix-bot-honoroit/defaults/main.yml index 42f766824..38d02d343 100644 --- a/roles/custom/matrix-bot-honoroit/defaults/main.yml +++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml @@ -4,6 +4,13 @@ matrix_bot_honoroit_enabled: true +# The hostname at which honoroit is served. +matrix_bot_honoroit_hostname: '' + +# The path at which honoroit is exposed. +# This value must either be `/` or not end with a slash (e.g. `/honoroit`). +matrix_bot_honoroit_path_prefix: / + matrix_bot_honoroit_container_image_self_build: false matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git" matrix_bot_honoroit_docker_repo_version: "{{ matrix_bot_honoroit_version }}" 
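Review bot: `matrix_bot_honoroit_hostname` defaults to `''`, so unless the playbook overrides it the Traefik rule built from it further down this file ends up with an empty Host() matcher, which is a misconfiguration that only surfaces at proxy time. If the role has a validate_config task, an assertion that the hostname is non-empty when `matrix_bot_honoroit_container_labels_traefik_enabled` is true would fail early; otherwise a comment such as `# Must be set when Traefik labels are enabled; the playbook's group_vars normally provide it.` above the variable is the minimum. The path-prefix comment already states its contract, so mirroring that style keeps the two defaults consistent.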
@@ -19,6 +26,44 @@ matrix_bot_honoroit_config_path: "{{ matrix_bot_honoroit_base_path }}/config" matrix_bot_honoroit_data_path: "{{ matrix_bot_honoroit_base_path }}/data" matrix_bot_honoroit_data_store_path: "{{ matrix_bot_honoroit_data_path }}/store" +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_bot_honoroit_container_network: matrix-bot-honoroit + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_bot_honoroit_container_additional_networks: [] + +# matrix_bot_honoroit_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_bot_honoroit_container_labels_additional_labels`. +matrix_bot_honoroit_container_labels_traefik_enabled: true +matrix_bot_honoroit_container_labels_traefik_docker_network: "{{ matrix_bot_honoroit_container_network }}" +matrix_bot_honoroit_container_labels_traefik_hostname: "{{ matrix_bot_honoroit_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/honoroit`). 
+matrix_bot_honoroit_container_labels_traefik_path_prefix: "{{ matrix_bot_honoroit_path_prefix }}" +matrix_bot_honoroit_container_labels_traefik_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`){% if matrix_bot_honoroit_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_bot_honoroit_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_bot_honoroit_container_labels_traefik_priority: 0 +matrix_bot_honoroit_container_labels_traefik_entrypoints: web-secure +matrix_bot_honoroit_container_labels_traefik_tls: "{{ matrix_bot_honoroit_container_labels_traefik_entrypoints != 'web' }}" +matrix_bot_honoroit_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. +# To add your own headers, use `matrix_bot_honoroit_container_labels_traefik_additional_response_headers_custom` +matrix_bot_honoroit_container_labels_traefik_additional_response_headers: "{{ matrix_bot_honoroit_container_labels_traefik_additional_response_headers_auto | combine(matrix_bot_honoroit_container_labels_traefik_additional_response_headers_custom) }}" +matrix_bot_honoroit_container_labels_traefik_additional_response_headers_auto: {} +matrix_bot_honoroit_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_bot_buscarron_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_bot_buscarron_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_bot_buscarron_container_labels_additional_labels: '' + # A list of extra arguments to pass to the container matrix_bot_honoroit_container_extra_arguments: [] diff --git a/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml b/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml index f7b264a83..14b5a0e47 100644 
--- a/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml @@ -40,13 +40,16 @@ - {path: "{{ matrix_bot_honoroit_docker_src_files_path }}", when: true} when: "item.when | bool" -- name: Ensure honoroit environment variables file created +- name: Ensure honoroit support files installed ansible.builtin.template: - src: "{{ role_path }}/templates/env.j2" - dest: "{{ matrix_bot_honoroit_config_path }}/env" + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_bot_honoroit_config_path }}/{{ item }}" owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" mode: 0640 + with_items: + - env + - labels - name: Ensure honoroit image is pulled community.docker.docker_image: diff --git a/roles/custom/matrix-bot-honoroit/templates/labels.j2 b/roles/custom/matrix-bot-honoroit/templates/labels.j2 new file mode 100644 index 000000000..f03af34a2 --- /dev/null +++ b/roles/custom/matrix-bot-honoroit/templates/labels.j2 
@@ -0,0 +1,45 @@ +{% if matrix_bot_honoroit_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_bot_honoroit_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_bot_honoroit_container_labels_traefik_docker_network }} +{% endif %} + +{% set middlewares = [] %} + +{% if matrix_bot_honoroit_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-bot-honoroit-slashless-redirect.redirectregex.regex=({{ matrix_bot_honoroit_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-bot-honoroit-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-bot-honoroit-slashless-redirect'] %} +{% endif %} + +{% if matrix_bot_honoroit_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-bot-honoroit-strip-prefix.stripprefix.prefixes={{ matrix_bot_honoroit_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-bot-honoroit-strip-prefix'] %} +{% endif %} + +{% if matrix_bot_honoroit_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_bot_honoroit_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-bot-honoroit-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-bot-honoroit-add-headers'] %} +{% endif %} + +traefik.http.routers.matrix-bot-honoroit.rule={{ matrix_bot_honoroit_container_labels_traefik_rule }} +{% if matrix_bot_honoroit_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-bot-honoroit.priority={{ matrix_bot_honoroit_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-bot-honoroit.service=matrix-bot-honoroit +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-bot-honoroit.middlewares={{ middlewares | join(',') }} +{% endif %} 
+traefik.http.routers.matrix-bot-honoroit.entrypoints={{ matrix_bot_honoroit_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-bot-honoroit.tls={{ matrix_bot_honoroit_container_labels_traefik_tls | to_json }} +{% if matrix_bot_honoroit_container_labels_traefik_tls %} +traefik.http.routers.matrix-bot-honoroit.tls.certResolver={{ matrix_bot_honoroit_container_labels_traefik_tls_certResolver }} +{% endif %} + +traefik.http.services.matrix-bot-honoroit.loadbalancer.server.port=8080 +{% endif %} + +{{ matrix_bot_honoroit_container_labels_additional_labels }} diff --git a/roles/custom/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 b/roles/custom/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 index 2cce62da5..44fe9a2fc 100644 --- a/roles/custom/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 +++ b/roles/custom/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 
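Review bot: The slashless-redirect regex near the top of the new template passes the path prefix through `| quote`, which is shell quoting rather than regex escaping, so a prefix containing regex metacharacters would not be matched literally; `{{ matrix_bot_honoroit_container_labels_traefik_path_prefix | regex_escape }}` is the filter intended for this. This may mirror other `labels.j2` templates in the playbook, in which case it is worth fixing consistently rather than only here. The service port `8080` in the last `loadbalancer` label is also hard-coded, whereas everything else in the template is driven by role defaults; a role default for the container port would keep it adjustable and documented in one place.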
@@ -16,19 +16,28 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-honoroit 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-honoroit 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-bot-honoroit \ +ExecStart={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-bot-honoroit \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_bot_honoroit_container_network }} \ --env-file={{ matrix_bot_honoroit_config_path }}/env \ + --label-file={{ matrix_bot_honoroit_config_path }}/labels \ --mount type=bind,src={{ matrix_bot_honoroit_data_path }},dst=/data \ {% for arg in matrix_bot_honoroit_container_extra_arguments %} {{ arg }} \ {% endfor %} {{ matrix_bot_honoroit_docker_image }} +{% for network in matrix_bot_honoroit_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-bot-honoroit +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-bot-honoroit + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-honoroit 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-honoroit 2>/dev/null || true' Restart=always From 15ce37723561958b431a5ed9bdafacc979e3d0ec Mon Sep 17 00:00:00 2001 
From: Aine Date: Thu, 23 Mar 2023 19:09:34 +0200 Subject: [PATCH 648/915] honoroit - add matrix_bot_honoroit_hostname into group vars --- group_vars/matrix_servers | 1 + 1 file changed, 1 insertion(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index bb892a8b3..499a714b4 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1653,6 +1653,7 @@ matrix_bot_maubot_database_password: "{{ '%s' | format(matrix_homeserver_generic # We don't enable bots by default. matrix_bot_honoroit_enabled: false +matrix_bot_honoroit_hostname: "{{ matrix_server_fqn_matrix }}" matrix_bot_honoroit_systemd_required_services_list: | {{ From 6d5cf9cbcd99e298352025edfd1b1eef539dbfc6 Mon Sep 17 00:00:00 2001 From: Aine Date: Thu, 23 Mar 2023 20:17:11 +0200 Subject: [PATCH 649/915] fix honoroit networks --- roles/custom/matrix-bot-honoroit/defaults/main.yml | 6 +++--- .../templates/systemd/matrix-bot-honoroit.service.j2 | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/custom/matrix-bot-honoroit/defaults/main.yml b/roles/custom/matrix-bot-honoroit/defaults/main.yml index 38d02d343..5e90ef51f 100644 --- a/roles/custom/matrix-bot-honoroit/defaults/main.yml +++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml 
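Review bot: Defaulting `matrix_bot_honoroit_hostname` to `matrix_server_fqn_matrix` while `matrix_bot_honoroit_path_prefix` keeps its role default of `/` gives the bot a Traefik router whose rule matches the entire homeserver host. Traefik's rule-length priority should still let the homeserver's more specific PathPrefix routers win, but every other path on that host would then be served by honoroit, which is unlikely to be intended. Consider setting a prefix alongside the hostname here, e.g. `matrix_bot_honoroit_path_prefix: /honoroit`, or documenting that operators are expected to choose a dedicated hostname. This only takes effect when the bot is enabled, which this group_vars file leaves at `false`.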
@@ -55,14 +55,14 @@ matrix_bot_honoroit_container_labels_traefik_additional_response_headers: "{{ ma matrix_bot_honoroit_container_labels_traefik_additional_response_headers_auto: {} matrix_bot_honoroit_container_labels_traefik_additional_response_headers_custom: {} -# matrix_bot_buscarron_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# matrix_bot_honoroit_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. # See `../templates/labels.j2` for details. # # Example: -# matrix_bot_buscarron_container_labels_additional_labels: | +# matrix_bot_honoroit_container_labels_additional_labels: | # my.label=1 # another.label="here" -matrix_bot_buscarron_container_labels_additional_labels: '' +matrix_bot_honoroit_container_labels_additional_labels: '' # A list of extra arguments to pass to the container matrix_bot_honoroit_container_extra_arguments: [] diff --git a/roles/custom/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 b/roles/custom/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 index 44fe9a2fc..9bbc7d10b 100644 --- a/roles/custom/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 +++ b/roles/custom/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 
@@ -16,7 +16,7 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-honoroit 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-honoroit 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} create \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --rm \ --name=matrix-bot-honoroit \ --log-driver=none \ From e04894de7cd2a2aff05f8404caff6258b62edc09 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 24 Mar 2023 07:54:06 +0000 Subject: [PATCH 650/915] Update borg 1.2.3 -> 1.2.4 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 248b98b10..1a31c1309 100644 --- a/requirements.yml +++ b/requirements.yml @@ -37,7 +37,7 @@ version: v0.12.0-0 - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git - version: v1.2.3-1.7.9-0 + version: v1.2.4-1.7.9-0 - src: git+https://gitlab.com/etke.cc/roles/grafana.git version: v9.4.7-0 From e60febc9ca4e5a07a2dda195954df52992663139 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Mar 2023 08:56:12 +0200 Subject: [PATCH 651/915] Use git for fetching the geerlingguy.docker role With this change, all dependency roles are downloaded using the same mechanism (git), which makes life simpler for tools like https://gitlab.com/etke.cc/int/agru --- requirements.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 1a31c1309..386c8763e 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -1,6 +1,7 @@ --- -- src: geerlingguy.docker +- src: git+https://github.com/geerlingguy/ansible-role-docker + name: geerlingguy.docker version: 6.1.0 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git From 34a03cf73284f29db0bcef265f8741d374561d95 Mon Sep 17 00:00:00 2001 From: Aine Date: Sat, 25 Mar 2023 17:47:13 +0200 Subject: [PATCH 652/915] safely integrate agru, format justfile, format requirements.yml --- justfile | 30 ++++++++++++++++++++---------- requirements.yml | 29 +++-------------------------- 2 files changed, 23 insertions(+), 36 deletions(-) diff --git a/justfile b/justfile index f50b5217f..bcacd78cd 100644 --- a/justfile +++ b/justfile 
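Review bot: The new git source for `geerlingguy.docker` pins `version: 6.1.0`, a tag, whereas the devture roles directly below it pin full commit hashes; a tag is a mutable reference that upstream can move, so this entry no longer describes exactly one tree the way its neighbours do. Pinning the commit the tag currently resolves to would preserve that provenance guarantee, or a short comment could record why a tag is acceptable for this role. The remainder of the file is outside this hunk.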
@@ -1,48 +1,58 @@ # Shows help default: - @just --list --justfile {{ justfile() }} + @just --list --justfile {{ justfile() }} # Pulls external Ansible roles roles: - rm -rf roles/galaxy - ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force + #!/usr/bin/env sh + set -euo pipefail + if [ -x "$(command -v agru)" ]; then + agru + else + rm -rf roles/galaxy + ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force + fi + +# Updates requirements.yml if there are any new tags available. Requires agru +update: + @agru -u # Runs ansible-lint against all roles in the playbook lint: - ansible-lint + ansible-lint # Runs the playbook with --tags=install-all,ensure-matrix-users-created,start and optional arguments install-all *extra_args: (run-tags "install-all,ensure-matrix-users-created,start" extra_args) # Runs installation tasks for a single service install-service service *extra_args: - just --justfile {{ justfile() }} run --tags=install-{{ service }},start-group --extra-vars=group={{ service }} {{ extra_args }} + just --justfile {{ justfile() }} run --tags=install-{{ service }},start-group --extra-vars=group={{ service }} {{ extra_args }} # Runs the playbook with --tags=setup-all,ensure-matrix-users-created,start and optional arguments setup-all *extra_args: (run-tags "setup-all,ensure-matrix-users-created,start" extra_args) # Runs the playbook with the given list of arguments run +extra_args: - time ansible-playbook -i inventory/hosts setup.yml {{ extra_args }} + time ansible-playbook -i inventory/hosts setup.yml {{ extra_args }} # Runs the playbook with the given list of comma-separated tags and optional arguments run-tags tags *extra_args: - just --justfile {{ justfile() }} run --tags={{ tags }} {{ extra_args }} + just --justfile {{ justfile() }} run --tags={{ tags }} {{ extra_args }} # Runs the playbook in user-registration mode register-user username password admin_yes_or_no *extra_args: - time ansible-playbook -i inventory/hosts setup.yml 
--tags=register-user --extra-vars="username={{ username }} password={{ password }} admin={{ admin_yes_or_no }}" {{ extra_args }} + time ansible-playbook -i inventory/hosts setup.yml --tags=register-user --extra-vars="username={{ username }} password={{ password }} admin={{ admin_yes_or_no }}" {{ extra_args }} # Starts all services start-all *extra_args: (run-tags "start-all" extra_args) # Starts a specific service group start-group group *extra_args: - @just --justfile {{ justfile() }} run-tags start-group --extra-vars="group={{ group }}" {{ extra_args }} + @just --justfile {{ justfile() }} run-tags start-group --extra-vars="group={{ group }}" {{ extra_args }} # Stops all services stop-all *extra_args: (run-tags "stop-all" extra_args) # Stops a specific service group stop-group group *extra_args: - @just --justfile {{ justfile() }} run-tags stop-group --extra-vars="group={{ group }}" {{ extra_args }} + @just --justfile {{ justfile() }} run-tags stop-group --extra-vars="group={{ group }}" {{ extra_args }} diff --git a/requirements.yml b/requirements.yml index 386c8763e..778e197a2 100644 --- a/requirements.yml +++ b/requirements.yml 
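Review bot: The `roles` recipe now behaves differently depending on whether `agru` is on `PATH`, but its comment `# Pulls external Ansible roles` does not say so and the fallback is silent, so a user whose `roles/galaxy` is wiped and re-downloaded may not realise why. Suggest `# Pulls external Ansible roles (uses agru when installed, otherwise ansible-galaxy)` and an `echo` in the `else` branch naming the tool being used. The `#!/usr/bin/env sh` shebang combined with `set -o pipefail` is also worth a second look, since `pipefail` is not available in every POSIX `sh`.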
@@ -1,70 +1,47 @@ ---- - - src: git+https://github.com/geerlingguy/ansible-role-docker - name: geerlingguy.docker version: 6.1.0 - + name: geerlingguy.docker - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git version: 129c8590e106b83e6f4c259649a613c6279e937a - - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git version: c1f40e82b4d6b072b6f0e885239322bdaaaf554f - - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git version: 327d2e17f5189ac2480d6012f58cf64a2b46efba - - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git version: 3d5bb2976815958cdce3f368fa34fb51554f899b - - src: git+https://github.com/devture/com.devture.ansible.role.playbook_state_preserver.git version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16 - - src: git+https://github.com/devture/com.devture.ansible.role.postgres.git version: 38764398bf82b06a1736c3bfedc71dfd229e4b52 - - src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git version: 8e9ec48a09284c84704d7a2dce17da35f181574d - - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git version: 6ccb88ac5fc27e1e70afcd48278ade4b564a9096 - - src: git+https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages.git version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6 - - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git version: v1.5.0-7 - - src: git+https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter.git version: v0.12.0-0 - - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git version: v1.2.4-1.7.9-0 - - src: git+https://gitlab.com/etke.cc/roles/grafana.git version: v9.4.7-0 - - src: git+https://gitlab.com/etke.cc/roles/ntfy.git version: v2.2.0-0 - - src: git+https://gitlab.com/etke.cc/roles/redis.git version: v7.0.10-0 - - src: git+https://gitlab.com/etke.cc/roles/etherpad.git version: v1.8.18-2 - - src: 
git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git version: v0.1.1-1 - - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git version: v2.9.9-0 - - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: v2.8.1-0 - - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git - name: aux version: v1.0.0-0 - + name: aux - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git - name: prometheus version: v2.43.0-0 + name: prometheus From 413049feea13fe5bece06ae0c331514b62d706d2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 26 Mar 2023 14:12:29 +0300 Subject: [PATCH 653/915] Remove shell configuration for better compatibility Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2604 --- justfile | 1 - 1 file changed, 1 deletion(-) diff --git a/justfile b/justfile index bcacd78cd..6eac034ef 100644 --- a/justfile +++ b/justfile @@ -5,7 +5,6 @@ default: # Pulls external Ansible roles roles: #!/usr/bin/env sh - set -euo pipefail if [ -x "$(command -v agru)" ]; then agru else From 6732901c7043c5c4def9d52b6210a0ff070477d5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 28 Mar 2023 10:54:47 +0300 Subject: [PATCH 654/915] Upgrade com.devture.ansible.role.systemd_service_manager --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 778e197a2..1aa65c325 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -16,7 +16,7 @@ - src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git version: 8e9ec48a09284c84704d7a2dce17da35f181574d - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git - version: 6ccb88ac5fc27e1e70afcd48278ade4b564a9096 + version: v1.0.0-0 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages.git version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6 - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git From d25e7744d99b304b2dd0a33abdc800a09e3e43ae Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 28 Mar 2023 10:55:11 +0300 Subject: [PATCH 655/915] Always restart services one by one when doing install-service This way, something like `just install-service postgres` will definitely do a `restart` and not a `stop` + `start` (which may leave dependant services stopped). This has potentially been addressed by https://github.com/devture/com.devture.ansible.role.systemd_service_manager/commit/7acb5f4b85de1a7009b149f5b6ee3a6eef203047 as well. --- justfile | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/justfile b/justfile index 6eac034ef..fed020087 100644 --- a/justfile +++ b/justfile @@ -25,7 +25,10 @@ install-all *extra_args: (run-tags "install-all,ensure-matrix-users-created,star # Runs installation tasks for a single service install-service service *extra_args: - just --justfile {{ justfile() }} run --tags=install-{{ service }},start-group --extra-vars=group={{ service }} {{ extra_args }} + just --justfile {{ justfile() }} run \ + --tags=install-{{ service }},start-group \ + --extra-vars=group={{ service }} \ + --extra-vars=devture_systemd_service_manager_service_restart_mode=one-by-one {{ extra_args }} # Runs the playbook with --tags=setup-all,ensure-matrix-users-created,start and optional arguments setup-all *extra_args: (run-tags "setup-all,ensure-matrix-users-created,start" extra_args) 
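Review bot: The new `--extra-vars=devture_systemd_service_manager_service_restart_mode=one-by-one` in `install-service` is placed before `{{ extra_args }}`, so a caller who passes their own `--extra-vars` for the same variable silently overrides it, since later `--extra-vars` values win in `ansible-playbook`. If that override path is intended, it is worth stating in the recipe comment, e.g. `# Forces one-by-one restarts; a later --extra-vars=devture_systemd_service_manager_service_restart_mode=... in extra_args overrides it.`; if it is not, the forced value should come after `{{ extra_args }}`.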
From 9a137a63ac7174aeb3eeb40c0589a597c396209c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 28 Mar 2023 10:55:43 +0300 Subject: [PATCH 656/915] Add justfile to .editorconfig --- .editorconfig | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.editorconfig b/.editorconfig index fac22d42c..dc97b48dd 100644 --- a/.editorconfig +++ b/.editorconfig @@ -23,6 +23,10 @@ indent_size = 2 indent_style = space indent_size = 2 +[justfile] +indent_style = space +indent_size = 4 + # Markdown Files # # Two spaces at the end of a line in Markdown mean "new line", From 3d3212725e411580ed6ae1627aa5c91234444c8c Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 28 Mar 2023 08:01:39 +0000 Subject: [PATCH 657/915] Update borgmatic 1.7.9 -> 1.7.10 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 1aa65c325..e3eca1519 100644 --- a/requirements.yml +++ b/requirements.yml @@ -24,7 +24,7 @@ - src: git+https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter.git version: v0.12.0-0 - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git - version: v1.2.4-1.7.9-0 + version: v1.2.4-1.7.10-0 - src: git+https://gitlab.com/etke.cc/roles/grafana.git version: v9.4.7-0 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git From 82a484c62f8fbbd7bab2394388e691535d560430 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 28 Mar 2023 12:24:37 +0300 Subject: [PATCH 658/915] Upgrade Grafana (v9.4.7-0 -> v9.4.7-1) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index e3eca1519..3fc08945d 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -26,7 +26,7 @@ - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git version: v1.2.4-1.7.10-0 - src: git+https://gitlab.com/etke.cc/roles/grafana.git - version: v9.4.7-0 + version: v9.4.7-1 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git version: v2.2.0-0 - src: git+https://gitlab.com/etke.cc/roles/redis.git From 09188314dd6fe1e3eb1880f86c568cfe4a21cd4b Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 28 Mar 2023 11:11:12 +0000 Subject: [PATCH 659/915] Update hookshot 3.0.1 -> 3.1.0 --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 17567c3b4..f80ecabfc 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml @@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git" matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}" -matrix_hookshot_version: 3.0.1 +matrix_hookshot_version: 3.1.0 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}" matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}" From 1abd76101adfd3382592b7ded3c9641fc608c619 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 28 Mar 2023 16:10:55 +0300 Subject: [PATCH 660/915] Add matrix_synapse_docker_image_registry_prefix --- roles/custom/matrix-synapse/defaults/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index a5c7106ff..f809f60e3 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -70,9 +70,10 @@ matrix_synapse_container_image_customizations_templates_git_repository_keyscan_h matrix_synapse_container_image_customizations_dockerfile_body_custom: '' matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:{{ matrix_synapse_docker_image_tag }}" -matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else matrix_container_global_registry_prefix }}" +matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else matrix_synapse_docker_image_registry_prefix }}" matrix_synapse_docker_image_tag: "{{ matrix_synapse_version }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" +matrix_synapse_docker_image_registry_prefix: "{{ matrix_container_global_registry_prefix }}" # matrix_synapse_docker_image_customized is the name of the locally built Synapse image # which adds various customizations on top of the original (upstream) Synapse image. From e55269e14f38ae1b7807993a4f967d0b8c082569 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 28 Mar 2023 16:23:06 +0300 Subject: [PATCH 661/915] Upgrade Synapse (v1.79.0 -> v1.80.0) --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index f809f60e3..73bfa905b 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -4,7 +4,7 @@ matrix_synapse_enabled: true -matrix_synapse_version: v1.79.0 +matrix_synapse_version: v1.80.0 matrix_synapse_username: '' matrix_synapse_uid: '' 
From 32fb27c16cdc483c93712f220690419c0d88cb9d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 28 Mar 2023 16:23:25 +0300 Subject: [PATCH 662/915] Whitelist 2 more APIs for Synapse workers Related to: - e55269e14f38 - https://github.com/matrix-org/synapse/commit/3d70cc393fb32235bbeb94a0b97691dff5531f4d - https://github.com/matrix-org/synapse/commit/4fc85e5a921c7200a54a7fd1e9b56b5d2fedc453 --- roles/custom/matrix-synapse/vars/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/custom/matrix-synapse/vars/main.yml b/roles/custom/matrix-synapse/vars/main.yml index faaf6ed6b..406b8314a 100644 --- a/roles/custom/matrix-synapse/vars/main.yml +++ b/roles/custom/matrix-synapse/vars/main.yml @@ -178,7 +178,9 @@ matrix_synapse_workers_generic_worker_endpoints: # Registration/login requests - ^/_matrix/client/(api/v1|r0|v3|unstable)/login$ - ^/_matrix/client/(r0|v3|unstable)/register$ + - ^/_matrix/client/(r0|v3|unstable)/register/available$ - ^/_matrix/client/v1/register/m.login.registration_token/validity$ + - ^/_matrix/client/(r0|v3|unstable)/password_policy$ # Event sending requests - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact From 1fff42d930321d2ac0cb3218b6c41a9010724ad4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 28 Mar 2023 16:24:11 +0300 Subject: [PATCH 663/915] Switch Synapse to being pulled from ghcr.io, not docker.io Related to: - https://github.com/matrix-org/synapse/pull/15281 - https://github.com/matrix-org/synapse/pull/15282 --- roles/custom/matrix-synapse/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 73bfa905b..6c6b73445 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml 
@@ -69,11 +69,11 @@ matrix_synapse_container_image_customizations_templates_git_repository_keyscan_h # RUN echo 'You do NOT need to include a FROM clause yourself.' matrix_synapse_container_image_customizations_dockerfile_body_custom: '' -matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:{{ matrix_synapse_docker_image_tag }}" +matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrix-org/synapse:{{ matrix_synapse_docker_image_tag }}" matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else matrix_synapse_docker_image_registry_prefix }}" matrix_synapse_docker_image_tag: "{{ matrix_synapse_version }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" -matrix_synapse_docker_image_registry_prefix: "{{ matrix_container_global_registry_prefix }}" +matrix_synapse_docker_image_registry_prefix: ghcr.io/ # matrix_synapse_docker_image_customized is the name of the locally built Synapse image # which adds various customizations on top of the original (upstream) Synapse image. From 3023bc0601d5dfccd67419b81a070197af9ae2a6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 28 Mar 2023 16:56:31 +0300 Subject: [PATCH 664/915] Upgrade Element (v1.11.25 -> v1.11.26) --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 972072850..a4e7c490d 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml 
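Review bot: `matrix_synapse_docker_image_registry_prefix: ghcr.io/` hard-codes the registry and drops the `{{ matrix_container_global_registry_prefix }}` default that the preceding `matrix_synapse_docker_image_registry_prefix` commit introduced, so operators who point the global prefix at a private mirror no longer get Synapse from that mirror and must override this variable separately. A comment above the line should state this, e.g. `# Synapse images are published to ghcr.io rather than docker.io, so this no longer follows matrix_container_global_registry_prefix; override it if you mirror images elsewhere.` The image is still selected by tag only, so operators who want a reproducible pull would additionally pin a digest in their own override.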
@@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.11.25 +matrix_client_element_version: v1.11.26 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 76197df3bcbfcfee086fc0bdfedf1ffb0f70ec72 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 28 Mar 2023 16:57:50 +0300 Subject: [PATCH 665/915] Add some additional groups to client systemd services This allows for doing `just install-service client-element` to get only Element rebuilt and restarted. --- group_vars/matrix_servers | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 499a714b4..85a764a1f 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -288,11 +288,11 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-cactus-comments.service', 'priority': 2000, 'groups': ['matrix', 'cactus-comments']}] if matrix_cactus_comments_enabled else []) + - ([{'name': 'matrix-client-cinny.service', 'priority': 2000, 'groups': ['matrix', 'clients', 'cinny']}] if matrix_client_cinny_enabled else []) + ([{'name': 'matrix-client-cinny.service', 'priority': 2000, 'groups': ['matrix', 'clients', 'cinny', 'client-cinny']}] if matrix_client_cinny_enabled else []) + - ([{'name': 'matrix-client-element.service', 'priority': 2000, 'groups': ['matrix', 'clients', 'element']}] if matrix_client_element_enabled else []) + ([{'name': 'matrix-client-element.service', 'priority': 2000, 'groups': ['matrix', 'clients', 'element', 'client-element']}] if matrix_client_element_enabled else []) + - ([{'name': 'matrix-client-hydrogen.service', 'priority': 2000, 'groups': ['matrix', 'clients', 'hydrogen']}] if matrix_client_hydrogen_enabled else []) + ([{'name': 'matrix-client-hydrogen.service', 'priority': 2000, 'groups': ['matrix', 'clients', 'hydrogen', 'client-hydrogen']}] if matrix_client_hydrogen_enabled else []) + ([{'name': ('matrix-' + matrix_homeserver_implementation + '.service'), 'priority': 1000, 'groups': ['matrix', 'homeservers', matrix_homeserver_implementation]}] if matrix_homeserver_enabled else []) + From 45c37188b1c831e3baee89c454a2ba0bcb3ace72 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 28 Mar 2023 15:05:26 +0000 Subject: [PATCH 666/915] Update hookshot 3.1.0 -> 3.1.1 --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index f80ecabfc..2adf08edf 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml 
@@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git" matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}" -matrix_hookshot_version: 3.1.0 +matrix_hookshot_version: 3.1.1 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}" matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}" From 8a9d76b9901de853597b578fb77edf48590453de Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 29 Mar 2023 07:57:08 +0000 Subject: [PATCH 667/915] Update cinny 2.2.4 -> 2.2.5 --- roles/custom/matrix-client-cinny/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-cinny/defaults/main.yml b/roles/custom/matrix-client-cinny/defaults/main.yml index f1114c366..5bd485026 100644 --- a/roles/custom/matrix-client-cinny/defaults/main.yml +++ b/roles/custom/matrix-client-cinny/defaults/main.yml @@ -6,7 +6,7 @@ matrix_client_cinny_enabled: true matrix_client_cinny_container_image_self_build: false matrix_client_cinny_container_image_self_build_repo: "https://github.com/ajbura/cinny.git" -matrix_client_cinny_version: v2.2.4 +matrix_client_cinny_version: v2.2.5 matrix_client_cinny_docker_image: "{{ matrix_client_cinny_docker_image_name_prefix }}ajbura/cinny:{{ matrix_client_cinny_version }}" matrix_client_cinny_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_cinny_docker_image_force_pull: "{{ matrix_client_cinny_docker_image.endswith(':latest') }}" From 9e2b0a3be2a55aa386f95d54e0be0363ad95e538 Mon Sep 17 00:00:00 2001 
From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 29 Mar 2023 11:20:23 +0000 Subject: [PATCH 668/915] Update cinny 2.2.5 -> 2.2.6 --- roles/custom/matrix-client-cinny/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-cinny/defaults/main.yml b/roles/custom/matrix-client-cinny/defaults/main.yml index 5bd485026..6b771fdc1 100644 --- a/roles/custom/matrix-client-cinny/defaults/main.yml +++ b/roles/custom/matrix-client-cinny/defaults/main.yml @@ -6,7 +6,7 @@ matrix_client_cinny_enabled: true matrix_client_cinny_container_image_self_build: false matrix_client_cinny_container_image_self_build_repo: "https://github.com/ajbura/cinny.git" -matrix_client_cinny_version: v2.2.5 +matrix_client_cinny_version: v2.2.6 matrix_client_cinny_docker_image: "{{ matrix_client_cinny_docker_image_name_prefix }}ajbura/cinny:{{ matrix_client_cinny_version }}" matrix_client_cinny_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_cinny_docker_image_force_pull: "{{ matrix_client_cinny_docker_image.endswith(':latest') }}" From 44aa0dce7b9f4a0dc57a6a87b6a174a5fc13a691 Mon Sep 17 00:00:00 2001 From: Aeris One Date: Wed, 29 Mar 2023 20:11:22 +0200 Subject: [PATCH 669/915] Add ability to disable password auth (#2612) * Add ability to disable password auth * Allow disabling password authentication --- roles/custom/matrix-synapse/defaults/main.yml | 5 +++++ .../matrix-synapse/templates/synapse/homeserver.yaml.j2 | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 6c6b73445..5e45859c2 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml 
@@ -371,6 +371,11 @@ matrix_synapse_auto_join_rooms: [] # automatically if they don't already exist. matrix_synapse_autocreate_auto_join_rooms: true +# Controls whether password authentication is allowed +# It may be useful when you've configured OAuth, SAML or CAS and want authentication +# to happen only through them +matrix_synapse_password_config_enabled: true + # Controls password-peppering for Synapse. Not to be changed after initial setup. matrix_synapse_password_config_pepper: "" diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 9b039ff52..db693582a 100644 --- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2241,7 +2241,7 @@ sso: password_config: # Uncomment to disable password login # - #enabled: false + enabled: {{ matrix_synapse_password_config_enabled|to_json }} # Uncomment to disable authentication against the local password # database. This is ignored if `enabled` is false, and is only useful From cc40984b03be06eb3ec877f2524d4eca1b498c7d Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Thu, 30 Mar 2023 07:44:14 +0000 Subject: [PATCH 670/915] Update requirements.yml --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 3fc08945d..e564b63c3 100644 --- a/requirements.yml +++ b/requirements.yml @@ -28,7 +28,7 @@ - src: git+https://gitlab.com/etke.cc/roles/grafana.git version: v9.4.7-1 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git - version: v2.2.0-0 + version: v2.2.3-0 - src: git+https://gitlab.com/etke.cc/roles/redis.git version: v7.0.10-0 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git From 39c8817aaa22a41109d96f097e1ad73742822c14 Mon Sep 17 00:00:00 2001 
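Review bot: The comment on the new `matrix_synapse_password_config_enabled` variable should warn about the lock-out risk: setting it to `false` on a server where no SSO provider is configured leaves no working login method, including for admin accounts, and nothing in the hunk validates that combination. Suggested addition: `# WARNING: set this to false only after an SSO provider (OIDC, SAML or CAS) is configured and verified to work; otherwise nobody, including admins, can log in.` The comment's "OAuth" would read better as "OIDC", which is the term Synapse itself uses.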
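Review bot: The `# Uncomment to disable password login` comment directly above the new `enabled: {{ matrix_synapse_password_config_enabled|to_json }}` line in `homeserver.yaml.j2` is now stale, because the value is templated rather than commented out. Replace it with `# Controlled by matrix_synapse_password_config_enabled` so the rendered config points operators at the right variable.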
From: Aine <97398200+etkecc@users.noreply.github.com> Date: Thu, 30 Mar 2023 07:46:41 +0000 Subject: [PATCH 671/915] fix typo --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index e564b63c3..65bab1154 100644 --- a/requirements.yml +++ b/requirements.yml @@ -28,7 +28,7 @@ - src: git+https://gitlab.com/etke.cc/roles/grafana.git version: v9.4.7-1 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git - version: v2.2.3-0 + version: v2.3.0-0 - src: git+https://gitlab.com/etke.cc/roles/redis.git version: v7.0.10-0 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git From d6eef6fd0481977d02e5b6c17bfeb1f19d2f31b6 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 31 Mar 2023 11:05:03 +0000 Subject: [PATCH 672/915] Update element v1.11.26 -> v1.11.27 --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index a4e7c490d..fe8d839c1 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml 
@@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.11.26 +matrix_client_element_version: v1.11.27 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From f68038c1dbbe4572bcf985744409297acfc88a01 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 31 Mar 2023 11:05:41 +0000 Subject: [PATCH 673/915] Update ntfy 2.3.0 -> 2.3.1 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 65bab1154..75a11c3eb 100644 --- a/requirements.yml +++ b/requirements.yml @@ -28,7 +28,7 @@ - src: git+https://gitlab.com/etke.cc/roles/grafana.git version: v9.4.7-1 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git - version: v2.3.0-0 + version: v2.3.1-0 - src: git+https://gitlab.com/etke.cc/roles/redis.git version: v7.0.10-0 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git From 6538b707fe981bd13138345ed37e2476d61955f1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 31 Mar 2023 17:09:07 +0300 Subject: [PATCH 674/915] Auto-sort roles in requirements.yml with agru --- requirements.yml | 56 ++++++++++++++++++++++++------------------------ 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/requirements.yml b/requirements.yml index 75a11c3eb..495ba0d59 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -1,47 +1,47 @@ -- src: git+https://github.com/geerlingguy/ansible-role-docker - version: 6.1.0 - name: geerlingguy.docker +- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git + version: v1.0.0-0 + name: aux +- src: git+https://gitlab.com/etke.cc/roles/backup_borg.git + version: v1.2.4-1.7.10-0 +- src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git + version: v0.1.1-1 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git version: 129c8590e106b83e6f4c259649a613c6279e937a - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git version: c1f40e82b4d6b072b6f0e885239322bdaaaf554f -- src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git - version: 327d2e17f5189ac2480d6012f58cf64a2b46efba -- src: git+https://github.com/devture/com.devture.ansible.role.timesync.git - version: 3d5bb2976815958cdce3f368fa34fb51554f899b +- src: git+https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages.git + version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_state_preserver.git version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16 - src: git+https://github.com/devture/com.devture.ansible.role.postgres.git version: 38764398bf82b06a1736c3bfedc71dfd229e4b52 - src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git version: 8e9ec48a09284c84704d7a2dce17da35f181574d +- src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git + version: 327d2e17f5189ac2480d6012f58cf64a2b46efba - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git version: v1.0.0-0 -- src: git+https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages.git - version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6 -- src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git - 
version: v1.5.0-7 -- src: git+https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter.git - version: v0.12.0-0 -- src: git+https://gitlab.com/etke.cc/roles/backup_borg.git - version: v1.2.4-1.7.10-0 -- src: git+https://gitlab.com/etke.cc/roles/grafana.git - version: v9.4.7-1 -- src: git+https://gitlab.com/etke.cc/roles/ntfy.git - version: v2.3.1-0 -- src: git+https://gitlab.com/etke.cc/roles/redis.git - version: v7.0.10-0 -- src: git+https://gitlab.com/etke.cc/roles/etherpad.git - version: v1.8.18-2 -- src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git - version: v0.1.1-1 +- src: git+https://github.com/devture/com.devture.ansible.role.timesync.git + version: 3d5bb2976815958cdce3f368fa34fb51554f899b - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git version: v2.9.9-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: v2.8.1-0 -- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git - version: v1.0.0-0 - name: aux +- src: git+https://gitlab.com/etke.cc/roles/etherpad.git + version: v1.8.18-2 +- src: git+https://github.com/geerlingguy/ansible-role-docker + version: 6.1.0 + name: geerlingguy.docker +- src: git+https://gitlab.com/etke.cc/roles/grafana.git + version: v9.4.7-1 +- src: git+https://gitlab.com/etke.cc/roles/ntfy.git + version: v2.3.1-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git version: v2.43.0-0 name: prometheus +- src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git + version: v1.5.0-7 +- src: git+https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter.git + version: v0.12.0-0 +- src: git+https://gitlab.com/etke.cc/roles/redis.git + version: v7.0.10-0 From 9efd5229ada7669619821c43c13e0f1e1bd64080 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sat, 1 Apr 2023 06:34:59 +0300 Subject: [PATCH 675/915] Remove time from "just run" command People who need to time things should do it themselves, explicitly. Forcing `time` on people is a little rude. Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2618 --- justfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/justfile b/justfile index fed020087..46abd7bfb 100644 --- a/justfile +++ b/justfile @@ -35,7 +35,7 @@ setup-all *extra_args: (run-tags "setup-all,ensure-matrix-users-created,start" e # Runs the playbook with the given list of arguments run +extra_args: - time ansible-playbook -i inventory/hosts setup.yml {{ extra_args }} + ansible-playbook -i inventory/hosts setup.yml {{ extra_args }} # Runs the playbook with the given list of comma-separated tags and optional arguments run-tags tags *extra_args: @@ -43,7 +43,7 @@ run-tags tags *extra_args: # Runs the playbook in user-registration mode register-user username password admin_yes_or_no *extra_args: - time ansible-playbook -i inventory/hosts setup.yml --tags=register-user --extra-vars="username={{ username }} password={{ password }} admin={{ admin_yes_or_no }}" {{ extra_args }} + ansible-playbook -i inventory/hosts setup.yml --tags=register-user --extra-vars="username={{ username }} password={{ password }} admin={{ admin_yes_or_no }}" {{ extra_args }} # Starts all services start-all *extra_args: (run-tags "start-all" extra_args) From 2135f93c20eadd915f68a3900797f55195c845b1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 2 Apr 2023 09:22:21 +0300 Subject: [PATCH 676/915] Remove jitsi-generate-passwords.sh script The playbook auto-generates these passwords, so there's no need to ask people to do it manually. --- docs/configuring-playbook-jitsi.md | 7 ------ inventory/scripts/jitsi-generate-passwords.sh | 24 ------------------- 2 files changed, 31 deletions(-) delete mode 100755 inventory/scripts/jitsi-generate-passwords.sh 
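Review bot: The rewritten `register-user` line still passes the account password on the `ansible-playbook` command line via `--extra-vars="... password={{ password }} ..."`, where it is visible in the process list to other local users and is recorded in the shell history of whoever runs `just register-user`. This is pre-existing, but since the line is being rewritten anyway a note above the recipe would help, e.g. `# NOTE: the password is passed as a command-line argument and is visible in ps output and shell history.` Reading it from an environment variable or a prompt would be safer, but that changes the recipe's interface, so a comment is the minimum.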
diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 6c787bdb4..c157e59c2 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -23,13 +23,6 @@ Add this to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: ```yaml matrix_jitsi_enabled: true - -# Run `bash inventory/scripts/jitsi-generate-passwords.sh` to generate these passwords, -# or define your own strong passwords manually. -matrix_jitsi_jicofo_auth_password: "" -matrix_jitsi_jvb_auth_password: "" -matrix_jitsi_jibri_recorder_password: "" -matrix_jitsi_jibri_xmpp_password: "" ``` diff --git a/inventory/scripts/jitsi-generate-passwords.sh b/inventory/scripts/jitsi-generate-passwords.sh deleted file mode 100755 index f24a3fba5..000000000 --- a/inventory/scripts/jitsi-generate-passwords.sh +++ /dev/null @@ -1,24 +0,0 @@ -#!/usr/bin/env bash -# This is a bash script for generating strong passwords for the Jitsi role in this ansible project: -# https://github.com/spantaleev/matrix-docker-ansible-deploy - -function generatePassword() { - openssl rand -hex 16 -} - -echo "# If this script fails, it's likely because you don't have the openssl tool installed." -echo "# Install it before using this script, or simply create your own passwords manually." - -echo "" - -JICOFO_AUTH_PASSWORD=$(generatePassword) -JVB_AUTH_PASSWORD=$(generatePassword) -JIBRI_RECORDER_PASSWORD=$(generatePassword) -JIBRI_XMPP_PASSWORD=$(generatePassword) - -echo "# Paste these variables into your inventory/host_vars/matrix.DOMAIN/vars.yml file:" -echo "" -echo "matrix_jitsi_jicofo_auth_password: $JICOFO_AUTH_PASSWORD" -echo "matrix_jitsi_jvb_auth_password: $JVB_AUTH_PASSWORD" -echo "matrix_jitsi_jibri_recorder_password: $JIBRI_RECORDER_PASSWORD" -echo "matrix_jitsi_jibri_xmpp_password: $JIBRI_XMPP_PASSWORD" From 1d00d15482e8a2ec9e82a50624eda846ecf834d1 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Mon, 3 Apr 2023 08:53:46 +0300 Subject: [PATCH 677/915] Switch to exported Jitsi role --- CHANGELOG.md | 23 +- docs/configuring-playbook-jitsi.md | 107 +++--- docs/configuring-playbook-turn.md | 2 +- docs/faq.md | 2 +- group_vars/matrix_servers | 104 ++++-- playbooks/jitsi_jvb.yml | 2 +- playbooks/matrix.yml | 2 +- requirements.yml | 3 + roles/custom/matrix-jitsi/defaults/main.yml | 320 ------------------ .../tasks/init_additional_jvb.yml | 5 - roles/custom/matrix-jitsi/tasks/main.yml | 75 ---- .../tasks/self_check_matrix_auth.yml | 63 ---- .../matrix-jitsi/tasks/setup_jitsi_base.yml | 16 - .../tasks/setup_jitsi_jicofo_install.yml | 51 --- .../tasks/setup_jitsi_jicofo_uninstall.yml | 25 -- .../tasks/setup_jitsi_jvb_install.yml | 49 --- .../tasks/setup_jitsi_jvb_uninstall.yml | 25 -- .../tasks/setup_jitsi_prosody_install.yml | 85 ----- .../tasks/setup_jitsi_prosody_uninstall.yml | 25 -- .../tasks/setup_jitsi_web_install.yml | 52 --- .../tasks/setup_jitsi_web_uninstall.yml | 25 -- .../setup_jitsi_auth_internal.yml | 17 - .../util/setup_jitsi_auth_uvs_install.yml | 20 -- .../util/setup_jitsi_auth_uvs_uninstall.yml | 20 -- .../setup_jitsi_prosody_post_setup_hooks.yml | 49 --- .../matrix-jitsi/tasks/validate_config.yml | 81 ----- .../matrix-jitsi/templates/jicofo/env.j2 | 38 --- .../templates/jicofo/logging.properties.j2 | 27 -- .../jicofo/matrix-jitsi-jicofo.service.j2 | 33 -- .../jicofo/sip-communicator.properties.j2 | 9 - .../jvb/custom-sip-communicator.properties.j2 | 7 - .../custom/matrix-jitsi/templates/jvb/env.j2 | 31 -- .../templates/jvb/logging.properties.j2 | 20 -- .../templates/jvb/matrix-jitsi-jvb.service.j2 | 43 --- .../matrix-jitsi/templates/prosody/env.j2 | 70 ---- .../prosody/matrix-jitsi-prosody.service.j2 | 41 --- .../templates/web/custom-config.js.j2 | 22 -- .../web/custom-interface_config.js.j2 | 3 - .../custom/matrix-jitsi/templates/web/env.j2 | 111 ------ .../templates/web/matrix-jitsi-web.service.j2 | 39 --- 
.../matrix-nginx-proxy/defaults/main.yml | 7 - .../matrix-nginx-proxy/templates/labels.j2 | 13 - .../nginx/conf.d/matrix-jitsi.conf.j2 | 11 +- .../defaults/main.yml | 3 + .../tasks/validate_config.yml | 19 +- 45 files changed, 180 insertions(+), 1615 deletions(-) delete mode 100644 roles/custom/matrix-jitsi/defaults/main.yml delete mode 100644 roles/custom/matrix-jitsi/tasks/init_additional_jvb.yml delete mode 100644 roles/custom/matrix-jitsi/tasks/main.yml delete mode 100644 roles/custom/matrix-jitsi/tasks/self_check_matrix_auth.yml delete mode 100644 roles/custom/matrix-jitsi/tasks/setup_jitsi_base.yml delete mode 100644 roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo_install.yml delete mode 100644 roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo_uninstall.yml delete mode 100644 roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb_install.yml delete mode 100644 roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb_uninstall.yml delete mode 100644 roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_install.yml delete mode 100644 roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_uninstall.yml delete mode 100644 roles/custom/matrix-jitsi/tasks/setup_jitsi_web_install.yml delete mode 100644 roles/custom/matrix-jitsi/tasks/setup_jitsi_web_uninstall.yml delete mode 100644 roles/custom/matrix-jitsi/tasks/util/prosody_post_setup_hooks/setup_jitsi_auth_internal.yml delete mode 100644 roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml delete mode 100644 roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml delete mode 100644 roles/custom/matrix-jitsi/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml delete mode 100644 roles/custom/matrix-jitsi/tasks/validate_config.yml delete mode 100644 roles/custom/matrix-jitsi/templates/jicofo/env.j2 delete mode 100644 roles/custom/matrix-jitsi/templates/jicofo/logging.properties.j2 delete mode 100644 roles/custom/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 delete mode 100644 
roles/custom/matrix-jitsi/templates/jicofo/sip-communicator.properties.j2 delete mode 100644 roles/custom/matrix-jitsi/templates/jvb/custom-sip-communicator.properties.j2 delete mode 100644 roles/custom/matrix-jitsi/templates/jvb/env.j2 delete mode 100644 roles/custom/matrix-jitsi/templates/jvb/logging.properties.j2 delete mode 100644 roles/custom/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 delete mode 100644 roles/custom/matrix-jitsi/templates/prosody/env.j2 delete mode 100644 roles/custom/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 delete mode 100644 roles/custom/matrix-jitsi/templates/web/custom-config.js.j2 delete mode 100644 roles/custom/matrix-jitsi/templates/web/custom-interface_config.js.j2 delete mode 100644 roles/custom/matrix-jitsi/templates/web/env.j2 delete mode 100644 roles/custom/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 7a7995e0e..3120384cf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,24 @@
+# 2023-04-03
+
+## The matrix-jitsi role lives independently now
+
+**TLDR**: the `matrix-jitsi` role is now included from the [ansible-role-jitsi](https://github.com/mother-of-all-self-hosting/ansible-role-jitsi) repository, part of the [MASH playbook](https://github.com/mother-of-all-self-hosting/mash-playbook). Some variables have been renamed. All functionality remains intact.
+
+The `matrix-jitsi` role has been relocated in its own repository, part of the [MASH playbook](https://github.com/mother-of-all-self-hosting/mash-playbook) project - an Ansible playbook for self-hosting [a growing list of FOSS software](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/supported-services.md). If hosting a Jitsi stack on the Matrix server itself did not stand right with you or you always wanted to host most stuff, you can now use this new playbook to do so.
+
+As part of the extraction process of this role out of the Matrix playbook, a few other things improved:
+
+- **native Traefik support** has been added
+- **support for hosting under a subpath** has been added, although it suffers from a few minor issues listed [here](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/jitsi.md#url)
+
+You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're using Jitsi or not.
+
+If you're making use of Jitsi via this playbook, you will need to update variable references in your `vars.yml` file:
+
+ - `matrix_jitsi_*_docker_image_` -> `matrix_jitsi_*_container_image_`
+ - `matrix_jitsi_` -> `jitsi_`
+ - some other internal variables have changed, but the playbook will tell you about them
+
 # 2023-03-22
 ## ntfy Web App is disabled by default
@@ -1556,7 +1577,7 @@ People who have [fine-tuned Jitsi](docs/configuring-playbook-jitsi.md#optional-f
 The next time you run the playbook [installation](docs/installing.md) command, our validation logic will tell you if you're using some variables like that and will recommend a migration path for each one.
-Additionally, we've recently disabled transcriptions (`matrix_jitsi_enable_transcriptions: false`) and recording (`matrix_jitsi_enable_recording: false`) by default. These features did not work anyway, because we don't install the required dependencies for them (Jigasi and Jibri, respectively). If you've been somehow pointing your Jitsi installation to some manually installed Jigasi/Jibri service, you may need to toggle these flags back to enabled to have transcriptions and recordings working.
+Additionally, we've recently disabled transcriptions (`jitsi_enable_transcriptions: false`) and recording (`jitsi_enable_recording: false`) by default. These features did not work anyway, because we don't install the required dependencies for them (Jigasi and Jibri, respectively). If you've been somehow pointing your Jitsi installation to some manually installed Jigasi/Jibri service, you may need to toggle these flags back to enabled to have transcriptions and recordings working.
 # 2020-11-23
diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md
index c157e59c2..4157231a5 100644
--- a/docs/configuring-playbook-jitsi.md
+++ b/docs/configuring-playbook-jitsi.md
@@ -9,12 +9,12 @@ The setup done by the playbook is very similar to [docker-jitsi-meet](https://gi ## Prerequisites -Before installing Jitsi, make sure you've created the `jitsi.DOMAIN` DNS record. See [Configuring DNS](configuring-dns.md). +Before installing Jitsi, make sure you've created the `jitsi.DOMAIN` DNS record (unless you've changed `jitsi_hostname`, as described below). See [Configuring DNS](configuring-dns.md) for details about DNS changes. You may also need to open the following ports to your server: - `4443/tcp` - RTP media fallback over TCP -- `10000/udp` - RTP media over UDP. Depending on your firewall/NAT setup, incoming RTP packets on port `10000` may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/custom/matrix-jitsi/defaults/main.yml)). +- `10000/udp` - RTP media over UDP. Depending on your firewall/NAT setup, incoming RTP packets on port `10000` may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`jitsi_jvb_stun_servers`](https://github.com/mother-of-all-self-hosting/ansible-role-jitsi/blob/main/defaults/main.yml)). ## Installation @@ -22,9 +22,14 @@ You may also need to open the following ports to your server: Add this to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: ```yaml -matrix_jitsi_enabled: true -``` +jitsi_enabled: true + +# Uncomment and adjust if you need to use another hostname +# jitsi_hostname: "jitsi.{{ matrix_domain }}" +# Uncomment and possible adjust if you'd like to host under a subpath +# jitsi_path_prefix: /jitsi +``` ## (Optional) Configure Jitsi authentication and guests mode 
@@ -37,19 +42,19 @@ Currently, there are three supported authentication modes: 'internal' (default), **Note:** Authentication is not tested via the playbook's self-checks. We therefore recommend that you manually verify if authentication is required by jitsi. -For this, try to manually create a conference on jitsi.DOMAIN in your browser. +For this, try to manually create a conference on jitsi.DOMAIN in your browser. ### Authenticate using Jitsi accounts (Auth-Type 'internal') -The default authentication mechanism is 'internal' auth, which requires jitsi-accounts to be setup and is the recommended setup, as it also works in federated rooms. +The default authentication mechanism is 'internal' auth, which requires jitsi-accounts to be setup and is the recommended setup, as it also works in federated rooms. With authentication enabled, all meeting rooms have to be opened by a registered user, after which guests are free to join. If a registered host is not yet present, guests are put on hold in individual waiting rooms. Add these lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: ```yaml -matrix_jitsi_enable_auth: true -matrix_jitsi_enable_guests: true -matrix_jitsi_prosody_auth_internal_accounts: +jitsi_enable_auth: true +jitsi_enable_guests: true +jitsi_prosody_auth_internal_accounts: - username: "jitsi-moderator" password: "secret-password" - username: "another-user" 
@@ -62,7 +67,7 @@ matrix_jitsi_prosody_auth_internal_accounts: ### Authenticate using Matrix OpenID (Auth-Type 'matrix') -**Attention: Probably breaks jitsi in federated rooms and does not allow sharing conference links with guests.** +**Attention: Probably breaks Jitsi in federated rooms and does not allow sharing conference links with guests.** Using this authentication type require a [Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service). By default, this playbook creates and configures a user-verification-service to run locally, see [configuring-user-verification-service](configuring-playbook-user-verification-service.md). @@ -70,8 +75,8 @@ By default, this playbook creates and configures a user-verification-service to To enable set this configuration at host level: ```yaml -matrix_jitsi_enable_auth: true -matrix_jitsi_auth_type: "matrix" +jitsi_enable_auth: true +jitsi_auth_type: matrix matrix_user_verification_service_enabled: true ``` 
@@ -82,21 +87,21 @@ For more information see also [https://github.com/matrix-org/prosody-mod-auth-ma An example LDAP configuration could be: ```yaml -matrix_jitsi_enable_auth: true -matrix_jitsi_auth_type: ldap -matrix_jitsi_ldap_url: "ldap://ldap.DOMAIN" -matrix_jitsi_ldap_base: "OU=People,DC=DOMAIN" -#matrix_jitsi_ldap_binddn: "" -#matrix_jitsi_ldap_bindpw: "" -matrix_jitsi_ldap_filter: "uid=%u" -matrix_jitsi_ldap_auth_method: "bind" -matrix_jitsi_ldap_version: "3" -matrix_jitsi_ldap_use_tls: true -matrix_jitsi_ldap_tls_ciphers: "" -matrix_jitsi_ldap_tls_check_peer: true -matrix_jitsi_ldap_tls_cacert_file: "/etc/ssl/certs/ca-certificates.crt" -matrix_jitsi_ldap_tls_cacert_dir: "/etc/ssl/certs" -matrix_jitsi_ldap_start_tls: false +jitsi_enable_auth: true +jitsi_auth_type: ldap +jitsi_ldap_url: "ldap://ldap.DOMAIN" +jitsi_ldap_base: "OU=People,DC=DOMAIN" +#jitsi_ldap_binddn: "" +#jitsi_ldap_bindpw: "" +jitsi_ldap_filter: "uid=%u" +jitsi_ldap_auth_method: "bind" +jitsi_ldap_version: "3" +jitsi_ldap_use_tls: true +jitsi_ldap_tls_ciphers: "" +jitsi_ldap_tls_check_peer: true +jitsi_ldap_tls_cacert_file: "/etc/ssl/certs/ca-certificates.crt" +jitsi_ldap_tls_cacert_dir: "/etc/ssl/certs" +jitsi_ldap_start_tls: false ``` For more information refer to the [docker-jitsi-meet](https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap) and the [saslauthd `LDAP_SASLAUTHD`](https://github.com/winlibs/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD) documentation. @@ -113,7 +118,7 @@ Here is how to do it in the playbook. Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: ```yaml -matrix_jitsi_jvb_container_extra_arguments: +jitsi_jvb_container_extra_arguments: - '--env "JVB_ADVERTISE_IPS="' ``` 
@@ -122,7 +127,7 @@ matrix_jitsi_jvb_container_extra_arguments: Sample **additional** `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration to save up resources (explained below): ```yaml -matrix_jitsi_web_custom_config_extension: | +jitsi_web_custom_config_extension: | config.enableLayerSuspension = true; config.disableAudioLevels = true; @@ -130,13 +135,12 @@ matrix_jitsi_web_custom_config_extension: | // Limit the number of video feeds forwarded to each client config.channelLastN = 4; -matrix_jitsi_web_config_resolution_width_ideal_and_max: 480 -matrix_jitsi_web_config_resolution_height_ideal_and_max: 240 +jitsi_web_config_resolution_width_ideal_and_max: 480 +jitsi_web_config_resolution_height_ideal_and_max: 240 ``` You may want to **suspend unused video layers** until they are requested again, to save up resources on both server and clients. Read more on this feature [here](https://jitsi.org/blog/new-off-stage-layer-suppression-feature/) -For this add this line to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: You may wish to **disable audio levels** to avoid excessive refresh of the client-side page and decrease the CPU consumption involved. @@ -150,10 +154,10 @@ You may want to **limit the maximum video resolution**, to save up resources on The playbook allows a user to set a max number of participants allowed to join a Jitsi conference. By default there is no limit. -In order to set the max number of participants add the following variable to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: +In order to set the max number of participants use the following **additional** configuration: -``` -matrix_prosody_jitsi_max_participants: +```yaml +jitsi_prosody_max_participants: 4 # example value ``` ## (Optional) Additional JVBs 
@@ -169,18 +173,18 @@ For this role to work you will need an additional section in the ansible hosts f ansible_host= ``` -Each JVB will require a server id to be set so that it can be uniquely identified and this allows Jitsi to keep track of which conferences are on which JVB. -The server id is set with the variable `matrix_jitsi_jvb_server_id` which ends up as the JVB_WS_SERVER_ID environment variables in the JVB docker container. +Each JVB will require a server id to be set so that it can be uniquely identified and this allows Jitsi to keep track of which conferences are on which JVB. +The server id is set with the variable `jitsi_jvb_server_id` which ends up as the JVB_WS_SERVER_ID environment variables in the JVB docker container. This variable can be set via the host file, a parameter to the ansible command or in the `vars.yaml` for the host which will have the additional JVB. For example: ``` yaml -matrix_jitsi_jvb_server_id: 'jvb-2' +jitsi_jvb_server_id: 'jvb-2' ``` ``` INI [jitsi_jvb_servers] -jvb-2.example.com ansible_host=192.168.0.2 matrix_jitsi_jvb_server_id=jvb-2 -jvb-3.example.com ansible_host=192.168.0.3 matrix_jitsi_jvb_server_id=jvb-2 +jvb-2.example.com ansible_host=192.168.0.2 jitsi_jvb_server_id=jvb-2 +jvb-3.example.com ansible_host=192.168.0.3 jitsi_jvb_server_id=jvb-2 ``` Note that the server id `jvb-1` is reserved for the JVB instance running on the Matrix host and therefore should not be used as the id of an additional jvb host. 
@@ -188,20 +192,20 @@ Note that the server id `jvb-1` is reserved for the JVB instance running on the The additional JVB will also need to expose the colibri web socket port and this can be done with the following variable: ```yaml -matrix_jitsi_jvb_container_colibri_ws_host_bind_port: 9090 +jitsi_jvb_container_colibri_ws_host_bind_port: 9090 ``` -The JVB will also need to know where the prosody xmpp server is located, similar to the server id this can be set in the vars for the JVB by using the variable -`matrix_jitsi_xmpp_server`. The Jitsi prosody container is deployed on the matrix server by default so the value can be set to the matrix domain. For example: +The JVB will also need to know where the prosody xmpp server is located, similar to the server id this can be set in the vars for the JVB by using the variable +`jitsi_xmpp_server`. The Jitsi prosody container is deployed on the matrix server by default so the value can be set to the matrix domain. For example: ```yaml -matrix_jitsi_xmpp_server: "{{ matrix_domain }}" +jitsi_xmpp_server: "{{ matrix_domain }}" ``` However, it can also be set the ip address of the matrix server. This can be useful if you wish to use a private ip. For example: ```yaml -matrix_jitsi_xmpp_server: "192.168.0.1" +jitsi_xmpp_server: "192.168.0.1" ``` The nginx configuration will also need to be updated in order to deal with the additional JVB servers. This is achieved via its own configuration variable @@ -216,7 +220,7 @@ matrix_nginx_proxy_proxy_jitsi_additional_jvbs: ``` -Applied together this will allow you to provision extra JVB instances which will register themselves with the prosody service and be available for jicofo +Applied together this will allow you to provision extra JVB instances which will register themselves with the prosody service and be available for jicofo to route conferences too. ## (Optional) Enable Gravatar 
@@ -227,7 +231,7 @@ Since element already sends the url of configured Matrix avatars to Jitsi, we di To enable Gravatar set: ```yaml -matrix_jitsi_disable_gravatar: false +jitsi_disable_gravatar: false ``` **Beware:** This leaks information to a third party, namely the Gravatar-Service (unless configured otherwise: gravatar.com). @@ -255,7 +259,7 @@ You can use the self-hosted Jitsi server in multiple ways: ### Rebuilding your Jitsi installation -**If you ever run into any trouble** or **if you change configuration (`matrix_jitsi_*` variables) too much**, we urge you to rebuild your Jitsi setup. +**If you ever run into any trouble** or **if you change configuration (`jitsi_*` variables) too much**, we urge you to rebuild your Jitsi setup. We normally don't require such manual intervention for other services, but Jitsi services generate a lot of configuration files on their own. @@ -263,7 +267,6 @@ These files are not all managed by Ansible (at least not yet), so you may someti To rebuild your Jitsi configuration: -- SSH into the server and do this: - - stop all Jitsi services (`systemctl stop matrix-jitsi-*`). - - remove all Jitsi configuration & data (`rm -rf /matrix/jitsi`) -- ask Ansible to set up Jitsi anew and restart services (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-jitsi,start`) +- ask Ansible to stop all Jitsi services: `just run-tags stop-group --extra-vars=group=jitsi` +- SSH into the server and do this and remove all Jitsi configuration & data (`rm -rf /matrix/jitsi`) +- ask Ansible to set up Jitsi anew and restart services (`just install-service jitsi`) diff --git a/docs/configuring-playbook-turn.md b/docs/configuring-playbook-turn.md index c1d777a89..df5419bd4 100644 --- a/docs/configuring-playbook-turn.md +++ b/docs/configuring-playbook-turn.md 
@@ -36,7 +36,7 @@ If you have or want to enable [Jitsi](configuring-playbook-jitsi.md), you might
 If you do not do it, Jitsi will fall back to an upstream service.
 ```yaml
-matrix_jitsi_web_stun_servers:
+jitsi_web_stun_servers:
 - stun:HOSTNAME_OR_IP:PORT
 ```
 You can put multiple host/port combinations if you like.
diff --git a/docs/faq.md b/docs/faq.md
index 48c658d18..d47c8b77d 100644
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -262,7 +262,7 @@ matrix_server_fqn_element: "element.YOUR_BASE_DOMAIN"
 # Feel free to use `dimension.matrix.YOUR_BASE_DOMAIN`, if you'd prefer that.
 matrix_server_fqn_dimension: "dimension.YOUR_BASE_DOMAIN"
-# This is where you access Jitsi (if enabled via `matrix_jitsi_enabled: true`; NOT enabled by default).
+# This is where you access Jitsi (if enabled via `jitsi_enabled: true`; NOT enabled by default).
 #
 # Feel free to use `jitsi.matrix.YOUR_BASE_DOMAIN`, if you'd prefer that.
 matrix_server_fqn_jitsi: "jitsi.YOUR_BASE_DOMAIN"
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 85a764a1f..39895152b 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -192,7 +192,7 @@ matrix_homeserver_app_service_config_files_auto: |
 # This list is not exhaustive and final.
 # Synapse workers are still injected into the list at runtime.
-# Additional JVB workers (playbooks/jitsi_jvb.yml -- roles/custom/matrix-jitsi/tasks/init_additional_jvb.yml) override this variable at runtime as well.
+# Additional JVB workers (playbooks/jitsi_jvb.yml -- roles/galaxy/jitsi/tasks/init_additional_jvb.yml) override this variable at runtime as well.
 #
 # Priority levels are like this:
 # - core services (the homeserver) get a level of ~1000
@@ -314,13 +314,13 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': (grafana_identifier + '.service'), 'priority': 4000, 'groups': ['matrix', 'monitoring', 'grafana']}] if grafana_enabled else []) + - ([{'name': 'matrix-jitsi-web.service', 'priority': 4200, 'groups': ['matrix', 'jitsi', 'jitsi-web']}] if matrix_jitsi_enabled else []) + ([{'name': (jitsi_identifier + '-web.service'), 'priority': 4200, 'groups': ['matrix', 'jitsi', 'jitsi-web']}] if jitsi_enabled else []) + - ([{'name': 'matrix-jitsi-prosody.service', 'priority': 4000, 'groups': ['matrix', 'jitsi', 'jitsi-prosody']}] if matrix_jitsi_enabled else []) + ([{'name': (jitsi_identifier + '-prosody.service'), 'priority': 4000, 'groups': ['matrix', 'jitsi', 'jitsi-prosody']}] if jitsi_enabled else []) + - ([{'name': 'matrix-jitsi-jicofo.service', 'priority': 4100, 'groups': ['matrix', 'jitsi', 'jitsi-jicofo']}] if matrix_jitsi_enabled else []) + ([{'name': (jitsi_identifier + '-jicofo.service'), 'priority': 4100, 'groups': ['matrix', 'jitsi', 'jitsi-jicofo']}] if jitsi_enabled else []) + - ([{'name': 'matrix-jitsi-jvb.service', 'priority': 4100, 'groups': ['matrix', 'jitsi', 'jitsi-jvb']}] if matrix_jitsi_enabled else []) + ([{'name': (jitsi_identifier + '-jvb.service'), 'priority': 4100, 'groups': ['matrix', 'jitsi', 'jitsi-jvb']}] if jitsi_enabled else []) + ([{'name': 'matrix-ldap-registration-proxy.service', 'priority': 2000, 'groups': ['matrix', 'ldap-registration-proxy']}] if matrix_ldap_registration_proxy_enabled else []) + @@ -2278,7 +2278,7 @@ etherpad_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}" etherpad_base_path: "{{ matrix_base_data_path }}/etherpad" -etherpad_framing_enabled: "{{ matrix_dimension_enabled or matrix_jitsi_enabled }}" +etherpad_framing_enabled: "{{ matrix_dimension_enabled or jitsi_enabled }}" etherpad_hostname: "{{ matrix_server_fqn_etherpad }}" 
@@ -2352,26 +2352,57 @@ matrix_email2matrix_container_image_self_build: "{{ matrix_architecture not in [ ###################################################################### # -# matrix-jitsi +# jitsi # ###################################################################### -matrix_jitsi_enabled: false +jitsi_enabled: false + +jitsi_architecture: "{{ matrix_architecture }}" + +jitsi_hostname: "{{ matrix_server_fqn_jitsi }}" + +jitsi_identifier: matrix-jitsi + +jitsi_base_path: "{{ matrix_base_data_path }}/jitsi" + +jitsi_uid: "{{ matrix_user_uid }}" +jitsi_gid: "{{ matrix_user_gid }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach jitsi/web over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the Jitsi HTTP port to the local host. -matrix_jitsi_web_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '13080') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +jitsi_web_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '13080') if matrix_playbook_service_host_bind_interface_prefix else '' }}" + +jitsi_web_container_additional_networks_auto: | + {{ + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + }} + +jitsi_jvb_container_colibri_ws_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '13090') if matrix_playbook_service_host_bind_interface_prefix else '' }}" + +jitsi_jvb_container_additional_networks_auto: | + {{ + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + }} + +jitsi_prosody_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '5280') if matrix_playbook_service_host_bind_interface_prefix else '' }}" 
-matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '13090') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +jitsi_prosody_container_additional_networks_auto: | + {{ + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + }} -matrix_jitsi_prosody_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '5280') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +jitsi_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" +jitsi_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +jitsi_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +jitsi_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" -matrix_jitsi_jibri_xmpp_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jibri', rounds=655555) | to_uuid }}" -matrix_jitsi_jicofo_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jicofo', rounds=655555) | to_uuid }}" -matrix_jitsi_jvb_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jvb', rounds=655555) | to_uuid }}" +jitsi_jibri_xmpp_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jibri', rounds=655555) | to_uuid }}" +jitsi_jicofo_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jicofo', rounds=655555) | to_uuid }}" +jitsi_jvb_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jvb', rounds=655555) | to_uuid }}" -matrix_jitsi_web_stun_servers: | +jitsi_web_stun_servers: | {{ [ 'stun:' + matrix_server_fqn_matrix + ':5349', 
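Review bot: `jitsi_prosody_container_additional_networks_auto` joins the Prosody container to `matrix_playbook_reverse_proxyable_services_additional_network`, the same network the web and JVB containers get, yet nothing visible in this commit publishes a reverse-proxy route for Prosody (the nginx-side variables only concern the web container and additional JVBs, as far as this diff shows). Unless the exported role defines a Traefik router for Prosody, that attachment makes the XMPP server reachable from every other container on the proxy network without a need; consider leaving it as `[]` with a comment, or adding a comment stating why Prosody must join. The same three-line Jinja expression is also repeated verbatim for web, JVB and Prosody; defining it once and referencing that variable from all three would keep them from drifting apart.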
@@ -2381,24 +2412,39 @@ matrix_jitsi_web_stun_servers: | else [ 'stun:meet-jit-si-turnrelay.jitsi.net:443'] }} +# The Jitsi instance installed by this playbook is meant for embedding into Matrix clients, so framing is allowed. +jitsi_web_framing_enabled: true + +jitsi_turn_credentials: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}" +jitsi_turn_host: "{{ ('turn.' + matrix_server_fqn_matrix) if matrix_coturn_enabled else '' }}" +jitsi_turns_host: "{{ ('turn.' + matrix_server_fqn_matrix) if matrix_coturn_enabled else '' }}" +jitsi_turn_port: "{{ matrix_coturn_container_stun_plain_host_bind_port if matrix_coturn_enabled else '' }}" +jitsi_turns_port: "{{ matrix_coturn_container_stun_tls_host_bind_port if matrix_coturn_enabled else '' }}" + # If the self-hosted Etherpad instance is available, it will also show up in Jitsi conferences, -# unless explicitly disabled by setting `matrix_jitsi_etherpad_enabled` to false. -# Falls back to the scalar.vector.im etherpad in case someone sets `matrix_jitsi_etherpad_enabled` to true, +# unless explicitly disabled by setting `jitsi_etherpad_enabled` to false. +# Falls back to the scalar.vector.im etherpad in case someone sets `jitsi_etherpad_enabled` to true, # while also setting `etherpad_enabled` to false. 
-matrix_jitsi_etherpad_enabled: "{{ etherpad_enabled }}" -matrix_jitsi_etherpad_base: "{{ etherpad_base_url if etherpad_enabled else 'https://scalar.vector.im/etherpad' }}" +jitsi_etherpad_enabled: "{{ etherpad_enabled }}" +jitsi_etherpad_base: "{{ etherpad_base_url if etherpad_enabled else 'https://scalar.vector.im/etherpad' }}" # Allow verification using JWT and matrix-UVS -matrix_jitsi_prosody_auth_matrix_uvs_auth_token: "{{ matrix_user_verification_service_uvs_auth_token }}" -matrix_jitsi_prosody_auth_matrix_uvs_location: "{{ matrix_user_verification_service_container_url }}" +jitsi_prosody_auth_matrix_uvs_auth_token: "{{ matrix_user_verification_service_uvs_auth_token }}" +jitsi_prosody_auth_matrix_uvs_location: "{{ matrix_user_verification_service_container_url }}" + +jitsi_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" -matrix_jitsi_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +# Gravatar is enabled by default upstream, but there's no need to leak data there needlessly +# when embedding Jitsi in Matrix rooms. +jitsi_disable_gravatar: true ###################################################################### # -# /matrix-jitsi +# /jitsi # ###################################################################### + + ###################################################################### # # matrix-ldap-registration-proxy 
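Review bot: `jitsi_turn_host` and `jitsi_turns_host` point Jitsi at `'turn.' + matrix_server_fqn_matrix`, while the STUN entry kept in the previous hunk (`'stun:' + matrix_server_fqn_matrix + ':5349'`) reaches coturn at `matrix_server_fqn_matrix` itself; the two expressions disagree on where coturn lives, and if no `turn.`-prefixed DNS record exists, TURN relaying for Jitsi would not work while STUN still does. Deriving both from the same coturn hostname variable, or documenting the extra DNS record next to these lines, would remove the mismatch. Separately, `jitsi_turn_credentials` hands the coturn static auth secret to the role; it is worth confirming that the role only consumes it server-side (to mint short-lived TURN credentials) and never renders it into client-visible web configuration, and a comment to that effect here would help future readers.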
@@ -2557,8 +2603,7 @@ matrix_nginx_proxy_proxy_rageshake_enabled: "{{ matrix_rageshake_enabled and mat matrix_nginx_proxy_proxy_etherpad_enabled: "{{ etherpad_enabled and not etherpad_nginx_proxy_dimension_integration_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" -matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" -matrix_nginx_proxy_proxy_jitsi_manage_wellknown: "{{ matrix_jitsi_require_well_known }}" +matrix_nginx_proxy_proxy_jitsi_enabled: "{{ jitsi_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_grafana_enabled: "{{ grafana_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" @@ -2570,7 +2615,6 @@ matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_ent matrix_nginx_proxy_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true -matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}" matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" 
@@ -2656,7 +2700,7 @@ matrix_nginx_proxy_systemd_wanted_services_list: | + ([(ntfy_identifier + '.service')] if ntfy_enabled else []) + - (['matrix-jitsi.service'] if matrix_jitsi_enabled else []) + ([(jitsi_identifier + '-web.service')] if jitsi_enabled else []) + (['matrix-sliding-sync-proxy.service'] if matrix_sliding_sync_enabled else []) + @@ -2687,7 +2731,7 @@ matrix_ssl_domains_to_obtain_certificates_for: | + ([matrix_server_fqn_bot_go_neb] if matrix_bot_go_neb_enabled else []) + - ([matrix_server_fqn_jitsi] if matrix_jitsi_enabled else []) + ([matrix_server_fqn_jitsi] if jitsi_enabled else []) + ([matrix_server_fqn_grafana] if grafana_enabled else []) + @@ -3185,7 +3229,7 @@ matrix_client_element_enable_presence_by_hs_url: | matrix_client_element_welcome_user_id: ~ -matrix_client_element_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matrix_jitsi_enabled else '' }}" +matrix_client_element_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if jitsi_enabled else '' }}" ###################################################################### # 
@@ -4007,7 +4051,7 @@ matrix_user_verification_service_systemd_required_services_list: | # If Jitsi is not managed by this playbook, or you otherwise have a need for it, you can expose # matrix-user-verfification-services's client-server port to port 3003. # By default Matrix-User-Verification-Service binds to port 3000, which collides with grafana, therefore this uses port 3003. -matrix_user_verification_service_container_http_host_bind_port: "{{ '' if (matrix_jitsi_enabled | bool and matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix') else matrix_playbook_service_host_bind_interface_prefix ~ '3003' }}" +matrix_user_verification_service_container_http_host_bind_port: "{{ '' if (jitsi_enabled | bool and jitsi_enable_auth | bool and jitsi_auth_type == 'matrix') else matrix_playbook_service_host_bind_interface_prefix ~ '3003' }}" # URL exposed in the docker network matrix_user_verification_service_container_url: "http://{{ matrix_user_verification_service_container_name }}:3000" diff --git a/playbooks/jitsi_jvb.yml b/playbooks/jitsi_jvb.yml index f19800908..4054d308c 100644 --- a/playbooks/jitsi_jvb.yml +++ b/playbooks/jitsi_jvb.yml @@ -8,5 +8,5 @@ - role: galaxy/com.devture.ansible.role.systemd_docker_base - custom/matrix-base - - custom/matrix-jitsi + - galaxy/jitsi - custom/matrix-common-after diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index 5bf19b9d5..9ce1aebea 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml @@ -100,7 +100,7 @@ - custom/matrix-client-element - custom/matrix-client-hydrogen - custom/matrix-client-cinny - - custom/matrix-jitsi + - galaxy/jitsi - custom/matrix-user-verification-service - custom/matrix-ldap-registration-proxy - custom/matrix-ma1sd diff --git a/requirements.yml b/requirements.yml index 495ba0d59..97095888c 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -34,6 +34,9 @@ name: geerlingguy.docker - src: git+https://gitlab.com/etke.cc/roles/grafana.git version: v9.4.7-1 +- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git + version: v8319-6 + name: jitsi - src: git+https://gitlab.com/etke.cc/roles/ntfy.git version: v2.3.1-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git diff --git a/roles/custom/matrix-jitsi/defaults/main.yml b/roles/custom/matrix-jitsi/defaults/main.yml deleted file mode 100644 index ef4cf100d..000000000 --- a/roles/custom/matrix-jitsi/defaults/main.yml +++ /dev/null 
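Review bot: The new `jitsi` entry pins a mutable git tag (`version: v8319-6`) from a GitHub repository, so what `ansible-galaxy install` fetches can change if the tag is moved and nothing here checks the integrity of the role that is then run as a privileged Ansible role. This is consistent with the neighbouring `grafana`, `ntfy` and `prometheus` entries, so it is a convention question rather than a regression this commit introduces; if a stronger supply-chain guarantee is wanted, `version:` accepts the tag's full commit SHA for git sources and that would make the pin immutable. A short comment tying the tag to the upstream Jitsi release it appears to track, e.g. `# v8319-6 tracks jitsi stable-8319`, would also let reviewers match it against the `stable-8319` image tag the deleted `matrix-jitsi` defaults used.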
@@ -1,320 +0,0 @@ ---- -# Project source code URL: https://github.com/jitsi/docker-jitsi-meet - -matrix_jitsi_enabled: true - -matrix_jitsi_base_path: "{{ matrix_base_data_path }}/jitsi" - -matrix_jitsi_enable_auth: false -matrix_jitsi_enable_guests: false -matrix_jitsi_enable_recording: false -matrix_jitsi_enable_transcriptions: false -matrix_jitsi_enable_jaas_components: false -matrix_jitsi_enable_p2p: true -matrix_jitsi_enable_av_moderation: true -matrix_jitsi_enable_breakout_rooms: true -matrix_jitsi_disable_gravatar: true - -# Authentication type, must be one of internal, jwt, matrix or ldap. -# Currently, only internal, matrix and ldap mechanisms are supported by this playbook. -# matrix auth verifies against matrix openID, and requires a user-verification-service to run. -matrix_jitsi_auth_type: internal - -# A list of Jitsi (Prosody) accounts to create using the internal authentication mechanism. -# -# Accounts added here and subsequently removed will not be automatically removed -# from the Prosody server until user account cleaning is integrated into the playbook. -# -# Example: -# matrix_jitsi_prosody_auth_internal_accounts: -# - username: "jitsi-moderator" -# password: "secret-password" -# - username: "another-user" -# password: "another-password" -matrix_jitsi_prosody_auth_internal_accounts: [] - -# Configuration options for LDAP authentication. For details see upstream: -# https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap. 
-# Defaults are taken from: -# https://github.com/jitsi/docker-jitsi-meet/blob/master/prosody/rootfs/defaults/saslauthd.conf -matrix_jitsi_ldap_url: "" -matrix_jitsi_ldap_base: "" -matrix_jitsi_ldap_binddn: "" -matrix_jitsi_ldap_bindpw: "" -matrix_jitsi_ldap_filter: "uid=%u" -matrix_jitsi_ldap_auth_method: "bind" -matrix_jitsi_ldap_version: "3" -matrix_jitsi_ldap_use_tls: false -matrix_jitsi_ldap_tls_ciphers: "" -matrix_jitsi_ldap_tls_check_peer: false -matrix_jitsi_ldap_tls_cacert_file: "/etc/ssl/certs/ca-certificates.crt" -matrix_jitsi_ldap_tls_cacert_dir: "/etc/ssl/certs" -matrix_jitsi_ldap_start_tls: false - -# Auth type: matrix -matrix_jitsi_prosody_auth_matrix_user_verification_repo_location: "https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification" -matrix_jitsi_prosody_auth_matrix_user_verification_repo_target: "{{ matrix_jitsi_prosody_ext_path }}/prosody_auth_matrix_user_verification" -matrix_jitsi_prosody_auth_matrix_user_verification_repo_version: "2839499cb03894d8cfc3e5b2219441427cb133d8" # v1.8.0 -matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels: true -matrix_jitsi_prosody_auth_matrix_uvs_location: "" -# Should match domain, see https://github.com/vector-im/element-web/pull/15114/commits/0410a6b3be82a41457275e4d1ce879dea146e092 -matrix_jitsi_prosody_auth_matrix_jwt_app_id: "{{ matrix_server_fqn_jitsi }}" -matrix_jitsi_prosody_auth_matrix_files: - - path: "mod_auth_matrix_user_verification.lua" - when: true - - path: "mod_matrix_power_sync.lua" - when: "{{ matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels }}" - -# Plugged in group_vars -matrix_jitsi_prosody_auth_matrix_uvs_auth_token: '' - -matrix_jitsi_timezone: UTC - -matrix_jitsi_xmpp_domain: meet.jitsi -matrix_jitsi_xmpp_server: xmpp.meet.jitsi -matrix_jitsi_xmpp_auth_domain: auth.meet.jitsi -matrix_jitsi_xmpp_bosh_url_base: http://{{ matrix_jitsi_xmpp_server }}:5280 -matrix_jitsi_xmpp_guest_domain: guest.meet.jitsi -matrix_jitsi_xmpp_muc_domain: muc.meet.jitsi 
-matrix_jitsi_xmpp_internal_muc_domain: internal-muc.meet.jitsi -matrix_jitsi_xmpp_modules: '' - -matrix_jitsi_recorder_domain: recorder.meet.jitsi - - -matrix_jitsi_jibri_brewery_muc: jibribrewery -matrix_jitsi_jibri_pending_timeout: 90 -matrix_jitsi_jibri_xmpp_user: jibri -matrix_jitsi_jibri_xmpp_password: '' -matrix_jitsi_jibri_recorder_user: recorder -matrix_jitsi_jibri_recorder_password: '' - -matrix_jitsi_enable_lobby: false - -matrix_jitsi_version: stable-8319 -matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility - -matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}" -matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}" - -matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web" -matrix_jitsi_web_config_path: "{{ matrix_jitsi_web_base_path }}/config" -matrix_jitsi_web_transcripts_path: "{{ matrix_jitsi_web_base_path }}/transcripts" -matrix_jitsi_web_crontabs_path: "{{ matrix_jitsi_web_base_path }}/crontabs" - -matrix_jitsi_web_public_url: "https://{{ matrix_server_fqn_jitsi }}" - -# STUN servers used in the web UI. Feel free to point them to your own STUN server. -# Addresses need to be prefixed with one of `stun:`, `turn:` or `turns:`. 
-matrix_jitsi_web_stun_servers: ['stun:meet-jit-si-turnrelay.jitsi.net:443'] - -# Setting up TURN -# Default set with Coturn container -matrix_jitsi_turn_credentials: "{{ matrix_coturn_turn_static_auth_secret }}" -matrix_jitsi_turn_host: "turn.{{ matrix_server_fqn_matrix }}" -matrix_jitsi_turns_host: "turn.{{ matrix_server_fqn_matrix }}" -matrix_jitsi_turn_port: "{{ matrix_coturn_container_stun_plain_host_bind_port }}" -matrix_jitsi_turns_port: "{{ matrix_coturn_container_stun_tls_host_bind_port }}" -matrix_jitsi_turn_transport: tcp - -# Controls whether Etherpad will be available within Jitsi -matrix_jitsi_etherpad_enabled: false - -# Controls whether the matrix-jitsi-web container exposes its HTTP port (tcp/80 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:13080"), or empty string to not expose. -matrix_jitsi_web_container_http_host_bind_port: '' - -# A list of extra arguments to pass to the container -matrix_jitsi_web_container_extra_arguments: [] - -# List of systemd services that matrix-jitsi-web.service depends on -matrix_jitsi_web_systemd_required_services_list: ['docker.service'] - - -# Custom configuration to be appended to `interface_config.js`, passed to Jitsi Web. -# -# Note: not to be confused with `matrix_jitsi_web_custom_config_extension`. -# -# For interface configuration, the flow is like this: -# - a default `interface_config.js` is generated from within the docker image -# - the contents of `matrix_jitsi_web_custom_interface_config_extension` is appended and can define new settings or override defaults. -# -# Example: -# matrix_jitsi_web_custom_interface_config_extension: | -# interfaceConfig.LANG_DETECTION = false; -# interfaceConfig.SHOW_JITSI_WATERMARK = false; -# interfaceConfig.DISABLE_VIDEO_BACKGROUND = true; -matrix_jitsi_web_custom_interface_config_extension: '' - - -# Controls after which participant audio will be muted. 
If not specified, defaults to Jitsi's default value (likely 10) -matrix_jitsi_web_config_start_audio_muted_after_nth_participant: ~ -# Controls after which participant video will be muted. If not specified, defaults to Jitsi's default value (likely 10) -matrix_jitsi_web_config_start_video_muted_after_nth_participant: ~ - -matrix_jitsi_web_config_defaultLanguage: 'en' # noqa var-naming - -# Ideal and also maximum resolution width. If not specified, defaults to Jitsi's default value (likely 1280) -matrix_jitsi_web_config_resolution_width_ideal_and_max: ~ -# Minimum resolution width. If not specified, defaults to Jitsi's default value (likely 320) -matrix_jitsi_web_config_resolution_width_min: ~ -# Ideal and also maximum resolution height. If not specified, defaults to Jitsi's default value (likely 720) -matrix_jitsi_web_config_resolution_height_ideal_and_max: ~ -# Minimum resolution height. If not specified, defaults to Jitsi's default value (likely 180) -matrix_jitsi_web_config_resolution_height_min: ~ - -# Custom configuration to be injected into `custom-config.js`, passed to Jitsi Web. -# This configuration gets appended to the final configuration that Jitsi Web uses. -# -# Note: not to be confused with `matrix_jitsi_web_custom_interface_config_extension`. -# -# The flow is like this: -# - some default configuration is automatically generated based on the environment variables passed to the Jitsi Web container -# - the contents of `custom-config.js` is appended to it (see `templates/web/custom-config.js.j2`) -# - said `custom-config.js` contains your custom contents specified in `matrix_jitsi_web_custom_config_extension`. -# -# Example: -# matrix_jitsi_web_custom_config_extension: | -# if (!config.hasOwnProperty('testing')) config.testing = {}; -# config.testing.p2pTestMode = true -matrix_jitsi_web_custom_config_extension: '' - -# Additional environment variables to pass to the Jitsi Web container. 
-# You can use this to further influence the default configuration generated by the Jitsi Web container on every startup. -# Besides influencing the final configuration by passing environment variables, you can also inject custom configuration -# by using `matrix_jitsi_web_custom_config_extension`. -# -# Example: -# matrix_jitsi_web_environment_variables_extension: | -# ENABLE_FILE_RECORDING_SERVICE=1 -# DROPBOX_APPKEY=something -# DROPBOX_REDIRECT_URI=something -matrix_jitsi_web_environment_variables_extension: '' - - -matrix_jitsi_prosody_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/prosody:{{ matrix_jitsi_container_image_tag }}" -matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}" - -matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody" -matrix_jitsi_prosody_config_path: "{{ matrix_jitsi_prosody_base_path }}/config" -matrix_jitsi_prosody_plugins_path: "{{ matrix_jitsi_prosody_base_path }}/prosody-plugins-custom" -matrix_jitsi_prosody_ext_path: "{{ matrix_jitsi_prosody_base_path }}/ext" - -# well known is currently only needed for auth type "matrix" -matrix_jitsi_require_well_known: "{{ matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix' }}" -matrix_jitsi_wellknown_element_jitsi_json: '{"auth": "openidtoken-jwt"}' - -# -matrix_jitsi_muc_modules: | - {{ - (['matrix_power_sync'] if matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels | bool else []) - }} - -# A list of extra arguments to pass to the container -matrix_jitsi_prosody_container_extra_arguments: [] - -# List of systemd services that matrix-jitsi-prosody.service depends on -matrix_jitsi_prosody_systemd_required_services_list: ['docker.service'] - -# Neccessary Port binding for those disabling the integrated nginx proxy -matrix_jitsi_prosody_container_http_host_bind_port: '' - -matrix_jitsi_prosody_container_jvb_host_bind_port: 5222 - -matrix_jitsi_jicofo_docker_image: "{{ 
matrix_container_global_registry_prefix }}jitsi/jicofo:{{ matrix_jitsi_container_image_tag }}" -matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}" - -matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo" -matrix_jitsi_jicofo_config_path: "{{ matrix_jitsi_jicofo_base_path }}/config" - -# A list of extra arguments to pass to the container -matrix_jitsi_jicofo_container_extra_arguments: [] - -# List of systemd services that matrix-jitsi-jicofo.service depends on -matrix_jitsi_jicofo_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service'] - -matrix_jitsi_jicofo_component_secret: '' -matrix_jitsi_jicofo_auth_user: focus -matrix_jitsi_jicofo_auth_password: '' - -# To enable Sentry integration for Jicofo, specify a valid DSN connection string -matrix_jitsi_jicofo_sentry_dsn: '' - -matrix_jitsi_jvb_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jvb:{{ matrix_jitsi_container_image_tag }}" -matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}" - -matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb" -matrix_jitsi_jvb_config_path: "{{ matrix_jitsi_jvb_base_path }}/config" - -# A list of extra arguments to pass to the container -matrix_jitsi_jvb_container_extra_arguments: [] - -# List of systemd services that matrix-jitsi-jvb.service depends on -matrix_jitsi_jvb_systemd_required_services_list: ['docker.service'] - -matrix_jitsi_jvb_auth_user: jvb -matrix_jitsi_jvb_auth_password: '' - -# To enable Sentry integration for JVB, specify a valid DSN connection string -matrix_jitsi_jvb_sentry_dsn: '' - -# STUN servers used by JVB on the server-side, so it can discover its own external IP address. -# Pointing this to a STUN server running on the same Docker network may lead to incorrect IP address discovery. 
-matrix_jitsi_jvb_stun_servers: ['meet-jit-si-turnrelay.jitsi.net:443'] - -matrix_jitsi_jvb_brewery_muc: jvbbrewery -matrix_jitsi_jvb_rtp_udp_port: 10000 -matrix_jitsi_jvb_rtp_tcp_port: 4443 -matrix_jitsi_jvb_server_id: 'jvb-1' - - -# Custom configuration to be injected into `custom-sip-communicator.properties`, passed to Jitsi JVB. -# This configuration gets appended to the final configuration that Jitsi JVB uses. -# -# The flow is like this: -# - some default configuration is automatically generated based on the environment variables passed to the Jitsi JVB container -# - the contents of `custom-sip-communicator.properties` is appended to it (see `templates/jvb/custom-sip-communicator.properties.j2`) -# - said `custom-sip-communicator.properties` contains your custom contents specified in `matrix_jitsi_jvb_custom_config_extension`. -# -# Example: -# matrix_jitsi_jvb_custom_config_extension: | -# org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=false -# org.jitsi.videobridge.ENABLE_STATISTICS=false -matrix_jitsi_jvb_custom_config_extension: '' - -# Additional environment variables to pass to the Jitsi JVB container. -# You can use this to further influence the default configuration generated by the Jitsi JVB container on every startup. -# Besides influencing the final configuration by passing environment variables, you can also inject custom configuration -# by using `matrix_jitsi_jvb_custom_config_extension`. -# -# Example: -# matrix_jitsi_jvb_environment_variables_extension: | -# SOME_VARIABLE=1 -# ANOTHER_VARIABLE=something -matrix_jitsi_jvb_environment_variables_extension: '' - -# Controls whether the matrix-jitsi-jvb container exposes its RTP UDP port (udp/10000 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:10000"), or empty string to not expose. 
-matrix_jitsi_jvb_container_rtp_udp_host_bind_port: "{{ matrix_jitsi_jvb_rtp_udp_port }}" - -# Controls whether the matrix-jitsi-jvb container exposes its RTP UDP port (udp/4443 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:4443"), or empty string to not expose. -matrix_jitsi_jvb_container_rtp_tcp_host_bind_port: "{{ matrix_jitsi_jvb_rtp_tcp_port }}" - -# Controls whether the matrix-jitsi-jvb container exposes its Colibri WebSocket port (tcp/9090 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:12090"), or empty string to not expose. -matrix_jitsi_jvb_container_colibri_ws_host_bind_port: '' - -# Default max participants to the empty string -# -# The setting requires an integer to be set for usage and allows a user to specify the max number of particpants on a conference. -matrix_prosody_jitsi_max_participants: '' - -# Allows abailty to set XMPP AUTH user if using JIGASI -matrix_jitsi_jigasi_xmpp_user: '' -# Allows abailty to set XMPP AUTH pasword if using JIGASI -matrix_jitsi_jigasi_xmpp_password: '' diff --git a/roles/custom/matrix-jitsi/tasks/init_additional_jvb.yml b/roles/custom/matrix-jitsi/tasks/init_additional_jvb.yml deleted file mode 100644 index 87420bc49..000000000 --- a/roles/custom/matrix-jitsi/tasks/init_additional_jvb.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- ansible.builtin.set_fact: - devture_systemd_service_manager_services_list_auto: "{{ [{'name': 'matrix-jitsi-jvb.service', 'priority': 1000, 'groups': ['matrix', 'jitsi', 'jitsi-jvb']}] }}" - when: matrix_jitsi_enabled | bool diff --git a/roles/custom/matrix-jitsi/tasks/main.yml b/roles/custom/matrix-jitsi/tasks/main.yml deleted file mode 100644 index 0ebf3ad62..000000000 --- a/roles/custom/matrix-jitsi/tasks/main.yml +++ /dev/null 
@@ -1,75 +0,0 @@ ---- - -- tags: - - setup-additional-jitsi-jvb - - install-additional-jitsi-jvb - block: - - when: matrix_jitsi_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/init_additional_jvb.yml" - -- tags: - - setup-all - - setup-jitsi - - setup-additional-jitsi-jvb - - install-all - - install-jitsi - - install-additional-jitsi-jvb - block: - - when: matrix_jitsi_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - - - when: matrix_jitsi_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_base.yml" - -- tags: - - setup-all - - setup-jitsi - - install-all - - install-jitsi - block: - - when: matrix_jitsi_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_web_install.yml" - - - when: matrix_jitsi_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_prosody_install.yml" - - - when: matrix_jitsi_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jicofo_install.yml" - -- tags: - - setup-all - - setup-jitsi - block: - - when: not matrix_jitsi_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_web_uninstall.yml" - - - when: not matrix_jitsi_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_prosody_uninstall.yml" - - - when: not matrix_jitsi_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jicofo_uninstall.yml" - -- tags: - - setup-all - - setup-jitsi - - setup-additional-jitsi-jvb - - install-all - - install-jitsi - - install-additional-jitsi-jvb - block: - - when: matrix_jitsi_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jvb_install.yml" - -- tags: - - setup-all - - setup-jitsi - - setup-additional-jitsi-jvb - block: - - when: not matrix_jitsi_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jvb_uninstall.yml" 
- -- tags: - - self-check - block: - - when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix' - ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_matrix_auth.yml" diff --git a/roles/custom/matrix-jitsi/tasks/self_check_matrix_auth.yml b/roles/custom/matrix-jitsi/tasks/self_check_matrix_auth.yml deleted file mode 100644 index 52d865c5d..000000000 --- a/roles/custom/matrix-jitsi/tasks/self_check_matrix_auth.yml +++ /dev/null 
@@ -1,63 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_jitsi_prosody_self_check_uvs_health_url: "{{ matrix_jitsi_prosody_auth_matrix_uvs_location }}/health" - matrix_jitsi_element_jitsi_well_known_url: "{{ matrix_jitsi_web_public_url }}/.well-known/element/jitsi" - -- name: Check if jitsi serves the .well-known/element/jitsi - ansible.builtin.uri: - url: "{{ matrix_jitsi_element_jitsi_well_known_url }}" - follow_redirects: none - return_content: true - validate_certs: "{{ matrix_jitsi_self_check_validate_certificates }}" - headers: - Origin: example.com - check_mode: false - register: result_well_known_jitsi_element_jitsi - ignore_errors: true - -- name: Fail if .well-known not working - ansible.builtin.fail: - msg: | - Failed checking that the Jitsi well-known file for Element auth is configured at `{{ matrix_jitsi_element_jitsi_well_known_url }}` - Full error: {{ result_well_known_jitsi_element_jitsi }} - when: "result_well_known_jitsi_element_jitsi.failed" - -- name: Parse JSON for well-known payload at the matrix hostname - ansible.builtin.set_fact: - well_known_matrix_payload: "{{ result_well_known_jitsi_element_jitsi.content | from_json }}" - -- name: Fail if .well-known not CORS-aware - ansible.builtin.fail: - msg: "The well-known file on `{{ matrix_jitsi_element_jitsi_well_known_url }}` is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set." 
- when: "'access_control_allow_origin' not in result_well_known_jitsi_element_jitsi" - -- name: Report working .well-known - ansible.builtin.debug: - msg: "well-known is configured correctly at `{{ matrix_jitsi_element_jitsi_well_known_url }}`" - -- name: Check if we can reach the user verification service and if it's healthy - ansible.builtin.command: - argv: - - "docker" - - "exec" - - "matrix-jitsi-prosody" - - "wget" - - "-O" - - "-" - - "--quiet" - - "{{ matrix_jitsi_prosody_self_check_uvs_health_url | quote }}" - register: matrix_jitsi_prosody_self_check_uvs_result - changed_when: false - ignore_errors: true - -- name: Fail if user verification service is not (reachable and healthy) - ansible.builtin.fail: - msg: | - Failed checking user verification service is up (checked endpoint: `{{ matrix_jitsi_prosody_self_check_uvs_health_url }}`). - Full error: {{ matrix_jitsi_prosody_self_check_uvs_result }} - when: "matrix_jitsi_prosody_self_check_uvs_result.failed" - -- name: Report healthy user verification service - ansible.builtin.debug: - msg: "User verification service is working (checked endpoint: `{{ matrix_jitsi_prosody_self_check_uvs_health_url }}`)" diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_base.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_base.yml deleted file mode 100644 index 68be1efb7..000000000 --- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_base.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- - -- ansible.builtin.include_role: - name: custom/matrix-base - tasks_from: ensure_openssl_installed - -- name: Ensure Matrix jitsi base path exists - ansible.builtin.file: - path: "{{ item.path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - {path: "{{ matrix_jitsi_base_path }}", when: true} - when: item.when | bool 
diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo_install.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo_install.yml deleted file mode 100644 index 6782ecd5b..000000000 --- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo_install.yml +++ /dev/null 
@@ -1,51 +0,0 @@ ---- - -- name: Ensure Matrix jitsi-jicofo path exists - ansible.builtin.file: - path: "{{ item.path }}" - state: directory - mode: 0777 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - {path: "{{ matrix_jitsi_jicofo_base_path }}", when: true} - - {path: "{{ matrix_jitsi_jicofo_config_path }}", when: true} - when: item.when | bool - -- name: Ensure jitsi-jicofo Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_jitsi_jicofo_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_jitsi_jicofo_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_jicofo_docker_image_force_pull }}" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure jitsi-jicofo environment variables file created - ansible.builtin.template: - src: "{{ role_path }}/templates/jicofo/env.j2" - dest: "{{ matrix_jitsi_jicofo_base_path }}/env" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - mode: 0640 - when: matrix_jitsi_enabled | bool - -- name: Ensure jitsi-jicofo configuration files created - ansible.builtin.template: - src: "{{ role_path }}/templates/jicofo/{{ item }}.j2" - dest: "{{ matrix_jitsi_jicofo_config_path }}/{{ item }}" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - mode: 0644 - with_items: - - sip-communicator.properties - - logging.properties - -- name: Ensure matrix-jitsi-jicofo.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/jicofo/matrix-jitsi-jicofo.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jicofo.service" - mode: 
0644 - register: matrix_jitsi_jicofo_systemd_service_result diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo_uninstall.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo_uninstall.yml deleted file mode 100644 index 6ddd89375..000000000 --- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo_uninstall.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- - -- name: Check existence of matrix-jitsi-jicofo service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jicofo.service" - register: matrix_jitsi_jicofo_service_stat - -- when: matrix_jitsi_jicofo_service_stat.stat.exists | bool - block: - - name: Ensure matrix-jitsi-jicofo is stopped - ansible.builtin.service: - name: matrix-jitsi-jicofo - state: stopped - enabled: false - daemon_reload: true - - - name: Ensure matrix-jitsi-jicofo.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jicofo.service" - state: absent - - - name: Ensure Matrix jitsi-jicofo paths doesn't exist - ansible.builtin.file: - path: "{{ matrix_jitsi_jicofo_base_path }}" - state: absent diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb_install.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb_install.yml deleted file mode 100644 index 356b40680..000000000 --- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb_install.yml +++ /dev/null 
@@ -1,49 +0,0 @@ ---- - -- name: Ensure Matrix jitsi-jvb path exists - ansible.builtin.file: - path: "{{ item.path }}" - state: directory - mode: 0777 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - {path: "{{ matrix_jitsi_jvb_base_path }}", when: true} - - {path: "{{ matrix_jitsi_jvb_config_path }}", when: true} - when: item.when | bool - -- name: Ensure jitsi-jvb Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_jitsi_jvb_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_jitsi_jvb_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_jvb_docker_image_force_pull }}" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure jitsi-jvb configuration files created - ansible.builtin.template: - src: "{{ role_path }}/templates/jvb/{{ item }}.j2" - dest: "{{ matrix_jitsi_jvb_config_path }}/{{ item }}" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - mode: 0644 - with_items: - - custom-sip-communicator.properties - - logging.properties - -- name: Ensure jitsi-jvb environment variables file created - ansible.builtin.template: - src: "{{ role_path }}/templates/jvb/env.j2" - dest: "{{ matrix_jitsi_jvb_base_path }}/env" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - mode: 0640 - -- name: Ensure matrix-jitsi-jvb.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/jvb/matrix-jitsi-jvb.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jvb.service" - mode: 0644 
diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb_uninstall.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb_uninstall.yml deleted file mode 100644 index e3d7094f0..000000000 --- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb_uninstall.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- - -- name: Check existence of matrix-jitsi-jvb service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jvb.service" - register: matrix_jitsi_jvb_service_stat - -- when: matrix_jitsi_jvb_service_stat.stat.exists | bool - block: - - name: Ensure matrix-jitsi-jvb is stopped - ansible.builtin.service: - name: matrix-jitsi-jvb - state: stopped - enabled: false - daemon_reload: true - - - name: Ensure matrix-jitsi-jvb.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jvb.service" - state: absent - - - name: Ensure Matrix jitsi-jvb paths doesn't exist - ansible.builtin.file: - path: "{{ matrix_jitsi_jvb_base_path }}" - state: absent diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_install.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_install.yml deleted file mode 100644 index f5beab2bf..000000000 --- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_install.yml +++ /dev/null 
@@ -1,85 +0,0 @@ ---- - -- name: Ensure Matrix jitsi-prosody environment exists - ansible.builtin.file: - path: "{{ item.path }}" - state: directory - mode: 0777 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - {path: "{{ matrix_jitsi_prosody_base_path }}", when: true} - - {path: "{{ matrix_jitsi_prosody_config_path }}", when: true} - - {path: "{{ matrix_jitsi_prosody_plugins_path }}", when: true} - - {path: "{{ matrix_jitsi_prosody_ext_path }}", when: true} - when: item.when | bool - -- name: Ensure jitsi-prosody Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_jitsi_prosody_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_jitsi_prosody_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_prosody_docker_image_force_pull }}" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure jitsi-prosody environment variables file is created - ansible.builtin.template: - src: "{{ role_path }}/templates/prosody/env.j2" - dest: "{{ matrix_jitsi_prosody_base_path }}/env" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - mode: 0640 - -# Configure matrix authentication. 
-- name: Install user verification plugin - ansible.builtin.include_tasks: - file: "{{ role_path }}/tasks/util/setup_jitsi_auth_uvs_install.yml" - when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "matrix" - -- name: Manage Jitsi .well-known - when: matrix_jitsi_require_well_known | bool - block: - - name: Ensure .well-known directories exist - ansible.builtin.file: - path: "{{ item.path }}" - state: directory - mode: 0775 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - {path: "{{ matrix_static_files_base_path }}/.well-known/element", when: "{{ matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix' }}"} - when: item.when | bool - - # Create .well-known/element/jitsi in the static file directory for nginx-proxy. - - name: Ensure Jitsi /.well-known/element/jitsi configured - ansible.builtin.copy: - content: "{{ matrix_jitsi_wellknown_element_jitsi_json }}" - dest: "{{ matrix_static_files_base_path }}/.well-known/element/jitsi" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "matrix" -# END Block - -# Remove matrix authentication if disabled -- name: Ensure user verification plugin is not present if matrix auth is disabled - ansible.builtin.include_tasks: - file: "{{ role_path }}/tasks/util/setup_jitsi_auth_uvs_uninstall.yml" - when: (not matrix_jitsi_enable_auth | bool) or (matrix_jitsi_auth_type != "matrix") - -- name: Ensure matrix-jitsi-prosody.service file is installed - ansible.builtin.template: - src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-prosody.service" - mode: 0644 - register: matrix_jitsi_prosody_systemd_service_result - -# Tasks that require a running prosody container are called in this file. -- name: Run prosody related tasks, that require a running container. 
- ansible.builtin.include_tasks: - file: "{{ role_path }}/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml" - when: - - matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "internal" diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_uninstall.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_uninstall.yml deleted file mode 100644 index 4907b2a1d..000000000 --- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_uninstall.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- - -- name: Check if matrix-jitsi-prosody.service file exists - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-prosody.service" - register: matrix_jitsi_prosody_service_stat - -- when: matrix_jitsi_prosody_service_stat.stat.exists | bool - block: - - name: Ensure matrix-jitsi-prosody is stopped - ansible.builtin.service: - name: matrix-jitsi-prosody - state: stopped - enabled: false - daemon_reload: true - - - name: Ensure matrix-jitsi-prosody.service file doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-prosody.service" - state: absent - - - name: Ensure Matrix jitsi-prosody paths doesn't exist - ansible.builtin.file: - path: "{{ matrix_jitsi_prosody_base_path }}" - state: absent diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_web_install.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_web_install.yml deleted file mode 100644 index 710b2b0ca..000000000 --- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_web_install.yml +++ /dev/null 
@@ -1,52 +0,0 @@ ---- - -- name: Ensure Matrix jitsi-web path exists - ansible.builtin.file: - path: "{{ item.path }}" - state: directory - mode: 0777 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - {path: "{{ matrix_jitsi_web_base_path }}", when: true} - - {path: "{{ matrix_jitsi_web_config_path }}", when: true} - - {path: "{{ matrix_jitsi_web_transcripts_path }}", when: true} - - {path: "{{ matrix_jitsi_web_crontabs_path }}", when: true} - when: item.when | bool - -- name: Ensure jitsi-web Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_jitsi_web_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_jitsi_web_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_web_docker_image_force_pull }}" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure jitsi-web environment variables file created - ansible.builtin.template: - src: "{{ role_path }}/templates/web/env.j2" - dest: "{{ matrix_jitsi_web_base_path }}/env" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - mode: 0640 - -- name: Ensure jitsi-web configuration files created - ansible.builtin.template: - src: "{{ role_path }}/templates/web/{{ item }}.j2" - dest: "{{ matrix_jitsi_web_config_path }}/{{ item }}" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - mode: 0644 - with_items: - - custom-config.js - - custom-interface_config.js - -- name: Ensure matrix-jitsi-web.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/web/matrix-jitsi-web.service.j2" - dest: "{{ 
devture_systemd_docker_base_systemd_path }}/matrix-jitsi-web.service" - mode: 0644 - register: matrix_jitsi_web_systemd_service_result diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_web_uninstall.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_web_uninstall.yml deleted file mode 100644 index 1707d7e9b..000000000 --- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_web_uninstall.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- - -- name: Check existence of matrix-jitsi-web service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-web.service" - register: matrix_jitsi_web_service_stat - -- when: matrix_jitsi_web_service_stat.stat.exists | bool - block: - - name: Ensure matrix-jitsi-web is stopped - ansible.builtin.service: - name: matrix-jitsi-web - state: stopped - enabled: false - daemon_reload: true - - - name: Ensure matrix-jitsi-web.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-web.service" - state: absent - - - name: Ensure Matrix jitsi-web paths doesn't exist - ansible.builtin.file: - path: "{{ matrix_jitsi_web_base_path }}" - state: absent diff --git a/roles/custom/matrix-jitsi/tasks/util/prosody_post_setup_hooks/setup_jitsi_auth_internal.yml b/roles/custom/matrix-jitsi/tasks/util/prosody_post_setup_hooks/setup_jitsi_auth_internal.yml deleted file mode 100644 index ac9bda49b..000000000 --- a/roles/custom/matrix-jitsi/tasks/util/prosody_post_setup_hooks/setup_jitsi_auth_internal.yml +++ /dev/null 
@@ -1,17 +0,0 @@ ---- -# -# Tasks related to configuring Jitsi internal authentication on a running prosody instance. -# - -- name: Ensure Jitsi internal authentication users are configured - ansible.builtin.shell: "{{ devture_systemd_docker_base_host_command_docker }} exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register {{ item.username | quote }} meet.jitsi {{ item.password | quote }}" - with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}" - when: - - matrix_jitsi_prosody_auth_internal_accounts|length > 0 - register: matrix_jitsi_user_configuration_result - changed_when: matrix_jitsi_user_configuration_result.rc == 0 - no_log: true - -# -# Tasks related to clean up after configuring internal authentication. -# diff --git a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml deleted file mode 100644 index 4aa67a316..000000000 --- a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- - -- name: Checkout Prosody Auth Matrix User Verification Plugin Repo - ansible.builtin.git: - repo: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_location }}" - dest: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}" - version: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_version }}" - become: true - become_user: "{{ matrix_user_username }}" - -- name: Install Prosody Auth Matrix User Verification Plugin - ansible.builtin.copy: - remote_src: true - src: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}/{{ item.path }}" - dest: "{{ matrix_jitsi_prosody_plugins_path }}/{{ item.path }}" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: "{{ matrix_jitsi_prosody_auth_matrix_files }}" - when: item.when | bool 
diff --git a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml deleted file mode 100644 index 2559c7e69..000000000 --- a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- - -- name: Remove all files regarding prosody mod auth_matrix_user_verification and .well-known/element/jitsi - ansible.builtin.file: - path: "{{ item }}" - state: absent - with_flattened: - - "{{ matrix_static_files_base_path }}/.well-known/element/jitsi" - - "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}" - - "{{ matrix_jitsi_prosody_auth_matrix_files | map(attribute='path') | map('regex_replace', '^', matrix_jitsi_prosody_plugins_path+'/') | list }}" - register: matrix_jitsi_prosody_auth_matrix_user_verification_uninstalled - -- when: matrix_jitsi_prosody_auth_matrix_user_verification_uninstalled.changed - block: - - name: Populate service facts - ansible.builtin.service_facts: - - - name: Ensure prosody is restarted later on if currently running - ansible.builtin.set_fact: - matrix_jitsi_prosody_require_restart: "{{ true if ansible_facts.services['matrix-jitsi-prosody.service']['state'] == 'running' else false }}" diff --git a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml deleted file mode 100644 index 6be6092a0..000000000 --- a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml +++ /dev/null 
@@ -1,49 +0,0 @@ ---- -##### -# -# This tasks file starts and stops (if state before was stopped) a prosody container during setup to run commands, -# that require a running prosody container. -# The task is called in ../setup_jitsi_prosody_install.yml. -# -# Important: The task is called conditionally, as to only start if really needed. -# So if you add or change anything - remember to also change the 'when' in: ../setup_jitsi_prosody_install.yml -# -##### - -# -# Start Necessary Services -# - -- name: Ensure matrix-jitsi-prosody container is running - ansible.builtin.systemd: - state: "{{ 'restarted' if matrix_jitsi_prosody_require_restart | default(false) | bool else 'started' }}" - name: matrix-jitsi-prosody - register: matrix_jitsi_prosody_start_result - -# If the flag was set, we can safely disable now. -- name: Disable require restart flag - ansible.builtin.set_fact: - matrix_jitsi_prosody_require_restart: false - -# -# Tasks related to configuring Jitsi internal authentication -# - -- name: Ensure internal authentication is properly configured - ansible.builtin.include_tasks: - file: "{{ role_path }}/tasks/util/prosody_post_setup_hooks/setup_jitsi_auth_internal.yml" - when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "internal" - -# -# Tasks related to ... -# - - -# -# Stop Necessary Services -# -- name: Ensure matrix-jitsi-prosody container is stopped if necessary - ansible.builtin.systemd: - state: stopped - name: matrix-jitsi-prosody - when: matrix_jitsi_prosody_start_result.changed | bool diff --git a/roles/custom/matrix-jitsi/tasks/validate_config.yml b/roles/custom/matrix-jitsi/tasks/validate_config.yml deleted file mode 100644 index f975e4ac9..000000000 --- a/roles/custom/matrix-jitsi/tasks/validate_config.yml +++ /dev/null 
@@ -1,81 +0,0 @@ ---- - -- name: Fail if on an unsupported architecture - ansible.builtin.fail: - msg: "Jitsi only supports the amd64 architecture right now. See https://github.com/jitsi/docker-jitsi-meet/issues/1069 and https://github.com/jitsi/docker-jitsi-meet/issues/1214" - when: matrix_jitsi_enabled | bool and matrix_architecture not in ['amd64', 'arm64'] - -- name: Fail if required Jitsi settings not defined - ansible.builtin.fail: - msg: >- - You need to define a required configuration setting (`{{ item }}`) to properly configure Jitsi. - - If you're setting up Jitsi for the first time, you may have missed a step. - Refer to our setup instructions (docs/configuring-playbook-jitsi.md). - - If you had previously setup Jitsi successfully and are only now facing this error, - it means that your installation is most likely using default passwords previously defined by the playbook. - These defaults are insecure. Jitsi should be rebuilt with secure values. - Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md). - when: "vars[item] == ''" - with_items: - - "matrix_jitsi_jibri_xmpp_password" - - "matrix_jitsi_jibri_recorder_password" - - "matrix_jitsi_jicofo_auth_password" - - "matrix_jitsi_jvb_auth_password" - - -- name: Fail if authentication is enabled, but not properly configured. - ansible.builtin.fail: - msg: >- - You have enabled authentication, but the configured auth type is missing required configuration. - - Auth type 'internal': - At least one Jitsi user needs to be defined in `matrix_jitsi_prosody_auth_internal_accounts` when using internal authentication. - If you're setting up Jitsi for the first time, you may have missed a step. - Refer to our setup instructions (docs/configuring-playbook-jitsi.md). 
- - Auth type 'matrix': - If you want to enable matrix_user_verification in jitsi, - please provide an auth token for the user verification service (uvs) using `matrix_jitsi_prosody_auth_matrix_uvs_auth_token`. - If the user-verfication-service is also managed by this playbook the token is derived from `matrix_homeserver_generic_secret_key` in the group vars. - when: - - matrix_jitsi_enable_auth | bool - - ((matrix_jitsi_auth_type == 'internal' and matrix_jitsi_prosody_auth_internal_accounts|length == 0) - or (matrix_jitsi_auth_type == 'matrix' and matrix_jitsi_prosody_auth_matrix_uvs_auth_token|length == 0)) - - -- name: (Deprecation) Catch and report renamed settings - ansible.builtin.fail: - msg: >- - Your configuration contains a variable, which now has a different name. - Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). - when: "item.old in vars" - with_items: - - {'old': 'matrix_jitsi_web_config_constraints_enabled', 'new': ''} - - {'old': 'matrix_jitsi_web_config_constraints_video_aspectRatio', 'new': ''} - - {'old': 'matrix_jitsi_web_config_constraints_video_height_ideal', 'new': 'matrix_jitsi_web_config_resolution_height_ideal_and_max'} - - {'old': 'matrix_jitsi_web_config_constraints_video_height_max', 'new': 'matrix_jitsi_web_config_resolution_height_ideal_and_max'} - - {'old': 'matrix_jitsi_web_config_constraints_video_height_min', 'new': 'matrix_jitsi_web_config_resolution_height_min'} - - {'old': 'matrix_jitsi_web_config_disableAudioLevels', 'new': ''} - - {'old': 'matrix_jitsi_web_config_enableLayerSuspension', 'new': ''} - - {'old': 'matrix_jitsi_web_config_channelLastN', 'new': ''} - - {'old': 'matrix_jitsi_web_config_testing_p2pTestMode', 'new': ''} - - {'old': 'matrix_jitsi_web_config_start_with_audio_muted', 'new': ''} - - {'old': 'matrix_jitsi_web_config_start_with_video_muted', 'new': ''} - - {'old': 'matrix_jitsi_web_interface_config_show_watermark_for_guests', 'new': ''} - - {'old': 
'matrix_jitsi_web_interface_config_invitation_powered_by', 'new': ''} - - {'old': 'matrix_jisti_web_interface_config_show_deep_linking_image', 'new': 'matrix_jitsi_web_interface_config_show_deep_linking_image'} - - {'old': 'matrix_jitsi_web_interface_config_lang_detection', 'new': '/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jitsi-jicofo 2>/dev/null || true' - -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-jitsi-jicofo \ - --log-driver=none \ - --network={{ matrix_docker_network }} \ - --env-file={{ matrix_jitsi_jicofo_base_path }}/env \ - --mount type=bind,src={{ matrix_jitsi_jicofo_config_path }},dst=/config \ - {% for arg in matrix_jitsi_jicofo_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_jitsi_jicofo_docker_image }} - -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-jitsi-jicofo 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jitsi-jicofo 2>/dev/null || true' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-jitsi-jicofo - -[Install] -WantedBy=multi-user.target diff --git a/roles/custom/matrix-jitsi/templates/jicofo/sip-communicator.properties.j2 b/roles/custom/matrix-jitsi/templates/jicofo/sip-communicator.properties.j2 deleted file mode 100644 index c62e04ffe..000000000 --- a/roles/custom/matrix-jitsi/templates/jicofo/sip-communicator.properties.j2 +++ /dev/null 
@@ -1,9 +0,0 @@ -org.jitsi.jicofo.ALWAYS_TRUST_MODE_ENABLED=true -org.jitsi.jicofo.BRIDGE_MUC={{ matrix_jitsi_jvb_brewery_muc }}@{{ matrix_jitsi_xmpp_internal_muc_domain }} - -org.jitsi.jicofo.jibri.BREWERY={{ matrix_jitsi_jibri_brewery_muc }}@{{ matrix_jitsi_xmpp_internal_muc_domain }} -org.jitsi.jicofo.jibri.PENDING_TIMEOUT=90 - -{% if matrix_jitsi_enable_auth %} -org.jitsi.jicofo.auth.URL=XMPP:{{ matrix_jitsi_xmpp_domain }} -{% endif %} diff --git a/roles/custom/matrix-jitsi/templates/jvb/custom-sip-communicator.properties.j2 b/roles/custom/matrix-jitsi/templates/jvb/custom-sip-communicator.properties.j2 deleted file mode 100644 index 44b6b8c2c..000000000 --- a/roles/custom/matrix-jitsi/templates/jvb/custom-sip-communicator.properties.j2 +++ /dev/null @@ -1,7 +0,0 @@ -org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=true - -org.jitsi.videobridge.ENABLE_STATISTICS=true -org.jitsi.videobridge.STATISTICS_TRANSPORT=muc -org.jitsi.videobridge.STATISTICS_INTERVAL=5000 - -{{ matrix_jitsi_jvb_custom_config_extension }} diff --git a/roles/custom/matrix-jitsi/templates/jvb/env.j2 b/roles/custom/matrix-jitsi/templates/jvb/env.j2 deleted file mode 100644 index 4b9ce68f1..000000000 --- a/roles/custom/matrix-jitsi/templates/jvb/env.j2 +++ /dev/null 
@@ -1,31 +0,0 @@ -DOCKER_HOST_ADDRESS -ENABLE_COLIBRI_WEBSOCKET -ENABLE_OCTO -JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} -JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} -JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }} -JVB_PORT={{ matrix_jitsi_jvb_rtp_udp_port }} -JVB_TCP_HARVESTER_DISABLED=true -JVB_TCP_PORT={{ matrix_jitsi_jvb_rtp_tcp_port }} -JVB_TCP_MAPPED_PORT={{ matrix_jitsi_jvb_rtp_tcp_port }} -{% if matrix_jitsi_jvb_stun_servers|length > 0 %} -JVB_STUN_SERVERS={{ matrix_jitsi_jvb_stun_servers|join(',') }} -{% endif %} -JVB_OCTO_BIND_ADDRESS -JVB_OCTO_PUBLIC_ADDRESS -JVB_OCTO_BIND_PORT -JVB_OCTO_REGION -JVB_WS_DOMAIN -JVB_WS_SERVER_ID={{ matrix_jitsi_jvb_server_id }} -PUBLIC_URL={{ matrix_jitsi_web_public_url }} -SENTRY_DSN={{ matrix_jitsi_jvb_sentry_dsn }} -SENTRY_ENVIRONMENT -SENTRY_RELEASE -COLIBRI_REST_ENABLED -SHUTDOWN_REST_ENABLED -TZ={{ matrix_jitsi_timezone }} -XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} -XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} -XMPP_SERVER={{ matrix_jitsi_xmpp_server }} - -{{ matrix_jitsi_jvb_environment_variables_extension }} diff --git a/roles/custom/matrix-jitsi/templates/jvb/logging.properties.j2 b/roles/custom/matrix-jitsi/templates/jvb/logging.properties.j2 deleted file mode 100644 index ff1d30a64..000000000 --- a/roles/custom/matrix-jitsi/templates/jvb/logging.properties.j2 +++ /dev/null 
@@ -1,20 +0,0 @@ -{% raw %} -{{ if .Env.SENTRY_DSN | default "0" | toBool }} -handlers=java.util.logging.ConsoleHandler,io.sentry.jul.SentryHandler -{{ else }} -handlers= java.util.logging.ConsoleHandler -{{ end }} -{% endraw %} - -java.util.logging.ConsoleHandler.level = ALL -java.util.logging.ConsoleHandler.formatter = net.java.sip.communicator.util.ScLogFormatter - -net.java.sip.communicator.util.ScLogFormatter.programname=JVB - -.level=INFO - -org.jitsi.videobridge.xmpp.ComponentImpl.level=FINE -io.sentry.jul.SentryHandler.level=WARNING - -# All of the INFO level logs from MediaStreamImpl are unnecessary in the context of jitsi-videobridge. -org.jitsi.impl.neomedia.MediaStreamImpl.level=WARNING diff --git a/roles/custom/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 b/roles/custom/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 deleted file mode 100644 index 922d201a7..000000000 --- a/roles/custom/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 +++ /dev/null 
@@ -1,43 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix jitsi-jvb server -{% for service in matrix_jitsi_jvb_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-jitsi-jvb 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jitsi-jvb 2>/dev/null || true' - -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-jitsi-jvb \ - --log-driver=none \ - --network={{ matrix_docker_network }} \ - --network-alias=jvb.meet.jitsi \ - --env-file={{ matrix_jitsi_jvb_base_path }}/env \ - {% if matrix_jitsi_jvb_container_rtp_udp_host_bind_port %} - -p {{ matrix_jitsi_jvb_container_rtp_udp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_udp_port }}/udp \ - {% endif %} - {% if matrix_jitsi_jvb_container_rtp_tcp_host_bind_port %} - -p {{ matrix_jitsi_jvb_container_rtp_tcp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_tcp_port }} \ - {% endif %} - {% if matrix_jitsi_jvb_container_colibri_ws_host_bind_port %} - -p {{ matrix_jitsi_jvb_container_colibri_ws_host_bind_port }}:9090 \ - {% endif %} - --mount type=bind,src={{ matrix_jitsi_jvb_config_path }},dst=/config \ - {% for arg in matrix_jitsi_jvb_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_jitsi_jvb_docker_image }} - -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-jitsi-jvb 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jitsi-jvb 2>/dev/null || true' -Restart=always -RestartSec=30 
-SyslogIdentifier=matrix-jitsi-jvb - -[Install] -WantedBy=multi-user.target diff --git a/roles/custom/matrix-jitsi/templates/prosody/env.j2 b/roles/custom/matrix-jitsi/templates/prosody/env.j2 deleted file mode 100644 index e4582f6b9..000000000 --- a/roles/custom/matrix-jitsi/templates/prosody/env.j2 +++ /dev/null 
@@ -1,70 +0,0 @@ -AUTH_TYPE={{ matrix_jitsi_auth_type }} -DISABLE_POLLS -ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} -ENABLE_AV_MODERATION={{1 if matrix_jitsi_enable_av_moderation else 0}} -ENABLE_BREAKOUT_ROOMS={{1 if matrix_jitsi_enable_breakout_rooms else 0}} -ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }} -ENABLE_LOBBY={{ 1 if matrix_jitsi_enable_lobby else 0 }} -ENABLE_XMPP_WEBSOCKET -GLOBAL_CONFIG -GLOBAL_MODULES -JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }} -JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }} -JIBRI_XMPP_USER={{ matrix_jitsi_jibri_xmpp_user }} -JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }} -JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} -JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }} -JICOFO_COMPONENT_SECRET -JIGASI_XMPP_USER={{ matrix_jitsi_jigasi_xmpp_user }} -JIGASI_XMPP_PASSWORD={{ matrix_jitsi_jigasi_xmpp_password }} -JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} -JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} -JWT_APP_ID -JWT_APP_SECRET -JWT_ACCEPTED_ISSUERS -JWT_ACCEPTED_AUDIENCES -JWT_ASAP_KEYSERVER -JWT_ALLOW_EMPTY -JWT_AUTH_TYPE -JWT_TOKEN_AUTH_MODULE -LOG_LEVEL -LDAP_AUTH_METHOD={{ matrix_jitsi_ldap_auth_method }} -LDAP_BASE={{ matrix_jitsi_ldap_base }} -LDAP_BINDDN={{ matrix_jitsi_ldap_binddn }} -LDAP_BINDPW={{ matrix_jitsi_ldap_bindpw }} -LDAP_FILTER={{ matrix_jitsi_ldap_filter }} -LDAP_VERSION={{ matrix_jitsi_ldap_version }} -LDAP_TLS_CIPHERS={{ matrix_jitsi_ldap_tls_ciphers }} -LDAP_TLS_CHECK_PEER={{ 1 if matrix_jitsi_ldap_tls_check_peer else 0 }} -LDAP_TLS_CACERT_FILE={{ matrix_jitsi_ldap_tls_cacert_file }} -LDAP_TLS_CACERT_DIR={{ matrix_jitsi_ldap_tls_cacert_dir }} -LDAP_START_TLS={{ 1 if matrix_jitsi_ldap_start_tls else 0 }} -LDAP_URL={{ matrix_jitsi_ldap_url }} -LDAP_USE_TLS={{ 1 if matrix_jitsi_ldap_use_tls else 0 }} -MATRIX_UVS_ISSUER={{ matrix_jitsi_prosody_auth_matrix_jwt_app_id }} -MATRIX_UVS_URL={{ 
matrix_jitsi_prosody_auth_matrix_uvs_location }} -{% if matrix_jitsi_prosody_auth_matrix_uvs_auth_token is defined %} -MATRIX_UVS_AUTH_TOKEN={{ matrix_jitsi_prosody_auth_matrix_uvs_auth_token }} -{% endif %} -MATRIX_UVS_SYNC_POWER_LEVELS={{ 'true' if matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels else 'false' }} -PUBLIC_URL={{ matrix_jitsi_web_public_url }} -TURN_CREDENTIALS={{ matrix_jitsi_turn_credentials }} -TURN_HOST={{ matrix_jitsi_turn_host }} -TURNS_HOST={{ matrix_jitsi_turns_host }} -TURN_PORT={{ matrix_jitsi_turn_port }} -TURNS_PORT={{ matrix_jitsi_turns_port }} -TURN_TRANSPORT={{ matrix_jitsi_turn_transport }} -TZ={{ matrix_jitsi_timezone }} -XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} -XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} -XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }} -XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }} -XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} -XMPP_MODULES={{ matrix_jitsi_xmpp_modules }} -XMPP_MUC_MODULES={{ matrix_jitsi_muc_modules | join(',') }} -XMPP_INTERNAL_MUC_MODULES= -XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} -XMPP_CROSS_DOMAIN=true -{% if matrix_prosody_jitsi_max_participants is number %} -MAX_PARTICIPANTS={{ matrix_prosody_jitsi_max_participants }} -{% endif %} diff --git a/roles/custom/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 b/roles/custom/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 deleted file mode 100644 index 89cec0914..000000000 --- a/roles/custom/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 +++ /dev/null 
@@ -1,41 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix jitsi-prosody server -{% for service in matrix_jitsi_prosody_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-jitsi-prosody 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jitsi-prosody 2>/dev/null || true' - -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-jitsi-prosody \ - --log-driver=none \ - --network={{ matrix_docker_network }} \ - --network-alias={{ matrix_jitsi_xmpp_server }} \ - {% if matrix_jitsi_prosody_container_http_host_bind_port %} - -p {{ matrix_jitsi_prosody_container_http_host_bind_port }}:5280 \ - {% endif %} - {% if matrix_jitsi_prosody_container_jvb_host_bind_port %} - -p {{ matrix_jitsi_prosody_container_jvb_host_bind_port }}:5222 \ - {% endif %} - --env-file={{ matrix_jitsi_prosody_base_path }}/env \ - --mount type=bind,src={{ matrix_jitsi_prosody_config_path }},dst=/config \ - --mount type=bind,src={{ matrix_jitsi_prosody_plugins_path }},dst=/prosody-plugins-custom \ - {% for arg in matrix_jitsi_prosody_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_jitsi_prosody_docker_image }} - -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-jitsi-prosody 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jitsi-prosody 2>/dev/null || true' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-jitsi-prosody - -[Install] 
-WantedBy=multi-user.target diff --git a/roles/custom/matrix-jitsi/templates/web/custom-config.js.j2 b/roles/custom/matrix-jitsi/templates/web/custom-config.js.j2 deleted file mode 100644 index 2bde96a8b..000000000 --- a/roles/custom/matrix-jitsi/templates/web/custom-config.js.j2 +++ /dev/null @@ -1,22 +0,0 @@ -config.defaultLanguage = {{ matrix_jitsi_web_config_defaultLanguage|to_json }}; - - -if (!config.hasOwnProperty('p2p')) config.p2p = {% raw %}{}{% endraw %}; - -{% if matrix_jitsi_web_stun_servers|length > 0 %} -config.p2p.stunServers = [ - {% for url in matrix_jitsi_web_stun_servers %} - { urls: {{ url|to_json }} }{% if not loop.last %},{% endif %} - {% endfor %} -]; -{% endif %} - -{% if matrix_jitsi_disable_gravatar %} -config.gravatar = {'disabled': true}; -{% endif %} - -{% if matrix_jitsi_etherpad_enabled %} -config.etherpad_base = {{ (matrix_jitsi_etherpad_base + '/p/') |to_json }} -{% endif %} - -{{ matrix_jitsi_web_custom_config_extension }} diff --git a/roles/custom/matrix-jitsi/templates/web/custom-interface_config.js.j2 b/roles/custom/matrix-jitsi/templates/web/custom-interface_config.js.j2 deleted file mode 100644 index 0ad470fce..000000000 --- a/roles/custom/matrix-jitsi/templates/web/custom-interface_config.js.j2 +++ /dev/null @@ -1,3 +0,0 @@ - -{{ matrix_jitsi_web_custom_interface_config_extension }} - diff --git a/roles/custom/matrix-jitsi/templates/web/env.j2 b/roles/custom/matrix-jitsi/templates/web/env.j2 deleted file mode 100644 index 3e9f51b71..000000000 --- a/roles/custom/matrix-jitsi/templates/web/env.j2 +++ /dev/null 
@@ -1,111 +0,0 @@ -AMPLITUDE_ID -ANALYTICS_SCRIPT_URLS -ANALYTICS_WHITELISTED_EVENTS -CALLSTATS_CUSTOM_SCRIPT_URL -CALLSTATS_ID -CALLSTATS_SECRET -CHROME_EXTENSION_BANNER_JSON -CONFCODE_URL -CONFIG_EXTERNAL_CONNECT -DEFAULT_LANGUAGE -DEPLOYMENTINFO_ENVIRONMENT -DEPLOYMENTINFO_ENVIRONMENT_TYPE -DEPLOYMENTINFO_REGION -DEPLOYMENTINFO_SHARD -DEPLOYMENTINFO_USERREGION -DESKTOP_SHARING_FRAMERATE_MIN -DESKTOP_SHARING_FRAMERATE_MAX -DIALIN_NUMBERS_URL -DIALOUT_AUTH_URL -DIALOUT_CODES_URL -DISABLE_AUDIO_LEVELS -DISABLE_DEEP_LINKING -DISABLE_HTTPS=0 -DISABLE_POLLS -DISABLE_REACTIONS -DROPBOX_APPKEY -DROPBOX_REDIRECT_URI -DYNAMIC_BRANDING_URL -ENABLE_AUDIO_PROCESSING -ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} -ENABLE_BREAKOUT_ROOMS={{1 if matrix_jitsi_enable_breakout_rooms else 0}} -ENABLE_CALENDAR -ENABLE_COLIBRI_WEBSOCKET -ENABLE_FILE_RECORDING_SERVICE -ENABLE_FILE_RECORDING_SERVICE_SHARING -ENABLE_FLOC=0 -ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }} -ENABLE_HSTS=0 -ENABLE_HTTP_REDIRECT=0 -ENABLE_IPV6 -ENABLE_LETSENCRYPT=0 -ENABLE_LIPSYNC -ENABLE_NO_AUDIO_DETECTION -ENABLE_NOISY_MIC_DETECTION -ENABLE_PREJOIN_PAGE -ENABLE_P2P={{ 1 if matrix_jitsi_enable_p2p else 0 }} -ENABLE_WELCOME_PAGE -ENABLE_CLOSE_PAGE -ENABLE_RECORDING={{ 1 if matrix_jitsi_enable_recording else 0 }} -ENABLE_REMB -ENABLE_REQUIRE_DISPLAY_NAME -ENABLE_SIMULCAST -ENABLE_STATS_ID -ENABLE_STEREO -ENABLE_SUBDOMAINS -ENABLE_TALK_WHILE_MUTED -ENABLE_TCC -ENABLE_TRANSCRIPTIONS={{ 1 if matrix_jitsi_enable_transcriptions else 0 }} -ENABLE_XMPP_WEBSOCKET -ENABLE_JAAS_COMPONENTS={{ 1 if matrix_jitsi_enable_jaas_components else false }} -ETHERPAD_PUBLIC_URL -ETHERPAD_URL_BASE={{ (matrix_jitsi_etherpad_base + '/') if matrix_jitsi_etherpad_enabled else ''}} -GOOGLE_ANALYTICS_ID -GOOGLE_API_APP_CLIENT_ID -INVITE_SERVICE_URL -JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} -LETSENCRYPT_DOMAIN={{ matrix_server_fqn_jitsi }} -LETSENCRYPT_EMAIL={{ matrix_ssl_lets_encrypt_support_email }} 
-LETSENCRYPT_USE_STAGING=0 -MATOMO_ENDPOINT -MATOMO_SITE_ID -MICROSOFT_API_APP_CLIENT_ID -NGINX_RESOLVER -NGINX_WORKER_PROCESSES -NGINX_WORKER_CONNECTIONS -PEOPLE_SEARCH_URL -PUBLIC_URL={{ matrix_jitsi_web_public_url }} -RESOLUTION={{ matrix_jitsi_web_config_resolution_height_ideal_and_max }} -RESOLUTION_MIN={{ matrix_jitsi_web_config_resolution_height_min }} -RESOLUTION_WIDTH={{ matrix_jitsi_web_config_resolution_width_ideal_and_max }} -RESOLUTION_WIDTH_MIN={{ matrix_jitsi_web_config_resolution_width_min }} -START_AUDIO_MUTED={{ matrix_jitsi_web_config_start_audio_muted_after_nth_participant }} -START_AUDIO_ONLY -START_BITRATE -START_SILENT -START_WITH_AUDIO_MUTED -START_VIDEO_MUTED={{ matrix_jitsi_web_config_start_video_muted_after_nth_participant }} -START_WITH_VIDEO_MUTED -TESTING_CAP_SCREENSHARE_BITRATE -TESTING_OCTO_PROBABILITY -TOKEN_AUTH_URL -TZ={{ matrix_jitsi_timezone }} -VIDEOQUALITY_BITRATE_H264_LOW -VIDEOQUALITY_BITRATE_H264_STANDARD -VIDEOQUALITY_BITRATE_H264_HIGH -VIDEOQUALITY_BITRATE_VP8_LOW -VIDEOQUALITY_BITRATE_VP8_STANDARD -VIDEOQUALITY_BITRATE_VP8_HIGH -VIDEOQUALITY_BITRATE_VP9_LOW -VIDEOQUALITY_BITRATE_VP9_STANDARD -VIDEOQUALITY_BITRATE_VP9_HIGH -VIDEOQUALITY_ENFORCE_PREFERRED_CODEC -VIDEOQUALITY_PREFERRED_CODEC -XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} -XMPP_BOSH_URL_BASE={{ matrix_jitsi_xmpp_bosh_url_base }} -XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} -XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }} -XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }} -XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} - -{{ matrix_jitsi_web_environment_variables_extension }} diff --git a/roles/custom/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 b/roles/custom/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 deleted file mode 100644 index fcb5f2213..000000000 --- a/roles/custom/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 +++ /dev/null 
@@ -1,39 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix jitsi-web server -{% for service in matrix_jitsi_web_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-jitsi-web 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jitsi-web 2>/dev/null || true' - -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-jitsi-web \ - --log-driver=none \ - --network={{ matrix_docker_network }} \ - --network-alias={{ matrix_jitsi_xmpp_domain }} \ - --env-file={{ matrix_jitsi_web_base_path }}/env \ - {% if matrix_jitsi_web_container_http_host_bind_port %} - -p {{ matrix_jitsi_web_container_http_host_bind_port }}:80 \ - {% endif %} - --mount type=bind,src={{ matrix_jitsi_web_config_path }},dst=/config \ - --mount type=bind,src={{ matrix_jitsi_web_transcripts_path }},dst=/usr/share/jitsi-meet/transcripts \ - --mount type=bind,src={{ matrix_jitsi_web_crontabs_path }},dst=/var/spool/cron/crontabs \ - {% for arg in matrix_jitsi_web_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_jitsi_web_docker_image }} - -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-jitsi-web 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jitsi-web 2>/dev/null || true' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-jitsi-web - -[Install] -WantedBy=multi-user.target 
diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index f7f214f35..77e501b7c 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml @@ -63,11 +63,6 @@ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: "Host( matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint: "{{ matrix_federation_traefik_entrypoint }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints: "{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint }}" -matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: false -matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}" -matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" -matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_hostname }}`)" - # matrix_nginx_proxy_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. # See `../templates/labels.j2` for details. # @@ -249,8 +244,6 @@ matrix_nginx_proxy_proxy_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb } # Controls whether proxying the jitsi domain should be done. matrix_nginx_proxy_proxy_jitsi_enabled: false matrix_nginx_proxy_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}" -matrix_nginx_proxy_proxy_jitsi_manage_wellknown: false -matrix_nginx_proxy_proxy_jitsi_well_known_configuration_blocks: [] # Controls whether proxying the grafana domain should be done. matrix_nginx_proxy_proxy_grafana_enabled: false diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2 index 4fb567da2..e15d94231 100644 
--- a/roles/custom/matrix-nginx-proxy/templates/labels.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2 @@ -38,19 +38,6 @@ traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.certResolver={{ ma traefik.http.routers.matrix-nginx-proxy-matrix-federation.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints }} {% endif %} - -{% if matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled %} -# Jitsi -traefik.http.routers.matrix-nginx-proxy-jitsi.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_rule }} -traefik.http.routers.matrix-nginx-proxy-jitsi.service=matrix-nginx-proxy-web -traefik.http.routers.matrix-nginx-proxy-jitsi.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_tls | to_json }} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_tls %} -traefik.http.routers.matrix-nginx-proxy-jitsi.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} -{% endif %} -traefik.http.routers.matrix-nginx-proxy-jitsi.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} -{% endif %} - - traefik.http.services.matrix-nginx-proxy-web.loadbalancer.server.port=8080 {% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %} diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 39dedfc8c..5493c2b00 100644 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 
@@ -18,15 +18,6 @@ {{- configuration_block }} {% endfor %} - {% if matrix_nginx_proxy_proxy_jitsi_manage_wellknown %} - location /.well-known { - root {{ matrix_static_files_base_path }}; - expires 4h; - default_type application/json; - add_header Access-Control-Allow-Origin *; - } - {% endif %} - location / { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} @@ -83,7 +74,7 @@ location = /xmpp-websocket { {% if matrix_nginx_proxy_enabled %} resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend {{ matrix_jitsi_xmpp_bosh_url_base }}; + set $backend {{ jitsi_xmpp_bosh_url_base }}; proxy_pass $backend$request_uri; {% else %} {# Generic configuration for use outside of our container setup #} diff --git a/roles/custom/matrix_playbook_migration/defaults/main.yml b/roles/custom/matrix_playbook_migration/defaults/main.yml index ee051193a..c61e71201 100644 --- a/roles/custom/matrix_playbook_migration/defaults/main.yml +++ b/roles/custom/matrix_playbook_migration/defaults/main.yml @@ -23,3 +23,6 @@ matrix_playbook_migration_matrix_etherpad_migration_validation_enabled: true # Controls if (`matrix_aux` -> `aux`) validation will run. matrix_playbook_migration_matrix_aux_migration_validation_enabled: true + +# Controls if (`matrix_jitsi` -> `jitsi`) validation will run. +matrix_playbook_migration_matrix_jitsi_migration_validation_enabled: true diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index 250b3e965..c61a51957 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml 
@@ -56,7 +56,9 @@ - {'old': 'matrix_prometheus_scraper_hookshot_targets', 'new': ''} - {'old': 'matrix_prometheus_scraper_nginxlog_enabled', 'new': 'matrix_prometheus_services_connect_scraper_nginxlog_enabled'} - {'old': 'matrix_prometheus_scraper_nginxlog_server_port', 'new': 'matrix_prometheus_services_connect_scraper_nginxlog_static_configs_target'} - - {'old': 'XXXXX', 'new': 'XXXXX'} + - {'old': 'matrix_prosody_jitsi_max_participants', 'new': 'jitsi_prosody_max_participants'} + - {'old': 'jitsi_require_well_known', 'new': 'jitsi_web_well_known_element_jitsi_enabled'} + - {'old': 'jitsi_wellknown_element_jitsi_json', 'new': 'jitsi_web_well_known_element_jitsi_json'} - name: (Deprecation) Catch and report matrix_postgres variables ansible.builtin.fail: @@ -191,3 +193,18 @@ Please change your configuration (vars.yml) to rename all variables (`matrix_aux_` -> `aux_`). We found usage of the following variables: {{ matrix_playbook_migration_aux_migration_vars.keys() | join(', ') }} when: "matrix_playbook_migration_aux_migration_vars | length > 0" + +- when: matrix_playbook_migration_matrix_jitsi_migration_validation_enabled | bool + block: + - ansible.builtin.set_fact: + matrix_playbook_migration_jitsi_migration_vars: |- + {{ vars | dict2items | selectattr('key', 'match', 'matrix_jitsi_.*') | list | items2dict }} + + - name: (Deprecation) Catch and report matrix_jitsi variables + ansible.builtin.fail: + msg: >- + The matrix-jitsi role that used to be part of this playbook has been replaced by https://github.com/mother-of-all-self-hosting/ansible-role-jitsi. + The new role is compatible with the old one, but uses different names for its variables. + Please change your configuration (vars.yml) to rename all variables (`matrix_jitsi_` -> `jitsi_`). + We found usage of the following variables: {{ matrix_playbook_migration_jitsi_migration_vars.keys() | join(', ') }} + when: "matrix_playbook_migration_jitsi_migration_vars | length > 0" 
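Review bot: The `matrix_jitsi_.*` match in the new `set_fact` runs over the whole `vars` namespace, so it fires on any `matrix_jitsi_*` variable the playbook itself still defines (a transitional alias in group_vars, for instance), not only on user overrides in `vars.yml`; if any such definition survives this migration, the fail task triggers for every user. The block mirrors the `matrix_aux_` one above it, so the same constraint applies there; a comment above the `set_fact`, `# Scans every defined var, not just vars.yml — the playbook itself must define no matrix_jitsi_* variables`, would make that explicit for the next migration. The `.*` suffix is also redundant, since `match` anchors only at the start of the key.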
From 812b395aa9d31143a1d759f77ac181a0fff6c18f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 3 Apr 2023 08:59:43 +0300 Subject: [PATCH 678/915] Remove various systemd services from matrix-nginx-proxy Wanted list when not proxied via nginx If Traefik is used, these are not Wanted services. --- group_vars/matrix_servers | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 39895152b..95c614c08 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -2682,33 +2682,31 @@ matrix_nginx_proxy_systemd_wanted_services_list: | + (['matrix-ma1sd.service'] if matrix_ma1sd_enabled else []) + - (['matrix-client-cinny.service'] if matrix_client_cinny_enabled else []) + (['matrix-client-cinny.service'] if matrix_client_cinny_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) + - (['matrix-bot-buscarron.service'] if matrix_bot_buscarron_enabled else []) + (['matrix-bot-buscarron.service'] if matrix_bot_buscarron_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) + - (['matrix-client-element.service'] if matrix_client_element_enabled else []) + (['matrix-client-element.service'] if matrix_client_element_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) + - (['matrix-client-hydrogen.service'] if matrix_client_hydrogen_enabled else []) + (['matrix-client-hydrogen.service'] if matrix_client_hydrogen_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) + - ([(grafana_identifier + '.service')] if grafana_enabled else []) + ([(grafana_identifier + '.service')] if grafana_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) + - (['matrix-dimension.service'] if matrix_dimension_enabled else []) + (['matrix-dimension.service'] if matrix_dimension_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) + - (['matrix-rageshake.service'] if matrix_rageshake_enabled else []) + (['matrix-rageshake.service'] if matrix_rageshake_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) + - (['matrix-sygnal.service'] if matrix_sygnal_enabled else []) + (['matrix-sygnal.service'] if matrix_sygnal_enabled and 
matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) + - ([(ntfy_identifier + '.service')] if ntfy_enabled else []) + ([(ntfy_identifier + '.service')] if ntfy_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) + - ([(jitsi_identifier + '-web.service')] if jitsi_enabled else []) + ([(jitsi_identifier + '-web.service')] if jitsi_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) + - (['matrix-sliding-sync-proxy.service'] if matrix_sliding_sync_enabled else []) + (['matrix-bot-go-neb.service'] if matrix_bot_go_neb_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) + - (['matrix-bot-go-neb.service'] if matrix_bot_go_neb_enabled else []) + ([etherpad_identifier + '.service'] if etherpad_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) + - ([etherpad_identifier + '.service'] if etherpad_enabled else []) - + - (['matrix-hookshot.service'] if matrix_hookshot_enabled else []) + (['matrix-hookshot.service'] if matrix_hookshot_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) }} matrix_ssl_domains_to_obtain_certificates_for: | From 5a44e06e00f775b7da5751c9d7d3b10d9d63ac96 Mon Sep 17 00:00:00 2001 From: Joshua Date: Mon, 3 Apr 2023 18:34:54 +1000 Subject: [PATCH 679/915] Remedy Typo --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3120384cf..6d97705b0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
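Review bot: `matrix-sliding-sync-proxy.service` is dropped from the Wanted list with no conditional replacement, while every other entry in this hunk is kept behind the `matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container']` check (the diffstat's 15 deletions against 13 insertions is that line plus the removed blank `+` line). If the sliding sync proxy is still served through matrix-nginx-proxy under the nginx reverse-proxy types, it will no longer be started together with the proxy; if it has moved to its own Traefik labels this is fine, but the commit message only describes the conditional removals, so it deserves a mention. The reverse-proxy-type condition is now repeated thirteen times; hoisting it once, e.g. `matrix_nginx_proxy_serves_playbook_services: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"`, would keep the list readable and make the next such change a one-line edit.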
@@ -11,7 +11,7 @@ As part of the extraction process of this role out of the Matrix playbook, a few - **native Traefik support** has been added - **support for hosting under a subpath** has been added, although it suffers from a few minor issues listed [here](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/jitsi.md#url) -You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're using Jitsi or not. +You need to **update your roles** (`just roles` or `make roles`) regardless of whether you're using Jitsi or not. If you're making use of Jitsi via this playbook, you will need to update variable references in your `vars.yml` file: From e9d48ee9ca0ed6fe6d00511dfe77c048eb545cc3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 3 Apr 2023 12:02:06 +0300 Subject: [PATCH 680/915] Fix typos Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2621 --- CHANGELOG.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6d97705b0..1b5118427 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -38,7 +38,7 @@ The `matrix-prometheus` role has been relocated in its own repository, part of t Extracting the Prometheus role out of this Matrix playbook required huge internal refactoring to the way the Prometheus configuration (scraping jobs) is generated. If you notice any breakage after upgrading, let us know. -You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're using Prometheus or not. +You need to **update your roles** (`just roles` or `make roles`) regardless of whether you're using Prometheus or not. If you're making use of Prometheus via this playbook, you will need to update variable references in your `vars.yml` file: 
@@ -80,7 +80,7 @@ To get started, see our [Setting up Sliding Sync Proxy](docs/configuring-playboo **TLDR**: the `matrix-etherpad` role is now included from [another repository](https://gitlab.com/etke.cc/roles/etherpad). Some variables have been renamed. All functionality remains intact. -You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're using Etherpad or not. +You need to **update your roles** (`just roles` or `make roles`) regardless of whether you're using Etherpad or not. If you're making use of Etherpad via this playbook, you will need to update variable references in your `vars.yml` file: @@ -188,7 +188,7 @@ Additional details are available in the [Customizing templates](docs/configuring The `matrix-redis` role (which configures [Redis](https://redis.io/)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/redis). This makes it possible to easily use it in other Ansible playbooks. -You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're enabling Ntfy or not. If you're making use of Ntfy via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_redis_` -> `redis_`). +You need to **update your roles** (`just roles` or `make roles`) regardless of whether you're enabling Ntfy or not. If you're making use of Ntfy via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_redis_` -> `redis_`). ## The matrix-ntfy role lives independently now 
@@ -196,7 +196,7 @@ You need to **update you roles** (`just roles` or `make roles`) regardless of wh The `matrix-ntfy` role (which configures [Ntfy](https://ntfy.sh/)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/ntfy). This makes it possible to easily use it in other Ansible playbooks. -You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're enabling Ntfy or not. If you're making use of Ntfy via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_ntfy_` -> `ntfy_`). +You need to **update your roles** (`just roles` or `make roles`) regardless of whether you're enabling Ntfy or not. If you're making use of Ntfy via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_ntfy_` -> `ntfy_`). # 2023-02-15 @@ -207,7 +207,7 @@ You need to **update you roles** (`just roles` or `make roles`) regardless of wh The `matrix-grafana` role (which configures [Grafana](docs/configuring-playbook-prometheus-grafana.md)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/grafana). This makes it possible to easily use it in other Ansible playbooks. -You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're enabling Grafana or not. If you're making use of Grafana via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_grafana_` -> `grafana_`). +You need to **update your roles** (`just roles` or `make roles`) regardless of whether you're enabling Grafana or not. If you're making use of Grafana via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_grafana_` -> `grafana_`). # 2023-02-13 
@@ -218,7 +218,7 @@ You need to **update you roles** (`just roles` or `make roles`) regardless of wh Thanks to [moan0s](https://github.com/moan0s), the `matrix-backup-borg` role (which configures [Borg backups](docs/configuring-playbook-backup-borg.md)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/backup_borg). This makes it possible to easily use it in other Ansible playbooks and will become part of [nextcloud-docker-ansible-deploy](https://github.com/spantaleev/nextcloud-docker-ansible-deploy) soon. -You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're enabling Borg backup functionality or not. If you're making use of Borg backups via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_backup_borg_` -> `backup_borg_`). +You need to **update your roles** (`just roles` or `make roles`) regardless of whether you're enabling Borg backup functionality or not. If you're making use of Borg backups via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_backup_borg_` -> `backup_borg_`). # 2023-02-12 From fa6378510953b96b333c37690086fb21a92606c3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 3 Apr 2023 15:34:19 +0300 Subject: [PATCH 681/915] Upgrade Coturn (4.6.1-r2 -> 4.6.1-r3) --- roles/custom/matrix-coturn/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-coturn/defaults/main.yml b/roles/custom/matrix-coturn/defaults/main.yml index ee662b25d..ebeed45f6 100644 --- a/roles/custom/matrix-coturn/defaults/main.yml +++ b/roles/custom/matrix-coturn/defaults/main.yml 
@@ -8,7 +8,7 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}" matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile" -matrix_coturn_version: 4.6.1-r2 +matrix_coturn_version: 4.6.1-r3 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine" matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" From 7b876cfc9705719a396cc697dee5977d82522572 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 3 Apr 2023 15:36:16 +0300 Subject: [PATCH 682/915] Upgrade Element (v1.11.27 -> v1.11.28) --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index fe8d839c1..b15d48981 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml 
@@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.11.27 +matrix_client_element_version: v1.11.28 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From fdab05fa0a989330b17ae688b6c825ec2dd435d1 Mon Sep 17 00:00:00 2001 From: Kabir Kwatra Date: Tue, 4 Apr 2023 02:31:49 +0000 Subject: [PATCH 683/915] fix(traefik): only include federation endpoint if port is new --- group_vars/matrix_servers | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 95c614c08..91a630baf 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -4106,11 +4106,16 @@ devture_traefik_base_path: "{{ matrix_base_data_path }}/traefik" devture_traefik_uid: "{{ matrix_user_uid }}" devture_traefik_gid: "{{ matrix_user_gid }}" -devture_traefik_additional_entrypoints_auto: - - name: matrix-federation - port: "{{ matrix_federation_public_port }}" - host_bind_port: "{{ matrix_federation_public_port }}" - config: {} +devture_traefik_federation_entrypoint: + name: matrix-federation + port: "{{ matrix_federation_public_port }}" + host_bind_port: "{{ matrix_federation_public_port }}" + config: {} + +devture_traefik_additional_entrypoints_auto: | + {{ + ([devture_traefik_federation_entrypoint] if (matrix_federation_public_port != devture_traefik_config_entrypoint_web_port) and (matrix_federation_public_port != devture_traefik_config_entrypoint_web_secure_port) else []) + }} devture_traefik_additional_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}" From 3c600899fba8a4c1e15625abf27f4a432dfc1203 Mon Sep 17 00:00:00 2001 From: Thom Wiggers Date: Tue, 4 Apr 2023 11:39:50 +0200 Subject: [PATCH 684/915] Update Matrix IRC appservice to 0.37.1 https://github.com/matrix-org/matrix-appservice-irc/releases/tag/0.37.1 --- roles/custom/matrix-bridge-appservice-irc/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml index ce39bc56e..0a659555f 100644 --- a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml 
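Review bot: When `matrix_federation_public_port` equals one of Traefik's web entrypoint ports the `matrix-federation` entrypoint is no longer created, but nothing in this hunk redirects the consumers of that entrypoint name; `matrix_federation_traefik_entrypoint` (referenced by the nginx-proxy Traefik labels earlier in this series) presumably still resolves to `matrix-federation`, so the federation routers would point at an entrypoint that does not exist. That variable should fall back to the colliding web entrypoint under the same condition, unless that is already done outside this hunk. The comparison would also be more robust as `(matrix_federation_public_port | int) != (devture_traefik_config_entrypoint_web_port | int)` (and likewise for the secure port), since a port supplied as a templated string would otherwise compare unequal to an integer default and re-create the duplicate entrypoint this change is meant to avoid.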
@@ -11,7 +11,7 @@ matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appser # matrix_appservice_irc_version used to contain the full Docker image tag (e.g. `release-X.X.X`). # It's a bare version number now. We try to somewhat retain compatibility below. -matrix_appservice_irc_version: 0.37.0 +matrix_appservice_irc_version: 0.37.1 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_docker_image_tag }}" matrix_appservice_irc_docker_image_tag: "{{ 'latest' if matrix_appservice_irc_version == 'latest' else ('release-' + matrix_appservice_irc_version) }}" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" From df5df0b386233ed87ef024d46cbe362df4263ae9 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 4 Apr 2023 11:24:14 +0000 Subject: [PATCH 685/915] Update borgmatic 1.7.10 -> 1.7.11 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 97095888c..ff0fe2672 100644 --- a/requirements.yml +++ b/requirements.yml @@ -2,7 +2,7 @@ version: v1.0.0-0 name: aux - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git - version: v1.2.4-1.7.10-0 + version: v1.2.4-1.7.11-0 - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git version: v0.1.1-1 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git From ec721a2b247ed0e950ec3185cf4ed82495f35a00 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 4 Apr 2023 19:44:24 +0000 Subject: [PATCH 686/915] Update hookshot 3.1.1 -> 3.2.0 --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 2adf08edf..ff53310cb 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml @@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git" matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}" -matrix_hookshot_version: 3.1.1 +matrix_hookshot_version: 3.2.0 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}" matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}" From 8f43385f1684f527ed42188e08e41a78900de817 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 4 Apr 2023 21:05:02 +0000 Subject: [PATCH 687/915] add borgmatic cli --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index ff0fe2672..a53a9d713 100644 --- a/requirements.yml +++ b/requirements.yml @@ -2,7 +2,7 @@ version: v1.0.0-0 name: aux - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git - version: v1.2.4-1.7.11-0 + version: v1.2.4-1.7.11-1 - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git version: v0.1.1-1 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git From 7399496d33057f145ccd30780102c5dae55a1c7d Mon Sep 17 00:00:00 2001 
From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 5 Apr 2023 14:59:48 +0300 Subject: [PATCH 688/915] one var to control encryption across all bridges (#2629) * one var to control encryption across all bridges * move var to matrix-base --- docs/configuring-playbook-mautrix-bridges.md | 7 +++++++ roles/custom/matrix-base/defaults/main.yml | 3 +++ .../matrix-bridge-appservice-kakaotalk/defaults/main.yml | 2 +- .../custom/matrix-bridge-beeper-linkedin/defaults/main.yml | 5 +++++ .../matrix-bridge-beeper-linkedin/templates/config.yaml.j2 | 6 +++--- .../custom/matrix-bridge-go-skype-bridge/defaults/main.yml | 2 +- .../custom/matrix-bridge-mautrix-discord/defaults/main.yml | 2 +- .../matrix-bridge-mautrix-facebook/defaults/main.yml | 5 +++++ .../templates/config.yaml.j2 | 6 +++--- .../matrix-bridge-mautrix-googlechat/defaults/main.yml | 4 ++++ .../templates/config.yaml.j2 | 4 ++-- .../matrix-bridge-mautrix-hangouts/defaults/main.yml | 4 ++++ .../templates/config.yaml.j2 | 4 ++-- .../matrix-bridge-mautrix-instagram/defaults/main.yml | 5 +++++ .../templates/config.yaml.j2 | 6 +++--- .../custom/matrix-bridge-mautrix-signal/defaults/main.yml | 2 +- roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml | 2 +- .../matrix-bridge-mautrix-telegram/defaults/main.yml | 2 +- .../custom/matrix-bridge-mautrix-twitter/defaults/main.yml | 5 +++++ .../matrix-bridge-mautrix-twitter/templates/config.yaml.j2 | 6 +++--- .../matrix-bridge-mautrix-whatsapp/defaults/main.yml | 2 +- 21 files changed, 61 insertions(+), 23 deletions(-) diff --git a/docs/configuring-playbook-mautrix-bridges.md b/docs/configuring-playbook-mautrix-bridges.md index abc6b0f18..392be47df 100644 --- a/docs/configuring-playbook-mautrix-bridges.md +++ b/docs/configuring-playbook-mautrix-bridges.md 
@@ -33,6 +33,13 @@ matrix_mautrix_SERVICENAME_configuration_extension_yaml: | ``` Encryption support is off by default. If you would like to enable encryption, add the following to your `vars.yml` file: + +**for all bridges with encryption support**: +```yaml +matrix_bridges_encryption_enabled: true +``` + +**Alternatively**, for a specific bridge: ```yaml matrix_mautrix_SERVICENAME_configuration_extension_yaml: | bridge: diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index 5e743925c..35974bba9 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml @@ -13,6 +13,9 @@ matrix_domain: ~ # Example value: "@someone:{{ matrix_domain }}" matrix_admin: '' +# Global var to enable/disable encryption across all bridges with encryption support +matrix_bridges_encryption_enabled: false + # matrix_homeserver_enabled controls whether to enable the homeserver systemd service, etc. # # Unless you're wrapping this playbook in another one diff --git a/roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml b/roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml index 681695073..86c3366c3 100644 --- a/roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml +++ b/roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml @@ -120,7 +120,7 @@ matrix_appservice_kakaotalk_appservice_bot_username: kakaotalkbot matrix_appservice_kakaotalk_user_prefix: 'kakaotalk_' # End-to-bridge encryption configuration -matrix_appservice_kakaotalk_bridge_encryption_allow: false +matrix_appservice_kakaotalk_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}" matrix_appservice_kakaotalk_bridge_encryption_default: "{{ matrix_appservice_kakaotalk_bridge_encryption_allow }}" # Specifies the default log level for all bridge loggers. 
diff --git a/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml b/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml index 513eba14e..ffcae97f1 100644 --- a/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml +++ b/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml @@ -83,6 +83,11 @@ matrix_beeper_linkedin_login_shared_secret: '' # Specifies the default log level for all bridge loggers. matrix_beeper_linkedin_logging_level: WARNING +# Enable End-to-bridge encryption +matrix_beeper_linkedin_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}" +matrix_beeper_linkedin_bridge_encryption_default: "{{ matrix_beeper_linkedin_bridge_encryption_allow }}" +matrix_beeper_linkedin_bridge_encryption_key_sharing_allow: "{{ matrix_beeper_linkedin_bridge_encryption_allow }}" + # Default beeper-linkedin configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # diff --git a/roles/custom/matrix-bridge-beeper-linkedin/templates/config.yaml.j2 b/roles/custom/matrix-bridge-beeper-linkedin/templates/config.yaml.j2 index 8b9c81ead..c5a01535f 100644 --- a/roles/custom/matrix-bridge-beeper-linkedin/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-beeper-linkedin/templates/config.yaml.j2 
@@ -156,15 +156,15 @@ bridge: # application service. encryption: # Allow encryption, work in group chat rooms with e2ee enabled - allow: false + allow: {{ matrix_beeper_linkedin_bridge_encryption_allow|to_json }} # Default to encryption, force-enable encryption in all portals the bridge creates # This will cause the bridge bot to be in private chats for the encryption to work properly. - default: false + default: {{ matrix_beeper_linkedin_bridge_encryption_default|to_json }} # Options for automatic key sharing. key_sharing: # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. # You must use a client that supports requesting keys from other users to use this feature. - allow: false + allow: {{ matrix_beeper_linkedin_bridge_encryption_key_sharing_allow|to_json }} # Require the requesting device to have a valid cross-signing signature? # This doesn't require that the bridge has verified the device, only that the user has verified it. # Not yet implemented. diff --git a/roles/custom/matrix-bridge-go-skype-bridge/defaults/main.yml b/roles/custom/matrix-bridge-go-skype-bridge/defaults/main.yml index e3cdea4bb..477f21274 100644 --- a/roles/custom/matrix-bridge-go-skype-bridge/defaults/main.yml +++ b/roles/custom/matrix-bridge-go-skype-bridge/defaults/main.yml @@ -86,7 +86,7 @@ matrix_go_skype_bridge_bridge_double_puppet_server_map: "{{ matrix_go_skype_bridge_homeserver_domain : matrix_go_skype_bridge_homeserver_address }}" # Enable End-to-bridge encryption -matrix_go_skype_bridge_bridge_encryption_allow: false +matrix_go_skype_bridge_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}" matrix_go_skype_bridge_bridge_encryption_default: "{{ matrix_go_skype_bridge_bridge_encryption_allow }}" # Minimum severity of journal log messages. diff --git a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml index 1bbcb02b4..35bfa5c01 100644 
--- a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml @@ -137,7 +137,7 @@ matrix_mautrix_discord_registration_yaml: | matrix_mautrix_discord_registration: "{{ matrix_mautrix_discord_registration_yaml | from_yaml }}" # Enable End-to-bridge encryption -matrix_mautrix_discord_bridge_encryption_allow: false +matrix_mautrix_discord_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}" matrix_mautrix_discord_bridge_encryption_default: "{{ matrix_mautrix_discord_bridge_encryption_allow }}" matrix_mautrix_discord_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_discord_bridge_encryption_allow }}" diff --git a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml index 8c19139a7..ba718a668 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -149,3 +149,8 @@ matrix_mautrix_facebook_registration_yaml: | de.sorunome.msc2409.push_ephemeral: true matrix_mautrix_facebook_registration: "{{ matrix_mautrix_facebook_registration_yaml | from_yaml }}" + +# Enable End-to-bridge encryption +matrix_mautrix_facebook_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}" +matrix_mautrix_facebook_bridge_encryption_default: "{{ matrix_mautrix_facebook_bridge_encryption_allow }}" +matrix_mautrix_facebook_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_facebook_bridge_encryption_allow }}" diff --git a/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 index 184ea7808..636b442b9 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 
@@ -126,15 +126,15 @@ bridge:
 # application service.
 encryption:
 # Allow encryption, work in group chat rooms with e2ee enabled
- allow: false
+ allow: {{ matrix_mautrix_facebook_bridge_encryption_allow|to_json }}
 # Default to encryption, force-enable encryption in all portals the bridge creates
 # This will cause the bridge bot to be in private chats for the encryption to work properly.
- default: false
+ default: {{ matrix_mautrix_facebook_bridge_encryption_default|to_json }}
 # Options for automatic key sharing.
 key_sharing:
 # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
 # You must use a client that supports requesting keys from other users to use this feature.
- allow: false
+ allow_key_sharing: {{ matrix_mautrix_facebook_bridge_encryption_key_sharing_allow|to_json }}
 # Require the requesting device to have a valid cross-signing signature?
 # This doesn't require that the bridge has verified the device, only that the user has verified it.
 # Not yet implemented.
diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml
index f432cc637..85f07b9d9 100644
--- a/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml
@@ -129,3 +129,7 @@ matrix_mautrix_googlechat_registration_yaml: |
 de.sorunome.msc2409.push_ephemeral: true
 matrix_mautrix_googlechat_registration: "{{ matrix_mautrix_googlechat_registration_yaml | from_yaml }}"
+
+# Enable End-to-bridge encryption
+matrix_mautrix_googlechat_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
+matrix_mautrix_googlechat_bridge_encryption_default: "{{ matrix_mautrix_googlechat_bridge_encryption_allow }}"
diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-googlechat/templates/config.yaml.j2
index a2560a9fc..4f46aab25 100644
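Review bot: The key-sharing toggle in the mautrix-facebook template is renamed by this hunk: the removed line under `key_sharing:` was `allow: false`, but the added line writes `allow_key_sharing: {{ ... }}`, whereas the beeper-linkedin, mautrix-instagram and mautrix-twitter templates in the same commit keep `allow:`. Unless mautrix-facebook reads a `key_sharing.allow_key_sharing` option (nothing on this page suggests it does), the bridge sees no `allow` key in that section, so `matrix_mautrix_facebook_bridge_encryption_key_sharing_allow`, introduced in this commit's defaults, has no effect and enabling `matrix_bridges_encryption_enabled` leaves key sharing at the bridge's built-in default. The line should read `allow: {{ matrix_mautrix_facebook_bridge_encryption_key_sharing_allow|to_json }}`.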
--- a/roles/custom/matrix-bridge-mautrix-googlechat/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-googlechat/templates/config.yaml.j2 @@ -88,10 +88,10 @@ bridge: # application service. encryption: # Allow encryption, work in group chat rooms with e2ee enabled - allow: false + allow: {{ matrix_mautrix_googlechat_bridge_encryption_allow|to_json }} # Default to encryption, force-enable encryption in all portals the bridge creates # This will cause the bridge bot to be in private chats for the encryption to work properly. - default: false + default: {{ matrix_mautrix_googlechat_bridge_encryption_default|to_json }} # Whether or not created rooms should have federation enabled. # If false, created portal rooms will never be federated. diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-hangouts/defaults/main.yml index 27f3e5930..65b4a6ff5 100644 --- a/roles/custom/matrix-bridge-mautrix-hangouts/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-hangouts/defaults/main.yml @@ -126,3 +126,7 @@ matrix_mautrix_hangouts_registration_yaml: | de.sorunome.msc2409.push_ephemeral: true matrix_mautrix_hangouts_registration: "{{ matrix_mautrix_hangouts_registration_yaml | from_yaml }}" + +# Enable End-to-bridge encryption +matrix_mautrix_hangouts_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}" +matrix_mautrix_hangouts_bridge_encryption_default: "{{ matrix_mautrix_hangouts_bridge_encryption_allow }}" diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2 index d737f3f17..25dd38ec6 100644 --- a/roles/custom/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2 
@@ -88,10 +88,10 @@ bridge: # application service. encryption: # Allow encryption, work in group chat rooms with e2ee enabled - allow: false + allow: {{ matrix_mautrix_hangouts_bridge_encryption_allow|to_json }} # Default to encryption, force-enable encryption in all portals the bridge creates # This will cause the bridge bot to be in private chats for the encryption to work properly. - default: false + default: {{ matrix_mautrix_hangouts_bridge_encryption_default|to_json }} # Public website and API configs web: diff --git a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml index 80d591629..ef696fa80 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml @@ -129,3 +129,8 @@ matrix_mautrix_instagram_registration_yaml: | de.sorunome.msc2409.push_ephemeral: true matrix_mautrix_instagram_registration: "{{ matrix_mautrix_instagram_registration_yaml | from_yaml }}" + +# Enable End-to-bridge encryption +matrix_mautrix_instagram_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}" +matrix_mautrix_instagram_bridge_encryption_default: "{{ matrix_mautrix_instagram_bridge_encryption_allow }}" +matrix_mautrix_instagram_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_instagram_bridge_encryption_allow }}" diff --git a/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 index 93bbfe39f..830adca71 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 
@@ -143,15 +143,15 @@ bridge:
 # application service.
 encryption:
 # Allow encryption, work in group chat rooms with e2ee enabled
- allow: false
+ allow: {{ matrix_mautrix_discord_bridge_encryption_allow|to_json }}
 # Default to encryption, force-enable encryption in all portals the bridge creates
 # This will cause the bridge bot to be in private chats for the encryption to work properly.
- default: false
+ default: {{ matrix_mautrix_discord_bridge_encryption_default|to_json }}
 # Options for automatic key sharing.
 key_sharing:
 # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
 # You must use a client that supports requesting keys from other users to use this feature.
- allow: false
+ allow: {{ matrix_mautrix_discord_bridge_encryption_key_sharing_allow|to_json }}
 # Require the requesting device to have a valid cross-signing signature?
 # This doesn't require that the bridge has verified the device, only that the user has verified it.
 # Not yet implemented.
diff --git a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml
index 8cd285cac..326e7ee53 100644
--- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml
@@ -152,7 +152,7 @@ matrix_mautrix_signal_registration: "{{ matrix_mautrix_signal_registration_yaml
 matrix_mautrix_signal_log_level: 'DEBUG'
-matrix_mautrix_signal_bridge_encryption_allow: false
+matrix_mautrix_signal_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
 matrix_mautrix_signal_bridge_encryption_default: "{{ matrix_mautrix_signal_bridge_encryption_allow }}"
 matrix_mautrix_signal_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_signal_bridge_encryption_allow }}"
diff --git a/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml
index 4d8e3f2f0..2b6c77522 100644
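Review bot: The three templated values in the mautrix-instagram `encryption:` block reference the discord role's variables (`matrix_mautrix_discord_bridge_encryption_allow`, `..._default`, `..._key_sharing_allow`) rather than the `matrix_mautrix_instagram_bridge_encryption_*` defaults this commit adds in `roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml`, so those new defaults are never used. As written, the Instagram bridge's E2EE settings follow whatever the Discord bridge is configured with, and a per-bridge override such as `matrix_mautrix_instagram_bridge_encryption_allow: false` is silently ignored — a surprising coupling for an encryption setting. The lines should be `allow: {{ matrix_mautrix_instagram_bridge_encryption_allow|to_json }}`, `default: {{ matrix_mautrix_instagram_bridge_encryption_default|to_json }}` and `allow: {{ matrix_mautrix_instagram_bridge_encryption_key_sharing_allow|to_json }}`.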
--- a/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml @@ -133,6 +133,6 @@ matrix_mautrix_slack_registration_yaml: | matrix_mautrix_slack_registration: "{{ matrix_mautrix_slack_registration_yaml | from_yaml }}" # Enable End-to-bridge encryption -matrix_mautrix_slack_bridge_encryption_allow: false +matrix_mautrix_slack_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}" matrix_mautrix_slack_bridge_encryption_default: "{{ matrix_mautrix_slack_bridge_encryption_allow }}" matrix_mautrix_slack_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_slack_bridge_encryption_allow }}" diff --git a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml index 4d0401616..d6f44bbcb 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -163,6 +163,6 @@ matrix_mautrix_telegram_alias_template: 'telegram_{groupname}' matrix_mautrix_telegram_displayname_template: '{displayname} (Telegram)' # Enable End-to-bridge encryption -matrix_mautrix_telegram_bridge_encryption_allow: false +matrix_mautrix_telegram_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}" matrix_mautrix_telegram_bridge_encryption_default: "{{ matrix_mautrix_telegram_bridge_encryption_allow }}" matrix_mautrix_telegram_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_telegram_bridge_encryption_allow }}" diff --git a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml index 8f38bb004..cc11a69b3 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml 
@@ -127,3 +127,8 @@ matrix_mautrix_twitter_registration_yaml: | de.sorunome.msc2409.push_ephemeral: true matrix_mautrix_twitter_registration: "{{ matrix_mautrix_twitter_registration_yaml | from_yaml }}" + +# Enable End-to-bridge encryption +matrix_mautrix_twitter_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}" +matrix_mautrix_twitter_bridge_encryption_default: "{{ matrix_mautrix_twitter_bridge_encryption_allow }}" +matrix_mautrix_twitter_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_twitter_bridge_encryption_allow }}" diff --git a/roles/custom/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 index 6e12a7552..bfcfdecb4 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 @@ -126,15 +126,15 @@ bridge: # this to work. See https://github.com/tulir/mautrix-telegram/wiki/End‐to‐bridge-encryption encryption: # Allow encryption, work in group chat rooms with e2ee enabled - allow: false + allow: {{ matrix_mautrix_twitter_bridge_encryption_allow|to_json }} # Default to encryption, force-enable encryption in all portals the bridge creates # This will cause the bridge bot to be in private chats for the encryption to work properly. - default: false + default: {{ matrix_mautrix_twitter_bridge_encryption_default|to_json }} # Options for automatic key sharing. key_sharing: # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. # You must use a client that supports requesting keys from other users to use this feature. - allow: false + allow: {{ matrix_mautrix_twitter_bridge_encryption_key_sharing_allow|to_json }} # Require the requesting device to have a valid cross-signing signature? # This doesn't require that the bridge has verified the device, only that the user has verified it. # Not yet implemented. 
diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml index ac5796ba6..88b917582 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -97,7 +97,7 @@ matrix_mautrix_whatsapp_bridge_login_shared_secret_map: "{{ {matrix_mautrix_whatsapp_homeserver_domain: matrix_mautrix_whatsapp_login_shared_secret} if matrix_mautrix_whatsapp_login_shared_secret else {} }}" # Enable End-to-bridge encryption -matrix_mautrix_whatsapp_bridge_encryption_allow: false +matrix_mautrix_whatsapp_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}" matrix_mautrix_whatsapp_bridge_encryption_default: "{{ matrix_mautrix_whatsapp_bridge_encryption_allow }}" matrix_mautrix_whatsapp_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_whatsapp_bridge_encryption_allow }}" From 45c92ba7db4b8a77ccd06304410e0845d2570164 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Apr 2023 08:09:54 +0300 Subject: [PATCH 689/915] Upgrade Traefik (2.9.9 -> 2.9.10) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index a53a9d713..c5d4c8ecd 100644 --- a/requirements.yml +++ b/requirements.yml @@ -24,7 +24,7 @@ - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git version: 3d5bb2976815958cdce3f368fa34fb51554f899b - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: v2.9.9-0 + version: v2.9.10-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: v2.8.1-0 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git From 418dd953addc104f77547d2ff8c233fe964f424c Mon Sep 17 00:00:00 2001 
From: Shreyas Ajjarapu Date: Fri, 7 Apr 2023 11:44:17 -0500 Subject: [PATCH 690/915] Updating maubot to the latest version --- roles/custom/matrix-bot-maubot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-maubot/defaults/main.yml b/roles/custom/matrix-bot-maubot/defaults/main.yml index caee9b132..a31d81913 100644 --- a/roles/custom/matrix-bot-maubot/defaults/main.yml +++ b/roles/custom/matrix-bot-maubot/defaults/main.yml @@ -10,7 +10,7 @@ matrix_bot_maubot_docker_src_files_path: "{{ matrix_bot_maubot_base_path }}/dock matrix_bot_maubot_docker_repo_version: "{{ 'master' if matrix_bot_maubot_version == 'latest' else matrix_bot_maubot_version }}" -matrix_bot_maubot_version: v0.4.0 +matrix_bot_maubot_version: v0.4.1 matrix_bot_maubot_docker_image: "{{ matrix_bot_maubot_docker_image_name_prefix }}maubot/maubot:{{ matrix_bot_maubot_version }}" matrix_bot_maubot_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_maubot_container_image_self_build else 'dock.mau.dev/' }}" matrix_bot_maubot_docker_image_force_pull: "{{ matrix_bot_maubot_docker_image.endswith(':latest') }}" From 717d4417b9104647ae446a22dc4678a914140cbf Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 7 Apr 2023 16:59:03 +0000 Subject: [PATCH 691/915] Bump ansible-community/ansible-lint-action from 6.11.0 to 6.14.4 Bumps [ansible-community/ansible-lint-action](https://github.com/ansible-community/ansible-lint-action) from 6.11.0 to 6.14.4. - [Release notes](https://github.com/ansible-community/ansible-lint-action/releases) - [Commits](https://github.com/ansible-community/ansible-lint-action/compare/v6.11.0...v6.14.4) --- updated-dependencies: - dependency-name: ansible-community/ansible-lint-action dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] --- .github/workflows/matrix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml index 2f9e79534..c21db57a3 100644 --- a/.github/workflows/matrix.yml +++ b/.github/workflows/matrix.yml @@ -21,6 +21,6 @@ jobs: - name: Check out uses: actions/checkout@v3 - name: Run ansible-lint - uses: ansible-community/ansible-lint-action@v6.11.0 + uses: ansible-community/ansible-lint-action@v6.14.4 with: path: roles/custom From 2649d9d8bb128dffc323d3cd3888f9d1158cf1e7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 8 Apr 2023 08:10:22 +0300 Subject: [PATCH 692/915] Fix lint-reported errors --- requirements.yml | 2 ++ .../matrix-coturn/tasks/setup_install.yml | 8 -------- .../tasks/main.yml | 18 +++++++++--------- 3 files changed, 11 insertions(+), 17 deletions(-) diff --git a/requirements.yml b/requirements.yml index c5d4c8ecd..26414d8e9 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1,3 +1,5 @@ +--- + - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git version: v1.0.0-0 name: aux diff --git a/roles/custom/matrix-coturn/tasks/setup_install.yml b/roles/custom/matrix-coturn/tasks/setup_install.yml index 1cb8bd696..503ffae10 100644 --- a/roles/custom/matrix-coturn/tasks/setup_install.yml +++ b/roles/custom/matrix-coturn/tasks/setup_install.yml @@ -73,7 +73,6 @@ src: "{{ role_path }}/templates/systemd/matrix-coturn.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-coturn.service" mode: 0644 - register: matrix_coturn_systemd_service_change_results # This may be unnecessary when more long-lived certificates are used. # We optimize for the common use-case though (short-lived Let's Encrypt certificates). 
@@ -83,7 +82,6 @@ src: "{{ role_path }}/templates/systemd/{{ item }}.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ item }}" mode: 0644 - register: "matrix_coturn_systemd_service_change_results" when: "matrix_coturn_tls_enabled | bool" with_items: - matrix-coturn-reload.service @@ -94,13 +92,7 @@ ansible.builtin.file: path: "{{ item }}" state: absent - register: "matrix_coturn_systemd_service_change_results" when: "not matrix_coturn_tls_enabled | bool" with_items: - matrix-coturn-reload.service - matrix-coturn-reload.timer - -- name: Ensure systemd reloaded if systemd units changed - ansible.builtin.service: - daemon_reload: true - when: "matrix_coturn_systemd_service_change_results.changed" diff --git a/roles/custom/matrix-synapse-auto-compressor/tasks/main.yml b/roles/custom/matrix-synapse-auto-compressor/tasks/main.yml index 2cce1f122..5993e4f9b 100644 --- a/roles/custom/matrix-synapse-auto-compressor/tasks/main.yml +++ b/roles/custom/matrix-synapse-auto-compressor/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-synapse-auto-compressor + - install-all + - install-synapse-auto-compressor + block: - when: matrix_synapse_auto_compressor_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_synapse_auto_compressor_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" - tags: + +- tags: - setup-all - setup-synapse-auto-compressor - - install-all - - install-synapse-auto-compressor - -- block: + block: - when: not matrix_synapse_auto_compressor_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" - tags: - - setup-all - - setup-synapse-auto-compressor From 4546410f6a722084d9875034399137058bbbf139 Mon Sep 17 00:00:00 2001 
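Review bot: The `Ensure systemd reloaded if systemd units changed` task removed at the end of `setup_install.yml` is not replaced by anything inside this role, while the unit files are still (re)templated by the tasks whose `register` lines are dropped in this hunk and in the preceding one. The reused `matrix_coturn_systemd_service_change_results` register was indeed broken (only the last task's result survived), but if nothing later in the playbook issues a `daemon_reload`, a changed `matrix-coturn.service` will keep running under its stale definition until the next reload. If a central service-manager role does handle this (which the commit appears to rely on but the hunk does not show), a comment near the template tasks such as `# systemd daemon-reload is performed centrally after all units are templated` would stop a future reader from re-adding the per-role reload.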
From: Slavi Pantaleev Date: Mon, 10 Apr 2023 15:15:32 +0300 Subject: [PATCH 693/915] Restore matrix-nginx-proxy connectivity to the Jitsi container network Regression since 1d00d15482e8a2ec9e82a50 --- group_vars/matrix_servers | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 91a630baf..f25c4b4e1 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2576,7 +2576,14 @@ matrix_nginx_proxy_container_federation_host_bind_port: "{{ matrix_federation_pu matrix_nginx_proxy_trust_forwarded_proto: "{{ matrix_playbook_reverse_proxy_type != 'playbook-managed-nginx' }}" matrix_nginx_proxy_x_forwarded_for: "{{ '$remote_addr' if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else '$proxy_add_x_forwarded_for' }}" -matrix_nginx_proxy_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" +matrix_nginx_proxy_container_additional_networks: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + + + ([jitsi_container_network] if jitsi_enabled and matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' and jitsi_container_network != matrix_nginx_proxy_container_network else []) + ) | unique + }} matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-nginx-proxy:12080' }}" matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ '127.0.0.1:41080' if matrix_corporal_enabled else '127.0.0.1:12080' }}" From 024d9ed3f3e9d366be3888810b13620448d4d6c5 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Tue, 11 Apr 2023 17:18:58 +0300 Subject: [PATCH 694/915] Upgrade Synapse (v1.80.0 -> v1.81.0) --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 5e45859c2..ad2fa74dc 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -4,7 +4,7 @@ matrix_synapse_enabled: true -matrix_synapse_version: v1.80.0 +matrix_synapse_version: v1.81.0 matrix_synapse_username: '' matrix_synapse_uid: '' From fe2df30998759ae51dca9864dc0e2645e392dac2 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 11 Apr 2023 18:29:36 +0000 Subject: [PATCH 695/915] Update element 1.11.28 -> 1.11.29 --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index b15d48981..e99ea55b0 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml 
@@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.11.28 +matrix_client_element_version: v1.11.29 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 591aa077a253e5231d8a344677ec01c10ffdb005 Mon Sep 17 00:00:00 2001 From: mgoerens Date: Wed, 12 Apr 2023 12:14:53 +0200 Subject: [PATCH 696/915] Removing warning that no longer applies Similar to: https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/362954aeab35398e3cd6cd5e735f3fade338b022 This warning was added because of: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2090 The problem has since been fixed by: https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/e9e84341a91fb0013469d74ee8c88c2edb5ad3a5 This current patch was provoked by: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2352 --- docs/configuring-playbook-synapse.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/configuring-playbook-synapse.md b/docs/configuring-playbook-synapse.md index ef562ae88..40ce8fee9 100644 --- a/docs/configuring-playbook-synapse.md +++ b/docs/configuring-playbook-synapse.md 
@@ -42,8 +42,6 @@ devture_postgres_process_extra_arguments: [ ] ``` -**NOTE**: Disabling `matrix-nginx-proxy` (`matrix_nginx_proxy_enabled: false`) (that is, [using your own other webserver](configuring-playbook-own-webserver.md) when running a Synapse worker setup is likely to cause various troubles (see [this issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2090)). - In case any problems occur, make sure to have a look at the [list of synapse issues about workers](https://github.com/matrix-org/synapse/issues?q=workers+in%3Atitle) and your `journalctl --unit 'matrix-*'`. From 3d60ce496073ef2364a82ed6cbf2986eac49e8b5 Mon Sep 17 00:00:00 2001 From: spatterlight <81454789+spatterIight@users.noreply.github.com> Date: Wed, 12 Apr 2023 15:32:27 +0000 Subject: [PATCH 697/915] Update configuring-playbook-synapse.md This change adds a section that lets the reader know that it is possible to enable synapse metrics and references the relevant documentation. It aims to be short and concise, leaving the specifics to the referenced documentation, while still giving the reader a good idea of what it is and what it is for. --- docs/configuring-playbook-synapse.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/configuring-playbook-synapse.md b/docs/configuring-playbook-synapse.md index 40ce8fee9..4823c88d5 100644 --- a/docs/configuring-playbook-synapse.md +++ b/docs/configuring-playbook-synapse.md 
@@ -117,3 +117,10 @@ matrix_synapse_container_image_customizations_templates_git_repository_ssh_priva As mentioned in Synapse's Templates documentation, Synapse will fall back to its own templates if a template is not found in that directory. Due to this, it's recommended to only store and maintain template files in your repository if you need to make custom changes. Other files (which you don't need to change), should not be duplicated, so that you don't need to worry about getting out-of-sync with the original Synapse templates. + + +## Monitoring Synapse Metrics with Prometheus and Grafana + +This playbook allows you to enable Synapse metrics, which can provide insight into the performance and activity of Synapse. + +To enable Synapse metrics see [`configuring-playbook-prometheus-grafana.md`](./configuring-playbook-prometheus-grafana.md) From 2f11bf39c3c8204a4dbb47a932449bbe6f063c27 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 14 Apr 2023 06:05:24 +0000 Subject: [PATCH 698/915] Update borgmatic 1.7.11 -> 1.7.12 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 26414d8e9..19fbd79b3 100644 --- a/requirements.yml +++ b/requirements.yml @@ -4,7 +4,7 @@ version: v1.0.0-0 name: aux - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git - version: v1.2.4-1.7.11-1 + version: v1.2.4-1.7.12-0 - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git version: v0.1.1-1 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git From 9c75a1e20dc16bb3fea1e807e23ff1810430506f Mon Sep 17 00:00:00 2001 From: Kanlas <16520060+kanlas-net@users.noreply.github.com> Date: Sun, 16 Apr 2023 18:52:12 +0300 Subject: [PATCH 699/915] Fix recaptcha vars ansible-vault compatibility --- .../matrix-synapse/templates/synapse/homeserver.yaml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index db693582a..ca8289778 100644 --- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -1223,12 +1223,12 @@ oembed: # This homeserver's ReCAPTCHA public key. Must be specified if # enable_registration_captcha is enabled. # -recaptcha_public_key: {{ matrix_synapse_recaptcha_public_key|to_json }} +recaptcha_public_key: {{ matrix_synapse_recaptcha_public_key|string|to_json }} # This homeserver's ReCAPTCHA private key. Must be specified if # enable_registration_captcha is enabled. # -recaptcha_private_key: {{ matrix_synapse_recaptcha_private_key|to_json }} +recaptcha_private_key: {{ matrix_synapse_recaptcha_private_key|string|to_json }} # Uncomment to enable ReCaptcha checks when registering, preventing signup # unless a captcha is answered. Requires a valid ReCaptcha From bf564e8bda8b79a33a4535386f84b25f77297ed4 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Sun, 16 Apr 2023 16:58:06 +0000 Subject: [PATCH 700/915] Update mautrix-whatsapp 0.8.3 -> 0.8.4 --- roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 88b917582..d54d2e1c2 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml 
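Review bot: The `|string` filter added to the two `recaptcha_*_key` lines is what makes vault-encrypted values serialise as plain strings, but nothing in the template records that, and a later commit in this series strips the same `| string` from another `to_json` line, so the fix is easy to lose again. A comment above `recaptcha_public_key` would protect it, e.g. `{# |string unwraps ansible-vault values so to_json emits a plain string; keep it #}`. Note that the coercion also turns a null value into the literal text `None`, so these variables must keep their `''` default rather than `~`.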
@@ -8,7 +8,7 @@ matrix_mautrix_whatsapp_container_image_self_build: false matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautrix/whatsapp.git" matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}" -matrix_mautrix_whatsapp_version: v0.8.3 +matrix_mautrix_whatsapp_version: v0.8.4 # See: https://mau.dev/mautrix/whatsapp/container_registry matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_name_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}" matrix_mautrix_whatsapp_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_whatsapp_container_image_self_build else 'dock.mau.dev/' }}" From e323ab31d50413f8a576c80640c2f60f66c87536 Mon Sep 17 00:00:00 2001 From: Lilith Schier Date: Sun, 16 Apr 2023 19:04:35 +0000 Subject: [PATCH 701/915] Added a nix flake --- .envrc | 1 + .gitignore | 1 + flake.nix | 19 +++++++++++++++++++ 3 files changed, 21 insertions(+) create mode 100644 .envrc create mode 100644 flake.nix diff --git a/.envrc b/.envrc new file mode 100644 index 000000000..8392d159f --- /dev/null +++ b/.envrc @@ -0,0 +1 @@ +use flake \ No newline at end of file diff --git a/.gitignore b/.gitignore index 0b64b8594..421877392 100644 --- a/.gitignore +++ b/.gitignore @@ -5,6 +5,7 @@ /roles/**/files/scratchpad .DS_Store .python-version +flake.lock # ignore roles pulled by ansible-galaxy /roles/galaxy/* diff --git a/flake.nix b/flake.nix new file mode 100644 index 000000000..412309a89 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,19 @@ +{ + inputs.nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable"; + + outputs = { self, nixpkgs, ... }: + let + pkgs = import nixpkgs { system = "x86_64-linux"; }; + in + { + devShell.x86_64-linux = pkgs.mkShell { + buildInputs = with pkgs; [ + just + python311Packages.ansible-core + python311Packages.passlib + ]; + LC_ALL = "C.UTF-8"; + LC_CTYPE = "C.UTF-8"; + }; + }; +} From f5f158f221e672a48148997cbe0f995138d7757d Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Sun, 16 Apr 2023 22:22:30 +0000 Subject: [PATCH 702/915] Update mautrix-discord 0.2.0 -> 0.3.0 --- roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml index 35bfa5c01..f088ae15f 100644 --- a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mautrix_discord_container_image_self_build: false matrix_mautrix_discord_container_image_self_build_repo: "https://mau.dev/mautrix/discord.git" matrix_mautrix_discord_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_discord_version == 'latest' else matrix_mautrix_discord_version }}" -matrix_mautrix_discord_version: v0.2.0 +matrix_mautrix_discord_version: v0.3.0 # See: https://mau.dev/mautrix/discord/container_registry matrix_mautrix_discord_docker_image: "{{ matrix_mautrix_discord_docker_image_name_prefix }}mautrix/discord:{{ matrix_mautrix_discord_version }}" matrix_mautrix_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_discord_container_image_self_build else 'dock.mau.dev/' }}" From c46f79358f042d495280d7ff0ee69f20d86f878a Mon Sep 17 00:00:00 2001 
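Review bot: `inputs.nixpkgs.url` follows the moving `nixpkgs-unstable` branch and the `.gitignore` hunk of this same commit excludes `flake.lock`, so the dev shell is not pinned at all: each `nix develop` resolves to whatever nixpkgs-unstable is at that moment, with no recorded revision or hash to audit or reproduce. Commit `flake.lock` (remove it from `.gitignore`) so contributors get the same `ansible-core`/`passlib` revisions the maintainers tested with, and advance them deliberately with `nix flake update`. Separately, `system = "x86_64-linux"` hard-codes one platform, so aarch64 and Darwin users get no `devShell`; generating the outputs per system with `nixpkgs.lib.genAttrs` over a short list would cover them.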
From: Jost Alemann <58050402+jalemann@users.noreply.github.com> Date: Mon, 17 Apr 2023 10:09:24 +0200 Subject: [PATCH 703/915] fix: add missing word --- examples/nginx/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/nginx/README.md b/examples/nginx/README.md index f9be21fd2..11fca299e 100644 --- a/examples/nginx/README.md +++ b/examples/nginx/README.md @@ -10,7 +10,7 @@ To get started, first follow the [front the integrated reverse-proxy webserver w ## Using the nginx configuration -Copy the [matrix.conf](matrix.conf) file to your nginx server's filesystem, modify it to your needs and include it your nginx configuration (e.g. `include /path/to/matrix.conf;`). +Copy the [matrix.conf](matrix.conf) file to your nginx server's filesystem, modify it to your needs and include it in your nginx configuration (e.g. `include /path/to/matrix.conf;`). This configuration **disables SSL certificate retrieval**, so you will **need to obtain SSL certificates manually** (e.g. by using [certbot](https://certbot.eff.org/)) and set the appropriate path in `matrix.conf`. In the example nginx configuration, a single certificate is used for all subdomains (`matrix.DOMAIN`, `element.DOMAIN`, etc.). For your setup, may wish to change this and use separate `server` blocks and separate certificate files for each host. From 917167915b9a378a7baeb030d73e117f18f618a4 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 17 Apr 2023 17:00:42 +0000 Subject: [PATCH 704/915] Bump ansible-community/ansible-lint-action from 6.14.4 to 6.15.0 Bumps [ansible-community/ansible-lint-action](https://github.com/ansible-community/ansible-lint-action) from 6.14.4 to 6.15.0. - [Release notes](https://github.com/ansible-community/ansible-lint-action/releases) - [Commits](https://github.com/ansible-community/ansible-lint-action/compare/v6.14.4...v6.15.0) --- updated-dependencies: - dependency-name: ansible-community/ansible-lint-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/matrix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml index c21db57a3..f69e60ff9 100644 --- a/.github/workflows/matrix.yml +++ b/.github/workflows/matrix.yml @@ -21,6 +21,6 @@ jobs: - name: Check out uses: actions/checkout@v3 - name: Run ansible-lint - uses: ansible-community/ansible-lint-action@v6.14.4 + uses: ansible-community/ansible-lint-action@v6.15.0 with: path: roles/custom From 66930c9d75d4d6db9dfe608228103af5ed10217c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 18 Apr 2023 10:41:55 +0300 Subject: [PATCH 705/915] Upgrade systemd_docker_base, container_socket_proxy, Traefik These roles now obey `devture_systemd_docker_base_container_image_pull_method` and `devture_systemd_docker_base_container_network_creation_method` and can work on systems which don't have the Docker SDK for Python installed by avoiding the various Ansible Docker modules and using raw `docker` commands for pulling images and creating networks. --- requirements.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/requirements.yml b/requirements.yml index 19fbd79b3..c7032efea 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -6,7 +6,7 @@ - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git version: v1.2.4-1.7.12-0 - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git - version: v0.1.1-1 + version: v0.1.1-2 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git version: 129c8590e106b83e6f4c259649a613c6279e937a - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git @@ -20,13 +20,13 @@ - src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git version: 8e9ec48a09284c84704d7a2dce17da35f181574d - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git - version: 327d2e17f5189ac2480d6012f58cf64a2b46efba + version: v1.0.0-0 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git version: v1.0.0-0 - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git version: 3d5bb2976815958cdce3f368fa34fb51554f899b - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: v2.9.10-0 + version: v2.9.10-1 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: v2.8.1-0 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git From c62896b97eff51ef902686acbf54917ed8728481 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 18 Apr 2023 10:59:02 +0300 Subject: [PATCH 706/915] Upgrade Traefik (v2.9.10-1 -> v2.9.10-2) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index c7032efea..559ff4649 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -26,7 +26,7 @@ - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git version: 3d5bb2976815958cdce3f368fa34fb51554f899b - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: v2.9.10-1 + version: v2.9.10-2 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: v2.8.1-0 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git From beb40134b7272447ebd0d1086d026f077b51e2da Mon Sep 17 00:00:00 2001 From: spatterlight <81454789+spatterIight@users.noreply.github.com> Date: Wed, 19 Apr 2023 05:52:03 +0000 Subject: [PATCH 707/915] Add support for backup LDAP servers (#2650) * Update homeserver.yaml.j2 * Update configuring-playbook-ldap-auth.md * Update homeserver.yaml.j2 --- docs/configuring-playbook-ldap-auth.md | 4 +++- .../matrix-synapse/templates/synapse/homeserver.yaml.j2 | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-ldap-auth.md b/docs/configuring-playbook-ldap-auth.md index ecc0f2579..dabc25219 100644 --- a/docs/configuring-playbook-ldap-auth.md +++ b/docs/configuring-playbook-ldap-auth.md @@ -8,7 +8,9 @@ If you decide that you'd like to let this playbook install it for you, you need ```yaml matrix_synapse_ext_password_provider_ldap_enabled: true -matrix_synapse_ext_password_provider_ldap_uri: "ldap://ldap.mydomain.tld:389" +matrix_synapse_ext_password_provider_ldap_uri: + - "ldap://ldap-01.mydomain.tld:389" + - "ldap://ldap-02.mydomain.tld:389" matrix_synapse_ext_password_provider_ldap_start_tls: true matrix_synapse_ext_password_provider_ldap_base: "ou=users,dc=example,dc=com" matrix_synapse_ext_password_provider_ldap_attributes_uid: "uid" diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index ca8289778..63cdafeb0 100644 --- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 
+++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2515,7 +2515,7 @@ password_providers: config: enabled: true mode: {{ matrix_synapse_ext_password_provider_ldap_mode | string | to_json }} - uri: {{ matrix_synapse_ext_password_provider_ldap_uri | string|to_json }} + uri: {{ matrix_synapse_ext_password_provider_ldap_uri | to_json }} start_tls: {{ matrix_synapse_ext_password_provider_ldap_start_tls|to_json }} base: {{ matrix_synapse_ext_password_provider_ldap_base | string|to_json }} active_directory: {{ matrix_synapse_ext_password_provider_ldap_active_directory|to_json }} From c20d74af7904d2a867ee2749b39de2cbe2df332a Mon Sep 17 00:00:00 2001 From: Aine Date: Fri, 21 Apr 2023 12:45:32 +0300 Subject: [PATCH 708/915] buscarron and honoroit - add basic auth for metrics --- .../matrix-bot-buscarron/defaults/main.yml | 15 ++++++++++++ .../tasks/setup_install.yml | 22 ++++++++++++++++++ .../matrix-bot-buscarron/templates/labels.j2 | 23 ++++++++++++++++++- .../matrix-bot-honoroit/defaults/main.yml | 15 ++++++++++++ .../tasks/setup_install.yml | 22 ++++++++++++++++++ .../matrix-bot-honoroit/templates/labels.j2 | 23 ++++++++++++++++++- 6 files changed, 118 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-bot-buscarron/defaults/main.yml b/roles/custom/matrix-bot-buscarron/defaults/main.yml index 0596c440f..7a31514b9 100644 --- a/roles/custom/matrix-bot-buscarron/defaults/main.yml +++ b/roles/custom/matrix-bot-buscarron/defaults/main.yml 
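Review bot: Removing `| string` from the `uri:` line re-introduces, for this key, the ansible-vault problem that the earlier recaptcha commit in this series fixed: a vault-encrypted scalar `matrix_synapse_ext_password_provider_ldap_uri` is no longer coerced to text before `to_json`, so it may be serialised as an object rather than the `ldap://…` string. Since the variable can now be a string or a list, normalise it to a list of plain strings instead of picking one filter chain: `uri: {{ (matrix_synapse_ext_password_provider_ldap_uri if matrix_synapse_ext_password_provider_ldap_uri | type_debug == 'list' else [matrix_synapse_ext_password_provider_ldap_uri]) | map('string') | list | to_json }}`. That keeps the documented scalar form working, assuming the LDAP provider accepts a one-element list (which the new docs example implies). The `password_providers:` mapping this line belongs to starts outside the hunk.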
@@ -14,6 +14,10 @@ matrix_bot_buscarron_hostname: '' # This value must either be `/` or not end with a slash (e.g. `/buscarron`). matrix_bot_buscarron_path_prefix: / +# The path at which Buscarron will expose metrics +# This value must either be `/` or not end with a slash (e.g. `/metrics`). +matrix_bot_buscarron_metrics_path: /metrics + matrix_bot_buscarron_base_path: "{{ matrix_base_data_path }}/buscarron" matrix_bot_buscarron_config_path: "{{ matrix_bot_buscarron_base_path }}/config" matrix_bot_buscarron_data_path: "{{ matrix_bot_buscarron_base_path }}/data" @@ -36,6 +40,15 @@ matrix_bot_buscarron_container_network: matrix-bot-buscarron # Use this to expose this container to another reverse proxy, which runs in a different container network. matrix_bot_buscarron_container_additional_networks: [] +# enable basic auth for metrics +matrix_bot_buscarron_basicauth_enabled: false +# temporary file name on the host that runs ansible +matrix_bot_buscarron_basicauth_file: "/tmp/matrix_bot_buscarron_htpasswd" +# username +matrix_bot_buscarron_basicauth_user: '' +# password +matrix_bot_buscarron_basicauth_password: '' + # matrix_bot_buscarron_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. # See `../templates/labels.j2` for details. # 
@@ -46,6 +59,8 @@ matrix_bot_buscarron_container_labels_traefik_hostname: "{{ matrix_bot_buscarron # The path prefix must either be `/` or not end with a slash (e.g. `/buscarron`). matrix_bot_buscarron_container_labels_traefik_path_prefix: "{{ matrix_bot_buscarron_path_prefix }}" matrix_bot_buscarron_container_labels_traefik_rule: "Host(`{{ matrix_bot_buscarron_container_labels_traefik_hostname }}`){% if matrix_bot_buscarron_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_bot_buscarron_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_bot_buscarron_container_labels_traefik_metrics_path: "{{ matrix_bot_buscarron_metrics_path }}" +matrix_bot_buscarron_container_labels_traefik_metrics_rule: "Host(`{{ matrix_bot_buscarron_container_labels_traefik_hostname }}`) && Path(`{{ matrix_bot_buscarron_container_labels_traefik_metrics_path }}`)" matrix_bot_buscarron_container_labels_traefik_priority: 0 matrix_bot_buscarron_container_labels_traefik_entrypoints: web-secure matrix_bot_buscarron_container_labels_traefik_tls: "{{ matrix_bot_buscarron_container_labels_traefik_entrypoints != 'web' }}" diff --git a/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml b/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml index 1c2c62e14..2c478e459 100644 --- a/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml 
@@ -40,6 +40,20 @@ - {path: "{{ matrix_bot_buscarron_docker_src_files_path }}", when: true} when: "item.when | bool" +- name: Determine basicauth filename + set_fact: + matrix_bot_buscarron_basicauth_file_tmp: "{{ matrix_bot_buscarron_basicauth_file }}_{{ inventory_hostname }}" + when: matrix_bot_buscarron_basicauth_enabled | bool + +- name: Generate basic auth file + community.general.htpasswd: + path: "{{ matrix_bot_buscarron_basicauth_file }}" + name: "{{ matrix_bot_buscarron_basicauth_user }}" + password: "{{ matrix_bot_buscarron_basicauth_password }}" + become: false + delegate_to: 127.0.0.1 + when: matrix_bot_buscarron_basicauth_enabled | bool + - name: Ensure buscarron support files installed ansible.builtin.template: src: "{{ role_path }}/templates/{{ item }}.j2" @@ -51,6 +65,14 @@ - env - labels +- name: Ensure temporary basic auth file is removed + ansible.builtin.file: + path: "{{ matrix_bot_buscarron_basicauth_file }}" + state: absent + become: false + delegate_to: 127.0.0.1 + when: matrix_bot_buscarron_basicauth_enabled | bool + - name: Ensure buscarron image is pulled community.docker.docker_image: name: "{{ matrix_bot_buscarron_docker_image }}" diff --git a/roles/custom/matrix-bot-buscarron/templates/labels.j2 b/roles/custom/matrix-bot-buscarron/templates/labels.j2 index 5a53805a5..6a1ead33d 100644 --- a/roles/custom/matrix-bot-buscarron/templates/labels.j2 +++ b/roles/custom/matrix-bot-buscarron/templates/labels.j2 @@ -6,6 +6,7 @@ traefik.docker.network={{ matrix_bot_buscarron_container_labels_traefik_docker_n {% endif %} {% set middlewares = [] %} +{% set middlewares_metrics = [] %} {% if matrix_bot_buscarron_container_labels_traefik_path_prefix != '/' %} traefik.http.middlewares.matrix-bot-buscarron-slashless-redirect.redirectregex.regex=({{ matrix_bot_buscarron_container_labels_traefik_path_prefix | quote }})$ 
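Review bot: `matrix_bot_buscarron_basicauth_file_tmp` is computed (`…_{{ inventory_hostname }}`) but never used — `htpasswd`, the `file` cleanup task and the `lookup('ansible.builtin.file', …)` in `labels.j2` all use the plain `matrix_bot_buscarron_basicauth_file`, so every host in the play shares one controller-side `/tmp/matrix_bot_buscarron_htpasswd`: with several hosts, one host's cleanup can delete the file before another host's template task reads it, and because the htpasswd module manages a single entry and leaves others in place, a previous host's `user:hash` line can end up in the next host's labels. Use the per-host name in all three places, or better, create the file with `ansible.builtin.tempfile` (delegated to localhost), which also avoids a fixed, predictable name in world-writable `/tmp`. Cleanup is also best-effort only: if the template task fails the hash file is left behind, so put the generate/template/remove sequence in a `block:` with the removal under `always:`.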
@@ -18,6 +19,11 @@ traefik.http.middlewares.matrix-bot-buscarron-strip-prefix.stripprefix.prefixes= {% set middlewares = middlewares + ['matrix-bot-buscarron-strip-prefix'] %} {% endif %} +{% if matrix_bot_buscarron_basicauth_enabled %} +traefik.http.middlewares.matrix-bot-buscarron-auth.basicauth.users={{ lookup('ansible.builtin.file', matrix_bot_buscarron_basicauth_file) }} +{% set middlewares_metrics = middlewares + ['matrix-bot-buscarron-auth'] %} +{% endif %} + {% if matrix_bot_buscarron_container_labels_traefik_additional_response_headers.keys() | length > 0 %} {% for name, value in matrix_bot_buscarron_container_labels_traefik_additional_response_headers.items() %} traefik.http.middlewares.matrix-bot-buscarron-add-headers.headers.customresponseheaders.{{ name }}={{ value }} 
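Review bot: `middlewares_metrics` is taken from `middlewares` at a point where only the slashless-redirect/strip-prefix middlewares have been collected; the `matrix-bot-buscarron-add-headers` middleware is appended to `middlewares` further down, after this block, so the metrics router never gets the custom response headers, whereas the honoroit template in this same commit places its auth block after the add-headers block. Move this `{% if matrix_bot_buscarron_basicauth_enabled %}` block below the add-headers block (or compute `middlewares_metrics` immediately before the router labels) so the two bots behave the same.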
@@ -38,8 +44,23 @@ traefik.http.routers.matrix-bot-buscarron.tls={{ matrix_bot_buscarron_container_ {% if matrix_bot_buscarron_container_labels_traefik_tls %} traefik.http.routers.matrix-bot-buscarron.tls.certResolver={{ matrix_bot_buscarron_container_labels_traefik_tls_certResolver }} {% endif %} - traefik.http.services.matrix-bot-buscarron.loadbalancer.server.port=8080 + +{% if middlewares_metrics | length > 0 %} +traefik.http.routers.matrix-bot-buscarron-metrics.rule={{ matrix_bot_buscarron_container_labels_traefik_metrics_rule }} +{% if matrix_bot_buscarron_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-bot-buscarron-metrics.priority={{ matrix_bot_buscarron_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-bot-buscarron-metrics.service=matrix-bot-buscarron +traefik.http.routers.matrix-bot-buscarron-metrics.middlewares={{ middlewares_metrics | join(',') }} +traefik.http.routers.matrix-bot-buscarron-metrics.entrypoints={{ matrix_bot_buscarron_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-bot-buscarron-metrics.tls={{ matrix_bot_buscarron_container_labels_traefik_tls | to_json }} +{% if matrix_bot_buscarron_container_labels_traefik_tls %} +traefik.http.routers.matrix-bot-buscarron-metrics.tls.certResolver={{ matrix_bot_buscarron_container_labels_traefik_tls_certResolver }} +{% endif %} +traefik.http.services.matrix-bot-buscarron-metrics.loadbalancer.server.port=8080 +{% endif %} + {% endif %} {{ matrix_bot_buscarron_container_labels_additional_labels }} diff --git a/roles/custom/matrix-bot-honoroit/defaults/main.yml b/roles/custom/matrix-bot-honoroit/defaults/main.yml index 5e90ef51f..ea93d55f2 100644 --- a/roles/custom/matrix-bot-honoroit/defaults/main.yml +++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml 
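Review bot: `traefik.http.services.matrix-bot-buscarron-metrics.loadbalancer.server.port=8080` defines a Traefik service that nothing references — the metrics router is explicitly bound to `service=matrix-bot-buscarron` a few lines above — so the label should be dropped. More importantly, the metrics router is only emitted when `middlewares_metrics` is non-empty, i.e. when basic auth is enabled; with the default `matrix_bot_buscarron_basicauth_enabled: false` nothing is emitted and `/metrics` simply falls through to the main router, which matches `Host(...)` for every path, so if the bot serves metrics on the same port 8080 (as the new service label suggests) they remain reachable without authentication. Either document that next to the toggle in `defaults/main.yml` (`# When disabled, /metrics is still served by the main router, unauthenticated`) or emit the metrics router unconditionally so it can carry its own middlewares and priority.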
@@ -11,6 +11,10 @@ matrix_bot_honoroit_hostname: '' # This value must either be `/` or not end with a slash (e.g. `/honoroit`). matrix_bot_honoroit_path_prefix: / +# The path at which honoroit will expose metrics +# This value must either be `/` or not end with a slash (e.g. `/metrics`). +matrix_bot_honoroit_metrics_path: /metrics + matrix_bot_honoroit_container_image_self_build: false matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git" matrix_bot_honoroit_docker_repo_version: "{{ matrix_bot_honoroit_version }}" @@ -34,6 +38,15 @@ matrix_bot_honoroit_container_network: matrix-bot-honoroit # Use this to expose this container to another reverse proxy, which runs in a different container network. matrix_bot_honoroit_container_additional_networks: [] +# enable basic auth for metrics +matrix_bot_honoroit_basicauth_enabled: false +# temporary file name on the host that runs ansible +matrix_bot_honoroit_basicauth_file: "/tmp/matrix_bot_honoroit_htpasswd" +# username +matrix_bot_honoroit_basicauth_user: '' +# password +matrix_bot_honoroit_basicauth_password: '' + # matrix_bot_honoroit_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. # See `../templates/labels.j2` for details. # 
@@ -44,6 +57,8 @@ matrix_bot_honoroit_container_labels_traefik_hostname: "{{ matrix_bot_honoroit_h # The path prefix must either be `/` or not end with a slash (e.g. `/honoroit`). matrix_bot_honoroit_container_labels_traefik_path_prefix: "{{ matrix_bot_honoroit_path_prefix }}" matrix_bot_honoroit_container_labels_traefik_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`){% if matrix_bot_honoroit_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_bot_honoroit_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_bot_honoroit_container_labels_traefik_metrics_path: "{{ matrix_bot_honoroit_metrics_path }}" +matrix_bot_honoroit_container_labels_traefik_metrics_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`) && Path(`{{ matrix_bot_honoroit_container_labels_traefik_metrics_path }}`)" matrix_bot_honoroit_container_labels_traefik_priority: 0 matrix_bot_honoroit_container_labels_traefik_entrypoints: web-secure matrix_bot_honoroit_container_labels_traefik_tls: "{{ matrix_bot_honoroit_container_labels_traefik_entrypoints != 'web' }}" diff --git a/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml b/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml index 14b5a0e47..dc490e4c1 100644 --- a/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml 
@@ -40,6 +40,20 @@ - {path: "{{ matrix_bot_honoroit_docker_src_files_path }}", when: true} when: "item.when | bool" +- name: Determine basicauth filename + set_fact: + matrix_bot_honoroit_basicauth_file_tmp: "{{ matrix_bot_honoroit_basicauth_file }}_{{ inventory_hostname }}" + when: matrix_bot_honoroit_basicauth_enabled | bool + +- name: Generate basic auth file + community.general.htpasswd: + path: "{{ matrix_bot_honoroit_basicauth_file }}" + name: "{{ matrix_bot_honoroit_basicauth_user }}" + password: "{{ matrix_bot_honoroit_basicauth_password }}" + become: false + delegate_to: 127.0.0.1 + when: matrix_bot_honoroit_basicauth_enabled | bool + - name: Ensure honoroit support files installed ansible.builtin.template: src: "{{ role_path }}/templates/{{ item }}.j2" @@ -51,6 +65,14 @@ - env - labels +- name: Ensure temporary basic auth file is removed + ansible.builtin.file: + path: "{{ matrix_bot_honoroit_basicauth_file }}" + state: absent + become: false + delegate_to: 127.0.0.1 + when: matrix_bot_honoroit_basicauth_enabled | bool + - name: Ensure honoroit image is pulled community.docker.docker_image: name: "{{ matrix_bot_honoroit_docker_image }}" diff --git a/roles/custom/matrix-bot-honoroit/templates/labels.j2 b/roles/custom/matrix-bot-honoroit/templates/labels.j2 index f03af34a2..7943e00f1 100644 --- a/roles/custom/matrix-bot-honoroit/templates/labels.j2 +++ b/roles/custom/matrix-bot-honoroit/templates/labels.j2 @@ -6,6 +6,7 @@ traefik.docker.network={{ matrix_bot_honoroit_container_labels_traefik_docker_ne {% endif %} {% set middlewares = [] %} +{% set middlewares_metrics = [] %} {% if matrix_bot_honoroit_container_labels_traefik_path_prefix != '/' %} traefik.http.middlewares.matrix-bot-honoroit-slashless-redirect.redirectregex.regex=({{ matrix_bot_honoroit_container_labels_traefik_path_prefix | quote }})$ 
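Review bot: `community.general.htpasswd` is called without `crypt_scheme`, and unless the collection version in use has changed its default it hashes with apr_md5_crypt; Traefik's basicauth middleware also accepts bcrypt, so `crypt_scheme: bcrypt` is the stronger choice for a hash that ends up in a container label (readable via `docker inspect`). The same unused-variable problem as in the buscarron role is present here: `matrix_bot_honoroit_basicauth_file_tmp` is set from `inventory_hostname` but the `htpasswd`, cleanup and `lookup` calls all use the shared `matrix_bot_honoroit_basicauth_file`, so hosts deployed in one play overwrite and delete each other's controller-side file.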
@@ -25,6 +26,11 @@ traefik.http.middlewares.matrix-bot-honoroit-add-headers.headers.customresponseh {% set middlewares = middlewares + ['matrix-bot-honoroit-add-headers'] %} {% endif %} +{% if matrix_bot_honoroit_basicauth_enabled %} +traefik.http.middlewares.matrix-bot-honoroit-auth.basicauth.users={{ lookup('ansible.builtin.file', matrix_bot_honoroit_basicauth_file) }} +{% set middlewares_metrics = middlewares + ['matrix-bot-honoroit-auth'] %} +{% endif %} + traefik.http.routers.matrix-bot-honoroit.rule={{ matrix_bot_honoroit_container_labels_traefik_rule }} {% if matrix_bot_honoroit_container_labels_traefik_priority | int > 0 %} traefik.http.routers.matrix-bot-honoroit.priority={{ matrix_bot_honoroit_container_labels_traefik_priority }} 
@@ -38,8 +44,23 @@ traefik.http.routers.matrix-bot-honoroit.tls={{ matrix_bot_honoroit_container_la {% if matrix_bot_honoroit_container_labels_traefik_tls %} traefik.http.routers.matrix-bot-honoroit.tls.certResolver={{ matrix_bot_honoroit_container_labels_traefik_tls_certResolver }} {% endif %} - traefik.http.services.matrix-bot-honoroit.loadbalancer.server.port=8080 + +{% if middlewares_metrics | length > 0 %} +traefik.http.routers.matrix-bot-honoroit-metrics.rule={{ matrix_bot_honoroit_container_labels_traefik_metrics_rule }} +{% if matrix_bot_honoroit_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-bot-honoroit-metrics.priority={{ matrix_bot_honoroit_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-bot-honoroit-metrics.service=matrix-bot-honoroit +traefik.http.routers.matrix-bot-honoroit-metrics.middlewares={{ middlewares_metrics | join(',') }} +traefik.http.routers.matrix-bot-honoroit-metrics.entrypoints={{ matrix_bot_honoroit_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-bot-honoroit-metrics.tls={{ matrix_bot_honoroit_container_labels_traefik_tls | to_json }} +{% if matrix_bot_honoroit_container_labels_traefik_tls %} +traefik.http.routers.matrix-bot-honoroit-metrics.tls.certResolver={{ matrix_bot_honoroit_container_labels_traefik_tls_certResolver }} +{% endif %} +traefik.http.services.matrix-bot-honoroit-metrics.loadbalancer.server.port=8080 +{% endif %} + {% endif %} {{ matrix_bot_honoroit_container_labels_additional_labels }} From f0be907971aeafd07b072e566628229e7bacf0e8 Mon Sep 17 00:00:00 2001 From: Aine Date: Fri, 21 Apr 2023 12:48:50 +0300 Subject: [PATCH 709/915] create honoroit docker network --- roles/custom/matrix-bot-honoroit/tasks/setup_install.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml b/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml index dc490e4c1..5336e85dc 100644 
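Review bot: When `matrix_bot_honoroit_container_labels_traefik_priority` is set above 0, the main router and the new `matrix-bot-honoroit-metrics` router receive the same explicit priority, which discards the default rule-length ordering that otherwise makes the more specific `Host(...) && Path(...)` rule win; how Traefik breaks an exact priority tie is not something to rely on, so give the metrics router `priority={{ matrix_bot_honoroit_container_labels_traefik_priority | int + 1 }}`. Also, `traefik.http.services.matrix-bot-honoroit-metrics.loadbalancer.server.port=8080` is never referenced — the router targets `service=matrix-bot-honoroit` — and can go.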
--- a/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml @@ -108,6 +108,11 @@ pull: true when: "matrix_bot_honoroit_container_image_self_build | bool" +- name: Ensure honoroit container network is created + community.general.docker_network: + name: "{{ matrix_bot_honoroit_container_network }}" + driver: bridge + - name: Ensure matrix-bot-honoroit.service installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-bot-honoroit.service.j2" From 15884b64c8ed1f0bbcc6c48109ba9b46d8f2341a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 21 Apr 2023 15:22:03 +0300 Subject: [PATCH 710/915] Fix ansible-lint-reported errors Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2654 --- roles/custom/matrix-bot-buscarron/tasks/setup_install.yml | 3 ++- roles/custom/matrix-bot-honoroit/tasks/setup_install.yml | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml b/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml index 2c478e459..0559efec1 100644 --- a/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml @@ -41,7 +41,7 @@ when: "item.when | bool" - name: Determine basicauth filename - set_fact: + ansible.builtin.set_fact: matrix_bot_buscarron_basicauth_file_tmp: "{{ matrix_bot_buscarron_basicauth_file }}_{{ inventory_hostname }}" when: matrix_bot_buscarron_basicauth_enabled | bool @@ -50,6 +50,7 @@ path: "{{ matrix_bot_buscarron_basicauth_file }}" name: "{{ matrix_bot_buscarron_basicauth_user }}" password: "{{ matrix_bot_buscarron_basicauth_password }}" + mode: 0640 become: false delegate_to: 127.0.0.1 when: matrix_bot_buscarron_basicauth_enabled | bool 
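Review bot: The new task uses `community.general.docker_network` while the rest of this file uses the `community.docker` collection (`community.docker.docker_image` a few lines above); the Docker modules were moved to `community.docker` and the `community.general` names are deprecated redirects, so this should be `community.docker.docker_network` — confirm against the collection versions the playbook pins. Note also that the earlier commit in this series upgrading `systemd_docker_base` introduces `devture_systemd_docker_base_container_network_creation_method` precisely so roles can avoid the Ansible Docker modules on hosts without the Docker SDK for Python; an unconditional module call here ignores that switch, so consider following whatever pattern the other roles use for network creation.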
diff --git a/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml b/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml index 5336e85dc..12d3ff1fd 100644 --- a/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml @@ -41,7 +41,7 @@ when: "item.when | bool" - name: Determine basicauth filename - set_fact: + ansible.builtin.set_fact: matrix_bot_honoroit_basicauth_file_tmp: "{{ matrix_bot_honoroit_basicauth_file }}_{{ inventory_hostname }}" when: matrix_bot_honoroit_basicauth_enabled | bool @@ -50,6 +50,7 @@ path: "{{ matrix_bot_honoroit_basicauth_file }}" name: "{{ matrix_bot_honoroit_basicauth_user }}" password: "{{ matrix_bot_honoroit_basicauth_password }}" + mode: 0640 become: false delegate_to: 127.0.0.1 when: matrix_bot_honoroit_basicauth_enabled | bool From 4abd46de42b702bed1f2fcab2f42f3eda86de79a Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 25 Apr 2023 12:03:29 +0000 Subject: [PATCH 711/915] Update element v1.11.29 -> v1.11.30 --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index e99ea55b0..3d57b235b 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml 
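Review bot: `mode: 0640` leaves the temporary htpasswd file on the Ansible controller readable by the controller user's group, and nothing but the Ansible process (the later `lookup('ansible.builtin.file', …)`) needs to read it, so `mode: "0600"` is the tighter choice; quoting it also avoids the YAML octal ambiguity that ansible-lint's `risky-octal` rule flags. The buscarron counterpart earlier in this commit should get the same value.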
@@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.11.29 +matrix_client_element_version: v1.11.30 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 1762fc18f3eb703eb3ea78089df320725c8879bc Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 25 Apr 2023 12:04:23 +0000 Subject: [PATCH 712/915] Update synapse 1.81.0 -> 1.82.0 --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index ad2fa74dc..b7858fde5 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -4,7 +4,7 @@ matrix_synapse_enabled: true -matrix_synapse_version: v1.81.0 +matrix_synapse_version: v1.82.0 matrix_synapse_username: '' matrix_synapse_uid: '' From 905f0214cde429d2f0f008012a8454c3bb4f2998 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 25 Apr 2023 15:15:13 +0300 Subject: [PATCH 713/915] Load `/directory/room/{roomAlias}` endpoint on workers Related to: - https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2656 - https://github.com/matrix-org/synapse/commit/4af0aec54dad261bcad240d8a878a1c16934e77c --- roles/custom/matrix-synapse/vars/main.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/roles/custom/matrix-synapse/vars/main.yml b/roles/custom/matrix-synapse/vars/main.yml index 406b8314a..b7b829cda 100644 --- a/roles/custom/matrix-synapse/vars/main.yml +++ b/roles/custom/matrix-synapse/vars/main.yml @@ -166,6 +166,7 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/client/(api/v1|r0|v3|unstable/.*)/rooms/.*/aliases - ^/_matrix/client/(api/v1|r0|v3|unstable)/search$ - ^/_matrix/client/(r0|v3|unstable)/user/.*/filter(/|$) + - ^/_matrix/client/(api/v1|r0|v3|unstable)/directory/room/.*$ # Encryption requests # Note that ^/_matrix/client/(r0|v3|unstable)/keys/upload/ requires `worker_main_http_uri` From c8215c98e70cbdb8b78cb39cd53ac6e78a97158a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 25 Apr 2023 15:16:03 +0300 Subject: [PATCH 714/915] Load `/capabilities` endpoint on workers Related to: - https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2656 - https://github.com/matrix-org/synapse/commit/e4a25d022c1e4b71e043b07324d95362f7fb4067 --- roles/custom/matrix-synapse/vars/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/custom/matrix-synapse/vars/main.yml b/roles/custom/matrix-synapse/vars/main.yml index b7b829cda..0c6d6296c 100644 --- a/roles/custom/matrix-synapse/vars/main.yml +++ b/roles/custom/matrix-synapse/vars/main.yml @@ -167,6 +167,7 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/client/(api/v1|r0|v3|unstable)/search$ - ^/_matrix/client/(r0|v3|unstable)/user/.*/filter(/|$) - ^/_matrix/client/(api/v1|r0|v3|unstable)/directory/room/.*$ + - ^/_matrix/client/(r0|v3|unstable)/capabilities$ # Encryption requests # Note that ^/_matrix/client/(r0|v3|unstable)/keys/upload/ requires `worker_main_http_uri` From 2d051679c0b3009ad5d7df8eab801e51ba9acf7f Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Tue, 25 Apr 2023 15:26:30 +0300 Subject: [PATCH 715/915] Ensure instance_map.port is numeric Fixup related to https://github.com/matrix-org/synapse/pull/15431 --- .../matrix-synapse/tasks/synapse/workers/util/inject_worker.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/tasks/synapse/workers/util/inject_worker.yml b/roles/custom/matrix-synapse/tasks/synapse/workers/util/inject_worker.yml index 9765be6fc..c52777ebd 100644 --- a/roles/custom/matrix-synapse/tasks/synapse/workers/util/inject_worker.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/workers/util/inject_worker.yml @@ -61,7 +61,7 @@ # Inject stream writers into the instance map. - ansible.builtin.set_fact: - matrix_synapse_instance_map: "{{ matrix_synapse_instance_map | combine({matrix_synapse_worker_details.name: {'host': matrix_synapse_worker_details.name, 'port': matrix_synapse_worker_details.replication_port}}) }}" + matrix_synapse_instance_map: "{{ matrix_synapse_instance_map | combine({matrix_synapse_worker_details.name: {'host': matrix_synapse_worker_details.name, 'port': matrix_synapse_worker_details.replication_port | int}}) }}" when: matrix_synapse_worker_details.type in matrix_synapse_known_instance_map_eligible_worker_types # Inject pusher instances. From b74ddf1c6bc5de8b4756703235a7e1ee81bb50aa Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 26 Apr 2023 21:35:04 +0000 Subject: [PATCH 716/915] update grafana (2.4.7 -> 2.5.1); update ntfy (2.3.1 -> 2.4.0) --- requirements.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements.yml b/requirements.yml index 559ff4649..e0b2613f2 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -35,12 +35,12 @@ version: 6.1.0 name: geerlingguy.docker - src: git+https://gitlab.com/etke.cc/roles/grafana.git - version: v9.4.7-1 + version: v9.5.1-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git version: v8319-6 name: jitsi - src: git+https://gitlab.com/etke.cc/roles/ntfy.git - version: v2.3.1-0 + version: v2.4.0-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git version: v2.43.0-0 name: prometheus From d2dbd88a38841c60f1b27451f97083436c94e7c5 Mon Sep 17 00:00:00 2001 From: Simon Biggs Date: Thu, 27 Apr 2023 15:02:45 +1000 Subject: [PATCH 717/915] Update configuring-playbook.md --- docs/configuring-playbook.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index a65858f00..2f210f273 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -12,7 +12,7 @@ You can then follow these steps inside the playbook directory: 1. copy the sample configuration file (`cp examples/vars.yml inventory/host_vars/matrix./vars.yml`) -1. edit the configuration file (`inventory/host_vars/matrix./vars.yml`) to your liking. You may also take a look at the various `roles/ROLE_NAME_HERE/defaults/main.yml` files and see if there's something you'd like to copy over and override in your `vars.yml` configuration file. +1. edit the configuration file (`inventory/host_vars/matrix./vars.yml`) to your liking. You may also take a look at the various `roles/custom/ROLE_NAME_HERE/defaults/main.yml` files and see if there's something you'd like to copy over and override in your `vars.yml` configuration file. 1. copy the sample inventory hosts file (`cp examples/hosts inventory/hosts`) From 67cffdfce6d6e70ad08a159630dcf8eeb7b8e6b4 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Thu, 27 Apr 2023 08:12:09 +0300 Subject: [PATCH 718/915] Update configuring-playbook.md --- docs/configuring-playbook.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 2f210f273..31eea8953 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -12,7 +12,7 @@ You can then follow these steps inside the playbook directory: 1. copy the sample configuration file (`cp examples/vars.yml inventory/host_vars/matrix./vars.yml`) -1. edit the configuration file (`inventory/host_vars/matrix./vars.yml`) to your liking. You may also take a look at the various `roles/custom/ROLE_NAME_HERE/defaults/main.yml` files and see if there's something you'd like to copy over and override in your `vars.yml` configuration file. +1. edit the configuration file (`inventory/host_vars/matrix./vars.yml`) to your liking. You may also take a look at the various `roles/*/ROLE_NAME_HERE/defaults/main.yml` files and see if there's something you'd like to copy over and override in your `vars.yml` configuration file. 1. copy the sample inventory hosts file (`cp examples/hosts inventory/hosts`) From 34ffeb5f2f53f66df932e7fc6902f2e5b7b8bb4c Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Thu, 27 Apr 2023 14:11:31 +0000 Subject: [PATCH 719/915] Update hookshot 3.2.0 -> 4.0.0 --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index ff53310cb..18fc01525 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml 
@@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git" matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}" -matrix_hookshot_version: 3.2.0 +matrix_hookshot_version: 4.0.0 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}" matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}" From f0e5a008025ecc6a315615ed0ab472fe94054314 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 27 Apr 2023 17:55:39 +0300 Subject: [PATCH 720/915] Upgrade backup-borg (v1.2.4-1.7.12-0 -> v1.2.4-1.7.12-1) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index e0b2613f2..0de34a15e 100644 --- a/requirements.yml +++ b/requirements.yml @@ -4,7 +4,7 @@ version: v1.0.0-0 name: aux - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git - version: v1.2.4-1.7.12-0 + version: v1.2.4-1.7.12-1 - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git version: v0.1.1-2 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git From a4e6f91ebb6bed767cf49e565efe911c10bc516d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 27 Apr 2023 17:55:51 +0300 Subject: [PATCH 721/915] Upgrade com.devture.ansible.role.systemd_service_manager (v1.0.0-0 -> v1.0.0-1) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 0de34a15e..3c7502662 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -22,7 +22,7 @@ - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git version: v1.0.0-0 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git - version: v1.0.0-0 + version: v1.0.0-1 - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git version: 3d5bb2976815958cdce3f368fa34fb51554f899b - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git From d4676f2c7cf64b5e3d98b62a79cec392701c102e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 29 Apr 2023 08:21:02 +0300 Subject: [PATCH 722/915] Upgrade com.devture.ansible.role.timesync to pinned tag (v1.0.0-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 3c7502662..d93b97fed 100644 --- a/requirements.yml +++ b/requirements.yml @@ -24,7 +24,7 @@ - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git version: v1.0.0-1 - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git - version: 3d5bb2976815958cdce3f368fa34fb51554f899b + version: v1.0.0-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git version: v2.9.10-2 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git From 4dae3f0fab47f6d012272f36005c994e60d7a3d4 Mon Sep 17 00:00:00 2001 From: Thom Wiggers Date: Mon, 1 May 2023 14:30:27 +0200 Subject: [PATCH 723/915] Update IRC appservice to 0.38.0 https://github.com/matrix-org/matrix-appservice-irc/releases/tag/0.38.0 --- roles/custom/matrix-bridge-appservice-irc/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml index 0a659555f..b6e6f1195 100644 --- a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml 
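Review bot: Replacing the commit SHA `3d5bb2976815958cdce3f368fa34fb51554f899b` with the tag `v1.0.0-0` for the timesync role weakens the pin rather than strengthening it: a git tag is mutable, so `ansible-galaxy` will fetch whatever the tag points to at install time, whereas the SHA was immutable. Since this file pulls executable roles from several third-party repositories, consider recording the SHA next to the tag (`version: v1.0.0-0  # == 3d5bb2976815958cdce3f368fa34fb51554f899b`) or verifying that the tag resolves to that commit before upgrading. The other entries already use tags, so this is a consistency trade-off, but it is worth stating in the commit message that the change trades an exact pin for a readable one.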
+++ b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml @@ -11,7 +11,7 @@ matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appser # matrix_appservice_irc_version used to contain the full Docker image tag (e.g. `release-X.X.X`). # It's a bare version number now. We try to somewhat retain compatibility below. -matrix_appservice_irc_version: 0.37.1 +matrix_appservice_irc_version: 0.38.0 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_docker_image_tag }}" matrix_appservice_irc_docker_image_tag: "{{ 'latest' if matrix_appservice_irc_version == 'latest' else ('release-' + matrix_appservice_irc_version) }}" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" From 39ae66602c331e3975ef1032e8722453959dde54 Mon Sep 17 00:00:00 2001 From: Yousef Amar Date: Mon, 1 May 2023 14:25:17 +0100 Subject: [PATCH 724/915] Update signald version 0.23.1 no longer syncs groups properly, the solution is to use 0.23.2, which works as expected --- roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml index 326e7ee53..f2b1048d0 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml 
@@ -10,7 +10,7 @@ matrix_mautrix_signal_docker_repo_version: "{{ 'master' if matrix_mautrix_signal matrix_mautrix_signal_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signal/docker-src" matrix_mautrix_signal_version: v0.4.2 -matrix_mautrix_signal_daemon_version: 0.23.1 +matrix_mautrix_signal_daemon_version: 0.23.2 # See: https://mau.dev/mautrix/signal/container_registry matrix_mautrix_signal_docker_image: "{{ matrix_mautrix_signal_docker_image_name_prefix }}mautrix/signal:{{ matrix_mautrix_signal_version }}" matrix_mautrix_signal_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_signal_container_image_self_build else 'dock.mau.dev/' }}" From 1e1ab70965f80200e2e9bc7ec3658b4906d655a2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 2 May 2023 13:22:31 +0300 Subject: [PATCH 725/915] Make use of matrix_synapse_container_network in the matrix-synapse role It's the same as `matrix_docker_network` for now, so this practically doesn't change anything. --- .../tasks/rust-synapse-compress-state/compress_room.yml | 2 +- .../templates/synapse/ext/s3-storage-provider/bin/migrate.j2 | 2 +- .../templates/synapse/ext/s3-storage-provider/bin/shell.j2 | 2 +- .../templates/synapse/systemd/matrix-synapse-worker.service.j2 | 2 +- .../templates/synapse/systemd/matrix-synapse.service.j2 | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml b/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml index 1d71fea64..7f5e05666 100644 --- a/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml +++ b/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml 
@@ -9,7 +9,7 @@ {{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-rust-synapse-compress-state-compress-room --user={{ matrix_synapse_uid }}:{{ matrix_synapse_gid }} --cap-drop=ALL - --network={{ matrix_docker_network }} + --network={{ matrix_synapse_container_network }} --mount type=bind,src={{ matrix_synapse_rust_synapse_compress_state_base_path }},dst=/work {{ matrix_synapse_rust_synapse_compress_state_docker_image }} {{ matrix_synapse_rust_synapse_compress_state_synapse_compress_state_in_container_path }} -t -o /work/state-compressor.sql diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/migrate.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/migrate.j2 index 0f47b6155..5c3a534b5 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/migrate.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/migrate.j2 @@ -7,7 +7,7 @@ --mount type=bind,src={{ matrix_synapse_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \ --mount type=bind,src={{ matrix_synapse_ext_s3_storage_provider_data_path }},dst=/data \ --workdir=/data \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_synapse_container_network }} \ --entrypoint=/bin/bash \ {{ matrix_synapse_docker_image_final }} \ -c 's3_media_upload update-db $UPDATE_DB_DURATION && s3_media_upload --no-progress check-deleted $MEDIA_PATH && s3_media_upload --no-progress upload $MEDIA_PATH $BUCKET --delete --storage-class $STORAGE_CLASS --endpoint-url $ENDPOINT {% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %}--sse-customer-algo $SSE_CUSTOMER_ALGO --sse-customer-key $SSE_CUSTOMER_KEY{% endif %}' diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/shell.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/shell.j2 index a54948826..6f3804cc4 100644 
--- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/shell.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/shell.j2 @@ -8,6 +8,6 @@ --mount type=bind,src={{ matrix_synapse_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \ --mount type=bind,src={{ matrix_synapse_ext_s3_storage_provider_data_path }},dst=/data \ --workdir=/data \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_synapse_container_network }} \ --entrypoint=/bin/bash \ {{ matrix_synapse_docker_image_final }} diff --git a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 index de475bb44..578d91078 100644 --- a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 @@ -22,7 +22,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --cap-drop=ALL \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_synapse_container_network }} \ {% if matrix_synapse_worker_details.port != 0 %} --health-cmd 'curl -fSs http://localhost:{{ matrix_synapse_worker_details.port }}/health || exit 1' \ {% else %} diff --git a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index a287f5536..bd72f20a9 100644 --- a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 
@@ -38,7 +38,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --cap-drop=ALL \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_synapse_container_network }} \ {% if matrix_synapse_container_client_api_host_bind_port %} -p {{ matrix_synapse_container_client_api_host_bind_port }}:{{ matrix_synapse_container_client_api_port }} \ {% endif %} From 8ef23a655d414df57a15ecff417ac0e60a200c7f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 2 May 2023 13:32:35 +0300 Subject: [PATCH 726/915] Restore --tags=import-synapse-sqlite-db support Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2669 Removed in 04b9483f0d9e562398e (2022-11-28) when switching from matrix-postgres to the devture-postgres external Ansible role. More details: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#matrix-postgres-has-been-replaced-by-the-comdevtureansiblerolepostgres-external-role The `import_synapse_sqlite_db.yml` file and documentation has been adapted somewhat compared to before, so that: - it doesn't try to start Postgres automatically. You need to handle this part manually - it doesn't rely on the integrated Postgres and may potentially work with external Postgres instances just the same - it doesn't wipe out the whole database anymore. By default, we assume it's empty anyway and there's no need for such things. If it's not, then it's also probably dangerous to be so destructive. This is all completely untested, but will hopefully work. --- docs/importing-synapse-sqlite.md | 16 +++++--- .../tasks/import_synapse_sqlite_db.yml | 40 +++++++++++++++++++ roles/custom/matrix-synapse/tasks/main.yml | 6 +++ 3 files changed, 56 insertions(+), 6 deletions(-) create mode 100644 roles/custom/matrix-synapse/tasks/import_synapse_sqlite_db.yml 
diff --git a/docs/importing-synapse-sqlite.md b/docs/importing-synapse-sqlite.md index aade22261..b5aa9f218 100644 --- a/docs/importing-synapse-sqlite.md +++ b/docs/importing-synapse-sqlite.md 
@@ -3,24 +3,28 @@ Run this if you'd like to import your database from a previous default installation of Synapse. (don't forget to import your `media_store` files as well - see [the importing-synapse-media-store guide](importing-synapse-media-store.md)). -While this playbook always sets up PostgreSQL, by default a Synapse installation would run -using an SQLite database. +While this playbook only supports running Synapse in combination with PostgreSQL, a Synapse instance installed manually usually defaults to using an SQLite database. -If you have such a Synapse setup and wish to migrate it here (and over to PostgreSQL), this command is for you. +If you have such a Synapse setup and wish to migrate it to one managed by the playbook (and over to PostgreSQL), this documentation page is for you. ## Prerequisites -Before doing the actual import, **you need to upload your SQLite database file to the server** (any path is okay). +Before doing the actual import: +- **ensure you have NOT started Synapse yet**. That is, make sure you have followed the [Installing step](installing.md), but haven't run the playbook's `start` tag yet. If you had started your new Synapse instance, it may have already initialized your Postgres database and importing onto it may not work. In such cases, you may need to clean up the `synapse` database first. 
+- **ensure you have uploaded your SQLite database file to the server** (any path is okay) +- if you're using the integrated Postgres server (**by default, you are** using it, unless you've explicitly switched to [Using an external PostgreSQL server](configuring-playbook-external-postgres.md)), **make sure Postgres is started** by running `just start-group postgres` ## Importing Run this command (make sure to replace `` with a file path on your server): - ansible-playbook -i inventory/hosts setup.yml --extra-vars='server_path_homeserver_db=' --tags=import-synapse-sqlite-db +```sh +just run-tags import-synapse-sqlite-db --extra-vars=server_path_homeserver_db= +``` **Notes**: -- `` must be a file path to a `homeserver.db` **file on the server** (not on your local machine!). +- `` must be replaced with a file path to a `homeserver.db` **file on the server** (not on your local machine!). - if the SQLite database is from an older version of Synapse, the **importing procedure may run migrations on it to bring it up to date**. That is, your SQLite database file may get modified and become unusable with your older Synapse version. Keeping a copy of the original is probably wise. diff --git a/roles/custom/matrix-synapse/tasks/import_synapse_sqlite_db.yml b/roles/custom/matrix-synapse/tasks/import_synapse_sqlite_db.yml new file mode 100644 index 000000000..92bd36b42 --- /dev/null +++ b/roles/custom/matrix-synapse/tasks/import_synapse_sqlite_db.yml 
@@ -0,0 +1,40 @@ +--- + +- name: Fail if playbook called incorrectly + ansible.builtin.fail: + msg: "The `server_path_homeserver_db` variable needs to be provided to this playbook, via --extra-vars" + when: "server_path_homeserver_db is not defined or server_path_homeserver_db.startswith('<')" + +- name: Check if the provided SQLite homeserver.db file exists + ansible.builtin.stat: + path: "{{ server_path_homeserver_db }}" + register: result_server_path_homeserver_db_stat + +- name: Fail if provided SQLite homeserver.db file doesn't exist + ansible.builtin.fail: + msg: "File cannot be found on the server at {{ server_path_homeserver_db }}" + when: "not result_server_path_homeserver_db_stat.stat.exists" + +# We don't use the `docker_container` module, because using it with `cap_drop` requires +# a very recent version, which is not available for a lot of people yet. +# +# Also, some old `docker_container` versions were buggy and would leave containers behind +# on failure, which we had to work around to allow retries (by re-running the playbook). +- name: Import SQLite database into Postgres + ansible.builtin.command: + cmd: | + docker run + --rm + --name=matrix-synapse-migrate + --log-driver=none + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + --network={{ matrix_synapse_container_network }} + --entrypoint=python + --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data + --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/matrix-media-store-parent/media-store + --mount type=bind,src={{ server_path_homeserver_db }},dst=/{{ server_path_homeserver_db | basename }} + {{ matrix_synapse_docker_image_final }} + /usr/local/bin/synapse_port_db --sqlite-database /{{ server_path_homeserver_db | basename }} --postgres-config /data/homeserver.yaml + register: matrix_postgres_import_synapse_sqlite_db_result + changed_when: matrix_postgres_import_synapse_sqlite_db_result.rc == 0 
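Review bot: The new `Import SQLite database into Postgres` task hard-codes `docker run` where sibling tasks in this role (the compress-state task and the s3 migrate script in this same series) invoke `{{ devture_systemd_docker_base_host_command_docker }}`, and it runs the container as `{{ matrix_user_uid }}:{{ matrix_user_gid }}` while the Synapse containers use `matrix_synapse_uid`/`matrix_synapse_gid`; the uid decides whether the bind-mounted `homeserver.db` and `/data` are readable, so align it with `--user={{ matrix_synapse_uid }}:{{ matrix_synapse_gid }}` and `{{ devture_systemd_docker_base_host_command_docker }} run`. The second bind mount maps `matrix_synapse_config_dir_path` onto `/matrix-media-store-parent/media-store`, which looks like a stand-in so that the `media_store_path` referenced by `homeserver.yaml` exists inside the container; if so, say that in a comment or mount an empty directory, because as written the configuration directory (signing keys included) is presented as the media store. `server_path_homeserver_db` is spliced unquoted into the `--mount type=bind,src=…` spec, so a path containing a comma or whitespace breaks the mount rather than being caught by the `fail` guard above; extending that guard, or quoting the value, would make the failure mode explicit.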
diff --git a/roles/custom/matrix-synapse/tasks/main.yml b/roles/custom/matrix-synapse/tasks/main.yml index 88a54afc5..743dab5fe 100644 --- a/roles/custom/matrix-synapse/tasks/main.yml +++ b/roles/custom/matrix-synapse/tasks/main.yml @@ -45,6 +45,12 @@ - when: matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/import_media_store.yml" +- tags: + - import-synapse-sqlite-db + block: + - when: matrix_synapse_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/import_synapse_sqlite_db.yml" + - tags: - register-user block: From 76d50a85fb21d30fd49d34d4b4f276956af51101 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 2 May 2023 11:02:52 +0000 Subject: [PATCH 727/915] Update jitsi stable-8319 -> stable-8615 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index d93b97fed..fc06393f7 100644 --- a/requirements.yml +++ b/requirements.yml @@ -37,7 +37,7 @@ - src: git+https://gitlab.com/etke.cc/roles/grafana.git version: v9.5.1-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git - version: v8319-6 + version: v8615-0 name: jitsi - src: git+https://gitlab.com/etke.cc/roles/ntfy.git version: v2.4.0-0 From ed5cf043063ccdc1bb993daabf792b2920b054d1 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 3 May 2023 19:27:57 +0000 Subject: [PATCH 728/915] nginx: fix base domain configuration to allow serving custom content --- .../templates/nginx/conf.d/matrix-base-domain.conf.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 index 44978dc40..07350b1a0 100644 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 
+++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 @@ -1,7 +1,10 @@ #jinja2: lstrip_blocks: "True" {% macro render_vhost_directives() %} + absolute_redirect off; root {{ matrix_nginx_proxy_data_path_in_container if matrix_nginx_proxy_enabled else matrix_nginx_proxy_data_path }}{{ matrix_nginx_proxy_data_path_extension }}; + index index.html index.htm; + try_files $uri $uri/ =404; gzip on; gzip_types text/plain application/json; From 2bd94a52bb657c738aeddb4a53e585e9266f7254 Mon Sep 17 00:00:00 2001 From: Isaiah Becker-Mayer Date: Sun, 7 May 2023 17:07:37 -0700 Subject: [PATCH 729/915] Adds self build option for dendrite --- .../custom/matrix-dendrite/defaults/main.yml | 16 ++++++--- .../matrix-dendrite/tasks/setup_install.yml | 33 +++++++++++++++---- 2 files changed, 38 insertions(+), 11 deletions(-) diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml index 41cd35ed0..3c083b99d 100644 --- a/roles/custom/matrix-dendrite/defaults/main.yml +++ b/roles/custom/matrix-dendrite/defaults/main.yml 
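Review bot: Adding `try_files $uri $uri/ =404;` at the server level of the base-domain vhost means every file under `root` is now served, including dotfiles and any backup or editor artifacts dropped into the data path; if custom content is going to live there, a `location ~ /\. { deny all; }` (or an explicit allow-list of paths) keeps hidden files from being served. `index index.html index.htm;` together with `absolute_redirect off;` is reasonable behind the proxy, since the directory redirect stays relative to the external host. The `.well-known` locations this template presumably also defines are not visible in the hunk; confirm they still match ahead of the new server-level `try_files`.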
@@ -4,8 +4,12 @@ matrix_dendrite_enabled: true -matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}" -matrix_dendrite_docker_image_name_prefix: "docker.io/" +matrix_dendrite_container_image_self_build: false +matrix_dendrite_container_image_self_build_repo: "https://github.com/matrix-org/dendrite.git" + +matrix_dendrite_docker_image_path: "matrixdotorg/dendrite-monolith" +matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}{{ matrix_dendrite_docker_image_path }}:{{ matrix_dendrite_docker_image_tag }}" +matrix_dendrite_docker_image_name_prefix: "{{ 'localhost/' if matrix_dendrite_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_dendrite_docker_image_tag: "v0.12.0" matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" @@ -17,6 +21,8 @@ matrix_dendrite_nats_storage_path: "{{ matrix_dendrite_base_path }}/nats" matrix_dendrite_bin_path: "{{ matrix_dendrite_base_path }}/bin" matrix_dendrite_ext_path: "{{ matrix_dendrite_base_path }}/ext" +matrix_dendrite_docker_src_files_path: "{{ matrix_dendrite_base_path }}/docker-src" + # By default, we make Dendrite only serve HTTP (not HTTPS). # HTTPS is usually served at the reverse-proxy side (usually via `matrix-nginx-proxy`). # 
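Review bot: `matrix_dendrite_docker_image_name_prefix` switches from the fixed `docker.io/` to `matrix_container_global_registry_prefix` for the non-self-build case, which is a behavior change for existing Dendrite users that the commit title ("Adds self build option") does not mention; if that global prefix defaults to `docker.io/` it is harmless, but it deserves a line in the commit message or a comment such as `# non-self-build images now honour the global registry prefix`. The self-build path will clone at `matrix_dendrite_docker_image_tag` (`v0.12.0`), a mutable git tag, so a comment noting that a tag pin is weaker than a commit pin sets expectations for people who self-build for supply-chain reasons.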
@@ -85,14 +91,14 @@ matrix_dendrite_systemd_wanted_services_list: [] # matrix_dendrite_template_dendrite_config: "{{ playbook_dir }}/inventory/host_vars//dendrite.yaml.j2" matrix_dendrite_template_dendrite_config: "{{ role_path }}/templates/dendrite/dendrite.yaml.j2" -matrix_dendrite_client_api_registration_shared_secret: '' +matrix_dendrite_client_api_registration_shared_secret: "" matrix_dendrite_allow_guest_access: false matrix_dendrite_max_file_size_bytes: 10485760 # Controls which HTTP header (e.g. 'X-Forwarded-For', 'X-Real-IP') to inspect to find the real remote IP address of the client. # This is likely required if Dendrite is running behind a reverse proxy server. -matrix_dendrite_sync_api_real_ip_header: 'X-Forwarded-For' +matrix_dendrite_sync_api_real_ip_header: "X-Forwarded-For" # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. matrix_dendrite_tmp_directory_size_mb: 500 @@ -147,7 +153,7 @@ matrix_dendrite_metrics_password: "metrics" # Postgres database information matrix_dendrite_database_str: "postgresql://{{ matrix_dendrite_database_user }}:{{ matrix_dendrite_database_password }}@{{ matrix_dendrite_database_hostname }}" -matrix_dendrite_database_hostname: '' +matrix_dendrite_database_hostname: "" matrix_dendrite_database_user: "dendrite" matrix_dendrite_database_password: "itsasecret" matrix_dendrite_federation_api_database: "dendrite_federationapi" diff --git a/roles/custom/matrix-dendrite/tasks/setup_install.yml b/roles/custom/matrix-dendrite/tasks/setup_install.yml index 283e8b019..d96ddaeb6 100644 --- a/roles/custom/matrix-dendrite/tasks/setup_install.yml +++ b/roles/custom/matrix-dendrite/tasks/setup_install.yml 
@@ -1,17 +1,21 @@ --- - - name: Ensure Dendrite paths exist ansible.builtin.file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" with_items: - - "{{ matrix_dendrite_config_dir_path }}" - - "{{ matrix_dendrite_bin_path }}" - - "{{ matrix_dendrite_ext_path }}" - - "{{ matrix_dendrite_nats_storage_path }}" + - { path: "{{ matrix_dendrite_config_dir_path }}", when: true } + - { path: "{{ matrix_dendrite_bin_path }}", when: true } + - { path: "{{ matrix_dendrite_ext_path }}", when: true } + - { path: "{{ matrix_dendrite_nats_storage_path }}", when: true } + - { + path: "{{ matrix_dendrite_docker_src_files_path }}", + when: "{{ matrix_dendrite_container_image_self_build }}", + } + when: "item.when | bool" # This will throw a Permission Denied error if already mounted using fuse - name: Check Dendrite media store path 
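Review bot: The per-item `when:` key added to the `with_items` entries is a plain data field, not the Ansible task keyword, which is easy to misread next to the real task-level `when: "item.when | bool"` on the last changed line of the hunk. A name such as `enabled` would make that distinction visible, e.g. `- { path: "{{ matrix_dendrite_docker_src_files_path }}", enabled: "{{ matrix_dendrite_container_image_self_build }}" }` together with `when: "item.enabled | bool"`. The templated value for the docker-src entry is, in default (non-native) Jinja mode, rendered as a string before the task runs, so the trailing `| bool` is what turns it back into a boolean and should stay whatever the key is called.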
@@ -37,11 +41,23 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_dendrite_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dendrite_docker_image_force_pull }}" + when: "not matrix_dendrite_container_image_self_build | bool" register: result retries: "{{ devture_playbook_help_container_retries_count }}" delay: "{{ devture_playbook_help_container_retries_delay }}" until: result is not failed +- name: Ensure Dendrite repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_dendrite_container_image_self_build_repo }}" + dest: "{{ matrix_dendrite_docker_src_files_path }}" + version: "{{ matrix_dendrite_docker_image.split(':')[1] }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_dendrite_git_pull_results + when: "matrix_dendrite_container_image_self_build | bool" + # We do this so that the signing key would get generated. # We don't use the `docker_container` module, because using it with `cap_drop` requires # a very recent version, which is not available for a lot of people yet. @@ -72,6 +88,11 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" +- name: Ensure Dendrite Docker image is built + ansible.builtin.command: + cmd: "{{ devture_systemd_docker_base_host_command_docker }} build -t {{ matrix_dendrite_docker_image }} {{ matrix_dendrite_docker_src_files_path }}" + when: "matrix_dendrite_container_image_self_build | bool" + - name: Ensure Dendrite container network is created community.general.docker_network: name: "{{ matrix_dendrite_container_network }}" From c1462c627728967a77ab1dc0ff03da22b3ca1654 Mon Sep 17 00:00:00 2001 
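Review bot: The self-build checkout derives its revision with `version: "{{ matrix_dendrite_docker_image.split(':')[1] }}"`, which takes the second colon-separated field of the full image reference; that equals the tag only while the registry prefix contains no colon, and a prefix carrying a host port (the prefix defaults to `matrix_container_global_registry_prefix`, whose value this hunk does not show) would make it return the port instead. The tag is already available on its own, so `version: "{{ matrix_dendrite_docker_image_tag }}"` is the safer form. A Git tag is also a mutable reference, so `force: "yes"` plus a tag pins what gets built only as far as the upstream repository keeps the tag fixed; a comment on the task stating that this is a tag checkout rather than a commit pin would help operators who expect reproducible builds. The same expression is repeated in the later hunk that moves this task into a `block:` (`@@ -88,10 +77,32 @@`).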
From: Slavi Pantaleev Date: Tue, 9 May 2023 20:59:24 +0300 Subject: [PATCH 730/915] Upgrade Synapse (v1.82.0 -> v1.83.0) --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index b7858fde5..a1719461d 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -4,7 +4,7 @@ matrix_synapse_enabled: true -matrix_synapse_version: v1.82.0 +matrix_synapse_version: v1.83.0 matrix_synapse_username: '' matrix_synapse_uid: '' From 8c0def5dfef589043e58d034cabd5d01c8a7a294 Mon Sep 17 00:00:00 2001 From: darsh12 Date: Tue, 9 May 2023 14:20:27 -0700 Subject: [PATCH 731/915] Update main.yml update matrix_bot_chatgpt_version to 3.1.0 --- roles/custom/matrix-bot-chatgpt/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-chatgpt/defaults/main.yml b/roles/custom/matrix-bot-chatgpt/defaults/main.yml index 16ad8588a..36cc60c0e 100644 --- a/roles/custom/matrix-bot-chatgpt/defaults/main.yml +++ b/roles/custom/matrix-bot-chatgpt/defaults/main.yml @@ -4,7 +4,7 @@ matrix_bot_chatgpt_enabled: true -matrix_bot_chatgpt_version: 3.0.0 +matrix_bot_chatgpt_version: 3.1.0 matrix_bot_chatgpt_container_image_self_build: false matrix_bot_chatgpt_container_image_self_build_repo: "https://github.com/matrixgpt/matrix-chatgpt-bot" From 20a04a026139e0c78ce6173ba49413130adb7896 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 10 May 2023 13:54:51 +0000 Subject: [PATCH 732/915] Update element v1.11.30 -> v1.11.31 --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 3d57b235b..109b42e87 100644 
--- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml @@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.11.30 +matrix_client_element_version: v1.11.31 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From d448cade3ae98c8c231d046b3d083d7b5af06183 Mon Sep 17 00:00:00 2001 From: Isaiah Becker-Mayer Date: Wed, 10 May 2023 09:36:11 -0700 Subject: [PATCH 733/915] Moves matrix_dendrite_container_image_self_build to a conditional block, similar to synapse. Also adds the DOCKER_BUILDKIT=1 explicitly to ensure buildkit is used. --- .../matrix-dendrite/tasks/setup_install.yml | 41 ++++++++++++------- 1 file changed, 26 insertions(+), 15 deletions(-) diff --git a/roles/custom/matrix-dendrite/tasks/setup_install.yml b/roles/custom/matrix-dendrite/tasks/setup_install.yml index d96ddaeb6..70ee45b90 100644 --- a/roles/custom/matrix-dendrite/tasks/setup_install.yml +++ b/roles/custom/matrix-dendrite/tasks/setup_install.yml 
@@ -47,17 +47,6 @@ delay: "{{ devture_playbook_help_container_retries_delay }}" until: result is not failed -- name: Ensure Dendrite repository is present on self-build - ansible.builtin.git: - repo: "{{ matrix_dendrite_container_image_self_build_repo }}" - dest: "{{ matrix_dendrite_docker_src_files_path }}" - version: "{{ matrix_dendrite_docker_image.split(':')[1] }}" - force: "yes" - become: true - become_user: "{{ matrix_user_username }}" - register: matrix_dendrite_git_pull_results - when: "matrix_dendrite_container_image_self_build | bool" - # We do this so that the signing key would get generated. # We don't use the `docker_container` module, because using it with `cap_drop` requires # a very recent version, which is not available for a lot of people yet. 
@@ -88,10 +77,32 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" -- name: Ensure Dendrite Docker image is built - ansible.builtin.command: - cmd: "{{ devture_systemd_docker_base_host_command_docker }} build -t {{ matrix_dendrite_docker_image }} {{ matrix_dendrite_docker_src_files_path }}" - when: "matrix_dendrite_container_image_self_build | bool" +- when: "matrix_dendrite_container_image_self_build | bool" + block: + - name: Ensure Dendrite repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_dendrite_container_image_self_build_repo }}" + dest: "{{ matrix_dendrite_docker_src_files_path }}" + version: "{{ matrix_dendrite_docker_image.split(':')[1] }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_dendrite_git_pull_results + + - name: Check if Dendrite Docker image exists + ansible.builtin.command: "{{ devture_systemd_docker_base_host_command_docker }} images --quiet --filter 'reference={{ matrix_dendrite_docker_image }}'" + register: matrix_dendrite_docker_image_check_result + changed_when: false + + # Invoking the `docker build` command here, instead of calling the `docker_image` Ansible module, + # because the latter does not support BuildKit. + # See: https://github.com/ansible-collections/community.general/issues/514 + - name: Ensure Dendrite Docker image is built + ansible.builtin.command: + cmd: "{{ devture_systemd_docker_base_host_command_docker }} build -t {{ matrix_dendrite_docker_image }} {{ matrix_dendrite_docker_src_files_path }}" + environment: + DOCKER_BUILDKIT: 1 + when: "matrix_dendrite_git_pull_results.changed | bool or matrix_dendrite_docker_image_check_result.stdout == ''" - name: Ensure Dendrite container network is created community.general.docker_network: From f102d75e13f2c63f8a0f782d311b747c58e44817 Mon Sep 17 00:00:00 2001 
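Review bot: The repository checkout in the new block is written as `matrix_user_username` (via `become_user`), while the `docker build` that consumes it runs with the play's own privileges and no `become`, so the build context is a directory the unprivileged service user can modify. `force: "yes"` on the git task resets tracked files on every run, which limits this to untracked content, but a comment on the build task noting the ownership split would make that trust boundary explicit, e.g. `# The checkout above is owned by the matrix user; only tracked files are reset by force: yes.` Separately, `DOCKER_BUILDKIT: 1` passes an integer through `environment:`; as far as I recall Ansible expects string values there, so `DOCKER_BUILDKIT: "1"` avoids relying on implicit conversion.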
From: Slavi Pantaleev Date: Thu, 11 May 2023 09:42:13 +0300 Subject: [PATCH 734/915] Upgrade backup-borg (v1.2.4-1.7.12-1 -> v1.2.4-1.7.12-2) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index fc06393f7..330a9cd4d 100644 --- a/requirements.yml +++ b/requirements.yml @@ -4,7 +4,7 @@ version: v1.0.0-0 name: aux - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git - version: v1.2.4-1.7.12-1 + version: v1.2.4-1.7.12-2 - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git version: v0.1.1-2 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git From 1b9a29fba60aede12d7db8fe0f90f6a0486f9add Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 11 May 2023 09:42:19 +0300 Subject: [PATCH 735/915] Upgrade Grafana (v9.5.1-0 -> v9.5.2-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 330a9cd4d..20f286d88 100644 --- a/requirements.yml +++ b/requirements.yml @@ -35,7 +35,7 @@ version: 6.1.0 name: geerlingguy.docker - src: git+https://gitlab.com/etke.cc/roles/grafana.git - version: v9.5.1-0 + version: v9.5.2-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git version: v8615-0 name: jitsi From 1649065a4d00b191a66b7ef16f0aa7675f03dfff Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 11 May 2023 09:54:22 +0300 Subject: [PATCH 736/915] Fix yamllint-reported errors in matrix-dendrite Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2674 --- .../matrix-dendrite/tasks/setup_install.yml | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/roles/custom/matrix-dendrite/tasks/setup_install.yml b/roles/custom/matrix-dendrite/tasks/setup_install.yml index 70ee45b90..2606dfea3 100644 --- a/roles/custom/matrix-dendrite/tasks/setup_install.yml 
+++ b/roles/custom/matrix-dendrite/tasks/setup_install.yml @@ -7,14 +7,16 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" with_items: - - { path: "{{ matrix_dendrite_config_dir_path }}", when: true } - - { path: "{{ matrix_dendrite_bin_path }}", when: true } - - { path: "{{ matrix_dendrite_ext_path }}", when: true } - - { path: "{{ matrix_dendrite_nats_storage_path }}", when: true } - - { - path: "{{ matrix_dendrite_docker_src_files_path }}", - when: "{{ matrix_dendrite_container_image_self_build }}", - } + - path: "{{ matrix_dendrite_config_dir_path }}" + when: true + - path: "{{ matrix_dendrite_bin_path }}" + when: true + - path: "{{ matrix_dendrite_ext_path }}" + when: true + - path: "{{ matrix_dendrite_nats_storage_path }}" + when: true + - path: "{{ matrix_dendrite_docker_src_files_path }}" + when: "{{ matrix_dendrite_container_image_self_build }}" when: "item.when | bool" # This will throw a Permission Denied error if already mounted using fuse From a6a32f24f72bea3b384a2b5046bf83469f1b9774 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 11 May 2023 11:23:09 +0300 Subject: [PATCH 737/915] Add changed_when to Dendrite self-building task to make ansible-lint happy Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2674 --- roles/custom/matrix-dendrite/tasks/setup_install.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/custom/matrix-dendrite/tasks/setup_install.yml b/roles/custom/matrix-dendrite/tasks/setup_install.yml index 2606dfea3..64c047d1c 100644 --- a/roles/custom/matrix-dendrite/tasks/setup_install.yml +++ b/roles/custom/matrix-dendrite/tasks/setup_install.yml 
@@ -104,6 +104,7 @@ cmd: "{{ devture_systemd_docker_base_host_command_docker }} build -t {{ matrix_dendrite_docker_image }} {{ matrix_dendrite_docker_src_files_path }}" environment: DOCKER_BUILDKIT: 1 + changed_when: true when: "matrix_dendrite_git_pull_results.changed | bool or matrix_dendrite_docker_image_check_result.stdout == ''" - name: Ensure Dendrite container network is created From 18ab8dfdffeaf682ef0322f504145f56f1f51857 Mon Sep 17 00:00:00 2001 From: Catalan Lover Date: Thu, 11 May 2023 18:54:43 +0200 Subject: [PATCH 738/915] Remove manual Database Access steps and replace with Admin API Guide --- docs/configuring-playbook-bot-draupnir.md | 24 +++------------------ docs/configuring-playbook-bot-mjolnir.md | 26 +++-------------------- 2 files changed, 6 insertions(+), 44 deletions(-) diff --git a/docs/configuring-playbook-bot-draupnir.md b/docs/configuring-playbook-bot-draupnir.md index 11960474a..62e8c3d68 100644 --- a/docs/configuring-playbook-bot-draupnir.md +++ b/docs/configuring-playbook-bot-draupnir.md 
@@ -30,30 +30,12 @@ Refer to the documentation on [how to obtain an access token](obtaining-access-t ## 3. Make sure the account is free from rate limiting -You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step draupnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). This can also be manually done by editing the Synapse database. Manually editing the Synapse database is rarely a good idea. Please ask for help if you are uncomfortable with these steps. +You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step draupnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). Please ask for help if you are uncomfortable with these steps or run into issues. -1. Copy the statement below into a text editor. +If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](docs/configuring-playbook-synapse-admin.md) or running `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands. - ``` - INSERT INTO ratelimit_override VALUES ('@bot.draupnir:DOMAIN', 0, 0); - ``` +The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer " -X DELETE https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with your own MXID and example.com with your homeserver domain. 
You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Draupnir it self. If you made Draupnir Admin you can just use the Draupnir token. -1. Change the username (`@bot.draupnir:DOMAIN`) to the username you used when you registered the bot's account. You must change `DOMAIN` to your server's domain. - -1. Get a database terminal by following these steps: [maintenance-postgres.md#getting-a-database-terminal](maintenance-postgres.md#getting-a-database-terminal) - -1. Connect to Synapse's database by typing `\connect synapse` into the database terminal - -1. Paste in the `INSERT INTO` command that you edited and press enter. - -You can run `SELECT * FROM ratelimit_override;` to see if it worked. If the output looks like this: - -``` - user_id | messages_per_second | burst_count ------------------------+---------------------+------------- - @bot.draupnir:raim.ist | 0 | 0` -``` -then you did it correctly. ## 4. Create a management room diff --git a/docs/configuring-playbook-bot-mjolnir.md b/docs/configuring-playbook-bot-mjolnir.md index 5fc6331e3..0b7ce43d5 100644 --- a/docs/configuring-playbook-bot-mjolnir.md +++ b/docs/configuring-playbook-bot-mjolnir.md 
@@ -29,31 +29,11 @@ Refer to the documentation on [how to obtain an access token](obtaining-access-t ## 3. Make sure the account is free from rate limiting -You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step Mjolnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). This can also be manually done by editing the Synapse database. Manually editing the Synapse database is rarely a good idea. Please ask for help if you are uncomfortable with these steps. +You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step Mjolnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). Please ask for help if you are uncomfortable with these steps or run into issues. -1. Copy the statement below into a text editor. - - ``` - INSERT INTO ratelimit_override VALUES ('@bot.mjolnir:DOMAIN', 0, 0); - ``` - -1. Change the username (`@bot.mjolnir:DOMAIN`) to the username you used when you registered the bot's account. You must change `DOMAIN` to your server's domain. - -1. Get a database terminal by following these steps: [maintenance-postgres.md#getting-a-database-terminal](maintenance-postgres.md#getting-a-database-terminal) - -1. Connect to Synapse's database by typing `\connect synapse` into the database terminal - -1. Paste in the `INSERT INTO` command that you edited and press enter. - -You can run `SELECT * FROM ratelimit_override;` to see if it worked. If the output looks like this: - -``` - user_id | messages_per_second | burst_count ------------------------+---------------------+------------- - @bot.mjolnir:raim.ist | 0 | 0` -``` -then you did it correctly. 
+If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](docs/configuring-playbook-synapse-admin.md) or running `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands. +The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer " -X DELETE https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with your own MXID and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Mjolnir it self. If you made Mjolnir Admin you can just use the Mjolnir token. ## 4. Create a management room From 6b3ae35ef5e223b56764c12ca3cec1fa93238f07 Mon Sep 17 00:00:00 2001 From: Catalan Lover Date: Thu, 11 May 2023 19:07:35 +0200 Subject: [PATCH 739/915] Fix Typo --- docs/configuring-playbook-bot-draupnir.md | 2 +- docs/configuring-playbook-bot-mjolnir.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-bot-draupnir.md b/docs/configuring-playbook-bot-draupnir.md index 62e8c3d68..23fa644f1 100644 --- a/docs/configuring-playbook-bot-draupnir.md +++ b/docs/configuring-playbook-bot-draupnir.md 
@@ -34,7 +34,7 @@ You will need to prevent Synapse from rate limiting the bot's account. This is n If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](docs/configuring-playbook-synapse-admin.md) or running `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands. -The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer " -X DELETE https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with your own MXID and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Draupnir it self. If you made Draupnir Admin you can just use the Draupnir token. +The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer " -X DELETE https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with the MXID of your Draupnir and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Draupnir it self. If you made Draupnir Admin you can just use the Draupnir token. diff --git a/docs/configuring-playbook-bot-mjolnir.md b/docs/configuring-playbook-bot-mjolnir.md index 0b7ce43d5..e69655aa5 100644 --- a/docs/configuring-playbook-bot-mjolnir.md +++ b/docs/configuring-playbook-bot-mjolnir.md 
@@ -33,7 +33,7 @@ You will need to prevent Synapse from rate limiting the bot's account. This is n If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](docs/configuring-playbook-synapse-admin.md) or running `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands. -The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer " -X DELETE https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with your own MXID and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Mjolnir it self. If you made Mjolnir Admin you can just use the Mjolnir token. +The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer " -X DELETE https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with the MXID of your Mjolnir and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Mjolnir it self. If you made Mjolnir Admin you can just use the Mjolnir token. ## 4. Create a management room From 73209a0554911d8266b37c15752b993b97140696 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Fri, 12 May 2023 07:00:58 +0300 Subject: [PATCH 740/915] Update aux role documentation, removing old matrix-aux references --- docs/configuring-playbook-bridge-hookshot.md | 12 ++++++------ docs/configuring-playbook-matrix-corporal.md | 2 +- docs/configuring-playbook-ssl-certificates.md | 12 ++++++------ docs/configuring-playbook-sygnal.md | 4 ++-- 4 files changed, 15 insertions(+), 15 deletions(-) diff --git a/docs/configuring-playbook-bridge-hookshot.md b/docs/configuring-playbook-bridge-hookshot.md index 54f6636b9..48a66a8ea 100644 --- a/docs/configuring-playbook-bridge-hookshot.md +++ b/docs/configuring-playbook-bridge-hookshot.md 
@@ -16,7 +16,7 @@ Refer to the [official instructions](https://matrix-org.github.io/matrix-hooksho 1. Enable the bridge by adding `matrix_hookshot_enabled: true` to your `vars.yml` file 2. For each of the services (GitHub, GitLab, Jira, Figma, generic webhooks) fill in the respective variables `matrix_hookshot_service_*` listed in [main.yml](/roles/custom/matrix-bridge-hookshot/defaults/main.yml) as required. 3. Take special note of the `matrix_hookshot_*_enabled` variables. Services that need no further configuration are enabled by default (GitLab, Generic), while you must first add the required configuration and enable the others (GitHub, Jira, Figma). -4. If you're setting up the GitHub bridge, you'll need to generate and download a private key file after you created your GitHub app. Copy the contents of that file to the variable `matrix_hookshot_github_private_key` so the playbook can install it for you, or use one of the [other methods](#manage-github-private-key-with-matrix-aux-role) explained below. +4. If you're setting up the GitHub bridge, you'll need to generate and download a private key file after you created your GitHub app. Copy the contents of that file to the variable `matrix_hookshot_github_private_key` so the playbook can install it for you, or use one of the [other methods](#manage-github-private-key-with-aux-role) explained below. 5. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready. Hookshot can be set up individually using the tag `setup-hookshot`. Other configuration options are available via the `matrix_hookshot_configuration_extension_yaml` and `matrix_hookshot_registration_extension_yaml` variables, see the comments in [main.yml](/roles/custom/matrix-bridge-hookshot/defaults/main.yml) for how to use them. 
@@ -58,23 +58,23 @@ See also `matrix_hookshot_matrix_nginx_proxy_configuration` in [init.yml](/roles The different listeners are also reachable *internally* in the docker-network via the container's name (configured by `matrix_hookshot_container_url`) and on different ports (e.g. `matrix_hookshot_appservice_port`). Read [main.yml](/roles/custom/matrix-bridge-hookshot/defaults/main.yml) in detail for more info. -### Manage GitHub Private Key with matrix-aux role +### Manage GitHub Private Key with aux role The GitHub bridge requires you to install a private key file. This can be done in multiple ways: - copy the *contents* of the downloaded file and set the variable `matrix_hookshot_github_private_key` to the contents (see example in [main.yml](/roles/custom/matrix-bridge-hookshot/defaults/main.yml)). - somehow copy the file to the path `{{ matrix_hookshot_base_path }}/{{ matrix_hookshot_github_private_key_file }}` (default: `/matrix/hookshot/private-key.pem`) on the server manually. -- use the `matrix-aux` role to copy the file from an arbitrary path on your ansible client to the correct path on the server. +- use the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux) to copy the file from an arbitrary path on your ansible client to the correct path on the server. -To use `matrix-aux`, make sure the `matrix_hookshot_github_private_key` variable is empty. Then add to `matrix-aux` configuration like this: +To use the `aux` role, make sure the `matrix_hookshot_github_private_key` variable is empty. 
Then add the following additional configuration: ```yaml -matrix_aux_file_definitions: +aux_file_definitions: - dest: "{{ matrix_hookshot_base_path }}/{{ matrix_hookshot_github_private_key_file }}" content: "{{ lookup('file', '/path/to/your-github-private-key.pem') }}" mode: '0400' owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" ``` -For more info see the documentation in the [matrix-aux base configuration file](/roles/custom/matrix-aux/defaults/main.yml). +For more information, see the documentation in the [default configuration of the aux role](https://github.com/mother-of-all-self-hosting/ansible-role-aux/blob/main/defaults/main.yml). ### Provisioning API diff --git a/docs/configuring-playbook-matrix-corporal.md b/docs/configuring-playbook-matrix-corporal.md index eb635c641..2000cfd99 100644 --- a/docs/configuring-playbook-matrix-corporal.md +++ b/docs/configuring-playbook-matrix-corporal.md @@ -91,7 +91,7 @@ matrix_corporal_policy_provider_config: | } # Modify the policy below as you see fit -matrix_aux_file_definitions: +aux_file_definitions: - dest: "{{ matrix_corporal_config_dir_path }}/policy.json" content: | { diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md index 9fa9f84b8..6a215973b 100644 --- a/docs/configuring-playbook-ssl-certificates.md +++ b/docs/configuring-playbook-ssl-certificates.md 
@@ -40,9 +40,9 @@ If you'd like to use your own SSL certificates, instead of the default (SSL cert To use your own SSL certificates with Traefik, you need to: - disable [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) / [Let's Encrypt](https://letsencrypt.org/) support -- put a custom Traefik configuration file on the server, with the help of this Ansible playbook (via the `matrix-aux` role) or manually +- put a custom Traefik configuration file on the server, with the help of this Ansible playbook (via the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux)) or manually - register your custom configuration file with Traefik, by adding an extra provider of type [file](https://doc.traefik.io/traefik/providers/file/) -- put the SSL files on the server, with the help of this Ansible playbook (via the `matrix-aux` role) or manually +- put the SSL files on the server, with the help of this Ansible playbook (via the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux)) or manually ```yaml # Disable ACME / Let's Encrypt support. @@ -53,7 +53,7 @@ devture_traefik_config_certificatesResolvers_acme_enabled: false devture_traefik_ssl_dir_enabled: true # Tell Traefik to load our custom configuration file (certificates.yml). -# The file is created below, in `matrix_aux_file_definitions`. +# The file is created below, in `aux_file_definitions`. # The `/config/..` path is an in-container path, not a path on the host (like `/matrix/traefik/config`). Do not change it! devture_traefik_configuration_extension_yaml: | providers: 
@@ -61,9 +61,9 @@ devture_traefik_configuration_extension_yaml: | filename: /config/certificates.yml watch: true -# Use the matrix-aux role to create our custom files on the server. -# If you'd like to do this manually, you remove this `matrix_aux_file_definitions` variable. -matrix_aux_file_definitions: +# Use the aux role to create our custom files on the server. +# If you'd like to do this manually, you remove this `aux_file_definitions` variable. +aux_file_definitions: # Create the privkey.pem file on the server by # uploading a file from the computer where Ansible is running. - dest: "{{ devture_traefik_ssl_dir_path }}/privkey.pem" diff --git a/docs/configuring-playbook-sygnal.md b/docs/configuring-playbook-sygnal.md index 786498c64..2fbad04c2 100644 --- a/docs/configuring-playbook-sygnal.md +++ b/docs/configuring-playbook-sygnal.md @@ -55,7 +55,7 @@ matrix_sygnal_apps: api_key: your_api_key_for_gcm # .. more configuration .. -matrix_aux_file_definitions: +aux_file_definitions: - dest: "{{ matrix_sygnal_data_path }}/my_key.p8" content: | some 
@@ -73,7 +73,7 @@ Configuring [GCM/FCM](https://firebase.google.com/docs/cloud-messaging/) is easi To configure [APNS](https://developer.apple.com/notifications/) (Apple Push Notification Service), you'd need to provide one or more certificate files. To do that, the above example configuration: -- makes use of the `matrix-aux` role (and its `matrix_aux_file_definitions` variable) to make the playbook install files into `/matrix/sygnal/data` (the `matrix_sygnal_data_path` variable). See `roles/custom/matrix-aux/defaults/main.yml` for usage examples. It also makes sure the files are owned by `matrix:matrix`, so that Sygnal can read them. Of course, you can also install these files manually yourself, if you'd rather not use `matrix-aux`. +- makes use of the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux) (and its `aux_file_definitions` variable) to make the playbook install files into `/matrix/sygnal/data` (the `matrix_sygnal_data_path` variable). See [`defaults/main.yml` file](https://github.com/mother-of-all-self-hosting/ansible-role-aux/blob/main/defaults/main.yml) of the `aux` role for usage examples. It also makes sure the files are owned by `matrix:matrix`, so that Sygnal can read them. Of course, you can also install these files manually yourself, if you'd rather not use `aux`. - references these files in the Sygnal configuration (`matrix_sygnal_apps`) using a path like `/data/..` (the `/matrix/sygnal/data` directory on the host system is mounted into the `/data` directory inside the container) From 25a4af1d3bec29e4f64120490b71a053ad8336d1 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Sun, 14 May 2023 22:20:29 +0000 Subject: [PATCH 741/915] Update prometheus v2.43.0 -> 2.44.0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 20f286d88..c7bbbe47c 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -42,7 +42,7 @@ - src: git+https://gitlab.com/etke.cc/roles/ntfy.git version: v2.4.0-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git - version: v2.43.0-0 + version: v2.44.0-0 name: prometheus - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git version: v1.5.0-7 From 62c92578b5fab5e1d59c959e3ffb20d32dadb02f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 15 May 2023 06:57:56 +0300 Subject: [PATCH 742/915] Upgrade Postgres (minor versions upgrade) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index c7bbbe47c..3b9952f76 100644 --- a/requirements.yml +++ b/requirements.yml @@ -16,7 +16,7 @@ - src: git+https://github.com/devture/com.devture.ansible.role.playbook_state_preserver.git version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16 - src: git+https://github.com/devture/com.devture.ansible.role.postgres.git - version: 38764398bf82b06a1736c3bfedc71dfd229e4b52 + version: v15.3-0 - src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git version: 8e9ec48a09284c84704d7a2dce17da35f181574d - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git From 49cb8b7b11a72bb44cfa3227350f4dcbb29188df Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 15 May 2023 07:33:26 +0300 Subject: [PATCH 743/915] Add Synapse main/master process to instance map Related to https://github.com/matrix-org/synapse/pull/15491 This doesn't hurt to be done early on, while still on Synapse v1.83.0. We'll be able to remove the `worker_replication_*` settings later, when Synapse v1.84.0 gets released and starts making use of the new `main` instance in the instance map instead of looking at the `worker_replication_*` settings. --- roles/custom/matrix-synapse/defaults/main.yml | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) 
diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index a1719461d..5a5e9978d 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -711,9 +711,18 @@ matrix_synapse_run_background_tasks_on: "{{ (matrix_synapse_workers_enabled_list # - { 'id': 'media-repository-0', 'name': 'matrix-synapse-worker-media-repository-0', 'type': 'media_repository', 'port': 18551, 'metrics_port': 19551, 'webserving': true } matrix_synapse_workers_enabled_list: [] -# matrix_synapse_instance_map holds the instance map used for mapping worker names (for certain generic workers only!) to where they live (host, port which handles replication traffic). -# This is populated automatically based on `matrix_synapse_workers_enabled_list` during runtime, so you're not required to tweak it manually. -matrix_synapse_instance_map: {} +# matrix_synapse_instance_map holds the instance map used for mapping worker names (for the main process and certain generic workers only!) to where they live (host, port which handles replication traffic). +# This map starts off being populated with the Synapse main (master) process, +# but will be populated with workers automatically during runtime, based on `matrix_synapse_workers_enabled_list`. +matrix_synapse_instance_map: | + {{ + { + 'main': { + 'host': 'matrix-synapse', + 'port': matrix_synapse_replication_http_port, + }, + } + }} # Redis information matrix_synapse_redis_enabled: false From 8fbe99ac2a1939c9018209c27e39632d10bd7c69 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 15 May 2023 07:37:25 +0300 Subject: [PATCH 744/915] Do not add main/master Synapse process to instance_map if workers are not in use This is meant to keep the configuration tidy for non-worker setups. Related to 49cb8b7b11a72bb44c --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
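Review bot: The new `'main'` entry publishes the main process's replication listener (`matrix_synapse_replication_http_port` on host `matrix-synapse`) to every worker, and nothing in the hunk records the exposure constraint that goes with it. Synapse's worker replication traffic is, by default, protected by network placement rather than by authentication, so the comment block above the map should state it: `# The replication port referenced here must only be reachable on the container network; never publish it on a host interface.` The hard-coded host `matrix-synapse` presumably matches the main container's name; if the playbook already has a variable for that name, using it here would keep the two from drifting apart.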
diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 5a5e9978d..f159e01b8 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -721,7 +721,7 @@ matrix_synapse_instance_map: | 'host': 'matrix-synapse', 'port': matrix_synapse_replication_http_port, }, - } + } if matrix_synapse_workers_enabled else {} }} # Redis information From 319afc66c19f33c311d2237840e64fe09ac116af Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 16 May 2023 15:29:57 +0300 Subject: [PATCH 745/915] Fix YAML indentation --- docs/configuring-playbook-own-webserver.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index affb565fb..3d8c5b0d0 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -153,11 +153,11 @@ devture_traefik_additional_entrypoints_auto: port: 8449 host_bind_port: '127.0.0.1:8449' config: {} - # If your reverse-proxy runs on another machine, remove the config above and use this config instead: - # config: - # forwardedHeaders: - # insecure: true - # # trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY'] + # If your reverse-proxy runs on another machine, remove the config above and use this config instead: + # config: + # forwardedHeaders: + # insecure: true + # # trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY'] ``` For an example where the playbook's Traefik reverse-proxy is fronted by [Nginx](https://nginx.org/) running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md). From 5e1027960bcecf690391b8b50e64eb9ff0bc0388 Mon Sep 17 00:00:00 2001 
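Review bot: The explanatory comment above this map (context lines outside the hunk, at the top of `matrix_synapse_instance_map`) still says the map starts off populated with the main process, which stops being true once the `if matrix_synapse_workers_enabled else {}` guard is added. Suggest amending it with: `# When workers are disabled the map is left empty, so non-worker setups carry no unused replication config.`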
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 May 2023 16:59:08 +0000 Subject: [PATCH 746/915] Bump ansible-community/ansible-lint-action from 6.15.0 to 6.16.0 Bumps [ansible-community/ansible-lint-action](https://github.com/ansible-community/ansible-lint-action) from 6.15.0 to 6.16.0. - [Release notes](https://github.com/ansible-community/ansible-lint-action/releases) - [Commits](https://github.com/ansible-community/ansible-lint-action/compare/v6.15.0...v6.16.0) --- updated-dependencies: - dependency-name: ansible-community/ansible-lint-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/matrix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml index f69e60ff9..abca55ae2 100644 --- a/.github/workflows/matrix.yml +++ b/.github/workflows/matrix.yml @@ -21,6 +21,6 @@ jobs: - name: Check out uses: actions/checkout@v3 - name: Run ansible-lint - uses: ansible-community/ansible-lint-action@v6.15.0 + uses: ansible-community/ansible-lint-action@v6.16.0 with: path: roles/custom From c8aecef8816bae12441f89bd44fc67ced5351822 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 16 May 2023 19:46:06 +0000 Subject: [PATCH 747/915] update mautrix-whatsapp 0.8.4 -> 0.8.5 --- roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml index d54d2e1c2..20cafa7ad 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml 
@@ -8,7 +8,7 @@ matrix_mautrix_whatsapp_container_image_self_build: false matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautrix/whatsapp.git" matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}" -matrix_mautrix_whatsapp_version: v0.8.4 +matrix_mautrix_whatsapp_version: v0.8.5 # See: https://mau.dev/mautrix/whatsapp/container_registry matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_name_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}" matrix_mautrix_whatsapp_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_whatsapp_container_image_self_build else 'dock.mau.dev/' }}" From 3b28e29b8e8fe88291b6b4862546e93c71eb5559 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 16 May 2023 19:47:10 +0000 Subject: [PATCH 748/915] update mautrix-discord 0.3.0 -> 0.4.0 --- roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml index f088ae15f..98291d80d 100644 --- a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml 
@@ -8,7 +8,7 @@ matrix_mautrix_discord_container_image_self_build: false matrix_mautrix_discord_container_image_self_build_repo: "https://mau.dev/mautrix/discord.git" matrix_mautrix_discord_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_discord_version == 'latest' else matrix_mautrix_discord_version }}" -matrix_mautrix_discord_version: v0.3.0 +matrix_mautrix_discord_version: v0.4.0 # See: https://mau.dev/mautrix/discord/container_registry matrix_mautrix_discord_docker_image: "{{ matrix_mautrix_discord_docker_image_name_prefix }}mautrix/discord:{{ matrix_mautrix_discord_version }}" matrix_mautrix_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_discord_container_image_self_build else 'dock.mau.dev/' }}" From e435c6bb555d989f4b571d313d2a763a03cc641c Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 16 May 2023 19:48:09 +0000 Subject: [PATCH 749/915] update borgmatic 1.7.12 -> 1.7.13 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 3b9952f76..536e7e417 100644 --- a/requirements.yml +++ b/requirements.yml @@ -4,7 +4,7 @@ version: v1.0.0-0 name: aux - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git - version: v1.2.4-1.7.12-2 + version: v1.2.4-1.7.13-0 - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git version: v0.1.1-2 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git From 98d8723694a75ae04de555b8abd57a1f7d732a44 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Wed, 17 May 2023 14:58:22 +0200 Subject: [PATCH 750/915] Move postgres-exporter repo --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 536e7e417..d4bea1c6d 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -46,7 +46,7 @@ name: prometheus - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git version: v1.5.0-7 -- src: git+https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter.git +- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git version: v0.12.0-0 - src: git+https://gitlab.com/etke.cc/roles/redis.git version: v7.0.10-0 From dc4b4d87d2f1fbd5197d8958ea13c548b2a82969 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 17 May 2023 14:55:47 +0000 Subject: [PATCH 751/915] Update mautrix-signal 0.4.2 -> 0.4.3 --- roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml index f2b1048d0..ca9bab54a 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml @@ -9,7 +9,7 @@ matrix_mautrix_signal_docker_repo: "https://mau.dev/mautrix/signal.git" matrix_mautrix_signal_docker_repo_version: "{{ 'master' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}" matrix_mautrix_signal_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signal/docker-src" -matrix_mautrix_signal_version: v0.4.2 +matrix_mautrix_signal_version: v0.4.3 matrix_mautrix_signal_daemon_version: 0.23.2 # See: https://mau.dev/mautrix/signal/container_registry matrix_mautrix_signal_docker_image: "{{ matrix_mautrix_signal_docker_image_name_prefix }}mautrix/signal:{{ matrix_mautrix_signal_version }}" From 017a7951051afe2be6c6b9a6298f6a45729d6879 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 17 May 2023 21:19:47 +0300 Subject: [PATCH 752/915] Upgrade aux (v1.0.0-0 -> v1.0.0-1) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
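Review bot: The postgres exporter role's source moves to a different forge and organization but stays pinned to the mutable tag `v0.12.0-0`, so nothing verifies that the content fetched from the new location matches what was previously installed from GitLab. Other entries in this file (for example the `postgres_backup` role, pinned to `8e9ec48a09284c84704d7a2dce17da35f181574d`) use a commit hash, which gives an integrity guarantee a tag cannot. For a source move in particular, pinning the new repository by commit hash — or at least recording in the commit that the tag was compared against the old one — is worth the extra line.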
diff --git a/requirements.yml b/requirements.yml index 536e7e417..22a53638f 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1,7 +1,7 @@ --- - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git - version: v1.0.0-0 + version: v1.0.0-1 name: aux - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git version: v1.2.4-1.7.13-0 From c8dbb437b959c56ce8479f69bc0057e00209da17 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 17 May 2023 18:29:22 +0000 Subject: [PATCH 753/915] fix prometheus postgres exporter role name --- requirements.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/requirements.yml b/requirements.yml index cd36abd2f..57f4709f2 100644 --- a/requirements.yml +++ b/requirements.yml @@ -47,6 +47,7 @@ - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git version: v1.5.0-7 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git + name: prometheus_postgres_exporter version: v0.12.0-0 - src: git+https://gitlab.com/etke.cc/roles/redis.git version: v7.0.10-0 From 9d77950cd83175dff45845a43351eb1f2fe6dc8d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 18 May 2023 09:41:28 +0300 Subject: [PATCH 754/915] Adjust bot group names, so that they match the install/setup tags Previously `just install-service buscarron` would not fully work, because: - the systemd services were indeed tagged with `buscarron` - however, the actual installation tasks are not `install-buscarron`/`setup-buscarron`, but rather `install-bot-buscarron`/`setup-bot-buscarron` Services are now tagged with the `bot-` prefix to match the tags. --- group_vars/matrix_servers | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index f25c4b4e1..f89304f46 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -210,25 +210,25 @@ devture_systemd_service_manager_services_list_auto: | {{ ([{'name': (backup_borg_identifier + '.timer'), 'priority': 5000, 'groups': ['matrix', 'backup', 'borg']}] if backup_borg_enabled else []) + - ([{'name': 'matrix-bot-buscarron.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'buscarron']}] if matrix_bot_buscarron_enabled else []) + ([{'name': 'matrix-bot-buscarron.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'buscarron', 'bot-buscarron']}] if matrix_bot_buscarron_enabled else []) + - ([{'name': 'matrix-bot-go-neb.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'go-neb']}] if matrix_bot_go_neb_enabled else []) + ([{'name': 'matrix-bot-go-neb.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'go-neb', 'bot-go-neb']}] if matrix_bot_go_neb_enabled else []) + - ([{'name': 'matrix-bot-honoroit.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'honoroit']}] if matrix_bot_honoroit_enabled else []) + ([{'name': 'matrix-bot-honoroit.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'honoroit', 'bot-honoroit']}] if matrix_bot_honoroit_enabled else []) + - ([{'name': 'matrix-bot-matrix-registration-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'registration-bot']}] if matrix_bot_matrix_registration_bot_enabled else []) + ([{'name': 'matrix-bot-matrix-registration-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'registration-bot', 'bot-matrix-registration-bot']}] if matrix_bot_matrix_registration_bot_enabled else []) + - ([{'name': 'matrix-bot-matrix-reminder-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'reminder-bot']}] if matrix_bot_matrix_reminder_bot_enabled else []) + ([{'name': 'matrix-bot-matrix-reminder-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'reminder-bot', 'bot-matrix-reminder-bot']}] if matrix_bot_matrix_reminder_bot_enabled else []) + - ([{'name': 'matrix-bot-maubot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 
'maubot']}] if matrix_bot_maubot_enabled else []) + ([{'name': 'matrix-bot-maubot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'maubot', 'bot-maubot']}] if matrix_bot_maubot_enabled else []) + - ([{'name': 'matrix-bot-mjolnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'mjolnir']}] if matrix_bot_mjolnir_enabled else []) + ([{'name': 'matrix-bot-mjolnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'mjolnir', 'bot-mjolnir']}] if matrix_bot_mjolnir_enabled else []) + - ([{'name': 'matrix-bot-draupnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'draupnir']}] if matrix_bot_draupnir_enabled else []) + ([{'name': 'matrix-bot-draupnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'draupnir', 'bot-draupnir']}] if matrix_bot_draupnir_enabled else []) + - ([{'name': 'matrix-bot-postmoogle.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'postmoogle']}] if matrix_bot_postmoogle_enabled else []) + ([{'name': 'matrix-bot-postmoogle.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'postmoogle', 'bot-postmoogle']}] if matrix_bot_postmoogle_enabled else []) + - ([{'name': 'matrix-bot-chatgpt.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'chatgpt']}] if matrix_bot_chatgpt_enabled else []) + ([{'name': 'matrix-bot-chatgpt.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'chatgpt', 'bot-chatgpt']}] if matrix_bot_chatgpt_enabled else []) + ([{'name': 'matrix-appservice-discord.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'appservice-discord']}] if matrix_appservice_discord_enabled else []) + From 88c7cf21f7d5b454af4449dab6a7fbccb2b1b4d2 Mon Sep 17 00:00:00 2001 
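Review bot: Each bot entry now carries both the old short group name (`'buscarron'`, `'registration-bot'`, …) and the new `bot-*` name, but nothing in the file says why both are kept, so a later cleanup could drop the wrong one. A comment above `devture_systemd_service_manager_services_list_auto:` (the variable starts outside the hunk) would pin the intent, e.g. `# Bot services carry a bot-* group matching their install-/setup- tags; the short names are kept for backward compatibility.` — assuming the short names are indeed retained for compatibility rather than by oversight. The comment has to live outside the `{{ ... }}` expression, since `#` is not a comment inside a Jinja expression.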
From: Slavi Pantaleev Date: Thu, 18 May 2023 10:03:02 +0300 Subject: [PATCH 755/915] Make Honoroit not try to capture all matrix.DOMAIN traffic It only serves a metrics endpoint, so it shouldn't try to capture anything else. --- docs/configuring-playbook-bot-honoroit.md | 3 +++ .../custom/matrix-bot-honoroit/defaults/main.yml | 1 - .../matrix-bot-honoroit/templates/labels.j2 | 15 --------------- 3 files changed, 3 insertions(+), 16 deletions(-) diff --git a/docs/configuring-playbook-bot-honoroit.md b/docs/configuring-playbook-bot-honoroit.md index 42f31d49a..26f5c6916 100644 --- a/docs/configuring-playbook-bot-honoroit.md +++ b/docs/configuring-playbook-bot-honoroit.md @@ -14,6 +14,9 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars. ```yaml matrix_bot_honoroit_enabled: true +# Uncomment and adjust if you'd like to change the hostname +# matrix_bot_honoroit_hostname: "{{ matrix_server_fqn_matrix }}" + # Uncomment and adjust this part if you'd like to use a username different than the default # matrix_bot_honoroit_login: honoroit diff --git a/roles/custom/matrix-bot-honoroit/defaults/main.yml b/roles/custom/matrix-bot-honoroit/defaults/main.yml index ea93d55f2..666b40f0a 100644 --- a/roles/custom/matrix-bot-honoroit/defaults/main.yml +++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml 
@@ -56,7 +56,6 @@ matrix_bot_honoroit_container_labels_traefik_docker_network: "{{ matrix_bot_hono matrix_bot_honoroit_container_labels_traefik_hostname: "{{ matrix_bot_honoroit_hostname }}" # The path prefix must either be `/` or not end with a slash (e.g. `/honoroit`). matrix_bot_honoroit_container_labels_traefik_path_prefix: "{{ matrix_bot_honoroit_path_prefix }}" -matrix_bot_honoroit_container_labels_traefik_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`){% if matrix_bot_honoroit_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_bot_honoroit_container_labels_traefik_path_prefix }}`){% endif %}" matrix_bot_honoroit_container_labels_traefik_metrics_path: "{{ matrix_bot_honoroit_metrics_path }}" matrix_bot_honoroit_container_labels_traefik_metrics_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`) && Path(`{{ matrix_bot_honoroit_container_labels_traefik_metrics_path }}`)" matrix_bot_honoroit_container_labels_traefik_priority: 0 diff --git a/roles/custom/matrix-bot-honoroit/templates/labels.j2 b/roles/custom/matrix-bot-honoroit/templates/labels.j2 index 7943e00f1..12409470d 100644 --- a/roles/custom/matrix-bot-honoroit/templates/labels.j2 +++ b/roles/custom/matrix-bot-honoroit/templates/labels.j2 
@@ -31,21 +31,6 @@ traefik.http.middlewares.matrix-bot-honoroit-auth.basicauth.users={{ lookup('ans {% set middlewares_metrics = middlewares + ['matrix-bot-honoroit-auth'] %} {% endif %} -traefik.http.routers.matrix-bot-honoroit.rule={{ matrix_bot_honoroit_container_labels_traefik_rule }} -{% if matrix_bot_honoroit_container_labels_traefik_priority | int > 0 %} -traefik.http.routers.matrix-bot-honoroit.priority={{ matrix_bot_honoroit_container_labels_traefik_priority }} -{% endif %} -traefik.http.routers.matrix-bot-honoroit.service=matrix-bot-honoroit -{% if middlewares | length > 0 %} -traefik.http.routers.matrix-bot-honoroit.middlewares={{ middlewares | join(',') }} -{% endif %} -traefik.http.routers.matrix-bot-honoroit.entrypoints={{ matrix_bot_honoroit_container_labels_traefik_entrypoints }} -traefik.http.routers.matrix-bot-honoroit.tls={{ matrix_bot_honoroit_container_labels_traefik_tls | to_json }} -{% if matrix_bot_honoroit_container_labels_traefik_tls %} -traefik.http.routers.matrix-bot-honoroit.tls.certResolver={{ matrix_bot_honoroit_container_labels_traefik_tls_certResolver }} -{% endif %} -traefik.http.services.matrix-bot-honoroit.loadbalancer.server.port=8080 - {% if middlewares_metrics | length > 0 %} traefik.http.routers.matrix-bot-honoroit-metrics.rule={{ matrix_bot_honoroit_container_labels_traefik_metrics_rule }} {% if matrix_bot_honoroit_container_labels_traefik_priority | int > 0 %} From 8f903fa6215863051118143c6b5a2311c8d57f7d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 18 May 2023 10:03:40 +0300 Subject: [PATCH 756/915] Make Honoroit respect matrix_bot_honoroit_path_prefix when building the metrics path --- roles/custom/matrix-bot-honoroit/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-honoroit/defaults/main.yml b/roles/custom/matrix-bot-honoroit/defaults/main.yml index 666b40f0a..3cb4fa5f6 100644 --- a/roles/custom/matrix-bot-honoroit/defaults/main.yml 
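Review bot: With the main router and its `traefik.http.services.matrix-bot-honoroit.loadbalancer.server.port=8080` label removed, the `middlewares` list assembled at the top of this template (outside the hunk) appears to survive only as the base of `middlewares_metrics`, and on the defaults side (the preceding hunk in this commit) `matrix_bot_honoroit_container_labels_traefik_path_prefix` keeps being defined even though the rule that consumed it is dropped in the same commit. If those are now dead, trimming them — or a one-line comment stating that they are retained for the metrics router and for path-prefix derivation respectively — would stop the next reader from hunting for a consumer.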
+++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml @@ -56,7 +56,7 @@ matrix_bot_honoroit_container_labels_traefik_docker_network: "{{ matrix_bot_hono matrix_bot_honoroit_container_labels_traefik_hostname: "{{ matrix_bot_honoroit_hostname }}" # The path prefix must either be `/` or not end with a slash (e.g. `/honoroit`). matrix_bot_honoroit_container_labels_traefik_path_prefix: "{{ matrix_bot_honoroit_path_prefix }}" -matrix_bot_honoroit_container_labels_traefik_metrics_path: "{{ matrix_bot_honoroit_metrics_path }}" +matrix_bot_honoroit_container_labels_traefik_metrics_path: "{{ '' if matrix_bot_honoroit_path_prefix = '/' else matrix_bot_honoroit_path_prefix }}{{ matrix_bot_honoroit_metrics_path }}" matrix_bot_honoroit_container_labels_traefik_metrics_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`) && Path(`{{ matrix_bot_honoroit_container_labels_traefik_metrics_path }}`)" matrix_bot_honoroit_container_labels_traefik_priority: 0 matrix_bot_honoroit_container_labels_traefik_entrypoints: web-secure From 2083b10f1abe16054dc634061dadc30fe50f7eb3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 18 May 2023 10:09:07 +0300 Subject: [PATCH 757/915] Fix syntax error --- roles/custom/matrix-bot-honoroit/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-honoroit/defaults/main.yml b/roles/custom/matrix-bot-honoroit/defaults/main.yml index 3cb4fa5f6..90ffa0c64 100644 --- a/roles/custom/matrix-bot-honoroit/defaults/main.yml +++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml 
@@ -56,7 +56,7 @@ matrix_bot_honoroit_container_labels_traefik_docker_network: "{{ matrix_bot_hono matrix_bot_honoroit_container_labels_traefik_hostname: "{{ matrix_bot_honoroit_hostname }}" # The path prefix must either be `/` or not end with a slash (e.g. `/honoroit`). matrix_bot_honoroit_container_labels_traefik_path_prefix: "{{ matrix_bot_honoroit_path_prefix }}" -matrix_bot_honoroit_container_labels_traefik_metrics_path: "{{ '' if matrix_bot_honoroit_path_prefix = '/' else matrix_bot_honoroit_path_prefix }}{{ matrix_bot_honoroit_metrics_path }}" +matrix_bot_honoroit_container_labels_traefik_metrics_path: "{{ '' if matrix_bot_honoroit_path_prefix == '/' else matrix_bot_honoroit_path_prefix }}{{ matrix_bot_honoroit_metrics_path }}" matrix_bot_honoroit_container_labels_traefik_metrics_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`) && Path(`{{ matrix_bot_honoroit_container_labels_traefik_metrics_path }}`)" matrix_bot_honoroit_container_labels_traefik_priority: 0 matrix_bot_honoroit_container_labels_traefik_entrypoints: web-secure From 018e620ee82b82ec484036a9c1a2cb4273f63f75 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 18 May 2023 10:10:47 +0300 Subject: [PATCH 758/915] Default matrix_bot_honoroit_path_prefix to /honoroit to avoid conflicts with Matrix Client-Server API --- docs/configuring-playbook-bot-honoroit.md | 3 ++- group_vars/matrix_servers | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bot-honoroit.md b/docs/configuring-playbook-bot-honoroit.md index 26f5c6916..2a711fb83 100644 --- a/docs/configuring-playbook-bot-honoroit.md +++ b/docs/configuring-playbook-bot-honoroit.md 
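Review bot: The corrected expression reads `matrix_bot_honoroit_path_prefix` directly, while the line immediately above defines `matrix_bot_honoroit_container_labels_traefik_path_prefix` as the label-level counterpart; an operator who overrides only the `_container_labels_traefik_path_prefix` variable would get a metrics path that still reflects the un-overridden prefix. For consistency with the other `_container_labels_traefik_*` variables, derive from the label-level one: `matrix_bot_honoroit_container_labels_traefik_metrics_path: "{{ '' if matrix_bot_honoroit_container_labels_traefik_path_prefix == '/' else matrix_bot_honoroit_container_labels_traefik_path_prefix }}{{ matrix_bot_honoroit_metrics_path }}"`. The concatenation is only correct while the "`/` or no trailing slash" constraint documented in the comment above holds and `matrix_bot_honoroit_metrics_path` starts with a slash, which is worth saying in that comment.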
@@ -14,8 +14,9 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars. ```yaml matrix_bot_honoroit_enabled: true -# Uncomment and adjust if you'd like to change the hostname +# Uncomment and adjust if you'd like to change the hostname or path # matrix_bot_honoroit_hostname: "{{ matrix_server_fqn_matrix }}" +# matrix_bot_honoroit_path_prefix: /honoroit # Uncomment and adjust this part if you'd like to use a username different than the default # matrix_bot_honoroit_login: honoroit diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index f89304f46..4a67c2df1 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1653,7 +1653,9 @@ matrix_bot_maubot_database_password: "{{ '%s' | format(matrix_homeserver_generic # We don't enable bots by default. matrix_bot_honoroit_enabled: false + matrix_bot_honoroit_hostname: "{{ matrix_server_fqn_matrix }}" +matrix_bot_honoroit_path_prefix: /honoroit matrix_bot_honoroit_systemd_required_services_list: | {{ From aa44a277f6633a102c1394f8f6666b9ced1c813c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 18 May 2023 10:13:06 +0300 Subject: [PATCH 759/915] Fix service name for Honoroit metrics --- roles/custom/matrix-bot-honoroit/templates/labels.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-honoroit/templates/labels.j2 b/roles/custom/matrix-bot-honoroit/templates/labels.j2 index 12409470d..8e20ea459 100644 --- a/roles/custom/matrix-bot-honoroit/templates/labels.j2 +++ b/roles/custom/matrix-bot-honoroit/templates/labels.j2 
@@ -36,7 +36,7 @@ traefik.http.routers.matrix-bot-honoroit-metrics.rule={{ matrix_bot_honoroit_con {% if matrix_bot_honoroit_container_labels_traefik_priority | int > 0 %} traefik.http.routers.matrix-bot-honoroit-metrics.priority={{ matrix_bot_honoroit_container_labels_traefik_priority }} {% endif %} -traefik.http.routers.matrix-bot-honoroit-metrics.service=matrix-bot-honoroit +traefik.http.routers.matrix-bot-honoroit-metrics.service=matrix-bot-honoroit-metrics traefik.http.routers.matrix-bot-honoroit-metrics.middlewares={{ middlewares_metrics | join(',') }} traefik.http.routers.matrix-bot-honoroit-metrics.entrypoints={{ matrix_bot_honoroit_container_labels_traefik_entrypoints }} traefik.http.routers.matrix-bot-honoroit-metrics.tls={{ matrix_bot_honoroit_container_labels_traefik_tls | to_json }} From d475a4906def9424fd07dd4ea10671c2254833ea Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Thu, 18 May 2023 20:51:15 +0000 Subject: [PATCH 760/915] update ntfy 2.4.0 -> 2.5.0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 57f4709f2..d6ed01d07 100644 --- a/requirements.yml +++ b/requirements.yml @@ -40,7 +40,7 @@ version: v8615-0 name: jitsi - src: git+https://gitlab.com/etke.cc/roles/ntfy.git - version: v2.4.0-0 + version: v2.5.0-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git version: v2.44.0-0 name: prometheus From b71375fac736bb96d78d353f63a3711deecdac24 Mon Sep 17 00:00:00 2001 
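Review bot: The metrics router now points at a service named `matrix-bot-honoroit-metrics`, but the only service label this template was seen to carry — `traefik.http.services.matrix-bot-honoroit.loadbalancer.server.port=8080` — was removed two commits earlier, and no `matrix-bot-honoroit-metrics` service definition is visible in this hunk. If it is not defined further down the template (outside the hunk), Traefik will report the router as referencing an unknown service and the metrics route will not come up; the missing label would be `traefik.http.services.matrix-bot-honoroit-metrics.loadbalancer.server.port=8080`, assuming metrics are served on the same port the removed service used — confirm.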
From: Slavi Pantaleev Date: Fri, 19 May 2023 18:26:05 +0300 Subject: [PATCH 761/915] Disable healthcheck for Synapse workers which serve no web traffic This was mostly affecting the stream writer (events) worker, which was being reported as unhealthy. It wasn't causing any issues, but it just looked odd and was confusing people. As an alternative to hitting the regular `/health` healthcheck route (on the "client" API which this stream writer does not expose), we may have went for hitting some "replication" API endpoint instead. This is more complicated and likely unnecessary. --- roles/custom/matrix-synapse/tasks/synapse/workers/init.yml | 2 +- .../templates/synapse/systemd/matrix-synapse-worker.service.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml b/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml index 359fe0316..68b8f37e3 100644 --- a/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml @@ -21,7 +21,7 @@ ansible.builtin.set_fact: worker: id: "stream-writer-{{ idx }}-{{ item.stream }}" - # Names must not include understores. Certain stream writer streams (to_device, account_data, ..) do, so we fix them up. + # Names must not include underscores. Certain stream writer streams (to_device, account_data, ..) do, so we fix them up. name: "matrix-synapse-worker-stream-writer-{{ idx }}-{{ item.stream | replace('_', '-') }}" type: 'stream_writer' app: "generic_worker" diff --git a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 index 578d91078..4a6a01b78 100644 --- a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 
@@ -23,7 +23,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 --read-only \
 --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \
 --network={{ matrix_synapse_container_network }} \
- {% if matrix_synapse_worker_details.port != 0 %}
+ {% if matrix_synapse_worker_details.port != 0 and matrix_synapse_worker_details.webserving %}
 --health-cmd 'curl -fSs http://localhost:{{ matrix_synapse_worker_details.port }}/health || exit 1' \
 {% else %}
 --no-healthcheck \
From b5d5e49235a46d640ae427e1797a11e870ce1968 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Fri, 19 May 2023 19:32:34 +0300
Subject: [PATCH 762/915] Move Honoroit metrics from /honoroit/metrics to /metrics/honoroit
This restores consistency with other services.
Related to 8f903fa6215863051118143c6b5a2311c8d57f7d
---
 group_vars/matrix_servers | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 4a67c2df1..79a503d5a 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -1655,8 +1655,13 @@ matrix_bot_maubot_database_password: "{{ '%s' | format(matrix_homeserver_generic
 matrix_bot_honoroit_enabled: false
 matrix_bot_honoroit_hostname: "{{ matrix_server_fqn_matrix }}"
+
 matrix_bot_honoroit_path_prefix: /honoroit
+# For consistency with other things hosted at the matrix FQN, we adjust the metrics endpoint
+# so that metrics would be served at `/metrics/SERVICE_NAME`, and not at the default path for the role (`PREFIX/metrics`).
+matrix_bot_honoroit_container_labels_traefik_metrics_path: /metrics/honoroit
+
 matrix_bot_honoroit_systemd_required_services_list: |
 {{ ['docker.service']
From 014f5def55b944b65fb1b8047b060032ea8de1f7 Mon Sep 17 00:00:00 2001
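Review bot: The new condition reads `matrix_synapse_worker_details.webserving`, so every worker definition the playbook builds must now carry a `webserving` key; under Ansible's default undefined-variable handling a definition without it fails templating, and under lenient handling it silently falls into the `--no-healthcheck` branch. Either tolerate the missing key explicitly, `{% if matrix_synapse_worker_details.port != 0 and (matrix_synapse_worker_details.webserving | default(true)) %}` (which keeps the previous behaviour for workers that do not set it), or assert the key where the worker list is assembled. Workers in the else branch have no liveness signal at all, so a wedged stream writer no longer shows up as unhealthy in `docker ps`; a comment above the `{% if %}` naming that trade-off, e.g. `{# workers without a client/federation listener expose no /health route, so they run without a container healthcheck #}`, would help the next reader. The ExecStartPre command starts before this hunk.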
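Review bot: `matrix_bot_honoroit_container_labels_traefik_metrics_path: /metrics/honoroit` places the scrape endpoint on the shared `matrix_bot_honoroit_hostname` FQN, but neither the new comment nor the variable says what gates access to it; as far as the honoroit labels template in this same series shows, the metrics router applies only its `middlewares_metrics` list, so that list is the sole access control on this path. Suggest extending the comment with `# Access to this path is gated solely by the role's metrics middlewares; keep them enabled when the metrics router is exposed.` The honoroit variable block continues outside this hunk.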
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 May 2023 17:00:26 +0000 Subject: [PATCH 763/915] Bump frenck/action-yamllint from 1.4.0 to 1.4.1 Bumps [frenck/action-yamllint](https://github.com/frenck/action-yamllint) from 1.4.0 to 1.4.1. - [Release notes](https://github.com/frenck/action-yamllint/releases) - [Commits](https://github.com/frenck/action-yamllint/compare/v1.4.0...v1.4.1) --- updated-dependencies: - dependency-name: frenck/action-yamllint dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/matrix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml index abca55ae2..579ab7192 100644 --- a/.github/workflows/matrix.yml +++ b/.github/workflows/matrix.yml @@ -13,7 +13,7 @@ jobs: - name: Check out uses: actions/checkout@v3 - name: Run yamllint - uses: frenck/action-yamllint@v1.4.0 + uses: frenck/action-yamllint@v1.4.1 ansible-lint: name: ansible-lint runs-on: ubuntu-latest From 86abe0680a28e21baa316aeb53de98903e1da765 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Mon, 22 May 2023 18:01:02 +0000 Subject: [PATCH 764/915] Update mautrix-twitter 0.1.5 -> 0.1.6 --- roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml index cc11a69b3..55e8411b6 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml 
@@ -8,7 +8,7 @@ matrix_mautrix_twitter_container_image_self_build: false matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/mautrix/twitter.git" matrix_mautrix_twitter_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_twitter_version == 'latest' else matrix_mautrix_twitter_version }}" -matrix_mautrix_twitter_version: v0.1.5 +matrix_mautrix_twitter_version: v0.1.6 # See: https://mau.dev/tulir/mautrix-twitter/container_registry matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_name_prefix }}mautrix/twitter:{{ matrix_mautrix_twitter_version }}" matrix_mautrix_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else 'dock.mau.dev/' }}" From 9350eeb9fb8f95c7cc0e8ad0274dae7051fda593 Mon Sep 17 00:00:00 2001 From: Aine Date: Tue, 23 May 2023 17:33:23 +0300 Subject: [PATCH 765/915] update synapse 1.83.0 -> 1.84.0; set forget_rooms_on_leave = true --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- .../matrix-synapse/templates/synapse/homeserver.yaml.j2 | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index f159e01b8..cda427e39 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -4,7 +4,7 @@ matrix_synapse_enabled: true -matrix_synapse_version: v1.83.0 +matrix_synapse_version: v1.84.0 matrix_synapse_username: '' matrix_synapse_uid: '' diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 63cdafeb0..ff2533977 100644 --- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 
@@ -141,6 +141,10 @@ allow_public_rooms_over_federation: {{ matrix_synapse_allow_public_rooms_over_fe
 #
 default_room_version: {{ matrix_synapse_default_room_version|to_json }}
+# Set to true to automatically forget rooms for users when they leave them, either
+# normally or via a kick or ban. Defaults to false.
+forget_rooms_on_leave: true
+
 # The GC threshold parameters to pass to `gc.set_threshold`, if defined
 #
 #gc_thresholds: [700, 10, 10]
From 428f7a1f75337ef2f7b848e532d8d93f4a540919 Mon Sep 17 00:00:00 2001
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Wed, 24 May 2023 20:20:37 +0000
Subject: [PATCH 766/915] Update hookshot 4.0.0 -> 4.1.0
---
 roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml
index 18fc01525..247c542b7 100644
--- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml
+++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml
@@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false
 matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git"
 matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}"
-matrix_hookshot_version: 4.0.0
+matrix_hookshot_version: 4.1.0
 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}"
 matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}"
From 4b30c4d8128c51b8fffcfc8abe00053e7802772d Mon Sep 17 00:00:00 2001
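Review bot: `forget_rooms_on_leave: true` is hard-coded into the template, which flips a Synapse default (the copied comment directly above it still says `Defaults to false`) with no variable an operator can set to keep the upstream behaviour, while the neighbouring settings such as `default_room_version` are all rendered from a `matrix_synapse_*` variable. Make it `forget_rooms_on_leave: {{ matrix_synapse_forget_rooms_on_leave | to_json }}` with `matrix_synapse_forget_rooms_on_leave: true` in defaults/main.yml, and record the changed default in the changelog, since it alters what users see after leaving a room. A later commit in this series does exactly that, so this is a note on the commit as it stands rather than on the final state.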
From: Catalan Lover Date: Thu, 25 May 2023 00:52:28 +0200 Subject: [PATCH 767/915] Update Draupnir from 1.80.1 to 1.82.0 --- roles/custom/matrix-bot-draupnir/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-draupnir/defaults/main.yml b/roles/custom/matrix-bot-draupnir/defaults/main.yml index 92abc7ab0..6ee99a358 100644 --- a/roles/custom/matrix-bot-draupnir/defaults/main.yml +++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml @@ -4,7 +4,7 @@ matrix_bot_draupnir_enabled: true -matrix_bot_draupnir_version: "v1.80.1" +matrix_bot_draupnir_version: "v1.82.0" matrix_bot_draupnir_container_image_self_build: false matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/Gnuxie/Draupnir.git" From c55371e3058b5785aab54c07c567575df87af7f9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 25 May 2023 09:14:09 +0300 Subject: [PATCH 768/915] Add changelog entry for the forget_rooms_on_leave default change for Synapse Related to: - https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2698 - https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2700 --- CHANGELOG.md | 14 ++++++++++++++ roles/custom/matrix-synapse/defaults/main.yml | 4 ++++ .../templates/synapse/homeserver.yaml.j2 | 2 +- 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1b5118427..70b17b000 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,17 @@ +# 2023-05-25 + +## Enabling `forget_rooms_on_leave` by default for Synapse + +With the [Synapse v1.84.0 update](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2698), we've also **changed the default value** of the `forget_rooms_on_leave` setting of Synapse to a value of `true`. +This way, **when you leave a room, Synapse will now forget it automatically**. + +The upstream Synapse default is `false` (disabled), so that you must forget rooms manually after leaving. + +**We go against the upstream default** ([somewhat controversially](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2700)) in an effort to make Synapse leaner and potentially do what we believe most users would expect their homeserver to be doing. + +If you'd like to go back to the old behavior, add the following to your configuration: `matrix_synapse_forget_rooms_on_leave: false` + + # 2023-04-03 ## The matrix-jitsi role lives independently now diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index cda427e39..5903eb05b 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -928,6 +928,10 @@ matrix_synapse_room_list_publication_rules: matrix_synapse_default_room_version: "10" +# Controls whether leaving a room will automatically forget it. +# The upstream default is `false`, but we try to make Synapse less wasteful of resources, so we do things differently. +matrix_synapse_forget_rooms_on_leave: true + # Controls the Synapse `spam_checker` setting. # # If a spam-checker extension is enabled, this variable's value is set automatically by the playbook during runtime. diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index ff2533977..a36df6fc0 100644 --- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 
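Review bot: The comment on `matrix_synapse_forget_rooms_on_leave` explains the playbook's motivation but not what the operator gives up, nor that this is the knob to turn if users complain that left rooms vanish; an operator reading defaults/main.yml alone cannot tell. Suggest adding `# Set to false to keep Synapse's upstream behaviour (left rooms remain listed until forgotten manually). See the 2023-05-25 CHANGELOG entry.` below the existing two comment lines. The surrounding defaults block continues outside this hunk.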
+++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
@@ -143,7 +143,7 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }}
 # Set to true to automatically forget rooms for users when they leave them, either
 # normally or via a kick or ban. Defaults to false.
-forget_rooms_on_leave: true
+forget_rooms_on_leave: {{ matrix_synapse_forget_rooms_on_leave | to_json }}
 # The GC threshold parameters to pass to `gc.set_threshold`, if defined
 #
From 981805002d8a4f23a6cebdb53f14a4b0773de0a8 Mon Sep 17 00:00:00 2001
From: tammes
Date: Thu, 25 May 2023 22:45:09 +0200
Subject: [PATCH 769/915] add example Caddyfile for fronting Traefik, mark the old one as deprecated and update READMEs
---
 docs/configuring-playbook-own-webserver.md | 2 +-
 examples/caddy2/Caddyfile | 255 +------------------
 examples/caddy2/Caddyfile.deprecated | 269 +++++++++++++++++++++
 examples/caddy2/README.md | 26 +-
 examples/nginx/README.md | 2 +-
 5 files changed, 301 insertions(+), 253 deletions(-)
 create mode 100644 examples/caddy2/Caddyfile.deprecated
diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md
index 3d8c5b0d0..f276a554d 100644
--- a/docs/configuring-playbook-own-webserver.md
+++ b/docs/configuring-playbook-own-webserver.md
@@ -160,7 +160,7 @@ devture_traefik_additional_entrypoints_auto:
 #
 # trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY']
 ```
-For an example where the playbook's Traefik reverse-proxy is fronted by [Nginx](https://nginx.org/) running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md).
+For an example where the playbook's Traefik reverse-proxy is fronted by another reverse-proxy running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md) or [Caddy reverse-proxy fronting the playbook's Traefik](../examples/caddy2/README.md).
 ### Using no reverse-proxy on the Matrix side at all
diff --git a/examples/caddy2/Caddyfile b/examples/caddy2/Caddyfile
index 43005ca41..2ffcea520 100644
--- a/examples/caddy2/Caddyfile
+++ b/examples/caddy2/Caddyfile
@@ -1,112 +1,10 @@ -(cors) { - @cors_preflight method OPTIONS - - handle @cors_preflight { - header Access-Control-Allow-Origin "{args.0}" - header Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE" - header Access-Control-Allow-Headers "Content-Type, Authorization" - header Access-Control-Max-Age "3600" - } -} - - -matrix.DOMAIN.tld { - - # creates letsencrypt certificate - # tls your@email.com - - @identity { - path /_matrix/identity/* - } - - @noidentity { - not path /_matrix/identity/* - } - - @search { - path /_matrix/client/r0/user_directory/search/* - } - - @nosearch { - not path /_matrix/client/r0/user_directory/search/* - } - - @static { - path /matrix/static-files/* - } - - @nostatic { - not path /matrix/static-files/* - } - - @wellknown { - path /.well-known/matrix/* - } - - header { - # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS - Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" - # Enable cross-site filter (XSS) and tell browser to block detected attacks - X-XSS-Protection "1; mode=block" - # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type - X-Content-Type-Options "nosniff" - # Disallow the site to be rendered within a frame (clickjacking protection) - X-Frame-Options "DENY" - # X-Robots-Tag - X-Robots-Tag "noindex, noarchive, nofollow" - } - - # Cache - header @static { - # Cache - Cache-Control "public, max-age=31536000" - defer - } - - # identity - handle @identity { - reverse_proxy localhost:8090 { - header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} - header_up X-Forwarded-TlsProto {tls_protocol} - header_up X-Forwarded-TlsCipher {tls_cipher} - header_up X-Forwarded-HttpsProto {proto} - } - } - - # search - handle @search { - reverse_proxy localhost:8090 { - header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} - header_up 
X-Forwarded-TlsProto {tls_protocol} - header_up X-Forwarded-TlsCipher {tls_cipher} - header_up X-Forwarded-HttpsProto {proto} - } - } - - handle @wellknown { - encode zstd gzip - root * /matrix/static-files - header Cache-Control max-age=14400 - header Content-Type application/json - header Access-Control-Allow-Origin * - file_server - } - - # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the base domain - #handle @wellknown { - # # .well-known is handled by base domain - # reverse_proxy https://DOMAIN.tld { - # header_up Host {http.reverse_proxy.upstream.hostport} - #} +matrix.example.tld { handle { encode zstd gzip - reverse_proxy localhost:8008 { + reverse_proxy localhost:81 { header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} header_up X-Forwarded-TlsProto {tls_protocol} header_up X-Forwarded-TlsCipher {tls_cipher} header_up X-Forwarded-HttpsProto {proto} @@ -114,13 +12,12 @@ matrix.DOMAIN.tld { } } -matrix.DOMAIN.tld:8448 { +matrix.example.tld:8448 { handle { encode zstd gzip - reverse_proxy 127.0.0.1:8048 { + reverse_proxy 127.0.0.1:8449 { header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} header_up X-Forwarded-TlsProto {tls_protocol} header_up X-Forwarded-TlsCipher {tls_cipher} header_up X-Forwarded-HttpsProto {proto} 
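Review bot: The rewritten `matrix.example.tld` block drops the old `header { Strict-Transport-Security …; X-Content-Type-Options …; X-Frame-Options … }` stanza along with the per-path routing, and nothing in this commit says whether the playbook's Traefik sets those headers itself; Caddy is now the TLS edge, so browsers lose HSTS and frame/MIME hardening unless the headers are re-added here (the deprecated `X-XSS-Protection` header can stay gone). The proxying to `localhost:81` also relies on Traefik trusting `X-Forwarded-*` from this host — the docs hunk in this same commit mentions `trustedIPs` — so a comment such as `# Traefik must list this proxy's IP in trustedIPs, otherwise the forwarded headers are ignored` belongs above `reverse_proxy`. I am not aware of Traefik consuming the custom `X-Forwarded-TlsProto`, `X-Forwarded-TlsCipher` and `X-Forwarded-HttpsProto` headers; they look like leftovers from the old example. The same two observations apply to the `:8448` block in the next hunk, which forwards to `127.0.0.1:8449`. The site block is closed outside this hunk.
```caddyfile
matrix.example.tld {
	# Caddy terminates TLS here; Traefik on localhost:81 only sees plain HTTP,
	# so browser-facing hardening headers must be set at this edge unless Traefik adds them.
	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		X-Content-Type-Options "nosniff"
		X-Frame-Options "DENY"
	}

	# Traefik must list this proxy's IP in trustedIPs, otherwise the forwarded headers are ignored.
	# … unchanged: handle { encode zstd gzip; reverse_proxy localhost:81 { header_up … } } …
```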
@@ -128,142 +25,16 @@ matrix.DOMAIN.tld:8448 { } } -element.DOMAIN.tld { - # creates letsencrypt certificate - # tls your@email.com - - import cors https://*.DOMAIN.tld - - header { - # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS - Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" - # Enable cross-site filter (XSS) and tell browser to block detected attacks - X-XSS-Protection "1; mode=block" - # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type - X-Content-Type-Options "nosniff" - # Disallow the site to be rendered within a frame (clickjacking protection) - X-Frame-Options "DENY" - # If using integrations that add frames to Element, such as Dimension and its integrations running on the same domain, it can be a good idea to limit sources allowed to be rendered - # Content-Security-Policy frame-src https://*.DOMAIN.tld - # X-Robots-Tag - X-Robots-Tag "noindex, noarchive, nofollow" - } - - handle { - encode zstd gzip +example.tld { +# Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server + @wellknown { + path /.well-known/matrix/* + } - reverse_proxy localhost:8765 { - header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} - header_up X-Forwarded-TlsProto {tls_protocol} - header_up X-Forwarded-TlsCipher {tls_cipher} - header_up X-Forwarded-HttpsProto {proto} + handle @wellknown { + reverse_proxy https://matrix.example.tld { + header_up Host {http.reverse_proxy.upstream.hostport} } + } } - -#dimension.DOMAIN.tld { -# -# # creates letsencrypt certificate -# # tls your@email.com -# -# import cors 
https://*.DOMAIN.tld -# -# header { -# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS -# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" -# # Enable cross-site filter (XSS) and tell browser to block detected attacks -# X-XSS-Protection "1; mode=block" -# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type -# X-Content-Type-Options "nosniff" -# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain (clickjacking protection) -# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld -# # X-Robots-Tag -# X-Robots-Tag "noindex, noarchive, nofollow" -# } -# -# handle { -# encode zstd gzip -# -# reverse_proxy localhost:8184 { -# header_up X-Forwarded-Port {http.request.port} -# header_up X-Forwarded-Proto {http.request.scheme} -# header_up X-Forwarded-TlsProto {tls_protocol} -# header_up X-Forwarded-TlsCipher {tls_cipher} -# header_up X-Forwarded-HttpsProto {proto} -# } -# } -#} - - -#jitsi.DOMAIN.tld { -# -# creates letsencrypt certificate -# tls your@email.com -# -# import cors https://*.DOMAIN.tld -# -# header { -# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS -# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" -# -# # Enable cross-site filter (XSS) and tell browser to block detected attacks -# X-XSS-Protection "1; mode=block" -# -# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type -# X-Content-Type-Options "nosniff" - -# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain -# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld -# -# # Disable some features -# Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 
'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'" -# -# # Referer -# Referrer-Policy "no-referrer" -# -# # X-Robots-Tag -# X-Robots-Tag "none" -# -# # Remove Server header -# -Server -# } -# -# handle { -# encode zstd gzip -# -# reverse_proxy 127.0.0.1:13080 { -# header_up X-Forwarded-Port {http.request.port} -# header_up X-Forwarded-Proto {http.request.scheme} -# header_up X-Forwarded-TlsProto {tls_protocol} -# header_up X-Forwarded-TlsCipher {tls_cipher} -# header_up X-Forwarded-HttpsProto {proto} -# } -# } -#} -#DOMAIN.com { -# Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server -# @wellknown { -# path /.well-known/matrix/* -# } -# -# handle @wellknown { -# reverse_proxy https://matrix.DOMAIN.com { -# header_up Host {http.reverse_proxy.upstream.hostport} -# } -# } -# # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the matrix subdomain -# # handle /.well-known/* { -# # encode zstd gzip -# # header Cache-Control max-age=14400 -# # header Content-Type application/json -# # header Access-Control-Allow-Origin * -# #} -# -# # Configration for the base domain goes here -# # handle { -# # header -Server -# # encode zstd gzip -# # reverse_proxy localhost:4020 -# # } -#} diff --git a/examples/caddy2/Caddyfile.deprecated b/examples/caddy2/Caddyfile.deprecated new file mode 100644 index 000000000..43005ca41 --- /dev/null +++ b/examples/caddy2/Caddyfile.deprecated 
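Review bot: The `# Uncomment this if you are following "(Option 3) …"` comment was carried over from the old commented-out `#DOMAIN.com` block, but the `@wellknown` matcher and `handle @wellknown` beneath it are now live, so the instruction no longer matches the code; reword it to `# Only needed if you are following "(Option 3) …" of configuring-well-known.md` or comment the block out again. The `example.tld` site block has no other handler, so every request to the base domain other than `/.well-known/matrix/*` is presumably answered by Caddy with an empty response, and anyone already serving a website on the base domain must merge this matcher into their existing site block rather than add a second one — a comment saying so above `example.tld {` would prevent an accidental takeover of the base domain. The closing brace of the site block is the last line of this hunk.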
@@ -0,0 +1,269 @@ +(cors) { + @cors_preflight method OPTIONS + + handle @cors_preflight { + header Access-Control-Allow-Origin "{args.0}" + header Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE" + header Access-Control-Allow-Headers "Content-Type, Authorization" + header Access-Control-Max-Age "3600" + } +} + + +matrix.DOMAIN.tld { + + # creates letsencrypt certificate + # tls your@email.com + + @identity { + path /_matrix/identity/* + } + + @noidentity { + not path /_matrix/identity/* + } + + @search { + path /_matrix/client/r0/user_directory/search/* + } + + @nosearch { + not path /_matrix/client/r0/user_directory/search/* + } + + @static { + path /matrix/static-files/* + } + + @nostatic { + not path /matrix/static-files/* + } + + @wellknown { + path /.well-known/matrix/* + } + + header { + # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS + Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + # Enable cross-site filter (XSS) and tell browser to block detected attacks + X-XSS-Protection "1; mode=block" + # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type + X-Content-Type-Options "nosniff" + # Disallow the site to be rendered within a frame (clickjacking protection) + X-Frame-Options "DENY" + # X-Robots-Tag + X-Robots-Tag "noindex, noarchive, nofollow" + } + + # Cache + header @static { + # Cache + Cache-Control "public, max-age=31536000" + defer + } + + # identity + handle @identity { + reverse_proxy localhost:8090 { + header_up X-Forwarded-Port {http.request.port} + header_up X-Forwarded-Proto {http.request.scheme} + header_up X-Forwarded-TlsProto {tls_protocol} + header_up X-Forwarded-TlsCipher {tls_cipher} + header_up X-Forwarded-HttpsProto {proto} + } + } + + # search + handle @search { + reverse_proxy localhost:8090 { + header_up X-Forwarded-Port {http.request.port} + header_up X-Forwarded-Proto {http.request.scheme} + header_up 
X-Forwarded-TlsProto {tls_protocol} + header_up X-Forwarded-TlsCipher {tls_cipher} + header_up X-Forwarded-HttpsProto {proto} + } + } + + handle @wellknown { + encode zstd gzip + root * /matrix/static-files + header Cache-Control max-age=14400 + header Content-Type application/json + header Access-Control-Allow-Origin * + file_server + } + + # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the base domain + #handle @wellknown { + # # .well-known is handled by base domain + # reverse_proxy https://DOMAIN.tld { + # header_up Host {http.reverse_proxy.upstream.hostport} + #} + + handle { + encode zstd gzip + + reverse_proxy localhost:8008 { + header_up X-Forwarded-Port {http.request.port} + header_up X-Forwarded-Proto {http.request.scheme} + header_up X-Forwarded-TlsProto {tls_protocol} + header_up X-Forwarded-TlsCipher {tls_cipher} + header_up X-Forwarded-HttpsProto {proto} + } + } +} + +matrix.DOMAIN.tld:8448 { + handle { + encode zstd gzip + + reverse_proxy 127.0.0.1:8048 { + header_up X-Forwarded-Port {http.request.port} + header_up X-Forwarded-Proto {http.request.scheme} + header_up X-Forwarded-TlsProto {tls_protocol} + header_up X-Forwarded-TlsCipher {tls_cipher} + header_up X-Forwarded-HttpsProto {proto} + } + } +} + +element.DOMAIN.tld { + + # creates letsencrypt certificate + # tls your@email.com + + import cors https://*.DOMAIN.tld + + header { + # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS + Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + # Enable cross-site filter (XSS) and tell browser to block detected attacks + X-XSS-Protection "1; mode=block" + # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type + X-Content-Type-Options "nosniff" + # Disallow the site to be rendered within a frame (clickjacking protection) + X-Frame-Options "DENY" + # If 
using integrations that add frames to Element, such as Dimension and its integrations running on the same domain, it can be a good idea to limit sources allowed to be rendered + # Content-Security-Policy frame-src https://*.DOMAIN.tld + # X-Robots-Tag + X-Robots-Tag "noindex, noarchive, nofollow" + } + + handle { + encode zstd gzip + + reverse_proxy localhost:8765 { + header_up X-Forwarded-Port {http.request.port} + header_up X-Forwarded-Proto {http.request.scheme} + header_up X-Forwarded-TlsProto {tls_protocol} + header_up X-Forwarded-TlsCipher {tls_cipher} + header_up X-Forwarded-HttpsProto {proto} + } +} + +#dimension.DOMAIN.tld { +# +# # creates letsencrypt certificate +# # tls your@email.com +# +# import cors https://*.DOMAIN.tld +# +# header { +# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS +# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" +# # Enable cross-site filter (XSS) and tell browser to block detected attacks +# X-XSS-Protection "1; mode=block" +# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type +# X-Content-Type-Options "nosniff" +# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain (clickjacking protection) +# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld +# # X-Robots-Tag +# X-Robots-Tag "noindex, noarchive, nofollow" +# } +# +# handle { +# encode zstd gzip +# +# reverse_proxy localhost:8184 { +# header_up X-Forwarded-Port {http.request.port} +# header_up X-Forwarded-Proto {http.request.scheme} +# header_up X-Forwarded-TlsProto {tls_protocol} +# header_up X-Forwarded-TlsCipher {tls_cipher} +# header_up X-Forwarded-HttpsProto {proto} +# } +# } +#} + + +#jitsi.DOMAIN.tld { +# +# creates letsencrypt certificate +# tls your@email.com +# +# import cors https://*.DOMAIN.tld +# +# header { +# # Enable HTTP Strict Transport Security 
(HSTS) to force clients to always connect via HTTPS +# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" +# +# # Enable cross-site filter (XSS) and tell browser to block detected attacks +# X-XSS-Protection "1; mode=block" +# +# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type +# X-Content-Type-Options "nosniff" + +# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain +# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld +# +# # Disable some features +# Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'" +# +# # Referer +# Referrer-Policy "no-referrer" +# +# # X-Robots-Tag +# X-Robots-Tag "none" +# +# # Remove Server header +# -Server +# } +# +# handle { +# encode zstd gzip +# +# reverse_proxy 127.0.0.1:13080 { +# header_up X-Forwarded-Port {http.request.port} +# header_up X-Forwarded-Proto {http.request.scheme} +# header_up X-Forwarded-TlsProto {tls_protocol} +# header_up X-Forwarded-TlsCipher {tls_cipher} +# header_up X-Forwarded-HttpsProto {proto} +# } +# } +#} +#DOMAIN.com { +# Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server +# @wellknown { +# path /.well-known/matrix/* +# } +# +# handle @wellknown { +# reverse_proxy https://matrix.DOMAIN.com { +# header_up Host {http.reverse_proxy.upstream.hostport} 
+# } +# } +# # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the matrix subdomain +# # handle /.well-known/* { +# # encode zstd gzip +# # header Cache-Control max-age=14400 +# # header Content-Type application/json +# # header Access-Control-Allow-Origin * +# #} +# +# # Configration for the base domain goes here +# # handle { +# # header -Server +# # encode zstd gzip +# # reverse_proxy localhost:4020 +# # } +#} diff --git a/examples/caddy2/README.md b/examples/caddy2/README.md index fe8d57637..d4bfb4755 100644 --- a/examples/caddy2/README.md +++ b/examples/caddy2/README.md 
@@ -1,12 +1,20 @@ -# Caddyfile +# Caddy reverse-proxy fronting the playbook's integrated Traefik reverse-proxy -This directory contains sample files that show you how to do reverse-proxying using Caddy2. +This directory contains a sample config that shows you how to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with your own [Caddy](https://caddyserver.com/) reverse-proxy. -## Config -| Variable | Function | -| ------------------ | -------- | -| tls your@email.com | Specify an email address for your [ACME account](https://caddyserver.com/docs/caddyfile/directives/tls) (but if only one email is used for all sites, we recommend the email [global option](https://caddyserver.com/docs/caddyfile/options) instead) | -| tls | To enable [tls](https://caddyserver.com/docs/caddyfile/directives/tls) support uncomment the lines for tls | -| Dimension | To enable Dimension support uncomment the lines for Dimension and set your data | -| Jitsi | To enable Jitsi support uncomment the lines for Jitsi and set your data | +## Prerequisite configuration + +To get started, first follow the [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instructions and update your playbook's configuration (`inventory/host_vars/matrix./vars.yml`). + + +## Using the Caddyfile + +You can either just use the [Caddyfile](Caddyfile) directly or append its content to your own Caddyfile. +In both cases make sure to replace all the `example.tld` domains with your own domain. + +This example does not include additional services like element, but you should be able copy the first block and replace the matrix subdomain with the additional services subdomain. I have not tested this though. 
+ +# Caddyfile.deprecated + +This can be used as a [Caddy](https://caddyserver.com/) reverse-proxy without intermediary playbook managed reverse proxy. However, this setup is not supported by the playbook anymore. Instead [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) as described above. diff --git a/examples/nginx/README.md b/examples/nginx/README.md index 11fca299e..d8698ba6b 100644 --- a/examples/nginx/README.md +++ b/examples/nginx/README.md @@ -1,6 +1,6 @@ # Nginx reverse-proxy fronting the playbook's integrated Traefik reverse-proxy -This directory contains a sample config that shows you how use the [nginx](https://nginx.org/) webserver to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with another reverse-proxy. +This directory contains a sample config that shows you how to use the [nginx](https://nginx.org/) webserver to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with another reverse-proxy. ## Prerequisite configuration From f98f803b4404c739e19da6b27fd857ceaac93880 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 26 May 2023 10:17:20 +0300 Subject: [PATCH 770/915] Revert "Update hookshot 4.0.0 -> 4.1.0" This reverts commit 428f7a1f75337ef2f7b848e532d8d93f4a540919. Looks like it won't become a tagged image until a "release" is posted. --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 247c542b7..18fc01525 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml 
@@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git" matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}" -matrix_hookshot_version: 4.1.0 +matrix_hookshot_version: 4.0.0 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}" matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}" From b9d9a41ea671d35171fc938d8068cf27d37d988a Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 26 May 2023 19:28:27 +0000 Subject: [PATCH 771/915] update mautrix-telegram 0.13.0 -> 0.14.0 --- roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml index d6f44bbcb..c5b7b9a39 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml 
@@ -17,7 +17,7 @@ matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git" matrix_mautrix_telegram_docker_repo_version: "{{ 'master' if matrix_mautrix_telegram_version == 'latest' else matrix_mautrix_telegram_version }}" matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src" -matrix_mautrix_telegram_version: v0.13.0 +matrix_mautrix_telegram_version: v0.14.0 # See: https://mau.dev/mautrix/telegram/container_registry matrix_mautrix_telegram_docker_image: "{{ matrix_mautrix_telegram_docker_image_name_prefix }}mautrix/telegram:{{ matrix_mautrix_telegram_version }}" matrix_mautrix_telegram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_telegram_container_image_self_build else 'dock.mau.dev/' }}" From c36fd8cfc29f738143b4212a07f89191574a5f48 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 26 May 2023 19:29:26 +0000 Subject: [PATCH 772/915] Update synapse 1.84.0 -> 1.84.1 --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 5903eb05b..a0169eb0c 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -4,7 +4,7 @@ matrix_synapse_enabled: true -matrix_synapse_version: v1.84.0 +matrix_synapse_version: v1.84.1 matrix_synapse_username: '' matrix_synapse_uid: '' From 788fa0e766a41761533dd39b466311b71bc41897 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Sat, 27 May 2023 15:59:54 +0000 Subject: [PATCH 773/915] update prometheus-node-exporter 1.5.0 -> 1.6.0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index d6ed01d07..f754b10a7 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -45,7 +45,7 @@ version: v2.44.0-0 name: prometheus - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git - version: v1.5.0-7 + version: v1.6.0-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git name: prometheus_postgres_exporter version: v0.12.0-0 From cfedf675eef97900c76304075e6e42ef1fe2cc04 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 28 May 2023 21:27:03 +0300 Subject: [PATCH 774/915] Upgrade Traefik (v2.9.10-2 -> v2.10.1-0) --- requirements.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements.yml b/requirements.yml index f754b10a7..bd260d6cc 100644 --- a/requirements.yml +++ b/requirements.yml @@ -26,7 +26,7 @@ - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git version: v1.0.0-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: v2.9.10-2 + version: v2.10.1-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: v2.8.1-0 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git @@ -47,7 +47,7 @@ - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git version: v1.6.0-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git - name: prometheus_postgres_exporter version: v0.12.0-0 + name: prometheus_postgres_exporter - src: git+https://gitlab.com/etke.cc/roles/redis.git version: v7.0.10-0 From 90d25bccd274b2edb89876da7ec090730f9441a9 Mon Sep 17 00:00:00 2001 From: Luke D Iremadze Date: Mon, 29 May 2023 03:10:07 -0600 Subject: [PATCH 775/915] Update prerequisites.md These ports need to be open in order to receive emails to the Postmoogle bridge --- docs/prerequisites.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/prerequisites.md b/docs/prerequisites.md index be60a5f45..5fa2b1d2a 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md 
@@ -40,6 +40,8 @@ If your distro runs within an [LXC container](https://linuxcontainers.org/), you - `5349/udp`: TURN over UDP (used by Coturn) - `8448/tcp`: Matrix Federation API HTTPS webserver. In some cases, this **may necessary even with federation disabled**. Integration Servers (like Dimension) and Identity Servers (like ma1sd) may need to access `openid` APIs on the federation port. - the range `49152-49172/udp`: TURN over UDP + - `25/tcp`: SMTP over TCP (used by Postmoogle) + - `587/tcp`: TLS over TCP (used by Postmoogle) - potentially some other ports, depending on the additional (non-default) services that you enable in the **configuring the playbook** step (later on). Consult each service's documentation page in `docs/` for that. When ready to proceed, continue with [Configuring DNS](configuring-dns.md). From 67bcf4bc8ae93796831898ff99fc1c58689036ea Mon Sep 17 00:00:00 2001 From: Luke D Iremadze Date: Mon, 29 May 2023 04:03:31 -0600 Subject: [PATCH 776/915] Updates to the Postmoogle documentation --- docs/configuring-playbook-bot-postmoogle.md | 37 ++++++++++++++++++- docs/prerequisites.md | 2 - .../matrix-bot-postmoogle/defaults/main.yml | 8 ++-- 3 files changed, 39 insertions(+), 8 deletions(-) diff --git a/docs/configuring-playbook-bot-postmoogle.md b/docs/configuring-playbook-bot-postmoogle.md index 0fa366935..4d4ba520e 100644 --- a/docs/configuring-playbook-bot-postmoogle.md +++ b/docs/configuring-playbook-bot-postmoogle.md 
@@ -4,12 +4,29 @@ The playbook can install and configure [Postmoogle](https://gitlab.com/etke.cc/postmoogle) for you. -It's a bot/bridge you can use to forward emails to Matrix rooms +It's a bot/bridge you can use to forward emails to Matrix rooms. +Postmoogle runs an email server through SMTP and allaws you to create mailboxes to the domain you define in the DNS settings. See the project's [documentation](https://gitlab.com/etke.cc/postmoogle) to learn what it does and why it might be useful to you. +## Prerequisites -## Adjusting the playbook configuration +### Ports + +Open the following ports to your server (without it you will not recive email, but you can still send): + - `25/tcp`: SMTP + - `587/tcp`: TLS-encrypted SMTP + +You can change the above default ports through the following variables in the playbook: + +```yaml +# on-host ports +matrix_bot_postmoogle_smtp_host_bind_port: '25' +matrix_bot_postmoogle_submission_host_bind_port: '587' +``` + + +### Adjusting the playbook configuration Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: @@ -23,6 +40,13 @@ matrix_bot_postmoogle_enabled: true matrix_bot_postmoogle_password: PASSWORD_FOR_THE_BOT ``` +Add an admin to Postmoogle with: +```yaml +matrix_bot_postmoogle_admins: + - '@yourAdminAccount:domain.com' +``` + +### DNS You will also need to add several DNS records so that postmoogle can send emails. See [Configuring DNS](configuring-dns.md). @@ -51,3 +75,12 @@ Then send `!pm mailbox NAME` to expose this Matrix room as an inbox with the ema Send `!pm help` to the room to see the bot's help menu for additional commands. You can also refer to the upstream [documentation](https://gitlab.com/etke.cc/postmoogle). + +### Debug/Logs +In case you need to debug declare: + +```yaml +matrix_bot_postmoogle_loglevel: 'DEBUG' +``` + +And access it through `journalctl -fu matrix-bot-postmoogle` \ No newline at end of file 
diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 5fa2b1d2a..be60a5f45 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -40,8 +40,6 @@ If your distro runs within an [LXC container](https://linuxcontainers.org/), you - `5349/udp`: TURN over UDP (used by Coturn) - `8448/tcp`: Matrix Federation API HTTPS webserver. In some cases, this **may necessary even with federation disabled**. Integration Servers (like Dimension) and Identity Servers (like ma1sd) may need to access `openid` APIs on the federation port. - the range `49152-49172/udp`: TURN over UDP - - `25/tcp`: SMTP over TCP (used by Postmoogle) - - `587/tcp`: TLS over TCP (used by Postmoogle) - potentially some other ports, depending on the additional (non-default) services that you enable in the **configuring the playbook** step (later on). Consult each service's documentation page in `docs/` for that. When ready to proceed, continue with [Configuring DNS](configuring-dns.md). diff --git a/roles/custom/matrix-bot-postmoogle/defaults/main.yml b/roles/custom/matrix-bot-postmoogle/defaults/main.yml index 4eeb835be..0c9db2d70 100644 --- a/roles/custom/matrix-bot-postmoogle/defaults/main.yml +++ b/roles/custom/matrix-bot-postmoogle/defaults/main.yml @@ -81,10 +81,10 @@ matrix_bot_postmoogle_maxsize: '1024' # A list of admins # Example set of rules: # matrix_bot_postmoogle_admins: -# - @someone:example.com -# - @another:example.com -# - @bot.*:example.com -# - @*:another.com +# - '@someone:example.com' +# - '@another:example.com' +# - '@bot.*:example.com' +# - '@*:another.com' matrix_bot_postmoogle_admins: "{{ [matrix_admin] if matrix_admin else [] }}" # Sentry DSN. Deprecated, use matrix_bot_postmoogle_monitoring_sentry_dsn From d3f85c5c7ca53610aa1233f542fd004cabc36daa Mon Sep 17 00:00:00 2001 
From: anytimesoon Date: Mon, 29 May 2023 19:05:05 +0200 Subject: [PATCH 777/915] Update configuring-playbook-bot-chatgpt.md added an extra step to creating the chatgpt bot so it can read encrypted messages --- docs/configuring-playbook-bot-chatgpt.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bot-chatgpt.md b/docs/configuring-playbook-bot-chatgpt.md index 7a006816d..fa7972cae 100644 --- a/docs/configuring-playbook-bot-chatgpt.md +++ b/docs/configuring-playbook-bot-chatgpt.md @@ -20,10 +20,12 @@ ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.chatgpt ``` -## 2. Get an access token +## 2. Get an access token and create encryption keys Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md). +To make sure the bot can read encrypted messages, it will need an encryption key, just like any other new user. While obtaining the access token, follow the prompts to setup a backup key. More information can be found in the [element documentation](https://element.io/help#encryption6). + ## 3. Adjusting the playbook configuration From 127b60a1cec2c12623ce7637c2f18ab123a2af0b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 30 May 2023 09:09:24 +0300 Subject: [PATCH 778/915] Fixing typos and rewording --- docs/configuring-playbook-bot-postmoogle.md | 40 +++++++++++---------- 1 file changed, 21 insertions(+), 19 deletions(-) diff --git a/docs/configuring-playbook-bot-postmoogle.md b/docs/configuring-playbook-bot-postmoogle.md index 4d4ba520e..b66285a51 100644 --- a/docs/configuring-playbook-bot-postmoogle.md +++ b/docs/configuring-playbook-bot-postmoogle.md 
@@ -5,25 +5,22 @@ The playbook can install and configure [Postmoogle](https://gitlab.com/etke.cc/postmoogle) for you. It's a bot/bridge you can use to forward emails to Matrix rooms. -Postmoogle runs an email server through SMTP and allaws you to create mailboxes to the domain you define in the DNS settings. +Postmoogle runs an SMTP email server and allows you to assign mailbox addresses to Matrix rooms. See the project's [documentation](https://gitlab.com/etke.cc/postmoogle) to learn what it does and why it might be useful to you. ## Prerequisites -### Ports +### Networking + +Open the following ports on your server to be able to receive incoming emails: -Open the following ports to your server (without it you will not recive email, but you can still send): - `25/tcp`: SMTP - - `587/tcp`: TLS-encrypted SMTP + - `587/tcp`: Submission (TLS-encrypted SMTP) -You can change the above default ports through the following variables in the playbook: +If you don't open these ports, you will still be able to send emails, but not receive any. -```yaml -# on-host ports -matrix_bot_postmoogle_smtp_host_bind_port: '25' -matrix_bot_postmoogle_submission_host_bind_port: '587' -``` +These port numbers are configurable via the `matrix_bot_postmoogle_smtp_host_bind_port` and `matrix_bot_postmoogle_submission_host_bind_port` variables, but other email servers will try to deliver on these default (standard) ports, so changing them is of little use. ### Adjusting the playbook configuration 
@@ -38,16 +35,20 @@ matrix_bot_postmoogle_enabled: true # Generate a strong password here. Consider generating it with `pwgen -s 64 1` matrix_bot_postmoogle_password: PASSWORD_FOR_THE_BOT -``` -Add an admin to Postmoogle with: -```yaml -matrix_bot_postmoogle_admins: - - '@yourAdminAccount:domain.com' +# Uncomment to add one or more admins to this bridge: +# +# matrix_bot_postmoogle_admins: +# - '@yourAdminAccount:domain.com' +# +# .. unless you've made yourself an admin of all bridges like this: +# +# matrix_admin: '@yourAdminAccount:domain.com' ``` ### DNS -You will also need to add several DNS records so that postmoogle can send emails. + +You will also need to add several DNS records so that Postmoogle can send emails. See [Configuring DNS](configuring-dns.md). @@ -77,10 +78,11 @@ Send `!pm help` to the room to see the bot's help menu for additional commands. You can also refer to the upstream [documentation](https://gitlab.com/etke.cc/postmoogle). ### Debug/Logs -In case you need to debug declare: + +As with all other services, you can find their logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by running something like `journalctl -fu matrix-bot-postmoogle` + +The default logging level for this bridge is `INFO`, but you can increase it to `DEBUG` with the following additional configuration: ```yaml matrix_bot_postmoogle_loglevel: 'DEBUG' ``` - -And access it through `journalctl -fu matrix-bot-postmoogle` \ No newline at end of file From dca6db15daf35c1c08e25b24639ce1a039ffe88c Mon Sep 17 00:00:00 2001 From: Sergio Durigan Junior Date: Tue, 30 May 2023 22:59:33 -0400 Subject: [PATCH 779/915] Fix prefix path when loading Hydrogen's theme-element.json This is needed when using a prefix path that doesn't end with a slash. Signed-off-by: Sergio Durigan Junior --- roles/custom/matrix-client-hydrogen/templates/config.json.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/custom/matrix-client-hydrogen/templates/config.json.j2 b/roles/custom/matrix-client-hydrogen/templates/config.json.j2 index e503c105b..519d22615 100644 --- a/roles/custom/matrix-client-hydrogen/templates/config.json.j2 +++ b/roles/custom/matrix-client-hydrogen/templates/config.json.j2 @@ -3,7 +3,7 @@ "defaultHomeServer": {{ matrix_client_hydrogen_default_hs_url | string | to_json }}, "bugReportEndpointUrl": {{ matrix_client_hydrogen_bugReportEndpointUrl | to_json }}, "themeManifests": [ - "{{ matrix_client_hydrogen_path_prefix }}assets/theme-element.json" + "{{ '' if matrix_client_hydrogen_path_prefix == '/' else matrix_client_hydrogen_path_prefix }}/assets/theme-element.json" ], "defaultTheme": { "light": "element-light", From e53c6c802004b89eea994b127b82f60ac012a617 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 26 May 2023 10:17:20 +0300 Subject: [PATCH 780/915] Revert "Revert "Update hookshot 4.0.0 -> 4.1.0"" This reverts commit f98f803b4404c739e19da6b27fd857ceaac93880. As the docker image has been released for this version we can now upgrade to this version --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 18fc01525..247c542b7 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml 
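Review bot: The new expression special-cases only a prefix of exactly `/`, so a prefix that keeps its trailing slash (the shape the old `{{ matrix_client_hydrogen_path_prefix }}assets/...` line assumed, e.g. `/hydrogen/`) now renders with a doubled slash as `/hydrogen//assets/theme-element.json`, which may not resolve depending on how the path is served. Stripping a trailing slash covers `/`, `/hydrogen` and `/hydrogen/` in one step: `"{{ matrix_client_hydrogen_path_prefix | regex_replace('/$', '') }}/assets/theme-element.json"`. Unlike the two sibling values above it, this string is interpolated raw rather than through `to_json`, so a prefix containing a double quote would produce invalid JSON; `{{ (matrix_client_hydrogen_path_prefix | regex_replace('/$', '') ~ '/assets/theme-element.json') | to_json }}` keeps the document well-formed in that case as well.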
@@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git" matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}" -matrix_hookshot_version: 4.0.0 +matrix_hookshot_version: 4.1.0 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}" matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}" From 795ce3e21dfe041db83d3fbbc9143684a5f1c273 Mon Sep 17 00:00:00 2001 From: Catalan Lover Date: Thu, 1 Jun 2023 02:14:55 +0200 Subject: [PATCH 781/915] Update Draupnir to 1.83.0 from 1.82.0 --- roles/custom/matrix-bot-draupnir/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-draupnir/defaults/main.yml b/roles/custom/matrix-bot-draupnir/defaults/main.yml index 6ee99a358..bd0e2defa 100644 --- a/roles/custom/matrix-bot-draupnir/defaults/main.yml +++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml @@ -4,7 +4,7 @@ matrix_bot_draupnir_enabled: true -matrix_bot_draupnir_version: "v1.82.0" +matrix_bot_draupnir_version: "v1.83.0" matrix_bot_draupnir_container_image_self_build: false matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/Gnuxie/Draupnir.git" From 4acb54f7967445f3ccfc8685fdf988f0f14b7d57 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Thu, 1 Jun 2023 08:18:49 +0000 Subject: [PATCH 782/915] Update mautrix-facebook 0.4.1 -> 0.5.0 --- roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml index ba718a668..dcd9fdfa0 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -7,7 +7,7 @@ matrix_mautrix_facebook_enabled: true matrix_mautrix_facebook_container_image_self_build: false matrix_mautrix_facebook_container_image_self_build_repo: "https://mau.dev/mautrix/facebook.git" -matrix_mautrix_facebook_version: v0.4.1 +matrix_mautrix_facebook_version: v0.5.0 matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}mautrix/facebook:{{ matrix_mautrix_facebook_version }}" matrix_mautrix_facebook_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_facebook_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}" From 3f89e6191554da62df958bf83eaefedaa4669a2d Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Thu, 1 Jun 2023 08:21:16 +0000 Subject: [PATCH 783/915] Update mautrix-instagram 0.2.3 -> 0.3.0 --- roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml index ef696fa80..2288fb776 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml 
@@ -8,7 +8,7 @@ matrix_mautrix_instagram_container_image_self_build: false matrix_mautrix_instagram_container_image_self_build_repo: "https://github.com/mautrix/instagram.git" matrix_mautrix_instagram_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_instagram_version == 'latest' else matrix_mautrix_instagram_version }}" -matrix_mautrix_instagram_version: v0.2.3 +matrix_mautrix_instagram_version: v0.3.0 # See: https://mau.dev/tulir/mautrix-instagram/container_registry matrix_mautrix_instagram_docker_image: "{{ matrix_mautrix_instagram_docker_image_name_prefix }}mautrix/instagram:{{ matrix_mautrix_instagram_version }}" matrix_mautrix_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_instagram_container_image_self_build else 'dock.mau.dev/' }}" From 0a3e93e47c55c96ba60ed6102ebe72a0172891e7 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Thu, 1 Jun 2023 08:22:35 +0000 Subject: [PATCH 784/915] Update chatgpt 3.1.0 -> 3.1.2 --- roles/custom/matrix-bot-chatgpt/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-chatgpt/defaults/main.yml b/roles/custom/matrix-bot-chatgpt/defaults/main.yml index 36cc60c0e..00eae1676 100644 --- a/roles/custom/matrix-bot-chatgpt/defaults/main.yml +++ b/roles/custom/matrix-bot-chatgpt/defaults/main.yml @@ -4,7 +4,7 @@ matrix_bot_chatgpt_enabled: true -matrix_bot_chatgpt_version: 3.1.0 +matrix_bot_chatgpt_version: 3.1.2 matrix_bot_chatgpt_container_image_self_build: false matrix_bot_chatgpt_container_image_self_build_repo: "https://github.com/matrixgpt/matrix-chatgpt-bot" From 37165ef20259405e735b5aa2927025202e7573a8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 2 Jun 2023 10:44:31 +0300 Subject: [PATCH 785/915] Upgrade Traefik (v2.10.1-0 -> v2.10.1-1) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/requirements.yml b/requirements.yml index bd260d6cc..3c2572ab3 100644 --- a/requirements.yml +++ b/requirements.yml @@ -26,7 +26,7 @@ - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git version: v1.0.0-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: v2.10.1-0 + version: v2.10.1-1 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: v2.8.1-0 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git From e4498f9568667a2914a70942e0a8dc7231a5afe0 Mon Sep 17 00:00:00 2001 From: Luke Moch <19363185+mochman@users.noreply.github.com> Date: Fri, 2 Jun 2023 06:23:30 -0400 Subject: [PATCH 786/915] Fix for hookshot validation failure --- roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml b/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml index 576eb0079..05e5cb856 100644 --- a/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml @@ -81,7 +81,7 @@ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} --cap-drop=ALL -v {{ matrix_hookshot_base_path }}/config.yml:/config.yml - {{ matrix_hookshot_docker_image }} node Config/Config.js /config.yml + {{ matrix_hookshot_docker_image }} node config/Config.js /config.yml register: hookshot_config_validation_result changed_when: false From 1f0da9f744156eb36070e301842806046e93b62b Mon Sep 17 00:00:00 2001 From: Luke D Iremadze Date: Fri, 2 Jun 2023 12:50:46 -0600 Subject: [PATCH 787/915] Create hooks for user search ability --- roles/custom/matrix-synapse/defaults/main.yml | 5 +++++ .../matrix-synapse/templates/synapse/homeserver.yaml.j2 | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) 
diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index a0169eb0c..df2f7bf8c 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -334,6 +334,11 @@ matrix_synapse_limit_profile_requests_to_users_who_share_rooms: false # Defaults to 'true'. matrix_synapse_include_profile_data_on_invite: true + +# User search behaviour +matrix_synapse_search_all_users: false +matrix_synapse_prefer_local_users: false + # Controls whether people with access to the homeserver can register by themselves. matrix_synapse_enable_registration: false # Controls whether people with access to the homeserver can register by themselves without verification (email/msisdn/token) diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index a36df6fc0..ebfc2711c 100644 --- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2630,7 +2630,7 @@ user_directory: # Uncomment to return search results containing all known users, even if that # user does not share a room with the requester. # - #search_all_users: true + search_all_users: {{ matrix_synapse_search_all_users|to_json }} # Defines whether to prefer local users in search query results. # If True, local users are more likely to appear above remote users @@ -2639,7 +2639,7 @@ user_directory: # Uncomment to prefer local over remote users in user directory search # results. # - #prefer_local_users: true + prefer_local_users: {{ matrix_synapse_prefer_local_users|to_json }} # User Consent configuration From 130c278a3c42b4ba601d6eff830cf7c34fee2b7a Mon Sep 17 00:00:00 2001 
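Review bot: The two new variables in defaults/main.yml are introduced under a bare `# User search behaviour` heading with no description of what each one does, while the neighbouring defaults each carry an explanatory comment; the homeserver.yaml.j2 hunk in the same commit shows what they control. Suggest placing `# Controls whether user directory search returns all known users, even ones that share no room with the requester (user_directory.search_all_users in homeserver.yaml)` above the first variable and `# Controls whether local users are ranked above remote users in user directory search results (user_directory.prefer_local_users)` above the second. Because enabling the first makes every user the server knows about discoverable to any local account, a sentence stating that next to the default helps an operator understand what they are opting into.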
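Review bot: The context comments directly above both changed lines in homeserver.yaml.j2 still say `# Uncomment to return search results containing all known users, ...` and `# Uncomment to prefer local over remote users ...`, which no longer fits now that the keys are always rendered from playbook variables; a reader following them would look for a line to uncomment rather than a variable to set. Suggest rewording each to something like `# Controlled by the playbook variable rendered below; set it in your vars.yml rather than editing this file`. Both hunks of this file have the same issue.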
From: Luke D Iremadze Date: Fri, 2 Jun 2023 23:38:57 -0600 Subject: [PATCH 788/915] Update roles/custom/matrix-synapse/defaults/main.yml Co-authored-by: Slavi Pantaleev --- roles/custom/matrix-synapse/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index df2f7bf8c..4376a960e 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -336,8 +336,8 @@ matrix_synapse_include_profile_data_on_invite: true # User search behaviour -matrix_synapse_search_all_users: false -matrix_synapse_prefer_local_users: false +matrix_synapse_user_directory_search_all_users: false +matrix_synapse_user_directory_prefer_local_users: false # Controls whether people with access to the homeserver can register by themselves. matrix_synapse_enable_registration: false From 2f4428bf5b4c1f6658d33236f824748db455b2f9 Mon Sep 17 00:00:00 2001 From: Luke D Iremadze Date: Fri, 2 Jun 2023 23:39:17 -0600 Subject: [PATCH 789/915] Update roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 Co-authored-by: Slavi Pantaleev --- .../custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index ebfc2711c..05700c9b5 100644 --- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2639,7 +2639,7 @@ user_directory: # Uncomment to prefer local over remote users in user directory search # results. # - prefer_local_users: {{ matrix_synapse_prefer_local_users|to_json }} + prefer_local_users: {{ matrix_synapse_user_directory_prefer_local_users | to_json }} # User Consent configuration 
From 5c0279f0c962b29ab6cf75c7bb7ff94d8e5e3e7e Mon Sep 17 00:00:00 2001 From: Luke D Iremadze Date: Fri, 2 Jun 2023 23:39:55 -0600 Subject: [PATCH 790/915] Update roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 Co-authored-by: Slavi Pantaleev --- .../custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 05700c9b5..f42f6e309 100644 --- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2630,7 +2630,7 @@ user_directory: # Uncomment to return search results containing all known users, even if that # user does not share a room with the requester. # - search_all_users: {{ matrix_synapse_search_all_users|to_json }} + search_all_users: {{ matrix_synapse_user_directory_search_all_users | to_json }} # Defines whether to prefer local users in search query results. # If True, local users are more likely to appear above remote users From b96792ecf920297c167181f5d7341523db43aee2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 6 Jun 2023 10:46:08 +0300 Subject: [PATCH 791/915] Upgrade ddclient (v3.10.0-ls111 -> v3.10.0-ls123) --- roles/custom/matrix-dynamic-dns/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-dynamic-dns/defaults/main.yml b/roles/custom/matrix-dynamic-dns/defaults/main.yml index 08cf023ca..5a60194a3 100644 --- a/roles/custom/matrix-dynamic-dns/defaults/main.yml +++ b/roles/custom/matrix-dynamic-dns/defaults/main.yml 
@@ -7,7 +7,7 @@ matrix_dynamic_dns_enabled: true # The dynamic dns daemon interval matrix_dynamic_dns_daemon_interval: '300' -matrix_dynamic_dns_version: v3.10.0-ls111 +matrix_dynamic_dns_version: v3.10.0-ls123 # The docker container to use when in mode matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}" From 69cece9fa32a43217fc057e6bcd858b62c72149d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 6 Jun 2023 13:51:25 +0300 Subject: [PATCH 792/915] Upgrade Synapse (v1.84.1 -> v1.85.0) --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 4376a960e..f9853c3de 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -4,7 +4,7 @@ matrix_synapse_enabled: true -matrix_synapse_version: v1.84.1 +matrix_synapse_version: v1.85.0 matrix_synapse_username: '' matrix_synapse_uid: '' From 0ce0a62eb7c540513086ba08decb8c697a314d6a Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 6 Jun 2023 23:48:08 +0300 Subject: [PATCH 793/915] Update hookshot 4.0.0 (4.1.0?) -> 4.2.0 --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 247c542b7..55dbdfea7 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml 
@@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git" matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}" -matrix_hookshot_version: 4.1.0 +matrix_hookshot_version: 4.2.0 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}" matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}" From 63473482baf2b0a1e323bb241883403b3eca11df Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 6 Jun 2023 23:50:38 +0300 Subject: [PATCH 794/915] Update grafana 9.5.2 -> 9.5.3 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 3c2572ab3..c88c27b67 100644 --- a/requirements.yml +++ b/requirements.yml @@ -35,7 +35,7 @@ version: 6.1.0 name: geerlingguy.docker - src: git+https://gitlab.com/etke.cc/roles/grafana.git - version: v9.5.2-0 + version: v9.5.3-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git version: v8615-0 name: jitsi From aab55d5b5cf471e5b84457c1172d43cabb6960dd Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 6 Jun 2023 23:53:18 +0300 Subject: [PATCH 795/915] Update borgmatic 1.7.13 -> 1.7.14 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 3c2572ab3..845f52fe7 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -4,7 +4,7 @@ version: v1.0.0-1 name: aux - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git - version: v1.2.4-1.7.13-0 + version: v1.2.4-1.7.14-0 - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git version: v0.1.1-2 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git From 3a458308a55ae7a70cbba42625e4a31445261ef9 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 6 Jun 2023 23:55:37 +0300 Subject: [PATCH 796/915] Update element 1.11.31 -> 1.11.32 --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 109b42e87..ad30f16f7 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml @@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.11.31 +matrix_client_element_version: v1.11.32 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From f320110e902bfe1f995f4a2361db8d7e4917594f Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Wed, 7 Jun 2023 14:12:38 +0300 Subject: [PATCH 797/915] Enable com.devture.shared_secret_auth login type for matrix-synapse-shared-secret-auth by default Now that Element v1.11.32 is out and https://github.com/vector-im/element-web/issues/19605 is fixed (by https://github.com/matrix-org/matrix-react-sdk/pull/10975), we don't need to force-disable this login type. --- roles/custom/matrix-synapse/defaults/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index f9853c3de..804ef17a4 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -792,8 +792,7 @@ matrix_synapse_ext_password_provider_shared_secret_auth_enabled: false matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/2.0.2/shared_secret_authenticator.py" matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "" matrix_synapse_ext_password_provider_shared_secret_auth_m_login_password_support_enabled: true -# We'd like to enable this, but it causes trouble for Element: https://github.com/vector-im/element-web/issues/19605 -matrix_synapse_ext_password_provider_shared_secret_auth_com_devture_shared_secret_auth_support_enabled: false +matrix_synapse_ext_password_provider_shared_secret_auth_com_devture_shared_secret_auth_support_enabled: true matrix_synapse_ext_password_provider_shared_secret_config: "{{ matrix_synapse_ext_password_provider_shared_secret_config_yaml | from_yaml }}" matrix_synapse_ext_password_provider_shared_secret_config_yaml: | shared_secret: {{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret | string | to_json }} From 672b45648f335c945ec3d9e269326b1eb6ad2319 Mon Sep 17 00:00:00 2001 
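Review bot: The removed comment was the only record of why `matrix_synapse_ext_password_provider_shared_secret_auth_com_devture_shared_secret_auth_support_enabled` was kept off, and the new `true` default carries no note, so an admin who still serves Element builds older than v1.11.32 has nothing in the defaults file telling them the extra login type will now be offered once the provider is enabled. I would keep the constraint inline: `# Enables the com.devture.shared_secret_auth login type. Requires Element >= v1.11.32 (https://github.com/vector-im/element-web/issues/19605); set to false if older clients must keep working.` Because this is a default flip rather than a version bump, existing deployments with `matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true` presumably start advertising a different set of login flows after upgrade, which deserves a changelog entry. Deployments with the provider disabled (the `false` context line above) are unaffected.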
From: Slavi Pantaleev Date: Wed, 7 Jun 2023 14:20:52 +0300 Subject: [PATCH 798/915] Upgrade matrix-synapse-shared-secret-auth (2.0.2 -> 2.0.3) --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 804ef17a4..5917426b7 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -789,7 +789,7 @@ matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: fals # Enable this to activate the Shared Secret Auth password provider module. # See: https://github.com/devture/matrix-synapse-shared-secret-auth matrix_synapse_ext_password_provider_shared_secret_auth_enabled: false -matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/2.0.2/shared_secret_authenticator.py" +matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/2.0.3/shared_secret_authenticator.py" matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "" matrix_synapse_ext_password_provider_shared_secret_auth_m_login_password_support_enabled: true matrix_synapse_ext_password_provider_shared_secret_auth_com_devture_shared_secret_auth_support_enabled: true From ba868ba6c6d84c6ee1bf7e120bcce90ad6151d3b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 7 Jun 2023 16:50:54 +0300 Subject: [PATCH 799/915] Upgrade Synapse (v1.85.0 -> v1.85.1) --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 5917426b7..1aa5df3fa 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml 
@@ -4,7 +4,7 @@ matrix_synapse_enabled: true -matrix_synapse_version: v1.85.0 +matrix_synapse_version: v1.85.1 matrix_synapse_username: '' matrix_synapse_uid: '' From 55fcbca681528d63d2216c5be53f22594907f74c Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Thu, 8 Jun 2023 18:59:31 +0300 Subject: [PATCH 800/915] Update synapse 1.85.1 -> 1.85.2 --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 1aa5df3fa..32d63df7d 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -4,7 +4,7 @@ matrix_synapse_enabled: true -matrix_synapse_version: v1.85.1 +matrix_synapse_version: v1.85.2 matrix_synapse_username: '' matrix_synapse_uid: '' From 9709a83a4a845a8bf0e26bf2a44bdb483b6c85df Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Sun, 11 Jun 2023 08:37:54 +0300 Subject: [PATCH 801/915] Update element 1.11.32 -> 1.11.33 --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index ad30f16f7..f0ddbbede 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml 
@@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.11.32 +matrix_client_element_version: v1.11.33 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 85f38421e34d4e29f2d01ff85c78f4cb1b6fc2ff Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 11 Jun 2023 21:28:22 +0300 Subject: [PATCH 802/915] Fix matrix-synapse-ldap3 docs link in README Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2734 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ff93cd1f6..8b0265092 100644 --- a/README.md +++ b/README.md 
@@ -79,7 +79,7 @@ Extend and modify how users are authenticated on your homeserver. | ---- | -------- | ----------- | ------------- | | [matrix-synapse-rest-auth](https://github.com/ma1uta/matrix-synapse-rest-password-provider) (advanced) | x | REST authentication password provider module | [Link](docs/configuring-playbook-rest-auth.md) | |[matrix-synapse-shared-secret-auth](https://github.com/devture/matrix-synapse-shared-secret-auth) (advanced) | x | Password provider module | [Link](docs/configuring-playbook-shared-secret-auth.md) | -| [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) (advanced) | x | LDAP Auth password provider module | [Link](configuring-playbook-ldap-auth.md) | +| [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) (advanced) | x | LDAP Auth password provider module | [Link](docs/configuring-playbook-ldap-auth.md) | | [matrix-ldap-registration-proxy](https://gitlab.com/activism.international/matrix_ldap_registration_proxy) (advanced) | x | A proxy that handles Matrix registration requests and forwards them to LDAP. | [Link](docs/configuring-playbook-matrix-ldap-registration-proxy.md) | | [matrix-registration](https://github.com/ZerataX/matrix-registration) | x | A simple python application to have a token based matrix registration | [Link](docs/configuring-playbook-matrix-registration.md) | From 17a0f89775c03f4f05eadd3d6e073fe3d6f32006 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 12 Jun 2023 07:16:53 +0300 Subject: [PATCH 803/915] Upgrade Traefik (v2.10.1-1 -> v2.10.1-2) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index cb9e8f37b..e93903daa 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -26,7 +26,7 @@ - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git version: v1.0.0-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: v2.10.1-1 + version: v2.10.1-2 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: v2.8.1-0 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git From ceda4c41ccdd59f267bdb7eee8995d44a601e271 Mon Sep 17 00:00:00 2001 From: Zac Date: Tue, 13 Jun 2023 10:22:37 -0500 Subject: [PATCH 804/915] remove the offending lines --- .../tasks/ext/s3-storage-provider/validate_config.yml | 2 -- .../templates/synapse/ext/s3-storage-provider/env.j2 | 2 -- .../ext/s3-storage-provider/media_storage_provider.yaml.j2 | 2 -- 3 files changed, 6 deletions(-) diff --git a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml index 317269b3c..dfa3d9e5a 100644 --- a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml +++ b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml @@ -8,8 +8,6 @@ with_items: - "matrix_synapse_ext_synapse_s3_storage_provider_config_bucket" - "matrix_synapse_ext_synapse_s3_storage_provider_config_region_name" - - "matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id" - - "matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key" - "matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url" - name: Fail if required matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url looks invalid diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 index 58d262558..d895b742d 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 
+++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 @@ -1,5 +1,3 @@ -AWS_ACCESS_KEY_ID={{ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id }} -AWS_SECRET_ACCESS_KEY={{ matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key }} AWS_DEFAULT_REGION={{ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name }} ENDPOINT={{ matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url }} diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 index ac2b58dbb..71394acef 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 @@ -6,8 +6,6 @@ config: bucket: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_bucket | to_json }} region_name: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name | to_json }} endpoint_url: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url | to_json }} - access_key_id: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id | to_json }} - secret_access_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key | to_json }} {% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %} sse_customer_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key | to_json }} From 0e701bbecec26df41dab8c65036252532d624f47 Mon Sep 17 00:00:00 2001 
From: cbackas Date: Tue, 13 Jun 2023 11:08:14 -0500 Subject: [PATCH 805/915] add var to make the creds optional --- roles/custom/matrix-synapse/defaults/main.yml | 2 ++ .../s3-storage-provider/validate_config.yml | 21 +++++++++++++++---- .../synapse/ext/s3-storage-provider/env.j2 | 4 ++++ .../media_storage_provider.yaml.j2 | 4 ++++ 4 files changed, 27 insertions(+), 4 deletions(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 32d63df7d..fa09d83f7 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -885,6 +885,8 @@ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name: '' matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url: '' matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: '' matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: '' +# Enable this to use EC2 instance profile metadata to grab IAM credentials instead of passing credentials directly. +matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile: false matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled: false matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key: '' matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo: 'AES256' diff --git a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml index dfa3d9e5a..c3034531d 100644 --- a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml +++ b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml 
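Review bot: The new comment on `matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile` says where credentials come from but not what must hold for that to work, and the templates this variable gates (env.j2 and media_storage_provider.yaml.j2 in the same commit) are consumed inside the Synapse container, so the instance metadata service has to be reachable from there. I would extend the comment with the operational caveat: `# Credentials are then resolved at runtime inside the Synapse container (presumably via the AWS SDK default chain) from the instance metadata service; if IMDSv2 is enforced, the instance metadata hop limit likely needs to be >= 2 for a bridge-networked container. access_key_id/secret_access_key are ignored when this is true.` The SDK-chain and hop-limit points are inferred from how the container is run, not from anything visible in this hunk, so they should be confirmed against synapse-s3-storage-provider before landing the wording.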
@@ -1,14 +1,27 @@ --- +- name: Set base required s3-storage-provider settings + set_fact: + base_s3_storage_provider_config: + - "matrix_synapse_ext_synapse_s3_storage_provider_config_bucket" + - "matrix_synapse_ext_synapse_s3_storage_provider_config_region_name" + - "matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url" + +- name: Set optional required s3-storage-provider settings + set_fact: + optional_s3_storage_provider_config: + - "matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id" + - "matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key" + +- name: Prepare a list of required s3-storage-provider settings + set_fact: + required_s3_settings: "{{ base_s3_storage_provider_config + (optional_s3_storage_provider_config if not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile|default(false)|bool else []) }}" - name: Fail if required s3-storage-provider settings not defined ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`) for using s3-storage-provider. when: "vars[item] == ''" - with_items: - - "matrix_synapse_ext_synapse_s3_storage_provider_config_bucket" - - "matrix_synapse_ext_synapse_s3_storage_provider_config_region_name" - - "matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url" + with_items: "{{ required_s3_settings }}" - name: Fail if required matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url looks invalid ansible.builtin.fail: diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 index d895b742d..c5e896032 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 
@@ -1,3 +1,7 @@ +{% if not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile|default(false)|bool %} +AWS_ACCESS_KEY_ID={{ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id }} +AWS_SECRET_ACCESS_KEY={{ matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key }} +{% endif %} AWS_DEFAULT_REGION={{ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name }} ENDPOINT={{ matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url }} diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 index 71394acef..32c8a0d17 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 @@ -6,6 +6,10 @@ config: bucket: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_bucket | to_json }} region_name: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name | to_json }} endpoint_url: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url | to_json }} +{% if not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile|default(false)|bool %} + access_key_id: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id | to_json }} + secret_access_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key | to_json }} +{% endif %} {% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %} sse_customer_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key | to_json }} From f6d260dc0036a7049daef262b09dbe0f85b3ff7e Mon Sep 17 00:00:00 2001 
From: cbackas Date: Tue, 13 Jun 2023 11:58:19 -0500 Subject: [PATCH 806/915] this is better --- .../s3-storage-provider/validate_config.yml | 31 ++++++++----------- 1 file changed, 13 insertions(+), 18 deletions(-) diff --git a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml index c3034531d..78b02f387 100644 --- a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml +++ b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml 
@@ -1,27 +1,22 @@ --- -- name: Set base required s3-storage-provider settings - set_fact: - base_s3_storage_provider_config: - - "matrix_synapse_ext_synapse_s3_storage_provider_config_bucket" - - "matrix_synapse_ext_synapse_s3_storage_provider_config_region_name" - - "matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url" - -- name: Set optional required s3-storage-provider settings - set_fact: - optional_s3_storage_provider_config: - - "matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id" - - "matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key" - -- name: Prepare a list of required s3-storage-provider settings - set_fact: - required_s3_settings: "{{ base_s3_storage_provider_config + (optional_s3_storage_provider_config if not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile|default(false)|bool else []) }}" - - name: Fail if required s3-storage-provider settings not defined ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`) for using s3-storage-provider. when: "vars[item] == ''" - with_items: "{{ required_s3_settings }}" + with_items: + - "matrix_synapse_ext_synapse_s3_storage_provider_config_bucket" + - "matrix_synapse_ext_synapse_s3_storage_provider_config_region_name" + - "matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url" + +- name: Fail if required s3-storage-provider auth settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`) for using s3-storage-provider. 
+ when: "not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile|default(false)|bool and vars[item] == ''" + with_items: + - "matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id" + - "matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key" - name: Fail if required matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url looks invalid ansible.builtin.fail: From f026c7cee1dff3fe577a0d37bd153ecf5c1f8295 Mon Sep 17 00:00:00 2001 From: Zac Date: Tue, 13 Jun 2023 14:48:44 -0500 Subject: [PATCH 807/915] Apply suggestions from code review Co-authored-by: Slavi Pantaleev --- roles/custom/matrix-synapse/defaults/main.yml | 3 ++- .../tasks/ext/s3-storage-provider/validate_config.yml | 4 ++-- .../templates/synapse/ext/s3-storage-provider/env.j2 | 2 +- .../ext/s3-storage-provider/media_storage_provider.yaml.j2 | 2 +- 4 files changed, 6 insertions(+), 5 deletions(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index fa09d83f7..88ef768e9 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml 
@@ -885,7 +885,8 @@ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name: '' matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url: '' matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: '' matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: '' -# Enable this to use EC2 instance profile metadata to grab IAM credentials instead of passing credentials directly. +# Enable this to use EC2 instance profile metadata to grab IAM credentials instead of passing credentials directly +# via matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id and matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile: false matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled: false matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key: '' diff --git a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml index 78b02f387..406f186dc 100644 --- a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml +++ b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml 
@@ -9,11 +9,11 @@ - "matrix_synapse_ext_synapse_s3_storage_provider_config_region_name" - "matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url" -- name: Fail if required s3-storage-provider auth settings not defined +- name: Fail if required s3-storage-provider auth settings not defined when not using an EC2 profile ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`) for using s3-storage-provider. - when: "not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile|default(false)|bool and vars[item] == ''" + when: "not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile | bool and vars[item] == ''" with_items: - "matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id" - "matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key" diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 index c5e896032..227fd89e4 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 @@ -1,4 +1,4 @@ -{% if not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile|default(false)|bool %} +{% if not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile | bool %} AWS_ACCESS_KEY_ID={{ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id }} AWS_SECRET_ACCESS_KEY={{ matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key }} {% endif %} diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 index 32c8a0d17..97387e55c 100644 
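Review bot: Nothing rejects the combination of `matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile: true` with non-empty `..._access_key_id`/`..._secret_access_key`; the changed `when` only skips the emptiness check, and the env.j2 hunk in the same commit silently omits `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` in that case, so an operator who sets both ends up using whatever the instance profile grants with no indication that their static credentials were ignored. A second fail task beside the one changed here would surface that misconfiguration at deploy time instead. The `endpoint_url` validation that follows continues outside the hunk.
```yaml
# … unchanged: bucket/region_name/endpoint_url required-settings check …
- name: Fail if static S3 credentials are set while an EC2 instance profile is requested
  ansible.builtin.fail:
    msg: >-
      `matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile` is enabled,
      so `{{ item }}` would be silently ignored. Unset it or disable the instance profile.
  when: "matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile | bool and vars[item] != ''"
  with_items:
    - "matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id"
    - "matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key"
# … unchanged: endpoint_url looks-invalid check …
```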
--- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 @@ -6,7 +6,7 @@ config: bucket: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_bucket | to_json }} region_name: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name | to_json }} endpoint_url: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url | to_json }} -{% if not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile|default(false)|bool %} +{% if not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile | bool %} access_key_id: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id | to_json }} secret_access_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key | to_json }} {% endif %} From d9f8ac0f8b81a026e0ecd194029c2268980b5e47 Mon Sep 17 00:00:00 2001 From: cbackas Date: Tue, 13 Jun 2023 14:55:07 -0500 Subject: [PATCH 808/915] add thing to docs --- docs/configuring-playbook-synapse-s3-storage-provider.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/configuring-playbook-synapse-s3-storage-provider.md b/docs/configuring-playbook-synapse-s3-storage-provider.md index d5d5ca5e2..549fe6010 100644 --- a/docs/configuring-playbook-synapse-s3-storage-provider.md +++ b/docs/configuring-playbook-synapse-s3-storage-provider.md 
@@ -37,6 +37,10 @@ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: access-key- matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: secret-key-goes-here matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class: STANDARD # or STANDARD_IA, etc. +# If you're using an EC2 instance with an instance profile that grants it permissions to access S3, set the following variable to true +# Defaulted to false, when this is enabled you do not need to provide the access_key_id or secret_access_key. +matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile: true + # For additional advanced settings, take a look at `roles/custom/matrix-synapse/defaults/main.yml` ``` From ba3534903ac4c6167d11b4f743cfba39f540f7e1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 14 Jun 2023 09:27:40 +0300 Subject: [PATCH 809/915] Make S3 authentication options clearer --- ...uring-playbook-synapse-s3-storage-provider.md | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/docs/configuring-playbook-synapse-s3-storage-provider.md b/docs/configuring-playbook-synapse-s3-storage-provider.md index 549fe6010..c704a747f 100644 --- a/docs/configuring-playbook-synapse-s3-storage-provider.md +++ b/docs/configuring-playbook-synapse-s3-storage-provider.md 
@@ -30,16 +30,22 @@ After [creating the S3 bucket and configuring it](configuring-playbook-s3.md#buc ```yaml matrix_synapse_ext_synapse_s3_storage_provider_enabled: true + matrix_synapse_ext_synapse_s3_storage_provider_config_bucket: your-bucket-name matrix_synapse_ext_synapse_s3_storage_provider_config_region_name: some-region-name # e.g. eu-central-1 matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url: https://s3.REGION_NAME.amazonaws.com # adjust this -matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: access-key-goes-here -matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: secret-key-goes-here matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class: STANDARD # or STANDARD_IA, etc. -# If you're using an EC2 instance with an instance profile that grants it permissions to access S3, set the following variable to true -# Defaulted to false, when this is enabled you do not need to provide the access_key_id or secret_access_key. -matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile: true +# Authentication Method 1 - (access key id + secret) +# This works on all providers (AWS and other compatible systems). +# Uncomment the variables below to use it. +# matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: access-key-goes-here +# matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: secret-key-goes-here + +# Authentication Method 2 - EC2 instance profile which grants permission to access S3 +# This only works on AWS when your server is hosted on an EC2 instance with the correct instance profile set. +# Uncomment the variable below to use it. +# matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile: true # For additional advanced settings, take a look at `roles/custom/matrix-synapse/defaults/main.yml` ``` From 6a2d90006b47831b756e7ddd866ae0f62ff07dbd Mon Sep 17 00:00:00 2001 
From: Tupsi Date: Wed, 14 Jun 2023 15:22:38 +0200 Subject: [PATCH 810/915] Update configuring-playbook-synapse-s3-storage-provider.md added syntax to upload to wasabi (needs --endpoint param) --- ...figuring-playbook-synapse-s3-storage-provider.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/docs/configuring-playbook-synapse-s3-storage-provider.md b/docs/configuring-playbook-synapse-s3-storage-provider.md index c704a747f..62ace208e 100644 --- a/docs/configuring-playbook-synapse-s3-storage-provider.md +++ b/docs/configuring-playbook-synapse-s3-storage-provider.md @@ -112,6 +112,19 @@ docker run -it --rm \ docker.io/amazon/aws-cli:2.9.16 \ -c 'aws s3 sync /work/. s3://$BUCKET/' ``` +#### Copying data to Wasabi + +To copy to Wasabi, start a container on the Matrix server like this: + +```sh +docker run -it --rm \ +-w /work \ +--env-file=/matrix/synapse/ext/s3-storage-provider/env \ +--mount type=bind,src=/matrix/synapse/storage/media-store,dst=/work,ro \ +--entrypoint=/bin/sh \ +docker.io/amazon/aws-cli:2.9.16 \ +-c 'aws s3 sync /work/. s3://$BUCKET/ --endpoint-url=$ENDPOINT' +``` #### Copying data to Backblaze B2 From bfd8ee3977e4514f00dc245956f472821507e6de Mon Sep 17 00:00:00 2001 From: SapuSeven Date: Thu, 15 Jun 2023 22:34:38 +0200 Subject: [PATCH 811/915] Fix installing 'aux'-role on NTFS - Fixes #2738 --- playbooks/matrix.yml | 2 +- requirements.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index 9ce1aebea..266f3b9e5 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml @@ -114,7 +114,7 @@ - custom/matrix-nginx-proxy - custom/matrix-coturn - - role: galaxy/aux + - role: galaxy/auxiliary - role: galaxy/com.devture.ansible.role.postgres_backup diff --git a/requirements.yml b/requirements.yml index e93903daa..867e6c53b 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -2,7 +2,7 @@ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git version: v1.0.0-1 - name: aux + name: auxiliary - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git version: v1.2.4-1.7.14-0 - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git From 76db1587292951ea05bd2cb7dba2ac297d4cc6df Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 16 Jun 2023 09:11:53 +0300 Subject: [PATCH 812/915] Adjust S3 docs section to not be so Wasabi-specific --- ...ng-playbook-synapse-s3-storage-provider.md | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/docs/configuring-playbook-synapse-s3-storage-provider.md b/docs/configuring-playbook-synapse-s3-storage-provider.md index 62ace208e..9fb26212a 100644 --- a/docs/configuring-playbook-synapse-s3-storage-provider.md +++ b/docs/configuring-playbook-synapse-s3-storage-provider.md 
@@ -112,23 +112,18 @@ docker run -it --rm \ docker.io/amazon/aws-cli:2.9.16 \ -c 'aws s3 sync /work/. s3://$BUCKET/' ``` -#### Copying data to Wasabi -To copy to Wasabi, start a container on the Matrix server like this: +#### Copying data to an S3 alternative using the aws-s3 tool -```sh -docker run -it --rm \ --w /work \ ---env-file=/matrix/synapse/ext/s3-storage-provider/env \ ---mount type=bind,src=/matrix/synapse/storage/media-store,dst=/work,ro \ ---entrypoint=/bin/sh \ -docker.io/amazon/aws-cli:2.9.16 \ --c 'aws s3 sync /work/. s3://$BUCKET/ --endpoint-url=$ENDPOINT' -``` +To copy to a provider other than AWS S3 (e.g. Wasabi, Digital Ocean Spaces, etc.), you can use the command for [Copying data to Amazon S3](#copying-data-to-amazon-s3) with an added `--endpoint-url=$ENDPOINT` argument. + +Add this argument to the command **as-is** (`$ENDPOINT` is an environment variable corresponding to `matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url`, so you don't need to touch it). Make sure to add the argument **before** the final quote (`'`) of the command. #### Copying data to Backblaze B2 -To copy to Backblaze B2, start a container on the Matrix server like this: +You can copy files to Backblaze B2 either by following the [Copying data to an S3 alternative using the aws-s3 tool](#copying-data-to-an-s3-alternative-using-the-aws-s3-tool) or by using the B2-specific [b2 command-line tool](https://www.backblaze.com/b2/docs/quick_command_line.html) as described below. + +To copy the data using the `b2` tool, start a container on the Matrix server like this: ```sh docker run -it --rm \ From bbe11f2612c1fad4162dd3175d11a215ac4817ef Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 16 Jun 2023 16:11:06 +0300 Subject: [PATCH 813/915] Update mautrix-discord 0.4.0 -> 0.5.0 --- roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml index 98291d80d..dbb73aa45 100644 --- a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mautrix_discord_container_image_self_build: false matrix_mautrix_discord_container_image_self_build_repo: "https://mau.dev/mautrix/discord.git" matrix_mautrix_discord_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_discord_version == 'latest' else matrix_mautrix_discord_version }}" -matrix_mautrix_discord_version: v0.4.0 +matrix_mautrix_discord_version: v0.5.0 # See: https://mau.dev/mautrix/discord/container_registry matrix_mautrix_discord_docker_image: "{{ matrix_mautrix_discord_docker_image_name_prefix }}mautrix/discord:{{ matrix_mautrix_discord_version }}" matrix_mautrix_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_discord_container_image_self_build else 'dock.mau.dev/' }}" From 245a86f439b78e51a654cc6fb48a2a27b768f6ae Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 16 Jun 2023 16:12:03 +0300 Subject: [PATCH 814/915] Update mautrix-whatsapp 0.8.5 -> 0.8.6 --- roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 20cafa7ad..9ee461b5c 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml 
@@ -8,7 +8,7 @@ matrix_mautrix_whatsapp_container_image_self_build: false matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautrix/whatsapp.git" matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}" -matrix_mautrix_whatsapp_version: v0.8.5 +matrix_mautrix_whatsapp_version: v0.8.6 # See: https://mau.dev/mautrix/whatsapp/container_registry matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_name_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}" matrix_mautrix_whatsapp_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_whatsapp_container_image_self_build else 'dock.mau.dev/' }}" From df07b8fb7dbd575c260b38dd0389250fed75c17e Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 16 Jun 2023 16:13:15 +0300 Subject: [PATCH 815/915] Update coturn 4.6.1-r3 -> 4.6.2-r3 --- roles/custom/matrix-coturn/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-coturn/defaults/main.yml b/roles/custom/matrix-coturn/defaults/main.yml index ebeed45f6..2abfe6f15 100644 --- a/roles/custom/matrix-coturn/defaults/main.yml +++ b/roles/custom/matrix-coturn/defaults/main.yml 
@@ -8,7 +8,7 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}" matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile" -matrix_coturn_version: 4.6.1-r3 +matrix_coturn_version: 4.6.2-r3 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine" matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" From 9315ba571d2006fb681e1faf169300f2698dc0ae Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 16 Jun 2023 16:15:02 +0300 Subject: [PATCH 816/915] Update nginx 1.25.1 --- roles/custom/matrix-nginx-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index 77e501b7c..8ad11b375 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml @@ -1,7 +1,7 @@ --- # Project source code URL: https://github.com/nginx/nginx matrix_nginx_proxy_enabled: true -matrix_nginx_proxy_version: 1.23.3-alpine +matrix_nginx_proxy_version: 1.25.1-alpine # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but From 71e9b04fbe36e5c479847d9334750587b3467e05 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 16 Jun 2023 16:18:34 +0300 Subject: [PATCH 817/915] Update mautrix-googlechat 0.4.0 -> 0.5.0 --- roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml index 85f07b9d9..de0123043 100644 --- a/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mautrix_googlechat_container_image_self_build: false matrix_mautrix_googlechat_container_image_self_build_repo: "https://github.com/mautrix/googlechat.git" matrix_mautrix_googlechat_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_googlechat_version == 'latest' else matrix_mautrix_googlechat_version }}" -matrix_mautrix_googlechat_version: v0.4.0 +matrix_mautrix_googlechat_version: v0.5.0 # See: https://mau.dev/mautrix/googlechat/container_registry matrix_mautrix_googlechat_docker_image: "{{ matrix_mautrix_googlechat_docker_image_name_prefix }}mautrix/googlechat:{{ matrix_mautrix_googlechat_version }}" matrix_mautrix_googlechat_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_googlechat_container_image_self_build else 'dock.mau.dev/' }}" From 91fdd25e14ab2053caebce14dce66f4b149bff6a Mon Sep 17 00:00:00 2001 
From: Antonis Christofides Date: Mon, 5 Jun 2023 17:28:05 +0300 Subject: [PATCH 818/915] Move playbooks to root directory (fixes #2513) Some time ago a "playbooks" subdirectory had been created and setup.yml had been moved there (as matrix.yml), together with the new jitsi_jvb.yml. However, jitsi_jvb.yml wouldn't work at all, unless a symbolic link to it was created from the root directory. A symbolic link setup.yml for playbooks/matrix.yml had already been created and committed. This seems to indicate that the developers thought they should place all playbooks in a subdirectory, but when this didn't work, they linked to one of them, leaving the other one inoperative. We fix this by moving the playbooks to the root directory. This works, and the pollution of the root directory is not too bad since it's only two playbooks. We also change the mode of setup.yml to 644 (it had inexplicably changed to 755 in 9735a2f600). This contribution is provided by GRNET S.A. (grnet.gr). --- playbooks/jitsi_jvb.yml => jitsi_jvb.yml | 0 playbooks/matrix.yml | 143 ---------------------- setup.yml | 144 ++++++++++++++++++++++- 3 files changed, 143 insertions(+), 144 deletions(-) rename playbooks/jitsi_jvb.yml => jitsi_jvb.yml (100%) delete mode 100755 playbooks/matrix.yml mode change 120000 => 100644 setup.yml diff --git a/playbooks/jitsi_jvb.yml b/jitsi_jvb.yml similarity index 100% rename from playbooks/jitsi_jvb.yml rename to jitsi_jvb.yml diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml deleted file mode 100755 index 266f3b9e5..000000000 --- a/playbooks/matrix.yml +++ /dev/null 
@@ -1,143 +0,0 @@ ---- -- name: "Set up a Matrix server" - hosts: "{{ target if target is defined else 'matrix_servers' }}" - become: true - - roles: - # Most of the roles below are not distributed with the playbook, but downloaded separately using `ansible-galaxy` via the `just roles` command (see `justfile`). - - role: galaxy/com.devture.ansible.role.playbook_help - - - role: galaxy/com.devture.ansible.role.systemd_docker_base - - - role: custom/matrix_playbook_migration - - - when: matrix_playbook_docker_installation_enabled | bool - role: galaxy/geerlingguy.docker - vars: - docker_install_compose: false - tags: - - setup-docker - - setup-all - - install-docker - - install-all - - - when: devture_docker_sdk_for_python_installation_enabled | bool - role: galaxy/com.devture.ansible.role.docker_sdk_for_python - tags: - - setup-docker - - setup-all - - install-docker - - install-all - - - when: devture_timesync_installation_enabled | bool - role: galaxy/com.devture.ansible.role.timesync - tags: - - setup-timesync - - setup-all - - install-timesync - - install-all - - - custom/matrix-base - - custom/matrix-dynamic-dns - - custom/matrix-mailer - - - role: galaxy/com.devture.ansible.role.postgres - - - galaxy/redis - - custom/matrix-corporal - - custom/matrix-bridge-appservice-discord - - custom/matrix-bridge-appservice-slack - - custom/matrix-bridge-appservice-webhooks - - custom/matrix-bridge-appservice-irc - - custom/matrix-bridge-appservice-kakaotalk - - custom/matrix-bridge-beeper-linkedin - - custom/matrix-bridge-go-skype-bridge - - custom/matrix-bridge-mautrix-facebook - - custom/matrix-bridge-mautrix-twitter - - custom/matrix-bridge-mautrix-hangouts - - custom/matrix-bridge-mautrix-googlechat - - custom/matrix-bridge-mautrix-instagram - - custom/matrix-bridge-mautrix-signal - - custom/matrix-bridge-mautrix-telegram - - custom/matrix-bridge-mautrix-whatsapp - - custom/matrix-bridge-mautrix-discord - - custom/matrix-bridge-mautrix-slack - - 
custom/matrix-bridge-mx-puppet-discord - - custom/matrix-bridge-mx-puppet-groupme - - custom/matrix-bridge-mx-puppet-steam - - custom/matrix-bridge-mx-puppet-slack - - custom/matrix-bridge-mx-puppet-twitter - - custom/matrix-bridge-mx-puppet-instagram - - custom/matrix-bridge-sms - - custom/matrix-bridge-heisenbridge - - custom/matrix-bridge-hookshot - - custom/matrix-bot-matrix-reminder-bot - - custom/matrix-bot-matrix-registration-bot - - custom/matrix-bot-maubot - - custom/matrix-bot-buscarron - - custom/matrix-bot-honoroit - - custom/matrix-bot-postmoogle - - custom/matrix-bot-go-neb - - custom/matrix-bot-mjolnir - - custom/matrix-bot-draupnir - - custom/matrix-bot-chatgpt - - custom/matrix-cactus-comments - - custom/matrix-rageshake - - custom/matrix-synapse - - custom/matrix-synapse-auto-compressor - - custom/matrix-synapse-reverse-proxy-companion - - custom/matrix-dendrite - - custom/matrix-conduit - - custom/matrix-synapse-admin - - galaxy/prometheus_node_exporter - - galaxy/prometheus_postgres_exporter - - custom/matrix-prometheus-nginxlog-exporter - - galaxy/prometheus - - galaxy/grafana - - custom/matrix-prometheus-services-connect - - custom/matrix-prometheus-services-proxy-connect - - custom/matrix-registration - - custom/matrix-client-element - - custom/matrix-client-hydrogen - - custom/matrix-client-cinny - - galaxy/jitsi - - custom/matrix-user-verification-service - - custom/matrix-ldap-registration-proxy - - custom/matrix-ma1sd - - custom/matrix-dimension - - galaxy/etherpad - - custom/etherpad-proxy-connect - - custom/matrix-sliding-sync - - custom/matrix-email2matrix - - custom/matrix-sygnal - - galaxy/ntfy - - custom/matrix-nginx-proxy - - custom/matrix-coturn - - - role: galaxy/auxiliary - - - role: galaxy/com.devture.ansible.role.postgres_backup - - - role: galaxy/backup_borg - - - custom/matrix-user-creator - - custom/matrix-common-after - - - role: galaxy/com.devture.ansible.role.container_socket_proxy - - - role: 
galaxy/com.devture.ansible.role.traefik - - - role: galaxy/com.devture.ansible.role.traefik_certs_dumper - - - when: devture_systemd_service_manager_enabled | bool - role: galaxy/com.devture.ansible.role.systemd_service_manager - - # This is pretty much last, because we want it to better serve as a "last known good configuration". - # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2217#issuecomment-1301487601 - - when: devture_playbook_state_preserver_enabled | bool - role: galaxy/com.devture.ansible.role.playbook_state_preserver - tags: - - setup-all - - install-all - - - role: galaxy/com.devture.ansible.role.playbook_runtime_messages diff --git a/setup.yml b/setup.yml deleted file mode 120000 index 7acc4c4c9..000000000 --- a/setup.yml +++ /dev/null @@ -1 +0,0 @@ -playbooks/matrix.yml \ No newline at end of file diff --git a/setup.yml b/setup.yml new file mode 100644 index 000000000..266f3b9e5 --- /dev/null +++ b/setup.yml 
@@ -0,0 +1,143 @@ +--- +- name: "Set up a Matrix server" + hosts: "{{ target if target is defined else 'matrix_servers' }}" + become: true + + roles: + # Most of the roles below are not distributed with the playbook, but downloaded separately using `ansible-galaxy` via the `just roles` command (see `justfile`). + - role: galaxy/com.devture.ansible.role.playbook_help + + - role: galaxy/com.devture.ansible.role.systemd_docker_base + + - role: custom/matrix_playbook_migration + + - when: matrix_playbook_docker_installation_enabled | bool + role: galaxy/geerlingguy.docker + vars: + docker_install_compose: false + tags: + - setup-docker + - setup-all + - install-docker + - install-all + + - when: devture_docker_sdk_for_python_installation_enabled | bool + role: galaxy/com.devture.ansible.role.docker_sdk_for_python + tags: + - setup-docker + - setup-all + - install-docker + - install-all + + - when: devture_timesync_installation_enabled | bool + role: galaxy/com.devture.ansible.role.timesync + tags: + - setup-timesync + - setup-all + - install-timesync + - install-all + + - custom/matrix-base + - custom/matrix-dynamic-dns + - custom/matrix-mailer + + - role: galaxy/com.devture.ansible.role.postgres + + - galaxy/redis + - custom/matrix-corporal + - custom/matrix-bridge-appservice-discord + - custom/matrix-bridge-appservice-slack + - custom/matrix-bridge-appservice-webhooks + - custom/matrix-bridge-appservice-irc + - custom/matrix-bridge-appservice-kakaotalk + - custom/matrix-bridge-beeper-linkedin + - custom/matrix-bridge-go-skype-bridge + - custom/matrix-bridge-mautrix-facebook + - custom/matrix-bridge-mautrix-twitter + - custom/matrix-bridge-mautrix-hangouts + - custom/matrix-bridge-mautrix-googlechat + - custom/matrix-bridge-mautrix-instagram + - custom/matrix-bridge-mautrix-signal + - custom/matrix-bridge-mautrix-telegram + - custom/matrix-bridge-mautrix-whatsapp + - custom/matrix-bridge-mautrix-discord + - custom/matrix-bridge-mautrix-slack + - 
custom/matrix-bridge-mx-puppet-discord + - custom/matrix-bridge-mx-puppet-groupme + - custom/matrix-bridge-mx-puppet-steam + - custom/matrix-bridge-mx-puppet-slack + - custom/matrix-bridge-mx-puppet-twitter + - custom/matrix-bridge-mx-puppet-instagram + - custom/matrix-bridge-sms + - custom/matrix-bridge-heisenbridge + - custom/matrix-bridge-hookshot + - custom/matrix-bot-matrix-reminder-bot + - custom/matrix-bot-matrix-registration-bot + - custom/matrix-bot-maubot + - custom/matrix-bot-buscarron + - custom/matrix-bot-honoroit + - custom/matrix-bot-postmoogle + - custom/matrix-bot-go-neb + - custom/matrix-bot-mjolnir + - custom/matrix-bot-draupnir + - custom/matrix-bot-chatgpt + - custom/matrix-cactus-comments + - custom/matrix-rageshake + - custom/matrix-synapse + - custom/matrix-synapse-auto-compressor + - custom/matrix-synapse-reverse-proxy-companion + - custom/matrix-dendrite + - custom/matrix-conduit + - custom/matrix-synapse-admin + - galaxy/prometheus_node_exporter + - galaxy/prometheus_postgres_exporter + - custom/matrix-prometheus-nginxlog-exporter + - galaxy/prometheus + - galaxy/grafana + - custom/matrix-prometheus-services-connect + - custom/matrix-prometheus-services-proxy-connect + - custom/matrix-registration + - custom/matrix-client-element + - custom/matrix-client-hydrogen + - custom/matrix-client-cinny + - galaxy/jitsi + - custom/matrix-user-verification-service + - custom/matrix-ldap-registration-proxy + - custom/matrix-ma1sd + - custom/matrix-dimension + - galaxy/etherpad + - custom/etherpad-proxy-connect + - custom/matrix-sliding-sync + - custom/matrix-email2matrix + - custom/matrix-sygnal + - galaxy/ntfy + - custom/matrix-nginx-proxy + - custom/matrix-coturn + + - role: galaxy/auxiliary + + - role: galaxy/com.devture.ansible.role.postgres_backup + + - role: galaxy/backup_borg + + - custom/matrix-user-creator + - custom/matrix-common-after + + - role: galaxy/com.devture.ansible.role.container_socket_proxy + + - role: 
galaxy/com.devture.ansible.role.traefik + + - role: galaxy/com.devture.ansible.role.traefik_certs_dumper + + - when: devture_systemd_service_manager_enabled | bool + role: galaxy/com.devture.ansible.role.systemd_service_manager + + # This is pretty much last, because we want it to better serve as a "last known good configuration". + # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2217#issuecomment-1301487601 + - when: devture_playbook_state_preserver_enabled | bool + role: galaxy/com.devture.ansible.role.playbook_state_preserver + tags: + - setup-all + - install-all + + - role: galaxy/com.devture.ansible.role.playbook_runtime_messages From 71ed745be67e0132b67541d83ca4bbad61c642fd Mon Sep 17 00:00:00 2001 From: Antonis Christofides Date: Mon, 5 Jun 2023 17:54:29 +0300 Subject: [PATCH 819/915] Documentation typo --- docs/configuring-playbook-jitsi.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 4157231a5..ddae16b03 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -165,7 +165,7 @@ jitsi_prosody_max_participants: 4 # example value By default, a single JVB ([Jitsi VideoBridge](https://github.com/jitsi/jitsi-videobridge)) is deployed on the same host as the Matrix server. To allow more video-conferences to happen at the same time, you may need to provision additional JVB services on other hosts. There is an ansible playbook that can be run with the following tag: -` ansible-playbook -i inventory/hosts --limit jitsi_jvb_servers jitsi_jvb.yml --tags=common,setup-additional-jitsi-jvb,start` +`ansible-playbook -i inventory/hosts --limit jitsi_jvb_servers jitsi_jvb.yml --tags=common,setup-additional-jitsi-jvb,start` For this role to work you will need an additional section in the ansible hosts file with the details of the JVB hosts, for example: ``` 
From 6ce94ba33f749480a5dc2418a3e273ac132650ff Mon Sep 17 00:00:00 2001 From: Antonis Christofides Date: Sun, 11 Jun 2023 20:04:01 +0300 Subject: [PATCH 820/915] Fix additional JVB broken after move to external Jitsi role (fixes #2733) This contribution is provided by GRNET S.A. (grnet.gr). --- docs/configuring-playbook-jitsi.md | 10 ++++++++++ group_vars/jitsi_jvb_servers | 4 ++++ 2 files changed, 14 insertions(+) create mode 100644 group_vars/jitsi_jvb_servers diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index ddae16b03..d1353bb01 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -208,6 +208,16 @@ However, it can also be set the ip address of the matrix server. This can be use jitsi_xmpp_server: "192.168.0.1" ``` +For the JVB to be able ito contact the XMPP server, the latter must expose the XMPP port (5222). By default, the Matrix server does not expose the +port; only the XMPP container exposes it internally inside the host, which means that the first JVB (which runs on the Matrix server) can reach it but +the additional JVB cannot. The port is exposed by setting `jitsi_prosody_container_jvb_host_bind_port` like this: + +```yaml +jitsi_prosody_container_jvb_host_bind_port: 5222 +``` + +(The default is empty; if it's set then docker forwards the port.) + The nginx configuration will also need to be updated in order to deal with the additional JVB servers. This is achieved via its own configuration variable `matrix_nginx_proxy_proxy_jitsi_additional_jvbs`, which contains a dictionary of server ids to ip addresses. diff --git a/group_vars/jitsi_jvb_servers b/group_vars/jitsi_jvb_servers new file mode 100644 index 000000000..67815f7c0 --- /dev/null +++ b/group_vars/jitsi_jvb_servers @@ -0,0 +1,4 @@ +jitsi_architecture: "{{ matrix_architecture }}" +jitsi_hostname: "{{ matrix_server_fqn_jitsi }}" +jitsi_uid: "{{ matrix_user_uid }}" +jitsi_gid: "{{ matrix_user_gid }}" 
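Review bot: The new `group_vars/jitsi_jvb_servers` file carries no comment saying what it is for, and all four values are derived from `matrix_*` variables that must already be defined for hosts in the `jitsi_jvb_servers` group, which nothing in this hunk establishes. A header such as `# Variables for hosts in the jitsi_jvb_servers inventory group (see docs/configuring-playbook-jitsi.md). The matrix_* values are expected to be provided by the inventory for these hosts.` would tell a reader where the inputs come from. If `jitsi_uid`/`jitsi_gid` are presumably meant to match the Matrix host's user, say so in the comment, since a mismatch between hosts would only show up as permission errors on the JVB host at runtime.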
From 2191136369f26c43129949db7a508f1ebf3aa9eb Mon Sep 17 00:00:00 2001 From: Antonis Christofides Date: Sun, 11 Jun 2023 20:32:54 +0300 Subject: [PATCH 821/915] Enable jitsi_jvb service on additional JVB (fixes #2708) This contribution is provided by GRNET S.A. (grnet.gr). --- group_vars/jitsi_jvb_servers | 5 +++++ jitsi_jvb.yml | 3 +++ 2 files changed, 8 insertions(+) diff --git a/group_vars/jitsi_jvb_servers b/group_vars/jitsi_jvb_servers index 67815f7c0..84009e2ca 100644 --- a/group_vars/jitsi_jvb_servers +++ b/group_vars/jitsi_jvb_servers @@ -2,3 +2,8 @@ jitsi_architecture: "{{ matrix_architecture }}" jitsi_hostname: "{{ matrix_server_fqn_jitsi }}" jitsi_uid: "{{ matrix_user_uid }}" jitsi_gid: "{{ matrix_user_gid }}" + +devture_systemd_service_manager_services_list_auto: | + {{ + ([{'name': (jitsi_identifier + '-jvb.service'), 'priority': 4100, 'groups': ['matrix', 'jitsi', 'jitsi-jvb']}] if jitsi_enabled else []) + }} diff --git a/jitsi_jvb.yml b/jitsi_jvb.yml index 4054d308c..1ea63855a 100644 --- a/jitsi_jvb.yml +++ b/jitsi_jvb.yml @@ -10,3 +10,6 @@ - custom/matrix-base - galaxy/jitsi - custom/matrix-common-after + + - when: devture_systemd_service_manager_enabled | bool + role: galaxy/com.devture.ansible.role.systemd_service_manager From cfc845b45e90082ada9c9d0da70f9f169a8a5166 Mon Sep 17 00:00:00 2001 From: Antonis Christofides Date: Mon, 5 Jun 2023 19:59:27 +0300 Subject: [PATCH 822/915] Ensure docker is installed on additional JVBs (fixes #2706) This contribution is provided by GRNET S.A. (grnet.gr). --- group_vars/jitsi_jvb_servers | 2 ++ jitsi_jvb.yml | 20 ++++++++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/group_vars/jitsi_jvb_servers b/group_vars/jitsi_jvb_servers index 84009e2ca..af927c9f1 100644 --- a/group_vars/jitsi_jvb_servers +++ b/group_vars/jitsi_jvb_servers 
@@ -7,3 +7,5 @@ devture_systemd_service_manager_services_list_auto: | {{ ([{'name': (jitsi_identifier + '-jvb.service'), 'priority': 4100, 'groups': ['matrix', 'jitsi', 'jitsi-jvb']}] if jitsi_enabled else []) }} + +matrix_playbook_docker_installation_enabled: true diff --git a/jitsi_jvb.yml b/jitsi_jvb.yml index 1ea63855a..16acd0ee6 100644 --- a/jitsi_jvb.yml +++ b/jitsi_jvb.yml @@ -7,6 +7,26 @@ - role: galaxy/com.devture.ansible.role.playbook_help - role: galaxy/com.devture.ansible.role.systemd_docker_base + - when: matrix_playbook_docker_installation_enabled | bool + role: galaxy/geerlingguy.docker + vars: + docker_install_compose: false + tags: + - setup-docker + - setup-all + - setup-additional-jitsi-jvb + - install-docker + - install-all + + - when: devture_docker_sdk_for_python_installation_enabled | bool + role: galaxy/com.devture.ansible.role.docker_sdk_for_python + tags: + - setup-docker + - setup-all + - setup-additional-jitsi-jvb + - install-docker + - install-all + - custom/matrix-base - galaxy/jitsi - custom/matrix-common-after From 8c0119d7d89c75e4de04ac444114c211a9ce7c48 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 18 Jun 2023 08:50:55 +0300 Subject: [PATCH 823/915] Fix typo --- docs/configuring-playbook-jitsi.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index d1353bb01..1213f46a7 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md 
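Review bot: `matrix_playbook_docker_installation_enabled: true` is set unconditionally in the playbook's own `group_vars/jitsi_jvb_servers`, and playbook-adjacent group_vars take precedence over inventory group_vars for the same group, so an operator who already manages Docker on the JVB hosts (distro packages, a hardened install) can only opt out via host_vars or the command line. A comment stating that, e.g. `# Additional JVB hosts get Docker installed by the playbook; override per host (host_vars) if you manage Docker yourself`, would avoid the surprise, or the value could be expressed as an overridable default rather than a hard `true`. The `geerlingguy.docker` invocation in jitsi_jvb.yml does carry the `setup-additional-jitsi-jvb` tag, so the documented `--tags=common,setup-additional-jitsi-jvb,start` run picks it up, which looks right; the `docker_install_compose: false` setting matches setup.yml.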
@@ -208,7 +208,7 @@ However, it can also be set the ip address of the matrix server. This can be use jitsi_xmpp_server: "192.168.0.1" ``` -For the JVB to be able ito contact the XMPP server, the latter must expose the XMPP port (5222). By default, the Matrix server does not expose the +For the JVB to be able to contact the XMPP server, the latter must expose the XMPP port (5222). By default, the Matrix server does not expose the port; only the XMPP container exposes it internally inside the host, which means that the first JVB (which runs on the Matrix server) can reach it but the additional JVB cannot. The port is exposed by setting `jitsi_prosody_container_jvb_host_bind_port` like this: From 704a9abd9bc203194a3f47bdab1b0dcc0938fb3d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 18 Jun 2023 08:54:55 +0300 Subject: [PATCH 824/915] Fix file path in comment Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2746 --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 79a503d5a..d225cc302 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -192,7 +192,7 @@ matrix_homeserver_app_service_config_files_auto: | # This list is not exhaustive and final. # Synapse workers are still injected into the list at runtime. -# Additional JVB workers (playbooks/jitsi_jvb.yml -- roles/galaxy/jitsi/tasks/init_additional_jvb.yml) override this variable at runtime as well. +# Additional JVB workers (jitsi_jvb.yml -- roles/galaxy/jitsi/tasks/init_additional_jvb.yml) override this variable at runtime as well. # # Priority levels are like this: # - core services (the homeserver) get a level of ~1000 From 0174840296f59c87db01e0334013cc3721834e8e Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Mon, 19 Jun 2023 18:02:36 +0300 Subject: [PATCH 825/915] Upgrade Hookshot (4.2.0 -> 4.3.0) --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 55dbdfea7..9276b6136 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml @@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git" matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}" -matrix_hookshot_version: 4.2.0 +matrix_hookshot_version: 4.3.0 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}" matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}" From c720d7bb1a37252e274ebaa6fad8ea500e0b4b2c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 20 Jun 2023 10:55:05 +0300 Subject: [PATCH 826/915] Upgrade ddclient (v3.10.0-ls123 -> v3.10.0-ls24) --- roles/custom/matrix-dynamic-dns/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-dynamic-dns/defaults/main.yml b/roles/custom/matrix-dynamic-dns/defaults/main.yml index 5a60194a3..363122c2e 100644 --- a/roles/custom/matrix-dynamic-dns/defaults/main.yml +++ b/roles/custom/matrix-dynamic-dns/defaults/main.yml 
@@ -7,7 +7,7 @@ matrix_dynamic_dns_enabled: true # The dynamic dns daemon interval matrix_dynamic_dns_daemon_interval: '300' -matrix_dynamic_dns_version: v3.10.0-ls123 +matrix_dynamic_dns_version: v3.10.0-ls124 # The docker container to use when in mode matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}" From 2ca1b6f164d3e314cba3e8aec1939f06a7ba92cc Mon Sep 17 00:00:00 2001 From: Kevin Kengen Date: Tue, 20 Jun 2023 21:09:19 +1200 Subject: [PATCH 827/915] modified: roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 --- .../templates/config.yaml.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 index 830adca71..1949a2532 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 
@@ -143,15 +143,15 @@ bridge:
 # application service.
 encryption:
 # Allow encryption, work in group chat rooms with e2ee enabled
- allow: {{ matrix_mautrix_discord_bridge_encryption_allow|to_json }}
+ allow: {{ matrix_mautrix_instagram_bridge_encryption_allow|to_json }}
 # Default to encryption, force-enable encryption in all portals the bridge creates
 # This will cause the bridge bot to be in private chats for the encryption to work properly.
- default: {{ matrix_mautrix_discord_bridge_encryption_default|to_json }}
+ default: {{ matrix_mautrix_instagram_bridge_encryption_default|to_json }}
 # Options for automatic key sharing.
 key_sharing:
 # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
 # You must use a client that supports requesting keys from other users to use this feature.
- allow: {{ matrix_mautrix_discord_bridge_encryption_key_sharing_allow|to_json }}
+ allow: {{ matrix_mautrix_instagram_bridge_encryption_key_sharing_allow|to_json }}
 # Require the requesting device to have a valid cross-signing signature?
 # This doesn't require that the bridge has verified the device, only that the user has verified it.
 # Not yet implemented.
From a94ebe7424d69806445a3f18c257d2ff5db38678 Mon Sep 17 00:00:00 2001
From: Antoine-Ali Zarrouk <3798576+sidewinder94@users.noreply.github.com>
Date: Tue, 20 Jun 2023 15:03:12 +0200
Subject: [PATCH 828/915] Add documentation to detail the steps needed to federate using SRV delegation

---
 docs/howto-server-delegation.md | 1 +
 docs/howto-srv-server-delegation.md | 203 ++++++++++++++++++++++++++++
 2 files changed, 204 insertions(+)
 create mode 100644 docs/howto-srv-server-delegation.md

diff --git a/docs/howto-server-delegation.md b/docs/howto-server-delegation.md
index e9ca5bde6..36b0c2ab8 100644
--- a/docs/howto-server-delegation.md
+++ b/docs/howto-server-delegation.md
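Review bot: The commit message `modified: roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2` gives no reason for the change, while the hunk shows the Instagram template's encryption section was reading the `matrix_mautrix_discord_bridge_encryption_*` variables; a subject such as `Fix mautrix-instagram config template reading mautrix-discord encryption variables` would tell operators why their bridge's encryption settings may change after this upgrade. Because of that cross-reference, an operator who set `matrix_mautrix_instagram_bridge_encryption_allow` before this fix presumably had it ignored, and one who enabled encryption for the Discord bridge presumably had it applied to Instagram as well, so a changelog entry seems warranted. It may also be worth grepping the other mautrix templates for leftover `matrix_mautrix_discord_` references, since this looks like a copy-paste origin.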
@@ -49,6 +49,7 @@ To use DNS SRV record validation, you need to: - ensure that you are serving the Matrix Federation API (tcp/8448) with a certificate for `` (not `matrix.`!). Getting this certificate to the `matrix.` server may be complicated. The playbook's automatic SSL obtaining/renewal flow will likely not work and you'll need to copy certificates around manually. See below. +For more details on [how to configure the playbook to work with SRV delegation]() ### Obtaining certificates diff --git a/docs/howto-srv-server-delegation.md b/docs/howto-srv-server-delegation.md new file mode 100644 index 000000000..cb0263045 --- /dev/null +++ b/docs/howto-srv-server-delegation.md 
@@ -0,0 +1,203 @@ +# Server Delegation via a DNS SRV record (advanced) + +**Reminder** : unless you are affected by the [Downsides of well-known-based Server Delegation](#downsides-of-well-known-based-server-delegation), we suggest you stay on the simple/default path : [Server Delegation](howto-server-delegation.md) + +## Prerequisites + +SRV delegation while still using the playbook provided traefik to get / renew the certificate requires a wildcard certificate. + +To obtain / renew one from let's encrypt, one needs to use a dns-01 challenge method instead of the default http-01. + +This means that thi is limited to the list of providers supported by traefik, unless you bring in your own certificate. + +The up-to-date list can be accessed on [traefik's documentation](https://doc.traefik.io/traefik/https/acme/#providers) + +## The changes + +### Federation Endpoint + +```yaml +# To serve the federation from any domain, as long as the path match +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: PathPrefix(`/_matrix`) +``` + +This is because with SRV federation, some servers / tools (one of which being the federation tester) try to access the federation API using the resolved IP address instead of the domain name (or they are not using SNI). This change will make traefik route all traffic for which the path match this rule go to the federation endpoint. + +### Tell Traefik which certificate to serve for the federation endpoint + +Now that the federation endpoint is not bound to a domain anymore we need to explicitely tell traefik to use a wildcard certificate in addition to one containing the base name. + +This is because the matrix specification expects the federation endpoint to be served using a certificate comatible with the base domain, however, the other resources on the endpoint still need a valid certificate to work. 
+ +```yaml +# To let traefik know which domains certificates to serve +matrix_nginx_proxy_container_labels_additional_labels: | + traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.main="example.com" + traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.sans="*.example.com" +``` + +### Configure the DNS-01 challenge for let's encrypt + +Since we're now requesting a wildcard certificate, we need to change the ACME challenge method. To request a wildcard certificate from let's encrypt we are required to use the DNS-01 challenge. + +This will need 3 changes : +1. Add a new certificate resolver that works with DNS-01 +2. Configure the resolver to allow access to the DNS zone to configure the reocrds to answer the challenge (refer to [traefik's documentation](https://doc.traefik.io/traefik/https/acme/#providers) to know which environment variables to set) +3. Tell the playbook to use the new resolver as default + +We cannot just disable the default resolver as that would disable SSL in quite a few places in the playbook. + + +```yaml +# 1. Add a new ACME configuration without having to disable the default one, since it would have a wide range of side effects +devture_traefik_configuration_extension_yaml: | + certificatesResolvers: + dns: + acme: + # caServer: https://acme-staging-v02.api.letsencrypt.org/directory + email: {{ devture_traefik_config_certificatesResolvers_acme_email | to_json }} + dnsChallenge: + provider: cloudflare + resolvers: + - "1.1.1.1:53" + - "8.8.8.8:53" + storage: {{ devture_traefik_config_certificatesResolvers_acme_storage | to_json }} + +# 2. Configure the environment variables needed by traefik to automate the ACME DNS CHallenge (example for cloudflare) +devture_traefik_environment_variables: | + CF_API_EMAIL=redacted + CF_ZONE_API_TOKEN=redacted + CF_DNS_API_TOKEN=redacted + LEGO_DISABLE_CNAME_SUPPORT=true + +# 3. 
Instruct thep laybook to use the new ACME configuration +devture_traefik_certResolver_primary: "dns" +``` + +## Adjust coturn's configuration + +Last step is to alter the generated coturn configuration. + +By default, it is configured to wait on the certificate for the matrix subdomain using an instanced service using the domain name as the parameter for this service. However, we need to serve the wildcard certificate, which is incompatible with systemd, it will try to exxpand the "*" preventing coturn from starting. + +We also need to indicate to coturn where the wildcard certificate is. + +**⚠ WARNING ⚠** : On first start of the services, coturn might still fail to start because traefik is still in thep rocess of obtaining the certificates. If you still get an error, make sure traefik obtained the certificates and restart the coturn service. + +This should not happen again afterwards as traefik will renew certificates well before their expiry date, and the coturn service is setup to restart periodically. + +```yaml +# Only depend on docker.service, this removes the dependency on the certificate exporter, might imply the need to manually restart coturn on the first installation once the certificates are obtained, afterwards, the reload service should handle things +matrix_coturn_systemd_required_services_list: ['docker.service'] + +# This changes the path of the loaded certificate, while maintaining the original functionality, we're now loading the wildcard certificate. +matrix_coturn_container_additional_volumes: | + {{ + ( + [ + { + 'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/fullchain.pem'), + 'dst': '/fullchain.pem', + 'options': 'ro', + }, + { + 'src': (matrix_ssl_config_dir_path + '/live/*.' 
+ matrix_domain + '/privkey.pem'), + 'dst': '/privkey.pem', + 'options': 'ro', + }, + ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] and matrix_coturn_tls_enabled else [] + ) + + + ( + [ + { + 'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/certificate.crt'), + 'dst': '/certificate.crt', + 'options': 'ro', + }, + { + 'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/privatekey.key'), + 'dst': '/privatekey.key', + 'options': 'ro', + }, + ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else [] + ) + }} +``` + +## Full example of a working configuration + +```yaml +# Choosing the reverse proxy implementation +matrix_playbook_reverse_proxy_type: playbook-managed-traefik +devture_traefik_config_certificatesResolvers_acme_email: redacted@example.com + +# To serve the federation from any domain, as long as the path match +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: PathPrefix(`/_matrix`) + +# To let traefik know which domains certificates to serve +matrix_nginx_proxy_container_labels_additional_labels: | + traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.main="example.com" + traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.sans="*.example.com" + +# Add a new ACME configuration without having to disable the default one, since it would have a wide range of side effects +devture_traefik_configuration_extension_yaml: | + certificatesResolvers: + dns: + acme: + # caServer: https://acme-staging-v02.api.letsencrypt.org/directory + email: {{ devture_traefik_config_certificatesResolvers_acme_email | to_json }} + dnsChallenge: + provider: cloudflare + resolvers: + - "1.1.1.1:53" + - "8.8.8.8:53" + storage: {{ 
devture_traefik_config_certificatesResolvers_acme_storage | to_json }} + +# Instruct thep laybook to use the new ACME configuration +devture_traefik_certResolver_primary: "dns" + +# Configure the environment variables needed by traefik to automate the ACME DNS CHallenge +devture_traefik_environment_variables: | + CF_API_EMAIL=redacted + CF_ZONE_API_TOKEN=redacted + CF_DNS_API_TOKEN=redacted + LEGO_DISABLE_CNAME_SUPPORT=true + +# Only depend on docker.service, this removes the dependency on the certificate exporter, might imply the need to manually restart coturn on the first installation once the certificates are obtained, afterwards, the reload service should handle things +matrix_coturn_systemd_required_services_list: ['docker.service'] + +# This changes the path of the loaded certificate, while maintaining the original functionality, we're now loading the wildcard certificate. +matrix_coturn_container_additional_volumes: | + {{ + ( + [ + { + 'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/fullchain.pem'), + 'dst': '/fullchain.pem', + 'options': 'ro', + }, + { + 'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/privkey.pem'), + 'dst': '/privkey.pem', + 'options': 'ro', + }, + ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] and matrix_coturn_tls_enabled else [] + ) + + + ( + [ + { + 'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/certificate.crt'), + 'dst': '/certificate.crt', + 'options': 'ro', + }, + { + 'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/privatekey.key'), + 'dst': '/privatekey.key', + 'options': 'ro', + }, + ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else [] + ) + }} +``` \ No newline at end of file 
From 9ab50ac8de89588accb9748c67bff8c8087833b3 Mon Sep 17 00:00:00 2001 From: Antoine-Ali ZARROUK <3798576+sidewinder94@users.noreply.github.com> Date: Tue, 20 Jun 2023 16:32:50 +0200 Subject: [PATCH 829/915] Fix inter-doc links --- docs/howto-server-delegation.md | 2 +- docs/howto-srv-server-delegation.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/howto-server-delegation.md b/docs/howto-server-delegation.md index 36b0c2ab8..e9a6b23d8 100644 --- a/docs/howto-server-delegation.md +++ b/docs/howto-server-delegation.md @@ -49,7 +49,7 @@ To use DNS SRV record validation, you need to: - ensure that you are serving the Matrix Federation API (tcp/8448) with a certificate for `` (not `matrix.`!). Getting this certificate to the `matrix.` server may be complicated. The playbook's automatic SSL obtaining/renewal flow will likely not work and you'll need to copy certificates around manually. See below. -For more details on [how to configure the playbook to work with SRV delegation]() +For more details on [how to configure the playbook to work with SRV delegation](howto-srv-server-delegation.md) ### Obtaining certificates diff --git a/docs/howto-srv-server-delegation.md b/docs/howto-srv-server-delegation.md index cb0263045..284977aa4 100644 --- a/docs/howto-srv-server-delegation.md +++ b/docs/howto-srv-server-delegation.md @@ -1,6 +1,6 @@ # Server Delegation via a DNS SRV record (advanced) -**Reminder** : unless you are affected by the [Downsides of well-known-based Server Delegation](#downsides-of-well-known-based-server-delegation), we suggest you stay on the simple/default path : [Server Delegation](howto-server-delegation.md) +**Reminder** : unless you are affected by the [Downsides of well-known-based Server Delegation](howto-server-delegation.md#downsides-of-well-known-based-server-delegation), we suggest you stay on the simple/default path : [Server Delegation](howto-server-delegation.md) ## Prerequisites 
From eece91d7e22653b1b463bf2b0002f14ae264b8ae Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 20 Jun 2023 20:56:39 +0300 Subject: [PATCH 830/915] Update element v1.11.33 -> v1.11.34 --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index f0ddbbede..a4e22a784 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml @@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.11.33 +matrix_client_element_version: v1.11.34 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From ce7a3fa6d74c25c7f755201dc97a6252f0d1c82b Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 20 Jun 2023 21:12:39 +0300 Subject: [PATCH 831/915] Update etherpad 1.8.18 -> 1.9.0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 867e6c53b..680b23d84 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -30,7 +30,7 @@ - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: v2.8.1-0 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git - version: v1.8.18-2 + version: v1.9.0-0 - src: git+https://github.com/geerlingguy/ansible-role-docker version: 6.1.0 name: geerlingguy.docker From 2da4d81ff6fbefa1b12c05c742e8708042538ef7 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 20 Jun 2023 21:14:23 +0300 Subject: [PATCH 832/915] Update synapse 1.85.2 -> 1.86.0 --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 88ef768e9..964fde115 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -4,7 +4,7 @@ matrix_synapse_enabled: true -matrix_synapse_version: v1.85.2 +matrix_synapse_version: v1.86.0 matrix_synapse_username: '' matrix_synapse_uid: '' From a60a7d270545c6842bbfca8087e845f6cd999fd6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 21 Jun 2023 09:05:11 +0300 Subject: [PATCH 833/915] Upgrade Traefik (v2.10.1-2 -> v2.10.3-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 867e6c53b..ddc81b7dd 100644 --- a/requirements.yml +++ b/requirements.yml @@ -26,7 +26,7 @@ - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git version: v1.0.0-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: v2.10.1-2 + version: v2.10.3-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: v2.8.1-0 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git From eef0fd69bfba2974a148fdeb19a4a793e0ba2de2 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Wed, 21 Jun 2023 09:56:16 +0300 Subject: [PATCH 834/915] Fix some typos, add more links --- docs/howto-srv-server-delegation.md | 51 +++++++++++++++-------------- 1 file changed, 27 insertions(+), 24 deletions(-) diff --git a/docs/howto-srv-server-delegation.md b/docs/howto-srv-server-delegation.md index 284977aa4..a1afe59de 100644 --- a/docs/howto-srv-server-delegation.md +++ b/docs/howto-srv-server-delegation.md 
@@ -1,14 +1,16 @@ # Server Delegation via a DNS SRV record (advanced) -**Reminder** : unless you are affected by the [Downsides of well-known-based Server Delegation](howto-server-delegation.md#downsides-of-well-known-based-server-delegation), we suggest you stay on the simple/default path : [Server Delegation](howto-server-delegation.md) +**Reminder** : unless you are affected by the [Downsides of well-known-based Server Delegation](howto-server-delegation.md#downsides-of-well-known-based-server-delegation), we suggest you **stay on the simple/default path**: [Server Delegation](howto-server-delegation.md) by [configuring well-known files](configuring-well-known.md) at the base domain. + +This guide is about configuring Server Delegation using DNS SRV records (for the [Traefik](https://doc.traefik.io/traefik/) webserver). This method has special requirements when it comes to SSL certificates, so various changes are required. ## Prerequisites -SRV delegation while still using the playbook provided traefik to get / renew the certificate requires a wildcard certificate. +SRV delegation while still using the playbook provided Traefik to get / renew the certificate requires a wildcard certificate. -To obtain / renew one from let's encrypt, one needs to use a dns-01 challenge method instead of the default http-01. +To obtain / renew one from [Let's Encrypt](https://letsencrypt.org/), one needs to use a [DNS-01 challenge](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge) method instead of the default [HTTP-01](https://letsencrypt.org/docs/challenge-types/#http-01-challenge). -This means that thi is limited to the list of providers supported by traefik, unless you bring in your own certificate. +This means that this is **limited to the list of DNS providers supported by Traefik**, unless you bring in your own certificate. The up-to-date list can be accessed on [traefik's documentation](https://doc.traefik.io/traefik/https/acme/#providers) 
@@ -21,16 +23,16 @@ The up-to-date list can be accessed on [traefik's documentation](https://doc.tra matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: PathPrefix(`/_matrix`) ``` -This is because with SRV federation, some servers / tools (one of which being the federation tester) try to access the federation API using the resolved IP address instead of the domain name (or they are not using SNI). This change will make traefik route all traffic for which the path match this rule go to the federation endpoint. +This is because with SRV federation, some servers / tools (one of which being the federation tester) try to access the federation API using the resolved IP address instead of the domain name (or they are not using SNI). This change will make Traefik route all traffic for which the path match this rule go to the federation endpoint. ### Tell Traefik which certificate to serve for the federation endpoint -Now that the federation endpoint is not bound to a domain anymore we need to explicitely tell traefik to use a wildcard certificate in addition to one containing the base name. +Now that the federation endpoint is not bound to a domain anymore we need to explicitely tell Traefik to use a wildcard certificate in addition to one containing the base name. This is because the matrix specification expects the federation endpoint to be served using a certificate comatible with the base domain, however, the other resources on the endpoint still need a valid certificate to work. ```yaml -# To let traefik know which domains certificates to serve +# To let Traefik know which domains' certificates to serve matrix_nginx_proxy_container_labels_additional_labels: | traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.main="example.com" traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.sans="*.example.com" 
@@ -38,22 +40,22 @@ matrix_nginx_proxy_container_labels_additional_labels: | ### Configure the DNS-01 challenge for let's encrypt -Since we're now requesting a wildcard certificate, we need to change the ACME challenge method. To request a wildcard certificate from let's encrypt we are required to use the DNS-01 challenge. +Since we're now requesting a wildcard certificate, we need to change the ACME challenge method. To request a wildcard certificate from Let's Encrypt we are required to use the DNS-01 challenge. -This will need 3 changes : +This will need 3 changes: 1. Add a new certificate resolver that works with DNS-01 -2. Configure the resolver to allow access to the DNS zone to configure the reocrds to answer the challenge (refer to [traefik's documentation](https://doc.traefik.io/traefik/https/acme/#providers) to know which environment variables to set) +2. Configure the resolver to allow access to the DNS zone to configure the records to answer the challenge (refer to [Traefik's documentation](https://doc.traefik.io/traefik/https/acme/#providers) to know which environment variables to set) 3. Tell the playbook to use the new resolver as default We cannot just disable the default resolver as that would disable SSL in quite a few places in the playbook. - ```yaml # 1. Add a new ACME configuration without having to disable the default one, since it would have a wide range of side effects devture_traefik_configuration_extension_yaml: | certificatesResolvers: dns: acme: + # To use a staging endpoint for testing purposes, uncomment the line below. # caServer: https://acme-staging-v02.api.letsencrypt.org/directory email: {{ devture_traefik_config_certificatesResolvers_acme_email | to_json }} dnsChallenge: 
@@ -63,28 +65,28 @@ devture_traefik_configuration_extension_yaml: | - "8.8.8.8:53" storage: {{ devture_traefik_config_certificatesResolvers_acme_storage | to_json }} -# 2. Configure the environment variables needed by traefik to automate the ACME DNS CHallenge (example for cloudflare) +# 2. Configure the environment variables needed by Rraefik to automate the ACME DNS Challenge (example for Cloudflare) devture_traefik_environment_variables: | CF_API_EMAIL=redacted CF_ZONE_API_TOKEN=redacted CF_DNS_API_TOKEN=redacted LEGO_DISABLE_CNAME_SUPPORT=true -# 3. Instruct thep laybook to use the new ACME configuration -devture_traefik_certResolver_primary: "dns" +# 3. Instruct the playbook to use the new ACME configuration +devture_traefik_certResolver_primary: dns ``` -## Adjust coturn's configuration +## Adjust Coturn's configuration -Last step is to alter the generated coturn configuration. +The last step is to alter the generated Coturn configuration. -By default, it is configured to wait on the certificate for the matrix subdomain using an instanced service using the domain name as the parameter for this service. However, we need to serve the wildcard certificate, which is incompatible with systemd, it will try to exxpand the "*" preventing coturn from starting. +By default, Coturn is configured to wait on the certificate for the `matrix.` subdomain using an [instantiated systemd service](https://www.freedesktop.org/software/systemd/man/systemd.service.html#Service%20Templates) using the domain name as the parameter for this service. However, we need to serve the wildcard certificate, which is incompatible with systemd, it will try to expand the `*`, which will break and prevent Coturn from starting. -We also need to indicate to coturn where the wildcard certificate is. +We also need to indicate to Coturn where the wildcard certificate is. 
-**⚠ WARNING ⚠** : On first start of the services, coturn might still fail to start because traefik is still in thep rocess of obtaining the certificates. If you still get an error, make sure traefik obtained the certificates and restart the coturn service. +**⚠ WARNING ⚠** : On first start of the services, Coturn might still fail to start because Traefik is still in the process of obtaining the certificates. If you still get an error, make sure Traefik obtained the certificates and restart the Coturn service (`just start-group coturn`). -This should not happen again afterwards as traefik will renew certificates well before their expiry date, and the coturn service is setup to restart periodically. +This should not happen again afterwards as Traefik will renew certificates well before their expiry date, and the Coturn service is setup to restart periodically. ```yaml # Only depend on docker.service, this removes the dependency on the certificate exporter, might imply the need to manually restart coturn on the first installation once the certificates are obtained, afterwards, the reload service should handle things @@ -135,7 +137,7 @@ devture_traefik_config_certificatesResolvers_acme_email: redacted@example.com # To serve the federation from any domain, as long as the path match matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: PathPrefix(`/_matrix`) -# To let traefik know which domains certificates to serve +# To let Traefik know which domains' certificates to serve matrix_nginx_proxy_container_labels_additional_labels: | traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.main="example.com" traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.sans="*.example.com" 
@@ -145,6 +147,7 @@ devture_traefik_configuration_extension_yaml: | certificatesResolvers: dns: acme: + # To use a staging endpoint for testing purposes, uncomment the line below. # caServer: https://acme-staging-v02.api.letsencrypt.org/directory email: {{ devture_traefik_config_certificatesResolvers_acme_email | to_json }} dnsChallenge: @@ -157,14 +160,14 @@ devture_traefik_configuration_extension_yaml: | # Instruct thep laybook to use the new ACME configuration devture_traefik_certResolver_primary: "dns" -# Configure the environment variables needed by traefik to automate the ACME DNS CHallenge +# Configure the environment variables needed by Traefik to automate the ACME DNS Challenge (example for Cloudflare) devture_traefik_environment_variables: | CF_API_EMAIL=redacted CF_ZONE_API_TOKEN=redacted CF_DNS_API_TOKEN=redacted LEGO_DISABLE_CNAME_SUPPORT=true -# Only depend on docker.service, this removes the dependency on the certificate exporter, might imply the need to manually restart coturn on the first installation once the certificates are obtained, afterwards, the reload service should handle things +# Only depend on docker.service, this removes the dependency on the certificate exporter, might imply the need to manually restart Coturn on the first installation once the certificates are obtained, afterwards, the reload service should handle things matrix_coturn_systemd_required_services_list: ['docker.service'] # This changes the path of the loaded certificate, while maintaining the original functionality, we're now loading the wildcard certificate. @@ -200,4 +203,4 @@ matrix_coturn_container_additional_volumes: | ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else [] ) }} -``` \ No newline at end of file +``` From b035ef1fa301636aa9815a514e8dc152f882cfc8 Mon Sep 17 00:00:00 2001 
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Wed, 21 Jun 2023 17:37:29 +0300
Subject: [PATCH 835/915] Update hydrogen 0.3.8 -> 0.4.0
---
 roles/custom/matrix-client-hydrogen/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-client-hydrogen/defaults/main.yml b/roles/custom/matrix-client-hydrogen/defaults/main.yml
index f3ddb81b6..de16c8b69 100644
--- a/roles/custom/matrix-client-hydrogen/defaults/main.yml
+++ b/roles/custom/matrix-client-hydrogen/defaults/main.yml
@@ -6,7 +6,7 @@ matrix_client_hydrogen_enabled: true
 matrix_client_hydrogen_container_image_self_build: false
 matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git"
-matrix_client_hydrogen_version: v0.3.8
+matrix_client_hydrogen_version: v0.4.0
 matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vector-im/hydrogen-web:{{ matrix_client_hydrogen_version }}"
 matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build else 'ghcr.io/' }}"
 matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}"
From a6e60378d9dd72e1879ca553feb5325b4bfcfed9 Mon Sep 17 00:00:00 2001
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Thu, 22 Jun 2023 21:16:39 +0300
Subject: [PATCH 836/915] Update grafana 9.5.3 -> 10.0.0
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 9ac4f9cef..34995e950 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -35,7 +35,7 @@
 version: 6.1.0
 name: geerlingguy.docker
 - src: git+https://gitlab.com/etke.cc/roles/grafana.git
- version: v9.5.3-0
+ version: v10.0.0-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
 version: v8615-0
 name: jitsi
From 5e1c7c6cf189a49762e4b9e1d1511096b847be93 Mon Sep 17 00:00:00 2001
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Thu, 22 Jun 2023 21:17:18 +0300
Subject: [PATCH 837/915] Update prometheus postgres exporter 0.12.0 -> 0.13.0
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 9ac4f9cef..c8deb481b 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -47,7 +47,7 @@
 - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git
 version: v1.6.0-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
- version: v0.12.0-0
+ version: v0.13.0-0
 name: prometheus_postgres_exporter
 - src: git+https://gitlab.com/etke.cc/roles/redis.git
 version: v7.0.10-0
From 38c8bd858a1d16f2472fce8c283312f74bc78743 Mon Sep 17 00:00:00 2001
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Thu, 22 Jun 2023 21:22:30 +0300
Subject: [PATCH 838/915] Update grafana 10.0.0 -> 10.0.1
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 34995e950..d424f38e5 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -35,7 +35,7 @@
 version: 6.1.0
 name: geerlingguy.docker
 - src: git+https://gitlab.com/etke.cc/roles/grafana.git
- version: v10.0.0-0
+ version: v10.0.1-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
 version: v8615-0
 name: jitsi
From fa2a81fc5ea4096214c0b332a314ff5bf226b00a Mon Sep 17 00:00:00 2001
From: Dan Arnfield
Date: Fri, 23 Jun 2023 18:02:56 -0500
Subject: [PATCH 839/915] Update prometheus_postgres_exporter
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 852fbf6a3..292b7a528 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -47,7 +47,7 @@
 - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git
 version: v1.6.0-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
- version: v0.13.0-0
+ version: v0.13.0-1
 name: prometheus_postgres_exporter
 - src: git+https://gitlab.com/etke.cc/roles/redis.git
 version: v7.0.10-0
From 05faf1f73fc1d13f6c2ac9fe2a666854103fad40 Mon Sep 17 00:00:00 2001
From: Dan Arnfield
Date: Fri, 23 Jun 2023 18:05:47 -0500
Subject: [PATCH 840/915] Update synapse reverse proxy companion
---
 .../matrix-synapse-reverse-proxy-companion/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml
index 364cf2c7e..048ded6bb 100644
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml
@@ -25,7 +25,7 @@ matrix_synapse_reverse_proxy_companion_enabled: true
-matrix_synapse_reverse_proxy_companion_version: 1.23.3-alpine
+matrix_synapse_reverse_proxy_companion_version: 1.25.1-alpine
 matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion"
 matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d"
From 5b968f47d2c254220be2ecb8afea855b455f1cd1 Mon Sep 17 00:00:00 2001
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Sun, 25 Jun 2023 10:35:14 +0300
Subject: [PATCH 841/915] Update prometheus 2.44.0 -> 2.45.0
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 292b7a528..d4bb1241e 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -42,7 +42,7 @@
 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git
 version: v2.5.0-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
- version: v2.44.0-0
+ version: v2.45.0-0
 name: prometheus
 - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git
 version: v1.6.0-0
From 9142f4d2ee73f561f14f2aa1bc67b544e4895568 Mon Sep 17 00:00:00 2001
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Sun, 25 Jun 2023 10:35:53 +0300
Subject: [PATCH 842/915] Update borgmatic 1.7.14 -> 1.7.15
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 292b7a528..b61e230c8 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -4,7 +4,7 @@
 version: v1.0.0-1
 name: auxiliary
 - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git
- version: v1.2.4-1.7.14-0
+ version: v1.2.4-1.7.15-0
 - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git
 version: v0.1.1-2
 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
From 7b10e7d4e04c774675374b362c1fec257edcf14b Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Mon, 26 Jun 2023 17:35:55 +0300
Subject: [PATCH 843/915] Upgrade mautrix-telegram (0.14.0 -> 0.14.1)
---
 roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
index c5b7b9a39..79f835932 100644
--- a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
@@ -17,7 +17,7 @@ matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git"
 matrix_mautrix_telegram_docker_repo_version: "{{ 'master' if matrix_mautrix_telegram_version == 'latest' else matrix_mautrix_telegram_version }}"
 matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src"
-matrix_mautrix_telegram_version: v0.14.0
+matrix_mautrix_telegram_version: v0.14.1
 # See: https://mau.dev/mautrix/telegram/container_registry
 matrix_mautrix_telegram_docker_image: "{{ matrix_mautrix_telegram_docker_image_name_prefix }}mautrix/telegram:{{ matrix_mautrix_telegram_version }}"
 matrix_mautrix_telegram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_telegram_container_image_self_build else 'dock.mau.dev/' }}"
From d5fa6feeef2be95b1bc2b30fdc2ecc52e7e2837a Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Tue, 27 Jun 2023 10:36:47 +0300
Subject: [PATCH 844/915] Upgrade ddclient (v3.10.0-ls124 -> v3.10.0-ls25)
---
 roles/custom/matrix-dynamic-dns/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-dynamic-dns/defaults/main.yml b/roles/custom/matrix-dynamic-dns/defaults/main.yml
index 363122c2e..98b8e9d45 100644
--- a/roles/custom/matrix-dynamic-dns/defaults/main.yml
+++ b/roles/custom/matrix-dynamic-dns/defaults/main.yml
@@ -7,7 +7,7 @@ matrix_dynamic_dns_enabled: true
 # The dynamic dns daemon interval
 matrix_dynamic_dns_daemon_interval: '300'
-matrix_dynamic_dns_version: v3.10.0-ls124
+matrix_dynamic_dns_version: v3.10.0-ls125
 # The docker container to use when in mode
 matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}"
From b7d79a95fa65b4b7d07f5b2146526d9acf21bfee Mon Sep 17 00:00:00 2001
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Wed, 28 Jun 2023 13:04:37 +0300
Subject: [PATCH 845/915] Update prometheus postgres exporter 0.13.0 -> 0.13.1
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 42cdf2849..4a8b77b72 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -47,7 +47,7 @@
 - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git
 version: v1.6.0-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
- version: v0.13.0-1
+ version: v0.13.1-0
 name: prometheus_postgres_exporter
 - src: git+https://gitlab.com/etke.cc/roles/redis.git
 version: v7.0.10-0
From 19b83360d06bfb8d066783c7fb97abf956d27594 Mon Sep 17 00:00:00 2001
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Wed, 28 Jun 2023 21:54:06 +0300
Subject: [PATCH 846/915] Update ntfy 2.5.0 -> 2.6.0
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 4a8b77b72..63613a8cc 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -40,7 +40,7 @@
 version: v8615-0
 name: jitsi
 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git
- version: v2.5.0-0
+ version: v2.6.0-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
 version: v2.45.0-0
 name: prometheus
From 47b643f870a3adf583dea54fd5dcbbaad6c810ac Mon Sep 17 00:00:00 2001
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Wed, 28 Jun 2023 21:55:31 +0300
Subject: [PATCH 847/915] Update hookshot 4.3.0 -> 4.4.0
---
 roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml
index 9276b6136..3c1ba5193 100644
--- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml
+++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml
@@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false
 matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git"
 matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}"
-matrix_hookshot_version: 4.3.0
+matrix_hookshot_version: 4.4.0
 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}"
 matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}"
From 4a34efbe972354a7134c80280368a50fc3af006e Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 29 Jun 2023 09:57:03 +0300
Subject: [PATCH 848/915] Upgrade ntfy (v2.6.0-0 -> v2.6.1-0)
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 63613a8cc..6f0262a3a 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -40,7 +40,7 @@
 version: v8615-0
 name: jitsi
 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git
- version: v2.6.0-0
+ version: v2.6.1-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
 version: v2.45.0-0
 name: prometheus
From 0db4ca74fa4110bde9fd1f4ab35a928988bb0b6f Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Fri, 30 Jun 2023 11:49:32 +0300
Subject: [PATCH 849/915] Upgrade Dendrite (0.12.0 -> 0.13.0)
Untested.
---
 roles/custom/matrix-dendrite/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml
index 3c083b99d..1a83c7039 100644
--- a/roles/custom/matrix-dendrite/defaults/main.yml
+++ b/roles/custom/matrix-dendrite/defaults/main.yml
@@ -10,7 +10,7 @@ matrix_dendrite_container_image_self_build_repo: "https://github.com/matrix-org/
 matrix_dendrite_docker_image_path: "matrixdotorg/dendrite-monolith"
 matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}{{ matrix_dendrite_docker_image_path }}:{{ matrix_dendrite_docker_image_tag }}"
 matrix_dendrite_docker_image_name_prefix: "{{ 'localhost/' if matrix_dendrite_container_image_self_build else matrix_container_global_registry_prefix }}"
-matrix_dendrite_docker_image_tag: "v0.12.0"
+matrix_dendrite_docker_image_tag: "v0.13.0"
 matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}"
 matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite"
From d9bbe08771d2349afa98485e5256f386d7acf20d Mon Sep 17 00:00:00 2001
From: David Holdeman
Date: Fri, 30 Jun 2023 22:06:36 -0500
Subject: [PATCH 850/915] add note
---
 examples/hosts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/examples/hosts b/examples/hosts
index ba08107b9..f96725f58 100644
--- a/examples/hosts
+++ b/examples/hosts
@@ -3,6 +3,7 @@
 #
 # To connect using a non-root user (and elevate to root with sudo later),
 # replace `ansible_ssh_user=root` with something like this: `ansible_ssh_user=username become=true become_user=root`
+# If sudo requires a password, be sure to use the -K flag when calling Ansible to provide the password.
 #
 # For improved Ansible performance, SSH pipelining is enabled by default in `ansible.cfg`.
 # If this causes SSH connection troubles, disable it by adding `ansible_ssh_pipelining=False`
From 8f93853845aff568f235d3d6f3ea6a5debfbf2bb Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sat, 1 Jul 2023 09:32:30 +0300
Subject: [PATCH 851/915] Upgrade ntfy (v2.6.1-0 -> v2.6.2-0)
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 6f0262a3a..5a20ffe83 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -40,7 +40,7 @@
 version: v8615-0
 name: jitsi
 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git
- version: v2.6.1-0
+ version: v2.6.2-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
 version: v2.45.0-0
 name: prometheus
From 321a3a93ab112115b830a6df90d598a020ff8b94 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sat, 1 Jul 2023 09:39:19 +0300
Subject: [PATCH 852/915] Update hosts
---
 examples/hosts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/examples/hosts b/examples/hosts
index f96725f58..cb6459f97 100644
--- a/examples/hosts
+++ b/examples/hosts
@@ -2,8 +2,9 @@
 # If you'd rather use a local IP here, make sure to set up `matrix_coturn_turn_external_ip_address`.
 #
 # To connect using a non-root user (and elevate to root with sudo later),
-# replace `ansible_ssh_user=root` with something like this: `ansible_ssh_user=username become=true become_user=root`
-# If sudo requires a password, be sure to use the -K flag when calling Ansible to provide the password.
+# replace `ansible_ssh_user=root` with something like this: `ansible_ssh_user=username become=true become_user=root`.
+# If sudo requires a password, either add `become_password=PASSWORD_HERE` to the host line
+# or tell Ansible to ask you for the password interactively by adding a `--ask-become-pass` (`-K`) flag to all `ansible-playbook` (or `just`) commands.
 #
 # For improved Ansible performance, SSH pipelining is enabled by default in `ansible.cfg`.
 # If this causes SSH connection troubles, disable it by adding `ansible_ssh_pipelining=False`
From 462d48814a42060d468b8b1cac209eafbff081fd Mon Sep 17 00:00:00 2001
From: Paul ALNET
Date: Sun, 2 Jul 2023 09:23:35 +0200
Subject: [PATCH 853/915] fix(linkedin): mismatched appservice id
Updated to match value in `roles/custom/matrix-bridge-beeper-linkedin/templates/config.yaml.j2`.
---
 roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
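Review bot: The new `+# If sudo requires a password, either add `become_password=PASSWORD_HERE` to the host line` comment steers users towards writing the sudo password in clear text into the inventory, and since `examples/hosts` is the file people copy into their own `inventory/hosts`, that secret ends up unencrypted beside the rest of the inventory and is easy to commit by accident. I would lead with the interactive `--ask-become-pass` (`-K`) option that the next line already describes and, where a stored password is really wanted, point at keeping it encrypted, e.g. `# (if you must store it, keep it out of plain text with ansible-vault rather than writing it here)`. Separately, the connection variable Ansible documents for this is `ansible_become_password`; I am not aware of `become_password` being recognised in inventory, so it is worth double-checking that the example works as written before it ships.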
diff --git a/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml b/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml
index ffcae97f1..75e9de550 100644
--- a/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml
+++ b/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml
@@ -111,7 +111,7 @@ matrix_beeper_linkedin_configuration_extension: "{{ matrix_beeper_linkedin_confi
 matrix_beeper_linkedin_configuration: "{{ matrix_beeper_linkedin_configuration_yaml | from_yaml | combine(matrix_beeper_linkedin_configuration_extension, recursive=True) }}"
 matrix_beeper_linkedin_registration_yaml: |
- id: linkedin
+ id: beeper_linkedin
 url: {{ matrix_beeper_linkedin_appservice_address }}
 as_token: "{{ matrix_beeper_linkedin_appservice_token }}"
 hs_token: "{{ matrix_beeper_linkedin_homeserver_token }}"
From 36c55bcb331d5de9553b29b2d63dc8c08a79b475 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Tue, 4 Jul 2023 14:14:27 +0300
Subject: [PATCH 854/915] Upgrade ddclient (v3.10.0-ls125 -> v3.10.0-ls26)
---
 roles/custom/matrix-dynamic-dns/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-dynamic-dns/defaults/main.yml b/roles/custom/matrix-dynamic-dns/defaults/main.yml
index 98b8e9d45..6369f1096 100644
--- a/roles/custom/matrix-dynamic-dns/defaults/main.yml
+++ b/roles/custom/matrix-dynamic-dns/defaults/main.yml
@@ -7,7 +7,7 @@ matrix_dynamic_dns_enabled: true
 # The dynamic dns daemon interval
 matrix_dynamic_dns_daemon_interval: '300'
-matrix_dynamic_dns_version: v3.10.0-ls125
+matrix_dynamic_dns_version: v3.10.0-ls126
 # The docker container to use when in mode
 matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}"
From ce0eb973b05109cc7d0489d5ae1439aeb509d5a6 Mon Sep 17 00:00:00 2001
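Review bot: Changing the registration `id` from `linkedin` to `beeper_linkedin` in `matrix_beeper_linkedin_registration_yaml` is a behaviour change for already-deployed bridges, not just a cosmetic fix: as far as I know Synapse tracks per-appservice delivery state under this id, so an existing homeserver will see a new appservice once the regenerated registration is loaded. The commit message only mentions the mismatch with `config.yaml.j2`; a short note for operators about the possible effect on existing installations would be helpful. A comment tying the two files together would also stop them drifting apart again, e.g. `# Must match the appservice `id` in templates/config.yaml.j2`.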
From: Slavi Pantaleev
Date: Tue, 4 Jul 2023 16:47:35 +0300
Subject: [PATCH 855/915] Upgrade Coturn (4.6.2-r3 -> 4.6.2-r4)
---
 roles/custom/matrix-coturn/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-coturn/defaults/main.yml b/roles/custom/matrix-coturn/defaults/main.yml
index 2abfe6f15..dd25df709 100644
--- a/roles/custom/matrix-coturn/defaults/main.yml
+++ b/roles/custom/matrix-coturn/defaults/main.yml
@@ -8,7 +8,7 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn
 matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}"
 matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"
-matrix_coturn_version: 4.6.2-r3
+matrix_coturn_version: 4.6.2-r4
 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine"
 matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"
From 2d941f2e7b20eb82bb30b58bd0bacdb7dff9180a Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Tue, 4 Jul 2023 17:38:49 +0300
Subject: [PATCH 856/915] Upgrade Element (v1.11.34 -> v1.11.35)
---
 roles/custom/matrix-client-element/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml
index a4e22a784..368639cb0 100644
--- a/roles/custom/matrix-client-element/defaults/main.yml
+++ b/roles/custom/matrix-client-element/defaults/main.yml
@@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto
 # - https://github.com/vector-im/element-web/issues/19544
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
-matrix_client_element_version: v1.11.34
+matrix_client_element_version: v1.11.35
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"
From 13fb286dbe6568ba15c2ddbda8ddf3823fe6b46e Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Tue, 4 Jul 2023 22:13:05 +0300
Subject: [PATCH 857/915] Upgrade Synapse (v1.86.0 -> v1.87.0)
---
 roles/custom/matrix-synapse/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml
index 964fde115..768c71594 100644
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -4,7 +4,7 @@ matrix_synapse_enabled: true
-matrix_synapse_version: v1.86.0
+matrix_synapse_version: v1.87.0
 matrix_synapse_username: ''
 matrix_synapse_uid: ''
From 8668b0d772f698aa2b62231b0937d5e389f7b82c Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Tue, 4 Jul 2023 22:14:34 +0300
Subject: [PATCH 858/915] Do not handle ^/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$ from workers anymore
Related to https://github.com/matrix-org/synapse/commit/0f02f0b4da92229e88e27a92ea3bfa523457bfc1
---
 roles/custom/matrix-synapse/vars/main.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/roles/custom/matrix-synapse/vars/main.yml b/roles/custom/matrix-synapse/vars/main.yml
index 0c6d6296c..9ac7afeb7 100644
--- a/roles/custom/matrix-synapse/vars/main.yml
+++ b/roles/custom/matrix-synapse/vars/main.yml
@@ -153,7 +153,6 @@ matrix_synapse_workers_generic_worker_endpoints:
 - ^/_matrix/client/v1/rooms/.*/hierarchy$
 - ^/_matrix/client/(v1|unstable)/rooms/.*/relations/
 - ^/_matrix/client/v1/rooms/.*/threads$
- - ^/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$
 - ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$
 - ^/_matrix/client/(r0|v3|unstable)/account/3pid$
 - ^/_matrix/client/(r0|v3|unstable)/account/whoami$
From c0f89ec2520e68f67488f43cf8b16b0abd55e6ba Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 6 Jul 2023 11:14:22 +0300
Subject: [PATCH 859/915] Upgrade Grafana (v10.0.1-0 -> v10.0.1-1)
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 5a20ffe83..da29a3791 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -35,7 +35,7 @@
 version: 6.1.0
 name: geerlingguy.docker
 - src: git+https://gitlab.com/etke.cc/roles/grafana.git
- version: v10.0.1-0
+ version: v10.0.1-1
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
 version: v8615-0
 name: jitsi
From 9c77486e59641fd6df51c164b53768a665894aaa Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 6 Jul 2023 11:38:07 +0300
Subject: [PATCH 860/915] Upgrade Dendrite (v0.13.0 -> v0.13.1)
---
 roles/custom/matrix-dendrite/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml
index 1a83c7039..5cfbfe15e 100644
--- a/roles/custom/matrix-dendrite/defaults/main.yml
+++ b/roles/custom/matrix-dendrite/defaults/main.yml
@@ -10,7 +10,7 @@ matrix_dendrite_container_image_self_build_repo: "https://github.com/matrix-org/
 matrix_dendrite_docker_image_path: "matrixdotorg/dendrite-monolith"
 matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}{{ matrix_dendrite_docker_image_path }}:{{ matrix_dendrite_docker_image_tag }}"
 matrix_dendrite_docker_image_name_prefix: "{{ 'localhost/' if matrix_dendrite_container_image_self_build else matrix_container_global_registry_prefix }}"
-matrix_dendrite_docker_image_tag: "v0.13.0"
+matrix_dendrite_docker_image_tag: "v0.13.1"
 matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}"
 matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite"
From d02f6b8b93b5e70039ede01f593b88fad36ebecf Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 6 Jul 2023 20:18:18 +0300
Subject: [PATCH 861/915] Force-build customized container image for Synapse when its Dockerfile changes
---
 roles/custom/matrix-synapse/tasks/synapse/setup_install.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml b/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml
index 169be60bf..7bdf5ddc8 100644
--- a/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml
+++ b/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml
@@ -72,12 +72,13 @@
 owner: "{{ matrix_synapse_uid }}"
 group: "{{ matrix_synapse_gid }}"
 mode: 0640
+ register: matrix_synapse_container_image_customizations_dockerfile_result
 - name: Ensure customized Docker image for Synapse is built
 community.docker.docker_image:
 name: "{{ matrix_synapse_docker_image_customized }}"
 source: build
- force_source: "{{ matrix_synapse_docker_image_customized_force_source }}"
+ force_source: "{{ matrix_synapse_container_image_customizations_dockerfile_result.changed or matrix_synapse_docker_image_customized_force_source }}"
 build:
 dockerfile: Dockerfile
 path: "{{ matrix_synapse_customized_docker_src_files_path }}"
From 3fc217ded2a588bb667fde19a778cf51f8d9e1d2 Mon Sep 17 00:00:00 2001
From: David Mehren
Date: Sun, 9 Jul 2023 15:45:42 +0200
Subject: [PATCH 862/915] Upgrade sliding-sync (v0.99.1 -> v0.99.3)
---
 roles/custom/matrix-sliding-sync/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-sliding-sync/defaults/main.yml b/roles/custom/matrix-sliding-sync/defaults/main.yml
index fa6e65a46..1f28d3053 100644
--- a/roles/custom/matrix-sliding-sync/defaults/main.yml
+++ b/roles/custom/matrix-sliding-sync/defaults/main.yml
@@ -4,7 +4,7 @@ matrix_sliding_sync_enabled: true
-matrix_sliding_sync_version: v0.99.1
+matrix_sliding_sync_version: v0.99.3
 matrix_sliding_sync_scheme: https
From db47c6f1e3a5607f731289ffde4863ba0ae68d5e Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Tue, 11 Jul 2023 14:43:44 +0300
Subject: [PATCH 863/915] Upgrade Grafana (v10.0.1-1 -> v10.0.2-0)
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index da29a3791..05e1120ce 100644
--- a/requirements.yml
+++ b/requirements.yml
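Review bot: The new `force_source` expression silently overrides the operator-facing `matrix_synapse_docker_image_customized_force_source` toggle whenever the registered Dockerfile task reports a change, and nothing in the task says why; a one-line comment above the `force_source:` key would spare the next reader the detour, e.g. `# Rebuild whenever the generated Dockerfile changed, so customizations never go stale`. One thing to keep in mind with this pattern is that under `--check` the file-writing task can report `changed` without writing anything, so the expression evaluates true there; presumably the build task itself does not execute in check mode, but it is worth confirming. The task that registers `matrix_synapse_container_image_customizations_dockerfile_result` starts outside the hunk, so I cannot see whether it is conditional.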
@@ -35,7 +35,7 @@ version: 6.1.0 name: geerlingguy.docker - src: git+https://gitlab.com/etke.cc/roles/grafana.git - version: v10.0.1-1 + version: v10.0.2-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git version: v8615-0 name: jitsi From c09c1265e8f2ac1da04a38a4269a767e99d4d4d8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 11 Jul 2023 17:20:21 +0300 Subject: [PATCH 864/915] Stop using deprecated worker settings (worker_replication_host, worker_replication_http_port) Related to: - https://github.com/matrix-org/synapse/commit/e4f545c452df817daa2f22dfda906f3451d98351 - https://github.com/matrix-org/synapse/commit/2481b7dfa41c1c890346136f04344a4e1660ef32 We've prepared for this by adding the `main` process to the `instance_map` a long time ago, in 49cb8b7b11a72b. --- roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2 | 5 ----- 1 file changed, 5 deletions(-) diff --git a/roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2 index f0e6fe90a..18b96a55f 100644 --- a/roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2 @@ -5,11 +5,6 @@ worker_name: {{ matrix_synapse_worker_details.name }} worker_daemonize: false worker_log_config: /data/{{ matrix_server_fqn_matrix }}.log.config -{% if matrix_synapse_replication_listener_enabled %} -worker_replication_host: matrix-synapse -worker_replication_http_port: {{ matrix_synapse_replication_http_port }} -{% endif %} - {% set http_resources = [] %} {% if matrix_synapse_worker_details.type == 'user_dir' %} From 3037bf3a562fb50e91add0962a3ab7467ebb4a38 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 11 Jul 2023 16:16:59 +0000 Subject: [PATCH 865/915] Bump ansible-community/ansible-lint-action from 6.16.0 to 6.17.0 Bumps [ansible-community/ansible-lint-action](https://github.com/ansible-community/ansible-lint-action) from 6.16.0 to 6.17.0. - [Release notes](https://github.com/ansible-community/ansible-lint-action/releases) - [Commits](https://github.com/ansible-community/ansible-lint-action/compare/v6.16.0...v6.17.0) --- updated-dependencies: - dependency-name: ansible-community/ansible-lint-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/matrix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml index 579ab7192..f38ae3525 100644 --- a/.github/workflows/matrix.yml +++ b/.github/workflows/matrix.yml @@ -21,6 +21,6 @@ jobs: - name: Check out uses: actions/checkout@v3 - name: Run ansible-lint - uses: ansible-community/ansible-lint-action@v6.16.0 + uses: ansible-community/ansible-lint-action@v6.17.0 with: path: roles/custom From 68c9652947d0c32cb6a752e7fe5f73c4fc0dd1ac Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 12 Jul 2023 08:05:40 +0300 Subject: [PATCH 866/915] Upgrade Grafana (v10.0.2-0 -> v10.0.2-1) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 05e1120ce..3cad12d4a 100644 --- a/requirements.yml +++ b/requirements.yml @@ -35,7 +35,7 @@ version: 6.1.0 name: geerlingguy.docker - src: git+https://gitlab.com/etke.cc/roles/grafana.git - version: v10.0.2-0 + version: v10.0.2-1 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git version: v8615-0 name: jitsi From 9d76e7391381e8cfdbcac58e525537770ec88c1e Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Wed, 12 Jul 2023 08:05:45 +0300 Subject: [PATCH 867/915] Upgrade Jitsi (v8615-0 -> v8615-2) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 3cad12d4a..a8c398215 100644 --- a/requirements.yml +++ b/requirements.yml @@ -37,7 +37,7 @@ - src: git+https://gitlab.com/etke.cc/roles/grafana.git version: v10.0.2-1 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git - version: v8615-0 + version: v8615-2 name: jitsi - src: git+https://gitlab.com/etke.cc/roles/ntfy.git version: v2.6.2-0 From 54412c361d2bc36f89daaadf4819522ed5ca21bf Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 12 Jul 2023 08:15:58 +0300 Subject: [PATCH 868/915] Disable var-naming[no-role-prefix] ansible-lint rule --- .config/ansible-lint.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.config/ansible-lint.yml b/.config/ansible-lint.yml index 00d62f207..0ff5748cb 100644 --- a/.config/ansible-lint.yml +++ b/.config/ansible-lint.yml @@ -9,6 +9,7 @@ skip_list: - schema - command-instead-of-shell - role-name + - var-naming[no-role-prefix] # We frequently load configuration from a template (into a variable), then merge that with another variable (configuration extension) # before finally dumping it to a file. - template-instead-of-copy From 78bd1dbd1bc8b760e7a1f4fd9d6fa76a91d0655d Mon Sep 17 00:00:00 2001 
From: Michael Hollister Date: Wed, 12 Jul 2023 01:09:27 -0500 Subject: [PATCH 869/915] Added matrix-media-repo role --- README.md | 1 + .../configuring-playbook-matrix-media-repo.md | 106 ++ ...configuring-playbook-prometheus-grafana.md | 1 + docs/configuring-playbook-s3.md | 3 +- group_vars/matrix_servers | 67 +- .../matrix-media-repo/defaults/main.yml | 681 ++++++++++++ roles/custom/matrix-media-repo/tasks/main.yml | 17 + .../matrix-media-repo/tasks/setup_install.yml | 74 ++ .../tasks/setup_uninstall.yml | 19 + .../templates/grafana/media-repo.json | 991 ++++++++++++++++++ .../templates/media-repo/media-repo.yaml.j2 | 359 +++++++ .../systemd/matrix-media-repo.service.j2 | 52 + .../matrix-nginx-proxy/defaults/main.yml | 5 + .../nginx/conf.d/matrix-domain.conf.j2 | 90 ++ .../defaults/main.yml | 20 + roles/custom/matrix-synapse/defaults/main.yml | 6 +- setup.yml | 1 + 17 files changed, 2486 insertions(+), 7 deletions(-) create mode 100644 docs/configuring-playbook-matrix-media-repo.md create mode 100644 roles/custom/matrix-media-repo/defaults/main.yml create mode 100644 roles/custom/matrix-media-repo/tasks/main.yml create mode 100644 roles/custom/matrix-media-repo/tasks/setup_install.yml create mode 100644 roles/custom/matrix-media-repo/tasks/setup_uninstall.yml create mode 100644 roles/custom/matrix-media-repo/templates/grafana/media-repo.json create mode 100644 roles/custom/matrix-media-repo/templates/media-repo/media-repo.yaml.j2 create mode 100644 roles/custom/matrix-media-repo/templates/media-repo/systemd/matrix-media-repo.service.j2 diff --git a/README.md b/README.md index 8b0265092..912febc04 100644 --- a/README.md +++ b/README.md 
@@ -92,6 +92,7 @@ Use alternative file storage to the default `media_store` folder. | ---- | -------- | ----------- | ------------- | | [Goofys](https://github.com/kahing/goofys) | x | [Amazon S3](https://aws.amazon.com/s3/) (or other S3-compatible object store) storage for Synapse's content repository (`media_store`) files | [Link](docs/configuring-playbook-s3-goofys.md) | | [synapse-s3-storage-provider](https://github.com/matrix-org/synapse-s3-storage-provider) | x | [Amazon S3](https://aws.amazon.com/s3/) (or other S3-compatible object store) storage for Synapse's content repository (`media_store`) files | [Link](docs/configuring-playbook-s3.md) | +| [matrix-media-repo](https://github.com/turt2live/matrix-media-repo) | x | matrix-media-repo is a highly customizable multi-domain media repository for Matrix. Intended for medium to large deployments, this media repo de-duplicates media while being fully compliant with the specification. | [Link](docs/configuring-playbook-media-repo.md) | ### Bridges diff --git a/docs/configuring-playbook-matrix-media-repo.md b/docs/configuring-playbook-matrix-media-repo.md new file mode 100644 index 000000000..e011e1e66 --- /dev/null +++ b/docs/configuring-playbook-matrix-media-repo.md 
@@ -0,0 +1,106 @@ +# Setting up matrix-media-repo (optional) + +matrix-media-repo is a highly customizable multi-domain media repository for Matrix. Intended for medium to large environments consisting of several homeservers, this media repo de-duplicates media (including remote media) while being fully compliant with the specification. + +Smaller/individual homeservers can still make use of this project's features, though it may be difficult to set up or have higher than expected resource consumption - please do your research before deploying this as this project may not be useful for your environment. + +More documentation about the project can be found at: https://docs.t2bot.io/matrix-media-repo/ + +## Quickstart + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: + +```yaml +matrix_media_repo_enabled: true + +# (optional) Turned off by default +# matrix_media_repo_metrics_enabled: true +``` + +The repo is pre-configured for integrating with the postgres database, NGINX proxy and prometheus/grafana (if metrics enabled) from this playbook for all the available homeserver roles. When the media repo is enabled, other media store roles should be disabled (if using Synapse with other media store roles). + +By default, the media-repo will use the local filesystem for data storage. Additional options include `s3` and `IPFS` (experimental). Access token caching is also enabled by default since the logout endpoints are proxied through the media repo. + +## Configuring the media-repo + +Additional common configuration options: +```yaml + +# The postgres database pooling options + +# The maximum number of connects to hold open. More of these allow for more concurrent +# processes to happen. +matrix_media_repo_database_max_connections: 25 + +# The maximum number of connects to leave idle. More of these reduces the time it takes +# to serve requests in low-traffic scenarios. 
+matrix_media_repo_database_max_idle_connections: 5 + +# These users have full access to the administrative functions of the media repository. +# See https://github.com/turt2live/matrix-media-repo/blob/release-v1.2.8/docs/admin.md for information on what these people can do. They must belong to one of the +# configured homeservers above. +matrix_media_repo_admins: + admins: [] +# admins: +# - "@your_username:example.org" + +# Datastores are places where media should be persisted. This isn't dedicated for just uploads: +# thumbnails and other misc data is also stored in these places. The media repo, when looking +# for a datastore to use, will always use the smallest datastore first. +matrix_media_repo_datastores: + datastores: + - type: file + enabled: true # Enable this to set up data storage. + # Datastores can be split into many areas when handling uploads. Media is still de-duplicated + # across all datastores (local content which duplicates remote content will re-use the remote + # content's location). This option is useful if your datastore is becoming very large, or if + # you want faster storage for a particular kind of media. + # + # The kinds available are: + # thumbnails - Used to store thumbnails of media (local and remote). + # remote_media - Original copies of remote media (servers not configured by this repo). + # local_media - Original uploads for local media. + # archives - Archives of content (GDPR and similar requests). + forKinds: ["thumbnails", "remote_media", "local_media", "archives"] + opts: + path: /data/media + + - type: s3 + enabled: false # Enable this to set up s3 uploads + forKinds: ["thumbnails", "remote_media", "local_media", "archives"] + opts: + # The s3 uploader needs a temporary location to buffer files to reduce memory usage on + # small file uploads. If the file size is unknown, the file is written to this location + # before being uploaded to s3 (then the file is deleted). 
If you aren't concerned about + # memory usage, set this to an empty string. + tempPath: "/tmp/mediarepo_s3_upload" + endpoint: sfo2.digitaloceanspaces.com + accessKeyId: "" + accessSecret: "" + ssl: true + bucketName: "your-media-bucket" + # An optional region for where this S3 endpoint is located. Typically not needed, though + # some providers will need this (like Scaleway). Uncomment to use. + #region: "sfo2" + # An optional storage class for tuning how the media is stored at s3. + # See https://aws.amazon.com/s3/storage-classes/ for details; uncomment to use. + #storageClass: STANDARD + + # The media repo does support an IPFS datastore, but only if the IPFS feature is enabled. If + # the feature is not enabled, this will not work. Note that IPFS support is experimental at + # the moment and not recommended for general use. + # + # NOTE: Everything you upload to IPFS will be publicly accessible, even when the media repo + # puts authentication on the download endpoints. Only use this option for cases where you + # expect your media to be publicly accessible. + - type: ipfs + enabled: false # Enable this to use IPFS support + forKinds: ["local_media"] + # The IPFS datastore currently has no options. It will use the daemon or HTTP API configured + # in the IPFS section of your main config. + opts: {} + +``` + +Full list of configuration options with documentation can be found in `roles/custom/matrix-media-repo/templates/defaults/main.yml` + diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index 7e4764c20..49a47f1a5 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md 
@@ -83,6 +83,7 @@ Name | Description `matrix_bridge_hookshot_metrics_proxying_enabled`|Set this to `true` to expose the [Hookshot](configuring-playbook-bridge-hookshot.md) metrics on `https://matrix.DOMAIN/metrics/hookshot` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`) `matrix_SERVICE_metrics_proxying_enabled`|Various other services/roles may provide similar `_metrics_enabled` and `_metrics_proxying_enabled` variables for exposing their metrics. Refer to each role for details. Only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true` `matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks`|Add nginx `location` blocks to this list if you'd like to expose additional exporters manually (see below) +`matrix_media_repo_metrics_enabled`|Set this to `true` to make media-repo expose metrics (locally, on the container network) Example for how to make use of `matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks` for exposing additional metrics locations: ```nginx diff --git a/docs/configuring-playbook-s3.md b/docs/configuring-playbook-s3.md index 539f96d32..941ae0db2 100644 --- a/docs/configuring-playbook-s3.md +++ b/docs/configuring-playbook-s3.md @@ -9,7 +9,7 @@ First, [choose an Object Storage provider](#choosing-an-object-storage-provider) Then, [create the S3 bucket](#bucket-creation-and-security-configuration). -Finally, [set up S3 storage for Synapse](#setting-up) (with [Goofys](configuring-playbook-s3-goofys.md) or [synapse-s3-storage-provider](configuring-playbook-synapse-s3-storage-provider.md)). +Finally, [set up S3 storage for Synapse](#setting-up) (with [Goofys](configuring-playbook-s3-goofys.md), [synapse-s3-storage-provider](configuring-playbook-synapse-s3-storage-provider.md), or use s3 datastore with the [matrix-media-repo](https://docs.t2bot.io/matrix-media-repo/configuration/s3-datastore.html)). ## Choosing an Object Storage provider 
@@ -105,3 +105,4 @@ To set up Synapse to store files in S3, follow the instructions for the method o - using [synapse-s3-storage-provider](configuring-playbook-synapse-s3-storage-provider.md) (recommended) - using [Goofys to mount the S3 store to the local filesystem](configuring-playbook-s3-goofys.md) +- using [matrix-media-repo](https://docs.t2bot.io/matrix-media-repo/configuration/s3-datastore.html) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index d225cc302..cc60b9758 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -326,6 +326,8 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-ma1sd.service', 'priority': 2000, 'groups': ['matrix', 'ma1sd']}] if matrix_ma1sd_enabled else []) + + ([{'name': 'matrix-media-repo.service', 'priority': 4000, 'groups': ['matrix', 'media_store']}] if matrix_media_repo_enabled else []) + + ([{'name': 'matrix-mailer.service', 'priority': 2000, 'groups': ['matrix', 'mailer']}] if matrix_mailer_enabled else []) + ([{'name': 'matrix-nginx-proxy.service', 'priority': 3000, 'groups': ['matrix', 'nginx', 'reverse-proxies']}] if matrix_nginx_proxy_enabled else []) @@ -395,7 +397,6 @@ devture_systemd_service_manager_services_list_auto: | ######################################################################## - ###################################################################### # # com.devture.ansible.role.playbook_state_preserver @@ -418,7 +419,6 @@ devture_playbook_state_preserver_commit_hash_preservation_dst: "{{ matrix_base_d ###################################################################### - ###################################################################### # # matrix-base 
@@ -2557,6 +2557,38 @@ matrix_ma1sd_database_password: "{{ '%s' | format(matrix_homeserver_generic_secr # ###################################################################### +###################################################################### +# +# matrix-media-repo +# +###################################################################### + +matrix_media_repo_enabled: false +matrix_media_repo_identifier: matrix-media-repo +matrix_media_repo_container_network: "{{ matrix_docker_network }}" + +matrix_media_repo_container_labels_traefik_enabled: false +matrix_media_repo_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_media_repo_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_media_repo_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +matrix_media_repo_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_media_repo_database_username: matrix_media_repo +matrix_media_repo_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mediarepo.db', rounds=655555) | to_uuid }}" +matrix_media_repo_database_name: matrix_media_repo + +matrix_media_repo_systemd_required_services_list: | + {{ + (['docker.service']) + + + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + }} + +###################################################################### +# +# /matrix-media-repo +# +###################################################################### ###################################################################### # 
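Review bot: The block derives `matrix_media_repo_database_password` from `matrix_homeserver_generic_secret_key` like the neighbouring roles, but sets nothing for `matrix_media_repo_shared_secret_auth_token`, which the role's defaults in this same commit ship as the placeholder `"PutSomeRandomSecureValueHere"` (shared secret auth is off by default there, and its comment says the token is treated as a repository administrator). Anyone who sets `matrix_media_repo_shared_secret_auth_enabled: true` without also overriding the token would be running with a publicly known administrator secret. Following the playbook's convention, a derived value could be added here: `matrix_media_repo_shared_secret_auth_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mediarepo.ss', rounds=655555) | to_uuid }}"`, or at least the defaults comment should state that the token must be changed whenever the feature is enabled.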
@@ -2638,6 +2670,10 @@ matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_ma1sd_enabled } matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}" matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}" +matrix_nginx_proxy_proxy_media_repo_enabled: "{{ matrix_media_repo_enabled }}" +matrix_nginx_proxy_proxy_media_repo_addr_with_container: "matrix-media-repo:{{ matrix_media_repo_port }}" +matrix_nginx_proxy_proxy_media_repo_addr_sans_container: "127.0.0.1:{{ matrix_media_repo_port }}" + # By default, we do TLS termination for the Matrix Federation API (port 8448) at matrix-nginx-proxy. # Unless this is handled there OR Synapse's federation listener port is disabled, we'll reverse-proxy. matrix_nginx_proxy_proxy_matrix_federation_api_enabled: |- @@ -2696,6 +2732,8 @@ matrix_nginx_proxy_systemd_wanted_services_list: | + (['matrix-ma1sd.service'] if matrix_ma1sd_enabled else []) + + (['matrix-media-repo.service'] if matrix_media_repo_enabled else []) + + (['matrix-client-cinny.service'] if matrix_client_cinny_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) + (['matrix-bot-buscarron.service'] if matrix_bot_buscarron_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) 
@@ -3050,6 +3088,12 @@ devture_postgres_managed_databases_auto: | 'username': prometheus_postgres_exporter_database_username, 'password': prometheus_postgres_exporter_database_password, }] if (prometheus_postgres_exporter_enabled and prometheus_postgres_exporter_database_hostname == devture_postgres_connection_hostname) else []) + + + ([{ + 'name': matrix_media_repo_database_name, + 'username': matrix_media_repo_database_username, + 'password': matrix_media_repo_database_password, + }] if (matrix_media_repo_enabled and matrix_media_repo_database_hostname == devture_postgres_connection_hostname) else []) }} @@ -3424,6 +3468,9 @@ matrix_synapse_redis_password: "{{ redis_connection_password if redis_enabled el matrix_synapse_container_extra_arguments_auto: "{{ matrix_homeserver_container_extra_arguments_auto }}" matrix_synapse_app_service_config_files_auto: "{{ matrix_homeserver_app_service_config_files_auto }}" +# Disable creation of media repository Synapse worker when using media-repo +matrix_synapse_ext_media_repo_enabled: "{{ matrix_media_repo_enabled }}" + ###################################################################### # # /matrix-synapse @@ -3653,6 +3700,8 @@ prometheus_container_additional_networks: | ([matrix_hookshot_container_network] if matrix_prometheus_services_connect_scraper_hookshot_enabled and matrix_hookshot_container_network != prometheus_container_network else []) + ([matrix_prometheus_nginxlog_exporter_container_network] if matrix_prometheus_services_connect_scraper_nginxlog_enabled and matrix_prometheus_nginxlog_exporter_container_network != prometheus_container_network else []) + + + ([matrix_media_repo_container_network] if matrix_prometheus_services_connect_scraper_media_repo_enabled and matrix_media_repo_container_network != prometheus_container_network else []) ) | unique }} 
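Review bot: The comment above `matrix_synapse_ext_media_repo_enabled` says it disables the media repository worker, while the variable name and its value (`matrix_media_repo_enabled`) read as enabling something, which is confusing when scanning group_vars. Consider stating the cause first, e.g. `# matrix-media-repo replaces Synapse's built-in media repository; when it is enabled, the matrix-synapse role skips creating the media_repository worker`. The actual effect of the flag lives in roles/custom/matrix-synapse/defaults/main.yml, which this commit also touches but which is not visible in this hunk, so the wording should be checked against it.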
@@ -3678,6 +3727,8 @@ prometheus_config_scrape_configs_auto: | (matrix_prometheus_services_connect_scraper_hookshot_scrape_configs if matrix_prometheus_services_connect_scraper_hookshot_enabled else []) + (matrix_prometheus_services_connect_scraper_nginxlog_scrape_configs if matrix_prometheus_services_connect_scraper_nginxlog_enabled else []) + + + (matrix_prometheus_services_connect_scraper_media_repo_scrape_configs if matrix_prometheus_services_connect_scraper_media_repo_enabled else []) }} ###################################################################### @@ -3713,6 +3764,9 @@ matrix_prometheus_services_connect_scraper_hookshot_static_configs_target: "{{ m matrix_prometheus_services_connect_scraper_nginxlog_enabled: "{{ matrix_prometheus_nginxlog_exporter_enabled }}" matrix_prometheus_services_connect_scraper_nginxlog_static_configs_target: "{{ matrix_prometheus_nginxlog_exporter_container_hostname }}:{{ matrix_prometheus_nginxlog_exporter_container_metrics_port | string }}" +matrix_prometheus_services_connect_scraper_media_repo_enabled: "{{ matrix_media_repo_enabled and matrix_media_repo_metrics_enabled }}" +matrix_prometheus_services_connect_scraper_media_repo_static_configs_target: "{{ matrix_media_repo_identifier }}:{{ matrix_media_repo_metrics_port }}" + ###################################################################### # # /matrix-prometheus-services-connect @@ -3777,6 +3831,8 @@ grafana_dashboard_download_urls: | (prometheus_postgres_exporter_dashboard_urls if prometheus_postgres_exporter_enabled else []) + (matrix_prometheus_nginxlog_exporter_dashboard_urls if matrix_prometheus_nginxlog_exporter_enabled else []) + + + (matrix_media_repo_dashboard_urls if matrix_media_repo_metrics_enabled else []) }} grafana_provisioning_dashboard_template_files: | 
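Review bot: `grafana_dashboard_download_urls` gates the media-repo dashboards on `matrix_media_repo_metrics_enabled` alone, whereas the scraper gate defined two hunks earlier (`matrix_prometheus_services_connect_scraper_media_repo_enabled`) requires `matrix_media_repo_enabled and matrix_media_repo_metrics_enabled`; the same single-variable gate appears for `grafana_provisioning_dashboard_template_files` in the next hunk. Reusing the scraper flag keeps the three in step and avoids downloading a dashboard from a remote URL at deploy time for a service that is not running: `(matrix_media_repo_dashboard_urls if matrix_prometheus_services_connect_scraper_media_repo_enabled else [])`.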
@@ -3785,6 +3841,11 @@ grafana_provisioning_dashboard_template_files: | 'path': 'roles/custom/matrix-prometheus-nginxlog-exporter/templates/grafana/nginx-proxy.json', 'name': 'nginx-proxy.json', }] if matrix_prometheus_nginxlog_exporter_enabled else []) + + + ([{ + 'path': 'roles/custom/matrix-media-repo/templates/grafana/media-repo.json', + 'name': 'media-repo.json', + }] if matrix_media_repo_metrics_enabled else []) }} grafana_default_home_dashboard_path: |- @@ -3803,7 +3864,6 @@ grafana_default_home_dashboard_path: |- ###################################################################### - ###################################################################### # # matrix-registration @@ -3853,7 +3913,6 @@ matrix_registration_database_password: "{{ '%s' | format(matrix_homeserver_gener ###################################################################### - ###################################################################### # # matrix-sliding-sync diff --git a/roles/custom/matrix-media-repo/defaults/main.yml b/roles/custom/matrix-media-repo/defaults/main.yml new file mode 100644 index 000000000..87ffcbe84 --- /dev/null +++ b/roles/custom/matrix-media-repo/defaults/main.yml 
@@ -0,0 +1,681 @@ +--- +# matrix-media-repo is a highly customizable multi-domain media repository for Matrix. +# Intended for medium to large environments consisting of several homeservers, this +# media repo de-duplicates media (including remote media) while being fully compliant +# with the specification. +# See: https://github.com/turt2live/matrix-media-repo + +matrix_media_repo_enabled: true + +matrix_media_repo_container_image_self_build: false +matrix_media_repo_container_image_self_build_repo: "https://github.com/turt2live/matrix-media-repo.git" + +matrix_media_repo_docker_image_path: "turt2live/matrix-media-repo" +matrix_media_repo_docker_image: "{{ matrix_media_repo_docker_image_name_prefix }}{{ matrix_media_repo_docker_image_path }}:{{ matrix_media_repo_docker_image_tag }}" +matrix_media_repo_docker_image_name_prefix: "{{ 'localhost/' if matrix_media_repo_container_image_self_build else matrix_container_global_registry_prefix }}" +matrix_media_repo_docker_image_tag: "v1.2.13" +matrix_media_repo_docker_image_force_pull: "{{ matrix_media_repo_docker_image.endswith(':latest') }}" + +matrix_media_repo_base_path: "{{ matrix_base_data_path }}/media-repo" +matrix_media_repo_docker_src_files_path: "{{ matrix_media_repo_base_path }}/docker-src" + +# List of systemd services that matrix-conduit.service depends on +matrix_media_repo_systemd_required_services_list: ["docker.service"] + +# List of systemd services that matrix-conduit.service wants +matrix_media_repo_systemd_wanted_services_list: [] + +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_media_repo_container_network: "{{ matrix_docker_network }}" + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. 
+matrix_media_repo_container_additional_networks: [] + +# Extra arguments for the Docker container +matrix_media_repo_container_extra_arguments: [] + +# matrix_media_repo_dashboard_urls contains a list of URLs with Grafana dashboard definitions. +# If the Grafana role is enabled, these dashboards will be downloaded. +matrix_media_repo_dashboard_urls: + - https://raw.githubusercontent.com/spantaleev/matrix-docker-ansible-deploy/master/roles/custom/matrix-media-repo/templates/grafana/media-repo.json + +# ***************************************************************************** +# Configuration File Settings +# ***************************************************************************** + +# General repo configuration +matrix_media_repo_bind_address: '0.0.0.0' +matrix_media_repo_port: 8000 + +# Where to store the logs, relative to where the repo is started from. Logs will be automatically +# rotated every day and held for 14 days. To disable the repo logging to files, set this to +# "-" (including quotation marks). +# +# Note: to change the log directory you'll have to restart the repository. This setting cannot be +# live reloaded. +matrix_media_repo_log_directory: logs + +# Set to true to enable color coding in your logs. Note that this may cause escape sequences to +# appear in logs which render them unreadable, which is why colors are disabled by default. +matrix_media_repo_log_colors: false + +# Set to true to enable JSON logging for consumption by things like logstash. Note that this is +# incompatible with the log color option and will always render without colors. +matrix_media_repo_json_logs: false + +# The log level to log at. Note that this will need to be at least "info" to receive support. +# +# Values (in increasing spam): panic | fatal | error | warn | info | debug | trace +matrix_media_repo_log_level: "info" + +# If true, the media repo will accept any X-Forwarded-For header without validation. 
In most cases +# this option should be left as "false". Note that the media repo already expects an X-Forwarded-For +# header, but validates it to ensure the IP being given makes sense. +matrix_media_repo_trust_any_forwarded_address: false + +# If false, the media repo will not use the X-Forwarded-Host header commonly added by reverse proxies. +# Typically this should remain as true, though in some circumstances it may need to be disabled. +# See https://github.com/turt2live/matrix-media-repo/issues/202 for more information. +matrix_media_repo_use_forwarded_host: true + +# Options for dealing with federation + +# On a per-host basis, the number of consecutive failures in calling the host before the +# media repo will back off. This defaults to 20 if not given. Note that 404 errors from +# the remote server do not count towards this. +matrix_media_repo_federation_backoff_at: 20 + +# The database configuration for the media repository +# Do NOT put your homeserver's existing database credentials here. Create a new database and +# user instead. Using the same server is fine, just not the same username and database. +matrix_media_repo_database_username: "matrix_media_repo" +matrix_media_repo_database_password: "your_password" +matrix_media_repo_database_hostname: "matrix-postgres" +matrix_media_repo_database_port: 5432 +matrix_media_repo_database_name: "matrix_media_repo" + +# Currently only "postgres" is supported. +matrix_media_repo_database_postgres: "postgres://{{ matrix_media_repo_database_username }}:{{ matrix_media_repo_database_password }}@{{ matrix_media_repo_database_hostname }}:{{ matrix_media_repo_database_port }}/{{ matrix_media_repo_database_name }}?sslmode=disable" + +# The database pooling options + +# The maximum number of connects to hold open. More of these allow for more concurrent +# processes to happen. +matrix_media_repo_database_max_connections: 25 + +# The maximum number of connects to leave idle. 
More of these reduces the time it takes +# to serve requests in low-traffic scenarios. +matrix_media_repo_database_max_idle_connections: 5 + +# The configuration for the homeservers this media repository is known to control. Servers +# not listed here will not be able to upload media. +matrix_media_repo_homeservers: + homeservers: + # This should match the server_name of your homeserver, and the Host header + # provided to the media repo. + - name: "{{ matrix_server_fqn_matrix }}" + + # The base URL to where the homeserver can actually be reached + csApi: "https://{{ matrix_server_fqn_matrix }}/" + + # The number of consecutive failures in calling this homeserver before the + # media repository will start backing off. This defaults to 10 if not given. + backoffAt: 10 + + # The kind of admin API the homeserver supports. If set to "matrix", + # the media repo will use the Synapse-defined endpoints under the + # unstable client-server API. When this is "synapse", the new /_synapse + # endpoints will be used instead. Unknown values are treated as the + # default, "matrix". + adminApiKind: "matrix" + +# Options for controlling how access tokens work with the media repo. It is recommended that if +# you are going to use these options that the `/logout` and `/logout/all` client-server endpoints +# be proxied through this process. They will also be called on the homeserver, and the response +# sent straight through the client - they are simply used to invalidate the cache faster for +# a particular user. Without these, the access tokens might still work for a short period of time +# after the user has already invalidated them. +# +# This will also cache errors from the homeserver. +# +# Note that when this config block is used outside of a per-domain config, all hosts will be +# subject to the same cache. This also means that application services on limited homeservers +# could be authorized on the wrong domain. 
+#
+# ***************************************************************************
+# * IT IS HIGHLY RECOMMENDED TO USE PER-DOMAIN CONFIGS WITH THIS FEATURE. *
+# ***************************************************************************
+matrix_media_repo_access_tokens:
+ accessTokens:
+ # The maximum time a cached access token will be considered valid. Set to zero (the default)
+ # to disable the cache and constantly hit the homeserver. This is recommended to be set to
+ # 43200 (12 hours) on servers with the logout endpoints proxied through the media repo, and
+ # zero for servers who do not proxy the endpoints through.
+ maxCacheTimeSeconds: 43200
+
+ # Whether or not to use the `appservices` config option below. If disabled (the default),
+ # the regular access token cache will be used for each user, potentially leading to high
+ # memory usage.
+ useLocalAppserviceConfig: false
+
+ # The application services (and their namespaces) registered on the homeserver. Only used
+ # if `useLocalAppserviceConfig` is enabled (recommended).
+ #
+ # Usually the appservice will provide you with these config details - they'll just need
+ # translating from the appservice registration to here. Note that this does not require
+ # all options from the registration, and only requires the bare minimum required to run
+ # the media repo.
+ # appservices:
+ # - id: Name_of_appservice_for_your_reference
+ # asToken: Secret_token_for_appservices_to_use
+ # senderUserId: "@_example_bridge:yourdomain.com"
+ # userNamespaces:
+ # - regex: "@_example_bridge_.+:yourdomain.com"
+ # # A note about regexes: it is best to suffix *all* namespaces with the homeserver
+ # # domain users are valid for, as otherwise the appservice can use any user with
+ # # any domain name it feels like, even if that domain is not configured with the
+ # # media repo. This will lead to inaccurate reporting in the case of the media
+ # # repo, and potentially leading to media being considered "remote".
+
+# These users have full access to the administrative functions of the media repository.
+# See docs/admin.md for information on what these people can do. They must belong to one of the
+# configured homeservers above.
+matrix_media_repo_admins:
+ admins: []
+# admins:
+# - "@your_username:example.org"
+
+# Shared secret auth is useful for applications building on top of the media repository, such
+# as a management interface. The `token` provided here is treated as a repository administrator
+# when shared secret auth is enabled: if the `token` is used in place of an access token, the'
+# request will be authorized. This is not limited to any particular domain, giving applications
+# the ability to use it on any configured hostname.
+# Set this to true to enable shared secret auth.
+matrix_media_repo_shared_secret_auth_enabled: false
+
+# Use a secure value here to prevent unauthorized access to the media repository.
+matrix_media_repo_shared_secret_auth_token: "PutSomeRandomSecureValueHere"
+
+# Datastores are places where media should be persisted. This isn't dedicated for just uploads:
+# thumbnails and other misc data is also stored in these places. The media repo, when looking
+# for a datastore to use, will always use the smallest datastore first.
+matrix_media_repo_datastores:
+ datastores:
+ - type: file
+ enabled: true # Enable this to set up data storage.
+ # Datastores can be split into many areas when handling uploads. Media is still de-duplicated
+ # across all datastores (local content which duplicates remote content will re-use the remote
+ # content's location). This option is useful if your datastore is becoming very large, or if
+ # you want faster storage for a particular kind of media.
+ #
+ # The kinds available are:
+ # thumbnails - Used to store thumbnails of media (local and remote).
+ # remote_media - Original copies of remote media (servers not configured by this repo).
+ # local_media - Original uploads for local media.
+ # archives - Archives of content (GDPR and similar requests).
+ forKinds: ["thumbnails", "remote_media", "local_media", "archives"]
+ opts:
+ path: /data/media
+
+ - type: s3
+ enabled: false # Enable this to set up s3 uploads
+ forKinds: ["thumbnails", "remote_media", "local_media", "archives"]
+ opts:
+ # The s3 uploader needs a temporary location to buffer files to reduce memory usage on
+ # small file uploads. If the file size is unknown, the file is written to this location
+ # before being uploaded to s3 (then the file is deleted). If you aren't concerned about
+ # memory usage, set this to an empty string.
+ tempPath: "/tmp/mediarepo_s3_upload"
+ endpoint: sfo2.digitaloceanspaces.com
+ accessKeyId: ""
+ accessSecret: ""
+ ssl: true
+ bucketName: "your-media-bucket"
+ # An optional region for where this S3 endpoint is located. Typically not needed, though
+ # some providers will need this (like Scaleway). Uncomment to use.
+ # region: "sfo2"
+ # An optional storage class for tuning how the media is stored at s3.
+ # See https://aws.amazon.com/s3/storage-classes/ for details; uncomment to use.
+ # storageClass: STANDARD
+
+ # The media repo does support an IPFS datastore, but only if the IPFS feature is enabled. If
+ # the feature is not enabled, this will not work. Note that IPFS support is experimental at
+ # the moment and not recommended for general use.
+ #
+ # NOTE: Everything you upload to IPFS will be publicly accessible, even when the media repo
+ # puts authentication on the download endpoints. Only use this option for cases where you
+ # expect your media to be publicly accessible.
+ - type: ipfs
+ enabled: false # Enable this to use IPFS support
+ forKinds: ["local_media"]
+ # The IPFS datastore currently has no options. It will use the daemon or HTTP API configured
+ # in the IPFS section of your main config.
+ opts: {}
+
+# Options for controlling archives.
Archives are exports of a particular user's content for
+# the purpose of GDPR or moving media to a different server.
+
+# Whether archiving is enabled or not. Default enabled.
+matrix_media_repo_archiving_enabled: true
+# If true, users can request a copy of their own data. By default, only repository administrators
+# can request a copy.
+# This includes the ability for homeserver admins to request a copy of their own server's
+# data, as known to the repo.
+matrix_media_repo_archiving_self_service: false
+# The number of bytes to target per archive before breaking up the files. This is independent
+# of any file upload limits and will require a similar amount of memory when performing an export.
+# The file size is also a target, not a guarantee - it is possible to have files that are smaller
+# or larger than the target. This is recommended to be approximately double the size of your
+# file upload limit, provided there is enough memory available for the demand of exporting.
+matrix_media_repo_archiving_target_bytes_per_part: 209715200 # 200mb default
+
+# The file upload settings for the media repository
+matrix_media_repo_uploads:
+ uploads:
+ # The maximum individual file size a user can upload.
+ maxBytes: 104857600 # 100MB default, 0 to disable
+
+ # The minimum number of bytes to let people upload. This is recommended to be non-zero to
+ # ensure that the "cost" of running the media repo is worthwhile - small file uploads tend
+ # to waste more CPU and database resources than small files, thus a default of 100 bytes
+ # is applied here as an approximate break-even point.
+ minBytes: 100 # 100 bytes by default
+
+ # The number of bytes to claim as the maximum size for uploads for the limits API. If this
+ # is not provided then the maxBytes setting will be used instead. This is useful to provide
+ # if the media repo's settings and the reverse proxy do not match for maximum request size.
+ # This is purely for informational reasons and does not actually limit any functionality.
+ # Set this to -1 to indicate that there is no limit. Zero will force the use of maxBytes.
+ reportedMaxBytes: 0
+
+ # Options for limiting how much content a user can upload. Quotas are applied to content
+ # associated with a user regardless of de-duplication. Quotas which affect remote servers
+ # or users will not take effect. When a user exceeds their quota they will be unable to
+ # upload any more media.
+ quotas:
+ # Whether or not quotas are enabled/enforced. Note that even when disabled the media repo
+ # will track how much media a user has uploaded. This is disabled by default.
+ enabled: false
+
+ # The quota rules that affect users. The first rule to match the uploader will take effect.
+ # An implied rule which matches all users and has no quota is always last in this list,
+ # meaning that if no rules are supplied then users will be able to upload anything. Similarly,
+ # if no rules match a user then the implied rule will match, allowing the user to have no
+ # quota. The quota will let the user upload to 1 media past their quota, meaning that from
+ # a statistics perspective the user might exceed their quota however only by a small amount.
+ users:
+ - glob: "@*:*" # Affect all users. Use asterisks (*) to match any character.
+ maxBytes: 53687063712 # 50GB default, 0 to disable
+
+# Settings related to downloading files from the media repository
+
+# The maximum number of bytes to download from other servers
+matrix_media_repo_downloads_max_bytes: 104857600 # 100MB default, 0 to disable
+
+# The number of workers to use when downloading remote media. Raise this number if remote
+# media is downloading slowly or timing out.
+#
+# Maximum memory usage = numWorkers multiplied by the maximum download size
+# Average memory usage is dependent on how many concurrent downloads your users are doing.
+matrix_media_repo_downloads_num_workers: 10
+
+# How long, in minutes, to cache errors related to downloading remote media. Once this time
+# has passed, the media is able to be re-requested.
+matrix_media_repo_downloads_failure_cache_minutes: 5
+
+# The cache control settings for downloads. This can help speed up downloads for users by
+# keeping popular media in the cache. This cache is also used for thumbnails.
+matrix_media_repo_downloads_cache_enabled: true
+
+# The maximum size of cache to have. Higher numbers are better.
+matrix_media_repo_downloads_cache_max_size_bytes: 1048576000 # 1GB default
+
+# The maximum file size to cache. This should normally be the same size as your maximum
+# upload size.
+matrix_media_repo_downloads_cache_max_file_size_bytes: 104857600 # 100MB default
+
+# The number of minutes to track how many downloads a file gets
+matrix_media_repo_downloads_cache_tracked_minutes: 30
+
+# The number of downloads a file must receive in the window above (trackedMinutes) in
+# order to be cached.
+matrix_media_repo_downloads_cache_min_downloads: 5
+
+# The minimum amount of time an item should remain in the cache. This prevents the cache
+# from cycling out the file if it needs more room during this time. Note that the media
+# repo regularly cleans out media which is past this point from the cache, so this number
+# may need increasing depending on your use case. If the maxSizeBytes is reached for the
+# media repo, and some cached items are still under this timer, new items will not be able
+# to enter the cache. When this happens, consider raising maxSizeBytes or lowering this
+# timer.
+matrix_media_repo_downloads_cache_min_cache_time_seconds: 300
+
+# The minimum amount of time an item should remain outside the cache once it is removed.
+matrix_media_repo_downloads_cache_min_evicted_time_seconds: 60
+
+# How many days after a piece of remote content is downloaded before it expires.
It can be
+# re-downloaded on demand, this just helps free up space in your datastore. Set to zero or
+# negative to disable. Defaults to disabled.
+matrix_media_repo_downloads_expire_after_days: 0
+
+# URL Preview settings
+matrix_media_repo_url_previews:
+ urlPreviews:
+ enabled: true # If enabled, the preview_url routes will be accessible
+ maxPageSizeBytes: 10485760 # 10MB default, 0 to disable
+
+ # If true, the media repository will try to provide previews for URLs with invalid or unsafe
+ # certificates. If false (the default), the media repo will fail requests to said URLs.
+ previewUnsafeCertificates: false
+
+ # Note: URL previews are limited to a given number of words, which are then limited to a number
+ # of characters, taking off the last word if it needs to. This also applies for the title.
+
+ numWords: 50 # The number of words to include in a preview (maximum)
+ maxLength: 200 # The maximum number of characters for a description
+
+ numTitleWords: 30 # The maximum number of words to include in a preview's title
+ maxTitleLength: 150 # The maximum number of characters for a title
+
+ # The mime types to preview when OpenGraph previews cannot be rendered. OpenGraph previews are
+ # calculated on anything matching "text/*". To have a thumbnail in the preview the URL must be
+ # an image and the image's type must be allowed by the thumbnailer.
+ filePreviewTypes:
+ - "image/*"
+
+ # The number of workers to use when generating url previews. Raise this number if url
+ # previews are slow or timing out.
+ #
+ # Maximum memory usage = numWorkers multiplied by the maximum page size
+ # Average memory usage is dependent on how many concurrent urls your users are previewing.
+ numWorkers: 10
+
+ # Either allowedNetworks or disallowedNetworks must be provided. If both are provided, they
+ # will be merged. URL previews will be disabled if neither is supplied. Each entry must be
+ # a CIDR range.
+ disallowedNetworks:
+ - "127.0.0.1/8"
+ - "10.0.0.0/8"
+ - "172.16.0.0/12"
+ - "192.168.0.0/16"
+ - "100.64.0.0/10"
+ - "169.254.0.0/16"
+ - '::1/128'
+ - 'fe80::/64'
+ - 'fc00::/7'
+ allowedNetworks:
+ # "Everything". The blacklist will help limit this.
+ # This is the default value for this field.
+ - "0.0.0.0/0"
+
+ # How many days after a preview is generated before it expires and is deleted. The preview
+ # can be regenerated safely - this just helps free up some space in your database. Set to
+ # zero or negative to disable. Defaults to disabled.
+ expireAfterDays: 0
+
+ # The default Accept-Language header to supply when generating URL previews when one isn't
+ # supplied by the client.
+ # Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Language
+ defaultLanguage: "en-US,en"
+
+ # When true, oEmbed previews will be enabled. Typically these kinds of previews are used for
+ # sites that do not support OpenGraph or page scraping, such as Twitter. For information on
+ # specifying providers for oEmbed, including your own, see the following documentation:
+ # https://docs.t2bot.io/matrix-media-repo/url-previews/oembed.html
+ # Defaults to disabled.
+ oEmbed: false
+
+# The thumbnail configuration for the media repository.
+matrix_media_repo_thumbnails:
+ thumbnails:
+ # The maximum number of bytes an image can be before the thumbnailer refuses.
+ maxSourceBytes: 10485760 # 10MB default, 0 to disable
+
+ # The maximum number of pixels an image can have before the thumbnailer refuses. Note that
+ # this only applies to image types: file types like audio and video are affected solely by
+ # the maxSourceBytes.
+ maxPixels: 32000000 # 32M default
+
+ # The number of workers to use when generating thumbnails. Raise this number if thumbnails
+ # are slow to generate or timing out.
+ #
+ # Maximum memory usage = numWorkers multiplied by the maximum image source size
+ # Average memory usage is dependent on how many thumbnails are being generated by your users
+ numWorkers: 100
+
+ # All thumbnails are generated into one of the sizes listed here. The first size is used as
+ # the default for when no width or height is requested. The media repository will return
+ # either an exact match or the next largest size of thumbnail.
+ sizes:
+ - width: 32
+ height: 32
+ - width: 96
+ height: 96
+ - width: 320
+ height: 240
+ - width: 640
+ height: 480
+ - width: 768 # This size is primarily used for audio thumbnailing.
+ height: 240
+ - width: 800
+ height: 600
+
+ # To allow for thumbnails to be any size, not just in the sizes specified above, set this to
+ # true (default false). When enabled, whatever size requested by the client will be generated
+ # up to a maximum of the largest possible dimensions in the `sizes` list. For best results,
+ # specify only one size in the `sizes` list when this option is enabled.
+ dynamicSizing: false
+
+ # The content types to thumbnail when requested. Types that are not supported by the media repo
+ # will not be thumbnailed (adding application/json here won't work). Clients may still not request
+ # thumbnails for these types - this won't make clients automatically thumbnail these file types.
+ types:
+ - "image/jpeg"
+ - "image/jpg"
+ - "image/png"
+ - "image/apng"
+ - "image/gif"
+ - "image/heif"
+ - "image/webp"
+ # - "image/svg+xml" # Be sure to have ImageMagick installed to thumbnail SVG files
+ - "audio/mpeg"
+ - "audio/ogg"
+ - "audio/wav"
+ - "audio/flac"
+ # - "video/mp4" # Be sure to have ffmpeg installed to thumbnail video files
+
+ # Animated thumbnails can be CPU intensive to generate. To disable the generation of animated
+ # thumbnails, set this to false. If disabled, regular thumbnails will be returned.
+ allowAnimated: true
+
+ # Default to animated thumbnails, if available
+ defaultAnimated: false
+
+ # The maximum file size to thumbnail when a capable animated thumbnail is requested. If the image
+ # is larger than this, the thumbnail will be generated as a static image.
+ maxAnimateSizeBytes: 10485760 # 10MB default, 0 to disable
+
+ # On a scale of 0 (start of animation) to 1 (end of animation), where should the thumbnailer try
+ # and thumbnail animated content? Defaults to 0.5 (middle of animation).
+ stillFrame: 0.5
+
+ # How many days after a thumbnail is generated before it expires and is deleted. The thumbnail
+ # can be regenerated safely - this just helps free up some space in your datastores. Set to
+ # zero or negative to disable. Defaults to disabled.
+ expireAfterDays: 0
+
+# Controls for the rate limit functionality
+
+# Set this to false if rate limiting is handled at a higher level or you don't want it enabled.
+matrix_media_repo_rate_limit_enabled: true
+
+# The number of requests per second before an IP will be rate limited. Must be a whole number.
+matrix_media_repo_rate_limit_requests_per_second: 1
+
+# The number of requests an IP can send at once before the rate limit is actually considered.
+matrix_media_repo_rate_limit_burst: 10
+
+# Identicons are generated avatars for a given username. Some clients use these to give users a
+# default avatar after signing up. Identicons are not part of the official matrix spec, therefore
+# this feature is completely optional.
+matrix_media_repo_identicons_enabled: true
+
+# The quarantine media settings.
+
+# If true, when a thumbnail of quarantined media is requested an image will be returned. If no
+# image is given in the thumbnailPath below then a generated image will be provided. This does
+# not affect regular downloads of files.
+matrix_media_repo_quarantine_replace_thumbnails: true
+
+# If true, when media which has been quarantined is requested an image will be returned.
If
+# no image is given in the thumbnailPath below then a generated image will be provided. This
+# will replace media which is not an image (ie: quarantining a PDF will replace the PDF with
+# an image).
+matrix_media_repo_quarantine_replace_downloads: false
+
+# If provided, the given image will be returned as a thumbnail for media that is quarantined.
+matrix_media_repo_quarantine_thumbnail_path: ""
+
+# If true, administrators of the configured homeservers may quarantine media for their server
+# only. Global administrators can quarantine any media (local or remote) regardless of this
+# flag.
+matrix_media_repo_quarantine_allow_local_admins: true
+
+# The various timeouts that the media repo will use.
+
+# The maximum amount of time the media repo should spend trying to fetch a resource that is
+# being previewed.
+matrix_media_repo_timeouts_url_preview_timeout_seconds: 10
+
+# The maximum amount of time the media repo will spend making remote requests to other repos
+# or homeservers. This is primarily used to download media.
+matrix_media_repo_timeouts_federation_timeout_seconds: 120
+
+# The maximum amount of time the media repo will spend talking to your configured homeservers.
+# This is usually used to verify a user's identity.
+matrix_media_repo_timeouts_client_server_timeout_seconds: 30
+
+# Prometheus metrics configuration
+# For an example Grafana dashboard, import the following JSON:
+# https://github.com/turt2live/matrix-media-repo/blob/master/docs/grafana.json
+
+# If true, the bindAddress and port below will serve GET /metrics for Prometheus to scrape.
+matrix_media_repo_metrics_enabled: false
+
+# The address to listen on. Typically "127.0.0.1" or "0.0.0.0" for all interfaces.
+matrix_media_repo_metrics_bind_address: "0.0.0.0"
+
+# The port to listen on. Cannot be the same as the general web server port.
+matrix_media_repo_metrics_port: 9000
+
+# Plugins are optional pieces of the media repo used to extend the functionality offered.
+# Currently there are only antispam plugins, but in future there should be more options.
+# Plugins are not supported on per-domain paths and are instead repo-wide. For more
+# information on writing plugins, please visit #matrix-media-repo:t2bot.io on Matrix.
+matrix_media_repo_plugins:
+ plugins: []
+
+ # An example OCR plugin to block images with certain text. Note that the Docker image
+ # for the media repo automatically ships this at /plugins/plugin_antispam_ocr
+# - exec: /plugins/plugin_antispam_ocr
+# config:
+# # The URL to your OCR server (https://github.com/otiai10/ocrserver)
+# ocrServer: "http://localhost:8080"
+# # The keywords to scan for. The image must contain at least one of the keywords
+# # from each list to qualify for spam.
+# keywordGroups:
+# - - elon
+# - musk
+# - elonmusk
+# - - bitcoin
+# # The minimum (and maximum) sizes of images to process.
+# minSizeBytes: 20000
+# maxSizeBytes: 200000
+# # The types of files to process
+# types: ["image/png", "image/jpeg", "image/jpg"]
+# # The user ID regex to check against
+# userIds: "@telegram_.*"
+# # How much of the image's height, starting from the top, to consider before
+# # discarding the rest. Set to 1.0 to consider the whole image.
+# percentageOfHeight: 0.35
+
+# Options for controlling various MSCs/unstable features of the media repo
+# Sections of this config might disappear or be added over time. By default all
+# features are disabled in here and must be explicitly enabled to be used.
+matrix_media_repo_feature_support:
+ featureSupport:
+ # MSC2248 - Blurhash
+ MSC2448:
+ # Whether or not this MSC is enabled for use in the media repo
+ enabled: false
+
+ # Maximum dimensions for converting a blurhash to an image. When no width and
+ # height options are supplied, the default will be half these values.
+ maxWidth: 1024
+ maxHeight: 1024
+
+ # Thumbnail size in pixels to use to generate the blurhash string
+ thumbWidth: 64
+ thumbHeight: 64
+
+ # The X and Y components to use.
Higher numbers blur less, lower numbers blur more.
+ xComponents: 4
+ yComponents: 3
+
+ # The amount of contrast to apply when converting a blurhash to an image. Lower values
+ # make the effect more subtle, larger values make it stronger.
+ punch: 1
+
+ # IPFS Support
+ # This is currently experimental and might not work at all.
+ IPFS:
+ # Whether or not IPFS support is enabled for use in the media repo.
+ enabled: false
+
+ # Options for the built in IPFS daemon
+ builtInDaemon:
+ # Enable this to spawn an in-process IPFS node to use instead of a localhost
+ # HTTP agent. If this is disabled, the media repo will assume you have an HTTP
+ # IPFS agent running and accessible. Defaults to using a daemon (true).
+ enabled: true
+
+ # If the Daemon is enabled, set this to the location where the IPFS files should
+ # be stored. If you're using Docker, this should be something like "/data/ipfs"
+ # so it can be mapped to a volume.
+ repoPath: "./ipfs"
+
+ # Support for redis as a cache mechanism
+ #
+ # Note: Enabling Redis support will mean that the existing cache mechanism will do nothing.
+ # It can be safely disabled once Redis support is enabled.
+ #
+ # See docs/redis.md for more information on how this works and how to set it up.
+ redis:
+ # Whether or not use Redis instead of in-process caching.
+ enabled: false
+
+ # The Redis shards that should be used by the media repo in the ring. The names of the
+ # shards are for your reference and have no bearing on the connection, but must be unique.
+ shards:
+ - name: "server1"
+ addr: ":7000"
+ - name: "server2"
+ addr: ":7001"
+ - name: "server3"
+ addr: ":7002"
+
+# Optional sentry (https://sentry.io/) configuration for the media repo
+
+# Whether or not to set up error reporting. Defaults to off.
+matrix_media_repo_sentry_enabled: false
+
+# Get this value from the setup instructions in Sentry
+matrix_media_repo_sentry_dsn: "https://examplePublicKey@ingest.sentry.io/0"
+
+# Optional environment flag.
Defaults to an empty string.
+matrix_media_repo_sentry_environment: ""
+
+# Whether or not to turn on sentry's built in debugging. This will increase log output.
+matrix_media_repo_sentry_debug: false
diff --git a/roles/custom/matrix-media-repo/tasks/main.yml b/roles/custom/matrix-media-repo/tasks/main.yml
new file mode 100644
index 000000000..59f962a28
--- /dev/null
+++ b/roles/custom/matrix-media-repo/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+
+- tags:
+ - setup-all
+ - setup-media-repo
+ - install-all
+ - install-media-repo
+ block:
+ - when: matrix_media_repo_enabled | bool
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
+
+- tags:
+ - setup-all
+ - setup-media-repo
+ block:
+ - when: not matrix_media_repo_enabled | bool
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
diff --git a/roles/custom/matrix-media-repo/tasks/setup_install.yml b/roles/custom/matrix-media-repo/tasks/setup_install.yml
new file mode 100644
index 000000000..af02d4b09
--- /dev/null
+++ b/roles/custom/matrix-media-repo/tasks/setup_install.yml
@@ -0,0 +1,74 @@
+---
+
+- name: Ensure media-repo paths exist
+ ansible.builtin.file:
+ path: "{{ item.path }}"
+ state: directory
+ mode: 0750
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_groupname }}"
+ with_items:
+ - path: "{{ matrix_media_repo_base_path }}"
+ when: true
+ - path: "{{ matrix_media_repo_docker_src_files_path }}"
+ when: "{{ matrix_media_repo_container_image_self_build }}"
+ when: "item.when | bool"
+
+- name: Ensure media-repo configuration installed
+ ansible.builtin.template:
+ src: "{{ role_path }}/templates/media-repo/media-repo.yaml.j2"
+ dest: "{{ matrix_media_repo_base_path }}/media-repo.yaml"
+ mode: 0640
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_groupname }}"
+
+- name: Ensure media-repo Docker image is pulled
+ community.docker.docker_image:
+ name: "{{ matrix_media_repo_docker_image }}"
+ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+ force_source: "{{ matrix_media_repo_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+ force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_media_repo_docker_image_force_pull }}"
+ when: "not matrix_media_repo_container_image_self_build | bool"
+ register: result
+ retries: "{{ devture_playbook_help_container_retries_count }}"
+ delay: "{{ devture_playbook_help_container_retries_delay }}"
+ until: result is not failed
+
+- when: "matrix_media_repo_container_image_self_build | bool"
+ block:
+ - name: Ensure media-repo repository is present on self-build
+ ansible.builtin.git:
+ repo: "{{ matrix_media_repo_container_image_self_build_repo }}"
+ dest: "{{ matrix_media_repo_docker_src_files_path }}"
+ version: "{{ matrix_media_repo_docker_image.split(':')[1] }}"
+ force: "yes"
+ become: true
+ become_user: "{{ matrix_user_username }}"
+ register: matrix_media_repo_git_pull_results
+
+ - name: Check if media-repo Docker image exists
+ 
ansible.builtin.command: "{{ devture_systemd_docker_base_host_command_docker }} images --quiet --filter 'reference={{ matrix_media_repo_docker_image }}'"
+ register: matrix_media_repo_docker_image_check_result
+ changed_when: false
+
+ # Invoking the `docker build` command here, instead of calling the `docker_image` Ansible module,
+ # because the latter does not support BuildKit.
+ # See: https://github.com/ansible-collections/community.general/issues/514
+ - name: Ensure media-repo Docker image is built
+ ansible.builtin.command:
+ cmd: "{{ devture_systemd_docker_base_host_command_docker }} build -t {{ matrix_media_repo_docker_image }} {{ matrix_media_repo_docker_src_files_path }}"
+ environment:
+ DOCKER_BUILDKIT: 1
+ changed_when: true
+ when: "matrix_media_repo_git_pull_results.changed | bool or matrix_media_repo_docker_image_check_result.stdout == ''"
+
+- name: Ensure media-repo container network is created
+ community.general.docker_network:
+ name: "{{ matrix_media_repo_container_network }}"
+ driver: bridge
+
+- name: Ensure matrix-media-repo.service installed
+ ansible.builtin.template:
+ src: "{{ role_path }}/templates/media-repo/systemd/matrix-media-repo.service.j2"
+ dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-media-repo.service"
+ mode: 0640
diff --git a/roles/custom/matrix-media-repo/tasks/setup_uninstall.yml b/roles/custom/matrix-media-repo/tasks/setup_uninstall.yml
new file mode 100644
index 000000000..d5f08994e
--- /dev/null
+++ b/roles/custom/matrix-media-repo/tasks/setup_uninstall.yml
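Review bot: In `Ensure media-repo repository is present on self-build`, `version` is derived from the image tag via `matrix_media_repo_docker_image.split(':')[1]`, which is a mutable git ref rather than a commit, so a later move of that tag silently changes what the following `docker build` produces; a comment such as `# version is the image tag, a mutable git ref; override with a commit hash when a reproducible self-build is required` above the `version:` line, plus an optional override variable, would record that trade-off. The same expression would presumably fail if the image string carried no `:`-separated tag, which the block's `when` does not guard against. It is also worth stating in a comment that the `Check if media-repo Docker image exists` task intentionally uses `changed_when: false` so that only the build step reports a change.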
@@ -0,0 +1,19 @@
+---
+
+- name: Check existence of matrix-media-repo service
+ ansible.builtin.stat:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-media-repo.service"
+ register: matrix_media_repo_service_stat
+
+- when: matrix_media_repo_service_stat.stat.exists | bool
+ block:
+ - name: Ensure matrix-media-repo is stopped
+ ansible.builtin.systemd:
+ name: matrix-media-repo
+ state: stopped
+ daemon_reload: true
+
+ - name: Ensure matrix-media-repo.service doesn't exist
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-media-repo.service"
+ state: absent
diff --git a/roles/custom/matrix-media-repo/templates/grafana/media-repo.json b/roles/custom/matrix-media-repo/templates/grafana/media-repo.json
new file mode 100644
index 000000000..1fb68e0a9
--- /dev/null
+++ b/roles/custom/matrix-media-repo/templates/grafana/media-repo.json
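Review bot: After `Ensure matrix-media-repo.service doesn't exist` removes the unit file, nothing reloads systemd, so the manager keeps the stale unit loaded until some other task or a reboot triggers a reload; a closing task in the same block, `- name: Ensure systemd reloaded after matrix-media-repo.service removal` with `ansible.builtin.service: daemon_reload: true`, would mirror the `daemon_reload: true` already used on the stop task. The uninstall also leaves the container network and the config under the base path in place; if that is deliberate (keeping data for reinstall), a one-line comment saying so would save the next reader from checking.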
@@ -0,0 +1,991 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__elements": {}, + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "9.3.1" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "timeseries", + "name": "Time series", + "version": "" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "grafana", + "uid": "-- Grafana --" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "description": "", + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "id": 9, + "links": [], + "liveNow": false, + "panels": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "links": [], + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "hertz" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + 
"y": 0 + }, + "id": 2, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "9.5.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "rate(media_http_requests_total[2m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ '{{host}}: {{method}} {{action}}' }}", + "refId": "A" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "rate(media_invalid_http_requests_total[2m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ 'Invalid Host: {{method}} {{action}}' }}", + "refId": "B" + } + ], + "title": "HTTP Requsts", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "links": [], + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "hertz" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 0 + }, + "id": 3, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": 
"multi", + "sort": "none" + } + }, + "pluginVersion": "9.5.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "rate(media_http_responses_total[2m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ '{{host}}: {{method}} {{action}} {{statusCode}}' }}", + "refId": "A" + } + ], + "title": "HTTP Responses", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "links": [], + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 9 + }, + "id": 8, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "9.5.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "go_memstats_alloc_bytes", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "memory usage (alloc)", + "refId": "B" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": 
"go_memstats_sys_bytes", + "interval": "", + "legendFormat": "memory usage (sys)", + "refId": "C" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "go_memstats_heap_alloc_bytes", + "interval": "", + "legendFormat": "heap usage (alloc)", + "refId": "A" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "go_memstats_heap_idle_bytes", + "interval": "", + "legendFormat": "heap usage (idle)", + "refId": "D" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "go_memstats_heap_inuse_bytes", + "interval": "", + "legendFormat": "heap usage (used)", + "refId": "E" + } + ], + "title": "Memory Usage", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "links": [], + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 9 + }, + "id": 4, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "9.5.3", + "targets": [ + { + 
"datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "media_cache_num_bytes_used", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{ 'size of cache: {{cache}}' }}", + "refId": "B" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "media_cache_num_live_bytes_used", + "interval": "", + "legendFormat": "{{ 'live size of cache: {{cache}}' }}", + "refId": "C" + } + ], + "title": "Cache Size (Bytes)", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "links": [], + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 18 + }, + "id": 9, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "9.5.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "media_cache_num_items", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{ 'items in cache: 
{{cache}}' }}", + "refId": "B" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "media_cache_num_live_items", + "interval": "", + "legendFormat": "{{ 'live items in cache: {{cache}}' }}", + "refId": "C" + } + ], + "title": "Cache Size (# of items)", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "links": [], + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "hertz" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 18 + }, + "id": 5, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "9.5.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "rate(media_cache_hits_total[2m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ 'hits in {{cache}}' }}", + "refId": "A" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "rate(media_cache_misses_total[2m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ 
'misses in {{cache}}' }}", + "refId": "B" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "rate(media_cache_evictions_total[2m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ 'evictions due to {{reason}} in {{cache}}' }}", + "refId": "C" + } + ], + "title": "Cache Operations", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "links": [], + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "hertz" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 27 + }, + "id": 6, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "9.5.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "rate(media_thumbnails_generated_total[2m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ '{{origin}} {{width}}x{{height}} {{method}} animated={{animated}}' }}", + "refId": "A" + } + ], + "title": "Thumbnail Generation", + "type": "timeseries" + }, + { + "datasource": { + 
"type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "links": [], + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "hertz" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 27 + }, + "id": 7, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "9.5.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "rate(media_downloaded_total[2m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ 'downloads from {{origin}}' }}", + "refId": "A" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "rate(media_url_previews_generated_total[2m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ 'preview with engine: {{type}}' }}", + "refId": "B" + } + ], + "title": "Resource Handling", + "type": "timeseries" + } + ], + "refresh": "1m", + "schemaVersion": 38, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "current": { + "selected": true, + "text": "Prometheus", + "value": "Prometheus" + }, + "hide": 0, 
+ "includeAll": false, + "multi": false, + "name": "DS_PROMETHEUS", + "options": [], + "query": "prometheus", + "queryValue": "", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + } + ] + }, + "time": { + "from": "now-1h", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Media Repo Dashboard", + "uid": "xJUZ3xfmk", + "version": 2, + "weekStart": "" +} \ No newline at end of file diff --git a/roles/custom/matrix-media-repo/templates/media-repo/media-repo.yaml.j2 b/roles/custom/matrix-media-repo/templates/media-repo/media-repo.yaml.j2 new file mode 100644 index 000000000..0595f576d --- /dev/null +++ b/roles/custom/matrix-media-repo/templates/media-repo/media-repo.yaml.j2 
@@ -0,0 +1,359 @@
+# General repo configuration
+repo:
+ bindAddress: {{ matrix_media_repo_bind_address }}
+ port: {{ matrix_media_repo_port }}
+
+ # Where to store the logs, relative to where the repo is started from. Logs will be automatically
+ # rotated every day and held for 14 days. To disable the repo logging to files, set this to
+ # "-" (including quotation marks).
+ #
+ # Note: to change the log directory you'll have to restart the repository. This setting cannot be
+ # live reloaded.
+ logDirectory: {{ matrix_media_repo_log_directory }}
+
+ # Set to true to enable color coding in your logs. Note that this may cause escape sequences to
+ # appear in logs which render them unreadable, which is why colors are disabled by default.
+ logColors: {{ matrix_media_repo_log_colors }}
+
+ # Set to true to enable JSON logging for consumption by things like logstash. Note that this is
+ # incompatible with the log color option and will always render without colors.
+ jsonLogs: {{ matrix_media_repo_json_logs }}
+
+ # The log level to log at. Note that this will need to be at least "info" to receive support.
+ #
+ # Values (in increasing spam): panic | fatal | error | warn | info | debug | trace
+ logLevel: {{ matrix_media_repo_log_level }}
+
+ # If true, the media repo will accept any X-Forwarded-For header without validation. In most cases
+ # this option should be left as "false". Note that the media repo already expects an X-Forwarded-For
+ # header, but validates it to ensure the IP being given makes sense.
+ trustAnyForwardedAddress: {{ matrix_media_repo_trust_any_forwarded_address }}
+
+ # If false, the media repo will not use the X-Forwarded-Host header commonly added by reverse proxies.
+ # Typically this should remain as true, though in some circumstances it may need to be disabled.
+ # See https://github.com/turt2live/matrix-media-repo/issues/202 for more information.
+ useForwardedHost: {{ matrix_media_repo_use_forwarded_host }}
+
+# Options for dealing with federation
+federation:
+ # On a per-host basis, the number of consecutive failures in calling the host before the
+ # media repo will back off. This defaults to 20 if not given. Note that 404 errors from
+ # the remote server do not count towards this.
+ backoffAt: {{ matrix_media_repo_federation_backoff_at }}
+
+# The database configuration for the media repository
+# Do NOT put your homeserver's existing database credentials here. Create a new database and
+# user instead. Using the same server is fine, just not the same username and database.
+database:
+ # Currently only "postgres" is supported.
+ postgres: {{ matrix_media_repo_database_postgres }}
+
+ # The database pooling options
+ pool:
+ # The maximum number of connects to hold open. More of these allow for more concurrent
+ # processes to happen.
+ maxConnections: {{ matrix_media_repo_database_max_connections }}
+
+ # The maximum number of connects to leave idle. More of these reduces the time it takes
+ # to serve requests in low-traffic scenarios.
+ maxIdleConnections: {{ matrix_media_repo_database_max_idle_connections }}
+
+# The configuration for the homeservers this media repository is known to control. Servers
+# not listed here will not be able to upload media.
+{#
+homeservers:
+ - name: example.org # This should match the server_name of your homeserver, and the Host header
+ # provided to the media repo.
+ csApi: "https://example.org/" # The base URL to where the homeserver can actually be reached
+ backoffAt: 10 # The number of consecutive failures in calling this homeserver before the
+ # media repository will start backing off. This defaults to 10 if not given.
+ adminApiKind: "matrix" # The kind of admin API the homeserver supports. If set to "matrix",
+ # the media repo will use the Synapse-defined endpoints under the
+ # unstable client-server API. 
When this is "synapse", the new /_synapse
+ # endpoints will be used instead. Unknown values are treated as the
+ # default, "matrix".
+#}
+{{ matrix_media_repo_homeservers | to_nice_yaml(indent=2, sort_keys=false) }}
+
+# Options for controlling how access tokens work with the media repo. It is recommended that if
+# you are going to use these options that the `/logout` and `/logout/all` client-server endpoints
+# be proxied through this process. They will also be called on the homeserver, and the response
+# sent straight through the client - they are simply used to invalidate the cache faster for
+# a particular user. Without these, the access tokens might still work for a short period of time
+# after the user has already invalidated them.
+#
+# This will also cache errors from the homeserver.
+#
+# Note that when this config block is used outside of a per-domain config, all hosts will be
+# subject to the same cache. This also means that application services on limited homeservers
+# could be authorized on the wrong domain.
+#
+# ***************************************************************************
+# * IT IS HIGHLY RECOMMENDED TO USE PER-DOMAIN CONFIGS WITH THIS FEATURE. *
+# ***************************************************************************
+{{ matrix_media_repo_access_tokens | to_nice_yaml(indent=2, sort_keys=false) }}
+
+# These users have full access to the administrative functions of the media repository.
+# See docs/admin.md for information on what these people can do. They must belong to one of the
+# configured homeservers above.
+{{ matrix_media_repo_admins | to_nice_yaml(indent=2, sort_keys=false) }}
+
+# Shared secret auth is useful for applications building on top of the media repository, such
+# as a management interface. The `token` provided here is treated as a repository administrator
+# when shared secret auth is enabled: if the `token` is used in place of an access token, the'
+# request will be authorized. 
This is not limited to any particular domain, giving applications
+# the ability to use it on any configured hostname.
+sharedSecretAuth:
+ # Set this to true to enable shared secret auth.
+ enabled: {{ matrix_media_repo_shared_secret_auth_enabled }}
+
+ # Use a secure value here to prevent unauthorized access to the media repository.
+ token: {{ matrix_media_repo_shared_secret_auth_token }}
+
+# Datastores are places where media should be persisted. This isn't dedicated for just uploads:
+# thumbnails and other misc data is also stored in these places. The media repo, when looking
+# for a datastore to use, will always use the smallest datastore first.
+{#
+datastores:
+ - type: file
+ enabled: false # Enable this to set up data storage.
+ # Datastores can be split into many areas when handling uploads. Media is still de-duplicated
+ # across all datastores (local content which duplicates remote content will re-use the remote
+ # content's location). This option is useful if your datastore is becoming very large, or if
+ # you want faster storage for a particular kind of media.
+ #
+ # The kinds available are:
+ # thumbnails - Used to store thumbnails of media (local and remote).
+ # remote_media - Original copies of remote media (servers not configured by this repo).
+ # local_media - Original uploads for local media.
+ # archives - Archives of content (GDPR and similar requests).
+ forKinds: ["thumbnails"]
+ opts:
+ path: /var/matrix/media
+
+ - type: s3
+ enabled: false # Enable this to set up s3 uploads
+ forKinds: ["thumbnails", "remote_media", "local_media", "archives"]
+ opts:
+ # The s3 uploader needs a temporary location to buffer files to reduce memory usage on
+ # small file uploads. If the file size is unknown, the file is written to this location
+ # before being uploaded to s3 (then the file is deleted). If you aren't concerned about
+ # memory usage, set this to an empty string. 
+ tempPath: "/tmp/mediarepo_s3_upload"
+ endpoint: sfo2.digitaloceanspaces.com
+ accessKeyId: ""
+ accessSecret: ""
+ ssl: true
+ bucketName: "your-media-bucket"
+ # An optional region for where this S3 endpoint is located. Typically not needed, though
+ # some providers will need this (like Scaleway). Uncomment to use.
+ #region: "sfo2"
+
+ # The media repo does support an IPFS datastore, but only if the IPFS feature is enabled. If
+ # the feature is not enabled, this will not work. Note that IPFS support is experimental at
+ # the moment and not recommended for general use.
+ #
+ # NOTE: Everything you upload to IPFS will be publicly accessible, even when the media repo
+ # puts authentication on the download endpoints. Only use this option for cases where you
+ # expect your media to be publicly accessible.
+ - type: ipfs
+ enabled: false # Enable this to use IPFS support
+ forKinds: ["local_media"]
+ # The IPFS datastore currently has no options. It will use the daemon or HTTP API configured
+ # in the IPFS section of your main config.
+ opts: {}
+#}
+{{ matrix_media_repo_datastores | to_nice_yaml(indent=2, sort_keys=false) }}
+
+# Options for controlling archives. Archives are exports of a particular user's content for
+# the purpose of GDPR or moving media to a different server.
+archiving:
+ # Whether archiving is enabled or not. Default enabled.
+ enabled: {{ matrix_media_repo_archiving_enabled }}
+ # If true, users can request a copy of their own data. By default, only repository administrators
+ # can request a copy.
+ # This includes the ability for homeserver admins to request a copy of their own server's
+ # data, as known to the repo.
+ selfService: {{ matrix_media_repo_archiving_self_service }}
+ # The number of bytes to target per archive before breaking up the files. This is independent
+ # of any file upload limits and will require a similar amount of memory when performing an export. 
+ # The file size is also a target, not a guarantee - it is possible to have files that are smaller
+ # or larger than the target. This is recommended to be approximately double the size of your
+ # file upload limit, provided there is enough memory available for the demand of exporting.
+ targetBytesPerPart: {{ matrix_media_repo_archiving_target_bytes_per_part }} # 200mb default
+
+# The file upload settings for the media repository
+{{ matrix_media_repo_uploads | to_nice_yaml(indent=2, sort_keys=false) }}
+
+# Settings related to downloading files from the media repository
+downloads:
+ # The maximum number of bytes to download from other servers
+ maxBytes: {{ matrix_media_repo_downloads_max_bytes }} # 100MB default, 0 to disable
+
+ # The number of workers to use when downloading remote media. Raise this number if remote
+ # media is downloading slowly or timing out.
+ #
+ # Maximum memory usage = numWorkers multiplied by the maximum download size
+ # Average memory usage is dependent on how many concurrent downloads your users are doing.
+ numWorkers: {{ matrix_media_repo_downloads_num_workers }}
+
+ # How long, in minutes, to cache errors related to downloading remote media. Once this time
+ # has passed, the media is able to be re-requested.
+ failureCacheMinutes: {{ matrix_media_repo_downloads_failure_cache_minutes }}
+
+ # The cache control settings for downloads. This can help speed up downloads for users by
+ # keeping popular media in the cache. This cache is also used for thumbnails.
+ cache:
+ enabled: {{ matrix_media_repo_downloads_cache_enabled }}
+
+ # The maximum size of cache to have. Higher numbers are better.
+ maxSizeBytes: {{ matrix_media_repo_downloads_cache_max_size_bytes }} # 1GB default
+
+ # The maximum file size to cache. This should normally be the same size as your maximum
+ # upload size. 
+ maxFileSizeBytes: {{ matrix_media_repo_downloads_cache_max_file_size_bytes }} # 100MB default
+
+ # The number of minutes to track how many downloads a file gets
+ trackedMinutes: {{ matrix_media_repo_downloads_cache_tracked_minutes }}
+
+ # The number of downloads a file must receive in the window above (trackedMinutes) in
+ # order to be cached.
+ minDownloads: {{ matrix_media_repo_downloads_cache_min_downloads }}
+
+ # The minimum amount of time an item should remain in the cache. This prevents the cache
+ # from cycling out the file if it needs more room during this time. Note that the media
+ # repo regularly cleans out media which is past this point from the cache, so this number
+ # may need increasing depending on your use case. If the maxSizeBytes is reached for the
+ # media repo, and some cached items are still under this timer, new items will not be able
+ # to enter the cache. When this happens, consider raising maxSizeBytes or lowering this
+ # timer.
+ minCacheTimeSeconds: {{ matrix_media_repo_downloads_cache_min_cache_time_seconds }}
+
+ # The minimum amount of time an item should remain outside the cache once it is removed.
+ minEvictedTimeSeconds: {{ matrix_media_repo_downloads_cache_min_evicted_time_seconds }}
+
+ # How many days after a piece of remote content is downloaded before it expires. It can be
+ # re-downloaded on demand, this just helps free up space in your datastore. Set to zero or
+ # negative to disable. Defaults to disabled.
+ expireAfterDays: {{ matrix_media_repo_downloads_expire_after_days }}
+
+# URL Preview settings
+{{ matrix_media_repo_url_previews | to_nice_yaml(indent=2) }}
+
+# The thumbnail configuration for the media repository.
+{{ matrix_media_repo_thumbnails | to_nice_yaml(indent=2) }}
+
+# Controls for the rate limit functionality
+rateLimit:
+ # Set this to false if rate limiting is handled at a higher level or you don't want it enabled. 
+ enabled: {{ matrix_media_repo_rate_limit_enabled }}
+
+ # The number of requests per second before an IP will be rate limited. Must be a whole number.
+ requestsPerSecond: {{ matrix_media_repo_rate_limit_requests_per_second }}
+
+ # The number of requests an IP can send at once before the rate limit is actually considered.
+ burst: {{ matrix_media_repo_rate_limit_burst }}
+
+# Identicons are generated avatars for a given username. Some clients use these to give users a
+# default avatar after signing up. Identicons are not part of the official matrix spec, therefore
+# this feature is completely optional.
+identicons:
+ enabled: {{ matrix_media_repo_identicons_enabled }}
+
+# The quarantine media settings.
+quarantine:
+ # If true, when a thumbnail of quarantined media is requested an image will be returned. If no
+ # image is given in the thumbnailPath below then a generated image will be provided. This does
+ # not affect regular downloads of files.
+ replaceThumbnails: {{ matrix_media_repo_quarantine_replace_thumbnails }}
+
+ # If true, when media which has been quarantined is requested an image will be returned. If
+ # no image is given in the thumbnailPath below then a generated image will be provided. This
+ # will replace media which is not an image (ie: quarantining a PDF will replace the PDF with
+ # an image).
+ replaceDownloads: {{ matrix_media_repo_quarantine_replace_downloads }}
+
+ # If provided, the given image will be returned as a thumbnail for media that is quarantined.
+ #thumbnailPath: "/path/to/thumbnail.png"
+ thumbnailPath: {{ "" if matrix_media_repo_quarantine_thumbnail_path == "" else matrix_media_repo_quarantine_thumbnail_path }}
+
+ # If true, administrators of the configured homeservers may quarantine media for their server
+ # only. Global administrators can quarantine any media (local or remote) regardless of this
+ # flag. 
+ allowLocalAdmins: {{ matrix_media_repo_quarantine_allow_local_admins }} + +# The various timeouts that the media repo will use. +timeouts: + # The maximum amount of time the media repo should spend trying to fetch a resource that is + # being previewed. + urlPreviewTimeoutSeconds: {{ matrix_media_repo_timeouts_url_preview_timeout_seconds }} + + # The maximum amount of time the media repo will spend making remote requests to other repos + # or homeservers. This is primarily used to download media. + federationTimeoutSeconds: {{ matrix_media_repo_timeouts_federation_timeout_seconds }} + + # The maximum amount of time the media repo will spend talking to your configured homeservers. + # This is usually used to verify a user's identity. + clientServerTimeoutSeconds: {{ matrix_media_repo_timeouts_client_server_timeout_seconds }} + +# Prometheus metrics configuration +# For an example Grafana dashboard, import the following JSON: +# https://github.com/turt2live/matrix-media-repo/blob/master/docs/grafana.json +metrics: + # If true, the bindAddress and port below will serve GET /metrics for Prometheus to scrape. + enabled: {{ matrix_media_repo_metrics_enabled }} + + # The address to listen on. Typically "127.0.0.1" or "0.0.0.0" for all interfaces. + bindAddress: {{ matrix_media_repo_metrics_bind_address }} + + # The port to listen on. Cannot be the same as the general web server port. + port: {{ matrix_media_repo_metrics_port }} + +# Plugins are optional pieces of the media repo used to extend the functionality offered. +# Currently there are only antispam plugins, but in future there should be more options. +# Plugins are not supported on per-domain paths and are instead repo-wide. For more +# information on writing plugins, please visit #matrix-media-repo:t2bot.io on Matrix. +{{ matrix_media_repo_plugins | to_nice_yaml(indent=2) }} + + # An example OCR plugin to block images with certain text. 
Note that the Docker image + # for the media repo automatically ships this at /plugins/plugin_antispam_ocr +# - exec: /plugins/plugin_antispam_ocr +# config: +# # The URL to your OCR server (https://github.com/otiai10/ocrserver) +# ocrServer: "http://localhost:8080" +# # The keywords to scan for. The image must contain at least one of the keywords +# # from each list to qualify for spam. +# keywordGroups: +# - - elon +# - musk +# - elonmusk +# - - bitcoin +# # The minimum (and maximum) sizes of images to process. +# minSizeBytes: 20000 +# maxSizeBytes: 200000 +# # The types of files to process +# types: ["image/png", "image/jpeg", "image/jpg"] +# # The user ID regex to check against +# userIds: "@telegram_.*" +# # How much of the image's height, starting from the top, to consider before +# # discarding the rest. Set to 1.0 to consider the whole image. +# percentageOfHeight: 0.35 + +# Options for controlling various MSCs/unstable features of the media repo +# Sections of this config might disappear or be added over time. By default all +# features are disabled in here and must be explicitly enabled to be used. +{{ matrix_media_repo_feature_support | to_nice_yaml(indent=2) }} + +# Optional sentry (https://sentry.io/) configuration for the media repo +sentry: + # Whether or not to set up error reporting. Defaults to off. + enabled: {{ matrix_media_repo_sentry_enabled }} + + # Get this value from the setup instructions in Sentry + dsn: {{ matrix_media_repo_sentry_dsn }} + + # Optional environment flag. Defaults to an empty string. + environment: {{ "" if matrix_media_repo_sentry_environment == "" else matrix_media_repo_sentry_environment }} + + # Whether or not to turn on sentry's built in debugging. This will increase log output. + debug: {{ matrix_media_repo_sentry_debug }} \ No newline at end of file 
diff --git a/roles/custom/matrix-media-repo/templates/media-repo/systemd/matrix-media-repo.service.j2 b/roles/custom/matrix-media-repo/templates/media-repo/systemd/matrix-media-repo.service.j2
new file mode 100644
index 000000000..ac33e3fee
--- /dev/null
+++ b/roles/custom/matrix-media-repo/templates/media-repo/systemd/matrix-media-repo.service.j2
@@ -0,0 +1,52 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix media-repo
+{% for service in matrix_media_repo_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_media_repo_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-media-repo 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-media-repo 2>/dev/null || true'
+
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
+ --rm \
+ --name=matrix-media-repo \
+ --log-driver=none \
+ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+ --cap-drop=ALL \
+ --network={{ matrix_docker_network }} \
+ -p {{ matrix_media_repo_port }}:{{ matrix_media_repo_port }} \
+ {% if matrix_media_repo_metrics_enabled %}
+ -p {{ matrix_media_repo_metrics_port }}:{{ matrix_media_repo_metrics_port }} \
+ {% endif %}
+ -v {{ matrix_media_repo_base_path }}:/data:z \
+ --workdir='/data' \
+ --entrypoint='media_repo' \
+ {% for arg in matrix_media_repo_container_extra_arguments %}
+ {{ arg }} \
+ {% endfor %}
+ {{ matrix_media_repo_docker_image }}
+
+{% for network in matrix_media_repo_container_additional_networks %}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-media-repo
+{% endfor %}
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-media-repo
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-media-repo 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-media-repo 2>/dev/null || true'
+ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-media-repo /bin/sh -c 'kill -HUP 1'
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-media-repo
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml
index 8ad11b375..d8d73a869 100644
--- a/roles/custom/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml
@@ -333,6 +333,11 @@ matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}" matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}" +# Controls whether proxying for the media repo (`/_matrix/media`) should be done (on the matrix domain) +matrix_nginx_proxy_proxy_media_repo_enabled: false +matrix_nginx_proxy_proxy_media_repo_addr_with_container: "matrix-media-repo:{{ matrix_media_repo_port }}" +matrix_nginx_proxy_proxy_media_repo_addr_sans_container: "127.0.0.1:{{ matrix_media_repo_port }}" + # The addresses where the Matrix Client API is. # Certain extensions (like matrix-corporal) may override this in order to capture all traffic. matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-nginx-proxy:12080"
diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
index 63d45bc63..8ecaf64e9 100644
--- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
+++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
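Review bot: The `-p {{ matrix_media_repo_port }}:{{ matrix_media_repo_port }}` and `-p {{ matrix_media_repo_metrics_port }}:{{ matrix_media_repo_metrics_port }}` lines in the `create` command publish the media-repo HTTP port and its Prometheus port on every host interface, so both become reachable directly from outside, bypassing matrix-nginx-proxy (which, per the defaults added in the same commit, reaches the container as `matrix-media-repo:{{ matrix_media_repo_port }}` over the container network anyway) and exposing `/metrics`, which nothing in the rendered config gates with authentication. Either drop the `-p` lines or bind them to a configurable host address, e.g. `-p 127.0.0.1:{{ matrix_media_repo_port }}:{{ matrix_media_repo_port }} \`; PATCH 877 later in this series makes publishing opt-in via `matrix_media_repo_container_http_host_bind_port`, which is the right shape. Separately, `-v {{ matrix_media_repo_base_path }}:/data:z` mounts the directory holding the rendered `media-repo.yaml` (database password, Sentry DSN) read-write into a container that only needs to read it; a read-only mount for the config would be safer.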
@@ -94,6 +94,96 @@ } {% endif %} + {% if matrix_nginx_proxy_proxy_media_repo_enabled %} + # Redirect all media endpoints to the media-repo + location ^~ /_matrix/media { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }}; + {% endif %} + + # Make sure this matches your homeserver in media-repo.yaml + # You may have to manually specify it if using delegation or the + # incoming Host doesn't match. + proxy_set_header Host $host; + + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + } + + # Redirect other endpoints registered by the media-repo to its container + # /_matrix/client/r0/logout + # /_matrix/client/r0/logout/all + location ^~ /_matrix/client/(r0|v1|v3|unstable)/(logout|logout/all) { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }}; + {% endif %} + + # Make sure this matches your homeserver in media-repo.yaml + # You may have to manually specify it if using delegation or the + # incoming Host doesn't match. 
+ proxy_set_header Host $host; + + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + } + + # Redirect other endpoints registered by the media-repo to its container + # /_matrix/client/r0/admin/purge_media_cache + # /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+} + location ^~ /_matrix/client/(r0|v1|v3|unstable)/admin/(purge_media_cache|quarantine_media/.*) { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }}; + {% endif %} + + # Make sure this matches your homeserver in media-repo.yaml + # You may have to manually specify it if using delegation or the + # incoming Host doesn't match. + proxy_set_header Host $host; + + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + } + + # Redirect other endpoints registered by the media-repo to its container + location ^~ /_matrix/client/unstable/io.t2bot.media { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }}; + {% endif %} + + # Make sure this matches your homeserver in media-repo.yaml + # You may have to manually specify it if using delegation or the + # incoming Host doesn't match. 
+ proxy_set_header Host $host; + + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + } + {% endif %} + {% if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled %} location ^~ /_matrix/client/r0/user_directory/search { {% if matrix_nginx_proxy_enabled %} diff --git a/roles/custom/matrix-prometheus-services-connect/defaults/main.yml b/roles/custom/matrix-prometheus-services-connect/defaults/main.yml index 748f88c5c..f06d8da4e 100644 --- a/roles/custom/matrix-prometheus-services-connect/defaults/main.yml +++ b/roles/custom/matrix-prometheus-services-connect/defaults/main.yml 
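Review bot: The `^~` modifier on `location ^~ /_matrix/client/(r0|v1|v3|unstable)/(logout|logout/all) {` and on the `admin/(purge_media_cache|quarantine_media/.*)` location is a literal prefix match, not a regex, so nginx only matches request URIs that literally start with `/_matrix/client/(r0|v1|v3|unstable)/…` — these two blocks never fire and logout and admin calls keep going to Synapse. If media-repo depends on seeing logout requests to invalidate its cached access tokens (the comment says it registers those endpoints), a client's token stays usable in that cache after logout, and its purge/quarantine admin endpoints are unreachable. Use regex locations instead: `location ~ ^/_matrix/client/(r0|v1|v3|unstable)/(logout|logout/all)$ {` and `location ~ ^/_matrix/client/(r0|v1|v3|unstable)/admin/(purge_media_cache|quarantine_media/.*)$ {`. Regex locations are evaluated in order and can be pre-empted by a `^~` prefix location, so their placement relative to the rest of matrix-domain.conf.j2 (outside this hunk) needs checking.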
@@ -142,3 +142,23 @@ matrix_prometheus_services_connect_scraper_nginxlog_scrape_configs: | 'static_configs': matrix_prometheus_services_connect_scraper_nginxlog_static_configs, }] }} + +# Controls whether media-repo shall be scraped +matrix_prometheus_services_connect_scraper_media_repo_enabled: false +matrix_prometheus_services_connect_scraper_media_repo_job_name: media-repo +matrix_prometheus_services_connect_scraper_media_repo_metrics_path: /metrics +matrix_prometheus_services_connect_scraper_media_repo_scrape_interval: 15s +matrix_prometheus_services_connect_scraper_media_repo_scrape_timeout: 15s +matrix_prometheus_services_connect_scraper_media_repo_static_configs: "{{ [{'targets': [matrix_prometheus_services_connect_scraper_media_repo_static_configs_target]}] }}" +matrix_prometheus_services_connect_scraper_media_repo_static_configs_target: '' +# The final scrape config for the media-repo scraper +matrix_prometheus_services_connect_scraper_media_repo_scrape_configs: | + {{ + [{ + 'job_name': matrix_prometheus_services_connect_scraper_media_repo_job_name, + 'metrics_path': matrix_prometheus_services_connect_scraper_media_repo_metrics_path, + 'scrape_interval': matrix_prometheus_services_connect_scraper_media_repo_scrape_interval, + 'scrape_timeout': matrix_prometheus_services_connect_scraper_media_repo_scrape_timeout, + 'static_configs': matrix_prometheus_services_connect_scraper_media_repo_static_configs, + }] + }} diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 964fde115..96bb42561 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml 
@@ -633,14 +633,14 @@ matrix_synapse_workers_federation_sender_workers_metrics_range_start: 19400 # Adjusting this value manually is generally not necessary. matrix_synapse_federation_sender_instances: [] -matrix_synapse_workers_media_repository_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['media_repository_workers_count'] }}" +matrix_synapse_workers_media_repository_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['media_repository_workers_count'] if not matrix_synapse_ext_media_repo_enabled else 0 }}" matrix_synapse_workers_media_repository_workers_port_range_start: 18551 matrix_synapse_workers_media_repository_workers_metrics_range_start: 19551 # matrix_synapse_enable_media_repo controls if the main Synapse process should serve media repository endpoints or if it should be left to media_repository workers (see `matrix_synapse_workers_media_repository_workers_count`). # This is enabled if workers are disabled, or if they are enabled, but there are no media repository workers. # Adjusting this value manually is generally not necessary. -matrix_synapse_enable_media_repo: "{{ not matrix_synapse_workers_enabled or (matrix_synapse_workers_enabled_list | selectattr('type', 'equalto', 'media_repository') | list | length == 0) }}" +matrix_synapse_enable_media_repo: "{{ not matrix_synapse_ext_media_repo_enabled and (not matrix_synapse_workers_enabled or (matrix_synapse_workers_enabled_list | selectattr('type', 'equalto', 'media_repository') | list | length == 0)) }}" # matrix_synapse_media_instance_running_background_jobs populates the `media_instance_running_background_jobs` Synapse configuration used when Synapse workers are in use (`matrix_synapse_workers_enabled`). # `media_instance_running_background_jobs` is meant to point to a single media-repository worker, which is dedicated to running background tasks that maintain the media repository. 
@@ -901,6 +901,8 @@ matrix_synapse_ext_synapse_s3_storage_provider_update_db_day_count: 0 # This is a systemd timer OnCalendar definition. Learn more here: https://man.archlinux.org/man/systemd.time.7#CALENDAR_EVENTS matrix_synapse_ext_synapse_s3_storage_provider_periodic_migration_schedule: '*-*-* 05:00:00' +matrix_synapse_ext_media_repo_enabled: false + matrix_s3_media_store_enabled: false matrix_s3_media_store_custom_endpoint_enabled: false matrix_s3_goofys_docker_image: "{{ matrix_s3_goofys_docker_image_name_prefix }}ewoutp/goofys:latest" diff --git a/setup.yml b/setup.yml index 266f3b9e5..c7a6a3639 100644 --- a/setup.yml +++ b/setup.yml @@ -113,6 +113,7 @@ - galaxy/ntfy - custom/matrix-nginx-proxy - custom/matrix-coturn + - custom/matrix-media-repo - role: galaxy/auxiliary From 036c823a061eb120994a33cef71aa35eecbe8223 Mon Sep 17 00:00:00 2001 From: QEDeD Date: Wed, 12 Jul 2023 18:10:47 +0200 Subject: [PATCH 870/915] Explain the option of manually defining your public IP in the documentation for Coturn I was very surprised by the fact that a rather important configuration for coturn was "hidden" in the Hosts file, but not mentioned here. Therefore my suggestion is to explicitly mention it here, as I believe that is that natural for people to look. --- docs/configuring-playbook-turn.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/configuring-playbook-turn.md b/docs/configuring-playbook-turn.md index df5419bd4..7b2c58bdb 100644 --- a/docs/configuring-playbook-turn.md +++ b/docs/configuring-playbook-turn.md 
@@ -15,6 +15,13 @@ matrix_coturn_enabled: false In that case, Synapse would not point to any Coturn servers and audio/video call functionality may fail. +## Manually defining your public IP +In the `hosts` file we explicitly ask for your server's external IP address when defining `ansible_host`, because the same value is used for configuring Coturn. +If you'd rather use a local IP for `ansible_host`, make sure to set up `matrix_coturn_turn_external_ip_address` replacing `YOUR_PUBLIC_IP` with the pubic IP used by the server. + +```yaml +matrix_coturn_turn_external_ip_address: "YOUR_PUBLIC_IP" +``` ## Using your own external Coturn server From b7c0690542094fb2f57b499b5f7561e47cdb5431 Mon Sep 17 00:00:00 2001 From: QEDeD Date: Wed, 12 Jul 2023 18:25:20 +0200 Subject: [PATCH 871/915] Explicitly refer users to the relevant roles file Explicitly refer users to the relevant roles file so people know where to find the additional configuration options. --- docs/configuring-playbook-turn.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/configuring-playbook-turn.md b/docs/configuring-playbook-turn.md index 7b2c58bdb..365fea4b1 100644 --- a/docs/configuring-playbook-turn.md +++ b/docs/configuring-playbook-turn.md @@ -47,3 +47,6 @@ jitsi_web_stun_servers: - stun:HOSTNAME_OR_IP:PORT ``` You can put multiple host/port combinations if you like. + +## Further variables and configuration options +To see all the available configuration options, check roles/custom/matrix-coturn/defaults/main.yml From 4ee26fab2f8a80f2d9062b9e36d639e6e1d8100c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 13 Jul 2023 12:29:08 +0300 Subject: [PATCH 872/915] Upgrade postgres_backup --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index a8c398215..b1c4751fc 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -18,7 +18,7 @@ - src: git+https://github.com/devture/com.devture.ansible.role.postgres.git version: v15.3-0 - src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git - version: 8e9ec48a09284c84704d7a2dce17da35f181574d + version: a0cc7c1c696872ba8880d9c5e5a54098de825030 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git version: v1.0.0-0 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git From 3f2b14f63060fcb5c3f465e565e0dd39079e3e50 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 13 Jul 2023 12:32:51 +0300 Subject: [PATCH 873/915] Upgrade backup-borg (v1.2.4-1.7.15-0 -> v1.2.4-1.7.15-1) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index b1c4751fc..bac5fea32 100644 --- a/requirements.yml +++ b/requirements.yml @@ -4,7 +4,7 @@ version: v1.0.0-1 name: auxiliary - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git - version: v1.2.4-1.7.15-0 + version: v1.2.4-1.7.15-1 - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git version: v0.1.1-2 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git From facaeb5abe33017ebe114000b1c638d4bd0f9c87 Mon Sep 17 00:00:00 2001 From: Michael Hollister Date: Thu, 13 Jul 2023 11:03:36 -0500 Subject: [PATCH 874/915] Document purpose of media_repo variable Co-authored-by: Slavi Pantaleev --- roles/custom/matrix-synapse/defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 96bb42561..2cd119629 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml 
@@ -901,6 +901,8 @@ matrix_synapse_ext_synapse_s3_storage_provider_update_db_day_count: 0 # This is a systemd timer OnCalendar definition. Learn more here: https://man.archlinux.org/man/systemd.time.7#CALENDAR_EVENTS matrix_synapse_ext_synapse_s3_storage_provider_periodic_migration_schedule: '*-*-* 05:00:00' +# Specifies whether an external media repository is enabled. +# If it is, the Synapse media repo and media-repo workers will be disabled automatically. matrix_synapse_ext_media_repo_enabled: false matrix_s3_media_store_enabled: false From d565c1607b989d241b2eef09e520046a34497830 Mon Sep 17 00:00:00 2001 From: Michael Hollister Date: Thu, 13 Jul 2023 11:06:59 -0500 Subject: [PATCH 875/915] Replaced hard coded string with identifier variable Co-authored-by: Slavi Pantaleev --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index cc60b9758..d5184e233 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2671,7 +2671,7 @@ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd: matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}" matrix_nginx_proxy_proxy_media_repo_enabled: "{{ matrix_media_repo_enabled }}" -matrix_nginx_proxy_proxy_media_repo_addr_with_container: "matrix-media-repo:{{ matrix_media_repo_port }}" +matrix_nginx_proxy_proxy_media_repo_addr_with_container: "{{ matrix_media_repo_identifier }}:{{ matrix_media_repo_port }}" matrix_nginx_proxy_proxy_media_repo_addr_sans_container: "127.0.0.1:{{ matrix_media_repo_port }}" # By default, we do TLS termination for the Matrix Federation API (port 8448) at matrix-nginx-proxy. From 6365118067c69a136300cfe763a9aec87fc99ff4 Mon Sep 17 00:00:00 2001 
From: Michael Hollister Date: Thu, 13 Jul 2023 12:23:48 -0500 Subject: [PATCH 876/915] Removed additional logging to filesystem by default --- roles/custom/matrix-media-repo/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-media-repo/defaults/main.yml b/roles/custom/matrix-media-repo/defaults/main.yml index 87ffcbe84..707a9e9a5 100644 --- a/roles/custom/matrix-media-repo/defaults/main.yml +++ b/roles/custom/matrix-media-repo/defaults/main.yml @@ -55,7 +55,7 @@ matrix_media_repo_port: 8000 # # Note: to change the log directory you'll have to restart the repository. This setting cannot be # live reloaded. -matrix_media_repo_log_directory: logs +matrix_media_repo_log_directory: "{{ '\"-\"' }}" # Set to true to enable color coding in your logs. Note that this may cause escape sequences to # appear in logs which render them unreadable, which is why colors are disabled by default. From b9f5aa034428d600cacd1b936d9ddbbdfcb1b3a3 Mon Sep 17 00:00:00 2001 From: Michael Hollister Date: Thu, 13 Jul 2023 13:23:34 -0500 Subject: [PATCH 877/915] Removed exposing ports by default --- roles/custom/matrix-media-repo/defaults/main.yml | 10 ++++++++++ .../media-repo/systemd/matrix-media-repo.service.j2 | 8 +++++--- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/roles/custom/matrix-media-repo/defaults/main.yml b/roles/custom/matrix-media-repo/defaults/main.yml index 707a9e9a5..d1790a8b2 100644 --- a/roles/custom/matrix-media-repo/defaults/main.yml +++ b/roles/custom/matrix-media-repo/defaults/main.yml 
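Review bot: `matrix_media_repo_log_directory: "{{ '\"-\"' }}"` is a Jinja expression whose only job is to yield the three-character string `"-"`; plain YAML single quotes give the same value without the template indirection: `matrix_media_repo_log_directory: '"-"'`. The embedded double quotes appear to be there so the rendered `media-repo.yaml` receives a quoted `"-"` rather than a bare `-`, which YAML would not read as a string; the template that consumes the variable is outside this hunk, so that is inferred. A comment above the variable such as `# "-" (quotes included) disables logging to the filesystem; set a directory name to re-enable it.` would save the next reader a detour, since the existing comment only talks about restarting when the directory changes.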
@@ -33,6 +33,16 @@ matrix_media_repo_container_network: "{{ matrix_docker_network }}" # Use this to expose this container to another reverse proxy, which runs in a different container network. matrix_media_repo_container_additional_networks: [] +# Controls whether the matrix-media-repo container exposes its HTTP port (tcp/8000 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8000"), or empty string to not expose. +matrix_media_repo_container_http_host_bind_port: "" + +# Controls whether the matrix-media-repo container exposes its metrics port (tcp/9000 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:9000"), or empty string to not expose. +matrix_media_repo_container_metrics_host_bind_port: "" + # Extra arguments for the Docker container matrix_media_repo_container_extra_arguments: [] diff --git a/roles/custom/matrix-media-repo/templates/media-repo/systemd/matrix-media-repo.service.j2 b/roles/custom/matrix-media-repo/templates/media-repo/systemd/matrix-media-repo.service.j2 index ac33e3fee..091337962 100644 --- a/roles/custom/matrix-media-repo/templates/media-repo/systemd/matrix-media-repo.service.j2 +++ b/roles/custom/matrix-media-repo/templates/media-repo/systemd/matrix-media-repo.service.j2 
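Review bot: The comments on `matrix_media_repo_container_http_host_bind_port` and `matrix_media_repo_container_metrics_host_bind_port` read `Takes an ":" or "" value`, which looks as if angle-bracketed placeholders were lost (possibly on rendering, possibly in the source); the example `"127.0.0.1:8000"` on its own does not tell the reader that a bare port publishes the container port on all host interfaces. Suggest `# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8000"); a bare "<port>" publishes on all interfaces. Leave empty to not expose.` for both variables, so that someone enabling the metrics port for a local Prometheus does not unintentionally expose `/metrics` publicly. The systemd template change in the same commit already makes the binding opt-in, which is the right default.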
@@ -23,9 +23,11 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --network={{ matrix_docker_network }} \ - -p {{ matrix_media_repo_port }}:{{ matrix_media_repo_port }} \ - {% if matrix_media_repo_metrics_enabled %} - -p {{ matrix_media_repo_metrics_port }}:{{ matrix_media_repo_metrics_port }} \ + {% if matrix_media_repo_container_http_host_bind_port %} + -p {{ matrix_media_repo_container_http_host_bind_port }}:{{ matrix_media_repo_port }} \ + {% endif %} + {% if matrix_media_repo_metrics_enabled and matrix_media_repo_container_metrics_host_bind_port %} + -p {{ matrix_media_repo_container_metrics_host_bind_port }}:{{ matrix_media_repo_metrics_port }} \ {% endif %} -v {{ matrix_media_repo_base_path }}:/data:z \ --workdir='/data' \ From ecb24dcaabafcf4ceccd175bb4b437475c154740 Mon Sep 17 00:00:00 2001 From: Michael Hollister Date: Thu, 13 Jul 2023 15:02:21 -0500 Subject: [PATCH 878/915] Changed volume mounting and directory structure --- roles/custom/matrix-media-repo/defaults/main.yml | 2 ++ .../matrix-media-repo/tasks/setup_install.yml | 16 +++++++++++++++- .../templates/media-repo/env.j2 | 1 + .../systemd/matrix-media-repo.service.j2 | 4 +++- 4 files changed, 21 insertions(+), 2 deletions(-) create mode 100644 roles/custom/matrix-media-repo/templates/media-repo/env.j2 diff --git a/roles/custom/matrix-media-repo/defaults/main.yml b/roles/custom/matrix-media-repo/defaults/main.yml index d1790a8b2..5be31c4b3 100644 --- a/roles/custom/matrix-media-repo/defaults/main.yml +++ b/roles/custom/matrix-media-repo/defaults/main.yml 
@@ -17,6 +17,8 @@ matrix_media_repo_docker_image_tag: "v1.2.13" matrix_media_repo_docker_image_force_pull: "{{ matrix_media_repo_docker_image.endswith(':latest') }}" matrix_media_repo_base_path: "{{ matrix_base_data_path }}/media-repo" +matrix_media_repo_config_path: "{{ matrix_media_repo_base_path }}/config" +matrix_media_repo_data_path: "{{ matrix_media_repo_base_path }}/data" matrix_media_repo_docker_src_files_path: "{{ matrix_media_repo_base_path }}/docker-src" # List of systemd services that matrix-conduit.service depends on diff --git a/roles/custom/matrix-media-repo/tasks/setup_install.yml b/roles/custom/matrix-media-repo/tasks/setup_install.yml index af02d4b09..5e7399059 100644 --- a/roles/custom/matrix-media-repo/tasks/setup_install.yml +++ b/roles/custom/matrix-media-repo/tasks/setup_install.yml @@ -10,14 +10,28 @@ with_items: - path: "{{ matrix_media_repo_base_path }}" when: true + - path: "{{ matrix_media_repo_config_path }}" + when: true + - path: "{{ matrix_media_repo_data_path }}" + when: true - path: "{{ matrix_media_repo_docker_src_files_path }}" when: "{{ matrix_media_repo_container_image_self_build }}" when: "item.when | bool" +- name: Ensure media-repo support files installed + ansible.builtin.template: + src: "{{ role_path }}/templates/media-repo/{{ item }}.j2" + dest: "{{ matrix_media_repo_base_path }}/{{ item }}" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - env + - name: Ensure media-repo configuration installed ansible.builtin.template: src: "{{ role_path }}/templates/media-repo/media-repo.yaml.j2" - dest: "{{ matrix_media_repo_base_path }}/media-repo.yaml" + dest: "{{ matrix_media_repo_config_path }}/media-repo.yaml" mode: 0640 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" diff --git a/roles/custom/matrix-media-repo/templates/media-repo/env.j2 b/roles/custom/matrix-media-repo/templates/media-repo/env.j2 new file mode 100644 index 000000000..8b26f77d7 
--- /dev/null +++ b/roles/custom/matrix-media-repo/templates/media-repo/env.j2 @@ -0,0 +1 @@ +REPO_CONFIG=/config/media-repo.yaml diff --git a/roles/custom/matrix-media-repo/templates/media-repo/systemd/matrix-media-repo.service.j2 b/roles/custom/matrix-media-repo/templates/media-repo/systemd/matrix-media-repo.service.j2 index 091337962..33b5199a6 100644 --- a/roles/custom/matrix-media-repo/templates/media-repo/systemd/matrix-media-repo.service.j2 +++ b/roles/custom/matrix-media-repo/templates/media-repo/systemd/matrix-media-repo.service.j2 @@ -23,13 +23,15 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --network={{ matrix_docker_network }} \ + --env-file={{ matrix_media_repo_base_path }}/env \ {% if matrix_media_repo_container_http_host_bind_port %} -p {{ matrix_media_repo_container_http_host_bind_port }}:{{ matrix_media_repo_port }} \ {% endif %} {% if matrix_media_repo_metrics_enabled and matrix_media_repo_container_metrics_host_bind_port %} -p {{ matrix_media_repo_container_metrics_host_bind_port }}:{{ matrix_media_repo_metrics_port }} \ {% endif %} - -v {{ matrix_media_repo_base_path }}:/data:z \ + --mount type=bind,src={{ matrix_media_repo_config_path }},dst=/config,ro \ + --mount type=bind,src={{ matrix_media_repo_data_path }},dst=/data \ --workdir='/data' \ --entrypoint='media_repo' \ {% for arg in matrix_media_repo_container_extra_arguments %} From c043463ee18fac2a080c6af0c8f41eef88936856 Mon Sep 17 00:00:00 2001 From: Michael Hollister Date: Thu, 13 Jul 2023 15:19:12 -0500 Subject: [PATCH 879/915] Fixed conflicting default values for enabling media-repo --- roles/custom/matrix-media-repo/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-media-repo/defaults/main.yml b/roles/custom/matrix-media-repo/defaults/main.yml index 5be31c4b3..a89ea8a58 100644 --- a/roles/custom/matrix-media-repo/defaults/main.yml 
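Review bot: The removed `-v {{ matrix_media_repo_base_path }}:/data:z` line carried an SELinux relabel (`:z`), and the two `--mount type=bind,...` lines that replace it have no equivalent, so on an SELinux-enforcing host the container may be denied access to `/config` and `/data` after this change. As far as I know Docker's `--mount` syntax does not accept the `z`/`Z` flags, so if the relabel is still needed the `-v` form keeps it while preserving the new layout: `-v {{ matrix_media_repo_config_path }}:/config:ro,z \` and `-v {{ matrix_media_repo_data_path }}:/data:z \`. Mounting the config directory read-only is an improvement over the previous read-write mount and should be kept either way.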
+++ b/roles/custom/matrix-media-repo/defaults/main.yml @@ -5,7 +5,7 @@ # with the specification. # See: https://github.com/turt2live/matrix-media-repo -matrix_media_repo_enabled: true +matrix_media_repo_enabled: false matrix_media_repo_container_image_self_build: false matrix_media_repo_container_image_self_build_repo: "https://github.com/turt2live/matrix-media-repo.git" From d120b0c153e3313171017baf89d1c97a5e5b51e1 Mon Sep 17 00:00:00 2001 From: Michael Hollister Date: Thu, 13 Jul 2023 21:16:07 -0500 Subject: [PATCH 880/915] Updated code to use identifier variable --- .../custom/matrix-media-repo/defaults/main.yml | 9 +++++++-- .../matrix-media-repo/tasks/setup_install.yml | 4 ++-- .../tasks/setup_uninstall.yml | 12 ++++++------ .../systemd/matrix-media-repo.service.j2 | 18 +++++++++--------- 4 files changed, 24 insertions(+), 19 deletions(-) diff --git a/roles/custom/matrix-media-repo/defaults/main.yml b/roles/custom/matrix-media-repo/defaults/main.yml index a89ea8a58..a08ad0418 100644 --- a/roles/custom/matrix-media-repo/defaults/main.yml +++ b/roles/custom/matrix-media-repo/defaults/main.yml @@ -7,6 +7,11 @@ matrix_media_repo_enabled: false +# matrix_media_repo_identifier controls the identifier of this media-repo instance, which influences: +# - the default storage path +# - the names of systemd services +matrix_media_repo_identifier: matrix-media-repo + matrix_media_repo_container_image_self_build: false matrix_media_repo_container_image_self_build_repo: "https://github.com/turt2live/matrix-media-repo.git" 
@@ -16,7 +21,7 @@ matrix_media_repo_docker_image_name_prefix: "{{ 'localhost/' if matrix_media_rep matrix_media_repo_docker_image_tag: "v1.2.13" matrix_media_repo_docker_image_force_pull: "{{ matrix_media_repo_docker_image.endswith(':latest') }}" -matrix_media_repo_base_path: "{{ matrix_base_data_path }}/media-repo" +matrix_media_repo_base_path: "{{ matrix_base_data_path }}/{{ matrix_media_repo_identifier }}" matrix_media_repo_config_path: "{{ matrix_media_repo_base_path }}/config" matrix_media_repo_data_path: "{{ matrix_media_repo_base_path }}/data" matrix_media_repo_docker_src_files_path: "{{ matrix_media_repo_base_path }}/docker-src" @@ -104,7 +109,7 @@ matrix_media_repo_federation_backoff_at: 20 # user instead. Using the same server is fine, just not the same username and database. matrix_media_repo_database_username: "matrix_media_repo" matrix_media_repo_database_password: "your_password" -matrix_media_repo_database_hostname: "matrix-postgres" +matrix_media_repo_database_hostname: "{{ devture_postgres_identifier }}" matrix_media_repo_database_port: 5432 matrix_media_repo_database_name: "matrix_media_repo" diff --git a/roles/custom/matrix-media-repo/tasks/setup_install.yml b/roles/custom/matrix-media-repo/tasks/setup_install.yml index 5e7399059..3bcbed966 100644 --- a/roles/custom/matrix-media-repo/tasks/setup_install.yml +++ b/roles/custom/matrix-media-repo/tasks/setup_install.yml @@ -81,8 +81,8 @@ name: "{{ matrix_media_repo_container_network }}" driver: bridge -- name: Ensure matrix-media-repo.service installed +- name: Ensure media-repo service installed ansible.builtin.template: src: "{{ role_path }}/templates/media-repo/systemd/matrix-media-repo.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-media-repo.service" + dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_media_repo_identifier }}.service" mode: 0640 
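Review bot: `matrix_media_repo_database_hostname: "{{ devture_postgres_identifier }}"` in the `@@ -104,7 +109,7 @@` hunk makes this role's defaults depend on a variable owned by a different role, so a run in which that role is not loaded (an externally managed Postgres, say) fails with an undefined-variable error while templating instead of a meaningful message. The `@@ -146,7 +146,7 @@` hunk further down, where `adminApiKind` is derived from `matrix_homeserver_implementation`, has the same coupling. Either give the reference a fallback, `matrix_media_repo_database_hostname: "{{ devture_postgres_identifier | default('matrix-postgres') }}"`, or keep such wiring in `group_vars/matrix_servers`, where this role's other cross-role values such as `matrix_media_repo_container_network` already live.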
diff --git a/roles/custom/matrix-media-repo/tasks/setup_uninstall.yml b/roles/custom/matrix-media-repo/tasks/setup_uninstall.yml index d5f08994e..449cd48b8 100644 --- a/roles/custom/matrix-media-repo/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-media-repo/tasks/setup_uninstall.yml @@ -1,19 +1,19 @@ --- -- name: Check existence of matrix-media-repo service +- name: Check existence of media-repo service ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-media-repo.service" + path: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_media_repo_identifier }}.service" register: matrix_media_repo_service_stat - when: matrix_media_repo_service_stat.stat.exists | bool block: - - name: Ensure matrix-media-repo is stopped + - name: Ensure media-repo is stopped ansible.builtin.systemd: - name: matrix-media-repo + name: "{{ matrix_media_repo_identifier }}" state: stopped daemon_reload: true - - name: Ensure matrix-media-repo.service doesn't exist + - name: Ensure media-repo service doesn't exist ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-media-repo.service" + path: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_media_repo_identifier }}.service" state: absent diff --git a/roles/custom/matrix-media-repo/templates/media-repo/systemd/matrix-media-repo.service.j2 b/roles/custom/matrix-media-repo/templates/media-repo/systemd/matrix-media-repo.service.j2 index 33b5199a6..0e73cb6ce 100644 --- a/roles/custom/matrix-media-repo/templates/media-repo/systemd/matrix-media-repo.service.j2 +++ b/roles/custom/matrix-media-repo/templates/media-repo/systemd/matrix-media-repo.service.j2 
@@ -13,12 +13,12 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-media-repo 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-media-repo 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_media_repo_identifier }} 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_media_repo_identifier }} 2>/dev/null || true' ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --rm \ - --name=matrix-media-repo \ + --name={{ matrix_media_repo_identifier }} \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ 
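Review bot: `{{ matrix_media_repo_identifier }}` is now spliced unescaped into the single-quoted `sh -c '...'` strings of the two `ExecStartPre` lines and into `--name=`, and in the `@@ -40,17 +40,17 @@` hunk into `ExecStop`, `ExecReload` and `SyslogIdentifier`, so a value containing a quote, whitespace or a shell metacharacter produces a broken or differently shaped unit file rather than a clear error. The value is operator-controlled, so this is a robustness concern rather than an exposure, but one assertion in the role's validation tasks would catch it before anything is written, e.g. `that: matrix_media_repo_identifier is match('^[A-Za-z0-9._-]+$')`. The `[Service]` section this hunk edits continues outside the hunk.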
@@ -40,17 +40,17 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ {{ matrix_media_repo_docker_image }} {% for network in matrix_media_repo_container_additional_networks %} -ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-media-repo +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} {{ matrix_media_repo_identifier }} {% endfor %} -ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-media-repo +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach {{ matrix_media_repo_identifier }} -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-media-repo 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-media-repo 2>/dev/null || true' -ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-media-repo /bin/sh -c 'kill -HUP 1' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_media_repo_identifier }} 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_media_repo_identifier }} 2>/dev/null || true' +ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec {{ matrix_media_repo_identifier }} /bin/sh -c 'kill -HUP 1' Restart=always RestartSec=30 -SyslogIdentifier=matrix-media-repo +SyslogIdentifier={{ matrix_media_repo_identifier }} [Install] WantedBy=multi-user.target From 28fa644c30d29b05deb82812027a985ad077cff0 Mon Sep 17 00:00:00 2001 
From: Michael Hollister Date: Thu, 13 Jul 2023 21:19:07 -0500 Subject: [PATCH 881/915] Removed redeclration of matrix_media_repo_identifier --- group_vars/matrix_servers | 1 - 1 file changed, 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index d5184e233..aa709f86f 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2564,7 +2564,6 @@ matrix_ma1sd_database_password: "{{ '%s' | format(matrix_homeserver_generic_secr ###################################################################### matrix_media_repo_enabled: false -matrix_media_repo_identifier: matrix-media-repo matrix_media_repo_container_network: "{{ matrix_docker_network }}" matrix_media_repo_container_labels_traefik_enabled: false From 73edde39920eba64abbd58891def7f3253e45128 Mon Sep 17 00:00:00 2001 From: Michael Hollister Date: Thu, 13 Jul 2023 23:12:24 -0500 Subject: [PATCH 882/915] Replaced additional hardcoded service names with identifer variable --- group_vars/matrix_servers | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index aa709f86f..b008d694c 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -326,7 +326,7 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-ma1sd.service', 'priority': 2000, 'groups': ['matrix', 'ma1sd']}] if matrix_ma1sd_enabled else []) + - ([{'name': 'matrix-media-repo.service', 'priority': 4000, 'groups': ['matrix', 'media_store']}] if matrix_media_repo_enabled else []) + ([{'name': (matrix_media_repo_identifier + '.service'), 'priority': 4000, 'groups': ['matrix', 'media_store']}] if matrix_media_repo_enabled else []) + ([{'name': 'matrix-mailer.service', 'priority': 2000, 'groups': ['matrix', 'mailer']}] if matrix_mailer_enabled else []) + 
@@ -2731,7 +2731,7 @@ matrix_nginx_proxy_systemd_wanted_services_list: | + (['matrix-ma1sd.service'] if matrix_ma1sd_enabled else []) + - (['matrix-media-repo.service'] if matrix_media_repo_enabled else []) + ([(matrix_media_repo_identifier + '.service')] if matrix_media_repo_enabled else []) + (['matrix-client-cinny.service'] if matrix_client_cinny_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) + From c8b6b6e0347a92f7e92c0ceb673611d4cf290897 Mon Sep 17 00:00:00 2001 From: Michael Hollister Date: Fri, 14 Jul 2023 00:20:07 -0500 Subject: [PATCH 883/915] Added additioanl documentation to rendered config and added to_json filters --- .../matrix-media-repo/defaults/main.yml | 4 +- .../templates/media-repo/media-repo.yaml.j2 | 500 +++++++++++++----- 2 files changed, 382 insertions(+), 122 deletions(-) diff --git a/roles/custom/matrix-media-repo/defaults/main.yml b/roles/custom/matrix-media-repo/defaults/main.yml index a08ad0418..e2304d42e 100644 --- a/roles/custom/matrix-media-repo/defaults/main.yml +++ b/roles/custom/matrix-media-repo/defaults/main.yml @@ -72,7 +72,7 @@ matrix_media_repo_port: 8000 # # Note: to change the log directory you'll have to restart the repository. This setting cannot be # live reloaded. -matrix_media_repo_log_directory: "{{ '\"-\"' }}" +matrix_media_repo_log_directory: "-" # Set to true to enable color coding in your logs. Note that this may cause escape sequences to # appear in logs which render them unreadable, which is why colors are disabled by default. 
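Review bot: The new default `matrix_media_repo_log_directory: "-"` in the `@@ -72,7 +72,7 @@` hunk is only safe because the template now renders the value through `| to_json` (the `logDirectory` line in the media-repo.yaml.j2 hunk of this same commit); a bare `-` emitted by a plain `{{ }}` would not be read by YAML as the string `-`. The comment above the variable should record this so the two changes are not decoupled later, e.g. `# Rendered through to_json in media-repo.yaml.j2, which keeps "-" a quoted string rather than a bare YAML indicator.`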
@@ -146,7 +146,7 @@ matrix_media_repo_homeservers: # unstable client-server API. When this is "synapse", the new /_synapse # endpoints will be used instead. Unknown values are treated as the # default, "matrix". - adminApiKind: "matrix" + adminApiKind: "{{ 'synapse' if matrix_homeserver_implementation == 'synapse' else 'matrix' }}" # Options for controlling how access tokens work with the media repo. It is recommended that if # you are going to use these options that the `/logout` and `/logout/all` client-server endpoints diff --git a/roles/custom/matrix-media-repo/templates/media-repo/media-repo.yaml.j2 b/roles/custom/matrix-media-repo/templates/media-repo/media-repo.yaml.j2 index 0595f576d..c304c1c2c 100644 --- a/roles/custom/matrix-media-repo/templates/media-repo/media-repo.yaml.j2 +++ b/roles/custom/matrix-media-repo/templates/media-repo/media-repo.yaml.j2 @@ -1,7 +1,7 @@ # General repo configuration repo: - bindAddress: {{ matrix_media_repo_bind_address }} - port: {{ matrix_media_repo_port }} + bindAddress: {{ matrix_media_repo_bind_address | to_json }} + port: {{ matrix_media_repo_port | to_json }} # Where to store the logs, relative to where the repo is started from. Logs will be automatically # rotated every day and held for 14 days. To disable the repo logging to files, set this to 
@@ -9,71 +9,69 @@ repo: # # Note: to change the log directory you'll have to restart the repository. This setting cannot be # live reloaded. - logDirectory: {{ matrix_media_repo_log_directory }} + logDirectory: {{ matrix_media_repo_log_directory | to_json }} # Set to true to enable color coding in your logs. Note that this may cause escape sequences to # appear in logs which render them unreadable, which is why colors are disabled by default. - logColors: {{ matrix_media_repo_log_colors }} + logColors: {{ matrix_media_repo_log_colors | to_json }} # Set to true to enable JSON logging for consumption by things like logstash. Note that this is # incompatible with the log color option and will always render without colors. - jsonLogs: {{ matrix_media_repo_json_logs }} + jsonLogs: {{ matrix_media_repo_json_logs | to_json }} # The log level to log at. Note that this will need to be at least "info" to receive support. # # Values (in increasing spam): panic | fatal | error | warn | info | debug | trace - logLevel: {{ matrix_media_repo_log_level }} + logLevel: {{ matrix_media_repo_log_level | to_json }} # If true, the media repo will accept any X-Forwarded-For header without validation. In most cases # this option should be left as "false". Note that the media repo already expects an X-Forwarded-For # header, but validates it to ensure the IP being given makes sense. - trustAnyForwardedAddress: {{ matrix_media_repo_trust_any_forwarded_address }} + trustAnyForwardedAddress: {{ matrix_media_repo_trust_any_forwarded_address | to_json }} # If false, the media repo will not use the X-Forwarded-Host header commonly added by reverse proxies. # Typically this should remain as true, though in some circumstances it may need to be disabled. # See https://github.com/turt2live/matrix-media-repo/issues/202 for more information. 
- useForwardedHost: {{ matrix_media_repo_use_forwarded_host }} + useForwardedHost: {{ matrix_media_repo_use_forwarded_host | to_json }} # Options for dealing with federation federation: # On a per-host basis, the number of consecutive failures in calling the host before the # media repo will back off. This defaults to 20 if not given. Note that 404 errors from # the remote server do not count towards this. - backoffAt: {{ matrix_media_repo_federation_backoff_at }} + backoffAt: {{ matrix_media_repo_federation_backoff_at | to_json }} # The database configuration for the media repository # Do NOT put your homeserver's existing database credentials here. Create a new database and # user instead. Using the same server is fine, just not the same username and database. database: # Currently only "postgres" is supported. - postgres: {{ matrix_media_repo_database_postgres }} + postgres: {{ matrix_media_repo_database_postgres | to_json }} # The database pooling options pool: # The maximum number of connects to hold open. More of these allow for more concurrent # processes to happen. - maxConnections: {{ matrix_media_repo_database_max_connections }} + maxConnections: {{ matrix_media_repo_database_max_connections | to_json }} # The maximum number of connects to leave idle. More of these reduces the time it takes # to serve requests in low-traffic scenarios. - maxIdleConnections: {{ matrix_media_repo_database_max_idle_connections }} + maxIdleConnections: {{ matrix_media_repo_database_max_idle_connections | to_json }} # The configuration for the homeservers this media repository is known to control. Servers # not listed here will not be able to upload media. -{# -homeservers: - - name: example.org # This should match the server_name of your homeserver, and the Host header - # provided to the media repo. 
- csApi: "https://example.org/" # The base URL to where the homeserver can actually be reached - backoffAt: 10 # The number of consecutive failures in calling this homeserver before the - # media repository will start backing off. This defaults to 10 if not given. - adminApiKind: "matrix" # The kind of admin API the homeserver supports. If set to "matrix", - # the media repo will use the Synapse-defined endpoints under the - # unstable client-server API. When this is "synapse", the new /_synapse - # endpoints will be used instead. Unknown values are treated as the - # default, "matrix". -#} -{{ matrix_media_repo_homeservers | to_nice_yaml(indent=2, sort_keys=false) }} +#homeservers: +# - name: example.org # This should match the server_name of your homeserver, and the Host header +# # provided to the media repo. +# csApi: "https://example.org/" # The base URL to where the homeserver can actually be reached +# backoffAt: 10 # The number of consecutive failures in calling this homeserver before the +# # media repository will start backing off. This defaults to 10 if not given. +# adminApiKind: "matrix" # The kind of admin API the homeserver supports. If set to "matrix", +# # the media repo will use the Synapse-defined endpoints under the +# # unstable client-server API. When this is "synapse", the new /_synapse +# # endpoints will be used instead. Unknown values are treated as the +# # default, "matrix". +{{ matrix_media_repo_homeservers | to_json | from_json | to_nice_yaml(indent=2, width=999999, sort_keys=false) }} # Options for controlling how access tokens work with the media repo. It is recommended that if # you are going to use these options that the `/logout` and `/logout/all` client-server endpoints 
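Review bot: The `to_json | from_json | to_nice_yaml(...)` round-trip applied to `matrix_media_repo_homeservers` here, and repeated for the access-token, admin, datastore and upload variables in the following hunks, is unexplained in the template; presumably it normalises Ansible's wrapped string types before serialisation, but a maintainer cannot tell whether the pair may be dropped. Piping every scalar through `| to_json` is likewise what keeps a value such as `-`, `yes`, or one containing `: ` or `#` from changing the type or structure of the rendered YAML, and that is worth stating once at the top of the template: `{# Scalars are rendered via to_json so strings are always quoted and cannot alter the YAML structure. #}`, extended with the reason for the list/dict round-trip once it is confirmed. The `repo:` mapping this hunk edits starts outside the hunk.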
@@ -91,12 +89,42 @@ homeservers: # *************************************************************************** # * IT IS HIGHLY RECOMMENDED TO USE PER-DOMAIN CONFIGS WITH THIS FEATURE. * # *************************************************************************** -{{ matrix_media_repo_access_tokens | to_nice_yaml(indent=2, sort_keys=false) }} +# accessTokens: +# # The maximum time a cached access token will be considered valid. Set to zero (the default) +# # to disable the cache and constantly hit the homeserver. This is recommended to be set to +# # 43200 (12 hours) on servers with the logout endpoints proxied through the media repo, and +# # zero for servers who do not proxy the endpoints through. +# maxCacheTimeSeconds: 0 +# +# # Whether or not to use the `appservices` config option below. If disabled (the default), +# # the regular access token cache will be used for each user, potentially leading to high +# # memory usage. +# useLocalAppserviceConfig: false +# +# # The application services (and their namespaces) registered on the homeserver. Only used +# # if `useLocalAppserviceConfig` is enabled (recommended). +# # +# # Usually the appservice will provide you with these config details - they'll just need +# # translating from the appservice registration to here. Note that this does not require +# # all options from the registration, and only requires the bare minimum required to run +# # the media repo. +# appservices: +# - id: Name_of_appservice_for_your_reference +# asToken: Secret_token_for_appservices_to_use +# senderUserId: "@_example_bridge:yourdomain.com" +# userNamespaces: +# - regex: "@_example_bridge_.+:yourdomain.com" +# # A note about regexes: it is best to suffix *all* namespaces with the homeserver +# # domain users are valid for, as otherwise the appservice can use any user with +# # any domain name it feels like, even if that domain is not configured with the +# # media repo. 
This will lead to inaccurate reporting in the case of the media +# # repo, and potentially leading to media being considered "remote". +{{ matrix_media_repo_access_tokens | to_json | from_json | to_nice_yaml(indent=2, width=999999, sort_keys=false) }} # These users have full access to the administrative functions of the media repository. # See docs/admin.md for information on what these people can do. They must belong to one of the # configured homeservers above. -{{ matrix_media_repo_admins | to_nice_yaml(indent=2, sort_keys=false) }} +{{ matrix_media_repo_admins | to_json | from_json | to_nice_yaml(indent=2, width=999999, sort_keys=false) }} # Shared secret auth is useful for applications building on top of the media repository, such # as a management interface. The `token` provided here is treated as a repository administrator 
@@ -105,120 +133,153 @@ homeservers: # the ability to use it on any configured hostname. sharedSecretAuth: # Set this to true to enable shared secret auth. - enabled: {{ matrix_media_repo_shared_secret_auth_enabled }} + enabled: {{ matrix_media_repo_shared_secret_auth_enabled | to_json }} # Use a secure value here to prevent unauthorized access to the media repository. - token: {{ matrix_media_repo_shared_secret_auth_token }} + token: {{ matrix_media_repo_shared_secret_auth_token | to_json }} # Datastores are places where media should be persisted. This isn't dedicated for just uploads: # thumbnails and other misc data is also stored in these places. The media repo, when looking # for a datastore to use, will always use the smallest datastore first. -{# -datastores: - - type: file - enabled: false # Enable this to set up data storage. - # Datastores can be split into many areas when handling uploads. Media is still de-duplicated - # across all datastores (local content which duplicates remote content will re-use the remote - # content's location). This option is useful if your datastore is becoming very large, or if - # you want faster storage for a particular kind of media. - # - # The kinds available are: - # thumbnails - Used to store thumbnails of media (local and remote). - # remote_media - Original copies of remote media (servers not configured by this repo). - # local_media - Original uploads for local media. - # archives - Archives of content (GDPR and similar requests). - forKinds: ["thumbnails"] - opts: - path: /var/matrix/media - - - type: s3 - enabled: false # Enable this to set up s3 uploads - forKinds: ["thumbnails", "remote_media", "local_media", "archives"] - opts: - # The s3 uploader needs a temporary location to buffer files to reduce memory usage on - # small file uploads. If the file size is unknown, the file is written to this location - # before being uploaded to s3 (then the file is deleted). 
If you aren't concerned about - # memory usage, set this to an empty string. - tempPath: "/tmp/mediarepo_s3_upload" - endpoint: sfo2.digitaloceanspaces.com - accessKeyId: "" - accessSecret: "" - ssl: true - bucketName: "your-media-bucket" - # An optional region for where this S3 endpoint is located. Typically not needed, though - # some providers will need this (like Scaleway). Uncomment to use. - #region: "sfo2" - - # The media repo does support an IPFS datastore, but only if the IPFS feature is enabled. If - # the feature is not enabled, this will not work. Note that IPFS support is experimental at - # the moment and not recommended for general use. - # - # NOTE: Everything you upload to IPFS will be publicly accessible, even when the media repo - # puts authentication on the download endpoints. Only use this option for cases where you - # expect your media to be publicly accessible. - - type: ipfs - enabled: false # Enable this to use IPFS support - forKinds: ["local_media"] - # The IPFS datastore currently has no options. It will use the daemon or HTTP API configured - # in the IPFS section of your main config. - opts: {} -#} -{{ matrix_media_repo_datastores | to_nice_yaml(indent=2, sort_keys=false) }} +# datastores: +# - type: file +# enabled: false # Enable this to set up data storage. +# # Datastores can be split into many areas when handling uploads. Media is still de-duplicated +# # across all datastores (local content which duplicates remote content will re-use the remote +# # content's location). This option is useful if your datastore is becoming very large, or if +# # you want faster storage for a particular kind of media. +# # +# # The kinds available are: +# # thumbnails - Used to store thumbnails of media (local and remote). +# # remote_media - Original copies of remote media (servers not configured by this repo). +# # local_media - Original uploads for local media. +# # archives - Archives of content (GDPR and similar requests). 
+# forKinds: ["thumbnails"] +# opts: +# path: /var/matrix/media +# +# - type: s3 +# enabled: false # Enable this to set up s3 uploads +# forKinds: ["thumbnails", "remote_media", "local_media", "archives"] +# opts: +# # The s3 uploader needs a temporary location to buffer files to reduce memory usage on +# # small file uploads. If the file size is unknown, the file is written to this location +# # before being uploaded to s3 (then the file is deleted). If you aren't concerned about +# # memory usage, set this to an empty string. +# tempPath: "/tmp/mediarepo_s3_upload" +# endpoint: sfo2.digitaloceanspaces.com +# accessKeyId: "" +# accessSecret: "" +# ssl: true +# bucketName: "your-media-bucket" +# # An optional region for where this S3 endpoint is located. Typically not needed, though +# # some providers will need this (like Scaleway). Uncomment to use. +# #region: "sfo2" +# +# # The media repo does support an IPFS datastore, but only if the IPFS feature is enabled. If +# # the feature is not enabled, this will not work. Note that IPFS support is experimental at +# # the moment and not recommended for general use. +# # +# # NOTE: Everything you upload to IPFS will be publicly accessible, even when the media repo +# # puts authentication on the download endpoints. Only use this option for cases where you +# # expect your media to be publicly accessible. +# - type: ipfs +# enabled: false # Enable this to use IPFS support +# forKinds: ["local_media"] +# # The IPFS datastore currently has no options. It will use the daemon or HTTP API configured +# # in the IPFS section of your main config. +# opts: {} +{{ matrix_media_repo_datastores | to_json | from_json | to_nice_yaml(indent=2, width=999999, sort_keys=false) }} # Options for controlling archives. Archives are exports of a particular user's content for # the purpose of GDPR or moving media to a different server. archiving: # Whether archiving is enabled or not. Default enabled. 
- enabled: {{ matrix_media_repo_archiving_enabled }} + enabled: {{ matrix_media_repo_archiving_enabled | to_json }} # If true, users can request a copy of their own data. By default, only repository administrators # can request a copy. # This includes the ability for homeserver admins to request a copy of their own server's # data, as known to the repo. - selfService: {{ matrix_media_repo_archiving_self_service }} + selfService: {{ matrix_media_repo_archiving_self_service | to_json }} # The number of bytes to target per archive before breaking up the files. This is independent # of any file upload limits and will require a similar amount of memory when performing an export. # The file size is also a target, not a guarantee - it is possible to have files that are smaller # or larger than the target. This is recommended to be approximately double the size of your # file upload limit, provided there is enough memory available for the demand of exporting. - targetBytesPerPart: {{ matrix_media_repo_archiving_target_bytes_per_part }} # 200mb default + targetBytesPerPart: {{ matrix_media_repo_archiving_target_bytes_per_part | to_json }} # 200mb default # The file upload settings for the media repository -{{ matrix_media_repo_uploads | to_nice_yaml(indent=2, sort_keys=false) }} +# uploads: +# # The maximum individual file size a user can upload. +# maxBytes: 104857600 # 100MB default, 0 to disable +# +# # The minimum number of bytes to let people upload. This is recommended to be non-zero to +# # ensure that the "cost" of running the media repo is worthwhile - small file uploads tend +# # to waste more CPU and database resources than small files, thus a default of 100 bytes +# # is applied here as an approximate break-even point. +# minBytes: 100 # 100 bytes by default +# +# # The number of bytes to claim as the maximum size for uploads for the limits API. If this +# # is not provided then the maxBytes setting will be used instead. 
This is useful to provide +# # if the media repo's settings and the reverse proxy do not match for maximum request size. +# # This is purely for informational reasons and does not actually limit any functionality. +# # Set this to -1 to indicate that there is no limit. Zero will force the use of maxBytes. +# #reportedMaxBytes: 104857600 +# +# # Options for limiting how much content a user can upload. Quotas are applied to content +# # associated with a user regardless of de-duplication. Quotas which affect remote servers +# # or users will not take effect. When a user exceeds their quota they will be unable to +# # upload any more media. +# quotas: +# # Whether or not quotas are enabled/enforced. Note that even when disabled the media repo +# # will track how much media a user has uploaded. This is disabled by default. +# enabled: false +# +# # The quota rules that affect users. The first rule to match the uploader will take effect. +# # An implied rule which matches all users and has no quota is always last in this list, +# # meaning that if no rules are supplied then users will be able to upload anything. Similarly, +# # if no rules match a user then the implied rule will match, allowing the user to have no +# # quota. The quota will let the user upload to 1 media past their quota, meaning that from +# # a statistics perspective the user might exceed their quota however only by a small amount. +# users: +# - glob: "@*:*" # Affect all users. Use asterisks (*) to match any character. 
+# maxBytes: 53687063712 # 50GB default, 0 to disable +{{ matrix_media_repo_uploads | to_json | from_json | to_nice_yaml(indent=2, width=999999, sort_keys=false) }} # Settings related to downloading files from the media repository downloads: # The maximum number of bytes to download from other servers - maxBytes: {{ matrix_media_repo_downloads_max_bytes }} # 100MB default, 0 to disable + maxBytes: {{ matrix_media_repo_downloads_max_bytes | to_json }} # 100MB default, 0 to disable # The number of workers to use when downloading remote media. Raise this number if remote # media is downloading slowly or timing out. # # Maximum memory usage = numWorkers multiplied by the maximum download size # Average memory usage is dependent on how many concurrent downloads your users are doing. - numWorkers: {{ matrix_media_repo_downloads_num_workers }} + numWorkers: {{ matrix_media_repo_downloads_num_workers | to_json }} # How long, in minutes, to cache errors related to downloading remote media. Once this time # has passed, the media is able to be re-requested. - failureCacheMinutes: {{ matrix_media_repo_downloads_failure_cache_minutes }} + failureCacheMinutes: {{ matrix_media_repo_downloads_failure_cache_minutes | to_json }} # The cache control settings for downloads. This can help speed up downloads for users by # keeping popular media in the cache. This cache is also used for thumbnails. cache: - enabled: {{ matrix_media_repo_downloads_cache_enabled }} + enabled: {{ matrix_media_repo_downloads_cache_enabled | to_json }} # The maximum size of cache to have. Higher numbers are better. - maxSizeBytes: {{ matrix_media_repo_downloads_cache_max_size_bytes }} # 1GB default + maxSizeBytes: {{ matrix_media_repo_downloads_cache_max_size_bytes | to_json }} # 1GB default # The maximum file size to cache. This should normally be the same size as your maximum # upload size. 
- maxFileSizeBytes: {{ matrix_media_repo_downloads_cache_max_file_size_bytes }} # 100MB default + maxFileSizeBytes: {{ matrix_media_repo_downloads_cache_max_file_size_bytes | to_json }} # 100MB default # The number of minutes to track how many downloads a file gets - trackedMinutes: {{ matrix_media_repo_downloads_cache_tracked_minutes }} + trackedMinutes: {{ matrix_media_repo_downloads_cache_tracked_minutes | to_json }} # The number of downloads a file must receive in the window above (trackedMinutes) in # order to be cached. - minDownloads: {{ matrix_media_repo_downloads_cache_min_downloads }} + minDownloads: {{ matrix_media_repo_downloads_cache_min_downloads | to_json }} # The minimum amount of time an item should remain in the cache. This prevents the cache # from cycling out the file if it needs more room during this time. Note that the media 
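Review bot: `token: {{ matrix_media_repo_shared_secret_auth_token | to_json }}` renders `token: ""` without complaint when shared-secret auth is enabled but no token was configured; whether the application then refuses to start or accepts an empty administrator secret is not visible here, and the existing `# Use a secure value here` comment is the only guard. A validation task in the role, `ansible.builtin.assert` with `that: matrix_media_repo_shared_secret_auth_token != ''` and `when: matrix_media_repo_shared_secret_auth_enabled | bool`, would fail the run before the config is written. The `sharedSecretAuth:` mapping this hunk edits starts outside the hunk.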
@@ -227,96 +288,234 @@ downloads: # media repo, and some cached items are still under this timer, new items will not be able # to enter the cache. When this happens, consider raising maxSizeBytes or lowering this # timer. - minCacheTimeSeconds: {{ matrix_media_repo_downloads_cache_min_cache_time_seconds }} + minCacheTimeSeconds: {{ matrix_media_repo_downloads_cache_min_cache_time_seconds | to_json }} # The minimum amount of time an item should remain outside the cache once it is removed. - minEvictedTimeSeconds: {{ matrix_media_repo_downloads_cache_min_evicted_time_seconds }} + minEvictedTimeSeconds: {{ matrix_media_repo_downloads_cache_min_evicted_time_seconds | to_json }} # How many days after a piece of remote content is downloaded before it expires. It can be # re-downloaded on demand, this just helps free up space in your datastore. Set to zero or # negative to disable. Defaults to disabled. - expireAfterDays: {{ matrix_media_repo_downloads_expire_after_days }} + expireAfterDays: {{ matrix_media_repo_downloads_expire_after_days | to_json }} # URL Preview settings -{{ matrix_media_repo_url_previews | to_nice_yaml(indent=2) }} +# urlPreviews: +# enabled: true # If enabled, the preview_url routes will be accessible +# maxPageSizeBytes: 10485760 # 10MB default, 0 to disable +# +# # If true, the media repository will try to provide previews for URLs with invalid or unsafe +# # certificates. If false (the default), the media repo will fail requests to said URLs. +# previewUnsafeCertificates: false +# +# # Note: URL previews are limited to a given number of words, which are then limited to a number +# # of characters, taking off the last word if it needs to. This also applies for the title. 
+# +# numWords: 50 # The number of words to include in a preview (maximum) +# maxLength: 200 # The maximum number of characters for a description +# +# numTitleWords: 30 # The maximum number of words to include in a preview's title +# maxTitleLength: 150 # The maximum number of characters for a title +# +# # The mime types to preview when OpenGraph previews cannot be rendered. OpenGraph previews are +# # calculated on anything matching "text/*". To have a thumbnail in the preview the URL must be +# # an image and the image's type must be allowed by the thumbnailer. +# filePreviewTypes: +# - "image/*" +# +# # The number of workers to use when generating url previews. Raise this number if url +# # previews are slow or timing out. +# # +# # Maximum memory usage = numWorkers multiplied by the maximum page size +# # Average memory usage is dependent on how many concurrent urls your users are previewing. +# numWorkers: 10 +# +# # Either allowedNetworks or disallowedNetworks must be provided. If both are provided, they +# # will be merged. URL previews will be disabled if neither is supplied. Each entry must be +# # a CIDR range. +# disallowedNetworks: +# - "127.0.0.1/8" +# - "10.0.0.0/8" +# - "172.16.0.0/12" +# - "192.168.0.0/16" +# - "100.64.0.0/10" +# - "169.254.0.0/16" +# - '::1/128' +# - 'fe80::/64' +# - 'fc00::/7' +# allowedNetworks: +# - "0.0.0.0/0" # "Everything". The blacklist will help limit this. +# # This is the default value for this field. +# +# # How many days after a preview is generated before it expires and is deleted. The preview +# # can be regenerated safely - this just helps free up some space in your database. Set to +# # zero or negative to disable. Defaults to disabled. +# expireAfterDays: 0 +# +# # The default Accept-Language header to supply when generating URL previews when one isn't +# # supplied by the client. 
+# # Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Language +# defaultLanguage: "en-US,en" +# +# # When true, oEmbed previews will be enabled. Typically these kinds of previews are used for +# # sites that do not support OpenGraph or page scraping, such as Twitter. For information on +# # specifying providers for oEmbed, including your own, see the following documentation: +# # https://docs.t2bot.io/matrix-media-repo/url-previews/oembed.html +# # Defaults to disabled. +# oEmbed: false +{{ matrix_media_repo_url_previews | to_json | from_json | to_nice_yaml(indent=2, width=999999, sort_keys=false)}} # The thumbnail configuration for the media repository. -{{ matrix_media_repo_thumbnails | to_nice_yaml(indent=2) }} +# thumbnails: +# # The maximum number of bytes an image can be before the thumbnailer refuses. +# maxSourceBytes: 10485760 # 10MB default, 0 to disable +# +# # The maximum number of pixels an image can have before the thumbnailer refuses. Note that +# # this only applies to image types: file types like audio and video are affected solely by +# # the maxSourceBytes. +# maxPixels: 32000000 # 32M default +# +# # The number of workers to use when generating thumbnails. Raise this number if thumbnails +# # are slow to generate or timing out. +# # +# # Maximum memory usage = numWorkers multiplied by the maximum image source size +# # Average memory usage is dependent on how many thumbnails are being generated by your users +# numWorkers: 100 +# +# # All thumbnails are generated into one of the sizes listed here. The first size is used as +# # the default for when no width or height is requested. The media repository will return +# # either an exact match or the next largest size of thumbnail. +# sizes: +# - width: 32 +# height: 32 +# - width: 96 +# height: 96 +# - width: 320 +# height: 240 +# - width: 640 +# height: 480 +# - width: 768 # This size is primarily used for audio thumbnailing. 
+# height: 240 +# - width: 800 +# height: 600 +# +# # To allow for thumbnails to be any size, not just in the sizes specified above, set this to +# # true (default false). When enabled, whatever size requested by the client will be generated +# # up to a maximum of the largest possible dimensions in the `sizes` list. For best results, +# # specify only one size in the `sizes` list when this option is enabled. +# dynamicSizing: false +# +# # The content types to thumbnail when requested. Types that are not supported by the media repo +# # will not be thumbnailed (adding application/json here won't work). Clients may still not request +# # thumbnails for these types - this won't make clients automatically thumbnail these file types. +# types: +# - "image/jpeg" +# - "image/jpg" +# - "image/png" +# - "image/apng" +# - "image/gif" +# - "image/heif" +# - "image/webp" +# #- "image/svg+xml" # Be sure to have ImageMagick installed to thumbnail SVG files +# - "audio/mpeg" +# - "audio/ogg" +# - "audio/wav" +# - "audio/flac" +# #- "video/mp4" # Be sure to have ffmpeg installed to thumbnail video files +# +# # Animated thumbnails can be CPU intensive to generate. To disable the generation of animated +# # thumbnails, set this to false. If disabled, regular thumbnails will be returned. +# allowAnimated: true +# +# # Default to animated thumbnails, if available +# defaultAnimated: false +# +# # The maximum file size to thumbnail when a capable animated thumbnail is requested. If the image +# # is larger than this, the thumbnail will be generated as a static image. +# maxAnimateSizeBytes: 10485760 # 10MB default, 0 to disable +# +# # On a scale of 0 (start of animation) to 1 (end of animation), where should the thumbnailer try +# # and thumbnail animated content? Defaults to 0.5 (middle of animation). +# stillFrame: 0.5 +# +# # How many days after a thumbnail is generated before it expires and is deleted. 
The thumbnail +# # can be regenerated safely - this just helps free up some space in your datastores. Set to +# # zero or negative to disable. Defaults to disabled. +# expireAfterDays: 0 +{{ matrix_media_repo_thumbnails | to_json | from_json | to_nice_yaml(indent=2, width=999999, sort_keys=false) }} # Controls for the rate limit functionality rateLimit: # Set this to false if rate limiting is handled at a higher level or you don't want it enabled. - enabled: {{ matrix_media_repo_rate_limit_enabled }} + enabled: {{ matrix_media_repo_rate_limit_enabled | to_json }} # The number of requests per second before an IP will be rate limited. Must be a whole number. - requestsPerSecond: {{ matrix_media_repo_rate_limit_requests_per_second }} + requestsPerSecond: {{ matrix_media_repo_rate_limit_requests_per_second | to_json }} # The number of requests an IP can send at once before the rate limit is actually considered. - burst: {{ matrix_media_repo_rate_limit_burst }} + burst: {{ matrix_media_repo_rate_limit_burst | to_json }} # Identicons are generated avatars for a given username. Some clients use these to give users a # default avatar after signing up. Identicons are not part of the official matrix spec, therefore # this feature is completely optional. identicons: - enabled: {{ matrix_media_repo_identicons_enabled }} + enabled: {{ matrix_media_repo_identicons_enabled | to_json }} # The quarantine media settings. quarantine: # If true, when a thumbnail of quarantined media is requested an image will be returned. If no # image is given in the thumbnailPath below then a generated image will be provided. This does # not affect regular downloads of files. - replaceThumbnails: {{ matrix_media_repo_quarantine_replace_thumbnails }} + replaceThumbnails: {{ matrix_media_repo_quarantine_replace_thumbnails | to_json }} # If true, when media which has been quarantined is requested an image will be returned. 
If # no image is given in the thumbnailPath below then a generated image will be provided. This # will replace media which is not an image (ie: quarantining a PDF will replace the PDF with # an image). - replaceDownloads: {{ matrix_media_repo_quarantine_replace_downloads }} + replaceDownloads: {{ matrix_media_repo_quarantine_replace_downloads | to_json }} # If provided, the given image will be returned as a thumbnail for media that is quarantined. #thumbnailPath: "/path/to/thumbnail.png" - thumbnailPath: {{ "" if matrix_media_repo_quarantine_thumbnail_path == "" else matrix_media_repo_quarantine_thumbnail_path }} + thumbnailPath: {{ "" if matrix_media_repo_quarantine_thumbnail_path == "" else matrix_media_repo_quarantine_thumbnail_path | to_json }} # If true, administrators of the configured homeservers may quarantine media for their server # only. Global administrators can quarantine any media (local or remote) regardless of this # flag. - allowLocalAdmins: {{ matrix_media_repo_quarantine_allow_local_admins }} + allowLocalAdmins: {{ matrix_media_repo_quarantine_allow_local_admins | to_json }} # The various timeouts that the media repo will use. timeouts: # The maximum amount of time the media repo should spend trying to fetch a resource that is # being previewed. - urlPreviewTimeoutSeconds: {{ matrix_media_repo_timeouts_url_preview_timeout_seconds }} + urlPreviewTimeoutSeconds: {{ matrix_media_repo_timeouts_url_preview_timeout_seconds | to_json }} # The maximum amount of time the media repo will spend making remote requests to other repos # or homeservers. This is primarily used to download media. - federationTimeoutSeconds: {{ matrix_media_repo_timeouts_federation_timeout_seconds }} + federationTimeoutSeconds: {{ matrix_media_repo_timeouts_federation_timeout_seconds | to_json }} # The maximum amount of time the media repo will spend talking to your configured homeservers. # This is usually used to verify a user's identity. 
- clientServerTimeoutSeconds: {{ matrix_media_repo_timeouts_client_server_timeout_seconds }} + clientServerTimeoutSeconds: {{ matrix_media_repo_timeouts_client_server_timeout_seconds | to_json }} # Prometheus metrics configuration # For an example Grafana dashboard, import the following JSON: # https://github.com/turt2live/matrix-media-repo/blob/master/docs/grafana.json metrics: # If true, the bindAddress and port below will serve GET /metrics for Prometheus to scrape. - enabled: {{ matrix_media_repo_metrics_enabled }} + enabled: {{ matrix_media_repo_metrics_enabled | to_json }} # The address to listen on. Typically "127.0.0.1" or "0.0.0.0" for all interfaces. - bindAddress: {{ matrix_media_repo_metrics_bind_address }} + bindAddress: {{ matrix_media_repo_metrics_bind_address | to_json }} # The port to listen on. Cannot be the same as the general web server port. - port: {{ matrix_media_repo_metrics_port }} + port: {{ matrix_media_repo_metrics_port | to_json }} # Plugins are optional pieces of the media repo used to extend the functionality offered. # Currently there are only antispam plugins, but in future there should be more options. # Plugins are not supported on per-domain paths and are instead repo-wide. For more # information on writing plugins, please visit #matrix-media-repo:t2bot.io on Matrix. -{{ matrix_media_repo_plugins | to_nice_yaml(indent=2) }} - # An example OCR plugin to block images with certain text. Note that the Docker image - # for the media repo automatically ships this at /plugins/plugin_antispam_ocr +# An example OCR plugin to block images with certain text. Note that the Docker image +# for the media repo automatically ships this at /plugins/plugin_antispam_ocr # - exec: /plugins/plugin_antispam_ocr # config: # # The URL to your OCR server (https://github.com/otiai10/ocrserver) 
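Review bot: The SSRF guard for URL previews now lives entirely in the `matrix_media_repo_url_previews` variable rendered after the `# urlPreviews:` comment block, so the private-range `disallowedNetworks` list shown here only as commentary (loopback, RFC 1918, CGNAT, `169.254.0.0/16` which covers cloud metadata endpoints, and the IPv6 local ranges) is enforced only if the role default outside this hunk carries it too — worth confirming, since the commented `allowedNetworks: 0.0.0.0/0` is described as the default. The commented entry `"127.0.0.1/8"` names a host rather than a network; if the role default is copied from this comment it should read `"127.0.0.0/8"` so a strict CIDR parser does not reject it. Separately, `thumbnailPath: {{ "" if matrix_media_repo_quarantine_thumbnail_path == "" else matrix_media_repo_quarantine_thumbnail_path | to_json }}` applies `to_json` only to the else branch (a Jinja filter binds to its operand before the conditional), leaving a bare empty value when unset; `thumbnailPath: {{ matrix_media_repo_quarantine_thumbnail_path | to_json }}` renders `""` in both cases and matches what every other key in this hunk now does.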
@@ -338,22 +537,83 @@ metrics: # # How much of the image's height, starting from the top, to consider before # # discarding the rest. Set to 1.0 to consider the whole image. # percentageOfHeight: 0.35 +{{ matrix_media_repo_plugins | to_json | from_json | to_nice_yaml(indent=2, width=999999, sort_keys=false) }} # Options for controlling various MSCs/unstable features of the media repo # Sections of this config might disappear or be added over time. By default all # features are disabled in here and must be explicitly enabled to be used. -{{ matrix_media_repo_feature_support | to_nice_yaml(indent=2) }} +# featureSupport: +# # MSC2248 - Blurhash +# MSC2448: +# # Whether or not this MSC is enabled for use in the media repo +# enabled: false +# +# # Maximum dimensions for converting a blurhash to an image. When no width and +# # height options are supplied, the default will be half these values. +# maxWidth: 1024 +# maxHeight: 1024 +# +# # Thumbnail size in pixels to use to generate the blurhash string +# thumbWidth: 64 +# thumbHeight: 64 +# +# # The X and Y components to use. Higher numbers blur less, lower numbers blur more. +# xComponents: 4 +# yComponents: 3 +# +# # The amount of contrast to apply when converting a blurhash to an image. Lower values +# # make the effect more subtle, larger values make it stronger. +# punch: 1 +# +# # IPFS Support +# # This is currently experimental and might not work at all. +# IPFS: +# # Whether or not IPFS support is enabled for use in the media repo. +# enabled: false +# +# # Options for the built in IPFS daemon +# builtInDaemon: +# # Enable this to spawn an in-process IPFS node to use instead of a localhost +# # HTTP agent. If this is disabled, the media repo will assume you have an HTTP +# # IPFS agent running and accessible. Defaults to using a daemon (true). +# enabled: true +# +# # If the Daemon is enabled, set this to the location where the IPFS files should +# # be stored. 
If you're using Docker, this should be something like "/data/ipfs" +# # so it can be mapped to a volume. +# repoPath: "./ipfs" +# +# # Support for redis as a cache mechanism +# # +# # Note: Enabling Redis support will mean that the existing cache mechanism will do nothing. +# # It can be safely disabled once Redis support is enabled. +# # +# # See docs/redis.md for more information on how this works and how to set it up. +# redis: +# # Whether or not use Redis instead of in-process caching. +# enabled: false +# +# # The Redis shards that should be used by the media repo in the ring. The names of the +# # shards are for your reference and have no bearing on the connection, but must be unique. +# shards: +# - name: "server1" +# addr: ":7000" +# - name: "server2" +# addr: ":7001" +# - name: "server3" +# addr: ":7002" +{{ matrix_media_repo_feature_support | to_json | from_json | to_nice_yaml(indent=2, width=999999, sort_keys=false) }} # Optional sentry (https://sentry.io/) configuration for the media repo sentry: # Whether or not to set up error reporting. Defaults to off. - enabled: {{ matrix_media_repo_sentry_enabled }} + enabled: {{ matrix_media_repo_sentry_enabled | to_json }} # Get this value from the setup instructions in Sentry - dsn: {{ matrix_media_repo_sentry_dsn }} + dsn: {{ matrix_media_repo_sentry_dsn | to_json }} # Optional environment flag. Defaults to an empty string. - environment: {{ "" if matrix_media_repo_sentry_environment == "" else matrix_media_repo_sentry_environment }} + environment: {{ "" if matrix_media_repo_sentry_environment == "" else matrix_media_repo_sentry_environment | to_json }} # Whether or not to turn on sentry's built in debugging. This will increase log output. - debug: {{ matrix_media_repo_sentry_debug }} \ No newline at end of file + debug: {{ matrix_media_repo_sentry_debug | to_json }} \ No newline at end of file From 63ee8e5bb9ac624f6041098cc9f3d9f42090d090 Mon Sep 17 00:00:00 2001 
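Review bot: `environment: {{ "" if matrix_media_repo_sentry_environment == "" else matrix_media_repo_sentry_environment | to_json }}` quotes only the non-empty branch, because the Jinja filter binds to its operand before the conditional is evaluated; when the variable is empty the rendered line is `environment: ` (YAML null), not the empty string the comment directly above promises. `environment: {{ matrix_media_repo_sentry_environment | to_json }}` renders `""` when unset and a quoted string otherwise, consistent with `dsn:` on the previous line. The `dsn` value written here is a credential, and nothing in this hunk shows the rendered file's mode, so I would confirm that the task installing `config.yaml` keeps it readable by the service user only. The new side of the file still ends without a trailing newline, which is harmless but easy to fix while the template is being reworked.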
From: Michael Hollister Date: Fri, 14 Jul 2023 01:31:35 -0500 Subject: [PATCH 884/915] Replaced csApi config with proxy container url --- roles/custom/matrix-media-repo/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-media-repo/defaults/main.yml b/roles/custom/matrix-media-repo/defaults/main.yml index e2304d42e..312e02588 100644 --- a/roles/custom/matrix-media-repo/defaults/main.yml +++ b/roles/custom/matrix-media-repo/defaults/main.yml @@ -135,7 +135,7 @@ matrix_media_repo_homeservers: - name: "{{ matrix_server_fqn_matrix }}" # The base URL to where the homeserver can actually be reached - csApi: "https://{{ matrix_server_fqn_matrix }}/" + csApi: "http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}" # The number of consecutive failures in calling this homeserver before the # media repository will start backing off. This defaults to 10 if not given. From 3e93613a3f280e1ca9253bab7f496aa4fbef0f49 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 14 Jul 2023 09:49:30 +0300 Subject: [PATCH 885/915] Upgrade Heisenbridge (1.14.2 -> 1.14.3) --- roles/custom/matrix-bridge-heisenbridge/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml b/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml index ba5471cce..5dfe38105 100644 --- a/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml +++ b/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml @@ -4,7 +4,7 @@ matrix_heisenbridge_enabled: true -matrix_heisenbridge_version: 1.14.2 +matrix_heisenbridge_version: 1.14.3 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}" matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}" From 4e4f107daaa165541c384407fb47ed90246dc09d Mon Sep 17 00:00:00 2001 
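Review bot: `csApi` now reaches the homeserver over plaintext HTTP at the nginx-proxy container address, so the user access tokens matrix-media-repo validates against the homeserver cross the container network unencrypted; that is acceptable only when both containers share a private Docker network, which a role default cannot guarantee by itself (the network wiring is presumably in `group_vars/matrix_servers`, outside this hunk). It also makes a `matrix-media-repo` role default depend on a variable owned by the `matrix-nginx-proxy` role, so the role no longer renders on its own when that role is disabled or another reverse proxy is in use; the other hunks in this series do cross-role wiring in `group_vars/matrix_servers`, so keeping the self-contained `csApi: "https://{{ matrix_server_fqn_matrix }}/"` here and overriding it there would fit that pattern. The trailing slash was also dropped in the new value, and whether matrix-media-repo tolerates a base URL without one should be checked before this lands.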
From: David Mehren Date: Sun, 16 Jul 2023 09:21:30 +0200 Subject: [PATCH 886/915] Upgrade sliding-sync (v0.99.3 -> v0.99.4) --- roles/custom/matrix-sliding-sync/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-sliding-sync/defaults/main.yml b/roles/custom/matrix-sliding-sync/defaults/main.yml index 1f28d3053..cfc55ecd2 100644 --- a/roles/custom/matrix-sliding-sync/defaults/main.yml +++ b/roles/custom/matrix-sliding-sync/defaults/main.yml @@ -4,7 +4,7 @@ matrix_sliding_sync_enabled: true -matrix_sliding_sync_version: v0.99.3 +matrix_sliding_sync_version: v0.99.4 matrix_sliding_sync_scheme: https From ccc99d6c73a2693c0f9c889da7c251d7e0a25eb7 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Sun, 16 Jul 2023 14:12:11 +0300 Subject: [PATCH 887/915] Update mautrix-discord 0.5.0 -> 0.6.0 --- roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml index dbb73aa45..f9b853bc6 100644 --- a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml 
@@ -8,7 +8,7 @@ matrix_mautrix_discord_container_image_self_build: false matrix_mautrix_discord_container_image_self_build_repo: "https://mau.dev/mautrix/discord.git" matrix_mautrix_discord_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_discord_version == 'latest' else matrix_mautrix_discord_version }}" -matrix_mautrix_discord_version: v0.5.0 +matrix_mautrix_discord_version: v0.6.0 # See: https://mau.dev/mautrix/discord/container_registry matrix_mautrix_discord_docker_image: "{{ matrix_mautrix_discord_docker_image_name_prefix }}mautrix/discord:{{ matrix_mautrix_discord_version }}" matrix_mautrix_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_discord_container_image_self_build else 'dock.mau.dev/' }}" From bc0b73dd70128fbc11162e8c705038a5f11ed515 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 17 Jul 2023 08:07:49 +0300 Subject: [PATCH 888/915] Improve if condition for including Postgres in matrix_media_repo_systemd_required_services_list --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index b008d694c..0a7c9543f 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2580,7 +2580,7 @@ matrix_media_repo_systemd_required_services_list: | {{ (['docker.service']) + - ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled and matrix_media_repo_database_hostname == devture_postgres_connection_hostname else []) }} ###################################################################### From 5fb1020adaeedea57f232ef48187109b3cac1475 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Mon, 17 Jul 2023 08:09:31 +0300 Subject: [PATCH 889/915] Use full name of matrix-media-repo for Ansible tags (*-media-repo -> *-matrix-media-repo) --- roles/custom/matrix-media-repo/tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/custom/matrix-media-repo/tasks/main.yml b/roles/custom/matrix-media-repo/tasks/main.yml index 59f962a28..03c26ec5b 100644 --- a/roles/custom/matrix-media-repo/tasks/main.yml +++ b/roles/custom/matrix-media-repo/tasks/main.yml @@ -2,16 +2,16 @@ - tags: - setup-all - - setup-media-repo + - setup-matrix-media-repo - install-all - - install-media-repo + - install-matrix-media-repo block: - when: matrix_media_repo_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: - setup-all - - setup-media-repo + - setup-matrix-media-repo block: - when: not matrix_media_repo_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" From 95bfa4e87e25c8c53687bd3bc055bb2fa27c6138 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 17 Jul 2023 08:11:23 +0300 Subject: [PATCH 890/915] Put matrix-media-repo.service in the matrix-media-repo group Making the group match the Ansible task tags allows people to do `just install-service matrix-media-repo` and have that trigger both `--tags=matrix-media-repo` and also restart just that single group (`matrix-media-repo`). --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 0a7c9543f..f932dcc35 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -326,7 +326,7 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-ma1sd.service', 'priority': 2000, 'groups': ['matrix', 'ma1sd']}] if matrix_ma1sd_enabled else []) + - ([{'name': (matrix_media_repo_identifier + '.service'), 'priority': 4000, 'groups': ['matrix', 'media_store']}] if matrix_media_repo_enabled else []) + ([{'name': (matrix_media_repo_identifier + '.service'), 'priority': 4000, 'groups': ['matrix', 'matrix-media-repo']}] if matrix_media_repo_enabled else []) + ([{'name': 'matrix-mailer.service', 'priority': 2000, 'groups': ['matrix', 'mailer']}] if matrix_mailer_enabled else []) + From 1df533d351213792252d83c8759ef5cf4f8ebbe9 Mon Sep 17 00:00:00 2001 From: Shreyas Ajjarapu Date: Mon, 17 Jul 2023 11:20:11 -0500 Subject: [PATCH 891/915] Update main.yml --- roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 9ee461b5c..ab2921e31 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mautrix_whatsapp_container_image_self_build: false matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautrix/whatsapp.git" matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}" -matrix_mautrix_whatsapp_version: v0.8.6 +matrix_mautrix_whatsapp_version: v0.9.0 # See: https://mau.dev/mautrix/whatsapp/container_registry matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_name_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}" matrix_mautrix_whatsapp_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_whatsapp_container_image_self_build else 'dock.mau.dev/' }}" 
From 68556400ba74030a78ad09ee3d6411fb5861b1f4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 17 Jul 2023 22:37:53 +0300 Subject: [PATCH 892/915] Announce matrix-media-repo Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2783 --- CHANGELOG.md | 9 +++++++++ docs/configuring-playbook-matrix-media-repo.md | 8 ++++---- docs/configuring-playbook-s3.md | 2 ++ docs/configuring-playbook.md | 2 ++ 4 files changed, 17 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 70b17b000..c1870a273 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2023-07-17 + +## matrix-media-repo support + +Thanks to [Michael Hollister](https://github.com/Michael-Hollister) from [FUTO](https://www.futo.org/), the creators of the [Circles app](https://circu.li/), the playbook can now set up [matrix-media-repo](https://github.com/turt2live/matrix-media-repo) - an alternative way to store homeserver media files, powered by a homeserver-independent implementation which supports S3 storage, IPFS, deduplication and other advanced features. + +To learn more see our [Storing Matrix media files using matrix-media-repo](docs/configuring-playbook-matrix-media-repo.md) documentation page. + + # 2023-05-25 ## Enabling `forget_rooms_on_leave` by default for Synapse diff --git a/docs/configuring-playbook-matrix-media-repo.md b/docs/configuring-playbook-matrix-media-repo.md index e011e1e66..d5d6eda37 100644 --- a/docs/configuring-playbook-matrix-media-repo.md +++ b/docs/configuring-playbook-matrix-media-repo.md 
@@ -1,10 +1,10 @@ # Setting up matrix-media-repo (optional) -matrix-media-repo is a highly customizable multi-domain media repository for Matrix. Intended for medium to large environments consisting of several homeservers, this media repo de-duplicates media (including remote media) while being fully compliant with the specification. +[matrix-media-repo](https://docs.t2bot.io/matrix-media-repo/) is a highly customizable multi-domain media repository for Matrix. Intended for medium to large environments consisting of several homeservers, this media repo de-duplicates media (including remote media) while being fully compliant with the specification. -Smaller/individual homeservers can still make use of this project's features, though it may be difficult to set up or have higher than expected resource consumption - please do your research before deploying this as this project may not be useful for your environment. +Smaller/individual homeservers can still make use of this project's features, though it may be difficult to set up or have higher than expected resource consumption. Please do your research before deploying this as this project may not be useful for your environment. -More documentation about the project can be found at: https://docs.t2bot.io/matrix-media-repo/ +For a simpler alternative (which allows you to offload your media repository storage to S3, etc.), you can [configure S3 storage](configuring-playbook-s3.md) instead of setting up matrix-media-repo. ## Quickstart 
@@ -17,7 +17,7 @@ matrix_media_repo_enabled: true # matrix_media_repo_metrics_enabled: true ``` -The repo is pre-configured for integrating with the postgres database, NGINX proxy and prometheus/grafana (if metrics enabled) from this playbook for all the available homeserver roles. When the media repo is enabled, other media store roles should be disabled (if using Synapse with other media store roles). +The repo is pre-configured for integrating with the Postgres database, NGINX proxy and [Prometheus/Grafana](configuring-playbook-prometheus-grafana.md) (if metrics enabled) from this playbook for all the available homeserver roles. When the media repo is enabled, other media store roles should be disabled (if using Synapse with other media store roles). By default, the media-repo will use the local filesystem for data storage. Additional options include `s3` and `IPFS` (experimental). Access token caching is also enabled by default since the logout endpoints are proxied through the media repo. diff --git a/docs/configuring-playbook-s3.md b/docs/configuring-playbook-s3.md index 941ae0db2..f5a182840 100644 --- a/docs/configuring-playbook-s3.md +++ b/docs/configuring-playbook-s3.md @@ -5,6 +5,8 @@ If that's alright, you can skip this. As an alternative to storing media files on the local filesystem, you can store them on [Amazon S3](https://aws.amazon.com/s3/) or another S3-compatible object store. +You can do this either by sticking to Synapse's media repository and making that use S3 (read below for this method), or by switching to an external media storage implementation like [matrix-media-repo](configuring-playbook-matrix-media-repo.md). + First, [choose an Object Storage provider](#choosing-an-object-storage-provider). Then, [create the S3 bucket](#bucket-creation-and-security-configuration). diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 31eea8953..8f598f6bd 100644 --- a/docs/configuring-playbook.md 
+++ b/docs/configuring-playbook.md @@ -51,6 +51,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Configuring Element](configuring-playbook-client-element.md) (optional) +- [Storing Matrix media files using matrix-media-repo](configuring-playbook-matrix-media-repo.md) (optional) + - [Storing Matrix media files on Amazon S3](configuring-playbook-s3.md) (optional) - [Using an external PostgreSQL server](configuring-playbook-external-postgres.md) (optional) From 60c34d701af574926971d2c965c12590e955da6d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 18 Jul 2023 18:12:47 +0300 Subject: [PATCH 893/915] Use prebuilt container images for matrix-sliding-sync on ARM64 As mentioned in https://github.com/matrix-org/sliding-sync/issues/31#issuecomment-1640321110 images are available for arm64 already. --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index f932dcc35..8d7197f15 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -3927,7 +3927,7 @@ matrix_sliding_sync_hostname: "{{ matrix_server_fqn_matrix }}" matrix_sliding_sync_path_prefix: /sliding-sync -matrix_sliding_sync_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}" +matrix_sliding_sync_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" matrix_sliding_sync_container_additional_networks: | {{ From 2fad66a3719ad09347e70e012ea4ca3e2175e40d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 18 Jul 2023 20:04:51 +0300 Subject: [PATCH 894/915] Upgrade Synapse (v1.87.0 -> v1.88.0) --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 6548f3561..9cc5fffcf 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml 
+++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -4,7 +4,7 @@ matrix_synapse_enabled: true -matrix_synapse_version: v1.87.0 +matrix_synapse_version: v1.88.0 matrix_synapse_username: '' matrix_synapse_uid: '' From 64396419ba8c70fdde5679324a7f7c2fbdb1eaa5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 18 Jul 2023 20:40:44 +0300 Subject: [PATCH 895/915] Upgrade synapse-s3-storage-provider (1.2.0 -> 1.2.1) --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 9cc5fffcf..48d8e8d98 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -870,7 +870,7 @@ matrix_synapse_ext_encryption_config_yaml: | # Installing it requires building a customized Docker image for Synapse (see `matrix_synapse_container_image_customizations_enabled`). # Enabling this will enable customizations and inject the appropriate Dockerfile clauses for installing synapse-s3-storage-provider. matrix_synapse_ext_synapse_s3_storage_provider_enabled: false -matrix_synapse_ext_synapse_s3_storage_provider_version: 1.2.0 +matrix_synapse_ext_synapse_s3_storage_provider_version: 1.2.1 # Controls whether media from this (local) server is stored in s3-storage-provider matrix_synapse_ext_synapse_s3_storage_provider_store_local: true # Controls whether media from remote servers is stored in s3-storage-provider From 330dfd4eaf804bcefdb44ab9efe635d49c663df0 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 18 Jul 2023 22:38:37 +0300 Subject: [PATCH 896/915] Update element 1.11.35 -> 1.11.36 --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 368639cb0..9199a1d5a 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml @@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.11.35 +matrix_client_element_version: v1.11.36 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From a5cb6272d8891532735aee79238059f1d9ea5ef6 Mon Sep 17 00:00:00 2001 From: Aine Date: Fri, 21 Jul 2023 13:22:05 +0300 Subject: [PATCH 897/915] add global bridges relay mode switch --- docs/configuring-playbook-mautrix-bridges.md | 22 +++++++++++++++++++ roles/custom/matrix-base/defaults/main.yml | 3 +++ .../defaults/main.yml | 2 ++ .../templates/config.yaml.j2 | 2 +- .../defaults/main.yml | 3 +++ .../templates/config.yaml.j2 | 2 +- .../defaults/main.yml | 3 +++ .../templates/config.yaml.j2 | 17 ++++++++++++++ .../defaults/main.yml | 2 +- .../defaults/main.yml | 2 +- 10 files changed, 54 insertions(+), 4 deletions(-) diff --git a/docs/configuring-playbook-mautrix-bridges.md b/docs/configuring-playbook-mautrix-bridges.md index 392be47df..c6e78d02d 100644 --- a/docs/configuring-playbook-mautrix-bridges.md +++ b/docs/configuring-playbook-mautrix-bridges.md 
@@ -32,14 +32,18 @@ matrix_mautrix_SERVICENAME_configuration_extension_yaml: | '@YOUR_USERNAME:{{ matrix_domain }}': admin ``` +## encryption + Encryption support is off by default. If you would like to enable encryption, add the following to your `vars.yml` file: **for all bridges with encryption support**: + ```yaml matrix_bridges_encryption_enabled: true ``` **Alternatively**, for a specific bridge: + ```yaml matrix_mautrix_SERVICENAME_configuration_extension_yaml: | bridge: @@ -48,6 +52,24 @@ matrix_mautrix_SERVICENAME_configuration_extension_yaml: | default: true ``` +## relay mode + +Relay mode is off by default. If you would like to enable relay mode, add the following to your `vars.yml` file: + +**for all bridges with relay mode support**: + +```yaml +matrix_bridges_relay_enabled: true +``` + +**Alternatively**, for a specific bridge: + +```yaml +matrix_mautrix_SERVICENAME_configuration_extension_yaml: | + bridge: + relay: + enabled: true +``` You can only have one `matrix_mautrix_SERVICENAME_configuration_extension_yaml` definition in `vars.yml` per bridge, so if you need multiple pieces of configuration there, just merge them like this: diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index 35974bba9..637ce3bb9 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml @@ -16,6 +16,9 @@ matrix_admin: '' # Global var to enable/disable encryption across all bridges with encryption support matrix_bridges_encryption_enabled: false +# Global var to enable/disable relay mode across all bridges with relay mode support +matrix_bridges_relay_enabled: false + # matrix_homeserver_enabled controls whether to enable the homeserver systemd service, etc. # # Unless you're wrapping this playbook in another one 
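Review bot: The comment on the new `matrix_bridges_relay_enabled` in the matrix-base defaults hunk does not say what the switch grants, and its blast radius differs per bridge: the kakaotalk and facebook templates in this commit set `bridge.relay.enabled` from it while their own config comments say relay mode lets any authenticated user turn themselves into a relaybot with `set-relay`, whereas the whatsapp defaults keep `matrix_mautrix_whatsapp_bridge_relay_admin_only: true` as a separate gate. An operator flipping one global flag should know that for some bridges this means every bridge-permitted user can relay messages into remote chats on behalf of others. I would expand the comment to something like `# Global var to enable/disable relay mode across all bridges with relay mode support. Not every bridge has an admin-only restriction for relay users (compare matrix_mautrix_whatsapp_bridge_relay_admin_only); review each bridge's permissions before enabling this globally.` The same caveat belongs in the new "relay mode" section of docs/configuring-playbook-mautrix-bridges.md.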
diff --git a/roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml b/roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml index 86c3366c3..9f86be5fb 100644 --- a/roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml +++ b/roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml @@ -110,6 +110,8 @@ matrix_appservice_kakaotalk_login_shared_secret: '' matrix_appservice_kakaotalk_bridge_login_shared_secret_map: "{{ {matrix_appservice_kakaotalk_homeserver_domain: matrix_appservice_kakaotalk_login_shared_secret} if matrix_appservice_kakaotalk_login_shared_secret else {} }}" +matrix_appservice_kakaotalk_bridge_relay_enabled: "{{ matrix_bridges_relay_enabled }}" + matrix_appservice_kakaotalk_bridge_permissions: | {{ {matrix_appservice_kakaotalk_homeserver_domain: 'user'} diff --git a/roles/custom/matrix-bridge-appservice-kakaotalk/templates/config.yaml.j2 b/roles/custom/matrix-bridge-appservice-kakaotalk/templates/config.yaml.j2 index 803d443fd..cf3644a9b 100644 --- a/roles/custom/matrix-bridge-appservice-kakaotalk/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-appservice-kakaotalk/templates/config.yaml.j2 @@ -220,7 +220,7 @@ bridge: relay: # Whether relay mode should be allowed. If allowed, `!kt set-relay` can be used to turn any # authenticated user into a relaybot for that chat. - enabled: false + enabled: {{ matrix_appservice_kakaotalk_bridge_relay_enabled }} # The formats to use when sending messages to KakaoTalk via a relay user. # # Available variables: diff --git a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml index dcd9fdfa0..0b48aaad5 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml 
@@ -103,6 +103,9 @@ matrix_mautrix_facebook_login_shared_secret: '' matrix_mautrix_facebook_bridge_login_shared_secret_map: "{{ {matrix_mautrix_facebook_homeserver_domain: matrix_mautrix_facebook_login_shared_secret} if matrix_mautrix_facebook_login_shared_secret else {} }}" +# Enable bridge relay bot functionality +matrix_mautrix_facebook_relay_enabled: "{{ matrix_bridges_relay_enabled }}" + matrix_mautrix_facebook_appservice_bot_username: facebookbot matrix_mautrix_facebook_bridge_presence: true diff --git a/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 index 636b442b9..7ec9342a2 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 @@ -206,7 +206,7 @@ bridge: relay: # Whether relay mode should be allowed. If allowed, `!fb set-relay` can be used to turn any # authenticated user into a relaybot for that chat. - enabled: false + enabled: {{ matrix_mautrix_facebook_relay_enabled }} # The formats to use when sending messages to Messenger via a relay user. # # Available variables: diff --git a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml index 2288fb776..cef492889 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml 
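Review bot: The new variable is named `matrix_mautrix_facebook_relay_enabled` here (and `matrix_mautrix_instagram_relay_enabled` in the instagram defaults hunk), while the kakaotalk hunk in the same commit introduces `matrix_appservice_kakaotalk_bridge_relay_enabled` and the pre-existing whatsapp variable is `matrix_mautrix_whatsapp_bridge_relay_enabled`. These are public vars.yml names, so renaming them after release is a breaking change for users; picking the `_bridge_relay_enabled` form now, e.g. `matrix_mautrix_facebook_bridge_relay_enabled: "{{ matrix_bridges_relay_enabled }}"`, keeps all relay switches discoverable by one naming pattern. The templates would need the matching rename.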
@@ -83,6 +83,9 @@ matrix_mautrix_instagram_login_shared_secret: '' matrix_mautrix_instagram_bridge_login_shared_secret_map: "{{ {matrix_mautrix_instagram_homeserver_domain: matrix_mautrix_instagram_login_shared_secret} if matrix_mautrix_instagram_login_shared_secret else {} }}" +# Enable bridge relay bot functionality +matrix_mautrix_instagram_relay_enabled: "{{ matrix_bridges_relay_enabled }}" + matrix_mautrix_instagram_appservice_bot_username: instagrambot matrix_mautrix_instagram_bridge_presence: true diff --git a/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 index 1949a2532..e3d4be521 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 @@ -196,6 +196,23 @@ bridge: # The shared secret to authorize users of the API. # Set to "generate" to generate and save a new token. shared_secret: generate + relay: + # Whether relay mode should be allowed. If allowed, `!ig set-relay` can be used to turn any + # authenticated user into a relaybot for that chat. + enabled: {{ matrix_mautrix_instagram_relay_enabled }} + # The formats to use when sending messages to Instagram via a relay user. + # + # Available variables: + # $sender_displayname - The display name of the sender (e.g. Example User) + # $sender_username - The username (Matrix ID localpart) of the sender (e.g. exampleuser) + # $sender_mxid - The Matrix ID of the sender (e.g. @exampleuser:example.com) + # $message - The message content + # + # Note that Instagram doesn't support captions for images, so images won't include any indication of being relayed. + message_formats: + m.text: '$sender_displayname: $message' + m.notice: '$sender_displayname: $message' + m.emote: '* $sender_displayname $message' # Python logging configuration. # 
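Review bot: The instagram template hunk adds a whole `bridge.relay` section that did not exist in this template before, copied from the facebook layout, rather than only wiring an existing key to the new variable. It is worth confirming that the mautrix-instagram version the playbook pins actually reads `bridge.relay` (an unknown key would presumably be ignored and the global switch would silently have no effect for this bridge), and mentioning in the commit message that this bridge gains relay configuration for the first time.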
diff --git a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml index ca9bab54a..7675e7b17 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml @@ -104,7 +104,7 @@ matrix_mautrix_signal_appservice_database: "{{ matrix_mautrix_signal_login_shared_secret: '' # Enable bridge relay bot functionality -matrix_mautrix_signal_relaybot_enabled: false +matrix_mautrix_signal_relaybot_enabled: "{{ matrix_bridges_relay_enabled }}" # Permissions for using the bridge. # Permitted values: diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml index ab2921e31..a308811a7 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -113,7 +113,7 @@ matrix_mautrix_whatsapp_bridge_permissions: | }} # Enable bridge relay functionality -matrix_mautrix_whatsapp_bridge_relay_enabled: false +matrix_mautrix_whatsapp_bridge_relay_enabled: "{{ matrix_bridges_relay_enabled }}" # Only allow admins on this home server to set themselves as a relay user matrix_mautrix_whatsapp_bridge_relay_admin_only: true From 5ea6aa3e50d20a4a2e50e84810c20411a1f58448 Mon Sep 17 00:00:00 2001 
From: Shreyas Ajjarapu Date: Fri, 21 Jul 2023 06:33:52 -0500 Subject: [PATCH 898/915] Added Google Messager Bridge (#2794) * intial commit * changed * Reorderd * merge old changes * added changes to matrix_servers * Remove duplicate discord * Update main.yml * added google message to configuring-playbook.md * Changed docs to add new changes * Changed bug? * Removed problem j2 values * Rename a service files * change how password hash string * Changed port number * Change how the local part works * Revert "Merge pull request #8 from shreyasajj/wsproxy" This reverts commit bb1b8fc67ca39f63ca77e70077be99cb2b32c4de, reversing changes made to cce6ba5f9d74f89172488afc8b1ef124031de8c1. --------- Co-authored-by: Shreyas Ajjarapu --- README.md | 1 + ...uring-playbook-bridge-mautrix-gmessages.md | 38 +++ docs/configuring-playbook.md | 2 + docs/container-images.md | 2 + docs/self-building.md | 1 + group_vars/matrix_servers | 63 +++- .../defaults/main.yml | 151 +++++++++ .../tasks/inject_into_nginx_proxy.yml | 35 ++ .../tasks/main.yml | 29 ++ .../tasks/setup_install.yml | 140 ++++++++ .../tasks/setup_uninstall.yml | 20 ++ .../tasks/validate_config.yml | 20 ++ .../templates/config.yaml.j2 | 298 ++++++++++++++++++ .../matrix-mautrix-gmessages.service.j2 | 43 +++ setup.yml | 1 + 15 files changed, 841 insertions(+), 3 deletions(-) create mode 100644 docs/configuring-playbook-bridge-mautrix-gmessages.md create mode 100644 roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml create mode 100644 roles/custom/matrix-bridge-mautrix-gmessages/tasks/inject_into_nginx_proxy.yml create mode 100644 roles/custom/matrix-bridge-mautrix-gmessages/tasks/main.yml create mode 100644 roles/custom/matrix-bridge-mautrix-gmessages/tasks/setup_install.yml create mode 100644 roles/custom/matrix-bridge-mautrix-gmessages/tasks/setup_uninstall.yml create mode 100644 roles/custom/matrix-bridge-mautrix-gmessages/tasks/validate_config.yml create mode 100644 
roles/custom/matrix-bridge-mautrix-gmessages/templates/config.yaml.j2 create mode 100644 roles/custom/matrix-bridge-mautrix-gmessages/templates/systemd/matrix-mautrix-gmessages.service.j2 diff --git a/README.md b/README.md index 912febc04..71d46f822 100644 --- a/README.md +++ b/README.md @@ -103,6 +103,7 @@ Bridges can be used to connect your matrix installation with third-party communi | [mautrix-discord](https://github.com/mautrix/discord) | x | Bridge for bridging your Matrix server to [Discord](https://discord.com/) | [Link](docs/configuring-playbook-bridge-mautrix-discord.md) | | [mautrix-slack](https://github.com/mautrix/slack) | x | Bridge for bridging your Matrix server to [Slack](https://slack.com/) | [Link](docs/configuring-playbook-bridge-mautrix-slack.md) | | [mautrix-telegram](https://github.com/mautrix/telegram) | x | Bridge for bridging your Matrix server to [Telegram](https://telegram.org/) | [Link](docs/configuring-playbook-bridge-mautrix-telegram.md) | +| [mautrix-gmessages](https://github.com/mautrix/gmessages) | x | Bridge for bridging your Matrix server to [Google Messages](https://messages.google.com/) | [Link](docs/configuring-playbook-bridge-mautrix-gmessages.md) | | [mautrix-whatsapp](https://github.com/mautrix/whatsapp) | x | Bridge for bridging your Matrix server to [WhatsApp](https://www.whatsapp.com/) | [Link](docs/configuring-playbook-bridge-mautrix-whatsapp.md) | | [mautrix-facebook](https://github.com/mautrix/facebook) | x | Bridge for bridging your Matrix server to [Facebook](https://facebook.com/) | [Link](docs/configuring-playbook-bridge-mautrix-facebook.md) | | [mautrix-twitter](https://github.com/mautrix/twitter) | x | Bridge for bridging your Matrix server to [Twitter](https://twitter.com/) | [Link](docs/configuring-playbook-bridge-mautrix-twitter.md) | diff --git a/docs/configuring-playbook-bridge-mautrix-gmessages.md b/docs/configuring-playbook-bridge-mautrix-gmessages.md new file mode 100644 index 000000000..6b2b18e61 
--- /dev/null +++ b/docs/configuring-playbook-bridge-mautrix-gmessages.md @@ -0,0 +1,38 @@ +# Setting up Mautrix gmessages (optional) + +The playbook can install and configure [mautrix-gmessages](https://github.com/mautrix/gmessages) for you. + +See the project's [documentation](https://docs.mau.fi/bridges/go/gmessages/index.html) to learn what it does and why it might be useful to you. + +Use the following playbook configuration: + +```yaml +matrix_mautrix_gmessages_enabled: true +``` + +## Set up Double Puppeting + +If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it. + +### Method 1: automatically, by enabling Shared Secret Auth + +The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook. + +This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future. + +### Method 2: manually, by asking each user to provide a working access token + +**Note**: This method for enabling Double Puppeting can be configured only after you've already set up bridging (see [Usage](#usage)). + +When using this method, **each user** that wishes to enable Double Puppeting needs to follow the following steps: + +- retrieve a Matrix access token for yourself. Refer to the documentation on [how to do that](obtaining-access-tokens.md). + +- send the access token to the bot. Example: `login-matrix MATRIX_ACCESS_TOKEN_HERE` + +- make sure you don't log out the `Mautrix-gmessages` device some time in the future, as that would break the Double Puppeting feature + + +## Usage + +You then need to start a chat with `@gmessagesbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain). 
diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 8f598f6bd..a4746a62c 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -114,6 +114,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Mautrix Slack bridging](configuring-playbook-bridge-mautrix-slack.md) (optional) +- [Setting up Mautrix Google Messages bridging](configuring-playbook-bridge-mautrix-gmessages.md) (optional) + - [Setting up Mautrix Whatsapp bridging](configuring-playbook-bridge-mautrix-whatsapp.md) (optional) - [Setting up Mautrix Facebook bridging](configuring-playbook-bridge-mautrix-facebook.md) (optional) diff --git a/docs/container-images.md b/docs/container-images.md index 737a44578..e89161f7e 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -46,6 +46,8 @@ These services are not part of our default installation, but can be enabled by [ - [mautrix/telegram](https://mau.dev/mautrix/telegram/container_registry) - the [mautrix-telegram](https://github.com/mautrix/telegram) bridge to [Telegram](https://telegram.org/) (optional) +- [mautrix/gmessages](https://mau.dev/mautrix/gmessages/container_registry) - the [mautrix-gmessages](https://github.com/mautrix/gmessages) bridge to [Google Messages](https://messages.google.com/) (optional) + - [mautrix/whatsapp](https://mau.dev/mautrix/whatsapp/container_registry) - the [mautrix-whatsapp](https://github.com/mautrix/whatsapp) bridge to [Whatsapp](https://www.whatsapp.com/) (optional) - [mautrix/facebook](https://mau.dev/mautrix/facebook/container_registry) - the [mautrix-facebook](https://github.com/mautrix/facebook) bridge to [Facebook](https://facebook.com/) (optional) diff --git a/docs/self-building.md b/docs/self-building.md index ad29fc2da..3fe826da1 100644 --- a/docs/self-building.md +++ b/docs/self-building.md 
@@ -32,6 +32,7 @@ Possibly outdated list of roles where self-building the Docker image is currentl - `matrix-bridge-mautrix-googlechat` - `matrix-bridge-mautrix-telegram` - `matrix-bridge-mautrix-signal` +- `matrix-bridge-mautrix-gmessages` - `matrix-bridge-mautrix-whatsapp` - `matrix-bridge-mx-puppet-steam` - `matrix-bot-mjolnir` diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 8d7197f15..5fc5c25d8 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -101,6 +101,8 @@ matrix_homeserver_container_extra_arguments_auto: | + (['--mount type=bind,src=' + matrix_mautrix_twitter_config_path + '/registration.yaml,dst=/matrix-mautrix-twitter-registration.yaml,ro'] if matrix_mautrix_twitter_enabled else []) + + (['--mount type=bind,src=' + matrix_mautrix_gmessages_config_path + '/registration.yaml,dst=/matrix-mautrix-gmessages-registration.yaml,ro'] if matrix_mautrix_gmessages_enabled else []) + + (['--mount type=bind,src=' + matrix_mautrix_whatsapp_config_path + '/registration.yaml,dst=/matrix-mautrix-whatsapp-registration.yaml,ro'] if matrix_mautrix_whatsapp_enabled else []) + (['--mount type=bind,src=' + matrix_mx_puppet_discord_config_path + '/registration.yaml,dst=/matrix-mx-puppet-discord-registration.yaml,ro'] if matrix_mx_puppet_discord_enabled else []) @@ -158,6 +160,8 @@ matrix_homeserver_app_service_config_files_auto: | + (['/matrix-mautrix-twitter-registration.yaml'] if matrix_mautrix_twitter_enabled else []) + + (['/matrix-mautrix-gmessages-registration.yaml'] if matrix_mautrix_gmessages_enabled else []) + + (['/matrix-mautrix-whatsapp-registration.yaml'] if matrix_mautrix_whatsapp_enabled else []) + (['/matrix-mx-puppet-discord-registration.yaml'] if matrix_mx_puppet_discord_enabled else []) 
@@ -270,6 +274,8 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-mautrix-twitter.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-twitter']}] if matrix_mautrix_twitter_enabled else []) + + ([{'name': 'matrix-mautrix-gmessages.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-gmessages']}] if matrix_mautrix_gmessages_enabled else []) + + ([{'name': 'matrix-mautrix-whatsapp.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-whatsapp']}] if matrix_mautrix_whatsapp_enabled else []) + ([{'name': 'matrix-mx-puppet-discord.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mx-puppet-discord']}] if matrix_mx_puppet_discord_enabled else []) 
@@ -1153,6 +1159,51 @@ matrix_mautrix_twitter_database_password: "{{ '%s' | format(matrix_homeserver_ge # ###################################################################### +###################################################################### +# +# matrix-bridge-mautrix-gmessages +# +###################################################################### + +# We don't enable bridges by default. +matrix_mautrix_gmessages_enabled: false + +matrix_mautrix_gmessages_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" + +matrix_mautrix_gmessages_systemd_required_services_list: | + {{ + ['docker.service'] + + + ['matrix-' + matrix_homeserver_implementation + '.service'] + + + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + }} + +matrix_mautrix_gmessages_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gmessage.as.token', rounds=655555) | to_uuid }}" + +matrix_mautrix_gmessages_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gmessage.hs.token', rounds=655555) | to_uuid }}" + +matrix_mautrix_gmessages_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" + +# People using an external Prometheus server will need to toggle all of these to be able to consume metrics remotely: +# - `matrix_mautrix_gmessages_metrics_enabled` +# - `matrix_mautrix_gmessages_proxying_metrics_enabled` +# - `matrix_nginx_proxy_proxy_matrix_metrics_enabled` +matrix_mautrix_gmessages_metrics_enabled: "{{ prometheus_enabled }}" + +# Postgres is the default, except if not using internal Postgres server +matrix_mautrix_gmessages_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" 
+matrix_mautrix_gmessages_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_mautrix_gmessages_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maugmessages.db', rounds=655555) | to_uuid }}" + +###################################################################### +# +# /matrix-bridge-mautrix-gmessages +# +###################################################################### + ###################################################################### # # matrix-bridge-mautrix-whatsapp @@ -1182,10 +1233,10 @@ matrix_mautrix_whatsapp_homeserver_token: "{{ '%s' | format(matrix_homeserver_ge matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # People using an external Prometheus server will need to toggle all of these to be able to consume metrics remotely: -# - `matrix_mautrix_twitter_metrics_enabled` -# - `matrix_mautrix_twitter_proxying_metrics_enabled` +# - `matrix_mautrix_whatsapp_metrics_enabled` +# - `matrix_mautrix_whatsapp_proxying_metrics_enabled` # - `matrix_nginx_proxy_proxy_matrix_metrics_enabled` -matrix_mautrix_twitter_metrics_enabled: "{{ prometheus_enabled }}" +matrix_mautrix_whatsapp_metrics_enabled: "{{ prometheus_enabled }}" # Postgres is the default, except if not using internal Postgres server matrix_mautrix_whatsapp_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" 
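Review bot: In the gmessages block of the `@@ -1153,6 +1159,51 @@` hunk the derivation salts `gmessage.as.token`, `gmessage.hs.token` and `maugmessages.db` do not follow the role's `gmessages` naming. Because they are inputs to `password_hash('sha512', ...) | to_uuid`, changing them later would rotate the appservice token, homeserver token and database password of every existing install and break the registration, so the spelling should be settled before this merges (e.g. `'gmessages.as.token'`, `'gmessages.hs.token'`, `'maugmessages.db'` kept or aligned deliberately). The rest of the block mirrors the twitter/whatsapp sections and looks consistent.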
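Review bot: The `@@ -1182,10 +1233,10 @@` hunk silently fixes a pre-existing bug in the mautrix-whatsapp section (the metrics variable was `matrix_mautrix_twitter_metrics_enabled`, now `matrix_mautrix_whatsapp_metrics_enabled`), which is unrelated to adding gmessages and is mentioned neither in the subject nor in the squashed PR bullets. Presumably this turns whatsapp metrics on for every deployment with `prometheus_enabled` that relied on the role default, so it deserves its own commit or at least a changelog entry so operators understand the new scrape target.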
@@ -3016,6 +3067,12 @@ devture_postgres_managed_databases_auto: | 'password': matrix_mautrix_twitter_database_password, }] if (matrix_mautrix_twitter_enabled and matrix_mautrix_twitter_database_engine == 'postgres' and matrix_mautrix_twitter_database_hostname == devture_postgres_connection_hostname) else []) + + ([{ + 'name': matrix_mautrix_gmessages_database_name, + 'username': matrix_mautrix_gmessages_database_username, + 'password': matrix_mautrix_gmessages_database_password, + }] if (matrix_mautrix_gmessages_enabled and matrix_mautrix_gmessages_database_engine == 'postgres' and matrix_mautrix_gmessages_database_hostname == devture_postgres_connection_hostname) else []) + + ([{ 'name': matrix_mautrix_whatsapp_database_name, 'username': matrix_mautrix_whatsapp_database_username, diff --git a/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml new file mode 100644 index 000000000..6a6c14b0a --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml 
@@ -0,0 +1,151 @@ +--- +# mautrix-gmessages is a Matrix <-> gmessages bridge +# Project source code URL: https://github.com/mautrix/gmessages + +matrix_mautrix_gmessages_enabled: true + +matrix_mautrix_gmessages_container_image_self_build: false +matrix_mautrix_gmessages_container_image_self_build_repo: "https://github.com/mautrix/gmessages.git" +matrix_mautrix_gmessages_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_gmessages_version == 'latest' else matrix_mautrix_gmessages_version }}" + +matrix_mautrix_gmessages_version: latest +# See: https://mau.dev/mautrix/gmessages/container_registry +matrix_mautrix_gmessages_docker_image: "{{ matrix_mautrix_gmessages_docker_image_name_prefix }}mautrix/gmessages:{{ matrix_mautrix_gmessages_version }}" +matrix_mautrix_gmessages_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_gmessages_container_image_self_build else 'dock.mau.dev/' }}" +matrix_mautrix_gmessages_docker_image_force_pull: "{{ matrix_mautrix_gmessages_docker_image.endswith(':latest') }}" + +matrix_mautrix_gmessages_base_path: "{{ matrix_base_data_path }}/mautrix-gmessages" +matrix_mautrix_gmessages_config_path: "{{ matrix_mautrix_gmessages_base_path }}/config" +matrix_mautrix_gmessages_data_path: "{{ matrix_mautrix_gmessages_base_path }}/data" +matrix_mautrix_gmessages_docker_src_files_path: "{{ matrix_mautrix_gmessages_base_path }}/docker-src" + +matrix_mautrix_gmessages_homeserver_address: "{{ matrix_homeserver_container_url }}" +matrix_mautrix_gmessages_homeserver_domain: "{{ matrix_domain }}" +matrix_mautrix_gmessages_appservice_address: "http://matrix-mautrix-gmessages:8080" + +matrix_mautrix_gmessages_command_prefix: "!gm" + +# A list of extra arguments to pass to the container +matrix_mautrix_gmessages_container_extra_arguments: [] + +# List of systemd services that matrix-mautrix-gmessages.service depends on. 
+matrix_mautrix_gmessages_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-mautrix-gmessages.service wants +matrix_mautrix_gmessages_systemd_wanted_services_list: [] + +matrix_mautrix_gmessages_appservice_token: '' +matrix_mautrix_gmessages_homeserver_token: '' + +matrix_mautrix_gmessages_appservice_bot_username: gmessagesbot + +# Minimum severity of journal log messages. +# Options: debug, info, warn, error, fatal +matrix_mautrix_gmessages_logging_level: 'warn' + +# Whether or not created rooms should have federation enabled. +# If false, created portal rooms will never be federated. +matrix_mautrix_gmessages_federate_rooms: true + +# Whether or not metrics endpoint should be enabled. +# Enabling them is usually enough for a local (in-container) Prometheus to consume them. +# If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_mautrix_gmessages_metrics_proxying_enabled`. +matrix_mautrix_gmessages_metrics_enabled: false + +# Controls whether metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/mautrix-gmessages`. +# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`. +# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. +matrix_mautrix_gmessages_metrics_proxying_enabled: false + +# Database-related configuration fields. +# +# To use SQLite, stick to these defaults. 
+# +# To use Postgres: +# - change the engine (`matrix_mautrix_gmessages_database_engine: 'postgres'`) +# - adjust your database credentials via the `matrix_mautrix_gmessages_database_*` variables +matrix_mautrix_gmessages_database_engine: 'sqlite' + +matrix_mautrix_gmessages_sqlite_database_path_local: "{{ matrix_mautrix_gmessages_data_path }}/mautrix-gmessages.db" +matrix_mautrix_gmessages_sqlite_database_path_in_container: "/data/mautrix-gmessages.db" + +matrix_mautrix_gmessages_database_username: 'matrix_mautrix_gmessages' +matrix_mautrix_gmessages_database_password: 'some-password' +matrix_mautrix_gmessages_database_hostname: '' +matrix_mautrix_gmessages_database_port: 5432 +matrix_mautrix_gmessages_database_name: 'matrix_mautrix_gmessages' + +matrix_mautrix_gmessages_database_connection_string: 'postgresql://{{ matrix_mautrix_gmessages_database_username }}:{{ matrix_mautrix_gmessages_database_password }}@{{ matrix_mautrix_gmessages_database_hostname }}:{{ matrix_mautrix_gmessages_database_port }}/{{ matrix_mautrix_gmessages_database_name }}?sslmode=disable' + +matrix_mautrix_gmessages_appservice_database_type: "{{ + { + 'sqlite': 'sqlite3', + 'postgres':'postgres', + }[matrix_mautrix_gmessages_database_engine] +}}" + +matrix_mautrix_gmessages_appservice_database_uri: "{{ + { + 'sqlite': matrix_mautrix_gmessages_sqlite_database_path_in_container, + 'postgres': matrix_mautrix_gmessages_database_connection_string, + }[matrix_mautrix_gmessages_database_engine] +}}" + +# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). 
+matrix_mautrix_gmessages_login_shared_secret: '' +matrix_mautrix_gmessages_bridge_login_shared_secret_map: + "{{ {matrix_mautrix_gmessages_homeserver_domain: matrix_mautrix_gmessages_login_shared_secret} if matrix_mautrix_gmessages_login_shared_secret else {} }}" + +# Enable End-to-bridge encryption +matrix_mautrix_gmessages_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}" +matrix_mautrix_gmessages_bridge_encryption_default: "{{ matrix_mautrix_gmessages_bridge_encryption_allow }}" +matrix_mautrix_gmessages_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_gmessages_bridge_encryption_allow }}" + +matrix_mautrix_gmessages_bridge_personal_filtering_spaces: true +matrix_mautrix_gmessages_bridge_mute_bridging: true + +matrix_mautrix_gmessages_bridge_permissions: | + {{ + {matrix_mautrix_gmessages_homeserver_domain: 'user'} + | combine({matrix_admin: 'admin'} if matrix_admin else {}) + }} + +# Default mautrix-gmessages configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_mautrix_gmessages_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_mautrix_gmessages_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" + +matrix_mautrix_gmessages_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_mautrix_gmessages_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_mautrix_gmessages_configuration_yaml`. 
+ +matrix_mautrix_gmessages_configuration_extension: "{{ matrix_mautrix_gmessages_configuration_extension_yaml | from_yaml if matrix_mautrix_gmessages_configuration_extension_yaml | from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_mautrix_gmessages_configuration_yaml`. +matrix_mautrix_gmessages_configuration: "{{ matrix_mautrix_gmessages_configuration_yaml | from_yaml | combine(matrix_mautrix_gmessages_configuration_extension, recursive=True) }}" + +matrix_mautrix_gmessages_registration_yaml: | + id: gmessages + url: {{ matrix_mautrix_gmessages_appservice_address }} + as_token: "{{ matrix_mautrix_gmessages_appservice_token }}" + hs_token: "{{ matrix_mautrix_gmessages_homeserver_token }}" + # See https://github.com/mautrix/signal/issues/43 + sender_localpart: _bot_{{ matrix_mautrix_gmessages_appservice_bot_username }} + rate_limited: false + namespaces: + users: + - regex: '^@gmessages_.+:{{ matrix_mautrix_gmessages_homeserver_domain | regex_escape }}$' + exclusive: true + - exclusive: true + regex: '^@{{ matrix_mautrix_gmessages_appservice_bot_username | regex_escape }}:{{ matrix_mautrix_gmessages_homeserver_domain | regex_escape }}$' + de.sorunome.msc2409.push_ephemeral: true + +matrix_mautrix_gmessages_registration: "{{ matrix_mautrix_gmessages_registration_yaml | from_yaml }}" diff --git a/roles/custom/matrix-bridge-mautrix-gmessages/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/inject_into_nginx_proxy.yml new file mode 100644 index 000000000..c5cb1ba8a --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/inject_into_nginx_proxy.yml 
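Review bot: `matrix_mautrix_gmessages_database_connection_string` interpolates the username and password straight into the `postgresql://` URI, so a password containing `@`, `/`, `:` or `%` yields a malformed DSN that the bridge will fail to parse or, worse, parse as a different host; rendering them as `{{ matrix_mautrix_gmessages_database_username | urlencode }}:{{ matrix_mautrix_gmessages_database_password | urlencode }}@` avoids that. The playbook-generated password in the group_vars hunk above goes through `to_uuid` and is therefore safe, so this only affects operators who supply their own credentials, but the defaults file is exactly where they do so. Separately, the comment on `matrix_mautrix_gmessages_metrics_proxying_enabled` reads "This will only work take effect if"; it should say "This will only take effect if".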
@@ -0,0 +1,35 @@ +--- + +- name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append mautrix-gmessages-metrics's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-gmessages role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + +- when: matrix_mautrix_gmessages_metrics_proxying_enabled | bool + block: + - name: Generate mautrix-gmessages metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-gmessages) + ansible.builtin.set_fact: + matrix_mautrix_gmessages_nginx_metrics_configuration_block: | + location /metrics/mautrix-gmessages { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mautrix-gmessages:8001"; + proxy_pass http://$backend/metrics; + {% else %} + return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable"; + {% endif %} + } + + - name: Register mautrix-gmessages metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-gmessages) + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([]) + + + [matrix_mautrix_gmessages_nginx_metrics_configuration_block] + }} diff --git a/roles/custom/matrix-bridge-mautrix-gmessages/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/main.yml new file mode 100644 index 000000000..45da31da8 --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/main.yml 
@@ -0,0 +1,29 @@ +--- + +- tags: + - setup-all + - setup-nginx-proxy + - install-all + - install-nginx-proxy + block: + - when: matrix_mautrix_gmessages_enabled | bool and matrix_mautrix_gmessages_metrics_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" + +- tags: + - setup-all + - setup-mautrix-gmessages + - install-all + - install-mautrix-gmessages + block: + - when: matrix_mautrix_gmessages_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_mautrix_gmessages_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + +- tags: + - setup-all + - setup-mautrix-gmessages + block: + - when: not matrix_mautrix_gmessages_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-mautrix-gmessages/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/setup_install.yml new file mode 100644 index 000000000..73038c4c1 --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/setup_install.yml 
@@ -0,0 +1,140 @@ +--- + +- ansible.builtin.set_fact: + matrix_mautrix_gmessages_requires_restart: false + +- when: "matrix_mautrix_gmessages_database_engine == 'postgres'" + block: + - name: Check if an SQLite database already exists + ansible.builtin.stat: + path: "{{ matrix_mautrix_gmessages_sqlite_database_path_local }}" + register: matrix_mautrix_gmessages_sqlite_database_path_local_stat_result + + - when: "matrix_mautrix_gmessages_sqlite_database_path_local_stat_result.stat.exists | bool" + block: + - ansible.builtin.include_role: + name: galaxy/com.devture.ansible.role.postgres + tasks_from: migrate_db_to_postgres + vars: + devture_postgres_db_migration_request: + src: "{{ matrix_mautrix_gmessages_sqlite_database_path_local }}" + dst: "{{ matrix_mautrix_gmessages_database_connection_string }}" + caller: "{{ role_path | basename }}" + engine_variable_name: 'matrix_mautrix_gmessages_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-mautrix-gmessages.service'] + pgloader_options: ['--with "quote identifiers"'] + + - ansible.builtin.set_fact: + matrix_mautrix_gmessages_requires_restart: true + +- name: Ensure Mautrix gmessages paths exists + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {path: "{{ matrix_mautrix_gmessages_base_path }}", when: true} + - {path: "{{ matrix_mautrix_gmessages_config_path }}", when: true} + - {path: "{{ matrix_mautrix_gmessages_data_path }}", when: true} + - {path: "{{ matrix_mautrix_gmessages_docker_src_files_path }}", when: "{{ matrix_mautrix_gmessages_container_image_self_build }}"} + when: item.when | bool + +- name: Ensure Mautrix gmessages image is pulled + community.docker.docker_image: + name: "{{ matrix_mautrix_gmessages_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ 
matrix_mautrix_gmessages_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_gmessages_docker_image_force_pull }}" + when: not matrix_mautrix_gmessages_container_image_self_build + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- name: Ensure Mautrix gmessages repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_mautrix_gmessages_container_image_self_build_repo }}" + dest: "{{ matrix_mautrix_gmessages_docker_src_files_path }}" + version: "{{ matrix_mautrix_gmessages_container_image_self_build_branch }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_mautrix_gmessages_git_pull_results + when: "matrix_mautrix_gmessages_container_image_self_build | bool" + +- name: Ensure Mautrix gmessages Docker image is built + community.docker.docker_image: + name: "{{ matrix_mautrix_gmessages_docker_image }}" + source: build + force_source: "{{ matrix_mautrix_gmessages_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_gmessages_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_mautrix_gmessages_docker_src_files_path }}" + pull: true + when: "matrix_mautrix_gmessages_container_image_self_build | bool" + +- name: Check if an old database file exists + ansible.builtin.stat: + path: "{{ matrix_mautrix_gmessages_base_path }}/mautrix-gmessages.db" + register: matrix_mautrix_gmessages_stat_database + +- name: Check if an old matrix state file exists + ansible.builtin.stat: + path: "{{ matrix_mautrix_gmessages_base_path }}/mx-state.json" + register: 
matrix_mautrix_gmessages_stat_mx_state + +- name: (Data relocation) Ensure matrix-mautrix-gmessages.service is stopped + ansible.builtin.service: + name: matrix-mautrix-gmessages + state: stopped + enabled: false + daemon_reload: true + failed_when: false + when: "matrix_mautrix_gmessages_stat_database.stat.exists" + +- name: (Data relocation) Move mautrix-gmessages database file to ./data directory + ansible.builtin.command: + cmd: "mv {{ matrix_mautrix_gmessages_base_path }}/mautrix-gmessages.db {{ matrix_mautrix_gmessages_data_path }}/mautrix-gmessages.db" + creates: "{{ matrix_mautrix_gmessages_data_path }}/mautrix-gmessages.db" + removes: "{{ matrix_mautrix_gmessages_base_path }}/mautrix-gmessages.db" + when: "matrix_mautrix_gmessages_stat_database.stat.exists" + +- name: (Data relocation) Move mautrix-gmessages mx-state file to ./data directory + ansible.builtin.command: + cmd: "mv {{ matrix_mautrix_gmessages_base_path }}/mx-state.json {{ matrix_mautrix_gmessages_data_path }}/mx-state.json" + creates: "{{ matrix_mautrix_gmessages_data_path }}/mx-state.json" + removes: "{{ matrix_mautrix_gmessages_base_path }}/mx-state.json" + when: "matrix_mautrix_gmessages_stat_mx_state.stat.exists" + +- name: Ensure mautrix-gmessages config.yaml installed + ansible.builtin.copy: + content: "{{ matrix_mautrix_gmessages_configuration | to_nice_yaml(indent=2, width=999999) }}" + dest: "{{ matrix_mautrix_gmessages_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure mautrix-gmessages registration.yaml installed + ansible.builtin.copy: + content: "{{ matrix_mautrix_gmessages_registration | to_nice_yaml(indent=2, width=999999) }}" + dest: "{{ matrix_mautrix_gmessages_config_path }}/registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-mautrix-gmessages.service installed + ansible.builtin.template: + src: "{{ role_path 
}}/templates/systemd/matrix-mautrix-gmessages.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-gmessages.service" + mode: 0644 + +- name: Ensure matrix-mautrix-gmessages.service restarted, if necessary + ansible.builtin.service: + name: "matrix-mautrix-gmessages.service" + state: restarted + daemon_reload: true + when: "matrix_mautrix_gmessages_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-mautrix-gmessages/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/setup_uninstall.yml new file mode 100644 index 000000000..e324a523e --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/setup_uninstall.yml @@ -0,0 +1,20 @@ +--- + +- name: Check existence of matrix-mautrix-gmessages service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-gmessages.service" + register: matrix_mautrix_gmessages_service_stat + +- when: matrix_mautrix_gmessages_service_stat.stat.exists | bool + block: + - name: Ensure matrix-mautrix-gmessages is stopped + ansible.builtin.service: + name: matrix-mautrix-gmessages + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure matrix-mautrix-gmessages.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-gmessages.service" + state: absent diff --git a/roles/custom/matrix-bridge-mautrix-gmessages/tasks/validate_config.yml b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/validate_config.yml new file mode 100644 index 000000000..acfffa75e --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/validate_config.yml 
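Review bot: `config.yaml` and `registration.yaml` are both installed with `mode: 0644`, yet each carries `as_token` and `hs_token`, and config.yaml additionally embeds the Postgres password inside `uri`, so any local account on the host can read the appservice credentials. The files are owned by `matrix_user_username`, and the systemd unit in this same commit runs the container as `matrix_user_uid:matrix_user_gid`, so `mode: 0640` on both copy tasks is sufficient for the bridge to read them. This likely mirrors the other bridge roles in the playbook; if so, it is a cross-role tightening rather than something specific to gmessages, but a new role is the natural place to start.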
@@ -0,0 +1,20 @@ +--- + +- name: Fail if required mautrix-gmessages settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" + with_items: + - {'name': 'matrix_mautrix_gmessages_appservice_token', when: true} + - {'name': 'matrix_mautrix_gmessages_homeserver_token', when: true} + - {'name': 'matrix_mautrix_gmessages_database_hostname', when: "{{ matrix_mautrix_gmessages_database_engine == 'postgres' }}"} + +- name: (Deprecation) Catch and report renamed settings + ansible.builtin.fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_mautrix_gmessages_log_level', 'new': 'matrix_mautrix_gmessages_logging_level'} diff --git a/roles/custom/matrix-bridge-mautrix-gmessages/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-gmessages/templates/config.yaml.j2 new file mode 100644 index 000000000..a17f6cd1e --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-gmessages/templates/config.yaml.j2 
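Review bot: When `matrix_mautrix_gmessages_database_engine` is `postgres`, only the hostname is validated; the role default leaves `matrix_mautrix_gmessages_database_password` at the literal `'some-password'`, and nothing here rejects it, so an operator who switches the engine in their own vars without setting credentials deploys a bridge that connects with a guessable password. The existing `== ''` check will not catch the placeholder, so a dedicated task along the lines of `when: "matrix_mautrix_gmessages_database_engine == 'postgres' and matrix_mautrix_gmessages_database_password == 'some-password'"` with a message pointing at `matrix_mautrix_gmessages_database_password` would close that gap. The playbook-level group_vars do derive a password, so this mainly protects users running the role standalone.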
@@ -0,0 +1,298 @@ +#jinja2: lstrip_blocks: "True" +# Homeserver details. +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: {{ matrix_mautrix_gmessages_homeserver_address }} + # The domain of the homeserver (also known as server_name, used for MXIDs, etc). + domain: {{ matrix_mautrix_gmessages_homeserver_domain }} + + # What software is the homeserver running? + # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here. + software: standard + # The URL to push real-time bridge status to. + # If set, the bridge will make POST requests to this URL whenever a user's google messages connection state changes. + # The bridge will use the appservice as_token to authorize requests. + status_endpoint: null + # Endpoint for reporting per-message status. + message_send_checkpoint_endpoint: null + # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246? + async_media: false + + # Should the bridge use a websocket for connecting to the homeserver? + # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy, + # mautrix-asmux (deprecated), and hungryserv (proprietary). + websocket: false + # How often should the websocket be pinged? Pinging will be disabled if this is zero. + ping_interval_seconds: 0 + +# Application service host/registration related details. +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: {{ matrix_mautrix_gmessages_appservice_address }} + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 8080 + + # Database config. + database: + # The database type. "sqlite3-fk-wal" and "postgres" are supported. + type: postgres + # The database URI. + # SQLite: A raw file path is supported, but `file:?_txlock=immediate` is recommended. 
+ # https://github.com/mattn/go-sqlite3#connection-string + # Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable + # To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql + uri: {{ matrix_mautrix_gmessages_appservice_database_uri|to_json }} + # Maximum number of connections. Mostly relevant for Postgres. + max_open_conns: 20 + max_idle_conns: 2 + # Maximum connection idle time and lifetime before they're closed. Disabled if null. + # Parsed with https://pkg.go.dev/time#ParseDuration + max_conn_idle_time: null + max_conn_lifetime: null + + # The unique ID of this appservice. + id: gmessages + # Appservice bot details. + bot: + # Username of the appservice bot. + username: {{ matrix_mautrix_gmessages_appservice_bot_username|to_json }} + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + displayname: Google Messages bridge bot + avatar: mxc://maunium.net/yGOdcrJcwqARZqdzbfuxfhzb + + # Whether or not to receive ephemeral events via appservice transactions. + # Requires MSC2409 support (i.e. Synapse 1.22+). + ephemeral_events: true + + # Should incoming events be handled asynchronously? + # This may be necessary for large public instances with lots of messages going through. + # However, messages will not be guaranteed to be bridged in the same order they were sent in. + async_transactions: false + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. + as_token: "{{ matrix_mautrix_gmessages_appservice_token }}" + hs_token: "{{ matrix_mautrix_gmessages_homeserver_token }}" + +# Segment API key to track some events, like provisioning API login and encryption errors. +segment_key: null +# Optional user_id to use when sending Segment events. If null, defaults to using mxID. +segment_user_id: null + +# Prometheus config. +metrics: + # Enable prometheus metrics? 
+ enabled: {{ matrix_mautrix_gmessages_metrics_enabled | to_json }} + # IP and port where the metrics listener should be. The path is always /metrics + listen: 127.0.0.1:8001 + +google_messages: + # OS name to tell the phone. This is the name that shows up in the paired devices list. + os: mautrix-gmessages + # Browser type to tell the phone. This decides which icon is shown. + # Valid types: OTHER, CHROME, FIREFOX, SAFARI, OPERA, IE, EDGE + browser: OTHER + + # Should the bridge aggressively set itself as the active device if the user opens Google Messages in a browser? + # If this is disabled, the user must manually use the `reconnect` command to reactivate the bridge. + aggressive_reconnect: false + +# Bridge config +bridge: + # Localpart template of MXIDs for SMS users. + # {{ '{{.}}' }} is replaced with an identifier of the recipient. + username_template: "{{ 'gmessages_{{.}}' }}" + # Displayname template for SMS users. + # {{ '{{.FullName}}' }} - Full name provided by the phone + # {{ '{{.FirstName}}' }} - First name provided by the phone + # {{ '{{.PhoneNumber}}' }} - Formatted phone number provided by the phone + displayname_template: "{{ '{{or .FullName .PhoneNumber}}' }}" + # Should the bridge create a space for each logged-in user and add bridged rooms to it? + personal_filtering_spaces: {{ matrix_mautrix_gmessages_bridge_personal_filtering_spaces | to_json }} + # Should the bridge send a read receipt from the bridge bot when a message has been sent to the phone? + delivery_receipts: false + # Whether the bridge should send the message status as a custom com.beeper.message_send_status event. + message_status_events: false + # Whether the bridge should send error notices via m.notice events when a message fails to bridge. + message_error_notices: true + + portal_message_buffer: 128 + + # Should the bridge update the m.direct account data event when double puppeting is enabled. 
+ # Note that updating the m.direct event is not atomic (except with mautrix-asmux) + # and is therefore prone to race conditions. + sync_direct_chat_list: false + # Number of chats to sync when connecting to Google Messages. + initial_chat_sync_count: 25 + # Backfill settings + backfill: + # Number of messages to backfill in new chats. + initial_limit: 50 + # Number of messages to backfill on startup if the last message ID in the chat sync doesn't match the last bridged message. + missed_limit: 100 + + # Servers to always allow double puppeting from + double_puppet_server_map: + "{{ matrix_mautrix_gmessages_homeserver_domain }}": {{ matrix_mautrix_gmessages_homeserver_address }} + # Allow using double puppeting from any server with a valid client .well-known file. + double_puppet_allow_discovery: false + # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, double puppeting will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. + login_shared_secret_map: {{ matrix_mautrix_gmessages_bridge_login_shared_secret_map|to_json }} + + # Whether to explicitly set the avatar and room name for private chat portal rooms. + # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms. + # If set to `always`, all DM rooms will have explicit names and avatars set. + # If set to `never`, DM rooms will never have names and avatars set. + private_chat_portal_meta: default + # Should Matrix m.notice-type messages be bridged? + bridge_notices: true + # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run. + # This field will automatically be changed back to false after it, except if the config file is not writable. + resend_bridge_info: false + # When using double puppeting, should muted chats be muted in Matrix? 
+ mute_bridging: {{ matrix_mautrix_gmessages_bridge_mute_bridging | to_json }} + # When using double puppeting, should archived chats be moved to a specific tag in Matrix? + # This can be set to a tag (e.g. m.lowpriority), or null to disable. + archive_tag: null + # Same as above, but for pinned chats. The favorite tag is called m.favourite + pinned_tag: null + # Should mute status and tags only be bridged when the portal room is created? + tag_only_on_create: true + # Whether or not created rooms should have federation enabled. + # If false, created portal rooms will never be federated. + federate_rooms: {{ matrix_mautrix_gmessages_federate_rooms|to_json }} + # Should the bridge never send alerts to the bridge management room? + # These are mostly things like the user being logged out. + disable_bridge_alerts: false + # Send captions in the same message as images. This will send data compatible with both MSC2530 and MSC3552. + # This is currently not supported in most clients. + caption_in_message: false + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!gm" + + # Messages sent upon joining a management room. + # Markdown is supported. The defaults are listed below. + management_room_text: + # Sent when joining a room. + welcome: "Hello, I'm a Google Messages bridge bot." + # Sent when joining a management room and the user is already logged in. + welcome_connected: "Use `help` for help." + # Sent when joining a management room and the user is not logged in. + welcome_unconnected: "Use `help` for help or `login` to log in." + # Optional extra text sent when joining a management room. + additional_help: "" + + # End-to-bridge encryption support options. + # + # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info. 
+ encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: {{ matrix_mautrix_gmessages_bridge_encryption_allow|to_json }} + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: {{ matrix_mautrix_gmessages_bridge_encryption_default|to_json }} + # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data. + appservice: false + # Require encryption, drop any unencrypted messages. + require: false + # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. + # You must use a client that supports requesting keys from other users to use this feature. + allow_key_sharing: {{ matrix_mautrix_gmessages_bridge_encryption_key_sharing_allow|to_json }} + # Options for deleting megolm sessions from the bridge. + delete_keys: + # Beeper-specific: delete outbound sessions when hungryserv confirms + # that the user has uploaded the key to key backup. + delete_outbound_on_ack: false + # Don't store outbound sessions in the inbound table. + dont_store_outbound: false + # Ratchet megolm sessions forward after decrypting messages. + ratchet_on_decrypt: false + # Delete fully used keys (index >= max_messages) after decrypting messages. + delete_fully_used_on_decrypt: false + # Delete previous megolm sessions from same device when receiving a new one. + delete_prev_on_new_session: false + # Delete megolm sessions received from a device when the device is deleted. + delete_on_device_delete: false + # Periodically delete megolm sessions when 2x max_age has passed since receiving the session. + periodically_delete_expired: false + # Delete inbound megolm sessions that don't have the received_at field used for + # automatic ratcheting and expired session deletion. This is meant as a migration + # to delete old keys prior to the bridge update. 
+ delete_outdated_inbound: false + # What level of device verification should be required from users? + # + # Valid levels: + # unverified - Send keys to all device in the room. + # cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys. + # cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes). + # cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot. + # Note that creating user signatures from the bridge bot is not currently possible. + # verified - Require manual per-device verification + # (currently only possible by modifying the `trust` column in the `crypto_device` database table). + verification_levels: + # Minimum level for which the bridge should send keys to when bridging messages from SMS to Matrix. + receive: unverified + # Minimum level that the bridge should accept for incoming Matrix messages. + send: unverified + # Minimum level that the bridge should require for accepting key requests. + share: cross-signed-tofu + # Options for Megolm room key rotation. These options allow you to + # configure the m.room.encryption event content. See: + # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for + # more information about that event. + rotation: + # Enable custom Megolm room key rotation settings. Note that these + # settings will only apply to rooms created after this option is + # set. + enable_custom: false + # The maximum number of milliseconds a session should be used + # before changing it. The Matrix spec recommends 604800000 (a week) + # as the default. + milliseconds: 604800000 + # The maximum number of messages that should be sent with a given a + # session before changing it. The Matrix spec recommends 100 as the + # default. + messages: 100 + + # Disable rotating keys when a user's devices change? + # You should not enable this option unless you understand all the implications. 
+ disable_device_change_key_rotation: false + + # Settings for provisioning API + provisioning: + # Prefix for the provisioning API paths. + prefix: /_matrix/provision + # Shared secret for authentication. If set to "generate", a random secret will be generated, + # or if set to "disable", the provisioning API will be disabled. + shared_secret: generate + + # Permissions for using the bridge. + # Permitted values: + # user - Access to use the bridge to link their own Google Messages on android. + # admin - User level and some additional administration tools + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: {{ matrix_mautrix_gmessages_bridge_permissions|to_json }} + +# Logging config. See https://github.com/tulir/zeroconfig for details. +logging: + min_level: debug + writers: + - type: stdout + format: pretty-colored + - type: file + format: json + filename: ./logs/mautrix-gmessages.log + max_size: 100 + max_backups: 10 + compress: true diff --git a/roles/custom/matrix-bridge-mautrix-gmessages/templates/systemd/matrix-mautrix-gmessages.service.j2 b/roles/custom/matrix-bridge-mautrix-gmessages/templates/systemd/matrix-mautrix-gmessages.service.j2 new file mode 100644 index 000000000..fb34e95b9 --- /dev/null +++ b/roles/custom/matrix-bridge-mautrix-gmessages/templates/systemd/matrix-mautrix-gmessages.service.j2 
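Review bot: `database.type` is hardcoded to `postgres`, so the `matrix_mautrix_gmessages_appservice_database_type` mapping defined in the role defaults is never used, and the default `sqlite` engine pairs a plain file path in `uri` with the Postgres driver; the line should be `type: {{ matrix_mautrix_gmessages_appservice_database_type|to_json }}`. The same disconnect affects two more values: `command_prefix: "!gm"` ignores `matrix_mautrix_gmessages_command_prefix`, and `logging.min_level: debug` ignores `matrix_mautrix_gmessages_logging_level` (the very variable validate_config steers users toward), so they should become `command_prefix: {{ matrix_mautrix_gmessages_command_prefix|to_json }}` and `min_level: {{ matrix_mautrix_gmessages_logging_level|to_json }}`. The hardcoded debug level also means the `file` writer persists verbose JSON logs to `./logs/mautrix-gmessages.log` inside the data directory regardless of the operator's `warn` default, which for a messaging bridge is more operational detail kept on disk than intended.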
@@ -0,0 +1,43 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix Mautrix gmessages bridge
+{% for service in matrix_mautrix_gmessages_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_mautrix_gmessages_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-mautrix-gmessages 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-gmessages 2>/dev/null || true'
+
+# Intentional delay, so that the homeserver (we likely depend on) can manage to start.
+ExecStartPre={{ matrix_host_command_sleep }} 5
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-mautrix-gmessages \
+ --log-driver=none \
+ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+ --cap-drop=ALL \
+ --network={{ matrix_docker_network }} \
+ -v {{ matrix_mautrix_gmessages_config_path }}:/config:z \
+ -v {{ matrix_mautrix_gmessages_data_path }}:/data:z \
+ --workdir=/data \
+ {% for arg in matrix_mautrix_gmessages_container_extra_arguments %}
+ {{ arg }} \
+ {% endfor %}
+ {{ matrix_mautrix_gmessages_docker_image }} \
+ /usr/bin/mautrix-gmessages -c /config/config.yaml -r /config/registration.yaml
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-mautrix-gmessages 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-gmessages 2>/dev/null || true'
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-mautrix-gmessages
+
+[Install]
+WantedBy=multi-user.target diff --git a/setup.yml b/setup.yml index c7a6a3639..4da64ff4b 100644 --- a/setup.yml +++ b/setup.yml @@ -59,6 +59,7 @@ - custom/matrix-bridge-mautrix-instagram - custom/matrix-bridge-mautrix-signal - custom/matrix-bridge-mautrix-telegram + - custom/matrix-bridge-mautrix-gmessages - custom/matrix-bridge-mautrix-whatsapp - custom/matrix-bridge-mautrix-discord - custom/matrix-bridge-mautrix-slack From 0a81083e7dc5932146cc7c75a51e01d6eb49c13b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 21 Jul 2023 14:37:05 +0300 Subject: [PATCH 899/915] Announce mautrix-gmessages support Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2794 --- CHANGELOG.md | 6 ++++++ docs/configuring-playbook-bridge-mautrix-gmessages.md | 4 ++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c1870a273..950e38e4e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,9 @@ +# 2023-07-21 + +## mautrix-gmessages support + +Thanks to [Shreyas Ajjarapu](https://github.com/shreyasajj)'s efforts, the playbook now supports bridging to [Google Messages](https://messages.google.com/) via the [mautrix-gmessages](https://github.com/mautrix/gmessages) bridge. See our [Setting up Mautrix Google Messages bridging](docs/configuring-playbook-bridge-mautrix-gmessages.md) documentation page for getting started. + # 2023-07-17 ## matrix-media-repo support diff --git a/docs/configuring-playbook-bridge-mautrix-gmessages.md b/docs/configuring-playbook-bridge-mautrix-gmessages.md index 6b2b18e61..10981bf16 100644 --- a/docs/configuring-playbook-bridge-mautrix-gmessages.md +++ b/docs/configuring-playbook-bridge-mautrix-gmessages.md 
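Review bot: The `[Unit]` section orders this unit only after the required services; the second loop emits `Wants={{ service }}` without a matching `After=`, and since `Wants=` carries no ordering guarantee the bridge can be started before a wanted service is up. Adding `After={{ service }}` inside the wanted-services loop, mirroring the required-services loop above it, closes that gap. The rest of the unit (dropped capabilities, unprivileged `--user`, explicit `--network`) looks consistent with the other bridge units this playbook ships.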
@@ -1,6 +1,6 @@ # Setting up Mautrix gmessages (optional) -The playbook can install and configure [mautrix-gmessages](https://github.com/mautrix/gmessages) for you. +The playbook can install and configure [mautrix-gmessages](https://github.com/mautrix/gmessages) for you, for bridging to [Google Messages](https://messages.google.com/). See the project's [documentation](https://docs.mau.fi/bridges/go/gmessages/index.html) to learn what it does and why it might be useful to you. @@ -8,7 +8,7 @@ Use the following playbook configuration: ```yaml matrix_mautrix_gmessages_enabled: true -``` +``` ## Set up Double Puppeting From eea143e6eb8c87cfbd9e785081baad815969f40b Mon Sep 17 00:00:00 2001 From: ThellraAK Date: Fri, 21 Jul 2023 05:47:51 -0800 Subject: [PATCH 900/915] Shortened gmessages salt The salts need to be shorter than 16 chars --- group_vars/matrix_servers | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 5fc5c25d8..f1fbb6c37 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -1176,14 +1176,14 @@ matrix_mautrix_gmessages_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else [])gmessage.as.token + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_gmessages_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gmessage.as.token', rounds=655555) | to_uuid }}" +matrix_mautrix_gmessages_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gmessa.as.token', rounds=655555) | to_uuid }}" -matrix_mautrix_gmessages_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gmessage.hs.token', rounds=655555) | to_uuid }}" +matrix_mautrix_gmessages_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gmessa.hs.token', rounds=655555) | to_uuid }}" matrix_mautrix_gmessages_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" From 2153c310f76eedc9d715cd2c2fdec3a175ea7fa6 Mon Sep 17 00:00:00 2001 From: ThellraAK Date: Fri, 21 Jul 2023 05:49:52 -0800 Subject: [PATCH 901/915] Update matrix_servers --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index f1fbb6c37..0a30f217b 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
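Review bot: The shortened salts `gmessa.as.token` / `gmessa.hs.token` fix a real limit (the commit message notes that `password_hash('sha512')` salts must stay under 16 characters, which matches the crypt(3) SHA-512 salt cap), but nothing in the file records why the salt is truncated; a comment above the two token lines such as `# Salts passed to password_hash('sha512') are limited to 16 characters.` would keep the next bridge role from repeating the original `gmessage.*` mistake. The postgres service line in this same hunk has picked up a stray `gmessage.as.token` suffix (`... if devture_postgres_enabled else [])gmessage.as.token`), which makes the Jinja expression for `matrix_mautrix_gmessages_systemd_required_services_list` invalid; the following patch in the series removes it, so squashing the two would keep this history bisectable.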
@@ -1176,7 +1176,7 @@ matrix_mautrix_gmessages_systemd_required_services_list: | + ['matrix-' + matrix_homeserver_implementation + '.service'] + - ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else [])gmessage.as.token + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} From 856a328e96c679bc7d51760d00708d921a08cb17 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 24 Jul 2023 08:44:33 +0300 Subject: [PATCH 902/915] Upgrade prometheus-postgres-exporter (v0.13.1-0 -> v0.13.2-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index bac5fea32..91912c901 100644 --- a/requirements.yml +++ b/requirements.yml @@ -47,7 +47,7 @@ - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git version: v1.6.0-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git - version: v0.13.1-0 + version: v0.13.2-0 name: prometheus_postgres_exporter - src: git+https://gitlab.com/etke.cc/roles/redis.git version: v7.0.10-0 From 14f7eed9324b58f4acb264f0cab3b15bfd10ac07 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Mon, 24 Jul 2023 12:57:06 +0200 Subject: [PATCH 903/915] Update matrix-registration-bot, improve authentication config (#2723) * Adjust to new mrb docker versioning * Stabilze authentication * fix lint * Move & document mrb password usage * Add clean cache role * Document clean cache * Fix lint * Update CHANGELOG.md * Automate access tokens * Improve changelog * Make use of mrb's function to fetch API tokens * Adjust changelog * Use ansible.builtin.file to clear directory * Fix typo --------- Co-authored-by: Slavi Pantaleev --- CHANGELOG.md | 11 +++++ ...ng-playbook-bot-matrix-registration-bot.md | 47 +++++++++---------- group_vars/matrix_servers | 6 +++ .../defaults/main.yml | 22 +++++---- .../tasks/clean_cache.yml | 12 +++++ .../tasks/main.yml | 6 +++ .../tasks/setup_install.yml | 2 +- .../tasks/validate_config.yml | 9 +++- .../templates/config/config.yml.j2 | 6 ++- 9 files changed, 83 insertions(+), 38 deletions(-) create mode 100644 roles/custom/matrix-bot-matrix-registration-bot/tasks/clean_cache.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 950e38e4e..3db319afe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,14 @@ +# 2023-07-24 + +## matrix-registration-bot usage changed + +[matrix-registration-bot](docs/configuring-playbook-bot-matrix-registration-bot.md) got some updates and now supports password-only-based login. Therefore the bot now doesn't need any manual configuration except setting a password in your `vars.yml`. The bot will be registered as admin and access tokens will be obtained automatically by the bot. + +**For existing users** You need to set `matrix_bot_matrix_registration_bot_bot_password` if you previously only used `matrix_bot_matrix_registration_bot_bot_access_token`. Please also remove the following deprecated settings + +* `matrix_bot_matrix_registration_bot_bot_access_token` +* `matrix_bot_matrix_registration_bot_api_token` + # 2023-07-21 ## mautrix-gmessages support 
diff --git a/docs/configuring-playbook-bot-matrix-registration-bot.md b/docs/configuring-playbook-bot-matrix-registration-bot.md index b1e3fdc6c..f0bffc85c 100644 --- a/docs/configuring-playbook-bot-matrix-registration-bot.md +++ b/docs/configuring-playbook-bot-matrix-registration-bot.md 
@@ -2,40 +2,30 @@ The playbook can install and configure [matrix-registration-bot](https://github.com/moan0s/matrix-registration-bot) for you. -The bot allows you to easily **create and manage registration tokens**. It can be used for an invitation-based server, -where you invite someone by sending them a registration token. They can register as normal but have to provide a valid -registration token in a final step of the registration. +The bot allows you to easily **create and manage registration tokens** aka. invitation codes. +It can be used for an invitation-based server, +where you invite someone by sending them a registration token (loook like this: `rbalQ0zkaDSRQCOp`). They can register as normal but have to provide a valid registration token in a final step of the registration. See the project's [documentation](https://github.com/moan0s/matrix-registration-bot#supported-commands) to learn what it does and why it might be useful to you. -## Registering the bot user +## Configuration -By default, the playbook will set use the bot with a username like this: `@bot.matrix-registration-bot:DOMAIN`. +To enable the bot, add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: -(to use a different username, adjust the `matrix_bot_matrix_registration_bot_matrix_user_id_localpart` variable). - -For [other bots supported by the playbook](configuring-playbook.md#bots), Matrix bot user accounts are created and put to use automatically. For `matrix-registration-bot`, however, this is not the case - you **need to register the bot user manually** before setting up the bot. You can use the playbook to [register a new user](registering-users.md): - -``` -ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.matrix-registration-bot password=PASSWORD_FOR_THE_BOT admin=yes' --tags=register-user -``` - -Choose a strong password for the bot. You can generate a good password with a command like this: `pwgen -s 64 1`. 
- -## Obtaining an admin access token - -In order to use the bot you need to add an admin user's access token token to the configuration. Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md). - -## Adjusting the playbook configuration - -Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: +For `matrix_bot_matrix_registration_bot_api_token`you need an access token with the permission to access the admin api. Access to the API is needed for all restricted actions of the bot (list, create etc..). Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md). ```yaml matrix_bot_matrix_registration_bot_enabled: true -# Token obtained via logging into the bot account (see above) -matrix_bot_matrix_registration_bot_bot_access_token: "syt_bW9hbm9z_XXXXXXXXXXXXXr_2kuzbE" + +#By default, the playbook will set use the bot with a username like +## this: `@bot.matrix-registration-bot:DOMAIN`. +# To use a different username, uncomment & adjust the variable. +# matrix_bot_matrix_registration_bot_matrix_user_id_localpart: bot.matrix-registration-bot + +# Generate a strong password here. Consider generating it with `pwgen -s 64 1` +matrix_bot_matrix_registration_bot_password: PASSWORD_FOR_THE_BOT # Enables registration matrix_synapse_enable_registration: true @@ -44,6 +34,7 @@ matrix_synapse_enable_registration: true matrix_synapse_registration_requires_token: true ``` +The bot account will be automatically created. ## Installing 
@@ -56,10 +47,16 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start ## Usage -To use the bot, create a **non-encrypted** room and invite `@bot.matrix-registration-bot:DOMAIN` (where `DOMAIN` is your base domain, not the `matrix.` domain). +To use the bot, message `@bot.matrix-registration-bot:DOMAIN` (where `DOMAIN` is your base domain, not the `matrix.` domain). In this room send `help` and the bot will reply with all options. You can also refer to the upstream [Usage documentation](https://github.com/moan0s/matrix-registration-bot#supported-commands). If you have any questions, or if you need help setting it up, read the [troublshooting guide](https://github.com/moan0s/matrix-registration-bot/blob/main/docs/troubleshooting.md) or join [#matrix-registration-bot:hyteck.de](https://matrix.to/#/#matrix-registration-bot:hyteck.de). + +To clean the cache (session&encryption data) after you changed the bot's username, changed the login methon form access_token to password etc.. you can use + +```bash +just run-tags bot-matrix-registration-bot-clean-cache +``` diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 0a30f217b..bf9928d0e 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -4123,6 +4123,12 @@ matrix_conduit_systemd_required_services_list: | matrix_user_creator_users_auto: | {{ + ([{ + 'username': matrix_bot_matrix_registration_bot_matrix_user_id_localpart, + 'initial_password': matrix_bot_matrix_registration_bot_bot_password, + 'initial_type': 'admin', + }] if matrix_bot_matrix_registration_bot_enabled else []) + + ([{ 'username': matrix_bot_matrix_reminder_bot_matrix_user_id_localpart, 'initial_password': matrix_bot_matrix_reminder_bot_matrix_user_password, diff --git a/roles/custom/matrix-bot-matrix-registration-bot/defaults/main.yml b/roles/custom/matrix-bot-matrix-registration-bot/defaults/main.yml index d8e52b719..41143566a 100644 
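Review bot: The new `matrix_user_creator_users_auto` entry registers the bot with `'initial_type': 'admin'` unconditionally whenever the bot is enabled, which grants the bot's own login full Synapse admin rights; the `defaults/main.yml` hunk in this commit describes `matrix_bot_matrix_registration_bot_api_token` as only needed when the bot account is not admin, but this entry never produces such an account. A comment here would make the intent explicit, e.g. `# Created as a server admin so the bot can manage registration tokens via the Admin API without a separate api_token.`. If a non-admin bot plus a separately supplied admin token is meant to remain a supported configuration, `initial_type` should depend on whether `matrix_bot_matrix_registration_bot_api_token` is set rather than always being `'admin'`.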
--- a/roles/custom/matrix-bot-matrix-registration-bot/defaults/main.yml +++ b/roles/custom/matrix-bot-matrix-registration-bot/defaults/main.yml @@ -8,8 +8,10 @@ matrix_bot_matrix_registration_bot_docker_repo: "https://github.com/moan0s/matri matrix_bot_matrix_registration_bot_docker_repo_version: "{{ matrix_bot_matrix_registration_bot_version if matrix_bot_matrix_registration_bot_version != 'latest' else 'main' }}" matrix_bot_matrix_registration_bot_docker_src_files_path: "{{ matrix_bot_matrix_registration_bot_base_path }}/docker-src" -matrix_bot_matrix_registration_bot_version: latest -matrix_bot_matrix_registration_bot_docker_image: "{{ matrix_container_global_registry_prefix }}moanos/matrix-registration-bot:{{ matrix_bot_matrix_registration_bot_version }}" +matrix_bot_matrix_registration_bot_version: 1.3.0 +matrix_bot_matrix_registration_bot_docker_iteration: 0 +matrix_bot_matrix_registration_bot_docker_tag: "{{ matrix_bot_matrix_registration_bot_version }}-{{ matrix_bot_matrix_registration_bot_docker_iteration}}" +matrix_bot_matrix_registration_bot_docker_image: "{{ matrix_container_global_registry_prefix }}moanos/matrix-registration-bot:{{ matrix_bot_matrix_registration_bot_docker_tag }}" matrix_bot_matrix_registration_bot_docker_image_force_pull: "{{ matrix_bot_matrix_registration_bot_docker_image.endswith(':latest') }}" matrix_bot_matrix_registration_bot_base_path: "{{ matrix_base_data_path }}/matrix-registration-bot" 
@@ -19,15 +21,15 @@ matrix_bot_matrix_registration_bot_data_path: "{{ matrix_bot_matrix_registration matrix_bot_matrix_registration_bot_bot_server: "https://{{ matrix_server_fqn_matrix }}" matrix_bot_matrix_registration_bot_api_base_url: "https://{{ matrix_server_fqn_matrix }}" -# The access token that the bot uses to communicate in Matrix chats -# This does not necessarily need to be a privileged (admin) access token. -matrix_bot_matrix_registration_bot_bot_access_token: '' -# The access token that the bot uses to call the Matrix API for creating registration tokens. -# This needs to be a privileged (admin) access token. -# By default, we assume `matrix_bot_matrix_registration_bot_bot_access_token` is such a privileged token and we use it as is. -# If necessary, you can define your own other access token here, which might even be for a different Matrix user. -matrix_bot_matrix_registration_bot_api_token: "{{ matrix_bot_matrix_registration_bot_bot_access_token }}" +# The bot's password (can also be used to login via a client like element) +matrix_bot_matrix_registration_bot_bot_password: '' + +# Optional variable that only needs to be set if the bot account is not admin +# Needs to be a valid access token of an admin account +matrix_bot_matrix_registration_bot_api_token: '' + +matrix_bot_matrix_registration_bot_device_id: "matrix-docker-ansible-deploy" matrix_bot_matrix_registration_bot_logging_level: info matrix_bot_matrix_registration_environment_variables_extension: '' diff --git a/roles/custom/matrix-bot-matrix-registration-bot/tasks/clean_cache.yml b/roles/custom/matrix-bot-matrix-registration-bot/tasks/clean_cache.yml new file mode 100644 index 000000000..ae4433b8f --- /dev/null +++ b/roles/custom/matrix-bot-matrix-registration-bot/tasks/clean_cache.yml 
@@ -0,0 +1,12 @@ +--- + +- name: Delete cache files + ansible.builtin.file: + state: "{{ item }}" + path: "{{ matrix_bot_matrix_registration_bot_data_path }}" + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - absent + - directory diff --git a/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml b/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml index 83291fb6d..cd11c1d5d 100644 --- a/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml +++ b/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml @@ -18,3 +18,9 @@ block: - when: not matrix_bot_matrix_registration_bot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + +- tags: + - bot-matrix-registration-bot-clean-cache + block: + - when: matrix_bot_matrix_registration_bot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/clean_cache.yml" diff --git a/roles/custom/matrix-bot-matrix-registration-bot/tasks/setup_install.yml b/roles/custom/matrix-bot-matrix-registration-bot/tasks/setup_install.yml index 515cd9973..655f3d275 100644 --- a/roles/custom/matrix-bot-matrix-registration-bot/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-matrix-registration-bot/tasks/setup_install.yml @@ -9,7 +9,7 @@ group: "{{ matrix_user_groupname }}" with_items: - {path: "{{ matrix_bot_matrix_registration_bot_config_path }}", when: true} - - - {path: "{{ matrix_bot_matrix_registration_bot_data_path }}", when: true} + - {path: "{{ matrix_bot_matrix_registration_bot_data_path }}", when: true} - {path: "{{ matrix_bot_matrix_registration_bot_docker_src_files_path }}", when: true} when: "item.when | bool" diff --git a/roles/custom/matrix-bot-matrix-registration-bot/tasks/validate_config.yml b/roles/custom/matrix-bot-matrix-registration-bot/tasks/validate_config.yml index 39e97cde2..b7a475639 100644 --- a/roles/custom/matrix-bot-matrix-registration-bot/tasks/validate_config.yml 
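Review bot: `clean_cache.yml` deletes and recreates `matrix_bot_matrix_registration_bot_data_path` while the bot's service may still be running; the `bot-matrix-registration-bot-clean-cache` block added in the `tasks/main.yml` hunk only includes this file, so nothing stops the container first, and a running bot could keep its old session alive or write into the freshly recreated directory mid-way. Either stop the service in this task list before the `absent` step, or state the precondition at the top of the file, e.g. `# Expects the bot service to be stopped; wipes the session and encryption state, so previously encrypted history will likely not be readable afterwards.`. Whether the data path holds anything beyond cache (the docs hunk calls it "session&encryption data") is not visible from the hunk, which is another reason to document what the tag destroys.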
+++ b/roles/custom/matrix-bot-matrix-registration-bot/tasks/validate_config.yml @@ -5,6 +5,13 @@ msg: >- You need to define a required configuration setting (`{{ item }}`). when: "vars[item] == ''" + with_items: + - "matrix_bot_matrix_registration_bot_bot_password" + +- name: (Deprecation) Catch and report old settings + ansible.builtin.fail: + msg: >- + Your configuration contains a variable, which is deprecated - Please check the documentation on how to configure the matrix-registration-bot. + when: "item in vars" with_items: - "matrix_bot_matrix_registration_bot_bot_access_token" - - "matrix_bot_matrix_registration_bot_api_token" diff --git a/roles/custom/matrix-bot-matrix-registration-bot/templates/config/config.yml.j2 b/roles/custom/matrix-bot-matrix-registration-bot/templates/config/config.yml.j2 index 756efb018..4a2242aa2 100644 --- a/roles/custom/matrix-bot-matrix-registration-bot/templates/config/config.yml.j2 +++ b/roles/custom/matrix-bot-matrix-registration-bot/templates/config/config.yml.j2 @@ -1,12 +1,16 @@ bot: server: {{ matrix_bot_matrix_registration_bot_bot_server|to_json }} username: {{ matrix_bot_matrix_registration_bot_matrix_user_id_localpart|to_json }} - access_token: {{ matrix_bot_matrix_registration_bot_bot_access_token|to_json }} + password: {{ matrix_bot_matrix_registration_bot_bot_password|to_json }} + api: # API endpoint of the registration tokens base_url: {{ matrix_bot_matrix_registration_bot_api_base_url|to_json }} # Access token of an administrator on the server +{% if matrix_bot_matrix_registration_bot_api_token | length > 0 %} token: {{ matrix_bot_matrix_registration_bot_api_token|to_json }} +{% endif %} + logging: level: {{ matrix_bot_matrix_registration_bot_logging_level|to_json }} From 6666d230795fa1efb1cda13c7f868f282a1ed7fc Mon Sep 17 00:00:00 2001 
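Review bot: The failure message in the new `(Deprecation) Catch and report old settings` task does not name the offending variable, so a user who still has `matrix_bot_matrix_registration_bot_bot_access_token` set only learns that "a variable" is deprecated; interpolating the loop item fixes that: `Your configuration contains a deprecated variable (`{{ item }}`). Please check the documentation on how to configure the matrix-registration-bot.`. The deprecation list deliberately no longer flags `matrix_bot_matrix_registration_bot_api_token`, which agrees with `defaults/main.yml` keeping it as an optional admin token, but the CHANGELOG hunk in this same commit tells existing users to remove that variable; one of the two should be aligned so operators are not told to drop a setting the role still honours.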
From: ThellraAK Date: Tue, 25 Jul 2023 00:04:02 -0800 Subject: [PATCH 904/915] Remove file logging, and add existing log level variable to config --- .../templates/config.yaml.j2 | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/roles/custom/matrix-bridge-mautrix-gmessages/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-gmessages/templates/config.yaml.j2 index a17f6cd1e..6dc136bb4 100644 --- a/roles/custom/matrix-bridge-mautrix-gmessages/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-gmessages/templates/config.yaml.j2 @@ -286,13 +286,7 @@ bridge: # Logging config. See https://github.com/tulir/zeroconfig for details. logging: - min_level: debug + min_level: {{ matrix_mautrix_gmessages_logging_level }} writers: - - type: stdout - format: pretty-colored - - type: file - format: json - filename: ./logs/mautrix-gmessages.log - max_size: 100 - max_backups: 10 - compress: true + - type: stdout + format: pretty-colored From 02de889656eee73bd457a2c39d9894d99001a2ac Mon Sep 17 00:00:00 2001 From: wuast94 Date: Tue, 25 Jul 2023 12:35:51 +0200 Subject: [PATCH 905/915] Fix Variable Registration bot variable need to be named: matrix_bot_matrix_registration_bot_bot_password and not: matrix_bot_matrix_registration_bot_password Dont know if it need fixed in every rule or just change the docs --- docs/configuring-playbook-bot-matrix-registration-bot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bot-matrix-registration-bot.md b/docs/configuring-playbook-bot-matrix-registration-bot.md index f0bffc85c..babfd2689 100644 --- a/docs/configuring-playbook-bot-matrix-registration-bot.md +++ b/docs/configuring-playbook-bot-matrix-registration-bot.md 
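Review bot: `min_level: {{ matrix_mautrix_gmessages_logging_level }}` interpolates the variable bare, whereas the other templated values in this bridge's config (for example `permissions: {{ matrix_mautrix_gmessages_bridge_permissions|to_json }}`) go through `| to_json`; `min_level: {{ matrix_mautrix_gmessages_logging_level | to_json }}` would be consistent and keeps YAML from re-interpreting an unusual value. Dropping the file writer also means logs now exist only on stdout, so the unit's `--log-driver=none` (set in the service template elsewhere in this series) leaves journald as the only retention path; worth a one-line comment so operators know where to look.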
@@ -25,7 +25,7 @@ matrix_bot_matrix_registration_bot_enabled: true # matrix_bot_matrix_registration_bot_matrix_user_id_localpart: bot.matrix-registration-bot # Generate a strong password here. Consider generating it with `pwgen -s 64 1` -matrix_bot_matrix_registration_bot_password: PASSWORD_FOR_THE_BOT +matrix_bot_matrix_registration_bot_bot_password: PASSWORD_FOR_THE_BOT # Enables registration matrix_synapse_enable_registration: true From 9703d1d1e5866e781168fd3255f26103b6de9020 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 25 Jul 2023 17:28:30 +0300 Subject: [PATCH 906/915] Upgrade Traefik (v2.10.3-0 -> v2.10.4-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 91912c901..4f2fd7f80 100644 --- a/requirements.yml +++ b/requirements.yml @@ -26,7 +26,7 @@ - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git version: v1.0.0-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: v2.10.3-0 + version: v2.10.4-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: v2.8.1-0 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git From 52ed1f7a0bb4adf39842965892bc78b1a5e88602 Mon Sep 17 00:00:00 2001 From: greentore <117551249+greentore@users.noreply.github.com> Date: Tue, 25 Jul 2023 19:26:20 +0200 Subject: [PATCH 907/915] Update Element logo location --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 9199a1d5a..123cbd32a 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml 
@@ -159,7 +159,7 @@ matrix_client_element_welcome_user_id: ~ matrix_client_element_brand: "Element" # URL to Logo on welcome page -matrix_client_element_welcome_logo: "welcome/images/logo.svg" +matrix_client_element_welcome_logo: "themes/element/img/logos/element-logo.svg" # URL of link on welcome image matrix_client_element_welcome_logo_link: "https://element.io" From ae2f67e15f5dd5a5fe88b64a837348d7fdd3cc7f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 26 Jul 2023 15:27:38 +0300 Subject: [PATCH 908/915] Make maubot communicate with the homeserver via the container network Supersedes https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2791 --- roles/custom/matrix-bot-maubot/templates/config/config.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-maubot/templates/config/config.yaml.j2 b/roles/custom/matrix-bot-maubot/templates/config/config.yaml.j2 index 49bbcb878..7750ec9a3 100644 --- a/roles/custom/matrix-bot-maubot/templates/config/config.yaml.j2 +++ b/roles/custom/matrix-bot-maubot/templates/config/config.yaml.j2 @@ -60,7 +60,7 @@ server: homeservers: {{ matrix_domain }}: # Client-server API URL - url: "https://{{ matrix_server_fqn_matrix }}" + url: {{ matrix_homeserver_container_url | to_json }} # registration_shared_secret from synapse config # You can leave this empty if you don't have access to the homeserver. # When this is empty, `mbc auth --register` won't work, but `mbc auth` (login) will. From 08b433a8f7b02b5f3fc88dfc3b2f85f2feb1730c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 26 Jul 2023 19:50:18 +0300 Subject: [PATCH 909/915] Upgrade Grafana (v10.0.2-1 -> v10.0.3-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 4f2fd7f80..1ef1f4da0 100644 --- a/requirements.yml +++ b/requirements.yml 
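Review bot: Switching `url` to `matrix_homeserver_container_url` moves maubot's client-server traffic off the public TLS endpoint and onto the container network; if that URL is plain `http://` (not visible from this hunk), the bot's access tokens travel unencrypted between containers, which is only acceptable while maubot and the homeserver share the same isolated Docker network. A template comment stating that assumption, e.g. `# Reached over the container network; assumes maubot is attached to the homeserver's Docker network`, would make the trade-off explicit for anyone who later moves one of the two containers.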
@@ -35,7 +35,7 @@ version: 6.1.0 name: geerlingguy.docker - src: git+https://gitlab.com/etke.cc/roles/grafana.git - version: v10.0.2-1 + version: v10.0.3-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git version: v8615-2 name: jitsi From ba1d665bd993cc07f2b3a2a5077804cc3b5719ea Mon Sep 17 00:00:00 2001 From: Alexis Yushin Date: Thu, 27 Jul 2023 11:26:15 +0200 Subject: [PATCH 910/915] make smtp tls configurable / optional --- .gitignore | 1 + .../custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 2 +- roles/custom/matrix-synapse/vars/main.yml | 3 +++ 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 421877392..6b56900a8 100644 --- a/.gitignore +++ b/.gitignore @@ -5,6 +5,7 @@ /roles/**/files/scratchpad .DS_Store .python-version +.idea/ flake.lock # ignore roles pulled by ansible-galaxy diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index f42f6e309..e12bdb194 100644 --- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2351,7 +2351,7 @@ email: # must present a certificate that is valid for 'smtp_host'. If this option # is set to false, TLS will not be used. # - #enable_tls: false + enable_tls: {{ matrix_synapse_email_smtp_enable_tls|to_json }} # notif_from defines the "From" address to use when sending emails. # It must be set if email sending is enabled. diff --git a/roles/custom/matrix-synapse/vars/main.yml b/roles/custom/matrix-synapse/vars/main.yml index 9ac7afeb7..a12b44017 100644 --- a/roles/custom/matrix-synapse/vars/main.yml +++ b/roles/custom/matrix-synapse/vars/main.yml 
@@ -5,6 +5,9 @@ matrix_synapse_federation_api_url_endpoint_public: "https://{{ matrix_server_fqn matrix_synapse_media_store_directory_name: "{{ matrix_synapse_media_store_path | basename }}" +# Optionally: `false` to fully disable tls on outbound smtp +matrix_synapse_email_smtp_enable_tls: true + # A Synapse generic worker can handle both federation and client-server API endpoints. # We wish to split these, as we normally serve federation separately and don't want them mixed up. # From 92ea0480805a11c17fc9535332f0a9d2a27d8ac7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 28 Jul 2023 08:40:43 +0300 Subject: [PATCH 911/915] Add some missing install-all/install-synapse tags to Synapse role --- .../matrix-synapse/tasks/ext/setup_install.yml | 14 ++++++++++++++ .../custom/matrix-synapse/tasks/setup_install.yml | 8 ++++++++ 2 files changed, 22 insertions(+) diff --git a/roles/custom/matrix-synapse/tasks/ext/setup_install.yml b/roles/custom/matrix-synapse/tasks/ext/setup_install.yml index 0d8879392..4adb6566a 100644 --- a/roles/custom/matrix-synapse/tasks/ext/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/ext/setup_install.yml @@ -4,6 +4,8 @@ - tags: - setup-all - setup-synapse + - install-all + - install-synapse block: - when: matrix_synapse_ext_encryption_disabler_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup_install.yml" @@ -12,6 +14,8 @@ - tags: - setup-all - setup-synapse + - install-all + - install-synapse block: - when: matrix_synapse_ext_password_provider_rest_auth_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup_install.yml" @@ -20,6 +24,8 @@ - tags: - setup-all - setup-synapse + - install-all + - install-synapse block: - when: matrix_synapse_ext_password_provider_shared_secret_auth_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup_install.yml" 
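Review bot: `matrix_synapse_email_smtp_enable_tls` is declared in the role's `vars/main.yml`, and role vars take precedence over inventory `host_vars`/`group_vars`, so the toggle the commit title promises cannot actually be overridden from a user's `vars.yml`; it belongs in `defaults/main.yml` alongside the other user-facing settings, with the `homeserver.yaml.j2` hunk left as is. The comment should also spell out what disabling it costs, e.g. `# Set to false only for a loopback or otherwise trusted relay: SMTP credentials and notification emails then travel unencrypted.`. The existing entries in this file are derived values (such as `matrix_synapse_media_store_directory_name`), which is a further hint that a user option is out of place here.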
@@ -28,6 +34,8 @@ - tags: - setup-all - setup-synapse + - install-all + - install-synapse block: - when: matrix_synapse_ext_password_provider_ldap_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/ldap-auth/setup_install.yml" @@ -36,6 +44,8 @@ - tags: - setup-all - setup-synapse + - install-all + - install-synapse block: - when: matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup_install.yml" @@ -44,6 +54,8 @@ - tags: - setup-all - setup-synapse + - install-all + - install-synapse block: - when: matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_install.yml" @@ -52,6 +64,8 @@ - tags: - setup-all - setup-synapse + - install-all + - install-synapse block: - when: matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/validate_config.yml" diff --git a/roles/custom/matrix-synapse/tasks/setup_install.yml b/roles/custom/matrix-synapse/tasks/setup_install.yml index 378a0dee5..a2185da57 100644 --- a/roles/custom/matrix-synapse/tasks/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/setup_install.yml @@ -26,6 +26,8 @@ - tags: - setup-all - setup-synapse + - install-all + - install-synapse block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/setup_install.yml" @@ -34,6 +36,8 @@ - tags: - setup-all - setup-synapse + - install-all + - install-synapse block: - when: matrix_synapse_workers_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/workers/setup_install.yml" 
@@ -41,12 +45,16 @@ - tags: - setup-all - setup-synapse + - install-all + - install-synapse block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/setup_install.yml" - tags: - setup-all - setup-synapse + - install-all + - install-synapse block: - when: matrix_s3_media_store_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/goofys/setup_install.yml" From 621578399fe1e400b67140a8e5e18e226dfc3da4 Mon Sep 17 00:00:00 2001 From: "System user; root" Date: Thu, 27 Jul 2023 23:00:59 -0800 Subject: [PATCH 912/915] Adding variable for messing with the prompt and setting the default to the example --- roles/custom/matrix-bot-chatgpt/defaults/main.yml | 2 ++ roles/custom/matrix-bot-chatgpt/templates/env.j2 | 2 ++ 2 files changed, 4 insertions(+) diff --git a/roles/custom/matrix-bot-chatgpt/defaults/main.yml b/roles/custom/matrix-bot-chatgpt/defaults/main.yml index 00eae1676..298437ca3 100644 --- a/roles/custom/matrix-bot-chatgpt/defaults/main.yml +++ b/roles/custom/matrix-bot-chatgpt/defaults/main.yml @@ -88,3 +88,5 @@ matrix_bot_chatgpt_matrix_rich_text: true # MATRIX_RICH_TEXT=true # matrix_bot_chatgpt_environment_variables_extension: | # chatgpt_TEXT_DONE=Done matrix_bot_chatgpt_environment_variables_extension: '' + +matrix_bot_chatgpt_matrix_bot_prompt_prefix: 'Instructions:\nYou are ChatGPT, a large language model trained by OpenAI.' diff --git a/roles/custom/matrix-bot-chatgpt/templates/env.j2 b/roles/custom/matrix-bot-chatgpt/templates/env.j2 index bc8c38664..d9ca2d50c 100644 --- a/roles/custom/matrix-bot-chatgpt/templates/env.j2 +++ b/roles/custom/matrix-bot-chatgpt/templates/env.j2 
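Review bot: `matrix_bot_chatgpt_matrix_bot_prompt_prefix` is the only variable in this block without the `# ENV_VAR=value` trailer comment its neighbours carry (e.g. `matrix_bot_chatgpt_matrix_rich_text: true # MATRIX_RICH_TEXT=true`), and its `\n` sits inside a single-quoted YAML scalar, so the default holds the two characters backslash and n rather than a line break — whether the bot unescapes that is not visible here. Suggest `matrix_bot_chatgpt_matrix_bot_prompt_prefix: 'Instructions:\nYou are ChatGPT, a large language model trained by OpenAI.' # CHATGPT_PROMPT_PREFIX=...; \n is literal inside single quotes`. A sentence in that comment saying the prefix is a system-prompt hint and not a control on what room members can make the bot do would keep operators from treating it as a security boundary. Naming-wise, the `_matrix_bot_` infix does not mirror the env var the way the other `matrix_bot_chatgpt_matrix_*` ↔ `MATRIX_*` pairs do; `matrix_bot_chatgpt_chatgpt_prompt_prefix` would, though renaming is a judgment call.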
@@ -25,6 +25,8 @@ MATRIX_ENCRYPTION={{ matrix_bot_chatgpt_matrix_encryption|lower }} MATRIX_THREADS={{ matrix_bot_chatgpt_matrix_threads|lower }} MATRIX_RICH_TEXT={{ matrix_bot_chatgpt_matrix_rich_text|lower }} +CHATGPT_PROMPT_PREFIX={{ matrix_bot_chatgpt_matrix_bot_prompt_prefix }} + DATA_PATH=/data/ {{ matrix_bot_chatgpt_environment_variables_extension }} From 0a6b934a44a4f2a6a7d0f146b026d4aeb66024f7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 28 Jul 2023 17:17:48 +0300 Subject: [PATCH 913/915] Rename Element configuration key (preferredDomain -> preferred_domain) Related to: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2375#issuecomment-1655758296 --- .../templates/static-files/well-known/matrix-client.j2 | 4 ++-- roles/custom/matrix-client-element/templates/config.json.j2 | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 b/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 index 45c3ea2a0..e3a3172e6 100644 --- a/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 +++ b/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 @@ -20,10 +20,10 @@ {% endif %} {% if matrix_client_element_jitsi_preferredDomain %}, "io.element.jitsi": { - "preferredDomain": {{ matrix_client_element_jitsi_preferredDomain|to_json }} + "preferred_domain": {{ matrix_client_element_jitsi_preferredDomain|to_json }} }, "im.vector.riot.jitsi": { - "preferredDomain": {{ matrix_client_element_jitsi_preferredDomain|to_json }} + "preferred_domain": {{ matrix_client_element_jitsi_preferredDomain|to_json }} } {% endif %} {% if matrix_sliding_sync_enabled %}, diff --git a/roles/custom/matrix-client-element/templates/config.json.j2 b/roles/custom/matrix-client-element/templates/config.json.j2 index 6f2498fd8..c0d11abdb 100644 --- a/roles/custom/matrix-client-element/templates/config.json.j2 
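Review bot: `CHATGPT_PROMPT_PREFIX={{ matrix_bot_chatgpt_matrix_bot_prompt_prefix }}` drops the variable into the env file unquoted and unescaped, so an operator who writes the prefix as a multi-line YAML block scalar (the natural move when the default's literal `\n` does not produce a line break) gets a real newline in the rendered file, and the remainder is presumably read as further `KEY=VALUE` lines by whatever consumes it (docker `--env-file`, going by the `DATA_PATH=/data/` convention). Since this file format has no quoting to lean on, the template should guarantee a single line: `CHATGPT_PROMPT_PREFIX={{ matrix_bot_chatgpt_matrix_bot_prompt_prefix | replace('\n', '\\n') }}` if the bot unescapes `\n` (not visible here), or otherwise a `# must be a single line` comment above it backed by a validate_config check. The `matrix_bot_chatgpt_environment_variables_extension` line below is the deliberate place for raw multi-line content; this one is not.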
+++ b/roles/custom/matrix-client-element/templates/config.json.j2 @@ -35,7 +35,7 @@ }, {% if matrix_client_element_jitsi_preferredDomain %} "jitsi": { - "preferredDomain": {{ matrix_client_element_jitsi_preferredDomain | to_json }} + "preferred_domain": {{ matrix_client_element_jitsi_preferredDomain | to_json }} }, {% endif %} {% if matrix_client_element_location_sharing_enabled %} From f3445c124c088b0122ee0bb8dd7ae327c96a7fb4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 28 Jul 2023 17:26:05 +0300 Subject: [PATCH 914/915] Fix Traefik support for matrix-user-verification-service Related to: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2375#issuecomment-1655758296 --- group_vars/matrix_servers | 21 ++++++++++++------- .../defaults/main.yml | 8 +++++++ .../tasks/setup_install.yml | 5 +++++ ...atrix-user-verification-service.service.j2 | 10 +++++++-- 4 files changed, 35 insertions(+), 9 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index bf9928d0e..74f382fa3 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -4172,13 +4172,20 @@ matrix_user_verification_service_docker_image: "{{ matrix_user_verification_serv matrix_user_verification_service_enabled: false matrix_user_verification_service_systemd_required_services_list: | - {{ - ['docker.service'] - + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) - + - ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) - }} + {{ + ['docker.service'] + + + (['matrix-' + matrix_homeserver_implementation + '.service']) + }} + +matrix_user_verification_service_container_additional_networks: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + + + ([matrix_homeserver_container_network] if matrix_homeserver_container_network != matrix_user_verification_service_container_network else []) + ) | unique + }} # If Jitsi is managed by this playbook we can use the docker network - no need to expose a port. # If Jitsi is not managed by this playbook, or you otherwise have a need for it, you can expose diff --git a/roles/custom/matrix-user-verification-service/defaults/main.yml b/roles/custom/matrix-user-verification-service/defaults/main.yml index 5b3611b88..b553ad12b 100644 --- a/roles/custom/matrix-user-verification-service/defaults/main.yml +++ b/roles/custom/matrix-user-verification-service/defaults/main.yml 
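Review bot: The new `matrix_user_verification_service_container_additional_networks` value attaches the container to `matrix_playbook_reverse_proxyable_services_additional_network`, which puts UVS's port 3000 on a network shared with every other reverse-proxyable service rather than only with the proxy; whether UVS authenticates callers on that port is not visible in this hunk, so that should be confirmed before the Traefik network becomes the default path. A short comment above the list, e.g. `# Joining the reverse-proxy network exposes port 3000 to every container on it, not just the proxy`, would make the trade-off explicit. Minor style point: `(['matrix-' + matrix_homeserver_implementation + '.service'])` no longer carries a condition, so the surrounding parentheses left over from the old `if matrix_synapse_enabled` form can go.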
@@ -18,6 +18,14 @@ matrix_user_verification_service_docker_image_name_prefix: "{{ matrix_container_ matrix_user_verification_service_docker_image: "{{ matrix_user_verification_service_docker_image_name_prefix }}matrixdotorg/matrix-user-verification-service:{{ matrix_user_verification_service_version }}" matrix_user_verification_service_docker_image_force_pull: "{{ matrix_user_verification_service_docker_image.endswith(':latest') }}" +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_user_verification_service_container_network: "{{ matrix_docker_network }}" + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_user_verification_service_container_additional_networks: [] + matrix_user_verification_service_container_name: "matrix-user-verification-service" # This will be set in group vars matrix_user_verification_service_container_http_host_bind_port: '' diff --git a/roles/custom/matrix-user-verification-service/tasks/setup_install.yml b/roles/custom/matrix-user-verification-service/tasks/setup_install.yml index 185b4b642..54d5d979b 100644 --- a/roles/custom/matrix-user-verification-service/tasks/setup_install.yml +++ b/roles/custom/matrix-user-verification-service/tasks/setup_install.yml @@ -30,6 +30,11 @@ group: "{{ matrix_user_groupname }}" mode: 0644 +- name: Ensure matrix-user-verification-service container network is created + community.general.docker_network: + name: "{{ matrix_user_verification_service_container_network }}" + driver: bridge + - name: Ensure matrix-user-verification-service.service installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-user-verification-service.service.j2" 
diff --git a/roles/custom/matrix-user-verification-service/templates/systemd/matrix-user-verification-service.service.j2 b/roles/custom/matrix-user-verification-service/templates/systemd/matrix-user-verification-service.service.j2 index eb24b1281..d42dc2d93 100644 --- a/roles/custom/matrix-user-verification-service/templates/systemd/matrix-user-verification-service.service.j2 +++ b/roles/custom/matrix-user-verification-service/templates/systemd/matrix-user-verification-service.service.j2 @@ -17,12 +17,14 @@ ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_s ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_user_verification_service_container_name }} 2>/dev/null' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {{ matrix_user_verification_service_container_name }}\ +ExecStart={{ devture_systemd_docker_base_host_command_docker }} run \ + --rm \ + --name={{ matrix_user_verification_service_container_name }}\ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_user_verification_service_container_network }} \ {% if matrix_user_verification_service_container_http_host_bind_port %} -p {{ matrix_user_verification_service_container_http_host_bind_port }}:3000 \ {% endif %} 
@@ -32,6 +34,10 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {% endfor %} {{ matrix_user_verification_service_docker_image }} +{% for network in matrix_user_verification_service_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} {{ matrix_user_verification_service_container_name }} +{% endfor %} + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_user_verification_service_container_name }} 2>/dev/null' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_user_verification_service_container_name }} 2>/dev/null' Restart=always From 06e2ab94fdebba0ad2be29307986f66828436548 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 28 Jul 2023 20:53:44 +0300 Subject: [PATCH 915/915] Add missing space Related to: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2375#issuecomment-1656064975 --- .../systemd/matrix-user-verification-service.service.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-user-verification-service/templates/systemd/matrix-user-verification-service.service.j2 b/roles/custom/matrix-user-verification-service/templates/systemd/matrix-user-verification-service.service.j2 index d42dc2d93..683982632 100644 --- a/roles/custom/matrix-user-verification-service/templates/systemd/matrix-user-verification-service.service.j2 +++ b/roles/custom/matrix-user-verification-service/templates/systemd/matrix-user-verification-service.service.j2 
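Review bot: The `docker network connect` lines added in the loop are `ExecStartPre=` entries, and systemd runs every ExecStartPre before ExecStart regardless of where they appear in the unit, so with a non-empty `matrix_user_verification_service_container_additional_networks` they would run after the earlier `docker rm` ExecStartPre and before the `docker run` in the previous hunk has created the container — the connect fails on a missing container and, lacking a `-` prefix, aborts the unit start. The role default is `[]`, but the group_vars change in this same commit fills the list with the reverse-proxy network, so the Traefik case this commit targets is exactly the one that would break. The usual fix is to create the container first: change the previous hunk's `ExecStart=... run \` to `ExecStartPre=... create \`, drop its `--rm \` line, and after the loop add `ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach {{ matrix_user_verification_service_container_name }}`. I am inferring this from the hunk rather than a run, so please verify on a host with the additional network set.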
@@ -19,7 +19,7 @@ ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_s
 ExecStart={{ devture_systemd_docker_base_host_command_docker }} run \
 --rm \
- --name={{ matrix_user_verification_service_container_name }}\
+ --name={{ matrix_user_verification_service_container_name }} \
 --log-driver=none \
 --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 --cap-drop=ALL \