From db70230ae16ff8351450b21d007f336003ff873e Mon Sep 17 00:00:00 2001 From: Charles Wright Date: Tue, 16 Jan 2024 09:17:24 -0600 Subject: [PATCH 001/118] Add room-workers as a new preset, with new room workers, sync workers, client readers, and federation readers. Based on https://tcpipuk.github.io/synapse/index.html --- group_vars/matrix_servers | 5 ++ .../defaults/main.yml | 5 ++ ...ix-synapse-reverse-proxy-companion.conf.j2 | 81 ++++++++++++++----- roles/custom/matrix-synapse/defaults/main.yml | 47 +++++++++++ .../tasks/synapse/workers/init.yml | 52 ++++++++++++ roles/custom/matrix-synapse/vars/main.yml | 19 +++++ 6 files changed, 190 insertions(+), 19 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 3ebe649be..d4f4ea1bc 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -4081,6 +4081,11 @@ matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_trae matrix_synapse_reverse_proxy_companion_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}" matrix_synapse_reverse_proxy_companion_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}" +matrix_synapse_reverse_proxy_companion_synapse_room_worker_client_server_locations: "{{ matrix_synapse_workers_room_worker_client_server_endpoints }}" +matrix_synapse_reverse_proxy_companion_synapse_room_worker_federation_locations: "{{ matrix_synapse_workers_room_worker_federation_endpoints }}" +matrix_synapse_reverse_proxy_companion_synapse_sync_worker_client_server_locations: "{{ matrix_synapse_workers_sync_worker_client_server_endpoints }}" +matrix_synapse_reverse_proxy_companion_synapse_client_reader_client_server_locations: "{{ matrix_synapse_workers_client_reader_client_server_endpoints }}" +matrix_synapse_reverse_proxy_companion_synapse_federation_reader_federation_locations: "{{ matrix_synapse_workers_federation_reader_federation_endpoints }}" matrix_synapse_reverse_proxy_companion_synapse_generic_worker_client_server_locations: "{{ matrix_synapse_workers_generic_worker_client_server_endpoints }}" matrix_synapse_reverse_proxy_companion_synapse_generic_worker_federation_locations: "{{ matrix_synapse_workers_generic_worker_federation_endpoints }}" matrix_synapse_reverse_proxy_companion_synapse_stream_writer_typing_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_typing_stream_worker_client_server_endpoints }}" diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml index 7a3f4f709..3f19e3a2b 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml 
@@ -206,6 +206,11 @@ matrix_synapse_reverse_proxy_companion_synapse_federation_api_additional_server_ # synapse worker activation and endpoint mappings matrix_synapse_reverse_proxy_companion_synapse_workers_enabled: false matrix_synapse_reverse_proxy_companion_synapse_workers_list: [] +matrix_synapse_reverse_proxy_companion_synapse_room_worker_client_server_locations: [] +matrix_synapse_reverse_proxy_companion_synapse_room_worker_federation_locations: [] +matrix_synapse_reverse_proxy_companion_synapse_sync_worker_client_server_locations: [] +matrix_synapse_reverse_proxy_companion_synapse_client_reader_client_server_locations: [] +matrix_synapse_reverse_proxy_companion_synapse_federation_reader_federation_locations: [] matrix_synapse_reverse_proxy_companion_synapse_generic_worker_client_server_locations: [] matrix_synapse_reverse_proxy_companion_synapse_generic_worker_federation_locations: [] matrix_synapse_reverse_proxy_companion_synapse_stream_writer_typing_stream_worker_client_server_locations: [] diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 index c94855d59..c3164e963 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 
@@ -1,5 +1,9 @@ #jinja2: lstrip_blocks: "True" +{% set room_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'room_worker') | list %} +{% set sync_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'sync_worker') | list %} +{% set client_reader_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'client_reader') | list %} +{% set federation_reader_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'federation_reader') | list %} {% set generic_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'generic_worker') | list %} {% set stream_writer_typing_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'typing') | list %} {% set stream_writer_to_device_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'to_device') | list %} 
@@ -9,9 +13,31 @@ {% set media_repository_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'media_repository') | list %} {% set user_dir_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'user_dir') | list %} -{% macro render_worker_upstream(name, workers) %} + +# Maps from https://tcpipuk.github.io/synapse/deployment/nginx.html#mapsconf +# Client username from MXID +map $http_authorization $mxid_localpart { + default $http_authorization; + "~Bearer syt_(?.*?)_.*" $username; + "" $accesstoken_from_urlparam; +} + +# Whether to upgrade HTTP connection +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +#Extract room name from URI +map $request_uri $room_name { + ~^/_matrix/(client|federation)/.*?(?:%21|!)(?[A-Za-z0-9._=\-\/]+)(?::|%3A)[A-Za-z0-9._=\-\/]+ $room; +} +# End maps + +{% macro render_worker_upstream(name, workers, load_balance) %} {% if workers | length > 0 %} upstream {{ name }} { + {{ load_balance }} keepalive {{ workers | length * 2 }}; {% for worker in workers %} server "{{ worker.name }}:{{ worker.port }}"; 
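Review bot: The named capture groups in the new map regexes render here as `(?.*?)` and `(?[A-Za-z0-9._=\-\/]+)`, with nothing between `(?` and the pattern; if that is what the template contains rather than an artifact of this rendering, PCRE rejects the expression at `nginx -t` and `$username` / `$room` are never populated, so it is worth confirming the file reads `"~Bearer syt_(?<username>.*?)_.*" $username;` and `(?<room>[A-Za-z0-9._=\-\/]+)`. The same rendering appears in the maps re-added inside the workers block by a later patch to this file and in the `room_worker` endpoint regexes added to roles/custom/matrix-synapse/vars/main.yml.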
@@ -37,28 +63,22 @@ {% endif %} # Round Robin "upstream" pools for workers - {% if generic_workers |length > 0 %} - upstream generic_workers_upstream { - # ensures that requests from the same client will always be passed - # to the same server (except when this server is unavailable) - hash $http_x_forwarded_for; - keepalive {{ generic_workers | length * 2 }}; + {{ render_worker_upstream('room_workers_upstream', room_workers, 'hash $room_name consistent;') + {{ render_worker_upstream('sync_workers_upstream', room_workers, 'hash $mxid_localpart consistent;') + {{ render_worker_upstream('client_reader_workers_upstream', client_reader_workers, 'least_conn;') + {{ render_worker_upstream('federation_reader_workers_upstream', federation_reader_workers, 'hash $http_x_forwarded_for;') }} - {% for worker in generic_workers %} - server "{{ worker.name }}:{{ worker.port }}"; - {% endfor %} - } - {% endif %} + {{ render_worker_upstream('generic_workers_upstream', generic_workers, 'hash $http_x_forwarded_for;') }} - {{ render_worker_upstream('stream_writer_typing_stream_workers_upstream', stream_writer_typing_stream_workers) }} - {{ render_worker_upstream('stream_writer_to_device_stream_workers_upstream', stream_writer_to_device_stream_workers) }} - {{ render_worker_upstream('stream_writer_account_data_stream_workers_upstream', stream_writer_account_data_stream_workers) }} - {{ render_worker_upstream('stream_writer_receipts_stream_workers_upstream', stream_writer_receipts_stream_workers) }} - {{ render_worker_upstream('stream_writer_presence_stream_workers_upstream', stream_writer_presence_stream_workers) }} + {{ render_worker_upstream('stream_writer_typing_stream_workers_upstream', stream_writer_typing_stream_workers, '') }} + {{ render_worker_upstream('stream_writer_to_device_stream_workers_upstream', stream_writer_to_device_stream_workers, '') }} + {{ render_worker_upstream('stream_writer_account_data_stream_workers_upstream', stream_writer_account_data_stream_workers, '') 
}} + {{ render_worker_upstream('stream_writer_receipts_stream_workers_upstream', stream_writer_receipts_stream_workers, '') }} + {{ render_worker_upstream('stream_writer_presence_stream_workers_upstream', stream_writer_presence_stream_workers, '') }} - {{ render_worker_upstream('media_repository_workers_upstream', media_repository_workers) }} + {{ render_worker_upstream('media_repository_workers_upstream', media_repository_workers, 'least_conn;') }} - {{ render_worker_upstream('user_dir_workers_upstream', user_dir_workers) }} + {{ render_worker_upstream('user_dir_workers_upstream', user_dir_workers, '') }} {% endif %} server { @@ -74,6 +94,21 @@ server { {% if matrix_synapse_reverse_proxy_companion_synapse_workers_enabled %} {# Workers redirects BEGIN #} + {% if room_workers | length > 0 %} + # https://tcpipuk.github.io/synapse/deployment/workers.html + {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_room_worker_client_server_locations, 'room_workers_upstream') }} + {% endif %} + + {% if sync_workers | length > 0 %} + # https://tcpipuk.github.io/synapse/deployment/workers.html + {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_sync_worker_client_server_locations, 'sync_workers_upstream') }} + {% endif %} + + {% if client_reader_workers | length > 0 %} + # https://tcpipuk.github.io/synapse/deployment/workers.html + {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_client_reader_client_server_locations, 'client_reader_workers_upstream') }} + {% endif %} + {% if generic_workers | length > 0 %} # https://matrix-org.github.io/synapse/latest/workers.html#synapseappgeneric_worker {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_generic_worker_client_server_locations, 'generic_workers_upstream') }} 
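Review bot: The room-worker block is rendered first and its client-server endpoint regex (`^/_matrix/client/.*?!(?<room>...)...` in vars/main.yml) matches any client path that carries a `!room_id`, so the `rooms/.*/(joined_members|context/.*|members|state|...)` alternatives in the client-reader list are never reached while at least one room worker exists, because nginx takes the first matching `location ~`. That is presumably intended, following the linked guide, but nothing in the template says so; the three identical guide links could be replaced by one comment such as `# order matters: room-worker locations win for any path with a !room_id; the rooms/... client-reader entries only apply when no room workers are configured`. The enclosing `server` block starts and ends outside the hunk.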
@@ -165,6 +200,14 @@ server { gzip_types text/plain application/json; {% if matrix_synapse_reverse_proxy_companion_synapse_workers_enabled %} + {% if room_workers | length > 0 %} + # https://tcpipuk.github.io/synapse/deployment/workers.html + {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_room_worker_federation_locations, 'room_workers_upstream') }} + {% endif %} + {% if federation_reader_workers | length > 0 %} + # https://tcpipuk.github.io/synapse/deployment/workers.html + {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_federation_reader_federation_locations, 'federation_reader_workers_upstream') }} + {% endif %} {% if generic_workers | length > 0 %} # https://matrix-org.github.io/synapse/latest/workers.html#synapseappgeneric_worker {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_generic_worker_federation_locations, 'generic_workers_upstream') }} diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 4b1513fa5..7dd7ec227 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -666,6 +666,10 @@ matrix_synapse_workers_preset: one-of-each matrix_synapse_workers_presets: little-federation-helper: + room_workers_count: 0 + sync_workers_count: 0 + client_reader_workers_count: 0 + federation_reader_workers_count: 0 generic_workers_count: 0 pusher_workers_count: 0 federation_sender_workers_count: 1 @@ -680,6 +684,10 @@ matrix_synapse_workers_presets: stream_writer_receipts_stream_workers_count: 0 stream_writer_presence_stream_workers_count: 0 one-of-each: + room_workers_count: 0 + sync_workers_count: 0 + client_reader_workers_count: 0 + federation_reader_workers_count: 0 generic_workers_count: 1 pusher_workers_count: 1 federation_sender_workers_count: 1 
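Review bot: The federation-reader endpoint regex `^/_matrix/(federation/(v1|v2)|key/v2)/` is a catch-all, so the room-worker federation block added just above it has to stay first or `state_ids` / `get_missing_events` requests would also land on `federation_reader_workers_upstream` and lose their per-room affinity; the template does not record this dependency. A one-line comment ahead of the federation-reader block, `# keep after the room-worker locations: this regex matches every federation path`, would stop a future reorder from breaking it silently. The enclosing `server` block starts and ends outside the hunk.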
@@ -693,6 +701,24 @@ matrix_synapse_workers_presets: stream_writer_account_data_stream_workers_count: 1 stream_writer_receipts_stream_workers_count: 1 stream_writer_presence_stream_workers_count: 1 + room-workers: + room_workers_count: 1 + sync_workers_count: 1 + client_reader_workers_count: 1 + federation_reader_workers_count: 1 + generic_workers_count: 0 + pusher_workers_count: 1 + federation_sender_workers_count: 1 + media_repository_workers_count: 1 + appservice_workers_count: 1 + user_dir_workers_count: 1 + background_workers_count: 1 + stream_writer_events_stream_workers_count: 1 + stream_writer_typing_stream_workers_count: 1 + stream_writer_to_device_stream_workers_count: 1 + stream_writer_account_data_stream_workers_count: 1 + stream_writer_receipts_stream_workers_count: 1 + stream_writer_presence_stream_workers_count: 1 # Controls whether the matrix-synapse container exposes the various worker ports # (see `port` and `metrics_port` in `matrix_synapse_workers_enabled_list`) outside of the container. 
@@ -733,6 +759,27 @@ matrix_synapse_worker_container_labels_public_metrics_middleware_basic_auth_user # another.label="here" matrix_synapse_worker_container_labels_additional_labels: '' +# Room workers +matrix_synapse_workers_room_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['room_workers_count'] }}" +matrix_synapse_workers_room_workers_port_range_start: 28111 +matrix_synapse_workers_room_workers_metrics_range_start: 29111 + +# Sync workers +matrix_synapse_workers_sync_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['sync_workers_count'] }}" +matrix_synapse_workers_sync_workers_port_range_start: 28211 +matrix_synapse_workers_sync_workers_metrics_range_start: 29211 + +# Client reader workers +matrix_synapse_workers_client_reader_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['client_reader_workers_count'] }}" +matrix_synapse_workers_client_reader_workers_port_range_start: 28311 +matrix_synapse_workers_client_reader_workers_metrics_range_start: 29311 + +# Federation reader workers +matrix_synapse_workers_federation_reader_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['federation_reader_workers_count'] }}" +matrix_synapse_workers_federation_reader_workers_port_range_start: 28411 +matrix_synapse_workers_federation_reader_workers_metrics_range_start: 29411 + +# Generic workers matrix_synapse_workers_generic_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['generic_workers_count'] }}" matrix_synapse_workers_generic_workers_port_range_start: 18111 matrix_synapse_workers_generic_workers_metrics_range_start: 19111 diff --git a/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml b/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml index 68b8f37e3..a1bc4cc72 100644 --- a/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml 
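Review bot: The four new `*_port_range_start` values are 100 apart (28111, 28211, 28311, 28411, and 29111 to 29411 for metrics), so a `*_workers_count` of 100 or more makes one worker type's ports run into the next type's range, and the same holds for the metrics ranges. Because the counts come from user-editable presets, either space the ranges further apart or state the limit next to them, e.g. `# 100 ports per worker type: keep each *_workers_count below 100`.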
@@ -4,6 +4,58 @@ # set_fact within a loop does not work reliably in Ansible (it only executes on the first iteration for some reason), # so we're forced to do something much uglier. +- name: Build room workers + ansible.builtin.set_fact: + worker: + id: "room-worker-{{ item }}" + name: "matrix-synapse-worker-room-{{ item }}" + type: 'room_worker' + app: 'generic_worker' + webserving: true + port: "{{ matrix_synapse_workers_room_workers_port_range_start + item }}" + metrics_port: "{{ matrix_synapse_workers_room_workers_metrics_range_start + item }}" + register: "matrix_synapse_workers_list_results_room_workers" + loop: "{{ range(0, matrix_synapse_workers_room_workers_count | int) | list }}" + +- name: Build client sync workers + ansible.builtin.set_fact: + worker: + id: "sync-worker-{{ item }}" + name: "matrix-synapse-worker-sync-{{ item }}" + type: 'sync_worker' + app: 'generic_worker' + webserving: true + port: "{{ matrix_synapse_workers_sync_workers_port_range_start + item }}" + metrics_port: "{{ matrix_synapse_workers_sync_workers_metrics_range_start + item }}" + register: "matrix_synapse_workers_list_results_sync_workers" + loop: "{{ range(0, matrix_synapse_workers_sync_workers_count | int) | list }}" + +- name: Build client reader workers + ansible.builtin.set_fact: + worker: + id: "client-reader-{{ item }}" + name: "matrix-synapse-worker-client-reader-{{ item }}" + type: 'client_reader' + app: 'generic_worker' + webserving: true + port: "{{ matrix_synapse_workers_client_reader_workers_port_range_start + item }}" + metrics_port: "{{ matrix_synapse_workers_client_reader_workers_metrics_range_start + item }}" + register: "matrix_synapse_workers_list_results_client_reader_workers" + loop: "{{ range(0, matrix_synapse_workers_client_reader_workers_count | int) | list }}" + +- name: Build federation reader workers + ansible.builtin.set_fact: + worker: + id: "federation-reader-{{ item }}" + name: "matrix-synapse-worker-federation-reader-{{ item }}" + type: 
'federation_reader' + app: 'generic_worker' + webserving: true + port: "{{ matrix_synapse_workers_federation_reader_workers_port_range_start + item }}" + metrics_port: "{{ matrix_synapse_workers_federation_reader_workers_metrics_range_start + item }}" + register: "matrix_synapse_workers_list_results_federation_reader_workers" + loop: "{{ range(0, matrix_synapse_workers_federation_reader_workers_count | int) | list }}" + - name: Build generic workers ansible.builtin.set_fact: worker: diff --git a/roles/custom/matrix-synapse/vars/main.yml b/roles/custom/matrix-synapse/vars/main.yml index 137a59737..63ad48550 100644 --- a/roles/custom/matrix-synapse/vars/main.yml +++ b/roles/custom/matrix-synapse/vars/main.yml 
@@ -8,6 +8,25 @@ matrix_synapse_media_store_directory_name: "{{ matrix_synapse_media_store_path | # Optionally: `false` to fully disable tls on outbound smtp matrix_synapse_email_smtp_enable_tls: true +# Room workers handle any URL that contains a room id, either through the client-server API or the federation API +# - see https://tcpipuk.github.io/synapse/deployment/nginx.html#locationsconf +matrix_synapse_workers_room_worker_client_server_endpoints: + - ^/_matrix/client/.*?!(?[A-Za-z0-9._=\-\/]+):[A-Za-z0-9.\-]+ +matrix_synapse_workers_room_worker_federation_endpoints: + - ^/_matrix/federation/v[12]/(?:state_ids|get_missing_events)/(?:%21|!)(?[A-Za-z0-9._=\-\/]+)(:|%3A)[A-Za-z0-9.\-]+ + +# Sync workers handle /sync and the (now deprecated) related endpoints +matrix_synapse_workers_sync_worker_client_server_endpoints: + - ^/_matrix/client/(api/v1|r0|v3|unstable)/(sync|events|initialSync|rooms/[^/]+/initialSync)$ + +# Client reader workers handle generic client-server endpoints that don't contain a roomid or sync +matrix_synapse_workers_client_reader_client_server_endpoints: + - ^/_matrix/client/(api/v1|r0|v3|unstable)/(room_keys/|keys/(query|changes|claim|upload/|room_keys/)|login|register(/available|/m.login.registration_token/validity|)|password_policy|profile|rooms/.*/(joined_members|context/.*|members|state|hierarchy|relations/|event/|aliases|timestamp_to_event|redact|send|state/|(join|invite|leave|ban|unban|kick))|createRoom|publicRooms|account/(3pid|whoami|devices)|versions|voip/turnServer|joined_rooms|search|user/.*/filter(/|$)|directory/room/.*|capabilities) + +# Federation reader workers handle generic federation endpoints that don't contain a roomid +matrix_synapse_workers_federation_reader_federation_endpoints: + - ^/_matrix/(federation/(v1|v2)|key/v2)/ + # A Synapse generic worker can handle both federation and client-server API endpoints. # We wish to split these, as we normally serve federation separately and don't want them mixed up. # 
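Review bot: The new endpoint regexes are plain YAML scalars; they parse as written today, but `[^/]+`, `(?:...)`, `|` and `\-` sit one edit away from YAML indicators, and wrapping them in double quotes would turn `\-` and `\/` into invalid escapes, so single quotes are the safe form: `- '^/_matrix/client/(api/v1|r0|v3|unstable)/(sync|events|initialSync|rooms/[^/]+/initialSync)$'`. The same applies to the three `*_override_locations_regex` defaults added to roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml by a later patch in this series.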
From 0175a472d73556eb25ab0cededf25c5e891ac948 Mon Sep 17 00:00:00 2001 From: Charles Wright Date: Tue, 16 Jan 2024 10:02:36 -0600 Subject: [PATCH 002/118] Typo: forgot closing }}'s --- .../conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 index c3164e963..f44823aa8 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 @@ -63,9 +63,9 @@ map $request_uri $room_name { {% endif %} # Round Robin "upstream" pools for workers - {{ render_worker_upstream('room_workers_upstream', room_workers, 'hash $room_name consistent;') - {{ render_worker_upstream('sync_workers_upstream', room_workers, 'hash $mxid_localpart consistent;') - {{ render_worker_upstream('client_reader_workers_upstream', client_reader_workers, 'least_conn;') + {{ render_worker_upstream('room_workers_upstream', room_workers, 'hash $room_name consistent;') }} + {{ render_worker_upstream('sync_workers_upstream', room_workers, 'hash $mxid_localpart consistent;') }} + {{ render_worker_upstream('client_reader_workers_upstream', client_reader_workers, 'least_conn;') }} {{ render_worker_upstream('federation_reader_workers_upstream', federation_reader_workers, 'hash $http_x_forwarded_for;') }} {{ render_worker_upstream('generic_workers_upstream', generic_workers, 'hash $http_x_forwarded_for;') }} From 12a8d535e81ad95fef232aa997c1afc5aa7dc624 Mon Sep 17 00:00:00 2001 
From: Charles Wright Date: Tue, 16 Jan 2024 10:53:20 -0600 Subject: [PATCH 003/118] Move maps inside the if-workers block; Add Tom's map to extract access token from the URI arg --- ...ix-synapse-reverse-proxy-companion.conf.j2 | 45 ++++++++++--------- 1 file changed, 24 insertions(+), 21 deletions(-) diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 index f44823aa8..11619f204 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 @@ -13,27 +13,6 @@ {% set media_repository_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'media_repository') | list %} {% set user_dir_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'user_dir') | list %} - -# Maps from https://tcpipuk.github.io/synapse/deployment/nginx.html#mapsconf -# Client username from MXID -map $http_authorization $mxid_localpart { - default $http_authorization; - "~Bearer syt_(?.*?)_.*" $username; - "" $accesstoken_from_urlparam; -} - -# Whether to upgrade HTTP connection -map $http_upgrade $connection_upgrade { - default upgrade; - '' close; -} - -#Extract room name from URI -map $request_uri $room_name { - ~^/_matrix/(client|federation)/.*?(?:%21|!)(?[A-Za-z0-9._=\-\/]+)(?::|%3A)[A-Za-z0-9._=\-\/]+ $room; -} -# End maps - {% macro render_worker_upstream(name, workers, load_balance) %} {% if workers | length > 0 %} upstream {{ name }} { 
@@ -58,6 +37,30 @@ map $request_uri $room_name { {% endmacro %} {% if matrix_synapse_reverse_proxy_companion_synapse_workers_enabled %} + +# Maps from https://tcpipuk.github.io/synapse/deployment/nginx.html#mapsconf +# Client username from access token +map $arg_access_token $accesstoken_from_urlparam { + default $arg_access_token; + "~syt_(?.*?)_.*" $username; +} +# Client username from MXID +map $http_authorization $mxid_localpart { + default $http_authorization; + "~Bearer syt_(?.*?)_.*" $username; + "" $accesstoken_from_urlparam; +} +# Whether to upgrade HTTP connection +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} +#Extract room name from URI +map $request_uri $room_name { + ~^/_matrix/(client|federation)/.*?(?:%21|!)(?[A-Za-z0-9._=\-\/]+)(?::|%3A)[A-Za-z0-9._=\-\/]+ $room; +} +# End maps + {% if matrix_synapse_reverse_proxy_companion_synapse_cache_enabled %} proxy_cache_path {{ matrix_synapse_reverse_proxy_companion_synapse_cache_path }} levels=1:2 keys_zone={{ matrix_synapse_reverse_proxy_companion_synapse_cache_keys_zone_name }}:{{ matrix_synapse_reverse_proxy_companion_synapse_cache_keys_zone_size }} inactive={{ matrix_synapse_reverse_proxy_companion_synapse_cache_inactive_time }} max_size={{ matrix_synapse_reverse_proxy_companion_synapse_cache_max_size_mb }}m; {% endif %} From 5ca9a7269a3ad6aee0c0c654ca348161cfdc2b2c Mon Sep 17 00:00:00 2001 From: Charles Wright Date: Tue, 16 Jan 2024 10:58:46 -0600 Subject: [PATCH 004/118] Add the new worker types to the list of available worker types --- roles/custom/matrix-synapse/vars/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/custom/matrix-synapse/vars/main.yml b/roles/custom/matrix-synapse/vars/main.yml index 63ad48550..828dcbeab 100644 --- a/roles/custom/matrix-synapse/vars/main.yml +++ b/roles/custom/matrix-synapse/vars/main.yml 
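Review bot: `$mxid_localpart` defaults to the full `$http_authorization` value and `$accesstoken_from_urlparam` to the raw `$arg_access_token`, so whenever a token does not match the `syt_` pattern these variables carry the bearer credential itself; that is acceptable as an upstream hash key, but they must never be added to a `log_format` or emitted through `proxy_set_header`. A comment on the map block would make the constraint visible to the next editor, e.g. `# NOTE: for tokens that do not match the syt_ pattern these variables hold the raw access token — never log or forward them`.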
@@ -261,9 +261,13 @@ matrix_synapse_workers_user_dir_endpoints: matrix_synapse_workers_avail_list: - appservice + - client_reader + - federation_reader - federation_sender - generic_worker - media_repository - pusher + - room_worker + - sync_worker - user_dir ### workers:end From 1379200e9dc8a8064d91a3a7ab14baba3e4ec5d3 Mon Sep 17 00:00:00 2001 From: Charles Wright Date: Tue, 16 Jan 2024 11:13:51 -0600 Subject: [PATCH 005/118] Add new worker types to the dynamic workers list --- .../custom/matrix-synapse/tasks/synapse/workers/init.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml b/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml index a1bc4cc72..8bf8201a0 100644 --- a/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml @@ -182,6 +182,14 @@ matrix_synapse_dynamic_workers_list: "{{ matrix_synapse_dynamic_workers_list | default([]) + [item.ansible_facts.worker] }}" with_items: | {{ + matrix_synapse_workers_list_results_room_workers.results + + + matrix_synapse_workers_list_results_sync_workers.results + + + matrix_synapse_workers_list_results_client_reader_workers.results + + + matrix_synapse_workers_list_results_federation_reader_workers.results + + matrix_synapse_workers_list_results_generic_workers.results + matrix_synapse_workers_list_results_stream_writer_workers.results From 124524ea1fa28f3a2c9573ace834d9f1aa190f26 Mon Sep 17 00:00:00 2001 From: Charles Wright Date: Tue, 16 Jan 2024 11:22:46 -0600 Subject: [PATCH 006/118] Typo: Send sync endpoints to sync workers, not room workers --- .../nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 index 11619f204..781b2edb3 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 @@ -67,7 +67,7 @@ map $request_uri $room_name { # Round Robin "upstream" pools for workers {{ render_worker_upstream('room_workers_upstream', room_workers, 'hash $room_name consistent;') }} - {{ render_worker_upstream('sync_workers_upstream', room_workers, 'hash $mxid_localpart consistent;') }} + {{ render_worker_upstream('sync_workers_upstream', sync_workers, 'hash $mxid_localpart consistent;') }} {{ render_worker_upstream('client_reader_workers_upstream', client_reader_workers, 'least_conn;') }} {{ render_worker_upstream('federation_reader_workers_upstream', federation_reader_workers, 'hash $http_x_forwarded_for;') }} From a1cbe7f39b43b6016543db02b8d6e102e62f2ff9 Mon Sep 17 00:00:00 2001 From: Charles Wright Date: Tue, 16 Jan 2024 16:32:32 -0600 Subject: [PATCH 007/118] Add overrides for locations that must go to the main Synapse process --- .../defaults/main.yml | 4 +- ...ix-synapse-reverse-proxy-companion.conf.j2 | 45 +++++++++++++++++++ 2 files changed, 48 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml index 3f19e3a2b..4a330e7a8 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml 
@@ -220,7 +220,9 @@ matrix_synapse_reverse_proxy_companion_synapse_stream_writer_receipts_stream_wor matrix_synapse_reverse_proxy_companion_synapse_stream_writer_presence_stream_worker_client_server_locations: [] matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations: [] matrix_synapse_reverse_proxy_companion_synapse_user_dir_locations: [] - +matrix_synapse_reverse_proxy_companion_client_server_main_override_locations_regex: ^/_matrix/client/(api/v1|r0|v3|unstable)/(account/3pid/|directory/list/room/|pushrules/|rooms/[^/]+/(forget|upgrade)|login/sso/redirect/|register) +matrix_synapse_reverse_proxy_companion_client_server_sso_override_locations_regex: ^(/_matrix/client/(api/v1|r0|v3|unstable)/login/sso/redirect|/_synapse/client/(pick_username|(new_user_consent|oidc/callback|pick_idp|sso_register)$)) +matrix_synapse_reverse_proxy_companion_federation_override_locations_regex: ^/_matrix/federation/v1/openid/userinfo$ # synapse content caching matrix_synapse_reverse_proxy_companion_synapse_cache_enabled: false diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 index 781b2edb3..81c9ced20 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 
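Review bot: The `register` alternative in `matrix_synapse_reverse_proxy_companion_client_server_main_override_locations_regex` is not anchored, so it also matches `register/available` and `register/m.login.registration_token/validity`, which `matrix_synapse_workers_client_reader_client_server_endpoints` routes to client readers; because the override location is rendered before the worker locations, the override wins for all three. If only the registration call itself must stay on the main process, write `register$` inside the group; otherwise add a comment stating that the whole `register/` subtree is deliberately pinned to the main process.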
@@ -95,6 +95,36 @@ server { gzip_types text/plain application/json; {% if matrix_synapse_reverse_proxy_companion_synapse_workers_enabled %} + # Client-server overrides -- These locations must go to the main Synapse process + location ~ {{ matrix_synapse_reverse_proxy_companion_client_server_main_override_locations_regex }} { + {# FIXME: This block was copied from the main Synapse fallback below. It would be better to have it in one place and avoid duplication. #} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver {{ matrix_synapse_reverse_proxy_companion_http_level_resolver }} valid=5s; + set $backend "{{ matrix_synapse_reverse_proxy_companion_client_api_addr }}"; + proxy_pass http://$backend; + + proxy_set_header Host $host; + + client_body_buffer_size 25M; + client_max_body_size {{ matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb }}M; + proxy_max_temp_file_size 0; + } + + # Client-server SSO overrides -- These locations must go to the main Synapse process + location ~ {{ matrix_synapse_reverse_proxy_companion_client_server_sso_override_locations_regex }} { + {# FIXME: This block was copied from the main Synapse fallback below. It would be better to have it in one place and avoid duplication. #} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver {{ matrix_synapse_reverse_proxy_companion_http_level_resolver }} valid=5s; + set $backend "{{ matrix_synapse_reverse_proxy_companion_client_api_addr }}"; + proxy_pass http://$backend; + + proxy_set_header Host $host; + + client_body_buffer_size 25M; + client_max_body_size {{ matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb }}M; + proxy_max_temp_file_size 0; + } + {# Workers redirects BEGIN #} {% if room_workers | length > 0 %} 
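Review bot: The override blocks interpolate the regex into `location ~ {{ ... }} {` unquoted; nginx requires a location regex that contains `{` / `}` (for example a `{2}` quantifier) or a space to be quoted, so a later edit to one of the `*_override_locations_regex` defaults would make the config fail to load. Writing `location ~ "{{ matrix_synapse_reverse_proxy_companion_client_server_main_override_locations_regex }}" {`, and the same for the SSO block here and the federation block in the next hunk, costs nothing now and removes the trap. The duplication of the fallback body is already acknowledged by the FIXME. The enclosing `server` block starts and ends outside the hunk.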
@@ -203,6 +233,21 @@ server {
 gzip_types text/plain application/json;
 {% if matrix_synapse_reverse_proxy_companion_synapse_workers_enabled %}
+ # Federation overrides -- These locations must go to the main Synapse process
+ location ~ {{ matrix_synapse_reverse_proxy_companion_federation_override_locations_regex }} {
+ {# FIXME: This block was copied from the fallback location below. It would be better to have it in one place and avoid duplication. #}
+ {# Use the embedded DNS resolver in Docker containers to discover the service #}
+ resolver {{ matrix_synapse_reverse_proxy_companion_http_level_resolver }} valid=5s;
+ set $backend "{{ matrix_synapse_reverse_proxy_companion_federation_api_addr }}";
+ proxy_pass http://$backend;
+
+ proxy_set_header Host $host;
+
+ client_body_buffer_size 25M;
+ client_max_body_size {{ matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb }}M;
+ proxy_max_temp_file_size 0;
+ }
+
+
 {% if room_workers | length > 0 %}
 # https://tcpipuk.github.io/synapse/deployment/workers.html
 {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_room_worker_federation_locations, 'room_workers_upstream') }}
From 0dbdaf5b9f2e339684e8c916787cf623b20a2cab Mon Sep 17 00:00:00 2001
From: Charles Wright
Date: Tue, 16 Jan 2024 16:51:23 -0600
Subject: [PATCH 008/118] Enable HTTP resources for new worker types
---
 .../matrix-synapse/templates/synapse/worker.yaml.j2 | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2
index 18b96a55f..738f0fa33 100644
--- a/roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2
@@ -7,10 +7,17 @@ worker_log_config: /data/{{ matrix_server_fqn_matrix }}.log.config
 {% set http_resources = [] %}
-{% if matrix_synapse_worker_details.type == 'user_dir' %}
+{% if matrix_synapse_worker_details.type == 'room_worker' %}
+ {% set http_resources = http_resources + ['client', 'federation'] %}
+{% elif matrix_synapse_worker_details.type == 'sync_worker' %}
 {% set http_resources = http_resources + ['client'] %}
-{% endif %}
-{% if matrix_synapse_worker_details.type == 'generic_worker' %}
+{% elif matrix_synapse_worker_details.type == 'client_reader' %}
+ {% set http_resources = http_resources + ['client'] %}
+{% elif matrix_synapse_worker_details.type == 'federation_reader' %}
+ {% set http_resources = http_resources + ['federation'] %}
+{% elif matrix_synapse_worker_details.type == 'user_dir' %}
+ {% set http_resources = http_resources + ['client'] %}
+{% elif matrix_synapse_worker_details.type == 'generic_worker' %}
 {% set http_resources = http_resources + ['client', 'federation'] %}
 {% endif %}
 {#
From 55604f73c5d0726e006a936af8d302bdcafa0cff Mon Sep 17 00:00:00 2001
From: Charles Wright
Date: Tue, 16 Jan 2024 17:24:13 -0600
Subject: [PATCH 009/118] Bugfix: Locations for new workers must go *after* the stream writers
---
 ...ix-synapse-reverse-proxy-companion.conf.j2 | 30 +++++++++----------
 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2
index 81c9ced20..dcb6ebeea 100644
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2
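Review bot: The `sync_worker`, `client_reader` and `user_dir` branches all assign the same `['client']` list, and `room_worker` and `generic_worker` both assign `['client', 'federation']`, so the six-way chain can collapse to two tests, e.g. `{% elif matrix_synapse_worker_details.type in ['sync_worker', 'client_reader', 'user_dir'] %}` with a single `{% set %}` under it. Any worker type not named in the chain leaves `http_resources` as the empty list set just above the hunk; a one-line comment stating that this is intended for worker types without an HTTP listener (presumably the stream writers and senders handled further down, outside the hunk) would make that silent fall-through deliberate. The template continues beyond the hunk.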
@@ -127,21 +127,6 @@ server {
 {# Workers redirects BEGIN #}
- {% if room_workers | length > 0 %}
- # https://tcpipuk.github.io/synapse/deployment/workers.html
- {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_room_worker_client_server_locations, 'room_workers_upstream') }}
- {% endif %}
-
- {% if sync_workers | length > 0 %}
- # https://tcpipuk.github.io/synapse/deployment/workers.html
- {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_sync_worker_client_server_locations, 'sync_workers_upstream') }}
- {% endif %}
-
- {% if client_reader_workers | length > 0 %}
- # https://tcpipuk.github.io/synapse/deployment/workers.html
- {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_client_reader_client_server_locations, 'client_reader_workers_upstream') }}
- {% endif %}
-
 {% if generic_workers | length > 0 %}
 # https://matrix-org.github.io/synapse/latest/workers.html#synapseappgeneric_worker
 {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_generic_worker_client_server_locations, 'generic_workers_upstream') }}
@@ -172,6 +157,21 @@ server {
 {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_presence_stream_worker_client_server_locations, 'stream_writer_presence_stream_workers_upstream') }}
 {% endif %}
+ {% if room_workers | length > 0 %}
+ # https://tcpipuk.github.io/synapse/deployment/workers.html
+ {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_room_worker_client_server_locations, 'room_workers_upstream') }}
+ {% endif %}
+
+ {% if sync_workers | length > 0 %}
+ # https://tcpipuk.github.io/synapse/deployment/workers.html
+ {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_sync_worker_client_server_locations, 'sync_workers_upstream') }}
+ {% endif %}
+
+ {% if client_reader_workers | length > 0 %}
+ # https://tcpipuk.github.io/synapse/deployment/workers.html
+ {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_client_reader_client_server_locations, 'client_reader_workers_upstream') }}
+ {% endif %}
+
 {% if media_repository_workers | length > 0 %}
 # https://matrix-org.github.io/synapse/latest/workers.html#synapseappmedia_repository
 {% for location in matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations %}
From f9ea76f034eac41b5b4cfd9f775e6bb0eace8f08 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Wed, 17 Jan 2024 11:51:53 +0200
Subject: [PATCH 010/118] Upgrade systemd_service_manager (v1.0.0-3 -> v1.0.0-4)
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index ff581863d..258ace316 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -61,7 +61,7 @@
 version: v1.0.0-2
 name: systemd_docker_base
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git
- version: v1.0.0-3
+ version: v1.0.0-4
 name: systemd_service_manager
 - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
 version: v1.0.0-0
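Review bot: The fix depends entirely on file order — nginx selects the first matching `location ~` — yet nothing in the template records that the room/sync/client-reader blocks must follow the stream-writer locations, so the next tidy-up can reintroduce the bug named in the commit title. A comment above the moved `{% if room_workers | length > 0 %}` block such as `{# Keep these after the stream-writer locations: their regexes are broader and nginx uses the first matching regex location #}` would pin the arrangement; the "broader regex" reason is inferred from the commit title, so adjust if the cause differs. The enclosing `server` block continues outside the hunk.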
From 0bf8aec8f3c5b37dfb99046ff2c04e2f93453af1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 17 Jan 2024 11:52:46 +0200 Subject: [PATCH 011/118] Adjust service priorities to better reflect our new dependencies Traefik also serves an internal entrypoint that all addon services (bridges, bots, etc.) depend on, so it makes sense to have it be available early on. It is injected as a systemd `required` dependency for all services, so it would have been pulled earlier anyway (despite the priority). Nevertheless, it's better to make the playbook-defined priorities for services match, so that services are explicitly asked to start in a more correct order. With these changes in place now, all "start service" tasks executed by Ansible cause a "change", indicating that all these services are started in the correct order and none of them is unintentionally started as a dependency for another. --- group_vars/matrix_servers | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index a33aa35a5..43127fe3b 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers
@@ -218,17 +218,18 @@ matrix_homeserver_sliding_sync_url: "{{ matrix_sliding_sync_base_url if matrix_s
 # Additional JVB workers (jitsi_jvb.yml -- roles/galaxy/jitsi/tasks/init_additional_jvb.yml) override this variable at runtime as well.
 #
 # Priority levels are like this:
+# - Traefik starts first with a level of 250, so that:
+# - it can get an early start on obtaining SSL certificates and routing to other services as soon as they start (later)
+# - so that addon services (starting later) can communicte with the homeserver via Traefik's internal entrypoint
+# (see `matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled`)
 # - core services (the homeserver) get a level of ~1000
-# - services that core services depend on (database, Redis, ntfy, etc.) get a lower level - between 500 and 1000
+# - services that the homeserver depends on (database, Redis, ntfy, Coturn, etc.) get a lower level - between 500 and 1000
 # - reverse-proxying services get level 3000
 # - Matrix utility services (bridges, bots) get a level of 2000/2200, so that:
 # - they can start before the reverse-proxy
 # - so that, when the reverse-proxy is up (Matrix is up), all bots and bridges can be interacted with
 # - monitoring services (Prometheus, Grafana, ..) get a level of 4000 - they can start later than all-of-Matrix
 # - services which aren't time-sensitive (various crons and timers) get a level of 5000 - they can start later than all-of-Matrix
-#
-# `matrix-bot-postmoogle.service` has a higher priority number (4000), unlike other bots' priority (2200),
-# because it requires SSL certificates. If Traefik is used, then Postmoogle needs to start at least after Traefik (3500) and Traefik certs dumper (3500).
 devture_systemd_service_manager_services_list_auto: |
 {{ ([{'name': (backup_borg_identifier + '.timer'), 'priority': 5000, 'groups': ['matrix', 'backup', 'borg']}] if backup_borg_enabled else [])
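Review bot: The added bullets say Traefik now starts first at 250, but the untouched bullets directly below still state `reverse-proxying services get level 3000` and that bridges/bots at 2000/2200 `can start before the reverse-proxy`, which contradicts the new numbers in the `@@ -397,11 +398,11 @@` hunk of this commit (socket proxy 200, Traefik 250, certs dumper 300). Those two bullets need rewriting to match, e.g. `# - reverse-proxying services (container socket proxy, Traefik, certs dumper) get levels 200-300, so that they are up before anything they route to`, and the bots bullet should drop the "before the reverse-proxy" rationale. Also `communicte` in the third added line should be `communicate`. The `devture_systemd_service_manager_services_list_auto` definition continues outside the hunk.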
@@ -249,7 +250,7 @@ devture_systemd_service_manager_services_list_auto: |
 +
 ([{'name': 'matrix-bot-draupnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'draupnir', 'bot-draupnir']}] if matrix_bot_draupnir_enabled else [])
 +
- ([{'name': 'matrix-bot-postmoogle.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'postmoogle', 'bot-postmoogle']}] if matrix_bot_postmoogle_enabled else [])
+ ([{'name': 'matrix-bot-postmoogle.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'postmoogle', 'bot-postmoogle']}] if matrix_bot_postmoogle_enabled else [])
 +
 ([{'name': 'matrix-bot-chatgpt.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'chatgpt', 'bot-chatgpt']}] if matrix_bot_chatgpt_enabled else [])
 +
@@ -329,7 +330,7 @@ devture_systemd_service_manager_services_list_auto: |
 +
 ([{'name': 'matrix-corporal.service', 'priority': 1500, 'groups': ['matrix', 'corporal']}] if matrix_corporal_enabled else [])
 +
- ([{'name': 'matrix-coturn.service', 'priority': 4000, 'groups': ['matrix', 'coturn']}] if matrix_coturn_enabled else [])
+ ([{'name': 'matrix-coturn.service', 'priority': 900, 'groups': ['matrix', 'coturn']}] if matrix_coturn_enabled else [])
 +
 ([{'name': 'matrix-rageshake.service', 'priority': 4000, 'groups': ['matrix', 'rageshake']}] if matrix_rageshake_enabled else [])
 +
@@ -359,7 +360,7 @@ devture_systemd_service_manager_services_list_auto: |
 +
 ([{'name': (matrix_media_repo_identifier + '.service'), 'priority': 4000, 'groups': ['matrix', 'matrix-media-repo']}] if matrix_media_repo_enabled else [])
 +
- ([{'name': (exim_relay_identifier ~ '.service'), 'priority': 2000, 'groups': ['matrix', 'mailer', 'exim-relay']}] if exim_relay_enabled else [])
+ ([{'name': (exim_relay_identifier ~ '.service'), 'priority': 800, 'groups': ['matrix', 'mailer', 'exim-relay']}] if exim_relay_enabled else [])
 +
 ([{'name': (ntfy_identifier + '.service'), 'priority': 800, 'groups': ['matrix', 'ntfy']}] if ntfy_enabled else [])
 +
@@ -379,7 +380,7 @@ devture_systemd_service_manager_services_list_auto: |
 +
 ([{'name': 'matrix-registration.service', 'priority': 4000, 'groups': ['matrix', 'registration', 'matrix-registration']}] if matrix_registration_enabled else [])
 +
- ([{'name': 'matrix-sliding-sync.service', 'priority': 4000, 'groups': ['matrix', 'sliding-sync']}] if matrix_sliding_sync_enabled else [])
+ ([{'name': 'matrix-sliding-sync.service', 'priority': 1500, 'groups': ['matrix', 'sliding-sync']}] if matrix_sliding_sync_enabled else [])
 +
 ([{'name': 'matrix-sygnal.service', 'priority': 800, 'groups': ['matrix', 'sygnal']}] if matrix_sygnal_enabled else [])
 +
@@ -397,11 +398,11 @@ devture_systemd_service_manager_services_list_auto: |
 +
 ([{'name': (matrix_static_files_identifier + '.service'), 'priority': 4000, 'groups': ['matrix', 'matrix-static-files']}] if matrix_static_files_enabled else [])
 +
- ([{'name': (devture_container_socket_proxy_identifier + '.service'), 'priority': 2900, 'groups': ['matrix', 'reverse-proxies', 'container-socket-proxy']}] if devture_container_socket_proxy_enabled else [])
+ ([{'name': (devture_container_socket_proxy_identifier + '.service'), 'priority': 200, 'groups': ['matrix', 'reverse-proxies', 'container-socket-proxy']}] if devture_container_socket_proxy_enabled else [])
 +
- ([{'name': (devture_traefik_identifier + '.service'), 'priority': 3000, 'groups': ['matrix', 'traefik', 'reverse-proxies']}] if devture_traefik_enabled else [])
+ ([{'name': (devture_traefik_identifier + '.service'), 'priority': 250, 'groups': ['matrix', 'traefik', 'reverse-proxies']}] if devture_traefik_enabled else [])
 +
- ([{'name': (devture_traefik_certs_dumper_identifier + '.service'), 'priority': 3500, 'groups': ['matrix', 'traefik-certs-dumper']}] if devture_traefik_certs_dumper_enabled else [])
+ ([{'name': (devture_traefik_certs_dumper_identifier + '.service'), 'priority': 300, 'groups': ['matrix', 'traefik-certs-dumper']}] if devture_traefik_certs_dumper_enabled else [])
 }}
 ########################################################################
From 3ba0642bcfec4906e2ab9a687a704e9f214d2e4f Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Wed, 17 Jan 2024 12:21:19 +0200
Subject: [PATCH 012/118] Increase delay after starting of matrix-synapse
10 seconds is a better default for slower (or overloaded) servers
---
 .../templates/synapse/systemd/matrix-synapse.service.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
index 2ed1bbd49..788bfaf2b 100644
--- a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
@@ -68,7 +68,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach m
 # Intentional delay, so that the homeserver can manage to start and various services
 # that depend on it (After/Requires) may only start after the homeserver is up and running.
-ExecStartPost=-{{ matrix_host_command_sleep }} 5
+ExecStartPost=-{{ matrix_host_command_sleep }} 10
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-synapse 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-synapse 2>/dev/null || true'
From cd06e044977c57aea3e2692edce4a0a86a991219 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Wed, 17 Jan 2024 12:24:11 +0200
Subject: [PATCH 013/118] Make post-start delay for matrix-synapse configurable
---
 roles/custom/matrix-synapse/defaults/main.yml | 9 +++++++++
 .../templates/synapse/systemd/matrix-synapse.service.j2 | 6 +++---
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml
index 0da535fd8..2a8143ff3 100644
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -322,6 +322,15 @@ matrix_synapse_systemd_wanted_services_list_default: []
 matrix_synapse_systemd_wanted_services_list_auto: []
 matrix_synapse_systemd_wanted_services_list_custom: []
+# Controls how long to sleep for after starting the matrix-synapse container.
+#
+# Delaying, so that the homeserver can manage to fully start and various services
+# that depend on it (`matrix_synapse_systemd_required_services_list` and `matrix_synapse_systemd_wanted_services_list`)
+# may only start after the homeserver is up and running.
+#
+# This can be set to 0 to remove the delay.
+matrix_synapse_systemd_service_post_start_delay_seconds: 10
+
 matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.11/site-packages"
 # Specifies which template files to use when configuring Synapse.
diff --git a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
index 788bfaf2b..3d9d5f5af 100644
--- a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
@@ -66,9 +66,9 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network conne
 ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-synapse
-# Intentional delay, so that the homeserver can manage to start and various services
-# that depend on it (After/Requires) may only start after the homeserver is up and running.
-ExecStartPost=-{{ matrix_host_command_sleep }} 10
+{% if matrix_synapse_systemd_service_post_start_delay_seconds > 0 %}
+ExecStartPost=-{{ matrix_host_command_sleep }} {{ matrix_synapse_systemd_service_post_start_delay_seconds }}
+{% endif %}
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-synapse 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-synapse 2>/dev/null || true'
From 4407403ab726f5dd2a97da4406b527821749e2df Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Wed, 17 Jan 2024 12:25:31 +0200
Subject: [PATCH 014/118] Make post-start delay for matrix-dendrite configurable
---
 roles/custom/matrix-dendrite/defaults/main.yml | 9 +++++++++
 .../templates/systemd/matrix-dendrite.service.j2 | 6 +++---
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml
index d957c556e..d602a860e 100644
--- a/roles/custom/matrix-dendrite/defaults/main.yml
+++ b/roles/custom/matrix-dendrite/defaults/main.yml
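Review bot: The rewrite drops the `# Intentional delay ...` comment, so anyone inspecting the rendered unit (e.g. with `systemctl cat`) now sees a bare `ExecStartPost=-... sleep 10` with no explanation of why the homeserver unit pauses after start. Keeping a one-line comment inside the `{% if %}` preserves that, e.g. `# Intentional delay (matrix_synapse_systemd_service_post_start_delay_seconds), so that dependent services only start once the homeserver is up.` The same comment is dropped in the dendrite and conduit unit hunks later in this series. The unit file continues outside the hunk.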
@@ -186,6 +186,15 @@ matrix_dendrite_systemd_wanted_services_list_default: ["docker.service"]
 matrix_dendrite_systemd_wanted_services_list_auto: []
 matrix_dendrite_systemd_wanted_services_list_custom: []
+# Controls how long to sleep for after starting the matrix-dendrite container.
+#
+# Delaying, so that the homeserver can manage to fully start and various services
+# that depend on it (`matrix_dendrite_systemd_required_services_list` and `matrix_dendrite_systemd_wanted_services_list`)
+# may only start after the homeserver is up and running.
+#
+# This can be set to 0 to remove the delay.
+matrix_dendrite_systemd_service_post_start_delay_seconds: 3
+
 # Specifies which template files to use when configuring Dendrite.
 # If you'd like to have your own different configuration, feel free to copy and paste
 # the original files into your inventory (e.g. in `inventory/host_vars//`)
diff --git a/roles/custom/matrix-dendrite/templates/systemd/matrix-dendrite.service.j2 b/roles/custom/matrix-dendrite/templates/systemd/matrix-dendrite.service.j2
index ba2fe29d1..0a06dda6e 100644
--- a/roles/custom/matrix-dendrite/templates/systemd/matrix-dendrite.service.j2
+++ b/roles/custom/matrix-dendrite/templates/systemd/matrix-dendrite.service.j2
@@ -63,9 +63,9 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network conne
 ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-dendrite
-# Intentional delay, so that the homeserver can manage to start and various services
-# that depend on it (After/Requires) may only start after the homeserver is up and running.
-ExecStartPost=-{{ matrix_host_command_sleep }} 3
+{% if matrix_dendrite_systemd_service_post_start_delay_seconds != 0 %}
+ExecStartPost=-{{ matrix_host_command_sleep }} {{ matrix_dendrite_systemd_service_post_start_delay_seconds }}
+{% endif %}
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-dendrite 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-dendrite 2>/dev/null || true'
From f3a9a2b35e3f8b50fecb2b753fac5284ec213986 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Wed, 17 Jan 2024 12:26:28 +0200
Subject: [PATCH 015/118] Make post-start delay for matrix-conduit configurable
---
 roles/custom/matrix-conduit/defaults/main.yml | 9 +++++++++
 .../templates/systemd/matrix-conduit.service.j2 | 6 +++---
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/roles/custom/matrix-conduit/defaults/main.yml b/roles/custom/matrix-conduit/defaults/main.yml
index 1872515fe..37d83fd10 100644
--- a/roles/custom/matrix-conduit/defaults/main.yml
+++ b/roles/custom/matrix-conduit/defaults/main.yml
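Review bot: The guard is `!= 0` here (and again in the conduit unit hunk at `@@ -36,9 +36,9 @@`), whereas the synapse unit in the previous commit uses `> 0`; a negative value therefore renders `ExecStartPost=-... sleep -3`, which sleep rejects, and the leading `-` on the directive then swallows the failure so nobody notices. Using the same condition as the synapse template, `{% if matrix_dendrite_systemd_service_post_start_delay_seconds > 0 %}`, keeps the three homeserver roles consistent and makes a negative value a no-op instead of a silently failing command. Validating the variable as a non-negative integer in the role's validate_config task would be stricter still, but that file is not part of this diff. The unit file continues outside the hunk.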
@@ -30,6 +30,15 @@ matrix_conduit_systemd_required_services_list_custom: []
 # List of systemd services that matrix-conduit.service wants
 matrix_conduit_systemd_wanted_services_list: []
+# Controls how long to sleep for after starting the matrix-synapse container.
+#
+# Delaying, so that the homeserver can manage to fully start and various services
+# that depend on it (`matrix_conduit_systemd_required_services_list` and `matrix_conduit_systemd_wanted_services_list`)
+# may only start after the homeserver is up and running.
+#
+# This can be set to 0 to remove the delay.
+matrix_conduit_systemd_service_post_start_delay_seconds: 3
+
 # The base container network. It will be auto-created by this role if it doesn't exist already.
 matrix_conduit_container_network: ""
diff --git a/roles/custom/matrix-conduit/templates/systemd/matrix-conduit.service.j2 b/roles/custom/matrix-conduit/templates/systemd/matrix-conduit.service.j2
index 1e29cf888..4084f6a11 100644
--- a/roles/custom/matrix-conduit/templates/systemd/matrix-conduit.service.j2
+++ b/roles/custom/matrix-conduit/templates/systemd/matrix-conduit.service.j2
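Review bot: The first comment line on the new variable says `after starting the matrix-synapse container`, but this is the Conduit role's defaults file; it should read `# Controls how long to sleep for after starting the matrix-conduit container.` The rest of the comment already names the correct `matrix_conduit_systemd_required_services_list` and `matrix_conduit_systemd_wanted_services_list`, so only that first line was carried over unchanged from the synapse copy.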
@@ -36,9 +36,9 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network conne
 ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-conduit
-# Intentional delay, so that the homeserver can manage to start and various services
-# that depend on it (After/Requires) may only start after the homeserver is up and running.
-ExecStartPost=-{{ matrix_host_command_sleep }} 3
+{% if matrix_conduit_systemd_service_post_start_delay_seconds != 0 %}
+ExecStartPost=-{{ matrix_host_command_sleep }} {{ matrix_conduit_systemd_service_post_start_delay_seconds }}
+{% endif %}
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-conduit 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-conduit 2>/dev/null || true'
From 042c74f90c6eaf680ac7df6f0cca4e79800be0bb Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Wed, 17 Jan 2024 14:45:19 +0200
Subject: [PATCH 016/118] Remove some useless oidc variables and /_synapse/oidc route handling
After some checking, it seems like there's `/_synapse/client/oidc`, but no such thing as `/_synapse/oidc`. I'm not sure why we've been reverse-proxying these paths for so long (even in as far back as the `matrix-nginx-proxy` days), but it's time we put a stop to it. The OIDC docs have been simplified. There's no need to ask people to expose the useless `/_synapse/oidc` endpoint. OIDC requires `/_synapse/client/oidc` and `/_synapse/client` is exposed by default already.
---
 docs/configuring-playbook-synapse.md | 2 --
 group_vars/matrix_servers | 1 -
 .../defaults/main.yml | 11 -------
 .../tasks/validate_config.yml | 1 -
 .../templates/labels.j2 | 29 -------------------
 roles/custom/matrix-synapse/defaults/main.yml | 14 ---------
 .../matrix-synapse/tasks/validate_config.yml | 1 -
 .../templates/synapse/labels.j2 | 29 -------------------
 .../tasks/validate_config.yml | 22 ++++++++++++++
 9 files changed, 22 insertions(+), 88 deletions(-)
diff --git a/docs/configuring-playbook-synapse.md b/docs/configuring-playbook-synapse.md
index 81d945ef5..e9a3c3520 100644
--- a/docs/configuring-playbook-synapse.md
+++ b/docs/configuring-playbook-synapse.md
@@ -73,8 +73,6 @@ matrix_synapse_oidc_providers:
 backchannel_logout_enabled: true # Optional
 ```
-**NOTE**: if you inject the OIDC configuration using `matrix_synapse_configuration_extension_yaml` (instead of `matrix_synapse_oidc_enabled: true` + `matrix_synapse_oidc_providers` as explained above), then the OIDC routes (`/_synapse/oidc`) will not be publicly exposed automatically. In such a case, you'd need to expose them manually by toggling: `matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled: true`.
-
 ## Customizing templates
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 43127fe3b..d9456a3e8 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -4071,7 +4071,6 @@ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver
 matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname: "{{ matrix_server_fqn_matrix }}"
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_enabled: "{{ matrix_synapse_container_labels_public_client_synapse_client_api_enabled }}"
-matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_enabled: "{{ matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled }}"
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_enabled: "{{ matrix_synapse_container_labels_public_client_synapse_admin_api_enabled }}"
 matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_synapse_container_labels_public_federation_api_traefik_entrypoints }}"
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml
index 6aebc2449..5ab3b85a6 100644
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml
@@ -85,17 +85,6 @@ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_cl
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_entrypoints != 'web' }}"
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming
-# Controls whether labels will be added that expose the /_synapse/oidc paths
-# Enable this if you need OpenID Connect authentication support.
-matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_enabled: false
-matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"
-matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_path_prefix: /_synapse/oidc
-matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_path_prefix }}`)"
-matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_priority: 0
-matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}"
-matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_entrypoints != 'web' }}"
-matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming
-
 # Controls whether labels will be added that expose the /_synapse/admin paths
 # Following these recommendations (https://github.com/element-hq/synapse/blob/master/docs/reverse_proxy.md), by default, we don't.
 matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_enabled: false
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/validate_config.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/validate_config.yml
index 5aac71e72..92d89b57a 100644
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/validate_config.yml
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/validate_config.yml
@@ -11,7 +11,6 @@
 - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_enabled }}"}
 - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_enabled }}"}
- - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_enabled }}"}
 - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_enabled }}"}
 - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_enabled }}"}
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/labels.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/labels.j2
index e2a580aca..44c7e7a82 100644
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/labels.j2
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/labels.j2
@@ -91,35 +91,6 @@ traefik.http.routers.matrix-synapse-reverse-proxy-companion-public-client-synaps
 {% endif %}
-{% if matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_enabled %}
-############################################################
-# #
-# Public Synapse OIDC API (/_synapse/oidc) #
-# #
-############################################################
-
-traefik.http.routers.matrix-synapse-reverse-proxy-companion-public-client-synapse-oidc-api.rule={{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_rule }}
-
-{% if matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_priority | int > 0 %}
-traefik.http.routers.matrix-synapse-reverse-proxy-companion-public-client-synapse-oidc-api.priority={{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_priority }}
-{% endif %}
-
-traefik.http.routers.matrix-synapse-reverse-proxy-companion-public-client-synapse-oidc-api.service=matrix-synapse-reverse-proxy-companion-client-api
-traefik.http.routers.matrix-synapse-reverse-proxy-companion-public-client-synapse-oidc-api.entrypoints={{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_entrypoints }}
-traefik.http.routers.matrix-synapse-reverse-proxy-companion-public-client-synapse-oidc-api.tls={{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_tls | to_json }}
-
-{% if matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_tls %}
-traefik.http.routers.matrix-synapse-reverse-proxy-companion-public-client-synapse-oidc-api.tls.certResolver={{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_tls_certResolver }}
-{% endif %}
-
-############################################################
-# #
-# /Public Synapse OIDC API (/_synapse/oidc) #
-# #
-############################################################
-{% endif %}
-
-
 {% if matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_enabled %}
 ############################################################
 # #
diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml
index 2a8143ff3..008166f08 100644
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -183,7 +183,6 @@ matrix_synapse_container_labels_traefik_hostname: ''
 # When set to false, variables like the following take no effect:
 # - `matrix_synapse_container_labels_public_client_api_enabled`
 # - `matrix_synapse_container_labels_public_client_synapse_client_api_enabled`
-# - `matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled`
 # - `matrix_synapse_container_labels_public_client_synapse_admin_api_enabled`
 # - `matrix_synapse_container_labels_public_federation_api_enabled`
 #
@@ -236,19 +235,6 @@ matrix_synapse_container_labels_public_client_synapse_client_api_traefik_entrypo
 matrix_synapse_container_labels_public_client_synapse_client_api_traefik_tls: "{{ matrix_synapse_container_labels_public_client_synapse_client_api_traefik_entrypoints != 'web' }}"
 matrix_synapse_container_labels_public_client_synapse_client_api_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}" # noqa var-naming
-# Controls whether labels will be added that expose the /_synapse/oidc paths
-# Enable this if you need OpenID Connect authentication support.
-# Regardless of whether this is enabled, it may or may not take effect due to the value of other variables.
-# See `matrix_synapse_container_labels_traefik_enabled` or `matrix_synapse_container_labels_matrix_related_labels_enabled`
-matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled: "{{ matrix_synapse_oidc_enabled }}"
-matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_hostname: "{{ matrix_synapse_container_labels_traefik_hostname }}"
-matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_path_prefix: /_synapse/oidc
-matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_rule: "Host(`{{ matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_path_prefix }}`)"
-matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_priority: 0
-matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_entrypoints: "{{ matrix_synapse_container_labels_traefik_entrypoints }}"
-matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_tls: "{{ matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_entrypoints != 'web' }}"
-matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}" # noqa var-naming
-
 # Controls whether labels will be added that expose the /_synapse/admin paths
 # Following these recommendations (https://github.com/element-hq/synapse/blob/master/docs/reverse_proxy.md), by default, we don't.
 # Regardless of whether this is enabled, it may or may not take effect due to the value of other variables.
diff --git a/roles/custom/matrix-synapse/tasks/validate_config.yml b/roles/custom/matrix-synapse/tasks/validate_config.yml
index cea1d4bee..ab389a432 100644
--- a/roles/custom/matrix-synapse/tasks/validate_config.yml
+++ b/roles/custom/matrix-synapse/tasks/validate_config.yml
@@ -24,7 +24,6 @@
 - {'name': 'matrix_synapse_container_labels_internal_client_api_traefik_entrypoints', when: "{{ matrix_synapse_container_labels_internal_client_api_enabled }}"}
 - {'name': 'matrix_synapse_container_labels_public_client_synapse_client_api_traefik_hostname', when: "{{ matrix_synapse_container_labels_public_client_synapse_client_api_enabled }}"}
- - {'name': 'matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_hostname', when: "{{ matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled }}"}
 - {'name': 'matrix_synapse_container_labels_public_client_synapse_admin_api_traefik_hostname', when: "{{ matrix_synapse_container_labels_public_client_synapse_admin_api_enabled }}"}
 - {'name': 'matrix_synapse_container_labels_public_federation_api_traefik_hostname', when: "{{ matrix_synapse_container_labels_public_federation_api_enabled }}"}
diff --git a/roles/custom/matrix-synapse/templates/synapse/labels.j2 b/roles/custom/matrix-synapse/templates/synapse/labels.j2
index 9d68227ca..fd472b3fc 100644
--- a/roles/custom/matrix-synapse/templates/synapse/labels.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/labels.j2
@@ -142,35 +142,6 @@ traefik.http.routers.matrix-synapse-public-client-synapse-client-api.tls.certRes
 {% endif %}
-{% if matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled %}
-############################################################
-# #
-# Public Synapse OIDC API (/_synapse/oidc) #
-# #
-############################################################
-
-traefik.http.routers.matrix-synapse-public-client-synapse-oidc-api.rule={{ matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_rule }}
-
-{% if matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_priority | int > 0 %}
-traefik.http.routers.matrix-synapse-public-client-synapse-oidc-api.priority={{ matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_priority }}
-{% endif %}
-
-traefik.http.routers.matrix-synapse-public-client-synapse-oidc-api.service=matrix-synapse-client-api
-traefik.http.routers.matrix-synapse-public-client-synapse-oidc-api.entrypoints={{ matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_entrypoints }}
-traefik.http.routers.matrix-synapse-public-client-synapse-oidc-api.tls={{ matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_tls | to_json }}
-
-{% if matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_tls %}
-traefik.http.routers.matrix-synapse-public-client-synapse-oidc-api.tls.certResolver={{ matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_tls_certResolver }}
-{% endif %}
-
-############################################################
-# #
-# /Public Synapse OIDC API (/_synapse/oidc) #
-# #
-############################################################
-{% endif %}
-
-
 {% if matrix_synapse_container_labels_public_client_synapse_admin_api_enabled %}
 ############################################################
 # #
diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml
index 982107080..bc428b386 100644
--- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml
+++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml
@@ -339,3 +339,25 @@
 You should remove all its variables (`matrix_ssl_*`) from your vars.yml file.
 We found usage of the following variables: {{ matrix_playbook_migration_ssl_migration_vars.keys() | join(', ') }}
 when: "matrix_playbook_migration_ssl_migration_vars | length > 0"
+
+- block:
+ - ansible.builtin.set_fact:
+ matrix_playbook_migration_matrix_synapse_container_labels_public_client_synapse_oidc_vars: |-
+ {{ vars | dict2items | selectattr('key', 'match', 'matrix_synapse_container_labels_public_client_synapse_oidc_*') | list | items2dict }}
+
+ - name: (Deprecation) Catch and report matrix_ssl variables
+ ansible.builtin.fail:
+ msg: >-
+ We found usage of the following variables which are now removed: {{ matrix_playbook_migration_matrix_synapse_container_labels_public_client_synapse_oidc_vars.keys() | join(', ') }}
+ when: "matrix_playbook_migration_matrix_synapse_container_labels_public_client_synapse_oidc_vars | length > 0"
+
+- block:
+ - ansible.builtin.set_fact:
+ matrix_playbook_migration_matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_vars: |-
+ {{ vars | dict2items | selectattr('key', 'match', 'matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_*') | list | items2dict }}
+
+ - name: (Deprecation) Catch and report matrix_ssl variables
+ ansible.builtin.fail:
+ msg: >-
+ We found usage of the following variables which are now removed: {{ matrix_playbook_migration_matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_vars.keys() | join(', ') }}
+ when: "matrix_playbook_migration_matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_vars | length > 0"
From 28a26dde4e511d47fc73a273baae39b9021755aa Mon Sep 17 00:00:00 2001
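Review bot: Both new `name:` lines read `(Deprecation) Catch and report matrix_ssl variables`, copied from the `matrix_ssl` block above, although these tasks report leftover `matrix_synapse_container_labels_public_client_synapse_oidc_*` and `matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_*` variables; the task name is what an operator sees when the play fails, so it should say e.g. `- name: (Deprecation) Catch and report matrix_synapse_container_labels_public_client_synapse_oidc variables` (and the companion equivalent in the second block). The `selectattr('key', 'match', ...)` pattern is a regex, so the trailing `_*` means "zero or more underscores" rather than a wildcard; it still matches every key with that prefix, but `..._oidc_.*` states the intent. The `msg` only says the variables are "now removed"; naming the reason (the `/_synapse/oidc` label exposure removed elsewhere in this commit) would save the operator a search.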
From: Slavi Pantaleev
Date: Wed, 17 Jan 2024 16:57:06 +0200
Subject: [PATCH 017/118] Make it safer to reference variables from alternative homeserver implementations
This allows people to not include the `matrix-conduit` or `matrix-dendrite` roles in their custom playbook (based on our roles) and still not have the playbook choke on variables from these roles missing. For getting rid of the `matrix-synapse` role in a similar way, more work is likely necessary.
---
 group_vars/matrix_servers | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index d9456a3e8..1354a5aed 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -471,18 +471,18 @@ matrix_homeserver_systemd_services_list: |-
 matrix_homeserver_container_client_api_endpoint: |-
 {{
 {
- 'synapse': ('matrix-synapse-reverse-proxy-companion:8008' if matrix_synapse_reverse_proxy_companion_enabled else 'matrix-synapse:'+ matrix_synapse_container_client_api_port|string),
- 'dendrite': ('matrix-dendrite:' + matrix_dendrite_http_bind_port|string),
- 'conduit': ('matrix-conduit:' + matrix_conduit_port_number|string),
+ 'synapse': ('matrix-synapse-reverse-proxy-companion:8008' if matrix_synapse_reverse_proxy_companion_enabled | default(false) else ('matrix-synapse:'+ matrix_synapse_container_client_api_port | default('8008') | string)),
+ 'dendrite': ('matrix-dendrite:' + matrix_dendrite_http_bind_port | default('8008') | string),
+ 'conduit': ('matrix-conduit:' + matrix_conduit_port_number | default('8008') | string),
 }[matrix_homeserver_implementation]
 }}
 matrix_homeserver_container_federation_api_endpoint: |-
 {{
 {
- 'synapse': ('matrix-synapse-reverse-proxy-companion:8048' if matrix_synapse_reverse_proxy_companion_enabled else 'matrix-synapse:'+ matrix_synapse_container_federation_api_plain_port|string),
- 'dendrite': ('matrix-dendrite:' + matrix_dendrite_http_bind_port|string),
- 'conduit': ('matrix-conduit:' + matrix_conduit_port_number|string),
+ 'synapse': ('matrix-synapse-reverse-proxy-companion:8048' if matrix_synapse_reverse_proxy_companion_enabled else ('matrix-synapse:'+ matrix_synapse_container_federation_api_plain_port | default('8008') | string)),
+ 'dendrite': ('matrix-dendrite:' + matrix_dendrite_http_bind_port | default('8008') | string),
+ 'conduit': ('matrix-conduit:' + matrix_conduit_port_number | default('8008') | string),
 }[matrix_homeserver_implementation]
 }}
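Review bot: In the new `matrix_homeserver_container_federation_api_endpoint` line, `matrix_synapse_reverse_proxy_companion_enabled` is still referenced without `| default(false)`, unlike the client-API line just above it, so the two synapse entries no longer behave the same when the companion role's variables are absent; make it `'synapse': ('matrix-synapse-reverse-proxy-companion:8048' if matrix_synapse_reverse_proxy_companion_enabled | default(false) else ('matrix-synapse:'+ matrix_synapse_container_federation_api_plain_port | default('8008') | string)),`. The `default('8008')` fallback for the federation plain port also looks copied from the client-API line, while the companion entry on the same line uses 8048 for federation; I can't see the synapse role's default here, so confirm which port it actually listens on before relying on that fallback. Both `matrix_homeserver_container_*_endpoint` definitions start and end inside this hunk.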
@@ -2152,8 +2152,8 @@ matrix_bot_maubot_homeserver_url: "{{ matrix_addons_homeserver_client_api_url }}
 matrix_bot_maubot_homeserver_secret: |-
 {{
 {
- 'synapse': matrix_synapse_registration_shared_secret,
- 'dendrite': matrix_dendrite_client_api_registration_shared_secret,
+ 'synapse': matrix_synapse_registration_shared_secret | default(''),
+ 'dendrite': matrix_dendrite_client_api_registration_shared_secret | default(''),
 }[matrix_homeserver_implementation]
 }}
@@ -4485,8 +4485,8 @@ matrix_registration_riot_instance: "{{ ('https://' + matrix_server_fqn_element)
 matrix_registration_shared_secret: |-
 {{
 {
- 'synapse': matrix_synapse_registration_shared_secret,
- 'dendrite': matrix_dendrite_client_api_registration_shared_secret,
+ 'synapse': matrix_synapse_registration_shared_secret | default (''),
+ 'dendrite': matrix_dendrite_client_api_registration_shared_secret | default (''),
 'conduit': '',
 }[matrix_homeserver_implementation]
 }}
From f9e19e962347b21abd93d1fa6feda031c1c82ce2 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Wed, 17 Jan 2024 17:22:08 +0200
Subject: [PATCH 018/118] Always uninstall matrix-nginx-proxy, if discovered
This changes the behavior of `matrix_playbook_migration_matrix_nginx_proxy_uninstallation_enabled` and is against what we initially described in the changelog entry, but I've discovered some problems when the `matrix-nginx-proxy` service and container remain running. They need to go.
---
 CHANGELOG.md | 12 +++++++-----
 .../matrix_playbook_migration/defaults/main.yml | 4 ++--
 .../custom/matrix_playbook_migration/tasks/main.yml | 3 +--
 .../tasks/uninstall_matrix_nginx_proxy.yml | 9 +++++----
 4 files changed, 15 insertions(+), 13 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 29e692850..7bb44f665 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
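Review bot: `| default('')` on `matrix_synapse_registration_shared_secret` and `matrix_dendrite_client_api_registration_shared_secret` turns a missing role variable into an empty shared secret, in both the `matrix_bot_maubot_homeserver_secret` hunk and the `matrix_registration_shared_secret` hunk below it; that fallback is only reached when the selected implementation's own role is absent, but if that ever happens the consumer is configured with an empty secret instead of failing on an undefined variable. A non-empty check in the consuming roles' validate_config (maubot, matrix-registration) when they are enabled would keep that failure loud; those files are not visible here, so confirm whether one already exists. The second hunk also writes `default ('')` with a space where the first writes `default('')`; the two should match.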
@@ -205,15 +205,17 @@ If this is still not convincing enough for you and you want the best possible pe
 The updated playbook will automatically perform some migration tasks for you:
-1. It will uninstall `matrix-nginx-proxy` for you and delete the `/matrix/nginx-proxy` directory and all files within it. You can disable this behavior by adding `matrix_playbook_migration_matrix_nginx_proxy_uninstallation_enabled: false` to your `vars.yml` configuration file. Doing so will leave an orphan (and unusable) `matrix-nginx-proxy` container and its data around. It will not let you continue using nginx for a while longer. You need to migrate - now!
+1. It will stop and remove the `matrix-nginx-proxy` systemd service and container for you. This behavior cannot be disabled. It's essential that this service gets stopped, because it remaining running (and having container labels) may confuse Traefik as to where to route HTTP requests.
-2. It will delete the `/matrix/ssl` directory and all files within it. You can disable this behavior by adding `matrix_playbook_migration_matrix_ssl_uninstallation_enabled: false` to your `vars.yml` configuration file. If you have some important certificates there for some reason, take them out or temporarily disable removal of these files until you do.
+2. It will delete the `/matrix/nginx-proxy` directory and all files within it. You can disable this behavior by adding `matrix_playbook_migration_matrix_nginx_proxy_uninstallation_enabled: false` to your `vars.yml` configuration file. Doing so will leave its data around.
-3. It will tell you about all variables (`matrix_nginx_proxy_*` and many others - even from other roles) that have changed during this large nginx-elimination upgrade. You can disable this behavior by adding `matrix_playbook_migration_matrix_nginx_proxy_elimination_variable_transition_checks_enabled: false` to your `vars.yml` configuration file.
+3. It will delete the `/matrix/ssl` directory and all files within it. You can disable this behavior by adding `matrix_playbook_migration_matrix_ssl_uninstallation_enabled: false` to your `vars.yml` configuration file. If you have some important certificates there for some reason, take them out or temporarily disable removal of these files until you do.
-4. It will tell you about any leftover `matrix_nginx_proxy_*` variables in your `vars.yml` file. You can disable this behavior by adding `matrix_playbook_migration_matrix_nginx_proxy_leftover_variable_validation_checks_enabled: false` to your `vars.yml` configuration file.
+4. It will tell you about all variables (`matrix_nginx_proxy_*` and many others - even from other roles) that have changed during this large nginx-elimination upgrade. You can disable this behavior by adding `matrix_playbook_migration_matrix_nginx_proxy_elimination_variable_transition_checks_enabled: false` to your `vars.yml` configuration file.
-5. It will tell you about any leftover `matrix_ssl_*` variables in your `vars.yml` file. You can disable this behavior by adding `matrix_playbook_migration_matrix_ssl_leftover_variable_checks_enabled: false` to your `vars.yml` configuration file.
+5. It will tell you about any leftover `matrix_nginx_proxy_*` variables in your `vars.yml` file. You can disable this behavior by adding `matrix_playbook_migration_matrix_nginx_proxy_leftover_variable_validation_checks_enabled: false` to your `vars.yml` configuration file.
+
+6. It will tell you about any leftover `matrix_ssl_*` variables in your `vars.yml` file. You can disable this behavior by adding `matrix_playbook_migration_matrix_ssl_leftover_variable_checks_enabled: false` to your `vars.yml` configuration file.
 We don't recommend changing these variables and suppressing warnings, unless you know what you're doing.
diff --git a/roles/custom/matrix_playbook_migration/defaults/main.yml b/roles/custom/matrix_playbook_migration/defaults/main.yml
index b870309d5..0c797cb10 100644
--- a/roles/custom/matrix_playbook_migration/defaults/main.yml
+++ b/roles/custom/matrix_playbook_migration/defaults/main.yml
@@ -56,8 +56,8 @@ matrix_playbook_migration_matrix_nginx_proxy_leftover_variable_validation_checks
 # Controls if (`matrix_ssl_`) leftover variable checks will run.
 matrix_playbook_migration_matrix_ssl_leftover_variable_checks_enabled: true
-# Controls whether this role will try to detect and clean up after the matrix-nginx-proxy role.
-# When enabled, the systemd serivce will be stopped and removed, as well as all data in `/matrix/nginx-proxy
+# Controls whether this role will delete old files left over from `matrix-nginx-proxy`.
+# Regardless of this value, if discovered, a `matrix-nginx-proxy.service` systemd serivce will be stopped and removed.
 matrix_playbook_migration_matrix_nginx_proxy_uninstallation_enabled: true
 # Controls whether this role will try to detect and clean up the /matrix/ssl files.
diff --git a/roles/custom/matrix_playbook_migration/tasks/main.yml b/roles/custom/matrix_playbook_migration/tasks/main.yml
index 552b0af29..bbee3000f 100644
--- a/roles/custom/matrix_playbook_migration/tasks/main.yml
+++ b/roles/custom/matrix_playbook_migration/tasks/main.yml
@@ -33,8 +33,7 @@
 block:
 - ansible.builtin.include_tasks: "{{ role_path }}/tasks/cleanup_matrix_static_files_well_known.yml"
-- when: matrix_playbook_migration_matrix_nginx_proxy_uninstallation_enabled | bool
- tags:
+- tags:
 - setup-all
 - install-all
 block:
diff --git a/roles/custom/matrix_playbook_migration/tasks/uninstall_matrix_nginx_proxy.yml b/roles/custom/matrix_playbook_migration/tasks/uninstall_matrix_nginx_proxy.yml
index f1fa4f518..adb005369 100644
--- a/roles/custom/matrix_playbook_migration/tasks/uninstall_matrix_nginx_proxy.yml
+++ b/roles/custom/matrix_playbook_migration/tasks/uninstall_matrix_nginx_proxy.yml
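Review bot: The new comment on `matrix_playbook_migration_matrix_nginx_proxy_uninstallation_enabled` carries over the `serivce` misspelling from the line it replaces; the added line should end `systemd service will be stopped and removed.`. With the `when:` gate removed from the include in `tasks/main.yml` in the same commit, this comment is now the only place in the role's defaults that tells an operator the service removal is unconditional, so it is worth getting right.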
@@ -19,7 +19,8 @@
 path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-nginx-proxy.service"
 state: absent
- - name: Ensure matrix-proxy-files files are deleted
- ansible.builtin.file:
- path: "{{ matrix_base_data_path }}/nginx-proxy"
- state: absent
+- when: matrix_playbook_migration_matrix_nginx_proxy_uninstallation_enabled | bool
+ name: Ensure matrix-proxy-files files are deleted
+ ansible.builtin.file:
+ path: "{{ matrix_base_data_path }}/nginx-proxy"
+ state: absent
From 474db10238b114b3724066b1f6024c212567720f Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Wed, 17 Jan 2024 17:27:31 +0200
Subject: [PATCH 019/118] Reorder Ansible task module parameters to make ansible-lint happy
---
 .../tasks/uninstall_matrix_nginx_proxy.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/custom/matrix_playbook_migration/tasks/uninstall_matrix_nginx_proxy.yml b/roles/custom/matrix_playbook_migration/tasks/uninstall_matrix_nginx_proxy.yml
index adb005369..acfacddb0 100644
--- a/roles/custom/matrix_playbook_migration/tasks/uninstall_matrix_nginx_proxy.yml
+++ b/roles/custom/matrix_playbook_migration/tasks/uninstall_matrix_nginx_proxy.yml
@@ -19,8 +19,8 @@
 path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-nginx-proxy.service"
 state: absent
-- when: matrix_playbook_migration_matrix_nginx_proxy_uninstallation_enabled | bool
- name: Ensure matrix-proxy-files files are deleted
+- name: Ensure matrix-proxy-files files are deleted
+ when: matrix_playbook_migration_matrix_nginx_proxy_uninstallation_enabled | bool
 ansible.builtin.file:
 path: "{{ matrix_base_data_path }}/nginx-proxy"
 state: absent
From 51df34e7ae3fbf2a500a10cfdf85f34b31bcfad6 Mon Sep 17 00:00:00 2001
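Review bot: The file-deletion task appears to move from an indented position (the removed lines start with an indented `- name:`) to a top-level `- when:` task, so it no longer sits inside whatever block the preceding `path:`/`state: absent` lines belong to; if that block is guarded by a discovery condition (the commit subject says "if discovered"), the deletion now runs whenever `matrix_playbook_migration_matrix_nginx_proxy_uninstallation_enabled` is true, regardless of discovery. The start of that enclosing block is outside the hunk, so confirm this is intended. The task name `Ensure matrix-proxy-files files are deleted` also doubles "files" and names a `matrix-proxy-files` that the `{{ matrix_base_data_path }}/nginx-proxy` path does not mention; `name: Ensure matrix-nginx-proxy data files are deleted` reads better, and the same name is carried into the following commit's reorder hunk.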
From: Slavi Pantaleev
Date: Wed, 17 Jan 2024 17:56:45 +0200
Subject: [PATCH 020/118] Ensure each container labels file defines at least one service
Most of these files were defining a service, usually toward the end. These lines have been moved upward. Some components (mautrix-signal, mautrix-gmessages, etc.) were defining a service conditionally (only if metrics are exposed, etc). This was causing issues like these in the Traefik logs:
> level=error msg="service \"matrix-mautrix-twitter\" error: port is missing" providerName=docker container=matrix-mautrix-twitter-..
---
 .../matrix-bot-buscarron/templates/labels.j2 | 3 ++-
 .../custom/matrix-bot-go-neb/templates/labels.j2 | 3 ++-
 .../matrix-bot-honoroit/templates/labels.j2 | 3 ++-
 .../matrix-bridge-hookshot/templates/labels.j2 | 16 ++++++----------
 .../templates/labels.j2 | 7 +++----
 .../templates/labels.j2 | 4 ++--
 .../templates/labels.j2 | 7 +++----
 .../templates/labels.j2 | 7 +++----
 .../templates/labels.j2 | 4 ++--
 .../templates/labels.j2 | 4 ++--
 .../templates/labels.j2 | 4 ++--
 .../templates/labels.j2 | 4 ++--
 .../templates/labels.j2 | 4 ++--
 .../templates/labels.j2 | 3 ++-
 .../templates/labels.j2 | 4 ++--
 .../matrix-client-cinny/templates/labels.j2 | 3 ++-
 .../matrix-client-element/templates/labels.j2 | 3 ++-
 .../matrix-client-hydrogen/templates/labels.j2 | 3 ++-
 .../templates/labels.j2 | 3 ++-
 roles/custom/matrix-corporal/templates/labels.j2 | 6 ++----
 .../custom/matrix-dimension/templates/labels.j2 | 3 ++-
 .../custom/matrix-rageshake/templates/labels.j2 | 3 ++-
 .../matrix-sliding-sync/templates/labels.j2 | 3 ++-
 roles/custom/matrix-sygnal/templates/labels.j2 | 3 ++-
 .../matrix-synapse-admin/templates/labels.j2 | 3 ++-
 25 files changed, 57 insertions(+), 53 deletions(-)
diff --git a/roles/custom/matrix-bot-buscarron/templates/labels.j2 b/roles/custom/matrix-bot-buscarron/templates/labels.j2
index 9150a44bf..b5f020a17 100644
--- a/roles/custom/matrix-bot-buscarron/templates/labels.j2
+++ b/roles/custom/matrix-bot-buscarron/templates/labels.j2
@@ -5,6 +5,8 @@ traefik.enable=true
 traefik.docker.network={{ matrix_bot_buscarron_container_labels_traefik_docker_network }}
 {% endif %}
+traefik.http.services.matrix-bot-buscarron.loadbalancer.server.port=8080
+
 {% set middlewares = [] %}
 {% set middlewares_metrics = [] %}
@@ -39,7 +41,6 @@ traefik.http.routers.matrix-bot-buscarron.tls={{ matrix_bot_buscarron_container_
 {% if matrix_bot_buscarron_container_labels_traefik_tls %}
 traefik.http.routers.matrix-bot-buscarron.tls.certResolver={{ matrix_bot_buscarron_container_labels_traefik_tls_certResolver }}
 {% endif %}
-traefik.http.services.matrix-bot-buscarron.loadbalancer.server.port=8080
 {% endif %}
diff --git a/roles/custom/matrix-bot-go-neb/templates/labels.j2 b/roles/custom/matrix-bot-go-neb/templates/labels.j2
index 54aa25835..1f0123add 100644
--- a/roles/custom/matrix-bot-go-neb/templates/labels.j2
+++ b/roles/custom/matrix-bot-go-neb/templates/labels.j2
@@ -5,6 +5,8 @@ traefik.enable=true
 traefik.docker.network={{ matrix_bot_go_neb_container_labels_traefik_docker_network }}
 {% endif %}
+traefik.http.services.matrix-bot-go-neb.loadbalancer.server.port=4050
+
 {% set middlewares = [] %}
 {% if matrix_bot_go_neb_container_labels_traefik_path_prefix != '/' %}
@@ -39,7 +41,6 @@ traefik.http.routers.matrix-bot-go-neb.tls={{ matrix_bot_go_neb_container_labels
 traefik.http.routers.matrix-bot-go-neb.tls.certResolver={{ matrix_bot_go_neb_container_labels_traefik_tls_certResolver }}
 {% endif %}
-traefik.http.services.matrix-bot-go-neb.loadbalancer.server.port=4050
 {% endif %}
 {{ matrix_bot_go_neb_container_labels_additional_labels }}
diff --git a/roles/custom/matrix-bot-honoroit/templates/labels.j2 b/roles/custom/matrix-bot-honoroit/templates/labels.j2
index 8e20ea459..ef210c49d 100644
--- a/roles/custom/matrix-bot-honoroit/templates/labels.j2
+++ b/roles/custom/matrix-bot-honoroit/templates/labels.j2
@@ -5,6 +5,8 @@ traefik.enable=true
 traefik.docker.network={{ matrix_bot_honoroit_container_labels_traefik_docker_network }}
 {% endif %}
+traefik.http.services.matrix-bot-honoroit-metrics.loadbalancer.server.port=8080
+
 {% set middlewares = [] %}
 {% set middlewares_metrics = [] %}
@@ -43,7 +45,6 @@ traefik.http.routers.matrix-bot-honoroit-metrics.tls={{ matrix_bot_honoroit_cont
 {% if matrix_bot_honoroit_container_labels_traefik_tls %}
 traefik.http.routers.matrix-bot-honoroit-metrics.tls.certResolver={{ matrix_bot_honoroit_container_labels_traefik_tls_certResolver }}
 {% endif %}
-traefik.http.services.matrix-bot-honoroit-metrics.loadbalancer.server.port=8080
 {% endif %}
 {% endif %}
diff --git a/roles/custom/matrix-bridge-hookshot/templates/labels.j2 b/roles/custom/matrix-bridge-hookshot/templates/labels.j2
index 35d47b9fd..07f015723 100644
--- a/roles/custom/matrix-bridge-hookshot/templates/labels.j2
+++ b/roles/custom/matrix-bridge-hookshot/templates/labels.j2
@@ -5,6 +5,12 @@ traefik.enable=true
 traefik.docker.network={{ matrix_hookshot_container_labels_traefik_docker_network }}
 {% endif %}
+traefik.http.services.matrix-hookshot-webhooks.loadbalancer.server.port={{ matrix_hookshot_webhook_port }}
+traefik.http.services.matrix-hookshot-appservice.loadbalancer.server.port={{ matrix_hookshot_appservice_port }}
+traefik.http.services.matrix-hookshot-widgets.loadbalancer.server.port={{ matrix_hookshot_widgets_port }}
+traefik.http.services.matrix-hookshot-provisioning.loadbalancer.server.port={{ matrix_hookshot_provisioning_port }}
+traefik.http.services.matrix-hookshot-metrics.loadbalancer.server.port={{ matrix_hookshot_metrics_port }}
+
 {% if matrix_hookshot_container_labels_webhooks_enabled %}
 ############################################################
 # #
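Review bot: The five `traefik.http.services.matrix-hookshot-*.loadbalancer.server.port` labels now render `matrix_hookshot_webhook_port`, `matrix_hookshot_appservice_port`, `matrix_hookshot_widgets_port`, `matrix_hookshot_provisioning_port` and `matrix_hookshot_metrics_port` unconditionally, whereas before each was only evaluated inside its own `{% if matrix_hookshot_container_labels_*_enabled %}` block; if any of those variables is only defined when its feature is enabled, the template now fails to render for a default install, so confirm each has a default in the role. Defining a service for a disabled feature is harmless on the Traefik side, since no router references it, which is the outcome the commit is after. The same move is made in the facebook, gmessages, googlechat and hangouts hunks that follow, but those use literal port numbers and so have no undefined-variable risk.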
@@ -12,8 +18,6 @@ traefik.docker.network={{ matrix_hookshot_container_labels_traefik_docker_networ
 # #
 ############################################################
-traefik.http.services.matrix-hookshot-webhooks.loadbalancer.server.port={{ matrix_hookshot_webhook_port }}
-
 traefik.http.middlewares.matrix-hookshot-webhooks-strip-prefix.stripprefix.prefixes={{ matrix_hookshot_webhook_endpoint }}
 traefik.http.routers.matrix-hookshot-webhooks.rule={{ matrix_hookshot_container_labels_webhooks_traefik_rule }}
@@ -47,8 +51,6 @@ traefik.http.routers.matrix-hookshot-webhooks.tls.certResolver={{ matrix_hooksho
 # #
 ############################################################
-traefik.http.services.matrix-hookshot-appservice.loadbalancer.server.port={{ matrix_hookshot_appservice_port }}
-
 traefik.http.middlewares.matrix-hookshot-appservice-strip-prefix.stripprefix.prefixes={{ matrix_hookshot_appservice_endpoint }}
 traefik.http.routers.matrix-hookshot-appservice.rule={{ matrix_hookshot_container_labels_appservice_traefik_rule }}
@@ -81,8 +83,6 @@ traefik.http.routers.matrix-hookshot-appservice.tls.certResolver={{ matrix_hooks
 # #
 ############################################################
-traefik.http.services.matrix-hookshot-widgets.loadbalancer.server.port={{ matrix_hookshot_widgets_port }}
-
 traefik.http.middlewares.matrix-hookshot-widgets-strip-prefix.stripprefix.prefixes={{ matrix_hookshot_widgets_endpoint }}
 traefik.http.routers.matrix-hookshot-widgets.rule={{ matrix_hookshot_container_labels_widgets_traefik_rule }}
@@ -114,8 +114,6 @@ traefik.http.routers.matrix-hookshot-widgets.tls.certResolver={{ matrix_hookshot
 # #
 ############################################################
-traefik.http.services.matrix-hookshot-provisioning.loadbalancer.server.port={{ matrix_hookshot_provisioning_port }}
-
 traefik.http.middlewares.matrix-hookshot-provisioning-strip-prefix.stripprefix.prefixes={{ matrix_hookshot_provisioning_endpoint }}
 traefik.http.routers.matrix-hookshot-provisioning.rule={{ matrix_hookshot_container_labels_provisioning_traefik_rule }}
@@ -148,8 +146,6 @@ traefik.http.routers.matrix-hookshot-provisioning.tls.certResolver={{ matrix_hoo
 # #
 ############################################################
-traefik.http.services.matrix-hookshot-metrics.loadbalancer.server.port={{ matrix_hookshot_metrics_port }}
-
 {% set metricsMiddlewares = ['matrix-hookshot-metrics-replace-path'] %}
 traefik.http.middlewares.matrix-hookshot-metrics-replace-path.replacepath.path=/metrics
diff --git a/roles/custom/matrix-bridge-mautrix-facebook/templates/labels.j2 b/roles/custom/matrix-bridge-mautrix-facebook/templates/labels.j2
index a1cce4e45..d71e7eed2 100644
--- a/roles/custom/matrix-bridge-mautrix-facebook/templates/labels.j2
+++ b/roles/custom/matrix-bridge-mautrix-facebook/templates/labels.j2
@@ -5,6 +5,9 @@ traefik.enable=true
 traefik.docker.network={{ matrix_mautrix_facebook_container_labels_traefik_docker_network }}
 {% endif %}
+traefik.http.services.matrix-mautrix-facebook-appservice.loadbalancer.server.port=29319
+traefik.http.services.matrix-mautrix-facebook-metrics.loadbalancer.server.port=8000
+
 {% if matrix_mautrix_facebook_container_labels_public_endpoint_enabled %}
 ############################################################
 # #
@@ -12,8 +15,6 @@ traefik.docker.network={{ matrix_mautrix_facebook_container_labels_traefik_docke
 # #
 ############################################################
-traefik.http.services.matrix-mautrix-facebook-appservice.loadbalancer.server.port=29319
-
 traefik.http.routers.matrix-mautrix-facebook-public.rule={{ matrix_mautrix_facebook_container_labels_public_endpoint_traefik_rule }}
 {% if matrix_mautrix_facebook_container_labels_public_endpoint_traefik_priority | int > 0 %}
@@ -43,8 +44,6 @@ traefik.http.routers.matrix-mautrix-facebook-public.tls.certResolver={{ matrix_m
 # #
 ############################################################
-traefik.http.services.matrix-mautrix-facebook-metrics.loadbalancer.server.port=8000
-
 {% if matrix_mautrix_facebook_container_labels_metrics_middleware_basic_auth_enabled %}
 traefik.http.middlewares.matrix-mautrix-facebook-metrics-basic-auth.basicauth.users={{ matrix_mautrix_facebook_container_labels_metrics_middleware_basic_auth_users }}
 traefik.http.routers.matrix-mautrix-facebook-metrics.middlewares=matrix-mautrix-facebook-metrics-basic-auth
diff --git a/roles/custom/matrix-bridge-mautrix-gmessages/templates/labels.j2 b/roles/custom/matrix-bridge-mautrix-gmessages/templates/labels.j2
index f960ef01e..1beea2c1c 100644
--- a/roles/custom/matrix-bridge-mautrix-gmessages/templates/labels.j2
+++ b/roles/custom/matrix-bridge-mautrix-gmessages/templates/labels.j2
@@ -5,6 +5,8 @@ traefik.enable=true
 traefik.docker.network={{ matrix_mautrix_gmessages_container_labels_traefik_docker_network }}
 {% endif %}
+traefik.http.services.matrix-mautrix-gmessages-metrics.loadbalancer.server.port=8001
+
 {% if matrix_mautrix_gmessages_container_labels_metrics_enabled %}
 ############################################################
 # #
@@ -12,8 +14,6 @@ traefik.docker.network={{ matrix_mautrix_gmessages_container_labels_traefik_dock # # ############################################################ -traefik.http.services.matrix-mautrix-gmessages-metrics.loadbalancer.server.port=8001 - {% if matrix_mautrix_gmessages_container_labels_metrics_middleware_basic_auth_enabled %} traefik.http.middlewares.matrix-mautrix-gmessages-metrics-basic-auth.basicauth.users={{ matrix_mautrix_gmessages_container_labels_metrics_middleware_basic_auth_users }} traefik.http.routers.matrix-mautrix-gmessages-metrics.middlewares=matrix-mautrix-gmessages-metrics-basic-auth diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/templates/labels.j2 b/roles/custom/matrix-bridge-mautrix-googlechat/templates/labels.j2 index d43bb1ad8..8f35f5c51 100644 --- a/roles/custom/matrix-bridge-mautrix-googlechat/templates/labels.j2 +++ b/roles/custom/matrix-bridge-mautrix-googlechat/templates/labels.j2 @@ -5,6 +5,9 @@ traefik.enable=true traefik.docker.network={{ matrix_mautrix_googlechat_container_labels_traefik_docker_network }} {% endif %} +traefik.http.services.matrix-mautrix-googlechat-public.loadbalancer.server.port=8080 +traefik.http.services.matrix-mautrix-googlechat-metrics.loadbalancer.server.port=8000 + {% if matrix_mautrix_googlechat_container_labels_public_endpoint_enabled %} ############################################################ # # @@ -12,8 +15,6 @@ traefik.docker.network={{ matrix_mautrix_googlechat_container_labels_traefik_doc # # ############################################################ -traefik.http.services.matrix-mautrix-googlechat-public.loadbalancer.server.port=8080 - traefik.http.routers.matrix-mautrix-googlechat-public.rule={{ matrix_mautrix_googlechat_container_labels_public_endpoint_traefik_rule }} {% if matrix_mautrix_googlechat_container_labels_public_endpoint_traefik_priority | int > 0 %} 
@@ -43,8 +44,6 @@ traefik.http.routers.matrix-mautrix-googlechat-public.tls.certResolver={{ matrix # # ############################################################ -traefik.http.services.matrix-mautrix-googlechat-metrics.loadbalancer.server.port=8000 - {% if matrix_mautrix_googlechat_container_labels_metrics_middleware_basic_auth_enabled %} traefik.http.middlewares.matrix-mautrix-googlechat-metrics-basic-auth.basicauth.users={{ matrix_mautrix_googlechat_container_labels_metrics_middleware_basic_auth_users }} traefik.http.routers.matrix-mautrix-googlechat-metrics.middlewares=matrix-mautrix-googlechat-metrics-basic-auth diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/templates/labels.j2 b/roles/custom/matrix-bridge-mautrix-hangouts/templates/labels.j2 index b5e561fdf..31dd03e2d 100644 --- a/roles/custom/matrix-bridge-mautrix-hangouts/templates/labels.j2 +++ b/roles/custom/matrix-bridge-mautrix-hangouts/templates/labels.j2 @@ -5,6 +5,9 @@ traefik.enable=true traefik.docker.network={{ matrix_mautrix_hangouts_container_labels_traefik_docker_network }} {% endif %} +traefik.http.services.matrix-mautrix-hangouts-public.loadbalancer.server.port=8080 +traefik.http.services.matrix-mautrix-hangouts-metrics.loadbalancer.server.port=8000 + {% if matrix_mautrix_hangouts_container_labels_public_endpoint_enabled %} ############################################################ # # @@ -12,8 +15,6 @@ traefik.docker.network={{ matrix_mautrix_hangouts_container_labels_traefik_docke # # ############################################################ -traefik.http.services.matrix-mautrix-hangouts-public.loadbalancer.server.port=8080 - traefik.http.routers.matrix-mautrix-hangouts-public.rule={{ matrix_mautrix_hangouts_container_labels_public_endpoint_traefik_rule }} {% if matrix_mautrix_hangouts_container_labels_public_endpoint_traefik_priority | int > 0 %} 
@@ -43,8 +44,6 @@ traefik.http.routers.matrix-mautrix-hangouts-public.tls.certResolver={{ matrix_m # # ############################################################ -traefik.http.services.matrix-mautrix-hangouts-metrics.loadbalancer.server.port=8000 - {% if matrix_mautrix_hangouts_container_labels_metrics_middleware_basic_auth_enabled %} traefik.http.middlewares.matrix-mautrix-hangouts-metrics-basic-auth.basicauth.users={{ matrix_mautrix_hangouts_container_labels_metrics_middleware_basic_auth_users }} traefik.http.routers.matrix-mautrix-hangouts-metrics.middlewares=matrix-mautrix-hangouts-metrics-basic-auth diff --git a/roles/custom/matrix-bridge-mautrix-instagram/templates/labels.j2 b/roles/custom/matrix-bridge-mautrix-instagram/templates/labels.j2 index e05a2162b..c67f2264d 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/templates/labels.j2 +++ b/roles/custom/matrix-bridge-mautrix-instagram/templates/labels.j2 @@ -5,6 +5,8 @@ traefik.enable=true traefik.docker.network={{ matrix_mautrix_instagram_container_labels_traefik_docker_network }} {% endif %} +traefik.http.services.matrix-mautrix-instagram-metrics.loadbalancer.server.port=8000 + {% if matrix_mautrix_instagram_container_labels_metrics_enabled %} ############################################################ # # @@ -12,8 +14,6 @@ traefik.docker.network={{ matrix_mautrix_instagram_container_labels_traefik_dock # # ############################################################ -traefik.http.services.matrix-mautrix-instagram-metrics.loadbalancer.server.port=8000 - {% if matrix_mautrix_instagram_container_labels_metrics_middleware_basic_auth_enabled %} traefik.http.middlewares.matrix-mautrix-instagram-metrics-basic-auth.basicauth.users={{ matrix_mautrix_instagram_container_labels_metrics_middleware_basic_auth_users }} traefik.http.routers.matrix-mautrix-instagram-metrics.middlewares=matrix-mautrix-instagram-metrics-basic-auth 
diff --git a/roles/custom/matrix-bridge-mautrix-signal/templates/labels.j2 b/roles/custom/matrix-bridge-mautrix-signal/templates/labels.j2 index cbc35ed36..fb912080a 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/templates/labels.j2 +++ b/roles/custom/matrix-bridge-mautrix-signal/templates/labels.j2 @@ -5,6 +5,8 @@ traefik.enable=true traefik.docker.network={{ matrix_mautrix_signal_container_labels_traefik_docker_network }} {% endif %} +traefik.http.services.matrix-mautrix-signal-metrics.loadbalancer.server.port=8000 + {% if matrix_mautrix_signal_container_labels_metrics_enabled %} ############################################################ # # @@ -12,8 +14,6 @@ traefik.docker.network={{ matrix_mautrix_signal_container_labels_traefik_docker_ # # ############################################################ -traefik.http.services.matrix-mautrix-signal-metrics.loadbalancer.server.port=8000 - {% if matrix_mautrix_signal_container_labels_metrics_middleware_basic_auth_enabled %} traefik.http.middlewares.matrix-mautrix-signal-metrics-basic-auth.basicauth.users={{ matrix_mautrix_signal_container_labels_metrics_middleware_basic_auth_users }} traefik.http.routers.matrix-mautrix-signal-metrics.middlewares=matrix-mautrix-signal-metrics-basic-auth diff --git a/roles/custom/matrix-bridge-mautrix-twitter/templates/labels.j2 b/roles/custom/matrix-bridge-mautrix-twitter/templates/labels.j2 index 15018362f..e54502e74 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/templates/labels.j2 +++ b/roles/custom/matrix-bridge-mautrix-twitter/templates/labels.j2 @@ -5,6 +5,8 @@ traefik.enable=true traefik.docker.network={{ matrix_mautrix_twitter_container_labels_traefik_docker_network }} {% endif %} +traefik.http.services.matrix-mautrix-twitter-metrics.loadbalancer.server.port=8000 + {% if matrix_mautrix_twitter_container_labels_metrics_enabled %} ############################################################ # # 
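Review bot: Moving `traefik.http.services.matrix-mautrix-signal-metrics.loadbalancer.server.port=8000` above `{% if matrix_mautrix_signal_container_labels_metrics_enabled %}` makes the container declare a Traefik service even when the only router that should front it is disabled. As I read Traefik's Docker provider, a container with `traefik.enable=true`, exactly one declared service and no routers gets a synthesized default router (rule from `defaultRule`, on every entrypoint) attached to that service, which would put the metrics port behind Host(`<container name>`) without the basic-auth middleware the enabled branch adds; worth confirming against the Traefik version the playbook pins before this pattern is applied to every bridge. Before the move the container declared no service at all, so whether exposure actually changes depends on whether the image exposes a port, which is not visible here. If the concern holds, either keep the service label inside the conditional or emit a comment such as `{# service is declared unconditionally; a router is only attached when metrics are enabled — Traefik must not auto-route it #}` next to a check that `metrics_enabled` is true whenever the label is rendered.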
@@ -12,8 +14,6 @@ traefik.docker.network={{ matrix_mautrix_twitter_container_labels_traefik_docker # # ############################################################ -traefik.http.services.matrix-mautrix-twitter-metrics.loadbalancer.server.port=8000 - {% if matrix_mautrix_twitter_container_labels_metrics_middleware_basic_auth_enabled %} traefik.http.middlewares.matrix-mautrix-twitter-metrics-basic-auth.basicauth.users={{ matrix_mautrix_twitter_container_labels_metrics_middleware_basic_auth_users }} traefik.http.routers.matrix-mautrix-twitter-metrics.middlewares=matrix-mautrix-twitter-metrics-basic-auth diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/templates/labels.j2 b/roles/custom/matrix-bridge-mautrix-whatsapp/templates/labels.j2 index 1483f9305..23f94361e 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/templates/labels.j2 +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/templates/labels.j2 @@ -5,6 +5,8 @@ traefik.enable=true traefik.docker.network={{ matrix_mautrix_whatsapp_container_labels_traefik_docker_network }} {% endif %} +traefik.http.services.matrix-mautrix-whatsapp-metrics.loadbalancer.server.port=8001 + {% if matrix_mautrix_whatsapp_container_labels_metrics_enabled %} ############################################################ # # @@ -12,8 +14,6 @@ traefik.docker.network={{ matrix_mautrix_whatsapp_container_labels_traefik_docke # # ############################################################ -traefik.http.services.matrix-mautrix-whatsapp-metrics.loadbalancer.server.port=8001 - {% if matrix_mautrix_whatsapp_container_labels_metrics_middleware_basic_auth_enabled %} traefik.http.middlewares.matrix-mautrix-whatsapp-metrics-basic-auth.basicauth.users={{ matrix_mautrix_whatsapp_container_labels_metrics_middleware_basic_auth_users }} traefik.http.routers.matrix-mautrix-whatsapp-metrics.middlewares=matrix-mautrix-whatsapp-metrics-basic-auth 
diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/templates/labels.j2 b/roles/custom/matrix-bridge-mx-puppet-slack/templates/labels.j2 index 5f24230d3..aec01387f 100644 --- a/roles/custom/matrix-bridge-mx-puppet-slack/templates/labels.j2 +++ b/roles/custom/matrix-bridge-mx-puppet-slack/templates/labels.j2 @@ -5,6 +5,8 @@ traefik.enable=true traefik.docker.network={{ matrix_mx_puppet_slack_container_labels_traefik_docker_network }} {% endif %} +traefik.http.services.matrix-mx-puppet-slack.loadbalancer.server.port={{ matrix_mx_puppet_slack_appservice_address }} + {% if matrix_mx_puppet_slack_container_labels_public_endpoint_enabled %} ############################################################ # # @@ -12,8 +14,6 @@ traefik.docker.network={{ matrix_mx_puppet_slack_container_labels_traefik_docker # # ############################################################ -traefik.http.services.matrix-mx-puppet-slack.loadbalancer.server.port={{ matrix_mx_puppet_slack_appservice_address }} - traefik.http.routers.matrix-mx-puppet-slack-public.rule={{ matrix_mx_puppet_slack_container_labels_public_endpoint_traefik_rule }} {% if matrix_mx_puppet_slack_container_labels_public_endpoint_traefik_priority | int > 0 %} diff --git a/roles/custom/matrix-bridge-mx-puppet-twitter/templates/labels.j2 b/roles/custom/matrix-bridge-mx-puppet-twitter/templates/labels.j2 index 1c20ab174..9aef5fe0d 100644 --- a/roles/custom/matrix-bridge-mx-puppet-twitter/templates/labels.j2 +++ b/roles/custom/matrix-bridge-mx-puppet-twitter/templates/labels.j2 
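Review bot: The slack label carried to the top of the template sets the server port from `matrix_mx_puppet_slack_appservice_address`, whereas the twitter template in the same patch uses `matrix_mx_puppet_twitter_appservice_port`; a variable named `_address` reads as a host or URL rather than a bare port, and a non-numeric `loadbalancer.server.port` makes Traefik reject the service. The line was wrong before it was moved, but this commit is the moment to fix it, e.g. `traefik.http.services.matrix-mx-puppet-slack.loadbalancer.server.port={{ matrix_mx_puppet_slack_appservice_port }}` or whichever role default actually holds the bare port — the role's defaults are outside this diff, so the variable name needs checking.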
@@ -5,13 +5,14 @@ traefik.enable=true traefik.docker.network={{ matrix_mx_puppet_twitter_container_labels_traefik_docker_network }} {% endif %} +traefik.http.services.martix-mx-puppet-twitter.loadbalancer.server.port={{ matrix_mx_puppet_twitter_appservice_port }} + {% if matrix_mx_puppet_twitter_container_labels_public_endpoint_enabled %} ############################################################ # # # Public # # # ############################################################ -traefik.http.services.martix-mx-puppet-twitter.loadbalancer.server.port={{ matrix_mx_puppet_twitter_appservice_port }} traefik.http.routers.matrix-mx-puppet-twitter-public.rule={{ matrix_mx_puppet_twitter_container_labels_public_endpoint_traefik_rule }} diff --git a/roles/custom/matrix-cactus-comments-client/templates/labels.j2 b/roles/custom/matrix-cactus-comments-client/templates/labels.j2 index 83c140ca7..274ba9e07 100644 --- a/roles/custom/matrix-cactus-comments-client/templates/labels.j2 +++ b/roles/custom/matrix-cactus-comments-client/templates/labels.j2 @@ -5,6 +5,8 @@ traefik.enable=true traefik.docker.network={{ matrix_cactus_comments_client_container_labels_traefik_docker_network }} {% endif %} +traefik.http.services.matrix-cactus-comments-client.loadbalancer.server.port={{ matrix_cactus_comments_client_environment_variable_server_port }} + {% if matrix_cactus_comments_client_container_labels_public_enabled %} ############################################################ @@ -13,8 +15,6 @@ traefik.docker.network={{ matrix_cactus_comments_client_container_labels_traefik # # ############################################################ -traefik.http.services.matrix-cactus-comments-client.loadbalancer.server.port={{ matrix_cactus_comments_client_environment_variable_server_port }} - {% set public_middlewares = [] %} {% if matrix_cactus_comments_client_container_labels_public_traefik_path_prefix != '/' %} 
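Review bot: The service name `martix-mx-puppet-twitter` keeps a `martix` typo in the line this hunk relocates, and the router `matrix-mx-puppet-twitter-public` only reaches it because Traefik binds a router to a container's sole service implicitly, so the misspelling is silently load-bearing. Renaming it to `matrix-mx-puppet-twitter` here keeps the naming consistent with every other template in this patch and avoids surprises if a second service is ever added to the container. The twitter hunk also drops the blank line the other templates leave between the service label and the `{% if ... %}` block.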
diff --git a/roles/custom/matrix-client-cinny/templates/labels.j2 b/roles/custom/matrix-client-cinny/templates/labels.j2 index f1c4f49ad..ede967226 100644 --- a/roles/custom/matrix-client-cinny/templates/labels.j2 +++ b/roles/custom/matrix-client-cinny/templates/labels.j2 @@ -5,6 +5,8 @@ traefik.enable=true traefik.docker.network={{ matrix_client_cinny_container_labels_traefik_docker_network }} {% endif %} +traefik.http.services.matrix-client-cinny.loadbalancer.server.port=8080 + {% set middlewares = [] %} {% if matrix_client_cinny_container_labels_traefik_path_prefix != '/' %} @@ -39,7 +41,6 @@ traefik.http.routers.matrix-client-cinny.tls={{ matrix_client_cinny_container_la traefik.http.routers.matrix-client-cinny.tls.certResolver={{ matrix_client_cinny_container_labels_traefik_tls_certResolver }} {% endif %} -traefik.http.services.matrix-client-cinny.loadbalancer.server.port=8080 {% endif %} {{ matrix_client_cinny_container_labels_additional_labels }} diff --git a/roles/custom/matrix-client-element/templates/labels.j2 b/roles/custom/matrix-client-element/templates/labels.j2 index de67299e2..8de199918 100644 --- a/roles/custom/matrix-client-element/templates/labels.j2 +++ b/roles/custom/matrix-client-element/templates/labels.j2 @@ -5,6 +5,8 @@ traefik.enable=true traefik.docker.network={{ matrix_client_element_container_labels_traefik_docker_network }} {% endif %} +traefik.http.services.matrix-client-element.loadbalancer.server.port=8080 + {% set middlewares = [] %} {% if matrix_client_element_container_labels_traefik_path_prefix != '/' %} @@ -39,7 +41,6 @@ traefik.http.routers.matrix-client-element.tls={{ matrix_client_element_containe traefik.http.routers.matrix-client-element.tls.certResolver={{ matrix_client_element_container_labels_traefik_tls_certResolver }} {% endif %} -traefik.http.services.matrix-client-element.loadbalancer.server.port=8080 {% endif %} {{ matrix_client_element_container_labels_additional_labels }} 
diff --git a/roles/custom/matrix-client-hydrogen/templates/labels.j2 b/roles/custom/matrix-client-hydrogen/templates/labels.j2 index 71c3ca59e..f5ccf8c97 100644 --- a/roles/custom/matrix-client-hydrogen/templates/labels.j2 +++ b/roles/custom/matrix-client-hydrogen/templates/labels.j2 @@ -5,6 +5,8 @@ traefik.enable=true traefik.docker.network={{ matrix_client_hydrogen_container_labels_traefik_docker_network }} {% endif %} +traefik.http.services.matrix-client-hydrogen.loadbalancer.server.port=8080 + {% set middlewares = [] %} {% if matrix_client_hydrogen_container_labels_traefik_path_prefix != '/' %} @@ -39,7 +41,6 @@ traefik.http.routers.matrix-client-hydrogen.tls={{ matrix_client_hydrogen_contai traefik.http.routers.matrix-client-hydrogen.tls.certResolver={{ matrix_client_hydrogen_container_labels_traefik_tls_certResolver }} {% endif %} -traefik.http.services.matrix-client-hydrogen.loadbalancer.server.port=8080 {% endif %} {{ matrix_client_hydrogen_container_labels_additional_labels }} diff --git a/roles/custom/matrix-client-schildichat/templates/labels.j2 b/roles/custom/matrix-client-schildichat/templates/labels.j2 index 85e279821..25f19f6b4 100644 --- a/roles/custom/matrix-client-schildichat/templates/labels.j2 +++ b/roles/custom/matrix-client-schildichat/templates/labels.j2 @@ -5,6 +5,8 @@ traefik.enable=true traefik.docker.network={{ matrix_client_schildichat_container_labels_traefik_docker_network }} {% endif %} +traefik.http.services.matrix-client-schildichat.loadbalancer.server.port=8080 + {% set middlewares = [] %} {% if matrix_client_schildichat_container_labels_traefik_path_prefix != '/' %} 
@@ -39,7 +41,6 @@ traefik.http.routers.matrix-client-schildichat.tls={{ matrix_client_schildichat_ traefik.http.routers.matrix-client-schildichat.tls.certResolver={{ matrix_client_schildichat_container_labels_traefik_tls_certResolver }} {% endif %} -traefik.http.services.matrix-client-schildichat.loadbalancer.server.port=8080 {% endif %} {{ matrix_client_schildichat_container_labels_additional_labels }} diff --git a/roles/custom/matrix-corporal/templates/labels.j2 b/roles/custom/matrix-corporal/templates/labels.j2 index 7b650edee..e28fd7761 100644 --- a/roles/custom/matrix-corporal/templates/labels.j2 +++ b/roles/custom/matrix-corporal/templates/labels.j2 @@ -5,6 +5,8 @@ traefik.enable=true traefik.docker.network={{ matrix_corporal_container_labels_traefik_docker_network }} {% endif %} +traefik.http.services.matrix-corporal-api.loadbalancer.server.port=41081 +traefik.http.services.matrix-corporal-gateway.loadbalancer.server.port=41080 {% if matrix_corporal_container_labels_api_enabled %} ############################################################ @@ -13,8 +15,6 @@ traefik.docker.network={{ matrix_corporal_container_labels_traefik_docker_networ # # ############################################################ -traefik.http.services.matrix-corporal-api.loadbalancer.server.port=41081 - traefik.http.routers.matrix-corporal-api.rule={{ matrix_corporal_container_labels_api_traefik_rule }} {% if matrix_corporal_container_labels_api_traefik_priority | int > 0 %} @@ -44,8 +44,6 @@ traefik.http.routers.matrix-corporal-api.tls.certResolver={{ matrix_corporal_con # # ############################################################ -traefik.http.services.matrix-corporal-gateway.loadbalancer.server.port=41080 - traefik.http.routers.matrix-corporal-matrix-client-api.rule={{ matrix_corporal_container_labels_matrix_client_api_traefik_rule }} {% if matrix_corporal_container_labels_matrix_client_api_traefik_priority | int > 0 %} 
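Review bot: In the matrix-corporal template both `matrix-corporal-api` (41081) and `matrix-corporal-gateway` (41080) are now declared unconditionally, so the container always carries two services; Traefik refuses to pick a service for any router that does not name one explicitly when more than one exists, and also cannot synthesize a default router for the container when both `api_enabled` and the client-API flag are off. Please confirm that `traefik.http.routers.matrix-corporal-api.service=matrix-corporal-api` and `traefik.http.routers.matrix-corporal-matrix-client-api.service=matrix-corporal-gateway` are set in the parts of the template outside this hunk — previously, with only the gateway enabled, implicit binding would have worked. The admin API on 41081 is not reachable through a service declaration alone, but a comment like `{# two services are always declared; every router below must set .service explicitly #}` would make the constraint obvious. A blank line after the `...41080` label would also match the other templates.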
diff --git a/roles/custom/matrix-dimension/templates/labels.j2 b/roles/custom/matrix-dimension/templates/labels.j2 index 24b570cbb..09ad07b96 100644 --- a/roles/custom/matrix-dimension/templates/labels.j2 +++ b/roles/custom/matrix-dimension/templates/labels.j2 @@ -5,6 +5,8 @@ traefik.enable=true traefik.docker.network={{ matrix_dimension_container_labels_traefik_docker_network }} {% endif %} +traefik.http.services.matrix-dimension.loadbalancer.server.port=8184 + {% set middlewares = [] %} {% if matrix_dimension_container_labels_traefik_path_prefix != '/' %} @@ -39,7 +41,6 @@ traefik.http.routers.matrix-dimension.tls={{ matrix_dimension_container_labels_t traefik.http.routers.matrix-dimension.tls.certResolver={{ matrix_dimension_container_labels_traefik_tls_certResolver }} {% endif %} -traefik.http.services.matrix-dimension.loadbalancer.server.port=8184 {% endif %} {{ matrix_dimension_container_labels_additional_labels }} diff --git a/roles/custom/matrix-rageshake/templates/labels.j2 b/roles/custom/matrix-rageshake/templates/labels.j2 index cdaf5f6af..626c2fb7c 100644 --- a/roles/custom/matrix-rageshake/templates/labels.j2 +++ b/roles/custom/matrix-rageshake/templates/labels.j2 @@ -5,6 +5,8 @@ traefik.enable=true traefik.docker.network={{ matrix_rageshake_container_labels_traefik_docker_network }} {% endif %} +traefik.http.services.matrix-rageshake.loadbalancer.server.port=9110 + {% set middlewares = [] %} {% if matrix_rageshake_container_labels_traefik_path_prefix != '/' %} @@ -39,7 +41,6 @@ traefik.http.routers.matrix-rageshake.tls={{ matrix_rageshake_container_labels_t traefik.http.routers.matrix-rageshake.tls.certResolver={{ matrix_rageshake_container_labels_traefik_tls_certResolver }} {% endif %} -traefik.http.services.matrix-rageshake.loadbalancer.server.port=9110 {% endif %} {{ matrix_rageshake_container_labels_additional_labels }} 
diff --git a/roles/custom/matrix-sliding-sync/templates/labels.j2 b/roles/custom/matrix-sliding-sync/templates/labels.j2 index 665492499..aecc5a8a9 100644 --- a/roles/custom/matrix-sliding-sync/templates/labels.j2 +++ b/roles/custom/matrix-sliding-sync/templates/labels.j2 @@ -5,6 +5,8 @@ traefik.enable=true traefik.docker.network={{ matrix_sliding_sync_container_labels_traefik_docker_network }} {% endif %} +traefik.http.services.matrix-sliding-sync.loadbalancer.server.port=8008 + {% set middlewares = [] %} {% if matrix_sliding_sync_container_labels_traefik_path_prefix != '/' %} @@ -39,7 +41,6 @@ traefik.http.routers.matrix-sliding-sync.tls={{ matrix_sliding_sync_container_la traefik.http.routers.matrix-sliding-sync.tls.certResolver={{ matrix_sliding_sync_container_labels_traefik_tls_certResolver }} {% endif %} -traefik.http.services.matrix-sliding-sync.loadbalancer.server.port=8008 {% endif %} {{ matrix_sliding_sync_container_labels_additional_labels }} diff --git a/roles/custom/matrix-sygnal/templates/labels.j2 b/roles/custom/matrix-sygnal/templates/labels.j2 index 964805894..3ef6731c3 100644 --- a/roles/custom/matrix-sygnal/templates/labels.j2 +++ b/roles/custom/matrix-sygnal/templates/labels.j2 @@ -5,6 +5,8 @@ traefik.enable=true traefik.docker.network={{ matrix_sygnal_container_labels_traefik_docker_network }} {% endif %} +traefik.http.services.matrix-sygnal.loadbalancer.server.port=6000 + {% set middlewares = [] %} {% if matrix_sygnal_container_labels_traefik_path_prefix != '/' %} @@ -39,7 +41,6 @@ traefik.http.routers.matrix-sygnal.tls={{ matrix_sygnal_container_labels_traefik traefik.http.routers.matrix-sygnal.tls.certResolver={{ matrix_sygnal_container_labels_traefik_tls_certResolver }} {% endif %} -traefik.http.services.matrix-sygnal.loadbalancer.server.port=6000 {% endif %} {{ matrix_sygnal_container_labels_additional_labels }} 
diff --git a/roles/custom/matrix-synapse-admin/templates/labels.j2 b/roles/custom/matrix-synapse-admin/templates/labels.j2 index 946fd6c98..b4e973e00 100644 --- a/roles/custom/matrix-synapse-admin/templates/labels.j2 +++ b/roles/custom/matrix-synapse-admin/templates/labels.j2 @@ -5,6 +5,8 @@ traefik.enable=true traefik.docker.network={{ matrix_synapse_admin_container_labels_traefik_docker_network }} {% endif %} +traefik.http.services.matrix-synapse-admin.loadbalancer.server.port=80 + {% set middlewares = [] %} {% if matrix_synapse_admin_container_labels_traefik_path_prefix != '/' %} @@ -39,7 +41,6 @@ traefik.http.routers.matrix-synapse-admin.tls={{ matrix_synapse_admin_container_ traefik.http.routers.matrix-synapse-admin.tls.certResolver={{ matrix_synapse_admin_container_labels_traefik_tls_certResolver }} {% endif %} -traefik.http.services.matrix-synapse-admin.loadbalancer.server.port=80 {% endif %} {{ matrix_synapse_admin_container_labels_additional_labels }} From ce883a5fcea8f48d73fdf961d128cfaabfc78f42 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 17 Jan 2024 19:18:01 +0200 Subject: [PATCH 021/118] Upgrade Postgres (v16.1-4 -> v16.1-5) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 258ace316..9b557b48c 100644 --- a/requirements.yml +++ b/requirements.yml @@ -40,7 +40,7 @@ version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16 name: playbook_state_preserver - src: git+https://github.com/devture/com.devture.ansible.role.postgres.git - version: v16.1-4 + version: v16.1-5 name: postgres - src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git version: 7eadc992ca952fc29bf3fab5aa6335fa82ff01e5 From 7d9eb561644811c912d9e074d4b7f70198060f10 Mon Sep 17 00:00:00 2001 
From: Charles Wright Date: Wed, 17 Jan 2024 15:22:27 -0600 Subject: [PATCH 022/118] Add a validation step to fail when the user allocates generic workers together with all of the new worker types --- roles/custom/matrix-synapse/tasks/validate_config.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/custom/matrix-synapse/tasks/validate_config.yml b/roles/custom/matrix-synapse/tasks/validate_config.yml index ab389a432..fdf208e8d 100644 --- a/roles/custom/matrix-synapse/tasks/validate_config.yml +++ b/roles/custom/matrix-synapse/tasks/validate_config.yml @@ -47,6 +47,12 @@ - "matrix_synapse_workers_stream_writer_receipts_stream_workers_count" - "matrix_synapse_workers_stream_writer_presence_stream_workers_count" +- name: Fail when mixing generic workers with new specialized workers + ansible.builtin.fail: + msg: >- + Generic workers should not be mixed with the new specialized worker types (room workers, sync workers, client readers, and federation readers) + when: matrix_synapse_workers_generic_workers_count | int > 0 and matrix_synapse_workers_room_workers_count | int > 0 and matrix_synapse_workers_sync_workers_count | int > 0 and matrix_synapse_workers_client_reader_workers_count | int > 0 and matrix_synapse_workers_federation_reader_workers_count | int > 0 + - name: (Deprecation) Catch and report renamed settings ansible.builtin.fail: msg: >- From 775000883a46498e368d7bcedfdb3cd81bf5527f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 18 Jan 2024 11:31:59 +0200 Subject: [PATCH 023/118] Fix Jinja issue related to Synapse workers keepalive templating Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3114 --- .../conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
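Review bot: The `when:` added to `validate_config.yml` joins all five counts with `and`, so the task only fails when generic workers are combined with every one of the four specialized worker types at once; mixing generic workers with just room workers (or any subset) passes validation, which contradicts the failure message "should not be mixed with the new specialized worker types". If the intent is "any", the condition should be `when: matrix_synapse_workers_generic_workers_count | int > 0 and (matrix_synapse_workers_room_workers_count | int > 0 or matrix_synapse_workers_sync_workers_count | int > 0 or matrix_synapse_workers_client_reader_workers_count | int > 0 or matrix_synapse_workers_federation_reader_workers_count | int > 0)`; if "all" really is intended, the message should say so. Either way the single very long `when:` line would read better as a YAML list (each condition on its own line, implicitly and-ed) with the or-group kept as one entry.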
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 index c94855d59..8b5446d91 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 @@ -12,7 +12,7 @@ {% macro render_worker_upstream(name, workers) %} {% if workers | length > 0 %} upstream {{ name }} { - keepalive {{ workers | length * 2 }}; + keepalive {{ ((workers | length) * 2) | string }}; {% for worker in workers %} server "{{ worker.name }}:{{ worker.port }}"; {% endfor %} @@ -42,7 +42,7 @@ # ensures that requests from the same client will always be passed # to the same server (except when this server is unavailable) hash $http_x_forwarded_for; - keepalive {{ generic_workers | length * 2 }}; + keepalive {{ ((generic_workers | length) * 2) | string }}; {% for worker in generic_workers %} server "{{ worker.name }}:{{ worker.port }}"; From aed641e694e2191407723a8c7578cadd96db98b3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 18 Jan 2024 12:12:41 +0200 Subject: [PATCH 024/118] Disable addons communicating with the homeserver via Traefik if there is no Traefik at all --- roles/custom/matrix-base/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index e2fef17bd..a4c31bfcd 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml 
@@ -291,7 +291,7 @@ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_definition: # because addon services (e.g. bridges, bots) cannot properly pass a `Host` HTTP header when making # requests to the endpoint's address (e.g. `http://devture-traefik:8008/`). # This entrypoint only aims to handle a single "virtual host" - one dealing with the homeserver's Client-Server API. -matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled: true +matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name: matrix-internal-matrix-client-api matrix_playbook_internal_matrix_client_api_traefik_entrypoint_port: 8008 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_host_bind_port: '' From 66bf8589ae9d5a4e1fc0eed84560cba4feae398e Mon Sep 17 00:00:00 2001 From: mcnesium Date: Thu, 18 Jan 2024 11:16:01 +0100 Subject: [PATCH 025/118] fix ProxyPass directive by adding mandatory trailing slash --- examples/reverse-proxies/apache/matrix-domain.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/reverse-proxies/apache/matrix-domain.conf b/examples/reverse-proxies/apache/matrix-domain.conf index ba4af4f44..4c79558b2 100644 --- a/examples/reverse-proxies/apache/matrix-domain.conf +++ b/examples/reverse-proxies/apache/matrix-domain.conf @@ -29,7 +29,7 @@ RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME} AllowEncodedSlashes NoDecode - ProxyPass / http://127.0.0.1:81 retry=0 nocanon + ProxyPass / http://127.0.0.1:81/ retry=0 nocanon ProxyPassReverse / http://127.0.0.1:81/ ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log From 0ec62855bbc259a49b9fad8adcc41e166308c109 Mon Sep 17 00:00:00 2001 
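Review bot: `matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled` now evaluates to false for any reverse-proxy type other than the two Traefik ones, but the comment block above it (which describes this entrypoint as the way bridges and bots reach the Client-Server API at `http://devture-traefik:8008/`) is not updated, so a reader cannot tell from this file where those addons are expected to connect when it is disabled. A one-line addition above the setting would close that gap, e.g. `# Only enabled when the playbook manages Traefik or is pointed at another Traefik container; with any other reverse-proxy type addons need a different route to the homeserver.` Whether the addon roles actually fall back correctly when this is false is outside this hunk and should be verified rather than assumed.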
From: Slavi Pantaleev Date: Thu, 18 Jan 2024 15:25:44 +0200 Subject: [PATCH 026/118] Avoid configuring SSL certificate settings for services when certs dumper is disabled Some of these variables were ending up configuring services to expect certificates.. yet there's no way they could get them. --- group_vars/matrix_servers | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 1354a5aed..92653ee3b 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2314,8 +2314,8 @@ matrix_bot_postmoogle_container_image_self_build: "{{ matrix_architecture not in matrix_bot_postmoogle_ssl_path: |- {{ { - 'playbook-managed-traefik': devture_traefik_certs_dumper_dumped_certificates_dir_path, - 'other-traefik-container': devture_traefik_certs_dumper_dumped_certificates_dir_path, + 'playbook-managed-traefik': (devture_traefik_certs_dumper_dumped_certificates_dir_path if devture_traefik_certs_dumper_enabled else ''), + 'other-traefik-container': (devture_traefik_certs_dumper_dumped_certificates_dir_path if devture_traefik_certs_dumper_enabled else ''), 'none': '', }[matrix_playbook_reverse_proxy_type] }} @@ -2326,8 +2326,8 @@ matrix_playbook_bot_postmoogle_traefik_key: "{% for domain in matrix_bot_postmoo matrix_bot_postmoogle_tls_cert: |- {{ { - 'playbook-managed-traefik': matrix_playbook_bot_postmoogle_traefik_tls_cert, - 'other-traefik-container': matrix_playbook_bot_postmoogle_traefik_tls_cert, + 'playbook-managed-traefik': (matrix_playbook_bot_postmoogle_traefik_tls_cert if devture_traefik_certs_dumper_enabled else ''), + 'other-traefik-container': (matrix_playbook_bot_postmoogle_traefik_tls_cert if devture_traefik_certs_dumper_enabled else ''), 'none': '', }[matrix_playbook_reverse_proxy_type] }} 
@@ -2335,8 +2335,8 @@ matrix_bot_postmoogle_tls_cert: |- matrix_bot_postmoogle_tls_key: |- {{ { - 'playbook-managed-traefik': matrix_playbook_bot_postmoogle_traefik_key, - 'other-traefik-container': matrix_playbook_bot_postmoogle_traefik_key, + 'playbook-managed-traefik': (matrix_playbook_bot_postmoogle_traefik_key if devture_traefik_certs_dumper_enabled else ''), + 'other-traefik-container': (matrix_playbook_bot_postmoogle_traefik_key if devture_traefik_certs_dumper_enabled else ''), 'none': '', }[matrix_playbook_reverse_proxy_type] }} @@ -2724,8 +2724,8 @@ matrix_coturn_tls_enabled: "{{ matrix_playbook_ssl_enabled }}" matrix_coturn_tls_cert_path: |- {{ { - 'playbook-managed-traefik': '/certificate.crt', - 'other-traefik-container': '/certificate.crt', + 'playbook-managed-traefik': ('/certificate.crt' if devture_traefik_certs_dumper_enabled else ''), + 'other-traefik-container': ('/certificate.crt' if devture_traefik_certs_dumper_enabled else ''), 'none': '', }[matrix_playbook_reverse_proxy_type] }} @@ -2733,8 +2733,8 @@ matrix_coturn_tls_cert_path: |- matrix_coturn_tls_key_path: |- {{ { - 'playbook-managed-traefik': '/privatekey.key', - 'other-traefik-container': '/privatekey.key', + 'playbook-managed-traefik': ('/privatekey.key' if devture_traefik_certs_dumper_enabled else ''), + 'other-traefik-container': ('/privatekey.key' if devture_traefik_certs_dumper_enabled else ''), 'none': '', }[matrix_playbook_reverse_proxy_type] }} @@ -2753,7 +2753,7 @@ matrix_coturn_container_additional_volumes: | 'dst': '/privatekey.key', 'options': 'ro', }, - ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else [] + ] if (matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled and (matrix_coturn_tls_cert_path and matrix_coturn_tls_key_path)) else [] ) }} 
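Review bot: `matrix_coturn_tls_enabled` (visible in the hunk context as `"{{ matrix_playbook_ssl_enabled }}"`) is not gated on the certs dumper, so with the dumper disabled coturn is now told TLS is on while both `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path` resolve to empty strings. Whether the coturn role rejects that combination or renders a config with empty certificate paths is not visible here; either derive the flag from the same condition, `matrix_coturn_tls_enabled: "{{ matrix_playbook_ssl_enabled and devture_traefik_certs_dumper_enabled }}"`, or have the role's validation fail when TLS is enabled but either path is empty. The added `(matrix_coturn_tls_cert_path and matrix_coturn_tls_key_path)` term in the volumes condition only prevents an empty-path bind mount; it does not stop the TLS setting from reaching coturn.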
From dbebe7c59825ad439ccf0939acf94bd01efbedbc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 19 Jan 2024 08:19:28 +0200 Subject: [PATCH 027/118] Add variable for controlling force_disable in io.element.e2ee in /.well-known/matrix/client --- roles/custom/matrix-static-files/defaults/main.yml | 6 ++++++ .../templates/public/.well-known/matrix/client.j2 | 3 ++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-static-files/defaults/main.yml b/roles/custom/matrix-static-files/defaults/main.yml index 966d04437..75c87494a 100644 --- a/roles/custom/matrix-static-files/defaults/main.yml +++ b/roles/custom/matrix-static-files/defaults/main.yml @@ -176,6 +176,12 @@ matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_re # See: https://github.com/element-hq/element-web/blob/develop/docs/e2ee.md matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_setup_methods: [] +# Controls the io.element.e2ee/force_disable property in the /.well-known/matrix/client file, +# which can be set to `true` to instruct Element whether to disable End-to-End Encryption by default +# and to not show encryption related-settings in room settings. +# See: https://github.com/element-hq/element-web/blob/develop/docs/e2ee.md +matrix_static_files_file_matrix_client_property_io_element_e2ee_force_disable: false + # Default /.well-known/matrix/client configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # diff --git a/roles/custom/matrix-static-files/templates/public/.well-known/matrix/client.j2 b/roles/custom/matrix-static-files/templates/public/.well-known/matrix/client.j2 index ca272fe35..5a3deb6a2 100644 --- a/roles/custom/matrix-static-files/templates/public/.well-known/matrix/client.j2 +++ b/roles/custom/matrix-static-files/templates/public/.well-known/matrix/client.j2 
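Review bot: The new comment above `matrix_static_files_file_matrix_client_property_io_element_e2ee_force_disable` reads awkwardly (`set to true to instruct Element whether to disable`), so what the boolean does is not actually stated. Suggested text: `# Controls the io.element.e2ee/force_disable property in the /.well-known/matrix/client file.` / `# When true, Element disables End-to-End Encryption by default and hides encryption-related settings in room settings.` / `# See: https://github.com/element-hq/element-web/blob/develop/docs/e2ee.md`.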
@@ -39,7 +39,8 @@ "io.element.e2ee": { "default": {{ matrix_static_files_file_matrix_client_property_io_element_e2ee_default|to_json }}, "secure_backup_required": {{ matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_required|to_json }}, - "secure_backup_setup_methods": {{ matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_setup_methods|to_json }} + "secure_backup_setup_methods": {{ matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_setup_methods|to_json }}, + "force_disable": {{ matrix_static_files_file_matrix_client_property_io_element_e2ee_force_disable|to_json }} } {% endif %} {% if matrix_static_files_file_matrix_client_property_io_element_e2ee_entries_enabled %}, From db7ed0e830e46e032e6ce04f0e85092911a3cfba Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 19 Jan 2024 12:13:22 +0200 Subject: [PATCH 028/118] Fix Traefik load balancer port for matrix-mx-puppet-slack --- roles/custom/matrix-bridge-mx-puppet-slack/templates/labels.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/templates/labels.j2 b/roles/custom/matrix-bridge-mx-puppet-slack/templates/labels.j2 index aec01387f..0937c9d75 100644 --- a/roles/custom/matrix-bridge-mx-puppet-slack/templates/labels.j2 +++ b/roles/custom/matrix-bridge-mx-puppet-slack/templates/labels.j2 @@ -5,7 +5,7 @@ traefik.enable=true traefik.docker.network={{ matrix_mx_puppet_slack_container_labels_traefik_docker_network }} {% endif %} -traefik.http.services.matrix-mx-puppet-slack.loadbalancer.server.port={{ matrix_mx_puppet_slack_appservice_address }} +traefik.http.services.matrix-mx-puppet-slack.loadbalancer.server.port={{ matrix_mx_puppet_slack_appservice_port }} {% if matrix_mx_puppet_slack_container_labels_public_endpoint_enabled %} ############################################################ From f953dd2cd6c8cef1121728077d793bd4c255116f Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Fri, 19 Jan 2024 17:02:16 +0200 Subject: [PATCH 029/118] Only strip /hookshot prefix for Hookshot widgetapi Public URLs are like: `/hookshot/widgetapi/v1/static/` .. which get translated to requests for: `/widgetapi/v1/static/` Previously, we were stripping the whole `/hookshot/widgetapi` prefix, which is wrong. --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 1 - roles/custom/matrix-bridge-hookshot/templates/labels.j2 | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 6d9210245..1c1ab4c5c 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml @@ -201,7 +201,6 @@ matrix_hookshot_widgets_roomSetupWidget_addOnInvite: false # noqa var-naming # - fec0::/10 matrix_hookshot_widgets_disallowedIpRanges: '' # noqa var-naming matrix_hookshot_widgets_internal: "/widgetapi" -# Default value of matrix_hookshot_widgets_endpoint: "/hookshot/widgetapi" matrix_hookshot_widgets_hostname: "{{ matrix_hookshot_public_hostname }}" matrix_hookshot_widgets_endpoint: "{{ matrix_hookshot_public_endpoint }}{{ matrix_hookshot_widgets_internal }}" matrix_hookshot_widgets_publicUrl: "{{ matrix_hookshot_urlprefix }}{{ matrix_hookshot_widgets_endpoint }}/v1/static" # noqa var-naming diff --git a/roles/custom/matrix-bridge-hookshot/templates/labels.j2 b/roles/custom/matrix-bridge-hookshot/templates/labels.j2 index 07f015723..4aa3f6420 100644 --- a/roles/custom/matrix-bridge-hookshot/templates/labels.j2 +++ b/roles/custom/matrix-bridge-hookshot/templates/labels.j2 
@@ -83,7 +83,7 @@ traefik.http.routers.matrix-hookshot-appservice.tls.certResolver={{ matrix_hooks # # ############################################################ -traefik.http.middlewares.matrix-hookshot-widgets-strip-prefix.stripprefix.prefixes={{ matrix_hookshot_widgets_endpoint }} +traefik.http.middlewares.matrix-hookshot-widgets-strip-prefix.stripprefix.prefixes={{ matrix_hookshot_public_endpoint }} traefik.http.routers.matrix-hookshot-widgets.rule={{ matrix_hookshot_container_labels_widgets_traefik_rule }} traefik.http.routers.matrix-hookshot-widgets.middlewares=matrix-hookshot-widgets-strip-prefix From 90332f8c3d75c75a53d6a097ddd2c0a5b2f83397 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 19 Jan 2024 17:08:14 +0200 Subject: [PATCH 030/118] Fix problematic Hookshot redirect for /hookshot/widgetapi/v1/static Hookshot wants a trailing slash for this route. If we let Hookshot redirect, it goes to `/widgetapi/v1/static/`, instead of `/hookshot/widgetapi/v1/static/`, so we take this matter into our own hands. --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 +- roles/custom/matrix-bridge-hookshot/templates/labels.j2 | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 1c1ab4c5c..e7f46a7cc 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml 
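Review bot: The middleware now strips `matrix_hookshot_public_endpoint` rather than the full widgets endpoint, but nothing in labels.j2 records why, and the variable name no longer hints at the widget path mapping; add a comment above the `stripprefix.prefixes` line: `# Strip only the public prefix (e.g. /hookshot), so /hookshot/widgetapi/v1/static reaches Hookshot as /widgetapi/v1/static.` The `e.g.` matters because `matrix_hookshot_public_endpoint` is overridable.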
@@ -203,7 +203,7 @@ matrix_hookshot_widgets_disallowedIpRanges: '' # noqa var-naming matrix_hookshot_widgets_internal: "/widgetapi" matrix_hookshot_widgets_hostname: "{{ matrix_hookshot_public_hostname }}" matrix_hookshot_widgets_endpoint: "{{ matrix_hookshot_public_endpoint }}{{ matrix_hookshot_widgets_internal }}" -matrix_hookshot_widgets_publicUrl: "{{ matrix_hookshot_urlprefix }}{{ matrix_hookshot_widgets_endpoint }}/v1/static" # noqa var-naming +matrix_hookshot_widgets_publicUrl: "{{ matrix_hookshot_urlprefix }}{{ matrix_hookshot_widgets_endpoint }}/v1/static/" # noqa var-naming matrix_hookshot_widgets_branding_widgetTitle: "Hookshot Configuration" # noqa var-naming diff --git a/roles/custom/matrix-bridge-hookshot/templates/labels.j2 b/roles/custom/matrix-bridge-hookshot/templates/labels.j2 index 4aa3f6420..31c035300 100644 --- a/roles/custom/matrix-bridge-hookshot/templates/labels.j2 +++ b/roles/custom/matrix-bridge-hookshot/templates/labels.j2 
@@ -83,10 +83,15 @@ traefik.http.routers.matrix-hookshot-appservice.tls.certResolver={{ matrix_hooks # # ############################################################ +# Redirect `{PREFIX}/widgetapi/v1/static` to `{PREFIX}/widgetapi/v1/static/`. +# Hookshot does it too, but does not obey the prefix, which leads people elsewhere. +traefik.http.middlewares.matrix-hookshot-widgets-slashless-redirect.redirectregex.regex=({{ matrix_hookshot_widgets_endpoint | quote }}/v1/static)$ +traefik.http.middlewares.matrix-hookshot-widgets-slashless-redirect.redirectregex.replacement=${1}/ + traefik.http.middlewares.matrix-hookshot-widgets-strip-prefix.stripprefix.prefixes={{ matrix_hookshot_public_endpoint }} traefik.http.routers.matrix-hookshot-widgets.rule={{ matrix_hookshot_container_labels_widgets_traefik_rule }} -traefik.http.routers.matrix-hookshot-widgets.middlewares=matrix-hookshot-widgets-strip-prefix +traefik.http.routers.matrix-hookshot-widgets.middlewares=matrix-hookshot-widgets-slashless-redirect,matrix-hookshot-widgets-strip-prefix {% if matrix_hookshot_container_labels_widgets_traefik_priority | int > 0 %} traefik.http.routers.matrix-hookshot-widgets.priority={{ matrix_hookshot_container_labels_widgets_traefik_priority }} From 0823efe22e5a9878471091db796c07a61ff7e53f Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 19 Jan 2024 15:31:02 +0000 Subject: [PATCH 031/118] Update vectorim/element-web Docker tag to v1.11.55 --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 4fb7b2eeb..305deae19 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml 
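Review bot: `matrix_hookshot_widgets_endpoint | quote` on the new `redirectregex.regex` label applies Ansible's shell-quoting filter, not regex escaping, so an endpoint containing regex metacharacters is interpolated unescaped, and one containing shell-special characters gets wrapped in single quotes that break the pattern. The intended filter is `regex_escape`: `traefik.http.middlewares.matrix-hookshot-widgets-slashless-redirect.redirectregex.regex=({{ matrix_hookshot_widgets_endpoint | regex_escape }}/v1/static)$`. With the default `/hookshot/widgetapi` value both filters return the string unchanged, which is presumably why this passed testing. The `${1}/` replacement and the middleware order (redirect before strip-prefix) look right.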
@@ -11,7 +11,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" # renovate: datasource=docker depName=vectorim/element-web -matrix_client_element_version: v1.11.54 +matrix_client_element_version: v1.11.55 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" From 6c1069fd16a81615ee2f96f38525ec675be7fcd9 Mon Sep 17 00:00:00 2001 From: SirHazza <31993698+SirHazza@users.noreply.github.com> Date: Fri, 19 Jan 2024 22:46:58 +0000 Subject: [PATCH 032/118] Updated nginx proxy fronting with NPM guide Updated the 'nginx reverse-proxy fronting' documentation with a guide for Nginx Proxy Manager, as you can't use the pre-existing nginx matrix.conf --- examples/reverse-proxies/nginx/README.md | 72 ++++++++++++++++++++++++ 1 file changed, 72 insertions(+) diff --git a/examples/reverse-proxies/nginx/README.md b/examples/reverse-proxies/nginx/README.md index 5501cf1e6..246d24ed3 100644 --- a/examples/reverse-proxies/nginx/README.md +++ b/examples/reverse-proxies/nginx/README.md 
@@ -15,3 +15,75 @@ Copy the [matrix.conf](matrix.conf) file to your nginx server's filesystem, modi This configuration **disables SSL certificate retrieval**, so you will **need to obtain SSL certificates manually** (e.g. by using [certbot](https://certbot.eff.org/)) and set the appropriate path in `matrix.conf`. In the example nginx configuration, a single certificate is used for all subdomains (`matrix.DOMAIN`, `element.DOMAIN`, etc.). For your setup, may wish to change this and use separate `server` blocks and separate certificate files for each host. Also note that your copy of the `matrix.conf` file has to be adapted to whatever services you are using. For example, remove `element.domain.com` from the `server_name` list if you don't use [Element](../../../docs/configuring-playbook-client-element.md) web client or add `dimension.domain.com` to it if you do use the [Dimension](../../../docs/configuring-playbook-dimension.md) integration manager. + +## Using Nginx Proxy Manager + +Similar to standard nginx, [Nginx Proxy Manager](https://nginxproxymanager.com/) provides nginx capabilities but inside a pre-built Docker container. With the ability for managing proxy hosts and automatic SSL certificates via a simple web interface. + +If Matrix federation is enabled, then you will need to make changes to [NPM's Docker configuration](https://nginxproxymanager.com/guide/#quick-setup). By default NPM has access to ports 443, 80 and 81, but you would also need to **provide access to the fedderation ports** `8448` and `8449`. + + +### Creating proxy hosts in Nginx Proxy Manager + +Open the 'Proxy Hosts' page in the NPM web interface and select `Add Proxy Host`, the first being for matrix web traffic. 
Apply the proxys configuration like this: + +```md +# Details +# Matrix web proxy config +Domain Names: matrix.DOMAIN +Scheme: http +Forward Hostname/IP: IP-ADDRESS-OF-YOUR-MATRIX +Forward Port: 81 + +# Custom locations +# Add one custom location +Define location: / +Scheme: http +Forward Hostname/IP: IP-ADDRESS-OF-YOUR-MATRIX +Forward Port: 81 +Custom config: + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Real-IP $remote_addr; + client_max_body_size 50M; + +# SSL +# Either 'Request a new certificate' or select an existing one +SSL Certificate: matrix.DOMAIN or *.DOMAIN +Force SSL: true +HTTP/2 Support: true +``` + +Again, under the 'Proxy Hosts' page select `Add Proxy Host`, this time for your federation traffic. Apply the proxys configuration like this: + +```md +# Details +# Matrix Federation proxy config +Domain Names: matrix.DOMAIN:8448 +Scheme: http +Forward Hostname/IP: IP-ADDRESS-OF-YOUR-MATRIX +Forward Port: 8449 + +# Custom locations +# Add one custom location +Define location: / +Scheme: http +Forward Hostname/IP: IP-ADDRESS-OF-YOUR-MATRIX +Forward Port: 8449 +Custom config: + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + client_max_body_size 50M; + +# SSL +# Either 'Request a new certificate' or select an existing one +SSL Certificate: matrix.DOMAIN or *.DOMAIN +Force SSL: true +HTTP/2 Support: true + +# Advanced +# Allows NPM to listen on the federation port +Custom Nginx Configuration: listen 8448 ssl http2; +``` + +Also note, NPM would need to be configured for whatever other services you are using. For example, you would need to create additional proxy hosts for `element.DOMAIN` or `jitsi.DOMAIN`, which would use the forwarding port `81`. From 3c7f89624679e2d59a524a9070ba82915cc2f3d5 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sat, 20 Jan 2024 11:10:34 +0200 Subject: [PATCH 033/118] Prevent generic workers being combined with any of the other types Until now, the validation check would only get tripped up if generic workers are used, combined with at least one EACH other type of specialized workers. This means that someone doing this: ``` matrix_synapse_workers_preset: one-of-each matrix_synapse_workers_client_reader_workers_count: 5 ``` .. would not have triggered this safety check. Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3100 --- roles/custom/matrix-synapse/tasks/validate_config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/tasks/validate_config.yml b/roles/custom/matrix-synapse/tasks/validate_config.yml index fdf208e8d..2f1a5e1c0 100644 --- a/roles/custom/matrix-synapse/tasks/validate_config.yml +++ b/roles/custom/matrix-synapse/tasks/validate_config.yml @@ -51,7 +51,7 @@ ansible.builtin.fail: msg: >- Generic workers should not be mixed with the new specialized worker types (room workers, sync workers, client readers, and federation readers) - when: matrix_synapse_workers_generic_workers_count | int > 0 and matrix_synapse_workers_room_workers_count | int > 0 and matrix_synapse_workers_sync_workers_count | int > 0 and matrix_synapse_workers_client_reader_workers_count | int > 0 and matrix_synapse_workers_federation_reader_workers_count | int > 0 + when: matrix_synapse_workers_generic_workers_count | int > 0 and ((matrix_synapse_workers_room_workers_count | int + matrix_synapse_workers_sync_workers_count | int + matrix_synapse_workers_client_reader_workers_count | int + matrix_synapse_workers_federation_reader_workers_count | int) > 0) - name: (Deprecation) Catch and report renamed settings ansible.builtin.fail: From 16ca50c6ef4f37759ff7c1fce040958158e9e011 Mon Sep 17 00:00:00 2001 
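Review bot: The rewritten `when:` is a single very long expression; Ansible ANDs the items of a list-valued `when`, which reads better and diffs cleaner: `when:` / `  - matrix_synapse_workers_generic_workers_count | int > 0` / `  - (matrix_synapse_workers_room_workers_count | int + matrix_synapse_workers_sync_workers_count | int + matrix_synapse_workers_client_reader_workers_count | int + matrix_synapse_workers_federation_reader_workers_count | int) > 0`. The logic itself covers the case described in the commit message (any single specialized type alongside generic workers now trips the check).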
From: Slavi Pantaleev Date: Sat, 20 Jan 2024 11:24:59 +0200 Subject: [PATCH 034/118] Add a few more comments in matrix-synapse-reverse-proxy-companion.conf.j2 Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3100 --- .../conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 index b3b8165e8..0dac97120 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 @@ -158,17 +158,23 @@ server { {% endif %} {% if room_workers | length > 0 %} + # room workers # https://tcpipuk.github.io/synapse/deployment/workers.html + # https://tcpipuk.github.io/synapse/deployment/nginx.html#locationsconf {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_room_worker_client_server_locations, 'room_workers_upstream') }} {% endif %} {% if sync_workers | length > 0 %} + # sync workers # https://tcpipuk.github.io/synapse/deployment/workers.html + # https://tcpipuk.github.io/synapse/deployment/nginx.html#locationsconf {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_sync_worker_client_server_locations, 'sync_workers_upstream') }} {% endif %} {% if client_reader_workers | length > 0 %} + # client_reader workers # https://tcpipuk.github.io/synapse/deployment/workers.html + # https://tcpipuk.github.io/synapse/deployment/nginx.html#locationsconf {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_client_reader_client_server_locations, 'client_reader_workers_upstream') }} {% endif %} 
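Review bot: The hunk adds the two reference-URL comments to the room, sync and client_reader blocks but ends right after the client_reader `{% endif %}`; if a federation_reader block follows (the fourth worker type in this series suggests it does, but it is outside the hunk), it is left without the same comments. The headings are also inconsistent (`# room workers` / `# sync workers` vs `# client_reader workers`); consider `# client reader workers` so the three match.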
From 7cb33da46ad4645709f8809506f99b8b03aaa232 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 20 Jan 2024 11:35:20 +0200 Subject: [PATCH 035/118] Add some clarification comment in matrix-synapse-reverse-proxy-companion/defaults/main.yml --- .../matrix-synapse-reverse-proxy-companion/defaults/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml index cebb259eb..f480f2891 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml @@ -192,7 +192,8 @@ matrix_synapse_reverse_proxy_companion_synapse_client_api_additional_server_conf matrix_synapse_reverse_proxy_companion_synapse_federation_api_additional_server_configuration_blocks: [] -# synapse worker activation and endpoint mappings +# synapse worker activation and endpoint mappings. +# These are all populated via Ansible group variables. matrix_synapse_reverse_proxy_companion_synapse_workers_enabled: false matrix_synapse_reverse_proxy_companion_synapse_workers_list: [] matrix_synapse_reverse_proxy_companion_synapse_room_worker_client_server_locations: [] From 84446e52e983f9cf1a1441f980d55773406b0a8c Mon Sep 17 00:00:00 2001 
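Review bot: `# These are all populated via Ansible group variables.` would help a reader of this role more if it named the concrete place, since the wiring lives in another directory: `# These are all populated from group_vars/matrix_servers (the matrix_synapse_reverse_proxy_companion_synapse_* assignments there).` That file is where the earlier commits in this series add the `_locations` mappings.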
From: Slavi Pantaleev Date: Sat, 20 Jan 2024 12:39:20 +0200 Subject: [PATCH 036/118] Rename Synapse worker preset name (room-workers -> specialized-workers) I believe `specialized-workers` is a better name than `room-workers`, because when enabled, 4 different types of specialized workers are created: - Room workers - Sync workers - Client readers - Federation readers Only one of these is called room-workers. In the future, more specialized workers may be added, making the `room-workers` preset name an even poorer choice. Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3100 --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- roles/custom/matrix-synapse/tasks/init.yml | 11 +++++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 84bc9ff8a..ac382622b 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -706,7 +706,7 @@ matrix_synapse_workers_presets: stream_writer_account_data_stream_workers_count: 1 stream_writer_receipts_stream_workers_count: 1 stream_writer_presence_stream_workers_count: 1 - room-workers: + specialized-workers: room_workers_count: 1 sync_workers_count: 1 client_reader_workers_count: 1 diff --git a/roles/custom/matrix-synapse/tasks/init.yml b/roles/custom/matrix-synapse/tasks/init.yml index 234eb78e5..341350a49 100644 --- a/roles/custom/matrix-synapse/tasks/init.yml +++ b/roles/custom/matrix-synapse/tasks/init.yml 
@@ -1,5 +1,16 @@ --- +# This validation task is here, not in validate_config.yml, +# because init.yml runs before it. +# +# validate_config.yml aims to validate the configuration based on the work we do, +# so we can't change the order. +- name: Fail when using the old (renamed) room-workers preset + ansible.builtin.fail: + msg: >- + The `room-workers` preset has been renamed to `specialized-workers`. Update your `matrix_synapse_workers_preset` variable to use the new name. + when: matrix_synapse_workers_preset == 'room-workers' + # Unless `matrix_synapse_workers_enabled_list` is explicitly defined, # we'll generate it dynamically. - ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/workers/init.yml" From 9fb2d53b542820165295b526fd6bfe257b0afdd5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 20 Jan 2024 12:41:21 +0200 Subject: [PATCH 037/118] Rework Synapse workers documentation Related to: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3100 --- docs/configuring-playbook-synapse.md | 53 +++++++++++++++++-- roles/custom/matrix-synapse/defaults/main.yml | 3 +- 2 files changed, 50 insertions(+), 6 deletions(-) diff --git a/docs/configuring-playbook-synapse.md b/docs/configuring-playbook-synapse.md index e9a3c3520..e99a56e7f 100644 --- a/docs/configuring-playbook-synapse.md +++ b/docs/configuring-playbook-synapse.md 
@@ -20,22 +20,65 @@ Alternatively, **if there is no pre-defined variable** for a Synapse setting you ## Load balancing with workers -To have Synapse gracefully handle thousands of users, worker support should be enabled. It factors out some homeserver tasks and spreads the load of incoming client and server-to-server traffic between multiple processes. More information can be found in the [official Synapse workers documentation](https://github.com/element-hq/synapse/blob/master/docs/workers.md). +To have Synapse gracefully handle thousands of users, worker support should be enabled. It factors out some homeserver tasks and spreads the load of incoming client and server-to-server traffic between multiple processes. More information can be found in the [official Synapse workers documentation](https://github.com/element-hq/synapse/blob/master/docs/workers.md) and [Tom Foster](https://github.com/tcpipuk)'s [Synapse homeserver guide](https://tcpipuk.github.io/synapse/index.html). To enable Synapse worker support, update your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: ```yaml matrix_synapse_workers_enabled: true + +matrix_synapse_workers_preset: one-of-each ``` -We support a few configuration presets (`matrix_synapse_workers_preset: one-of-each` being the default configuration): -- `little-federation-helper` - a very minimal worker configuration to improve federation performance -- `one-of-each` - one worker of each supported type +By default, this enables the `one-of-each` [worker preset](#worker-presets), but you may wish to use another preset or [control the number of worker instances](#controlling-the-number-of-worker-instances). 
+ +### Worker presets + +We support a few configuration presets (`matrix_synapse_workers_preset: one-of-each` being the default configuration right now): + +- (federation-only) `little-federation-helper` - a very minimal worker configuration to improve federation performance +- (generic) `one-of-each` - defaults to one worker of each supported type - no smart routing, just generic workers +- (specialized) `specialized-workers` - defaults to one worker of each supported type, but disables generic workers and uses [specialized workers](#specialized-workers) instead + +These presets represent a few common configurations. There are many worker types which can be mixed and matched based on your needs. + +#### Generic workers + +Previously, the playbook only supported the most basic type of load-balancing. We call it **generic load-balancing** below, because incoming HTTP requests are sent to a generic worker. Load-balancing was done based on the requestor's IP address. This is simple, but not necessarily optimal. If you're accessing your account from multiple IP addresses (e.g. your mobile phone being on a different network than your PC), these separate requests may potentially be routed to different workers, each of which would need to cache roughly the same data. + +This is **still the default load-balancing method (preset) used by the playbook**. + +To use generic load-balancing, do not specify `matrix_synapse_workers_preset` to make it use the default value (`one-of-each`), or better yet - explicitly set it as `one-of-each`. + +You may also consider [tweaking the number of workers of each type](#controlling-the-number-of-worker-instances) from the default (one of each). -If you'd like more customization power, you can start with one of the presets and tweak various `matrix_synapse_workers_*_count` variables manually. 
+#### Specialized workers + +The playbook now supports a smarter **specialized load-balancing** inspired by [Tom Foster](https://github.com/tcpipuk)'s [Synapse homeserver guide](https://tcpipuk.github.io/synapse/index.html). Instead of routing requests to one or more [generic workers](#generic-workers) based only on the requestor's IP adddress, specialized load-balancing routes to **4 different types of specialized workers** based on **smarter criteria** - the access token (username) of the requestor and/or on the resource (room, etc.) being requested. + +The playbook supports these **4 types** of specialized workers: + +- Room workers - handles various [Client-Server](https://spec.matrix.org/v1.9/client-server-api/) & [Federation](https://spec.matrix.org/v1.9/server-server-api) APIs dedicated to handling specific rooms +- Sync workers - handles various [Client-Server](https://spec.matrix.org/v1.9/client-server-api/) APIs related to synchronization (most notably [the `/sync` endpoint](https://spec.matrix.org/v1.9/client-server-api/#get_matrixclientv3sync)) +- Client readers - handles various [Client-Server](https://spec.matrix.org/v1.9/client-server-api/) APIs which are not for specific rooms (handled by **room workers**) or for synchronization (handled by **sync workers**) +- Federation readers - handles various [Federation](https://spec.matrix.org/v1.9/server-server-api) APIs which are not for specific rooms (handled by **room workers**) + +To use specialized load-balancing, consider enabling the `specialized-workers` [worker preset](#worker-presets) and potentially [tweaking the number of workers of each type](#controlling-the-number-of-worker-instances) from the default (one of each). + +#### Controlling the number of worker instances + +If you'd like more customization power, you can start with one of the [worker presets](#worker-presets) and then tweak various `matrix_synapse_workers_*_count` variables manually. 
+ +To find what variables are available for you to override in your own `vars.yml` configuration file, see the [`defaults/main.yml` file for the `matrix-synapse` Ansible role](../roles/custom/matrix-synapse/defaults/main.yml). + +The only thing you **cannot** do is mix [generic workers](#generic-workers) and [specialized workers](#specialized-workers). + +#### Effect of enabling workers on the rest of your server When Synapse workers are enabled, the integrated [Postgres database is tuned](maintenance-postgres.md#tuning-postgresql), so that the maximum number of Postgres connections are increased from `200` to `500`. If you need to decrease or increase the number of maximum Postgres connections further, use the `devture_postgres_max_connections` variable. +A separate Ansible role (`matrix-synapse-reverse-proxy-companion`) and component handles load-balancing for workers. This role/component is automatically enabled when you enable workers. Make sure to use the `setup-all` tag (not `install-all`!) during the playbook's [installation](./installing.md) process, especially if you're disabling workers, so that components may be installed/uninstalled correctly. + In case any problems occur, make sure to have a look at the [list of synapse issues about workers](https://github.com/matrix-org/synapse/issues?q=workers+in%3Atitle) and your `journalctl --unit 'matrix-*'`. diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index ac382622b..dd4ac05a2 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml 
@@ -663,7 +663,8 @@ matrix_synapse_workers_enabled: false # # The posible values (as seen in `matrix_synapse_workers_presets`) are: # - "little-federation-helper" - a very minimal worker configuration to improve federation performance -# - "one-of-each" - one worker of each supported type +# - "one-of-each" - one worker of each supported type + a generic worker +# - "specialized-workers" - one worker of each supported type + specialized workers # # You can override `matrix_synapse_workers_presets` to define your own presets, which is ill-advised, because it's fragile. # To use a more custom configuration, start with one of these presets as a base and configure `matrix_synapse_workers_*_count` variables manually, to suit your liking. From 24394d3ec42b5381e2fcd0f671b88cd7cc35beca Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 20 Jan 2024 12:41:46 +0200 Subject: [PATCH 038/118] Announce support for specialized Synapse workers Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3100 --- CHANGELOG.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7bb44f665..aecd10d5b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
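Review bot: The new `"specialized-workers"` comment line does not say that this preset and the generic-worker presets are mutually exclusive, which the documentation hunk earlier in this patch states explicitly (generic and specialized workers cannot be mixed). Suggest extending it to `# - "specialized-workers" - one worker of each supported type + specialized (room, sync, client-reader, federation-reader) workers; cannot be combined with generic workers`. The surrounding context line still reads `The posible values`; since this comment block is being touched anyway, fixing that typo would be cheap.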
@@ -1,3 +1,16 @@ +# 2024-01-20 + +## Support for more efficient (specialized) Synapse workers + +Thanks to [Charles Wright](https://github.com/cvwright) from [FUTO](https://www.futo.org/), the creators of the [Circles app](https://circu.li/), the playbook has [received support](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3100) for load-balancing the Synapse workload via [specialized workers](./docs/configuring-playbook-synapse.md#specialized-workers) which are supposed to work better than our old [generic workers]((./docs/configuring-playbook-synapse.md#generic-workers)) implementation. + +For now, playbook defaults remain unchanged and the `one-of-each` [workers preset](./docs/configuring-playbook-synapse.md#worker-presets) continues being the default. However, the default may change in the future. If you'd like to remain on this preset even if/when the defaults change, consider explicitly adding `matrix_synapse_workers_preset: one-of-each` to your `vars.yml` configuration. + +Our specialized workers setup is based on recommendations found in [Tom Foster](https://github.com/tcpipuk)'s [Synapse homeserver guide](https://tcpipuk.github.io/synapse/index.html). What's special about our new setup is that we try to parse information out of the request (who the user is; which room is being operated on) and try to forward similar requests to the same worker. As an example, this means that once a worker caches some room information, subsequent requests for the same room will be routed to the same worker (which supposedly still has the room's state cached). + +To get started, refer to our [Specialized workers](./docs/configuring-playbook-synapse.md#specialized-workers) documentation section. + + # 2024-01-17 ## Switching to Element's AGPLv3-licensed Synapse release From 9a7cb0f716e0ea73cf956ca84e736ab37b6e29bf Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sat, 20 Jan 2024 12:45:10 +0200 Subject: [PATCH 039/118] Fix broken link in changelog entry --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index aecd10d5b..0e8ece22b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,7 @@ ## Support for more efficient (specialized) Synapse workers -Thanks to [Charles Wright](https://github.com/cvwright) from [FUTO](https://www.futo.org/), the creators of the [Circles app](https://circu.li/), the playbook has [received support](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3100) for load-balancing the Synapse workload via [specialized workers](./docs/configuring-playbook-synapse.md#specialized-workers) which are supposed to work better than our old [generic workers]((./docs/configuring-playbook-synapse.md#generic-workers)) implementation. +Thanks to [Charles Wright](https://github.com/cvwright) from [FUTO](https://www.futo.org/), the creators of the [Circles app](https://circu.li/), the playbook has [received support](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3100) for load-balancing the Synapse workload via [specialized workers](./docs/configuring-playbook-synapse.md#specialized-workers) which are supposed to work better than our old [generic workers](./docs/configuring-playbook-synapse.md#generic-workers) implementation. For now, playbook defaults remain unchanged and the `one-of-each` [workers preset](./docs/configuring-playbook-synapse.md#worker-presets) continues being the default. However, the default may change in the future. If you'd like to remain on this preset even if/when the defaults change, consider explicitly adding `matrix_synapse_workers_preset: one-of-each` to your `vars.yml` configuration. From f10bc264da3f9323f9487d0e45d4db27caf7c0e2 Mon Sep 17 00:00:00 2001 
From: Pierre 'McFly' Marty Date: Sat, 20 Jan 2024 12:58:14 +0100 Subject: [PATCH 040/118] chore(deps): update Telegrambot config --- group_vars/matrix_servers | 1 + .../defaults/main.yml | 8 + .../templates/config.yaml.j2 | 366 +++++++++++++++--- 3 files changed, 312 insertions(+), 63 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index b97da1813..19da2c483 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1331,6 +1331,7 @@ matrix_mautrix_telegram_container_labels_metrics_middleware_basic_auth_users: "{ matrix_mautrix_telegram_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegr.as.token', rounds=655555) | to_uuid }}" +matrix_mautrix_telegram_homeserver_domain: "{{ matrix_domain }}" matrix_mautrix_telegram_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}" matrix_mautrix_telegram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegr.hs.token', rounds=655555) | to_uuid }}" diff --git a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml index 04ea86411..863e3a012 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -1,3 +1,9 @@ +# File : roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml +# Author : Pierre (McFly) Marty +# Date : 17.01.2024 +# Last Modified Date: 17.01.2024 +# Last Modified By : Pierre (McFly) Marty +# ----- --- # mautrix-telegram is a Matrix <-> Telegram bridge # Project source code URL: https://github.com/mautrix/telegram 
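Review bot: The six-line `# File / # Author / # Date / # Last Modified` header added above the `---` document start in defaults/main.yml is hand-maintained metadata that git already records and that will go stale on the next edit; no other file touched by this patch carries such a header. Suggest dropping it so the file keeps starting with `---` like the rest of the role, or at most keeping the existing one-line `# mautrix-telegram is a Matrix <-> Telegram bridge` description that follows it.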
@@ -175,6 +181,8 @@ matrix_mautrix_telegram_appservice_database: "{{ # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). matrix_mautrix_telegram_login_shared_secret: '' +matrix_mautrix_telegram_bridge_login_shared_secret_map: + "{{ {matrix_mautrix_telegram_homeserver_domain: matrix_mautrix_telegram_login_shared_secret} if matrix_mautrix_telegram_login_shared_secret else {} }}" # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. diff --git a/roles/custom/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 index 350ac31d5..30145b0e0 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 @@ -8,6 +8,20 @@ homeserver: # Whether or not to verify the SSL certificate of the homeserver. # Only applies if address starts with https:// verify_ssl: true + # What software is the homeserver running? + # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here. + software: standard + # Number of retries for all HTTP requests if the homeserver isn't reachable. + http_retry_count: 4 + # The URL to push real-time bridge status to. + # If set, the bridge will make POST requests to this URL whenever a user's Telegram connection state changes. + # The bridge will use the appservice as_token to authorize requests. + status_endpoint: null + # Endpoint for reporting per-message status. + message_send_checkpoint_endpoint: null + # Whether asynchronous uploads via MSC2246 should be enabled for media. + # Requires a media repo that supports MSC2246. + async_media: false # Application service host/registration related details # Changing these values requires regeneration of the registration. 
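Review bot: `matrix_mautrix_telegram_bridge_login_shared_secret_map` depends on `matrix_mautrix_telegram_homeserver_domain`, but that variable is not declared in this role's defaults/main.yml — per the diffstat the file gains only the six header lines and these two, and the only definition in the patch is in group_vars/matrix_servers. Running the role with `matrix_mautrix_telegram_login_shared_secret` set but without the playbook's group_vars would fail on an undefined variable, so add `matrix_mautrix_telegram_homeserver_domain: ""` to defaults/main.yml next to `matrix_mautrix_telegram_homeserver_address` and document it. The new variable name also inserts a `bridge_` segment that its sibling `matrix_mautrix_telegram_login_shared_secret` lacks; a comment above it such as `# Map of homeserver domain -> shared secret, derived from matrix_mautrix_telegram_login_shared_secret; override to allow double-puppeting from other servers.` would make the derivation clear.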
@@ -22,12 +36,19 @@ appservice: # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s max_body_size: 1 - # The full URI to the database. SQLite and Postgres are fully supported. - # Other DBMSes supported by SQLAlchemy may or may not work. + # The full URI to the database. SQLite and Postgres are supported. # Format examples: - # SQLite: sqlite:///filename.db + # SQLite: sqlite:filename.db # Postgres: postgres://username:password@hostname/dbname database: {{ matrix_mautrix_telegram_appservice_database|to_json }} + # Additional arguments for asyncpg.create_pool() or sqlite3.connect() + # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool + # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect + # For sqlite, min_size is used as the connection thread pool size and max_size is ignored. + # Additionally, SQLite supports init_commands as an array of SQL queries to run on connect (e.g. to set PRAGMAs). + database_opts: + min_size: 1 + max_size: 10 # Public part of web server for out-of-Matrix interaction with the bridge. # Used for things like login if the user wants to make sure the 2FA password isn't stored in @@ -61,6 +82,11 @@ appservice: bot_displayname: Telegram bridge bot bot_avatar: mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX + # Whether or not to receive ephemeral events via appservice transactions. + # Requires MSC2409 support (i.e. Synapse 1.22+). + # You should disable bridge -> sync_with_custom_puppets when this is enabled. + ephemeral_events: true + # Authentication tokens for AS <-> HS communication. as_token: {{ matrix_mautrix_telegram_appservice_token|to_json }} hs_token: {{ matrix_mautrix_telegram_homeserver_token|to_json }} 
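Review bot: `ephemeral_events: true` in the second hunk turns on MSC2409 delivery of ephemeral events through appservice transactions, which the accompanying comment itself ties to Synapse 1.22+ and to disabling `sync_with_custom_puppets`; the latter is done later in this patch, but nothing makes the homeserver-version requirement visible to operators or exposes the switch as a playbook variable. As far as I recall the homeserver only pushes ephemeral events when the appservice registration advertises support for them, and the registration template is outside this diff — worth confirming it was updated, otherwise the setting is a silent no-op. In the first hunk, the `database_opts` pool sizes `min_size: 1` / `max_size: 10` are hard-coded while the neighbouring `database:` value is templated; exposing them as `matrix_mautrix_telegram_*` variables would match the file's style.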
@@ -70,6 +96,17 @@ metrics: enabled: {{ matrix_mautrix_telegram_metrics_enabled | to_json }} listen_port: 8000 +# Manhole config. +manhole: + # Whether or not opening the manhole is allowed. + enabled: false + # The path for the unix socket. + path: /var/tmp/mautrix-telegram.manhole + # The list of UIDs who can be added to the whitelist. + # If empty, any UIDs can be specified in the open-manhole command. + whitelist: + - 0 + # Bridge config bridge: # Localpart template of MXIDs for Telegram users. @@ -105,12 +142,23 @@ bridge: - phone number # Maximum length of displayname displayname_max_length: 100 + # Remove avatars from Telegram ghost users when removed on Telegram. This is disabled by default + # as there's no way to determine whether an avatar is removed or just hidden from some users. If + # you're on a single-user instance, this should be safe to enable. + allow_avatar_remove: false + # Should contact names and profile pictures be allowed? + # This is only safe to enable on single-user instances. + allow_contact_info: false # Maximum number of members to sync per portal when starting up. Other members will be # synced when they send messages. The maximum is 10000, after which the Telegram server # will not send any more members. - # Defaults to no local limit (-> limited to 10000 by server) - max_initial_member_sync: 10 + # -1 means no limit (which means it's limited to 10000 by the server) + max_initial_member_sync: 100 + # Maximum number of participants in chats to bridge. Only applies when the portal is being created. + # If there are more members when trying to create a room, the room creation will be cancelled. + # -1 means no limit (which means all chats can be bridged) + max_member_count: -1 # Whether or not to sync the member list in channels. # If no channel admins have logged into the bridge, the bridge won't be able to sync the member # list regardless of this setting. 
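Review bot: The new `manhole:` block is hard-coded with `enabled: false`, a socket path under the shared `/var/tmp` directory and a `whitelist` of UID `0`; disabled is the right default, but none of it is reachable from playbook variables, so an operator who needs it has to fork the template, and if it is ever enabled a path inside the bridge's own data directory would be preferable to a world-writable temp directory. Suggest either templating the switch, e.g. `enabled: {{ matrix_mautrix_telegram_manhole_enabled | to_json }}` with a `false` default (variable name constructed), or adding a comment stating that the block is intentionally fixed off. The second hunk raises `max_initial_member_sync` from 10 to 100 and adds `allow_contact_info: false`; the tenfold member-sync change affects start-up load on existing deployments and deserves a mention in the commit message.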
@@ -119,11 +167,16 @@ bridge: skip_deleted_members: true # Whether or not to automatically synchronize contacts and chats of Matrix users logged into # their Telegram account at startup. - startup_sync: true + startup_sync: false # Number of most recently active dialogs to check when syncing chats. - # Dialogs include groups and private chats, but only groups are synced. # Set to 0 to remove limit. - sync_dialog_limit: 30 + sync_update_limit: 0 + # Number of most recently active dialogs to create portals for when syncing chats. + # Set to 0 to remove limit. + sync_create_limit: 15 + # Should all chats be scheduled to be created later? + # This is best used in combination with MSC2716 infinite backfill. + sync_deferred_create_all: false # Whether or not to sync and create portals for direct chats at startup. sync_direct_chats: false # The maximum number of simultaneous Telegram deletions to handle. 
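Review bot: `startup_sync` flips from `true` to `false`, and the old `sync_dialog_limit: 30` is replaced by `sync_update_limit: 0` (unlimited) plus `sync_create_limit: 15`, which changes what existing deployments sync at start-up without any playbook variable or operator-facing note — the commit is titled as a dependency chore. If these are deliberate adoptions of upstream defaults, say so in the commit message; if the playbook wants to preserve prior behaviour, template them, e.g. `startup_sync: {{ matrix_mautrix_telegram_startup_sync | to_json }}` with a matching default (variable name constructed).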
@@ -135,52 +188,76 @@ bridge: # Allow logging in within Matrix. If false, users can only log in using login-qr or the # out-of-Matrix login website (see appservice.public config section) allow_matrix_login: true - # Whether or not to bridge plaintext highlights. - # Only enable this if your displayname_template has some static part that the bridge can use to - # reliably identify what is a plaintext highlight. - plaintext_highlights: false # Whether or not to make portals of publicly joinable channels/supergroups publicly joinable on Matrix. - public_portals: true - # Whether or not to use /sync to get presence, read receipts and typing notifications when using - # your own Matrix account as the Matrix puppet for your Telegram account. - sync_with_custom_puppets: true - # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth + public_portals: false + # Whether or not to use /sync to get presence, read receipts and typing notifications + # when double puppeting is enabled + sync_with_custom_puppets: false + # Whether or not to update the m.direct account data event when double puppeting is enabled. + # Note that updating the m.direct event is not atomic (except with mautrix-asmux) + # and is therefore prone to race conditions. + sync_direct_chat_list: false + # Servers to always allow double puppeting from + double_puppet_server_map: + "{{ matrix_mautrix_telegram_homeserver_domain }}": {{ matrix_mautrix_telegram_homeserver_address }} + # Allow using double puppeting from any server with a valid client .well-known file. + double_puppet_allow_discovery: false + # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth # # If set, custom puppets will be enabled automatically for local users # instead of users having to find an access token and run `login-matrix` # manually. 
- login_shared_secret: {{ matrix_mautrix_telegram_login_shared_secret|to_json }} + # If using this for other servers than the bridge's server, + # you must also set the URL in the double_puppet_server_map. + login_shared_secret_map: {{ matrix_mautrix_telegram_bridge_login_shared_secret_map|to_json }} # Set to false to disable link previews in messages sent to Telegram. telegram_link_preview: true - # Use inline images instead of a separate message for the caption. - # N.B. Inline images are not supported on all clients (e.g. Element iOS). - inline_images: false + # Whether or not the !tg join command should do a HTTP request + # to resolve redirects in invite links. + invite_link_resolve: false + # Send captions in the same message as images. This will send data compatible with both MSC2530 and MSC3552. + # This is currently not supported in most clients. + caption_in_message: false # Maximum size of image in megabytes before sending to Telegram as a document. image_as_file_size: 10 - # Maximum size of Telegram documents in megabytes to bridge. - max_document_size: 100 + # Maximum number of pixels in an image before sending to Telegram as a document. Defaults to 4096x4096 = 16777216. + image_as_file_pixels: 16777216 # Enable experimental parallel file transfer, which makes uploads/downloads much faster by # streaming from/to Matrix and using many connections for Telegram. # Note that generating HQ thumbnails for videos is not possible with streamed transfers. + # This option uses internal Telethon implementation details and may break with minor updates. parallel_file_transfer: false # Whether or not created rooms should have federation enabled. # If false, created portal rooms will never be federated. federate_rooms: {{ matrix_mautrix_telegram_federate_rooms|to_json }} + # Should the bridge send all unicode reactions as custom emoji reactions to Telegram? + # By default, the bridge only uses custom emojis for unicode emojis that aren't allowed in reactions. 
+ always_custom_emoji_reaction: false # Settings for converting animated stickers. animated_sticker: # Format to which animated stickers should be converted. # disable - No conversion, send as-is (gzipped lottie) # png - converts to non-animated png (fastest), - # gif - converts to animated gif, but loses transparency + # gif - converts to animated gif # webm - converts to webm video, requires ffmpeg executable with vp9 codec and webm container support + # webp - converts to animated webp, requires ffmpeg executable with webp codec/container support target: gif + # Should video stickers be converted to the specified format as well? + convert_from_webm: false # Arguments for converter. All converters take width and height. - # GIF converter takes background as a hex color. args: width: 256 height: 256 - background: "020202" # only for gif - fps: 30 # only for webm + fps: 25 # only for webm, webp and gif (2, 5, 10, 20 or 25 recommended) + # Settings for converting animated emoji. + # Same as animated_sticker, but webm is not supported as the target + # (because inline images can only contain images, not videos). + animated_emoji: + target: webp + args: + width: 64 + height: 64 + fps: 25 # End-to-bridge encryption support options. # # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info. 
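Review bot: `double_puppet_server_map` renders `matrix_mautrix_telegram_homeserver_address` as a bare plain scalar, while every other templated value in this file goes through `| to_json` (see `login_shared_secret_map` a few lines below); a value containing `: ` or ` #` would produce a malformed YAML document at deploy time. Change the line to `"{{ matrix_mautrix_telegram_homeserver_domain }}": {{ matrix_mautrix_telegram_homeserver_address | to_json }}`. This hunk also flips `public_portals` and `sync_with_custom_puppets` from `true` to `false` and drops `max_document_size`; as with the earlier sync defaults, these are behaviour changes for existing installs that the commit message does not mention. The enclosing `bridge:` mapping starts before this hunk.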
@@ -190,32 +267,164 @@ bridge: # Default to encryption, force-enable encryption in all portals the bridge creates # This will cause the bridge bot to be in private chats for the encryption to work properly. default: {{ matrix_mautrix_telegram_bridge_encryption_default|to_json }} - # Database for the encryption data. If set to `default`, will use the appservice database. - database: default - # Options for automatic key sharing. - key_sharing: - # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. - # You must use a client that supports requesting keys from other users to use this feature. - allow: {{ matrix_mautrix_telegram_bridge_encryption_key_sharing_allow|to_json }} - # Require the requesting device to have a valid cross-signing signature? - # This doesn't require that the bridge has verified the device, only that the user has verified it. - # Not yet implemented. - require_cross_signing: false - # Require devices to be verified by the bridge? - # Verification by the bridge is not yet implemented. - require_verification: true - # Whether or not to explicitly set the avatar and room name for private - # chat portal rooms. This will be implicitly enabled if encryption.default is true. - private_chat_portal_meta: false + # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data. + appservice: false + # Require encryption, drop any unencrypted messages. + require: false + # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. + # You must use a client that supports requesting keys from other users to use this feature. + allow_key_sharing: {{ matrix_mautrix_telegram_bridge_encryption_key_sharing_allow|to_json }} + # Options for deleting megolm sessions from the bridge. + delete_keys: + # Beeper-specific: delete outbound sessions when hungryserv confirms + # that the user has uploaded the key to key backup. 
+ delete_outbound_on_ack: false + # Don't store outbound sessions in the inbound table. + dont_store_outbound: false + # Ratchet megolm sessions forward after decrypting messages. + ratchet_on_decrypt: false + # Delete fully used keys (index >= max_messages) after decrypting messages. + delete_fully_used_on_decrypt: false + # Delete previous megolm sessions from same device when receiving a new one. + delete_prev_on_new_session: false + # Delete megolm sessions received from a device when the device is deleted. + delete_on_device_delete: false + # Periodically delete megolm sessions when 2x max_age has passed since receiving the session. + periodically_delete_expired: false + # Delete inbound megolm sessions that don't have the received_at field used for + # automatic ratcheting and expired session deletion. This is meant as a migration + # to delete old keys prior to the bridge update. + delete_outdated_inbound: false + # What level of device verification should be required from users? + # + # Valid levels: + # unverified - Send keys to all device in the room. + # cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys. + # cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes). + # cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot. + # Note that creating user signatures from the bridge bot is not currently possible. + # verified - Require manual per-device verification + # (currently only possible by modifying the `trust` column in the `crypto_device` database table). + verification_levels: + # Minimum level for which the bridge should send keys to when bridging messages from Telegram to Matrix. + receive: unverified + # Minimum level that the bridge should accept for incoming Matrix messages. + send: unverified + # Minimum level that the bridge should require for accepting key requests. 
+ share: cross-signed-tofu + # Options for Megolm room key rotation. These options allow you to + # configure the m.room.encryption event content. See: + # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for + # more information about that event. + rotation: + # Enable custom Megolm room key rotation settings. Note that these + # settings will only apply to rooms created after this option is + # set. + enable_custom: false + # The maximum number of milliseconds a session should be used + # before changing it. The Matrix spec recommends 604800000 (a week) + # as the default. + milliseconds: 604800000 + # The maximum number of messages that should be sent with a given a + # session before changing it. The Matrix spec recommends 100 as the + # default. + messages: 100 + + # Disable rotating keys when a user's devices change? + # You should not enable this option unless you understand all the implications. + disable_device_change_key_rotation: false + + # Whether to explicitly set the avatar and room name for private chat portal rooms. + # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms. + # If set to `always`, all DM rooms will have explicit names and avatars set. + # If set to `never`, DM rooms will never have names and avatars set. + private_chat_portal_meta: default + # Disable generating reply fallbacks? Some extremely bad clients still rely on them, + # but they're being phased out and will be completely removed in the future. + disable_reply_fallbacks: false + # Should cross-chat replies from Telegram be bridged? Most servers and clients don't support this. + cross_room_replies: false # Whether or not the bridge should send a read receipt from the bridge bot when a message has # been sent to Telegram. delivery_receipts: false # Whether or not delivery errors should be reported as messages in the Matrix room. 
- delivery_error_reports: true + delivery_error_reports: false + # Should errors in incoming message handling send a message to the Matrix room? + incoming_bridge_error_reports: false + # Whether the bridge should send the message status as a custom com.beeper.message_send_status event. + message_status_events: false # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run. # This field will automatically be changed back to false after it, # except if the config file is not writable. resend_bridge_info: false + # When using double puppeting, should muted chats be muted in Matrix? + mute_bridging: false + # When using double puppeting, should pinned chats be moved to a specific tag in Matrix? + # The favorites tag is `m.favourite`. + pinned_tag: null + # Same as above for archived chats, the low priority tag is `m.lowpriority`. + archive_tag: null + # Whether or not mute status and tags should only be bridged when the portal room is created. + tag_only_on_create: true + # Should leaving the room on Matrix make the user leave on Telegram? + bridge_matrix_leave: true + # Should the user be kicked out of all portals when logging out of the bridge? + kick_on_logout: true + # Should the "* user joined Telegram" notice always be marked as read automatically? + always_read_joined_telegram_notice: true + # Should the bridge auto-create a group chat on Telegram when a ghost is invited to a room? + # Requires the user to have sufficient power level and double puppeting enabled. + create_group_on_invite: true + # Settings for backfilling messages from Telegram. + backfill: + # Allow backfilling at all? + enable: true + # Whether or not to enable backfilling in normal groups. + # Normal groups have numerous technical problems in Telegram, and backfilling normal groups + # will likely cause problems if there are multiple Matrix users in the group. 
+ normal_groups: false + + # If a backfilled chat is older than this number of hours, mark it as read even if it's unread on Telegram. + # Set to -1 to let any chat be unread. + unread_hours_threshold: 720 + + # Forward backfilling limits. + # + # Using a negative initial limit is not recommended, as it would try to backfill everything in a single batch. + forward_limits: + # Number of messages to backfill immediately after creating a portal. + initial: + user: 50 + normal_group: 100 + supergroup: 10 + channel: 10 + # Number of messages to backfill when syncing chats. + sync: + user: 100 + normal_group: 100 + supergroup: 100 + channel: 100 + # Timeout for forward backfills in seconds. If you have a high limit, you'll have to increase this too. + forward_timeout: 900 + + # Settings for incremental backfill of history. These only apply to Beeper, as upstream abandoned MSC2716. + incremental: + # Maximum number of messages to backfill per batch. + messages_per_batch: 100 + # The number of seconds to wait after backfilling the batch of messages. + post_batch_delay: 20 + # The maximum number of batches to backfill per portal, split by the chat type. + # If set to -1, all messages in the chat will eventually be backfilled. + max_batches: + # Direct chats + user: -1 + # Normal groups. Note that the normal_groups option above must be enabled + # for these to be backfilled. + normal_group: -1 + # Supergroups + supergroup: 10 + # Broadcast channels + channel: -1 # Overrides for base power levels. initial_power_level_overrides: 
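Review bot: The rewritten `encryption:` block hard-codes `verification_levels` to `receive: unverified` / `send: unverified` / `share: cross-signed-tofu` and `require: false`, while the removed `require_verification: true` line (which its own comment described as not yet implemented) goes away; only `allow_key_sharing` keeps its playbook variable. For deployments with `matrix_mautrix_telegram_bridge_encryption_default` enabled this fixes the key-sharing policy at the most permissive level with no way to tighten it short of forking the template, so either template the three levels (e.g. `send: {{ matrix_mautrix_telegram_bridge_encryption_verification_level_send | to_json }}`, variable name constructed, with documented defaults) or state in the commit message that the upstream example defaults are being adopted as-is. Further down, `delivery_error_reports` flips to `false`, and `kick_on_logout`, `bridge_matrix_leave` and `create_group_on_invite` are introduced as `true`, all fixed; `create_group_on_invite` in particular creates Telegram groups from Matrix invites and is worth a playbook toggle. The enclosing `bridge:` mapping starts before this hunk.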
@@ -232,24 +441,28 @@ bridge: # notices from users listed here will be bridged. exceptions: [] + # An array of possible values for the $distinguisher variable in message formats. + # Each user gets one of the values here, based on a hash of their user ID. + # If the array is empty, the $distinguisher variable will also be empty. + relay_user_distinguishers: ["🟦", "🟣", "🟩", "⭕️", "🔶", "⬛️", "🔵", "🟢"] # The formats to use when sending messages to Telegram via the relay bot. - # - # Telegram doesn't have built-in emotes, so the m.emote format is also used for non-relaybot users. + # Text msgtypes (m.text, m.notice and m.emote) support HTML, media msgtypes don't. # # Available variables: - # $sender_displayname - The display name of the sender (e.g. Example User) - # $sender_username - The username (Matrix ID localpart) of the sender (e.g. exampleuser) - # $sender_mxid - The Matrix ID of the sender (e.g. @exampleuser:example.com) - # $message - The message content as HTML + # $sender_displayname - The display name of the sender (e.g. Example User) + # $sender_username - The username (Matrix ID localpart) of the sender (e.g. exampleuser) + # $sender_mxid - The Matrix ID of the sender (e.g. @exampleuser:example.com) + # $distinguisher - A random string from the options in the relay_user_distinguishers array. 
+ # $message - The message content message_formats: - m.text: "$sender_displayname: $message" - m.notice: "$sender_displayname: $message" - m.emote: "* $sender_displayname $message" - m.file: "$sender_displayname sent a file: $message" - m.image: "$sender_displayname sent an image: $message" - m.audio: "$sender_displayname sent an audio file: $message" - m.video: "$sender_displayname sent a video: $message" - m.location: "$sender_displayname sent a location: $message" + m.text: "$distinguisher $sender_displayname: $message" + m.notice: "$distinguisher $sender_displayname: $message" + m.emote: "* $distinguisher $sender_displayname $message" + m.file: "$distinguisher $sender_displayname sent a file: $message" + m.image: "$distinguisher $sender_displayname sent an image: $message" + m.audio: "$distinguisher $sender_displayname sent an audio file: $message" + m.video: "$distinguisher $sender_displayname sent a video: $message" + m.location: "$distinguisher $sender_displayname sent a location: $message" # Telegram doesn't have built-in emotes, this field specifies how m.emote's from authenticated # users are sent to telegram. All fields in message_formats are supported. Additionally, the # Telegram user info is available in the following variables: 
@@ -265,14 +478,13 @@ bridge: # # Set format to an empty string to disable the messages for that event. state_event_formats: - join: "$displayname joined the room." - leave: "$displayname left the room." - name_change: "$prev_displayname changed their name to $displayname" + join: "$distinguisher $displayname joined the room." + leave: "$distinguisher $displayname left the room." + name_change: "$distinguisher $prev_displayname changed their name to $distinguisher $displayname" # Filter rooms that can/can't be bridged. Can also be managed using the `filter` and # `filter-mode` management commands. # - # Filters do not affect direct chats. # An empty blacklist will essentially disable the filter. filter: # Filter mode to use. Either "blacklist" or "whitelist". 
@@ -281,10 +493,30 @@ bridge: mode: {{ matrix_mautrix_telegram_filter_mode | to_json }} # The list of group/channel IDs to filter. list: [] + # How to handle direct chats: + # If users is "null", direct chats will follow the previous settings. + # If users is "true", direct chats will always be bridged. + # If users is "false", direct chats will never be bridged. + users: true # The prefix for commands. Only required in non-management rooms. command_prefix: {{ matrix_mautrix_telegram_command_prefix | to_json }} + # Messages sent upon joining a management room. + # Markdown is supported. The defaults are listed below. + management_room_text: + # Sent when joining a room. + welcome: "Hello, I'm a Telegram bridge bot." + # Sent when joining a management room and the user is already logged in. + welcome_connected: "Use `help` for help." + # Sent when joining a management room and the user is not logged in. + welcome_unconnected: "Use `help` for help or `login` to log in." + # Optional extra text sent when joining a management room. + additional_help: "" + + # Send each message separately (for readability in some clients) + management_room_multiple_messages: false + # Permissions for using the bridge. # Permitted values: # relaybot - Only use the bridge via the relaybot, no access to commands. @@ -333,6 +565,12 @@ telegram: # (Optional) Create your own bot at https://t.me/BotFather bot_token: {{ matrix_mautrix_telegram_bot_token|to_json }} + # Should the bridge request missed updates from Telegram when restarting? + catch_up: true + # Should incoming updates be handled sequentially to make sure order is preserved on Matrix? + sequential_updates: true + exit_on_update_error: false + # Telethon connection options. connection: # The timeout in seconds to be used when connecting. 
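Review bot: `exit_on_update_error: false` in the `telegram:` hunk is the only new key in this patch without an explanatory comment, while its neighbours `catch_up` and `sequential_updates` each get one; suggest adding `# Should the bridge exit when handling a Telegram update raises an error, instead of logging and continuing?` above it, adjusted to whatever upstream documents for the option. In the `bridge:` hunk, the `management_room_text` strings and `management_room_multiple_messages` are hard-coded like the rest of the file, which is consistent, but `filter.users: true` now decides whether direct chats are bridged at all and is the kind of policy setting operators tend to want exposed as a `matrix_mautrix_telegram_*` variable alongside the existing `matrix_mautrix_telegram_filter_mode`.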
@@ -354,6 +592,8 @@ telegram: # is not recommended, since some requests can always trigger a call fail (such as searching # for messages). request_retries: 5 + # Use IPv6 for Telethon connection + use_ipv6: false # Device info sent to Telegram. device_info: From 5c66485c991b8a79a62c105d35eab661da0c2e3e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 20 Jan 2024 15:40:56 +0200 Subject: [PATCH 041/118] Ensure matrix-bot-mjolnir container network is created Most addons live in the same network by default (matrix-addons) right now, so this network would have usually been created by some other addon. Howevre, if this is the only addon someone uses, it may have remained uncreated causing a problem. --- roles/custom/matrix-bot-mjolnir/tasks/setup_install.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/custom/matrix-bot-mjolnir/tasks/setup_install.yml b/roles/custom/matrix-bot-mjolnir/tasks/setup_install.yml index 3088fe8bd..085049bdd 100644 --- a/roles/custom/matrix-bot-mjolnir/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-mjolnir/tasks/setup_install.yml @@ -59,6 +59,11 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" +- name: Ensure matrix-bot-mjolnir container network is created + community.general.docker_network: + name: "{{ matrix_bot_mjolnir_container_network }}" + driver: bridge + - name: Ensure matrix-bot-mjolnir.service installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-bot-mjolnir.service.j2" From 55a8f2ee67b7e67e9b7258d6ea1faf1cd25dc10f Mon Sep 17 00:00:00 2001 From: SirHazza <31993698+SirHazza@users.noreply.github.com> Date: Sat, 20 Jan 2024 13:58:37 +0000 Subject: [PATCH 042/118] Added mention of nginx proxy manager in fronting the proxy doc --- docs/configuring-playbook-own-webserver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 2295ecb3a..74d0d06c6 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -181,7 +181,7 @@ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom: Such a configuration would expose all services on a local port `81` and Matrix Federation on a local port `8449`. -Your reverse-proxy configuration needs to send traffic to these ports. The [`examples/reverse-proxies` directory](../examples/reverse-proxies/) contains sample configuration for various webservers (Apache2, Caddy, HAproxy, nginx). +Your reverse-proxy configuration needs to send traffic to these ports. The [`examples/reverse-proxies` directory](../examples/reverse-proxies/) contains sample configuration for various webservers (Apache2, Caddy, HAproxy, nginx, Nginx Proxy Manager). It's important that these webservers proxy-pass requests to the correct place and also set the `Host` HTTP header appropriately. If you don't pass the `Host` header correctly, you would get a 404 not found error from Traefik. From 448484a6252b1591194fc6a060b681abd832b045 Mon Sep 17 00:00:00 2001 From: SirHazza <31993698+SirHazza@users.noreply.github.com> Date: Sat, 20 Jan 2024 13:59:58 +0000 Subject: [PATCH 043/118] Created dedicated guide on Nginx Proxy Manager --- .../nginx-proxy-manager/README.md | 80 +++++++++++++++++++ examples/reverse-proxies/nginx/README.md | 74 +---------------- 2 files changed, 81 insertions(+), 73 deletions(-) create mode 100644 examples/reverse-proxies/nginx-proxy-manager/README.md diff --git a/examples/reverse-proxies/nginx-proxy-manager/README.md b/examples/reverse-proxies/nginx-proxy-manager/README.md new file mode 100644 index 000000000..c349af2c8 --- /dev/null +++ b/examples/reverse-proxies/nginx-proxy-manager/README.md 
@@ -0,0 +1,80 @@ +# Nginx Proxy Manager fronting the playbook's integrated Traefik reverse-proxy + +Similar to standard nginx, [Nginx Proxy Manager](https://nginxproxymanager.com/) provides nginx capabilities but inside a pre-built Docker container. With the ability for managing proxy hosts and automatic SSL certificates via a simple web interface. + +This page summarizes how to use Nginx Proxy Manager (NPM) to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with another reverse-proxy. + + +## Prerequisite configuration + +To get started, first follow the [front the integrated reverse-proxy webserver with another reverse-proxy](../../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instructions and update your playbook's configuration (`inventory/host_vars/matrix./vars.yml`). + +If Matrix federation is enabled, then you will need to make changes to [NPM's Docker configuration](https://nginxproxymanager.com/guide/#quick-setup). By default NPM has access to ports 443, 80 and 81, but you would also need to **provide access to the federation ports** `8448` and `8449`. + + +## Using Nginx Proxy Manager + +You'll need to create two proxy hosts in NPM for matrix web and federation traffic. + +Open the 'Proxy Hosts' page in the NPM web interface and select `Add Proxy Host`, the first being for matrix web traffic. 
Apply the proxys configuration like this: + +```md +# Details +# Matrix web proxy config +Domain Names: matrix.DOMAIN +Scheme: http +Forward Hostname/IP: IP-ADDRESS-OF-YOUR-MATRIX +Forward Port: 81 + +# Custom locations +# Add one custom location +Define location: / +Scheme: http +Forward Hostname/IP: IP-ADDRESS-OF-YOUR-MATRIX +Forward Port: 81 +Custom config: + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Real-IP $remote_addr; + client_max_body_size 50M; + +# SSL +# Either 'Request a new certificate' or select an existing one +SSL Certificate: matrix.DOMAIN or *.DOMAIN +Force SSL: true +HTTP/2 Support: true +``` + +Again, under the 'Proxy Hosts' page select `Add Proxy Host`, this time for your federation traffic. Apply the proxys configuration like this: + +```md +# Details +# Matrix Federation proxy config +Domain Names: matrix.DOMAIN:8448 +Scheme: http +Forward Hostname/IP: IP-ADDRESS-OF-YOUR-MATRIX +Forward Port: 8449 + +# Custom locations +# Add one custom location +Define location: / +Scheme: http +Forward Hostname/IP: IP-ADDRESS-OF-YOUR-MATRIX +Forward Port: 8449 +Custom config: + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + client_max_body_size 50M; + +# SSL +# Either 'Request a new certificate' or select an existing one +SSL Certificate: matrix.DOMAIN or *.DOMAIN +Force SSL: true +HTTP/2 Support: true + +# Advanced +# Allows NPM to listen on the federation port +Custom Nginx Configuration: listen 8448 ssl http2; +``` + +Also note, NPM would need to be configured for whatever other services you are using. For example, you would need to create additional proxy hosts for `element.DOMAIN` or `jitsi.DOMAIN`, which would use the forwarding port `81`. \ No newline at end of file diff --git a/examples/reverse-proxies/nginx/README.md b/examples/reverse-proxies/nginx/README.md index 246d24ed3..fd7df72af 100644 
--- a/examples/reverse-proxies/nginx/README.md +++ b/examples/reverse-proxies/nginx/README.md 
@@ -14,76 +14,4 @@ Copy the [matrix.conf](matrix.conf) file to your nginx server's filesystem, modi This configuration **disables SSL certificate retrieval**, so you will **need to obtain SSL certificates manually** (e.g. by using [certbot](https://certbot.eff.org/)) and set the appropriate path in `matrix.conf`. In the example nginx configuration, a single certificate is used for all subdomains (`matrix.DOMAIN`, `element.DOMAIN`, etc.). For your setup, may wish to change this and use separate `server` blocks and separate certificate files for each host. -Also note that your copy of the `matrix.conf` file has to be adapted to whatever services you are using. For example, remove `element.domain.com` from the `server_name` list if you don't use [Element](../../../docs/configuring-playbook-client-element.md) web client or add `dimension.domain.com` to it if you do use the [Dimension](../../../docs/configuring-playbook-dimension.md) integration manager. - -## Using Nginx Proxy Manager - -Similar to standard nginx, [Nginx Proxy Manager](https://nginxproxymanager.com/) provides nginx capabilities but inside a pre-built Docker container. With the ability for managing proxy hosts and automatic SSL certificates via a simple web interface. - -If Matrix federation is enabled, then you will need to make changes to [NPM's Docker configuration](https://nginxproxymanager.com/guide/#quick-setup). By default NPM has access to ports 443, 80 and 81, but you would also need to **provide access to the fedderation ports** `8448` and `8449`. - - -### Creating proxy hosts in Nginx Proxy Manager - -Open the 'Proxy Hosts' page in the NPM web interface and select `Add Proxy Host`, the first being for matrix web traffic. 
Apply the proxys configuration like this: - -```md -# Details -# Matrix web proxy config -Domain Names: matrix.DOMAIN -Scheme: http -Forward Hostname/IP: IP-ADDRESS-OF-YOUR-MATRIX -Forward Port: 81 - -# Custom locations -# Add one custom location -Define location: / -Scheme: http -Forward Hostname/IP: IP-ADDRESS-OF-YOUR-MATRIX -Forward Port: 81 -Custom config: - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Real-IP $remote_addr; - client_max_body_size 50M; - -# SSL -# Either 'Request a new certificate' or select an existing one -SSL Certificate: matrix.DOMAIN or *.DOMAIN -Force SSL: true -HTTP/2 Support: true -``` - -Again, under the 'Proxy Hosts' page select `Add Proxy Host`, this time for your federation traffic. Apply the proxys configuration like this: - -```md -# Details -# Matrix Federation proxy config -Domain Names: matrix.DOMAIN:8448 -Scheme: http -Forward Hostname/IP: IP-ADDRESS-OF-YOUR-MATRIX -Forward Port: 8449 - -# Custom locations -# Add one custom location -Define location: / -Scheme: http -Forward Hostname/IP: IP-ADDRESS-OF-YOUR-MATRIX -Forward Port: 8449 -Custom config: - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - client_max_body_size 50M; - -# SSL -# Either 'Request a new certificate' or select an existing one -SSL Certificate: matrix.DOMAIN or *.DOMAIN -Force SSL: true -HTTP/2 Support: true - -# Advanced -# Allows NPM to listen on the federation port -Custom Nginx Configuration: listen 8448 ssl http2; -``` - -Also note, NPM would need to be configured for whatever other services you are using. For example, you would need to create additional proxy hosts for `element.DOMAIN` or `jitsi.DOMAIN`, which would use the forwarding port `81`. +Also note that your copy of the `matrix.conf` file has to be adapted to whatever services you are using. 
For example, remove `element.domain.com` from the `server_name` list if you don't use [Element](../../../docs/configuring-playbook-client-element.md) web client or add `dimension.domain.com` to it if you do use the [Dimension](../../../docs/configuring-playbook-dimension.md) integration manager. \ No newline at end of file From 60a01622cfbdbb328d979aac3206b6943b1803ef Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 20 Jan 2024 16:09:14 +0200 Subject: [PATCH 044/118] Minor improvements to the nginx-proxy-manager docs --- examples/reverse-proxies/nginx-proxy-manager/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/examples/reverse-proxies/nginx-proxy-manager/README.md b/examples/reverse-proxies/nginx-proxy-manager/README.md index c349af2c8..38de85897 100644 --- a/examples/reverse-proxies/nginx-proxy-manager/README.md +++ b/examples/reverse-proxies/nginx-proxy-manager/README.md 
@@ -2,14 +2,14 @@ Similar to standard nginx, [Nginx Proxy Manager](https://nginxproxymanager.com/) provides nginx capabilities but inside a pre-built Docker container. With the ability for managing proxy hosts and automatic SSL certificates via a simple web interface. -This page summarizes how to use Nginx Proxy Manager (NPM) to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with another reverse-proxy. +This page summarizes how to use Nginx Proxy Manager (NPM) to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver. ## Prerequisite configuration To get started, first follow the [front the integrated reverse-proxy webserver with another reverse-proxy](../../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instructions and update your playbook's configuration (`inventory/host_vars/matrix./vars.yml`). -If Matrix federation is enabled, then you will need to make changes to [NPM's Docker configuration](https://nginxproxymanager.com/guide/#quick-setup). By default NPM has access to ports 443, 80 and 81, but you would also need to **provide access to the federation ports** `8448` and `8449`. +If Matrix federation is enabled, then you will need to make changes to [NPM's Docker configuration](https://nginxproxymanager.com/guide/#quick-setup). By default NPM already exposes ports `80` and `443`, but you would also need to **additionally expose the Matrix Federation port** (as it appears on the public side): `8448`. ## Using Nginx Proxy Manager 
@@ -77,4 +77,4 @@ HTTP/2 Support: true Custom Nginx Configuration: listen 8448 ssl http2; ``` -Also note, NPM would need to be configured for whatever other services you are using. For example, you would need to create additional proxy hosts for `element.DOMAIN` or `jitsi.DOMAIN`, which would use the forwarding port `81`. \ No newline at end of file +Also note, NPM would need to be configured for whatever other services you are using. For example, you would need to create additional proxy hosts for `element.DOMAIN` or `jitsi.DOMAIN`, which would use the forwarding port `81`. From ecb5591743d1cc8e76194606fe5a2b30a49e1085 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 22 Jan 2024 14:36:05 +0200 Subject: [PATCH 045/118] Upgrade sliding-sync (v0.99.14 -> v0.99.15) --- roles/custom/matrix-sliding-sync/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-sliding-sync/defaults/main.yml b/roles/custom/matrix-sliding-sync/defaults/main.yml index 31e4e3e59..f7028f120 100644 --- a/roles/custom/matrix-sliding-sync/defaults/main.yml +++ b/roles/custom/matrix-sliding-sync/defaults/main.yml @@ -6,7 +6,7 @@ matrix_sliding_sync_enabled: true # renovate: datasource=docker depName=ghcr.io/matrix-org/sliding-sync -matrix_sliding_sync_version: v0.99.14 +matrix_sliding_sync_version: v0.99.15 matrix_sliding_sync_scheme: https From e2a4f119f1618d6b100cc9e8ff117a18c709aad8 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 23 Jan 2024 01:50:56 +0000 Subject: [PATCH 046/118] chore(deps): update joseluisq/static-web-server docker tag to v2.25.0 --- roles/custom/matrix-cactus-comments-client/defaults/main.yml | 2 +- roles/custom/matrix-static-files/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/roles/custom/matrix-cactus-comments-client/defaults/main.yml b/roles/custom/matrix-cactus-comments-client/defaults/main.yml index df20cbeaf..66662aad6 100644 --- a/roles/custom/matrix-cactus-comments-client/defaults/main.yml +++ b/roles/custom/matrix-cactus-comments-client/defaults/main.yml @@ -13,7 +13,7 @@ matrix_cactus_comments_client_public_path: "{{ matrix_cactus_comments_client_bas matrix_cactus_comments_client_public_path_file_permissions: "0644" # renovate: datasource=docker depName=joseluisq/static-web-server -matrix_cactus_comments_client_version: 2.24.2 +matrix_cactus_comments_client_version: 2.25.0 matrix_cactus_comments_client_container_image: "{{ matrix_container_global_registry_prefix }}joseluisq/static-web-server:{{ matrix_cactus_comments_client_container_image_tag }}" matrix_cactus_comments_client_container_image_tag: "{{ 'latest' if matrix_cactus_comments_client_version == 'latest' else (matrix_cactus_comments_client_version + '-alpine') }}" diff --git a/roles/custom/matrix-static-files/defaults/main.yml b/roles/custom/matrix-static-files/defaults/main.yml index 75c87494a..16f0c7d58 100644 --- a/roles/custom/matrix-static-files/defaults/main.yml +++ b/roles/custom/matrix-static-files/defaults/main.yml @@ -8,7 +8,7 @@ matrix_static_files_enabled: true matrix_static_files_identifier: matrix-static-files # renovate: datasource=docker depName=joseluisq/static-web-server -matrix_static_files_version: 2.24.2 +matrix_static_files_version: 2.25.0 matrix_static_files_base_path: "{{ matrix_base_data_path }}/{{ 'static-files' if matrix_static_files_identifier == 'matrix-static-files' else matrix_static_files_identifier }}" matrix_static_files_config_path: "{{ matrix_static_files_base_path }}/config" From 2536b15aeda8fd3403759da36308bc3c07a4e495 Mon Sep 17 00:00:00 2001 
From: darksnakezero Date: Tue, 23 Jan 2024 09:51:32 +0100 Subject: [PATCH 047/118] Added docu on how to host another server behind traefik. (#3120) * Update configuring-playbook-traefik.md Added docu on how to host another server behind traefik. * Added MASH and docker options Added the link to mash and the compatibility adjustments. Mentioned the preferred method with docker containers. Some rephrasing to make clear, the intended guide is for reverse proxying non-docker services. * Improve wording in configuring-playbook-traefik.md --------- Co-authored-by: Slavi Pantaleev --- docs/configuring-playbook-traefik.md | 91 +++++++++++++++++++++++++++- 1 file changed, 90 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-traefik.md b/docs/configuring-playbook-traefik.md index 0485742da..5f4753891 100644 --- a/docs/configuring-playbook-traefik.md +++ b/docs/configuring-playbook-traefik.md 
@@ -35,7 +35,7 @@ devture_traefik_dashboard_basicauth_user: YOUR_USERNAME_HERE devture_traefik_dashboard_basicauth_password: YOUR_PASSWORD_HERE ``` -**WARNING**: enabling the dashboard on a hostname you use for something else (like `matrix_server_fqn_matrix` in the configuration above) may cause conflicts. Enabling the Traefik Dashboard makes Traefik capture all `/dashboard` and `/api` requests and forward them to itself. If any of the services hosted on the same hostname requires any of these 2 URL prefixes, you will experience problems. So far, we're not aware of any playbook services which occupy these endpoints and are likely to cause conflicts. +**WARNING**: Enabling the dashboard on a hostname you use for something else (like `matrix_server_fqn_matrix` in the configuration above) may cause conflicts. Enabling the Traefik Dashboard makes Traefik capture all `/dashboard` and `/api` requests and forward them to itself. If any of the services hosted on the same hostname requires any of these 2 URL prefixes, you will experience problems. So far, we're not aware of any playbook services which occupy these endpoints and are likely to cause conflicts. ## Additional configuration 
@@ -48,3 +48,92 @@ devture_traefik_configuration_extension_yaml: | api: dashboard: true ``` + +## Reverse-proxying another service behind Traefik + +The preferred way to reverse-proxy additional services behind Traefik would be to start the service as another container, configure the container with the corresponding Traefik [container labels](https://docs.docker.com/config/labels-custom-metadata/) (see [Traefik & Docker](https://doc.traefik.io/traefik/routing/providers/docker/)), and connect the service to the `traefik` network. Some services are also already available via the compatible [mash-playbook](https://github.com/mother-of-all-self-hosting/mash-playbook), but take a look at the minor [interoperability adjustments](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/interoperability.md). + +However, if your service does not run on a container or runs on another machine, the following configuration might be what you are looking for. + +## Reverse-proxying a remote HTTP/HTTPS service behind Traefik + +If you want to host another webserver would be reachable via `my-fancy-website.mydomain.com` from the internet and via `https://:` from inside your network, you can make the playbook's integrated Traefik instance reverse-proxy the traffic to the correct host. + +Prerequisites: DNS and routing for the domain `my-fancy-website.mydomain.com` need to be set up correctly. In this case, you'd be pointing the domain name to your Matrix server - `my-fancy-website.mydomain.com` would be a CNAME going to `matrix.example.com`. + +First, we have to adjust the static configuration of Traefik, so that we can add additional configuration files: + +```yaml +# We enable all config files in the /config/ folder to be loaded. +# `/config` is the path as it appears in the Traefik container. +# On the host, it's actually `/matrix/traefik/config` (as defined in `devture_traefik_config_dir_path`). 
+devture_traefik_configuration_extension_yaml: | + providers: + file: + directory: /config/ + watch: true + filename: "" +``` + +If you are using a self-signed certificate on your webserver, you can tell Traefik to trust your own backend servers by adding more configuration to the static configuration file. If you do so, bear in mind the security implications of disabling the certificate validity checks towards your back end. + +```yaml +# We enable all config files in the /config/ folder to be loaded and +devture_traefik_configuration_extension_yaml: | + providers: + file: + directory: /config/ + watch: true + filename: "" + serversTransport: + insecureSkipVerify: true +``` + + +Next, you have to add a new dynamic configuration file for Traefik that contains the actual information of the server using the `aux_file_definitions` variable. In this example, we will terminate SSL at the Traefik instance and connect to the other server via HTTPS. Traefik will now take care of managing the certificates. + +```yaml +aux_file_definitions: + - dest: "{{ devture_traefik_config_dir_path }}/provider_my_fancy_website.yml" + content: | + http: + routers: + webserver-router: + rule: Host(`my_fancy_website.mydomain.com`) + service: webserver-service + tls: + certResolver: default + services: + webserver-service: + loadBalancer: + servers: + - url: "https://:" +``` +Changing the `url` to one with an `http://` prefix would allow to connect to the server via HTTP. + +## Reverse-proxying another service behind Traefik without terminating SSL + +If you do not want to terminate SSL at the Traefik instance (for example, because you're already terminating SSL at other webserver), you need to adjust the static configuration in the same way as in the previous chapter in order to be able to add our own dynamic configuration files. 
Afterwards, you can add the following configuration to your `vars.yml` configuration file: + +```yaml +aux_file_definitions: + - dest: "{{ devture_traefik_config_dir_path }}/providers_my_fancy_website.yml" + content: | + tcp: + routers: + webserver-router: + rule: Host(`my_fancy_website.mydomain.com`) + service: webserver-service + tls: + passthrough: true + services: + webserver-service: + loadBalancer: + servers: + - url: "https://:" +``` +Changing the `url` to one with an `http://` prefix would allow to connect to the server via HTTP. + +With these changes, all TCP traffic will be reverse-proxied to the target system. + +**WARNING**: This configuration might lead to problems or need additional steps when a [certbot](https://certbot.eff.org/) behind Traefik also tries to manage [Let's Encrypt](https://letsencrypt.org/) certificates, as Traefik captures all traffic to ```PathPrefix(`/.well-known/acme-challenge/`)```. From af86ec6dbf3a01240e4d40d84d42895f9776bb95 Mon Sep 17 00:00:00 2001 From: mcnesium Date: Tue, 23 Jan 2024 11:09:52 +0100 Subject: [PATCH 048/118] fix setting root path because the script moved one level up in 2f457b2a --- bin/ansible-all-hosts.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/ansible-all-hosts.sh b/bin/ansible-all-hosts.sh index 4929e1050..c4b903162 100755 --- a/bin/ansible-all-hosts.sh +++ b/bin/ansible-all-hosts.sh @@ -8,7 +8,7 @@ # # set playbook root path -root=$(dirname "$(readlink -f "$0")")/../.. +root=$(dirname "$(readlink -f "$0")")/.. # set default tags or get from first argument if any tags="${1:-setup-all,start}" From 35d22fdba39d6929f40440fda463991f84203ef0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 23 Jan 2024 08:58:25 +0200 Subject: [PATCH 049/118] Upgrade playbook_help Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2448 --- requirements.yml | 2 +- setup.yml | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) 
diff --git a/requirements.yml b/requirements.yml index 9b557b48c..af1dfde24 100644 --- a/requirements.yml +++ b/requirements.yml @@ -31,7 +31,7 @@ version: v2.8.0-1 name: ntfy - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git - version: c1f40e82b4d6b072b6f0e885239322bdaaaf554f + version: 201c939eed363de269a83ba29784fc3244846048 name: playbook_help - src: git+https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages.git version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6 diff --git a/setup.yml b/setup.yml index ea5070aa6..beb0b0a58 100644 --- a/setup.yml +++ b/setup.yml @@ -6,6 +6,9 @@ roles: # Most of the roles below are not distributed with the playbook, but downloaded separately using `ansible-galaxy` via the `just roles` command (see `justfile`). - role: galaxy/playbook_help + tags: + - setup-all + - install-all - role: galaxy/systemd_docker_base From 01b9a09863cf88a89d952b522459cd9f702b758f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 23 Jan 2024 15:55:24 +0200 Subject: [PATCH 050/118] Intentionally start Coturn after the homeserver when devture_systemd_service_manager_service_restart_mode is 'one-by-one' --- group_vars/matrix_servers | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 19da2c483..14747eb0c 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
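Review bot: The new `tags` on `galaxy/playbook_help` in setup.yml carry no explanation, and nothing in the hunk says why this role alone needs them. Role-level tags apply to every task in the role, so the visible effect is that the role now also runs when a tagged run selects `setup-all` or `install-all` (untagged tasks are skipped in tagged runs); a comment such as `# Tagged so the help output also runs under --tags=setup-all / install-all, not only in untagged runs` above `tags:` would make that intent explicit for the next reader. The roles list continues outside the hunk, so I cannot see whether neighbouring roles are tagged the same way.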
@@ -224,6 +224,12 @@ matrix_homeserver_sliding_sync_url: "{{ matrix_sliding_sync_base_url if matrix_s # (see `matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled`) # - core services (the homeserver) get a level of ~1000 # - services that the homeserver depends on (database, Redis, ntfy, Coturn, etc.) get a lower level - between 500 and 1000 +# - Coturn gets a higher level if `devture_systemd_service_manager_service_restart_mode == 'one-by-one'` to intentionally delay it, because: +# - starting services one by one means that the service manager role waits for each service to fully start before proceeding to the next one +# - if Coturn has a lower priority than the homeserver, it would be started before it +# - since Coturn is started before the homeserver, there's no container label telling Traefik to get a `matrix.DOMAIN` certificate +# - thus, Coturn would spin and wait for a certificate until it fails. We'd get a playbook failure due to it, but service manager will proceed to start all other services anyway. +# - only later, when the homeserver actually starts, would that certificate be fetched and dumped # - reverse-proxying services get level 3000 # - Matrix utility services (bridges, bots) get a level of 2000/2200, so that: # - they can start before the reverse-proxy @@ -330,7 +336,7 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-corporal.service', 'priority': 1500, 'groups': ['matrix', 'corporal']}] if matrix_corporal_enabled else []) + - ([{'name': 'matrix-coturn.service', 'priority': 900, 'groups': ['matrix', 'coturn']}] if matrix_coturn_enabled else []) + ([{'name': 'matrix-coturn.service', 'priority': (900 if devture_systemd_service_manager_service_restart_mode == 'clean-stop-start' else 1500), 'groups': ['matrix', 'coturn']}] if matrix_coturn_enabled else []) + ([{'name': 'matrix-rageshake.service', 'priority': 4000, 'groups': ['matrix', 'rageshake']}] if matrix_rageshake_enabled else []) + 
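Review bot: The new Coturn priority expression checks `== 'clean-stop-start'` and falls through to 1500 for every other value, while the comment added in the first hunk describes the delay as applying when the mode is `'one-by-one'`; the two are only equivalent if those are the sole two modes, which the hunk does not establish, and any other or mistyped mode value would silently delay Coturn. Matching the code to the documented rule is a one-token change: `'priority': (1500 if devture_systemd_service_manager_service_restart_mode == 'one-by-one' else 900)`. Note that 1500 is the same priority the corporal entry on the line above uses; if a strict ordering between them matters, a distinct value would be clearer. The `devture_systemd_service_manager_services_list_auto` definition starts and ends outside the hunk.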
From 07a77cb4d396dd565da4b2f69f3d4db8a9833c57 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 23 Jan 2024 16:43:23 +0200 Subject: [PATCH 051/118] Auto-enable metrics for services when matrix_metrics_exposure_enabled, even when not hosting Prometheus Previously, we only enabled metrics when the playbook was installing Prometheus (as indicated by `prometheus_enabled`). We are exposing metrics when `matrix_metrics_exposure_enabled` is toggled to `true` though, but people need to toggle various `_metrics_enabled` variables to make services actually serve metrics. No more. If `matrix_metrics_exposure_enabled` is `true`, we'll automatically enable metrics for all services. --- group_vars/matrix_servers | 29 +++++++++++++---------------- 1 file changed, 13 insertions(+), 16 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 14747eb0c..df5b12ebb 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1004,7 +1004,7 @@ matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_pro matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}" -matrix_mautrix_facebook_metrics_enabled: "{{ prometheus_enabled }}" +matrix_mautrix_facebook_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}" matrix_mautrix_facebook_metrics_proxying_enabled: "{{ matrix_mautrix_facebook_metrics_enabled and matrix_metrics_exposure_enabled }}" matrix_mautrix_facebook_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}" 
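Review bot: The expression `prometheus_enabled or matrix_metrics_exposure_enabled` is now repeated verbatim for nine bridges (this hunk plus the googlechat, hangouts, instagram, signal, telegram, twitter, gmessages and whatsapp hunks that follow); one intermediate such as `matrix_metrics_auto_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"` (constructed name) referenced from each `_metrics_enabled` line would keep them from drifting the next time the rule changes. Operationally this widens what `matrix_metrics_exposure_enabled` does: once it is true, every bridge serves metrics and, through the unchanged `_metrics_proxying_enabled` lines, publishes them on `matrix_metrics_exposure_hostname`. The commit does not touch how that hostname is protected, so the documentation for `matrix_metrics_exposure_enabled` should state that enabling it now exposes all bridges' metrics and that the exposure endpoint is expected to be kept authenticated.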
@@ -1073,7 +1073,7 @@ matrix_mautrix_googlechat_homeserver_token: "{{ '%s' | format(matrix_homeserver_ matrix_mautrix_googlechat_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -matrix_mautrix_googlechat_metrics_enabled: "{{ prometheus_enabled }}" +matrix_mautrix_googlechat_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}" matrix_mautrix_googlechat_metrics_proxying_enabled: "{{ matrix_mautrix_googlechat_metrics_enabled and matrix_metrics_exposure_enabled }}" matrix_mautrix_googlechat_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}" @@ -1141,7 +1141,7 @@ matrix_mautrix_hangouts_homeserver_token: "{{ '%s' | format(matrix_homeserver_ge matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -matrix_mautrix_hangouts_metrics_enabled: "{{ prometheus_enabled }}" +matrix_mautrix_hangouts_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}" matrix_mautrix_hangouts_metrics_proxying_enabled: "{{ matrix_mautrix_hangouts_metrics_enabled and matrix_metrics_exposure_enabled }}" matrix_mautrix_hangouts_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}" 
@@ -1207,7 +1207,7 @@ matrix_mautrix_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_pr matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}" -matrix_mautrix_instagram_metrics_enabled: "{{ prometheus_enabled }}" +matrix_mautrix_instagram_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}" matrix_mautrix_instagram_metrics_proxying_enabled: "{{ matrix_mautrix_instagram_metrics_enabled and matrix_metrics_exposure_enabled }}" matrix_mautrix_instagram_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}" @@ -1272,7 +1272,7 @@ matrix_mautrix_signal_appservice_token: "{{ '%s' | format(matrix_homeserver_gene matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -matrix_mautrix_signal_metrics_enabled: "{{ prometheus_enabled }}" +matrix_mautrix_signal_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}" matrix_mautrix_signal_metrics_proxying_enabled: "{{ matrix_mautrix_signal_metrics_enabled and matrix_metrics_exposure_enabled }}" matrix_mautrix_signal_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}" 
@@ -1343,7 +1343,7 @@ matrix_mautrix_telegram_homeserver_token: "{{ '%s' | format(matrix_homeserver_ge
 matrix_mautrix_telegram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
-matrix_mautrix_telegram_metrics_enabled: "{{ prometheus_enabled }}"
+matrix_mautrix_telegram_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
 matrix_mautrix_telegram_metrics_proxying_enabled: "{{ matrix_mautrix_telegram_metrics_enabled and matrix_metrics_exposure_enabled }}"
 matrix_mautrix_telegram_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}"
@@ -1406,7 +1406,7 @@ matrix_mautrix_twitter_homeserver_token: "{{ '%s' | format(matrix_homeserver_gen
 matrix_mautrix_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
-matrix_mautrix_twitter_metrics_enabled: "{{ prometheus_enabled }}"
+matrix_mautrix_twitter_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
 matrix_mautrix_twitter_metrics_proxying_enabled: "{{ matrix_mautrix_twitter_metrics_enabled and matrix_metrics_exposure_enabled }}"
 matrix_mautrix_twitter_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}"
@@ -1467,7 +1467,7 @@ matrix_mautrix_gmessages_homeserver_token: "{{ '%s' | format(matrix_homeserver_g
 matrix_mautrix_gmessages_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
-matrix_mautrix_gmessages_metrics_enabled: "{{ prometheus_enabled }}"
+matrix_mautrix_gmessages_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
 matrix_mautrix_gmessages_metrics_proxying_enabled: "{{ matrix_mautrix_gmessages_metrics_enabled and matrix_metrics_exposure_enabled }}"
 matrix_mautrix_gmessages_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}"
@@ -1580,7 +1580,7 @@ matrix_mautrix_whatsapp_homeserver_token: "{{ '%s' | format(matrix_homeserver_ge
 matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
-matrix_mautrix_whatsapp_metrics_enabled: "{{ prometheus_enabled }}"
+matrix_mautrix_whatsapp_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
 matrix_mautrix_whatsapp_metrics_proxying_enabled: "{{ matrix_mautrix_whatsapp_metrics_enabled and matrix_metrics_exposure_enabled }}"
 matrix_mautrix_whatsapp_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}"
@@ -1722,8 +1722,7 @@ matrix_hookshot_container_labels_traefik_tls_certResolver: "{{ devture_traefik_c
 matrix_hookshot_provisioning_enabled: "{{ matrix_hookshot_provisioning_secret and matrix_dimension_enabled }}"
-# We only enable metrics (locally, in the container network) for the bridge if Prometheus is enabled.
-matrix_hookshot_metrics_enabled: "{{ prometheus_enabled }}"
+matrix_hookshot_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
 matrix_hookshot_metrics_proxying_enabled: "{{ matrix_hookshot_metrics_enabled and matrix_metrics_exposure_enabled }}"
 matrix_hookshot_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}"
@@ -3617,8 +3616,7 @@ devture_postgres_backup_databases: "{{ devture_postgres_managed_databases | map(
 # Most people don't need their own push-server, because they also need their own app to utilize it from.
 matrix_sygnal_enabled: false
-# If someone instals Prometheus via the playbook, they most likely wish to monitor Sygnal.
-matrix_sygnal_metrics_prometheus_enabled: "{{ prometheus_enabled }}"
+matrix_sygnal_metrics_prometheus_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
 matrix_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}"
@@ -3948,8 +3946,7 @@ matrix_synapse_tls_private_key_path: ~
 matrix_synapse_federation_port_openid_resource_required: "{{ not matrix_synapse_federation_enabled and (matrix_dimension_enabled or matrix_ma1sd_enabled or matrix_user_verification_service_enabled) }}"
-# If someone instals Prometheus via the playbook, they most likely wish to monitor Synapse.
-matrix_synapse_metrics_enabled: "{{ prometheus_enabled }}"
+matrix_synapse_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
 matrix_synapse_metrics_proxying_enabled: "{{ matrix_synapse_metrics_enabled and matrix_metrics_exposure_enabled }}"
 matrix_synapse_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}"
@@ -4616,7 +4613,7 @@ matrix_dendrite_container_labels_public_federation_api_traefik_tls: "{{ matrix_f matrix_dendrite_container_labels_public_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}" matrix_dendrite_container_labels_public_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}" -matrix_dendrite_metrics_enabled: "{{ prometheus_enabled }}" +matrix_dendrite_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}" matrix_dendrite_metrics_proxying_enabled: "{{ matrix_dendrite_metrics_enabled and matrix_metrics_exposure_enabled }}" matrix_dendrite_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}" From 6ee7fbceae74914eafd90039eedb9e302399259b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 23 Jan 2024 17:19:24 +0200 Subject: [PATCH 052/118] Upgrade prometheus-node-exporter (v1.7.0-2 -> v1.7.0-3) The new version drops support for the legacy basic auth method (`prometheus_node_exporter_basicauth_*` variables). --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index af1dfde24..072fd84f2 100644 --- a/requirements.yml +++ b/requirements.yml @@ -49,7 +49,7 @@ version: v2.49.1-0 name: prometheus - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git - version: v1.7.0-2 + version: v1.7.0-3 name: prometheus_node_exporter - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git version: v0.14.0-3 From 82faab928f230cf0cfa985788d20206ff88cdc20 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Tue, 23 Jan 2024 17:55:45 +0200 Subject: [PATCH 053/118] Upgrade prometheus-postgres-exporter (v0.14.0-3 -> v0.14.0-4) The new version drops support for the legacy basic auth method (`prometheus_postgres_exporter_basicauth_*` variables). --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 072fd84f2..caaea8639 100644 --- a/requirements.yml +++ b/requirements.yml @@ -52,7 +52,7 @@ version: v1.7.0-3 name: prometheus_node_exporter - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git - version: v0.14.0-3 + version: v0.14.0-4 name: prometheus_postgres_exporter - src: git+https://gitlab.com/etke.cc/roles/redis.git version: v7.2.3-2 From 9dd33263e0b7adbaf26aabf127ca48fee8a62283 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 23 Jan 2024 20:05:58 +0200 Subject: [PATCH 054/118] Upgrade Grafana (v10.2.3-0 -> v10.3.1-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index caaea8639..ae08139ea 100644 --- a/requirements.yml +++ b/requirements.yml @@ -22,7 +22,7 @@ version: v4.97-r0-0-1 name: exim_relay - src: git+https://gitlab.com/etke.cc/roles/grafana.git - version: v10.2.3-0 + version: v10.3.1-0 name: grafana - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git version: v9111-1 From c4992ca018cbf676c5b69ad0949579e880a16658 Mon Sep 17 00:00:00 2001 
From: Catalan Lover Date: Wed, 24 Jan 2024 15:26:05 +0100 Subject: [PATCH 055/118] Explicitly Declare Draupnir and Mjolnir Config and enter Bot Mode This should resolve [#2296](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2296) by fixing the noted issue. This also paves the way for working on D4A mode in the future, but that would require a rework of how these variables are done. --- .../templates/systemd/matrix-bot-draupnir.service.j2 | 3 ++- .../templates/systemd/matrix-bot-mjolnir.service.j2 | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2 b/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2 index b9a0912fa..7a88d2d3f 100644 --- a/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2 +++ b/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2 @@ -29,7 +29,8 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ {% for arg in matrix_bot_draupnir_container_extra_arguments %} {{ arg }} \ {% endfor %} - {{ matrix_bot_draupnir_docker_image }} + {{ matrix_bot_draupnir_docker_image }} \ + bot --draupnir-config /data/config/production.yaml {% for network in matrix_bot_draupnir_container_additional_networks %} ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-bot-draupnir diff --git a/roles/custom/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 b/roles/custom/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 index 8c131e3c0..b87601891 100644 --- a/roles/custom/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 +++ b/roles/custom/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2
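Review bot: The added `bot --draupnir-config /data/config/production.yaml` line hard-codes both the subcommand and the in-container config path without a comment saying why an explicit command is now passed (the commit message points at issue #2296; the template does not); a Jinja comment above it, `{# Run in explicit bot mode with a fixed config path; see issue #2296 #}`, would keep that context in the unit. The path has to match the bind-mount destination declared earlier in the same `ExecStartPre=` command, which lies outside the hunk, so it is worth checking that the mount target really is `/data/config` and not a templated path. The matrix-bot-mjolnir hunk makes the identical change and would take the same comment.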
@@ -29,7 +29,8 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ {% for arg in matrix_bot_mjolnir_container_extra_arguments %} {{ arg }} \ {% endfor %} - {{ matrix_bot_mjolnir_docker_image }} + {{ matrix_bot_mjolnir_docker_image }} \ + bot --mjolnir-config /data/config/production.yaml {% for network in matrix_bot_mjolnir_container_additional_networks %} ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-bot-mjolnir From c2ba5c6412822b9af4bd5c1bdf71f1d6fcc6637e Mon Sep 17 00:00:00 2001 From: Jost Alemann Date: Wed, 24 Jan 2024 19:22:35 +0100 Subject: [PATCH 056/118] add missing ' in config --- docs/configuring-playbook-own-webserver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 74d0d06c6..702103670 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -169,7 +169,7 @@ devture_traefik_config_entrypoint_web_forwardedHeaders_insecure: true # If your reverse-proxy runs on another machine, consider: # - using `0.0.0.0:8449`, just `8449` or `SOME_IP_ADDRESS_OF_THIS_MACHINE:8449` below # - adjusting `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom` (below) - removing `insecure: true` and enabling/configuring `trustedIPs` -matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: 127.0.0.1:8449 +matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: '127.0.0.1:8449' # Depending on the value of `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port` above, # this may need to be reconfigured. See the comments above. From bd027159b10e3e8bd912e2a189a212c9d2ec7ec8 Mon Sep 17 00:00:00 2001 
From: Michael Hollister Date: Wed, 24 Jan 2024 13:14:34 -0600 Subject: [PATCH 057/118] Added extra systemd service arguments to synapse workers and proxy companion --- .../defaults/main.yml | 14 +++++++++ ...synapse-reverse-proxy-companion.service.j2 | 3 ++ roles/custom/matrix-synapse/defaults/main.yml | 17 ++++++++++ .../workers/util/setup_files_for_worker.yml | 1 + .../systemd/matrix-synapse-worker.service.j2 | 31 +++++++++++++++++++ .../synapse/systemd/matrix-synapse.service.j2 | 3 ++ 6 files changed, 69 insertions(+) diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml index f480f2891..d0638a244 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml 
@@ -116,6 +116,20 @@ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_tr # another.label="here" matrix_synapse_reverse_proxy_companion_container_labels_additional_labels: '' +# A list of extra arguments to pass to the container +# Also see `matrix_synapse_reverse_proxy_companion_container_arguments` +matrix_synapse_reverse_proxy_companion_container_extra_arguments: [] + +# matrix_synapse_reverse_proxy_companion_container_extra_arguments_auto is a list of extra arguments to pass to the container. +# This list is managed by the playbook. You're not meant to override this variable. +# If you'd like to inject your own arguments, see `matrix_synapse_reverse_proxy_companion_container_extra_arguments`. +matrix_synapse_reverse_proxy_companion_container_extra_arguments_auto: [] + +# matrix_synapse_reverse_proxy_companion_container_arguments holds the final list of extra arguments to pass to the container. +# You're not meant to override this variable. +# If you'd like to inject your own arguments, see `matrix_synapse_reverse_proxy_companion_container_extra_arguments`. +matrix_synapse_reverse_proxy_companion_container_arguments: "{{ matrix_synapse_reverse_proxy_companion_container_extra_arguments + matrix_synapse_reverse_proxy_companion_container_extra_arguments_auto }}" + # The amount of worker processes and connections # Consider increasing these when you are expecting high amounts of traffic # http://nginx.org/en/docs/ngx_core_module.html#worker_connections diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2 index 1afb81c89..3e1732369 100755 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2 
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2
@@ -37,6 +37,9 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 --mount type=bind,src={{ matrix_synapse_reverse_proxy_companion_base_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \
 --mount type=bind,src={{ matrix_synapse_reverse_proxy_companion_confd_path }},dst=/etc/nginx/conf.d,ro \
 --label-file={{ matrix_synapse_reverse_proxy_companion_base_path }}/labels \
+ {% for arg in matrix_synapse_reverse_proxy_companion_container_arguments %}
+ {{ arg }} \
+ {% endfor %}
 {{ matrix_synapse_reverse_proxy_companion_container_image }}
 {% for network in matrix_synapse_reverse_proxy_companion_container_additional_networks %}
diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml
index dd4ac05a2..eecd061b8 100644
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -296,6 +296,10 @@ matrix_synapse_container_extra_arguments_auto: []
 # If you'd like to inject your own arguments, see `matrix_synapse_container_extra_arguments`.
 matrix_synapse_container_arguments: "{{ matrix_synapse_container_extra_arguments + matrix_synapse_container_extra_arguments_auto }}"
+# matrix_synapse_container_master_extra_arguments contains arguments specific to the master process whereas
+# matrix_synapse_container_extra_arguments contains arguments the apply to all synapse worker processes.
+matrix_synapse_container_master_extra_arguments: []
+
 # List of systemd services that matrix-synapse.service depends on
 matrix_synapse_systemd_required_services_list: "{{ matrix_synapse_systemd_required_services_list_default + matrix_synapse_systemd_required_services_list_auto + matrix_synapse_systemd_required_services_list_custom }}"
 matrix_synapse_systemd_required_services_list_default: ['docker.service']
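Review bot: The new loop writes each element of `matrix_synapse_reverse_proxy_companion_container_arguments` verbatim and unquoted into the `ExecStartPre=` command, so systemd applies its own word-splitting and quote handling to it: an element containing a space becomes several `docker create` arguments, and an element with an unbalanced quote breaks the unit. This mirrors the existing `matrix_synapse_container_arguments` loop in matrix-synapse.service.j2, but neither place says so; a comment on `matrix_synapse_reverse_proxy_companion_container_extra_arguments` in defaults/main.yml, `# Each element is written as-is into the systemd unit's ExecStartPre line, so keep each one a single argument and quote it the way systemd expects.`, would prevent surprises. The `ExecStartPre=` command this loop sits in starts before the hunk.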
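Review bot: The comment on `matrix_synapse_container_master_extra_arguments` is inaccurate as well as mistyped ("the apply"): `matrix_synapse_container_extra_arguments` feeds `matrix_synapse_container_arguments`, which the matrix-synapse.service.j2 hunk in this same patch loops over for the main process as well, so it applies to every Synapse process, not only to workers. Suggest `# matrix_synapse_container_master_extra_arguments holds extra arguments passed only to the main (master) Synapse process,` followed by `# whereas matrix_synapse_container_extra_arguments applies to every Synapse process (master and all workers).`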
@@ -769,26 +773,31 @@ matrix_synapse_worker_container_labels_additional_labels: ''
 matrix_synapse_workers_room_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['room_workers_count'] }}"
 matrix_synapse_workers_room_workers_port_range_start: 28111
 matrix_synapse_workers_room_workers_metrics_range_start: 29111
+matrix_synapse_workers_room_workers_container_arguments: []
 # Sync workers
 matrix_synapse_workers_sync_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['sync_workers_count'] }}"
 matrix_synapse_workers_sync_workers_port_range_start: 28211
 matrix_synapse_workers_sync_workers_metrics_range_start: 29211
+matrix_synapse_workers_sync_workers_container_arguments: []
 # Client reader workers
 matrix_synapse_workers_client_reader_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['client_reader_workers_count'] }}"
 matrix_synapse_workers_client_reader_workers_port_range_start: 28311
 matrix_synapse_workers_client_reader_workers_metrics_range_start: 29311
+matrix_synapse_workers_client_reader_workers_container_arguments: []
 # Federation reader workers
 matrix_synapse_workers_federation_reader_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['federation_reader_workers_count'] }}"
 matrix_synapse_workers_federation_reader_workers_port_range_start: 28411
 matrix_synapse_workers_federation_reader_workers_metrics_range_start: 29411
+matrix_synapse_workers_federation_reader_workers_container_arguments: []
 # Generic workers
 matrix_synapse_workers_generic_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['generic_workers_count'] }}"
 matrix_synapse_workers_generic_workers_port_range_start: 18111
 matrix_synapse_workers_generic_workers_metrics_range_start: 19111
+matrix_synapse_workers_generic_workers_container_arguments: []
 # matrix_synapse_workers_stream_writer_events_stream_workers_count controls how many stream writers that handle
the `events` stream to spawn. # More than 1 worker is also supported of this type. @@ -833,6 +842,8 @@ matrix_synapse_workers_stream_writers: | ([{'stream': 'presence'}] * matrix_synapse_workers_stream_writer_presence_stream_workers_count | int) }} +matrix_synapse_workers_stream_writers_container_arguments: [] + # matrix_synapse_stream_writers populates the `stream_writers` Synapse configuration used when Synapse workers are in use (`matrix_synapse_workers_enabled`). # What you see below is an initial default value which will be adjusted at runtime based on the value of `matrix_synapse_workers_stream_writers`. # Adjusting this value manually is generally not necessary. @@ -859,6 +870,7 @@ matrix_synapse_workers_stream_writer_workers_metrics_range_start: 19211 # See https://matrix-org.github.io/synapse/latest/workers.html#synapseapppusher matrix_synapse_workers_pusher_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['pusher_workers_count'] }}" matrix_synapse_workers_pusher_workers_metrics_range_start: 19200 +matrix_synapse_workers_pusher_workers_container_arguments: [] # matrix_synapse_federation_pusher_instances populates the `pusher_instances` Synapse configuration used when Synapse workers are in use (`matrix_synapse_workers_enabled`). # What you see below is an initial default value which will be adjusted at runtime based on the value of `matrix_synapse_workers_pusher_workers_count` or `matrix_synapse_workers_enabled_list`. 
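Review bot: The new `matrix_synapse_workers_*_container_arguments` variables are user-facing (the worker unit template in this patch reads them directly), but elsewhere in the same patch the `*_container_arguments` suffix denotes the playbook-managed final list that users are told not to override, while `*_container_extra_arguments` is the one they set (see `matrix_synapse_reverse_proxy_companion_container_arguments` and `matrix_synapse_container_arguments`). Naming these `matrix_synapse_workers_room_workers_container_extra_arguments` and so on, or at least giving each a comment such as `# Extra container arguments applied only to workers of this type; also see matrix_synapse_container_extra_arguments`, would avoid inverting that convention. The same applies to the hunks at old lines 833, 859, 869, 878, 894, 905 and 914 of this file, which add the stream_writers, pusher, federation_sender, media_repository, appservice, user_dir and background counterparts.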
@@ -869,6 +881,7 @@ matrix_synapse_federation_pusher_instances: [] # See https://matrix-org.github.io/synapse/latest/workers.html#synapseappfederation_sender matrix_synapse_workers_federation_sender_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['federation_sender_workers_count'] }}" matrix_synapse_workers_federation_sender_workers_metrics_range_start: 19400 +matrix_synapse_workers_federation_sender_workers_container_arguments: [] # matrix_synapse_federation_sender_instances populates the `federation_sender_instances` Synapse configuration used when Synapse workers are in use (`matrix_synapse_workers_enabled`). # What you see below is an initial default value which will be adjusted at runtime based on the value of `matrix_synapse_workers_federation_sender_workers_count` or `matrix_synapse_workers_enabled_list`. @@ -878,6 +891,7 @@ matrix_synapse_federation_sender_instances: [] matrix_synapse_workers_media_repository_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['media_repository_workers_count'] if not matrix_synapse_ext_media_repo_enabled else 0 }}" matrix_synapse_workers_media_repository_workers_port_range_start: 18551 matrix_synapse_workers_media_repository_workers_metrics_range_start: 19551 +matrix_synapse_workers_media_repository_workers_container_arguments: [] # matrix_synapse_enable_media_repo controls if the main Synapse process should serve media repository endpoints or if it should be left to media_repository workers (see `matrix_synapse_workers_media_repository_workers_count`). # This is enabled if workers are disabled, or if they are enabled, but there are no media repository workers. 
@@ -894,6 +908,7 @@ matrix_synapse_media_instance_running_background_jobs: "{{ (matrix_synapse_worke # Our implementation uses generic worker services and assigns them to perform appservice work using the `notify_appservices_from_worker` Synapse option. matrix_synapse_workers_appservice_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['appservice_workers_count'] }}" matrix_synapse_workers_appservice_workers_metrics_range_start: 19300 +matrix_synapse_workers_appservice_workers_container_arguments: [] # matrix_synapse_notify_appservices_from_worker populates the `notify_appservices_from_worker` Synapse configuration used when Synapse workers are in use (`matrix_synapse_workers_enabled`). # `notify_appservices_from_worker` is meant to point to a worker, which is dedicated to sending output traffic to Application Services. @@ -905,6 +920,7 @@ matrix_synapse_notify_appservices_from_worker: "{{ (matrix_synapse_workers_enabl matrix_synapse_workers_user_dir_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['user_dir_workers_count'] }}" matrix_synapse_workers_user_dir_workers_port_range_start: 18661 matrix_synapse_workers_user_dir_workers_metrics_range_start: 19661 +matrix_synapse_workers_user_dir_workers_container_arguments: [] # matrix_synapse_update_user_directory_from_worker populates the `update_user_directory_from_worker` Synapse configuration used when Synapse workers are in use (`matrix_synapse_workers_enabled`). # `update_user_directory_from_worker` is meant to point to a worker, which is dedicated to updating the user directory and servicing some user directory URL endpoints (`matrix_synapse_workers_user_dir_worker_client_server_endpoints`). 
@@ -914,6 +930,7 @@ matrix_synapse_update_user_directory_from_worker: "{{ (matrix_synapse_workers_en # Our implementation uses a generic worker and assigns Synapse to perform background work on this worker using the `run_background_tasks_on` Synapse option. matrix_synapse_workers_background_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['background_workers_count'] }}" matrix_synapse_workers_background_workers_metrics_range_start: 19700 +matrix_synapse_workers_background_workers_container_arguments: [] # matrix_synapse_run_background_tasks_on populates the `run_background_tasks_on` Synapse configuration used when Synapse workers are in use (`matrix_synapse_workers_enabled`). # `run_background_tasks_on` is meant to point to a worker, which is dedicated to processing background tasks. diff --git a/roles/custom/matrix-synapse/tasks/synapse/workers/util/setup_files_for_worker.yml b/roles/custom/matrix-synapse/tasks/synapse/workers/util/setup_files_for_worker.yml index 5b652c475..480ffba02 100644 --- a/roles/custom/matrix-synapse/tasks/synapse/workers/util/setup_files_for_worker.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/workers/util/setup_files_for_worker.yml @@ -3,6 +3,7 @@ - ansible.builtin.set_fact: matrix_synapse_worker_systemd_service_name: "{{ matrix_synapse_worker_details.name }}" matrix_synapse_worker_container_name: "{{ matrix_synapse_worker_details.name }}" + matrix_synapse_worker_type: "{{ matrix_synapse_worker_details.type }}" matrix_synapse_worker_config_file_name: "worker.{{ matrix_synapse_worker_details.name }}.yaml" matrix_synapse_worker_labels_file_name: "worker.{{ matrix_synapse_worker_details.name }}.labels" diff --git a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 index 4163efc3d..21b747b0e 100644 
--- a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 
@@ -5,6 +5,34 @@ AssertPathExists={{ matrix_synapse_config_dir_path }}/{{ matrix_synapse_worker_c
 After=matrix-synapse.service
 Requires=matrix-synapse.service
+{% set matrix_synapse_container_worker_arguments = [] %}
+
+{% if matrix_synapse_worker_type == "room_worker" %}
+ {% set matrix_synapse_container_worker_arguments = matrix_synapse_workers_room_workers_container_arguments %}
+{% elif matrix_synapse_worker_type == "sync_worker" %}
+ {% set matrix_synapse_container_worker_arguments = matrix_synapse_workers_sync_workers_container_arguments %}
+{% elif matrix_synapse_worker_type == "client_reader" %}
+ {% set matrix_synapse_container_worker_arguments = matrix_synapse_workers_client_reader_workers_container_arguments %}
+{% elif matrix_synapse_worker_type == "federation_reader" %}
+ {% set matrix_synapse_container_worker_arguments = matrix_synapse_workers_federation_reader_workers_container_arguments %}
+{% elif matrix_synapse_worker_type == "generic_worker" %}
+ {% set matrix_synapse_container_worker_arguments = matrix_synapse_workers_generic_workers_container_arguments %}
+{% elif matrix_synapse_worker_type == "stream_writer" %}
+ {% set matrix_synapse_container_worker_arguments = matrix_synapse_workers_stream_writers_container_arguments %}
+{% elif matrix_synapse_worker_type == "federation_sender" %}
+ {% set matrix_synapse_container_worker_arguments = matrix_synapse_workers_federation_sender_workers_container_arguments %}
+{% elif matrix_synapse_worker_type == "pusher" %}
+ {% set matrix_synapse_container_worker_arguments = matrix_synapse_workers_pusher_workers_container_arguments %}
+{% elif matrix_synapse_worker_type == "appservice" %}
+ {% set matrix_synapse_container_worker_arguments = matrix_synapse_workers_appservice_workers_container_arguments %}
+{% elif matrix_synapse_worker_type == "user_dir" %}
+ {% set matrix_synapse_container_worker_arguments = matrix_synapse_workers_user_dir_workers_container_arguments %}
+{% elif matrix_synapse_worker_type ==
"background" %}
+ {% set matrix_synapse_container_worker_arguments = matrix_synapse_workers_background_workers_container_arguments %}
+{% elif matrix_synapse_worker_type == "media_repository" %}
+ {% set matrix_synapse_container_worker_arguments = matrix_synapse_workers_media_repository_workers_container_arguments %}
+{% endif %}
+
 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
@@ -43,6 +71,9 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 {% for arg in matrix_synapse_container_arguments %}
 {{ arg }} \
 {% endfor %}
+ {% for arg in matrix_synapse_container_worker_arguments %}
+ {{ arg }} \
+ {% endfor %}
 {{ matrix_synapse_docker_image_final }} \
 run -m synapse.app.{{ matrix_synapse_worker_details.app }} -c /data/homeserver.yaml -c /data/{{ matrix_synapse_worker_config_file_name }}
diff --git a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
index 3d9d5f5af..a22c09b1e 100644
--- a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
@@ -57,6 +57,9 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 {% for arg in matrix_synapse_container_arguments %}
 {{ arg }} \
 {% endfor %}
+ {% for arg in matrix_synapse_container_master_extra_arguments %}
+ {{ arg }} \
+ {% endfor %}
 {{ matrix_synapse_docker_image_final }} \
 run -m synapse.app.homeserver -c /data/homeserver.yaml
From 4ed522e8fefff632523d68c7d2f2f9a6d86e3b1b Mon Sep 17 00:00:00 2001
From: needo37
Date: Wed, 24 Jan 2024 19:41:58 -0600
Subject: [PATCH 058/118] Bring default config inline with upstream
---
 .../templates/config.yaml.j2 | 84 ++++++++++++++++++-
 1 file changed, 81 insertions(+), 3 deletions(-)
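Review bot: The `{% if %}`/`{% elif %}` chain has no `{% else %}`, so a `matrix_synapse_worker_type` value it does not list silently yields an empty argument list, and the type strings it compares against are not visible in this patch: the defaults file says the appservice, user_dir and background roles are implemented as generic workers, so whether `matrix_synapse_worker_details.type` carries the role name (`appservice`, ...) or `generic_worker` for those workers needs confirming against where the worker list is generated. A comment above the chain, `{# Per-type extra container arguments; keep this list in sync with the worker types the role generates — unknown types get none #}`, plus an explicit `{% else %}` branch, would make the fall-through intentional rather than accidental. The `{% set %}` inside the `{% if %}` does take effect outside it because Jinja `if` blocks do not open a new scope, which is worth a word in the same comment since it is a common point of confusion.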
diff --git a/roles/custom/matrix-bridge-mautrix-discord/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-discord/templates/config.yaml.j2 index f5ccd4f7e..c54201c9a 100644 --- a/roles/custom/matrix-bridge-mautrix-discord/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-discord/templates/config.yaml.j2 @@ -72,11 +72,14 @@ bridge: # Displayname template for Discord users. This is also used as the room name in DMs if private_chat_portal_meta is enabled. # Available variables: # {{ '{{.ID}}' }} - Internal user ID - # {{ '{{.Username}}' }} - User's displayname on Discord + # {{ '{{.Username}}' }} - Legacy display/username on Discord + # {{ '{{.GlobalName}}' }} - New displayname on Discord # {{ '{{.Discriminator}}' }} - The 4 numbers after the name on Discord # {{ '{{.Bot}}' }} - Whether the user is a bot # {{ '{{.System}}' }} - Whether the user is an official system user - displayname_template: "{{ '{{.Username}} {{if .Bot}} (bot){{end}}' }}" + # {{ '{{.Webhook}}' }} - Whether the user is a webhook and is not an application + # {{ '{{.Application}}' }} - Whether the user is an application + displayname_template: "{{ '{{or .GlobalName .Username}}{{if .Bot}} (bot){{end}}' }}" # Displayname template for Discord channels (bridged as rooms, or spaces when type=4). # Available variables: # {{ '{{.Name}}' }} - Channel name, or user displayname (pre-formatted with displayname_template) in DMs. 
@@ -91,7 +94,11 @@ bridge: guild_name_template: "{{ '{{.Name}}' }}" # Should the bridge explicitly set the avatar and room name for DM portal rooms? # This is implicitly enabled in encrypted rooms. - private_chat_portal_meta: false + # Whether to explicitly set the avatar and room name for private chat portal rooms. + # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms. + # If set to `always`, all DM rooms will have explicit names and avatars set. + # If set to `never`, DM rooms will never have names and avatars set. + private_chat_portal_meta: default portal_message_buffer: 128 # Number of private channel portals to create on bridge startup. # Other portals will be created when receiving messages. 
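Review bot: The two context lines above the new comment block (`# Should the bridge explicitly set the avatar and room name for DM portal rooms?` and `# This is implicitly enabled in encrypted rooms.`) now say the same thing as the added `# Whether to explicitly set ...` block, so the setting ends up with two overlapping explanations; they should be removed with this change. If the old `false` value is still accepted by the bridge, one sentence in the new comment saying which of `default`/`always`/`never` it corresponds to would help operators who had set it explicitly — that mapping is not visible here. The enclosing `bridge:` mapping starts outside the hunk.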
@@ -112,12 +119,59 @@ bridge: # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run. # This field will automatically be changed back to false after it, except if the config file is not writable. resend_bridge_info: false + # Should incoming custom emoji reactions be bridged as mxc:// URIs? + # If set to false, custom emoji reactions will be bridged as the shortcode instead, and the image wont be available. + custom_emoji_reactions: true # Should the bridge attempt to completely delete portal rooms when a channel is deleted on Discord? # If true, the bridge will try to kick Matrix users from the room. Otherwise, the bridge only makes ghosts leave. delete_portal_on_channel_delete: false + # Should the bridge delete all portal rooms when you leave a guild on Discord? + # This only applies if the guild has no other Matrix users on this bridge instance. + delete_guild_on_leave: true # Whether or not created rooms should have federation enabled. # If false, created portal rooms will never be federated. federate_rooms: {{ matrix_mautrix_discord_federate_rooms|to_json }} + # Prefix messages from webhooks with the profile info? This can be used along with a custom displayname_template + # to better handle webhooks that change their name all the time (like ones used by bridges). + prefix_webhook_messages: false + # Bridge webhook avatars? + enable_webhook_avatars: true + # Should the bridge upload media to the Discord CDN directly before sending the message when using a user token, + # like the official client does? The other option is sending the media in the message send request as a form part + # (which is always used by bots and webhooks). + use_discord_cdn_upload: true + # Should mxc uris copied from Discord be cached? + # This can be `never` to never cache, `unencrypted` to only cache unencrypted mxc uris, or `always` to cache everything. 
+ # If you have a media repo that generates non-unique mxc uris, you should set this to never. + cache_media: unencrypted + # Patterns for converting Discord media to custom mxc:// URIs instead of reuploading. + # Each of the patterns can be set to null to disable custom URIs for that type of media. + # More details can be found at https://docs.mau.fi/bridges/go/discord/direct-media.html + media_patterns: + # Should custom mxc:// URIs be used instead of reuploading media? + enabled: true + # Pattern for normal message attachments. + attachments: mxc://discord-media.mau.dev/attachments|{{.ChannelID}}|{{.AttachmentID}}|{{.FileName}} + # Pattern for custom emojis. + emojis: mxc://discord-media.mau.dev/emojis|{{.ID}}.{{.Ext}} + # Pattern for stickers. Note that animated lottie stickers will not be converted if this is enabled. + stickers: mxc://discord-media.mau.dev/stickers|{{.ID}}.{{.Ext}} + # Pattern for static user avatars. + avatars: mxc://discord-media.mau.dev/avatars|{{.UserID}}|{{.AvatarID}}.{{.Ext}} + # Settings for converting animated stickers. + animated_sticker: + # Format to which animated stickers should be converted. + # disable - No conversion, send as-is (lottie JSON) + # png - converts to non-animated png (fastest) + # gif - converts to animated gif + # webm - converts to webm video, requires ffmpeg executable with vp9 codec and webm container support + # webp - converts to animated webp, requires ffmpeg executable with webp codec/container support + target: webp + # Arguments for converter. All converters take width and height. + args: + width: 320 + height: 320 + fps: 25 # only for webm, webp and gif (2, 5, 10, 20 or 25 recommended) # Servers to always allow double puppeting from double_puppet_server_map: "{{ matrix_mautrix_discord_homeserver_domain }}": {{ matrix_mautrix_discord_homeserver_address }} 
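Review bot: `media_patterns.enabled: true` together with the hard-coded `mxc://discord-media.mau.dev/...` patterns is a behaviour change that is not exposed as a playbook variable: per the added comments it stops the bridge from reuploading Discord media and instead emits mxc URIs under a third-party host, so media for these rooms presumably ends up being fetched through that host instead of the local media repository — a privacy and availability dependency operators should opt into rather than inherit. Wire it the way `federate_rooms` is wired in this same hunk, e.g. `enabled: {{ <role_variable_for_media_patterns_enabled>|to_json }}` (placeholder name) with a conservative default in the role defaults. Separately, the bare `{{.ChannelID}}`, `{{.ID}}` etc. inside the pattern values are Jinja2 syntax in this `.j2` template and break rendering; a later commit in this series wraps them in `{% raw %}`.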
@@ -145,6 +199,30 @@ bridge: # Optional extra text sent when joining a management room. additional_help: "" + # Settings for backfilling messages. + backfill: + # Limits for forward backfilling. + forward_limits: + # Initial backfill (when creating portal). 0 means backfill is disabled. + # A special unlimited value is not supported, you must set a limit. Initial backfill will + # fetch all messages first before backfilling anything, so high limits can take a lot of time. + initial: + dm: 0 + channel: 0 + thread: 0 + # Missed message backfill (on startup). + # 0 means backfill is disabled, -1 means fetch all messages since last bridged message. + # When using unlimited backfill (-1), messages are backfilled as they are fetched. + # With limits, all messages up to the limit are fetched first and backfilled afterwards. + missed: + dm: 0 + channel: 0 + thread: 0 + # Maximum members in a guild to enable backfilling. Set to -1 to disable limit. + # This can be used as a rough heuristic to disable backfilling in channels that are too active. + # Currently only applies to missed message backfill. + max_guild_members: -1 + # End-to-bridge encryption support options. # # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info. From 243d828e50b17fe35170c1448416e70f6b9ba798 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 25 Jan 2024 07:35:16 +0200 Subject: [PATCH 059/118] Fix mautrix-discord config Jinja2 syntax error Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3133 Regression since 4ed522e8fefff63252 --- .../templates/config.yaml.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/custom/matrix-bridge-mautrix-discord/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-discord/templates/config.yaml.j2 index c54201c9a..561a9c3c7 100644 --- a/roles/custom/matrix-bridge-mautrix-discord/templates/config.yaml.j2 
+++ b/roles/custom/matrix-bridge-mautrix-discord/templates/config.yaml.j2 @@ -151,13 +151,13 @@ bridge: # Should custom mxc:// URIs be used instead of reuploading media? enabled: true # Pattern for normal message attachments. - attachments: mxc://discord-media.mau.dev/attachments|{{.ChannelID}}|{{.AttachmentID}}|{{.FileName}} + attachments: {% raw %}mxc://discord-media.mau.dev/attachments|{{.ChannelID}}|{{.AttachmentID}}|{{.FileName}}{% endraw %} # Pattern for custom emojis. - emojis: mxc://discord-media.mau.dev/emojis|{{.ID}}.{{.Ext}} + emojis: {% raw %}mxc://discord-media.mau.dev/emojis|{{.ID}}.{{.Ext}}{% endraw %} # Pattern for stickers. Note that animated lottie stickers will not be converted if this is enabled. - stickers: mxc://discord-media.mau.dev/stickers|{{.ID}}.{{.Ext}} + stickers: {% raw %}mxc://discord-media.mau.dev/stickers|{{.ID}}.{{.Ext}}{% endraw %} # Pattern for static user avatars. - avatars: mxc://discord-media.mau.dev/avatars|{{.UserID}}|{{.AvatarID}}.{{.Ext}} + avatars: {% raw %}mxc://discord-media.mau.dev/avatars|{{.UserID}}|{{.AvatarID}}.{{.Ext}}{% endraw %} # Settings for converting animated stickers. animated_sticker: # Format to which animated stickers should be converted. From ad9ba1e2bd67767f85025a58d6c03242ce4417a7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 25 Jan 2024 07:39:25 +0200 Subject: [PATCH 060/118] Fix variable name typo --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index eecd061b8..1804d243c 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml 
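Review bot: The fix uses `{% raw %}...{% endraw %}` for the Go-template placeholders, while the rest of this template escapes the same kind of placeholder as a quoted Jinja string (`"{{ '{{.Name}}' }}"`, visible in the earlier hunk), so the file now mixes two escaping styles for one purpose. Either is correct; picking one keeps the template greppable and makes the next maintainer's job easier. If `{% raw %}` stays, consider also quoting the rendered values, e.g. `attachments: "{% raw %}mxc://discord-media.mau.dev/attachments|{{.ChannelID}}|{{.AttachmentID}}|{{.FileName}}{% endraw %}"`, so a future pattern that starts with a YAML indicator does not silently change type.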
@@ -297,7 +297,7 @@ matrix_synapse_container_extra_arguments_auto: [] matrix_synapse_container_arguments: "{{ matrix_synapse_container_extra_arguments + matrix_synapse_container_extra_arguments_auto }}" # matrix_synapse_container_master_extra_arguments contains arguments specific to the master process whereas -# matrix_synapse_container_extra_arguments contains arguments the apply to all synapse worker processes. +# matrix_synapse_container_arguments contains arguments the apply to all Synapse containers (master and worker). matrix_synapse_container_master_extra_arguments: [] # List of systemd services that matrix-synapse.service depends on From 185f54a4c7626b550e4003a5c2f1564051eaa48c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 26 Jan 2024 08:55:53 +0200 Subject: [PATCH 061/118] Upgrade Prometheus (v2.49.1-0 -> v2.49.1-1) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index ae08139ea..d5067141f 100644 --- a/requirements.yml +++ b/requirements.yml @@ -46,7 +46,7 @@ version: 7eadc992ca952fc29bf3fab5aa6335fa82ff01e5 name: postgres_backup - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git - version: v2.49.1-0 + version: v2.49.1-1 name: prometheus - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git version: v1.7.0-3 From 5ca4d6ebc5baa402d34508570e3f571f929d39d7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 26 Jan 2024 12:09:54 +0200 Subject: [PATCH 062/118] Add validation check for matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_hostname --- roles/custom/matrix_playbook_migration/tasks/validate_config.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index bc428b386..51e0440d1 100644 
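Review bot: The rewritten comment line still carries the pre-existing typo "arguments the apply"; since the commit is touching exactly this line, fix it at the same time: `# matrix_synapse_container_arguments contains arguments that apply to all Synapse containers (master and worker).`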
--- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml @@ -301,6 +301,7 @@ - {'old': 'matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks', 'new': ''} - {'old': 'matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks', 'new': ''} - {'old': 'matrix_nginx_proxy_access_log_enabled', 'new': 'devture_traefik_config_accessLog_enabled'} + - {'old': 'matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_hostname', 'new': ''} - {'old': 'etherpad_nginx_proxy_dimension_integration_path_prefix', 'new': ''} - {'old': 'matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled', 'new': ''} From b48b06d2f82f2d8481ca791b3c4f193b87993eae Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 26 Jan 2024 12:10:34 +0200 Subject: [PATCH 063/118] Add missing bracket --- .../custom/matrix_playbook_migration/tasks/validate_config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index 51e0440d1..2100905db 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml 
@@ -301,7 +301,7 @@ - {'old': 'matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks', 'new': ''} - {'old': 'matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks', 'new': ''} - {'old': 'matrix_nginx_proxy_access_log_enabled', 'new': 'devture_traefik_config_accessLog_enabled'} - - {'old': 'matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_hostname', 'new': ''} - {'old': 'etherpad_nginx_proxy_dimension_integration_enabled', 'new': ''} - {'old': 'etherpad_nginx_proxy_dimension_integration_path_prefix', 'new': ''} - {'old': 'matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled', 'new': ''} From dafeee92f4e2dc6016cb41a8669b37e38af1ee17 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 26 Jan 2024 12:17:49 +0200 Subject: [PATCH 064/118] Adjust matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_hostname validation check message to mention matrix_static_files_file_matrix_server_property_m_server --- .../custom/matrix_playbook_migration/tasks/validate_config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index 2100905db..c46fb7fc4 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml 
@@ -301,7 +301,7 @@ - {'old': 'matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks', 'new': ''} - {'old': 'matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks', 'new': ''} - {'old': 'matrix_nginx_proxy_access_log_enabled', 'new': 'devture_traefik_config_accessLog_enabled'} - - {'old': 'matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_hostname', 'new': ''} + - {'old': 'matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_hostname', 'new': ''} - {'old': 'etherpad_nginx_proxy_dimension_integration_enabled', 'new': ''} - {'old': 'etherpad_nginx_proxy_dimension_integration_path_prefix', 'new': ''} - {'old': 'matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled', 'new': ''} From a1179289a1dc8c8bb8c72e923beff0f407260310 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 26 Jan 2024 12:55:01 +0200 Subject: [PATCH 065/118] Split some homeserver _additional_networks variables into _auto and _custom --- group_vars/matrix_servers | 6 +++--- roles/custom/matrix-dendrite/defaults/main.yml | 4 +++- .../defaults/main.yml | 4 +++- roles/custom/matrix-synapse/defaults/main.yml | 4 +++- 4 files changed, 12 insertions(+), 6 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index df5b12ebb..d5034917c 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -3893,7 +3893,7 @@ matrix_synapse_container_manhole_api_host_bind_port: "{{ (matrix_playbook_servic matrix_synapse_container_network: "{{ matrix_homeserver_container_network }}" -matrix_synapse_container_additional_networks: | +matrix_synapse_container_additional_networks_auto: | {{ ( ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_synapse_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network else []) 
@@ -4052,7 +4052,7 @@ matrix_synapse_reverse_proxy_companion_enabled: "{{ matrix_synapse_enabled and m matrix_synapse_reverse_proxy_companion_container_network: "{{ matrix_synapse_container_network }}" -matrix_synapse_reverse_proxy_companion_container_additional_networks: | +matrix_synapse_reverse_proxy_companion_container_additional_networks_auto: | {{ ( ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network else []) @@ -4585,7 +4585,7 @@ matrix_dendrite_federation_enabled: "{{ matrix_homeserver_federation_enabled }}" matrix_dendrite_container_network: "{{ matrix_homeserver_container_network }}" -matrix_dendrite_container_additional_networks: | +matrix_dendrite_container_additional_networks_auto: | {{ ( ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_dendrite_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network else []) diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml index d602a860e..a3854315f 100644 --- a/roles/custom/matrix-dendrite/defaults/main.yml +++ b/roles/custom/matrix-dendrite/defaults/main.yml 
@@ -48,7 +48,9 @@ matrix_dendrite_container_network: "" # A list of additional container networks that the container would be connected to. # The role does not create these networks, so make sure they already exist. # Use this to expose this container to another reverse proxy, which runs in a different container network. -matrix_dendrite_container_additional_networks: [] +matrix_dendrite_container_additional_networks: "{{ matrix_dendrite_container_additional_networks_auto + matrix_dendrite_container_additional_networks_custom }}" +matrix_dendrite_container_additional_networks_auto: [] +matrix_dendrite_container_additional_networks_custom: [] # Controls whether the matrix-dendrite container exposes the HTTP port (tcp/{{ matrix_dendrite_http_bind_port }} in the container). # diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml index d0638a244..b4ab73b0d 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml 
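Review bot: The comment block kept above `matrix_dendrite_container_additional_networks` still says "Use this to expose this container to another reverse proxy", but the variable is now a computed sum, and a user overriding it directly (as the comment invites) would silently discard the `_auto` entries that group_vars wires in. Point overrides at the new custom list instead, e.g. `# Do not override this variable directly; add your own networks to matrix_dendrite_container_additional_networks_custom.` The same comment problem exists in the two hunks in the next line for matrix-synapse-reverse-proxy-companion and matrix-synapse.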
@@ -35,7 +35,9 @@ matrix_synapse_reverse_proxy_companion_container_network: "" # A list of additional container networks that matrix-synapse-reverse-proxy-companion would be connected to. # The playbook does not create these networks, so make sure they already exist. -matrix_synapse_reverse_proxy_companion_container_additional_networks: [] +matrix_synapse_reverse_proxy_companion_container_additional_networks: "{{ matrix_synapse_reverse_proxy_companion_container_additional_networks_auto + matrix_synapse_reverse_proxy_companion_container_additional_networks_custom }}" +matrix_synapse_reverse_proxy_companion_container_additional_networks_auto: [] +matrix_synapse_reverse_proxy_companion_container_additional_networks_custom: [] # Controls whether the matrix-synapse-reverse-proxy-companion container exposes its HTTP Client-Server API port (tcp/8008 in the container). # diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 1804d243c..d35fe2e5a 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -132,7 +132,9 @@ matrix_synapse_container_network: '' # A list of additional container networks that the container would be connected to. # The role does not create these networks, so make sure they already exist. # Use this to expose this container to another reverse proxy, which runs in a different container network. -matrix_synapse_container_additional_networks: [] +matrix_synapse_container_additional_networks: "{{ matrix_synapse_container_additional_networks_auto + matrix_synapse_container_additional_networks_custom }}" +matrix_synapse_container_additional_networks_auto: [] +matrix_synapse_container_additional_networks_custom: [] # Controls whether the matrix-synapse container exposes the Client/Server API port (tcp/{{ matrix_synapse_container_client_api_port }} in the container). # From a9eba7ab329f3c61e19df08a5d37217f60d4c97f Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Fri, 26 Jan 2024 13:07:09 +0200 Subject: [PATCH 066/118] Fix turn: fallback URIs missing due to Jinja operator priorities --- group_vars/matrix_servers | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index d5034917c..d32f73cf1 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -3960,17 +3960,15 @@ matrix_synapse_email_notif_from: "Matrix <{{ exim_relay_sender_address }}>" matrix_synapse_turn_uris: | {{ - [] - + - [ + ([ 'turns:' + matrix_server_fqn_matrix + '?transport=udp', 'turns:' + matrix_server_fqn_matrix + '?transport=tcp', - ] if matrix_coturn_enabled and matrix_coturn_tls_enabled else [] + ] if matrix_coturn_enabled and matrix_coturn_tls_enabled else []) + - [ + ([ 'turn:' + matrix_server_fqn_matrix + '?transport=udp', 'turn:' + matrix_server_fqn_matrix + '?transport=tcp', - ] if matrix_coturn_enabled else [] + ] if matrix_coturn_enabled else []) }} matrix_synapse_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}" @@ -4705,17 +4703,15 @@ matrix_conduit_container_labels_internal_client_api_traefik_entrypoints: "{{ mat matrix_conduit_turn_uris: | {{ - [] - + - [ + ([ 'turns:' + matrix_server_fqn_matrix + '?transport=udp', 'turns:' + matrix_server_fqn_matrix + '?transport=tcp', - ] if matrix_coturn_enabled and matrix_coturn_tls_enabled else [] + ] if matrix_coturn_enabled and matrix_coturn_tls_enabled else []) + - [ + ([ 'turn:' + matrix_server_fqn_matrix + '?transport=udp', 'turn:' + matrix_server_fqn_matrix + '?transport=tcp', - ] if matrix_coturn_enabled else [] + ] if matrix_coturn_enabled else []) }} matrix_conduit_turn_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}" From 1468c080656b0fa26dc3d6f070a65f3c8224f718 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Fri, 26 Jan 2024 16:04:55 +0200 Subject: [PATCH 067/118] Wire matrix_server_fqn_matrix_federation to matrix_SERVICE_*_public_federation_api_traefik_hostname for ease of use --- group_vars/matrix_servers | 3 +++ .../custom/matrix_playbook_migration/tasks/validate_config.yml | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index d32f73cf1..4075308d1 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -3921,6 +3921,7 @@ matrix_synapse_container_labels_public_client_root_redirection_url: "{{ (('https matrix_synapse_container_labels_public_client_synapse_admin_api_enabled: "{{ matrix_synapse_admin_enabled }}" +matrix_synapse_container_labels_public_federation_api_traefik_hostname: "{{ matrix_server_fqn_matrix_federation }}" matrix_synapse_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}" matrix_synapse_container_labels_public_federation_api_traefik_tls: "{{ matrix_federation_traefik_entrypoint_tls }}" matrix_synapse_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}" # noqa var-naming 
@@ -4605,6 +4606,7 @@ matrix_dendrite_container_labels_public_client_synapse_admin_api_enabled: "{{ ma matrix_dendrite_container_labels_public_client_root_redirection_enabled: "{{ matrix_dendrite_container_labels_public_client_root_redirection_url != '' }}" matrix_dendrite_container_labels_public_client_root_redirection_url: "{{ (('https://' if matrix_playbook_ssl_enabled else 'http://') + matrix_server_fqn_element) if matrix_client_element_enabled else '' }}" +matrix_dendrite_container_labels_public_federation_api_traefik_hostname: "{{ matrix_server_fqn_matrix_federation }}" matrix_dendrite_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}" matrix_dendrite_container_labels_public_federation_api_traefik_tls: "{{ matrix_federation_traefik_entrypoint_tls }}" @@ -4695,6 +4697,7 @@ matrix_conduit_container_labels_traefik_tls_certResolver: "{{ devture_traefik_ce matrix_conduit_container_labels_public_client_root_redirection_enabled: "{{ matrix_conduit_container_labels_public_client_root_redirection_url != '' }}" matrix_conduit_container_labels_public_client_root_redirection_url: "{{ (('https://' if matrix_playbook_ssl_enabled else 'http://') + matrix_server_fqn_element) if matrix_client_element_enabled else '' }}" +matrix_conduit_container_labels_public_federation_api_traefik_hostname: "{{ matrix_server_fqn_matrix_federation }}" matrix_conduit_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}" matrix_conduit_container_labels_public_federation_api_traefik_tls: "{{ matrix_federation_traefik_entrypoint_tls }}" diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index c46fb7fc4..d8958fdd1 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml 
@@ -301,7 +301,7 @@ - {'old': 'matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks', 'new': ''} - {'old': 'matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks', 'new': ''} - {'old': 'matrix_nginx_proxy_access_log_enabled', 'new': 'devture_traefik_config_accessLog_enabled'} - - {'old': 'matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_hostname', 'new': ''} + - {'old': 'matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_hostname', 'new': 'matrix_server_fqn_matrix_federation'} - {'old': 'etherpad_nginx_proxy_dimension_integration_enabled', 'new': ''} - {'old': 'etherpad_nginx_proxy_dimension_integration_path_prefix', 'new': ''} - {'old': 'matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled', 'new': ''} From 4a2ad1583e5b8d4026f1256adc9ddf00dedad7a1 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 26 Jan 2024 14:05:29 +0000 Subject: [PATCH 068/118] Update matrixdotorg/dendrite-monolith Docker tag to v0.13.6 --- roles/custom/matrix-dendrite/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml index a3854315f..0e2c7223b 100644 --- a/roles/custom/matrix-dendrite/defaults/main.yml +++ b/roles/custom/matrix-dendrite/defaults/main.yml 
@@ -13,7 +13,7 @@ matrix_dendrite_docker_image_path: "matrixdotorg/dendrite-monolith" matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}{{ matrix_dendrite_docker_image_path }}:{{ matrix_dendrite_docker_image_tag }}" matrix_dendrite_docker_image_name_prefix: "{{ 'localhost/' if matrix_dendrite_container_image_self_build else matrix_container_global_registry_prefix }}" # renovate: datasource=docker depName=matrixdotorg/dendrite-monolith -matrix_dendrite_docker_image_tag: "v0.13.5" +matrix_dendrite_docker_image_tag: "v0.13.6" matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite" From 5ca527066d1b8ff34d2d84b3dfbc9d48c5afad9a Mon Sep 17 00:00:00 2001 From: Tiago Carrondo <2323546+tcarrondo@users.noreply.github.com> Date: Sat, 27 Jan 2024 16:03:37 +0000 Subject: [PATCH 069/118] Fix s3-storage migrate and shell (#3136) * Fix s3-storage migrate and shell: container needs attachment to postgres network also * Connect to s3-storage-provider migrate to multiple networks in multiple steps Multiple `--network` calls lead to: > docker: Error response from daemon: Container cannot be connected to network endpoints: NETWORK_1 NETWORK_2. * Connect to s3-storage-provider shell to multiple networks in multiple steps --------- Co-authored-by: Slavi Pantaleev --- .../ext/s3-storage-provider/bin/migrate.j2 | 14 ++++++++++++-- .../synapse/ext/s3-storage-provider/bin/shell.j2 | 15 +++++++++++++-- 2 files changed, 25 insertions(+), 4 deletions(-) diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/migrate.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/migrate.j2 index 5c3a534b5..8d8c4d0d7 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/migrate.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/migrate.j2 
@@ -1,7 +1,9 @@ #jinja2: lstrip_blocks: "True" #!/bin/bash +set -euo pipefail -{{ devture_systemd_docker_base_host_command_docker }} run \ +container_id=$(\ + {{ devture_systemd_docker_base_host_command_docker }} create \ --rm \ --env-file={{ matrix_synapse_ext_s3_storage_provider_base_path }}/env \ --mount type=bind,src={{ matrix_synapse_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \ @@ -10,4 +12,12 @@ --network={{ matrix_synapse_container_network }} \ --entrypoint=/bin/bash \ {{ matrix_synapse_docker_image_final }} \ - -c 's3_media_upload update-db $UPDATE_DB_DURATION && s3_media_upload --no-progress check-deleted $MEDIA_PATH && s3_media_upload --no-progress upload $MEDIA_PATH $BUCKET --delete --storage-class $STORAGE_CLASS --endpoint-url $ENDPOINT {% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %}--sse-customer-algo $SSE_CUSTOMER_ALGO --sse-customer-key $SSE_CUSTOMER_KEY{% endif %}' + -c 's3_media_upload update-db $UPDATE_DB_DURATION && s3_media_upload --no-progress check-deleted $MEDIA_PATH && s3_media_upload --no-progress upload $MEDIA_PATH $BUCKET --delete --storage-class $STORAGE_CLASS --endpoint-url $ENDPOINT {% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %}--sse-customer-algo $SSE_CUSTOMER_ALGO --sse-customer-key $SSE_CUSTOMER_KEY{% endif %}' \ +) + +{# We need to connect to the Postgres network, which should be in this list. #} +{% for network in matrix_synapse_container_additional_networks %} +{{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} $container_id +{% endfor %} + +{{ devture_systemd_docker_base_host_command_docker }} start --attach $container_id diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/shell.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/shell.j2 index 6f3804cc4..239554a1c 100644 
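Review bot: If any `network connect` in the loop fails after `docker create` has succeeded, `set -e` aborts the script and the created-but-never-started container is left behind, because `--rm` only removes a container once it has actually run; the same applies to the shell.j2 hunk in this commit, where the fixed `--name=matrix-synapse-s3-storage-provider-shell` then makes every later invocation fail at `create` with a name conflict until the stale container is removed by hand. A cleanup trap placed directly after the `container_id=$(...)` assignment covers both scripts and is harmless on the normal path, where `--rm` has already removed the container: `trap '{{ devture_systemd_docker_base_host_command_docker }} rm -f "$container_id" >/dev/null 2>&1 || true' EXIT`. The `$container_id` expansions on the `network connect` and `start --attach` lines should also be quoted as `"$container_id"`, consistent with the newly added `set -euo pipefail`.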
--- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/shell.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/shell.j2 @@ -1,13 +1,24 @@ #jinja2: lstrip_blocks: "True" #!/bin/bash +set -euo pipefail -{{ devture_systemd_docker_base_host_command_docker }} run \ +container_id=$(\ + {{ devture_systemd_docker_base_host_command_docker }} create \ -it \ --rm \ + --name=matrix-synapse-s3-storage-provider-shell \ --env-file={{ matrix_synapse_ext_s3_storage_provider_base_path }}/env \ --mount type=bind,src={{ matrix_synapse_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \ --mount type=bind,src={{ matrix_synapse_ext_s3_storage_provider_data_path }},dst=/data \ --workdir=/data \ --network={{ matrix_synapse_container_network }} \ --entrypoint=/bin/bash \ - {{ matrix_synapse_docker_image_final }} + {{ matrix_synapse_docker_image_final }} \ +) + +{# We need to connect to the Postgres network, which should be in this list. #} +{% for network in matrix_synapse_container_additional_networks %} +{{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} $container_id +{% endfor %} + +{{ devture_systemd_docker_base_host_command_docker }} start --attach -i $container_id From 45e46f82bbcd24c221044d2cf655f11e919f87ce Mon Sep 17 00:00:00 2001 From: Wave <86343914+Wave6677@users.noreply.github.com> Date: Sun, 28 Jan 2024 04:56:43 +0000 Subject: [PATCH 070/118] Fix typo in configuring-playbook-bot-matrix-registration-bot.md (#3137) * Fix typo in configuring-playbook-bot-matrix-registration-bot.md changed "loook like" to "Tokens look like" * Minor rewording --------- Co-authored-by: Slavi Pantaleev --- docs/configuring-playbook-bot-matrix-registration-bot.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/configuring-playbook-bot-matrix-registration-bot.md b/docs/configuring-playbook-bot-matrix-registration-bot.md index 30a9a1a78..703714836 100644 
--- a/docs/configuring-playbook-bot-matrix-registration-bot.md +++ b/docs/configuring-playbook-bot-matrix-registration-bot.md @@ -3,8 +3,7 @@ The playbook can install and configure [matrix-registration-bot](https://github.com/moan0s/matrix-registration-bot) for you. The bot allows you to easily **create and manage registration tokens** aka. invitation codes. -It can be used for an invitation-based server, -where you invite someone by sending them a registration token (loook like this: `rbalQ0zkaDSRQCOp`). They can register as normal but have to provide a valid registration token in a final step of the registration. +It can be used for an invitation-based server, where you invite someone by sending them a registration token (tokens look like this: `rbalQ0zkaDSRQCOp`). They can register as per normal but have to provide a valid registration token in the final step of the registration process. See the project's [documentation](https://github.com/moan0s/matrix-registration-bot#supported-commands) to learn what it does and why it might be useful to you. From 4bf4fc4f621cf4b99a3570838212e1b48f41b839 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 30 Jan 2024 20:31:24 +0200 Subject: [PATCH 071/118] Upgrade Prometheus (v2.49.1-1 -> v2.49.1-2) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index d5067141f..da1d49f8c 100644 --- a/requirements.yml +++ b/requirements.yml @@ -46,7 +46,7 @@ version: 7eadc992ca952fc29bf3fab5aa6335fa82ff01e5 name: postgres_backup - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git - version: v2.49.1-1 + version: v2.49.1-2 name: prometheus - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git version: v1.7.0-3 From 2ba4b94b998d0c49137f77a011c7dd9ad4c9923b Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Tue, 30 Jan 2024 20:31:47 +0200 Subject: [PATCH 072/118] Use prometheus_container_additional_networks_auto, instead of prometheus_container_additional_networks --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 4075308d1..115aea49d 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -4279,7 +4279,7 @@ prometheus_gid: "{{ matrix_user_gid }}" prometheus_container_network: "{{ matrix_monitoring_container_network }}" -prometheus_container_additional_networks: | +prometheus_container_additional_networks_auto: | {{ ( ([prometheus_node_exporter_container_network] if prometheus_self_node_scraper_enabled and prometheus_node_exporter_container_network != prometheus_container_network else []) From b167f483965a3789fab5e72b5208a7913f0db89c Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 30 Jan 2024 18:32:14 +0000 Subject: [PATCH 073/118] Update ghcr.io/element-hq/synapse Docker tag to v1.100.0 --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index d35fe2e5a..8e3169b7b 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -16,7 +16,7 @@ matrix_synapse_enabled: true matrix_synapse_github_org_and_repo: element-hq/synapse # renovate: datasource=docker depName=ghcr.io/element-hq/synapse -matrix_synapse_version: v1.99.0 +matrix_synapse_version: v1.100.0 matrix_synapse_username: '' matrix_synapse_uid: '' From a91f14ee0d871b5bdc01702f64ac7bc38afdec7b Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Tue, 30 Jan 2024 21:08:51 +0200 Subject: [PATCH 074/118] Upgrade Grafana (v10.3.1-0 -> v10.3.1-1) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index da1d49f8c..87c0533c0 100644 --- a/requirements.yml +++ b/requirements.yml @@ -22,7 +22,7 @@ version: v4.97-r0-0-1 name: exim_relay - src: git+https://gitlab.com/etke.cc/roles/grafana.git - version: v10.3.1-0 + version: v10.3.1-1 name: grafana - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git version: v9111-1 From 674658039e69ba64358660d48530d4dad7de752e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 30 Jan 2024 21:09:33 +0200 Subject: [PATCH 075/118] Switch from grafana_container_additional_networks to grafana_container_additional_networks_auto --- group_vars/matrix_servers | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 115aea49d..c594ee26e 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -4381,10 +4381,10 @@ grafana_base_path: "{{ matrix_base_data_path }}/grafana" grafana_container_network: "{{ matrix_monitoring_container_network }}" -grafana_container_additional_networks: | +grafana_container_additional_networks_auto: | {{ ( - ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network and grafana_container_labels_traefik_enabled else []) + ([prometheus_container_network] if prometheus_enabled and prometheus_container_network != grafana_container_network else []) ) | unique From 672b42848fc2059af4f70317b8094a07084b4d0d Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Tue, 30 Jan 2024 21:18:31 +0200 Subject: [PATCH 076/118] Upgrade Grafana (v10.3.1-1 -> v10.3.1-2) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 87c0533c0..649ff5463 100644 --- a/requirements.yml +++ b/requirements.yml @@ -22,7 +22,7 @@ version: v4.97-r0-0-1 name: exim_relay - src: git+https://gitlab.com/etke.cc/roles/grafana.git - version: v10.3.1-1 + version: v10.3.1-2 name: grafana - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git version: v9111-1 From 8c69ff8d03ab1db45765745e6cffd77110daa28f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 30 Jan 2024 21:37:18 +0200 Subject: [PATCH 077/118] Upgrade Postgres (v16.1-5 -> v16.1-6) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 649ff5463..6fffac1f4 100644 --- a/requirements.yml +++ b/requirements.yml @@ -40,7 +40,7 @@ version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16 name: playbook_state_preserver - src: git+https://github.com/devture/com.devture.ansible.role.postgres.git - version: v16.1-5 + version: v16.1-6 name: postgres - src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git version: 7eadc992ca952fc29bf3fab5aa6335fa82ff01e5 From 578d00a54a75267e44098725c284217ecf577b7b Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Wed, 31 Jan 2024 12:13:20 +0200 Subject: [PATCH 078/118] Default to root-path-redirection on the base domain if index.html creation is disabled This is a break in backward-compatibility for people disabling `index.html` creation via the playbook but are managing their static website files in another way (AUX role, etc). --- group_vars/matrix_servers | 4 ++++ roles/custom/matrix-static-files/defaults/main.yml | 6 ++++++ .../matrix-static-files/tasks/validate_config.yml | 2 ++ roles/custom/matrix-static-files/templates/labels.j2 | 12 ++++++++++++ 4 files changed, 24 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index c594ee26e..f735cd1da 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -4848,6 +4848,10 @@ matrix_static_files_container_labels_well_known_matrix_endpoint_traefik_hostname # but we pass the hostname, so that enabling it is easy. matrix_static_files_container_labels_base_domain_traefik_hostname: "{{ matrix_domain }}" +# If we're not serving a static webpage, serve a redirect instead of a 404. +matrix_static_files_container_labels_base_domain_root_path_redirection_enabled: "{{ not matrix_static_files_file_index_html_enabled }}" +matrix_static_files_container_labels_base_domain_root_path_redirection_url: "https://{{ matrix_server_fqn_matrix }}" + matrix_static_files_file_matrix_client_property_io_element_jitsi_preferred_domain: "{{ matrix_server_fqn_jitsi if jitsi_enabled else '' }}" matrix_static_files_file_matrix_client_property_org_matrix_msc3575_proxy_url: "{{ matrix_homeserver_sliding_sync_url }}" diff --git a/roles/custom/matrix-static-files/defaults/main.yml b/roles/custom/matrix-static-files/defaults/main.yml index 16f0c7d58..045004f46 100644 --- a/roles/custom/matrix-static-files/defaults/main.yml +++ b/roles/custom/matrix-static-files/defaults/main.yml 
@@ -81,6 +81,9 @@ matrix_static_files_container_labels_base_domain_traefik_priority: 0 matrix_static_files_container_labels_base_domain_traefik_entrypoints: "{{ matrix_static_files_container_labels_traefik_entrypoints }}" matrix_static_files_container_labels_base_domain_traefik_tls: "{{ matrix_static_files_container_labels_base_domain_traefik_entrypoints != 'web' }}" matrix_static_files_container_labels_base_domain_traefik_tls_certResolver: "{{ matrix_static_files_container_labels_traefik_tls_certResolver }}" # noqa var-naming +# Controls whether the root path (/) at the base domain would respond with a redirect to some URL. +matrix_static_files_container_labels_base_domain_root_path_redirection_enabled: false +matrix_static_files_container_labels_base_domain_root_path_redirection_url: "" # matrix_static_files_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. # See `../templates/labels.j2` for details. @@ -343,6 +346,9 @@ matrix_static_files_file_matrix_support_configuration: "{{ matrix_static_files_f # # You can also use the auxiliary role (https://github.com/mother-of-all-self-hosting/ansible-role-aux) to create files in # the public directory (matrix_static_files_public_path) by yourself. +# If you're disabling this but are preparing some HTML files by yourself, +# consider explicitly disabling `matrix_static_files_container_labels_base_domain_root_path_redirection_enabled` as well. +# The default behavior when this is disabled is to enable root-path-redirection. # # Because you may wish to manage these static files yourself, disabling this variable will intentionally not delete an already existing `index.html` file. matrix_static_files_file_index_html_enabled: "{{ matrix_static_files_container_labels_base_domain_enabled }}" diff --git a/roles/custom/matrix-static-files/tasks/validate_config.yml b/roles/custom/matrix-static-files/tasks/validate_config.yml index 6d4cc7978..ca079d029 100644 
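Review bot: The comment added in the second hunk, `The default behavior when this is disabled is to enable root-path-redirection.`, does not hold at this file's level: the role default added in the first hunk is `matrix_static_files_container_labels_base_domain_root_path_redirection_enabled: false`, and the coupling to `matrix_static_files_file_index_html_enabled` is introduced by the `group_vars/matrix_servers` hunk of this commit, not by these defaults. Someone consuming the role on its own would read the comment as a promise the role does not keep. Suggest rewording it to `# When used via the playbook's group_vars, disabling this automatically enables root-path-redirection; this role's own default leaves redirection disabled.`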
--- a/roles/custom/matrix-static-files/tasks/validate_config.yml +++ b/roles/custom/matrix-static-files/tasks/validate_config.yml @@ -11,3 +11,5 @@ - {'name': 'matrix_static_files_container_labels_base_domain_traefik_hostname', when: "{{ matrix_static_files_container_labels_base_domain_enabled }}"} - {'name': 'matrix_static_files_container_labels_base_domain_traefik_path_prefix', when: "{{ matrix_static_files_container_labels_base_domain_enabled }}"} + + - {'name': 'matrix_static_files_container_labels_base_domain_root_path_redirection_url', when: "{{ matrix_static_files_container_labels_base_domain_enabled and matrix_static_files_container_labels_base_domain_root_path_redirection_enabled }}"} diff --git a/roles/custom/matrix-static-files/templates/labels.j2 b/roles/custom/matrix-static-files/templates/labels.j2 index e7776cb82..46fc49490 100644 --- a/roles/custom/matrix-static-files/templates/labels.j2 +++ b/roles/custom/matrix-static-files/templates/labels.j2 
@@ -56,12 +56,24 @@ traefik.http.routers.{{ matrix_static_files_identifier }}-well-known.tls.certRes # # ############################################################ +{% set middlewares = [] %} + +{% if matrix_static_files_container_labels_base_domain_root_path_redirection_enabled %} +traefik.http.middlewares.{{ matrix_static_files_identifier }}-root-path-redirect.redirectregex.regex=^https://{{ matrix_static_files_container_labels_base_domain_traefik_hostname }}{{ matrix_static_files_container_labels_base_domain_traefik_path_prefix }}$ +traefik.http.middlewares.{{ matrix_static_files_identifier }}-root-path-redirect.redirectregex.replacement={{ matrix_static_files_container_labels_base_domain_root_path_redirection_url }} +{% set middlewares = middlewares + [matrix_static_files_identifier + '-root-path-redirect'] %} +{% endif %} + traefik.http.routers.{{ matrix_static_files_identifier }}-base-domain.rule={{ matrix_static_files_container_labels_base_domain_traefik_rule }} {% if matrix_static_files_container_labels_base_domain_traefik_priority | int > 0 %} traefik.http.routers.{{ matrix_static_files_identifier }}-base-domain.priority={{ matrix_static_files_container_labels_base_domain_traefik_priority }} {% endif %} +{% if middlewares | length > 0 %} +traefik.http.routers.{{ matrix_static_files_identifier }}-base-domain.middlewares={{ middlewares | join(',') }} +{% endif %} + traefik.http.routers.{{ matrix_static_files_identifier }}-base-domain.service={{ matrix_static_files_identifier }} traefik.http.routers.{{ matrix_static_files_identifier }}-base-domain.entrypoints={{ matrix_static_files_container_labels_base_domain_traefik_entrypoints }} traefik.http.routers.{{ matrix_static_files_identifier }}-base-domain.tls={{ matrix_static_files_container_labels_base_domain_traefik_tls | to_json }} From 502db3583133cf2de80c634ba74a8e0553df2243 Mon Sep 17 00:00:00 2001 
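Review bot: The new `redirectregex.regex` line hard-codes `https://` and inserts `matrix_static_files_container_labels_base_domain_traefik_hostname` and the path prefix unescaped, so the rule matches only TLS requests and the dots in the hostname match any character. The router in this same section can be bound to a plain `web` entrypoint (the defaults in this commit set `matrix_static_files_container_labels_base_domain_traefik_tls` to `entrypoints != 'web'`), in which case the root request arrives as `http://` and the redirect silently never fires, leaving the 404 the commit set out to replace. Suggest `traefik.http.middlewares.{{ matrix_static_files_identifier }}-root-path-redirect.redirectregex.regex=^https?://{{ matrix_static_files_container_labels_base_domain_traefik_hostname | regex_escape }}{{ matrix_static_files_container_labels_base_domain_traefik_path_prefix | regex_escape }}$`. The `replacement` value is operator-supplied and, per the validate_config hunk, only checked for being set, which is acceptable for a redirect target but deserves a template comment such as `{# The redirection URL is emitted verbatim into the label; it is not validated beyond being non-empty. #}`.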
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 31 Jan 2024 20:11:11 +0000 Subject: [PATCH 079/118] Update vectorim/element-web Docker tag to v1.11.57 --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 305deae19..934bf885a 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml @@ -11,7 +11,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" # renovate: datasource=docker depName=vectorim/element-web -matrix_client_element_version: v1.11.55 +matrix_client_element_version: v1.11.57 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" From 2e08d65e7afd6cae0da8ccb9dd608635520200a6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 1 Feb 2024 15:56:20 +0200 Subject: [PATCH 080/118] Upgrade Jitsi (v9111-1 -> v9220-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 6fffac1f4..5e8fd6783 100644 --- a/requirements.yml +++ b/requirements.yml @@ -25,7 +25,7 @@ version: v10.3.1-2 name: grafana - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git - version: v9111-1 + version: v9220-0 name: jitsi - src: git+https://gitlab.com/etke.cc/roles/ntfy.git version: v2.8.0-1 From 533f42fe08c67fff7ad2396b9b29d34f887420e1 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 1 Feb 2024 17:11:26 +0000 Subject: [PATCH 081/118] Update dependency docker to v7.1.0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 5e8fd6783..3c51ab86e 100644 --- a/requirements.yml +++ b/requirements.yml @@ -10,7 +10,7 @@ version: v0.1.1-3 name: container_socket_proxy - src: git+https://github.com/geerlingguy/ansible-role-docker - version: 7.0.2 + version: 7.1.0 name: docker - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git version: 129c8590e106b83e6f4c259649a613c6279e937a From 2c06aa1d04256b9764e4f0f45f625f82867889ff Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 1 Feb 2024 20:11:51 +0000 Subject: [PATCH 082/118] Update gnuxie/draupnir Docker tag to v1.86.1 --- roles/custom/matrix-bot-draupnir/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-draupnir/defaults/main.yml b/roles/custom/matrix-bot-draupnir/defaults/main.yml index e8ab01146..3a4bdc250 100644 --- a/roles/custom/matrix-bot-draupnir/defaults/main.yml +++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml @@ -5,7 +5,7 @@ matrix_bot_draupnir_enabled: true # renovate: datasource=docker depName=gnuxie/draupnir -matrix_bot_draupnir_version: "v1.86.0" +matrix_bot_draupnir_version: "v1.86.1" matrix_bot_draupnir_container_image_self_build: false matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git" From 6e2bcc79324e02094449154b707a26e543a4ef9c Mon Sep 17 00:00:00 2001 
From: Ed Geraghty Date: Fri, 2 Feb 2024 20:09:21 +0000 Subject: [PATCH 083/118] Add upstream `proxy_protocol` instructions to traefik (#3150) * Add upstream `proxy_protocol` instructions to traefik * Fix YAML indentation to use spaces --------- Co-authored-by: Slavi Pantaleev --- docs/configuring-playbook-traefik.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/docs/configuring-playbook-traefik.md b/docs/configuring-playbook-traefik.md index 5f4753891..dc4d88cf6 100644 --- a/docs/configuring-playbook-traefik.md +++ b/docs/configuring-playbook-traefik.md @@ -137,3 +137,25 @@ Changing the `url` to one with an `http://` prefix would allow to connect to the With these changes, all TCP traffic will be reverse-proxied to the target system. **WARNING**: This configuration might lead to problems or need additional steps when a [certbot](https://certbot.eff.org/) behind Traefik also tries to manage [Let's Encrypt](https://letsencrypt.org/) certificates, as Traefik captures all traffic to ```PathPrefix(`/.well-known/acme-challenge/`)```. + + +## Traefik behind a `proxy_protocol` reverse-proxy + +If you run a reverse-proxy which speaks `proxy_protocol`, add the following to your configuration file: + +```yaml +devture_traefik_configuration_extension_yaml: | + entryPoints: + web-secure: + proxyProtocol: + trustedIPs: + - "127.0.0.1/32" + - "/32" + - "/128" + matrix-federation: + proxyProtocol: + trustedIPs: + - "127.0.0.1/32" + - "/32" + - "/128" +``` From 76a265f9a1b9024810f2e67cdff09786a6dfc01a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 3 Feb 2024 08:05:52 +0200 Subject: [PATCH 084/118] Document new base-domain root-path redirection behavior --- CHANGELOG.md | 11 +++++++++++ docs/configuring-playbook-base-domain-serving.md | 4 ++++ 2 files changed, 15 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0e8ece22b..7a9473760 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,14 @@ +# 2024-01-31 + +## (Backward-compatibility break) Minor changes necessary for some people serving a static website at the base domain + +This only affects people who are [Serving a static website at the base domain](./docs/configuring-playbook-base-domain-serving.md#serving-a-static-website-at-the-base-domain), but not managing its `index.html` through the playbook. + +That is, for people who have `matrix_static_files_file_index_html_enabled: false` in their `vars.yml` configuration, the playbook has a new default behavior. Since the playbook is not managing the `index.html` file, it will default to a more sensible way of handling the base domain - redirecting `https://DOMAIN/` to `https://matrix.DOMAIN/`, instead of serving a 404 page. + +If you are managing your static website by yourself (by dropping files into `/matrix/static-files/public` somehow), then you probably don't wish for such redirection to happen. You can disable it by adding `matrix_static_files_container_labels_base_domain_enabled: false` to your `vars.yml` configuration file. + + # 2024-01-20 ## Support for more efficient (specialized) Synapse workers diff --git a/docs/configuring-playbook-base-domain-serving.md b/docs/configuring-playbook-base-domain-serving.md index f1cf992d1..d070abc59 100644 --- a/docs/configuring-playbook-base-domain-serving.md +++ b/docs/configuring-playbook-base-domain-serving.md @@ -42,6 +42,10 @@ matrix_static_files_container_labels_base_domain_enabled: true # Prevent the default index.html file from being installed matrix_static_files_file_index_html_enabled: false + +# Disable the automatic redirectin of `https://DOMAIN/` to `https://matrix.DOMAIN/`. +# This gets automatically enabled when you disable `matrix_static_files_file_index_html_enabled`, as we're doing above. +matrix_static_files_container_labels_base_domain_enabled: false ``` With this configuration, Ansible will no longer mess around with the `/matrix/static-files/public/index.html` file. 
From 1160e3212621d2bba1c67ef32780a8c0f6252236 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 3 Feb 2024 18:48:24 +0200 Subject: [PATCH 085/118] Fix incorrect variable name for base-domain root-path redirection Fixes a typo in 76a265f9a1b902481 Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3153 --- CHANGELOG.md | 2 +- docs/configuring-playbook-base-domain-serving.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7a9473760..d96326a17 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,7 +6,7 @@ This only affects people who are [Serving a static website at the base domain](. That is, for people who have `matrix_static_files_file_index_html_enabled: false` in their `vars.yml` configuration, the playbook has a new default behavior. Since the playbook is not managing the `index.html` file, it will default to a more sensible way of handling the base domain - redirecting `https://DOMAIN/` to `https://matrix.DOMAIN/`, instead of serving a 404 page. -If you are managing your static website by yourself (by dropping files into `/matrix/static-files/public` somehow), then you probably don't wish for such redirection to happen. You can disable it by adding `matrix_static_files_container_labels_base_domain_enabled: false` to your `vars.yml` configuration file. +If you are managing your static website by yourself (by dropping files into `/matrix/static-files/public` somehow), then you probably don't wish for such redirection to happen. You can disable it by adding `matrix_static_files_container_labels_base_domain_root_path_redirection_enabled: false` to your `vars.yml` configuration file. # 2024-01-20 diff --git a/docs/configuring-playbook-base-domain-serving.md b/docs/configuring-playbook-base-domain-serving.md index d070abc59..95f7547a3 100644 --- a/docs/configuring-playbook-base-domain-serving.md +++ b/docs/configuring-playbook-base-domain-serving.md 
@@ -45,7 +45,7 @@ matrix_static_files_file_index_html_enabled: false # Disable the automatic redirectin of `https://DOMAIN/` to `https://matrix.DOMAIN/`. # This gets automatically enabled when you disable `matrix_static_files_file_index_html_enabled`, as we're doing above. -matrix_static_files_container_labels_base_domain_enabled: false +matrix_static_files_container_labels_base_domain_root_path_redirection_enabled: false ``` With this configuration, Ansible will no longer mess around with the `/matrix/static-files/public/index.html` file. From 929aee302240e56e0ea37c8f94cf76d8447362d2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 3 Feb 2024 18:52:26 +0200 Subject: [PATCH 086/118] Fix incorrect prefix for Synapse worker metrics Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3154 --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 8e3169b7b..cbb8d2196 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml 
@@ -752,7 +752,7 @@ matrix_synapse_worker_container_labels_traefik_hostname: "{{ matrix_synapse_cont # Controls whether labels will be added that expose metrics (see `matrix_synapse_metrics_proxying_enabled`) matrix_synapse_worker_container_labels_public_metrics_enabled: "{{ matrix_synapse_metrics_enabled and matrix_synapse_metrics_proxying_enabled }}" # The `__WORKER_ID__` placeholder will be replaced with the actual worker id during label-file generation (see `../templates/worker-labels.j2`). -matrix_synapse_worker_container_labels_public_metrics_traefik_path: "{{ matrix_synapse_metrics_proxying_path_prefix }}/__WORKER_ID__" +matrix_synapse_worker_container_labels_public_metrics_traefik_path: "{{ matrix_synapse_metrics_proxying_path_prefix }}/worker/__WORKER_ID__" matrix_synapse_worker_container_labels_public_metrics_traefik_rule: "Host(`{{ matrix_synapse_metrics_proxying_hostname }}`) && Path(`{{ matrix_synapse_worker_container_labels_public_metrics_traefik_path }}`)" matrix_synapse_worker_container_labels_public_metrics_traefik_priority: 0 matrix_synapse_worker_container_labels_public_metrics_traefik_entrypoints: "{{ matrix_synapse_container_labels_traefik_entrypoints }}" From e01aa667e7dd0a34f1f5af1572d73db7b602a9fd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 3 Feb 2024 18:53:14 +0200 Subject: [PATCH 087/118] Fix some comments in worker-labels for Synapse Related to 929aee302240e56e0e and https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3154 --- .../custom/matrix-synapse/templates/synapse/worker-labels.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-synapse/templates/synapse/worker-labels.j2 b/roles/custom/matrix-synapse/templates/synapse/worker-labels.j2 index 35ef12da1..9cf4feaed 100644 --- a/roles/custom/matrix-synapse/templates/synapse/worker-labels.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/worker-labels.j2 
@@ -8,7 +8,7 @@ traefik.docker.network={{ matrix_synapse_worker_container_labels_traefik_docker_ traefik.http.services.{{ matrix_synapse_worker_container_name }}-metrics.loadbalancer.server.port={{ matrix_synapse_worker_details.metrics_port }} {# - Metrics (e.g. /metrics/synapse/__WORKER_ID__) + Metrics (e.g. /metrics/synapse/worker/__WORKER_ID__) #} {% if matrix_synapse_worker_container_labels_public_metrics_enabled %} @@ -42,7 +42,7 @@ traefik.http.routers.{{ matrix_synapse_worker_container_name }}-metrics.tls.cert {% endif %} {# - /Metrics (e.g. /metrics/synapse/__WORKER_ID__) + /Metrics (e.g. /metrics/synapse/worker/__WORKER_ID__) #} From c68e9dc2eb5d5a66b5a43615c2787b4c69c834ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ingy=20d=C3=B6t=20Net?= Date: Sun, 4 Feb 2024 09:31:32 -0800 Subject: [PATCH 088/118] Update configuring-playbook.md `mkdir` with multiple subdirs needs `-p` --- docs/configuring-playbook.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 1d6227856..413db7b8d 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -8,7 +8,7 @@ To configure the playbook, you need to have done the following things: You can then follow these steps inside the playbook directory: -1. create a directory to hold your configuration (`mkdir inventory/host_vars/matrix.`) +1. create a directory to hold your configuration (`mkdir -p inventory/host_vars/matrix.`) 1. copy the sample configuration file (`cp examples/vars.yml inventory/host_vars/matrix./vars.yml`) From 8b027efb65e6f0febee39cadf87054ef508934ed Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 5 Feb 2024 18:39:36 +0200 Subject: [PATCH 089/118] Upgrade mautrix-signal (de8c8d97c23 -> 103666990f3) --- roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml index dd255070c..3a30d9d1c 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml @@ -9,7 +9,7 @@ matrix_mautrix_signal_container_image_self_build_repo: "https://mau.dev/mautrix/ matrix_mautrix_signal_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}" # renovate: datasource=docker depName=dock.mau.dev/mautrix/signal -matrix_mautrix_signal_version: de8c8d97c23dc1982686a698162b45f1f112155b +matrix_mautrix_signal_version: 103666990f30a692c63dd84a499b0dd390cef8a4 # See: https://mau.dev/mautrix/signal/container_registry matrix_mautrix_signal_docker_image: "{{ matrix_mautrix_signal_docker_image_name_prefix }}mautrix/signal:{{ matrix_mautrix_signal_docker_image_tag }}" From 7f337fc9a67b47bd10cfe2122e552a48ddccd81c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 5 Feb 2024 19:07:51 +0200 Subject: [PATCH 090/118] Upgrade synapse-admin (0.8.7 -> 0.9.0) --- roles/custom/matrix-synapse-admin/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse-admin/defaults/main.yml b/roles/custom/matrix-synapse-admin/defaults/main.yml index 1dee1d756..a23416134 100644 --- a/roles/custom/matrix-synapse-admin/defaults/main.yml +++ b/roles/custom/matrix-synapse-admin/defaults/main.yml 
@@ -12,7 +12,7 @@ matrix_synapse_admin_container_image_self_build: false matrix_synapse_admin_container_image_self_build_repo: "https://github.com/Awesome-Technologies/synapse-admin.git" # renovate: datasource=docker depName=awesometechnologies/synapse-admin -matrix_synapse_admin_version: 0.8.7 +matrix_synapse_admin_version: 0.9.0 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" From 2baea7ce7b8c896bf75e450a0459f36ff90fe356 Mon Sep 17 00:00:00 2001 From: Aine Date: Mon, 5 Feb 2024 22:07:45 +0200 Subject: [PATCH 091/118] buscarron v1.4.0 --- .../matrix-bot-buscarron/defaults/main.yml | 17 +---------------- .../matrix-bot-buscarron/templates/env.j2 | 4 +++- 2 files changed, 4 insertions(+), 17 deletions(-) diff --git a/roles/custom/matrix-bot-buscarron/defaults/main.yml b/roles/custom/matrix-bot-buscarron/defaults/main.yml index f06320ed4..116155cef 100644 --- a/roles/custom/matrix-bot-buscarron/defaults/main.yml +++ b/roles/custom/matrix-bot-buscarron/defaults/main.yml @@ -6,7 +6,7 @@ matrix_bot_buscarron_enabled: true # renovate: datasource=docker depName=registry.gitlab.com/etke.cc/buscarron -matrix_bot_buscarron_version: v1.3.1 +matrix_bot_buscarron_version: v1.4.0 # The hostname at which Buscarron is served. matrix_bot_buscarron_hostname: '' @@ -145,9 +145,6 @@ matrix_bot_buscarron_homeserver: "" # forms configuration matrix_bot_buscarron_forms: [] -# Disable encryption -matrix_bot_buscarron_noencryption: false - # Sentry DSN matrix_bot_buscarron_sentry: '' 
@@ -157,18 +154,6 @@ matrix_bot_buscarron_loglevel: INFO # list of spammers with wildcards support, eg: *@spam.com spam@*, spam@spam.com matrix_bot_buscarron_spamlist: [] -# spam hosts/domains. -# deprecated, use matrix_bot_buscarron_spamlist -matrix_bot_buscarron_spam_hosts: [] - -# spam email addresses -# deprecated, use matrix_bot_buscarron_spamlist -matrix_bot_buscarron_spam_emails: [] - -# spam email localparts -# deprecated, use matrix_bot_buscarron_spamlist -matrix_bot_buscarron_spam_localparts: [] - # Banlist size matrix_bot_buscarron_ban_size: 10000 diff --git a/roles/custom/matrix-bot-buscarron/templates/env.j2 b/roles/custom/matrix-bot-buscarron/templates/env.j2 index 1f71802a5..ea3f8c21f 100644 --- a/roles/custom/matrix-bot-buscarron/templates/env.j2 +++ b/roles/custom/matrix-bot-buscarron/templates/env.j2 
@@ -16,17 +16,19 @@ BUSCARRON_PM_FROM={{ matrix_bot_buscarron_pm_from }} BUSCARRON_PM_REPLYTO={{ matrix_bot_buscarron_pm_replyto }} BUSCARRON_SMTP_FROM={{ matrix_bot_buscarron_smtp_from }} BUSCARRON_SMTP_VALIDATION={{ matrix_bot_buscarron_smtp_validation }} -BUSCARRON_NOENCRYPTION={{ matrix_bot_buscarron_noencryption }} BUSCARRON_METRICS_LOGIN={{ matrix_bot_buscarron_metrics_login }} BUSCARRON_METRICS_PASSWORD={{ matrix_bot_buscarron_metrics_password }} BUSCARRON_METRICS_IPS={{ matrix_bot_buscarron_metrics_ips|default([])|join(" ") }} {% set forms = [] %} {% for form in matrix_bot_buscarron_forms -%}{{- forms.append(form.name) -}} BUSCARRON_{{ form.name|upper }}_ROOM={{ form.room|default('') }} +BUSCARRON_{{ form.name|upper }}_TEXT={{ form.text|default('') }} BUSCARRON_{{ form.name|upper }}_REDIRECT={{ form.redirect|default('') }} +BUSCARRON_{{ form.name|upper }}_REDIRECT_REJECT={{ form.redirect_reject|default('') }} BUSCARRON_{{ form.name|upper }}_HASDOMAIN={{ form.hasdomain|default('') }} BUSCARRON_{{ form.name|upper }}_HASEMAIL={{ form.hasemail|default('') }} BUSCARRON_{{ form.name|upper }}_RATELIMIT={{ form.ratelimit|default('') }} +BUSCARRON_{{ form.name|upper }}_RATELIMIT_SHARED={{ form.ratelimit_shared|default(false) }} BUSCARRON_{{ form.name|upper }}_EXTENSIONS={{ form.extensions|default('')|join(' ') }} BUSCARRON_{{ form.name|upper }}_CONFIRMATION_SUBJECT={{ form.confirmation_subject|default('') }} BUSCARRON_{{ form.name|upper }}_CONFIRMATION_BODY={{ form.confirmation_body|default('') }} From a07345a42ee9081eaf2ff71cb0b3b7c7e4d73bdb Mon Sep 17 00:00:00 2001 
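Review bot: This commit deletes the `matrix_bot_buscarron_spam_hosts`, `_spam_emails` and `_spam_localparts` defaults, but the head of this same template (outside the hunk: `BUSCARRON_SPAM_HOSTS={{ matrix_bot_buscarron_spam_hosts|join(" ") }}` and the two lines after it) still renders them, so templating fails with an undefined-variable error for anyone who has not set those variables explicitly; those three lines have to be removed in the same change. Separately, the new `BUSCARRON_{{ form.name|upper }}_TEXT={{ form.text|default('') }}` writes free-form text into a line-oriented env file with no escaping, so a `form.text` containing a newline would split the file and its tail would be read as a different variable — presumably this value is shown to form submitters and may well be multi-line, so either reject newlines in `validate_config.yml` or document that it must be a single line. The `{% for form in matrix_bot_buscarron_forms %}` loop these lines sit in starts inside the hunk but its closing tag is outside it.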
From: Aine <97398200+etkecc@users.noreply.github.com> Date: Mon, 5 Feb 2024 22:12:24 +0200 Subject: [PATCH 092/118] update honoroit (v0.9.19 -> v0.9.20) **Warning**: [CI pipeline is in progress](https://gitlab.com/etke.cc/honoroit/-/pipelines/1165360868) changelog: * safer reaction forwarding * fix duplicated prefix and suffix on completed requests * add missing `!ho help` entries * add new `!ho count` command * count requests by homeserver and by MXID * add new `!ho config` command set - configure honoroit directly from the chat * mautrix-go 0.15.x+ migration * shared secret auth support * account data encyption support removed env vars (automatic migration): * HONOROIT_TEXT_* * HONOROIT_ALLOWEDUSERS * HONOROIT_IGNOREDROOMS * HONOROIT_IGNORENOTHREAD * HONOROIT_NOENCRYPTION --- roles/custom/matrix-bot-honoroit/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-honoroit/defaults/main.yml b/roles/custom/matrix-bot-honoroit/defaults/main.yml index a3430ab24..76ab590f6 100644 --- a/roles/custom/matrix-bot-honoroit/defaults/main.yml +++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml @@ -21,7 +21,7 @@ matrix_bot_honoroit_docker_repo_version: "{{ matrix_bot_honoroit_version }}" matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src" # renovate: datasource=docker depName=registry.gitlab.com/etke.cc/honoroit -matrix_bot_honoroit_version: v0.9.19 +matrix_bot_honoroit_version: v0.9.20 matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}etke.cc/honoroit:{{ matrix_bot_honoroit_version }}" matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/' }}" matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}" From 928b21acf4c0e356409d72f819acde8ccd90dd4d Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Tue, 6 Feb 2024 07:23:56 +0200 Subject: [PATCH 093/118] Add variable-deprecation task for Buscarron Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3157 --- .../matrix-bot-buscarron/tasks/validate_config.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/roles/custom/matrix-bot-buscarron/tasks/validate_config.yml b/roles/custom/matrix-bot-buscarron/tasks/validate_config.yml index 0694a6578..0e968e55a 100644 --- a/roles/custom/matrix-bot-buscarron/tasks/validate_config.yml +++ b/roles/custom/matrix-bot-buscarron/tasks/validate_config.yml @@ -1,4 +1,15 @@ --- +- name: (Deprecation) Catch and report renamed Buscarron settings + ansible.builtin.fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_bot_buscarron_noencryption', 'new': ''} + - {'old': 'matrix_bot_buscarron_spam_hosts', 'new': ''} + - {'old': 'matrix_bot_buscarron_spam_emails', 'new': ''} + - {'old': 'matrix_bot_buscarron_spam_localparts', 'new': ''} - name: Fail if required Buscarron settings not defined ansible.builtin.fail: From 066790783275dbf5a521652337c056c263066256 Mon Sep 17 00:00:00 2001 From: needo37 Date: Thu, 8 Feb 2024 03:44:38 +0000 Subject: [PATCH 094/118] Update configuring-playbook-bridge-mautrix-whatsapp.md Backfilling is now supported. Updating documentation. --- ...figuring-playbook-bridge-mautrix-whatsapp.md | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/docs/configuring-playbook-bridge-mautrix-whatsapp.md b/docs/configuring-playbook-bridge-mautrix-whatsapp.md index 1794afbd4..caa7edee3 100644 --- a/docs/configuring-playbook-bridge-mautrix-whatsapp.md +++ b/docs/configuring-playbook-bridge-mautrix-whatsapp.md 
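Review bot: The failure message says the variable "now has a different name" and asks the user to rename it to `{{ item.new }}`, but every entry has `'new': ''`, so the rendered text ends in an arrow pointing at nothing and reads as a broken rename rather than the removal it actually is. Since all four settings are gone (the three spam lists folded into `matrix_bot_buscarron_spamlist`, `matrix_bot_buscarron_noencryption` dropped from the env template by the previous commit), a plain list under `with_items` with a message like `msg: "Your configuration contains the '{{ item }}' variable, which has been removed. Spam filtering is now configured via 'matrix_bot_buscarron_spamlist'."` says what the operator must do. Failing hard on a stale `matrix_bot_buscarron_noencryption: true` is the right behaviour — whoever relied on that knob needs to learn the bot's encryption behaviour is no longer controlled from the playbook, rather than having the setting silently ignored.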
@@ -24,23 +24,6 @@ matrix_mautrix_whatsapp_bridge_relay_admin_only: false If you want to activate the relay bot in a room, use `!wa set-relay`. Use `!wa unset-relay` to deactivate. -## Enable backfilling history -This requires a server with MSC2716 support, which is currently an experimental feature in synapse. -Note that as of Synapse 1.46, there are still some bugs with the implementation, especially if using event persistence workers. -Use the following playbook configuration: - -```yaml -matrix_synapse_configuration_extension_yaml: | - experimental_features: - msc2716_enabled: true -``` -```yaml -matrix_mautrix_whatsapp_configuration_extension_yaml: - bridge: - history_sync: - backfill: true -``` - ## Set up Double Puppeting If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it. From 518615a97933db64ebbd562a198e4e1370fd9117 Mon Sep 17 00:00:00 2001 From: needo37 Date: Thu, 8 Feb 2024 06:13:07 +0000 Subject: [PATCH 095/118] Update signal config.yaml.j2 merging upstream changes (#3164) * Update signal config.yaml.j2 merging upstream changes * Add raw/endraw around displayname_template for mautrix-signal --------- Co-authored-by: Slavi Pantaleev --- .../matrix-bridge-mautrix-signal/templates/config.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index 181637c03..182e43eb1 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2 
@@ -101,7 +101,7 @@ bridge: # {{.UUID}} - The UUID of the Signal user. # {{.AboutEmoji}} - The emoji set by the user in their profile. # {% endraw %} - displayname_template: "{{ '{{.ProfileName}} (Signal)' }}" + displayname_template: {% raw %}'{{or .ProfileName .PhoneNumber "Unknown user"}}'{% endraw %} # Whether to explicitly set the avatar and room name for private chat portal rooms. # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms. # If set to `always`, all DM rooms will have explicit names and avatars set. From 8a9a700cfca59ee1c9be528960d64c3d222b2cfc Mon Sep 17 00:00:00 2001 From: needo37 Date: Thu, 8 Feb 2024 06:15:17 +0000 Subject: [PATCH 096/118] Bring config.yaml.j2 in line with upstream (#3163) * Bring config.yaml.j2 in line with upstream * Update config.yaml.j2 --- .../templates/config.yaml.j2 | 116 +++++++++++------- 1 file changed, 73 insertions(+), 43 deletions(-) diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 index ad381f6aa..80e0f683a 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 
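Review bot: The new template drops the ` (Signal)` suffix from bridged users' display names and, whenever a contact has no Signal profile name, falls back to `.PhoneNumber` — so that contact's Signal phone number becomes their Matrix display name, visible to every member of the portal room and, if portal rooms are federated, to remote servers too. Both deserve a deliberate decision rather than a silent upstream sync: keep the suffix so ghost users remain distinguishable from native accounts, and put the exposure in a comment next to the value, e.g. `# NOTE: with no profile name the Signal phone number is used as the display name and is visible to everyone in the room`. The `{% raw %}…{% endraw %}` wrapping around only this value is fine in principle, provided the `# {% endraw %}` context line above it really closes the earlier raw section, which cannot be confirmed from this hunk.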
@@ -54,16 +54,17 @@ appservice: # Whether or not to receive ephemeral events via appservice transactions. # Requires MSC2409 support (i.e. Synapse 1.22+). - # You should disable bridge -> sync_with_custom_puppets when this is enabled. - ephemeral_events: false + ephemeral_events: true + + # Should incoming events be handled asynchronously? + # This may be necessary for large public instances with lots of messages going through. + # However, messages will not be guaranteed to be bridged in the same order they were sent in. + async_transactions: false # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. as_token: "{{ matrix_mautrix_whatsapp_appservice_token }}" hs_token: "{{ matrix_mautrix_whatsapp_homeserver_token }}" -# Segment API key to track some events, like provisioning API login and encryption errors. -segment_key: null - # Prometheus config. metrics: # Enable prometheus metrics? @@ -92,7 +93,7 @@ bridge: # The following variables are also available, but will cause problems on multi-user instances: # {{ '{{.FullName}}' }} - full name from contact list # {{ '{{.FirstName}}' }} - first name from contact list - displayname_template: "{{ '{{if .BusinessName}}{{.BusinessName}}{{else if .PushName}}{{.PushName}}{{else}}{{.JID}}{{end}} (WA)' }}" + displayname_template: "{{ '{{or .BusinessName .PushName .JID}} (WhatsApp)' }}" # Should the bridge create a space for each logged-in user and add bridged rooms to it? # Users who logged in before turning this on should run `!wa sync space` to create and fill the space for the first time. personal_filtering_spaces: {{ matrix_mautrix_whatsapp_bridge_personal_filtering_spaces | to_json }} 
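Review bot: `ephemeral_events: true` is now hardcoded, whereas sibling behaviour switches in this file are templated from playbook variables (`personal_filtering_spaces: {{ matrix_mautrix_whatsapp_bridge_personal_filtering_spaces | to_json }}` two hunks down); the removed comment line noted the interplay with `sync_with_custom_puppets`, which a later hunk deletes, so typing/read-receipt delivery to the bridge now rests entirely on the homeserver implementing MSC2409. On a homeserver that lacks it those events would presumably stop arriving without any error; `ephemeral_events: {{ matrix_mautrix_whatsapp_appservice_ephemeral_events | to_json }}` with a default of `true` keeps the upstream behaviour while leaving operators a way out. The `appservice:` mapping this sits in starts outside the hunk.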
@@ -109,23 +110,38 @@ bridge: portal_message_buffer: 128 # Settings for handling history sync payloads. history_sync: - # Should the bridge create portals for chats in the history sync payload? - create_portals: true - # Enable backfilling history sync payloads from WhatsApp using batch sending? - # This requires a server with MSC2716 support, which is currently an experimental feature in synapse. - # It can be enabled by setting experimental_features -> msc2716_enabled to true in homeserver.yaml. - # Note that prior to Synapse 1.49, there were some bugs with the implementation, especially if using event persistence workers. - # There are also still some issues in Synapse's federation implementation. - backfill: false - # Use double puppets for backfilling? - # In order to use this, the double puppets must be in the appservice's user ID namespace - # (because the bridge can't use the double puppet access token with batch sending). - # This only affects double puppets on the local server, double puppets on other servers will never be used. - # Doesn't work out of box with this playbook - double_puppet_backfill: false + # Enable backfilling history sync payloads from WhatsApp? + backfill: true + # The maximum number of initial conversations that should be synced. + # Other conversations will be backfilled on demand when receiving a message or when initiating a direct chat. + max_initial_conversations: -1 + # Maximum number of messages to backfill in each conversation. + # Set to -1 to disable limit. + message_count: 50 # Should the bridge request a full sync from the phone when logging in? # This bumps the size of history syncs from 3 months to 1 year. request_full_sync: false + # Configuration parameters that are sent to the phone along with the request full sync flag. + # By default (when the values are null or 0), the config isn't sent at all. + full_sync_config: + # Number of days of history to request. 
+ # The limit seems to be around 3 years, but using higher values doesn't break. + days_limit: null + # This is presumably the maximum size of the transferred history sync blob, which may affect what the phone includes in the blob. + size_mb_limit: null + # This is presumably the local storage quota, which may affect what the phone includes in the history sync blob. + storage_quota_mb: null + # If this value is greater than 0, then if the conversation's last message was more than + # this number of hours ago, then the conversation will automatically be marked it as read. + # Conversations that have a last message that is less than this number of hours ago will + # have their unread status synced from WhatsApp. + unread_hours_threshold: 0 + + ############################################################################### + # The settings below are only applicable for backfilling using batch sending, # + # which is no longer supported in Synapse. # + ############################################################################### + # Settings for media requests. If the media expired, then it will not # be on the WA servers. # Media can always be requested by reacting with the ♻️ (recycle) emoji. 
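Review bot: `backfill: true` together with `max_initial_conversations: -1` switches history import on for every chat unconditionally, where the old template had it off and behaviour-changing switches elsewhere in this file (`personal_filtering_spaces`, `federate_rooms`) are driven by playbook variables. Importing up to `message_count: 50` messages per conversation into portal rooms is a retention decision operators should make explicitly — once that history is in a federated portal room it is replicated to any remote server with members there. Suggest `backfill: {{ matrix_mautrix_whatsapp_bridge_history_sync_backfill | to_json }}` with a `true` default in `defaults/main.yml`, and the same for `max_initial_conversations` and `message_count`. The banner comment at the end of the hunk says the batch-sending settings that follow are no longer supported in Synapse; those keys (outside this hunk) could be dropped instead of being carried as dead config.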
@@ -142,17 +158,6 @@ bridge: # If request_method is "local_time", what time should the requests # be sent (in minutes after midnight)? request_local_time: 120 - # The maximum number of initial conversations that should be synced. - # Other conversations will be backfilled on demand when the start PM - # provisioning endpoint is used or when a message comes in from that - # chat. - max_initial_conversations: -1 - # If this value is greater than 0, then if the conversation's last - # message was more than this number of hours ago, then the conversation - # will automatically be marked it as read. - # Conversations that have a last message that is less than this number - # of hours ago will have their unread status synced from WhatsApp. - unread_hours_threshold: 0 # Settings for immediate backfills. These backfills should generally be # small and their main purpose is to populate each of the initial chats # (as configured by max_initial_conversations) with a few messages so @@ -192,12 +197,11 @@ bridge: - start_days_ago: -1 max_batch_events: 500 batch_delay: 10 + # Should puppet avatars be fetched from the server even if an avatar is already set? user_avatar_sync: true # Should Matrix users leaving groups be bridged to WhatsApp? bridge_matrix_leave: true - # Should the bridge sync with double puppeting to receive EDUs that aren't normally sent to appservices. - sync_with_custom_puppets: true # Should the bridge update the m.direct account data event when double puppeting is enabled. # Note that updating the m.direct event is not atomic (except with mautrix-asmux) # and is therefore prone to race conditions. 
@@ -210,7 +214,6 @@ bridge: # When double puppeting is enabled, users can use `!wa toggle` to change whether # presence and read receipts are bridged. These settings set the default values. # Existing users won't be affected when these are changed. - default_bridge_receipts: true default_bridge_presence: true # Send the presence as "available" to whatsapp when users start typing on a portal. # This works as a workaround for homeservers that do not support presence, and allows @@ -235,7 +238,7 @@ bridge: login_shared_secret_map: {{ matrix_mautrix_whatsapp_bridge_login_shared_secret_map|to_json }} # Should the bridge explicitly set the avatar and room name for private chat portal rooms? # This is implicitly enabled in encrypted rooms. - private_chat_portal_meta: false + private_chat_portal_meta: default # Should group members be synced in parallel? This makes member sync faster parallel_member_sync: false # Should Matrix m.notice-type messages be bridged? @@ -273,10 +276,6 @@ bridge: # Whether or not created rooms should have federation enabled. # If false, created portal rooms will never be federated. federate_rooms: {{ matrix_mautrix_whatsapp_federate_rooms|to_json }} - # Whether to enable disappearing messages in groups. If enabled, then the expiration time of - # the messages will be determined by the first user to read the message, rather than individually. - # If the bridge only has a single user, this can be turned on safely. - disappearing_messages_in_groups: false # Should the bridge never send alerts to the bridge management room? # These are mostly things like the user being logged out. disable_bridge_alerts: false 
@@ -290,11 +289,15 @@ bridge: # Send captions in the same message as images. This will send data compatible with both MSC2530 and MSC3552. # This is currently not supported in most clients. caption_in_message: false + # Send galleries as a single event? This is not an MSC (yet). + beeper_galleries: false # Should polls be sent using MSC3381 event types? extev_polls: false - # Should Matrix edits be bridged to WhatsApp edits? - # Official WhatsApp clients don't render edits yet, but once they do, the bridge should work with them right away. - send_whatsapp_edits: false + # Should cross-chat replies from WhatsApp be bridged? Most servers and clients don't support this. + cross_room_replies: false + # Disable generating reply fallbacks? Some extremely bad clients still rely on them, + # but they're being phased out and will be completely removed in the future. + disable_reply_fallbacks: false # Maximum time for handling Matrix events. Duration strings formatted for https://pkg.go.dev/time#ParseDuration # Null means there's no enforced timeout. message_handling_timeout: 
@@ -338,7 +341,30 @@ bridge: # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. # You must use a client that supports requesting keys from other users to use this feature. allow_key_sharing: {{ matrix_mautrix_whatsapp_bridge_encryption_key_sharing_allow|to_json }} - # What level of device verification should be required from users? + # Should users mentions be in the event wire content to enable the server to send push notifications? + plaintext_mentions: false + # Options for deleting megolm sessions from the bridge. + delete_keys: + # Beeper-specific: delete outbound sessions when hungryserv confirms + # that the user has uploaded the key to key backup. + delete_outbound_on_ack: false + # Don't store outbound sessions in the inbound table. + dont_store_outbound: false + # Ratchet megolm sessions forward after decrypting messages. + ratchet_on_decrypt: false + # Delete fully used keys (index >= max_messages) after decrypting messages. + delete_fully_used_on_decrypt: false + # Delete previous megolm sessions from same device when receiving a new one. + delete_prev_on_new_session: false + # Delete megolm sessions received from a device when the device is deleted. + delete_on_device_delete: false + # Periodically delete megolm sessions when 2x max_age has passed since receiving the session. + periodically_delete_expired: false + # Delete inbound megolm sessions that don't have the received_at field used for + # automatic ratcheting and expired session deletion. This is meant as a migration + # to delete old keys prior to the bridge update. + delete_outdated_inbound: false + # What level of device verification should be required from users? # # Valid levels: # unverified - Send keys to all device in the room. 
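Review bot: The `delete_keys` block is hardcoded with every option `false`, which is the safe default for message availability but means the bridge keeps every inbound and outbound megolm session in its database indefinitely. `delete_on_device_delete` and `periodically_delete_expired` exist to shrink that key store, which limits what someone with access to the bridge database could decrypt; consider exposing the block as `delete_keys: {{ matrix_mautrix_whatsapp_bridge_encryption_delete_keys | to_json }}` with the current values as the default, instead of leaving operators to `matrix_mautrix_whatsapp_configuration_extension_yaml`. `plaintext_mentions: false` is the right default — per its own comment, enabling it places mention data in the unencrypted wire content — and a why-comment such as `# Kept false: true leaks mentioned user IDs outside the encrypted payload` would stop it being flipped for push-notification convenience. The `encryption:` mapping this belongs to starts before the hunk.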
@@ -373,6 +399,10 @@ bridge: # default. messages: 100 + # Disable rotating keys when a user's devices change? + # You should not enable this option unless you understand all the implications. + disable_device_change_key_rotation: false + # Settings for provisioning API provisioning: # Prefix for the provisioning API paths. From 193d20013fe20596b40ed1117d8ac851162f44fa Mon Sep 17 00:00:00 2001 From: needo37 Date: Thu, 8 Feb 2024 09:16:29 +0000 Subject: [PATCH 097/118] Update Signal config.yaml.j2 Not sure why but the endraw is not working. --- .../matrix-bridge-mautrix-signal/templates/config.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index 182e43eb1..0dd496aa8 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2 @@ -101,7 +101,7 @@ bridge: # {{.UUID}} - The UUID of the Signal user. # {{.AboutEmoji}} - The emoji set by the user in their profile. # {% endraw %} - displayname_template: {% raw %}'{{or .ProfileName .PhoneNumber "Unknown user"}}'{% endraw %} + displayname_template: "{{ '{{or .ProfileName .PhoneNumber "Unknown user"}} (Signal)' }}" # Whether to explicitly set the avatar and room name for private chat portal rooms. # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms. # If set to `always`, all DM rooms will have explicit names and avatars set. From f3c69562fae30e67fdbc690a02c52e38bdff09e1 Mon Sep 17 00:00:00 2001 
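Review bot: `disable_device_change_key_rotation: false` is hardcoded and that is the correct choice — rotating the megolm session when a user's device list changes is presumably what prevents a removed device from continuing to decrypt the current session, so this should not quietly become yet another overridable playbook variable. A one-line comment stating why it is pinned, e.g. `# Deliberately not templated: disabling rotation lets devices removed from a user's list keep reading the current session`, protects it from a future "expose everything as a variable" sweep. The `encryption:` section this belongs to starts outside the hunk.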
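Review bot: As shown, `displayname_template: "{{ '{{or .ProfileName .PhoneNumber "Unknown user"}} (Signal)' }}"` renders to a YAML double-quoted scalar that contains unescaped double quotes around `Unknown user`, which terminates the scalar early and should make the bridge fail to parse its config at startup (unless the page extraction dropped backslash escapes from the original). The previous revision's single-quoted YAML form avoided this; a variant that keeps the ` (Signal)` suffix and survives YAML is `displayname_template: {{ "'{{or .ProfileName .PhoneNumber \"Unknown user\"}} (Signal)'" }}`, which renders as a single-quoted YAML string. Independently of quoting, with no profile name the Signal phone number becomes the display name shown to everyone in the portal room, which is worth a comment above the key.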
From: Slavi Pantaleev Date: Thu, 8 Feb 2024 11:46:59 +0200 Subject: [PATCH 098/118] Use devture_postgres_container_network for all rust-synapse-compress-state tasks Using `matrix_synapse_container_network` for this task may have worked before, when everything was in the same `matrix` network, but not anymore. Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3165 --- .../tasks/rust-synapse-compress-state/compress_room.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml b/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml index 7f5e05666..07fdbd1b1 100644 --- a/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml +++ b/roles/custom/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml @@ -9,7 +9,7 @@ {{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-rust-synapse-compress-state-compress-room --user={{ matrix_synapse_uid }}:{{ matrix_synapse_gid }} --cap-drop=ALL - --network={{ matrix_synapse_container_network }} + --network={{ devture_postgres_container_network }} --mount type=bind,src={{ matrix_synapse_rust_synapse_compress_state_base_path }},dst=/work {{ matrix_synapse_rust_synapse_compress_state_docker_image }} {{ matrix_synapse_rust_synapse_compress_state_synapse_compress_state_in_container_path }} -t -o /work/state-compressor.sql From e9a2b91da6ce9523089ab835b95f1806f27311da Mon Sep 17 00:00:00 2001 
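Review bot: `--network={{ devture_postgres_container_network }}` assumes the playbook-managed Postgres is in use; with an external database that variable is presumably empty or undefined, which either renders a bare `--network=` that `docker run` rejects or aborts templating outright, where the old `matrix_synapse_container_network` always had a value. Guard the task with the flag that enables the managed Postgres (something like `when: devture_postgres_enabled | bool`) or fall back in the command, e.g. `--network={{ devture_postgres_container_network if devture_postgres_enabled else matrix_synapse_container_network }}`. The `--cap-drop=ALL` and `--user` hardening on the surrounding lines is good; the `docker run` command continues past the hunk, so how the database credentials reach the container is not visible here.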
From: Slavi Pantaleev Date: Thu, 8 Feb 2024 12:42:59 +0200 Subject: [PATCH 099/118] Enable federation API labels if the federation port is enabled `matrix_synapse_federation_port_enabled` is defined like this: ``` matrix_synapse_federation_port_enabled: "{{ matrix_synapse_federation_enabled or matrix_synapse_federation_port_openid_resource_required }}" ``` Previously, people that disabled federation, but needed the `openid` listener were running without these federation-related labels. In this patch, we're also dropping the `not matrix_synapse_workers_enabled` condition, because.. none of the Matrix-related labels would be applied anyway when workers are enabled, thanks to `matrix_synapse_container_labels_matrix_related_labels_enabled`. Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3127 --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index cbb8d2196..5067a1432 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml 
@@ -253,7 +253,7 @@ matrix_synapse_container_labels_public_client_synapse_admin_api_traefik_tls_cert
 # Controls whether labels will be added that expose the Server-Server API (Federation API).
 # Regardless of whether this is enabled, it may or may not take effect due to the value of other variables.
 # See `matrix_synapse_container_labels_traefik_enabled` or `matrix_synapse_container_labels_matrix_related_labels_enabled`
-matrix_synapse_container_labels_public_federation_api_enabled: "{{ matrix_synapse_federation_enabled and matrix_synapse_federation_port_enabled and not matrix_synapse_workers_enabled }}"
+matrix_synapse_container_labels_public_federation_api_enabled: "{{ matrix_synapse_federation_port_enabled }}"
 matrix_synapse_container_labels_public_federation_api_traefik_hostname: "{{ matrix_synapse_container_labels_traefik_hostname }}"
 matrix_synapse_container_labels_public_federation_api_traefik_path_prefix: /_matrix
 matrix_synapse_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_synapse_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_container_labels_public_federation_api_traefik_path_prefix }}`)"
From 41ca1a1d964e4dd5889b847003611ea95a2151b8 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 8 Feb 2024 16:39:29 +0200
Subject: [PATCH 100/118] Upgrade synapse-admin (0.9.0 -> 0.9.1)
---
 roles/custom/matrix-synapse-admin/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-synapse-admin/defaults/main.yml b/roles/custom/matrix-synapse-admin/defaults/main.yml
index a23416134..c69e66be2 100644
--- a/roles/custom/matrix-synapse-admin/defaults/main.yml
+++ b/roles/custom/matrix-synapse-admin/defaults/main.yml
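Review bot: The new condition drops `matrix_synapse_federation_enabled`, so the `/_matrix` PathPrefix router on the federation entrypoint is now created for deployments that disabled federation but still need the `openid` listener, yet the comment above still only says the labels "may or may not take effect" and nothing records that this widening is intentional. Put the rationale next to the variable, e.g. `# Tied to the federation port (not to federation itself) so that federation-disabled setups that only expose the openid resource still get a route (see matrix_synapse_federation_port_openid_resource_required).` Whether the broad `/_matrix` prefix exposes more than `/_matrix/federation/v1/openid/userinfo` in that configuration depends on which resources the Synapse listener serves on that port when federation is off — not visible here, so confirm it is only `openid` before relying on the router being harmless.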
@@ -12,7 +12,7 @@ matrix_synapse_admin_container_image_self_build: false matrix_synapse_admin_container_image_self_build_repo: "https://github.com/Awesome-Technologies/synapse-admin.git" # renovate: datasource=docker depName=awesometechnologies/synapse-admin -matrix_synapse_admin_version: 0.9.0 +matrix_synapse_admin_version: 0.9.1 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" From 2096d13bbddf7b9da29827bc0e127e93603c3a3f Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Thu, 8 Feb 2024 21:17:12 +0200 Subject: [PATCH 101/118] fix buscarron old vars --- roles/custom/matrix-bot-buscarron/templates/env.j2 | 3 --- 1 file changed, 3 deletions(-) diff --git a/roles/custom/matrix-bot-buscarron/templates/env.j2 b/roles/custom/matrix-bot-buscarron/templates/env.j2 index ea3f8c21f..acfe99eba 100644 --- a/roles/custom/matrix-bot-buscarron/templates/env.j2 +++ b/roles/custom/matrix-bot-buscarron/templates/env.j2 @@ -4,9 +4,6 @@ BUSCARRON_HOMESERVER={{ matrix_bot_buscarron_homeserver }} BUSCARRON_DB_DSN={{ matrix_bot_buscarron_database_connection_string }} BUSCARRON_DB_DIALECT={{ matrix_bot_buscarron_database_dialect }} BUSCARRON_SPAMLIST={{ matrix_bot_buscarron_spamlist|join(" ") }} -BUSCARRON_SPAM_HOSTS={{ matrix_bot_buscarron_spam_hosts|join(" ") }} -BUSCARRON_SPAM_EMAILS={{ matrix_bot_buscarron_spam_emails|join(" ") }} -BUSCARRON_SPAM_LOCALPARTS={{ matrix_bot_buscarron_spam_localparts|join(" ") }} BUSCARRON_SENTRY={{ matrix_bot_buscarron_sentry }} BUSCARRON_LOGLEVEL={{ matrix_bot_buscarron_loglevel }} BUSCARRON_BAN_SIZE={{ matrix_bot_buscarron_ban_size }} 
From 68d4e04f4f2e7eb05e43d6c6a76c1f7d633fd4bf Mon Sep 17 00:00:00 2001 From: Nikolai Raitsev Date: Fri, 9 Feb 2024 14:17:16 +0100 Subject: [PATCH 102/118] allow to configure whatsapp polls via extev_polls parameter. --- roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml | 2 ++ .../matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 4011ff40c..9919a3071 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -25,6 +25,8 @@ matrix_mautrix_whatsapp_homeserver_address: "" matrix_mautrix_whatsapp_homeserver_domain: "{{ matrix_domain }}" matrix_mautrix_whatsapp_appservice_address: "http://matrix-mautrix-whatsapp:8080" +matrix_mautrix_whatsapp_extev_polls: false + matrix_mautrix_whatsapp_command_prefix: "!wa" matrix_mautrix_whatsapp_container_network: "" diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 index 80e0f683a..d543ddd15 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 @@ -292,7 +292,7 @@ bridge: # Send galleries as a single event? This is not an MSC (yet). beeper_galleries: false # Should polls be sent using MSC3381 event types? - extev_polls: false + extev_polls: {{ matrix_mautrix_whatsapp_extev_polls }} # Should cross-chat replies from WhatsApp be bridged? Most servers and clients don't support this. cross_room_replies: false # Disable generating reply fallbacks? Some extremely bad clients still rely on them, From 1bfafa70045d96ab959b8948587c3c5608539ef7 Mon Sep 17 00:00:00 2001 
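Review bot: The new `matrix_mautrix_whatsapp_extev_polls: false` default in defaults/main.yml carries no comment, so its purpose can only be learned from the `# Should polls be sent using MSC3381 event types?` comment in config.yaml.j2 where it is consumed. Suggest preceding the default with `# Controls whether polls are bridged using MSC3381 event types (extev_polls in the bridge config).`. The config.yaml.j2 hunk of the same commit needs no further documentation.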
From: Slavi Pantaleev Date: Fri, 9 Feb 2024 16:42:48 +0200 Subject: [PATCH 103/118] Use to_json for matrix_mautrix_whatsapp_extev_polls --- .../matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 index d543ddd15..cbaef5921 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 @@ -292,7 +292,7 @@ bridge: # Send galleries as a single event? This is not an MSC (yet). beeper_galleries: false # Should polls be sent using MSC3381 event types? - extev_polls: {{ matrix_mautrix_whatsapp_extev_polls }} + extev_polls: {{ matrix_mautrix_whatsapp_extev_polls | to_json }} # Should cross-chat replies from WhatsApp be bridged? Most servers and clients don't support this. cross_room_replies: false # Disable generating reply fallbacks? Some extremely bad clients still rely on them, From 89288cce0e624adc6ae6c5ed8d2469c53a8bcd85 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 9 Feb 2024 21:13:33 +0000 Subject: [PATCH 104/118] Update gnuxie/draupnir Docker tag to v1.86.2 --- roles/custom/matrix-bot-draupnir/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-draupnir/defaults/main.yml b/roles/custom/matrix-bot-draupnir/defaults/main.yml index 3a4bdc250..e2a7ca9cb 100644 --- a/roles/custom/matrix-bot-draupnir/defaults/main.yml +++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml 
@@ -5,7 +5,7 @@ matrix_bot_draupnir_enabled: true # renovate: datasource=docker depName=gnuxie/draupnir -matrix_bot_draupnir_version: "v1.86.1" +matrix_bot_draupnir_version: "v1.86.2" matrix_bot_draupnir_container_image_self_build: false matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git" From 2d4b96e0c5a904857bc440d0a4d49fcade11fa8f Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sat, 10 Feb 2024 01:50:50 +0000 Subject: [PATCH 105/118] Update turt2live/matrix-media-repo Docker tag to v1.3.4 --- roles/custom/matrix-media-repo/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-media-repo/defaults/main.yml b/roles/custom/matrix-media-repo/defaults/main.yml index 0fa520e72..b931943c0 100755 --- a/roles/custom/matrix-media-repo/defaults/main.yml +++ b/roles/custom/matrix-media-repo/defaults/main.yml @@ -19,7 +19,7 @@ matrix_media_repo_docker_image_path: "turt2live/matrix-media-repo" matrix_media_repo_docker_image: "{{ matrix_media_repo_docker_image_name_prefix }}{{ matrix_media_repo_docker_image_path }}:{{ matrix_media_repo_docker_image_tag }}" matrix_media_repo_docker_image_name_prefix: "{{ 'localhost/' if matrix_media_repo_container_image_self_build else matrix_container_global_registry_prefix }}" # renovate: datasource=docker depName=turt2live/matrix-media-repo -matrix_media_repo_docker_image_tag: "v1.3.3" +matrix_media_repo_docker_image_tag: "v1.3.4" matrix_media_repo_docker_image_force_pull: "{{ matrix_media_repo_docker_image.endswith(':latest') }}" matrix_media_repo_base_path: "{{ matrix_base_data_path }}/{{ matrix_media_repo_identifier }}" From 05e1fa3546ec597abdc7da398bd4d80145fd53fe Mon Sep 17 00:00:00 2001 
From: Antoine-Ali Zarrouk <3798576+sidewinder94@users.noreply.github.com> Date: Sat, 10 Feb 2024 10:18:46 +0100 Subject: [PATCH 106/118] Update SRV delegation docs The path rule was not working because for federation to work it needs several endpoints. Two of them are not under /_matrix/federation : - /_matrix/key - /_matrix/media --- docs/howto-srv-server-delegation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/howto-srv-server-delegation.md b/docs/howto-srv-server-delegation.md index a5c1990de..ba45a1c09 100644 --- a/docs/howto-srv-server-delegation.md +++ b/docs/howto-srv-server-delegation.md @@ -27,7 +27,7 @@ Also, all instructions below are from an older version of the playbook and may n ```yaml # To serve the federation from any domain, as long as the path matches -matrix_synapse_container_labels_public_federation_api_traefik_rule: PathPrefix(`/_matrix/federation`) +matrix_synapse_container_labels_public_federation_api_traefik_rule: PathPrefix(`/_matrix/`) ``` This is because with SRV federation, some servers / tools (one of which being the federation tester) try to access the federation API using the resolved IP address instead of the domain name (or they are not using SNI). This change will make Traefik route all traffic for which the path match this rule go to the federation endpoint. From e2ab3396348e431cbd2421d3e6cf36773f230510 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 11 Feb 2024 00:58:31 +0000 Subject: [PATCH 107/118] Update joseluisq/static-web-server Docker tag to v2.26.0 --- roles/custom/matrix-cactus-comments-client/defaults/main.yml | 2 +- roles/custom/matrix-static-files/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-cactus-comments-client/defaults/main.yml b/roles/custom/matrix-cactus-comments-client/defaults/main.yml index 66662aad6..20532c8db 100644 
--- a/roles/custom/matrix-cactus-comments-client/defaults/main.yml +++ b/roles/custom/matrix-cactus-comments-client/defaults/main.yml @@ -13,7 +13,7 @@ matrix_cactus_comments_client_public_path: "{{ matrix_cactus_comments_client_bas matrix_cactus_comments_client_public_path_file_permissions: "0644" # renovate: datasource=docker depName=joseluisq/static-web-server -matrix_cactus_comments_client_version: 2.25.0 +matrix_cactus_comments_client_version: 2.26.0 matrix_cactus_comments_client_container_image: "{{ matrix_container_global_registry_prefix }}joseluisq/static-web-server:{{ matrix_cactus_comments_client_container_image_tag }}" matrix_cactus_comments_client_container_image_tag: "{{ 'latest' if matrix_cactus_comments_client_version == 'latest' else (matrix_cactus_comments_client_version + '-alpine') }}" diff --git a/roles/custom/matrix-static-files/defaults/main.yml b/roles/custom/matrix-static-files/defaults/main.yml index 045004f46..9b3864d78 100644 --- a/roles/custom/matrix-static-files/defaults/main.yml +++ b/roles/custom/matrix-static-files/defaults/main.yml @@ -8,7 +8,7 @@ matrix_static_files_enabled: true matrix_static_files_identifier: matrix-static-files # renovate: datasource=docker depName=joseluisq/static-web-server -matrix_static_files_version: 2.25.0 +matrix_static_files_version: 2.26.0 matrix_static_files_base_path: "{{ matrix_base_data_path }}/{{ 'static-files' if matrix_static_files_identifier == 'matrix-static-files' else matrix_static_files_identifier }}" matrix_static_files_config_path: "{{ matrix_static_files_base_path }}/config" From cf9388c546dacfc322c28791c62312bc27f2911d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 11 Feb 2024 09:03:48 +0200 Subject: [PATCH 108/118] Make base domain root path redirect regex configurable --- roles/custom/matrix-static-files/defaults/main.yml | 1 + roles/custom/matrix-static-files/templates/labels.j2 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) 
diff --git a/roles/custom/matrix-static-files/defaults/main.yml b/roles/custom/matrix-static-files/defaults/main.yml index 9b3864d78..39fd06750 100644 --- a/roles/custom/matrix-static-files/defaults/main.yml +++ b/roles/custom/matrix-static-files/defaults/main.yml @@ -83,6 +83,7 @@ matrix_static_files_container_labels_base_domain_traefik_tls: "{{ matrix_static_ matrix_static_files_container_labels_base_domain_traefik_tls_certResolver: "{{ matrix_static_files_container_labels_traefik_tls_certResolver }}" # noqa var-naming # Controls whether the root path (/) at the base domain would respond with a redirect to some URL. matrix_static_files_container_labels_base_domain_root_path_redirection_enabled: false +matrix_static_files_container_labels_base_domain_root_path_redirection_regex: "^https://{{ matrix_static_files_container_labels_base_domain_traefik_hostname }}{{ matrix_static_files_container_labels_base_domain_traefik_path_prefix }}$" matrix_static_files_container_labels_base_domain_root_path_redirection_url: "" # matrix_static_files_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. diff --git a/roles/custom/matrix-static-files/templates/labels.j2 b/roles/custom/matrix-static-files/templates/labels.j2 index 46fc49490..dd3cad544 100644 --- a/roles/custom/matrix-static-files/templates/labels.j2 +++ b/roles/custom/matrix-static-files/templates/labels.j2 
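Review bot: The new `matrix_static_files_container_labels_base_domain_root_path_redirection_regex` default embeds `matrix_static_files_container_labels_base_domain_traefik_hostname` in a Traefik `redirectregex` pattern unescaped, so each dot in the hostname matches any character; the inline template this replaces had the same property, but now that the pattern is a standalone variable the fix is local: `^https://{{ matrix_static_files_container_labels_base_domain_traefik_hostname | regex_escape }}{{ matrix_static_files_container_labels_base_domain_traefik_path_prefix }}$`. The variable is also added without a comment, while `..._redirection_enabled` directly above it has one; suggest `# Regex (Traefik redirectregex syntax) that the full request URL must match for the root-path redirect to apply.`. The labels.j2 hunk in this commit only substitutes the variable and needs nothing further.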
@@ -59,7 +59,7 @@ traefik.http.routers.{{ matrix_static_files_identifier }}-well-known.tls.certRes {% set middlewares = [] %} {% if matrix_static_files_container_labels_base_domain_root_path_redirection_enabled %} -traefik.http.middlewares.{{ matrix_static_files_identifier }}-root-path-redirect.redirectregex.regex=^https://{{ matrix_static_files_container_labels_base_domain_traefik_hostname }}{{ matrix_static_files_container_labels_base_domain_traefik_path_prefix }}$ +traefik.http.middlewares.{{ matrix_static_files_identifier }}-root-path-redirect.redirectregex.regex={{ matrix_static_files_container_labels_base_domain_root_path_redirection_regex }} traefik.http.middlewares.{{ matrix_static_files_identifier }}-root-path-redirect.redirectregex.replacement={{ matrix_static_files_container_labels_base_domain_root_path_redirection_url }} {% set middlewares = middlewares + [matrix_static_files_identifier + '-root-path-redirect'] %} {% endif %} From ce9a8d3a2c00cd3307fa07516ca024c34423141d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 11 Feb 2024 09:07:32 +0200 Subject: [PATCH 109/118] Rename base domain root path redirect middleware to improve consistency --- roles/custom/matrix-static-files/templates/labels.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/custom/matrix-static-files/templates/labels.j2 b/roles/custom/matrix-static-files/templates/labels.j2 index dd3cad544..e9fcf1945 100644 --- a/roles/custom/matrix-static-files/templates/labels.j2 +++ b/roles/custom/matrix-static-files/templates/labels.j2 
@@ -59,9 +59,9 @@ traefik.http.routers.{{ matrix_static_files_identifier }}-well-known.tls.certRes {% set middlewares = [] %} {% if matrix_static_files_container_labels_base_domain_root_path_redirection_enabled %} -traefik.http.middlewares.{{ matrix_static_files_identifier }}-root-path-redirect.redirectregex.regex={{ matrix_static_files_container_labels_base_domain_root_path_redirection_regex }} -traefik.http.middlewares.{{ matrix_static_files_identifier }}-root-path-redirect.redirectregex.replacement={{ matrix_static_files_container_labels_base_domain_root_path_redirection_url }} -{% set middlewares = middlewares + [matrix_static_files_identifier + '-root-path-redirect'] %} +traefik.http.middlewares.{{ matrix_static_files_identifier }}-base-domain-root-path-redirect.redirectregex.regex={{ matrix_static_files_container_labels_base_domain_root_path_redirection_regex }} +traefik.http.middlewares.{{ matrix_static_files_identifier }}-base-domain-root-path-redirect.redirectregex.replacement={{ matrix_static_files_container_labels_base_domain_root_path_redirection_url }} +{% set middlewares = middlewares + [matrix_static_files_identifier + '-base-domain-root-path-redirect'] %} {% endif %} traefik.http.routers.{{ matrix_static_files_identifier }}-base-domain.rule={{ matrix_static_files_container_labels_base_domain_traefik_rule }} From cf9ca9e602afaf05e4dc2ea38db59ade333d1c85 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 11 Feb 2024 19:45:35 +0000 Subject: [PATCH 110/118] Update registry.gitlab.com/etke.cc/postmoogle Docker tag to v0.9.17 --- roles/custom/matrix-bot-postmoogle/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-postmoogle/defaults/main.yml b/roles/custom/matrix-bot-postmoogle/defaults/main.yml index fc7d9749a..9d3556a0c 100644 --- a/roles/custom/matrix-bot-postmoogle/defaults/main.yml 
+++ b/roles/custom/matrix-bot-postmoogle/defaults/main.yml @@ -10,7 +10,7 @@ matrix_bot_postmoogle_docker_repo_version: "{{ 'main' if matrix_bot_postmoogle_v matrix_bot_postmoogle_docker_src_files_path: "{{ matrix_base_data_path }}/postmoogle/docker-src" # renovate: datasource=docker depName=registry.gitlab.com/etke.cc/postmoogle -matrix_bot_postmoogle_version: v0.9.16 +matrix_bot_postmoogle_version: v0.9.17 matrix_bot_postmoogle_docker_image: "{{ matrix_bot_postmoogle_docker_image_name_prefix }}etke.cc/postmoogle:{{ matrix_bot_postmoogle_version }}" matrix_bot_postmoogle_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_postmoogle_container_image_self_build else 'registry.gitlab.com/' }}" matrix_bot_postmoogle_docker_image_force_pull: "{{ matrix_bot_postmoogle_docker_image.endswith(':latest') }}" From 1aafb58d00410ea482fee0273aa1005b7db2f383 Mon Sep 17 00:00:00 2001 From: Catalan Lover <48515417+FSG-Cat@users.noreply.github.com> Date: Sun, 11 Feb 2024 23:28:45 +0100 Subject: [PATCH 111/118] Update container-images.md to mention Draupnir Adds a Draupnir mention to the list and as for why we pull from Gnuxie its because that is the official source of docker images as Draupnir used to be Gnuxie/Draupnir before it moved to The Draupnir Project. --- docs/container-images.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/container-images.md b/docs/container-images.md index 6a0157ad7..787a10506 100644 --- a/docs/container-images.md +++ b/docs/container-images.md 
@@ -108,6 +108,8 @@ These services are not part of our default installation, but can be enabled by [ - [matrixdotorg/mjolnir](https://hub.docker.com/r/matrixdotorg/mjolnir) - the [mjolnir](https://github.com/matrix-org/mjolnir) moderation bot (optional) +- [gnuxie/draupnir](https://hub.docker.com/r/gnuxie/draupnir) - the [Draupnir](https://github.com/the-draupnir-project/Draupnir/) moderation bot (optional) + - [awesometechnologies/synapse-admin](https://hub.docker.com/r/awesometechnologies/synapse-admin) - the [synapse-admin](https://github.com/Awesome-Technologies/synapse-admin) web UI tool for administrating users and rooms on your Matrix server (optional) - [prom/prometheus](https://hub.docker.com/r/prom/prometheus/) - [Prometheus](https://github.com/prometheus/prometheus/) is a systems and service monitoring system From a27464a5469d34058b23f16cb13bd0b67fbac56a Mon Sep 17 00:00:00 2001 From: chagai95 <31655082+chagai95@users.noreply.github.com> Date: Mon, 12 Feb 2024 16:35:48 +0100 Subject: [PATCH 112/118] Update CHANGELOG.md (#3181) * Update CHANGELOG.md * Update CHANGELOG.md --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d96326a17..d8ebdd0ed 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -207,7 +207,7 @@ As mentioned above, static files like `/.well-known/matrix/*` or your base domai All of this has been extracted into a new `matrix-static-files` Ansible role that's part of the playbook. The static files generated by this new role still live at roughly the same place (`/matrix/static-files/public` directory, instead of `/matrix/static-files`). -The playbook will migrate and update the files automatically. It will also warn you about usage of old variable names, so you can adapt to the new names. +The playbook will migrate and update the `/.well-known/matrix/*` files automatically but not your own files in `nginx-proxy/data/matrix-domain/` you will need to back these up yourself otherwise they will be lost. It will also warn you about usage of old variable names, so you can adapt to the new names. ### A note on performance From 2bc6dcf4f3cfad75315aef8fc085c5b3bf3cc6f2 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 12 Feb 2024 18:56:15 +0000 Subject: [PATCH 113/118] Update dependency traefik to v2.11.0-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 3c51ab86e..2ed436791 100644 --- a/requirements.yml +++ b/requirements.yml @@ -67,7 +67,7 @@ version: v1.0.0-0 name: timesync - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: v2.10.7-0 + version: v2.11.0-0 name: traefik - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: v2.8.3-1 From 4242f4f7cd4aa4b6684cde220130a8f6040f5962 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 13 Feb 2024 03:02:42 +0000 Subject: [PATCH 114/118] Update joseluisq/static-web-server Docker tag to v2.27.0 --- roles/custom/matrix-cactus-comments-client/defaults/main.yml | 2 +- roles/custom/matrix-static-files/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-cactus-comments-client/defaults/main.yml b/roles/custom/matrix-cactus-comments-client/defaults/main.yml index 20532c8db..ef318b716 100644 --- a/roles/custom/matrix-cactus-comments-client/defaults/main.yml +++ b/roles/custom/matrix-cactus-comments-client/defaults/main.yml @@ -13,7 +13,7 @@ matrix_cactus_comments_client_public_path: "{{ matrix_cactus_comments_client_bas matrix_cactus_comments_client_public_path_file_permissions: "0644" # renovate: datasource=docker depName=joseluisq/static-web-server -matrix_cactus_comments_client_version: 2.26.0 +matrix_cactus_comments_client_version: 2.27.0 matrix_cactus_comments_client_container_image: "{{ matrix_container_global_registry_prefix }}joseluisq/static-web-server:{{ matrix_cactus_comments_client_container_image_tag }}" matrix_cactus_comments_client_container_image_tag: "{{ 'latest' if matrix_cactus_comments_client_version == 'latest' else (matrix_cactus_comments_client_version + '-alpine') }}" diff --git a/roles/custom/matrix-static-files/defaults/main.yml b/roles/custom/matrix-static-files/defaults/main.yml index 39fd06750..e76c383b2 100644 --- a/roles/custom/matrix-static-files/defaults/main.yml +++ b/roles/custom/matrix-static-files/defaults/main.yml 
@@ -8,7 +8,7 @@ matrix_static_files_enabled: true matrix_static_files_identifier: matrix-static-files # renovate: datasource=docker depName=joseluisq/static-web-server -matrix_static_files_version: 2.26.0 +matrix_static_files_version: 2.27.0 matrix_static_files_base_path: "{{ matrix_base_data_path }}/{{ 'static-files' if matrix_static_files_identifier == 'matrix-static-files' else matrix_static_files_identifier }}" matrix_static_files_config_path: "{{ matrix_static_files_base_path }}/config" From 1e9f472077e361e2fbfe6a2ac4b7693d43ad2040 Mon Sep 17 00:00:00 2001 From: Array in a Matrix Date: Mon, 12 Feb 2024 23:10:50 -0500 Subject: [PATCH 115/118] Add missing link to synapse config docs --- docs/configuring-playbook-synapse-admin.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-synapse-admin.md b/docs/configuring-playbook-synapse-admin.md index bb89b1660..1e3e8980e 100644 --- a/docs/configuring-playbook-synapse-admin.md +++ b/docs/configuring-playbook-synapse-admin.md 
@@ -17,7 +17,7 @@ matrix_synapse_admin_enabled: true **Note**: Synapse Admin requires Synapse's [Admin APIs](https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/index.html) to function. Access to them is restricted with a valid access token, so exposing them publicly should not be a real security concern. Still, for additional security, we normally leave them unexposed, following [official Synapse reverse-proxying recommendations](https://github.com/element-hq/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints). Because Synapse Admin needs these APIs to function, when installing Synapse Admin, the playbook **automatically** exposes the Synapse Admin API publicly for you. Depending on the homeserver implementation you're using (Synapse, Dendrite), this is equivalent to: -- for Synapse (our default homeserver implementation): `matrix_synapse_container_labels_public_client_synapse_admin_api_enabled: true` +- for [Synapse](./configuring-playbook-synapse.md) (our default homeserver implementation): `matrix_synapse_container_labels_public_client_synapse_admin_api_enabled: true` - for [Dendrite](./configuring-playbook-dendrite.md): `matrix_dendrite_container_labels_public_client_synapse_admin_api_enabled: true` From a381fa4b212e75d02664563dacd97baeb7e0780c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 13 Feb 2024 14:56:42 +0200 Subject: [PATCH 116/118] Upgrade Synapse (v1.100.0 -> v1.101.0) --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 5067a1432..13e16b360 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml 
@@ -16,7 +16,7 @@ matrix_synapse_enabled: true matrix_synapse_github_org_and_repo: element-hq/synapse # renovate: datasource=docker depName=ghcr.io/element-hq/synapse -matrix_synapse_version: v1.100.0 +matrix_synapse_version: v1.101.0 matrix_synapse_username: '' matrix_synapse_uid: '' From 60fbcebd597f10654d3c3bbc943380a3d2ff021d Mon Sep 17 00:00:00 2001 From: Tupsi Date: Tue, 13 Feb 2024 17:42:09 +0100 Subject: [PATCH 117/118] Update configuring-playbook-bot-maubot.md works in encrypted rooms now, so I removed the notion that it does not. --- docs/configuring-playbook-bot-maubot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bot-maubot.md b/docs/configuring-playbook-bot-maubot.md index 11ab1cce2..bf2b1d14b 100644 --- a/docs/configuring-playbook-bot-maubot.md +++ b/docs/configuring-playbook-bot-maubot.md @@ -55,4 +55,4 @@ Choose a strong password for the bot. You can generate a good password with a co ## Obtaining an admin access token This can be done via `mbc login` then `mbc auth` (see the [maubot documentation](https://docs.mau.fi/maubot/usage/cli/auth.html)). To run these commands you'll need to open the bot docker container with `docker exec -it matrix-bot-maubot sh` -Alternatively, use Element or curl to [obtain an access token](obtaining-access-tokens.md). However these two methods won't allow the bot to work in encrypted rooms. +Alternatively, use Element or curl to [obtain an access token](obtaining-access-tokens.md). From d9940bd8074b84619f9443c6539d05a399879923 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 13 Feb 2024 19:06:14 +0200 Subject: [PATCH 118/118] Upgrade Element (v1.11.57 -> v1.11.58) --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 934bf885a..cc65b6402 100644 
--- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml @@ -11,7 +11,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" # renovate: datasource=docker depName=vectorim/element-web -matrix_client_element_version: v1.11.57 +matrix_client_element_version: v1.11.58 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"