diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml index abca55ae2..579ab7192 100644 --- a/.github/workflows/matrix.yml +++ b/.github/workflows/matrix.yml @@ -13,7 +13,7 @@ jobs: - name: Check out uses: actions/checkout@v3 - name: Run yamllint - uses: frenck/action-yamllint@v1.4.0 + uses: frenck/action-yamllint@v1.4.1 ansible-lint: name: ansible-lint runs-on: ubuntu-latest diff --git a/CHANGELOG.md b/CHANGELOG.md index d78a36bba..4ab63e73b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,6 +6,20 @@ The matrix registration bot got some updates and supports password-based login. **For existing users** You need to set `matrix_bot_matrix_registration_bot_bot_password`. If previously only used `matrix_bot_matrix_registration_bot_bot_access_token` this was also used as `matrix_bot_matrix_registration_bot_api_token`. You now need to define the `api_token` explicitly while the `bot_access_token` is depreacted. You can therefore rename `matrix_bot_matrix_registration_bot_bot_access_token` -> `matrix_bot_matrix_registration_bot_api_token`. +# 2023-05-25 + +## Enabling `forget_rooms_on_leave` by default for Synapse + +With the [Synapse v1.84.0 update](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2698), we've also **changed the default value** of the `forget_rooms_on_leave` setting of Synapse to a value of `true`. +This way, **when you leave a room, Synapse will now forget it automatically**. + +The upstream Synapse default is `false` (disabled), so that you must forget rooms manually after leaving. + +**We go against the upstream default** ([somewhat controversially](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2700)) in an effort to make Synapse leaner and potentially do what we believe most users would expect their homeserver to be doing. + +If you'd like to go back to the old behavior, add the following to your configuration: `matrix_synapse_forget_rooms_on_leave: false` + + # 2023-04-03 ## The matrix-jitsi role lives independently now diff --git a/docs/configuring-playbook-bot-chatgpt.md b/docs/configuring-playbook-bot-chatgpt.md index 7a006816d..fa7972cae 100644 --- a/docs/configuring-playbook-bot-chatgpt.md +++ b/docs/configuring-playbook-bot-chatgpt.md 
@@ -20,10 +20,12 @@ ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.chatgpt ``` -## 2. Get an access token +## 2. Get an access token and create encryption keys Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md). +To make sure the bot can read encrypted messages, it will need an encryption key, just like any other new user. While obtaining the access token, follow the prompts to setup a backup key. More information can be found in the [element documentation](https://element.io/help#encryption6). + ## 3. Adjusting the playbook configuration diff --git a/docs/configuring-playbook-bot-honoroit.md b/docs/configuring-playbook-bot-honoroit.md index 42f31d49a..2a711fb83 100644 --- a/docs/configuring-playbook-bot-honoroit.md +++ b/docs/configuring-playbook-bot-honoroit.md @@ -14,6 +14,10 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars. ```yaml matrix_bot_honoroit_enabled: true +# Uncomment and adjust if you'd like to change the hostname or path +# matrix_bot_honoroit_hostname: "{{ matrix_server_fqn_matrix }}" +# matrix_bot_honoroit_path_prefix: /honoroit + # Uncomment and adjust this part if you'd like to use a username different than the default # matrix_bot_honoroit_login: honoroit diff --git a/docs/configuring-playbook-bot-postmoogle.md b/docs/configuring-playbook-bot-postmoogle.md index 0fa366935..b66285a51 100644 --- a/docs/configuring-playbook-bot-postmoogle.md +++ b/docs/configuring-playbook-bot-postmoogle.md 
@@ -4,12 +4,26 @@ The playbook can install and configure [Postmoogle](https://gitlab.com/etke.cc/postmoogle) for you. -It's a bot/bridge you can use to forward emails to Matrix rooms +It's a bot/bridge you can use to forward emails to Matrix rooms. +Postmoogle runs an SMTP email server and allows you to assign mailbox addresses to Matrix rooms. See the project's [documentation](https://gitlab.com/etke.cc/postmoogle) to learn what it does and why it might be useful to you. +## Prerequisites -## Adjusting the playbook configuration +### Networking + +Open the following ports on your server to be able to receive incoming emails: + + - `25/tcp`: SMTP + - `587/tcp`: Submission (TLS-encrypted SMTP) + +If you don't open these ports, you will still be able to send emails, but not receive any. + +These port numbers are configurable via the `matrix_bot_postmoogle_smtp_host_bind_port` and `matrix_bot_postmoogle_submission_host_bind_port` variables, but other email servers will try to deliver on these default (standard) ports, so changing them is of little use. + + +### Adjusting the playbook configuration Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: @@ -21,9 +35,20 @@ matrix_bot_postmoogle_enabled: true # Generate a strong password here. Consider generating it with `pwgen -s 64 1` matrix_bot_postmoogle_password: PASSWORD_FOR_THE_BOT + +# Uncomment to add one or more admins to this bridge: +# +# matrix_bot_postmoogle_admins: +# - '@yourAdminAccount:domain.com' +# +# .. unless you've made yourself an admin of all bridges like this: +# +# matrix_admin: '@yourAdminAccount:domain.com' ``` -You will also need to add several DNS records so that postmoogle can send emails. +### DNS + +You will also need to add several DNS records so that Postmoogle can send emails. See [Configuring DNS](configuring-dns.md). 
@@ -51,3 +76,13 @@ Then send `!pm mailbox NAME` to expose this Matrix room as an inbox with the ema Send `!pm help` to the room to see the bot's help menu for additional commands. You can also refer to the upstream [documentation](https://gitlab.com/etke.cc/postmoogle). + +### Debug/Logs + +As with all other services, you can find their logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by running something like `journalctl -fu matrix-bot-postmoogle` + +The default logging level for this bridge is `INFO`, but you can increase it to `DEBUG` with the following additional configuration: + +```yaml +matrix_bot_postmoogle_loglevel: 'DEBUG' +``` diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 3d8c5b0d0..f276a554d 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -160,7 +160,7 @@ devture_traefik_additional_entrypoints_auto: # # trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY'] ``` -For an example where the playbook's Traefik reverse-proxy is fronted by [Nginx](https://nginx.org/) running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md). +For an example where the playbook's Traefik reverse-proxy is fronted by another reverse-proxy running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md) or [Caddy reverse-proxy fronting the playbook's Traefik](../examples/caddy2/README.md). ### Using no reverse-proxy on the Matrix side at all diff --git a/examples/caddy2/Caddyfile b/examples/caddy2/Caddyfile index 43005ca41..2ffcea520 100644 --- a/examples/caddy2/Caddyfile +++ b/examples/caddy2/Caddyfile 
@@ -1,112 +1,10 @@ -(cors) { - @cors_preflight method OPTIONS - - handle @cors_preflight { - header Access-Control-Allow-Origin "{args.0}" - header Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE" - header Access-Control-Allow-Headers "Content-Type, Authorization" - header Access-Control-Max-Age "3600" - } -} - - -matrix.DOMAIN.tld { - - # creates letsencrypt certificate - # tls your@email.com - - @identity { - path /_matrix/identity/* - } - - @noidentity { - not path /_matrix/identity/* - } - - @search { - path /_matrix/client/r0/user_directory/search/* - } - - @nosearch { - not path /_matrix/client/r0/user_directory/search/* - } - - @static { - path /matrix/static-files/* - } - - @nostatic { - not path /matrix/static-files/* - } - - @wellknown { - path /.well-known/matrix/* - } - - header { - # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS - Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" - # Enable cross-site filter (XSS) and tell browser to block detected attacks - X-XSS-Protection "1; mode=block" - # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type - X-Content-Type-Options "nosniff" - # Disallow the site to be rendered within a frame (clickjacking protection) - X-Frame-Options "DENY" - # X-Robots-Tag - X-Robots-Tag "noindex, noarchive, nofollow" - } - - # Cache - header @static { - # Cache - Cache-Control "public, max-age=31536000" - defer - } - - # identity - handle @identity { - reverse_proxy localhost:8090 { - header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} - header_up X-Forwarded-TlsProto {tls_protocol} - header_up X-Forwarded-TlsCipher {tls_cipher} - header_up X-Forwarded-HttpsProto {proto} - } - } - - # search - handle @search { - reverse_proxy localhost:8090 { - header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} - header_up 
X-Forwarded-TlsProto {tls_protocol} - header_up X-Forwarded-TlsCipher {tls_cipher} - header_up X-Forwarded-HttpsProto {proto} - } - } - - handle @wellknown { - encode zstd gzip - root * /matrix/static-files - header Cache-Control max-age=14400 - header Content-Type application/json - header Access-Control-Allow-Origin * - file_server - } - - # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the base domain - #handle @wellknown { - # # .well-known is handled by base domain - # reverse_proxy https://DOMAIN.tld { - # header_up Host {http.reverse_proxy.upstream.hostport} - #} +matrix.example.tld { handle { encode zstd gzip - reverse_proxy localhost:8008 { + reverse_proxy localhost:81 { header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} header_up X-Forwarded-TlsProto {tls_protocol} header_up X-Forwarded-TlsCipher {tls_cipher} header_up X-Forwarded-HttpsProto {proto} @@ -114,13 +12,12 @@ matrix.DOMAIN.tld { } } -matrix.DOMAIN.tld:8448 { +matrix.example.tld:8448 { handle { encode zstd gzip - reverse_proxy 127.0.0.1:8048 { + reverse_proxy 127.0.0.1:8449 { header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} header_up X-Forwarded-TlsProto {tls_protocol} header_up X-Forwarded-TlsCipher {tls_cipher} header_up X-Forwarded-HttpsProto {proto} 
@@ -128,142 +25,16 @@ matrix.DOMAIN.tld:8448 { } } -element.DOMAIN.tld { - # creates letsencrypt certificate - # tls your@email.com - - import cors https://*.DOMAIN.tld - - header { - # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS - Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" - # Enable cross-site filter (XSS) and tell browser to block detected attacks - X-XSS-Protection "1; mode=block" - # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type - X-Content-Type-Options "nosniff" - # Disallow the site to be rendered within a frame (clickjacking protection) - X-Frame-Options "DENY" - # If using integrations that add frames to Element, such as Dimension and its integrations running on the same domain, it can be a good idea to limit sources allowed to be rendered - # Content-Security-Policy frame-src https://*.DOMAIN.tld - # X-Robots-Tag - X-Robots-Tag "noindex, noarchive, nofollow" - } - - handle { - encode zstd gzip +example.tld { +# Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server + @wellknown { + path /.well-known/matrix/* + } - reverse_proxy localhost:8765 { - header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} - header_up X-Forwarded-TlsProto {tls_protocol} - header_up X-Forwarded-TlsCipher {tls_cipher} - header_up X-Forwarded-HttpsProto {proto} + handle @wellknown { + reverse_proxy https://matrix.example.tld { + header_up Host {http.reverse_proxy.upstream.hostport} } + } } - -#dimension.DOMAIN.tld { -# -# # creates letsencrypt certificate -# # tls your@email.com -# -# import cors 
https://*.DOMAIN.tld -# -# header { -# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS -# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" -# # Enable cross-site filter (XSS) and tell browser to block detected attacks -# X-XSS-Protection "1; mode=block" -# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type -# X-Content-Type-Options "nosniff" -# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain (clickjacking protection) -# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld -# # X-Robots-Tag -# X-Robots-Tag "noindex, noarchive, nofollow" -# } -# -# handle { -# encode zstd gzip -# -# reverse_proxy localhost:8184 { -# header_up X-Forwarded-Port {http.request.port} -# header_up X-Forwarded-Proto {http.request.scheme} -# header_up X-Forwarded-TlsProto {tls_protocol} -# header_up X-Forwarded-TlsCipher {tls_cipher} -# header_up X-Forwarded-HttpsProto {proto} -# } -# } -#} - - -#jitsi.DOMAIN.tld { -# -# creates letsencrypt certificate -# tls your@email.com -# -# import cors https://*.DOMAIN.tld -# -# header { -# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS -# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" -# -# # Enable cross-site filter (XSS) and tell browser to block detected attacks -# X-XSS-Protection "1; mode=block" -# -# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type -# X-Content-Type-Options "nosniff" - -# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain -# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld -# -# # Disable some features -# Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 
'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'" -# -# # Referer -# Referrer-Policy "no-referrer" -# -# # X-Robots-Tag -# X-Robots-Tag "none" -# -# # Remove Server header -# -Server -# } -# -# handle { -# encode zstd gzip -# -# reverse_proxy 127.0.0.1:13080 { -# header_up X-Forwarded-Port {http.request.port} -# header_up X-Forwarded-Proto {http.request.scheme} -# header_up X-Forwarded-TlsProto {tls_protocol} -# header_up X-Forwarded-TlsCipher {tls_cipher} -# header_up X-Forwarded-HttpsProto {proto} -# } -# } -#} -#DOMAIN.com { -# Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server -# @wellknown { -# path /.well-known/matrix/* -# } -# -# handle @wellknown { -# reverse_proxy https://matrix.DOMAIN.com { -# header_up Host {http.reverse_proxy.upstream.hostport} -# } -# } -# # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the matrix subdomain -# # handle /.well-known/* { -# # encode zstd gzip -# # header Cache-Control max-age=14400 -# # header Content-Type application/json -# # header Access-Control-Allow-Origin * -# #} -# -# # Configration for the base domain goes here -# # handle { -# # header -Server -# # encode zstd gzip -# # reverse_proxy localhost:4020 -# # } -#} diff --git a/examples/caddy2/Caddyfile.deprecated b/examples/caddy2/Caddyfile.deprecated new file mode 100644 index 000000000..43005ca41 --- /dev/null +++ b/examples/caddy2/Caddyfile.deprecated 
@@ -0,0 +1,269 @@ +(cors) { + @cors_preflight method OPTIONS + + handle @cors_preflight { + header Access-Control-Allow-Origin "{args.0}" + header Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE" + header Access-Control-Allow-Headers "Content-Type, Authorization" + header Access-Control-Max-Age "3600" + } +} + + +matrix.DOMAIN.tld { + + # creates letsencrypt certificate + # tls your@email.com + + @identity { + path /_matrix/identity/* + } + + @noidentity { + not path /_matrix/identity/* + } + + @search { + path /_matrix/client/r0/user_directory/search/* + } + + @nosearch { + not path /_matrix/client/r0/user_directory/search/* + } + + @static { + path /matrix/static-files/* + } + + @nostatic { + not path /matrix/static-files/* + } + + @wellknown { + path /.well-known/matrix/* + } + + header { + # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS + Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + # Enable cross-site filter (XSS) and tell browser to block detected attacks + X-XSS-Protection "1; mode=block" + # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type + X-Content-Type-Options "nosniff" + # Disallow the site to be rendered within a frame (clickjacking protection) + X-Frame-Options "DENY" + # X-Robots-Tag + X-Robots-Tag "noindex, noarchive, nofollow" + } + + # Cache + header @static { + # Cache + Cache-Control "public, max-age=31536000" + defer + } + + # identity + handle @identity { + reverse_proxy localhost:8090 { + header_up X-Forwarded-Port {http.request.port} + header_up X-Forwarded-Proto {http.request.scheme} + header_up X-Forwarded-TlsProto {tls_protocol} + header_up X-Forwarded-TlsCipher {tls_cipher} + header_up X-Forwarded-HttpsProto {proto} + } + } + + # search + handle @search { + reverse_proxy localhost:8090 { + header_up X-Forwarded-Port {http.request.port} + header_up X-Forwarded-Proto {http.request.scheme} + header_up 
X-Forwarded-TlsProto {tls_protocol} + header_up X-Forwarded-TlsCipher {tls_cipher} + header_up X-Forwarded-HttpsProto {proto} + } + } + + handle @wellknown { + encode zstd gzip + root * /matrix/static-files + header Cache-Control max-age=14400 + header Content-Type application/json + header Access-Control-Allow-Origin * + file_server + } + + # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the base domain + #handle @wellknown { + # # .well-known is handled by base domain + # reverse_proxy https://DOMAIN.tld { + # header_up Host {http.reverse_proxy.upstream.hostport} + #} + + handle { + encode zstd gzip + + reverse_proxy localhost:8008 { + header_up X-Forwarded-Port {http.request.port} + header_up X-Forwarded-Proto {http.request.scheme} + header_up X-Forwarded-TlsProto {tls_protocol} + header_up X-Forwarded-TlsCipher {tls_cipher} + header_up X-Forwarded-HttpsProto {proto} + } + } +} + +matrix.DOMAIN.tld:8448 { + handle { + encode zstd gzip + + reverse_proxy 127.0.0.1:8048 { + header_up X-Forwarded-Port {http.request.port} + header_up X-Forwarded-Proto {http.request.scheme} + header_up X-Forwarded-TlsProto {tls_protocol} + header_up X-Forwarded-TlsCipher {tls_cipher} + header_up X-Forwarded-HttpsProto {proto} + } + } +} + +element.DOMAIN.tld { + + # creates letsencrypt certificate + # tls your@email.com + + import cors https://*.DOMAIN.tld + + header { + # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS + Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + # Enable cross-site filter (XSS) and tell browser to block detected attacks + X-XSS-Protection "1; mode=block" + # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type + X-Content-Type-Options "nosniff" + # Disallow the site to be rendered within a frame (clickjacking protection) + X-Frame-Options "DENY" + # If 
using integrations that add frames to Element, such as Dimension and its integrations running on the same domain, it can be a good idea to limit sources allowed to be rendered + # Content-Security-Policy frame-src https://*.DOMAIN.tld + # X-Robots-Tag + X-Robots-Tag "noindex, noarchive, nofollow" + } + + handle { + encode zstd gzip + + reverse_proxy localhost:8765 { + header_up X-Forwarded-Port {http.request.port} + header_up X-Forwarded-Proto {http.request.scheme} + header_up X-Forwarded-TlsProto {tls_protocol} + header_up X-Forwarded-TlsCipher {tls_cipher} + header_up X-Forwarded-HttpsProto {proto} + } +} + +#dimension.DOMAIN.tld { +# +# # creates letsencrypt certificate +# # tls your@email.com +# +# import cors https://*.DOMAIN.tld +# +# header { +# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS +# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" +# # Enable cross-site filter (XSS) and tell browser to block detected attacks +# X-XSS-Protection "1; mode=block" +# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type +# X-Content-Type-Options "nosniff" +# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain (clickjacking protection) +# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld +# # X-Robots-Tag +# X-Robots-Tag "noindex, noarchive, nofollow" +# } +# +# handle { +# encode zstd gzip +# +# reverse_proxy localhost:8184 { +# header_up X-Forwarded-Port {http.request.port} +# header_up X-Forwarded-Proto {http.request.scheme} +# header_up X-Forwarded-TlsProto {tls_protocol} +# header_up X-Forwarded-TlsCipher {tls_cipher} +# header_up X-Forwarded-HttpsProto {proto} +# } +# } +#} + + +#jitsi.DOMAIN.tld { +# +# creates letsencrypt certificate +# tls your@email.com +# +# import cors https://*.DOMAIN.tld +# +# header { +# # Enable HTTP Strict Transport Security 
(HSTS) to force clients to always connect via HTTPS +# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" +# +# # Enable cross-site filter (XSS) and tell browser to block detected attacks +# X-XSS-Protection "1; mode=block" +# +# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type +# X-Content-Type-Options "nosniff" + +# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain +# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld +# +# # Disable some features +# Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'" +# +# # Referer +# Referrer-Policy "no-referrer" +# +# # X-Robots-Tag +# X-Robots-Tag "none" +# +# # Remove Server header +# -Server +# } +# +# handle { +# encode zstd gzip +# +# reverse_proxy 127.0.0.1:13080 { +# header_up X-Forwarded-Port {http.request.port} +# header_up X-Forwarded-Proto {http.request.scheme} +# header_up X-Forwarded-TlsProto {tls_protocol} +# header_up X-Forwarded-TlsCipher {tls_cipher} +# header_up X-Forwarded-HttpsProto {proto} +# } +# } +#} +#DOMAIN.com { +# Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server +# @wellknown { +# path /.well-known/matrix/* +# } +# +# handle @wellknown { +# reverse_proxy https://matrix.DOMAIN.com { +# header_up Host {http.reverse_proxy.upstream.hostport} 
+# } +# } +# # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the matrix subdomain +# # handle /.well-known/* { +# # encode zstd gzip +# # header Cache-Control max-age=14400 +# # header Content-Type application/json +# # header Access-Control-Allow-Origin * +# #} +# +# # Configration for the base domain goes here +# # handle { +# # header -Server +# # encode zstd gzip +# # reverse_proxy localhost:4020 +# # } +#} diff --git a/examples/caddy2/README.md b/examples/caddy2/README.md index fe8d57637..d4bfb4755 100644 --- a/examples/caddy2/README.md +++ b/examples/caddy2/README.md 
@@ -1,12 +1,20 @@ -# Caddyfile +# Caddy reverse-proxy fronting the playbook's integrated Traefik reverse-proxy -This directory contains sample files that show you how to do reverse-proxying using Caddy2. +This directory contains a sample config that shows you how to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with your own [Caddy](https://caddyserver.com/) reverse-proxy. -## Config -| Variable | Function | -| ------------------ | -------- | -| tls your@email.com | Specify an email address for your [ACME account](https://caddyserver.com/docs/caddyfile/directives/tls) (but if only one email is used for all sites, we recommend the email [global option](https://caddyserver.com/docs/caddyfile/options) instead) | -| tls | To enable [tls](https://caddyserver.com/docs/caddyfile/directives/tls) support uncomment the lines for tls | -| Dimension | To enable Dimension support uncomment the lines for Dimension and set your data | -| Jitsi | To enable Jitsi support uncomment the lines for Jitsi and set your data | +## Prerequisite configuration + +To get started, first follow the [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instructions and update your playbook's configuration (`inventory/host_vars/matrix./vars.yml`). + + +## Using the Caddyfile + +You can either just use the [Caddyfile](Caddyfile) directly or append its content to your own Caddyfile. +In both cases make sure to replace all the `example.tld` domains with your own domain. + +This example does not include additional services like element, but you should be able copy the first block and replace the matrix subdomain with the additional services subdomain. I have not tested this though. 
+ +# Caddyfile.deprecated + +This can be used as a [Caddy](https://caddyserver.com/) reverse-proxy without intermediary playbook managed reverse proxy. However, this setup is not supported by the playbook anymore. Instead [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) as described above. diff --git a/examples/nginx/README.md b/examples/nginx/README.md index 11fca299e..d8698ba6b 100644 --- a/examples/nginx/README.md +++ b/examples/nginx/README.md @@ -1,6 +1,6 @@ # Nginx reverse-proxy fronting the playbook's integrated Traefik reverse-proxy -This directory contains a sample config that shows you how use the [nginx](https://nginx.org/) webserver to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with another reverse-proxy. +This directory contains a sample config that shows you how to use the [nginx](https://nginx.org/) webserver to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with another reverse-proxy. ## Prerequisite configuration diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 704c27b2a..a17e968b2 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -210,25 +210,25 @@ devture_systemd_service_manager_services_list_auto: | {{ ([{'name': (backup_borg_identifier + '.timer'), 'priority': 5000, 'groups': ['matrix', 'backup', 'borg']}] if backup_borg_enabled else []) + - ([{'name': 'matrix-bot-buscarron.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'buscarron']}] if matrix_bot_buscarron_enabled else []) + ([{'name': 'matrix-bot-buscarron.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'buscarron', 'bot-buscarron']}] if matrix_bot_buscarron_enabled else []) + - ([{'name': 'matrix-bot-go-neb.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'go-neb']}] if matrix_bot_go_neb_enabled else []) + ([{'name': 'matrix-bot-go-neb.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'go-neb', 'bot-go-neb']}] if matrix_bot_go_neb_enabled else []) + - ([{'name': 'matrix-bot-honoroit.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'honoroit']}] if matrix_bot_honoroit_enabled else []) + ([{'name': 'matrix-bot-honoroit.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'honoroit', 'bot-honoroit']}] if matrix_bot_honoroit_enabled else []) + - ([{'name': 'matrix-bot-matrix-registration-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'registration-bot']}] if matrix_bot_matrix_registration_bot_enabled else []) + ([{'name': 'matrix-bot-matrix-registration-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'registration-bot', 'bot-matrix-registration-bot']}] if matrix_bot_matrix_registration_bot_enabled else []) + - ([{'name': 'matrix-bot-matrix-reminder-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'reminder-bot']}] if matrix_bot_matrix_reminder_bot_enabled else []) + ([{'name': 'matrix-bot-matrix-reminder-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'reminder-bot', 'bot-matrix-reminder-bot']}] if matrix_bot_matrix_reminder_bot_enabled else []) + - ([{'name': 'matrix-bot-maubot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 
'maubot']}] if matrix_bot_maubot_enabled else []) + ([{'name': 'matrix-bot-maubot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'maubot', 'bot-maubot']}] if matrix_bot_maubot_enabled else []) + - ([{'name': 'matrix-bot-mjolnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'mjolnir']}] if matrix_bot_mjolnir_enabled else []) + ([{'name': 'matrix-bot-mjolnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'mjolnir', 'bot-mjolnir']}] if matrix_bot_mjolnir_enabled else []) + - ([{'name': 'matrix-bot-draupnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'draupnir']}] if matrix_bot_draupnir_enabled else []) + ([{'name': 'matrix-bot-draupnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'draupnir', 'bot-draupnir']}] if matrix_bot_draupnir_enabled else []) + - ([{'name': 'matrix-bot-postmoogle.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'postmoogle']}] if matrix_bot_postmoogle_enabled else []) + ([{'name': 'matrix-bot-postmoogle.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'postmoogle', 'bot-postmoogle']}] if matrix_bot_postmoogle_enabled else []) + - ([{'name': 'matrix-bot-chatgpt.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'chatgpt']}] if matrix_bot_chatgpt_enabled else []) + ([{'name': 'matrix-bot-chatgpt.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'chatgpt', 'bot-chatgpt']}] if matrix_bot_chatgpt_enabled else []) + ([{'name': 'matrix-appservice-discord.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'appservice-discord']}] if matrix_appservice_discord_enabled else []) + 
@@ -1653,8 +1653,15 @@ matrix_bot_maubot_database_password: "{{ '%s' | format(matrix_homeserver_generic # We don't enable bots by default. matrix_bot_honoroit_enabled: false + matrix_bot_honoroit_hostname: "{{ matrix_server_fqn_matrix }}" +matrix_bot_honoroit_path_prefix: /honoroit + +# For consistency with other things hosted at the matrix FQN, we adjust the metrics endpoint +# so that metrics would be served at `/metrics/SERVICE_NAME`, and not at the default path for the role (`PREFIX/metrics`). +matrix_bot_honoroit_container_labels_traefik_metrics_path: /metrics/honoroit + matrix_bot_honoroit_systemd_required_services_list: | {{ ['docker.service'] diff --git a/requirements.yml b/requirements.yml index 536e7e417..3c2572ab3 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1,7 +1,7 @@ --- - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git - version: v1.0.0-0 + version: v1.0.0-1 name: aux - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git version: v1.2.4-1.7.13-0 @@ -26,7 +26,7 @@ - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git version: v1.0.0-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: v2.9.10-2 + version: v2.10.1-1 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: v2.8.1-0 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git 
@@ -40,13 +40,14 @@ version: v8615-0 name: jitsi - src: git+https://gitlab.com/etke.cc/roles/ntfy.git - version: v2.4.0-0 + version: v2.5.0-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git version: v2.44.0-0 name: prometheus - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git - version: v1.5.0-7 -- src: git+https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter.git + version: v1.6.0-0 +- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git version: v0.12.0-0 + name: prometheus_postgres_exporter - src: git+https://gitlab.com/etke.cc/roles/redis.git version: v7.0.10-0 diff --git a/roles/custom/matrix-bot-chatgpt/defaults/main.yml b/roles/custom/matrix-bot-chatgpt/defaults/main.yml index 36cc60c0e..00eae1676 100644 --- a/roles/custom/matrix-bot-chatgpt/defaults/main.yml +++ b/roles/custom/matrix-bot-chatgpt/defaults/main.yml @@ -4,7 +4,7 @@ matrix_bot_chatgpt_enabled: true -matrix_bot_chatgpt_version: 3.1.0 +matrix_bot_chatgpt_version: 3.1.2 matrix_bot_chatgpt_container_image_self_build: false matrix_bot_chatgpt_container_image_self_build_repo: "https://github.com/matrixgpt/matrix-chatgpt-bot" diff --git a/roles/custom/matrix-bot-draupnir/defaults/main.yml b/roles/custom/matrix-bot-draupnir/defaults/main.yml index 92abc7ab0..bd0e2defa 100644 --- a/roles/custom/matrix-bot-draupnir/defaults/main.yml +++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml @@ -4,7 +4,7 @@ matrix_bot_draupnir_enabled: true -matrix_bot_draupnir_version: "v1.80.1" +matrix_bot_draupnir_version: "v1.83.0" matrix_bot_draupnir_container_image_self_build: false matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/Gnuxie/Draupnir.git" diff --git a/roles/custom/matrix-bot-honoroit/defaults/main.yml b/roles/custom/matrix-bot-honoroit/defaults/main.yml index ea93d55f2..90ffa0c64 100644 --- a/roles/custom/matrix-bot-honoroit/defaults/main.yml 
+++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml @@ -56,8 +56,7 @@ matrix_bot_honoroit_container_labels_traefik_docker_network: "{{ matrix_bot_hono matrix_bot_honoroit_container_labels_traefik_hostname: "{{ matrix_bot_honoroit_hostname }}" # The path prefix must either be `/` or not end with a slash (e.g. `/honoroit`). matrix_bot_honoroit_container_labels_traefik_path_prefix: "{{ matrix_bot_honoroit_path_prefix }}" -matrix_bot_honoroit_container_labels_traefik_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`){% if matrix_bot_honoroit_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_bot_honoroit_container_labels_traefik_path_prefix }}`){% endif %}" -matrix_bot_honoroit_container_labels_traefik_metrics_path: "{{ matrix_bot_honoroit_metrics_path }}" +matrix_bot_honoroit_container_labels_traefik_metrics_path: "{{ '' if matrix_bot_honoroit_path_prefix == '/' else matrix_bot_honoroit_path_prefix }}{{ matrix_bot_honoroit_metrics_path }}" matrix_bot_honoroit_container_labels_traefik_metrics_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`) && Path(`{{ matrix_bot_honoroit_container_labels_traefik_metrics_path }}`)" matrix_bot_honoroit_container_labels_traefik_priority: 0 matrix_bot_honoroit_container_labels_traefik_entrypoints: web-secure diff --git a/roles/custom/matrix-bot-honoroit/templates/labels.j2 b/roles/custom/matrix-bot-honoroit/templates/labels.j2 index 7943e00f1..8e20ea459 100644 --- a/roles/custom/matrix-bot-honoroit/templates/labels.j2 +++ b/roles/custom/matrix-bot-honoroit/templates/labels.j2 
@@ -31,27 +31,12 @@ traefik.http.middlewares.matrix-bot-honoroit-auth.basicauth.users={{ lookup('ans {% set middlewares_metrics = middlewares + ['matrix-bot-honoroit-auth'] %} {% endif %} -traefik.http.routers.matrix-bot-honoroit.rule={{ matrix_bot_honoroit_container_labels_traefik_rule }} -{% if matrix_bot_honoroit_container_labels_traefik_priority | int > 0 %} -traefik.http.routers.matrix-bot-honoroit.priority={{ matrix_bot_honoroit_container_labels_traefik_priority }} -{% endif %} -traefik.http.routers.matrix-bot-honoroit.service=matrix-bot-honoroit -{% if middlewares | length > 0 %} -traefik.http.routers.matrix-bot-honoroit.middlewares={{ middlewares | join(',') }} -{% endif %} -traefik.http.routers.matrix-bot-honoroit.entrypoints={{ matrix_bot_honoroit_container_labels_traefik_entrypoints }} -traefik.http.routers.matrix-bot-honoroit.tls={{ matrix_bot_honoroit_container_labels_traefik_tls | to_json }} -{% if matrix_bot_honoroit_container_labels_traefik_tls %} -traefik.http.routers.matrix-bot-honoroit.tls.certResolver={{ matrix_bot_honoroit_container_labels_traefik_tls_certResolver }} -{% endif %} -traefik.http.services.matrix-bot-honoroit.loadbalancer.server.port=8080 - {% if middlewares_metrics | length > 0 %} traefik.http.routers.matrix-bot-honoroit-metrics.rule={{ matrix_bot_honoroit_container_labels_traefik_metrics_rule }} {% if matrix_bot_honoroit_container_labels_traefik_priority | int > 0 %} traefik.http.routers.matrix-bot-honoroit-metrics.priority={{ matrix_bot_honoroit_container_labels_traefik_priority }} {% endif %} -traefik.http.routers.matrix-bot-honoroit-metrics.service=matrix-bot-honoroit +traefik.http.routers.matrix-bot-honoroit-metrics.service=matrix-bot-honoroit-metrics traefik.http.routers.matrix-bot-honoroit-metrics.middlewares={{ middlewares_metrics | join(',') }} traefik.http.routers.matrix-bot-honoroit-metrics.entrypoints={{ matrix_bot_honoroit_container_labels_traefik_entrypoints }} traefik.http.routers.matrix-bot-honoroit-metrics.tls={{ 
matrix_bot_honoroit_container_labels_traefik_tls | to_json }} diff --git a/roles/custom/matrix-bot-postmoogle/defaults/main.yml b/roles/custom/matrix-bot-postmoogle/defaults/main.yml index 4eeb835be..0c9db2d70 100644 --- a/roles/custom/matrix-bot-postmoogle/defaults/main.yml +++ b/roles/custom/matrix-bot-postmoogle/defaults/main.yml @@ -81,10 +81,10 @@ matrix_bot_postmoogle_maxsize: '1024' # A list of admins # Example set of rules: # matrix_bot_postmoogle_admins: -# - @someone:example.com -# - @another:example.com -# - @bot.*:example.com -# - @*:another.com +# - '@someone:example.com' +# - '@another:example.com' +# - '@bot.*:example.com' +# - '@*:another.com' matrix_bot_postmoogle_admins: "{{ [matrix_admin] if matrix_admin else [] }}" # Sentry DSN. Deprecated, use matrix_bot_postmoogle_monitoring_sentry_dsn diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 18fc01525..247c542b7 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml @@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git" matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}" -matrix_hookshot_version: 4.0.0 +matrix_hookshot_version: 4.1.0 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}" matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}" diff --git a/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml b/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml index 576eb0079..05e5cb856 100644 --- a/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml 
+++ b/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml @@ -81,7 +81,7 @@ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} --cap-drop=ALL -v {{ matrix_hookshot_base_path }}/config.yml:/config.yml - {{ matrix_hookshot_docker_image }} node Config/Config.js /config.yml + {{ matrix_hookshot_docker_image }} node config/Config.js /config.yml register: hookshot_config_validation_result changed_when: false diff --git a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml index ba718a668..dcd9fdfa0 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -7,7 +7,7 @@ matrix_mautrix_facebook_enabled: true matrix_mautrix_facebook_container_image_self_build: false matrix_mautrix_facebook_container_image_self_build_repo: "https://mau.dev/mautrix/facebook.git" -matrix_mautrix_facebook_version: v0.4.1 +matrix_mautrix_facebook_version: v0.5.0 matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}mautrix/facebook:{{ matrix_mautrix_facebook_version }}" matrix_mautrix_facebook_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_facebook_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}" diff --git a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml index ef696fa80..2288fb776 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml 
@@ -8,7 +8,7 @@ matrix_mautrix_instagram_container_image_self_build: false matrix_mautrix_instagram_container_image_self_build_repo: "https://github.com/mautrix/instagram.git" matrix_mautrix_instagram_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_instagram_version == 'latest' else matrix_mautrix_instagram_version }}" -matrix_mautrix_instagram_version: v0.2.3 +matrix_mautrix_instagram_version: v0.3.0 # See: https://mau.dev/tulir/mautrix-instagram/container_registry matrix_mautrix_instagram_docker_image: "{{ matrix_mautrix_instagram_docker_image_name_prefix }}mautrix/instagram:{{ matrix_mautrix_instagram_version }}" matrix_mautrix_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_instagram_container_image_self_build else 'dock.mau.dev/' }}" diff --git a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml index f2b1048d0..ca9bab54a 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml @@ -9,7 +9,7 @@ matrix_mautrix_signal_docker_repo: "https://mau.dev/mautrix/signal.git" matrix_mautrix_signal_docker_repo_version: "{{ 'master' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}" matrix_mautrix_signal_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signal/docker-src" -matrix_mautrix_signal_version: v0.4.2 +matrix_mautrix_signal_version: v0.4.3 matrix_mautrix_signal_daemon_version: 0.23.2 # See: https://mau.dev/mautrix/signal/container_registry matrix_mautrix_signal_docker_image: "{{ matrix_mautrix_signal_docker_image_name_prefix }}mautrix/signal:{{ matrix_mautrix_signal_version }}" diff --git a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml index d6f44bbcb..c5b7b9a39 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml 
+++ b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -17,7 +17,7 @@ matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git" matrix_mautrix_telegram_docker_repo_version: "{{ 'master' if matrix_mautrix_telegram_version == 'latest' else matrix_mautrix_telegram_version }}" matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src" -matrix_mautrix_telegram_version: v0.13.0 +matrix_mautrix_telegram_version: v0.14.0 # See: https://mau.dev/mautrix/telegram/container_registry matrix_mautrix_telegram_docker_image: "{{ matrix_mautrix_telegram_docker_image_name_prefix }}mautrix/telegram:{{ matrix_mautrix_telegram_version }}" matrix_mautrix_telegram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_telegram_container_image_self_build else 'dock.mau.dev/' }}" diff --git a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml index cc11a69b3..55e8411b6 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mautrix_twitter_container_image_self_build: false matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/mautrix/twitter.git" matrix_mautrix_twitter_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_twitter_version == 'latest' else matrix_mautrix_twitter_version }}" -matrix_mautrix_twitter_version: v0.1.5 +matrix_mautrix_twitter_version: v0.1.6 # See: https://mau.dev/tulir/mautrix-twitter/container_registry matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_name_prefix }}mautrix/twitter:{{ matrix_mautrix_twitter_version }}" matrix_mautrix_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else 'dock.mau.dev/' }}" 
diff --git a/roles/custom/matrix-client-hydrogen/templates/config.json.j2 b/roles/custom/matrix-client-hydrogen/templates/config.json.j2 index e503c105b..519d22615 100644 --- a/roles/custom/matrix-client-hydrogen/templates/config.json.j2 +++ b/roles/custom/matrix-client-hydrogen/templates/config.json.j2 @@ -3,7 +3,7 @@ "defaultHomeServer": {{ matrix_client_hydrogen_default_hs_url | string | to_json }}, "bugReportEndpointUrl": {{ matrix_client_hydrogen_bugReportEndpointUrl | to_json }}, "themeManifests": [ - "{{ matrix_client_hydrogen_path_prefix }}assets/theme-element.json" + "{{ '' if matrix_client_hydrogen_path_prefix == '/' else matrix_client_hydrogen_path_prefix }}/assets/theme-element.json" ], "defaultTheme": { "light": "element-light", diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index f159e01b8..4376a960e 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -4,7 +4,7 @@ matrix_synapse_enabled: true -matrix_synapse_version: v1.83.0 +matrix_synapse_version: v1.84.1 matrix_synapse_username: '' matrix_synapse_uid: '' @@ -334,6 +334,11 @@ matrix_synapse_limit_profile_requests_to_users_who_share_rooms: false # Defaults to 'true'. matrix_synapse_include_profile_data_on_invite: true + +# User search behaviour +matrix_synapse_user_directory_search_all_users: false +matrix_synapse_user_directory_prefer_local_users: false + # Controls whether people with access to the homeserver can register by themselves. matrix_synapse_enable_registration: false # Controls whether people with access to the homeserver can register by themselves without verification (email/msisdn/token) 
@@ -928,6 +933,10 @@ matrix_synapse_room_list_publication_rules: matrix_synapse_default_room_version: "10" +# Controls whether leaving a room will automatically forget it. +# The upstream default is `false`, but we try to make Synapse less wasteful of resources, so we do things differently. +matrix_synapse_forget_rooms_on_leave: true + # Controls the Synapse `spam_checker` setting. # # If a spam-checker extension is enabled, this variable's value is set automatically by the playbook during runtime. diff --git a/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml b/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml index 359fe0316..68b8f37e3 100644 --- a/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml @@ -21,7 +21,7 @@ ansible.builtin.set_fact: worker: id: "stream-writer-{{ idx }}-{{ item.stream }}" - # Names must not include understores. Certain stream writer streams (to_device, account_data, ..) do, so we fix them up. + # Names must not include underscores. Certain stream writer streams (to_device, account_data, ..) do, so we fix them up. name: "matrix-synapse-worker-stream-writer-{{ idx }}-{{ item.stream | replace('_', '-') }}" type: 'stream_writer' app: "generic_worker" diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 63cdafeb0..f42f6e309 100644 --- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 
@@ -141,6 +141,10 @@ allow_public_rooms_over_federation: {{ matrix_synapse_allow_public_rooms_over_fe # default_room_version: {{ matrix_synapse_default_room_version|to_json }} +# Set to true to automatically forget rooms for users when they leave them, either +# normally or via a kick or ban. Defaults to false. +forget_rooms_on_leave: {{ matrix_synapse_forget_rooms_on_leave | to_json }} + # The GC threshold parameters to pass to `gc.set_threshold`, if defined # #gc_thresholds: [700, 10, 10] @@ -2626,7 +2630,7 @@ user_directory: # Uncomment to return search results containing all known users, even if that # user does not share a room with the requester. # - #search_all_users: true + search_all_users: {{ matrix_synapse_user_directory_search_all_users | to_json }} # Defines whether to prefer local users in search query results. # If True, local users are more likely to appear above remote users @@ -2635,7 +2639,7 @@ user_directory: # Uncomment to prefer local over remote users in user directory search # results. # - #prefer_local_users: true + prefer_local_users: {{ matrix_synapse_user_directory_prefer_local_users | to_json }} # User Consent configuration diff --git a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 index 578d91078..4a6a01b78 100644 --- a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 
@@ -23,7 +23,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \ --network={{ matrix_synapse_container_network }} \ - {% if matrix_synapse_worker_details.port != 0 %} + {% if matrix_synapse_worker_details.port != 0 and matrix_synapse_worker_details.webserving %} --health-cmd 'curl -fSs http://localhost:{{ matrix_synapse_worker_details.port }}/health || exit 1' \ {% else %} --no-healthcheck \
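Review bot: in the `devture_systemd_service_manager_services_list_auto` hunk, every bot entry now carries two selector names, the old bare group (`buscarron`, `go-neb`, `registration-bot`, `reminder-bot`, ...) and the new `bot-*` one, and the pair `registration-bot` / `bot-matrix-registration-bot` even follows two different naming schemes, yet nothing in the diff documents the new names or marks the old ones as deprecated. Add a comment above the list (or a CHANGELOG line) stating that `bot-<role-name>` is the canonical group and the bare names are kept only for compatibility, so the duplication reads as intentional and can be removed in a later release.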
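Review bot: the `requirements.yml` hunk moves the `prometheus_postgres_exporter` role from `gitlab.com/etke.cc` to `github.com/mother-of-all-self-hosting` while keeping the same `v0.12.0-0` tag; a git tag is a mutable pointer, so an unchanged version string does not prove unchanged content, and nothing in the diff records that the source repository changed. Before merging, confirm that `v0.12.0-0` in the new repository resolves to the same tree as in the old one, and consider pinning `version` to that commit hash (`ansible-galaxy` accepts a commit for git sources) or at least adding a CHANGELOG note so operators who mirror or audit role sources know the upstream moved. The `traefik` role bump from `v2.9.10-2` to `v2.10.1-1` is a minor-version upgrade of the reverse proxy in front of every service and deserves a CHANGELOG mention as well.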
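Review bot: in the honoroit `defaults/main.yml` hunk, the new `matrix_bot_honoroit_container_labels_traefik_metrics_path` expression reads `matrix_bot_honoroit_path_prefix` directly, while the line just above defines `matrix_bot_honoroit_container_labels_traefik_path_prefix: "{{ matrix_bot_honoroit_path_prefix }}"` as the label-level indirection for exactly that value, so overriding the `container_labels_traefik_path_prefix` variable will not be reflected in the metrics path. Use the label-level variable in the expression, e.g. `{{ '' if matrix_bot_honoroit_container_labels_traefik_path_prefix == '/' else matrix_bot_honoroit_container_labels_traefik_path_prefix }}{{ matrix_bot_honoroit_metrics_path }}`, and if nothing else in the role consumes `container_labels_traefik_path_prefix` now that the `_rule` default is gone, drop it together with the removed rule.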
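Review bot: in the `labels.j2` hunk the metrics router is repointed to `service=matrix-bot-honoroit-metrics`, but the only service definition visible in the template, `traefik.http.services.matrix-bot-honoroit.loadbalancer.server.port=8080`, is removed in the same hunk and no `traefik.http.services.matrix-bot-honoroit-metrics.loadbalancer.server.port=...` label appears anywhere in the diff; Traefik refuses a router whose service is undefined, so please confirm the new service label exists further down the template or add it. The removal of the general `matrix-bot-honoroit` router is welcome from an exposure standpoint, since port 8080 was previously reachable under `Host && PathPrefix` with only the plain `middlewares` list; what remains is the metrics router, emitted only when `middlewares_metrics` is non-empty, and in the visible lines that list is only assigned in the branch that defines the `matrix-bot-honoroit-auth` basicauth middleware. A short template comment saying that no route is created for the bot at all unless metrics basic auth is configured would make that read as intended rather than as an omission.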
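Review bot: the hookshot `setup_install.yml` hunk changes the validator command to `node config/Config.js /config.yml` unconditionally, and the same commit bumps `matrix_hookshot_version` from 4.0.0 to 4.1.0; the path is tied to the image's file layout, so an operator who pins `matrix_hookshot_version` to an older tag will see the config-validation task fail on a missing file rather than on a bad config. A comment next to the command naming the version it was written for, or a conditional that selects the old `Config/Config.js` path for older versions, would make that failure mode obvious. While here: the container runs with `--user` and `--cap-drop=ALL` but the bind mount is `-v {{ matrix_hookshot_base_path }}/config.yml:/config.yml` without `:ro`; a validator only reads the file, so mounting it read-only costs nothing and removes a write path.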
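Review bot: the hydrogen `config.json.j2` hunk fixes the missing slash for a non-root prefix (`/hydrogen` previously rendered `/hydrogenassets/theme-element.json`), but the new `'' if matrix_client_hydrogen_path_prefix == '/' else matrix_client_hydrogen_path_prefix` expression still yields `//assets/theme-element.json` for a prefix written as `/hydrogen/`; the honoroit defaults in this same commit carry the comment that the prefix must be `/` or must not end with a slash, and the hydrogen role shows no equivalent comment or validation. Either add that comment to the hydrogen defaults or normalise the value once, e.g. `{{ matrix_client_hydrogen_path_prefix | regex_replace('/$', '') }}/assets/theme-element.json`, which handles `/`, `/hydrogen` and `/hydrogen/` without the special case.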
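Review bot: in the `homeserver.yaml.j2` hunks for `user_directory`, `search_all_users` and `prefer_local_users` are now always rendered from `matrix_synapse_user_directory_search_all_users` and `matrix_synapse_user_directory_prefer_local_users`, but the comment lines directly above each key still say `# Uncomment to ...`, which no longer applies; update them to name the playbook variable instead. Keeping both defaults at `false` preserves the upstream behaviour, which matters because `search_all_users: true` makes every account on the homeserver discoverable by any local user regardless of shared rooms; a one-line note on that privacy trade-off next to the new `# User search behaviour` block in `defaults/main.yml` would help operators who flip it.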
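Review bot: the `matrix_synapse_forget_rooms_on_leave` default explains the resource motivation but not the user-visible effect that the template comment in the `homeserver.yaml.j2` hunk spells out, namely that rooms are forgotten "either normally or via a kick or ban", so a kicked or banned user also loses local access to the room's history. Copy that sentence into the defaults comment, and state the minimum Synapse version the option needs, since the same commit bumps `matrix_synapse_version` from v1.83.0 to v1.84.1 and operators who pin an older version will get no effect from the key.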
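Review bot: the worker service template condition `{% if matrix_synapse_worker_details.port != 0 and matrix_synapse_worker_details.webserving %}` assumes every worker dict carries a `webserving` key; Jinja's `and` short-circuits, so a worker with `port: 0` is safe, but any worker with a non-zero port and no `webserving` key will fail templating with an undefined-attribute error, and the `set_fact` in `workers/init.yml` touched by this commit does not show such a key in the visible lines. Either guarantee the key in `init.yml` or write `matrix_synapse_worker_details.webserving | default(false)`. Also add a comment explaining which workers have a port but are not web-serving, since those containers now get `--no-healthcheck` and lose their Docker health status, and the next reader will want to know why `/health` cannot be probed on them.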