From 98d8723694a75ae04de555b8abd57a1f7d732a44 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Wed, 17 May 2023 14:58:22 +0200 Subject: [PATCH 01/41] Move postgres-exporter repo --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 536e7e417..d4bea1c6d 100644 --- a/requirements.yml +++ b/requirements.yml @@ -46,7 +46,7 @@ name: prometheus - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git version: v1.5.0-7 -- src: git+https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter.git +- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git version: v0.12.0-0 - src: git+https://gitlab.com/etke.cc/roles/redis.git version: v7.0.10-0 From dc4b4d87d2f1fbd5197d8958ea13c548b2a82969 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 17 May 2023 14:55:47 +0000 Subject: [PATCH 02/41] Update mautrix-signal 0.4.2 -> 0.4.3 --- roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml index f2b1048d0..ca9bab54a 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml @@ -9,7 +9,7 @@ matrix_mautrix_signal_docker_repo: "https://mau.dev/mautrix/signal.git" matrix_mautrix_signal_docker_repo_version: "{{ 'master' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}" matrix_mautrix_signal_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signal/docker-src" -matrix_mautrix_signal_version: v0.4.2 +matrix_mautrix_signal_version: v0.4.3 matrix_mautrix_signal_daemon_version: 0.23.2 # See: https://mau.dev/mautrix/signal/container_registry matrix_mautrix_signal_docker_image: "{{ matrix_mautrix_signal_docker_image_name_prefix }}mautrix/signal:{{ matrix_mautrix_signal_version }}" From 017a7951051afe2be6c6b9a6298f6a45729d6879 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 17 May 2023 21:19:47 +0300 Subject: [PATCH 03/41] Upgrade aux (v1.0.0-0 -> v1.0.0-1) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 536e7e417..22a53638f 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1,7 +1,7 @@ --- - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git - version: v1.0.0-0 + version: v1.0.0-1 name: aux - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git version: v1.2.4-1.7.13-0 From c8dbb437b959c56ce8479f69bc0057e00209da17 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 17 May 2023 18:29:22 +0000 Subject: [PATCH 04/41] fix prometheus postgres exporter role name --- requirements.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/requirements.yml b/requirements.yml index cd36abd2f..57f4709f2 100644 --- a/requirements.yml +++ b/requirements.yml @@ -47,6 +47,7 @@ - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git version: v1.5.0-7 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git + name: prometheus_postgres_exporter version: v0.12.0-0 - src: git+https://gitlab.com/etke.cc/roles/redis.git version: v7.0.10-0 From 9d77950cd83175dff45845a43351eb1f2fe6dc8d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 18 May 2023 09:41:28 +0300 Subject: [PATCH 05/41] Adjust bot group names, so that they match the install/setup tags Previously `just install-service buscarron` would not fully work, because: - the systemd services were indeed tagged with `buscarron` - however, the actual installation tasks are not `install-buscarron`/`setup-buscarron`, but rather `install-bot-buscarron`/`setup-bot-buscarron` Services are now tagged with the `bot-` prefix to match the tags. --- group_vars/matrix_servers | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index f25c4b4e1..f89304f46 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -210,25 +210,25 @@ devture_systemd_service_manager_services_list_auto: | {{ ([{'name': (backup_borg_identifier + '.timer'), 'priority': 5000, 'groups': ['matrix', 'backup', 'borg']}] if backup_borg_enabled else []) + - ([{'name': 'matrix-bot-buscarron.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'buscarron']}] if matrix_bot_buscarron_enabled else []) + ([{'name': 'matrix-bot-buscarron.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'buscarron', 'bot-buscarron']}] if matrix_bot_buscarron_enabled else []) + - ([{'name': 'matrix-bot-go-neb.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'go-neb']}] if matrix_bot_go_neb_enabled else []) + ([{'name': 'matrix-bot-go-neb.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'go-neb', 'bot-go-neb']}] if matrix_bot_go_neb_enabled else []) + - ([{'name': 'matrix-bot-honoroit.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'honoroit']}] if matrix_bot_honoroit_enabled else []) + ([{'name': 'matrix-bot-honoroit.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'honoroit', 'bot-honoroit']}] if matrix_bot_honoroit_enabled else []) + - ([{'name': 'matrix-bot-matrix-registration-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'registration-bot']}] if matrix_bot_matrix_registration_bot_enabled else []) + ([{'name': 'matrix-bot-matrix-registration-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'registration-bot', 'bot-matrix-registration-bot']}] if matrix_bot_matrix_registration_bot_enabled else []) + - ([{'name': 'matrix-bot-matrix-reminder-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'reminder-bot']}] if matrix_bot_matrix_reminder_bot_enabled else []) + ([{'name': 'matrix-bot-matrix-reminder-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'reminder-bot', 'bot-matrix-reminder-bot']}] if matrix_bot_matrix_reminder_bot_enabled else []) + - ([{'name': 'matrix-bot-maubot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'maubot']}] if matrix_bot_maubot_enabled else []) + ([{'name': 'matrix-bot-maubot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'maubot', 'bot-maubot']}] if matrix_bot_maubot_enabled else []) + - ([{'name': 'matrix-bot-mjolnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'mjolnir']}] if matrix_bot_mjolnir_enabled else []) + ([{'name': 'matrix-bot-mjolnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'mjolnir', 'bot-mjolnir']}] if matrix_bot_mjolnir_enabled else []) + - ([{'name': 'matrix-bot-draupnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'draupnir']}] if matrix_bot_draupnir_enabled else []) + ([{'name': 'matrix-bot-draupnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'draupnir', 'bot-draupnir']}] if matrix_bot_draupnir_enabled else []) + - ([{'name': 'matrix-bot-postmoogle.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'postmoogle']}] if matrix_bot_postmoogle_enabled else []) + ([{'name': 'matrix-bot-postmoogle.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'postmoogle', 'bot-postmoogle']}] if matrix_bot_postmoogle_enabled else []) + - ([{'name': 'matrix-bot-chatgpt.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'chatgpt']}] if matrix_bot_chatgpt_enabled else []) + ([{'name': 'matrix-bot-chatgpt.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'chatgpt', 'bot-chatgpt']}] if matrix_bot_chatgpt_enabled else []) + ([{'name': 'matrix-appservice-discord.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'appservice-discord']}] if matrix_appservice_discord_enabled else []) + From 88c7cf21f7d5b454af4449dab6a7fbccb2b1b4d2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 18 May 2023 10:03:02 +0300 Subject: [PATCH 06/41] Make Honoroit not try to capture all matrix.DOMAIN traffic It only serves a metrics endpoint, so it shouldn't try to capture anything else. --- docs/configuring-playbook-bot-honoroit.md | 3 +++ .../custom/matrix-bot-honoroit/defaults/main.yml | 1 - .../matrix-bot-honoroit/templates/labels.j2 | 15 --------------- 3 files changed, 3 insertions(+), 16 deletions(-) diff --git a/docs/configuring-playbook-bot-honoroit.md b/docs/configuring-playbook-bot-honoroit.md index 42f31d49a..26f5c6916 100644 --- a/docs/configuring-playbook-bot-honoroit.md +++ b/docs/configuring-playbook-bot-honoroit.md @@ -14,6 +14,9 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars. ```yaml matrix_bot_honoroit_enabled: true +# Uncomment and adjust if you'd like to change the hostname +# matrix_bot_honoroit_hostname: "{{ matrix_server_fqn_matrix }}" + # Uncomment and adjust this part if you'd like to use a username different than the default # matrix_bot_honoroit_login: honoroit diff --git a/roles/custom/matrix-bot-honoroit/defaults/main.yml b/roles/custom/matrix-bot-honoroit/defaults/main.yml index ea93d55f2..666b40f0a 100644 --- a/roles/custom/matrix-bot-honoroit/defaults/main.yml +++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml @@ -56,7 +56,6 @@ matrix_bot_honoroit_container_labels_traefik_docker_network: "{{ matrix_bot_hono matrix_bot_honoroit_container_labels_traefik_hostname: "{{ matrix_bot_honoroit_hostname }}" # The path prefix must either be `/` or not end with a slash (e.g. `/honoroit`). matrix_bot_honoroit_container_labels_traefik_path_prefix: "{{ matrix_bot_honoroit_path_prefix }}" -matrix_bot_honoroit_container_labels_traefik_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`){% if matrix_bot_honoroit_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_bot_honoroit_container_labels_traefik_path_prefix }}`){% endif %}" matrix_bot_honoroit_container_labels_traefik_metrics_path: "{{ matrix_bot_honoroit_metrics_path }}" matrix_bot_honoroit_container_labels_traefik_metrics_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`) && Path(`{{ matrix_bot_honoroit_container_labels_traefik_metrics_path }}`)" matrix_bot_honoroit_container_labels_traefik_priority: 0 diff --git a/roles/custom/matrix-bot-honoroit/templates/labels.j2 b/roles/custom/matrix-bot-honoroit/templates/labels.j2 index 7943e00f1..12409470d 100644 --- a/roles/custom/matrix-bot-honoroit/templates/labels.j2 +++ b/roles/custom/matrix-bot-honoroit/templates/labels.j2 @@ -31,21 +31,6 @@ traefik.http.middlewares.matrix-bot-honoroit-auth.basicauth.users={{ lookup('ans {% set middlewares_metrics = middlewares + ['matrix-bot-honoroit-auth'] %} {% endif %} -traefik.http.routers.matrix-bot-honoroit.rule={{ matrix_bot_honoroit_container_labels_traefik_rule }} -{% if matrix_bot_honoroit_container_labels_traefik_priority | int > 0 %} -traefik.http.routers.matrix-bot-honoroit.priority={{ matrix_bot_honoroit_container_labels_traefik_priority }} -{% endif %} -traefik.http.routers.matrix-bot-honoroit.service=matrix-bot-honoroit -{% if middlewares | length > 0 %} -traefik.http.routers.matrix-bot-honoroit.middlewares={{ middlewares | join(',') }} -{% endif %} -traefik.http.routers.matrix-bot-honoroit.entrypoints={{ matrix_bot_honoroit_container_labels_traefik_entrypoints }} -traefik.http.routers.matrix-bot-honoroit.tls={{ matrix_bot_honoroit_container_labels_traefik_tls | to_json }} -{% if matrix_bot_honoroit_container_labels_traefik_tls %} -traefik.http.routers.matrix-bot-honoroit.tls.certResolver={{ matrix_bot_honoroit_container_labels_traefik_tls_certResolver }} -{% endif %} -traefik.http.services.matrix-bot-honoroit.loadbalancer.server.port=8080 - {% if middlewares_metrics | length > 0 %} traefik.http.routers.matrix-bot-honoroit-metrics.rule={{ matrix_bot_honoroit_container_labels_traefik_metrics_rule }} {% if matrix_bot_honoroit_container_labels_traefik_priority | int > 0 %} From 8f903fa6215863051118143c6b5a2311c8d57f7d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 18 May 2023 10:03:40 +0300 Subject: [PATCH 07/41] Make Honoroit respect matrix_bot_honoroit_path_prefix when building the metrics path --- roles/custom/matrix-bot-honoroit/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-honoroit/defaults/main.yml b/roles/custom/matrix-bot-honoroit/defaults/main.yml index 666b40f0a..3cb4fa5f6 100644 --- a/roles/custom/matrix-bot-honoroit/defaults/main.yml +++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml @@ -56,7 +56,7 @@ matrix_bot_honoroit_container_labels_traefik_docker_network: "{{ matrix_bot_hono matrix_bot_honoroit_container_labels_traefik_hostname: "{{ matrix_bot_honoroit_hostname }}" # The path prefix must either be `/` or not end with a slash (e.g. `/honoroit`). matrix_bot_honoroit_container_labels_traefik_path_prefix: "{{ matrix_bot_honoroit_path_prefix }}" -matrix_bot_honoroit_container_labels_traefik_metrics_path: "{{ matrix_bot_honoroit_metrics_path }}" +matrix_bot_honoroit_container_labels_traefik_metrics_path: "{{ '' if matrix_bot_honoroit_path_prefix = '/' else matrix_bot_honoroit_path_prefix }}{{ matrix_bot_honoroit_metrics_path }}" matrix_bot_honoroit_container_labels_traefik_metrics_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`) && Path(`{{ matrix_bot_honoroit_container_labels_traefik_metrics_path }}`)" matrix_bot_honoroit_container_labels_traefik_priority: 0 matrix_bot_honoroit_container_labels_traefik_entrypoints: web-secure From 2083b10f1abe16054dc634061dadc30fe50f7eb3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 18 May 2023 10:09:07 +0300 Subject: [PATCH 08/41] Fix syntax error --- roles/custom/matrix-bot-honoroit/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-honoroit/defaults/main.yml b/roles/custom/matrix-bot-honoroit/defaults/main.yml index 3cb4fa5f6..90ffa0c64 100644 --- a/roles/custom/matrix-bot-honoroit/defaults/main.yml +++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml @@ -56,7 +56,7 @@ matrix_bot_honoroit_container_labels_traefik_docker_network: "{{ matrix_bot_hono matrix_bot_honoroit_container_labels_traefik_hostname: "{{ matrix_bot_honoroit_hostname }}" # The path prefix must either be `/` or not end with a slash (e.g. `/honoroit`). matrix_bot_honoroit_container_labels_traefik_path_prefix: "{{ matrix_bot_honoroit_path_prefix }}" -matrix_bot_honoroit_container_labels_traefik_metrics_path: "{{ '' if matrix_bot_honoroit_path_prefix = '/' else matrix_bot_honoroit_path_prefix }}{{ matrix_bot_honoroit_metrics_path }}" +matrix_bot_honoroit_container_labels_traefik_metrics_path: "{{ '' if matrix_bot_honoroit_path_prefix == '/' else matrix_bot_honoroit_path_prefix }}{{ matrix_bot_honoroit_metrics_path }}" matrix_bot_honoroit_container_labels_traefik_metrics_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`) && Path(`{{ matrix_bot_honoroit_container_labels_traefik_metrics_path }}`)" matrix_bot_honoroit_container_labels_traefik_priority: 0 matrix_bot_honoroit_container_labels_traefik_entrypoints: web-secure From 018e620ee82b82ec484036a9c1a2cb4273f63f75 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 18 May 2023 10:10:47 +0300 Subject: [PATCH 09/41] Default matrix_bot_honoroit_path_prefix to /honoroit to avoid conflicts with Matrix Client-Server API --- docs/configuring-playbook-bot-honoroit.md | 3 ++- group_vars/matrix_servers | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bot-honoroit.md b/docs/configuring-playbook-bot-honoroit.md index 26f5c6916..2a711fb83 100644 --- a/docs/configuring-playbook-bot-honoroit.md +++ b/docs/configuring-playbook-bot-honoroit.md @@ -14,8 +14,9 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars. ```yaml matrix_bot_honoroit_enabled: true -# Uncomment and adjust if you'd like to change the hostname +# Uncomment and adjust if you'd like to change the hostname or path # matrix_bot_honoroit_hostname: "{{ matrix_server_fqn_matrix }}" +# matrix_bot_honoroit_path_prefix: /honoroit # Uncomment and adjust this part if you'd like to use a username different than the default # matrix_bot_honoroit_login: honoroit diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index f89304f46..4a67c2df1 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1653,7 +1653,9 @@ matrix_bot_maubot_database_password: "{{ '%s' | format(matrix_homeserver_generic # We don't enable bots by default. matrix_bot_honoroit_enabled: false + matrix_bot_honoroit_hostname: "{{ matrix_server_fqn_matrix }}" +matrix_bot_honoroit_path_prefix: /honoroit matrix_bot_honoroit_systemd_required_services_list: | {{ From aa44a277f6633a102c1394f8f6666b9ced1c813c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 18 May 2023 10:13:06 +0300 Subject: [PATCH 10/41] Fix service name for Honoroit metrics --- roles/custom/matrix-bot-honoroit/templates/labels.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-honoroit/templates/labels.j2 b/roles/custom/matrix-bot-honoroit/templates/labels.j2 index 12409470d..8e20ea459 100644 --- a/roles/custom/matrix-bot-honoroit/templates/labels.j2 +++ b/roles/custom/matrix-bot-honoroit/templates/labels.j2 @@ -36,7 +36,7 @@ traefik.http.routers.matrix-bot-honoroit-metrics.rule={{ matrix_bot_honoroit_con {% if matrix_bot_honoroit_container_labels_traefik_priority | int > 0 %} traefik.http.routers.matrix-bot-honoroit-metrics.priority={{ matrix_bot_honoroit_container_labels_traefik_priority }} {% endif %} -traefik.http.routers.matrix-bot-honoroit-metrics.service=matrix-bot-honoroit +traefik.http.routers.matrix-bot-honoroit-metrics.service=matrix-bot-honoroit-metrics traefik.http.routers.matrix-bot-honoroit-metrics.middlewares={{ middlewares_metrics | join(',') }} traefik.http.routers.matrix-bot-honoroit-metrics.entrypoints={{ matrix_bot_honoroit_container_labels_traefik_entrypoints }} traefik.http.routers.matrix-bot-honoroit-metrics.tls={{ matrix_bot_honoroit_container_labels_traefik_tls | to_json }} From d475a4906def9424fd07dd4ea10671c2254833ea Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Thu, 18 May 2023 20:51:15 +0000 Subject: [PATCH 11/41] update ntfy 2.4.0 -> 2.5.0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 57f4709f2..d6ed01d07 100644 --- a/requirements.yml +++ b/requirements.yml @@ -40,7 +40,7 @@ version: v8615-0 name: jitsi - src: git+https://gitlab.com/etke.cc/roles/ntfy.git - version: v2.4.0-0 + version: v2.5.0-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git version: v2.44.0-0 name: prometheus From b71375fac736bb96d78d353f63a3711deecdac24 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 19 May 2023 18:26:05 +0300 Subject: [PATCH 12/41] Disable healthcheck for Synapse workers which serve no web traffic This was mostly affecting the stream writer (events) worker, which was being reported as unhealthy. It wasn't causing any issues, but it just looked odd and was confusing people. As an alternative to hitting the regular `/health` healthcheck route (on the "client" API which this stream writer does not expose), we may have went for hitting some "replication" API endpoint instead. This is more complicated and likely unnecessary. --- roles/custom/matrix-synapse/tasks/synapse/workers/init.yml | 2 +- .../templates/synapse/systemd/matrix-synapse-worker.service.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml b/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml index 359fe0316..68b8f37e3 100644 --- a/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml @@ -21,7 +21,7 @@ ansible.builtin.set_fact: worker: id: "stream-writer-{{ idx }}-{{ item.stream }}" - # Names must not include understores. Certain stream writer streams (to_device, account_data, ..) do, so we fix them up. + # Names must not include underscores. Certain stream writer streams (to_device, account_data, ..) do, so we fix them up. name: "matrix-synapse-worker-stream-writer-{{ idx }}-{{ item.stream | replace('_', '-') }}" type: 'stream_writer' app: "generic_worker" diff --git a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 index 578d91078..4a6a01b78 100644 --- a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 @@ -23,7 +23,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \ --network={{ matrix_synapse_container_network }} \ - {% if matrix_synapse_worker_details.port != 0 %} + {% if matrix_synapse_worker_details.port != 0 and matrix_synapse_worker_details.webserving %} --health-cmd 'curl -fSs http://localhost:{{ matrix_synapse_worker_details.port }}/health || exit 1' \ {% else %} --no-healthcheck \ From b5d5e49235a46d640ae427e1797a11e870ce1968 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 19 May 2023 19:32:34 +0300 Subject: [PATCH 13/41] Move Honoroit metrics from /honoroit/metrics to /metrics/honoroit This restores consistency with other services. Related to 8f903fa6215863051118143c6b5a2311c8d57f7d --- group_vars/matrix_servers | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 4a67c2df1..79a503d5a 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1655,8 +1655,13 @@ matrix_bot_maubot_database_password: "{{ '%s' | format(matrix_homeserver_generic matrix_bot_honoroit_enabled: false matrix_bot_honoroit_hostname: "{{ matrix_server_fqn_matrix }}" + matrix_bot_honoroit_path_prefix: /honoroit +# For consistency with other things hosted at the matrix FQN, we adjust the metrics endpoint +# so that metrics would be served at `/metrics/SERVICE_NAME`, and not at the default path for the role (`PREFIX/metrics`). +matrix_bot_honoroit_container_labels_traefik_metrics_path: /metrics/honoroit + matrix_bot_honoroit_systemd_required_services_list: | {{ ['docker.service'] From 014f5def55b944b65fb1b8047b060032ea8de1f7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 May 2023 17:00:26 +0000 Subject: [PATCH 14/41] Bump frenck/action-yamllint from 1.4.0 to 1.4.1 Bumps [frenck/action-yamllint](https://github.com/frenck/action-yamllint) from 1.4.0 to 1.4.1. - [Release notes](https://github.com/frenck/action-yamllint/releases) - [Commits](https://github.com/frenck/action-yamllint/compare/v1.4.0...v1.4.1) --- updated-dependencies: - dependency-name: frenck/action-yamllint dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/matrix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml index abca55ae2..579ab7192 100644 --- a/.github/workflows/matrix.yml +++ b/.github/workflows/matrix.yml @@ -13,7 +13,7 @@ jobs: - name: Check out uses: actions/checkout@v3 - name: Run yamllint - uses: frenck/action-yamllint@v1.4.0 + uses: frenck/action-yamllint@v1.4.1 ansible-lint: name: ansible-lint runs-on: ubuntu-latest From 86abe0680a28e21baa316aeb53de98903e1da765 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Mon, 22 May 2023 18:01:02 +0000 Subject: [PATCH 15/41] Update mautrix-twitter 0.1.5 -> 0.1.6 --- roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml index cc11a69b3..55e8411b6 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mautrix_twitter_container_image_self_build: false matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/mautrix/twitter.git" matrix_mautrix_twitter_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_twitter_version == 'latest' else matrix_mautrix_twitter_version }}" -matrix_mautrix_twitter_version: v0.1.5 +matrix_mautrix_twitter_version: v0.1.6 # See: https://mau.dev/tulir/mautrix-twitter/container_registry matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_name_prefix }}mautrix/twitter:{{ matrix_mautrix_twitter_version }}" matrix_mautrix_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else 'dock.mau.dev/' }}" From 9350eeb9fb8f95c7cc0e8ad0274dae7051fda593 Mon Sep 17 00:00:00 2001 From: Aine Date: Tue, 23 May 2023 17:33:23 +0300 Subject: [PATCH 16/41] update synapse 1.83.0 -> 1.84.0; set forget_rooms_on_leave = true --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- .../matrix-synapse/templates/synapse/homeserver.yaml.j2 | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index f159e01b8..cda427e39 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -4,7 +4,7 @@ matrix_synapse_enabled: true -matrix_synapse_version: v1.83.0 +matrix_synapse_version: v1.84.0 matrix_synapse_username: '' matrix_synapse_uid: '' diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 63cdafeb0..ff2533977 100644 --- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -141,6 +141,10 @@ allow_public_rooms_over_federation: {{ matrix_synapse_allow_public_rooms_over_fe # default_room_version: {{ matrix_synapse_default_room_version|to_json }} +# Set to true to automatically forget rooms for users when they leave them, either +# normally or via a kick or ban. Defaults to false. +forget_rooms_on_leave: true + # The GC threshold parameters to pass to `gc.set_threshold`, if defined # #gc_thresholds: [700, 10, 10] From 428f7a1f75337ef2f7b848e532d8d93f4a540919 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 24 May 2023 20:20:37 +0000 Subject: [PATCH 17/41] Update hookshot 4.0.0 -> 4.1.0 --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 18fc01525..247c542b7 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml @@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git" matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}" -matrix_hookshot_version: 4.0.0 +matrix_hookshot_version: 4.1.0 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}" matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}" From 4b30c4d8128c51b8fffcfc8abe00053e7802772d Mon Sep 17 00:00:00 2001 From: Catalan Lover Date: Thu, 25 May 2023 00:52:28 +0200 Subject: [PATCH 18/41] Update Draupnir from 1.80.1 to 1.82.0 --- roles/custom/matrix-bot-draupnir/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-draupnir/defaults/main.yml b/roles/custom/matrix-bot-draupnir/defaults/main.yml index 92abc7ab0..6ee99a358 100644 --- a/roles/custom/matrix-bot-draupnir/defaults/main.yml +++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml @@ -4,7 +4,7 @@ matrix_bot_draupnir_enabled: true -matrix_bot_draupnir_version: "v1.80.1" +matrix_bot_draupnir_version: "v1.82.0" matrix_bot_draupnir_container_image_self_build: false matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/Gnuxie/Draupnir.git" From c55371e3058b5785aab54c07c567575df87af7f9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 25 May 2023 09:14:09 +0300 Subject: [PATCH 19/41] Add changelog entry for the forget_rooms_on_leave default change for Synapse Related to: - https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2698 - https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2700 --- CHANGELOG.md | 14 ++++++++++++++ roles/custom/matrix-synapse/defaults/main.yml | 4 ++++ .../templates/synapse/homeserver.yaml.j2 | 2 +- 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1b5118427..70b17b000 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,17 @@ +# 2023-05-25 + +## Enabling `forget_rooms_on_leave` by default for Synapse + +With the [Synapse v1.84.0 update](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2698), we've also **changed the default value** of the `forget_rooms_on_leave` setting of Synapse to a value of `true`. +This way, **when you leave a room, Synapse will now forget it automatically**. + +The upstream Synapse default is `false` (disabled), so that you must forget rooms manually after leaving. + +**We go against the upstream default** ([somewhat controversially](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2700)) in an effort to make Synapse leaner and potentially do what we believe most users would expect their homeserver to be doing. + +If you'd like to go back to the old behavior, add the following to your configuration: `matrix_synapse_forget_rooms_on_leave: false` + + # 2023-04-03 ## The matrix-jitsi role lives independently now diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index cda427e39..5903eb05b 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -928,6 +928,10 @@ matrix_synapse_room_list_publication_rules: matrix_synapse_default_room_version: "10" +# Controls whether leaving a room will automatically forget it. +# The upstream default is `false`, but we try to make Synapse less wasteful of resources, so we do things differently. +matrix_synapse_forget_rooms_on_leave: true + # Controls the Synapse `spam_checker` setting. # # If a spam-checker extension is enabled, this variable's value is set automatically by the playbook during runtime. diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index ff2533977..a36df6fc0 100644 --- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -143,7 +143,7 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }} # Set to true to automatically forget rooms for users when they leave them, either # normally or via a kick or ban. Defaults to false. -forget_rooms_on_leave: true +forget_rooms_on_leave: {{ matrix_synapse_forget_rooms_on_leave | to_json }} # The GC threshold parameters to pass to `gc.set_threshold`, if defined # From 981805002d8a4f23a6cebdb53f14a4b0773de0a8 Mon Sep 17 00:00:00 2001 From: tammes Date: Thu, 25 May 2023 22:45:09 +0200 Subject: [PATCH 20/41] add example Caddyfile for fronting Traefik, mark the old one as deprecated and update READMEs --- docs/configuring-playbook-own-webserver.md | 2 +- examples/caddy2/Caddyfile | 255 +------------------ examples/caddy2/Caddyfile.deprecated | 269 +++++++++++++++++++++ examples/caddy2/README.md | 26 +- examples/nginx/README.md | 2 +- 5 files changed, 301 insertions(+), 253 deletions(-) create mode 100644 examples/caddy2/Caddyfile.deprecated diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 3d8c5b0d0..f276a554d 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -160,7 +160,7 @@ devture_traefik_additional_entrypoints_auto: # # trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY'] ``` -For an example where the playbook's Traefik reverse-proxy is fronted by [Nginx](https://nginx.org/) running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md). +For an example where the playbook's Traefik reverse-proxy is fronted by another reverse-proxy running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md) or [Caddy reverse-proxy fronting the playbook's Traefik](../examples/caddy2/README.md). ### Using no reverse-proxy on the Matrix side at all diff --git a/examples/caddy2/Caddyfile b/examples/caddy2/Caddyfile index 43005ca41..2ffcea520 100644 --- a/examples/caddy2/Caddyfile +++ b/examples/caddy2/Caddyfile @@ -1,112 +1,10 @@ -(cors) { - @cors_preflight method OPTIONS - - handle @cors_preflight { - header Access-Control-Allow-Origin "{args.0}" - header Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE" - header Access-Control-Allow-Headers "Content-Type, Authorization" - header Access-Control-Max-Age "3600" - } -} - - -matrix.DOMAIN.tld { - - # creates letsencrypt certificate - # tls your@email.com - - @identity { - path /_matrix/identity/* - } - - @noidentity { - not path /_matrix/identity/* - } - - @search { - path /_matrix/client/r0/user_directory/search/* - } - - @nosearch { - not path /_matrix/client/r0/user_directory/search/* - } - - @static { - path /matrix/static-files/* - } - - @nostatic { - not path /matrix/static-files/* - } - - @wellknown { - path /.well-known/matrix/* - } - - header { - # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS - Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" - # Enable cross-site filter (XSS) and tell browser to block detected attacks - X-XSS-Protection "1; mode=block" - # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type - X-Content-Type-Options "nosniff" - # Disallow the site to be rendered within a frame (clickjacking protection) - X-Frame-Options "DENY" - # X-Robots-Tag - X-Robots-Tag "noindex, noarchive, nofollow" - } - - # Cache - header @static { - # Cache - Cache-Control "public, max-age=31536000" - defer - } - - # identity - handle @identity { - reverse_proxy localhost:8090 { - header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} - header_up X-Forwarded-TlsProto {tls_protocol} - header_up X-Forwarded-TlsCipher {tls_cipher} - header_up X-Forwarded-HttpsProto {proto} - } - } - - # search - handle @search { - reverse_proxy localhost:8090 { - header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} - header_up X-Forwarded-TlsProto {tls_protocol} - header_up X-Forwarded-TlsCipher {tls_cipher} - header_up X-Forwarded-HttpsProto {proto} - } - } - - handle @wellknown { - encode zstd gzip - root * /matrix/static-files - header Cache-Control max-age=14400 - header Content-Type application/json - header Access-Control-Allow-Origin * - file_server - } - - # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the base domain - #handle @wellknown { - # # .well-known is handled by base domain - # reverse_proxy https://DOMAIN.tld { - # header_up Host {http.reverse_proxy.upstream.hostport} - #} +matrix.example.tld { handle { encode zstd gzip - reverse_proxy localhost:8008 { + reverse_proxy localhost:81 { header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} header_up X-Forwarded-TlsProto {tls_protocol} header_up X-Forwarded-TlsCipher {tls_cipher} header_up X-Forwarded-HttpsProto {proto} @@ -114,13 +12,12 @@ matrix.DOMAIN.tld { } } -matrix.DOMAIN.tld:8448 { +matrix.example.tld:8448 { handle { encode zstd gzip - reverse_proxy 127.0.0.1:8048 { + reverse_proxy 127.0.0.1:8449 { header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} header_up X-Forwarded-TlsProto {tls_protocol} header_up X-Forwarded-TlsCipher {tls_cipher} header_up X-Forwarded-HttpsProto {proto} @@ -128,142 +25,16 @@ matrix.DOMAIN.tld:8448 { } } -element.DOMAIN.tld { - # creates letsencrypt certificate - # tls your@email.com - - import cors https://*.DOMAIN.tld - - header { - # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS - Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" - # Enable cross-site filter (XSS) and tell browser to block detected attacks - X-XSS-Protection "1; mode=block" - # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type - X-Content-Type-Options "nosniff" - # Disallow the site to be rendered within a frame (clickjacking protection) - X-Frame-Options "DENY" - # If using integrations that add frames to Element, such as Dimension and its integrations running on the same domain, it can be a good idea to limit sources allowed to be rendered - # Content-Security-Policy frame-src https://*.DOMAIN.tld - # X-Robots-Tag - X-Robots-Tag "noindex, noarchive, nofollow" - } - - handle { - encode zstd gzip +example.tld { +# Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server + @wellknown { + path /.well-known/matrix/* + } - reverse_proxy localhost:8765 { - header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} - header_up X-Forwarded-TlsProto {tls_protocol} - header_up X-Forwarded-TlsCipher {tls_cipher} - header_up X-Forwarded-HttpsProto {proto} + handle @wellknown { + reverse_proxy https://matrix.example.tld { + header_up Host {http.reverse_proxy.upstream.hostport} } + } } - -#dimension.DOMAIN.tld { -# -# # creates letsencrypt certificate -# # tls your@email.com -# -# import cors https://*.DOMAIN.tld -# -# header { -# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS -# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" -# # Enable cross-site filter (XSS) and tell browser to block detected attacks -# X-XSS-Protection "1; mode=block" -# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type -# X-Content-Type-Options "nosniff" -# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain (clickjacking protection) -# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld -# # X-Robots-Tag -# X-Robots-Tag "noindex, noarchive, nofollow" -# } -# -# handle { -# encode zstd gzip -# -# reverse_proxy localhost:8184 { -# header_up X-Forwarded-Port {http.request.port} -# header_up X-Forwarded-Proto {http.request.scheme} -# header_up X-Forwarded-TlsProto {tls_protocol} -# header_up X-Forwarded-TlsCipher {tls_cipher} -# header_up X-Forwarded-HttpsProto {proto} -# } -# } -#} - - -#jitsi.DOMAIN.tld { -# -# creates letsencrypt certificate -# tls your@email.com -# -# import cors https://*.DOMAIN.tld -# -# header { -# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS -# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" -# -# # Enable cross-site filter (XSS) and tell browser to block detected attacks -# X-XSS-Protection "1; mode=block" -# -# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type -# X-Content-Type-Options "nosniff" - -# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain -# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld -# -# # Disable some features -# Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'" -# -# # Referer -# Referrer-Policy "no-referrer" -# -# # X-Robots-Tag -# X-Robots-Tag "none" -# -# # Remove Server header -# -Server -# } -# -# handle { -# encode zstd gzip -# -# reverse_proxy 127.0.0.1:13080 { -# header_up X-Forwarded-Port {http.request.port} -# header_up X-Forwarded-Proto {http.request.scheme} -# header_up X-Forwarded-TlsProto {tls_protocol} -# header_up X-Forwarded-TlsCipher {tls_cipher} -# header_up X-Forwarded-HttpsProto {proto} -# } -# } -#} -#DOMAIN.com { -# Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server -# @wellknown { -# path /.well-known/matrix/* -# } -# -# handle @wellknown { -# reverse_proxy https://matrix.DOMAIN.com { -# header_up Host {http.reverse_proxy.upstream.hostport} -# } -# } -# # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the matrix subdomain -# # handle /.well-known/* { -# # encode zstd gzip -# # header Cache-Control max-age=14400 -# # header Content-Type application/json -# # header Access-Control-Allow-Origin * -# #} -# -# # Configration for the base domain goes here -# # handle { -# # header -Server -# # encode zstd gzip -# # reverse_proxy localhost:4020 -# # } -#} diff --git a/examples/caddy2/Caddyfile.deprecated b/examples/caddy2/Caddyfile.deprecated new file mode 100644 index 000000000..43005ca41 --- /dev/null +++ b/examples/caddy2/Caddyfile.deprecated @@ -0,0 +1,269 @@ +(cors) { + @cors_preflight method OPTIONS + + handle @cors_preflight { + header Access-Control-Allow-Origin "{args.0}" + header Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE" + header Access-Control-Allow-Headers "Content-Type, Authorization" + header Access-Control-Max-Age "3600" + } +} + + +matrix.DOMAIN.tld { + + # creates letsencrypt certificate + # tls your@email.com + + @identity { + path /_matrix/identity/* + } + + @noidentity { + not path /_matrix/identity/* + } + + @search { + path /_matrix/client/r0/user_directory/search/* + } + + @nosearch { + not path /_matrix/client/r0/user_directory/search/* + } + + @static { + path /matrix/static-files/* + } + + @nostatic { + not path /matrix/static-files/* + } + + @wellknown { + path /.well-known/matrix/* + } + + header { + # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS + Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + # Enable cross-site filter (XSS) and tell browser to block detected attacks + X-XSS-Protection "1; mode=block" + # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type + X-Content-Type-Options "nosniff" + # Disallow the site to be rendered within a frame (clickjacking protection) + X-Frame-Options "DENY" + # X-Robots-Tag + X-Robots-Tag "noindex, noarchive, nofollow" + } + + # Cache + header @static { + # Cache + Cache-Control "public, max-age=31536000" + defer + } + + # identity + handle @identity { + reverse_proxy localhost:8090 { + header_up X-Forwarded-Port {http.request.port} + header_up X-Forwarded-Proto {http.request.scheme} + header_up X-Forwarded-TlsProto {tls_protocol} + header_up X-Forwarded-TlsCipher {tls_cipher} + header_up X-Forwarded-HttpsProto {proto} + } + } + + # search + handle @search { + reverse_proxy localhost:8090 { + header_up X-Forwarded-Port {http.request.port} + header_up X-Forwarded-Proto {http.request.scheme} + header_up X-Forwarded-TlsProto {tls_protocol} + header_up X-Forwarded-TlsCipher {tls_cipher} + header_up X-Forwarded-HttpsProto {proto} + } + } + + handle @wellknown { + encode zstd gzip + root * /matrix/static-files + header Cache-Control max-age=14400 + header Content-Type application/json + header Access-Control-Allow-Origin * + file_server + } + + # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the base domain + #handle @wellknown { + # # .well-known is handled by base domain + # reverse_proxy https://DOMAIN.tld { + # header_up Host {http.reverse_proxy.upstream.hostport} + #} + + handle { + encode zstd gzip + + reverse_proxy localhost:8008 { + header_up X-Forwarded-Port {http.request.port} + header_up X-Forwarded-Proto {http.request.scheme} + header_up X-Forwarded-TlsProto {tls_protocol} + header_up X-Forwarded-TlsCipher {tls_cipher} + header_up X-Forwarded-HttpsProto {proto} + } + } +} + +matrix.DOMAIN.tld:8448 { + handle { + encode zstd gzip + + reverse_proxy 127.0.0.1:8048 { + header_up X-Forwarded-Port {http.request.port} + header_up X-Forwarded-Proto {http.request.scheme} + header_up X-Forwarded-TlsProto {tls_protocol} + header_up X-Forwarded-TlsCipher {tls_cipher} + header_up X-Forwarded-HttpsProto {proto} + } + } +} + +element.DOMAIN.tld { + + # creates letsencrypt certificate + # tls your@email.com + + import cors https://*.DOMAIN.tld + + header { + # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS + Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + # Enable cross-site filter (XSS) and tell browser to block detected attacks + X-XSS-Protection "1; mode=block" + # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type + X-Content-Type-Options "nosniff" + # Disallow the site to be rendered within a frame (clickjacking protection) + X-Frame-Options "DENY" + # If using integrations that add frames to Element, such as Dimension and its integrations running on the same domain, it can be a good idea to limit sources allowed to be rendered + # Content-Security-Policy frame-src https://*.DOMAIN.tld + # X-Robots-Tag + X-Robots-Tag "noindex, noarchive, nofollow" + } + + handle { + encode zstd gzip + + reverse_proxy localhost:8765 { + header_up X-Forwarded-Port {http.request.port} + header_up X-Forwarded-Proto {http.request.scheme} + header_up X-Forwarded-TlsProto {tls_protocol} + header_up X-Forwarded-TlsCipher {tls_cipher} + header_up X-Forwarded-HttpsProto {proto} + } +} + +#dimension.DOMAIN.tld { +# +# # creates letsencrypt certificate +# # tls your@email.com +# +# import cors https://*.DOMAIN.tld +# +# header { +# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS +# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" +# # Enable cross-site filter (XSS) and tell browser to block detected attacks +# X-XSS-Protection "1; mode=block" +# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type +# X-Content-Type-Options "nosniff" +# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain (clickjacking protection) +# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld +# # X-Robots-Tag +# X-Robots-Tag "noindex, noarchive, nofollow" +# } +# +# handle { +# encode zstd gzip +# +# reverse_proxy localhost:8184 { +# header_up X-Forwarded-Port {http.request.port} +# header_up X-Forwarded-Proto {http.request.scheme} +# header_up X-Forwarded-TlsProto {tls_protocol} +# header_up X-Forwarded-TlsCipher {tls_cipher} +# header_up X-Forwarded-HttpsProto {proto} +# } +# } +#} + + +#jitsi.DOMAIN.tld { +# +# creates letsencrypt certificate +# tls your@email.com +# +# import cors https://*.DOMAIN.tld +# +# header { +# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS +# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" +# +# # Enable cross-site filter (XSS) and tell browser to block detected attacks +# X-XSS-Protection "1; mode=block" +# +# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type +# X-Content-Type-Options "nosniff" + +# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain +# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld +# +# # Disable some features +# Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'" +# +# # Referer +# Referrer-Policy "no-referrer" +# +# # X-Robots-Tag +# X-Robots-Tag "none" +# +# # Remove Server header +# -Server +# } +# +# handle { +# encode zstd gzip +# +# reverse_proxy 127.0.0.1:13080 { +# header_up X-Forwarded-Port {http.request.port} +# header_up X-Forwarded-Proto {http.request.scheme} +# header_up X-Forwarded-TlsProto {tls_protocol} +# header_up X-Forwarded-TlsCipher {tls_cipher} +# header_up X-Forwarded-HttpsProto {proto} +# } +# } +#} +#DOMAIN.com { +# Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server +# @wellknown { +# path /.well-known/matrix/* +# } +# +# handle @wellknown { +# reverse_proxy https://matrix.DOMAIN.com { +# header_up Host {http.reverse_proxy.upstream.hostport} +# } +# } +# # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the matrix subdomain +# # handle /.well-known/* { +# # encode zstd gzip +# # header Cache-Control max-age=14400 +# # header Content-Type application/json +# # header Access-Control-Allow-Origin * +# #} +# +# # Configration for the base domain goes here +# # handle { +# # header -Server +# # encode zstd gzip +# # reverse_proxy localhost:4020 +# # } +#} diff --git a/examples/caddy2/README.md b/examples/caddy2/README.md index fe8d57637..d4bfb4755 100644 --- a/examples/caddy2/README.md +++ b/examples/caddy2/README.md @@ -1,12 +1,20 @@ -# Caddyfile +# Caddy reverse-proxy fronting the playbook's integrated Traefik reverse-proxy -This directory contains sample files that show you how to do reverse-proxying using Caddy2. +This directory contains a sample config that shows you how to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with your own [Caddy](https://caddyserver.com/) reverse-proxy. -## Config -| Variable | Function | -| ------------------ | -------- | -| tls your@email.com | Specify an email address for your [ACME account](https://caddyserver.com/docs/caddyfile/directives/tls) (but if only one email is used for all sites, we recommend the email [global option](https://caddyserver.com/docs/caddyfile/options) instead) | -| tls | To enable [tls](https://caddyserver.com/docs/caddyfile/directives/tls) support uncomment the lines for tls | -| Dimension | To enable Dimension support uncomment the lines for Dimension and set your data | -| Jitsi | To enable Jitsi support uncomment the lines for Jitsi and set your data | +## Prerequisite configuration + +To get started, first follow the [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instructions and update your playbook's configuration (`inventory/host_vars/matrix./vars.yml`). + + +## Using the Caddyfile + +You can either just use the [Caddyfile](Caddyfile) directly or append its content to your own Caddyfile. +In both cases make sure to replace all the `example.tld` domains with your own domain. + +This example does not include additional services like element, but you should be able copy the first block and replace the matrix subdomain with the additional services subdomain. I have not tested this though. + +# Caddyfile.deprecated + +This can be used as a [Caddy](https://caddyserver.com/) reverse-proxy without intermediary playbook managed reverse proxy. However, this setup is not supported by the playbook anymore. Instead [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) as described above. diff --git a/examples/nginx/README.md b/examples/nginx/README.md index 11fca299e..d8698ba6b 100644 --- a/examples/nginx/README.md +++ b/examples/nginx/README.md @@ -1,6 +1,6 @@ # Nginx reverse-proxy fronting the playbook's integrated Traefik reverse-proxy -This directory contains a sample config that shows you how use the [nginx](https://nginx.org/) webserver to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with another reverse-proxy. +This directory contains a sample config that shows you how to use the [nginx](https://nginx.org/) webserver to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with another reverse-proxy. ## Prerequisite configuration From f98f803b4404c739e19da6b27fd857ceaac93880 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 26 May 2023 10:17:20 +0300 Subject: [PATCH 21/41] Revert "Update hookshot 4.0.0 -> 4.1.0" This reverts commit 428f7a1f75337ef2f7b848e532d8d93f4a540919. Looks like it won't become a tagged image until a "release" is posted. --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 247c542b7..18fc01525 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml @@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git" matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}" -matrix_hookshot_version: 4.1.0 +matrix_hookshot_version: 4.0.0 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}" matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}" From b9d9a41ea671d35171fc938d8068cf27d37d988a Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 26 May 2023 19:28:27 +0000 Subject: [PATCH 22/41] update mautrix-telegram 0.13.0 -> 0.14.0 --- roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml index d6f44bbcb..c5b7b9a39 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -17,7 +17,7 @@ matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git" matrix_mautrix_telegram_docker_repo_version: "{{ 'master' if matrix_mautrix_telegram_version == 'latest' else matrix_mautrix_telegram_version }}" matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src" -matrix_mautrix_telegram_version: v0.13.0 +matrix_mautrix_telegram_version: v0.14.0 # See: https://mau.dev/mautrix/telegram/container_registry matrix_mautrix_telegram_docker_image: "{{ matrix_mautrix_telegram_docker_image_name_prefix }}mautrix/telegram:{{ matrix_mautrix_telegram_version }}" matrix_mautrix_telegram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_telegram_container_image_self_build else 'dock.mau.dev/' }}" From c36fd8cfc29f738143b4212a07f89191574a5f48 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 26 May 2023 19:29:26 +0000 Subject: [PATCH 23/41] Update synapse 1.84.0 -> 1.84.1 --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 5903eb05b..a0169eb0c 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -4,7 +4,7 @@ matrix_synapse_enabled: true -matrix_synapse_version: v1.84.0 +matrix_synapse_version: v1.84.1 matrix_synapse_username: '' matrix_synapse_uid: '' From 788fa0e766a41761533dd39b466311b71bc41897 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Sat, 27 May 2023 15:59:54 +0000 Subject: [PATCH 24/41] update prometheus-node-exporter 1.5.0 -> 1.6.0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index d6ed01d07..f754b10a7 100644 --- a/requirements.yml +++ b/requirements.yml @@ -45,7 +45,7 @@ version: v2.44.0-0 name: prometheus - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git - version: v1.5.0-7 + version: v1.6.0-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git name: prometheus_postgres_exporter version: v0.12.0-0 From cfedf675eef97900c76304075e6e42ef1fe2cc04 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 28 May 2023 21:27:03 +0300 Subject: [PATCH 25/41] Upgrade Traefik (v2.9.10-2 -> v2.10.1-0) --- requirements.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements.yml b/requirements.yml index f754b10a7..bd260d6cc 100644 --- a/requirements.yml +++ b/requirements.yml @@ -26,7 +26,7 @@ - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git version: v1.0.0-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: v2.9.10-2 + version: v2.10.1-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: v2.8.1-0 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git @@ -47,7 +47,7 @@ - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git version: v1.6.0-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git - name: prometheus_postgres_exporter version: v0.12.0-0 + name: prometheus_postgres_exporter - src: git+https://gitlab.com/etke.cc/roles/redis.git version: v7.0.10-0 From 90d25bccd274b2edb89876da7ec090730f9441a9 Mon Sep 17 00:00:00 2001 From: Luke D Iremadze Date: Mon, 29 May 2023 03:10:07 -0600 Subject: [PATCH 26/41] Update prerequisites.md These ports need to be open in order to receive emails to the Postmoogle bridge --- docs/prerequisites.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/prerequisites.md b/docs/prerequisites.md index be60a5f45..5fa2b1d2a 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -40,6 +40,8 @@ If your distro runs within an [LXC container](https://linuxcontainers.org/), you - `5349/udp`: TURN over UDP (used by Coturn) - `8448/tcp`: Matrix Federation API HTTPS webserver. In some cases, this **may necessary even with federation disabled**. Integration Servers (like Dimension) and Identity Servers (like ma1sd) may need to access `openid` APIs on the federation port. - the range `49152-49172/udp`: TURN over UDP + - `25/tcp`: SMTP over TCP (used by Postmoogle) + - `587/tcp`: TLS over TCP (used by Postmoogle) - potentially some other ports, depending on the additional (non-default) services that you enable in the **configuring the playbook** step (later on). Consult each service's documentation page in `docs/` for that. When ready to proceed, continue with [Configuring DNS](configuring-dns.md). From 67bcf4bc8ae93796831898ff99fc1c58689036ea Mon Sep 17 00:00:00 2001 From: Luke D Iremadze Date: Mon, 29 May 2023 04:03:31 -0600 Subject: [PATCH 27/41] Updates to the Postmoogle documentation --- docs/configuring-playbook-bot-postmoogle.md | 37 ++++++++++++++++++- docs/prerequisites.md | 2 - .../matrix-bot-postmoogle/defaults/main.yml | 8 ++-- 3 files changed, 39 insertions(+), 8 deletions(-) diff --git a/docs/configuring-playbook-bot-postmoogle.md b/docs/configuring-playbook-bot-postmoogle.md index 0fa366935..4d4ba520e 100644 --- a/docs/configuring-playbook-bot-postmoogle.md +++ b/docs/configuring-playbook-bot-postmoogle.md @@ -4,12 +4,29 @@ The playbook can install and configure [Postmoogle](https://gitlab.com/etke.cc/postmoogle) for you. -It's a bot/bridge you can use to forward emails to Matrix rooms +It's a bot/bridge you can use to forward emails to Matrix rooms. +Postmoogle runs an email server through SMTP and allaws you to create mailboxes to the domain you define in the DNS settings. See the project's [documentation](https://gitlab.com/etke.cc/postmoogle) to learn what it does and why it might be useful to you. +## Prerequisites -## Adjusting the playbook configuration +### Ports + +Open the following ports to your server (without it you will not recive email, but you can still send): + - `25/tcp`: SMTP + - `587/tcp`: TLS-encrypted SMTP + +You can change the above default ports through the following variables in the playbook: + +```yaml +# on-host ports +matrix_bot_postmoogle_smtp_host_bind_port: '25' +matrix_bot_postmoogle_submission_host_bind_port: '587' +``` + + +### Adjusting the playbook configuration Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: @@ -23,6 +40,13 @@ matrix_bot_postmoogle_enabled: true matrix_bot_postmoogle_password: PASSWORD_FOR_THE_BOT ``` +Add an admin to Postmoogle with: +```yaml +matrix_bot_postmoogle_admins: + - '@yourAdminAccount:domain.com' +``` + +### DNS You will also need to add several DNS records so that postmoogle can send emails. See [Configuring DNS](configuring-dns.md). @@ -51,3 +75,12 @@ Then send `!pm mailbox NAME` to expose this Matrix room as an inbox with the ema Send `!pm help` to the room to see the bot's help menu for additional commands. You can also refer to the upstream [documentation](https://gitlab.com/etke.cc/postmoogle). + +### Debug/Logs +In case you need to debug declare: + +```yaml +matrix_bot_postmoogle_loglevel: 'DEBUG' +``` + +And access it through `journalctl -fu matrix-bot-postmoogle` \ No newline at end of file diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 5fa2b1d2a..be60a5f45 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -40,8 +40,6 @@ If your distro runs within an [LXC container](https://linuxcontainers.org/), you - `5349/udp`: TURN over UDP (used by Coturn) - `8448/tcp`: Matrix Federation API HTTPS webserver. In some cases, this **may necessary even with federation disabled**. Integration Servers (like Dimension) and Identity Servers (like ma1sd) may need to access `openid` APIs on the federation port. - the range `49152-49172/udp`: TURN over UDP - - `25/tcp`: SMTP over TCP (used by Postmoogle) - - `587/tcp`: TLS over TCP (used by Postmoogle) - potentially some other ports, depending on the additional (non-default) services that you enable in the **configuring the playbook** step (later on). Consult each service's documentation page in `docs/` for that. When ready to proceed, continue with [Configuring DNS](configuring-dns.md). diff --git a/roles/custom/matrix-bot-postmoogle/defaults/main.yml b/roles/custom/matrix-bot-postmoogle/defaults/main.yml index 4eeb835be..0c9db2d70 100644 --- a/roles/custom/matrix-bot-postmoogle/defaults/main.yml +++ b/roles/custom/matrix-bot-postmoogle/defaults/main.yml @@ -81,10 +81,10 @@ matrix_bot_postmoogle_maxsize: '1024' # A list of admins # Example set of rules: # matrix_bot_postmoogle_admins: -# - @someone:example.com -# - @another:example.com -# - @bot.*:example.com -# - @*:another.com +# - '@someone:example.com' +# - '@another:example.com' +# - '@bot.*:example.com' +# - '@*:another.com' matrix_bot_postmoogle_admins: "{{ [matrix_admin] if matrix_admin else [] }}" # Sentry DSN. Deprecated, use matrix_bot_postmoogle_monitoring_sentry_dsn From d3f85c5c7ca53610aa1233f542fd004cabc36daa Mon Sep 17 00:00:00 2001 From: anytimesoon Date: Mon, 29 May 2023 19:05:05 +0200 Subject: [PATCH 28/41] Update configuring-playbook-bot-chatgpt.md added an extra step to creating the chatgpt bot so it can read encrypted messages --- docs/configuring-playbook-bot-chatgpt.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bot-chatgpt.md b/docs/configuring-playbook-bot-chatgpt.md index 7a006816d..fa7972cae 100644 --- a/docs/configuring-playbook-bot-chatgpt.md +++ b/docs/configuring-playbook-bot-chatgpt.md @@ -20,10 +20,12 @@ ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.chatgpt ``` -## 2. Get an access token +## 2. Get an access token and create encryption keys Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md). +To make sure the bot can read encrypted messages, it will need an encryption key, just like any other new user. While obtaining the access token, follow the prompts to setup a backup key. More information can be found in the [element documentation](https://element.io/help#encryption6). + ## 3. Adjusting the playbook configuration From 127b60a1cec2c12623ce7637c2f18ab123a2af0b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 30 May 2023 09:09:24 +0300 Subject: [PATCH 29/41] Fixing typos and rewording --- docs/configuring-playbook-bot-postmoogle.md | 40 +++++++++++---------- 1 file changed, 21 insertions(+), 19 deletions(-) diff --git a/docs/configuring-playbook-bot-postmoogle.md b/docs/configuring-playbook-bot-postmoogle.md index 4d4ba520e..b66285a51 100644 --- a/docs/configuring-playbook-bot-postmoogle.md +++ b/docs/configuring-playbook-bot-postmoogle.md @@ -5,25 +5,22 @@ The playbook can install and configure [Postmoogle](https://gitlab.com/etke.cc/postmoogle) for you. It's a bot/bridge you can use to forward emails to Matrix rooms. -Postmoogle runs an email server through SMTP and allaws you to create mailboxes to the domain you define in the DNS settings. +Postmoogle runs an SMTP email server and allows you to assign mailbox addresses to Matrix rooms. See the project's [documentation](https://gitlab.com/etke.cc/postmoogle) to learn what it does and why it might be useful to you. ## Prerequisites -### Ports +### Networking + +Open the following ports on your server to be able to receive incoming emails: -Open the following ports to your server (without it you will not recive email, but you can still send): - `25/tcp`: SMTP - - `587/tcp`: TLS-encrypted SMTP + - `587/tcp`: Submission (TLS-encrypted SMTP) -You can change the above default ports through the following variables in the playbook: +If you don't open these ports, you will still be able to send emails, but not receive any. -```yaml -# on-host ports -matrix_bot_postmoogle_smtp_host_bind_port: '25' -matrix_bot_postmoogle_submission_host_bind_port: '587' -``` +These port numbers are configurable via the `matrix_bot_postmoogle_smtp_host_bind_port` and `matrix_bot_postmoogle_submission_host_bind_port` variables, but other email servers will try to deliver on these default (standard) ports, so changing them is of little use. ### Adjusting the playbook configuration @@ -38,16 +35,20 @@ matrix_bot_postmoogle_enabled: true # Generate a strong password here. Consider generating it with `pwgen -s 64 1` matrix_bot_postmoogle_password: PASSWORD_FOR_THE_BOT -``` -Add an admin to Postmoogle with: -```yaml -matrix_bot_postmoogle_admins: - - '@yourAdminAccount:domain.com' +# Uncomment to add one or more admins to this bridge: +# +# matrix_bot_postmoogle_admins: +# - '@yourAdminAccount:domain.com' +# +# .. unless you've made yourself an admin of all bridges like this: +# +# matrix_admin: '@yourAdminAccount:domain.com' ``` ### DNS -You will also need to add several DNS records so that postmoogle can send emails. + +You will also need to add several DNS records so that Postmoogle can send emails. See [Configuring DNS](configuring-dns.md). @@ -77,10 +78,11 @@ Send `!pm help` to the room to see the bot's help menu for additional commands. You can also refer to the upstream [documentation](https://gitlab.com/etke.cc/postmoogle). ### Debug/Logs -In case you need to debug declare: + +As with all other services, you can find their logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by running something like `journalctl -fu matrix-bot-postmoogle` + +The default logging level for this bridge is `INFO`, but you can increase it to `DEBUG` with the following additional configuration: ```yaml matrix_bot_postmoogle_loglevel: 'DEBUG' ``` - -And access it through `journalctl -fu matrix-bot-postmoogle` \ No newline at end of file From dca6db15daf35c1c08e25b24639ce1a039ffe88c Mon Sep 17 00:00:00 2001 From: Sergio Durigan Junior Date: Tue, 30 May 2023 22:59:33 -0400 Subject: [PATCH 30/41] Fix prefix path when loading Hydrogen's theme-element.json This is needed when using a prefix path that doesn't end with a slash. Signed-off-by: Sergio Durigan Junior --- roles/custom/matrix-client-hydrogen/templates/config.json.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-hydrogen/templates/config.json.j2 b/roles/custom/matrix-client-hydrogen/templates/config.json.j2 index e503c105b..519d22615 100644 --- a/roles/custom/matrix-client-hydrogen/templates/config.json.j2 +++ b/roles/custom/matrix-client-hydrogen/templates/config.json.j2 @@ -3,7 +3,7 @@ "defaultHomeServer": {{ matrix_client_hydrogen_default_hs_url | string | to_json }}, "bugReportEndpointUrl": {{ matrix_client_hydrogen_bugReportEndpointUrl | to_json }}, "themeManifests": [ - "{{ matrix_client_hydrogen_path_prefix }}assets/theme-element.json" + "{{ '' if matrix_client_hydrogen_path_prefix == '/' else matrix_client_hydrogen_path_prefix }}/assets/theme-element.json" ], "defaultTheme": { "light": "element-light", From e53c6c802004b89eea994b127b82f60ac012a617 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 26 May 2023 10:17:20 +0300 Subject: [PATCH 31/41] Revert "Revert "Update hookshot 4.0.0 -> 4.1.0"" This reverts commit f98f803b4404c739e19da6b27fd857ceaac93880. As the docker image has been released for this version we can now upgrade to this version --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 18fc01525..247c542b7 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml @@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git" matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}" -matrix_hookshot_version: 4.0.0 +matrix_hookshot_version: 4.1.0 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}" matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}" From 795ce3e21dfe041db83d3fbbc9143684a5f1c273 Mon Sep 17 00:00:00 2001 From: Catalan Lover Date: Thu, 1 Jun 2023 02:14:55 +0200 Subject: [PATCH 32/41] Update Draupnir to 1.83.0 from 1.82.0 --- roles/custom/matrix-bot-draupnir/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-draupnir/defaults/main.yml b/roles/custom/matrix-bot-draupnir/defaults/main.yml index 6ee99a358..bd0e2defa 100644 --- a/roles/custom/matrix-bot-draupnir/defaults/main.yml +++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml @@ -4,7 +4,7 @@ matrix_bot_draupnir_enabled: true -matrix_bot_draupnir_version: "v1.82.0" +matrix_bot_draupnir_version: "v1.83.0" matrix_bot_draupnir_container_image_self_build: false matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/Gnuxie/Draupnir.git" From 4acb54f7967445f3ccfc8685fdf988f0f14b7d57 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Thu, 1 Jun 2023 08:18:49 +0000 Subject: [PATCH 33/41] Update mautrix-facebook 0.4.1 -> 0.5.0 --- roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml index ba718a668..dcd9fdfa0 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -7,7 +7,7 @@ matrix_mautrix_facebook_enabled: true matrix_mautrix_facebook_container_image_self_build: false matrix_mautrix_facebook_container_image_self_build_repo: "https://mau.dev/mautrix/facebook.git" -matrix_mautrix_facebook_version: v0.4.1 +matrix_mautrix_facebook_version: v0.5.0 matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}mautrix/facebook:{{ matrix_mautrix_facebook_version }}" matrix_mautrix_facebook_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_facebook_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}" From 3f89e6191554da62df958bf83eaefedaa4669a2d Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Thu, 1 Jun 2023 08:21:16 +0000 Subject: [PATCH 34/41] Update mautrix-instagram 0.2.3 -> 0.3.0 --- roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml index ef696fa80..2288fb776 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mautrix_instagram_container_image_self_build: false matrix_mautrix_instagram_container_image_self_build_repo: "https://github.com/mautrix/instagram.git" matrix_mautrix_instagram_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_instagram_version == 'latest' else matrix_mautrix_instagram_version }}" -matrix_mautrix_instagram_version: v0.2.3 +matrix_mautrix_instagram_version: v0.3.0 # See: https://mau.dev/tulir/mautrix-instagram/container_registry matrix_mautrix_instagram_docker_image: "{{ matrix_mautrix_instagram_docker_image_name_prefix }}mautrix/instagram:{{ matrix_mautrix_instagram_version }}" matrix_mautrix_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_instagram_container_image_self_build else 'dock.mau.dev/' }}" From 0a3e93e47c55c96ba60ed6102ebe72a0172891e7 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Thu, 1 Jun 2023 08:22:35 +0000 Subject: [PATCH 35/41] Update chatgpt 3.1.0 -> 3.1.2 --- roles/custom/matrix-bot-chatgpt/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-chatgpt/defaults/main.yml b/roles/custom/matrix-bot-chatgpt/defaults/main.yml index 36cc60c0e..00eae1676 100644 --- a/roles/custom/matrix-bot-chatgpt/defaults/main.yml +++ b/roles/custom/matrix-bot-chatgpt/defaults/main.yml @@ -4,7 +4,7 @@ matrix_bot_chatgpt_enabled: true -matrix_bot_chatgpt_version: 3.1.0 +matrix_bot_chatgpt_version: 3.1.2 matrix_bot_chatgpt_container_image_self_build: false matrix_bot_chatgpt_container_image_self_build_repo: "https://github.com/matrixgpt/matrix-chatgpt-bot" From 37165ef20259405e735b5aa2927025202e7573a8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 2 Jun 2023 10:44:31 +0300 Subject: [PATCH 36/41] Upgrade Traefik (v2.10.1-0 -> v2.10.1-1) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index bd260d6cc..3c2572ab3 100644 --- a/requirements.yml +++ b/requirements.yml @@ -26,7 +26,7 @@ - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git version: v1.0.0-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: v2.10.1-0 + version: v2.10.1-1 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: v2.8.1-0 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git From e4498f9568667a2914a70942e0a8dc7231a5afe0 Mon Sep 17 00:00:00 2001 From: Luke Moch <19363185+mochman@users.noreply.github.com> Date: Fri, 2 Jun 2023 06:23:30 -0400 Subject: [PATCH 37/41] Fix for hookshot validation failure --- roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml b/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml index 576eb0079..05e5cb856 100644 --- a/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml @@ -81,7 +81,7 @@ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} --cap-drop=ALL -v {{ matrix_hookshot_base_path }}/config.yml:/config.yml - {{ matrix_hookshot_docker_image }} node Config/Config.js /config.yml + {{ matrix_hookshot_docker_image }} node config/Config.js /config.yml register: hookshot_config_validation_result changed_when: false From 1f0da9f744156eb36070e301842806046e93b62b Mon Sep 17 00:00:00 2001 From: Luke D Iremadze Date: Fri, 2 Jun 2023 12:50:46 -0600 Subject: [PATCH 38/41] Create hooks for user search ability --- roles/custom/matrix-synapse/defaults/main.yml | 5 +++++ .../matrix-synapse/templates/synapse/homeserver.yaml.j2 | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index a0169eb0c..df2f7bf8c 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -334,6 +334,11 @@ matrix_synapse_limit_profile_requests_to_users_who_share_rooms: false # Defaults to 'true'. matrix_synapse_include_profile_data_on_invite: true + +# User search behaviour +matrix_synapse_search_all_users: false +matrix_synapse_prefer_local_users: false + # Controls whether people with access to the homeserver can register by themselves. matrix_synapse_enable_registration: false # Controls whether people with access to the homeserver can register by themselves without verification (email/msisdn/token) diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index a36df6fc0..ebfc2711c 100644 --- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2630,7 +2630,7 @@ user_directory: # Uncomment to return search results containing all known users, even if that # user does not share a room with the requester. # - #search_all_users: true + search_all_users: {{ matrix_synapse_search_all_users|to_json }} # Defines whether to prefer local users in search query results. # If True, local users are more likely to appear above remote users @@ -2639,7 +2639,7 @@ user_directory: # Uncomment to prefer local over remote users in user directory search # results. # - #prefer_local_users: true + prefer_local_users: {{ matrix_synapse_prefer_local_users|to_json }} # User Consent configuration From 130c278a3c42b4ba601d6eff830cf7c34fee2b7a Mon Sep 17 00:00:00 2001 From: Luke D Iremadze Date: Fri, 2 Jun 2023 23:38:57 -0600 Subject: [PATCH 39/41] Update roles/custom/matrix-synapse/defaults/main.yml Co-authored-by: Slavi Pantaleev --- roles/custom/matrix-synapse/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index df2f7bf8c..4376a960e 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -336,8 +336,8 @@ matrix_synapse_include_profile_data_on_invite: true # User search behaviour -matrix_synapse_search_all_users: false -matrix_synapse_prefer_local_users: false +matrix_synapse_user_directory_search_all_users: false +matrix_synapse_user_directory_prefer_local_users: false # Controls whether people with access to the homeserver can register by themselves. matrix_synapse_enable_registration: false From 2f4428bf5b4c1f6658d33236f824748db455b2f9 Mon Sep 17 00:00:00 2001 From: Luke D Iremadze Date: Fri, 2 Jun 2023 23:39:17 -0600 Subject: [PATCH 40/41] Update roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 Co-authored-by: Slavi Pantaleev --- .../custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index ebfc2711c..05700c9b5 100644 --- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2639,7 +2639,7 @@ user_directory: # Uncomment to prefer local over remote users in user directory search # results. # - prefer_local_users: {{ matrix_synapse_prefer_local_users|to_json }} + prefer_local_users: {{ matrix_synapse_user_directory_prefer_local_users | to_json }} # User Consent configuration From 5c0279f0c962b29ab6cf75c7bb7ff94d8e5e3e7e Mon Sep 17 00:00:00 2001 From: Luke D Iremadze Date: Fri, 2 Jun 2023 23:39:55 -0600 Subject: [PATCH 41/41] Update roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 Co-authored-by: Slavi Pantaleev --- .../custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 05700c9b5..f42f6e309 100644 --- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2630,7 +2630,7 @@ user_directory: # Uncomment to return search results containing all known users, even if that # user does not share a room with the requester. # - search_all_users: {{ matrix_synapse_search_all_users|to_json }} + search_all_users: {{ matrix_synapse_user_directory_search_all_users | to_json }} # Defines whether to prefer local users in search query results. # If True, local users are more likely to appear above remote users