diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml
index a238e5037..e203ff0d8 100644
--- a/roles/matrix-base/defaults/main.yml
+++ b/roles/matrix-base/defaults/main.yml
@@ -101,6 +101,9 @@ matrix_client_element_e2ee_secure_backup_setup_methods: []
 # The Docker network that all services would be put into
 matrix_docker_network: "matrix"
 
+# Controls whether we'll enable IPv6 in docker
+matrix_docker_ipv6_enabled: true
+
 # Controls whether we'll preserve the vars.yml file on the Matrix server.
 # If you have a differently organized inventory, you may wish to disable this feature,
 # or to repoint `matrix_vars_yml_snapshotting_src` to the file you'd like to preserve.
diff --git a/roles/matrix-base/tasks/server_base/docker_ipv6.yml b/roles/matrix-base/tasks/server_base/docker_ipv6.yml
new file mode 100644
index 000000000..cebbac784
--- /dev/null
+++ b/roles/matrix-base/tasks/server_base/docker_ipv6.yml
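Review bot: The new `matrix_docker_ipv6_enabled` default of `true` opts every existing deployment into the IPv6 setup on its next run, and the one-line comment does not say what that entails: the tasks added in this same commit install a `matrix-ip6tables` systemd unit that adds an ip6tables NAT rule for `fd00::/80`, attach that subnet to the `matrix` Docker network, and, when the flag is later set to `false`, delete `/etc/docker/daemon.json`. I'd extend the comment so operators can decide before running, e.g. `# Controls whether we'll enable IPv6 in docker.` / `# When enabled, matrix-ip6tables.service is installed (ip6tables NAT for fd00::/80) and the Docker network gets that IPv6 subnet.` / `# When disabled, the unit is removed and /etc/docker/daemon.json is deleted.` Hosts without IPv6 connectivity, or where `ip6tables` is not installed, presumably want this set to `false`, which is worth stating here as well.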
@@ -0,0 +1,52 @@ +--- + +- block: + - name: Ensure matrix-ip6tables.service exists + template: + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_systemd_path }}/{{ item }}" + owner: "root" + group: "root" + mode: 0644 + with_items: + - matrix-ip6tables.service + register: matrix_ip6tables_systemd_service_result + + - name: Ensure systemd reloaded after matrix-ip6tables.service installation + service: + daemon_reload: yes + when: "matrix_ip6tables_systemd_service_result.changed" + + - name: Ensure matrix-ip6tables.service is started and autoruns + service: + name: matrix-ip6tables + state: started + enabled: yes + + when: "matrix_docker_ipv6_enabled|bool" + + +- block: + - name: Check existence of matrix-ip6tables service + stat: + path: "{{ matrix_systemd_path }}/matrix-ip6tables.service" + register: matrix_ip6tables_service_stat + + - name: Ensure matrix-ip6tables.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-ip6tables.service" + state: absent + when: "matrix_ip6tables_service_stat.stat.exists" + + - name: Ensure systemd reloaded after matrix-ip6tables.service removal + service: + daemon_reload: yes + when: "matrix_ip6tables_service_stat.stat.exists" + + - name: Ensure /etc/docker/daemon.json doesn't exist + file: + path: "/etc/docker/daemon.json" + state: absent + + when: "not matrix_docker_ipv6_enabled|bool" + diff --git a/roles/matrix-base/tasks/server_base/setup.yml b/roles/matrix-base/tasks/server_base/setup.yml index 64f461ef1..89a48b661 100644 --- a/roles/matrix-base/tasks/server_base/setup.yml +++ b/roles/matrix-base/tasks/server_base/setup.yml @@ -27,6 +27,8 @@ - include_tasks: "{{ role_path }}/tasks/server_base/setup_archlinux.yml" when: ansible_distribution == 'Archlinux' +- include_tasks: "{{ role_path }}/tasks/server_base/docker_ipv6.yml" + - name: Ensure Docker is started and autoruns service: name: docker 
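Review bot: The task `Ensure /etc/docker/daemon.json doesn't exist` in the `not matrix_docker_ipv6_enabled|bool` block deletes the host's whole Docker daemon configuration, including any operator-managed settings unrelated to IPv6, and nothing in this diff writes that file. Unless a task outside this diff creates it, I'd drop that task; if the role does own the file, remove it only when the role wrote it rather than unconditionally. The removal block also deletes the unit file while the unit may still be active: add a `service: name: matrix-ip6tables, state: stopped, enabled: false` task before the `state: absent` task, guarded by the same `matrix_ip6tables_service_stat.stat.exists` check, so systemd does not keep a stale active unit and any cleanup the unit gains can run. As written, the NAT rule the unit appended stays in the kernel after the flag is turned off until the next reboot.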
diff --git a/roles/matrix-base/tasks/setup_matrix_base.yml b/roles/matrix-base/tasks/setup_matrix_base.yml index 0fad2b3d6..155015019 100644 --- a/roles/matrix-base/tasks/setup_matrix_base.yml +++ b/roles/matrix-base/tasks/setup_matrix_base.yml @@ -23,6 +23,9 @@ docker_network: name: "{{ matrix_docker_network }}" driver: bridge + enable_ipv6: " {{ matrix_docker_ipv6_enabled|bool }}" + ipam_config: + - subnet: "fd00::/80" - name: Ensure matrix-remove-all script created template: diff --git a/roles/matrix-base/templates/matrix-ip6tables.service.j2 b/roles/matrix-base/templates/matrix-ip6tables.service.j2 new file mode 100644 index 000000000..cf4f8d032 --- /dev/null +++ b/roles/matrix-base/templates/matrix-ip6tables.service.j2 @@ -0,0 +1,15 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix ip6tables rule to enable IPv6 internet access from containers +DefaultDependencies=no + +[Service] +Type=oneshot +Environment="HOME={{ matrix_systemd_unit_home_path }}" + +ExecStart=ip6tables -t nat -A POSTROUTING -s fd00::/80 ! -o docker0 -j MASQUERADE + +SyslogIdentifier=matrix-ip6tables + +[Install] +WantedBy=multi-user.target
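Review bot: `enable_ipv6: " {{ matrix_docker_ipv6_enabled|bool }}"` has a stray leading space inside the quotes, so the module receives `" True"`/`" False"` rather than a boolean; Ansible's boolean conversion appears to strip whitespace, but the intent is clearer as `enable_ipv6: "{{ matrix_docker_ipv6_enabled|bool }}"`. The `fd00::/80` subnet is hard-coded here and again in matrix-ip6tables.service.j2, so the two can drift; a single default such as `matrix_docker_network_ipv6_subnet: "fd00::/80"` used in both places keeps the NAT rule and the network in sync. `ipam_config` is also applied regardless of the flag, so a deployment with `matrix_docker_ipv6_enabled: false` still gets an IPv6 pool attached (and Docker may refuse an IPv6 IPAM pool on a network without IPv6 enabled — worth verifying), and changing IPAM on an existing network can make the module recreate it, disconnecting running containers. The `docker_network` task begins outside the hunk.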
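Review bot: `ExecStart=ip6tables -t nat -A POSTROUTING ...` appends the rule unconditionally on every start of a `Type=oneshot` unit with no `RemainAfterExit` and no `ExecStop`, so each restart adds a duplicate MASQUERADE rule and disabling the feature later leaves the rule in the kernel until reboot. I'd make it idempotent and reversible: `ExecStart=/bin/sh -c 'ip6tables -t nat -C POSTROUTING -s fd00::/80 ! -o docker0 -j MASQUERADE || ip6tables -t nat -A POSTROUTING -s fd00::/80 ! -o docker0 -j MASQUERADE'`, `ExecStop=/bin/sh -c 'ip6tables -t nat -D POSTROUTING -s fd00::/80 ! -o docker0 -j MASQUERADE'`, `RemainAfterExit=yes`. Older systemd releases also require an absolute path in `ExecStart`/`ExecStop`, so invoking via `/bin/sh -c` or the installed `ip6tables` path is safer than the bare command name. The `! -o docker0` match only exempts the default bridge, while the `matrix` network created in this commit is a user-defined bridge with its own interface, so the rule presumably also masquerades traffic leaving via that bridge — confirm that is intended.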