From 18ab8dfdffeaf682ef0322f504145f56f1f51857 Mon Sep 17 00:00:00 2001 From: Catalan Lover Date: Thu, 11 May 2023 18:54:43 +0200 Subject: [PATCH 01/47] Remove manual Database Access steps and replace with Admin API Guide --- docs/configuring-playbook-bot-draupnir.md | 24 +++------------------ docs/configuring-playbook-bot-mjolnir.md | 26 +++-------------------- 2 files changed, 6 insertions(+), 44 deletions(-) diff --git a/docs/configuring-playbook-bot-draupnir.md b/docs/configuring-playbook-bot-draupnir.md index 11960474a..62e8c3d68 100644 --- a/docs/configuring-playbook-bot-draupnir.md +++ b/docs/configuring-playbook-bot-draupnir.md 
@@ -30,30 +30,12 @@ Refer to the documentation on [how to obtain an access token](obtaining-access-t ## 3. Make sure the account is free from rate limiting -You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step draupnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). This can also be manually done by editing the Synapse database. Manually editing the Synapse database is rarely a good idea. Please ask for help if you are uncomfortable with these steps. +You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step draupnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). Please ask for help if you are uncomfortable with these steps or run into issues. -1. Copy the statement below into a text editor. +If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](docs/configuring-playbook-synapse-admin.md) or running `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands. - ``` - INSERT INTO ratelimit_override VALUES ('@bot.draupnir:DOMAIN', 0, 0); - ``` +The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer " -X DELETE https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with your own MXID and example.com with your homeserver domain. 
You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Draupnir it self. If you made Draupnir Admin you can just use the Draupnir token. -1. Change the username (`@bot.draupnir:DOMAIN`) to the username you used when you registered the bot's account. You must change `DOMAIN` to your server's domain. - -1. Get a database terminal by following these steps: [maintenance-postgres.md#getting-a-database-terminal](maintenance-postgres.md#getting-a-database-terminal) - -1. Connect to Synapse's database by typing `\connect synapse` into the database terminal - -1. Paste in the `INSERT INTO` command that you edited and press enter. - -You can run `SELECT * FROM ratelimit_override;` to see if it worked. If the output looks like this: - -``` - user_id | messages_per_second | burst_count ------------------------+---------------------+------------- - @bot.draupnir:raim.ist | 0 | 0` -``` -then you did it correctly. ## 4. Create a management room diff --git a/docs/configuring-playbook-bot-mjolnir.md b/docs/configuring-playbook-bot-mjolnir.md index 5fc6331e3..0b7ce43d5 100644 --- a/docs/configuring-playbook-bot-mjolnir.md +++ b/docs/configuring-playbook-bot-mjolnir.md 
@@ -29,31 +29,11 @@ Refer to the documentation on [how to obtain an access token](obtaining-access-t ## 3. Make sure the account is free from rate limiting -You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step Mjolnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). This can also be manually done by editing the Synapse database. Manually editing the Synapse database is rarely a good idea. Please ask for help if you are uncomfortable with these steps. +You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step Mjolnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). Please ask for help if you are uncomfortable with these steps or run into issues. -1. Copy the statement below into a text editor. - - ``` - INSERT INTO ratelimit_override VALUES ('@bot.mjolnir:DOMAIN', 0, 0); - ``` - -1. Change the username (`@bot.mjolnir:DOMAIN`) to the username you used when you registered the bot's account. You must change `DOMAIN` to your server's domain. - -1. Get a database terminal by following these steps: [maintenance-postgres.md#getting-a-database-terminal](maintenance-postgres.md#getting-a-database-terminal) - -1. Connect to Synapse's database by typing `\connect synapse` into the database terminal - -1. Paste in the `INSERT INTO` command that you edited and press enter. - -You can run `SELECT * FROM ratelimit_override;` to see if it worked. If the output looks like this: - -``` - user_id | messages_per_second | burst_count ------------------------+---------------------+------------- - @bot.mjolnir:raim.ist | 0 | 0` -``` -then you did it correctly. 
+If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](docs/configuring-playbook-synapse-admin.md) or running `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands. +The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer " -X DELETE https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with your own MXID and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Mjolnir it self. If you made Mjolnir Admin you can just use the Mjolnir token. ## 4. Create a management room From 6b3ae35ef5e223b56764c12ca3cec1fa93238f07 Mon Sep 17 00:00:00 2001 From: Catalan Lover Date: Thu, 11 May 2023 19:07:35 +0200 Subject: [PATCH 02/47] Fix Typo --- docs/configuring-playbook-bot-draupnir.md | 2 +- docs/configuring-playbook-bot-mjolnir.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-bot-draupnir.md b/docs/configuring-playbook-bot-draupnir.md index 62e8c3d68..23fa644f1 100644 --- a/docs/configuring-playbook-bot-draupnir.md +++ b/docs/configuring-playbook-bot-draupnir.md 
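Review bot: the curl example added to both files sends an empty credential (`--header "Authorization: Bearer "`), so a reader who copies it verbatim gets a 401 and no hint as to why; put a visible placeholder after `Bearer` (for example `ADMIN_ACCESS_TOKEN`) and have the "Replace ..." sentence cover it alongside `@example:example.com`. That token is a homeserver admin credential (the text even suggests reusing the bot's token if the bot was made admin), so the same sentence should say to treat it accordingly and not leave it in shell history or pasted into chat when asking for help. The sentence beginning "If your Synapse Admin API is exposed to the internet ..." has no main clause; it should say what follows from the API being exposed (that the command can be run from anywhere that can reach `matrix.example.com`) before the contrasting sentence, which itself reads better as "If the API is not externally exposed, you can still run these commands on the host that runs Synapse, against its local address". The link `[Link](docs/configuring-playbook-synapse-admin.md)` is written from the repository root but the file lives in `docs/`, so it resolves to `docs/docs/...`; use `configuring-playbook-synapse-admin.md`, matching how `maintenance-postgres.md` was linked in the removed lines.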
@@ -34,7 +34,7 @@ You will need to prevent Synapse from rate limiting the bot's account. This is n If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](docs/configuring-playbook-synapse-admin.md) or running `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands. -The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer " -X DELETE https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with your own MXID and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Draupnir it self. If you made Draupnir Admin you can just use the Draupnir token. +The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer " -X DELETE https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with the MXID of your Draupnir and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Draupnir it self. If you made Draupnir Admin you can just use the Draupnir token. diff --git a/docs/configuring-playbook-bot-mjolnir.md b/docs/configuring-playbook-bot-mjolnir.md index 0b7ce43d5..e69655aa5 100644 --- a/docs/configuring-playbook-bot-mjolnir.md +++ b/docs/configuring-playbook-bot-mjolnir.md 
@@ -33,7 +33,7 @@ You will need to prevent Synapse from rate limiting the bot's account. This is n If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](docs/configuring-playbook-synapse-admin.md) or running `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands. -The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer " -X DELETE https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with your own MXID and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Mjolnir it self. If you made Mjolnir Admin you can just use the Mjolnir token. +The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer " -X DELETE https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with the MXID of your Mjolnir and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Mjolnir it self. If you made Mjolnir Admin you can just use the Mjolnir token. ## 4. Create a management room From 73209a0554911d8266b37c15752b993b97140696 Mon Sep 17 00:00:00 2001 
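Review bot: the line rewritten in both files still carries the empty `Authorization: Bearer ` header and "it self" (should be "itself"), so this "Fix Typo" pass improves the MXID wording but leaves the part most likely to trip readers; since the whole line is being replaced anyway, add a token placeholder after `Bearer` in the same change.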
From: Slavi Pantaleev Date: Fri, 12 May 2023 07:00:58 +0300 Subject: [PATCH 03/47] Update aux role documentation, removing old matrix-aux references --- docs/configuring-playbook-bridge-hookshot.md | 12 ++++++------ docs/configuring-playbook-matrix-corporal.md | 2 +- docs/configuring-playbook-ssl-certificates.md | 12 ++++++------ docs/configuring-playbook-sygnal.md | 4 ++-- 4 files changed, 15 insertions(+), 15 deletions(-) diff --git a/docs/configuring-playbook-bridge-hookshot.md b/docs/configuring-playbook-bridge-hookshot.md index 54f6636b9..48a66a8ea 100644 --- a/docs/configuring-playbook-bridge-hookshot.md +++ b/docs/configuring-playbook-bridge-hookshot.md 
@@ -16,7 +16,7 @@ Refer to the [official instructions](https://matrix-org.github.io/matrix-hooksho 1. Enable the bridge by adding `matrix_hookshot_enabled: true` to your `vars.yml` file 2. For each of the services (GitHub, GitLab, Jira, Figma, generic webhooks) fill in the respective variables `matrix_hookshot_service_*` listed in [main.yml](/roles/custom/matrix-bridge-hookshot/defaults/main.yml) as required. 3. Take special note of the `matrix_hookshot_*_enabled` variables. Services that need no further configuration are enabled by default (GitLab, Generic), while you must first add the required configuration and enable the others (GitHub, Jira, Figma). -4. If you're setting up the GitHub bridge, you'll need to generate and download a private key file after you created your GitHub app. Copy the contents of that file to the variable `matrix_hookshot_github_private_key` so the playbook can install it for you, or use one of the [other methods](#manage-github-private-key-with-matrix-aux-role) explained below. +4. If you're setting up the GitHub bridge, you'll need to generate and download a private key file after you created your GitHub app. Copy the contents of that file to the variable `matrix_hookshot_github_private_key` so the playbook can install it for you, or use one of the [other methods](#manage-github-private-key-with-aux-role) explained below. 5. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready. Hookshot can be set up individually using the tag `setup-hookshot`. Other configuration options are available via the `matrix_hookshot_configuration_extension_yaml` and `matrix_hookshot_registration_extension_yaml` variables, see the comments in [main.yml](/roles/custom/matrix-bridge-hookshot/defaults/main.yml) for how to use them. 
@@ -58,23 +58,23 @@ See also `matrix_hookshot_matrix_nginx_proxy_configuration` in [init.yml](/roles The different listeners are also reachable *internally* in the docker-network via the container's name (configured by `matrix_hookshot_container_url`) and on different ports (e.g. `matrix_hookshot_appservice_port`). Read [main.yml](/roles/custom/matrix-bridge-hookshot/defaults/main.yml) in detail for more info. -### Manage GitHub Private Key with matrix-aux role +### Manage GitHub Private Key with aux role The GitHub bridge requires you to install a private key file. This can be done in multiple ways: - copy the *contents* of the downloaded file and set the variable `matrix_hookshot_github_private_key` to the contents (see example in [main.yml](/roles/custom/matrix-bridge-hookshot/defaults/main.yml)). - somehow copy the file to the path `{{ matrix_hookshot_base_path }}/{{ matrix_hookshot_github_private_key_file }}` (default: `/matrix/hookshot/private-key.pem`) on the server manually. -- use the `matrix-aux` role to copy the file from an arbitrary path on your ansible client to the correct path on the server. +- use the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux) to copy the file from an arbitrary path on your ansible client to the correct path on the server. -To use `matrix-aux`, make sure the `matrix_hookshot_github_private_key` variable is empty. Then add to `matrix-aux` configuration like this: +To use the `aux` role, make sure the `matrix_hookshot_github_private_key` variable is empty. 
Then add the following additional configuration: ```yaml -matrix_aux_file_definitions: +aux_file_definitions: - dest: "{{ matrix_hookshot_base_path }}/{{ matrix_hookshot_github_private_key_file }}" content: "{{ lookup('file', '/path/to/your-github-private-key.pem') }}" mode: '0400' owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" ``` -For more info see the documentation in the [matrix-aux base configuration file](/roles/custom/matrix-aux/defaults/main.yml). +For more information, see the documentation in the [default configuration of the aux role](https://github.com/mother-of-all-self-hosting/ansible-role-aux/blob/main/defaults/main.yml). ### Provisioning API diff --git a/docs/configuring-playbook-matrix-corporal.md b/docs/configuring-playbook-matrix-corporal.md index eb635c641..2000cfd99 100644 --- a/docs/configuring-playbook-matrix-corporal.md +++ b/docs/configuring-playbook-matrix-corporal.md @@ -91,7 +91,7 @@ matrix_corporal_policy_provider_config: | } # Modify the policy below as you see fit -matrix_aux_file_definitions: +aux_file_definitions: - dest: "{{ matrix_corporal_config_dir_path }}/policy.json" content: | { diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md index 9fa9f84b8..6a215973b 100644 --- a/docs/configuring-playbook-ssl-certificates.md +++ b/docs/configuring-playbook-ssl-certificates.md 
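Review bot: the updated anchor `#manage-github-private-key-with-aux-role` in step 4 matches the new heading `### Manage GitHub Private Key with aux role`, and the `aux_file_definitions` example keeps `mode: '0400'` with the `matrix` owner and group, which is the right permission set for a private key. Two points on the hunk: the new link to the role's `defaults/main.yml` on the `blob/main` branch is unpinned, while `requirements.yml` pins `aux` to a release tag, so the documented defaults can drift from what the playbook installs; link to the tag that `requirements.yml` uses. Also, `content: "{{ lookup('file', '/path/to/your-github-private-key.pem') }}"` turns the key into an ordinary Ansible variable, so a sentence next to the example saying whether the `aux` role's file task suppresses that content in verbose/diff output would help readers decide between this method and copying the file by hand.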
@@ -40,9 +40,9 @@ If you'd like to use your own SSL certificates, instead of the default (SSL cert To use your own SSL certificates with Traefik, you need to: - disable [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) / [Let's Encrypt](https://letsencrypt.org/) support -- put a custom Traefik configuration file on the server, with the help of this Ansible playbook (via the `matrix-aux` role) or manually +- put a custom Traefik configuration file on the server, with the help of this Ansible playbook (via the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux)) or manually - register your custom configuration file with Traefik, by adding an extra provider of type [file](https://doc.traefik.io/traefik/providers/file/) -- put the SSL files on the server, with the help of this Ansible playbook (via the `matrix-aux` role) or manually +- put the SSL files on the server, with the help of this Ansible playbook (via the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux)) or manually ```yaml # Disable ACME / Let's Encrypt support. @@ -53,7 +53,7 @@ devture_traefik_config_certificatesResolvers_acme_enabled: false devture_traefik_ssl_dir_enabled: true # Tell Traefik to load our custom configuration file (certificates.yml). -# The file is created below, in `matrix_aux_file_definitions`. +# The file is created below, in `aux_file_definitions`. # The `/config/..` path is an in-container path, not a path on the host (like `/matrix/traefik/config`). Do not change it! devture_traefik_configuration_extension_yaml: | providers: 
@@ -61,9 +61,9 @@ devture_traefik_configuration_extension_yaml: | filename: /config/certificates.yml watch: true -# Use the matrix-aux role to create our custom files on the server. -# If you'd like to do this manually, you remove this `matrix_aux_file_definitions` variable. -matrix_aux_file_definitions: +# Use the aux role to create our custom files on the server. +# If you'd like to do this manually, you remove this `aux_file_definitions` variable. +aux_file_definitions: # Create the privkey.pem file on the server by # uploading a file from the computer where Ansible is running. - dest: "{{ devture_traefik_ssl_dir_path }}/privkey.pem" diff --git a/docs/configuring-playbook-sygnal.md b/docs/configuring-playbook-sygnal.md index 786498c64..2fbad04c2 100644 --- a/docs/configuring-playbook-sygnal.md +++ b/docs/configuring-playbook-sygnal.md @@ -55,7 +55,7 @@ matrix_sygnal_apps: api_key: your_api_key_for_gcm # .. more configuration .. -matrix_aux_file_definitions: +aux_file_definitions: - dest: "{{ matrix_sygnal_data_path }}/my_key.p8" content: | some 
@@ -73,7 +73,7 @@ Configuring [GCM/FCM](https://firebase.google.com/docs/cloud-messaging/) is easi To configure [APNS](https://developer.apple.com/notifications/) (Apple Push Notification Service), you'd need to provide one or more certificate files. To do that, the above example configuration: -- makes use of the `matrix-aux` role (and its `matrix_aux_file_definitions` variable) to make the playbook install files into `/matrix/sygnal/data` (the `matrix_sygnal_data_path` variable). See `roles/custom/matrix-aux/defaults/main.yml` for usage examples. It also makes sure the files are owned by `matrix:matrix`, so that Sygnal can read them. Of course, you can also install these files manually yourself, if you'd rather not use `matrix-aux`. +- makes use of the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux) (and its `aux_file_definitions` variable) to make the playbook install files into `/matrix/sygnal/data` (the `matrix_sygnal_data_path` variable). See [`defaults/main.yml` file](https://github.com/mother-of-all-self-hosting/ansible-role-aux/blob/main/defaults/main.yml) of the `aux` role for usage examples. It also makes sure the files are owned by `matrix:matrix`, so that Sygnal can read them. Of course, you can also install these files manually yourself, if you'd rather not use `aux`. - references these files in the Sygnal configuration (`matrix_sygnal_apps`) using a path like `/data/..` (the `/matrix/sygnal/data` directory on the host system is mounted into the `/data` directory inside the container) From 25a4af1d3bec29e4f64120490b71a053ad8336d1 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Sun, 14 May 2023 22:20:29 +0000 Subject: [PATCH 04/47] Update prometheus v2.43.0 -> 2.44.0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 20f286d88..c7bbbe47c 100644 --- a/requirements.yml +++ b/requirements.yml 
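Review bot: in the ssl-certificates hunk, the rewritten comment `# If you'd like to do this manually, you remove this `aux_file_definitions` variable.` is ungrammatical ("you can remove this ... variable instead"); fix it while the line is being changed. In the sygnal hunk, "See [`defaults/main.yml` file](...) of the `aux` role" should read "See the `defaults/main.yml` file of the `aux` role", and that link also points at `blob/main` rather than the release `requirements.yml` pins, same as in the hookshot document.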
@@ -42,7 +42,7 @@ - src: git+https://gitlab.com/etke.cc/roles/ntfy.git version: v2.4.0-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git - version: v2.43.0-0 + version: v2.44.0-0 name: prometheus - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git version: v1.5.0-7 From 62c92578b5fab5e1d59c959e3ffb20d32dadb02f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 15 May 2023 06:57:56 +0300 Subject: [PATCH 05/47] Upgrade Postgres (minor versions upgrade) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index c7bbbe47c..3b9952f76 100644 --- a/requirements.yml +++ b/requirements.yml @@ -16,7 +16,7 @@ - src: git+https://github.com/devture/com.devture.ansible.role.playbook_state_preserver.git version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16 - src: git+https://github.com/devture/com.devture.ansible.role.postgres.git - version: 38764398bf82b06a1736c3bfedc71dfd229e4b52 + version: v15.3-0 - src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git version: 8e9ec48a09284c84704d7a2dce17da35f181574d - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git From 49cb8b7b11a72bb44cfa3227350f4dcbb29188df Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 15 May 2023 07:33:26 +0300 Subject: [PATCH 06/47] Add Synapse main/master process to instance map Related to https://github.com/matrix-org/synapse/pull/15491 This doesn't hurt to be done early on, while still on Synapse v1.83.0. We'll be able to remove the `worker_replication_*` settings later, when Synapse v1.84.0 gets released and starts making use of the new `main` instance in the instance map instead of looking at the `worker_replication_*` settings. --- roles/custom/matrix-synapse/defaults/main.yml | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) 
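Review bot: the postgres hunk replaces a full commit SHA pin (`38764398bf82b06a1736c3bfedc71dfd229e4b52`) with a tag (`v15.3-0`). A tag can be moved or re-pushed after the fact, so a commit hash is the stronger pin for a role that runs as root on the server; the neighbouring `playbook_state_preserver` and `postgres_backup` entries in the same hunk still use hashes. If tags are preferred for readability, at least record in the commit message which commit `v15.3-0` resolved to when it was reviewed.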
diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index a1719461d..5a5e9978d 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -711,9 +711,18 @@ matrix_synapse_run_background_tasks_on: "{{ (matrix_synapse_workers_enabled_list # - { 'id': 'media-repository-0', 'name': 'matrix-synapse-worker-media-repository-0', 'type': 'media_repository', 'port': 18551, 'metrics_port': 19551, 'webserving': true } matrix_synapse_workers_enabled_list: [] -# matrix_synapse_instance_map holds the instance map used for mapping worker names (for certain generic workers only!) to where they live (host, port which handles replication traffic). -# This is populated automatically based on `matrix_synapse_workers_enabled_list` during runtime, so you're not required to tweak it manually. -matrix_synapse_instance_map: {} +# matrix_synapse_instance_map holds the instance map used for mapping worker names (for the main process and certain generic workers only!) to where they live (host, port which handles replication traffic). +# This map starts off being populated with the Synapse main (master) process, +# but will be populated with workers automatically during runtime, based on `matrix_synapse_workers_enabled_list`. +matrix_synapse_instance_map: | + {{ + { + 'main': { + 'host': 'matrix-synapse', + 'port': matrix_synapse_replication_http_port, + }, + } + }} # Redis information matrix_synapse_redis_enabled: false From 8fbe99ac2a1939c9018209c27e39632d10bd7c69 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 15 May 2023 07:37:25 +0300 Subject: [PATCH 07/47] Do not add main/master Synapse process to instance_map if workers are not in use This is meant to keep the configuration tidy for non-worker setups. Related to 49cb8b7b11a72bb44c --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
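Review bot: as written, `matrix_synapse_instance_map` always contains the `main` entry, so deployments without workers also get an `instance_map` block in the rendered configuration even though nothing replicates to the main process there; the commit message itself says the entry only matters once Synapse v1.84.0 starts reading it for worker replication, so guard the dict on the workers-enabled setting. Also, `'host': 'matrix-synapse'` is a hardcoded container name while the comment says the map is populated automatically at runtime; if worker entries derive their host from a variable, use the same source here so the two cannot diverge.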
diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 5a5e9978d..f159e01b8 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -721,7 +721,7 @@ matrix_synapse_instance_map: | 'host': 'matrix-synapse', 'port': matrix_synapse_replication_http_port, }, - } + } if matrix_synapse_workers_enabled else {} }} # Redis information From 319afc66c19f33c311d2237840e64fe09ac116af Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 16 May 2023 15:29:57 +0300 Subject: [PATCH 08/47] Fix YAML indentation --- docs/configuring-playbook-own-webserver.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index affb565fb..3d8c5b0d0 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -153,11 +153,11 @@ devture_traefik_additional_entrypoints_auto: port: 8449 host_bind_port: '127.0.0.1:8449' config: {} - # If your reverse-proxy runs on another machine, remove the config above and use this config instead: - # config: - # forwardedHeaders: - # insecure: true - # # trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY'] + # If your reverse-proxy runs on another machine, remove the config above and use this config instead: + # config: + # forwardedHeaders: + # insecure: true + # # trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY'] ``` For an example where the playbook's Traefik reverse-proxy is fronted by [Nginx](https://nginx.org/) running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md). From 5e1027960bcecf690391b8b50e64eb9ff0bc0388 Mon Sep 17 00:00:00 2001 
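Review bot: the `} if matrix_synapse_workers_enabled else {}` guard fixes the non-worker case, but the comment above it (`# This map starts off being populated with the Synapse main (master) process`) is now only true when workers are enabled; update it to say "when workers are enabled" so the next reader does not have to parse the Jinja expression to learn that.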
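Review bot: the re-indented block in the own-webserver document still presents `forwardedHeaders: insecure: true` as the suggested setting for a reverse proxy on another machine, with `trustedIPs` left commented out. With `insecure: true`, Traefik accepts `X-Forwarded-*` headers from any source, so anything that can reach the 8449 entrypoint can spoof the client IP that Synapse sees in its logs and rate limiting; since the block is being touched, consider making `trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY']` the primary example and `insecure: true` the documented fallback, with one sentence on the difference. The surrounding text should also point out that `host_bind_port: '127.0.0.1:8449'` on the line above must change when the proxy is on another machine, otherwise the entrypoint is not reachable from it at all.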
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 May 2023 16:59:08 +0000 Subject: [PATCH 09/47] Bump ansible-community/ansible-lint-action from 6.15.0 to 6.16.0 Bumps [ansible-community/ansible-lint-action](https://github.com/ansible-community/ansible-lint-action) from 6.15.0 to 6.16.0. - [Release notes](https://github.com/ansible-community/ansible-lint-action/releases) - [Commits](https://github.com/ansible-community/ansible-lint-action/compare/v6.15.0...v6.16.0) --- updated-dependencies: - dependency-name: ansible-community/ansible-lint-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/matrix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml index f69e60ff9..abca55ae2 100644 --- a/.github/workflows/matrix.yml +++ b/.github/workflows/matrix.yml @@ -21,6 +21,6 @@ jobs: - name: Check out uses: actions/checkout@v3 - name: Run ansible-lint - uses: ansible-community/ansible-lint-action@v6.15.0 + uses: ansible-community/ansible-lint-action@v6.16.0 with: path: roles/custom From c8aecef8816bae12441f89bd44fc67ced5351822 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 16 May 2023 19:46:06 +0000 Subject: [PATCH 10/47] update mautrix-whatsapp 0.8.4 -> 0.8.5 --- roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml index d54d2e1c2..20cafa7ad 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml 
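Review bot: `uses: ansible-community/ansible-lint-action@v6.16.0` pins the action by tag, and GitHub tags are mutable, so the workflow runs whatever the tag points to at the time of the run rather than the code that was reviewed here. Pin to the release's full commit SHA and keep the version in a trailing comment (`# v6.16.0`); dependabot continues to track updates in that form, and the lint job, which runs with repository access on every push, executes exactly the pinned code.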
@@ -8,7 +8,7 @@ matrix_mautrix_whatsapp_container_image_self_build: false matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautrix/whatsapp.git" matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}" -matrix_mautrix_whatsapp_version: v0.8.4 +matrix_mautrix_whatsapp_version: v0.8.5 # See: https://mau.dev/mautrix/whatsapp/container_registry matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_name_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}" matrix_mautrix_whatsapp_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_whatsapp_container_image_self_build else 'dock.mau.dev/' }}" From 3b28e29b8e8fe88291b6b4862546e93c71eb5559 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 16 May 2023 19:47:10 +0000 Subject: [PATCH 11/47] update mautrix-discord 0.3.0 -> 0.4.0 --- roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml index f088ae15f..98291d80d 100644 --- a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml 
@@ -8,7 +8,7 @@ matrix_mautrix_discord_container_image_self_build: false matrix_mautrix_discord_container_image_self_build_repo: "https://mau.dev/mautrix/discord.git" matrix_mautrix_discord_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_discord_version == 'latest' else matrix_mautrix_discord_version }}" -matrix_mautrix_discord_version: v0.3.0 +matrix_mautrix_discord_version: v0.4.0 # See: https://mau.dev/mautrix/discord/container_registry matrix_mautrix_discord_docker_image: "{{ matrix_mautrix_discord_docker_image_name_prefix }}mautrix/discord:{{ matrix_mautrix_discord_version }}" matrix_mautrix_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_discord_container_image_self_build else 'dock.mau.dev/' }}" From e435c6bb555d989f4b571d313d2a763a03cc641c Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 16 May 2023 19:48:09 +0000 Subject: [PATCH 12/47] update borgmatic 1.7.12 -> 1.7.13 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 3b9952f76..536e7e417 100644 --- a/requirements.yml +++ b/requirements.yml @@ -4,7 +4,7 @@ version: v1.0.0-0 name: aux - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git - version: v1.2.4-1.7.12-2 + version: v1.2.4-1.7.13-0 - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git version: v0.1.1-2 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git From 98d8723694a75ae04de555b8abd57a1f7d732a44 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Wed, 17 May 2023 14:58:22 +0200 Subject: [PATCH 13/47] Move postgres-exporter repo --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 536e7e417..d4bea1c6d 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -46,7 +46,7 @@ name: prometheus - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git version: v1.5.0-7 -- src: git+https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter.git +- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git version: v0.12.0-0 - src: git+https://gitlab.com/etke.cc/roles/redis.git version: v7.0.10-0 From dc4b4d87d2f1fbd5197d8958ea13c548b2a82969 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 17 May 2023 14:55:47 +0000 Subject: [PATCH 14/47] Update mautrix-signal 0.4.2 -> 0.4.3 --- roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml index f2b1048d0..ca9bab54a 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml @@ -9,7 +9,7 @@ matrix_mautrix_signal_docker_repo: "https://mau.dev/mautrix/signal.git" matrix_mautrix_signal_docker_repo_version: "{{ 'master' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}" matrix_mautrix_signal_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signal/docker-src" -matrix_mautrix_signal_version: v0.4.2 +matrix_mautrix_signal_version: v0.4.3 matrix_mautrix_signal_daemon_version: 0.23.2 # See: https://mau.dev/mautrix/signal/container_registry matrix_mautrix_signal_docker_image: "{{ matrix_mautrix_signal_docker_image_name_prefix }}mautrix/signal:{{ matrix_mautrix_signal_version }}" From 017a7951051afe2be6c6b9a6298f6a45729d6879 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 17 May 2023 21:19:47 +0300 Subject: [PATCH 15/47] Upgrade aux (v1.0.0-0 -> v1.0.0-1) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
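Review bot: In the PATCH 13 requirements.yml hunk, changing only `src` from `gitlab.com/etke.cc/roles/prometheus_postgres_exporter.git` to `github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git` also changes the installed role's name, because ansible-galaxy derives it from the repository name when no `name:` is given; anything in the playbook that references the role as `prometheus_postgres_exporter` will stop resolving. Add `name: prometheus_postgres_exporter` under the new `src`, as the neighbouring `aux` and `prometheus` entries already do.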
diff --git a/requirements.yml b/requirements.yml index 536e7e417..22a53638f 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1,7 +1,7 @@ --- - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git - version: v1.0.0-0 + version: v1.0.0-1 name: aux - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git version: v1.2.4-1.7.13-0 From c8dbb437b959c56ce8479f69bc0057e00209da17 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 17 May 2023 18:29:22 +0000 Subject: [PATCH 16/47] fix prometheus postgres exporter role name --- requirements.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/requirements.yml b/requirements.yml index cd36abd2f..57f4709f2 100644 --- a/requirements.yml +++ b/requirements.yml @@ -47,6 +47,7 @@ - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git version: v1.5.0-7 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git + name: prometheus_postgres_exporter version: v0.12.0-0 - src: git+https://gitlab.com/etke.cc/roles/redis.git version: v7.0.10-0 From 9d77950cd83175dff45845a43351eb1f2fe6dc8d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 18 May 2023 09:41:28 +0300 Subject: [PATCH 17/47] Adjust bot group names, so that they match the install/setup tags Previously `just install-service buscarron` would not fully work, because: - the systemd services were indeed tagged with `buscarron` - however, the actual installation tasks are not `install-buscarron`/`setup-buscarron`, but rather `install-bot-buscarron`/`setup-bot-buscarron` Services are now tagged with the `bot-` prefix to match the tags. --- group_vars/matrix_servers | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index f25c4b4e1..f89304f46 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -210,25 +210,25 @@ devture_systemd_service_manager_services_list_auto: | {{ ([{'name': (backup_borg_identifier + '.timer'), 'priority': 5000, 'groups': ['matrix', 'backup', 'borg']}] if backup_borg_enabled else []) + - ([{'name': 'matrix-bot-buscarron.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'buscarron']}] if matrix_bot_buscarron_enabled else []) + ([{'name': 'matrix-bot-buscarron.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'buscarron', 'bot-buscarron']}] if matrix_bot_buscarron_enabled else []) + - ([{'name': 'matrix-bot-go-neb.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'go-neb']}] if matrix_bot_go_neb_enabled else []) + ([{'name': 'matrix-bot-go-neb.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'go-neb', 'bot-go-neb']}] if matrix_bot_go_neb_enabled else []) + - ([{'name': 'matrix-bot-honoroit.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'honoroit']}] if matrix_bot_honoroit_enabled else []) + ([{'name': 'matrix-bot-honoroit.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'honoroit', 'bot-honoroit']}] if matrix_bot_honoroit_enabled else []) + - ([{'name': 'matrix-bot-matrix-registration-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'registration-bot']}] if matrix_bot_matrix_registration_bot_enabled else []) + ([{'name': 'matrix-bot-matrix-registration-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'registration-bot', 'bot-matrix-registration-bot']}] if matrix_bot_matrix_registration_bot_enabled else []) + - ([{'name': 'matrix-bot-matrix-reminder-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'reminder-bot']}] if matrix_bot_matrix_reminder_bot_enabled else []) + ([{'name': 'matrix-bot-matrix-reminder-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'reminder-bot', 'bot-matrix-reminder-bot']}] if matrix_bot_matrix_reminder_bot_enabled else []) + - ([{'name': 'matrix-bot-maubot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 
'maubot']}] if matrix_bot_maubot_enabled else []) + ([{'name': 'matrix-bot-maubot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'maubot', 'bot-maubot']}] if matrix_bot_maubot_enabled else []) + - ([{'name': 'matrix-bot-mjolnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'mjolnir']}] if matrix_bot_mjolnir_enabled else []) + ([{'name': 'matrix-bot-mjolnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'mjolnir', 'bot-mjolnir']}] if matrix_bot_mjolnir_enabled else []) + - ([{'name': 'matrix-bot-draupnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'draupnir']}] if matrix_bot_draupnir_enabled else []) + ([{'name': 'matrix-bot-draupnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'draupnir', 'bot-draupnir']}] if matrix_bot_draupnir_enabled else []) + - ([{'name': 'matrix-bot-postmoogle.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'postmoogle']}] if matrix_bot_postmoogle_enabled else []) + ([{'name': 'matrix-bot-postmoogle.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'postmoogle', 'bot-postmoogle']}] if matrix_bot_postmoogle_enabled else []) + - ([{'name': 'matrix-bot-chatgpt.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'chatgpt']}] if matrix_bot_chatgpt_enabled else []) + ([{'name': 'matrix-bot-chatgpt.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'chatgpt', 'bot-chatgpt']}] if matrix_bot_chatgpt_enabled else []) + ([{'name': 'matrix-appservice-discord.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'appservice-discord']}] if matrix_appservice_discord_enabled else []) + From 88c7cf21f7d5b454af4449dab6a7fbccb2b1b4d2 Mon Sep 17 00:00:00 2001 
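Review bot: The group_vars hunk appends the new `bot-*` group to every bot entry but keeps the old short group (`'buscarron'`, `'go-neb'`, `'registration-bot'`, ...) alongside it, so `just install-service buscarron` still matches the systemd unit and silently continues to do only half the work the commit message describes. Either drop the legacy group names or state in the commit message and docs that the `bot-` prefixed names are the supported ones and the old ones are kept only for compatibility.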
From: Slavi Pantaleev Date: Thu, 18 May 2023 10:03:02 +0300 Subject: [PATCH 18/47] Make Honoroit not try to capture all matrix.DOMAIN traffic It only serves a metrics endpoint, so it shouldn't try to capture anything else. --- docs/configuring-playbook-bot-honoroit.md | 3 +++ .../custom/matrix-bot-honoroit/defaults/main.yml | 1 - .../matrix-bot-honoroit/templates/labels.j2 | 15 --------------- 3 files changed, 3 insertions(+), 16 deletions(-) diff --git a/docs/configuring-playbook-bot-honoroit.md b/docs/configuring-playbook-bot-honoroit.md index 42f31d49a..26f5c6916 100644 --- a/docs/configuring-playbook-bot-honoroit.md +++ b/docs/configuring-playbook-bot-honoroit.md @@ -14,6 +14,9 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars. ```yaml matrix_bot_honoroit_enabled: true +# Uncomment and adjust if you'd like to change the hostname +# matrix_bot_honoroit_hostname: "{{ matrix_server_fqn_matrix }}" + # Uncomment and adjust this part if you'd like to use a username different than the default # matrix_bot_honoroit_login: honoroit diff --git a/roles/custom/matrix-bot-honoroit/defaults/main.yml b/roles/custom/matrix-bot-honoroit/defaults/main.yml index ea93d55f2..666b40f0a 100644 --- a/roles/custom/matrix-bot-honoroit/defaults/main.yml +++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml 
@@ -56,7 +56,6 @@ matrix_bot_honoroit_container_labels_traefik_docker_network: "{{ matrix_bot_hono matrix_bot_honoroit_container_labels_traefik_hostname: "{{ matrix_bot_honoroit_hostname }}" # The path prefix must either be `/` or not end with a slash (e.g. `/honoroit`). matrix_bot_honoroit_container_labels_traefik_path_prefix: "{{ matrix_bot_honoroit_path_prefix }}" -matrix_bot_honoroit_container_labels_traefik_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`){% if matrix_bot_honoroit_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_bot_honoroit_container_labels_traefik_path_prefix }}`){% endif %}" matrix_bot_honoroit_container_labels_traefik_metrics_path: "{{ matrix_bot_honoroit_metrics_path }}" matrix_bot_honoroit_container_labels_traefik_metrics_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`) && Path(`{{ matrix_bot_honoroit_container_labels_traefik_metrics_path }}`)" matrix_bot_honoroit_container_labels_traefik_priority: 0 diff --git a/roles/custom/matrix-bot-honoroit/templates/labels.j2 b/roles/custom/matrix-bot-honoroit/templates/labels.j2 index 7943e00f1..12409470d 100644 --- a/roles/custom/matrix-bot-honoroit/templates/labels.j2 +++ b/roles/custom/matrix-bot-honoroit/templates/labels.j2 
@@ -31,21 +31,6 @@ traefik.http.middlewares.matrix-bot-honoroit-auth.basicauth.users={{ lookup('ans {% set middlewares_metrics = middlewares + ['matrix-bot-honoroit-auth'] %} {% endif %} -traefik.http.routers.matrix-bot-honoroit.rule={{ matrix_bot_honoroit_container_labels_traefik_rule }} -{% if matrix_bot_honoroit_container_labels_traefik_priority | int > 0 %} -traefik.http.routers.matrix-bot-honoroit.priority={{ matrix_bot_honoroit_container_labels_traefik_priority }} -{% endif %} -traefik.http.routers.matrix-bot-honoroit.service=matrix-bot-honoroit -{% if middlewares | length > 0 %} -traefik.http.routers.matrix-bot-honoroit.middlewares={{ middlewares | join(',') }} -{% endif %} -traefik.http.routers.matrix-bot-honoroit.entrypoints={{ matrix_bot_honoroit_container_labels_traefik_entrypoints }} -traefik.http.routers.matrix-bot-honoroit.tls={{ matrix_bot_honoroit_container_labels_traefik_tls | to_json }} -{% if matrix_bot_honoroit_container_labels_traefik_tls %} -traefik.http.routers.matrix-bot-honoroit.tls.certResolver={{ matrix_bot_honoroit_container_labels_traefik_tls_certResolver }} -{% endif %} -traefik.http.services.matrix-bot-honoroit.loadbalancer.server.port=8080 - {% if middlewares_metrics | length > 0 %} traefik.http.routers.matrix-bot-honoroit-metrics.rule={{ matrix_bot_honoroit_container_labels_traefik_metrics_rule }} {% if matrix_bot_honoroit_container_labels_traefik_priority | int > 0 %} From 8f903fa6215863051118143c6b5a2311c8d57f7d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 18 May 2023 10:03:40 +0300 Subject: [PATCH 19/47] Make Honoroit respect matrix_bot_honoroit_path_prefix when building the metrics path --- roles/custom/matrix-bot-honoroit/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-honoroit/defaults/main.yml b/roles/custom/matrix-bot-honoroit/defaults/main.yml index 666b40f0a..3cb4fa5f6 100644 --- a/roles/custom/matrix-bot-honoroit/defaults/main.yml 
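Review bot: The labels.j2 hunk deletes `traefik.http.services.matrix-bot-honoroit.loadbalancer.server.port=8080` together with the main router, but the metrics router that remains still points at `service=matrix-bot-honoroit` (see the `-traefik.http.routers.matrix-bot-honoroit-metrics.service=matrix-bot-honoroit` line that PATCH 22 later has to fix), so after this change the metrics route references a Traefik service that is no longer declared. Declare a `matrix-bot-honoroit-metrics` service with the port and repoint the metrics router to it in the same change, so the series never has a broken intermediate state.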
+++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml @@ -56,7 +56,7 @@ matrix_bot_honoroit_container_labels_traefik_docker_network: "{{ matrix_bot_hono matrix_bot_honoroit_container_labels_traefik_hostname: "{{ matrix_bot_honoroit_hostname }}" # The path prefix must either be `/` or not end with a slash (e.g. `/honoroit`). matrix_bot_honoroit_container_labels_traefik_path_prefix: "{{ matrix_bot_honoroit_path_prefix }}" -matrix_bot_honoroit_container_labels_traefik_metrics_path: "{{ matrix_bot_honoroit_metrics_path }}" +matrix_bot_honoroit_container_labels_traefik_metrics_path: "{{ '' if matrix_bot_honoroit_path_prefix = '/' else matrix_bot_honoroit_path_prefix }}{{ matrix_bot_honoroit_metrics_path }}" matrix_bot_honoroit_container_labels_traefik_metrics_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`) && Path(`{{ matrix_bot_honoroit_container_labels_traefik_metrics_path }}`)" matrix_bot_honoroit_container_labels_traefik_priority: 0 matrix_bot_honoroit_container_labels_traefik_entrypoints: web-secure From 2083b10f1abe16054dc634061dadc30fe50f7eb3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 18 May 2023 10:09:07 +0300 Subject: [PATCH 20/47] Fix syntax error --- roles/custom/matrix-bot-honoroit/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-honoroit/defaults/main.yml b/roles/custom/matrix-bot-honoroit/defaults/main.yml index 3cb4fa5f6..90ffa0c64 100644 --- a/roles/custom/matrix-bot-honoroit/defaults/main.yml +++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml 
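Review bot: In the PATCH 19 defaults hunk, `{{ '' if matrix_bot_honoroit_path_prefix = '/' else matrix_bot_honoroit_path_prefix }}` uses a single `=`, which is not a valid Jinja2 comparison; rendering the role's defaults will fail with a template syntax error. Use `==` (the following patch, "Fix syntax error", makes exactly this change; it would be cleaner to squash the two).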
@@ -56,7 +56,7 @@ matrix_bot_honoroit_container_labels_traefik_docker_network: "{{ matrix_bot_hono matrix_bot_honoroit_container_labels_traefik_hostname: "{{ matrix_bot_honoroit_hostname }}" # The path prefix must either be `/` or not end with a slash (e.g. `/honoroit`). matrix_bot_honoroit_container_labels_traefik_path_prefix: "{{ matrix_bot_honoroit_path_prefix }}" -matrix_bot_honoroit_container_labels_traefik_metrics_path: "{{ '' if matrix_bot_honoroit_path_prefix = '/' else matrix_bot_honoroit_path_prefix }}{{ matrix_bot_honoroit_metrics_path }}" +matrix_bot_honoroit_container_labels_traefik_metrics_path: "{{ '' if matrix_bot_honoroit_path_prefix == '/' else matrix_bot_honoroit_path_prefix }}{{ matrix_bot_honoroit_metrics_path }}" matrix_bot_honoroit_container_labels_traefik_metrics_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`) && Path(`{{ matrix_bot_honoroit_container_labels_traefik_metrics_path }}`)" matrix_bot_honoroit_container_labels_traefik_priority: 0 matrix_bot_honoroit_container_labels_traefik_entrypoints: web-secure From 018e620ee82b82ec484036a9c1a2cb4273f63f75 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 18 May 2023 10:10:47 +0300 Subject: [PATCH 21/47] Default matrix_bot_honoroit_path_prefix to /honoroit to avoid conflicts with Matrix Client-Server API --- docs/configuring-playbook-bot-honoroit.md | 3 ++- group_vars/matrix_servers | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bot-honoroit.md b/docs/configuring-playbook-bot-honoroit.md index 26f5c6916..2a711fb83 100644 --- a/docs/configuring-playbook-bot-honoroit.md +++ b/docs/configuring-playbook-bot-honoroit.md 
@@ -14,8 +14,9 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars. ```yaml matrix_bot_honoroit_enabled: true -# Uncomment and adjust if you'd like to change the hostname +# Uncomment and adjust if you'd like to change the hostname or path # matrix_bot_honoroit_hostname: "{{ matrix_server_fqn_matrix }}" +# matrix_bot_honoroit_path_prefix: /honoroit # Uncomment and adjust this part if you'd like to use a username different than the default # matrix_bot_honoroit_login: honoroit diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index f89304f46..4a67c2df1 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1653,7 +1653,9 @@ matrix_bot_maubot_database_password: "{{ '%s' | format(matrix_homeserver_generic # We don't enable bots by default. matrix_bot_honoroit_enabled: false + matrix_bot_honoroit_hostname: "{{ matrix_server_fqn_matrix }}" +matrix_bot_honoroit_path_prefix: /honoroit matrix_bot_honoroit_systemd_required_services_list: | {{ From aa44a277f6633a102c1394f8f6666b9ced1c813c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 18 May 2023 10:13:06 +0300 Subject: [PATCH 22/47] Fix service name for Honoroit metrics --- roles/custom/matrix-bot-honoroit/templates/labels.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-honoroit/templates/labels.j2 b/roles/custom/matrix-bot-honoroit/templates/labels.j2 index 12409470d..8e20ea459 100644 --- a/roles/custom/matrix-bot-honoroit/templates/labels.j2 +++ b/roles/custom/matrix-bot-honoroit/templates/labels.j2 
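Review bot: With `matrix_bot_honoroit_path_prefix` now defaulting to `/honoroit` in the group_vars hunk, and the metrics path in defaults being built as prefix plus `matrix_bot_honoroit_metrics_path`, the metrics endpoint moves to `/honoroit/metrics`, which breaks the `/metrics/SERVICE_NAME` convention the other services use. Override `matrix_bot_honoroit_container_labels_traefik_metrics_path` in the same group_vars block (as PATCH 25 later does) so the relocation and the metrics path land together, and say so in the docs hunk next to the new `# matrix_bot_honoroit_path_prefix: /honoroit` example.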
@@ -36,7 +36,7 @@ traefik.http.routers.matrix-bot-honoroit-metrics.rule={{ matrix_bot_honoroit_con {% if matrix_bot_honoroit_container_labels_traefik_priority | int > 0 %} traefik.http.routers.matrix-bot-honoroit-metrics.priority={{ matrix_bot_honoroit_container_labels_traefik_priority }} {% endif %} -traefik.http.routers.matrix-bot-honoroit-metrics.service=matrix-bot-honoroit +traefik.http.routers.matrix-bot-honoroit-metrics.service=matrix-bot-honoroit-metrics traefik.http.routers.matrix-bot-honoroit-metrics.middlewares={{ middlewares_metrics | join(',') }} traefik.http.routers.matrix-bot-honoroit-metrics.entrypoints={{ matrix_bot_honoroit_container_labels_traefik_entrypoints }} traefik.http.routers.matrix-bot-honoroit-metrics.tls={{ matrix_bot_honoroit_container_labels_traefik_tls | to_json }} From d475a4906def9424fd07dd4ea10671c2254833ea Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Thu, 18 May 2023 20:51:15 +0000 Subject: [PATCH 23/47] update ntfy 2.4.0 -> 2.5.0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 57f4709f2..d6ed01d07 100644 --- a/requirements.yml +++ b/requirements.yml @@ -40,7 +40,7 @@ version: v8615-0 name: jitsi - src: git+https://gitlab.com/etke.cc/roles/ntfy.git - version: v2.4.0-0 + version: v2.5.0-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git version: v2.44.0-0 name: prometheus From b71375fac736bb96d78d353f63a3711deecdac24 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Fri, 19 May 2023 18:26:05 +0300 Subject: [PATCH 24/47] Disable healthcheck for Synapse workers which serve no web traffic This was mostly affecting the stream writer (events) worker, which was being reported as unhealthy. It wasn't causing any issues, but it just looked odd and was confusing people. As an alternative to hitting the regular `/health` healthcheck route (on the "client" API which this stream writer does not expose), we may have went for hitting some "replication" API endpoint instead. This is more complicated and likely unnecessary. --- roles/custom/matrix-synapse/tasks/synapse/workers/init.yml | 2 +- .../templates/synapse/systemd/matrix-synapse-worker.service.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml b/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml index 359fe0316..68b8f37e3 100644 --- a/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml @@ -21,7 +21,7 @@ ansible.builtin.set_fact: worker: id: "stream-writer-{{ idx }}-{{ item.stream }}" - # Names must not include understores. Certain stream writer streams (to_device, account_data, ..) do, so we fix them up. + # Names must not include underscores. Certain stream writer streams (to_device, account_data, ..) do, so we fix them up. name: "matrix-synapse-worker-stream-writer-{{ idx }}-{{ item.stream | replace('_', '-') }}" type: 'stream_writer' app: "generic_worker" diff --git a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 index 578d91078..4a6a01b78 100644 --- a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 
@@ -23,7 +23,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \ --network={{ matrix_synapse_container_network }} \ - {% if matrix_synapse_worker_details.port != 0 %} + {% if matrix_synapse_worker_details.port != 0 and matrix_synapse_worker_details.webserving %} --health-cmd 'curl -fSs http://localhost:{{ matrix_synapse_worker_details.port }}/health || exit 1' \ {% else %} --no-healthcheck \ From b5d5e49235a46d640ae427e1797a11e870ce1968 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 19 May 2023 19:32:34 +0300 Subject: [PATCH 25/47] Move Honoroit metrics from /honoroit/metrics to /metrics/honoroit This restores consistency with other services. Related to 8f903fa6215863051118143c6b5a2311c8d57f7d --- group_vars/matrix_servers | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 4a67c2df1..79a503d5a 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1655,8 +1655,13 @@ matrix_bot_maubot_database_password: "{{ '%s' | format(matrix_homeserver_generic matrix_bot_honoroit_enabled: false matrix_bot_honoroit_hostname: "{{ matrix_server_fqn_matrix }}" + matrix_bot_honoroit_path_prefix: /honoroit +# For consistency with other things hosted at the matrix FQN, we adjust the metrics endpoint +# so that metrics would be served at `/metrics/SERVICE_NAME`, and not at the default path for the role (`PREFIX/metrics`). +matrix_bot_honoroit_container_labels_traefik_metrics_path: /metrics/honoroit + matrix_bot_honoroit_systemd_required_services_list: | {{ ['docker.service'] From 014f5def55b944b65fb1b8047b060032ea8de1f7 Mon Sep 17 00:00:00 2001 
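Review bot: The new condition `{% if matrix_synapse_worker_details.port != 0 and matrix_synapse_worker_details.webserving %}` in the worker service template assumes every worker dict carries a `webserving` key, yet the only other file in this patch, workers/init.yml, changes just a comment typo, and the `set_fact` shown there builds the stream-writer worker from `id`, `name`, `type` and `app` without a `webserving` field. Confirm the key is populated for all worker types (otherwise an undefined attribute aborts rendering for exactly the workers this patch targets), or guard it with `matrix_synapse_worker_details.webserving | default(false)`. Note also that a worker with `webserving` false now runs with `--no-healthcheck`, so its liveness is no longer surfaced by Docker at all; that is the intended trade-off per the commit message, but it is worth a comment in the template.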
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 May 2023 17:00:26 +0000 Subject: [PATCH 26/47] Bump frenck/action-yamllint from 1.4.0 to 1.4.1 Bumps [frenck/action-yamllint](https://github.com/frenck/action-yamllint) from 1.4.0 to 1.4.1. - [Release notes](https://github.com/frenck/action-yamllint/releases) - [Commits](https://github.com/frenck/action-yamllint/compare/v1.4.0...v1.4.1) --- updated-dependencies: - dependency-name: frenck/action-yamllint dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/matrix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml index abca55ae2..579ab7192 100644 --- a/.github/workflows/matrix.yml +++ b/.github/workflows/matrix.yml @@ -13,7 +13,7 @@ jobs: - name: Check out uses: actions/checkout@v3 - name: Run yamllint - uses: frenck/action-yamllint@v1.4.0 + uses: frenck/action-yamllint@v1.4.1 ansible-lint: name: ansible-lint runs-on: ubuntu-latest From 86abe0680a28e21baa316aeb53de98903e1da765 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Mon, 22 May 2023 18:01:02 +0000 Subject: [PATCH 27/47] Update mautrix-twitter 0.1.5 -> 0.1.6 --- roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml index cc11a69b3..55e8411b6 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml 
@@ -8,7 +8,7 @@ matrix_mautrix_twitter_container_image_self_build: false matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/mautrix/twitter.git" matrix_mautrix_twitter_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_twitter_version == 'latest' else matrix_mautrix_twitter_version }}" -matrix_mautrix_twitter_version: v0.1.5 +matrix_mautrix_twitter_version: v0.1.6 # See: https://mau.dev/tulir/mautrix-twitter/container_registry matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_name_prefix }}mautrix/twitter:{{ matrix_mautrix_twitter_version }}" matrix_mautrix_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else 'dock.mau.dev/' }}" From 9350eeb9fb8f95c7cc0e8ad0274dae7051fda593 Mon Sep 17 00:00:00 2001 From: Aine Date: Tue, 23 May 2023 17:33:23 +0300 Subject: [PATCH 28/47] update synapse 1.83.0 -> 1.84.0; set forget_rooms_on_leave = true --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- .../matrix-synapse/templates/synapse/homeserver.yaml.j2 | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index f159e01b8..cda427e39 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -4,7 +4,7 @@ matrix_synapse_enabled: true -matrix_synapse_version: v1.83.0 +matrix_synapse_version: v1.84.0 matrix_synapse_username: '' matrix_synapse_uid: '' diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 63cdafeb0..ff2533977 100644 --- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 
@@ -141,6 +141,10 @@ allow_public_rooms_over_federation: {{ matrix_synapse_allow_public_rooms_over_fe # default_room_version: {{ matrix_synapse_default_room_version|to_json }} +# Set to true to automatically forget rooms for users when they leave them, either +# normally or via a kick or ban. Defaults to false. +forget_rooms_on_leave: true + # The GC threshold parameters to pass to `gc.set_threshold`, if defined # #gc_thresholds: [700, 10, 10] From 428f7a1f75337ef2f7b848e532d8d93f4a540919 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 24 May 2023 20:20:37 +0000 Subject: [PATCH 29/47] Update hookshot 4.0.0 -> 4.1.0 --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 18fc01525..247c542b7 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml @@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git" matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}" -matrix_hookshot_version: 4.0.0 +matrix_hookshot_version: 4.1.0 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}" matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}" From 4b30c4d8128c51b8fffcfc8abe00053e7802772d Mon Sep 17 00:00:00 2001 
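Review bot: The homeserver.yaml.j2 hunk hard-codes `forget_rooms_on_leave: true`, inverting the upstream Synapse default (`false`, as the added comment itself states) with no playbook variable to turn it back off, inside a patch whose subject is a version bump. A behavioural default change should be exposed as a variable, e.g. `forget_rooms_on_leave: {{ matrix_synapse_forget_rooms_on_leave | to_json }}` with the default in the role's defaults/main.yml, and announced in CHANGELOG.md so operators can opt out; PATCH 31 does this, and the two belong in one commit.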
From: Catalan Lover Date: Thu, 25 May 2023 00:52:28 +0200 Subject: [PATCH 30/47] Update Draupnir from 1.80.1 to 1.82.0 --- roles/custom/matrix-bot-draupnir/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-draupnir/defaults/main.yml b/roles/custom/matrix-bot-draupnir/defaults/main.yml index 92abc7ab0..6ee99a358 100644 --- a/roles/custom/matrix-bot-draupnir/defaults/main.yml +++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml @@ -4,7 +4,7 @@ matrix_bot_draupnir_enabled: true -matrix_bot_draupnir_version: "v1.80.1" +matrix_bot_draupnir_version: "v1.82.0" matrix_bot_draupnir_container_image_self_build: false matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/Gnuxie/Draupnir.git" From c55371e3058b5785aab54c07c567575df87af7f9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 25 May 2023 09:14:09 +0300 Subject: [PATCH 31/47] Add changelog entry for the forget_rooms_on_leave default change for Synapse Related to: - https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2698 - https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2700 --- CHANGELOG.md | 14 ++++++++++++++ roles/custom/matrix-synapse/defaults/main.yml | 4 ++++ .../templates/synapse/homeserver.yaml.j2 | 2 +- 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1b5118427..70b17b000 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,17 @@ +# 2023-05-25 + +## Enabling `forget_rooms_on_leave` by default for Synapse + +With the [Synapse v1.84.0 update](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2698), we've also **changed the default value** of the `forget_rooms_on_leave` setting of Synapse to a value of `true`. +This way, **when you leave a room, Synapse will now forget it automatically**. + +The upstream Synapse default is `false` (disabled), so that you must forget rooms manually after leaving. + +**We go against the upstream default** ([somewhat controversially](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2700)) in an effort to make Synapse leaner and potentially do what we believe most users would expect their homeserver to be doing. + +If you'd like to go back to the old behavior, add the following to your configuration: `matrix_synapse_forget_rooms_on_leave: false` + + # 2023-04-03 ## The matrix-jitsi role lives independently now diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index cda427e39..5903eb05b 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -928,6 +928,10 @@ matrix_synapse_room_list_publication_rules: matrix_synapse_default_room_version: "10" +# Controls whether leaving a room will automatically forget it. +# The upstream default is `false`, but we try to make Synapse less wasteful of resources, so we do things differently. +matrix_synapse_forget_rooms_on_leave: true + # Controls the Synapse `spam_checker` setting. # # If a spam-checker extension is enabled, this variable's value is set automatically by the playbook during runtime. diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index ff2533977..a36df6fc0 100644 --- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 
+++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -143,7 +143,7 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }} # Set to true to automatically forget rooms for users when they leave them, either # normally or via a kick or ban. Defaults to false. -forget_rooms_on_leave: true +forget_rooms_on_leave: {{ matrix_synapse_forget_rooms_on_leave | to_json }} # The GC threshold parameters to pass to `gc.set_threshold`, if defined # From 981805002d8a4f23a6cebdb53f14a4b0773de0a8 Mon Sep 17 00:00:00 2001 From: tammes Date: Thu, 25 May 2023 22:45:09 +0200 Subject: [PATCH 32/47] add example Caddyfile for fronting Traefik, mark the old one as deprecated and update READMEs --- docs/configuring-playbook-own-webserver.md | 2 +- examples/caddy2/Caddyfile | 255 +------------------ examples/caddy2/Caddyfile.deprecated | 269 +++++++++++++++++++++ examples/caddy2/README.md | 26 +- examples/nginx/README.md | 2 +- 5 files changed, 301 insertions(+), 253 deletions(-) create mode 100644 examples/caddy2/Caddyfile.deprecated diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 3d8c5b0d0..f276a554d 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -160,7 +160,7 @@ devture_traefik_additional_entrypoints_auto: # # trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY'] ``` -For an example where the playbook's Traefik reverse-proxy is fronted by [Nginx](https://nginx.org/) running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md). +For an example where the playbook's Traefik reverse-proxy is fronted by another reverse-proxy running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md) or [Caddy reverse-proxy fronting the playbook's Traefik](../examples/caddy2/README.md). ### Using no reverse-proxy on the Matrix side at all 
diff --git a/examples/caddy2/Caddyfile b/examples/caddy2/Caddyfile index 43005ca41..2ffcea520 100644 --- a/examples/caddy2/Caddyfile +++ b/examples/caddy2/Caddyfile 
@@ -1,112 +1,10 @@ -(cors) { - @cors_preflight method OPTIONS - - handle @cors_preflight { - header Access-Control-Allow-Origin "{args.0}" - header Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE" - header Access-Control-Allow-Headers "Content-Type, Authorization" - header Access-Control-Max-Age "3600" - } -} - - -matrix.DOMAIN.tld { - - # creates letsencrypt certificate - # tls your@email.com - - @identity { - path /_matrix/identity/* - } - - @noidentity { - not path /_matrix/identity/* - } - - @search { - path /_matrix/client/r0/user_directory/search/* - } - - @nosearch { - not path /_matrix/client/r0/user_directory/search/* - } - - @static { - path /matrix/static-files/* - } - - @nostatic { - not path /matrix/static-files/* - } - - @wellknown { - path /.well-known/matrix/* - } - - header { - # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS - Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" - # Enable cross-site filter (XSS) and tell browser to block detected attacks - X-XSS-Protection "1; mode=block" - # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type - X-Content-Type-Options "nosniff" - # Disallow the site to be rendered within a frame (clickjacking protection) - X-Frame-Options "DENY" - # X-Robots-Tag - X-Robots-Tag "noindex, noarchive, nofollow" - } - - # Cache - header @static { - # Cache - Cache-Control "public, max-age=31536000" - defer - } - - # identity - handle @identity { - reverse_proxy localhost:8090 { - header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} - header_up X-Forwarded-TlsProto {tls_protocol} - header_up X-Forwarded-TlsCipher {tls_cipher} - header_up X-Forwarded-HttpsProto {proto} - } - } - - # search - handle @search { - reverse_proxy localhost:8090 { - header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} - header_up 
X-Forwarded-TlsProto {tls_protocol} - header_up X-Forwarded-TlsCipher {tls_cipher} - header_up X-Forwarded-HttpsProto {proto} - } - } - - handle @wellknown { - encode zstd gzip - root * /matrix/static-files - header Cache-Control max-age=14400 - header Content-Type application/json - header Access-Control-Allow-Origin * - file_server - } - - # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the base domain - #handle @wellknown { - # # .well-known is handled by base domain - # reverse_proxy https://DOMAIN.tld { - # header_up Host {http.reverse_proxy.upstream.hostport} - #} +matrix.example.tld { handle { encode zstd gzip - reverse_proxy localhost:8008 { + reverse_proxy localhost:81 { header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} header_up X-Forwarded-TlsProto {tls_protocol} header_up X-Forwarded-TlsCipher {tls_cipher} header_up X-Forwarded-HttpsProto {proto} @@ -114,13 +12,12 @@ matrix.DOMAIN.tld { } } -matrix.DOMAIN.tld:8448 { +matrix.example.tld:8448 { handle { encode zstd gzip - reverse_proxy 127.0.0.1:8048 { + reverse_proxy 127.0.0.1:8449 { header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} header_up X-Forwarded-TlsProto {tls_protocol} header_up X-Forwarded-TlsCipher {tls_cipher} header_up X-Forwarded-HttpsProto {proto} 
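Review bot: with both site blocks now proxying to `localhost:81` and `127.0.0.1:8449`, the safety of this setup depends on those Traefik entrypoints being reachable only from the Caddy host: if they are bound on all interfaces, a client can bypass Caddy (and its TLS termination) and hand Traefik its own `X-Forwarded-*` headers. Add a comment in the Caddyfile or a sentence in the README saying these ports must be bound to loopback and that Traefik's forwarded-header trust is limited to the Caddy address (the `trustedIPs` setting shown in configuring-playbook-own-webserver.md). Separately, the removed `header { Strict-Transport-Security ... X-Content-Type-Options ... X-Frame-Options ... }` block has no replacement in the new file; Caddy is the TLS-terminating edge here and does not add HSTS on its own, so unless Traefik is configured to emit these headers they are silently lost in the move. Dropping the explicit `header_up X-Forwarded-Proto {http.request.scheme}` is fine, since Caddy's `reverse_proxy` sets `X-Forwarded-Proto` and `X-Forwarded-For` itself.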
@@ -128,142 +25,16 @@ matrix.DOMAIN.tld:8448 { } } -element.DOMAIN.tld { - # creates letsencrypt certificate - # tls your@email.com - - import cors https://*.DOMAIN.tld - - header { - # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS - Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" - # Enable cross-site filter (XSS) and tell browser to block detected attacks - X-XSS-Protection "1; mode=block" - # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type - X-Content-Type-Options "nosniff" - # Disallow the site to be rendered within a frame (clickjacking protection) - X-Frame-Options "DENY" - # If using integrations that add frames to Element, such as Dimension and its integrations running on the same domain, it can be a good idea to limit sources allowed to be rendered - # Content-Security-Policy frame-src https://*.DOMAIN.tld - # X-Robots-Tag - X-Robots-Tag "noindex, noarchive, nofollow" - } - - handle { - encode zstd gzip +example.tld { +# Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server + @wellknown { + path /.well-known/matrix/* + } - reverse_proxy localhost:8765 { - header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} - header_up X-Forwarded-TlsProto {tls_protocol} - header_up X-Forwarded-TlsCipher {tls_cipher} - header_up X-Forwarded-HttpsProto {proto} + handle @wellknown { + reverse_proxy https://matrix.example.tld { + header_up Host {http.reverse_proxy.upstream.hostport} } + } } - -#dimension.DOMAIN.tld { -# -# # creates letsencrypt certificate -# # tls your@email.com -# -# import cors 
https://*.DOMAIN.tld -# -# header { -# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS -# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" -# # Enable cross-site filter (XSS) and tell browser to block detected attacks -# X-XSS-Protection "1; mode=block" -# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type -# X-Content-Type-Options "nosniff" -# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain (clickjacking protection) -# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld -# # X-Robots-Tag -# X-Robots-Tag "noindex, noarchive, nofollow" -# } -# -# handle { -# encode zstd gzip -# -# reverse_proxy localhost:8184 { -# header_up X-Forwarded-Port {http.request.port} -# header_up X-Forwarded-Proto {http.request.scheme} -# header_up X-Forwarded-TlsProto {tls_protocol} -# header_up X-Forwarded-TlsCipher {tls_cipher} -# header_up X-Forwarded-HttpsProto {proto} -# } -# } -#} - - -#jitsi.DOMAIN.tld { -# -# creates letsencrypt certificate -# tls your@email.com -# -# import cors https://*.DOMAIN.tld -# -# header { -# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS -# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" -# -# # Enable cross-site filter (XSS) and tell browser to block detected attacks -# X-XSS-Protection "1; mode=block" -# -# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type -# X-Content-Type-Options "nosniff" - -# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain -# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld -# -# # Disable some features -# Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 
'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'" -# -# # Referer -# Referrer-Policy "no-referrer" -# -# # X-Robots-Tag -# X-Robots-Tag "none" -# -# # Remove Server header -# -Server -# } -# -# handle { -# encode zstd gzip -# -# reverse_proxy 127.0.0.1:13080 { -# header_up X-Forwarded-Port {http.request.port} -# header_up X-Forwarded-Proto {http.request.scheme} -# header_up X-Forwarded-TlsProto {tls_protocol} -# header_up X-Forwarded-TlsCipher {tls_cipher} -# header_up X-Forwarded-HttpsProto {proto} -# } -# } -#} -#DOMAIN.com { -# Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server -# @wellknown { -# path /.well-known/matrix/* -# } -# -# handle @wellknown { -# reverse_proxy https://matrix.DOMAIN.com { -# header_up Host {http.reverse_proxy.upstream.hostport} -# } -# } -# # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the matrix subdomain -# # handle /.well-known/* { -# # encode zstd gzip -# # header Cache-Control max-age=14400 -# # header Content-Type application/json -# # header Access-Control-Allow-Origin * -# #} -# -# # Configration for the base domain goes here -# # handle { -# # header -Server -# # encode zstd gzip -# # reverse_proxy localhost:4020 -# # } -#} diff --git a/examples/caddy2/Caddyfile.deprecated b/examples/caddy2/Caddyfile.deprecated new file mode 100644 index 000000000..43005ca41 --- /dev/null +++ b/examples/caddy2/Caddyfile.deprecated 
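Review bot: the `example.tld` site block is now active, but the comment inside it still reads `# Uncomment this if you are following "(Option 3)..."`, which no longer matches: there is nothing to uncomment, and anyone not using Option 3 (or already serving their base domain elsewhere) will have Caddy claim `example.tld` and request a certificate for it. Either comment the whole block out again, as the old `#DOMAIN.com {` block was, or reword the comment to say the block should be removed when Option 3 is not used. The old variant also carried a commented `handle { ... reverse_proxy localhost:4020 }` placeholder for the base domain's own content; a short pointer on where that goes now would help users whose base domain is not Matrix-only.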
@@ -0,0 +1,269 @@ +(cors) { + @cors_preflight method OPTIONS + + handle @cors_preflight { + header Access-Control-Allow-Origin "{args.0}" + header Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE" + header Access-Control-Allow-Headers "Content-Type, Authorization" + header Access-Control-Max-Age "3600" + } +} + + +matrix.DOMAIN.tld { + + # creates letsencrypt certificate + # tls your@email.com + + @identity { + path /_matrix/identity/* + } + + @noidentity { + not path /_matrix/identity/* + } + + @search { + path /_matrix/client/r0/user_directory/search/* + } + + @nosearch { + not path /_matrix/client/r0/user_directory/search/* + } + + @static { + path /matrix/static-files/* + } + + @nostatic { + not path /matrix/static-files/* + } + + @wellknown { + path /.well-known/matrix/* + } + + header { + # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS + Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + # Enable cross-site filter (XSS) and tell browser to block detected attacks + X-XSS-Protection "1; mode=block" + # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type + X-Content-Type-Options "nosniff" + # Disallow the site to be rendered within a frame (clickjacking protection) + X-Frame-Options "DENY" + # X-Robots-Tag + X-Robots-Tag "noindex, noarchive, nofollow" + } + + # Cache + header @static { + # Cache + Cache-Control "public, max-age=31536000" + defer + } + + # identity + handle @identity { + reverse_proxy localhost:8090 { + header_up X-Forwarded-Port {http.request.port} + header_up X-Forwarded-Proto {http.request.scheme} + header_up X-Forwarded-TlsProto {tls_protocol} + header_up X-Forwarded-TlsCipher {tls_cipher} + header_up X-Forwarded-HttpsProto {proto} + } + } + + # search + handle @search { + reverse_proxy localhost:8090 { + header_up X-Forwarded-Port {http.request.port} + header_up X-Forwarded-Proto {http.request.scheme} + header_up 
X-Forwarded-TlsProto {tls_protocol} + header_up X-Forwarded-TlsCipher {tls_cipher} + header_up X-Forwarded-HttpsProto {proto} + } + } + + handle @wellknown { + encode zstd gzip + root * /matrix/static-files + header Cache-Control max-age=14400 + header Content-Type application/json + header Access-Control-Allow-Origin * + file_server + } + + # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the base domain + #handle @wellknown { + # # .well-known is handled by base domain + # reverse_proxy https://DOMAIN.tld { + # header_up Host {http.reverse_proxy.upstream.hostport} + #} + + handle { + encode zstd gzip + + reverse_proxy localhost:8008 { + header_up X-Forwarded-Port {http.request.port} + header_up X-Forwarded-Proto {http.request.scheme} + header_up X-Forwarded-TlsProto {tls_protocol} + header_up X-Forwarded-TlsCipher {tls_cipher} + header_up X-Forwarded-HttpsProto {proto} + } + } +} + +matrix.DOMAIN.tld:8448 { + handle { + encode zstd gzip + + reverse_proxy 127.0.0.1:8048 { + header_up X-Forwarded-Port {http.request.port} + header_up X-Forwarded-Proto {http.request.scheme} + header_up X-Forwarded-TlsProto {tls_protocol} + header_up X-Forwarded-TlsCipher {tls_cipher} + header_up X-Forwarded-HttpsProto {proto} + } + } +} + +element.DOMAIN.tld { + + # creates letsencrypt certificate + # tls your@email.com + + import cors https://*.DOMAIN.tld + + header { + # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS + Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + # Enable cross-site filter (XSS) and tell browser to block detected attacks + X-XSS-Protection "1; mode=block" + # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type + X-Content-Type-Options "nosniff" + # Disallow the site to be rendered within a frame (clickjacking protection) + X-Frame-Options "DENY" + # If 
using integrations that add frames to Element, such as Dimension and its integrations running on the same domain, it can be a good idea to limit sources allowed to be rendered + # Content-Security-Policy frame-src https://*.DOMAIN.tld + # X-Robots-Tag + X-Robots-Tag "noindex, noarchive, nofollow" + } + + handle { + encode zstd gzip + + reverse_proxy localhost:8765 { + header_up X-Forwarded-Port {http.request.port} + header_up X-Forwarded-Proto {http.request.scheme} + header_up X-Forwarded-TlsProto {tls_protocol} + header_up X-Forwarded-TlsCipher {tls_cipher} + header_up X-Forwarded-HttpsProto {proto} + } +} + +#dimension.DOMAIN.tld { +# +# # creates letsencrypt certificate +# # tls your@email.com +# +# import cors https://*.DOMAIN.tld +# +# header { +# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS +# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" +# # Enable cross-site filter (XSS) and tell browser to block detected attacks +# X-XSS-Protection "1; mode=block" +# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type +# X-Content-Type-Options "nosniff" +# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain (clickjacking protection) +# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld +# # X-Robots-Tag +# X-Robots-Tag "noindex, noarchive, nofollow" +# } +# +# handle { +# encode zstd gzip +# +# reverse_proxy localhost:8184 { +# header_up X-Forwarded-Port {http.request.port} +# header_up X-Forwarded-Proto {http.request.scheme} +# header_up X-Forwarded-TlsProto {tls_protocol} +# header_up X-Forwarded-TlsCipher {tls_cipher} +# header_up X-Forwarded-HttpsProto {proto} +# } +# } +#} + + +#jitsi.DOMAIN.tld { +# +# creates letsencrypt certificate +# tls your@email.com +# +# import cors https://*.DOMAIN.tld +# +# header { +# # Enable HTTP Strict Transport Security 
(HSTS) to force clients to always connect via HTTPS +# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" +# +# # Enable cross-site filter (XSS) and tell browser to block detected attacks +# X-XSS-Protection "1; mode=block" +# +# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type +# X-Content-Type-Options "nosniff" + +# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain +# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld +# +# # Disable some features +# Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'" +# +# # Referer +# Referrer-Policy "no-referrer" +# +# # X-Robots-Tag +# X-Robots-Tag "none" +# +# # Remove Server header +# -Server +# } +# +# handle { +# encode zstd gzip +# +# reverse_proxy 127.0.0.1:13080 { +# header_up X-Forwarded-Port {http.request.port} +# header_up X-Forwarded-Proto {http.request.scheme} +# header_up X-Forwarded-TlsProto {tls_protocol} +# header_up X-Forwarded-TlsCipher {tls_cipher} +# header_up X-Forwarded-HttpsProto {proto} +# } +# } +#} +#DOMAIN.com { +# Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server +# @wellknown { +# path /.well-known/matrix/* +# } +# +# handle @wellknown { +# reverse_proxy https://matrix.DOMAIN.com { +# header_up Host {http.reverse_proxy.upstream.hostport} 
+# } +# } +# # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the matrix subdomain +# # handle /.well-known/* { +# # encode zstd gzip +# # header Cache-Control max-age=14400 +# # header Content-Type application/json +# # header Access-Control-Allow-Origin * +# #} +# +# # Configration for the base domain goes here +# # handle { +# # header -Server +# # encode zstd gzip +# # reverse_proxy localhost:4020 +# # } +#} diff --git a/examples/caddy2/README.md b/examples/caddy2/README.md index fe8d57637..d4bfb4755 100644 --- a/examples/caddy2/README.md +++ b/examples/caddy2/README.md 
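Review bot: `Caddyfile.deprecated` is a verbatim copy of the old file (same blob `43005ca41`), so it still proxies straight to `localhost:8008` / `127.0.0.1:8048`, bypassing the playbook's Traefik, and still carries the `Configration` typo and a stray `#` inside the Jitsi `Feature-Policy` value (`gyroscope #'none'`). If the file is kept, put a comment at its top stating that it is unsupported and targets ports the new example no longer uses; a README note alone is easy to miss when someone copies the file. The `X-XSS-Protection "1; mode=block"` header it sets is obsolete in current browsers, one more reason not to encourage its use.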
@@ -1,12 +1,20 @@ -# Caddyfile +# Caddy reverse-proxy fronting the playbook's integrated Traefik reverse-proxy -This directory contains sample files that show you how to do reverse-proxying using Caddy2. +This directory contains a sample config that shows you how to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with your own [Caddy](https://caddyserver.com/) reverse-proxy. -## Config -| Variable | Function | -| ------------------ | -------- | -| tls your@email.com | Specify an email address for your [ACME account](https://caddyserver.com/docs/caddyfile/directives/tls) (but if only one email is used for all sites, we recommend the email [global option](https://caddyserver.com/docs/caddyfile/options) instead) | -| tls | To enable [tls](https://caddyserver.com/docs/caddyfile/directives/tls) support uncomment the lines for tls | -| Dimension | To enable Dimension support uncomment the lines for Dimension and set your data | -| Jitsi | To enable Jitsi support uncomment the lines for Jitsi and set your data | +## Prerequisite configuration + +To get started, first follow the [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instructions and update your playbook's configuration (`inventory/host_vars/matrix./vars.yml`). + + +## Using the Caddyfile + +You can either just use the [Caddyfile](Caddyfile) directly or append its content to your own Caddyfile. +In both cases make sure to replace all the `example.tld` domains with your own domain. + +This example does not include additional services like element, but you should be able copy the first block and replace the matrix subdomain with the additional services subdomain. I have not tested this though. 
+ +# Caddyfile.deprecated + +This can be used as a [Caddy](https://caddyserver.com/) reverse-proxy without intermediary playbook managed reverse proxy. However, this setup is not supported by the playbook anymore. Instead [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) as described above. diff --git a/examples/nginx/README.md b/examples/nginx/README.md index 11fca299e..d8698ba6b 100644 --- a/examples/nginx/README.md +++ b/examples/nginx/README.md @@ -1,6 +1,6 @@ # Nginx reverse-proxy fronting the playbook's integrated Traefik reverse-proxy -This directory contains a sample config that shows you how use the [nginx](https://nginx.org/) webserver to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with another reverse-proxy. +This directory contains a sample config that shows you how to use the [nginx](https://nginx.org/) webserver to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with another reverse-proxy. ## Prerequisite configuration From f98f803b4404c739e19da6b27fd857ceaac93880 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 26 May 2023 10:17:20 +0300 Subject: [PATCH 33/47] Revert "Update hookshot 4.0.0 -> 4.1.0" This reverts commit 428f7a1f75337ef2f7b848e532d8d93f4a540919. Looks like it won't become a tagged image until a "release" is posted. --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 247c542b7..18fc01525 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml 
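Review bot: the README tells users to replace `example.tld` but not to check the upstream ports: `localhost:81` and `127.0.0.1:8449` in the Caddyfile must match the entrypoints configured in the prerequisite step (`devture_traefik_additional_entrypoints_auto` in configuring-playbook-own-webserver.md), so add a sentence to that effect. The path `inventory/host_vars/matrix./vars.yml` is missing its domain component. The closing `I have not tested this though.` reads as a personal aside; either describe the extra-service block as a tested procedure or mark it as untested in neutral wording.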
@@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git" matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}" -matrix_hookshot_version: 4.1.0 +matrix_hookshot_version: 4.0.0 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}" matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}" From b9d9a41ea671d35171fc938d8068cf27d37d988a Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 26 May 2023 19:28:27 +0000 Subject: [PATCH 34/47] update mautrix-telegram 0.13.0 -> 0.14.0 --- roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml index d6f44bbcb..c5b7b9a39 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml 
@@ -17,7 +17,7 @@ matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git" matrix_mautrix_telegram_docker_repo_version: "{{ 'master' if matrix_mautrix_telegram_version == 'latest' else matrix_mautrix_telegram_version }}" matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src" -matrix_mautrix_telegram_version: v0.13.0 +matrix_mautrix_telegram_version: v0.14.0 # See: https://mau.dev/mautrix/telegram/container_registry matrix_mautrix_telegram_docker_image: "{{ matrix_mautrix_telegram_docker_image_name_prefix }}mautrix/telegram:{{ matrix_mautrix_telegram_version }}" matrix_mautrix_telegram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_telegram_container_image_self_build else 'dock.mau.dev/' }}" From c36fd8cfc29f738143b4212a07f89191574a5f48 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Fri, 26 May 2023 19:29:26 +0000 Subject: [PATCH 35/47] Update synapse 1.84.0 -> 1.84.1 --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 5903eb05b..a0169eb0c 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -4,7 +4,7 @@ matrix_synapse_enabled: true -matrix_synapse_version: v1.84.0 +matrix_synapse_version: v1.84.1 matrix_synapse_username: '' matrix_synapse_uid: '' From 788fa0e766a41761533dd39b466311b71bc41897 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Sat, 27 May 2023 15:59:54 +0000 Subject: [PATCH 36/47] update prometheus-node-exporter 1.5.0 -> 1.6.0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index d6ed01d07..f754b10a7 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -45,7 +45,7 @@ version: v2.44.0-0 name: prometheus - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git - version: v1.5.0-7 + version: v1.6.0-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git name: prometheus_postgres_exporter version: v0.12.0-0 From cfedf675eef97900c76304075e6e42ef1fe2cc04 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 28 May 2023 21:27:03 +0300 Subject: [PATCH 37/47] Upgrade Traefik (v2.9.10-2 -> v2.10.1-0) --- requirements.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements.yml b/requirements.yml index f754b10a7..bd260d6cc 100644 --- a/requirements.yml +++ b/requirements.yml @@ -26,7 +26,7 @@ - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git version: v1.0.0-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: v2.9.10-2 + version: v2.10.1-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: v2.8.1-0 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git @@ -47,7 +47,7 @@ - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git version: v1.6.0-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git - name: prometheus_postgres_exporter version: v0.12.0-0 + name: prometheus_postgres_exporter - src: git+https://gitlab.com/etke.cc/roles/redis.git version: v7.0.10-0 From 90d25bccd274b2edb89876da7ec090730f9441a9 Mon Sep 17 00:00:00 2001 From: Luke D Iremadze Date: Mon, 29 May 2023 03:10:07 -0600 Subject: [PATCH 38/47] Update prerequisites.md These ports need to be open in order to receive emails to the Postmoogle bridge --- docs/prerequisites.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/prerequisites.md b/docs/prerequisites.md index be60a5f45..5fa2b1d2a 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md 
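Review bot: the second requirements.yml hunk in PATCH 37 swaps the `name:` and `version:` lines of `prometheus_postgres_exporter`, which is unrelated to the Traefik `v2.9.10-2 -> v2.10.1-0` bump named in the subject; keep it in a separate commit or mention it in the message so the reorder is not mistaken for a version change during review.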
@@ -40,6 +40,8 @@ If your distro runs within an [LXC container](https://linuxcontainers.org/), you - `5349/udp`: TURN over UDP (used by Coturn) - `8448/tcp`: Matrix Federation API HTTPS webserver. In some cases, this **may necessary even with federation disabled**. Integration Servers (like Dimension) and Identity Servers (like ma1sd) may need to access `openid` APIs on the federation port. - the range `49152-49172/udp`: TURN over UDP + - `25/tcp`: SMTP over TCP (used by Postmoogle) + - `587/tcp`: TLS over TCP (used by Postmoogle) - potentially some other ports, depending on the additional (non-default) services that you enable in the **configuring the playbook** step (later on). Consult each service's documentation page in `docs/` for that. When ready to proceed, continue with [Configuring DNS](configuring-dns.md). From 67bcf4bc8ae93796831898ff99fc1c58689036ea Mon Sep 17 00:00:00 2001 From: Luke D Iremadze Date: Mon, 29 May 2023 04:03:31 -0600 Subject: [PATCH 39/47] Updates to the Postmoogle documentation --- docs/configuring-playbook-bot-postmoogle.md | 37 ++++++++++++++++++- docs/prerequisites.md | 2 - .../matrix-bot-postmoogle/defaults/main.yml | 8 ++-- 3 files changed, 39 insertions(+), 8 deletions(-) diff --git a/docs/configuring-playbook-bot-postmoogle.md b/docs/configuring-playbook-bot-postmoogle.md index 0fa366935..4d4ba520e 100644 --- a/docs/configuring-playbook-bot-postmoogle.md +++ b/docs/configuring-playbook-bot-postmoogle.md 
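Review bot: `587/tcp`: TLS over TCP is not an accurate label: 587 is the SMTP submission port (SMTP upgraded with STARTTLS); the `25/tcp`: SMTP entry is fine. Also, Postmoogle is an optional component, and this list already ends with a line deferring optional services to their own docs pages, so these two ports belong on the Postmoogle page rather than in the general prerequisites (PATCH 39 in this series does move them there).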
@@ -4,12 +4,29 @@ The playbook can install and configure [Postmoogle](https://gitlab.com/etke.cc/postmoogle) for you. -It's a bot/bridge you can use to forward emails to Matrix rooms +It's a bot/bridge you can use to forward emails to Matrix rooms. +Postmoogle runs an email server through SMTP and allaws you to create mailboxes to the domain you define in the DNS settings. See the project's [documentation](https://gitlab.com/etke.cc/postmoogle) to learn what it does and why it might be useful to you. +## Prerequisites -## Adjusting the playbook configuration +### Ports + +Open the following ports to your server (without it you will not recive email, but you can still send): + - `25/tcp`: SMTP + - `587/tcp`: TLS-encrypted SMTP + +You can change the above default ports through the following variables in the playbook: + +```yaml +# on-host ports +matrix_bot_postmoogle_smtp_host_bind_port: '25' +matrix_bot_postmoogle_submission_host_bind_port: '587' +``` + + +### Adjusting the playbook configuration Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: @@ -23,6 +40,13 @@ matrix_bot_postmoogle_enabled: true matrix_bot_postmoogle_password: PASSWORD_FOR_THE_BOT ``` +Add an admin to Postmoogle with: +```yaml +matrix_bot_postmoogle_admins: + - '@yourAdminAccount:domain.com' +``` + +### DNS You will also need to add several DNS records so that postmoogle can send emails. See [Configuring DNS](configuring-dns.md). @@ -51,3 +75,12 @@ Then send `!pm mailbox NAME` to expose this Matrix room as an inbox with the ema Send `!pm help` to the room to see the bot's help menu for additional commands. You can also refer to the upstream [documentation](https://gitlab.com/etke.cc/postmoogle). + +### Debug/Logs +In case you need to debug declare: + +```yaml +matrix_bot_postmoogle_loglevel: 'DEBUG' +``` + +And access it through `journalctl -fu matrix-bot-postmoogle` \ No newline at end of file 
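Review bot: `allaws` should be `allows` and `recive` should be `receive`, and the file now ends without a trailing newline (`\ No newline at end of file`); please add one. The `### Ports` text presents `matrix_bot_postmoogle_smtp_host_bind_port` and `matrix_bot_postmoogle_submission_host_bind_port` as a way to change the ports, but remote mail servers deliver only to the standard 25 and 587, so describe them as bind-port overrides rather than a free choice. The admins example `'@yourAdminAccount:domain.com'` is correctly quoted; a one-line remark that the quotes are required (a bare `@` is a reserved indicator in YAML) would save users who copy an unquoted MXID from a cryptic parse error. For the `### Debug/Logs` section, state whether `DEBUG` output includes message content or addresses, since journal logs are often retained and shipped elsewhere.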
diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 5fa2b1d2a..be60a5f45 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -40,8 +40,6 @@ If your distro runs within an [LXC container](https://linuxcontainers.org/), you - `5349/udp`: TURN over UDP (used by Coturn) - `8448/tcp`: Matrix Federation API HTTPS webserver. In some cases, this **may necessary even with federation disabled**. Integration Servers (like Dimension) and Identity Servers (like ma1sd) may need to access `openid` APIs on the federation port. - the range `49152-49172/udp`: TURN over UDP - - `25/tcp`: SMTP over TCP (used by Postmoogle) - - `587/tcp`: TLS over TCP (used by Postmoogle) - potentially some other ports, depending on the additional (non-default) services that you enable in the **configuring the playbook** step (later on). Consult each service's documentation page in `docs/` for that. When ready to proceed, continue with [Configuring DNS](configuring-dns.md). diff --git a/roles/custom/matrix-bot-postmoogle/defaults/main.yml b/roles/custom/matrix-bot-postmoogle/defaults/main.yml index 4eeb835be..0c9db2d70 100644 --- a/roles/custom/matrix-bot-postmoogle/defaults/main.yml +++ b/roles/custom/matrix-bot-postmoogle/defaults/main.yml @@ -81,10 +81,10 @@ matrix_bot_postmoogle_maxsize: '1024' # A list of admins # Example set of rules: # matrix_bot_postmoogle_admins: -# - @someone:example.com -# - @another:example.com -# - @bot.*:example.com -# - @*:another.com +# - '@someone:example.com' +# - '@another:example.com' +# - '@bot.*:example.com' +# - '@*:another.com' matrix_bot_postmoogle_admins: "{{ [matrix_admin] if matrix_admin else [] }}" # Sentry DSN. Deprecated, use matrix_bot_postmoogle_monitoring_sentry_dsn From d3f85c5c7ca53610aa1233f542fd004cabc36daa Mon Sep 17 00:00:00 2001 
From: anytimesoon Date: Mon, 29 May 2023 19:05:05 +0200 Subject: [PATCH 40/47] Update configuring-playbook-bot-chatgpt.md added an extra step to creating the chatgpt bot so it can read encrypted messages --- docs/configuring-playbook-bot-chatgpt.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bot-chatgpt.md b/docs/configuring-playbook-bot-chatgpt.md index 7a006816d..fa7972cae 100644 --- a/docs/configuring-playbook-bot-chatgpt.md +++ b/docs/configuring-playbook-bot-chatgpt.md @@ -20,10 +20,12 @@ ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.chatgpt ``` -## 2. Get an access token +## 2. Get an access token and create encryption keys Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md). +To make sure the bot can read encrypted messages, it will need an encryption key, just like any other new user. While obtaining the access token, follow the prompts to setup a backup key. More information can be found in the [element documentation](https://element.io/help#encryption6). + ## 3. Adjusting the playbook configuration From 127b60a1cec2c12623ce7637c2f18ab123a2af0b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 30 May 2023 09:09:24 +0300 Subject: [PATCH 41/47] Fixing typos and rewording --- docs/configuring-playbook-bot-postmoogle.md | 40 +++++++++++---------- 1 file changed, 21 insertions(+), 19 deletions(-) diff --git a/docs/configuring-playbook-bot-postmoogle.md b/docs/configuring-playbook-bot-postmoogle.md index 4d4ba520e..b66285a51 100644 --- a/docs/configuring-playbook-bot-postmoogle.md +++ b/docs/configuring-playbook-bot-postmoogle.md 
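Review bot: In the `docs/configuring-playbook-bot-chatgpt.md` hunk (`@@ -20,10 +20,12 @@`), "setup a backup key" should be "set up a backup key" (verb). More importantly, the sentence first says the bot "will need an encryption key, just like any other new user" and then tells the reader to "follow the prompts to setup a backup key"; device encryption keys and a key backup (recovery key) are different things, so please name the one the bot actually needs for reading encrypted messages and say where its value ends up, otherwise readers cannot tell whether skipping the backup prompt breaks decryption. The `element.io/help#encryption6` anchor should also be checked, since fragment links on that help page are not stable.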
@@ -5,25 +5,22 @@ The playbook can install and configure [Postmoogle](https://gitlab.com/etke.cc/postmoogle) for you. It's a bot/bridge you can use to forward emails to Matrix rooms. -Postmoogle runs an email server through SMTP and allaws you to create mailboxes to the domain you define in the DNS settings. +Postmoogle runs an SMTP email server and allows you to assign mailbox addresses to Matrix rooms. See the project's [documentation](https://gitlab.com/etke.cc/postmoogle) to learn what it does and why it might be useful to you. ## Prerequisites -### Ports +### Networking + +Open the following ports on your server to be able to receive incoming emails: -Open the following ports to your server (without it you will not recive email, but you can still send): - `25/tcp`: SMTP - - `587/tcp`: TLS-encrypted SMTP + - `587/tcp`: Submission (TLS-encrypted SMTP) -You can change the above default ports through the following variables in the playbook: +If you don't open these ports, you will still be able to send emails, but not receive any. -```yaml -# on-host ports -matrix_bot_postmoogle_smtp_host_bind_port: '25' -matrix_bot_postmoogle_submission_host_bind_port: '587' -``` +These port numbers are configurable via the `matrix_bot_postmoogle_smtp_host_bind_port` and `matrix_bot_postmoogle_submission_host_bind_port` variables, but other email servers will try to deliver on these default (standard) ports, so changing them is of little use. ### Adjusting the playbook configuration 
@@ -38,16 +35,20 @@ matrix_bot_postmoogle_enabled: true # Generate a strong password here. Consider generating it with `pwgen -s 64 1` matrix_bot_postmoogle_password: PASSWORD_FOR_THE_BOT -``` -Add an admin to Postmoogle with: -```yaml -matrix_bot_postmoogle_admins: - - '@yourAdminAccount:domain.com' +# Uncomment to add one or more admins to this bridge: +# +# matrix_bot_postmoogle_admins: +# - '@yourAdminAccount:domain.com' +# +# .. unless you've made yourself an admin of all bridges like this: +# +# matrix_admin: '@yourAdminAccount:domain.com' ``` ### DNS -You will also need to add several DNS records so that postmoogle can send emails. + +You will also need to add several DNS records so that Postmoogle can send emails. See [Configuring DNS](configuring-dns.md). @@ -77,10 +78,11 @@ Send `!pm help` to the room to see the bot's help menu for additional commands. You can also refer to the upstream [documentation](https://gitlab.com/etke.cc/postmoogle). ### Debug/Logs -In case you need to debug declare: + +As with all other services, you can find their logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by running something like `journalctl -fu matrix-bot-postmoogle` + +The default logging level for this bridge is `INFO`, but you can increase it to `DEBUG` with the following additional configuration: ```yaml matrix_bot_postmoogle_loglevel: 'DEBUG' ``` - -And access it through `journalctl -fu matrix-bot-postmoogle` \ No newline at end of file From dca6db15daf35c1c08e25b24639ce1a039ffe88c Mon Sep 17 00:00:00 2001 From: Sergio Durigan Junior Date: Tue, 30 May 2023 22:59:33 -0400 Subject: [PATCH 42/47] Fix prefix path when loading Hydrogen's theme-element.json This is needed when using a prefix path that doesn't end with a slash. Signed-off-by: Sergio Durigan Junior --- roles/custom/matrix-client-hydrogen/templates/config.json.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
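Review bot: In the admins hunk (`@@ -38,16 +35,20 @@`), the comment `# .. unless you've made yourself an admin of all bridges like this:` uses a two-dot ellipsis; use `...` or rephrase as `# This is unnecessary if you have already made yourself an admin of all bridges:`. Also state which one wins when both `matrix_bot_postmoogle_admins` and `matrix_admin` are set, since the defaults file derives the former from the latter and a reader of the docs cannot tell whether the explicit list replaces or extends it.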
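Review bot: In the Debug/Logs hunk (`@@ -77,10 +78,11 @@`), the sentence ending in `` `journalctl -fu matrix-bot-postmoogle` `` has no terminating period. Since the new text introduces the default `INFO` level, it would help to add one sentence saying that `matrix_bot_postmoogle_loglevel: 'DEBUG'` stays in effect until the line is removed from `vars.yml` and the playbook is re-run, so users do not leave the bridge at debug verbosity permanently.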
diff --git a/roles/custom/matrix-client-hydrogen/templates/config.json.j2 b/roles/custom/matrix-client-hydrogen/templates/config.json.j2 index e503c105b..519d22615 100644 --- a/roles/custom/matrix-client-hydrogen/templates/config.json.j2 +++ b/roles/custom/matrix-client-hydrogen/templates/config.json.j2 @@ -3,7 +3,7 @@ "defaultHomeServer": {{ matrix_client_hydrogen_default_hs_url | string | to_json }}, "bugReportEndpointUrl": {{ matrix_client_hydrogen_bugReportEndpointUrl | to_json }}, "themeManifests": [ - "{{ matrix_client_hydrogen_path_prefix }}assets/theme-element.json" + "{{ '' if matrix_client_hydrogen_path_prefix == '/' else matrix_client_hydrogen_path_prefix }}/assets/theme-element.json" ], "defaultTheme": { "light": "element-light", From e53c6c802004b89eea994b127b82f60ac012a617 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 26 May 2023 10:17:20 +0300 Subject: [PATCH 43/47] Revert "Revert "Update hookshot 4.0.0 -> 4.1.0"" This reverts commit f98f803b4404c739e19da6b27fd857ceaac93880. As the docker image has been released for this version we can now upgrade to this version --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 18fc01525..247c542b7 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml 
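Review bot: In the `config.json.j2` hunk (`@@ -3,7 +3,7 @@`), the new expression fixes the case described in the commit message (a prefix without a trailing slash, and the bare `/` prefix), but a prefix configured with a trailing slash, such as `/hydrogen/`, now renders as `/hydrogen//assets/theme-element.json`, a regression from the previous line. Stripping the trailing slash covers all three cases in one expression: `"{{ matrix_client_hydrogen_path_prefix.rstrip('/') }}/assets/theme-element.json"` (Jinja2 exposes Python string methods, and `'/'.rstrip('/')` yields the empty string, so the `== '/'` special case is no longer needed). It would also be worth documenting the expected form of `matrix_client_hydrogen_path_prefix` in the role defaults so the template does not have to guess.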
@@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git" matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}" -matrix_hookshot_version: 4.0.0 +matrix_hookshot_version: 4.1.0 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}" matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}" From 795ce3e21dfe041db83d3fbbc9143684a5f1c273 Mon Sep 17 00:00:00 2001 From: Catalan Lover Date: Thu, 1 Jun 2023 02:14:55 +0200 Subject: [PATCH 44/47] Update Draupnir to 1.83.0 from 1.82.0 --- roles/custom/matrix-bot-draupnir/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-draupnir/defaults/main.yml b/roles/custom/matrix-bot-draupnir/defaults/main.yml index 6ee99a358..bd0e2defa 100644 --- a/roles/custom/matrix-bot-draupnir/defaults/main.yml +++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml @@ -4,7 +4,7 @@ matrix_bot_draupnir_enabled: true -matrix_bot_draupnir_version: "v1.82.0" +matrix_bot_draupnir_version: "v1.83.0" matrix_bot_draupnir_container_image_self_build: false matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/Gnuxie/Draupnir.git" From 4acb54f7967445f3ccfc8685fdf988f0f14b7d57 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Thu, 1 Jun 2023 08:18:49 +0000 Subject: [PATCH 45/47] Update mautrix-facebook 0.4.1 -> 0.5.0 --- roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml index ba718a668..dcd9fdfa0 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -7,7 +7,7 @@ matrix_mautrix_facebook_enabled: true matrix_mautrix_facebook_container_image_self_build: false matrix_mautrix_facebook_container_image_self_build_repo: "https://mau.dev/mautrix/facebook.git" -matrix_mautrix_facebook_version: v0.4.1 +matrix_mautrix_facebook_version: v0.5.0 matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}mautrix/facebook:{{ matrix_mautrix_facebook_version }}" matrix_mautrix_facebook_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_facebook_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}" From 3f89e6191554da62df958bf83eaefedaa4669a2d Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Thu, 1 Jun 2023 08:21:16 +0000 Subject: [PATCH 46/47] Update mautrix-instagram 0.2.3 -> 0.3.0 --- roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml index ef696fa80..2288fb776 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml 
@@ -8,7 +8,7 @@ matrix_mautrix_instagram_container_image_self_build: false matrix_mautrix_instagram_container_image_self_build_repo: "https://github.com/mautrix/instagram.git" matrix_mautrix_instagram_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_instagram_version == 'latest' else matrix_mautrix_instagram_version }}" -matrix_mautrix_instagram_version: v0.2.3 +matrix_mautrix_instagram_version: v0.3.0 # See: https://mau.dev/tulir/mautrix-instagram/container_registry matrix_mautrix_instagram_docker_image: "{{ matrix_mautrix_instagram_docker_image_name_prefix }}mautrix/instagram:{{ matrix_mautrix_instagram_version }}" matrix_mautrix_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_instagram_container_image_self_build else 'dock.mau.dev/' }}" From 0a3e93e47c55c96ba60ed6102ebe72a0172891e7 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Thu, 1 Jun 2023 08:22:35 +0000 Subject: [PATCH 47/47] Update chatgpt 3.1.0 -> 3.1.2 --- roles/custom/matrix-bot-chatgpt/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-chatgpt/defaults/main.yml b/roles/custom/matrix-bot-chatgpt/defaults/main.yml index 36cc60c0e..00eae1676 100644 --- a/roles/custom/matrix-bot-chatgpt/defaults/main.yml +++ b/roles/custom/matrix-bot-chatgpt/defaults/main.yml @@ -4,7 +4,7 @@ matrix_bot_chatgpt_enabled: true -matrix_bot_chatgpt_version: 3.1.0 +matrix_bot_chatgpt_version: 3.1.2 matrix_bot_chatgpt_container_image_self_build: false matrix_bot_chatgpt_container_image_self_build_repo: "https://github.com/matrixgpt/matrix-chatgpt-bot"