diff --git a/README.md b/README.md index ff93cd1f6..8b0265092 100644 --- a/README.md +++ b/README.md @@ -79,7 +79,7 @@ Extend and modify how users are authenticated on your homeserver. | ---- | -------- | ----------- | ------------- | | [matrix-synapse-rest-auth](https://github.com/ma1uta/matrix-synapse-rest-password-provider) (advanced) | x | REST authentication password provider module | [Link](docs/configuring-playbook-rest-auth.md) | |[matrix-synapse-shared-secret-auth](https://github.com/devture/matrix-synapse-shared-secret-auth) (advanced) | x | Password provider module | [Link](docs/configuring-playbook-shared-secret-auth.md) | -| [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) (advanced) | x | LDAP Auth password provider module | [Link](configuring-playbook-ldap-auth.md) | +| [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) (advanced) | x | LDAP Auth password provider module | [Link](docs/configuring-playbook-ldap-auth.md) | | [matrix-ldap-registration-proxy](https://gitlab.com/activism.international/matrix_ldap_registration_proxy) (advanced) | x | A proxy that handles Matrix registration requests and forwards them to LDAP. | [Link](docs/configuring-playbook-matrix-ldap-registration-proxy.md) | | [matrix-registration](https://github.com/ZerataX/matrix-registration) | x | A simple python application to have a token based matrix registration | [Link](docs/configuring-playbook-matrix-registration.md) | diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 4157231a5..1213f46a7 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -165,7 +165,7 @@ jitsi_prosody_max_participants: 4 # example value By default, a single JVB ([Jitsi VideoBridge](https://github.com/jitsi/jitsi-videobridge)) is deployed on the same host as the Matrix server. To allow more video-conferences to happen at the same time, you may need to provision additional JVB services on other hosts. There is an ansible playbook that can be run with the following tag: -` ansible-playbook -i inventory/hosts --limit jitsi_jvb_servers jitsi_jvb.yml --tags=common,setup-additional-jitsi-jvb,start` +`ansible-playbook -i inventory/hosts --limit jitsi_jvb_servers jitsi_jvb.yml --tags=common,setup-additional-jitsi-jvb,start` For this role to work you will need an additional section in the ansible hosts file with the details of the JVB hosts, for example: ``` @@ -208,6 +208,16 @@ However, it can also be set the ip address of the matrix server. This can be use jitsi_xmpp_server: "192.168.0.1" ``` +For the JVB to be able to contact the XMPP server, the latter must expose the XMPP port (5222). By default, the Matrix server does not expose the +port; only the XMPP container exposes it internally inside the host, which means that the first JVB (which runs on the Matrix server) can reach it but +the additional JVB cannot. The port is exposed by setting `jitsi_prosody_container_jvb_host_bind_port` like this: + +```yaml +jitsi_prosody_container_jvb_host_bind_port: 5222 +``` + +(The default is empty; if it's set then docker forwards the port.) + The nginx configuration will also need to be updated in order to deal with the additional JVB servers. This is achieved via its own configuration variable `matrix_nginx_proxy_proxy_jitsi_additional_jvbs`, which contains a dictionary of server ids to ip addresses. diff --git a/docs/configuring-playbook-synapse-s3-storage-provider.md b/docs/configuring-playbook-synapse-s3-storage-provider.md index d5d5ca5e2..9fb26212a 100644 --- a/docs/configuring-playbook-synapse-s3-storage-provider.md +++ b/docs/configuring-playbook-synapse-s3-storage-provider.md @@ -30,13 +30,23 @@ After [creating the S3 bucket and configuring it](configuring-playbook-s3.md#buc ```yaml matrix_synapse_ext_synapse_s3_storage_provider_enabled: true + matrix_synapse_ext_synapse_s3_storage_provider_config_bucket: your-bucket-name matrix_synapse_ext_synapse_s3_storage_provider_config_region_name: some-region-name # e.g. eu-central-1 matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url: https://s3.REGION_NAME.amazonaws.com # adjust this -matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: access-key-goes-here -matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: secret-key-goes-here matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class: STANDARD # or STANDARD_IA, etc. +# Authentication Method 1 - (access key id + secret) +# This works on all providers (AWS and other compatible systems). +# Uncomment the variables below to use it. +# matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: access-key-goes-here +# matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: secret-key-goes-here + +# Authentication Method 2 - EC2 instance profile which grants permission to access S3 +# This only works on AWS when your server is hosted on an EC2 instance with the correct instance profile set. +# Uncomment the variable below to use it. +# matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile: true + # For additional advanced settings, take a look at `roles/custom/matrix-synapse/defaults/main.yml` ``` @@ -103,9 +113,17 @@ docker.io/amazon/aws-cli:2.9.16 \ -c 'aws s3 sync /work/. s3://$BUCKET/' ``` +#### Copying data to an S3 alternative using the aws-s3 tool + +To copy to a provider other than AWS S3 (e.g. Wasabi, Digital Ocean Spaces, etc.), you can use the command for [Copying data to Amazon S3](#copying-data-to-amazon-s3) with an added `--endpoint-url=$ENDPOINT` argument. + +Add this argument to the command **as-is** (`$ENDPOINT` is an environment variable corresponding to `matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url`, so you don't need to touch it). Make sure to add the argument **before** the final quote (`'`) of the command. + #### Copying data to Backblaze B2 -To copy to Backblaze B2, start a container on the Matrix server like this: +You can copy files to Backblaze B2 either by following the [Copying data to an S3 alternative using the aws-s3 tool](#copying-data-to-an-s3-alternative-using-the-aws-s3-tool) or by using the B2-specific [b2 command-line tool](https://www.backblaze.com/b2/docs/quick_command_line.html) as described below. + +To copy the data using the `b2` tool, start a container on the Matrix server like this: ```sh docker run -it --rm \ diff --git a/docs/howto-server-delegation.md b/docs/howto-server-delegation.md index e9ca5bde6..e9a6b23d8 100644 --- a/docs/howto-server-delegation.md +++ b/docs/howto-server-delegation.md @@ -49,6 +49,7 @@ To use DNS SRV record validation, you need to: - ensure that you are serving the Matrix Federation API (tcp/8448) with a certificate for `` (not `matrix.`!). Getting this certificate to the `matrix.` server may be complicated. The playbook's automatic SSL obtaining/renewal flow will likely not work and you'll need to copy certificates around manually. See below. +For more details on [how to configure the playbook to work with SRV delegation](howto-srv-server-delegation.md) ### Obtaining certificates diff --git a/docs/howto-srv-server-delegation.md b/docs/howto-srv-server-delegation.md new file mode 100644 index 000000000..a1afe59de --- /dev/null +++ b/docs/howto-srv-server-delegation.md @@ -0,0 +1,206 @@ +# Server Delegation via a DNS SRV record (advanced) + +**Reminder** : unless you are affected by the [Downsides of well-known-based Server Delegation](howto-server-delegation.md#downsides-of-well-known-based-server-delegation), we suggest you **stay on the simple/default path**: [Server Delegation](howto-server-delegation.md) by [configuring well-known files](configuring-well-known.md) at the base domain. + +This guide is about configuring Server Delegation using DNS SRV records (for the [Traefik](https://doc.traefik.io/traefik/) webserver). This method has special requirements when it comes to SSL certificates, so various changes are required. + +## Prerequisites + +SRV delegation while still using the playbook provided Traefik to get / renew the certificate requires a wildcard certificate. + +To obtain / renew one from [Let's Encrypt](https://letsencrypt.org/), one needs to use a [DNS-01 challenge](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge) method instead of the default [HTTP-01](https://letsencrypt.org/docs/challenge-types/#http-01-challenge). + +This means that this is **limited to the list of DNS providers supported by Traefik**, unless you bring in your own certificate. + +The up-to-date list can be accessed on [traefik's documentation](https://doc.traefik.io/traefik/https/acme/#providers) + +## The changes + +### Federation Endpoint + +```yaml +# To serve the federation from any domain, as long as the path match +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: PathPrefix(`/_matrix`) +``` + +This is because with SRV federation, some servers / tools (one of which being the federation tester) try to access the federation API using the resolved IP address instead of the domain name (or they are not using SNI). This change will make Traefik route all traffic for which the path match this rule go to the federation endpoint. + +### Tell Traefik which certificate to serve for the federation endpoint + +Now that the federation endpoint is not bound to a domain anymore we need to explicitely tell Traefik to use a wildcard certificate in addition to one containing the base name. + +This is because the matrix specification expects the federation endpoint to be served using a certificate comatible with the base domain, however, the other resources on the endpoint still need a valid certificate to work. + +```yaml +# To let Traefik know which domains' certificates to serve +matrix_nginx_proxy_container_labels_additional_labels: | + traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.main="example.com" + traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.sans="*.example.com" +``` + +### Configure the DNS-01 challenge for let's encrypt + +Since we're now requesting a wildcard certificate, we need to change the ACME challenge method. To request a wildcard certificate from Let's Encrypt we are required to use the DNS-01 challenge. + +This will need 3 changes: +1. Add a new certificate resolver that works with DNS-01 +2. Configure the resolver to allow access to the DNS zone to configure the records to answer the challenge (refer to [Traefik's documentation](https://doc.traefik.io/traefik/https/acme/#providers) to know which environment variables to set) +3. Tell the playbook to use the new resolver as default + +We cannot just disable the default resolver as that would disable SSL in quite a few places in the playbook. + +```yaml +# 1. Add a new ACME configuration without having to disable the default one, since it would have a wide range of side effects +devture_traefik_configuration_extension_yaml: | + certificatesResolvers: + dns: + acme: + # To use a staging endpoint for testing purposes, uncomment the line below. + # caServer: https://acme-staging-v02.api.letsencrypt.org/directory + email: {{ devture_traefik_config_certificatesResolvers_acme_email | to_json }} + dnsChallenge: + provider: cloudflare + resolvers: + - "1.1.1.1:53" + - "8.8.8.8:53" + storage: {{ devture_traefik_config_certificatesResolvers_acme_storage | to_json }} + +# 2. Configure the environment variables needed by Rraefik to automate the ACME DNS Challenge (example for Cloudflare) +devture_traefik_environment_variables: | + CF_API_EMAIL=redacted + CF_ZONE_API_TOKEN=redacted + CF_DNS_API_TOKEN=redacted + LEGO_DISABLE_CNAME_SUPPORT=true + +# 3. Instruct the playbook to use the new ACME configuration +devture_traefik_certResolver_primary: dns +``` + +## Adjust Coturn's configuration + +The last step is to alter the generated Coturn configuration. + +By default, Coturn is configured to wait on the certificate for the `matrix.` subdomain using an [instantiated systemd service](https://www.freedesktop.org/software/systemd/man/systemd.service.html#Service%20Templates) using the domain name as the parameter for this service. However, we need to serve the wildcard certificate, which is incompatible with systemd, it will try to expand the `*`, which will break and prevent Coturn from starting. + +We also need to indicate to Coturn where the wildcard certificate is. + +**⚠ WARNING ⚠** : On first start of the services, Coturn might still fail to start because Traefik is still in the process of obtaining the certificates. If you still get an error, make sure Traefik obtained the certificates and restart the Coturn service (`just start-group coturn`). + +This should not happen again afterwards as Traefik will renew certificates well before their expiry date, and the Coturn service is setup to restart periodically. + +```yaml +# Only depend on docker.service, this removes the dependency on the certificate exporter, might imply the need to manually restart coturn on the first installation once the certificates are obtained, afterwards, the reload service should handle things +matrix_coturn_systemd_required_services_list: ['docker.service'] + +# This changes the path of the loaded certificate, while maintaining the original functionality, we're now loading the wildcard certificate. +matrix_coturn_container_additional_volumes: | + {{ + ( + [ + { + 'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/fullchain.pem'), + 'dst': '/fullchain.pem', + 'options': 'ro', + }, + { + 'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/privkey.pem'), + 'dst': '/privkey.pem', + 'options': 'ro', + }, + ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] and matrix_coturn_tls_enabled else [] + ) + + + ( + [ + { + 'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/certificate.crt'), + 'dst': '/certificate.crt', + 'options': 'ro', + }, + { + 'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/privatekey.key'), + 'dst': '/privatekey.key', + 'options': 'ro', + }, + ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else [] + ) + }} +``` + +## Full example of a working configuration + +```yaml +# Choosing the reverse proxy implementation +matrix_playbook_reverse_proxy_type: playbook-managed-traefik +devture_traefik_config_certificatesResolvers_acme_email: redacted@example.com + +# To serve the federation from any domain, as long as the path match +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: PathPrefix(`/_matrix`) + +# To let Traefik know which domains' certificates to serve +matrix_nginx_proxy_container_labels_additional_labels: | + traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.main="example.com" + traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.sans="*.example.com" + +# Add a new ACME configuration without having to disable the default one, since it would have a wide range of side effects +devture_traefik_configuration_extension_yaml: | + certificatesResolvers: + dns: + acme: + # To use a staging endpoint for testing purposes, uncomment the line below. + # caServer: https://acme-staging-v02.api.letsencrypt.org/directory + email: {{ devture_traefik_config_certificatesResolvers_acme_email | to_json }} + dnsChallenge: + provider: cloudflare + resolvers: + - "1.1.1.1:53" + - "8.8.8.8:53" + storage: {{ devture_traefik_config_certificatesResolvers_acme_storage | to_json }} + +# Instruct thep laybook to use the new ACME configuration +devture_traefik_certResolver_primary: "dns" + +# Configure the environment variables needed by Traefik to automate the ACME DNS Challenge (example for Cloudflare) +devture_traefik_environment_variables: | + CF_API_EMAIL=redacted + CF_ZONE_API_TOKEN=redacted + CF_DNS_API_TOKEN=redacted + LEGO_DISABLE_CNAME_SUPPORT=true + +# Only depend on docker.service, this removes the dependency on the certificate exporter, might imply the need to manually restart Coturn on the first installation once the certificates are obtained, afterwards, the reload service should handle things +matrix_coturn_systemd_required_services_list: ['docker.service'] + +# This changes the path of the loaded certificate, while maintaining the original functionality, we're now loading the wildcard certificate. +matrix_coturn_container_additional_volumes: | + {{ + ( + [ + { + 'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/fullchain.pem'), + 'dst': '/fullchain.pem', + 'options': 'ro', + }, + { + 'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/privkey.pem'), + 'dst': '/privkey.pem', + 'options': 'ro', + }, + ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] and matrix_coturn_tls_enabled else [] + ) + + + ( + [ + { + 'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/certificate.crt'), + 'dst': '/certificate.crt', + 'options': 'ro', + }, + { + 'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/privatekey.key'), + 'dst': '/privatekey.key', + 'options': 'ro', + }, + ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else [] + ) + }} +``` diff --git a/examples/hosts b/examples/hosts index ba08107b9..cb6459f97 100644 --- a/examples/hosts +++ b/examples/hosts @@ -2,7 +2,9 @@ # If you'd rather use a local IP here, make sure to set up `matrix_coturn_turn_external_ip_address`. # # To connect using a non-root user (and elevate to root with sudo later), -# replace `ansible_ssh_user=root` with something like this: `ansible_ssh_user=username become=true become_user=root` +# replace `ansible_ssh_user=root` with something like this: `ansible_ssh_user=username become=true become_user=root`. +# If sudo requires a password, either add `become_password=PASSWORD_HERE` to the host line +# or tell Ansible to ask you for the password interactively by adding a `--ask-become-pass` (`-K`) flag to all `ansible-playbook` (or `just`) commands. # # For improved Ansible performance, SSH pipelining is enabled by default in `ansible.cfg`. # If this causes SSH connection troubles, disable it by adding `ansible_ssh_pipelining=False` diff --git a/group_vars/jitsi_jvb_servers b/group_vars/jitsi_jvb_servers new file mode 100644 index 000000000..af927c9f1 --- /dev/null +++ b/group_vars/jitsi_jvb_servers @@ -0,0 +1,11 @@ +jitsi_architecture: "{{ matrix_architecture }}" +jitsi_hostname: "{{ matrix_server_fqn_jitsi }}" +jitsi_uid: "{{ matrix_user_uid }}" +jitsi_gid: "{{ matrix_user_gid }}" + +devture_systemd_service_manager_services_list_auto: | + {{ + ([{'name': (jitsi_identifier + '-jvb.service'), 'priority': 4100, 'groups': ['matrix', 'jitsi', 'jitsi-jvb']}] if jitsi_enabled else []) + }} + +matrix_playbook_docker_installation_enabled: true diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index a17e968b2..461e27512 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -192,7 +192,7 @@ matrix_homeserver_app_service_config_files_auto: | # This list is not exhaustive and final. # Synapse workers are still injected into the list at runtime. -# Additional JVB workers (playbooks/jitsi_jvb.yml -- roles/galaxy/jitsi/tasks/init_additional_jvb.yml) override this variable at runtime as well. +# Additional JVB workers (jitsi_jvb.yml -- roles/galaxy/jitsi/tasks/init_additional_jvb.yml) override this variable at runtime as well. # # Priority levels are like this: # - core services (the homeserver) get a level of ~1000 diff --git a/jitsi_jvb.yml b/jitsi_jvb.yml new file mode 100644 index 000000000..16acd0ee6 --- /dev/null +++ b/jitsi_jvb.yml @@ -0,0 +1,35 @@ +--- +- name: "Set up additional Jitsi JVB servers" + hosts: "jitsi_jvb_servers" + become: true + + roles: + - role: galaxy/com.devture.ansible.role.playbook_help + - role: galaxy/com.devture.ansible.role.systemd_docker_base + + - when: matrix_playbook_docker_installation_enabled | bool + role: galaxy/geerlingguy.docker + vars: + docker_install_compose: false + tags: + - setup-docker + - setup-all + - setup-additional-jitsi-jvb + - install-docker + - install-all + + - when: devture_docker_sdk_for_python_installation_enabled | bool + role: galaxy/com.devture.ansible.role.docker_sdk_for_python + tags: + - setup-docker + - setup-all + - setup-additional-jitsi-jvb + - install-docker + - install-all + + - custom/matrix-base + - galaxy/jitsi + - custom/matrix-common-after + + - when: devture_systemd_service_manager_enabled | bool + role: galaxy/com.devture.ansible.role.systemd_service_manager diff --git a/playbooks/jitsi_jvb.yml b/playbooks/jitsi_jvb.yml deleted file mode 100644 index 4054d308c..000000000 --- a/playbooks/jitsi_jvb.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- name: "Set up additional Jitsi JVB servers" - hosts: "jitsi_jvb_servers" - become: true - - roles: - - role: galaxy/com.devture.ansible.role.playbook_help - - role: galaxy/com.devture.ansible.role.systemd_docker_base - - - custom/matrix-base - - galaxy/jitsi - - custom/matrix-common-after diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml deleted file mode 100755 index 9ce1aebea..000000000 --- a/playbooks/matrix.yml +++ /dev/null @@ -1,143 +0,0 @@ ---- -- name: "Set up a Matrix server" - hosts: "{{ target if target is defined else 'matrix_servers' }}" - become: true - - roles: - # Most of the roles below are not distributed with the playbook, but downloaded separately using `ansible-galaxy` via the `just roles` command (see `justfile`). - - role: galaxy/com.devture.ansible.role.playbook_help - - - role: galaxy/com.devture.ansible.role.systemd_docker_base - - - role: custom/matrix_playbook_migration - - - when: matrix_playbook_docker_installation_enabled | bool - role: galaxy/geerlingguy.docker - vars: - docker_install_compose: false - tags: - - setup-docker - - setup-all - - install-docker - - install-all - - - when: devture_docker_sdk_for_python_installation_enabled | bool - role: galaxy/com.devture.ansible.role.docker_sdk_for_python - tags: - - setup-docker - - setup-all - - install-docker - - install-all - - - when: devture_timesync_installation_enabled | bool - role: galaxy/com.devture.ansible.role.timesync - tags: - - setup-timesync - - setup-all - - install-timesync - - install-all - - - custom/matrix-base - - custom/matrix-dynamic-dns - - custom/matrix-mailer - - - role: galaxy/com.devture.ansible.role.postgres - - - galaxy/redis - - custom/matrix-corporal - - custom/matrix-bridge-appservice-discord - - custom/matrix-bridge-appservice-slack - - custom/matrix-bridge-appservice-webhooks - - custom/matrix-bridge-appservice-irc - - custom/matrix-bridge-appservice-kakaotalk - - custom/matrix-bridge-beeper-linkedin - - custom/matrix-bridge-go-skype-bridge - - custom/matrix-bridge-mautrix-facebook - - custom/matrix-bridge-mautrix-twitter - - custom/matrix-bridge-mautrix-hangouts - - custom/matrix-bridge-mautrix-googlechat - - custom/matrix-bridge-mautrix-instagram - - custom/matrix-bridge-mautrix-signal - - custom/matrix-bridge-mautrix-telegram - - custom/matrix-bridge-mautrix-whatsapp - - custom/matrix-bridge-mautrix-discord - - custom/matrix-bridge-mautrix-slack - - custom/matrix-bridge-mx-puppet-discord - - custom/matrix-bridge-mx-puppet-groupme - - custom/matrix-bridge-mx-puppet-steam - - custom/matrix-bridge-mx-puppet-slack - - custom/matrix-bridge-mx-puppet-twitter - - custom/matrix-bridge-mx-puppet-instagram - - custom/matrix-bridge-sms - - custom/matrix-bridge-heisenbridge - - custom/matrix-bridge-hookshot - - custom/matrix-bot-matrix-reminder-bot - - custom/matrix-bot-matrix-registration-bot - - custom/matrix-bot-maubot - - custom/matrix-bot-buscarron - - custom/matrix-bot-honoroit - - custom/matrix-bot-postmoogle - - custom/matrix-bot-go-neb - - custom/matrix-bot-mjolnir - - custom/matrix-bot-draupnir - - custom/matrix-bot-chatgpt - - custom/matrix-cactus-comments - - custom/matrix-rageshake - - custom/matrix-synapse - - custom/matrix-synapse-auto-compressor - - custom/matrix-synapse-reverse-proxy-companion - - custom/matrix-dendrite - - custom/matrix-conduit - - custom/matrix-synapse-admin - - galaxy/prometheus_node_exporter - - galaxy/prometheus_postgres_exporter - - custom/matrix-prometheus-nginxlog-exporter - - galaxy/prometheus - - galaxy/grafana - - custom/matrix-prometheus-services-connect - - custom/matrix-prometheus-services-proxy-connect - - custom/matrix-registration - - custom/matrix-client-element - - custom/matrix-client-hydrogen - - custom/matrix-client-cinny - - galaxy/jitsi - - custom/matrix-user-verification-service - - custom/matrix-ldap-registration-proxy - - custom/matrix-ma1sd - - custom/matrix-dimension - - galaxy/etherpad - - custom/etherpad-proxy-connect - - custom/matrix-sliding-sync - - custom/matrix-email2matrix - - custom/matrix-sygnal - - galaxy/ntfy - - custom/matrix-nginx-proxy - - custom/matrix-coturn - - - role: galaxy/aux - - - role: galaxy/com.devture.ansible.role.postgres_backup - - - role: galaxy/backup_borg - - - custom/matrix-user-creator - - custom/matrix-common-after - - - role: galaxy/com.devture.ansible.role.container_socket_proxy - - - role: galaxy/com.devture.ansible.role.traefik - - - role: galaxy/com.devture.ansible.role.traefik_certs_dumper - - - when: devture_systemd_service_manager_enabled | bool - role: galaxy/com.devture.ansible.role.systemd_service_manager - - # This is pretty much last, because we want it to better serve as a "last known good configuration". - # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2217#issuecomment-1301487601 - - when: devture_playbook_state_preserver_enabled | bool - role: galaxy/com.devture.ansible.role.playbook_state_preserver - tags: - - setup-all - - install-all - - - role: galaxy/com.devture.ansible.role.playbook_runtime_messages diff --git a/requirements.yml b/requirements.yml index 3c2572ab3..5a20ffe83 100644 --- a/requirements.yml +++ b/requirements.yml @@ -2,9 +2,9 @@ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git version: v1.0.0-1 - name: aux + name: auxiliary - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git - version: v1.2.4-1.7.13-0 + version: v1.2.4-1.7.15-0 - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git version: v0.1.1-2 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git @@ -26,28 +26,28 @@ - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git version: v1.0.0-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: v2.10.1-1 + version: v2.10.3-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: v2.8.1-0 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git - version: v1.8.18-2 + version: v1.9.0-0 - src: git+https://github.com/geerlingguy/ansible-role-docker version: 6.1.0 name: geerlingguy.docker - src: git+https://gitlab.com/etke.cc/roles/grafana.git - version: v9.5.2-0 + version: v10.0.1-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git version: v8615-0 name: jitsi - src: git+https://gitlab.com/etke.cc/roles/ntfy.git - version: v2.5.0-0 + version: v2.6.2-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git - version: v2.44.0-0 + version: v2.45.0-0 name: prometheus - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git version: v1.6.0-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git - version: v0.12.0-0 + version: v0.13.1-0 name: prometheus_postgres_exporter - src: git+https://gitlab.com/etke.cc/roles/redis.git version: v7.0.10-0 diff --git a/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml b/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml index ffcae97f1..75e9de550 100644 --- a/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml +++ b/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml @@ -111,7 +111,7 @@ matrix_beeper_linkedin_configuration_extension: "{{ matrix_beeper_linkedin_confi matrix_beeper_linkedin_configuration: "{{ matrix_beeper_linkedin_configuration_yaml | from_yaml | combine(matrix_beeper_linkedin_configuration_extension, recursive=True) }}" matrix_beeper_linkedin_registration_yaml: | - id: linkedin + id: beeper_linkedin url: {{ matrix_beeper_linkedin_appservice_address }} as_token: "{{ matrix_beeper_linkedin_appservice_token }}" hs_token: "{{ matrix_beeper_linkedin_homeserver_token }}" diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 247c542b7..3c1ba5193 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml @@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git" matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}" -matrix_hookshot_version: 4.1.0 +matrix_hookshot_version: 4.4.0 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}" matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}" diff --git a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml index 98291d80d..dbb73aa45 100644 --- a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mautrix_discord_container_image_self_build: false matrix_mautrix_discord_container_image_self_build_repo: "https://mau.dev/mautrix/discord.git" matrix_mautrix_discord_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_discord_version == 'latest' else matrix_mautrix_discord_version }}" -matrix_mautrix_discord_version: v0.4.0 +matrix_mautrix_discord_version: v0.5.0 # See: https://mau.dev/mautrix/discord/container_registry matrix_mautrix_discord_docker_image: "{{ matrix_mautrix_discord_docker_image_name_prefix }}mautrix/discord:{{ matrix_mautrix_discord_version }}" matrix_mautrix_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_discord_container_image_self_build else 'dock.mau.dev/' }}" diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml index 85f07b9d9..de0123043 100644 --- a/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mautrix_googlechat_container_image_self_build: false matrix_mautrix_googlechat_container_image_self_build_repo: "https://github.com/mautrix/googlechat.git" matrix_mautrix_googlechat_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_googlechat_version == 'latest' else matrix_mautrix_googlechat_version }}" -matrix_mautrix_googlechat_version: v0.4.0 +matrix_mautrix_googlechat_version: v0.5.0 # See: https://mau.dev/mautrix/googlechat/container_registry matrix_mautrix_googlechat_docker_image: "{{ matrix_mautrix_googlechat_docker_image_name_prefix }}mautrix/googlechat:{{ matrix_mautrix_googlechat_version }}" matrix_mautrix_googlechat_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_googlechat_container_image_self_build else 'dock.mau.dev/' }}" diff --git a/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 index 830adca71..1949a2532 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 @@ -143,15 +143,15 @@ bridge: # application service. encryption: # Allow encryption, work in group chat rooms with e2ee enabled - allow: {{ matrix_mautrix_discord_bridge_encryption_allow|to_json }} + allow: {{ matrix_mautrix_instagram_bridge_encryption_allow|to_json }} # Default to encryption, force-enable encryption in all portals the bridge creates # This will cause the bridge bot to be in private chats for the encryption to work properly. - default: {{ matrix_mautrix_discord_bridge_encryption_default|to_json }} + default: {{ matrix_mautrix_instagram_bridge_encryption_default|to_json }} # Options for automatic key sharing. key_sharing: # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. # You must use a client that supports requesting keys from other users to use this feature. - allow: {{ matrix_mautrix_discord_bridge_encryption_key_sharing_allow|to_json }} + allow: {{ matrix_mautrix_instagram_bridge_encryption_key_sharing_allow|to_json }} # Require the requesting device to have a valid cross-signing signature? # This doesn't require that the bridge has verified the device, only that the user has verified it. # Not yet implemented. diff --git a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml index c5b7b9a39..79f835932 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -17,7 +17,7 @@ matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git" matrix_mautrix_telegram_docker_repo_version: "{{ 'master' if matrix_mautrix_telegram_version == 'latest' else matrix_mautrix_telegram_version }}" matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src" -matrix_mautrix_telegram_version: v0.14.0 +matrix_mautrix_telegram_version: v0.14.1 # See: https://mau.dev/mautrix/telegram/container_registry matrix_mautrix_telegram_docker_image: "{{ matrix_mautrix_telegram_docker_image_name_prefix }}mautrix/telegram:{{ matrix_mautrix_telegram_version }}" matrix_mautrix_telegram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_telegram_container_image_self_build else 'dock.mau.dev/' }}" diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 20cafa7ad..9ee461b5c 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mautrix_whatsapp_container_image_self_build: false matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautrix/whatsapp.git" matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}" -matrix_mautrix_whatsapp_version: v0.8.5 +matrix_mautrix_whatsapp_version: v0.8.6 # See: https://mau.dev/mautrix/whatsapp/container_registry matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_name_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}" matrix_mautrix_whatsapp_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_whatsapp_container_image_self_build else 'dock.mau.dev/' }}" diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 109b42e87..368639cb0 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml @@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.11.31 +matrix_client_element_version: v1.11.35 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" diff --git a/roles/custom/matrix-client-hydrogen/defaults/main.yml b/roles/custom/matrix-client-hydrogen/defaults/main.yml index f3ddb81b6..de16c8b69 100644 --- a/roles/custom/matrix-client-hydrogen/defaults/main.yml +++ b/roles/custom/matrix-client-hydrogen/defaults/main.yml @@ -6,7 +6,7 @@ matrix_client_hydrogen_enabled: true matrix_client_hydrogen_container_image_self_build: false matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git" -matrix_client_hydrogen_version: v0.3.8 +matrix_client_hydrogen_version: v0.4.0 matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vector-im/hydrogen-web:{{ matrix_client_hydrogen_version }}" matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build else 'ghcr.io/' }}" matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" diff --git a/roles/custom/matrix-coturn/defaults/main.yml b/roles/custom/matrix-coturn/defaults/main.yml index ebeed45f6..dd25df709 100644 --- a/roles/custom/matrix-coturn/defaults/main.yml +++ b/roles/custom/matrix-coturn/defaults/main.yml @@ -8,7 +8,7 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}" matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile" -matrix_coturn_version: 4.6.1-r3 +matrix_coturn_version: 4.6.2-r4 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine" matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml index 3c083b99d..1a83c7039 100644 --- a/roles/custom/matrix-dendrite/defaults/main.yml +++ b/roles/custom/matrix-dendrite/defaults/main.yml @@ -10,7 +10,7 @@ matrix_dendrite_container_image_self_build_repo: "https://github.com/matrix-org/ matrix_dendrite_docker_image_path: "matrixdotorg/dendrite-monolith" matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}{{ matrix_dendrite_docker_image_path }}:{{ matrix_dendrite_docker_image_tag }}" matrix_dendrite_docker_image_name_prefix: "{{ 'localhost/' if matrix_dendrite_container_image_self_build else matrix_container_global_registry_prefix }}" -matrix_dendrite_docker_image_tag: "v0.12.0" +matrix_dendrite_docker_image_tag: "v0.13.0" matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite" diff --git a/roles/custom/matrix-dynamic-dns/defaults/main.yml b/roles/custom/matrix-dynamic-dns/defaults/main.yml index 08cf023ca..6369f1096 100644 --- a/roles/custom/matrix-dynamic-dns/defaults/main.yml +++ b/roles/custom/matrix-dynamic-dns/defaults/main.yml @@ -7,7 +7,7 @@ matrix_dynamic_dns_enabled: true # The dynamic dns daemon interval matrix_dynamic_dns_daemon_interval: '300' -matrix_dynamic_dns_version: v3.10.0-ls111 +matrix_dynamic_dns_version: v3.10.0-ls126 # The docker container to use when in mode matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}" diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index 77e501b7c..8ad11b375 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml @@ -1,7 +1,7 @@ --- # Project source code URL: https://github.com/nginx/nginx matrix_nginx_proxy_enabled: true -matrix_nginx_proxy_version: 1.23.3-alpine +matrix_nginx_proxy_version: 1.25.1-alpine # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml index 364cf2c7e..048ded6bb 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml @@ -25,7 +25,7 @@ matrix_synapse_reverse_proxy_companion_enabled: true -matrix_synapse_reverse_proxy_companion_version: 1.23.3-alpine +matrix_synapse_reverse_proxy_companion_version: 1.25.1-alpine matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion" matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d" diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 4376a960e..768c71594 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -4,7 +4,7 @@ matrix_synapse_enabled: true -matrix_synapse_version: v1.84.1 +matrix_synapse_version: v1.87.0 matrix_synapse_username: '' matrix_synapse_uid: '' @@ -789,11 +789,10 @@ matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: fals # Enable this to activate the Shared Secret Auth password provider module. # See: https://github.com/devture/matrix-synapse-shared-secret-auth matrix_synapse_ext_password_provider_shared_secret_auth_enabled: false -matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/2.0.2/shared_secret_authenticator.py" +matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/2.0.3/shared_secret_authenticator.py" matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "" matrix_synapse_ext_password_provider_shared_secret_auth_m_login_password_support_enabled: true -# We'd like to enable this, but it causes trouble for Element: https://github.com/vector-im/element-web/issues/19605 -matrix_synapse_ext_password_provider_shared_secret_auth_com_devture_shared_secret_auth_support_enabled: false +matrix_synapse_ext_password_provider_shared_secret_auth_com_devture_shared_secret_auth_support_enabled: true matrix_synapse_ext_password_provider_shared_secret_config: "{{ matrix_synapse_ext_password_provider_shared_secret_config_yaml | from_yaml }}" matrix_synapse_ext_password_provider_shared_secret_config_yaml: | shared_secret: {{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret | string | to_json }} @@ -886,6 +885,9 @@ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name: '' matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url: '' matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: '' matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: '' +# Enable this to use EC2 instance profile metadata to grab IAM credentials instead of passing credentials directly +# via matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id and matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key +matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile: false matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled: false matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key: '' matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo: 'AES256' diff --git a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml index 317269b3c..406f186dc 100644 --- a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml +++ b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml @@ -1,5 +1,4 @@ --- - - name: Fail if required s3-storage-provider settings not defined ansible.builtin.fail: msg: >- @@ -8,9 +7,16 @@ with_items: - "matrix_synapse_ext_synapse_s3_storage_provider_config_bucket" - "matrix_synapse_ext_synapse_s3_storage_provider_config_region_name" + - "matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url" + +- name: Fail if required s3-storage-provider auth settings not defined when not using an EC2 profile + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`) for using s3-storage-provider. + when: "not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile | bool and vars[item] == ''" + with_items: - "matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id" - "matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key" - - "matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url" - name: Fail if required matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url looks invalid ansible.builtin.fail: diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 index 58d262558..227fd89e4 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 @@ -1,5 +1,7 @@ +{% if not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile | bool %} AWS_ACCESS_KEY_ID={{ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id }} AWS_SECRET_ACCESS_KEY={{ matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key }} +{% endif %} AWS_DEFAULT_REGION={{ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name }} ENDPOINT={{ matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url }} diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 index ac2b58dbb..97387e55c 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 @@ -6,8 +6,10 @@ config: bucket: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_bucket | to_json }} region_name: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name | to_json }} endpoint_url: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url | to_json }} +{% if not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile | bool %} access_key_id: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id | to_json }} secret_access_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key | to_json }} +{% endif %} {% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %} sse_customer_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key | to_json }} diff --git a/roles/custom/matrix-synapse/vars/main.yml b/roles/custom/matrix-synapse/vars/main.yml index 0c6d6296c..9ac7afeb7 100644 --- a/roles/custom/matrix-synapse/vars/main.yml +++ b/roles/custom/matrix-synapse/vars/main.yml @@ -153,7 +153,6 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/client/v1/rooms/.*/hierarchy$ - ^/_matrix/client/(v1|unstable)/rooms/.*/relations/ - ^/_matrix/client/v1/rooms/.*/threads$ - - ^/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$ - ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$ - ^/_matrix/client/(r0|v3|unstable)/account/3pid$ - ^/_matrix/client/(r0|v3|unstable)/account/whoami$ diff --git a/setup.yml b/setup.yml deleted file mode 120000 index 7acc4c4c9..000000000 --- a/setup.yml +++ /dev/null @@ -1 +0,0 @@ -playbooks/matrix.yml \ No newline at end of file diff --git a/setup.yml b/setup.yml new file mode 100644 index 000000000..266f3b9e5 --- /dev/null +++ b/setup.yml @@ -0,0 +1,143 @@ +--- +- name: "Set up a Matrix server" + hosts: "{{ target if target is defined else 'matrix_servers' }}" + become: true + + roles: + # Most of the roles below are not distributed with the playbook, but downloaded separately using `ansible-galaxy` via the `just roles` command (see `justfile`). + - role: galaxy/com.devture.ansible.role.playbook_help + + - role: galaxy/com.devture.ansible.role.systemd_docker_base + + - role: custom/matrix_playbook_migration + + - when: matrix_playbook_docker_installation_enabled | bool + role: galaxy/geerlingguy.docker + vars: + docker_install_compose: false + tags: + - setup-docker + - setup-all + - install-docker + - install-all + + - when: devture_docker_sdk_for_python_installation_enabled | bool + role: galaxy/com.devture.ansible.role.docker_sdk_for_python + tags: + - setup-docker + - setup-all + - install-docker + - install-all + + - when: devture_timesync_installation_enabled | bool + role: galaxy/com.devture.ansible.role.timesync + tags: + - setup-timesync + - setup-all + - install-timesync + - install-all + + - custom/matrix-base + - custom/matrix-dynamic-dns + - custom/matrix-mailer + + - role: galaxy/com.devture.ansible.role.postgres + + - galaxy/redis + - custom/matrix-corporal + - custom/matrix-bridge-appservice-discord + - custom/matrix-bridge-appservice-slack + - custom/matrix-bridge-appservice-webhooks + - custom/matrix-bridge-appservice-irc + - custom/matrix-bridge-appservice-kakaotalk + - custom/matrix-bridge-beeper-linkedin + - custom/matrix-bridge-go-skype-bridge + - custom/matrix-bridge-mautrix-facebook + - custom/matrix-bridge-mautrix-twitter + - custom/matrix-bridge-mautrix-hangouts + - custom/matrix-bridge-mautrix-googlechat + - custom/matrix-bridge-mautrix-instagram + - custom/matrix-bridge-mautrix-signal + - custom/matrix-bridge-mautrix-telegram + - custom/matrix-bridge-mautrix-whatsapp + - custom/matrix-bridge-mautrix-discord + - custom/matrix-bridge-mautrix-slack + - custom/matrix-bridge-mx-puppet-discord + - custom/matrix-bridge-mx-puppet-groupme + - custom/matrix-bridge-mx-puppet-steam + - custom/matrix-bridge-mx-puppet-slack + - custom/matrix-bridge-mx-puppet-twitter + - custom/matrix-bridge-mx-puppet-instagram + - custom/matrix-bridge-sms + - custom/matrix-bridge-heisenbridge + - custom/matrix-bridge-hookshot + - custom/matrix-bot-matrix-reminder-bot + - custom/matrix-bot-matrix-registration-bot + - custom/matrix-bot-maubot + - custom/matrix-bot-buscarron + - custom/matrix-bot-honoroit + - custom/matrix-bot-postmoogle + - custom/matrix-bot-go-neb + - custom/matrix-bot-mjolnir + - custom/matrix-bot-draupnir + - custom/matrix-bot-chatgpt + - custom/matrix-cactus-comments + - custom/matrix-rageshake + - custom/matrix-synapse + - custom/matrix-synapse-auto-compressor + - custom/matrix-synapse-reverse-proxy-companion + - custom/matrix-dendrite + - custom/matrix-conduit + - custom/matrix-synapse-admin + - galaxy/prometheus_node_exporter + - galaxy/prometheus_postgres_exporter + - custom/matrix-prometheus-nginxlog-exporter + - galaxy/prometheus + - galaxy/grafana + - custom/matrix-prometheus-services-connect + - custom/matrix-prometheus-services-proxy-connect + - custom/matrix-registration + - custom/matrix-client-element + - custom/matrix-client-hydrogen + - custom/matrix-client-cinny + - galaxy/jitsi + - custom/matrix-user-verification-service + - custom/matrix-ldap-registration-proxy + - custom/matrix-ma1sd + - custom/matrix-dimension + - galaxy/etherpad + - custom/etherpad-proxy-connect + - custom/matrix-sliding-sync + - custom/matrix-email2matrix + - custom/matrix-sygnal + - galaxy/ntfy + - custom/matrix-nginx-proxy + - custom/matrix-coturn + + - role: galaxy/auxiliary + + - role: galaxy/com.devture.ansible.role.postgres_backup + + - role: galaxy/backup_borg + + - custom/matrix-user-creator + - custom/matrix-common-after + + - role: galaxy/com.devture.ansible.role.container_socket_proxy + + - role: galaxy/com.devture.ansible.role.traefik + + - role: galaxy/com.devture.ansible.role.traefik_certs_dumper + + - when: devture_systemd_service_manager_enabled | bool + role: galaxy/com.devture.ansible.role.systemd_service_manager + + # This is pretty much last, because we want it to better serve as a "last known good configuration". + # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2217#issuecomment-1301487601 + - when: devture_playbook_state_preserver_enabled | bool + role: galaxy/com.devture.ansible.role.playbook_state_preserver + tags: + - setup-all + - install-all + + - role: galaxy/com.devture.ansible.role.playbook_runtime_messages