diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml
index d1d3bf27e..090e9c7c0 100644
--- a/roles/matrix-base/defaults/main.yml
+++ b/roles/matrix-base/defaults/main.yml
@@ -76,6 +76,8 @@ matrix_host_command_fusermount: "/usr/bin/env fusermount"
 matrix_host_command_openssl: "/usr/bin/env openssl"
 matrix_host_command_systemctl: "/usr/bin/env systemctl"
 matrix_host_command_sh: "/usr/bin/env sh"
+matrix_host_command_iptables: "/usr/bin/env iptables"
+matrix_host_command_ip6tables: "/usr/bin/env ip6tables"
 
 matrix_ntpd_package: "ntp"
 matrix_ntpd_service: "{{ 'ntpd' if ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux' else 'ntp' }}"
@@ -115,6 +117,9 @@ matrix_client_element_e2ee_secure_backup_setup_methods: []
 # The Docker network that all services would be put into
 matrix_docker_network: "matrix"
 
+# Controls whether we'll enable IPv6 in docker
+matrix_docker_ipv6_enabled: true
+
 # Controls whether we'll preserve the vars.yml file on the Matrix server.
 # If you have a differently organized inventory, you may wish to disable this feature,
 # or to repoint `matrix_vars_yml_snapshotting_src` to the file you'd like to preserve.
diff --git a/roles/matrix-base/tasks/server_base/docker_ipv6.yml b/roles/matrix-base/tasks/server_base/docker_ipv6.yml
new file mode 100644
index 000000000..ea1f477e0
--- /dev/null
+++ b/roles/matrix-base/tasks/server_base/docker_ipv6.yml
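Review bot: `matrix_host_command_iptables` is added here but nothing else in this change reads it; only `matrix_host_command_ip6tables` is consumed (by the new matrix-ip6tables.service.j2). Unused defaults in this file tend to linger, so either drop the IPv4 entry until a task actually uses it, or add a one-line comment above it saying what it is reserved for so the next reader does not go looking for a caller.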
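Review bot: `matrix_docker_ipv6_enabled: true` switches a host-level firewall change on by default, and the one-line comment above it does not say so: on enabled hosts the new matrix-ip6tables.service appends an ip6tables POSTROUTING MASQUERADE rule and sets the host's IPv6 FORWARD chain policy to ACCEPT. Operators upgrading existing servers will get that without opting in, so it is worth spelling out, e.g. `# Controls whether we'll enable IPv6 in docker. When enabled, a matrix-ip6tables.service is installed that adds an ip6tables NAT rule for fd00::/80 and sets the host's IPv6 FORWARD policy to ACCEPT.` Whether a change of that scope should default to `false` is a project decision, but the comment should at least let the reader make it knowingly.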
@@ -0,0 +1,47 @@
+---
+
+- block:
+  - name: Ensure matrix-ip6tables.service exists
+    template:
+      src: "{{ role_path }}/templates/{{ item }}.j2"
+      dest: "{{ matrix_systemd_path }}/{{ item }}"
+      owner: "root"
+      group: "root"
+      mode: 0644
+    with_items:
+      - matrix-ip6tables.service
+    register: matrix_ip6tables_systemd_service_result
+
+  - name: Ensure systemd reloaded after matrix-ip6tables.service installation
+    service:
+      daemon_reload: yes
+    when: "matrix_ip6tables_systemd_service_result.changed"
+
+  - name: Ensure matrix-ip6tables.service is started and autoruns
+    service:
+      name: matrix-ip6tables
+      state: started
+      enabled: yes
+
+  when: "matrix_docker_ipv6_enabled|bool"
+
+
+- block:
+  - name: Check existence of matrix-ip6tables service
+    stat:
+      path: "{{ matrix_systemd_path }}/matrix-ip6tables.service"
+    register: matrix_ip6tables_service_stat
+
+  - name: Ensure matrix-ip6tables.service doesn't exist
+    file:
+      path: "{{ matrix_systemd_path }}/matrix-ip6tables.service"
+      state: absent
+    when: "matrix_ip6tables_service_stat.stat.exists"
+
+  - name: Ensure systemd reloaded after matrix-ip6tables.service removal
+    service:
+      daemon_reload: yes
+    when: "matrix_ip6tables_service_stat.stat.exists"
+
+  when: "not matrix_docker_ipv6_enabled|bool"
+
diff --git a/roles/matrix-base/tasks/server_base/setup.yml b/roles/matrix-base/tasks/server_base/setup.yml
index 64f461ef1..89a48b661 100644
--- a/roles/matrix-base/tasks/server_base/setup.yml
+++ b/roles/matrix-base/tasks/server_base/setup.yml
@@ -27,6 +27,8 @@
 - include_tasks: "{{ role_path }}/tasks/server_base/setup_archlinux.yml"
   when: ansible_distribution == 'Archlinux'
 
+- include_tasks: "{{ role_path }}/tasks/server_base/docker_ipv6.yml"
+
 - name: Ensure Docker is started and autoruns
   service:
     name: docker
diff --git a/roles/matrix-base/tasks/setup_matrix_base.yml b/roles/matrix-base/tasks/setup_matrix_base.yml
index 0fad2b3d6..d6f2b80bb 100644
--- a/roles/matrix-base/tasks/setup_matrix_base.yml
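Review bot: The "started and autoruns" task uses `state: started` on a unit that the new template declares as `Type=oneshot` without `RemainAfterExit=yes`, so systemd reports it inactive as soon as its ExecStart lines finish and Ansible starts it again on every playbook run, re-appending the same POSTROUTING rule each time (`-A` never checks for an existing duplicate). The fix belongs in the unit (`RemainAfterExit=yes`), but this task is where the repeated starts originate, so it is worth a comment here too. In the disable block, deleting the unit file does not touch rules an earlier run already installed; they stay until reboot, which deserves a comment such as `# Removing the unit does not undo ip6tables rules added by an earlier start; they persist until reboot` or an explicit cleanup step. Smaller points: `with_items` with a single literal item can be written as a plain `dest` path, and `mode: 0644` is safer quoted as `mode: "0644"` so the parser cannot reinterpret the leading-zero literal.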
+++ b/roles/matrix-base/tasks/setup_matrix_base.yml
@@ -23,6 +23,10 @@
   docker_network:
     name: "{{ matrix_docker_network }}"
     driver: bridge
+    enable_ipv6: " {{ matrix_docker_ipv6_enabled|bool }}"
+    ipam_config:
+      - subnet: "fd00::/80"
+  register: matrix_docker_network_info
 
 - name: Ensure matrix-remove-all script created
   template:
diff --git a/roles/matrix-base/templates/matrix-ip6tables.service.j2 b/roles/matrix-base/templates/matrix-ip6tables.service.j2
new file mode 100644
index 000000000..ff5bdd50c
--- /dev/null
+++ b/roles/matrix-base/templates/matrix-ip6tables.service.j2
@@ -0,0 +1,16 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix ip6tables rule to enable IPv6 internet access from containers
+DefaultDependencies=no
+
+[Service]
+Type=oneshot
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
+
+ExecStart={{ matrix_host_command_ip6tables }} -t nat -A POSTROUTING -s fd00::/80 ! -o docker0 -j MASQUERADE
+ExecStart={{ matrix_host_command_ip6tables }} -P FORWARD ACCEPT
+
+SyslogIdentifier=matrix-ip6tables
+
+[Install]
+WantedBy=multi-user.target
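Review bot: `enable_ipv6: " {{ matrix_docker_ipv6_enabled|bool }}"` has a stray space inside the quotes, so the module receives the string `" True"`/`" False"` rather than a boolean; Ansible's bool coercion appears to strip whitespace, so it likely still works, but it should read `enable_ipv6: "{{ matrix_docker_ipv6_enabled|bool }}"`. The `ipam_config` entry with `fd00::/80` is passed even when IPv6 is disabled, and the same literal is hard-coded a second time in matrix-ip6tables.service.j2, so the two can silently drift; defining it once as a role default (a `matrix_docker_ipv6_subnet`-style variable, name to taste) and making the ipam entry conditional on `matrix_docker_ipv6_enabled` avoids both problems. `register: matrix_docker_network_info` is not read anywhere in this change, so either drop it or note the intended consumer. The task's `- name:` line is outside the hunk; note too that changing `enable_ipv6`/`ipam_config` on an already-created network may cause the module to recreate it, which is worth a comment for operators upgrading in place.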
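Review bot: `-P FORWARD ACCEPT` changes the host's default IPv6 forwarding policy for all traffic, not just the fd00::/80 container subnet, and the unit has no ExecStop to revert either rule, so the widened policy outlives the service. Scoped rules limit the exposure to what the containers need: `ExecStart={{ matrix_host_command_ip6tables }} -A FORWARD -s fd00::/80 -j ACCEPT` and `ExecStart={{ matrix_host_command_ip6tables }} -A FORWARD -d fd00::/80 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` in place of the policy line. Because the unit is `Type=oneshot` without `RemainAfterExit=yes`, every start re-runs the `-A` commands and accumulates duplicate rules; add `RemainAfterExit=yes` under `[Service]` so a completed run counts as active. The MASQUERADE rule excludes `docker0`, but the matrix network is a user-defined bridge with its own interface, so presumably the intent mirrors Docker's IPv4 rule that excludes the network's own bridge rather than the default one; worth confirming which interface should be excluded. `DefaultDependencies=no` drops the default ordering, so without an explicit `After=`/`Before=` the unit has no defined position relative to docker.service or network bring-up; if early execution is intended, a comment saying so would help.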