diff --git a/roles/custom/matrix-conduwuit/defaults/main.yml b/roles/custom/matrix-conduwuit/defaults/main.yml
deleted file mode 100644
index 17507c824..000000000
--- a/roles/custom/matrix-conduwuit/defaults/main.yml
+++ /dev/null
@@ -1,194 +0,0 @@
-# SPDX-FileCopyrightText: 2025 MDAD project contributors
-# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
----
-# conduwuit is a very cool, featureful fork of conduit (https://gitlab.com/famedly/conduit).
-# Project source code URL: https://github.com/girlbossceo/conduwuit
-# See: https://conduwuit.puppyirl.gay/
-
-matrix_conduwuit_enabled: true
-
-matrix_conduwuit_hostname: ''
-
-matrix_conduwuit_docker_image: "{{ matrix_conduwuit_docker_image_registry_prefix }}girlbossceo/conduwuit:{{ matrix_conduwuit_docker_image_tag }}"
-matrix_conduwuit_docker_image_tag: v0.4.6-8f7ade4c22533a3177bfd8f175e178573ba6c1d4
-matrix_conduwuit_docker_image_force_pull: "{{ matrix_conduwuit_docker_image.endswith(':latest') }}"
-matrix_conduwuit_docker_image_registry_prefix: "{{ matrix_conduwuit_docker_image_registry_prefix_upstream }}"
-matrix_conduwuit_docker_image_registry_prefix_upstream: "{{ matrix_conduwuit_docker_image_registry_prefix_upstream_default }}"
-matrix_conduwuit_docker_image_registry_prefix_upstream_default: ghcr.io/
-
-matrix_conduwuit_base_path: "{{ matrix_base_data_path }}/conduwuit"
-matrix_conduwuit_config_path: "{{ matrix_conduwuit_base_path }}/config"
-matrix_conduwuit_data_path: "{{ matrix_conduwuit_base_path }}/data"
-
-matrix_conduwuit_config_port_number: 6167
-
-matrix_conduwuit_tmp_directory_size_mb: 500
-
-# List of systemd services that matrix-conduwuit.service depends on
-matrix_conduwuit_systemd_required_services_list: "{{ matrix_conduwuit_systemd_required_services_list_default + matrix_conduwuit_systemd_required_services_list_auto + matrix_conduwuit_systemd_required_services_list_custom }}"
-matrix_conduwuit_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
-matrix_conduwuit_systemd_required_services_list_auto: []
-matrix_conduwuit_systemd_required_services_list_custom: []
-
-# List of systemd services that matrix-conduwuit.service wants
-matrix_conduwuit_systemd_wanted_services_list: []
-
-# Controls how long to sleep for after starting the matrix-synapse container.
-#
-# Delaying, so that the homeserver can manage to fully start and various services
-# that depend on it (`matrix_conduwuit_systemd_required_services_list` and `matrix_conduwuit_systemd_wanted_services_list`)
-# may only start after the homeserver is up and running.
-#
-# This can be set to 0 to remove the delay.
-matrix_conduwuit_systemd_service_post_start_delay_seconds: 3
-
-# The base container network. It will be auto-created by this role if it doesn't exist already.
-matrix_conduwuit_container_network: ""
-
-# A list of additional container networks that the container would be connected to.
-# The role does not create these networks, so make sure they already exist.
-# Use this to expose this container to another reverse proxy, which runs in a different container network.
-matrix_conduwuit_container_additional_networks: "{{ matrix_conduwuit_container_additional_networks_auto + matrix_conduwuit_container_additional_networks_custom }}"
-matrix_conduwuit_container_additional_networks_auto: []
-matrix_conduwuit_container_additional_networks_custom: []
-
-# matrix_conduwuit_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
-# See `../templates/labels.j2` for details.
-#
-# To inject your own other container labels, see `matrix_conduwuit_container_labels_additional_labels`.
-matrix_conduwuit_container_labels_traefik_enabled: true
-matrix_conduwuit_container_labels_traefik_docker_network: "{{ matrix_conduwuit_container_network }}"
-matrix_conduwuit_container_labels_traefik_entrypoints: web-secure
-matrix_conduwuit_container_labels_traefik_tls_certResolver: default # noqa var-naming
-
-# Controls whether labels will be added for handling the root (/) path on a public Traefik entrypoint.
-matrix_conduwuit_container_labels_public_client_root_enabled: true
-matrix_conduwuit_container_labels_public_client_root_traefik_hostname: "{{ matrix_conduwuit_hostname }}"
-matrix_conduwuit_container_labels_public_client_root_traefik_rule: "Host(`{{ matrix_conduwuit_container_labels_public_client_root_traefik_hostname }}`) && Path(`/`)"
-matrix_conduwuit_container_labels_public_client_root_traefik_priority: 0
-matrix_conduwuit_container_labels_public_client_root_traefik_entrypoints: "{{ matrix_conduwuit_container_labels_traefik_entrypoints }}"
-matrix_conduwuit_container_labels_public_client_root_traefik_tls: "{{ matrix_conduwuit_container_labels_public_client_root_traefik_entrypoints != 'web' }}"
-matrix_conduwuit_container_labels_public_client_root_traefik_tls_certResolver: "{{ matrix_conduwuit_container_labels_traefik_tls_certResolver }}" # noqa var-naming
-matrix_conduwuit_container_labels_public_client_root_redirection_enabled: false
-matrix_conduwuit_container_labels_public_client_root_redirection_url: ""
-
-# Controls whether labels will be added that expose the Client-Server API on a public Traefik entrypoint.
-matrix_conduwuit_container_labels_public_client_api_enabled: true
-matrix_conduwuit_container_labels_public_client_api_traefik_hostname: "{{ matrix_conduwuit_hostname }}"
-matrix_conduwuit_container_labels_public_client_api_traefik_path_prefix: /_matrix
-matrix_conduwuit_container_labels_public_client_api_traefik_rule: "Host(`{{ matrix_conduwuit_container_labels_public_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_conduwuit_container_labels_public_client_api_traefik_path_prefix }}`)"
-matrix_conduwuit_container_labels_public_client_api_traefik_priority: 0
-matrix_conduwuit_container_labels_public_client_api_traefik_entrypoints: "{{ matrix_conduwuit_container_labels_traefik_entrypoints }}"
-matrix_conduwuit_container_labels_public_client_api_traefik_tls: "{{ matrix_conduwuit_container_labels_public_client_api_traefik_entrypoints != 'web' }}"
-matrix_conduwuit_container_labels_public_client_api_traefik_tls_certResolver: "{{ matrix_conduwuit_container_labels_traefik_tls_certResolver }}" # noqa var-naming
-
-# Controls whether labels will be added that expose the Client-Server API on the internal Traefik entrypoint.
-# This is similar to `matrix_conduwuit_container_labels_public_client_api_enabled`, but the entrypoint and intent is different.
-matrix_conduwuit_container_labels_internal_client_api_enabled: false
-matrix_conduwuit_container_labels_internal_client_api_traefik_path_prefix: "{{ matrix_conduwuit_container_labels_public_client_api_traefik_path_prefix }}"
-matrix_conduwuit_container_labels_internal_client_api_traefik_rule: "PathPrefix(`{{ matrix_conduwuit_container_labels_internal_client_api_traefik_path_prefix }}`)"
-matrix_conduwuit_container_labels_internal_client_api_traefik_priority: "{{ matrix_conduwuit_container_labels_public_client_api_traefik_priority }}"
-matrix_conduwuit_container_labels_internal_client_api_traefik_entrypoints: ""
-
-# Controls whether labels will be added that expose the Server-Server API (Federation API) on a public Traefik entrypoint.
-matrix_conduwuit_container_labels_public_federation_api_enabled: "{{ matrix_conduwuit_config_allow_federation }}"
-matrix_conduwuit_container_labels_public_federation_api_traefik_hostname: "{{ matrix_conduwuit_hostname }}"
-matrix_conduwuit_container_labels_public_federation_api_traefik_path_prefix: /_matrix
-matrix_conduwuit_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_conduwuit_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_conduwuit_container_labels_public_federation_api_traefik_path_prefix }}`)"
-matrix_conduwuit_container_labels_public_federation_api_traefik_priority: 0
-matrix_conduwuit_container_labels_public_federation_api_traefik_entrypoints: ''
-# TLS is force-enabled here, because the spec (https://spec.matrix.org/v1.9/server-server-api/#tls) says that the federation API must use HTTPS.
-matrix_conduwuit_container_labels_public_federation_api_traefik_tls: true
-matrix_conduwuit_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_conduwuit_container_labels_traefik_tls_certResolver }}" # noqa var-naming
-
-# Controls whether labels will be added that expose the `/_conduwuit` path prefix on a public Traefik entrypoint.
-matrix_conduwuit_container_labels_public_conduwuit_api_enabled: true
-matrix_conduwuit_container_labels_public_conduwuit_api_traefik_hostname: "{{ matrix_conduwuit_hostname }}"
-matrix_conduwuit_container_labels_public_conduwuit_api_traefik_path_prefix: /_conduwuit
-matrix_conduwuit_container_labels_public_conduwuit_api_traefik_rule: "Host(`{{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_path_prefix }}`)"
-matrix_conduwuit_container_labels_public_conduwuit_api_traefik_priority: 0
-matrix_conduwuit_container_labels_public_conduwuit_api_traefik_entrypoints: "{{ matrix_conduwuit_container_labels_traefik_entrypoints }}"
-matrix_conduwuit_container_labels_public_conduwuit_api_traefik_tls: "{{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_entrypoints != 'web' }}"
-matrix_conduwuit_container_labels_public_conduwuit_api_traefik_tls_certResolver: "{{ matrix_conduwuit_container_labels_traefik_tls_certResolver }}" # noqa var-naming
-
-# matrix_conduwuit_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
-# See `../templates/labels.j2` for details.
-#
-# Example:
-# matrix_conduwuit_container_labels_additional_labels: |
-# my.label=1
-# another.label="here"
-matrix_conduwuit_container_labels_additional_labels: ''
-
-# Extra arguments for the Docker container
-matrix_conduwuit_container_extra_arguments: []
-
-# Specifies which template files to use when configuring conduwuit.
-# If you'd like to have your own different configuration, feel free to copy and paste
-# the original files into your inventory (e.g. in `inventory/host_vars/matrix.example.com/`)
-# and then change the specific host's `vars.yml` file like this:
-# matrix_conduwuit_template_conduwuit_config: "{{ playbook_dir }}/inventory/host_vars/matrix.example.com/conduwuit.toml.j2"
-matrix_conduwuit_template_conduwuit_config: "{{ role_path }}/templates/conduwuit.toml.j2"
-
-# Max size for uploads, in bytes
-matrix_conduwuit_config_server_name: "{{ matrix_domain }}"
-
-# Max size for uploads, in bytes
-matrix_conduwuit_config_max_request_size: 20_000_000
-
-# Enables registration. If set to false, no users can register on this server.
-matrix_conduwuit_config_allow_registration: false
-
-# Controls the `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` setting.
-# This is only used when `matrix_conduwuit_config_allow_registration` is set to true and no registration token is configured.
-matrix_conduwuit_config_yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse: false
-
-# Controls the `registration_token` setting.
-# When registration is enabled (`matrix_conduwuit_config_allow_registration`) you:
-# - either need to set a token to protect registration from abuse
-# - or you need to enable the `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` setting
-# (see `matrix_conduwuit_config_yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`),
-# to allow registration without any form of 2nd-step.
-matrix_conduwuit_config_registration_token: ''
-
-# Controls the `new_user_displayname_suffix` setting.
-# This is the suffix that will be added to the displayname of new users.
-# Upstream defaults this to "🏳️‍⚧️", but we keep this consistent across all homeserver implementations and do not enable a suffix.
-matrix_conduwuit_config_new_user_displayname_suffix: ""
-
-# Controls the `allow_check_for_updates` setting.
-matrix_conduwuit_config_allow_check_for_updates: false
-
-# Controls the `emergency_password` setting.
-matrix_conduwuit_config_emergency_password: ''
-
-# Controls the `allow_federation` setting.
-matrix_conduwuit_config_allow_federation: true
-
-matrix_conduwuit_trusted_servers:
- - "matrix.org"
-
-matrix_conduwuit_config_log: "info,state_res=warn,rocket=off,_=off,sled=off"
-
-# TURN integration.
-# See: https://conduwuit.puppyirl.gay/turn.html
-matrix_conduwuit_config_turn_uris: []
-matrix_conduwuit_config_turn_secret: ''
-matrix_conduwuit_config_turn_username: ''
-matrix_conduwuit_config_turn_password: ''
-
-# Controls whether the self-check feature should validate SSL certificates.
-matrix_conduwuit_self_check_validate_certificates: true
-
-# Additional environment variables to pass to the container.
-#
-# Environment variables take priority over settings in the configuration file.
-#
-# Example:
-# matrix_conduwuit_environment_variables_extension: |
-# CONDUWUIT_MAX_REQUEST_SIZE=50000000
-# CONDUWUIT_REQUEST_TIMEOUT=60
-matrix_conduwuit_environment_variables_extension: ''
diff --git a/roles/custom/matrix-conduwuit/tasks/install.yml b/roles/custom/matrix-conduwuit/tasks/install.yml
deleted file mode 100644
index aa1e2941b..000000000
--- a/roles/custom/matrix-conduwuit/tasks/install.yml
+++ /dev/null
@@ -1,64 +0,0 @@
-# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
----
-
-- name: Ensure conduwuit config path exists
- ansible.builtin.file:
- path: "{{ matrix_conduwuit_config_path }}"
- state: directory
- mode: 0750
- owner: "{{ matrix_user_name }}"
- group: "{{ matrix_group_name }}"
-
-- name: Ensure conduwuit data path exists
- ansible.builtin.file:
- path: "{{ matrix_conduwuit_data_path }}"
- state: directory
- mode: 0770
- owner: "{{ matrix_user_name }}"
- group: "{{ matrix_group_name }}"
-
-- name: Ensure conduwuit configuration installed
- ansible.builtin.template:
- src: "{{ matrix_conduwuit_template_conduwuit_config }}"
- dest: "{{ matrix_conduwuit_config_path }}/conduwuit.toml"
- mode: 0644
- owner: "{{ matrix_user_name }}"
- group: "{{ matrix_group_name }}"
-
-- name: Ensure conduwuit support files installed
- ansible.builtin.template:
- src: "{{ role_path }}/templates/{{ item }}.j2"
- dest: "{{ matrix_conduwuit_base_path }}/{{ item }}"
- mode: 0640
- owner: "{{ matrix_user_name }}"
- group: "{{ matrix_group_name }}"
- with_items:
- - labels
- - env
-
-- name: Ensure conduwuit container network is created
- community.general.docker_network:
- enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
- name: "{{ matrix_conduwuit_container_network }}"
- driver: bridge
- driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
-
-- name: Ensure conduwuit container image is pulled
- community.docker.docker_image:
- name: "{{ matrix_conduwuit_docker_image }}"
- source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
- force_source: "{{ matrix_conduwuit_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
- force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_conduwuit_docker_image_force_pull }}"
- register: result
- retries: "{{ devture_playbook_help_container_retries_count }}"
- delay: "{{ devture_playbook_help_container_retries_delay }}"
- until: result is not failed
-
-- name: Ensure matrix-conduwuit.service installed
- ansible.builtin.template:
- src: "{{ role_path }}/templates/systemd/matrix-conduwuit.service.j2"
- dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service"
- mode: 0644
diff --git a/roles/custom/matrix-conduwuit/tasks/main.yml b/roles/custom/matrix-conduwuit/tasks/main.yml
deleted file mode 100644
index 425f81bee..000000000
--- a/roles/custom/matrix-conduwuit/tasks/main.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-# SPDX-FileCopyrightText: 2025 MDAD project contributors
-# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
----
-
-- tags:
- - setup-all
- - setup-conduwuit
- - install-all
- - install-conduwuit
- block:
- - when: matrix_conduwuit_enabled | bool
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
-
- - when: matrix_conduwuit_enabled | bool
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml"
-
-- tags:
- - setup-all
- - setup-conduwuit
- block:
- - when: not matrix_conduwuit_enabled | bool
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml"
-
-- tags:
- - self-check
- block:
- - when: matrix_conduwuit_enabled | bool
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_client_api.yml"
-
- - when: matrix_conduwuit_enabled | bool
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml"
diff --git a/roles/custom/matrix-conduwuit/tasks/self_check_client_api.yml b/roles/custom/matrix-conduwuit/tasks/self_check_client_api.yml
deleted file mode 100644
index 5ea3f830f..000000000
--- a/roles/custom/matrix-conduwuit/tasks/self_check_client_api.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
-# SPDX-FileCopyrightText: 2025 Suguru Hirahara
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
----
-
-- name: Check Matrix Client API
- ansible.builtin.uri:
- url: "{{ matrix_conduwuit_client_api_url_endpoint_public }}"
- follow_redirects: none
- validate_certs: "{{ matrix_conduwuit_self_check_validate_certificates }}"
- register: result_matrix_conduwuit_client_api
- ignore_errors: true
- check_mode: false
- when: matrix_conduwuit_enabled | bool
- delegate_to: 127.0.0.1
- become: false
-
-- name: Fail if Matrix Client API not working
- ansible.builtin.fail:
- msg: "Failed checking Matrix Client API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_conduwuit_client_api_url_endpoint_public }}`). Is conduwuit running? Is port 443 open in your firewall? Full error: {{ result_matrix_conduwuit_client_api }}"
- when: "matrix_conduwuit_enabled | bool and (result_matrix_conduwuit_client_api.failed or 'json' not in result_matrix_conduwuit_client_api)"
-
-- name: Report working Matrix Client API
- ansible.builtin.debug:
- msg: "The Matrix Client API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_conduwuit_client_api_url_endpoint_public }}`) is working"
- when: matrix_conduwuit_enabled | bool
diff --git a/roles/custom/matrix-conduwuit/tasks/self_check_federation_api.yml b/roles/custom/matrix-conduwuit/tasks/self_check_federation_api.yml
deleted file mode 100644
index 000a4b608..000000000
--- a/roles/custom/matrix-conduwuit/tasks/self_check_federation_api.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
----
-
-- name: Check Matrix Federation API
- ansible.builtin.uri:
- url: "{{ matrix_synapse_federation_api_url_endpoint_public }}"
- follow_redirects: none
- validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}"
- register: result_matrix_synapse_federation_api
- ignore_errors: true
- check_mode: false
- when: matrix_synapse_enabled | bool
- delegate_to: 127.0.0.1
- become: false
-
-- name: Fail if Matrix Federation API not working
- ansible.builtin.fail:
- msg: "Failed checking Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`). Is Synapse running? Is port {{ matrix_federation_public_port }} open in your firewall? Full error: {{ result_matrix_synapse_federation_api }}"
- when: "matrix_synapse_enabled | bool and matrix_synapse_federation_enabled | bool and (result_matrix_synapse_federation_api.failed or 'json' not in result_matrix_synapse_federation_api)"
-
-- name: Fail if Matrix Federation API unexpectedly enabled
- ansible.builtin.fail:
- msg: "Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`) despite being disabled."
- when: "matrix_synapse_enabled | bool and not matrix_synapse_federation_enabled | bool and not result_matrix_synapse_federation_api.failed"
-
-- name: Report working Matrix Federation API
- ansible.builtin.debug:
- msg: "The Matrix Federation API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`) is working"
- when: "matrix_synapse_enabled | bool and matrix_synapse_federation_enabled | bool"
diff --git a/roles/custom/matrix-conduwuit/tasks/setup_install.yml b/roles/custom/matrix-conduwuit/tasks/setup_install.yml
deleted file mode 100644
index bc51bc3e5..000000000
--- a/roles/custom/matrix-conduwuit/tasks/setup_install.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-# SPDX-FileCopyrightText: 2025 MDAD project contributors
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
----
-
-- name: Ensure conduwuit config path exists
- ansible.builtin.file:
- path: "{{ matrix_conduwuit_config_path }}"
- state: directory
- mode: 0750
- owner: "{{ matrix_user_name }}"
- group: "{{ matrix_group_name }}"
-
-- name: Ensure conduwuit data path exists
- ansible.builtin.file:
- path: "{{ matrix_conduwuit_data_path }}"
- state: directory
- mode: 0770
- owner: "{{ matrix_user_name }}"
- group: "{{ matrix_group_name }}"
-
-- name: Ensure conduwuit configuration installed
- ansible.builtin.template:
- src: "{{ matrix_conduwuit_template_conduwuit_config }}"
- dest: "{{ matrix_conduwuit_config_path }}/conduwuit.toml"
- mode: 0644
- owner: "{{ matrix_user_name }}"
- group: "{{ matrix_group_name }}"
-
-- name: Ensure conduwuit support files installed
- ansible.builtin.template:
- src: "{{ role_path }}/templates/{{ item }}.j2"
- dest: "{{ matrix_conduwuit_base_path }}/{{ item }}"
- mode: 0640
- owner: "{{ matrix_user_name }}"
- group: "{{ matrix_group_name }}"
- with_items:
- - labels
-
-- name: Ensure conduwuit container network is created
- community.general.docker_network:
- enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
- name: "{{ matrix_conduwuit_container_network }}"
- driver: bridge
- driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
-
-- name: Ensure conduwuit container image is pulled
- community.docker.docker_image:
- name: "{{ matrix_conduwuit_docker_image }}"
- source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
- force_source: "{{ matrix_conduwuit_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
- force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_conduwuit_docker_image_force_pull }}"
- register: result
- retries: "{{ devture_playbook_help_container_retries_count }}"
- delay: "{{ devture_playbook_help_container_retries_delay }}"
- until: result is not failed
-
-- name: Ensure matrix-conduwuit.service installed
- ansible.builtin.template:
- src: "{{ role_path }}/templates/systemd/matrix-conduwuit.service.j2"
- dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service"
- mode: 0644
diff --git a/roles/custom/matrix-conduwuit/tasks/setup_uninstall.yml b/roles/custom/matrix-conduwuit/tasks/setup_uninstall.yml
deleted file mode 100644
index 24326b337..000000000
--- a/roles/custom/matrix-conduwuit/tasks/setup_uninstall.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-# SPDX-FileCopyrightText: 2025 MDAD project contributors
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
----
-
-- name: Check existence of matrix-conduwuit service
- ansible.builtin.stat:
- path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service"
- register: matrix_conduwuit_service_stat
-
-- when: matrix_conduwuit_service_stat.stat.exists | bool
- block:
- - name: Ensure matrix-conduwuit is stopped
- ansible.builtin.systemd:
- name: matrix-conduwuit
- state: stopped
- daemon_reload: true
-
- - name: Ensure matrix-conduwuit.service doesn't exist
- ansible.builtin.file:
- path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service"
- state: absent
diff --git a/roles/custom/matrix-conduwuit/tasks/uninstall.yml b/roles/custom/matrix-conduwuit/tasks/uninstall.yml
deleted file mode 100644
index 9755d5ad1..000000000
--- a/roles/custom/matrix-conduwuit/tasks/uninstall.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
----
-
-- name: Check existence of matrix-conduwuit service
- ansible.builtin.stat:
- path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service"
- register: matrix_conduwuit_service_stat
-
-- when: matrix_conduwuit_service_stat.stat.exists | bool
- block:
- - name: Ensure matrix-conduwuit is stopped
- ansible.builtin.systemd:
- name: matrix-conduwuit
- state: stopped
- daemon_reload: true
-
- - name: Ensure matrix-conduwuit.service doesn't exist
- ansible.builtin.file:
- path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service"
- state: absent
diff --git a/roles/custom/matrix-conduwuit/tasks/validate_config.yml b/roles/custom/matrix-conduwuit/tasks/validate_config.yml
deleted file mode 100644
index d044ddf3d..000000000
--- a/roles/custom/matrix-conduwuit/tasks/validate_config.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-# SPDX-FileCopyrightText: 2025 MDAD project contributors
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
----
-
-- name: Fail if required conduwuit settings not defined
- ansible.builtin.fail:
- msg: >-
- You need to define a required configuration setting (`{{ item.name }}`).
- when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
- with_items:
- - {'name': 'matrix_conduwuit_hostname', when: true}
- - {'name': 'matrix_conduwuit_container_network', when: true}
- - {'name': 'matrix_conduwuit_container_labels_internal_client_api_traefik_entrypoints', when: "{{ matrix_conduwuit_container_labels_internal_client_api_enabled }}"}
diff --git a/roles/custom/matrix-conduwuit/templates/conduwuit.toml.j2 b/roles/custom/matrix-conduwuit/templates/conduwuit.toml.j2
deleted file mode 100644
index 91ee6760f..000000000
--- a/roles/custom/matrix-conduwuit/templates/conduwuit.toml.j2
+++ /dev/null
@@ -1,1546 +0,0 @@
-{#
-SPDX-FileCopyrightText: 2025 MDAD project contributors
-SPDX-FileCopyrightText: 2025 Slavi Pantaleev
-SPDX-FileCopyrightText: 2025 Suguru Hirahara
-
-SPDX-License-Identifier: AGPL-3.0-or-later
-#}
-
-### conduwuit Configuration
-### See:
-### https://conduwuit.puppyirl.gay/configuration.html
-
-[global]
-
-# The server_name is the pretty name of this server. It is used as a
-# suffix for user and room IDs/aliases.
-#
-# See the docs for reverse proxying and delegation:
-# https://conduwuit.puppyirl.gay/deploying/generic.html#setting-up-the-reverse-proxy
-#
-# Also see the `[global.well_known]` config section at the very bottom.
-#
-# Examples of delegation:
-# - https://puppygock.gay/.well-known/matrix/server
-# - https://puppygock.gay/.well-known/matrix/client
-#
-# YOU NEED TO EDIT THIS. THIS CANNOT BE CHANGED AFTER WITHOUT A DATABASE
-# WIPE.
-#
-# example: "conduwuit.woof"
-#
-server_name = {{ matrix_conduwuit_config_server_name | to_json }}
-
-# The default address (IPv4 or IPv6) conduwuit will listen on.
-#
-# If you are using Docker or a container NAT networking setup, this must
-# be "0.0.0.0".
-#
-# To listen on multiple addresses, specify a vector e.g. ["127.0.0.1",
-# "::1"]
-#
-address = "0.0.0.0"
-
-# The port(s) conduwuit will listen on.
-#
-# For reverse proxying, see:
-# https://conduwuit.puppyirl.gay/deploying/generic.html#setting-up-the-reverse-proxy
-#
-# If you are using Docker, don't change this, you'll need to map an
-# external port to this.
-#
-# To listen on multiple ports, specify a vector e.g. [8080, 8448]
-#
-port = {{ matrix_conduwuit_config_port_number }}
-
-# The UNIX socket conduwuit will listen on.
-#
-# conduwuit cannot listen on both an IP address and a UNIX socket. If
-# listening on a UNIX socket, you MUST remove/comment the `address` key.
-#
-# Remember to make sure that your reverse proxy has access to this socket
-# file, either by adding your reverse proxy to the 'conduwuit' group or
-# granting world R/W permissions with `unix_socket_perms` (666 minimum).
-#
-# example: "/run/conduwuit/conduwuit.sock"
-#
-#unix_socket_path =
-
-# The default permissions (in octal) to create the UNIX socket with.
-#
-#unix_socket_perms = 660
-
-# This is the only directory where conduwuit will save its data, including
-# media. Note: this was previously "/var/lib/matrix-conduit".
-#
-# YOU NEED TO EDIT THIS.
-#
-# example: "/var/lib/conduwuit"
-#
-database_path = "/var/lib/conduwuit"
-
-# conduwuit supports online database backups using RocksDB's Backup engine
-# API. To use this, set a database backup path that conduwuit can write
-# to.
-#
-# For more information, see:
-# https://conduwuit.puppyirl.gay/maintenance.html#backups
-#
-# example: "/opt/conduwuit-db-backups"
-#
-#database_backup_path =
-
-# The amount of online RocksDB database backups to keep/retain, if using
-# "database_backup_path", before deleting the oldest one.
-#
-#database_backups_to_keep = 1
-
-# Text which will be added to the end of the user's displayname upon
-# registration with a space before the text. In Conduit, this was the
-# lightning bolt emoji.
-#
-# To disable, set this to "" (an empty string).
-#
-# The default is the trans pride flag.
-#
-# example: "🏳️‍⚧️"
-#
-new_user_displayname_suffix = {{ matrix_conduwuit_config_new_user_displayname_suffix | to_json }}
-
-# If enabled, conduwuit will send a simple GET request periodically to
-# `https://pupbrain.dev/check-for-updates/stable` for any new
-# announcements made. Despite the name, this is not an update check
-# endpoint, it is simply an announcement check endpoint.
-#
-# This is disabled by default as this is rarely used except for security
-# updates or major updates.
-#
-allow_check_for_updates = {{ matrix_conduwuit_config_allow_check_for_updates | to_json }}
-
-# Set this to any float value to multiply conduwuit's in-memory LRU caches
-# with such as "auth_chain_cache_capacity".
-#
-# May be useful if you have significant memory to spare to increase
-# performance.
-#
-# If you have low memory, reducing this may be viable.
-#
-# By default, the individual caches such as "auth_chain_cache_capacity"
-# are scaled by your CPU core count.
-#
-#cache_capacity_modifier = 1.0
-
-# Set this to any float value in megabytes for conduwuit to tell the
-# database engine that this much memory is available for database read
-# caches.
-#
-# May be useful if you have significant memory to spare to increase
-# performance.
-#
-# Similar to the individual LRU caches, this is scaled up with your CPU
-# core count.
-#
-# This defaults to 128.0 + (64.0 * CPU core count).
-#
-#db_cache_capacity_mb = varies by system
-
-# Set this to any float value in megabytes for conduwuit to tell the
-# database engine that this much memory is available for database write
-# caches.
-#
-# May be useful if you have significant memory to spare to increase
-# performance.
-#
-# Similar to the individual LRU caches, this is scaled up with your CPU
-# core count.
-#
-# This defaults to 48.0 + (4.0 * CPU core count).
-#
-#db_write_buffer_capacity_mb = varies by system
-
-# This item is undocumented. Please contribute documentation for it.
-#
-#pdu_cache_capacity = varies by system
-
-# This item is undocumented. Please contribute documentation for it.
-#
-#auth_chain_cache_capacity = varies by system
-
-# This item is undocumented. Please contribute documentation for it.
-#
-#shorteventid_cache_capacity = varies by system
-
-# This item is undocumented. Please contribute documentation for it.
-#
-#eventidshort_cache_capacity = varies by system
-
-# This item is undocumented. Please contribute documentation for it.
-#
-#eventid_pdu_cache_capacity = varies by system
-
-# This item is undocumented. Please contribute documentation for it.
-#
-#shortstatekey_cache_capacity = varies by system
-
-# This item is undocumented. Please contribute documentation for it.
-#
-#statekeyshort_cache_capacity = varies by system
-
-# This item is undocumented. Please contribute documentation for it.
-#
-#servernameevent_data_cache_capacity = varies by system
-
-# This item is undocumented. Please contribute documentation for it.
-#
-#server_visibility_cache_capacity = varies by system
-
-# This item is undocumented. Please contribute documentation for it.
-#
-#user_visibility_cache_capacity = varies by system
-
-# This item is undocumented. Please contribute documentation for it.
-#
-#stateinfo_cache_capacity = varies by system
-
-# This item is undocumented. Please contribute documentation for it.
-#
-#roomid_spacehierarchy_cache_capacity = varies by system
-
-# Maximum entries stored in DNS memory-cache. The size of an entry may
-# vary so please take care if raising this value excessively. Only
-# decrease this when using an external DNS cache. Please note that
-# systemd-resolved does *not* count as an external cache, even when
-# configured to do so.
-#
-#dns_cache_entries = 32768
-
-# Minimum time-to-live in seconds for entries in the DNS cache. The
-# default may appear high to most administrators; this is by design as the
-# majority of NXDOMAINs are correct for a long time (e.g. the server is no
-# longer running Matrix). Only decrease this if you are using an external
-# DNS cache.
-#
-#dns_min_ttl = 10800
-
-# Minimum time-to-live in seconds for NXDOMAIN entries in the DNS cache.
-# This value is critical for the server to federate efficiently.
-# NXDOMAIN's are assumed to not be returning to the federation and
-# aggressively cached rather than constantly rechecked.
-#
-# Defaults to 3 days as these are *very rarely* false negatives.
-#
-#dns_min_ttl_nxdomain = 259200
-
-# Number of DNS nameserver retries after a timeout or error.
-#
-#dns_attempts = 10
-
-# The number of seconds to wait for a reply to a DNS query. Please note
-# that recursive queries can take up to several seconds for some domains,
-# so this value should not be too low, especially on slower hardware or
-# resolvers.
-#
-#dns_timeout = 10
-
-# Fallback to TCP on DNS errors. Set this to false if unsupported by
-# nameserver.
-#
-#dns_tcp_fallback = true
-
-# Enable to query all nameservers until the domain is found. Referred to
-# as "trust_negative_responses" in hickory_resolver. This can avoid
-# useless DNS queries if the first nameserver responds with NXDOMAIN or
-# an empty NOERROR response.
-#
-#query_all_nameservers = true
-
-# Enable using *only* TCP for querying your specified nameservers instead
-# of UDP.
-#
-# If you are running conduwuit in a container environment, this config
-# option may need to be enabled. For more details, see:
-# https://conduwuit.puppyirl.gay/troubleshooting.html#potential-dns-issues-when-using-docker
-#
-#query_over_tcp_only = false
-
-# DNS A/AAAA record lookup strategy
-#
-# Takes a number of one of the following options:
-# 1 - Ipv4Only (Only query for A records, no AAAA/IPv6)
-#
-# 2 - Ipv6Only (Only query for AAAA records, no A/IPv4)
-#
-# 3 - Ipv4AndIpv6 (Query for A and AAAA records in parallel, uses whatever
-# returns a successful response first)
-#
-# 4 - Ipv6thenIpv4 (Query for AAAA record, if that fails then query the A
-# record)
-#
-# 5 - Ipv4thenIpv6 (Query for A record, if that fails then query the AAAA
-# record)
-#
-# If you don't have IPv6 networking, then for better DNS performance it
-# may be suitable to set this to Ipv4Only (1) as you will never ever use
-# the AAAA record contents even if the AAAA record is successful instead
-# of the A record.
-#
-#ip_lookup_strategy = 5
-
-# Max request size for file uploads in bytes. Defaults to 20MB.
-#
-max_request_size = {{ matrix_conduwuit_config_max_request_size }}
-
-# This item is undocumented. Please contribute documentation for it.
-#
-#max_fetch_prev_events = 192
-
-# Default/base connection timeout (seconds). This is used only by URL
-# previews and update/news endpoint checks.
-#
-#request_conn_timeout = 10
-
-# Default/base request timeout (seconds). The time waiting to receive more
-# data from another server. This is used only by URL previews,
-# update/news, and misc endpoint checks.
-#
-#request_timeout = 35
-
-# Default/base request total timeout (seconds). The time limit for a whole
-# request. This is set very high to not cancel healthy requests while
-# serving as a backstop. This is used only by URL previews and update/news
-# endpoint checks.
-#
-#request_total_timeout = 320
-
-# Default/base idle connection pool timeout (seconds). This is used only
-# by URL previews and update/news endpoint checks.
-#
-#request_idle_timeout = 5
-
-# Default/base max idle connections per host. This is used only by URL
-# previews and update/news endpoint checks. Defaults to 1 as generally the
-# same open connection can be re-used.
-#
-#request_idle_per_host = 1
-
-# Federation well-known resolution connection timeout (seconds).
-#
-#well_known_conn_timeout = 6
-
-# Federation HTTP well-known resolution request timeout (seconds).
-#
-#well_known_timeout = 10
-
-# Federation client request timeout (seconds). You most definitely want
-# this to be high to account for extremely large room joins, slow
-# homeservers, your own resources etc.
-#
-#federation_timeout = 300
-
-# Federation client idle connection pool timeout (seconds).
-#
-#federation_idle_timeout = 25
-
-# Federation client max idle connections per host. Defaults to 1 as
-# generally the same open connection can be re-used.
-#
-#federation_idle_per_host = 1
-
-# Federation sender request timeout (seconds). The time it takes for the
-# remote server to process sent transactions can take a while.
-#
-#sender_timeout = 180
-
-# Federation sender idle connection pool timeout (seconds).
-#
-#sender_idle_timeout = 180
-
-# Federation sender transaction retry backoff limit (seconds).
-#
-#sender_retry_backoff_limit = 86400
-
-# Appservice URL request connection timeout. Defaults to 35 seconds as
-# generally appservices are hosted within the same network.
-#
-#appservice_timeout = 35
-
-# Appservice URL idle connection pool timeout (seconds).
-#
-#appservice_idle_timeout = 300
-
-# Notification gateway pusher idle connection pool timeout.
-#
-#pusher_idle_timeout = 15
-
-# Enables registration. If set to false, no users can register on this
-# server.
-#
-# If set to true without a token configured, users can register with no
-# form of 2nd-step only if you set the following option to true:
-# `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`
-#
-# If you would like registration only via token reg, please configure
-# `registration_token` or `registration_token_file`.
-#
-allow_registration = {{ matrix_conduwuit_config_allow_registration | to_json }}
-
-yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = {{ matrix_conduwuit_config_yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse | to_json }}
-
-allow_federation = {{ matrix_conduwuit_config_allow_federation | to_json }}
-
-# This item is undocumented. Please contribute documentation for it.
-#
-#yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = false
-
-# A static registration token that new users will have to provide when
-# creating an account. If unset and `allow_registration` is true,
-# registration is open without any condition.
-#
-# YOU NEED TO EDIT THIS OR USE registration_token_file.
-#
-# example: "o&^uCtes4HPf0Vu@F20jQeeWE7"
-#
-registration_token = {{ matrix_conduwuit_config_registration_token | to_json }}
-
-# Path to a file on the system that gets read for the registration token.
-# this config option takes precedence/priority over "registration_token".
-#
-# conduwuit must be able to access the file, and it must not be empty
-#
-# example: "/etc/conduwuit/.reg_token"
-#
-#registration_token_file =
-
-# Controls whether encrypted rooms and events are allowed.
-#
-#allow_encryption = true
-
-# Controls whether federation is allowed or not. It is not recommended to
-# disable this after the fact due to potential federation breakage.
-#
-#allow_federation = true
-
-# This item is undocumented. Please contribute documentation for it.
-#
-#federation_loopback = false
-
-# Set this to true to require authentication on the normally
-# unauthenticated profile retrieval endpoints (GET)
-# "/_matrix/client/v3/profile/{userId}".
-#
-# This can prevent profile scraping.
-#
-#require_auth_for_profile_requests = false
-
-# Set this to true to allow your server's public room directory to be
-# federated. Set this to false to protect against /publicRooms spiders,
-# but will forbid external users from viewing your server's public room
-# directory. If federation is disabled entirely (`allow_federation`), this
-# is inherently false.
-#
-#allow_public_room_directory_over_federation = false
-
-# Set this to true to allow your server's public room directory to be
-# queried without client authentication (access token) through the Client
-# APIs. Set this to false to protect against /publicRooms spiders.
-#
-#allow_public_room_directory_without_auth = false
-
-# Allow guests/unauthenticated users to access TURN credentials.
-#
-# This is the equivalent of Synapse's `turn_allow_guests` config option.
-# This allows any unauthenticated user to call the endpoint
-# `/_matrix/client/v3/voip/turnServer`.
-#
-# It is unlikely you need to enable this as all major clients support
-# authentication for this endpoint and prevents misuse of your TURN server
-# from potential bots.
-#
-#turn_allow_guests = false
-
-# Set this to true to lock down your server's public room directory and
-# only allow admins to publish rooms to the room directory. Unpublishing
-# is still allowed by all users with this enabled.
-#
-#lockdown_public_room_directory = false
-
-# Set this to true to allow federating device display names / allow
-# external users to see your device display name. If federation is
-# disabled entirely (`allow_federation`), this is inherently false. For
-# privacy reasons, this is best left disabled.
-#
-#allow_device_name_federation = false
-
-# Config option to allow or disallow incoming federation requests that
-# obtain the profiles of our local users from
-# `/_matrix/federation/v1/query/profile`
-#
-# Increases privacy of your local user's such as display names, but some
-# remote users may get a false "this user does not exist" error when they
-# try to invite you to a DM or room. Also can protect against profile
-# spiders.
-#
-# This is inherently false if `allow_federation` is disabled
-#
-#allow_inbound_profile_lookup_federation_requests = true
-
-# Allow standard users to create rooms. Appservices and admins are always
-# allowed to create rooms
-#
-#allow_room_creation = true
-
-# Set to false to disable users from joining or creating room versions
-# that aren't officially supported by conduwuit.
-#
-# conduwuit officially supports room versions 6 - 11.
-#
-# conduwuit has slightly experimental (though works fine in practice)
-# support for versions 3 - 5.
-#
-#allow_unstable_room_versions = true
-
-# Default room version conduwuit will create rooms with.
-#
-# Per spec, room version 10 is the default.
-#
-#default_room_version = 10
-
-# This item is undocumented. Please contribute documentation for it.
-#
-#allow_jaeger = false
-
-# This item is undocumented. Please contribute documentation for it.
-#
-#jaeger_filter = "info"
-
-# If the 'perf_measurements' compile-time feature is enabled, enables
-# collecting folded stack trace profile of tracing spans using
-# tracing_flame. The resulting profile can be visualized with inferno[1],
-# speedscope[2], or a number of other tools.
-#
-# [1]: https://github.com/jonhoo/inferno
-# [2]: www.speedscope.app
-#
-#tracing_flame = false
-
-# This item is undocumented. Please contribute documentation for it.
-#
-#tracing_flame_filter = "info"
-
-# This item is undocumented. Please contribute documentation for it.
-#
-#tracing_flame_output_path = "./tracing.folded"
-
-# Examples:
-#
-# - No proxy (default):
-#
-# proxy = "none"
-#
-# - For global proxy, create the section at the bottom of this file:
-#
-# [global.proxy]
-# global = { url = "socks5h://localhost:9050" }
-#
-# - To proxy some domains:
-#
-# [global.proxy]
-# [[global.proxy.by_domain]]
-# url = "socks5h://localhost:9050"
-# include = ["*.onion", "matrix.myspecial.onion"]
-# exclude = ["*.myspecial.onion"]
-#
-# Include vs. Exclude:
-#
-# - If include is an empty list, it is assumed to be `["*"]`.
-#
-# - If a domain matches both the exclude and include list, the proxy will
-# only be used if it was included because of a more specific rule than
-# it was excluded. In the above example, the proxy would be used for
-# `ordinary.onion`, `matrix.myspecial.onion`, but not
-# `hello.myspecial.onion`.
-#
-#proxy = "none"
-
-# Servers listed here will be used to gather public keys of other servers
-# (notary trusted key servers).
-#
-# Currently, conduwuit doesn't support inbound batched key requests, so
-# this list should only contain other Synapse servers.
-#
-# example: ["matrix.org", "envs.net", "constellatory.net", "tchncs.de"]
-#
-trusted_servers = {{ matrix_conduwuit_trusted_servers | to_json }}
-
-# Whether to query the servers listed in trusted_servers first or query
-# the origin server first. For best security, querying the origin server
-# first is advised to minimize the exposure to a compromised trusted
-# server. For maximum federation/join performance this can be set to true,
-# however other options exist to query trusted servers first under
-# specific high-load circumstances and should be evaluated before setting
-# this to true.
-#
-#query_trusted_key_servers_first = false
-
-# Whether to query the servers listed in trusted_servers first
-# specifically on room joins. This option limits the exposure to a
-# compromised trusted server to room joins only. The join operation
-# requires gathering keys from many origin servers which can cause
-# significant delays. Therefore this defaults to true to mitigate
-# unexpected delays out-of-the-box. The security-paranoid or those willing
-# to tolerate delays are advised to set this to false. Note that setting
-# query_trusted_key_servers_first to true causes this option to be
-# ignored.
-#
-#query_trusted_key_servers_first_on_join = true
-
-# Only query trusted servers for keys and never the origin server. This is
-# intended for clusters or custom deployments using their trusted_servers
-# as forwarding-agents to cache and deduplicate requests. Notary servers
-# do not act as forwarding-agents by default, therefore do not enable this
-# unless you know exactly what you are doing.
-#
-#only_query_trusted_key_servers = false
-
-# Maximum number of keys to request in each trusted server batch query.
-#
-#trusted_server_batch_size = 1024
-
-# Max log level for conduwuit. Allows debug, info, warn, or error.
-#
-# See also:
-# https://docs.rs/tracing-subscriber/latest/tracing_subscriber/filter/struct.EnvFilter.html#directives
-#
-# **Caveat**:
-# For release builds, the tracing crate is configured to only implement
-# levels higher than error to avoid unnecessary overhead in the compiled
-# binary from trace macros. For debug builds, this restriction is not
-# applied.
-#
-log = {{ matrix_conduwuit_config_log | to_json }}
-
-# Output logs with ANSI colours.
-#
-#log_colors = true
-
-# Configures the span events which will be outputted with the log.
-#
-#log_span_events = "none"
-
-# Configures whether CONDUWUIT_LOG EnvFilter matches values using regular
-# expressions. See the tracing_subscriber documentation on Directives.
-#
-#log_filter_regex = true
-
-# Toggles the display of ThreadId in tracing log output.
-#
-#log_thread_ids = false
-
-# OpenID token expiration/TTL in seconds.
-#
-# These are the OpenID tokens that are primarily used for Matrix account
-# integrations (e.g. Vector Integrations in Element), *not* OIDC/OpenID
-# Connect/etc.
-#
-#openid_token_ttl = 3600
-
-# Allow an existing session to mint a login token for another client.
-# This requires interactive authentication, but has security ramifications
-# as a malicious client could use the mechanism to spawn more than one
-# session.
-# Enabled by default.
-#
-#login_via_existing_session = true
-
-# Login token expiration/TTL in milliseconds.
-#
-# These are short-lived tokens for the m.login.token endpoint.
-# This is used to allow existing sessions to create new sessions.
-# see login_via_existing_session.
-#
-#login_token_ttl = 120000
-
-# Static TURN username to provide the client if not using a shared secret
-# ("turn_secret"), It is recommended to use a shared secret over static
-# credentials.
-#
-#turn_username = false
-
-# Static TURN password to provide the client if not using a shared secret
-# ("turn_secret"). It is recommended to use a shared secret over static
-# credentials.
-#
-#turn_password = false
-
-# Vector list of TURN URIs/servers to use.
-#
-# Replace "example.turn.uri" with your TURN domain, such as the coturn
-# "realm" config option. If using TURN over TLS, replace the URI prefix
-# "turn:" with "turns:".
-#
-# example: ["turn:example.turn.uri?transport=udp",
-# "turn:example.turn.uri?transport=tcp"]
-#
-turn_uris = {{ matrix_conduwuit_config_turn_uris | to_json }}
-
-# TURN secret to use for generating the HMAC-SHA1 hash apart of username
-# and password generation.
-#
-# This is more secure, but if needed you can use traditional static
-# username/password credentials.
-#
-#turn_secret = false
-{% if matrix_conduwuit_config_turn_secret != '' %}
-turn_secret = {{ matrix_conduwuit_config_turn_secret | to_json }}
-{% endif %}
-
-# If you have your TURN server configured to use a username and password
-# you can provide these information too. In this case comment out `turn_secret above`!
-{% if matrix_conduwuit_config_turn_username != '' or matrix_conduwuit_config_turn_password != '' %}
-turn_username = {{ matrix_conduwuit_config_turn_username | to_json }}
-turn_password = {{ matrix_conduwuit_config_turn_password | to_json }}
-{% endif %}
-
-# TURN secret to use that's read from the file path specified.
-#
-# This takes priority over "turn_secret" first, and falls back to
-# "turn_secret" if invalid or failed to open.
-#
-# example: "/etc/conduwuit/.turn_secret"
-#
-#turn_secret_file =
-
-# TURN TTL, in seconds.
-#
-#turn_ttl = 86400
-
-# List/vector of room IDs or room aliases that conduwuit will make newly
-# registered users join. The rooms specified must be rooms that you have
-# joined at least once on the server, and must be public.
-#
-# example: ["#conduwuit:puppygock.gay",
-# "!eoIzvAvVwY23LPDay8:puppygock.gay"]
-#
-#auto_join_rooms = []
-
-# Config option to automatically deactivate the account of any user who
-# attempts to join a:
-# - banned room
-# - forbidden room alias
-# - room alias or ID with a forbidden server name
-#
-# This may be useful if all your banned lists consist of toxic rooms or
-# servers that no good faith user would ever attempt to join, and
-# to automatically remediate the problem without any admin user
-# intervention.
-#
-# This will also make the user leave all rooms. Federation (e.g. remote
-# room invites) are ignored here.
-#
-# Defaults to false as rooms can be banned for non-moderation-related
-# reasons and this performs a full user deactivation.
-#
-#auto_deactivate_banned_room_attempts = false
-
-# RocksDB log level. This is not the same as conduwuit's log level. This
-# is the log level for the RocksDB engine/library which show up in your
-# database folder/path as `LOG` files. conduwuit will log RocksDB errors
-# as normal through tracing or panics if severe for safety.
-#
-#rocksdb_log_level = "error"
-
-# This item is undocumented. Please contribute documentation for it.
-#
-#rocksdb_log_stderr = false
-
-# Max RocksDB `LOG` file size before rotating in bytes. Defaults to 4MB in
-# bytes.
-#
-#rocksdb_max_log_file_size = 4194304
-
-# Time in seconds before RocksDB will forcibly rotate logs.
-#
-#rocksdb_log_time_to_roll = 0
-
-# Set this to true to use RocksDB config options that are tailored to HDDs
-# (slower device storage).
-#
-# It is worth noting that by default, conduwuit will use RocksDB with
-# Direct IO enabled. *Generally* speaking this improves performance as it
-# bypasses buffered I/O (system page cache). However there is a potential
-# chance that Direct IO may cause issues with database operations if your
-# setup is uncommon. This has been observed with FUSE filesystems, and
-# possibly ZFS filesystem. RocksDB generally deals/corrects these issues
-# but it cannot account for all setups. If you experience any weird
-# RocksDB issues, try enabling this option as it turns off Direct IO and
-# feel free to report in the conduwuit Matrix room if this option fixes
-# your DB issues.
-#
-# For more information, see:
-# https://github.com/facebook/rocksdb/wiki/Direct-IO
-#
-#rocksdb_optimize_for_spinning_disks = false
-
-# Enables direct-io to increase database performance via unbuffered I/O.
-#
-# For more details about direct I/O and RockDB, see:
-# https://github.com/facebook/rocksdb/wiki/Direct-IO
-#
-# Set this option to false if the database resides on a filesystem which
-# does not support direct-io like FUSE, or any form of complex filesystem
-# setup such as possibly ZFS.
-#
-#rocksdb_direct_io = true
-
-# Amount of threads that RocksDB will use for parallelism on database
-# operations such as cleanup, sync, flush, compaction, etc. Set to 0 to
-# use all your logical threads. Defaults to your CPU logical thread count.
-#
-#rocksdb_parallelism_threads = varies by system
-
-# Maximum number of LOG files RocksDB will keep. This must *not* be set to
-# 0. It must be at least 1. Defaults to 3 as these are not very useful
-# unless troubleshooting/debugging a RocksDB bug.
-#
-#rocksdb_max_log_files = 3
-
-# Type of RocksDB database compression to use.
-#
-# Available options are "zstd", "zlib", "bz2", "lz4", or "none".
-#
-# It is best to use ZSTD as an overall good balance between
-# speed/performance, storage, IO amplification, and CPU usage. For more
-# performance but less compression (more storage used) and less CPU usage,
-# use LZ4.
-#
-# For more details, see:
-# https://github.com/facebook/rocksdb/wiki/Compression
-#
-# "none" will disable compression.
-#
-#rocksdb_compression_algo = "zstd"
-
-# Level of compression the specified compression algorithm for RocksDB to
-# use.
-#
-# Default is 32767, which is internally read by RocksDB as the default
-# magic number and translated to the library's default compression level
-# as they all differ. See their `kDefaultCompressionLevel`.
-#
-#rocksdb_compression_level = 32767
-
-# Level of compression the specified compression algorithm for the
-# bottommost level/data for RocksDB to use. Default is 32767, which is
-# internally read by RocksDB as the default magic number and translated to
-# the library's default compression level as they all differ. See their
-# `kDefaultCompressionLevel`.
-#
-# Since this is the bottommost level (generally old and least used data),
-# it may be desirable to have a very high compression level here as it's
-# less likely for this data to be used. Research your chosen compression
-# algorithm.
-#
-#rocksdb_bottommost_compression_level = 32767
-
-# Whether to enable RocksDB's "bottommost_compression".
-#
-# At the expense of more CPU usage, this will further compress the
-# database to reduce more storage. It is recommended to use ZSTD
-# compression with this for best compression results. This may be useful
-# if you're trying to reduce storage usage from the database.
-#
-# See https://github.com/facebook/rocksdb/wiki/Compression for more details.
-#
-#rocksdb_bottommost_compression = false
-
-# Database recovery mode (for RocksDB WAL corruption).
-#
-# Use this option when the server reports corruption and refuses to start.
-# Set mode 2 (PointInTime) to cleanly recover from this corruption. The
-# server will continue from the last good state, several seconds or
-# minutes prior to the crash. Clients may have to run "clear-cache &
-# reload" to account for the rollback. Upon success, you may reset the
-# mode back to default and restart again. Please note in some cases the
-# corruption error may not be cleared for at least 30 minutes of operation
-# in PointInTime mode.
-#
-# As a very last ditch effort, if PointInTime does not fix or resolve
-# anything, you can try mode 3 (SkipAnyCorruptedRecord) but this will
-# leave the server in a potentially inconsistent state.
-#
-# The default mode 1 (TolerateCorruptedTailRecords) will automatically
-# drop the last entry in the database if corrupted during shutdown, but
-# nothing more. It is extraordinarily unlikely this will desynchronize
-# clients. To disable any form of silent rollback set mode 0
-# (AbsoluteConsistency).
-#
-# The options are:
-# 0 = AbsoluteConsistency
-# 1 = TolerateCorruptedTailRecords (default)
-# 2 = PointInTime (use me if trying to recover)
-# 3 = SkipAnyCorruptedRecord (you now voided your conduwuit warranty)
-#
-# For more information on these modes, see:
-# https://github.com/facebook/rocksdb/wiki/WAL-Recovery-Modes
-#
-# For more details on recovering a corrupt database, see:
-# https://conduwuit.puppyirl.gay/troubleshooting.html#database-corruption
-#
-#rocksdb_recovery_mode = 1
-
-# Enables or disables paranoid SST file checks. This can improve RocksDB
-# database consistency at a potential performance impact due to further
-# safety checks ran.
-#
-# For more information, see:
-# https://github.com/facebook/rocksdb/wiki/Online-Verification#columnfamilyoptionsparanoid_file_checks
-#
-#rocksdb_paranoid_file_checks = false
-
-# Database repair mode (for RocksDB SST corruption).
-#
-# Use this option when the server reports corruption while running or
-# panics. If the server refuses to start use the recovery mode options
-# first. Corruption errors containing the acronym 'SST' which occur after
-# startup will likely require this option.
-#
-# - Backing up your database directory is recommended prior to running the
-# repair.
-#
-# - Disabling repair mode and restarting the server is recommended after
-# running the repair.
-#
-# See https://conduwuit.puppyirl.gay/troubleshooting.html#database-corruption for more details on recovering a corrupt database.
-#
-#rocksdb_repair = false
-
-# This item is undocumented. Please contribute documentation for it.
-#
-#rocksdb_read_only = false
-
-# This item is undocumented. Please contribute documentation for it.
-#
-#rocksdb_secondary = false
-
-# Enables idle CPU priority for compaction thread. This is not enabled by
-# default to prevent compaction from falling too far behind on busy
-# systems.
-#
-#rocksdb_compaction_prio_idle = false
-
-# Enables idle IO priority for compaction thread. This prevents any
-# unexpected lag in the server's operation and is usually a good idea.
-# Enabled by default.
-#
-#rocksdb_compaction_ioprio_idle = true
-
-# Disables RocksDB compaction. You should never ever have to set this
-# option to true. If you for some reason find yourself needing to use this
-# option as part of troubleshooting or a bug, please reach out to us in
-# the conduwuit Matrix room with information and details.
-#
-# Disabling compaction will lead to a significantly bloated and
-# explosively large database, gradually poor performance, unnecessarily
-# excessive disk read/writes, and slower shutdowns and startups.
-#
-#rocksdb_compaction = true
-
-# Level of statistics collection. Some admin commands to display database
-# statistics may require this option to be set. Database performance may
-# be impacted by higher settings.
-#
-# Option is a number ranging from 0 to 6:
-# 0 = No statistics.
-# 1 = No statistics in release mode (default).
-# 2 to 3 = Statistics with no performance impact.
-# 3 to 5 = Statistics with possible performance impact.
-# 6 = All statistics.
-#
-#rocksdb_stats_level = 1
-
-# This is a password that can be configured that will let you login to the
-# server bot account (currently `@conduit`) for emergency troubleshooting
-# purposes such as recovering/recreating your admin room, or inviting
-# yourself back.
-#
-# See https://conduwuit.puppyirl.gay/troubleshooting.html#lost-access-to-admin-room for other ways to get back into your admin room.
-#
-# Once this password is unset, all sessions will be logged out for
-# security purposes.
-#
-# example: "F670$2CP@Hw8mG7RY1$%!#Ic7YA"
-#
-emergency_password = {{ matrix_conduwuit_config_emergency_password | to_json }}
-
-# This item is undocumented. Please contribute documentation for it.
-#
-#notification_push_path = "/_matrix/push/v1/notify"
-
-# Allow local (your server only) presence updates/requests.
-#
-# Note that presence on conduwuit is very fast unlike Synapse's. If using
-# outgoing presence, this MUST be enabled.
-#
-#allow_local_presence = true
-
-# Allow incoming federated presence updates/requests.
-#
-# This option receives presence updates from other servers, but does not
-# send any unless `allow_outgoing_presence` is true. Note that presence on
-# conduwuit is very fast unlike Synapse's.
-#
-#allow_incoming_presence = true
-
-# Allow outgoing presence updates/requests.
-#
-# This option sends presence updates to other servers, but does not
-# receive any unless `allow_incoming_presence` is true. Note that presence
-# on conduwuit is very fast unlike Synapse's. If using outgoing presence,
-# you MUST enable `allow_local_presence` as well.
-#
-#allow_outgoing_presence = true
-
-# How many seconds without presence updates before you become idle.
-# Defaults to 5 minutes.
-#
-#presence_idle_timeout_s = 300
-
-# How many seconds without presence updates before you become offline.
-# Defaults to 30 minutes.
-#
-#presence_offline_timeout_s = 1800
-
-# Enable the presence idle timer for remote users.
-#
-# Disabling is offered as an optimization for servers participating in
-# many large rooms or when resources are limited. Disabling it may cause
-# incorrect presence states (i.e. stuck online) to be seen for some remote
-# users.
-#
-#presence_timeout_remote_users = true
-
-# Allow receiving incoming read receipts from remote servers.
-#
-#allow_incoming_read_receipts = true
-
-# Allow sending read receipts to remote servers.
-#
-#allow_outgoing_read_receipts = true
-
-# Allow outgoing typing updates to federation.
-#
-#allow_outgoing_typing = true
-
-# Allow incoming typing updates from federation.
-#
-#allow_incoming_typing = true
-
-# Maximum time federation user can indicate typing.
-#
-#typing_federation_timeout_s = 30
-
-# Minimum time local client can indicate typing. This does not override a
-# client's request to stop typing. It only enforces a minimum value in
-# case of no stop request.
-# -#typing_client_timeout_min_s = 15 - -# Maximum time local client can indicate typing. -# -#typing_client_timeout_max_s = 45 - -# Set this to true for conduwuit to compress HTTP response bodies using -# zstd. This option does nothing if conduwuit was not built with -# `zstd_compression` feature. Please be aware that enabling HTTP -# compression may weaken TLS. Most users should not need to enable this. -# See https://breachattack.com/ and https://wikipedia.org/wiki/BREACH -# before deciding to enable this. -# -#zstd_compression = false - -# Set this to true for conduwuit to compress HTTP response bodies using -# gzip. This option does nothing if conduwuit was not built with -# `gzip_compression` feature. Please be aware that enabling HTTP -# compression may weaken TLS. Most users should not need to enable this. -# See https://breachattack.com/ and https://wikipedia.org/wiki/BREACH before -# deciding to enable this. -# -# If you are in a large amount of rooms, you may find that enabling this -# is necessary to reduce the significantly large response bodies. -# -#gzip_compression = false - -# Set this to true for conduwuit to compress HTTP response bodies using -# brotli. This option does nothing if conduwuit was not built with -# `brotli_compression` feature. Please be aware that enabling HTTP -# compression may weaken TLS. Most users should not need to enable this. -# See https://breachattack.com/ and https://wikipedia.org/wiki/BREACH -# before deciding to enable this. -# -#brotli_compression = false - -# Set to true to allow user type "guest" registrations. Some clients like -# Element attempt to register guest users automatically. -# -#allow_guest_registration = false - -# Set to true to log guest registrations in the admin room. Note that -# these may be noisy or unnecessary if you're a public homeserver. -# -#log_guest_registrations = false - -# Set to true to allow guest registrations/users to auto join any rooms -# specified in `auto_join_rooms`. 
-# -#allow_guests_auto_join_rooms = false - -# Enable the legacy unauthenticated Matrix media repository endpoints. -# These endpoints consist of: -# - /_matrix/media/*/config -# - /_matrix/media/*/upload -# - /_matrix/media/*/preview_url -# - /_matrix/media/*/download/* -# - /_matrix/media/*/thumbnail/* -# -# The authenticated equivalent endpoints are always enabled. -# -# Defaults to true for now, but this is highly subject to change, likely -# in the next release. -# -#allow_legacy_media = true - -# This item is undocumented. Please contribute documentation for it. -# -#freeze_legacy_media = true - -# Check consistency of the media directory at startup: -# 1. When `media_compat_file_link` is enabled, this check will upgrade -# media when switching back and forth between Conduit and conduwuit. -# Both options must be enabled to handle this. -# 2. When media is deleted from the directory, this check will also delete -# its database entry. -# -# If none of these checks apply to your use cases, and your media -# directory is significantly large setting this to false may reduce -# startup time. -# -#media_startup_check = true - -# Enable backward-compatibility with Conduit's media directory by creating -# symlinks of media. -# -# This option is only necessary if you plan on using Conduit again. -# Otherwise setting this to false reduces filesystem clutter and overhead -# for managing these symlinks in the directory. This is now disabled by -# default. You may still return to upstream Conduit but you have to run -# conduwuit at least once with this set to true and allow the -# media_startup_check to take place before shutting down to return to -# Conduit. -# -#media_compat_file_link = false - -# Prune missing media from the database as part of the media startup -# checks. -# -# This means if you delete files from the media directory the -# corresponding entries will be removed from the database. 
This is -# disabled by default because if the media directory is accidentally moved -# or inaccessible, the metadata entries in the database will be lost with -# sadness. -# -#prune_missing_media = false - -# Vector list of servers that conduwuit will refuse to download remote -# media from. -# -#prevent_media_downloads_from = [] - -# List of forbidden server names that we will block incoming AND outgoing -# federation with, and block client room joins / remote user invites. -# -# This check is applied on the room ID, room alias, sender server name, -# sender user's server name, inbound federation X-Matrix origin, and -# outbound federation handler. -# -# Basically "global" ACLs. -# -#forbidden_remote_server_names = [] - -# List of forbidden server names that we will block all outgoing federated -# room directory requests for. Useful for preventing our users from -# wandering into bad servers or spaces. -# -#forbidden_remote_room_directory_server_names = [] - -# Vector list of IPv4 and IPv6 CIDR ranges / subnets *in quotes* that you -# do not want conduwuit to send outbound requests to. Defaults to -# RFC1918, unroutable, loopback, multicast, and testnet addresses for -# security. -# -# Please be aware that this is *not* a guarantee. You should be using a -# firewall with zones as doing this on the application layer may have -# bypasses. -# -# Currently this does not account for proxies in use like Synapse does. -# -# To disable, set this to be an empty vector (`[]`). -# -# Defaults to: -# ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", -# "192.168.0.0/16", "100.64.0.0/10", "192.0.0.0/24", "169.254.0.0/16", -# "192.88.99.0/24", "198.18.0.0/15", "192.0.2.0/24", "198.51.100.0/24", -# "203.0.113.0/24", "224.0.0.0/4", "::1/128", "fe80::/10", "fc00::/7", -# "2001:db8::/32", "ff00::/8", "fec0::/10"] -# -#ip_range_denylist = - -# Optional IP address or network interface-name to bind as the source of -# URL preview requests. 
If not set, it will not bind to a specific -# address or interface. -# -# Interface names only supported on Linux, Android, and Fuchsia platforms; -# all other platforms can specify the IP address. To list the interfaces -# on your system, use the command `ip link show`. -# -# example: `"eth0"` or `"1.2.3.4"` -# -#url_preview_bound_interface = - -# Vector list of domains allowed to send requests to for URL previews. -# -# This is a *contains* match, not an explicit match. Putting "google.com" -# will match "https://google.com" and -# "http://mymaliciousdomainexamplegoogle.com" Setting this to "*" will -# allow all URL previews. Please note that this opens up significant -# attack surface to your server, you are expected to be aware of the risks -# by doing so. -# -#url_preview_domain_contains_allowlist = [] - -# Vector list of explicit domains allowed to send requests to for URL -# previews. -# -# This is an *explicit* match, not a contains match. Putting "google.com" -# will match "https://google.com", "http://google.com", but not -# "https://mymaliciousdomainexamplegoogle.com". Setting this to "*" will -# allow all URL previews. Please note that this opens up significant -# attack surface to your server, you are expected to be aware of the risks -# by doing so. -# -#url_preview_domain_explicit_allowlist = [] - -# Vector list of explicit domains not allowed to send requests to for URL -# previews. -# -# This is an *explicit* match, not a contains match. Putting "google.com" -# will match "https://google.com", "http://google.com", but not -# "https://mymaliciousdomainexamplegoogle.com". The denylist is checked -# first before allowlist. Setting this to "*" will not do anything. -# -#url_preview_domain_explicit_denylist = [] - -# Vector list of URLs allowed to send requests to for URL previews. -# -# Note that this is a *contains* match, not an explicit match. 
Putting -# "google.com" will match "https://google.com/", -# "https://google.com/url?q=https://mymaliciousdomainexample.com", and -# "https://mymaliciousdomainexample.com/hi/google.com" Setting this to "*" -# will allow all URL previews. Please note that this opens up significant -# attack surface to your server, you are expected to be aware of the risks -# by doing so. -# -#url_preview_url_contains_allowlist = [] - -# Maximum amount of bytes allowed in a URL preview body size when -# spidering. Defaults to 256KB in bytes. -# -#url_preview_max_spider_size = 256000 - -# Option to decide whether you would like to run the domain allowlist -# checks (contains and explicit) on the root domain or not. Does not apply -# to URL contains allowlist. Defaults to false. -# -# Example usecase: If this is enabled and you have "wikipedia.org" allowed -# in the explicit and/or contains domain allowlist, it will allow all -# subdomains under "wikipedia.org" such as "en.m.wikipedia.org" as the -# root domain is checked and matched. Useful if the domain contains -# allowlist is still too broad for you but you still want to allow all the -# subdomains under a root domain. -# -#url_preview_check_root_domain = false - -# List of forbidden room aliases and room IDs as strings of regex -# patterns. -# -# Regex can be used or explicit contains matches can be done by just -# specifying the words (see example). -# -# This is checked upon room alias creation, custom room ID creation if -# used, and startup as warnings if any room aliases in your database have -# a forbidden room alias/ID. -# -# example: ["19dollarfortnitecards", "b[4a]droom"] -# -#forbidden_alias_names = [] - -# List of forbidden username patterns/strings. -# -# Regex can be used or explicit contains matches can be done by just -# specifying the words (see example). -# -# This is checked upon username availability check, registration, and -# startup as warnings if any local users in your database have a forbidden -# username. 
-# -# example: ["administrator", "b[a4]dusernam[3e]"] -# -#forbidden_usernames = [] - -# Retry failed and incomplete messages to remote servers immediately upon -# startup. This is called bursting. If this is disabled, said messages may -# not be delivered until more messages are queued for that server. Do not -# change this option unless server resources are extremely limited or the -# scale of the server's deployment is huge. Do not disable this unless you -# know what you are doing. -# -#startup_netburst = true - -# Messages are dropped and not reattempted. The `startup_netburst` option -# must be enabled for this value to have any effect. Do not change this -# value unless you know what you are doing. Set this value to -1 to -# reattempt every message without trimming the queues; this may consume -# significant disk. Set this value to 0 to drop all messages without any -# attempt at redelivery. -# -#startup_netburst_keep = 50 - -# Block non-admin local users from sending room invites (local and -# remote), and block non-admin users from receiving remote room invites. -# -# Admins are always allowed to send and receive all room invites. -# -#block_non_admin_invites = false - -# Allow admins to enter commands in rooms other than "#admins" (admin -# room) by prefixing your message with "\!admin" or "\\!admin" followed up -# a normal conduwuit admin command. The reply will be publicly visible to -# the room, originating from the sender. -# -# example: \\!admin debug ping puppygock.gay -# -#admin_escape_commands = true - -# Automatically activate the conduwuit admin room console / CLI on -# startup. This option can also be enabled with `--console` conduwuit -# argument. -# -#admin_console_automatic = false - -# List of admin commands to execute on startup. 
-# -# This option can also be configured with the `--execute` conduwuit -# argument and can take standard shell commands and environment variables -# -# For example: `./conduwuit --execute "server admin-notice conduwuit has -# started up at $(date)"` -# -# example: admin_execute = ["debug ping puppygock.gay", "debug echo hi"]` -# -#admin_execute = [] - -# Ignore errors in startup commands. -# -# If false, conduwuit will error and fail to start if an admin execute -# command (`--execute` / `admin_execute`) fails. -# -#admin_execute_errors_ignore = false - -# Controls the max log level for admin command log captures (logs -# generated from running admin commands). Defaults to "info" on release -# builds, else "debug" on debug builds. -# -#admin_log_capture = "info" - -# The default room tag to apply on the admin room. -# -# On some clients like Element, the room tag "m.server_notice" is a -# special pinned room at the very bottom of your room list. The conduwuit -# admin room can be pinned here so you always have an easy-to-access -# shortcut dedicated to your admin room. -# -#admin_room_tag = "m.server_notice" - -# Sentry.io crash/panic reporting, performance monitoring/metrics, etc. -# This is NOT enabled by default. conduwuit's default Sentry reporting -# endpoint domain is `o4506996327251968.ingest.us.sentry.io`. -# -#sentry = false - -# Sentry reporting URL, if a custom one is desired. -# -#sentry_endpoint = "https://fe2eb4536aa04949e28eff3128d64757@o4506996327251968.ingest.us.sentry.io/4506996334657536" - -# Report your conduwuit server_name in Sentry.io crash reports and -# metrics. -# -#sentry_send_server_name = false - -# Performance monitoring/tracing sample rate for Sentry.io. -# -# Note that too high values may impact performance, and can be disabled by -# setting it to 0.0 (0%) This value is read as a percentage to Sentry, -# represented as a decimal. 
Defaults to 15% of traces (0.15) -# -#sentry_traces_sample_rate = 0.15 - -# Whether to attach a stacktrace to Sentry reports. -# -#sentry_attach_stacktrace = false - -# Send panics to Sentry. This is true by default, but Sentry has to be -# enabled. The global `sentry` config option must be enabled to send any -# data. -# -#sentry_send_panic = true - -# Send errors to sentry. This is true by default, but sentry has to be -# enabled. This option is only effective in release-mode; forced to false -# in debug-mode. -# -#sentry_send_error = true - -# Controls the tracing log level for Sentry to send things like -# breadcrumbs and transactions -# -#sentry_filter = "info" - -# Enable the tokio-console. This option is only relevant to developers. -# -# For more information, see: -# https://conduwuit.puppyirl.gay/development.html#debugging-with-tokio-console -# -#tokio_console = false - -# This item is undocumented. Please contribute documentation for it. -# -#test = false - -# Controls whether admin room notices like account registrations, password -# changes, account deactivations, room directory publications, etc will be -# sent to the admin room. Update notices and normal admin command -# responses will still be sent. -# -#admin_room_notices = true - -# Enable database pool affinity support. On supporting systems, block -# device queue topologies are detected and the request pool is optimized -# for the hardware; db_pool_workers is determined automatically. -# -#db_pool_affinity = true - -# Sets the number of worker threads in the frontend-pool of the database. -# This number should reflect the I/O capabilities of the system, -# such as the queue-depth or the number of simultaneous requests in -# flight. Defaults to 32 or four times the number of CPU cores, whichever -# is greater. -# -# Note: This value is only used if db_pool_affinity is disabled or not -# detected on the system, otherwise it is determined automatically. 
-# -#db_pool_workers = 32 - -# When db_pool_affinity is enabled and detected, the size of any worker -# group will not exceed the determined value. This is necessary when -# thread-pooling approach does not scale to the full capabilities of -# high-end hardware; using detected values without limitation could -# degrade performance. -# -# The value is multiplied by the number of cores which share a device -# queue, since group workers can be scheduled on any of those cores. -# -#db_pool_workers_limit = 64 - -# Determines the size of the queues feeding the database's frontend-pool. -# The size of the queue is determined by multiplying this value with the -# number of pool workers. When this queue is full, tokio tasks conducting -# requests will yield until space is available; this is good for -# flow-control by avoiding buffer-bloat, but can inhibit throughput if -# too low. -# -#db_pool_queue_mult = 4 - -# Sets the initial value for the concurrency of streams. This value simply -# allows overriding the default in the code. The default is 32, which is -# the same as the default in the code. Note this value is itself -# overridden by the computed stream_width_scale, unless that is disabled; -# this value can serve as a fixed-width instead. -# -#stream_width_default = 32 - -# Scales the stream width starting from a base value detected for the -# specific system. The base value is the database pool worker count -# determined from the hardware queue size (e.g. 32 for SSD or 64 or 128+ -# for NVMe). This float allows scaling the width up or down by multiplying -# it (e.g. 1.5, 2.0, etc). The maximum result can be the size of the pool -# queue (see: db_pool_queue_mult) as any larger value will stall the tokio -# task. The value can also be scaled down (e.g. 0.5) to improve -# responsiveness for many users at the cost of throughput for each. -# -# Setting this value to 0.0 causes the stream width to be fixed at the -# value of stream_width_default. 
The default scale is 1.0 to match the -# capabilities detected for the system. -# -#stream_width_scale = 1.0 - -# Sets the initial amplification factor. This controls batch sizes of -# requests made by each pool worker, multiplying the throughput of each -# stream. This value is somewhat abstract from specific hardware -# characteristics and can be significantly larger than any thread count or -# queue size. This is because each database query may require several -# index lookups, thus many database queries in a batch may make progress -# independently while also sharing index and data blocks which may or may -# not be cached. It is worthwhile to submit huge batches to reduce -# complexity. The maximum value is 32768, though sufficient hardware is -# still advised for that. -# -#stream_amplification = 1024 - -# Number of sender task workers; determines sender parallelism. Default is -# '0' which means the value is determined internally, likely matching the -# number of tokio worker-threads or number of cores, etc. Override by -# setting a non-zero value. -# -#sender_workers = 0 - -[global.well_known] - -# The server URL that the client well-known file will serve. This should -# not contain a port, and should just be a valid HTTPS URL. -# -# example: "https://matrix.example.com" -# -#client = - -# The server base domain of the URL with a specific port that the server -# well-known file will serve. This should contain a port at the end, and -# should not be a URL. -# -# example: "matrix.example.com:443" -# -#server = - -# This item is undocumented. Please contribute documentation for it. -# -#support_page = - -# This item is undocumented. Please contribute documentation for it. -# -#support_role = - -# This item is undocumented. Please contribute documentation for it. -# -#support_email = - -# This item is undocumented. Please contribute documentation for it. -# -#support_mxid = 
diff --git a/roles/custom/matrix-conduwuit/templates/env.j2 b/roles/custom/matrix-conduwuit/templates/env.j2
deleted file mode 100644
index 026bfe308..000000000
--- a/roles/custom/matrix-conduwuit/templates/env.j2
+++ /dev/null
@@ -1 +0,0 @@
-{{ matrix_conduwuit_environment_variables_extension }}
diff --git a/roles/custom/matrix-conduwuit/templates/env.j2.license b/roles/custom/matrix-conduwuit/templates/env.j2.license
deleted file mode 100644
index a149c4232..000000000
--- a/roles/custom/matrix-conduwuit/templates/env.j2.license
+++ /dev/null
@@ -1,3 +0,0 @@
-SPDX-FileCopyrightText: 2025 Slavi Pantaleev
-
-SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/roles/custom/matrix-conduwuit/templates/labels.j2 b/roles/custom/matrix-conduwuit/templates/labels.j2
deleted file mode 100644
index bcaf3b2dc..000000000
--- a/roles/custom/matrix-conduwuit/templates/labels.j2
+++ /dev/null
@@ -1,173 +0,0 @@
-{#
-SPDX-FileCopyrightText: 2025 MDAD project contributors
-SPDX-FileCopyrightText: 2025 Slavi Pantaleev
-SPDX-FileCopyrightText: 2025 Suguru Hirahara
-
-SPDX-License-Identifier: AGPL-3.0-or-later
-#}
-
-{% if matrix_conduwuit_container_labels_traefik_enabled %}
-traefik.enable=true
-
-{% if matrix_conduwuit_container_labels_traefik_docker_network %}
-traefik.docker.network={{ matrix_conduwuit_container_labels_traefik_docker_network }}
-{% endif %}
-
-traefik.http.services.matrix-conduwuit.loadbalancer.server.port={{ matrix_conduwuit_config_port_number }}
-
-
-{% if matrix_conduwuit_container_labels_public_client_root_enabled %}
-############################################################
-# #
-# Public Root path (/) #
-# #
-############################################################
-
-{% set client_root_middlewares = [] %}
-
-{% if matrix_conduwuit_container_labels_public_client_root_redirection_enabled %}
-{% set client_root_middlewares = client_root_middlewares + ['matrix-conduwuit-client-root-redirect'] %}
-traefik.http.middlewares.matrix-conduwuit-client-root-redirect.redirectregex.regex=(.*)
-traefik.http.middlewares.matrix-conduwuit-client-root-redirect.redirectregex.replacement={{ matrix_conduwuit_container_labels_public_client_root_redirection_url }}
-{% endif %}
-
-traefik.http.routers.matrix-conduwuit-public-client-root.rule={{ matrix_conduwuit_container_labels_public_client_root_traefik_rule }}
-
-traefik.http.routers.matrix-conduwuit-public-client-root.middlewares={{ client_root_middlewares | join(',') }}
-
-{% if matrix_conduwuit_container_labels_public_client_root_traefik_priority | int > 0 %}
-traefik.http.routers.matrix-conduwuit-public-client-root.priority={{ matrix_conduwuit_container_labels_public_client_root_traefik_priority }}
-{% endif %}
-
-traefik.http.routers.matrix-conduwuit-public-client-root.service=matrix-conduwuit
-traefik.http.routers.matrix-conduwuit-public-client-root.entrypoints={{ matrix_conduwuit_container_labels_public_client_root_traefik_entrypoints }}
-traefik.http.routers.matrix-conduwuit-public-client-root.tls={{ matrix_conduwuit_container_labels_public_client_root_traefik_tls | to_json }}
-
-{% if matrix_conduwuit_container_labels_public_client_root_traefik_tls %}
-traefik.http.routers.matrix-conduwuit-public-client-root.tls.certResolver={{ matrix_conduwuit_container_labels_public_client_root_traefik_tls_certResolver }}
-{% endif %}
-
-############################################################
-# #
-# /Public Root path (/) #
-# #
-############################################################
-{% endif %}
-
-
-{% if matrix_conduwuit_container_labels_public_client_api_enabled %}
-############################################################
-# #
-# Public Client-API (/_matrix) #
-# #
-############################################################
-
-traefik.http.routers.matrix-conduwuit-public-client-api.rule={{ matrix_conduwuit_container_labels_public_client_api_traefik_rule }}
-
-{% if matrix_conduwuit_container_labels_public_client_api_traefik_priority | int > 0 %}
-traefik.http.routers.matrix-conduwuit-public-client-api.priority={{ matrix_conduwuit_container_labels_public_client_api_traefik_priority }}
-{% endif %}
-
-traefik.http.routers.matrix-conduwuit-public-client-api.service=matrix-conduwuit
-traefik.http.routers.matrix-conduwuit-public-client-api.entrypoints={{ matrix_conduwuit_container_labels_public_client_api_traefik_entrypoints }}
-
-traefik.http.routers.matrix-conduwuit-public-client-api.tls={{ matrix_conduwuit_container_labels_public_client_api_traefik_tls | to_json }}
-{% if matrix_conduwuit_container_labels_public_client_api_traefik_tls %}
-traefik.http.routers.matrix-conduwuit-public-client-api.tls.certResolver={{ matrix_conduwuit_container_labels_public_client_api_traefik_tls_certResolver }}
-{% endif %}
-
-############################################################
-# #
-# /Public Client-API (/_matrix) #
-# #
-############################################################
-{% endif %}
-
-
-{% if matrix_conduwuit_container_labels_internal_client_api_enabled %}
-############################################################
-# #
-# Internal Client-API (/_matrix) #
-# #
-############################################################
-
-traefik.http.routers.matrix-conduwuit-internal-client-api.rule={{ matrix_conduwuit_container_labels_internal_client_api_traefik_rule }}
-
-{% if matrix_conduwuit_container_labels_internal_client_api_traefik_priority | int > 0 %}
-traefik.http.routers.matrix-conduwuit-internal-client-api.priority={{ matrix_conduwuit_container_labels_internal_client_api_traefik_priority }}
-{% endif %}
-
-traefik.http.routers.matrix-conduwuit-internal-client-api.service=matrix-conduwuit
-traefik.http.routers.matrix-conduwuit-internal-client-api.entrypoints={{ matrix_conduwuit_container_labels_internal_client_api_traefik_entrypoints }}
-
-############################################################
-# #
-# /Internal Client-API (/_matrix) #
-# #
-############################################################
-{% endif %}
-
-
-{% if matrix_conduwuit_container_labels_public_federation_api_enabled %}
-############################################################
-# #
-# Public Federation-API (/_matrix) #
-# #
-############################################################
-
-traefik.http.routers.matrix-conduwuit-public-federation-api.rule={{ matrix_conduwuit_container_labels_public_federation_api_traefik_rule }}
-
-{% if matrix_conduwuit_container_labels_public_federation_api_traefik_priority | int > 0 %}
-traefik.http.routers.matrix-conduwuit-public-federation-api.priority={{ matrix_conduwuit_container_labels_public_federation_api_traefik_priority }}
-{% endif %}
-
-traefik.http.routers.matrix-conduwuit-public-federation-api.service=matrix-conduwuit
-traefik.http.routers.matrix-conduwuit-public-federation-api.entrypoints={{ matrix_conduwuit_container_labels_public_federation_api_traefik_entrypoints }}
-
-traefik.http.routers.matrix-conduwuit-public-federation-api.tls={{ matrix_conduwuit_container_labels_public_federation_api_traefik_tls | to_json }}
-{% if matrix_conduwuit_container_labels_public_federation_api_traefik_tls %}
-traefik.http.routers.matrix-conduwuit-public-federation-api.tls.certResolver={{ matrix_conduwuit_container_labels_public_federation_api_traefik_tls_certResolver }}
-{% endif %}
-
-############################################################
-# #
-# /Public Federation-API (/_matrix) #
-# #
-############################################################
-{% endif %}
-
-
-
-
-{% if matrix_conduwuit_container_labels_public_conduwuit_api_enabled %}
-############################################################
-# #
-# Public conduwuit-API (/_conduwuit) #
-# #
-############################################################
-
-traefik.http.routers.matrix-conduwuit-public-conduwuit-api.rule={{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_rule }}
-
-{% if matrix_conduwuit_container_labels_public_conduwuit_api_traefik_priority | int > 0 %}
-traefik.http.routers.matrix-conduwuit-public-conduwuit-api.priority={{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_priority }}
-{% endif %}
-
-traefik.http.routers.matrix-conduwuit-public-conduwuit-api.service=matrix-conduwuit
-traefik.http.routers.matrix-conduwuit-public-conduwuit-api.entrypoints={{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_entrypoints }}
-
-traefik.http.routers.matrix-conduwuit-public-conduwuit-api.tls={{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_tls | to_json }}
-{% if matrix_conduwuit_container_labels_public_conduwuit_api_traefik_tls %}
-traefik.http.routers.matrix-conduwuit-public-conduwuit-api.tls.certResolver={{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_tls_certResolver }}
-{% endif %}
-
-############################################################
-# #
-# /Public conduwuit-API (/_conduwuit) #
-# #
-############################################################
-{% endif %}
-
-
-{% endif %}
-
-{{ matrix_conduwuit_container_labels_additional_labels }}
diff --git a/roles/custom/matrix-conduwuit/templates/systemd/matrix-conduwuit.service.j2 b/roles/custom/matrix-conduwuit/templates/systemd/matrix-conduwuit.service.j2
deleted file mode 100644
index 5e32edc28..000000000
--- a/roles/custom/matrix-conduwuit/templates/systemd/matrix-conduwuit.service.j2
+++ /dev/null
@@ -1,51 +0,0 @@
-#jinja2: lstrip_blocks: True
-[Unit]
-Description=conduwuit Matrix homeserver
-{% for service in matrix_conduwuit_systemd_required_services_list %}
-Requires={{ service }}
-After={{ service }}
-{% endfor %}
-
-[Service]
-Type=simple
-Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-conduwuit 2>/dev/null || true'
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-conduwuit 2>/dev/null || true'
-
-ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
- --rm \
- --name=matrix-conduwuit \
- --log-driver=none \
- --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
- --cap-drop=ALL \
- --read-only \
- --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_conduwuit_tmp_directory_size_mb }}m \
- --network={{ matrix_conduwuit_container_network }} \
- --env CONDUWUIT_CONFIG=/etc/conduwuit/conduwuit.toml \
- --label-file={{ matrix_conduwuit_base_path }}/labels \
- --mount type=bind,src={{ matrix_conduwuit_data_path }},dst=/var/lib/conduwuit \
- --mount type=bind,src={{ matrix_conduwuit_config_path }},dst=/etc/conduwuit,ro \
- {% for arg in matrix_conduwuit_container_extra_arguments %}
- {{ arg }} \
- {% endfor %}
- {{ matrix_conduwuit_docker_image }}
-
-{% for network in matrix_conduwuit_container_additional_networks %}
-ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-conduwuit
-{% endfor %}
-
-ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-conduwuit
-
-{% if matrix_conduwuit_systemd_service_post_start_delay_seconds != 0 %}
-ExecStartPost=-{{ matrix_host_command_sleep }} {{ matrix_conduwuit_systemd_service_post_start_delay_seconds }}
-{%
endif %}
-
-ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-conduwuit 2>/dev/null || true'
-ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-conduwuit 2>/dev/null || true'
-ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-conduwuit /bin/sh -c 'kill -HUP 1'
-Restart=always
-RestartSec=30
-SyslogIdentifier=matrix-conduwuit
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/custom/matrix-conduwuit/templates/systemd/matrix-conduwuit.service.j2.license b/roles/custom/matrix-conduwuit/templates/systemd/matrix-conduwuit.service.j2.license
deleted file mode 100644
index 6fe7fc50c..000000000
--- a/roles/custom/matrix-conduwuit/templates/systemd/matrix-conduwuit.service.j2.license
+++ /dev/null
@@ -1,4 +0,0 @@
-SPDX-FileCopyrightText: 2025 MDAD project contributors
-SPDX-FileCopyrightText: 2025 Slavi Pantaleev
-
-SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/roles/custom/matrix-conduwuit/vars/main.yml b/roles/custom/matrix-conduwuit/vars/main.yml
deleted file mode 100644
index fa5ec9d6e..000000000
--- a/roles/custom/matrix-conduwuit/vars/main.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-# SPDX-FileCopyrightText: 2025 MDAD project contributors
-# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
----
-
-matrix_conduwuit_client_api_url_endpoint_public: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_conduwuit_hostname }}/_matrix/client/versions"
-matrix_conduwuit_federation_api_url_endpoint_public: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_conduwuit_hostname }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version"
