overmind
/
matrix-docker-ansible-deploy
Mirror von https://github.com/spantaleev/matrix-docker-ansible-deploy
1
0
Fork 0
Code Issues 0 Releases 0 Wiki Aktivität
Matrix Docker Ansible eploy
Du kannst nicht mehr als 25 Themen auswählen Themen müssen entweder mit einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.
11292 Commits
12 Branches
405 MiB
 
 
Branch: master
Branches Tags
${ item.name }
Erstelle Branch ${ searchTerm }
von „master“
${ noResults }
matrix-docker-ansible-deploy/roles/custom/matrix-tuwunel/defaults/main.yml

316 Zeilen
16 KiB
Originalformat Permalink Blame Verlauf 

  1. # SPDX-FileCopyrightText: 2025 - 2026 MDAD project contributors

  2. # SPDX-FileCopyrightText: 2025 - 2026 Slavi Pantaleev

  3. #

  4. # SPDX-License-Identifier: AGPL-3.0-or-later

  5. 

  6. ---

  7. # Tuwunel is a Matrix homeserver, the official successor to conduwuit.

  8. # Project source code URL: https://github.com/matrix-construct/tuwunel

  9. # See: https://matrix-construct.github.io/tuwunel/

  10. 

  11. matrix_tuwunel_enabled: true

  12. 

  13. matrix_tuwunel_hostname: ''

  14. 

  15. # renovate: datasource=docker depName=ghcr.io/matrix-construct/tuwunel

  16. matrix_tuwunel_version: v1.6.1

  17. 

  18. matrix_tuwunel_container_image: "{{ matrix_tuwunel_container_image_registry_prefix }}matrix-construct/tuwunel:{{ matrix_tuwunel_container_image_tag }}"

  19. matrix_tuwunel_container_image_tag: "{{ matrix_tuwunel_version }}"

  20. matrix_tuwunel_container_image_registry_prefix: "{{ matrix_tuwunel_container_image_registry_prefix_upstream }}"

  21. matrix_tuwunel_container_image_registry_prefix_upstream: "{{ matrix_tuwunel_container_image_registry_prefix_upstream_default }}"

  22. matrix_tuwunel_container_image_registry_prefix_upstream_default: ghcr.io/

  23. 

  24. matrix_tuwunel_base_path: "{{ matrix_base_data_path }}/tuwunel"

  25. matrix_tuwunel_config_path: "{{ matrix_tuwunel_base_path }}/config"

  26. matrix_tuwunel_data_path: "{{ matrix_tuwunel_base_path }}/data"

  27. 

  28. matrix_tuwunel_config_port_number: 6167

  29. 

  30. matrix_tuwunel_tmp_directory_size_mb: 500

  31. 

  32. # List of systemd services that matrix-tuwunel.service depends on

  33. matrix_tuwunel_systemd_required_services_list: "{{ matrix_tuwunel_systemd_required_services_list_default + matrix_tuwunel_systemd_required_services_list_auto + matrix_tuwunel_systemd_required_services_list_custom }}"

  34. matrix_tuwunel_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"

  35. matrix_tuwunel_systemd_required_services_list_auto: []

  36. matrix_tuwunel_systemd_required_services_list_custom: []

  37. 

  38. # List of systemd services that matrix-tuwunel.service wants

  39. matrix_tuwunel_systemd_wanted_services_list: "{{ matrix_tuwunel_systemd_wanted_services_list_default + matrix_tuwunel_systemd_wanted_services_list_auto + matrix_tuwunel_systemd_wanted_services_list_custom }}"

  40. matrix_tuwunel_systemd_wanted_services_list_default: []

  41. matrix_tuwunel_systemd_wanted_services_list_auto: []

  42. matrix_tuwunel_systemd_wanted_services_list_custom: []

  43. 

  44. # Controls how long to sleep for after starting the matrix-tuwunel container,

  45. # so that subsequent services that depend on it can start after the homeserver

  46. # is fully up.

  47. #

  48. # Set to 0 to remove the delay.

  49. matrix_tuwunel_systemd_service_post_start_delay_seconds: 3

  50. 

  51. # The base container network. It will be auto-created by this role if it doesn't exist already.

  52. matrix_tuwunel_container_network: ""

  53. 

  54. # A list of additional container networks that the container would be connected to.

  55. # The role does not create these networks, so make sure they already exist.

  56. # Use this to expose this container to another reverse proxy, which runs in a different container network.

  57. matrix_tuwunel_container_additional_networks: "{{ matrix_tuwunel_container_additional_networks_auto + matrix_tuwunel_container_additional_networks_custom }}"

  58. matrix_tuwunel_container_additional_networks_auto: []

  59. matrix_tuwunel_container_additional_networks_custom: []

  60. 

  61. # matrix_tuwunel_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.

  62. # See `../templates/labels.j2` for details.

  63. #

  64. # To inject your own other container labels, see `matrix_tuwunel_container_labels_additional_labels`.

  65. matrix_tuwunel_container_labels_traefik_enabled: true

  66. matrix_tuwunel_container_labels_traefik_docker_network: "{{ matrix_tuwunel_container_network }}"

  67. matrix_tuwunel_container_labels_traefik_entrypoints: web-secure

  68. matrix_tuwunel_container_labels_traefik_tls_certResolver: default  # noqa var-naming

  69. 

  70. # Controls whether labels will be added for handling the root (/) path on a public Traefik entrypoint.

  71. matrix_tuwunel_container_labels_public_client_root_enabled: true

  72. matrix_tuwunel_container_labels_public_client_root_traefik_hostname: "{{ matrix_tuwunel_hostname }}"

  73. matrix_tuwunel_container_labels_public_client_root_traefik_rule: "Host(`{{ matrix_tuwunel_container_labels_public_client_root_traefik_hostname }}`) && Path(`/`)"

  74. matrix_tuwunel_container_labels_public_client_root_traefik_priority: 0

  75. matrix_tuwunel_container_labels_public_client_root_traefik_entrypoints: "{{ matrix_tuwunel_container_labels_traefik_entrypoints }}"

  76. matrix_tuwunel_container_labels_public_client_root_traefik_tls: "{{ matrix_tuwunel_container_labels_public_client_root_traefik_entrypoints != 'web' }}"

  77. matrix_tuwunel_container_labels_public_client_root_traefik_tls_certResolver: "{{ matrix_tuwunel_container_labels_traefik_tls_certResolver }}"  # noqa var-naming

  78. matrix_tuwunel_container_labels_public_client_root_redirection_enabled: false

  79. matrix_tuwunel_container_labels_public_client_root_redirection_url: ""

  80. 

  81. # Controls whether labels will be added that expose the Client-Server API on a public Traefik entrypoint.

  82. matrix_tuwunel_container_labels_public_client_api_enabled: true

  83. matrix_tuwunel_container_labels_public_client_api_traefik_hostname: "{{ matrix_tuwunel_hostname }}"

  84. matrix_tuwunel_container_labels_public_client_api_traefik_path_prefix: /_matrix

  85. matrix_tuwunel_container_labels_public_client_api_traefik_rule: "Host(`{{ matrix_tuwunel_container_labels_public_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_tuwunel_container_labels_public_client_api_traefik_path_prefix }}`)"

  86. matrix_tuwunel_container_labels_public_client_api_traefik_priority: 0

  87. matrix_tuwunel_container_labels_public_client_api_traefik_entrypoints: "{{ matrix_tuwunel_container_labels_traefik_entrypoints }}"

  88. matrix_tuwunel_container_labels_public_client_api_traefik_tls: "{{ matrix_tuwunel_container_labels_public_client_api_traefik_entrypoints != 'web' }}"

  89. matrix_tuwunel_container_labels_public_client_api_traefik_tls_certResolver: "{{ matrix_tuwunel_container_labels_traefik_tls_certResolver }}"  # noqa var-naming

  90. 

  91. # Controls whether labels will be added that expose the Client-Server API on the internal Traefik entrypoint.

  92. matrix_tuwunel_container_labels_internal_client_api_enabled: false

  93. matrix_tuwunel_container_labels_internal_client_api_traefik_path_prefix: "{{ matrix_tuwunel_container_labels_public_client_api_traefik_path_prefix }}"

  94. matrix_tuwunel_container_labels_internal_client_api_traefik_rule: "PathPrefix(`{{ matrix_tuwunel_container_labels_internal_client_api_traefik_path_prefix }}`)"

  95. matrix_tuwunel_container_labels_internal_client_api_traefik_priority: "{{ matrix_tuwunel_container_labels_public_client_api_traefik_priority }}"

  96. matrix_tuwunel_container_labels_internal_client_api_traefik_entrypoints: ""

  97. 

  98. # Controls whether labels will be added that expose the Server-Server (Federation) API on a public Traefik entrypoint.

  99. matrix_tuwunel_container_labels_public_federation_api_enabled: "{{ matrix_tuwunel_config_allow_federation }}"

  100. matrix_tuwunel_container_labels_public_federation_api_traefik_hostname: "{{ matrix_tuwunel_hostname }}"

  101. matrix_tuwunel_container_labels_public_federation_api_traefik_path_prefix: /_matrix

  102. matrix_tuwunel_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_tuwunel_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_tuwunel_container_labels_public_federation_api_traefik_path_prefix }}`)"

  103. matrix_tuwunel_container_labels_public_federation_api_traefik_priority: 0

  104. matrix_tuwunel_container_labels_public_federation_api_traefik_entrypoints: ''

  105. # TLS is force-enabled because the spec (https://spec.matrix.org/latest/server-server-api/#tls) requires the federation API use HTTPS.

  106. matrix_tuwunel_container_labels_public_federation_api_traefik_tls: true

  107. matrix_tuwunel_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_tuwunel_container_labels_traefik_tls_certResolver }}"  # noqa var-naming

  108. 

  109. # Additional Docker container labels (multiline string) appended verbatim to the label file.

  110. # See `../templates/labels.j2`.

  111. matrix_tuwunel_container_labels_additional_labels: ''

  112. 

  113. # Extra arguments for the Docker container

  114. matrix_tuwunel_container_extra_arguments: []

  115. 

  116. # Specifies which template files to use when configuring tuwunel.

  117. # To override the rendered config wholesale, copy the template into your inventory and point this at it:

  118. # matrix_tuwunel_template_tuwunel_config: "{{ playbook_dir }}/inventory/host_vars/matrix.example.com/tuwunel.toml.j2"

  119. matrix_tuwunel_template_tuwunel_config: "{{ role_path }}/templates/tuwunel.toml.j2"

  120. 

  121. # The pretty server name used as a suffix on user/room IDs. Cannot be changed after first start without a database wipe.

  122. matrix_tuwunel_config_server_name: "{{ matrix_domain }}"

  123. 

  124. # Max size for uploads, in bytes

  125. matrix_tuwunel_config_max_request_size: 20000000

  126. 

  127. # Enables open registration. If false, no users can register on this server.

  128. matrix_tuwunel_config_allow_registration: false

  129. 

  130. # When registration is enabled, set a strong token to protect the endpoint from abuse.

  131. # Generate one with e.g. `pwgen -s 64 1`. If left empty AND `allow_registration` is true,

  132. # you must explicitly opt in via the open-registration acknowledgement variable below.

  133. matrix_tuwunel_config_registration_token: ''

  134. 

  135. # Acknowledgement required to allow registration with no token.

  136. # Maps to tuwunel's `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`.

  137. matrix_tuwunel_config_yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse: false

  138. 

  139. # Suffix appended to new-user displaynames upon registration. Empty disables it.

  140. # Upstream defaults to a flag glyph; we keep MDAD homeserver behavior consistent and leave this empty.

  141. matrix_tuwunel_config_new_user_displayname_suffix: ""

  142. 

  143. # Emergency password to grant access to the admin user when locked out. Empty disables.

  144. matrix_tuwunel_config_emergency_password: ''

  145. 

  146. # Trusted notary servers used for key verification.

  147. matrix_tuwunel_config_trusted_servers:

  148.   - "matrix.org"

  149. 

  150. # Logging directives in `tracing-subscriber` env-filter syntax.

  151. matrix_tuwunel_config_log: "info,state_res=warn"

  152. 

  153. # TURN integration

  154. matrix_tuwunel_config_turn_uris: []

  155. matrix_tuwunel_config_turn_secret: ''

  156. matrix_tuwunel_config_turn_username: ''

  157. matrix_tuwunel_config_turn_password: ''

  158. 

  159. # Self-check toggles

  160. matrix_tuwunel_self_check_validate_certificates: true

  161. 

  162. # Encryption / room creation policy

  163. matrix_tuwunel_config_allow_encryption: true

  164. matrix_tuwunel_config_allow_room_creation: true

  165. 

  166. # Default room version newly created rooms will use.

  167. matrix_tuwunel_config_default_room_version: '12'

  168. 

  169. # Rooms newly registered users will be auto-joined to.

  170. # Must be rooms this server has joined at least once and that are public.

  171. matrix_tuwunel_config_auto_join_rooms: []

  172. 

  173. # (De)federation toggles

  174. matrix_tuwunel_config_allow_federation: true

  175. matrix_tuwunel_config_allowed_remote_server_names: []

  176. matrix_tuwunel_config_forbidden_remote_server_names: []

  177. matrix_tuwunel_config_forbidden_remote_room_directory_server_names: []

  178. matrix_tuwunel_config_prevent_media_downloads_from: []

  179. 

  180. # Outgoing presence is heavy on CPU and network and almost no clients use it. Off by default.

  181. matrix_tuwunel_config_allow_outgoing_presence: false

  182. 

  183. # URL preview gating

  184. matrix_tuwunel_config_url_preview_domain_contains_allowlist: []

  185. matrix_tuwunel_config_url_preview_domain_explicit_allowlist: []

  186. matrix_tuwunel_config_url_preview_check_root_domain: false

  187. 

  188. # Well-known overrides

  189. # Maps to `[global.well_known] client = "..."` and `server = "host:port"`.

  190. matrix_tuwunel_config_well_known_client: ''

  191. matrix_tuwunel_config_well_known_server: ''

  192. matrix_tuwunel_config_well_known_support_page: ''

  193. matrix_tuwunel_config_well_known_support_email: ''

  194. matrix_tuwunel_config_well_known_support_mxid: ''

  195. 

  196. # MatrixRTC foci served via /_matrix/client/v1/rtc/transports (MSC4143)

  197. matrix_tuwunel_config_well_known_livekit_url: ''

  198. 

  199. # RocksDB tuning. Empty values let tuwunel auto-pick.

  200. matrix_tuwunel_config_rocksdb_compression_algo: 'zstd'  # one of: zstd, lz4, bz2, none

  201. matrix_tuwunel_config_rocksdb_compression_level: ''

  202. matrix_tuwunel_config_rocksdb_bottommost_compression_level: ''

  203. matrix_tuwunel_config_rocksdb_direct_io: false

  204. matrix_tuwunel_config_rocksdb_parallelism_threads: 0

  205. matrix_tuwunel_config_rocksdb_max_log_file_size: ''

  206. matrix_tuwunel_config_rocksdb_log_time_to_roll: ''

  207. matrix_tuwunel_config_database_backup_path: ''

  208. matrix_tuwunel_config_database_backups_to_keep: 1

  209. 

  210. # Cache sizing. Empty values let tuwunel auto-pick (scaled by CPU count).

  211. matrix_tuwunel_config_cache_capacity_modifier: ''

  212. matrix_tuwunel_config_db_cache_capacity_mb: ''

  213. matrix_tuwunel_config_db_write_buffer_capacity_mb: ''

  214. 

  215. # Admin room

  216. matrix_tuwunel_config_create_admin_room: true

  217. matrix_tuwunel_config_federate_admin_room: false

  218. matrix_tuwunel_config_grant_admin_to_first_user: true

  219. 

  220. # Sentry crash/error reporting (off by default)

  221. matrix_tuwunel_config_sentry_enabled: false

  222. matrix_tuwunel_config_sentry_endpoint: ''

  223. matrix_tuwunel_config_sentry_send_server_name: false

  224. matrix_tuwunel_config_sentry_traces_sample_rate: 0.15

  225. 

  226. # Blurhashing for image previews

  227. matrix_tuwunel_config_blurhashing_enabled: true

  228. matrix_tuwunel_config_blurhashing_components_x: 4

  229. matrix_tuwunel_config_blurhashing_components_y: 3

  230. matrix_tuwunel_config_blurhashing_max_raw_size: 33554432

  231. 

  232. # Native TLS (use only when reverse-proxying is not desired)

  233. matrix_tuwunel_config_tls_certs: ''

  234. matrix_tuwunel_config_tls_key: ''

  235. matrix_tuwunel_config_tls_dual_protocol: false

  236. 

  237. # LDAP authentication ([global.ldap] in tuwunel.toml).

  238. # See: https://matrix-construct.github.io/tuwunel/authentication/providers.html

  239. matrix_tuwunel_config_ldap_enabled: false

  240. matrix_tuwunel_config_ldap_uri: ''

  241. matrix_tuwunel_config_ldap_base_dn: ''

  242. matrix_tuwunel_config_ldap_bind_dn: ''

  243. matrix_tuwunel_config_ldap_bind_password_file: ''

  244. matrix_tuwunel_config_ldap_filter: '(objectClass=*)'

  245. matrix_tuwunel_config_ldap_uid_attribute: 'uid'

  246. matrix_tuwunel_config_ldap_name_attribute: 'givenName'

  247. matrix_tuwunel_config_ldap_admin_base_dn: ''

  248. matrix_tuwunel_config_ldap_admin_filter: ''

  249. 

  250. # JWT authentication ([global.jwt] in tuwunel.toml).

  251. matrix_tuwunel_config_jwt_enabled: false

  252. matrix_tuwunel_config_jwt_key: ''

  253. matrix_tuwunel_config_jwt_format: 'HMAC'  # one of: HMAC, B64HMAC, ECDSA, EDDSA

  254. matrix_tuwunel_config_jwt_algorithm: 'HS256'

  255. matrix_tuwunel_config_jwt_register_user: true

  256. matrix_tuwunel_config_jwt_audience: []

  257. matrix_tuwunel_config_jwt_issuer: []

  258. matrix_tuwunel_config_jwt_require_exp: false

  259. matrix_tuwunel_config_jwt_require_nbf: false

  260. matrix_tuwunel_config_jwt_validate_exp: true

  261. matrix_tuwunel_config_jwt_validate_nbf: true

  262. 

  263. # OAuth2/OIDC identity providers.

  264. #

  265. # Each entry becomes a `[[global.identity_provider]]` block. Only fields you set are emitted;

  266. # tuwunel applies brand-aware defaults for known providers (Google, GitHub, Keycloak, MAS, etc).

  267. #

  268. # Example:

  269. # matrix_tuwunel_config_identity_providers:

  270. #   - brand: keycloak

  271. #     client_id: matrix

  272. #     client_secret: '...'

  273. #     issuer_url: https://sso.example.com/realms/matrix

  274. #     callback_url: https://matrix.example.com/_matrix/client/unstable/login/sso/callback/matrix

  275. #     trusted: true

  276. #   - brand: github

  277. #     client_id: '...'

  278. #     client_secret: '...'

  279. #

  280. # See: https://matrix-construct.github.io/tuwunel/authentication/providers.html

  281. matrix_tuwunel_config_identity_providers: []

  282. 

  283. # Media storage providers.

  284. #

  285. # Each entry maps an ID to a backend. `kind` is `local` or `s3`; remaining keys map directly

  286. # to fields under `[global.storage_provider.<ID>.<kind>]`.

  287. #

  288. # Examples:

  289. # matrix_tuwunel_config_storage_providers:

  290. #   - id: primary

  291. #     kind: local

  292. #     base_path: /var/lib/tuwunel/media

  293. #   - id: archive

  294. #     kind: s3

  295. #     url: s3://my-bucket/media

  296. #     region: us-east-1

  297. #     key: AKIA...

  298. #     secret: '...'

  299. #

  300. # See: https://matrix-construct.github.io/tuwunel/media/storage.html

  301. matrix_tuwunel_config_storage_providers: []

  302. 

  303. # Additional environment variables to pass to the container, one per line.

  304. # Environment variables override the rendered config file.

  305. #

  306. # Example:

  307. # matrix_tuwunel_environment_variables_extension: |

  308. #   TUWUNEL_REQUEST_TIMEOUT=60

  309. #   TUWUNEL_DNS_CACHE_SIZE=131072

  310. matrix_tuwunel_environment_variables_extension: ''

  311. 

  312. # matrix_tuwunel_restart_necessary controls whether the service will be restarted (when true)

  313. # or merely started (when false) by the systemd service-manager role when conditional restart

  314. # is enabled. Computed during installation based on whether config / unit / image changed.

  315. matrix_tuwunel_restart_necessary: false