overmind
/
matrix-docker-ansible-deploy
mirror of https://github.com/spantaleev/matrix-docker-ansible-deploy
1
0
Fork 0
Code Issues 0 Releases 0 Wiki Activity
Matrix Docker Ansible eploy
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7483 Commits
12 Branches
668 MiB
 
 
Tree: 07e900d6a2
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '07e900d6a2'
${ noResults }
matrix-docker-ansible-deploy/roles/custom/matrix-base/defaults/main.yml

341 lines
19 KiB
Raw Blame History 

  1. ---

  2. 

  3. # The bare domain name which represents your Matrix identity.

  4. # Matrix user ids for your server will be of the form (`@user:<matrix-domain>`).

  5. #

  6. # Note: this playbook does not touch the server referenced here.

  7. # Installation happens on another server ("matrix.<matrix-domain>", see `matrix_server_fqn_matrix`).

  8. #

  9. # Example value: example.com

  10. matrix_domain: ~

  11. 

  12. # The optional matrix admin MXID, used in bridges' configs to set bridge admin user

  13. # Example value: "@someone:{{ matrix_domain }}"

  14. matrix_admin: ''

  15. 

  16. # Global var to enable/disable encryption across all bridges with encryption support

  17. matrix_bridges_encryption_enabled: false

  18. 

  19. # Global var to enable/disable relay mode across all bridges with relay mode support

  20. matrix_bridges_relay_enabled: false

  21. 

  22. # A container network where all addon services (bridges, bots, etc.) would live.

  23. matrix_addons_container_network: matrix-addons

  24. 

  25. # The container network that the homeserver lives on and addon services (bridges, bots, etc.) should be connected to

  26. matrix_addons_homeserver_container_network: "{{ matrix_homeserver_container_network }}"

  27. 

  28. # The URL where addon services (bridges, bots, etc.) can reach the homeserver.

  29. # By default, this is configured to go directly to the homeserver, but the playbook may

  30. # override it to go through an intermediary service.

  31. matrix_addons_homeserver_client_api_url: "{{ matrix_homeserver_container_url }}"

  32. 

  33. # The systemd services (representing the homeserver) that addon services (bridges, bots, etc.) should depend on

  34. matrix_addons_homeserver_systemd_services_list: "{{ matrix_homeserver_systemd_services_list }}"

  35. 

  36. # A container network where all monitoring services would live.

  37. matrix_monitoring_container_network: matrix-monitoring

  38. 

  39. # matrix_homeserver_enabled controls whether to enable the homeserver systemd service, etc.

  40. #

  41. # Unless you're wrapping this playbook in another one

  42. # where you optionally wish to disable homeserver integration, you don't need to use this.

  43. #

  44. # Note: disabling this does not mean that a homeserver won't get installed.

  45. # Whether homeserver software is installed depends on other (`matrix_HOMESERVER_enabled`) variables - see `group_vars/matrix_servers`.

  46. matrix_homeserver_enabled: true

  47. 

  48. # This will contain the homeserver implementation that is in use.

  49. # Valid values: synapse, dendrite, conduit

  50. #

  51. # By default, we use Synapse, because it's the only full-featured Matrix server at the moment.

  52. #

  53. # This value automatically influences other variables (`matrix_synapse_enabled`, `matrix_dendrite_enabled`, etc.).

  54. # The homeserver implementation of an existing server cannot be changed without data loss.

  55. matrix_homeserver_implementation: synapse

  56. 

  57. # This contains a secret, which is used for generating various other secrets later on.

  58. matrix_homeserver_generic_secret_key: ''

  59. 

  60. # This is where your data lives and what we set up.

  61. # This and the Element FQN (see below) are expected to be on the same server.

  62. matrix_server_fqn_matrix: "matrix.{{ matrix_domain }}"

  63. 

  64. # This is where you access federation API.

  65. matrix_server_fqn_matrix_federation: '{{ matrix_server_fqn_matrix }}'

  66. 

  67. # This is where you access the Element web UI from (if enabled via matrix_client_element_enabled; enabled by default).

  68. # This and the Matrix FQN (see above) are expected to be on the same server.

  69. matrix_server_fqn_element: "element.{{ matrix_domain }}"

  70. 

  71. # This is where you access the Hydrogen web client from (if enabled via matrix_client_hydrogen_enabled; disabled by default).

  72. matrix_server_fqn_hydrogen: "hydrogen.{{ matrix_domain }}"

  73. 

  74. # This is where you access the Cinny web client from (if enabled via matrix_client_cinny_enabled; disabled by default).

  75. matrix_server_fqn_cinny: "cinny.{{ matrix_domain }}"

  76. 

  77. # This is where you access the schildichat web client from (if enabled via matrix_client_schildichat_enabled; disabled by default).

  78. matrix_server_fqn_schildichat: "schildichat.{{ matrix_domain }}"

  79. 

  80. # This is where you access the buscarron bot from (if enabled via matrix_bot_buscarron_enabled; disabled by default).

  81. matrix_server_fqn_buscarron: "buscarron.{{ matrix_domain }}"

  82. 

  83. # This is where you access the Dimension.

  84. matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}"

  85. 

  86. # This is where you access the etherpad (if enabled via etherpad_enabled; disabled by default).

  87. matrix_server_fqn_etherpad: "etherpad.{{ matrix_domain }}"

  88. 

  89. # For use with Go-NEB! (github callback url for example)

  90. matrix_server_fqn_bot_go_neb: "goneb.{{ matrix_domain }}"

  91. 

  92. # This is where you access Jitsi.

  93. matrix_server_fqn_jitsi: "jitsi.{{ matrix_domain }}"

  94. 

  95. # This is where you access Grafana.

  96. matrix_server_fqn_grafana: "stats.{{ matrix_domain }}"

  97. 

  98. # This is where you access the Sygnal push gateway.

  99. matrix_server_fqn_sygnal: "sygnal.{{ matrix_domain }}"

  100. 

  101. # This is where you access the mautrix wsproxy push gateway.

  102. matrix_server_fqn_mautrix_wsproxy: "wsproxy.{{ matrix_domain }}"

  103. 

  104. # This is where you access the ntfy push notification service.

  105. matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}"

  106. 

  107. # This is where you access rageshake.

  108. matrix_server_fqn_rageshake: "rageshake.{{ matrix_domain }}"

  109. 

  110. matrix_federation_public_port: 8448

  111. 

  112. # The name of the Traefik entrypoint for handling Matrix Federation

  113. # Also see the `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_*` variables.

  114. matrix_federation_traefik_entrypoint_name: matrix-federation

  115. 

  116. # Controls whether the federation entrypoint supports TLS.

  117. # TLS is force-enabled here, because the spec (https://spec.matrix.org/v1.9/server-server-api/#tls) says that the federation API must use HTTPS.

  118. # This may be changed at the playbook level for setups explicitly disabling TLS.

  119. # `matrix_playbook_ssl_enabled` has no influence over this.

  120. matrix_federation_traefik_entrypoint_tls: true

  121. 

  122. # The architecture that your server runs.

  123. # Recognized values by us are 'amd64', 'arm32' and 'arm64'.

  124. # Not all architectures support all services, so your experience (on non-amd64) may vary.

  125. # See docs/alternative-architectures.md

  126. matrix_architecture: "{{ 'amd64' if ansible_architecture == 'x86_64' else ('arm64' if ansible_architecture == 'aarch64' else ('arm32' if ansible_architecture.startswith('armv') else '')) }}"

  127. 

  128. # The architecture for Debian packages.

  129. # See: https://wiki.debian.org/SupportedArchitectures

  130. # We just remap from our `matrix_architecture` values to what Debian and possibly other distros call things.

  131. matrix_debian_arch: "{{ 'armhf' if matrix_architecture == 'arm32' else matrix_architecture }}"

  132. 

  133. matrix_container_global_registry_prefix: "docker.io/"

  134. 

  135. matrix_user_username: "matrix"

  136. matrix_user_groupname: "matrix"

  137. 

  138. # By default, the playbook creates the user (`matrix_user_username`)

  139. # and group (`matrix_user_groupname`) with a random id.

  140. # To use a specific user/group id, override these variables.

  141. matrix_user_uid: ~

  142. matrix_user_gid: ~

  143. 

  144. matrix_base_data_path: "/matrix"

  145. matrix_base_data_path_mode: "750"

  146. 

  147. matrix_bin_path: "{{ matrix_base_data_path }}/bin"

  148. 

  149. matrix_host_command_sleep: "/usr/bin/env sleep"

  150. matrix_host_command_chown: "/usr/bin/env chown"

  151. matrix_host_command_fusermount: "/usr/bin/env fusermount"

  152. matrix_host_command_openssl: "/usr/bin/env openssl"

  153. 

  154. matrix_homeserver_url: "https://{{ matrix_server_fqn_matrix }}"

  155. 

  156. # Specifies on which container network the homeserver is.

  157. matrix_homeserver_container_network: "matrix-homeserver"

  158. 

  159. # Controls whether to enable IPv6 for all Docker container networks used by the various services.

  160. # This only affects Matrix services that are part of this playbook (`roles/custom/matrix-*`),

  161. # but doesn't affect external (non-Matrix-related) roles (`roles/galaxy/*`).

  162. #

  163. # For this to work the Docker daemon needs to be configured for IPv6: https://docs.docker.com/config/daemon/ipv6/

  164. # You may be able to apply the required Docker Daemon settings via Ansible by using the `docker_daemon_options` variable.

  165. # See: https://github.com/geerlingguy/ansible-role-docker/blob/dc1c9a16066506c09f426713544581dc9b38e747/defaults/main.yml#L58

  166. # Example:

  167. # docker_daemon_options:

  168. #   experimental: true

  169. #   ip6tables: true

  170. #

  171. # Changing `matrix_ipv6_enabled` subsequently may not adjust existing container networks.

  172. # When changing `matrix_ipv6_enabled`, consider:

  173. # - stopping all services (`just stop-all`)

  174. # - deleting all container networks on the server: `docker network rm $(docker network ls -q)`

  175. # - re-running the playbook fully: `just install-all`

  176. matrix_ipv6_enabled: false

  177. 

  178. # Specifies whether the homeserver will federate at all.

  179. # Disable this to completely isolate your server from the rest of the Matrix network.

  180. matrix_homeserver_federation_enabled: true

  181. 

  182. # Specifies which systemd services are responsible for the homeserver

  183. matrix_homeserver_systemd_services_list: []

  184. 

  185. # Specifies where the homeserver's Client-Server API is on the container network (matrix_homeserver_container_network).

  186. # Most services that need to reach the homeserver do not use `matrix_homeserver_container_url`, but

  187. # rather `matrix_addons_homeserver_client_api_url`.

  188. matrix_homeserver_container_url: "http://{{ matrix_homeserver_container_client_api_endpoint }}"

  189. 

  190. # Specifies where the homeserver's Client-Server API is on the container network (matrix_homeserver_container_network).

  191. # Where this is depends on whether there's a reverse-proxy in front of the homeserver, which homeserver it is, etc.

  192. # This likely gets overriden elsewhere.

  193. matrix_homeserver_container_client_api_endpoint: ""

  194. 

  195. # Specifies where the homeserver's Federation API is on the container network (matrix_homeserver_container_network).

  196. matrix_homeserver_container_federation_url: "http://{{ matrix_homeserver_container_federation_api_endpoint }}"

  197. 

  198. # Specifies where the homeserver's Federation API is on the container network (matrix_homeserver_container_network).

  199. # Where this is depends on whether there's a reverse-proxy in front of the homeserver, which homeserver it is, etc.

  200. # This likely gets overriden elsewhere.

  201. matrix_homeserver_container_federation_api_endpoint: ""

  202. 

  203. # Specifies the public url of the Sync v3 (sliding-sync) API.

  204. # This will be used to set the `org.matrix.msc3575.proxy` property in `/.well-known/matrix/client`.

  205. # Once the API is stabilized, this will no longer be required.

  206. # See MSC3575: https://github.com/matrix-org/matrix-spec-proposals/blob/kegan/sync-v3/proposals/3575-sync.md

  207. matrix_homeserver_sliding_sync_url: ""

  208. 

  209. matrix_identity_server_url: ~

  210. 

  211. matrix_integration_manager_rest_url: ~

  212. matrix_integration_manager_ui_url: ~

  213. 

  214. matrix_homeserver_container_extra_arguments_auto: []

  215. matrix_homeserver_app_service_config_files_auto: []

  216. 

  217. # Controls whether various services should expose metrics publicly.

  218. # If Prometheus is operating on the same machine, exposing metrics publicly is not necessary.

  219. matrix_metrics_exposure_enabled: false

  220. matrix_metrics_exposure_hostname: "{{ matrix_server_fqn_matrix }}"

  221. matrix_metrics_exposure_path_prefix: /metrics

  222. matrix_metrics_exposure_http_basic_auth_enabled: false

  223. # See https://doc.traefik.io/traefik/middlewares/http/basicauth/#users

  224. matrix_metrics_exposure_http_basic_auth_users: ''

  225. 

  226. # Specifies the type of reverse-proxy used by the playbook.

  227. #

  228. # Changing this has an effect on whether a reverse-proxy is installed at all and what its type is,

  229. # as well as how all other services are configured.

  230. #

  231. # Valid options and a description of their behavior:

  232. #

  233. # - `playbook-managed-traefik`

  234. #     - the playbook will run a managed Traefik instance (matrix-traefik)

  235. #     - Traefik will do SSL termination, unless you disable it (e.g. `devture_traefik_config_entrypoint_web_secure_enabled: false`)

  236. #     - if SSL termination is enabled (as it is by default), you need to populate: `devture_traefik_config_certificatesResolvers_acme_email`

  237. #

  238. # - `other-traefik-container`

  239. #     - this playbook will not install Traefik

  240. #     - nevertheless, the playbook expects that you would install Traefik yourself via other means

  241. #     - you should make sure your Traefik configuration is compatible with what the playbook would have configured (web, web-secure, matrix-federation entrypoints, etc.)

  242. #     - you need to set `matrix_playbook_reverse_proxyable_services_additional_network` to the name of your Traefik network

  243. #     - Traefik certs dumper will be enabled by default (`devture_traefik_certs_dumper_enabled`). You need to point it to your Traefik's SSL certificates (`devture_traefik_certs_dumper_ssl_dir_path`)

  244. #

  245. # - `none`

  246. #     - no reverse-proxy will be installed

  247. #     - no port exposure will be done for any of the container services

  248. #     - it's up to you to expose the ports you want, etc.

  249. #     - this is unlikely to work well (if at all)

  250. matrix_playbook_reverse_proxy_type: ''

  251. 

  252. # Specifies the network that the reverse-proxy is operating at

  253. matrix_playbook_reverse_proxy_container_network: 'traefik'

  254. 

  255. # Specifies the hostname that the reverse-proxy is available at

  256. matrix_playbook_reverse_proxy_hostname: 'matrix-traefik'

  257. 

  258. # Controls the additional network that reverse-proxyable services will be connected to.

  259. matrix_playbook_reverse_proxyable_services_additional_network: "{{ matrix_playbook_reverse_proxy_container_network }}"

  260. 

  261. # Controls if various services think if SSL is enabled or not.

  262. # Disabling this does not actually disable Treafik's web-secure entrypoint and TLS termination settings.

  263. # For that, you'd need to use another variable (`devture_traefik_config_entrypoint_web_secure_enabled`).

  264. # This variable merely serves as an indicator if SSL is used or not.

  265. matrix_playbook_ssl_enabled: true

  266. 

  267. # Controls on which network interface services are exposed.

  268. # You can use this to tell all services to expose themselves on the loopback interface, on a local network IP or or publicly.

  269. # Possibly not all services support exposure via this variable.

  270. # We recommend not using it.

  271. #

  272. # Example value: `127.0.0.1:` (note the trailing `:`).

  273. matrix_playbook_service_host_bind_interface_prefix: ""

  274. 

  275. # Controls whether to enable an additional Traefik entrypoint for the purpose of serving Matrix Federation.

  276. # By default, federation is served on a special port (8448), so a separate entrypoint is necessary.

  277. # Group variables may influence whether this is enabled based on the port number and on the default entrypoints of the Traefik reverse-proxy.

  278. matrix_playbook_public_matrix_federation_api_traefik_entrypoint_enabled: true

  279. matrix_playbook_public_matrix_federation_api_traefik_entrypoint_name: "{{ matrix_federation_traefik_entrypoint_name }}"

  280. matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port: "{{ matrix_federation_public_port }}"

  281. matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: "{{ matrix_federation_public_port }}"

  282. matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_auto | combine(matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom, recursive=True) }}"

  283. matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_auto: {}

  284. matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom: {}

  285. 

  286. matrix_playbook_public_matrix_federation_api_traefik_entrypoint_definition:

  287.   name: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_name }}"

  288.   port: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port }}"

  289.   host_bind_port: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port }}"

  290.   config: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config }}"

  291. 

  292. # Controls whether to enable an additional Traefik entrypoint for the purpose of serving the homeserver's Client-Server API internally.

  293. #

  294. # Homeserver software and other core components which are part of the homeserver's Client-Server API

  295. # may wish to register their routes with this additional entrypoint and provide their services on it for internal (no-public-network and non-TLS) use.

  296. #

  297. # This entrypoint provides local addons (e.g. bridges, bots, etc.) with the ability to easily & quickly communicate with the homeserver and/or related software.

  298. # Such services can reach the homeserver over the public internet (e.g. https://matrix.DOMAIN), but this is slow due to networking and SSL-termination.

  299. # Talking directly to the homeserver (e.g. `http://matrix-synapse:8008`) is another option, but does not allow other homeserver-related software

  300. # (e.g. identity servers like ma1sd, media repository servers like matrix-media-repo, firewalls like matrix-corporal)

  301. # to register itself for certain homeserver routes.

  302. #

  303. # For example: when matrix-media-repo is enabled, it wishes to handle `/_matrix/media` both publicly and internally.

  304. # Bots/bridges that try to upload media should not hit `/_matrix/media` on the homeserver directly, but actually go through matrix-media-repo.

  305. #

  306. # This entrypoint gives us a layer of indirection, so that all these homeserver-related services can register themselves on this entrypoint

  307. # the same way they register themselves for the public (e.g. `web-secure`) entrypoint.

  308. #

  309. # Routers enabled on this entrypoint should use Traefik rules which do NOT do Host-matching (Host/HostRegexp),

  310. # because addon services (e.g. bridges, bots) cannot properly pass a `Host` HTTP header when making

  311. # requests to the endpoint's address (e.g. `http://devture-traefik:8008/`).

  312. # This entrypoint only aims to handle a single "virtual host" - one dealing with the homeserver's Client-Server API.

  313. matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"

  314. matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name: matrix-internal-matrix-client-api

  315. matrix_playbook_internal_matrix_client_api_traefik_entrypoint_port: 8008

  316. matrix_playbook_internal_matrix_client_api_traefik_entrypoint_host_bind_port: ''

  317. matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_auto | combine(matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_custom, recursive=True) }}"

  318. matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_auto: {}

  319. matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_custom: {}

  320. 

  321. matrix_playbook_internal_matrix_client_api_traefik_entrypoint_definition:

  322.   name: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"

  323.   port: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_port }}"

  324.   host_bind_port: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_host_bind_port }}"

  325.   config: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config }}"

  326. 

  327. # Variables to Control which parts of our roles run.

  328. run_postgres_import: true

  329. run_postgres_upgrade: true

  330. run_postgres_import_sqlite_db: true

  331. run_postgres_vacuum: true

  332. run_synapse_register_user: true

  333. run_synapse_update_user_password: true

  334. run_synapse_import_media_store: true

  335. run_synapse_rust_synapse_compress_state: true

  336. run_dendrite_register_user: true

  337. run_setup: true

  338. run_self_check: true

  339. run_start: true

  340. run_stop: true