From 134faa3139c16ccae648fed34638ddd108d7c97e Mon Sep 17 00:00:00 2001 From: Lyubomir Popov Date: Tue, 30 Apr 2019 16:30:26 +0300 Subject: [PATCH 01/23] Add the ability to update user passwords with ansible (when using the matrix-postgres container). --- docs/README.md | 2 + docs/updating-users-passwords.md | 19 ++++++++ roles/matrix-base/defaults/main.yml | 1 + roles/matrix-base/tasks/setup_server_base.yml | 4 +- .../matrix-postgres/tasks/setup_postgres.yml | 7 +++ ...trix-postgres-update-user-password-hash.j2 | 15 ++++++ roles/matrix-synapse/tasks/main.yml | 5 ++ .../tasks/setup_synapse_main.yml | 6 +++ .../tasks/update_user_password.yml | 48 +++++++++++++++++++ .../matrix-synapse-generate-password-hash.j2 | 31 ++++++++++++ 10 files changed, 137 insertions(+), 1 deletion(-) create mode 100644 docs/updating-users-passwords.md create mode 100644 roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 create mode 100644 roles/matrix-synapse/tasks/update_user_password.yml create mode 100644 roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-generate-password-hash.j2 diff --git a/docs/README.md b/docs/README.md index 1718c6ace..f623085bb 100644 --- a/docs/README.md +++ b/docs/README.md @@ -12,6 +12,8 @@ - [Registering users](registering-users.md) +- [Updating users passwords](updating-users-passwords.md) + - [Configuring service discovery via .well-known](configuring-well-known.md) - [Maintenance / checking if services work](maintenance-checking-services.md) diff --git a/docs/updating-users-passwords.md b/docs/updating-users-passwords.md new file mode 100644 index 000000000..72b1f2783 --- /dev/null +++ b/docs/updating-users-passwords.md 
@@ -0,0 +1,19 @@ +# Updating users passwords + +If you are using the matrix-postgres container(default), you can do it via this Ansible playbook (make sure to edit the `` and `` part below): + + ansible-playbook -i inventory/hosts setup.yml --extra-vars='username= password=' --tags=update-user-password + +**Note**: `` is just a plain username (like `john`), not your full `@:` identifier. + +**You can then log in with that user** via the riot-web service that this playbook has created for you at a URL like this: `https://riot./`. + +If you are NOT using the matrix-postgres container, you can generate the password hash by using the command-line after **SSH**-ing to your server (requires that [all services have been started](#starting-the-services)): + + docker exec -it matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml + +and then connecting to the postgres server and executing: + + UPDATE users SET password_hash = '' WHERE name = '@someone:server.com' + +where `` is the hash returned by the docker command above. diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 863694082..ab38084b8 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -48,6 +48,7 @@ run_import_postgres: true run_upgrade_postgres: true run_start: true run_register_user: true +run_update_user_password: true run_import_sqlite_db: true run_import_media_store: true run_self_check: true diff --git a/roles/matrix-base/tasks/setup_server_base.yml b/roles/matrix-base/tasks/setup_server_base.yml index f4a8352f2..2ccdbd837 100644 --- a/roles/matrix-base/tasks/setup_server_base.yml +++ b/roles/matrix-base/tasks/setup_server_base.yml @@ -25,6 +25,7 @@ - docker-python - ntp - fuse + - expect state: latest update_cache: yes when: ansible_distribution == 'CentOS' 
@@ -62,13 +63,14 @@ - python-docker - ntp - fuse + - expect state: latest update_cache: yes when: ansible_os_family == 'Debian' - name: Ensure Docker is started and autoruns service: - name: docker + name: docker state: started enabled: yes diff --git a/roles/matrix-postgres/tasks/setup_postgres.yml b/roles/matrix-postgres/tasks/setup_postgres.yml index e22e10240..659650db7 100644 --- a/roles/matrix-postgres/tasks/setup_postgres.yml +++ b/roles/matrix-postgres/tasks/setup_postgres.yml @@ -123,3 +123,10 @@ debug: msg: "Note: You are not using a local PostgreSQL database, but some old data remains from before in `{{ matrix_postgres_data_path }}`. Feel free to delete it." when: "not matrix_postgres_enabled and matrix_postgres_data_path_stat.stat.exists" + +- name: Ensure matrix-postgres-update-user-password-hash script created + template: + src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2" + dest: "/usr/local/bin/matrix-postgres-update-user-password-hash" + mode: 0750 + when: matrix_postgres_enabled \ No newline at end of file diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 new file mode 100644 index 000000000..bd99211c6 --- /dev/null +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 @@ -0,0 +1,15 @@ +#!/bin/bash + +if [ $# -ne 2 ]; then + echo "Usage: "$0" " + exit 1 +fi + +docker run \ + --rm \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ + --network {{ matrix_docker_network }} \ + {{ matrix_postgres_docker_image_to_use }} \ + psql -h {{ matrix_postgres_connection_hostname }} -c "UPDATE users set password_hash='$2' WHERE name = '@$1:{{ matrix_domain }}'" 
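Review bot: The `psql ... -c "UPDATE users set password_hash='$2' WHERE name = '@$1:{{ matrix_domain }}'"` line at the end of the new script builds the statement by string-interpolating both arguments, so a username or hash containing a single quote alters the SQL instead of being treated as data, and the script runs with whatever database privileges `env-postgres-psql` grants. psql's `-v` variables with `:'name'` quoting keep the values literal, but that interpolation is not applied to `-c` strings, so the statement has to arrive on stdin (which needs `-i` on `docker run`); restricting `$1` to the characters the Matrix spec allows in a user-ID local part is a cheap additional guard. The script also exits 0 when no row matches (psql reports `UPDATE 0`), so a mistyped username looks like success to the Ansible task calling it; checking that output, or the row count, would surface that. A rewrite of the tail of the script along these lines follows.

```shell
# Reject anything outside the characters allowed in a Matrix user-ID local part.
case "$1" in
  ""|*[!a-z0-9._=/-]*) echo "invalid username" >&2; exit 1 ;;
esac

# The statement is fed on stdin so psql's :'var' quoting applies (it is not applied to -c strings).
echo "UPDATE users SET password_hash = :'hash' WHERE name = :'mxid'" | docker run \
  --rm \
  -i \
  # … unchanged: --user, --cap-drop, --env-file, --network lines …
  {{ matrix_postgres_docker_image_to_use }} \
  psql -h {{ matrix_postgres_connection_hostname }} -v mxid="@$1:{{ matrix_domain }}" -v hash="$2"
```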
diff --git a/roles/matrix-synapse/tasks/main.yml b/roles/matrix-synapse/tasks/main.yml index 1049cb5f1..058cf05f2 100644 --- a/roles/matrix-synapse/tasks/main.yml +++ b/roles/matrix-synapse/tasks/main.yml @@ -37,3 +37,8 @@ when: run_self_check tags: - self-check + +- import_tasks: "{{ role_path }}/tasks/update_user_password.yml" + when: run_update_user_password + tags: + - update-user-password \ No newline at end of file diff --git a/roles/matrix-synapse/tasks/setup_synapse_main.yml b/roles/matrix-synapse/tasks/setup_synapse_main.yml index 6e56b659f..7be5f0455 100644 --- a/roles/matrix-synapse/tasks/setup_synapse_main.yml +++ b/roles/matrix-synapse/tasks/setup_synapse_main.yml @@ -79,3 +79,9 @@ dest: "/usr/local/bin/matrix-synapse-register-user" mode: 0750 +- name: Ensure matrix-synapse-generate-password-hash script created + template: + src: "{{ role_path }}/templates/synapse/usr-local-bin/matrix-synapse-generate-password-hash.j2" + dest: "/usr/local/bin/matrix-synapse-generate-password-hash" + mode: 0750 + diff --git a/roles/matrix-synapse/tasks/update_user_password.yml b/roles/matrix-synapse/tasks/update_user_password.yml new file mode 100644 index 000000000..c464e0d72 --- /dev/null +++ b/roles/matrix-synapse/tasks/update_user_password.yml 
@@ -0,0 +1,48 @@
+---
+
+- name: Fail if playbook called incorrectly
+ fail:
+ msg: "The `username` variable needs to be provided to this playbook, via --extra-vars"
+ when: "username is not defined or username == ''"
+
+- name: Fail if playbook called incorrectly
+ fail:
+ msg: "The `password` variable needs to be provided to this playbook, via --extra-vars"
+ when: "password is not defined or password == ''"
+
+- name: Fail if not using matrix-postgres container
+ fail:
+ msg: "This command is working only when matrix-postgres container is being used"
+ when: "not matrix_postgres_enabled"
+
+- name: Ensure matrix-synapse is started
+ service:
+ name: matrix-synapse
+ state: started
+ daemon_reload: yes
+ register: start_result
+
+- name: Ensure matrix-postgres is started
+ service:
+ name: matrix-postgres
+ state: started
+ daemon_reload: yes
+ register: postgres_start_result
+
+
+- name: Wait a while, so that Matrix Synapse can manage to start
+ pause:
+ seconds: 7
+ when: start_result.changed
+
+- name: Wait a while, so that Matrix Postgres can manage to start
+ pause:
+ seconds: 7
+ when: postgres_start_result.changed
+
+- name: Generate password hash
+ shell: "/usr/local/bin/matrix-synapse-generate-password-hash {{ password }}"
+ register: password_hash
+
+- name: Update user password hash
+ shell: "/usr/local/bin/matrix-postgres-update-user-password-hash {{ username }} '{{ password_hash.stdout }}'"
diff --git a/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-generate-password-hash.j2 b/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-generate-password-hash.j2 new file mode 100644
index 000000000..c6858aa8b
--- /dev/null
+++ b/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-generate-password-hash.j2
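Review bot: The two `shell:` tasks at the end of the hunk interpolate `{{ password }}` and `{{ username }}` into a shell command line unquoted, so a value containing spaces, quotes, `$` or `;` is word-split or interpreted by the shell instead of being passed through, and since neither task sets `no_log`, the cleartext password is printed in the task output and in any Ansible log. Use `{{ password | quote }}` and `{{ username | quote }}` and add `no_log: true` to both tasks, e.g. `shell: "/usr/local/bin/matrix-synapse-generate-password-hash {{ password | quote }}"` followed by `no_log: true`. The hash step is also never checked for content before `password_hash.stdout` is written to the database, so a generator that prints nothing but still exits 0 would store an empty hash; `failed_when: password_hash.stdout == ''` on the `Generate password hash` task guards that.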
@@ -0,0 +1,31 @@
+#!/usr/bin/env expect
+
+# Read the password string
+set pass [lindex $argv 0]
+
+# Check if password was provided
+if { $pass == "" } {
+ puts "Usage: $argv0 "
+ exit 1
+}
+
+# Disable output
+log_user 0
+
+# Execute password hashing script
+spawn docker exec -it matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml
+expect "Password: "
+send "$pass\r"
+expect "Confirm password: "
+send "$pass\r"
+expect "%"
+
+# Save the hash output to a variable
+set output $expect_out(buffer)
+
+# Trim the whitespace
+regexp {\S+} $output passwordHash
+
+# Output the password hash
+puts -nonewline stdout $passwordHash
+close stdout From 75b1528d139117f5cfc19151b6af3838b6a3aad0 Mon Sep 17 00:00:00 2001 From: Sylvia van Os Date: Tue, 30 Apr 2019 16:35:18 +0200 Subject: [PATCH 02/23] Add the possibility to pass extra flags to the docker container --- roles/matrix-corporal/defaults/main.yml | 3 +++ .../templates/systemd/matrix-corporal.service.j2 | 3 +++ roles/matrix-coturn/defaults/main.yml | 3 +++ roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 | 3 +++ roles/matrix-dimension/defaults/main.yml | 3 +++ .../templates/systemd/matrix-dimension.service.j2 | 3 +++ roles/matrix-mailer/defaults/main.yml | 3 +++ roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 | 3 +++ roles/matrix-mxisd/defaults/main.yml | 3 +++ roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 | 3 +++ roles/matrix-nginx-proxy/defaults/main.yml | 3 +++ .../templates/systemd/matrix-nginx-proxy.service.j2 | 3 +++ roles/matrix-postgres/defaults/main.yml | 3 +++ .../templates/systemd/matrix-postgres.service.j2 | 3 +++ roles/matrix-riot-web/defaults/main.yml | 3 +++ .../templates/systemd/matrix-riot-web.service.j2 | 3 +++ roles/matrix-synapse/defaults/main.yml | 3 +++ .../templates/synapse/systemd/matrix-synapse.service.j2 | 3 +++ 18 files changed, 54 insertions(+)
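Review bot: None of the `expect` calls in the new script handles a timeout, so if the spawned `hash_password` fails to start or prints something other than the expected prompts, each `expect` gives up after the default 10 s and execution simply continues: `set output $expect_out(buffer)` then holds whatever the last successful match left behind, and `regexp {\S+}` prints that token as if it were a hash, with exit status 0. The closing `expect "%"` looks especially fragile, since nothing visible suggests the command prints a percent sign after the `Confirm password: ` prompt (inferred), so it would likely resolve only by timeout. A sturdier ending is `expect eof` followed by `lassign [wait] pid spawnid os_error exit_code` and `exit 1` when `exit_code` is non-zero, with `timeout { exit 1 }` branches on the two prompt expectations. Taking the password from `argv` also leaves it visible in the host's process list for the lifetime of the script.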
diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index a1406f033..09bdbb564 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -6,6 +6,9 @@ matrix_corporal_enabled: true # Controls whether the matrix-corporal web server's ports (`41080` and `41081`) are exposed outside of the container. matrix_corporal_container_expose_ports: false +# A list of extra arguments to pass to the container +matrix_corporal_container_extra_arguments: [] + # List of systemd services that matrix-corporal.service depends on matrix_corporal_systemd_required_services_list: ['docker.service'] diff --git a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 index 4035aa651..d0adbf9d0 100644 --- a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 +++ b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 @@ -22,6 +22,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-corporal \ -v {{ matrix_corporal_config_dir_path }}:/etc/matrix-corporal:ro \ -v {{ matrix_corporal_cache_dir_path }}:/var/cache/matrix-corporal:rw \ -v {{ matrix_corporal_var_dir_path }}:/var/matrix-corporal:rw \ + {% for arg in matrix_corporal_container_extra_arguments %} + {{ arg }} \ + {% endfor %} {{ matrix_corporal_docker_image }} \ /matrix-corporal -config=/etc/matrix-corporal/config.json ExecStop=-/usr/bin/docker kill matrix-corporal diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index b70c40589..b12cabe70 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml 
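Review bot: The comment `# A list of extra arguments to pass to the container` in the corporal defaults hunk describes the variable inaccurately: the matching service-template hunk inserts each element into the `docker run` command line before the image name, so these are options for `docker run` (rendered verbatim and unquoted), not arguments handed to the program inside the container. A comment such as `# A list of extra options for the `docker run` command that starts this container (each element is inserted verbatim before the image name)` would keep a reader from putting the program's own arguments here. The same comment is repeated in the coturn, dimension, mailer, mxisd, nginx-proxy, postgres, riot-web and synapse defaults hunks of this patch.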
@@ -23,6 +23,9 @@ matrix_coturn_systemd_required_services_list: ['docker.service'] # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} matrix_coturn_container_additional_volumes: [] +# A list of extra arguments to pass to the container +matrix_coturn_container_extra_arguments: [] + # A shared secret (between Synapse and Coturn) used for authentication. # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). matrix_coturn_turn_static_auth_secret: "" diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index b2d909f2d..c1f007890 100644 --- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 @@ -27,6 +27,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-coturn \ {% for volume in matrix_coturn_container_additional_volumes %} -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ {% endfor %} + {% for arg in matrix_coturn_container_extra_arguments %} + {{ arg }} \ + {% endfor %} {{ matrix_coturn_docker_image }} \ -c /turnserver.conf diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index 43841fee4..b8acb9d75 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -20,6 +20,9 @@ matrix_dimension_user_gid: 1000 matrix_dimension_container_expose_port: false +# A list of extra arguments to pass to the container +matrix_dimension_container_extra_arguments: [] + matrix_dimension_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }}/riot" matrix_dimension_integrations_rest_url: "https://{{ matrix_server_fqn_dimension }}/api/v1/scalar" matrix_dimension_integrations_widgets_urls: ["https://{{ matrix_server_fqn_dimension }}/widgets"] 
diff --git a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 index 12f111f35..c176b3e7a 100644 --- a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 +++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 @@ -19,6 +19,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-dimension \ -p 127.0.0.1:8184:8184 \ {% endif %} -v {{ matrix_dimension_base_path }}:/data:rw \ + {% for arg in matrix_dimension_container_extra_arguments %} + {{ arg }} \ + {% endfor %} {{ matrix_dimension_docker_image }} ExecStop=-/usr/bin/docker kill matrix-dimension ExecStop=-/usr/bin/docker rm matrix-dimension diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index ffd00e363..184fd3cc1 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml @@ -9,6 +9,9 @@ matrix_mailer_docker_image: "devture/exim-relay:4.91-r3-0" matrix_mailer_container_user_uid: 100 matrix_mailer_container_user_gid: 101 +# A list of extra arguments to pass to the container +matrix_mailer_container_extra_arguments: [] + matrix_mailer_sender_address: "matrix@{{ matrix_domain }}" matrix_mailer_relay_use: false matrix_mailer_relay_host_name: "mail.example.com" diff --git a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 index f9e1348e8..de07a687b 100644 --- a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 +++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 
@@ -16,6 +16,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mailer \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_mailer_base_path }}/env-mailer \ --hostname={{ matrix_server_fqn_matrix }} \ + {% for arg in matrix_mailer_container_extra_arguments %} + {{ arg }} \ + {% endfor %} {{ matrix_mailer_docker_image }} ExecStop=-/usr/bin/docker kill matrix-mailer ExecStop=-/usr/bin/docker rm matrix-mailer diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml index caaccfd0a..9ddeb72e7 100644 --- a/roles/matrix-mxisd/defaults/main.yml +++ b/roles/matrix-mxisd/defaults/main.yml @@ -8,6 +8,9 @@ matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data" # Controls whether the mxisd web server's port (`8090`) is exposed outside of the container. matrix_mxisd_container_expose_port: false +# A list of extra arguments to pass to the container +matrix_mxisd_container_extra_arguments: [] + # List of systemd services that matrix-mxisd.service depends on matrix_mxisd_systemd_required_services_list: ['docker.service'] diff --git a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 b/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 index de0c06814..6d9516432 100644 --- a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 +++ b/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 @@ -27,6 +27,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mxisd \ {% endif %} -v {{ matrix_mxisd_config_path }}:/etc/mxisd:ro \ -v {{ matrix_mxisd_data_path }}:/var/mxisd:rw \ + {% for arg in matrix_mxisd_container_extra_arguments %} + {{ arg }} \ + {% endfor %} {{ matrix_mxisd_docker_image }} ExecStop=-/usr/bin/docker kill matrix-mxisd diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index beb0850e1..96ceccd92 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml 
@@ -21,6 +21,9 @@ matrix_nginx_proxy_systemd_wanted_services_list: [] # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} matrix_nginx_proxy_container_additional_volumes: [] +# A list of extra arguments to pass to the container +matrix_nginx_proxy_container_extra_arguments: [] + # Controls whether matrix-nginx-proxy should serve the base domain. # # This is useful for when you only have your Matrix server, but you need to serve diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index cb2c4da27..d3cf40448 100644 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -33,6 +33,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ {% for volume in matrix_nginx_proxy_container_additional_volumes %} -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ {% endfor %} + {% for arg in matrix_nginx_proxy_container_extra_arguments %} + {{ arg }} \ + {% endfor %} {{ matrix_nginx_proxy_docker_image }} ExecStop=-/usr/bin/docker kill matrix-nginx-proxy diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 4b26f42dc..1729a2758 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -12,3 +12,6 @@ matrix_postgres_docker_image_v9: "postgres:9.6.12-alpine" matrix_postgres_docker_image_v10: "postgres:10.7-alpine" matrix_postgres_docker_image_v11: "postgres:11.2-alpine" matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v11 }}" + +# A list of extra arguments to pass to the container +matrix_postgres_container_extra_arguments: [] 
diff --git a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 index 0d2b9fcf0..14321efd5 100644 --- a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 +++ b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 @@ -18,6 +18,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-postgres \ --env-file={{ matrix_postgres_base_path }}/env-postgres-server \ -v {{ matrix_postgres_data_path }}:/var/lib/postgresql/data:rw \ -v /etc/passwd:/etc/passwd:ro \ + {% for arg in matrix_postgres_container_extra_arguments %} + {{ arg }} \ + {% endfor %} {{ matrix_postgres_docker_image_to_use }} ExecStop=-/usr/bin/docker stop matrix-postgres ExecStop=-/usr/bin/docker rm matrix-postgres diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index e17663b09..10c5773a9 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -6,6 +6,9 @@ matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" matrix_riot_web_container_expose_port: false +# A list of extra arguments to pass to the container +matrix_riot_web_container_extra_arguments: [] + # List of systemd services that matrix-riot-web.service depends on matrix_riot_web_systemd_required_services_list: ['docker.service'] diff --git a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 index 06f60cc58..a270e0e37 100644 --- a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 +++ b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 
@@ -26,6 +26,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \ -v {{ matrix_riot_web_data_path }}/home.html:/etc/riot-web/home.html:ro \ {% endif %} -v {{ matrix_riot_web_data_path }}/welcome.html:/etc/riot-web/welcome.html:ro \ + {% for arg in matrix_riot_web_container_extra_arguments %} + {{ arg }} \ + {% endfor %} {{ matrix_riot_web_docker_image }} ExecStop=-/usr/bin/docker kill matrix-riot-web ExecStop=-/usr/bin/docker rm matrix-riot-web diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index ee454b5a7..56e81d02d 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -24,6 +24,9 @@ matrix_appservice_discord_container_expose_client_server_api_port: false # Controls whether the matrix-synapse container exposes the metrics port (tcp/9100). matrix_synapse_container_expose_metrics_port: false +# A list of extra arguments to pass to the container +matrix_synapse_container_extra_arguments: [] + # List of systemd services that matrix-synapse.service depends on matrix_synapse_systemd_required_services_list: ['docker.service'] diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index fe8d0c8aa..2470256c0 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -46,6 +46,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ {% for volume in matrix_synapse_container_additional_volumes %} -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ {% endfor %} + {% for arg in matrix_synapse_container_extra_arguments %} + {{ arg }} \ + {% endfor %} {{ matrix_synapse_docker_image }} \ -m synapse.app.homeserver -c /data/homeserver.yaml From a206b65ed7e1d5f2e1e8af48a7537c8dbe0913be Mon Sep 17 00:00:00 2001 
From: Lyubomir Popov Date: Fri, 3 May 2019 11:02:17 +0300 Subject: [PATCH 03/23] Use the '-p' non-interactive option to generate password hash instead of 'expect' --- roles/matrix-base/tasks/setup_server_base.yml | 2 -- .../tasks/setup_synapse_main.yml | 6 ---- .../tasks/update_user_password.yml | 2 +- .../matrix-synapse-generate-password-hash.j2 | 31 ------------------- 4 files changed, 1 insertion(+), 40 deletions(-) delete mode 100644 roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-generate-password-hash.j2 diff --git a/roles/matrix-base/tasks/setup_server_base.yml b/roles/matrix-base/tasks/setup_server_base.yml index 2ccdbd837..1aadfb126 100644 --- a/roles/matrix-base/tasks/setup_server_base.yml +++ b/roles/matrix-base/tasks/setup_server_base.yml @@ -25,7 +25,6 @@ - docker-python - ntp - fuse - - expect state: latest update_cache: yes when: ansible_distribution == 'CentOS' @@ -63,7 +62,6 @@ - python-docker - ntp - fuse - - expect state: latest update_cache: yes when: ansible_os_family == 'Debian' diff --git a/roles/matrix-synapse/tasks/setup_synapse_main.yml b/roles/matrix-synapse/tasks/setup_synapse_main.yml index 7be5f0455..6e56b659f 100644 --- a/roles/matrix-synapse/tasks/setup_synapse_main.yml +++ b/roles/matrix-synapse/tasks/setup_synapse_main.yml @@ -79,9 +79,3 @@ dest: "/usr/local/bin/matrix-synapse-register-user" mode: 0750 -- name: Ensure matrix-synapse-generate-password-hash script created - template: - src: "{{ role_path }}/templates/synapse/usr-local-bin/matrix-synapse-generate-password-hash.j2" - dest: "/usr/local/bin/matrix-synapse-generate-password-hash" - mode: 0750 - diff --git a/roles/matrix-synapse/tasks/update_user_password.yml b/roles/matrix-synapse/tasks/update_user_password.yml index c464e0d72..d28adfb4b 100644 --- a/roles/matrix-synapse/tasks/update_user_password.yml +++ b/roles/matrix-synapse/tasks/update_user_password.yml 
@@ -41,7 +41,7 @@ when: postgres_start_result.changed - name: Generate password hash - shell: "/usr/local/bin/matrix-synapse-generate-password-hash {{ password }}" + shell: "/usr/bin/docker exec matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password }}" register: password_hash - name: Update user password hash diff --git a/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-generate-password-hash.j2 b/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-generate-password-hash.j2 deleted file mode 100644 index c6858aa8b..000000000 --- a/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-generate-password-hash.j2 +++ /dev/null @@ -1,31 +0,0 @@ -#!/usr/bin/env expect - -# Read the password string -set pass [lindex $argv 0] - -# Check if password was provided -if { $pass == "" } { - puts "Usage: $argv0 " - exit 1 -} - -# Disable output -log_user 0 - -# Execute password hashing script -spawn docker exec -it matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml -expect "Password: " -send "$pass\r" -expect "Confirm password: " -send "$pass\r" -expect "%" - -# Save the hash output to a variable -set output $expect_out(buffer) - -# Trim the whitespace -regexp {\S+} $output passwordHash - -# Output the password hash -puts -nonewline stdout $passwordHash -close stdout From 172d59ba05486640c4e67a500ef9edb021a743ca Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Fri, 3 May 2019 10:37:14 -0500 Subject: [PATCH 04/23] Fix template indentation --- roles/matrix-mxisd/defaults/main.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml index caaccfd0a..e28640620 100644 --- a/roles/matrix-mxisd/defaults/main.yml +++ b/roles/matrix-mxisd/defaults/main.yml 
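Review bot: The rewritten `shell:` line still interpolates `{{ password }}` unquoted, so shell metacharacters in the password are interpreted rather than delivered to `hash_password`, and with `-p` the cleartext now also sits in the `docker exec` argument list on the host for the duration of the call. Quote it with `{{ password | quote }}` and add `no_log: true` to the task so the value is not echoed in the play output, e.g. `shell: "/usr/bin/docker exec matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password | quote }}"`. The task list continues outside the hunk; the `Update user password hash` task that consumes `password_hash.stdout` is only partly visible here.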
@@ -107,23 +107,23 @@ matrix_mxisd_configuration_yaml: | {% if matrix_mxisd_threepid_medium_email_custom_templates_enabled %} generators: template: - {% if matrix_mxisd_threepid_medium_email_custom_invite_template %} + {% if matrix_mxisd_threepid_medium_email_custom_invite_template %} invite: '/var/mxisd/invite-template.eml' - {% endif %} - {% if matrix_mxisd_threepid_medium_email_custom_session_validation_template or matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template %} + {% endif %} + {% if matrix_mxisd_threepid_medium_email_custom_session_validation_template or matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template %} session: - {% if matrix_mxisd_threepid_medium_email_custom_session_validation_template %} + {% if matrix_mxisd_threepid_medium_email_custom_session_validation_template %} validation: '/var/mxisd/validate-template.eml' - {% endif %} - {% if matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template %} + {% endif %} + {% if matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template %} unbind: frandulent: '/var/mxisd/unbind-fraudulent.eml' - {% endif %} - {% endif %} - {% if matrix_mxisd_threepid_medium_email_custom_matrixid_template %} + {% endif %} + {% endif %} + {% if matrix_mxisd_threepid_medium_email_custom_matrixid_template %} generic: matrixId: '/var/mxisd/mxid-template.eml' - {% endif %} + {% endif %} {% endif %} synapseSql: From 4e998f52c52ef0ef6fc188150db0c2b62cd9a233 Mon Sep 17 00:00:00 2001 From: Stuart Mumford Date: Fri, 3 May 2019 17:39:43 +0100 Subject: [PATCH 05/23] urlencode mxisd password --- group_vars/matrix-servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index 6f1048929..b85b2f5a4 100755 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers 
@@ -169,7 +169,7 @@ matrix_mxisd_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}" # your own configuration in `matrix_mxisd_configuration_extension_yaml`. matrix_mxisd_synapsesql_enabled: true matrix_mxisd_synapsesql_type: postgresql -matrix_mxisd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user }}&password={{ matrix_synapse_database_password }} +matrix_mxisd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user }}&password={{ matrix_synapse_database_password|urlencode() }} matrix_mxisd_dns_overwrite_enabled: true matrix_mxisd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" From d1646bb49772e13bea551ce4903fd311b38554b2 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 3 May 2019 12:07:58 -0500 Subject: [PATCH 06/23] Update Synapse (0.99.3 -> 0.99.3.1) --- roles/matrix-synapse/defaults/main.yml | 2 +- .../templates/synapse/homeserver.yaml.j2 | 15 +++++++++++---- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 8edc6b621..be449a466 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -1,4 +1,4 @@ -matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.3-py3" +matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.3.1" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 4c8b96547..386c392bb 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 
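Review bot: The `urlencode()` applied to `matrix_synapse_database_password` in the changed line carries no comment saying why it is needed, and the next person to edit this connection string may strip it as noise. A comment above the variable would pin it down: `# The password is URL-encoded because it is embedded in the query string of the connection URL; characters such as `&`, `=`, `%` or `#` would otherwise be read as URL syntax.` Whether the consumer on the mxisd side decodes the value is not visible here, so confirm that a password containing such characters actually authenticates before relying on this.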
@@ -521,9 +521,10 @@ max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M" # height: 600 # method: scale -# Is the preview URL API enabled? If enabled, you *must* specify -# an explicit url_preview_ip_range_blacklist of IPs that the spider is -# denied from accessing. +# Is the preview URL API enabled? +# +# 'false' by default: uncomment the following to enable it (and specify a +# url_preview_ip_range_blacklist blacklist). # url_preview_enabled: true @@ -534,7 +535,13 @@ url_preview_enabled: true # to connect to, otherwise anyone in any Matrix room could cause your # synapse to issue arbitrary GET requests to your internal services, # causing serious security issues. - +# +# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly +# listed here, since they correspond to unroutable addresses.) +# +# This must be specified if url_preview_enabled is set. It is recommended that +# you uncomment the following list as a starting point. +# url_preview_ip_range_blacklist: - '127.0.0.0/8' - '10.0.0.0/8' From 8051ea9ef9230fc0183d0c56978b00b28c866fec Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 3 May 2019 13:34:45 -0500 Subject: [PATCH 07/23] Update Synapse (0.99.3.1 -> 0.99.3.2) --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index be449a466..abf85ad10 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -1,4 +1,4 @@ -matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.3.1" +matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.3.2" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" From e1d0667ead744d38b85e3b5947060c908ba9d05a Mon Sep 17 00:00:00 2001 
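Review bot: The comment added in the first homeserver.yaml.j2 hunk says the preview API is `'false' by default: uncomment the following to enable it`, but the very next context line is an uncommented `url_preview_enabled: true`, so the template now documents the opposite of what it renders; the second hunk has the same mismatch, recommending that the operator "uncomment" a `url_preview_ip_range_blacklist` list that is already active. These sentences appear to be lifted from upstream's sample config and only make sense there; an operator skimming this template could conclude URL previews are off when they are on. I would trim them to what this template actually does, e.g. `# Is the preview URL API enabled? This playbook enables it; keep the url_preview_ip_range_blacklist below in place so the spider cannot reach internal addresses.` and, for the second hunk, `# This must be specified when url_preview_enabled is set; the list below is the playbook's default.`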
From: Stuart Mumford Date: Fri, 3 May 2019 22:23:03 +0100 Subject: [PATCH 08/23] url encode username as well --- group_vars/matrix-servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index b85b2f5a4..44318970e 100755 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers @@ -169,7 +169,7 @@ matrix_mxisd_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}" # your own configuration in `matrix_mxisd_configuration_extension_yaml`. matrix_mxisd_synapsesql_enabled: true matrix_mxisd_synapsesql_type: postgresql -matrix_mxisd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user }}&password={{ matrix_synapse_database_password|urlencode() }} +matrix_mxisd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user | urlencode() }}&password={{ matrix_synapse_database_password | urlencode() }} matrix_mxisd_dns_overwrite_enabled: true matrix_mxisd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" From e6fecd51d50e82cac25d00cff1c94eb89875a56b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 5 May 2019 11:04:52 +0300 Subject: [PATCH 09/23] Explain DNS SRV vs /.well-known/matrix/server better Hopefully, we no longer lead people to believe that DNS SRV records are going away forever and for all use-cases. Fixes #156 (Github Issue) --- docs/configuring-dns.md | 4 ++-- docs/configuring-well-known.md | 14 +++++++++----- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index f6f7906c2..7638033be 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md 
@@ -54,9 +54,9 @@ The SRV record should look like this: - Name: `_matrix._tcp` (use this text as-is) - Content: `10 0 8448 matrix.` (replace `` with your own) -A [new file-based mechanism for Federation Server Discovery](configuring-well-known.md#introduction-to-federation-server-discovery) is superseding the `_matrix._tcp` SRV record. **During the transition phase, you'll need to set up both mechanisms**. We'll instruct you how to set up the file-based mechanism after the [installation phase](installing.md) for this playbook. +A [new file-based mechanism for Federation Server Discovery](configuring-well-known.md#introduction-to-federation-server-discovery) is superseding the `_matrix._tcp` SRV record for our use case. **During the transition phase, you'll need to set up both mechanisms**. We'll instruct you how to set up the file-based mechanism after the [installation phase](installing.md) for this playbook. -Doing delegation/redirection of Matrix services using a DNS SRV record (`_matrix._tcp`) is a **temporary measure** that is only necessary before Synapse v1.0 is released. +Doing delegation/redirection of Matrix services using a DNS SRV record (`_matrix._tcp`) is a **temporary measure** for our use-case, that will only be necessary before Synapse v1.0 is released. As more and more people upgrade to the Synapse v0.99 transitional release and just before the final Synapse v1.0 gets released, at some point in the near future **you will need to remove the `_matrix._tcp` SRV record** and leave only the [new file-based mechanism for Federation Server Discovery](configuring-well-known.md#introduction-to-federation-server-discovery) in place. diff --git a/docs/configuring-well-known.md b/docs/configuring-well-known.md index 59807f287..50344c05f 100644 --- a/docs/configuring-well-known.md +++ b/docs/configuring-well-known.md 
@@ -13,15 +13,19 @@ There are 2 types of well-known service discovery that Matrix makes use of: All services created by this playbook are meant to be installed on their own server (such as `matrix.`). -As [per the Server-Server specification](https://matrix.org/docs/spec/server_server/r0.1.0.html#server-discovery), to use a Matrix user identifier like `@:` while hosting services on a subdomain like `matrix.`, we need to instruct the Matrix network of such a delegation/redirection by means of setting up a `/.well-known/matrix/server` file on the base domain (`). +As [per the Server-Server specification](https://matrix.org/docs/spec/server_server/r0.1.0.html#server-discovery), to use a Matrix user identifier like `@:` while hosting services on a subdomain like `matrix.`, the Matrix network needs to be instructed of such delegation/redirection. -We have discussed this same thing already in the "`_matrix._tcp` SRV record setup (temporary requirement)" section of [Configuring DNS](configuring-dns.md). +Server delegation can be configured using DNS SRV records or by setting up a `/.well-known/matrix/server` file on the base domain (``). -In short, you are required to set up both a `_matrix._tcp` DNS SRV record and the `/.well-known/matrix/server` file at the moment. +We have discussed the DNS SRV record method already in the "`_matrix._tcp` SRV record setup (temporary requirement)" section of [Configuring DNS](configuring-dns.md). -As the Synapse server progresses towards v1.0, only the `/.well-known/matrix/server` file will be used. At that future moment, you would need to remove the `_matrix._tcp` SRV record because Synapse v1.0+ will do the wrong thing if a SRV record exists. During the transitional phase (before Synapse 1.0), we do need to have both a SRV record and a `/.well-known/matrix/server` file, in order to federate correctly with v0.99 and older Synapse versions. +Both methods have their place and will continue to do so. 
Usually, you would need to use just one of these delegation methods. +For simplicity reasons, our setup advocates for the `/.well-known/matrix/server` method and guides you into using that. +For backward compatibility with older Synapse servers (< v0.99), however, for now you are also required to set up a `_matrix._tcp` DNS SRV record (in addition to the `/.well-known/matrix/server` file on the base domain). -To learn how to set it up, read the Installing section below. +As the Synapse server progresses towards v1.0, only the `/.well-known/matrix/server` file will be used by us, unless you have a more special setup necessitating a DNS SRV record. At that future moment, you would need to remove the `_matrix._tcp` SRV record because Synapse v1.0+ will do the wrong thing if a SRV record exists. + +To learn how to set up `/.well-known/matrix/server`, read the Installing section below. ## Introduction to Client Server Discovery From ed0ecf5bea979864cb0e1cbab6da75f318484989 Mon Sep 17 00:00:00 2001 From: Sylvia van Os Date: Mon, 6 May 2019 10:10:27 +0200 Subject: [PATCH 10/23] string before to_json when string value is expected This prevents Ansible from sometimes failing to decrypt vault variables --- .../matrix-riot-web/templates/config.json.j2 | 16 +++---- .../templates/synapse/homeserver.yaml.j2 | 48 +++++++++---------- 2 files changed, 32 insertions(+), 32 deletions(-) diff --git a/roles/matrix-riot-web/templates/config.json.j2 b/roles/matrix-riot-web/templates/config.json.j2 index 477fe4da1..5ae601a48 100644 --- a/roles/matrix-riot-web/templates/config.json.j2 +++ b/roles/matrix-riot-web/templates/config.json.j2 
@@ -1,23 +1,23 @@ { - "default_hs_url": {{ matrix_riot_web_default_hs_url|to_json }}, - "default_is_url": {{ matrix_riot_web_default_is_url|to_json }}, + "default_hs_url": {{ matrix_riot_web_default_hs_url|string|to_json }}, + "default_is_url": {{ matrix_riot_web_default_is_url|string|to_json }}, "disable_custom_urls": {{ matrix_riot_web_disable_custom_urls|to_json }}, "disable_guests": {{ matrix_riot_web_disable_guests|to_json }}, "brand": "Riot", - "integrations_ui_url": {{ matrix_riot_web_integrations_ui_url|to_json }}, - "integrations_rest_url": {{ matrix_riot_web_integrations_rest_url|to_json }}, + "integrations_ui_url": {{ matrix_riot_web_integrations_ui_url|string|to_json }}, + "integrations_rest_url": {{ matrix_riot_web_integrations_rest_url|string|to_json }}, "integrations_widgets_urls": {{ matrix_riot_web_integrations_widgets_urls|to_json }}, - "integrations_jitsi_widget_url": {{ matrix_riot_web_integrations_jitsi_widget_url|to_json }}, + "integrations_jitsi_widget_url": {{ matrix_riot_web_integrations_jitsi_widget_url|string|to_json }}, "bug_report_endpoint_url": "https://riot.im/bugreports/submit", "enableLabs": true, "roomDirectory": { "servers": {{ matrix_riot_web_roomdir_servers|to_json }} }, - "welcomeUserId": {{ matrix_riot_web_welcome_user_id|to_json }}, + "welcomeUserId": {{ matrix_riot_web_welcome_user_id|string|to_json }}, {% if matrix_riot_web_enable_presence_by_hs_url is not none %} - "enable_presence_by_hs_url": {{ matrix_riot_web_enable_presence_by_hs_url|to_json }}, + "enable_presence_by_hs_url": {{ matrix_riot_web_enable_presence_by_hs_url|string|to_json }}, {% endif %} "embeddedPages": { - "homeUrl": {{ matrix_riot_web_embedded_pages_home_url|to_json }} + "homeUrl": {{ matrix_riot_web_embedded_pages_home_url|string}to_json }} } } diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index c5edf9b17..5b9b7f775 100644 
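Review bot: The new `homeUrl` line reads `|string}to_json` — the `}` in place of `|` is a Jinja2 syntax error, so this template fails to render until it is corrected to `"homeUrl": {{ matrix_riot_web_embedded_pages_home_url|string|to_json }}` (a later patch in this series does exactly that). The `enable_presence_by_hs_url` line is also suspect: it is guarded by an `is not none` check and, judging by its name and riot-web's config format, holds a mapping of homeserver URL to boolean rather than a string, so `|string` turns it into a Python repr that `to_json` then emits as a single quoted string; that key should keep plain `|to_json`. Per the commit message, `|string` is there to make vault-encrypted values decrypt before serialization, so it belongs only on variables that are genuinely strings.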
--- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -255,11 +255,11 @@ listeners: # instance, if using certbot, use `fullchain.pem` as your certificate, # not `cert.pem`). # -tls_certificate_path: {{ matrix_synapse_tls_certificate_path|to_json }} +tls_certificate_path: {{ matrix_synapse_tls_certificate_path|string|to_json }} # PEM-encoded private key for TLS # -tls_private_key_path: {{ matrix_synapse_tls_private_key_path|to_json }} +tls_private_key_path: {{ matrix_synapse_tls_private_key_path|string|to_json }} # ACME support: This will configure Synapse to request a valid TLS certificate # for your configured `server_name` via Let's Encrypt. @@ -358,8 +358,8 @@ database: # The database engine name name: "psycopg2" args: - user: {{ matrix_synapse_database_user|to_json }} - password: {{ matrix_synapse_database_password|to_json }} + user: {{ matrix_synapse_database_user|string|to_json }} + password: {{ matrix_synapse_database_password|string|to_json }} database: "{{ matrix_synapse_database_database }}" host: "{{ matrix_synapse_database_host }}" cp_min: 5 @@ -628,7 +628,7 @@ turn_uris: {{ matrix_synapse_turn_uris|to_json }} # The shared secret used to compute passwords for the TURN server # -turn_shared_secret: {{ matrix_synapse_turn_shared_secret|to_json }} +turn_shared_secret: {{ matrix_synapse_turn_shared_secret|string|to_json }} # The Username and password if the TURN server needs them and # does not use a token 
@@ -683,7 +683,7 @@ enable_registration: {{ matrix_synapse_enable_registration|to_json }} # If set, allows registration of standard or admin accounts by anyone who # has the shared secret, even if registration is otherwise disabled. # -registration_shared_secret: {{ matrix_synapse_registration_shared_secret|to_json }} +registration_shared_secret: {{ matrix_synapse_registration_shared_secret|string|to_json }} # Set the number of bcrypt rounds used to generate password hash. # Larger numbers increase the work factor needed to generate the hash. @@ -784,7 +784,7 @@ app_service_config_files: {{ matrix_synapse_app_service_config_files }} # the registration_shared_secret is used, if one is given; otherwise, # a secret key is derived from the signing key. # -macaroon_secret_key: {{ matrix_synapse_macaroon_secret_key|to_json }} +macaroon_secret_key: {{ matrix_synapse_macaroon_secret_key|string|to_json }} # Used to enable access token expiration. # @@ -794,7 +794,7 @@ macaroon_secret_key: {{ matrix_synapse_macaroon_secret_key|to_json }} # falsification of values. Must be specified for the User Consent # forms to work. # -form_secret: {{ matrix_synapse_form_secret|to_json }} +form_secret: {{ matrix_synapse_form_secret|string|to_json }} ## Signing Keys ## @@ -899,7 +899,7 @@ password_config: # Uncomment and change to a secret random string for extra security. # DO NOT CHANGE THIS AFTER INITIAL SETUP! # - pepper: {{ matrix_synapse_password_config_pepper|to_json }} + pepper: {{ matrix_synapse_password_config_pepper|string|to_json }} 
@@ -914,15 +914,15 @@ password_config: {% if matrix_synapse_email_enabled %} email: enable_notifs: true - smtp_host: {{ matrix_synapse_email_smtp_host|to_json }} - smtp_port: {{ matrix_synapse_email_smtp_port|to_json }} + smtp_host: {{ matrix_synapse_email_smtp_host|string|to_json }} + smtp_port: {{ matrix_synapse_email_smtp_port|string|to_json }} require_transport_security: {{ matrix_synapse_email_smtp_require_transport_security|to_json }} - notif_from: {{ matrix_synapse_email_notif_from|to_json }} + notif_from: {{ matrix_synapse_email_notif_from|string|to_json }} app_name: Matrix notif_template_html: notif_mail.html notif_template_text: notif_mail.txt notif_for_new_users: True - riot_base_url: {{ matrix_synapse_email_riot_base_url|to_json }} + riot_base_url: {{ matrix_synapse_email_riot_base_url|string|to_json }} {% endif %} @@ -945,12 +945,12 @@ password_providers: {% if matrix_synapse_ext_password_provider_shared_secret_auth_enabled %} - module: "shared_secret_authenticator.SharedSecretAuthenticator" config: - sharedSecret: {{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret|to_json }} + sharedSecret: {{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret|string|to_json }} {% endif %} {% if matrix_synapse_ext_password_provider_rest_auth_enabled %} - module: "rest_auth_provider.RestAuthProvider" config: - endpoint: {{ matrix_synapse_ext_password_provider_rest_auth_endpoint|to_json }} + endpoint: {{ matrix_synapse_ext_password_provider_rest_auth_endpoint|string|to_json }} policy: registration: username: 
@@ -965,16 +965,16 @@ password_providers: - module: "ldap_auth_provider.LdapAuthProvider" config: enabled: true - uri: {{ matrix_synapse_ext_password_provider_ldap_uri|to_json }} - start_tls: {{ matrix_synapse_ext_password_provider_ldap_start_tls|to_json }} - base: {{ matrix_synapse_ext_password_provider_ldap_base|to_json }} + uri: {{ matrix_synapse_ext_password_provider_ldap_uri|string|to_json }} + start_tls: {{ matrix_synapse_ext_password_provider_ldap_start_tls|string|to_json }} + base: {{ matrix_synapse_ext_password_provider_ldap_base|string|to_json }} attributes: - uid: {{ matrix_synapse_ext_password_provider_ldap_attributes_uid|to_json }} - mail: {{ matrix_synapse_ext_password_provider_ldap_attributes_mail|to_json }} - name: {{ matrix_synapse_ext_password_provider_ldap_attributes_name|to_json }} - bind_dn: {{ matrix_synapse_ext_password_provider_ldap_bind_dn|to_json }} - bind_password: {{ matrix_synapse_ext_password_provider_ldap_bind_password|to_json }} - filter: {{ matrix_synapse_ext_password_provider_ldap_filter|to_json }} + uid: {{ matrix_synapse_ext_password_provider_ldap_attributes_uid|string|to_json }} + mail: {{ matrix_synapse_ext_password_provider_ldap_attributes_mail|string|to_json }} + name: {{ matrix_synapse_ext_password_provider_ldap_attributes_name|string|to_json }} + bind_dn: {{ matrix_synapse_ext_password_provider_ldap_bind_dn|string|to_json }} + bind_password: {{ matrix_synapse_ext_password_provider_ldap_bind_password|string|to_json }} + filter: {{ matrix_synapse_ext_password_provider_ldap_filter|string|to_json }} {% endif %} {% endif %} From 9ea593df3763130620274e0d265a32bd654e9c1b Mon Sep 17 00:00:00 2001 From: Sylvia van Os Date: Tue, 7 May 2019 09:35:51 +0200 Subject: [PATCH 11/23] Fix incorrect casts --- roles/matrix-riot-web/templates/config.json.j2 | 4 ++-- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) 
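Review bot: `start_tls: {{ matrix_synapse_ext_password_provider_ldap_start_tls|string|to_json }}` turns a boolean into the JSON string `"True"`/`"False"`, so the rendered YAML hands the LDAP provider a string where it expects a bool; if the provider just tests the value for truthiness, a non-empty `"False"` would be treated as enabled, and if it validates types it would reject the config — either way the STARTTLS setting no longer means what the operator set. If this variable is a boolean, as its name suggests, it should stay `start_tls: {{ matrix_synapse_ext_password_provider_ldap_start_tls|to_json }}`, in line with `require_transport_security` in the email hunk, which this commit correctly left alone. The same reasoning applies to any other non-string value that received `|string` in this commit.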
diff --git a/roles/matrix-riot-web/templates/config.json.j2 b/roles/matrix-riot-web/templates/config.json.j2 index 5ae601a48..0179cc355 100644 --- a/roles/matrix-riot-web/templates/config.json.j2 +++ b/roles/matrix-riot-web/templates/config.json.j2 @@ -15,9 +15,9 @@ }, "welcomeUserId": {{ matrix_riot_web_welcome_user_id|string|to_json }}, {% if matrix_riot_web_enable_presence_by_hs_url is not none %} - "enable_presence_by_hs_url": {{ matrix_riot_web_enable_presence_by_hs_url|string|to_json }}, + "enable_presence_by_hs_url": {{ matrix_riot_web_enable_presence_by_hs_url|to_json }}, {% endif %} "embeddedPages": { - "homeUrl": {{ matrix_riot_web_embedded_pages_home_url|string}to_json }} + "homeUrl": {{ matrix_riot_web_embedded_pages_home_url|string|to_json }} } } diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 5b9b7f775..e0ff67d30 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -255,11 +255,11 @@ listeners: # instance, if using certbot, use `fullchain.pem` as your certificate, # not `cert.pem`). # -tls_certificate_path: {{ matrix_synapse_tls_certificate_path|string|to_json }} +tls_certificate_path: {{ matrix_synapse_tls_certificate_path|to_json }} # PEM-encoded private key for TLS # -tls_private_key_path: {{ matrix_synapse_tls_private_key_path|string|to_json }} +tls_private_key_path: {{ matrix_synapse_tls_private_key_path|to_json }} # ACME support: This will configure Synapse to request a valid TLS certificate # for your configured `server_name` via Let's Encrypt. 
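Review bot: After this fix homeserver.yaml.j2 and config.json.j2 mix `|string|to_json` and plain `|to_json` with nothing in either template explaining the rule, so the next edit is likely to reintroduce a wrong cast of the kind this commit removes. A short Jinja comment near the top of each template (outside these hunks) would pin the convention, e.g. `{# Apply |string only to string-valued variables: it forces vault-encrypted values to decrypt before to_json. Booleans and integers keep plain |to_json. #}`. The reason the two tls path values lost `|string` is not visible in the hunk (possibly because they may be unset), so the comment should state the actual reason rather than leave it implied by the commit title.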
@@ -915,7 +915,7 @@ password_config: email: enable_notifs: true smtp_host: {{ matrix_synapse_email_smtp_host|string|to_json }} - smtp_port: {{ matrix_synapse_email_smtp_port|string|to_json }} + smtp_port: {{ matrix_synapse_email_smtp_port|to_json }} require_transport_security: {{ matrix_synapse_email_smtp_require_transport_security|to_json }} notif_from: {{ matrix_synapse_email_notif_from|string|to_json }} app_name: Matrix From 07e7d518d53961e57d2d2a9506aaf3aa98c07d6f Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Tue, 7 May 2019 05:57:20 -0500 Subject: [PATCH 12/23] Revert "Fix template indentation" This reverts commit 172d59ba05486640c4e67a500ef9edb021a743ca. --- roles/matrix-mxisd/defaults/main.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml index e28640620..caaccfd0a 100644 --- a/roles/matrix-mxisd/defaults/main.yml +++ b/roles/matrix-mxisd/defaults/main.yml 
@@ -107,23 +107,23 @@ matrix_mxisd_configuration_yaml: | {% if matrix_mxisd_threepid_medium_email_custom_templates_enabled %} generators: template: - {% if matrix_mxisd_threepid_medium_email_custom_invite_template %} + {% if matrix_mxisd_threepid_medium_email_custom_invite_template %} invite: '/var/mxisd/invite-template.eml' - {% endif %} - {% if matrix_mxisd_threepid_medium_email_custom_session_validation_template or matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template %} + {% endif %} + {% if matrix_mxisd_threepid_medium_email_custom_session_validation_template or matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template %} session: - {% if matrix_mxisd_threepid_medium_email_custom_session_validation_template %} + {% if matrix_mxisd_threepid_medium_email_custom_session_validation_template %} validation: '/var/mxisd/validate-template.eml' - {% endif %} - {% if matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template %} + {% endif %} + {% if matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template %} unbind: frandulent: '/var/mxisd/unbind-fraudulent.eml' - {% endif %} - {% endif %} - {% if matrix_mxisd_threepid_medium_email_custom_matrixid_template %} + {% endif %} + {% endif %} + {% if matrix_mxisd_threepid_medium_email_custom_matrixid_template %} generic: matrixId: '/var/mxisd/mxid-template.eml' - {% endif %} + {% endif %} {% endif %} synapseSql: From 3abed49764900f23ae0b8de5d0fa8b7a6ae1b66f Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Tue, 7 May 2019 06:02:38 -0500 Subject: [PATCH 13/23] Fix jinja config for indented code blocks --- roles/matrix-dimension/defaults/main.yml | 3 +-- roles/matrix-mxisd/defaults/main.yml | 1 + roles/matrix-synapse/defaults/main.yml | 1 + 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index 43841fee4..211e89882 100644 --- a/roles/matrix-dimension/defaults/main.yml 
+++ b/roles/matrix-dimension/defaults/main.yml @@ -31,6 +31,7 @@ matrix_dimension_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_di # For a more advanced customization, you can extend the default (see `matrix_dimension_configuration_extension_yaml`) # or completely replace this variable with your own template. matrix_dimension_configuration_yaml: | + #jinja2: lstrip_blocks: True # The web settings for the service (API and UI). # It is best to have this run on localhost and use a reverse proxy to access Dimension. web: @@ -125,5 +126,3 @@ matrix_dimension_configuration_extension_yaml: | # Holds the final Dimension configuration (a combination of the default and its extension). # You most likely don't need to touch this variable. Instead, see `matrix_dimension_configuration_yaml`. matrix_dimension_configuration: "{{ matrix_dimension_configuration_yaml|from_yaml|combine(matrix_dimension_configuration_extension, recursive=True) }}" - - diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml index caaccfd0a..4b2b22ff1 100644 --- a/roles/matrix-mxisd/defaults/main.yml +++ b/roles/matrix-mxisd/defaults/main.yml @@ -64,6 +64,7 @@ matrix_mxisd_self_check_validate_certificates: true # For a more advanced customization, you can extend the default (see `matrix_mxisd_configuration_extension_yaml`) # or completely replace this variable with your own template. matrix_mxisd_configuration_yaml: | + #jinja2: lstrip_blocks: True matrix: domain: {{ matrix_domain }} diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index ee454b5a7..813d5a0fd 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml 
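Review bot: `#jinja2: lstrip_blocks: True` works here only because it is the first line of the block scalar: as far as I know Ansible reads the override header solely from the first line of the text it templates and strips that line from the output, so anyone who later adds a YAML comment or blank line above it inside the scalar silently loses the override and the indentation problem from the reverted patch returns. I would add a comment above each affected variable, e.g. `# The '#jinja2:' line must stay the first line of this block scalar; Ansible only honors it there.` — the same applies to the `matrix_mxisd_configuration_yaml` hunk below and to the `matrix_appservice_irc_configuration_yaml` hunk in the next file. It is also worth confirming on a rendered host that the override is honored when the variable is templated and passed through `from_yaml`, not only by the template module; I believe both paths share the same Templar, but the hunk gives no evidence either way.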
@@ -267,6 +267,7 @@ matrix_appservice_irc_docker_image: "tedomum/matrix-appservice-irc:latest" matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc" matrix_appservice_irc_configuration_yaml: | + #jinja2: lstrip_blocks: True homeserver: url: "https://{{ matrix_server_fqn_matrix }}" domain: "{{ matrix_domain }}" From c451025134c63b429a5853a7d77e7b2f3736fd14 Mon Sep 17 00:00:00 2001 
From: Hugues De Keyzer Date: Tue, 7 May 2019 21:23:35 +0200 Subject: [PATCH 14/23] Fix indentation in templates Use Jinja2 lstrip_blocks option in templates to ensure consistent indentation in generated files. --- .../templates/static-files/well-known/matrix-client.j2 | 1 + .../templates/static-files/well-known/matrix-server.j2 | 1 + roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 | 1 + roles/matrix-corporal/templates/config.json.j2 | 1 + .../matrix-corporal/templates/systemd/matrix-corporal.service.j2 | 1 + roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 | 1 + roles/matrix-coturn/templates/turnserver.conf.j2 | 1 + .../templates/systemd/matrix-dimension.service.j2 | 1 + roles/matrix-mailer/templates/env-mailer.j2 | 1 + roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 | 1 + roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 | 1 + .../templates/nginx/conf.d/matrix-dimension.conf.j2 | 1 + .../templates/nginx/conf.d/matrix-domain.conf.j2 | 1 + .../templates/nginx/conf.d/matrix-riot-web.conf.j2 | 1 + .../templates/nginx/conf.d/matrix-synapse.conf.j2 | 1 + .../matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 | 1 + .../templates/nginx/matrix-synapse-metrics-htpasswd.j2 | 1 + roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 | 1 + .../templates/systemd/matrix-nginx-proxy.service.j2 | 1 + .../usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 | 1 + roles/matrix-postgres/templates/env-postgres-psql.j2 | 1 + roles/matrix-postgres/templates/env-postgres-server.j2 | 1 + .../matrix-postgres/templates/systemd/matrix-postgres.service.j2 | 1 + .../templates/usr-local-bin/matrix-make-user-admin.j2 | 1 + .../templates/usr-local-bin/matrix-postgres-cli.j2 | 1 + .../usr-local-bin/matrix-postgres-update-user-password-hash.j2 | 1 + roles/matrix-riot-web/templates/config.json.j2 | 1 + roles/matrix-riot-web/templates/nginx.conf.j2 | 1 + .../matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 | 1 + 
roles/matrix-riot-web/templates/welcome.html.j2 | 1 + .../systemd/matrix-appservice-discord.service.j2 | 1 + .../ext/appservice-irc/systemd/matrix-appservice-irc.service.j2 | 1 + .../matrix-synapse/templates/ext/mautrix-telegram/config.yaml.j2 | 1 + .../mautrix-telegram/systemd/matrix-mautrix-telegram.service.j2 | 1 + .../matrix-synapse/templates/ext/mautrix-whatsapp/config.yaml.j2 | 1 + .../mautrix-whatsapp/systemd/matrix-mautrix-whatsapp.service.j2 | 1 + roles/matrix-synapse/templates/goofys/env-goofys.j2 | 1 + .../templates/goofys/systemd/matrix-goofys.service.j2 | 1 + roles/matrix-synapse/templates/synapse/env-synapse.j2 | 1 + roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 1 + roles/matrix-synapse/templates/synapse/synapse.log.config.j2 | 1 + .../templates/synapse/systemd/matrix-synapse.service.j2 | 1 + .../synapse/usr-local-bin/matrix-synapse-register-user.j2 | 1 + 43 files changed, 43 insertions(+) diff --git a/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 b/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 index e3b0d767a..120f9c973 100644 --- a/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 +++ b/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" { "m.homeserver": { "base_url": "{{ matrix_homeserver_url }}" diff --git a/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 b/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 index a8e191674..de0f57225 100644 --- a/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 +++ b/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" { "m.server": "{{ matrix_server_fqn_matrix }}:8448" } diff --git a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 index 9fad37d99..ac810595f 100644 
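Review bot: Every hunk in this patch adds `#jinja2: lstrip_blocks: "True"` with the value quoted, whereas the previous patch used a bare `True` inside the block-scalar configs; if I read Ansible's Templar right it evaluates that value as a Python literal, so the quoted form sets `lstrip_blocks` to the string `'True'`, which only works because any non-empty string is truthy (`"False"` would enable it too). Use the unquoted boolean, `#jinja2: lstrip_blocks: True`, consistently across all 43 files so the two patches agree. For `matrix-remove-all.j2` in the next hunk group the directive sits above `#!/bin/bash`; Ansible removes the override line before rendering, so the shebang should still land on line 1 of the installed script, but that deserves a check on a deployed host because a shebang on line 2 is ignored by the kernel.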
--- a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 +++ b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" #!/bin/bash if [ "$(id -u)" != "0" ]; then diff --git a/roles/matrix-corporal/templates/config.json.j2 b/roles/matrix-corporal/templates/config.json.j2 index 378b2c19b..e2333bccb 100644 --- a/roles/matrix-corporal/templates/config.json.j2 +++ b/roles/matrix-corporal/templates/config.json.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" { "Matrix": { "HomeserverDomainName": "{{ matrix_corporal_matrix_homeserver_domain_name }}", diff --git a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 index d0adbf9d0..74de96809 100644 --- a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 +++ b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" [Unit] Description=Matrix Corporal {% for service in matrix_corporal_systemd_required_services_list %} diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index c1f007890..e288c0e51 100644 --- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" [Unit] Description=Matrix Coturn server {% for service in matrix_coturn_systemd_required_services_list %} diff --git a/roles/matrix-coturn/templates/turnserver.conf.j2 b/roles/matrix-coturn/templates/turnserver.conf.j2 index 2bf7649c0..3fcf0b679 100644 --- a/roles/matrix-coturn/templates/turnserver.conf.j2 +++ b/roles/matrix-coturn/templates/turnserver.conf.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" use-auth-secret static-auth-secret={{ matrix_coturn_turn_static_auth_secret }} realm=turn.{{ matrix_server_fqn_matrix }} 
diff --git a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 index c176b3e7a..bd04be185 100644 --- a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 +++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" [Unit] Description=Matrix Dimension After=docker.service diff --git a/roles/matrix-mailer/templates/env-mailer.j2 b/roles/matrix-mailer/templates/env-mailer.j2 index 7765b8f92..180bc5009 100644 --- a/roles/matrix-mailer/templates/env-mailer.j2 +++ b/roles/matrix-mailer/templates/env-mailer.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" {% if matrix_mailer_relay_use %} SMARTHOST={{ matrix_mailer_relay_host_name }}::{{ matrix_mailer_relay_host_port }} {% endif %} diff --git a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 index de07a687b..9b07f6c7f 100644 --- a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 +++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" [Unit] Description=Matrix mailer After=docker.service diff --git a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 b/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 index 6d9516432..d30ba718e 100644 --- a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 +++ b/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" [Unit] Description=Matrix mxisd Identity server {% for service in matrix_mxisd_systemd_required_services_list %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index 1886496b8..dbfe96ce7 100644 
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2
@@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 server {
 listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
 server_name {{ matrix_nginx_proxy_proxy_dimension_hostname }};
diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
index 679f3efa7..0d2348272 100644
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
@@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 server {
 listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
 server_name {{ matrix_nginx_proxy_base_domain_hostname }};
diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2
index 661a5f31b..4a97ebfaf 100644
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2
@@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 server {
 listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
 server_name {{ matrix_nginx_proxy_proxy_riot_hostname }};
diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
index 00e7a1beb..8298a4d5e 100644
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
@@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 server {
 listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
 server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};
diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2
index ed171cfaf..290e1a981 100644
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2
@@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 # The default is aligned to the CPU's cache size,
 # which can sometimes be too low to handle our 2 vhosts (Synapse and Riot).
 #
diff --git a/roles/matrix-nginx-proxy/templates/nginx/matrix-synapse-metrics-htpasswd.j2 b/roles/matrix-nginx-proxy/templates/nginx/matrix-synapse-metrics-htpasswd.j2
index 27cf298fc..1a7247ace 100644
--- a/roles/matrix-nginx-proxy/templates/nginx/matrix-synapse-metrics-htpasswd.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/matrix-synapse-metrics-htpasswd.j2
@@ -1,2 +1,3 @@
+#jinja2: lstrip_blocks: "True"
 # User and password for protecting /_synapse/metrics URI
 prometheus:{{ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key }}
diff --git a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2
index 3382d6c65..51aa8a006 100644
--- a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2
@@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 # This is a custom nginx configuration file that we use in the container (instead of the default one),
 # because it allows us to run nginx with a non-root user.
 #
diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
index d3cf40448..1a154c0da 100644
@@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 [Unit]
 Description=Matrix nginx-proxy server
 {% for service in matrix_nginx_proxy_systemd_required_services_list %}
diff --git a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2
index 7e5610179..93306d782 100644
--- a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2
+++ b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2
@@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 #!/bin/bash
 # For renewal to work, matrix-nginx-proxy (or another webserver, if matrix-nginx-proxy is disabled)
diff --git a/roles/matrix-postgres/templates/env-postgres-psql.j2 b/roles/matrix-postgres/templates/env-postgres-psql.j2
index c503450a3..c61927a3e 100644
--- a/roles/matrix-postgres/templates/env-postgres-psql.j2
+++ b/roles/matrix-postgres/templates/env-postgres-psql.j2
@@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 PGUSER={{ matrix_postgres_connection_username }}
 PGPASSWORD={{ matrix_postgres_connection_password }}
 PGDATABASE={{ matrix_postgres_db_name }}
\ No newline at end of file
diff --git a/roles/matrix-postgres/templates/env-postgres-server.j2 b/roles/matrix-postgres/templates/env-postgres-server.j2
index f9ff4dc33..34f75aee4 100644
--- a/roles/matrix-postgres/templates/env-postgres-server.j2
+++ b/roles/matrix-postgres/templates/env-postgres-server.j2
@@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 POSTGRES_USER={{ matrix_postgres_connection_username }}
 POSTGRES_PASSWORD={{ matrix_postgres_connection_password }}
 POSTGRES_DB={{ matrix_postgres_db_name }}
\ No newline at end of file
diff --git a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2
index 14321efd5..2d1c9118e 100644
--- a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2
+++ b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2
@@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 [Unit]
 Description=Matrix Postgres server
 After=docker.service
diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2
index 20f9fda28..f8daa6a76 100644
--- a/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2
+++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2
@@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 #!/bin/bash
 if [ $# -ne 1 ]; then
diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2
index 348366299..8f0c4c5b4 100644
--- a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2
+++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2
@@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 #!/bin/bash
 docker run \
diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2
index bd99211c6..d950ce974 100644
--- a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2
+++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2
@@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 #!/bin/bash
 if [ $# -ne 2 ]; then
diff --git a/roles/matrix-riot-web/templates/config.json.j2 b/roles/matrix-riot-web/templates/config.json.j2
index 0179cc355..92753a15f 100644
--- a/roles/matrix-riot-web/templates/config.json.j2
+++ b/roles/matrix-riot-web/templates/config.json.j2
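Review bot: The usage check `if [ $# -ne 2 ]; then` that the matrix-postgres-update-user-password-hash.j2 hunk keeps as context implies the user name and the password hash are passed as positional arguments, and a process's argv is readable by every local user through `ps` and `/proc/<pid>/cmdline` for as long as the script and whatever it spawns are running. A bcrypt hash is not the password itself, but it is offline-crackable material and does not belong in the process list of a shared host. I would have the script read the hash from stdin or an environment variable and say so in a comment right after the shebang, e.g. `# Usage: matrix-postgres-update-user-password-hash <username> <hash>; the hash is visible in the process list while this runs`. The rest of the script, including what the two arguments are actually used for, is outside this hunk, so the argument meaning is inferred from the file name.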
@@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 {
 "default_hs_url": {{ matrix_riot_web_default_hs_url|string|to_json }},
 "default_is_url": {{ matrix_riot_web_default_is_url|string|to_json }},
diff --git a/roles/matrix-riot-web/templates/nginx.conf.j2 b/roles/matrix-riot-web/templates/nginx.conf.j2
index 84789954d..fba16bbdc 100644
--- a/roles/matrix-riot-web/templates/nginx.conf.j2
+++ b/roles/matrix-riot-web/templates/nginx.conf.j2
@@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 # This is a custom nginx configuration file that we use in the container (instead of the default one),
 # because it allows us to run nginx with a non-root user.
 #
diff --git a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2
index a270e0e37..63a6c7a6e 100644
--- a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2
+++ b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2
@@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"
 [Unit]
 Description=Matrix riot-web server
 {% for service in matrix_riot_web_systemd_required_services_list %}
diff --git a/roles/matrix-riot-web/templates/welcome.html.j2 b/roles/matrix-riot-web/templates/welcome.html.j2
index 6456e9475..319f9795f 100644
--- a/roles/matrix-riot-web/templates/welcome.html.j2
+++ b/roles/matrix-riot-web/templates/welcome.html.j2
@@ -1,3 +1,4 @@
+#jinja2: lstrip_blocks: "True"