From 6b9b824964fddb9b7ad9a70089d49705a0be1377 Mon Sep 17 00:00:00 2001 From: Matthew Cengia Date: Sun, 11 Apr 2021 16:11:45 +1000 Subject: [PATCH 001/144] Copy matrix-bridge-mautrix-facebook as base for matrix-bridge-mautrix-twitter --- .../defaults/main.yml | 115 +++++++++ .../tasks/init.yml | 23 ++ .../tasks/main.yml | 21 ++ .../tasks/setup_install.yml | 128 ++++++++++ .../tasks/setup_uninstall.yml | 24 ++ .../tasks/validate_config.yml | 31 +++ .../templates/config.yaml.j2 | 227 ++++++++++++++++++ .../matrix-mautrix-facebook.service.j2 | 42 ++++ 8 files changed, 611 insertions(+) create mode 100644 roles/matrix-bridge-mautrix-twitter/defaults/main.yml create mode 100644 roles/matrix-bridge-mautrix-twitter/tasks/init.yml create mode 100644 roles/matrix-bridge-mautrix-twitter/tasks/main.yml create mode 100644 roles/matrix-bridge-mautrix-twitter/tasks/setup_install.yml create mode 100644 roles/matrix-bridge-mautrix-twitter/tasks/setup_uninstall.yml create mode 100644 roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml create mode 100644 roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 create mode 100644 roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-facebook.service.j2 diff --git a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml new file mode 100644 index 000000000..71a225f7c --- /dev/null +++ b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml @@ -0,0 +1,115 @@ +# mautrix-facebook is a Matrix <-> Facebook bridge +# See: https://github.com/tulir/mautrix-facebook + +matrix_mautrix_facebook_enabled: true + +matrix_mautrix_facebook_container_image_self_build: false +matrix_mautrix_facebook_container_image_self_build_repo: "https://github.com/tulir/mautrix-facebook.git" + +matrix_mautrix_facebook_version: latest +# See: https://mau.dev/tulir/mautrix-facebook/container_registry +matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:{{ matrix_mautrix_facebook_version }}" +matrix_mautrix_facebook_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_facebook_container_image_self_build else 'dock.mau.dev/' }}" +matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}" + +matrix_mautrix_facebook_base_path: "{{ matrix_base_data_path }}/mautrix-facebook" +matrix_mautrix_facebook_config_path: "{{ matrix_mautrix_facebook_base_path }}/config" +matrix_mautrix_facebook_data_path: "{{ matrix_mautrix_facebook_base_path }}/data" +matrix_mautrix_facebook_docker_src_files_path: "{{ matrix_mautrix_facebook_base_path }}/docker-src" + +matrix_mautrix_facebook_homeserver_address: "{{ matrix_homeserver_container_url }}" +matrix_mautrix_facebook_homeserver_domain: '{{ matrix_domain }}' +matrix_mautrix_facebook_appservice_address: 'http://matrix-mautrix-facebook:29319' + +# A list of extra arguments to pass to the container +matrix_mautrix_facebook_container_extra_arguments: [] + +# List of systemd services that matrix-mautrix-facebook.service depends on. +matrix_mautrix_facebook_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-mautrix-facebook.service wants +matrix_mautrix_facebook_systemd_wanted_services_list: [] + +matrix_mautrix_facebook_appservice_token: '' +matrix_mautrix_facebook_homeserver_token: '' + + +# Database-related configuration fields. +# +# To use SQLite: +# - change the engine (`matrix_mautrix_facebook_database_engine: 'sqlite'`) +# - change to the last bridge version that supported SQLite: +# `matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:da1b4ec596e334325a1589e70829dea46e73064b"` +# - plan your migration to Postgres, as this bridge does not support SQLite anymore (and neither will the playbook in the future). +# +# To use Postgres: +# - adjust your database credentials via the `matrix_mautrix_facebook_postgres_*` variables +matrix_mautrix_facebook_database_engine: 'postgres' + +matrix_mautrix_facebook_sqlite_database_path_local: "{{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" +matrix_mautrix_facebook_sqlite_database_path_in_container: "/data/mautrix-facebook.db" + +matrix_mautrix_facebook_database_username: 'matrix_mautrix_facebook' +matrix_mautrix_facebook_database_password: 'some-password' +matrix_mautrix_facebook_database_hostname: 'matrix-postgres' +matrix_mautrix_facebook_database_port: 5432 +matrix_mautrix_facebook_database_name: 'matrix_mautrix_facebook' + +matrix_mautrix_facebook_database_connection_string: 'postgres://{{ matrix_mautrix_facebook_database_username }}:{{ matrix_mautrix_facebook_database_password }}@{{ matrix_mautrix_facebook_database_hostname }}:{{ matrix_mautrix_facebook_database_port }}/{{ matrix_mautrix_facebook_database_name }}' + +matrix_mautrix_facebook_appservice_database: "{{ + { + 'sqlite': ('sqlite:///' + matrix_mautrix_facebook_sqlite_database_path_in_container), + 'postgres': matrix_mautrix_facebook_database_connection_string, + }[matrix_mautrix_facebook_database_engine] +}}" + + +# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). +matrix_mautrix_facebook_login_shared_secret: '' + +matrix_mautrix_facebook_bridge_login_shared_secret_map: "{{ {matrix_mautrix_facebook_homeserver_domain: matrix_mautrix_facebook_login_shared_secret} if matrix_mautrix_facebook_login_shared_secret else {} }}" + +matrix_mautrix_facebook_appservice_bot_username: facebookbot + +matrix_mautrix_facebook_bridge_presence: true + +# Default configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_mautrix_facebook_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_mautrix_facebook_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" + +matrix_mautrix_facebook_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_mautrix_facebook_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_mautrix_facebook_configuration_yaml`. + +matrix_mautrix_facebook_configuration_extension: "{{ matrix_mautrix_facebook_configuration_extension_yaml|from_yaml if matrix_mautrix_facebook_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_mautrix_facebook_configuration_yaml`. +matrix_mautrix_facebook_configuration: "{{ matrix_mautrix_facebook_configuration_yaml|from_yaml|combine(matrix_mautrix_facebook_configuration_extension, recursive=True) }}" + +matrix_mautrix_facebook_registration_yaml: | + id: facebook + as_token: "{{ matrix_mautrix_facebook_appservice_token }}" + hs_token: "{{ matrix_mautrix_facebook_homeserver_token }}" + namespaces: + users: + - exclusive: true + regex: '^@facebook_.+:{{ matrix_mautrix_facebook_homeserver_domain|regex_escape }}$' + - exclusive: true + regex: '^@{{ matrix_mautrix_facebook_appservice_bot_username|regex_escape }}:{{ matrix_mautrix_facebook_homeserver_domain|regex_escape }}$' + url: {{ matrix_mautrix_facebook_appservice_address }} + # See https://github.com/tulir/mautrix-signal/issues/43 + sender_localpart: _bot_{{ matrix_mautrix_facebook_appservice_bot_username }} + rate_limited: false + de.sorunome.msc2409.push_ephemeral: true + +matrix_mautrix_facebook_registration: "{{ matrix_mautrix_facebook_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/init.yml b/roles/matrix-bridge-mautrix-twitter/tasks/init.yml new file mode 100644 index 000000000..9e1273163 --- /dev/null +++ b/roles/matrix-bridge-mautrix-twitter/tasks/init.yml @@ -0,0 +1,23 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-facebook.service'] }}" + when: matrix_mautrix_facebook_enabled|bool + +# If the matrix-synapse role is not used, these variables may not exist. +- set_fact: + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_mautrix_facebook_config_path }}/registration.yaml,dst=/matrix-mautrix-facebook-registration.yaml,ro"] + + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files|default([]) }} + + + {{ ["/matrix-mautrix-facebook-registration.yaml"] }} + when: matrix_mautrix_facebook_enabled|bool + +# ansible lower than 2.8, does not support docker_image build parameters +# for self buildig it is explicitly needed, so we rather fail here +- name: Fail if running on Ansible lower than 2.8 and trying self building + fail: + msg: "To self build Mautrix Facebook image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_facebook_container_image_self_build" diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/main.yml b/roles/matrix-bridge-mautrix-twitter/tasks/main.yml new file mode 100644 index 000000000..54fb6f9df --- /dev/null +++ b/roles/matrix-bridge-mautrix-twitter/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_mautrix_facebook_enabled|bool" + tags: + - setup-all + - setup-mautrix-facebook + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_mautrix_facebook_enabled|bool" + tags: + - setup-all + - setup-mautrix-facebook + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_mautrix_facebook_enabled|bool" + tags: + - setup-all + - setup-mautrix-facebook diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-twitter/tasks/setup_install.yml new file mode 100644 index 000000000..599984634 --- /dev/null +++ b/roles/matrix-bridge-mautrix-twitter/tasks/setup_install.yml @@ -0,0 +1,128 @@ +--- + +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-bridge-mautrix-facebook role needs to execute before the matrix-synapse role. + when: "matrix_synapse_role_executed|default(False)" + +- set_fact: + matrix_mautrix_facebook_requires_restart: false + +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_mautrix_facebook_sqlite_database_path_local }}" + register: matrix_mautrix_facebook_sqlite_database_path_local_stat_result + + - block: + - set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_mautrix_facebook_sqlite_database_path_local }}" + dst: "{{ matrix_mautrix_facebook_database_connection_string }}" + caller: "{{ role_path|basename }}" + engine_variable_name: 'matrix_mautrix_facebook_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-mautrix-facebook.service'] + + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + + - set_fact: + matrix_mautrix_facebook_requires_restart: true + when: "matrix_mautrix_facebook_sqlite_database_path_local_stat_result.stat.exists|bool" + when: "matrix_mautrix_facebook_database_engine == 'postgres'" + +- name: Ensure Mautrix Facebook image is pulled + docker_image: + name: "{{ matrix_mautrix_facebook_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mautrix_facebook_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_facebook_docker_image_force_pull }}" + when: matrix_mautrix_facebook_enabled|bool and not matrix_mautrix_facebook_container_image_self_build + +- name: Ensure Mautrix Facebook paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_mautrix_facebook_base_path }}", when: true } + - { path: "{{ matrix_mautrix_facebook_config_path }}", when: true } + - { path: "{{ matrix_mautrix_facebook_data_path }}", when: true } + - { path: "{{ matrix_mautrix_facebook_docker_src_files_path }}", when: "{{ matrix_mautrix_facebook_container_image_self_build }}" } + when: item.when|bool + +- name: Ensure Mautrix Facebook repository is present on self-build + git: + repo: "{{ matrix_mautrix_facebook_container_image_self_build_repo }}" + dest: "{{ matrix_mautrix_facebook_docker_src_files_path }}" +# version: "{{ matrix_coturn_docker_image.split(':')[1] }}" + force: "yes" + register: matrix_mautrix_facebook_git_pull_results + when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build" + +- name: Ensure Mautrix Facebook Docker image is built + docker_image: + name: "{{ matrix_mautrix_facebook_docker_image }}" + source: build + force_source: "{{ matrix_mautrix_facebook_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_mautrix_facebook_docker_src_files_path }}" + pull: yes + when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build|bool" + +- name: Check if an old database file already exists + stat: + path: "{{ matrix_mautrix_facebook_base_path }}/mautrix-facebook.db" + register: matrix_mautrix_facebook_stat_database + +- name: (Data relocation) Ensure matrix-mautrix-facebook.service is stopped + service: + name: matrix-mautrix-facebook + state: stopped + daemon_reload: yes + failed_when: false + when: "matrix_mautrix_facebook_stat_database.stat.exists" + +- name: (Data relocation) Move mautrix-facebook database file to ./data directory + command: "mv {{ matrix_mautrix_facebook_base_path }}/mautrix-facebook.db {{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" + when: "matrix_mautrix_facebook_stat_database.stat.exists" + +- name: Ensure mautrix-facebook config.yaml installed + copy: + content: "{{ matrix_mautrix_facebook_configuration|to_nice_yaml }}" + dest: "{{ matrix_mautrix_facebook_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure mautrix-facebook registration.yaml installed + copy: + content: "{{ matrix_mautrix_facebook_registration|to_nice_yaml }}" + dest: "{{ matrix_mautrix_facebook_config_path }}/registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-mautrix-facebook.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-mautrix-facebook.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-mautrix-facebook.service" + mode: 0644 + register: matrix_mautrix_facebook_systemd_service_result + +- name: Ensure systemd reloaded after matrix-mautrix-facebook.service installation + service: + daemon_reload: yes + when: "matrix_mautrix_facebook_systemd_service_result.changed" + +- name: Ensure matrix-mautrix-facebook.service restarted, if necessary + service: + name: "matrix-mautrix-facebook.service" + state: restarted + when: "matrix_mautrix_facebook_requires_restart|bool" diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/setup_uninstall.yml b/roles/matrix-bridge-mautrix-twitter/tasks/setup_uninstall.yml new file mode 100644 index 000000000..efc8aa748 --- /dev/null +++ b/roles/matrix-bridge-mautrix-twitter/tasks/setup_uninstall.yml @@ -0,0 +1,24 @@ +--- + +- name: Check existence of matrix-mautrix-facebook service + stat: + path: "{{ matrix_systemd_path }}/matrix-mautrix-facebook.service" + register: matrix_mautrix_facebook_service_stat + +- name: Ensure matrix-mautrix-facebook is stopped + service: + name: matrix-mautrix-facebook + state: stopped + daemon_reload: yes + when: "matrix_mautrix_facebook_service_stat.stat.exists" + +- name: Ensure matrix-mautrix-facebook.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-mautrix-facebook.service" + state: absent + when: "matrix_mautrix_facebook_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-mautrix-facebook.service removal + service: + daemon_reload: yes + when: "matrix_mautrix_facebook_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml new file mode 100644 index 000000000..0879bad9c --- /dev/null +++ b/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml @@ -0,0 +1,31 @@ +--- + +- name: Fail if required settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_mautrix_facebook_appservice_token" + - "matrix_mautrix_facebook_homeserver_token" + +- block: + - name: Fail if on SQLite, unless on the last version supporting SQLite + fail: + msg: >- + You're trying to use the mautrix-facebook bridge with an SQLite database. + Going forward, this bridge only supports Postgres. + To learn more about this, see our changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-the-mautrix-facebook-bridge-now-requires-a-postgres-database + when: "not matrix_mautrix_facebook_docker_image.endswith(':da1b4ec596e334325a1589e70829dea46e73064b')" + + - name: Inject warning if still on SQLite + set_fact: + matrix_playbook_runtime_results: | + {{ + matrix_playbook_runtime_results|default([]) + + + [ + "NOTE: Your mautrix-facebook bridge setup is still on SQLite. Your bridge is not getting any updates and will likely stop working at some point. To learn more about this, see our changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-the-mautrix-facebook-bridge-now-requires-a-postgres-database" + ] + }} + when: "matrix_mautrix_facebook_database_engine == 'sqlite'" diff --git a/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 new file mode 100644 index 000000000..628db713d --- /dev/null +++ b/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 @@ -0,0 +1,227 @@ +#jinja2: lstrip_blocks: "True" +# Homeserver details +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: {{ matrix_mautrix_facebook_homeserver_address }} + # The domain of the homeserver (for MXIDs, etc). + domain: {{ matrix_mautrix_facebook_homeserver_domain }} + # Whether or not to verify the SSL certificate of the homeserver. + # Only applies if address starts with https:// + verify_ssl: true + # Whether or not the homeserver supports asmux-specific endpoints, + # such as /_matrix/client/unstable/net.maunium.asmux/dms for atomically + # updating m.direct. + asmux: false + +# Application service host/registration related details +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: {{ matrix_mautrix_facebook_appservice_address }} + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 29319 + # The maximum body size of appservice API requests (from the homeserver) in mebibytes + # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s + max_body_size: 1 + + # The full URI to the database. Only Postgres is currently supported. + database: {{ matrix_mautrix_facebook_appservice_database|to_json }} + + # Public part of web server for out-of-Matrix interaction with the bridge. + public: + # Whether or not the public-facing endpoints should be enabled. + enabled: false + # The prefix to use in the public-facing endpoints. + prefix: /public + # The base URL where the public-facing endpoints are available. The prefix is not added + # implicitly. + external: https://example.com/public + # Shared secret for integration managers such as mautrix-manager. + # If set to "generate", a random string will be generated on the next startup. + # If null, integration manager access to the API will not be possible. + shared_secret: generate + + # The unique ID of this appservice. + id: facebook + # Username of the appservice bot. + bot_username: {{ matrix_mautrix_facebook_appservice_bot_username|to_json }} + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + bot_displayname: Facebook bridge bot + bot_avatar: mxc://maunium.net/ygtkteZsXnGJLJHRchUwYWak + + # Authentication tokens for AS <-> HS communication. + as_token: "{{ matrix_mautrix_facebook_appservice_token }}" + hs_token: "{{ matrix_mautrix_facebook_homeserver_token }}" + +# Prometheus telemetry config. Requires prometheus-client to be installed. +metrics: + enabled: false + listen_port: 8000 + +# Bridge config +bridge: + # Localpart template of MXIDs for Facebook users. + # {userid} is replaced with the user ID of the Facebook user. + username_template: "facebook_{userid}" + # Localpart template for per-user room grouping community IDs. + # The bridge will create these communities and add all of the specific user's portals to the community. + # {localpart} is the MXID localpart and {server} is the MXID server part of the user. + # + # `facebook_{localpart}={server}` is a good value. + community_template: null + # Displayname template for Facebook users. + # {displayname} is replaced with the display name of the Facebook user + # as defined below in displayname_preference. + # Keys available for displayname_preference are also available here. + displayname_template: '{displayname} (FB)' + # Available keys: + # "name" (full name) + # "first_name" + # "last_name" + # "nickname" + # "own_nickname" (user-specific!) + displayname_preference: + - name + - first_name + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!fb" + + # Number of chats to sync (and create portals for) on startup/login. + # Set 0 to disable automatic syncing. + initial_chat_sync: 10 + # Whether or not the Facebook users of logged in Matrix users should be + # invited to private chats when the user sends a message from another client. + invite_own_puppet_to_pm: false + # Whether or not to use /sync to get presence, read receipts and typing notifications + # when double puppeting is enabled + sync_with_custom_puppets: true + # Whether or not to update the m.direct account data event when double puppeting is enabled. + # Note that updating the m.direct event is not atomic (except with mautrix-asmux) + # and is therefore prone to race conditions. + sync_direct_chat_list: false + # Servers to always allow double puppeting from + double_puppet_server_map: {} + # example.com: https://example.com + # Allow using double puppeting from any server with a valid client .well-known file. + double_puppet_allow_discovery: false + # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, custom puppets will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. + # If using this for other servers than the bridge's server, + # you must also set the URL in the double_puppet_server_map. + login_shared_secret_map: {{ matrix_mautrix_facebook_bridge_login_shared_secret_map|to_json }} + presence: {{ matrix_mautrix_facebook_bridge_presence|to_json }} + # Whether or not to update avatars when syncing all contacts at startup. + update_avatar_initial_sync: true + # End-to-bridge encryption support options. These require matrix-nio to be installed with pip + # and login_shared_secret to be configured in order to get a device for the bridge bot. + # + # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal + # application service. + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: false + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: false + # Options for automatic key sharing. + key_sharing: + # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. + # You must use a client that supports requesting keys from other users to use this feature. + allow: false + # Require the requesting device to have a valid cross-signing signature? + # This doesn't require that the bridge has verified the device, only that the user has verified it. + # Not yet implemented. + require_cross_signing: false + # Require devices to be verified by the bridge? + # Verification by the bridge is not yet implemented. + require_verification: true + # Whether or not the bridge should send a read receipt from the bridge bot when a message has + # been sent to Facebook. + delivery_receipts: false + # Whether to allow inviting arbitrary mxids to portal rooms + allow_invites: false + # Settings for backfilling messages from Facebook. + backfill: + # Whether or not the Facebook users of logged in Matrix users should be + # invited to private chats when backfilling history from Facebook. This is + # usually needed to prevent rate limits and to allow timestamp massaging. + invite_own_puppet: true + # Maximum number of messages to backfill initially. + # Set to 0 to disable backfilling when creating portal. + initial_limit: 0 + # Maximum number of messages to backfill if messages were missed while + # the bridge was disconnected. + # Set to 0 to disable backfilling missed messages. + missed_limit: 1000 + # If using double puppeting, should notifications be disabled + # while the initial backfill is in progress? + disable_notifications: false + periodic_reconnect: + # Interval in seconds in which to automatically reconnect all users. + # This can be used to automatically mitigate the bug where Facebook stops sending messages. + # Set to -1 to disable periodic reconnections entirely. + interval: -1 + # What to do in periodic reconnects. Either "refresh" or "reconnect" + mode: refresh + # Should even disconnected users be reconnected? + always: false + # The number of seconds that a disconnection can last without triggering an automatic re-sync + # and missed message backfilling when reconnecting. + # Set to 0 to always re-sync, or -1 to never re-sync automatically. + resync_max_disconnected_time: 5 + # Whether or not temporary disconnections should send notices to the notice room. + # If this is false, disconnections will never send messages and connections will only send + # messages if it was disconnected for more than resync_max_disconnected_time seconds. + temporary_disconnect_notices: true + # Whether or not the bridge should try to "refresh" the connection if a normal reconnection + # attempt fails. + refresh_on_reconnection_fail: false + # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run. + # This field will automatically be changed back to false after it, + # except if the config file is not writable. + resend_bridge_info: false + + # Permissions for using the bridge. + # Permitted values: + # user - Use the bridge with puppeting. + # admin - Use and administrate the bridge. + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + '{{ matrix_mautrix_facebook_homeserver_domain }}': user + +# Python logging configuration. +# +# See section 16.7.2 of the Python documentation for more info: +# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema +logging: + version: 1 + formatters: + colored: + (): mautrix_facebook.util.ColorFormatter + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + normal: + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + handlers: + console: + class: logging.StreamHandler + formatter: colored + loggers: + mau: + level: DEBUG + paho: + level: INFO + aiohttp: + level: INFO + root: + level: DEBUG + handlers: [console] diff --git a/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-facebook.service.j2 b/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-facebook.service.j2 new file mode 100644 index 000000000..f3af4b9ff --- /dev/null +++ b/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-facebook.service.j2 @@ -0,0 +1,42 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Mautrix Facebook bridge +{% for service in matrix_mautrix_facebook_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_mautrix_facebook_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-facebook 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-facebook 2>/dev/null' + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre={{ matrix_host_command_sleep }} 5 + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-facebook \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + -v {{ matrix_mautrix_facebook_config_path }}:/config:z \ + -v {{ matrix_mautrix_facebook_data_path }}:/data:z \ + {% for arg in matrix_mautrix_facebook_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_mautrix_facebook_docker_image }} \ + python3 -m mautrix_facebook -c /config/config.yaml --no-update + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-facebook 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-facebook 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-mautrix-facebook + +[Install] +WantedBy=multi-user.target From e9e4d8f250061055c0f71682f5a649687d5315c7 Mon Sep 17 00:00:00 2001 From: Matthew Cengia Date: Sun, 11 Apr 2021 16:12:26 +1000 Subject: [PATCH 002/144] Rename mautrix-twitter systemd file --- ...trix-facebook.service.j2 => matrix-mautrix-twitter.service.j2} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename roles/matrix-bridge-mautrix-twitter/templates/systemd/{matrix-mautrix-facebook.service.j2 => matrix-mautrix-twitter.service.j2} (100%) diff --git a/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-facebook.service.j2 b/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-twitter.service.j2 similarity index 100% rename from roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-facebook.service.j2 rename to roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-twitter.service.j2 From 7afe8103da1c247a7d281689ff8a3f9595a51d97 Mon Sep 17 00:00:00 2001 From: Matthew Cengia Date: Sun, 11 Apr 2021 16:18:31 +1000 Subject: [PATCH 003/144] Find/replace Facebook with Twitter find roles/matrix-bridge-mautrix-twitter -type f -exec sed -i \ -e 's/facebook/twitter/g' \ -e 's/Facebook/Twitter/g' \ -e 's/FB/Twitter/g' \ -e 's/fb/twitter/g' {} + --- .../defaults/main.yml | 122 +++++++++--------- .../tasks/init.yml | 14 +- .../tasks/main.yml | 12 +- .../tasks/setup_install.yml | 108 ++++++++-------- .../tasks/setup_uninstall.yml | 22 ++-- .../tasks/validate_config.yml | 14 +- .../templates/config.yaml.j2 | 54 ++++---- .../systemd/matrix-mautrix-twitter.service.j2 | 28 ++-- 8 files changed, 187 insertions(+), 187 deletions(-) diff --git a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml index 71a225f7c..02eff7788 100644 --- a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml @@ -1,115 +1,115 @@ -# mautrix-facebook is a Matrix <-> Facebook bridge -# See: https://github.com/tulir/mautrix-facebook +# mautrix-twitter is a Matrix <-> Twitter bridge +# See: https://github.com/tulir/mautrix-twitter -matrix_mautrix_facebook_enabled: true +matrix_mautrix_twitter_enabled: true -matrix_mautrix_facebook_container_image_self_build: false -matrix_mautrix_facebook_container_image_self_build_repo: "https://github.com/tulir/mautrix-facebook.git" +matrix_mautrix_twitter_container_image_self_build: false +matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/tulir/mautrix-twitter.git" -matrix_mautrix_facebook_version: latest -# See: https://mau.dev/tulir/mautrix-facebook/container_registry -matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:{{ matrix_mautrix_facebook_version }}" -matrix_mautrix_facebook_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_facebook_container_image_self_build else 'dock.mau.dev/' }}" -matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}" +matrix_mautrix_twitter_version: latest +# See: https://mau.dev/tulir/mautrix-twitter/container_registry +matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_name_prefix }}tulir/mautrix-twitter:{{ matrix_mautrix_twitter_version }}" +matrix_mautrix_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else 'dock.mau.dev/' }}" +matrix_mautrix_twitter_docker_image_force_pull: "{{ matrix_mautrix_twitter_docker_image.endswith(':latest') }}" -matrix_mautrix_facebook_base_path: "{{ matrix_base_data_path }}/mautrix-facebook" -matrix_mautrix_facebook_config_path: "{{ matrix_mautrix_facebook_base_path }}/config" -matrix_mautrix_facebook_data_path: "{{ matrix_mautrix_facebook_base_path }}/data" -matrix_mautrix_facebook_docker_src_files_path: "{{ matrix_mautrix_facebook_base_path }}/docker-src" +matrix_mautrix_twitter_base_path: "{{ matrix_base_data_path }}/mautrix-twitter" +matrix_mautrix_twitter_config_path: "{{ matrix_mautrix_twitter_base_path }}/config" +matrix_mautrix_twitter_data_path: "{{ matrix_mautrix_twitter_base_path }}/data" +matrix_mautrix_twitter_docker_src_files_path: "{{ matrix_mautrix_twitter_base_path }}/docker-src" -matrix_mautrix_facebook_homeserver_address: "{{ matrix_homeserver_container_url }}" -matrix_mautrix_facebook_homeserver_domain: '{{ matrix_domain }}' -matrix_mautrix_facebook_appservice_address: 'http://matrix-mautrix-facebook:29319' +matrix_mautrix_twitter_homeserver_address: "{{ matrix_homeserver_container_url }}" +matrix_mautrix_twitter_homeserver_domain: '{{ matrix_domain }}' +matrix_mautrix_twitter_appservice_address: 'http://matrix-mautrix-twitter:29319' # A list of extra arguments to pass to the container -matrix_mautrix_facebook_container_extra_arguments: [] +matrix_mautrix_twitter_container_extra_arguments: [] -# List of systemd services that matrix-mautrix-facebook.service depends on. -matrix_mautrix_facebook_systemd_required_services_list: ['docker.service'] +# List of systemd services that matrix-mautrix-twitter.service depends on. +matrix_mautrix_twitter_systemd_required_services_list: ['docker.service'] -# List of systemd services that matrix-mautrix-facebook.service wants -matrix_mautrix_facebook_systemd_wanted_services_list: [] +# List of systemd services that matrix-mautrix-twitter.service wants +matrix_mautrix_twitter_systemd_wanted_services_list: [] -matrix_mautrix_facebook_appservice_token: '' -matrix_mautrix_facebook_homeserver_token: '' +matrix_mautrix_twitter_appservice_token: '' +matrix_mautrix_twitter_homeserver_token: '' # Database-related configuration fields. # # To use SQLite: -# - change the engine (`matrix_mautrix_facebook_database_engine: 'sqlite'`) +# - change the engine (`matrix_mautrix_twitter_database_engine: 'sqlite'`) # - change to the last bridge version that supported SQLite: -# `matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:da1b4ec596e334325a1589e70829dea46e73064b"` +# `matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_name_prefix }}tulir/mautrix-twitter:da1b4ec596e334325a1589e70829dea46e73064b"` # - plan your migration to Postgres, as this bridge does not support SQLite anymore (and neither will the playbook in the future). # # To use Postgres: -# - adjust your database credentials via the `matrix_mautrix_facebook_postgres_*` variables -matrix_mautrix_facebook_database_engine: 'postgres' +# - adjust your database credentials via the `matrix_mautrix_twitter_postgres_*` variables +matrix_mautrix_twitter_database_engine: 'postgres' -matrix_mautrix_facebook_sqlite_database_path_local: "{{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" -matrix_mautrix_facebook_sqlite_database_path_in_container: "/data/mautrix-facebook.db" +matrix_mautrix_twitter_sqlite_database_path_local: "{{ matrix_mautrix_twitter_data_path }}/mautrix-twitter.db" +matrix_mautrix_twitter_sqlite_database_path_in_container: "/data/mautrix-twitter.db" -matrix_mautrix_facebook_database_username: 'matrix_mautrix_facebook' -matrix_mautrix_facebook_database_password: 'some-password' -matrix_mautrix_facebook_database_hostname: 'matrix-postgres' -matrix_mautrix_facebook_database_port: 5432 -matrix_mautrix_facebook_database_name: 'matrix_mautrix_facebook' +matrix_mautrix_twitter_database_username: 'matrix_mautrix_twitter' +matrix_mautrix_twitter_database_password: 'some-password' +matrix_mautrix_twitter_database_hostname: 'matrix-postgres' +matrix_mautrix_twitter_database_port: 5432 +matrix_mautrix_twitter_database_name: 'matrix_mautrix_twitter' -matrix_mautrix_facebook_database_connection_string: 'postgres://{{ matrix_mautrix_facebook_database_username }}:{{ matrix_mautrix_facebook_database_password }}@{{ matrix_mautrix_facebook_database_hostname }}:{{ matrix_mautrix_facebook_database_port }}/{{ matrix_mautrix_facebook_database_name }}' +matrix_mautrix_twitter_database_connection_string: 'postgres://{{ matrix_mautrix_twitter_database_username }}:{{ matrix_mautrix_twitter_database_password }}@{{ matrix_mautrix_twitter_database_hostname }}:{{ matrix_mautrix_twitter_database_port }}/{{ matrix_mautrix_twitter_database_name }}' -matrix_mautrix_facebook_appservice_database: "{{ +matrix_mautrix_twitter_appservice_database: "{{ { - 'sqlite': ('sqlite:///' + matrix_mautrix_facebook_sqlite_database_path_in_container), - 'postgres': matrix_mautrix_facebook_database_connection_string, - }[matrix_mautrix_facebook_database_engine] + 'sqlite': ('sqlite:///' + matrix_mautrix_twitter_sqlite_database_path_in_container), + 'postgres': matrix_mautrix_twitter_database_connection_string, + }[matrix_mautrix_twitter_database_engine] }}" # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). -matrix_mautrix_facebook_login_shared_secret: '' +matrix_mautrix_twitter_login_shared_secret: '' -matrix_mautrix_facebook_bridge_login_shared_secret_map: "{{ {matrix_mautrix_facebook_homeserver_domain: matrix_mautrix_facebook_login_shared_secret} if matrix_mautrix_facebook_login_shared_secret else {} }}" +matrix_mautrix_twitter_bridge_login_shared_secret_map: "{{ {matrix_mautrix_twitter_homeserver_domain: matrix_mautrix_twitter_login_shared_secret} if matrix_mautrix_twitter_login_shared_secret else {} }}" -matrix_mautrix_facebook_appservice_bot_username: facebookbot +matrix_mautrix_twitter_appservice_bot_username: twitterbot -matrix_mautrix_facebook_bridge_presence: true +matrix_mautrix_twitter_bridge_presence: true # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # -# For a more advanced customization, you can extend the default (see `matrix_mautrix_facebook_configuration_extension_yaml`) +# For a more advanced customization, you can extend the default (see `matrix_mautrix_twitter_configuration_extension_yaml`) # or completely replace this variable with your own template. -matrix_mautrix_facebook_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" +matrix_mautrix_twitter_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" -matrix_mautrix_facebook_configuration_extension_yaml: | +matrix_mautrix_twitter_configuration_extension_yaml: | # Your custom YAML configuration goes here. - # This configuration extends the default starting configuration (`matrix_mautrix_facebook_configuration_yaml`). + # This configuration extends the default starting configuration (`matrix_mautrix_twitter_configuration_yaml`). # # You can override individual variables from the default configuration, or introduce new ones. # # If you need something more special, you can take full control by - # completely redefining `matrix_mautrix_facebook_configuration_yaml`. + # completely redefining `matrix_mautrix_twitter_configuration_yaml`. -matrix_mautrix_facebook_configuration_extension: "{{ matrix_mautrix_facebook_configuration_extension_yaml|from_yaml if matrix_mautrix_facebook_configuration_extension_yaml|from_yaml is mapping else {} }}" +matrix_mautrix_twitter_configuration_extension: "{{ matrix_mautrix_twitter_configuration_extension_yaml|from_yaml if matrix_mautrix_twitter_configuration_extension_yaml|from_yaml is mapping else {} }}" # Holds the final configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `matrix_mautrix_facebook_configuration_yaml`. -matrix_mautrix_facebook_configuration: "{{ matrix_mautrix_facebook_configuration_yaml|from_yaml|combine(matrix_mautrix_facebook_configuration_extension, recursive=True) }}" +# You most likely don't need to touch this variable. Instead, see `matrix_mautrix_twitter_configuration_yaml`. +matrix_mautrix_twitter_configuration: "{{ matrix_mautrix_twitter_configuration_yaml|from_yaml|combine(matrix_mautrix_twitter_configuration_extension, recursive=True) }}" -matrix_mautrix_facebook_registration_yaml: | - id: facebook - as_token: "{{ matrix_mautrix_facebook_appservice_token }}" - hs_token: "{{ matrix_mautrix_facebook_homeserver_token }}" +matrix_mautrix_twitter_registration_yaml: | + id: twitter + as_token: "{{ matrix_mautrix_twitter_appservice_token }}" + hs_token: "{{ matrix_mautrix_twitter_homeserver_token }}" namespaces: users: - exclusive: true - regex: '^@facebook_.+:{{ matrix_mautrix_facebook_homeserver_domain|regex_escape }}$' + regex: '^@twitter_.+:{{ matrix_mautrix_twitter_homeserver_domain|regex_escape }}$' - exclusive: true - regex: '^@{{ matrix_mautrix_facebook_appservice_bot_username|regex_escape }}:{{ matrix_mautrix_facebook_homeserver_domain|regex_escape }}$' - url: {{ matrix_mautrix_facebook_appservice_address }} + regex: '^@{{ matrix_mautrix_twitter_appservice_bot_username|regex_escape }}:{{ matrix_mautrix_twitter_homeserver_domain|regex_escape }}$' + url: {{ matrix_mautrix_twitter_appservice_address }} # See https://github.com/tulir/mautrix-signal/issues/43 - sender_localpart: _bot_{{ matrix_mautrix_facebook_appservice_bot_username }} + sender_localpart: _bot_{{ matrix_mautrix_twitter_appservice_bot_username }} rate_limited: false de.sorunome.msc2409.push_ephemeral: true -matrix_mautrix_facebook_registration: "{{ matrix_mautrix_facebook_registration_yaml|from_yaml }}" +matrix_mautrix_twitter_registration: "{{ matrix_mautrix_twitter_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/init.yml b/roles/matrix-bridge-mautrix-twitter/tasks/init.yml index 9e1273163..4f8df9e0c 100644 --- a/roles/matrix-bridge-mautrix-twitter/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-twitter/tasks/init.yml @@ -1,23 +1,23 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-facebook.service'] }}" - when: matrix_mautrix_facebook_enabled|bool + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-twitter.service'] }}" + when: matrix_mautrix_twitter_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. - set_fact: matrix_synapse_container_extra_arguments: > {{ matrix_synapse_container_extra_arguments|default([]) }} + - ["--mount type=bind,src={{ matrix_mautrix_facebook_config_path }}/registration.yaml,dst=/matrix-mautrix-facebook-registration.yaml,ro"] + ["--mount type=bind,src={{ matrix_mautrix_twitter_config_path }}/registration.yaml,dst=/matrix-mautrix-twitter-registration.yaml,ro"] matrix_synapse_app_service_config_files: > {{ matrix_synapse_app_service_config_files|default([]) }} + - {{ ["/matrix-mautrix-facebook-registration.yaml"] }} - when: matrix_mautrix_facebook_enabled|bool + {{ ["/matrix-mautrix-twitter-registration.yaml"] }} + when: matrix_mautrix_twitter_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters # for self buildig it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: - msg: "To self build Mautrix Facebook image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_facebook_container_image_self_build" + msg: "To self build Mautrix Twitter image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_twitter_container_image_self_build" diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/main.yml b/roles/matrix-bridge-mautrix-twitter/tasks/main.yml index 54fb6f9df..60eea0995 100644 --- a/roles/matrix-bridge-mautrix-twitter/tasks/main.yml +++ b/roles/matrix-bridge-mautrix-twitter/tasks/main.yml @@ -3,19 +3,19 @@ - always - import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup|bool and matrix_mautrix_facebook_enabled|bool" + when: "run_setup|bool and matrix_mautrix_twitter_enabled|bool" tags: - setup-all - - setup-mautrix-facebook + - setup-mautrix-twitter - import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup|bool and matrix_mautrix_facebook_enabled|bool" + when: "run_setup|bool and matrix_mautrix_twitter_enabled|bool" tags: - setup-all - - setup-mautrix-facebook + - setup-mautrix-twitter - import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup|bool and not matrix_mautrix_facebook_enabled|bool" + when: "run_setup|bool and not matrix_mautrix_twitter_enabled|bool" tags: - setup-all - - setup-mautrix-facebook + - setup-mautrix-twitter diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-twitter/tasks/setup_install.yml index 599984634..416439729 100644 --- a/roles/matrix-bridge-mautrix-twitter/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-twitter/tasks/setup_install.yml @@ -5,44 +5,44 @@ - name: Fail if matrix-synapse role already executed fail: msg: >- - The matrix-bridge-mautrix-facebook role needs to execute before the matrix-synapse role. + The matrix-bridge-mautrix-twitter role needs to execute before the matrix-synapse role. when: "matrix_synapse_role_executed|default(False)" - set_fact: - matrix_mautrix_facebook_requires_restart: false + matrix_mautrix_twitter_requires_restart: false - block: - name: Check if an SQLite database already exists stat: - path: "{{ matrix_mautrix_facebook_sqlite_database_path_local }}" - register: matrix_mautrix_facebook_sqlite_database_path_local_stat_result + path: "{{ matrix_mautrix_twitter_sqlite_database_path_local }}" + register: matrix_mautrix_twitter_sqlite_database_path_local_stat_result - block: - set_fact: matrix_postgres_db_migration_request: - src: "{{ matrix_mautrix_facebook_sqlite_database_path_local }}" - dst: "{{ matrix_mautrix_facebook_database_connection_string }}" + src: "{{ matrix_mautrix_twitter_sqlite_database_path_local }}" + dst: "{{ matrix_mautrix_twitter_database_connection_string }}" caller: "{{ role_path|basename }}" - engine_variable_name: 'matrix_mautrix_facebook_database_engine' + engine_variable_name: 'matrix_mautrix_twitter_database_engine' engine_old: 'sqlite' - systemd_services_to_stop: ['matrix-mautrix-facebook.service'] + systemd_services_to_stop: ['matrix-mautrix-twitter.service'] - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" - set_fact: - matrix_mautrix_facebook_requires_restart: true - when: "matrix_mautrix_facebook_sqlite_database_path_local_stat_result.stat.exists|bool" - when: "matrix_mautrix_facebook_database_engine == 'postgres'" + matrix_mautrix_twitter_requires_restart: true + when: "matrix_mautrix_twitter_sqlite_database_path_local_stat_result.stat.exists|bool" + when: "matrix_mautrix_twitter_database_engine == 'postgres'" -- name: Ensure Mautrix Facebook image is pulled +- name: Ensure Mautrix Twitter image is pulled docker_image: - name: "{{ matrix_mautrix_facebook_docker_image }}" + name: "{{ matrix_mautrix_twitter_docker_image }}" source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_mautrix_facebook_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_facebook_docker_image_force_pull }}" - when: matrix_mautrix_facebook_enabled|bool and not matrix_mautrix_facebook_container_image_self_build + force_source: "{{ matrix_mautrix_twitter_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_twitter_docker_image_force_pull }}" + when: matrix_mautrix_twitter_enabled|bool and not matrix_mautrix_twitter_container_image_self_build -- name: Ensure Mautrix Facebook paths exist +- name: Ensure Mautrix Twitter paths exist file: path: "{{ item.path }}" state: directory @@ -50,79 +50,79 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" with_items: - - { path: "{{ matrix_mautrix_facebook_base_path }}", when: true } - - { path: "{{ matrix_mautrix_facebook_config_path }}", when: true } - - { path: "{{ matrix_mautrix_facebook_data_path }}", when: true } - - { path: "{{ matrix_mautrix_facebook_docker_src_files_path }}", when: "{{ matrix_mautrix_facebook_container_image_self_build }}" } + - { path: "{{ matrix_mautrix_twitter_base_path }}", when: true } + - { path: "{{ matrix_mautrix_twitter_config_path }}", when: true } + - { path: "{{ matrix_mautrix_twitter_data_path }}", when: true } + - { path: "{{ matrix_mautrix_twitter_docker_src_files_path }}", when: "{{ matrix_mautrix_twitter_container_image_self_build }}" } when: item.when|bool -- name: Ensure Mautrix Facebook repository is present on self-build +- name: Ensure Mautrix Twitter repository is present on self-build git: - repo: "{{ matrix_mautrix_facebook_container_image_self_build_repo }}" - dest: "{{ matrix_mautrix_facebook_docker_src_files_path }}" + repo: "{{ matrix_mautrix_twitter_container_image_self_build_repo }}" + dest: "{{ matrix_mautrix_twitter_docker_src_files_path }}" # version: "{{ matrix_coturn_docker_image.split(':')[1] }}" force: "yes" - register: matrix_mautrix_facebook_git_pull_results - when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build" + register: matrix_mautrix_twitter_git_pull_results + when: "matrix_mautrix_twitter_enabled|bool and matrix_mautrix_twitter_container_image_self_build" -- name: Ensure Mautrix Facebook Docker image is built +- name: Ensure Mautrix Twitter Docker image is built docker_image: - name: "{{ matrix_mautrix_facebook_docker_image }}" + name: "{{ matrix_mautrix_twitter_docker_image }}" source: build - force_source: "{{ matrix_mautrix_facebook_git_pull_results.changed }}" + force_source: "{{ matrix_mautrix_twitter_git_pull_results.changed }}" build: dockerfile: Dockerfile - path: "{{ matrix_mautrix_facebook_docker_src_files_path }}" + path: "{{ matrix_mautrix_twitter_docker_src_files_path }}" pull: yes - when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build|bool" + when: "matrix_mautrix_twitter_enabled|bool and matrix_mautrix_twitter_container_image_self_build|bool" - name: Check if an old database file already exists stat: - path: "{{ matrix_mautrix_facebook_base_path }}/mautrix-facebook.db" - register: matrix_mautrix_facebook_stat_database + path: "{{ matrix_mautrix_twitter_base_path }}/mautrix-twitter.db" + register: matrix_mautrix_twitter_stat_database -- name: (Data relocation) Ensure matrix-mautrix-facebook.service is stopped +- name: (Data relocation) Ensure matrix-mautrix-twitter.service is stopped service: - name: matrix-mautrix-facebook + name: matrix-mautrix-twitter state: stopped daemon_reload: yes failed_when: false - when: "matrix_mautrix_facebook_stat_database.stat.exists" + when: "matrix_mautrix_twitter_stat_database.stat.exists" -- name: (Data relocation) Move mautrix-facebook database file to ./data directory - command: "mv {{ matrix_mautrix_facebook_base_path }}/mautrix-facebook.db {{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" - when: "matrix_mautrix_facebook_stat_database.stat.exists" +- name: (Data relocation) Move mautrix-twitter database file to ./data directory + command: "mv {{ matrix_mautrix_twitter_base_path }}/mautrix-twitter.db {{ matrix_mautrix_twitter_data_path }}/mautrix-twitter.db" + when: "matrix_mautrix_twitter_stat_database.stat.exists" -- name: Ensure mautrix-facebook config.yaml installed +- name: Ensure mautrix-twitter config.yaml installed copy: - content: "{{ matrix_mautrix_facebook_configuration|to_nice_yaml }}" - dest: "{{ matrix_mautrix_facebook_config_path }}/config.yaml" + content: "{{ matrix_mautrix_twitter_configuration|to_nice_yaml }}" + dest: "{{ matrix_mautrix_twitter_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" -- name: Ensure mautrix-facebook registration.yaml installed +- name: Ensure mautrix-twitter registration.yaml installed copy: - content: "{{ matrix_mautrix_facebook_registration|to_nice_yaml }}" - dest: "{{ matrix_mautrix_facebook_config_path }}/registration.yaml" + content: "{{ matrix_mautrix_twitter_registration|to_nice_yaml }}" + dest: "{{ matrix_mautrix_twitter_config_path }}/registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" -- name: Ensure matrix-mautrix-facebook.service installed +- name: Ensure matrix-mautrix-twitter.service installed template: - src: "{{ role_path }}/templates/systemd/matrix-mautrix-facebook.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-mautrix-facebook.service" + src: "{{ role_path }}/templates/systemd/matrix-mautrix-twitter.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-mautrix-twitter.service" mode: 0644 - register: matrix_mautrix_facebook_systemd_service_result + register: matrix_mautrix_twitter_systemd_service_result -- name: Ensure systemd reloaded after matrix-mautrix-facebook.service installation +- name: Ensure systemd reloaded after matrix-mautrix-twitter.service installation service: daemon_reload: yes - when: "matrix_mautrix_facebook_systemd_service_result.changed" + when: "matrix_mautrix_twitter_systemd_service_result.changed" -- name: Ensure matrix-mautrix-facebook.service restarted, if necessary +- name: Ensure matrix-mautrix-twitter.service restarted, if necessary service: - name: "matrix-mautrix-facebook.service" + name: "matrix-mautrix-twitter.service" state: restarted - when: "matrix_mautrix_facebook_requires_restart|bool" + when: "matrix_mautrix_twitter_requires_restart|bool" diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/setup_uninstall.yml b/roles/matrix-bridge-mautrix-twitter/tasks/setup_uninstall.yml index efc8aa748..28819726e 100644 --- a/roles/matrix-bridge-mautrix-twitter/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-mautrix-twitter/tasks/setup_uninstall.yml @@ -1,24 +1,24 @@ --- -- name: Check existence of matrix-mautrix-facebook service +- name: Check existence of matrix-mautrix-twitter service stat: - path: "{{ matrix_systemd_path }}/matrix-mautrix-facebook.service" - register: matrix_mautrix_facebook_service_stat + path: "{{ matrix_systemd_path }}/matrix-mautrix-twitter.service" + register: matrix_mautrix_twitter_service_stat -- name: Ensure matrix-mautrix-facebook is stopped +- name: Ensure matrix-mautrix-twitter is stopped service: - name: matrix-mautrix-facebook + name: matrix-mautrix-twitter state: stopped daemon_reload: yes - when: "matrix_mautrix_facebook_service_stat.stat.exists" + when: "matrix_mautrix_twitter_service_stat.stat.exists" -- name: Ensure matrix-mautrix-facebook.service doesn't exist +- name: Ensure matrix-mautrix-twitter.service doesn't exist file: - path: "{{ matrix_systemd_path }}/matrix-mautrix-facebook.service" + path: "{{ matrix_systemd_path }}/matrix-mautrix-twitter.service" state: absent - when: "matrix_mautrix_facebook_service_stat.stat.exists" + when: "matrix_mautrix_twitter_service_stat.stat.exists" -- name: Ensure systemd reloaded after matrix-mautrix-facebook.service removal +- name: Ensure systemd reloaded after matrix-mautrix-twitter.service removal service: daemon_reload: yes - when: "matrix_mautrix_facebook_service_stat.stat.exists" + when: "matrix_mautrix_twitter_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml index 0879bad9c..a9e63fd0c 100644 --- a/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml +++ b/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml @@ -6,17 +6,17 @@ You need to define a required configuration setting (`{{ item }}`). when: "vars[item] == ''" with_items: - - "matrix_mautrix_facebook_appservice_token" - - "matrix_mautrix_facebook_homeserver_token" + - "matrix_mautrix_twitter_appservice_token" + - "matrix_mautrix_twitter_homeserver_token" - block: - name: Fail if on SQLite, unless on the last version supporting SQLite fail: msg: >- - You're trying to use the mautrix-facebook bridge with an SQLite database. + You're trying to use the mautrix-twitter bridge with an SQLite database. Going forward, this bridge only supports Postgres. - To learn more about this, see our changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-the-mautrix-facebook-bridge-now-requires-a-postgres-database - when: "not matrix_mautrix_facebook_docker_image.endswith(':da1b4ec596e334325a1589e70829dea46e73064b')" + To learn more about this, see our changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-the-mautrix-twitter-bridge-now-requires-a-postgres-database + when: "not matrix_mautrix_twitter_docker_image.endswith(':da1b4ec596e334325a1589e70829dea46e73064b')" - name: Inject warning if still on SQLite set_fact: @@ -25,7 +25,7 @@ matrix_playbook_runtime_results|default([]) + [ - "NOTE: Your mautrix-facebook bridge setup is still on SQLite. Your bridge is not getting any updates and will likely stop working at some point. To learn more about this, see our changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-the-mautrix-facebook-bridge-now-requires-a-postgres-database" + "NOTE: Your mautrix-twitter bridge setup is still on SQLite. Your bridge is not getting any updates and will likely stop working at some point. To learn more about this, see our changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-the-mautrix-twitter-bridge-now-requires-a-postgres-database" ] }} - when: "matrix_mautrix_facebook_database_engine == 'sqlite'" + when: "matrix_mautrix_twitter_database_engine == 'sqlite'" diff --git a/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 index 628db713d..93bf537b9 100644 --- a/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 @@ -2,9 +2,9 @@ # Homeserver details homeserver: # The address that this appservice can use to connect to the homeserver. - address: {{ matrix_mautrix_facebook_homeserver_address }} + address: {{ matrix_mautrix_twitter_homeserver_address }} # The domain of the homeserver (for MXIDs, etc). - domain: {{ matrix_mautrix_facebook_homeserver_domain }} + domain: {{ matrix_mautrix_twitter_homeserver_domain }} # Whether or not to verify the SSL certificate of the homeserver. # Only applies if address starts with https:// verify_ssl: true @@ -17,7 +17,7 @@ homeserver: # Changing these values requires regeneration of the registration. appservice: # The address that the homeserver can use to connect to this appservice. - address: {{ matrix_mautrix_facebook_appservice_address }} + address: {{ matrix_mautrix_twitter_appservice_address }} # The hostname and port where this appservice should listen. hostname: 0.0.0.0 @@ -27,7 +27,7 @@ appservice: max_body_size: 1 # The full URI to the database. Only Postgres is currently supported. - database: {{ matrix_mautrix_facebook_appservice_database|to_json }} + database: {{ matrix_mautrix_twitter_appservice_database|to_json }} # Public part of web server for out-of-Matrix interaction with the bridge. public: @@ -44,17 +44,17 @@ appservice: shared_secret: generate # The unique ID of this appservice. - id: facebook + id: twitter # Username of the appservice bot. - bot_username: {{ matrix_mautrix_facebook_appservice_bot_username|to_json }} + bot_username: {{ matrix_mautrix_twitter_appservice_bot_username|to_json }} # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty # to leave display name/avatar as-is. - bot_displayname: Facebook bridge bot + bot_displayname: Twitter bridge bot bot_avatar: mxc://maunium.net/ygtkteZsXnGJLJHRchUwYWak # Authentication tokens for AS <-> HS communication. - as_token: "{{ matrix_mautrix_facebook_appservice_token }}" - hs_token: "{{ matrix_mautrix_facebook_homeserver_token }}" + as_token: "{{ matrix_mautrix_twitter_appservice_token }}" + hs_token: "{{ matrix_mautrix_twitter_homeserver_token }}" # Prometheus telemetry config. Requires prometheus-client to be installed. metrics: @@ -63,20 +63,20 @@ metrics: # Bridge config bridge: - # Localpart template of MXIDs for Facebook users. - # {userid} is replaced with the user ID of the Facebook user. - username_template: "facebook_{userid}" + # Localpart template of MXIDs for Twitter users. + # {userid} is replaced with the user ID of the Twitter user. + username_template: "twitter_{userid}" # Localpart template for per-user room grouping community IDs. # The bridge will create these communities and add all of the specific user's portals to the community. # {localpart} is the MXID localpart and {server} is the MXID server part of the user. # - # `facebook_{localpart}={server}` is a good value. + # `twitter_{localpart}={server}` is a good value. community_template: null - # Displayname template for Facebook users. - # {displayname} is replaced with the display name of the Facebook user + # Displayname template for Twitter users. + # {displayname} is replaced with the display name of the Twitter user # as defined below in displayname_preference. # Keys available for displayname_preference are also available here. - displayname_template: '{displayname} (FB)' + displayname_template: '{displayname} (Twitter)' # Available keys: # "name" (full name) # "first_name" @@ -88,12 +88,12 @@ bridge: - first_name # The prefix for commands. Only required in non-management rooms. - command_prefix: "!fb" + command_prefix: "!twitter" # Number of chats to sync (and create portals for) on startup/login. # Set 0 to disable automatic syncing. initial_chat_sync: 10 - # Whether or not the Facebook users of logged in Matrix users should be + # Whether or not the Twitter users of logged in Matrix users should be # invited to private chats when the user sends a message from another client. invite_own_puppet_to_pm: false # Whether or not to use /sync to get presence, read receipts and typing notifications @@ -115,8 +115,8 @@ bridge: # manually. # If using this for other servers than the bridge's server, # you must also set the URL in the double_puppet_server_map. - login_shared_secret_map: {{ matrix_mautrix_facebook_bridge_login_shared_secret_map|to_json }} - presence: {{ matrix_mautrix_facebook_bridge_presence|to_json }} + login_shared_secret_map: {{ matrix_mautrix_twitter_bridge_login_shared_secret_map|to_json }} + presence: {{ matrix_mautrix_twitter_bridge_presence|to_json }} # Whether or not to update avatars when syncing all contacts at startup. update_avatar_initial_sync: true # End-to-bridge encryption support options. These require matrix-nio to be installed with pip @@ -143,14 +143,14 @@ bridge: # Verification by the bridge is not yet implemented. require_verification: true # Whether or not the bridge should send a read receipt from the bridge bot when a message has - # been sent to Facebook. + # been sent to Twitter. delivery_receipts: false # Whether to allow inviting arbitrary mxids to portal rooms allow_invites: false - # Settings for backfilling messages from Facebook. + # Settings for backfilling messages from Twitter. backfill: - # Whether or not the Facebook users of logged in Matrix users should be - # invited to private chats when backfilling history from Facebook. This is + # Whether or not the Twitter users of logged in Matrix users should be + # invited to private chats when backfilling history from Twitter. This is # usually needed to prevent rate limits and to allow timestamp massaging. invite_own_puppet: true # Maximum number of messages to backfill initially. @@ -165,7 +165,7 @@ bridge: disable_notifications: false periodic_reconnect: # Interval in seconds in which to automatically reconnect all users. - # This can be used to automatically mitigate the bug where Facebook stops sending messages. + # This can be used to automatically mitigate the bug where Twitter stops sending messages. # Set to -1 to disable periodic reconnections entirely. interval: -1 # What to do in periodic reconnects. Either "refresh" or "reconnect" @@ -197,7 +197,7 @@ bridge: # domain - All users on that homeserver # mxid - Specific user permissions: - '{{ matrix_mautrix_facebook_homeserver_domain }}': user + '{{ matrix_mautrix_twitter_homeserver_domain }}': user # Python logging configuration. # @@ -207,7 +207,7 @@ logging: version: 1 formatters: colored: - (): mautrix_facebook.util.ColorFormatter + (): mautrix_twitter.util.ColorFormatter format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" normal: format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" diff --git a/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-twitter.service.j2 b/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-twitter.service.j2 index f3af4b9ff..73bdbc866 100644 --- a/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-twitter.service.j2 +++ b/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-twitter.service.j2 @@ -1,11 +1,11 @@ #jinja2: lstrip_blocks: "True" [Unit] -Description=Matrix Mautrix Facebook bridge -{% for service in matrix_mautrix_facebook_systemd_required_services_list %} +Description=Matrix Mautrix Twitter bridge +{% for service in matrix_mautrix_twitter_systemd_required_services_list %} Requires={{ service }} After={{ service }} {% endfor %} -{% for service in matrix_mautrix_facebook_systemd_wanted_services_list %} +{% for service in matrix_mautrix_twitter_systemd_wanted_services_list %} Wants={{ service }} {% endfor %} DefaultDependencies=no @@ -13,30 +13,30 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-facebook 2>/dev/null' -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-facebook 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-twitter 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-twitter 2>/dev/null' # Intentional delay, so that the homeserver (we likely depend on) can manage to start. ExecStartPre={{ matrix_host_command_sleep }} 5 -ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-facebook \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-twitter \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --network={{ matrix_docker_network }} \ - -v {{ matrix_mautrix_facebook_config_path }}:/config:z \ - -v {{ matrix_mautrix_facebook_data_path }}:/data:z \ - {% for arg in matrix_mautrix_facebook_container_extra_arguments %} + -v {{ matrix_mautrix_twitter_config_path }}:/config:z \ + -v {{ matrix_mautrix_twitter_data_path }}:/data:z \ + {% for arg in matrix_mautrix_twitter_container_extra_arguments %} {{ arg }} \ {% endfor %} - {{ matrix_mautrix_facebook_docker_image }} \ - python3 -m mautrix_facebook -c /config/config.yaml --no-update + {{ matrix_mautrix_twitter_docker_image }} \ + python3 -m mautrix_twitter -c /config/config.yaml --no-update -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-facebook 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-facebook 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-twitter 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-twitter 2>/dev/null' Restart=always RestartSec=30 -SyslogIdentifier=matrix-mautrix-facebook +SyslogIdentifier=matrix-mautrix-twitter [Install] WantedBy=multi-user.target From 8282ab48c789690389a4a56855c14a92aefeafc9 Mon Sep 17 00:00:00 2001 From: Matthew Cengia Date: Sun, 11 Apr 2021 16:21:06 +1000 Subject: [PATCH 004/144] Replace bridge config with one from upstream Source: https://github.com/tulir/mautrix-twitter/blob/12f420ab95c2b1b1862109dc14f6af64b2bf7914/mautrix_twitter/example-config.yaml --- .../templates/config.yaml.j2 | 202 +++++++++--------- 1 file changed, 96 insertions(+), 106 deletions(-) diff --git a/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 index 93bf537b9..e4f6ba1f8 100644 --- a/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 @@ -1,60 +1,72 @@ -#jinja2: lstrip_blocks: "True" # Homeserver details homeserver: # The address that this appservice can use to connect to the homeserver. - address: {{ matrix_mautrix_twitter_homeserver_address }} + address: https://example.com # The domain of the homeserver (for MXIDs, etc). - domain: {{ matrix_mautrix_twitter_homeserver_domain }} + domain: example.com # Whether or not to verify the SSL certificate of the homeserver. # Only applies if address starts with https:// verify_ssl: true - # Whether or not the homeserver supports asmux-specific endpoints, - # such as /_matrix/client/unstable/net.maunium.asmux/dms for atomically - # updating m.direct. asmux: false # Application service host/registration related details # Changing these values requires regeneration of the registration. appservice: # The address that the homeserver can use to connect to this appservice. - address: {{ matrix_mautrix_twitter_appservice_address }} + address: http://localhost:29327 + # When using https:// the TLS certificate and key files for the address. + tls_cert: false + tls_key: false # The hostname and port where this appservice should listen. hostname: 0.0.0.0 - port: 29319 + port: 29327 # The maximum body size of appservice API requests (from the homeserver) in mebibytes # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s max_body_size: 1 # The full URI to the database. Only Postgres is currently supported. - database: {{ matrix_mautrix_twitter_appservice_database|to_json }} + database: postgres://username:password@hostname/db + # Additional arguments for asyncpg.create_pool() + # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool + database_opts: + min_size: 5 + max_size: 10 - # Public part of web server for out-of-Matrix interaction with the bridge. - public: - # Whether or not the public-facing endpoints should be enabled. - enabled: false - # The prefix to use in the public-facing endpoints. - prefix: /public - # The base URL where the public-facing endpoints are available. The prefix is not added - # implicitly. - external: https://example.com/public - # Shared secret for integration managers such as mautrix-manager. - # If set to "generate", a random string will be generated on the next startup. - # If null, integration manager access to the API will not be possible. + # Provisioning API part of the web server for automated portal creation and fetching information. + # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager). + provisioning: + # Whether or not the provisioning API should be enabled. + enabled: true + # The prefix to use in the provisioning API endpoints. + prefix: /_matrix/provision/v1 + # The shared secret to authorize users of the API. + # Set to "generate" to generate and save a new token. shared_secret: generate # The unique ID of this appservice. id: twitter # Username of the appservice bot. - bot_username: {{ matrix_mautrix_twitter_appservice_bot_username|to_json }} + bot_username: twitterbot # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty # to leave display name/avatar as-is. bot_displayname: Twitter bridge bot - bot_avatar: mxc://maunium.net/ygtkteZsXnGJLJHRchUwYWak + bot_avatar: mxc://maunium.net/HVHcnusJkQcpVcsVGZRELLCn - # Authentication tokens for AS <-> HS communication. - as_token: "{{ matrix_mautrix_twitter_appservice_token }}" - hs_token: "{{ matrix_mautrix_twitter_homeserver_token }}" + # Community ID for bridged users (changes registration file) and rooms. + # Must be created manually. + # + # Example: "+twitter:example.com". Set to false to disable. + community_id: false + + # Whether or not to receive ephemeral events via appservice transactions. + # Requires MSC2409 support (i.e. Synapse 1.22+). + # You should disable bridge -> sync_with_custom_puppets when this is enabled. + ephemeral_events: false + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. + as_token: "This value is generated when generating the registration" + hs_token: "This value is generated when generating the registration" # Prometheus telemetry config. Requires prometheus-client to be installed. metrics: @@ -66,64 +78,59 @@ bridge: # Localpart template of MXIDs for Twitter users. # {userid} is replaced with the user ID of the Twitter user. username_template: "twitter_{userid}" - # Localpart template for per-user room grouping community IDs. - # The bridge will create these communities and add all of the specific user's portals to the community. - # {localpart} is the MXID localpart and {server} is the MXID server part of the user. - # - # `twitter_{localpart}={server}` is a good value. - community_template: null # Displayname template for Twitter users. - # {displayname} is replaced with the display name of the Twitter user - # as defined below in displayname_preference. - # Keys available for displayname_preference are also available here. - displayname_template: '{displayname} (Twitter)' - # Available keys: - # "name" (full name) - # "first_name" - # "last_name" - # "nickname" - # "own_nickname" (user-specific!) - displayname_preference: - - name - - first_name + # {displayname} is replaced with the display name of the Twitter user. + # {username} is replaced with the username of the Twitter user. + displayname_template: "{displayname} (Twitter)" - # The prefix for commands. Only required in non-management rooms. - command_prefix: "!twitter" + # Maximum length of displayname + displayname_max_length: 100 - # Number of chats to sync (and create portals for) on startup/login. + # Number of conversations to sync (and create portals for) on login. # Set 0 to disable automatic syncing. - initial_chat_sync: 10 - # Whether or not the Twitter users of logged in Matrix users should be - # invited to private chats when the user sends a message from another client. - invite_own_puppet_to_pm: false - # Whether or not to use /sync to get presence, read receipts and typing notifications + initial_conversation_sync: 10 + # Whether or not to use /sync to get read receipts and typing notifications # when double puppeting is enabled sync_with_custom_puppets: true # Whether or not to update the m.direct account data event when double puppeting is enabled. # Note that updating the m.direct event is not atomic (except with mautrix-asmux) # and is therefore prone to race conditions. sync_direct_chat_list: false - # Servers to always allow double puppeting from - double_puppet_server_map: {} - # example.com: https://example.com # Allow using double puppeting from any server with a valid client .well-known file. double_puppet_allow_discovery: false - # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth + # Servers to allow double puppeting from, even if double_puppet_allow_discovery is false. + double_puppet_server_map: + example.com: https://example.com + # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth # # If set, custom puppets will be enabled automatically for local users # instead of users having to find an access token and run `login-matrix` # manually. # If using this for other servers than the bridge's server, # you must also set the URL in the double_puppet_server_map. - login_shared_secret_map: {{ matrix_mautrix_twitter_bridge_login_shared_secret_map|to_json }} - presence: {{ matrix_mautrix_twitter_bridge_presence|to_json }} - # Whether or not to update avatars when syncing all contacts at startup. - update_avatar_initial_sync: true - # End-to-bridge encryption support options. These require matrix-nio to be installed with pip - # and login_shared_secret to be configured in order to get a device for the bridge bot. + login_shared_secret_map: + example.com: foo + # Whether or not created rooms should have federation enabled. + # If false, created portal rooms will never be federated. + federate_rooms: true + # Settings for backfilling messages from Twitter. # - # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal - # application service. + # Missed message backfilling is currently based on receiving them from the Twitter polling API, + # rather than manually asking for messages in each conversation. Due to this, there's no way to + # set a limit for missed message backfilling. + backfill: + # Whether or not the Twitter users of logged in Matrix users should be + # invited to private chats when backfilling history from Twitter. This is + # usually needed to prevent rate limits and to allow timestamp massaging. + invite_own_puppet: true + # Maximum number of messages to backfill initially. + # Set to 0 to disable backfilling when creating portal. + initial_limit: 0 + # If using double puppeting, should notifications be disabled + # while the initial backfill is in progress? + disable_notifications: false + # End-to-bridge encryption support options. You must install the e2be optional dependency for + # this to work. See https://github.com/tulir/mautrix-telegram/wiki/End‐to‐bridge-encryption encryption: # Allow encryption, work in group chat rooms with e2ee enabled allow: false @@ -142,52 +149,29 @@ bridge: # Require devices to be verified by the bridge? # Verification by the bridge is not yet implemented. require_verification: true + # Whether or not to explicitly set the avatar and room name for private + # chat portal rooms. This will be implicitly enabled if encryption.default is true. + private_chat_portal_meta: false # Whether or not the bridge should send a read receipt from the bridge bot when a message has # been sent to Twitter. delivery_receipts: false - # Whether to allow inviting arbitrary mxids to portal rooms - allow_invites: false - # Settings for backfilling messages from Twitter. - backfill: - # Whether or not the Twitter users of logged in Matrix users should be - # invited to private chats when backfilling history from Twitter. This is - # usually needed to prevent rate limits and to allow timestamp massaging. - invite_own_puppet: true - # Maximum number of messages to backfill initially. - # Set to 0 to disable backfilling when creating portal. - initial_limit: 0 - # Maximum number of messages to backfill if messages were missed while - # the bridge was disconnected. - # Set to 0 to disable backfilling missed messages. - missed_limit: 1000 - # If using double puppeting, should notifications be disabled - # while the initial backfill is in progress? - disable_notifications: false - periodic_reconnect: - # Interval in seconds in which to automatically reconnect all users. - # This can be used to automatically mitigate the bug where Twitter stops sending messages. - # Set to -1 to disable periodic reconnections entirely. - interval: -1 - # What to do in periodic reconnects. Either "refresh" or "reconnect" - mode: refresh - # Should even disconnected users be reconnected? - always: false - # The number of seconds that a disconnection can last without triggering an automatic re-sync - # and missed message backfilling when reconnecting. - # Set to 0 to always re-sync, or -1 to never re-sync automatically. - resync_max_disconnected_time: 5 - # Whether or not temporary disconnections should send notices to the notice room. - # If this is false, disconnections will never send messages and connections will only send - # messages if it was disconnected for more than resync_max_disconnected_time seconds. + # Whether or not delivery errors should be reported as messages in the Matrix room. + delivery_error_reports: false + # Whether or not non-fatal polling errors should send notices to the notice room. temporary_disconnect_notices: true - # Whether or not the bridge should try to "refresh" the connection if a normal reconnection - # attempt fails. - refresh_on_reconnection_fail: false + # Number of seconds to sleep more than the previous error when a polling error occurs. + # Growth is capped at 15 minutes. + error_sleep: 5 + # Maximum number of polling errors before giving up. Set to -1 to retry forever. + max_poll_errors: 12 # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run. # This field will automatically be changed back to false after it, # except if the config file is not writable. resend_bridge_info: false + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!tw" + # Permissions for using the bridge. # Permitted values: # user - Use the bridge with puppeting. @@ -197,7 +181,9 @@ bridge: # domain - All users on that homeserver # mxid - Specific user permissions: - '{{ matrix_mautrix_twitter_homeserver_domain }}': user + "example.com": "user" + "@admin:example.com": "admin" + # Python logging configuration. # @@ -212,16 +198,20 @@ logging: normal: format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" handlers: + file: + class: logging.handlers.RotatingFileHandler + formatter: normal + filename: ./mautrix-twitter.log + maxBytes: 10485760 + backupCount: 10 console: class: logging.StreamHandler formatter: colored loggers: mau: level: DEBUG - paho: - level: INFO aiohttp: level: INFO root: level: DEBUG - handlers: [console] + handlers: [file, console] From 68e6311a9f0f47138c379d5cbea5dbbc2781c0ce Mon Sep 17 00:00:00 2001 From: Matthew Cengia Date: Sun, 11 Apr 2021 16:29:12 +1000 Subject: [PATCH 005/144] Update mautrix-twitter config to be Jinja2 template Updates based off the variable names used in mautrix-facebook role. Also update port number in defauts/main.yml, and disable presence checking, because Twitter doesn't support that. --- .../defaults/main.yml | 4 +-- .../templates/config.yaml.j2 | 32 +++++++------------ 2 files changed, 13 insertions(+), 23 deletions(-) diff --git a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml index 02eff7788..ad162cae5 100644 --- a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml @@ -19,7 +19,7 @@ matrix_mautrix_twitter_docker_src_files_path: "{{ matrix_mautrix_twitter_base_pa matrix_mautrix_twitter_homeserver_address: "{{ matrix_homeserver_container_url }}" matrix_mautrix_twitter_homeserver_domain: '{{ matrix_domain }}' -matrix_mautrix_twitter_appservice_address: 'http://matrix-mautrix-twitter:29319' +matrix_mautrix_twitter_appservice_address: 'http://matrix-mautrix-twitter:29327' # A list of extra arguments to pass to the container matrix_mautrix_twitter_container_extra_arguments: [] @@ -72,8 +72,6 @@ matrix_mautrix_twitter_bridge_login_shared_secret_map: "{{ {matrix_mautrix_twitt matrix_mautrix_twitter_appservice_bot_username: twitterbot -matrix_mautrix_twitter_bridge_presence: true - # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # diff --git a/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 index e4f6ba1f8..2c10585d3 100644 --- a/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 @@ -1,9 +1,10 @@ +#jinja2: lstrip_blocks: "True" # Homeserver details homeserver: # The address that this appservice can use to connect to the homeserver. - address: https://example.com + address: {{ matrix_mautrix_twitter_homeserver_address }} # The domain of the homeserver (for MXIDs, etc). - domain: example.com + domain: {{ matrix_mautrix_twitter_homeserver_domain }} # Whether or not to verify the SSL certificate of the homeserver. # Only applies if address starts with https:// verify_ssl: true @@ -13,7 +14,7 @@ homeserver: # Changing these values requires regeneration of the registration. appservice: # The address that the homeserver can use to connect to this appservice. - address: http://localhost:29327 + address: {{ matrix_mautrix_twitter_appservice_address }} # When using https:// the TLS certificate and key files for the address. tls_cert: false tls_key: false @@ -26,7 +27,7 @@ appservice: max_body_size: 1 # The full URI to the database. Only Postgres is currently supported. - database: postgres://username:password@hostname/db + database: {{ matrix_mautrix_twitter_appservice_database|to_json }} # Additional arguments for asyncpg.create_pool() # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool database_opts: @@ -47,7 +48,7 @@ appservice: # The unique ID of this appservice. id: twitter # Username of the appservice bot. - bot_username: twitterbot + bot_username: {{ matrix_mautrix_twitter_appservice_bot_username|to_json }} # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty # to leave display name/avatar as-is. bot_displayname: Twitter bridge bot @@ -65,8 +66,8 @@ appservice: ephemeral_events: false # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. - as_token: "This value is generated when generating the registration" - hs_token: "This value is generated when generating the registration" + as_token: "{{ matrix_mautrix_twitter_appservice_token }}" + hs_token: "{{ matrix_mautrix_twitter_homeserver_token }}" # Prometheus telemetry config. Requires prometheus-client to be installed. metrics: @@ -99,8 +100,7 @@ bridge: # Allow using double puppeting from any server with a valid client .well-known file. double_puppet_allow_discovery: false # Servers to allow double puppeting from, even if double_puppet_allow_discovery is false. - double_puppet_server_map: - example.com: https://example.com + double_puppet_server_map: {} # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth # # If set, custom puppets will be enabled automatically for local users @@ -108,8 +108,7 @@ bridge: # manually. # If using this for other servers than the bridge's server, # you must also set the URL in the double_puppet_server_map. - login_shared_secret_map: - example.com: foo + login_shared_secret_map: {{ matrix_mautrix_twitter_bridge_login_shared_secret_map|to_json }} # Whether or not created rooms should have federation enabled. # If false, created portal rooms will never be federated. federate_rooms: true @@ -181,8 +180,7 @@ bridge: # domain - All users on that homeserver # mxid - Specific user permissions: - "example.com": "user" - "@admin:example.com": "admin" + '{{ matrix_mautrix_twitter_homeserver_domain }}': user # Python logging configuration. @@ -198,12 +196,6 @@ logging: normal: format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" handlers: - file: - class: logging.handlers.RotatingFileHandler - formatter: normal - filename: ./mautrix-twitter.log - maxBytes: 10485760 - backupCount: 10 console: class: logging.StreamHandler formatter: colored @@ -214,4 +206,4 @@ logging: level: INFO root: level: DEBUG - handlers: [file, console] + handlers: [console] From cb608c06aaaa876b19761a40bcef846669f10139 Mon Sep 17 00:00:00 2001 From: Matthew Cengia Date: Sun, 11 Apr 2021 14:18:17 +1000 Subject: [PATCH 006/144] Remove references to sqlite Remove references to sqlite since we should just use postgres from the outset. --- .../defaults/main.yml | 10 ----- .../tasks/setup_install.yml | 40 ------------------- .../tasks/validate_config.yml | 21 ---------- 3 files changed, 71 deletions(-) diff --git a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml index ad162cae5..ed81f2d4c 100644 --- a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml @@ -36,19 +36,10 @@ matrix_mautrix_twitter_homeserver_token: '' # Database-related configuration fields. # -# To use SQLite: -# - change the engine (`matrix_mautrix_twitter_database_engine: 'sqlite'`) -# - change to the last bridge version that supported SQLite: -# `matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_name_prefix }}tulir/mautrix-twitter:da1b4ec596e334325a1589e70829dea46e73064b"` -# - plan your migration to Postgres, as this bridge does not support SQLite anymore (and neither will the playbook in the future). -# # To use Postgres: # - adjust your database credentials via the `matrix_mautrix_twitter_postgres_*` variables matrix_mautrix_twitter_database_engine: 'postgres' -matrix_mautrix_twitter_sqlite_database_path_local: "{{ matrix_mautrix_twitter_data_path }}/mautrix-twitter.db" -matrix_mautrix_twitter_sqlite_database_path_in_container: "/data/mautrix-twitter.db" - matrix_mautrix_twitter_database_username: 'matrix_mautrix_twitter' matrix_mautrix_twitter_database_password: 'some-password' matrix_mautrix_twitter_database_hostname: 'matrix-postgres' @@ -59,7 +50,6 @@ matrix_mautrix_twitter_database_connection_string: 'postgres://{{ matrix_mautrix matrix_mautrix_twitter_appservice_database: "{{ { - 'sqlite': ('sqlite:///' + matrix_mautrix_twitter_sqlite_database_path_in_container), 'postgres': matrix_mautrix_twitter_database_connection_string, }[matrix_mautrix_twitter_database_engine] }}" diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-twitter/tasks/setup_install.yml index 416439729..c27eeccd3 100644 --- a/roles/matrix-bridge-mautrix-twitter/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-twitter/tasks/setup_install.yml @@ -11,29 +11,6 @@ - set_fact: matrix_mautrix_twitter_requires_restart: false -- block: - - name: Check if an SQLite database already exists - stat: - path: "{{ matrix_mautrix_twitter_sqlite_database_path_local }}" - register: matrix_mautrix_twitter_sqlite_database_path_local_stat_result - - - block: - - set_fact: - matrix_postgres_db_migration_request: - src: "{{ matrix_mautrix_twitter_sqlite_database_path_local }}" - dst: "{{ matrix_mautrix_twitter_database_connection_string }}" - caller: "{{ role_path|basename }}" - engine_variable_name: 'matrix_mautrix_twitter_database_engine' - engine_old: 'sqlite' - systemd_services_to_stop: ['matrix-mautrix-twitter.service'] - - - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" - - - set_fact: - matrix_mautrix_twitter_requires_restart: true - when: "matrix_mautrix_twitter_sqlite_database_path_local_stat_result.stat.exists|bool" - when: "matrix_mautrix_twitter_database_engine == 'postgres'" - - name: Ensure Mautrix Twitter image is pulled docker_image: name: "{{ matrix_mautrix_twitter_docker_image }}" @@ -76,23 +53,6 @@ pull: yes when: "matrix_mautrix_twitter_enabled|bool and matrix_mautrix_twitter_container_image_self_build|bool" -- name: Check if an old database file already exists - stat: - path: "{{ matrix_mautrix_twitter_base_path }}/mautrix-twitter.db" - register: matrix_mautrix_twitter_stat_database - -- name: (Data relocation) Ensure matrix-mautrix-twitter.service is stopped - service: - name: matrix-mautrix-twitter - state: stopped - daemon_reload: yes - failed_when: false - when: "matrix_mautrix_twitter_stat_database.stat.exists" - -- name: (Data relocation) Move mautrix-twitter database file to ./data directory - command: "mv {{ matrix_mautrix_twitter_base_path }}/mautrix-twitter.db {{ matrix_mautrix_twitter_data_path }}/mautrix-twitter.db" - when: "matrix_mautrix_twitter_stat_database.stat.exists" - - name: Ensure mautrix-twitter config.yaml installed copy: content: "{{ matrix_mautrix_twitter_configuration|to_nice_yaml }}" diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml index a9e63fd0c..4c95f7bfa 100644 --- a/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml +++ b/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml @@ -8,24 +8,3 @@ with_items: - "matrix_mautrix_twitter_appservice_token" - "matrix_mautrix_twitter_homeserver_token" - -- block: - - name: Fail if on SQLite, unless on the last version supporting SQLite - fail: - msg: >- - You're trying to use the mautrix-twitter bridge with an SQLite database. - Going forward, this bridge only supports Postgres. - To learn more about this, see our changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-the-mautrix-twitter-bridge-now-requires-a-postgres-database - when: "not matrix_mautrix_twitter_docker_image.endswith(':da1b4ec596e334325a1589e70829dea46e73064b')" - - - name: Inject warning if still on SQLite - set_fact: - matrix_playbook_runtime_results: | - {{ - matrix_playbook_runtime_results|default([]) - + - [ - "NOTE: Your mautrix-twitter bridge setup is still on SQLite. Your bridge is not getting any updates and will likely stop working at some point. To learn more about this, see our changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-the-mautrix-twitter-bridge-now-requires-a-postgres-database" - ] - }} - when: "matrix_mautrix_twitter_database_engine == 'sqlite'" From 0f49ce06389f4c79fcb67d9933498a41c7bf820f Mon Sep 17 00:00:00 2001 From: Matthew Cengia Date: Sun, 11 Apr 2021 16:41:58 +1000 Subject: [PATCH 007/144] Set up vars for mautrix-twitter playbook * Copy/update mautrix_facebook group_vars to mautrix_twitter * Replace facebook -> twitter, fb -> twt, remove presence var * Enable playbook in setup.yml --- group_vars/matrix_servers | 45 +++++++++++++++++++++++++++++++++++++++ setup.yml | 1 + 2 files changed, 46 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index f9763c560..c4caef049 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -511,6 +511,45 @@ matrix_mautrix_telegram_database_password: "{{ '%s' | format(matrix_synapse_maca # ###################################################################### +###################################################################### +# +# matrix-bridge-mautrix-twitter +# +###################################################################### + +# We don't enable bridges by default. +matrix_mautrix_twitter_enabled: false + +matrix_mautrix_twitter_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" + +matrix_mautrix_twitter_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + }} + +matrix_mautrix_twitter_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'twt.as.token') | to_uuid }}" + +matrix_mautrix_twitter_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'twt.hs.token') | to_uuid }}" + +matrix_mautrix_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" + +# We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain +# and point them to a migration path. +matrix_mautrix_twitter_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_mautrix_twitter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.twt.db') | to_uuid }}" + +###################################################################### +# +# /matrix-bridge-mautrix-twitter +# +###################################################################### + ###################################################################### # # matrix-bridge-mautrix-whatsapp @@ -1511,6 +1550,12 @@ matrix_postgres_additional_databases: | 'password': matrix_mautrix_telegram_database_password, }] if (matrix_mautrix_telegram_enabled and matrix_mautrix_telegram_database_engine == 'postgres' and matrix_mautrix_telegram_database_hostname == 'matrix-postgres') else []) + + ([{ + 'name': matrix_mautrix_twitter_database_name, + 'username': matrix_mautrix_twitter_database_username, + 'password': matrix_mautrix_twitter_database_password, + }] if (matrix_mautrix_twitter_enabled and matrix_mautrix_twitter_database_engine == 'postgres' and matrix_mautrix_twitter_database_hostname == 'matrix-postgres') else []) + + ([{ 'name': matrix_mautrix_whatsapp_database_name, 'username': matrix_mautrix_whatsapp_database_username, diff --git a/setup.yml b/setup.yml index 42613d96f..edd212057 100755 --- a/setup.yml +++ b/setup.yml @@ -20,6 +20,7 @@ - matrix-bridge-appservice-irc - matrix-bridge-beeper-linkedin - matrix-bridge-mautrix-facebook + - matrix-bridge-mautrix-twitter - matrix-bridge-mautrix-hangouts - matrix-bridge-mautrix-googlechat - matrix-bridge-mautrix-instagram From 35033bbc0c2a9d232f3faa9e8763ba8fbf861afd Mon Sep 17 00:00:00 2001 From: Matthew Cengia Date: Sun, 11 Apr 2021 16:45:27 +1000 Subject: [PATCH 008/144] Update documentation to include mautrix-twitter Playbook config copied from mautrix-facebook and altered accordingly. --- README.md | 2 ++ ...iguring-playbook-bridge-mautrix-twitter.md | 35 +++++++++++++++++++ docs/configuring-playbook.md | 2 ++ docs/container-images.md | 2 ++ 4 files changed, 41 insertions(+) create mode 100644 docs/configuring-playbook-bridge-mautrix-twitter.md diff --git a/README.md b/README.md index 6e1b5c145..59bd915ee 100644 --- a/README.md +++ b/README.md @@ -51,6 +51,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [mautrix-facebook](https://github.com/mautrix/facebook) bridge for bridging your Matrix server to [Facebook](https://facebook.com/) +- (optional) the [mautrix-twitter](https://github.com/mautrix/twitter) bridge for bridging your Matrix server to [Twitter](https://twitter.com/) + - (optional) the [mautrix-hangouts](https://github.com/mautrix/hangouts) bridge for bridging your Matrix server to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) - (optional) the [mautrix-googlechat](https://github.com/mautrix/googlechat) bridge for bridging your Matrix server to [Google Chat](https://en.wikipedia.org/wiki/Google_Chat) diff --git a/docs/configuring-playbook-bridge-mautrix-twitter.md b/docs/configuring-playbook-bridge-mautrix-twitter.md new file mode 100644 index 000000000..cfc145064 --- /dev/null +++ b/docs/configuring-playbook-bridge-mautrix-twitter.md @@ -0,0 +1,35 @@ +# Setting up Mautrix Twitter (optional) + +The playbook can install and configure [mautrix-twitter](https://github.com/tulir/mautrix-twitter) for you. + +See the project's [documentation](https://github.com/tulir/mautrix-twitter/wiki#usage) to learn what it does and why it might be useful to you. + +```yaml +matrix_mautrix_twitter_enabled: true +``` + + +## Set up Double Puppeting + +If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-twitter/wiki/Authentication#double-puppeting) (hint: you most likely do), you have 2 ways of going about it. + +### Method 1: automatically, by enabling Shared Secret Auth + +The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook. + +This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future. + +### Method 2: manually, by asking each user to provide a working access token + +This method is currently not available for the Mautrix-Twitter bridge, but is on the [roadmap](https://github.com/tulir/mautrix-twitter/blob/master/ROADMAP.md) under Misc/Manual login with `login-matrix` + +## Usage + +1. You then need to start a chat with `@twitterbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain). +2. Send login-cookie to start the login. The bot should respond with instructions on how to proceed. + +You can learn more here about authentication from the bridge's [official documentation on Authentication](https://docs.mau.fi/bridges/python/twitter/authentication.html). + +If you run into trouble, check the [Troubleshooting](#troubleshooting) section below. + +After successfully enabling bridging, you may wish to [set up Double Puppeting](#set-up-double-puppeting), if you haven't already done so. diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 243440ddc..0f35325d3 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -102,6 +102,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Mautrix Instagram bridging](configuring-playbook-bridge-mautrix-instagram.md) (optional) +- [Setting up Mautrix Twitter bridging](configuring-playbook-bridge-mautrix-twitter.md) (optional) + - [Setting up Mautrix Signal bridging](configuring-playbook-bridge-mautrix-signal.md) (optional) - [Setting up Appservice IRC bridging](configuring-playbook-bridge-appservice-irc.md) (optional) diff --git a/docs/container-images.md b/docs/container-images.md index 6fbb92054..18436c917 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -46,6 +46,8 @@ These services are not part of our default installation, but can be enabled by [ - [mautrix/facebook](https://mau.dev/mautrix/facebook/container_registry) - the [mautrix-facebook](https://github.com/mautrix/facebook) bridge to [Facebook](https://facebook.com/) (optional) +- [tulir/mautrix-twitter](https://mau.dev/mautrix/twitter/container_registry) - the [mautrix-twitter](https://github.com/tulir/mautrix-twitter) bridge to [Twitter](https://twitter.com/) (optional) + - [mautrix/hangouts](https://mau.dev/mautrix/hangouts/container_registry) - the [mautrix-hangouts](https://github.com/mautrix/hangouts) bridge to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) (optional) - [mautrix/googlechat](https://mau.dev/mautrix/googlechat/container_registry) - the [mautrix-googlechat](https://github.com/mautrix/googlechat) bridge to [Google Chat](https://en.wikipedia.org/wiki/Google_Chat) (optional) From 2b83aeb87ed26ed1182e257ad80dfaef409dc065 Mon Sep 17 00:00:00 2001 From: Matthew Cengia Date: Tue, 9 Nov 2021 14:47:02 +1100 Subject: [PATCH 009/144] Update Mautrix-Twitter image path --- roles/matrix-bridge-mautrix-twitter/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml index ed81f2d4c..2d6b4b20c 100644 --- a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/tuli matrix_mautrix_twitter_version: latest # See: https://mau.dev/tulir/mautrix-twitter/container_registry -matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_name_prefix }}tulir/mautrix-twitter:{{ matrix_mautrix_twitter_version }}" +matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_name_prefix }}mautrix/twitter:{{ matrix_mautrix_twitter_version }}" matrix_mautrix_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_twitter_docker_image_force_pull: "{{ matrix_mautrix_twitter_docker_image.endswith(':latest') }}" From aef9a1ea1f5e08119b8434b8630212d3d36ae1d2 Mon Sep 17 00:00:00 2001 From: PC-Admin Date: Mon, 6 Dec 2021 11:54:31 +0800 Subject: [PATCH 010/144] GoMatrixHosting v0.6.7 --- roles/matrix-awx/tasks/purge_database_main.yml | 4 ++-- roles/matrix-awx/tasks/purge_media_main.yml | 4 ++-- roles/matrix-awx/tasks/self_check.yml | 2 ++ .../tasks/set_variables_dimension.yml | 4 ++-- roles/matrix-common-after/tasks/awx_post.yml | 18 +++++++++--------- 5 files changed, 17 insertions(+), 15 deletions(-) diff --git a/roles/matrix-awx/tasks/purge_database_main.yml b/roles/matrix-awx/tasks/purge_database_main.yml index 1e16c4ad4..f29061fb3 100644 --- a/roles/matrix-awx/tasks/purge_database_main.yml +++ b/roles/matrix-awx/tasks/purge_database_main.yml @@ -29,9 +29,9 @@ when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) register: awx_synapse_container_ip -- name: Collect access token for @_janitor user +- name: Collect access token for @admin-janitor user shell: | - curl -X POST -d '{"type":"m.login.password", "user":"_janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token' + curl -X POST -d '{"type":"m.login.password", "user":"admin-janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token' when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) register: awx_janitors_token no_log: True diff --git a/roles/matrix-awx/tasks/purge_media_main.yml b/roles/matrix-awx/tasks/purge_media_main.yml index 59e0d89c9..c836d16cf 100644 --- a/roles/matrix-awx/tasks/purge_media_main.yml +++ b/roles/matrix-awx/tasks/purge_media_main.yml @@ -21,9 +21,9 @@ shell: "/usr/bin/docker inspect --format '{''{range.NetworkSettings.Networks}''}{''{.IPAddress}''}{''{end}''}' matrix-synapse" register: awx_synapse_container_ip -- name: Collect access token for @_janitor user +- name: Collect access token for @admin-janitor user shell: | - curl -XPOST -d '{"type":"m.login.password", "user":"_janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token' + curl -XPOST -d '{"type":"m.login.password", "user":"admin-janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token' register: awx_janitors_token no_log: True diff --git a/roles/matrix-awx/tasks/self_check.yml b/roles/matrix-awx/tasks/self_check.yml index 510b9f9e7..a7b0cb3ab 100644 --- a/roles/matrix-awx/tasks/self_check.yml +++ b/roles/matrix-awx/tasks/self_check.yml @@ -50,12 +50,14 @@ - name: Calculate size of local media repository shell: du -sh /matrix/synapse/storage/media-store/local* register: awx_local_media_size_stat + async: 600 ignore_errors: yes no_log: True - name: Calculate size of remote media repository shell: du -sh /matrix/synapse/storage/media-store/remote* register: awx_remote_media_size_stat + async: 600 ignore_errors: yes no_log: True diff --git a/roles/matrix-awx/tasks/set_variables_dimension.yml b/roles/matrix-awx/tasks/set_variables_dimension.yml index 0db01c579..eee4e6f22 100644 --- a/roles/matrix-awx/tasks/set_variables_dimension.yml +++ b/roles/matrix-awx/tasks/set_variables_dimension.yml @@ -12,9 +12,9 @@ - curl state: present -- name: Collect access token of @_dimension user +- name: Collect access token of @admin-dimension user shell: | - curl -X POST --header 'Content-Type: application/json' -d '{ "identifier": { "type": "m.id.user","user": "_dimension" }, "password": "{{ awx_dimension_user_password }}", "type": "m.login.password"}' 'https://matrix.{{ matrix_domain }}/_matrix/client/r0/login' | jq -c '. | {access_token}' | sed 's/.*\":\"//' | sed 's/\"}//' + curl -X POST --header 'Content-Type: application/json' -d '{ "identifier": { "type": "m.id.user","user": "admin-dimension" }, "password": "{{ awx_dimension_user_password }}", "type": "m.login.password"}' 'https://matrix.{{ matrix_domain }}/_matrix/client/r0/login' | jq -c '. | {access_token}' | sed 's/.*\":\"//' | sed 's/\"}//' register: awx_dimension_user_access_token - name: Record Synapse variables locally on AWX diff --git a/roles/matrix-common-after/tasks/awx_post.yml b/roles/matrix-common-after/tasks/awx_post.yml index 278855fb8..9c472ca3a 100644 --- a/roles/matrix-common-after/tasks/awx_post.yml +++ b/roles/matrix-common-after/tasks/awx_post.yml @@ -1,11 +1,11 @@ --- -- name: Create user account @_janitor +- name: Create user account @admin-janitor command: | - /usr/local/bin/matrix-synapse-register-user _janitor {{ awx_janitor_user_password | quote }} 1 + /usr/local/bin/matrix-synapse-register-user admin-janitor {{ awx_janitor_user_password | quote }} 1 register: cmd when: not awx_janitor_user_created|bool - no_log: True + no_log: false - name: Update AWX janitor user created variable delegate_to: 127.0.0.1 @@ -18,12 +18,12 @@ 'awx_janitor_user_created': 'true' when: not awx_janitor_user_created|bool -- name: Create user account @_dimension +- name: Create user account @admin-dimension command: | - /usr/local/bin/matrix-synapse-register-user _dimension {{ awx_dimension_user_password | quote }} 0 + /usr/local/bin/matrix-synapse-register-user admin-dimension {{ awx_dimension_user_password | quote }} 0 register: cmd when: not awx_dimension_user_created|bool - no_log: True + no_log: false - name: Update AWX dimension user created variable delegate_to: 127.0.0.1 @@ -36,12 +36,12 @@ 'awx_dimension_user_created': 'true' when: not awx_dimension_user_created|bool -- name: Create user account @_mjolnir +- name: Create user account @admin-mjolnir command: | - /usr/local/bin/matrix-synapse-register-user _mjolnir {{ awx_mjolnir_user_password | quote }} 0 + /usr/local/bin/matrix-synapse-register-user admin-mjolnir {{ awx_mjolnir_user_password | quote }} 0 register: cmd when: not awx_mjolnir_user_created|bool - no_log: True + no_log: false - name: Update AWX dimension user created variable delegate_to: 127.0.0.1 From 12832d8a686ec4283d62e62241f03d3c6b3553f7 Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Wed, 15 Dec 2021 18:05:52 +0530 Subject: [PATCH 011/144] jitsi update --- roles/matrix-jitsi/defaults/main.yml | 4 +- roles/matrix-jitsi/templates/jicofo/env.j2 | 4 ++ roles/matrix-jitsi/templates/jvb/env.j2 | 20 +++--- roles/matrix-jitsi/templates/prosody/env.j2 | 65 ++++++++++--------- roles/matrix-jitsi/templates/web/env.j2 | 58 ++++++++++------- .../templates/web/matrix-jitsi-web.service.j2 | 1 + 6 files changed, 90 insertions(+), 62 deletions(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index b1002a7f2..3f61f4fff 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -8,6 +8,7 @@ matrix_jitsi_enable_recording: false matrix_jitsi_enable_transcriptions: false matrix_jitsi_enable_p2p: true matrix_jitsi_enable_av_moderation: true +matrix_jitsi_enable_breakout_rooms: true # Authentication type, must be one of internal, jwt or ldap. # Currently only internal and ldap mechanisms are supported by this playbook. @@ -67,7 +68,7 @@ matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false -matrix_jitsi_version: stable-6726 +matrix_jitsi_version: stable-6726-1 matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}" @@ -76,6 +77,7 @@ matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.ends matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web" matrix_jitsi_web_config_path: "{{ matrix_jitsi_web_base_path }}/config" matrix_jitsi_web_transcripts_path: "{{ matrix_jitsi_web_base_path }}/transcripts" +matrix_jitsi_web_crontabs_path: "{{ matrix_jitsi_web_base_path }}/crontabs" matrix_jitsi_web_public_url: "https://{{ matrix_server_fqn_jitsi }}" diff --git a/roles/matrix-jitsi/templates/jicofo/env.j2 b/roles/matrix-jitsi/templates/jicofo/env.j2 index 687df714d..1f2cb68c4 100644 --- a/roles/matrix-jitsi/templates/jicofo/env.j2 +++ b/roles/matrix-jitsi/templates/jicofo/env.j2 @@ -9,6 +9,7 @@ ENABLE_CODEC_H264 ENABLE_OCTO ENABLE_RECORDING ENABLE_SCTP +ENABLE_AUTO_LOGIN JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }} JICOFO_ENABLE_BRIDGE_HEALTH_CHECKS @@ -26,6 +27,9 @@ JIGASI_SIP_URI JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }} MAX_BRIDGE_PARTICIPANTS OCTO_BRIDGE_SELECTION_STRATEGY +SENTRY_DSN="${JICOFO_SENTRY_DSN:-0}" +SENTRY_ENVIRONMENT +SENTRY_RELEASE TZ={{ matrix_jitsi_timezone }} XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} diff --git a/roles/matrix-jitsi/templates/jvb/env.j2 b/roles/matrix-jitsi/templates/jvb/env.j2 index 6edae6d45..43569268d 100644 --- a/roles/matrix-jitsi/templates/jvb/env.j2 +++ b/roles/matrix-jitsi/templates/jvb/env.j2 @@ -1,9 +1,6 @@ +DOCKER_HOST_ADDRESS ENABLE_COLIBRI_WEBSOCKET ENABLE_OCTO -DOCKER_HOST_ADDRESS -XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} -XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} -XMPP_SERVER={{ matrix_jitsi_xmpp_server }} JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }} @@ -14,14 +11,21 @@ JVB_TCP_MAPPED_PORT={{ matrix_jitsi_jvb_rtp_tcp_port }} {% if matrix_jitsi_jvb_stun_servers|length > 0 %} JVB_STUN_SERVERS={{ matrix_jitsi_jvb_stun_servers|join(',') }} {% endif %} -JVB_ENABLE_APIS -JVB_WS_DOMAIN -JVB_WS_SERVER_ID -PUBLIC_URL={{ matrix_jitsi_web_public_url }} JVB_OCTO_BIND_ADDRESS JVB_OCTO_PUBLIC_ADDRESS JVB_OCTO_BIND_PORT JVB_OCTO_REGION +JVB_WS_DOMAIN +JVB_WS_SERVER_ID +PUBLIC_URL={{ matrix_jitsi_web_public_url }} +SENTRY_DSN="${JVB_SENTRY_DSN:-0}" +SENTRY_ENVIRONMENT +SENTRY_RELEASE +COLIBRI_REST_ENABLED +SHUTDOWN_REST_ENABLED TZ={{ matrix_jitsi_timezone }} +XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} +XMPP_INTERNAL_MUC_DOMAIN= {{ matrix_jitsi_xmpp_internal_muc_domain }} +XMPP_SERVER={{ matrix_jitsi_xmpp_server }} {{ matrix_jitsi_jvb_environment_variables_extension }} diff --git a/roles/matrix-jitsi/templates/prosody/env.j2 b/roles/matrix-jitsi/templates/prosody/env.j2 index 70feda6e3..941f2c253 100644 --- a/roles/matrix-jitsi/templates/prosody/env.j2 +++ b/roles/matrix-jitsi/templates/prosody/env.j2 @@ -1,24 +1,53 @@ AUTH_TYPE={{ matrix_jitsi_auth_type }} +DISABLE_POLLS ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} +ENABLE_AV_MODERATION={{1 if matrix_jitsi_enable_av_moderation else 0}} +ENABLE_BREAKOUT_ROOMS={{1 if matrix_jitsi_enable_breakout_rooms else 0}} ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }} ENABLE_LOBBY={{ 1 if matrix_jitsi_enable_lobby else 0 }} -ENABLE_AV_MODERATION={{1 if matrix_jitsi_enable_av_moderation else 0}} ENABLE_XMPP_WEBSOCKET -GLOBAL_MODULES GLOBAL_CONFIG -LDAP_URL={{ matrix_jitsi_ldap_url }} +GLOBAL_MODULES +JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }} +JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }} +JIBRI_XMPP_USER={{ matrix_jitsi_jibri_xmpp_user }} +JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }} +JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} +JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }} +JICOFO_COMPONENT_SECRET +JIGASI_XMPP_USER= +JIGASI_XMPP_PASSWORD= +JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} +JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} +JWT_APP_ID +JWT_APP_SECRET +JWT_ACCEPTED_ISSUERS +JWT_ACCEPTED_AUDIENCES +JWT_ASAP_KEYSERVER +JWT_ALLOW_EMPTY +JWT_AUTH_TYPE +JWT_TOKEN_AUTH_MODULE +LOG_LEVEL +LDAP_AUTH_METHOD={{ matrix_jitsi_ldap_auth_method }} LDAP_BASE={{ matrix_jitsi_ldap_base }} LDAP_BINDDN={{ matrix_jitsi_ldap_binddn }} LDAP_BINDPW={{ matrix_jitsi_ldap_bindpw }} LDAP_FILTER={{ matrix_jitsi_ldap_filter }} -LDAP_AUTH_METHOD={{ matrix_jitsi_ldap_auth_method }} LDAP_VERSION={{ matrix_jitsi_ldap_version }} -LDAP_USE_TLS={{ 1 if matrix_jitsi_ldap_use_tls else 0 }} LDAP_TLS_CIPHERS={{ matrix_jitsi_ldap_tls_ciphers }} LDAP_TLS_CHECK_PEER={{ 1 if matrix_jitsi_ldap_tls_check_peer else 0 }} LDAP_TLS_CACERT_FILE={{ matrix_jitsi_ldap_tls_cacert_file }} LDAP_TLS_CACERT_DIR={{ matrix_jitsi_ldap_tls_cacert_dir }} LDAP_START_TLS={{ 1 if matrix_jitsi_ldap_start_tls else 0 }} +LDAP_URL={{ matrix_jitsi_ldap_url }} +LDAP_USE_TLS={{ 1 if matrix_jitsi_ldap_use_tls else 0 }} +PUBLIC_URL={{ matrix_jitsi_web_public_url }} +TURN_CREDENTIALS={{ matrix_jitsi_turn_credentials }} +TURN_HOST={{ matrix_jitsi_turn_host }} +TURNS_HOST={{ matrix_jitsi_turns_host }} +TURN_PORT={{ matrix_jitsi_turn_port }} +TURNS_PORT={{ matrix_jitsi_turns_port }} +TZ={{ matrix_jitsi_timezone }} XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }} @@ -29,29 +58,3 @@ XMPP_MUC_MODULES= XMPP_INTERNAL_MUC_MODULES= XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} XMPP_CROSS_DOMAIN=true -JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} -JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }} -JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} -JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} -JIGASI_XMPP_USER= -JIGASI_XMPP_PASSWORD= -JIBRI_XMPP_USER={{ matrix_jitsi_jibri_xmpp_user }} -JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }} -JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }} -JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }} -JWT_APP_ID -JWT_APP_SECRET -JWT_ACCEPTED_ISSUERS -JWT_ACCEPTED_AUDIENCES -JWT_ASAP_KEYSERVER -JWT_ALLOW_EMPTY -JWT_AUTH_TYPE -JWT_TOKEN_AUTH_MODULE -LOG_LEVEL -PUBLIC_URL={{ matrix_jitsi_web_public_url }} -TURN_CREDENTIALS={{ matrix_jitsi_turn_credentials }} -TURN_HOST={{ matrix_jitsi_turn_host }} -TURNS_HOST={{ matrix_jitsi_turns_host }} -TURN_PORT={{ matrix_jitsi_turn_port }} -TURNS_PORT={{ matrix_jitsi_turns_port }} -TZ={{ matrix_jitsi_timezone }} diff --git a/roles/matrix-jitsi/templates/web/env.j2 b/roles/matrix-jitsi/templates/web/env.j2 index 2ff6befc5..ac15c0879 100644 --- a/roles/matrix-jitsi/templates/web/env.j2 +++ b/roles/matrix-jitsi/templates/web/env.j2 @@ -1,16 +1,3 @@ -ENABLE_COLIBRI_WEBSOCKET -ENABLE_FLOC=0 -ENABLE_LETSENCRYPT=0 -ENABLE_HTTP_REDIRECT=0 -ENABLE_HSTS=0 -ENABLE_XMPP_WEBSOCKET -DISABLE_HTTPS=0 -DISABLE_DEEP_LINKING -LETSENCRYPT_DOMAIN={{ matrix_server_fqn_jitsi }} -LETSENCRYPT_EMAIL={{ matrix_ssl_lets_encrypt_support_email }} -LETSENCRYPT_USE_STAGING=0 -PUBLIC_URL={{ matrix_jitsi_web_public_url }} -TZ={{ matrix_jitsi_timezone }} AMPLITUDE_ID ANALYTICS_SCRIPT_URLS ANALYTICS_WHITELISTED_EVENTS @@ -26,23 +13,37 @@ DEPLOYMENTINFO_ENVIRONMENT_TYPE DEPLOYMENTINFO_REGION DEPLOYMENTINFO_SHARD DEPLOYMENTINFO_USERREGION +DESKTOP_SHARING_FRAMERATE_MIN +DESKTOP_SHARING_FRAMERATE_MAX DIALIN_NUMBERS_URL DIALOUT_AUTH_URL DIALOUT_CODES_URL +DISABLE_AUDIO_LEVELS +DISABLE_DEEP_LINKING +DISABLE_HTTPS=0 +DISABLE_POLLS +DISABLE_REACTIONS DROPBOX_APPKEY DROPBOX_REDIRECT_URI DYNAMIC_BRANDING_URL ENABLE_AUDIO_PROCESSING ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} +ENABLE_BREAKOUT_ROOMS={{1 if matrix_jitsi_enable_breakout_rooms else 0}} ENABLE_CALENDAR +ENABLE_COLIBRI_WEBSOCKET ENABLE_FILE_RECORDING_SERVICE ENABLE_FILE_RECORDING_SERVICE_SHARING +ENABLE_FLOC=0 ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }} +ENABLE_HSTS=0 +ENABLE_HTTP_REDIRECT=0 ENABLE_IPV6 +ENABLE_LETSENCRYPT=0 ENABLE_LIPSYNC ENABLE_NO_AUDIO_DETECTION -ENABLE_P2P={{ 1 if matrix_jitsi_enable_p2p else 0 }} +ENABLE_NOISY_MIC_DETECTION ENABLE_PREJOIN_PAGE +ENABLE_P2P={{ 1 if matrix_jitsi_enable_p2p else 0 }} ENABLE_WELCOME_PAGE ENABLE_CLOSE_PAGE ENABLE_RECORDING={{ 1 if matrix_jitsi_enable_recording else 0 }} @@ -55,12 +56,16 @@ ENABLE_SUBDOMAINS ENABLE_TALK_WHILE_MUTED ENABLE_TCC ENABLE_TRANSCRIPTIONS={{ 1 if matrix_jitsi_enable_transcriptions else 0 }} +ENABLE_XMPP_WEBSOCKET ETHERPAD_PUBLIC_URL ETHERPAD_URL_BASE={{ (matrix_jitsi_etherpad_base + '/') if matrix_jitsi_etherpad_enabled else ''}} GOOGLE_ANALYTICS_ID GOOGLE_API_APP_CLIENT_ID INVITE_SERVICE_URL JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} +LETSENCRYPT_DOMAIN={{ matrix_server_fqn_jitsi }} +LETSENCRYPT_EMAIL={{ matrix_ssl_lets_encrypt_support_email }} +LETSENCRYPT_USE_STAGING=0 MATOMO_ENDPOINT MATOMO_SITE_ID MICROSOFT_API_APP_CLIENT_ID @@ -68,29 +73,38 @@ NGINX_RESOLVER NGINX_WORKER_PROCESSES NGINX_WORKER_CONNECTIONS PEOPLE_SEARCH_URL +PUBLIC_URL={{ matrix_jitsi_web_public_url }} RESOLUTION={{ matrix_jitsi_web_config_resolution_height_ideal_and_max }} RESOLUTION_MIN={{ matrix_jitsi_web_config_resolution_height_min }} RESOLUTION_WIDTH={{ matrix_jitsi_web_config_resolution_width_ideal_and_max }} RESOLUTION_WIDTH_MIN={{ matrix_jitsi_web_config_resolution_width_min }} -START_AUDIO_ONLY START_AUDIO_MUTED={{ matrix_jitsi_web_config_start_audio_muted_after_nth_participant }} -START_WITH_AUDIO_MUTED -START_SILENT -DISABLE_AUDIO_LEVELS -ENABLE_NOISY_MIC_DETECTION +START_AUDIO_ONLY START_BITRATE -DESKTOP_SHARING_FRAMERATE_MIN -DESKTOP_SHARING_FRAMERATE_MAX +START_SILENT +START_WITH_AUDIO_MUTED START_VIDEO_MUTED={{ matrix_jitsi_web_config_start_video_muted_after_nth_participant }} START_WITH_VIDEO_MUTED TESTING_CAP_SCREENSHARE_BITRATE TESTING_OCTO_PROBABILITY +TOKEN_AUTH_URL +TZ={{ matrix_jitsi_timezone }} +VIDEOQUALITY_BITRATE_H264_LOW +VIDEOQUALITY_BITRATE_H264_STANDARD +VIDEOQUALITY_BITRATE_H264_HIGH +VIDEOQUALITY_BITRATE_VP8_LOW +VIDEOQUALITY_BITRATE_VP8_STANDARD +VIDEOQUALITY_BITRATE_VP8_HIGH +VIDEOQUALITY_BITRATE_VP9_LOW +VIDEOQUALITY_BITRATE_VP9_STANDARD +VIDEOQUALITY_BITRATE_VP9_HIGH +VIDEOQUALITY_ENFORCE_PREFERRED_CODEC +VIDEOQUALITY_PREFERRED_CODEC XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} XMPP_BOSH_URL_BASE={{ matrix_jitsi_xmpp_bosh_url_base }} XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }} XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }} XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} -TOKEN_AUTH_URL {{ matrix_jitsi_web_environment_variables_extension }} diff --git a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 index 5d3863611..35bfca676 100644 --- a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 +++ b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 @@ -23,6 +23,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-web \ {% endif %} --mount type=bind,src={{ matrix_jitsi_web_config_path }},dst=/config \ --mount type=bind,src={{ matrix_jitsi_web_transcripts_path }},dst=/usr/share/jitsi-meet/transcripts \ + --mount type=bind,src={{ matrix_jitsi_web_crontabs_path }},dst=/var/spool/cron/crontabs \ {% for arg in matrix_jitsi_web_container_extra_arguments %} {{ arg }} \ {% endfor %} From 55860bf38fae7604468b60e1c87dfd4669e3047f Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Wed, 15 Dec 2021 18:23:29 +0530 Subject: [PATCH 012/144] Jitsi update - sentry logging added --- roles/matrix-jitsi/templates/jicofo/logging.properties.j2 | 5 +++++ roles/matrix-jitsi/templates/jvb/logging.properties.j2 | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/roles/matrix-jitsi/templates/jicofo/logging.properties.j2 b/roles/matrix-jitsi/templates/jicofo/logging.properties.j2 index 7eba95af6..3d1014a17 100644 --- a/roles/matrix-jitsi/templates/jicofo/logging.properties.j2 +++ b/roles/matrix-jitsi/templates/jicofo/logging.properties.j2 @@ -1,4 +1,8 @@ +{{ if .Env.SENTRY_DSN | default "0" | toBool }} +handlers=java.util.logging.ConsoleHandler,io.sentry.jul.SentryHandler +{{ else }} handlers= java.util.logging.ConsoleHandler +{{ end }} java.util.logging.ConsoleHandler.level = ALL java.util.logging.ConsoleHandler.formatter = net.java.sip.communicator.util.ScLogFormatter @@ -10,6 +14,7 @@ net.sf.level=SEVERE net.java.sip.communicator.plugin.reconnectplugin.level=FINE org.ice4j.level=SEVERE org.jitsi.impl.neomedia.level=SEVERE +io.sentry.jul.SentryHandler.level=WARNING # Do not worry about missing strings net.java.sip.communicator.service.resources.AbstractResourcesService.level=SEVERE diff --git a/roles/matrix-jitsi/templates/jvb/logging.properties.j2 b/roles/matrix-jitsi/templates/jvb/logging.properties.j2 index 48c1e9fa5..97ac21f05 100644 --- a/roles/matrix-jitsi/templates/jvb/logging.properties.j2 +++ b/roles/matrix-jitsi/templates/jvb/logging.properties.j2 @@ -1,4 +1,8 @@ +{{ if .Env.SENTRY_DSN | default "0" | toBool }} +handlers=java.util.logging.ConsoleHandler,io.sentry.jul.SentryHandler +{{ else }} handlers= java.util.logging.ConsoleHandler +{{ end }} java.util.logging.ConsoleHandler.level = ALL java.util.logging.ConsoleHandler.formatter = net.java.sip.communicator.util.ScLogFormatter @@ -8,6 +12,7 @@ net.java.sip.communicator.util.ScLogFormatter.programname=JVB .level=INFO org.jitsi.videobridge.xmpp.ComponentImpl.level=FINE +io.sentry.jul.SentryHandler.level=WARNING # All of the INFO level logs from MediaStreamImpl are unnecessary in the context of jitsi-videobridge. org.jitsi.impl.neomedia.MediaStreamImpl.level=WARNING From 8a0c7913be00c962be814bab46eac96047a87c42 Mon Sep 17 00:00:00 2001 From: sakkiii Date: Wed, 15 Dec 2021 18:33:09 +0530 Subject: [PATCH 013/144] Grafana Updata (8.3.1 -> 8.3.3) --- roles/matrix-grafana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 37202d6d6..f802d2e56 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,7 +3,7 @@ matrix_grafana_enabled: false -matrix_grafana_version: 8.3.1 +matrix_grafana_version: 8.3.3 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" From 980c2b9a801ae93a90496135450fc27fe506c00a Mon Sep 17 00:00:00 2001 From: sakkiii Date: Wed, 15 Dec 2021 18:35:13 +0530 Subject: [PATCH 014/144] Update coturn (4.5.2-r4 -> 4.5.2-r8) --- roles/matrix-coturn/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index b845e9ee9..4d7ccf6be 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -5,7 +5,7 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}" matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile" -matrix_coturn_version: 4.5.2-r4 +matrix_coturn_version: 4.5.2-r8 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine" matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" From 42cd4d2c8d18bcd1b29b91935e8471321d56e2a6 Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Wed, 15 Dec 2021 20:14:47 +0530 Subject: [PATCH 015/144] crontab mount dir should exists --- roles/matrix-jitsi/tasks/setup_jitsi_web.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml index 4fdcc67b8..d734be08b 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml @@ -15,6 +15,7 @@ - { path: "{{ matrix_jitsi_web_base_path }}", when: true } - { path: "{{ matrix_jitsi_web_config_path }}", when: true } - { path: "{{ matrix_jitsi_web_transcripts_path }}", when: true } + - { path: "{{ matrix_jitsi_web_crontabs_path }}", when: true } when: matrix_jitsi_enabled|bool and item.when - name: Ensure jitsi-web Docker image is pulled From 60592fd6a8c3d12878e058299850124c6e05689a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 15 Dec 2021 21:22:29 +0200 Subject: [PATCH 016/144] Fix Jitsi logging.properties conditional being interpreted as Jinja code Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1464 --- roles/matrix-jitsi/templates/jicofo/logging.properties.j2 | 2 ++ roles/matrix-jitsi/templates/jvb/logging.properties.j2 | 2 ++ 2 files changed, 4 insertions(+) diff --git a/roles/matrix-jitsi/templates/jicofo/logging.properties.j2 b/roles/matrix-jitsi/templates/jicofo/logging.properties.j2 index 3d1014a17..f69d78481 100644 --- a/roles/matrix-jitsi/templates/jicofo/logging.properties.j2 +++ b/roles/matrix-jitsi/templates/jicofo/logging.properties.j2 @@ -1,8 +1,10 @@ +{% raw %} {{ if .Env.SENTRY_DSN | default "0" | toBool }} handlers=java.util.logging.ConsoleHandler,io.sentry.jul.SentryHandler {{ else }} handlers= java.util.logging.ConsoleHandler {{ end }} +{% endraw %} java.util.logging.ConsoleHandler.level = ALL java.util.logging.ConsoleHandler.formatter = net.java.sip.communicator.util.ScLogFormatter diff --git a/roles/matrix-jitsi/templates/jvb/logging.properties.j2 b/roles/matrix-jitsi/templates/jvb/logging.properties.j2 index 97ac21f05..ff1d30a64 100644 --- a/roles/matrix-jitsi/templates/jvb/logging.properties.j2 +++ b/roles/matrix-jitsi/templates/jvb/logging.properties.j2 @@ -1,8 +1,10 @@ +{% raw %} {{ if .Env.SENTRY_DSN | default "0" | toBool }} handlers=java.util.logging.ConsoleHandler,io.sentry.jul.SentryHandler {{ else }} handlers= java.util.logging.ConsoleHandler {{ end }} +{% endraw %} java.util.logging.ConsoleHandler.level = ALL java.util.logging.ConsoleHandler.formatter = net.java.sip.communicator.util.ScLogFormatter From 2579f6f49b7847a5ff1c54964e0343d050e4bdd4 Mon Sep 17 00:00:00 2001 From: PC-Admin Date: Thu, 16 Dec 2021 07:51:27 +0800 Subject: [PATCH 017/144] add new defaults for AWX section --- roles/matrix-awx/defaults/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/matrix-awx/defaults/main.yml b/roles/matrix-awx/defaults/main.yml index fb9f56ae0..1b61797eb 100755 --- a/roles/matrix-awx/defaults/main.yml +++ b/roles/matrix-awx/defaults/main.yml @@ -1 +1,6 @@ matrix_awx_enabled: true + +# Defaults for 'Customise Website + Access Export' template +awx_sftp_auth_method: 'Disabled' +awx_sftp_password: '' +awx_sftp_public_key: '' From 2430c14869697148ebfc3b4442b77677b78cbe57 Mon Sep 17 00:00:00 2001 From: sakkiii Date: Thu, 16 Dec 2021 22:33:23 +0530 Subject: [PATCH 018/144] Create ansible-lint.yml avoiding common pitfalls that can easily lead to bugs or make code harder to maintain --- .github/workflows/ansible-lint.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 .github/workflows/ansible-lint.yml diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml new file mode 100644 index 000000000..ec7fddef4 --- /dev/null +++ b/.github/workflows/ansible-lint.yml @@ -0,0 +1,19 @@ +name: Ansible Lint + +on: [push, pull_request] + +jobs: + build: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Lint Ansible Playbook + uses: ansible/ansible-lint-action@master + with: + # Paths to ansible files (i.e., playbooks, tasks, handlers etc..) + targets: "./" + + args: "-x metadata, formatting" From 45119ea9dfbba2df79c01ec0d2ba09f001c0e23d Mon Sep 17 00:00:00 2001 From: Alexander Bersenev Date: Fri, 17 Dec 2021 05:47:47 +0500 Subject: [PATCH 019/144] Remove a space from XMPP_INTERNAL_MUC_DOMAIN The domain is invalid with space, so it shouldn't be here --- roles/matrix-jitsi/templates/jvb/env.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-jitsi/templates/jvb/env.j2 b/roles/matrix-jitsi/templates/jvb/env.j2 index 43569268d..41d343b31 100644 --- a/roles/matrix-jitsi/templates/jvb/env.j2 +++ b/roles/matrix-jitsi/templates/jvb/env.j2 @@ -25,7 +25,7 @@ COLIBRI_REST_ENABLED SHUTDOWN_REST_ENABLED TZ={{ matrix_jitsi_timezone }} XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} -XMPP_INTERNAL_MUC_DOMAIN= {{ matrix_jitsi_xmpp_internal_muc_domain }} +XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} XMPP_SERVER={{ matrix_jitsi_xmpp_server }} {{ matrix_jitsi_jvb_environment_variables_extension }} From 4625b34acca15f1403709e9e203802d57e49f92c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Dec 2021 17:18:18 +0200 Subject: [PATCH 020/144] Fix failure trying to stop orphaned systemd services Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1461 --- roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml b/roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml index 4a90bfa63..d0440d22d 100644 --- a/roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml +++ b/roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml @@ -8,6 +8,7 @@ name: "{{ item.key }}" state: stopped with_dict: "{{ ansible_facts.services|default({})|dict2items|selectattr('key', 'match', 'matrix-synapse-worker-.+\\.service')|list|items2dict }}" + when: "item.value['status'] != 'not-found'" # see https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1461 - name: Find worker configs to be cleaned find: From fa704f104bf9c9f0df07fd3297e371d030c58dfb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Dec 2021 17:30:21 +0200 Subject: [PATCH 021/144] Add support for using custom ACME CA servers (other than Let's Encrypt') Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1468 --- roles/matrix-nginx-proxy/defaults/main.yml | 7 +++++++ .../tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml | 2 ++ 2 files changed, 9 insertions(+) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index a2a2a6b9e..a2584ec76 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -442,7 +442,14 @@ matrix_ssl_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains matrix_ssl_additional_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. +# If you'd like to use another ACME certificate server (not Let's Encrypt), see `matrix_ssl_lets_encrypt_server` matrix_ssl_lets_encrypt_staging: false + +# Controls the server used to retrieve the SSL certificates (passed as a `--server` flag to Certbot). +# By default, we use the Let's Encrypt production environment (see `matrix_ssl_lets_encrypt_staging` for using the staging environment). +# Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#changing-the-acme-server +matrix_ssl_lets_encrypt_server: '' + matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.21.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml index 4639f122c..d4aab6e45 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml @@ -42,6 +42,7 @@ --non-interactive --work-dir=/tmp --http-01-port 8080 + {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %} {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %} --standalone --preferred-challenges http @@ -70,6 +71,7 @@ --non-interactive --work-dir=/tmp --http-01-port 8080 + {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %} {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %} --standalone --preferred-challenges http From afd7f03bb5f541e1e63d48b1ce66e9183b257eca Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Dec 2021 17:30:40 +0200 Subject: [PATCH 022/144] Minor comment changes --- roles/matrix-nginx-proxy/defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index a2584ec76..7eeb39ff6 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -442,11 +442,11 @@ matrix_ssl_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains matrix_ssl_additional_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. -# If you'd like to use another ACME certificate server (not Let's Encrypt), see `matrix_ssl_lets_encrypt_server` +# If you'd like to use another ACME Certificate Authority server (not Let's Encrypt), use `matrix_ssl_lets_encrypt_server` matrix_ssl_lets_encrypt_staging: false -# Controls the server used to retrieve the SSL certificates (passed as a `--server` flag to Certbot). -# By default, we use the Let's Encrypt production environment (see `matrix_ssl_lets_encrypt_staging` for using the staging environment). +# Controls from which Certificate Authority server to retrieve the SSL certificates (passed as a `--server` flag to Certbot). +# By default, we use the Let's Encrypt production environment (use `matrix_ssl_lets_encrypt_staging` for using the staging environment). # Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#changing-the-acme-server matrix_ssl_lets_encrypt_server: '' From 0080e4e40944d251c1613c4636a710fdd9ffe2ef Mon Sep 17 00:00:00 2001 From: sakkiii Date: Fri, 17 Dec 2021 21:03:20 +0530 Subject: [PATCH 023/144] Update ansible-lint version to 5.3.1 --- .github/workflows/ansible-lint.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml index ec7fddef4..32b1b9776 100644 --- a/.github/workflows/ansible-lint.yml +++ b/.github/workflows/ansible-lint.yml @@ -11,9 +11,12 @@ jobs: - uses: actions/checkout@v2 - name: Lint Ansible Playbook - uses: ansible/ansible-lint-action@master + uses: ansible/ansible-lint-action@c37fb7b4bda2c8cb18f4942716bae9f11b0dc9bc with: # Paths to ansible files (i.e., playbooks, tasks, handlers etc..) targets: "./" + override-deps: | + ansible-lint==5.3.1 + args: "-x metadata, formatting" From e8237ea37e8e51ae19c07b2577647d948ede29eb Mon Sep 17 00:00:00 2001 From: SkepticalWaves Date: Fri, 17 Dec 2021 15:23:44 -0500 Subject: [PATCH 024/144] Update synapse-admin to newest tagged release --- roles/matrix-synapse-admin/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse-admin/defaults/main.yml b/roles/matrix-synapse-admin/defaults/main.yml index 069b62794..6d20d20fd 100644 --- a/roles/matrix-synapse-admin/defaults/main.yml +++ b/roles/matrix-synapse-admin/defaults/main.yml @@ -8,7 +8,7 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" -matrix_synapse_admin_version: 0.8.1 +matrix_synapse_admin_version: 0.8.4 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" From 01b6bba9d7196701c42562e6525518613db55efc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 18 Dec 2021 14:52:06 +0200 Subject: [PATCH 025/144] Make Synapse's url_preview_accept_language default to 'en-US, en' Related to https://github.com/matrix-org/synapse/issues/11604 Getting an upstream fix is preferable. In any case, it's probably nice to have this defined explicitly in our configuration. This way, people can more easily discover that they can override the URL preview language. --- roles/matrix-synapse/defaults/main.yml | 3 +++ roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 3 +-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index d1d049d5e..d2d048414 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -321,6 +321,9 @@ matrix_synapse_push_include_content: true # URLs shared by users. matrix_synapse_url_preview_enabled: true +# A list of values for the Accept-Language HTTP header used when downloading webpages during URL preview generation +matrix_url_preview_accept_language: ['en-US', 'en'] + # Enable exposure of metrics to Prometheus # See https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md matrix_synapse_metrics_enabled: false diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 1361eb9e1..e384853c1 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -1149,8 +1149,7 @@ max_spider_size: 10M # - fr;q=0.8 # - *;q=0.7 # -url_preview_accept_language: -# - en +url_preview_accept_language: {{ matrix_url_preview_accept_language|to_json }} ## Captcha ## From dad1a23aa85fe11f89d16de6aec7f83a1985d134 Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Mon, 20 Dec 2021 17:44:08 +0100 Subject: [PATCH 026/144] Update Element version (v1.9.7 -> v1.9.8) --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index 28412a264..7853292ad 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -7,7 +7,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.9.7 +matrix_client_element_version: v1.9.8 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 06f3b813d617c17d1d93e96dab4ed94ffc5f298d Mon Sep 17 00:00:00 2001 From: Wm Salt Hale Date: Mon, 20 Dec 2021 10:50:05 -0800 Subject: [PATCH 027/144] added .well-known path to Caddy2 example, closes #1442 --- examples/caddy2/Caddyfile | 35 ++++++++++++++++++++++++----------- 1 file changed, 24 insertions(+), 11 deletions(-) diff --git a/examples/caddy2/Caddyfile b/examples/caddy2/Caddyfile index c6d2841bd..6370cb015 100644 --- a/examples/caddy2/Caddyfile +++ b/examples/caddy2/Caddyfile @@ -27,6 +27,10 @@ matrix.DOMAIN.tld { not path /matrix/static-files/* } + @wellknown { + path /.well-known/matrix/* + } + header { # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" @@ -69,6 +73,15 @@ matrix.DOMAIN.tld { } } + handle @wellknown { + encode zstd gzip + root * /matrix/static-files + header Cache-Control max-age=14400 + header Content-Type application/json + header Access-Control-Allow-Origin * + file_server + } + handle { encode zstd gzip @@ -102,17 +115,17 @@ element.DOMAIN.tld { # tls your@email.com header { - # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS - Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" - # Enable cross-site filter (XSS) and tell browser to block detected attacks - X-XSS-Protection "1; mode=block" - # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type - X-Content-Type-Options "nosniff" - # Disallow the site to be rendered within a frame (clickjacking protection) - X-Frame-Options "DENY" - # X-Robots-Tag - X-Robots-Tag "noindex, noarchive, nofollow" - } + # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS + Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + # Enable cross-site filter (XSS) and tell browser to block detected attacks + X-XSS-Protection "1; mode=block" + # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type + X-Content-Type-Options "nosniff" + # Disallow the site to be rendered within a frame (clickjacking protection) + X-Frame-Options "DENY" + # X-Robots-Tag + X-Robots-Tag "noindex, noarchive, nofollow" + } handle { encode zstd gzip From 2d49b950064655f62ab133ed958b945e5899bb6b Mon Sep 17 00:00:00 2001 From: array-in-a-matrix Date: Mon, 20 Dec 2021 16:55:15 -0500 Subject: [PATCH 028/144] missing uppercase in bot name --- roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 index db57bd0d3..ac14754c8 100644 --- a/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 @@ -43,7 +43,7 @@ appservice: bot_username: {{ matrix_mautrix_instagram_appservice_bot_username|to_json }} # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty # to leave display name/avatar as-is. - bot_displayname: instagram bridge bot + bot_displayname: Instagram bridge bot bot_avatar: mxc://maunium.net/JxjlbZUlCPULEeHZSwleUXQv # Community ID for bridged users (changes registration file) and rooms. From 87bc9bd146f4e04b8c87be6f4e0a40b685aa21dd Mon Sep 17 00:00:00 2001 From: Shreyas Ajjarapu Date: Mon, 20 Dec 2021 23:36:05 -0600 Subject: [PATCH 029/144] Update validate_config.yml --- .../tasks/validate_config.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml index 4c95f7bfa..1c2a52d49 100644 --- a/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml +++ b/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml @@ -8,3 +8,11 @@ with_items: - "matrix_mautrix_twitter_appservice_token" - "matrix_mautrix_twitter_homeserver_token" + +- name: Fail if required settings not defined + fail: + msg: >- + You need to define a need to set `matrix_mautrix_twitter_database_engine: postgres` and redefine the other `matrix_mautrix_twitter_database_*` variables + when: "vars[item] == ''" + with_items: + - "matrix_mautrix_twitter_database_engine" From 25ced724ace25ec8392ebab220f6094bad842a7d Mon Sep 17 00:00:00 2001 From: Shreyas Ajjarapu Date: Mon, 20 Dec 2021 23:38:54 -0600 Subject: [PATCH 030/144] Update matrix_servers --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index c4caef049..69917747a 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -541,7 +541,7 @@ matrix_mautrix_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_prov # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. -matrix_mautrix_twitter_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_mautrix_twitter_database_engine: "{{ 'postgres' if matrix_postgres_enabled else '' }}" matrix_mautrix_twitter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.twt.db') | to_uuid }}" ###################################################################### From 6a9775520baec57e0729e41197dc04e95bf8edb9 Mon Sep 17 00:00:00 2001 From: Shreyas Ajjarapu Date: Tue, 21 Dec 2021 00:13:08 -0600 Subject: [PATCH 031/144] Update validate_config.yml --- roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml index 1c2a52d49..114fd2cf0 100644 --- a/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml +++ b/roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml @@ -9,7 +9,7 @@ - "matrix_mautrix_twitter_appservice_token" - "matrix_mautrix_twitter_homeserver_token" -- name: Fail if required settings not defined +- name: Fail if database is not defined fail: msg: >- You need to define a need to set `matrix_mautrix_twitter_database_engine: postgres` and redefine the other `matrix_mautrix_twitter_database_*` variables From cddbb1ffa0bf03ae5eae9f0e506cccded58689f3 Mon Sep 17 00:00:00 2001 From: Shreyas Ajjarapu Date: Tue, 21 Dec 2021 00:27:45 -0600 Subject: [PATCH 032/144] Update config.yaml.j2 --- roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 index 2c10585d3..b03c77f42 100644 --- a/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 @@ -124,10 +124,10 @@ bridge: invite_own_puppet: true # Maximum number of messages to backfill initially. # Set to 0 to disable backfilling when creating portal. - initial_limit: 0 + initial_limit: 100 # If using double puppeting, should notifications be disabled # while the initial backfill is in progress? - disable_notifications: false + disable_notifications: true # End-to-bridge encryption support options. You must install the e2be optional dependency for # this to work. See https://github.com/tulir/mautrix-telegram/wiki/End‐to‐bridge-encryption encryption: From 3509f648af5f03e0a8c0e1ed3e5682725f03576e Mon Sep 17 00:00:00 2001 From: Shreyas Ajjarapu Date: Tue, 21 Dec 2021 00:28:55 -0600 Subject: [PATCH 033/144] Update config.yaml.j2 --- roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 index db57bd0d3..760d6162c 100644 --- a/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 @@ -132,7 +132,7 @@ bridge: missed_limit: 1000 # If using double puppeting, should notifications be disabled # while the initial backfill is in progress? - disable_notifications: false + disable_notifications: true periodic_reconnect: # Interval in seconds in which to automatically reconnect all users. # This can be used to automatically mitigate the bug where Instagram stops sending messages. From 6c9f6c28deb86fea74fa9432ee028bda2575ff96 Mon Sep 17 00:00:00 2001 From: Catalan Lover <48515417+FSG-Cat@users.noreply.github.com> Date: Tue, 21 Dec 2021 14:15:13 +0100 Subject: [PATCH 034/144] Update Synapse from 1.49.0 to 1.49.1 This update fixes a sync issue that would cause some users to experience sync issues that could cause initial sync to completely fail. --- roles/matrix-synapse/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index d2d048414..2d030b7de 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.49.0 -matrix_synapse_version_arm64: v1.49.0 +matrix_synapse_version: v1.49.1 +matrix_synapse_version_arm64: v1.49.1 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From eb0c332f807ebe383d39ca7182fc8e13ab80aeb2 Mon Sep 17 00:00:00 2001 From: Catalan Lover <48515417+FSG-Cat@users.noreply.github.com> Date: Tue, 21 Dec 2021 19:29:56 +0100 Subject: [PATCH 035/144] Update Synapse Version from 1.49.1 to 1.49.2 This upgrade is technically not needed due to 1.49.1 and 1.49.2 being identical with a lone fix to Debian packaging being the only change. Still some might want us to be on the absolutely latest version even tho these 2 are practically identical. ARM64 has yet to be built so this has to wait for that before merge. --- roles/matrix-synapse/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 2d030b7de..4e69ecd74 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.49.1 -matrix_synapse_version_arm64: v1.49.1 +matrix_synapse_version: v1.49.2 +matrix_synapse_version_arm64: v1.49.2 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From ed0fcd618cf4d17c94394e4a787b3481a27c9f1d Mon Sep 17 00:00:00 2001 From: Shreyas Ajjarapu Date: Tue, 21 Dec 2021 21:37:09 -0600 Subject: [PATCH 036/144] Update config.yaml.j2 --- roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 index b03c77f42..9bfa3123d 100644 --- a/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 @@ -124,7 +124,7 @@ bridge: invite_own_puppet: true # Maximum number of messages to backfill initially. # Set to 0 to disable backfilling when creating portal. - initial_limit: 100 + initial_limit: 0 # If using double puppeting, should notifications be disabled # while the initial backfill is in progress? disable_notifications: true From f6f81a85de3c03c2db7534171e389deb09c1360a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 22 Dec 2021 15:27:35 +0200 Subject: [PATCH 037/144] Enable notifications during backfill .. as per the default bridge config. Source: https://github.com/mautrix/twitter/blob/f848710c01a75f4357508552fa63499cba2839e4/mautrix_twitter/example-config.yamll#L147 --- roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 index cea157485..ac14754c8 100644 --- a/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 @@ -132,7 +132,7 @@ bridge: missed_limit: 1000 # If using double puppeting, should notifications be disabled # while the initial backfill is in progress? - disable_notifications: true + disable_notifications: false periodic_reconnect: # Interval in seconds in which to automatically reconnect all users. # This can be used to automatically mitigate the bug where Instagram stops sending messages. From e834a69e60cfa383d26426ec0631a201a3c64656 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 22 Dec 2021 15:53:53 +0200 Subject: [PATCH 038/144] Announce mautrix-twitter support Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1478 --- CHANGELOG.md | 7 +++++++ docs/configuring-playbook-bridge-mautrix-twitter.md | 2 ++ docs/configuring-playbook-bridge-mx-puppet-twitter.md | 2 ++ 3 files changed, 11 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a6d15b963..1d7331e94 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,10 @@ +# 2021-12-22 + +## Twitter bridging support via mautrix-twitter + +Thanks to [Matthew Cengia](https://github.com/mattcen) and [Shreyas Ajjarapu](https://github.com/shreyasajj), besides [mx-puppet-twitter](docs/configuring-playbook-bridge-mx-puppet-twitter.md), bridging to [Twitter](https://twitter.com/) can now also happen with [mautrix-twitter](docs/configuring-playbook-bridge-mautrix-twitter.md). + + # 2021-12-14 ## (Security) Users of the Signal bridge may wish to upgrade it to work around log4j vulnerability diff --git a/docs/configuring-playbook-bridge-mautrix-twitter.md b/docs/configuring-playbook-bridge-mautrix-twitter.md index cfc145064..93eb89014 100644 --- a/docs/configuring-playbook-bridge-mautrix-twitter.md +++ b/docs/configuring-playbook-bridge-mautrix-twitter.md @@ -1,5 +1,7 @@ # Setting up Mautrix Twitter (optional) +**Note**: bridging to [Twitter](https://twitter.com/) can also happen via the [mx-puppet-twitter](configuring-playbook-bridge-mx-puppet-twitter.md) bridge supported by the playbook. + The playbook can install and configure [mautrix-twitter](https://github.com/tulir/mautrix-twitter) for you. See the project's [documentation](https://github.com/tulir/mautrix-twitter/wiki#usage) to learn what it does and why it might be useful to you. diff --git a/docs/configuring-playbook-bridge-mx-puppet-twitter.md b/docs/configuring-playbook-bridge-mx-puppet-twitter.md index dd2c9c120..cd3dd39ca 100644 --- a/docs/configuring-playbook-bridge-mx-puppet-twitter.md +++ b/docs/configuring-playbook-bridge-mx-puppet-twitter.md @@ -1,5 +1,7 @@ # Setting up MX Puppet Twitter (optional) +**Note**: bridging to [Twitter](https://twitter.com/) can also happen via the [mautrix-twitter](configuring-playbook-bridge-mautrix-twitter.md) bridge supported by the playbook. + The playbook can install and configure [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) for you. From 061d6ac86fbf1ec7141d4cbc1261895ed93bd6a8 Mon Sep 17 00:00:00 2001 From: Toni Spets Date: Wed, 22 Dec 2021 19:04:21 +0200 Subject: [PATCH 039/144] Upgrade Heisenbridge (1.7.1 -> 1.8.0) --- roles/matrix-bridge-heisenbridge/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-heisenbridge/defaults/main.yml b/roles/matrix-bridge-heisenbridge/defaults/main.yml index cd5a08583..d8b19d1e1 100644 --- a/roles/matrix-bridge-heisenbridge/defaults/main.yml +++ b/roles/matrix-bridge-heisenbridge/defaults/main.yml @@ -3,7 +3,7 @@ matrix_heisenbridge_enabled: true -matrix_heisenbridge_version: 1.7.1 +matrix_heisenbridge_version: 1.8.0 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}" matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}" From e88530abac589452282872d925514c800b03dadf Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 12:01:46 +0200 Subject: [PATCH 040/144] Upgrade devture/ansible (2.10.7-r0 -> 2.11.6-r1) --- docs/ansible.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ansible.md b/docs/ansible.md index 502515403..50cf83ed3 100644 --- a/docs/ansible.md +++ b/docs/ansible.md @@ -51,7 +51,7 @@ docker run -it --rm \ -v `pwd`:/work \ -v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro \ --entrypoint=/bin/sh \ -docker.io/devture/ansible:2.10.7-r0 +docker.io/devture/ansible:2.11.6-r1 ``` The above command tries to mount an SSH key (`$HOME/.ssh/id_rsa`) into the container (at `/root/.ssh/id_rsa`). From dcab14d9a86249ad0af2bea63b38023365cb2eaf Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 13:03:31 +0200 Subject: [PATCH 041/144] Add self-building support to Beeper LinkedIn bridge Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1480 Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1242 --- docs/self-building.md | 1 + group_vars/matrix_servers | 2 + .../defaults/main.yml | 12 +++- .../tasks/setup_install.yml | 60 +++++++++++++++---- 4 files changed, 62 insertions(+), 13 deletions(-) diff --git a/docs/self-building.md b/docs/self-building.md index 9ff28e4c5..9bf435c08 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -24,6 +24,7 @@ List of roles where self-building the Docker image is currently possible: - `matrix-bridge-appservice-irc` - `matrix-bridge-appservice-slack` - `matrix-bridge-appservice-webhooks` +- `matrix-bridge-beeper-linkedin` - `matrix-bridge-mautrix-facebook` - `matrix-bridge-mautrix-hangouts` - `matrix-bridge-mautrix-googlechat` diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 69917747a..8edcd6baf 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -229,6 +229,8 @@ matrix_appservice_irc_database_password: "{{ '%s' | format(matrix_synapse_macaro # We don't enable bridges by default. matrix_beeper_linkedin_enabled: false +matrix_beeper_linkedin_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}" + matrix_beeper_linkedin_systemd_required_services_list: | {{ ['docker.service'] diff --git a/roles/matrix-bridge-beeper-linkedin/defaults/main.yml b/roles/matrix-bridge-beeper-linkedin/defaults/main.yml index 8df6c38f2..87561ff59 100644 --- a/roles/matrix-bridge-beeper-linkedin/defaults/main.yml +++ b/roles/matrix-bridge-beeper-linkedin/defaults/main.yml @@ -4,13 +4,21 @@ matrix_beeper_linkedin_enabled: true matrix_beeper_linkedin_version: v0.5.1 + # See: https://gitlab.com/beeper/linkedin/container_registry -matrix_beeper_linkedin_docker_image: "registry.gitlab.com/beeper/linkedin:{{ matrix_beeper_linkedin_version }}-amd64" -matrix_beeper_linkedin_docker_image_force_pull: "{{ matrix_beeper_linkedin_docker_image.endswith(':latest-amd64') }}" +matrix_beeper_linkedin_docker_image: "{{ matrix_beeper_linkedin_docker_image_name_prefix }}beeper/linkedin:{{ matrix_beeper_linkedin_docker_image_tag }}" +matrix_beeper_linkedin_docker_image_force_pull: "{{ matrix_beeper_linkedin_docker_image_tag.startswith('latest') }}" +matrix_beeper_linkedin_docker_image_name_prefix: "{{ 'localhost/' if matrix_beeper_linkedin_container_image_self_build else 'registry.gitlab.com/' }}" +matrix_beeper_linkedin_docker_image_tag: "{{ 'latest' if matrix_beeper_linkedin_version == 'master' else matrix_beeper_linkedin_version }}-{{ matrix_architecture }}" + +matrix_beeper_linkedin_container_image_self_build: false +matrix_beeper_linkedin_container_image_self_build_repo: "https://gitlab.com/beeper/linkedin" +matrix_beeper_linkedin_container_image_self_build_branch: "{{ matrix_beeper_linkedin_version }}" matrix_beeper_linkedin_base_path: "{{ matrix_base_data_path }}/beeper-linkedin" matrix_beeper_linkedin_config_path: "{{ matrix_beeper_linkedin_base_path }}/config" matrix_beeper_linkedin_data_path: "{{ matrix_beeper_linkedin_base_path }}/data" +matrix_beeper_linkedin_docker_src_files_path: "{{ matrix_beeper_linkedin_base_path }}/docker-src" matrix_beeper_linkedin_homeserver_address: "{{ matrix_homeserver_container_url }}" matrix_beeper_linkedin_homeserver_domain: "{{ matrix_domain }}" diff --git a/roles/matrix-bridge-beeper-linkedin/tasks/setup_install.yml b/roles/matrix-bridge-beeper-linkedin/tasks/setup_install.yml index 97d05a45e..c873d0c2c 100644 --- a/roles/matrix-bridge-beeper-linkedin/tasks/setup_install.yml +++ b/roles/matrix-bridge-beeper-linkedin/tasks/setup_install.yml @@ -7,6 +7,20 @@ msg: >- The matrix-bridge-beeper-linkedin role needs to execute before the matrix-synapse role. when: "matrix_synapse_role_executed|default(False)" +- name: Ensure Beeper LinkedIn paths exists + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_beeper_linkedin_base_path }}", when: true } + - { path: "{{ matrix_beeper_linkedin_config_path }}", when: true } + - { path: "{{ matrix_beeper_linkedin_data_path }}", when: true } + - { path: "{{ matrix_beeper_linkedin_docker_src_files_path }}", when: "{{ matrix_beeper_linkedin_container_image_self_build }}" } + when: "item.when|bool" + - name: Ensure Beeper LinkedIn image is pulled docker_image: @@ -14,18 +28,42 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_beeper_linkedin_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_beeper_linkedin_docker_image_force_pull }}" + when: "not matrix_beeper_linkedin_container_image_self_build|bool" -- name: Ensure Beeper LinkedIn paths exists - file: - path: "{{ item }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_beeper_linkedin_base_path }}" - - "{{ matrix_beeper_linkedin_config_path }}" - - "{{ matrix_beeper_linkedin_data_path }}" +- block: + - name: Ensure Beeper LinkedIn repository is present on self-build + git: + repo: "{{ matrix_beeper_linkedin_container_image_self_build_repo }}" + dest: "{{ matrix_beeper_linkedin_docker_src_files_path }}" + version: "{{ matrix_beeper_linkedin_container_image_self_build_branch }}" + force: "yes" + register: matrix_beeper_linkedin_git_pull_results + + # Building the container image (using the default Dockerfile) requires that a docker-requirements.txt file be generated. + # See: https://gitlab.com/beeper/linkedin/-/blob/94442db17ccb9769b377cdb8e4bf1cb3955781d7/.gitlab-ci.yml#L30-40 + - name: Ensure docker-requirements.txt is generated before building Beeper LinkedIn Docker Image + command: | + {{ matrix_host_command_docker }} run \ + --rm \ + --entrypoint=/bin/sh \ + --mount type=bind,src={{ matrix_beeper_linkedin_docker_src_files_path }},dst=/work \ + -w /work \ + docker.io/python:3.9.6-buster \ + -c "pip install poetry && poetry export --without-hashes -E e2be -E images -E metrics | sed 's/==.*//g' > docker-requirements.txt" + + - name: Ensure Beeper LinkedIn Docker image is built + docker_image: + name: "{{ matrix_beeper_linkedin_docker_image }}" + source: build + force_source: "{{ matrix_beeper_linkedin_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_beeper_linkedin_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_beeper_linkedin_docker_src_files_path }}" + pull: yes + args: + TARGETARCH: "{{ matrix_architecture }}" + when: "matrix_beeper_linkedin_container_image_self_build|bool" - name: Ensure beeper-linkedin config.yaml installed copy: From 26ec3ca1b54accdb944c5cd5fc5a732c23ce41a7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Dec 2021 10:48:06 +0200 Subject: [PATCH 042/144] Link to examples/caddy2 Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1484 --- docs/configuring-playbook-own-webserver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index fb970ef03..c7e56f146 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -64,7 +64,7 @@ Once you've followed the [Preparation](#preparation) guide above, you can take a ### Using your own external caddy webserver -After following the [Preparation](#preparation) guide above, you can take a look at the [examples/caddy](../examples/caddy) directory for a sample configuration. +After following the [Preparation](#preparation) guide above, you can take a look at the [examples/caddy](../examples/caddy) directory and [examples/caddy2](../examples/caddy2) directory for a sample configuration for Caddy v1 and v2, respectively. ### Using your own HAproxy reverse proxy After following the [Preparation](#preparation) guide above, you can take a look at the [examples/haproxy](../examples/haproxy) directory for a sample configuration. In this case HAproxy is used as a reverse proxy and a simple Nginx container is used to serve statically `.well-known` files. From 5df486f31eca1ffe811946ce377487bd2bd1bb85 Mon Sep 17 00:00:00 2001 From: Toni Spets Date: Sat, 25 Dec 2021 18:05:41 +0200 Subject: [PATCH 043/144] Upgrade Heisenbridge (1.8.0 -> 1.8.2) --- roles/matrix-bridge-heisenbridge/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-heisenbridge/defaults/main.yml b/roles/matrix-bridge-heisenbridge/defaults/main.yml index d8b19d1e1..ef2ba48b5 100644 --- a/roles/matrix-bridge-heisenbridge/defaults/main.yml +++ b/roles/matrix-bridge-heisenbridge/defaults/main.yml @@ -3,7 +3,7 @@ matrix_heisenbridge_enabled: true -matrix_heisenbridge_version: 1.8.0 +matrix_heisenbridge_version: 1.8.2 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}" matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}" From 0715104886cc694397e5fcef6fac7975eea563da Mon Sep 17 00:00:00 2001 From: Kim Brose Date: Mon, 27 Dec 2021 13:55:02 +0100 Subject: [PATCH 044/144] lint whitespace from ansible-lint.yml --- .github/workflows/ansible-lint.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml index 32b1b9776..2f103ff79 100644 --- a/.github/workflows/ansible-lint.yml +++ b/.github/workflows/ansible-lint.yml @@ -4,7 +4,7 @@ on: [push, pull_request] jobs: build: - + runs-on: ubuntu-latest steps: @@ -18,5 +18,5 @@ jobs: override-deps: | ansible-lint==5.3.1 - + args: "-x metadata, formatting" From 297ed9ce3671789d132453c6dd5762976c70c9e7 Mon Sep 17 00:00:00 2001 From: Alejo Diaz Date: Mon, 27 Dec 2021 14:20:23 -0300 Subject: [PATCH 045/144] Add encryption_enabled_by_default_for_room_type This commit simply add encryption_enabled_by_default_for_room_type variable. Signed-off-by: Alejo Diaz --- roles/matrix-synapse/defaults/main.yml | 2 ++ roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 4e69ecd74..ce5235d31 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -580,6 +580,8 @@ matrix_synapse_default_room_version: "6" # If not, you can also control its value manually. matrix_synapse_spam_checker: [] +matrix_synapse_encryption_enabled_by_default_for_room_type: off + matrix_synapse_trusted_key_servers: - server_name: "matrix.org" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index e384853c1..2e82ea3b6 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2651,7 +2651,7 @@ spam_checker: {{ matrix_synapse_spam_checker|to_json }} # Note that this option will only affect rooms created after it is set. It # will also not affect rooms created by other servers. # -#encryption_enabled_by_default_for_room_type: invite +encryption_enabled_by_default_for_room_type: {{ matrix_synapse_encryption_enabled_by_default_for_room_type }} # Uncomment to allow non-server-admin users to create groups on this server From 280c6c5424365c207ad10915cd1834260f423ea2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 27 Dec 2021 21:45:13 +0200 Subject: [PATCH 046/144] Add |to_json --- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 2e82ea3b6..5d7502fdd 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2651,7 +2651,7 @@ spam_checker: {{ matrix_synapse_spam_checker|to_json }} # Note that this option will only affect rooms created after it is set. It # will also not affect rooms created by other servers. # -encryption_enabled_by_default_for_room_type: {{ matrix_synapse_encryption_enabled_by_default_for_room_type }} +encryption_enabled_by_default_for_room_type: {{ matrix_synapse_encryption_enabled_by_default_for_room_type|to_json }} # Uncomment to allow non-server-admin users to create groups on this server From 56e9ff1740cfd7bfa9c9e3346e7df3941b9cf1da Mon Sep 17 00:00:00 2001 From: SierraKiloBravo <65400576+SierraKiloBravo@users.noreply.github.com> Date: Tue, 28 Dec 2021 11:40:22 +0100 Subject: [PATCH 047/144] Added defaults and edited config template for mautrix-telegram, allowing editing of MXID/displayname templates for bridged users --- roles/matrix-bridge-mautrix-telegram/defaults/main.yml | 5 +++++ .../templates/config.yaml.j2 | 9 ++++++--- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index 45a7d6e88..1995a7b78 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -130,3 +130,8 @@ matrix_mautrix_telegram_registration_yaml: | de.sorunome.msc2409.push_ephemeral: true matrix_mautrix_telegram_registration: "{{ matrix_mautrix_telegram_registration_yaml|from_yaml }}" + +# Templates for defining MXID's and displaynames for users and rooms. +matrix_mautrix_telegram_username_template: 'telegram_{userid}' +matrix_mautrix_telegram_alias_template: 'telegram_{groupname}' +matrix_mautrix_telegram_displayname_template: '{displayname} (Telegram)' diff --git a/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 index 39a18462e..9492d79e3 100644 --- a/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 @@ -69,13 +69,16 @@ appservice: bridge: # Localpart template of MXIDs for Telegram users. # {userid} is replaced with the user ID of the Telegram user. - username_template: "telegram_{userid}" + # Default: telegram_{userid} + username_template: {{ matrix_mautrix_telegram_username_template|to_json }} # Localpart template of room aliases for Telegram portal rooms. # {groupname} is replaced with the name part of the public channel/group invite link ( https://t.me/{} ) - alias_template: "telegram_{groupname}" + # Default: telegram_{groupname} + alias_template: {{ matrix_mautrix_telegram_alias_template|to_json }} # Displayname template for Telegram users. # {displayname} is replaced with the display name of the Telegram user. - displayname_template: "{displayname} (Telegram)" + # Default: {displayname} (Telegram) + displayname_template: {{ matrix_mautrix_telegram_displayname_template|to_json }} # Set the preferred order of user identifiers which to use in the Matrix puppet display name. # In the (hopefully unlikely) scenario that none of the given keys are found, the numeric user From 1066baed38516a570315e9af96f4376c5e6ff0b4 Mon Sep 17 00:00:00 2001 From: pushytoxin Date: Tue, 28 Dec 2021 13:43:22 +0100 Subject: [PATCH 048/144] Upgrade etherpad to 1.8.16 Extend the config template with the lines added in the past year --- roles/matrix-etherpad/defaults/main.yml | 2 +- roles/matrix-etherpad/templates/settings.json.j2 | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/roles/matrix-etherpad/defaults/main.yml b/roles/matrix-etherpad/defaults/main.yml index 45f8f8b28..f04d8589a 100644 --- a/roles/matrix-etherpad/defaults/main.yml +++ b/roles/matrix-etherpad/defaults/main.yml @@ -2,7 +2,7 @@ matrix_etherpad_enabled: false matrix_etherpad_base_path: "{{ matrix_base_data_path }}/etherpad" -matrix_etherpad_version: 1.8.12 +matrix_etherpad_version: 1.8.16 matrix_etherpad_docker_image: "{{ matrix_container_global_registry_prefix }}etherpad/etherpad:{{ matrix_etherpad_version }}" matrix_etherpad_docker_image_force_pull: "{{ matrix_etherpad_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-etherpad/templates/settings.json.j2 b/roles/matrix-etherpad/templates/settings.json.j2 index 377bad988..573b445d8 100644 --- a/roles/matrix-etherpad/templates/settings.json.j2 +++ b/roles/matrix-etherpad/templates/settings.json.j2 @@ -46,6 +46,8 @@ "maxHttpBufferSize": 10000 }, "loadTest": false, + "dumpOnUncleanExit": false, + "indentationOnNewLine": false, "importExportRateLimiting": { "windowMs": 90000, "max": 10 @@ -101,5 +103,6 @@ } ] }, - "customLocaleStrings": {} + "customLocaleStrings": {}, + "enableAdminUITests": false } From c2f3586ac6351ee6864b132d02b70d4427da9b7f Mon Sep 17 00:00:00 2001 From: HarHarLinks Date: Thu, 9 Dec 2021 18:31:40 +0100 Subject: [PATCH 049/144] switch appservice-webhooks fork turt2live/matrix-appservice-webhooks -> redoonetworks/matrix-appservice-webhooks --- roles/matrix-bridge-appservice-webhooks/defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index bc9ae8b40..22f680402 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml @@ -1,15 +1,15 @@ # matrix-appservice-webhooks is a Matrix <-> webhook bridge -# See: https://github.com/turt2live/matrix-appservice-webhooks +# See: https://github.com/redoonetworks/matrix-appservice-webhooks matrix_appservice_webhooks_enabled: true matrix_appservice_webhooks_container_image_self_build: false -matrix_appservice_webhooks_container_image_self_build_repo: "https://github.com/turt2live/matrix-appservice-webhooks" +matrix_appservice_webhooks_container_image_self_build_repo: "https://github.com/redoonetworks/matrix-appservice-webhooks" matrix_appservice_webhooks_container_image_self_build_repo_version: "{{ 'master' if matrix_appservice_webhooks_version == 'latest' else matrix_appservice_webhooks_version }}" matrix_appservice_webhooks_container_image_self_build_repo_dockerfile_path: "Dockerfile" matrix_appservice_webhooks_version: latest -matrix_appservice_webhooks_docker_image: "{{ matrix_appservice_webhooks_docker_image_name_prefix }}turt2live/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}" +matrix_appservice_webhooks_docker_image: "{{ matrix_appservice_webhooks_docker_image_name_prefix }}redoonetworks/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}" matrix_appservice_webhooks_docker_image_name_prefix: "{{ 'localhost/' if matrix_appservice_webhooks_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_appservice_webhooks_docker_image_force_pull: "{{ matrix_appservice_webhooks_docker_image.endswith(':latest') }}" From cdf76bdbb73dc1e675166bb0d10f58639d191a54 Mon Sep 17 00:00:00 2001 From: Toni Spets Date: Wed, 29 Dec 2021 21:05:41 +0200 Subject: [PATCH 050/144] Upgrade Heisenbridge (1.8.2 -> 1.9.0) --- roles/matrix-bridge-heisenbridge/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-heisenbridge/defaults/main.yml b/roles/matrix-bridge-heisenbridge/defaults/main.yml index ef2ba48b5..5d393a810 100644 --- a/roles/matrix-bridge-heisenbridge/defaults/main.yml +++ b/roles/matrix-bridge-heisenbridge/defaults/main.yml @@ -3,7 +3,7 @@ matrix_heisenbridge_enabled: true -matrix_heisenbridge_version: 1.8.2 +matrix_heisenbridge_version: 1.9.0 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}" matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}" From 948c4111069f2d7689eeb23d261b1062bcd38bd0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 30 Dec 2021 10:47:06 +0200 Subject: [PATCH 051/144] Remove sudo requirement for generating SSL certificates Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1492 --- .../ssl/setup_ssl_self_signed_obtain_for_domain.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml index aea17cc02..ff7fa2d8b 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml @@ -37,6 +37,13 @@ -keyout {{ matrix_ssl_certificate_cert_key_path }} \ -out {{ matrix_ssl_certificate_cert_path }} \ -days 3650 - become: true - become_user: "{{ matrix_user_username }}" when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists" + +- name: Adjust SSL certificate file ownership + file: + path: "{{ item }}" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_ssl_certificate_cert_key_path }}" + - "{{ matrix_ssl_certificate_cert_path }}" From 993121e517ad74548d20ef4d0de1db41930acb22 Mon Sep 17 00:00:00 2001 From: Jim Myhrberg Date: Sat, 1 Jan 2022 03:08:00 +0000 Subject: [PATCH 052/144] feat(etherpad): add optional admin web-UI access Enables optional access to Etherpad's web-UI. This is useful for managing Etherpad plugins. Among other things, plugins makes it easy to manage/delete pads if you install the adminpads2 plugin. --- docs/configuring-playbook-etherpad.md | 17 +++++++++++++++++ roles/matrix-etherpad/defaults/main.yml | 5 +++++ .../matrix-etherpad/templates/settings.json.j2 | 8 ++++++++ 3 files changed, 30 insertions(+) diff --git a/docs/configuring-playbook-etherpad.md b/docs/configuring-playbook-etherpad.md index e5533e717..4c38bb3ca 100644 --- a/docs/configuring-playbook-etherpad.md +++ b/docs/configuring-playbook-etherpad.md @@ -25,6 +25,23 @@ The Dimension administrator users can configure the default URL template. The Di If you wish to disable the Etherpad chat button, you can do it by appending `?showChat=false` to the end of the pad URL, or the template. Example: `https://dimension./etherpad/p/$roomId_$padName?showChat=false` +### Etherpad Admin access (optional) + +Etherpad comes with a admin web-UI which is disabled by default. You can enable it by setting a username and password in your configuration file (`inventory/host_vars/matrix./vars.yml`): + +```yaml +matrix_etherpad_admin_username: admin +matrix_etherpad_admin_password: some-password +``` + +The admin web-UI should then be available on: `https://dimension./etherpad/admin` + +### Managing / Deleting old pads + +If you want to manage and remove old unused pads from Etherpad, you will first need to able Admin access as described above. + +Then from the plugin manager page (`https://dimension./etherpad/admin/plugins`), install the `adminpads2` plugin. Once installed, you should have a "Manage pads" section in the Admin web-UI. + ## Known issues If your Etherpad widget fails to load, this might be due to Dimension generating a Pad name so long, the Etherpad app rejects it. diff --git a/roles/matrix-etherpad/defaults/main.yml b/roles/matrix-etherpad/defaults/main.yml index f04d8589a..bcabc3ddc 100644 --- a/roles/matrix-etherpad/defaults/main.yml +++ b/roles/matrix-etherpad/defaults/main.yml @@ -41,6 +41,11 @@ matrix_etherpad_database_hostname: 'matrix-postgres' matrix_etherpad_database_port: 5432 matrix_etherpad_database_name: 'matrix_etherpad' +# If a admin username and password is set, the /admin web page will be +# available. +matrix_etherpad_admin_username: '' +matrix_etherpad_admin_password: '' + matrix_etherpad_database_connection_string: 'postgres://{{ matrix_etherpad_database_username }}:{{ matrix_etherpad_database_password }}@{{ matrix_etherpad_database_hostname }}:{{ matrix_etherpad_database_port }}/{{ matrix_etherpad_database_name }}' # Variables configuring the etherpad diff --git a/roles/matrix-etherpad/templates/settings.json.j2 b/roles/matrix-etherpad/templates/settings.json.j2 index 573b445d8..01127a911 100644 --- a/roles/matrix-etherpad/templates/settings.json.j2 +++ b/roles/matrix-etherpad/templates/settings.json.j2 @@ -71,6 +71,14 @@ "chatAndUsers": false, "lang": "en-gb" }, +{% if matrix_etherpad_admin_username != "" and matrix_etherpad_admin_password != "" %} + "users": { + "{{ matrix_etherpad_admin_username }}": { + "password": "{{ matrix_etherpad_admin_password }}", + "is_admin": true + } + }, +{% endif %} "padShortcutEnabled" : { "altF9": true, "altC": true, From bc5efa0dbccf1202b936145b9f50947b9802e759 Mon Sep 17 00:00:00 2001 From: Chris van Dijk Date: Sun, 2 Jan 2022 10:54:51 +0100 Subject: [PATCH 053/144] Remove Jitsi web interface_config.js in favour of custom-interface_config.js As of docker-jitsi-meet stable-6433 [1], `/config/interface_config.js` is regenerated on every boot. The correct way to modify the interface config is now via `/config/custom-interface_config.js`, which is appended to a default copy of `interface_config.js` by `/etc/cont-init.d/10-config` on every boot of the docker image. Given that `interface_config.js` is considered deprecated by upstream (all options will eventually be moved to `config.js`), we also deprecate the `matrix_jitsi_web_interface_config_*` variables in favour of `matrix_jitsi_web_custom_interface_config_extension`. [1] https://github.com/jitsi/docker-jitsi-meet/blob/stable-6433/CHANGELOG.md#stable-6433 --- roles/matrix-jitsi/defaults/main.yml | 27 +- roles/matrix-jitsi/tasks/setup_jitsi_web.yml | 2 +- roles/matrix-jitsi/tasks/validate_config.yml | 13 + .../web/custom-interface_config.js.j2 | 3 + .../templates/web/interface_config.js.j2 | 295 ------------------ 5 files changed, 21 insertions(+), 319 deletions(-) create mode 100644 roles/matrix-jitsi/templates/web/custom-interface_config.js.j2 delete mode 100644 roles/matrix-jitsi/templates/web/interface_config.js.j2 diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 3f61f4fff..33dad3885 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -108,37 +108,18 @@ matrix_jitsi_web_container_extra_arguments: [] matrix_jitsi_web_systemd_required_services_list: ['docker.service'] -# Some variables controlling the interface of Jitsi Web. -# These get applied to `templates/web/interface_config.js.j2`. -# -# Besides this, you can also use `matrix_jitsi_web_custom_interface_config_extension` -# to define any other configuration option. -matrix_jitsi_web_interface_config_lang_detection: false -matrix_jitsi_web_interface_config_show_jitsi_watermark: true -matrix_jitsi_web_interface_config_jitsi_watermark_link: "https://jitsi.org" -matrix_jitsi_web_interface_config_show_brand_watermark: false -matrix_jitsi_web_interface_config_brand_watermark_link: "" -matrix_jitsi_web_interface_config_generate_room_names_on_welcome_page: true -matrix_jitsi_web_interface_config_display_welcome_page_content: true -matrix_jitsi_web_interface_config_app_name: "Jitsi Meet" -matrix_jitsi_web_interface_config_native_app_name: "Jitsi Meet" -matrix_jitsi_web_interface_config_provider_name: "Jitsi" -matrix_jitsi_web_interface_config_show_powered_by: false -matrix_jitsi_web_interface_config_disable_transcription_subtitles: false -matrix_jitsi_web_interface_config_show_deep_linking_image: false - -# Custom configuration to be injected into `interface_config.js`, passed to Jitsi Web. -# This configuration gets appended to the final interface configuration that Jitsi Web uses. +# Custom configuration to be appended to `interface_config.js`, passed to Jitsi Web. # # Note: not to be confused with `matrix_jitsi_web_custom_config_extension`. # # For interface configuration, the flow is like this: -# - the contents of `templates/web/interface_config.js.j2` is generated (based on various `matrix_jitsi_web_interface_config_*` variables you see in this file) +# - a default `interface_config.js` is generated from within the docker image # - the contents of `matrix_jitsi_web_custom_interface_config_extension` is appended and can define new settings or override defaults. # # Example: # matrix_jitsi_web_custom_interface_config_extension: | -# interfaceConfig.CONNECTION_INDICATOR_AUTO_HIDE_ENABLED = false; +# interfaceConfig.LANG_DETECTION = false; +# interfaceConfig.SHOW_JITSI_WATERMARK = false; # interfaceConfig.DISABLE_VIDEO_BACKGROUND = true; matrix_jitsi_web_custom_interface_config_extension: '' diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml index d734be08b..bcb1b49e5 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml @@ -40,7 +40,7 @@ mode: 0644 with_items: - custom-config.js - - interface_config.js + - custom-interface_config.js when: matrix_jitsi_enabled|bool - name: Ensure matrix-jitsi-web.service installed diff --git a/roles/matrix-jitsi/tasks/validate_config.yml b/roles/matrix-jitsi/tasks/validate_config.yml index a9d86764e..4defe986c 100644 --- a/roles/matrix-jitsi/tasks/validate_config.yml +++ b/roles/matrix-jitsi/tasks/validate_config.yml @@ -54,3 +54,16 @@ - {'old': 'matrix_jitsi_web_interface_config_show_watermark_for_guests', 'new': ''} - {'old': 'matrix_jitsi_web_interface_config_invitation_powered_by', 'new': ''} - {'old': 'matrix_jisti_web_interface_config_show_deep_linking_image', 'new': 'matrix_jitsi_web_interface_config_show_deep_linking_image'} + - {'old': 'matrix_jitsi_web_interface_config_lang_detection', 'new': ' Date: Mon, 3 Jan 2022 00:59:52 +0000 Subject: [PATCH 054/144] Update links to Mautrix Twitter bridge Signed-off-by: Aaron Raimist --- docs/configuring-playbook-bridge-mautrix-twitter.md | 10 ++++------ docs/container-images.md | 2 +- roles/matrix-bridge-mautrix-twitter/defaults/main.yml | 4 ++-- 3 files changed, 7 insertions(+), 9 deletions(-) diff --git a/docs/configuring-playbook-bridge-mautrix-twitter.md b/docs/configuring-playbook-bridge-mautrix-twitter.md index 93eb89014..3d5b49cff 100644 --- a/docs/configuring-playbook-bridge-mautrix-twitter.md +++ b/docs/configuring-playbook-bridge-mautrix-twitter.md @@ -2,9 +2,9 @@ **Note**: bridging to [Twitter](https://twitter.com/) can also happen via the [mx-puppet-twitter](configuring-playbook-bridge-mx-puppet-twitter.md) bridge supported by the playbook. -The playbook can install and configure [mautrix-twitter](https://github.com/tulir/mautrix-twitter) for you. +The playbook can install and configure [mautrix-twitter](https://github.com/mautrix/twitter) for you. -See the project's [documentation](https://github.com/tulir/mautrix-twitter/wiki#usage) to learn what it does and why it might be useful to you. +See the project's [documentation](https://github.com/mautrix/twitter) to learn what it does and why it might be useful to you. ```yaml matrix_mautrix_twitter_enabled: true @@ -13,7 +13,7 @@ matrix_mautrix_twitter_enabled: true ## Set up Double Puppeting -If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-twitter/wiki/Authentication#double-puppeting) (hint: you most likely do), you have 2 ways of going about it. +If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it. ### Method 1: automatically, by enabling Shared Secret Auth @@ -23,7 +23,7 @@ This is the recommended way of setting up Double Puppeting, as it's easier to ac ### Method 2: manually, by asking each user to provide a working access token -This method is currently not available for the Mautrix-Twitter bridge, but is on the [roadmap](https://github.com/tulir/mautrix-twitter/blob/master/ROADMAP.md) under Misc/Manual login with `login-matrix` +This method is currently not available for the Mautrix-Twitter bridge, but is on the [roadmap](https://github.com/mautrix/twitter/blob/master/ROADMAP.md) under Misc/Manual login with `login-matrix` ## Usage @@ -32,6 +32,4 @@ This method is currently not available for the Mautrix-Twitter bridge, but is on You can learn more here about authentication from the bridge's [official documentation on Authentication](https://docs.mau.fi/bridges/python/twitter/authentication.html). -If you run into trouble, check the [Troubleshooting](#troubleshooting) section below. - After successfully enabling bridging, you may wish to [set up Double Puppeting](#set-up-double-puppeting), if you haven't already done so. diff --git a/docs/container-images.md b/docs/container-images.md index 18436c917..d52f3fddd 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -46,7 +46,7 @@ These services are not part of our default installation, but can be enabled by [ - [mautrix/facebook](https://mau.dev/mautrix/facebook/container_registry) - the [mautrix-facebook](https://github.com/mautrix/facebook) bridge to [Facebook](https://facebook.com/) (optional) -- [tulir/mautrix-twitter](https://mau.dev/mautrix/twitter/container_registry) - the [mautrix-twitter](https://github.com/tulir/mautrix-twitter) bridge to [Twitter](https://twitter.com/) (optional) +- [mautrix/twitter](https://mau.dev/mautrix/twitter/container_registry) - the [mautrix-twitter](https://github.com/mautrix/twitter) bridge to [Twitter](https://twitter.com/) (optional) - [mautrix/hangouts](https://mau.dev/mautrix/hangouts/container_registry) - the [mautrix-hangouts](https://github.com/mautrix/hangouts) bridge to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) (optional) diff --git a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml index 2d6b4b20c..826bc4b64 100644 --- a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml @@ -1,10 +1,10 @@ # mautrix-twitter is a Matrix <-> Twitter bridge -# See: https://github.com/tulir/mautrix-twitter +# See: https://github.com/mautrix/twitter matrix_mautrix_twitter_enabled: true matrix_mautrix_twitter_container_image_self_build: false -matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/tulir/mautrix-twitter.git" +matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/mautrix/twitter.git" matrix_mautrix_twitter_version: latest # See: https://mau.dev/tulir/mautrix-twitter/container_registry From c0f7c39f7dee36f536389faa707856d260185462 Mon Sep 17 00:00:00 2001 From: HarHarLinks Date: Mon, 3 Jan 2022 18:29:13 +0100 Subject: [PATCH 055/144] s/plabook/playbook --- roles/matrix-bridge-appservice-slack/tasks/init.yml | 2 +- roles/matrix-bridge-appservice-webhooks/tasks/init.yml | 2 +- roles/matrix-bridge-mautrix-googlechat/tasks/init.yml | 2 +- roles/matrix-bridge-mautrix-hangouts/tasks/init.yml | 2 +- roles/matrix-bridge-mautrix-telegram/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-slack/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml | 2 +- roles/matrix-etherpad/tasks/init.yml | 2 +- roles/matrix-registration/tasks/init.yml | 2 +- roles/matrix-synapse-admin/tasks/init.yml | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) diff --git a/roles/matrix-bridge-appservice-slack/tasks/init.yml b/roles/matrix-bridge-appservice-slack/tasks/init.yml index 0584e6247..f6aada6d7 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/init.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/init.yml @@ -44,7 +44,7 @@ msg: >- Trying to append Slack Appservice's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-bridge-appservice-slack role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-bridge-appservice-webhooks/tasks/init.yml b/roles/matrix-bridge-appservice-webhooks/tasks/init.yml index a42e14c96..7f49e8b64 100644 --- a/roles/matrix-bridge-appservice-webhooks/tasks/init.yml +++ b/roles/matrix-bridge-appservice-webhooks/tasks/init.yml @@ -37,7 +37,7 @@ msg: >- Trying to append webhooks Appservice's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-bridge-appservice-webhooks role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-bridge-mautrix-googlechat/tasks/init.yml b/roles/matrix-bridge-mautrix-googlechat/tasks/init.yml index c12fcd3cc..5c8d82bfe 100644 --- a/roles/matrix-bridge-mautrix-googlechat/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-googlechat/tasks/init.yml @@ -28,7 +28,7 @@ msg: >- Trying to append Mautrix googlechat's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-googlechat role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml index 6cc194fe1..59756ec90 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml @@ -28,7 +28,7 @@ msg: >- Trying to append Mautrix Hangouts's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-hangouts role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml index 84ac86d0b..bf903a57e 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml @@ -28,7 +28,7 @@ msg: >- Trying to append Mautrix Telegram's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-telegram role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml index f484c6873..74ec03502 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml @@ -28,7 +28,7 @@ msg: >- Trying to append Slack Appservice's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-mx-puppet-slack role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml index 06cf83fa6..2054d23c5 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml @@ -28,7 +28,7 @@ msg: >- Trying to append Twitter Appservice's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-mx-puppet-twitter role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-etherpad/tasks/init.yml b/roles/matrix-etherpad/tasks/init.yml index 5b8f5ef65..c94e08174 100644 --- a/roles/matrix-etherpad/tasks/init.yml +++ b/roles/matrix-etherpad/tasks/init.yml @@ -8,7 +8,7 @@ msg: >- Trying to append Etherpad's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-etherpad role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-registration/tasks/init.yml b/roles/matrix-registration/tasks/init.yml index 5ab93910f..47220103b 100644 --- a/roles/matrix-registration/tasks/init.yml +++ b/roles/matrix-registration/tasks/init.yml @@ -15,7 +15,7 @@ msg: >- Trying to append matrix-registration's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-registration role. when: matrix_nginx_proxy_role_executed|default(False)|bool diff --git a/roles/matrix-synapse-admin/tasks/init.yml b/roles/matrix-synapse-admin/tasks/init.yml index e19128717..fccc9dfab 100644 --- a/roles/matrix-synapse-admin/tasks/init.yml +++ b/roles/matrix-synapse-admin/tasks/init.yml @@ -15,7 +15,7 @@ msg: >- Trying to append Synapse Admin's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, + To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-synapse-admin role. when: matrix_nginx_proxy_role_executed|default(False)|bool From f0d7a8e99d0210ab62aa3dd1f387fff70bacab74 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 4 Jan 2022 09:18:31 +0200 Subject: [PATCH 056/144] Use to_json --- roles/matrix-etherpad/templates/settings.json.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-etherpad/templates/settings.json.j2 b/roles/matrix-etherpad/templates/settings.json.j2 index 01127a911..0a240f3e0 100644 --- a/roles/matrix-etherpad/templates/settings.json.j2 +++ b/roles/matrix-etherpad/templates/settings.json.j2 @@ -73,8 +73,8 @@ }, {% if matrix_etherpad_admin_username != "" and matrix_etherpad_admin_password != "" %} "users": { - "{{ matrix_etherpad_admin_username }}": { - "password": "{{ matrix_etherpad_admin_password }}", + {{ matrix_etherpad_admin_username|to_json }}: { + "password": {{ matrix_etherpad_admin_password|to_json }}, "is_admin": true } }, From 8515ac55e63a77cda8fcbf841541c5fb7d7a2381 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 4 Jan 2022 17:04:01 +0200 Subject: [PATCH 057/144] Upgrade nginx (1.21.4 -> 1.21.5) --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 7eeb39ff6..27b0b42da 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -1,5 +1,5 @@ matrix_nginx_proxy_enabled: true -matrix_nginx_proxy_version: 1.21.4-alpine +matrix_nginx_proxy_version: 1.21.5-alpine # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but From b1b4ba501fdfaa434dac8a981cec9ac0311ca4ef Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 4 Jan 2022 17:21:02 +0200 Subject: [PATCH 058/144] Replace ExecStop with ExecStopPost ExecStopPost should allow us to clean up (docker kill + docker rm) even if the ExecStart (docker run ..) command failed, and not just after a graceful service stop was initiated. Source: https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStopPost= --- .../templates/systemd/matrix-bot-go-neb.service.j2 | 4 ++-- .../systemd/matrix-bot-matrix-reminder-bot.service.j2 | 4 ++-- .../templates/systemd/matrix-bot-mjolnir.service.j2 | 4 ++-- .../systemd/matrix-appservice-discord.service.j2 | 4 ++-- .../templates/systemd/matrix-appservice-irc.service.j2 | 4 ++-- .../templates/systemd/matrix-appservice-slack.service.j2 | 4 ++-- .../systemd/matrix-appservice-webhooks.service.j2 | 4 ++-- .../templates/systemd/matrix-beeper-linkedin.service.j2 | 4 ++-- .../templates/systemd/matrix-heisenbridge.service.j2 | 4 ++-- .../templates/systemd/matrix-mautrix-facebook.service.j2 | 4 ++-- .../systemd/matrix-mautrix-googlechat.service.j2 | 4 ++-- .../templates/systemd/matrix-mautrix-hangouts.service.j2 | 4 ++-- .../templates/systemd/matrix-mautrix-instagram.service.j2 | 4 ++-- .../systemd/matrix-mautrix-signal-daemon.service.j2 | 4 ++-- .../templates/systemd/matrix-mautrix-signal.service.j2 | 4 ++-- .../templates/systemd/matrix-mautrix-telegram.service.j2 | 4 ++-- .../templates/systemd/matrix-mautrix-twitter.service.j2 | 4 ++-- .../templates/systemd/matrix-mautrix-whatsapp.service.j2 | 4 ++-- .../templates/systemd/matrix-mx-puppet-discord.service.j2 | 4 ++-- .../templates/systemd/matrix-mx-puppet-groupme.service.j2 | 4 ++-- .../systemd/matrix-mx-puppet-instagram.service.j2 | 4 ++-- .../templates/systemd/matrix-mx-puppet-skype.service.j2 | 4 ++-- .../templates/systemd/matrix-mx-puppet-slack.service.j2 | 4 ++-- .../templates/systemd/matrix-mx-puppet-steam.service.j2 | 4 ++-- .../templates/systemd/matrix-mx-puppet-twitter.service.j2 | 4 ++-- .../templates/systemd/matrix-sms-bridge.service.j2 | 4 ++-- .../templates/systemd/matrix-client-element.service.j2 | 4 ++-- .../templates/systemd/matrix-client-hydrogen.service.j2 | 4 ++-- .../templates/systemd/matrix-corporal.service.j2 | 4 ++-- .../templates/systemd/matrix-coturn.service.j2 | 4 ++-- .../templates/systemd/matrix-dimension.service.j2 | 4 ++-- .../templates/systemd/matrix-dynamic-dns.service.j2 | 4 ++-- .../templates/systemd/matrix-email2matrix.service.j2 | 4 ++-- .../templates/systemd/matrix-etherpad.service.j2 | 6 +++--- .../templates/systemd/matrix-grafana.service.j2 | 4 ++-- .../templates/jicofo/matrix-jitsi-jicofo.service.j2 | 4 ++-- .../templates/jvb/matrix-jitsi-jvb.service.j2 | 4 ++-- .../templates/prosody/matrix-jitsi-prosody.service.j2 | 4 ++-- .../templates/web/matrix-jitsi-web.service.j2 | 4 ++-- .../templates/systemd/matrix-ma1sd.service.j2 | 4 ++-- .../templates/systemd/matrix-mailer.service.j2 | 4 ++-- .../templates/systemd/matrix-nginx-proxy.service.j2 | 4 ++-- .../templates/systemd/matrix-postgres-backup.service.j2 | 4 ++-- .../templates/systemd/matrix-postgres.service.j2 | 4 ++-- .../systemd/matrix-prometheus-node-exporter.service.j2 | 4 ++-- .../matrix-prometheus-postgres-exporter.service.j2 | 6 +++--- .../templates/systemd/matrix-prometheus.service.j2 | 4 ++-- .../templates/systemd/matrix-redis.service.j2 | 4 ++-- .../templates/systemd/matrix-registration.service.j2 | 4 ++-- .../templates/systemd/matrix-sygnal.service.j2 | 4 ++-- .../templates/systemd/matrix-synapse-admin.service.j2 | 4 ++-- .../templates/goofys/systemd/matrix-goofys.service.j2 | 8 ++++---- .../synapse/systemd/matrix-synapse-worker.service.j2 | 4 ++-- .../templates/synapse/systemd/matrix-synapse.service.j2 | 4 ++-- 54 files changed, 112 insertions(+), 112 deletions(-) diff --git a/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 b/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 index eabf11372..056447eb8 100644 --- a/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 +++ b/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 @@ -39,8 +39,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-go-neb \ {{ matrix_bot_go_neb_docker_image }} \ -c "go-neb /config/config.yaml" -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-bot-go-neb diff --git a/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 b/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 index b1fe3c325..14b5fa45d 100644 --- a/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 +++ b/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-matrix-rem {{ matrix_bot_matrix_reminder_bot_docker_image }} \ -c "matrix-reminder-bot /config/config.yaml" -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-matrix-reminder-bot 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-matrix-reminder-bot 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-matrix-reminder-bot 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-matrix-reminder-bot 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-bot-matrix-reminder-bot diff --git a/roles/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 b/roles/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 index 0b018f25b..b22983129 100644 --- a/roles/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 +++ b/roles/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-mjolnir \ {% endfor %} {{ matrix_bot_mjolnir_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-mjolnir 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-mjolnir 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-mjolnir 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-mjolnir 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-bot-mjolnir diff --git a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 index 84dee8015..8f61bd9f2 100644 --- a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 +++ b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 @@ -35,8 +35,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-dis {{ matrix_appservice_discord_docker_image }} \ node /build/src/discordas.js -p 9005 -c /cfg/config.yaml -f /cfg/registration.yaml -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-discord 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-discord 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-discord 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-discord 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-appservice-discord diff --git a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 index 8650bd8db..2c26c7823 100644 --- a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 +++ b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 @@ -36,8 +36,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-irc {{ matrix_appservice_irc_docker_image }} \ -c 'node app.js -c /config/config.yaml -f /config/registration.yaml -p 9999' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-irc 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-irc 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-irc 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-irc 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-appservice-irc diff --git a/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 b/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 index 21ba27ef5..9bf737117 100644 --- a/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 +++ b/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 @@ -35,8 +35,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-sla {{ matrix_appservice_slack_docker_image }} \ node app.js -p {{matrix_appservice_slack_matrix_port}} -c /config/config.yaml -f /config/slack-registration.yaml -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-slack 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-slack 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-slack 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-slack 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-appservice-slack diff --git a/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 b/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 index f27111b3c..a227387a4 100644 --- a/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 +++ b/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 @@ -35,8 +35,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-web {{ matrix_appservice_webhooks_docker_image }} \ node index.js -p {{ matrix_appservice_webhooks_matrix_port }} -c /config/config.yaml -f /config/webhooks-registration.yaml -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-webhooks 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-webhooks 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-webhooks 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-webhooks 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-appservice-webhooks diff --git a/roles/matrix-bridge-beeper-linkedin/templates/systemd/matrix-beeper-linkedin.service.j2 b/roles/matrix-bridge-beeper-linkedin/templates/systemd/matrix-beeper-linkedin.service.j2 index 4498b4f02..84e4a9c21 100644 --- a/roles/matrix-bridge-beeper-linkedin/templates/systemd/matrix-beeper-linkedin.service.j2 +++ b/roles/matrix-bridge-beeper-linkedin/templates/systemd/matrix-beeper-linkedin.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-beeper-linkedi {{ matrix_beeper_linkedin_docker_image }} \ python3 -m linkedin_matrix -c /data/config.yaml -r /data/registration.yaml -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-beeper-linkedin 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-beeper-linkedin 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-beeper-linkedin 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-beeper-linkedin 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-beeper-linkedin diff --git a/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 b/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 index e27b88f1d..6a0750bfa 100644 --- a/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 +++ b/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 @@ -41,8 +41,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-heisenbridge \ --listen-port 9898 \ {{ matrix_heisenbridge_homeserver_url }} -ExecStop=-{{ matrix_host_command_docker }} kill matrix-heisenbridge -ExecStop=-{{ matrix_host_command_docker }} rm matrix-heisenbridge +ExecStopPost=-{{ matrix_host_command_docker }} kill matrix-heisenbridge +ExecStopPost=-{{ matrix_host_command_docker }} rm matrix-heisenbridge Restart=always RestartSec=30 SyslogIdentifier=matrix-heisenbridge diff --git a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 index f3af4b9ff..07ee8fb70 100644 --- a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 +++ b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-facebo {{ matrix_mautrix_facebook_docker_image }} \ python3 -m mautrix_facebook -c /config/config.yaml --no-update -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-facebook 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-facebook 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-facebook 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-facebook 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-facebook diff --git a/roles/matrix-bridge-mautrix-googlechat/templates/systemd/matrix-mautrix-googlechat.service.j2 b/roles/matrix-bridge-mautrix-googlechat/templates/systemd/matrix-mautrix-googlechat.service.j2 index c56473bed..5a6ab7995 100644 --- a/roles/matrix-bridge-mautrix-googlechat/templates/systemd/matrix-mautrix-googlechat.service.j2 +++ b/roles/matrix-bridge-mautrix-googlechat/templates/systemd/matrix-mautrix-googlechat.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-google {{ matrix_mautrix_googlechat_docker_image }} \ python3 -m mautrix_googlechat -c /config/config.yaml --no-update -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-googlechat 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-googlechat 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-googlechat 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-googlechat 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-googlechat diff --git a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 index 60f0e055f..66f34d94c 100644 --- a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 +++ b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 @@ -44,8 +44,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-hangou {{ matrix_mautrix_hangouts_docker_image }} \ python3 -m mautrix_hangouts -c /config/config.yaml --no-update -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-hangouts 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-hangouts 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-hangouts 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-hangouts 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-hangouts diff --git a/roles/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2 b/roles/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2 index 33a5bab3b..0157accc9 100644 --- a/roles/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2 +++ b/roles/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-instag {{ matrix_mautrix_instagram_docker_image }} \ python3 -m mautrix_instagram -c /config/config.yaml --no-update -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-instagram 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-instagram 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-instagram 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-instagram 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-instagram diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 index 6f128da39..314bba6d5 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 @@ -30,8 +30,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-signal -v {{ matrix_mautrix_signal_daemon_path }}:/signald:z \ {{ matrix_mautrix_signal_daemon_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-signal-daemon 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-signal-daemon 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-signal-daemon 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-signal-daemon 2>/dev/null' Restart=always RestartSec=30 diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 index e3e024247..244e2a481 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 @@ -37,8 +37,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-signal {{ matrix_mautrix_signal_docker_image }} \ python3 -m mautrix_signal -c /config/config.yaml --no-update -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-signal 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-signal 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-signal 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-signal 2>/dev/null' Restart=always RestartSec=30 diff --git a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 index ae1ac675b..69ab167a6 100644 --- a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 +++ b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 @@ -44,8 +44,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-telegr {{ matrix_mautrix_telegram_docker_image }} \ python3 -m mautrix_telegram -c /config/config.yaml --no-update -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-telegram 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-telegram 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-telegram 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-telegram 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-telegram diff --git a/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-twitter.service.j2 b/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-twitter.service.j2 index 73bdbc866..55509b851 100644 --- a/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-twitter.service.j2 +++ b/roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-twitter.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-twitte {{ matrix_mautrix_twitter_docker_image }} \ python3 -m mautrix_twitter -c /config/config.yaml --no-update -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-twitter 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-twitter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-twitter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-twitter 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-twitter diff --git a/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 b/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 index 4a492492b..77daa825b 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 +++ b/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-whatsa {{ matrix_mautrix_whatsapp_docker_image }} \ /usr/bin/mautrix-whatsapp -c /config/config.yaml -r /config/registration.yaml -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-whatsapp 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-whatsapp 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-whatsapp 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-whatsapp 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-whatsapp diff --git a/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 b/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 index 6ffb87cd3..58b01e200 100644 --- a/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 +++ b/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-disc {% endfor %} {{ matrix_mx_puppet_discord_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-discord 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-discord 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-discord 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-discord 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-discord diff --git a/roles/matrix-bridge-mx-puppet-groupme/templates/systemd/matrix-mx-puppet-groupme.service.j2 b/roles/matrix-bridge-mx-puppet-groupme/templates/systemd/matrix-mx-puppet-groupme.service.j2 index dabafd180..7e008aeb8 100644 --- a/roles/matrix-bridge-mx-puppet-groupme/templates/systemd/matrix-mx-puppet-groupme.service.j2 +++ b/roles/matrix-bridge-mx-puppet-groupme/templates/systemd/matrix-mx-puppet-groupme.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-grou {% endfor %} {{ matrix_mx_puppet_groupme_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-groupme 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-groupme 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-groupme 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-groupme 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-groupme diff --git a/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 b/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 index 965bb41c2..b2921a4fe 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 +++ b/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-inst {% endfor %} {{ matrix_mx_puppet_instagram_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-instagram 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-instagram 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-instagram 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-instagram 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-instagram diff --git a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 index 9a7986e4d..4c604bb7b 100644 --- a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 +++ b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-skyp {% endfor %} {{ matrix_mx_puppet_skype_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-skype 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-skype 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-skype 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-skype 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-skype diff --git a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 index 973771b3e..f130c095e 100644 --- a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 +++ b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 @@ -36,8 +36,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-slac {% endfor %} {{ matrix_mx_puppet_slack_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-slack 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-slack 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-slack 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-slack 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-slack diff --git a/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 b/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 index 0772872b1..c736b7ca5 100644 --- a/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 +++ b/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-stea {% endfor %} {{ matrix_mx_puppet_steam_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-steam 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-steam 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-steam 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-steam 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-steam diff --git a/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 b/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 index 7e1b1c327..efa3e4e33 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 +++ b/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 @@ -36,8 +36,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-twit {% endfor %} {{ matrix_mx_puppet_twitter_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-twitter 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-twitter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-twitter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-twitter 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-twitter diff --git a/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 index 46c3463fd..404b5aabc 100644 --- a/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 +++ b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 @@ -35,8 +35,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-sms-bridge \ {% endfor %} {{ matrix_sms_bridge_docker_image }} -ExecStop=-/usr/bin/docker kill matrix-sms-bridge -ExecStop=-/usr/bin/docker rm matrix-sms-bridge +ExecStopPost=-/usr/bin/docker kill matrix-sms-bridge +ExecStopPost=-/usr/bin/docker rm matrix-sms-bridge Restart=always RestartSec=30 SyslogIdentifier=matrix-sms-bridge diff --git a/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 b/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 index fe2a3a865..d4ad2b9e6 100644 --- a/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 +++ b/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 @@ -35,8 +35,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-client-element {% endfor %} {{ matrix_client_element_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-element 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-element 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-element 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-element 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-client-element diff --git a/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 b/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 index c85aeb978..7a72e876b 100644 --- a/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 +++ b/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 @@ -29,8 +29,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-client-hydroge {% endfor %} {{ matrix_client_hydrogen_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-client-hydrogen diff --git a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 index 262e2e77c..9c42f2b19 100644 --- a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 +++ b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 @@ -34,8 +34,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-corporal \ {{ matrix_corporal_docker_image }} \ /matrix-corporal -config=/etc/matrix-corporal/config.json -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-corporal 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-corporal 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-corporal 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-corporal 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-corporal diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index a39030af1..778f81857 100644 --- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 @@ -43,8 +43,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-coturn \ {{ matrix_coturn_docker_image }} \ -c /turnserver.conf -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-coturn 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-coturn 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-coturn 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-coturn 2>/dev/null' # This only reloads certificates (not other configuration). # See: https://github.com/coturn/coturn/pull/236 diff --git a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 index e27a55587..0451231b0 100644 --- a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 +++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 @@ -38,8 +38,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dimension \ {% endfor %} {{ matrix_dimension_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dimension 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dimension 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dimension 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dimension 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-dimension diff --git a/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 b/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 index dfdd2f72c..31e106f05 100644 --- a/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 +++ b/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 @@ -26,8 +26,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dynamic-dns \ {% endfor %} {{ matrix_dynamic_dns_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dynamic-dns 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dynamic-dns 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dynamic-dns 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dynamic-dns 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-dynamic-dns diff --git a/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 b/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 index c92267682..b620a13f9 100644 --- a/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 +++ b/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 @@ -24,8 +24,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-email2matrix \ {% endfor %} {{ matrix_email2matrix_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-email2matrix 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-email2matrix 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-email2matrix 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-email2matrix 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-email2matrix diff --git a/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 b/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 index b579036be..e55c57c73 100644 --- a/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 +++ b/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 @@ -32,10 +32,10 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-etherpad \ node --experimental-worker src/node/server.js \ --settings /data/settings.json --credentials /data/credentials.json \ --sessionkey /data/sessionkey.json --apikey /data/apijey.json - -ExecStop=-{{ matrix_host_command_docker }} kill matrix-etherpad -ExecStop=-{{ matrix_host_command_docker }} rm matrix-etherpad + +ExecStopPost=-{{ matrix_host_command_docker }} kill matrix-etherpad +ExecStopPost=-{{ matrix_host_command_docker }} rm matrix-etherpad Restart=always RestartSec=30 SyslogIdentifier=matrix-etherpad diff --git a/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 b/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 index a4f81e357..64d40a5c1 100644 --- a/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 +++ b/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-grafana \ {% endfor %} {{ matrix_grafana_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-grafana 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-grafana 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-grafana 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-grafana 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-grafana diff --git a/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 b/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 index 6ecafaa03..b4944c84f 100644 --- a/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 +++ b/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 @@ -23,8 +23,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jicofo \ {% endfor %} {{ matrix_jitsi_jicofo_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-jitsi-jicofo diff --git a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 index 2785795d7..5be322103 100644 --- a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 +++ b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jvb \ {% endfor %} {{ matrix_jitsi_jvb_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jvb 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jvb 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jvb 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jvb 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-jitsi-jvb diff --git a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 index 5a4a81e5d..452ff954f 100644 --- a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 +++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 @@ -28,8 +28,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-prosody {% endfor %} {{ matrix_jitsi_prosody_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-prosody 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-prosody 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-prosody 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-prosody 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-jitsi-prosody diff --git a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 index 35bfca676..ff577670e 100644 --- a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 +++ b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 @@ -29,8 +29,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-web \ {% endfor %} {{ matrix_jitsi_web_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-web 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-web 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-web 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-web 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-jitsi-web diff --git a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 index 8e5cc6dd1..c3d5850fd 100644 --- a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 +++ b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 @@ -38,8 +38,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-ma1sd \ {% endfor %} {{ matrix_ma1sd_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-ma1sd 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-ma1sd 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-ma1sd 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-ma1sd 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-ma1sd diff --git a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 index bf5a2e42a..ee316469c 100644 --- a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 +++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 @@ -27,8 +27,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mailer \ {% endfor %} {{ matrix_mailer_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mailer 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mailer 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mailer 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mailer 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mailer diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index c4000fa9b..744b3924a 100755 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -47,8 +47,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \ {% endfor %} {{ matrix_nginx_proxy_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-nginx-proxy 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-nginx-proxy 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-nginx-proxy 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-nginx-proxy 2>/dev/null' ExecReload={{ matrix_host_command_docker }} exec matrix-nginx-proxy /usr/sbin/nginx -s reload Restart=always RestartSec=30 diff --git a/roles/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 b/roles/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 index 97c9ae7f9..52e12edb4 100644 --- a/roles/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 +++ b/roles/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 @@ -21,8 +21,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-postgres-backu --mount type=bind,src={{ matrix_postgres_backup_path }},dst=/backups \ {{ matrix_postgres_backup_docker_image_to_use }} -ExecStop=-{{ matrix_host_command_docker }} stop matrix-postgres-backup -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-postgres-backup 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_docker }} stop matrix-postgres-backup +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-postgres-backup 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-postgres-backup diff --git a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 index d62a689a9..5ef3646df 100644 --- a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 +++ b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 @@ -36,8 +36,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-postgres \ {{ matrix_postgres_docker_image_to_use }} \ postgres {{ matrix_postgres_process_extra_arguments|join(' ') }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-postgres 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-postgres 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-postgres 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-postgres 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-postgres diff --git a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 index 210a0d97a..0139b9169 100644 --- a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 +++ b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 @@ -34,8 +34,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod {{ matrix_prometheus_node_exporter_docker_image }} \ --path.rootfs=/host -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-node-exporter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-node-exporter 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-prometheus-node-exporter diff --git a/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 b/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 index b25cb5ded..4c9a4eda4 100644 --- a/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 +++ b/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 @@ -30,10 +30,10 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-pos -p {{ matrix_prometheus_postgres_exporter_container_http_host_bind_port }}:{{matrix_prometheus_postgres_exporter_port}} \ {% endif %} --pid=host \ - {{ matrix_prometheus_postgres_exporter_docker_image }} + {{ matrix_prometheus_postgres_exporter_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-postgres-exporter 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-postgres-exporter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-postgres-exporter 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-postgres-exporter 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-prometheus-postgres-exporter diff --git a/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 b/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 index ad75d664a..2070ece3b 100644 --- a/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 +++ b/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus \ {% endfor %} {{ matrix_prometheus_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-prometheus diff --git a/roles/matrix-redis/templates/systemd/matrix-redis.service.j2 b/roles/matrix-redis/templates/systemd/matrix-redis.service.j2 index 5f6699f83..9f9d29026 100644 --- a/roles/matrix-redis/templates/systemd/matrix-redis.service.j2 +++ b/roles/matrix-redis/templates/systemd/matrix-redis.service.j2 @@ -27,8 +27,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-redis \ {{ matrix_redis_docker_image_to_use }} \ redis-server /usr/local/etc/redis/redis.conf -ExecStop=-/usr/bin/docker stop matrix-redis -ExecStop=-/usr/bin/docker rm matrix-redis +ExecStopPost=-/usr/bin/docker stop matrix-redis +ExecStopPost=-/usr/bin/docker rm matrix-redis Restart=always RestartSec=30 SyslogIdentifier=matrix-redis diff --git a/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 b/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 index e73e3e5fc..8de331bff 100644 --- a/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 +++ b/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-registration \ {{ matrix_registration_docker_image }} \ serve -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-registration 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-registration 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-registration 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-registration 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-registration diff --git a/roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 b/roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 index 019ab40c0..84c6f6eaf 100644 --- a/roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 +++ b/roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-sygnal \ {% endfor %} {{ matrix_sygnal_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-sygnal 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-sygnal 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-sygnal 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-sygnal 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-sygnal diff --git a/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 b/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 index 4823d89c3..28fe08aa3 100644 --- a/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 +++ b/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse-admin {% endfor %} {{ matrix_synapse_admin_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse-admin 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse-admin 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse-admin 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse-admin 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-synapse-admin diff --git a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 index df4a4f23a..f74cbad9c 100644 --- a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 +++ b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 @@ -27,10 +27,10 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name %n \ -c 'goofys -f{% if not matrix_s3_media_store_custom_endpoint_enabled %} --storage-class=STANDARD_IA{% endif %}{% if matrix_s3_media_store_custom_endpoint_enabled %} --endpoint={{ matrix_s3_media_store_custom_endpoint }}{% endif %} --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3' TimeoutStartSec=5min -ExecStop=-{{ matrix_host_command_docker }} stop %n -ExecStop=-{{ matrix_host_command_docker }} kill %n -ExecStop=-{{ matrix_host_command_docker }} rm %n -ExecStop=-{{ matrix_host_command_fusermount }} -u {{ matrix_s3_media_store_path }} +ExecStopPost=-{{ matrix_host_command_docker }} stop %n +ExecStopPost=-{{ matrix_host_command_docker }} kill %n +ExecStopPost=-{{ matrix_host_command_docker }} rm %n +ExecStopPost=-{{ matrix_host_command_fusermount }} -u {{ matrix_s3_media_store_path }} Restart=always RestartSec=5 SyslogIdentifier=matrix-goofys diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 index 43dc42d1f..66a323f96 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 @@ -46,8 +46,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name {{ matrix_synapse_wor run -m synapse.app.{{ matrix_synapse_worker_details.type }} -c /data/homeserver.yaml -c /data/{{ matrix_synapse_worker_config_file_name }} -ExecStop=-{{ matrix_host_command_docker }} kill {{ matrix_synapse_worker_container_name }} -ExecStop=-{{ matrix_host_command_docker }} rm {{ matrix_synapse_worker_container_name }} +ExecStopPost=-{{ matrix_host_command_docker }} kill {{ matrix_synapse_worker_container_name }} +ExecStopPost=-{{ matrix_host_command_docker }} rm {{ matrix_synapse_worker_container_name }} ExecReload={{ matrix_host_command_docker }} exec {{ matrix_synapse_worker_container_name }} /bin/sh -c 'kill -HUP 1' Restart=always diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 188db5ef9..bfc8dd612 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -63,8 +63,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \ {{ matrix_synapse_docker_image }} \ run -m synapse.app.homeserver -c /data/homeserver.yaml -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse 2>/dev/null' ExecReload={{ matrix_host_command_docker }} exec matrix-synapse /bin/sh -c 'kill -HUP 1' Restart=always RestartSec=30 From 5788a16a2e6f1e44b6bb9d6c8f75581f17884928 Mon Sep 17 00:00:00 2001 From: rakshazi Date: Wed, 5 Jan 2022 18:33:21 +0200 Subject: [PATCH 059/144] added matrix-client-cinny --- README.md | 2 + docs/configuring-dns.md | 2 + docs/configuring-playbook-client-cinny.md | 21 ++++ docs/configuring-playbook.md | 1 + docs/self-building.md | 1 + group_vars/matrix_servers | 28 +++++ roles/matrix-base/defaults/main.yml | 3 + roles/matrix-client-cinny/defaults/main.yml | 54 +++++++++ roles/matrix-client-cinny/tasks/init.yml | 10 ++ roles/matrix-client-cinny/tasks/main.yml | 28 +++++ .../matrix-client-cinny/tasks/self_check.yml | 22 ++++ .../tasks/setup_install.yml | 71 ++++++++++++ .../tasks/setup_uninstall.yml | 35 ++++++ .../tasks/validate_config.yml | 8 ++ .../templates/config.json.j2 | 6 + .../templates/nginx.conf.j2 | 66 +++++++++++ .../systemd/matrix-client-cinny.service.j2 | 40 +++++++ roles/matrix-nginx-proxy/defaults/main.yml | 9 +- .../tasks/setup_nginx_proxy.yml | 13 +++ .../nginx/conf.d/matrix-client-cinny.conf.j2 | 104 ++++++++++++++++++ setup.yml | 1 + 21 files changed, 524 insertions(+), 1 deletion(-) create mode 100644 docs/configuring-playbook-client-cinny.md create mode 100644 roles/matrix-client-cinny/defaults/main.yml create mode 100644 roles/matrix-client-cinny/tasks/init.yml create mode 100644 roles/matrix-client-cinny/tasks/main.yml create mode 100644 roles/matrix-client-cinny/tasks/self_check.yml create mode 100644 roles/matrix-client-cinny/tasks/setup_install.yml create mode 100644 roles/matrix-client-cinny/tasks/setup_uninstall.yml create mode 100644 roles/matrix-client-cinny/tasks/validate_config.yml create mode 100644 roles/matrix-client-cinny/templates/config.json.j2 create mode 100644 roles/matrix-client-cinny/templates/nginx.conf.j2 create mode 100644 roles/matrix-client-cinny/templates/systemd/matrix-client-cinny.service.j2 create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-cinny.conf.j2 diff --git a/README.md b/README.md index 59bd915ee..80608c694 100644 --- a/README.md +++ b/README.md @@ -113,6 +113,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client - see [docs/configuring-playbook-client-hydrogen.md](docs/configuring-playbook-client-hydrogen.md) for setup documentation +- (optional) the [Cinny](https://github.com/ajbura/cinny) web client - see [docs/configuring-playbook-client-cinny.md](docs/configuring-playbook-client-cinny.md) for setup documentation + Basically, this playbook aims to get you up-and-running with all the necessities around Matrix, without you having to do anything else. **Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need. diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index af2badcac..4416c3bc1 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -37,6 +37,7 @@ If you are using Cloudflare DNS, make sure to disable the proxy and set all reco | CNAME | `goneb` | - | - | - | `matrix.` | | CNAME | `sygnal` | - | - | - | `matrix.` | | CNAME | `hydrogen` | - | - | - | `matrix.` | +| CNAME | `cinny` | - | - | - | `matrix.` | ## Subdomains setup @@ -57,6 +58,7 @@ The `sygnal.` subdomain may be necessary, because this playbook cou The `hydrogen.` subdomain may be necessary, because this playbook could install the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client. The installation of Hydrogen is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Hydrogen guide](configuring-playbook-client-hydrogen.md). If you do not wish to set up Hydrogen, feel free to skip the `hydrogen.` DNS record. +The `cinny.` subdomain may be necessary, because this playbook could install the [Cinny](https://github.com/ajbura/cinny) web client. The installation of cinny is disabled by default, it is not a core required component. To learn how to install it, see our [configuring cinny guide](configuring-playbook-client-cinny.md). If you do not wish to set up cinny, feel free to skip the `cinny.` DNS record. ## `_matrix-identity._tcp` SRV record setup diff --git a/docs/configuring-playbook-client-cinny.md b/docs/configuring-playbook-client-cinny.md new file mode 100644 index 000000000..73a8bbeee --- /dev/null +++ b/docs/configuring-playbook-client-cinny.md @@ -0,0 +1,21 @@ +# Configuring Cinny (optional) + +This playbook can install the [cinny](https://github.com/ajbura/cinny) Matrix web client for you. +cinny is a web client focusing primarily on simple, elegant and secure interface. +cinny can be installed alongside or instead of Element. + +If you'd like cinny to be installed, add the following to your configuration file (`inventory/host_vars/matrix./vars.yml`): + +```yaml +matrix_client_cinny_enabled: true +``` + +You will also need to add a DNS record so that cinny can be accessed. +By default cinny will use https://cinny.DOMAIN so you will need to create an CNAME record +for `cinny`. See [Configuring DNS](configuring-dns.md). + +If you would like to use a different domain, add the following to your configuration file (changing it to use your preferred domain): + +```yaml + matrix_server_fqn_cinny: "app.{{ matrix_domain }}" +``` diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 0f35325d3..6b5a9e5d1 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -69,6 +69,7 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Adjusting email-sending settings](configuring-playbook-email.md) (optional) - [Setting up Hydrogen](configuring-playbook-client-hydrogen.md) - a new lightweight matrix client with legacy and mobile browser support (optional) +- [Setting up Cinny](configuring-playbook-client-cinny.md) - a web client focusing primarily on simple, elegant and secure interface (optional) ### Authentication and user-related diff --git a/docs/self-building.md b/docs/self-building.md index 9bf435c08..4d5c2db27 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -15,6 +15,7 @@ List of roles where self-building the Docker image is currently possible: - `matrix-synapse-admin` - `matrix-client-element` - `matrix-client-hydrogen` +- `matrix-client-cinny` - `matrix-registration` - `matrix-coturn` - `matrix-corporal` diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 8edcd6baf..fb1762c7b 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1332,6 +1332,7 @@ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "{{ matrix_s matrix_nginx_proxy_proxy_matrix_enabled: true matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}" matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}" +matrix_nginx_proxy_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled }}" matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" @@ -1417,6 +1418,8 @@ matrix_ssl_domains_to_obtain_certificates_for: | + ([matrix_server_fqn_hydrogen] if matrix_client_hydrogen_enabled else []) + + ([matrix_server_fqn_cinny] if matrix_client_cinny_enabled else []) + + ([matrix_server_fqn_dimension] if matrix_dimension_enabled else []) + ([matrix_server_fqn_bot_go_neb] if matrix_bot_go_neb_enabled else []) @@ -1760,6 +1763,31 @@ matrix_client_hydrogen_self_check_validate_certificates: "{{ false if matrix_ssl +###################################################################### +# +# matrix-client-cinny +# +###################################################################### + +matrix_client_cinny_enabled: false + +# Normally, matrix-nginx-proxy is enabled and nginx can reach Cinny over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# the HTTP port to the local host. +matrix_client_cinny_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8080' }}" + +matrix_client_cinny_default_hs_url: "{{ matrix_homeserver_url }}" + +matrix_client_cinny_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" + +###################################################################### +# +# /matrix-client-cinny +# +###################################################################### + + + ###################################################################### # # matrix-synapse diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 4767bcf43..9b137bae9 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -21,6 +21,9 @@ matrix_server_fqn_element: "element.{{ matrix_domain }}" # This is where you access the Hydrogen web client from (if enabled via matrix_client_hydrogen_enabled; disabled by default). matrix_server_fqn_hydrogen: "hydrogen.{{ matrix_domain }}" +# This is where you access the Cinny web client from (if enabled via matrix_client_cinny_enabled; disabled by default). +matrix_server_fqn_cinny: "cinny.{{ matrix_domain }}" + # This is where you access the Dimension. matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}" diff --git a/roles/matrix-client-cinny/defaults/main.yml b/roles/matrix-client-cinny/defaults/main.yml new file mode 100644 index 000000000..e693e2b2c --- /dev/null +++ b/roles/matrix-client-cinny/defaults/main.yml @@ -0,0 +1,54 @@ +matrix_client_cinny_enabled: true + +matrix_client_cinny_container_image_self_build: false +matrix_client_cinny_container_image_self_build_repo: "https://github.com/ajbura/cinny.git" + +matrix_client_cinny_version: v1.6.1 +matrix_client_cinny_docker_image: "{{ matrix_client_cinny_docker_image_name_prefix }}ajbura/cinny:{{ matrix_client_cinny_version }}" +matrix_client_cinny_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build }}" +matrix_client_cinny_docker_image_force_pull: "{{ matrix_client_cinny_docker_image.endswith(':latest') }}" + +matrix_client_cinny_data_path: "{{ matrix_base_data_path }}/client-cinny" +matrix_client_cinny_docker_src_files_path: "{{ matrix_client_cinny_data_path }}/docker-src" + +# Controls whether the container exposes its HTTP port (tcp/8080 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8768"), or empty string to not expose. +matrix_client_cinny_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_client_cinny_container_extra_arguments: [] + +# List of systemd services that matrix-client-cinny.service depends on +matrix_client_cinny_systemd_required_services_list: ['docker.service'] + +# Controls whether the self-check feature should validate SSL certificates. +matrix_client_cinny_self_check_validate_certificates: true + +# config.json +matrix_client_cinny_default_hs_url: "" + +# Default cinny configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_client_cinny_configuration_extension_json`) +# or completely replace this variable with your own template. +# +# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict. +# This is unlike what it does when looking up YAML template files (no automatic parsing there). +matrix_client_cinny_configuration_default: "{{ lookup('template', 'templates/config.json.j2') }}" + +# Your custom JSON configuration for cinny should go to `matrix_client_cinny_configuration_extension_json`. +# This configuration extends the default starting configuration (`matrix_client_cinny_configuration_default`). +# +# You can override individual variables from the default configuration, or introduce new ones. +# +# If you need something more special, you can take full control by +# completely redefining `matrix_client_cinny_configuration_default`. +matrix_client_cinny_configuration_extension_json: '{}' + +matrix_client_cinny_configuration_extension: "{{ matrix_client_cinny_configuration_extension_json|from_json if matrix_client_cinny_configuration_extension_json|from_json is mapping else {} }}" + +# Holds the final cinny configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_client_cinny_configuration_default`. +matrix_client_cinny_configuration: "{{ matrix_client_cinny_configuration_default|combine(matrix_client_cinny_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-client-cinny/tasks/init.yml b/roles/matrix-client-cinny/tasks/init.yml new file mode 100644 index 000000000..e6889e4d6 --- /dev/null +++ b/roles/matrix-client-cinny/tasks/init.yml @@ -0,0 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Cinny image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_cinny_container_image_self_build and matrix_client_cinny_enabled" + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-cinny.service'] }}" + when: matrix_client_cinny_enabled|bool diff --git a/roles/matrix-client-cinny/tasks/main.yml b/roles/matrix-client-cinny/tasks/main.yml new file mode 100644 index 000000000..8a39c0217 --- /dev/null +++ b/roles/matrix-client-cinny/tasks/main.yml @@ -0,0 +1,28 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_client_cinny_enabled|bool" + tags: + - setup-all + - setup-client-cinny + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_client_cinny_enabled|bool" + tags: + - setup-all + - setup-client-cinny + +- import_tasks: "{{ role_path }}/tasks/self_check.yml" + delegate_to: 127.0.0.1 + become: false + when: "run_self_check|bool and matrix_client_cinny_enabled|bool" + tags: + - self-check + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_client_cinny_enabled|bool" + tags: + - setup-all + - setup-client-cinny diff --git a/roles/matrix-client-cinny/tasks/self_check.yml b/roles/matrix-client-cinny/tasks/self_check.yml new file mode 100644 index 000000000..df1241a8a --- /dev/null +++ b/roles/matrix-client-cinny/tasks/self_check.yml @@ -0,0 +1,22 @@ +--- + +- set_fact: + matrix_client_cinny_url_endpoint_public: "https://{{ matrix_server_fqn_cinny }}/config.json" + +- name: Check Cinny + uri: + url: "{{ matrix_client_cinny_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_client_cinny_self_check_validate_certificates }}" + register: matrix_client_cinny_self_check_result + check_mode: no + ignore_errors: true + +- name: Fail if Cinny not working + fail: + msg: "Failed checking Cinny is up at `{{ matrix_server_fqn_cinny }}` (checked endpoint: `{{ matrix_client_cinny_url_endpoint_public }}`). Is Cinny running? Is port 443 open in your firewall? Full error: {{ matrix_client_cinny_self_check_result }}" + when: "matrix_client_cinny_self_check_result.failed or 'json' not in matrix_client_cinny_self_check_result" + +- name: Report working Cinny + debug: + msg: "Cinny at `{{ matrix_server_fqn_cinny }}` is working (checked endpoint: `{{ matrix_client_cinny_url_endpoint_public }}`)" diff --git a/roles/matrix-client-cinny/tasks/setup_install.yml b/roles/matrix-client-cinny/tasks/setup_install.yml new file mode 100644 index 000000000..5d92f1d39 --- /dev/null +++ b/roles/matrix-client-cinny/tasks/setup_install.yml @@ -0,0 +1,71 @@ +--- +- name: Ensure Cinny paths exists + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_client_cinny_data_path }}", when: true } + - { path: "{{ matrix_client_cinny_docker_src_files_path }}", when: "{{ matrix_client_cinny_container_image_self_build }}" } + when: "item.when|bool" + +- name: Ensure Cinny Docker image is pulled + docker_image: + name: "{{ matrix_client_cinny_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_client_cinny_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_client_cinny_docker_image_force_pull }}" + when: "not matrix_client_cinny_container_image_self_build|bool" + +- name: Ensure Cinny repository is present on self-build + git: + repo: "{{ matrix_client_cinny_container_image_self_build_repo }}" + dest: "{{ matrix_client_cinny_docker_src_files_path }}" + version: "{{ matrix_client_cinny_docker_image.split(':')[1] }}" + force: "yes" + register: matrix_client_cinny_git_pull_results + when: "matrix_client_cinny_container_image_self_build|bool" + +- name: Ensure Cinny configuration installed + copy: + content: "{{ matrix_client_cinny_configuration|to_nice_json }}" + dest: "{{ matrix_client_cinny_data_path }}/config.json" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure Cinny additional config files installed + template: + src: "{{ item.src }}" + dest: "{{ matrix_client_cinny_data_path }}/{{ item.name }}" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} + when: "item.src is not none" + +- name: Ensure Cinny Docker image is built + docker_image: + name: "{{ matrix_client_cinny_docker_image }}" + source: build + force_source: "{{ matrix_client_cinny_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_client_cinny_docker_src_files_path }}" + pull: yes + when: "matrix_client_cinny_container_image_self_build|bool" + +- name: Ensure matrix-client-cinny.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-client-cinny.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-client-cinny.service" + mode: 0644 + register: matrix_client_cinny_systemd_service_result + +- name: Ensure systemd reloaded after matrix-client-cinny.service installation + service: + daemon_reload: yes + when: "matrix_client_cinny_systemd_service_result.changed|bool" diff --git a/roles/matrix-client-cinny/tasks/setup_uninstall.yml b/roles/matrix-client-cinny/tasks/setup_uninstall.yml new file mode 100644 index 000000000..2a3bffb5d --- /dev/null +++ b/roles/matrix-client-cinny/tasks/setup_uninstall.yml @@ -0,0 +1,35 @@ +--- +- name: Check existence of matrix-client-cinny.service + stat: + path: "{{ matrix_systemd_path }}/matrix-client-cinny.service" + register: matrix_client_cinny_service_stat + +- name: Ensure matrix-client-cinny is stopped + service: + name: matrix-client-cinny + state: stopped + enabled: no + daemon_reload: yes + register: stopping_result + when: "matrix_client_cinny_service_stat.stat.exists|bool" + +- name: Ensure matrix-client-cinny.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-client-cinny.service" + state: absent + when: "matrix_client_cinny_service_stat.stat.exists|bool" + +- name: Ensure systemd reloaded after matrix-client-cinny.service removal + service: + daemon_reload: yes + when: "matrix_client_cinny_service_stat.stat.exists|bool" + +- name: Ensure Cinny paths doesn't exist + file: + path: "{{ matrix_client_cinny_data_path }}" + state: absent + +- name: Ensure Cinny Docker image doesn't exist + docker_image: + name: "{{ matrix_client_cinny_docker_image }}" + state: absent diff --git a/roles/matrix-client-cinny/tasks/validate_config.yml b/roles/matrix-client-cinny/tasks/validate_config.yml new file mode 100644 index 000000000..198782e93 --- /dev/null +++ b/roles/matrix-client-cinny/tasks/validate_config.yml @@ -0,0 +1,8 @@ +--- +- name: Fail if required Cinny settings not defined + fail: + msg: > + You need to define a required configuration setting (`{{ item }}`) to use Cinny. + when: "(vars[item] == '' or vars[item] is none) and matrix_client_cinny_container_image_self_build|bool" + with_items: + - "matrix_client_cinny_default_hs_url" diff --git a/roles/matrix-client-cinny/templates/config.json.j2 b/roles/matrix-client-cinny/templates/config.json.j2 new file mode 100644 index 000000000..9731a3722 --- /dev/null +++ b/roles/matrix-client-cinny/templates/config.json.j2 @@ -0,0 +1,6 @@ +{ + "defaultHomeserver": 0, + "homeserverList": [ + {{ matrix_client_cinny_default_hs_url|string|to_json }} + ] +} diff --git a/roles/matrix-client-cinny/templates/nginx.conf.j2 b/roles/matrix-client-cinny/templates/nginx.conf.j2 new file mode 100644 index 000000000..fba16bbdc --- /dev/null +++ b/roles/matrix-client-cinny/templates/nginx.conf.j2 @@ -0,0 +1,66 @@ +#jinja2: lstrip_blocks: "True" +# This is a custom nginx configuration file that we use in the container (instead of the default one), +# because it allows us to run nginx with a non-root user. +# +# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed. +# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well) +# +# The following changes have been done compared to a default nginx configuration file: +# - default server port is changed (80 -> 8080), so that a non-root user can bind it +# - various temp paths are changed to `/tmp`, so that a non-root user can write to them +# - the `user` directive was removed, as we don't want nginx to switch users + +worker_processes 1; + +error_log /var/log/nginx/error.log warn; +pid /tmp/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + proxy_temp_path /tmp/proxy_temp; + client_body_temp_path /tmp/client_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + server { + listen 8080; + server_name localhost; + + root /usr/share/nginx/html; + + location / { + index index.html index.htm; + } + + location ~* ^/(config(.+)?\.json$|(.+)\.html$|i18n) { + expires -1; + } + + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + } +} diff --git a/roles/matrix-client-cinny/templates/systemd/matrix-client-cinny.service.j2 b/roles/matrix-client-cinny/templates/systemd/matrix-client-cinny.service.j2 new file mode 100644 index 000000000..aa5a04320 --- /dev/null +++ b/roles/matrix-client-cinny/templates/systemd/matrix-client-cinny.service.j2 @@ -0,0 +1,40 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Cinny Client +{% for service in matrix_client_cinny_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-cinny 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-cinny 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-client-cinny \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_docker_network }} \ + {% if matrix_client_cinny_container_http_host_bind_port %} + -p {{ matrix_client_cinny_container_http_host_bind_port }}:8080 \ + {% endif %} + --tmpfs=/tmp:rw,noexec,nosuid,size=10m \ + --mount type=bind,src={{ matrix_client_cinny_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ + --mount type=bind,src={{ matrix_client_cinny_data_path }}/config.json,dst=/app/config.json,ro \ + {% for arg in matrix_client_cinny_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_client_cinny_docker_image }} + +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-cinny 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-cinny 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-client-cinny + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 27b0b42da..74f53e674 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -128,6 +128,10 @@ matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}" matrix_nginx_proxy_proxy_hydrogen_enabled: false matrix_nginx_proxy_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}" +# Controls whether proxying the Cinny domain should be done. +matrix_nginx_proxy_proxy_cinny_enabled: false +matrix_nginx_proxy_proxy_cinny_hostname: "{{ matrix_server_fqn_cinny }}" + # Controls whether proxying the matrix domain should be done. matrix_nginx_proxy_proxy_matrix_enabled: false matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}" @@ -273,9 +277,12 @@ matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf). matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks: [] -# A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf). +# A list of strings containing additional configuration blocks to add to Hydrogen's server configuration (matrix-client-hydrogen.conf). matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks: [] +# A list of strings containing additional configuration blocks to add to Cinny's server configuration (matrix-client-cinny.conf). +matrix_nginx_proxy_proxy_cinny_additional_server_configuration_blocks: [] + # A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf). matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: [] diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index d325d2f0f..5ddbb19d0 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -88,6 +88,13 @@ mode: 0644 when: matrix_nginx_proxy_proxy_hydrogen_enabled|bool +- name: Ensure Matrix nginx-proxy configuration for Cinny domain exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-cinny.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-cinny.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_cinny_enabled|bool + - name: Ensure Matrix nginx-proxy configuration for dimension domain exists template: src: "{{ role_path }}/templates/nginx/conf.d/matrix-dimension.conf.j2" @@ -227,6 +234,12 @@ state: absent when: "not matrix_nginx_proxy_proxy_hydrogen_enabled|bool" +- name: Ensure Matrix nginx-proxy configuration for Cinny domain deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-cinny.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_cinny_enabled|bool" + - name: Ensure Matrix nginx-proxy configuration for dimension domain deleted file: path: "{{ matrix_nginx_proxy_confd_path }}/matrix-dimension.conf" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-cinny.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-cinny.conf.j2 new file mode 100644 index 000000000..df66349fe --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-cinny.conf.j2 @@ -0,0 +1,104 @@ +#jinja2: lstrip_blocks: "True" + +{% macro render_vhost_directives() %} + gzip on; + gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + + {% if matrix_nginx_proxy_hsts_preload_enabled %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options SAMEORIGIN; + add_header Content-Security-Policy "frame-ancestors 'none'"; + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + + {% for configuration_block in matrix_nginx_proxy_proxy_cinny_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-client-cinny:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:8080; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; + } +{% endmacro %} + +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + + + server_name {{ matrix_nginx_proxy_proxy_cinny_hostname }}; + + server_tokens off; + root /dev/null; + + {% if matrix_nginx_proxy_https_enabled %} + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } + {% else %} + {{ render_vhost_directives() }} + {% endif %} +} + +{% if matrix_nginx_proxy_https_enabled %} +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_proxy_cinny_hostname }}; + + server_tokens off; + root /dev/null; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_cinny_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_cinny_hostname }}/privkey.pem; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != "" %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_cinny_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + + {{ render_vhost_directives() }} +} +{% endif %} diff --git a/setup.yml b/setup.yml index edd212057..99d4ab188 100755 --- a/setup.yml +++ b/setup.yml @@ -47,6 +47,7 @@ - matrix-registration - matrix-client-element - matrix-client-hydrogen + - matrix-client-cinny - matrix-jitsi - matrix-ma1sd - matrix-dimension From 490f11ba0df89f384d905318083bab0e078ea789 Mon Sep 17 00:00:00 2001 From: rakshazi Date: Thu, 6 Jan 2022 09:11:28 +0200 Subject: [PATCH 060/144] matrix-client-cinny: self_build feedback" --- group_vars/matrix_servers | 2 ++ roles/matrix-client-cinny/tasks/validate_config.yml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index fb1762c7b..d5dfb3914 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1771,6 +1771,8 @@ matrix_client_hydrogen_self_check_validate_certificates: "{{ false if matrix_ssl matrix_client_cinny_enabled: false +matrix_client_cinny_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" + # Normally, matrix-nginx-proxy is enabled and nginx can reach Cinny over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the HTTP port to the local host. diff --git a/roles/matrix-client-cinny/tasks/validate_config.yml b/roles/matrix-client-cinny/tasks/validate_config.yml index 198782e93..d8e804c5e 100644 --- a/roles/matrix-client-cinny/tasks/validate_config.yml +++ b/roles/matrix-client-cinny/tasks/validate_config.yml @@ -3,6 +3,6 @@ fail: msg: > You need to define a required configuration setting (`{{ item }}`) to use Cinny. - when: "(vars[item] == '' or vars[item] is none) and matrix_client_cinny_container_image_self_build|bool" + when: "vars[item] == '' or vars[item] is none" with_items: - "matrix_client_cinny_default_hs_url" From 1098e64d19f1791a07faa2de93b7abc34ca2a95b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 6 Jan 2022 10:53:07 +0200 Subject: [PATCH 061/144] Announce Cinny support Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1509 --- CHANGELOG.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1d7331e94..8443d36a4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,14 @@ +# 2022-01-06 + +## Cinny support + +Thanks to [Aine](https://gitlab.com/etke.cc) of [etke.cc](https://etke.cc/), the playbook now supports [Cinny](https://cinny.in/) - a new simple, elegant and secure Matrix client. + +By default, we still install Element. Still, people who'd like to try Cinny out can now install it via the playbook. + +Additional details are available in [Setting up Cinny](docs/configuring-playbook-client-cinny.md). + + # 2021-12-22 ## Twitter bridging support via mautrix-twitter From 7dfb68b7f82fb09edbcdcad2a98875be2c3dda42 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 6 Jan 2022 11:04:35 +0200 Subject: [PATCH 062/144] Add else statements to inline ifs Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1509 --- roles/matrix-client-cinny/defaults/main.yml | 2 +- roles/matrix-client-hydrogen/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-client-cinny/defaults/main.yml b/roles/matrix-client-cinny/defaults/main.yml index e693e2b2c..21ce09d42 100644 --- a/roles/matrix-client-cinny/defaults/main.yml +++ b/roles/matrix-client-cinny/defaults/main.yml @@ -5,7 +5,7 @@ matrix_client_cinny_container_image_self_build_repo: "https://github.com/ajbura/ matrix_client_cinny_version: v1.6.1 matrix_client_cinny_docker_image: "{{ matrix_client_cinny_docker_image_name_prefix }}ajbura/cinny:{{ matrix_client_cinny_version }}" -matrix_client_cinny_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build }}" +matrix_client_cinny_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_cinny_docker_image_force_pull: "{{ matrix_client_cinny_docker_image.endswith(':latest') }}" matrix_client_cinny_data_path: "{{ matrix_base_data_path }}/client-cinny" diff --git a/roles/matrix-client-hydrogen/defaults/main.yml b/roles/matrix-client-hydrogen/defaults/main.yml index 3cfb2337d..4ca2224bd 100644 --- a/roles/matrix-client-hydrogen/defaults/main.yml +++ b/roles/matrix-client-hydrogen/defaults/main.yml @@ -7,7 +7,7 @@ matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vect matrix_client_hydrogen_version: v0.2.19 matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}" -matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}" +matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" matrix_client_hydrogen_data_path: "{{ matrix_base_data_path }}/client-hydrogen" From 407e8c4940ecec98f9826df0c135443431459a5f Mon Sep 17 00:00:00 2001 From: rakshazi Date: Thu, 6 Jan 2022 20:30:10 +0200 Subject: [PATCH 063/144] added honoroit --- README.md | 2 + docs/configuring-playbook-bot-honoroit.md | 55 +++++++++++ docs/configuring-playbook.md | 2 + docs/container-images.md | 2 + docs/self-building.md | 1 + group_vars/matrix_servers | 37 ++++++++ roles/matrix-bot-honoroit/defaults/main.yml | 95 +++++++++++++++++++ roles/matrix-bot-honoroit/tasks/init.yml | 3 + roles/matrix-bot-honoroit/tasks/main.yml | 21 ++++ .../tasks/setup_install.yml | 86 +++++++++++++++++ .../tasks/setup_uninstall.yml | 36 +++++++ .../tasks/validate_config.yml | 10 ++ .../systemd/matrix-bot-honoroit.service.j2 | 51 ++++++++++ setup.yml | 1 + 14 files changed, 402 insertions(+) create mode 100644 docs/configuring-playbook-bot-honoroit.md create mode 100644 roles/matrix-bot-honoroit/defaults/main.yml create mode 100644 roles/matrix-bot-honoroit/tasks/init.yml create mode 100644 roles/matrix-bot-honoroit/tasks/main.yml create mode 100644 roles/matrix-bot-honoroit/tasks/setup_install.yml create mode 100644 roles/matrix-bot-honoroit/tasks/setup_uninstall.yml create mode 100644 roles/matrix-bot-honoroit/tasks/validate_config.yml create mode 100644 roles/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 diff --git a/README.md b/README.md index 80608c694..63875c5ea 100644 --- a/README.md +++ b/README.md @@ -99,6 +99,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) for scheduling one-off & recurring reminders and alarms - see [docs/configuring-playbook-bot-matrix-reminder-bot.md](docs/configuring-playbook-bot-matrix-reminder-bot.md) for setup documentation +- (optional) [honoroit](https://gitlab.com/etke.cc/honoroit) helpdesk bot - see [docs/configuring-playbook-bot-honoroit.md](docs/configuring-playbook-bot-honoroit.md) for setup documentation + - (optional) [Go-NEB](https://github.com/matrix-org/go-neb) multi functional bot written in Go - see [docs/configuring-playbook-bot-go-neb.md](docs/configuring-playbook-bot-go-neb.md) for setup documentation - (optional) [Mjolnir](https://github.com/matrix-org/mjolnir), a moderation tool for Matrix - see [docs/configuring-playbook-bot-mjolnir.md](docs/configuring-playbook-bot-mjolnir.md) for setup documentation diff --git a/docs/configuring-playbook-bot-honoroit.md b/docs/configuring-playbook-bot-honoroit.md new file mode 100644 index 000000000..45fc033da --- /dev/null +++ b/docs/configuring-playbook-bot-honoroit.md @@ -0,0 +1,55 @@ +# Setting up Honoroit (optional) + +The playbook can install and configure [Honoroit](https://gitlab.com/etke.cc/honoroit) for you. + +It's a bot you can use to setup **your own helpdesk on matrix** + +See the project's [documentation](https://gitlab.com/etke.cc/honoroit#how-it-looks-like) to learn what it does with screenshots and why it might be useful to you. + + +## Registering the bot user + +By default, the playbook will set up the bot with a username like this: `@honoroit:DOMAIN`. + +(to use a different username, adjust the `matrix_bot_honoroit_login` variable). + +You **need to register the bot user manually** before setting up the bot. You can use the playbook to [register a new user](registering-users.md): + +``` +ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=honoroit password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user +``` + +Choose a strong password for the bot. You can generate a good password with a command like this: `pwgen -s 64 1`. + + +## Adjusting the playbook configuration + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: + +```yaml +matrix_bot_honoroit_enabled: true + +# Adjust this to whatever password you chose when registering the bot user +matrix_bot_honoroit_password: PASSWORD_FOR_THE_BOT + +# Adjust this to your room ID +matrix_bot_honoroit_roomid: "!yourRoomID:DOMAIN" +``` + + +## Installing + +After configuring the playbook, run the [installation](installing.md) command again: + +``` +ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start +``` + + +## Usage + +To use the bot, invite the `@honoroit:DOMAIN` to the room you specified in config, after that any matrix user can send a message to the `@honoroit:DOMAIN` to start a new thread in that room. + +Send `!ho help` to the room to see the bot's help menu for additional commands. + +You can also refer to the upstream [documentation](https://gitlab.com/etke.cc/honoroit#features). diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 6b5a9e5d1..31168d23f 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -142,6 +142,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up matrix-reminder-bot](configuring-playbook-bot-matrix-reminder-bot.md) - a bot to remind you about stuff (optional) +- [Setting up honoroit](configuring-playbook-bot-honoroit.md) - a helpdesk bot (optional) + - [Setting up Go-NEB](configuring-playbook-bot-go-neb.md) - an extensible multifunctional bot (optional) - [Setting up Mjolnir](configuring-playbook-bot-mjolnir.md) - a moderation tool/bot (optional) diff --git a/docs/container-images.md b/docs/container-images.md index d52f3fddd..9be487363 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -92,6 +92,8 @@ These services are not part of our default installation, but can be enabled by [ - [anoa/matrix-reminder-bot](https://hub.docker.com/r/anoa/matrix-reminder-bot) - the [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) bot for one-off & recurring reminders and alarms (optional) +- [etke.cc/honoroit](https://gitlab.com/etke.cc/honoroit/container_registry) - the [honoroit](https://gitlab.com/etke.cc/honoroit) helpdesk bot (optional) + - [matrixdotorg/go-neb](https://hub.docker.com/r/matrixdotorg/go-neb) - the [Go-NEB](https://github.com/matrix-org/go-neb) bot (optional) - [matrixdotorg/mjolnir](https://hub.docker.com/r/matrixdotorg/mjolnir) - the [mjolnir](https://github.com/matrix-org/mjolnir) moderation bot (optional) diff --git a/docs/self-building.md b/docs/self-building.md index 4d5c2db27..ef851f22c 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -34,6 +34,7 @@ List of roles where self-building the Docker image is currently possible: - `matrix-bridge-mautrix-whatsapp` - `matrix-bridge-mx-puppet-skype` - `matrix-bot-mjolnir` +- `matrix-bot-honoroit` - `matrix-bot-matrix-reminder-bot` - `matrix-email2matrix` diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index d5dfb3914..393984c0f 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -946,6 +946,37 @@ matrix_bot_matrix_reminder_bot_container_self_build: "{{ matrix_architecture != # ###################################################################### +###################################################################### +# +# matrix-bot-honoroit +# +###################################################################### + +# We don't enable bots by default. +matrix_bot_honoroit_enabled: false + +matrix_bot_honoroit_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + }} + +# Postgres is the default, except if not using `matrix_postgres` (internal postgres) +matrix_bot_honoroit_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_bot_honoroit_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'honoroit.bot.db') | to_uuid }}" +matrix_bot_honoroit_container_self_build: "{{ matrix_architecture != 'amd64' }}" + +###################################################################### +# +# /matrix-bot-honoroit +# +###################################################################### + ###################################################################### # @@ -1489,6 +1520,12 @@ matrix_postgres_additional_databases: | 'password': matrix_bot_matrix_reminder_bot_database_password, }] if (matrix_bot_matrix_reminder_bot_enabled and matrix_bot_matrix_reminder_bot_database_engine == 'postgres' and matrix_bot_matrix_reminder_bot_database_hostname == 'matrix-postgres') else []) + + ([{ + 'name': matrix_bot_honoroit_database_name, + 'username': matrix_bot_honoroit_database_username, + 'password': matrix_bot_honoroit_database_password, + }] if (matrix_bot_honoroit_enabled and matrix_bot_honoroit_database_engine == 'postgres' and matrix_bot_honoroit_database_hostname == 'matrix-postgres') else []) + + ([{ 'name': matrix_registration_database_name, 'username': matrix_registration_database_username, diff --git a/roles/matrix-bot-honoroit/defaults/main.yml b/roles/matrix-bot-honoroit/defaults/main.yml new file mode 100644 index 000000000..ac612f849 --- /dev/null +++ b/roles/matrix-bot-honoroit/defaults/main.yml @@ -0,0 +1,95 @@ +# honoroit is a helpdesk bot +# See: https://gitlab.com/etke.cc/honoroit + +matrix_bot_honoroit_enabled: true + +matrix_bot_honoroit_container_self_build: false +matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git" +matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src" + +matrix_bot_honoroit_version: v0.9.0 +matrix_bot_honoroit_docker_image: "registry.gitlab.com/etke.cc/honoroit:{{ matrix_bot_honoroit_version }}" +matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}" + +matrix_bot_honoroit_base_path: "{{ matrix_base_data_path }}/honoroit" +matrix_bot_honoroit_config_path: "{{ matrix_bot_honoroit_base_path }}/config" +matrix_bot_honoroit_data_path: "{{ matrix_bot_honoroit_base_path }}/data" +matrix_bot_honoroit_data_store_path: "{{ matrix_bot_honoroit_data_path }}/store" + +# A list of extra arguments to pass to the container +matrix_bot_honoroit_container_extra_arguments: [] + +# List of systemd services that matrix-bot-honoroit.service depends on +matrix_bot_honoroit_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-bot-honoroit.service wants +matrix_bot_honoroit_systemd_wanted_services_list: [] + + +# Database-related configuration fields. +# +# To use SQLite, stick to these defaults. +# +# To use Postgres: +# - change the engine (`matrix_bot_honoroit_database_engine: 'postgres'`) +# - adjust your database credentials via the `matrix_bot_honoroit_database_*` variables +matrix_bot_honoroit_database_engine: 'sqlite' + +matrix_bot_honoroit_sqlite_database_path_local: "{{ matrix_bot_honoroit_data_path }}/bot.db" +matrix_bot_honoroit_sqlite_database_path_in_container: "/data/bot.db" + +matrix_bot_honoroit_database_username: 'honoroit' +matrix_bot_honoroit_database_password: 'some-password' +matrix_bot_honoroit_database_hostname: 'matrix-postgres' +matrix_bot_honoroit_database_port: 5432 +matrix_bot_honoroit_database_name: 'honoroit' + +matrix_bot_honoroit_database_connection_string: 'postgres://{{ matrix_bot_honoroit_database_username }}:{{ matrix_bot_honoroit_database_password }}@{{ matrix_bot_honoroit_database_hostname }}:{{ matrix_bot_honoroit_database_port }}/{{ matrix_bot_honoroit_database_name }}?sslmode=disable' + +matrix_bot_honoroit_storage_database: "{{ + { + 'sqlite': matrix_bot_honoroit_sqlite_database_path_in_container, + 'postgres': matrix_bot_honoroit_database_connection_string, + }[matrix_bot_honoroit_database_engine] +}}" + +matrix_bot_honoroit_database_dialect: "{{ + { + 'sqlite': 'sqlite3', + 'postgres': 'postgres', + }[matrix_bot_honoroit_database_engine] +}}" + + +# The bot's username. This user needs to be created manually beforehand. +# Also see `matrix_bot_honoroit_password`. +matrix_bot_honoroit_login: "honoroit" + +# The password that the bot uses to authenticate. +matrix_bot_honoroit_password: '' + +matrix_bot_honoroit_homeserver: "{{ matrix_homeserver_container_url }}" + +# The room ID where bot will create threads +matrix_bot_honoroit_roomid: '' + +# Command prefix +matrix_bot_honoroit_prefix: '' + +# Sentry DSN +matrix_bot_honoroit_sentry: '' + +# Log level +matrix_bot_honoroit_loglevel: '' + +# Text: greetings +matrix_bot_honoroit_text_greetings: '' + +# Text: error +matrix_bot_honoroit_text_error: '' + +# Text: empty room +matrix_bot_honoroit_text_emptyroom: '' + +# Text: done +matrix_bot_honoroit_text_done: '' diff --git a/roles/matrix-bot-honoroit/tasks/init.yml b/roles/matrix-bot-honoroit/tasks/init.yml new file mode 100644 index 000000000..1b652e56d --- /dev/null +++ b/roles/matrix-bot-honoroit/tasks/init.yml @@ -0,0 +1,3 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-honoroit.service'] }}" + when: matrix_bot_honoroit_enabled|bool diff --git a/roles/matrix-bot-honoroit/tasks/main.yml b/roles/matrix-bot-honoroit/tasks/main.yml new file mode 100644 index 000000000..bc5c14904 --- /dev/null +++ b/roles/matrix-bot-honoroit/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_bot_honoroit_enabled|bool" + tags: + - setup-all + - setup-bot-honoroit + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_bot_honoroit_enabled|bool" + tags: + - setup-all + - setup-bot-honoroit + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_bot_honoroit_enabled|bool" + tags: + - setup-all + - setup-bot-honoroit diff --git a/roles/matrix-bot-honoroit/tasks/setup_install.yml b/roles/matrix-bot-honoroit/tasks/setup_install.yml new file mode 100644 index 000000000..33723175b --- /dev/null +++ b/roles/matrix-bot-honoroit/tasks/setup_install.yml @@ -0,0 +1,86 @@ +--- +- set_fact: + matrix_bot_honoroit_requires_restart: false + +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_bot_honoroit_sqlite_database_path_local }}" + register: matrix_bot_honoroit_sqlite_database_path_local_stat_result + + - block: + - set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_bot_honoroit_sqlite_database_path_local }}" + dst: "{{ matrix_bot_honoroit_database_connection_string }}" + caller: "{{ role_path|basename }}" + engine_variable_name: 'matrix_bot_honoroit_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-bot-honoroit.service'] + + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + + - set_fact: + matrix_bot_honoroit_requires_restart: true + when: "matrix_bot_honoroit_sqlite_database_path_local_stat_result.stat.exists|bool" + when: "matrix_bot_honoroit_database_engine == 'postgres'" + +- name: Ensure honoroit paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_bot_honoroit_config_path }}", when: true } + - { path: "{{ matrix_bot_honoroit_data_path }}", when: true } + - { path: "{{ matrix_bot_honoroit_data_store_path }}", when: true } + - { path: "{{ matrix_bot_honoroit_docker_src_files_path }}", when: true} + when: "item.when|bool" + +- name: Ensure honoroit image is pulled + docker_image: + name: "{{ matrix_bot_honoroit_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_bot_honoroit_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_honoroit_docker_image_force_pull }}" + when: "not matrix_bot_honoroit_container_self_build|bool" + +- name: Ensure honoroit repository is present on self-build + git: + repo: "{{ matrix_bot_honoroit_docker_repo }}" + dest: "{{ matrix_bot_honoroit_docker_src_files_path }}" + force: "yes" + register: matrix_bot_honoroit_git_pull_results + when: "matrix_bot_honoroit_container_self_build|bool" + +- name: Ensure honoroit image is built + docker_image: + name: "{{ matrix_bot_honoroit_docker_image }}" + source: build + force_source: "{{ matrix_bot_honoroit_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + build: + dockerfile: docker/Dockerfile + path: "{{ matrix_bot_honoroit_docker_src_files_path }}" + pull: yes + when: "matrix_bot_honoroit_container_self_build|bool" + +- name: Ensure matrix-bot-honoroit.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-bot-honoroit.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-bot-honoroit.service" + mode: 0644 + register: matrix_bot_honoroit_systemd_service_result + +- name: Ensure systemd reloaded after matrix-bot-honoroit.service installation + service: + daemon_reload: yes + when: "matrix_bot_honoroit_systemd_service_result.changed|bool" + +- name: Ensure matrix-bot-honoroit.service restarted, if necessary + service: + name: "matrix-bot-honoroit.service" + state: restarted + when: "matrix_bot_honoroit_requires_restart|bool" diff --git a/roles/matrix-bot-honoroit/tasks/setup_uninstall.yml b/roles/matrix-bot-honoroit/tasks/setup_uninstall.yml new file mode 100644 index 000000000..afad2cc1c --- /dev/null +++ b/roles/matrix-bot-honoroit/tasks/setup_uninstall.yml @@ -0,0 +1,36 @@ +--- + +- name: Check existence of matrix-honoroit service + stat: + path: "{{ matrix_systemd_path }}/matrix-bot-honoroit.service" + register: matrix_bot_honoroit_service_stat + +- name: Ensure matrix-honoroit is stopped + service: + name: matrix-bot-honoroit + state: stopped + enabled: no + daemon_reload: yes + register: stopping_result + when: "matrix_bot_honoroit_service_stat.stat.exists|bool" + +- name: Ensure matrix-bot-honoroit.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-bot-honoroit.service" + state: absent + when: "matrix_bot_honoroit_service_stat.stat.exists|bool" + +- name: Ensure systemd reloaded after matrix-bot-honoroit.service removal + service: + daemon_reload: yes + when: "matrix_bot_honoroit_service_stat.stat.exists|bool" + +- name: Ensure Matrix honoroit paths don't exist + file: + path: "{{ matrix_bot_honoroit_base_path }}" + state: absent + +- name: Ensure honoroit Docker image doesn't exist + docker_image: + name: "{{ matrix_bot_honoroit_docker_image }}" + state: absent diff --git a/roles/matrix-bot-honoroit/tasks/validate_config.yml b/roles/matrix-bot-honoroit/tasks/validate_config.yml new file mode 100644 index 000000000..562bf9fba --- /dev/null +++ b/roles/matrix-bot-honoroit/tasks/validate_config.yml @@ -0,0 +1,10 @@ +--- + +- name: Fail if required settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_bot_honoroit_password" + - "matrix_bot_honoroit_roomid" diff --git a/roles/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 b/roles/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 new file mode 100644 index 000000000..38c2c7ffb --- /dev/null +++ b/roles/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 @@ -0,0 +1,51 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix helpdesk bot +{% for service in matrix_bot_honoroit_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_bot_honoroit_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-honoroit 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-honoroit 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-honoroit \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_docker_network }} \ + -e 'HONOROIT_LOGIN={{ matrix_bot_honoroit_login }}' \ + -e 'HONOROIT_PASSWORD={{ matrix_bot_honoroit_password }}' \ + -e 'HONOROIT_HOMESERVER={{ matrix_bot_honoroit_homeserver }}' \ + -e 'HONOROIT_ROOMID={{ matrix_bot_honoroit_roomid }}' \ + -e 'HONOROIT_DB_DSN={{ matrix_bot_honoroit_database_connection_string }}' \ + -e 'HONOROIT_DB_DIALECT={{ matrix_bot_honoroit_database_dialect }}' \ + -e 'HONOROIT_PREFIX={{ matrix_bot_honoroit_prefix }}' \ + -e 'HONOROIT_SENTRY={{ matrix_bot_honoroit_sentry }}' \ + -e 'HONOROIT_LOGLEVEL={{ matrix_bot_honoroit_loglevel }}' \ + -e 'HONOROIT_TEXT_GREETINGS={{ matrix_bot_honoroit_text_greetings }}' \ + -e 'HONOROIT_TEXT_ERROR={{ matrix_bot_honoroit_text_error }}' \ + -e 'HONOROIT_TEXT_EMPTYROOM={{ matrix_bot_honoroit_text_emptyroom }}' \ + -e 'HONOROIT_TEXT_DONE={{ matrix_bot_honoroit_text_done }}' \ + --mount type=bind,src={{ matrix_bot_honoroit_data_path }},dst=/data \ + {% for arg in matrix_bot_honoroit_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_bot_honoroit_docker_image }} + +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-honoroit 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-honoroit 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-bot-honoroit + +[Install] +WantedBy=multi-user.target diff --git a/setup.yml b/setup.yml index 99d4ab188..54e6c4089 100755 --- a/setup.yml +++ b/setup.yml @@ -37,6 +37,7 @@ - matrix-bridge-sms - matrix-bridge-heisenbridge - matrix-bot-matrix-reminder-bot + - matrix-bot-honoroit - matrix-bot-go-neb - matrix-bot-mjolnir - matrix-synapse From d7af37e9e9076ec85d883ffb6abfcb73df219155 Mon Sep 17 00:00:00 2001 From: rakshazi Date: Fri, 7 Jan 2022 09:41:52 +0200 Subject: [PATCH 064/144] matrix-bot-honoroit feedback --- roles/matrix-bot-honoroit/defaults/main.yml | 10 +++++++++- roles/matrix-bot-honoroit/tasks/setup_install.yml | 6 ++++++ roles/matrix-bot-honoroit/templates/env.j2 | 15 +++++++++++++++ .../systemd/matrix-bot-honoroit.service.j2 | 14 +------------- 4 files changed, 31 insertions(+), 14 deletions(-) create mode 100644 roles/matrix-bot-honoroit/templates/env.j2 diff --git a/roles/matrix-bot-honoroit/defaults/main.yml b/roles/matrix-bot-honoroit/defaults/main.yml index ac612f849..ea83dde68 100644 --- a/roles/matrix-bot-honoroit/defaults/main.yml +++ b/roles/matrix-bot-honoroit/defaults/main.yml @@ -8,7 +8,8 @@ matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git" matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src" matrix_bot_honoroit_version: v0.9.0 -matrix_bot_honoroit_docker_image: "registry.gitlab.com/etke.cc/honoroit:{{ matrix_bot_honoroit_version }}" +matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}honoroit:{{ matrix_bot_honoroit_version }}" +matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}" matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}" matrix_bot_honoroit_base_path: "{{ matrix_base_data_path }}/honoroit" @@ -93,3 +94,10 @@ matrix_bot_honoroit_text_emptyroom: '' # Text: done matrix_bot_honoroit_text_done: '' + +# Additional environment variables to pass to the Honoroit container +# +# Example: +# matrix_bot_honoroit_environment_variables_extension: | +# HONOROIT_TEXT_DONE=Done +matrix_bot_honoroit_environment_variables_extension: '' diff --git a/roles/matrix-bot-honoroit/tasks/setup_install.yml b/roles/matrix-bot-honoroit/tasks/setup_install.yml index 33723175b..615235cb1 100644 --- a/roles/matrix-bot-honoroit/tasks/setup_install.yml +++ b/roles/matrix-bot-honoroit/tasks/setup_install.yml @@ -39,6 +39,12 @@ - { path: "{{ matrix_bot_honoroit_docker_src_files_path }}", when: true} when: "item.when|bool" +- name: Ensure honoroit environment variables file created + template: + src: "{{ role_path }}/templates/env.j2" + dest: "{{ matrix_bot_honoroit_config_path }}/env" + mode: 0640 + - name: Ensure honoroit image is pulled docker_image: name: "{{ matrix_bot_honoroit_docker_image }}" diff --git a/roles/matrix-bot-honoroit/templates/env.j2 b/roles/matrix-bot-honoroit/templates/env.j2 new file mode 100644 index 000000000..4b1dd43f7 --- /dev/null +++ b/roles/matrix-bot-honoroit/templates/env.j2 @@ -0,0 +1,15 @@ +HONOROIT_LOGIN={{ matrix_bot_honoroit_login }} +HONOROIT_PASSWORD={{ matrix_bot_honoroit_password }} +HONOROIT_HOMESERVER={{ matrix_bot_honoroit_homeserver }} +HONOROIT_ROOMID={{ matrix_bot_honoroit_roomid }} +HONOROIT_DB_DSN={{ matrix_bot_honoroit_database_connection_string }} +HONOROIT_DB_DIALECT={{ matrix_bot_honoroit_database_dialect }} +HONOROIT_PREFIX={{ matrix_bot_honoroit_prefix }} +HONOROIT_SENTRY={{ matrix_bot_honoroit_sentry }} +HONOROIT_LOGLEVEL={{ matrix_bot_honoroit_loglevel }} +HONOROIT_TEXT_GREETINGS={{ matrix_bot_honoroit_text_greetings }} +HONOROIT_TEXT_ERROR={{ matrix_bot_honoroit_text_error }} +HONOROIT_TEXT_EMPTYROOM={{ matrix_bot_honoroit_text_emptyroom }} +HONOROIT_TEXT_DONE={{ matrix_bot_honoroit_text_done }} + +{{ matrix_bot_honoroit_environment_variables_extension }} diff --git a/roles/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 b/roles/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 index 38c2c7ffb..c4eb1a946 100644 --- a/roles/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 +++ b/roles/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2 @@ -22,19 +22,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-honoroit \ --cap-drop=ALL \ --read-only \ --network={{ matrix_docker_network }} \ - -e 'HONOROIT_LOGIN={{ matrix_bot_honoroit_login }}' \ - -e 'HONOROIT_PASSWORD={{ matrix_bot_honoroit_password }}' \ - -e 'HONOROIT_HOMESERVER={{ matrix_bot_honoroit_homeserver }}' \ - -e 'HONOROIT_ROOMID={{ matrix_bot_honoroit_roomid }}' \ - -e 'HONOROIT_DB_DSN={{ matrix_bot_honoroit_database_connection_string }}' \ - -e 'HONOROIT_DB_DIALECT={{ matrix_bot_honoroit_database_dialect }}' \ - -e 'HONOROIT_PREFIX={{ matrix_bot_honoroit_prefix }}' \ - -e 'HONOROIT_SENTRY={{ matrix_bot_honoroit_sentry }}' \ - -e 'HONOROIT_LOGLEVEL={{ matrix_bot_honoroit_loglevel }}' \ - -e 'HONOROIT_TEXT_GREETINGS={{ matrix_bot_honoroit_text_greetings }}' \ - -e 'HONOROIT_TEXT_ERROR={{ matrix_bot_honoroit_text_error }}' \ - -e 'HONOROIT_TEXT_EMPTYROOM={{ matrix_bot_honoroit_text_emptyroom }}' \ - -e 'HONOROIT_TEXT_DONE={{ matrix_bot_honoroit_text_done }}' \ + --env-file={{ matrix_bot_honoroit_config_path }}/env \ --mount type=bind,src={{ matrix_bot_honoroit_data_path }},dst=/data \ {% for arg in matrix_bot_honoroit_container_extra_arguments %} {{ arg }} \ From 6beb39a0627db90c15c51632a7da909b0ae9c37f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Jan 2022 09:53:16 +0200 Subject: [PATCH 065/144] Announce Honoroit support Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1511 --- CHANGELOG.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8443d36a4..7f6dcc35d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2022-01-07 + +## Honoroit bot support + +Thanks to [Aine](https://gitlab.com/etke.cc) of [etke.cc](https://etke.cc/), the playbook can now help you set up [Honoroit](https://gitlab.com/etke.cc/honoroit) - a helpdesk bot. + +See our [Setting up Honoroit](docs/configuring-playbook-bot-honoroit.md) documentation to get started. + + # 2022-01-06 ## Cinny support From d66c812830771782817f8f411a9833e627ff88be Mon Sep 17 00:00:00 2001 From: rakshazi Date: Fri, 7 Jan 2022 09:06:25 +0000 Subject: [PATCH 066/144] matrix-bot-honoroit: fix self-build --- roles/matrix-bot-honoroit/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bot-honoroit/defaults/main.yml b/roles/matrix-bot-honoroit/defaults/main.yml index ea83dde68..fc1713bac 100644 --- a/roles/matrix-bot-honoroit/defaults/main.yml +++ b/roles/matrix-bot-honoroit/defaults/main.yml @@ -9,7 +9,7 @@ matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit matrix_bot_honoroit_version: v0.9.0 matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}honoroit:{{ matrix_bot_honoroit_version }}" -matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}" +matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_self_build else 'registry.gitlab.com/etke.cc/' }}" matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}" matrix_bot_honoroit_base_path: "{{ matrix_base_data_path }}/honoroit" From b0c801a4970584badeef6c6eeea7eb03beb10d08 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Jan 2022 11:53:24 +0200 Subject: [PATCH 067/144] Rename variable for consistency (matrix_bot_honoroit_container_self_build -> matrix_bot_honoroit_container_image_self_build) Discussed in https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1514 --- group_vars/matrix_servers | 2 +- roles/matrix-bot-honoroit/defaults/main.yml | 4 ++-- roles/matrix-bot-honoroit/tasks/setup_install.yml | 6 +++--- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 393984c0f..99d70c996 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -969,7 +969,7 @@ matrix_bot_honoroit_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_bot_honoroit_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" matrix_bot_honoroit_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'honoroit.bot.db') | to_uuid }}" -matrix_bot_honoroit_container_self_build: "{{ matrix_architecture != 'amd64' }}" +matrix_bot_honoroit_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" ###################################################################### # diff --git a/roles/matrix-bot-honoroit/defaults/main.yml b/roles/matrix-bot-honoroit/defaults/main.yml index fc1713bac..4e3628f9b 100644 --- a/roles/matrix-bot-honoroit/defaults/main.yml +++ b/roles/matrix-bot-honoroit/defaults/main.yml @@ -3,13 +3,13 @@ matrix_bot_honoroit_enabled: true -matrix_bot_honoroit_container_self_build: false +matrix_bot_honoroit_container_image_self_build: false matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git" matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src" matrix_bot_honoroit_version: v0.9.0 matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}honoroit:{{ matrix_bot_honoroit_version }}" -matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_self_build else 'registry.gitlab.com/etke.cc/' }}" +matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}" matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}" matrix_bot_honoroit_base_path: "{{ matrix_base_data_path }}/honoroit" diff --git a/roles/matrix-bot-honoroit/tasks/setup_install.yml b/roles/matrix-bot-honoroit/tasks/setup_install.yml index 615235cb1..76eeb0065 100644 --- a/roles/matrix-bot-honoroit/tasks/setup_install.yml +++ b/roles/matrix-bot-honoroit/tasks/setup_install.yml @@ -51,7 +51,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_bot_honoroit_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_honoroit_docker_image_force_pull }}" - when: "not matrix_bot_honoroit_container_self_build|bool" + when: "not matrix_bot_honoroit_container_image_self_build|bool" - name: Ensure honoroit repository is present on self-build git: @@ -59,7 +59,7 @@ dest: "{{ matrix_bot_honoroit_docker_src_files_path }}" force: "yes" register: matrix_bot_honoroit_git_pull_results - when: "matrix_bot_honoroit_container_self_build|bool" + when: "matrix_bot_honoroit_container_image_self_build|bool" - name: Ensure honoroit image is built docker_image: @@ -71,7 +71,7 @@ dockerfile: docker/Dockerfile path: "{{ matrix_bot_honoroit_docker_src_files_path }}" pull: yes - when: "matrix_bot_honoroit_container_self_build|bool" + when: "matrix_bot_honoroit_container_image_self_build|bool" - name: Ensure matrix-bot-honoroit.service installed template: From d9dd524db3f7a3b1710a763292e7fefbb47ca7de Mon Sep 17 00:00:00 2001 From: rakshazi Date: Fri, 7 Jan 2022 12:18:45 +0200 Subject: [PATCH 068/144] self-build consistency: rename vars everywhere --- group_vars/matrix_servers | 18 +++++++++--------- .../defaults/main.yml | 2 +- .../tasks/setup_install.yml | 6 +++--- .../defaults/main.yml | 2 +- .../tasks/init.yml | 2 +- .../tasks/setup_install.yml | 8 ++++---- .../defaults/main.yml | 2 +- .../tasks/init.yml | 2 +- .../tasks/setup_install.yml | 8 ++++---- .../defaults/main.yml | 4 ++-- .../tasks/setup_install.yml | 12 ++++++------ .../defaults/main.yml | 6 +++--- .../tasks/init.yml | 2 +- .../tasks/setup_install.yml | 14 +++++++------- roles/matrix-synapse-admin/defaults/main.yml | 6 +++--- roles/matrix-synapse-admin/tasks/init.yml | 2 +- roles/matrix-synapse-admin/tasks/setup.yml | 8 ++++---- .../tasks/validate_config.yml | 1 + 18 files changed, 53 insertions(+), 52 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 99d70c996..49f63ddfa 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -143,7 +143,7 @@ matrix_appservice_webhooks_systemd_required_services_list: | # We don't enable bridges by default. matrix_appservice_slack_enabled: false -matrix_appservice_slack_container_self_build: "{{ matrix_architecture != 'amd64' }}" +matrix_appservice_slack_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-slack over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose @@ -185,7 +185,7 @@ matrix_appservice_slack_database_password: "{{ '%s' | format(matrix_synapse_maca # We don't enable bridges by default. matrix_appservice_irc_enabled: false -matrix_appservice_irc_container_self_build: "{{ matrix_architecture != 'amd64' }}" +matrix_appservice_irc_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-irc over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose @@ -459,8 +459,8 @@ matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provi matrix_mautrix_signal_database_engine: 'postgres' matrix_mautrix_signal_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.signal.db') | to_uuid }}" -matrix_mautrix_signal_container_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" -matrix_mautrix_signal_daemon_container_self_build: "{{ matrix_architecture != 'amd64' }}" +matrix_mautrix_signal_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" +matrix_mautrix_signal_daemon_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" ###################################################################### # @@ -478,9 +478,9 @@ matrix_mautrix_signal_daemon_container_self_build: "{{ matrix_architecture != 'a matrix_mautrix_telegram_enabled: false # Images are multi-arch (amd64 and arm64, but not arm32). -matrix_mautrix_telegram_container_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" -matrix_telegram_lottieconverter_container_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" -matrix_telegram_lottieconverter_container_self_build_mask_arch: "{{ matrix_architecture != 'amd64' }}" +matrix_mautrix_telegram_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" +matrix_telegram_lottieconverter_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" +matrix_telegram_lottieconverter_container_image_self_build_mask_arch: "{{ matrix_architecture != 'amd64' }}" matrix_mautrix_telegram_systemd_required_services_list: | {{ @@ -938,7 +938,7 @@ matrix_bot_matrix_reminder_bot_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_bot_matrix_reminder_bot_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" matrix_bot_matrix_reminder_bot_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'reminder.bot.db') | to_uuid }}" -matrix_bot_matrix_reminder_bot_container_self_build: "{{ matrix_architecture != 'amd64' }}" +matrix_bot_matrix_reminder_bot_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" ###################################################################### # @@ -1948,7 +1948,7 @@ matrix_synapse_admin_enabled: false # Synapse Admin's HTTP port to the local host. matrix_synapse_admin_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8766' }}" -matrix_synapse_admin_container_self_build: "{{ matrix_architecture != 'amd64' }}" +matrix_synapse_admin_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" ###################################################################### # diff --git a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml index 3e955673d..419e3cca2 100644 --- a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml +++ b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml @@ -3,7 +3,7 @@ matrix_bot_matrix_reminder_bot_enabled: true -matrix_bot_matrix_reminder_bot_container_self_build: false +matrix_bot_matrix_reminder_bot_container_image_self_build: false matrix_bot_matrix_reminder_bot_docker_repo: "https://github.com/anoadragon453/matrix-reminder-bot.git" matrix_bot_matrix_reminder_bot_docker_src_files_path: "{{ matrix_base_data_path }}/matrix-reminder-bot/docker-src" diff --git a/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml b/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml index dada8167e..bd33326f7 100644 --- a/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml +++ b/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml @@ -46,7 +46,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_bot_matrix_reminder_bot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_matrix_reminder_bot_docker_image_force_pull }}" - when: "not matrix_bot_matrix_reminder_bot_container_self_build|bool" + when: "not matrix_bot_matrix_reminder_bot_container_image_self_build|bool" - name: Ensure matrix-reminder-bot repository is present on self-build git: @@ -54,7 +54,7 @@ dest: "{{ matrix_bot_matrix_reminder_bot_docker_src_files_path }}" force: "yes" register: matrix_bot_matrix_reminder_bot_git_pull_results - when: "matrix_bot_matrix_reminder_bot_container_self_build|bool" + when: "matrix_bot_matrix_reminder_bot_container_image_self_build|bool" - name: Ensure matrix-reminder-bot image is built docker_image: @@ -66,7 +66,7 @@ dockerfile: docker/Dockerfile path: "{{ matrix_bot_matrix_reminder_bot_docker_src_files_path }}" pull: yes - when: "matrix_bot_matrix_reminder_bot_container_self_build|bool" + when: "matrix_bot_matrix_reminder_bot_container_image_self_build|bool" - name: Ensure matrix-reminder-bot config installed copy: diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index 57604b199..25b0a2418 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -3,7 +3,7 @@ matrix_appservice_irc_enabled: true -matrix_appservice_irc_container_self_build: false +matrix_appservice_irc_container_image_self_build: false matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git" matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src" diff --git a/roles/matrix-bridge-appservice-irc/tasks/init.yml b/roles/matrix-bridge-appservice-irc/tasks/init.yml index e13557963..b90d93a5e 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/init.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_irc_container_self_build and matrix_appservice_irc_enabled" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_irc_container_image_self_build and matrix_appservice_irc_enabled" # If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. # We don't want to fail in such cases. diff --git a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml index 75af882af..20714a41e 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml @@ -11,7 +11,7 @@ - { path: "{{ matrix_appservice_irc_base_path }}", when: true } - { path: "{{ matrix_appservice_irc_config_path }}", when: true } - { path: "{{ matrix_appservice_irc_data_path }}", when: true } - - { path: "{{ matrix_appservice_irc_docker_src_files_path }}", when: "{{ matrix_appservice_irc_container_self_build }}" } + - { path: "{{ matrix_appservice_irc_docker_src_files_path }}", when: "{{ matrix_appservice_irc_container_image_self_build }}" } when: item.when|bool - name: Check if an old passkey file already exists @@ -61,7 +61,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_appservice_irc_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_irc_docker_image_force_pull }}" - when: "matrix_appservice_irc_enabled|bool and not matrix_appservice_irc_container_self_build|bool" + when: "matrix_appservice_irc_enabled|bool and not matrix_appservice_irc_container_image_self_build|bool" - name: Ensure matrix-appservice-irc repository is present when self-building git: @@ -69,7 +69,7 @@ dest: "{{ matrix_appservice_irc_docker_src_files_path }}" force: "yes" register: matrix_appservice_irc_git_pull_results - when: "matrix_appservice_irc_enabled|bool and matrix_appservice_irc_container_self_build|bool" + when: "matrix_appservice_irc_enabled|bool and matrix_appservice_irc_container_image_self_build|bool" - name: Ensure matrix-appservice-irc Docker image is built docker_image: @@ -81,7 +81,7 @@ dockerfile: Dockerfile path: "{{ matrix_appservice_irc_docker_src_files_path }}" pull: yes - when: "matrix_appservice_irc_enabled|bool and matrix_appservice_irc_container_self_build|bool and matrix_appservice_irc_git_pull_results.changed" + when: "matrix_appservice_irc_enabled|bool and matrix_appservice_irc_container_image_self_build|bool and matrix_appservice_irc_git_pull_results.changed" - name: Ensure Matrix Appservice IRC config installed copy: diff --git a/roles/matrix-bridge-appservice-slack/defaults/main.yml b/roles/matrix-bridge-appservice-slack/defaults/main.yml index 4f4d5e2ff..0a578b412 100644 --- a/roles/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml @@ -3,7 +3,7 @@ matrix_appservice_slack_enabled: true -matrix_appservice_slack_container_self_build: false +matrix_appservice_slack_container_image_self_build: false matrix_appservice_slack_docker_repo: "https://github.com/matrix-org/matrix-appservice-slack.git" matrix_appservice_slack_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-slack/docker-src" diff --git a/roles/matrix-bridge-appservice-slack/tasks/init.yml b/roles/matrix-bridge-appservice-slack/tasks/init.yml index f6aada6d7..7f251ec5f 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/init.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_slack_container_self_build and matrix_appservice_slack_enabled" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_slack_container_image_self_build and matrix_appservice_slack_enabled" # If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. # We don't want to fail in such cases. diff --git a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml index b170fcb8c..8c5a1eeda 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml @@ -11,7 +11,7 @@ - { path: "{{ matrix_appservice_slack_base_path }}", when: true } - { path: "{{ matrix_appservice_slack_config_path }}", when: true } - { path: "{{ matrix_appservice_slack_data_path }}", when: true } - - { path: "{{ matrix_appservice_slack_docker_src_files_path }}", when: "{{ matrix_appservice_slack_container_self_build }}" } + - { path: "{{ matrix_appservice_slack_docker_src_files_path }}", when: "{{ matrix_appservice_slack_container_image_self_build }}" } when: item.when|bool - set_fact: @@ -37,7 +37,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_appservice_slack_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_slack_docker_image_force_pull }}" - when: "not matrix_appservice_slack_container_self_build|bool" + when: "not matrix_appservice_slack_container_image_self_build|bool" - name: Ensure matrix-appservice-slack repository is present when self-building git: @@ -45,7 +45,7 @@ dest: "{{ matrix_appservice_slack_docker_src_files_path }}" force: "yes" register: matrix_appservice_slack_git_pull_results - when: "matrix_appservice_slack_container_self_build|bool" + when: "matrix_appservice_slack_container_image_self_build|bool" - name: Ensure matrix-appservice-slack Docker image is built docker_image: @@ -57,7 +57,7 @@ dockerfile: Dockerfile path: "{{ matrix_appservice_slack_docker_src_files_path }}" pull: yes - when: "matrix_appservice_slack_container_self_build|bool and matrix_appservice_slack_git_pull_results.changed" + when: "matrix_appservice_slack_container_image_self_build|bool and matrix_appservice_slack_git_pull_results.changed" - name: Ensure Matrix Appservice Slack config installed copy: diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index 6e0a9918b..9eebedd7c 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -3,7 +3,7 @@ matrix_mautrix_signal_enabled: true -matrix_mautrix_signal_container_self_build: false +matrix_mautrix_signal_container_image_self_build: false matrix_mautrix_signal_docker_repo: "https://mau.dev/mautrix/signal.git" matrix_mautrix_signal_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signal/docker-src" @@ -13,7 +13,7 @@ matrix_mautrix_signal_daemon_version: latest matrix_mautrix_signal_docker_image: "dock.mau.dev/mautrix/signal:{{ matrix_mautrix_signal_version }}" matrix_mautrix_signal_docker_image_force_pull: "{{ matrix_mautrix_signal_docker_image.endswith(':latest') }}" -matrix_mautrix_signal_daemon_container_self_build: false +matrix_mautrix_signal_daemon_container_image_self_build: false matrix_mautrix_signal_daemon_docker_repo: "https://mau.dev/maunium/signald.git" matrix_mautrix_signal_daemon_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signald/docker-src" diff --git a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml index 88710868c..bc6331ac6 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml @@ -14,7 +14,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_signal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_docker_image_force_pull }}" - when: "not matrix_mautrix_signal_container_self_build|bool" + when: "not matrix_mautrix_signal_container_image_self_build|bool" - name: Ensure Mautrix Signal repository is present on self-build @@ -23,7 +23,7 @@ dest: "{{ matrix_mautrix_signal_docker_src_files_path }}" force: "yes" register: matrix_mautrix_signal_git_pull_results - when: "matrix_mautrix_signal_container_self_build|bool" + when: "matrix_mautrix_signal_container_image_self_build|bool" - name: Ensure Mautrix Signal image is built docker_image: @@ -35,7 +35,7 @@ dockerfile: Dockerfile path: "{{ matrix_mautrix_signal_docker_src_files_path }}" pull: yes - when: "matrix_mautrix_signal_container_self_build|bool" + when: "matrix_mautrix_signal_container_image_self_build|bool" - name: Ensure Mautrix Signal Daemon image is pulled @@ -44,7 +44,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_signal_daemon_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_daemon_docker_image_force_pull }}" - when: matrix_mautrix_signal_enabled and not matrix_mautrix_signal_daemon_container_self_build|bool + when: matrix_mautrix_signal_enabled and not matrix_mautrix_signal_daemon_container_image_self_build|bool register: matrix_mautrix_signal_daemon_pull_results - name: Ensure Mautrix Signal Daemon repository is present on self-build @@ -53,7 +53,7 @@ dest: "{{ matrix_mautrix_signal_daemon_docker_src_files_path }}" force: "yes" register: matrix_mautrix_signal_daemon_git_pull_results - when: "matrix_mautrix_signal_daemon_container_self_build|bool" + when: "matrix_mautrix_signal_daemon_container_image_self_build|bool" - name: Ensure Mautrix Signal Daemon image is built docker_image: @@ -65,7 +65,7 @@ dockerfile: Dockerfile path: "{{ matrix_mautrix_signal_daemon_docker_src_files_path }}" pull: yes - when: "matrix_mautrix_signal_daemon_container_self_build|bool" + when: "matrix_mautrix_signal_daemon_container_image_self_build|bool" - name: Ensure Mautrix Signal paths exist file: diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index 1995a7b78..7e7ee0a62 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -3,13 +3,13 @@ matrix_mautrix_telegram_enabled: true -matrix_telegram_lottieconverter_container_self_build: false -matrix_telegram_lottieconverter_container_self_build_mask_arch: false +matrix_telegram_lottieconverter_container_image_self_build: false +matrix_telegram_lottieconverter_container_image_self_build_mask_arch: false matrix_telegram_lottieconverter_docker_repo: "https://mau.dev/tulir/lottieconverter.git" matrix_telegram_lottieconverter_docker_src_files_path: "{{ matrix_base_data_path }}/lotticonverter/docker-src" matrix_telegram_lottieconverter_docker_image: "dock.mau.dev/tulir/lottieconverter:alpine-3.14" # needs to be ajusted according to FROM clause of Dockerfile of mautrix-telegram -matrix_mautrix_telegram_container_self_build: false +matrix_mautrix_telegram_container_image_self_build: false matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git" matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src" diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml index bf903a57e..662ea1c39 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_telegram_container_self_build and matrix_mautrix_telegram_enabled" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_telegram_container_image_self_build and matrix_mautrix_telegram_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-telegram.service'] }}" diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index 1e87f1aec..1e34e2cd6 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -45,7 +45,7 @@ - { path: "{{ matrix_mautrix_telegram_base_path }}", when: true } - { path: "{{ matrix_mautrix_telegram_config_path }}", when: true } - { path: "{{ matrix_mautrix_telegram_data_path }}", when: true } - - { path: "{{ matrix_mautrix_telegram_docker_src_files_path }}", when: "{{ matrix_mautrix_telegram_container_self_build }}" } + - { path: "{{ matrix_mautrix_telegram_docker_src_files_path }}", when: "{{ matrix_mautrix_telegram_container_image_self_build }}" } when: item.when|bool - name: Ensure Mautrix Telegram image is pulled @@ -54,7 +54,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_telegram_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_telegram_docker_image_force_pull }}" - when: "not matrix_mautrix_telegram_container_self_build|bool" + when: "not matrix_mautrix_telegram_container_image_self_build|bool" - name: Ensure lottieconverter is present when self-building git: @@ -62,7 +62,7 @@ dest: "{{ matrix_telegram_lottieconverter_docker_src_files_path }}" force: "yes" register: matrix_telegram_lottieconverter_git_pull_results - when: "matrix_telegram_lottieconverter_container_self_build|bool and matrix_mautrix_telegram_container_self_build|bool" + when: "matrix_telegram_lottieconverter_container_image_self_build|bool and matrix_mautrix_telegram_container_image_self_build|bool" - name: Ensure lottieconverter Docker image is built docker_image: @@ -74,7 +74,7 @@ dockerfile: Dockerfile path: "{{ matrix_telegram_lottieconverter_docker_src_files_path }}" pull: yes - when: "matrix_telegram_lottieconverter_container_self_build|bool and matrix_telegram_lottieconverter_git_pull_results.changed and matrix_mautrix_telegram_container_self_build|bool" + when: "matrix_telegram_lottieconverter_container_image_self_build|bool and matrix_telegram_lottieconverter_git_pull_results.changed and matrix_mautrix_telegram_container_image_self_build|bool" - name: Ensure matrix-mautrix-telegram repository is present when self-building git: @@ -82,7 +82,7 @@ dest: "{{ matrix_mautrix_telegram_docker_src_files_path }}" force: "yes" register: matrix_mautrix_telegram_git_pull_results - when: "matrix_mautrix_telegram_container_self_build|bool" + when: "matrix_mautrix_telegram_container_image_self_build|bool" - name: Ensure matrix-mautrix-telegram Docker image is built docker_image: @@ -93,10 +93,10 @@ build: dockerfile: Dockerfile path: "{{ matrix_mautrix_telegram_docker_src_files_path }}" - pull: "{{ not matrix_telegram_lottieconverter_container_self_build_mask_arch|bool }}" + pull: "{{ not matrix_telegram_lottieconverter_container_image_self_build_mask_arch|bool }}" args: TARGETARCH: "" - when: "matrix_mautrix_telegram_container_self_build|bool and matrix_mautrix_telegram_git_pull_results.changed" + when: "matrix_mautrix_telegram_container_image_self_build|bool and matrix_mautrix_telegram_git_pull_results.changed" - name: Check if an old database file already exists stat: diff --git a/roles/matrix-synapse-admin/defaults/main.yml b/roles/matrix-synapse-admin/defaults/main.yml index 6d20d20fd..db1024fac 100644 --- a/roles/matrix-synapse-admin/defaults/main.yml +++ b/roles/matrix-synapse-admin/defaults/main.yml @@ -3,14 +3,14 @@ matrix_synapse_admin_enabled: true -matrix_synapse_admin_container_self_build: false -matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Technologies/synapse-admin.git" +matrix_synapse_admin_container_image_self_build: false +matrix_synapse_admin_container_image_self_build_repo: "https://github.com/Awesome-Technologies/synapse-admin.git" matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" matrix_synapse_admin_version: 0.8.4 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" -matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}" +matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" # A list of extra arguments to pass to the container diff --git a/roles/matrix-synapse-admin/tasks/init.yml b/roles/matrix-synapse-admin/tasks/init.yml index fccc9dfab..3ce5a6935 100644 --- a/roles/matrix-synapse-admin/tasks/init.yml +++ b/roles/matrix-synapse-admin/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_admin_container_self_build and matrix_synapse_admin_enabled" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_admin_container_image_self_build and matrix_synapse_admin_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse-admin.service'] }}" diff --git a/roles/matrix-synapse-admin/tasks/setup.yml b/roles/matrix-synapse-admin/tasks/setup.yml index d54583af6..9eac7f903 100644 --- a/roles/matrix-synapse-admin/tasks/setup.yml +++ b/roles/matrix-synapse-admin/tasks/setup.yml @@ -10,16 +10,16 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_synapse_admin_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_admin_docker_image_force_pull }}" - when: "matrix_synapse_admin_enabled|bool and not matrix_synapse_admin_container_self_build|bool" + when: "matrix_synapse_admin_enabled|bool and not matrix_synapse_admin_container_image_self_build|bool" - name: Ensure matrix-synapse-admin repository is present when self-building git: - repo: "{{ matrix_synapse_admin_container_self_build_repo }}" + repo: "{{ matrix_synapse_admin_container_image_self_build_repo }}" dest: "{{ matrix_synapse_admin_docker_src_files_path }}" version: "{{ matrix_synapse_admin_docker_image.split(':')[1] }}" force: "yes" register: matrix_synapse_admin_git_pull_results - when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_container_self_build|bool" + when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_container_image_self_build|bool" - name: Ensure matrix-synapse-admin Docker image is built docker_image: @@ -31,7 +31,7 @@ dockerfile: Dockerfile path: "{{ matrix_synapse_admin_docker_src_files_path }}" pull: yes - when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_container_self_build|bool" + when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_container_image_self_build|bool" - name: Ensure matrix-synapse-admin.service installed template: diff --git a/roles/matrix-synapse-admin/tasks/validate_config.yml b/roles/matrix-synapse-admin/tasks/validate_config.yml index e08680e03..d0640d7fd 100644 --- a/roles/matrix-synapse-admin/tasks/validate_config.yml +++ b/roles/matrix-synapse-admin/tasks/validate_config.yml @@ -8,3 +8,4 @@ when: "item.old in vars" with_items: - {'old': 'matrix_synapse_admin_docker_repo', 'new': 'matrix_synapse_admin_container_self_build_repo'} + - {'old': 'matrix_synapse_admin_container_self_build_repo', 'new': 'matrix_synapse_admin_container_image_self_build_repo'} From c191bf54cace667e5eda26a2fb1419dd5bc8eb88 Mon Sep 17 00:00:00 2001 From: rakshazi Date: Fri, 7 Jan 2022 13:17:39 +0200 Subject: [PATCH 069/144] self-build consistency: add deprecation warnings --- .../tasks/validate_config.yml | 9 +++++++++ .../tasks/validate_config.yml | 1 + .../tasks/validate_config.yml | 9 +++++++++ .../tasks/validate_config.yml | 2 ++ .../tasks/validate_config.yml | 2 ++ roles/matrix-synapse-admin/tasks/validate_config.yml | 1 + 6 files changed, 24 insertions(+) diff --git a/roles/matrix-bot-matrix-reminder-bot/tasks/validate_config.yml b/roles/matrix-bot-matrix-reminder-bot/tasks/validate_config.yml index 983e7166a..8963a3125 100644 --- a/roles/matrix-bot-matrix-reminder-bot/tasks/validate_config.yml +++ b/roles/matrix-bot-matrix-reminder-bot/tasks/validate_config.yml @@ -8,3 +8,12 @@ with_items: - "matrix_bot_matrix_reminder_bot_matrix_user_password" - "matrix_bot_matrix_reminder_bot_reminders_timezone" + +- name: (Deprecation) Catch and report renamed settings + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_bot_matrix_reminder_bot_container_self_build', 'new': 'matrix_bot_matrix_reminder_bot_container_image_self_build'} diff --git a/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml b/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml index bd08427c2..303f26409 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml @@ -33,3 +33,4 @@ when: "item.old in vars" with_items: - {'old': 'matrix_appservice_irc_container_expose_client_server_api_port', 'new': ''} + - {'old': 'matrix_appservice_irc_container_self_build', 'new': 'matrix_appservice_irc_container_image_self_build'} diff --git a/roles/matrix-bridge-appservice-slack/tasks/validate_config.yml b/roles/matrix-bridge-appservice-slack/tasks/validate_config.yml index e02c6ab07..1866c3123 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/validate_config.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/validate_config.yml @@ -11,3 +11,12 @@ - "matrix_appservice_slack_homeserver_url" - "matrix_appservice_slack_homeserver_token" - "matrix_appservice_slack_id_token" + +- name: (Deprecation) Catch and report renamed settings + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_appservice_slack_container_self_build', 'new': 'matrix_appservice_slack_container_image_self_build'} diff --git a/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml index 100af3f87..108ac044d 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml @@ -26,3 +26,5 @@ - {'old': 'matrix_mautrix_signal_db_port', 'new': 'matrix_mautrix_signal_database_port'} - {'old': 'matrix_mautrix_signal_db_url', 'new': 'matrix_mautrix_signal_database_connection_string'} - {'old': 'matrix_mautrix_signal_configuration_permissions', 'new': ''} + - {'old': 'matrix_mautrix_signal_container_self_build', 'new': 'matrix_mautrix_signal_container_image_self_build'} + - {'old': 'matrix_mautrix_signal_daemon_container_self_build', 'new': 'matrix_mautrix_signal_daemon_container_image_self_build'} diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml index 5b1f3b006..db10a4cc1 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml @@ -20,3 +20,5 @@ when: "item.old in vars" with_items: - {'old': 'matrix_mautrix_telegram_container_exposed_port_number', 'new': ''} + - {'old': 'matrix_mautrix_telegram_container_self_build', 'new': 'matrix_mautrix_telegram_container_image_self_build'} + - {'old': 'matrix_telegram_lottieconverter_container_self_build', 'new': 'matrix_mautrix_telegram_container_image_self_build'} diff --git a/roles/matrix-synapse-admin/tasks/validate_config.yml b/roles/matrix-synapse-admin/tasks/validate_config.yml index d0640d7fd..20a5c170f 100644 --- a/roles/matrix-synapse-admin/tasks/validate_config.yml +++ b/roles/matrix-synapse-admin/tasks/validate_config.yml @@ -8,4 +8,5 @@ when: "item.old in vars" with_items: - {'old': 'matrix_synapse_admin_docker_repo', 'new': 'matrix_synapse_admin_container_self_build_repo'} + - {'old': 'matrix_synapse_admin_container_self_build', 'new': 'matrix_synapse_admin_container_image_self_build'} - {'old': 'matrix_synapse_admin_container_self_build_repo', 'new': 'matrix_synapse_admin_container_image_self_build_repo'} From 2836667df28c695755854b407955700cfc2aa568 Mon Sep 17 00:00:00 2001 From: rakshazi Date: Fri, 7 Jan 2022 13:21:41 +0200 Subject: [PATCH 070/144] self-build consistency: missing var --- roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml index db10a4cc1..2067b97b0 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/validate_config.yml @@ -22,3 +22,4 @@ - {'old': 'matrix_mautrix_telegram_container_exposed_port_number', 'new': ''} - {'old': 'matrix_mautrix_telegram_container_self_build', 'new': 'matrix_mautrix_telegram_container_image_self_build'} - {'old': 'matrix_telegram_lottieconverter_container_self_build', 'new': 'matrix_mautrix_telegram_container_image_self_build'} + - {'old': 'matrix_telegram_lottieconverter_container_self_build_mask_arch', 'new': 'matrix_telegram_lottieconverter_container_image_self_build_mask_arch'} From 07af05690c0f52d09481614c2ac742bd79a82280 Mon Sep 17 00:00:00 2001 From: "Jip J. Dekker" Date: Sun, 24 Jan 2021 17:41:11 +1100 Subject: [PATCH 071/144] Add initial role for Dendrite as alternative Matrix server --- group_vars/matrix_servers | 98 + roles/matrix-dendrite/defaults/main.yml | 158 + .../matrix-dendrite/tasks/dendrite/setup.yml | 6 + .../tasks/dendrite/setup_install.yml | 85 + .../tasks/dendrite/setup_uninstall.yml | 28 + roles/matrix-dendrite/tasks/goofys/setup.yml | 7 + .../tasks/goofys/setup_install.yml | 41 + .../tasks/goofys/setup_uninstall.yml | 33 + .../tasks/import_media_store.yml | 81 + roles/matrix-dendrite/tasks/init.yml | 12 + roles/matrix-dendrite/tasks/main.yml | 50 + roles/matrix-dendrite/tasks/register_user.yml | 25 + .../tasks/self_check_client_api.yml | 20 + .../tasks/self_check_federation_api.yml | 25 + .../matrix-dendrite/tasks/setup_dendrite.yml | 19 + .../tasks/update_user_password.yml | 41 + .../matrix-dendrite/tasks/validate_config.yml | 16 + .../templates/dendrite/dendrite.yaml.j2 | 342 +++ .../templates/dendrite/homeserver.yaml.j2 | 2682 +++++++++++++++++ .../systemd/matrix-dendrite.service.j2 | 58 + .../matrix-dendrite-create-account.j2 | 12 + .../templates/goofys/env-goofys.j2 | 3 + .../goofys/systemd/matrix-goofys.service.j2 | 39 + roles/matrix-dendrite/vars/main.yml | 11 + setup.yml | 1 + 25 files changed, 3893 insertions(+) create mode 100644 roles/matrix-dendrite/defaults/main.yml create mode 100644 roles/matrix-dendrite/tasks/dendrite/setup.yml create mode 100644 roles/matrix-dendrite/tasks/dendrite/setup_install.yml create mode 100644 roles/matrix-dendrite/tasks/dendrite/setup_uninstall.yml create mode 100644 roles/matrix-dendrite/tasks/goofys/setup.yml create mode 100644 roles/matrix-dendrite/tasks/goofys/setup_install.yml create mode 100644 roles/matrix-dendrite/tasks/goofys/setup_uninstall.yml create mode 100644 roles/matrix-dendrite/tasks/import_media_store.yml create mode 100644 roles/matrix-dendrite/tasks/init.yml create mode 100644 roles/matrix-dendrite/tasks/main.yml create mode 100644 roles/matrix-dendrite/tasks/register_user.yml create mode 100644 roles/matrix-dendrite/tasks/self_check_client_api.yml create mode 100644 roles/matrix-dendrite/tasks/self_check_federation_api.yml create mode 100644 roles/matrix-dendrite/tasks/setup_dendrite.yml create mode 100644 roles/matrix-dendrite/tasks/update_user_password.yml create mode 100644 roles/matrix-dendrite/tasks/validate_config.yml create mode 100644 roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 create mode 100644 roles/matrix-dendrite/templates/dendrite/homeserver.yaml.j2 create mode 100644 roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 create mode 100644 roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 create mode 100644 roles/matrix-dendrite/templates/goofys/env-goofys.j2 create mode 100644 roles/matrix-dendrite/templates/goofys/systemd/matrix-goofys.service.j2 create mode 100644 roles/matrix-dendrite/vars/main.yml diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 49f63ddfa..18351f323 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1508,6 +1508,48 @@ matrix_postgres_additional_databases: | 'password': matrix_synapse_database_password, }] if (matrix_synapse_enabled and matrix_synapse_database_database != matrix_postgres_db_name and matrix_synapse_database_host == 'matrix-postgres') else []) + + ([{ + 'name': matrix_dendrite_naffka_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_appservice_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_federationsender_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_keyserver_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_mediaapi_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_room_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_singingkeyserver_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_syncapi_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_account_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_device_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, + }] if (matrix_dendrite_enabled and matrix_dendrite_database_hostname == 'matrix-postgres') else []) + + ([{ 'name': matrix_ma1sd_database_name, 'username': matrix_ma1sd_database_username, @@ -2125,3 +2167,59 @@ matrix_postgres_backup_databases: | # /matrix-postgres-backup # ###################################################################### + +###################################################################### +# +# matrix-dendrite +# +###################################################################### + +# Normally, matrix-nginx-proxy is enabled and nginx can reach Dendrite over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, +# you can expose Dendrite's ports to the host. +# +# For exposing the Matrix Client API's port (plain HTTP) to the local host. +matrix_dendrite_container_client_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8008' }}" +# +# For exposing the Matrix Federation API's TLS port (HTTPS) to the internet on all network interfaces. +matrix_dendrite_container_federation_api_tls_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else matrix_federation_public_port }}" + +matrix_dendrite_database_password: "{{ matrix_dendrite_macaroon_secret_key | password_hash('sha512', 'dendrite.db') | to_uuid }}" + +# Even if TURN doesn't support TLS (it does by default), +# it doesn't hurt to try a secure connection anyway. +matrix_dendrite_turn_uris: | + {{ + [ + 'turns:' + matrix_server_fqn_matrix + '?transport=udp', + 'turns:' + matrix_server_fqn_matrix + '?transport=tcp', + 'turn:' + matrix_server_fqn_matrix + '?transport=udp', + 'turn:' + matrix_server_fqn_matrix + '?transport=tcp', + ] + if matrix_coturn_enabled + else [] + }} + +matrix_dendrite_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}" + +matrix_dendrite_disable_tls_validation: "{{ true if matrix_ssl_retrieval_method == 'self-signed' else false }}" + +matrix_dendrite_systemd_required_services_list: | + {{ + (['docker.service']) + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-goofys'] if matrix_s3_media_store_enabled else []) + }} + +matrix_dendrite_systemd_wanted_services_list: | + {{ + (['matrix-coturn.service'] if matrix_coturn_enabled else []) + }} + +###################################################################### +# +# /matrix-dendrite +# +###################################################################### diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml new file mode 100644 index 000000000..78bc9bb81 --- /dev/null +++ b/roles/matrix-dendrite/defaults/main.yml @@ -0,0 +1,158 @@ +# Dendrite is a second-generation Matrix homeserver currently in Beta +# See: https://github.com/matrix-org/dendrite + +matrix_dendrite_enabled: false + +matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}" +matrix_dendrite_docker_image_name_prefix: "docker.io/" +matrix_dendrite_docker_image_tag: "v0.3.6" +matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" + +matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite" +matrix_dendrite_config_dir_path: "{{ matrix_dendrite_base_path }}/config" +matrix_dendrite_storage_path: "{{ matrix_dendrite_base_path }}/storage" +matrix_dendrite_media_store_path: "{{ matrix_dendrite_storage_path }}/media-store" +matrix_dendrite_ext_path: "{{ matrix_dendrite_base_path }}/ext" + +# Controls whether the matrix-dendrite container exposes the Client/Server API port (tcp/8008 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8008"), or empty string to not expose. +matrix_dendrite_container_client_api_host_bind_port: "" + +# Controls whether the matrix-dendrite container exposes the tls (encrypted) Server/Server (Federation) API port (tcp/8448 in the container). +# +# Takes effect only if federation is enabled (matrix_dendrite_federation_enabled) +# and TLS support is enabled (matrix_dendrite_tls_federation_listener_enabled). +# +# Takes an ":" or "" value (e.g. "8448"), or empty string to not expose. +matrix_dendrite_container_federation_api_tls_host_bind_port: "" + +# A list of extra arguments to pass to the container +matrix_dendrite_container_extra_arguments: [] + +# List of systemd services that matrix-dendrite.service depends on +matrix_dendrite_systemd_required_services_list: ["docker.service"] + +# List of systemd services that matrix-dendrite.service wants +matrix_dendrite_systemd_wanted_services_list: [] + +# Specifies which template files to use when configuring Dendrite. +# If you'd like to have your own different configuration, feel free to copy and paste +# the original files into your inventory (e.g. in `inventory/host_vars//`) +# and then change the specific host's `vars.yaml` file like this: +# matrix_dendrite_template_dendrite_config: "{{ playbook_dir }}/inventory/host_vars//dendrite.yaml.j2" +matrix_dendrite_template_dendrite_config: "{{ role_path }}/templates/dendrite/dendrite.yaml.j2" + +matrix_dendrite_macaroon_secret_key: "" +matrix_dendrite_registration_shared_secret: "{{ matrix_dendrite_macaroon_secret_key }}" +matrix_dendrite_allow_guest_access: false +matrix_dendrite_form_secret: "{{ matrix_dendrite_macaroon_secret_key }}" + +matrix_dendrite_max_file_size_bytes: 10485760 + +# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. +matrix_dendrite_tmp_directory_size_mb: 500 + +# Log levels +matrix_dendrite_log_level: "warning" +matrix_dendrite_log_path: "/var/log/dendrite" + +# Rate limits +matrix_dendrite_rate_limiting_enabled: true +matrix_dendrite_rate_limiting_threshold: 5 +matrix_dendrite_rate_limiting_cooloff_ms: 500 + +# Controls whether people with access to the homeserver can register by themselves. +matrix_dendrite_registration_disabled: false + +# reCAPTCHA API for validating registration attempts +matrix_dendrite_enable_registration_captcha: false +matrix_dendrite_recaptcha_public_key: "" +matrix_dendrite_recaptcha_private_key: "" + +# A list of additional "volumes" to mount in the container. +# This list gets populated dynamically based on Dendrite extensions that have been enabled. +# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} +# +# Note: internally, this uses the `-v` flag for mounting the specified volumes. +# It's better (safer) to use the `--mount` flag for mounting volumes. +# To use `--mount`, specify it in `matrix_dendrite_container_extra_arguments`. +# Example: `matrix_dendrite_container_extra_arguments: ['--mount type=bind,src=/outside,dst=/inside,ro'] +matrix_dendrite_container_additional_volumes: [] + +# A list of appservice config files (in-container filesystem paths). +# This list gets populated dynamically based on Dendrite extensions that have been enabled. +# You may wish to use this together with `matrix_dendrite_container_additional_volumes` or `matrix_dendrite_container_extra_arguments`. +matrix_dendrite_app_service_config_files: [] + +# Enable exposure of metrics +matrix_dendrite_metrics_enabled: false +matrix_dendrite_metrics_username: "metrics" +matrix_dendrite_metrics_password: "metrics" + +# Postgres database information +matrix_dendrite_database_str: "postgresql://{{ matrix_dendrite_database_user }}:{{ matrix_dendrite_database_password }}@{{ matrix_dendrite_database_hostname }}" +matrix_dendrite_database_hostname: "matrix-postgres" +matrix_dendrite_database_user: "dendrite" +matrix_dendrite_database_password: "itsasecret" +matrix_dendrite_naffka_database: "dendrite_naffka" +matrix_dendrite_appservice_database: "dendrite_appservice" +matrix_dendrite_federationsender_database: "dendrite_federationsender" +matrix_dendrite_keyserver_database: "dendrite_keyserver" +matrix_dendrite_mediaapi_database: "dendrite_mediaapi" +matrix_dendrite_room_database: "dendrite_room" +matrix_dendrite_singingkeyserver_database: "dendrite_sigingkeyserver" +matrix_dendrite_syncapi_database: "dendrite_syncapi" +matrix_dendrite_account_database: "dendrite_account" +matrix_dendrite_device_database: "dendrite_device" + +matrix_dendrite_turn_uris: [] +matrix_dendrite_turn_shared_secret: "" +matrix_dendrite_turn_allow_guests: False + +matrix_s3_media_store_enabled: false +matrix_s3_media_store_custom_endpoint_enabled: false +matrix_s3_goofys_docker_image: "ewoutp/goofys:latest" +matrix_s3_goofys_docker_image_force_pull: "{{ matrix_s3_goofys_docker_image.endswith(':latest') }}" +matrix_s3_media_store_custom_endpoint: "your-custom-endpoint" +matrix_s3_media_store_bucket_name: "your-bucket-name" +matrix_s3_media_store_aws_access_key: "your-aws-access-key" +matrix_s3_media_store_aws_secret_key: "your-aws-secret-key" +matrix_s3_media_store_region: "eu-central-1" + +# Controls whether the self-check feature should validate TLS certificates. +matrix_dendrite_disable_tls_validation: false + +matrix_dendrite_trusted_id_servers: + - "matrix.org" + - "vector.im" + +# Default Dendrite configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_dendrite_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_dendrite_configuration_yaml: "{{ lookup('template', 'templates/dendrite/dendrite.yaml.j2') }}" + +matrix_dendrite_configuration_extension_yaml: | + # Your custom YAML configuration for Dendrite goes here. + # This configuration extends the default starting configuration (`matrix_dendrite_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_dendrite_configuration_yaml`. + # + # Example configuration extension follows: + # + # server_notices: + # system_mxid_localpart: notices + # system_mxid_display_name: "Server Notices" + # system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ" + # room_name: "Server Notices" + +matrix_dendrite_configuration_extension: "{{ matrix_dendrite_configuration_extension_yaml|from_yaml if matrix_dendrite_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final Dendrite configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_dendrite_configuration_yaml`. +matrix_dendrite_configuration: "{{ matrix_dendrite_configuration_yaml|from_yaml|combine(matrix_dendrite_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-dendrite/tasks/dendrite/setup.yml b/roles/matrix-dendrite/tasks/dendrite/setup.yml new file mode 100644 index 000000000..8b6691937 --- /dev/null +++ b/roles/matrix-dendrite/tasks/dendrite/setup.yml @@ -0,0 +1,6 @@ +--- +- import_tasks: "{{ role_path }}/tasks/dendrite/setup_install.yml" + when: matrix_dendrite_enabled|bool + +- import_tasks: "{{ role_path }}/tasks/dendrite/setup_uninstall.yml" + when: "not matrix_dendrite_enabled|bool" diff --git a/roles/matrix-dendrite/tasks/dendrite/setup_install.yml b/roles/matrix-dendrite/tasks/dendrite/setup_install.yml new file mode 100644 index 000000000..182b6c1c0 --- /dev/null +++ b/roles/matrix-dendrite/tasks/dendrite/setup_install.yml @@ -0,0 +1,85 @@ +--- +# This will throw a Permission Denied error if already mounted using fuse +- name: Check Dendrite media store path + stat: + path: "{{ matrix_dendrite_media_store_path }}" + register: local_path_media_store_stat + ignore_errors: yes + +# This is separate and conditional, to ensure we don't execute it +# if the path already exists or we failed to check, because it's mounted using fuse. +- name: Ensure Dendrite media store path exists + file: + path: "{{ matrix_dendrite_media_store_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists" + +- name: Ensure Dendrite log path exists + file: + path: "{{ matrix_dendrite_log_path }}" + state: directory + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure Dendrite Docker image is pulled + docker_image: + name: "{{ matrix_dendrite_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_dendrite_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dendrite_docker_image_force_pull }}" + +- name: Check if a Dendrite signing key exists + stat: + path: "{{ matrix_dendrite_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.pem" + register: matrix_dendrite_signing_key_stat + +# We do this so that the signing key would get generated. +# We don't use the `docker_container` module, because using it with `cap_drop` requires +# a very recent version, which is not available for a lot of people yet. +- name: Generate Dendrite signing key + command: | + docker run + --rm + --name=matrix-config + --entrypoint=generate-keys + --mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data + {{ matrix_dendrite_docker_image }} --private-key=/data/{{ matrix_server_fqn_matrix }}.signing.pem + generate + when: "not matrix_dendrite_signing_key_stat.stat.exists" + +- name: Ensure Dendrite server key exists + file: + path: "{{ matrix_dendrite_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.pem" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure Dendrite configuration installed + copy: + content: "{{ matrix_dendrite_configuration|to_nice_yaml }}" + dest: "{{ matrix_dendrite_config_dir_path }}/dendrite.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-dendrite.service installed + template: + src: "{{ role_path }}/templates/dendrite/systemd/matrix-dendrite.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-dendrite.service" + mode: 0644 + register: matrix_dendrite_systemd_service_result + +- name: Ensure systemd reloaded after matrix-dendrite.service installation + service: + daemon_reload: yes + when: "matrix_dendrite_systemd_service_result.changed" + +- name: Ensure matrix-dendrite-create-account script created + template: + src: "{{ role_path }}/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2" + dest: "{{ matrix_local_bin_path }}/matrix-dendrite-create-account" + mode: 0750 diff --git a/roles/matrix-dendrite/tasks/dendrite/setup_uninstall.yml b/roles/matrix-dendrite/tasks/dendrite/setup_uninstall.yml new file mode 100644 index 000000000..7e953365f --- /dev/null +++ b/roles/matrix-dendrite/tasks/dendrite/setup_uninstall.yml @@ -0,0 +1,28 @@ +- name: Check existence of matrix-dendrite service + stat: + path: "{{ matrix_systemd_path }}/matrix-dendrite.service" + register: matrix_dendrite_service_stat + +- name: Ensure matrix-dendrite is stopped + service: + name: matrix-dendrite + state: stopped + daemon_reload: yes + register: stopping_result + when: "matrix_dendrite_service_stat.stat.exists" + +- name: Ensure matrix-dendrite.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-dendrite.service" + state: absent + when: "matrix_dendrite_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-dendrite.service removal + service: + daemon_reload: yes + when: "matrix_dendrite_service_stat.stat.exists" + +- name: Ensure Dendrite Docker image doesn't exist + docker_image: + name: "{{ matrix_dendrite_docker_image }}" + state: absent diff --git a/roles/matrix-dendrite/tasks/goofys/setup.yml b/roles/matrix-dendrite/tasks/goofys/setup.yml new file mode 100644 index 000000000..6370408d0 --- /dev/null +++ b/roles/matrix-dendrite/tasks/goofys/setup.yml @@ -0,0 +1,7 @@ +--- + +- import_tasks: "{{ role_path }}/tasks/goofys/setup_install.yml" + when: matrix_s3_media_store_enabled|bool + +- import_tasks: "{{ role_path }}/tasks/goofys/setup_uninstall.yml" + when: "not matrix_s3_media_store_enabled|bool" diff --git a/roles/matrix-dendrite/tasks/goofys/setup_install.yml b/roles/matrix-dendrite/tasks/goofys/setup_install.yml new file mode 100644 index 000000000..4917440b8 --- /dev/null +++ b/roles/matrix-dendrite/tasks/goofys/setup_install.yml @@ -0,0 +1,41 @@ +- name: Ensure Goofys Docker image is pulled + docker_image: + name: "{{ matrix_s3_goofys_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_s3_goofys_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_s3_goofys_docker_image_force_pull }}" + +# This will throw a Permission Denied error if already mounted +- name: Check Matrix Goofys external storage mountpoint path + stat: + path: "{{ matrix_dendrite_media_store_path }}" + register: local_path_matrix_dendrite_media_store_path_stat + ignore_errors: yes + +- name: Ensure Matrix Goofys external storage mountpoint exists + file: + path: "{{ matrix_dendrite_media_store_path if matrix_dendrite_enabled else matrix_dendrite_media_store_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: "not local_path_matrix_dendrite_media_store_path_stat.failed and not local_path_matrix_dendrite_media_store_path_stat.stat.exists" + +- name: Ensure goofys environment variables file created + template: + src: "{{ role_path }}/templates/goofys/env-goofys.j2" + dest: "{{ matrix_dendrite_config_dir_path }}/env-goofys" + owner: root + mode: 0600 + +- name: Ensure matrix-goofys.service installed + template: + src: "{{ role_path }}/templates/goofys/systemd/matrix-goofys.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-goofys.service" + mode: 0644 + register: matrix_goofys_systemd_service_result + +- name: Ensure systemd reloaded after matrix-goofys.service installation + service: + daemon_reload: yes + when: "matrix_goofys_systemd_service_result.changed" diff --git a/roles/matrix-dendrite/tasks/goofys/setup_uninstall.yml b/roles/matrix-dendrite/tasks/goofys/setup_uninstall.yml new file mode 100644 index 000000000..b7f972ad4 --- /dev/null +++ b/roles/matrix-dendrite/tasks/goofys/setup_uninstall.yml @@ -0,0 +1,33 @@ +- name: Check existence of matrix-goofys service + stat: + path: "{{ matrix_systemd_path }}/matrix-goofys.service" + register: matrix_goofys_service_stat + +- name: Ensure matrix-goofys is stopped + service: + name: matrix-goofys + state: stopped + daemon_reload: yes + register: stopping_result + when: "matrix_goofys_service_stat.stat.exists" + +- name: Ensure matrix-goofys.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-goofys.service" + state: absent + when: "matrix_goofys_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-goofys.service removal + service: + daemon_reload: yes + when: "matrix_goofys_service_stat.stat.exists" + +- name: Ensure goofys environment variables file doesn't exist + file: + path: "{{ matrix_dendrite_config_dir_path }}/env-goofys" + state: absent + +- name: Ensure Goofys Docker image doesn't exist + docker_image: + name: "{{ matrix_s3_goofys_docker_image }}" + state: absent diff --git a/roles/matrix-dendrite/tasks/import_media_store.yml b/roles/matrix-dendrite/tasks/import_media_store.yml new file mode 100644 index 000000000..9eaa6c0c9 --- /dev/null +++ b/roles/matrix-dendrite/tasks/import_media_store.yml @@ -0,0 +1,81 @@ +--- +# Pre-checks + +- name: Fail if playbook called incorrectly + fail: + msg: "The `server_path_media_store` variable needs to be provided to this playbook, via --extra-vars" + when: "server_path_media_store is not defined or server_path_media_store.startswith('<')" + +- name: Fail if media store is on Amazon S3 + fail: + msg: "Your media store is on Amazon S3. Due to technical limitations, restoring is not supported." + when: matrix_s3_media_store_enabled|bool + +- name: Check if the provided media store directory exists + stat: + path: "{{ server_path_media_store }}" + register: server_path_media_store_stat + +- name: Fail if provided media store directory doesn't exist on the server + fail: + msg: "{{ server_path_media_store }} cannot be found on the server" + when: "not server_path_media_store_stat.stat.exists or not server_path_media_store_stat.stat.isdir" + +- name: Check if media store contains local_content + stat: + path: "{{ server_path_media_store }}/local_content" + register: server_path_media_store_local_content_stat + +- name: Check if media store contains remote_content + stat: + path: "{{ server_path_media_store }}/remote_content" + register: server_path_media_store_remote_content_stat + +- name: Fail if media store directory doesn't look okay (lacking remote and local content) + fail: + msg: "{{ server_path_media_store }} contains neither local_content nor remote_content directories. It's most likely a mistake and is not a media store directory." + when: "not server_path_media_store_local_content_stat.stat.exists and not server_path_media_store_remote_content_stat.stat.exists" + +# Actual import work + +- name: Ensure matrix-dendrite is stopped + service: + name: matrix-dendrite + state: stopped + daemon_reload: yes + register: stopping_result + +# This can only work with local files, not if the media store is on Amazon S3, +# as it won't be accessible in such a case. +- name: Ensure provided media store directory is synchronized + synchronize: + src: "{{ server_path_media_store }}/" + dest: "{{ matrix_dendrite_media_store_path }}" + delete: yes + # It's wasteful to preserve owner/group now. We chown below anyway. + owner: no + group: no + times: yes + delegate_to: "{{ inventory_hostname }}" + +# This is for the generic case and fails in other cases (remote file systems), +# because in such cases the base path (matrix_dendrite_media_store_path) is a mount point. +- name: Ensure media store permissions are correct (generic case) + file: + path: "{{ matrix_dendrite_media_store_path }}" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + recurse: yes + when: "not matrix_s3_media_store_enabled|bool" + +# We don't chown for Goofys, because due to the way it's mounted, +# all files become owned by whoever needs to own them. + +- name: Ensure Dendrite is started (if it previously was) + service: + name: "{{ item }}" + state: started + daemon_reload: yes + when: "stopping_result.changed" + with_items: + - matrix-dendrite diff --git a/roles/matrix-dendrite/tasks/init.yml b/roles/matrix-dendrite/tasks/init.yml new file mode 100644 index 000000000..8457c63d1 --- /dev/null +++ b/roles/matrix-dendrite/tasks/init.yml @@ -0,0 +1,12 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dendrite.service'] }}" + when: matrix_dendrite_enabled|bool + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-goofys.service'] }}" + when: matrix_s3_media_store_enabled|bool + +- name: Fail when using also using Synapse + fail: + msg: "To use Dendrite as your matrix server, you should disable Synapse." + when: "matrix_dendrite_enabled and matrix_synapse_enabled" diff --git a/roles/matrix-dendrite/tasks/main.yml b/roles/matrix-dendrite/tasks/main.yml new file mode 100644 index 000000000..a52374423 --- /dev/null +++ b/roles/matrix-dendrite/tasks/main.yml @@ -0,0 +1,50 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: run_setup|bool + tags: + - setup-all + - setup-dendrite + +- import_tasks: "{{ role_path }}/tasks/setup_dendrite.yml" + when: run_setup|bool + tags: + - setup-all + - setup-dendrite + +- import_tasks: "{{ role_path }}/tasks/import_media_store.yml" + when: run_dendrite_import_media_store|bool + tags: + - import-dendrite-media-store + +- import_tasks: "{{ role_path }}/tasks/register_user.yml" + when: run_dendrite_register_user|bool + tags: + - register-user + +- import_tasks: "{{ role_path }}/tasks/self_check_client_api.yml" + delegate_to: 127.0.0.1 + become: false + when: run_self_check|bool + tags: + - self-check + +- import_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml" + delegate_to: 127.0.0.1 + become: false + when: run_self_check|bool + tags: + - self-check + +- import_tasks: "{{ role_path }}/tasks/update_user_password.yml" + when: run_dendrite_update_user_password|bool + tags: + - update-user-password + +- name: Mark matrix-dendrite role as executed + set_fact: + matrix_dendrite_role_executed: true + tags: + - always diff --git a/roles/matrix-dendrite/tasks/register_user.yml b/roles/matrix-dendrite/tasks/register_user.yml new file mode 100644 index 000000000..099d57e98 --- /dev/null +++ b/roles/matrix-dendrite/tasks/register_user.yml @@ -0,0 +1,25 @@ +--- +- name: Fail if playbook called incorrectly + fail: + msg: "The `username` variable needs to be provided to this playbook, via --extra-vars" + when: "username is not defined or username == ''" + +- name: Fail if playbook called incorrectly + fail: + msg: "The `password` variable needs to be provided to this playbook, via --extra-vars" + when: "password is not defined or password == ''" + +- name: Ensure matrix-dendrite is started + service: + name: matrix-dendrite + state: started + daemon_reload: yes + register: start_result + +- name: Wait a while, so that Dendrite can manage to start + pause: + seconds: 7 + when: "start_result.changed" + +- name: Register user + command: "{{ matrix_local_bin_path }}/matrix-dendrite-create-account {{ username|quote }} {{ password|quote }}" diff --git a/roles/matrix-dendrite/tasks/self_check_client_api.yml b/roles/matrix-dendrite/tasks/self_check_client_api.yml new file mode 100644 index 000000000..d3fb1f0de --- /dev/null +++ b/roles/matrix-dendrite/tasks/self_check_client_api.yml @@ -0,0 +1,20 @@ +--- +- name: Check Matrix Client API + uri: + url: "{{ matrix_dendrite_client_api_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_dendrite_self_check_validate_certificates }}" + register: result_matrix_dendrite_client_api + ignore_errors: true + check_mode: no + when: matrix_dendrite_enabled|bool + +- name: Fail if Matrix Client API not working + fail: + msg: "Failed checking Matrix Client API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_client_api_url_endpoint_public }}`). Is Dendrite running? Is port 443 open in your firewall? Full error: {{ result_matrix_dendrite_client_api }}" + when: "matrix_dendrite_enabled|bool and (result_matrix_dendrite_client_api.failed or 'json' not in result_matrix_dendrite_client_api)" + +- name: Report working Matrix Client API + debug: + msg: "The Matrix Client API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_client_api_url_endpoint_public }}`) is working" + when: matrix_dendrite_enabled|bool diff --git a/roles/matrix-dendrite/tasks/self_check_federation_api.yml b/roles/matrix-dendrite/tasks/self_check_federation_api.yml new file mode 100644 index 000000000..f11601d7f --- /dev/null +++ b/roles/matrix-dendrite/tasks/self_check_federation_api.yml @@ -0,0 +1,25 @@ +--- +- name: Check Matrix Federation API + uri: + url: "{{ matrix_dendrite_federation_api_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_dendrite_self_check_validate_certificates }}" + register: result_matrix_dendrite_federation_api + ignore_errors: true + check_mode: no + when: matrix_dendrite_enabled|bool + +- name: Fail if Matrix Federation API not working + fail: + msg: "Failed checking Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_federation_api_url_endpoint_public }}`). Is Dendrite running? Is port {{ matrix_federation_public_port }} open in your firewall? Full error: {{ result_matrix_dendrite_federation_api }}" + when: "matrix_dendrite_enabled|bool and matrix_dendrite_federation_enabled|bool and (result_matrix_dendrite_federation_api.failed or 'json' not in result_matrix_dendrite_federation_api)" + +- name: Fail if Matrix Federation API unexpectedly enabled + fail: + msg: "Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_federation_api_url_endpoint_public }}`) despite being disabled." + when: "matrix_dendrite_enabled|bool and not matrix_dendrite_federation_enabled|bool and not result_matrix_dendrite_federation_api.failed" + +- name: Report working Matrix Federation API + debug: + msg: "The Matrix Federation API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_federation_api_url_endpoint_public }}`) is working" + when: "matrix_dendrite_enabled|bool and matrix_dendrite_federation_enabled|bool" diff --git a/roles/matrix-dendrite/tasks/setup_dendrite.yml b/roles/matrix-dendrite/tasks/setup_dendrite.yml new file mode 100644 index 000000000..920ca184b --- /dev/null +++ b/roles/matrix-dendrite/tasks/setup_dendrite.yml @@ -0,0 +1,19 @@ +--- +- name: Ensure Dendrite paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_dendrite_config_dir_path }}", when: true } + - { path: "{{ matrix_dendrite_ext_path }}", when: true } + # We handle matrix_dendrite_media_store_path elsewhere (in ./dendrite/setup_install.yml), + # because if it's using Goofys and it's already mounted (from before), + # trying to chown/chmod it here will cause trouble. + when: "(matrix_dendrite_enabled|bool or matrix_s3_media_store_enabled|bool) and item.when" + +- import_tasks: "{{ role_path }}/tasks/dendrite/setup.yml" + +- import_tasks: "{{ role_path }}/tasks/goofys/setup.yml" diff --git a/roles/matrix-dendrite/tasks/update_user_password.yml b/roles/matrix-dendrite/tasks/update_user_password.yml new file mode 100644 index 000000000..5fbd23c26 --- /dev/null +++ b/roles/matrix-dendrite/tasks/update_user_password.yml @@ -0,0 +1,41 @@ +--- +- name: Fail if playbook called incorrectly + fail: + msg: "The `username` variable needs to be provided to this playbook, via --extra-vars" + when: "username is not defined or username == ''" + +- name: Fail if playbook called incorrectly + fail: + msg: "The `password` variable needs to be provided to this playbook, via --extra-vars" + when: "password is not defined or password == ''" + +- name: Fail if not using matrix-postgres container + fail: + msg: "This command is working only when matrix-postgres container is being used" + when: "not matrix_postgres_enabled|bool" + +- name: Ensure matrix-dendrite is started + service: + name: matrix-dendrite + state: started + daemon_reload: yes + register: start_result + +- name: Ensure matrix-postgres is started + service: + name: matrix-postgres + state: started + daemon_reload: yes + register: postgres_start_result + +- name: Wait a while, so that Matrix Dendrite can manage to start + pause: + seconds: 7 + when: "start_result.changed or postgres_start_result.changed" + +- name: Generate password hash + shell: "{{ matrix_host_command_docker }} exec matrix-dendrite /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password|quote }}" + register: password_hash + +- name: Update user password hash + command: "{{ matrix_local_bin_path }}/matrix-postgres-update-user-password-hash {{ username|quote }} {{ password_hash.stdout|quote }}" diff --git a/roles/matrix-dendrite/tasks/validate_config.yml b/roles/matrix-dendrite/tasks/validate_config.yml new file mode 100644 index 000000000..8c7ee4d20 --- /dev/null +++ b/roles/matrix-dendrite/tasks/validate_config.yml @@ -0,0 +1,16 @@ +--- +- name: Fail if required Dendrite settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`) for using Dendrite. + when: "vars[item] == ''" + with_items: + - "matrix_dendrite_macaroon_secret_key" + +- name: (Deprecation) Catch and report renamed settings + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: [] diff --git a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 new file mode 100644 index 000000000..2ec6c088f --- /dev/null +++ b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -0,0 +1,342 @@ +# This is the Dendrite configuration file. +# +# The configuration is split up into sections - each Dendrite component has a +# configuration section, in addition to the "global" section which applies to +# all components. +# +# At a minimum, to get started, you will need to update the settings in the +# "global" section for your deployment, and you will need to check that the +# database "connection_string" line in each component section is correct. +# +# Each component with a "database" section can accept the following formats +# for "connection_string": +# SQLite: file:filename.db +# file:///path/to/filename.db +# PostgreSQL: postgresql://user:pass@hostname/database?params=... +# +# SQLite is embedded into Dendrite and therefore no further prerequisites are +# needed for the database when using SQLite mode. However, performance with +# PostgreSQL is significantly better and recommended for multi-user deployments. +# SQLite is typically around 20-30% slower than PostgreSQL when tested with a +# small number of users and likely will perform worse still with a higher volume +# of users. +# +# The "max_open_conns" and "max_idle_conns" settings configure the maximum +# number of open/idle database connections. The value 0 will use the database +# engine default, and a negative value will use unlimited connections. The +# "conn_max_lifetime" option controls the maximum length of time a database +# connection can be idle in seconds - a negative value is unlimited. + +# The version of the configuration file. +version: 1 + +# Global Matrix configuration. This configuration applies to all components. +global: + # The domain name of this homeserver. + server_name: {{ matrix_domain }} + + # The path to the signing private key file, used to sign requests and events. + private_key: "/data/{{ matrix_server_fqn_matrix }}.signing.pem" + + # The paths and expiry timestamps (as a UNIX timestamp in millisecond precision) + # to old signing private keys that were formerly in use on this domain. These + # keys will not be used for federation request or event signing, but will be + # provided to any other homeserver that asks when trying to verify old events. + # old_private_keys: + # - private_key: old_matrix_key.pem + # expired_at: 1601024554498 + + # How long a remote server can cache our server signing key before requesting it + # again. Increasing this number will reduce the number of requests made by other + # servers for our key but increases the period that a compromised key will be + # considered valid by other homeservers. + key_validity_period: 168h0m0s + + # Lists of domains that the server will trust as identity servers to verify third + # party identifiers such as phone numbers and email addresses. + trusted_third_party_id_servers: {{ matrix_dendrite_trusted_id_servers|to_json }} + + # Configuration for Kafka/Naffka. + kafka: + # List of Kafka broker addresses to connect to. This is not needed if using + # Naffka in monolith mode. + addresses: + - kafka:9092 + + # The prefix to use for Kafka topic names for this homeserver. Change this only if + # you are running more than one Dendrite homeserver on the same Kafka deployment. + topic_prefix: Dendrite + + # Whether to use Naffka instead of Kafka. This is only available in monolith + # mode, but means that you can run a single-process server without requiring + # Kafka. + use_naffka: true + + # Naffka database options. Not required when using Kafka. + naffka_database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_naffka_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + + # Configuration for Prometheus metric collection. + metrics: + # Whether or not Prometheus metrics are enabled. + enabled: {{ matrix_dendrite_metrics_enabled }} + + # HTTP basic authentication to protect access to monitoring. + basic_auth: + username: {{ matrix_dendrite_metrics_username }} + password: {{ matrix_dendrite_metrics_password }} + + # DNS cache options. The DNS cache may reduce the load on DNS servers + # if there is no local caching resolver available for use. + dns_cache: + # Whether or not the DNS cache is enabled. + enabled: false + + # Maximum number of entries to hold in the DNS cache, and + # for how long those items should be considered valid in seconds. + cache_size: 256 + cache_lifetime: 300 + +# Configuration for the Appservice API. +app_service_api: + internal_api: + listen: http://0.0.0.0:7777 + connect: http://appservice_api:7777 + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_appservice_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + + # Appservice configuration files to load into this homeserver. + config_files: {{ matrix_dendrite_app_service_config_files|to_json }} + +# Configuration for the Client API. +client_api: + internal_api: + listen: http://0.0.0.0:7771 + connect: http://client_api:7771 + external_api: + listen: http://0.0.0.0:8071 + + # Prevents new users from being able to register on this homeserver, except when + # using the registration shared secret below. + registration_disabled: {{ matrix_dendrite_registration_disabled|to_json }} + + # If set, allows registration by anyone who knows the shared secret, regardless of + # whether registration is otherwise disabled. + registration_shared_secret: {{ matrix_dendrite_registration_shared_secret|string|to_json }} + + # Whether to require reCAPTCHA for registration. + enable_registration_captcha: {{ matrix_dendrite_enable_registration_captcha|to_json }} + + # Settings for ReCAPTCHA. + recaptcha_public_key: {{ matrix_dendrite_recaptcha_public_key|to_json }} + recaptcha_private_key: {{ matrix_dendrite_recaptcha_private_key|to_json }} + recaptcha_bypass_secret: "" + recaptcha_siteverify_api: "" + + # TURN server information that this homeserver should send to clients. + turn: + turn_user_lifetime: "" + turn_uris: {{ matrix_dendrite_turn_uris|to_json }} + turn_shared_secret: {{ matrix_dendrite_turn_shared_secret|to_json }} + turn_username: "" + turn_password: "" + + # Settings for rate-limited endpoints. Rate limiting will kick in after the + # threshold number of "slots" have been taken by requests from a specific + # host. Each "slot" will be released after the cooloff time in milliseconds. + rate_limiting: + enabled: {{ matrix_dendrite_rate_limiting_enabled|to_json }} + threshold: {{ matrix_dendrite_rate_limiting_threshold|to_json }} + cooloff_ms: {{ matrix_dendrite_rate_limiting_cooloff_ms|to_json }} + +# Configuration for the EDU server. +edu_server: + internal_api: + listen: http://0.0.0.0:7778 + connect: http://edu_server:7778 + +# Configuration for the Federation API. +federation_api: + internal_api: + listen: http://0.0.0.0:7772 + connect: http://federation_api:7772 + external_api: + listen: http://0.0.0.0:8072 + + # List of paths to X.509 certificates to be used by the external federation listeners. + # These certificates will be used to calculate the TLS fingerprints and other servers + # will expect the certificate to match these fingerprints. Certificates must be in PEM + # format. + federation_certificates: [] + +# Configuration for the Federation Sender. +federation_sender: + internal_api: + listen: http://0.0.0.0:7775 + connect: http://federation_sender:7775 + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_federationsender_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + + # How many times we will try to resend a failed transaction to a specific server. The + # backoff is 2**x seconds, so 1 = 2 seconds, 2 = 4 seconds, 3 = 8 seconds etc. + send_max_retries: 16 + + # Disable the validation of TLS certificates of remote federated homeservers. Do not + # enable this option in production as it presents a security risk! + disable_tls_validation: {{ matrix_dendrite_disable_tls_validation }} + + # Use the following proxy server for outbound federation traffic. + proxy_outbound: + enabled: false + protocol: http + host: localhost + port: 8080 + +# Configuration for the Key Server (for end-to-end encryption). +key_server: + internal_api: + listen: http://0.0.0.0:7779 + connect: http://key_server:7779 + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_keyserver_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + +# Configuration for the Media API. +media_api: + internal_api: + listen: http://0.0.0.0:7774 + connect: http://media_api:7774 + external_api: + listen: http://0.0.0.0:8074 + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_mediaapi_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + + # Storage path for uploaded media. May be relative or absolute. + base_path: "/matrix-media-store-parent/{{ matrix_dendrite_media_store_directory_name }}" + + # The maximum allowed file size (in bytes) for media uploads to this homeserver + # (0 = unlimited). + max_file_size_bytes: {{ matrix_dendrite_max_file_size_bytes }} + + # Whether to dynamically generate thumbnails if needed. + dynamic_thumbnails: false + + # The maximum number of simultaneous thumbnail generators to run. + max_thumbnail_generators: 10 + + # A list of thumbnail sizes to be generated for media content. + thumbnail_sizes: + - width: 32 + height: 32 + method: crop + - width: 96 + height: 96 + method: crop + - width: 640 + height: 480 + method: scale + +# Configuration for the Room Server. +room_server: + internal_api: + listen: http://0.0.0.0:7770 + connect: http://room_server:7770 + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_room_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + +# Configuration for the Server Key API (for server signing keys). +signing_key_server: + internal_api: + listen: http://0.0.0.0:7780 + connect: http://signing_key_server:7780 + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_singingkeyserver_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + + # Perspective keyservers to use as a backup when direct key fetches fail. This may + # be required to satisfy key requests for servers that are no longer online when + # joining some rooms. + key_perspectives: + - server_name: matrix.org + keys: + - key_id: ed25519:auto + public_key: Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw + - key_id: ed25519:a_RXGa + public_key: l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ + + # This option will control whether Dendrite will prefer to look up keys directly + # or whether it should try perspective servers first, using direct fetches as a + # last resort. + prefer_direct_fetch: false + +# Configuration for the Sync API. +sync_api: + internal_api: + listen: http://0.0.0.0:7773 + connect: http://sync_api:7773 + external_api: + listen: http://0.0.0.0:8073 + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_syncapi_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + +# Configuration for the User API. +user_api: + internal_api: + listen: http://0.0.0.0:7781 + connect: http://user_api:7781 + account_database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_account_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + device_database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_device_database }}?sslmode=disable + max_open_conns: 10 + max_idle_conns: 2 + conn_max_lifetime: -1 + +# Configuration for Opentracing. +# See https://github.com/matrix-org/dendrite/tree/master/docs/tracing for information on +# how this works and how to set it up. +tracing: + enabled: false + jaeger: + serviceName: "" + disabled: false + rpc_metrics: false + tags: [] + sampler: null + reporter: null + headers: null + baggage_restrictions: null + throttler: null + +# Logging configuration, in addition to the standard logging that is sent to +# stdout by Dendrite. +logging: +- type: file + level: {{ matrix_dendrite_log_level }} + params: + path: /var/log/dendrite diff --git a/roles/matrix-dendrite/templates/dendrite/homeserver.yaml.j2 b/roles/matrix-dendrite/templates/dendrite/homeserver.yaml.j2 new file mode 100644 index 000000000..fe28779c5 --- /dev/null +++ b/roles/matrix-dendrite/templates/dendrite/homeserver.yaml.j2 @@ -0,0 +1,2682 @@ +#jinja2: lstrip_blocks: "True" +# Configuration file for Synapse. +# +# This is a YAML file: see [1] for a quick introduction. Note in particular +# that *indentation is important*: all the elements of a list or dictionary +# should have the same indentation. +# +# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html + +## Server ## + +# The public-facing domain of the server +# +# The server_name name will appear at the end of usernames and room addresses +# created on this server. For example if the server_name was example.com, +# usernames on this server would be in the format @user:example.com +# +# In most cases you should avoid using a matrix specific subdomain such as +# matrix.example.com or synapse.example.com as the server_name for the same +# reasons you wouldn't use user@email.example.com as your email address. +# See https://github.com/matrix-org/synapse/blob/master/docs/delegate.md +# for information on how to host Synapse on a subdomain while preserving +# a clean server_name. +# +# The server_name cannot be changed later so it is important to +# configure this correctly before you start Synapse. It should be all +# lowercase and may contain an explicit port. +# Examples: matrix.org, localhost:8080 +# +server_name: "{{ matrix_domain }}" + +# When running as a daemon, the file to store the pid in +# +pid_file: /homeserver.pid + +# The absolute URL to the web client which /_matrix/client will redirect +# to if 'webclient' is configured under the 'listeners' configuration. +# +# This option can be also set to the filesystem path to the web client +# which will be served at /_matrix/client/ if 'webclient' is configured +# under the 'listeners' configuration, however this is a security risk: +# https://github.com/matrix-org/synapse#security-note +# +#web_client_location: https://riot.example.com/ + +# The public-facing base URL that clients use to access this HS +# (not including _matrix/...). This is the same URL a user would +# enter into the 'custom HS URL' field on their client. If you +# use synapse with a reverse proxy, this should be the URL to reach +# synapse via the proxy. +# +public_baseurl: https://{{ matrix_server_fqn_matrix }}/ + +# Set the soft limit on the number of file descriptors synapse can use +# Zero is used to indicate synapse should set the soft limit to the +# hard limit. +# +#soft_file_limit: 0 + +# Set to false to disable presence tracking on this homeserver. +# +use_presence: {{ matrix_synapse_use_presence|to_json }} + +# Whether to require authentication to retrieve profile data (avatars, +# display names) of other users through the client API. Defaults to +# 'false'. Note that profile data is also available via the federation +# API, so this setting is of limited value if federation is enabled on +# the server. +# +#require_auth_for_profile_requests: true + +# Uncomment to require a user to share a room with another user in order +# to retrieve their profile information. Only checked on Client-Server +# requests. Profile requests from other servers should be checked by the +# requesting server. Defaults to 'false'. +# +#limit_profile_requests_to_users_who_share_rooms: true + +# If set to 'true', removes the need for authentication to access the server's +# public rooms directory through the client API, meaning that anyone can +# query the room directory. Defaults to 'false'. +# +allow_public_rooms_without_auth: {{ matrix_synapse_allow_public_rooms_without_auth|to_json }} + +# If set to 'true', allows any other homeserver to fetch the server's public +# rooms directory via federation. Defaults to 'false'. +# +allow_public_rooms_over_federation: {{ matrix_synapse_allow_public_rooms_over_federation|to_json }} + +# The default room version for newly created rooms. +# +# Known room versions are listed here: +# https://matrix.org/docs/spec/#complete-list-of-room-versions +# +# For example, for room version 1, default_room_version should be set +# to "1". +# +default_room_version: {{ matrix_synapse_default_room_version|to_json }} + +# The GC threshold parameters to pass to `gc.set_threshold`, if defined +# +#gc_thresholds: [700, 10, 10] + +# Set the limit on the returned events in the timeline in the get +# and sync operations. The default value is 100. -1 means no upper limit. +# +# Uncomment the following to increase the limit to 5000. +# +#filter_timeline_limit: 5000 + +# Whether room invites to users on this server should be blocked +# (except those sent by local server admins). The default is False. +# +#block_non_admin_invites: True + +# Room searching +# +# If disabled, new messages will not be indexed for searching and users +# will receive errors when searching for messages. Defaults to enabled. +# +#enable_search: false + +# Prevent outgoing requests from being sent to the following blacklisted IP address +# CIDR ranges. If this option is not specified then it defaults to private IP +# address ranges (see the example below). +# +# The blacklist applies to the outbound requests for federation, identity servers, +# push servers, and for checking key validity for third-party invite events. +# +# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly +# listed here, since they correspond to unroutable addresses.) +# +# This option replaces federation_ip_range_blacklist in Synapse v1.25.0. +# +#ip_range_blacklist: +# - '127.0.0.0/8' +# - '10.0.0.0/8' +# - '172.16.0.0/12' +# - '192.168.0.0/16' +# - '100.64.0.0/10' +# - '192.0.0.0/24' +# - '169.254.0.0/16' +# - '198.18.0.0/15' +# - '192.0.2.0/24' +# - '198.51.100.0/24' +# - '203.0.113.0/24' +# - '224.0.0.0/4' +# - '::1/128' +# - 'fe80::/10' +# - 'fc00::/7' + +# List of IP address CIDR ranges that should be allowed for federation, +# identity servers, push servers, and for checking key validity for +# third-party invite events. This is useful for specifying exceptions to +# wide-ranging blacklisted target IP ranges - e.g. for communication with +# a push server only visible in your network. +# +# This whitelist overrides ip_range_blacklist and defaults to an empty +# list. +# +#ip_range_whitelist: +# - '192.168.1.1' + +# List of ports that Synapse should listen on, their purpose and their +# configuration. +# +# Options for each listener include: +# +# port: the TCP port to bind to +# +# bind_addresses: a list of local addresses to listen on. The default is +# 'all local interfaces'. +# +# type: the type of listener. Normally 'http', but other valid options are: +# 'manhole' (see docs/manhole.md), +# 'metrics' (see docs/metrics-howto.md), +# 'replication' (see docs/workers.md). +# +# tls: set to true to enable TLS for this listener. Will use the TLS +# key/cert specified in tls_private_key_path / tls_certificate_path. +# +# x_forwarded: Only valid for an 'http' listener. Set to true to use the +# X-Forwarded-For header as the client IP. Useful when Synapse is +# behind a reverse-proxy. +# +# resources: Only valid for an 'http' listener. A list of resources to host +# on this port. Options for each resource are: +# +# names: a list of names of HTTP resources. See below for a list of +# valid resource names. +# +# compress: set to true to enable HTTP compression for this resource. +# +# additional_resources: Only valid for an 'http' listener. A map of +# additional endpoints which should be loaded via dynamic modules. +# +# Valid resource names are: +# +# client: the client-server API (/_matrix/client), and the synapse admin +# API (/_synapse/admin). Also implies 'media' and 'static'. +# +# consent: user consent forms (/_matrix/consent). See +# docs/consent_tracking.md. +# +# federation: the server-server API (/_matrix/federation). Also implies +# 'media', 'keys', 'openid' +# +# keys: the key discovery API (/_matrix/keys). +# +# media: the media API (/_matrix/media). +# +# metrics: the metrics interface. See docs/metrics-howto.md. +# +# openid: OpenID authentication. +# +# replication: the HTTP replication API (/_synapse/replication). See +# docs/workers.md. +# +# static: static resources under synapse/static (/_matrix/static). (Mostly +# useful for 'fallback authentication'.) +# +# webclient: A web client. Requires web_client_location to be set. +# +listeners: +{% if matrix_synapse_metrics_enabled %} + - type: metrics + port: {{ matrix_synapse_metrics_port }} + bind_addresses: + - '0.0.0.0' +{% endif %} + +{% if matrix_synapse_federation_port_enabled and matrix_synapse_tls_federation_listener_enabled %} + # TLS-enabled listener: for when matrix traffic is sent directly to synapse. + - port: 8448 + tls: true + bind_addresses: ['::'] + type: http + x_forwarded: false + + resources: + - names: {{ matrix_synapse_federation_listener_resource_names|to_json }} + compress: false +{% endif %} + + # Unsecure HTTP listener (Client API): for when matrix traffic passes through a reverse proxy + # that unwraps TLS. + - port: 8008 + tls: false + bind_addresses: ['::'] + type: http + x_forwarded: true + + resources: + - names: {{ matrix_synapse_http_listener_resource_names|to_json }} + compress: false + +{% if matrix_synapse_federation_port_enabled %} + # Unsecure HTTP listener (Federation API): for when matrix traffic passes through a reverse proxy + # that unwraps TLS. + - port: 8048 + tls: false + bind_addresses: ['::'] + type: http + x_forwarded: true + + resources: + - names: {{ matrix_synapse_federation_listener_resource_names|to_json }} + compress: false +{% endif %} + +{% if matrix_synapse_manhole_enabled %} + # Turn on the twisted ssh manhole service on localhost on the given + # port. + - port: 9000 + bind_addresses: ['0.0.0.0'] + type: manhole +{% endif %} + + +# Forward extremities can build up in a room due to networking delays between +# homeservers. Once this happens in a large room, calculation of the state of +# that room can become quite expensive. To mitigate this, once the number of +# forward extremities reaches a given threshold, Synapse will send an +# org.matrix.dummy_event event, which will reduce the forward extremities +# in the room. +# +# This setting defines the threshold (i.e. number of forward extremities in the +# room) at which dummy events are sent. The default value is 10. +# +#dummy_events_threshold: 5 + + +## Homeserver blocking ## + +# How to reach the server admin, used in ResourceLimitError +# +#admin_contact: 'mailto:admin@server.com' + +# Global blocking +# +#hs_disabled: False +#hs_disabled_message: 'Human readable reason for why the HS is blocked' +#hs_disabled_limit_type: 'error code(str), to help clients decode reason' + +# Monthly Active User Blocking +# +# Used in cases where the admin or server owner wants to limit to the +# number of monthly active users. +# +# 'limit_usage_by_mau' disables/enables monthly active user blocking. When +# enabled and a limit is reached the server returns a 'ResourceLimitError' +# with error type Codes.RESOURCE_LIMIT_EXCEEDED +# +# 'max_mau_value' is the hard limit of monthly active users above which +# the server will start blocking user actions. +# +# 'mau_trial_days' is a means to add a grace period for active users. It +# means that users must be active for this number of days before they +# can be considered active and guards against the case where lots of users +# sign up in a short space of time never to return after their initial +# session. +# +#limit_usage_by_mau: False +#max_mau_value: 50 +#mau_trial_days: 2 + +# If enabled, the metrics for the number of monthly active users will +# be populated, however no one will be limited. If limit_usage_by_mau +# is true, this is implied to be true. +# +#mau_stats_only: False + +# Sometimes the server admin will want to ensure certain accounts are +# never blocked by mau checking. These accounts are specified here. +# +#mau_limit_reserved_threepids: +# - medium: 'email' +# address: 'reserved_user@example.com' + +# Used by phonehome stats to group together related servers. +#server_context: context + +# Resource-constrained homeserver settings +# +# When this is enabled, the room "complexity" will be checked before a user +# joins a new remote room. If it is above the complexity limit, the server will +# disallow joining, or will instantly leave. +# +# Room complexity is an arbitrary measure based on factors such as the number of +# users in the room. +# +limit_remote_rooms: + # Uncomment to enable room complexity checking. + # + #enabled: true + + # the limit above which rooms cannot be joined. The default is 1.0. + # + #complexity: 0.5 + + # override the error which is returned when the room is too complex. + # + #complexity_error: "This room is too complex." + + # allow server admins to join complex rooms. Default is false. + # + #admins_can_join: true + +# Whether to require a user to be in the room to add an alias to it. +# Defaults to 'true'. +# +#require_membership_for_aliases: false + +# Whether to allow per-room membership profiles through the send of membership +# events with profile information that differ from the target's global profile. +# Defaults to 'true'. +# +#allow_per_room_profiles: false + +# How long to keep redacted events in unredacted form in the database. After +# this period redacted events get replaced with their redacted form in the DB. +# +# Defaults to `7d`. Set to `null` to disable. +# +#redaction_retention_period: 28d + +redaction_retention_period: {{ matrix_synapse_redaction_retention_period }} + +# How long to track users' last seen time and IPs in the database. +# +# Defaults to `28d`. Set to `null` to disable clearing out of old rows. +# +#user_ips_max_age: 14d + +user_ips_max_age: {{ matrix_synapse_user_ips_max_age }} + +# Message retention policy at the server level. +# +# Room admins and mods can define a retention period for their rooms using the +# 'm.room.retention' state event, and server admins can cap this period by setting +# the 'allowed_lifetime_min' and 'allowed_lifetime_max' config options. +# +# If this feature is enabled, Synapse will regularly look for and purge events +# which are older than the room's maximum retention period. Synapse will also +# filter events received over federation so that events that should have been +# purged are ignored and not stored again. +# +retention: + # The message retention policies feature is disabled by default. Uncomment the + # following line to enable it. + # + #enabled: true + + # Default retention policy. If set, Synapse will apply it to rooms that lack the + # 'm.room.retention' state event. Currently, the value of 'min_lifetime' doesn't + # matter much because Synapse doesn't take it into account yet. + # + #default_policy: + # min_lifetime: 1d + # max_lifetime: 1y + + # Retention policy limits. If set, and the state of a room contains a + # 'm.room.retention' event in its state which contains a 'min_lifetime' or a + # 'max_lifetime' that's out of these bounds, Synapse will cap the room's policy + # to these limits when running purge jobs. + # + #allowed_lifetime_min: 1d + #allowed_lifetime_max: 1y + + # Server admins can define the settings of the background jobs purging the + # events which lifetime has expired under the 'purge_jobs' section. + # + # If no configuration is provided, a single job will be set up to delete expired + # events in every room daily. + # + # Each job's configuration defines which range of message lifetimes the job + # takes care of. For example, if 'shortest_max_lifetime' is '2d' and + # 'longest_max_lifetime' is '3d', the job will handle purging expired events in + # rooms whose state defines a 'max_lifetime' that's both higher than 2 days, and + # lower than or equal to 3 days. Both the minimum and the maximum value of a + # range are optional, e.g. a job with no 'shortest_max_lifetime' and a + # 'longest_max_lifetime' of '3d' will handle every room with a retention policy + # which 'max_lifetime' is lower than or equal to three days. + # + # The rationale for this per-job configuration is that some rooms might have a + # retention policy with a low 'max_lifetime', where history needs to be purged + # of outdated messages on a more frequent basis than for the rest of the rooms + # (e.g. every 12h), but not want that purge to be performed by a job that's + # iterating over every room it knows, which could be heavy on the server. + # + # If any purge job is configured, it is strongly recommended to have at least + # a single job with neither 'shortest_max_lifetime' nor 'longest_max_lifetime' + # set, or one job without 'shortest_max_lifetime' and one job without + # 'longest_max_lifetime' set. Otherwise some rooms might be ignored, even if + # 'allowed_lifetime_min' and 'allowed_lifetime_max' are set, because capping a + # room's policy to these values is done after the policies are retrieved from + # Synapse's database (which is done using the range specified in a purge job's + # configuration). + # + #purge_jobs: + # - longest_max_lifetime: 3d + # interval: 12h + # - shortest_max_lifetime: 3d + # interval: 1d + +# Inhibits the /requestToken endpoints from returning an error that might leak +# information about whether an e-mail address is in use or not on this +# homeserver. +# Note that for some endpoints the error situation is the e-mail already being +# used, and for others the error is entering the e-mail being unused. +# If this option is enabled, instead of returning an error, these endpoints will +# act as if no error happened and return a fake session ID ('sid') to clients. +# +#request_token_inhibit_3pid_errors: true + +# A list of domains that the domain portion of 'next_link' parameters +# must match. +# +# This parameter is optionally provided by clients while requesting +# validation of an email or phone number, and maps to a link that +# users will be automatically redirected to after validation +# succeeds. Clients can make use this parameter to aid the validation +# process. +# +# The whitelist is applied whether the homeserver or an +# identity server is handling validation. +# +# The default value is no whitelist functionality; all domains are +# allowed. Setting this value to an empty list will instead disallow +# all domains. +# +#next_link_domain_whitelist: ["matrix.org"] + + +## TLS ## + +# PEM-encoded X509 certificate for TLS. +# This certificate, as of Synapse 1.0, will need to be a valid and verifiable +# certificate, signed by a recognised Certificate Authority. +# +# See 'ACME support' below to enable auto-provisioning this certificate via +# Let's Encrypt. +# +# If supplying your own, be sure to use a `.pem` file that includes the +# full certificate chain including any intermediate certificates (for +# instance, if using certbot, use `fullchain.pem` as your certificate, +# not `cert.pem`). +# +tls_certificate_path: {{ matrix_synapse_tls_certificate_path|to_json }} + +# PEM-encoded private key for TLS +# +tls_private_key_path: {{ matrix_synapse_tls_private_key_path|to_json }} + +# Whether to verify TLS server certificates for outbound federation requests. +# +# Defaults to `true`. To disable certificate verification, uncomment the +# following line. +# +#federation_verify_certificates: false + +# The minimum TLS version that will be used for outbound federation requests. +# +# Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note +# that setting this value higher than `1.2` will prevent federation to most +# of the public Matrix network: only configure it to `1.3` if you have an +# entirely private federation setup and you can ensure TLS 1.3 support. +# +#federation_client_minimum_tls_version: 1.2 + +# Skip federation certificate verification on the following whitelist +# of domains. +# +# This setting should only be used in very specific cases, such as +# federation over Tor hidden services and similar. For private networks +# of homeservers, you likely want to use a private CA instead. +# +# Only effective if federation_verify_certicates is `true`. +# +#federation_certificate_verification_whitelist: +# - lon.example.com +# - *.domain.com +# - *.onion + +# List of custom certificate authorities for federation traffic. +# +# This setting should only normally be used within a private network of +# homeservers. +# +# Note that this list will replace those that are provided by your +# operating environment. Certificates must be in PEM format. +# +#federation_custom_ca_list: +# - myCA1.pem +# - myCA2.pem +# - myCA3.pem + +# ACME support: This will configure Synapse to request a valid TLS certificate +# for your configured `server_name` via Let's Encrypt. +# +# Note that ACME v1 is now deprecated, and Synapse currently doesn't support +# ACME v2. This means that this feature currently won't work with installs set +# up after November 2019. For more info, and alternative solutions, see +# https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1 +# +# Note that provisioning a certificate in this way requires port 80 to be +# routed to Synapse so that it can complete the http-01 ACME challenge. +# By default, if you enable ACME support, Synapse will attempt to listen on +# port 80 for incoming http-01 challenges - however, this will likely fail +# with 'Permission denied' or a similar error. +# +# There are a couple of potential solutions to this: +# +# * If you already have an Apache, Nginx, or similar listening on port 80, +# you can configure Synapse to use an alternate port, and have your web +# server forward the requests. For example, assuming you set 'port: 8009' +# below, on Apache, you would write: +# +# ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge +# +# * Alternatively, you can use something like `authbind` to give Synapse +# permission to listen on port 80. +# +acme: + # ACME support is disabled by default. Uncomment the following line + # (and tls_certificate_path and tls_private_key_path above) to enable it. + # + #enabled: true + + # Endpoint to use to request certificates. If you only want to test, + # use Let's Encrypt's staging url: + # https://acme-staging.api.letsencrypt.org/directory + # + #url: https://acme-v01.api.letsencrypt.org/directory + + # Port number to listen on for the HTTP-01 challenge. Change this if + # you are forwarding connections through Apache/Nginx/etc. + # + #port: 80 + + # Local addresses to listen on for incoming connections. + # Again, you may want to change this if you are forwarding connections + # through Apache/Nginx/etc. + # + #bind_addresses: ['::', '0.0.0.0'] + + # How many days remaining on a certificate before it is renewed. + # + #reprovision_threshold: 30 + + # The domain that the certificate should be for. Normally this + # should be the same as your Matrix domain (i.e., 'server_name'), but, + # by putting a file at 'https:///.well-known/matrix/server', + # you can delegate incoming traffic to another server. If you do that, + # you should give the target of the delegation here. + # + # For example: if your 'server_name' is 'example.com', but + # 'https://example.com/.well-known/matrix/server' delegates to + # 'matrix.example.com', you should put 'matrix.example.com' here. + # + # If not set, defaults to your 'server_name'. + # + #domain: matrix.example.com + + # file to use for the account key. This will be generated if it doesn't + # exist. + # + # If unspecified, we will use CONFDIR/client.key. + # + #account_key_file: /data/acme_account.key + +# List of allowed TLS fingerprints for this server to publish along +# with the signing keys for this server. Other matrix servers that +# make HTTPS requests to this server will check that the TLS +# certificates returned by this server match one of the fingerprints. +# +# Synapse automatically adds the fingerprint of its own certificate +# to the list. So if federation traffic is handled directly by synapse +# then no modification to the list is required. +# +# If synapse is run behind a load balancer that handles the TLS then it +# will be necessary to add the fingerprints of the certificates used by +# the loadbalancers to this list if they are different to the one +# synapse is using. +# +# Homeservers are permitted to cache the list of TLS fingerprints +# returned in the key responses up to the "valid_until_ts" returned in +# key. It may be necessary to publish the fingerprints of a new +# certificate and wait until the "valid_until_ts" of the previous key +# responses have passed before deploying it. +# +# You can calculate a fingerprint from a given TLS listener via: +# openssl s_client -connect $host:$port < /dev/null 2> /dev/null | +# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=' +# or by checking matrix.org/federationtester/api/report?server_name=$host +# +#tls_fingerprints: [{"sha256": ""}] + + +## Federation ## + +# Restrict federation to the following whitelist of domains. +# N.B. we recommend also firewalling your federation listener to limit +# inbound federation traffic as early as possible, rather than relying +# purely on this application-layer restriction. If not specified, the +# default is to whitelist everything. +# +#federation_domain_whitelist: +# - lon.example.com +# - nyc.example.com +# - syd.example.com +{% if matrix_synapse_federation_domain_whitelist is not none %} +{# Cannot use `|to_nice_yaml` here, as an empty list does not get serialized properly by it. #} +federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_json }} +{% endif %} + +# Report prometheus metrics on the age of PDUs being sent to and received from +# the following domains. This can be used to give an idea of "delay" on inbound +# and outbound federation, though be aware that any delay can be due to problems +# at either end or with the intermediate network. +# +# By default, no domains are monitored in this way. +# +#federation_metrics_domains: +# - matrix.org +# - example.com + + +## Caching ## + +# Caching can be configured through the following options. +# +# A cache 'factor' is a multiplier that can be applied to each of +# Synapse's caches in order to increase or decrease the maximum +# number of entries that can be stored. + +# The number of events to cache in memory. Not affected by +# caches.global_factor. +# +event_cache_size: "{{ matrix_synapse_event_cache_size }}" + +caches: + # Controls the global cache factor, which is the default cache factor + # for all caches if a specific factor for that cache is not otherwise + # set. + # + # This can also be set by the "SYNAPSE_CACHE_FACTOR" environment + # variable. Setting by environment variable takes priority over + # setting through the config file. + # + # Defaults to 0.5, which will half the size of all caches. + # + global_factor: {{ matrix_synapse_caches_global_factor }} + + # A dictionary of cache name to cache factor for that individual + # cache. Overrides the global cache factor for a given cache. + # + # These can also be set through environment variables comprised + # of "SYNAPSE_CACHE_FACTOR_" + the name of the cache in capital + # letters and underscores. Setting by environment variable + # takes priority over setting through the config file. + # Ex. SYNAPSE_CACHE_FACTOR_GET_USERS_WHO_SHARE_ROOM_WITH_USER=2.0 + # + # Some caches have '*' and other characters that are not + # alphanumeric or underscores. These caches can be named with or + # without the special characters stripped. For example, to specify + # the cache factor for `*stateGroupCache*` via an environment + # variable would be `SYNAPSE_CACHE_FACTOR_STATEGROUPCACHE=2.0`. + # + per_cache_factors: + #get_users_who_share_room_with_user: 2.0 + + +## Database ## + +database: + # The database engine name + name: "psycopg2" + args: + user: {{ matrix_synapse_database_user|string|to_json }} + password: {{ matrix_synapse_database_password|string|to_json }} + database: "{{ matrix_synapse_database_database }}" + host: "{{ matrix_synapse_database_host }}" + cp_min: 5 + cp_max: 10 + + +## Logging ## + +# A yaml python logging config file as described by +# https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema +# +log_config: "/data/{{ matrix_server_fqn_matrix }}.log.config" + + +## Ratelimiting ## + +# Ratelimiting settings for client actions (registration, login, messaging). +# +# Each ratelimiting configuration is made of two parameters: +# - per_second: number of requests a client can send per second. +# - burst_count: number of requests a client can send before being throttled. +# +# Synapse currently uses the following configurations: +# - one for messages that ratelimits sending based on the account the client +# is using +# - one for registration that ratelimits registration requests based on the +# client's IP address. +# - one for login that ratelimits login requests based on the client's IP +# address. +# - one for login that ratelimits login requests based on the account the +# client is attempting to log into. +# - one for login that ratelimits login requests based on the account the +# client is attempting to log into, based on the amount of failed login +# attempts for this account. +# - one for ratelimiting redactions by room admins. If this is not explicitly +# set then it uses the same ratelimiting as per rc_message. This is useful +# to allow room admins to deal with abuse quickly. +# - two for ratelimiting number of rooms a user can join, "local" for when +# users are joining rooms the server is already in (this is cheap) vs +# "remote" for when users are trying to join rooms not on the server (which +# can be more expensive) +# +# The defaults are as shown below. +# +#rc_message: +# per_second: 0.2 +# burst_count: 10 +rc_message: {{ matrix_synapse_rc_message|to_json }} +# +#rc_registration: +# per_second: 0.17 +# burst_count: 3 +rc_registration: {{ matrix_synapse_rc_registration|to_json }} +# +#rc_login: +# address: +# per_second: 0.17 +# burst_count: 3 +# account: +# per_second: 0.17 +# burst_count: 3 +# failed_attempts: +# per_second: 0.17 +# burst_count: 3 +rc_login: {{ matrix_synapse_rc_login|to_json }} +# +#rc_admin_redaction: +# per_second: 1 +# burst_count: 50 +# +#rc_joins: +# local: +# per_second: 0.1 +# burst_count: 3 +# remote: +# per_second: 0.01 +# burst_count: 3 + + +# Ratelimiting settings for incoming federation +# +# The rc_federation configuration is made up of the following settings: +# - window_size: window size in milliseconds +# - sleep_limit: number of federation requests from a single server in +# a window before the server will delay processing the request. +# - sleep_delay: duration in milliseconds to delay processing events +# from remote servers by if they go over the sleep limit. +# - reject_limit: maximum number of concurrent federation requests +# allowed from a single server +# - concurrent: number of federation requests to concurrently process +# from a single server +# +# The defaults are as shown below. +# +#rc_federation: +# window_size: 1000 +# sleep_limit: 10 +# sleep_delay: 500 +# reject_limit: 50 +# concurrent: 3 +rc_federation: {{ matrix_synapse_rc_federation|to_json }} + +# Target outgoing federation transaction frequency for sending read-receipts, +# per-room. +# +# If we end up trying to send out more read-receipts, they will get buffered up +# into fewer transactions. +# +#federation_rr_transactions_per_room_per_second: 50 +federation_rr_transactions_per_room_per_second: {{ matrix_synapse_federation_rr_transactions_per_room_per_second }} + + + +## Media Store ## + +# Enable the media store service in the Synapse master. Uncomment the +# following if you are using a separate media store worker. +# +#enable_media_repo: false + +# Directory where uploaded images and attachments are stored. +# +media_store_path: "/matrix-media-store-parent/{{ matrix_synapse_media_store_directory_name }}" + +# Media storage providers allow media to be stored in different +# locations. +# +#media_storage_providers: +# - module: file_system +# # Whether to store newly uploaded local files +# store_local: false +# # Whether to store newly downloaded remote files +# store_remote: false +# # Whether to wait for successful storage for local uploads +# store_synchronous: false +# config: +# directory: /mnt/some/other/directory + +# The largest allowed upload size in bytes +# +max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M" + +# Maximum number of pixels that will be thumbnailed +# +#max_image_pixels: 32M + +# Whether to generate new thumbnails on the fly to precisely match +# the resolution requested by the client. If true then whenever +# a new resolution is requested by the client the server will +# generate a new thumbnail. If false the server will pick a thumbnail +# from a precalculated list. +# +#dynamic_thumbnails: false + +# List of thumbnails to precalculate when an image is uploaded. +# +#thumbnail_sizes: +# - width: 32 +# height: 32 +# method: crop +# - width: 96 +# height: 96 +# method: crop +# - width: 320 +# height: 240 +# method: scale +# - width: 640 +# height: 480 +# method: scale +# - width: 800 +# height: 600 +# method: scale + +# Is the preview URL API enabled? +# +# 'false' by default: uncomment the following to enable it (and specify a +# url_preview_ip_range_blacklist blacklist). +# +url_preview_enabled: {{ matrix_synapse_url_preview_enabled|to_json }} + +# List of IP address CIDR ranges that the URL preview spider is denied +# from accessing. There are no defaults: you must explicitly +# specify a list for URL previewing to work. You should specify any +# internal services in your network that you do not want synapse to try +# to connect to, otherwise anyone in any Matrix room could cause your +# synapse to issue arbitrary GET requests to your internal services, +# causing serious security issues. +# +# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly +# listed here, since they correspond to unroutable addresses.) +# +# This must be specified if url_preview_enabled is set. It is recommended that +# you uncomment the following list as a starting point. +# +url_preview_ip_range_blacklist: + - '127.0.0.0/8' + - '10.0.0.0/8' + - '172.16.0.0/12' + - '192.168.0.0/16' + - '100.64.0.0/10' + - '192.0.0.0/24' + - '169.254.0.0/16' + - '198.18.0.0/15' + - '192.0.2.0/24' + - '198.51.100.0/24' + - '203.0.113.0/24' + - '224.0.0.0/4' + - '::1/128' + - 'fe80::/10' + - 'fc00::/7' + +# List of IP address CIDR ranges that the URL preview spider is allowed +# to access even if they are specified in url_preview_ip_range_blacklist. +# This is useful for specifying exceptions to wide-ranging blacklisted +# target IP ranges - e.g. for enabling URL previews for a specific private +# website only visible in your network. +# +#url_preview_ip_range_whitelist: +# - '192.168.1.1' + +# Optional list of URL matches that the URL preview spider is +# denied from accessing. You should use url_preview_ip_range_blacklist +# in preference to this, otherwise someone could define a public DNS +# entry that points to a private IP address and circumvent the blacklist. +# This is more useful if you know there is an entire shape of URL that +# you know that will never want synapse to try to spider. +# +# Each list entry is a dictionary of url component attributes as returned +# by urlparse.urlsplit as applied to the absolute form of the URL. See +# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit +# The values of the dictionary are treated as an filename match pattern +# applied to that component of URLs, unless they start with a ^ in which +# case they are treated as a regular expression match. If all the +# specified component matches for a given list item succeed, the URL is +# blacklisted. +# +#url_preview_url_blacklist: +# # blacklist any URL with a username in its URI +# - username: '*' +# +# # blacklist all *.google.com URLs +# - netloc: 'google.com' +# - netloc: '*.google.com' +# +# # blacklist all plain HTTP URLs +# - scheme: 'http' +# +# # blacklist http(s)://www.acme.com/foo +# - netloc: 'www.acme.com' +# path: '/foo' +# +# # blacklist any URL with a literal IPv4 address +# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' + +# The largest allowed URL preview spidering size in bytes +# +max_spider_size: 10M + +# A list of values for the Accept-Language HTTP header used when +# downloading webpages during URL preview generation. This allows +# Synapse to specify the preferred languages that URL previews should +# be in when communicating with remote servers. +# +# Each value is a IETF language tag; a 2-3 letter identifier for a +# language, optionally followed by subtags separated by '-', specifying +# a country or region variant. +# +# Multiple values can be provided, and a weight can be added to each by +# using quality value syntax (;q=). '*' translates to any language. +# +# Defaults to "en". +# +# Example: +# +# url_preview_accept_language: +# - en-UK +# - en-US;q=0.9 +# - fr;q=0.8 +# - *;q=0.7 +# +url_preview_accept_language: +# - en + + +## Captcha ## +# See docs/CAPTCHA_SETUP.md for full details of configuring this. + +# This homeserver's ReCAPTCHA public key. Must be specified if +# enable_registration_captcha is enabled. +# +recaptcha_public_key: {{ matrix_synapse_recaptcha_public_key|to_json }} + +# This homeserver's ReCAPTCHA private key. Must be specified if +# enable_registration_captcha is enabled. +# +recaptcha_private_key: {{ matrix_synapse_recaptcha_private_key|to_json }} + +# Uncomment to enable ReCaptcha checks when registering, preventing signup +# unless a captcha is answered. Requires a valid ReCaptcha +# public/private key. Defaults to 'false'. +# +enable_registration_captcha: {{ matrix_synapse_enable_registration_captcha|to_json }} + +# The API endpoint to use for verifying m.login.recaptcha responses. +# Defaults to "https://www.recaptcha.net/recaptcha/api/siteverify". +# +#recaptcha_siteverify_api: "https://my.recaptcha.site" + + +## TURN ## + +# The public URIs of the TURN server to give to clients +# +turn_uris: {{ matrix_synapse_turn_uris|to_json }} + +# The shared secret used to compute passwords for the TURN server +# +turn_shared_secret: {{ matrix_synapse_turn_shared_secret|string|to_json }} + +# The Username and password if the TURN server needs them and +# does not use a token +# +#turn_username: "TURNSERVER_USERNAME" +#turn_password: "TURNSERVER_PASSWORD" + +# How long generated TURN credentials last +# +#turn_user_lifetime: 1h + +# Whether guests should be allowed to use the TURN server. +# This defaults to True, otherwise VoIP will be unreliable for guests. +# However, it does introduce a slight security risk as it allows users to +# connect to arbitrary endpoints without having first signed up for a +# valid account (e.g. by passing a CAPTCHA). +# +turn_allow_guests: {{ matrix_synapse_turn_allow_guests|to_json }} + + +## Registration ## +# +# Registration can be rate-limited using the parameters in the "Ratelimiting" +# section of this file. + +# Enable registration for new users. +# +enable_registration: {{ matrix_synapse_enable_registration|to_json }} + +# Optional account validity configuration. This allows for accounts to be denied +# any request after a given period. +# +# Once this feature is enabled, Synapse will look for registered users without an +# expiration date at startup and will add one to every account it found using the +# current settings at that time. +# This means that, if a validity period is set, and Synapse is restarted (it will +# then derive an expiration date from the current validity period), and some time +# after that the validity period changes and Synapse is restarted, the users' +# expiration dates won't be updated unless their account is manually renewed. This +# date will be randomly selected within a range [now + period - d ; now + period], +# where d is equal to 10% of the validity period. +# +account_validity: + # The account validity feature is disabled by default. Uncomment the + # following line to enable it. + # + #enabled: true + + # The period after which an account is valid after its registration. When + # renewing the account, its validity period will be extended by this amount + # of time. This parameter is required when using the account validity + # feature. + # + #period: 6w + + # The amount of time before an account's expiry date at which Synapse will + # send an email to the account's email address with a renewal link. By + # default, no such emails are sent. + # + # If you enable this setting, you will also need to fill out the 'email' and + # 'public_baseurl' configuration sections. + # + #renew_at: 1w + + # The subject of the email sent out with the renewal link. '%(app)s' can be + # used as a placeholder for the 'app_name' parameter from the 'email' + # section. + # + # Note that the placeholder must be written '%(app)s', including the + # trailing 's'. + # + # If this is not set, a default value is used. + # + #renew_email_subject: "Renew your %(app)s account" + + # Directory in which Synapse will try to find templates for the HTML files to + # serve to the user when trying to renew an account. If not set, default + # templates from within the Synapse package will be used. + # + #template_dir: "res/templates" + + # File within 'template_dir' giving the HTML to be displayed to the user after + # they successfully renewed their account. If not set, default text is used. + # + #account_renewed_html_path: "account_renewed.html" + + # File within 'template_dir' giving the HTML to be displayed when the user + # tries to renew an account with an invalid renewal token. If not set, + # default text is used. + # + #invalid_token_html_path: "invalid_token.html" + +# Time that a user's session remains valid for, after they log in. +# +# Note that this is not currently compatible with guest logins. +# +# Note also that this is calculated at login time: changes are not applied +# retrospectively to users who have already logged in. +# +# By default, this is infinite. +# +#session_lifetime: 24h + +# The user must provide all of the below types of 3PID when registering. +# +#registrations_require_3pid: +# - email +# - msisdn +{% if matrix_synapse_registrations_require_3pid|length > 0 %} +registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_json }} +{% endif %} + +# Explicitly disable asking for MSISDNs from the registration +# flow (overrides registrations_require_3pid if MSISDNs are set as required) +# +#disable_msisdn_registration: true + +# Mandate that users are only allowed to associate certain formats of +# 3PIDs with accounts on this server. +# +#allowed_local_3pids: +# - medium: email +# pattern: '.*@matrix\.org' +# - medium: email +# pattern: '.*@vector\.im' +# - medium: msisdn +# pattern: '\+44' +{% if matrix_synapse_allowed_local_3pids|length > 0 %} +allowed_local_3pids: {{ matrix_synapse_allowed_local_3pids|to_json }} +{% endif %} + +# Enable 3PIDs lookup requests to identity servers from this server. +# +#enable_3pid_lookup: true + +# If set, allows registration of standard or admin accounts by anyone who +# has the shared secret, even if registration is otherwise disabled. +# +registration_shared_secret: {{ matrix_synapse_registration_shared_secret|string|to_json }} + +# Set the number of bcrypt rounds used to generate password hash. +# Larger numbers increase the work factor needed to generate the hash. +# The default number is 12 (which equates to 2^12 rounds). +# N.B. that increasing this will exponentially increase the time required +# to register or login - e.g. 24 => 2^24 rounds which will take >20 mins. +# +#bcrypt_rounds: 12 + +# Allows users to register as guests without a password/email/etc, and +# participate in rooms hosted on this server which have been made +# accessible to anonymous users. +# +allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }} + +# The identity server which we suggest that clients should use when users log +# in on this server. +# +# (By default, no suggestion is made, so it is left up to the client. +# This setting is ignored unless public_baseurl is also set.) +# +#default_identity_server: https://matrix.org + +# Handle threepid (email/phone etc) registration and password resets through a set of +# *trusted* identity servers. Note that this allows the configured identity server to +# reset passwords for accounts! +# +# Be aware that if `email` is not set, and SMTP options have not been +# configured in the email config block, registration and user password resets via +# email will be globally disabled. +# +# Additionally, if `msisdn` is not set, registration and password resets via msisdn +# will be disabled regardless, and users will not be able to associate an msisdn +# identifier to their account. This is due to Synapse currently not supporting +# any method of sending SMS messages on its own. +# +# To enable using an identity server for operations regarding a particular third-party +# identifier type, set the value to the URL of that identity server as shown in the +# examples below. +# +# Servers handling the these requests must answer the `/requestToken` endpoints defined +# by the Matrix Identity Service API specification: +# https://matrix.org/docs/spec/identity_service/latest +# +# If a delegate is specified, the config option public_baseurl must also be filled out. +# +account_threepid_delegates: + email: {{ matrix_synapse_account_threepid_delegates_email|to_json }} + msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }} + +# Whether users are allowed to change their displayname after it has +# been initially set. Useful when provisioning users based on the +# contents of a third-party directory. +# +# Does not apply to server administrators. Defaults to 'true' +# +#enable_set_displayname: false + +# Whether users are allowed to change their avatar after it has been +# initially set. Useful when provisioning users based on the contents +# of a third-party directory. +# +# Does not apply to server administrators. Defaults to 'true' +# +#enable_set_avatar_url: false + +# Whether users can change the 3PIDs associated with their accounts +# (email address and msisdn). +# +# Defaults to 'true' +# +#enable_3pid_changes: false + +# Users who register on this homeserver will automatically be joined +# to these rooms. +# +# By default, any room aliases included in this list will be created +# as a publicly joinable room when the first user registers for the +# homeserver. This behaviour can be customised with the settings below. +# +#auto_join_rooms: +# - "#example:example.com" +{% if matrix_synapse_auto_join_rooms|length > 0 %} +auto_join_rooms: +{{ matrix_synapse_auto_join_rooms|to_nice_yaml }} +{% endif %} + +# Where auto_join_rooms are specified, setting this flag ensures that the +# the rooms exist by creating them when the first user on the +# homeserver registers. +# +# By default the auto-created rooms are publicly joinable from any federated +# server. Use the autocreate_auto_join_rooms_federated and +# autocreate_auto_join_room_preset settings below to customise this behaviour. +# +# Setting to false means that if the rooms are not manually created, +# users cannot be auto-joined since they do not exist. +# +# Defaults to true. Uncomment the following line to disable automatically +# creating auto-join rooms. +# +autocreate_auto_join_rooms: {{ matrix_synapse_autocreate_auto_join_rooms|to_json }} + +# Whether the auto_join_rooms that are auto-created are available via +# federation. Only has an effect if autocreate_auto_join_rooms is true. +# +# Note that whether a room is federated cannot be modified after +# creation. +# +# Defaults to true: the room will be joinable from other servers. +# Uncomment the following to prevent users from other homeservers from +# joining these rooms. +# +#autocreate_auto_join_rooms_federated: false + +# The room preset to use when auto-creating one of auto_join_rooms. Only has an +# effect if autocreate_auto_join_rooms is true. +# +# This can be one of "public_chat", "private_chat", or "trusted_private_chat". +# If a value of "private_chat" or "trusted_private_chat" is used then +# auto_join_mxid_localpart must also be configured. +# +# Defaults to "public_chat", meaning that the room is joinable by anyone, including +# federated servers if autocreate_auto_join_rooms_federated is true (the default). +# Uncomment the following to require an invitation to join these rooms. +# +#autocreate_auto_join_room_preset: private_chat + +# The local part of the user id which is used to create auto_join_rooms if +# autocreate_auto_join_rooms is true. If this is not provided then the +# initial user account that registers will be used to create the rooms. +# +# The user id is also used to invite new users to any auto-join rooms which +# are set to invite-only. +# +# It *must* be configured if autocreate_auto_join_room_preset is set to +# "private_chat" or "trusted_private_chat". +# +# Note that this must be specified in order for new users to be correctly +# invited to any auto-join rooms which have been set to invite-only (either +# at the time of creation or subsequently). +# +# Note that, if the room already exists, this user must be joined and +# have the appropriate permissions to invite new members. +# +#auto_join_mxid_localpart: system + +# When auto_join_rooms is specified, setting this flag to false prevents +# guest accounts from being automatically joined to the rooms. +# +# Defaults to true. +# +#auto_join_rooms_for_guests: false + + +## Metrics ### + +# Enable collection and rendering of performance metrics +# +enable_metrics: {{ matrix_synapse_metrics_enabled|to_json }} + + +# Enable sentry integration +# NOTE: While attempts are made to ensure that the logs don't contain +# any sensitive information, this cannot be guaranteed. By enabling +# this option the sentry server may therefore receive sensitive +# information, and it in turn may then diseminate sensitive information +# through insecure notification channels if so configured. +# +{% if matrix_synapse_sentry_dsn != "" %} +sentry: + dsn: {{ matrix_synapse_sentry_dsn|to_json }} +{% endif %} + +# Flags to enable Prometheus metrics which are not suitable to be +# enabled by default, either for performance reasons or limited use. +# +metrics_flags: + # Publish synapse_federation_known_servers, a gauge of the number of + # servers this homeserver knows about, including itself. May cause + # performance problems on large homeservers. + # + #known_servers: true + +# Whether or not to report anonymized homeserver usage statistics. +# +report_stats: {{ matrix_synapse_report_stats|to_json }} + +# The endpoint to report the anonymized homeserver usage statistics to. +# Defaults to https://matrix.org/report-usage-stats/push +# +#report_stats_endpoint: https://example.com/report-usage-stats/push + + +## API Configuration ## + +# A list of event types that will be included in the room_invite_state +# +#room_invite_state_types: +# - "m.room.join_rules" +# - "m.room.canonical_alias" +# - "m.room.avatar" +# - "m.room.encryption" +# - "m.room.name" + + +# A list of application service config files to use +# +app_service_config_files: {{ matrix_synapse_app_service_config_files|to_json }} + +# Uncomment to enable tracking of application service IP addresses. Implicitly +# enables MAU tracking for application service users. +# +#track_appservice_user_ips: True + + +# a secret which is used to sign access tokens. If none is specified, +# the registration_shared_secret is used, if one is given; otherwise, +# a secret key is derived from the signing key. +# +macaroon_secret_key: {{ matrix_synapse_macaroon_secret_key|string|to_json }} + +# a secret which is used to calculate HMACs for form values, to stop +# falsification of values. Must be specified for the User Consent +# forms to work. +# +form_secret: {{ matrix_synapse_form_secret|string|to_json }} + +## Signing Keys ## + +# Path to the signing key to sign messages with +# +signing_key_path: "/data/{{ matrix_server_fqn_matrix }}.signing.key" + +# The keys that the server used to sign messages with but won't use +# to sign new messages. +# +old_signing_keys: + # For each key, `key` should be the base64-encoded public key, and + # `expired_ts`should be the time (in milliseconds since the unix epoch) that + # it was last used. + # + # It is possible to build an entry from an old signing.key file using the + # `export_signing_key` script which is provided with synapse. + # + # For example: + # + #"ed25519:id": { key: "base64string", expired_ts: 123456789123 } + +# How long key response published by this server is valid for. +# Used to set the valid_until_ts in /key/v2 APIs. +# Determines how quickly servers will query to check which keys +# are still valid. +# +#key_refresh_interval: 1d + +# The trusted servers to download signing keys from. +# +# When we need to fetch a signing key, each server is tried in parallel. +# +# Normally, the connection to the key server is validated via TLS certificates. +# Additional security can be provided by configuring a `verify key`, which +# will make synapse check that the response is signed by that key. +# +# This setting supercedes an older setting named `perspectives`. The old format +# is still supported for backwards-compatibility, but it is deprecated. +# +# 'trusted_key_servers' defaults to matrix.org, but using it will generate a +# warning on start-up. To suppress this warning, set +# 'suppress_key_server_warning' to true. +# +# Options for each entry in the list include: +# +# server_name: the name of the server. required. +# +# verify_keys: an optional map from key id to base64-encoded public key. +# If specified, we will check that the response is signed by at least +# one of the given keys. +# +# accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset, +# and federation_verify_certificates is not `true`, synapse will refuse +# to start, because this would allow anyone who can spoof DNS responses +# to masquerade as the trusted key server. If you know what you are doing +# and are sure that your network environment provides a secure connection +# to the key server, you can set this to `true` to override this +# behaviour. +# +# An example configuration might look like: +# +#trusted_key_servers: +# - server_name: "my_trusted_server.example.com" +# verify_keys: +# "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr" +# - server_name: "my_other_trusted_server.example.com" +# +trusted_key_servers: {{ matrix_synapse_trusted_key_servers|to_json }} + + +# Uncomment the following to disable the warning that is emitted when the +# trusted_key_servers include 'matrix.org'. See above. +# +#suppress_key_server_warning: true + +# The signing keys to use when acting as a trusted key server. If not specified +# defaults to the server signing key. +# +# Can contain multiple keys, one per line. +# +#key_server_signing_keys_path: "key_server_signing_keys.key" + + +## Single sign-on integration ## + +# The following settings can be used to make Synapse use a single sign-on +# provider for authentication, instead of its internal password database. +# +# You will probably also want to set the following options to `false` to +# disable the regular login/registration flows: +# * enable_registration +# * password_config.enabled +# +# You will also want to investigate the settings under the "sso" configuration +# section below. + +# Enable SAML2 for registration and login. Uses pysaml2. +# +# At least one of `sp_config` or `config_path` must be set in this section to +# enable SAML login. +# +# Once SAML support is enabled, a metadata file will be exposed at +# https://:/_matrix/saml2/metadata.xml, which you may be able to +# use to configure your SAML IdP with. Alternatively, you can manually configure +# the IdP to use an ACS location of +# https://:/_matrix/saml2/authn_response. +# +saml2_config: + # `sp_config` is the configuration for the pysaml2 Service Provider. + # See pysaml2 docs for format of config. + # + # Default values will be used for the 'entityid' and 'service' settings, + # so it is not normally necessary to specify them unless you need to + # override them. + # + sp_config: + # Point this to the IdP's metadata. You must provide either a local + # file via the `local` attribute or (preferably) a URL via the + # `remote` attribute. + # + #metadata: + # local: ["saml2/idp.xml"] + # remote: + # - url: https://our_idp/metadata.xml + + # Allowed clock difference in seconds between the homeserver and IdP. + # + # Uncomment the below to increase the accepted time difference from 0 to 3 seconds. + # + #accepted_time_diff: 3 + + # By default, the user has to go to our login page first. If you'd like + # to allow IdP-initiated login, set 'allow_unsolicited: true' in a + # 'service.sp' section: + # + #service: + # sp: + # allow_unsolicited: true + + # The examples below are just used to generate our metadata xml, and you + # may well not need them, depending on your setup. Alternatively you + # may need a whole lot more detail - see the pysaml2 docs! + + #description: ["My awesome SP", "en"] + #name: ["Test SP", "en"] + + #ui_info: + # display_name: + # - lang: en + # text: "Display Name is the descriptive name of your service." + # description: + # - lang: en + # text: "Description should be a short paragraph explaining the purpose of the service." + # information_url: + # - lang: en + # text: "https://example.com/terms-of-service" + # privacy_statement_url: + # - lang: en + # text: "https://example.com/privacy-policy" + # keywords: + # - lang: en + # text: ["Matrix", "Element"] + # logo: + # - lang: en + # text: "https://example.com/logo.svg" + # width: "200" + # height: "80" + + #organization: + # name: Example com + # display_name: + # - ["Example co", "en"] + # url: "http://example.com" + + #contact_person: + # - given_name: Bob + # sur_name: "the Sysadmin" + # email_address": ["admin@example.com"] + # contact_type": technical + + # Instead of putting the config inline as above, you can specify a + # separate pysaml2 configuration file: + # + #config_path: "/data/sp_conf.py" + + # The lifetime of a SAML session. This defines how long a user has to + # complete the authentication process, if allow_unsolicited is unset. + # The default is 15 minutes. + # + #saml_session_lifetime: 5m + + # An external module can be provided here as a custom solution to + # mapping attributes returned from a saml provider onto a matrix user. + # + user_mapping_provider: + # The custom module's class. Uncomment to use a custom module. + # + #module: mapping_provider.SamlMappingProvider + + # Custom configuration values for the module. Below options are + # intended for the built-in provider, they should be changed if + # using a custom module. This section will be passed as a Python + # dictionary to the module's `parse_config` method. + # + config: + # The SAML attribute (after mapping via the attribute maps) to use + # to derive the Matrix ID from. 'uid' by default. + # + # Note: This used to be configured by the + # saml2_config.mxid_source_attribute option. If that is still + # defined, its value will be used instead. + # + #mxid_source_attribute: displayName + + # The mapping system to use for mapping the saml attribute onto a + # matrix ID. + # + # Options include: + # * 'hexencode' (which maps unpermitted characters to '=xx') + # * 'dotreplace' (which replaces unpermitted characters with + # '.'). + # The default is 'hexencode'. + # + # Note: This used to be configured by the + # saml2_config.mxid_mapping option. If that is still defined, its + # value will be used instead. + # + #mxid_mapping: dotreplace + + # In previous versions of synapse, the mapping from SAML attribute to + # MXID was always calculated dynamically rather than stored in a + # table. For backwards- compatibility, we will look for user_ids + # matching such a pattern before creating a new account. + # + # This setting controls the SAML attribute which will be used for this + # backwards-compatibility lookup. Typically it should be 'uid', but if + # the attribute maps are changed, it may be necessary to change it. + # + # The default is 'uid'. + # + #grandfathered_mxid_source_attribute: upn + + # It is possible to configure Synapse to only allow logins if SAML attributes + # match particular values. The requirements can be listed under + # `attribute_requirements` as shown below. All of the listed attributes must + # match for the login to be permitted. + # + #attribute_requirements: + # - attribute: userGroup + # value: "staff" + # - attribute: department + # value: "sales" + + # If the metadata XML contains multiple IdP entities then the `idp_entityid` + # option must be set to the entity to redirect users to. + # + # Most deployments only have a single IdP entity and so should omit this + # option. + # + #idp_entityid: 'https://our_idp/entityid' + + +# Enable OpenID Connect (OIDC) / OAuth 2.0 for registration and login. +# +# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md +# for some example configurations. +# +oidc_config: + # Uncomment the following to enable authorization against an OpenID Connect + # server. Defaults to false. + # + #enabled: true + + # Uncomment the following to disable use of the OIDC discovery mechanism to + # discover endpoints. Defaults to true. + # + #discover: false + + # the OIDC issuer. Used to validate tokens and (if discovery is enabled) to + # discover the provider's endpoints. + # + # Required if 'enabled' is true. + # + #issuer: "https://accounts.example.com/" + + # oauth2 client id to use. + # + # Required if 'enabled' is true. + # + #client_id: "provided-by-your-issuer" + + # oauth2 client secret to use. + # + # Required if 'enabled' is true. + # + #client_secret: "provided-by-your-issuer" + + # auth method to use when exchanging the token. + # Valid values are 'client_secret_basic' (default), 'client_secret_post' and + # 'none'. + # + #client_auth_method: client_secret_post + + # list of scopes to request. This should normally include the "openid" scope. + # Defaults to ["openid"]. + # + #scopes: ["openid", "profile"] + + # the oauth2 authorization endpoint. Required if provider discovery is disabled. + # + #authorization_endpoint: "https://accounts.example.com/oauth2/auth" + + # the oauth2 token endpoint. Required if provider discovery is disabled. + # + #token_endpoint: "https://accounts.example.com/oauth2/token" + + # the OIDC userinfo endpoint. Required if discovery is disabled and the + # "openid" scope is not requested. + # + #userinfo_endpoint: "https://accounts.example.com/userinfo" + + # URI where to fetch the JWKS. Required if discovery is disabled and the + # "openid" scope is used. + # + #jwks_uri: "https://accounts.example.com/.well-known/jwks.json" + + # Uncomment to skip metadata verification. Defaults to false. + # + # Use this if you are connecting to a provider that is not OpenID Connect + # compliant. + # Avoid this in production. + # + #skip_verification: true + + # Whether to fetch the user profile from the userinfo endpoint. Valid + # values are: "auto" or "userinfo_endpoint". + # + # Defaults to "auto", which fetches the userinfo endpoint if "openid" is included + # in `scopes`. Uncomment the following to always fetch the userinfo endpoint. + # + #user_profile_method: "userinfo_endpoint" + + # Uncomment to allow a user logging in via OIDC to match a pre-existing account instead + # of failing. This could be used if switching from password logins to OIDC. Defaults to false. + # + #allow_existing_users: true + + # An external module can be provided here as a custom solution to mapping + # attributes returned from a OIDC provider onto a matrix user. + # + user_mapping_provider: + # The custom module's class. Uncomment to use a custom module. + # Default is 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'. + # + # See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers + # for information on implementing a custom mapping provider. + # + #module: mapping_provider.OidcMappingProvider + + # Custom configuration values for the module. This section will be passed as + # a Python dictionary to the user mapping provider module's `parse_config` + # method. + # + # The examples below are intended for the default provider: they should be + # changed if using a custom provider. + # + config: + # name of the claim containing a unique identifier for the user. + # Defaults to `sub`, which OpenID Connect compliant providers should provide. + # + #subject_claim: "sub" + + # Jinja2 template for the localpart of the MXID. + # + # When rendering, this template is given the following variables: + # * user: The claims returned by the UserInfo Endpoint and/or in the ID + # Token + # + # If this is not set, the user will be prompted to choose their + # own username. + # + localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}" + + # Jinja2 template for the display name to set on first login. + # + # If unset, no displayname will be set. + # + #display_name_template: "{% raw %}{{ user.given_name }} {{ user.last_name }}{% endraw %}" + + # Jinja2 templates for extra attributes to send back to the client during + # login. + # + # Note that these are non-standard and clients will ignore them without modifications. + # + #extra_attributes: + #birthdate: "{% raw %}{{ user.birthdate }}{% endraw %}" + + + +# Enable Central Authentication Service (CAS) for registration and login. +# +cas_config: + # Uncomment the following to enable authorization against a CAS server. + # Defaults to false. + # + #enabled: true + + # The URL of the CAS authorization endpoint. + # + #server_url: "https://cas-server.com" + + # The public URL of the homeserver. + # + #service_url: "https://homeserver.domain.com:8448" + + # The attribute of the CAS response to use as the display name. + # + # If unset, no displayname will be set. + # + #displayname_attribute: name + + # It is possible to configure Synapse to only allow logins if CAS attributes + # match particular values. All of the keys in the mapping below must exist + # and the values must match the given value. Alternately if the given value + # is None then any value is allowed (the attribute just must exist). + # All of the listed attributes must match for the login to be permitted. + # + #required_attributes: + # userGroup: "staff" + # department: None + + +# Additional settings to use with single-sign on systems such as OpenID Connect, +# SAML2 and CAS. +# +sso: + # A list of client URLs which are whitelisted so that the user does not + # have to confirm giving access to their account to the URL. Any client + # whose URL starts with an entry in the following list will not be subject + # to an additional confirmation step after the SSO login is completed. + # + # WARNING: An entry such as "https://my.client" is insecure, because it + # will also match "https://my.client.evil.site", exposing your users to + # phishing attacks from evil.site. To avoid this, include a slash after the + # hostname: "https://my.client/". + # + # If public_baseurl is set, then the login fallback page (used by clients + # that don't natively support the required login flows) is whitelisted in + # addition to any URLs in this list. + # + # By default, this list is empty. + # + #client_whitelist: + # - https://riot.im/develop + # - https://my.custom.client/ + + # Directory in which Synapse will try to find the template files below. + # If not set, or the files named below are not found within the template + # directory, default templates from within the Synapse package will be used. + # + # Synapse will look for the following templates in this directory: + # + # * HTML page for a confirmation step before redirecting back to the client + # with the login token: 'sso_redirect_confirm.html'. + # + # When rendering, this template is given three variables: + # * redirect_url: the URL the user is about to be redirected to. Needs + # manual escaping (see + # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). + # + # * display_url: the same as `redirect_url`, but with the query + # parameters stripped. The intention is to have a + # human-readable URL to show to users, not to use it as + # the final address to redirect to. Needs manual escaping + # (see https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). + # + # * server_name: the homeserver's name. + # + # * HTML page which notifies the user that they are authenticating to confirm + # an operation on their account during the user interactive authentication + # process: 'sso_auth_confirm.html'. + # + # When rendering, this template is given the following variables: + # * redirect_url: the URL the user is about to be redirected to. Needs + # manual escaping (see + # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). + # + # * description: the operation which the user is being asked to confirm + # + # * HTML page shown after a successful user interactive authentication session: + # 'sso_auth_success.html'. + # + # Note that this page must include the JavaScript which notifies of a successful authentication + # (see https://matrix.org/docs/spec/client_server/r0.6.0#fallback). + # + # This template has no additional variables. + # + # * HTML page shown during single sign-on if a deactivated user (according to Synapse's database) + # attempts to login: 'sso_account_deactivated.html'. + # + # This template has no additional variables. + # + # * HTML page to display to users if something goes wrong during the + # OpenID Connect authentication process: 'sso_error.html'. + # + # When rendering, this template is given two variables: + # * error: the technical name of the error + # * error_description: a human-readable message for the error + # + # You can see the default templates at: + # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates + # + #template_dir: "res/templates" + + +# JSON web token integration. The following settings can be used to make +# Synapse JSON web tokens for authentication, instead of its internal +# password database. +# +# Each JSON Web Token needs to contain a "sub" (subject) claim, which is +# used as the localpart of the mxid. +# +# Additionally, the expiration time ("exp"), not before time ("nbf"), +# and issued at ("iat") claims are validated if present. +# +# Note that this is a non-standard login type and client support is +# expected to be non-existent. +# +# See https://github.com/matrix-org/synapse/blob/master/docs/jwt.md. +# +#jwt_config: + # Uncomment the following to enable authorization using JSON web + # tokens. Defaults to false. + # + #enabled: true + + # This is either the private shared secret or the public key used to + # decode the contents of the JSON web token. + # + # Required if 'enabled' is true. + # + #secret: "provided-by-your-issuer" + + # The algorithm used to sign the JSON web token. + # + # Supported algorithms are listed at + # https://pyjwt.readthedocs.io/en/latest/algorithms.html + # + # Required if 'enabled' is true. + # + #algorithm: "provided-by-your-issuer" + + # The issuer to validate the "iss" claim against. + # + # Optional, if provided the "iss" claim will be required and + # validated for all JSON web tokens. + # + #issuer: "provided-by-your-issuer" + + # A list of audiences to validate the "aud" claim against. + # + # Optional, if provided the "aud" claim will be required and + # validated for all JSON web tokens. + # + # Note that if the "aud" claim is included in a JSON web token then + # validation will fail without configuring audiences. + # + #audiences: + # - "provided-by-your-issuer" + + +password_config: + # Uncomment to disable password login + # + #enabled: false + + # Uncomment to disable authentication against the local password + # database. This is ignored if `enabled` is false, and is only useful + # if you have other password_providers. + # + localdb_enabled: {{ matrix_synapse_password_config_localdb_enabled|to_json }} + + # Uncomment and change to a secret random string for extra security. + # DO NOT CHANGE THIS AFTER INITIAL SETUP! + # + pepper: {{ matrix_synapse_password_config_pepper|string|to_json }} + + # Define and enforce a password policy. Each parameter is optional. + # This is an implementation of MSC2000. + # + policy: + # Whether to enforce the password policy. + # Defaults to 'false'. + # + #enabled: true + + # Minimum accepted length for a password. + # Defaults to 0. + # + #minimum_length: 15 + + # Whether a password must contain at least one digit. + # Defaults to 'false'. + # + #require_digit: true + + # Whether a password must contain at least one symbol. + # A symbol is any character that's not a number or a letter. + # Defaults to 'false'. + # + #require_symbol: true + + # Whether a password must contain at least one lowercase letter. + # Defaults to 'false'. + # + #require_lowercase: true + + # Whether a password must contain at least one lowercase letter. + # Defaults to 'false'. + # + #require_uppercase: true + +ui_auth: + # The number of milliseconds to allow a user-interactive authentication + # session to be active. + # + # This defaults to 0, meaning the user is queried for their credentials + # before every action, but this can be overridden to alow a single + # validation to be re-used. This weakens the protections afforded by + # the user-interactive authentication process, by allowing for multiple + # (and potentially different) operations to use the same validation session. + # + # Uncomment below to allow for credential validation to last for 15 + # seconds. + # + #session_timeout: 15000 + + +{% if matrix_synapse_email_enabled %} +# Configuration for sending emails from Synapse. +# +email: + # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'. + # + #smtp_host: mail.server + smtp_host: {{ matrix_synapse_email_smtp_host|string|to_json }} + + # The port on the mail server for outgoing SMTP. Defaults to 25. + # + #smtp_port: 587 + smtp_port: {{ matrix_synapse_email_smtp_port|to_json }} + + # Username/password for authentication to the SMTP server. By default, no + # authentication is attempted. + # + #smtp_user: "exampleusername" + #smtp_pass: "examplepassword" + + # Uncomment the following to require TLS transport security for SMTP. + # By default, Synapse will connect over plain text, and will then switch to + # TLS via STARTTLS *if the SMTP server supports it*. If this option is set, + # Synapse will refuse to connect unless the server supports STARTTLS. + # + #require_transport_security: true + require_transport_security: {{ matrix_synapse_email_smtp_require_transport_security|to_json }} + + # Enable sending emails for messages that the user has missed + # + #enable_notifs: false + enable_notifs: true + + # notif_from defines the "From" address to use when sending emails. + # It must be set if email sending is enabled. + # + # The placeholder '%(app)s' will be replaced by the application name, + # which is normally 'app_name' (below), but may be overridden by the + # Matrix client application. + # + # Note that the placeholder must be written '%(app)s', including the + # trailing 's'. + # + #notif_from: "Your Friendly %(app)s homeserver " + notif_from: {{ matrix_synapse_email_notif_from|string|to_json }} + + # app_name defines the default value for '%(app)s' in notif_from and email + # subjects. It defaults to 'Matrix'. + # + #app_name: my_branded_matrix_server + app_name: Matrix + + # Uncomment the following to disable automatic subscription to email + # notifications for new users. Enabled by default. + # + #notif_for_new_users: false + notif_for_new_users: True + + # Custom URL for client links within the email notifications. By default + # links will be based on "https://matrix.to". + # + # (This setting used to be called riot_base_url; the old name is still + # supported for backwards-compatibility but is now deprecated.) + # + #client_base_url: "http://localhost/riot" + client_base_url: {{ matrix_synapse_email_client_base_url|string|to_json }} + + # Configure the time that a validation email will expire after sending. + # Defaults to 1h. + # + #validation_token_lifetime: 15m + + # Directory in which Synapse will try to find the template files below. + # If not set, or the files named below are not found within the template + # directory, default templates from within the Synapse package will be used. + # + # Synapse will look for the following templates in this directory: + # + # * The contents of email notifications of missed events: 'notif_mail.html' and + # 'notif_mail.txt'. + # + # * The contents of account expiry notice emails: 'notice_expiry.html' and + # 'notice_expiry.txt'. + # + # * The contents of password reset emails sent by the homeserver: + # 'password_reset.html' and 'password_reset.txt' + # + # * An HTML page that a user will see when they follow the link in the password + # reset email. The user will be asked to confirm the action before their + # password is reset: 'password_reset_confirmation.html' + # + # * HTML pages for success and failure that a user will see when they confirm + # the password reset flow using the page above: 'password_reset_success.html' + # and 'password_reset_failure.html' + # + # * The contents of address verification emails sent during registration: + # 'registration.html' and 'registration.txt' + # + # * HTML pages for success and failure that a user will see when they follow + # the link in an address verification email sent during registration: + # 'registration_success.html' and 'registration_failure.html' + # + # * The contents of address verification emails sent when an address is added + # to a Matrix account: 'add_threepid.html' and 'add_threepid.txt' + # + # * HTML pages for success and failure that a user will see when they follow + # the link in an address verification email sent when an address is added + # to a Matrix account: 'add_threepid_success.html' and + # 'add_threepid_failure.html' + # + # You can see the default templates at: + # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates + # + #template_dir: "res/templates" + + # Subjects to use when sending emails from Synapse. + # + # The placeholder '%(app)s' will be replaced with the value of the 'app_name' + # setting above, or by a value dictated by the Matrix client application. + # + # If a subject isn't overridden in this configuration file, the value used as + # its example will be used. + # + #subjects: + + # Subjects for notification emails. + # + # On top of the '%(app)s' placeholder, these can use the following + # placeholders: + # + # * '%(person)s', which will be replaced by the display name of the user(s) + # that sent the message(s), e.g. "Alice and Bob". + # * '%(room)s', which will be replaced by the name of the room the + # message(s) have been sent to, e.g. "My super room". + # + # See the example provided for each setting to see which placeholder can be + # used and how to use them. + # + # Subject to use to notify about one message from one or more user(s) in a + # room which has a name. + #message_from_person_in_room: "[%(app)s] You have a message on %(app)s from %(person)s in the %(room)s room..." + # + # Subject to use to notify about one message from one or more user(s) in a + # room which doesn't have a name. + #message_from_person: "[%(app)s] You have a message on %(app)s from %(person)s..." + # + # Subject to use to notify about multiple messages from one or more users in + # a room which doesn't have a name. + #messages_from_person: "[%(app)s] You have messages on %(app)s from %(person)s..." + # + # Subject to use to notify about multiple messages in a room which has a + # name. + #messages_in_room: "[%(app)s] You have messages on %(app)s in the %(room)s room..." + # + # Subject to use to notify about multiple messages in multiple rooms. + #messages_in_room_and_others: "[%(app)s] You have messages on %(app)s in the %(room)s room and others..." + # + # Subject to use to notify about multiple messages from multiple persons in + # multiple rooms. This is similar to the setting above except it's used when + # the room in which the notification was triggered has no name. + #messages_from_person_and_others: "[%(app)s] You have messages on %(app)s from %(person)s and others..." + # + # Subject to use to notify about an invite to a room which has a name. + #invite_from_person_to_room: "[%(app)s] %(person)s has invited you to join the %(room)s room on %(app)s..." + # + # Subject to use to notify about an invite to a room which doesn't have a + # name. + #invite_from_person: "[%(app)s] %(person)s has invited you to chat on %(app)s..." + + # Subject for emails related to account administration. + # + # On top of the '%(app)s' placeholder, these one can use the + # '%(server_name)s' placeholder, which will be replaced by the value of the + # 'server_name' setting in your Synapse configuration. + # + # Subject to use when sending a password reset email. + #password_reset: "[%(server_name)s] Password reset" + # + # Subject to use when sending a verification email to assert an address's + # ownership. + #email_validation: "[%(server_name)s] Validate your email" +{% endif %} + +# Password providers allow homeserver administrators to integrate +# their Synapse installation with existing authentication methods +# ex. LDAP, external tokens, etc. +# +# For more information and known implementations, please see +# https://github.com/matrix-org/synapse/blob/master/docs/password_auth_providers.md +# +# Note: instances wishing to use SAML or CAS authentication should +# instead use the `saml2_config` or `cas_config` options, +# respectively. +# +# password_providers: +# # Example config for an LDAP auth provider +# - module: "ldap_auth_provider.LdapAuthProvider" +# config: +# enabled: true +# uri: "ldap://ldap.example.com:389" +# start_tls: true +# base: "ou=users,dc=example,dc=com" +# attributes: +# uid: "cn" +# mail: "email" +# name: "givenName" +# #bind_dn: +# #bind_password: +# #filter: "(objectClass=posixAccount)" +{% if matrix_synapse_password_providers_enabled %} +password_providers: +{% if matrix_synapse_ext_password_provider_shared_secret_auth_enabled %} + - module: "shared_secret_authenticator.SharedSecretAuthenticator" + config: + sharedSecret: {{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret|string|to_json }} +{% endif %} +{% if matrix_synapse_ext_password_provider_rest_auth_enabled %} + - module: "rest_auth_provider.RestAuthProvider" + config: + endpoint: {{ matrix_synapse_ext_password_provider_rest_auth_endpoint|string|to_json }} + policy: + registration: + username: + enforceLowercase: {{ matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase }} + profile: + name: {{ matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill }} + login: + profile: + name: {{ matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill }} +{% endif %} +{% if matrix_synapse_ext_password_provider_ldap_enabled %} + - module: "ldap_auth_provider.LdapAuthProvider" + config: + enabled: true + uri: {{ matrix_synapse_ext_password_provider_ldap_uri|string|to_json }} + start_tls: {{ matrix_synapse_ext_password_provider_ldap_start_tls|to_json }} + base: {{ matrix_synapse_ext_password_provider_ldap_base|string|to_json }} + attributes: + uid: {{ matrix_synapse_ext_password_provider_ldap_attributes_uid|string|to_json }} + mail: {{ matrix_synapse_ext_password_provider_ldap_attributes_mail|string|to_json }} + name: {{ matrix_synapse_ext_password_provider_ldap_attributes_name|string|to_json }} + bind_dn: {{ matrix_synapse_ext_password_provider_ldap_bind_dn|string|to_json }} + bind_password: {{ matrix_synapse_ext_password_provider_ldap_bind_password|string|to_json }} + filter: {{ matrix_synapse_ext_password_provider_ldap_filter|string|to_json }} +{% endif %} +{% endif %} + + +## Push ## + +push: + # Clients requesting push notifications can either have the body of + # the message sent in the notification poke along with other details + # like the sender, or just the event ID and room ID (`event_id_only`). + # If clients choose the former, this option controls whether the + # notification request includes the content of the event (other details + # like the sender are still included). For `event_id_only` push, it + # has no effect. + # + # For modern android devices the notification content will still appear + # because it is loaded by the app. iPhone, however will send a + # notification saying only that a message arrived and who it came from. + # + # The default value is "true" to include message details. Uncomment to only + # include the event ID and room ID in push notification payloads. + # + include_content: {{ matrix_synapse_push_include_content|to_json }} + + # When a push notification is received, an unread count is also sent. + # This number can either be calculated as the number of unread messages + # for the user, or the number of *rooms* the user has unread messages in. + # + # The default value is "true", meaning push clients will see the number of + # rooms with unread messages in them. Uncomment to instead send the number + # of unread messages. + # + #group_unread_count_by_room: false + + +# Spam checkers are third-party modules that can block specific actions +# of local users, such as creating rooms and registering undesirable +# usernames, as well as remote users by redacting incoming events. +# +# spam_checker: + #- module: "my_custom_project.SuperSpamChecker" + # config: + # example_option: 'things' + #- module: "some_other_project.BadEventStopper" + # config: + # example_stop_events_from: ['@bad:example.com'] +spam_checker: {{ matrix_synapse_spam_checker|to_json }} + + +## Rooms ## + +# Controls whether locally-created rooms should be end-to-end encrypted by +# default. +# +# Possible options are "all", "invite", and "off". They are defined as: +# +# * "all": any locally-created room +# * "invite": any room created with the "private_chat" or "trusted_private_chat" +# room creation presets +# * "off": this option will take no effect +# +# The default value is "off". +# +# Note that this option will only affect rooms created after it is set. It +# will also not affect rooms created by other servers. +# +#encryption_enabled_by_default_for_room_type: invite + + +# Uncomment to allow non-server-admin users to create groups on this server +# +enable_group_creation: {{ matrix_synapse_enable_group_creation|to_json }} + +# If enabled, non server admins can only create groups with local parts +# starting with this prefix +# +#group_creation_prefix: "unofficial_" + + + +# User Directory configuration +# +# 'enabled' defines whether users can search the user directory. If +# false then empty responses are returned to all queries. Defaults to +# true. +# +# 'search_all_users' defines whether to search all users visible to your HS +# when searching the user directory, rather than limiting to users visible +# in public rooms. Defaults to false. If you set it True, you'll have to +# rebuild the user_directory search indexes, see +# https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md +# +#user_directory: +# enabled: true +# search_all_users: false + + +# User Consent configuration +# +# for detailed instructions, see +# https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md +# +# Parts of this section are required if enabling the 'consent' resource under +# 'listeners', in particular 'template_dir' and 'version'. +# +# 'template_dir' gives the location of the templates for the HTML forms. +# This directory should contain one subdirectory per language (eg, 'en', 'fr'), +# and each language directory should contain the policy document (named as +# '.html') and a success page (success.html). +# +# 'version' specifies the 'current' version of the policy document. It defines +# the version to be served by the consent resource if there is no 'v' +# parameter. +# +# 'server_notice_content', if enabled, will send a user a "Server Notice" +# asking them to consent to the privacy policy. The 'server_notices' section +# must also be configured for this to work. Notices will *not* be sent to +# guest users unless 'send_server_notice_to_guests' is set to true. +# +# 'block_events_error', if set, will block any attempts to send events +# until the user consents to the privacy policy. The value of the setting is +# used as the text of the error. +# +# 'require_at_registration', if enabled, will add a step to the registration +# process, similar to how captcha works. Users will be required to accept the +# policy before their account is created. +# +# 'policy_name' is the display name of the policy users will see when registering +# for an account. Has no effect unless `require_at_registration` is enabled. +# Defaults to "Privacy Policy". +# +#user_consent: +# template_dir: res/templates/privacy +# version: 1.0 +# server_notice_content: +# msgtype: m.text +# body: >- +# To continue using this homeserver you must review and agree to the +# terms and conditions at %(consent_uri)s +# send_server_notice_to_guests: True +# block_events_error: >- +# To continue using this homeserver you must review and agree to the +# terms and conditions at %(consent_uri)s +# require_at_registration: False +# policy_name: Privacy Policy +# + + + +# Local statistics collection. Used in populating the room directory. +# +# 'bucket_size' controls how large each statistics timeslice is. It can +# be defined in a human readable short form -- e.g. "1d", "1y". +# +# 'retention' controls how long historical statistics will be kept for. +# It can be defined in a human readable short form -- e.g. "1d", "1y". +# +# +#stats: +# enabled: true +# bucket_size: 1d +# retention: 1y + + +# Server Notices room configuration +# +# Uncomment this section to enable a room which can be used to send notices +# from the server to users. It is a special room which cannot be left; notices +# come from a special "notices" user id. +# +# If you uncomment this section, you *must* define the system_mxid_localpart +# setting, which defines the id of the user which will be used to send the +# notices. +# +# It's also possible to override the room name, the display name of the +# "notices" user, and the avatar for the user. +# +#server_notices: +# system_mxid_localpart: notices +# system_mxid_display_name: "Server Notices" +# system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ" +# room_name: "Server Notices" + + + +# Uncomment to disable searching the public room list. When disabled +# blocks searching local and remote room lists for local and remote +# users by always returning an empty list for all queries. +# +#enable_room_list_search: false + +enable_room_list_search: {{ matrix_synapse_enable_room_list_search|to_json }} + +# The `alias_creation` option controls who's allowed to create aliases +# on this server. +# +# The format of this option is a list of rules that contain globs that +# match against user_id, room_id and the new alias (fully qualified with +# server name). The action in the first rule that matches is taken, +# which can currently either be "allow" or "deny". +# +# Missing user_id/room_id/alias fields default to "*". +# +# If no rules match the request is denied. An empty list means no one +# can create aliases. +# +# Options for the rules include: +# +# user_id: Matches against the creator of the alias +# alias: Matches against the alias being created +# room_id: Matches against the room ID the alias is being pointed at +# action: Whether to "allow" or "deny" the request if the rule matches +# +# The default is: +# +#alias_creation_rules: +# - user_id: "*" +# alias: "*" +# room_id: "*" +# action: allow + +alias_creation_rules: {{ matrix_synapse_alias_creation_rules|to_json }} + +# The `room_list_publication_rules` option controls who can publish and +# which rooms can be published in the public room list. +# +# The format of this option is the same as that for +# `alias_creation_rules`. +# +# If the room has one or more aliases associated with it, only one of +# the aliases needs to match the alias rule. If there are no aliases +# then only rules with `alias: *` match. +# +# If no rules match the request is denied. An empty list means no one +# can publish rooms. +# +# Options for the rules include: +# +# user_id: Matches against the creator of the alias +# room_id: Matches against the room ID being published +# alias: Matches against any current local or canonical aliases +# associated with the room +# action: Whether to "allow" or "deny" the request if the rule matches +# +# The default is: +# +#room_list_publication_rules: +# - user_id: "*" +# alias: "*" +# room_id: "*" +# action: allow + +room_list_publication_rules: {{ matrix_synapse_room_list_publication_rules|to_json }} + + +# Server admins can define a Python module that implements extra rules for +# allowing or denying incoming events. In order to work, this module needs to +# override the methods defined in synapse/events/third_party_rules.py. +# +# This feature is designed to be used in closed federations only, where each +# participating server enforces the same rules. +# +#third_party_event_rules: +# module: "my_custom_project.SuperRulesSet" +# config: +# example_option: 'things' + + +## Opentracing ## + +# These settings enable opentracing, which implements distributed tracing. +# This allows you to observe the causal chains of events across servers +# including requests, key lookups etc., across any server running +# synapse or any other other services which supports opentracing +# (specifically those implemented with Jaeger). +# +opentracing: + # tracing is disabled by default. Uncomment the following line to enable it. + # + #enabled: true + + # The list of homeservers we wish to send and receive span contexts and span baggage. + # See docs/opentracing.rst + # This is a list of regexes which are matched against the server_name of the + # homeserver. + # + # By default, it is empty, so no servers are matched. + # + #homeserver_whitelist: + # - ".*" + + # Jaeger can be configured to sample traces at different rates. + # All configuration options provided by Jaeger can be set here. + # Jaeger's configuration mostly related to trace sampling which + # is documented here: + # https://www.jaegertracing.io/docs/1.13/sampling/. + # + #jaeger_config: + # sampler: + # type: const + # param: 1 + + # Logging whether spans were started and reported + # + # logging: + # false + + +## Workers ## + +# Disables sending of outbound federation transactions on the main process. +# Uncomment if using a federation sender worker. +# +#send_federation: false + +# It is possible to run multiple federation sender workers, in which case the +# work is balanced across them. +# +# This configuration must be shared between all federation sender workers, and if +# changed all federation sender workers must be stopped at the same time and then +# started, to ensure that all instances are running with the same config (otherwise +# events may be dropped). +# +#federation_sender_instances: +# - federation_sender1 + +# When using workers this should be a map from `worker_name` to the +# HTTP replication listener of the worker, if configured. +# +#instance_map: +# worker1: +# host: localhost +# port: 8034 + +# Experimental: When using workers you can define which workers should +# handle event persistence and typing notifications. Any worker +# specified here must also be in the `instance_map`. +# +#stream_writers: +# events: worker1 +# typing: worker1 + +# The worker that is used to run background tasks (e.g. cleaning up expired +# data). If not provided this defaults to the main process. +# +#run_background_tasks_on: worker1 + +# A shared secret used by the replication APIs to authenticate HTTP requests +# from workers. +# +# By default this is unused and traffic is not authenticated. +# +#worker_replication_secret: "" + + +# Configuration for Redis when using workers. This *must* be enabled when +# using workers (unless using old style direct TCP configuration). +# +redis: + # Uncomment the below to enable Redis support. + # + #enabled: true + + # Optional host and port to use to connect to redis. Defaults to + # localhost and 6379 + # + #host: localhost + #port: 6379 + + # Optional password if configured on the Redis instance + # + #password: + +# vim:ft=yaml diff --git a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 new file mode 100644 index 000000000..66a7c1f82 --- /dev/null +++ b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 @@ -0,0 +1,58 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Dendrite server +{% for service in matrix_dendrite_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_dendrite_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dendrite +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dendrite +{% if matrix_s3_media_store_enabled %} +# Allow for some time before starting, so that media store can mount. +# Mounting can happen later too, but if we start writing, +# we'd write files to the local filesystem and fusermount will complain. +ExecStartPre={{ matrix_host_command_sleep }} 3 +{% endif %} + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_dendrite_tmp_directory_size_mb }}m \ + --network={{ matrix_docker_network }} \ + {% if matrix_dendrite_container_client_api_host_bind_port %} + -p {{ matrix_dendrite_container_client_api_host_bind_port }}:8008 \ + {% endif %} + {% if matrix_dendrite_container_federation_api_tls_host_bind_port %} + -p {{ matrix_dendrite_container_federation_api_tls_host_bind_port }}:8448 \ + {% endif %} + --mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data,ro \ + --mount type=bind,src={{ matrix_dendrite_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \ + --mount type=bind,src={{ matrix_dendrite_log_path }},dst=/var/log/dendrite,bind-propagation=slave \ + {% for volume in matrix_dendrite_container_additional_volumes %} + -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ + {% endfor %} + {% for arg in matrix_dendrite_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_dendrite_docker_image }} \ + --config /data/dendrite.yaml + +ExecStop=-{{ matrix_host_command_docker }} kill matrix-dendrite +ExecStop=-{{ matrix_host_command_docker }} rm matrix-dendrite +ExecReload={{ matrix_host_command_docker }} exec matrix-dendrite kill -HUP 1 +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-dendrite + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 b/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 new file mode 100644 index 000000000..ebacb681c --- /dev/null +++ b/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 @@ -0,0 +1,12 @@ +#jinja2: lstrip_blocks: "True" +#!/bin/bash + +if [ $# -ne 2 ]; then + echo "Usage: "$0" " + exit 1 +fi + +user=$1 +password=$2 + +docker exec matrix-dendrite create-account --config /data/dendrite.yaml --user "$user" --password "$password" diff --git a/roles/matrix-dendrite/templates/goofys/env-goofys.j2 b/roles/matrix-dendrite/templates/goofys/env-goofys.j2 new file mode 100644 index 000000000..2955efdd8 --- /dev/null +++ b/roles/matrix-dendrite/templates/goofys/env-goofys.j2 @@ -0,0 +1,3 @@ +#jinja2: lstrip_blocks: "True" +AWS_ACCESS_KEY={{ matrix_s3_media_store_aws_access_key }} +AWS_SECRET_KEY={{ matrix_s3_media_store_aws_secret_key }} diff --git a/roles/matrix-dendrite/templates/goofys/systemd/matrix-goofys.service.j2 b/roles/matrix-dendrite/templates/goofys/systemd/matrix-goofys.service.j2 new file mode 100644 index 000000000..44ec3d4a0 --- /dev/null +++ b/roles/matrix-dendrite/templates/goofys/systemd/matrix-goofys.service.j2 @@ -0,0 +1,39 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Goofys media store +After=docker.service +Requires=docker.service +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_docker }} kill %n +ExecStartPre=-{{ matrix_host_command_docker }} rm %n + +ExecStart={{ matrix_host_command_docker }} run --rm --name %n \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --mount type=bind,src=/etc/passwd,dst=/etc/passwd,ro \ + --mount type=bind,src=/etc/group,dst=/etc/group,ro \ + --mount type=bind,src={{ matrix_dendrite_media_store_path }},dst=/s3,bind-propagation=shared \ + --security-opt apparmor:unconfined \ + --cap-add mknod \ + --cap-add sys_admin \ + --device=/dev/fuse \ + --env-file={{ matrix_dendrite_config_dir_path }}/env-goofys \ + --entrypoint /bin/sh \ + {{ matrix_s3_goofys_docker_image }} \ + -c 'goofys -f{% if not matrix_s3_media_store_custom_endpoint_enabled %} --storage-class=STANDARD_IA{% endif %}{% if matrix_s3_media_store_custom_endpoint_enabled %} --endpoint={{ matrix_s3_media_store_custom_endpoint }}{% endif %} --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3' + +TimeoutStartSec=5min +ExecStop=-{{ matrix_host_command_docker }} stop %n +ExecStop=-{{ matrix_host_command_docker }} kill %n +ExecStop=-{{ matrix_host_command_docker }} rm %n +ExecStop=-{{ matrix_host_command_fusermount }} -u {{ matrix_dendrite_media_store_path }} +Restart=always +RestartSec=5 +SyslogIdentifier=matrix-goofys + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-dendrite/vars/main.yml b/roles/matrix-dendrite/vars/main.yml new file mode 100644 index 000000000..60d5f4eb5 --- /dev/null +++ b/roles/matrix-dendrite/vars/main.yml @@ -0,0 +1,11 @@ +--- +matrix_dendrite_client_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/client/versions" +matrix_dendrite_federation_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version" + +# Tells whether this role had executed or not. Toggled to `true` during runtime. +matrix_dendrite_role_executed: false + +matrix_dendrite_media_store_parent_path: "{{ matrix_dendrite_media_store_path|dirname }}" +matrix_dendrite_media_store_directory_name: "{{ matrix_dendrite_media_store_path|basename }}" + +matrix_dendrite_signing_key_file_name: "{{ matrix_dendrite_signing_key|basename }}" diff --git a/setup.yml b/setup.yml index 54e6c4089..aa1ea68b4 100755 --- a/setup.yml +++ b/setup.yml @@ -41,6 +41,7 @@ - matrix-bot-go-neb - matrix-bot-mjolnir - matrix-synapse + - matrix-dendrite - matrix-synapse-admin - matrix-prometheus-node-exporter - matrix-prometheus From fc62537fcfd119c1bee509dc54775f5a3e8e1feb Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sun, 31 Jan 2021 01:25:50 -0600 Subject: [PATCH 072/144] Remove Synapse and Goofys stuff --- roles/matrix-dendrite/defaults/main.yml | 10 - roles/matrix-dendrite/tasks/goofys/setup.yml | 7 - .../tasks/goofys/setup_install.yml | 41 - .../tasks/goofys/setup_uninstall.yml | 33 - .../tasks/import_media_store.yml | 81 - roles/matrix-dendrite/tasks/main.yml | 5 - .../matrix-dendrite/tasks/setup_dendrite.yml | 2 - .../templates/dendrite/homeserver.yaml.j2 | 2682 ----------------- .../templates/goofys/env-goofys.j2 | 3 - .../goofys/systemd/matrix-goofys.service.j2 | 39 - 10 files changed, 2903 deletions(-) delete mode 100644 roles/matrix-dendrite/tasks/goofys/setup.yml delete mode 100644 roles/matrix-dendrite/tasks/goofys/setup_install.yml delete mode 100644 roles/matrix-dendrite/tasks/goofys/setup_uninstall.yml delete mode 100644 roles/matrix-dendrite/tasks/import_media_store.yml delete mode 100644 roles/matrix-dendrite/templates/dendrite/homeserver.yaml.j2 delete mode 100644 roles/matrix-dendrite/templates/goofys/env-goofys.j2 delete mode 100644 roles/matrix-dendrite/templates/goofys/systemd/matrix-goofys.service.j2 diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index 78bc9bb81..d231553e6 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -110,16 +110,6 @@ matrix_dendrite_turn_uris: [] matrix_dendrite_turn_shared_secret: "" matrix_dendrite_turn_allow_guests: False -matrix_s3_media_store_enabled: false -matrix_s3_media_store_custom_endpoint_enabled: false -matrix_s3_goofys_docker_image: "ewoutp/goofys:latest" -matrix_s3_goofys_docker_image_force_pull: "{{ matrix_s3_goofys_docker_image.endswith(':latest') }}" -matrix_s3_media_store_custom_endpoint: "your-custom-endpoint" -matrix_s3_media_store_bucket_name: "your-bucket-name" -matrix_s3_media_store_aws_access_key: "your-aws-access-key" -matrix_s3_media_store_aws_secret_key: "your-aws-secret-key" -matrix_s3_media_store_region: "eu-central-1" - # Controls whether the self-check feature should validate TLS certificates. matrix_dendrite_disable_tls_validation: false diff --git a/roles/matrix-dendrite/tasks/goofys/setup.yml b/roles/matrix-dendrite/tasks/goofys/setup.yml deleted file mode 100644 index 6370408d0..000000000 --- a/roles/matrix-dendrite/tasks/goofys/setup.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- import_tasks: "{{ role_path }}/tasks/goofys/setup_install.yml" - when: matrix_s3_media_store_enabled|bool - -- import_tasks: "{{ role_path }}/tasks/goofys/setup_uninstall.yml" - when: "not matrix_s3_media_store_enabled|bool" diff --git a/roles/matrix-dendrite/tasks/goofys/setup_install.yml b/roles/matrix-dendrite/tasks/goofys/setup_install.yml deleted file mode 100644 index 4917440b8..000000000 --- a/roles/matrix-dendrite/tasks/goofys/setup_install.yml +++ /dev/null @@ -1,41 +0,0 @@ -- name: Ensure Goofys Docker image is pulled - docker_image: - name: "{{ matrix_s3_goofys_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_s3_goofys_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_s3_goofys_docker_image_force_pull }}" - -# This will throw a Permission Denied error if already mounted -- name: Check Matrix Goofys external storage mountpoint path - stat: - path: "{{ matrix_dendrite_media_store_path }}" - register: local_path_matrix_dendrite_media_store_path_stat - ignore_errors: yes - -- name: Ensure Matrix Goofys external storage mountpoint exists - file: - path: "{{ matrix_dendrite_media_store_path if matrix_dendrite_enabled else matrix_dendrite_media_store_path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: "not local_path_matrix_dendrite_media_store_path_stat.failed and not local_path_matrix_dendrite_media_store_path_stat.stat.exists" - -- name: Ensure goofys environment variables file created - template: - src: "{{ role_path }}/templates/goofys/env-goofys.j2" - dest: "{{ matrix_dendrite_config_dir_path }}/env-goofys" - owner: root - mode: 0600 - -- name: Ensure matrix-goofys.service installed - template: - src: "{{ role_path }}/templates/goofys/systemd/matrix-goofys.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-goofys.service" - mode: 0644 - register: matrix_goofys_systemd_service_result - -- name: Ensure systemd reloaded after matrix-goofys.service installation - service: - daemon_reload: yes - when: "matrix_goofys_systemd_service_result.changed" diff --git a/roles/matrix-dendrite/tasks/goofys/setup_uninstall.yml b/roles/matrix-dendrite/tasks/goofys/setup_uninstall.yml deleted file mode 100644 index b7f972ad4..000000000 --- a/roles/matrix-dendrite/tasks/goofys/setup_uninstall.yml +++ /dev/null @@ -1,33 +0,0 @@ -- name: Check existence of matrix-goofys service - stat: - path: "{{ matrix_systemd_path }}/matrix-goofys.service" - register: matrix_goofys_service_stat - -- name: Ensure matrix-goofys is stopped - service: - name: matrix-goofys - state: stopped - daemon_reload: yes - register: stopping_result - when: "matrix_goofys_service_stat.stat.exists" - -- name: Ensure matrix-goofys.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-goofys.service" - state: absent - when: "matrix_goofys_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-goofys.service removal - service: - daemon_reload: yes - when: "matrix_goofys_service_stat.stat.exists" - -- name: Ensure goofys environment variables file doesn't exist - file: - path: "{{ matrix_dendrite_config_dir_path }}/env-goofys" - state: absent - -- name: Ensure Goofys Docker image doesn't exist - docker_image: - name: "{{ matrix_s3_goofys_docker_image }}" - state: absent diff --git a/roles/matrix-dendrite/tasks/import_media_store.yml b/roles/matrix-dendrite/tasks/import_media_store.yml deleted file mode 100644 index 9eaa6c0c9..000000000 --- a/roles/matrix-dendrite/tasks/import_media_store.yml +++ /dev/null @@ -1,81 +0,0 @@ ---- -# Pre-checks - -- name: Fail if playbook called incorrectly - fail: - msg: "The `server_path_media_store` variable needs to be provided to this playbook, via --extra-vars" - when: "server_path_media_store is not defined or server_path_media_store.startswith('<')" - -- name: Fail if media store is on Amazon S3 - fail: - msg: "Your media store is on Amazon S3. Due to technical limitations, restoring is not supported." - when: matrix_s3_media_store_enabled|bool - -- name: Check if the provided media store directory exists - stat: - path: "{{ server_path_media_store }}" - register: server_path_media_store_stat - -- name: Fail if provided media store directory doesn't exist on the server - fail: - msg: "{{ server_path_media_store }} cannot be found on the server" - when: "not server_path_media_store_stat.stat.exists or not server_path_media_store_stat.stat.isdir" - -- name: Check if media store contains local_content - stat: - path: "{{ server_path_media_store }}/local_content" - register: server_path_media_store_local_content_stat - -- name: Check if media store contains remote_content - stat: - path: "{{ server_path_media_store }}/remote_content" - register: server_path_media_store_remote_content_stat - -- name: Fail if media store directory doesn't look okay (lacking remote and local content) - fail: - msg: "{{ server_path_media_store }} contains neither local_content nor remote_content directories. It's most likely a mistake and is not a media store directory." - when: "not server_path_media_store_local_content_stat.stat.exists and not server_path_media_store_remote_content_stat.stat.exists" - -# Actual import work - -- name: Ensure matrix-dendrite is stopped - service: - name: matrix-dendrite - state: stopped - daemon_reload: yes - register: stopping_result - -# This can only work with local files, not if the media store is on Amazon S3, -# as it won't be accessible in such a case. -- name: Ensure provided media store directory is synchronized - synchronize: - src: "{{ server_path_media_store }}/" - dest: "{{ matrix_dendrite_media_store_path }}" - delete: yes - # It's wasteful to preserve owner/group now. We chown below anyway. - owner: no - group: no - times: yes - delegate_to: "{{ inventory_hostname }}" - -# This is for the generic case and fails in other cases (remote file systems), -# because in such cases the base path (matrix_dendrite_media_store_path) is a mount point. -- name: Ensure media store permissions are correct (generic case) - file: - path: "{{ matrix_dendrite_media_store_path }}" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - recurse: yes - when: "not matrix_s3_media_store_enabled|bool" - -# We don't chown for Goofys, because due to the way it's mounted, -# all files become owned by whoever needs to own them. - -- name: Ensure Dendrite is started (if it previously was) - service: - name: "{{ item }}" - state: started - daemon_reload: yes - when: "stopping_result.changed" - with_items: - - matrix-dendrite diff --git a/roles/matrix-dendrite/tasks/main.yml b/roles/matrix-dendrite/tasks/main.yml index a52374423..6c25f1906 100644 --- a/roles/matrix-dendrite/tasks/main.yml +++ b/roles/matrix-dendrite/tasks/main.yml @@ -14,11 +14,6 @@ - setup-all - setup-dendrite -- import_tasks: "{{ role_path }}/tasks/import_media_store.yml" - when: run_dendrite_import_media_store|bool - tags: - - import-dendrite-media-store - - import_tasks: "{{ role_path }}/tasks/register_user.yml" when: run_dendrite_register_user|bool tags: diff --git a/roles/matrix-dendrite/tasks/setup_dendrite.yml b/roles/matrix-dendrite/tasks/setup_dendrite.yml index 920ca184b..9fa8f5664 100644 --- a/roles/matrix-dendrite/tasks/setup_dendrite.yml +++ b/roles/matrix-dendrite/tasks/setup_dendrite.yml @@ -15,5 +15,3 @@ when: "(matrix_dendrite_enabled|bool or matrix_s3_media_store_enabled|bool) and item.when" - import_tasks: "{{ role_path }}/tasks/dendrite/setup.yml" - -- import_tasks: "{{ role_path }}/tasks/goofys/setup.yml" diff --git a/roles/matrix-dendrite/templates/dendrite/homeserver.yaml.j2 b/roles/matrix-dendrite/templates/dendrite/homeserver.yaml.j2 deleted file mode 100644 index fe28779c5..000000000 --- a/roles/matrix-dendrite/templates/dendrite/homeserver.yaml.j2 +++ /dev/null @@ -1,2682 +0,0 @@ -#jinja2: lstrip_blocks: "True" -# Configuration file for Synapse. -# -# This is a YAML file: see [1] for a quick introduction. Note in particular -# that *indentation is important*: all the elements of a list or dictionary -# should have the same indentation. -# -# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html - -## Server ## - -# The public-facing domain of the server -# -# The server_name name will appear at the end of usernames and room addresses -# created on this server. For example if the server_name was example.com, -# usernames on this server would be in the format @user:example.com -# -# In most cases you should avoid using a matrix specific subdomain such as -# matrix.example.com or synapse.example.com as the server_name for the same -# reasons you wouldn't use user@email.example.com as your email address. -# See https://github.com/matrix-org/synapse/blob/master/docs/delegate.md -# for information on how to host Synapse on a subdomain while preserving -# a clean server_name. -# -# The server_name cannot be changed later so it is important to -# configure this correctly before you start Synapse. It should be all -# lowercase and may contain an explicit port. -# Examples: matrix.org, localhost:8080 -# -server_name: "{{ matrix_domain }}" - -# When running as a daemon, the file to store the pid in -# -pid_file: /homeserver.pid - -# The absolute URL to the web client which /_matrix/client will redirect -# to if 'webclient' is configured under the 'listeners' configuration. -# -# This option can be also set to the filesystem path to the web client -# which will be served at /_matrix/client/ if 'webclient' is configured -# under the 'listeners' configuration, however this is a security risk: -# https://github.com/matrix-org/synapse#security-note -# -#web_client_location: https://riot.example.com/ - -# The public-facing base URL that clients use to access this HS -# (not including _matrix/...). This is the same URL a user would -# enter into the 'custom HS URL' field on their client. If you -# use synapse with a reverse proxy, this should be the URL to reach -# synapse via the proxy. -# -public_baseurl: https://{{ matrix_server_fqn_matrix }}/ - -# Set the soft limit on the number of file descriptors synapse can use -# Zero is used to indicate synapse should set the soft limit to the -# hard limit. -# -#soft_file_limit: 0 - -# Set to false to disable presence tracking on this homeserver. -# -use_presence: {{ matrix_synapse_use_presence|to_json }} - -# Whether to require authentication to retrieve profile data (avatars, -# display names) of other users through the client API. Defaults to -# 'false'. Note that profile data is also available via the federation -# API, so this setting is of limited value if federation is enabled on -# the server. -# -#require_auth_for_profile_requests: true - -# Uncomment to require a user to share a room with another user in order -# to retrieve their profile information. Only checked on Client-Server -# requests. Profile requests from other servers should be checked by the -# requesting server. Defaults to 'false'. -# -#limit_profile_requests_to_users_who_share_rooms: true - -# If set to 'true', removes the need for authentication to access the server's -# public rooms directory through the client API, meaning that anyone can -# query the room directory. Defaults to 'false'. -# -allow_public_rooms_without_auth: {{ matrix_synapse_allow_public_rooms_without_auth|to_json }} - -# If set to 'true', allows any other homeserver to fetch the server's public -# rooms directory via federation. Defaults to 'false'. -# -allow_public_rooms_over_federation: {{ matrix_synapse_allow_public_rooms_over_federation|to_json }} - -# The default room version for newly created rooms. -# -# Known room versions are listed here: -# https://matrix.org/docs/spec/#complete-list-of-room-versions -# -# For example, for room version 1, default_room_version should be set -# to "1". -# -default_room_version: {{ matrix_synapse_default_room_version|to_json }} - -# The GC threshold parameters to pass to `gc.set_threshold`, if defined -# -#gc_thresholds: [700, 10, 10] - -# Set the limit on the returned events in the timeline in the get -# and sync operations. The default value is 100. -1 means no upper limit. -# -# Uncomment the following to increase the limit to 5000. -# -#filter_timeline_limit: 5000 - -# Whether room invites to users on this server should be blocked -# (except those sent by local server admins). The default is False. -# -#block_non_admin_invites: True - -# Room searching -# -# If disabled, new messages will not be indexed for searching and users -# will receive errors when searching for messages. Defaults to enabled. -# -#enable_search: false - -# Prevent outgoing requests from being sent to the following blacklisted IP address -# CIDR ranges. If this option is not specified then it defaults to private IP -# address ranges (see the example below). -# -# The blacklist applies to the outbound requests for federation, identity servers, -# push servers, and for checking key validity for third-party invite events. -# -# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly -# listed here, since they correspond to unroutable addresses.) -# -# This option replaces federation_ip_range_blacklist in Synapse v1.25.0. -# -#ip_range_blacklist: -# - '127.0.0.0/8' -# - '10.0.0.0/8' -# - '172.16.0.0/12' -# - '192.168.0.0/16' -# - '100.64.0.0/10' -# - '192.0.0.0/24' -# - '169.254.0.0/16' -# - '198.18.0.0/15' -# - '192.0.2.0/24' -# - '198.51.100.0/24' -# - '203.0.113.0/24' -# - '224.0.0.0/4' -# - '::1/128' -# - 'fe80::/10' -# - 'fc00::/7' - -# List of IP address CIDR ranges that should be allowed for federation, -# identity servers, push servers, and for checking key validity for -# third-party invite events. This is useful for specifying exceptions to -# wide-ranging blacklisted target IP ranges - e.g. for communication with -# a push server only visible in your network. -# -# This whitelist overrides ip_range_blacklist and defaults to an empty -# list. -# -#ip_range_whitelist: -# - '192.168.1.1' - -# List of ports that Synapse should listen on, their purpose and their -# configuration. -# -# Options for each listener include: -# -# port: the TCP port to bind to -# -# bind_addresses: a list of local addresses to listen on. The default is -# 'all local interfaces'. -# -# type: the type of listener. Normally 'http', but other valid options are: -# 'manhole' (see docs/manhole.md), -# 'metrics' (see docs/metrics-howto.md), -# 'replication' (see docs/workers.md). -# -# tls: set to true to enable TLS for this listener. Will use the TLS -# key/cert specified in tls_private_key_path / tls_certificate_path. -# -# x_forwarded: Only valid for an 'http' listener. Set to true to use the -# X-Forwarded-For header as the client IP. Useful when Synapse is -# behind a reverse-proxy. -# -# resources: Only valid for an 'http' listener. A list of resources to host -# on this port. Options for each resource are: -# -# names: a list of names of HTTP resources. See below for a list of -# valid resource names. -# -# compress: set to true to enable HTTP compression for this resource. -# -# additional_resources: Only valid for an 'http' listener. A map of -# additional endpoints which should be loaded via dynamic modules. -# -# Valid resource names are: -# -# client: the client-server API (/_matrix/client), and the synapse admin -# API (/_synapse/admin). Also implies 'media' and 'static'. -# -# consent: user consent forms (/_matrix/consent). See -# docs/consent_tracking.md. -# -# federation: the server-server API (/_matrix/federation). Also implies -# 'media', 'keys', 'openid' -# -# keys: the key discovery API (/_matrix/keys). -# -# media: the media API (/_matrix/media). -# -# metrics: the metrics interface. See docs/metrics-howto.md. -# -# openid: OpenID authentication. -# -# replication: the HTTP replication API (/_synapse/replication). See -# docs/workers.md. -# -# static: static resources under synapse/static (/_matrix/static). (Mostly -# useful for 'fallback authentication'.) -# -# webclient: A web client. Requires web_client_location to be set. -# -listeners: -{% if matrix_synapse_metrics_enabled %} - - type: metrics - port: {{ matrix_synapse_metrics_port }} - bind_addresses: - - '0.0.0.0' -{% endif %} - -{% if matrix_synapse_federation_port_enabled and matrix_synapse_tls_federation_listener_enabled %} - # TLS-enabled listener: for when matrix traffic is sent directly to synapse. - - port: 8448 - tls: true - bind_addresses: ['::'] - type: http - x_forwarded: false - - resources: - - names: {{ matrix_synapse_federation_listener_resource_names|to_json }} - compress: false -{% endif %} - - # Unsecure HTTP listener (Client API): for when matrix traffic passes through a reverse proxy - # that unwraps TLS. - - port: 8008 - tls: false - bind_addresses: ['::'] - type: http - x_forwarded: true - - resources: - - names: {{ matrix_synapse_http_listener_resource_names|to_json }} - compress: false - -{% if matrix_synapse_federation_port_enabled %} - # Unsecure HTTP listener (Federation API): for when matrix traffic passes through a reverse proxy - # that unwraps TLS. - - port: 8048 - tls: false - bind_addresses: ['::'] - type: http - x_forwarded: true - - resources: - - names: {{ matrix_synapse_federation_listener_resource_names|to_json }} - compress: false -{% endif %} - -{% if matrix_synapse_manhole_enabled %} - # Turn on the twisted ssh manhole service on localhost on the given - # port. - - port: 9000 - bind_addresses: ['0.0.0.0'] - type: manhole -{% endif %} - - -# Forward extremities can build up in a room due to networking delays between -# homeservers. Once this happens in a large room, calculation of the state of -# that room can become quite expensive. To mitigate this, once the number of -# forward extremities reaches a given threshold, Synapse will send an -# org.matrix.dummy_event event, which will reduce the forward extremities -# in the room. -# -# This setting defines the threshold (i.e. number of forward extremities in the -# room) at which dummy events are sent. The default value is 10. -# -#dummy_events_threshold: 5 - - -## Homeserver blocking ## - -# How to reach the server admin, used in ResourceLimitError -# -#admin_contact: 'mailto:admin@server.com' - -# Global blocking -# -#hs_disabled: False -#hs_disabled_message: 'Human readable reason for why the HS is blocked' -#hs_disabled_limit_type: 'error code(str), to help clients decode reason' - -# Monthly Active User Blocking -# -# Used in cases where the admin or server owner wants to limit to the -# number of monthly active users. -# -# 'limit_usage_by_mau' disables/enables monthly active user blocking. When -# enabled and a limit is reached the server returns a 'ResourceLimitError' -# with error type Codes.RESOURCE_LIMIT_EXCEEDED -# -# 'max_mau_value' is the hard limit of monthly active users above which -# the server will start blocking user actions. -# -# 'mau_trial_days' is a means to add a grace period for active users. It -# means that users must be active for this number of days before they -# can be considered active and guards against the case where lots of users -# sign up in a short space of time never to return after their initial -# session. -# -#limit_usage_by_mau: False -#max_mau_value: 50 -#mau_trial_days: 2 - -# If enabled, the metrics for the number of monthly active users will -# be populated, however no one will be limited. If limit_usage_by_mau -# is true, this is implied to be true. -# -#mau_stats_only: False - -# Sometimes the server admin will want to ensure certain accounts are -# never blocked by mau checking. These accounts are specified here. -# -#mau_limit_reserved_threepids: -# - medium: 'email' -# address: 'reserved_user@example.com' - -# Used by phonehome stats to group together related servers. -#server_context: context - -# Resource-constrained homeserver settings -# -# When this is enabled, the room "complexity" will be checked before a user -# joins a new remote room. If it is above the complexity limit, the server will -# disallow joining, or will instantly leave. -# -# Room complexity is an arbitrary measure based on factors such as the number of -# users in the room. -# -limit_remote_rooms: - # Uncomment to enable room complexity checking. - # - #enabled: true - - # the limit above which rooms cannot be joined. The default is 1.0. - # - #complexity: 0.5 - - # override the error which is returned when the room is too complex. - # - #complexity_error: "This room is too complex." - - # allow server admins to join complex rooms. Default is false. - # - #admins_can_join: true - -# Whether to require a user to be in the room to add an alias to it. -# Defaults to 'true'. -# -#require_membership_for_aliases: false - -# Whether to allow per-room membership profiles through the send of membership -# events with profile information that differ from the target's global profile. -# Defaults to 'true'. -# -#allow_per_room_profiles: false - -# How long to keep redacted events in unredacted form in the database. After -# this period redacted events get replaced with their redacted form in the DB. -# -# Defaults to `7d`. Set to `null` to disable. -# -#redaction_retention_period: 28d - -redaction_retention_period: {{ matrix_synapse_redaction_retention_period }} - -# How long to track users' last seen time and IPs in the database. -# -# Defaults to `28d`. Set to `null` to disable clearing out of old rows. -# -#user_ips_max_age: 14d - -user_ips_max_age: {{ matrix_synapse_user_ips_max_age }} - -# Message retention policy at the server level. -# -# Room admins and mods can define a retention period for their rooms using the -# 'm.room.retention' state event, and server admins can cap this period by setting -# the 'allowed_lifetime_min' and 'allowed_lifetime_max' config options. -# -# If this feature is enabled, Synapse will regularly look for and purge events -# which are older than the room's maximum retention period. Synapse will also -# filter events received over federation so that events that should have been -# purged are ignored and not stored again. -# -retention: - # The message retention policies feature is disabled by default. Uncomment the - # following line to enable it. - # - #enabled: true - - # Default retention policy. If set, Synapse will apply it to rooms that lack the - # 'm.room.retention' state event. Currently, the value of 'min_lifetime' doesn't - # matter much because Synapse doesn't take it into account yet. - # - #default_policy: - # min_lifetime: 1d - # max_lifetime: 1y - - # Retention policy limits. If set, and the state of a room contains a - # 'm.room.retention' event in its state which contains a 'min_lifetime' or a - # 'max_lifetime' that's out of these bounds, Synapse will cap the room's policy - # to these limits when running purge jobs. - # - #allowed_lifetime_min: 1d - #allowed_lifetime_max: 1y - - # Server admins can define the settings of the background jobs purging the - # events which lifetime has expired under the 'purge_jobs' section. - # - # If no configuration is provided, a single job will be set up to delete expired - # events in every room daily. - # - # Each job's configuration defines which range of message lifetimes the job - # takes care of. For example, if 'shortest_max_lifetime' is '2d' and - # 'longest_max_lifetime' is '3d', the job will handle purging expired events in - # rooms whose state defines a 'max_lifetime' that's both higher than 2 days, and - # lower than or equal to 3 days. Both the minimum and the maximum value of a - # range are optional, e.g. a job with no 'shortest_max_lifetime' and a - # 'longest_max_lifetime' of '3d' will handle every room with a retention policy - # which 'max_lifetime' is lower than or equal to three days. - # - # The rationale for this per-job configuration is that some rooms might have a - # retention policy with a low 'max_lifetime', where history needs to be purged - # of outdated messages on a more frequent basis than for the rest of the rooms - # (e.g. every 12h), but not want that purge to be performed by a job that's - # iterating over every room it knows, which could be heavy on the server. - # - # If any purge job is configured, it is strongly recommended to have at least - # a single job with neither 'shortest_max_lifetime' nor 'longest_max_lifetime' - # set, or one job without 'shortest_max_lifetime' and one job without - # 'longest_max_lifetime' set. Otherwise some rooms might be ignored, even if - # 'allowed_lifetime_min' and 'allowed_lifetime_max' are set, because capping a - # room's policy to these values is done after the policies are retrieved from - # Synapse's database (which is done using the range specified in a purge job's - # configuration). - # - #purge_jobs: - # - longest_max_lifetime: 3d - # interval: 12h - # - shortest_max_lifetime: 3d - # interval: 1d - -# Inhibits the /requestToken endpoints from returning an error that might leak -# information about whether an e-mail address is in use or not on this -# homeserver. -# Note that for some endpoints the error situation is the e-mail already being -# used, and for others the error is entering the e-mail being unused. -# If this option is enabled, instead of returning an error, these endpoints will -# act as if no error happened and return a fake session ID ('sid') to clients. -# -#request_token_inhibit_3pid_errors: true - -# A list of domains that the domain portion of 'next_link' parameters -# must match. -# -# This parameter is optionally provided by clients while requesting -# validation of an email or phone number, and maps to a link that -# users will be automatically redirected to after validation -# succeeds. Clients can make use this parameter to aid the validation -# process. -# -# The whitelist is applied whether the homeserver or an -# identity server is handling validation. -# -# The default value is no whitelist functionality; all domains are -# allowed. Setting this value to an empty list will instead disallow -# all domains. -# -#next_link_domain_whitelist: ["matrix.org"] - - -## TLS ## - -# PEM-encoded X509 certificate for TLS. -# This certificate, as of Synapse 1.0, will need to be a valid and verifiable -# certificate, signed by a recognised Certificate Authority. -# -# See 'ACME support' below to enable auto-provisioning this certificate via -# Let's Encrypt. -# -# If supplying your own, be sure to use a `.pem` file that includes the -# full certificate chain including any intermediate certificates (for -# instance, if using certbot, use `fullchain.pem` as your certificate, -# not `cert.pem`). -# -tls_certificate_path: {{ matrix_synapse_tls_certificate_path|to_json }} - -# PEM-encoded private key for TLS -# -tls_private_key_path: {{ matrix_synapse_tls_private_key_path|to_json }} - -# Whether to verify TLS server certificates for outbound federation requests. -# -# Defaults to `true`. To disable certificate verification, uncomment the -# following line. -# -#federation_verify_certificates: false - -# The minimum TLS version that will be used for outbound federation requests. -# -# Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note -# that setting this value higher than `1.2` will prevent federation to most -# of the public Matrix network: only configure it to `1.3` if you have an -# entirely private federation setup and you can ensure TLS 1.3 support. -# -#federation_client_minimum_tls_version: 1.2 - -# Skip federation certificate verification on the following whitelist -# of domains. -# -# This setting should only be used in very specific cases, such as -# federation over Tor hidden services and similar. For private networks -# of homeservers, you likely want to use a private CA instead. -# -# Only effective if federation_verify_certicates is `true`. -# -#federation_certificate_verification_whitelist: -# - lon.example.com -# - *.domain.com -# - *.onion - -# List of custom certificate authorities for federation traffic. -# -# This setting should only normally be used within a private network of -# homeservers. -# -# Note that this list will replace those that are provided by your -# operating environment. Certificates must be in PEM format. -# -#federation_custom_ca_list: -# - myCA1.pem -# - myCA2.pem -# - myCA3.pem - -# ACME support: This will configure Synapse to request a valid TLS certificate -# for your configured `server_name` via Let's Encrypt. -# -# Note that ACME v1 is now deprecated, and Synapse currently doesn't support -# ACME v2. This means that this feature currently won't work with installs set -# up after November 2019. For more info, and alternative solutions, see -# https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1 -# -# Note that provisioning a certificate in this way requires port 80 to be -# routed to Synapse so that it can complete the http-01 ACME challenge. -# By default, if you enable ACME support, Synapse will attempt to listen on -# port 80 for incoming http-01 challenges - however, this will likely fail -# with 'Permission denied' or a similar error. -# -# There are a couple of potential solutions to this: -# -# * If you already have an Apache, Nginx, or similar listening on port 80, -# you can configure Synapse to use an alternate port, and have your web -# server forward the requests. For example, assuming you set 'port: 8009' -# below, on Apache, you would write: -# -# ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge -# -# * Alternatively, you can use something like `authbind` to give Synapse -# permission to listen on port 80. -# -acme: - # ACME support is disabled by default. Uncomment the following line - # (and tls_certificate_path and tls_private_key_path above) to enable it. - # - #enabled: true - - # Endpoint to use to request certificates. If you only want to test, - # use Let's Encrypt's staging url: - # https://acme-staging.api.letsencrypt.org/directory - # - #url: https://acme-v01.api.letsencrypt.org/directory - - # Port number to listen on for the HTTP-01 challenge. Change this if - # you are forwarding connections through Apache/Nginx/etc. - # - #port: 80 - - # Local addresses to listen on for incoming connections. - # Again, you may want to change this if you are forwarding connections - # through Apache/Nginx/etc. - # - #bind_addresses: ['::', '0.0.0.0'] - - # How many days remaining on a certificate before it is renewed. - # - #reprovision_threshold: 30 - - # The domain that the certificate should be for. Normally this - # should be the same as your Matrix domain (i.e., 'server_name'), but, - # by putting a file at 'https:///.well-known/matrix/server', - # you can delegate incoming traffic to another server. If you do that, - # you should give the target of the delegation here. - # - # For example: if your 'server_name' is 'example.com', but - # 'https://example.com/.well-known/matrix/server' delegates to - # 'matrix.example.com', you should put 'matrix.example.com' here. - # - # If not set, defaults to your 'server_name'. - # - #domain: matrix.example.com - - # file to use for the account key. This will be generated if it doesn't - # exist. - # - # If unspecified, we will use CONFDIR/client.key. - # - #account_key_file: /data/acme_account.key - -# List of allowed TLS fingerprints for this server to publish along -# with the signing keys for this server. Other matrix servers that -# make HTTPS requests to this server will check that the TLS -# certificates returned by this server match one of the fingerprints. -# -# Synapse automatically adds the fingerprint of its own certificate -# to the list. So if federation traffic is handled directly by synapse -# then no modification to the list is required. -# -# If synapse is run behind a load balancer that handles the TLS then it -# will be necessary to add the fingerprints of the certificates used by -# the loadbalancers to this list if they are different to the one -# synapse is using. -# -# Homeservers are permitted to cache the list of TLS fingerprints -# returned in the key responses up to the "valid_until_ts" returned in -# key. It may be necessary to publish the fingerprints of a new -# certificate and wait until the "valid_until_ts" of the previous key -# responses have passed before deploying it. -# -# You can calculate a fingerprint from a given TLS listener via: -# openssl s_client -connect $host:$port < /dev/null 2> /dev/null | -# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=' -# or by checking matrix.org/federationtester/api/report?server_name=$host -# -#tls_fingerprints: [{"sha256": ""}] - - -## Federation ## - -# Restrict federation to the following whitelist of domains. -# N.B. we recommend also firewalling your federation listener to limit -# inbound federation traffic as early as possible, rather than relying -# purely on this application-layer restriction. If not specified, the -# default is to whitelist everything. -# -#federation_domain_whitelist: -# - lon.example.com -# - nyc.example.com -# - syd.example.com -{% if matrix_synapse_federation_domain_whitelist is not none %} -{# Cannot use `|to_nice_yaml` here, as an empty list does not get serialized properly by it. #} -federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_json }} -{% endif %} - -# Report prometheus metrics on the age of PDUs being sent to and received from -# the following domains. This can be used to give an idea of "delay" on inbound -# and outbound federation, though be aware that any delay can be due to problems -# at either end or with the intermediate network. -# -# By default, no domains are monitored in this way. -# -#federation_metrics_domains: -# - matrix.org -# - example.com - - -## Caching ## - -# Caching can be configured through the following options. -# -# A cache 'factor' is a multiplier that can be applied to each of -# Synapse's caches in order to increase or decrease the maximum -# number of entries that can be stored. - -# The number of events to cache in memory. Not affected by -# caches.global_factor. -# -event_cache_size: "{{ matrix_synapse_event_cache_size }}" - -caches: - # Controls the global cache factor, which is the default cache factor - # for all caches if a specific factor for that cache is not otherwise - # set. - # - # This can also be set by the "SYNAPSE_CACHE_FACTOR" environment - # variable. Setting by environment variable takes priority over - # setting through the config file. - # - # Defaults to 0.5, which will half the size of all caches. - # - global_factor: {{ matrix_synapse_caches_global_factor }} - - # A dictionary of cache name to cache factor for that individual - # cache. Overrides the global cache factor for a given cache. - # - # These can also be set through environment variables comprised - # of "SYNAPSE_CACHE_FACTOR_" + the name of the cache in capital - # letters and underscores. Setting by environment variable - # takes priority over setting through the config file. - # Ex. SYNAPSE_CACHE_FACTOR_GET_USERS_WHO_SHARE_ROOM_WITH_USER=2.0 - # - # Some caches have '*' and other characters that are not - # alphanumeric or underscores. These caches can be named with or - # without the special characters stripped. For example, to specify - # the cache factor for `*stateGroupCache*` via an environment - # variable would be `SYNAPSE_CACHE_FACTOR_STATEGROUPCACHE=2.0`. - # - per_cache_factors: - #get_users_who_share_room_with_user: 2.0 - - -## Database ## - -database: - # The database engine name - name: "psycopg2" - args: - user: {{ matrix_synapse_database_user|string|to_json }} - password: {{ matrix_synapse_database_password|string|to_json }} - database: "{{ matrix_synapse_database_database }}" - host: "{{ matrix_synapse_database_host }}" - cp_min: 5 - cp_max: 10 - - -## Logging ## - -# A yaml python logging config file as described by -# https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema -# -log_config: "/data/{{ matrix_server_fqn_matrix }}.log.config" - - -## Ratelimiting ## - -# Ratelimiting settings for client actions (registration, login, messaging). -# -# Each ratelimiting configuration is made of two parameters: -# - per_second: number of requests a client can send per second. -# - burst_count: number of requests a client can send before being throttled. -# -# Synapse currently uses the following configurations: -# - one for messages that ratelimits sending based on the account the client -# is using -# - one for registration that ratelimits registration requests based on the -# client's IP address. -# - one for login that ratelimits login requests based on the client's IP -# address. -# - one for login that ratelimits login requests based on the account the -# client is attempting to log into. -# - one for login that ratelimits login requests based on the account the -# client is attempting to log into, based on the amount of failed login -# attempts for this account. -# - one for ratelimiting redactions by room admins. If this is not explicitly -# set then it uses the same ratelimiting as per rc_message. This is useful -# to allow room admins to deal with abuse quickly. -# - two for ratelimiting number of rooms a user can join, "local" for when -# users are joining rooms the server is already in (this is cheap) vs -# "remote" for when users are trying to join rooms not on the server (which -# can be more expensive) -# -# The defaults are as shown below. -# -#rc_message: -# per_second: 0.2 -# burst_count: 10 -rc_message: {{ matrix_synapse_rc_message|to_json }} -# -#rc_registration: -# per_second: 0.17 -# burst_count: 3 -rc_registration: {{ matrix_synapse_rc_registration|to_json }} -# -#rc_login: -# address: -# per_second: 0.17 -# burst_count: 3 -# account: -# per_second: 0.17 -# burst_count: 3 -# failed_attempts: -# per_second: 0.17 -# burst_count: 3 -rc_login: {{ matrix_synapse_rc_login|to_json }} -# -#rc_admin_redaction: -# per_second: 1 -# burst_count: 50 -# -#rc_joins: -# local: -# per_second: 0.1 -# burst_count: 3 -# remote: -# per_second: 0.01 -# burst_count: 3 - - -# Ratelimiting settings for incoming federation -# -# The rc_federation configuration is made up of the following settings: -# - window_size: window size in milliseconds -# - sleep_limit: number of federation requests from a single server in -# a window before the server will delay processing the request. -# - sleep_delay: duration in milliseconds to delay processing events -# from remote servers by if they go over the sleep limit. -# - reject_limit: maximum number of concurrent federation requests -# allowed from a single server -# - concurrent: number of federation requests to concurrently process -# from a single server -# -# The defaults are as shown below. -# -#rc_federation: -# window_size: 1000 -# sleep_limit: 10 -# sleep_delay: 500 -# reject_limit: 50 -# concurrent: 3 -rc_federation: {{ matrix_synapse_rc_federation|to_json }} - -# Target outgoing federation transaction frequency for sending read-receipts, -# per-room. -# -# If we end up trying to send out more read-receipts, they will get buffered up -# into fewer transactions. -# -#federation_rr_transactions_per_room_per_second: 50 -federation_rr_transactions_per_room_per_second: {{ matrix_synapse_federation_rr_transactions_per_room_per_second }} - - - -## Media Store ## - -# Enable the media store service in the Synapse master. Uncomment the -# following if you are using a separate media store worker. -# -#enable_media_repo: false - -# Directory where uploaded images and attachments are stored. -# -media_store_path: "/matrix-media-store-parent/{{ matrix_synapse_media_store_directory_name }}" - -# Media storage providers allow media to be stored in different -# locations. -# -#media_storage_providers: -# - module: file_system -# # Whether to store newly uploaded local files -# store_local: false -# # Whether to store newly downloaded remote files -# store_remote: false -# # Whether to wait for successful storage for local uploads -# store_synchronous: false -# config: -# directory: /mnt/some/other/directory - -# The largest allowed upload size in bytes -# -max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M" - -# Maximum number of pixels that will be thumbnailed -# -#max_image_pixels: 32M - -# Whether to generate new thumbnails on the fly to precisely match -# the resolution requested by the client. If true then whenever -# a new resolution is requested by the client the server will -# generate a new thumbnail. If false the server will pick a thumbnail -# from a precalculated list. -# -#dynamic_thumbnails: false - -# List of thumbnails to precalculate when an image is uploaded. -# -#thumbnail_sizes: -# - width: 32 -# height: 32 -# method: crop -# - width: 96 -# height: 96 -# method: crop -# - width: 320 -# height: 240 -# method: scale -# - width: 640 -# height: 480 -# method: scale -# - width: 800 -# height: 600 -# method: scale - -# Is the preview URL API enabled? -# -# 'false' by default: uncomment the following to enable it (and specify a -# url_preview_ip_range_blacklist blacklist). -# -url_preview_enabled: {{ matrix_synapse_url_preview_enabled|to_json }} - -# List of IP address CIDR ranges that the URL preview spider is denied -# from accessing. There are no defaults: you must explicitly -# specify a list for URL previewing to work. You should specify any -# internal services in your network that you do not want synapse to try -# to connect to, otherwise anyone in any Matrix room could cause your -# synapse to issue arbitrary GET requests to your internal services, -# causing serious security issues. -# -# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly -# listed here, since they correspond to unroutable addresses.) -# -# This must be specified if url_preview_enabled is set. It is recommended that -# you uncomment the following list as a starting point. -# -url_preview_ip_range_blacklist: - - '127.0.0.0/8' - - '10.0.0.0/8' - - '172.16.0.0/12' - - '192.168.0.0/16' - - '100.64.0.0/10' - - '192.0.0.0/24' - - '169.254.0.0/16' - - '198.18.0.0/15' - - '192.0.2.0/24' - - '198.51.100.0/24' - - '203.0.113.0/24' - - '224.0.0.0/4' - - '::1/128' - - 'fe80::/10' - - 'fc00::/7' - -# List of IP address CIDR ranges that the URL preview spider is allowed -# to access even if they are specified in url_preview_ip_range_blacklist. -# This is useful for specifying exceptions to wide-ranging blacklisted -# target IP ranges - e.g. for enabling URL previews for a specific private -# website only visible in your network. -# -#url_preview_ip_range_whitelist: -# - '192.168.1.1' - -# Optional list of URL matches that the URL preview spider is -# denied from accessing. You should use url_preview_ip_range_blacklist -# in preference to this, otherwise someone could define a public DNS -# entry that points to a private IP address and circumvent the blacklist. -# This is more useful if you know there is an entire shape of URL that -# you know that will never want synapse to try to spider. -# -# Each list entry is a dictionary of url component attributes as returned -# by urlparse.urlsplit as applied to the absolute form of the URL. See -# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit -# The values of the dictionary are treated as an filename match pattern -# applied to that component of URLs, unless they start with a ^ in which -# case they are treated as a regular expression match. If all the -# specified component matches for a given list item succeed, the URL is -# blacklisted. -# -#url_preview_url_blacklist: -# # blacklist any URL with a username in its URI -# - username: '*' -# -# # blacklist all *.google.com URLs -# - netloc: 'google.com' -# - netloc: '*.google.com' -# -# # blacklist all plain HTTP URLs -# - scheme: 'http' -# -# # blacklist http(s)://www.acme.com/foo -# - netloc: 'www.acme.com' -# path: '/foo' -# -# # blacklist any URL with a literal IPv4 address -# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' - -# The largest allowed URL preview spidering size in bytes -# -max_spider_size: 10M - -# A list of values for the Accept-Language HTTP header used when -# downloading webpages during URL preview generation. This allows -# Synapse to specify the preferred languages that URL previews should -# be in when communicating with remote servers. -# -# Each value is a IETF language tag; a 2-3 letter identifier for a -# language, optionally followed by subtags separated by '-', specifying -# a country or region variant. -# -# Multiple values can be provided, and a weight can be added to each by -# using quality value syntax (;q=). '*' translates to any language. -# -# Defaults to "en". -# -# Example: -# -# url_preview_accept_language: -# - en-UK -# - en-US;q=0.9 -# - fr;q=0.8 -# - *;q=0.7 -# -url_preview_accept_language: -# - en - - -## Captcha ## -# See docs/CAPTCHA_SETUP.md for full details of configuring this. - -# This homeserver's ReCAPTCHA public key. Must be specified if -# enable_registration_captcha is enabled. -# -recaptcha_public_key: {{ matrix_synapse_recaptcha_public_key|to_json }} - -# This homeserver's ReCAPTCHA private key. Must be specified if -# enable_registration_captcha is enabled. -# -recaptcha_private_key: {{ matrix_synapse_recaptcha_private_key|to_json }} - -# Uncomment to enable ReCaptcha checks when registering, preventing signup -# unless a captcha is answered. Requires a valid ReCaptcha -# public/private key. Defaults to 'false'. -# -enable_registration_captcha: {{ matrix_synapse_enable_registration_captcha|to_json }} - -# The API endpoint to use for verifying m.login.recaptcha responses. -# Defaults to "https://www.recaptcha.net/recaptcha/api/siteverify". -# -#recaptcha_siteverify_api: "https://my.recaptcha.site" - - -## TURN ## - -# The public URIs of the TURN server to give to clients -# -turn_uris: {{ matrix_synapse_turn_uris|to_json }} - -# The shared secret used to compute passwords for the TURN server -# -turn_shared_secret: {{ matrix_synapse_turn_shared_secret|string|to_json }} - -# The Username and password if the TURN server needs them and -# does not use a token -# -#turn_username: "TURNSERVER_USERNAME" -#turn_password: "TURNSERVER_PASSWORD" - -# How long generated TURN credentials last -# -#turn_user_lifetime: 1h - -# Whether guests should be allowed to use the TURN server. -# This defaults to True, otherwise VoIP will be unreliable for guests. -# However, it does introduce a slight security risk as it allows users to -# connect to arbitrary endpoints without having first signed up for a -# valid account (e.g. by passing a CAPTCHA). -# -turn_allow_guests: {{ matrix_synapse_turn_allow_guests|to_json }} - - -## Registration ## -# -# Registration can be rate-limited using the parameters in the "Ratelimiting" -# section of this file. - -# Enable registration for new users. -# -enable_registration: {{ matrix_synapse_enable_registration|to_json }} - -# Optional account validity configuration. This allows for accounts to be denied -# any request after a given period. -# -# Once this feature is enabled, Synapse will look for registered users without an -# expiration date at startup and will add one to every account it found using the -# current settings at that time. -# This means that, if a validity period is set, and Synapse is restarted (it will -# then derive an expiration date from the current validity period), and some time -# after that the validity period changes and Synapse is restarted, the users' -# expiration dates won't be updated unless their account is manually renewed. This -# date will be randomly selected within a range [now + period - d ; now + period], -# where d is equal to 10% of the validity period. -# -account_validity: - # The account validity feature is disabled by default. Uncomment the - # following line to enable it. - # - #enabled: true - - # The period after which an account is valid after its registration. When - # renewing the account, its validity period will be extended by this amount - # of time. This parameter is required when using the account validity - # feature. - # - #period: 6w - - # The amount of time before an account's expiry date at which Synapse will - # send an email to the account's email address with a renewal link. By - # default, no such emails are sent. - # - # If you enable this setting, you will also need to fill out the 'email' and - # 'public_baseurl' configuration sections. - # - #renew_at: 1w - - # The subject of the email sent out with the renewal link. '%(app)s' can be - # used as a placeholder for the 'app_name' parameter from the 'email' - # section. - # - # Note that the placeholder must be written '%(app)s', including the - # trailing 's'. - # - # If this is not set, a default value is used. - # - #renew_email_subject: "Renew your %(app)s account" - - # Directory in which Synapse will try to find templates for the HTML files to - # serve to the user when trying to renew an account. If not set, default - # templates from within the Synapse package will be used. - # - #template_dir: "res/templates" - - # File within 'template_dir' giving the HTML to be displayed to the user after - # they successfully renewed their account. If not set, default text is used. - # - #account_renewed_html_path: "account_renewed.html" - - # File within 'template_dir' giving the HTML to be displayed when the user - # tries to renew an account with an invalid renewal token. If not set, - # default text is used. - # - #invalid_token_html_path: "invalid_token.html" - -# Time that a user's session remains valid for, after they log in. -# -# Note that this is not currently compatible with guest logins. -# -# Note also that this is calculated at login time: changes are not applied -# retrospectively to users who have already logged in. -# -# By default, this is infinite. -# -#session_lifetime: 24h - -# The user must provide all of the below types of 3PID when registering. -# -#registrations_require_3pid: -# - email -# - msisdn -{% if matrix_synapse_registrations_require_3pid|length > 0 %} -registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_json }} -{% endif %} - -# Explicitly disable asking for MSISDNs from the registration -# flow (overrides registrations_require_3pid if MSISDNs are set as required) -# -#disable_msisdn_registration: true - -# Mandate that users are only allowed to associate certain formats of -# 3PIDs with accounts on this server. -# -#allowed_local_3pids: -# - medium: email -# pattern: '.*@matrix\.org' -# - medium: email -# pattern: '.*@vector\.im' -# - medium: msisdn -# pattern: '\+44' -{% if matrix_synapse_allowed_local_3pids|length > 0 %} -allowed_local_3pids: {{ matrix_synapse_allowed_local_3pids|to_json }} -{% endif %} - -# Enable 3PIDs lookup requests to identity servers from this server. -# -#enable_3pid_lookup: true - -# If set, allows registration of standard or admin accounts by anyone who -# has the shared secret, even if registration is otherwise disabled. -# -registration_shared_secret: {{ matrix_synapse_registration_shared_secret|string|to_json }} - -# Set the number of bcrypt rounds used to generate password hash. -# Larger numbers increase the work factor needed to generate the hash. -# The default number is 12 (which equates to 2^12 rounds). -# N.B. that increasing this will exponentially increase the time required -# to register or login - e.g. 24 => 2^24 rounds which will take >20 mins. -# -#bcrypt_rounds: 12 - -# Allows users to register as guests without a password/email/etc, and -# participate in rooms hosted on this server which have been made -# accessible to anonymous users. -# -allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }} - -# The identity server which we suggest that clients should use when users log -# in on this server. -# -# (By default, no suggestion is made, so it is left up to the client. -# This setting is ignored unless public_baseurl is also set.) -# -#default_identity_server: https://matrix.org - -# Handle threepid (email/phone etc) registration and password resets through a set of -# *trusted* identity servers. Note that this allows the configured identity server to -# reset passwords for accounts! -# -# Be aware that if `email` is not set, and SMTP options have not been -# configured in the email config block, registration and user password resets via -# email will be globally disabled. -# -# Additionally, if `msisdn` is not set, registration and password resets via msisdn -# will be disabled regardless, and users will not be able to associate an msisdn -# identifier to their account. This is due to Synapse currently not supporting -# any method of sending SMS messages on its own. -# -# To enable using an identity server for operations regarding a particular third-party -# identifier type, set the value to the URL of that identity server as shown in the -# examples below. -# -# Servers handling the these requests must answer the `/requestToken` endpoints defined -# by the Matrix Identity Service API specification: -# https://matrix.org/docs/spec/identity_service/latest -# -# If a delegate is specified, the config option public_baseurl must also be filled out. -# -account_threepid_delegates: - email: {{ matrix_synapse_account_threepid_delegates_email|to_json }} - msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }} - -# Whether users are allowed to change their displayname after it has -# been initially set. Useful when provisioning users based on the -# contents of a third-party directory. -# -# Does not apply to server administrators. Defaults to 'true' -# -#enable_set_displayname: false - -# Whether users are allowed to change their avatar after it has been -# initially set. Useful when provisioning users based on the contents -# of a third-party directory. -# -# Does not apply to server administrators. Defaults to 'true' -# -#enable_set_avatar_url: false - -# Whether users can change the 3PIDs associated with their accounts -# (email address and msisdn). -# -# Defaults to 'true' -# -#enable_3pid_changes: false - -# Users who register on this homeserver will automatically be joined -# to these rooms. -# -# By default, any room aliases included in this list will be created -# as a publicly joinable room when the first user registers for the -# homeserver. This behaviour can be customised with the settings below. -# -#auto_join_rooms: -# - "#example:example.com" -{% if matrix_synapse_auto_join_rooms|length > 0 %} -auto_join_rooms: -{{ matrix_synapse_auto_join_rooms|to_nice_yaml }} -{% endif %} - -# Where auto_join_rooms are specified, setting this flag ensures that the -# the rooms exist by creating them when the first user on the -# homeserver registers. -# -# By default the auto-created rooms are publicly joinable from any federated -# server. Use the autocreate_auto_join_rooms_federated and -# autocreate_auto_join_room_preset settings below to customise this behaviour. -# -# Setting to false means that if the rooms are not manually created, -# users cannot be auto-joined since they do not exist. -# -# Defaults to true. Uncomment the following line to disable automatically -# creating auto-join rooms. -# -autocreate_auto_join_rooms: {{ matrix_synapse_autocreate_auto_join_rooms|to_json }} - -# Whether the auto_join_rooms that are auto-created are available via -# federation. Only has an effect if autocreate_auto_join_rooms is true. -# -# Note that whether a room is federated cannot be modified after -# creation. -# -# Defaults to true: the room will be joinable from other servers. -# Uncomment the following to prevent users from other homeservers from -# joining these rooms. -# -#autocreate_auto_join_rooms_federated: false - -# The room preset to use when auto-creating one of auto_join_rooms. Only has an -# effect if autocreate_auto_join_rooms is true. -# -# This can be one of "public_chat", "private_chat", or "trusted_private_chat". -# If a value of "private_chat" or "trusted_private_chat" is used then -# auto_join_mxid_localpart must also be configured. -# -# Defaults to "public_chat", meaning that the room is joinable by anyone, including -# federated servers if autocreate_auto_join_rooms_federated is true (the default). -# Uncomment the following to require an invitation to join these rooms. -# -#autocreate_auto_join_room_preset: private_chat - -# The local part of the user id which is used to create auto_join_rooms if -# autocreate_auto_join_rooms is true. If this is not provided then the -# initial user account that registers will be used to create the rooms. -# -# The user id is also used to invite new users to any auto-join rooms which -# are set to invite-only. -# -# It *must* be configured if autocreate_auto_join_room_preset is set to -# "private_chat" or "trusted_private_chat". -# -# Note that this must be specified in order for new users to be correctly -# invited to any auto-join rooms which have been set to invite-only (either -# at the time of creation or subsequently). -# -# Note that, if the room already exists, this user must be joined and -# have the appropriate permissions to invite new members. -# -#auto_join_mxid_localpart: system - -# When auto_join_rooms is specified, setting this flag to false prevents -# guest accounts from being automatically joined to the rooms. -# -# Defaults to true. -# -#auto_join_rooms_for_guests: false - - -## Metrics ### - -# Enable collection and rendering of performance metrics -# -enable_metrics: {{ matrix_synapse_metrics_enabled|to_json }} - - -# Enable sentry integration -# NOTE: While attempts are made to ensure that the logs don't contain -# any sensitive information, this cannot be guaranteed. By enabling -# this option the sentry server may therefore receive sensitive -# information, and it in turn may then diseminate sensitive information -# through insecure notification channels if so configured. -# -{% if matrix_synapse_sentry_dsn != "" %} -sentry: - dsn: {{ matrix_synapse_sentry_dsn|to_json }} -{% endif %} - -# Flags to enable Prometheus metrics which are not suitable to be -# enabled by default, either for performance reasons or limited use. -# -metrics_flags: - # Publish synapse_federation_known_servers, a gauge of the number of - # servers this homeserver knows about, including itself. May cause - # performance problems on large homeservers. - # - #known_servers: true - -# Whether or not to report anonymized homeserver usage statistics. -# -report_stats: {{ matrix_synapse_report_stats|to_json }} - -# The endpoint to report the anonymized homeserver usage statistics to. -# Defaults to https://matrix.org/report-usage-stats/push -# -#report_stats_endpoint: https://example.com/report-usage-stats/push - - -## API Configuration ## - -# A list of event types that will be included in the room_invite_state -# -#room_invite_state_types: -# - "m.room.join_rules" -# - "m.room.canonical_alias" -# - "m.room.avatar" -# - "m.room.encryption" -# - "m.room.name" - - -# A list of application service config files to use -# -app_service_config_files: {{ matrix_synapse_app_service_config_files|to_json }} - -# Uncomment to enable tracking of application service IP addresses. Implicitly -# enables MAU tracking for application service users. -# -#track_appservice_user_ips: True - - -# a secret which is used to sign access tokens. If none is specified, -# the registration_shared_secret is used, if one is given; otherwise, -# a secret key is derived from the signing key. -# -macaroon_secret_key: {{ matrix_synapse_macaroon_secret_key|string|to_json }} - -# a secret which is used to calculate HMACs for form values, to stop -# falsification of values. Must be specified for the User Consent -# forms to work. -# -form_secret: {{ matrix_synapse_form_secret|string|to_json }} - -## Signing Keys ## - -# Path to the signing key to sign messages with -# -signing_key_path: "/data/{{ matrix_server_fqn_matrix }}.signing.key" - -# The keys that the server used to sign messages with but won't use -# to sign new messages. -# -old_signing_keys: - # For each key, `key` should be the base64-encoded public key, and - # `expired_ts`should be the time (in milliseconds since the unix epoch) that - # it was last used. - # - # It is possible to build an entry from an old signing.key file using the - # `export_signing_key` script which is provided with synapse. - # - # For example: - # - #"ed25519:id": { key: "base64string", expired_ts: 123456789123 } - -# How long key response published by this server is valid for. -# Used to set the valid_until_ts in /key/v2 APIs. -# Determines how quickly servers will query to check which keys -# are still valid. -# -#key_refresh_interval: 1d - -# The trusted servers to download signing keys from. -# -# When we need to fetch a signing key, each server is tried in parallel. -# -# Normally, the connection to the key server is validated via TLS certificates. -# Additional security can be provided by configuring a `verify key`, which -# will make synapse check that the response is signed by that key. -# -# This setting supercedes an older setting named `perspectives`. The old format -# is still supported for backwards-compatibility, but it is deprecated. -# -# 'trusted_key_servers' defaults to matrix.org, but using it will generate a -# warning on start-up. To suppress this warning, set -# 'suppress_key_server_warning' to true. -# -# Options for each entry in the list include: -# -# server_name: the name of the server. required. -# -# verify_keys: an optional map from key id to base64-encoded public key. -# If specified, we will check that the response is signed by at least -# one of the given keys. -# -# accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset, -# and federation_verify_certificates is not `true`, synapse will refuse -# to start, because this would allow anyone who can spoof DNS responses -# to masquerade as the trusted key server. If you know what you are doing -# and are sure that your network environment provides a secure connection -# to the key server, you can set this to `true` to override this -# behaviour. -# -# An example configuration might look like: -# -#trusted_key_servers: -# - server_name: "my_trusted_server.example.com" -# verify_keys: -# "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr" -# - server_name: "my_other_trusted_server.example.com" -# -trusted_key_servers: {{ matrix_synapse_trusted_key_servers|to_json }} - - -# Uncomment the following to disable the warning that is emitted when the -# trusted_key_servers include 'matrix.org'. See above. -# -#suppress_key_server_warning: true - -# The signing keys to use when acting as a trusted key server. If not specified -# defaults to the server signing key. -# -# Can contain multiple keys, one per line. -# -#key_server_signing_keys_path: "key_server_signing_keys.key" - - -## Single sign-on integration ## - -# The following settings can be used to make Synapse use a single sign-on -# provider for authentication, instead of its internal password database. -# -# You will probably also want to set the following options to `false` to -# disable the regular login/registration flows: -# * enable_registration -# * password_config.enabled -# -# You will also want to investigate the settings under the "sso" configuration -# section below. - -# Enable SAML2 for registration and login. Uses pysaml2. -# -# At least one of `sp_config` or `config_path` must be set in this section to -# enable SAML login. -# -# Once SAML support is enabled, a metadata file will be exposed at -# https://:/_matrix/saml2/metadata.xml, which you may be able to -# use to configure your SAML IdP with. Alternatively, you can manually configure -# the IdP to use an ACS location of -# https://:/_matrix/saml2/authn_response. -# -saml2_config: - # `sp_config` is the configuration for the pysaml2 Service Provider. - # See pysaml2 docs for format of config. - # - # Default values will be used for the 'entityid' and 'service' settings, - # so it is not normally necessary to specify them unless you need to - # override them. - # - sp_config: - # Point this to the IdP's metadata. You must provide either a local - # file via the `local` attribute or (preferably) a URL via the - # `remote` attribute. - # - #metadata: - # local: ["saml2/idp.xml"] - # remote: - # - url: https://our_idp/metadata.xml - - # Allowed clock difference in seconds between the homeserver and IdP. - # - # Uncomment the below to increase the accepted time difference from 0 to 3 seconds. - # - #accepted_time_diff: 3 - - # By default, the user has to go to our login page first. If you'd like - # to allow IdP-initiated login, set 'allow_unsolicited: true' in a - # 'service.sp' section: - # - #service: - # sp: - # allow_unsolicited: true - - # The examples below are just used to generate our metadata xml, and you - # may well not need them, depending on your setup. Alternatively you - # may need a whole lot more detail - see the pysaml2 docs! - - #description: ["My awesome SP", "en"] - #name: ["Test SP", "en"] - - #ui_info: - # display_name: - # - lang: en - # text: "Display Name is the descriptive name of your service." - # description: - # - lang: en - # text: "Description should be a short paragraph explaining the purpose of the service." - # information_url: - # - lang: en - # text: "https://example.com/terms-of-service" - # privacy_statement_url: - # - lang: en - # text: "https://example.com/privacy-policy" - # keywords: - # - lang: en - # text: ["Matrix", "Element"] - # logo: - # - lang: en - # text: "https://example.com/logo.svg" - # width: "200" - # height: "80" - - #organization: - # name: Example com - # display_name: - # - ["Example co", "en"] - # url: "http://example.com" - - #contact_person: - # - given_name: Bob - # sur_name: "the Sysadmin" - # email_address": ["admin@example.com"] - # contact_type": technical - - # Instead of putting the config inline as above, you can specify a - # separate pysaml2 configuration file: - # - #config_path: "/data/sp_conf.py" - - # The lifetime of a SAML session. This defines how long a user has to - # complete the authentication process, if allow_unsolicited is unset. - # The default is 15 minutes. - # - #saml_session_lifetime: 5m - - # An external module can be provided here as a custom solution to - # mapping attributes returned from a saml provider onto a matrix user. - # - user_mapping_provider: - # The custom module's class. Uncomment to use a custom module. - # - #module: mapping_provider.SamlMappingProvider - - # Custom configuration values for the module. Below options are - # intended for the built-in provider, they should be changed if - # using a custom module. This section will be passed as a Python - # dictionary to the module's `parse_config` method. - # - config: - # The SAML attribute (after mapping via the attribute maps) to use - # to derive the Matrix ID from. 'uid' by default. - # - # Note: This used to be configured by the - # saml2_config.mxid_source_attribute option. If that is still - # defined, its value will be used instead. - # - #mxid_source_attribute: displayName - - # The mapping system to use for mapping the saml attribute onto a - # matrix ID. - # - # Options include: - # * 'hexencode' (which maps unpermitted characters to '=xx') - # * 'dotreplace' (which replaces unpermitted characters with - # '.'). - # The default is 'hexencode'. - # - # Note: This used to be configured by the - # saml2_config.mxid_mapping option. If that is still defined, its - # value will be used instead. - # - #mxid_mapping: dotreplace - - # In previous versions of synapse, the mapping from SAML attribute to - # MXID was always calculated dynamically rather than stored in a - # table. For backwards- compatibility, we will look for user_ids - # matching such a pattern before creating a new account. - # - # This setting controls the SAML attribute which will be used for this - # backwards-compatibility lookup. Typically it should be 'uid', but if - # the attribute maps are changed, it may be necessary to change it. - # - # The default is 'uid'. - # - #grandfathered_mxid_source_attribute: upn - - # It is possible to configure Synapse to only allow logins if SAML attributes - # match particular values. The requirements can be listed under - # `attribute_requirements` as shown below. All of the listed attributes must - # match for the login to be permitted. - # - #attribute_requirements: - # - attribute: userGroup - # value: "staff" - # - attribute: department - # value: "sales" - - # If the metadata XML contains multiple IdP entities then the `idp_entityid` - # option must be set to the entity to redirect users to. - # - # Most deployments only have a single IdP entity and so should omit this - # option. - # - #idp_entityid: 'https://our_idp/entityid' - - -# Enable OpenID Connect (OIDC) / OAuth 2.0 for registration and login. -# -# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md -# for some example configurations. -# -oidc_config: - # Uncomment the following to enable authorization against an OpenID Connect - # server. Defaults to false. - # - #enabled: true - - # Uncomment the following to disable use of the OIDC discovery mechanism to - # discover endpoints. Defaults to true. - # - #discover: false - - # the OIDC issuer. Used to validate tokens and (if discovery is enabled) to - # discover the provider's endpoints. - # - # Required if 'enabled' is true. - # - #issuer: "https://accounts.example.com/" - - # oauth2 client id to use. - # - # Required if 'enabled' is true. - # - #client_id: "provided-by-your-issuer" - - # oauth2 client secret to use. - # - # Required if 'enabled' is true. - # - #client_secret: "provided-by-your-issuer" - - # auth method to use when exchanging the token. - # Valid values are 'client_secret_basic' (default), 'client_secret_post' and - # 'none'. - # - #client_auth_method: client_secret_post - - # list of scopes to request. This should normally include the "openid" scope. - # Defaults to ["openid"]. - # - #scopes: ["openid", "profile"] - - # the oauth2 authorization endpoint. Required if provider discovery is disabled. - # - #authorization_endpoint: "https://accounts.example.com/oauth2/auth" - - # the oauth2 token endpoint. Required if provider discovery is disabled. - # - #token_endpoint: "https://accounts.example.com/oauth2/token" - - # the OIDC userinfo endpoint. Required if discovery is disabled and the - # "openid" scope is not requested. - # - #userinfo_endpoint: "https://accounts.example.com/userinfo" - - # URI where to fetch the JWKS. Required if discovery is disabled and the - # "openid" scope is used. - # - #jwks_uri: "https://accounts.example.com/.well-known/jwks.json" - - # Uncomment to skip metadata verification. Defaults to false. - # - # Use this if you are connecting to a provider that is not OpenID Connect - # compliant. - # Avoid this in production. - # - #skip_verification: true - - # Whether to fetch the user profile from the userinfo endpoint. Valid - # values are: "auto" or "userinfo_endpoint". - # - # Defaults to "auto", which fetches the userinfo endpoint if "openid" is included - # in `scopes`. Uncomment the following to always fetch the userinfo endpoint. - # - #user_profile_method: "userinfo_endpoint" - - # Uncomment to allow a user logging in via OIDC to match a pre-existing account instead - # of failing. This could be used if switching from password logins to OIDC. Defaults to false. - # - #allow_existing_users: true - - # An external module can be provided here as a custom solution to mapping - # attributes returned from a OIDC provider onto a matrix user. - # - user_mapping_provider: - # The custom module's class. Uncomment to use a custom module. - # Default is 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'. - # - # See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers - # for information on implementing a custom mapping provider. - # - #module: mapping_provider.OidcMappingProvider - - # Custom configuration values for the module. This section will be passed as - # a Python dictionary to the user mapping provider module's `parse_config` - # method. - # - # The examples below are intended for the default provider: they should be - # changed if using a custom provider. - # - config: - # name of the claim containing a unique identifier for the user. - # Defaults to `sub`, which OpenID Connect compliant providers should provide. - # - #subject_claim: "sub" - - # Jinja2 template for the localpart of the MXID. - # - # When rendering, this template is given the following variables: - # * user: The claims returned by the UserInfo Endpoint and/or in the ID - # Token - # - # If this is not set, the user will be prompted to choose their - # own username. - # - localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}" - - # Jinja2 template for the display name to set on first login. - # - # If unset, no displayname will be set. - # - #display_name_template: "{% raw %}{{ user.given_name }} {{ user.last_name }}{% endraw %}" - - # Jinja2 templates for extra attributes to send back to the client during - # login. - # - # Note that these are non-standard and clients will ignore them without modifications. - # - #extra_attributes: - #birthdate: "{% raw %}{{ user.birthdate }}{% endraw %}" - - - -# Enable Central Authentication Service (CAS) for registration and login. -# -cas_config: - # Uncomment the following to enable authorization against a CAS server. - # Defaults to false. - # - #enabled: true - - # The URL of the CAS authorization endpoint. - # - #server_url: "https://cas-server.com" - - # The public URL of the homeserver. - # - #service_url: "https://homeserver.domain.com:8448" - - # The attribute of the CAS response to use as the display name. - # - # If unset, no displayname will be set. - # - #displayname_attribute: name - - # It is possible to configure Synapse to only allow logins if CAS attributes - # match particular values. All of the keys in the mapping below must exist - # and the values must match the given value. Alternately if the given value - # is None then any value is allowed (the attribute just must exist). - # All of the listed attributes must match for the login to be permitted. - # - #required_attributes: - # userGroup: "staff" - # department: None - - -# Additional settings to use with single-sign on systems such as OpenID Connect, -# SAML2 and CAS. -# -sso: - # A list of client URLs which are whitelisted so that the user does not - # have to confirm giving access to their account to the URL. Any client - # whose URL starts with an entry in the following list will not be subject - # to an additional confirmation step after the SSO login is completed. - # - # WARNING: An entry such as "https://my.client" is insecure, because it - # will also match "https://my.client.evil.site", exposing your users to - # phishing attacks from evil.site. To avoid this, include a slash after the - # hostname: "https://my.client/". - # - # If public_baseurl is set, then the login fallback page (used by clients - # that don't natively support the required login flows) is whitelisted in - # addition to any URLs in this list. - # - # By default, this list is empty. - # - #client_whitelist: - # - https://riot.im/develop - # - https://my.custom.client/ - - # Directory in which Synapse will try to find the template files below. - # If not set, or the files named below are not found within the template - # directory, default templates from within the Synapse package will be used. - # - # Synapse will look for the following templates in this directory: - # - # * HTML page for a confirmation step before redirecting back to the client - # with the login token: 'sso_redirect_confirm.html'. - # - # When rendering, this template is given three variables: - # * redirect_url: the URL the user is about to be redirected to. Needs - # manual escaping (see - # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). - # - # * display_url: the same as `redirect_url`, but with the query - # parameters stripped. The intention is to have a - # human-readable URL to show to users, not to use it as - # the final address to redirect to. Needs manual escaping - # (see https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). - # - # * server_name: the homeserver's name. - # - # * HTML page which notifies the user that they are authenticating to confirm - # an operation on their account during the user interactive authentication - # process: 'sso_auth_confirm.html'. - # - # When rendering, this template is given the following variables: - # * redirect_url: the URL the user is about to be redirected to. Needs - # manual escaping (see - # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). - # - # * description: the operation which the user is being asked to confirm - # - # * HTML page shown after a successful user interactive authentication session: - # 'sso_auth_success.html'. - # - # Note that this page must include the JavaScript which notifies of a successful authentication - # (see https://matrix.org/docs/spec/client_server/r0.6.0#fallback). - # - # This template has no additional variables. - # - # * HTML page shown during single sign-on if a deactivated user (according to Synapse's database) - # attempts to login: 'sso_account_deactivated.html'. - # - # This template has no additional variables. - # - # * HTML page to display to users if something goes wrong during the - # OpenID Connect authentication process: 'sso_error.html'. - # - # When rendering, this template is given two variables: - # * error: the technical name of the error - # * error_description: a human-readable message for the error - # - # You can see the default templates at: - # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates - # - #template_dir: "res/templates" - - -# JSON web token integration. The following settings can be used to make -# Synapse JSON web tokens for authentication, instead of its internal -# password database. -# -# Each JSON Web Token needs to contain a "sub" (subject) claim, which is -# used as the localpart of the mxid. -# -# Additionally, the expiration time ("exp"), not before time ("nbf"), -# and issued at ("iat") claims are validated if present. -# -# Note that this is a non-standard login type and client support is -# expected to be non-existent. -# -# See https://github.com/matrix-org/synapse/blob/master/docs/jwt.md. -# -#jwt_config: - # Uncomment the following to enable authorization using JSON web - # tokens. Defaults to false. - # - #enabled: true - - # This is either the private shared secret or the public key used to - # decode the contents of the JSON web token. - # - # Required if 'enabled' is true. - # - #secret: "provided-by-your-issuer" - - # The algorithm used to sign the JSON web token. - # - # Supported algorithms are listed at - # https://pyjwt.readthedocs.io/en/latest/algorithms.html - # - # Required if 'enabled' is true. - # - #algorithm: "provided-by-your-issuer" - - # The issuer to validate the "iss" claim against. - # - # Optional, if provided the "iss" claim will be required and - # validated for all JSON web tokens. - # - #issuer: "provided-by-your-issuer" - - # A list of audiences to validate the "aud" claim against. - # - # Optional, if provided the "aud" claim will be required and - # validated for all JSON web tokens. - # - # Note that if the "aud" claim is included in a JSON web token then - # validation will fail without configuring audiences. - # - #audiences: - # - "provided-by-your-issuer" - - -password_config: - # Uncomment to disable password login - # - #enabled: false - - # Uncomment to disable authentication against the local password - # database. This is ignored if `enabled` is false, and is only useful - # if you have other password_providers. - # - localdb_enabled: {{ matrix_synapse_password_config_localdb_enabled|to_json }} - - # Uncomment and change to a secret random string for extra security. - # DO NOT CHANGE THIS AFTER INITIAL SETUP! - # - pepper: {{ matrix_synapse_password_config_pepper|string|to_json }} - - # Define and enforce a password policy. Each parameter is optional. - # This is an implementation of MSC2000. - # - policy: - # Whether to enforce the password policy. - # Defaults to 'false'. - # - #enabled: true - - # Minimum accepted length for a password. - # Defaults to 0. - # - #minimum_length: 15 - - # Whether a password must contain at least one digit. - # Defaults to 'false'. - # - #require_digit: true - - # Whether a password must contain at least one symbol. - # A symbol is any character that's not a number or a letter. - # Defaults to 'false'. - # - #require_symbol: true - - # Whether a password must contain at least one lowercase letter. - # Defaults to 'false'. - # - #require_lowercase: true - - # Whether a password must contain at least one lowercase letter. - # Defaults to 'false'. - # - #require_uppercase: true - -ui_auth: - # The number of milliseconds to allow a user-interactive authentication - # session to be active. - # - # This defaults to 0, meaning the user is queried for their credentials - # before every action, but this can be overridden to alow a single - # validation to be re-used. This weakens the protections afforded by - # the user-interactive authentication process, by allowing for multiple - # (and potentially different) operations to use the same validation session. - # - # Uncomment below to allow for credential validation to last for 15 - # seconds. - # - #session_timeout: 15000 - - -{% if matrix_synapse_email_enabled %} -# Configuration for sending emails from Synapse. -# -email: - # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'. - # - #smtp_host: mail.server - smtp_host: {{ matrix_synapse_email_smtp_host|string|to_json }} - - # The port on the mail server for outgoing SMTP. Defaults to 25. - # - #smtp_port: 587 - smtp_port: {{ matrix_synapse_email_smtp_port|to_json }} - - # Username/password for authentication to the SMTP server. By default, no - # authentication is attempted. - # - #smtp_user: "exampleusername" - #smtp_pass: "examplepassword" - - # Uncomment the following to require TLS transport security for SMTP. - # By default, Synapse will connect over plain text, and will then switch to - # TLS via STARTTLS *if the SMTP server supports it*. If this option is set, - # Synapse will refuse to connect unless the server supports STARTTLS. - # - #require_transport_security: true - require_transport_security: {{ matrix_synapse_email_smtp_require_transport_security|to_json }} - - # Enable sending emails for messages that the user has missed - # - #enable_notifs: false - enable_notifs: true - - # notif_from defines the "From" address to use when sending emails. - # It must be set if email sending is enabled. - # - # The placeholder '%(app)s' will be replaced by the application name, - # which is normally 'app_name' (below), but may be overridden by the - # Matrix client application. - # - # Note that the placeholder must be written '%(app)s', including the - # trailing 's'. - # - #notif_from: "Your Friendly %(app)s homeserver " - notif_from: {{ matrix_synapse_email_notif_from|string|to_json }} - - # app_name defines the default value for '%(app)s' in notif_from and email - # subjects. It defaults to 'Matrix'. - # - #app_name: my_branded_matrix_server - app_name: Matrix - - # Uncomment the following to disable automatic subscription to email - # notifications for new users. Enabled by default. - # - #notif_for_new_users: false - notif_for_new_users: True - - # Custom URL for client links within the email notifications. By default - # links will be based on "https://matrix.to". - # - # (This setting used to be called riot_base_url; the old name is still - # supported for backwards-compatibility but is now deprecated.) - # - #client_base_url: "http://localhost/riot" - client_base_url: {{ matrix_synapse_email_client_base_url|string|to_json }} - - # Configure the time that a validation email will expire after sending. - # Defaults to 1h. - # - #validation_token_lifetime: 15m - - # Directory in which Synapse will try to find the template files below. - # If not set, or the files named below are not found within the template - # directory, default templates from within the Synapse package will be used. - # - # Synapse will look for the following templates in this directory: - # - # * The contents of email notifications of missed events: 'notif_mail.html' and - # 'notif_mail.txt'. - # - # * The contents of account expiry notice emails: 'notice_expiry.html' and - # 'notice_expiry.txt'. - # - # * The contents of password reset emails sent by the homeserver: - # 'password_reset.html' and 'password_reset.txt' - # - # * An HTML page that a user will see when they follow the link in the password - # reset email. The user will be asked to confirm the action before their - # password is reset: 'password_reset_confirmation.html' - # - # * HTML pages for success and failure that a user will see when they confirm - # the password reset flow using the page above: 'password_reset_success.html' - # and 'password_reset_failure.html' - # - # * The contents of address verification emails sent during registration: - # 'registration.html' and 'registration.txt' - # - # * HTML pages for success and failure that a user will see when they follow - # the link in an address verification email sent during registration: - # 'registration_success.html' and 'registration_failure.html' - # - # * The contents of address verification emails sent when an address is added - # to a Matrix account: 'add_threepid.html' and 'add_threepid.txt' - # - # * HTML pages for success and failure that a user will see when they follow - # the link in an address verification email sent when an address is added - # to a Matrix account: 'add_threepid_success.html' and - # 'add_threepid_failure.html' - # - # You can see the default templates at: - # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates - # - #template_dir: "res/templates" - - # Subjects to use when sending emails from Synapse. - # - # The placeholder '%(app)s' will be replaced with the value of the 'app_name' - # setting above, or by a value dictated by the Matrix client application. - # - # If a subject isn't overridden in this configuration file, the value used as - # its example will be used. - # - #subjects: - - # Subjects for notification emails. - # - # On top of the '%(app)s' placeholder, these can use the following - # placeholders: - # - # * '%(person)s', which will be replaced by the display name of the user(s) - # that sent the message(s), e.g. "Alice and Bob". - # * '%(room)s', which will be replaced by the name of the room the - # message(s) have been sent to, e.g. "My super room". - # - # See the example provided for each setting to see which placeholder can be - # used and how to use them. - # - # Subject to use to notify about one message from one or more user(s) in a - # room which has a name. - #message_from_person_in_room: "[%(app)s] You have a message on %(app)s from %(person)s in the %(room)s room..." - # - # Subject to use to notify about one message from one or more user(s) in a - # room which doesn't have a name. - #message_from_person: "[%(app)s] You have a message on %(app)s from %(person)s..." - # - # Subject to use to notify about multiple messages from one or more users in - # a room which doesn't have a name. - #messages_from_person: "[%(app)s] You have messages on %(app)s from %(person)s..." - # - # Subject to use to notify about multiple messages in a room which has a - # name. - #messages_in_room: "[%(app)s] You have messages on %(app)s in the %(room)s room..." - # - # Subject to use to notify about multiple messages in multiple rooms. - #messages_in_room_and_others: "[%(app)s] You have messages on %(app)s in the %(room)s room and others..." - # - # Subject to use to notify about multiple messages from multiple persons in - # multiple rooms. This is similar to the setting above except it's used when - # the room in which the notification was triggered has no name. - #messages_from_person_and_others: "[%(app)s] You have messages on %(app)s from %(person)s and others..." - # - # Subject to use to notify about an invite to a room which has a name. - #invite_from_person_to_room: "[%(app)s] %(person)s has invited you to join the %(room)s room on %(app)s..." - # - # Subject to use to notify about an invite to a room which doesn't have a - # name. - #invite_from_person: "[%(app)s] %(person)s has invited you to chat on %(app)s..." - - # Subject for emails related to account administration. - # - # On top of the '%(app)s' placeholder, these one can use the - # '%(server_name)s' placeholder, which will be replaced by the value of the - # 'server_name' setting in your Synapse configuration. - # - # Subject to use when sending a password reset email. - #password_reset: "[%(server_name)s] Password reset" - # - # Subject to use when sending a verification email to assert an address's - # ownership. - #email_validation: "[%(server_name)s] Validate your email" -{% endif %} - -# Password providers allow homeserver administrators to integrate -# their Synapse installation with existing authentication methods -# ex. LDAP, external tokens, etc. -# -# For more information and known implementations, please see -# https://github.com/matrix-org/synapse/blob/master/docs/password_auth_providers.md -# -# Note: instances wishing to use SAML or CAS authentication should -# instead use the `saml2_config` or `cas_config` options, -# respectively. -# -# password_providers: -# # Example config for an LDAP auth provider -# - module: "ldap_auth_provider.LdapAuthProvider" -# config: -# enabled: true -# uri: "ldap://ldap.example.com:389" -# start_tls: true -# base: "ou=users,dc=example,dc=com" -# attributes: -# uid: "cn" -# mail: "email" -# name: "givenName" -# #bind_dn: -# #bind_password: -# #filter: "(objectClass=posixAccount)" -{% if matrix_synapse_password_providers_enabled %} -password_providers: -{% if matrix_synapse_ext_password_provider_shared_secret_auth_enabled %} - - module: "shared_secret_authenticator.SharedSecretAuthenticator" - config: - sharedSecret: {{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret|string|to_json }} -{% endif %} -{% if matrix_synapse_ext_password_provider_rest_auth_enabled %} - - module: "rest_auth_provider.RestAuthProvider" - config: - endpoint: {{ matrix_synapse_ext_password_provider_rest_auth_endpoint|string|to_json }} - policy: - registration: - username: - enforceLowercase: {{ matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase }} - profile: - name: {{ matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill }} - login: - profile: - name: {{ matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill }} -{% endif %} -{% if matrix_synapse_ext_password_provider_ldap_enabled %} - - module: "ldap_auth_provider.LdapAuthProvider" - config: - enabled: true - uri: {{ matrix_synapse_ext_password_provider_ldap_uri|string|to_json }} - start_tls: {{ matrix_synapse_ext_password_provider_ldap_start_tls|to_json }} - base: {{ matrix_synapse_ext_password_provider_ldap_base|string|to_json }} - attributes: - uid: {{ matrix_synapse_ext_password_provider_ldap_attributes_uid|string|to_json }} - mail: {{ matrix_synapse_ext_password_provider_ldap_attributes_mail|string|to_json }} - name: {{ matrix_synapse_ext_password_provider_ldap_attributes_name|string|to_json }} - bind_dn: {{ matrix_synapse_ext_password_provider_ldap_bind_dn|string|to_json }} - bind_password: {{ matrix_synapse_ext_password_provider_ldap_bind_password|string|to_json }} - filter: {{ matrix_synapse_ext_password_provider_ldap_filter|string|to_json }} -{% endif %} -{% endif %} - - -## Push ## - -push: - # Clients requesting push notifications can either have the body of - # the message sent in the notification poke along with other details - # like the sender, or just the event ID and room ID (`event_id_only`). - # If clients choose the former, this option controls whether the - # notification request includes the content of the event (other details - # like the sender are still included). For `event_id_only` push, it - # has no effect. - # - # For modern android devices the notification content will still appear - # because it is loaded by the app. iPhone, however will send a - # notification saying only that a message arrived and who it came from. - # - # The default value is "true" to include message details. Uncomment to only - # include the event ID and room ID in push notification payloads. - # - include_content: {{ matrix_synapse_push_include_content|to_json }} - - # When a push notification is received, an unread count is also sent. - # This number can either be calculated as the number of unread messages - # for the user, or the number of *rooms* the user has unread messages in. - # - # The default value is "true", meaning push clients will see the number of - # rooms with unread messages in them. Uncomment to instead send the number - # of unread messages. - # - #group_unread_count_by_room: false - - -# Spam checkers are third-party modules that can block specific actions -# of local users, such as creating rooms and registering undesirable -# usernames, as well as remote users by redacting incoming events. -# -# spam_checker: - #- module: "my_custom_project.SuperSpamChecker" - # config: - # example_option: 'things' - #- module: "some_other_project.BadEventStopper" - # config: - # example_stop_events_from: ['@bad:example.com'] -spam_checker: {{ matrix_synapse_spam_checker|to_json }} - - -## Rooms ## - -# Controls whether locally-created rooms should be end-to-end encrypted by -# default. -# -# Possible options are "all", "invite", and "off". They are defined as: -# -# * "all": any locally-created room -# * "invite": any room created with the "private_chat" or "trusted_private_chat" -# room creation presets -# * "off": this option will take no effect -# -# The default value is "off". -# -# Note that this option will only affect rooms created after it is set. It -# will also not affect rooms created by other servers. -# -#encryption_enabled_by_default_for_room_type: invite - - -# Uncomment to allow non-server-admin users to create groups on this server -# -enable_group_creation: {{ matrix_synapse_enable_group_creation|to_json }} - -# If enabled, non server admins can only create groups with local parts -# starting with this prefix -# -#group_creation_prefix: "unofficial_" - - - -# User Directory configuration -# -# 'enabled' defines whether users can search the user directory. If -# false then empty responses are returned to all queries. Defaults to -# true. -# -# 'search_all_users' defines whether to search all users visible to your HS -# when searching the user directory, rather than limiting to users visible -# in public rooms. Defaults to false. If you set it True, you'll have to -# rebuild the user_directory search indexes, see -# https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md -# -#user_directory: -# enabled: true -# search_all_users: false - - -# User Consent configuration -# -# for detailed instructions, see -# https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md -# -# Parts of this section are required if enabling the 'consent' resource under -# 'listeners', in particular 'template_dir' and 'version'. -# -# 'template_dir' gives the location of the templates for the HTML forms. -# This directory should contain one subdirectory per language (eg, 'en', 'fr'), -# and each language directory should contain the policy document (named as -# '.html') and a success page (success.html). -# -# 'version' specifies the 'current' version of the policy document. It defines -# the version to be served by the consent resource if there is no 'v' -# parameter. -# -# 'server_notice_content', if enabled, will send a user a "Server Notice" -# asking them to consent to the privacy policy. The 'server_notices' section -# must also be configured for this to work. Notices will *not* be sent to -# guest users unless 'send_server_notice_to_guests' is set to true. -# -# 'block_events_error', if set, will block any attempts to send events -# until the user consents to the privacy policy. The value of the setting is -# used as the text of the error. -# -# 'require_at_registration', if enabled, will add a step to the registration -# process, similar to how captcha works. Users will be required to accept the -# policy before their account is created. -# -# 'policy_name' is the display name of the policy users will see when registering -# for an account. Has no effect unless `require_at_registration` is enabled. -# Defaults to "Privacy Policy". -# -#user_consent: -# template_dir: res/templates/privacy -# version: 1.0 -# server_notice_content: -# msgtype: m.text -# body: >- -# To continue using this homeserver you must review and agree to the -# terms and conditions at %(consent_uri)s -# send_server_notice_to_guests: True -# block_events_error: >- -# To continue using this homeserver you must review and agree to the -# terms and conditions at %(consent_uri)s -# require_at_registration: False -# policy_name: Privacy Policy -# - - - -# Local statistics collection. Used in populating the room directory. -# -# 'bucket_size' controls how large each statistics timeslice is. It can -# be defined in a human readable short form -- e.g. "1d", "1y". -# -# 'retention' controls how long historical statistics will be kept for. -# It can be defined in a human readable short form -- e.g. "1d", "1y". -# -# -#stats: -# enabled: true -# bucket_size: 1d -# retention: 1y - - -# Server Notices room configuration -# -# Uncomment this section to enable a room which can be used to send notices -# from the server to users. It is a special room which cannot be left; notices -# come from a special "notices" user id. -# -# If you uncomment this section, you *must* define the system_mxid_localpart -# setting, which defines the id of the user which will be used to send the -# notices. -# -# It's also possible to override the room name, the display name of the -# "notices" user, and the avatar for the user. -# -#server_notices: -# system_mxid_localpart: notices -# system_mxid_display_name: "Server Notices" -# system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ" -# room_name: "Server Notices" - - - -# Uncomment to disable searching the public room list. When disabled -# blocks searching local and remote room lists for local and remote -# users by always returning an empty list for all queries. -# -#enable_room_list_search: false - -enable_room_list_search: {{ matrix_synapse_enable_room_list_search|to_json }} - -# The `alias_creation` option controls who's allowed to create aliases -# on this server. -# -# The format of this option is a list of rules that contain globs that -# match against user_id, room_id and the new alias (fully qualified with -# server name). The action in the first rule that matches is taken, -# which can currently either be "allow" or "deny". -# -# Missing user_id/room_id/alias fields default to "*". -# -# If no rules match the request is denied. An empty list means no one -# can create aliases. -# -# Options for the rules include: -# -# user_id: Matches against the creator of the alias -# alias: Matches against the alias being created -# room_id: Matches against the room ID the alias is being pointed at -# action: Whether to "allow" or "deny" the request if the rule matches -# -# The default is: -# -#alias_creation_rules: -# - user_id: "*" -# alias: "*" -# room_id: "*" -# action: allow - -alias_creation_rules: {{ matrix_synapse_alias_creation_rules|to_json }} - -# The `room_list_publication_rules` option controls who can publish and -# which rooms can be published in the public room list. -# -# The format of this option is the same as that for -# `alias_creation_rules`. -# -# If the room has one or more aliases associated with it, only one of -# the aliases needs to match the alias rule. If there are no aliases -# then only rules with `alias: *` match. -# -# If no rules match the request is denied. An empty list means no one -# can publish rooms. -# -# Options for the rules include: -# -# user_id: Matches against the creator of the alias -# room_id: Matches against the room ID being published -# alias: Matches against any current local or canonical aliases -# associated with the room -# action: Whether to "allow" or "deny" the request if the rule matches -# -# The default is: -# -#room_list_publication_rules: -# - user_id: "*" -# alias: "*" -# room_id: "*" -# action: allow - -room_list_publication_rules: {{ matrix_synapse_room_list_publication_rules|to_json }} - - -# Server admins can define a Python module that implements extra rules for -# allowing or denying incoming events. In order to work, this module needs to -# override the methods defined in synapse/events/third_party_rules.py. -# -# This feature is designed to be used in closed federations only, where each -# participating server enforces the same rules. -# -#third_party_event_rules: -# module: "my_custom_project.SuperRulesSet" -# config: -# example_option: 'things' - - -## Opentracing ## - -# These settings enable opentracing, which implements distributed tracing. -# This allows you to observe the causal chains of events across servers -# including requests, key lookups etc., across any server running -# synapse or any other other services which supports opentracing -# (specifically those implemented with Jaeger). -# -opentracing: - # tracing is disabled by default. Uncomment the following line to enable it. - # - #enabled: true - - # The list of homeservers we wish to send and receive span contexts and span baggage. - # See docs/opentracing.rst - # This is a list of regexes which are matched against the server_name of the - # homeserver. - # - # By default, it is empty, so no servers are matched. - # - #homeserver_whitelist: - # - ".*" - - # Jaeger can be configured to sample traces at different rates. - # All configuration options provided by Jaeger can be set here. - # Jaeger's configuration mostly related to trace sampling which - # is documented here: - # https://www.jaegertracing.io/docs/1.13/sampling/. - # - #jaeger_config: - # sampler: - # type: const - # param: 1 - - # Logging whether spans were started and reported - # - # logging: - # false - - -## Workers ## - -# Disables sending of outbound federation transactions on the main process. -# Uncomment if using a federation sender worker. -# -#send_federation: false - -# It is possible to run multiple federation sender workers, in which case the -# work is balanced across them. -# -# This configuration must be shared between all federation sender workers, and if -# changed all federation sender workers must be stopped at the same time and then -# started, to ensure that all instances are running with the same config (otherwise -# events may be dropped). -# -#federation_sender_instances: -# - federation_sender1 - -# When using workers this should be a map from `worker_name` to the -# HTTP replication listener of the worker, if configured. -# -#instance_map: -# worker1: -# host: localhost -# port: 8034 - -# Experimental: When using workers you can define which workers should -# handle event persistence and typing notifications. Any worker -# specified here must also be in the `instance_map`. -# -#stream_writers: -# events: worker1 -# typing: worker1 - -# The worker that is used to run background tasks (e.g. cleaning up expired -# data). If not provided this defaults to the main process. -# -#run_background_tasks_on: worker1 - -# A shared secret used by the replication APIs to authenticate HTTP requests -# from workers. -# -# By default this is unused and traffic is not authenticated. -# -#worker_replication_secret: "" - - -# Configuration for Redis when using workers. This *must* be enabled when -# using workers (unless using old style direct TCP configuration). -# -redis: - # Uncomment the below to enable Redis support. - # - #enabled: true - - # Optional host and port to use to connect to redis. Defaults to - # localhost and 6379 - # - #host: localhost - #port: 6379 - - # Optional password if configured on the Redis instance - # - #password: - -# vim:ft=yaml diff --git a/roles/matrix-dendrite/templates/goofys/env-goofys.j2 b/roles/matrix-dendrite/templates/goofys/env-goofys.j2 deleted file mode 100644 index 2955efdd8..000000000 --- a/roles/matrix-dendrite/templates/goofys/env-goofys.j2 +++ /dev/null @@ -1,3 +0,0 @@ -#jinja2: lstrip_blocks: "True" -AWS_ACCESS_KEY={{ matrix_s3_media_store_aws_access_key }} -AWS_SECRET_KEY={{ matrix_s3_media_store_aws_secret_key }} diff --git a/roles/matrix-dendrite/templates/goofys/systemd/matrix-goofys.service.j2 b/roles/matrix-dendrite/templates/goofys/systemd/matrix-goofys.service.j2 deleted file mode 100644 index 44ec3d4a0..000000000 --- a/roles/matrix-dendrite/templates/goofys/systemd/matrix-goofys.service.j2 +++ /dev/null @@ -1,39 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix Goofys media store -After=docker.service -Requires=docker.service -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill %n -ExecStartPre=-{{ matrix_host_command_docker }} rm %n - -ExecStart={{ matrix_host_command_docker }} run --rm --name %n \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --mount type=bind,src=/etc/passwd,dst=/etc/passwd,ro \ - --mount type=bind,src=/etc/group,dst=/etc/group,ro \ - --mount type=bind,src={{ matrix_dendrite_media_store_path }},dst=/s3,bind-propagation=shared \ - --security-opt apparmor:unconfined \ - --cap-add mknod \ - --cap-add sys_admin \ - --device=/dev/fuse \ - --env-file={{ matrix_dendrite_config_dir_path }}/env-goofys \ - --entrypoint /bin/sh \ - {{ matrix_s3_goofys_docker_image }} \ - -c 'goofys -f{% if not matrix_s3_media_store_custom_endpoint_enabled %} --storage-class=STANDARD_IA{% endif %}{% if matrix_s3_media_store_custom_endpoint_enabled %} --endpoint={{ matrix_s3_media_store_custom_endpoint }}{% endif %} --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3' - -TimeoutStartSec=5min -ExecStop=-{{ matrix_host_command_docker }} stop %n -ExecStop=-{{ matrix_host_command_docker }} kill %n -ExecStop=-{{ matrix_host_command_docker }} rm %n -ExecStop=-{{ matrix_host_command_fusermount }} -u {{ matrix_dendrite_media_store_path }} -Restart=always -RestartSec=5 -SyslogIdentifier=matrix-goofys - -[Install] -WantedBy=multi-user.target From 265d0485979dde74511dc89387b4146d23188353 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sun, 31 Jan 2021 01:33:19 -0600 Subject: [PATCH 073/144] Upgrade Dendrite (0.3.6 -> 0.3.8) --- roles/matrix-dendrite/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index d231553e6..ab472be55 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -5,7 +5,7 @@ matrix_dendrite_enabled: false matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}" matrix_dendrite_docker_image_name_prefix: "docker.io/" -matrix_dendrite_docker_image_tag: "v0.3.6" +matrix_dendrite_docker_image_tag: "v0.3.8" matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite" From cde2504966ae50c33c8896fbb4ea6f2c4418db07 Mon Sep 17 00:00:00 2001 From: "Jip J. Dekker" Date: Thu, 11 Feb 2021 13:25:56 +1100 Subject: [PATCH 074/144] Upgrade Dendrite (0.3.8 -> 0.3.9) --- roles/matrix-dendrite/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index ab472be55..d6dd7910e 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -5,7 +5,7 @@ matrix_dendrite_enabled: false matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}" matrix_dendrite_docker_image_name_prefix: "docker.io/" -matrix_dendrite_docker_image_tag: "v0.3.8" +matrix_dendrite_docker_image_tag: "v0.3.9" matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite" From 953a9ac7188d39e05f477efa98201900f6b800b9 Mon Sep 17 00:00:00 2001 From: "Jip J. Dekker" Date: Tue, 6 Apr 2021 09:56:34 +1000 Subject: [PATCH 075/144] Upgrade Dendrite (0.3.9 -> 0.3.11) --- roles/matrix-dendrite/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index d6dd7910e..4f7f6a926 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -5,7 +5,7 @@ matrix_dendrite_enabled: false matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}" matrix_dendrite_docker_image_name_prefix: "docker.io/" -matrix_dendrite_docker_image_tag: "v0.3.9" +matrix_dendrite_docker_image_tag: "v0.3.11" matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite" From ccd3dc7a573ad136ecfad1b386fafadc64281213 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 27 Oct 2021 14:14:21 +0300 Subject: [PATCH 076/144] Remove Dendrite file logging We refrain from logging to files for all components, because we rely on systemd-journald anyway. --- roles/matrix-dendrite/defaults/main.yml | 4 ---- .../tasks/dendrite/setup_install.yml | 8 ------- .../templates/dendrite/dendrite.yaml.j2 | 22 ++++++++----------- .../systemd/matrix-dendrite.service.j2 | 1 - .../matrix-dendrite-create-account.j2 | 2 +- 5 files changed, 10 insertions(+), 27 deletions(-) diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index 4f7f6a926..1d80e0b0c 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -53,10 +53,6 @@ matrix_dendrite_max_file_size_bytes: 10485760 # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. matrix_dendrite_tmp_directory_size_mb: 500 -# Log levels -matrix_dendrite_log_level: "warning" -matrix_dendrite_log_path: "/var/log/dendrite" - # Rate limits matrix_dendrite_rate_limiting_enabled: true matrix_dendrite_rate_limiting_threshold: 5 diff --git a/roles/matrix-dendrite/tasks/dendrite/setup_install.yml b/roles/matrix-dendrite/tasks/dendrite/setup_install.yml index 182b6c1c0..2752d51ed 100644 --- a/roles/matrix-dendrite/tasks/dendrite/setup_install.yml +++ b/roles/matrix-dendrite/tasks/dendrite/setup_install.yml @@ -17,14 +17,6 @@ group: "{{ matrix_user_groupname }}" when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists" -- name: Ensure Dendrite log path exists - file: - path: "{{ matrix_dendrite_log_path }}" - state: directory - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - - name: Ensure Dendrite Docker image is pulled docker_image: name: "{{ matrix_dendrite_docker_image }}" diff --git a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 index 2ec6c088f..5a127fb7e 100644 --- a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 +++ b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -6,7 +6,7 @@ # # At a minimum, to get started, you will need to update the settings in the # "global" section for your deployment, and you will need to check that the -# database "connection_string" line in each component section is correct. +# database "connection_string" line in each component section is correct. # # Each component with a "database" section can accept the following formats # for "connection_string": @@ -21,13 +21,13 @@ # small number of users and likely will perform worse still with a higher volume # of users. # -# The "max_open_conns" and "max_idle_conns" settings configure the maximum +# The "max_open_conns" and "max_idle_conns" settings configure the maximum # number of open/idle database connections. The value 0 will use the database # engine default, and a negative value will use unlimited connections. The # "conn_max_lifetime" option controls the maximum length of time a database # connection can be idle in seconds - a negative value is unlimited. -# The version of the configuration file. +# The version of the configuration file. version: 1 # Global Matrix configuration. This configuration applies to all components. @@ -133,13 +133,13 @@ client_api: # Whether to require reCAPTCHA for registration. enable_registration_captcha: {{ matrix_dendrite_enable_registration_captcha|to_json }} - # Settings for ReCAPTCHA. + # Settings for ReCAPTCHA. recaptcha_public_key: {{ matrix_dendrite_recaptcha_public_key|to_json }} recaptcha_private_key: {{ matrix_dendrite_recaptcha_private_key|to_json }} recaptcha_bypass_secret: "" recaptcha_siteverify_api: "" - # TURN server information that this homeserver should send to clients. + # TURN server information that this homeserver should send to clients. turn: turn_user_lifetime: "" turn_uris: {{ matrix_dendrite_turn_uris|to_json }} @@ -148,7 +148,7 @@ client_api: turn_password: "" # Settings for rate-limited endpoints. Rate limiting will kick in after the - # threshold number of "slots" have been taken by requests from a specific + # threshold number of "slots" have been taken by requests from a specific # host. Each "slot" will be released after the cooloff time in milliseconds. rate_limiting: enabled: {{ matrix_dendrite_rate_limiting_enabled|to_json }} @@ -192,7 +192,7 @@ federation_sender: # Disable the validation of TLS certificates of remote federated homeservers. Do not # enable this option in production as it presents a security risk! - disable_tls_validation: {{ matrix_dendrite_disable_tls_validation }} + disable_tls_validation: {{ matrix_dendrite_disable_tls_validation }} # Use the following proxy server for outbound federation traffic. proxy_outbound: @@ -282,7 +282,7 @@ signing_key_server: public_key: Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw - key_id: ed25519:a_RXGa public_key: l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ - + # This option will control whether Dendrite will prefer to look up keys directly # or whether it should try perspective servers first, using direct fetches as a # last resort. @@ -335,8 +335,4 @@ tracing: # Logging configuration, in addition to the standard logging that is sent to # stdout by Dendrite. -logging: -- type: file - level: {{ matrix_dendrite_log_level }} - params: - path: /var/log/dendrite +logging: [] diff --git a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 index 66a7c1f82..b41f6c2c5 100644 --- a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 +++ b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 @@ -37,7 +37,6 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \ {% endif %} --mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data,ro \ --mount type=bind,src={{ matrix_dendrite_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \ - --mount type=bind,src={{ matrix_dendrite_log_path }},dst=/var/log/dendrite,bind-propagation=slave \ {% for volume in matrix_dendrite_container_additional_volumes %} -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ {% endfor %} diff --git a/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 b/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 index ebacb681c..d9572ac7b 100644 --- a/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 +++ b/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 @@ -9,4 +9,4 @@ fi user=$1 password=$2 -docker exec matrix-dendrite create-account --config /data/dendrite.yaml --user "$user" --password "$password" +docker exec matrix-dendrite create-account --config /data/dendrite.yaml --user "$user" --password "$password" From 5b148921a026d72c92ab6e81d83d345926ba0e7b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 27 Oct 2021 15:06:29 +0300 Subject: [PATCH 077/144] Upgrade Dendrite (0.3.11 -> 0.5.0) and update configuration This brings dendrite.yaml up to date and cleans things up a bit. --- group_vars/matrix_servers | 8 +- roles/matrix-dendrite/defaults/main.yml | 9 ++- .../tasks/dendrite/setup_install.yml | 2 +- .../matrix-dendrite/tasks/validate_config.yml | 3 +- .../templates/dendrite/dendrite.yaml.j2 | 73 ++++++++++++++++--- 5 files changed, 77 insertions(+), 18 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 18351f323..51d7dee46 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1548,6 +1548,10 @@ matrix_postgres_additional_databases: | 'name': matrix_dendrite_device_database, 'username': matrix_dendrite_database_user, 'password': matrix_dendrite_database_password, + },{ + 'name': matrix_dendrite_mscs_database, + 'username': matrix_dendrite_database_user, + 'password': matrix_dendrite_database_password, }] if (matrix_dendrite_enabled and matrix_dendrite_database_hostname == 'matrix-postgres') else []) + ([{ @@ -2184,7 +2188,9 @@ matrix_dendrite_container_client_api_host_bind_port: "{{ '' if matrix_nginx_prox # For exposing the Matrix Federation API's TLS port (HTTPS) to the internet on all network interfaces. matrix_dendrite_container_federation_api_tls_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else matrix_federation_public_port }}" -matrix_dendrite_database_password: "{{ matrix_dendrite_macaroon_secret_key | password_hash('sha512', 'dendrite.db') | to_uuid }}" +matrix_dendrite_registration_shared_secret: "{{ matrix_dendrite_generic_secret_key | password_hash('sha512', 'dendrite.rss') | to_uuid }}" + +matrix_dendrite_database_password: "{{ matrix_dendrite_generic_secret_key | password_hash('sha512', 'dendrite.db') | to_uuid }}" # Even if TURN doesn't support TLS (it does by default), # it doesn't hurt to try a secure connection anyway. diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index 1d80e0b0c..e8e307edb 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -5,7 +5,7 @@ matrix_dendrite_enabled: false matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}" matrix_dendrite_docker_image_name_prefix: "docker.io/" -matrix_dendrite_docker_image_tag: "v0.3.11" +matrix_dendrite_docker_image_tag: "v0.5.0" matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite" @@ -43,10 +43,10 @@ matrix_dendrite_systemd_wanted_services_list: [] # matrix_dendrite_template_dendrite_config: "{{ playbook_dir }}/inventory/host_vars//dendrite.yaml.j2" matrix_dendrite_template_dendrite_config: "{{ role_path }}/templates/dendrite/dendrite.yaml.j2" -matrix_dendrite_macaroon_secret_key: "" -matrix_dendrite_registration_shared_secret: "{{ matrix_dendrite_macaroon_secret_key }}" +# A secret used to derive various other secrets +matrix_dendrite_generic_secret_key: '' +matrix_dendrite_registration_shared_secret: '' matrix_dendrite_allow_guest_access: false -matrix_dendrite_form_secret: "{{ matrix_dendrite_macaroon_secret_key }}" matrix_dendrite_max_file_size_bytes: 10485760 @@ -101,6 +101,7 @@ matrix_dendrite_singingkeyserver_database: "dendrite_sigingkeyserver" matrix_dendrite_syncapi_database: "dendrite_syncapi" matrix_dendrite_account_database: "dendrite_account" matrix_dendrite_device_database: "dendrite_device" +matrix_dendrite_mscs_database: "dendrite_mscs" matrix_dendrite_turn_uris: [] matrix_dendrite_turn_shared_secret: "" diff --git a/roles/matrix-dendrite/tasks/dendrite/setup_install.yml b/roles/matrix-dendrite/tasks/dendrite/setup_install.yml index 2752d51ed..2e319e170 100644 --- a/roles/matrix-dendrite/tasks/dendrite/setup_install.yml +++ b/roles/matrix-dendrite/tasks/dendrite/setup_install.yml @@ -36,7 +36,7 @@ command: | docker run --rm - --name=matrix-config + --name=matrix-dendrite-config --entrypoint=generate-keys --mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data {{ matrix_dendrite_docker_image }} --private-key=/data/{{ matrix_server_fqn_matrix }}.signing.pem diff --git a/roles/matrix-dendrite/tasks/validate_config.yml b/roles/matrix-dendrite/tasks/validate_config.yml index 8c7ee4d20..9e7db4265 100644 --- a/roles/matrix-dendrite/tasks/validate_config.yml +++ b/roles/matrix-dendrite/tasks/validate_config.yml @@ -5,7 +5,8 @@ You need to define a required configuration setting (`{{ item }}`) for using Dendrite. when: "vars[item] == ''" with_items: - - "matrix_dendrite_macaroon_secret_key" + - "matrix_dendrite_generic_secret_key" + - "matrix_dendrite_registration_shared_secret" - name: (Deprecation) Catch and report renamed settings fail: diff --git a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 index 5a127fb7e..f5744dd5b 100644 --- a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 +++ b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -33,9 +33,11 @@ version: 1 # Global Matrix configuration. This configuration applies to all components. global: # The domain name of this homeserver. - server_name: {{ matrix_domain }} + server_name: {{ matrix_domain|to_json }} # The path to the signing private key file, used to sign requests and events. + # Note that this is NOT the same private key as used for TLS! To generate a + # signing key, use "./bin/generate-keys --private-key matrix_key.pem". private_key: "/data/{{ matrix_server_fqn_matrix }}.signing.pem" # The paths and expiry timestamps (as a UNIX timestamp in millisecond precision) @@ -52,16 +54,23 @@ global: # considered valid by other homeservers. key_validity_period: 168h0m0s + # The server name to delegate server-server communications to, with optional port + # e.g. localhost:443 + well_known_server_name: "" + # Lists of domains that the server will trust as identity servers to verify third # party identifiers such as phone numbers and email addresses. trusted_third_party_id_servers: {{ matrix_dendrite_trusted_id_servers|to_json }} + # Disables federation. Dendrite will not be able to make any outbound HTTP requests + # to other servers and the federation API will not be exposed. + disable_federation: false + # Configuration for Kafka/Naffka. kafka: # List of Kafka broker addresses to connect to. This is not needed if using # Naffka in monolith mode. - addresses: - - kafka:9092 + addresses: [] # The prefix to use for Kafka topic names for this homeserver. Change this only if # you are running more than one Dendrite homeserver on the same Kafka deployment. @@ -72,6 +81,12 @@ global: # Kafka. use_naffka: true + # The max size a Kafka message is allowed to use. + # You only need to change this value, if you encounter issues with too large messages. + # Must be less than/equal to "max.message.bytes" configured in Kafka. + # Defaults to 8388608 bytes. + # max_message_bytes: 8388608 + # Naffka database options. Not required when using Kafka. naffka_database: connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_naffka_database }}?sslmode=disable @@ -82,12 +97,12 @@ global: # Configuration for Prometheus metric collection. metrics: # Whether or not Prometheus metrics are enabled. - enabled: {{ matrix_dendrite_metrics_enabled }} + enabled: {{ matrix_dendrite_metrics_enabled|to_json }} # HTTP basic authentication to protect access to monitoring. basic_auth: - username: {{ matrix_dendrite_metrics_username }} - password: {{ matrix_dendrite_metrics_password }} + username: {{ matrix_dendrite_metrics_username|to_json }} + password: {{ matrix_dendrite_metrics_password|to_json }} # DNS cache options. The DNS cache may reduce the load on DNS servers # if there is no local caching resolver available for use. @@ -98,7 +113,7 @@ global: # Maximum number of entries to hold in the DNS cache, and # for how long those items should be considered valid in seconds. cache_size: 256 - cache_lifetime: 300 + cache_lifetime: "5m" # 5minutes; see https://pkg.go.dev/time@master#ParseDuration for more # Configuration for the Appservice API. app_service_api: @@ -111,6 +126,11 @@ app_service_api: max_idle_conns: 2 conn_max_lifetime: -1 + # Disable the validation of TLS certificates of appservices. This is + # not recommended in production since it may allow appservice traffic + # to be sent to an unverified endpoint. + disable_tls_validation: false + # Appservice configuration files to load into this homeserver. config_files: {{ matrix_dendrite_app_service_config_files|to_json }} @@ -192,7 +212,7 @@ federation_sender: # Disable the validation of TLS certificates of remote federated homeservers. Do not # enable this option in production as it presents a security risk! - disable_tls_validation: {{ matrix_dendrite_disable_tls_validation }} + disable_tls_validation: {{ matrix_dendrite_disable_tls_validation|to_json }} # Use the following proxy server for outbound federation traffic. proxy_outbound: @@ -229,8 +249,9 @@ media_api: base_path: "/matrix-media-store-parent/{{ matrix_dendrite_media_store_directory_name }}" # The maximum allowed file size (in bytes) for media uploads to this homeserver - # (0 = unlimited). - max_file_size_bytes: {{ matrix_dendrite_max_file_size_bytes }} + # (0 = unlimited). If using a reverse proxy, ensure it allows requests at + # least this large (e.g. client_max_body_size in nginx.) + max_file_size_bytes: {{ matrix_dendrite_max_file_size_bytes|to_json }} # Whether to dynamically generate thumbnails if needed. dynamic_thumbnails: false @@ -250,6 +271,19 @@ media_api: height: 480 method: scale +# Configuration for experimental MSC's +mscs: + # A list of enabled MSC's + # Currently valid values are: + # - msc2836 (Threading, see https://github.com/matrix-org/matrix-doc/pull/2836) + # - msc2946 (Spaces Summary, see https://github.com/matrix-org/matrix-doc/pull/2946) + mscs: [] + database: + connection_string: {{ matrix_dendrite_database_str }}/{{ matrix_dendrite_mscs_database }}?sslmode=disable + max_open_conns: 5 + max_idle_conns: 2 + conn_max_lifetime: -1 + # Configuration for the Room Server. room_server: internal_api: @@ -261,7 +295,7 @@ room_server: max_idle_conns: 2 conn_max_lifetime: -1 -# Configuration for the Server Key API (for server signing keys). +# Configuration for the Signing Key Server (for server signing keys). signing_key_server: internal_api: listen: http://0.0.0.0:7780 @@ -301,8 +335,20 @@ sync_api: max_idle_conns: 2 conn_max_lifetime: -1 + # This option controls which HTTP header to inspect to find the real remote IP + # address of the client. This is likely required if Dendrite is running behind + # a reverse proxy server. + # real_ip_header: X-Real-IP + # Configuration for the User API. user_api: + # The cost when hashing passwords on registration/login. Default: 10. Min: 4, Max: 31 + # See https://pkg.go.dev/golang.org/x/crypto/bcrypt for more information. + # Setting this lower makes registration/login consume less CPU resources at the cost of security + # should the database be compromised. Setting this higher makes registration/login consume more + # CPU resources but makes it harder to brute force password hashes. + # This value can be low if performing tests or on embedded Dendrite instances (e.g WASM builds) + # bcrypt_cost: 10 internal_api: listen: http://0.0.0.0:7781 connect: http://user_api:7781 @@ -316,6 +362,11 @@ user_api: max_open_conns: 10 max_idle_conns: 2 conn_max_lifetime: -1 + # The length of time that a token issued for a relying party from + # /_matrix/client/r0/user/{userId}/openid/request_token endpoint + # is considered to be valid in milliseconds. + # The default lifetime is 3600000ms (60 minutes). + # openid_token_lifetime_ms: 3600000 # Configuration for Opentracing. # See https://github.com/matrix-org/dendrite/tree/master/docs/tracing for information on From b2b62b722154c921bfb114a5dffc999149725d9c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 1 Nov 2021 17:51:05 +0200 Subject: [PATCH 078/144] Add a variable to control Dendrite's disable_federation setting --- roles/matrix-dendrite/defaults/main.yml | 4 ++++ roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index e8e307edb..61e5f7100 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -114,6 +114,10 @@ matrix_dendrite_trusted_id_servers: - "matrix.org" - "vector.im" +# Controls whether Dendrite will federate at all. +# Disable this to completely isolate your server from the rest of the Matrix network. +matrix_dendrite_disable_federation: false + # Default Dendrite configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # diff --git a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 index f5744dd5b..2559be15a 100644 --- a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 +++ b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -64,7 +64,7 @@ global: # Disables federation. Dendrite will not be able to make any outbound HTTP requests # to other servers and the federation API will not be exposed. - disable_federation: false + disable_federation: {{ matrix_dendrite_disable_federation|to_json }} # Configuration for Kafka/Naffka. kafka: From 63968cb04f5c375ff3e2e13417bcb5b2e31cb919 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Dec 2021 17:17:34 +0200 Subject: [PATCH 079/144] Upgrade Dendrite (0.5.0 -> 0.5.1) --- roles/matrix-dendrite/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index 61e5f7100..1c1e7596c 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -5,7 +5,7 @@ matrix_dendrite_enabled: false matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}" matrix_dendrite_docker_image_name_prefix: "docker.io/" -matrix_dendrite_docker_image_tag: "v0.5.0" +matrix_dendrite_docker_image_tag: "v0.5.1" matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}" matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite" From 3cf9f87097940c13a7839c050a40c58cbbc4facd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Dec 2021 19:00:17 +0200 Subject: [PATCH 080/144] Add matrix_homeserver_implementation, tracking the current homeserver implementation The goal is to have a single variable which tells us which homeserver software is in use. Much simpler than having if/elif/elif checks for variables like (`matrix_synapse_enabled` and `matrix_dendrite_enabled`, etc.) everywhere. --- group_vars/matrix_servers | 11 +++++++++++ roles/matrix-base/defaults/main.yml | 7 +++++++ roles/matrix-base/tasks/sanity_check.yml | 11 +++++++++++ roles/matrix-base/vars/main.yml | 2 +- 4 files changed, 30 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 51d7dee46..b40d62983 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -17,6 +17,17 @@ matrix_container_global_registry_prefix: "docker.io/" # ###################################################################### +matrix_homeserver_enabled_implementations_list: | + {{ + ( + (['synapse'] if matrix_synapse_enabled else []) + + + (['dendrite'] if matrix_dendrite_enabled else []) + ) + }} + +matrix_homeserver_implementation: "{{ matrix_homeserver_enabled_implementations_list[0] if matrix_homeserver_enabled_implementations_list|length == 1 else '' }}" + matrix_identity_server_url: "{{ ('https://' + matrix_server_fqn_matrix) if matrix_ma1sd_enabled else None }}" # If Synapse workers are enabled and matrix-nginx-proxy is disabled, certain APIs may not work over 'http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}'. diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 9b137bae9..9fc14e8ae 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -7,6 +7,13 @@ # Example value: example.com matrix_domain: ~ +# This will contain the homeserver implementation that is in use. +# Example values: 'synapse', 'dendrite', etc. +# You normally don't need to set this variable manually. +# Its value is automatically set depending on the homeserver implementation that you have enabled via other variables +# (e.g. `matrix_synapse_enabled`, `matrix_dendrite_enabled`, etc.) +matrix_homeserver_implementation: '' + # This is where your data lives and what we set up. # This and the Element FQN (see below) are expected to be on the same server. matrix_server_fqn_matrix: "matrix.{{ matrix_domain }}" diff --git a/roles/matrix-base/tasks/sanity_check.yml b/roles/matrix-base/tasks/sanity_check.yml index 265dc282d..1e525b80e 100644 --- a/roles/matrix-base/tasks/sanity_check.yml +++ b/roles/matrix-base/tasks/sanity_check.yml @@ -1,5 +1,16 @@ --- +- name: Fail if 0 or more than 1 homeserver implementations enabled + fail: + msg: >- + You have 0 or more than 1 homeserver implementations enabled + ({{ matrix_homeserver_enabled_implementations_list|join(', ') }}). + + If you have more than 1 implementation enabled, you can disable the unnecessary implementations by adding `matrix_IMPLEMENTATION_enabled: false` to your vars.yml file. + + If you have 0 implementations enabled, you can enable one by adding `matrix_IMPLEMENTATION_enabled: false` to your vars.yml file (e.g. `matrix_dendrite_enabled: true`). + when: "matrix_homeserver_enabled_implementations_list|length != 1" + # We generally support Ansible 2.7.1 and above. - name: Fail if running on Ansible < 2.7.1 fail: diff --git a/roles/matrix-base/vars/main.yml b/roles/matrix-base/vars/main.yml index e4e9c1668..8b99708b7 100644 --- a/roles/matrix-base/vars/main.yml +++ b/roles/matrix-base/vars/main.yml @@ -1,3 +1,3 @@ # This will contain a list of enabled services that the playbook is managing. # Each component is expected to append its service name to this list. -matrix_systemd_services_list: [] \ No newline at end of file +matrix_systemd_services_list: [] From 2f57c5173347584ea2e07e2472656b5e0beca57d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 18 Dec 2021 10:38:00 +0200 Subject: [PATCH 081/144] Remove useless check Since 025a5ab5e5f6bdb3, we do a similar check in matrix-base. --- roles/matrix-dendrite/tasks/init.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/roles/matrix-dendrite/tasks/init.yml b/roles/matrix-dendrite/tasks/init.yml index 8457c63d1..28709469e 100644 --- a/roles/matrix-dendrite/tasks/init.yml +++ b/roles/matrix-dendrite/tasks/init.yml @@ -5,8 +5,3 @@ - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-goofys.service'] }}" when: matrix_s3_media_store_enabled|bool - -- name: Fail when using also using Synapse - fail: - msg: "To use Dendrite as your matrix server, you should disable Synapse." - when: "matrix_dendrite_enabled and matrix_synapse_enabled" From ecc237bbad4b21edce37faba67864a36fde5a5cb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 18 Dec 2021 10:50:44 +0200 Subject: [PATCH 082/144] Initial work on getting nginx reverse proxying working with Dendrite --- group_vars/matrix_servers | 30 +++++++-- roles/matrix-dendrite/defaults/main.yml | 14 +++- .../tasks/dendrite/setup_install.yml | 2 +- roles/matrix-dendrite/tasks/main.yml | 4 +- .../tasks/self_check_client_api.yml | 4 +- .../tasks/self_check_federation_api.yml | 7 +- .../templates/dendrite/dendrite.yaml.j2 | 2 +- .../systemd/matrix-dendrite.service.j2 | 3 +- roles/matrix-nginx-proxy/defaults/main.yml | 25 ++++--- .../tasks/setup_nginx_proxy.yml | 13 ++++ .../nginx/conf.d/matrix-dendrite.conf.j2 | 67 +++++++++++++++++++ 11 files changed, 143 insertions(+), 28 deletions(-) create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index b40d62983..587ef2435 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1365,7 +1365,13 @@ matrix_nginx_proxy_enabled: true matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-nginx-proxy:12080' }}" matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ '127.0.0.1:41080' if matrix_corporal_enabled else '127.0.0.1:12080' }}" -matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: "{{ matrix_synapse_max_upload_size_mb }}" +matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: |- + {{ + { + 'synapse': matrix_synapse_max_upload_size_mb, + 'dendrite': (matrix_dendrite_max_file_size_bytes / 1024 / 1024) | round, + }[matrix_homeserver_implementation]|int + }} matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: "{{ matrix_synapse_admin_enabled }}" @@ -1391,19 +1397,29 @@ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ # By default, we do TLS termination for the Matrix Federation API (port 8448) at matrix-nginx-proxy. # Unless this is handled there OR Synapse's federation listener port is disabled, we'll reverse-proxy. -matrix_nginx_proxy_proxy_matrix_federation_api_enabled: "{{ matrix_synapse_federation_port_enabled and not matrix_synapse_tls_federation_listener_enabled }}" +matrix_nginx_proxy_proxy_matrix_federation_api_enabled: |- + {{ + { + 'synapse': (matrix_synapse_federation_port_enabled and not matrix_synapse_tls_federation_listener_enabled), + 'dendrite': matrix_dendrite_federation_enabled, + }[matrix_homeserver_implementation]|bool + }} + matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-nginx-proxy:12088" matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:12088" -# Settings controlling matrix-synapse-proxy.conf matrix_nginx_proxy_proxy_synapse_enabled: "{{ matrix_synapse_enabled }}" - matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "matrix-synapse:{{ matrix_synapse_container_client_api_port }}" -matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "127.0.0.1:{{ matrix_synapse_container_client_api_port }}" - +matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "127.0.0.1:{{ matrix_dendrite_container_client_api_port }}" matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-synapse:{{matrix_synapse_container_federation_api_plain_port|string}}" matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:{{matrix_synapse_container_federation_api_plain_port|string}}" +matrix_nginx_proxy_proxy_dendrite_enabled: "{{ matrix_dendrite_enabled }}" +matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: "matrix-dendrite:{{ matrix_dendrite_container_client_api_port }}" +matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container: "127.0.0.1:{{ matrix_synapse_container_client_api_port }}" +matrix_nginx_proxy_proxy_dendrite_federation_api_addr_with_container: "matrix-dendrite:{{ matrix_dendrite_container_federation_api_plain_port|string }}" +matrix_nginx_proxy_proxy_dendrite_federation_api_addr_sans_container: "127.0.0.1:{{ matrix_dendrite_container_federation_api_plain_port|string }}" + # When matrix-nginx-proxy is disabled, the actual port number that the vhost uses may begin to matter. matrix_nginx_proxy_proxy_matrix_federation_port: "{{ matrix_federation_public_port }}" @@ -2221,6 +2237,8 @@ matrix_dendrite_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_dendrite_disable_tls_validation: "{{ true if matrix_ssl_retrieval_method == 'self-signed' else false }}" +matrix_dendrite_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" + matrix_dendrite_systemd_required_services_list: | {{ (['docker.service']) diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index 1c1e7596c..11952ce75 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -14,6 +14,15 @@ matrix_dendrite_storage_path: "{{ matrix_dendrite_base_path }}/storage" matrix_dendrite_media_store_path: "{{ matrix_dendrite_storage_path }}/media-store" matrix_dendrite_ext_path: "{{ matrix_dendrite_base_path }}/ext" +matrix_dendrite_container_http_bind_port: 8008 + +# This is passed as a flag `-http-bind-address` flag to the Dendrite server in the container +matrix_dendrite_container_http_bind_address: ":{{ matrix_dendrite_container_http_bind_port }}" + +# Dendrite monolith exposes both the Client API and the Federation API on the same port +matrix_dendrite_container_client_api_port: "{{ matrix_dendrite_container_http_bind_port }}" +matrix_dendrite_container_federation_api_plain_port: "{{ matrix_dendrite_container_http_bind_port }}" + # Controls whether the matrix-dendrite container exposes the Client/Server API port (tcp/8008 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8008"), or empty string to not expose. @@ -116,7 +125,10 @@ matrix_dendrite_trusted_id_servers: # Controls whether Dendrite will federate at all. # Disable this to completely isolate your server from the rest of the Matrix network. -matrix_dendrite_disable_federation: false +matrix_dendrite_federation_enabled: true + +# Controls whether the self-check feature should validate SSL certificates. +matrix_dendrite_self_check_validate_certificates: true # Default Dendrite configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. diff --git a/roles/matrix-dendrite/tasks/dendrite/setup_install.yml b/roles/matrix-dendrite/tasks/dendrite/setup_install.yml index 2e319e170..3e3b21998 100644 --- a/roles/matrix-dendrite/tasks/dendrite/setup_install.yml +++ b/roles/matrix-dendrite/tasks/dendrite/setup_install.yml @@ -68,7 +68,7 @@ - name: Ensure systemd reloaded after matrix-dendrite.service installation service: daemon_reload: yes - when: "matrix_dendrite_systemd_service_result.changed" + when: "matrix_dendrite_systemd_service_result.changed|bool" - name: Ensure matrix-dendrite-create-account script created template: diff --git a/roles/matrix-dendrite/tasks/main.yml b/roles/matrix-dendrite/tasks/main.yml index 6c25f1906..e44134a5a 100644 --- a/roles/matrix-dendrite/tasks/main.yml +++ b/roles/matrix-dendrite/tasks/main.yml @@ -22,14 +22,14 @@ - import_tasks: "{{ role_path }}/tasks/self_check_client_api.yml" delegate_to: 127.0.0.1 become: false - when: run_self_check|bool + when: run_self_check|bool and matrix_dendrite_enabled|bool tags: - self-check - import_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml" delegate_to: 127.0.0.1 become: false - when: run_self_check|bool + when: run_self_check|bool and matrix_dendrite_enabled|bool tags: - self-check diff --git a/roles/matrix-dendrite/tasks/self_check_client_api.yml b/roles/matrix-dendrite/tasks/self_check_client_api.yml index d3fb1f0de..7c2f6b5ec 100644 --- a/roles/matrix-dendrite/tasks/self_check_client_api.yml +++ b/roles/matrix-dendrite/tasks/self_check_client_api.yml @@ -7,14 +7,12 @@ register: result_matrix_dendrite_client_api ignore_errors: true check_mode: no - when: matrix_dendrite_enabled|bool - name: Fail if Matrix Client API not working fail: msg: "Failed checking Matrix Client API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_client_api_url_endpoint_public }}`). Is Dendrite running? Is port 443 open in your firewall? Full error: {{ result_matrix_dendrite_client_api }}" - when: "matrix_dendrite_enabled|bool and (result_matrix_dendrite_client_api.failed or 'json' not in result_matrix_dendrite_client_api)" + when: "(result_matrix_dendrite_client_api.failed or 'json' not in result_matrix_dendrite_client_api)" - name: Report working Matrix Client API debug: msg: "The Matrix Client API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_client_api_url_endpoint_public }}`) is working" - when: matrix_dendrite_enabled|bool diff --git a/roles/matrix-dendrite/tasks/self_check_federation_api.yml b/roles/matrix-dendrite/tasks/self_check_federation_api.yml index f11601d7f..a7c60a677 100644 --- a/roles/matrix-dendrite/tasks/self_check_federation_api.yml +++ b/roles/matrix-dendrite/tasks/self_check_federation_api.yml @@ -7,19 +7,18 @@ register: result_matrix_dendrite_federation_api ignore_errors: true check_mode: no - when: matrix_dendrite_enabled|bool - name: Fail if Matrix Federation API not working fail: msg: "Failed checking Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_federation_api_url_endpoint_public }}`). Is Dendrite running? Is port {{ matrix_federation_public_port }} open in your firewall? Full error: {{ result_matrix_dendrite_federation_api }}" - when: "matrix_dendrite_enabled|bool and matrix_dendrite_federation_enabled|bool and (result_matrix_dendrite_federation_api.failed or 'json' not in result_matrix_dendrite_federation_api)" + when: "matrix_dendrite_federation_enabled|bool and (result_matrix_dendrite_federation_api.failed or 'json' not in result_matrix_dendrite_federation_api)" - name: Fail if Matrix Federation API unexpectedly enabled fail: msg: "Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_federation_api_url_endpoint_public }}`) despite being disabled." - when: "matrix_dendrite_enabled|bool and not matrix_dendrite_federation_enabled|bool and not result_matrix_dendrite_federation_api.failed" + when: "not matrix_dendrite_federation_enabled|bool and not result_matrix_dendrite_federation_api.failed" - name: Report working Matrix Federation API debug: msg: "The Matrix Federation API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_dendrite_federation_api_url_endpoint_public }}`) is working" - when: "matrix_dendrite_enabled|bool and matrix_dendrite_federation_enabled|bool" + when: "matrix_dendrite_federation_enabled|bool" diff --git a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 index 2559be15a..c512904eb 100644 --- a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 +++ b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -64,7 +64,7 @@ global: # Disables federation. Dendrite will not be able to make any outbound HTTP requests # to other servers and the federation API will not be exposed. - disable_federation: {{ matrix_dendrite_disable_federation|to_json }} + disable_federation: {{ (not matrix_dendrite_federation_enabled)|to_json }} # Configuration for Kafka/Naffka. kafka: diff --git a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 index b41f6c2c5..48067c0e3 100644 --- a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 +++ b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 @@ -44,7 +44,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \ {{ arg }} \ {% endfor %} {{ matrix_dendrite_docker_image }} \ - --config /data/dendrite.yaml + -config /data/dendrite.yaml \ + -http-bind-address {{ matrix_dendrite_container_http_bind_address }} ExecStop=-{{ matrix_host_command_docker }} kill matrix-dendrite ExecStop=-{{ matrix_host_command_docker }} rm matrix-dendrite diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 74f53e674..749d9391d 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -111,14 +111,28 @@ matrix_nginx_proxy_access_log_enabled: true matrix_nginx_proxy_proxy_riot_compat_redirect_enabled: false matrix_nginx_proxy_proxy_riot_compat_redirect_hostname: "riot.{{ matrix_domain }}" -# Controls whether proxying the Synapse domain should be done. +# Controls whether proxying for Synapse should be done. matrix_nginx_proxy_proxy_synapse_enabled: false matrix_nginx_proxy_proxy_synapse_hostname: "matrix-nginx-proxy" matrix_nginx_proxy_proxy_synapse_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}" - +# The addresses where the Matrix Client API is, when using Synapse. +matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "" +matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "" # The addresses where the Federation API is, when using Synapse. matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "" matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "" +# A list of strings containing additional configuration blocks to add to the Synapse's server configuration (matrix-synapse.conf). +matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks: [] + +# Controls whether proxying for Dendrite should be done. +matrix_nginx_proxy_proxy_dendrite_enabled: false +matrix_nginx_proxy_proxy_dendrite_hostname: "matrix-nginx-proxy" +matrix_nginx_proxy_proxy_dendrite_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}" +# The addresses where the Matrix Client API is, when using Dendrite. +matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: "" +matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container: "" +# A list of strings containing additional configuration blocks to add to the Dendrite's server configuration (matrix-dendrite.conf). +matrix_nginx_proxy_proxy_dendrite_additional_server_configuration_blocks: [] # Controls whether proxying the Element domain should be done. matrix_nginx_proxy_proxy_element_enabled: false @@ -200,10 +214,6 @@ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: "" matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-nginx-proxy:12080" matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:12080" -# The addresses where the Matrix Client API is, when using Synapse. -matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "" -matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "" - # This needs to be equal or higher than the maximum upload size accepted by Synapse. matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 50 @@ -268,9 +278,6 @@ matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to the base matrix server configuration (matrix-domain.conf). matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: [] -# A list of strings containing additional configuration blocks to add to the synapse's server configuration (matrix-synapse.conf). -matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks: [] - # A list of strings containing additional configuration blocks to add to Riot's server configuration (matrix-riot-web.conf). matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: [] diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 5ddbb19d0..e5021468a 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -67,6 +67,19 @@ state: absent when: "not matrix_nginx_proxy_proxy_synapse_enabled|bool" +- name: Ensure Matrix nginx-proxy configuration for matrix-dendrite exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-dendrite.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-dendrite.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_dendrite_enabled|bool + +- name: Ensure Matrix nginx-proxy configuration for matrix-dendrite deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-dendrite.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_dendrite_enabled|bool" + - name: Ensure Matrix nginx-proxy configuration for Element domain exists template: src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-element.conf.j2" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 new file mode 100644 index 000000000..9776085e1 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 @@ -0,0 +1,67 @@ +#jinja2: lstrip_blocks: "True" + +server { + listen 12080; + server_name {{ matrix_nginx_proxy_proxy_dendrite_hostname }}; + + server_tokens off; + root /dev/null; + + gzip on; + gzip_types text/plain application/json; + + {% for configuration_block in matrix_nginx_proxy_proxy_dendrite_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} + + {# Everything else just goes to the API server ##} + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container }}; + {% endif %} + + proxy_set_header Host $host; + + client_body_buffer_size 25M; + client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; + proxy_max_temp_file_size 0; + } +} + +{% if matrix_nginx_proxy_proxy_dendrite_federation_api_enabled %} +server { + listen 12088; + + server_name {{ matrix_nginx_proxy_proxy_dendrite_hostname }}; + server_tokens off; + + root /dev/null; + + gzip on; + gzip_types text/plain application/json; + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_dendrite_federation_api_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_dendrite_federation_api_addr_sans_container }}; + {% endif %} + + proxy_set_header Host $host; + + client_body_buffer_size 25M; + client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M; + proxy_max_temp_file_size 0; + } +} +{% endif %} From 3b9d5b13e96dd94ee014d0a58bbeeef0b6deb952 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 18 Dec 2021 13:26:31 +0200 Subject: [PATCH 083/144] Add support for not serving Dendrite federation APIs on the client port Seems like Dendrite encourages serving both the Client and Federation API at the same port. Coming from Synapse and how things are done there, we have separate ports. Using separate ports probably makes matrix-corporal (etc.) integration easier, so separating the APIs by default probably makes sense. --- roles/matrix-nginx-proxy/defaults/main.yml | 3 +++ .../templates/nginx/conf.d/matrix-dendrite.conf.j2 | 10 ++++++++++ 2 files changed, 13 insertions(+) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 749d9391d..1feea6b71 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -128,6 +128,9 @@ matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks: [] matrix_nginx_proxy_proxy_dendrite_enabled: false matrix_nginx_proxy_proxy_dendrite_hostname: "matrix-nginx-proxy" matrix_nginx_proxy_proxy_dendrite_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}" +# Controls whether the Client API server (usually at matrix.DOMAIN:443) should explicitly reject `/_matrix/federation` endpoints. +# Normally, Dendrite Monolith serves both APIs (Client & Federation) at the same port, so we can serve federation at `matrix.DOMAIN:443` too. +matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port: true # The addresses where the Matrix Client API is, when using Dendrite. matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: "" matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container: "" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 index 9776085e1..939156a31 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 @@ -14,6 +14,16 @@ server { {{- configuration_block }} {% endfor %} + {% if matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port %} + location /_matrix/federation { + {% if matrix_nginx_proxy_proxy_dendrite_federation_api_enabled %} + return 404 'The Federation API is served at https://{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}'; + {% else %} + return 404 'This Matrix server is running with federation disabled'; + {% endif %} + } + {% endif %} + {# Everything else just goes to the API server ##} location / { {% if matrix_nginx_proxy_enabled %} From 9f6e8f5eaf2fd19200fb6533f4e524f32dffc892 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 18 Dec 2021 13:37:43 +0200 Subject: [PATCH 084/144] Remove matrix_s3 references from matrix-dendrite role All the `matrix_s3_*` stuff happens in the `matrix-synapse` role. If we are to have such S3 support for Dendrite, we should probably extract it out of the `matrix-synapse` role (into a `matrix-s3` role or `matrix-goofys`, etc.) and wire `matrix-dendrite` accordingly. This may or may not be done in the future though. For now, I'm cleaning things up in the `matrix-dendrite` role. --- roles/matrix-dendrite/tasks/init.yml | 4 ---- roles/matrix-dendrite/tasks/setup_dendrite.yml | 5 +---- .../templates/dendrite/systemd/matrix-dendrite.service.j2 | 6 ------ 3 files changed, 1 insertion(+), 14 deletions(-) diff --git a/roles/matrix-dendrite/tasks/init.yml b/roles/matrix-dendrite/tasks/init.yml index 28709469e..2e2e551a8 100644 --- a/roles/matrix-dendrite/tasks/init.yml +++ b/roles/matrix-dendrite/tasks/init.yml @@ -1,7 +1,3 @@ - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dendrite.service'] }}" when: matrix_dendrite_enabled|bool - -- set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-goofys.service'] }}" - when: matrix_s3_media_store_enabled|bool diff --git a/roles/matrix-dendrite/tasks/setup_dendrite.yml b/roles/matrix-dendrite/tasks/setup_dendrite.yml index 9fa8f5664..04c3a7fef 100644 --- a/roles/matrix-dendrite/tasks/setup_dendrite.yml +++ b/roles/matrix-dendrite/tasks/setup_dendrite.yml @@ -9,9 +9,6 @@ with_items: - { path: "{{ matrix_dendrite_config_dir_path }}", when: true } - { path: "{{ matrix_dendrite_ext_path }}", when: true } - # We handle matrix_dendrite_media_store_path elsewhere (in ./dendrite/setup_install.yml), - # because if it's using Goofys and it's already mounted (from before), - # trying to chown/chmod it here will cause trouble. - when: "(matrix_dendrite_enabled|bool or matrix_s3_media_store_enabled|bool) and item.when" + when: "matrix_dendrite_enabled|bool and item.when" - import_tasks: "{{ role_path }}/tasks/dendrite/setup.yml" diff --git a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 index 48067c0e3..647d07564 100644 --- a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 +++ b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 @@ -15,12 +15,6 @@ Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dendrite ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dendrite -{% if matrix_s3_media_store_enabled %} -# Allow for some time before starting, so that media store can mount. -# Mounting can happen later too, but if we start writing, -# we'd write files to the local filesystem and fusermount will complain. -ExecStartPre={{ matrix_host_command_sleep }} 3 -{% endif %} ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \ --log-driver=none \ From b297e8ee2b92761dd6fd35c7a8a10134bf2d2c6f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 18 Dec 2021 13:56:32 +0200 Subject: [PATCH 085/144] Delay Dendrite startup so that matrix-postgres.service can start --- .../templates/dendrite/systemd/matrix-dendrite.service.j2 | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 index 647d07564..a67a3c206 100644 --- a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 +++ b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 @@ -16,6 +16,12 @@ Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dendrite ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dendrite +{% if 'matrix-postgres.service' in matrix_dendrite_systemd_required_services_list %} +# Dendrite is too quick to start in relation to its matrix-postgres dependency. +# Delay Dendrite startup to avoid failing with: "failed to connect to accounts db" ("pq: the database system is starting up"). +ExecStartPre={{ matrix_host_command_sleep }} 5 +{% endif %} + ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ From f8a8d7d31033854188fdb27e055b7cb9dcd6e2f9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 18 Dec 2021 14:28:27 +0200 Subject: [PATCH 086/144] Fix /usr/local/bin/matrix-dendrite-create-account We also need to fix `--tags=register-user`. This tag is currently defined in both the `matrix-synapse` and `matrix-dendrite` roles. --- .../dendrite/usr-local-bin/matrix-dendrite-create-account.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 b/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 index d9572ac7b..5332b964d 100644 --- a/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 +++ b/roles/matrix-dendrite/templates/dendrite/usr-local-bin/matrix-dendrite-create-account.j2 @@ -9,4 +9,4 @@ fi user=$1 password=$2 -docker exec matrix-dendrite create-account --config /data/dendrite.yaml --user "$user" --password "$password" +docker exec matrix-dendrite create-account -config /data/dendrite.yaml -username "$user" -password "$password" From 2bd33e5cf2d8000e2aed991c63decdad7bcb4a89 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 18 Dec 2021 14:40:34 +0200 Subject: [PATCH 087/144] Make --tags=register-user work for both Dendrite/Synapse Also get rid of `--tags=update-user-password` in the `matrix-dendrite` role, as what we had doesn't work. We may be able to do it with some Ansible helper or something else. For now, we'll omit this feature. --- roles/matrix-base/defaults/main.yml | 1 + roles/matrix-dendrite/tasks/main.yml | 7 +--- .../tasks/update_user_password.yml | 41 ------------------- roles/matrix-synapse/tasks/main.yml | 4 +- 4 files changed, 4 insertions(+), 49 deletions(-) delete mode 100644 roles/matrix-dendrite/tasks/update_user_password.yml diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 9fc14e8ae..2356c19dd 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -228,6 +228,7 @@ run_synapse_register_user: true run_synapse_update_user_password: true run_synapse_import_media_store: true run_synapse_rust_synapse_compress_state: true +run_dendrite_register_user: true run_setup: true run_self_check: true run_start: true diff --git a/roles/matrix-dendrite/tasks/main.yml b/roles/matrix-dendrite/tasks/main.yml index e44134a5a..815135d74 100644 --- a/roles/matrix-dendrite/tasks/main.yml +++ b/roles/matrix-dendrite/tasks/main.yml @@ -15,7 +15,7 @@ - setup-dendrite - import_tasks: "{{ role_path }}/tasks/register_user.yml" - when: run_dendrite_register_user|bool + when: run_dendrite_register_user|bool and matrix_dendrite_enabled|bool tags: - register-user @@ -33,11 +33,6 @@ tags: - self-check -- import_tasks: "{{ role_path }}/tasks/update_user_password.yml" - when: run_dendrite_update_user_password|bool - tags: - - update-user-password - - name: Mark matrix-dendrite role as executed set_fact: matrix_dendrite_role_executed: true diff --git a/roles/matrix-dendrite/tasks/update_user_password.yml b/roles/matrix-dendrite/tasks/update_user_password.yml deleted file mode 100644 index 5fbd23c26..000000000 --- a/roles/matrix-dendrite/tasks/update_user_password.yml +++ /dev/null @@ -1,41 +0,0 @@ ---- -- name: Fail if playbook called incorrectly - fail: - msg: "The `username` variable needs to be provided to this playbook, via --extra-vars" - when: "username is not defined or username == ''" - -- name: Fail if playbook called incorrectly - fail: - msg: "The `password` variable needs to be provided to this playbook, via --extra-vars" - when: "password is not defined or password == ''" - -- name: Fail if not using matrix-postgres container - fail: - msg: "This command is working only when matrix-postgres container is being used" - when: "not matrix_postgres_enabled|bool" - -- name: Ensure matrix-dendrite is started - service: - name: matrix-dendrite - state: started - daemon_reload: yes - register: start_result - -- name: Ensure matrix-postgres is started - service: - name: matrix-postgres - state: started - daemon_reload: yes - register: postgres_start_result - -- name: Wait a while, so that Matrix Dendrite can manage to start - pause: - seconds: 7 - when: "start_result.changed or postgres_start_result.changed" - -- name: Generate password hash - shell: "{{ matrix_host_command_docker }} exec matrix-dendrite /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password|quote }}" - register: password_hash - -- name: Update user password hash - command: "{{ matrix_local_bin_path }}/matrix-postgres-update-user-password-hash {{ username|quote }} {{ password_hash.stdout|quote }}" diff --git a/roles/matrix-synapse/tasks/main.yml b/roles/matrix-synapse/tasks/main.yml index 8bf1c563d..17eef9ccd 100644 --- a/roles/matrix-synapse/tasks/main.yml +++ b/roles/matrix-synapse/tasks/main.yml @@ -20,7 +20,7 @@ - import-synapse-media-store - import_tasks: "{{ role_path }}/tasks/register_user.yml" - when: run_synapse_register_user|bool + when: run_synapse_register_user|bool and matrix_synapse_enabled|bool tags: - register-user @@ -39,7 +39,7 @@ - self-check - import_tasks: "{{ role_path }}/tasks/update_user_password.yml" - when: run_synapse_update_user_password|bool + when: run_synapse_update_user_password|bool and matrix_synapse_enabled|bool tags: - update-user-password From 38ec546b8b0f0d5d4d2c4104b9c32af9f14e650a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 14:48:59 +0200 Subject: [PATCH 088/144] Only trust own identity server in Dendrite config, if ma1sd enabled --- group_vars/matrix_servers | 2 ++ 1 file changed, 2 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 587ef2435..788aeca49 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2239,6 +2239,8 @@ matrix_dendrite_disable_tls_validation: "{{ true if matrix_ssl_retrieval_method matrix_dendrite_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +matrix_dendrite_trusted_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_ma1sd_enabled else ['matrix.org', 'vector.im'] }}" + matrix_dendrite_systemd_required_services_list: | {{ (['docker.service']) From 32bbcf5ed6aae6da40ccee86e56ebf236707986c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 15:14:30 +0200 Subject: [PATCH 089/144] Fix incorrect definition --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 788aeca49..70cedf329 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1410,7 +1410,7 @@ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:1 matrix_nginx_proxy_proxy_synapse_enabled: "{{ matrix_synapse_enabled }}" matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "matrix-synapse:{{ matrix_synapse_container_client_api_port }}" -matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "127.0.0.1:{{ matrix_dendrite_container_client_api_port }}" +matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "127.0.0.1:{{ matrix_synapse_container_client_api_port }}" matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-synapse:{{matrix_synapse_container_federation_api_plain_port|string}}" matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:{{matrix_synapse_container_federation_api_plain_port|string}}" From 4139290cc9834c6ecba5b2371199b7874acf617d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 15:23:41 +0200 Subject: [PATCH 090/144] Rename some variables for consistency --- group_vars/matrix_servers | 16 ++++---- roles/matrix-dendrite/defaults/main.yml | 41 ++++++++++++------- .../systemd/matrix-dendrite.service.j2 | 16 +++++--- 3 files changed, 45 insertions(+), 28 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 70cedf329..9c011b4e4 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1415,10 +1415,10 @@ matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-syn matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:{{matrix_synapse_container_federation_api_plain_port|string}}" matrix_nginx_proxy_proxy_dendrite_enabled: "{{ matrix_dendrite_enabled }}" -matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: "matrix-dendrite:{{ matrix_dendrite_container_client_api_port }}" -matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container: "127.0.0.1:{{ matrix_synapse_container_client_api_port }}" -matrix_nginx_proxy_proxy_dendrite_federation_api_addr_with_container: "matrix-dendrite:{{ matrix_dendrite_container_federation_api_plain_port|string }}" -matrix_nginx_proxy_proxy_dendrite_federation_api_addr_sans_container: "127.0.0.1:{{ matrix_dendrite_container_federation_api_plain_port|string }}" +matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: "matrix-dendrite:{{ matrix_dendrite_http_bind_port|string }}" +matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container: "127.0.0.1:{{ matrix_dendrite_http_bind_port|string }}" +matrix_nginx_proxy_proxy_dendrite_federation_api_addr_with_container: "matrix-dendrite:{{ matrix_dendrite_http_bind_port|string }}" +matrix_nginx_proxy_proxy_dendrite_federation_api_addr_sans_container: "127.0.0.1:{{ matrix_dendrite_http_bind_port|string }}" # When matrix-nginx-proxy is disabled, the actual port number that the vhost uses may begin to matter. matrix_nginx_proxy_proxy_matrix_federation_port: "{{ matrix_federation_public_port }}" @@ -2209,11 +2209,11 @@ matrix_postgres_backup_databases: | # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, # you can expose Dendrite's ports to the host. # -# For exposing the Matrix Client API's port (plain HTTP) to the local host. -matrix_dendrite_container_client_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8008' }}" +# For exposing Dendrite's plain HTTP server to the local host. +matrix_dendrite_container_http_host_bind_address: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' + matrix_dendrite_http_bind_port|string) }}" # -# For exposing the Matrix Federation API's TLS port (HTTPS) to the internet on all network interfaces. -matrix_dendrite_container_federation_api_tls_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else matrix_federation_public_port }}" +# For exposing Dendrite's HTTPS server to the local host. +matrix_dendrite_container_https_host_bind_address: "{{ '' if matrix_nginx_proxy_enabled or not matrix_dendrite_https_bind_port else ('127.0.0.1:' + matrix_dendrite_https_bind_port|string) }}" matrix_dendrite_registration_shared_secret: "{{ matrix_dendrite_generic_secret_key | password_hash('sha512', 'dendrite.rss') | to_uuid }}" diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index 11952ce75..8cd4c168c 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -14,31 +14,42 @@ matrix_dendrite_storage_path: "{{ matrix_dendrite_base_path }}/storage" matrix_dendrite_media_store_path: "{{ matrix_dendrite_storage_path }}/media-store" matrix_dendrite_ext_path: "{{ matrix_dendrite_base_path }}/ext" -matrix_dendrite_container_http_bind_port: 8008 +# By default, we make Dendrite only serve HTTP (not HTTPS). +# HTTPS is usually served at the reverse-proxy side (usually via `matrix-nginx-proxy`). +# +# To enable HTTPS serving by Dendrite (directly): +# - `matrix_dendrite_https_bind_port` must be set +# - `-tls-cert` and `-tls-key` must be passed to Dendrite via `matrix_dendrite_process_extra_arguments` +# - the TLS certificate files must be mounted into the container using `matrix_dendrite_container_additional_volumes` +matrix_dendrite_http_bind_port: 8008 +matrix_dendrite_https_bind_port: ~ -# This is passed as a flag `-http-bind-address` flag to the Dendrite server in the container -matrix_dendrite_container_http_bind_address: ":{{ matrix_dendrite_container_http_bind_port }}" +# This is passed as an `-http-bind-address` flag to the Dendrite server in the container +matrix_dendrite_http_bind_address: "{{ (':' + matrix_dendrite_http_bind_port|string) if matrix_dendrite_http_bind_port else '' }}" -# Dendrite monolith exposes both the Client API and the Federation API on the same port -matrix_dendrite_container_client_api_port: "{{ matrix_dendrite_container_http_bind_port }}" -matrix_dendrite_container_federation_api_plain_port: "{{ matrix_dendrite_container_http_bind_port }}" +# This is passed as an `-https-bind-address` flag to the Dendrite server in the container +matrix_dendrite_https_bind_address: "{{ (':' + matrix_dendrite_https_bind_port|string) if matrix_dendrite_https_bind_port else '' }}" -# Controls whether the matrix-dendrite container exposes the Client/Server API port (tcp/8008 in the container). +# Controls whether the matrix-dendrite container exposes the HTTP port (tcp/{{ matrix_dendrite_http_bind_port }} in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8008"), or empty string to not expose. -matrix_dendrite_container_client_api_host_bind_port: "" +matrix_dendrite_container_http_host_bind_address: "" -# Controls whether the matrix-dendrite container exposes the tls (encrypted) Server/Server (Federation) API port (tcp/8448 in the container). +# Controls whether the matrix-dendrite container exposes the HTTPS port (tcp/{{ matrix_dendrite_https_bind_port }} in the container). # -# Takes effect only if federation is enabled (matrix_dendrite_federation_enabled) -# and TLS support is enabled (matrix_dendrite_tls_federation_listener_enabled). -# -# Takes an ":" or "" value (e.g. "8448"), or empty string to not expose. -matrix_dendrite_container_federation_api_tls_host_bind_port: "" +# Takes an ":" or "" value (e.g. "127.0.0.1:8448"), or empty string to not expose. +matrix_dendrite_container_https_host_bind_address: "" -# A list of extra arguments to pass to the container +# A list of extra arguments to pass to the container (`docker run` command) matrix_dendrite_container_extra_arguments: [] +# A list of extra arguments to pass to the container process (`dendrite-monolith` command) +# Example: +# matrix_dendrite_process_extra_arguments: +# - "-tls-cert /some/path.crt" +# - "-tls-key /some/path.pem" +matrix_dendrite_process_extra_arguments: [] + # List of systemd services that matrix-dendrite.service depends on matrix_dendrite_systemd_required_services_list: ["docker.service"] diff --git a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 index a67a3c206..4c357fd19 100644 --- a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 +++ b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 @@ -29,11 +29,11 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_dendrite_tmp_directory_size_mb }}m \ --network={{ matrix_docker_network }} \ - {% if matrix_dendrite_container_client_api_host_bind_port %} - -p {{ matrix_dendrite_container_client_api_host_bind_port }}:8008 \ + {% if matrix_dendrite_container_http_host_bind_address and matrix_dendrite_http_bind_port %} + -p {{ matrix_dendrite_container_http_host_bind_address }}:{{ matrix_dendrite_http_bind_port }} \ {% endif %} - {% if matrix_dendrite_container_federation_api_tls_host_bind_port %} - -p {{ matrix_dendrite_container_federation_api_tls_host_bind_port }}:8448 \ + {% if matrix_dendrite_container_https_host_bind_address and matrix_dendrite_https_bind_port %} + -p {{ matrix_dendrite_container_https_host_bind_address }}:{{ matrix_dendrite_https_bind_port }} \ {% endif %} --mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data,ro \ --mount type=bind,src={{ matrix_dendrite_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \ @@ -45,7 +45,13 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \ {% endfor %} {{ matrix_dendrite_docker_image }} \ -config /data/dendrite.yaml \ - -http-bind-address {{ matrix_dendrite_container_http_bind_address }} + {% if matrix_dendrite_http_bind_address %} + -http-bind-address {{ matrix_dendrite_http_bind_address }} + {% endif %} + {% if matrix_dendrite_https_bind_address %} + -https-bind-address {{ matrix_dendrite_https_bind_address }} + {% endif %} + {{ matrix_dendrite_process_extra_arguments|join(' ') }} ExecStop=-{{ matrix_host_command_docker }} kill matrix-dendrite ExecStop=-{{ matrix_host_command_docker }} rm matrix-dendrite From 1dfe21944fc83c8f2c2afe25756b2e9d475c714d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 16:28:34 +0200 Subject: [PATCH 091/144] Make matrix_homeserver_implementation influence matrix_IMPLEMENTATION_enabled, not the other way around Doing this seems more reasonable and simpler. --- examples/vars.yml | 4 ++++ group_vars/matrix_servers | 15 ++++----------- roles/matrix-base/defaults/main.yml | 12 +++++++----- roles/matrix-base/tasks/sanity_check.yml | 12 +++--------- roles/matrix-dendrite/defaults/main.yml | 2 +- 5 files changed, 19 insertions(+), 26 deletions(-) diff --git a/examples/vars.yml b/examples/vars.yml index f6c86be9f..9623ad392 100644 --- a/examples/vars.yml +++ b/examples/vars.yml @@ -10,6 +10,10 @@ # Example value: example.com matrix_domain: YOUR_BARE_DOMAIN_NAME_HERE +# The Matrix homeserver software to install. +# See `roles/matrix-base/defaults/main.yml` for valid options. +matrix_homeserver_implementation: synapse + # This is something which is provided to Let's Encrypt when retrieving SSL certificates for domains. # # In case SSL renewal fails at some point, you'll also get an email notification there. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 9c011b4e4..3c2161dc9 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -17,17 +17,6 @@ matrix_container_global_registry_prefix: "docker.io/" # ###################################################################### -matrix_homeserver_enabled_implementations_list: | - {{ - ( - (['synapse'] if matrix_synapse_enabled else []) - + - (['dendrite'] if matrix_dendrite_enabled else []) - ) - }} - -matrix_homeserver_implementation: "{{ matrix_homeserver_enabled_implementations_list[0] if matrix_homeserver_enabled_implementations_list|length == 1 else '' }}" - matrix_identity_server_url: "{{ ('https://' + matrix_server_fqn_matrix) if matrix_ma1sd_enabled else None }}" # If Synapse workers are enabled and matrix-nginx-proxy is disabled, certain APIs may not work over 'http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}'. @@ -1906,6 +1895,8 @@ matrix_client_cinny_self_check_validate_certificates: "{{ false if matrix_ssl_re # ###################################################################### +matrix_synapse_enabled: "{{ matrix_homeserver_implementation == 'synapse' }}" + matrix_synapse_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" # When ma1sd is enabled, we can use it to validate email addresses and phone numbers. @@ -2205,6 +2196,8 @@ matrix_postgres_backup_databases: | # ###################################################################### +matrix_dendrite_enabled: "{{ matrix_homeserver_implementation == 'dendrite' }}" + # Normally, matrix-nginx-proxy is enabled and nginx can reach Dendrite over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, # you can expose Dendrite's ports to the host. diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 2356c19dd..c71061f8b 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -8,11 +8,13 @@ matrix_domain: ~ # This will contain the homeserver implementation that is in use. -# Example values: 'synapse', 'dendrite', etc. -# You normally don't need to set this variable manually. -# Its value is automatically set depending on the homeserver implementation that you have enabled via other variables -# (e.g. `matrix_synapse_enabled`, `matrix_dendrite_enabled`, etc.) -matrix_homeserver_implementation: '' +# Valid values: synapse, dendrite +# +# By default, we use Synapse, because it's the only full-featured Matrix server at the moment. +# +# This value automatically influences other variables (`matrix_synapse_enabled`, `matrix_dendrite_enabled`, etc.). +# The homeserver implementation of an existing server cannot be changed without data loss. +matrix_homeserver_implementation: synapse # This is where your data lives and what we set up. # This and the Element FQN (see below) are expected to be on the same server. diff --git a/roles/matrix-base/tasks/sanity_check.yml b/roles/matrix-base/tasks/sanity_check.yml index 1e525b80e..b9c8348fd 100644 --- a/roles/matrix-base/tasks/sanity_check.yml +++ b/roles/matrix-base/tasks/sanity_check.yml @@ -1,15 +1,9 @@ --- -- name: Fail if 0 or more than 1 homeserver implementations enabled +- name: Fail if invalid homeserver implementation fail: - msg: >- - You have 0 or more than 1 homeserver implementations enabled - ({{ matrix_homeserver_enabled_implementations_list|join(', ') }}). - - If you have more than 1 implementation enabled, you can disable the unnecessary implementations by adding `matrix_IMPLEMENTATION_enabled: false` to your vars.yml file. - - If you have 0 implementations enabled, you can enable one by adding `matrix_IMPLEMENTATION_enabled: false` to your vars.yml file (e.g. `matrix_dendrite_enabled: true`). - when: "matrix_homeserver_enabled_implementations_list|length != 1" + msg: "You need to set a valid homeserver implementation in `matrix_homeserver_implementation`" + when: "matrix_homeserver_implementation not in ['synapse', 'dendrite']" # We generally support Ansible 2.7.1 and above. - name: Fail if running on Ansible < 2.7.1 diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index 8cd4c168c..ed15711eb 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -1,7 +1,7 @@ # Dendrite is a second-generation Matrix homeserver currently in Beta # See: https://github.com/matrix-org/dendrite -matrix_dendrite_enabled: false +matrix_dendrite_enabled: true matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}" matrix_dendrite_docker_image_name_prefix: "docker.io/" From 965890bf757ab0d9c6c5223f166f7e49a5ac80c5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Jan 2022 16:00:42 +0200 Subject: [PATCH 092/144] Derive secrets from matrix_homeserver_generic_secret_key, not matrix_synapse_macaroon_secret_key We're trying to move away from implementation-specific variables, hoping for a clean (implementation-neutral) examples/vars.yml file. --- examples/vars.yml | 8 +- group_vars/matrix_servers | 158 +++++++++--------- roles/matrix-base/defaults/main.yml | 3 + roles/matrix-base/tasks/sanity_check.yml | 21 ++- roles/matrix-dendrite/defaults/main.yml | 2 - .../matrix-dendrite/tasks/validate_config.yml | 1 - 6 files changed, 103 insertions(+), 90 deletions(-) diff --git a/examples/vars.yml b/examples/vars.yml index 9623ad392..0f6c1a55f 100644 --- a/examples/vars.yml +++ b/examples/vars.yml @@ -14,6 +14,10 @@ matrix_domain: YOUR_BARE_DOMAIN_NAME_HERE # See `roles/matrix-base/defaults/main.yml` for valid options. matrix_homeserver_implementation: synapse +# A secret used as a base, for generating various other secrets. +# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). +matrix_homeserver_generic_secret_key: '' + # This is something which is provided to Let's Encrypt when retrieving SSL certificates for domains. # # In case SSL renewal fails at some point, you'll also get an email notification there. @@ -28,10 +32,6 @@ matrix_ssl_lets_encrypt_support_email: '' # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). matrix_coturn_turn_static_auth_secret: '' -# A secret used to protect access keys issued by the server. -# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). -matrix_synapse_macaroon_secret_key: '' - # A Postgres password to use for the superuser Postgres user (called `matrix` by default). # # The playbook creates additional Postgres users and databases (one for each enabled service) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 3c2161dc9..a39b46657 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -79,14 +79,14 @@ matrix_appservice_discord_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_appservice_discord_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'discord.as.token') | to_uuid }}" +matrix_appservice_discord_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'discord.as.token') | to_uuid }}" -matrix_appservice_discord_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'discord.hs.token') | to_uuid }}" +matrix_appservice_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'discord.hs.token') | to_uuid }}" # We only make this use Postgres if our own Postgres server is enabled. # It's only then (for now) that we can automatically create the necessary database and user for this service. matrix_appservice_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_appservice_discord_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'as.discord.db') | to_uuid }}" +matrix_appservice_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.discord.db') | to_uuid }}" ###################################################################### # @@ -111,12 +111,12 @@ matrix_appservice_webhooks_container_image_self_build: "{{ matrix_architecture ! # matrix-appservice-webhooks' client-server port to the local host. matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_webhooks_matrix_port) }}" -matrix_appservice_webhooks_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.as.token') | to_uuid }}" +matrix_appservice_webhooks_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'webhook.as.token') | to_uuid }}" matrix_appservice_webhooks_homeserver_url: "{{ matrix_homeserver_container_url }}" -matrix_appservice_webhooks_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.hs.token') | to_uuid }}" +matrix_appservice_webhooks_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'webhook.hs.token') | to_uuid }}" -matrix_appservice_webhooks_id_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.id.token') | to_uuid }}" +matrix_appservice_webhooks_id_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'webhook.id.token') | to_uuid }}" matrix_appservice_webhooks_systemd_required_services_list: | {{ @@ -150,12 +150,12 @@ matrix_appservice_slack_container_image_self_build: "{{ matrix_architecture != ' # matrix-appservice-slack's client-server port to the local host. matrix_appservice_slack_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_slack_slack_port) }}" -matrix_appservice_slack_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.as.token') | to_uuid }}" +matrix_appservice_slack_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.as.token') | to_uuid }}" matrix_appservice_slack_homeserver_url: "{{ matrix_homeserver_container_url }}" -matrix_appservice_slack_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.hs.token') | to_uuid }}" +matrix_appservice_slack_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.hs.token') | to_uuid }}" -matrix_appservice_slack_id_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.id.token') | to_uuid }}" +matrix_appservice_slack_id_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.id.token') | to_uuid }}" matrix_appservice_slack_systemd_required_services_list: | {{ @@ -168,7 +168,7 @@ matrix_appservice_slack_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_appservice_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'nedb' }}" -matrix_appservice_slack_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'as.slack.db') | to_uuid }}" +matrix_appservice_slack_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.slack.db') | to_uuid }}" ###################################################################### # @@ -205,12 +205,12 @@ matrix_appservice_irc_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_appservice_irc_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'irc.as.token') | to_uuid }}" +matrix_appservice_irc_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'irc.as.token') | to_uuid }}" -matrix_appservice_irc_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'irc.hs.token') | to_uuid }}" +matrix_appservice_irc_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'irc.hs.token') | to_uuid }}" matrix_appservice_irc_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'nedb' }}" -matrix_appservice_irc_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'as.irc.db') | to_uuid }}" +matrix_appservice_irc_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.irc.db') | to_uuid }}" ###################################################################### @@ -242,15 +242,15 @@ matrix_beeper_linkedin_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_beeper_linkedin_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'linked.as.token') | to_uuid }}" +matrix_beeper_linkedin_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'linked.as.token') | to_uuid }}" -matrix_beeper_linkedin_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'linked.hs.token') | to_uuid }}" +matrix_beeper_linkedin_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'linked.hs.token') | to_uuid }}" matrix_beeper_linkedin_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" matrix_beeper_linkedin_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}" -matrix_beeper_linkedin_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'maulinkedin.db') | to_uuid }}" +matrix_beeper_linkedin_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maulinkedin.db') | to_uuid }}" ###################################################################### # @@ -280,9 +280,9 @@ matrix_mautrix_facebook_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_facebook_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'fb.as.token') | to_uuid }}" +matrix_mautrix_facebook_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'fb.as.token') | to_uuid }}" -matrix_mautrix_facebook_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'fb.hs.token') | to_uuid }}" +matrix_mautrix_facebook_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'fb.hs.token') | to_uuid }}" matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -291,7 +291,7 @@ matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_presence_enabled if # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. matrix_mautrix_facebook_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_facebook_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.fb.db') | to_uuid }}" +matrix_mautrix_facebook_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.fb.db') | to_uuid }}" ###################################################################### # @@ -322,9 +322,9 @@ matrix_mautrix_hangouts_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_hangouts_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ho.as.token') | to_uuid }}" +matrix_mautrix_hangouts_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ho.as.token') | to_uuid }}" -matrix_mautrix_hangouts_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ho.hs.token') | to_uuid }}" +matrix_mautrix_hangouts_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ho.hs.token') | to_uuid }}" matrix_mautrix_hangouts_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" @@ -332,7 +332,7 @@ matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_pro # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_hangouts_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_hangouts_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.hangouts.db') | to_uuid }}" +matrix_mautrix_hangouts_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.hangouts.db') | to_uuid }}" ###################################################################### # @@ -363,9 +363,9 @@ matrix_mautrix_googlechat_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_googlechat_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'gc.as.token') | to_uuid }}" +matrix_mautrix_googlechat_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gc.as.token') | to_uuid }}" -matrix_mautrix_googlechat_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'gc.hs.token') | to_uuid }}" +matrix_mautrix_googlechat_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gc.hs.token') | to_uuid }}" matrix_mautrix_googlechat_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" @@ -373,7 +373,7 @@ matrix_mautrix_googlechat_login_shared_secret: "{{ matrix_synapse_ext_password_p # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_googlechat_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_googlechat_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.gc.db') | to_uuid }}" +matrix_mautrix_googlechat_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.gc.db') | to_uuid }}" ###################################################################### # @@ -404,9 +404,9 @@ matrix_mautrix_instagram_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_instagram_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ig.as.token') | to_uuid }}" +matrix_mautrix_instagram_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ig.as.token') | to_uuid }}" -matrix_mautrix_instagram_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ig.hs.token') | to_uuid }}" +matrix_mautrix_instagram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ig.hs.token') | to_uuid }}" matrix_mautrix_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -415,7 +415,7 @@ matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_presence_enabled if # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. matrix_mautrix_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_instagram_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.ig.db') | to_uuid }}" +matrix_mautrix_instagram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.ig.db') | to_uuid }}" ###################################################################### # @@ -450,14 +450,14 @@ matrix_mautrix_signal_homeserver_domain: '{{ matrix_domain }}' matrix_mautrix_signal_homeserver_address: "{{ matrix_homeserver_container_url }}" -matrix_mautrix_signal_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'si.hs.token') | to_uuid }}" +matrix_mautrix_signal_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'si.hs.token') | to_uuid }}" -matrix_mautrix_signal_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'si.as.token') | to_uuid }}" +matrix_mautrix_signal_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'si.as.token') | to_uuid }}" matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" matrix_mautrix_signal_database_engine: 'postgres' -matrix_mautrix_signal_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.signal.db') | to_uuid }}" +matrix_mautrix_signal_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.signal.db') | to_uuid }}" matrix_mautrix_signal_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" matrix_mautrix_signal_daemon_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" @@ -493,11 +493,11 @@ matrix_mautrix_telegram_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_telegram_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'telegr.as.token') | to_uuid }}" +matrix_mautrix_telegram_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegr.as.token') | to_uuid }}" -matrix_mautrix_telegram_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'telegr.hs.token') | to_uuid }}" +matrix_mautrix_telegram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegr.hs.token') | to_uuid }}" -matrix_mautrix_telegram_public_endpoint: "/{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'telegram') | to_uuid }}" +matrix_mautrix_telegram_public_endpoint: "/{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegram') | to_uuid }}" matrix_mautrix_telegram_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9006' }}" @@ -505,7 +505,7 @@ matrix_mautrix_telegram_login_shared_secret: "{{ matrix_synapse_ext_password_pro # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_telegram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_telegram_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.telegram.db') | to_uuid }}" +matrix_mautrix_telegram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.telegram.db') | to_uuid }}" ###################################################################### # @@ -535,16 +535,16 @@ matrix_mautrix_twitter_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_twitter_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'twt.as.token') | to_uuid }}" +matrix_mautrix_twitter_appservice_token: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'twt.as.token') | to_uuid }}" -matrix_mautrix_twitter_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'twt.hs.token') | to_uuid }}" +matrix_mautrix_twitter_homeserver_token: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'twt.hs.token') | to_uuid }}" matrix_mautrix_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. matrix_mautrix_twitter_database_engine: "{{ 'postgres' if matrix_postgres_enabled else '' }}" -matrix_mautrix_twitter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.twt.db') | to_uuid }}" +matrix_mautrix_twitter_database_password: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'mau.twt.db') | to_uuid }}" ###################################################################### # @@ -574,15 +574,15 @@ matrix_mautrix_whatsapp_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_whatsapp_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'whats.as.token') | to_uuid }}" +matrix_mautrix_whatsapp_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'whats.as.token') | to_uuid }}" -matrix_mautrix_whatsapp_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'whats.hs.token') | to_uuid }}" +matrix_mautrix_whatsapp_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'whats.hs.token') | to_uuid }}" matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_whatsapp_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_whatsapp_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mauwhatsapp.db') | to_uuid }}" +matrix_mautrix_whatsapp_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mauwhatsapp.db') | to_uuid }}" ###################################################################### # @@ -608,10 +608,10 @@ matrix_sms_bridge_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_sms_bridge_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'sms.as.token') | to_uuid }}" +matrix_sms_bridge_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'sms.as.token') | to_uuid }}" matrix_sms_bridge_homeserver_port: "{{ matrix_synapse_container_client_api_port }}" -matrix_sms_bridge_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'sms.hs.token') | to_uuid }}" +matrix_sms_bridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'sms.hs.token') | to_uuid }}" ###################################################################### # @@ -628,9 +628,9 @@ matrix_sms_bridge_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_se # We don't enable bridges by default. matrix_heisenbridge_enabled: false -matrix_heisenbridge_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'heisen.as.tok') | to_uuid }}" +matrix_heisenbridge_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'heisen.as.tok') | to_uuid }}" -matrix_heisenbridge_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'heisen.hs.tok') | to_uuid }}" +matrix_heisenbridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'heisen.hs.tok') | to_uuid }}" matrix_heisenbridge_systemd_wanted_services_list: | {{ @@ -667,15 +667,15 @@ matrix_mx_puppet_skype_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_skype_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'skype.as.tok') | to_uuid }}" +matrix_mx_puppet_skype_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'skype.as.tok') | to_uuid }}" -matrix_mx_puppet_skype_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'skype.hs.tok') | to_uuid }}" +matrix_mx_puppet_skype_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'skype.hs.tok') | to_uuid }}" matrix_mx_puppet_skype_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_skype_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_skype_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.skype.db') | to_uuid }}" +matrix_mx_puppet_skype_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.skype.db') | to_uuid }}" ###################################################################### # @@ -706,15 +706,15 @@ matrix_mx_puppet_slack_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_slack_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxslk.as.tok') | to_uuid }}" +matrix_mx_puppet_slack_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxslk.as.tok') | to_uuid }}" -matrix_mx_puppet_slack_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxslk.hs.tok') | to_uuid }}" +matrix_mx_puppet_slack_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxslk.hs.tok') | to_uuid }}" matrix_mx_puppet_slack_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_slack_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.slack.db') | to_uuid }}" +matrix_mx_puppet_slack_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.slack.db') | to_uuid }}" ###################################################################### # @@ -744,9 +744,9 @@ matrix_mx_puppet_twitter_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_twitter_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxtwt.as.tok') | to_uuid }}" +matrix_mx_puppet_twitter_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxtwt.as.tok') | to_uuid }}" -matrix_mx_puppet_twitter_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxtwt.hs.tok') | to_uuid }}" +matrix_mx_puppet_twitter_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxtwt.hs.tok') | to_uuid }}" matrix_mx_puppet_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -754,7 +754,7 @@ matrix_mx_puppet_twitter_container_http_host_bind_port: "{{ '' if matrix_nginx_p # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_twitter_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_twitter_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.twitter.db') | to_uuid }}" +matrix_mx_puppet_twitter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.twitter.db') | to_uuid }}" ###################################################################### # @@ -785,15 +785,15 @@ matrix_mx_puppet_instagram_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_instagram_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxig.as.tok') | to_uuid }}" +matrix_mx_puppet_instagram_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxig.as.tok') | to_uuid }}" -matrix_mx_puppet_instagram_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxig.hs.tok') | to_uuid }}" +matrix_mx_puppet_instagram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxig.hs.tok') | to_uuid }}" matrix_mx_puppet_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_instagram_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.ig.db') | to_uuid }}" +matrix_mx_puppet_instagram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.ig.db') | to_uuid }}" ###################################################################### # @@ -823,15 +823,15 @@ matrix_mx_puppet_discord_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_discord_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxdsc.as.tok') | to_uuid }}" +matrix_mx_puppet_discord_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxdsc.as.tok') | to_uuid }}" -matrix_mx_puppet_discord_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxdsc.hs.tok') | to_uuid }}" +matrix_mx_puppet_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxdsc.hs.tok') | to_uuid }}" matrix_mx_puppet_discord_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_discord_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.dsc.db') | to_uuid }}" +matrix_mx_puppet_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.dsc.db') | to_uuid }}" ###################################################################### # @@ -861,15 +861,15 @@ matrix_mx_puppet_steam_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_steam_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxste.as.tok') | to_uuid }}" +matrix_mx_puppet_steam_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxste.as.tok') | to_uuid }}" -matrix_mx_puppet_steam_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxste.hs.tok') | to_uuid }}" +matrix_mx_puppet_steam_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxste.hs.tok') | to_uuid }}" matrix_mx_puppet_steam_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_steam_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_steam_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.steam.db') | to_uuid }}" +matrix_mx_puppet_steam_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.steam.db') | to_uuid }}" ###################################################################### # @@ -899,15 +899,15 @@ matrix_mx_puppet_groupme_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_groupme_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxgro.as.tok') | to_uuid }}" +matrix_mx_puppet_groupme_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxgro.as.tok') | to_uuid }}" -matrix_mx_puppet_groupme_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxgro.hs.tok') | to_uuid }}" +matrix_mx_puppet_groupme_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxgro.hs.tok') | to_uuid }}" matrix_mx_puppet_groupme_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_groupme_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_groupme_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.groupme.db') | to_uuid }}" +matrix_mx_puppet_groupme_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.groupme.db') | to_uuid }}" ###################################################################### # @@ -937,7 +937,7 @@ matrix_bot_matrix_reminder_bot_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_bot_matrix_reminder_bot_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_bot_matrix_reminder_bot_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'reminder.bot.db') | to_uuid }}" +matrix_bot_matrix_reminder_bot_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'reminder.bot.db') | to_uuid }}" matrix_bot_matrix_reminder_bot_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" ###################################################################### @@ -1142,7 +1142,7 @@ matrix_dimension_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_dimension_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_dimension_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'dimension.db') | to_uuid }}" +matrix_dimension_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dimension.db') | to_uuid }}" ###################################################################### # @@ -1167,7 +1167,7 @@ matrix_etherpad_systemd_required_services_list: | (['matrix-postgres.service'] if matrix_postgres_enabled else []) }} -matrix_etherpad_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'etherpad.db') | to_uuid }}" +matrix_etherpad_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'etherpad.db') | to_uuid }}" ###################################################################### # @@ -1226,9 +1226,9 @@ matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ '' if matrix_nginx_pro matrix_jitsi_prosody_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:5280' }}" -matrix_jitsi_jibri_xmpp_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'jibri') | to_uuid }}" -matrix_jitsi_jicofo_auth_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'jicofo') | to_uuid }}" -matrix_jitsi_jvb_auth_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'jvb') | to_uuid }}" +matrix_jitsi_jibri_xmpp_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jibri') | to_uuid }}" +matrix_jitsi_jicofo_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jicofo') | to_uuid }}" +matrix_jitsi_jvb_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jvb') | to_uuid }}" matrix_jitsi_web_stun_servers: | {{ @@ -1331,7 +1331,7 @@ matrix_ma1sd_systemd_wanted_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_ma1sd_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_ma1sd_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ma1sd.db') | to_uuid }}" +matrix_ma1sd_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ma1sd.db') | to_uuid }}" ###################################################################### # @@ -1926,7 +1926,9 @@ matrix_synapse_container_manhole_api_host_bind_port: "{{ '127.0.0.1:9000' if mat # For exposing the Synapse worker (and metrics) ports to the local host. matrix_synapse_workers_container_host_bind_address: "{{ '127.0.0.1' if (matrix_synapse_workers_enabled and not matrix_nginx_proxy_enabled) else '' }}" -matrix_synapse_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'synapse.db') | to_uuid }}" +matrix_synapse_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'synapse.db') | to_uuid }}" + +matrix_synapse_macaroon_secret_key: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'synapse.mac') | to_uuid }}" # We do not enable TLS in Synapse by default. # TLS is handled by the matrix-nginx-proxy, which proxies the requests to Synapse. @@ -2077,7 +2079,7 @@ matrix_prometheus_scraper_postgres_targets: "{{ ['matrix-prometheus-postgres-exp ###################################################################### matrix_prometheus_postgres_exporter_enabled: false -matrix_prometheus_postgres_exporter_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'prometheus.pg.db') | to_uuid }}" +matrix_prometheus_postgres_exporter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'prometheus.pg.db') | to_uuid }}" matrix_prometheus_postgres_exporter_systemd_required_services_list: | {{ @@ -2153,7 +2155,7 @@ matrix_registration_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_registration_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_registration_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mx.registr.db') | to_uuid }}" +matrix_registration_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mx.registr.db') | to_uuid }}" ###################################################################### # @@ -2208,9 +2210,9 @@ matrix_dendrite_container_http_host_bind_address: "{{ '' if matrix_nginx_proxy_e # For exposing Dendrite's HTTPS server to the local host. matrix_dendrite_container_https_host_bind_address: "{{ '' if matrix_nginx_proxy_enabled or not matrix_dendrite_https_bind_port else ('127.0.0.1:' + matrix_dendrite_https_bind_port|string) }}" -matrix_dendrite_registration_shared_secret: "{{ matrix_dendrite_generic_secret_key | password_hash('sha512', 'dendrite.rss') | to_uuid }}" +matrix_dendrite_registration_shared_secret: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'dendrite.rss') | to_uuid }}" -matrix_dendrite_database_password: "{{ matrix_dendrite_generic_secret_key | password_hash('sha512', 'dendrite.db') | to_uuid }}" +matrix_dendrite_database_password: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'dendrite.db') | to_uuid }}" # Even if TURN doesn't support TLS (it does by default), # it doesn't hurt to try a secure connection anyway. diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index c71061f8b..dc273afd6 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -16,6 +16,9 @@ matrix_domain: ~ # The homeserver implementation of an existing server cannot be changed without data loss. matrix_homeserver_implementation: synapse +# This contains a secret, which is used for generating various other secrets later on. +matrix_homeserver_generic_secret_key: '' + # This is where your data lives and what we set up. # This and the Element FQN (see below) are expected to be on the same server. matrix_server_fqn_matrix: "matrix.{{ matrix_domain }}" diff --git a/roles/matrix-base/tasks/sanity_check.yml b/roles/matrix-base/tasks/sanity_check.yml index b9c8348fd..298a994c1 100644 --- a/roles/matrix-base/tasks/sanity_check.yml +++ b/roles/matrix-base/tasks/sanity_check.yml @@ -33,14 +33,25 @@ - {'old': 'hostname_riot', 'new': 'matrix_server_fqn_element'} - {'old': 'matrix_server_fqn_riot', 'new': 'matrix_server_fqn_element'} +# We have a dedicated check for this variable, because we'd like to have a custom (friendlier) message. +- name: Fail if matrix_homeserver_generic_secret_key is undefined + fail: + msg: | + The `matrix_homeserver_generic_secret_key` variable must be defined and have a non-null and non-empty value. + + If you're seeing this error on an existing homeserver installation, you can fix it easily this error by adding + `{% raw %}matrix_homeserver_generic_secret_key: "{{ matrix_synapse_macaroon_secret_key }}"{% endraw %}` + to your vars.yml file. Using another secret for the new variable is also possible and shouldn't cause any trouble. + when: "matrix_homeserver_generic_secret_key is none or matrix_homeserver_generic_secret_key == ''" + - name: Fail if required variables are undefined fail: - msg: "The `{{ item }}` variable must be defined and have a non-null value" + msg: "The `{{ item.var }}` variable must be defined and have a non-null and non-empty value" with_items: - - matrix_domain - - matrix_server_fqn_matrix - - matrix_server_fqn_element - when: "item not in vars or vars[item] is none" + - {'var': matrix_domain, 'value': "{{ matrix_domain|default('') }}"} + - {'var': matrix_server_fqn_matrix, 'value': "{{ matrix_server_fqn_matrix|default('') }}"} + - {'var': matrix_server_fqn_element, 'value': "{{ matrix_server_fqn_element|default('') }}"} + when: "item.value is none or item.value == ''" - name: Fail if uppercase domain used fail: diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index ed15711eb..840ef9ecf 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -63,8 +63,6 @@ matrix_dendrite_systemd_wanted_services_list: [] # matrix_dendrite_template_dendrite_config: "{{ playbook_dir }}/inventory/host_vars//dendrite.yaml.j2" matrix_dendrite_template_dendrite_config: "{{ role_path }}/templates/dendrite/dendrite.yaml.j2" -# A secret used to derive various other secrets -matrix_dendrite_generic_secret_key: '' matrix_dendrite_registration_shared_secret: '' matrix_dendrite_allow_guest_access: false diff --git a/roles/matrix-dendrite/tasks/validate_config.yml b/roles/matrix-dendrite/tasks/validate_config.yml index 9e7db4265..2d2cf4c5b 100644 --- a/roles/matrix-dendrite/tasks/validate_config.yml +++ b/roles/matrix-dendrite/tasks/validate_config.yml @@ -5,7 +5,6 @@ You need to define a required configuration setting (`{{ item }}`) for using Dendrite. when: "vars[item] == ''" with_items: - - "matrix_dendrite_generic_secret_key" - "matrix_dendrite_registration_shared_secret" - name: (Deprecation) Catch and report renamed settings From bbbfc0708f662927158df508ba7b10f0b26ad6f7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 17:39:56 +0200 Subject: [PATCH 093/144] Derive matrix_coturn_turn_static_auth_secret from matrix_homeserver_generic_secret_key Doing this further simplifies examples/vars.yml. --- examples/vars.yml | 4 ---- group_vars/matrix_servers | 2 ++ 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/examples/vars.yml b/examples/vars.yml index 0f6c1a55f..f57769624 100644 --- a/examples/vars.yml +++ b/examples/vars.yml @@ -28,10 +28,6 @@ matrix_homeserver_generic_secret_key: '' # Example value: someone@example.com matrix_ssl_lets_encrypt_support_email: '' -# A shared secret (between Coturn and Synapse) used for authentication. -# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). -matrix_coturn_turn_static_auth_secret: '' - # A Postgres password to use for the superuser Postgres user (called `matrix` by default). # # The playbook creates additional Postgres users and databases (one for each enabled service) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index a39b46657..4441ca050 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1087,6 +1087,8 @@ matrix_coturn_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" +matrix_coturn_turn_static_auth_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'coturn.sas') | to_uuid }}" + matrix_coturn_tls_enabled: "{{ matrix_ssl_retrieval_method != 'none' }}" matrix_coturn_tls_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_server_fqn_matrix }}/fullchain.pem" matrix_coturn_tls_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_server_fqn_matrix }}/privkey.pem" From 38ad152c03c39ac1adc7126d86c8280ec8886015 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 17:48:34 +0200 Subject: [PATCH 094/144] Add Dendrite-awareness to matrix_homeserver_container_url when matrix-nginx-proxy disabled --- group_vars/matrix_servers | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 4441ca050..27f997e83 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -21,7 +21,13 @@ matrix_identity_server_url: "{{ ('https://' + matrix_server_fqn_matrix) if matri # If Synapse workers are enabled and matrix-nginx-proxy is disabled, certain APIs may not work over 'http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}'. # This is because we explicitly disable them for the main Synapse process. -matrix_homeserver_container_url: "{{ 'http://matrix-nginx-proxy:12080' if matrix_nginx_proxy_enabled else 'http://matrix-synapse:'+ matrix_synapse_container_client_api_port|string }}" +matrix_homeserver_container_url: |- + {{ + 'http://matrix-nginx-proxy:12080' if matrix_nginx_proxy_enabled else { + 'synapse': ('http://matrix-synapse:'+ matrix_synapse_container_client_api_port|string), + 'dendrite': ('http://matrix-dendrite:' + matrix_dendrite_http_bind_port|string), + }[matrix_homeserver_implementation] + }} ###################################################################### # From 593fc2fa852429211ae364fff58d75f2d7d41400 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 18:01:48 +0200 Subject: [PATCH 095/144] Replace matrix-synapse.service references with more homeserver-neutral references --- group_vars/matrix_servers | 63 +++++++++++++++++++-------------------- 1 file changed, 31 insertions(+), 32 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 27f997e83..1ae75535a 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -78,7 +78,7 @@ matrix_appservice_discord_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -128,7 +128,7 @@ matrix_appservice_webhooks_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -167,7 +167,7 @@ matrix_appservice_slack_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -206,7 +206,7 @@ matrix_appservice_irc_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -241,7 +241,7 @@ matrix_beeper_linkedin_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -279,7 +279,7 @@ matrix_mautrix_facebook_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -321,7 +321,7 @@ matrix_mautrix_hangouts_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -362,7 +362,7 @@ matrix_mautrix_googlechat_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -403,7 +403,7 @@ matrix_mautrix_instagram_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -443,7 +443,7 @@ matrix_mautrix_signal_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -492,7 +492,7 @@ matrix_mautrix_telegram_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -534,7 +534,7 @@ matrix_mautrix_twitter_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -573,7 +573,7 @@ matrix_mautrix_whatsapp_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -609,7 +609,7 @@ matrix_sms_bridge_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -640,7 +640,7 @@ matrix_heisenbridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generi matrix_heisenbridge_systemd_wanted_services_list: | {{ - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -666,7 +666,7 @@ matrix_mx_puppet_skype_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -705,7 +705,7 @@ matrix_mx_puppet_slack_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -743,7 +743,7 @@ matrix_mx_puppet_twitter_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -784,7 +784,7 @@ matrix_mx_puppet_instagram_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -822,7 +822,7 @@ matrix_mx_puppet_discord_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -860,7 +860,7 @@ matrix_mx_puppet_steam_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -898,7 +898,7 @@ matrix_mx_puppet_groupme_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -934,9 +934,9 @@ matrix_bot_matrix_reminder_bot_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -997,7 +997,7 @@ matrix_bot_go_neb_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -1026,7 +1026,7 @@ matrix_bot_mjolnir_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -1060,10 +1060,9 @@ matrix_corporal_systemd_required_services_list: | {{ (['docker.service']) + - (['matrix-synapse.service']) + (['matrix-' + matrix_homeserver_implementation + '.service']) }} -# This goes to Synapse's vhost matrix_corporal_matrix_homeserver_api_endpoint: "{{ matrix_homeserver_container_url }}" matrix_corporal_matrix_auth_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}" @@ -1141,9 +1140,9 @@ matrix_dimension_systemd_required_services_list: | {{ ['docker.service'] + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} @@ -1330,7 +1329,7 @@ matrix_ma1sd_systemd_required_services_list: | matrix_ma1sd_systemd_wanted_services_list: | {{ - (['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-synapse.service']) + (['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-' + matrix_homeserver_implementation + '.service']) + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + @@ -1454,7 +1453,7 @@ matrix_nginx_proxy_proxy_synapse_workers_enabled_list: "{{ matrix_synapse_worker matrix_nginx_proxy_systemd_wanted_services_list: | {{ - (['matrix-synapse.service'] if matrix_synapse_enabled else []) + ['matrix-' + matrix_homeserver_implementation + '.service'] + (['matrix-corporal.service'] if matrix_corporal_enabled else []) + From de49cc5271a907dba11985853a9402f7ccb79ac1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 18:04:26 +0200 Subject: [PATCH 096/144] Fix matrix_registration_shared_secret for Dendrite --- group_vars/matrix_servers | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 1ae75535a..305d80441 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2145,7 +2145,13 @@ matrix_registration_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_ matrix_registration_riot_instance: "{{ ('https://' + matrix_server_fqn_element) if matrix_client_element_enabled else 'https://riot.im/app/' }}" -matrix_registration_shared_secret: "{{ matrix_synapse_registration_shared_secret if matrix_synapse_enabled else '' }}" +matrix_registration_shared_secret: |- + {{ + { + 'synapse': matrix_synapse_registration_shared_secret, + 'dendrite': matrix_dendrite_registration_shared_secret, + }[matrix_homeserver_implementation] + }} matrix_registration_server_location: "{{ matrix_homeserver_container_url }}" From 05b4572fab77c1da79f21a7aab51c00d97e011e5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 18:13:44 +0200 Subject: [PATCH 097/144] Fix matrix_dimension_homeserver_federationUrl for Dendrite --- group_vars/matrix_servers | 10 +++++++++- roles/matrix-base/defaults/main.yml | 9 +++++++-- roles/matrix-base/tasks/validate_config.yml | 3 ++- 3 files changed, 18 insertions(+), 4 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 305d80441..864f7702a 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -29,6 +29,14 @@ matrix_homeserver_container_url: |- }[matrix_homeserver_implementation] }} +matrix_homeserver_container_federation_url: |- + {{ + 'http://matrix-nginx-proxy:12088' if matrix_nginx_proxy_enabled else { + 'synapse': ('http://matrix-synapse:'+ matrix_synapse_container_federation_api_plain_port|string), + 'dendrite': ('http://matrix-dendrite:' + matrix_dendrite_http_bind_port|string), + }[matrix_homeserver_implementation] + }} + ###################################################################### # # /matrix-base @@ -1131,7 +1139,7 @@ matrix_dimension_container_image_self_build: "{{ matrix_architecture != 'amd64' # the Dimension HTTP port to the local host. matrix_dimension_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8184' }}" -matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:{{matrix_synapse_container_federation_api_plain_port|string}}" +matrix_dimension_homeserver_federationUrl: "{{ matrix_homeserver_container_federation_url }}" matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}" matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}" diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index dc273afd6..be403de76 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -103,11 +103,16 @@ matrix_ntpd_service: "{{ 'systemd-timesyncd' if (ansible_distribution == 'CentOS matrix_homeserver_url: "https://{{ matrix_server_fqn_matrix }}" -# Specifies where the homeserver is on the container network. -# Where this is depends on whether there's a reverse-proxy in front of it, etc. +# Specifies where the homeserver's Client-Server API is on the container network. +# Where this is depends on whether there's a reverse-proxy in front of the homeserver, which homeserver it is, etc. # This likely gets overriden elsewhere. matrix_homeserver_container_url: "" +# Specifies where the homeserver's Federation API is on the container network. +# Where this is depends on whether there's a reverse-proxy in front of the homeserver, which homeserver it is, etc. +# This likely gets overriden elsewhere. +matrix_homeserver_container_federation_url: "" + matrix_identity_server_url: ~ matrix_integration_manager_rest_url: ~ diff --git a/roles/matrix-base/tasks/validate_config.yml b/roles/matrix-base/tasks/validate_config.yml index 8bb3fca06..84ef2f064 100644 --- a/roles/matrix-base/tasks/validate_config.yml +++ b/roles/matrix-base/tasks/validate_config.yml @@ -6,4 +6,5 @@ You need to define a required configuration setting (`{{ item }}`) for using this playbook. when: "vars[item] == ''" with_items: - - "matrix_homeserver_container_url" \ No newline at end of file + - "matrix_homeserver_container_url" + - "matrix_homeserver_container_federation_url" From 5c3c0d0d588bce8669240c41ff123a45502bad8d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Dec 2021 18:47:50 +0200 Subject: [PATCH 098/144] Set Dendrite's real_ip_header correctly --- group_vars/matrix_servers | 2 ++ roles/matrix-dendrite/defaults/main.yml | 4 ++++ roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 | 1 + 3 files changed, 7 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 864f7702a..57319eba0 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2231,6 +2231,8 @@ matrix_dendrite_container_http_host_bind_address: "{{ '' if matrix_nginx_proxy_e # For exposing Dendrite's HTTPS server to the local host. matrix_dendrite_container_https_host_bind_address: "{{ '' if matrix_nginx_proxy_enabled or not matrix_dendrite_https_bind_port else ('127.0.0.1:' + matrix_dendrite_https_bind_port|string) }}" +matrix_dendrite_sync_api_real_ip_header: "{{ 'X-Forwarded-For' if matrix_nginx_proxy_enabled else '' }}" + matrix_dendrite_registration_shared_secret: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'dendrite.rss') | to_uuid }}" matrix_dendrite_database_password: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'dendrite.db') | to_uuid }}" diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml index 840ef9ecf..237895403 100644 --- a/roles/matrix-dendrite/defaults/main.yml +++ b/roles/matrix-dendrite/defaults/main.yml @@ -68,6 +68,10 @@ matrix_dendrite_allow_guest_access: false matrix_dendrite_max_file_size_bytes: 10485760 +# Controls which HTTP header (e.g. 'X-Forwarded-For', 'X-Real-IP') to inspect to find the real remote IP address of the client. +# This is likely required if Dendrite is running behind a reverse proxy server. +matrix_dendrite_sync_api_real_ip_header: '' + # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. matrix_dendrite_tmp_directory_size_mb: 500 diff --git a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 index c512904eb..102dd2f59 100644 --- a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 +++ b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -339,6 +339,7 @@ sync_api: # address of the client. This is likely required if Dendrite is running behind # a reverse proxy server. # real_ip_header: X-Real-IP + real_ip_header: {{ matrix_dendrite_sync_api_real_ip_header|to_json }} # Configuration for the User API. user_api: From 61c0930325a6f064483bfebb2b05f6f47eb29b50 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 4 Jan 2022 17:31:37 +0200 Subject: [PATCH 099/144] Suppress output for ExecStartPre/ExecStop commands This brings matrix-dendrite.service in line with all the other services. --- .../dendrite/systemd/matrix-dendrite.service.j2 | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 index 4c357fd19..e14734dd7 100644 --- a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 +++ b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 @@ -13,8 +13,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dendrite -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dendrite +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dendrite 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dendrite 2>/dev/null' {% if 'matrix-postgres.service' in matrix_dendrite_systemd_required_services_list %} # Dendrite is too quick to start in relation to its matrix-postgres dependency. @@ -53,9 +53,9 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \ {% endif %} {{ matrix_dendrite_process_extra_arguments|join(' ') }} -ExecStop=-{{ matrix_host_command_docker }} kill matrix-dendrite -ExecStop=-{{ matrix_host_command_docker }} rm matrix-dendrite -ExecReload={{ matrix_host_command_docker }} exec matrix-dendrite kill -HUP 1 +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dendrite 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dendrite 2>/dev/null' +ExecReload={{ matrix_host_command_docker }} exec matrix-dendrite /bin/sh -c 'kill -HUP 1' Restart=always RestartSec=30 SyslogIdentifier=matrix-dendrite From 90c9801c560b66dcbc3e3dda91ce45d3a874022e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 4 Jan 2022 17:32:06 +0200 Subject: [PATCH 100/144] Use ExecStopPost instead of ExecStop This is the equivalent of b1b4ba501fdfaa43 for the matrix-dendrite role. --- .../templates/dendrite/systemd/matrix-dendrite.service.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 index e14734dd7..7592fca8a 100644 --- a/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 +++ b/roles/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 @@ -53,8 +53,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dendrite \ {% endif %} {{ matrix_dendrite_process_extra_arguments|join(' ') }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dendrite 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dendrite 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dendrite 2>/dev/null' +ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dendrite 2>/dev/null' ExecReload={{ matrix_host_command_docker }} exec matrix-dendrite /bin/sh -c 'kill -HUP 1' Restart=always RestartSec=30 From 139c574cdbbbed4e2642500eb2ec618a5c0a63ee Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Jan 2022 12:40:56 +0200 Subject: [PATCH 101/144] Move checks from unused validate_config.yml file elsewhere --- roles/matrix-base/tasks/sanity_check.yml | 8 ++++++-- roles/matrix-base/tasks/validate_config.yml | 10 ---------- 2 files changed, 6 insertions(+), 12 deletions(-) delete mode 100644 roles/matrix-base/tasks/validate_config.yml diff --git a/roles/matrix-base/tasks/sanity_check.yml b/roles/matrix-base/tasks/sanity_check.yml index 298a994c1..f78510d77 100644 --- a/roles/matrix-base/tasks/sanity_check.yml +++ b/roles/matrix-base/tasks/sanity_check.yml @@ -39,9 +39,11 @@ msg: | The `matrix_homeserver_generic_secret_key` variable must be defined and have a non-null and non-empty value. - If you're seeing this error on an existing homeserver installation, you can fix it easily this error by adding + If you're observing this error on a new installation, you should ensure that the `matrix_homeserver_generic_secret_key` is defined. + + If you're observing this error on an existing homeserver installation, you can fix it easily and in a backward-compatible way by adding `{% raw %}matrix_homeserver_generic_secret_key: "{{ matrix_synapse_macaroon_secret_key }}"{% endraw %}` - to your vars.yml file. Using another secret for the new variable is also possible and shouldn't cause any trouble. + to your `vars.yml` file. Using another secret value for the new variable is also possible and shouldn't cause any trouble. when: "matrix_homeserver_generic_secret_key is none or matrix_homeserver_generic_secret_key == ''" - name: Fail if required variables are undefined @@ -51,6 +53,8 @@ - {'var': matrix_domain, 'value': "{{ matrix_domain|default('') }}"} - {'var': matrix_server_fqn_matrix, 'value': "{{ matrix_server_fqn_matrix|default('') }}"} - {'var': matrix_server_fqn_element, 'value': "{{ matrix_server_fqn_element|default('') }}"} + - {'var': matrix_homeserver_container_url, 'value': "{{ matrix_homeserver_container_url|default('') }}"} + - {'var': matrix_homeserver_container_federation_url, 'value': "{{ matrix_homeserver_container_federation_url|default('') }}"} when: "item.value is none or item.value == ''" - name: Fail if uppercase domain used diff --git a/roles/matrix-base/tasks/validate_config.yml b/roles/matrix-base/tasks/validate_config.yml deleted file mode 100644 index 84ef2f064..000000000 --- a/roles/matrix-base/tasks/validate_config.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- - -- name: Fail if required Matrix Base settings not defined - fail: - msg: >- - You need to define a required configuration setting (`{{ item }}`) for using this playbook. - when: "vars[item] == ''" - with_items: - - "matrix_homeserver_container_url" - - "matrix_homeserver_container_federation_url" From 0f59c4056ed027c6f497c7bbf5525aaf6ae1d614 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Jan 2022 13:32:43 +0200 Subject: [PATCH 102/144] Set up well-known when invoked with the setup-dendrite tag --- roles/matrix-base/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-base/tasks/main.yml b/roles/matrix-base/tasks/main.yml index 4af3564ca..f9db37b3e 100644 --- a/roles/matrix-base/tasks/main.yml +++ b/roles/matrix-base/tasks/main.yml @@ -31,4 +31,5 @@ - setup-all - setup-ma1sd - setup-synapse + - setup-dendrite - setup-nginx-proxy From 134c617f34a9b436bc8d6981d84b120c38650b13 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Jan 2022 15:13:13 +0200 Subject: [PATCH 103/144] Update README --- README.md | 2 ++ docs/container-images.md | 2 ++ 2 files changed, 4 insertions(+) diff --git a/README.md b/README.md index 63875c5ea..af02a3b0a 100644 --- a/README.md +++ b/README.md @@ -19,6 +19,8 @@ Using this playbook, you can get the following services configured on your serve - (optional, default) a [Synapse](https://github.com/matrix-org/synapse) homeserver - storing your data and managing your presence in the [Matrix](http://matrix.org/) network +- (optional) a [Dendrite](https://github.com/matrix-org/dendrite) homeserver - storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Dendrite is a second-generation Matrix homeserver written in Go, an alternative to Synapse. + - (optional) [Amazon S3](https://aws.amazon.com/s3/) storage for Synapse's content repository (`media_store`) files using [Goofys](https://github.com/kahing/goofys) - (optional, default) [PostgreSQL](https://www.postgresql.org/) database for Synapse. [Using an external PostgreSQL server](docs/configuring-playbook-external-postgres.md) is also possible. diff --git a/docs/container-images.md b/docs/container-images.md index 9be487363..cf680d217 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -30,6 +30,8 @@ These services are enabled and used by default, but you can turn them off, if yo These services are not part of our default installation, but can be enabled by [configuring the playbook](configuring-playbook.md) (either before the initial installation or any time later): +- [matrixdotorg/dendrite-monolith](https://hub.docker.com/r/matrixdotorg/dendrite-monolith/) - the official [Dendrite](https://github.com/matrix-org/dendrite) Matrix homeserver (optional) + - [ewoutp/goofys](https://hub.docker.com/r/ewoutp/goofys/) - the [Goofys](https://github.com/kahing/goofys) Amazon [S3](https://aws.amazon.com/s3/) file-system-mounting program (optional) - [etherpad/etherpad](https://hub.docker.com/r/etherpad/etherpad/) - the [Etherpad](https://etherpad.org) realtime collaborative text editor that can be used in a Jitsi audio/video call or integrated as a widget into Matrix chat rooms via the Dimension integration manager (optional) From 5e2f4564bbfc4572832068f564a858f14a1406a4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Jan 2022 15:58:36 +0200 Subject: [PATCH 104/144] Announce Dendrite support Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/818 --- CHANGELOG.md | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7f6dcc35d..5fd3d30f0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,40 @@ # 2022-01-07 +## Dendrite support + +**Existing (Synapse) installations need to be updated**, see below. + +[Jip J. Dekker](https://github.com/Dekker1) did the initial [work of adding Dendrite support](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/818) to the playbook back in January 2021. Lots of work (and time) later, Dendrite support is finally ready for testing. + +We believe that 2022 will be the year of the non-Synapse Matrix server! + +The playbook was previously quite [Synapse](https://github.com/matrix-org/synapse)-centric, but can now accommodate multiple homeserver implementations. Only one homeserver implementation can be active (installed) at a given time. + +**Synapse is still the default homeserver implementation** installed by the playbook. A new variable (`matrix_homeserver_implementation`) controls which server implementation is enabled (`synapse` or `dendrite` at the given moment). + +Because the playbook is not so Synapse-centric anymore, a small configuration change is necessary for existing installations to bring them up to date. + +The `vars.yml` file for **existing installations will need to be updated**: + +```yaml +# All secrets keys are now derived from `matrix_homeserver_generic_secret_key`, not from `matrix_synapse_macaroon_secret_key`. +# To keep them all the same, define `matrix_homeserver_generic_secret_key` in terms of `matrix_synapse_macaroon_secret_key`. +# Using a new secret value for this configuration key is also possible and should not cause any problems. +# +# Fun fact: new installations (based on the new `examples/vars.yml` file) do this in reverse. +# That is, the Synapse macaroon secret is derived from `matrix_homeserver_generic_secret_key`. +matrix_homeserver_generic_secret_key: "{{ matrix_synapse_macaroon_secret_key }}" +``` + +Finally, **to try out Dendrite**, we recommend that you **use a new server** and the following addition to your `vars.yml` configuration: + +```yaml +matrix_homeserver_implementation: dendrite +``` + +We're excited to gain support for other homeserver implementations, like [Conduit](https://conduit.rs/), etc! + + ## Honoroit bot support Thanks to [Aine](https://gitlab.com/etke.cc) of [etke.cc](https://etke.cc/), the playbook can now help you set up [Honoroit](https://gitlab.com/etke.cc/honoroit) - a helpdesk bot. From 6cedeb094ce4a90cd1ddcf8ba3ca43ec82759d6b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Jan 2022 16:23:32 +0200 Subject: [PATCH 105/144] Mention inability to migrate between homeserver implementation --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5fd3d30f0..570d992ed 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -32,6 +32,8 @@ Finally, **to try out Dendrite**, we recommend that you **use a new server** and matrix_homeserver_implementation: dendrite ``` +**The homeserver implementation of an existing server cannot be changed** (e.g. from Synapse to Dendrite) without data loss. + We're excited to gain support for other homeserver implementations, like [Conduit](https://conduit.rs/), etc! From 425a56c94eda90a18f1ad31bda11e69011fb6b51 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Jan 2022 16:27:15 +0200 Subject: [PATCH 106/144] Link to Dendrite repository from changelog entry --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 570d992ed..3fc0e741d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ **Existing (Synapse) installations need to be updated**, see below. -[Jip J. Dekker](https://github.com/Dekker1) did the initial [work of adding Dendrite support](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/818) to the playbook back in January 2021. Lots of work (and time) later, Dendrite support is finally ready for testing. +[Jip J. Dekker](https://github.com/Dekker1) did the [initial work](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/818) of adding [Dendrite](https://github.com/matrix-org/dendrite) support to the playbook back in January 2021. Lots of work (and time) later, Dendrite support is finally ready for testing. We believe that 2022 will be the year of the non-Synapse Matrix server! From 19b5a50805c20ef01fc605505f19a7abea1f195a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 8 Jan 2022 09:08:55 +0200 Subject: [PATCH 107/144] Derive Honoroit database password from matrix_homeserver_generic_secret_key Related to the work done in https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/818 --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 57319eba0..0696b148c 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -982,7 +982,7 @@ matrix_bot_honoroit_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_bot_honoroit_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_bot_honoroit_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'honoroit.bot.db') | to_uuid }}" +matrix_bot_honoroit_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'honoroit.bot.db') | to_uuid }}" matrix_bot_honoroit_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" ###################################################################### From 7b093c5ae00bb6ce6e60867a839e5494422f4ba2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 8 Jan 2022 09:11:22 +0200 Subject: [PATCH 108/144] Move some variables to a more appropriate location --- group_vars/matrix_servers | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 0696b148c..3be4e6acd 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -37,6 +37,9 @@ matrix_homeserver_container_federation_url: |- }[matrix_homeserver_implementation] }} +matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}" +matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}" + ###################################################################### # # /matrix-base @@ -1141,9 +1144,6 @@ matrix_dimension_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_ena matrix_dimension_homeserver_federationUrl: "{{ matrix_homeserver_container_federation_url }}" -matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}" -matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}" - matrix_dimension_systemd_required_services_list: | {{ ['docker.service'] From 53dbf2738cc9dcc3cf9f65c4281799a5523f29e8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 8 Jan 2022 09:44:58 +0200 Subject: [PATCH 109/144] Try to improve Dendrite announcement message This is an attempt to address this: https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/dc893485d1a3893dfebd2f55c5a45ddb14e1dd74#commitcomment-63097721 --- CHANGELOG.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3fc0e741d..3b5f1fe0a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,7 @@ ## Dendrite support -**Existing (Synapse) installations need to be updated**, see below. +**TLDR**: We now have optional experimental [Dendrite](https://github.com/matrix-org/dendrite) homeserver support for new installations. **Existing (Synapse) installations need to be updated**, because some internals changed. See [Adapting the configuration for existing Synapse installations](#adapting-the-configuration-for-existing-synapse-installations). [Jip J. Dekker](https://github.com/Dekker1) did the [initial work](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/818) of adding [Dendrite](https://github.com/matrix-org/dendrite) support to the playbook back in January 2021. Lots of work (and time) later, Dendrite support is finally ready for testing. @@ -12,6 +12,8 @@ The playbook was previously quite [Synapse](https://github.com/matrix-org/synaps **Synapse is still the default homeserver implementation** installed by the playbook. A new variable (`matrix_homeserver_implementation`) controls which server implementation is enabled (`synapse` or `dendrite` at the given moment). +### Adapting the configuration for existing Synapse installations + Because the playbook is not so Synapse-centric anymore, a small configuration change is necessary for existing installations to bring them up to date. The `vars.yml` file for **existing installations will need to be updated**: @@ -26,6 +28,8 @@ The `vars.yml` file for **existing installations will need to be updated**: matrix_homeserver_generic_secret_key: "{{ matrix_synapse_macaroon_secret_key }}" ``` +### Trying out Dendrite + Finally, **to try out Dendrite**, we recommend that you **use a new server** and the following addition to your `vars.yml` configuration: ```yaml From 548d495d81d7197df25490424976c1571c7acc5d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 8 Jan 2022 09:46:24 +0200 Subject: [PATCH 110/144] Update CHANGELOG --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3b5f1fe0a..e9f234680 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,7 +16,7 @@ The playbook was previously quite [Synapse](https://github.com/matrix-org/synaps Because the playbook is not so Synapse-centric anymore, a small configuration change is necessary for existing installations to bring them up to date. -The `vars.yml` file for **existing installations will need to be updated**: +The `vars.yml` file for **existing installations will need to be updated** by adding this **additional configuration**: ```yaml # All secrets keys are now derived from `matrix_homeserver_generic_secret_key`, not from `matrix_synapse_macaroon_secret_key`. From 4e4fb98a65474fd058c61a838db6ac312a09e7df Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 8 Jan 2022 14:14:46 +0200 Subject: [PATCH 111/144] Do not install fuse unless necessary Discussed here: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1510 --- .../tasks/server_base/setup_archlinux.yml | 2 -- .../tasks/server_base/setup_centos.yml | 1 - .../tasks/server_base/setup_centos8.yml | 3 +-- .../tasks/server_base/setup_debian.yml | 1 - .../tasks/server_base/setup_raspbian.yml | 1 - .../tasks/util/ensure_fuse_installed.yml | 23 +++++++++++++++++++ .../tasks/goofys/setup_install.yml | 2 ++ 7 files changed, 26 insertions(+), 7 deletions(-) create mode 100644 roles/matrix-base/tasks/util/ensure_fuse_installed.yml diff --git a/roles/matrix-base/tasks/server_base/setup_archlinux.yml b/roles/matrix-base/tasks/server_base/setup_archlinux.yml index d08cafc0a..6c5cdff82 100644 --- a/roles/matrix-base/tasks/server_base/setup_archlinux.yml +++ b/roles/matrix-base/tasks/server_base/setup_archlinux.yml @@ -4,8 +4,6 @@ pacman: name: - python-docker - # TODO This needs to be verified. Which version do we need? - - fuse3 - python-dnspython state: latest update_cache: yes diff --git a/roles/matrix-base/tasks/server_base/setup_centos.yml b/roles/matrix-base/tasks/server_base/setup_centos.yml index 07776d7f6..cbf7fbc6c 100644 --- a/roles/matrix-base/tasks/server_base/setup_centos.yml +++ b/roles/matrix-base/tasks/server_base/setup_centos.yml @@ -21,7 +21,6 @@ yum: name: - "{{ matrix_ntpd_package }}" - - fuse state: latest update_cache: yes diff --git a/roles/matrix-base/tasks/server_base/setup_centos8.yml b/roles/matrix-base/tasks/server_base/setup_centos8.yml index 01666197b..e6127f470 100644 --- a/roles/matrix-base/tasks/server_base/setup_centos8.yml +++ b/roles/matrix-base/tasks/server_base/setup_centos8.yml @@ -28,7 +28,6 @@ yum: name: - "{{ matrix_ntpd_package }}" - - fuse state: latest update_cache: yes @@ -44,4 +43,4 @@ pip: name: docker-py state: latest - when: matrix_docker_installation_enabled|bool \ No newline at end of file + when: matrix_docker_installation_enabled|bool diff --git a/roles/matrix-base/tasks/server_base/setup_debian.yml b/roles/matrix-base/tasks/server_base/setup_debian.yml index 37706d1f9..1cd7ac41d 100644 --- a/roles/matrix-base/tasks/server_base/setup_debian.yml +++ b/roles/matrix-base/tasks/server_base/setup_debian.yml @@ -29,7 +29,6 @@ apt: name: - "{{ matrix_ntpd_package }}" - - fuse state: latest update_cache: yes diff --git a/roles/matrix-base/tasks/server_base/setup_raspbian.yml b/roles/matrix-base/tasks/server_base/setup_raspbian.yml index 421905a0d..4aed3c767 100644 --- a/roles/matrix-base/tasks/server_base/setup_raspbian.yml +++ b/roles/matrix-base/tasks/server_base/setup_raspbian.yml @@ -29,7 +29,6 @@ apt: name: - "{{ matrix_ntpd_package }}" - - fuse state: latest update_cache: yes diff --git a/roles/matrix-base/tasks/util/ensure_fuse_installed.yml b/roles/matrix-base/tasks/util/ensure_fuse_installed.yml new file mode 100644 index 000000000..948c60825 --- /dev/null +++ b/roles/matrix-base/tasks/util/ensure_fuse_installed.yml @@ -0,0 +1,23 @@ + +# This is for both CentOS 7 and 8 +- name: Ensure fuse installed (CentOS) + yum: + name: + - fuse + state: latest + when: ansible_distribution == 'CentOS' + +# This is for both Debian and Raspbian +- name: Ensure fuse installed (Debian/Raspbian) + apt: + name: + - fuse + state: latest + when: ansible_os_family == 'Debian' + +- name: Ensure fuse installed (Archlinux) + pacman: + name: + - fuse3 + state: latest + when: ansible_distribution == 'Archlinux' diff --git a/roles/matrix-synapse/tasks/goofys/setup_install.yml b/roles/matrix-synapse/tasks/goofys/setup_install.yml index b5e956148..147efabfd 100644 --- a/roles/matrix-synapse/tasks/goofys/setup_install.yml +++ b/roles/matrix-synapse/tasks/goofys/setup_install.yml @@ -1,3 +1,5 @@ +- import_tasks: "{{ role_path }}/../matrix-base/tasks/util/ensure_fuse_installed.yml" + - name: Ensure Goofys Docker image is pulled docker_image: name: "{{ matrix_s3_goofys_docker_image }}" From 817d6833bfc0c5b6d618840d3120098cadbe7855 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 8 Jan 2022 20:06:59 +0200 Subject: [PATCH 112/144] Try to fix self-building for honoroit (fix incorrect Dockerfile path) Hopefully fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1518 --- roles/matrix-bot-honoroit/tasks/setup_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bot-honoroit/tasks/setup_install.yml b/roles/matrix-bot-honoroit/tasks/setup_install.yml index 76eeb0065..0d2d325bf 100644 --- a/roles/matrix-bot-honoroit/tasks/setup_install.yml +++ b/roles/matrix-bot-honoroit/tasks/setup_install.yml @@ -68,7 +68,7 @@ force_source: "{{ matrix_bot_honoroit_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" build: - dockerfile: docker/Dockerfile + dockerfile: Dockerfile path: "{{ matrix_bot_honoroit_docker_src_files_path }}" pull: yes when: "matrix_bot_honoroit_container_image_self_build|bool" From 27a4871aea5c5d87c165b93a02b19c3a59db3c8d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 9 Jan 2022 12:14:23 +0200 Subject: [PATCH 113/144] Fix variable name typo --- .../tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml index d4aab6e45..e820b0edb 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml @@ -21,7 +21,7 @@ - name: Wait some time, so that the required service for obtaining can start wait_for: - timeout: "{{ matrix_ssl_service_to_start_before_obtaining_start_wait_time_seconds }}" + timeout: "{{ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds }}" when: "matrix_ssl_pre_obtaining_required_service_start_result.changed|bool" when: "domain_name_needs_cert|bool and matrix_ssl_pre_obtaining_required_service_name != ''" From b50494e5b3016091a2df3fa566019fbe5575181f Mon Sep 17 00:00:00 2001 From: HarHarLinks Date: Wed, 5 Jan 2022 21:12:22 +0100 Subject: [PATCH 114/144] pin appservice-webhooks version v1.0.2-01 --- roles/matrix-bridge-appservice-webhooks/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index 22f680402..32b0cbba7 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml @@ -8,7 +8,7 @@ matrix_appservice_webhooks_container_image_self_build_repo: "https://github.com/ matrix_appservice_webhooks_container_image_self_build_repo_version: "{{ 'master' if matrix_appservice_webhooks_version == 'latest' else matrix_appservice_webhooks_version }}" matrix_appservice_webhooks_container_image_self_build_repo_dockerfile_path: "Dockerfile" -matrix_appservice_webhooks_version: latest +matrix_appservice_webhooks_version: v1.0.2-01 matrix_appservice_webhooks_docker_image: "{{ matrix_appservice_webhooks_docker_image_name_prefix }}redoonetworks/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}" matrix_appservice_webhooks_docker_image_name_prefix: "{{ 'localhost/' if matrix_appservice_webhooks_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_appservice_webhooks_docker_image_force_pull: "{{ matrix_appservice_webhooks_docker_image.endswith(':latest') }}" From 4377c348c56f4ee070265f5d4ace3c6ff0a9b471 Mon Sep 17 00:00:00 2001 From: Aine Date: Sun, 9 Jan 2022 17:46:47 +0200 Subject: [PATCH 115/144] matrix-bot-honoroit: disable self-build by default, update to v0.9.1 --- group_vars/matrix_servers | 2 +- roles/matrix-bot-honoroit/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 3be4e6acd..cfd2e74b5 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -986,7 +986,7 @@ matrix_bot_honoroit_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_bot_honoroit_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" matrix_bot_honoroit_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'honoroit.bot.db') | to_uuid }}" -matrix_bot_honoroit_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" +matrix_bot_honoroit_container_image_self_build: false ###################################################################### # diff --git a/roles/matrix-bot-honoroit/defaults/main.yml b/roles/matrix-bot-honoroit/defaults/main.yml index 4e3628f9b..0b868a942 100644 --- a/roles/matrix-bot-honoroit/defaults/main.yml +++ b/roles/matrix-bot-honoroit/defaults/main.yml @@ -7,7 +7,7 @@ matrix_bot_honoroit_container_image_self_build: false matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git" matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src" -matrix_bot_honoroit_version: v0.9.0 +matrix_bot_honoroit_version: v0.9.1 matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}honoroit:{{ matrix_bot_honoroit_version }}" matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}" matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}" From a83b880f72b290a5640e77b80852803d1120531d Mon Sep 17 00:00:00 2001 From: Aine Date: Sun, 9 Jan 2022 18:49:41 +0200 Subject: [PATCH 116/144] matrix-bot-honoroit: feedback --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index cfd2e74b5..32b0d3a8a 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -986,7 +986,7 @@ matrix_bot_honoroit_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_bot_honoroit_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" matrix_bot_honoroit_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'honoroit.bot.db') | to_uuid }}" -matrix_bot_honoroit_container_image_self_build: false +matrix_bot_honoroit_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}" ###################################################################### # From e72ecf2c650d12233734b84d2fffb671e0e30ec5 Mon Sep 17 00:00:00 2001 From: PC-Admin Date: Sun, 9 Jan 2022 10:50:44 +0800 Subject: [PATCH 117/144] update new variable for matrix-awx, update documentation --- docs/configuring-awx-system.md | 14 ++++------- roles/matrix-awx/tasks/main.yml | 4 ++-- roles/matrix-awx/tasks/rename_variables.yml | 8 ------- roles/matrix-awx/tasks/update_variables.yml | 26 +++++++++++++++++++++ 4 files changed, 32 insertions(+), 20 deletions(-) delete mode 100644 roles/matrix-awx/tasks/rename_variables.yml create mode 100644 roles/matrix-awx/tasks/update_variables.yml diff --git a/docs/configuring-awx-system.md b/docs/configuring-awx-system.md index f455f0587..c33664c2b 100644 --- a/docs/configuring-awx-system.md +++ b/docs/configuring-awx-system.md @@ -4,7 +4,7 @@ An AWX setup for managing multiple Matrix servers. This section is used in an AWX system that can create and manage multiple [Matrix](http://matrix.org/) servers. You can issue members an AWX login to their own 'organisation', which they can use to manage/configure 1 to N servers. -Members can be assigned a server from Digitalocean, or they can connect their own on-premises server. This script is free to use in a commercial context with the 'MemberPress Plus' and 'WP Oauth Sever' addons. It can also be run in a non-commercial context. +Members can be assigned a server from Digitalocean, or they can connect their own on-premises server. These playbooks are free to use in a commercial context with the 'MemberPress Plus' plugin. They can also be run in a non-commercial context. The AWX system is arranged into 'members' each with their own 'subscriptions'. After creating a subscription the user enters the 'provision stage' where they defined the URLs they will use, the servers location and whether or not there's already a website at the base domain. They then proceed onto the 'deploy stage' where they can configure their Matrix server. @@ -21,12 +21,7 @@ The following repositories allow you to copy and use this setup: [Ansible Provision Server](https://gitlab.com/GoMatrixHosting/ansible-provision-server) - Used by AWX members to perform initial configuration of their DigitalOcean or On-Premises server. - -## Testing Fork For This Playbook - -Updates to this section are trailed here: - -[GoMatrixHosting Matrix Docker Ansible Deploy](https://gitlab.com/GoMatrixHosting/matrix-docker-ansible-deploy) +[GMHosting External Tools](https://gitlab.com/GoMatrixHosting/gmhosting-external-tools) - Extra tools we run outside of AWX, some of which are experimental. ## Does I need an AWX setup to use this? How do I configure it? @@ -38,7 +33,6 @@ For simpler installation steps you can use to get started with this system, chec ## Does I need a front-end WordPress site? And a DigitalOcean account? -You do not need a front-end WordPress site or any of the mentioned WordPress plugins to use this setup. It can be run on it's own in a non-commercial context. - -You also don't need a DigitalOcean account, but this will limit you to only being able to connect 'On-Premises' servers. +You do not need a front-end WordPress site or the MemberPress plugin to use this setup. It can be run on it's own in a non-commercial context. +You also don't need a DigitalOcean account, although this will limit you to only being able to connect 'On-Premises' servers. diff --git a/roles/matrix-awx/tasks/main.yml b/roles/matrix-awx/tasks/main.yml index adc158c7a..6ac39a495 100755 --- a/roles/matrix-awx/tasks/main.yml +++ b/roles/matrix-awx/tasks/main.yml @@ -8,9 +8,9 @@ tags: - always -# Renames the variables if needed +# Renames or updates the vars.yml if needed - include_tasks: - file: "rename_variables.yml" + file: "update_variables.yml" apply: tags: always when: run_setup|bool and matrix_awx_enabled|bool diff --git a/roles/matrix-awx/tasks/rename_variables.yml b/roles/matrix-awx/tasks/rename_variables.yml deleted file mode 100644 index e664325f9..000000000 --- a/roles/matrix-awx/tasks/rename_variables.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- - -- name: Rename synapse presence variable - delegate_to: 127.0.0.1 - replace: - path: "/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml" - regexp: 'matrix_synapse_use_presence' - replace: 'matrix_synapse_presence_enabled' diff --git a/roles/matrix-awx/tasks/update_variables.yml b/roles/matrix-awx/tasks/update_variables.yml new file mode 100644 index 000000000..9818a9c21 --- /dev/null +++ b/roles/matrix-awx/tasks/update_variables.yml @@ -0,0 +1,26 @@ +--- + +- name: Rename synapse presence variable + delegate_to: 127.0.0.1 + replace: + path: "/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml" + regexp: 'matrix_synapse_use_presence' + replace: 'matrix_synapse_presence_enabled' + +- name: Generate matrix_homeserver_generic_secret_key variable + delegate_to: 127.0.0.1 + command: | + openssl rand -hex 16 + register: generic_secret + no_log: True + when: ( matrix_homeserver_generic_secret_key is undefined ) or ( matrix_homeserver_generic_secret_key | length == 0 ) + +- name: Add new matrix_homeserver_generic_secret_key variable + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + line: "matrix_homeserver_generic_secret_key: {{ generic_secret.stdout }}" + insertbefore: '# Basic Settings End' + mode: '0600' + state: present + when: ( matrix_homeserver_generic_secret_key is undefined ) or ( matrix_homeserver_generic_secret_key | length == 0 ) From ac6049516632a15dbff43c14c4e831d3c03ae6c9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 10 Jan 2022 08:40:18 +0200 Subject: [PATCH 118/144] Get rid of broken CI (ansible-lint) Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1488 Discussed here: - https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1522#issuecomment-1008381512 - https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1524#issuecomment-1008477510 --- .github/workflows/ansible-lint.yml | 22 ---------------------- 1 file changed, 22 deletions(-) delete mode 100644 .github/workflows/ansible-lint.yml diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml deleted file mode 100644 index 2f103ff79..000000000 --- a/.github/workflows/ansible-lint.yml +++ /dev/null @@ -1,22 +0,0 @@ -name: Ansible Lint - -on: [push, pull_request] - -jobs: - build: - - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - - name: Lint Ansible Playbook - uses: ansible/ansible-lint-action@c37fb7b4bda2c8cb18f4942716bae9f11b0dc9bc - with: - # Paths to ansible files (i.e., playbooks, tasks, handlers etc..) - targets: "./" - - override-deps: | - ansible-lint==5.3.1 - - args: "-x metadata, formatting" From 29bc22a085b5117442dcafc267fcc270e6ed6edd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 10 Jan 2022 11:51:57 +0200 Subject: [PATCH 119/144] Add matrix_nginx_proxy_container_additional_networks Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1498 --- roles/matrix-nginx-proxy/defaults/main.yml | 9 +++++++++ .../templates/systemd/matrix-nginx-proxy.service.j2 | 4 ++++ 2 files changed, 13 insertions(+) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 1feea6b71..8c57928f8 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -19,6 +19,15 @@ matrix_nginx_proxy_systemd_required_services_list: ['docker.service'] # List of systemd services that matrix-nginx-proxy.service wants matrix_nginx_proxy_systemd_wanted_services_list: [] +# A list of additional container networks that matrix-nginx-proxy would be connected to. +# The playbook does not create these networks, so make sure they already exist. +# +# Use this to expose matrix-nginx-proxy to another reverse proxy, which runs in a different container network, +# without exposing all other Matrix services to that other reverse-proxy. +# +# For background, see: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1498 +matrix_nginx_proxy_container_additional_networks: [] + # A list of additional "volumes" to mount in the container. # This list gets populated dynamically at runtime. You can provide a different default value, # if you wish to mount your own files into the container. diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index 744b3924a..03bc32afb 100755 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -47,6 +47,10 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \ {% endfor %} {{ matrix_nginx_proxy_docker_image }} +{% for network in matrix_nginx_proxy_container_additional_networks %} +ExecStartPost={{ matrix_host_command_sh }} -c 'attempt=0; while [ $attempt -le 29 ]; do attempt=$(( $attempt + 1 )); if [ "`docker inspect -f {{ '{{.State.Running}}' }} matrix-nginx-proxy 2> /dev/null`" = "true" ]; then break; fi; sleep 1; done; {{ matrix_host_command_docker }} network connect {{ network }} matrix-nginx-proxy' +{% endfor %} + ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-nginx-proxy 2>/dev/null' ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-nginx-proxy 2>/dev/null' ExecReload={{ matrix_host_command_docker }} exec matrix-nginx-proxy /usr/sbin/nginx -s reload From ac515b7f0953fbe03ca72323289a8eb0076a7695 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 10 Jan 2022 15:11:14 +0200 Subject: [PATCH 120/144] Fix incorrect variables being used --- roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml index bc6331ac6..1a9b29154 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml @@ -30,7 +30,7 @@ name: "{{ matrix_mautrix_signal_docker_image }}" source: build force_source: "{{ matrix_mautrix_signal_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mautrix_signal_docker_src_files_path }}" @@ -60,7 +60,7 @@ name: "{{ matrix_mautrix_signal_daemon_docker_image }}" source: build force_source: "{{ matrix_mautrix_signal_daemon_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_daemon_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mautrix_signal_daemon_docker_src_files_path }}" From ad00875a6db1a0af1862fe5b1c413e28b708664c Mon Sep 17 00:00:00 2001 From: Kim Brose Date: Mon, 10 Jan 2022 16:21:39 +0100 Subject: [PATCH 121/144] Update configuring-playbook-dimension.md --- docs/configuring-playbook-dimension.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md index 69ed7aa7e..b938a6a32 100644 --- a/docs/configuring-playbook-dimension.md +++ b/docs/configuring-playbook-dimension.md @@ -58,7 +58,7 @@ curl -X POST --header 'Content-Type: application/json' -d '{ "type": "m.login.password" }' 'https://matrix.YOURDOMAIN/_matrix/client/r0/login' ``` -*Change the "YourDimensionUser/Pass" URL accordigly* +*Change `YourDimensionUsername`, `YourDimensionPassword`, and `YOURDOMAIN` accordingly.* **Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone.** From 0fb881deb578a37ba9c3fcfc966a2282aa33d3fe Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 11 Jan 2022 08:29:11 +0200 Subject: [PATCH 122/144] Update the "wanted systemd services" list for matrix-nginx-proxy/matrix-grafana Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1517 --- group_vars/matrix_servers | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 32b0d3a8a..af84d5d92 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1467,7 +1467,21 @@ matrix_nginx_proxy_systemd_wanted_services_list: | + (['matrix-ma1sd.service'] if matrix_ma1sd_enabled else []) + + (['matrix-client-cinny.service'] if matrix_client_cinny_enabled else []) + + (['matrix-client-element.service'] if matrix_client_element_enabled else []) + + + (['matrix-client-hydrogen.service'] if matrix_client_hydrogen_enabled else []) + + + (['matrix-grafana.service'] if matrix_grafana_enabled else []) + + + (['matrix-dimension.service'] if matrix_dimension_enabled else []) + + + (['matrix-sygnal.service'] if matrix_sygnal_enabled else []) + + + (['matrix-jitsi.service'] if matrix_jitsi_enabled else []) + + + (['matrix-bot-go-neb.service'] if matrix_bot_go_neb_enabled else []) }} matrix_ssl_domains_to_obtain_certificates_for: | @@ -2129,6 +2143,12 @@ matrix_grafana_dashboard_download_urls_all: | (matrix_prometheus_postgres_exporter_dashboard_urls if matrix_prometheus_postgres_exporter_enabled else []) }} +matrix_grafana_systemd_wanted_services_list: | + {{ + [] + + + (['matrix-prometheus-postgres-exporter.service'] if matrix_prometheus_postgres_exporter_enabled else []) + }} ###################################################################### # From 037bde73a65af2e097d4c470b82d1ed064398b02 Mon Sep 17 00:00:00 2001 From: Toni Spets Date: Fri, 14 Jan 2022 11:53:03 +0200 Subject: [PATCH 123/144] Upgrade Heisenbridge (1.9.0 -> 1.10.0) --- roles/matrix-bridge-heisenbridge/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-heisenbridge/defaults/main.yml b/roles/matrix-bridge-heisenbridge/defaults/main.yml index 5d393a810..6772c364e 100644 --- a/roles/matrix-bridge-heisenbridge/defaults/main.yml +++ b/roles/matrix-bridge-heisenbridge/defaults/main.yml @@ -3,7 +3,7 @@ matrix_heisenbridge_enabled: true -matrix_heisenbridge_version: 1.9.0 +matrix_heisenbridge_version: 1.10.0 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}" matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}" From 49342bd3a7b72937f97d01bb70d7d14582437cac Mon Sep 17 00:00:00 2001 From: IUCCA <33322841+IUCCA@users.noreply.github.com> Date: Fri, 14 Jan 2022 11:29:18 +0100 Subject: [PATCH 124/144] added writable /tmp directory --- .../templates/systemd/matrix-mautrix-signal.service.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 index 244e2a481..0d3eb9b80 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 @@ -26,6 +26,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-signal --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ + --tmpfs /tmp \ {% if matrix_mautrix_signal_container_http_host_bind_port %} -p {{ matrix_mautrix_signal_container_http_host_bind_port }}:29328 \ {% endif %} From 02c1756135403733410222f32adbaa6061da8e27 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 14 Jan 2022 19:31:30 +0000 Subject: [PATCH 125/144] Upgrade Hydrogen (0.2.19 -> 0.2.23) --- roles/matrix-client-hydrogen/defaults/main.yml | 2 +- roles/matrix-client-hydrogen/tasks/setup_install.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-client-hydrogen/defaults/main.yml b/roles/matrix-client-hydrogen/defaults/main.yml index 4ca2224bd..61db1ba2a 100644 --- a/roles/matrix-client-hydrogen/defaults/main.yml +++ b/roles/matrix-client-hydrogen/defaults/main.yml @@ -5,7 +5,7 @@ matrix_client_hydrogen_enabled: true matrix_client_hydrogen_container_image_self_build: true matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git" -matrix_client_hydrogen_version: v0.2.19 +matrix_client_hydrogen_version: v0.2.23 matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}" matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-client-hydrogen/tasks/setup_install.yml b/roles/matrix-client-hydrogen/tasks/setup_install.yml index b512a1a81..2f949927d 100644 --- a/roles/matrix-client-hydrogen/tasks/setup_install.yml +++ b/roles/matrix-client-hydrogen/tasks/setup_install.yml @@ -32,7 +32,7 @@ - name: Ensure Hydrogen configuration installed copy: content: "{{ matrix_client_hydrogen_configuration|to_nice_json }}" - dest: "{{ matrix_client_hydrogen_docker_src_files_path }}/assets/config.json" + dest: "{{ matrix_client_hydrogen_docker_src_files_path }}/src/platform/web/assets/config.json" mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" From cba605a8b7a4aab6706e6167119d3394cba49256 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 15 Jan 2022 09:06:10 +0200 Subject: [PATCH 126/144] Fix go-neb sample configuration to not clash with Jinja2 Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1544 --- docs/configuring-playbook-bot-go-neb.md | 4 ++-- roles/matrix-bot-go-neb/defaults/main.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/configuring-playbook-bot-go-neb.md b/docs/configuring-playbook-bot-go-neb.md index ab84e0174..33ce4dd31 100644 --- a/docs/configuring-playbook-bot-go-neb.md +++ b/docs/configuring-playbook-bot-go-neb.md @@ -198,8 +198,8 @@ matrix_bot_go_neb_services: # Each room will get the notification with the alert rendered with the given template rooms: "!someroomid:domain.tld": - text_template: "{{range .Alerts -}} [{{ .Status }}] {{index .Labels \"alertname\" }}: {{index .Annotations \"description\"}} {{ end -}}" - html_template: "{{range .Alerts -}} {{ $severity := index .Labels \"severity\" }} {{ if eq .Status \"firing\" }} {{ if eq $severity \"critical\"}} [FIRING - CRITICAL] {{ else if eq $severity \"warning\"}} [FIRING - WARNING] {{ else }} [FIRING - {{ $severity }}] {{ end }} {{ else }} [RESOLVED] {{ end }} {{ index .Labels \"alertname\"}} : {{ index .Annotations \"description\"}} source
{{end -}}" + text_template: "{% raw %}{{range .Alerts -}} [{{ .Status }}] {{index .Labels \"alertname\" }}: {{index .Annotations \"description\"}} {{ end -}}{% endraw %}" + html_template: "{% raw %}{{range .Alerts -}} {{ $severity := index .Labels \"severity\" }} {{ if eq .Status \"firing\" }} {{ if eq $severity \"critical\"}} [FIRING - CRITICAL] {{ else if eq $severity \"warning\"}} [FIRING - WARNING] {{ else }} [FIRING - {{ $severity }}] {{ end }} {{ else }} [RESOLVED] {{ end }} {{ index .Labels \"alertname\"}} : {{ index .Annotations \"description\"}} source
{{end -}}{% endraw %}" msg_type: "m.text" # Must be either `m.text` or `m.notice` ``` diff --git a/roles/matrix-bot-go-neb/defaults/main.yml b/roles/matrix-bot-go-neb/defaults/main.yml index 4dd4f1f66..c5a1f6365 100644 --- a/roles/matrix-bot-go-neb/defaults/main.yml +++ b/roles/matrix-bot-go-neb/defaults/main.yml @@ -203,8 +203,8 @@ matrix_bot_go_neb_services: [] # # Each room will get the notification with the alert rendered with the given template # rooms: # "!someroomid:domain.tld": -# text_template: "{{range .Alerts -}} [{{ .Status }}] {{index .Labels \"alertname\" }}: {{index .Annotations \"description\"}} {{ end -}}" -# html_template: "{{range .Alerts -}} {{ $severity := index .Labels \"severity\" }} {{ if eq .Status \"firing\" }} {{ if eq $severity \"critical\"}} [FIRING - CRITICAL] {{ else if eq $severity \"warning\"}} [FIRING - WARNING] {{ else }} [FIRING - {{ $severity }}] {{ end }} {{ else }} [RESOLVED] {{ end }} {{ index .Labels \"alertname\"}} : {{ index .Annotations \"description\"}} source
{{end -}}" +# text_template: "{% raw %}{{range .Alerts -}} [{{ .Status }}] {{index .Labels \"alertname\" }}: {{index .Annotations \"description\"}} {{ end -}}{% endraw %}" +# html_template: "{% raw %}{{range .Alerts -}} {{ $severity := index .Labels \"severity\" }} {{ if eq .Status \"firing\" }} {{ if eq $severity \"critical\"}} [FIRING - CRITICAL] {{ else if eq $severity \"warning\"}} [FIRING - WARNING] {{ else }} [FIRING - {{ $severity }}] {{ end }} {{ else }} [RESOLVED] {{ end }} {{ index .Labels \"alertname\"}} : {{ index .Annotations \"description\"}} source
{{end -}}{% endraw %}" # msg_type: "m.text" # Must be either `m.text` or `m.notice` # Default configuration template which covers the generic use case. From b0b88242f2a35b81bf388569f5a075baab42bd36 Mon Sep 17 00:00:00 2001 From: GoliathLabs Date: Sat, 15 Jan 2022 18:31:07 +0100 Subject: [PATCH 127/144] Updated: ddclient to v3.9.1-ls76 --- roles/matrix-dynamic-dns/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-dynamic-dns/defaults/main.yml b/roles/matrix-dynamic-dns/defaults/main.yml index 3411d0f83..2be1a5ba5 100644 --- a/roles/matrix-dynamic-dns/defaults/main.yml +++ b/roles/matrix-dynamic-dns/defaults/main.yml @@ -4,7 +4,7 @@ matrix_dynamic_dns_enabled: true # The dynamic dns daemon interval matrix_dynamic_dns_daemon_interval: '300' -matrix_dynamic_dns_version: v3.9.1-ls45 +matrix_dynamic_dns_version: v3.9.1-ls76 # The docker container to use when in mode matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}" From be4c93dc2425cc8c96d8cc35c971144555dd2543 Mon Sep 17 00:00:00 2001 From: GoliathLabs Date: Sat, 15 Jan 2022 18:33:44 +0100 Subject: [PATCH 128/144] Updated: version to stable-6726-2 --- roles/matrix-jitsi/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 33dad3885..a36a09fc1 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -68,7 +68,7 @@ matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false -matrix_jitsi_version: stable-6726-1 +matrix_jitsi_version: stable-6726-2 matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}" From 7dffd4417126d20571c8809d3fb3295f9d2af245 Mon Sep 17 00:00:00 2001 From: GoliathLabs Date: Sat, 15 Jan 2022 18:36:10 +0100 Subject: [PATCH 129/144] Updated: webhooks image tag to v1.0.3-01 --- roles/matrix-bridge-appservice-webhooks/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index 32b0cbba7..f987c0876 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml @@ -8,7 +8,7 @@ matrix_appservice_webhooks_container_image_self_build_repo: "https://github.com/ matrix_appservice_webhooks_container_image_self_build_repo_version: "{{ 'master' if matrix_appservice_webhooks_version == 'latest' else matrix_appservice_webhooks_version }}" matrix_appservice_webhooks_container_image_self_build_repo_dockerfile_path: "Dockerfile" -matrix_appservice_webhooks_version: v1.0.2-01 +matrix_appservice_webhooks_version: v1.0.3-01 matrix_appservice_webhooks_docker_image: "{{ matrix_appservice_webhooks_docker_image_name_prefix }}redoonetworks/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}" matrix_appservice_webhooks_docker_image_name_prefix: "{{ 'localhost/' if matrix_appservice_webhooks_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_appservice_webhooks_docker_image_force_pull: "{{ matrix_appservice_webhooks_docker_image.endswith(':latest') }}" From dcbd0a598e6a194b3b1630b8fb433adbfab844af Mon Sep 17 00:00:00 2001 From: GoliathLabs Date: Sat, 15 Jan 2022 18:40:28 +0100 Subject: [PATCH 130/144] Updated: beeper-linkedin to v0.5.2 --- roles/matrix-bridge-beeper-linkedin/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-beeper-linkedin/defaults/main.yml b/roles/matrix-bridge-beeper-linkedin/defaults/main.yml index 87561ff59..34c9c3cb0 100644 --- a/roles/matrix-bridge-beeper-linkedin/defaults/main.yml +++ b/roles/matrix-bridge-beeper-linkedin/defaults/main.yml @@ -3,7 +3,7 @@ matrix_beeper_linkedin_enabled: true -matrix_beeper_linkedin_version: v0.5.1 +matrix_beeper_linkedin_version: v0.5.2 # See: https://gitlab.com/beeper/linkedin/container_registry matrix_beeper_linkedin_docker_image: "{{ matrix_beeper_linkedin_docker_image_name_prefix }}beeper/linkedin:{{ matrix_beeper_linkedin_docker_image_tag }}" From 6bdb599a589353ce54e6e5de30dd439f34a481c6 Mon Sep 17 00:00:00 2001 From: GoliathLabs Date: Sat, 15 Jan 2022 18:45:23 +0100 Subject: [PATCH 131/144] Updated: sygnal to v0.11.0 --- roles/matrix-sygnal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-sygnal/defaults/main.yml b/roles/matrix-sygnal/defaults/main.yml index 70d530f86..595f8022f 100644 --- a/roles/matrix-sygnal/defaults/main.yml +++ b/roles/matrix-sygnal/defaults/main.yml @@ -7,7 +7,7 @@ matrix_sygnal_base_path: "{{ matrix_base_data_path }}/sygnal" matrix_sygnal_config_path: "{{ matrix_sygnal_base_path }}/config" matrix_sygnal_data_path: "{{ matrix_sygnal_base_path }}/data" -matrix_sygnal_version: v0.10.1 +matrix_sygnal_version: v0.11.0 matrix_sygnal_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/sygnal:{{ matrix_sygnal_version }}" matrix_sygnal_docker_image_force_pull: "{{ matrix_sygnal_docker_image.endswith(':latest') }}" From f2f4d5ba2194c1aee9d796aa27c112897f125101 Mon Sep 17 00:00:00 2001 From: GoliathLabs Date: Sat, 15 Jan 2022 18:49:30 +0100 Subject: [PATCH 132/144] Updated: node-exporter to v1.3.1 --- roles/matrix-prometheus-node-exporter/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-prometheus-node-exporter/defaults/main.yml b/roles/matrix-prometheus-node-exporter/defaults/main.yml index 481864d3e..2ec0d23c6 100644 --- a/roles/matrix-prometheus-node-exporter/defaults/main.yml +++ b/roles/matrix-prometheus-node-exporter/defaults/main.yml @@ -3,7 +3,7 @@ matrix_prometheus_node_exporter_enabled: false -matrix_prometheus_node_exporter_version: v1.2.2 +matrix_prometheus_node_exporter_version: v1.3.1 matrix_prometheus_node_exporter_docker_image: "{{ matrix_container_global_registry_prefix }}prom/node-exporter:{{ matrix_prometheus_node_exporter_version }}" matrix_prometheus_node_exporter_docker_image_force_pull: "{{ matrix_prometheus_node_exporter_docker_image.endswith(':latest') }}" From dec1bd6c653c5cdbf851f156f0412d3effe98581 Mon Sep 17 00:00:00 2001 From: GoliathLabs Date: Sat, 15 Jan 2022 18:59:18 +0100 Subject: [PATCH 133/144] Updated: slack to 1.10.0 --- roles/matrix-bridge-appservice-slack/defaults/main.yml | 2 +- roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-bridge-appservice-slack/defaults/main.yml b/roles/matrix-bridge-appservice-slack/defaults/main.yml index 0a578b412..b1c98d2a3 100644 --- a/roles/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml @@ -7,7 +7,7 @@ matrix_appservice_slack_container_image_self_build: false matrix_appservice_slack_docker_repo: "https://github.com/matrix-org/matrix-appservice-slack.git" matrix_appservice_slack_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-slack/docker-src" -matrix_appservice_slack_version: release-1.8.0 +matrix_appservice_slack_version: release-1.10.0 matrix_appservice_slack_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-slack:{{ matrix_appservice_slack_version }}" matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 b/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 index bf8072c15..96e689675 100644 --- a/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 +++ b/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 @@ -5,9 +5,9 @@ bot_username: "{{ matrix_appservice_slack_bot_name }}" username_prefix: {{ matrix_appservice_slack_user_prefix }} homeserver: - media_url: "{{ matrix_appservice_slack_homeserver_media_url }}" - url: "{{ matrix_appservice_slack_homeserver_url }}" server_name: "{{ matrix_domain }}" + url: "{{ matrix_appservice_slack_homeserver_url }}" + media_url: "{{ matrix_appservice_slack_homeserver_media_url }}" {% if matrix_appservice_slack_database_engine == 'nedb' %} dbdir: "/data" From 8f0da16621df3769f61e5ae23ab0f192383e7b6f Mon Sep 17 00:00:00 2001 From: Felix Date: Sun, 16 Jan 2022 16:00:54 +0100 Subject: [PATCH 134/144] Added: version tag (v0.1.2 --- roles/matrix-bridge-mautrix-instagram/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-instagram/defaults/main.yml b/roles/matrix-bridge-mautrix-instagram/defaults/main.yml index e1a1bddab..a3783328e 100644 --- a/roles/matrix-bridge-mautrix-instagram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-instagram/defaults/main.yml @@ -6,7 +6,7 @@ matrix_mautrix_instagram_enabled: true matrix_mautrix_instagram_container_image_self_build: false matrix_mautrix_instagram_container_image_self_build_repo: "https://github.com/mautrix/instagram.git" -matrix_mautrix_instagram_version: latest +matrix_mautrix_instagram_version: v0.1.2 # See: https://mau.dev/tulir/mautrix-instagram/container_registry matrix_mautrix_instagram_docker_image: "{{ matrix_mautrix_instagram_docker_image_name_prefix }}mautrix/instagram:{{ matrix_mautrix_instagram_version }}" matrix_mautrix_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_instagram_container_image_self_build else 'dock.mau.dev/' }}" From 05541bd54aba8dd71609ed7d927a406763843739 Mon Sep 17 00:00:00 2001 From: Aine Date: Sun, 16 Jan 2022 18:41:02 +0200 Subject: [PATCH 135/144] Updated Honoroit with fallback reply-to mode --- roles/matrix-bot-honoroit/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bot-honoroit/defaults/main.yml b/roles/matrix-bot-honoroit/defaults/main.yml index 0b868a942..426aa372a 100644 --- a/roles/matrix-bot-honoroit/defaults/main.yml +++ b/roles/matrix-bot-honoroit/defaults/main.yml @@ -7,7 +7,7 @@ matrix_bot_honoroit_container_image_self_build: false matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git" matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src" -matrix_bot_honoroit_version: v0.9.1 +matrix_bot_honoroit_version: v0.9.2 matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}honoroit:{{ matrix_bot_honoroit_version }}" matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}" matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}" From 29668f4a3341bbbce189cec9673b52752d37c3d6 Mon Sep 17 00:00:00 2001 From: GoliathLabs Date: Sun, 16 Jan 2022 22:41:01 +0100 Subject: [PATCH 136/144] Updated: telegram to v0.11.1 --- .../matrix-bridge-mautrix-telegram/defaults/main.yml | 4 ++-- .../templates/config.yaml.j2 | 11 ----------- .../systemd/matrix-mautrix-telegram.service.j2 | 9 --------- 3 files changed, 2 insertions(+), 22 deletions(-) diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index 7e7ee0a62..bcdcfdd8f 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -7,13 +7,13 @@ matrix_telegram_lottieconverter_container_image_self_build: false matrix_telegram_lottieconverter_container_image_self_build_mask_arch: false matrix_telegram_lottieconverter_docker_repo: "https://mau.dev/tulir/lottieconverter.git" matrix_telegram_lottieconverter_docker_src_files_path: "{{ matrix_base_data_path }}/lotticonverter/docker-src" -matrix_telegram_lottieconverter_docker_image: "dock.mau.dev/tulir/lottieconverter:alpine-3.14" # needs to be ajusted according to FROM clause of Dockerfile of mautrix-telegram +matrix_telegram_lottieconverter_docker_image: "dock.mau.dev/tulir/lottieconverter:alpine-3.15" # needs to be ajusted according to FROM clause of Dockerfile of mautrix-telegram matrix_mautrix_telegram_container_image_self_build: false matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git" matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src" -matrix_mautrix_telegram_version: v0.10.2 +matrix_mautrix_telegram_version: v0.11.1 # See: https://mau.dev/mautrix/telegram/container_registry matrix_mautrix_telegram_docker_image: "dock.mau.dev/mautrix/telegram:{{ matrix_mautrix_telegram_version }}" matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 index 9492d79e3..94694351e 100644 --- a/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 @@ -225,17 +225,6 @@ bridge: # notices from users listed here will be bridged. exceptions: [] - # Some config options related to Telegram message deduplication. - # The default values are usually fine, but some debug messages/warnings might recommend you - # change these. - deduplication: - # Whether or not to check the database if the message about to be sent is a duplicate. - pre_db_check: false - # The number of latest events to keep when checking for duplicates. - # You might need to increase this on high-traffic bridge instances. - cache_queue_length: 20 - - # The formats to use when sending messages to Telegram via the relay bot. # # Telegram doesn't have built-in emotes, so the m.emote format is also used for non-relaybot users. diff --git a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 index 69ab167a6..3f5cbd005 100644 --- a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 +++ b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 @@ -15,15 +15,6 @@ Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-telegram 2>/dev/null' ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-telegram 2>/dev/null' -ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-telegram-db \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --network={{ matrix_docker_network }} \ - -v {{ matrix_mautrix_telegram_config_path }}:/config:z \ - -v {{ matrix_mautrix_telegram_data_path }}:/data:z \ - {{ matrix_mautrix_telegram_docker_image }} \ - alembic -x config=/config/config.yaml upgrade head # Intentional delay, so that the homeserver (we likely depend on) can manage to start. ExecStartPre={{ matrix_host_command_sleep }} 5 From 6f142faf85f2030e09317cff70febd02f2df6beb Mon Sep 17 00:00:00 2001 From: GoliathLabs Date: Mon, 17 Jan 2022 09:55:00 +0100 Subject: [PATCH 137/144] Added: mautrix-signal 0.2.2 & signald 0.16.1 --- roles/matrix-bridge-mautrix-signal/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index 9eebedd7c..ceaa9b87e 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -7,8 +7,8 @@ matrix_mautrix_signal_container_image_self_build: false matrix_mautrix_signal_docker_repo: "https://mau.dev/mautrix/signal.git" matrix_mautrix_signal_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signal/docker-src" -matrix_mautrix_signal_version: latest -matrix_mautrix_signal_daemon_version: latest +matrix_mautrix_signal_version: v0.2.2 +matrix_mautrix_signal_daemon_version: 0.16.1 # See: https://mau.dev/mautrix/signal/container_registry matrix_mautrix_signal_docker_image: "dock.mau.dev/mautrix/signal:{{ matrix_mautrix_signal_version }}" matrix_mautrix_signal_docker_image_force_pull: "{{ matrix_mautrix_signal_docker_image.endswith(':latest') }}" From 46f621bca60542d37ef44299d9930b434cb4f245 Mon Sep 17 00:00:00 2001 From: GoliathLabs Date: Mon, 17 Jan 2022 09:58:16 +0100 Subject: [PATCH 138/144] Added: mautrix-whatsapp v0.2.3 tag --- roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 81c451cf4..aaa1f04a2 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -7,7 +7,7 @@ matrix_mautrix_whatsapp_container_image_self_build: false matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautrix/whatsapp.git" matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}" -matrix_mautrix_whatsapp_version: latest +matrix_mautrix_whatsapp_version: v0.2.3 # See: https://mau.dev/mautrix/whatsapp/container_registry matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_name_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}" matrix_mautrix_whatsapp_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_whatsapp_container_image_self_build else 'dock.mau.dev/' }}" From 94d31eefd37ab35efedd7eaa6fe902d33d5dc110 Mon Sep 17 00:00:00 2001 From: GoliathLabs Date: Mon, 17 Jan 2022 10:02:16 +0100 Subject: [PATCH 139/144] Updated: mautrix-twitter to v0.1.3 --- roles/matrix-bridge-mautrix-twitter/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml index 826bc4b64..6a72706b5 100644 --- a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml @@ -6,7 +6,7 @@ matrix_mautrix_twitter_enabled: true matrix_mautrix_twitter_container_image_self_build: false matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/mautrix/twitter.git" -matrix_mautrix_twitter_version: latest +matrix_mautrix_twitter_version: v0.1.3 # See: https://mau.dev/tulir/mautrix-twitter/container_registry matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_name_prefix }}mautrix/twitter:{{ matrix_mautrix_twitter_version }}" matrix_mautrix_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else 'dock.mau.dev/' }}" From 8a66db850ea2898f409921147970b6c645f9f166 Mon Sep 17 00:00:00 2001 From: GoliathLabs Date: Mon, 17 Jan 2022 10:53:15 +0100 Subject: [PATCH 140/144] Updated: Certbot to v1.22.0 --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 8c57928f8..a14a67856 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -476,7 +476,7 @@ matrix_ssl_lets_encrypt_staging: false # Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#changing-the-acme-server matrix_ssl_lets_encrypt_server: '' -matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.21.0" +matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.22.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ From b608c3d342c15a9e9946453870595c40e1b55db2 Mon Sep 17 00:00:00 2001 From: GoliathLabs Date: Mon, 17 Jan 2022 10:55:36 +0100 Subject: [PATCH 141/144] Updated: worker_processes to auto --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index a14a67856..6932c8c06 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -555,5 +555,5 @@ matrix_nginx_proxy_synapse_frontend_proxy_locations: [] # The amount of worker processes and connections # Consider increasing these when you are expecting high amounts of traffic # http://nginx.org/en/docs/ngx_core_module.html#worker_connections -matrix_nginx_proxy_worker_processes: 1 +matrix_nginx_proxy_worker_processes: auto matrix_nginx_proxy_worker_connections: 1024 From 3614903e38edbb86decd13d1eec0aef33f1d934a Mon Sep 17 00:00:00 2001 From: GoliathLabs Date: Mon, 17 Jan 2022 18:40:44 +0100 Subject: [PATCH 142/144] Updated: element-web to v1.9.9 --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index 7853292ad..15f401ddb 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -7,7 +7,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.9.8 +matrix_client_element_version: v1.9.9 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 5f22371c23f2f638b7a2dd03c0a36196d33a3777 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 18 Jan 2022 16:15:52 +0200 Subject: [PATCH 143/144] Upgrade Synapse (1.49.2 -> 1.50.0) --- roles/matrix-synapse/defaults/main.yml | 4 ++-- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index ce5235d31..91f5461c8 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.49.2 -matrix_synapse_version_arm64: v1.49.2 +matrix_synapse_version: v1.50.0 +matrix_synapse_version_arm64: v1.50.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 5d7502fdd..902aaa71f 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -12,7 +12,7 @@ # Server admins can expand Synapse's functionality with external modules. # -# See https://matrix-org.github.io/synapse/develop/modules.html for more +# See https://matrix-org.github.io/synapse/latest/modules/index.html for more # documentation on how to configure or create custom modules for Synapse. # modules: @@ -1519,6 +1519,7 @@ room_prejoin_state: # - m.room.encryption # - m.room.name # - m.room.create + # - m.room.topic # # Uncomment the following to disable these defaults (so that only the event # types listed in 'additional_event_types' are shared). Defaults to 'false'. From 4cd44f117dcc8cd627833148d6a7af657b2452ac Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 18 Jan 2022 20:45:12 +0200 Subject: [PATCH 144/144] Upgrade Synapse (1.50.0 -> 1.50.1) v1.50.0 was found to be buggy for people using a `webclient` listener. This is fixed in v1.50.1. We don't use such a listener, so we weren't affected anyway. --- roles/matrix-synapse/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 91f5461c8..a8e934488 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.50.0 -matrix_synapse_version_arm64: v1.50.0 +matrix_synapse_version: v1.50.1 +matrix_synapse_version_arm64: v1.50.1 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"