diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8fd1c8d2..c706b4a6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,39 @@
+# 2021-10-23
+
+## Hangouts bridge no longer updated, superseded by a Googlechat bridge
+
+The mautrix-hangouts bridge is no longer receiving updates upstream and is likely to stop working in the future.
+We still retain support for this bridge in the playbook, but you're encouraged to switch away from it.
+
+There's a new [mautrix-googlechat](https://github.com/mautrix/googlechat) bridge that you can [install using the playbook](docs/configuring-playbook-bridge-mautrix-googlechat.md).
+Your **Hangouts bridge data will not be migrated**, however. You need to start fresh with the new bridge.
+
+
+# 2021-08-23
+
+## LinkedIn bridging support via beeper-linkedin
+
+Thanks to [Alexandar Mechev](https://github.com/apmechev), the playbook can now install the [beeper-linkedin](https://gitlab.com/beeper/linkedin) bridge for bridging to [LinkedIn](https://www.linkedin.com/) Messaging.
+
+This brings the total number of bridges supported by the playbook up to 20. See all supported bridges [here](docs/configuring-playbook.md#bridging-other-networks).
+
+To get started with bridging to LinkedIn, see [Setting up Beeper LinkedIn bridging](docs/configuring-playbook-bridge-beeper-linkedin.md).
+
+
+# 2021-08-20
+
+# Sygnal upgraded - ARM support and no longer requires a database
+
+The [Sygnal](docs/configuring-playbook-sygnal.md) push gateway has been upgraded from `v0.9.0` to `v0.10.1`.
+
+This is an optional component for the playbook, so most of our users wouldn't care about this announcement.
+
+Since this feels like a relatively big (and untested, as of yet) Sygnal change, we're putting up this changelog entry.
+
+The new version is also available for the ARM architecture. It also no longer requires a database anymore.
+If you need to downgrade to the previous version, changing `matrix_sygnal_version` or `matrix_sygnal_docker_image` will not be enough, as we've removed the `database` configuration completely.
You'd need to switch to an earlier playbook commit.
+
+
 # 2021-05-21
 ## Hydrogen support
diff --git a/README.md b/README.md
index 096c04e3..6e1b5c14 100644
--- a/README.md
+++ b/README.md
@@ -45,17 +45,21 @@ Using this playbook, you can get the following services configured on your serve
 - (optional, advanced) the [Matrix Corporal](https://github.com/devture/matrix-corporal) reconciliator and gateway for a managed Matrix server
-- (optional) the [mautrix-telegram](https://github.com/tulir/mautrix-telegram) bridge for bridging your Matrix server to [Telegram](https://telegram.org/)
+- (optional) the [mautrix-telegram](https://github.com/mautrix/telegram) bridge for bridging your Matrix server to [Telegram](https://telegram.org/)
-- (optional) the [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) bridge for bridging your Matrix server to [WhatsApp](https://www.whatsapp.com/)
+- (optional) the [mautrix-whatsapp](https://github.com/mautrix/whatsapp) bridge for bridging your Matrix server to [WhatsApp](https://www.whatsapp.com/)
-- (optional) the [mautrix-facebook](https://github.com/tulir/mautrix-facebook) bridge for bridging your Matrix server to [Facebook](https://facebook.com/)
+- (optional) the [mautrix-facebook](https://github.com/mautrix/facebook) bridge for bridging your Matrix server to [Facebook](https://facebook.com/)
-- (optional) the [mautrix-hangouts](https://github.com/tulir/mautrix-hangouts) bridge for bridging your Matrix server to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts)
+- (optional) the [mautrix-hangouts](https://github.com/mautrix/hangouts) bridge for bridging your Matrix server to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts)
-- (optional) the [mautrix-instagram](https://github.com/tulir/mautrix-instagram) bridge for bridging your Matrix server to [Instagram](https://instagram.com/)
+- (optional) the [mautrix-googlechat](https://github.com/mautrix/googlechat) bridge for bridging your Matrix server to [Google Chat](https://en.wikipedia.org/wiki/Google_Chat)
-- (optional) the [mautrix-signal](https://github.com/tulir/mautrix-signal) bridge for bridging your Matrix server to
[Signal](https://www.signal.org/)
+- (optional) the [mautrix-instagram](https://github.com/mautrix/instagram) bridge for bridging your Matrix server to [Instagram](https://instagram.com/)
+
+- (optional) the [mautrix-signal](https://github.com/mautrix/signal) bridge for bridging your Matrix server to [Signal](https://www.signal.org/)
+
+- (optional) the [beeper-linkedin](https://gitlab.com/beeper/linkedin) bridge for bridging your Matrix server to [LinkedIn](https://www.linkedin.com/)
 - (optional) the [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) bridge for bridging your Matrix server to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat)
diff --git a/docs/configuring-awx-system.md b/docs/configuring-awx-system.md
index 1ab6950a..f455f058 100644
--- a/docs/configuring-awx-system.md
+++ b/docs/configuring-awx-system.md
@@ -26,14 +26,14 @@ The following repositories allow you to copy and use this setup:
 Updates to this section are trailed here:
-[GoMatrixHosting Matrix Docker Ansible Deploy](https://gitlab.com/GoMatrixHosting/gomatrixhosting-matrix-docker-ansible-deploy)
+[GoMatrixHosting Matrix Docker Ansible Deploy](https://gitlab.com/GoMatrixHosting/matrix-docker-ansible-deploy)
 ## Does I need an AWX setup to use this? How do I configure it?
-Yes, you'll need to configure an AWX instance, the [Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) repository makes it easy to do. Just follow the steps listed in ['/docs/Installation.md' of that repository](https://gitlab.com/GoMatrixHosting/create-awx-system/-/blob/master/docs/Installation.md).
+Yes, you'll need to configure an AWX instance, the [Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) repository makes it easy to do. Just follow the steps listed in ['/docs/Installation_AWX.md' of that repository](https://gitlab.com/GoMatrixHosting/create-awx-system/-/blob/master/docs/Installation_AWX.md).
-For simpler installation steps you can use to get started with this system, check out our minimal installation guide at ['/doc/Installation_Minimal.md of that repository'](https://gitlab.com/GoMatrixHosting/create-awx-system/-/blob/master/docs/Installation_Minimal.md).
+For simpler installation steps you can use to get started with this system, check out our minimal installation guide at ['/doc/Installation_Minimal_AWX.md of that repository'](https://gitlab.com/GoMatrixHosting/create-awx-system/-/blob/master/docs/Installation_Minimal_AWX.md).
 ## Does I need a front-end WordPress site? And a DigitalOcean account?
diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md
index 0016464f..af2badca 100644
--- a/docs/configuring-dns.md
+++ b/docs/configuring-dns.md
@@ -31,12 +31,12 @@ If you are using Cloudflare DNS, make sure to disable the proxy and set all reco
 | Type | Host | Priority | Weight | Port | Target |
 | ----- | ---------------------------- | -------- | ------ | ---- | ---------------------- |
 | SRV | `_matrix-identity._tcp` | 10 | 0 | 443 | `matrix.` |
-| CNAME | `dimension` (*) | - | - | - | `matrix.` |
-| CNAME | `jitsi` (*) | - | - | - | `matrix.` |
-| CNAME | `stats` (*) | - | - | - | `matrix.` |
-| CNAME | `goneb` (*) | - | - | - | `matrix.` |
-| CNAME | `sygnal` (*) | - | - | - | `matrix.` |
-| CNAME | `hydrogen` (*) | - | - | - | `matrix.` |
+| CNAME | `dimension` | - | - | - | `matrix.` |
+| CNAME | `jitsi` | - | - | - | `matrix.` |
+| CNAME | `stats` | - | - | - | `matrix.` |
+| CNAME | `goneb` | - | - | - | `matrix.` |
+| CNAME | `sygnal` | - | - | - | `matrix.` |
+| CNAME | `hydrogen` | - | - | - | `matrix.` |
 ## Subdomains setup
@@ -68,4 +68,4 @@ This is an optional feature. See [ma1sd's documentation](https://github.com/ma1u
 Note: This `_matrix-identity._tcp` SRV record for the identity server is different from the `_matrix._tcp` that can be used for Synapse delegation. See [howto-server-delegation.md](howto-server-delegation.md) for more information about delegation.
-When you're done with the DNS configuration and ready to proceed, continue with [Configuring this Ansible playbook](configuring-playbook.md).
+When you're done with the DNS configuration and ready to proceed, continue with [Getting the playbook](getting-the-playbook.md).
diff --git a/docs/configuring-playbook-bridge-beeper-linkedin.md b/docs/configuring-playbook-bridge-beeper-linkedin.md
new file mode 100644
index 00000000..bcc9d0f5
--- /dev/null
+++ b/docs/configuring-playbook-bridge-beeper-linkedin.md
@@ -0,0 +1,59 @@
+# Setting up Beeper Linkedin (optional)
+
+The playbook can install and configure [beeper-linkedin](https://gitlab.com/beeper/linkedin) for you, for bridging to [LinkedIn](https://www.linkedin.com/) Messaging. This bridge is based on the mautrix-python framework and can be configured in a similar way to the other mautrix bridges
+
+See the project's [documentation](https://gitlab.com/beeper/linkedin/-/blob/master/README.md) to learn what it does and why it might be useful to you.
+
+```yaml
+matrix_beeper_linkedin_enabled: true
+```
+
+There are some additional things you may wish to configure about the bridge before you continue.
+
+Encryption support is off by default. If you would like to enable encryption, add the following to your `vars.yml` file:
+```yaml
+matrix_beeper_linkedin_configuration_extension_yaml: |
+ bridge:
+ encryption:
+ allow: true
+ default: true
+```
+
+If you would like to be able to administrate the bridge from your account it can be configured like this:
+```yaml
+matrix_beeper_linkedin_configuration_extension_yaml: |
+ bridge:
+ permissions:
+ '@YOUR_USERNAME:YOUR_DOMAIN': admin
+```
+
+You may wish to look at `roles/matrix-bridge-beeper-linkedin/templates/config.yaml.j2` to find other things you would like to configure.
+
+
+## Set up Double Puppeting
+
+If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.
+
+### Method 1: automatically, by enabling Shared Secret Auth
+
+The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook.
+
+This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
+
+
+## Usage
+
+You then need to start a chat with `@linkedinbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain).
+
+Send `login YOUR_LINKEDIN_EMAIL_ADDRESS` to the bridge bot to enable bridging for your LinkedIn account.
+
+If you run into trouble, check the [Troubleshooting](#troubleshooting) section below.
+
+After successfully enabling bridging, you may wish to [set up Double Puppeting](#set-up-double-puppeting), if you haven't already done so.
+
+
+## Troubleshooting
+
+### Bridge asking for 2FA even if you don't have 2FA enabled
+
+If you don't have 2FA enabled and are logging in from a strange IP for the first time, LinkedIn will send an email with a one-time code. You can use this code to authorize the bridge session. In my experience, once the IP is authorized, you will not be asked again.
diff --git a/docs/configuring-playbook-bridge-heisenbridge.md b/docs/configuring-playbook-bridge-heisenbridge.md
index 9cf016f2..2c1b438f 100644
--- a/docs/configuring-playbook-bridge-heisenbridge.md
+++ b/docs/configuring-playbook-bridge-heisenbridge.md
@@ -4,7 +4,7 @@
 The playbook can install and configure [Heisenbridge](https://github.com/hifi/heisenbridge) - the bouncer-style [IRC](https://en.wikipedia.org/wiki/Internet_Relay_Chat) bridge for you.
-See the project's [README](https://github.com/hifi/heisenbridge/blob/master/README.md) to learn what it does and why it might be useful to you.
+See the project's [README](https://github.com/hifi/heisenbridge/blob/master/README.md) to learn what it does and why it might be useful to you. You can also take a look at [this demonstration video](https://www.youtube.com/watch?v=nQk1Bp4tk4I).
 ## Configuration
@@ -33,4 +33,6 @@ After the bridge is successfully running just DM `@heisenbridge:your-homeserver`
 Help is available for all commands with the `-h` switch. If the bridge ignores you and a DM is not accepted then the owner setting may be wrong.
+You can also learn the basics by watching [this demonstration video](https://www.youtube.com/watch?v=nQk1Bp4tk4I).
+
 If you encounter issues or feel lost you can join the project room at [#heisenbridge:vi.fi](https://matrix.to/#/#heisenbridge:vi.fi) for help.
diff --git a/docs/configuring-playbook-bridge-mautrix-facebook.md b/docs/configuring-playbook-bridge-mautrix-facebook.md
index d07873ae..282865e7 100644
--- a/docs/configuring-playbook-bridge-mautrix-facebook.md
+++ b/docs/configuring-playbook-bridge-mautrix-facebook.md
@@ -1,8 +1,8 @@
 # Setting up Mautrix Facebook (optional)
-The playbook can install and configure [mautrix-facebook](https://github.com/tulir/mautrix-facebook) for you.
+The playbook can install and configure [mautrix-facebook](https://github.com/mautrix/facebook) for you.
-See the project's [documentation](https://github.com/tulir/mautrix-facebook/blob/master/ROADMAP.md) to learn what it does and why it might be useful to you.
+See the project's [documentation](https://github.com/mautrix/facebook/blob/master/ROADMAP.md) to learn what it does and why it might be useful to you.
 ```yaml
 matrix_mautrix_facebook_enabled: true
diff --git a/docs/configuring-playbook-bridge-mautrix-googlechat.md b/docs/configuring-playbook-bridge-mautrix-googlechat.md
new file mode 100644
index 00000000..381d1f29
--- /dev/null
+++ b/docs/configuring-playbook-bridge-mautrix-googlechat.md
@@ -0,0 +1,58 @@
+# Setting up Mautrix Google Chat (optional)
+
+The playbook can install and configure [mautrix-googlechat](https://github.com/mautrix/googlechat) for you.
+
+See the project's [documentation](https://docs.mau.fi/bridges/python/googlechat/index.html) to learn what it does and why it might be useful to you.
+
+To enable the [Google Chat](https://chat.google.com/) bridge just use the following playbook configuration:
+
+
+```yaml
+matrix_mautrix_googlechat_enabled: true
+```
+
+
+## Set up Double Puppeting
+
+If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.
+
+### Method 1: automatically, by enabling Shared Secret Auth
+
+The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook.
+
+This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
+
+
+### Method 2: manually, by asking each user to provide a working access token
+
+**Note**: This method for enabling Double Puppeting can be configured only after you've already set up bridging (see [Usage](#usage)).
+
+When using this method, **each user** that wishes to enable Double Puppeting needs to follow the following steps:
+
+- retrieve a Matrix access token for yourself. You can use the following command:
+
+```
+curl \
+--data '{"identifier": {"type": "m.id.user", "user": "YOUR_MATRIX_USERNAME" }, "password": "YOUR_MATRIX_PASSWORD", "type": "m.login.password", "device_id": "Mautrix-googlechat", "initial_device_display_name": "Mautrix-googlechat"}' \
+https://matrix.DOMAIN/_matrix/client/r0/login
+```
+
+- send the access token to the bot.
Example: `login-matrix MATRIX_ACCESS_TOKEN_HERE`
+
+- make sure you don't log out the `Mautrix-googlechat` device some time in the future, as that would break the Double Puppeting feature
+
+
+## Usage
+
+Once the bot is enabled you need to start a chat with `googlechat bridge bot` with handle `@googlechatbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain).
+
+Send `login` to the bridge bot to receive a link to the portal from which you can enable the bridging. Open the link sent by the bot and follow the instructions.
+
+Automatic login may not work. If it does not, reload the page and select the "Manual login" checkbox before starting. Manual login involves logging into your Google account normally and then manually getting the OAuth token from browser cookies with developer tools.
+
+Once logged in, recent chats should show up as new conversations automatically. Other chats will get portals as you receive messages.
+
+You can learn more about authentication from the bridge's [official documentation on Authentication](https://docs.mau.fi/bridges/python/googlechat/authentication.html).
+
+After successfully enabling bridging, you may wish to [set up Double Puppeting](#set-up-double-puppeting), if you haven't already done so.
+
diff --git a/docs/configuring-playbook-bridge-mautrix-hangouts.md b/docs/configuring-playbook-bridge-mautrix-hangouts.md
index a74b1f11..f6129777 100644
--- a/docs/configuring-playbook-bridge-mautrix-hangouts.md
+++ b/docs/configuring-playbook-bridge-mautrix-hangouts.md
@@ -1,8 +1,10 @@
+# The [Mautrix Hangouts Bridge](https://mau.dev/mautrix/hangouts) is no longer maintained. It has changed to a [Google Chat Bridge](https://github.com/mautrix/googlechat). Setup instructions for the Google Chat Bridge can be [found here](configuring-playbook-bridge-mautrix-googlechat.md).
+
 # Setting up Mautrix Hangouts (optional)
-The playbook can install and configure [mautrix-hangouts](https://github.com/tulir/mautrix-hangouts) for you.
+The playbook can install and configure [mautrix-hangouts](https://github.com/mautrix/hangouts) for you.
-See the project's [documentation](https://github.com/tulir/mautrix-hangouts/wiki#usage) to learn what it does and why it might be useful to you.
+See the project's [documentation](https://docs.mau.fi/bridges/python/hangouts/index.html) to learn what it does and why it might be useful to you.
 To enable the [Google Hangouts](https://hangouts.google.com/) bridge just use the following playbook configuration:
@@ -14,7 +16,7 @@ matrix_mautrix_hangouts_enabled: true
 ## Set up Double Puppeting
-If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-hangouts/wiki/Authentication#double-puppeting) (hint: you most likely do), you have 2 ways of going about it.
+If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.
 ### Method 1: automatically, by enabling Shared Secret Auth
@@ -52,7 +54,7 @@ Automatic login may not work. If it does not, reload the page and select the "Ma
 Once logged in, recent chats should show up as new conversations automatically. Other chats will get portals as you receive messages.
-You can learn more about authentication from the bridge's [official documentation on Authentication](https://github.com/tulir/mautrix-hangouts/wiki/Authentication).
+You can learn more about authentication from the bridge's [official documentation on Authentication](https://docs.mau.fi/bridges/python/hangouts/authentication.html).
 After successfully enabling bridging, you may wish to [set up Double Puppeting](#set-up-double-puppeting), if you haven't already done so.
diff --git a/docs/configuring-playbook-bridge-mautrix-instagram.md b/docs/configuring-playbook-bridge-mautrix-instagram.md
index 7cdbc7a8..38d107d0 100644
--- a/docs/configuring-playbook-bridge-mautrix-instagram.md
+++ b/docs/configuring-playbook-bridge-mautrix-instagram.md
@@ -1,6 +1,6 @@
 # Setting up Mautrix Instagram (optional)
-The playbook can install and configure [mautrix-instagram](https://github.com/tulir/mautrix-instagram) for you.
+The playbook can install and configure [mautrix-instagram](https://github.com/mautrix/instagram) for you.
 See the project's [documentation](https://docs.mau.fi/bridges/python/instagram/index.html) to learn what it does and why it might be useful to you.
diff --git a/docs/configuring-playbook-bridge-mautrix-signal.md b/docs/configuring-playbook-bridge-mautrix-signal.md
index 6d3c4dfb..f47640b9 100644
--- a/docs/configuring-playbook-bridge-mautrix-signal.md
+++ b/docs/configuring-playbook-bridge-mautrix-signal.md
@@ -1,8 +1,8 @@
 # Setting up Mautrix Signal (optional)
-The playbook can install and configure [mautrix-signal](https://github.com/tulir/mautrix-signal) for you.
+The playbook can install and configure [mautrix-signal](https://github.com/mautrix/signal) for you.
-See the project's [documentation](https://github.com/tulir/mautrix-signal/wiki) to learn what it does and why it might be useful to you.
+See the project's [documentation](https://docs.mau.fi/bridges/python/signal/index.html) to learn what it does and why it might be useful to you.
 **Note/Prerequisite**: If you're running with the Postgres database server integrated by the playbook (which is the default), you don't need to do anything special and can easily proceed with installing. However, if you're [using an external Postgres server](configuring-playbook-external-postgres.md), you'd need to manually prepare a Postgres database for this bridge and adjust the variables related to that (`matrix_mautrix_signal_database_*`).
@@ -12,9 +12,54 @@ Use the following playbook configuration:
 matrix_mautrix_signal_enabled: true
 ```
+There are some additional things you may wish to configure about the bridge before you continue.
+
+The relay bot functionality is off by default. If you would like to enable the relay bot, add the following to your `vars.yml` file:
+```yaml
+matrix_mautrix_signal_relaybot_enabled: true
+```
+If you want to activate the relay bot in a room, use `!signal set-relay`.
+Use `!signal unset-relay` to deactivate.
+By default, any user on your homeserver will be able to use the bridge.
+If you enable the relay bot functionality, it will relay every user's messages in a portal room - no matter which homeserver they're from.
+
+Different levels of permission can be granted to users:
+
+* relay - Allowed to be relayed through the bridge, no access to commands;
+* user - Use the bridge with puppeting;
+* admin - Use and administer the bridge.
+
+The permissions are following the sequence: nothing < relay < user < admin.
+
+The default permissions are set as follows:
+```yaml
+permissions:
+ '*': relay
+ YOUR_DOMAIN: user
+```
+
+If you want to augment the preset permissions, you might want to set the additional permissions with the following settings in your `vars.yml` file:
+```yaml
+matrix_mautrix_signal_configuration_extension_yaml: |
+ bridge:
+ permissions:
+ '@YOUR_USERNAME:YOUR_DOMAIN': admin
+```
+
+This will add the admin permission to the specific user, while keepting the default permissions.
+
+In case you want to replace the default permissions settings **completely**, populate the following item within your `vars.yml` file:
+```yaml
+matrix_mautrix_signal_bridge_permissions: |
+ '@ADMIN:YOUR_DOMAIN': admin
+ '@USER:YOUR_DOMAIN' : user
+```
+
+You may wish to look at `roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2` to find more information on the permissions settings and other options you would like to configure.
+
 ## Set up Double Puppeting
-If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-signal/wiki/Authentication#double-puppeting) (hint: you most likely do), you have 2 ways of going about it.
+If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.
 ### Method 1: automatically, by enabling Shared Secret Auth
diff --git a/docs/configuring-playbook-bridge-mautrix-telegram.md b/docs/configuring-playbook-bridge-mautrix-telegram.md
index bfdc6fc5..0ac6c103 100644
--- a/docs/configuring-playbook-bridge-mautrix-telegram.md
+++ b/docs/configuring-playbook-bridge-mautrix-telegram.md
@@ -1,8 +1,8 @@
 # Setting up Mautrix Telegram (optional)
-The playbook can install and configure [mautrix-telegram](https://github.com/tulir/mautrix-telegram) for you.
+The playbook can install and configure [mautrix-telegram](https://github.com/mautrix/telegram) for you.
-See the project's [documentation](https://github.com/tulir/mautrix-telegram/wiki#usage) to learn what it does and why it might be useful to you.
+See the project's [documentation](https://docs.mau.fi/bridges/python/telegram/index.html) to learn what it does and why it might be useful to you.
 You'll need to obtain API keys from [https://my.telegram.org/apps](https://my.telegram.org/apps) and then use the following playbook configuration:
@@ -14,7 +14,7 @@ matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH
 ## Set up Double Puppeting
-If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-telegram/wiki/Authentication#replacing-telegram-accounts-matrix-puppet-with-matrix-account) (hint: you most likely do), you have 2 ways of going about it.
+If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.
 ### Method 1: automatically, by enabling Shared Secret Auth
@@ -45,7 +45,7 @@ https://matrix.DOMAIN/_matrix/client/r0/login
 You then need to start a chat with `@telegrambot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain).
-If you want to use the relay-bot feature ([relay bot documentation](https://github.com/tulir/mautrix-telegram/wiki/Relay-bot)), which allows anonymous user to chat with telegram users, use the following additional playbook configuration:
+If you want to use the relay-bot feature ([relay bot documentation](https://docs.mau.fi/bridges/python/telegram/relay-bot.html)), which allows anonymous user to chat with telegram users, use the following additional playbook configuration:
 ```yaml
 matrix_mautrix_telegram_bot_token: YOUR_TELEGRAM_BOT_TOKEN
diff --git a/docs/configuring-playbook-bridge-mautrix-whatsapp.md b/docs/configuring-playbook-bridge-mautrix-whatsapp.md
index 78ae2863..1e5f7038 100644
--- a/docs/configuring-playbook-bridge-mautrix-whatsapp.md
+++ b/docs/configuring-playbook-bridge-mautrix-whatsapp.md
@@ -1,8 +1,8 @@
 # Setting up Mautrix Whatsapp (optional)
-The playbook can install and configure [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) for you.
+The playbook can install and configure [mautrix-whatsapp](https://github.com/mautrix/whatsapp) for you.
-See the project's [documentation](https://github.com/tulir/mautrix-whatsapp/wiki) to learn what it does and why it might be useful to you.
+See the project's [documentation](https://docs.mau.fi/bridges/go/whatsapp/index.html) to learn what it does and why it might be useful to you.
 Use the following playbook configuration:
@@ -13,7 +13,7 @@ matrix_mautrix_whatsapp_enabled: true
 ## Set up Double Puppeting
-If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-whatsapp/wiki/Authentication#replacing-whatsapp-accounts-matrix-puppet-with-matrix-account) (hint: you most likely do), you have 2 ways of going about it.
+If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.
 ### Method 1: automatically, by enabling Shared Secret Auth
diff --git a/docs/configuring-playbook-bridge-mx-puppet-discord.md b/docs/configuring-playbook-bridge-mx-puppet-discord.md
index 7a3e986c..1a48f05b 100644
--- a/docs/configuring-playbook-bridge-mx-puppet-discord.md
+++ b/docs/configuring-playbook-bridge-mx-puppet-discord.md
@@ -13,8 +13,6 @@ playbook configuration:
 ```yaml
 matrix_mx_puppet_discord_enabled: true
-matrix_mx_puppet_discord_client_id: ""
-matrix_mx_puppet_discord_client_secret: ""
 ```
diff --git a/docs/configuring-playbook-bridge-mx-puppet-groupme.md b/docs/configuring-playbook-bridge-mx-puppet-groupme.md
index c3b9663f..2f0eda19 100644
--- a/docs/configuring-playbook-bridge-mx-puppet-groupme.md
+++ b/docs/configuring-playbook-bridge-mx-puppet-groupme.md
@@ -11,8 +11,6 @@ playbook configuration:
 ```yaml
 matrix_mx_puppet_groupme_enabled: true
-matrix_mx_puppet_groupme_client_id: ""
-matrix_mx_puppet_groupme_client_secret: ""
 ```
diff --git a/docs/configuring-playbook-bridge-mx-puppet-slack.md b/docs/configuring-playbook-bridge-mx-puppet-slack.md
index 61600c7a..e7d8dba2 100644
--- a/docs/configuring-playbook-bridge-mx-puppet-slack.md
+++ b/docs/configuring-playbook-bridge-mx-puppet-slack.md
@@ -13,8 +13,6 @@ playbook configuration:
 ```yaml
 matrix_mx_puppet_slack_enabled: true
-matrix_mx_puppet_slack_client_id: ""
-matrix_mx_puppet_slack_client_secret: ""
 ```
diff --git a/docs/configuring-playbook-bridge-mx-puppet-steam.md b/docs/configuring-playbook-bridge-mx-puppet-steam.md
index 616efbe2..5681c3d1 100644
--- a/docs/configuring-playbook-bridge-mx-puppet-steam.md
+++ b/docs/configuring-playbook-bridge-mx-puppet-steam.md
@@ -11,8 +11,6 @@ playbook configuration:
 ```yaml
 matrix_mx_puppet_steam_enabled: true
-matrix_mx_puppet_steam_client_id: ""
-matrix_mx_puppet_steam_client_secret: ""
 ```
diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md
index d5f0a9e6..69ed7aa7 100644
--- a/docs/configuring-playbook-dimension.md
+++ b/docs/configuring-playbook-dimension.md
@@ -3,14 +3,12 @@
 **[Dimension](https://dimension.t2bot.io) can only be installed after Matrix services are installed and running.** If you're just installing Matrix services for the first time, please continue with the [Configuration](configuring-playbook.md) / [Installation](installing.md) flow and come back here later.
-**Note**: enabling Dimension, means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. It's something to be aware of, especially in terms of firewall whitelisting (make sure port `8448` is accessible).
+**Note**: This playbook now supports running [Dimension](https://dimension.t2bot.io) in both a federated and [unfederated](https://github.com/turt2live/matrix-dimension/blob/master/docs/unfederated.md) environments. This is handled automatically based on the value of `matrix_synapse_federation_enabled`. Enabling Dimension, means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. It's something to be aware of, especially in terms of firewall whitelisting (make sure port `8448` is accessible).
 ## Prerequisites
-This playbook now supports running [Dimension](https://dimension.t2bot.io) in both a federated and an [unfederated](https://github.com/turt2live/matrix-dimension/blob/master/docs/unfederated.md) environment. This is handled automatically based on the value of `matrix_synapse_federation_enabled`.
-
-Other important prerequisite is the `dimension.` DNS record being set up correctly. See [Configuring your DNS server](configuring-dns.md) on how to set up DNS record correctly.
+The `dimension.` DNS record must be created. See [Configuring your DNS server](configuring-dns.md) on how to set up DNS record correctly.
 ## Enable
@@ -24,7 +22,7 @@ matrix_dimension_enabled: true ## Define admin users -These users can modify the integrations this Dimension supports. Admin interface is accessible by opening Dimension in Element and clicking the settings icon. +These users can modify the integrations this Dimension supports. Admin interface is accessible at `https://dimension./riot-app/admin` after logging in to element. Add this to your configuration file (`inventory/host_vars/matrix./vars.yml`): ```yaml @@ -45,11 +43,11 @@ To get an access token for the Dimension user, you can follow one of two options *Through an interactive login*: 1. In a private browsing session (incognito window), open Element. -2. Log in with the `dimension` user and its password. +1. Log in with the `dimension` user and its password. 1. Set the display name and avatar, if required. -2. In the settings page choose "Help & About", scroll down to the bottom and click `Access Token: `. -3. Copy the highlighted text to your configuration. -4. Close the private browsing session. **Do not log out**. Logging out will invalidate the token, making it not work. +1. In the settings page choose "Help & About", scroll down to the bottom and expand the `Access Token` section. +1. Copy the access token to your configuration. +1. Close the private browsing session. **Do not log out**. Logging out will invalidate the token, making it not work. *With CURL* @@ -81,6 +79,8 @@ After these variables have been set, please run the following command to re-run ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start ``` +After Dimension has been installed you may need to log out and log back in for it to pick up the new integrations manager. Then you can access integrations in Element by opening a room, clicking the Room info button (`i`) button in the top right corner of the screen, and then clicking Add widgets, bridges & bots. + ## Jitsi domain 
diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 81ceb9fb..f4e4c9f3 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -26,7 +26,6 @@ matrix_jitsi_enabled: true # Run `bash inventory/scripts/jitsi-generate-passwords.sh` to generate these passwords, # or define your own strong passwords manually. -matrix_jitsi_jicofo_component_secret: "" matrix_jitsi_jicofo_auth_password: "" matrix_jitsi_jvb_auth_password: "" matrix_jitsi_jibri_recorder_password: "" @@ -129,7 +128,7 @@ Until this gets integrated into the playbook, we need to register new users / me Please SSH into your matrix host machine and execute the following command targeting the `matrix-jitsi-prosody` container: ```bash -docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register matrix-jitsi-web +docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register meet.jitsi ``` Run this command for each user you would like to create, replacing `` and `` accordingly. After you've finished, please exit the host. diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 8a827d0d..6a33ffbe 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -71,7 +71,7 @@ After following the [Preparation](#preparation) guide above, you can take a loo ### Using another external webserver -Feel free to look at the [examples/apache](../examples/apache) directory, or the [template files in the matrix-nginx-proxy role](../roles/matrix-nginx-proxy/templates/conf.d/). +Feel free to look at the [examples/apache](../examples/apache) directory, or the [template files in the matrix-nginx-proxy role](../roles/matrix-nginx-proxy/templates/nginx/conf.d/). ## Method 2: Fronting the integrated nginx reverse-proxy webserver with another reverse-proxy 
@@ -108,6 +108,9 @@ matrix_nginx_proxy_container_federation_host_bind_port: '127.0.0.1:8449' # Since we don't obtain any certificates (`matrix_ssl_retrieval_method: none` above), it won't work by default. # An alternative is to tweak some of: `matrix_coturn_tls_enabled`, `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path`. matrix_coturn_enabled: false + +# Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection. +matrix_nginx_proxy_trust_forwarded_proto: true ``` With this, nginx would still be in use, but it would not bother with anything SSL related or with taking up public ports. diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index dc1b7b4c..4edc2a81 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md 
@@ -56,8 +56,72 @@ Name | Description `matrix_nginx_proxy_proxy_synapse_metrics`|Set this to `true` to make matrix-nginx-proxy expose the Synapse metrics at `https://matrix.DOMAIN/_synapse/metrics` `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled`|Set this to `true` to password-protect (using HTTP Basic Auth) `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus`, the password is defined in `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`) `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`|Set this to a password to use for HTTP Basic Auth for protecting `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus` - it's not configurable) -`matrix_server_fqn_grafana`|Use this variable to override the domain at which the Grafana web user-interface is at (defaults to `stats.DOMAIN`). +`matrix_server_fqn_grafana`|Use this variable to override the domain at which the Grafana web user-interface is at (defaults to `stats.DOMAIN`) +### Collecting worker metrics to an external Prometheus server + +If you are using workers (`matrix_synapse_workers_enabled`) and have enabled `matrix_nginx_proxy_proxy_synapse_metrics` as described above, the playbook will also automatically proxy the all worker threads's metrics to `https://matrix.DOMAIN/_synapse-worker-TYPE-ID/metrics`, where `TYPE` corresponds to the type and `ID` to the instanceId of a worker as exemplified in `matrix_synapse_workers_enabled_list`. + +The playbook also generates an exemplary prometheus.yml config file (`matrix_base_data_path/external_prometheus.yml.template`) with all the correct paths which you can copy to your Prometheus server and adapt to your needs, especially edit the specified `password_file` path and contents and path to your `synapse-v2.rules`. 
+It will look a bit like this: +```yaml +scrape_configs: + - job_name: 'synapse' + metrics_path: /_synapse/metrics + scheme: https + basic_auth: + username: prometheus + password_file: /etc/prometheus/password.pwd + static_configs: + - targets: ['matrix.DOMAIN:443'] + labels: + job: "master" + index: 1 + - job_name: 'synapse-generic_worker-1' + metrics_path: /_synapse-worker-generic_worker-18111/metrics + scheme: https + basic_auth: + username: prometheus + password_file: /etc/prometheus/password.pwd + static_configs: + - targets: ['matrix.DOMAIN:443'] + labels: + job: "generic_worker" + index: 18111 +``` + +### Collecting system and Postgres metrics to an external Prometheus server (advanced) + +When you normally enable the Prometheus and Grafana via the playbook, it will also show general system (via node-exporter) and Postgres (via postgres-exporter) stats. If you are instead collecting your metrics to an external Prometheus server, you can follow this advanced configuration example to also export these stats. + +It would be possible to use `matrix_prometheus_node_exporter_container_http_host_bind_port` etc., but that is not always the best choice, for example because your server is on a public network. 
+ +Use the following variables in addition to the ones mentioned above: + +Name | Description +-----|---------- +`matrix_nginx_proxy_proxy_grafana_enabled`|Set this to `true` to make the stats subdomain (`matrix_server_fqn_grafana`) available via the Nginx proxy +`matrix_ssl_additional_domains_to_obtain_certificates_for`|Add `"{{ matrix_server_fqn_grafana }}"` to this list to have letsencrypt fetch a certificate for the stats subdomain +`matrix_prometheus_node_exporter_enabled`|Set this to `true` to enable the node (general system stats) exporter +`matrix_prometheus_postgres_exporter_enabled`|Set this to `true` to enable the Postgres exporter +`matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks`|Add locations to this list depending on which of the above exporters you enabled (see below) + +```nginx +matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks: + - 'location /node-exporter/ { + resolver 127.0.0.11 valid=5s; + proxy_pass http://matrix-prometheus-node-exporter:9100/; + auth_basic "protected"; + auth_basic_user_file /nginx-data/matrix-synapse-metrics-htpasswd; + }' + - 'location /postgres-exporter/ { + resolver 127.0.0.11 valid=5s; + proxy_pass http://matrix-prometheus-postgres-exporter:9187/; + auth_basic "protected"; + auth_basic_user_file /nginx-data/matrix-synapse-metrics-htpasswd; + }' +``` +You can customize the `location`s to your liking, just point your Prometheus to there later (e.g. `stats.DOMAIN/node-exporter/metrics`). Nginx is very picky about the `proxy_pass`syntax: take care to follow the example closely and note the trailing slash as well as absent use of variables. postgres-exporter uses the nonstandard port 9187. ## More information diff --git a/docs/configuring-playbook-synapse.md b/docs/configuring-playbook-synapse.md index bdfdfa63..50860a17 100644 --- a/docs/configuring-playbook-synapse.md +++ b/docs/configuring-playbook-synapse.md 
@@ -55,3 +55,22 @@ Certain Synapse administration tasks (managing users and rooms, etc.) can be per ## Synapse + OpenID Connect for Single-Sign-On If you'd like to use OpenID Connect authentication with Synapse, you'll need some additional reverse-proxy configuration (see [our nginx reverse-proxy doc page](configuring-playbook-nginx.md#synapse-openid-connect-for-single-sign-on)). + +In case you encounter errors regarding the parsing of the variables, you can try to add `{% raw %}` and `{% endraw %}` blocks around them. For example ; + +``` + - idp_id: keycloak + idp_name: "Keycloak" + issuer: "https://url.ix/auth/realms/x" + client_id: "matrix" + client_secret: "{{ vault_synapse_keycloak }}" + scopes: ["openid", "profile"] + authorization_endpoint: "https://url.ix/auth/realms/x/protocol/openid-connect/auth" + token_endpoint: "https://url.ix/auth/realms/x/protocol/openid-connect/token" + userinfo_endpoint: "https://url.ix/auth/realms/x/protocol/openid-connect/userinfo" + user_mapping_provider: + config: + display_name_template: "{% raw %}{{ user.given_name }}{% endraw %} {% raw %}{{ user.family_name }}{% endraw %}" + email_template: "{% raw %}{{ user.email }}{% endraw %}" +``` + diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index fae66dca..243440dd 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md 
@@ -98,12 +98,16 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Mautrix Hangouts bridging](configuring-playbook-bridge-mautrix-hangouts.md) (optional) +- [Setting up Mautrix Google Chat bridging](configuring-playbook-bridge-mautrix-googlechat.md) (optional) + - [Setting up Mautrix Instagram bridging](configuring-playbook-bridge-mautrix-instagram.md) (optional) - [Setting up Mautrix Signal bridging](configuring-playbook-bridge-mautrix-signal.md) (optional) - [Setting up Appservice IRC bridging](configuring-playbook-bridge-appservice-irc.md) (optional) +- [Setting up Beeper LinkedIn bridging](configuring-playbook-bridge-beeper-linkedin.md) (optional) + - [Setting up Appservice Discord bridging](configuring-playbook-bridge-appservice-discord.md) (optional) - [Setting up Appservice Slack bridging](configuring-playbook-bridge-appservice-slack.md) (optional) diff --git a/docs/configuring-well-known.md b/docs/configuring-well-known.md index 2bedaeed..27a4001c 100644 --- a/docs/configuring-well-known.md +++ b/docs/configuring-well-known.md 
@@ -69,7 +69,7 @@ It is, however, **a little fragile**, as future updates performed by this playbo If you don't need the base domain (e.g. `example.com`) for anything else (hosting a website, etc.), you can point it to the Matrix server's IP address and tell the playbook to configure it. -This is the easiest way to set up well-known serving -- letting the playbook handle the whole base domain for you (including SSL certificates, etc.). However, if you need to use the base domain for other things (such as hosting some website, etc.), going with Option 1 or Option 2 might be more suitable. +This is the easiest way to set up well-known serving -- letting the playbook handle the whole base domain for you (including SSL certificates, etc.). However, if you need to use the base domain for other things (such as hosting some website, etc.), going with Option 1 or Option 3 might be more suitable. See [Serving the base domain](configuring-playbook-base-domain-serving.md) to learn how the playbook can help you set it up. diff --git a/docs/container-images.md b/docs/container-images.md index f2914488..6fbb9205 100644 --- a/docs/container-images.md +++ b/docs/container-images.md 
@@ -40,17 +40,19 @@ These services are not part of our default installation, but can be enabled by [ - [zeratax/matrix-registration](https://hub.docker.com/r/devture/zeratax-matrix-registration/) - [matrix-registration](https://github.com/ZerataX/matrix-registration): a simple python application to have a token based matrix registration (optional) -- [tulir/mautrix-telegram](https://mau.dev/tulir/mautrix-telegram/container_registry) - the [mautrix-telegram](https://github.com/tulir/mautrix-telegram) bridge to [Telegram](https://telegram.org/) (optional) +- [mautrix/telegram](https://mau.dev/mautrix/telegram/container_registry) - the [mautrix-telegram](https://github.com/mautrix/telegram) bridge to [Telegram](https://telegram.org/) (optional) -- [tulir/mautrix-whatsapp](https://mau.dev/tulir/mautrix-whatsapp/container_registry) - the [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) bridge to [Whatsapp](https://www.whatsapp.com/) (optional) +- [mautrix/whatsapp](https://mau.dev/mautrix/whatsapp/container_registry) - the [mautrix-whatsapp](https://github.com/mautrix/whatsapp) bridge to [Whatsapp](https://www.whatsapp.com/) (optional) -- [tulir/mautrix-facebook](https://mau.dev/tulir/mautrix-facebook/container_registry) - the [mautrix-facebook](https://github.com/tulir/mautrix-facebook) bridge to [Facebook](https://facebook.com/) (optional) +- [mautrix/facebook](https://mau.dev/mautrix/facebook/container_registry) - the [mautrix-facebook](https://github.com/mautrix/facebook) bridge to [Facebook](https://facebook.com/) (optional) -- [tulir/mautrix-hangouts](https://mau.dev/tulir/mautrix-hangouts/container_registry) - the [mautrix-hangouts](https://github.com/tulir/mautrix-hangouts) bridge to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) (optional) +- [mautrix/hangouts](https://mau.dev/mautrix/hangouts/container_registry) - the [mautrix-hangouts](https://github.com/mautrix/hangouts) bridge to [Google 
Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) (optional) -- [tulir/mautrix-instagram](https://mau.dev/tulir/mautrix-instagram/container_registry) - the [mautrix-instagram](https://github.com/tulir/mautrix-instagram) bridge to [Instagram](https://instagram.com/) (optional) +- [mautrix/googlechat](https://mau.dev/mautrix/googlechat/container_registry) - the [mautrix-googlechat](https://github.com/mautrix/googlechat) bridge to [Google Chat](https://en.wikipedia.org/wiki/Google_Chat) (optional) -- [tulir/mautrix-signal](https://mau.dev/tulir/mautrix-signal/container_registry) - the [mautrix-signal](https://github.com/tulir/mautrix-signal) bridge to [Signal](https://www.signal.org/) (optional) +- [mautrix/instagram](https://mau.dev/mautrix/instagram/container_registry) - the [mautrix-instagram](https://github.com/mautrix/instagram) bridge to [Instagram](https://instagram.com/) (optional) + +- [mautrix/signal](https://mau.dev/mautrix/signal/container_registry) - the [mautrix-signal](https://github.com/mautrix/signal) bridge to [Signal](https://www.signal.org/) (optional) - [matrixdotorg/matrix-appservice-irc](https://hub.docker.com/r/matrixdotorg/matrix-appservice-irc) - the [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) (optional) diff --git a/docs/faq.md b/docs/faq.md index 6c9eedc2..5181c6ea 100644 --- a/docs/faq.md +++ b/docs/faq.md 
@@ -121,7 +121,7 @@ This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EM - this one **can be executed more than once** without causing trouble -- works on various distros: **CentOS** (7.0+), Debian-based distributions (**Debian** 9/Stretch+, **Ubuntu** 16.04+), **Archlinux** +- works on various distros: **CentOS** (7.0+), Debian-based distributions (**Debian** 10/Buster+, **Ubuntu** 18.04+), **Archlinux** - this one installs everything in a single directory (`/matrix` by default) and **doesn't "contaminate" your server** with files all over the place diff --git a/docs/howto-server-delegation.md b/docs/howto-server-delegation.md index b89bd2f2..e9ca5bde 100644 --- a/docs/howto-server-delegation.md +++ b/docs/howto-server-delegation.md @@ -82,8 +82,8 @@ Based on your setup, you have different ways to go about it: # # NOTE: these are in-container paths. `/matrix/ssl` on the host is mounted into the container # at the same path (`/matrix/ssl`) by default, so if that's the path you need, it would be seamless. -matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: /matrix/ssl/config/live/matrix./fullchain.pem -matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: /matrix/ssl/config/live/matrix./privkey.pem +matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: /matrix/ssl/config/live//fullchain.pem +matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: /matrix/ssl/config/live//privkey.pem ``` If your files are not in `/matrix/ssl` but in some other location, you would need to mount them into the container: diff --git a/docs/importing-postgres.md b/docs/importing-postgres.md index b905ba7b..925ed14d 100644 --- a/docs/importing-postgres.md +++ b/docs/importing-postgres.md @@ -23,12 +23,10 @@ To import, run this command (make sure to replace `` must be a file path to a Postgres dump file on the server (not on your local machine!). 
@@ -62,7 +60,7 @@ ALTER TABLE public.application_services_state OWNER TO synapse_user; It can be worked around by changing the username to `synapse`, for example by using `sed`: ```Shell -$ sed -i "s/synapse_user/synapse/g" homeserver.sql" +$ sed -i "s/synapse_user/synapse/g" homeserver.sql ``` This uses sed to perform an 'in-place' (`-i`) replacement globally (`/g`), searching for `synapse user` and replacing with `synapse` (`s/synapse_user/synapse`). If your database username was different, change `synapse_user` to that username instead. diff --git a/docs/installing.md b/docs/installing.md index 0e9dadd1..8b1b51aa 100644 --- a/docs/installing.md +++ b/docs/installing.md 
@@ -1,25 +1,25 @@ # Installing +## 1. Installing the Matrix services + If you've [configured your DNS](configuring-dns.md) and have [configured the playbook](configuring-playbook.md), you can start the installation procedure. -Run this as-is to set up a server: +Run this command to install the Matrix services: ```bash ansible-playbook -i inventory/hosts setup.yml --tags=setup-all ``` -**Note**: if you don't use SSH keys for authentication, but rather a regular password, you may need to add `--ask-pass` to the above (and all other) Ansible commands. +The above command **doesn't start any services just yet** (another step does this later - below). Feel free to **re-run this setup command any time** you think something is off with the server configuration. -**Note**: if you **do** use SSH keys for authentication, **and** use a non-root user to *become* root (sudo), you may need to add `-K` (`--ask-become-pass`) to the above (and all other) Ansible commands. - -The above command **doesn't start any services just yet** (another step does this later - below). - -Feel free to **re-run this setup command any time** you think something is off with the server configuration. +**Notes**: +- if you **don't** use SSH keys for authentication, but rather a regular password, you may need to add `--ask-pass` to the above (and all other) Ansible commands. +- if you **do** use SSH keys for authentication, **and** use a non-root user to *become* root (sudo), you may need to add `-K` (`--ask-become-pass`) to the above (and all other) Ansible commands. -## Things you might want to do after installing +## 2. Things you might want to do after installing -After installing, but before starting the services, you may want to do additional things like: +**Before starting the services**, you may want to do additional things like: - [Importing an existing SQLite database (from another Synapse installation)](importing-synapse-sqlite.md) (optional) 
@@ -28,20 +28,22 @@ After installing, but before starting the services, you may want to do additiona - [Importing `media_store` data files from an existing Synapse installation](importing-synapse-media-store.md) (optional) -## Starting the services +## 3. Starting the services -When you're ready to start the Matrix services (and set them up to auto-start in the future): +When you're ready to start the Matrix services (and set them up to auto-start in the future), run this command: ```bash ansible-playbook -i inventory/hosts setup.yml --tags=start ``` -Now that services are running, you need to **finalize the installation process** (required for federation to work!) by [Configuring Service Discovery via .well-known](configuring-well-known.md) +## 4. Finalize the installation + +Now that services are running, you need to **finalize the installation process** (required for federation to work!) by [Configuring Service Discovery via .well-known](configuring-well-known.md). -## Things to do next +## 5. Things to do next -If you have started services and **finalized the installation process** (required for federation to work!) by [Configuring Service Discovery via .well-known](configuring-well-known.md), you can: +After you have started the services and **finalized the installation process** (required for federation to work!) by [Configuring Service Discovery via .well-known](configuring-well-known.md), you can: - [check if services work](maintenance-checking-services.md) - or [create your first Matrix user account](registering-users.md) diff --git a/docs/maintenance-synapse.md b/docs/maintenance-synapse.md index 62bb8b16..9727f450 100644 --- a/docs/maintenance-synapse.md +++ b/docs/maintenance-synapse.md 
@@ -14,7 +14,7 @@ Table of contents: ## Purging old data with the Purge History API -You can use the **[Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.rst)** to delete old messages on a per-room basis. **This is destructive** (especially for non-federated rooms), because it means **people will no longer have access to history past a certain point**. +You can use the **[Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.md)** to delete old messages on a per-room basis. **This is destructive** (especially for non-federated rooms), because it means **people will no longer have access to history past a certain point**. To make use of this API, **you'll need an admin access token** first. You can find your access token in the setting of some clients (like Element). Alternatively, you can log in and obtain a new access token like this: @@ -27,7 +27,7 @@ https://matrix.DOMAIN/_matrix/client/r0/login Synapse's Admin API is not exposed to the internet by default. To expose it you will need to add `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` to your `vars.yml` file. -Follow the [Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.rst) documentation page for the actual purging instructions. +Follow the [Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.md) documentation page for the actual purging instructions. After deleting data, you may wish to run a [`FULL` Postgres `VACUUM`](./maintenance-postgres.md#vacuuming-postgresql). diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 39b42ef1..0da1c715 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md 
@@ -4,8 +4,8 @@ To install Matrix services using this Ansible playbook, you need: - (Recommended) An **x86** server ([What kind of server specs do I need?](faq.md#what-kind-of-server-specs-do-i-need)) running one of these operating systems: - **CentOS** (7 only for now; [8 is not yet supported](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/300)) - - **Debian** (9/Stretch or newer) - - **Ubuntu** (16.04 or newer, although [20.04 may be problematic](ansible.md#supported-ansible-versions)) + - **Debian** (10/Buster or newer) + - **Ubuntu** (18.04 or newer, although [20.04 may be problematic](ansible.md#supported-ansible-versions)) - **Archlinux** Generally, newer is better. We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there. diff --git a/docs/self-building.md b/docs/self-building.md index 303344ac..82726bb7 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -22,10 +22,17 @@ List of roles where self-building the Docker image is currently possible: - `matrix-mailer` - `matrix-bridge-appservice-irc` - `matrix-bridge-appservice-slack` +- `matrix-bridge-appservice-webhooks` - `matrix-bridge-mautrix-facebook` - `matrix-bridge-mautrix-hangouts` +- `matrix-bridge-mautrix-googlechat` - `matrix-bridge-mautrix-telegram` +- `matrix-bridge-mautrix-signal` +- `matrix-bridge-mautrix-whatsapp` - `matrix-bridge-mx-puppet-skype` +- `matrix-bot-mjolnir` +- `matrix-bot-matrix-reminder-bot` +- `matrix-email2matrix` Adding self-building support to other roles is welcome. Feel free to contribute! diff --git a/examples/apache/matrix-synapse.conf b/examples/apache/matrix-synapse.conf index e4266b81..2c7b3dde 100644 --- a/examples/apache/matrix-synapse.conf +++ b/examples/apache/matrix-synapse.conf 
@@ -32,6 +32,7 @@ ProxyPreserveHost On ProxyRequests Off ProxyVia On + RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME} # Keep some URIs free for different proxy/location ProxyPassMatch ^/.well-known/matrix/client ! @@ -45,6 +46,14 @@ ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix ProxyPass /_synapse/client http://127.0.0.1:8008/_synapse/client retry=0 nocanon ProxyPassReverse /_synapse/client http://127.0.0.1:8008/_synapse/client + + # Proxy Admin API (necessary for Synapse-Admin) + # ProxyPass /_synapse/admin http://127.0.0.1:8008/_synapse/admin retry=0 nocanon + # ProxyPassReverse /_synapse/admin http://127.0.0.1:8008/_synapse/admin + + # Proxy Synapse-Admin + # ProxyPass /synapse-admin http://127.0.0.1:8766 retry=0 nocanon + # ProxyPassReverse /synapse-admin http://127.0.0.1:8766 # Map /.well-known/matrix/client for client discovery Alias /.well-known/matrix/client /matrix/static-files/.well-known/matrix/client @@ -111,6 +120,7 @@ Listen 8448 ProxyPreserveHost On ProxyRequests Off ProxyVia On + RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME} # Proxy all remaining traffic to the Synapse port # Beware: In this example the local traffic goes to the local synapse server at 127.0.0.1 diff --git a/examples/vars.yml b/examples/vars.yml index f79e5e3c..f6c86be9 100644 --- a/examples/vars.yml +++ b/examples/vars.yml @@ -14,7 +14,7 @@ matrix_domain: YOUR_BARE_DOMAIN_NAME_HERE # # In case SSL renewal fails at some point, you'll also get an email notification there. # -# If you decide to use another method for managing SSL certifites (different than the default Let's Encrypt), +# If you decide to use another method for managing SSL certificates (different than the default Let's Encrypt), # you won't be required to define this variable (see `docs/configuring-playbook-ssl-certificates.md`). # # Example value: someone@example.com diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 704fdcb4..20d59624 100755 
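Review bot: The added `RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}` carries no comment explaining that `set` deliberately overwrites any value the client supplied, which is what makes the header safe for the backend to trust; the same line is added again in the port-8448 hunk further down, and both `<VirtualHost>` blocks begin outside their hunks. The header only takes effect if the proxied service is configured to trust it, which the example leaves to the reader (the playbook's own nginx exposes `matrix_nginx_proxy_trust_forwarded_proto` for the equivalent purpose, as documented elsewhere in this commit). Suggest `# Overwrite (not append) the scheme seen by this proxy so a client-supplied header cannot spoof it; the backend must be configured to trust this header.` above each of the two lines.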
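Review bot: The commented-out `ProxyPass /_synapse/admin http://127.0.0.1:8008/_synapse/admin retry=0 nocanon` block, if uncommented as written, publishes the Synapse Admin API on the public client vhost with no access restriction, while its comment only says it is `necessary for Synapse-Admin`. The docs touched in this same commit stress that the Admin API is not exposed to the internet by default, so the example should carry the same caution. Suggest extending the comment to `# Proxy Admin API (necessary for Synapse-Admin). Privileged API: restrict access, e.g. inside a <Location /_synapse/admin> with a Require rule, before uncommenting.`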
--- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -41,6 +41,8 @@ matrix_awx_enabled: false matrix_nginx_proxy_data_path: "{{ '/chroot/website' if (matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled) else (matrix_nginx_proxy_base_path + '/data') }}" matrix_nginx_proxy_data_path_in_container: "{{ '/nginx-data/matrix-domain' if (matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled) else '/nginx-data' }}" +matrix_nginx_proxy_data_path_extension: "{{ '' if (matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled) else '/matrix-domain' }}" +matrix_nginx_proxy_base_domain_create_directory: "{{ not matrix_awx_enabled }}" ###################################################################### # @@ -102,6 +104,8 @@ matrix_appservice_discord_database_password: "{{ matrix_synapse_macaroon_secret_ # We don't enable bridges by default. matrix_appservice_webhooks_enabled: false +matrix_appservice_webhooks_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" + # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-webhooks over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-appservice-webhooks' client-server port to the local host. 
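Review bot: The condition `(matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled)` now appears three times in consecutive definitions (`matrix_nginx_proxy_data_path`, `matrix_nginx_proxy_data_path_in_container` and the new `matrix_nginx_proxy_data_path_extension`), so a future edit to one can silently diverge from the others. A single intermediate fact evaluated once (constructed name, e.g. `matrix_nginx_proxy_awx_chroot_mode`) and referenced by all three expressions would keep them in lockstep. The new `matrix_nginx_proxy_base_domain_create_directory: "{{ not matrix_awx_enabled }}"` also deserves a one-line comment saying why AWX installations skip creating the directory, since the reason is not visible here.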
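Review bot: The new `matrix_appservice_webhooks_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"` has no comment, whereas the telegram section documents its equivalent with `# Images are multi-arch (amd64 and arm64, but not arm32).`; the same applies to the googlechat, signal, lottieconverter and whatsapp self-build lines added further down in this file. A matching one-liner such as `# Image is published for amd64 only; other architectures build it locally.` would make the `!= 'amd64'` versus `not in ['amd64', 'arm64']` distinction read as intentional rather than accidental. Note also that the suffixes differ between `_container_image_self_build` (webhooks, googlechat, whatsapp) and `_container_self_build` (signal, telegram); these presumably mirror each role's defaults, so if they cannot be aligned a comment noting the discrepancy would help.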
@@ -214,6 +218,42 @@ matrix_appservice_irc_database_password: "{{ matrix_synapse_macaroon_secret_key ###################################################################### +###################################################################### +# +# matrix-bridge-beeper-linkedin +# +###################################################################### + +# We don't enable bridges by default. +matrix_beeper_linkedin_enabled: false + +matrix_beeper_linkedin_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + }} + +matrix_beeper_linkedin_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'linked.as.token') | to_uuid }}" + +matrix_beeper_linkedin_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'linked.hs.token') | to_uuid }}" + +matrix_beeper_linkedin_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" + +matrix_beeper_linkedin_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}" + +matrix_beeper_linkedin_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'maulinkedin.db') | to_uuid }}" + +###################################################################### +# +# /matrix-bridge-beeper-linkedin +# +###################################################################### + ###################################################################### # # matrix-bridge-mautrix-facebook 
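Review bot: Each of the new `matrix_beeper_linkedin_*` secrets is derived from `matrix_synapse_macaroon_secret_key` via `password_hash('sha512', '<salt>') | to_uuid`, and the only thing distinguishing them from every other derived secret in this file is the salt literal; nothing documents that these literals must be unique file-wide, even though a reused salt would give two services an identical token. Suggest a comment above the first derivation: `# Derived from the macaroon secret; the salt literal must be unique across this file or two secrets become identical.` The same applies to the googlechat block added below. As a style point, `'maulinkedin.db'` breaks the `mau.<bridge>.db` pattern used by `'mau.signal.db'` and `'mau.gc.db'`; renaming an existing salt would rotate a deployed secret, but for a brand-new bridge a consistent name is free to pick now.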
@@ -297,6 +337,47 @@ matrix_mautrix_hangouts_database_password: "{{ matrix_synapse_macaroon_secret_ke ###################################################################### +###################################################################### +# +# matrix-bridge-mautrix-googlechat +# +###################################################################### + +# We don't enable bridges by default. +matrix_mautrix_googlechat_enabled: false + +matrix_mautrix_googlechat_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" + +matrix_mautrix_googlechat_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + }} + +matrix_mautrix_googlechat_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'gc.as.token') | to_uuid }}" + +matrix_mautrix_googlechat_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'gc.hs.token') | to_uuid }}" + +matrix_mautrix_googlechat_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" + +matrix_mautrix_googlechat_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" + +# Postgres is the default, except if not using `matrix_postgres` (internal postgres) +matrix_mautrix_googlechat_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_mautrix_googlechat_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.gc.db') | to_uuid }}" + +###################################################################### +# +# /matrix-bridge-mautrix-googlechat +# +###################################################################### + + 
###################################################################### # # matrix-bridge-mautrix-instagram @@ -374,13 +455,15 @@ matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provi matrix_mautrix_signal_database_engine: 'postgres' matrix_mautrix_signal_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.signal.db') | to_uuid }}" +matrix_mautrix_signal_container_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" +matrix_mautrix_signal_daemon_container_self_build: "{{ matrix_architecture != 'amd64' }}" + ###################################################################### # # /matrix-bridge-mautrix-signal # ###################################################################### - ###################################################################### # # matrix-bridge-mautrix-telegram @@ -392,6 +475,8 @@ matrix_mautrix_telegram_enabled: false # Images are multi-arch (amd64 and arm64, but not arm32). matrix_mautrix_telegram_container_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" +matrix_telegram_lottieconverter_container_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" +matrix_telegram_lottieconverter_container_self_build_mask_arch: "{{ matrix_architecture != 'amd64' }}" matrix_mautrix_telegram_systemd_required_services_list: | {{ @@ -433,6 +518,8 @@ matrix_mautrix_telegram_database_password: "{{ matrix_synapse_macaroon_secret_ke # We don't enable bridges by default. matrix_mautrix_whatsapp_enabled: false +matrix_mautrix_whatsapp_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" + matrix_mautrix_whatsapp_systemd_required_services_list: | {{ ['docker.service'] 
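Review bot: `matrix_mautrix_signal_container_self_build` and `matrix_mautrix_signal_daemon_container_self_build` use a different suffix from the other switches this commit adds (`matrix_mautrix_googlechat_container_image_self_build`, `matrix_mautrix_whatsapp_container_image_self_build`, `matrix_bot_mjolnir_container_image_self_build`, `matrix_email2matrix_container_image_self_build`), and the reminder-bot hunk (`@@ -849`) has the same `_container_self_build` form. Both spellings now coexist in one file, so a reader looking for a component's self-build switch will guess wrong part of the time. If the names are dictated by each role's own defaults (likely, since group_vars only overrides them), a comment at the first such line, `# NOTE: self-build variable names follow each role's own defaults, hence the mixed _container_self_build / _container_image_self_build suffixes.`, would at least make the inconsistency explicit rather than accidental-looking.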
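Review bot: `matrix_telegram_lottieconverter_container_self_build_mask_arch` is a new switch whose name does not say what is masked or why its condition (`!= 'amd64'`) differs from `matrix_telegram_lottieconverter_container_self_build` on the line above (`not in ['arm64', 'amd64']`). The existing comment `# Images are multi-arch (amd64 and arm64, but not arm32).` covers only the telegram image itself. A one-line comment for the lottieconverter pair, e.g. `# lottieconverter: the image is multi-arch, but *_mask_arch must be self-built on every non-amd64 host (see the role's defaults for why)`, would stop the next reader from "fixing" the asymmetry; I am guessing at the reason from the names, so substitute the real one.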
@@ -849,6 +936,7 @@ matrix_bot_matrix_reminder_bot_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_bot_matrix_reminder_bot_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" matrix_bot_matrix_reminder_bot_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'reminder.bot.db') | to_uuid }}" +matrix_bot_matrix_reminder_bot_container_self_build: "{{ matrix_architecture != 'amd64' }}" ###################################################################### # @@ -893,6 +981,8 @@ matrix_bot_go_neb_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_en # We don't enable bots by default. matrix_bot_mjolnir_enabled: false +matrix_bot_mjolnir_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" + matrix_bot_mjolnir_systemd_required_services_list: | {{ ['docker.service'] @@ -1072,6 +1162,8 @@ matrix_dynamic_dns_enabled: false matrix_email2matrix_enabled: false +matrix_email2matrix_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" + ###################################################################### # # /matrix-email2matrix 
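Review bot: `matrix_bot_mjolnir_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"` is missing the space before the closing `}}`; Jinja accepts it, but every other line this commit adds writes `'amd64' }}`, and the hunk header of `@@ -1157` shows the same slip already exists once on `matrix_mailer_container_image_self_build`. I would write `matrix_bot_mjolnir_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"` so a grep for the common form finds all of them.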
@@ -1157,17 +1249,7 @@ matrix_mailer_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" # If you wish to use the public identity servers (matrix.org, vector.im) instead of your own you may wish to disable this. matrix_ma1sd_enabled: true -# There's no prebuilt ma1sd image for the `arm32` architecture. -# We're relying on self-building there. -matrix_ma1sd_architecture: "{{ - { - 'amd64': 'amd64', - 'arm32': 'arm32', - 'arm64': 'arm64', - }[matrix_architecture] -}}" - -matrix_ma1sd_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" +matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach ma1sd over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose @@ -1300,6 +1382,8 @@ matrix_nginx_proxy_synapse_media_repository_locations: "{{matrix_synapse_workers matrix_nginx_proxy_synapse_user_dir_locations: "{{ matrix_synapse_workers_user_dir_endpoints|default([]) }}" matrix_nginx_proxy_synapse_frontend_proxy_locations: "{{ matrix_synapse_workers_frontend_proxy_endpoints|default([]) }}" +matrix_nginx_proxy_proxy_synapse_workers_enabled_list: "{{ matrix_synapse_workers_enabled_list }}" + matrix_nginx_proxy_systemd_wanted_services_list: | {{ (['matrix-synapse.service'] if matrix_synapse_enabled else []) 
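Review bot: The removed comment explained the old behaviour (no prebuilt arm32 image), but the new line `matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"` now also self-builds on arm64 without saying why, reversing the previous `not in ['arm64', 'amd64']` for arm64 hosts. A comment above the new line would preserve that knowledge, e.g. `# Only an amd64 ma1sd image is prebuilt upstream; arm32 and arm64 hosts self-build.`, if that is the actual reason. If arm64 users previously pulled a working prebuilt image, this is also a behaviour change worth a CHANGELOG line.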
@@ -1416,6 +1500,12 @@ matrix_postgres_additional_databases: | 'password': matrix_appservice_irc_database_password, }] if (matrix_appservice_irc_enabled and matrix_appservice_irc_database_engine == 'postgres' and matrix_appservice_irc_database_hostname == 'matrix-postgres') else []) + + ([{ + 'name': matrix_beeper_linkedin_database_name, + 'username': matrix_beeper_linkedin_database_username, + 'password': matrix_beeper_linkedin_database_password, + }] if (matrix_beeper_linkedin_enabled and matrix_beeper_linkedin_database_engine == 'postgres' and matrix_beeper_linkedin_database_hostname == 'matrix-postgres') else []) + + ([{ 'name': matrix_mautrix_facebook_database_name, 'username': matrix_mautrix_facebook_database_username, @@ -1428,6 +1518,12 @@ matrix_postgres_additional_databases: | 'password': matrix_mautrix_hangouts_database_password, }] if (matrix_mautrix_hangouts_enabled and matrix_mautrix_hangouts_database_engine == 'postgres' and matrix_mautrix_hangouts_database_hostname == 'matrix-postgres') else []) + + ([{ + 'name': matrix_mautrix_googlechat_database_name, + 'username': matrix_mautrix_googlechat_database_username, + 'password': matrix_mautrix_googlechat_database_password, + }] if (matrix_mautrix_googlechat_enabled and matrix_mautrix_googlechat_database_engine == 'postgres' and matrix_mautrix_googlechat_database_hostname == 'matrix-postgres') else []) + + ([{ 'name': matrix_mautrix_instagram_database_name, 'username': matrix_mautrix_instagram_database_username, 
@@ -1506,18 +1602,12 @@ matrix_postgres_additional_databases: | 'password': matrix_etherpad_database_password, }] if (matrix_etherpad_enabled and matrix_etherpad_database_engine == 'postgres' and matrix_etherpad_database_hostname == 'matrix-postgres') else []) + - ([{ - 'name': matrix_sygnal_database_name, - 'username': matrix_sygnal_database_username, - 'password': matrix_sygnal_database_password, - }] if (matrix_sygnal_enabled and matrix_sygnal_database_engine == 'postgres' and matrix_sygnal_database_hostname == 'matrix-postgres') else []) - + ([{ 'name': matrix_prometheus_postgres_exporter_database_name, 'username': matrix_prometheus_postgres_exporter_database_username, 'password': matrix_prometheus_postgres_exporter_database_password, }] if (matrix_prometheus_postgres_exporter_enabled and matrix_prometheus_postgres_exporter_database_hostname == 'matrix-postgres') else []) - + }} matrix_postgres_import_roles_to_ignore: | @@ -1556,10 +1646,6 @@ matrix_sygnal_metrics_prometheus_enabled: "{{ matrix_prometheus_enabled }}" matrix_sygnal_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:6000' }}" -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_sygnal_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_sygnal_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'sygnal') | to_uuid }}" - ###################################################################### # # /matrix-sygnal 
@@ -1714,16 +1800,23 @@ matrix_synapse_email_notif_from: "Matrix <{{ matrix_mailer_sender_address }}>" # Even if TURN doesn't support TLS (it does by default), # it doesn't hurt to try a secure connection anyway. +# +# When Let's Encrypt certificates are used (the default case), +# we don't enable `turns` endpoints, because WebRTC in Element can't talk to them. +# Learn more here: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1145 matrix_synapse_turn_uris: | {{ + [] + + [ 'turns:' + matrix_server_fqn_matrix + '?transport=udp', 'turns:' + matrix_server_fqn_matrix + '?transport=tcp', + ] if matrix_coturn_enabled and matrix_coturn_tls_enabled and matrix_ssl_retrieval_method != 'lets-encrypt' else [] + + + [ 'turn:' + matrix_server_fqn_matrix + '?transport=udp', 'turn:' + matrix_server_fqn_matrix + '?transport=tcp', - ] - if matrix_coturn_enabled - else [] + ] if matrix_coturn_enabled else [] }} matrix_synapse_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}" @@ -1813,6 +1906,7 @@ matrix_prometheus_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_en matrix_prometheus_scraper_synapse_enabled: "{{ matrix_synapse_enabled and matrix_synapse_metrics_enabled }}" matrix_prometheus_scraper_synapse_targets: ['matrix-synapse:{{ matrix_synapse_metrics_port }}'] +matrix_prometheus_scraper_synapse_workers_enabled_list: "{{ matrix_synapse_workers_enabled_list }}" matrix_prometheus_scraper_synapse_rules_synapse_tag: "{{ matrix_synapse_docker_image_tag }}" matrix_prometheus_scraper_node_enabled: "{{ matrix_prometheus_node_exporter_enabled }}" diff --git a/inventory/scripts/jitsi-generate-passwords.sh b/inventory/scripts/jitsi-generate-passwords.sh index eacfa7d8..c48a0c2d 100755 --- a/inventory/scripts/jitsi-generate-passwords.sh +++ b/inventory/scripts/jitsi-generate-passwords.sh 
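Review bot: The new `matrix_synapse_turn_uris` expression drops the plain `turn:` URIs whenever the `turns:` branch is taken: Jinja's conditional expression binds loosest, so `[] + [turns…] if A else [] + [turn…] if B else []` parses as `([] + [turns…]) if A else (([] + [turn…]) if B else [])`, and the leading `[] +` does not change that. With `matrix_coturn_tls_enabled` and a non-Let's-Encrypt certificate the result is only the two `turns:` entries, so clients that cannot do TURN-over-TLS lose their fallback. Wrap each conditional in parentheses, as the `matrix_postgres_additional_databases` expression in this same file already does: replace `[] +` plus the first `[` with `([`, close it with `] if matrix_coturn_enabled and matrix_coturn_tls_enabled and matrix_ssl_retrieval_method != 'lets-encrypt' else [])`, and likewise `([` … `] if matrix_coturn_enabled else [])` for the second list.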
@@ -11,7 +11,6 @@ echo "# Install it before using this script, or simply create your own passwords echo "" -JICOFO_COMPONENT_SECRET=$(generatePassword) JICOFO_AUTH_PASSWORD=$(generatePassword) JVB_AUTH_PASSWORD=$(generatePassword) JIBRI_RECORDER_PASSWORD=$(generatePassword) @@ -19,7 +18,6 @@ JIBRI_XMPP_PASSWORD=$(generatePassword) echo "# Paste these variables into your inventory/host_vars/matrix.DOMAIN/vars.yml file:" echo "" -echo "matrix_jitsi_jicofo_component_secret: "$JICOFO_COMPONENT_SECRET echo "matrix_jitsi_jicofo_auth_password: "$JICOFO_AUTH_PASSWORD echo "matrix_jitsi_jvb_auth_password: "$JVB_AUTH_PASSWORD echo "matrix_jitsi_jibri_recorder_password: "$JIBRI_RECORDER_PASSWORD diff --git a/roles/matrix-awx/surveys/access_export.json.j2 b/roles/matrix-awx/surveys/access_export.json.j2 index c20a9749..d5e1f945 100644 --- a/roles/matrix-awx/surveys/access_export.json.j2 +++ b/roles/matrix-awx/surveys/access_export.json.j2 @@ -8,10 +8,10 @@ "required": true, "min": null, "max": null, - "default": "{{ sftp_auth_method | string }}", + "default": "{{ awx_sftp_auth_method | string }}", "choices": "Disabled\nPassword\nSSH Key", "new_question": true, - "variable": "sftp_auth_method", + "variable": "awx_sftp_auth_method", "type": "multiplechoice" }, { @@ -20,10 +20,10 @@ "required": false, "min": 0, "max": 64, - "default": "{{ sftp_password }}", + "default": "{{ awx_sftp_password }}", "choices": "", "new_question": true, - "variable": "sftp_password", + "variable": "awx_sftp_password", "type": "password" }, { @@ -32,10 +32,10 @@ "required": false, "min": 0, "max": 16384, - "default": "{{ sftp_public_key }}", + "default": "{{ awx_sftp_public_key }}", "choices": "", "new_question": true, - "variable": "sftp_public_key", + "variable": "awx_sftp_public_key", "type": "text" } ] diff --git a/roles/matrix-awx/surveys/backup_server.json.j2 b/roles/matrix-awx/surveys/backup_server.json.j2 index 80782b74..559daade 100644 --- a/roles/matrix-awx/surveys/backup_server.json.j2 
+++ b/roles/matrix-awx/surveys/backup_server.json.j2 @@ -8,12 +8,11 @@ "required": false, "min": null, "max": null, - "default": "{{ matrix_awx_backup_enabled | string | lower }}", + "default": "{{ awx_backup_enabled | string | lower }}", "choices": "true\nfalse", "new_question": true, - "variable": "matrix_awx_backup_enabled", + "variable": "awx_backup_enabled", "type": "multiplechoice" } ] } - diff --git a/roles/matrix-awx/surveys/bridge_discord_appservice.json.j2 b/roles/matrix-awx/surveys/bridge_discord_appservice.json.j2 new file mode 100644 index 00000000..7252cc2c --- /dev/null +++ b/roles/matrix-awx/surveys/bridge_discord_appservice.json.j2 
@@ -0,0 +1,66 @@ +{ + "name": "Bridge Discord Appservice", + "description": "Enables a private bridge you can use to connect Matrix rooms to Discord.", + "spec": [ + { + "question_name": "Enable Discord AppService Bridge", + "question_description": "Enables a private bridge you can use to connect Matrix rooms to Discord.", + "required": true, + "min": null, + "max": null, + "default": "{{ matrix_appservice_discord_enabled | string | lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_appservice_discord_enabled", + "type": "multiplechoice" + }, + { + "question_name": "Discord Client ID", + "question_description": "The OAuth2 'CLIENT ID' which can be found in the 'OAuth2' tab of your new discord application: https://discord.com/developers/applications", + "required": true, + "min": 0, + "max": 128, + "default": "{{ matrix_appservice_discord_client_id | trim }}", + "choices": "", + "new_question": true, + "variable": "matrix_appservice_discord_client_id", + "type": "text" + }, + { + "question_name": "Discord Bot Token", + "question_description": "The Bot 'TOKEN' which can be found in the 'Bot' tab of your new discord application: https://discord.com/developers/applications", + "required": true, + "min": 0, + "max": 256, + "default": "{{ matrix_appservice_discord_bot_token | trim }}", + "choices": "", + "new_question": true, + "variable": "matrix_appservice_discord_bot_token", + "type": "password" + }, + { + "question_name": "Auto-Admin Matrix User", + "question_description": "The username you would like to be automatically joined and promoted to administrator (PL100) in bridged rooms. Exclude the '@' and server name postfix. 
So to create @stevo:example.org just enter 'stevo'.", + "required": false, + "min": 0, + "max": 1024, + "default": "", + "choices": "", + "new_question": true, + "variable": "awx_appservice_discord_admin_user", + "type": "text" + }, + { + "question_name": "Auto-Admin Rooms", + "question_description": "A list of rooms you want the user to be automatically joined and promoted to administrator (PL100) in. These should be the internal IDs (for example '!axfBUsKhfAjSMBdjKX:example.org') separated by newlines.", + "required": false, + "min": 0, + "max": 4096, + "default": "", + "choices": "", + "new_question": true, + "variable": "awx_appservice_discord_admin_rooms", + "type": "textarea" + } + ] +} diff --git a/roles/matrix-awx/surveys/configure_corporal.json.j2 b/roles/matrix-awx/surveys/configure_corporal.json.j2 index 14e417ce..dc8cd4fd 100755 --- a/roles/matrix-awx/surveys/configure_corporal.json.j2 +++ b/roles/matrix-awx/surveys/configure_corporal.json.j2 @@ -20,10 +20,10 @@ "required": true, "min": null, "max": null, - "default": "{{ matrix_corporal_policy_provider_mode }}", + "default": "{{ awx_corporal_policy_provider_mode }}", "choices": "Simple Static File\nHTTP Pull Mode (API Enabled)\nHTTP Push Mode (API Enabled)", "new_question": true, - "variable": "matrix_corporal_policy_provider_mode", + "variable": "awx_corporal_policy_provider_mode", "type": "multiplechoice" }, { @@ -34,7 +34,7 @@ "max": 65536, "default": "", "new_question": true, - "variable": "matrix_corporal_simple_static_config", + "variable": "awx_corporal_simple_static_config", "type": "textarea" }, { @@ -43,9 +43,9 @@ "required": false, "min": 0, "max": 4096, - "default": "{{ matrix_corporal_pull_mode_uri }}", + "default": "{{ awx_corporal_pull_mode_uri }}", "new_question": true, - "variable": "matrix_corporal_pull_mode_uri", + "variable": "awx_corporal_pull_mode_uri", "type": "text" }, { 
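Review bot: The 'Discord Bot Token' question renders the live secret into the survey spec via `"default": "{{ matrix_appservice_discord_bot_token | trim }}"`; the companion task file in this commit then writes that rendered JSON under `/var/lib/awx/projects/clients/…` and copies it to `/matrix/awx/bridge_discord_appservice.json` with mode `0660`, so the token ends up at rest in two more places than it needs to. The existing `configure_synapse.json.j2` survey handles its password-type `awx_matrix_synapse_registration_shared_secret` with `"default": ""`; the same pattern here, with the task side keeping the stored value when the submitted one is blank, keeps the secret out of the survey spec. `"type": "password"` only masks the field in the UI and does not prevent the default from being stored, so the two concerns are separate.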
@@ -54,10 +54,10 @@ "required": false, "min": 0, "max": 256, - "default": "{{ matrix_corporal_pull_mode_token }}", + "default": "{{ awx_corporal_pull_mode_token }}", "choices": "", "new_question": true, - "variable": "matrix_corporal_pull_mode_token", + "variable": "awx_corporal_pull_mode_token", "type": "password" }, { @@ -78,10 +78,10 @@ "required": false, "min": null, "max": null, - "default": "{{ matrix_corporal_raise_ratelimits }}", + "default": "{{ awx_corporal_raise_ratelimits }}", "choices": "Normal\nRaised", "new_question": true, - "variable": "matrix_corporal_raise_ratelimits", + "variable": "awx_corporal_raise_ratelimits", "type": "multiplechoice" } ] diff --git a/roles/matrix-awx/surveys/configure_dimension.json.j2 b/roles/matrix-awx/surveys/configure_dimension.json.j2 index 2f39e80e..5f79cfd0 100644 --- a/roles/matrix-awx/surveys/configure_dimension.json.j2 +++ b/roles/matrix-awx/surveys/configure_dimension.json.j2 @@ -20,10 +20,10 @@ "required": false, "min": 0, "max": 65536, - "default": {{ ext_dimension_users_raw_final | to_json }}, + "default": {{ awx_dimension_users_final | to_json }}, "choices": "", "new_question": true, - "variable": "ext_dimension_users_raw", + "variable": "awx_dimension_users", "type": "textarea" } ] diff --git a/roles/matrix-awx/surveys/configure_element.json.j2 b/roles/matrix-awx/surveys/configure_element.json.j2 index d85a0ee5..b4021732 100755 --- a/roles/matrix-awx/surveys/configure_element.json.j2 +++ b/roles/matrix-awx/surveys/configure_element.json.j2 
@@ -14,18 +14,6 @@ "variable": "matrix_client_element_enabled", "type": "multiplechoice" }, - { - "question_name": "Set Branding for Web Client", - "question_description": "Sets the 'branding' seen in the tab and on the welcome page to a custom value.", - "required": false, - "min": 0, - "max": 256, - "default": "{{ matrix_client_element_brand }}", - "choices": "", - "new_question": true, - "variable": "matrix_client_element_brand", - "type": "text" - }, { "question_name": "Set Theme for Web Client", "question_description": "Sets the default theme for the web client, can be changed later by individual users.", 
@@ -38,18 +26,78 @@ "variable": "matrix_client_element_default_theme", "type": "multiplechoice" }, + { + "question_name": "Set Branding for Web Client", + "question_description": "Sets the 'branding' seen in the tab and on the welcome page to a custom value.Leaving this field blank will cause the default branding will be used: 'Element'", + "required": false, + "min": 0, + "max": 256, + "default": "{{ matrix_client_element_brand | trim }}", + "choices": "", + "new_question": true, + "variable": "matrix_client_element_brand", + "type": "text" + }, { "question_name": "Set Welcome Page Background", - "question_description": "URL to Wallpaper, shown in background of the welcome page. Must be a 'https' link, otherwise it won't be set.", + "question_description": "Sets the background image on the welcome page, you should enter a URL to the image you want to use. Must be a 'https' link, otherwise it won't be set. Leaving this field blank will cause the default background to be used.", "required": false, "min": 0, "max": 1024, - "default": "{{ matrix_client_element_branding_welcomeBackgroundUrl }}", + "default": "{{ matrix_client_element_branding_welcomeBackgroundUrl | trim }}", "choices": "", "new_question": true, "variable": "matrix_client_element_branding_welcomeBackgroundUrl", "type": "text" }, + { + "question_name": "Set Welcome Page Logo", + "question_description": "Sets the logo found on the welcome and login page, must be a valid https link to your logo, the logo itself should be a square vector image (SVG). Leaving this field blank will cause the default Element logo to be used.", + "required": false, + "min": 0, + "max": 1024, + "default": "{{ matrix_client_element_welcome_logo | trim }}", + "choices": "", + "new_question": true, + "variable": "matrix_client_element_welcome_logo", + "type": "text" + }, + { + "question_name": "Set Welcome Page Logo URL", + "question_description": "Sets the URL link the welcome page logo leads to, must be a valid https link. 
Leaving this field blank will cause this default link to be used: 'https://element.io'", + "required": false, + "min": 0, + "max": 1024, + "default": "{{ matrix_client_element_welcome_logo_link | trim }}", + "choices": "", + "new_question": true, + "variable": "matrix_client_element_welcome_logo_link", + "type": "text" + }, + { + "question_name": "Set Welcome Page Headline", + "question_description": "Sets the headline seen on the welcome page. Leaving this field blank will cause this default headline to be used: 'Welcome to Element!'", + "required": false, + "min": 0, + "max": 512, + "default": "{{ awx_matrix_client_element_welcome_headline | trim }}", + "choices": "", + "new_question": true, + "variable": "awx_matrix_client_element_welcome_headline", + "type": "text" + }, + { + "question_name": "Set Welcome Page Text", + "question_description": "Sets the text seen on the welcome page. Leaving this field blank will cause this default headline to be used: 'Decentralised, encrypted chat & collaboration powered by [Matrix]'", + "required": false, + "min": 0, + "max": 2048, + "default": "{{ awx_matrix_client_element_welcome_text | trim }}", + "choices": "", + "new_question": true, + "variable": "awx_matrix_client_element_welcome_text", + "type": "text" + }, { "question_name": "Show Registration Button", "question_description": "If you show the registration button on the welcome page.", diff --git a/roles/matrix-awx/surveys/configure_element_subdomain.json.j2 b/roles/matrix-awx/surveys/configure_element_subdomain.json.j2 index a355af23..8e6aaf28 100644 --- a/roles/matrix-awx/surveys/configure_element_subdomain.json.j2 +++ b/roles/matrix-awx/surveys/configure_element_subdomain.json.j2 @@ -8,10 +8,10 @@ "required": false, "min": 0, "max": 2048, - "default": "{{ element_subdomain }}", + "default": "{{ awx_element_subdomain }}", "choices": "", "new_question": true, - "variable": "element_subdomain", + "variable": "awx_element_subdomain", "type": "text" } ] 
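Review bot: Two of the new question descriptions, presumably shown verbatim to survey users, contain wording slips: the branding question runs two sentences together (`custom value.Leaving this field blank will cause the default branding will be used`), and the 'Set Welcome Page Text' description says `this default headline to be used` where it means the default text. I would change them to `…to a custom value. Leaving this field blank will cause the default branding to be used: 'Element'` and `…will cause this default text to be used: …`. The moved branding question also gained `| trim` on its default, consistent with the other fields, so nothing further there.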
diff --git a/roles/matrix-awx/surveys/configure_email_relay.json.j2 b/roles/matrix-awx/surveys/configure_email_relay.json.j2 new file mode 100644 index 00000000..65c21a94 --- /dev/null +++ b/roles/matrix-awx/surveys/configure_email_relay.json.j2 @@ -0,0 +1,19 @@ +{ + "name": "Configure Email Relay", + "description": "Enable MailGun relay to increase verification email reliability.", + "spec": [ + { + "question_name": "Enable Email Relay", + "question_description": "Enables the MailGun email relay server, enabling this will increase the reliability of your email verification.", + "required": false, + "min": null, + "max": null, + "default": "{{ matrix_mailer_relay_use | string | lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_mailer_relay_use", + "type": "multiplechoice" + } + ] +} + diff --git a/roles/matrix-awx/surveys/configure_ma1sd.json.j2 b/roles/matrix-awx/surveys/configure_ma1sd.json.j2 index 67c2c88d..055e817c 100644 --- a/roles/matrix-awx/surveys/configure_ma1sd.json.j2 +++ b/roles/matrix-awx/surveys/configure_ma1sd.json.j2 @@ -20,10 +20,10 @@ "required": false, "min": null, "max": null, - "default": "{{ ext_matrix_ma1sd_auth_store }}", + "default": "{{ awx_matrix_ma1sd_auth_store }}", "choices": "Synapse Internal\nLDAP/AD", "new_question": true, - "variable": "ext_matrix_ma1sd_auth_store", + "variable": "awx_matrix_ma1sd_auth_store", "type": "multiplechoice" }, { @@ -32,9 +32,9 @@ "required": false, "min": 0, "max": 65536, - "default": {{ ext_matrix_ma1sd_configuration_extension_yaml | to_json }}, + "default": {{ awx_matrix_ma1sd_configuration_extension_yaml | to_json }}, "new_question": true, - "variable": "ext_matrix_ma1sd_configuration_extension_yaml", + "variable": "awx_matrix_ma1sd_configuration_extension_yaml", "type": "textarea" } ] diff --git a/roles/matrix-awx/surveys/configure_synapse.json.j2 b/roles/matrix-awx/surveys/configure_synapse.json.j2 index 7089f7b3..7a4e711d 100755 
--- a/roles/matrix-awx/surveys/configure_synapse.json.j2 +++ b/roles/matrix-awx/surveys/configure_synapse.json.j2 @@ -92,10 +92,10 @@ "required": false, "min": null, "max": null, - "default": "{{ ext_registrations_require_3pid | string | lower }}", + "default": "{{ awx_registrations_require_3pid | string | lower }}", "choices": "true\nfalse", "new_question": true, - "variable": "ext_registrations_require_3pid", + "variable": "awx_registrations_require_3pid", "type": "multiplechoice" }, { @@ -107,7 +107,7 @@ "default": "", "choices": "", "new_question": true, - "variable": "ext_matrix_synapse_registration_shared_secret", + "variable": "awx_matrix_synapse_registration_shared_secret", "type": "password" }, { @@ -119,7 +119,7 @@ "default": "{{ matrix_synapse_max_upload_size_mb }}", "choices": "", "new_question": true, - "variable": "matrix_synapse_max_upload_size_mb_raw", + "variable": "awx_synapse_max_upload_size_mb", "type": "text" }, { @@ -128,10 +128,10 @@ "required": false, "min": 0, "max": 65536, - "default": {{ ext_url_preview_accept_language_default | to_json }}, + "default": {{ awx_url_preview_accept_language_default | to_json }}, "choices": "", "new_question": true, - "variable": "ext_url_preview_accept_language_raw", + "variable": "awx_url_preview_accept_language", "type": "textarea" }, { @@ -140,10 +140,10 @@ "required": false, "min": 0, "max": 65536, - "default": {{ ext_federation_whitelist_raw | to_json }}, + "default": {{ awx_federation_whitelist | to_json }}, "choices": "", "new_question": true, - "variable": "ext_federation_whitelist_raw", + "variable": "awx_federation_whitelist", "type": "textarea" }, { @@ -152,10 +152,10 @@ "required": false, "min": 0, "max": 65536, - "default": {{ matrix_synapse_auto_join_rooms_raw | to_json }}, + "default": {{ awx_synapse_auto_join_rooms | to_json }}, "choices": "", "new_question": true, - "variable": "matrix_synapse_auto_join_rooms_raw", + "variable": "awx_synapse_auto_join_rooms", "type": "textarea" }, { 
@@ -164,10 +164,10 @@ "required": false, "min": null, "max": null, - "default": "{{ ext_enable_registration_captcha | string | lower }}", + "default": "{{ awx_enable_registration_captcha | string | lower }}", "choices": "true\nfalse", "new_question": true, - "variable": "ext_enable_registration_captcha", + "variable": "awx_enable_registration_captcha", "type": "multiplechoice" }, { @@ -176,10 +176,10 @@ "required": false, "min": 0, "max": 40, - "default": "{{ ext_recaptcha_public_key }}", + "default": "{{ awx_recaptcha_public_key }}", "choices": "", "new_question": true, - "variable": "ext_recaptcha_public_key", + "variable": "awx_recaptcha_public_key", "type": "text" }, { @@ -188,10 +188,10 @@ "required": false, "min": 0, "max": 40, - "default": "{{ ext_recaptcha_private_key }}", + "default": "{{ awx_recaptcha_private_key }}", "choices": "", "new_question": true, - "variable": "ext_recaptcha_private_key", + "variable": "awx_recaptcha_private_key", "type": "text" } ] diff --git a/roles/matrix-awx/surveys/configure_website_access_export.json.j2 b/roles/matrix-awx/surveys/configure_website_access_export.json.j2 index 2b3e1637..d35fb839 100755 --- a/roles/matrix-awx/surveys/configure_website_access_export.json.j2 +++ b/roles/matrix-awx/surveys/configure_website_access_export.json.j2 @@ -8,10 +8,10 @@ "required": true, "min": null, "max": null, - "default": "{{ customise_base_domain_website | string | lower }}", + "default": "{{ awx_customise_base_domain_website | string | lower }}", "choices": "true\nfalse", "new_question": true, - "variable": "customise_base_domain_website", + "variable": "awx_customise_base_domain_website", "type": "multiplechoice" }, { 
@@ -20,10 +20,10 @@ "required": true, "min": null, "max": null, - "default": "{{ sftp_auth_method | string }}", + "default": "{{ awx_sftp_auth_method | string }}", "choices": "Disabled\nPassword\nSSH Key", "new_question": true, - "variable": "sftp_auth_method", + "variable": "awx_sftp_auth_method", "type": "multiplechoice" }, { @@ -32,10 +32,10 @@ "required": false, "min": 0, "max": 64, - "default": "{{ sftp_password }}", + "default": "{{ awx_sftp_password }}", "choices": "", "new_question": true, - "variable": "sftp_password", + "variable": "awx_sftp_password", "type": "password" }, { @@ -44,10 +44,10 @@ "required": false, "min": 0, "max": 16384, - "default": "{{ sftp_public_key }}", + "default": "{{ awx_sftp_public_key }}", "choices": "", "new_question": true, - "variable": "sftp_public_key", + "variable": "awx_sftp_public_key", "type": "text" } ] diff --git a/roles/matrix-awx/tasks/backup_server.yml b/roles/matrix-awx/tasks/backup_server.yml index a82f46b0..d33f0f70 100644 --- a/roles/matrix-awx/tasks/backup_server.yml +++ b/roles/matrix-awx/tasks/backup_server.yml @@ -7,7 +7,7 @@ line: "{{ item.key }}: {{ item.value }}" insertafter: '# AWX Settings Start' with_dict: - 'matrix_awx_backup_enabled': '{{ matrix_awx_backup_enabled }}' + 'awx_backup_enabled': '{{ awx_backup_enabled }}' tags: use-survey - name: Save new 'Backup Server' survey.json to the AWX tower, template @@ -24,14 +24,6 @@ mode: '0660' tags: use-survey -- name: Collect AWX admin token the hard way! - delegate_to: 127.0.0.1 - shell: | - curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' - register: tower_token - no_log: True - tags: use-survey - - name: Recreate 'Backup Server' job template delegate_to: 127.0.0.1 awx.awx.tower_job_template: 
@@ -49,15 +41,11 @@ become_enabled: yes state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes tags: use-survey -- name: Run export.sh if this job template is run by the client - command: /bin/sh /root/export.sh - tags: use-survey - - name: Include vars in matrix_vars.yml include_vars: file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' 
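Review bot: `tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"` now depends on the new `create_session_token.yml` having been included earlier in the same play (that file is what registers `awx_session_token`), but nothing in this task list states the prerequisite, and a missing include only surfaces here as an undefined-variable failure. A one-line comment on the task, `# requires create_session_token.yml to have run earlier in this play (it registers awx_session_token)`, would make the dependency explicit.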
@@ -70,14 +58,43 @@ mode: '0660' tags: use-survey -- name: Perform the borg backup - command: borgmatic - when: matrix_awx_backup_enabled|bool +- name: Run initial backup of /matrix/ and snapshot the database simultaneously + command: "{{ item }}" + with_items: + - borgmatic -c /root/.config/borgmatic/config_1.yaml + - /bin/sh /usr/local/bin/awx-export-service.sh 1 0 + register: _create_instances + async: 3600 # Maximum runtime in seconds. + poll: 0 # Fire and continue (never poll) + when: awx_backup_enabled|bool + +- name: Wait for both of these jobs to finish + async_status: + jid: "{{ item.ansible_job_id }}" + register: _jobs + until: _jobs.finished + delay: 5 # Check every 5 seconds. + retries: 720 # Retry for a full hour. + with_items: "{{ _create_instances.results }}" + when: awx_backup_enabled|bool + +- name: Perform borg backup of postgres dump + command: borgmatic -c /root/.config/borgmatic/config_2.yaml + when: awx_backup_enabled|bool + +- name: Delete the AWX session token for executing modules + awx.awx.tower_token: + description: 'AWX Session Token' + scope: "write" + state: absent + existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" - name: Set boolean value to exit playbook set_fact: - end_playbook: true + awx_end_playbook: true - name: End playbook if this task list is called. meta: end_play - when: end_playbook is defined and end_playbook|bool + when: awx_end_playbook is defined and awx_end_playbook|bool diff --git a/roles/matrix-awx/tasks/bridge_discord_appservice.yml b/roles/matrix-awx/tasks/bridge_discord_appservice.yml new file mode 100644 index 00000000..7cb24028 --- /dev/null +++ b/roles/matrix-awx/tasks/bridge_discord_appservice.yml 
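Review bot: The `Delete the AWX session token for executing modules` task is only reached when every preceding task succeeds; if `borgmatic`, the `async_status` wait (which can legitimately exhaust `retries: 720`) or the backup of the dump fails, the write-scoped session token created by `create_session_token.yml` stays alive in AWX. Since this is a task list, the cleanup belongs in a `block:` / `always:` around the backup steps so it runs on failure too. The delete task also lacks the `no_log: True` the creating task carries; if `awx.awx.tower_token` already treats `tower_oauthtoken` as no_log internally this is cosmetic, but it is cheap to add and keeps the pair symmetric.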
@@ -0,0 +1,57 @@ + +- name: Record Bridge Discord AppService variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Bridge Discord AppService Start' + with_dict: + 'matrix_appservice_discord_enabled': '{{ matrix_appservice_discord_enabled }}' + 'matrix_appservice_discord_client_id': '{{ matrix_appservice_discord_client_id }}' + 'matrix_appservice_discord_bot_token': '{{ matrix_appservice_discord_bot_token }}' + +- name: If the raw inputs is not empty start constructing parsed awx_appservice_discord_admin_rooms list + set_fact: + awx_appservice_discord_admin_rooms_array: |- + {{ awx_appservice_discord_admin_rooms.splitlines() | to_json }} + when: awx_appservice_discord_admin_rooms | trim | length > 0 + +- name: Promote user to administer (PL100) of each room + command: | + docker exec -i matrix-appservice-discord /bin/sh -c 'cp /cfg/registration.yaml /tmp/discord-registration.yaml && cd /tmp && node /build/tools/adminme.js -c /cfg/config.yaml -m "{{ item.1 }}" -u "@{{ awx_appservice_discord_admin_user }}:{{ matrix_domain }}" -p 100' + with_indexed_items: + - "{{ awx_appservice_discord_admin_rooms_array }}" + when: ( awx_appservice_discord_admin_rooms | trim | length > 0 ) and ( awx_appservice_discord_admin_user is defined ) + +- name: Save new 'Bridge Discord Appservice' survey.json to the AWX tower, template + delegate_to: 127.0.0.1 + template: + src: 'roles/matrix-awx/surveys/bridge_discord_appservice.json.j2' + dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}//bridge_discord_appservice.json' + +- name: Copy new 'Bridge Discord Appservice' survey.json to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/bridge_discord_appservice.json' + dest: '/matrix/awx/bridge_discord_appservice.json' + mode: '0660' + +- name: Recreate 'Bridge 
Discord Appservice' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 3 - Bridge Discord AppService" + description: "Enables a private bridge you can use to connect Matrix rooms to Discord." + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "start,setup-all,bridge-discord-appservice" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + survey_enabled: true + survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/bridge_discord_appservice.json') }}" + state: present + verbosity: 1 + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" + validate_certs: yes diff --git a/roles/matrix-awx/tasks/create_session_token.yml b/roles/matrix-awx/tasks/create_session_token.yml new file mode 100644 index 00000000..9f22a37e --- /dev/null +++ b/roles/matrix-awx/tasks/create_session_token.yml @@ -0,0 +1,10 @@ + +- name: Create a AWX session token for executing modules + awx.awx.tower_token: + description: 'AWX Session Token' + scope: "write" + state: present + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_master_token }}" + register: awx_session_token + no_log: True diff --git a/roles/matrix-awx/tasks/create_user.yml b/roles/matrix-awx/tasks/create_user.yml index 13a30596..fefec426 100755 --- a/roles/matrix-awx/tasks/create_user.yml +++ b/roles/matrix-awx/tasks/create_user.yml 
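Review bot: The `lineinfile` task that records `matrix_appservice_discord_bot_token` has no `no_log`, so the Discord bot token is printed as the loop item in the AWX job output; add `no_log: True` to that task as the other secret-handling tasks in this role do. Separately, `awx_appservice_discord_admin_rooms` is survey input and each entry is interpolated unescaped into `/bin/sh -c '… -m "{{ item.1 }}" …'`, so a value containing a quote escapes the command string; restrict the loop to room-ID-shaped values, e.g. extend the `when:` with `and item.1 is match('^![A-Za-z0-9._=/+-]+:[A-Za-z0-9.:-]+$')` (pattern constructed, adjust to your room-ID policy). The survey `dest:` also has a doubled slash (`{{ subscription_id }}//bridge_discord_appservice.json`); it is harmless but inconsistent with the `copy` task's `src:` on the next line.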
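Review bot: The token-create task omits `validate_certs: yes` while every job-template task in this diff states it explicitly; the same applies to the `awx.awx.tower_token` delete tasks (delete_session_token.yml and the inlined copies). The collection default is presumably to verify, but since `awx_master_token` is the most privileged credential this role handles, make it explicit with `validate_certs: yes` after `tower_oauthtoken`. A one-line comment such as `# scope: write — revoked by delete_session_token.yml at the end of main.yml` would also document why the token is short-lived.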
@@ -6,26 +6,35 @@ - name: Set admin bool to zero set_fact: - admin_bool: 0 - when: admin_access == 'false' + awx_admin_bool: 0 + when: awx_admin_access == 'false' - name: Examine if server admin set set_fact: - admin_bool: 1 - when: admin_access == 'true' - -- name: Set boolean value to exit playbook - set_fact: - end_playbook: true + awx_admin_bool: 1 + when: awx_admin_access == 'true' - name: Create user account command: | - /usr/local/bin/matrix-synapse-register-user {{ new_username | quote }} {{ new_password | quote }} {{ admin_bool }} - register: cmd + /usr/local/bin/matrix-synapse-register-user {{ awx_new_username | quote }} {{ awx_new_password | quote }} {{ awx_admin_bool }} + register: awx_cmd_output + +- name: Delete the AWX session token for executing modules + awx.awx.tower_token: + description: 'AWX Session Token' + scope: "write" + state: absent + existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" + +- name: Set boolean value to exit playbook + set_fact: + awx_end_playbook: true - name: Result - debug: msg="{{ cmd.stdout }}" + debug: msg="{{ awx_cmd_output.stdout }}" - name: End playbook if this task list is called. meta: end_play - when: end_playbook is defined and end_playbook|bool + when: awx_end_playbook is defined and awx_end_playbook|bool diff --git a/roles/matrix-awx/tasks/customise_website_access_export.yml b/roles/matrix-awx/tasks/customise_website_access_export.yml index b7e27e9d..c9b96026 100755 --- a/roles/matrix-awx/tasks/customise_website_access_export.yml +++ b/roles/matrix-awx/tasks/customise_website_access_export.yml @@ -1,3 +1,4 @@ +--- - name: Enable index.html creation if user doesn't wish to customise base domain delegate_to: 127.0.0.1 
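Review bot: The 'Create user account' task passes `awx_new_password` on the command line of `matrix-synapse-register-user` and registers its output without `no_log`, so the password is visible in the AWX job log (task arguments are recorded) and in the process list while it runs; add `no_log: True` to that task, and keep the later `debug` of `awx_cmd_output.stdout` only if the script is known not to echo its arguments. Also, `awx_admin_bool` is set only when `awx_admin_access` is exactly `'true'` or `'false'`, so any other survey value makes the command fail on an undefined variable; a single `set_fact: awx_admin_bool: "{{ 1 if awx_admin_access | bool else 0 }}"` (or `{{ awx_admin_bool | default(0) }}` in the command) avoids that.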
@@ -8,7 +9,7 @@ insertafter: '# Base Domain Settings Start' with_dict: 'matrix_nginx_proxy_base_domain_homepage_enabled': 'true' - when: (customise_base_domain_website is defined) and not customise_base_domain_website|bool + when: (awx_customise_base_domain_website is defined) and not awx_customise_base_domain_website|bool - name: Disable index.html creation to allow multi-file site if user does wish to customise base domain delegate_to: 127.0.0.1 @@ -19,7 +20,7 @@ insertafter: '# Base Domain Settings Start' with_dict: 'matrix_nginx_proxy_base_domain_homepage_enabled': 'false' - when: (customise_base_domain_website is defined) and customise_base_domain_website|bool + when: (awx_customise_base_domain_website is defined) and awx_customise_base_domain_website|bool - name: Record custom 'Customise Website + Access Export' variables locally on AWX delegate_to: 127.0.0.1 @@ -29,9 +30,9 @@ line: "{{ item.key }}: {{ item.value }}" insertafter: '# Custom Settings Start' with_dict: - 'sftp_auth_method': '"{{ sftp_auth_method }}"' - 'sftp_password': '"{{ sftp_password }}"' - 'sftp_public_key': '"{{ sftp_public_key }}"' + 'awx_sftp_auth_method': '"{{ awx_sftp_auth_method }}"' + 'awx_sftp_password': '"{{ awx_sftp_password }}"' + 'awx_sftp_public_key': '"{{ awx_sftp_public_key }}"' - name: Record custom 'Customise Website + Access Export' variables locally on AWX delegate_to: 127.0.0.1 @@ -41,8 +42,8 @@ line: "{{ item.key }}: {{ item.value }}" insertafter: '# Custom Settings Start' with_dict: - 'customise_base_domain_website': '{{ customise_base_domain_website }}' - when: customise_base_domain_website is defined + 'awx_customise_base_domain_website': '{{ awx_customise_base_domain_website }}' + when: awx_customise_base_domain_website is defined - name: Reload vars in matrix_vars.yml include_vars: 
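Review bot: The lineinfile task that writes `awx_sftp_password` (and `awx_sftp_public_key`) into the cached vars file has no `no_log`, so the plaintext SFTP password appears as the loop item in the job output; add `no_log: True` to that task. The task header sits in the context just above the `@@ -29,9 +30,9 @@` hunk, outside the changed lines.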
@@ -54,35 +55,28 @@ template: src: './roles/matrix-awx/surveys/configure_website_access_export.json.j2' dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json' - when: customise_base_domain_website is defined + when: awx_customise_base_domain_website is defined - name: Copy new 'Customise Website + Access Export' survey.json to target machine copy: src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json' dest: '/matrix/awx/configure_website_access_export.json' mode: '0660' - when: customise_base_domain_website is defined + when: awx_customise_base_domain_website is defined - name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template delegate_to: 127.0.0.1 template: src: './roles/matrix-awx/surveys/access_export.json.j2' dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json' - when: customise_base_domain_website is undefined + when: awx_customise_base_domain_website is undefined - name: Copy new 'Customise Website + Access Export' survey.json to target machine copy: src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json' dest: '/matrix/awx/access_export.json' mode: '0660' - when: customise_base_domain_website is undefined - -- name: Collect AWX admin token the hard way! - delegate_to: 127.0.0.1 - shell: | - curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' - register: tower_token - no_log: True + when: awx_customise_base_domain_website is undefined - name: Recreate 'Configure Website + Access Export' job template delegate_to: 127.0.0.1 
@@ -101,10 +95,10 @@ become_enabled: yes state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes - when: customise_base_domain_website is defined + when: awx_customise_base_domain_website is defined - name: Recreate 'Access Export' job template delegate_to: 127.0.0.1 
@@ -123,44 +117,44 @@ become_enabled: yes state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes - when: customise_base_domain_website is undefined + when: awx_customise_base_domain_website is undefined + +- name: If user doesn't define a awx_sftp_password, create a disabled 'sftp' account + user: + name: sftp + comment: SFTP user to set custom web files and access servers export + shell: /bin/false + home: /home/sftp + group: matrix + password: '*' + update_password: always + when: awx_sftp_password|length == 0 + +- name: If user defines awx_sftp_password, enable account and set password on 'stfp' account + user: + name: sftp + comment: SFTP user to set custom web files and access servers export + shell: /bin/false + home: /home/sftp + group: matrix + password: "{{ awx_sftp_password | password_hash('sha512') }}" + update_password: always + when: awx_sftp_password|length > 0 - name: Ensure group "sftp" exists group: name: sftp state: present -- name: If user doesn't define a sftp_password, create a disabled 'sftp' account - user: - name: sftp - comment: SFTP user to set custom web files and access servers export - shell: /bin/false - home: /home/sftp - group: sftp - password: '*' - update_password: always - when: sftp_password|length == 0 - -- name: If user defines sftp_password, enable account and set password on 'stfp' account - user: - name: sftp - comment: SFTP user to set custom web files and access servers export - shell: /bin/false - home: /home/sftp - group: sftp - password: "{{ sftp_password | password_hash('sha512') }}" - update_password: always - when: sftp_password|length > 0 - - name: adding existing user 'sftp' to group matrix user: name: sftp - groups: matrix + groups: sftp append: yes - when: customise_base_domain_website is defined + when: 
awx_customise_base_domain_website is defined - name: Create the ro /chroot directory with sticky bit if it doesn't exist. (/chroot/website has matrix:matrix permissions and is mounted to nginx container) file: @@ -176,8 +170,8 @@ state: directory owner: matrix group: matrix - mode: '0574' - when: customise_base_domain_website is defined + mode: '0770' + when: awx_customise_base_domain_website is defined - name: Ensure /chroot/export location exists file: @@ -209,19 +203,19 @@ - name: Insert public SSH key into authorized_keys file lineinfile: path: /home/sftp/.ssh/authorized_keys - line: "{{ sftp_public_key }}" + line: "{{ awx_sftp_public_key }}" owner: sftp group: sftp mode: '0644' - when: (sftp_public_key | length > 0) and (sftp_auth_method == "SSH Key") - -- name: Alter SSH Subsystem State 1 + when: (awx_sftp_public_key | length > 0) and (awx_sftp_auth_method == "SSH Key") + +- name: Remove any existing Subsystem lines lineinfile: path: /etc/ssh/sshd_config - line: "Subsystem sftp /usr/lib/openssh/sftp-server" state: absent + regexp: '^Subsystem' -- name: Alter SSH Subsystem State 2 +- name: Set SSH Subsystem State lineinfile: path: /etc/ssh/sshd_config insertafter: "^# override default of no subsystems" @@ -239,7 +233,7 @@ AllowTcpForwarding no PasswordAuthentication yes AuthorizedKeysFile /home/sftp/.ssh/authorized_keys - when: sftp_auth_method == "Disabled" + when: awx_sftp_auth_method == "Disabled" - name: Add SSH Match User section for password auth blockinfile: @@ -252,7 +246,7 @@ X11Forwarding no AllowTcpForwarding no PasswordAuthentication yes - when: sftp_auth_method == "Password" + when: awx_sftp_auth_method == "Password" - name: Add SSH Match User section for publickey auth blockinfile: @@ -265,7 +259,7 @@ X11Forwarding no AllowTcpForwarding no AuthorizedKeysFile /home/sftp/.ssh/authorized_keys - when: sftp_auth_method == "SSH Key" + when: awx_sftp_auth_method == "SSH Key" - name: Restart service ssh.service service: 
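Review bot: The task still named "adding existing user 'sftp' to group matrix" now does the reverse of its name: the moved `user:` tasks make `matrix` the primary group and this task appends `sftp`, so rename it to `Add existing user 'sftp' to group sftp` so the log reads correctly. `password_hash('sha512')` with no salt produces a different hash every run, which with `update_password: always` reports the task as changed on every execution; `password_hash('sha512', 65534 | random(seed=inventory_hostname) | string)` keeps it idempotent. The `Match User` block applied when `awx_sftp_auth_method == "Disabled"` (unchanged context further down) still contains `PasswordAuthentication yes`; the account is locked with `password: '*'` so this is presumably inert, but `no` would match the stated intent.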
diff --git a/roles/matrix-awx/tasks/delete_session_token.yml b/roles/matrix-awx/tasks/delete_session_token.yml new file mode 100644 index 00000000..a6a52e48 --- /dev/null +++ b/roles/matrix-awx/tasks/delete_session_token.yml @@ -0,0 +1,10 @@ +--- + +- name: Delete the AWX session token for executing modules + awx.awx.tower_token: + description: 'AWX Session Token' + scope: "write" + state: absent + existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" diff --git a/roles/matrix-awx/tasks/export_server.yml b/roles/matrix-awx/tasks/export_server.yml new file mode 100644 index 00000000..d779028e --- /dev/null +++ b/roles/matrix-awx/tasks/export_server.yml 
@@ -0,0 +1,43 @@ +--- + +- name: Run export of /matrix/ and snapshot the database simultaneously + command: "{{ item }}" + with_items: + - /bin/sh /usr/local/bin/awx-export-service.sh 1 0 + - /bin/sh /usr/local/bin/awx-export-service.sh 0 1 + register: awx_create_instances + async: 3600 # Maximum runtime in seconds. + poll: 0 # Fire and continue (never poll) + +- name: Wait for both of these jobs to finish + async_status: + jid: "{{ item.ansible_job_id }}" + register: awx_jobs + until: awx_jobs.finished + delay: 5 # Check every 5 seconds. + retries: 720 # Retry for a full hour. + with_items: "{{ awx_create_instances.results }}" + +- name: Schedule deletion of the export in 24 hours + at: + command: rm /chroot/export/matrix* + count: 1 + units: days + unique: yes + +- name: Delete the AWX session token for executing modules + awx.awx.tower_token: + description: 'AWX Session Token' + scope: "write" + state: absent + existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" + +- name: Set boolean value to exit playbook + set_fact: + awx_end_playbook: true + +- name: End playbook if this task list is called. + meta: end_play + when: awx_end_playbook is defined and awx_end_playbook|bool diff --git a/roles/matrix-awx/tasks/import_awx.yml b/roles/matrix-awx/tasks/import_awx.yml index 6017152f..b2154c7a 100644 --- a/roles/matrix-awx/tasks/import_awx.yml +++ b/roles/matrix-awx/tasks/import_awx.yml 
@@ -1,18 +1,7 @@ - -- name: Ensure /matrix/awx is empty - shell: rm -r /matrix/awx/* - ignore_errors: yes - -- name: Ensure /matrix/synapse is empty - shell: rm -r /matrix/synapse/* - ignore_errors: yes - -- name: Extract from /chroot/export - shell: tar -xvzf /chroot/export/matrix.tar.gz -C /matrix/ +--- - name: Ensure correct ownership of /matrix/awx shell: chown -R matrix:matrix /matrix/awx - name: Ensure correct ownership of /matrix/synapse shell: chown -R matrix:matrix /matrix/synapse - diff --git a/roles/matrix-awx/tasks/load_hosting_and_org_variables.yml b/roles/matrix-awx/tasks/load_hosting_and_org_variables.yml index ea866254..69b2aac8 100644 --- a/roles/matrix-awx/tasks/load_hosting_and_org_variables.yml +++ b/roles/matrix-awx/tasks/load_hosting_and_org_variables.yml @@ -1,3 +1,4 @@ +--- - name: Include vars in organisation.yml include_vars: @@ -9,3 +10,7 @@ file: '/var/lib/awx/projects/hosting/hosting_vars.yml' no_log: True +- name: Include AWX master token from awx_tokens.yml + include_vars: + file: /var/lib/awx/projects/hosting/awx_tokens.yml + no_log: True diff --git a/roles/matrix-awx/tasks/load_matrix_variables.yml b/roles/matrix-awx/tasks/load_matrix_variables.yml index 2a9f9a0d..34754efb 100755 --- a/roles/matrix-awx/tasks/load_matrix_variables.yml +++ b/roles/matrix-awx/tasks/load_matrix_variables.yml @@ -1,3 +1,4 @@ +--- - name: Include new vars in matrix_vars.yml include_vars: diff --git a/roles/matrix-awx/tasks/main.yml b/roles/matrix-awx/tasks/main.yml index 654cdf62..adc158c7 100755 --- a/roles/matrix-awx/tasks/main.yml +++ b/roles/matrix-awx/tasks/main.yml @@ -17,6 +17,15 @@ tags: - always +# Create AWX session token +- include_tasks: + file: "create_session_token.yml" + apply: + tags: always + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - always + # Perform a backup of the server - include_tasks: file: "backup_server.yml" 
@@ -26,6 +35,15 @@ tags: - backup-server +# Perform a export of the server +- include_tasks: + file: "export_server.yml" + apply: + tags: export-server + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - export-server + # Create a user account if called - include_tasks: file: "create_user.yml" @@ -53,6 +71,15 @@ tags: - purge-database +# Rotate SSH key if called +- include_tasks: + file: "rotate_ssh.yml" + apply: + tags: rotate-ssh + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - rotate-ssh + # Import configs, media repo from /chroot/backup import - include_tasks: file: "import_awx.yml" @@ -98,6 +125,15 @@ tags: - setup-client-element +# Additional playbook to set the variable file during Mailer configuration +- include_tasks: + file: "set_variables_mailer.yml" + apply: + tags: setup-mailer + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - setup-mailer + # Additional playbook to set the variable file during Element configuration - include_tasks: file: "set_variables_element_subdomain.yml" @@ -161,6 +197,24 @@ tags: - setup-synapse-admin +# Additional playbook to set the variable file during Discord Appservice Bridge configuration +- include_tasks: + file: "bridge_discord_appservice.yml" + apply: + tags: bridge-discord-appservice + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - bridge-discord-appservice + +# Delete AWX session token +- include_tasks: + file: "delete_session_token.yml" + apply: + tags: always + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - always + # Load newly formed matrix variables from AWX volume - include_tasks: file: "load_matrix_variables.yml" diff --git a/roles/matrix-awx/tasks/purge_database_build_list.yml b/roles/matrix-awx/tasks/purge_database_build_list.yml index 1ea05b7f..5ca57d22 100644 --- a/roles/matrix-awx/tasks/purge_database_build_list.yml +++ b/roles/matrix-awx/tasks/purge_database_build_list.yml 
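Review bot: The new includes reference `rotate_ssh.yml` and `set_variables_mailer.yml`, which do not appear in this part of the diff; if they are not added elsewhere in the commit, `include_tasks` fails at runtime for the `rotate-ssh` and `setup-mailer` tags. The `delete_session_token.yml` include is tagged `always` and conditioned the same way as the create include, which is consistent, but its position relative to the other includes is what keeps `awx_session_token` valid for them; a comment such as `# Must remain after every include that uses awx_session_token` would protect that ordering from future edits.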
@@ -1,10 +1,11 @@ +--- - name: Collect entire room list into stdout shell: | curl -X GET --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/rooms?from={{ item }}' - register: rooms_output + register: awx_rooms_output - name: Print stdout to file delegate_to: 127.0.0.1 shell: | - echo '{{ rooms_output.stdout }}' >> /tmp/{{ subscription_id }}_room_list_complete.json + echo '{{ awx_rooms_output.stdout }}' >> /tmp/{{ subscription_id }}_room_list_complete.json diff --git a/roles/matrix-awx/tasks/purge_database_events.yml b/roles/matrix-awx/tasks/purge_database_events.yml index 9e2ef9c2..aaef3cba 100644 --- a/roles/matrix-awx/tasks/purge_database_events.yml +++ b/roles/matrix-awx/tasks/purge_database_events.yml @@ -1,12 +1,13 @@ +--- - name: Purge all rooms with more then N events shell: | - curl --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "delete_local_events": false, "purge_up_to_ts": {{ purge_epoche_time.stdout }}000 }' "{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_history/{{ item[1:-1] }}" - register: purge_command + curl --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "delete_local_events": false, "purge_up_to_ts": {{ awx_purge_epoche_time.stdout }}000 }' "{{ awx_synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_history/{{ item[1:-1] }}" + register: awx_purge_command - name: Print output of purge command debug: - msg: "{{ purge_command.stdout }}" + msg: "{{ awx_purge_command.stdout }}" - name: Pause for 5 seconds to let Synapse breathe pause: diff --git a/roles/matrix-awx/tasks/purge_database_main.yml b/roles/matrix-awx/tasks/purge_database_main.yml index 76a437e1..6b132091 100644 --- a/roles/matrix-awx/tasks/purge_database_main.yml +++ b/roles/matrix-awx/tasks/purge_database_main.yml 
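Review bot: purge_database_build_list.yml still references `janitors_token` and `synapse_container_ip` on the unchanged `curl` line, while purge_database_main.yml now registers `awx_janitors_token` and `awx_synapse_container_ip`, so if this file is still included anywhere the task fails on undefined variables; that line should read `curl -X GET --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" '{{ awx_synapse_container_ip.stdout }}:8008/_synapse/admin/v1/rooms?from={{ item }}'`. The `echo '{{ awx_rooms_output.stdout }}' >> …` step also splices server-returned JSON (room names and topics) into a shell command on the AWX controller, where a single quote in the data breaks the quoting; `echo {{ awx_rooms_output.stdout | quote }} >> /tmp/{{ subscription_id }}_room_list_complete.json` lets Ansible escape it, or a non-shell module can write the file.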
@@ -1,3 +1,4 @@ +--- - name: Ensure dateutils and curl is installed in AWX delegate_to: 127.0.0.1 
@@ -5,34 +6,34 @@ name: dateutils state: latest -- name: Ensure dateutils, curl and jq intalled on target machine +- name: Include vars in matrix_vars.yml + include_vars: + file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + no_log: True + +- name: Ensure curl and jq intalled on target machine apt: pkg: - curl - jq state: present -- name: Include vars in matrix_vars.yml - include_vars: - file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' - no_log: True - - name: Collect before shrink size of Synapse database shell: du -sh /matrix/postgres/data - register: db_size_before_stat - when: (purge_mode.find("Perform final shrink") != -1) + register: awx_db_size_before_stat + when: (awx_purge_mode.find("Perform final shrink") != -1) no_log: True - name: Collect the internal IP of the matrix-synapse container shell: "/usr/bin/docker inspect --format '{''{range.NetworkSettings.Networks}''}{''{.IPAddress}''}{''{end}''}' matrix-synapse" - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) - register: synapse_container_ip + when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) + register: awx_synapse_container_ip - name: Collect access token for janitor user shell: | - curl -X POST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ matrix_awx_janitor_user_password }}"}' "{{ synapse_container_ip.stdout }}:8008/_matrix/client/r0/login" | jq '.access_token' - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) - register: janitors_token + curl -X POST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ 
awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:8008/_matrix/client/r0/login" | jq '.access_token' + when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) + register: awx_janitors_token no_log: True - name: Copy build_room_list.py script to target machine 
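Review bot: The janitor login step keeps `jq '.access_token'` and later slices `[1:-1]` off the quoted string, so when login fails `jq` prints `null`, the slice yields `ul`, and every following admin call runs with a garbage bearer token and only fails later, behind `no_log`. Add `failed_when: (awx_janitors_token.stdout | trim) in ['', 'null']` to that task so a wrong `awx_janitor_user_password` stops the purge at once. The password is also interpolated into the JSON body unescaped, so a value containing `"` breaks the request; `"password":{{ awx_janitor_user_password | to_json }}` handles that inside the JSON (a `'` would still need quoting of the whole `-d` argument).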
@@ -42,114 +43,107 @@ owner: matrix group: matrix mode: '0755' - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) + when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) - name: Run build_room_list.py script shell: | - runuser -u matrix -- python3 /usr/local/bin/matrix_build_room_list.py {{ janitors_token.stdout[1:-1] }} {{ synapse_container_ip.stdout }} - register: rooms_total - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) + runuser -u matrix -- python3 /usr/local/bin/matrix_build_room_list.py {{ awx_janitors_token.stdout[1:-1] }} {{ awx_synapse_container_ip.stdout }} + register: awx_rooms_total + when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) - name: Fetch complete room list from target machine fetch: src: /tmp/room_list_complete.json dest: "/tmp/{{ subscription_id }}_room_list_complete.json" flat: yes - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) + when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) - name: Remove complete room list from target machine file: path: /tmp/room_list_complete.json state: absent - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) + when: 
(awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) - name: Generate list of rooms with no local users delegate_to: 127.0.0.1 shell: | jq 'try .rooms[] | select(.joined_local_members == 0) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_no_local_users.txt - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) + when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) - name: Count number of rooms with no local users delegate_to: 127.0.0.1 shell: | wc -l /tmp/{{ subscription_id }}_room_list_no_local_users.txt | awk '{ print $1 }' - register: rooms_no_local_total - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) + register: awx_rooms_no_local_total + when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) -- name: Setting host fact room_list_no_local_users +- name: Setting host fact awx_room_list_no_local_users set_fact: - room_list_no_local_users: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_no_local_users.txt') }}" + awx_room_list_no_local_users: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_no_local_users.txt') }}" no_log: True - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) + when: (awx_purge_mode.find("No local users [recommended]") != -1) or 
(awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) - name: Purge all rooms with no local users include_tasks: purge_database_no_local.yml - loop: "{{ room_list_no_local_users.splitlines() | flatten(levels=1) }}" - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) + loop: "{{ awx_room_list_no_local_users.splitlines() | flatten(levels=1) }}" + when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) - name: Collect epoche time from date delegate_to: 127.0.0.1 shell: | - date -d '{{ purge_date }}' +"%s" - when: (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) - register: purge_epoche_time + date -d '{{ awx_purge_date }}' +"%s" + when: (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) + register: awx_purge_epoche_time - name: Generate list of rooms with more then N users delegate_to: 127.0.0.1 shell: | - jq 'try .rooms[] | select(.joined_members > {{ purge_metric_value }}) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_joined_members.txt - when: purge_mode.find("Number of users [slower]") != -1 + jq 'try .rooms[] | select(.joined_members > {{ awx_purge_metric_value }}) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_joined_members.txt + when: awx_purge_mode.find("Number of users [slower]") != -1 - name: Count number of rooms with more then N users delegate_to: 127.0.0.1 shell: | wc -l /tmp/{{ subscription_id }}_room_list_joined_members.txt | awk '{ print $1 }' - register: rooms_join_members_total - when: 
purge_mode.find("Number of users [slower]") != -1 + register: awx_rooms_join_members_total + when: awx_purge_mode.find("Number of users [slower]") != -1 -- name: Setting host fact room_list_joined_members +- name: Setting host fact awx_room_list_joined_members delegate_to: 127.0.0.1 set_fact: - room_list_joined_members: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_joined_members.txt') }}" - when: purge_mode.find("Number of users [slower]") != -1 + awx_room_list_joined_members: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_joined_members.txt') }}" + when: awx_purge_mode.find("Number of users [slower]") != -1 no_log: True - name: Purge all rooms with more then N users include_tasks: purge_database_users.yml - loop: "{{ room_list_joined_members.splitlines() | flatten(levels=1) }}" - when: purge_mode.find("Number of users [slower]") != -1 + loop: "{{ awx_room_list_joined_members.splitlines() | flatten(levels=1) }}" + when: awx_purge_mode.find("Number of users [slower]") != -1 - name: Generate list of rooms with more then N events delegate_to: 127.0.0.1 shell: | - jq 'try .rooms[] | select(.state_events > {{ purge_metric_value }}) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_state_events.txt - when: purge_mode.find("Number of events [slower]") != -1 + jq 'try .rooms[] | select(.state_events > {{ awx_purge_metric_value }}) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_state_events.txt + when: awx_purge_mode.find("Number of events [slower]") != -1 - name: Count number of rooms with more then N events delegate_to: 127.0.0.1 shell: | wc -l /tmp/{{ subscription_id }}_room_list_state_events.txt | awk '{ print $1 }' - register: rooms_state_events_total - when: purge_mode.find("Number of events [slower]") != -1 + register: awx_rooms_state_events_total + when: awx_purge_mode.find("Number of events [slower]") != -1 -- name: Setting host fact 
room_list_state_events +- name: Setting host fact awx_room_list_state_events delegate_to: 127.0.0.1 set_fact: - room_list_state_events: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_state_events.txt') }}" - when: purge_mode.find("Number of events [slower]") != -1 + awx_room_list_state_events: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_state_events.txt') }}" + when: awx_purge_mode.find("Number of events [slower]") != -1 no_log: True - name: Purge all rooms with more then N events include_tasks: purge_database_events.yml - loop: "{{ room_list_state_events.splitlines() | flatten(levels=1) }}" - when: purge_mode.find("Number of events [slower]") != -1 - -- name: Collect AWX admin token the hard way! - delegate_to: 127.0.0.1 - shell: | - curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' - register: tower_token - no_log: True + loop: "{{ awx_room_list_state_events.splitlines() | flatten(levels=1) }}" + when: awx_purge_mode.find("Number of events [slower]") != -1 - name: Adjust 'Deploy/Update a Server' job template delegate_to: 127.0.0.1 
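Review bot: The three-way `awx_purge_mode.find(...)` condition is repeated on nearly every task in this hunk; computing it once with `set_fact: awx_purge_rooms: "{{ awx_purge_mode is search('No local users|Number of users|Number of events') }}"` and using `when: awx_purge_rooms|bool` would make the rename done here a one-line change next time. The included purge_database_no_local.yml and purge_database_users.yml are not in this diff; if they still use `janitors_token`/`synapse_container_ip` as purge_database_build_list.yml does, those loops fail after this rename. The room lists written to `/tmp/{{ subscription_id }}_room_list_*.txt` on the controller are never removed, unlike the copy on the target, so room metadata accumulates on the AWX host.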
@@ -165,20 +159,20 @@ credential: "{{ member_id }} - AWX SSH Key" state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1) + when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) or (awx_purge_mode.find("Skip purging rooms [faster]") != -1) - name: Execute rust-synapse-compress-state job template delegate_to: 127.0.0.1 awx.awx.tower_job_launch: job_template: "{{ matrix_domain }} - 0 - Deploy/Update a Server" wait: yes - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1) + when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) or (awx_purge_mode.find("Skip purging rooms [faster]") != -1) - name: Revert 'Deploy/Update a Server' job template delegate_to: 127.0.0.1 
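Review bot: The four-way `awx_purge_mode.find(...) != -1` chain in the `when:` of both template tasks in this hunk is repeated verbatim in the -194, -231 and -260 hunks below, which is exactly what makes a rename like this one easy to get half-right. Computing it once, e.g. `set_fact: awx_purge_rooms_selected: "{{ awx_purge_mode.find('No local users [recommended]') != -1 or ... }}"` and then `when: awx_purge_rooms_selected | bool`, would keep the condition in one place and make its intent readable. If those four strings cover every survey choice, the condition is presumably always true and could be dropped entirely; that cannot be confirmed from the hunk.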
@@ -194,28 +188,28 @@ credential: "{{ member_id }} - AWX SSH Key" state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1) + when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) or (awx_purge_mode.find("Skip purging rooms [faster]") != -1) - name: Ensure matrix-synapse is stopped service: name: matrix-synapse state: stopped daemon_reload: yes - when: (purge_mode.find("Perform final shrink") != -1) + when: (awx_purge_mode.find("Perform final shrink") != -1) - name: Re-index Synapse database shell: docker exec -i matrix-postgres psql "host=127.0.0.1 port=5432 dbname=synapse user=synapse password={{ matrix_synapse_connection_password }}" -c 'REINDEX (VERBOSE) DATABASE synapse' - when: (purge_mode.find("Perform final shrink") != -1) + when: (awx_purge_mode.find("Perform final shrink") != -1) - name: Ensure matrix-synapse is started service: name: matrix-synapse state: started daemon_reload: yes - when: (purge_mode.find("Perform final shrink") != -1) + when: (awx_purge_mode.find("Perform final shrink") != -1) - name: Adjust 'Deploy/Update a Server' job template delegate_to: 127.0.0.1 
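Review bot: The `Re-index Synapse database` task in this hunk interpolates `matrix_synapse_connection_password` into the `docker exec ... psql` command line and has no `no_log`, so the database password is kept in the task's recorded `cmd` and is shown in the AWX job output on a verbose run or when the task fails. Add `no_log: True` to that task; the variable rename in this commit leaves the exposure unchanged. A short comment on why the reindex runs while `matrix-synapse` is stopped (the two `service` tasks around it) would also help the next reader.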
@@ -231,20 +225,20 @@ credential: "{{ member_id }} - AWX SSH Key" state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes - when: (purge_mode.find("Perform final shrink") != -1) + when: (awx_purge_mode.find("Perform final shrink") != -1) - name: Execute run-postgres-vacuum job template delegate_to: 127.0.0.1 awx.awx.tower_job_launch: job_template: "{{ matrix_domain }} - 0 - Deploy/Update a Server" wait: yes - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes - when: (purge_mode.find("Perform final shrink") != -1) + when: (awx_purge_mode.find("Perform final shrink") != -1) - name: Revert 'Deploy/Update a Server' job template delegate_to: 127.0.0.1 
@@ -260,58 +254,67 @@ credential: "{{ member_id }} - AWX SSH Key" state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes - when: (purge_mode.find("Perform final shrink") != -1) + when: (awx_purge_mode.find("Perform final shrink") != -1) - name: Cleanup room_list files delegate_to: 127.0.0.1 shell: | rm /tmp/{{ subscription_id }}_room_list* - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) + when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) ignore_errors: yes - name: Collect after shrink size of Synapse database shell: du -sh /matrix/postgres/data - register: db_size_after_stat - when: (purge_mode.find("Perform final shrink") != -1) + register: awx_db_size_after_stat + when: (awx_purge_mode.find("Perform final shrink") != -1) no_log: True - name: Print total number of rooms processed debug: - msg: '{{ rooms_total.stdout }}' - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) + msg: '{{ awx_rooms_total.stdout }}' + when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) - name: Print the number of rooms purged with no local users debug: - msg: '{{ rooms_no_local_total.stdout }}' - when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) + msg: '{{ 
awx_rooms_no_local_total.stdout }}' + when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) - name: Print the number of rooms purged with more then N users debug: - msg: '{{ rooms_join_members_total.stdout }}' - when: purge_mode.find("Number of users") != -1 + msg: '{{ awx_rooms_join_members_total.stdout }}' + when: awx_purge_mode.find("Number of users") != -1 - name: Print the number of rooms purged with more then N events debug: - msg: '{{ rooms_state_events_total.stdout }}' - when: purge_mode.find("Number of events") != -1 + msg: '{{ awx_rooms_state_events_total.stdout }}' + when: awx_purge_mode.find("Number of events") != -1 - name: Print before purge size of Synapse database debug: - msg: "{{ db_size_before_stat.stdout.split('\n') }}" - when: (db_size_before_stat is defined) and (purge_mode.find("Perform final shrink") != -1) + msg: "{{ awx_db_size_before_stat.stdout.split('\n') }}" + when: ( awx_db_size_before_stat is defined ) and ( awx_purge_mode.find("Perform final shrink" ) != -1 ) - name: Print after purge size of Synapse database debug: - msg: "{{ db_size_after_stat.stdout.split('\n') }}" - when: (db_size_after_stat is defined) and (purge_mode.find("Perform final shrink") != -1) + msg: "{{ awx_db_size_after_stat.stdout.split('\n') }}" + when: (awx_db_size_after_stat is defined) and (awx_purge_mode.find("Perform final shrink") != -1) + +- name: Delete the AWX session token for executing modules + awx.awx.tower_token: + description: 'AWX Session Token' + scope: "write" + state: absent + existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" - name: Set boolean value to exit playbook set_fact: - end_playbook: true + awx_end_playbook: true - name: End playbook early if this task is called. 
meta: end_play - when: end_playbook is defined and end_playbook|bool + when: awx_end_playbook is defined and awx_end_playbook|bool diff --git a/roles/matrix-awx/tasks/purge_database_no_local.yml b/roles/matrix-awx/tasks/purge_database_no_local.yml index d94fd007..33f99c49 100644 --- a/roles/matrix-awx/tasks/purge_database_no_local.yml +++ b/roles/matrix-awx/tasks/purge_database_no_local.yml @@ -1,12 +1,13 @@ +--- - name: Purge all rooms with no local users shell: | - curl --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "room_id": {{ item }} }' '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_room' - register: purge_command + curl --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "room_id": {{ item }} }' '{{ awx_synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_room' + register: awx_purge_command - name: Print output of purge command debug: - msg: "{{ purge_command.stdout }}" + msg: "{{ awx_purge_command.stdout }}" - name: Pause for 5 seconds to let Synapse breathe pause: diff --git a/roles/matrix-awx/tasks/purge_database_users.yml b/roles/matrix-awx/tasks/purge_database_users.yml index 302dffd8..1c8da14d 100644 --- a/roles/matrix-awx/tasks/purge_database_users.yml +++ b/roles/matrix-awx/tasks/purge_database_users.yml 
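Review bot: The new `Delete the AWX session token for executing modules` task near the end of this hunk only runs when every task before it succeeds, so any earlier failure in this file (a failed purge loop, the `REINDEX`, a job launch) leaves a write-scope token alive in AWX. Putting the deletion in an `always:` section of a `block:` around the body would make the revocation unconditional. It is also the only `awx.awx.*` task in this hunk without `delegate_to: 127.0.0.1`; unless the managed host is meant to reach the AWX API directly, it should be delegated like the template and launch tasks above it. The same deletion task appears in the purge_media_main.yml and rotate_ssh.yml hunks below with the same two issues.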
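Review bot: The `curl` task in this hunk puts the janitor bearer token on the command line and registers the result without `no_log`, so the token is stored in `awx_purge_command` (its `cmd` field) and shown in verbose or failed-task output; the following `debug` prints only `stdout`, which is fine, but the registered result still carries the secret. `curl` also runs without `--fail`, so a 401 or 404 from the admin API exits 0 and the loop reports success while nothing was purged. Adding `no_log: True` to the curl task and `--fail` to the command covers both; the same pattern is in the purge_database_users.yml, purge_media_local.yml and purge_media_remote.yml hunks.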
@@ -1,12 +1,13 @@ +--- - name: Purge all rooms with more then N users shell: | - curl --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "delete_local_events": false, "purge_up_to_ts": {{ purge_epoche_time.stdout }}000 }' "{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_history/{{ item[1:-1] }}" - register: purge_command + curl --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "delete_local_events": false, "purge_up_to_ts": {{ awx_purge_epoche_time.stdout }}000 }' "{{ awx_synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_history/{{ item[1:-1] }}" + register: awx_purge_command - name: Print output of purge command debug: - msg: "{{ purge_command.stdout }}" + msg: "{{ awx_purge_command.stdout }}" - name: Pause for 5 seconds to let Synapse breathe pause: diff --git a/roles/matrix-awx/tasks/purge_media_local.yml b/roles/matrix-awx/tasks/purge_media_local.yml index fcb4770f..2074d5d8 100644 --- a/roles/matrix-awx/tasks/purge_media_local.yml +++ b/roles/matrix-awx/tasks/purge_media_local.yml 
@@ -1,17 +1,18 @@ +--- - name: Collect epoche time from date shell: | date -d '{{ item }}' +"%s" - register: epoche_time + register: awx_epoche_time - name: Purge local media to specific date shell: | - curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/media/matrix.{{ matrix_domain }}/delete?before_ts={{ epoche_time.stdout }}' - register: purge_command + curl -X POST --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" '{{ awx_synapse_container_ip.stdout }}:8008/_synapse/admin/v1/media/matrix.{{ matrix_domain }}/delete?before_ts={{ awx_epoche_time.stdout }}000' + register: awx_purge_command - name: Print output of purge command debug: - msg: "{{ purge_command.stdout }}" + msg: "{{ awx_purge_command.stdout }}" - name: Pause for 5 seconds to let Synapse breathe pause: diff --git a/roles/matrix-awx/tasks/purge_media_main.yml b/roles/matrix-awx/tasks/purge_media_main.yml index 77a8fecc..9c5f6bfb 100644 --- a/roles/matrix-awx/tasks/purge_media_main.yml +++ b/roles/matrix-awx/tasks/purge_media_main.yml @@ -1,5 +1,5 @@ -- name: Ensure dateutils and curl is installed in AWX +- name: Ensure dateutils is installed in AWX delegate_to: 127.0.0.1 yum: name: dateutils 
@@ -17,82 +17,92 @@ - jq state: present -- name: Collect access token for janitor user - shell: | - curl -XPOST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ matrix_awx_janitor_user_password }}"}' "https://matrix.{{ matrix_domain }}/_matrix/client/r0/login" | jq '.access_token' - register: janitors_token - - name: Collect the internal IP of the matrix-synapse container shell: "/usr/bin/docker inspect --format '{''{range.NetworkSettings.Networks}''}{''{.IPAddress}''}{''{end}''}' matrix-synapse" - register: synapse_container_ip - + register: awx_synapse_container_ip + +- name: Collect access token for janitor user + shell: | + curl -XPOST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:8008/_matrix/client/r0/login" | jq '.access_token' + register: awx_janitors_token + no_log: True + - name: Generate list of dates to purge to delegate_to: 127.0.0.1 shell: "dateseq {{ matrix_purge_from_date }} {{ matrix_purge_to_date }}" - register: purge_dates + register: awx_purge_dates - name: Calculate initial size of local media repository shell: du -sh /matrix/synapse/storage/media-store/local* - register: local_media_size_before - when: matrix_purge_media_type == "Local Media" + register: awx_local_media_size_before + when: awx_purge_media_type == "Local Media" ignore_errors: yes no_log: True - name: Calculate initial size of remote media repository shell: du -sh /matrix/synapse/storage/media-store/remote* - register: remote_media_size_before - when: matrix_purge_media_type == "Remote Media" + register: awx_remote_media_size_before + when: awx_purge_media_type == "Remote Media" ignore_errors: yes no_log: True - name: Purge local media with loop include_tasks: purge_media_local.yml - loop: "{{ purge_dates.stdout_lines | flatten(levels=1) }}" - when: matrix_purge_media_type == "Local Media" + loop: "{{ awx_purge_dates.stdout_lines | flatten(levels=1) }}" + when: 
awx_purge_media_type == "Local Media" - name: Purge remote media with loop include_tasks: purge_media_remote.yml - loop: "{{ purge_dates.stdout_lines | flatten(levels=1) }}" - when: matrix_purge_media_type == "Remote Media" + loop: "{{ awx_purge_dates.stdout_lines | flatten(levels=1) }}" + when: awx_purge_media_type == "Remote Media" - name: Calculate final size of local media repository shell: du -sh /matrix/synapse/storage/media-store/local* - register: local_media_size_after - when: matrix_purge_media_type == "Local Media" + register: awx_local_media_size_after + when: awx_purge_media_type == "Local Media" ignore_errors: yes no_log: True - name: Calculate final size of remote media repository shell: du -sh /matrix/synapse/storage/media-store/remote* - register: remote_media_size_after - when: matrix_purge_media_type == "Remote Media" + register: awx_remote_media_size_after + when: awx_purge_media_type == "Remote Media" ignore_errors: yes no_log: True - name: Print size of local media repository before purge debug: - msg: "{{ local_media_size_before.stdout.split('\n') }}" - when: matrix_purge_media_type == "Local Media" + msg: "{{ awx_local_media_size_before.stdout.split('\n') }}" + when: awx_purge_media_type == "Local Media" - name: Print size of local media repository after purge debug: - msg: "{{ local_media_size_after.stdout.split('\n') }}" - when: matrix_purge_media_type == "Local Media" + msg: "{{ awx_local_media_size_after.stdout.split('\n') }}" + when: awx_purge_media_type == "Local Media" - name: Print size of remote media repository before purge debug: - msg: "{{ remote_media_size_before.stdout.split('\n') }}" - when: matrix_purge_media_type == "Remote Media" + msg: "{{ awx_remote_media_size_before.stdout.split('\n') }}" + when: awx_purge_media_type == "Remote Media" - name: Print size of remote media repository after purge debug: - msg: "{{ remote_media_size_after.stdout.split('\n') }}" - when: matrix_purge_media_type == "Remote Media" + msg: "{{ 
awx_remote_media_size_after.stdout.split('\n') }}" + when: awx_purge_media_type == "Remote Media" + +- name: Delete the AWX session token for executing modules + awx.awx.tower_token: + description: 'AWX Session Token' + scope: "write" + state: absent + existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" - name: Set boolean value to exit playbook set_fact: - end_playbook: true + awx_end_playbook: true - name: End playbook early if this task is called. meta: end_play - when: end_playbook is defined and end_playbook|bool + when: awx_end_playbook is defined and awx_end_playbook|bool diff --git a/roles/matrix-awx/tasks/purge_media_remote.yml b/roles/matrix-awx/tasks/purge_media_remote.yml index 14f9c8d5..1418d9a6 100644 --- a/roles/matrix-awx/tasks/purge_media_remote.yml +++ b/roles/matrix-awx/tasks/purge_media_remote.yml @@ -1,17 +1,18 @@ +--- - name: Collect epoche time from date shell: | date -d '{{ item }}' +"%s" - register: epoche_time + register: awx_epoche_time - name: Purge remote media to specific date shell: | - curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_media_cache?before_ts={{ epoche_time.stdout }}' - register: purge_command + curl -X POST --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" '{{ awx_synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_media_cache?before_ts={{ awx_epoche_time.stdout }}000' + register: awx_purge_command - name: Print output of purge command debug: - msg: "{{ purge_command.stdout }}" + msg: "{{ awx_purge_command.stdout }}" - name: Pause for 5 seconds to let Synapse breathe pause: diff --git a/roles/matrix-awx/tasks/rename_variables.yml b/roles/matrix-awx/tasks/rename_variables.yml index e8992bd8..e664325f 100644 --- a/roles/matrix-awx/tasks/rename_variables.yml 
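Review bot: The `Collect access token for janitor user` task in this hunk never checks that the login worked: on a failed login `jq '.access_token'` prints `null`, the `[1:-1]` slice applied in the per-date task files turns that into `ul`, and every purge request then runs with a bogus bearer while the play keeps reporting success. A guard such as `failed_when: awx_janitors_token.stdout | length == 0 or awx_janitors_token.stdout == 'null'` on that task would stop the run at the right place. The login now also targets `{{ awx_synapse_container_ip.stdout }}:8008` with no scheme, i.e. plain HTTP over the container network; that is presumably acceptable for host-local traffic, but a one-line comment on the task stating that intent would avoid it being "fixed" back to the public URL later.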
+++ b/roles/matrix-awx/tasks/rename_variables.yml @@ -1,3 +1,4 @@ +--- - name: Rename synapse presence variable delegate_to: 127.0.0.1 @@ -5,4 +6,3 @@ path: "/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml" regexp: 'matrix_synapse_use_presence' replace: 'matrix_synapse_presence_enabled' - diff --git a/roles/matrix-awx/tasks/rotate_ssh.yml b/roles/matrix-awx/tasks/rotate_ssh.yml new file mode 100644 index 00000000..9596f504 --- /dev/null +++ b/roles/matrix-awx/tasks/rotate_ssh.yml @@ -0,0 +1,25 @@ +--- + +- name: Set the new authorized key taken from file + authorized_key: + user: root + state: present + exclusive: yes + key: "{{ lookup('file', '/var/lib/awx/projects/hosting/client_public.key') }}" + +- name: Delete the AWX session token for executing modules + awx.awx.tower_token: + description: 'AWX Session Token' + scope: "write" + state: absent + existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" + +- name: Set boolean value to exit playbook + set_fact: + end_playbook: true + +- name: End playbook if this task list is called. + meta: end_play + when: end_playbook is defined and end_playbook|bool diff --git a/roles/matrix-awx/tasks/self_check.yml b/roles/matrix-awx/tasks/self_check.yml index edf6b8b3..510b9f9e 100644 --- a/roles/matrix-awx/tasks/self_check.yml +++ b/roles/matrix-awx/tasks/self_check.yml @@ -1,3 +1,4 @@ +--- - name: Install prerequisite apt packages on target apt: 
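Review bot: The new rotate_ssh.yml still uses the unprefixed fact (`end_playbook: true` and `when: end_playbook is defined and end_playbook|bool`) while every other task file in this commit moves to `awx_end_playbook`; it should read `awx_end_playbook: true` and `when: awx_end_playbook is defined and awx_end_playbook|bool`. The `authorized_key` task also replaces all of root's keys (`exclusive: yes`) with whatever `client_public.key` holds, with no check that the lookup returned a non-empty, well-formed key; an `assert` on the looked-up value before that task would prevent a lock-out from an empty or missing file. As in the other files, the session-token deletion here only runs if the key rotation succeeds.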
@@ -23,83 +24,83 @@ - name: Calculate MAU value shell: | curl -s localhost:9000 | grep "^synapse_admin_mau_current " - register: mau_stat + register: awx_mau_stat no_log: True -- name: Print MAU value - debug: - msg: "{{ mau_stat.stdout.split('\n') }}" - when: mau_stat is defined - - name: Calculate CPU usage statistics shell: iostat -c - register: cpu_usage_stat + register: awx_cpu_usage_stat no_log: True -- name: Print CPU usage statistics - debug: - msg: "{{ cpu_usage_stat.stdout.split('\n') }}" - when: cpu_usage_stat is defined - - name: Calculate RAM usage statistics shell: free -mh - register: ram_usage_stat + register: awx_ram_usage_stat no_log: True -- name: Print RAM usage statistics - debug: - msg: "{{ ram_usage_stat.stdout.split('\n') }}" - when: ram_usage_stat is defined - - name: Calculate free disk space shell: df -h - register: disk_space_stat + register: awx_disk_space_stat no_log: True -- name: Print free disk space - debug: - msg: "{{ disk_space_stat.stdout.split('\n') }}" - when: disk_space_stat is defined - - name: Calculate size of Synapse database shell: du -sh /matrix/postgres/data - register: db_size_stat + register: awx_db_size_stat no_log: True -- name: Print size of Synapse database - debug: - msg: "{{ db_size_stat.stdout.split('\n') }}" - when: db_size_stat is defined - - name: Calculate size of local media repository shell: du -sh /matrix/synapse/storage/media-store/local* - register: local_media_size_stat + register: awx_local_media_size_stat ignore_errors: yes no_log: True -- name: Print size of local media repository - debug: - msg: "{{ local_media_size_stat.stdout.split('\n') }}" - when: local_media_size_stat is defined - - name: Calculate size of remote media repository shell: du -sh /matrix/synapse/storage/media-store/remote* - register: remote_media_size_stat + register: awx_remote_media_size_stat + ignore_errors: yes + no_log: True + +- name: Calculate docker container statistics + shell: docker stats --all --no-stream + 
register: awx_docker_stats ignore_errors: yes no_log: True - name: Print size of remote media repository debug: - msg: "{{ remote_media_size_stat.stdout.split('\n') }}" - when: remote_media_size_stat is defined + msg: "{{ awx_remote_media_size_stat.stdout.split('\n') }}" + when: awx_remote_media_size_stat is defined + +- name: Print size of local media repository + debug: + msg: "{{ awx_local_media_size_stat.stdout.split('\n') }}" + when: awx_local_media_size_stat is defined -- name: Calculate docker container statistics - shell: docker stats --all --no-stream - register: docker_stats - ignore_errors: yes - no_log: True +- name: Print size of Synapse database + debug: + msg: "{{ awx_db_size_stat.stdout.split('\n') }}" + when: awx_db_size_stat is defined + +- name: Print free disk space + debug: + msg: "{{ awx_disk_space_stat.stdout.split('\n') }}" + when: awx_disk_space_stat is defined + +- name: Print RAM usage statistics + debug: + msg: "{{ awx_ram_usage_stat.stdout.split('\n') }}" + when: awx_ram_usage_stat is defined + +- name: Print CPU usage statistics + debug: + msg: "{{ awx_cpu_usage_stat.stdout.split('\n') }}" + when: awx_cpu_usage_stat is defined + +- name: Print MAU value + debug: + msg: "{{ awx_mau_stat.stdout.split('\n') }}" + when: awx_mau_stat is defined - name: Print docker container statistics debug: - msg: "{{ docker_stats.stdout.split('\n') }}" - when: docker_stats is defined + msg: "{{ awx_docker_stats.stdout.split('\n') }}" + when: awx_docker_stats is defined diff --git a/roles/matrix-awx/tasks/set_variables_corporal.yml b/roles/matrix-awx/tasks/set_variables_corporal.yml index 6ae187c7..e911144d 100755 --- a/roles/matrix-awx/tasks/set_variables_corporal.yml +++ b/roles/matrix-awx/tasks/set_variables_corporal.yml @@ -1,3 +1,4 @@ +--- - name: Record Corporal Enabled/Disabled variable delegate_to: 127.0.0.1 
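Review bot: The `when: ... is defined` guards on the reordered `Print ...` tasks in this hunk never skip anything, because `register` defines the variable whether or not the command failed, and the `du` and `docker stats` tasks continue under `ignore_errors: yes`. If the intent is to skip printing when collection failed, `when: awx_local_media_size_stat is succeeded` (and likewise for the remote-media and docker-stats tasks) expresses that; for the tasks without `ignore_errors` the guard can simply go. A one-line comment explaining why the print tasks are now in reverse order of collection would also help, since the hunk gives no reason for it.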
@@ -62,7 +63,7 @@ insertafter: '# Corporal Settings Start' with_dict: 'matrix_corporal_http_api_enabled': 'false' - when: (matrix_corporal_policy_provider_mode == "Simple Static File") or (not matrix_corporal_enabled|bool) + when: (awx_corporal_policy_provider_mode == "Simple Static File") or (not matrix_corporal_enabled|bool) - name: Enable Corporal API if Push/Pull mode delected delegate_to: 127.0.0.1 @@ -73,7 +74,7 @@ insertafter: '# Corporal Settings Start' with_dict: 'matrix_corporal_http_api_enabled': 'true' - when: (matrix_corporal_policy_provider_mode != "Simple Static File") and (matrix_corporal_enabled|bool) + when: (awx_corporal_policy_provider_mode != "Simple Static File") and (matrix_corporal_enabled|bool) - name: Record Corporal API Access Token if it's defined delegate_to: 127.0.0.1 @@ -84,20 +85,22 @@ insertafter: '# Corporal Settings Start' with_dict: 'matrix_corporal_http_api_auth_token': '{{ matrix_corporal_http_api_auth_token }}' - when: matrix_corporal_http_api_auth_token|length > 0 + when: ( matrix_corporal_http_api_auth_token|length > 0 ) and ( awx_corporal_policy_provider_mode != "Simple Static File" ) - name: Record 'Simple Static File' configuration variables in matrix_vars.yml delegate_to: 127.0.0.1 blockinfile: path: '{{ awx_cached_matrix_vars }}' - insertafter: "# Corporal Policy Provider Settings Start" + insertbefore: "# Corporal Policy Provider Settings End" + marker_begin: "Corporal" + marker_end: "Corporal" block: | matrix_corporal_policy_provider_config: | { "Type": "static_file", "Path": "/etc/matrix-corporal/corporal-policy.json" } - when: matrix_corporal_policy_provider_mode == "Simple Static File" + when: awx_corporal_policy_provider_mode == "Simple Static File" - name: Touch the /matrix/corporal/ directory file: 
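Review bot: In the `@@ -84,20 +85,22 @@` hunk the new `marker_begin: "Corporal"` and `marker_end: "Corporal"` give `blockinfile` two identical marker lines, which, as far as I can tell from how the module locates an existing block, defeats its detection on re-runs and is likely to duplicate the policy-provider block instead of replacing it. Use distinct values, e.g. `marker_begin: "BEGIN Corporal"` and `marker_end: "END Corporal"` (constructed examples), or drop both and keep the default `{mark}` text. A comment on why the block is now anchored with `insertbefore: "# Corporal Policy Provider Settings End"` rather than after the start marker would also help.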
@@ -141,12 +144,12 @@ - name: Record 'Simple Static File' configuration content in corporal-policy.json copy: - content: "{{ matrix_corporal_simple_static_config | string }}" + content: "{{ awx_corporal_simple_static_config | string }}" dest: "/matrix/corporal/config/corporal-policy.json" owner: matrix group: matrix mode: '660' - when: (matrix_corporal_policy_provider_mode == "Simple Static File") and (matrix_corporal_simple_static_config|length > 0) + when: (awx_corporal_policy_provider_mode == "Simple Static File") and (awx_corporal_simple_static_config|length > 0) - name: Record 'HTTP Pull Mode' configuration variables in matrix_vars.yml delegate_to: 127.0.0.1 @@ -157,13 +160,13 @@ matrix_corporal_policy_provider_config: | { "Type": "http", - "Uri": "{{ matrix_corporal_pull_mode_uri }}", - "AuthorizationBearerToken": "{{ matrix_corporal_pull_mode_token }}", + "Uri": "{{ awx_corporal_pull_mode_uri }}", + "AuthorizationBearerToken": "{{ awx_corporal_pull_mode_token }}", "CachePath": "/var/cache/matrix-corporal/last-policy.json", "ReloadIntervalSeconds": 1800, "TimeoutMilliseconds": 30000 } - when: (matrix_corporal_policy_provider_mode == "HTTP Pull Mode (API Enabled)") and (matrix_corporal_pull_mode_uri|length > 0) and (matrix_corporal_pull_mode_token|length > 0) + when: (awx_corporal_policy_provider_mode == "HTTP Pull Mode (API Enabled)") and (matrix_corporal_pull_mode_uri|length > 0) and (awx_corporal_pull_mode_token|length > 0) - name: Record 'HTTP Push Mode' configuration variables in matrix_vars.yml delegate_to: 127.0.0.1 @@ -176,7 +179,7 @@ "Type": "last_seen_store_policy", "CachePath": "/var/cache/matrix-corporal/last-policy.json" } - when: (matrix_corporal_policy_provider_mode == "HTTP Push Mode (API Enabled)") + when: (awx_corporal_policy_provider_mode == "HTTP Push Mode (API Enabled)") - name: Lower RateLimit if set to 'Normal' delegate_to: 127.0.0.1 
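Review bot: In the `@@ -157,13 +160,13 @@` hunk the `when:` still tests `matrix_corporal_pull_mode_uri|length > 0` while the block body was switched to `awx_corporal_pull_mode_uri`, so the condition is evaluated against a stale variable, or errors as undefined once the old name is gone. It should read `when: (awx_corporal_policy_provider_mode == "HTTP Pull Mode (API Enabled)") and (awx_corporal_pull_mode_uri|length > 0) and (awx_corporal_pull_mode_token|length > 0)`.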
@@ -184,7 +187,7 @@ path: '{{ awx_cached_matrix_vars }}' regexp: ' address:\n per_second: 50\n burst_count: 300\n account:\n per_second: 0.17\n burst_count: 300' replace: ' address:\n per_second: 0.17\n burst_count: 3\n account:\n per_second: 0.17\n burst_count: 3' - when: matrix_corporal_raise_ratelimits == "Normal" + when: awx_corporal_raise_ratelimits == "Normal" - name: Raise RateLimit if set to 'Raised' delegate_to: 127.0.0.1 @@ -192,7 +195,7 @@ path: '{{ awx_cached_matrix_vars }}' regexp: ' address:\n per_second: 0.17\n burst_count: 3\n account:\n per_second: 0.17\n burst_count: 3' replace: ' address:\n per_second: 50\n burst_count: 300\n account:\n per_second: 0.17\n burst_count: 300' - when: matrix_corporal_raise_ratelimits == "Raised" + when: awx_corporal_raise_ratelimits == "Raised" - name: Save new 'Configure Corporal' survey.json to the AWX tower delegate_to: 127.0.0.1 @@ -218,13 +221,6 @@ - debug: msg: "matrix_corporal_matrix_registration_shared_secret: {{ matrix_corporal_matrix_registration_shared_secret }}" -- name: Collect AWX admin token the hard way! - delegate_to: 127.0.0.1 - shell: | - curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' - register: tower_token - no_log: True - - name: Recreate 'Configure Corporal (Advanced)' job template delegate_to: 127.0.0.1 awx.awx.tower_job_template: @@ -242,6 +238,6 @@ become_enabled: yes state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes diff --git a/roles/matrix-awx/tasks/set_variables_dimension.yml b/roles/matrix-awx/tasks/set_variables_dimension.yml index 53a4dbfc..d5e51c6b 100644 
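Review bot: The context line directly above the lines removed in the `@@ -218,13 +221,6 @@` hunk is a `debug` that prints `matrix_corporal_matrix_registration_shared_secret` in clear into the job output. It is pre-existing, but since this commit already tidies credential handling in this file (the `curl`-based token collection is gone), that debug should be removed or given `no_log: True` in the same pass. The enclosing task list continues outside the hunk.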
--- a/roles/matrix-awx/tasks/set_variables_dimension.yml +++ b/roles/matrix-awx/tasks/set_variables_dimension.yml @@ -1,3 +1,4 @@ +--- - name: Include vars in matrix_vars.yml include_vars: @@ -13,8 +14,8 @@ - name: Collect access token of Dimension user shell: | - curl -X POST --header 'Content-Type: application/json' -d '{ "identifier": { "type": "m.id.user","user": "dimension" }, "password": "{{ matrix_awx_dimension_user_password }}", "type": "m.login.password"}' 'https://matrix.{{ matrix_domain }}/_matrix/client/r0/login' | jq -c '. | {access_token}' | sed 's/.*\":\"//' | sed 's/\"}//' - register: dimension_user_access_token + curl -X POST --header 'Content-Type: application/json' -d '{ "identifier": { "type": "m.id.user","user": "dimension" }, "password": "{{ awx_dimension_user_password }}", "type": "m.login.password"}' 'https://matrix.{{ matrix_domain }}/_matrix/client/r0/login' | jq -c '. | {access_token}' | sed 's/.*\":\"//' | sed 's/\"}//' + register: awx_dimension_user_access_token - name: Record Synapse variables locally on AWX delegate_to: 127.0.0.1 @@ -25,17 +26,17 @@ insertafter: '# Dimension Settings Start' with_dict: 'matrix_dimension_enabled': '{{ matrix_dimension_enabled }}' - 'matrix_dimension_access_token': '"{{ dimension_user_access_token.stdout }}"' + 'matrix_dimension_access_token': '"{{ awx_dimension_user_access_token.stdout }}"' - name: Set final users list if users are defined set_fact: - ext_dimension_users_raw_final: "{{ ext_dimension_users_raw }}" - when: ext_dimension_users_raw|length > 0 + awx_dimension_users_final: "{{ awx_dimension_users }}" + when: awx_dimension_users | length > 0 - name: Set final users list if no users are defined set_fact: - ext_dimension_users_raw_final: '@dimension:{{ matrix_domain }}' - when: ext_dimension_users_raw|length == 0 + awx_dimension_users_final: '@dimension:{{ matrix_domain }}' + when: awx_dimension_users | length == 0 - name: Remove Dimension Users delegate_to: 127.0.0.1 
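Review bot: The `Collect access token of Dimension user` task in the `@@ -13,8 +14,8 @@` hunk sends `awx_dimension_user_password` on the `curl` command line and registers the result without `no_log`, so the password is kept in the registered `cmd` and shown in verbose or failed-task output; the analogous janitor login in purge_media_main.yml gets `no_log: True` in this same commit, and this task should too. The `jq -c ... | sed | sed` extraction could also be `jq -r '.access_token'`, which returns the bare token without the quote-stripping sed calls and yields `null` on a failed login that a `failed_when` could then catch.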
@@ -58,7 +59,7 @@ path: '{{ awx_cached_matrix_vars }}' insertafter: '^matrix_dimension_admins:' line: ' - "{{ item }}"' - with_items: "{{ ext_dimension_users_raw_final.splitlines() }}" + with_items: "{{ awx_dimension_users_final.splitlines() }}" - name: Record Dimension Custom variables locally on AWX delegate_to: 127.0.0.1 @@ -66,9 +67,9 @@ path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertafter: '# Custom Settings Start' + insertbefore: '# Dimension Settings End' with_dict: - 'ext_dimension_users_raw': '{{ ext_dimension_users_raw.splitlines() | to_json }}' + 'awx_dimension_users': '{{ awx_dimension_users.splitlines() | to_json }}' - name: Save new 'Configure Dimension' survey.json to the AWX tower, template delegate_to: 127.0.0.1 @@ -82,13 +83,6 @@ dest: '/matrix/awx/configure_dimension.json' mode: '0660' -- name: Collect AWX admin token the hard way! - delegate_to: 127.0.0.1 - shell: | - curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' - register: tower_token - no_log: True - - name: Recreate 'Configure Dimension' job template delegate_to: 127.0.0.1 awx.awx.tower_job_template: @@ -106,6 +100,6 @@ become_enabled: yes state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes diff --git a/roles/matrix-awx/tasks/set_variables_element.yml b/roles/matrix-awx/tasks/set_variables_element.yml index 29aac37f..491c91b3 100755 --- a/roles/matrix-awx/tasks/set_variables_element.yml +++ b/roles/matrix-awx/tasks/set_variables_element.yml 
@@ -1,3 +1,4 @@ +--- - name: Record Element-Web variables locally on AWX delegate_to: 127.0.0.1 
@@ -8,25 +9,142 @@ insertafter: '# Element Settings Start' with_dict: 'matrix_client_element_enabled': '{{ matrix_client_element_enabled }}' - 'matrix_client_element_jitsi_preferredDomain': '{{ matrix_client_element_jitsi_preferredDomain }}' - 'matrix_client_element_brand': '{{ matrix_client_element_brand }}' + 'matrix_client_element_jitsi_preferredDomain': 'jitsi.{{ matrix_domain }}' 'matrix_client_element_default_theme': '{{ matrix_client_element_default_theme }}' 'matrix_client_element_registration_enabled': '{{ matrix_client_element_registration_enabled }}' + 'matrix_client_element_brand': '{{ matrix_client_element_brand | trim }}' + 'matrix_client_element_branding_welcomeBackgroundUrl': '{{ matrix_client_element_branding_welcomeBackgroundUrl | trim }}' + 'matrix_client_element_welcome_logo': '{{ matrix_client_element_welcome_logo | trim }}' + 'matrix_client_element_welcome_logo_link': '{{ matrix_client_element_welcome_logo_link | trim }}' + +- name: Record Element-Web custom variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: '{{ item.value }}'" + insertbefore: '# Element Settings End' + with_dict: + 'awx_matrix_client_element_welcome_headline': '{{ awx_matrix_client_element_welcome_headline | trim }}' + 'awx_matrix_client_element_welcome_text': '{{ awx_matrix_client_element_welcome_text | trim }}' + +- name: Set Element-Web custom branding locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^#? 
*{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: '{{ item.value }}'" + insertafter: '# Element Settings Start' + with_dict: + 'matrix_client_element_brand': "{{ matrix_client_element_brand }}" + when: matrix_client_element_brand | trim | length > 0 + +- name: Remove Element-Web custom branding locally on AWX if not defined + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^matrix_client_element_brand: " + state: absent + when: matrix_client_element_brand | trim | length == 0 - name: Set fact for 'https' string set_fact: awx_https_string: "https" -- name: Record Element-Web Background variable locally on AWX +- name: Set Element-Web custom logo locally on AWX if defined delegate_to: 127.0.0.1 lineinfile: path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" - line: "{{ item.key }}: {{ item.value }}" + line: "{{ item.key }}: '{{ item.value }}'" + insertafter: '# Element Settings Start' + with_dict: + 'matrix_client_element_welcome_logo': '{{ matrix_client_element_welcome_logo }}' + when: ( awx_https_string in matrix_client_element_welcome_logo ) and ( matrix_client_element_welcome_logo | trim | length > 0 ) + +- name: Remove Element-Web custom logo locally on AWX if not defined + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^matrix_client_element_welcome_logo: " + state: absent + when: matrix_client_element_welcome_logo | trim | length == 0 + +- name: Set Element-Web custom logo link locally on AWX if defined + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^#? 
*{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: '{{ item.value }}'" + insertafter: '# Element Settings Start' + with_dict: + 'matrix_client_element_welcome_logo_link': '{{ matrix_client_element_welcome_logo_link }}' + when: ( awx_https_string in matrix_client_element_welcome_logo_link ) and ( matrix_client_element_welcome_logo_link | trim | length > 0 ) + +- name: Remove Element-Web custom logo link locally on AWX if not defined + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^matrix_client_element_welcome_logo_link: " + state: absent + when: matrix_client_element_welcome_logo_link | trim | length == 0 + +- name: Set Element-Web custom headline locally on AWX if defined + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: '{{ item.value }}'" + insertafter: '# Element Settings Start' + with_dict: + 'matrix_client_element_welcome_headline': '{{ awx_matrix_client_element_welcome_headline }}' + when: awx_matrix_client_element_welcome_headline | trim | length > 0 + +- name: Remove Element-Web custom headline locally on AWX if not defined + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^matrix_client_element_welcome_headline: " + state: absent + when: awx_matrix_client_element_welcome_headline | trim | length == 0 + +- name: Set Element-Web custom text locally on AWX if defined + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^#? 
*{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: '{{ item.value }}'" + insertafter: '# Element Settings Start' + with_dict: + 'matrix_client_element_welcome_text': '{{ awx_matrix_client_element_welcome_text }}' + when: awx_matrix_client_element_welcome_text | trim | length > 0 + +- name: Remove Element-Web custom text locally on AWX if not defined + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^matrix_client_element_welcome_text: " + state: absent + when: awx_matrix_client_element_welcome_text | trim | length == 0 + +- name: Set Element-Web background locally on AWX if defined + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: '{{ item.value }}'" insertafter: '# Element Settings Start' with_dict: 'matrix_client_element_branding_welcomeBackgroundUrl': '{{ matrix_client_element_branding_welcomeBackgroundUrl }}' - when: (awx_https_string in matrix_client_element_branding_welcomeBackgroundUrl) and ( matrix_client_element_branding_welcomeBackgroundUrl|length > 0 ) + when: matrix_client_element_branding_welcomeBackgroundUrl | trim | length > 0 + +- name: Remove Element-Web background locally on AWX if not defined + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^matrix_client_element_branding_welcomeBackgroundUrl: " + state: absent + when: matrix_client_element_branding_welcomeBackgroundUrl | trim | length == 0 - name: Save new 'Configure Element' survey.json to the AWX tower, template delegate_to: 127.0.0.1 
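Review bot: The `line: "{{ item.key }}: '{{ item.value }}'"` form used by the new branding, logo, headline, text and background tasks wraps free-text survey input in YAML single quotes without escaping, so a value containing `'` (a brand or headline such as `O'Reilly`) yields an invalid line in `awx_cached_matrix_vars`, and a value with an embedded newline would add its own line to that vars file. Rendering with `line: "{{ item.key }}: {{ item.value | to_json }}"`, as the `splitlines() | to_json` entries elsewhere in this change already do, produces a correctly quoted scalar for any input. The `awx_https_string in matrix_client_element_welcome_logo` guards (and the logo-link one) are substring tests rather than scheme checks, so `http://x/?https` passes; `matrix_client_element_welcome_logo | trim is match('^https://')` states the intent, and the background task dropped its https check entirely in this hunk, so it should get the same guard for consistency. The `"^#? *{{ … }}:"` regexp appears split across lines in this view, which looks like an extraction artifact rather than part of the change.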
@@ -40,13 +158,6 @@ dest: '/matrix/awx/configure_element.json' mode: '0660' -- name: Collect AWX admin token the hard way! - delegate_to: 127.0.0.1 - shell: | - curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' - register: tower_token - no_log: True - - name: Recreate 'Configure Element' job template delegate_to: 127.0.0.1 awx.awx.tower_job_template: @@ -64,6 +175,6 @@ become_enabled: yes state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes diff --git a/roles/matrix-awx/tasks/set_variables_element_subdomain.yml b/roles/matrix-awx/tasks/set_variables_element_subdomain.yml index 87259d0f..9e47be16 100644 --- a/roles/matrix-awx/tasks/set_variables_element_subdomain.yml +++ b/roles/matrix-awx/tasks/set_variables_element_subdomain.yml @@ -1,3 +1,4 @@ +--- - name: Record Element-Web variables locally on AWX delegate_to: 127.0.0.1 @@ -7,7 +8,7 @@ line: "{{ item.key }}: {{ item.value }}" insertafter: '# Element Settings Start' with_dict: - 'matrix_server_fqn_element': "{{ element_subdomain }}.{{ matrix_domain }}" + 'matrix_server_fqn_element': "{{ awx_element_subdomain | trim }}.{{ matrix_domain }}" - name: Save new 'Configure Element Subdomain' survey.json to the AWX tower, template delegate_to: 127.0.0.1 
@@ -21,13 +22,6 @@ dest: '/matrix/awx/configure_element_subdomain.json' mode: '0660' -- name: Collect AWX admin token the hard way! - delegate_to: 127.0.0.1 - shell: | - curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' - register: tower_token - no_log: True - - name: Recreate 'Configure Element Subdomain' job template delegate_to: 127.0.0.1 awx.awx.tower_job_template: @@ -44,6 +38,6 @@ survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element_subdomain.json') }}" state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes diff --git a/roles/matrix-awx/tasks/set_variables_jitsi.yml b/roles/matrix-awx/tasks/set_variables_jitsi.yml index 9c610685..2e8f1f8e 100755 --- a/roles/matrix-awx/tasks/set_variables_jitsi.yml +++ b/roles/matrix-awx/tasks/set_variables_jitsi.yml @@ -1,3 +1,4 @@ +--- - name: Record Jitsi variables locally on AWX delegate_to: 127.0.0.1 @@ -8,7 +9,7 @@ insertafter: '# Jitsi Settings Start' with_dict: 'matrix_jitsi_enabled': '{{ matrix_jitsi_enabled }}' - 'matrix_jitsi_web_config_defaultLanguage': '{{ matrix_jitsi_web_config_defaultLanguage }}' + 'matrix_jitsi_web_config_defaultLanguage': '{{ matrix_jitsi_web_config_defaultLanguage | trim }}' - name: Save new 'Configure Jitsi' survey.json to the AWX tower, template delegate_to: 127.0.0.1 
@@ -22,13 +23,6 @@ dest: '/matrix/awx/configure_jitsi.json' mode: '0660' -- name: Collect AWX admin token the hard way! - delegate_to: 127.0.0.1 - shell: | - curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' - register: tower_token - no_log: True - - name: Recreate 'Configure Jitsi' job template delegate_to: 127.0.0.1 awx.awx.tower_job_template: @@ -46,6 +40,6 @@ become_enabled: yes state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes diff --git a/roles/matrix-awx/tasks/set_variables_ma1sd.yml b/roles/matrix-awx/tasks/set_variables_ma1sd.yml index 853d8c09..0f4234f1 100755 --- a/roles/matrix-awx/tasks/set_variables_ma1sd.yml +++ b/roles/matrix-awx/tasks/set_variables_ma1sd.yml @@ -1,3 +1,4 @@ +--- - name: Record ma1sd variables locally on AWX delegate_to: 127.0.0.1 @@ -17,8 +18,8 @@ line: "{{ item.key }}: {{ item.value }}" insertafter: '# Synapse Extension Start' with_dict: - 'matrix_synapse_ext_password_provider_rest_auth_enabled': 'false' - when: ext_matrix_ma1sd_auth_store == 'Synapse Internal' + 'matrix_synapse_awx_password_provider_rest_auth_enabled': 'false' + when: awx_matrix_ma1sd_auth_store == 'Synapse Internal' - name: Enable REST auth if using external LDAP/AD with ma1sd delegate_to: 127.0.0.1 
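Review bot: The rename of `matrix_synapse_ext_password_provider_rest_auth_enabled` to `matrix_synapse_awx_password_provider_rest_auth_enabled` here, and of the `_rest_auth_endpoint` key in the next hunk, looks like a mechanical `ext_`→`awx_` substitution that also hit the synapse role's own variable names, which nothing else in this diff renames. Unless that role was changed in the same commit, the cached vars file now sets keys nothing consumes, and REST auth against ma1sd is silently never enabled for the `LDAP/AD` store. The `awx_` prefix should stay on the survey-input variables such as `awx_matrix_ma1sd_auth_store`, while the recorded keys keep their original names: `'matrix_synapse_ext_password_provider_rest_auth_enabled': 'true'` and `'matrix_synapse_ext_password_provider_rest_auth_endpoint': '"http://matrix-ma1sd:8090"'`.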
@@ -28,14 +29,9 @@ line: "{{ item.key }}: {{ item.value }}" insertafter: '# Synapse Extension Start' with_dict: - 'matrix_synapse_ext_password_provider_rest_auth_enabled': 'true' - 'matrix_synapse_ext_password_provider_rest_auth_endpoint': 'http://matrix-ma1sd:8090' - when: ext_matrix_ma1sd_auth_store == 'LDAP/AD' - -- name: Strip header from ma1sd configuration extension if using internal auth - set_fact: - ext_matrix_ma1sd_configuration_extension_yaml_parsed: "{{ ext_matrix_ma1sd_configuration_extension_yaml.splitlines() | reject('search', '^matrix_client_element_configuration_extension_json:') | list }}" - when: ext_matrix_ma1sd_auth_store == 'LDAP/AD' + 'matrix_synapse_awx_password_provider_rest_auth_enabled': 'true' + 'matrix_synapse_awx_password_provider_rest_auth_endpoint': '"http://matrix-ma1sd:8090"' + when: awx_matrix_ma1sd_auth_store == 'LDAP/AD' - name: Remove entire ma1sd configuration extension delegate_to: 127.0.0.1 @@ -52,22 +48,13 @@ regexp: '^# Start ma1sd Extension# End ma1sd Extension' replace: '# Start ma1sd Extension\n# End ma1sd Extension' -- name: Insert ma1sd configuration extension header if using external LDAP/AD with ma1sd +- name: Insert/Update ma1sd configuration extension variables delegate_to: 127.0.0.1 - lineinfile: + blockinfile: path: '{{ awx_cached_matrix_vars }}' - line: "matrix_ma1sd_configuration_extension_yaml: |" + marker: "# {mark} ma1sd ANSIBLE MANAGED BLOCK" insertafter: '# Start ma1sd Extension' - when: ext_matrix_ma1sd_auth_store == 'LDAP/AD' - -- name: Set ma1sd configuration extension if using external LDAP/AD with ma1sd - delegate_to: 127.0.0.1 - lineinfile: - path: '{{ awx_cached_matrix_vars }}' - insertbefore: '# End ma1sd Extension' - line: '{{ item }}' - with_items: "{{ ext_matrix_ma1sd_configuration_extension_yaml_parsed }}" - when: ext_matrix_ma1sd_auth_store == 'LDAP/AD' + block: '{{ awx_matrix_ma1sd_configuration_extension_yaml }}' - name: Record ma1sd Custom variables locally on AWX delegate_to: 127.0.0.1 
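Review bot: `block: '{{ awx_matrix_ma1sd_configuration_extension_yaml }}'` writes the survey text into `awx_cached_matrix_vars` verbatim, whereas the removed tasks at least placed it under a `matrix_ma1sd_configuration_extension_yaml: |` header; any top-level key in that text now becomes a playbook variable for the host, so a survey user can override arbitrary deployment variables rather than only ma1sd's configuration extension. Nothing in the diff shows whether the survey text is now expected to carry the header itself. Nesting the input under the intended key, e.g. `block: "matrix_ma1sd_configuration_extension_yaml: |\n{{ awx_matrix_ma1sd_configuration_extension_yaml | indent(2, true) }}"`, confines it to that one variable, and an `assert` that `awx_matrix_ma1sd_configuration_extension_yaml | from_yaml` parses to a mapping would reject malformed input before it corrupts the whole vars file.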
@@ -75,10 +62,11 @@ path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertbefore: '# Custom Settings Start' + insertbefore: '# ma1sd Settings End' with_dict: - 'ext_matrix_ma1sd_auth_store': '{{ ext_matrix_ma1sd_auth_store }}' - 'ext_matrix_ma1sd_configuration_extension_yaml': '{{ ext_matrix_ma1sd_configuration_extension_yaml.splitlines() | to_json }}' + 'awx_matrix_ma1sd_auth_store': '{{ awx_matrix_ma1sd_auth_store }}' + 'awx_matrix_ma1sd_configuration_extension_yaml': '{{ awx_matrix_ma1sd_configuration_extension_yaml.splitlines() | to_json }}' + no_log: True - name: Save new 'Configure ma1sd' survey.json to the AWX tower, template delegate_to: 127.0.0.1 @@ -92,13 +80,6 @@ dest: '/matrix/awx/configure_ma1sd.json' mode: '0660' -- name: Collect AWX admin token the hard way! - delegate_to: 127.0.0.1 - shell: | - curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' - register: tower_token - no_log: True - - name: Recreate 'Configure ma1sd (Advanced)' job template delegate_to: 127.0.0.1 awx.awx.tower_job_template: @@ -116,7 +97,7 @@ become_enabled: yes state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes diff --git a/roles/matrix-awx/tasks/set_variables_mailer.yml b/roles/matrix-awx/tasks/set_variables_mailer.yml new file mode 100644 index 00000000..2ae2d513 --- /dev/null +++ b/roles/matrix-awx/tasks/set_variables_mailer.yml 
@@ -0,0 +1,44 @@ +--- + +- name: Record Mailer variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Email Settings Start' + with_dict: + 'matrix_mailer_relay_use': '{{ matrix_mailer_relay_use }}' + +- name: Save new 'Configure Email Relay' survey.json to the AWX tower, template + delegate_to: 127.0.0.1 + template: + src: 'roles/matrix-awx/surveys/configure_email_relay.json.j2' + dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_email_relay.json' + +- name: Copy new 'Configure Email Relay' survey.json to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_email_relay.json' + dest: '/matrix/awx/configure_email_relay.json' + mode: '0660' + +- name: Recreate 'Configure Email Relay' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 1 - Configure Email Relay" + description: "Enable MailGun relay to increase verification email reliability." + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "start,setup-mailer" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + survey_enabled: true + survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_email_relay.json') }}" + become_enabled: yes + state: present + verbosity: 1 + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" + validate_certs: yes diff --git a/roles/matrix-awx/tasks/set_variables_synapse.yml b/roles/matrix-awx/tasks/set_variables_synapse.yml index 6459f5a2..f0fe2369 100755 
--- a/roles/matrix-awx/tasks/set_variables_synapse.yml +++ b/roles/matrix-awx/tasks/set_variables_synapse.yml @@ -1,13 +1,13 @@ -- name: Limit max upload size to 100MB part 1 +- name: Limit max upload size to 200MB part 1 set_fact: - matrix_synapse_max_upload_size_mb: "100" - when: matrix_synapse_max_upload_size_mb_raw|int >= 100 + matrix_synapse_max_upload_size_mb: "200" + when: awx_synapse_max_upload_size_mb | int >= 200 -- name: Limit max upload size to 100MB part 2 +- name: Limit max upload size to 200MB part 2 set_fact: - matrix_synapse_max_upload_size_mb: "{{ matrix_synapse_max_upload_size_mb_raw }}" - when: matrix_synapse_max_upload_size_mb_raw|int < 100 + matrix_synapse_max_upload_size_mb: "{{ awx_synapse_max_upload_size_mb }}" + when: awx_synapse_max_upload_size_mb | int < 200 - name: Record Synapse variables locally on AWX delegate_to: 127.0.0.1 @@ -32,13 +32,13 @@ path: '{{ awx_cached_matrix_vars }}' regexp: "^matrix_synapse_auto_join_rooms: .*$" replace: "matrix_synapse_auto_join_rooms: []" - when: matrix_synapse_auto_join_rooms_raw|length == 0 + when: awx_synapse_auto_join_rooms | length == 0 - name: If the raw inputs is not empty start constructing parsed auto_join_rooms list set_fact: - matrix_synapse_auto_join_rooms_array: |- - {{ matrix_synapse_auto_join_rooms_raw.splitlines() | to_json }} - when: matrix_synapse_auto_join_rooms_raw|length > 0 + awx_synapse_auto_join_rooms_array: |- + {{ awx_synapse_auto_join_rooms.splitlines() | to_json }} + when: awx_synapse_auto_join_rooms | length > 0 - name: Record Synapse variable 'matrix_synapse_auto_join_rooms' locally on AWX, if it's not blank delegate_to: 127.0.0.1 
@@ -48,8 +48,8 @@ line: "{{ item.key }}: {{ item.value }}" insertafter: '# Synapse Settings Start' with_dict: - "matrix_synapse_auto_join_rooms": "{{ matrix_synapse_auto_join_rooms_array }}" - when: matrix_synapse_auto_join_rooms_raw|length > 0 + "matrix_synapse_auto_join_rooms": "{{ awx_synapse_auto_join_rooms_array }}" + when: awx_synapse_auto_join_rooms | length > 0 - name: Record Synapse Shared Secret if it's defined delegate_to: 127.0.0.1 @@ -59,33 +59,33 @@ line: "{{ item.key }}: {{ item.value }}" insertafter: '# Synapse Settings Start' with_dict: - 'matrix_synapse_registration_shared_secret': '{{ ext_matrix_synapse_registration_shared_secret }}' - when: ext_matrix_synapse_registration_shared_secret|length > 0 + 'matrix_synapse_registration_shared_secret': '{{ awx_matrix_synapse_registration_shared_secret }}' + when: awx_matrix_synapse_registration_shared_secret | length > 0 - name: Record registations_require_3pid extra variable if true delegate_to: 127.0.0.1 lineinfile: path: '{{ awx_cached_matrix_vars }}' - regexp: "{{ item }}:" + regexp: "{{ item }}" line: "{{ item }}" insertbefore: '# Synapse Extension End' with_items: - " registrations_require_3pid:" - " - email" - when: ext_registrations_require_3pid|bool + when: awx_registrations_require_3pid | bool - name: Remove registrations_require_3pid extra variable if false delegate_to: 127.0.0.1 lineinfile: path: '{{ awx_cached_matrix_vars }}' - regexp: "{{ item }}:" + regexp: "{{ item }}" line: "{{ item }}" insertbefore: '# Synapse Extension End' state: absent with_items: - " registrations_require_3pid:" - " - email" - when: not ext_registrations_require_3pid|bool + when: not awx_registrations_require_3pid | bool - name: Remove URL Languages delegate_to: 127.0.0.1 
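Review bot: The `Record Synapse Shared Secret if it's defined` task writes `awx_matrix_synapse_registration_shared_secret` through `lineinfile` with no `no_log`, so the secret is printed in the AWX job output for that task's item; the same applies to `recaptcha_private_key` and `awx_recaptcha_private_key` in the two recording tasks of the `@@ -181,9 +170,23 @@` hunk. This commit adds `no_log: True` to the ma1sd custom-variables task for exactly this reason, so those three tasks should carry the same line. Separately, dropping the trailing `:` from `regexp: "{{ item }}"` makes the `- email` removal work, but the pattern is unanchored and unescaped, so `regexp: "^{{ item | regex_escape() }}$"` limits it to the intended lines.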
@@ -97,21 +97,21 @@ - name: Set URL languages default if raw inputs empty set_fact: - ext_url_preview_accept_language_default: 'en' - when: ext_url_preview_accept_language_raw|length == 0 + awx_url_preview_accept_language_default: 'en' + when: awx_url_preview_accept_language | length == 0 - name: Set URL languages default if raw inputs not empty set_fact: - ext_url_preview_accept_language_default: "{{ ext_url_preview_accept_language_raw }}" - when: ext_url_preview_accept_language_raw|length > 0 + awx_url_preview_accept_language_default: "{{ awx_url_preview_accept_language }}" + when: awx_url_preview_accept_language|length > 0 - name: Set URL languages if raw inputs empty delegate_to: 127.0.0.1 lineinfile: path: '{{ awx_cached_matrix_vars }}' insertafter: '^ url_preview_accept_language:' - line: " - {{ ext_url_preview_accept_language_default }}" - when: ext_url_preview_accept_language_raw|length == 0 + line: " - {{ awx_url_preview_accept_language_default }}" + when: awx_url_preview_accept_language|length == 0 - name: Set URL languages if raw inputs not empty delegate_to: 127.0.0.1 @@ -119,8 +119,8 @@ path: '{{ awx_cached_matrix_vars }}' insertafter: '^ url_preview_accept_language:' line: " - {{ item }}" - with_items: "{{ ext_url_preview_accept_language_raw.splitlines() }}" - when: ext_url_preview_accept_language_raw|length > 0 + with_items: "{{ awx_url_preview_accept_language.splitlines() }}" + when: awx_url_preview_accept_language | length > 0 - name: Remove Federation Whitelisting 1 delegate_to: 127.0.0.1 @@ -143,7 +143,7 @@ path: '{{ awx_cached_matrix_vars }}' insertafter: '^matrix_synapse_configuration_extension_yaml: \|' line: " federation_domain_whitelist:" - when: ext_federation_whitelist_raw|length > 0 + when: awx_federation_whitelist | length > 0 - name: Set Federation Whitelisting 2 delegate_to: 127.0.0.1 
@@ -151,27 +151,16 @@ path: '{{ awx_cached_matrix_vars }}' insertafter: '^ federation_domain_whitelist:' line: " - {{ item }}" - with_items: "{{ ext_federation_whitelist_raw.splitlines() }}" - when: ext_federation_whitelist_raw|length > 0 + with_items: "{{ awx_federation_whitelist.splitlines() }}" + when: awx_federation_whitelist | length > 0 -- name: Record Synapse Custom variables locally on AWX - delegate_to: 127.0.0.1 - lineinfile: - path: '{{ awx_cached_matrix_vars }}' - regexp: "^#? *{{ item.key | regex_escape() }}:" - line: "{{ item.key }}: {{ item.value }}" - insertafter: '# Custom Settings Start' - with_dict: - 'ext_federation_whitelist_raw': '{{ ext_federation_whitelist_raw.splitlines() | to_json }}' - 'ext_url_preview_accept_language_default': '{{ ext_url_preview_accept_language_default.splitlines() | to_json }}' +- name: Set awx_recaptcha_public_key to a 'public-key' if undefined + set_fact: awx_recaptcha_public_key="public-key" + when: (awx_recaptcha_public_key is not defined) or (awx_recaptcha_public_key|length == 0) -- name: Set ext_recaptcha_public_key to a 'public-key' if undefined - set_fact: ext_recaptcha_public_key="public-key" - when: (ext_recaptcha_public_key is not defined) or (ext_recaptcha_public_key|length == 0) - -- name: Set ext_recaptcha_private_key to a 'private-key' if undefined - set_fact: ext_recaptcha_private_key="private-key" - when: (ext_recaptcha_private_key is not defined) or (ext_recaptcha_private_key|length == 0) +- name: Set awx_recaptcha_private_key to a 'private-key' if undefined + set_fact: awx_recaptcha_private_key="private-key" + when: (awx_recaptcha_private_key is not defined) or (awx_recaptcha_private_key|length == 0) - name: Record Synapse Extension variables locally on AWX delegate_to: 127.0.0.1 
@@ -181,9 +170,23 @@ line: "{{ item.key }}: {{ item.value }}" insertbefore: '# Synapse Extension End' with_dict: - ' enable_registration_captcha': '{{ ext_enable_registration_captcha }}' - ' recaptcha_public_key': '{{ ext_recaptcha_public_key }}' - ' recaptcha_private_key': '{{ ext_recaptcha_private_key }}' + ' enable_registration_captcha': '{{ awx_enable_registration_captcha }}' + ' recaptcha_public_key': '{{ awx_recaptcha_public_key }}' + ' recaptcha_private_key': '{{ awx_recaptcha_private_key }}' + +- name: Record Synapse Custom variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertbefore: '# Synapse Settings End' + with_dict: + 'awx_federation_whitelist': '{{ awx_federation_whitelist.splitlines() | to_json }}' + 'awx_url_preview_accept_language_default': '{{ awx_url_preview_accept_language_default.splitlines() | to_json }}' + 'awx_enable_registration_captcha': '{{ awx_enable_registration_captcha }}' + 'awx_recaptcha_public_key': '"{{ awx_recaptcha_public_key }}"' + 'awx_recaptcha_private_key': '"{{ awx_recaptcha_private_key }}"' - name: Save new 'Configure Synapse' survey.json to the AWX tower, template delegate_to: 127.0.0.1 @@ -197,13 +200,6 @@ dest: '/matrix/awx/configure_synapse.json' mode: '0660' -- name: Collect AWX admin token the hard way! - delegate_to: 127.0.0.1 - shell: | - curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' - register: tower_token - no_log: True - - name: Recreate 'Configure Synapse' job template delegate_to: 127.0.0.1 awx.awx.tower_job_template: 
@@ -221,6 +217,6 @@ become_enabled: yes state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes diff --git a/roles/matrix-awx/tasks/set_variables_synapse_admin.yml b/roles/matrix-awx/tasks/set_variables_synapse_admin.yml index fa922de4..635befb5 100644 --- a/roles/matrix-awx/tasks/set_variables_synapse_admin.yml +++ b/roles/matrix-awx/tasks/set_variables_synapse_admin.yml @@ -1,3 +1,4 @@ +--- - name: Record Synapse Admin variables locally on AWX delegate_to: 127.0.0.1 @@ -21,13 +22,6 @@ dest: '/matrix/awx/configure_synapse_admin.json' mode: '0660' -- name: Collect AWX admin token the hard way! - delegate_to: 127.0.0.1 - shell: | - curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' - register: tower_token - no_log: True - - name: Recreate 'Configure Synapse Admin' job template delegate_to: 127.0.0.1 awx.awx.tower_job_template: @@ -45,6 +39,6 @@ become_enabled: yes state: present verbosity: 1 - tower_host: "https://{{ tower_host }}" - tower_oauthtoken: "{{ tower_token.stdout }}" + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" validate_certs: yes diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index ab0b13f0..9429b1b6 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml 
@@ -11,6 +11,9 @@ matrix_domain: ~ # This and the Element FQN (see below) are expected to be on the same server. matrix_server_fqn_matrix: "matrix.{{ matrix_domain }}" +# This is where you access federation API. +matrix_server_fqn_matrix_federation: '{{ matrix_server_fqn_matrix }}' + # This is where you access the Element web UI from (if enabled via matrix_client_element_enabled; enabled by default). # This and the Matrix FQN (see above) are expected to be on the same server. matrix_server_fqn_element: "element.{{ matrix_domain }}" @@ -83,8 +86,8 @@ matrix_host_command_openssl: "/usr/bin/env openssl" matrix_host_command_systemctl: "/usr/bin/env systemctl" matrix_host_command_sh: "/usr/bin/env sh" -matrix_ntpd_package: "ntp" -matrix_ntpd_service: "{{ 'ntpd' if ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux' else 'ntp' }}" +matrix_ntpd_package: "{{ 'systemd-timesyncd' if (ansible_distribution == 'CentOS' and ansible_distribution_major_version > '7') or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version > '18') else ( 'systemd' if ansible_os_family == 'Suse' else 'ntp' ) }}" +matrix_ntpd_service: "{{ 'systemd-timesyncd' if (ansible_distribution == 'CentOS' and ansible_distribution_major_version > '7') or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version > '18') or ansible_distribution == 'Archlinux' or ansible_os_family == 'Suse' else ('ntpd' if ansible_os_family == 'RedHat' else 'ntp') }}" matrix_homeserver_url: "https://{{ matrix_server_fqn_matrix }}" diff --git a/roles/matrix-base/tasks/server_base/setup.yml b/roles/matrix-base/tasks/server_base/setup.yml index 64f461ef..0869e501 100644 --- a/roles/matrix-base/tasks/server_base/setup.yml +++ b/roles/matrix-base/tasks/server_base/setup.yml 
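Review bot: The `ansible_distribution_major_version > '7'` and `> '18'` comparisons in the new `matrix_ntpd_package` and `matrix_ntpd_service` expressions compare strings, not numbers, so they only hold while both sides have the same number of digits: a future CentOS `'10'` sorts below `'7'` and falls back to the `ntp` branch, and the `< '8'`/`> '7'` pair added in `server_base/setup.yml` has the same problem and would route such a host to `setup_centos.yml`. Casting first, `ansible_distribution_major_version | int > 7` (and `| int > 18`, `| int < 8` in the include conditions), makes the intent explicit and version-proof.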
@@ -1,7 +1,10 @@ --- - include_tasks: "{{ role_path }}/tasks/server_base/setup_centos.yml" - when: ansible_distribution == 'CentOS' + when: ansible_distribution == 'CentOS' and ansible_distribution_major_version < '8' + +- include_tasks: "{{ role_path }}/tasks/server_base/setup_centos8.yml" + when: ansible_distribution == 'CentOS' and ansible_distribution_major_version > '7' - block: # ansible_lsb is only available if lsb-release is installed. diff --git a/roles/matrix-base/tasks/server_base/setup_archlinux.yml b/roles/matrix-base/tasks/server_base/setup_archlinux.yml index 3814305d..d08cafc0 100644 --- a/roles/matrix-base/tasks/server_base/setup_archlinux.yml +++ b/roles/matrix-base/tasks/server_base/setup_archlinux.yml @@ -4,7 +4,6 @@ pacman: name: - python-docker - - "{{ matrix_ntpd_package }}" # TODO This needs to be verified. Which version do we need? - fuse3 - python-dnspython diff --git a/roles/matrix-base/tasks/server_base/setup_centos8.yml b/roles/matrix-base/tasks/server_base/setup_centos8.yml new file mode 100644 index 00000000..01666197 --- /dev/null +++ b/roles/matrix-base/tasks/server_base/setup_centos8.yml 
@@ -0,0 +1,47 @@ +--- + +- name: Ensure Docker repository is enabled + template: + src: "{{ role_path }}/files/yum.repos.d/{{ item }}" + dest: "/etc/yum.repos.d/{{ item }}" + owner: "root" + group: "root" + mode: 0644 + with_items: + - docker-ce.repo + when: matrix_docker_installation_enabled|bool and matrix_docker_package_name == 'docker-ce' + +- name: Ensure Docker's RPM key is trusted + rpm_key: + state: present + key: https://download.docker.com/linux/centos/gpg + when: matrix_docker_installation_enabled|bool and matrix_docker_package_name == 'docker-ce' + +- name: Ensure EPEL is installed + yum: + name: + - epel-release + state: latest + update_cache: yes + +- name: Ensure yum packages are installed + yum: + name: + - "{{ matrix_ntpd_package }}" + - fuse + state: latest + update_cache: yes + +- name: Ensure Docker is installed + yum: + name: + - "{{ matrix_docker_package_name }}" + - python3-pip + state: latest + when: matrix_docker_installation_enabled|bool + +- name: Ensure Docker-Py is installed + pip: + name: docker-py + state: latest + when: matrix_docker_installation_enabled|bool \ No newline at end of file diff --git a/roles/matrix-base/tasks/server_base/setup_debian.yml b/roles/matrix-base/tasks/server_base/setup_debian.yml index 54e52c1b..37706d1f 100644 --- a/roles/matrix-base/tasks/server_base/setup_debian.yml +++ b/roles/matrix-base/tasks/server_base/setup_debian.yml 
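Review bot: `Ensure Docker-Py is installed` pulls `docker-py` from PyPI with `state: latest` on every run; `docker-py` is the deprecated name of the `docker` package and installs into the same module namespace, so it conflicts with a distro `python3-docker`, and an unpinned PyPI install is an unverified supply-chain input on the host that runs the homeserver. The Arch task file in this diff uses the distro package (`python-docker`), so a `yum`-installed `python3-docker` (if available from the EPEL repository this file enables), or at least a pinned `version:` on the `pip` task, would be more consistent. `rpm_key` with `key: https://download.docker.com/linux/centos/gpg` trusts whatever that URL serves; adding `fingerprint: <DOCKER_GPG_KEY_FINGERPRINT placeholder>` pins the key being imported. `state: latest` on `matrix_docker_package_name` also means a routine playbook run can upgrade and restart Docker underneath the running containers, where `state: present` matches what a setup task is expected to do.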
@@ -23,14 +23,7 @@ repo: "deb [arch={{ matrix_debian_arch }}] https://download.docker.com/linux/{{ ansible_distribution|lower }} {{ ansible_distribution_release }} stable" state: present update_cache: yes - when: matrix_docker_installation_enabled|bool and matrix_docker_package_name == 'docker-ce' and not ansible_distribution_release == 'bullseye' - -- name: Ensure Docker repository is enabled (using Debian Buster on Debian Bullseye, for which there is no Docker yet) - apt_repository: - repo: "deb [arch={{ matrix_debian_arch }}] https://download.docker.com/linux/{{ ansible_distribution|lower }} buster stable" - state: present - update_cache: yes - when: matrix_docker_installation_enabled|bool and matrix_docker_package_name == 'docker-ce' and ansible_distribution_release == 'bullseye' + when: matrix_docker_installation_enabled|bool and matrix_docker_package_name == 'docker-ce' - name: Ensure APT packages are installed apt: diff --git a/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 b/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 index 8349a15c..3bc7346d 100644 --- a/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 +++ b/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 @@ -1,4 +1,4 @@ #jinja2: lstrip_blocks: "True" { - "m.server": "{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}" + "m.server": "{{ matrix_server_fqn_matrix_federation }}:{{ matrix_federation_public_port }}" } diff --git a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml index 775dadcc..3e955673 100644 --- a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml +++ b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml 
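Review bot: The `m.server` value in matrix-server.j2 now reads `matrix_server_fqn_matrix_federation`, but no default for that variable appears in this chunk; if it is not defined alongside this commit the template fails to render and the `.well-known/matrix/server` delegation file that every federating peer depends on is not produced. Please confirm it is declared with a default of `"{{ matrix_server_fqn_matrix }}"` so existing deployments keep their current delegation target, and add a comment next to the default noting that the host named here must present a TLS certificate valid for that name. The setup_debian.yml hunk sharing this line only removes the Bullseye workaround and raises nothing.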
@@ -2,7 +2,12 @@ # See: https://github.com/anoadragon453/matrix-reminder-bot matrix_bot_matrix_reminder_bot_enabled: true -matrix_bot_matrix_reminder_bot_version: release-v0.2.0 + +matrix_bot_matrix_reminder_bot_container_self_build: false +matrix_bot_matrix_reminder_bot_docker_repo: "https://github.com/anoadragon453/matrix-reminder-bot.git" +matrix_bot_matrix_reminder_bot_docker_src_files_path: "{{ matrix_base_data_path }}/matrix-reminder-bot/docker-src" + +matrix_bot_matrix_reminder_bot_version: release-v0.2.1 matrix_bot_matrix_reminder_bot_docker_image: "{{ matrix_container_global_registry_prefix }}anoa/matrix-reminder-bot:{{ matrix_bot_matrix_reminder_bot_version }}" matrix_bot_matrix_reminder_bot_docker_image_force_pull: "{{ matrix_bot_matrix_reminder_bot_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml b/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml index 195485e4..dada8167 100644 --- a/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml +++ b/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml @@ -37,6 +37,7 @@ - { path: "{{ matrix_bot_matrix_reminder_bot_config_path }}", when: true } - { path: "{{ matrix_bot_matrix_reminder_bot_data_path }}", when: true } - { path: "{{ matrix_bot_matrix_reminder_bot_data_store_path }}", when: true } + - { path: "{{ matrix_bot_matrix_reminder_bot_docker_src_files_path }}", when: true} when: "item.when|bool" - name: Ensure matrix-reminder-bot image is pulled 
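Review bot: The new `docker-src` path entry in the `@@ -37,6 +37,7 @@` hunk is created unconditionally (`when: true}`), so every installation grows an empty `matrix-reminder-bot/docker-src` directory even with `matrix_bot_matrix_reminder_bot_container_self_build: false`. The mjolnir and appservice-webhooks hunks in this same commit gate the equivalent entry on the self-build flag; for consistency use `- { path: "{{ matrix_bot_matrix_reminder_bot_docker_src_files_path }}", when: "{{ matrix_bot_matrix_reminder_bot_container_self_build }}" }`. The enclosing `with_items` task starts outside the hunk.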
@@ -45,6 +46,27 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_bot_matrix_reminder_bot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_matrix_reminder_bot_docker_image_force_pull }}" + when: "not matrix_bot_matrix_reminder_bot_container_self_build|bool" + +- name: Ensure matrix-reminder-bot repository is present on self-build + git: + repo: "{{ matrix_bot_matrix_reminder_bot_docker_repo }}" + dest: "{{ matrix_bot_matrix_reminder_bot_docker_src_files_path }}" + force: "yes" + register: matrix_bot_matrix_reminder_bot_git_pull_results + when: "matrix_bot_matrix_reminder_bot_container_self_build|bool" + +- name: Ensure matrix-reminder-bot image is built + docker_image: + name: "{{ matrix_bot_matrix_reminder_bot_docker_image }}" + source: build + force_source: "{{ matrix_bot_matrix_reminder_bot_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + build: + dockerfile: docker/Dockerfile + path: "{{ matrix_bot_matrix_reminder_bot_docker_src_files_path }}" + pull: yes + when: "matrix_bot_matrix_reminder_bot_container_self_build|bool" - name: Ensure matrix-reminder-bot config installed copy: diff --git a/roles/matrix-bot-mjolnir/defaults/main.yml b/roles/matrix-bot-mjolnir/defaults/main.yml index f97e997c..6e7331c4 100644 --- a/roles/matrix-bot-mjolnir/defaults/main.yml +++ b/roles/matrix-bot-mjolnir/defaults/main.yml 
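Review bot: In the new `Ensure matrix-reminder-bot image is built` task the `force:` fallback reads `matrix_mailer_git_pull_results.changed`, which is a copy-paste from another role and is undefined here, so on Ansible < 2.8 the task aborts on an undefined variable instead of building; it should be `force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_matrix_reminder_bot_git_pull_results.changed }}"`. The `git` task above it has no `version:`, so a self-build checks out the repository's default branch while the resulting image is tagged with `matrix_bot_matrix_reminder_bot_version` (`release-v0.2.1` per the defaults hunk), mislabelling what actually runs. Pin `version:` to a ref matching that release, as the mjolnir hunk in this commit does; the Docker tag and the upstream git tag may be spelled differently, so confirm against the repository before reusing the version variable directly.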
@@ -2,13 +2,21 @@ # See: https://github.com/matrix-org/mjolnir matrix_bot_mjolnir_enabled: true -matrix_bot_mjolnir_version: "v0.1.17" -matrix_bot_mjolnir_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/mjolnir:{{ matrix_bot_mjolnir_version }}" + +matrix_bot_mjolnir_version: "v1.1.20" + +matrix_bot_mjolnir_container_image_self_build: false +matrix_bot_mjolnir_container_image_self_build_repo: "https://github.com/matrix-org/mjolnir.git" + +matrix_bot_mjolnir_docker_image: "{{ matrix_bot_mjolnir_docker_image_name_prefix }}matrixdotorg/mjolnir:{{ matrix_bot_mjolnir_version }}" +matrix_bot_mjolnir_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_mjolnir_container_image_self_build else matrix_container_global_registry_prefix }}" + matrix_bot_mjolnir_docker_image_force_pull: "{{ matrix_bot_mjolnir_docker_image.endswith(':latest') }}" matrix_bot_mjolnir_base_path: "{{ matrix_base_data_path }}/mjolnir" matrix_bot_mjolnir_config_path: "{{ matrix_bot_mjolnir_base_path }}/config" matrix_bot_mjolnir_data_path: "{{ matrix_bot_mjolnir_base_path }}/data" +matrix_bot_mjolnir_docker_src_files_path: "{{ matrix_bot_mjolnir_base_path }}/docker-src" # A list of extra arguments to pass to the container matrix_bot_mjolnir_container_extra_arguments: [] diff --git a/roles/matrix-bot-mjolnir/tasks/init.yml b/roles/matrix-bot-mjolnir/tasks/init.yml index d54684d2..b8ab58f1 100644 --- a/roles/matrix-bot-mjolnir/tasks/init.yml +++ b/roles/matrix-bot-mjolnir/tasks/init.yml 
@@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Mjolnir image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_bot_mjolnir_container_image_self_build and matrix_bot_mjolnir_enabled" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-mjolnir.service'] }}" when: matrix_bot_mjolnir_enabled|bool diff --git a/roles/matrix-bot-mjolnir/tasks/setup_install.yml b/roles/matrix-bot-mjolnir/tasks/setup_install.yml index 4c18bf6a..e770b6d5 100644 --- a/roles/matrix-bot-mjolnir/tasks/setup_install.yml +++ b/roles/matrix-bot-mjolnir/tasks/setup_install.yml 
@@ -14,14 +14,36 @@ - { path: "{{ matrix_bot_mjolnir_base_path }}", when: true } - { path: "{{ matrix_bot_mjolnir_config_path }}", when: true } - { path: "{{ matrix_bot_mjolnir_data_path }}", when: true } + - { path: "{{ matrix_bot_mjolnir_docker_src_files_path }}", when: "{{ matrix_bot_mjolnir_container_image_self_build }}" } when: "item.when|bool" -- name: Ensure mjolnir image is pulled +- name: Ensure mjolnir Docker image is pulled docker_image: name: "{{ matrix_bot_mjolnir_docker_image }}" source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_bot_mjolnir_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_mjolnir_docker_image_force_pull }}" + when: "not matrix_bot_mjolnir_container_image_self_build|bool" + +- name: Ensure mjolnir repository is present on self-build + git: + repo: "{{ matrix_bot_mjolnir_container_image_self_build_repo }}" + dest: "{{ matrix_bot_mjolnir_docker_src_files_path }}" + version: "{{ matrix_bot_mjolnir_docker_image.split(':')[1] }}" + force: "yes" + register: matrix_bot_mjolnir_git_pull_results + when: "matrix_bot_mjolnir_container_image_self_build|bool" + +- name: Ensure mjolnir Docker image is built + docker_image: + name: "{{ matrix_bot_mjolnir_docker_image }}" + source: build + force_source: "{{ matrix_bot_mjolnir_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_bot_mjolnir_docker_src_files_path }}" + pull: yes + when: "matrix_bot_mjolnir_container_image_self_build|bool" - name: Ensure matrix-bot-mjolnir config installed copy: diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index bdf49f65..35432aa0 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml 
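Review bot: `version: "{{ matrix_bot_mjolnir_docker_image.split(':')[1] }}"` in the new git task derives the checkout ref from the image name, which breaks as soon as `matrix_container_global_registry_prefix` contains a port (a constructed example: a `registry.example:5000/` prefix yields `5000/matrixdotorg/mjolnir` as the ref), and when self-building the prefix is `localhost/` anyway, so the indirection buys nothing. The defaults hunk already exposes the tag as `matrix_bot_mjolnir_version`; use `version: "{{ matrix_bot_mjolnir_version }}"`. `force_source` here has no Ansible-version guard unlike the reminder-bot and webhooks hunks, which is only safe because init.yml now fails self-builds on Ansible < 2.8 — a one-line comment stating that dependency would help the next maintainer.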
@@ -7,7 +7,7 @@ matrix_appservice_irc_container_self_build: false matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git" matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src" -matrix_appservice_irc_version: release-0.26.0 +matrix_appservice_irc_version: release-0.31.0 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-appservice-irc/tasks/init.yml b/roles/matrix-bridge-appservice-irc/tasks/init.yml index b9a58e00..e1355796 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/init.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_irc_container_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_irc_container_self_build and matrix_appservice_irc_enabled" # If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. # We don't want to fail in such cases. diff --git a/roles/matrix-bridge-appservice-slack/defaults/main.yml b/roles/matrix-bridge-appservice-slack/defaults/main.yml index bb801273..10b3d7b4 100644 --- a/roles/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml 
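Review bot: The guard's `when:` now also requires `matrix_appservice_irc_enabled`, but the `msg:` directly above it still says "To self-build the Element image", so an operator hitting this failure is pointed at the wrong component; `msg: "To self-build the matrix-appservice-irc image, you should use Ansible 2.8 or higher. See docs/ansible.md"`. The matrix-appservice-slack init.yml hunk on the next line has the same mismatch. Both `when:` expressions also use the two flags without `|bool`, unlike the rest of these roles, so a quoted string value for either flag would be treated as truthy.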
@@ -7,7 +7,7 @@ matrix_appservice_slack_container_self_build: false matrix_appservice_slack_docker_repo: "https://github.com/matrix-org/matrix-appservice-slack.git" matrix_appservice_slack_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-slack/docker-src" -matrix_appservice_slack_version: release-1.5.0 +matrix_appservice_slack_version: release-1.8.0 matrix_appservice_slack_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-slack:{{ matrix_appservice_slack_version }}" matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-appservice-slack/tasks/init.yml b/roles/matrix-bridge-appservice-slack/tasks/init.yml index 6a1bf869..0584e624 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/init.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_slack_container_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_slack_container_self_build and matrix_appservice_slack_enabled" # If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. # We don't want to fail in such cases. diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index 7f26ea58..2b9fe310 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml 
@@ -3,13 +3,20 @@ matrix_appservice_webhooks_enabled: true +matrix_appservice_webhooks_container_image_self_build: false +matrix_appservice_webhooks_container_image_self_build_repo: "https://github.com/turt2live/matrix-appservice-webhooks" +matrix_appservice_webhooks_container_image_self_build_repo_version: "{{ 'master' if matrix_appservice_webhooks_version == 'latest' else matrix_appservice_webhooks_version }}" +matrix_appservice_webhooks_container_image_self_build_repo_dockerfile_path: "Dockerfile" + matrix_appservice_webhooks_version: latest -matrix_appservice_webhooks_docker_image: "{{ matrix_container_global_registry_prefix }}turt2live/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}" +matrix_appservice_webhooks_docker_image: "{{ matrix_appservice_webhooks_docker_image_name_prefix }}turt2live/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}" +matrix_appservice_webhooks_docker_image_name_prefix: "{{ 'localhost/' if matrix_appservice_webhooks_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_appservice_webhooks_docker_image_force_pull: "{{ matrix_appservice_webhooks_docker_image.endswith(':latest') }}" matrix_appservice_webhooks_base_path: "{{ matrix_base_data_path }}/appservice-webhooks" matrix_appservice_webhooks_config_path: "{{ matrix_appservice_webhooks_base_path }}/config" matrix_appservice_webhooks_data_path: "{{ matrix_appservice_webhooks_base_path }}/data" +matrix_appservice_webhooks_docker_src_files_path: "{{ matrix_appservice_webhooks_base_path }}/docker-src" # If nginx-proxy is disabled, the bridge itself expects its endpoint to be on its own domain (e.g. "localhost:6789") matrix_appservice_webhooks_public_endpoint: /appservice-webhooks diff --git a/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml b/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml index 9ddc121a..1b276efc 100644 --- a/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml 
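Review bot: With the default `matrix_appservice_webhooks_version: latest`, the new `matrix_appservice_webhooks_container_image_self_build_repo_version` resolves to `master`, so a self-build compiles whatever the upstream branch head is at run time and the build is neither pinned nor reproducible; combined with `force_source` keyed to the git result in the setup_install hunk, the image is rebuilt on every upstream push. A comment next to the variable would make the trade-off explicit: `# Self-building with version 'latest' tracks upstream's master branch; pin matrix_appservice_webhooks_version to a release tag that exists both on the registry and in the git repository for reproducible builds.` The repo URL also omits the `.git` suffix the other self-build roles use, which is harmless but inconsistent.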
+++ b/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml 
@@ -1,23 +1,47 @@ --- +- name: Ensure AppService webhooks paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_appservice_webhooks_base_path }}", when: true } + - { path: "{{ matrix_appservice_webhooks_config_path }}", when: true } + - { path: "{{ matrix_appservice_webhooks_data_path }}", when: true } + - { path: "{{ matrix_appservice_webhooks_docker_src_files_path }}", when: "{{ matrix_appservice_webhooks_container_image_self_build }}"} + when: "item.when|bool" + - name: Ensure Appservice webhooks image is pulled docker_image: name: "{{ matrix_appservice_webhooks_docker_image }}" source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_appservice_webhooks_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_webhooks_docker_image_force_pull }}" + when: "not matrix_appservice_webhooks_container_image_self_build|bool" -- name: Ensure AppService webhooks paths exist - file: - path: "{{ item }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_appservice_webhooks_base_path }}" - - "{{ matrix_appservice_webhooks_config_path }}" - - "{{ matrix_appservice_webhooks_data_path }}" +- block: + - name: Ensure Appservice webhooks repository is present on self-build + git: + repo: "{{ matrix_appservice_webhooks_container_image_self_build_repo }}" + dest: "{{ matrix_appservice_webhooks_docker_src_files_path }}" + version: "{{ matrix_appservice_webhooks_container_image_self_build_repo_version }}" + force: "yes" + register: matrix_appservice_webhooks_git_pull_results + + - name: Ensure Appservice webhooks Docker image is built + docker_image: + name: "{{ 
matrix_appservice_webhooks_docker_image }}" + source: build + force_source: "{{ matrix_appservice_webhooks_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_webhooks_git_pull_results.changed }}" + build: + dockerfile: "{{ matrix_appservice_webhooks_container_image_self_build_repo_dockerfile_path }}" + path: "{{ matrix_appservice_webhooks_docker_src_files_path }}" + pull: yes + when: "matrix_appservice_webhooks_container_image_self_build|bool" - name: Ensure Matrix Appservice webhooks config is installed copy: diff --git a/roles/matrix-bridge-beeper-linkedin/defaults/main.yml b/roles/matrix-bridge-beeper-linkedin/defaults/main.yml new file mode 100644 index 00000000..8df6c38f --- /dev/null +++ b/roles/matrix-bridge-beeper-linkedin/defaults/main.yml 
@@ -0,0 +1,100 @@ +# beeper-linkedin is a Matrix <-> LinkedIn bridge +# See: https://gitlab.com/beeper/linkedin + +matrix_beeper_linkedin_enabled: true + +matrix_beeper_linkedin_version: v0.5.1 +# See: https://gitlab.com/beeper/linkedin/container_registry +matrix_beeper_linkedin_docker_image: "registry.gitlab.com/beeper/linkedin:{{ matrix_beeper_linkedin_version }}-amd64" +matrix_beeper_linkedin_docker_image_force_pull: "{{ matrix_beeper_linkedin_docker_image.endswith(':latest-amd64') }}" + +matrix_beeper_linkedin_base_path: "{{ matrix_base_data_path }}/beeper-linkedin" +matrix_beeper_linkedin_config_path: "{{ matrix_beeper_linkedin_base_path }}/config" +matrix_beeper_linkedin_data_path: "{{ matrix_beeper_linkedin_base_path }}/data" + +matrix_beeper_linkedin_homeserver_address: "{{ matrix_homeserver_container_url }}" +matrix_beeper_linkedin_homeserver_domain: "{{ matrix_domain }}" +matrix_beeper_linkedin_appservice_address: "http://matrix-beeper-linkedin:29319" + +# A list of extra arguments to pass to the container +matrix_beeper_linkedin_container_extra_arguments: [] + +# List of systemd services that matrix-beeper-linkedin.service depends on. +matrix_beeper_linkedin_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-beeper-linkedin.service wants +matrix_beeper_linkedin_systemd_wanted_services_list: [] + +matrix_beeper_linkedin_appservice_token: "" +matrix_beeper_linkedin_homeserver_token: "" + +matrix_beeper_linkedin_appservice_bot_username: linkedinbot + + +# Database-related configuration fields. +# Only Postgres is supported. 
+matrix_beeper_linkedin_database_engine: "postgres" + +matrix_beeper_linkedin_database_username: 'matrix_beeper_linkedin' +matrix_beeper_linkedin_database_password: "" +matrix_beeper_linkedin_database_hostname: 'matrix-postgres' +matrix_beeper_linkedin_database_port: 5432 +matrix_beeper_linkedin_database_name: 'matrix_beeper_linkedin' + +matrix_beeper_linkedin_database_connection_string: 'postgresql://{{ matrix_beeper_linkedin_database_username }}:{{ matrix_beeper_linkedin_database_password }}@{{ matrix_beeper_linkedin_database_hostname }}:{{ matrix_beeper_linkedin_database_port }}/{{ matrix_beeper_linkedin_database_name }}?sslmode=disable' + +matrix_beeper_linkedin_appservice_database_type: "{{ + { + 'postgres':'postgres', + }[matrix_beeper_linkedin_database_engine] +}}" + +matrix_beeper_linkedin_appservice_database_uri: "{{ + { + 'postgres': matrix_beeper_linkedin_database_connection_string, + }[matrix_beeper_linkedin_database_engine] +}}" + + +# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). +matrix_beeper_linkedin_login_shared_secret: '' + +# Default beeper-linkedin configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_beeper_linkedin_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_beeper_linkedin_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" + +matrix_beeper_linkedin_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_beeper_linkedin_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. 
+ # + # If you need something more special, you can take full control by + # completely redefining `matrix_beeper_linkedin_configuration_yaml`. + +matrix_beeper_linkedin_configuration_extension: "{{ matrix_beeper_linkedin_configuration_extension_yaml|from_yaml if matrix_beeper_linkedin_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_beeper_linkedin_configuration_yaml`. +matrix_beeper_linkedin_configuration: "{{ matrix_beeper_linkedin_configuration_yaml|from_yaml|combine(matrix_beeper_linkedin_configuration_extension, recursive=True) }}" + +matrix_beeper_linkedin_registration_yaml: | + id: linkedin + url: {{ matrix_beeper_linkedin_appservice_address }} + as_token: "{{ matrix_beeper_linkedin_appservice_token }}" + hs_token: "{{ matrix_beeper_linkedin_homeserver_token }}" + + sender_localpart: _bot_{{ matrix_beeper_linkedin_appservice_bot_username }} + rate_limited: false + namespaces: + users: + - regex: '^@linkedin_.+:{{ matrix_beeper_linkedin_homeserver_domain|regex_escape }}$' + exclusive: true + - exclusive: true + regex: '^@{{ matrix_beeper_linkedin_appservice_bot_username|regex_escape }}:{{ matrix_beeper_linkedin_homeserver_domain|regex_escape }}$' + de.sorunome.msc2409.push_ephemeral: true + +matrix_beeper_linkedin_registration: "{{ matrix_beeper_linkedin_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-beeper-linkedin/tasks/init.yml b/roles/matrix-bridge-beeper-linkedin/tasks/init.yml new file mode 100644 index 00000000..755ac2f5 --- /dev/null +++ b/roles/matrix-bridge-beeper-linkedin/tasks/init.yml 
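Review bot: `matrix_beeper_linkedin_docker_image` hard-codes an `-amd64` tag suffix (and `_force_pull` matches on `:latest-amd64`), so the role can only ever pull the amd64 manifest and fails on arm64 hosts even if upstream publishes other architectures; either document that limitation next to the variable or derive the suffix from the playbook's architecture variable (`matrix_architecture`), if this role is meant to honour it. Separately, `matrix_beeper_linkedin_database_connection_string` interpolates `matrix_beeper_linkedin_database_password`, whose default is the empty string, and appends `?sslmode=disable`; a comment such as `# The connection is unencrypted (sslmode=disable); only use it against the playbook-managed Postgres on the internal container network, and always set the password.` would record the assumption.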
@@ -0,0 +1,16 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-beeper-linkedin.service'] }}" + when: matrix_beeper_linkedin_enabled|bool + +# If the matrix-synapse role is not used, these variables may not exist. +- set_fact: + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_beeper_linkedin_config_path }}/registration.yaml,dst=/matrix-beeper-linkedin-registration.yaml,ro"] + + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files|default([]) }} + + + {{ ["/matrix-beeper-linkedin-registration.yaml"] }} + when: matrix_beeper_linkedin_enabled|bool diff --git a/roles/matrix-bridge-beeper-linkedin/tasks/main.yml b/roles/matrix-bridge-beeper-linkedin/tasks/main.yml new file mode 100644 index 00000000..79c54f1a --- /dev/null +++ b/roles/matrix-bridge-beeper-linkedin/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_beeper_linkedin_enabled|bool" + tags: + - setup-all + - setup-beeper-linkedin + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup and matrix_beeper_linkedin_enabled" + tags: + - setup-all + - setup-beeper-linkedin + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup and not matrix_beeper_linkedin_enabled" + tags: + - setup-all + - setup-beeper-linkedin diff --git a/roles/matrix-bridge-beeper-linkedin/tasks/setup_install.yml b/roles/matrix-bridge-beeper-linkedin/tasks/setup_install.yml new file mode 100644 index 00000000..97d05a45 --- /dev/null +++ b/roles/matrix-bridge-beeper-linkedin/tasks/setup_install.yml 
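Review bot: The three `when:` expressions in the new tasks/main.yml hunk are inconsistent: validate_config is gated on `run_setup|bool and matrix_beeper_linkedin_enabled|bool`, while setup_install and setup_uninstall use `run_setup and matrix_beeper_linkedin_enabled` without the filter, so a quoted string value for either flag is evaluated differently between tasks. Use `when: "run_setup|bool and matrix_beeper_linkedin_enabled|bool"` and `when: "run_setup|bool and not matrix_beeper_linkedin_enabled|bool"` for the latter two. The init.yml hunk sharing this line follows the same pattern as the other bridge roles and raises nothing.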
@@ -0,0 +1,56 @@ +--- + +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-bridge-beeper-linkedin role needs to execute before the matrix-synapse role. + when: "matrix_synapse_role_executed|default(False)" + +- name: Ensure Beeper LinkedIn image is pulled + docker_image: + name: "{{ matrix_beeper_linkedin_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_beeper_linkedin_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_beeper_linkedin_docker_image_force_pull }}" + +- name: Ensure Beeper LinkedIn paths exists + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_beeper_linkedin_base_path }}" + - "{{ matrix_beeper_linkedin_config_path }}" + - "{{ matrix_beeper_linkedin_data_path }}" + +- name: Ensure beeper-linkedin config.yaml installed + copy: + content: "{{ matrix_beeper_linkedin_configuration|to_nice_yaml }}" + dest: "{{ matrix_beeper_linkedin_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure beeper-linkedin registration.yaml installed + copy: + content: "{{ matrix_beeper_linkedin_registration|to_nice_yaml }}" + dest: "{{ matrix_beeper_linkedin_config_path }}/registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-beeper-linkedin.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-beeper-linkedin.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-beeper-linkedin.service" + mode: 0644 + 
register: matrix_beeper_linkedin_systemd_service_result + +- name: Ensure systemd reloaded after matrix-beeper-linkedin.service installation + service: + daemon_reload: yes + when: "matrix_beeper_linkedin_systemd_service_result.changed" diff --git a/roles/matrix-bridge-beeper-linkedin/tasks/setup_uninstall.yml b/roles/matrix-bridge-beeper-linkedin/tasks/setup_uninstall.yml new file mode 100644 index 00000000..004b788e --- /dev/null +++ b/roles/matrix-bridge-beeper-linkedin/tasks/setup_uninstall.yml @@ -0,0 +1,24 @@ +--- + +- name: Check existence of matrix-beeper-linkedin service + stat: + path: "{{ matrix_systemd_path }}/matrix-beeper-linkedin.service" + register: matrix_beeper_linkedin_service_stat + +- name: Ensure matrix-beeper-linkedin is stopped + service: + name: matrix-beeper-linkedin + state: stopped + daemon_reload: yes + when: "matrix_beeper_linkedin_service_stat.stat.exists" + +- name: Ensure matrix-beeper-linkedin.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-beeper-linkedin.service" + state: absent + when: "matrix_beeper_linkedin_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-beeper-linkedin.service removal + service: + daemon_reload: yes + when: "matrix_beeper_linkedin_service_stat.stat.exists" diff --git a/roles/matrix-bridge-beeper-linkedin/tasks/validate_config.yml b/roles/matrix-bridge-beeper-linkedin/tasks/validate_config.yml new file mode 100644 index 00000000..fe33defa --- /dev/null +++ b/roles/matrix-bridge-beeper-linkedin/tasks/validate_config.yml @@ -0,0 +1,11 @@ +--- + +- name: Fail if required settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_beeper_linkedin_appservice_token" + - "matrix_beeper_linkedin_homeserver_token" + 
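Review bot: `config.yaml` is written with `mode: 0644` although, per the defaults hunk, it carries `as_token`/`hs_token`, the Postgres password embedded in `matrix_beeper_linkedin_appservice_database_uri`, and `matrix_beeper_linkedin_login_shared_secret`; the 0750 parent directory blocks traversal by other local users, but the file itself is world-readable wherever that directory is reached (backups, other bind mounts). `mode: 0640` for both config.yaml and registration.yaml limits the exposure, provided the container runs as `matrix_user_username` — the systemd template is not in this chunk, so confirm that there. If the other bridge roles use 0644 for the same files, this is a playbook-wide item rather than one for this role alone.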
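Review bot: `validate_config.yml` only rejects empty `matrix_beeper_linkedin_appservice_token` and `matrix_beeper_linkedin_homeserver_token`, while the defaults hunk leaves `matrix_beeper_linkedin_database_password` empty as well and the connection string interpolates it directly, so an unconfigured password surfaces as a runtime connection failure inside the container instead of a clear playbook-time error. Add `- "matrix_beeper_linkedin_database_password"` to the `with_items` list so the same `vars[item] == ''` check covers it. The setup_uninstall.yml hunk on this line raises nothing.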
diff --git a/roles/matrix-bridge-beeper-linkedin/templates/config.yaml.j2 b/roles/matrix-bridge-beeper-linkedin/templates/config.yaml.j2 new file mode 100644 index 00000000..4fb6b055 --- /dev/null +++ b/roles/matrix-bridge-beeper-linkedin/templates/config.yaml.j2 
@@ -0,0 +1,267 @@
+#jinja2: lstrip_blocks: "True"
+# Homeserver details.
+homeserver:
+ # The address that this appservice can use to connect to the homeserver.
+ address: {{ matrix_beeper_linkedin_homeserver_address }}
+ # The domain of the homeserver (for MXIDs, etc).
+ domain: {{ matrix_beeper_linkedin_homeserver_domain }}
+ # Whether or not to verify the SSL certificate of the homeserver.
+ # Only applies if address starts with https://
+ verify_ssl: true
+ # Whether or not the homeserver supports asmux-specific endpoints,
+ # such as /_matrix/client/unstable/net.maunium.asmux/dms for atomically
+ # updating m.direct.
+ asmux: false
+ # Number of retries for all HTTP requests if the homeserver isn't reachable.
+ http_retry_count: 4
+
+
+appservice:
+ # The address that the homeserver can use to connect to this appservice.
+ address: {{ matrix_beeper_linkedin_appservice_address }}
+
+ # The hostname and port where this appservice should listen.
+ hostname: 0.0.0.0
+ port: 29319
+
+ # The maximum body size of appservice API requests (from the homeserver) in mebibytes
+ # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
+ max_body_size: 1
+
+ # The full URI to the database. Only Postgres is currently supported.
+ database: {{ matrix_beeper_linkedin_appservice_database_uri|to_json }}
+ # Additional arguments for asyncpg.create_pool()
+ # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
+ database_opts:
+ min_size: 5
+ max_size: 10
+
+ # Provisioning API part of the web server for automated portal creation and fetching information.
+ # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager).
+ provisioning:
+ # Whether or not the provisioning API should be enabled.
+ enabled: true
+ # The prefix to use in the provisioning API endpoints.
+ prefix: /_matrix/provision/v1
+ # The shared secret to authorize users of the API.
+ # Set to "generate" to generate and save a new token.
+ shared_secret: generate
+
+ # The unique ID of this appservice.
+ id: beeper_linkedin
+ # Appservice bot details.
+ bot:
+ # Username of the appservice bot.
+ username: {{ matrix_beeper_linkedin_appservice_bot_username|to_json }}
+ # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
+ # to leave display name/avatar as-is.
+ displayname: LinkedIn bridge bot
+ avatar: mxc://sumnerevans.com/XMtwdeUBnxYvWNFFrfeTSHqB
+
+ # Whether or not to receive ephemeral events via appservice transactions.
+ # Requires MSC2409 support (i.e. Synapse 1.22+).
+ # You should disable bridge -> sync_with_custom_puppets when this is enabled.
+ ephemeral_events: false
+
+ # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
+ as_token: "{{ matrix_beeper_linkedin_appservice_token }}"
+ hs_token: "{{ matrix_beeper_linkedin_homeserver_token }}"
+
+
+# Prometheus telemetry config. Requires prometheus-client to be installed.
+metrics:
+ enabled: false
+ listen_port: 8000
+
+# Manhole config.
+manhole:
+ # Whether or not opening the manhole is allowed.
+ enabled: false
+ # The path for the unix socket.
+ path: /var/tmp/linkedin-matrix.manhole
+ # The list of UIDs who can be added to the whitelist.
+ # If empty, any UIDs can be specified in the open-manhole command.
+ whitelist:
+ - 0
+
+
+# Bridge config
+bridge:
+ # Localpart template of MXIDs for LinkedIn users.
+ username_template: "linkedin_{userid}"
+ # Displayname template for LinkedIn users.
+ # Localpart template for per-user room grouping community IDs.
+ # The bridge will create these communities and add all of the specific user's portals to the community.
+ # {localpart} is the MXID localpart and {server} is the MXID server part of the user.
+ # (Note that, by default, non-admins might not have your homeserver's permission to create
+ # communities. You should set `enable_group_creation: true` in homeserver.yaml to fix this.)
+ # `linkedin_{localpart}={server}` is a good value.
+ community_template: null
+
+ # Displayname template for LinkedIn users.
+ # {displayname} is replaced with the display name of the LinkedIn user
+ # as defined below in displayname_preference.
+ # Keys available for displayname_preference are also available here.
+ displayname_template: "{displayname} (LinkedIn)"
+
+ # Number of chats to sync (and create portals for) on startup/login.
+ # Set 0 to disable automatic syncing.
+ initial_chat_sync: 10
+
+ # Whether or not the LinkedIn users of logged in Matrix users should be
+ # invited to private chats when the user sends a message from another client.
+ invite_own_puppet_to_pm: false
+ # Whether or not to use /sync to get presence, read receipts and typing notifications
+ # when double puppeting is enabled
+ sync_with_custom_puppets: true
+ # Whether or not to update the m.direct account data event when double puppeting is enabled.
+ # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
+ # and is therefore prone to race conditions.
+ sync_direct_chat_list: false
+ # Servers to always allow double puppeting from
+ double_puppet_server_map: {}
+ # example.com: https://example.com
+ # Allow using double puppeting from any server with a valid client .well-known file.
+
+ # Maximum number of seconds since last message in chat to skip
+ # syncing the chat in any case. This setting will take priority
+ # over both recovery_chat_sync_limit and initial_chat_sync_count.
+ # Default is 3 days = 259200 seconds
+ sync_max_chat_age: 259200
+
+ # Whether or not to sync with custom puppets to receive EDUs that
+ # are not normally sent to appservices.
+ sync_with_custom_puppets: true
+ # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth
+ #
+ # If set, custom puppets will be enabled automatically for local users
+ # instead of users having to find an access token and run `login-matrix`
+ # manually.
+ login_shared_secret: {{ matrix_beeper_linkedin_login_shared_secret|to_json }}
+
+ # Allow using double puppeting from any server with a valid client .well-known file.
+ double_puppet_allow_discovery: false
+
+ # Whether or not to bridge presence in both directions. LinkedIn allows users not to broadcast
+ # presence, but then it won't send other users' presence to the client.
+ presence: {{ matrix_beeper_linkedin_bridge_presence|to_json }}
+ # Whether or not to update avatars when syncing all contacts at startup.
+ update_avatar_initial_sync: true
+
+
+ # End-to-bridge encryption support options. These require matrix-nio to be installed with pip
+ # and login_shared_secret to be configured in order to get a device for the bridge bot.
+ #
+ # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal
+ # application service.
+ encryption:
+ # Allow encryption, work in group chat rooms with e2ee enabled
+ allow: false
+ # Default to encryption, force-enable encryption in all portals the bridge creates
+ # This will cause the bridge bot to be in private chats for the encryption to work properly.
+ default: false
+ # Options for automatic key sharing.
+ key_sharing:
+ # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
+ # You must use a client that supports requesting keys from other users to use this feature.
+ allow: false
+ # Require the requesting device to have a valid cross-signing signature?
+ # This doesn't require that the bridge has verified the device, only that the user has verified it.
+ # Not yet implemented.
+ require_cross_signing: false
+ # Require devices to be verified by the bridge?
+ # Verification by the bridge is not yet implemented.
+ require_verification: true
+ # Whether or not the bridge should send a read receipt from the bridge bot when a message has
+ # been sent to LinkedIn.
+ delivery_receipts: false
+ # Whether to allow inviting arbitrary mxids to portal rooms
+ allow_invites: false
+
+ # Settings for backfilling messages from LinkedIn.
+ backfill:
+ # Whether or not the LinkedIn users of logged in Matrix users should be
+ # invited to private chats when backfilling history from LinkedIn. This is
+ # usually needed to prevent rate limits and to allow timestamp massaging.
+ invite_own_puppet: true
+ # Maximum number of messages to backfill initially.
+ # Set to 0 to disable backfilling when creating portal.
+ initial_limit: 0
+ # Maximum number of messages to backfill if messages were missed while
+ # the bridge was disconnected.
+ # Set to 0 to disable backfilling missed messages.
+ missed_limit: 1000
+ # If using double puppeting, should notifications be disabled
+ # while the initial backfill is in progress?
+ disable_notifications: false
+ periodic_reconnect:
+ # TODO needed?
+ # Interval in seconds in which to automatically reconnect all users.
+ # This can be used to automatically mitigate the bug where Linkedin stops sending messages.
+ # Set to -1 to disable periodic reconnections entirely.
+ interval: -1
+ # What to do in periodic reconnects. Either "refresh" or "reconnect"
+ mode: refresh
+ # Should even disconnected users be reconnected?
+ always: false
+ # The number of seconds that a disconnection can last without triggering an automatic re-sync
+ # and missed message backfilling when reconnecting.
+ # Set to 0 to always re-sync, or -1 to never re-sync automatically.
+ resync_max_disconnected_time: 5
+ # Whether or not temporary disconnections should send notices to the notice room.
+ # If this is false, disconnections will never send messages and connections will only send
+ # messages if it was disconnected for more than resync_max_disconnected_time seconds.
+ temporary_disconnect_notices: true
+ # Whether or not the bridge should try to "refresh" the connection if a normal reconnection
+ # attempt fails.
+ refresh_on_reconnection_fail: false
+ # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
+ # This field will automatically be changed back to false after it,
+ # except if the config file is not writable.
+ resend_bridge_info: false
+ # When using double puppeting, should muted chats be muted in Matrix?
+ mute_bridging: false
+ # Whether or not mute status and tags should only be bridged when the portal room is created.
+ tag_only_on_create: true
+
+
+ # The prefix for commands. Only required in non-management rooms.
+ command_prefix: "!li"
+
+ # Permissions for using the bridge.
+ # Permitted values:
+ # user - Access to use the bridge to chat with a Linkedin account.
+ # admin - User level and some additional administration tools
+ # Permitted keys:
+ # * - All Matrix users
+ # domain - All users on that homeserver
+ # mxid - Specific user
+ permissions:
+ "{{ matrix_beeper_linkedin_homeserver_domain }}": user
+
+
+
+# Logging config.
+logging:
+ version: 1
+ formatters:
+ colored:
+ (): mautrix.util.logging.color.ColorFormatter
+ format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
+ normal:
+ format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
+ handlers:
+ console:
+ class: logging.StreamHandler
+ formatter: colored
+ loggers:
+ mau:
+ level: DEBUG
+ paho:
+ level: INFO
+ aiohttp:
+ level: INFO
+ root:
+ level: DEBUG
+ handlers: [ console]
+
diff --git a/roles/matrix-bridge-beeper-linkedin/templates/systemd/matrix-beeper-linkedin.service.j2 b/roles/matrix-bridge-beeper-linkedin/templates/systemd/matrix-beeper-linkedin.service.j2
new file mode 100644
index 00000000..4498b4f0
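Review bot: The provisioning API is enabled by default with `shared_secret: generate`, which tells the bridge to mint its own secret and write it back into `/data/config.yaml`; since the role presumably re-renders this template on every playbook run, that secret is reset to `generate` and rotated each time, and nothing in the role surfaces it to the operator. It would be better driven from role variables, e.g. `enabled: {{ matrix_beeper_linkedin_provisioning_enabled|to_json }}` and `shared_secret: {{ matrix_beeper_linkedin_provisioning_shared_secret|to_json }}` (new variables, defaulting to disabled), the way `login_shared_secret` is handled further down. Separately, `sync_with_custom_puppets: true` appears twice under `bridge:` (after `invite_own_puppet_to_pm` and again before `login_shared_secret`); YAML loaders generally keep the last occurrence, at best with a warning, so one copy should go. For consistency with the other secret values, `as_token` and `hs_token` should also be emitted via `|to_json` rather than bare double quotes.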
--- /dev/null
+++ b/roles/matrix-bridge-beeper-linkedin/templates/systemd/matrix-beeper-linkedin.service.j2
@@ -0,0 +1,42 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix Beeper Linkedin bridge
+{% for service in matrix_beeper_linkedin_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_beeper_linkedin_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
+ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-beeper-linkedin 2>/dev/null'
+ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-beeper-linkedin 2>/dev/null'
+
+# Intentional delay, so that the homeserver (we likely depend on) can manage to start.
+ExecStartPre={{ matrix_host_command_sleep }} 5
+
+ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-beeper-linkedin \
+ --log-driver=none \
+ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+ --cap-drop=ALL \
+ --network={{ matrix_docker_network }} \
+ -v {{ matrix_beeper_linkedin_config_path }}:/data:z \
+ --workdir=/opt/linkedin-matrix \
+ {% for arg in matrix_beeper_linkedin_container_extra_arguments %}
+ {{ arg }} \
+ {% endfor %}
+ {{ matrix_beeper_linkedin_docker_image }} \
+ python3 -m linkedin_matrix -c /data/config.yaml -r /data/registration.yaml
+
+ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-beeper-linkedin 2>/dev/null'
+ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-beeper-linkedin 2>/dev/null'
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-beeper-linkedin
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/matrix-bridge-heisenbridge/defaults/main.yml b/roles/matrix-bridge-heisenbridge/defaults/main.yml
index be95af8d..a8c6db96 100644
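Review bot: The `ExecStart` line already drops all capabilities and runs as `matrix_user_uid`, but the container's root filesystem stays writable; adding `--read-only \` next to `--cap-drop=ALL \` would complete that hardening, as long as the bridge only writes under the `/data` mount (the config file's `resend_bridge_info` and the provisioning `generate` secret are written there, so a read-only root would not break them). Confirm against the image before enabling it, since a Python image may expect a writable cache or temp directory; if so, a `--tmpfs` for that path is the usual companion. A one-line comment on the `ExecStart` block stating which host directory the container may write to would also help the next reader, e.g. `# Only /data (the role's config path) is writable from inside the container.`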
--- a/roles/matrix-bridge-heisenbridge/defaults/main.yml
+++ b/roles/matrix-bridge-heisenbridge/defaults/main.yml
@@ -3,7 +3,7 @@ matrix_heisenbridge_enabled: true
-matrix_heisenbridge_version: latest
+matrix_heisenbridge_version: 1.3.0
 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}"
 matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}"
diff --git a/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml b/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml
index d5526f8a..853faf7a 100644
--- a/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml
+++ b/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml
@@ -7,7 +7,7 @@
 - name: Ensure matrix-heisenbridge is stopped
 service:
-    name: heisenbridge
+    name: matrix-heisenbridge
 state: stopped
 daemon_reload: yes
 when: "matrix_heisenbridge_service_stat.stat.exists"
diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml
index 71a225f7..6c1d6b69 100644
--- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml
@@ -1,14 +1,13 @@
 # mautrix-facebook is a Matrix <-> Facebook bridge
-# See: https://github.com/tulir/mautrix-facebook
+# See: https://github.com/mautrix/facebook
 matrix_mautrix_facebook_enabled: true
 matrix_mautrix_facebook_container_image_self_build: false
-matrix_mautrix_facebook_container_image_self_build_repo: "https://github.com/tulir/mautrix-facebook.git"
+matrix_mautrix_facebook_container_image_self_build_repo: "https://mau.dev/mautrix/facebook.git"
-matrix_mautrix_facebook_version: latest
-# See: https://mau.dev/tulir/mautrix-facebook/container_registry
-matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:{{ matrix_mautrix_facebook_version }}"
+matrix_mautrix_facebook_version: v0.3.1
+matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}mautrix/facebook:{{ matrix_mautrix_facebook_version }}"
 matrix_mautrix_facebook_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_facebook_container_image_self_build else 'dock.mau.dev/' }}"
 matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}"
@@ -107,7 +106,7 @@ matrix_mautrix_facebook_registration_yaml: |
 - exclusive: true
 regex: '^@{{ matrix_mautrix_facebook_appservice_bot_username|regex_escape }}:{{ matrix_mautrix_facebook_homeserver_domain|regex_escape }}$'
 url: {{ matrix_mautrix_facebook_appservice_address }}
- # See https://github.com/tulir/mautrix-signal/issues/43
+ # See https://github.com/mautrix/signal/issues/43
 sender_localpart: _bot_{{ matrix_mautrix_facebook_appservice_bot_username }}
 rate_limited: false
 de.sorunome.msc2409.push_ephemeral: true
diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml
index 83e54cb4..cf67f227 100644
--- a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml
+++ b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml
@@ -3,7 +3,7 @@
 - name: Fail if trying to self-build on Ansible < 2.8
 fail:
 msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
- when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_facebook_container_image_self_build"
+ when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_facebook_container_image_self_build and matrix_mautrix_facebook_enabled"
 - set_fact:
 matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-facebook.service'] }}"
@@ -21,10 +21,3 @@
 + {{ ["/matrix-mautrix-facebook-registration.yaml"] }}
 when: matrix_mautrix_facebook_enabled|bool
-
-# ansible lower than 2.8, does not support docker_image build parameters
-# for self building it is explicitly needed, so we rather fail here
-- name: Fail if running on Ansible lower than 2.8 and trying self building
- fail:
- msg: "To self build Mautrix Facebook image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
- when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_facebook_container_image_self_build"
diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml
index 4cfbde9e..fb9dcca4 100644
--- a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml
+++ b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml
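Review bot: The self-build guard that survives in the first hunk still says `msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"`, while the task that actually named this bridge is the one deleted in the second hunk, so operators now get a message about the wrong component. Change it to `msg: "To self-build the Mautrix Facebook image, you should use Ansible 2.8 or higher. See docs/ansible.md"`. The same "Element image" wording is introduced verbatim in the new mautrix-googlechat init.yml later in this diff and should be fixed there as well.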
@@ -40,7 +40,7 @@
 source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
 force_source: "{{ matrix_mautrix_facebook_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
 force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_facebook_docker_image_force_pull }}"
- when: matrix_mautrix_facebook_enabled|bool and not matrix_mautrix_facebook_container_image_self_build
+ when: not matrix_mautrix_facebook_container_image_self_build
 - name: Ensure Mautrix Facebook paths exist
 file:
@@ -60,10 +60,10 @@
 git:
 repo: "{{ matrix_mautrix_facebook_container_image_self_build_repo }}"
 dest: "{{ matrix_mautrix_facebook_docker_src_files_path }}"
-# version: "{{ matrix_coturn_docker_image.split(':')[1] }}"
+ version: "{{ matrix_mautrix_facebook_docker_image.split(':')[1] }}"
 force: "yes"
 register: matrix_mautrix_facebook_git_pull_results
- when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build"
+ when: "matrix_mautrix_facebook_container_image_self_build|bool"
 - name: Ensure Mautrix Facebook Docker image is built
 docker_image:
@@ -75,7 +75,7 @@
 dockerfile: Dockerfile
 path: "{{ matrix_mautrix_facebook_docker_src_files_path }}"
 pull: yes
- when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build|bool"
+ when: "matrix_mautrix_facebook_container_image_self_build|bool"
 - name: Check if an old database file already exists
 stat:
diff --git a/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml b/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml
new file mode 100644
index 00000000..22f863ff
--- /dev/null
+++ b/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml
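Review bot: In the second hunk, `version: "{{ matrix_mautrix_facebook_docker_image.split(':')[1] }}"` derives the git ref to check out by splitting the full image reference, which silently picks the registry port instead of the tag the moment `matrix_mautrix_facebook_docker_image_name_prefix` ever carries a `host:port/` prefix, and yields `latest` (not a valid git ref) if an operator sets the version back to `latest` while self-building. `version: "{{ matrix_mautrix_facebook_version }}"` expresses the intent directly and avoids the first problem; the second is best caught by a fail task wherever the role validates its config (`when: matrix_mautrix_facebook_container_image_self_build|bool and matrix_mautrix_facebook_version == 'latest'`). Dropping `matrix_mautrix_facebook_enabled|bool` from the three `when:` conditions is fine as long as main.yml gates setup_install on it, which I cannot see from this hunk.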
@@ -0,0 +1,115 @@ +# mautrix-googlechat is a Matrix <-> googlechat bridge +# See: https://github.com/mautrix/googlechat + +matrix_mautrix_googlechat_enabled: true + +matrix_mautrix_googlechat_container_image_self_build: false +matrix_mautrix_googlechat_container_image_self_build_repo: "https://github.com/mautrix/googlechat.git" + +matrix_mautrix_googlechat_version: latest +# See: https://mau.dev/mautrix/googlechat/container_registry +matrix_mautrix_googlechat_docker_image: "{{ matrix_mautrix_googlechat_docker_image_name_prefix }}mautrix/googlechat:{{ matrix_mautrix_googlechat_version }}" +matrix_mautrix_googlechat_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_googlechat_container_image_self_build else 'dock.mau.dev/' }}" +matrix_mautrix_googlechat_docker_image_force_pull: "{{ matrix_mautrix_googlechat_docker_image.endswith(':latest') }}" + +matrix_mautrix_googlechat_base_path: "{{ matrix_base_data_path }}/mautrix-googlechat" +matrix_mautrix_googlechat_config_path: "{{ matrix_mautrix_googlechat_base_path }}/config" +matrix_mautrix_googlechat_data_path: "{{ matrix_mautrix_googlechat_base_path }}/data" +matrix_mautrix_googlechat_docker_src_files_path: "{{ matrix_mautrix_googlechat_base_path }}/docker-src" + +matrix_mautrix_googlechat_public_endpoint: '/mautrix-googlechat' + +matrix_mautrix_googlechat_homeserver_address: "{{ matrix_homeserver_container_url }}" +matrix_mautrix_googlechat_homeserver_domain: '{{ matrix_domain }}' +matrix_mautrix_googlechat_appservice_address: 'http://matrix-mautrix-googlechat:8080' + +# Controls whether the matrix-mautrix-googlechat container exposes its HTTP port (tcp/8080 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:9007"), or empty string to not expose. 
+matrix_mautrix_googlechat_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_mautrix_googlechat_container_extra_arguments: [] + +# List of systemd services that matrix-mautrix-googlechat.service depends on. +matrix_mautrix_googlechat_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-mautrix-googlechat.service wants +matrix_mautrix_googlechat_systemd_wanted_services_list: [] + +matrix_mautrix_googlechat_appservice_token: '' +matrix_mautrix_googlechat_homeserver_token: '' + + +# Database-related configuration fields. +# +# To use SQLite, stick to these defaults. +# +# To use Postgres: +# - change the engine (`matrix_mautrix_googlechat_database_engine: 'postgres'`) +# - adjust your database credentials via the `matrix_mautrix_googlechat_postgres_*` variables +matrix_mautrix_googlechat_database_engine: 'sqlite' + +matrix_mautrix_googlechat_sqlite_database_path_local: "{{ matrix_mautrix_googlechat_data_path }}/mautrix-googlechat.db" +matrix_mautrix_googlechat_sqlite_database_path_in_container: "/data/mautrix-googlechat.db" + +matrix_mautrix_googlechat_database_username: 'matrix_mautrix_googlechat' +matrix_mautrix_googlechat_database_password: 'some-password' +matrix_mautrix_googlechat_database_hostname: 'matrix-postgres' +matrix_mautrix_googlechat_database_port: 5432 +matrix_mautrix_googlechat_database_name: 'matrix_mautrix_googlechat' + +matrix_mautrix_googlechat_database_connection_string: 'postgres://{{ matrix_mautrix_googlechat_database_username }}:{{ matrix_mautrix_googlechat_database_password }}@{{ matrix_mautrix_googlechat_database_hostname }}:{{ matrix_mautrix_googlechat_database_port }}/{{ matrix_mautrix_googlechat_database_name }}' + +matrix_mautrix_googlechat_appservice_database: "{{ + { + 'sqlite': ('sqlite:///' + matrix_mautrix_googlechat_sqlite_database_path_in_container), + 'postgres': matrix_mautrix_googlechat_database_connection_string, + 
}[matrix_mautrix_googlechat_database_engine] +}}" + + +# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). +matrix_mautrix_googlechat_login_shared_secret: '' + +matrix_mautrix_googlechat_appservice_bot_username: googlechatbot + +# Default configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_mautrix_googlechat_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_mautrix_googlechat_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" + +matrix_mautrix_googlechat_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_mautrix_googlechat_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_mautrix_googlechat_configuration_yaml`. + +matrix_mautrix_googlechat_configuration_extension: "{{ matrix_mautrix_googlechat_configuration_extension_yaml|from_yaml if matrix_mautrix_googlechat_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_mautrix_googlechat_configuration_yaml`. 
+matrix_mautrix_googlechat_configuration: "{{ matrix_mautrix_googlechat_configuration_yaml|from_yaml|combine(matrix_mautrix_googlechat_configuration_extension, recursive=True) }}" + +matrix_mautrix_googlechat_registration_yaml: | + id: googlechat + as_token: "{{ matrix_mautrix_googlechat_appservice_token }}" + hs_token: "{{ matrix_mautrix_googlechat_homeserver_token }}" + namespaces: + users: + - exclusive: true + regex: '^@googlechat_.+:{{ matrix_mautrix_googlechat_homeserver_domain|regex_escape }}$' + - exclusive: true + regex: '^@{{ matrix_mautrix_googlechat_appservice_bot_username|regex_escape }}:{{ matrix_mautrix_googlechat_homeserver_domain|regex_escape }}$' + url: {{ matrix_mautrix_googlechat_appservice_address }} + # See https://github.com/mautrix/signal/issues/43 + sender_localpart: _bot_{{ matrix_mautrix_googlechat_appservice_bot_username }} + rate_limited: false + de.sorunome.msc2409.push_ephemeral: true + +matrix_mautrix_googlechat_registration: "{{ matrix_mautrix_googlechat_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mautrix-googlechat/tasks/init.yml b/roles/matrix-bridge-mautrix-googlechat/tasks/init.yml new file mode 100644 index 00000000..c12fcd3c --- /dev/null +++ b/roles/matrix-bridge-mautrix-googlechat/tasks/init.yml 
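Review bot: `matrix_mautrix_googlechat_version: latest` leaves the new bridge on a mutable tag, while the same commit pins heisenbridge to `1.3.0` and mautrix-facebook to `v0.3.1`; on a mutable tag `matrix_mautrix_googlechat_docker_image_force_pull` evaluates true, so every playbook run can pull a different image without any change in the inventory. If a released tag exists, pin it here; if not, a comment next to the variable explaining why this role is the exception would stop the next reader from assuming it was an oversight. `matrix_mautrix_googlechat_container_image_self_build_repo` also still points at `https://github.com/mautrix/googlechat.git`, whereas facebook's self-build repo was moved to `mau.dev` in this diff — fine if deliberate, but worth aligning so both roles build from the same origin.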
@@ -0,0 +1,69 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_googlechat_container_image_self_build and matrix_mautrix_googlechat_enabled" + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-googlechat.service'] }}" + when: matrix_mautrix_googlechat_enabled|bool + +# If the matrix-synapse role is not used, these variables may not exist. +- set_fact: + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_mautrix_googlechat_config_path }}/registration.yaml,dst=/matrix-mautrix-googlechat-registration.yaml,ro"] + + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files|default([]) }} + + + {{ ["/matrix-mautrix-googlechat-registration.yaml"] }} + when: matrix_mautrix_googlechat_enabled|bool + +- block: + - name: Fail if matrix-nginx-proxy role already executed + fail: + msg: >- + Trying to append Mautrix googlechat's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your plabook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-googlechat role. 
+ when: matrix_nginx_proxy_role_executed|default(False)|bool + + - name: Generate Mautrix googlechat proxying configuration for matrix-nginx-proxy + set_fact: + matrix_mautrix_googlechat_matrix_nginx_proxy_configuration: | + location {{ matrix_mautrix_googlechat_public_endpoint }} { + {% if matrix_nginx_proxy_enabled|default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mautrix-googlechat:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:9007; + {% endif %} + } + - name: Register Mautrix googlechat proxying configuration with matrix-nginx-proxy + set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks|default([]) + + + [matrix_mautrix_googlechat_matrix_nginx_proxy_configuration] + }} + tags: + - always + when: matrix_mautrix_googlechat_enabled|bool + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + debug: + msg: >- + NOTE: You've enabled the Mautrix googlechat bridge but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_mautrix_googlechat_public_endpoint }}` + URL endpoint to the matrix-mautrix-googlechat container. + You can expose the container's port using the `matrix_mautrix_googlechat_container_http_host_bind_port` variable. + when: "matrix_mautrix_googlechat_enabled|bool and (matrix_nginx_proxy_enabled is not defined or matrix_nginx_proxy_enabled|bool == false)" diff --git a/roles/matrix-bridge-mautrix-googlechat/tasks/main.yml b/roles/matrix-bridge-mautrix-googlechat/tasks/main.yml new file mode 100644 index 00000000..defcd58a --- /dev/null +++ b/roles/matrix-bridge-mautrix-googlechat/tasks/main.yml 
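Review bot: The new "Fail if trying to self-build on Ansible < 2.8" task ships with `msg: "To self-build the Element image, ..."`, a copy-paste from another role; since this is what an operator sees when the task fires it should name this bridge, e.g. `msg: "To self-build the mautrix-googlechat image, you should use Ansible 2.8 or higher. See docs/ansible.md"`. The fail message in the nginx block also misspells "playbook" as `plabook`. Both are operator-facing runtime strings in a brand-new file, so they are cheap to fix before this lands.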
@@ -0,0 +1,21 @@
+- import_tasks: "{{ role_path }}/tasks/init.yml"
+ tags:
+ - always
+
+- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
+ when: "run_setup|bool and matrix_mautrix_googlechat_enabled|bool"
+ tags:
+ - setup-all
+ - setup-mautrix-googlechat
+
+- import_tasks: "{{ role_path }}/tasks/setup_install.yml"
+ when: "run_setup|bool and matrix_mautrix_googlechat_enabled|bool"
+ tags:
+ - setup-all
+ - setup-mautrix-googlechat
+
+- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
+ when: "run_setup|bool and not matrix_mautrix_googlechat_enabled|bool"
+ tags:
+ - setup-all
+ - setup-mautrix-googlechat
diff --git a/roles/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml
new file mode 100644
index 00000000..f68ee505
--- /dev/null
+++ b/roles/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml
@@ -0,0 +1,128 @@ +--- + +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-bridge-mautrix-googlechat role needs to execute before the matrix-synapse role. + when: "matrix_synapse_role_executed|default(False)" + +- set_fact: + matrix_mautrix_googlechat_requires_restart: false + +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_mautrix_googlechat_sqlite_database_path_local }}" + register: matrix_mautrix_googlechat_sqlite_database_path_local_stat_result + + - block: + - set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_mautrix_googlechat_sqlite_database_path_local }}" + dst: "{{ matrix_mautrix_googlechat_database_connection_string }}" + caller: "{{ role_path|basename }}" + engine_variable_name: 'matrix_mautrix_googlechat_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-mautrix-googlechat.service'] + + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + + - set_fact: + matrix_mautrix_googlechat_requires_restart: true + when: "matrix_mautrix_googlechat_sqlite_database_path_local_stat_result.stat.exists|bool" + when: "matrix_mautrix_googlechat_database_engine == 'postgres'" + +- name: Ensure Mautrix googlechat image is pulled + docker_image: + name: "{{ matrix_mautrix_googlechat_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mautrix_googlechat_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_googlechat_docker_image_force_pull }}" + when: not matrix_mautrix_googlechat_container_image_self_build + +- name: Ensure Mautrix googlechat paths exist + file: + path: 
"{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_mautrix_googlechat_base_path }}", when: true } + - { path: "{{ matrix_mautrix_googlechat_config_path }}", when: true } + - { path: "{{ matrix_mautrix_googlechat_data_path }}", when: true } + - { path: "{{ matrix_mautrix_googlechat_docker_src_files_path }}", when: "{{ matrix_mautrix_googlechat_container_image_self_build }}" } + when: "item.when|bool" + +- name: Ensure Mautrix Hangots repository is present on self build + git: + repo: "{{ matrix_mautrix_googlechat_container_image_self_build_repo }}" + dest: "{{ matrix_mautrix_googlechat_docker_src_files_path }}" + force: "yes" + register: matrix_mautrix_googlechat_git_pull_results + when: "matrix_mautrix_googlechat_container_image_self_build|bool" + +- name: Ensure Mautrix googlechat Docker image is built + docker_image: + name: "{{ matrix_mautrix_googlechat_docker_image }}" + source: build + force_source: "{{ matrix_mautrix_googlechat_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_googlechat_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_mautrix_googlechat_docker_src_files_path }}" + pull: yes + when: "matrix_mautrix_googlechat_container_image_self_build|bool" + +- name: Check if an old database file already exists + stat: + path: "{{ matrix_mautrix_googlechat_base_path }}/mautrix-googlechat.db" + register: matrix_mautrix_googlechat_stat_database + +- name: (Data relocation) Ensure matrix-mautrix-googlechat.service is stopped + service: + name: matrix-mautrix-googlechat + state: stopped + daemon_reload: yes + failed_when: false + when: "matrix_mautrix_googlechat_stat_database.stat.exists" + +- name: (Data relocation) Move mautrix-googlechat database file to ./data directory + 
command: "mv {{ matrix_mautrix_googlechat_base_path }}/mautrix-googlechat.db {{ matrix_mautrix_googlechat_data_path }}/mautrix-googlechat.db" + when: "matrix_mautrix_googlechat_stat_database.stat.exists" + +- name: Ensure mautrix-googlechat config.yaml installed + copy: + content: "{{ matrix_mautrix_googlechat_configuration|to_nice_yaml }}" + dest: "{{ matrix_mautrix_googlechat_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure mautrix-googlechat registration.yaml installed + copy: + content: "{{ matrix_mautrix_googlechat_registration|to_nice_yaml }}" + dest: "{{ matrix_mautrix_googlechat_config_path }}/registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-mautrix-googlechat.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-mautrix-googlechat.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-mautrix-googlechat.service" + mode: 0644 + register: matrix_mautrix_googlechat_systemd_service_result + +- name: Ensure systemd reloaded after matrix-mautrix-googlechat.service installation + service: + daemon_reload: yes + when: "matrix_mautrix_googlechat_systemd_service_result.changed" + +- name: Ensure matrix-mautrix-googlechat.service restarted, if necessary + service: + name: "matrix-mautrix-googlechat.service" + state: restarted + when: "matrix_mautrix_googlechat_requires_restart|bool" diff --git a/roles/matrix-bridge-mautrix-googlechat/tasks/setup_uninstall.yml b/roles/matrix-bridge-mautrix-googlechat/tasks/setup_uninstall.yml new file mode 100644 index 00000000..d3adb7e2 --- /dev/null +++ b/roles/matrix-bridge-mautrix-googlechat/tasks/setup_uninstall.yml 
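Review bot: `config.yaml` and `registration.yaml` are installed with `mode: 0644` even though they carry `as_token`, `hs_token` and `login_shared_secret`, so secrecy of the bridge credentials rests entirely on the `0750` of the parent directories; `mode: 0640` with the same `owner`/`group` keeps the secrets protected on the files themselves if the directory modes are ever relaxed. The image-pull task's `when: not matrix_mautrix_googlechat_container_image_self_build` lacks the `|bool` cast that the self-build tasks below apply, so a quoted `"false"` would still be truthy there; the hangouts and instagram `setup_install.yml` hunks in this commit carry the same pattern. The task name `Ensure Mautrix Hangots repository is present on self build` is a copy-paste leftover and should read `Ensure Mautrix googlechat repository is present on self build`.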
@@ -0,0 +1,24 @@ +--- + +- name: Check existence of matrix-mautrix-googlechat service + stat: + path: "{{ matrix_systemd_path }}/matrix-mautrix-googlechat.service" + register: matrix_mautrix_googlechat_service_stat + +- name: Ensure matrix-mautrix-googlechat is stopped + service: + name: matrix-mautrix-googlechat + state: stopped + daemon_reload: yes + when: "matrix_mautrix_googlechat_service_stat.stat.exists" + +- name: Ensure matrix-mautrix-googlechat.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-mautrix-googlechat.service" + state: absent + when: "matrix_mautrix_googlechat_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-mautrix-googlechat.service removal + service: + daemon_reload: yes + when: "matrix_mautrix_googlechat_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mautrix-googlechat/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-googlechat/tasks/validate_config.yml new file mode 100644 index 00000000..7aa42870 --- /dev/null +++ b/roles/matrix-bridge-mautrix-googlechat/tasks/validate_config.yml @@ -0,0 +1,14 @@ +--- + +- name: Fail if required settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_mautrix_googlechat_public_endpoint" + - "matrix_mautrix_googlechat_appservice_token" + - "matrix_mautrix_googlechat_homeserver_token" +- debug: + msg: + - '`matrix_mautrix_googlechat_homeserver_domain` == {{ matrix_mautrix_googlechat_homeserver_domain }}' diff --git a/roles/matrix-bridge-mautrix-googlechat/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-googlechat/templates/config.yaml.j2 new file mode 100644 index 00000000..c54ffac2 --- /dev/null +++ b/roles/matrix-bridge-mautrix-googlechat/templates/config.yaml.j2 
@@ -0,0 +1,145 @@ +#jinja2: lstrip_blocks: "True" +# Homeserver details +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: {{ matrix_mautrix_googlechat_homeserver_address }} + # The domain of the homeserver (for MXIDs, etc). + domain: {{ matrix_mautrix_googlechat_homeserver_domain }} + # Whether or not to verify the SSL certificate of the homeserver. + # Only applies if address starts with https:// + verify_ssl: true + +# Application service host/registration related details +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: {{ matrix_mautrix_googlechat_appservice_address }} + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 8080 + # The maximum body size of appservice API requests (from the homeserver) in mebibytes + # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s + max_body_size: 1 + + # The full URI to the database. SQLite and Postgres are fully supported. + # Other DBMSes supported by SQLAlchemy may or may not work. + # Format examples: + # SQLite: sqlite:///filename.db + # Postgres: postgres://username:password@hostname/dbname + database: {{ matrix_mautrix_googlechat_appservice_database|to_json }} + + # The unique ID of this appservice. + id: googlechat + # Username of the appservice bot. + bot_username: {{ matrix_mautrix_googlechat_appservice_bot_username|to_json }} + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + bot_displayname: googlechat bridge bot + bot_avatar: mxc://maunium.net/FBXZnpfORkBEruORbikmleAy + + # Authentication tokens for AS <-> HS communication. 
+ as_token: "{{ matrix_mautrix_googlechat_appservice_token }}" + hs_token: "{{ matrix_mautrix_googlechat_homeserver_token }}" + +# Bridge config +bridge: + # Localpart template of MXIDs for googlechat users. + # {userid} is replaced with the user ID of the googlechat user. + username_template: "googlechat_{userid}" + # Displayname template for googlechat users. + # {displayname} is replaced with the display name of the googlechat user + # as defined below in displayname_preference. + # Keys available for displayname_preference are also available here. + displayname_template: '{full_name} (googlechat)' + # Available keys: + # "name" (full name) + # "first_name" + # "last_name" + # "nickname" + # "own_nickname" (user-specific!) + displayname_preference: + - name + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!HO" + + # Number of chats to sync (and create portals for) on startup/login. + # Maximum 20, set 0 to disable automatic syncing. + initial_chat_sync: 20 + # Whether or not the googlechat users of logged in Matrix users should be + # invited to private chats when the user sends a message from another client. + invite_own_puppet_to_pm: false + # Whether or not to use /sync to get presence, read receipts and typing notifications when using + # your own Matrix account as the Matrix puppet for your googlechat account. + sync_with_custom_puppets: true + # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, custom puppets will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. + login_shared_secret: {{ matrix_mautrix_googlechat_login_shared_secret|to_json }} + # Whether or not to update avatars when syncing all contacts at startup. + update_avatar_initial_sync: true + # End-to-bridge encryption support options. 
These require matrix-nio to be installed with pip + # and login_shared_secret to be configured in order to get a device for the bridge bot. + # + # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal + # application service. + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: false + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: false + + # Public website and API configs + web: + # Auth server config + auth: + # Publicly accessible base URL for the login endpoints. + # The prefix below is not implicitly added. This URL and all subpaths should be proxied + # or otherwise pointed to the appservice's webserver to the path specified below (prefix). + # This path should usually include a trailing slash. + # Internal prefix in the appservice web server for the login endpoints. + public: "{{ matrix_homeserver_url }}{{ matrix_mautrix_googlechat_public_endpoint }}/login" + prefix: "{{ matrix_mautrix_googlechat_public_endpoint }}/login" + + + # Permissions for using the bridge. + # Permitted values: + # user - Use the bridge with puppeting. + # admin - Use and administrate the bridge. + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + '{{ matrix_mautrix_googlechat_homeserver_domain }}': user + +# Python logging configuration. 
+# +# See section 16.7.2 of the Python documentation for more info: +# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema +logging: + version: 1 + formatters: + colored: + (): mautrix_googlechat.util.ColorFormatter + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + normal: + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + handlers: + console: + class: logging.StreamHandler + formatter: colored + loggers: + mau: + level: DEBUG + hangups: + level: DEBUG + aiohttp: + level: INFO + root: + level: DEBUG + handlers: [console] diff --git a/roles/matrix-bridge-mautrix-googlechat/templates/systemd/matrix-mautrix-googlechat.service.j2 b/roles/matrix-bridge-mautrix-googlechat/templates/systemd/matrix-mautrix-googlechat.service.j2 new file mode 100644 index 00000000..c56473be --- /dev/null +++ b/roles/matrix-bridge-mautrix-googlechat/templates/systemd/matrix-mautrix-googlechat.service.j2 
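Review bot: `command_prefix: "!HO"` and the `hangups:` logger entry look carried over from the hangouts template rather than from the googlechat bridge's own example config, so the command prefix users are told to type here is presumably the Hangouts one; confirm both against upstream and either change the prefix or add `# kept from the hangouts template on purpose` next to it. The `hangups` logger at `DEBUG` is harmless if no such logger exists in mautrix-googlechat, but it misleads the next reader. Since this file renders `as_token`, `hs_token` and `login_shared_secret` in clear, a header comment such as `# This file contains appservice secrets; keep its permissions restrictive.` would be worth adding.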
@@ -0,0 +1,43 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Mautrix googlechat bridge +{% for service in matrix_mautrix_googlechat_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_mautrix_googlechat_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre={{ matrix_host_command_sleep }} 5 + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-googlechat \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + {% if matrix_mautrix_googlechat_container_http_host_bind_port %} + -p {{ matrix_mautrix_googlechat_container_http_host_bind_port }}:8080 \ + {% endif %} + -v {{ matrix_mautrix_googlechat_config_path }}:/config:z \ + -v {{ matrix_mautrix_googlechat_data_path }}:/data:z \ + {% for arg in matrix_mautrix_googlechat_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_mautrix_googlechat_docker_image }} \ + python3 -m mautrix_googlechat -c /config/config.yaml --no-update + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-googlechat 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-googlechat 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-mautrix-googlechat + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml index 48b66b8d..fa46d33c 100644 --- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml 
@@ -1,14 +1,14 @@ # mautrix-hangouts is a Matrix <-> Hangouts bridge -# See: https://github.com/tulir/mautrix-hangouts +# See: https://github.com/mautrix/hangouts matrix_mautrix_hangouts_enabled: true matrix_mautrix_hangouts_container_image_self_build: false -matrix_mautrix_hangouts_container_image_self_build_repo: "https://github.com/tulir/mautrix-hangouts.git" +matrix_mautrix_hangouts_container_image_self_build_repo: "https://github.com/mautrix/hangouts.git" matrix_mautrix_hangouts_version: latest -# See: https://mau.dev/tulir/mautrix-hangouts/container_registry -matrix_mautrix_hangouts_docker_image: "{{ matrix_mautrix_hangouts_docker_image_name_prefix }}tulir/mautrix-hangouts:{{ matrix_mautrix_hangouts_version }}" +# See: https://mau.dev/mautrix/hangouts/container_registry +matrix_mautrix_hangouts_docker_image: "{{ matrix_mautrix_hangouts_docker_image_name_prefix }}mautrix/hangouts:{{ matrix_mautrix_hangouts_version }}" matrix_mautrix_hangouts_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_hangouts_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_hangouts_docker_image_force_pull: "{{ matrix_mautrix_hangouts_docker_image.endswith(':latest') }}" @@ -107,7 +107,7 @@ matrix_mautrix_hangouts_registration_yaml: | - exclusive: true regex: '^@{{ matrix_mautrix_hangouts_appservice_bot_username|regex_escape }}:{{ matrix_mautrix_hangouts_homeserver_domain|regex_escape }}$' url: {{ matrix_mautrix_hangouts_appservice_address }} - # See https://github.com/tulir/mautrix-signal/issues/43 + # See https://github.com/mautrix/signal/issues/43 sender_localpart: _bot_{{ matrix_mautrix_hangouts_appservice_bot_username }} rate_limited: false de.sorunome.msc2409.push_ephemeral: true diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml index 07fb254d..6cc194fe 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml 
@@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_hangouts_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_hangouts_container_image_self_build and matrix_mautrix_hangouts_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-hangouts.service'] }}" @@ -67,10 +67,3 @@ URL endpoint to the matrix-mautrix-hangouts container. You can expose the container's port using the `matrix_mautrix_hangouts_container_http_host_bind_port` variable. when: "matrix_mautrix_hangouts_enabled|bool and (matrix_nginx_proxy_enabled is not defined or matrix_nginx_proxy_enabled|bool == false)" - -# ansible lower than 2.8, does not support docker_image build parameters -# for self building it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build Mautrix Hangouts image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_hangouts_container_image_self_build" diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml index 14ae255f..d5373134 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml 
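Review bot: The added `and matrix_mautrix_hangouts_enabled` is the only operand in that `when:` without a `|bool` cast, so a quoted `"false"` from an inventory file would still count as enabled; `and matrix_mautrix_hangouts_enabled|bool` keeps it consistent with the `matrix_mautrix_hangouts_enabled|bool` checks elsewhere in this file. The instagram `init.yml` hunk in this commit has the same issue. The unchanged `msg` just above still says `To self-build the Element image`, a copy-paste leftover worth fixing while this task is being touched.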
@@ -40,7 +40,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_hangouts_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_hangouts_docker_image_force_pull }}" - when: matrix_mautrix_hangouts_enabled|bool and not matrix_mautrix_hangouts_container_image_self_build + when: not matrix_mautrix_hangouts_container_image_self_build - name: Ensure Mautrix Hangouts paths exist file: @@ -54,7 +54,7 @@ - { path: "{{ matrix_mautrix_hangouts_config_path }}", when: true } - { path: "{{ matrix_mautrix_hangouts_data_path }}", when: true } - { path: "{{ matrix_mautrix_hangouts_docker_src_files_path }}", when: "{{ matrix_mautrix_hangouts_container_image_self_build }}" } - when: matrix_mautrix_hangouts_enabled|bool and item.when|bool + when: "item.when|bool" - name: Ensure Mautrix Hangots repository is present on self build git: @@ -62,7 +62,7 @@ dest: "{{ matrix_mautrix_hangouts_docker_src_files_path }}" force: "yes" register: matrix_mautrix_hangouts_git_pull_results - when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_container_image_self_build|bool" + when: "matrix_mautrix_hangouts_container_image_self_build|bool" - name: Ensure Mautrix Hangouts Docker image is built docker_image: @@ -74,7 +74,7 @@ dockerfile: Dockerfile path: "{{ matrix_mautrix_hangouts_docker_src_files_path }}" pull: yes - when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_container_image_self_build|bool" + when: "matrix_mautrix_hangouts_container_image_self_build|bool" - name: Check if an old database file already exists stat: diff --git a/roles/matrix-bridge-mautrix-instagram/defaults/main.yml b/roles/matrix-bridge-mautrix-instagram/defaults/main.yml index 5204386d..a648018e 100644 --- a/roles/matrix-bridge-mautrix-instagram/defaults/main.yml 
+++ b/roles/matrix-bridge-mautrix-instagram/defaults/main.yml @@ -1,14 +1,14 @@ # mautrix-instagram is a Matrix <-> Instagram bridge -# See: https://github.com/tulir/mautrix-instagram +# See: https://github.com/mautrix/instagram matrix_mautrix_instagram_enabled: true matrix_mautrix_instagram_container_image_self_build: false -matrix_mautrix_instagram_container_image_self_build_repo: "https://github.com/tulir/mautrix-instagram.git" +matrix_mautrix_instagram_container_image_self_build_repo: "https://github.com/mautrix/instagram.git" matrix_mautrix_instagram_version: latest # See: https://mau.dev/tulir/mautrix-instagram/container_registry -matrix_mautrix_instagram_docker_image: "{{ matrix_mautrix_instagram_docker_image_name_prefix }}tulir/mautrix-instagram:{{ matrix_mautrix_instagram_version }}" +matrix_mautrix_instagram_docker_image: "{{ matrix_mautrix_instagram_docker_image_name_prefix }}mautrix/instagram:{{ matrix_mautrix_instagram_version }}" matrix_mautrix_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_instagram_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_instagram_docker_image_force_pull: "{{ matrix_mautrix_instagram_docker_image.endswith(':latest') }}" @@ -97,7 +97,7 @@ matrix_mautrix_instagram_registration_yaml: | - exclusive: true regex: '^@{{ matrix_mautrix_instagram_appservice_bot_username|regex_escape }}:{{ matrix_mautrix_instagram_homeserver_domain|regex_escape }}$' url: {{ matrix_mautrix_instagram_appservice_address }} - # See https://github.com/tulir/mautrix-signal/issues/43 + # See https://github.com/mautrix/signal/issues/43 sender_localpart: _bot_{{ matrix_mautrix_instagram_appservice_bot_username }} rate_limited: false de.sorunome.msc2409.push_ephemeral: true diff --git a/roles/matrix-bridge-mautrix-instagram/tasks/init.yml b/roles/matrix-bridge-mautrix-instagram/tasks/init.yml index 6944003e..c44855d8 100644 --- a/roles/matrix-bridge-mautrix-instagram/tasks/init.yml 
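Review bot: The context line `# See: https://mau.dev/tulir/mautrix-instagram/container_registry` is left pointing at the old namespace while the image name directly below it moves to `mautrix/instagram`; the hangouts defaults in this same commit update the matching comment, so this one should be changed to the `mautrix/instagram` equivalent for consistency.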
+++ b/roles/matrix-bridge-mautrix-instagram/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_instagram_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_instagram_container_image_self_build and matrix_mautrix_instagram_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-instagram.service'] }}" @@ -21,10 +21,3 @@ + {{ ["/matrix-mautrix-instagram-registration.yaml"] }} when: matrix_mautrix_instagram_enabled|bool - -# ansible lower than 2.8, does not support docker_image build parameters -# for self building it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build Mautrix instagram image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_instagram_container_image_self_build" diff --git a/roles/matrix-bridge-mautrix-instagram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-instagram/tasks/setup_install.yml index 60474230..38a7f62e 100644 --- a/roles/matrix-bridge-mautrix-instagram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-instagram/tasks/setup_install.yml 
@@ -13,7 +13,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_instagram_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_instagram_docker_image_force_pull }}" - when: matrix_mautrix_instagram_enabled|bool and not matrix_mautrix_instagram_container_image_self_build + when: not matrix_mautrix_instagram_container_image_self_build - name: Ensure Mautrix instagram paths exist file: @@ -38,7 +38,7 @@ dest: "{{ matrix_mautrix_instagram_docker_src_files_path }}" force: "yes" register: matrix_mautrix_instagram_git_pull_results - when: "matrix_mautrix_instagram_enabled|bool and matrix_mautrix_instagram_container_image_self_build" + when: "matrix_mautrix_instagram_container_image_self_build|bool" - name: Ensure Mautrix instagram Docker image is built docker_image: @@ -50,7 +50,7 @@ dockerfile: Dockerfile path: "{{ matrix_mautrix_instagram_docker_src_files_path }}" pull: yes - when: "matrix_mautrix_instagram_enabled|bool and matrix_mautrix_instagram_container_image_self_build|bool" + when: "matrix_mautrix_instagram_container_image_self_build|bool" - name: Ensure mautrix-instagram config.yaml installed copy: diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index 50240548..93993fa1 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml 
@@ -1,14 +1,22 @@ # mautrix-signal is a Matrix <-> Signal bridge -# See: https://github.com/tulir/mautrix-signal +# See: https://github.com/mautrix/signal matrix_mautrix_signal_enabled: true +matrix_mautrix_signal_container_self_build: false +matrix_mautrix_signal_docker_repo: "https://mau.dev/mautrix/signal.git" +matrix_mautrix_signal_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signal/docker-src" + matrix_mautrix_signal_version: latest matrix_mautrix_signal_daemon_version: latest -# See: https://mau.dev/tulir/mautrix-signal/container_registry -matrix_mautrix_signal_docker_image: "dock.mau.dev/tulir/mautrix-signal:{{ matrix_mautrix_signal_version }}" +# See: https://mau.dev/mautrix/signal/container_registry +matrix_mautrix_signal_docker_image: "dock.mau.dev/mautrix/signal:{{ matrix_mautrix_signal_version }}" matrix_mautrix_signal_docker_image_force_pull: "{{ matrix_mautrix_signal_docker_image.endswith(':latest') }}" +matrix_mautrix_signal_daemon_container_self_build: false +matrix_mautrix_signal_daemon_docker_repo: "https://mau.dev/maunium/signald.git" +matrix_mautrix_signal_daemon_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signald/docker-src" + matrix_mautrix_signal_daemon_docker_image: "dock.mau.dev/maunium/signald:{{ matrix_mautrix_signal_daemon_version }}" matrix_mautrix_signal_daemon_docker_image_force_pull: "{{ matrix_mautrix_signal_daemon_docker_image.endswith(':latest') }}" 
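Review bot: `matrix_mautrix_signal_docker_image` keeps the `dock.mau.dev/mautrix/signal:` name even when `matrix_mautrix_signal_container_self_build` is true, whereas the hangouts and instagram roles switch self-built images to a `localhost/` prefix via a `..._docker_image_name_prefix` variable; a locally built image tagged with the registry name is easy to confuse with, or be replaced by, a pulled one. Following the hangouts pattern, `matrix_mautrix_signal_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_signal_container_self_build else 'dock.mau.dev/' }}"` would avoid that, and the same applies to the signald image block below. The new variable names (`_container_self_build`, `_docker_repo`) also diverge from the `_container_image_self_build` / `_container_image_self_build_repo` naming the other bridge roles use, which makes the option harder to discover.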
@@ -62,14 +70,30 @@ matrix_mautrix_signal_database_name: 'matrix_mautrix_signal' matrix_mautrix_signal_database_connection_string: 'postgres://{{ matrix_mautrix_signal_database_username }}:{{ matrix_mautrix_signal_database_password }}@{{ matrix_mautrix_signal_database_hostname }}:{{ matrix_mautrix_signal_database_port }}/{{ matrix_mautrix_signal_database_name }}' matrix_mautrix_signal_appservice_database: "{{ - { - 'postgres': matrix_mautrix_signal_database_connection_string, - }[matrix_mautrix_signal_database_engine] + { + 'postgres': matrix_mautrix_signal_database_connection_string, + }[matrix_mautrix_signal_database_engine] }}" # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). matrix_mautrix_signal_login_shared_secret: '' +# Enable bridge relay bot functionality +matrix_mautrix_signal_relaybot_enabled: false + +# Permissions for using the bridge. +# Permitted values: +# relay - Allowed to be relayed through the bridge, no access to commands. +# user - Use the bridge with puppeting. +# admin - Use and administrate the bridge. +# Permitted keys: +# * - All Matrix users +# domain - All users on that homeserver +# mxid - Specific user +matrix_mautrix_signal_bridge_permissions: | + '*': relay + '{{ matrix_mautrix_signal_homeserver_domain }}': user + # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # diff --git a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml index 61c6adff..88710868 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml 
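Review bot: The new default `matrix_mautrix_signal_bridge_permissions` grants `'*': relay`, which — given the `federate_rooms: true` already in the config template — means users from any federated homeserver can be relayed through the bridge once relay mode is enabled and a relay user is set in a room; the comment block above it only lists permitted keys and should state that exposure. Something like `# NOTE: '*' also covers users from other homeservers; relaying only takes effect when matrix_mautrix_signal_relaybot_enabled is true and a relay user is set in the room.` would make this explicit, and operators wanting a closed bridge can then drop the `'*'` line in their override.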
@@ -14,7 +14,29 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_signal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_docker_image_force_pull }}" - when: matrix_mautrix_signal_enabled|bool + when: "not matrix_mautrix_signal_container_self_build|bool" + + +- name: Ensure Mautrix Signal repository is present on self-build + git: + repo: "{{ matrix_mautrix_signal_docker_repo }}" + dest: "{{ matrix_mautrix_signal_docker_src_files_path }}" + force: "yes" + register: matrix_mautrix_signal_git_pull_results + when: "matrix_mautrix_signal_container_self_build|bool" + +- name: Ensure Mautrix Signal image is built + docker_image: + name: "{{ matrix_mautrix_signal_docker_image }}" + source: build + force_source: "{{ matrix_mautrix_signal_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_mautrix_signal_docker_src_files_path }}" + pull: yes + when: "matrix_mautrix_signal_container_self_build|bool" + - name: Ensure Mautrix Signal Daemon image is pulled docker_image: 
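Review bot: `force:` in the new `Ensure Mautrix Signal image is built` task falls back to `matrix_mailer_git_pull_results.changed`, a variable from another role, instead of the `matrix_mautrix_signal_git_pull_results` registered two tasks above; because the `omit` branch is taken on Ansible ≥ 2.8, the mistake only surfaces as an undefined-variable failure on older Ansible, which is exactly the case the fallback exists for. Change it to `force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_git_pull_results.changed }}"`. The signald build task in the next hunk has the same copy-paste and should use `matrix_mautrix_signal_daemon_git_pull_results.changed`; that hunk's `when: matrix_mautrix_signal_enabled and not ...` also keeps the `enabled` check this hunk removes, and does so without `|bool`.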
@@ -22,7 +44,28 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_signal_daemon_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_daemon_docker_image_force_pull }}" - when: matrix_mautrix_signal_enabled|bool + when: matrix_mautrix_signal_enabled and not matrix_mautrix_signal_daemon_container_self_build|bool + register: matrix_mautrix_signal_daemon_pull_results + +- name: Ensure Mautrix Signal Daemon repository is present on self-build + git: + repo: "{{ matrix_mautrix_signal_daemon_docker_repo }}" + dest: "{{ matrix_mautrix_signal_daemon_docker_src_files_path }}" + force: "yes" + register: matrix_mautrix_signal_daemon_git_pull_results + when: "matrix_mautrix_signal_daemon_container_self_build|bool" + +- name: Ensure Mautrix Signal Daemon image is built + docker_image: + name: "{{ matrix_mautrix_signal_daemon_docker_image }}" + source: build + force_source: "{{ matrix_mautrix_signal_daemon_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_mautrix_signal_daemon_docker_src_files_path }}" + pull: yes + when: "matrix_mautrix_signal_daemon_container_self_build|bool" - name: Ensure Mautrix Signal paths exist file: diff --git a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index ca5060a7..19c3ba05 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 
@@ -9,6 +9,12 @@ homeserver: # Only applies if address starts with https:// verify_ssl: true asmux: false + # Number of retries for all HTTP requests if the homeserver isn't reachable. + http_retry_count: 4 + # The URL to push real-time bridge status to. + # If set, the bridge will make POST requests to this URL whenever a user's Signal connection state changes. + # The bridge will use the appservice as_token to authorize requests. + status_endpoint: null # Application service host/registration related details # Changing these values requires regeneration of the registration. @@ -80,6 +86,9 @@ signal: avatar_dir: /signald/avatars # Directory where signald stores auth data. Used to delete data when logging out. data_dir: /signald/data + # Whether or not unknown signald accounts should be deleted when the bridge is started. + # When this is enabled, any UserInUse errors should be resolved by restarting the bridge. + delete_unknown_accounts_on_start: false # Whether or not message attachments should be removed from disk after they're bridged. remove_file_after_handling: true @@ -131,7 +140,7 @@ bridge: # If false, created portal rooms will never be federated. federate_rooms: true # End-to-bridge encryption support options. You must install the e2be optional dependency for - # this to work. See https://github.com/tulir/mautrix-telegram/wiki/End‐to‐bridge-encryption + # this to work. See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html encryption: # Allow encryption, work in group chat rooms with e2ee enabled allow: false 
@@ -164,20 +173,44 @@ bridge: # This field will automatically be changed back to false after it, # except if the config file is not writable. resend_bridge_info: false + # Interval at which to resync contacts. + periodic_sync: 0 # The prefix for commands. Only required in non-management rooms. command_prefix: "!signal" # Permissions for using the bridge. # Permitted values: + # relay - Allowed to be relayed through the bridge, no access to commands. # user - Use the bridge with puppeting. # admin - Use and administrate the bridge. # Permitted keys: # * - All Matrix users # domain - All users on that homeserver # mxid - Specific user - permissions: - '{{ matrix_mautrix_signal_homeserver_domain }}': user + permissions: + {{ matrix_mautrix_signal_bridge_permissions|from_yaml }} + + relay: + # Whether or not relay mode should be allowed. If allowed, `!signal set-relay` can be used to turn any + # authenticated user into a relaybot for that chat. + enabled: {{ matrix_mautrix_signal_relaybot_enabled }} + # The formats to use when sending messages to Signal via a relay user. + # + # Available variables: + # $sender_displayname - The display name of the sender (e.g. Example User) + # $sender_username - The username (Matrix ID localpart) of the sender (e.g. exampleuser) + # $sender_mxid - The Matrix ID of the sender (e.g. @exampleuser:example.com) + # $message - The message content + message_formats: + m.text: '$sender_displayname: $message' + m.notice: '$sender_displayname: $message' + m.emote: '* $sender_displayname $message' + m.file: '$sender_displayname sent a file' + m.image: '$sender_displayname sent an image' + m.audio: '$sender_displayname sent an audio file' + m.video: '$sender_displayname sent a video' + m.location: '$sender_displayname sent a location' # Python logging configuration. diff --git a/roles/matrix-bridge-mautrix-signal/templates/registration.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/registration.yaml.j2 index 54df82da..32e913a1 100644 
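Review bot: `permissions:` is now filled by `{{ matrix_mautrix_signal_bridge_permissions|from_yaml }}`, which renders the parsed mapping through Python's repr; YAML accepts that as a flow mapping only while no key or value needs quoting, so `{{ matrix_mautrix_signal_bridge_permissions|from_yaml|to_json }}` is the safer form (JSON is valid YAML). The new `relay` permission level combined with `relay.enabled: {{ matrix_mautrix_signal_relaybot_enabled }}` means a permitted user's Matrix messages are delivered to Signal under whichever authenticated user ran `!signal set-relay` in that room, so granting `relay` to `*` or to a whole domain extends that to every matched user. The role's defaults or docs should state this next to the permissions variable, for example `# 'relay' lets the listed users send via another user's Signal account once relay mode is enabled in a room; grant it narrowly.`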
--- a/roles/matrix-bridge-mautrix-signal/templates/registration.yaml.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/registration.yaml.j2 @@ -12,7 +12,7 @@ namespaces: - exclusive: true regex: '^#signal_.+:{{ matrix_mautrix_signal_homeserver_domain|regex_escape }}$' url: {{ matrix_mautrix_signal_appservice_address }} -# See https://github.com/tulir/mautrix-signal/issues/43 +# See https://github.com/mautrix/signal/issues/43 sender_localpart: _bot_{{ matrix_mautrix_signal_appservice_bot_username }} rate_limited: false de.sorunome.msc2409.push_ephemeral: true diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index e4c7696a..a105621a 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml 
@@ -1,15 +1,21 @@ # mautrix-telegram is a Matrix <-> Telegram bridge -# See: https://github.com/tulir/mautrix-telegram +# See: https://github.com/mautrix/telegram matrix_mautrix_telegram_enabled: true +matrix_telegram_lottieconverter_container_self_build: false +matrix_telegram_lottieconverter_container_self_build_mask_arch: false +matrix_telegram_lottieconverter_docker_repo: "https://mau.dev/tulir/lottieconverter.git" +matrix_telegram_lottieconverter_docker_src_files_path: "{{ matrix_base_data_path }}/lotticonverter/docker-src" +matrix_telegram_lottieconverter_docker_image: "dock.mau.dev/tulir/lottieconverter:alpine-3.14" # needs to be ajusted according to FROM clause of Dockerfile of mautrix-telegram + matrix_mautrix_telegram_container_self_build: false -matrix_mautrix_telegram_docker_repo: "https://mau.dev/tulir/mautrix-telegram.git" +matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git" matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src" -matrix_mautrix_telegram_version: v0.9.0 -# See: https://mau.dev/tulir/mautrix-telegram/container_registry -matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:{{ matrix_mautrix_telegram_version }}" +matrix_mautrix_telegram_version: v0.10.1 +# See: https://mau.dev/mautrix/telegram/container_registry +matrix_mautrix_telegram_docker_image: "dock.mau.dev/mautrix/telegram:{{ matrix_mautrix_telegram_version }}" matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}" matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram" 
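Review bot: `matrix_telegram_lottieconverter_docker_src_files_path` spells the directory `lotticonverter`, unlike every other `lottieconverter` identifier in this hunk; it should be `"{{ matrix_base_data_path }}/lottieconverter/docker-src"` before anything starts depending on the path. The image name `dock.mau.dev/tulir/lottieconverter:alpine-3.14` means a self-built lottieconverter is stored under the upstream registry's own name, so a later mautrix-telegram build with `pull: yes` can silently replace it with the registry copy; that is presumably why the `..._self_build_mask_arch` flag exists, and the trailing comment (which also misspells "adjusted") should say so rather than only that the tag must match the Dockerfile's `FROM` line.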
@@ -117,7 +123,7 @@ matrix_mautrix_telegram_registration_yaml: | aliases: - exclusive: true regex: '^#telegram_.+:{{ matrix_mautrix_telegram_homeserver_domain|regex_escape }}$' - # See https://github.com/tulir/mautrix-signal/issues/43 + # See https://github.com/mautrix/signal/issues/43 sender_localpart: _bot_{{ matrix_mautrix_telegram_appservice_bot_username }} url: {{ matrix_mautrix_telegram_appservice_address }} rate_limited: false diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml index c8f7f895..84ac86d0 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_telegram_container_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_telegram_container_self_build and matrix_mautrix_telegram_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-telegram.service'] }}" diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index 704f0e26..e2e583f2 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml 
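Review bot: The appended `and matrix_mautrix_telegram_enabled` in the init hunk omits the `|bool` cast that the `..._enabled|bool` conditions elsewhere in this diff use, so a string value such as "false" coming from vars.yml would be truthy and still trigger the failure; `and matrix_mautrix_telegram_enabled|bool` matches the convention. The `fail` task's `msg` in this mautrix-telegram role still says "To self-build the Element image", so the error an operator sees names the wrong component; the same copied message is visible in the discord, groupme, instagram, skype, slack, steam and twitter init hunks further down, while the hydrogen hunk correctly names its own image. Each should name its own component, e.g. `msg: "To self-build the mautrix-telegram image, you should use Ansible 2.8 or higher. See docs/ansible.md"`.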
@@ -56,6 +56,26 @@ force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_telegram_docker_image_force_pull }}" when: "not matrix_mautrix_telegram_container_self_build|bool" +- name: Ensure lottieconverter is present when self-building + git: + repo: "{{ matrix_telegram_lottieconverter_docker_repo }}" + dest: "{{ matrix_telegram_lottieconverter_docker_src_files_path }}" + force: "yes" + register: matrix_telegram_lottieconverter_git_pull_results + when: "matrix_telegram_lottieconverter_container_self_build|bool and matrix_mautrix_telegram_container_self_build|bool" + +- name: Ensure lottieconverter Docker image is built + docker_image: + name: "{{ matrix_telegram_lottieconverter_docker_image }}" + source: build + force_source: "{{ matrix_telegram_lottieconverter_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_telegram_lottieconverter_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_telegram_lottieconverter_docker_src_files_path }}" + pull: yes + when: "matrix_telegram_lottieconverter_container_self_build|bool and matrix_telegram_lottieconverter_git_pull_results.changed and matrix_mautrix_telegram_container_self_build|bool" + - name: Ensure matrix-mautrix-telegram repository is present when self-building git: repo: "{{ matrix_mautrix_telegram_docker_repo }}" @@ -73,7 +93,9 @@ build: dockerfile: Dockerfile path: "{{ matrix_mautrix_telegram_docker_src_files_path }}" - pull: yes + pull: "{{ not matrix_telegram_lottieconverter_container_self_build_mask_arch|bool }}" + args: + TARGETARCH: "" when: "matrix_mautrix_telegram_container_self_build|bool and matrix_mautrix_telegram_git_pull_results.changed" - name: Check if an old database file already exists 
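Review bot: The "Ensure lottieconverter Docker image is built" task only runs when `matrix_telegram_lottieconverter_git_pull_results.changed` is true, so if the build fails once it will not be attempted again until the repository changes. The signal and whatsapp hunks in this commit run the build whenever self-build is enabled and let `force_source` decide whether to rebuild; dropping `and matrix_telegram_lottieconverter_git_pull_results.changed` from the `when` gives the same idempotent behaviour here. The lottieconverter `git` task also has no `version:`, so the image is built from the default branch's current HEAD rather than a pinned revision. `pull: "{{ not matrix_telegram_lottieconverter_container_self_build_mask_arch|bool }}"` is hard to read without context; a comment such as `# pull: yes would re-fetch the lottieconverter base image from the registry and overwrite a self-built one, which is what mask_arch prevents` would explain why a build option is tied to that flag.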
diff --git a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml index f8ae7d87..7409fb4d 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -1,16 +1,22 @@ # mautrix-whatsapp is a Matrix <-> Whatsapp bridge -# See: https://github.com/tulir/mautrix-whatsapp +# See: https://github.com/mautrix/whatsapp matrix_mautrix_whatsapp_enabled: true +matrix_mautrix_whatsapp_container_image_self_build: false +matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautrix/whatsapp.git" +matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}" + matrix_mautrix_whatsapp_version: latest -# See: https://mau.dev/tulir/mautrix-whatsapp/container_registry -matrix_mautrix_whatsapp_docker_image: "dock.mau.dev/tulir/mautrix-whatsapp:{{ matrix_mautrix_whatsapp_version }}" +# See: https://mau.dev/mautrix/whatsapp/container_registry +matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_name_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}" +matrix_mautrix_whatsapp_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_whatsapp_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_whatsapp_docker_image_force_pull: "{{ matrix_mautrix_whatsapp_docker_image.endswith(':latest') }}" matrix_mautrix_whatsapp_base_path: "{{ matrix_base_data_path }}/mautrix-whatsapp" matrix_mautrix_whatsapp_config_path: "{{ matrix_mautrix_whatsapp_base_path }}/config" matrix_mautrix_whatsapp_data_path: "{{ matrix_mautrix_whatsapp_base_path }}/data" +matrix_mautrix_whatsapp_docker_src_files_path: "{{ matrix_mautrix_whatsapp_base_path }}/docker-src" matrix_mautrix_whatsapp_homeserver_address: "{{ matrix_homeserver_container_url }}" matrix_mautrix_whatsapp_homeserver_domain: "{{ matrix_domain }}" 
@@ -96,7 +102,7 @@ matrix_mautrix_whatsapp_registration_yaml: | url: {{ matrix_mautrix_whatsapp_appservice_address }} as_token: "{{ matrix_mautrix_whatsapp_appservice_token }}" hs_token: "{{ matrix_mautrix_whatsapp_homeserver_token }}" - # See https://github.com/tulir/mautrix-signal/issues/43 + # See https://github.com/mautrix/signal/issues/43 sender_localpart: _bot_{{ matrix_mautrix_whatsapp_appservice_bot_username }} rate_limited: false namespaces: diff --git a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml index 9691a58f..f3dd0570 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml 
@@ -35,24 +35,49 @@ when: "matrix_mautrix_whatsapp_sqlite_database_path_local_stat_result.stat.exists|bool" when: "matrix_mautrix_whatsapp_database_engine == 'postgres'" + +- name: Ensure Mautrix Whatsapp paths exists + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_mautrix_whatsapp_base_path }}", when: true } + - { path: "{{ matrix_mautrix_whatsapp_config_path }}", when: true } + - { path: "{{ matrix_mautrix_whatsapp_data_path }}", when: true } + - { path: "{{ matrix_mautrix_whatsapp_docker_src_files_path }}", when: "{{ matrix_mautrix_whatsapp_container_image_self_build }}" } + when: item.when|bool + - name: Ensure Mautrix Whatsapp image is pulled docker_image: name: "{{ matrix_mautrix_whatsapp_docker_image }}" source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_whatsapp_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_whatsapp_docker_image_force_pull }}" + when: not matrix_mautrix_whatsapp_container_image_self_build -- name: Ensure Mautrix Whatsapp paths exists - file: - path: "{{ item }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_mautrix_whatsapp_base_path }}" - - "{{ matrix_mautrix_whatsapp_config_path }}" - - "{{ matrix_mautrix_whatsapp_data_path }}" +- name: Ensure Mautrix Whatsapp repository is present on self-build + git: + repo: "{{ matrix_mautrix_whatsapp_container_image_self_build_repo }}" + dest: "{{ matrix_mautrix_whatsapp_docker_src_files_path }}" + version: "{{ matrix_mautrix_whatsapp_container_image_self_build_branch }}" + force: "yes" + register: matrix_mautrix_whatsapp_git_pull_results + when: 
"matrix_mautrix_whatsapp_container_image_self_build|bool" + +- name: Ensure Mautrix Whatsapp Docker image is built + docker_image: + name: "{{ matrix_mautrix_whatsapp_docker_image }}" + source: build + force_source: "{{ matrix_mautrix_whatsapp_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_whatsapp_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_mautrix_whatsapp_docker_src_files_path }}" + pull: yes + when: "matrix_mautrix_whatsapp_container_image_self_build|bool" - name: Check if an old database file exists stat: diff --git a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml index 7e99c9b2..1113bb1c 100644 --- a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml @@ -27,9 +27,6 @@ matrix_mx_puppet_discord_homeserver_address: "{{ matrix_homeserver_container_url matrix_mx_puppet_discord_homeserver_domain: '{{ matrix_domain }}' matrix_mx_puppet_discord_appservice_address: 'http://matrix-mx-puppet-discord:{{ matrix_mx_puppet_discord_appservice_port }}' -matrix_mx_puppet_discord_client_id: '' -matrix_mx_puppet_discord_client_secret: '' - # "@user:server.com" to allow specific user # "@.*:yourserver.com" to allow users on a specific homeserver # "@.*" to allow anyone diff --git a/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml b/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml index 983e3895..6fa43037 100644 --- a/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml 
@@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_discord_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_discord_container_image_self_build and matrix_mx_puppet_discord_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-discord.service'] }}" @@ -21,10 +21,3 @@ + {{ ["/matrix-mx-puppet-discord-registration.yaml"] }} when: matrix_mx_puppet_discord_enabled|bool - -# ansible lower than 2.8, does not support docker_image build parameters -# for self building it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_discord_container_image_self_build" diff --git a/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml b/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml index 898768bf..8b382605 100644 --- a/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml @@ -27,9 +27,6 @@ matrix_mx_puppet_groupme_homeserver_address: "{{ matrix_homeserver_container_url matrix_mx_puppet_groupme_homeserver_domain: '{{ matrix_domain }}' matrix_mx_puppet_groupme_appservice_address: 'http://matrix-mx-puppet-groupme:{{ matrix_mx_puppet_groupme_appservice_port }}' -matrix_mx_puppet_groupme_client_id: '' -matrix_mx_puppet_groupme_client_secret: '' - # "@user:server.com" to allow specific user # "@.*:yourserver.com" to allow users on a specific homeserver # "@.*" to allow anyone 
diff --git a/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml b/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml index eb598ecb..b4469ea1 100644 --- a/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_groupme_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_groupme_container_image_self_build and matrix_mx_puppet_groupme_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-groupme.service'] }}" @@ -21,10 +21,3 @@ + {{ ["/matrix-mx-puppet-groupme-registration.yaml"] }} when: matrix_mx_puppet_groupme_enabled|bool - -# ansible lower than 2.8, does not support docker_image build parameters -# for self building it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_groupme_container_image_self_build" diff --git a/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml b/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml index 2ef99f02..a12885e7 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml 
@@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_instagram_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_instagram_container_image_self_build and matrix_mx_puppet_instagram_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-instagram.service'] }}" diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml index 1bdc4c2b..5618821b 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_skype_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_skype_container_image_self_build and matrix_mx_puppet_skype_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-skype.service'] }}" @@ -21,10 +21,3 @@ + {{ ["/matrix-mx-puppet-skype-registration.yaml"] }} when: matrix_mx_puppet_skype_enabled|bool - -# ansible lower than 2.8, does not support docker_image build parameters -# for self building it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build Puppet Skype image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_skype_container_image_self_build" 
diff --git a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml index 65b295c9..30d42475 100644 --- a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml @@ -27,8 +27,6 @@ matrix_mx_puppet_slack_homeserver_address: "{{ matrix_homeserver_container_url } matrix_mx_puppet_slack_homeserver_domain: '{{ matrix_domain }}' matrix_mx_puppet_slack_appservice_address: 'http://matrix-mx-puppet-slack:{{ matrix_mx_puppet_slack_appservice_port }}' -matrix_mx_puppet_slack_client_id: '' -matrix_mx_puppet_slack_client_secret: '' matrix_mx_puppet_slack_redirect_path: '/slack/oauth' matrix_mx_puppet_slack_redirect_uri: 'https://{{ matrix_server_fqn_matrix }}{{ matrix_mx_puppet_slack_redirect_path }}' diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml index de3ffd7c..f484c687 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_slack_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_slack_container_image_self_build and matrix_mx_puppet_slack_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-slack.service'] }}" 
@@ -68,10 +68,3 @@ URL endpoint to the matrix-mx-puppet-slack container. You can expose the container's port using the `matrix_appservice_slack_container_http_host_bind_port` variable. when: "matrix_mx_puppet_slack_enabled|bool and matrix_nginx_proxy_enabled is not defined" - -# ansible lower than 2.8, does not support docker_image build parameters -# for self building it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_slack_container_image_self_build" diff --git a/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 index 01714cb3..b1917b86 100644 --- a/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 @@ -18,10 +18,6 @@ bridge: # Slack OAuth settings. Create a slack app at https://api.slack.com/apps oauth: enabled: true - # Slack app credentials. - # N.B. This must be quoted so YAML wouldn't parse it as a float. - clientId: "{{ matrix_mx_puppet_slack_client_id }}" - clientSecret: {{ matrix_mx_puppet_slack_client_secret }} # Path where to listen for OAuth redirect callbacks. redirectPath: {{ matrix_mx_puppet_slack_redirect_path }} # Set up proxying from https://your.domain/redirect_path to http://bindAddress:port/redirect_path, diff --git a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml index e4df90a5..2af4a32a 100644 --- a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml 
@@ -27,9 +27,6 @@ matrix_mx_puppet_steam_homeserver_address: "{{ matrix_homeserver_container_url } matrix_mx_puppet_steam_homeserver_domain: '{{ matrix_domain }}' matrix_mx_puppet_steam_appservice_address: 'http://matrix-mx-puppet-steam:{{ matrix_mx_puppet_steam_appservice_port }}' -matrix_mx_puppet_steam_client_id: '' -matrix_mx_puppet_steam_client_secret: '' - # "@user:server.com" to allow specific user # "@.*:yourserver.com" to allow users on a specific homeserver # "@.*" to allow anyone diff --git a/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml b/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml index c7b3d67f..c3218e89 100644 --- a/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_steam_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_steam_container_image_self_build and matrix_mx_puppet_steam_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-steam.service'] }}" @@ -21,10 +21,3 @@ + {{ ["/matrix-mx-puppet-steam-registration.yaml"] }} when: matrix_mx_puppet_steam_enabled|bool - -# ansible lower than 2.8, does not support docker_image build parameters -# for self building it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_steam_container_image_self_build" 
diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml index 94fafd90..06cf83fa 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_twitter_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_twitter_container_image_self_build and matrix_mx_puppet_twitter_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-twitter.service'] }}" @@ -68,10 +68,3 @@ URL endpoint to the matrix-mx-puppet-twitter container. You can expose the container's port using the `matrix_mx_puppet_twitter_container_http_host_bind_port` variable. when: "matrix_mx_puppet_twitter_enabled|bool and matrix_nginx_proxy_enabled is not defined" - -# ansible lower than 2.8, does not support docker_image build parameters -# for self building it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build Puppet Twitter image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_twitter_container_image_self_build" diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index f0596d91..527b17e5 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml 
@@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_version: v1.7.29 +matrix_client_element_version: v1.9.3 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-client-element/tasks/init.yml b/roles/matrix-client-element/tasks/init.yml index 102cae38..44fa1544 100644 --- a/roles/matrix-client-element/tasks/init.yml +++ b/roles/matrix-client-element/tasks/init.yml @@ -7,4 +7,4 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_element_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_element_container_image_self_build and matrix_client_element_enabled" diff --git a/roles/matrix-client-hydrogen/defaults/main.yml b/roles/matrix-client-hydrogen/defaults/main.yml index f7a3059e..e84d56cf 100644 --- a/roles/matrix-client-hydrogen/defaults/main.yml +++ b/roles/matrix-client-hydrogen/defaults/main.yml 
@@ -5,7 +5,7 @@ matrix_client_hydrogen_enabled: true matrix_client_hydrogen_container_image_self_build: true matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git" -matrix_client_hydrogen_version: v0.1.53 +matrix_client_hydrogen_version: v0.2.7 matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}" matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}" matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-client-hydrogen/tasks/init.yml b/roles/matrix-client-hydrogen/tasks/init.yml index 1115f63d..8116a003 100644 --- a/roles/matrix-client-hydrogen/tasks/init.yml +++ b/roles/matrix-client-hydrogen/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Hydrogen image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_hydrogen_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_hydrogen_container_image_self_build and matrix_client_hydrogen_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-hydrogen.service'] }}" diff --git a/roles/matrix-client-hydrogen/tasks/setup.yml b/roles/matrix-client-hydrogen/tasks/setup.yml index 205fa3ce..a4ff7c3c 100644 --- a/roles/matrix-client-hydrogen/tasks/setup.yml +++ b/roles/matrix-client-hydrogen/tasks/setup.yml 
@@ -53,6 +53,8 @@ - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} when: "matrix_client_hydrogen_enabled|bool and item.src is not none" +# This step MUST come after the steps to install the configuration files because the config files +# are currently only read at build time, not at run time like most other components in the playbook - name: Ensure Hydrogen Docker image is built docker_image: name: "{{ matrix_client_hydrogen_docker_image }}" diff --git a/roles/matrix-common-after/tasks/awx_post.yml b/roles/matrix-common-after/tasks/awx_post.yml index 1e194046..4fbd5e55 100644 --- a/roles/matrix-common-after/tasks/awx_post.yml +++ b/roles/matrix-common-after/tasks/awx_post.yml @@ -2,9 +2,9 @@ - name: Create user account @janitor command: | - /usr/local/bin/matrix-synapse-register-user janitor {{ matrix_awx_janitor_user_password | quote }} 1 + /usr/local/bin/matrix-synapse-register-user janitor {{ awx_janitor_user_password | quote }} 1 register: cmd - when: not matrix_awx_janitor_user_created|bool + when: not awx_janitor_user_created|bool no_log: True - name: Update AWX janitor user created variable @@ -15,14 +15,14 @@ line: "{{ item.key }}: {{ item.value }}" insertafter: 'AWX Settings' with_dict: - 'matrix_awx_janitor_user_created': 'true' - when: not matrix_awx_janitor_user_created|bool + 'awx_janitor_user_created': 'true' + when: not awx_janitor_user_created|bool - name: Create user account @dimension command: | - /usr/local/bin/matrix-synapse-register-user dimension {{ matrix_awx_dimension_user_password | quote }} 0 + /usr/local/bin/matrix-synapse-register-user dimension {{ awx_dimension_user_password | quote }} 0 register: cmd - when: not matrix_awx_dimension_user_created|bool + when: not awx_dimension_user_created|bool no_log: True - name: Update AWX dimension user created variable 
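Review bot: In the janitor registration hunk the renamed `awx_janitor_user_password` is still passed as a command-line argument to `matrix-synapse-register-user`; `no_log: True` keeps it out of Ansible's output, but an argument is visible in the host's process table for the duration of the command. Only the variable name changes here, so this is pre-existing, but since the commit is reworking these tasks it is a reasonable moment to hand the secret over via stdin or an environment variable if the register script supports that (not visible in this diff). The dimension and mjolnir registration hunks that follow use the same pattern.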
@@ -33,14 +33,14 @@ line: "{{ item.key }}: {{ item.value }}" insertafter: 'AWX Settings' with_dict: - 'matrix_awx_dimension_user_created': 'true' - when: not matrix_awx_dimension_user_created|bool + 'awx_dimension_user_created': 'true' + when: not awx_dimension_user_created|bool - name: Create user account @mjolnir command: | - /usr/local/bin/matrix-synapse-register-user mjolnir {{ matrix_awx_mjolnir_user_password | quote }} 0 + /usr/local/bin/matrix-synapse-register-user mjolnir {{ awx_mjolnir_user_password | quote }} 0 register: cmd - when: not matrix_awx_mjolnir_user_created|bool + when: not awx_mjolnir_user_created|bool no_log: True - name: Update AWX dimension user created variable @@ -51,8 +51,8 @@ line: "{{ item.key }}: {{ item.value }}" insertafter: 'AWX Settings' with_dict: - 'matrix_awx_mjolnir_user_created': 'true' - when: not matrix_awx_mjolnir_user_created|bool + 'awx_mjolnir_user_created': 'true' + when: not awx_mjolnir_user_created|bool - name: Ensure /chroot/website location has correct permissions file: @@ -60,11 +60,18 @@ state: directory owner: matrix group: matrix - mode: '0574' - when: customise_base_domain_website is defined + mode: '0770' + when: awx_customise_base_domain_website is defined -- name: Ensure erroneous /chroot/website/matrix-domain location doesn't exist - file: - path: /chroot/website/matrix-domain - state: absent - when: customise_base_domain_website is defined +- name: Collect Discord AppService bot invite link if file exists + command: + cat /matrix/appservice-discord/config/invite_link + register: awx_discord_appservice_link + when: awx_appservice_discord_admin_user is defined + args: + removes: /matrix/appservice-discord/config/invite_link + +- name: Print Discord AppService bot link for user + debug: + msg: "{{ awx_discord_appservice_link.stdout }}" + when: awx_discord_appservice_link.stdout is defined 
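Review bot: `command: cat` guarded by `args: removes:` in the new "Collect Discord AppService bot invite link" task is the shell-out form of what the `slurp` module does natively, and ansible-lint flags `command` where a module exists; a `stat` on the file followed by `slurp: src: /matrix/appservice-discord/config/invite_link` and `msg: "{{ awx_discord_appservice_link.content | b64decode }}"` in the debug task would read more idiomatically (`slurp` fails on a missing file, hence the `stat`). The follow-up `when: awx_discord_appservice_link.stdout is defined` works because a skipped task still registers a result without `stdout`, but that is subtle enough to deserve a one-line comment. The directory mode change from `'0574'` to `'0770'` also drops the world-read bit; if anything outside the `matrix` group serves `/chroot/website`, that will need checking.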
diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index 05af8046..313f79a8 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -22,7 +22,7 @@ matrix_corporal_container_extra_arguments: [] # List of systemd services that matrix-corporal.service depends on matrix_corporal_systemd_required_services_list: ['docker.service'] -matrix_corporal_version: 2.1.0 +matrix_corporal_version: 2.1.2 matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}" matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_corporal_docker_image_tag: "{{ matrix_corporal_version }}" # for backward-compatibility diff --git a/roles/matrix-corporal/tasks/init.yml b/roles/matrix-corporal/tasks/init.yml index 993ace81..e5062c27 100644 --- a/roles/matrix-corporal/tasks/init.yml +++ b/roles/matrix-corporal/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_corporal_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_corporal_container_image_self_build and matrix_corporal_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal.service'] }}" diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index ad8735fe..b845e9ee 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml 
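Review bot: The `fail` message in the corporal init.yml hunk still reads `To self-build the Element image`, a copy-paste leftover in a task this commit is already editing; `msg: "To self-build the matrix-corporal image, you should use Ansible 2.8 or higher. See docs/ansible.md"` would match the role. The coturn and dynamic-dns init.yml hunks below carry the same wrong "Element" wording.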
@@ -2,10 +2,10 @@ matrix_coturn_enabled: true matrix_coturn_container_image_self_build: false matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn" -matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}-r0" +matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}" matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile" -matrix_coturn_version: 4.5.2 +matrix_coturn_version: 4.5.2-r4 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine" matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-coturn/tasks/init.yml b/roles/matrix-coturn/tasks/init.yml index c645c06b..a7d8a343 100644 --- a/roles/matrix-coturn/tasks/init.yml +++ b/roles/matrix-coturn/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_coturn_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_coturn_container_image_self_build and matrix_coturn_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn.service'] }}" diff --git a/roles/matrix-dynamic-dns/tasks/init.yml b/roles/matrix-dynamic-dns/tasks/init.yml index 039b5b02..e7d33ff2 100644 --- a/roles/matrix-dynamic-dns/tasks/init.yml +++ b/roles/matrix-dynamic-dns/tasks/init.yml 
@@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_dynamic_dns_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_dynamic_dns_container_image_self_build and matrix_dynamic_dns_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dynamic-dns.service'] }}" diff --git a/roles/matrix-email2matrix/defaults/main.yml b/roles/matrix-email2matrix/defaults/main.yml index e6bfa0fe..3dfabc1a 100644 --- a/roles/matrix-email2matrix/defaults/main.yml +++ b/roles/matrix-email2matrix/defaults/main.yml @@ -2,9 +2,15 @@ matrix_email2matrix_enabled: true matrix_email2matrix_base_path: "{{ matrix_base_data_path }}/email2matrix" matrix_email2matrix_config_dir_path: "{{ matrix_email2matrix_base_path }}/config" +matrix_email2matrix_docker_src_files_path: "{{ matrix_email2matrix_base_path }}/docker-src" + +matrix_email2matrix_container_image_self_build: false +matrix_email2matrix_container_image_self_build_repo: "https://github.com/devture/email2matrix.git" +matrix_email2matrix_container_image_self_build_branch: "{{ matrix_email2matrix_version }}" matrix_email2matrix_version: 1.0.1 -matrix_email2matrix_docker_image: "{{ matrix_container_global_registry_prefix }}devture/email2matrix:{{ matrix_email2matrix_version }}" +matrix_email2matrix_docker_image_prefix: "{{ 'localhost/' if matrix_email2matrix_container_image_self_build else matrix_container_global_registry_prefix }}" +matrix_email2matrix_docker_image: "{{ matrix_email2matrix_docker_image_prefix }}devture/email2matrix:{{ matrix_email2matrix_version }}" matrix_email2matrix_docker_image_force_pull: "{{ matrix_email2matrix_docker_image.endswith(':latest') }}" # A list of extra arguments to pass to the container 
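Review bot: The new `matrix_email2matrix_docker_image_prefix` in the email2matrix defaults breaks the naming every other role in this diff uses (`matrix_client_element_docker_image_name_prefix`, `matrix_corporal_docker_image_name_prefix`, `matrix_coturn_docker_image_name_prefix`); renaming it to `matrix_email2matrix_docker_image_name_prefix` before it ships avoids a compatibility alias later. `matrix_email2matrix_container_image_self_build_branch` is also set to `{{ matrix_email2matrix_version }}` with no comment that the value is expected to be a git tag name rather than a branch, which a reader would reasonably assume from the variable name.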
diff --git a/roles/matrix-email2matrix/tasks/main.yml b/roles/matrix-email2matrix/tasks/main.yml index 23114673..77be7279 100644 --- a/roles/matrix-email2matrix/tasks/main.yml +++ b/roles/matrix-email2matrix/tasks/main.yml @@ -8,8 +8,14 @@ - setup-all - setup-email2matrix -- import_tasks: "{{ role_path }}/tasks/setup_email2matrix.yml" - when: run_setup|bool +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_email2matrix_enabled|bool" + tags: + - setup-all + - setup-email2matrix + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_email2matrix_enabled|bool" tags: - setup-all - setup-email2matrix diff --git a/roles/matrix-email2matrix/tasks/setup_email2matrix.yml b/roles/matrix-email2matrix/tasks/setup_email2matrix.yml deleted file mode 100644 index d5fa73a5..00000000 --- a/roles/matrix-email2matrix/tasks/setup_email2matrix.yml +++ /dev/null 
@@ -1,88 +0,0 @@ ---- - -# -# Tasks related to setting up Email2Matrix -# - -- name: Ensure Email2Matrix paths exist - file: - path: "{{ item }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_email2matrix_base_path }}" - - "{{ matrix_email2matrix_config_dir_path }}" - when: matrix_email2matrix_enabled|bool - -- name: Ensure Email2Matrix configuration file created - template: - src: "{{ role_path }}/templates/config.json.j2" - dest: "{{ matrix_email2matrix_config_dir_path }}/config.json" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - mode: 0640 - when: matrix_email2matrix_enabled|bool - -- name: Ensure Email2Matrix image is pulled - docker_image: - name: "{{ matrix_email2matrix_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_email2matrix_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_email2matrix_docker_image_force_pull }}" - when: matrix_email2matrix_enabled|bool - -- name: Ensure matrix-email2matrix.service installed - template: - src: "{{ role_path }}/templates/systemd/matrix-email2matrix.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-email2matrix.service" - mode: 0644 - register: matrix_email2matrix_systemd_service_result - when: matrix_email2matrix_enabled|bool - -- name: Ensure systemd reloaded after matrix-email2matrix.service installation - service: - daemon_reload: yes - when: "matrix_email2matrix_enabled|bool and matrix_email2matrix_systemd_service_result.changed" - -# -# Tasks related to getting rid of the Email2Matrix (if it was previously enabled) -# - -- name: Check existence of matrix-email2matrix service - stat: - path: "{{ matrix_systemd_path }}/matrix-email2matrix.service" - register: 
matrix_email2matrix_service_stat - when: "not matrix_email2matrix_enabled|bool" - -- name: Ensure matrix-email2matrix is stopped - service: - name: matrix-email2matrix - state: stopped - daemon_reload: yes - register: stopping_result - when: "not matrix_email2matrix_enabled|bool and matrix_email2matrix_service_stat.stat.exists" - -- name: Ensure matrix-email2matrix.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-email2matrix.service" - state: absent - when: "not matrix_email2matrix_enabled|bool and matrix_email2matrix_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-email2matrix.service removal - service: - daemon_reload: yes - when: "not matrix_email2matrix_enabled|bool and matrix_email2matrix_service_stat.stat.exists" - -- name: Ensure Email2Matrix data path doesn't exist - file: - path: "{{ matrix_email2matrix_base_path }}" - state: absent - when: "not matrix_email2matrix_enabled|bool" - -- name: Ensure Email2Matrix Docker image doesn't exist - docker_image: - name: "{{ matrix_email2matrix_docker_image }}" - state: absent - when: "not matrix_email2matrix_enabled|bool" diff --git a/roles/matrix-email2matrix/tasks/setup_install.yml b/roles/matrix-email2matrix/tasks/setup_install.yml new file mode 100644 index 00000000..7805c2c1 --- /dev/null +++ b/roles/matrix-email2matrix/tasks/setup_install.yml 
@@ -0,0 +1,63 @@ +--- + +- name: Ensure Email2Matrix paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_email2matrix_base_path }}", when: true } + - { path: "{{ matrix_email2matrix_config_dir_path }}", when: true } + - { path: "{{ matrix_email2matrix_docker_src_files_path }}", when: "{{ matrix_email2matrix_container_image_self_build }}"} + when: "item.when|bool" + +- name: Ensure Email2Matrix configuration file created + template: + src: "{{ role_path }}/templates/config.json.j2" + dest: "{{ matrix_email2matrix_config_dir_path }}/config.json" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + mode: 0640 + +- name: Ensure Email2Matrix image is pulled + docker_image: + name: "{{ matrix_email2matrix_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_email2matrix_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_email2matrix_docker_image_force_pull }}" + when: "not matrix_email2matrix_container_image_self_build|bool" + +- name: Ensure Email2Matrix repository is present on self-build + git: + repo: "{{ matrix_email2matrix_container_image_self_build_repo }}" + dest: "{{ matrix_email2matrix_docker_src_files_path }}" + version: "{{ matrix_email2matrix_container_image_self_build_branch }}" + force: "yes" + register: matrix_email2matrix_git_pull_results + when: "matrix_email2matrix_container_image_self_build|bool" + +- name: Ensure Email2Matrix Docker image is built + docker_image: + name: "{{ matrix_email2matrix_docker_image }}" + source: build + force_source: "{{ matrix_email2matrix_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: 
"{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_email2matrix_git_pull_results.changed }}" + build: + dockerfile: etc/docker/Dockerfile + path: "{{ matrix_email2matrix_docker_src_files_path }}" + pull: yes + when: "matrix_email2matrix_container_image_self_build|bool" + +- name: Ensure matrix-email2matrix.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-email2matrix.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-email2matrix.service" + mode: 0644 + register: matrix_email2matrix_systemd_service_result + +- name: Ensure systemd reloaded after matrix-email2matrix.service installation + service: + daemon_reload: yes + when: "matrix_email2matrix_systemd_service_result.changed|bool" diff --git a/roles/matrix-email2matrix/tasks/setup_uninstall.yml b/roles/matrix-email2matrix/tasks/setup_uninstall.yml new file mode 100644 index 00000000..b0b44cca --- /dev/null +++ b/roles/matrix-email2matrix/tasks/setup_uninstall.yml 
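Review bot: The self-build path in setup_install.yml clones `matrix_email2matrix_container_image_self_build_branch`, which per the defaults hunk resolves to the tag `1.0.1`; git tags are mutable references, so a self-build is only as reproducible as the upstream tag, and nothing here records that. A comment such as `# version may be a tag (the default) or a commit hash for a reproducible self-build` on the `git` task would document the contract, and `force: "yes"` is a quoted string where the rest of this file uses bare booleans (`pull: yes`, `daemon_reload: yes`). The enclosing file is complete in this hunk, so the `matrix_email2matrix_git_pull_results` register is only read by the build task that shares its `when` condition, which is fine.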
@@ -0,0 +1,35 @@ +--- + +- name: Check existence of matrix-email2matrix service + stat: + path: "{{ matrix_systemd_path }}/matrix-email2matrix.service" + register: matrix_email2matrix_service_stat + +- name: Ensure matrix-email2matrix is stopped + service: + name: matrix-email2matrix + state: stopped + daemon_reload: yes + register: stopping_result + when: "matrix_email2matrix_service_stat.stat.exists|bool" + +- name: Ensure matrix-email2matrix.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-email2matrix.service" + state: absent + when: "matrix_email2matrix_service_stat.stat.exists|bool" + +- name: Ensure systemd reloaded after matrix-email2matrix.service removal + service: + daemon_reload: yes + when: "matrix_email2matrix_service_stat.stat.exists|bool" + +- name: Ensure Email2Matrix data path doesn't exist + file: + path: "{{ matrix_email2matrix_base_path }}" + state: absent + +- name: Ensure Email2Matrix Docker image doesn't exist + docker_image: + name: "{{ matrix_email2matrix_docker_image }}" + state: absent diff --git a/roles/matrix-etherpad/tasks/init.yml b/roles/matrix-etherpad/tasks/init.yml index 081d4c23..5b8f5ef6 100644 --- a/roles/matrix-etherpad/tasks/init.yml +++ b/roles/matrix-etherpad/tasks/init.yml @@ -15,7 +15,7 @@ - name: Generate Etherpad proxying configuration for matrix-nginx-proxy set_fact: matrix_etherpad_matrix_nginx_proxy_configuration: | - rewrite ^{{ matrix_etherpad_public_endpoint }}$ $scheme://$server_name{{ matrix_etherpad_public_endpoint }}/ permanent; + rewrite ^{{ matrix_etherpad_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_etherpad_public_endpoint }}/ permanent; location {{ matrix_etherpad_public_endpoint }}/ { {% if matrix_nginx_proxy_enabled|default(False) %} 
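Review bot: In the etherpad init.yml hunk, `matrix_nginx_proxy_x_forwarded_proto_value` is used bare in the new `rewrite` line, whereas the `{% if %}` two lines below guards `matrix_nginx_proxy_enabled` with `|default(False)`; if this `set_fact` runs where the nginx-proxy role's variables are not loaded, templating will fail on an undefined variable instead of falling back to the previous `$scheme`. `{{ matrix_nginx_proxy_x_forwarded_proto_value | default('$scheme') }}` here, and in the `X-Forwarded-Proto` hunk that follows, would keep the old behaviour as the fallback. Whether the variable can actually be undefined depends on the nginx-proxy role's defaults, which are not part of this diff.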
@@ -27,7 +27,7 @@ proxy_http_version 1.1; # recommended with keepalive connections proxy_pass_header Server; proxy_set_header Host $host; - proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used + proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; # for EP to set secure cookie flag when https is used # WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 7c5c217c..8df73e2d 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,7 +3,7 @@ matrix_grafana_enabled: false -matrix_grafana_version: 7.5.7 +matrix_grafana_version: 8.1.4 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" 
@@ -38,11 +38,11 @@ matrix_grafana_default_admin_password: admin matrix_grafana_content_security_policy: true # specify content security policy template to customized template -# added 'unsafe-inline' (ignored by browsers supporting nonces/hashes) to be backward compatible with older browsers. # added https: and http: url schemes (ignored by browsers supporting 'strict-dynamic') to be backward compatible with older browsers. # [Content Security Policy Browser Test] (https://content-security-policy.com/browser-test/) # [Content Security Policy Reference](https://content-security-policy.com/script-src/) -matrix_grafana_content_security_policy_customized: true +matrix_grafana_content_security_policy_customized: false +matrix_grafana_content_security_policy_template: "script-src 'self' 'unsafe-eval' 'unsafe-inline' http: https: 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src * data:;base-uri 'self';connect-src 'self' grafana.com ws://$ROOT_PATH wss://$ROOT_PATH;manifest-src 'self';media-src 'none';form-action 'self';" # A list of extra arguments to pass to the container matrix_grafana_container_extra_arguments: [] diff --git a/roles/matrix-grafana/templates/grafana.ini.j2 b/roles/matrix-grafana/templates/grafana.ini.j2 index 322762b4..8f4c88f0 100644 --- a/roles/matrix-grafana/templates/grafana.ini.j2 +++ b/roles/matrix-grafana/templates/grafana.ini.j2 
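Review bot: The removed comment line about `'unsafe-inline'` is still needed, because the new `matrix_grafana_content_security_policy_template` keeps `'unsafe-inline'` (and `'unsafe-eval'`) in `script-src`; the explanation that nonce-aware browsers ignore it belongs next to the template it describes. Compared with the template removed from grafana.ini.j2, `img-src 'self' data:` has become `img-src * data:` and `style-src` gained `blob:`, and neither widening is mentioned in the comments; a line like `# img-src * allows externally hosted dashboard images; tighten to 'self' if you do not need them` would record the intent. Flipping `matrix_grafana_content_security_policy_customized` to `false` also means the template is unused by default, which is worth stating in the changelog for users who relied on the old `true`.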
@@ -13,7 +13,7 @@ content_security_policy = "{{ matrix_grafana_content_security_policy }}" # specify content security policy template to customized template {% if matrix_grafana_content_security_policy_customized %} -content_security_policy_template = """script-src http: https: 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data:;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';""" +content_security_policy_template = """{{ matrix_grafana_content_security_policy_template }}""" {% endif %} [auth.anonymous] diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 14545bc9..bef993e0 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -7,6 +7,7 @@ matrix_jitsi_enable_guests: false matrix_jitsi_enable_recording: false matrix_jitsi_enable_transcriptions: false matrix_jitsi_enable_p2p: true +matrix_jitsi_enable_av_moderation: true # Authentication type, must be one of internal, jwt or ldap. Currently only # internal and ldap are supported by this playbook. @@ -32,13 +33,14 @@ matrix_jitsi_ldap_start_tls: false matrix_jitsi_timezone: UTC -matrix_jitsi_xmpp_domain: matrix-jitsi-web -matrix_jitsi_xmpp_server: matrix-jitsi-prosody +matrix_jitsi_xmpp_domain: meet.jitsi +matrix_jitsi_xmpp_server: xmpp.meet.jitsi matrix_jitsi_xmpp_auth_domain: auth.meet.jitsi matrix_jitsi_xmpp_bosh_url_base: http://{{ matrix_jitsi_xmpp_server }}:5280 matrix_jitsi_xmpp_guest_domain: guest.meet.jitsi matrix_jitsi_xmpp_muc_domain: muc.meet.jitsi matrix_jitsi_xmpp_internal_muc_domain: internal-muc.meet.jitsi +matrix_jitsi_xmpp_modules: '' matrix_jitsi_recorder_domain: recorder.meet.jitsi 
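Review bot: `matrix_jitsi_xmpp_modules: ''` in the jitsi defaults hunk is added without any comment on its format, unlike the surrounding options, even though it is fed straight into `XMPP_MODULES=` in the prosody env template; a line such as `# Extra Prosody modules to load for the main XMPP domain (format as expected by the jitsi/prosody image, presumably comma-separated)` would help. The new `matrix_jitsi_xmpp_server: xmpp.meet.jitsi` value only resolves because the prosody service template in this commit adds `--network-alias={{ matrix_jitsi_xmpp_server }}`; a short comment here pointing at that dependency would stop someone from "fixing" one side alone.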
@@ -52,7 +54,7 @@ matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false -matrix_jitsi_version: stable-5765-1 +matrix_jitsi_version: stable-6173 matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}" @@ -68,6 +70,14 @@ matrix_jitsi_web_public_url: "https://{{ matrix_server_fqn_jitsi }}" # Addresses need to be prefixed with one of `stun:`, `turn:` or `turns:`. matrix_jitsi_web_stun_servers: ['stun:meet-jit-si-turnrelay.jitsi.net:443'] +# Setting up TURN +# Default set with Coturn container +matrix_jitsi_turn_credentials: "{{ matrix_coturn_turn_static_auth_secret }}" +matrix_jitsi_turn_host: "turn.{{ matrix_server_fqn_matrix }}" +matrix_jitsi_turns_host: "turn.{{ matrix_server_fqn_matrix }}" +matrix_jitsi_turn_port: "{{ matrix_coturn_container_stun_plain_host_bind_port }}" +matrix_jitsi_turns_port: "{{ matrix_coturn_container_stun_tls_host_bind_port }}" + # Controls whether Etherpad will be available within Jitsi matrix_jitsi_etherpad_enabled: false diff --git a/roles/matrix-jitsi/tasks/validate_config.yml b/roles/matrix-jitsi/tasks/validate_config.yml index cc8a4b22..d2887b12 100644 --- a/roles/matrix-jitsi/tasks/validate_config.yml +++ b/roles/matrix-jitsi/tasks/validate_config.yml @@ -16,7 +16,6 @@ with_items: - "matrix_jitsi_jibri_xmpp_password" - "matrix_jitsi_jibri_recorder_password" - - "matrix_jitsi_jicofo_component_secret" - "matrix_jitsi_jicofo_auth_password" - "matrix_jitsi_jvb_auth_password" diff --git a/roles/matrix-jitsi/templates/jicofo/env.j2 b/roles/matrix-jitsi/templates/jicofo/env.j2 index a402d2d7..687df714 100644 --- a/roles/matrix-jitsi/templates/jicofo/env.j2 +++ b/roles/matrix-jitsi/templates/jicofo/env.j2 
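Review bot: The new `matrix_jitsi_turn_*` defaults are wired to coturn variables with no fallback, and the two-line comment `# Setting up TURN` / `# Default set with Coturn container` does not say what to do when coturn is disabled or an external TURN server is used. Documenting that host, ports and `matrix_jitsi_turn_credentials` must be overridden together, and that the credential is coturn's static auth secret, would make the contract explicit; since the same value is rendered into the prosody env file later in this diff, rotating the secret presumably also requires re-templating and restarting prosody, which is worth a sentence. `matrix_jitsi_turn_port`/`matrix_jitsi_turns_port` are taken from coturn's `stun_*` bind-port variables, so a note that STUN and TURN share those ports would avoid confusion.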
@@ -1,17 +1,34 @@ +AUTH_TYPE={{ matrix_jitsi_auth_type }} +BRIDGE_AVG_PARTICIPANT_STRESS +BRIDGE_STRESS_THRESHOLD ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} - +ENABLE_AUTO_OWNER +ENABLE_CODEC_VP8 +ENABLE_CODEC_VP9 +ENABLE_CODEC_H264 +ENABLE_OCTO +ENABLE_RECORDING +ENABLE_SCTP +JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} +JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }} +JICOFO_ENABLE_BRIDGE_HEALTH_CHECKS +JICOFO_CONF_INITIAL_PARTICIPANT_WAIT_TIMEOUT +JICOFO_CONF_SINGLE_PARTICIPANT_TIMEOUT +JICOFO_ENABLE_HEALTH_CHECKS +JICOFO_SHORT_ID +JICOFO_RESERVATION_ENABLED +JICOFO_RESERVATION_REST_BASE_URL +JIBRI_BREWERY_MUC={{ matrix_jitsi_jibri_brewery_muc }} +JIBRI_REQUEST_RETRIES +JIBRI_PENDING_TIMEOUT={{ matrix_jitsi_jibri_pending_timeout }} +JIGASI_BREWERY_MUC +JIGASI_SIP_URI +JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }} +MAX_BRIDGE_PARTICIPANTS +OCTO_BRIDGE_SELECTION_STRATEGY +TZ={{ matrix_jitsi_timezone }} XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} +XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }} XMPP_SERVER={{ matrix_jitsi_xmpp_server }} - -JICOFO_COMPONENT_SECRET={{ matrix_jitsi_jicofo_component_secret }} -JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} -JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }} - -JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }} - -JIBRI_BREWERY_MUC={{ matrix_jitsi_jibri_brewery_muc }} -JIBRI_PENDING_TIMEOUT={{ matrix_jitsi_jibri_pending_timeout }} - -TZ={{ matrix_jitsi_timezone }} diff --git a/roles/matrix-jitsi/templates/jvb/env.j2 b/roles/matrix-jitsi/templates/jvb/env.j2 index f7dc9247..a927314e 100644 --- a/roles/matrix-jitsi/templates/jvb/env.j2 +++ b/roles/matrix-jitsi/templates/jvb/env.j2 
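Review bot: About half of the new jicofo env lines are bare names with no `=` (`BRIDGE_AVG_PARTICIPANT_STRESS`, `ENABLE_OCTO`, `JICOFO_SHORT_ID`, …); this file is consumed through `--env-file`, where, to my understanding, a line without `=` is only forwarded if the variable exists in the docker client's environment, which under the systemd unit is essentially empty. They are therefore no-ops here rather than the "set to empty" they resemble, and nothing in the template says so. A header comment such as `# Bare names below are placeholders copied from the upstream compose environment; they are only passed through if set in the host environment` would stop someone from relying on them. The jvb, prosody and web env templates below use the same form.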
@@ -1,20 +1,25 @@ -JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} -JVB_TCP_PORT={{ matrix_jitsi_jvb_rtp_tcp_port }} -JVB_PORT={{ matrix_jitsi_jvb_rtp_udp_port }} +ENABLE_COLIBRI_WEBSOCKET +ENABLE_OCTO +DOCKER_HOST_ADDRESS +XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} +XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} +XMPP_SERVER={{ matrix_jitsi_xmpp_server }} JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }} - -XMPP_SERVER={{ matrix_jitsi_xmpp_server }} -XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} -XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} - -HOSTNAME=matrix-jitsi-jvb - +JVB_PORT={{ matrix_jitsi_jvb_rtp_udp_port }} +JVB_TCP_HARVESTER_DISABLED=true +JVB_TCP_PORT={{ matrix_jitsi_jvb_rtp_tcp_port }} +JVB_TCP_MAPPED_PORT={{ matrix_jitsi_jvb_rtp_tcp_port }} {% if matrix_jitsi_jvb_stun_servers|length > 0 %} JVB_STUN_SERVERS={{ matrix_jitsi_jvb_stun_servers|join(',') }} {% endif %} - +JVB_ENABLE_APIS +JVB_WS_DOMAIN +JVB_WS_SERVER_ID PUBLIC_URL={{ matrix_jitsi_web_public_url }} - -{{ matrix_jitsi_jvb_environment_variables_extension }} +JVB_OCTO_BIND_ADDRESS +JVB_OCTO_PUBLIC_ADDRESS +JVB_OCTO_BIND_PORT +JVB_OCTO_REGION +TZ={{ matrix_jitsi_timezone }} \ No newline at end of file diff --git a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 index 53c0c83a..2785795d 100644 --- a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 +++ b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 
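Review bot: The removed `{{ matrix_jitsi_jvb_environment_variables_extension }}` was the only extension point in the jvb env template and nothing in the hunk replaces it, so user-supplied extra JVB variables silently stop being rendered; the web env hunk below drops `{{ matrix_jitsi_web_environment_variables_extension }}` in the same way. Unless the variables are also removed from the defaults and announced, re-adding the line at the end of each file keeps the existing contract. The hard-coded `JVB_TCP_HARVESTER_DISABLED=true` sits next to the configurable `JVB_TCP_PORT`/`JVB_TCP_MAPPED_PORT`; if TCP is meant to stay off, a comment saying so would help, otherwise it wants a variable. The file also now ends without a trailing newline.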
@@ -16,6 +16,7 @@ ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jvb \ --log-driver=none \ --network={{ matrix_docker_network }} \ + --network-alias=jvb.meet.jitsi \ --env-file={{ matrix_jitsi_jvb_base_path }}/env \ {% if matrix_jitsi_jvb_container_rtp_udp_host_bind_port %} -p {{ matrix_jitsi_jvb_container_rtp_udp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_udp_port }}/udp \ diff --git a/roles/matrix-jitsi/templates/prosody/env.j2 b/roles/matrix-jitsi/templates/prosody/env.j2 index 0c977d45..70feda6e 100644 --- a/roles/matrix-jitsi/templates/prosody/env.j2 +++ b/roles/matrix-jitsi/templates/prosody/env.j2 @@ -1,10 +1,11 @@ AUTH_TYPE={{ matrix_jitsi_auth_type }} - ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }} - -PUBLIC_URL={{ matrix_jitsi_web_public_url }} - +ENABLE_LOBBY={{ 1 if matrix_jitsi_enable_lobby else 0 }} +ENABLE_AV_MODERATION={{1 if matrix_jitsi_enable_av_moderation else 0}} +ENABLE_XMPP_WEBSOCKET +GLOBAL_MODULES +GLOBAL_CONFIG LDAP_URL={{ matrix_jitsi_ldap_url }} LDAP_BASE={{ matrix_jitsi_ldap_base }} LDAP_BINDDN={{ matrix_jitsi_ldap_binddn }} 
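Review bot: `--network-alias=jvb.meet.jitsi` in the jvb service hunk hard-codes the `meet.jitsi` domain, while the prosody service in this same commit uses `--network-alias={{ matrix_jitsi_xmpp_server }}` and the domain is configurable through `matrix_jitsi_xmpp_domain`; anyone overriding that variable ends up with a stale alias here. `--network-alias=jvb.{{ matrix_jitsi_xmpp_domain }} \` keeps the two templates in step.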
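Review bot: `ENABLE_AV_MODERATION={{1 if matrix_jitsi_enable_av_moderation else 0}}` in the first prosody env hunk omits the spaces inside the braces that every other expression in this template uses (`{{ 1 if matrix_jitsi_enable_lobby else 0 }}` on the line directly above). Jinja does not care, but aligning it to `ENABLE_AV_MODERATION={{ 1 if matrix_jitsi_enable_av_moderation else 0 }}` keeps the file uniform.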
@@ -18,32 +19,39 @@ LDAP_TLS_CHECK_PEER={{ 1 if matrix_jitsi_ldap_tls_check_peer else 0 }} LDAP_TLS_CACERT_FILE={{ matrix_jitsi_ldap_tls_cacert_file }} LDAP_TLS_CACERT_DIR={{ matrix_jitsi_ldap_tls_cacert_dir }} LDAP_START_TLS={{ 1 if matrix_jitsi_ldap_start_tls else 0 }} - XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }} XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }} XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} - -XMPP_MODULES= +XMPP_MODULES={{ matrix_jitsi_xmpp_modules }} XMPP_MUC_MODULES= XMPP_INTERNAL_MUC_MODULES= - XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} - -JICOFO_COMPONENT_SECRET={{ matrix_jitsi_jicofo_component_secret }} +XMPP_CROSS_DOMAIN=true JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }} - JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} - +JIGASI_XMPP_USER= +JIGASI_XMPP_PASSWORD= JIBRI_XMPP_USER={{ matrix_jitsi_jibri_xmpp_user }} JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }} - JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }} JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }} - -ENABLE_LOBBY={{ 1 if matrix_jitsi_enable_lobby else 0 }} - +JWT_APP_ID +JWT_APP_SECRET +JWT_ACCEPTED_ISSUERS +JWT_ACCEPTED_AUDIENCES +JWT_ASAP_KEYSERVER +JWT_ALLOW_EMPTY +JWT_AUTH_TYPE +JWT_TOKEN_AUTH_MODULE +LOG_LEVEL +PUBLIC_URL={{ matrix_jitsi_web_public_url }} +TURN_CREDENTIALS={{ matrix_jitsi_turn_credentials }} +TURN_HOST={{ matrix_jitsi_turn_host }} +TURNS_HOST={{ matrix_jitsi_turns_host }} +TURN_PORT={{ matrix_jitsi_turn_port }} +TURNS_PORT={{ matrix_jitsi_turns_port }} TZ={{ matrix_jitsi_timezone }} 
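Review bot: The second prosody env hunk mixes two forms that behave differently: `JIGASI_XMPP_USER=` and `JIGASI_XMPP_PASSWORD=` export an empty string, whereas the bare `JWT_APP_ID`, `JWT_APP_SECRET`, `LOG_LEVEL` lines leave the variable unset (presumably forwarded only if present in the host environment). Entrypoints that test `-z "$VAR"` treat both alike, but ones that test whether the variable is defined do not, so picking one form, or commenting which is intended for the jigasi pair, would remove the ambiguity. `XMPP_CROSS_DOMAIN=true` is also hard-coded next to the configurable `XMPP_MODULES={{ matrix_jitsi_xmpp_modules }}`; since it appears to relax the cross-origin policy for BOSH, a comment on why it is always on (or a `matrix_jitsi_xmpp_cross_domain` variable) would be appropriate.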
diff --git a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 index 4445e52b..5a4a81e5 100644 --- a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 +++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 @@ -16,6 +16,7 @@ ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-prosody \ --log-driver=none \ --network={{ matrix_docker_network }} \ + --network-alias={{ matrix_jitsi_xmpp_server }} \ {% if matrix_jitsi_prosody_container_http_host_bind_port %} -p {{ matrix_jitsi_prosody_container_http_host_bind_port }}:5280 \ {% endif %} diff --git a/roles/matrix-jitsi/templates/web/env.j2 b/roles/matrix-jitsi/templates/web/env.j2 index 7b763a3c..c4faa5ba 100644 --- a/roles/matrix-jitsi/templates/web/env.j2 +++ b/roles/matrix-jitsi/templates/web/env.j2 
@@ -1,42 +1,94 @@
-ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }}
-ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }}
-
-ENABLE_TRANSCRIPTIONS={{ 1 if matrix_jitsi_enable_transcriptions else 0 }}
-
-ENABLE_P2P={{ 1 if matrix_jitsi_enable_p2p else 0 }}
-
-DISABLE_HTTPS=1
-
-JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }}
-
+ENABLE_COLIBRI_WEBSOCKET
+ENABLE_FLOC=0
+ENABLE_LETSENCRYPT=0
+ENABLE_HTTP_REDIRECT=0
+ENABLE_HSTS=0
+ENABLE_XMPP_WEBSOCKET
+DISABLE_HTTPS=0
+DISABLE_DEEP_LINKING
+LETSENCRYPT_DOMAIN={{ matrix_server_fqn_jitsi }}
+LETSENCRYPT_EMAIL={{ matrix_ssl_lets_encrypt_support_email }}
+LETSENCRYPT_USE_STAGING=0
 PUBLIC_URL={{ matrix_jitsi_web_public_url }}
-
-XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }}
-XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }}
-XMPP_BOSH_URL_BASE={{ matrix_jitsi_xmpp_bosh_url_base }}
-XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }}
-XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }}
-XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }}
-
 TZ={{ matrix_jitsi_timezone }}
-
-JIBRI_BREWERY_MUC={{ matrix_jitsi_jibri_brewery_muc }}
-JIBRI_PENDING_TIMEOUT={{ matrix_jitsi_jibri_pending_timeout }}
-JIBRI_XMPP_USER={{ matrix_jitsi_jibri_xmpp_user }}
-JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }}
-JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }}
-JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }}
-
+AMPLITUDE_ID
+ANALYTICS_SCRIPT_URLS
+ANALYTICS_WHITELISTED_EVENTS
+CALLSTATS_CUSTOM_SCRIPT_URL
+CALLSTATS_ID
+CALLSTATS_SECRET
+CHROME_EXTENSION_BANNER_JSON
+CONFCODE_URL
+CONFIG_EXTERNAL_CONNECT
+DEFAULT_LANGUAGE
+DEPLOYMENTINFO_ENVIRONMENT
+DEPLOYMENTINFO_ENVIRONMENT_TYPE
+DEPLOYMENTINFO_REGION
+DEPLOYMENTINFO_SHARD
+DEPLOYMENTINFO_USERREGION
+DIALIN_NUMBERS_URL
+DIALOUT_AUTH_URL
+DIALOUT_CODES_URL
+DROPBOX_APPKEY
+DROPBOX_REDIRECT_URI
+DYNAMIC_BRANDING_URL
+ENABLE_AUDIO_PROCESSING
+ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }}
+ENABLE_CALENDAR
+ENABLE_FILE_RECORDING_SERVICE
+ENABLE_FILE_RECORDING_SERVICE_SHARING
+ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }}
+ENABLE_IPV6
+ENABLE_LIPSYNC
+ENABLE_NO_AUDIO_DETECTION
+ENABLE_P2P={{ 1 if matrix_jitsi_enable_p2p else 0 }}
+ENABLE_PREJOIN_PAGE
+ENABLE_WELCOME_PAGE
+ENABLE_CLOSE_PAGE
 ENABLE_RECORDING={{ 1 if matrix_jitsi_enable_recording else 0 }}
-
+ENABLE_REMB
+ENABLE_REQUIRE_DISPLAY_NAME
+ENABLE_SIMULCAST
+ENABLE_STATS_ID
+ENABLE_STEREO
+ENABLE_SUBDOMAINS
+ENABLE_TALK_WHILE_MUTED
+ENABLE_TCC
+ENABLE_TRANSCRIPTIONS={{ 1 if matrix_jitsi_enable_transcriptions else 0 }}
+ETHERPAD_PUBLIC_URL
+ETHERPAD_URL_BASE={{ (matrix_jitsi_etherpad_base + '/') if matrix_jitsi_etherpad_enabled else ''}}
+GOOGLE_ANALYTICS_ID
+GOOGLE_API_APP_CLIENT_ID
+INVITE_SERVICE_URL
+JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }}
+MATOMO_ENDPOINT
+MATOMO_SITE_ID
+MICROSOFT_API_APP_CLIENT_ID
+NGINX_RESOLVER
+NGINX_WORKER_PROCESSES
+NGINX_WORKER_CONNECTIONS
+PEOPLE_SEARCH_URL
 RESOLUTION={{ matrix_jitsi_web_config_resolution_height_ideal_and_max }}
 RESOLUTION_MIN={{ matrix_jitsi_web_config_resolution_height_min }}
 RESOLUTION_WIDTH={{ matrix_jitsi_web_config_resolution_width_ideal_and_max }}
 RESOLUTION_WIDTH_MIN={{ matrix_jitsi_web_config_resolution_width_min }}
-
+START_AUDIO_ONLY
 START_AUDIO_MUTED={{ matrix_jitsi_web_config_start_audio_muted_after_nth_participant }}
+START_WITH_AUDIO_MUTED
+START_SILENT
+DISABLE_AUDIO_LEVELS
+ENABLE_NOISY_MIC_DETECTION
+START_BITRATE
+DESKTOP_SHARING_FRAMERATE_MIN
+DESKTOP_SHARING_FRAMERATE_MAX
 START_VIDEO_MUTED={{ matrix_jitsi_web_config_start_video_muted_after_nth_participant }}
-
-ETHERPAD_URL_BASE={{ (matrix_jitsi_etherpad_base + '/') if matrix_jitsi_etherpad_enabled else ''}}
-
-{{ matrix_jitsi_web_environment_variables_extension }}
+START_WITH_VIDEO_MUTED
+TESTING_CAP_SCREENSHARE_BITRATE
+TESTING_OCTO_PROBABILITY
+XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }}
+XMPP_BOSH_URL_BASE={{ matrix_jitsi_xmpp_bosh_url_base }}
+XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }}
+XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }}
+XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }}
+XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }}
+TOKEN_AUTH_URL
\ No newline at end of file
diff --git a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2
index 6ae2074d..5d386361 100644
--- a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2
+++ b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2
@@ -16,6 +16,7 @@ ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }}
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-web \
 --log-driver=none \
 --network={{ matrix_docker_network }} \
+ --network-alias={{ matrix_jitsi_xmpp_domain }} \
 --env-file={{ matrix_jitsi_web_base_path }}/env \
 {% if matrix_jitsi_web_container_http_host_bind_port %}
 -p {{ matrix_jitsi_web_container_http_host_bind_port }}:80 \
diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml
index 7ab0d15e..f91189f5 100644
--- a/roles/matrix-ma1sd/defaults/main.yml
+++ b/roles/matrix-ma1sd/defaults/main.yml
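Review bot: The removed `{{ matrix_jitsi_web_environment_variables_extension }}` line was this file's only extension point, so any variables operators inject through it are silently dropped after this change; either keep the line at the end of the new file or record the removal in the changelog so users know their overrides stopped applying. `DISABLE_HTTPS` also flips from `1` to `0`, which, as far as upstream's web image behaves, makes the container's internal nginx serve TLS as well as port 80; the playbook only proxies to `:80`, so a comment such as `# TLS is terminated by matrix-nginx-proxy; the container's own HTTPS listener is unused` would explain why the new values are safe. The file now ends without a trailing newline after `TOKEN_AUTH_URL`, which some env-file parsers handle differently from a terminated line.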
@@ -7,11 +7,9 @@ matrix_ma1sd_container_image_self_build: false matrix_ma1sd_container_image_self_build_repo: "https://github.com/ma1uta/ma1sd.git" matrix_ma1sd_container_image_self_build_branch: "{{ matrix_ma1sd_version }}" -matrix_ma1sd_architecture: "amd64" +matrix_ma1sd_version: "2.5.0" -matrix_ma1sd_version: "2.4.0" - -matrix_ma1sd_docker_image: "{{ matrix_ma1sd_docker_image_name_prefix }}ma1uta/ma1sd:{{ matrix_ma1sd_version }}-{{ matrix_ma1sd_architecture }}" +matrix_ma1sd_docker_image: "{{ matrix_ma1sd_docker_image_name_prefix }}ma1uta/ma1sd:{{ matrix_ma1sd_version }}" matrix_ma1sd_docker_image_name_prefix: "{{ 'localhost/' if matrix_ma1sd_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-ma1sd/tasks/init.yml b/roles/matrix-ma1sd/tasks/init.yml index f09cfcfd..04cc3a21 100644 --- a/roles/matrix-ma1sd/tasks/init.yml +++ b/roles/matrix-ma1sd/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ma1sd_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ma1sd_container_image_self_build and matrix_ma1sd_enabled|bool" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ma1sd.service'] }}" diff --git a/roles/matrix-ma1sd/tasks/validate_config.yml b/roles/matrix-ma1sd/tasks/validate_config.yml index 4ca25e7e..4f80b154 100644 --- a/roles/matrix-ma1sd/tasks/validate_config.yml +++ b/roles/matrix-ma1sd/tasks/validate_config.yml 
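Review bot: The `when` in matrix-ma1sd/tasks/init.yml now also requires `matrix_ma1sd_enabled|bool`, but the `msg` two lines above it still says "To self-build the Element image" inside the ma1sd role; the same copy-paste survives in matrix-mailer/tasks/init.yml in the next hunk. Since the task is being touched anyway, `msg: "To self-build the ma1sd image, you should use Ansible 2.8 or higher. See docs/ansible.md"` (and the mailer equivalent) would stop sending users to the wrong component when the check fires.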
@@ -28,6 +28,7 @@ - 'matrix_ma1sd_ldap_auth_filter' - 'matrix_ma1sd_ldap_directory_filter' - 'matrix_ma1sd_template_config' + - 'matrix_ma1sd_architecture' - name: Ensure ma1sd configuration does not contain any dot-notation keys fail: diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index 1340cc70..71a33752 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml @@ -7,7 +7,7 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src" matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}" -matrix_mailer_version: 4.94.2-r0-1 +matrix_mailer_version: 4.94.2-r0-4 matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}" matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-mailer/tasks/init.yml b/roles/matrix-mailer/tasks/init.yml index 5895343e..d07380f0 100644 --- a/roles/matrix-mailer/tasks/init.yml +++ b/roles/matrix-mailer/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mailer_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mailer_container_image_self_build and matrix_mailer_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mailer.service'] }}" 
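Review bot: `matrix_mailer_enabled` is used without `|bool` in the new mailer `when`, whereas the ma1sd counterpart in the previous hunk uses `matrix_ma1sd_enabled|bool`; a value supplied as a string (for example from `-e matrix_mailer_enabled=false` on the command line) is a non-empty string and therefore truthy in Jinja, so the guard would not skip the check. Use `... and matrix_mailer_container_image_self_build and matrix_mailer_enabled|bool` to match the other role.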
diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 11d46374..0b4d5ffc 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -1,5 +1,5 @@ matrix_nginx_proxy_enabled: true -matrix_nginx_proxy_version: 1.21.0-alpine +matrix_nginx_proxy_version: 1.21.3-alpine # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but @@ -10,6 +10,7 @@ matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image. matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy" matrix_nginx_proxy_data_path: "{{ matrix_nginx_proxy_base_path }}/data" matrix_nginx_proxy_data_path_in_container: "/nginx-data" +matrix_nginx_proxy_data_path_extension: "/matrix_domain" matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_base_path }}/conf.d" # List of systemd services that matrix-nginx-proxy.service depends on @@ -39,6 +40,12 @@ matrix_nginx_proxy_container_extra_arguments: [] # - services are served directly from the HTTP vhost matrix_nginx_proxy_https_enabled: true +# Controls whether matrix-nginx-proxy trusts an upstream server's X-Forwarded-Proto header +# +# Required if you disable HTTPS for the container (see `matrix_nginx_proxy_https_enabled`) and have an upstream server handle it instead. +matrix_nginx_proxy_trust_forwarded_proto: false +matrix_nginx_proxy_x_forwarded_proto_value: "{{ '$http_x_forwarded_proto' if matrix_nginx_proxy_trust_forwarded_proto else '$scheme' }}" + # Controls whether the matrix-nginx-proxy container exposes its HTTP port (tcp/8080 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:80"), or empty string to not expose. 
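Review bot: `matrix_nginx_proxy_x_forwarded_proto_value` substitutes `$http_x_forwarded_proto` verbatim, so with `matrix_nginx_proxy_trust_forwarded_proto` enabled the value is whatever the client sent unless the upstream proxy overwrites the header, and when the header is absent it is the empty string — the `return 302 {{ matrix_nginx_proxy_x_forwarded_proto_value }}://...` in matrix-domain.conf.j2 then emits a `Location: ://host/...` redirect. The comment should state the precondition, e.g. `# Only enable this when the upstream proxy always overwrites X-Forwarded-Proto; otherwise the value is client-controlled.` A more robust rendering is an nginx `map` in nginx.conf.j2 that accepts only `http`/`https` and falls back to `$scheme`, e.g. `map $http_x_forwarded_proto $matrix_forwarded_proto { default $scheme; http http; https https; }`, with this variable pointing at the mapped name instead. The same substitution is made in matrix-jitsi.conf.j2 and matrix-sygnal.conf.j2 below, so one map covers all of them.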
@@ -75,6 +82,9 @@ matrix_nginx_proxy_container_federation_host_bind_port: '8448' # in the `{{ matrix_nginx_proxy_data_path }}/matrix-domain` (`/matrix/nginx-proxy/data/matrix-domain`) directory. matrix_nginx_proxy_base_domain_serving_enabled: false +# Controls whether the base domain directory and default index.html file are created. +matrix_nginx_proxy_base_domain_create_directory: true + matrix_nginx_proxy_base_domain_hostname: "{{ matrix_domain }}" # Controls whether `matrix_nginx_proxy_base_domain_homepage_template` would be dumped to an `index.html` file @@ -120,6 +130,7 @@ matrix_nginx_proxy_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}" # Controls whether proxying the matrix domain should be done. matrix_nginx_proxy_proxy_matrix_enabled: false matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}" +matrix_nginx_proxy_proxy_matrix_federation_hostname: "{{ matrix_nginx_proxy_proxy_matrix_hostname }}" # The port name used for federation in the nginx configuration. # This is not necessarily the port that it's actually on, # as port-mapping happens (`-p ..`) for the `matrix-nginx-proxy` container. 
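Review bot: `matrix_nginx_proxy_proxy_matrix_federation_hostname` is added without a comment, unlike its neighbours, and nothing tells an operator what else must change when it differs from `matrix_nginx_proxy_proxy_matrix_hostname`. Suggest `# The hostname the federation vhost answers to. If you override it, a certificate for it must exist (see matrix_ssl_additional_domains_to_obtain_certificates_for).` so the new knob is not set in isolation.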
@@ -175,7 +186,12 @@ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:809 # Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_synapse_metrics: false +matrix_nginx_proxy_synapse_workers_enabled_list: [] matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled: false +# The following value will be written verbatim to the htpasswd file that stores the password for nginx to check against and needs to be encoded appropriately. +# Read the manpage at `man 1 htpasswd` to learn more, then encrypt your password, and paste the encrypted value here. +# e.g. `htpasswd -c mypass.htpasswd prometheus` and enter `mysecurepw` when prompted yields `prometheus:$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/` +# The part after `prometheus:` is needed here. matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: "$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/" matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: "" # The addresses where the Matrix Client API is. @@ -215,7 +231,7 @@ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: | + (['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else []) + - (['/_synapse/metrics'] if matrix_nginx_proxy_proxy_synapse_metrics else []) + (['/_synapse.*/metrics'] if matrix_nginx_proxy_proxy_synapse_metrics else []) }} # Specifies where requests for the root URI (`/`) on the `matrix.` domain should be redirected. 
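Review bot: `/_synapse.*/metrics` is wider than the locations it is meant to forward: `.*` also matches `/`, so any request path starting with `/_synapse` and containing `/metrics` further down (for instance under `/_synapse/client/`) now takes the metrics route. The locations added in matrix-synapse.conf.j2 are all of the form `/_synapse-worker-<type>-<id>/metrics`, so `(['/_synapse/metrics', '/_synapse-worker-[^/]+/metrics'] if matrix_nginx_proxy_proxy_synapse_metrics else [])` covers exactly them. In the new htpasswd comment, the quoted hash is the hash of the example password given in the same sentence; a closing line such as `# Do not reuse the example hash above; generate your own.` prevents it from being pasted into `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key` as-is.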
@@ -284,6 +300,23 @@ matrix_nginx_proxy_proxy_mautrix_wsproxy_additional_server_configuration_blocks: # A list of strings containing additional configuration blocks to add to the base domain server configuration (matrix-base-domain.conf). matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: [] +# To increase request timeout in NGINX using proxy_read_timeout, proxy_connect_timeout, proxy_send_timeout, send_timeout directives +# Nginx Default: proxy_connect_timeout 60s; #Defines a timeout for establishing a connection with a proxied server +# Nginx Default: proxy_send_timeout 60s; #Sets a timeout for transmitting a request to the proxied server. +# Nginx Default: proxy_read_timeout 60s; #Defines a timeout for reading a response from the proxied server. +# Nginx Default: send_timeout 60s; #Sets a timeout for transmitting a response to the client. +# +# For more information visit: +# http://nginx.org/en/docs/http/ngx_http_proxy_module.html +# http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout +# https://www.nginx.com/resources/wiki/start/topics/examples/fullexample2/ +# +# Here we are sticking with nginx default values change this value carefully. +matrix_nginx_proxy_connect_timeout: 60 +matrix_nginx_proxy_send_timeout: 60 +matrix_nginx_proxy_read_timeout: 60 +matrix_nginx_send_timeout: 60 + # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses for all vhosts meant to be accessed by users. # # Learn more about what it is here: 
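Review bot: `matrix_nginx_send_timeout` drops the `matrix_nginx_proxy_` prefix that the other three new variables and every other variable in this file carry, which makes it easy to miss in greps and overrides; a name like `matrix_nginx_proxy_client_send_timeout` keeps the convention, and the old name can remain as an alias if it has already been published. The comment block could also state the unit, since the values are rendered bare into nginx.conf.j2 where nginx reads an unsuffixed number as seconds, e.g. `# Values are in seconds (rendered without a unit suffix).`.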
@@ -411,7 +444,7 @@ matrix_ssl_additional_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. matrix_ssl_lets_encrypt_staging: false -matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.14.0" +matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.20.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index e2a6caf7..2c7a5f29 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -38,6 +38,15 @@ mode: 0400 when: "matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled|bool and matrix_nginx_proxy_proxy_synapse_metrics|bool" +- name: Generate sample prometheus.yml for external scraping + template: + src: "{{ role_path }}/templates/prometheus/external_prometheus.yml.example.j2" + dest: "{{ matrix_base_data_path }}/external_prometheus.yml.example" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + mode: 0644 + when: matrix_nginx_proxy_proxy_synapse_metrics|bool + - name: Ensure Matrix nginx-proxy configured (generic) template: src: "{{ role_path }}/templates/nginx/conf.d/nginx-http.conf.j2" 
@@ -134,7 +143,7 @@ mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: matrix_nginx_proxy_base_domain_serving_enabled|bool + when: matrix_nginx_proxy_base_domain_serving_enabled|bool and matrix_nginx_proxy_base_domain_create_directory|bool - name: Ensure Matrix nginx-proxy homepage for base domain exists copy: @@ -143,7 +152,7 @@ mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: matrix_nginx_proxy_base_domain_serving_enabled|bool and matrix_nginx_proxy_base_domain_homepage_enabled|bool + when: matrix_nginx_proxy_base_domain_serving_enabled|bool and matrix_nginx_proxy_base_domain_homepage_enabled|bool and matrix_nginx_proxy_base_domain_create_directory|bool - name: Ensure Matrix nginx-proxy configuration for base domain exists template: @@ -283,3 +292,9 @@ path: "{{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd" state: absent when: "not matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled|bool or not matrix_nginx_proxy_proxy_synapse_metrics|bool" + +- name: Ensure sample prometheus.yml for external scraping is deleted + file: + path: "{{ matrix_base_data_path }}/external_prometheus.yml.example" + state: absent + when: "not matrix_nginx_proxy_proxy_synapse_metrics|bool" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 index 37863d73..b0294283 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 @@ -1,7 +1,7 @@ #jinja2: lstrip_blocks: "True" {% macro render_vhost_directives() %} - root /nginx-data/matrix-domain; + root {{ matrix_nginx_proxy_data_path_in_container if matrix_nginx_proxy_enabled else matrix_nginx_proxy_data_path }}{{ matrix_nginx_proxy_data_path_extension }}; gzip on; gzip_types text/plain application/json; 
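Review bot: The rendered `root` no longer matches the directory the role serves from: the old value was `/nginx-data/matrix-domain` (hyphen), and the context comment above `matrix_nginx_proxy_base_domain_serving_enabled` still documents `{{ matrix_nginx_proxy_data_path }}/matrix-domain`, but the new default `matrix_nginx_proxy_data_path_extension: "/matrix_domain"` uses an underscore, so the vhost would point at `/nginx-data/matrix_domain` and the base-domain homepage would 404 unless the directory tasks (outside this hunk) were renamed too. Either set the default to `"/matrix-domain"` or, if the rename is intentional, update the directory tasks and the comment in defaults/main.yml in the same commit.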
diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index ee23cdfe..2f4f4aa1 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -12,6 +12,7 @@ add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; add_header X-Frame-Options SAMEORIGIN; + add_header Content-Security-Policy "frame-ancestors 'self'"; {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 index d9a05926..1ea4a344 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 @@ -88,7 +88,7 @@ server { {% if matrix_nginx_proxy_ocsp_stapling_enabled %} ssl_stapling on; ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_hydrogen_hostname }}/chain.pem; {% endif %} {% if matrix_nginx_proxy_ssl_session_tickets_off %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 7b26434d..b6506b43 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 
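Review bot: `add_header Content-Security-Policy "frame-ancestors 'self'";` lacks `always`, so nginx emits it only on 2xx/3xx responses (the `Permissions-Policy` line directly below uses `always`); error pages served by the Element vhost stay frameable, which is the gap clickjacking protections most often leave open. Suggest `add_header Content-Security-Policy "frame-ancestors 'self'" always;`. The pre-existing `X-Frame-Options SAMEORIGIN` has the same limitation and could get `always` in the same edit.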
@@ -20,13 +20,13 @@ {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} - + {% if matrix_nginx_proxy_hsts_preload_enabled %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; {% endif %} - + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; location /.well-known/matrix { @@ -59,7 +59,7 @@ proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; } {% endif %} @@ -77,7 +77,7 @@ proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; } {% endif %} @@ -112,7 +112,7 @@ proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; } {% endif %} @@ -137,7 +137,7 @@ proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; client_body_buffer_size 25M; client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; 
@@ -152,7 +152,7 @@ #} location ~* ^/$ { {% if matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain %} - return 302 $scheme://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri; + return 302 {{ matrix_nginx_proxy_x_forwarded_proto_value }}://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri; {% else %} rewrite ^/$ /_matrix/static/ last; {% endif %} @@ -215,12 +215,12 @@ server { ssl_stapling_verify on; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem; {% endif %} - + {% if matrix_nginx_proxy_ssl_session_tickets_off %} ssl_session_tickets off; {% endif %} ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; {{ render_vhost_directives() }} } @@ -239,7 +239,7 @@ server { listen {{ matrix_nginx_proxy_proxy_matrix_federation_port }}; {% endif %} - server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }}; + server_name {{ matrix_nginx_proxy_proxy_matrix_federation_hostname }}; server_tokens off; root /dev/null; @@ -262,7 +262,7 @@ server { ssl_stapling_verify on; ssl_trusted_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate }}; {% endif %} - + {% if matrix_nginx_proxy_ssl_session_tickets_off %} ssl_session_tickets off; {% endif %} @@ -283,7 +283,7 @@ server { proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; client_body_buffer_size 25M; client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M; 
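Review bot: The federation vhost's `server_name` now follows `matrix_nginx_proxy_proxy_matrix_federation_hostname`, but the certificate directives of that server block are outside this hunk and, as far as the diff shows, nothing else in it was retargeted; if they still derive from `matrix_nginx_proxy_proxy_matrix_hostname`, an operator who sets a distinct federation hostname will have nginx present the matrix-hostname certificate and remote homeservers will fail TLS validation. Either template `ssl_certificate`/`ssl_certificate_key` for this block from the same new variable, or add a comment at the `server_name` line: `{# the certificate below must cover matrix_nginx_proxy_proxy_matrix_federation_hostname #}`.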
diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 0ccda7d3..86d95453 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -71,7 +71,7 @@ proxy_set_header Connection "upgrade"; proxy_set_header Upgrade $http_upgrade; proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; tcp_nodelay on; } {% endmacro %} @@ -128,7 +128,7 @@ server { ssl_stapling_verify on; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/chain.pem; {% endif %} - + {% if matrix_nginx_proxy_ssl_session_tickets_off %} ssl_session_tickets off; {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 index d5760434..9c4af1d9 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 @@ -29,7 +29,7 @@ proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; } {% endmacro %} @@ -85,7 +85,7 @@ server { ssl_stapling_verify on; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/chain.pem; {% endif %} - + {% if matrix_nginx_proxy_ssl_session_tickets_off %} ssl_session_tickets off; {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index db111090..6f569327 100644 
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -153,6 +153,24 @@ server { } {% endif %} + {% if matrix_nginx_proxy_enabled and matrix_nginx_proxy_proxy_synapse_metrics %} + {% for worker in matrix_nginx_proxy_proxy_synapse_workers_enabled_list %} + {% if worker.metrics_port != 0 %} + location /_synapse-worker-{{ worker.type }}-{{ worker.instanceId }}/metrics { + resolver 127.0.0.11 valid=5s; + set $backend "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.metrics_port }}"; + proxy_pass http://$backend/_synapse/metrics; + proxy_set_header Host $host; + + {% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %} + auth_basic "protected"; + auth_basic_user_file /nginx-data/matrix-synapse-metrics-htpasswd; + {% endif %} + } + {% endif %} + {% endfor %} + {% endif %} + {# Everything else just goes to the API server ##} location / { {% if matrix_nginx_proxy_enabled %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 index 9ec7fa56..1084d8ca 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 @@ -42,6 +42,11 @@ http { {% else %} access_log off; {% endif %} + + proxy_connect_timeout {{ matrix_nginx_proxy_connect_timeout }}; + proxy_send_timeout {{ matrix_nginx_proxy_send_timeout }}; + proxy_read_timeout {{ matrix_nginx_proxy_read_timeout }}; + send_timeout {{ matrix_nginx_send_timeout }}; sendfile on; #tcp_nopush on; diff --git a/roles/matrix-nginx-proxy/templates/prometheus/external_prometheus.yml.example.j2 b/roles/matrix-nginx-proxy/templates/prometheus/external_prometheus.yml.example.j2 new file mode 100644 index 00000000..01a39ffa --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/prometheus/external_prometheus.yml.example.j2 
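Review bot: `location /_synapse-worker-{{ worker.type }}-{{ worker.instanceId }}/metrics` is a prefix match, so any longer path beneath it is also proxied (and, because the `proxy_pass` URI contains a variable, every such request is rewritten to `/_synapse/metrics`); `location = /_synapse-worker-{{ worker.type }}-{{ worker.instanceId }}/metrics {` pins the block to the one path the worker serves and matches the exact paths the forwarding regex in defaults/main.yml is meant to cover. The loop also reads `worker.metrics_port` without a default, so a list entry lacking that key aborts the template render rather than being skipped; if entries may omit it, `{% if worker.metrics_port|default(0) != 0 %}` is the safer test.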
@@ -0,0 +1,40 @@ +global: + scrape_interval: 5s + + # Attach these labels to any time series or alerts when communicating with + # external systems (federation, remote storage, Alertmanager). + external_labels: + monitor: 'synapse-{{ matrix_domain }}' + +rule_files: + - /etc/prometheus/synapse-v2.rules + +scrape_configs: + - job_name: 'synapse' + metrics_path: /_synapse/metrics + scheme: {{ 'https' if matrix_nginx_proxy_https_enabled else 'http' }} +{% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %} + basic_auth: + username: prometheus + password_file: /path/to/your/passwordfile.pwd +{% endif %} + static_configs: + - targets: ['{{ matrix_server_fqn_matrix }}:{{ matrix_nginx_proxy_container_https_host_bind_port if matrix_nginx_proxy_https_enabled else matrix_nginx_proxy_container_http_host_bind_port }}'] + labels: + job: "master" + index: 1 +{% for worker in matrix_nginx_proxy_proxy_synapse_workers_enabled_list %} + - job_name: 'synapse-{{ worker.type }}-{{ worker.instanceId }}' + metrics_path: /_synapse-worker-{{ worker.type }}-{{ worker.instanceId }}/metrics + scheme: {{ 'https' if matrix_nginx_proxy_https_enabled else 'http' }} +{% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %} + basic_auth: + username: prometheus + password_file: /path/to/your/passwordfile.pwd +{% endif %} + static_configs: + - targets: ['{{ matrix_server_fqn_matrix }}:{{ matrix_nginx_proxy_container_https_host_bind_port if matrix_nginx_proxy_https_enabled else matrix_nginx_proxy_container_http_host_bind_port }}'] + labels: + job: "{{ worker.type }}" + index: {{ worker.instanceId }} +{% endfor %} diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 72e42021..91a31d99 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml 
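Review bot: The `targets` entries append `matrix_nginx_proxy_container_https_host_bind_port` (or the http one) to `matrix_server_fqn_matrix`, but those variables accept `<ip>:<port>` values (the defaults file's own comment gives `127.0.0.1:80` as an example) and the empty string, so the rendered target can come out as `matrix.example.test:127.0.0.1:443` or `matrix.example.test:` (constructed examples). Since this is an example for an external scraper, it should name the public port — render `443`/`80` directly or strip any bind address first, e.g. `{{ matrix_nginx_proxy_container_https_host_bind_port | regex_replace('^.*:', '') }}`. When `matrix_nginx_proxy_https_enabled` is false the example pairs `basic_auth` with `scheme: http`, so the comment `# credentials travel in clear over http unless TLS is terminated in front of this host` would keep operators from scraping the metrics password across an untrusted network.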
@@ -17,12 +17,13 @@ matrix_postgres_architecture: amd64 # > LOG: startup process (PID 37) was terminated by signal 11: Segmentation fault matrix_postgres_docker_image_suffix: "{{ '-alpine' if matrix_postgres_architecture in ['amd64', 'arm64'] else '' }}" -matrix_postgres_docker_image_v9: "{{ matrix_container_global_registry_prefix }}postgres:9.6.21{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v10: "{{ matrix_container_global_registry_prefix }}postgres:10.16{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v11: "{{ matrix_container_global_registry_prefix }}postgres:11.11{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v12: "{{ matrix_container_global_registry_prefix }}postgres:12.6{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v13: "{{ matrix_container_global_registry_prefix }}postgres:13.2{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v13 }}" +matrix_postgres_docker_image_v9: "{{ matrix_container_global_registry_prefix }}postgres:9.6.23{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v10: "{{ matrix_container_global_registry_prefix }}postgres:10.18{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v11: "{{ matrix_container_global_registry_prefix }}postgres:11.13{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v12: "{{ matrix_container_global_registry_prefix }}postgres:12.8{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v13: "{{ matrix_container_global_registry_prefix }}postgres:13.4{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v14: "{{ matrix_container_global_registry_prefix }}postgres:14.0{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v14 }}" # This variable is assigned at runtime. 
Overriding its value has no effect. matrix_postgres_docker_image_to_use: '{{ matrix_postgres_docker_image_latest }}' @@ -62,7 +63,16 @@ matrix_postgres_additional_databases: [] # We either need to not create them or to ignore the `CREATE ROLE` statements in the dump. matrix_postgres_import_roles_to_ignore: [matrix_postgres_connection_username] -matrix_postgres_import_roles_ignore_regex: "^CREATE ROLE ({{ matrix_postgres_import_roles_to_ignore|join('|') }});" +# When importing an existing Postgres database (when restoring a backup) or when doing a Postgres upgrade (which dumps & restores), we'd like to avoid: +# - creating users (`CREATE ROLE ..`) +# - updating passwords for users (`ALTER ROLE matrix WITH SUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN NOREPLICATION NOBYPASSRLS PASSWORD 'md5...`) +# +# Both of these operations are done by the playbook anyway. +# Updating passwords is especially undesirable, because older versions hash passwords using md5 and export them as md5 hashes in the dump file, +# which is unsupported by default by newer Postgres versions (v14+). +# When users are created and passwords are set by the playbook, they end up hashed as `scram-sha-256` on Postgres v14+. +# If an md5-hashed password is restored on top, Postgres v14+ will refuse to authenticate users with it by default. +matrix_postgres_import_roles_ignore_regex: "^(CREATE|ALTER) ROLE ({{ matrix_postgres_import_roles_to_ignore|join('|') }})(;| WITH)" # A list of databases to avoid creating when importing (or upgrading) the database. # If a dump file contains the databases and they've also been created beforehand (see `matrix_postgres_additional_databases`), diff --git a/roles/matrix-postgres/tasks/util/detect_existing_postgres_version.yml b/roles/matrix-postgres/tasks/util/detect_existing_postgres_version.yml index 9032c15e..a7e94a0c 100644 --- a/roles/matrix-postgres/tasks/util/detect_existing_postgres_version.yml 
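Review bot: The role names from `matrix_postgres_import_roles_to_ignore` are interpolated into the regex unescaped, so a name containing regex metacharacters (`.`, `+`, `$`) either matches more dump lines than intended or breaks the pattern; `{{ matrix_postgres_import_roles_to_ignore|map('regex_escape')|join('|') }}` keeps each name literal. pg_dump also double-quotes role names that need quoting (mixed case, hyphens), which `(;| WITH)` directly after the name does not allow for — worth a sentence in the new comment if such names are out of scope.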
+++ b/roles/matrix-postgres/tasks/util/detect_existing_postgres_version.yml @@ -54,3 +54,8 @@ set_fact: matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v12 }}" when: "matrix_postgres_detected_version == '12' or matrix_postgres_detected_version.startswith('12.')" + +- name: Determine corresponding Docker image to detected version (use 13.x, if detected) + set_fact: + matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v13 }}" + when: "matrix_postgres_detected_version == '13' or matrix_postgres_detected_version.startswith('13.')" diff --git a/roles/matrix-prometheus-node-exporter/defaults/main.yml b/roles/matrix-prometheus-node-exporter/defaults/main.yml index 492d48b1..481864d3 100644 --- a/roles/matrix-prometheus-node-exporter/defaults/main.yml +++ b/roles/matrix-prometheus-node-exporter/defaults/main.yml @@ -3,7 +3,7 @@ matrix_prometheus_node_exporter_enabled: false -matrix_prometheus_node_exporter_version: v1.1.2 +matrix_prometheus_node_exporter_version: v1.2.2 matrix_prometheus_node_exporter_docker_image: "{{ matrix_container_global_registry_prefix }}prom/node-exporter:{{ matrix_prometheus_node_exporter_version }}" matrix_prometheus_node_exporter_docker_image_force_pull: "{{ matrix_prometheus_node_exporter_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-prometheus-postgres-exporter/defaults/main.yml b/roles/matrix-prometheus-postgres-exporter/defaults/main.yml index 8aca4576..0857d3e7 100644 --- a/roles/matrix-prometheus-postgres-exporter/defaults/main.yml +++ b/roles/matrix-prometheus-postgres-exporter/defaults/main.yml 
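Review bot: A mapping for 13.x is added because 13 stops being `latest`, but 14.x — now `matrix_postgres_docker_image_latest` per the defaults hunk above — gets no entry here; unless an earlier task in this file (outside the hunk) covers the version equal to `latest`, a detected 14.x data directory would leave `matrix_postgres_detected_version_corresponding_docker_image` unset. Adding the parallel task now, `when: "matrix_postgres_detected_version == '14' or matrix_postgres_detected_version.startswith('14.')"` mapping to `matrix_postgres_docker_image_v14`, avoids repeating this omission at the next bump.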
@@ -3,7 +3,7 @@ matrix_prometheus_postgres_exporter_enabled: false
-matrix_prometheus_postgres_exporter_version: v0.9.0
+matrix_prometheus_postgres_exporter_version: v0.10.0
 matrix_prometheus_postgres_exporter_port: 9187
 matrix_prometheus_postgres_exporter_docker_image: "quay.io/prometheuscommunity/postgres-exporter:{{ matrix_prometheus_postgres_exporter_version }}"
diff --git a/roles/matrix-prometheus/defaults/main.yml b/roles/matrix-prometheus/defaults/main.yml
index 6c0fef31..dc43eb48 100644
--- a/roles/matrix-prometheus/defaults/main.yml
+++ b/roles/matrix-prometheus/defaults/main.yml
@@ -3,7 +3,7 @@ matrix_prometheus_enabled: false
-matrix_prometheus_version: v2.27.1
+matrix_prometheus_version: v2.29.2
 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}"
 matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}"
@@ -34,6 +34,7 @@ matrix_prometheus_scraper_synapse_rules_synapse_tag: "master"
 matrix_prometheus_scraper_synapse_rules_download_url: "https://raw.githubusercontent.com/matrix-org/synapse/{{ matrix_prometheus_scraper_synapse_rules_synapse_tag }}/contrib/prometheus/synapse-v2.rules"
 matrix_prometheus_scraper_synapse_targets: []
+matrix_prometheus_scraper_synapse_workers_enabled_list: []
 # Tells whether the "node" scraper configuration is enabled.
 # This configuration aims to scrape the current node (this server).
diff --git a/roles/matrix-prometheus/templates/prometheus.yml.j2 b/roles/matrix-prometheus/templates/prometheus.yml.j2
index b3ee3b86..869b2da8 100644
--- a/roles/matrix-prometheus/templates/prometheus.yml.j2
+++ b/roles/matrix-prometheus/templates/prometheus.yml.j2
@@ -31,6 +31,19 @@ scrape_configs: metrics_path: '/_synapse/metrics' static_configs: - targets: {{ matrix_prometheus_scraper_synapse_targets|to_json }} + labels: + instance: {{ matrix_domain }} + job: master + index: 0 + {% for worker in matrix_prometheus_scraper_synapse_workers_enabled_list %} + {% if worker.metrics_port != 0 %} + - targets: ['matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.metrics_port }}'] + labels: + instance: {{ matrix_domain }} + job: {{ worker.type }} + index: {{ worker.instanceId }} + {% endif %} + {% endfor %} {% endif %} {% if matrix_prometheus_scraper_node_enabled %} @@ -43,4 +56,4 @@ scrape_configs: - job_name: postgres static_configs: - targets: {{ matrix_prometheus_scraper_postgres_targets|to_json }} - {% endif %} \ No newline at end of file + {% endif %} diff --git a/roles/matrix-redis/defaults/main.yml b/roles/matrix-redis/defaults/main.yml index e33e7493..409c7926 100644 --- a/roles/matrix-redis/defaults/main.yml +++ b/roles/matrix-redis/defaults/main.yml @@ -5,7 +5,7 @@ matrix_redis_connection_password: "" matrix_redis_base_path: "{{ matrix_base_data_path }}/redis" matrix_redis_data_path: "{{ matrix_redis_base_path }}/data" -matrix_redis_version: 6.0.10-alpine +matrix_redis_version: 6.2.4-alpine matrix_redis_docker_image_v6: "{{ matrix_container_global_registry_prefix }}redis:{{ matrix_redis_version }}" matrix_redis_docker_image_latest: "{{ matrix_redis_docker_image_v6 }}" matrix_redis_docker_image_to_use: '{{ matrix_redis_docker_image_latest }}' diff --git a/roles/matrix-redis/templates/systemd/matrix-redis.service.j2 b/roles/matrix-redis/templates/systemd/matrix-redis.service.j2 index 0752d23b..5f6699f8 100644 --- a/roles/matrix-redis/templates/systemd/matrix-redis.service.j2 +++ b/roles/matrix-redis/templates/systemd/matrix-redis.service.j2 
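Review bot: The new worker targets and labels interpolate `worker.type`, `worker.instanceId` and `matrix_domain` into YAML unquoted, while the `targets:` line directly above uses `|to_json`; a value containing a colon or a leading special character would yield invalid or re-typed YAML, and whether `index:` ends up numeric or string depends on the value. Quoting them the same way as the existing line, `instance: {{ matrix_domain|to_json }}`, `job: {{ worker.type|to_json }}`, `index: {{ worker.instanceId|to_json }}`, keeps the template consistent and the label types predictable. The enclosing `{% if %}` for the synapse scraper begins outside the hunk.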
@@ -19,7 +19,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-redis \
 {% if matrix_redis_container_redis_bind_port %}
 -p {{ matrix_redis_container_redis_bind_port }}:6379 \
 {% endif %}
- -v {{ matrix_redis_base_path }}/redis.conf:/usr/local/etc/redis/redis.conf \
+ --mount type=bind,src={{ matrix_redis_base_path }}/redis.conf,dst=/usr/local/etc/redis/redis.conf,ro \
+ --mount type=bind,src={{ matrix_redis_data_path }},dst=/data \
 {% for arg in matrix_redis_container_extra_arguments %}
 {{ arg }} \
 {% endfor %}
diff --git a/roles/matrix-registration/tasks/init.yml b/roles/matrix-registration/tasks/init.yml
index b58ba659..5ab93910 100644
--- a/roles/matrix-registration/tasks/init.yml
+++ b/roles/matrix-registration/tasks/init.yml
@@ -3,7 +3,7 @@
 - name: Fail if trying to self-build on Ansible < 2.8
 fail:
 msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
- when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_registration_container_image_self_build"
+ when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_registration_container_image_self_build and matrix_registration_enabled"
 - set_fact:
 matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-registration.service'] }}"
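Review bot: Switching from `-v` to `--mount type=bind` changes failure behaviour: Docker creates a missing `-v` host path on its own, but `--mount type=bind` refuses to start when the source does not exist, so `{{ matrix_redis_data_path }}` must be created (with ownership matching the container user) by a task that runs before this service starts; that task is not in this hunk and is worth confirming. Mounting `redis.conf` with `ro` is a sensible hardening step and the data mount correctly stays writable. The `ExecStart` line continues outside the hunk.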
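Review bot: The `fail` message next to the changed `when:` still reads "To self-build the Element image" although this task guards `matrix_registration_container_image_self_build`; the same copy-pasted text appears in the matrix-synapse-admin and matrix-synapse init hunks further down. Since the condition is being touched anyway, `msg: "To self-build the matrix-registration image, you should use Ansible 2.8 or higher. See docs/ansible.md"` would make the error name the right component. The newly added `matrix_registration_enabled` is also used without `|bool`, unlike the `_enabled|bool` checks elsewhere in this diff; if the value can arrive from inventory as a string, the filter keeps the check strict.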
@@ -22,8 +22,8 @@
 - name: Generate matrix-registration proxying configuration for matrix-nginx-proxy
 set_fact:
 matrix_registration_matrix_nginx_proxy_configuration: |
- rewrite ^{{ matrix_registration_public_endpoint }}$ $scheme://$server_name{{ matrix_registration_public_endpoint }}/ permanent;
- rewrite ^{{ matrix_registration_public_endpoint }}/$ $scheme://$server_name{{ matrix_registration_public_endpoint }}/register redirect;
+ rewrite ^{{ matrix_registration_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_registration_public_endpoint }}/ permanent;
+ rewrite ^{{ matrix_registration_public_endpoint }}/$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_registration_public_endpoint }}/register redirect;
 location ~ ^{{ matrix_registration_public_endpoint }}/(.*) {
 {% if matrix_nginx_proxy_enabled|default(False) %}
diff --git a/roles/matrix-sygnal/defaults/main.yml b/roles/matrix-sygnal/defaults/main.yml
index 476ac2ad..70d530f8 100644
--- a/roles/matrix-sygnal/defaults/main.yml
+++ b/roles/matrix-sygnal/defaults/main.yml
@@ -7,7 +7,7 @@ matrix_sygnal_base_path: "{{ matrix_base_data_path }}/sygnal"
 matrix_sygnal_config_path: "{{ matrix_sygnal_base_path }}/config"
 matrix_sygnal_data_path: "{{ matrix_sygnal_base_path }}/data"
-matrix_sygnal_version: v0.9.0
+matrix_sygnal_version: v0.10.1
 matrix_sygnal_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/sygnal:{{ matrix_sygnal_version }}"
 matrix_sygnal_docker_image_force_pull: "{{ matrix_sygnal_docker_image.endswith(':latest') }}"
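Review bot: The rewrites now put `{{ matrix_nginx_proxy_x_forwarded_proto_value }}://` into the redirect `Location`, which is correct when the value is `$scheme` or a fixed `https`, but if an operator sets it to a header-derived nginx variable the redirect scheme becomes whatever the front proxy forwarded, and a missing or unsanitised header would downgrade users to plain http. A comment at that variable's definition (outside this hunk) stating it must be a fixed scheme or `$scheme`, e.g. `# Must be a literal scheme (https) or nginx's $scheme; never a client-supplied header variable.`, would make the contract explicit; the same applies to the matrix-synapse-admin rewrite hunk below. The `matrix_registration_matrix_nginx_proxy_configuration` block continues outside the hunk.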
@@ -25,26 +25,6 @@ matrix_sygnal_container_http_host_bind_port: ''
 # A list of extra arguments to pass to the container
 matrix_sygnal_container_extra_arguments: []
-# Database-related configuration fields.
-#
-# To use SQLite, stick to these defaults.
-#
-# To use Postgres:
-# - change the engine (`matrix_sygnal_database_engine: 'postgres'`)
-# - adjust your database credentials via the `matrix_sygnal_postgres_*` variables
-matrix_sygnal_database_engine: 'sqlite'
-
-matrix_sygnal_sqlite_database_path_local: "{{ matrix_sygnal_data_path }}/sygnal.db"
-matrix_sygnal_sqlite_database_path_in_container: "/data/sygnal.db"
-
-matrix_sygnal_database_username: 'matrix_sygnal'
-matrix_sygnal_database_password: 'some-password'
-matrix_sygnal_database_hostname: 'matrix-postgres'
-matrix_sygnal_database_port: 5432
-matrix_sygnal_database_name: 'matrix_sygnal'
-
-matrix_sygnal_database_connection_string: 'postgres://{{ matrix_sygnal_database_username }}:{{ matrix_sygnal_database_password }}@{{ matrix_sygnal_database_hostname }}:{{ matrix_sygnal_database_port }}/{{ matrix_sygnal_database_name }}'
-
 # A map (dictionary) of apps instances that this server works with.
 #
 # Example configuration:
diff --git a/roles/matrix-sygnal/tasks/setup_install.yml b/roles/matrix-sygnal/tasks/setup_install.yml
index afac61c4..b85b6bff 100644
--- a/roles/matrix-sygnal/tasks/setup_install.yml
+++ b/roles/matrix-sygnal/tasks/setup_install.yml
@@ -1,32 +1,5 @@ --- -- set_fact: - matrix_sygnal_requires_restart: false - -- block: - - name: Check if an SQLite database already exists - stat: - path: "{{ matrix_sygnal_sqlite_database_path_local }}" - register: matrix_sygnal_sqlite_database_path_local_stat_result - - - block: - - set_fact: - matrix_postgres_db_migration_request: - src: "{{ matrix_sygnal_sqlite_database_path_local }}" - dst: "{{ matrix_sygnal_database_connection_string }}" - caller: "{{ role_path|basename }}" - engine_variable_name: 'matrix_sygnal_database_engine' - engine_old: 'sqlite' - systemd_services_to_stop: ['matrix-sygnal.service'] - pgloader_options: ['--with "quote identifiers"'] - - - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" - - - set_fact: - matrix_sygnal_requires_restart: true - when: "matrix_sygnal_sqlite_database_path_local_stat_result.stat.exists|bool" - when: "matrix_sygnal_database_engine == 'postgres'" - - name: Ensure Sygnal image is pulled docker_image: name: "{{ matrix_sygnal_docker_image }}" @@ -65,9 +38,3 @@ service: daemon_reload: yes when: "matrix_sygnal_systemd_service_result.changed|bool" - -- name: Ensure matrix-sygnal.service restarted, if necessary - service: - name: "matrix-sygnal.service" - state: restarted - when: "matrix_sygnal_requires_restart|bool" diff --git a/roles/matrix-sygnal/tasks/validate_config.yml b/roles/matrix-sygnal/tasks/validate_config.yml index efd64104..1cf8357e 100644 --- a/roles/matrix-sygnal/tasks/validate_config.yml +++ b/roles/matrix-sygnal/tasks/validate_config.yml 
@@ -3,11 +3,3 @@
 msg: >-
 Enabling Sygnal requires that you specify at least one app in `matrix_sygnal_apps`
 when: "matrix_sygnal_enabled and matrix_sygnal_apps|length == 0"
-
-- name: Fail if running on a non-supported architecture
- fail:
- msg: >-
- Sygnal can only be used on the amd64 architecture for now.
- Only amd64 container images are pushed for the `docker.io/matrixdotorg/sygnal` container image.
- Either use a different image (by redefining `matrix_sygnal_docker_image`) or consider contributing self-building support to this role.
- when: "matrix_sygnal_enabled and matrix_architecture != 'amd64' and matrix_sygnal_docker_image.startswith('docker.io/matrixdotorg/sygnal')"
diff --git a/roles/matrix-sygnal/templates/sygnal.yaml.j2 b/roles/matrix-sygnal/templates/sygnal.yaml.j2
index bb8c521d..bb81ea9a 100644
--- a/roles/matrix-sygnal/templates/sygnal.yaml.j2
+++ b/roles/matrix-sygnal/templates/sygnal.yaml.j2
@@ -3,57 +3,6 @@ # See: matrix.org ## -# The 'database' setting defines the database that sygnal uses to store all of -# its data. -# -# 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or -# 'psycopg2' (for PostgreSQL). -# -# 'args' gives options which are passed through to the database engine, -# except for options starting 'cp_', which are used to configure the Twisted -# connection pool. For a reference to valid arguments, see: -# * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect -# * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS -# * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__ -# -# -# Example SQLite configuration: -# -#database: -# name: sqlite3 -# args: -# dbfile: /path/to/database.db -# -# -# Example Postgres configuration: -# -#database: -# name: psycopg2 -# args: -# host: localhost -# database: sygnal -# user: sygnal -# password: pass -# cp_min: 1 -# cp_max: 5 -# -{% if matrix_sygnal_database_engine == 'sqlite' %} -database: - name: sqlite3 - args: - dbfile: {{ matrix_sygnal_sqlite_database_path_in_container|to_json }} -{% else %} -database: - name: psycopg2 - args: - host: {{ matrix_sygnal_database_hostname|to_json }} - database: {{ matrix_sygnal_database_name|to_json }} - user: {{ matrix_sygnal_database_username|to_json }} - password: {{ matrix_sygnal_database_password|to_json }} - cp_min: 1 - cp_max: 5 -{% endif %} - ## Logging # # log: diff --git a/roles/matrix-synapse-admin/tasks/init.yml b/roles/matrix-synapse-admin/tasks/init.yml index 7898dec9..e1912871 100644 --- a/roles/matrix-synapse-admin/tasks/init.yml +++ b/roles/matrix-synapse-admin/tasks/init.yml 
@@ -3,7 +3,7 @@
 - name: Fail if trying to self-build on Ansible < 2.8
 fail:
 msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
- when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_admin_container_self_build"
+ when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_admin_container_self_build and matrix_synapse_admin_enabled"
 - set_fact:
 matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse-admin.service'] }}"
@@ -22,7 +22,7 @@
 - name: Generate Synapse Admin proxying configuration for matrix-nginx-proxy
 set_fact:
 matrix_synapse_admin_matrix_nginx_proxy_configuration: |
- rewrite ^{{ matrix_synapse_admin_public_endpoint }}$ $scheme://$server_name{{ matrix_synapse_admin_public_endpoint }}/ permanent;
+ rewrite ^{{ matrix_synapse_admin_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_synapse_admin_public_endpoint }}/ permanent;
 location ~ ^{{ matrix_synapse_admin_public_endpoint }}/(.*) {
 {% if matrix_nginx_proxy_enabled|default(False) %}
diff --git a/roles/matrix-synapse-admin/tasks/setup.yml b/roles/matrix-synapse-admin/tasks/setup.yml
index 002ff68d..6fb47fb3 100644
--- a/roles/matrix-synapse-admin/tasks/setup.yml
+++ b/roles/matrix-synapse-admin/tasks/setup.yml
@@ -16,6 +16,7 @@
 git:
 repo: "{{ matrix_synapse_admin_container_self_build_repo }}"
 dest: "{{ matrix_synapse_admin_docker_src_files_path }}"
+ version: "{{ matrix_synapse_admin_docker_image.split(':')[1] }}"
 force: "yes"
 register: matrix_synapse_admin_git_pull_results
 when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_container_self_build|bool"
diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml
index 5cfa5c5f..d0df4f8d 100644
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
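Review bot: `version: "{{ matrix_synapse_admin_docker_image.split(':')[1] }}"` in the git checkout assumes the image reference contains exactly one colon; with a registry prefix that carries a port (`matrix_container_global_registry_prefix` appears to allow arbitrary prefixes elsewhere in this diff) it would select the port segment, and with no tag at all it raises an index error while templating. `version: "{{ matrix_synapse_admin_docker_image.rsplit(':', 1)[-1] }}"` survives the port case, but a dedicated version variable consumed by both the image tag and this checkout would be the cleaner contract. Pinning the self-build to the released tag rather than the default branch is otherwise the right move for supply-chain reproducibility; the task's header lines lie outside the hunk.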
@@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
 # amd64 gets released first.
 # arm32 relies on self-building, so the same version can be built immediately.
 # arm64 users need to wait for a prebuilt image to become available.
-matrix_synapse_version: v1.35.0
-matrix_synapse_version_arm64: v1.35.0
+matrix_synapse_version: v1.45.1
+matrix_synapse_version_arm64: v1.45.1
 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
@@ -453,6 +453,7 @@ matrix_synapse_replication_http_port: 9093
 matrix_synapse_sentry_dsn: ""
 # Postgres database information
+matrix_synapse_database_txn_limit: 0
 matrix_synapse_database_host: "matrix-postgres"
 matrix_synapse_database_port: 5432
 matrix_synapse_database_user: "synapse"
@@ -469,6 +470,7 @@ matrix_synapse_email_smtp_port: 587
 matrix_synapse_email_smtp_require_transport_security: false
 matrix_synapse_email_notif_from: "Matrix "
 matrix_synapse_email_client_base_url: "https://{{ matrix_server_fqn_element }}"
+matrix_synapse_email_invite_client_location: "https://app.element.io"
 # Enable this to activate the REST auth password provider module.
diff --git a/roles/matrix-synapse/tasks/init.yml b/roles/matrix-synapse/tasks/init.yml
index 16790664..bc23fc86 100644
--- a/roles/matrix-synapse/tasks/init.yml
+++ b/roles/matrix-synapse/tasks/init.yml
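Review bot: `matrix_synapse_email_invite_client_location` defaults to the third-party `https://app.element.io`, while the neighbouring `matrix_synapse_email_client_base_url` points at the playbook's own Element host; unless steering invited users to the hosted client is intended, `matrix_synapse_email_invite_client_location: "{{ matrix_synapse_email_client_base_url }}"` keeps both in step and avoids handing invite traffic to an external site by default. The new `matrix_synapse_database_txn_limit: 0` also arrives without the explanation the homeserver template gives it; a one-line `# Maximum transactions per database connection before reconnecting. 0 means no limit.` above it would help.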
@@ -3,7 +3,7 @@
 - name: Fail if trying to self-build on Ansible < 2.8
 fail:
 msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
- when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_container_image_self_build"
+ when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_container_image_self_build and matrix_synapse_enabled"
 # Unless `matrix_synapse_workers_enabled_list` is explicitly defined,
 # we'll generate it dynamically.
diff --git a/roles/matrix-synapse/tasks/main.yml b/roles/matrix-synapse/tasks/main.yml
index e366a13f..8bf1c563 100644
--- a/roles/matrix-synapse/tasks/main.yml
+++ b/roles/matrix-synapse/tasks/main.yml
@@ -3,7 +3,7 @@
 - always
 - import_tasks: "{{ role_path }}/tasks/validate_config.yml"
- when: run_setup|bool
+ when: run_setup|bool and matrix_synapse_enabled|bool
 tags:
 - setup-all
 - setup-synapse
diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
index 734a7e90..9e558632 100644
--- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
@@ -7,6 +7,22 @@
 #
 # [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
+
+## Modules ##
+
+# Server admins can expand Synapse's functionality with external modules.
+#
+# See https://matrix-org.github.io/synapse/develop/modules.html for more
+# documentation on how to configure or create custom modules for Synapse.
+#
+modules:
+ # - module: my_super_module.MySuperClass
+ # config:
+ # do_thing: true
+ # - module: my_other_super_module.SomeClass
+ # config: {}
+
+
 ## Server ##
 # The public-facing domain of the server
@@ -67,20 +83,6 @@ presence: # enabled: {{ matrix_synapse_presence_enabled|to_json }} - # Presence routers are third-party modules that can specify additional logic - # to where presence updates from users are routed. - # - presence_router: - # The custom module's class. Uncomment to use a custom presence router module. - # - #module: "my_custom_router.PresenceRouter" - - # Configuration options of the custom module. Refer to your module's - # documentation for available options. - # - #config: - # example_option: 'something' - # Whether to require authentication to retrieve profile data (avatars, # display names) of other users through the client API. Defaults to # 'false'. Note that profile data is also available via the federation @@ -169,6 +171,8 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }} # # This option replaces federation_ip_range_blacklist in Synapse v1.25.0. # +# Note: The value is ignored when an HTTP proxy is in use +# #ip_range_blacklist: # - '127.0.0.0/8' # - '10.0.0.0/8' @@ -353,6 +357,24 @@ update_user_directory: false daemonize: false {% endif %} +# Connection settings for the manhole +# +manhole_settings: + # The username for the manhole. This defaults to 'matrix'. + # + #username: manhole + + # The password for the manhole. This defaults to 'rabbithole'. + # + #password: mypassword + + # The private and public SSH key pair used to encrypt the manhole traffic. + # If these are left unset, then hardcoded and non-secret keys are used, + # which could allow traffic to be intercepted if sent over a public network. + # + #ssh_priv_key_path: /data/id_rsa + #ssh_pub_key_path: /data/id_rsa.pub + # Forward extremities can build up in a room due to networking delays between # homeservers. Once this happens in a large room, calculation of the state of # that room can become quite expensive. To mitigate this, once the number of 
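Review bot: The new `manhole_settings:` block copies the upstream defaults as comments only, so if a manhole listener is ever configured it runs with the documented non-secret username/password and the hard-coded SSH key pair the comment itself warns about, and the playbook offers no variable to override them. Either stating in the template, e.g. `# The playbook does not manage manhole credentials or keys; do not enable a manhole listener without setting all four values above.`, or wiring playbook variables (something like `matrix_synapse_manhole_*`, name to be chosen) before anyone adds the listener would close that gap. Whether a manhole listener exists in the `listeners:` section is outside this hunk.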
@@ -567,6 +589,19 @@ retention: # #next_link_domain_whitelist: ["matrix.org"] +# Templates to use when generating email or HTML page contents. +# +templates: + # Directory in which Synapse will try to find template files to use to generate + # email or HTML page contents. + # If not set, or a file is not found within the template directory, a default + # template from within the Synapse package will be used. + # + # See https://matrix-org.github.io/synapse/latest/templates.html for more + # information about using custom templates. + # + #custom_template_directory: /path/to/custom/templates/ + ## TLS ## @@ -574,13 +609,9 @@ retention: # This certificate, as of Synapse 1.0, will need to be a valid and verifiable # certificate, signed by a recognised Certificate Authority. # -# See 'ACME support' below to enable auto-provisioning this certificate via -# Let's Encrypt. -# -# If supplying your own, be sure to use a `.pem` file that includes the -# full certificate chain including any intermediate certificates (for -# instance, if using certbot, use `fullchain.pem` as your certificate, -# not `cert.pem`). +# Be sure to use a `.pem` file that includes the full certificate chain including +# any intermediate certificates (for instance, if using certbot, use +# `fullchain.pem` as your certificate, not `cert.pem`). # tls_certificate_path: {{ matrix_synapse_tls_certificate_path|to_json }} 
@@ -631,80 +662,6 @@ tls_private_key_path: {{ matrix_synapse_tls_private_key_path|to_json }} # - myCA2.pem # - myCA3.pem -# ACME support: This will configure Synapse to request a valid TLS certificate -# for your configured `server_name` via Let's Encrypt. -# -# Note that ACME v1 is now deprecated, and Synapse currently doesn't support -# ACME v2. This means that this feature currently won't work with installs set -# up after November 2019. For more info, and alternative solutions, see -# https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1 -# -# Note that provisioning a certificate in this way requires port 80 to be -# routed to Synapse so that it can complete the http-01 ACME challenge. -# By default, if you enable ACME support, Synapse will attempt to listen on -# port 80 for incoming http-01 challenges - however, this will likely fail -# with 'Permission denied' or a similar error. -# -# There are a couple of potential solutions to this: -# -# * If you already have an Apache, Nginx, or similar listening on port 80, -# you can configure Synapse to use an alternate port, and have your web -# server forward the requests. For example, assuming you set 'port: 8009' -# below, on Apache, you would write: -# -# ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge -# -# * Alternatively, you can use something like `authbind` to give Synapse -# permission to listen on port 80. -# -acme: - # ACME support is disabled by default. Uncomment the following line - # (and tls_certificate_path and tls_private_key_path above) to enable it. - # - #enabled: true - - # Endpoint to use to request certificates. If you only want to test, - # use Let's Encrypt's staging url: - # https://acme-staging.api.letsencrypt.org/directory - # - #url: https://acme-v01.api.letsencrypt.org/directory - - # Port number to listen on for the HTTP-01 challenge. Change this if - # you are forwarding connections through Apache/Nginx/etc. 
- # - #port: 80 - - # Local addresses to listen on for incoming connections. - # Again, you may want to change this if you are forwarding connections - # through Apache/Nginx/etc. - # - #bind_addresses: ['::', '0.0.0.0'] - - # How many days remaining on a certificate before it is renewed. - # - #reprovision_threshold: 30 - - # The domain that the certificate should be for. Normally this - # should be the same as your Matrix domain (i.e., 'server_name'), but, - # by putting a file at 'https:///.well-known/matrix/server', - # you can delegate incoming traffic to another server. If you do that, - # you should give the target of the delegation here. - # - # For example: if your 'server_name' is 'example.com', but - # 'https://example.com/.well-known/matrix/server' delegates to - # 'matrix.example.com', you should put 'matrix.example.com' here. - # - # If not set, defaults to your 'server_name'. - # - #domain: matrix.example.com - - # file to use for the account key. This will be generated if it doesn't - # exist. - # - # If unspecified, we will use CONFDIR/client.key. - # - #account_key_file: /data/acme_account.key - ## Federation ## 
@@ -791,12 +748,70 @@ caches: per_cache_factors: #get_users_who_share_room_with_user: 2.0 + # Controls how long an entry can be in a cache without having been + # accessed before being evicted. Defaults to None, which means + # entries are never evicted based on time. + # + #expiry_time: 30m + + # Controls how long the results of a /sync request are cached for after + # a successful response is returned. A higher duration can help clients with + # intermittent connections, at the cost of higher memory usage. + # + # By default, this is zero, which means that sync responses are not cached + # at all. + # + #sync_response_cache_duration: 2m + ## Database ## +# The 'database' setting defines the database that synapse uses to store all of +# its data. +# +# 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or +# 'psycopg2' (for PostgreSQL). +# +# 'txn_limit' gives the maximum number of transactions to run per connection +# before reconnecting. Defaults to 0, which means no limit. +# +# 'args' gives options which are passed through to the database engine, +# except for options starting 'cp_', which are used to configure the Twisted +# connection pool. 
For a reference to valid arguments, see: +# * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect +# * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS +# * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__ +# +# +# Example SQLite configuration: +# +#database: +# name: sqlite3 +# args: +# database: /path/to/homeserver.db +# +# +# Example Postgres configuration: +# +#database: +# name: psycopg2 +# txn_limit: 10000 +# args: +# user: synapse_user +# password: secretpassword +# database: synapse +# host: localhost +# port: 5432 +# cp_min: 5 +# cp_max: 10 +# +# For more information on using Synapse with Postgres, +# see https://matrix-org.github.io/synapse/latest/postgres.html. +# database: # The database engine name name: "psycopg2" + txn_limit: {{ matrix_synapse_database_txn_limit }} args: user: {{ matrix_synapse_database_user|string|to_json }} password: {{ matrix_synapse_database_password|string|to_json }} @@ -828,6 +843,8 @@ log_config: "/data/{{ matrix_server_fqn_matrix }}.log.config" # is using # - one for registration that ratelimits registration requests based on the # client's IP address. +# - one for checking the validity of registration tokens that ratelimits +# requests based on the client's IP address. # - one for login that ratelimits login requests based on the client's IP # address. # - one for login that ratelimits login requests based on the account the @@ -858,6 +875,10 @@ rc_message: {{ matrix_synapse_rc_message|to_json }} # burst_count: 3 rc_registration: {{ matrix_synapse_rc_registration|to_json }} # +#rc_registration_token_validity: +# per_second: 0.1 +# burst_count: 5 +# #rc_login: # address: # per_second: 0.17 
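Review bot: `txn_limit: {{ matrix_synapse_database_txn_limit }}` is rendered bare, whereas the `args` values directly below pass through `|string|to_json`; an empty or non-numeric value from inventory would render as an empty YAML scalar and be read as null, failing in Synapse rather than at template time. `txn_limit: {{ matrix_synapse_database_txn_limit|int|to_json }}` pins the type and matches the style of the surrounding lines. This hunk begins on the previous line.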
@@ -957,6 +978,10 @@ media_store_path: "/matrix-media-store-parent/{{ matrix_synapse_media_store_dire # The largest allowed upload size in bytes # +# If you are using a reverse proxy you may also need to set this value in +# your reverse proxy's config. Notably Nginx has a small max body size by default. +# See https://matrix-org.github.io/synapse/develop/reverse_proxy.html. +# max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M" # Maximum number of pixels that will be thumbnailed @@ -1011,6 +1036,8 @@ url_preview_enabled: {{ matrix_synapse_url_preview_enabled|to_json }} # This must be specified if url_preview_enabled is set. It is recommended that # you uncomment the following list as a starting point. # +# Note: The value is ignored when an HTTP proxy is in use +# url_preview_ip_range_blacklist: - '127.0.0.0/8' - '10.0.0.0/8' @@ -1211,6 +1238,15 @@ allowed_local_3pids: {{ matrix_synapse_allowed_local_3pids|to_json }} # #enable_3pid_lookup: true +# Require users to submit a token during registration. +# Tokens can be managed using the admin API: +# https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/registration_tokens.html +# Note that `enable_registration` must be set to `true`. +# Disabling this option will not delete any tokens previously generated. +# Defaults to false. Uncomment the following to require tokens: +# +#registration_requires_token: true + # If set, allows registration of standard or admin accounts by anyone who # has the shared secret, even if registration is otherwise disabled. # 
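Review bot: `#registration_requires_token: true` is added only as a commented upstream default, so operators who keep registration open have no supported way to enable token-gated registration short of editing the template; exposing it, for example `registration_requires_token: {{ matrix_synapse_registration_requires_token|to_json }}` backed by a default of `false` (variable name to be chosen), would make this anti-abuse control reachable from vars.yml. The same applies to the `rc_registration_token_validity` stanza in the earlier hunk of this file, which is likewise left commented.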
@@ -1372,91 +1408,6 @@ autocreate_auto_join_rooms: {{ matrix_synapse_autocreate_auto_join_rooms|to_json #auto_join_rooms_for_guests: false -## Account Validity ## - -# Optional account validity configuration. This allows for accounts to be denied -# any request after a given period. -# -# Once this feature is enabled, Synapse will look for registered users without an -# expiration date at startup and will add one to every account it found using the -# current settings at that time. -# This means that, if a validity period is set, and Synapse is restarted (it will -# then derive an expiration date from the current validity period), and some time -# after that the validity period changes and Synapse is restarted, the users' -# expiration dates won't be updated unless their account is manually renewed. This -# date will be randomly selected within a range [now + period - d ; now + period], -# where d is equal to 10% of the validity period. -# -account_validity: - # The account validity feature is disabled by default. Uncomment the - # following line to enable it. - # - #enabled: true - - # The period after which an account is valid after its registration. When - # renewing the account, its validity period will be extended by this amount - # of time. This parameter is required when using the account validity - # feature. - # - #period: 6w - - # The amount of time before an account's expiry date at which Synapse will - # send an email to the account's email address with a renewal link. By - # default, no such emails are sent. - # - # If you enable this setting, you will also need to fill out the 'email' and - # 'public_baseurl' configuration sections. - # - #renew_at: 1w - - # The subject of the email sent out with the renewal link. '%(app)s' can be - # used as a placeholder for the 'app_name' parameter from the 'email' - # section. - # - # Note that the placeholder must be written '%(app)s', including the - # trailing 's'. 
- # - # If this is not set, a default value is used. - # - #renew_email_subject: "Renew your %(app)s account" - - # Directory in which Synapse will try to find templates for the HTML files to - # serve to the user when trying to renew an account. If not set, default - # templates from within the Synapse package will be used. - # - # The currently available templates are: - # - # * account_renewed.html: Displayed to the user after they have successfully - # renewed their account. - # - # * account_previously_renewed.html: Displayed to the user if they attempt to - # renew their account with a token that is valid, but that has already - # been used. In this case the account is not renewed again. - # - # * invalid_token.html: Displayed to the user when they try to renew an account - # with an unknown or invalid renewal token. - # - # See https://github.com/matrix-org/synapse/tree/master/synapse/res/templates for - # default template contents. - # - # The file name of some of these templates can be configured below for legacy - # reasons. - # - #template_dir: "res/templates" - - # A custom file name for the 'account_renewed.html' template. - # - # If not set, the file is assumed to be named "account_renewed.html". - # - #account_renewed_html_path: "account_renewed.html" - - # A custom file name for the 'invalid_token.html' template. - # - # If not set, the file is assumed to be named "invalid_token.html". - # - #invalid_token_html_path: "invalid_token.html" - - ## Metrics ### # Enable collection and rendering of performance metrics 
@@ -2024,6 +1975,9 @@ cas_config: # Additional settings to use with single-sign on systems such as OpenID Connect, # SAML2 and CAS. # +# Server admins can configure custom templates for pages related to SSO. See +# https://matrix-org.github.io/synapse/latest/templates.html for more information. +# sso: # A list of client URLs which are whitelisted so that the user does not # have to confirm giving access to their account to the URL. Any client @@ -2045,6 +1999,17 @@ sso: # - https://riot.im/develop # - https://my.custom.client/ + # Uncomment to keep a user's profile fields in sync with information from + # the identity provider. Currently only syncing the displayname is + # supported. Fields are checked on every SSO login, and are updated + # if necessary. + # + # Note that enabling this option will override user profile information, + # regardless of whether users have opted-out of syncing that + # information when first signing in. Defaults to false. + # + #update_profile_information: true + # Directory in which Synapse will try to find the template files below. # If not set, or the files named below are not found within the template # directory, default templates from within the Synapse package will be used. @@ -2311,7 +2276,7 @@ password_config: # #require_lowercase: true - # Whether a password must contain at least one lowercase letter. + # Whether a password must contain at least one uppercase letter. # Defaults to 'false'. # #require_uppercase: true @@ -2326,6 +2291,10 @@ ui_auth: # the user-interactive authentication process, by allowing for multiple # (and potentially different) operations to use the same validation session. # + # This is ignored for potentially "dangerous" operations (including + # deactivating an account, modifying an account password, and + # adding a 3PID). + # # Uncomment below to allow for credential validation to last for 15 # seconds. # 
@@ -2335,6 +2304,9 @@ ui_auth:
{% if matrix_synapse_email_enabled %}
# Configuration for sending emails from Synapse.
#
+# Server admins can configure custom templates for email content. See
+# https://matrix-org.github.io/synapse/latest/templates.html for more information.
+#
email:
# The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.
#
@@ -2360,10 +2332,13 @@ email:
#require_transport_security: true
require_transport_security: {{ matrix_synapse_email_smtp_require_transport_security|to_json }}
- # Enable sending emails for messages that the user has missed
+ # Uncomment the following to disable TLS for SMTP.
#
- #enable_notifs: false
- enable_notifs: true
+ # By default, if the server supports TLS, it will be used, and the server
+ # must present a certificate that is valid for 'smtp_host'. If this option
+ # is set to false, TLS will not be used.
+ #
+ #enable_tls: false
# notif_from defines the "From" address to use when sending emails.
# It must be set if email sending is enabled.
@@ -2384,6 +2359,11 @@ email:
#app_name: my_branded_matrix_server
app_name: Matrix
+ # Enable sending emails for messages that the user has missed
+ #
+ #enable_notifs: false
+ enable_notifs: true
+
# Uncomment the following to disable automatic subscription to email
# notifications for new users. Enabled by default.
#
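Review bot: The new `#enable_tls: false` hint is placed directly under `require_transport_security: {{ matrix_synapse_email_smtp_require_transport_security|to_json }}`, but nothing tells an operator that the two settings are coupled: as far as I recall Synapse rejects a config with `require_transport_security` true and `enable_tls` false, and with TLS off the SMTP login and every notification body cross the network in cleartext. A pointer in the comment would prevent both a confusing failed start and an accidental downgrade, e.g. `# Only uncomment this if matrix_synapse_email_smtp_require_transport_security is also false; without TLS the SMTP login and mail content are sent unencrypted.` The `enable_notifs` lines dropped in this hunk reappear unchanged in the next one, so that part is only a move.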
@@ -2404,48 +2384,11 @@ email:
#
#validation_token_lifetime: 15m
- # Directory in which Synapse will try to find the template files below.
- # If not set, or the files named below are not found within the template
- # directory, default templates from within the Synapse package will be used.
+ # The web client location to direct users to during an invite. This is passed
+ # to the identity server as the org.matrix.web_client_location key. Defaults
+ # to unset, giving no guidance to the identity server.
#
- # Synapse will look for the following templates in this directory:
- #
- # * The contents of email notifications of missed events: 'notif_mail.html' and
- # 'notif_mail.txt'.
- #
- # * The contents of account expiry notice emails: 'notice_expiry.html' and
- # 'notice_expiry.txt'.
- #
- # * The contents of password reset emails sent by the homeserver:
- # 'password_reset.html' and 'password_reset.txt'
- #
- # * An HTML page that a user will see when they follow the link in the password
- # reset email.
The user will be asked to confirm the action before their
- # password is reset: 'password_reset_confirmation.html'
- #
- # * HTML pages for success and failure that a user will see when they confirm
- # the password reset flow using the page above: 'password_reset_success.html'
- # and 'password_reset_failure.html'
- #
- # * The contents of address verification emails sent during registration:
- # 'registration.html' and 'registration.txt'
- #
- # * HTML pages for success and failure that a user will see when they follow
- # the link in an address verification email sent during registration:
- # 'registration_success.html' and 'registration_failure.html'
- #
- # * The contents of address verification emails sent when an address is added
- # to a Matrix account: 'add_threepid.html' and 'add_threepid.txt'
- #
- # * HTML pages for success and failure that a user will see when they follow
- # the link in an address verification email sent when an address is added
- # to a Matrix account: 'add_threepid_success.html' and
- # 'add_threepid_failure.html'
- #
- # You can see the default templates at:
- # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
- #
- #template_dir: "res/templates"
+ invite_client_location: {{ matrix_synapse_email_invite_client_location|string|to_json }}
# Subjects to use when sending emails from Synapse.
#
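Review bot: `invite_client_location` is rendered unconditionally, so the key is emitted even when `matrix_synapse_email_invite_client_location` is empty, and the `|string` filter would turn a `None` value into the literal text "None" — which then reaches the identity server as `org.matrix.web_client_location` instead of the key being left unset as the comment above it promises. The role's default for this variable is not part of this diff, so I can't tell which case applies. Consider guarding the line with `{% if matrix_synapse_email_invite_client_location %}` … `{% endif %}` so an empty or unset value really omits the key. The variable's defaults entry should also say it must be a full, operator-controlled https URL, since invitees are directed there by the identity server.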
@@ -2669,12 +2612,16 @@ user_directory:
#enabled: false
# Defines whether to search all users visible to your HS when searching
- # the user directory, rather than limiting to users visible in public
- # rooms. Defaults to false.
+ # the user directory. If false, search results will only contain users
+ # visible in public rooms and users sharing a room with the requester.
+ # Defaults to false.
#
- # If you set it true, you'll have to rebuild the user_directory search
- # indexes, see:
- # https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md
+ # NB. If you set this to true, and the last time the user_directory search
+ # indexes were (re)built was before Synapse 1.44, you'll have to
+ # rebuild the indexes in order to search through all known users.
+ # These indexes are built the first time Synapse starts; admins can
+ # manually trigger a rebuild following the instructions at
+ # https://matrix-org.github.io/synapse/latest/user_directory.html
#
# Uncomment to return search results containing all known users, even if that
# user does not share a room with the requester.
@@ -2753,11 +2700,6 @@ stats:
#
#enabled: false
- # The size of each timeslice in the room_stats_historical and
- # user_stats_historical tables, as a time period. Defaults to "1d".
- #
- #bucket_size: 1h
-
# Server Notices room configuration
#
@@ -2850,19 +2792,6 @@ alias_creation_rules: {{ matrix_synapse_alias_creation_rules|to_json }}
room_list_publication_rules: {{ matrix_synapse_room_list_publication_rules|to_json }}
-# Server admins can define a Python module that implements extra rules for
-# allowing or denying incoming events. In order to work, this module needs to
-# override the methods defined in synapse/events/third_party_rules.py.
-#
-# This feature is designed to be used in closed federations only, where each
-# participating server enforces the same rules.
-#
-#third_party_event_rules:
-# module: "my_custom_project.SuperRulesSet"
-# config:
-# example_option: 'things'
-
-
## Opentracing ##
# These settings enable opentracing, which implements distributed tracing.
@@ -2977,19 +2906,4 @@ redis:
password: {{ matrix_synapse_redis_password }}
-# Enable experimental features in Synapse.
-#
-# Experimental features might break or be removed without a deprecation
-# period.
-#
-experimental_features:
- # Support for Spaces (MSC1772), it enables the following:
- #
- # * The Spaces Summary API (MSC2946).
- # * Restricting room membership based on space membership (MSC3083).
- #
- # Uncomment to disable support for Spaces.
- #spaces_enabled: false
-
-
# vim:ft=yaml
diff --git a/roles/matrix-synapse/vars/workers.yml b/roles/matrix-synapse/vars/workers.yml
index c989fb5b..049ae9b5 100644
--- a/roles/matrix-synapse/vars/workers.yml
+++ b/roles/matrix-synapse/vars/workers.yml
@@ -32,16 +32,22 @@ matrix_synapse_workers_generic_worker_endpoints:
- ^/_matrix/federation/v1/user/devices/
- ^/_matrix/federation/v1/get_groups_publicised$
- ^/_matrix/key/v2/query
+ - ^/_matrix/federation/unstable/org.matrix.msc2946/spaces/
+ - ^/_matrix/federation/unstable/org.matrix.msc2946/hierarchy/
# Inbound federation transaction request
- ^/_matrix/federation/v1/send/
# Client API requests
+ - ^/_matrix/client/(api/v1|r0|unstable)/createRoom$
- ^/_matrix/client/(api/v1|r0|unstable)/publicRooms$
- ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/joined_members$
- ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/context/.*$
- ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/members$
- ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state$
+ - ^/_matrix/client/unstable/org.matrix.msc2946/rooms/.*/spaces$
+ - ^/_matrix/client/unstable/org.matrix.msc2946/rooms/.*/hierarchy$
+ - ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$
- ^/_matrix/client/(api/v1|r0|unstable)/account/3pid$
- ^/_matrix/client/(api/v1|r0|unstable)/devices$
- ^/_matrix/client/(api/v1|r0|unstable)/keys/query$
@@ -51,10 +57,14 @@ matrix_synapse_workers_generic_worker_endpoints:
- ^/_matrix/client/(api/v1|r0|unstable)/joined_groups$
- ^/_matrix/client/(api/v1|r0|unstable)/publicised_groups$
- ^/_matrix/client/(api/v1|r0|unstable)/publicised_groups/
+ - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/event/
+ - ^/_matrix/client/(api/v1|r0|unstable)/joined_rooms$
+ - ^/_matrix/client/(api/v1|r0|unstable)/search$
# Registration/login requests
- ^/_matrix/client/(api/v1|r0|unstable)/login$
- ^/_matrix/client/(r0|unstable)/register$
+ - ^/_matrix/client/unstable/org.matrix.msc3231/register/org.matrix.msc3231.login.registration_token/validity$
# Event sending requests
- ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/redact
@@ -250,10 +260,12 @@ matrix_synapse_workers_media_repository_endpoints:
- ^/_synapse/admin/v1/user/.*/media.*$
- ^/_synapse/admin/v1/media/.*$
- ^/_synapse/admin/v1/quarantine_media/.*$
+ - ^/_synapse/admin/v1/users/.*/media$
# You should also set `enable_media_repo: False` in the shared configuration
# file to stop the main synapse running background jobs related to managing the
- # media repository.
+ # media repository. Note that doing so will prevent the main process from being
+ # able to handle the above endpoints.
# In the `media_repository` worker configuration file, configure the http listener to
# expose the `media` resource. For example:
diff --git a/setup.yml b/setup.yml
index 399e8596..52c1250d 100755
--- a/setup.yml
+++ b/setup.yml
@@ -18,8 +18,10 @@
- matrix-bridge-appservice-slack
- matrix-bridge-appservice-webhooks
- matrix-bridge-appservice-irc
+ - matrix-bridge-beeper-linkedin
- matrix-bridge-mautrix-facebook
- matrix-bridge-mautrix-hangouts
+ - matrix-bridge-mautrix-googlechat
- matrix-bridge-mautrix-instagram
- matrix-bridge-mautrix-signal
- matrix-bridge-mautrix-telegram
@@ -56,4 +58,4 @@
- matrix-aux
- matrix-postgres-backup
- matrix-prometheus-postgres-exporter
- - matrix-common-after
\ No newline at end of file
+ - matrix-common-after
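Review bot: `^/_synapse/admin/v1/users/.*/media$` is an Admin API route added to the same list as the public media endpoints, so wherever this list is used to drive proxy routing, that admin path becomes reachable through the media worker as well; it mirrors the existing `^/_synapse/admin/v1/user/.*/media.*$` entry above it, so it is consistent, but the list never states that its `/_synapse/admin` members need the same access restrictions as on the main process. A short comment next to the admin entries would make that explicit, e.g. `# /_synapse/admin routes listed here are served by the media worker; keep them behind the same restrictions as the main process's admin API.` The added sentence `able to handle the above endpoints` is also a little loose — naming `matrix_synapse_workers_media_repository_endpoints` there would make the reference unambiguous.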