diff --git a/docs/configuring-awx-system.md b/docs/configuring-awx-system.md new file mode 100644 index 00000000..2bc2699b --- /dev/null +++ b/docs/configuring-awx-system.md @@ -0,0 +1,43 @@ +# Configuring AWX System (optional) + +An AWX setup for managing multiple Matrix servers. + +This section is used in an AWX system that can create and manage multiple [Matrix](http://matrix.org/) servers. You can issue members an AWX login to their own 'organisation', which they can use to manage/configure 1 to N servers. + +Members can be assigned a server from Digitalocean, or they can connect their own on-premises server. This script is free to use in a commercial context with the 'MemberPress Plus' and 'WP Oauth Sever' addons. It can also be run in a non-commercial context. + +The AWX system is arranged into 'members' each with their own 'subscriptions'. After creating a subscription the user enters the 'provision stage' where they defined the URLs they will use, the servers location and whether or not there's already a website at the base domain. They then proceed onto the 'deploy stage' where they can configure their Matrix server. + +Ideally this system can manage the updates, configuration, backups and monitoring on it's own. It is an extension of the popular deploy script [spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy). + +Warning: This project is currently alpha quality and should only be run by the brave. + + +## Other Required Playbooks + +The following repositories allow you to copy and use this setup: + +[Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) - Creates and configures the AWX system for you. + +[Ansible Create Delete Subscription Membership](https://gitlab.com/GoMatrixHosting/ansible-create-delete-subscription-membership) - Used by the AWX system to create memberships and subscriptions. + +[Ansible Provision Server](https://gitlab.com/GoMatrixHosting/ansible-provision-server) - Used by AWX members to perform initial configuration of their DigitalOcean or On-Premises server. + +## Testing Fork For This Playbook + +Updates to this section are trailed here: + +[GoMatrixHosting Matrix Docker Ansible Deploy](https://gitlab.com/GoMatrixHosting/gomatrixhosting-matrix-docker-ansible-deploy) + + +## Does I need an AWX setup to use this? How do I configure it? + +Yes, you'll need to configure an AWX instance, the [Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) repository makes it easy to do. Just follow the steps listed in '/docs/Installation.md' of that repository. + + +## Does I need a front-end WordPress site? And a DigitalOcean account? + +You do not need a front-end WordPress site or any of the mentioned WordPress plugins to use this setup. It can be run on it's own in a non-commercial context. + +You also don't need a DigitalOcean account, but this will limit you to only being able to connect 'On-Premises' servers. + diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index a40c83ad..c9cc6ad0 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -29,6 +29,22 @@ matrix_homeserver_container_url: "{{ 'http://matrix-nginx-proxy:12080' if matrix ###################################################################### +###################################################################### +# +# matrix-awx +# +###################################################################### + +matrix_nginx_proxy_data_path: "{{ '/chroot/website' if (matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled) else (matrix_nginx_proxy_base_path + '/data') }}" +matrix_nginx_proxy_data_path_in_container: "{{ '/nginx-data/matrix-domain' if (matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled) else '/nginx-data' }}" + +###################################################################### +# +# /matrix-awx +# +###################################################################### + + ###################################################################### # # matrix-bridge-appservice-discord diff --git a/roles/matrix-awx/defaults/main.yml b/roles/matrix-awx/defaults/main.yml new file mode 100755 index 00000000..9394ecab --- /dev/null +++ b/roles/matrix-awx/defaults/main.yml @@ -0,0 +1,2 @@ + +matrix_awx_enabled: false diff --git a/roles/matrix-awx/surveys/backup_server.json.j2 b/roles/matrix-awx/surveys/backup_server.json.j2 new file mode 100644 index 00000000..232d1968 --- /dev/null +++ b/roles/matrix-awx/surveys/backup_server.json.j2 @@ -0,0 +1,19 @@ +{ + "name": "Backup Server", + "description": "", + "spec": [ + { + "question_name": "Enable Backup", + "question_description": "Set if remote backup is enabled or not. If enabled a daily backup of your server will be sent to the backup server located in {{ backup_server_location }}.", + "required": true, + "min": null, + "max": null, + "default": "{{ matrix_awx_backup_enabled | string | lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_awx_backup_enabled", + "type": "multiplechoice" + } + ] +} + diff --git a/roles/matrix-awx/surveys/configure_corporal.json.j2 b/roles/matrix-awx/surveys/configure_corporal.json.j2 new file mode 100755 index 00000000..4c4ead83 --- /dev/null +++ b/roles/matrix-awx/surveys/configure_corporal.json.j2 @@ -0,0 +1,88 @@ +{ + "name": "Configure Matrix Corporal", + "description": "", + "spec": [ + { + "question_name": "Enable Corporal", + "question_description": "Controls if Matrix Corporal is enabled at all. If you're unsure if you need Matrix Corporal or not, you most likely don't.", + "required": true, + "min": null, + "max": null, + "default": "{{ matrix_corporal_enabled|string|lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_corporal_enabled", + "type": "multiplechoice" + }, + { + "question_name": "Corporal Policy Provider", + "question_description": "Controls what provider policy is used with Matrix Corporal.", + "required": true, + "min": null, + "max": null, + "default": "{{ matrix_corporal_policy_provider_mode }}", + "choices": "Simple Static File\nHTTP Pull Mode (API Enabled)\nHTTP Push Mode (API Enabled)", + "new_question": true, + "variable": "matrix_corporal_policy_provider_mode", + "type": "multiplechoice" + }, + { + "question_name": "Simple Static File Configuration", + "question_description": "The configuration file for Matrix Corporal, only needed if 'Simple Static File' provider is selected, any configuration entered here will be saved and applied.", + "required": false, + "min": 0, + "max": 65536, + "default": "", + "new_question": true, + "variable": "matrix_corporal_simple_static_config", + "type": "textarea" + }, + { + "question_name": "HTTP Pull Mode URI", + "question_description": "The network address to remotely fetch the configuration from. Only needed if 'HTTP Pull Mode (API Enabled)' provider is selected.", + "required": false, + "min": 0, + "max": 4096, + "default": "{{ matrix_corporal_pull_mode_uri }}", + "new_question": true, + "variable": "matrix_corporal_pull_mode_uri", + "type": "text" + }, + { + "question_name": "HTTP Pull Mode Authentication Token", + "question_description": "An authentication token for pulling the Corporal configuration from a network location. Only needed if 'HTTP Pull Mode (API Enabled)' provider is selected. WARNING: You must set a strong and unique password here.", + "required": false, + "min": 0, + "max": 256, + "default": "{{ matrix_corporal_pull_mode_token }}", + "choices": "", + "new_question": true, + "variable": "matrix_corporal_pull_mode_token", + "type": "password" + }, + { + "question_name": "Corporal API Authentication Token", + "question_description": "An authentication token for interfacing with Corporals API. Only needed to be set if 'HTTP Pull Mode (API Enabled)' or 'HTTP Push Mode (API Enabled)' provider is selected. WARNING: You must set a strong and unique password here.", + "required": false, + "min": 0, + "max": 256, + "default": "{{ matrix_corporal_http_api_auth_token }}", + "choices": "", + "new_question": true, + "variable": "matrix_corporal_http_api_auth_token", + "type": "password" + }, + { + "question_name": "Raise Synapse Ratelimits", + "question_description": "For Matrix Corporal to work you will need to temporarily raise the rate limits for logins, please return this value to 'Normal' after you're done using Corporal.", + "required": false, + "min": null, + "max": null, + "default": "{{ matrix_corporal_raise_ratelimits }}", + "choices": "Normal\nRaised", + "new_question": true, + "variable": "matrix_corporal_raise_ratelimits", + "type": "multiplechoice" + } + ] +} diff --git a/roles/matrix-awx/surveys/configure_element.json.j2 b/roles/matrix-awx/surveys/configure_element.json.j2 new file mode 100755 index 00000000..0ff02288 --- /dev/null +++ b/roles/matrix-awx/surveys/configure_element.json.j2 @@ -0,0 +1,78 @@ +{ + "name": "", + "description": "", + "spec": [ + { + "question_name": "Enable Element-Web", + "question_description": "Set if Element web client is enabled or not.", + "required": true, + "min": null, + "max": null, + "default": "{{ matrix_client_element_enabled }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_client_element_enabled", + "type": "multiplechoice" + }, + { + "question_name": "Set Branding for Web Client", + "question_description": "Sets the 'branding' seen in the tab and on the welcome page to a custom value.", + "required": false, + "min": 0, + "max": 256, + "default": "{{ matrix_client_element_brand }}", + "choices": "", + "new_question": true, + "variable": "matrix_client_element_brand", + "type": "text" + }, + { + "question_name": "Set Theme for Web Client", + "question_description": "Sets the default theme for the web client, can be changed later by individual users.", + "required": false, + "min": null, + "max": null, + "default": "{{ matrix_client_element_default_theme }}", + "choices": "light\ndark", + "new_question": true, + "variable": "matrix_client_element_default_theme", + "type": "multiplechoice" + }, + { + "question_name": "Set Welcome Page Background", + "question_description": "URL to Wallpaper, shown in background of the welcome page. Must be a 'https' link, otherwise it won't be set.", + "required": false, + "min": 0, + "max": 1024, + "default": "{{ matrix_client_element_branding_welcomeBackgroundUrl }}", + "choices": "", + "new_question": true, + "variable": "matrix_client_element_branding_welcomeBackgroundUrl", + "type": "text" + }, + { + "question_name": "Show Registration Button", + "question_description": "If you show the registration button on the welcome page.", + "required": false, + "min": null, + "max": null, + "default": "{{ matrix_client_element_registration_enabled }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_client_element_registration_enabled", + "type": "multiplechoice" + }, + { + "question_name": "Set Element Subdomain", + "question_description": "Sets the subdomain of the Element web-client, you should only specify the subdomain, not the base domain you've already set. (Eg: 'element' for element.example.org) Note that if you change this value you'll need to reconfigure your DNS.", + "required": false, + "min": 0, + "max": 2048, + "default": "{{ element_subdomain }}", + "choices": "", + "new_question": true, + "variable": "element_subdomain", + "type": "text" + } + ] +} diff --git a/roles/matrix-awx/surveys/configure_jitsi.json.j2 b/roles/matrix-awx/surveys/configure_jitsi.json.j2 new file mode 100755 index 00000000..2eb0579b --- /dev/null +++ b/roles/matrix-awx/surveys/configure_jitsi.json.j2 @@ -0,0 +1,31 @@ +{ + "name": "", + "description": "", + "spec": [ + { + "question_name": "Enable Jitsi", + "question_description": "Set if Jitsi is enabled or not. If disabled your server will use the https://jitsi.riot.im server. If you're on a smaller server disabling this might increase the performance of your Matrix service.", + "required": false, + "min": null, + "max": null, + "default": "{{ matrix_jitsi_enabled }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_jitsi_enabled", + "type": "multiplechoice" + }, + { + "question_name": "Set Default Language", + "question_description": "2 digit 639-1 language code to adjust the language of the web client. For a list of possible codes see: https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes", + "required": false, + "min": 0, + "max": 2, + "default": "{{ matrix_jitsi_web_config_defaultLanguage }}", + "choices": "", + "new_question": true, + "variable": "matrix_jitsi_web_config_defaultLanguage", + "type": "text" + } + ] +} + diff --git a/roles/matrix-awx/surveys/configure_ma1sd.json.j2 b/roles/matrix-awx/surveys/configure_ma1sd.json.j2 new file mode 100644 index 00000000..ad2110a0 --- /dev/null +++ b/roles/matrix-awx/surveys/configure_ma1sd.json.j2 @@ -0,0 +1,41 @@ +{ + "name": "", + "description": "", + "spec": [ + { + "question_name": "Enable ma1sd", + "question_description": "Set if ma1sd is enabled or not. If disabled your server will loose identity functionality (not recommended).", + "required": false, + "min": null, + "max": null, + "default": "{{ matrix_ma1sd_enabled|string|lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_ma1sd_enabled", + "type": "multiplechoice" + }, + { + "question_name": "ma1sd Authentication Mode", + "question_description": "Set the source of user account authentication credentials with the ma1sd.", + "required": false, + "min": null, + "max": null, + "default": "{{ ext_matrix_ma1sd_auth_store }}", + "choices": "Synapse Internal\nLDAP/AD", + "new_question": true, + "variable": "ext_matrix_ma1sd_auth_store", + "type": "multiplechoice" + }, + { + "question_name": "LDAP/AD Configuration", + "question_description": "Settings for connecting LDAP/AD to the ma1sd service. (ignored if using Synapse Internal, see https://github.com/ma1uta/ma1sd/blob/master/docs/stores/README.md )", + "required": false, + "min": 0, + "max": 65536, + "default": {{ ext_matrix_ma1sd_configuration_extension_yaml | to_json }}, + "new_question": true, + "variable": "ext_matrix_ma1sd_configuration_extension_yaml", + "type": "textarea" + } + ] +} diff --git a/roles/matrix-awx/surveys/configure_synapse.json.j2 b/roles/matrix-awx/surveys/configure_synapse.json.j2 new file mode 100755 index 00000000..32d54646 --- /dev/null +++ b/roles/matrix-awx/surveys/configure_synapse.json.j2 @@ -0,0 +1,198 @@ +{ + "name": "Configure Synapse", + "description": "", + "spec": [ + { + "question_name": "Enable Public Registration", + "question_description": "Controls whether people with access to the homeserver can register by themselves.", + "required": false, + "min": null, + "max": null, + "default": "{{ matrix_synapse_enable_registration|string|lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_synapse_enable_registration", + "type": "multiplechoice" + }, + { + "question_name": "Enable Federation", + "question_description": "Controls whether Synapse will federate at all. Disable this to completely isolate your server from the rest of the Matrix network.", + "required": false, + "min": null, + "max": null, + "default": "{{ matrix_synapse_federation_enabled|string|lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_synapse_federation_enabled", + "type": "multiplechoice" + }, + { + "question_name": "Allow Public Rooms Over Federation", + "question_description": "Controls whether remote servers can fetch this server's public rooms directory via federation. For private servers, you'll most likely want to forbid this.", + "required": false, + "min": null, + "max": null, + "default": "{{ matrix_synapse_allow_public_rooms_over_federation|string|lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_synapse_allow_public_rooms_over_federation", + "type": "multiplechoice" + }, + { + "question_name": "Enable Community Creation", + "question_description": "Allows regular users (who aren't server admins) to create 'communities', which are basically groups of rooms.", + "required": false, + "min": null, + "max": null, + "default": "{{ matrix_synapse_enable_group_creation|string|lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_synapse_enable_group_creation", + "type": "multiplechoice" + }, + { + "question_name": "Enable Synapse Presence", + "question_description": "Controls whether presence is enabled. This shows who's online and reading your posts. Disabling it will increase both performance and user privacy.", + "required": false, + "min": null, + "max": null, + "default": "{{ matrix_synapse_use_presence|string|lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_synapse_use_presence", + "type": "multiplechoice" + }, + { + "question_name": "Enable URL Previews", + "question_description": "Controls whether URL previews should be generated. This will cause a request from Synapse to URLs shared by users.", + "required": false, + "min": null, + "max": null, + "default": "{{ matrix_synapse_url_preview_enabled|string|lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_synapse_url_preview_enabled", + "type": "multiplechoice" + }, + { + "question_name": "Enable Guest Access", + "question_description": "Controls whether 'guest accounts' can access rooms without registering. Guest users do not count towards your servers user limit.", + "required": false, + "min": null, + "max": null, + "default": "{{ matrix_synapse_allow_guest_access|string|lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_synapse_allow_guest_access", + "type": "multiplechoice" + }, + { + "question_name": "Registration Requires Email", + "question_description": "Controls whether an email address is required to register on the server.", + "required": false, + "min": null, + "max": null, + "default": "{{ ext_registrations_require_3pid|string|lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "ext_registrations_require_3pid", + "type": "multiplechoice" + }, + { + "question_name": "Registration Shared Secret", + "question_description": "A secret that allows registration of standard or admin accounts by anyone who has the shared secret, even if registration is otherwise disabled. WARNING: You must set a strong and unique password here.", + "required": false, + "min": 0, + "max": 256, + "default": "", + "choices": "", + "new_question": true, + "variable": "matrix_synapse_registration_shared_secret", + "type": "password" + }, + { + "question_name": "Synapse Max Upload Size", + "question_description": "Sets the maximum size for uploaded files in MB.", + "required": false, + "min": 0, + "max": 3, + "default": "{{ matrix_synapse_max_upload_size_mb }}", + "choices": "", + "new_question": true, + "variable": "matrix_synapse_max_upload_size_mb", + "type": "text" + }, + { + "question_name": "URL Preview Languages", + "question_description": "Sets the languages that URL previews will be generated in. Entries are a 2-3 letter IETF language tag, they must be seperated with newlines. For example: 'fr' https://en.wikipedia.org/wiki/IETF_language_tag", + "required": false, + "min": 0, + "max": 65536, + "default": {{ ext_url_preview_accept_language_default|to_json }}, + "choices": "", + "new_question": true, + "variable": "ext_url_preview_accept_language_raw", + "type": "textarea" + }, + { + "question_name": "Federation Whitelist", + "question_description": "Here you can list the URLs of other Matrix homeservers and Synapse will only federate with those homeservers. Entries must be seperated with newlines and must not have a 'https://' prefix. For example: 'matrix.example.org'", + "required": false, + "min": 0, + "max": 65536, + "default": {{ ext_federation_whitelist_raw|to_json }}, + "choices": "", + "new_question": true, + "variable": "ext_federation_whitelist_raw", + "type": "textarea" + }, + { + "question_name": "Synapse Auto-Join Rooms", + "question_description": "Sets the 'auto-join' rooms, where new users will be automatically invited to, these rooms must already exist. Entries must be room addresses that are separated with newlines. For example: '#announcements:example.org'", + "required": false, + "min": 0, + "max": 65536, + "default": {{ matrix_synapse_auto_join_rooms_raw|to_json }}, + "choices": "", + "new_question": true, + "variable": "matrix_synapse_auto_join_rooms_raw", + "type": "textarea" + }, + { + "question_name": "Enable ReCaptcha on Registration", + "question_description": "Enables Googles ReCaptcha verification for registering an account, recommended for public servers.", + "required": false, + "min": null, + "max": null, + "default": "{{ ext_enable_registration_captcha|string|lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "ext_enable_registration_captcha", + "type": "multiplechoice" + }, + { + "question_name": "Recaptcha Public Key", + "question_description": "Sets the Google ReCaptcha public key for this website.", + "required": false, + "min": 0, + "max": 40, + "default": "{{ ext_recaptcha_public_key }}", + "choices": "", + "new_question": true, + "variable": "ext_recaptcha_public_key", + "type": "text" + }, + { + "question_name": "Recaptcha Private Key", + "question_description": "Sets the Google ReCaptcha private key for this website.", + "required": false, + "min": 0, + "max": 40, + "default": "{{ ext_recaptcha_private_key }}", + "choices": "", + "new_question": true, + "variable": "ext_recaptcha_private_key", + "type": "text" + } + ] +} diff --git a/roles/matrix-awx/surveys/configure_synapse_admin.json.j2 b/roles/matrix-awx/surveys/configure_synapse_admin.json.j2 new file mode 100644 index 00000000..f5a740aa --- /dev/null +++ b/roles/matrix-awx/surveys/configure_synapse_admin.json.j2 @@ -0,0 +1,18 @@ +{ + "name": "Configure Synapse Admin", + "description": "Configure 'Synapse Admin', a moderation tool to help you manage your server.", + "spec": [ + { + "question_name": "Enable Synapse Admin", + "question_description": "Set if Synapse Admin is enabled or not. If enabled you can access it at https://matrix.{{ matrix_domain }}/synapse-admin.", + "required": false, + "min": null, + "max": null, + "default": "{{ matrix_synapse_admin_enabled|string|lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_synapse_admin_enabled", + "type": "multiplechoice" + } + ] +} diff --git a/roles/matrix-awx/surveys/configure_website_access_export.json.j2 b/roles/matrix-awx/surveys/configure_website_access_export.json.j2 new file mode 100755 index 00000000..2b3e1637 --- /dev/null +++ b/roles/matrix-awx/surveys/configure_website_access_export.json.j2 @@ -0,0 +1,54 @@ +{ + "name": "Configure Website Access Backup", + "description": "Configure base domain website settings and access the services backup.", + "spec": [ + { + "question_name": "Customise Base Domain Website", + "question_description": "Set if you want to adjust the base domain website using SFTP.", + "required": true, + "min": null, + "max": null, + "default": "{{ customise_base_domain_website | string | lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "customise_base_domain_website", + "type": "multiplechoice" + }, + { + "question_name": "SFTP Authorisation Method", + "question_description": "Set whether you want to disable SFTP, use a password to connect to SFTP or connect with a more secure SSH key.", + "required": true, + "min": null, + "max": null, + "default": "{{ sftp_auth_method | string }}", + "choices": "Disabled\nPassword\nSSH Key", + "new_question": true, + "variable": "sftp_auth_method", + "type": "multiplechoice" + }, + { + "question_name": "SFTP Password", + "question_description": "Sets the password of the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as export the latest copy of your Matrix service. Must be defined if 'Password' method is selected. WARNING: You must set a strong and unique password here.", + "required": false, + "min": 0, + "max": 64, + "default": "{{ sftp_password }}", + "choices": "", + "new_question": true, + "variable": "sftp_password", + "type": "password" + }, + { + "question_name": "SFTP Public SSH Key (More Secure)", + "question_description": "Sets the public SSH key used to access the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as export the latest copy of your Matrix service. Must be defined if 'SSH Key' method is selected.", + "required": false, + "min": 0, + "max": 16384, + "default": "{{ sftp_public_key }}", + "choices": "", + "new_question": true, + "variable": "sftp_public_key", + "type": "text" + } + ] +} diff --git a/roles/matrix-awx/tasks/backup_server.yml b/roles/matrix-awx/tasks/backup_server.yml new file mode 100644 index 00000000..556c4497 --- /dev/null +++ b/roles/matrix-awx/tasks/backup_server.yml @@ -0,0 +1,69 @@ + +- name: Record Backup Server variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# AWX Settings' + with_dict: + 'matrix_awx_backup_enabled': '{{ matrix_awx_backup_enabled }}' + +- name: Copy new 'matrix_vars.yml' to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + dest: '/matrix/awx/matrix_vars.yml' + mode: '0660' + +- name: Save new 'Backup Server' survey.json to the AWX tower, template + delegate_to: 127.0.0.1 + template: + src: 'roles/matrix-awx/surveys/backup_server.json.j2' + dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/backup_server.json' + +- name: Copy new 'Backup Server' survey.json to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/backup_server.json' + dest: '/matrix/awx/backup_server.json' + mode: '0660' + +- name: Collect AWX admin token the hard way! + delegate_to: 127.0.0.1 + shell: | + curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' + register: tower_token + no_log: True + +- name: Recreate 'Backup Server' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 0 - Backup Server" + description: "Performs a backup of the entire service to a remote location." + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "backup-server" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + survey_enabled: true + survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/backup_server.json') }}" + become_enabled: yes + state: present + verbosity: 1 + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes + +- name: Perform the borg backup + command: borgmatic + when: matrix_awx_backup_enabled|bool + +- name: Set boolean value to exit playbook + set_fact: + end_playbook: true + +- name: End playbook if this task list is called. + meta: end_play + when: end_playbook is defined and end_playbook|bool + diff --git a/roles/matrix-awx/tasks/create_user.yml b/roles/matrix-awx/tasks/create_user.yml new file mode 100755 index 00000000..0993d61f --- /dev/null +++ b/roles/matrix-awx/tasks/create_user.yml @@ -0,0 +1,31 @@ +# +# Create user and define if they are admin +# +# /usr/local/bin/matrix-synapse-register-user +# + +- name: Set admin bool to zero + set_fact: + admin_bool: 0 + when: admin_access == 'false' + +- name: Examine if server admin set + set_fact: + admin_bool: 1 + when: admin_access == 'true' + +- name: Set boolean value to exit playbook + set_fact: + end_playbook: true + +- name: Create user account + command: | + /usr/local/bin/matrix-synapse-register-user {{ new_username | quote }} {{ new_password | quote }} {{ admin_bool }} + register: cmd + +- name: Result + debug: msg="{{ cmd.stdout }}" + +- name: End playbook if this task list is called. + meta: end_play + when: end_playbook is defined and end_playbook|bool diff --git a/roles/matrix-awx/tasks/customise_website_access_export.yml b/roles/matrix-awx/tasks/customise_website_access_export.yml new file mode 100755 index 00000000..4b775105 --- /dev/null +++ b/roles/matrix-awx/tasks/customise_website_access_export.yml @@ -0,0 +1,230 @@ + + +- name: Enable index.html creation if user doesn't wish to customise base domain + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Base Domain Settings' + with_dict: + 'matrix_nginx_proxy_base_domain_homepage_enabled': 'true' + when: customise_base_domain_website|bool == false + +- name: Disable index.html creation to allow multi-file site if user does wish to customise base domain + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Base Domain Settings' + with_dict: + 'matrix_nginx_proxy_base_domain_homepage_enabled': 'false' + when: customise_base_domain_website|bool == true + +- name: Record custom 'Customise Website + Access Export' variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Custom Settings' + with_dict: + 'customise_base_domain_website': '{{ customise_base_domain_website }}' + 'sftp_auth_method': '"{{ sftp_auth_method }}"' + 'sftp_password': '"{{ sftp_password }}"' + 'sftp_public_key': '"{{ sftp_public_key }}"' + +- name: Copy new 'matrix_vars.yml' to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + dest: '/matrix/awx/matrix_vars.yml' + mode: '0660' + +- name: Reload vars in matrix_vars.yml + include_vars: + file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + no_log: True + +- name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template + delegate_to: 127.0.0.1 + template: + src: './roles/matrix-awx/surveys/configure_website_access_export.json.j2' + dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json' + +- name: Copy new 'Customise Website + Access Export' survey.json to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json' + dest: '/matrix/awx/configure_website_access_export.json' + mode: '0660' + +- name: Collect AWX admin token the hard way! + delegate_to: 127.0.0.1 + shell: | + curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' + register: tower_token + no_log: True + +- name: Recreate 'Customise Base Domain Export' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 1 - Configure Website + Access Export" + description: "Configure base domain website settings and access the servers export." + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "start,setup-nginx-proxy" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + survey_enabled: true + survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json') }}" + become_enabled: yes + state: present + verbosity: 1 + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes + +- name: Ensure group "sftp" exists + group: + name: sftp + state: present + +- name: If user doesn't define a sftp_password, create a disabled 'sftp' account + user: + name: sftp + comment: SFTP user to set custom web files and access servers export + shell: /bin/false + home: /home/sftp + group: sftp + password: '*' + update_password: always + when: sftp_password|length == 0 + +- name: If user defines sftp_password, enable account and set password on 'stfp' account + user: + name: sftp + comment: SFTP user to set custom web files and access servers export + shell: /bin/false + home: /home/sftp + group: sftp + password: "{{ sftp_password | password_hash('sha512') }}" + update_password: always + when: sftp_password|length > 0 + +- name: adding existing user 'sftp' to group matrix + user: + name: sftp + groups: matrix + append: yes + +- name: Create the ro /chroot directory with sticky bit if it doesn't exist. (/chroot/website has matrix:matrix permissions and is mounted to nginx container) + file: + path: /chroot + state: directory + owner: root + group: root + mode: '1755' + +- name: Ensure /chroot/website location exists. + file: + path: /chroot/website + state: directory + owner: matrix + group: matrix + mode: '0574' + +- name: Ensure /chroot/export location exists + file: + path: /chroot/export + state: directory + owner: sftp + group: sftp + mode: '0700' + +- name: Ensure /home/sftp/.ssh location exists + file: + path: /home/sftp/.ssh + state: directory + owner: sftp + group: sftp + mode: '0700' + +- name: Ensure /home/sftp/authorized_keys exists + file: + path: /home/sftp/.ssh/authorized_keys + state: touch + owner: sftp + group: sftp + mode: '0644' + +- name: Clear authorized_keys file + shell: echo "" > /home/sftp/.ssh/authorized_keys + +- name: Insert public SSH key into authorized_keys file + lineinfile: + path: /home/sftp/.ssh/authorized_keys + line: "{{ sftp_public_key }}" + owner: sftp + group: sftp + mode: '0644' + when: (sftp_public_key | length > 0) and (sftp_auth_method == "SSH Key") + +- name: Alter SSH Subsystem State 1 + lineinfile: + path: /etc/ssh/sshd_config + line: "Subsystem sftp /usr/lib/openssh/sftp-server" + state: absent + +- name: Alter SSH Subsystem State 2 + lineinfile: + path: /etc/ssh/sshd_config + insertafter: "^# override default of no subsystems" + line: "Subsystem sftp internal-sftp" + +- name: Add SSH Match User section for disabled auth + blockinfile: + path: /etc/ssh/sshd_config + state: absent + block: | + Match User sftp + ChrootDirectory /chroot + PermitTunnel no + X11Forwarding no + AllowTcpForwarding no + PasswordAuthentication yes + AuthorizedKeysFile /home/sftp/.ssh/authorized_keys + when: sftp_auth_method == "Disabled" + +- name: Add SSH Match User section for password auth + blockinfile: + path: /etc/ssh/sshd_config + state: present + block: | + Match User sftp + ChrootDirectory /chroot + PermitTunnel no + X11Forwarding no + AllowTcpForwarding no + PasswordAuthentication yes + when: sftp_auth_method == "Password" + +- name: Add SSH Match User section for publickey auth + blockinfile: + path: /etc/ssh/sshd_config + state: present + block: | + Match User sftp + ChrootDirectory /chroot + PermitTunnel no + X11Forwarding no + AllowTcpForwarding no + AuthorizedKeysFile /home/sftp/.ssh/authorized_keys + when: sftp_auth_method == "SSH Key" + +- name: Restart service ssh.service + service: + name: ssh.service + state: restarted + diff --git a/roles/matrix-awx/tasks/import_awx.yml b/roles/matrix-awx/tasks/import_awx.yml new file mode 100644 index 00000000..0100a5d0 --- /dev/null +++ b/roles/matrix-awx/tasks/import_awx.yml @@ -0,0 +1,23 @@ + +- name: Ensure /matrix/awx is empty + shell: rm -r /matrix/awx/* + ignore_errors: yes + +- name: Ensure /matrix/synapse is empty + shell: rm -r /matrix/synapse/* + ignore_errors: yes + +- name: Extract from /chroot/export + shell: tar -xvzf /chroot/export/matrix.tar.gz -C /matrix/ + +- name: Ensure correct ownership of /matrix/awx + shell: chown -R matrix:matrix /matrix/awx + +- name: Ensure correct ownership of /matrix/synapse + shell: chown -R matrix:matrix /matrix/synapse + +- name: Fetch matrix_vars.yml file to AWX + fetch: + src: /matrix/awx/matrix_vars.yml + dest: /var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/ + flat: yes diff --git a/roles/matrix-awx/tasks/load_hosting_and_org_variables.yml b/roles/matrix-awx/tasks/load_hosting_and_org_variables.yml new file mode 100644 index 00000000..6789431a --- /dev/null +++ b/roles/matrix-awx/tasks/load_hosting_and_org_variables.yml @@ -0,0 +1,10 @@ + +- name: Include vars in organisation.yml + include_vars: + file: '/var/lib/awx/projects/clients/{{ member_id }}/organisation.yml' + no_log: True + +- name: Include vars in hosting_vars.yml + include_vars: + file: '/var/lib/awx/projects/hosting/hosting_vars.yml' + no_log: True diff --git a/roles/matrix-awx/tasks/load_matrix_variables.yml b/roles/matrix-awx/tasks/load_matrix_variables.yml new file mode 100755 index 00000000..0174e0e6 --- /dev/null +++ b/roles/matrix-awx/tasks/load_matrix_variables.yml @@ -0,0 +1,6 @@ + +- name: Include vars in matrix_vars.yml + include_vars: + file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + no_log: True + diff --git a/roles/matrix-awx/tasks/main.yml b/roles/matrix-awx/tasks/main.yml new file mode 100755 index 00000000..f7f5bf1f --- /dev/null +++ b/roles/matrix-awx/tasks/main.yml @@ -0,0 +1,79 @@ + +# Load initial hosting and organisation variables from AWX volume +- import_tasks: "{{ role_path }}/tasks/load_hosting_and_org_variables.yml" + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - always + +# Perform a backup of the server +- import_tasks: "{{ role_path }}/tasks/backup_server.yml" + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - backup-server + +# Create a user account if called +- import_tasks: "{{ role_path }}/tasks/create_user.yml" + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - create-user + +# Perform extra self-check functions +- import_tasks: "{{ role_path }}/tasks/self_check.yml" + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - self-check + +# Import configs, media repo from /chroot/backup import +- import_tasks: "{{ role_path }}/tasks/import_awx.yml" + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - import-awx + +# Configure SFTP so user can upload a static website or access the servers export +- import_tasks: "{{ role_path }}/tasks/customise_website_access_export.yml" + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - setup-nginx-proxy + +# Additional playbook to set the variable file during Element configuration +- import_tasks: "{{ role_path }}/tasks/set_variables_element.yml" + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - setup-client-element + +# Additional playbook to set the variable file during Synapse configuration +- import_tasks: "{{ role_path }}/tasks/set_variables_synapse.yml" + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - setup-synapse + +# Additional playbook to set the variable file during Jitsi configuration +- import_tasks: "{{ role_path }}/tasks/set_variables_jitsi.yml" + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - setup-jitsi + +# Additional playbook to set the variable file during Ma1sd configuration +- import_tasks: "{{ role_path }}/tasks/set_variables_ma1sd.yml" + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - setup-ma1sd + +# Additional playbook to set the variable file during Corporal configuration +- import_tasks: "{{ role_path }}/tasks/set_variables_corporal.yml" + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - setup-corporal + +# Additional playbook to set the variable file during Synapse Admin configuration +- import_tasks: "{{ role_path }}/tasks/set_variables_synapse_admin.yml" + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - setup-all + +# Load newly formed matrix variables from tower volume +- import_tasks: "{{ role_path }}/tasks/load_matrix_variables.yml" + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - always + diff --git a/roles/matrix-awx/tasks/self_check.yml b/roles/matrix-awx/tasks/self_check.yml new file mode 100644 index 00000000..977293d0 --- /dev/null +++ b/roles/matrix-awx/tasks/self_check.yml @@ -0,0 +1,94 @@ + +- name: Install prerequisite apt packages on target + apt: + name: + - sysstat + state: present + +- name: Install prerequisite yum packages on AWX + delegate_to: 127.0.0.1 + yum: + name: + - bind-utils + state: present + +- name: Install prerequisite pip packages on AWX + delegate_to: 127.0.0.1 + pip: + name: + - dnspython + state: present + +- name: Calculate CPU usage statistics + shell: iostat -c + register: cpu_usage_stat + no_log: True + +- name: Print CPU usage statistics + debug: + msg: "{{ cpu_usage_stat.stdout.split('\n') }}" + when: cpu_usage_stat is defined + +- name: Calculate RAM usage statistics + shell: free -mh + register: ram_usage_stat + no_log: True + +- name: Print RAM usage statistics + debug: + msg: "{{ ram_usage_stat.stdout.split('\n') }}" + when: ram_usage_stat is defined + +- name: Calculate free disk space + shell: df -h + register: disk_space_stat + no_log: True + +- name: Print free disk space + debug: + msg: "{{ disk_space_stat.stdout.split('\n') }}" + when: disk_space_stat is defined + +- name: Calculate size of Synapse database + shell: du -sh /matrix/postgres/data + register: db_size_stat + no_log: True + +- name: Print size of Synapse database + debug: + msg: "{{ db_size_stat.stdout.split('\n') }}" + when: db_size_stat is defined + +- name: Calculate size of local media repository + shell: du -sh /matrix/synapse/storage/media-store/local* + register: local_media_size_stat + ignore_errors: yes + no_log: True + +- name: Print size of local media repository + debug: + msg: "{{ local_media_size_stat.stdout.split('\n') }}" + when: local_media_size_stat is defined + +- name: Calculate size of remote media repository + shell: du -sh /matrix/synapse/storage/media-store/remote* + register: remote_media_size_stat + ignore_errors: yes + no_log: True + +- name: Print size of remote media repository + debug: + msg: "{{ remote_media_size_stat.stdout.split('\n') }}" + when: remote_media_size_stat is defined + +- name: Calculate docker container statistics + shell: docker stats --all --no-stream + register: docker_stats + ignore_errors: yes + no_log: True + +- name: Print docker container statistics + debug: + msg: "{{ docker_stats.stdout.split('\n') }}" + when: docker_stats is defined + diff --git a/roles/matrix-awx/tasks/set_variables_corporal.yml b/roles/matrix-awx/tasks/set_variables_corporal.yml new file mode 100755 index 00000000..efc44a42 --- /dev/null +++ b/roles/matrix-awx/tasks/set_variables_corporal.yml @@ -0,0 +1,254 @@ + +- name: Record Corporal Enabled/Disabled variable + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Corporal Settings' + with_dict: + 'matrix_corporal_enabled': '{{ matrix_corporal_enabled }}' + +- name: Enable Shared Secret Auth if Corporal enabled + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Shared Secret Auth Settings' + with_dict: + 'matrix_synapse_ext_password_provider_shared_secret_auth_enabled': 'true' + when: matrix_corporal_enabled|bool + +- name: Disable Shared Secret Auth if Corporal disabled + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Shared Secret Auth Settings' + with_dict: + 'matrix_synapse_ext_password_provider_shared_secret_auth_enabled': 'false' + when: not matrix_corporal_enabled|bool + +- name: Enable Rest Auth Endpoint if Corporal enabled + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Synapse Extension' + with_dict: + 'matrix_synapse_ext_password_provider_rest_auth_enabled': 'true' + when: matrix_corporal_enabled|bool + +- name: Disable Rest Auth Endpoint if Corporal disabled + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Synapse Extension' + with_dict: + 'matrix_synapse_ext_password_provider_rest_auth_enabled': 'false' + when: not matrix_corporal_enabled|bool + +- name: Disable Corporal API if Simple Static File mode selected + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Corporal Settings' + with_dict: + 'matrix_corporal_http_api_enabled': 'false' + when: (matrix_corporal_policy_provider_mode == "Simple Static File") or (not matrix_corporal_enabled|bool) + +- name: Enable Corporal API if Push/Pull mode delected + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Corporal Settings' + with_dict: + 'matrix_corporal_http_api_enabled': 'true' + when: (matrix_corporal_policy_provider_mode != "Simple Static File") and (matrix_corporal_enabled|bool) + +- name: Record Corporal API Access Token if it's defined + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Corporal Settings' + with_dict: + 'matrix_corporal_http_api_auth_token': '{{ matrix_corporal_http_api_auth_token }}' + when: matrix_corporal_http_api_auth_token|length > 0 + +- name: Record 'Simple Static File' configuration variables in matrix_vars.yml + delegate_to: 127.0.0.1 + blockinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + insertafter: "# Corporal Policy Provider Settings" + block: | + matrix_corporal_policy_provider_config: | + { + "Type": "static_file", + "Path": "/etc/matrix-corporal/corporal-policy.json" + } + when: matrix_corporal_policy_provider_mode == "Simple Static File" + +- name: Touch the /matrix/corporal/ directory + file: + path: "/matrix/corporal/" + state: directory + owner: matrix + group: matrix + mode: '750' + +- name: Touch the /matrix/corporal/config/ directory + file: + path: "/matrix/corporal/config/" + state: directory + owner: matrix + group: matrix + mode: '750' + +- name: Touch the /matrix/corporal/cache/ directory + file: + path: "/matrix/corporal/cache/" + state: directory + owner: matrix + group: matrix + mode: '750' + +- name: Touch the corporal-policy.json file to ensure it exists + file: + path: "/matrix/corporal/config/corporal-policy.json" + state: touch + owner: matrix + group: matrix + mode: '660' + +- name: Touch the last-policy.json file to ensure it exists + file: + path: "/matrix/corporal/config/last-policy.json" + state: touch + owner: matrix + group: matrix + mode: '660' + +- name: Record 'Simple Static File' configuration content in corporal-policy.json + copy: + content: "{{ matrix_corporal_simple_static_config | string }}" + dest: "/matrix/corporal/config/corporal-policy.json" + owner: matrix + group: matrix + mode: '660' + when: (matrix_corporal_policy_provider_mode == "Simple Static File") and (matrix_corporal_simple_static_config|length > 0) + +- name: Record 'HTTP Pull Mode' configuration variables in matrix_vars.yml + delegate_to: 127.0.0.1 + blockinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + insertafter: "# Corporal Policy Provider Settings" + block: | + matrix_corporal_policy_provider_config: | + { + "Type": "http", + "Uri": "{{ matrix_corporal_pull_mode_uri }}", + "AuthorizationBearerToken": "{{ matrix_corporal_pull_mode_token }}", + "CachePath": "/var/cache/matrix-corporal/last-policy.json", + "ReloadIntervalSeconds": 1800, + "TimeoutMilliseconds": 30000 + } + when: (matrix_corporal_policy_provider_mode == "HTTP Pull Mode (API Enabled)") and (matrix_corporal_pull_mode_uri|length > 0) and (matrix_corporal_pull_mode_token|length > 0) + +- name: Record 'HTTP Push Mode' configuration variables in matrix_vars.yml + delegate_to: 127.0.0.1 + blockinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + insertafter: "# Corporal Policy Provider Settings" + block: | + matrix_corporal_policy_provider_config: | + { + "Type": "last_seen_store_policy", + "CachePath": "/var/cache/matrix-corporal/last-policy.json" + } + when: (matrix_corporal_policy_provider_mode == "HTTP Push Mode (API Enabled)") + +- name: Lower RateLimit if set to 'Normal' + delegate_to: 127.0.0.1 + replace: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: ' address:\n per_second: 50\n burst_count: 300\n account:\n per_second: 0.17\n burst_count: 300' + replace: ' address:\n per_second: 0.17\n burst_count: 3\n account:\n per_second: 0.17\n burst_count: 3' + when: matrix_corporal_raise_ratelimits == "Normal" + +- name: Raise RateLimit if set to 'Raised' + delegate_to: 127.0.0.1 + replace: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: ' address:\n per_second: 0.17\n burst_count: 3\n account:\n per_second: 0.17\n burst_count: 3' + replace: ' address:\n per_second: 50\n burst_count: 300\n account:\n per_second: 0.17\n burst_count: 300' + when: matrix_corporal_raise_ratelimits == "Raised" + +- name: Copy new 'matrix_vars.yml' to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + dest: '/matrix/awx/matrix_vars.yml' + mode: '0664' + +- name: Save new 'Configure Corporal' survey.json to the AWX tower + delegate_to: 127.0.0.1 + template: + src: 'roles/matrix-awx/surveys/configure_corporal.json.j2' + dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_corporal.json' + +- name: Copy new 'Configure Corporal' survey.json to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_corporal.json' + dest: '/matrix/awx/configure_corporal.json' + mode: '0660' + +- debug: + msg: "matrix_corporal_matrix_homeserver_api_endpoint: {{ matrix_corporal_matrix_homeserver_api_endpoint }}" + +- debug: + msg: "matrix_corporal_matrix_auth_shared_secret: {{ matrix_corporal_matrix_auth_shared_secret }}" + +- debug: + msg: "matrix_corporal_http_gateway_internal_rest_auth_enabled: {{ matrix_corporal_http_gateway_internal_rest_auth_enabled }}" + +- debug: + msg: "matrix_corporal_matrix_registration_shared_secret: {{ matrix_corporal_matrix_registration_shared_secret }}" + +- name: Collect AWX admin token the hard way! + delegate_to: 127.0.0.1 + shell: | + curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' + register: tower_token + no_log: True + +- name: Recreate 'Configure Corporal (Advanced)' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 1 - Configure Corporal (Advanced)" + description: "Configure Matrix Corporal, a tool that manages your Matrix server according to a configuration policy." + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "start,setup-corporal" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + survey_enabled: true + survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_corporal.json') }}" + become_enabled: yes + state: present + verbosity: 1 + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes + diff --git a/roles/matrix-awx/tasks/set_variables_element.yml b/roles/matrix-awx/tasks/set_variables_element.yml new file mode 100755 index 00000000..892c1bac --- /dev/null +++ b/roles/matrix-awx/tasks/set_variables_element.yml @@ -0,0 +1,77 @@ + +- name: Record Element-Web variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Element Settings' + with_dict: + 'matrix_client_element_enabled': '{{ matrix_client_element_enabled }}' + 'matrix_client_element_jitsi_preferredDomain': '{{ matrix_client_element_jitsi_preferredDomain }}' + 'matrix_client_element_brand': '{{ matrix_client_element_brand }}' + 'matrix_client_element_default_theme': '{{ matrix_client_element_default_theme }}' + 'matrix_client_element_registration_enabled': '{{ matrix_client_element_registration_enabled }}' + 'matrix_server_fqn_element': "{{ element_subdomain }}.{{ matrix_domain }}" + +- name: Set fact for 'https' string + set_fact: + https_string: "https" + +- name: Record Element-Web Background variable locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Element Settings' + with_dict: + 'matrix_client_element_branding_welcomeBackgroundUrl': '{{ matrix_client_element_branding_welcomeBackgroundUrl }}' + when: (https_string in matrix_client_element_branding_welcomeBackgroundUrl) and ( matrix_client_element_branding_welcomeBackgroundUrl|length > 0 ) + +- name: Copy new 'matrix_vars.yml' to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + dest: '/matrix/awx/matrix_vars.yml' + mode: '0660' + +- name: Save new 'Configure Element' survey.json to the AWX tower, template + delegate_to: 127.0.0.1 + template: + src: 'roles/matrix-awx/surveys/configure_element.json.j2' + dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element.json' + +- name: Copy new 'Configure Element' survey.json to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element.json' + dest: '/matrix/awx/configure_element.json' + mode: '0660' + +- name: Collect AWX admin token the hard way! + delegate_to: 127.0.0.1 + shell: | + curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' + register: tower_token + no_log: True + +- name: Recreate 'Configure Element' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 1 - Configure Element" + description: "Configure Element client via survey." + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "start,setup-client-element" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + survey_enabled: true + survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element.json') }}" + become_enabled: yes + state: present + verbosity: 1 + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes + diff --git a/roles/matrix-awx/tasks/set_variables_jitsi.yml b/roles/matrix-awx/tasks/set_variables_jitsi.yml new file mode 100755 index 00000000..e35beab7 --- /dev/null +++ b/roles/matrix-awx/tasks/set_variables_jitsi.yml @@ -0,0 +1,58 @@ + +- name: Record Jitsi variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Jitsi Settings' + with_dict: + 'matrix_jitsi_enabled': '{{ matrix_jitsi_enabled }}' + 'matrix_jitsi_web_config_defaultLanguage': '{{ matrix_jitsi_web_config_defaultLanguage }}' + +- name: Copy new 'matrix_vars.yml' to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + dest: '/matrix/awx/matrix_vars.yml' + mode: '0660' + +- name: Save new 'Configure Jitsi' survey.json to the AWX tower, template + delegate_to: 127.0.0.1 + template: + src: 'roles/matrix-awx/surveys/configure_jitsi.json.j2' + dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_jitsi.json' + +- name: Copy new 'Configure Jitsi' survey.json to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_jitsi.json' + dest: '/matrix/awx/configure_jitsi.json' + mode: '0660' + +- name: Collect AWX admin token the hard way! + delegate_to: 127.0.0.1 + shell: | + curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' + register: tower_token + no_log: True + +- name: Recreate 'Configure Jitsi' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 1 - Configure Jitsi" + description: "Configure Jitsi conferencing settings." + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "start,setup-jitsi" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + survey_enabled: true + survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_jitsi.json') }}" + become_enabled: yes + state: present + verbosity: 1 + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes + diff --git a/roles/matrix-awx/tasks/set_variables_ma1sd.yml b/roles/matrix-awx/tasks/set_variables_ma1sd.yml new file mode 100755 index 00000000..256a2410 --- /dev/null +++ b/roles/matrix-awx/tasks/set_variables_ma1sd.yml @@ -0,0 +1,130 @@ + +- name: Record ma1sd variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# ma1sd Settings' + with_dict: + 'matrix_ma1sd_enabled': '{{ matrix_ma1sd_enabled }}' + +- name: Disable REST auth (matrix-corporal/ma1sd) if using internal auth + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Synapse Extension' + with_dict: + 'matrix_synapse_ext_password_provider_rest_auth_enabled': 'false' + when: ext_matrix_ma1sd_auth_store == 'Synapse Internal' + +- name: Enable REST auth if using external LDAP/AD with ma1sd + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Synapse Extension' + with_dict: + 'matrix_synapse_ext_password_provider_rest_auth_enabled': 'true' + 'matrix_synapse_ext_password_provider_rest_auth_endpoint': 'http://matrix-ma1sd:8090' + when: ext_matrix_ma1sd_auth_store == 'LDAP/AD' + +- name: Strip header from ma1sd configuration extension if using internal auth + set_fact: + ext_matrix_ma1sd_configuration_extension_yaml_parsed: "{{ ext_matrix_ma1sd_configuration_extension_yaml.splitlines() | reject('search', '^matrix_client_element_configuration_extension_json:') | list }}" + when: ext_matrix_ma1sd_auth_store == 'LDAP/AD' + +- name: Remove entire ma1sd configuration extension + delegate_to: 127.0.0.1 + replace: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: '^.*\n' + after: '# Start ma1sd Extension' + before: '# End ma1sd Extension' + +- name: Replace conjoined ma1sd configuration extension limiters + delegate_to: 127.0.0.1 + replace: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: '^# Start ma1sd Extension# End ma1sd Extension' + replace: '# Start ma1sd Extension\n# End ma1sd Extension' + +- name: Insert ma1sd configuration extension header if using external LDAP/AD with ma1sd + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + line: "matrix_ma1sd_configuration_extension_yaml: |" + insertafter: '# Start ma1sd Extension' + when: ext_matrix_ma1sd_auth_store == 'LDAP/AD' + +- name: Set ma1sd configuration extension if using external LDAP/AD with ma1sd + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + insertbefore: '# End ma1sd Extension' + line: '{{ item }}' + with_items: "{{ ext_matrix_ma1sd_configuration_extension_yaml_parsed }}" + when: ext_matrix_ma1sd_auth_store == 'LDAP/AD' + +- name: Record ma1sd Custom variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertbefore: '# Custom Settings' + with_dict: + 'ext_matrix_ma1sd_auth_store': '{{ ext_matrix_ma1sd_auth_store }}' + 'ext_matrix_ma1sd_configuration_extension_yaml': '{{ ext_matrix_ma1sd_configuration_extension_yaml.splitlines() | to_json }}' + +- name: Copy new 'matrix_vars.yml' to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + dest: '/matrix/awx/matrix_vars.yml' + mode: '0660' + +- name: Save new 'Configure ma1sd' survey.json to the AWX tower, template + delegate_to: 127.0.0.1 + template: + src: 'roles/matrix-awx/surveys/configure_ma1sd.json.j2' + dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_ma1sd.json' + +- name: Copy new 'Configure ma1sd' survey.json to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_ma1sd.json' + dest: '/matrix/awx/configure_ma1sd.json' + mode: '0660' + +- name: Collect AWX admin token the hard way! + delegate_to: 127.0.0.1 + shell: | + curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' + register: tower_token + no_log: True + +- name: Recreate 'Configure ma1sd (Advanced)' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 1 - Configure ma1sd (Advanced)" + description: "Configure Jitsi conferencing settings." + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "start,setup-ma1sd" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + survey_enabled: true + survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_ma1sd.json') }}" + become_enabled: yes + state: present + verbosity: 1 + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes + +# ^ This playbook isn't executing so the survey isn't being updated! :P + diff --git a/roles/matrix-awx/tasks/set_variables_synapse.yml b/roles/matrix-awx/tasks/set_variables_synapse.yml new file mode 100755 index 00000000..979190ce --- /dev/null +++ b/roles/matrix-awx/tasks/set_variables_synapse.yml @@ -0,0 +1,223 @@ + +- name: Record Synapse variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Synapse Settings' + with_dict: + 'matrix_synapse_allow_public_rooms_over_federation': '{{ matrix_synapse_allow_public_rooms_over_federation }}' + 'matrix_synapse_enable_registration': '{{ matrix_synapse_enable_registration }}' + 'matrix_synapse_federation_enabled': '{{ matrix_synapse_federation_enabled }}' + 'matrix_synapse_enable_group_creation': '{{ matrix_synapse_enable_group_creation }}' + 'matrix_synapse_use_presence': '{{ matrix_synapse_use_presence }}' + 'matrix_synapse_max_upload_size_mb': '{{ matrix_synapse_max_upload_size_mb }}' + 'matrix_synapse_url_preview_enabled': '{{ matrix_synapse_url_preview_enabled }}' + 'matrix_synapse_allow_guest_access': '{{ matrix_synapse_allow_guest_access }}' + +- name: Empty Synapse variable 'matrix_synapse_auto_join_rooms' locally on AWX, if raw inputs empty + delegate_to: 127.0.0.1 + replace: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^matrix_synapse_auto_join_rooms: .*$" + replace: "matrix_synapse_auto_join_rooms: []" + when: matrix_synapse_auto_join_rooms_raw|length == 0 + +- name: If the raw inputs is not empty start constructing parsed auto_join_rooms list + set_fact: + matrix_synapse_auto_join_rooms_array: |- + {{ matrix_synapse_auto_join_rooms_raw.splitlines() | to_json }} + when: matrix_synapse_auto_join_rooms_raw|length > 0 + +- name: Record Synapse variable 'matrix_synapse_auto_join_rooms' locally on AWX, if it's not blank + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Synapse Settings' + with_dict: + "matrix_synapse_auto_join_rooms": "{{ matrix_synapse_auto_join_rooms_array }}" + when: matrix_synapse_auto_join_rooms_raw|length > 0 + +- name: Record Synapse Shared Secret if it's defined + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Synapse Settings' + with_dict: + 'matrix_synapse_registration_shared_secret': '{{ matrix_synapse_registration_shared_secret }}' + when: matrix_synapse_registration_shared_secret|length > 0 + +- name: Record registations_require_3pid extra variable if true + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "{{ item }}:" + line: "{{ item }}" + insertbefore: '# End Synapse Extension' + with_items: + - " registrations_require_3pid:" + - " - email" + when: ext_registrations_require_3pid|bool + +- name: Remove registrations_require_3pid extra variable if false + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "{{ item }}:" + line: "{{ item }}" + insertbefore: '# End Synapse Extension' + state: absent + with_items: + - " registrations_require_3pid:" + - " - email" + when: not ext_registrations_require_3pid|bool + +- name: Remove URL Languages + delegate_to: 127.0.0.1 + replace: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: '^(?!.*\bemail\b) - [a-zA-Z\-]{2,5}\n' + after: ' url_preview_accept_language:' + before: '# End Synapse Extension' + +- name: Set URL languages default if raw inputs empty + set_fact: + ext_url_preview_accept_language_default: 'en' + when: ext_url_preview_accept_language_raw|length == 0 + +- name: Set URL languages default if raw inputs not empty + set_fact: + ext_url_preview_accept_language_default: "{{ ext_url_preview_accept_language_raw }}" + when: ext_url_preview_accept_language_raw|length > 0 + +- name: Set URL languages if raw inputs empty + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + insertafter: '^ url_preview_accept_language:' + line: " - {{ ext_url_preview_accept_language_default }}" + when: ext_url_preview_accept_language_raw|length == 0 + +- name: Set URL languages if raw inputs not empty + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + insertafter: '^ url_preview_accept_language:' + line: " - {{ item }}" + with_items: "{{ ext_url_preview_accept_language_raw.splitlines() }}" + when: ext_url_preview_accept_language_raw|length > 0 + +- name: Remove Federation Whitelisting 1 + delegate_to: 127.0.0.1 + replace: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: '^ - [a-z0-9]+\.[a-z0-9.]+\n' + after: ' federation_domain_whitelist:' + before: '# End Synapse Extension' + +- name: Remove Federation Whitelisting 2 + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + line: " federation_domain_whitelist:" + state: absent + +- name: Set Federation Whitelisting 1 + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + insertafter: '^matrix_synapse_configuration_extension_yaml: \|' + line: " federation_domain_whitelist:" + when: ext_federation_whitelist_raw|length > 0 + +- name: Set Federation Whitelisting 2 + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + insertafter: '^ federation_domain_whitelist:' + line: " - {{ item }}" + with_items: "{{ ext_federation_whitelist_raw.splitlines() }}" + when: ext_federation_whitelist_raw|length > 0 + +- name: Record Synapse Custom variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertbefore: '# Custom Settings' + with_dict: + 'ext_federation_whitelist_raw': '{{ ext_federation_whitelist_raw.splitlines() | to_json }}' + 'ext_url_preview_accept_language_default': '{{ ext_url_preview_accept_language_default.splitlines() | to_json }}' + +- name: Set ext_recaptcha_public_key to a 'public-key' if undefined + set_fact: ext_recaptcha_public_key="public-key" + when: (ext_recaptcha_public_key is not defined) or (ext_recaptcha_public_key|length == 0) + +- name: Set ext_recaptcha_private_key to a 'private-key' if undefined + set_fact: ext_recaptcha_private_key="private-key" + when: (ext_recaptcha_private_key is not defined) or (ext_recaptcha_private_key|length == 0) + +- name: Record Synapse Extension variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertbefore: '# End Synapse Extension' + with_dict: + ' enable_registration_captcha': '{{ ext_enable_registration_captcha }}' + ' recaptcha_public_key': '{{ ext_recaptcha_public_key }}' + ' recaptcha_private_key': '{{ ext_recaptcha_private_key }}' + +- name: Copy new 'matrix_vars.yml' to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + dest: '/matrix/awx/matrix_vars.yml' + mode: '0660' + +- name: Save new 'Configure Synapse' survey.json to the AWX tower, template + delegate_to: 127.0.0.1 + template: + src: 'roles/matrix-awx/surveys/configure_synapse.json.j2' + dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}//configure_synapse.json' + +- name: Copy new 'Configure Synapse' survey.json to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_synapse.json' + dest: '/matrix/awx/configure_synapse.json' + mode: '0660' + +- name: Collect AWX admin token the hard way! + delegate_to: 127.0.0.1 + shell: | + curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' + register: tower_token + no_log: True + +- name: Recreate 'Configure Synapse' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 1 - Configure Synapse" + description: "Configure Synapse (homeserver) settings." + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "start,setup-synapse" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + survey_enabled: true + survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_synapse.json') }}" + become_enabled: yes + state: present + verbosity: 1 + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes + diff --git a/roles/matrix-awx/tasks/set_variables_synapse_admin.yml b/roles/matrix-awx/tasks/set_variables_synapse_admin.yml new file mode 100644 index 00000000..30cf12b4 --- /dev/null +++ b/roles/matrix-awx/tasks/set_variables_synapse_admin.yml @@ -0,0 +1,58 @@ + +- name: Record Synapse Admin variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Synapse Admin Settings' + with_dict: + 'matrix_synapse_admin_enabled': '{{ matrix_synapse_admin_enabled }}' + +- name: Copy new 'matrix_vars.yml' to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + dest: '/matrix/awx/matrix_vars.yml' + mode: '0660' + +- name: Save new 'Configure Synapse Admin' survey.json to the AWX tower, template + delegate_to: 127.0.0.1 + template: + src: 'roles/matrix-awx/surveys/configure_synapse_admin.json.j2' + dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_synapse_admin.json' + +- name: Copy new 'Configure Synapse Admin' survey.json to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_synapse_admin.json' + dest: '/matrix/awx/configure_synapse_admin.json' + mode: '0660' + +- name: Collect AWX admin token the hard way! + delegate_to: 127.0.0.1 + shell: | + curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' + register: tower_token + no_log: True + +- name: Recreate 'Configure Synapse Admin' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 1 - Configure Synapse Admin" + description: "Configure 'Synapse Admin', a moderation tool to help you manage your server." + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "start,setup-all" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + survey_enabled: true + survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_synapse_admin.json') }}" + become_enabled: yes + state: present + verbosity: 1 + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes + + diff --git a/roles/matrix-common-after/tasks/awx_post.yml b/roles/matrix-common-after/tasks/awx_post.yml new file mode 100644 index 00000000..6497acf7 --- /dev/null +++ b/roles/matrix-common-after/tasks/awx_post.yml @@ -0,0 +1,20 @@ +--- + +- name: Create user account + command: | + /usr/local/bin/matrix-synapse-register-user janitor {{ matrix_awx_janitor_user_password | quote }} 1 + register: cmd + when: not matrix_awx_janitor_user_created|bool + no_log: True + +- name: Update AWX janitor user created variable + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: 'AWX Settings' + with_dict: + 'matrix_awx_janitor_user_created': 'true' + when: not matrix_awx_janitor_user_created|bool + diff --git a/roles/matrix-common-after/tasks/main.yml b/roles/matrix-common-after/tasks/main.yml index d77d56a1..b4503ae1 100644 --- a/roles/matrix-common-after/tasks/main.yml +++ b/roles/matrix-common-after/tasks/main.yml @@ -1,3 +1,4 @@ + - import_tasks: "{{ role_path }}/tasks/start.yml" when: run_start|bool tags: @@ -11,7 +12,14 @@ - import_tasks: "{{ role_path }}/tasks/dump_runtime_results.yml" tags: - always + +- import_tasks: "{{ role_path }}/tasks/awx_post.yml" + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - always - import_tasks: "{{ role_path }}/tasks/run_docker_prune.yml" tags: - run-docker-prune + + diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 3178fece..c1538c75 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -9,6 +9,7 @@ matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image. matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy" matrix_nginx_proxy_data_path: "{{ matrix_nginx_proxy_base_path }}/data" +matrix_nginx_proxy_data_path_in_container: "/nginx-data" matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_base_path }}/conf.d" # List of systemd services that matrix-nginx-proxy.service depends on diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 old mode 100644 new mode 100755 index 38bc64a8..c4000fa9 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -33,7 +33,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \ -p {{ matrix_nginx_proxy_container_federation_host_bind_port }}:{{ matrix_nginx_proxy_proxy_matrix_federation_port }} \ {% endif %} --mount type=bind,src={{ matrix_nginx_proxy_base_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ - --mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst=/nginx-data,ro \ + --mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst={{ matrix_nginx_proxy_data_path_in_container }},ro \ --mount type=bind,src={{ matrix_nginx_proxy_confd_path }},dst=/etc/nginx/conf.d,ro \ {% if matrix_ssl_retrieval_method != 'none' %} --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst={{ matrix_ssl_config_dir_path }},ro \ diff --git a/setup.yml b/setup.yml index 0414b1cc..c87354be 100755 --- a/setup.yml +++ b/setup.yml @@ -7,6 +7,7 @@ - roles/matrix-synapse/vars/workers.yml roles: + - matrix-awx - matrix-base - matrix-dynamic-dns - matrix-mailer