Merge branch 'master' into pub.solar

This commit is contained in:
teutat3s 2021-01-19 16:19:52 +01:00
commit 07e8f04fa9
Signed by: teutat3s
GPG key ID: 18DAE600A6BBE705
109 changed files with 529 additions and 281 deletions

View file

@ -1,3 +1,25 @@
# 2021-01-17
## matrix-corporal goes 2.0
[matrix-corporal v2 has been released](https://github.com/devture/matrix-corporal/releases/tag/2.0.0) and the playbook also supports it now.
No manual intervention is required in the common case.
The new [matrix-corporal](https://github.com/devture/matrix-corporal) version is also the first one to support Interactive Authentication. If you wish to enable that (hint: you should), you'll need to set up the [REST auth password provider](docs/configuring-playbook-rest-auth.md). There's more information in [our matrix-corporal docs](docs/configuring-playbook-matrix-corporal.md).
# 2021-01-14
## Moving from cronjobs to systemd timers
We no longer use cronjobs for Let's Encrypt SSL renewal and `matrix-nginx-proxy`/`matrix-coturn` reloading. Instead, we've switched to systemd timers.
The largest benefit of this is that we no longer require you to install a cron daemon, thus simplifying our install procedure.
The playbook will migrate you from cronjobs to systemd timers automatically. This is just a heads up.
# 2021-01-08
## (Breaking Change) New SSL configuration
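Review bot: the 2021-01-17 entry promises "no manual intervention" in the common case, but this same merge renames `matrix_corporal_reconciliation_user_id_local_part` to `matrix_corporal_corporal_user_id_local_part` and adds a deprecation task that fails the run when the old name is still set; mention the rename here as an upgrade note so anyone who customized that variable knows why their next run stops.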

View file

@ -146,7 +146,7 @@ This playbook sets up your server using the following Docker images:
- [devture/matrix-corporal](https://hub.docker.com/r/devture/matrix-corporal/) - [Matrix Corporal](https://github.com/devture/matrix-corporal): reconciliator and gateway for a managed Matrix server (optional)
- [devture/zeratax-matrix-registration](https://hub.docker.com/r/devture/zeratax-matrix-registration/) - [matrix-registration](https://github.com/ZerataX/matrix-registration): a simple python application to have a token based matrix registration (optional)
- [zeratax/matrix-registration](https://hub.docker.com/r/devture/zeratax-matrix-registration/) - [matrix-registration](https://github.com/ZerataX/matrix-registration): a simple python application to have a token based matrix registration (optional)
- [nginx](https://hub.docker.com/_/nginx/) - the [nginx](http://nginx.org/) web server (optional)
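Review bot: the label changes to `zeratax/matrix-registration` but the Docker Hub link on that line still points at `https://hub.docker.com/r/devture/zeratax-matrix-registration/`, the repository of the image the playbook no longer defaults to; update the link target to match the new image name so readers verify the image that is actually pulled.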

View file

@ -12,7 +12,6 @@ matrix_mautrix_telegram_api_id: YOUR_TELEGRAM_APP_ID
matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH
```
## Set up Double Puppeting
If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-telegram/wiki/Authentication#replacing-telegram-accounts-matrix-puppet-with-matrix-account) (hint: you most likely do), you have 2 ways of going about it.

View file

@ -11,7 +11,9 @@ The playbook can install and configure [matrix-corporal](https://github.com/devt
In short, it's a sort of automation and firewalling service, which is helpful if you're instaling Matrix services in a controlled corporate environment.
See that project's documentation to learn what it does and why it might be useful to you.
If you decide that you'd like to let this playbook install it for you, you'd need to also [set up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md).
If you decide that you'd like to let this playbook install it for you, you'd need to also:
- (required) [set up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md)
- (optional, but encouraged) [set up the REST authentication password provider module](configuring-playbook-rest-auth.md)
## Playbook configuration
@ -24,6 +26,15 @@ You would then need some configuration like this:
matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: YOUR_SHARED_SECRET_GOES_HERE
# When matrix-corporal is acting as the primary authentication provider,
# you need to set up the REST authentication password provider module
# to make Interactive User Authentication work.
# This is necessary for certain user actions (like E2EE, device management, etc).
#
# See configuring-playbook-rest-auth.md
matrix_synapse_ext_password_provider_rest_auth_enabled: true
matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-corporal:41080/_matrix/corporal"
matrix_corporal_enabled: true
matrix_corporal_policy_provider_config: |
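Review bot: the REST auth example sends every user's password from Synapse to `http://matrix-corporal:41080/_matrix/corporal` over plain HTTP, which is only acceptable because `matrix-corporal` resolves on the private container network; say so next to the example, and warn that this endpoint must not be swapped for a host-bound or public address. Also note that the corporal side of this only works when `matrix_corporal_http_gateway_internal_rest_auth_enabled` is true, which the group_vars in this merge derive from `matrix_synapse_ext_password_provider_rest_auth_enabled`, since a reader following only this page cannot see that coupling.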
@ -40,9 +51,9 @@ matrix_corporal_policy_provider_config: |
matrix_corporal_http_api_enabled: true
matrix_corporal_http_api_auth_token: "AUTH_TOKEN_HERE"
# If you need to change the reconciliator user's id from the default (matrix-corporal)..
# If you need to change matrix-corporal's user id from the default (matrix-corporal).
# In any case, you need to make sure this Matrix user is created on your server.
matrix_corporal_reconciliation_user_id_local_part: "matrix-corporal"
matrix_corporal_corporal_user_id_local_part: "matrix-corporal"
# Because Corporal peridoically performs lots of user logins from the same IP,
# you may need raise Synapse's ratelimits.
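Review bot: the replacement comment for `matrix_corporal_corporal_user_id_local_part` is clearer than the old one, but the unchanged context lines right below still read `peridoically` and `you may need raise Synapse's ratelimits`; since this block is being touched anyway, fix them to `periodically` and `you may need to raise`.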

View file

@ -6,14 +6,16 @@
- **Ubuntu** (16.04+, although [20.04 may be problematic](ansible.md#supported-ansible-versions))
- **Archlinux**
This playbook doesn't support running on ARM (see [this issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/299)), however a minimal subset of the tools can be built on the host, which may result in a working configuration, even on a Raspberry pi (see [Alternative Architectures](alternative-architectures.md)). We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there.
We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there.
This playbook somewhat supports running on non-`amd64` architectures like ARM. See [Alternative Architectures](alternative-architectures.md).
If your distro runs within an [LXC container](https://linuxcontainers.org/), you may hit [this issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/703). It can be worked around, if absolutely necessary, but we suggest that you avoid running from within an LXC container.
- `root` access to your server (or a user capable of elevating to `root` via `sudo`).
- [Python](https://www.python.org/) being installed on the server. Most distributions install Python by default, but some don't (e.g. Ubuntu 18.04) and require manual installation (something like `apt-get install python3`). On some distros, Ansible may incorrectly [detect the Python version](https://docs.ansible.com/ansible/latest/reference_appendices/interpreter_discovery.html) (2 vs 3) and you may need to explicitly specify the interpreter path in `inventory/hosts` during installation (e.g. `ansible_python_interpreter=/usr/bin/python3`)
- A `cron`-like tool installed on the server such as `cron` or `anacron` to automatically schedule the Let's Encrypt SSL certificates's renewal. *This can be ignored if you use your own SSL certificates.*
- The [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you. Take a look at [our guide about Ansible](ansible.md) for more information, as well as [version requirements](ansible.md#supported-ansible-versions) and alternative ways to run Ansible.
- Either the `dig` tool or `python-dns` installed on your own computer. Used later on, by the playbook's [services check](maintenance-checking-services.md) feature.
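Review bot: dropping the `cron`-like tool bullet is consistent with the move to systemd timers, but nothing in the prerequisites now states that systemd itself is required, even though the uninstall doc and every unit template in this merge assume `/etc/systemd/system`; add a bullet naming systemd as a requirement so distributions or containers without it are ruled out explicitly.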

View file

@ -18,8 +18,10 @@ List of roles where self-building the Docker image is currently possible:
- `matrix-corporal`
- `matrix-ma1sd`
- `matrix-mailer`
- `matrix-bridge-appservice-slack`
- `matrix-bridge-mautrix-facebook`
- `matrix-bridge-mautrix-hangouts`
- `matrix-bridge-mautrix-telegram`
- `matrix-bridge-mx-puppet-skype`
Adding self-building support to other roles is welcome. Feel free to contribute!

View file

@ -23,15 +23,13 @@ If you prefer to uninstall manually, run these commands (most are meant to be ex
- ensure all Matrix services are stopped: `ansible-playbook -i inventory/hosts setup.yml --tags=stop` (if you can't get Ansible working to run this command, you can run `systemctl stop 'matrix*'` manually on the server)
- delete the Matrix-related systemd `.service` files (`rm -f /etc/systemd/system/matrix*.service`) and reload systemd (`systemctl daemon-reload`)
- delete all Matrix-related cronjobs (`rm -f /etc/cron.d/matrix*`)
- delete the Matrix-related systemd `.service` and `.timer` files (`rm -f /etc/systemd/system/matrix*.{service,timer}`) and reload systemd (`systemctl daemon-reload`)
- delete some helper scripts (`rm -f /usr/local/bin/matrix*`)
- delete some cached Docker images (`docker system prune -a`) or just delete them all (`docker rmi $(docker images -aq)`)
- delete the Docker network: `docker network rm matrix` (might have been deleted already if you ran the `docker system prune` command)
- delete the Docker networks: `docker network rm matrix matrix-coturn` (might have been deleted already if you ran the `docker system prune` command)
- uninstall Docker itself, if necessary
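Review bot: `rm -f /etc/systemd/system/matrix*.{service,timer}` relies on brace expansion, which a POSIX `sh` does not perform, so a user pasting it into a non-bash shell would only remove a literally named file; spell out both globs (`rm -f /etc/systemd/system/matrix*.service /etc/systemd/system/matrix*.timer`) or state that the commands are for bash. Also keep the `rm -f /etc/cron.d/matrix*` step, perhaps marked as legacy, because hosts installed before the systemd-timer switch that were never migrated by the playbook still carry those cronjobs.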

View file

@ -110,6 +110,8 @@ matrix_appservice_webhooks_systemd_required_services_list: |
# We don't enable bridges by default.
matrix_appservice_slack_enabled: false
matrix_appservice_slack_container_self_build: "{{ matrix_architecture != 'amd64' }}"
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-slack over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# matrix-appservice-slack's client-server port to the local host.
@ -305,6 +307,9 @@ matrix_mautrix_signal_database_password: "{{ matrix_synapse_macaroon_secret_key
# We don't enable bridges by default.
matrix_mautrix_telegram_enabled: false
# Images are multi-arch (amd64 and arm64, but not arm32).
matrix_mautrix_telegram_container_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
matrix_mautrix_telegram_systemd_required_services_list: |
{{
['docker.service']
@ -669,6 +674,9 @@ matrix_corporal_matrix_homeserver_api_endpoint: "http://matrix-synapse:8008"
matrix_corporal_matrix_auth_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
# This is only useful if there's REST auth provider to make use of it.
matrix_corporal_http_gateway_internal_rest_auth_enabled: "{{ matrix_synapse_ext_password_provider_rest_auth_enabled }}"
matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registration_shared_secret }}"
######################################################################

View file

@ -48,7 +48,16 @@ matrix_base_data_path_mode: "750"
matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files"
matrix_systemd_path: "/etc/systemd/system"
# Specifies the path to use for the `HOME` environment variable for systemd unit files.
# Docker 20.10 complains with `WARNING: Error loading config file: .dockercfg: $HOME is not defined`
# if `$HOME` is not defined, so we define something to make it happy.
matrix_systemd_unit_home_path: /root
# This is now unused. We keep it so that cleanup tasks can use it.
# To be removed in the future.
matrix_cron_path: "/etc/cron.d"
matrix_local_bin_path: "/usr/local/bin"
matrix_host_command_docker: "/usr/bin/env docker"
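Review bot: `matrix_systemd_unit_home_path: /root` makes every matrix unit's `docker` invocation read `/root/.docker/config.json`, so any registry credentials an administrator stored there with `docker login` now apply to all playbook-managed pulls; the comment only mentions silencing the Docker 20.10 warning, so either state that this credential sharing is intended or point the variable at an empty directory owned by root if it is not.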

View file

@ -20,8 +20,6 @@ else
rm -f {{ matrix_systemd_path }}/$s
done
systemctl daemon-reload
echo "Remove matrix cronjobs"
find /etc/cron.d/ -name "matrix-*" -delete
echo "Remove matrix scripts"
find {{ matrix_local_bin_path }}/ -name "matrix-*" -delete
echo "Remove unused Docker images and resources"
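Review bot: removing the `find /etc/cron.d/ -name "matrix-*" -delete` step leaves stale cronjobs behind on hosts that were installed before the systemd-timer switch and never ran the migrating playbook, and the defaults in this same merge explicitly keep `matrix_cron_path` "so that cleanup tasks can use it"; keep the cron removal here (it is a no-op on fresh installs) until that variable is retired as well.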

View file

@ -1,3 +1,3 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-matrix-reminder-bot'] }}"
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-matrix-reminder-bot.service'] }}"
when: matrix_bot_matrix_reminder_bot_enabled|bool
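Review bot: appending `.service` to the list entry is applied role by role across this merge, and the updated services check only considers entries that satisfy `item.endswith('.service')`; any role or out-of-tree extension that still appends a bare unit name will be silently dropped from the running check instead of being reported. An `assert` that every entry of `matrix_systemd_services_list` carries a unit suffix would catch that class of omission.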

View file

@ -12,6 +12,7 @@ DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-bot-matrix-reminder-bot
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-bot-matrix-reminder-bot

View file

@ -7,7 +7,7 @@
when: "matrix_appservice_discord_enabled and matrix_synapse_role_executed|default(False)"
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-discord'] }}"
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-discord.service'] }}"
when: matrix_appservice_discord_enabled|bool
# If the matrix-synapse role is not used, these variables may not exist.

View file

@ -12,6 +12,7 @@ DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-discord
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-discord

View file

@ -7,7 +7,7 @@
when: "matrix_appservice_irc_enabled|bool and matrix_synapse_role_executed|default(False)"
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-irc'] }}"
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-irc.service'] }}"
when: matrix_appservice_irc_enabled|bool
# If the matrix-synapse role is not used, these variables may not exist.

View file

@ -12,6 +12,7 @@ DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-irc
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-irc

View file

@ -3,6 +3,10 @@
matrix_appservice_slack_enabled: true
matrix_appservice_slack_container_self_build: false
matrix_appservice_slack_docker_repo: "https://github.com/matrix-org/matrix-appservice-slack.git"
matrix_appservice_slack_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-slack/docker-src"
matrix_appservice_slack_docker_image: "docker.io/matrixdotorg/matrix-appservice-slack:release-1.5.0"
matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}"

View file

@ -7,7 +7,7 @@
when: "matrix_synapse_role_executed|default(False)"
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-slack'] }}"
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-slack.service'] }}"
when: matrix_appservice_slack_enabled|bool
# If the matrix-synapse role is not used, these variables may not exist.

View file

@ -8,9 +8,11 @@
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_appservice_slack_base_path }}"
- "{{ matrix_appservice_slack_config_path }}"
- "{{ matrix_appservice_slack_data_path }}"
- { path: "{{ matrix_appservice_slack_base_path }}", when: true }
- { path: "{{ matrix_appservice_slack_config_path }}", when: true }
- { path: "{{ matrix_appservice_slack_data_path }}", when: true }
- { path: "{{ matrix_appservice_slack_docker_src_files_path }}", when: "{{ matrix_appservice_slack_container_self_build }}" }
when: item.when|bool
- set_fact:
matrix_appservice_slack_requires_restart: false
@ -35,6 +37,26 @@
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_appservice_slack_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_slack_docker_image_force_pull }}"
when: "not matrix_appservice_slack_container_self_build|bool"
- name: Ensure matrix-appservice-slack repository is present when self-building
git:
repo: "{{ matrix_appservice_slack_docker_repo }}"
dest: "{{ matrix_appservice_slack_docker_src_files_path }}"
force: "yes"
register: matrix_appservice_slack_git_pull_results
when: "matrix_appservice_slack_container_self_build|bool"
- name: Ensure matrix-appservice-slack Docker image is built
docker_image:
name: "{{ matrix_appservice_slack_docker_image }}"
source: build
force_source: yes
build:
dockerfile: Dockerfile
path: "{{ matrix_appservice_slack_docker_src_files_path }}"
pull: yes
when: "matrix_appservice_slack_container_self_build|bool and matrix_appservice_slack_git_pull_results.changed"
- name: Ensure Matrix Appservice Slack config installed
copy:
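Review bot: the `git` checkout in the self-build task has no `version:`, so self-building hosts build whatever the upstream default branch holds at run time, while the pulled image is pinned to `release-1.5.0` in the defaults; pin `version:` to the matching tag so both install paths ship the same code and a compromised or broken upstream branch cannot land on hosts unnoticed. Separately, the build is conditioned on `matrix_appservice_slack_git_pull_results.changed`, so an image removed by `docker system prune` (which the uninstall doc in this merge recommends) is not rebuilt until upstream moves; also build when the image is absent.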

View file

@ -12,6 +12,7 @@ DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-slack
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-slack

View file

@ -7,7 +7,7 @@
when: "matrix_synapse_role_executed|default(False)"
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-webhooks'] }}"
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-webhooks.service'] }}"
when: matrix_appservice_webhooks_enabled|bool
# If the matrix-synapse role is not used, these variables may not exist.

View file

@ -12,6 +12,7 @@ DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-webhooks
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-webhooks

View file

@ -1,5 +1,5 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-facebook'] }}"
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-facebook.service'] }}"
when: matrix_mautrix_facebook_enabled|bool
# If the matrix-synapse role is not used, these variables may not exist.

View file

@ -12,6 +12,7 @@ DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-facebook
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-facebook
ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-facebook-db \

View file

@ -1,5 +1,5 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-hangouts'] }}"
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-hangouts.service'] }}"
when: matrix_mautrix_hangouts_enabled|bool
# If the matrix-synapse role is not used, these variables may not exist.

View file

@ -12,6 +12,7 @@ DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-hangouts matrix-mautrix-hangouts-db
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-hangouts matrix-mautrix-hangouts-db
ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-hangouts-db \

View file

@ -1,5 +1,5 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-signal', 'matrix-mautrix-signal-daemon'] }}"
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-signal.service', 'matrix-mautrix-signal-daemon.service'] }}"
when: matrix_mautrix_signal_enabled|bool
# If the matrix-synapse role is not used, these variables may not exist.

View file

@ -13,6 +13,7 @@ Wants={{ service }}
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-signal-daemon
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-signal-daemon

View file

@ -13,6 +13,7 @@ Wants={{ service }}
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-signal
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-signal

View file

@ -3,6 +3,10 @@
matrix_mautrix_telegram_enabled: true
matrix_mautrix_telegram_container_self_build: false
matrix_mautrix_telegram_docker_repo: "https://mau.dev/tulir/mautrix-telegram.git"
matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src"
# See: https://mau.dev/tulir/mautrix-telegram/container_registry
matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.9.0"
matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}"

View file

@ -1,5 +1,5 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-telegram'] }}"
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-telegram.service'] }}"
when: matrix_mautrix_telegram_enabled|bool
# If the matrix-synapse role is not used, these variables may not exist.

View file

@ -34,24 +34,46 @@
when: "matrix_mautrix_telegram_sqlite_database_path_local_stat_result.stat.exists|bool"
when: "matrix_mautrix_telegram_database_engine == 'postgres'"
- name: Ensure Mautrix Telegram paths exist
file:
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_mautrix_telegram_base_path }}", when: true }
- { path: "{{ matrix_mautrix_telegram_config_path }}", when: true }
- { path: "{{ matrix_mautrix_telegram_data_path }}", when: true }
- { path: "{{ matrix_mautrix_telegram_docker_src_files_path }}", when: "{{ matrix_mautrix_telegram_container_self_build }}" }
when: item.when|bool
- name: Ensure Mautrix Telegram image is pulled
docker_image:
name: "{{ matrix_mautrix_telegram_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_mautrix_telegram_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_telegram_docker_image_force_pull }}"
when: "not matrix_mautrix_telegram_container_self_build|bool"
- name: Ensure Mautrix Telegram paths exist
file:
path: "{{ item }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_mautrix_telegram_base_path }}"
- "{{ matrix_mautrix_telegram_config_path }}"
- "{{ matrix_mautrix_telegram_data_path }}"
- name: Ensure matrix-mautrix-telegram repository is present when self-building
git:
repo: "{{ matrix_mautrix_telegram_docker_repo }}"
dest: "{{ matrix_mautrix_telegram_docker_src_files_path }}"
force: "yes"
register: matrix_mautrix_telegram_git_pull_results
when: "matrix_mautrix_telegram_container_self_build|bool"
- name: Ensure matrix-mautrix-telegram Docker image is build
docker_image:
name: "{{ matrix_mautrix_telegram_docker_image }}"
source: build
force_source: yes
build:
dockerfile: Dockerfile
path: "{{ matrix_mautrix_telegram_docker_src_files_path }}"
pull: yes
when: "matrix_mautrix_telegram_container_self_build|bool and matrix_mautrix_telegram_git_pull_results.changed"
- name: Check if an old database file already exists
stat:
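Review bot: the task name "Ensure matrix-mautrix-telegram Docker image is build" should read "is built". More importantly, the `git` task clones `https://mau.dev/tulir/mautrix-telegram.git` without a `version:`, so self-built hosts track the upstream default branch while the pulled image is pinned to `v0.9.0`; pin the checkout to the same tag. The build condition `matrix_mautrix_telegram_git_pull_results.changed` also means a missing image is not rebuilt while the checkout is unchanged; include an image-absent check in the condition.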

View file

@ -12,6 +12,7 @@ DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-telegram
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-telegram
ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-telegram-db \

View file

@ -1,5 +1,5 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-whatsapp'] }}"
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-whatsapp.service'] }}"
when: matrix_mautrix_whatsapp_enabled|bool
# If the matrix-synapse role is not used, these variables may not exist.

View file

@ -26,6 +26,7 @@
engine_variable_name: 'matrix_mautrix_whatsapp_database_engine'
engine_old: 'sqlite'
systemd_services_to_stop: ['matrix-mautrix-whatsapp.service']
pgloader_options: ['--with "quote identifiers"']
- import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml"

View file

@ -12,6 +12,7 @@ DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-whatsapp
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-whatsapp

View file

@ -1,5 +1,5 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-discord'] }}"
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-discord.service'] }}"
when: matrix_mx_puppet_discord_enabled|bool
# If the matrix-synapse role is not used, these variables may not exist.

View file

@ -12,6 +12,7 @@ DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-discord
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-discord

View file

@ -1,5 +1,5 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-instagram'] }}"
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-instagram.service'] }}"
when: matrix_mx_puppet_instagram_enabled|bool
# If the matrix-synapse role is not used, these variables may not exist.

View file

@ -12,6 +12,7 @@ DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-instagram
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-instagram

View file

@ -1,5 +1,5 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-skype'] }}"
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-skype.service'] }}"
when: matrix_mx_puppet_skype_enabled|bool
# If the matrix-synapse role is not used, these variables may not exist.

View file

@ -12,6 +12,7 @@ DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-skype
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-skype

View file

@ -1,5 +1,5 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-slack'] }}"
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-slack.service'] }}"
when: matrix_mx_puppet_slack_enabled|bool
# If the matrix-synapse role is not used, these variables may not exist.

View file

@ -12,6 +12,7 @@ DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-slack
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-slack

View file

@ -1,5 +1,5 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-steam'] }}"
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-steam.service'] }}"
when: matrix_mx_puppet_steam_enabled|bool
# If the matrix-synapse role is not used, these variables may not exist.

View file

@ -12,6 +12,7 @@ DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-steam
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-steam

View file

@ -1,5 +1,5 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-twitter'] }}"
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-twitter.service'] }}"
when: matrix_mx_puppet_twitter_enabled|bool
# If the matrix-synapse role is not used, these variables may not exist.

View file

@ -12,6 +12,7 @@ DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-twitter
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-twitter

View file

@ -7,7 +7,7 @@
when: "matrix_sms_bridge_enabled and matrix_synapse_role_executed|default(False)"
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-sms-bridge'] }}"
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-sms-bridge.service'] }}"
when: matrix_sms_bridge_enabled|bool
# If the matrix-synapse role is not used, these variables may not exist.

View file

@ -12,6 +12,7 @@ DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-/usr/bin/docker kill matrix-sms-bridge
ExecStartPre=-/usr/bin/docker rm matrix-sms-bridge
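Review bot: this unit still hardcodes `/usr/bin/docker` in its `ExecStartPre` lines while every other unit template touched in this merge uses `{{ matrix_host_command_docker }}`; switch it to the variable so hosts where the Docker binary lives elsewhere (the default is `/usr/bin/env docker`) do not fail only for matrix-sms-bridge.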

View file

@ -1,5 +1,5 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-element'] }}"
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-element.service'] }}"
when: matrix_client_element_enabled|bool
# ansible lower than 2.8, does not support docker_image build parameters

View file

@ -9,6 +9,7 @@ DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-client-element
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-client-element

View file

@ -1,6 +1,6 @@
---
- name: Deterimne whether we should make services autostart
- name: Determine whether we should make services autostart
set_fact:
matrix_services_autostart_enabled_bool: "{{ true if matrix_services_autostart_enabled|default('') == '' else matrix_services_autostart_enabled|bool }}"
@ -46,7 +46,7 @@
Try running `systemctl status {{ item }}` and `journalctl -fu {{ item }}` on the server to investigate.
with_items: "{{ matrix_systemd_services_list }}"
when:
- "ansible_facts.services[item + '.service']|default(none) is none or ansible_facts.services[item + '.service'].state != 'running'"
- "item.endswith('.service') and (ansible_facts.services[item]|default(none) is none or ansible_facts.services[item].state != 'running')"
when: " ansible_distribution != 'Archlinux'"
- block:
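Review bot: the new condition `item.endswith('.service') and (...)` silently skips any list entry that does not end in `.service`, so `.timer` units and mis-suffixed entries are never checked for being active and a failed timer will not surface here; either check timers separately (`ansible_facts.services` only lists services, so `systemctl is-active` would be needed) or fail on entries with neither suffix so the omission is visible rather than quiet.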

View file

@ -24,7 +24,7 @@ matrix_corporal_systemd_required_services_list: ['docker.service']
matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}"
matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else 'docker.io/' }}"
matrix_corporal_docker_image_tag: "1.11.0"
matrix_corporal_docker_image_tag: "2.1.0"
matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}"
matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal"
@ -50,10 +50,16 @@ matrix_corporal_matrix_registration_shared_secret: ""
matrix_corporal_matrix_timeout_milliseconds: 45000
matrix_corporal_reconciliation_retry_interval_milliseconds: 30000
matrix_corporal_reconciliation_user_id_local_part: "matrix-corporal"
matrix_corporal_corporal_user_id_local_part: "matrix-corporal"
matrix_corporal_http_gateway_timeout_milliseconds: 60000
# If enabled, matrix-corporal exposes a `POST /_matrix/corporal/_matrix-internal/identity/v1/check_credentials` API
# on the gateway (Client-Server API) server.
# This API can then be used together with the REST Auth password provider by pointing it to matrix-corporal (e.g. `http://matrix-corporal:41080/_matrix/corporal`).
# Doing so allows Interactive Authentication to work.
matrix_corporal_http_gateway_internal_rest_auth_enabled: false
matrix_corporal_http_api_enabled: false
matrix_corporal_http_api_auth_token: ""
matrix_corporal_http_api_timeout_milliseconds: 15000
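Review bot: the comment above `matrix_corporal_http_gateway_internal_rest_auth_enabled` should say how the `check_credentials` endpoint is protected once it is exposed: it accepts credentials and is served by the same gateway listener the Client-Server API uses (`0.0.0.0:41080` in the config template), and the comment only shows the container-network URL `http://matrix-corporal:41080/_matrix/corporal`. Either document that the gateway port must not be host-published when this is on, or note which authentication matrix-corporal applies to that path, so operators do not enable it with the gateway reachable from outside.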

View file

@ -1,3 +1,3 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal'] }}"
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal.service'] }}"
when: matrix_corporal_enabled|bool

View file

@ -16,7 +16,6 @@
msg: "The Matrix Corporal HTTP API is enabled (`matrix_corporal_http_api_enabled`), but no auth token has been set in `matrix_corporal_http_api_auth_token`"
when: "matrix_corporal_http_api_enabled|bool and matrix_corporal_http_api_auth_token == ''"
- name: (Deprecation) Catch and report renamed corporal variables
fail:
msg: >-
@ -25,3 +24,4 @@
when: "item.old in vars"
with_items:
- {'old': 'matrix_corporal_container_expose_ports', 'new': '<superseded by matrix_corporal_container_http_gateway_host_bind_port and matrix_corporal_container_http_api_host_bind_port>'}
- {'old': 'matrix_corporal_reconciliation_user_id_local_part', 'new': 'matrix_corporal_corporal_user_id_local_part'}

View file

@ -7,14 +7,20 @@
"TimeoutMilliseconds": {{ matrix_corporal_matrix_timeout_milliseconds }}
},
"Corporal": {
"UserID": "@{{ matrix_corporal_corporal_user_id_local_part }}:{{ matrix_domain }}"
},
"Reconciliation": {
"UserId": "@{{ matrix_corporal_reconciliation_user_id_local_part }}:{{ matrix_domain }}",
"RetryIntervalMilliseconds": {{ matrix_corporal_reconciliation_retry_interval_milliseconds }}
},
"HttpGateway": {
"ListenAddress": "0.0.0.0:41080",
"TimeoutMilliseconds": {{ matrix_corporal_http_gateway_timeout_milliseconds }}
"TimeoutMilliseconds": {{ matrix_corporal_http_gateway_timeout_milliseconds }},
"InternalRESTAuth": {
"Enabled": {{ matrix_corporal_http_gateway_internal_rest_auth_enabled|to_json }}
}
},
"HttpApi": {

View file

@ -9,6 +9,7 @@ DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-corporal
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-corporal

View file

@ -3,7 +3,7 @@ matrix_coturn_enabled: true
matrix_coturn_container_image_self_build: false
matrix_coturn_container_image_self_build_repo: "https://github.com/instrumentisto/coturn-docker-image.git"
matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:4.5.1.3"
matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:4.5.2"
matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else 'docker.io/' }}"
matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"
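Review bot: the self-build path checks out `matrix_coturn_docker_image.split(':')[1]` as the git ref (see the `git` task in the new `setup_install.yml`), so bumping the image tag to `4.5.2` here also requires that a `4.5.2` tag exists in `matrix_coturn_container_image_self_build_repo`; if the upstream repository tags differently, self-builders will fail at the `git` task with an unhelpful "ref not found". A comment here pointing out that the tag doubles as the self-build ref would make future bumps safer.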

View file

@ -1,7 +1,11 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn'] }}"
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn.service'] }}"
when: matrix_coturn_enabled|bool
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn-reload.timer'] }}"
when: "matrix_coturn_enabled|bool and matrix_coturn_tls_enabled|bool"
# ansible lower than 2.8, does not support docker_image build parameters
# for self buildig it is explicitly needed, so we rather fail here
- name: Fail if running on Ansible lower than 2.8 and trying self building

View file

@ -8,8 +8,14 @@
- setup-all
- setup-coturn
- import_tasks: "{{ role_path }}/tasks/setup_coturn.yml"
when: run_setup|bool
- import_tasks: "{{ role_path }}/tasks/setup_install.yml"
when: "run_setup|bool and matrix_coturn_enabled|bool"
tags:
- setup-all
- setup-coturn
- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
when: "run_setup|bool and not matrix_coturn_enabled|bool"
tags:
- setup-all
- setup-coturn

View file

@ -1,137 +0,0 @@
---
#
# Tasks related to setting up Coturn
#
- name: Ensure Matrix Coturn path exists
file:
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_coturn_docker_src_files_path }}", when: "{{ matrix_coturn_container_image_self_build }}"}
when: matrix_coturn_enabled|bool and item.when
- name: Ensure Coturn image is pulled
docker_image:
name: "{{ matrix_coturn_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_coturn_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_coturn_docker_image_force_pull }}"
when: matrix_coturn_enabled|bool and not matrix_coturn_container_image_self_build
- name: Ensure Coturn repository is present on self-build
git:
repo: "{{ matrix_coturn_container_image_self_build_repo }}"
dest: "{{ matrix_coturn_docker_src_files_path }}"
version: "{{ matrix_coturn_docker_image.split(':')[1] }}"
force: "yes"
register: matrix_coturn_git_pull_results
when: "matrix_coturn_enabled|bool and matrix_coturn_container_image_self_build"
- name: Ensure Coturn Docker image is built
docker_image:
name: "{{ matrix_coturn_docker_image }}"
source: build
force_source: "{{ matrix_coturn_git_pull_results.changed }}"
build:
dockerfile: Dockerfile
path: "{{ matrix_coturn_docker_src_files_path }}"
pull: yes
when: "matrix_coturn_enabled|bool and matrix_coturn_container_image_self_build|bool"
- name: Ensure Coturn configuration path exists
file:
path: "{{ matrix_coturn_base_path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: matrix_coturn_enabled|bool
- name: Ensure turnserver.conf installed
template:
src: "{{ role_path }}/templates/turnserver.conf.j2"
dest: "{{ matrix_coturn_config_path }}"
mode: 0644
when: matrix_coturn_enabled|bool
- name: Ensure Coturn network is created in Docker
docker_network:
name: "{{ matrix_coturn_docker_network }}"
driver: bridge
when: matrix_coturn_enabled|bool
- name: Ensure matrix-coturn.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-coturn.service.j2"
dest: "{{ matrix_systemd_path }}/matrix-coturn.service"
mode: 0644
register: matrix_coturn_systemd_service_result
when: matrix_coturn_enabled|bool
- name: Ensure systemd reloaded after matrix-coturn.service installation
service:
daemon_reload: yes
when: "matrix_coturn_enabled|bool and matrix_coturn_systemd_service_result.changed"
# This may be unnecessary when more long-lived certificates are used.
# We optimize for the common use-case though (short-lived Let's Encrypt certificates).
# Reloading doesn't hurt anyway, so there's no need to make this more flexible.
- name: Ensure periodic reloading of matrix-coturn is configured for SSL renewal (matrix-coturn-reload)
template:
src: "{{ role_path }}/templates/cron.d/matrix-coturn-ssl-reload.j2"
dest: /etc/cron.d/matrix-coturn-ssl-reload
mode: 0644
when: "matrix_coturn_enabled|bool and matrix_coturn_tls_enabled|bool"
#
# Tasks related to getting rid of Coturn (if it was previously enabled)
#
- name: Ensure matrix-coturn-ssl-reload cronjob removed
file:
path: /etc/cron.d/matrix-coturn-ssl-reload
state: absent
when: "not matrix_coturn_enabled|bool or not matrix_coturn_tls_enabled|bool"
- name: Check existence of matrix-coturn service
stat:
path: "{{ matrix_systemd_path }}/matrix-coturn.service"
register: matrix_coturn_service_stat
when: "not matrix_coturn_enabled|bool"
- name: Ensure matrix-coturn is stopped
service:
name: matrix-coturn
state: stopped
daemon_reload: yes
register: stopping_result
when: "not matrix_coturn_enabled|bool and matrix_coturn_service_stat.stat.exists"
- name: Ensure matrix-coturn.service doesn't exist
file:
path: "{{ matrix_systemd_path }}/matrix-coturn.service"
state: absent
when: "not matrix_coturn_enabled|bool and matrix_coturn_service_stat.stat.exists"
- name: Ensure systemd reloaded after matrix-coturn.service removal
service:
daemon_reload: yes
when: "not matrix_coturn_enabled|bool and matrix_coturn_service_stat.stat.exists"
- name: Ensure Matrix coturn paths don't exist
file:
path: "{{ matrix_coturn_base_path }}"
state: absent
when: "not matrix_coturn_enabled|bool"
- name: Ensure coturn Docker image doesn't exist
docker_image:
name: "{{ matrix_coturn_docker_image }}"
state: absent
when: "not matrix_coturn_enabled|bool"

View file

@ -0,0 +1,104 @@
---
# This is a cleanup/migration task. It can be removed some time in the future.
- name: (Migration) Remove deprecated cronjob
file:
path: "{{ matrix_cron_path }}/matrix-coturn-ssl-reload"
state: absent
- name: Ensure Matrix Coturn path exists
file:
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_coturn_docker_src_files_path }}", when: "{{ matrix_coturn_container_image_self_build }}"}
when: "item.when|bool"
- name: Ensure Coturn image is pulled
docker_image:
name: "{{ matrix_coturn_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_coturn_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_coturn_docker_image_force_pull }}"
when: "not matrix_coturn_container_image_self_build|bool"
- block:
- name: Ensure Coturn repository is present on self-build
git:
repo: "{{ matrix_coturn_container_image_self_build_repo }}"
dest: "{{ matrix_coturn_docker_src_files_path }}"
version: "{{ matrix_coturn_docker_image.split(':')[1] }}"
force: "yes"
register: matrix_coturn_git_pull_results
- name: Ensure Coturn Docker image is built
docker_image:
name: "{{ matrix_coturn_docker_image }}"
source: build
force_source: "{{ matrix_coturn_git_pull_results.changed }}"
build:
dockerfile: Dockerfile
path: "{{ matrix_coturn_docker_src_files_path }}"
pull: yes
when: "matrix_coturn_container_image_self_build|bool"
- name: Ensure Coturn configuration path exists
file:
path: "{{ matrix_coturn_base_path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure turnserver.conf installed
template:
src: "{{ role_path }}/templates/turnserver.conf.j2"
dest: "{{ matrix_coturn_config_path }}"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure Coturn network is created in Docker
docker_network:
name: "{{ matrix_coturn_docker_network }}"
driver: bridge
- name: Ensure matrix-coturn.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-coturn.service.j2"
dest: "{{ matrix_systemd_path }}/matrix-coturn.service"
mode: 0644
register: matrix_coturn_systemd_service_change_results
# This may be unnecessary when more long-lived certificates are used.
# We optimize for the common use-case though (short-lived Let's Encrypt certificates).
# Reloading doesn't hurt anyway, so there's no need to make this more flexible.
- name: Ensure reloading systemd units installed, if necessary
template:
src: "{{ role_path }}/templates/systemd/{{ item }}.j2"
dest: "{{ matrix_systemd_path }}/{{ item }}"
mode: 0644
register: "matrix_coturn_systemd_service_change_results"
when: "matrix_coturn_tls_enabled|bool"
with_items:
- matrix-coturn-reload.service
- matrix-coturn-reload.timer
# A similar task exists in `setup_uninstall.yml`
- name: Ensure reloading systemd units uninstalled, if unnecessary
file:
path: "{{ item }}"
state: absent
register: "matrix_coturn_systemd_service_change_results"
when: "not matrix_coturn_tls_enabled|bool"
with_items:
- matrix-coturn-reload.service
- matrix-coturn-reload.timer
- name: Ensure systemd reloaded if systemd units changed
service:
daemon_reload: yes
when: "matrix_coturn_systemd_service_change_results.changed"

View file

@ -0,0 +1,47 @@
---
- name: Check existence of matrix-coturn service
stat:
path: "{{ matrix_systemd_path }}/matrix-coturn.service"
register: matrix_coturn_service_stat
when: "not matrix_coturn_enabled|bool"
- name: Ensure matrix-coturn is stopped
service:
name: matrix-coturn
state: stopped
daemon_reload: yes
when: "matrix_coturn_service_stat.stat.exists|bool"
- name: Ensure matrix-coturn-reload.timer is stopped
service:
name: matrix-coturn
state: stopped
daemon_reload: yes
failed_when: false
when: "matrix_coturn_service_stat.stat.exists|bool"
- name: Ensure systemd units don't exist
file:
path: "{{ matrix_systemd_path }}/{{ item }}"
state: absent
register: matrix_coturn_systemd_unit_uninstallation_result
with_items:
- matrix-coturn.service
- matrix-coturn-reload.service
- matrix-coturn-reload.timer
- name: Ensure systemd reloaded after unit removal
service:
daemon_reload: yes
when: "matrix_coturn_systemd_unit_uninstallation_result.changed|bool"
- name: Ensure Matrix coturn paths don't exist
file:
path: "{{ matrix_coturn_base_path }}"
state: absent
- name: Ensure coturn Docker image doesn't exist
docker_image:
name: "{{ matrix_coturn_docker_image }}"
state: absent
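Review bot: `Ensure matrix-coturn-reload.timer is stopped` still has `name: matrix-coturn`, so it stops the service a second time and never touches the timer, and `failed_when: false` keeps the mistake silent; it should be `name: matrix-coturn-reload.timer`. Also, the `when: "not matrix_coturn_enabled|bool"` on the `stat` task is redundant here (this file is only imported when coturn is disabled), and if that condition ever skipped the task the following `matrix_coturn_service_stat.stat.exists` lookups would fail on an undefined `stat`.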

View file

@ -1 +0,0 @@
20 4 */5 * * root {{ matrix_host_command_systemctl }} reload matrix-coturn.service

View file

@ -0,0 +1,6 @@
[Unit]
Description=Reloads matrix-coturn so that new SSL certificates can kick in
[Service]
Type=oneshot
ExecStart={{ matrix_host_command_systemctl }} reload matrix-coturn.service

View file

@ -0,0 +1,10 @@
[Unit]
Description=Reloads matrix-coturn periodically so that new SSL certificates can kick in
[Timer]
Unit=matrix-coturn-reload.service
OnCalendar=Sunday *-*-* 13:00:00
RandomizedDelaySec=3h
[Install]
WantedBy=timers.target

View file

@ -9,6 +9,7 @@ DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-coturn
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-coturn

View file

@ -1,3 +1,3 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dimension'] }}"
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dimension.service'] }}"
when: matrix_dimension_enabled|bool

View file

@ -12,6 +12,7 @@ DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dimension
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dimension

View file

@ -1,3 +1,3 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dynamic-dns'] }}"
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dynamic-dns.service'] }}"
when: "matrix_dynamic_dns_enabled|bool"

View file

@ -12,6 +12,7 @@ DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dynamic-dns
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dynamic-dns
ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dynamic-dns \

View file

@ -1,3 +1,3 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-email2matrix'] }}"
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-email2matrix.service'] }}"
when: matrix_email2matrix_enabled|bool

View file

@ -7,6 +7,7 @@ DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-email2matrix
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-email2matrix

View file

@ -1,3 +1,3 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-jitsi-web', 'matrix-jitsi-prosody', 'matrix-jitsi-jicofo', 'matrix-jitsi-jvb'] }}"
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-jitsi-web.service', 'matrix-jitsi-prosody.service', 'matrix-jitsi-jicofo.service', 'matrix-jitsi-jvb.service'] }}"
when: matrix_jitsi_enabled|bool

View file

@ -9,6 +9,7 @@ DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo

View file

@ -9,6 +9,7 @@ DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-jvb
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-jvb

View file

@ -9,6 +9,7 @@ DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-prosody
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-prosody

View file

@ -9,6 +9,7 @@ DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-web
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-web

View file

@ -5,10 +5,13 @@ matrix_ma1sd_enabled: true
matrix_ma1sd_container_image_self_build: false
matrix_ma1sd_container_image_self_build_repo: "https://github.com/ma1uta/ma1sd.git"
matrix_ma1sd_container_image_self_build_branch: "{{ matrix_ma1sd_version }}"
matrix_ma1sd_architecture: "amd64"
matrix_ma1sd_docker_image: "{{ matrix_ma1sd_docker_image_name_prefix }}ma1uta/ma1sd:2.4.0-{{ matrix_ma1sd_architecture }}"
matrix_ma1sd_version: "2.4.0"
matrix_ma1sd_docker_image: "{{ matrix_ma1sd_docker_image_name_prefix }}ma1uta/ma1sd:{{ matrix_ma1sd_version }}-{{ matrix_ma1sd_architecture }}"
matrix_ma1sd_docker_image_name_prefix: "{{ 'localhost/' if matrix_ma1sd_container_image_self_build else 'docker.io/' }}"
matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}"

View file

@ -1,5 +1,5 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ma1sd'] }}"
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ma1sd.service'] }}"
when: matrix_ma1sd_enabled|bool
# ansible lower than 2.8, does not support docker_image build parameters

View file

@ -79,21 +79,24 @@
git:
repo: "{{ matrix_ma1sd_container_image_self_build_repo }}"
dest: "{{ matrix_ma1sd_docker_src_files_path }}"
version: "{{ matrix_ma1sd_docker_image.split(':')[1].split('-')[0] }}"
version: "{{ matrix_ma1sd_container_image_self_build_branch }}"
force: "yes"
register: matrix_ma1sd_git_pull_results
- name: Ensure ma1sd Docker image is built
shell: "./gradlew dockerBuild"
shell: "DOCKER_BUILDKIT=1 ./gradlew dockerBuild"
args:
chdir: "{{ matrix_ma1sd_docker_src_files_path }}"
- name: Ensure ma1sd Docker image is tagged correctly
docker_image:
# The build script always tags the image with something like `ma1uta/ma1sd:2.4.0`.
# Remove the `-{{ matrix_ma1sd_architecture }}` suffix and our `localhost/` prefix (applied when self-building)
# to get to what has actually been built, so we can retag it as `{{ matrix_ma1sd_docker_image }}`.
name: "{{ matrix_ma1sd_docker_image.split('-')[0].replace('localhost/', '') }}"
# The build script always tags the image with 2 tags:
# - based on the branch/version: e.g. `ma1uta/ma1sd:2.4.0` (when on `2.4.0`)
# or `ma1uta/ma1sd:2.4.0-19-ga71d32b` (when on a given commit for a pre-release)
# - generic one: `ma1uta/ma1sd:latest-dev`
#
# It's hard to predict the first one, so we'll use the latter.
name: "ma1uta/ma1sd:latest-dev"
repository: "{{ matrix_ma1sd_docker_image }}"
force_tag: yes
source: local
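Review bot: retagging from the floating `ma1uta/ma1sd:latest-dev` tag relies on the `gradlew dockerBuild` task immediately before it having just produced that tag; the build task currently runs (and reports changed) on every playbook run, which is what keeps this correct. If someone later conditions the build on `matrix_ma1sd_git_pull_results.changed`, a stale `latest-dev` from an earlier checkout would be tagged as `{{ matrix_ma1sd_docker_image }}`. A comment stating that the build must stay unconditional, or a check that the image to be retagged is newer than the git pull, would lock that in.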

View file

@ -12,6 +12,7 @@ DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-ma1sd
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-ma1sd

View file

@ -7,7 +7,7 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev
matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src"
matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}"
matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:4.93.1-r0"
matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:4.93-r1"
matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else 'docker.io/' }}"
matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}"
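Review bot: `devture/exim-relay:4.93-r1` reads as a lower Exim version than the `4.93.1-r0` it replaces; if this is a deliberate switch to a different tagging scheme, a short changelog note would keep it from being read as a downgrade. Since `matrix_mailer_container_image_self_build_version` is derived from this tag, the self-build repository also needs a matching `4.93-r1` ref.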
@ -19,6 +19,8 @@ matrix_mailer_container_user_gid: 101
# A list of extra arguments to pass to the container
matrix_mailer_container_extra_arguments: []
matrix_mailer_hostname: "{{ matrix_server_fqn_matrix }}"
matrix_mailer_sender_address: "matrix@{{ matrix_domain }}"
matrix_mailer_relay_use: false
matrix_mailer_relay_host_name: "mail.example.com"

View file

@ -1,3 +1,3 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mailer'] }}"
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mailer.service'] }}"
when: matrix_mailer_enabled|bool

View file

@ -6,3 +6,4 @@ SMARTHOST={{ matrix_mailer_relay_host_name }}::{{ matrix_mailer_relay_host_port
SMTP_USERNAME={{ matrix_mailer_relay_auth_username }}
SMTP_PASSWORD={{ matrix_mailer_relay_auth_password }}
{% endif %}
HOSTNAME={{ matrix_mailer_hostname }}

View file

@ -7,9 +7,12 @@ DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mailer
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mailer
# --hostname gives us a friendlier hostname than the default.
# The real hostname is passed via a `HOSTNAME` environment variable though.
ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mailer \
--log-driver=none \
--user={{ matrix_mailer_container_user_uid }}:{{ matrix_mailer_container_user_gid }} \

View file

@ -215,10 +215,6 @@ matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to the base domain server configuration.
matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []
# Specifies when to reload the matrix-nginx-proxy service so that
# a new SSL certificate could go into effect.
matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
# Specifies the SSL configuration that should be used for the SSL protocols and ciphers
# This is based on the Mozilla Server Side TLS Recommended configurations.
#

View file

@ -1,3 +1,8 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-nginx-proxy'] }}"
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-nginx-proxy.service'] }}"
when: matrix_nginx_proxy_enabled|bool
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + [item.name] }}"
when: "item.applicable|bool and item.enableable|bool"
with_items: "{{ matrix_ssl_renewal_systemd_units_list }}"

View file

@ -10,71 +10,56 @@
- "{{ matrix_local_bin_path }}/matrix-ssl-certificates-renew"
- "{{ matrix_cron_path }}/matrix-ssl-certificate-renewal"
- "{{ matrix_cron_path }}/matrix-nginx-proxy-periodic-restarter"
- "/etc/cron.d/matrix-ssl-lets-encrypt"
- "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
#
# Tasks related to setting up Let's Encrypt's management of certificates
#
- name: (Deprecation) Catch and report renamed settings
fail:
msg: >-
Your configuration contains a variable, which now has a different name.
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
with_items:
- {'old': 'host_specific_matrix_ssl_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'}
- {'old': 'host_specific_matrix_ssl_lets_encrypt_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'}
when: "matrix_ssl_retrieval_method == 'lets-encrypt' and item.old in vars"
- block:
- name: Ensure certbot Docker image is pulled
docker_image:
name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_ssl_lets_encrypt_certbot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ssl_lets_encrypt_certbot_docker_image_force_pull }}"
- name: Fail if required variables are undefined
fail:
msg: "Detected an undefined required variable"
with_items:
- "matrix_ssl_lets_encrypt_support_email"
when: "matrix_ssl_retrieval_method == 'lets-encrypt' and vars[item] is none"
- name: Obtain Let's Encrypt certificates
include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml"
with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}"
loop_control:
loop_var: domain_name
- name: Ensure certbot Docker image is pulled
docker_image:
name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_ssl_lets_encrypt_certbot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ssl_lets_encrypt_certbot_docker_image_force_pull }}"
- name: Ensure Let's Encrypt SSL renewal script installed
template:
src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2"
dest: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
mode: 0750
- name: Ensure SSL renewal systemd units installed
template:
src: "{{ role_path }}/templates/systemd/{{ item.name }}.j2"
dest: "{{ matrix_systemd_path }}/{{ item.name }}"
mode: 0644
when: "item.applicable|bool"
with_items: "{{ matrix_ssl_renewal_systemd_units_list }}"
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
- name: Obtain Let's Encrypt certificates
include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml"
with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}"
loop_control:
loop_var: domain_name
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
- name: Ensure Let's Encrypt SSL renewal script installed
template:
src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2"
dest: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
mode: 0750
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
- name: Ensure periodic SSL renewal cronjob configured
template:
src: "{{ role_path }}/templates/cron.d/matrix-ssl-lets-encrypt.j2"
dest: /etc/cron.d/matrix-ssl-lets-encrypt
mode: 0644
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
#
# Tasks related to getting rid of Let's Encrypt's management of certificates
#
- name: Ensure matrix-ssl-lets-encrypt-renew cronjob removed
file:
path: /etc/cron.d/matrix-ssl-lets-encrypt
state: absent
when: "matrix_ssl_retrieval_method != 'lets-encrypt'"
- block:
- name: Ensure matrix-ssl-lets-encrypt-renew cronjob removed
file:
path: "{{ matrix_systemd_path }}/{{ item.name }}"
state: absent
when: "{{ not item.applicable }}"
with_items: "{{ matrix_ssl_renewal_systemd_units_list }}"
- name: Ensure Let's Encrypt SSL renewal script removed
file:
path: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
state: absent
- name: Ensure Let's Encrypt SSL renewal script removed
file:
path: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
state: absent
when: "matrix_ssl_retrieval_method != 'lets-encrypt'"

View file

@ -12,6 +12,8 @@
# People who configured this to disable Riot, would now wish to be disabling Element.
# We now also have `matrix_nginx_proxy_proxy_riot_compat_redirect_`, but that's something else and is disabled by default.
- {'old': 'matrix_nginx_proxy_proxy_riot_enabled', 'new': 'matrix_nginx_proxy_proxy_element_enabled'}
- {'old': 'matrix_ssl_lets_encrypt_renew_cron_time_definition', 'new': '<not configurable anymore>'}
- {'old': 'matrix_nginx_proxy_reload_cron_time_definition', 'new': '<not configurable anymore>'}
- name: Fail on unknown matrix_ssl_retrieval_method
fail:
@ -24,3 +26,22 @@
msg: >-
`matrix_nginx_proxy_ssl_preset` needs to be set to a known value.
when: "matrix_nginx_proxy_ssl_preset not in ['modern', 'intermediate', 'old']"
- block:
- name: (Deprecation) Catch and report renamed settings
fail:
msg: >-
Your configuration contains a variable, which now has a different name.
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
with_items:
- {'old': 'host_specific_matrix_ssl_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'}
- {'old': 'host_specific_matrix_ssl_lets_encrypt_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'}
when: "item.old in vars"
- name: Fail if required variables are undefined
fail:
msg: "Detected an undefined required variable"
with_items:
- "matrix_ssl_lets_encrypt_support_email"
when: "vars[item] is none"
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"

View file

@ -1,5 +0,0 @@
MAILTO="{{ matrix_ssl_lets_encrypt_support_email }}"
15 4 * * * root {{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew
{% if matrix_nginx_proxy_enabled %}
20 5 * * * root {{ matrix_host_command_systemctl }} reload matrix-nginx-proxy.service
{% endif %}

View file

@ -12,6 +12,7 @@ DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-nginx-proxy
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-nginx-proxy

View file

@ -0,0 +1,7 @@
[Unit]
Description=Renews Let's Encrypt SSL certificates
[Service]
Type=oneshot
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStart={{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew
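Review bot: the cron.d file this replaces set `MAILTO="{{ matrix_ssl_lets_encrypt_support_email }}"`, so a failing renewal was mailed to the operator; this oneshot unit has no `OnFailure=` and nothing reads its journal, so a renewal that keeps failing (now more verbose too, since `--quiet` is dropped from the certbot call) will only surface when the certificate expires. An `OnFailure=` handler unit, or at least a docs pointer to `journalctl -u matrix-ssl-lets-encrypt-certificates-renew.service`, would preserve the old failure signal.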

View file

@ -0,0 +1,10 @@
[Unit]
Description=Renews Let's Encrypt SSL certificates periodically
[Timer]
Unit=matrix-ssl-lets-encrypt-certificates-renew.service
OnCalendar=Sunday *-*-* 05:00:00
RandomizedDelaySec=3h
[Install]
WantedBy=timers.target
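Review bot: the `[Timer]` section has no `Persistent=true`, so a trigger missed while the host is down is skipped rather than run at next boot; with a weekly schedule that can delay renewal by up to a week per missed Sunday. `Persistent=true` costs nothing here and removes the edge case; the same applies to the two reload timers added in this commit.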

View file

@ -0,0 +1,6 @@
[Unit]
Description=Reloads matrix-nginx-proxy so that new SSL certificates can kick in
[Service]
Type=oneshot
ExecStart={{ matrix_host_command_systemctl }} reload matrix-nginx-proxy.service

View file

@ -0,0 +1,10 @@
[Unit]
Description=Reloads matrix-nginx-proxy periodically so that new SSL certificates can kick in
[Timer]
Unit=matrix-ssl-nginx-proxy-reload.service
OnCalendar=Sunday *-*-* 13:00:00
RandomizedDelaySec=3h
[Install]
WantedBy=timers.target

View file

@ -24,7 +24,6 @@ docker run \
{% if matrix_ssl_lets_encrypt_staging %}
--staging \
{% endif %}
--quiet \
--standalone \
--preferred-challenges http \
--agree-tos \

View file

@ -1,4 +1,18 @@
---
# Tells whether this role had executed or not. Toggled to `true` during runtime.
matrix_nginx_proxy_role_executed: false
matrix_nginx_proxy_role_executed: false
matrix_ssl_renewal_systemd_units_list:
- name: matrix-ssl-lets-encrypt-certificates-renew.service
applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' }}"
enableable: false
- name: matrix-ssl-lets-encrypt-certificates-renew.timer
applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' }}"
enableable: true
- name: matrix-ssl-nginx-proxy-reload.service
applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' and matrix_nginx_proxy_enabled|bool }}"
enableable: false
- name: matrix-ssl-nginx-proxy-reload.timer
applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' and matrix_nginx_proxy_enabled|bool }}"
enableable: true

View file

@ -1,3 +1,3 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-postgres'] }}"
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-postgres.service'] }}"
when: matrix_postgres_enabled|bool

Some files were not shown because too many files have changed in this diff.