Merge branch 'master' into pub.solar

This commit is contained in:
teutat3s 2022-02-23 11:35:26 +01:00
commit 1378e779ce
Signed by: teutat3s
GPG key ID: 18DAE600A6BBE705
32 changed files with 289 additions and 47 deletions

View file

@ -1,3 +1,12 @@
# 2022-02-12
## matrix_encryption_disabler support
We now support installing the [matrix_encryption_disabler](https://github.com/digitalentity/matrix_encryption_disabler) Synapse module, which lets you prevent End-to-End-Encryption from being enabled by users on your homeserver. The popular opinion is that this is dangerous and shouldn't be done, but there are valid use cases for disabling encryption discussed [here](https://github.com/matrix-org/synapse/issues/4401).
To enable this module (and prevent encryption from being used on your homserver), add `matrix_synapse_ext_encryption_disabler_enabled: true` to your configuration. This module provides further customization. Check its other configuration settings (and defaults) in `roles/matrix-synapse/defaults/main.yml`.
# 2022-02-01 # 2022-02-01
## matrix-hookshot bridging support ## matrix-hookshot bridging support
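Review bot: typo in the second paragraph of the 2022-02-12 entry: `homserver` should be `homeserver`. The entry should also carry the caveat that the role defaults in this same commit spell out: `matrix_synapse_ext_encryption_disabler_deny_encryption_for_rooms_of` only blocks locally-created encryption events, so users from other homeservers with enough power level can still enable encryption in your rooms unless `matrix_synapse_ext_encryption_disabler_patch_power_levels` is also set. Without that sentence, a reader of the changelog will assume the single `enabled: true` flag makes encryption impossible.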

View file

@ -47,3 +47,20 @@ matrix_synapse_federation_port_enabled: false
# This removes the `8448` virtual host from the matrix-nginx-proxy reverse-proxy server. # This removes the `8448` virtual host from the matrix-nginx-proxy reverse-proxy server.
matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false
``` ```
## Changing the federation port from 8448 to a different port to use a CDN that only accepts 443/80 ports
Why? This change could be useful for people running small Synapse instances on small severs/VPSes to avoid being impacted by a simple DOS/DDOS when bandwidth, RAM, an CPU resources are limited and if your hosting provider does not provide a DOS/DDOS protection.
The following changes in the configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`) will allow this and make it possible to proxy the federation through a CDN such as CloudFlare or any other:
```
matrix_synapse_http_listener_resource_names: ["client","federation"]
# Any port can be used but in this case we use 443
matrix_federation_public_port: 443
matrix_synapse_federation_port_enabled: false
# Note that the following change might not be "required per se" but probably will be due to the proxying of the traffic through the CDN proxy servers (CloudFlare for instance). The security impact of doing this should be minimal as your CDN itself will encrypt the traffic no matter what on their proxy servers. You could however first try and see if federation works while setting the following to true.
matrix_synapse_tls_federation_listener_enabled: false
```
**Use this at you own risk as all the possible side-effects of doing this are not fully known. However, it has been tested and works fine and passes all the tests on <https://federationtester.matrix.org/> without issues.**
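Review bot: the sentence "your CDN itself will encrypt the traffic no matter what on their proxy servers" overstates the guarantee and should be reworded. With `matrix_synapse_tls_federation_listener_enabled: false` the Synapse federation listener speaks plain HTTP behind the nginx proxy, and TLS from remote homeservers now terminates at the CDN, so the CDN reads all federation traffic in the clear; the CDN-to-origin leg is encrypted only if the CDN is configured to connect to the origin over TLS on 443 rather than an HTTP-only origin mode. State both consequences plainly so admins can decide whether a DoS shield is worth a TLS-terminating middlebox. Typos in the same section: `severs` (servers), `an CPU` (and CPU), `at you own risk` (your own risk).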

View file

@ -67,8 +67,13 @@ By default, it obtains certificates for:
- `matrix.<your-domain>` (`matrix_server_fqn_matrix`) - `matrix.<your-domain>` (`matrix_server_fqn_matrix`)
- possibly for `element.<your-domain>`, unless you have disabled the [Element client component](configuring-playbook-client-element.md) using `matrix_client_element_enabled: false` - possibly for `element.<your-domain>`, unless you have disabled the [Element client component](configuring-playbook-client-element.md) using `matrix_client_element_enabled: false`
- possibly for `riot.<your-domain>`, if you have explicitly enabled Riot to Element redirection (for background compatibility) using `matrix_nginx_proxy_proxy_riot_compat_redirect_enabled: true` - possibly for `riot.<your-domain>`, if you have explicitly enabled Riot to Element redirection (for background compatibility) using `matrix_nginx_proxy_proxy_riot_compat_redirect_enabled: true`
- possibly for `hydrogen.<your-domain>`, if you have explicitly [set up Hydrogen client](configuring-playbook-client-hydrogen.md).
- possibly for `cinny.<your-domain>`, if you have explicitly [set up Cinny client](configuring-playbook-client-cinny.md).
- possibly for `dimension.<your-domain>`, if you have explicitly [set up Dimension](configuring-playbook-dimension.md). - possibly for `dimension.<your-domain>`, if you have explicitly [set up Dimension](configuring-playbook-dimension.md).
- possibly for `goneb.<your-domain>`, if you have explicitly [set up Go-NEB bot](configuring-playbook-bot-go-neb.md).
- possibly for `jitsi.<your-domain>`, if you have explicitly [set up Jitsi](configuring-playbook-jitsi.md). - possibly for `jitsi.<your-domain>`, if you have explicitly [set up Jitsi](configuring-playbook-jitsi.md).
- possibly for `stats.<your-domain>`, if you have explicitly [set up Grafana](configuring-playbook-prometheus-grafana.md).
- possibly for `sygnal.<your-domain>`, if you have explicitly [set up Sygnal](configuring-playbook-sygnal.md).
- possibly for your base domain (`<your-domain>`), if you have explicitly configured [Serving the base domain](configuring-playbook-base-domain-serving.md) - possibly for your base domain (`<your-domain>`), if you have explicitly configured [Serving the base domain](configuring-playbook-base-domain-serving.md)
If you are hosting other domains on the Matrix machine, you can make the playbook obtain and renew certificates for those other domains too. If you are hosting other domains on the Matrix machine, you can make the playbook obtain and renew certificates for those other domains too.

View file

@ -226,7 +226,7 @@ Using a separate domain name is easier to manage (although it's a little hard to
We allow `matrix.DOMAIN` to be the Matrix server handling Matrix stuff for `DOMAIN` by [Server Delegation](howto-server-delegation.md). During the installation procedure, we recommend that you set up server delegation using the [.well-known](configuring-well-known.md) method. We allow `matrix.DOMAIN` to be the Matrix server handling Matrix stuff for `DOMAIN` by [Server Delegation](howto-server-delegation.md). During the installation procedure, we recommend that you set up server delegation using the [.well-known](configuring-well-known.md) method.
If you'd really like to install Matrix services directly on the base domain, see [How do I install on matrix.DOMAIN without involving the base DOMAIN?](#how-do-i-install-on-matrixdomain-without-involving-the-base-domain). If you'd really like to install Matrix services directly on the base domain, see [How do I install on matrix.DOMAIN without involving the base DOMAIN?](#how-do-i-install-on-matrixdomain-without-involving-the-base-domain)
### I don't control anything on the base domain and can't set up delegation to matrix.DOMAIN. What do I do? ### I don't control anything on the base domain and can't set up delegation to matrix.DOMAIN. What do I do?

View file

@ -0,0 +1,62 @@
[docker-ce-stable]
name=Docker CE Stable - $basearch
baseurl=https://download.docker.com/linux/fedora/$releasever/$basearch/stable
enabled=1
gpgcheck=1
gpgkey=https://download.docker.com/linux/fedora/gpg
[docker-ce-stable-debuginfo]
name=Docker CE Stable - Debuginfo $basearch
baseurl=https://download.docker.com/linux/fedora/$releasever/debug-$basearch/stable
enabled=0
gpgcheck=1
gpgkey=https://download.docker.com/linux/fedora/gpg
[docker-ce-stable-source]
name=Docker CE Stable - Sources
baseurl=https://download.docker.com/linux/fedora/$releasever/source/stable
enabled=0
gpgcheck=1
gpgkey=https://download.docker.com/linux/fedora/gpg
[docker-ce-test]
name=Docker CE Test - $basearch
baseurl=https://download.docker.com/linux/fedora/$releasever/$basearch/test
enabled=0
gpgcheck=1
gpgkey=https://download.docker.com/linux/fedora/gpg
[docker-ce-test-debuginfo]
name=Docker CE Test - Debuginfo $basearch
baseurl=https://download.docker.com/linux/fedora/$releasever/debug-$basearch/test
enabled=0
gpgcheck=1
gpgkey=https://download.docker.com/linux/fedora/gpg
[docker-ce-test-source]
name=Docker CE Test - Sources
baseurl=https://download.docker.com/linux/fedora/$releasever/source/test
enabled=0
gpgcheck=1
gpgkey=https://download.docker.com/linux/fedora/gpg
[docker-ce-nightly]
name=Docker CE Nightly - $basearch
baseurl=https://download.docker.com/linux/fedora/$releasever/$basearch/nightly
enabled=0
gpgcheck=1
gpgkey=https://download.docker.com/linux/fedora/gpg
[docker-ce-nightly-debuginfo]
name=Docker CE Nightly - Debuginfo $basearch
baseurl=https://download.docker.com/linux/fedora/$releasever/debug-$basearch/nightly
enabled=0
gpgcheck=1
gpgkey=https://download.docker.com/linux/fedora/gpg
[docker-ce-nightly-source]
name=Docker CE Nightly - Sources
baseurl=https://download.docker.com/linux/fedora/$releasever/source/nightly
enabled=0
gpgcheck=1
gpgkey=https://download.docker.com/linux/fedora/gpg
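Review bot: `gpgcheck=1` with an HTTPS `gpgkey` on every section, and only `docker-ce-stable` enabled, is the right posture for this new file. Two small points: the file contains no Jinja, so it should be shipped with `copy` rather than `template` (the Fedora setup task in this commit uses `template`, which would silently expand any `{{` that later creeps into a repo name); and `$releasever`/`$basearch` are dnf substitution variables that must stay unquoted, which they correctly are here.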

View file

@ -4,7 +4,10 @@
when: ansible_os_family == 'RedHat' and ansible_distribution_major_version|int < 8 when: ansible_os_family == 'RedHat' and ansible_distribution_major_version|int < 8
- include_tasks: "{{ role_path }}/tasks/server_base/setup_redhat8.yml" - include_tasks: "{{ role_path }}/tasks/server_base/setup_redhat8.yml"
when: ansible_os_family == 'RedHat' and ansible_distribution_major_version|int > 7 when: ansible_os_family == 'RedHat' and ansible_distribution_major_version|int > 7 and ansible_distribution_major_version|int < 30
- include_tasks: "{{ role_path }}/tasks/server_base/setup_fedora.yml"
when: ansible_os_family == 'RedHat' and ansible_distribution_major_version|int > 30
- block: - block:
# ansible_lsb is only available if lsb-release is installed. # ansible_lsb is only available if lsb-release is installed.
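Review bot: off-by-one in the version split: `setup_redhat8.yml` now runs for `7 < major < 30` and `setup_fedora.yml` for `major > 30`, so a Fedora 30 host matches neither condition and gets no Docker setup at all. Use `>= 30` on the Fedora condition (or `<= 30` on the RHEL 8 one). Better still, key the choice on `ansible_distribution == 'Fedora'` rather than on the major version number; comparing Fedora release numbers against RHEL ones encodes an assumption that is nowhere stated and will confuse the next reader.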

View file

@ -0,0 +1,39 @@
---
- name: Ensure Docker repository is enabled
template:
src: "{{ role_path }}/files/yum.repos.d/{{ item }}"
dest: "/etc/yum.repos.d/docker-ce.repo"
owner: "root"
group: "root"
mode: 0644
with_items:
- docker-ce-fedora.repo
when: matrix_docker_installation_enabled|bool and matrix_docker_package_name == 'docker-ce'
- name: Ensure Docker's RPM key is trusted
rpm_key:
state: present
key: https://download.docker.com/linux/fedora/gpg
when: matrix_docker_installation_enabled|bool and matrix_docker_package_name == 'docker-ce'
- name: Ensure yum packages are installed
yum:
name:
- "{{ matrix_ntpd_package }}"
state: latest
update_cache: true
- name: Ensure Docker is installed
yum:
name:
- "{{ matrix_docker_package_name }}"
- python3-pip
state: latest
when: matrix_docker_installation_enabled|bool
- name: Ensure Docker-Py is installed
pip:
name: docker-py
state: latest
when: matrix_docker_installation_enabled|bool
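Review bot: the `pip` task installs `docker-py` with `state: latest` from PyPI, unpinned and outside the distro's package signing, and under its deprecated name (the project was renamed to `docker` on PyPI years ago); pin a version or install the distro's `python3-docker` package in the `yum` task instead. `state: latest` on `matrix_docker_package_name` likewise means every playbook run may upgrade the container runtime under running services; `present` is the safer default for a playbook meant to be re-run. Minor: the one-item `with_items` loop can be replaced by `src: "{{ role_path }}/files/yum.repos.d/docker-ce-fedora.repo"`, as the CentOS task files in this same commit now do.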

View file

@ -2,13 +2,11 @@
- name: Ensure Docker repository is enabled - name: Ensure Docker repository is enabled
template: template:
src: "{{ role_path }}/files/yum.repos.d/{{ item }}" src: "{{ role_path }}/files/yum.repos.d/docker-ce-centos.repo"
dest: "/etc/yum.repos.d/{{ item }}" dest: "/etc/yum.repos.d/docker-ce.repo"
owner: "root" owner: "root"
group: "root" group: "root"
mode: 0644 mode: 0644
with_items:
- docker-ce.repo
when: matrix_docker_installation_enabled|bool and matrix_docker_package_name == 'docker-ce' when: matrix_docker_installation_enabled|bool and matrix_docker_package_name == 'docker-ce'
- name: Ensure Docker's RPM key is trusted - name: Ensure Docker's RPM key is trusted
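Review bot: the new fixed `src` points at `docker-ce-centos.repo`, a file this hunk neither creates nor renames; confirm that `files/yum.repos.d/docker-ce.repo` is renamed to that name in this same commit, otherwise the task fails at runtime with a missing template. Dropping the single-item `with_items` loop is a welcome simplification.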

View file

@ -2,13 +2,11 @@
- name: Ensure Docker repository is enabled - name: Ensure Docker repository is enabled
template: template:
src: "{{ role_path }}/files/yum.repos.d/{{ item }}" src: "{{ role_path }}/files/yum.repos.d/docker-ce-centos.repo"
dest: "/etc/yum.repos.d/{{ item }}" dest: "/etc/yum.repos.d/docker-ce.repo"
owner: "root" owner: "root"
group: "root" group: "root"
mode: 0644 mode: 0644
with_items:
- docker-ce.repo
when: matrix_docker_installation_enabled|bool and matrix_docker_package_name == 'docker-ce' when: matrix_docker_installation_enabled|bool and matrix_docker_package_name == 'docker-ce'
- name: Ensure Docker's RPM key is trusted - name: Ensure Docker's RPM key is trusted
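Review bot: this change is byte-identical to the preceding hunk for the other RedHat task file, and the Docker-repository block now exists in three copies (RHEL 7, RHEL 8, Fedora) that differ only in the repo file name; consider one shared task file parameterised on that name so a future hardening change (for example adding a checksum on the repo file) is made once rather than three times.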

View file

@ -69,7 +69,7 @@
mode: 0400 mode: 0400
owner: "{{ matrix_user_username }}" owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}" group: "{{ matrix_user_groupname }}"
when: "{{ matrix_hookshot_github_enabled|bool and matrix_hookshot_github_private_key|length }}" when: matrix_hookshot_github_enabled|bool and matrix_hookshot_github_private_key|length > 0
- name: Ensure matrix-hookshot.service installed - name: Ensure matrix-hookshot.service installed
template: template:
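Review bot: the bare conditional with `|length > 0` is the correct replacement here: `when: "{{ ... }}"` makes Ansible warn that conditional statements should not include Jinja2 templating delimiters, and the explicit comparison states the intent (skip unless a GitHub private key was actually supplied). The unchanged context keeps the key file at mode `0400` owned by the matrix user, which is the right permission for a private key.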

View file

@ -8,8 +8,8 @@ matrix_mautrix_signal_container_image_self_build: false
matrix_mautrix_signal_docker_repo: "https://mau.dev/mautrix/signal.git" matrix_mautrix_signal_docker_repo: "https://mau.dev/mautrix/signal.git"
matrix_mautrix_signal_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signal/docker-src" matrix_mautrix_signal_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signal/docker-src"
matrix_mautrix_signal_version: v0.2.2 matrix_mautrix_signal_version: v0.2.3
matrix_mautrix_signal_daemon_version: 0.16.1 matrix_mautrix_signal_daemon_version: 0.17.0
# See: https://mau.dev/mautrix/signal/container_registry # See: https://mau.dev/mautrix/signal/container_registry
matrix_mautrix_signal_docker_image: "dock.mau.dev/mautrix/signal:{{ matrix_mautrix_signal_version }}" matrix_mautrix_signal_docker_image: "dock.mau.dev/mautrix/signal:{{ matrix_mautrix_signal_version }}"
matrix_mautrix_signal_docker_image_force_pull: "{{ matrix_mautrix_signal_docker_image.endswith(':latest') }}" matrix_mautrix_signal_docker_image_force_pull: "{{ matrix_mautrix_signal_docker_image.endswith(':latest') }}"

View file

@ -14,7 +14,7 @@ matrix_mautrix_telegram_container_image_self_build: false
matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git" matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git"
matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src" matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src"
matrix_mautrix_telegram_version: v0.11.1 matrix_mautrix_telegram_version: v0.11.2
# See: https://mau.dev/mautrix/telegram/container_registry # See: https://mau.dev/mautrix/telegram/container_registry
matrix_mautrix_telegram_docker_image: "dock.mau.dev/mautrix/telegram:{{ matrix_mautrix_telegram_version }}" matrix_mautrix_telegram_docker_image: "dock.mau.dev/mautrix/telegram:{{ matrix_mautrix_telegram_version }}"
matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}" matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}"

View file

@ -8,7 +8,7 @@ matrix_mautrix_whatsapp_container_image_self_build: false
matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautrix/whatsapp.git" matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautrix/whatsapp.git"
matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}" matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}"
matrix_mautrix_whatsapp_version: v0.2.3 matrix_mautrix_whatsapp_version: v0.2.4
# See: https://mau.dev/mautrix/whatsapp/container_registry # See: https://mau.dev/mautrix/whatsapp/container_registry
matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_name_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}" matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_name_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}"
matrix_mautrix_whatsapp_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_whatsapp_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_whatsapp_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_whatsapp_container_image_self_build else 'dock.mau.dev/' }}"

View file

@ -9,7 +9,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto
# - https://github.com/vector-im/element-web/issues/19544 # - https://github.com/vector-im/element-web/issues/19544
matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
matrix_client_element_version: v1.10.1 matrix_client_element_version: v1.10.4
matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"

View file

@ -7,7 +7,7 @@ matrix_client_hydrogen_enabled: true
matrix_client_hydrogen_container_image_self_build: true matrix_client_hydrogen_container_image_self_build: true
matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git" matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git"
matrix_client_hydrogen_version: v0.2.25 matrix_client_hydrogen_version: v0.2.26
matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}" matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}"
matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build else matrix_container_global_registry_prefix }}"
matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}"

View file

@ -5,7 +5,7 @@ matrix_dynamic_dns_enabled: true
# The dynamic dns daemon interval # The dynamic dns daemon interval
matrix_dynamic_dns_daemon_interval: '300' matrix_dynamic_dns_daemon_interval: '300'
matrix_dynamic_dns_version: v3.9.1-ls77 matrix_dynamic_dns_version: v3.9.1-ls79
# The docker container to use when in mode # The docker container to use when in mode
matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}" matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}"

View file

@ -4,7 +4,7 @@
matrix_grafana_enabled: false matrix_grafana_enabled: false
matrix_grafana_version: 8.3.4 matrix_grafana_version: 8.4.1
matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}"
matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}"
@ -22,6 +22,10 @@ matrix_grafana_data_path: "{{ matrix_grafana_base_path }}/data"
# Allow viewing Grafana without logging in # Allow viewing Grafana without logging in
matrix_grafana_anonymous_access: false matrix_grafana_anonymous_access: false
# When `false`, sends a `X-Frame-Options: deny` HTTP header, which allows Grafana from being embeded in a frame.
# Read more here: https://grafana.com/docs/grafana/latest/administration/configuration/#allow_embedding
matrix_grafana_allow_embedding: false
# specify organization name that should be used for unauthenticated users # specify organization name that should be used for unauthenticated users
# if you change this in the Grafana admin panel, this needs to be updated # if you change this in the Grafana admin panel, this needs to be updated
# to match to keep anonymous logins working # to match to keep anonymous logins working
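Review bot: the comment on `matrix_grafana_allow_embedding` says the opposite of what the header does: `X-Frame-Options: deny` prevents Grafana from being embedded in a frame (that is its clickjacking protection), so reword to "which prevents Grafana from being embedded in a frame" and fix `embeded`. The `false` default is correct; anyone flipping it to `true` to embed dashboards should pair that with a `frame-ancestors` directive in `matrix_grafana_content_security_policy`, which the adjacent grafana.ini template already exposes.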

View file

@ -16,6 +16,8 @@ content_security_policy = "{{ matrix_grafana_content_security_policy }}"
content_security_policy_template = """{{ matrix_grafana_content_security_policy_template }}""" content_security_policy_template = """{{ matrix_grafana_content_security_policy_template }}"""
{% endif %} {% endif %}
allow_embedding = {{ matrix_grafana_allow_embedding }}
[auth.anonymous] [auth.anonymous]
# enable anonymous access # enable anonymous access
enabled = {{ matrix_grafana_anonymous_access }} enabled = {{ matrix_grafana_anonymous_access }}

View file

@ -477,7 +477,7 @@ matrix_ssl_lets_encrypt_staging: false
# Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#changing-the-acme-server # Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#changing-the-acme-server
matrix_ssl_lets_encrypt_server: '' matrix_ssl_lets_encrypt_server: ''
matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.22.0" matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.23.0"
matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
matrix_ssl_lets_encrypt_support_email: ~ matrix_ssl_lets_encrypt_support_email: ~

View file

@ -20,11 +20,11 @@ matrix_postgres_architecture: amd64
matrix_postgres_docker_image_suffix: "{{ '-alpine' if matrix_postgres_architecture in ['amd64', 'arm64'] else '' }}" matrix_postgres_docker_image_suffix: "{{ '-alpine' if matrix_postgres_architecture in ['amd64', 'arm64'] else '' }}"
matrix_postgres_docker_image_v9: "{{ matrix_container_global_registry_prefix }}postgres:9.6.23{{ matrix_postgres_docker_image_suffix }}" matrix_postgres_docker_image_v9: "{{ matrix_container_global_registry_prefix }}postgres:9.6.23{{ matrix_postgres_docker_image_suffix }}"
matrix_postgres_docker_image_v10: "{{ matrix_container_global_registry_prefix }}postgres:10.19{{ matrix_postgres_docker_image_suffix }}" matrix_postgres_docker_image_v10: "{{ matrix_container_global_registry_prefix }}postgres:10.20{{ matrix_postgres_docker_image_suffix }}"
matrix_postgres_docker_image_v11: "{{ matrix_container_global_registry_prefix }}postgres:11.14{{ matrix_postgres_docker_image_suffix }}" matrix_postgres_docker_image_v11: "{{ matrix_container_global_registry_prefix }}postgres:11.15{{ matrix_postgres_docker_image_suffix }}"
matrix_postgres_docker_image_v12: "{{ matrix_container_global_registry_prefix }}postgres:12.9{{ matrix_postgres_docker_image_suffix }}" matrix_postgres_docker_image_v12: "{{ matrix_container_global_registry_prefix }}postgres:12.10{{ matrix_postgres_docker_image_suffix }}"
matrix_postgres_docker_image_v13: "{{ matrix_container_global_registry_prefix }}postgres:13.5{{ matrix_postgres_docker_image_suffix }}" matrix_postgres_docker_image_v13: "{{ matrix_container_global_registry_prefix }}postgres:13.6{{ matrix_postgres_docker_image_suffix }}"
matrix_postgres_docker_image_v14: "{{ matrix_container_global_registry_prefix }}postgres:14.1{{ matrix_postgres_docker_image_suffix }}" matrix_postgres_docker_image_v14: "{{ matrix_container_global_registry_prefix }}postgres:14.2{{ matrix_postgres_docker_image_suffix }}"
matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v14 }}" matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v14 }}"
# This variable is assigned at runtime. Overriding its value has no effect. # This variable is assigned at runtime. Overriding its value has no effect.

View file

@ -4,7 +4,7 @@
matrix_prometheus_enabled: false matrix_prometheus_enabled: false
matrix_prometheus_version: v2.33.1 matrix_prometheus_version: v2.33.3
matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}"
matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}"

View file

@ -9,7 +9,7 @@ matrix_synapse_admin_container_image_self_build_repo: "https://github.com/Awesom
matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src"
matrix_synapse_admin_version: 0.8.4 matrix_synapse_admin_version: 0.8.5
matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}"
matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_container_global_registry_prefix }}"
matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}"

View file

@ -9,7 +9,7 @@ matrix_synapse_container_image_self_build_repo: "https://github.com/matrix-org/s
matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:{{ matrix_synapse_docker_image_tag }}" matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:{{ matrix_synapse_docker_image_tag }}"
matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else matrix_container_global_registry_prefix }}"
matrix_synapse_version: v1.52.0 matrix_synapse_version: v1.53.0
matrix_synapse_docker_image_tag: "{{ matrix_synapse_version }}" matrix_synapse_docker_image_tag: "{{ matrix_synapse_version }}"
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
@ -489,8 +489,16 @@ matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: fals
# Enable this to activate the Shared Secret Auth password provider module. # Enable this to activate the Shared Secret Auth password provider module.
# See: https://github.com/devture/matrix-synapse-shared-secret-auth # See: https://github.com/devture/matrix-synapse-shared-secret-auth
matrix_synapse_ext_password_provider_shared_secret_auth_enabled: false matrix_synapse_ext_password_provider_shared_secret_auth_enabled: false
matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/1.0.2/shared_secret_authenticator.py" matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/2.0.2/shared_secret_authenticator.py"
matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "" matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: ""
matrix_synapse_ext_password_provider_shared_secret_auth_m_login_password_support_enabled: true
# We'd like to enable this, but it causes trouble for Element: https://github.com/vector-im/element-web/issues/19605
matrix_synapse_ext_password_provider_shared_secret_auth_com_devture_shared_secret_auth_support_enabled: false
matrix_synapse_ext_password_provider_shared_secret_config: "{{ matrix_synapse_ext_password_provider_shared_secret_config_yaml|from_yaml }}"
matrix_synapse_ext_password_provider_shared_secret_config_yaml: |
shared_secret: {{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret|string|to_json }}
m_login_password_support_enabled: {{ matrix_synapse_ext_password_provider_shared_secret_auth_m_login_password_support_enabled|to_json }}
com_devture_shared_secret_auth_support_enabled: {{ matrix_synapse_ext_password_provider_shared_secret_auth_com_devture_shared_secret_auth_support_enabled|to_json }}
# Enable this to activate LDAP password provider # Enable this to activate LDAP password provider
matrix_synapse_ext_password_provider_ldap_enabled: false matrix_synapse_ext_password_provider_ldap_enabled: false
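Review bot: the shared-secret module download URL is pinned to the git tag `2.0.2`, while the encryption-disabler module added further down in this same file is pinned to a full commit hash; tags can be moved and a commit hash cannot, and both modules are Python code that executes inside the Synapse process, so pin this one to a commit as well (or verify a checksum on download). The 1.0.2 to 2.0.2 jump also changes the module's config shape (the new `m_login_password_support_enabled` and `com_devture_shared_secret_auth_support_enabled` keys), which deserves a CHANGELOG mention. `shared_secret|string|to_json` is the right way to stop a numeric-looking secret from being re-typed by the YAML parser.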
@ -534,6 +542,30 @@ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_usernames: false
matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists: [] matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists: []
# Enable this to activate the E2EE disabling Synapse module.
# See: https://github.com/digitalentity/matrix_encryption_disabler
matrix_synapse_ext_encryption_disabler_enabled: false
matrix_synapse_ext_encryption_disabler_download_url: "https://raw.githubusercontent.com/digitalentity/matrix_encryption_disabler/1182388f7019e8ec1e28f035070c7919d0e4cc24/matrix_e2ee_filter.py"
# A list of server domain names for which to deny encryption if the event sender's domain matches the domain in the list.
# By default, with the configuration below, we prevent all homeserver users from initiating encryption in ANY room.
matrix_synapse_ext_encryption_disabler_deny_encryption_for_users_of: ["{{ matrix_domain }}"]
# A list of server domain names for which to deny encryption if the destination room id's domain matches the domain in the list.
# By default, with the configuration below, we prevent locally-created encryption events by ANY user encrypt rooms on the homeserver.
# Note: foreign users with enough room privileges will still be able to send an encryption event to your rooms and encrypt them.
matrix_synapse_ext_encryption_disabler_deny_encryption_for_rooms_of: ["{{ matrix_domain }}"]
# Specifies whether the power levels event (setting) provided during room creation should be patched.
# This makes it impossible for anybody (locally or over federation) from enabling room encryption
# for the lifetime of rooms created while this setting is enabled (irreversible).
# Enabling this may have incompatiblity consequences with servers / clients.
# Familiarize yourself with the caveats upstream: https://github.com/digitalentity/matrix_encryption_disabler
matrix_synapse_ext_encryption_disabler_patch_power_levels: false
matrix_synapse_ext_encryption_config: "{{ matrix_synapse_ext_encryption_config_yaml|from_yaml }}"
matrix_synapse_ext_encryption_config_yaml: |
deny_encryption_for_users_of: {{ matrix_synapse_ext_encryption_disabler_deny_encryption_for_users_of|to_json }}
deny_encryption_for_rooms_of: {{ matrix_synapse_ext_encryption_disabler_deny_encryption_for_rooms_of|to_json }}
patch_power_levels: {{ matrix_synapse_ext_encryption_disabler_patch_power_levels|to_json }}
matrix_s3_media_store_enabled: false matrix_s3_media_store_enabled: false
matrix_s3_media_store_custom_endpoint_enabled: false matrix_s3_media_store_custom_endpoint_enabled: false
matrix_s3_goofys_docker_image: "ewoutp/goofys:latest" matrix_s3_goofys_docker_image: "ewoutp/goofys:latest"
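Review bot: the variables that carry the rendered module config (L379-L380, `matrix_synapse_ext_encryption_config` and `matrix_synapse_ext_encryption_config_yaml`) drop the `_disabler` infix that every other variable in this block uses; rename them to `matrix_synapse_ext_encryption_disabler_config` / `..._config_yaml` so they group with the settings they serialize and cannot be confused with a general encryption setting. Two wording fixes in the comments: "incompatiblity" (L376) should be "incompatibility", and "makes it impossible for anybody ... from enabling room encryption" (L374-L375) should read "prevents anybody ... from enabling room encryption".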
@ -565,7 +597,7 @@ matrix_synapse_room_list_publication_rules:
room_id: "*" room_id: "*"
action: allow action: allow
matrix_synapse_default_room_version: "6" matrix_synapse_default_room_version: "9"
# Controls the Synapse `spam_checker` setting. # Controls the Synapse `spam_checker` setting.
# #
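Review bot: bumping the default room version from 6 to 9 (L390) changes what every newly created room uses, and it is not covered by the CHANGELOG entry in this commit, which only describes the encryption disabler; add a line for it. Rooms created on version 9 can only be joined by homeservers that support that version, so operators federating or bridging with older servers should be told they can keep the previous behaviour with `matrix_synapse_default_room_version: "6"` in their vars.yml.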
@ -573,6 +605,9 @@ matrix_synapse_default_room_version: "6"
# If not, you can also control its value manually. # If not, you can also control its value manually.
matrix_synapse_spam_checker: [] matrix_synapse_spam_checker: []
# Controls the Synapse `modules` list.
# You can define your own list of modules here. See the `modules` syntax in `homeserver.yaml.j2`
# Certain Synapse extensions that you can enable below auto-inject themselves into `matrix_synapse_modules` at runtime.
matrix_synapse_modules: [] matrix_synapse_modules: []
matrix_synapse_encryption_enabled_by_default_for_room_type: "off" matrix_synapse_encryption_enabled_by_default_for_room_type: "off"
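Review bot: `matrix_synapse_modules` (L396-L399) is documented as a list that extensions append to at runtime, but nothing prevents an operator from listing, say, the encryption disabler here and enabling the extension as well, registering the module twice; the comment should say that auto-injected modules must not be repeated in this list. The neighbouring `matrix_synapse_encryption_enabled_by_default_for_room_type` (L400) also interacts with the new disabler: with any value other than `off`, Synapse adds an `m.room.encryption` event to each newly created room, and that event goes through the same spam check the module uses to deny encryption, so room creation would fail. The disabler's comment block in defaults should warn that the two settings must not be enabled together.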

View file

@ -0,0 +1,7 @@
---
- import_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup_install.yml"
when: matrix_synapse_ext_encryption_disabler_enabled|bool
- import_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup_uninstall.yml"
when: "not matrix_synapse_ext_encryption_disabler_enabled|bool"

View file

@ -0,0 +1,33 @@
---
- name: Download matrix_encryption_disabler
get_url:
url: "{{ matrix_synapse_ext_encryption_disabler_download_url }}"
dest: "{{ matrix_synapse_ext_path }}/matrix_e2ee_filter.py"
force: true
mode: 0440
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- set_fact:
matrix_synapse_modules: |
{{
matrix_synapse_modules|default([])
+
[
{
"module": "matrix_e2ee_filter.EncryptedRoomFilter",
"config": matrix_synapse_ext_encryption_config
}
]
}}
matrix_synapse_container_extra_arguments: >
{{ matrix_synapse_container_extra_arguments|default([]) }}
+
["--mount type=bind,src={{ matrix_synapse_ext_path }}/matrix_e2ee_filter.py,dst={{ matrix_synapse_in_container_python_packages_path }}/matrix_e2ee_filter.py,ro"]
matrix_synapse_additional_loggers: >
{{ matrix_synapse_additional_loggers }}
+
{{ [{'name': 'matrix_e2ee_filter', 'level': 'INFO'}] }}
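Review bot: `get_url` (L415-L422) fetches a Python file that is then bind-mounted into Synapse's package path (L438) and executed inside the Synapse process, with `force: true` re-downloading it on every run and no `checksum:`. Pinning the commit hash in the URL is good, but add `checksum: sha256:<digest of that revision>` (digest to be filled in by the author) so a bad download or a changed hosting path fails the play instead of loading unexpected code; the same applies to the other extension downloads in this role. Minor consistency point: `matrix_synapse_additional_loggers` (L440) is used without the `|default([])` guard that `matrix_synapse_modules` (L426) and `matrix_synapse_container_extra_arguments` (L436) get in the same task.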

View file

@ -0,0 +1,6 @@
---
- name: Ensure matrix_encryption_disabler doesn't exist
file:
path: "{{ matrix_synapse_ext_path }}/matrix_e2ee_filter.py"
state: absent
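Review bot: removing the module file (L448-L451) only undoes the installation. The comment on `patch_power_levels` in defaults says its effect on rooms created while it was enabled is irreversible, so the docs or CHANGELOG should state explicitly that setting `matrix_synapse_ext_encryption_disabler_enabled: false` again does not restore the ability to enable encryption in those rooms.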

View file

@ -1,5 +1,7 @@
--- ---
- import_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup.yml"
- import_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup.yml" - import_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup.yml"
- import_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup.yml" - import_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup.yml"

View file

@ -5,6 +5,11 @@
msg: "Shared Secret Auth is enabled, but no secret has been set in matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret" msg: "Shared Secret Auth is enabled, but no secret has been set in matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret"
when: "matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret == ''" when: "matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret == ''"
- name: Fail if no Shared Secret Auth login types enabled
fail:
msg: "Shared Secret Auth is enabled, but none of the login types are"
when: "not (matrix_synapse_ext_password_provider_shared_secret_auth_m_login_password_support_enabled or matrix_synapse_ext_password_provider_shared_secret_auth_com_devture_shared_secret_auth_support_enabled)"
- name: Download matrix-synapse-shared-secret-auth - name: Download matrix-synapse-shared-secret-auth
get_url: get_url:
url: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_download_url }}" url: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_download_url }}"
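Review bot: the new guard (L466-L469) references `matrix_synapse_ext_password_provider_shared_secret_auth_m_login_password_support_enabled` and `..._com_devture_shared_secret_auth_support_enabled`, neither of which appears in this diff; make sure both have defaults in `roles/matrix-synapse/defaults/main.yml`, otherwise the `when:` expression raises an undefined-variable error before the friendlier `fail:` message is ever shown. The message itself could name those two variables so the operator knows which one to set.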
@ -15,7 +20,17 @@
group: "{{ matrix_user_groupname }}" group: "{{ matrix_user_groupname }}"
- set_fact: - set_fact:
matrix_synapse_password_providers_enabled: true matrix_synapse_modules: |
{{
matrix_synapse_modules|default([])
+
[
{
"module": "shared_secret_authenticator.SharedSecretAuthProvider",
"config": matrix_synapse_ext_password_provider_shared_secret_config
}
]
}}
matrix_synapse_container_extra_arguments: > matrix_synapse_container_extra_arguments: >
{{ matrix_synapse_container_extra_arguments|default([]) }} {{ matrix_synapse_container_extra_arguments|default([]) }}
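Review bot: the provider moves from `password_providers` to `modules` and the class name changes from `SharedSecretAuthenticator` to `SharedSecretAuthProvider` (L482, compare the removed template line in homeserver.yaml.j2), which requires a release of matrix-synapse-shared-secret-auth that ships the modules-API class; confirm `matrix_synapse_ext_password_provider_shared_secret_auth_download_url` is bumped in the same change, or Synapse fails at startup with an import error. The config now comes from `matrix_synapse_ext_password_provider_shared_secret_config` (L483), which is not visible here; keep the `|string|to_json` treatment the old template applied to the secret so a secret that happens to look numeric or boolean is not coerced. Since this task no longer sets `matrix_synapse_password_providers_enabled: true` (L476), the `password_providers:` block in the template now renders only when another provider such as rest-auth is enabled, which looks intended but deserves a CHANGELOG line for anyone who set that variable manually.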

View file

@ -3,7 +3,7 @@
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 # and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
- name: Fail if trying to self-build on Ansible < 2.8 - name: Fail if trying to self-build on Ansible < 2.8
fail: fail:
msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" msg: "To self-build the Synapse image, you should use Ansible 2.8 or higher. See docs/ansible.md"
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_container_image_self_build and matrix_synapse_enabled" when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_container_image_self_build and matrix_synapse_enabled"
# Unless `matrix_synapse_workers_enabled_list` is explicitly defined, # Unless `matrix_synapse_workers_enabled_list` is explicitly defined,

View file

@ -776,11 +776,16 @@ caches:
per_cache_factors: per_cache_factors:
#get_users_who_share_room_with_user: 2.0 #get_users_who_share_room_with_user: 2.0
# Controls how long an entry can be in a cache without having been # Controls whether cache entries are evicted after a specified time
# accessed before being evicted. Defaults to None, which means # period. Defaults to true. Uncomment to disable this feature.
# entries are never evicted based on time.
# #
#expiry_time: 30m #expire_caches: false
# If expire_caches is enabled, this flag controls how long an entry can
# be in a cache without having been accessed before being evicted.
# Defaults to 30m. Uncomment to set a different time to live for cache entries.
#
#cache_entry_ttl: 30m
# Controls how long the results of a /sync request are cached for after # Controls how long the results of a /sync request are cached for after
# a successful response is returned. A higher duration can help clients with # a successful response is returned. A higher duration can help clients with
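Review bot: the sample-config text (L505-L514) replaces `expiry_time`, documented as defaulting to never evicting, with `expire_caches` (default true) and `cache_entry_ttl` (default 30m). These lines are comments, so the rendered config does not change, but the defaults they describe are Synapse's own and mean cache entries now expire after 30 minutes unless overridden; anyone who previously uncommented `expiry_time` in a template override needs to switch to the new keys, and that is worth a sentence in the CHANGELOG.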
@ -890,6 +895,9 @@ log_config: "/data/{{ matrix_server_fqn_matrix }}.log.config"
# - one for ratelimiting how often a user or IP can attempt to validate a 3PID. # - one for ratelimiting how often a user or IP can attempt to validate a 3PID.
# - two for ratelimiting how often invites can be sent in a room or to a # - two for ratelimiting how often invites can be sent in a room or to a
# specific user. # specific user.
# - one for ratelimiting 3PID invites (i.e. invites sent to a third-party ID
# such as an email address or a phone number) based on the account that's
# sending the invite.
# #
# The defaults are as shown below. # The defaults are as shown below.
# #
@ -944,6 +952,10 @@ rc_joins: {{ matrix_synapse_rc_joins|to_json }}
# per_user: # per_user:
# per_second: 0.003 # per_second: 0.003
# burst_count: 5 # burst_count: 5
#
#rc_third_party_invite:
# per_second: 0.2
# burst_count: 10
# Ratelimiting settings for incoming federation # Ratelimiting settings for incoming federation
# #
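Review bot: `rc_third_party_invite` is added only as a commented sample (L531-L534) while the neighbouring `rc_joins` is rendered from `matrix_synapse_rc_joins|to_json` (L527); add a `matrix_synapse_rc_third_party_invite` variable rendered the same way so 3PID-invite rate limiting can be tuned through the role instead of by editing the template.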
@ -2586,11 +2598,6 @@ email:
# #filter: "(objectClass=posixAccount)" # #filter: "(objectClass=posixAccount)"
{% if matrix_synapse_password_providers_enabled %} {% if matrix_synapse_password_providers_enabled %}
password_providers: password_providers:
{% if matrix_synapse_ext_password_provider_shared_secret_auth_enabled %}
- module: "shared_secret_authenticator.SharedSecretAuthenticator"
config:
sharedSecret: {{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret|string|to_json }}
{% endif %}
{% if matrix_synapse_ext_password_provider_rest_auth_enabled %} {% if matrix_synapse_ext_password_provider_rest_auth_enabled %}
- module: "rest_auth_provider.RestAuthProvider" - module: "rest_auth_provider.RestAuthProvider"
config: config:

View file

@ -64,7 +64,7 @@ matrix_synapse_workers_generic_worker_endpoints:
# Registration/login requests # Registration/login requests
- ^/_matrix/client/(api/v1|r0|v3|unstable)/login$ - ^/_matrix/client/(api/v1|r0|v3|unstable)/login$
- ^/_matrix/client/(r0|v3|unstable)/register$ - ^/_matrix/client/(r0|v3|unstable)/register$
- ^/_matrix/client/unstable/org.matrix.msc3231/register/org.matrix.msc3231.login.registration_token/validity$ - ^/_matrix/client/v1/register/m.login.registration_token/validity$
# Event sending requests # Event sending requests
- ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact
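Review bot: replacing the `unstable/org.matrix.msc3231/...` path with the stable `v1/register/m.login.registration_token/validity` (L556) means clients that still use the unstable prefix are no longer matched by the worker routing and fall through to the main process; that degrades load-balancing rather than breaking registration, but keeping both patterns for a transition period costs nothing, and the `(r0|v3|unstable)` group on the adjacent endpoints shows the same tolerance is applied elsewhere in this list.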
@ -206,7 +206,7 @@ matrix_synapse_workers_generic_worker_endpoints:
# You might also wish to investigate the `update_user_directory` and # You might also wish to investigate the `update_user_directory` and
# `media_instance_running_background_jobs` settings. # `media_instance_running_background_jobs` settings.
# pusher worker (no API endpoints) [ # pusher worker (no API endpoints) [
# Handles sending push notifications to sygnal and email. Doesn't handle any # Handles sending push notifications to sygnal and email. Doesn't handle any
# REST endpoints itself, but you should set `start_pushers: False` in the # REST endpoints itself, but you should set `start_pushers: False` in the
# shared configuration file to stop the main synapse sending push notifications. # shared configuration file to stop the main synapse sending push notifications.
@ -220,18 +220,18 @@ matrix_synapse_workers_generic_worker_endpoints:
# - pusher_worker2 # - pusher_worker2
# ``` # ```
# ] # ]
# appservice worker (no API endpoints) [ # appservice worker (no API endpoints) [
# Handles sending output traffic to Application Services. Doesn't handle any # Handles sending output traffic to Application Services. Doesn't handle any
# REST endpoints itself, but you should set `notify_appservices: False` in the # REST endpoints itself, but you should set `notify_appservices: False` in the
# shared configuration file to stop the main synapse sending appservice notifications. # shared configuration file to stop the main synapse sending appservice notifications.
# Note this worker cannot be load-balanced: only one instance should be active. # Note this worker cannot be load-balanced: only one instance should be active.
# ] # ]
# federation_sender worker (no API endpoints) [ # federation_sender worker (no API endpoints) [
# Handles sending federation traffic to other servers. Doesn't handle any # Handles sending federation traffic to other servers. Doesn't handle any
# REST endpoints itself, but you should set `send_federation: False` in the # REST endpoints itself, but you should set `send_federation: False` in the
# shared configuration file to stop the main synapse sending this traffic. # shared configuration file to stop the main synapse sending this traffic.