0.2.1 revision

This commit is contained in:
Michael 2021-02-28 22:21:40 +08:00
parent 4c882c513b
commit 33ec5710d9
62 changed files with 384 additions and 248 deletions

View file

@ -0,0 +1,43 @@
# Configuring AWX System (optional)
An AWX setup for managing multiple Matrix servers.
This section is used in an AWX system that can create and manage multiple [Matrix](http://matrix.org/) servers. You can issue members an AWX login to their own 'organisation', which they can use to manage/configure 1 to N servers.
Members can be assigned a server from Digitalocean, or they can connect their own on-premises server. This script is free to use in a commercial context with the 'MemberPress Plus' and 'WP Oauth Sever' addons. It can also be run in a non-commercial context.
The AWX system is arranged into 'members' each with their own 'subscriptions'. After creating a subscription the user enters the 'provision stage' where they defined the URLs they will use, the servers location and whether or not there's already a website at the base domain. They then proceed onto the 'deploy stage' where they can configure their Matrix server.
Ideally this system can manage the updates, configuration, backups and monitoring on it's own. It is an extension of the popular deploy script [spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy).
Warning: This project is currently alpha quality and should only be run by the brave.
## Other Required Playbooks
The following repositories allow you to copy and use this setup:
[Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) - Creates and configures the AWX system for you.
[Ansible Create Delete Subscription Membership](https://gitlab.com/GoMatrixHosting/ansible-create-delete-subscription-membership) - Used by the AWX system to create memberships and subscriptions.
[Ansible Provision Server](https://gitlab.com/GoMatrixHosting/ansible-provision-server) - Used by AWX members to perform initial configuration of their DigitalOcean or On-Premises server.
## Testing Fork For This Playbook
Updates to this section are trailed here:
[GoMatrixHosting Matrix Docker Ansible Deploy](https://gitlab.com/GoMatrixHosting/gomatrixhosting-matrix-docker-ansible-deploy)
## Does I need an AWX setup to use this? How do I configure it?
Yes, you'll need to configure an AWX instance, the [Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) repository makes it easy to do. Just follow the steps listed in '/docs/Installation.md' of that repository.
## Does I need a front-end WordPress site? And a DigitalOcean account?
You do not need a front-end WordPress site or any of the mentioned WordPress plugins to use this setup. It can be run on it's own in a non-commercial context.
You also don't need a DigitalOcean account, but this will limit you to only being able to connect 'On-Premises' servers.

View file

@ -4,7 +4,7 @@ The playbook can install and configure [mautrix-telegram](https://github.com/tul
See the project's [documentation](https://github.com/tulir/mautrix-telegram/wiki#usage) to learn what it does and why it might be useful to you.
You'll need to obtain API keys from `https://my.telegram.org/apps` and then use the following playbook configuration:
You'll need to obtain API keys from [https://my.telegram.org/apps](https://my.telegram.org/apps) and then use the following playbook configuration:
```yaml
matrix_mautrix_telegram_enabled: true

View file

@ -4,6 +4,8 @@ It can be useful to have some (visual) insight into the performance of your home
You can enable this with the following settings in your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
Remember to add `stats.<your-domain>` to DNS as described in [Configuring DNS](configuring-dns.md) before running the playbook.
```yaml
matrix_prometheus_enabled: true

View file

@ -289,7 +289,7 @@ matrix_mailer_enabled: false
# You can also disable this to save more RAM,
# at the expense of audio/video calls being unreliable.
matrix_coturn_enabled: true
matrix_coturn_enabled: false
# This makes Synapse not keep track of who is online/offline.
#

View file

@ -51,20 +51,15 @@ ansible-playbook -i inventory/hosts setup.yml --tags=run-postgres-vacuum,start
To make a back up of the current PostgreSQL database, make sure it's running and then execute a command like this on the server:
```bash
docker run \
--rm \
--log-driver=none \
--network=matrix \
/usr/bin/docker exec \
--env-file=/matrix/postgres/env-postgres-psql \
docker.io/postgres:13.1-alpine \
pg_dumpall -h matrix-postgres \
matrix-postgres \
/usr/local/bin/pg_dumpall -h matrix-postgres \
| gzip -c \
> /postgres.sql.gz
> /matrix/postgres.sql.gz
```
If you are using an [external Postgres server](configuring-playbook-external-postgres.md), the above command will not work, because the credentials file (`/matrix/postgres/env-postgres-psql`) is not available.
If your server is on the ARM32 [architecture](alternative-architectures.md), you may need to remove the `-alpine` suffix from the image name in the command above.
If you are using an [external Postgres server](configuring-playbook-external-postgres.md), the above command will not work, because neither the credentials file (`/matrix/postgres/env-postgres-psql`), nor the `matrix-postgres` container is available.
Restoring a backup made this way can be done by [importing it](importing-postgres.md).

View file

@ -29,6 +29,22 @@ matrix_homeserver_container_url: "{{ 'http://matrix-nginx-proxy:12080' if matrix
######################################################################
######################################################################
#
# matrix-awx
#
######################################################################
matrix_nginx_proxy_data_path: "{{ '/chroot/website' if (matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled) else (matrix_nginx_proxy_base_path + '/data') }}"
matrix_nginx_proxy_data_path_in_container: "{{ '/nginx-data/matrix-domain' if (matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled) else '/nginx-data' }}"
######################################################################
#
# /matrix-awx
#
######################################################################
######################################################################
#
# matrix-bridge-appservice-discord
@ -1074,6 +1090,9 @@ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:1
matrix_nginx_proxy_proxy_synapse_enabled: "{{ matrix_synapse_enabled }}"
matrix_nginx_proxy_proxy_synapse_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}"
# When matrix-nginx-proxy is disabled, the actual port number that the vhost uses may begin to matter.
matrix_nginx_proxy_proxy_matrix_federation_port: "{{ matrix_federation_public_port }}"
matrix_nginx_proxy_container_federation_host_bind_port: "{{ matrix_federation_public_port }}"
# This used to be hooked to `matrix_synapse_metrics_enabled`, but we don't do it anymore.

View file

@ -1,30 +0,0 @@
{
"name": "Configure Website Access Backup",
"description": "Configure base domain website settings and access the services backup.",
"spec": [
{
"question_name": "Customise Base Domain Website",
"question_description": "Set if you want to adjust the base domain website using SFTP.",
"required": true,
"min": null,
"max": null,
"default": "{{ customise_base_domain_website|string|lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "customise_base_domain_website",
"type": "multiplechoice"
},
{
"question_name": "SFTP Password",
"question_description": "Sets the password of the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as download the latest copy of your services backup. If empty the password won't be updated. WARNING: You must set a strong and unique password here.",
"required": false,
"min": 0,
"max": 64,
"default": "{{ sftp_password }}",
"choices": "",
"new_question": true,
"variable": "sftp_password",
"type": "password"
}
]
}

View file

@ -0,0 +1,54 @@
{
"name": "Configure Website Access Backup",
"description": "Configure base domain website settings and access the services backup.",
"spec": [
{
"question_name": "Customise Base Domain Website",
"question_description": "Set if you want to adjust the base domain website using SFTP.",
"required": true,
"min": null,
"max": null,
"default": "{{ customise_base_domain_website | string | lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "customise_base_domain_website",
"type": "multiplechoice"
},
{
"question_name": "SFTP Authorisation Method",
"question_description": "Set whether you want to disable SFTP, use a password to connect to SFTP or connect with a more secure SSH key.",
"required": true,
"min": null,
"max": null,
"default": "{{ sftp_auth_method | string }}",
"choices": "Disabled\nPassword\nSSH Key",
"new_question": true,
"variable": "sftp_auth_method",
"type": "multiplechoice"
},
{
"question_name": "SFTP Password",
"question_description": "Sets the password of the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as export the latest copy of your Matrix service. Must be defined if 'Password' method is selected. WARNING: You must set a strong and unique password here.",
"required": false,
"min": 0,
"max": 64,
"default": "{{ sftp_password }}",
"choices": "",
"new_question": true,
"variable": "sftp_password",
"type": "password"
},
{
"question_name": "SFTP Public SSH Key (More Secure)",
"question_description": "Sets the public SSH key used to access the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as export the latest copy of your Matrix service. Must be defined if 'SSH Key' method is selected.",
"required": false,
"min": 0,
"max": 16384,
"default": "{{ sftp_public_key }}",
"choices": "",
"new_question": true,
"variable": "sftp_public_key",
"type": "text"
}
]
}

View file

@ -20,7 +20,7 @@
- name: Create user account
command: |
/usr/local/bin/matrix-synapse-register-user {{ new_username }} '{{ new_password }}' {{ admin_bool }}
/usr/local/bin/matrix-synapse-register-user {{ new_username | quote }} {{ new_password | quote }} {{ admin_bool }}
register: cmd
- name: Result

View file

@ -22,15 +22,18 @@
'matrix_nginx_proxy_base_domain_homepage_enabled': 'false'
when: customise_base_domain_website|bool == true
- name: Record 'Customise Website + Access Backup' variables locally on AWX
- name: Record custom 'Customise Website + Access Export' variables locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# AWX Settings'
insertafter: '# Custom Settings'
with_dict:
'customise_base_domain_website': '{{ customise_base_domain_website }}'
'sftp_auth_method': '"{{ sftp_auth_method }}"'
'sftp_password': '"{{ sftp_password }}"'
'sftp_public_key': '"{{ sftp_public_key }}"'
- name: Copy new 'matrix_vars.yml' to target machine
copy:
@ -41,17 +44,18 @@
- name: Reload vars in matrix_vars.yml
include_vars:
file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
no_log: True
- name: Save new 'Customise Website + Access Backup' survey.json to the AWX tower, template
- name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template
delegate_to: 127.0.0.1
template:
src: './roles/matrix-awx/surveys/configure_website_access_backup.json.j2'
dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_backup.json'
src: './roles/matrix-awx/surveys/configure_website_access_export.json.j2'
dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'
- name: Copy new 'Customise Website + Access Backup' survey.json to target machine
- name: Copy new 'Customise Website + Access Export' survey.json to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_backup.json'
dest: '/matrix/awx/configure_website_access_backup.json'
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'
dest: '/matrix/awx/configure_website_access_export.json'
mode: '0660'
- name: Collect AWX admin token the hard way!
@ -61,11 +65,11 @@
register: tower_token
no_log: True
- name: Recreate 'Customise Base Domain Website' job template
- name: Recreate 'Customise Base Domain Export' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
name: "{{ matrix_domain }} - 1 - Configure Website + Access Backup"
description: "Configure base domain website settings and access the services backup."
name: "{{ matrix_domain }} - 1 - Configure Website + Access Export"
description: "Configure base domain website settings and access the servers export."
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
job_type: run
job_tags: "start,setup-nginx-proxy"
@ -74,7 +78,7 @@
playbook: setup.yml
credential: "{{ member_id }} - AWX SSH Key"
survey_enabled: true
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_backup.json') }}"
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json') }}"
become_enabled: yes
state: present
verbosity: 1
@ -82,40 +86,32 @@
tower_oauthtoken: "{{ tower_token.stdout }}"
validate_certs: yes
# Copied over from provision stage
- name: Copy ssh_sftp.service file
copy:
src: './roles/matrix-awx/templates/sftp/ssh_sftp.service'
dest: '/lib/systemd/system/ssh_sftp.service'
mode: 0644
- name: Copy sshd config file
copy:
src: './roles/matrix-awx/templates/sftp/sshd_sftp_config'
dest: '/etc/ssh/sshd_sftp_config'
mode: 0644
- name: Ensure group "sftp" exists
group:
name: sftp
state: present
- name: If user defines sftp_password, enable account / set password on 'stfp' account.
- name: If user doesn't define a sftp_password, create a disabled 'sftp' account
user:
name: sftp
comment: SFTP user to set custom web files
comment: SFTP user to set custom web files and access servers export
shell: /bin/false
home: /home/sftp/
home: /home/sftp
group: sftp
password: '*'
update_password: always
when: sftp_password|length == 0
- name: If user defines sftp_password, enable account and set password on 'stfp' account
user:
name: sftp
comment: SFTP user to set custom web files and access servers export
shell: /bin/false
home: /home/sftp
group: sftp
password: "{{ sftp_password | password_hash('sha512') }}"
update_password: always
when: (sftp_password is defined) and (sftp_password|length > 0)
# would be safer if it generated the password for you!
- name: Setup SFTP users default root path
shell: sudo usermod -d / sftp
when: sftp_password|length > 0
- name: adding existing user 'sftp' to group matrix
user:
@ -131,7 +127,7 @@
group: root
mode: '1755'
- name: Create the rw /chroot/website directory if it doesn't exist.
- name: Ensure /chroot/website location exists.
file:
path: /chroot/website
state: directory
@ -139,21 +135,96 @@
group: matrix
mode: '0574'
- name: Ensure /chroot/backup/ location exists
- name: Ensure /chroot/export location exists
file:
path: /chroot/backup
path: /chroot/export
state: directory
owner: sftp
group: sftp
mode: '0700'
- name: Enable service ssh_sftp.service
service:
name: ssh_sftp.service
enabled: yes
- name: Ensure /home/sftp/.ssh location exists
file:
path: /home/sftp/.ssh
state: directory
owner: sftp
group: sftp
mode: '0700'
- name: Start service ssh_sftp.service
service:
name: ssh_sftp.service
state: started
- name: Ensure /home/sftp/authorized_keys exists
file:
path: /home/sftp/.ssh/authorized_keys
state: touch
owner: sftp
group: sftp
mode: '0644'
- name: Clear authorized_keys file
shell: echo "" > /home/sftp/.ssh/authorized_keys
- name: Insert public SSH key into authorized_keys file
lineinfile:
path: /home/sftp/.ssh/authorized_keys
line: "{{ sftp_public_key }}"
owner: sftp
group: sftp
mode: '0644'
when: (sftp_public_key | length > 0) and (sftp_auth_method == "SSH Key")
- name: Alter SSH Subsystem State 1
lineinfile:
path: /etc/ssh/sshd_config
line: "Subsystem sftp /usr/lib/openssh/sftp-server"
state: absent
- name: Alter SSH Subsystem State 2
lineinfile:
path: /etc/ssh/sshd_config
insertafter: "^# override default of no subsystems"
line: "Subsystem sftp internal-sftp"
- name: Add SSH Match User section for disabled auth
blockinfile:
path: /etc/ssh/sshd_config
state: absent
block: |
Match User sftp
ChrootDirectory /chroot
PermitTunnel no
X11Forwarding no
AllowTcpForwarding no
PasswordAuthentication yes
AuthorizedKeysFile /home/sftp/.ssh/authorized_keys
when: sftp_auth_method == "Disabled"
- name: Add SSH Match User section for password auth
blockinfile:
path: /etc/ssh/sshd_config
state: present
block: |
Match User sftp
ChrootDirectory /chroot
PermitTunnel no
X11Forwarding no
AllowTcpForwarding no
PasswordAuthentication yes
when: sftp_auth_method == "Password"
- name: Add SSH Match User section for publickey auth
blockinfile:
path: /etc/ssh/sshd_config
state: present
block: |
Match User sftp
ChrootDirectory /chroot
PermitTunnel no
X11Forwarding no
AllowTcpForwarding no
AuthorizedKeysFile /home/sftp/.ssh/authorized_keys
when: sftp_auth_method == "SSH Key"
- name: Restart service ssh.service
service:
name: ssh.service
state: restarted

View file

@ -2,5 +2,5 @@
- name: Include vars in matrix_vars.yml
include_vars:
file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
# no_log: True
no_log: True

View file

@ -23,8 +23,8 @@
tags:
- import-awx
# Configure SFTP so user can upload a static website
- import_tasks: "{{ role_path }}/tasks/customise_website_access_backup.yml"
# Configure SFTP so user can upload a static website or access the servers export
- import_tasks: "{{ role_path }}/tasks/customise_website_access_export.yml"
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- setup-nginx-proxy

View file

@ -1,23 +0,0 @@
[Unit]
Description=OpenBSD Secure Shell server
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
[Service]
EnvironmentFile=-/etc/default/ssh
ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd -D -f /etc/ssh/sshd_sftp_config $SSHD_OPTS
ExecReload=/usr/sbin/sshd -t
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
Type=notify
RuntimeDirectory=sshd
RuntimeDirectoryMode=0755
[Install]
WantedBy=multi-user.target
Alias=sshd_sftp.service

View file

@ -1,33 +0,0 @@
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Port 2222
PermitRootLogin no
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp internal-sftp
Match User sftp
ChrootDirectory /chroot
PermitTunnel no
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

View file

@ -2,8 +2,8 @@
# See: https://github.com/anoadragon453/matrix-reminder-bot
matrix_bot_matrix_reminder_bot_enabled: true
matrix_bot_matrix_reminder_bot_docker_image: "docker.io/anoa/matrix-reminder-bot:release-v0.2.0"
matrix_bot_matrix_reminder_bot_version: release-v0.2.0
matrix_bot_matrix_reminder_bot_docker_image: "docker.io/anoa/matrix-reminder-bot:{{ matrix_bot_matrix_reminder_bot_version }}"
matrix_bot_matrix_reminder_bot_docker_image_force_pull: "{{ matrix_bot_matrix_reminder_bot_docker_image.endswith(':latest') }}"
matrix_bot_matrix_reminder_bot_base_path: "{{ matrix_base_data_path }}/matrix-reminder-bot"

View file

@ -3,7 +3,8 @@
matrix_appservice_discord_enabled: true
matrix_appservice_discord_docker_image: "docker.io/halfshot/matrix-appservice-discord:v1.0.0"
matrix_appservice_discord_version: v1.0.0
matrix_appservice_discord_docker_image: "docker.io/halfshot/matrix-appservice-discord:{{ matrix_appservice_discord_version }}"
matrix_appservice_discord_docker_image_force_pull: "{{ matrix_appservice_discord_docker_image.endswith(':latest') }}"
matrix_appservice_discord_base_path: "{{ matrix_base_data_path }}/appservice-discord"

View file

@ -7,7 +7,8 @@ matrix_appservice_irc_container_self_build: false
matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git"
matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src"
matrix_appservice_irc_docker_image: "docker.io/matrixdotorg/matrix-appservice-irc:release-0.23.0"
matrix_appservice_irc_version: release-0.23.0
matrix_appservice_irc_docker_image: "docker.io/matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}"
matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}"
matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc"

View file

@ -7,7 +7,8 @@ matrix_appservice_slack_container_self_build: false
matrix_appservice_slack_docker_repo: "https://github.com/matrix-org/matrix-appservice-slack.git"
matrix_appservice_slack_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-slack/docker-src"
matrix_appservice_slack_docker_image: "docker.io/matrixdotorg/matrix-appservice-slack:release-1.5.0"
matrix_appservice_slack_version: release-1.5.0
matrix_appservice_slack_docker_image: "docker.io/matrixdotorg/matrix-appservice-slack:{{ matrix_appservice_slack_version }}"
matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}"
matrix_appservice_slack_base_path: "{{ matrix_base_data_path }}/appservice-slack"

View file

@ -3,7 +3,8 @@
matrix_appservice_webhooks_enabled: true
matrix_appservice_webhooks_docker_image: "docker.io/turt2live/matrix-appservice-webhooks:latest"
matrix_appservice_webhooks_version: latest
matrix_appservice_webhooks_docker_image: "docker.io/turt2live/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}"
matrix_appservice_webhooks_docker_image_force_pull: "{{ matrix_appservice_webhooks_docker_image.endswith(':latest') }}"
matrix_appservice_webhooks_base_path: "{{ matrix_base_data_path }}/appservice-webhooks"

View file

@ -6,8 +6,9 @@ matrix_mautrix_facebook_enabled: true
matrix_mautrix_facebook_container_image_self_build: false
matrix_mautrix_facebook_container_image_self_build_repo: "https://github.com/tulir/mautrix-facebook.git"
matrix_mautrix_facebook_version: latest
# See: https://mau.dev/tulir/mautrix-facebook/container_registry
matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:latest"
matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:{{ matrix_mautrix_facebook_version }}"
matrix_mautrix_facebook_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_facebook_container_image_self_build else 'dock.mau.dev/' }}"
matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}"

View file

@ -6,8 +6,9 @@ matrix_mautrix_hangouts_enabled: true
matrix_mautrix_hangouts_container_image_self_build: false
matrix_mautrix_hangouts_container_image_self_build_repo: "https://github.com/tulir/mautrix-hangouts.git"
matrix_mautrix_hangouts_version: latest
# See: https://mau.dev/tulir/mautrix-hangouts/container_registry
matrix_mautrix_hangouts_docker_image: "{{ matrix_mautrix_hangouts_docker_image_name_prefix }}tulir/mautrix-hangouts:latest"
matrix_mautrix_hangouts_docker_image: "{{ matrix_mautrix_hangouts_docker_image_name_prefix }}tulir/mautrix-hangouts:{{ matrix_mautrix_hangouts_version }}"
matrix_mautrix_hangouts_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_hangouts_container_image_self_build else 'dock.mau.dev/' }}"
matrix_mautrix_hangouts_docker_image_force_pull: "{{ matrix_mautrix_hangouts_docker_image.endswith(':latest') }}"

View file

@ -6,8 +6,9 @@ matrix_mautrix_instagram_enabled: true
matrix_mautrix_instagram_container_image_self_build: false
matrix_mautrix_instagram_container_image_self_build_repo: "https://github.com/tulir/mautrix-instagram.git"
matrix_mautrix_instagram_version: latest
# See: https://mau.dev/tulir/mautrix-instagram/container_registry
matrix_mautrix_instagram_docker_image: "{{ matrix_mautrix_instagram_docker_image_name_prefix }}tulir/mautrix-instagram:latest"
matrix_mautrix_instagram_docker_image: "{{ matrix_mautrix_instagram_docker_image_name_prefix }}tulir/mautrix-instagram:{{ matrix_mautrix_instagram_version }}"
matrix_mautrix_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_instagram_container_image_self_build else 'dock.mau.dev/' }}"
matrix_mautrix_instagram_docker_image_force_pull: "{{ matrix_mautrix_instagram_docker_image.endswith(':latest') }}"
@ -16,7 +17,7 @@ matrix_mautrix_instagram_config_path: "{{ matrix_mautrix_instagram_base_path }}/
matrix_mautrix_instagram_data_path: "{{ matrix_mautrix_instagram_base_path }}/data"
matrix_mautrix_instagram_docker_src_files_path: "{{ matrix_mautrix_instagram_base_path }}/docker-src"
matrix_mautrix_instagram_homeserver_address: 'http://matrix-synapse:8008'
matrix_mautrix_instagram_homeserver_address: "{{ matrix_homeserver_container_url }}"
matrix_mautrix_instagram_homeserver_domain: '{{ matrix_domain }}'
matrix_mautrix_instagram_appservice_address: 'http://matrix-mautrix-instagram:29330'

View file

@ -3,11 +3,13 @@
matrix_mautrix_signal_enabled: true
matrix_mautrix_signal_version: latest
matrix_mautrix_signal_daemon_version: latest
# See: https://mau.dev/tulir/mautrix-signal/container_registry
matrix_mautrix_signal_docker_image: "dock.mau.dev/tulir/mautrix-signal:latest"
matrix_mautrix_signal_docker_image: "dock.mau.dev/tulir/mautrix-signal:{{ matrix_mautrix_signal_version }}"
matrix_mautrix_signal_docker_image_force_pull: "{{ matrix_mautrix_signal_docker_image.endswith(':latest') }}"
matrix_mautrix_signal_daemon_docker_image: "dock.mau.dev/maunium/signald:latest"
matrix_mautrix_signal_daemon_docker_image: "dock.mau.dev/maunium/signald:{{ matrix_mautrix_signal_daemon_version }}"
matrix_mautrix_signal_daemon_docker_image_force_pull: "{{ matrix_mautrix_signal_daemon_docker_image.endswith(':latest') }}"
matrix_mautrix_signal_base_path: "{{ matrix_base_data_path }}/mautrix-signal"

View file

@ -7,8 +7,9 @@ matrix_mautrix_telegram_container_self_build: false
matrix_mautrix_telegram_docker_repo: "https://mau.dev/tulir/mautrix-telegram.git"
matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src"
matrix_mautrix_telegram_version: v0.9.0
# See: https://mau.dev/tulir/mautrix-telegram/container_registry
matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.9.0"
matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:{{ matrix_mautrix_telegram_version }}"
matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}"
matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram"

View file

@ -3,15 +3,16 @@
matrix_mautrix_whatsapp_enabled: true
matrix_mautrix_whatsapp_version: latest
# See: https://mau.dev/tulir/mautrix-whatsapp/container_registry
matrix_mautrix_whatsapp_docker_image: "dock.mau.dev/tulir/mautrix-whatsapp:latest"
matrix_mautrix_whatsapp_docker_image: "dock.mau.dev/tulir/mautrix-whatsapp:{{ matrix_mautrix_whatsapp_version }}"
matrix_mautrix_whatsapp_docker_image_force_pull: "{{ matrix_mautrix_whatsapp_docker_image.endswith(':latest') }}"
matrix_mautrix_whatsapp_base_path: "{{ matrix_base_data_path }}/mautrix-whatsapp"
matrix_mautrix_whatsapp_config_path: "{{ matrix_mautrix_whatsapp_base_path }}/config"
matrix_mautrix_whatsapp_data_path: "{{ matrix_mautrix_whatsapp_base_path }}/data"
matrix_mautrix_whatsapp_homeserver_address: "http://matrix-synapse:8008"
matrix_mautrix_whatsapp_homeserver_address: "{{ matrix_homeserver_container_url }}"
matrix_mautrix_whatsapp_homeserver_domain: "{{ matrix_domain }}"
matrix_mautrix_whatsapp_appservice_address: "http://matrix-mautrix-whatsapp:8080"

View file

@ -11,7 +11,8 @@ matrix_mx_puppet_discord_container_image_self_build_repo: "https://github.com/ma
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8432"), or empty string to not expose.
matrix_mx_puppet_discord_container_http_host_bind_port: ''
matrix_mx_puppet_discord_docker_image: "{{ matrix_mx_puppet_discord_docker_image_name_prefix }}sorunome/mx-puppet-discord:latest"
matrix_mx_puppet_discord_version: latest
matrix_mx_puppet_discord_docker_image: "{{ matrix_mx_puppet_discord_docker_image_name_prefix }}sorunome/mx-puppet-discord:{{ matrix_mx_puppet_discord_version }}"
matrix_mx_puppet_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_discord_container_image_self_build else 'docker.io/' }}"
matrix_mx_puppet_discord_docker_image_force_pull: "{{ matrix_mx_puppet_discord_docker_image.endswith(':latest') }}"

View file

@ -11,7 +11,8 @@ matrix_mx_puppet_groupme_container_image_self_build_repo: "https://gitlab.com/ro
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8437"), or empty string to not expose.
matrix_mx_puppet_groupme_container_http_host_bind_port: ''
matrix_mx_puppet_groupme_docker_image: "{{ matrix_mx_puppet_groupme_docker_image_name_prefix }}xangelix/mx-puppet-groupme:latest"
matrix_mx_puppet_groupme_version: latest
matrix_mx_puppet_groupme_docker_image: "{{ matrix_mx_puppet_groupme_docker_image_name_prefix }}xangelix/mx-puppet-groupme:{{ matrix_mx_puppet_groupme_version }}"
matrix_mx_puppet_groupme_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_groupme_container_image_self_build else 'docker.io/' }}"
matrix_mx_puppet_groupme_docker_image_force_pull: "{{ matrix_mx_puppet_groupme_docker_image.endswith(':latest') }}"
@ -22,7 +23,7 @@ matrix_mx_puppet_groupme_docker_src_files_path: "{{ matrix_mx_puppet_groupme_bas
matrix_mx_puppet_groupme_appservice_port: "8437"
matrix_mx_puppet_groupme_homeserver_address: 'http://matrix-synapse:8008'
matrix_mx_puppet_groupme_homeserver_address: "{{ matrix_homeserver_container_url }}"
matrix_mx_puppet_groupme_homeserver_domain: '{{ matrix_domain }}'
matrix_mx_puppet_groupme_appservice_address: 'http://matrix-mx-puppet-groupme:{{ matrix_mx_puppet_groupme_appservice_port }}'

View file

@ -6,7 +6,8 @@ matrix_mx_puppet_instagram_enabled: true
matrix_mx_puppet_instagram_container_image_self_build: false
matrix_mx_puppet_instagram_container_image_self_build_repo: "https://github.com/Sorunome/mx-puppet-instagram.git"
matrix_mx_puppet_instagram_docker_image: "{{ matrix_mx_puppet_instagram_docker_image_name_prefix }}sorunome/mx-puppet-instagram:latest"
matrix_mx_puppet_instagram_version: latest
matrix_mx_puppet_instagram_docker_image: "{{ matrix_mx_puppet_instagram_docker_image_name_prefix }}sorunome/mx-puppet-instagram:{{ matrix_mx_puppet_instagram_version }}"
matrix_mx_puppet_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_instagram_container_image_self_build else 'docker.io/' }}"
matrix_mx_puppet_instagram_docker_image_force_pull: "{{ matrix_mx_puppet_instagram_docker_image.endswith(':latest') }}"

View file

@ -6,7 +6,8 @@ matrix_mx_puppet_skype_enabled: true
matrix_mx_puppet_skype_container_image_self_build: false
matrix_mx_puppet_skype_container_image_self_build_repo: "https://github.com/Sorunome/mx-puppet-skype.git"
matrix_mx_puppet_skype_docker_image: "{{ matrix_mx_puppet_skype_docker_image_name_prefix }}sorunome/mx-puppet-skype:latest"
matrix_mx_puppet_skype_version: latest
matrix_mx_puppet_skype_docker_image: "{{ matrix_mx_puppet_skype_docker_image_name_prefix }}sorunome/mx-puppet-skype:{{ matrix_mx_puppet_skype_version }}"
matrix_mx_puppet_skype_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_skype_container_image_self_build else 'docker.io/' }}"
matrix_mx_puppet_skype_docker_image_force_pull: "{{ matrix_mx_puppet_skype_docker_image.endswith(':latest') }}"

View file

@ -11,7 +11,8 @@ matrix_mx_puppet_slack_container_image_self_build_repo: "https://github.com/Soru
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8432"), or empty string to not expose.
matrix_mx_puppet_slack_container_http_host_bind_port: ''
matrix_mx_puppet_slack_docker_image: "{{ matrix_mx_puppet_slack_docker_image_name_prefix }}sorunome/mx-puppet-slack:latest"
matrix_mx_puppet_slack_version: latest
matrix_mx_puppet_slack_docker_image: "{{ matrix_mx_puppet_slack_docker_image_name_prefix }}sorunome/mx-puppet-slack:{{ matrix_mx_puppet_slack_version }}"
matrix_mx_puppet_slack_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_slack_container_image_self_build else 'docker.io/' }}"
matrix_mx_puppet_slack_docker_image_force_pull: "{{ matrix_mx_puppet_slack_docker_image.endswith(':latest') }}"

View file

@ -11,7 +11,8 @@ matrix_mx_puppet_steam_container_image_self_build_repo: "https://github.com/icew
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8432"), or empty string to not expose.
matrix_mx_puppet_steam_container_http_host_bind_port: ''
matrix_mx_puppet_steam_docker_image: "{{ matrix_mx_puppet_steam_docker_image_name_prefix }}icewind1991/mx-puppet-steam:latest"
matrix_mx_puppet_steam_version: latest
matrix_mx_puppet_steam_docker_image: "{{ matrix_mx_puppet_steam_docker_image_name_prefix }}icewind1991/mx-puppet-steam:{{ matrix_mx_puppet_steam_version }}"
matrix_mx_puppet_steam_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_steam_container_image_self_build else 'docker.io/' }}"
matrix_mx_puppet_steam_docker_image_force_pull: "{{ matrix_mx_puppet_steam_docker_image.endswith(':latest') }}"

View file

@ -11,7 +11,8 @@ matrix_mx_puppet_twitter_container_image_self_build_repo: "https://github.com/So
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8432"), or empty string to not expose.
matrix_mx_puppet_twitter_container_http_host_bind_port: ''
matrix_mx_puppet_twitter_docker_image: "{{ matrix_mx_puppet_twitter_docker_image_name_prefix }}sorunome/mx-puppet-twitter:latest"
matrix_mx_puppet_twitter_version: latest
matrix_mx_puppet_twitter_docker_image: "{{ matrix_mx_puppet_twitter_docker_image_name_prefix }}sorunome/mx-puppet-twitter:{{ matrix_mx_puppet_twitter_version }}"
matrix_mx_puppet_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_twitter_container_image_self_build else 'docker.io/' }}"
matrix_mx_puppet_twitter_docker_image_force_pull: "{{ matrix_mx_puppet_twitter_docker_image.endswith(':latest') }}"

View file

@ -3,7 +3,8 @@
matrix_sms_bridge_enabled: true
matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:0.5.5"
matrix_sms_bridge_version: 0.5.5
matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:{{ matrix_sms_bridge_version }}"
matrix_sms_bridge_base_path: "{{ matrix_base_data_path }}/matrix-sms-bridge"
matrix_sms_bridge_config_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/config"

View file

@ -3,7 +3,8 @@ matrix_client_element_enabled: true
matrix_client_element_container_image_self_build: false
matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git"
matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.21"
matrix_client_element_version: v1.7.21
matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else 'docker.io/' }}"
matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"

View file

@ -2,7 +2,7 @@
- name: Create user account
command: |
/usr/local/bin/matrix-synapse-register-user janitor '{{ matrix_awx_janitor_user_password }}' 1
/usr/local/bin/matrix-synapse-register-user janitor {{ matrix_awx_janitor_user_password | quote }} 1
register: cmd
when: not matrix_awx_janitor_user_created|bool
no_log: True

View file

@ -22,9 +22,10 @@ matrix_corporal_container_extra_arguments: []
# List of systemd services that matrix-corporal.service depends on
matrix_corporal_systemd_required_services_list: ['docker.service']
matrix_corporal_version: 2.1.0
matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}"
matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else 'docker.io/' }}"
matrix_corporal_docker_image_tag: "2.1.0"
matrix_corporal_docker_image_tag: "{{ matrix_corporal_version }}" # for backward-compatibility
matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}"
matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal"

View file

@ -3,7 +3,8 @@ matrix_coturn_enabled: true
matrix_coturn_container_image_self_build: false
matrix_coturn_container_image_self_build_repo: "https://github.com/instrumentisto/coturn-docker-image.git"
matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:4.5.2"
matrix_coturn_version: 4.5.2
matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:{{ matrix_coturn_version }}"
matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else 'docker.io/' }}"
matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"

View file

@ -3,8 +3,8 @@ Description=Reloads matrix-coturn periodically so that new SSL certificates can
[Timer]
Unit=matrix-coturn-reload.service
OnCalendar=Sunday *-*-* 13:00:00
RandomizedDelaySec=3h
OnCalendar=*-*-* 06:30:00
RandomizedDelaySec=1h
[Install]
WantedBy=timers.target

View file

@ -12,7 +12,8 @@ matrix_dimension_widgets_allow_self_signed_ssl_certificates: false
matrix_dimension_base_path: "{{ matrix_base_data_path }}/dimension"
matrix_dimension_docker_image: "docker.io/turt2live/matrix-dimension:latest"
matrix_dimension_version: latest
matrix_dimension_docker_image: "docker.io/turt2live/matrix-dimension:{{ matrix_dimension_version }}"
matrix_dimension_docker_image_force_pull: "{{ matrix_dimension_docker_image.endswith(':latest') }}"
# List of systemd services that matrix-dimension.service depends on.

View file

@ -4,8 +4,10 @@ matrix_dynamic_dns_enabled: true
# The dynamic dns daemon interval
matrix_dynamic_dns_daemon_interval: '300'
matrix_dynamic_dns_version: v3.9.1-ls45
# The docker container to use when in mode
matrix_dynamic_dns_docker_image: '{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:v3.9.1-ls45'
matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}"
matrix_dynamic_dns_docker_image_name_prefix: "{{ 'localhost/' if matrix_dynamic_dns_container_image_self_build else 'docker.io/' }}"

View file

@ -3,7 +3,8 @@ matrix_email2matrix_enabled: true
matrix_email2matrix_base_path: "{{ matrix_base_data_path }}/email2matrix"
matrix_email2matrix_config_dir_path: "{{ matrix_email2matrix_base_path }}/config"
matrix_email2matrix_docker_image: "docker.io/devture/email2matrix:1.0.1"
matrix_email2matrix_version: 1.0.1
matrix_email2matrix_docker_image: "docker.io/devture/email2matrix:{{ matrix_email2matrix_version }}"
matrix_email2matrix_docker_image_force_pull: "{{ matrix_email2matrix_docker_image.endswith(':latest') }}"
# A list of extra arguments to pass to the container

View file

@ -2,7 +2,8 @@ matrix_etherpad_enabled: false
matrix_etherpad_base_path: "{{ matrix_base_data_path }}/etherpad"
matrix_etherpad_docker_image: "docker.io/etherpad/etherpad:1.8.7"
matrix_etherpad_version: 1.8.7
matrix_etherpad_docker_image: "docker.io/etherpad/etherpad:{{ matrix_etherpad_version }}"
matrix_etherpad_docker_image_force_pull: "{{ matrix_etherpad_docker_image.endswith(':latest') }}"
# List of systemd services that matrix-etherpad.service depends on.
@ -22,12 +23,7 @@ matrix_etherpad_user_gid: '5001'
matrix_etherpad_container_http_host_bind_port: ''
# A list of extra arguments to pass to the container
#
# We assume that a reverse proxy is used and tell the container to trust it
# Details: https://github.com/ether/etherpad-lite/blob/develop/doc/docker.md
matrix_etherpad_container_extra_arguments: [
'--env TRUST_PROXY=true'
]
matrix_etherpad_container_extra_arguments: []
matrix_etherpad_public_endpoint: '/etherpad'

View file

@ -3,7 +3,8 @@
matrix_grafana_enabled: false
matrix_grafana_docker_image: "docker.io/grafana/grafana:7.4.0"
matrix_grafana_version: 7.4.0
matrix_grafana_docker_image: "docker.io/grafana/grafana:{{ matrix_grafana_version }}"
matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}"
# Not conditional, because when someone disables metrics

View file

@ -108,8 +108,3 @@
daemon_reload: yes
when: "not matrix_grafana_enabled|bool and matrix_grafana_service_stat.stat.exists"
- name: Ensure matrix-grafana Docker image doesn't exist
docker_image:
name: "{{ matrix_grafana_docker_image }}"
state: absent
when: "not matrix_grafana_enabled|bool"

View file

@ -52,7 +52,8 @@ matrix_jitsi_jibri_recorder_password: ''
matrix_jitsi_enable_lobby: false
matrix_jitsi_container_image_tag: "stable-5142"
matrix_jitsi_version: stable-5142
matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility
matrix_jitsi_web_docker_image: "docker.io/jitsi/web:{{ matrix_jitsi_container_image_tag }}"
matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}"

View file

@ -7,7 +7,8 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev
matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src"
matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}"
matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:4.93-r1"
matrix_mailer_version: 4.93-r1
matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}"
matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else 'docker.io/' }}"
matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}"

View file

@ -1,13 +1,15 @@
matrix_nginx_proxy_enabled: true
matrix_nginx_proxy_version: 1.19.6-alpine
# We use an official nginx image, which we fix-up to run unprivileged.
# An alternative would be an `nginxinc/nginx-unprivileged` image, but
# that is frequently out of date.
matrix_nginx_proxy_docker_image: "docker.io/nginx:1.19.6-alpine"
matrix_nginx_proxy_docker_image: "docker.io/nginx:{{ matrix_nginx_proxy_version }}"
matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}"
matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy"
matrix_nginx_proxy_data_path: "{{ matrix_nginx_proxy_base_path }}/data"
matrix_nginx_proxy_data_path_in_container: "/nginx-data"
matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_base_path }}/conf.d"
# List of systemd services that matrix-nginx-proxy.service depends on
@ -110,6 +112,10 @@ matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}"
# Controls whether proxying the matrix domain should be done.
matrix_nginx_proxy_proxy_matrix_enabled: false
matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}"
# The port name used for federation in the nginx configuration.
# This is not necessarily the port that it's actually on,
# as port-mapping happens (`-p ..`) for the `matrix-nginx-proxy` container.
matrix_nginx_proxy_proxy_matrix_federation_port: 8448
# Controls whether proxying the dimension domain should be done.
matrix_nginx_proxy_proxy_dimension_enabled: false

View file

@ -11,7 +11,6 @@
- "{{ matrix_cron_path }}/matrix-ssl-certificate-renewal"
- "{{ matrix_cron_path }}/matrix-nginx-proxy-periodic-restarter"
- "/etc/cron.d/matrix-ssl-lets-encrypt"
- "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
#
# Tasks related to setting up Let's Encrypt's management of certificates

View file

@ -199,10 +199,10 @@ server {
#}
server {
{% if matrix_nginx_proxy_https_enabled %}
listen 8448 ssl http2;
listen [::]:8448 ssl http2;
listen {{ matrix_nginx_proxy_proxy_matrix_federation_port }} ssl http2;
listen [::]:{{ matrix_nginx_proxy_proxy_matrix_federation_port }} ssl http2;
{% else %}
listen 8448;
listen {{ matrix_nginx_proxy_proxy_matrix_federation_port }};
{% endif %}
server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};

View file

@ -30,15 +30,10 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \
-p {{ matrix_nginx_proxy_container_https_host_bind_port }}:8443 \
{% endif %}
{% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled and matrix_nginx_proxy_container_federation_host_bind_port %}
-p {{ matrix_nginx_proxy_container_federation_host_bind_port }}:8448 \
-p {{ matrix_nginx_proxy_container_federation_host_bind_port }}:{{ matrix_nginx_proxy_proxy_matrix_federation_port }} \
{% endif %}
--mount type=bind,src={{ matrix_nginx_proxy_base_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \
{% if matrix_awx_enabled|bool == false or matrix_nginx_proxy_base_domain_homepage_enabled %}
--mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst=/nginx-data,ro \
{% endif %}
{% if matrix_awx_enabled and matrix_nginx_proxy_base_domain_homepage_enabled|bool == false %}
--mount type=bind,src=/chroot/website,dst=/nginx-data/matrix-domain,ro \
{% endif %}
--mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst={{ matrix_nginx_proxy_data_path_in_container }},ro \
--mount type=bind,src={{ matrix_nginx_proxy_confd_path }},dst=/etc/nginx/conf.d,ro \
{% if matrix_ssl_retrieval_method != 'none' %}
--mount type=bind,src={{ matrix_ssl_config_dir_path }},dst={{ matrix_ssl_config_dir_path }},ro \

View file

@ -3,8 +3,8 @@ Description=Renews Let's Encrypt SSL certificates periodically
[Timer]
Unit=matrix-ssl-lets-encrypt-certificates-renew.service
OnCalendar=Sunday *-*-* 05:00:00
RandomizedDelaySec=3h
OnCalendar=*-*-* 04:00:00
RandomizedDelaySec=2h
[Install]
WantedBy=timers.target

View file

@ -3,8 +3,8 @@ Description=Reloads matrix-nginx-proxy periodically so that new SSL certificates
[Timer]
Unit=matrix-ssl-nginx-proxy-reload.service
OnCalendar=Sunday *-*-* 13:00:00
RandomizedDelaySec=3h
OnCalendar=*-*-* 06:30:00
RandomizedDelaySec=1h
[Install]
WantedBy=timers.target

View file

@ -3,7 +3,8 @@
matrix_prometheus_node_exporter_enabled: false
matrix_prometheus_node_exporter_docker_image: "docker.io/prom/node-exporter:v1.1.0"
matrix_prometheus_node_exporter_version: v1.1.0
matrix_prometheus_node_exporter_docker_image: "docker.io/prom/node-exporter:{{ matrix_prometheus_node_exporter_version }}"
matrix_prometheus_node_exporter_docker_image_force_pull: "{{ matrix_prometheus_node_exporter_docker_image.endswith(':latest') }}"
# A list of extra arguments to pass to the container

View file

@ -52,9 +52,3 @@
service:
daemon_reload: yes
when: "not matrix_prometheus_node_exporter_enabled|bool and matrix_prometheus_node_exporter_service_stat.stat.exists"
- name: Ensure matrix-prometheus-node-exporter Docker image doesn't exist
docker_image:
name: "{{ matrix_prometheus_node_exporter_docker_image }}"
state: absent
when: "not matrix_prometheus_node_exporter_enabled|bool"

View file

@ -3,7 +3,8 @@
matrix_prometheus_enabled: false
matrix_prometheus_docker_image: "docker.io/prom/prometheus:v2.24.1"
matrix_prometheus_version: v2.24.1
matrix_prometheus_docker_image: "docker.io/prom/prometheus:{{ matrix_prometheus_version }}"
matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}"
matrix_prometheus_base_path: "{{ matrix_base_data_path }}/prometheus"

View file

@ -23,9 +23,3 @@
service:
daemon_reload: yes
when: "matrix_prometheus_service_stat.stat.exists|bool"
- name: Ensure matrix-prometheus Docker image doesn't exist
docker_image:
name: "{{ matrix_prometheus_docker_image }}"
state: absent
when: "not matrix_prometheus_enabled|bool"

View file

@ -5,7 +5,8 @@ matrix_redis_connection_password: ""
matrix_redis_base_path: "{{ matrix_base_data_path }}/redis"
matrix_redis_data_path: "{{ matrix_redis_base_path }}/data"
matrix_redis_docker_image_v6: "docker.io/redis:6.0.10-alpine"
matrix_redis_version: 6.0.10-alpine
matrix_redis_docker_image_v6: "docker.io/redis:{{ matrix_redis_version }}"
matrix_redis_docker_image_latest: "{{ matrix_redis_docker_image_v6 }}"
matrix_redis_docker_image_to_use: '{{ matrix_redis_docker_image_latest }}'

View file

@ -8,7 +8,8 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech
matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src"
matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:0.7.0"
matrix_synapse_admin_version: 0.7.0
matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}"
matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else 'docker.io/' }}"
matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}"

View file

@ -15,7 +15,9 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
# amd64 gets released first.
# arm32 relies on self-building, so the same version can be built immediately.
# arm64 users need to wait for a prebuilt image to become available.
matrix_synapse_docker_image_tag: "{{ 'v1.27.0' if matrix_architecture in ['arm32', 'amd64'] else 'v1.26.0' }}"
matrix_synapse_version: v1.28.0
matrix_synapse_version_arm64: v1.28.0
matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"

View file

@ -141,6 +141,7 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }}
# - '100.64.0.0/10'
# - '192.0.0.0/24'
# - '169.254.0.0/16'
# - '192.88.99.0/24'
# - '198.18.0.0/15'
# - '192.0.2.0/24'
# - '198.51.100.0/24'
@ -149,6 +150,9 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }}
# - '::1/128'
# - 'fe80::/10'
# - 'fc00::/7'
# - '2001:db8::/32'
# - 'ff00::/8'
# - 'fec0::/10'
# List of IP address CIDR ranges that should be allowed for federation,
# identity servers, push servers, and for checking key validity for
@ -993,6 +997,7 @@ url_preview_ip_range_blacklist:
- '100.64.0.0/10'
- '192.0.0.0/24'
- '169.254.0.0/16'
- '192.88.99.0/24'
- '198.18.0.0/15'
- '192.0.2.0/24'
- '198.51.100.0/24'
@ -1001,6 +1006,9 @@ url_preview_ip_range_blacklist:
- '::1/128'
- 'fe80::/10'
- 'fc00::/7'
- '2001:db8::/32'
- 'ff00::/8'
- 'fec0::/10'
# List of IP address CIDR ranges that the URL preview spider is allowed
# to access even if they are specified in url_preview_ip_range_blacklist.
@ -1327,6 +1335,8 @@ account_threepid_delegates:
# By default, any room aliases included in this list will be created
# as a publicly joinable room when the first user registers for the
# homeserver. This behaviour can be customised with the settings below.
# If the room already exists, make certain it is a publicly joinable
# room. The join rule of the room must be set to 'public'.
#
#auto_join_rooms:
# - "#example:example.com"
@ -1869,9 +1879,9 @@ oidc_providers:
# user_mapping_provider:
# config:
# subject_claim: "id"
# localpart_template: "{ user.login }"
# display_name_template: "{ user.name }"
# email_template: "{ user.email }"
# localpart_template: "{% raw %}{{ user.login }}{% endraw %}"
# display_name_template: "{% raw %}{{ user.name }}{% endraw %}"
# email_template: "{% raw %}{{ user.email }}{% endraw %}"
# For use with Keycloak
#
@ -1898,8 +1908,8 @@ oidc_providers:
# user_mapping_provider:
# config:
# subject_claim: "id"
# localpart_template: "{ user.login }"
# display_name_template: "{ user.name }"
# localpart_template: "{% raw %}{{ user.login }}{% endraw %}"
# display_name_template: "{% raw %}{{ user.name }}{% endraw %}"
# Enable Central Authentication Service (CAS) for registration and login.
@ -2227,11 +2237,11 @@ password_config:
#require_uppercase: true
ui_auth:
# The number of milliseconds to allow a user-interactive authentication
# session to be active.
# The amount of time to allow a user-interactive authentication session
# to be active.
#
# This defaults to 0, meaning the user is queried for their credentials
# before every action, but this can be overridden to alow a single
# before every action, but this can be overridden to allow a single
# validation to be re-used. This weakens the protections afforded by
# the user-interactive authentication process, by allowing for multiple
# (and potentially different) operations to use the same validation session.
@ -2239,7 +2249,7 @@ ui_auth:
# Uncomment below to allow for credential validation to last for 15
# seconds.
#
#session_timeout: 15000
#session_timeout: "15s"
{% if matrix_synapse_email_enabled %}

View file

@ -22,6 +22,11 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name {{ matrix_synapse_wor
--read-only \
--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \
--network={{ matrix_docker_network }} \
{% if matrix_synapse_worker_details.port != 0 %}
--health-cmd 'curl -fSs http://localhost:{{ matrix_synapse_worker_details.port }}/health || exit 1' \
{% else %}
--no-healthcheck \
{% endif %}
{% if matrix_synapse_workers_enabled and matrix_synapse_workers_container_host_bind_address %}
{% if matrix_synapse_worker_details.port != 0 %}
-p {{ '' if matrix_synapse_workers_container_host_bind_address == '*' else (matrix_synapse_workers_container_host_bind_address + ':') }}{{ matrix_synapse_worker_details.port }}:{{ matrix_synapse_worker_details.port }} \

View file

@ -107,7 +107,8 @@ matrix_synapse_workers_generic_worker_endpoints:
# Ensure that all SSO logins go to a single process.
# For multiple workers not handling the SSO endpoints properly, see
# [#7530](https://github.com/matrix-org/synapse/issues/7530).
# [#7530](https://github.com/matrix-org/synapse/issues/7530) and
# [#9427](https://github.com/matrix-org/synapse/issues/9427).
# Note that a HTTP listener with `client` and `federation` resources must be
# configured in the `worker_listeners` option in the worker config.
@ -203,7 +204,15 @@ matrix_synapse_workers_generic_worker_endpoints:
# REST endpoints itself, but you should set `start_pushers: False` in the
# shared configuration file to stop the main synapse sending push notifications.
# Note this worker cannot be load-balanced: only one instance should be active.
# To run multiple instances at once the `pusher_instances` option should list all
# pusher instances by their worker name, e.g.:
# ```yaml
# pusher_instances:
# - pusher_worker1
# - pusher_worker2
# ```
# ]
# appservice worker (no API endpoints) [