Merge branch 'master' into pub.solar
commit
431fcfd9d3
GPG Key ID:
18DAE600A6BBE705
15
README.md
15
README.md
|
|
@ -29,7 +29,7 @@ Using this playbook, you can get the following services configured on your serve
|
|||
|
||||
- (optional, default) an [Element](https://app.element.io/) ([formerly Riot](https://element.io/previously-riot)) web UI, which is configured to connect to your own Synapse server by default
|
||||
|
||||
- (optional, default) an [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server
|
||||
- (optional, default) a [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server
|
||||
|
||||
- (optional, default) an [Exim](https://www.exim.org/) mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server)
|
||||
|
||||
|
|
@ -47,7 +47,7 @@ Using this playbook, you can get the following services configured on your serve
|
|||
|
||||
- (optional) the [mautrix-telegram](https://github.com/tulir/mautrix-telegram) bridge for bridging your Matrix server to [Telegram](https://telegram.org/)
|
||||
|
||||
- (optional) the [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) bridge for bridging your Matrix server to [Whatsapp](https://www.whatsapp.com/)
|
||||
- (optional) the [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) bridge for bridging your Matrix server to [WhatsApp](https://www.whatsapp.com/)
|
||||
|
||||
- (optional) the [mautrix-facebook](https://github.com/tulir/mautrix-facebook) bridge for bridging your Matrix server to [Facebook](https://facebook.com/)
|
||||
|
||||
|
|
@ -103,7 +103,7 @@ Using this playbook, you can get the following services configured on your serve
|
|||
|
||||
- (optional) the [Sygnal](https://github.com/matrix-org/sygnal) push gateway - see [Setting up the Sygnal push gateway](docs/configuring-playbook-sygnal.md) for setup documentation
|
||||
|
||||
Basically, this playbook aims to get you up-and-running with all the basic necessities around Matrix, without you having to do anything else.
|
||||
Basically, this playbook aims to get you up-and-running with all the necessities around Matrix, without you having to do anything else.
|
||||
|
||||
**Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need.
|
||||
Sticking with the defaults (which install a subset of the above components) is the best choice, especially for a new installation.
|
||||
|
|
@ -128,4 +128,11 @@ When updating the playbook, refer to [the changelog](CHANGELOG.md) to catch up w
|
|||
|
||||
- IRC channel: `#matrix-docker-ansible-deploy` on the [Freenode](https://freenode.net/) IRC network (irc.freenode.net)
|
||||
|
||||
- Github issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues)
|
||||
- GitHub issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues)
|
||||
|
||||
|
||||
## Services by the community
|
||||
|
||||
- [etke.cc](https://etke.cc) - matrix-docker-ansible-deploy and system stuff "as a service". That service will create your matrix homeserver on your domain and server (doesn't matter if it's cloud provider or on an old laptop in the corner of your room), (optional) maintains it (server's system updates, cleanup, security adjustments, tuning, etc.; matrix homeserver updates & maintenance) and (optional) provide full-featured email service for your domain
|
||||
|
||||
- [GoMatrixHosting](https://gomatrixhosting.com) - matrix-docker-ansible-deploy "as a service" with [Ansible AWX](https://github.com/ansible/awx). Members can be assigned a server from DigitalOcean, or they can connect their on-premises server. This AWX system can manage the updates, configuration, import and export, backups, and monitoring on its own. For more information [see our GitLab group](https://gitlab.com/GoMatrixHosting) or come [visit us on Matrix](https://matrix.to/#/#general:gomatrixhosting.com).
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@ matrix_client_element_enabled: true
|
|||
matrix_client_element_container_image_self_build: false
|
||||
matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git"
|
||||
|
||||
matrix_client_element_version: v1.7.27
|
||||
matrix_client_element_version: v1.7.28
|
||||
matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
|
||||
matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
|
||||
matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
|
||||
matrix_grafana_enabled: false
|
||||
|
||||
matrix_grafana_version: 7.5.5
|
||||
matrix_grafana_version: 7.5.6
|
||||
matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}"
|
||||
matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}"
|
||||
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev
|
|||
matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src"
|
||||
matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}"
|
||||
|
||||
matrix_mailer_version: 4.94.2-r0
|
||||
matrix_mailer_version: 4.94.2-r0-1
|
||||
matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}"
|
||||
matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else matrix_container_global_registry_prefix }}"
|
||||
matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}"
|
||||
|
|
|
|||
|
|
@ -223,6 +223,7 @@ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "localhost:1
|
|||
matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb | int) * 3 }}"
|
||||
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem"
|
||||
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem"
|
||||
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem"
|
||||
|
||||
# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
|
||||
matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}"
|
||||
|
|
@ -385,6 +386,19 @@ matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"
|
|||
matrix_ssl_pre_obtaining_required_service_name: ~
|
||||
matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60
|
||||
|
||||
# OCSP Stapling eliminating the need for clients to contact the CA, with the aim of improving both security and performance.
|
||||
# OCSP stapling can provide a performance boost of up to 30%
|
||||
# nginx web server supports OCSP stapling since version 1.3.7.
|
||||
#
|
||||
# *warning* Nginx is lazy loading OCSP responses, which means that for the first few web requests it is unable to add the OCSP response.
|
||||
# set matrix_nginx_proxy_ocsp_stapling_enabled false to disable OCSP Stapling
|
||||
#
|
||||
# Learn more about what it is here:
|
||||
# - https://en.wikipedia.org/wiki/OCSP_stapling
|
||||
# - https://blog.cloudflare.com/high-reliability-ocsp-stapling/
|
||||
# - https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
|
||||
matrix_nginx_proxy_ocsp_stapling_enabled: true
|
||||
|
||||
# nginx status page configurations.
|
||||
matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: false
|
||||
matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ['{{ ansible_default_ipv4.address }}']
|
||||
|
|
|
|||
|
|
@ -73,6 +73,12 @@ server {
|
|||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem;
|
||||
{% endif %}
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -74,6 +74,12 @@ server {
|
|||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/chain.pem;
|
||||
{% endif %}
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
{% endif %}
|
||||
|
|
|
|||
|
|
@ -79,6 +79,12 @@ server {
|
|||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem;
|
||||
{% endif %}
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
{% endif %}
|
||||
|
|
|
|||
|
|
@ -77,6 +77,12 @@ server {
|
|||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/chain.pem;
|
||||
{% endif %}
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
{% endif %}
|
||||
|
|
|
|||
|
|
@ -136,7 +136,13 @@
|
|||
proxy_max_temp_file_size 0;
|
||||
}
|
||||
|
||||
location / {
|
||||
{#
|
||||
We only handle the root URI for this redirect or homepage serving.
|
||||
Unhandled URIs (mostly by `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes` above) should result in a 404,
|
||||
instead of causing a redirect.
|
||||
See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1058
|
||||
#}
|
||||
location ~* ^/$ {
|
||||
{% if matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain %}
|
||||
return 302 $scheme://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri;
|
||||
{% else %}
|
||||
|
|
@ -196,6 +202,12 @@ server {
|
|||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem;
|
||||
{% endif %}
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
{% endif %}
|
||||
|
|
@ -230,6 +242,12 @@ server {
|
|||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate }};
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
location / {
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@
|
|||
# add_header X-Content-Type-Options nosniff;
|
||||
# add_header X-Frame-Options SAMEORIGIN;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin";
|
||||
|
||||
{% if matrix_nginx_proxy_floc_optout_enabled %}
|
||||
add_header Permissions-Policy interest-cohort=() always;
|
||||
{% endif %}
|
||||
|
|
@ -84,6 +85,12 @@ server {
|
|||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_grafana_hostname }}/chain.pem;
|
||||
{% endif %}
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
{% endif %}
|
||||
|
|
|
|||
|
|
@ -119,6 +119,12 @@ server {
|
|||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/chain.pem;
|
||||
{% endif %}
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
{% endif %}
|
||||
|
|
|
|||
|
|
@ -66,6 +66,12 @@ server {
|
|||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/chain.pem;
|
||||
{% endif %}
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
{% endif %}
|
||||
|
|
|
|||
|
|
@ -76,6 +76,12 @@ server {
|
|||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/chain.pem;
|
||||
{% endif %}
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
{% endif %}
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
|
||||
matrix_prometheus_enabled: false
|
||||
|
||||
matrix_prometheus_version: v2.26.0
|
||||
matrix_prometheus_version: v2.27.0
|
||||
matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}"
|
||||
matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}"
|
||||
|
||||
|
|
|
|||
|
|
@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
|
|||
# amd64 gets released first.
|
||||
# arm32 relies on self-building, so the same version can be built immediately.
|
||||
# arm64 users need to wait for a prebuilt image to become available.
|
||||
matrix_synapse_version: v1.33.2
|
||||
matrix_synapse_version_arm64: v1.33.2
|
||||
matrix_synapse_version: v1.34.0
|
||||
matrix_synapse_version_arm64: v1.34.0
|
||||
matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
|
||||
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
|
||||
|
||||
|
|
@ -454,6 +454,7 @@ matrix_synapse_sentry_dsn: ""
|
|||
|
||||
# Postgres database information
|
||||
matrix_synapse_database_host: "matrix-postgres"
|
||||
matrix_synapse_database_port: 5432
|
||||
matrix_synapse_database_user: "synapse"
|
||||
matrix_synapse_database_password: ""
|
||||
matrix_synapse_database_database: "synapse"
|
||||
|
|
|
|||
|
|
@ -128,6 +128,16 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }}
|
|||
#
|
||||
#gc_thresholds: [700, 10, 10]
|
||||
|
||||
# The minimum time in seconds between each GC for a generation, regardless of
|
||||
# the GC thresholds. This ensures that we don't do GC too frequently.
|
||||
#
|
||||
# A value of `[1s, 10s, 30s]` indicates that a second must pass between consecutive
|
||||
# generation 0 GCs, etc.
|
||||
#
|
||||
# Defaults to `[1s, 10s, 30s]`.
|
||||
#
|
||||
#gc_min_interval: [0.5s, 30s, 1m]
|
||||
|
||||
# Set the limit on the returned events in the timeline in the get
|
||||
# and sync operations. The default value is 100. -1 means no upper limit.
|
||||
#
|
||||
|
|
@ -757,6 +767,12 @@ federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_js
|
|||
#
|
||||
#allow_profile_lookup_over_federation: false
|
||||
|
||||
# Uncomment to disable device display name lookup over federation. By default, the
|
||||
# Federation API allows other homeservers to obtain device display names of any user
|
||||
# on this homeserver. Defaults to 'true'.
|
||||
#
|
||||
#allow_device_name_lookup_over_federation: false
|
||||
|
||||
|
||||
## Caching ##
|
||||
|
||||
|
|
@ -813,6 +829,7 @@ database:
|
|||
password: {{ matrix_synapse_database_password|string|to_json }}
|
||||
database: "{{ matrix_synapse_database_database }}"
|
||||
host: "{{ matrix_synapse_database_host }}"
|
||||
port: {{ matrix_synapse_database_port }}
|
||||
cp_min: 5
|
||||
cp_max: 10
|
||||
|
||||
|
|
@ -1519,6 +1536,7 @@ room_prejoin_state:
|
|||
# - m.room.avatar
|
||||
# - m.room.encryption
|
||||
# - m.room.name
|
||||
# - m.room.create
|
||||
#
|
||||
# Uncomment the following to disable these defaults (so that only the event
|
||||
# types listed in 'additional_event_types' are shared). Defaults to 'false'.
|
||||
|
|
|
|||
Loading…
Reference in New Issue