Merge branch 'master' into pub.solar
This commit is contained in:
commit
721d982929
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -3,3 +3,4 @@
|
|||
!/inventory/host_vars/.gitkeep
|
||||
!/inventory/scripts
|
||||
/roles/*/files/scratchpad
|
||||
.DS_Store
|
||||
|
|
11
CHANGELOG.md
11
CHANGELOG.md
|
@ -1,3 +1,12 @@
|
|||
# 2020-09-01
|
||||
|
||||
## matrix-registration support
|
||||
|
||||
The playbook can now help you set up [matrix-registration](https://github.com/ZerataX/matrix-registration) - an application that lets you keep your Matrix server's registration private, but still allow certain users (those having a unique registration link) to register by themselves.
|
||||
|
||||
See our [Setting up matrix-registration](docs/configuring-playbook-matrix-registration.md) documentation page to get started.
|
||||
|
||||
|
||||
# 2020-08-21
|
||||
|
||||
## rust-synapse-compress-state support
|
||||
|
@ -87,7 +96,7 @@ To reuse your existing rooms, invite `@smsbot:yourServer` to the room or write a
|
|||
|
||||
Thanks to [benkuly](https://github.com/benkuly)'s efforts, the playbook now supports bridging to SMS (with one telephone number only) via [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge).
|
||||
|
||||
See our [Setting up Matrix SMS bridging](docs/configuring-playbook-matrix-bridge-sms.md) documentation page for getting started.
|
||||
See our [Setting up Matrix SMS bridging](docs/configuring-playbook-bridge-matrix-bridge-sms.md) documentation page for getting started.
|
||||
|
||||
|
||||
# 2020-05-19
|
||||
|
|
18
README.md
18
README.md
|
@ -56,21 +56,23 @@ Using this playbook, you can get the following services configured on your serve
|
|||
|
||||
- (optional) the [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) bridge for Twitter-DMs ([Twitter](https://twitter.com/) - see [docs/configuring-playbook-bridge-mx-puppet-twitter.md](docs/configuring-playbook-bridge-mx-puppet-twitter.md) for setup documentation
|
||||
|
||||
- (optional) the [mx-puppet-discord](https://github.com/Sorunome/mx-puppet-discord) bridge for [Discord](https://discordapp.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-discord.md](docs/configuring-playbook-bridge-mx-puppet-discord.md) for setup documentation
|
||||
- (optional) the [mx-puppet-discord](https://github.com/matrix-discord/mx-puppet-discord) bridge for [Discord](https://discordapp.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-discord.md](docs/configuring-playbook-bridge-mx-puppet-discord.md) for setup documentation
|
||||
|
||||
- (optional) the [mx-puppet-steam](https://github.com/icewind1991/mx-puppet-steam) bridge for [Steam](https://steamapp.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-steam.md](docs/configuring-playbook-bridge-mx-puppet-steam.md) for setup documentation
|
||||
|
||||
- (optional) the [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) for bridging your Matrix server to SMS
|
||||
- (optional) the [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) for bridging your Matrix server to SMS - see [docs/configuring-playbook-bridge-matrix-bridge-sms.md](docs/configuring-playbook-bridge-matrix-bridge-sms.md) for setup documentation
|
||||
|
||||
- (optional) [Email2Matrix](https://github.com/devture/email2matrix) for relaying email messages to Matrix rooms
|
||||
- (optional) [Email2Matrix](https://github.com/devture/email2matrix) for relaying email messages to Matrix rooms - see [docs/configuring-playbook-email2matrix.md](docs/configuring-playbook-email2matrix.md) for setup documentation
|
||||
|
||||
- (optional) [Dimension](https://github.com/turt2live/matrix-dimension), an open source integrations manager for matrix clients
|
||||
- (optional) [Dimension](https://github.com/turt2live/matrix-dimension), an open source integrations manager for matrix clients - see [docs/configuring-playbook-dimension.md](docs/configuring-playbook-dimension.md) for setup documentation
|
||||
|
||||
- (optional) [Jitsi](https://jitsi.org/), an open source video-conferencing platform
|
||||
- (optional) [Jitsi](https://jitsi.org/), an open source video-conferencing platform - see [docs/configuring-playbook-jitsi.md](docs/configuring-playbook-jitsi.md) for setup documentation
|
||||
|
||||
- (optional) [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) for scheduling one-off & recurring reminders and alarms
|
||||
- (optional) [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) for scheduling one-off & recurring reminders and alarms - see [docs/configuring-playbook-bot-matrix-reminder-bot.md](docs/configuring-playbook-bot-matrix-reminder-bot.md) for setup documentation
|
||||
|
||||
- (optional) [synapse-admin](https://github.com/Awesome-Technologies/synapse-admin), a web UI tool for administrating users and rooms on your Matrix server
|
||||
- (optional) [synapse-admin](https://github.com/Awesome-Technologies/synapse-admin), a web UI tool for administrating users and rooms on your Matrix server - see [docs/configuring-playbook-synapse-admin.md](docs/configuring-playbook-synapse-admin.md) for setup documentation
|
||||
|
||||
- (optional) [matrix-registration](https://github.com/ZerataX/matrix-registration), a simple python application to have a token based matrix registration - see [docs/configuring-playbook-matrix-registration.md](docs/configuring-playbook-matrix-registration.md) for setup documentation
|
||||
|
||||
Basically, this playbook aims to get you up-and-running with all the basic necessities around Matrix, without you having to do anything else.
|
||||
|
||||
|
@ -140,6 +142,8 @@ This playbook sets up your server using the following Docker images:
|
|||
|
||||
- [devture/matrix-corporal](https://hub.docker.com/r/devture/matrix-corporal/) - [Matrix Corporal](https://github.com/devture/matrix-corporal): reconciliator and gateway for a managed Matrix server (optional)
|
||||
|
||||
- [devture/zeratax-matrix-registration](https://hub.docker.com/r/devture/zeratax-matrix-registration/) - [matrix-registration](https://github.com/ZerataX/matrix-registration): a simple python application to have a token based matrix registration (optional)
|
||||
|
||||
- [nginx](https://hub.docker.com/_/nginx/) - the [nginx](http://nginx.org/) web server (optional)
|
||||
|
||||
- [certbot/certbot](https://hub.docker.com/r/certbot/certbot/) - the [certbot](https://certbot.eff.org/) tool for obtaining SSL certificates from [Let's Encrypt](https://letsencrypt.org/) (optional)
|
||||
|
|
|
@ -23,7 +23,7 @@ matrix_appservice_discord_bot_token: "YOUR DISCORD APP BOT TOKEN"
|
|||
```
|
||||
|
||||
4. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready.
|
||||
5. Retrieve Discord invite link from the `{{ matrix_appservice_discord_config_path }}/invite_link` file on the server (this defaults to `/matrix/appservice-discord/config/invite_link`)
|
||||
5. Retrieve Discord invite link from the `{{ matrix_appservice_discord_config_path }}/invite_link` file on the server (this defaults to `/matrix/appservice-discord/config/invite_link`). You need to peek at the file on the server via SSH, etc., because it's not available via HTTP(S).
|
||||
6. Invite the Bot to Discord servers you wish to bridge. Administrator permission is recommended.
|
||||
7. Room addresses follow this syntax: `#_discord_guildid_channelid`. You can easily find the guild and channel ids by logging into Discord in a browser and opening the desired channel. The URL will have this format: `discordapp.com/channels/guild_id/channel_id`. Once you have figured out the appropriate room addrss, you can join by doing `/join #_discord_guildid_channelid` in your Matrix client.
|
||||
|
||||
|
|
|
@ -38,6 +38,7 @@ Follow our [Registering users](registering-users.md) guide to learn how to regis
|
|||
|
||||
You are required to specify an access token (belonging to this new user) for Dimension to work.
|
||||
To get an access token for the Dimension user, you can follow one of two options:
|
||||
|
||||
*Through an interactive login*:
|
||||
|
||||
1. In a private browsing session (incognito window), open Element.
|
||||
|
|
|
@ -56,11 +56,19 @@ The default authentication mode of Jitsi is `internal`, however LDAP is also sup
|
|||
```yaml
|
||||
matrix_jitsi_enable_auth: true
|
||||
matrix_jitsi_auth_type: ldap
|
||||
matrix_jitsi_ldap_url: ldap://ldap.DOMAIN # or ldaps:// if using tls
|
||||
matrix_jitsi_ldap_base: "OU=People,DC=DOMAIN"
|
||||
matrix_jitsi_ldap_filter: "(&(uid=%u)(employeeType=active))"
|
||||
matrix_jitsi_ldap_use_tls: false
|
||||
matrix_jitsi_ldap_start_tls: true
|
||||
matrix_jitsi_ldap_url: "ldap://ldap.DOMAIN"
|
||||
matrix_jitsi_ldap_base: "OU=People,DC=DOMAIN
|
||||
#matrix_jitsi_ldap_binddn: ""
|
||||
#matrix_jitsi_ldap_bindpw: ""
|
||||
matrix_jitsi_ldap_filter: "uid=%u"
|
||||
matrix_jitsi_ldap_auth_method: "bind"
|
||||
matrix_jitsi_ldap_version: "3"
|
||||
matrix_jitsi_ldap_use_tls: true
|
||||
matrix_jitsi_ldap_tls_ciphers: ""
|
||||
matrix_jitsi_ldap_tls_check_peer: true
|
||||
matrix_jitsi_ldap_tls_cacert_file: "/etc/ssl/certs/ca-certificates.crt"
|
||||
matrix_jitsi_ldap_tls_cacert_dir: "/etc/ssl/certs"
|
||||
matrix_jitsi_ldap_start_tls: false
|
||||
```
|
||||
|
||||
For more information refer to the [docker-jitsi-meet](https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap) and the [saslauthd `LDAP_SASLAUTHD`](https://github.com/winlibs/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD) documentation.
|
||||
|
|
53
docs/configuring-playbook-matrix-registration.md
Normal file
53
docs/configuring-playbook-matrix-registration.md
Normal file
|
@ -0,0 +1,53 @@
|
|||
# Setting up matrix-registration (optional)
|
||||
|
||||
The playbook can install and configure [matrix-registration](https://github.com/ZerataX/matrix-registration) for you.
|
||||
|
||||
> matrix-registration is a simple python application to have a token based matrix registration.
|
||||
|
||||
Use matrix-registration to **create unique registration links**, which people can use to register on your Matrix server. It allows you to **keep your server's registration closed (private)**, but still allow certain people (these having a special link) to register a user account.
|
||||
|
||||
**matrix-registration** provides 2 things:
|
||||
|
||||
- **an API for creating registration tokens** (unique registration links). This API can be used via `curl` or via the playbook (see [Usage](#usage) below)
|
||||
|
||||
- **a user registration page**, where people can use these registration tokens. By default, exposed at `https:///matrix.DOMAIN/matrix-registration`
|
||||
|
||||
|
||||
## Installing
|
||||
|
||||
Adjust your playbook configuration (your `inventory/host_vars/matrix.DOMAIN/vars.yml` file):
|
||||
|
||||
```yaml
|
||||
matrix_registration_enabled: true
|
||||
|
||||
# Generate a strong secret using: `pwgen -s 64 1`.
|
||||
matrix_registration_admin_secret: "ENTER_SOME_SECRET_HERE"
|
||||
```
|
||||
|
||||
Then, run the [installation](installing.md) command again:
|
||||
|
||||
```
|
||||
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
|
||||
```
|
||||
|
||||
|
||||
## Usage
|
||||
|
||||
**matrix-registration** gets exposed at `https:///matrix.DOMAIN/matrix-registration`
|
||||
|
||||
It provides various [APIs](https://github.com/ZerataX/matrix-registration/wiki/api) - for creating registration tokens, listing tokens, disabling tokens, etc. To make use of all of its capabilities, consider using `curl`.
|
||||
|
||||
We make the most common API (the one for creating unique registration tokens) easy to use via the playbook.
|
||||
|
||||
**To create a new user registration token (link)**, use this command:
|
||||
|
||||
```
|
||||
ansible-playbook -i inventory/hosts setup.yml \
|
||||
--tags=generate-matrix-registration-token \
|
||||
--extra-vars="one_time=yes ex_date=2021-12-31"
|
||||
```
|
||||
|
||||
The above command creates and returns a **one-time use** token, which **expires** on the 31st of December 2021.
|
||||
Adjust the `one_time` and `ex_date` variables as you see fit.
|
||||
|
||||
Share the unique registration link (generated by the command above) with users to let them register on your Matrix server.
|
|
@ -3,7 +3,7 @@
|
|||
By default, this playbook retrieves and auto-renews free SSL certificates from [Let's Encrypt](https://letsencrypt.org/) for the domains it needs (`matrix.<your-domain>` and possibly `element.<your-domain>`)
|
||||
|
||||
Those certificates are used when configuring the nginx reverse proxy installed by this playbook.
|
||||
They can also be used for configuring [your own webserver](docs/configuring-playbook-own-webserver.md), in case you're not using the integrated nginx server provided by the playbook.
|
||||
They can also be used for configuring [your own webserver](configuring-playbook-own-webserver.md), in case you're not using the integrated nginx server provided by the playbook.
|
||||
|
||||
If you need to retrieve certificates for other domains (e.g. your base domain) or more control over certificate retrieval, read below.
|
||||
|
||||
|
@ -13,7 +13,7 @@ Things discussed in this document:
|
|||
|
||||
- [Using your own SSL certificates](#using-your-own-ssl-certificates), if you don't want to or can't use Let's Encrypt certificates, but are still interested in using the integrated nginx reverse proxy server
|
||||
|
||||
- [Not bothering with SSL certificates](#not-bothering-with-ssl-certificates), if you're using [your own webserver](docs/configuring-playbook-own-webserver.md) and would rather this playbook leaves SSL certificate management to you
|
||||
- [Not bothering with SSL certificates](#not-bothering-with-ssl-certificates), if you're using [your own webserver](configuring-playbook-own-webserver.md) and would rather this playbook leaves SSL certificate management to you
|
||||
|
||||
- [Obtaining SSL certificates for additional domains](#obtaining-ssl-certificates-for-additional-domains), if you'd like to host additional domains on the Matrix server and would like the playbook to help you obtain and renew certificates for those domains automatically
|
||||
|
||||
|
|
|
@ -10,7 +10,7 @@ growth of the Matrix community, and helps to make Matrix a success.
|
|||
|
||||
## Enabling Telemetry
|
||||
|
||||
If you'd like to **help by enabling submission of anonymized usage statistics** for your homeserver, add this to your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
|
||||
If you'd like to **help by enabling submission of general usage statistics** for your homeserver, add this to your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
|
||||
|
||||
```yaml
|
||||
matrix_synapse_report_stats: true
|
||||
|
|
|
@ -70,6 +70,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins
|
|||
|
||||
- [Setting up Synapse Admin](configuring-playbook-synapse-admin.md) (optional)
|
||||
|
||||
- [Setting up matrix-registration](configuring-playbook-matrix-registration.md) (optional)
|
||||
|
||||
- [Setting up the REST authentication password provider module](configuring-playbook-rest-auth.md) (optional, advanced)
|
||||
|
||||
- [Setting up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md) (optional, advanced)
|
||||
|
@ -113,7 +115,7 @@ When you're done with all the configuration you'd like to do, continue with [Ins
|
|||
|
||||
- [Setting up Email2Matrix](configuring-playbook-email2matrix.md) (optional)
|
||||
|
||||
- [Setting up Matrix SMS bridging](configuring-playbook-matrix-bridge-sms.md) (optional)
|
||||
- [Setting up Matrix SMS bridging](configuring-playbook-bridge-matrix-bridge-sms.md) (optional)
|
||||
|
||||
|
||||
### Bots
|
||||
|
|
|
@ -42,6 +42,7 @@ To make a back up of the current PostgreSQL database, make sure it's running and
|
|||
```bash
|
||||
docker run \
|
||||
--rm \
|
||||
--log-driver=none \
|
||||
--network=matrix \
|
||||
--env-file=/matrix/postgres/env-postgres-psql \
|
||||
postgres:12.4-alpine \
|
||||
|
|
|
@ -1,6 +1,18 @@
|
|||
# Registering users
|
||||
|
||||
Run this to create a new user account on your Matrix server.
|
||||
This documentation page tells you how to create user account on your Matrix server.
|
||||
|
||||
Table of contents:
|
||||
|
||||
- [Registering users](#registering-users)
|
||||
- [Registering users manually](#registering-users-manually)
|
||||
- [Managing users via a Web UI](#managing-users-via-a-web-ui)
|
||||
- [Letting certain users register on your private server](#letting-certain-users-register-on-your-private-server)
|
||||
- [Enabling public user registration](#enabling-public-user-registration)
|
||||
- [Adding/Removing Administrator privileges to an existing user](#addingremoving-administrator-privileges-to-an-existing-user)
|
||||
|
||||
|
||||
## Registering users manually
|
||||
|
||||
You can do it via this Ansible playbook (make sure to edit the `<your-username>` and `<your-password>` part below):
|
||||
|
||||
|
@ -22,10 +34,31 @@ ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=<your-usern
|
|||
|
||||
If you've just installed Matrix, **to finalize the installation process**, it's best if you proceed to [Configuring service discovery via .well-known](configuring-well-known.md)
|
||||
|
||||
-----
|
||||
|
||||
## Managing users via a Web UI
|
||||
|
||||
To manage users more easily (via a web user-interace), you can install [Synapse Admin](configuring-playbook-synapse-admin.md).
|
||||
|
||||
|
||||
## Adding/Removing Administrator privileges to an existing user.
|
||||
## Letting certain users register on your private server
|
||||
|
||||
If you'd rather **keep your server private** (public registration closed, as is the default), and **let certain people create accounts by themselves** (instead of creating user accounts manually like this), consider installing and making use of [matrix-registration](configuring-playbook-matrix-registration.md).
|
||||
|
||||
|
||||
## Enabling public user registration
|
||||
|
||||
To **open up user registration publicly** (usually **not recommended**), consider using the following configuration:
|
||||
|
||||
```yaml
|
||||
matrix_synapse_enable_registration: true
|
||||
```
|
||||
|
||||
and running the [installation](installing.md) procedure once again.
|
||||
|
||||
If you're opening up registrations publicly like this, you might also wish to [configure CAPTCHA protection](configuring-captcha.md).
|
||||
|
||||
|
||||
## Adding/Removing Administrator privileges to an existing user
|
||||
|
||||
The script `/usr/local/bin/matrix-change-user-admin-status` may be used to change a user's admin privileges.
|
||||
|
||||
|
@ -35,8 +68,3 @@ The script `/usr/local/bin/matrix-change-user-admin-status` may be used to chang
|
|||
```
|
||||
/usr/local/bin/matrix-change-user-admin-status <username> <0/1>
|
||||
```
|
||||
|
||||
|
||||
## Managing users via a Web UI
|
||||
|
||||
To manage users more easily (via a web user-interace), you can install [Synapse Admin](configuring-playbook-synapse-admin.md).
|
||||
|
|
|
@ -13,6 +13,7 @@ List of roles where self-building the Docker image is currently possible:
|
|||
- `matrix-synapse`
|
||||
- `matrix-synapse-admin`
|
||||
- `matrix-client-element`
|
||||
- `matrix-registration`
|
||||
- `matrix-coturn`
|
||||
- `matrix-ma1sd`
|
||||
- `matrix-mailer`
|
||||
|
|
156
examples/caddy2/Caddyfile
Normal file
156
examples/caddy2/Caddyfile
Normal file
|
@ -0,0 +1,156 @@
|
|||
matrix.DOMAIN.tld {
|
||||
|
||||
tls {$CADDY_TLS}
|
||||
|
||||
@identity {
|
||||
path /_matrix/identity/*
|
||||
}
|
||||
|
||||
@noidentity {
|
||||
not path /_matrix/identity/*
|
||||
}
|
||||
|
||||
@search {
|
||||
path /_matrix/client/r0/user_directory/search/*
|
||||
}
|
||||
|
||||
@nosearch {
|
||||
not path /_matrix/client/r0/user_directory/search/*
|
||||
}
|
||||
|
||||
@static {
|
||||
path /matrix/static-files/*
|
||||
}
|
||||
|
||||
@nostatic {
|
||||
not path /matrix/static-files/*
|
||||
}
|
||||
|
||||
header {
|
||||
# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
|
||||
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
|
||||
# Enable cross-site filter (XSS) and tell browser to block detected attacks
|
||||
X-XSS-Protection "1; mode=block"
|
||||
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
|
||||
X-Content-Type-Options "nosniff"
|
||||
# Disallow the site to be rendered within a frame (clickjacking protection)
|
||||
X-Frame-Options "DENY"
|
||||
# X-Robots-Tag
|
||||
X-Robots-Tag "noindex, noarchive, nofollow"
|
||||
167,9 79%
|
||||
}
|
||||
|
||||
# Cache
|
||||
header @static {
|
||||
# Cache
|
||||
Cache-Control "public, max-age=31536000"
|
||||
defer
|
||||
}
|
||||
|
||||
# identity
|
||||
handle @identity {
|
||||
reverse_proxy localhost:8090 {
|
||||
header_up X-Forwarded-Port {http.request.port}
|
||||
header_up X-Forwarded-Proto {http.request.scheme}
|
||||
header_up X-Forwarded-TlsProto {tls_protocol}
|
||||
header_up X-Forwarded-TlsCipher {tls_cipher}
|
||||
header_up X-Forwarded-HttpsProto {proto}
|
||||
}
|
||||
}
|
||||
|
||||
# search
|
||||
handle @search {
|
||||
reverse_proxy localhost:8090 {
|
||||
header_up X-Forwarded-Port {http.request.port}
|
||||
header_up X-Forwarded-Proto {http.request.scheme}
|
||||
header_up X-Forwarded-TlsProto {tls_protocol}
|
||||
header_up X-Forwarded-TlsCipher {tls_cipher}
|
||||
header_up X-Forwarded-HttpsProto {proto}
|
||||
}
|
||||
}
|
||||
|
||||
handle {
|
||||
encode zstd gzip
|
||||
|
||||
reverse_proxy localhost:8008 {
|
||||
header_up X-Forwarded-Port {http.request.port}
|
||||
header_up X-Forwarded-Proto {http.request.scheme}
|
||||
header_up X-Forwarded-TlsProto {tls_protocol}
|
||||
header_up X-Forwarded-TlsCipher {tls_cipher}
|
||||
header_up X-Forwarded-HttpsProto {proto}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
matrix.DOMAIN.tld:8448 {
|
||||
handle {
|
||||
encode zstd gzip
|
||||
|
||||
reverse_proxy 127.0.0.1:8048 {
|
||||
header_up X-Forwarded-Port {http.request.port}
|
||||
header_up X-Forwarded-Proto {http.request.scheme}
|
||||
header_up X-Forwarded-TlsProto {tls_protocol}
|
||||
header_up X-Forwarded-TlsCipher {tls_cipher}
|
||||
header_up X-Forwarded-HttpsProto {proto}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
dimension.DOMAIN.tld {
|
||||
|
||||
tls {$CADDY_TLS}
|
||||
|
||||
header {
|
||||
# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
|
||||
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
|
||||
# Enable cross-site filter (XSS) and tell browser to block detected attacks
|
||||
X-XSS-Protection "1; mode=block"
|
||||
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
|
||||
X-Content-Type-Options "nosniff"
|
||||
# Disallow the site to be rendered within a frame (clickjacking protection)
|
||||
X-Frame-Options "DENY"
|
||||
# X-Robots-Tag
|
||||
X-Robots-Tag "noindex, noarchive, nofollow"
|
||||
}
|
||||
|
||||
handle {
|
||||
encode zstd gzip
|
||||
|
||||
reverse_proxy localhost:8184 {
|
||||
header_up X-Forwarded-Port {http.request.port}
|
||||
header_up X-Forwarded-Proto {http.request.scheme}
|
||||
header_up X-Forwarded-TlsProto {tls_protocol}
|
||||
header_up X-Forwarded-TlsCipher {tls_cipher}
|
||||
header_up X-Forwarded-HttpsProto {proto}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
element.DOMAIN.tld {
|
||||
|
||||
tls {$CADDY_TLS}
|
||||
|
||||
header {
|
||||
# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
|
||||
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
|
||||
# Enable cross-site filter (XSS) and tell browser to block detected attacks
|
||||
X-XSS-Protection "1; mode=block"
|
||||
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
|
||||
X-Content-Type-Options "nosniff"
|
||||
# Disallow the site to be rendered within a frame (clickjacking protection)
|
||||
X-Frame-Options "DENY"
|
||||
# X-Robots-Tag
|
||||
X-Robots-Tag "noindex, noarchive, nofollow"
|
||||
}
|
||||
|
||||
handle {
|
||||
encode zstd gzip
|
||||
|
||||
reverse_proxy localhost:8765 {
|
||||
header_up X-Forwarded-Port {http.request.port}
|
||||
header_up X-Forwarded-Proto {http.request.scheme}
|
||||
header_up X-Forwarded-TlsProto {tls_protocol}
|
||||
header_up X-Forwarded-TlsCipher {tls_cipher}
|
||||
header_up X-Forwarded-HttpsProto {proto}
|
||||
}
|
||||
}
|
|
@ -4,6 +4,9 @@
|
|||
# Note: this playbook does not touch the server referenced here.
|
||||
# Installation happens on another server ("matrix.<matrix-domain>").
|
||||
#
|
||||
# If you've deployed using the wrong domain, you'll have to run the Uninstalling step,
|
||||
# because you can't change the Domain after deployment.
|
||||
#
|
||||
# Example value: example.com
|
||||
matrix_domain: YOUR_BARE_DOMAIN_NAME_HERE
|
||||
|
||||
|
|
|
@ -737,7 +737,7 @@ matrix_ma1sd_threepid_medium_email_connectors_smtp_host: "matrix-mailer"
|
|||
matrix_ma1sd_threepid_medium_email_connectors_smtp_port: 8025
|
||||
matrix_ma1sd_threepid_medium_email_connectors_smtp_tls: 0
|
||||
|
||||
matrix_ma1sd_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}"
|
||||
matrix_ma1sd_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
|
||||
|
||||
matrix_ma1sd_systemd_wanted_services_list: |
|
||||
{{
|
||||
|
@ -799,7 +799,7 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_
|
|||
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}"
|
||||
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}"
|
||||
|
||||
matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}"
|
||||
matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
|
||||
|
||||
matrix_nginx_proxy_systemd_wanted_services_list: |
|
||||
{{
|
||||
|
@ -890,7 +890,7 @@ matrix_client_element_integrations_rest_url: "{{ matrix_dimension_integrations_r
|
|||
matrix_client_element_integrations_widgets_urls: "{{ matrix_dimension_integrations_widgets_urls if matrix_dimension_enabled else ['https://scalar.vector.im/api'] }}"
|
||||
matrix_client_element_integrations_jitsi_widget_url: "{{ matrix_dimension_integrations_jitsi_widget_url if matrix_dimension_enabled else 'https://scalar.vector.im/api/widgets/jitsi.html' }}"
|
||||
|
||||
matrix_client_element_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}"
|
||||
matrix_client_element_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
|
||||
|
||||
matrix_client_element_registration_enabled: "{{ matrix_synapse_enable_registration }}"
|
||||
|
||||
|
@ -985,7 +985,7 @@ matrix_synapse_turn_uris: |
|
|||
|
||||
matrix_synapse_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}"
|
||||
|
||||
matrix_synapse_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}"
|
||||
matrix_synapse_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
|
||||
|
||||
matrix_synapse_systemd_required_services_list: |
|
||||
{{
|
||||
|
@ -1029,3 +1029,34 @@ matrix_synapse_admin_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy
|
|||
# /matrix-synapse-admin
|
||||
#
|
||||
######################################################################
|
||||
|
||||
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# matrix-registration
|
||||
#
|
||||
######################################################################
|
||||
|
||||
matrix_registration_enabled: false
|
||||
|
||||
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-registration over the container network.
|
||||
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
||||
# matrix-registration's HTTP port to the local host.
|
||||
matrix_registration_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8767' }}"
|
||||
|
||||
matrix_registration_riot_instance: "{{ ('https://' + matrix_server_fqn_element) if matrix_client_element_enabled else 'https://riot.im/app/' }}"
|
||||
|
||||
matrix_registration_shared_secret: "{{ matrix_synapse_registration_shared_secret if matrix_synapse_enabled else '' }}"
|
||||
|
||||
matrix_registration_server_location: "{{ 'http://matrix-synapse:8008' if matrix_synapse_enabled else '' }}"
|
||||
|
||||
matrix_registration_api_validate_certs: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
|
||||
|
||||
matrix_registration_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# /matrix-registration
|
||||
#
|
||||
######################################################################
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
|
||||
matrix_bot_matrix_reminder_bot_enabled: true
|
||||
|
||||
matrix_bot_matrix_reminder_bot_docker_image: "anoa/matrix-reminder-bot:release-0.1.0"
|
||||
matrix_bot_matrix_reminder_bot_docker_image: "anoa/matrix-reminder-bot:release-v0.2.0"
|
||||
matrix_bot_matrix_reminder_bot_docker_image_force_pull: "{{ matrix_bot_matrix_reminder_bot_docker_image.endswith(':latest') }}"
|
||||
|
||||
matrix_bot_matrix_reminder_bot_base_path: "{{ matrix_base_data_path }}/matrix-reminder-bot"
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
|
||||
matrix_appservice_slack_enabled: true
|
||||
|
||||
matrix_appservice_slack_docker_image: "cadair/matrix-appservice-slack:cadair"
|
||||
matrix_appservice_slack_docker_image: "matrixdotorg/matrix-appservice-slack:release-1.5.0"
|
||||
matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}"
|
||||
|
||||
matrix_appservice_slack_base_path: "{{ matrix_base_data_path }}/appservice-slack"
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#jinja2: lstrip_blocks: "True"
|
||||
[Unit]
|
||||
Description=Matrix mx-puppet-instagram bridge
|
||||
Description=Matrix Mx Puppet Instagram server
|
||||
{% for service in matrix_mx_puppet_instagram_systemd_required_services_list %}
|
||||
Requires={{ service }}
|
||||
After={{ service }}
|
||||
|
|
|
@ -2,7 +2,7 @@ matrix_client_element_enabled: true
|
|||
|
||||
matrix_client_element_container_image_self_build: false
|
||||
|
||||
matrix_client_element_docker_image: "vectorim/riot-web:v1.7.4"
|
||||
matrix_client_element_docker_image: "vectorim/riot-web:v1.7.7"
|
||||
matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"
|
||||
|
||||
matrix_client_element_data_path: "{{ matrix_base_data_path }}/client-element"
|
||||
|
|
6
roles/matrix-common-after/tasks/dump_runtime_results.yml
Normal file
6
roles/matrix-common-after/tasks/dump_runtime_results.yml
Normal file
|
@ -0,0 +1,6 @@
|
|||
# Ansible outputs the message in the `item=` field.
|
||||
# It's unnecessary to output it again in the actual message, so we don't.
|
||||
- debug:
|
||||
msg: ""
|
||||
with_items: "{{ matrix_playbook_runtime_results }}"
|
||||
when: "matrix_playbook_runtime_results is defined and matrix_playbook_runtime_results|length > 0"
|
|
@ -7,3 +7,7 @@
|
|||
when: run_stop|bool
|
||||
tags:
|
||||
- stop
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/dump_runtime_results.yml"
|
||||
tags:
|
||||
- always
|
||||
|
|
|
@ -91,15 +91,10 @@
|
|||
# We optimize for the common use-case though (short-lived Let's Encrypt certificates).
|
||||
# Reloading doesn't hurt anyway, so there's no need to make this more flexible.
|
||||
- name: Ensure periodic reloading of matrix-coturn is configured for SSL renewal (matrix-coturn-reload)
|
||||
cron:
|
||||
user: root
|
||||
cron_file: matrix-coturn-ssl-reload
|
||||
name: matrix-coturn-ssl-reload
|
||||
state: present
|
||||
hour: "4"
|
||||
minute: "20"
|
||||
day: "*/5"
|
||||
job: "{{ matrix_host_command_systemctl }} reload matrix-coturn.service"
|
||||
template:
|
||||
src: "{{ role_path }}/templates/cron.d/matrix-coturn-ssl-reload.j2"
|
||||
dest: /etc/cron.d/matrix-coturn-ssl-reload
|
||||
mode: 0644
|
||||
when: "matrix_coturn_enabled|bool and matrix_coturn_tls_enabled|bool"
|
||||
|
||||
|
||||
|
@ -108,9 +103,8 @@
|
|||
#
|
||||
|
||||
- name: Ensure matrix-coturn-ssl-reload cronjob removed
|
||||
cron:
|
||||
user: root
|
||||
cron_file: matrix-coturn-ssl-reload
|
||||
file:
|
||||
path: /etc/cron.d/matrix-coturn-ssl-reload
|
||||
state: absent
|
||||
when: "not matrix_coturn_enabled|bool or not matrix_coturn_tls_enabled|bool"
|
||||
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
20 4 */5 * * root {{ matrix_host_command_systemctl }} reload matrix-coturn.service
|
|
@ -27,7 +27,7 @@ matrix_dimension_container_http_host_bind_port: ''
|
|||
# A list of extra arguments to pass to the container
|
||||
matrix_dimension_container_extra_arguments: []
|
||||
|
||||
matrix_dimension_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }}/riot"
|
||||
matrix_dimension_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }}/element"
|
||||
matrix_dimension_integrations_rest_url: "https://{{ matrix_server_fqn_dimension }}/api/v1/scalar"
|
||||
matrix_dimension_integrations_widgets_urls: ["https://{{ matrix_server_fqn_dimension }}/widgets"]
|
||||
matrix_dimension_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_dimension }}/widgets/jitsi"
|
||||
|
|
|
@ -49,6 +49,8 @@ matrix_jitsi_jibri_xmpp_password: ''
|
|||
matrix_jitsi_jibri_recorder_user: recorder
|
||||
matrix_jitsi_jibri_recorder_password: ''
|
||||
|
||||
matrix_jitsi_enable_lobby: false
|
||||
|
||||
matrix_jitsi_container_image_tag: "stable-4857"
|
||||
|
||||
matrix_jitsi_web_docker_image: "jitsi/web:{{ matrix_jitsi_container_image_tag }}"
|
||||
|
|
|
@ -42,4 +42,6 @@ JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }}
|
|||
JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }}
|
||||
JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }}
|
||||
|
||||
ENABLE_LOBBY={{ 1 if matrix_jitsi_enable_lobby else 0 }}
|
||||
|
||||
TZ={{ matrix_jitsi_timezone }}
|
||||
|
|
|
@ -55,37 +55,11 @@
|
|||
mode: 0750
|
||||
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
|
||||
|
||||
- block:
|
||||
- name: Ensure periodic SSL renewal cronjob configured (MAILTO)
|
||||
cron:
|
||||
user: root
|
||||
cron_file: matrix-ssl-lets-encrypt
|
||||
env: yes
|
||||
name: MAILTO
|
||||
value: "{{ matrix_ssl_lets_encrypt_support_email }}"
|
||||
|
||||
- name: Ensure periodic SSL renewal cronjob configured (matrix-ssl-lets-encrypt-certificates-renew)
|
||||
cron:
|
||||
user: root
|
||||
cron_file: matrix-ssl-lets-encrypt
|
||||
name: matrix-ssl-lets-encrypt-certificates-renew
|
||||
state: present
|
||||
hour: "4"
|
||||
minute: "15"
|
||||
day: "*"
|
||||
job: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
|
||||
|
||||
- name: Ensure periodic reloading of matrix-nginx-proxy is configured for SSL renewal (matrix-nginx-proxy-reload)
|
||||
cron:
|
||||
user: root
|
||||
cron_file: matrix-ssl-lets-encrypt
|
||||
name: matrix-nginx-proxy-reload
|
||||
state: present
|
||||
hour: "5"
|
||||
minute: "20"
|
||||
day: "*"
|
||||
job: "{{ matrix_host_command_systemctl }} reload matrix-nginx-proxy.service"
|
||||
when: matrix_nginx_proxy_enabled|bool
|
||||
- name: Ensure periodic SSL renewal cronjob configured
|
||||
template:
|
||||
src: "{{ role_path }}/templates/cron.d/matrix-ssl-lets-encrypt.j2"
|
||||
dest: /etc/cron.d/matrix-ssl-lets-encrypt
|
||||
mode: 0644
|
||||
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
|
||||
|
||||
|
||||
|
@ -93,21 +67,9 @@
|
|||
# Tasks related to getting rid of Let's Encrypt's management of certificates
|
||||
#
|
||||
|
||||
# When nginx-proxy is disabled, make sure its reloading cronjob is gone.
|
||||
# Other cronjobs can potentially remain there (see below).
|
||||
- name: Ensure matrix-nginx-proxy-reload cronjob removed
|
||||
cron:
|
||||
user: root
|
||||
cron_file: matrix-ssl-lets-encrypt
|
||||
name: matrix-nginx-proxy-reload
|
||||
state: absent
|
||||
when: "not matrix_nginx_proxy_enabled|bool"
|
||||
|
||||
- name: Ensure matrix-ssl-lets-encrypt-renew cronjob removed
|
||||
cron:
|
||||
user: root
|
||||
cron_file: matrix-ssl-lets-encrypt
|
||||
name: matrix-ssl-lets-encrypt-certificates-renew
|
||||
file:
|
||||
path: /etc/cron.d/matrix-ssl-lets-encrypt
|
||||
state: absent
|
||||
when: "matrix_ssl_retrieval_method != 'lets-encrypt'"
|
||||
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
MAILTO="{{ matrix_ssl_lets_encrypt_support_email }}"
|
||||
15 4 * * * root {{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
20 5 * * * root {{ matrix_host_command_systemctl }} reload matrix-nginx-proxy.service
|
||||
{% endif %}
|
|
@ -64,6 +64,7 @@
|
|||
set_fact:
|
||||
matrix_postgres_import_command: >-
|
||||
{{ matrix_host_command_docker }} run --rm --name matrix-postgres-import
|
||||
--log-driver=none
|
||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }}
|
||||
--cap-drop=ALL
|
||||
--network={{ matrix_docker_network }}
|
||||
|
|
|
@ -74,6 +74,7 @@
|
|||
docker run
|
||||
--rm
|
||||
--name=matrix-synapse-migrate
|
||||
--log-driver=none
|
||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }}
|
||||
--cap-drop=ALL
|
||||
--network={{ matrix_docker_network }}
|
||||
|
|
|
@ -18,9 +18,16 @@
|
|||
matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_latest if matrix_postgres_detected_version_corresponding_docker_image == '' else matrix_postgres_detected_version_corresponding_docker_image }}"
|
||||
when: matrix_postgres_enabled|bool
|
||||
|
||||
- name: Warn if on an old version of Postgres
|
||||
debug:
|
||||
msg: "NOTE: Your setup is on an old Postgres version ({{ matrix_postgres_docker_image_to_use }}), while {{ matrix_postgres_docker_image_latest }} is supported. You can upgrade using --tags=upgrade-postgres"
|
||||
- name: Inject warning if on an old version of Postgres
|
||||
set_fact:
|
||||
matrix_playbook_runtime_results: |
|
||||
{{
|
||||
matrix_playbook_runtime_results|default([])
|
||||
+
|
||||
[
|
||||
"NOTE: Your setup is on an old Postgres version ({{ matrix_postgres_docker_image_to_use }}), while {{ matrix_postgres_docker_image_latest }} is supported. You can upgrade using --tags=upgrade-postgres"
|
||||
]
|
||||
}}
|
||||
when: "matrix_postgres_enabled|bool and matrix_postgres_docker_image_to_use != matrix_postgres_docker_image_latest"
|
||||
|
||||
# Even if we don't run the internal server, we still need this for running the CLI
|
||||
|
|
|
@ -80,6 +80,7 @@
|
|||
- name: Perform Postgres database dump
|
||||
command: >-
|
||||
{{ matrix_host_command_docker }} run --rm --name matrix-postgres-dump
|
||||
--log-driver=none
|
||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }}
|
||||
--network={{ matrix_docker_network }}
|
||||
--env-file={{ matrix_postgres_base_path }}/env-postgres-psql
|
||||
|
@ -124,6 +125,7 @@
|
|||
set_fact:
|
||||
matrix_postgres_import_command: >-
|
||||
{{ matrix_host_command_docker }} run --rm --name matrix-postgres-import
|
||||
--log-driver=none
|
||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }}
|
||||
--cap-drop=ALL
|
||||
--network={{ matrix_docker_network }}
|
||||
|
|
83
roles/matrix-registration/defaults/main.yml
Normal file
83
roles/matrix-registration/defaults/main.yml
Normal file
|
@ -0,0 +1,83 @@
|
|||
# matrix-registration is a simple python application to have a token based matrix registration
|
||||
# See: https://zeratax.github.io/matrix-registration/
|
||||
|
||||
matrix_registration_enabled: true
|
||||
|
||||
matrix_registration_container_image_self_build: false
|
||||
|
||||
matrix_registration_base_path: "{{ matrix_base_data_path }}/matrix-registration"
|
||||
matrix_registration_config_path: "{{ matrix_registration_base_path }}/config"
|
||||
matrix_registration_data_path: "{{ matrix_registration_base_path }}/data"
|
||||
matrix_registration_docker_src_files_path: "{{ matrix_registration_base_path }}/docker-src"
|
||||
|
||||
matrix_registration_version: "v0.7.0"
|
||||
|
||||
matrix_registration_docker_image: "devture/zeratax-matrix-registration:{{ matrix_registration_version }}"
|
||||
matrix_registration_docker_image_force_pull: "{{ matrix_registration_docker_image.endswith(':latest') }}"
|
||||
matrix_registration_docker_repo: "https://github.com/ZerataX/matrix-registration"
|
||||
|
||||
# A list of extra arguments to pass to the container
|
||||
matrix_registration_container_extra_arguments: []
|
||||
|
||||
# List of systemd services that matrix-registration.service depends on
|
||||
matrix_registration_systemd_required_services_list: ['docker.service']
|
||||
|
||||
# List of systemd services that matrix-registration.service wants
|
||||
matrix_registration_systemd_wanted_services_list: []
|
||||
|
||||
# Controls whether the matrix-registration container exposes its HTTP port (tcp/5000 in the container).
|
||||
#
|
||||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8767"), or empty string to not expose.
|
||||
matrix_registration_container_http_host_bind_port: ''
|
||||
|
||||
# The path at which Matrix Registration will be exposed on `matrix.DOMAIN`
|
||||
# (only applies when matrix-nginx-proxy is used).
|
||||
matrix_registration_public_endpoint: /matrix-registration
|
||||
|
||||
matrix_registration_api_register_endpoint: "{{ matrix_homeserver_url }}{{ matrix_registration_public_endpoint }}/register"
|
||||
matrix_registration_api_token_endpoint: "{{ matrix_homeserver_url }}{{ matrix_registration_public_endpoint }}/token"
|
||||
|
||||
matrix_registration_api_validate_certs: true
|
||||
|
||||
# The URL to your homeserver (e.g.: `https://matrix.DOMAIN`).
|
||||
# A local (in-container address) is preferable.
|
||||
matrix_registration_server_location: ""
|
||||
|
||||
matrix_registration_server_name: "{{ matrix_domain }}"
|
||||
|
||||
# matrix_registration_shared_secret needs to match the homeserver's registration secret.
|
||||
# For Synapse, that's the `registration_shared_secret` setting.
|
||||
matrix_registration_shared_secret: ""
|
||||
|
||||
# matrix_registration_admin_secret is your own admin secret for using matrix-registration (creating new tokens, etc.)
|
||||
matrix_registration_admin_secret: ""
|
||||
|
||||
matrix_registration_riot_instance: "https://riot.im/app/"
|
||||
|
||||
|
||||
# Default matrix-registration configuration template which covers the generic use case.
|
||||
# You can customize it by controlling the various variables inside it.
|
||||
#
|
||||
# For a more advanced customization, you can extend the default (see `matrix_registration_configuration_extension_yaml`)
|
||||
# or completely replace this variable with your own template.
|
||||
matrix_registration_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"
|
||||
|
||||
matrix_registration_configuration_extension_yaml: |
|
||||
# Your custom YAML configuration for registration goes here.
|
||||
# This configuration extends the default starting configuration (`matrix_registration_configuration_yaml`).
|
||||
#
|
||||
# You can override individual variables from the default configuration, or introduce new ones.
|
||||
#
|
||||
# If you need something more special, you can take full control by
|
||||
# completely redefining `matrix_registration_configuration_yaml`.
|
||||
#
|
||||
# Example configuration extension follows:
|
||||
#
|
||||
# password:
|
||||
# min_length: 12
|
||||
|
||||
matrix_registration_configuration_extension: "{{ matrix_registration_configuration_extension_yaml|from_yaml if matrix_registration_configuration_extension_yaml|from_yaml is mapping else {} }}"
|
||||
|
||||
# Holds the final matrix-registration configuration (a combination of the default and its extension).
|
||||
# You most likely don't need to touch this variable. Instead, see `matrix_registration_configuration_yaml`.
|
||||
matrix_registration_configuration: "{{ matrix_registration_configuration_yaml|from_yaml|combine(matrix_registration_configuration_extension, recursive=True) }}"
|
50
roles/matrix-registration/tasks/generate_token.yml
Normal file
50
roles/matrix-registration/tasks/generate_token.yml
Normal file
|
@ -0,0 +1,50 @@
|
|||
- name: Fail if playbook called incorrectly
|
||||
fail:
|
||||
msg: "The `one_time` variable needs to be provided to this playbook, via --extra-vars"
|
||||
when: "one_time is not defined or one_time not in ['yes', 'no']"
|
||||
|
||||
- name: Fail if playbook called incorrectly
|
||||
fail:
|
||||
msg: "The `ex_date` variable (expiration date) needs to be provided to this playbook, via --extra-vars"
|
||||
when: "ex_date is not defined or ex_date == '<date>'"
|
||||
|
||||
- name: Call matrix-registration token creation API
|
||||
uri:
|
||||
url: "{{ matrix_registration_api_token_endpoint }}"
|
||||
follow_redirects: none
|
||||
validate_certs: "{{ matrix_registration_api_validate_certs }}"
|
||||
headers:
|
||||
Content-Type: application/json
|
||||
Authorization: "SharedSecret {{ matrix_registration_admin_secret }}"
|
||||
method: POST
|
||||
body_format: json
|
||||
body: |
|
||||
{
|
||||
"one_time": {{ 'true' if one_time == 'yes' else 'false' }},
|
||||
"ex_date": {{ ex_date|to_json }}
|
||||
}
|
||||
check_mode: no
|
||||
register: matrix_registration_api_result
|
||||
|
||||
- set_fact:
|
||||
matrix_registration_api_result_message: >-
|
||||
matrix-registration result:
|
||||
|
||||
Direct registration link (with the token prefilled):
|
||||
|
||||
{{ matrix_registration_api_register_endpoint }}?token={{ matrix_registration_api_result.json.name }}
|
||||
|
||||
Full token details are:
|
||||
|
||||
{{ matrix_registration_api_result.json }}
|
||||
check_mode: no
|
||||
|
||||
- name: Inject result message into matrix_playbook_runtime_results
|
||||
set_fact:
|
||||
matrix_playbook_runtime_results: |
|
||||
{{
|
||||
matrix_playbook_runtime_results|default([])
|
||||
+
|
||||
[matrix_registration_api_result_message]
|
||||
}}
|
||||
check_mode: no
|
64
roles/matrix-registration/tasks/init.yml
Normal file
64
roles/matrix-registration/tasks/init.yml
Normal file
|
@ -0,0 +1,64 @@
|
|||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-registration'] }}"
|
||||
when: matrix_registration_enabled|bool
|
||||
|
||||
- block:
|
||||
- name: Fail if matrix-nginx-proxy role already executed
|
||||
fail:
|
||||
msg: >-
|
||||
Trying to append matrix-registration's reverse-proxying configuration to matrix-nginx-proxy,
|
||||
but it's pointless since the matrix-nginx-proxy role had already executed.
|
||||
To fix this, please change the order of roles in your plabook,
|
||||
so that the matrix-nginx-proxy role would run after the matrix-registration role.
|
||||
when: matrix_nginx_proxy_role_executed|default(False)|bool
|
||||
|
||||
- name: Generate matrix-registration proxying configuration for matrix-nginx-proxy
|
||||
set_fact:
|
||||
matrix_registration_matrix_nginx_proxy_configuration: |
|
||||
rewrite ^{{ matrix_registration_public_endpoint }}$ $scheme://$server_name{{ matrix_registration_public_endpoint }}/ permanent;
|
||||
rewrite ^{{ matrix_registration_public_endpoint }}/$ $scheme://$server_name{{ matrix_registration_public_endpoint }}/register redirect;
|
||||
|
||||
location ~ ^{{ matrix_registration_public_endpoint }}/(.*) {
|
||||
{% if matrix_nginx_proxy_enabled|default(False) %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "matrix-registration:5000";
|
||||
proxy_pass http://$backend/$1;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://127.0.0.1:8767/$1;
|
||||
{% endif %}
|
||||
|
||||
{#
|
||||
Workaround matrix-registration serving static files at /static
|
||||
(see https://github.com/ZerataX/matrix-registration/issues/29)
|
||||
|
||||
Also fixing the form, which goes to /register.
|
||||
#}
|
||||
sub_filter_once off;
|
||||
sub_filter_types text/html text/css;
|
||||
sub_filter "/static/" "{{ matrix_registration_public_endpoint }}/static/";
|
||||
sub_filter "/register" "{{ matrix_registration_public_endpoint }}/register";
|
||||
}
|
||||
|
||||
- name: Register matrix-registration proxying configuration with matrix-nginx-proxy
|
||||
set_fact:
|
||||
matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: |
|
||||
{{
|
||||
matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks|default([])
|
||||
+
|
||||
[matrix_registration_matrix_nginx_proxy_configuration]
|
||||
}}
|
||||
tags:
|
||||
- always
|
||||
when: matrix_registration_enabled|bool
|
||||
|
||||
- name: Warn about reverse-proxying if matrix-nginx-proxy not used
|
||||
debug:
|
||||
msg: >-
|
||||
NOTE: You've enabled the matrix-registration tool but are not using the matrix-nginx-proxy
|
||||
reverse proxy.
|
||||
Please make sure that you're proxying the `{{ matrix_registration_public_endpoint }}`
|
||||
URL endpoint to the matrix-registration container.
|
||||
You can expose the container's port using the `matrix_registration_container_http_host_bind_port` variable.
|
||||
when: "matrix_registration_enabled|bool and matrix_nginx_proxy_enabled is not defined"
|
19
roles/matrix-registration/tasks/main.yml
Normal file
19
roles/matrix-registration/tasks/main.yml
Normal file
|
@ -0,0 +1,19 @@
|
|||
- import_tasks: "{{ role_path }}/tasks/init.yml"
|
||||
tags:
|
||||
- always
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
|
||||
when: "run_setup|bool and matrix_registration_enabled|bool"
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-matrix-registration
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/setup.yml"
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-matrix-registration
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/generate_token.yml"
|
||||
when: "run_setup|bool and matrix_registration_enabled|bool"
|
||||
tags:
|
||||
- generate-matrix-registration-token
|
103
roles/matrix-registration/tasks/setup.yml
Normal file
103
roles/matrix-registration/tasks/setup.yml
Normal file
|
@ -0,0 +1,103 @@
|
|||
---
|
||||
|
||||
#
|
||||
# Tasks related to setting up matrix-registration
|
||||
#
|
||||
|
||||
- name: Ensure matrix-registration paths exist
|
||||
file:
|
||||
path: "{{ item.path }}"
|
||||
state: directory
|
||||
mode: 0750
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- { path: "{{ matrix_registration_base_path }}", when: true }
|
||||
- { path: "{{ matrix_registration_config_path }}", when: true }
|
||||
- { path: "{{ matrix_registration_data_path }}", when: true }
|
||||
- { path: "{{ matrix_registration_docker_src_files_path }}", when: "{{ matrix_registration_container_image_self_build }}"}
|
||||
when: matrix_registration_enabled|bool and item.when
|
||||
|
||||
- name: Ensure matrix-registration image is pulled
|
||||
docker_image:
|
||||
name: "{{ matrix_registration_docker_image }}"
|
||||
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
|
||||
force_source: "{{ matrix_registration_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
|
||||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_registration_docker_image_force_pull }}"
|
||||
when: "matrix_registration_enabled|bool and not matrix_registration_container_image_self_build|bool"
|
||||
|
||||
- name: Ensure matrix-registration repository is present when self-building
|
||||
git:
|
||||
repo: "{{ matrix_registration_docker_repo }}"
|
||||
dest: "{{ matrix_registration_docker_src_files_path }}"
|
||||
version: "{{ matrix_registration_version }}"
|
||||
force: "yes"
|
||||
register: matrix_registration_git_pull_results
|
||||
when: "matrix_registration_enabled|bool and matrix_registration_container_image_self_build|bool"
|
||||
|
||||
- name: Ensure matrix-registration Docker image is built
|
||||
docker_image:
|
||||
name: "{{ matrix_registration_docker_image }}"
|
||||
source: build
|
||||
force_source: yes
|
||||
build:
|
||||
dockerfile: Dockerfile
|
||||
path: "{{ matrix_registration_docker_src_files_path }}"
|
||||
pull: yes
|
||||
when: "matrix_registration_enabled|bool and matrix_registration_container_image_self_build|bool and matrix_registration_git_pull_results.changed"
|
||||
|
||||
- name: Ensure matrix-registration config installed
|
||||
copy:
|
||||
content: "{{ matrix_registration_configuration|to_nice_yaml }}"
|
||||
dest: "{{ matrix_registration_config_path }}/config.yaml"
|
||||
mode: 0644
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
when: matrix_registration_enabled|bool
|
||||
|
||||
- name: Ensure matrix-registration.service installed
|
||||
template:
|
||||
src: "{{ role_path }}/templates/systemd/matrix-registration.service.j2"
|
||||
dest: "{{ matrix_systemd_path }}/matrix-registration.service"
|
||||
mode: 0644
|
||||
register: matrix_registration_systemd_service_result
|
||||
when: matrix_registration_enabled|bool
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-registration.service installation
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "matrix_registration_enabled|bool and matrix_registration_systemd_service_result.changed"
|
||||
|
||||
#
|
||||
# Tasks related to getting rid of matrix-registration (if it was previously enabled)
|
||||
#
|
||||
|
||||
- name: Check existence of matrix-registration service
|
||||
stat:
|
||||
path: "{{ matrix_systemd_path }}/matrix-registration.service"
|
||||
register: matrix_registration_service_stat
|
||||
|
||||
- name: Ensure matrix-registration is stopped
|
||||
service:
|
||||
name: matrix-registration
|
||||
state: stopped
|
||||
daemon_reload: yes
|
||||
register: stopping_result
|
||||
when: "not matrix_registration_enabled|bool and matrix_registration_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure matrix-registration.service doesn't exist
|
||||
file:
|
||||
path: "{{ matrix_systemd_path }}/matrix-registration.service"
|
||||
state: absent
|
||||
when: "not matrix_registration_enabled|bool and matrix_registration_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-registration.service removal
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "not matrix_registration_enabled|bool and matrix_registration_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure matrix-registration Docker image doesn't exist
|
||||
docker_image:
|
||||
name: "{{ matrix_registration_docker_image }}"
|
||||
state: absent
|
||||
when: "not matrix_registration_enabled|bool"
|
11
roles/matrix-registration/tasks/validate_config.yml
Normal file
11
roles/matrix-registration/tasks/validate_config.yml
Normal file
|
@ -0,0 +1,11 @@
|
|||
---
|
||||
|
||||
- name: Fail if required matrix-registration settings not defined
|
||||
fail:
|
||||
msg: >
|
||||
You need to define a required configuration setting (`{{ item }}`) for using matrix-registration.
|
||||
when: "vars[item] == ''"
|
||||
with_items:
|
||||
- "matrix_registration_shared_secret"
|
||||
- "matrix_registration_admin_secret"
|
||||
- "matrix_registration_server_location"
|
30
roles/matrix-registration/templates/config.yaml.j2
Normal file
30
roles/matrix-registration/templates/config.yaml.j2
Normal file
|
@ -0,0 +1,30 @@
|
|||
server_location: {{ matrix_registration_server_location|to_json }}
|
||||
server_name: {{ matrix_registration_server_name|to_json }}
|
||||
shared_secret: {{ matrix_registration_shared_secret|to_json }}
|
||||
admin_secret: {{ matrix_registration_admin_secret|to_json }}
|
||||
riot_instance: {{ matrix_registration_riot_instance|to_json }}
|
||||
db: 'sqlite:////data/db.sqlite3'
|
||||
host: '0.0.0.0'
|
||||
port: 5000
|
||||
rate_limit: ["100 per day", "10 per minute"]
|
||||
allow_cors: false
|
||||
logging:
|
||||
disable_existing_loggers: False
|
||||
version: 1
|
||||
root:
|
||||
level: DEBUG
|
||||
handlers: [console]
|
||||
formatters:
|
||||
brief:
|
||||
format: '%(name)s - %(levelname)s - %(message)s'
|
||||
precise:
|
||||
format: '%(asctime)s - %(name)s - %(levelname)s - %(message)s'
|
||||
handlers:
|
||||
console:
|
||||
class: logging.StreamHandler
|
||||
level: INFO
|
||||
formatter: brief
|
||||
stream: ext://sys.stdout
|
||||
# password requirements
|
||||
password:
|
||||
min_length: 8
|
|
@ -0,0 +1,40 @@
|
|||
#jinja2: lstrip_blocks: "True"
|
||||
[Unit]
|
||||
Description=matrix-registration
|
||||
{% for service in matrix_registration_systemd_required_services_list %}
|
||||
Requires={{ service }}
|
||||
After={{ service }}
|
||||
{% endfor %}
|
||||
{% for service in matrix_registration_systemd_wanted_services_list %}
|
||||
Wants={{ service }}
|
||||
{% endfor %}
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-registration
|
||||
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-registration
|
||||
|
||||
ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-registration \
|
||||
--log-driver=none \
|
||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||
--cap-drop=ALL \
|
||||
--network={{ matrix_docker_network }} \
|
||||
{% if matrix_registration_container_http_host_bind_port %}
|
||||
-p {{ matrix_registration_container_http_host_bind_port }}:5000 \
|
||||
{% endif %}
|
||||
-v {{ matrix_registration_config_path }}:/config:ro \
|
||||
-v {{ matrix_registration_data_path }}:/data \
|
||||
{% for arg in matrix_registration_container_extra_arguments %}
|
||||
{{ arg }} \
|
||||
{% endfor %}
|
||||
{{ matrix_registration_docker_image }} \
|
||||
serve
|
||||
|
||||
ExecStop=-{{ matrix_host_command_docker }} kill matrix-registration
|
||||
ExecStop=-{{ matrix_host_command_docker }} rm matrix-registration
|
||||
Restart=always
|
||||
RestartSec=30
|
||||
SyslogIdentifier=matrix-registration
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -20,7 +20,7 @@
|
|||
register: matrix_synapse_admin_git_pull_results
|
||||
when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_container_self_build|bool"
|
||||
|
||||
- name: Ensure matrix-synapse-admin Docker image is build
|
||||
- name: Ensure matrix-synapse-admin Docker image is built
|
||||
docker_image:
|
||||
name: "{{ matrix_synapse_admin_docker_image }}"
|
||||
source: build
|
||||
|
|
|
@ -5,7 +5,7 @@ matrix_synapse_enabled: true
|
|||
|
||||
matrix_synapse_container_image_self_build: false
|
||||
|
||||
matrix_synapse_docker_image: "matrixdotorg/synapse:v1.19.1"
|
||||
matrix_synapse_docker_image: "matrixdotorg/synapse:v1.19.3"
|
||||
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
|
||||
|
||||
matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
|
||||
|
|
Loading…
Reference in a new issue