GoMatrixHosting v0.5.5
This commit is contained in:
parent
03006eb5ab
commit
86e4649578
231
roles/matrix-bot-go-neb/defaults/main.yml
Normal file
231
roles/matrix-bot-go-neb/defaults/main.yml
Normal file
|
@ -0,0 +1,231 @@
|
|||
# Go-NEB is a Matrix bot written in Go. It is the successor to Matrix-NEB, the original Matrix bot written in Python.
|
||||
# See: https://github.com/matrix-org/go-neb
|
||||
|
||||
matrix_bot_go_neb_enabled: true
|
||||
matrix_bot_go_neb_version: latest
|
||||
matrix_bot_go_neb_docker_image: "matrixdotorg/go-neb:{{ matrix_bot_go_neb_version }}"
|
||||
matrix_bot_go_neb_docker_image_force_pull: "{{ matrix_bot_go_neb_docker_image.endswith(':latest') }}"
|
||||
|
||||
matrix_bot_go_neb_base_path: "{{ matrix_base_data_path }}/go-neb"
|
||||
matrix_bot_go_neb_config_path: "{{ matrix_bot_go_neb_base_path }}/config"
|
||||
matrix_bot_go_neb_config_path_in_container: "/config/config.yaml"
|
||||
matrix_bot_go_neb_data_path: "{{ matrix_bot_go_neb_base_path }}/data"
|
||||
matrix_bot_go_neb_data_store_path: "{{ matrix_bot_go_neb_data_path }}/store"
|
||||
|
||||
# Controls whether the matrix-bot-go-neb container exposes its HTTP port (tcp/4050 in the container).
|
||||
#
|
||||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:4050"), or empty string to not expose.
|
||||
matrix_bot_go_neb_container_http_host_bind_port: ''
|
||||
|
||||
# A list of extra arguments to pass to the container
|
||||
matrix_bot_go_neb_container_extra_arguments: []
|
||||
|
||||
# List of systemd services that matrix-bot-go-neb.service depends on
|
||||
matrix_bot_go_neb_systemd_required_services_list: ['docker.service']
|
||||
|
||||
# List of systemd services that matrix-bot-go-neb.service wants
|
||||
matrix_bot_go_neb_systemd_wanted_services_list: []
|
||||
|
||||
# Database-related configuration fields.
|
||||
#
|
||||
# MUST be "sqlite3". No other type is supported.
|
||||
matrix_bot_go_neb_database_engine: 'sqlite3'
|
||||
|
||||
matrix_bot_go_neb_sqlite_database_path_local: "{{ matrix_bot_go_neb_data_path }}/bot.db"
|
||||
matrix_bot_go_neb_sqlite_database_path_in_container: "/data/bot.db"
|
||||
|
||||
matrix_bot_go_neb_storage_database: "{{
|
||||
{
|
||||
'sqlite3': (matrix_bot_go_neb_sqlite_database_path_in_container + '?_busy_timeout=5000'),
|
||||
}[matrix_bot_go_neb_database_engine]
|
||||
}}"
|
||||
|
||||
# The bot's username(s). These users need to be created manually beforehand.
|
||||
# The access tokens that the bot uses to authenticate.
|
||||
# Generate one as described in
|
||||
# https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-dimension.md#access-token
|
||||
# via curl. With the element method, you might run into decryption problems (see https://github.com/matrix-org/go-neb#quick-start)
|
||||
matrix_bot_go_neb_clients: []
|
||||
# - UserID: "@goneb:{{ matrix_domain }}"
|
||||
# AccessToken: "MDASDASJDIASDJASDAFGFRGER"
|
||||
# DeviceID: "DEVICE1"
|
||||
# HomeserverURL: "{{ matrix_homeserver_container_url }}"
|
||||
# Sync: true
|
||||
# AutoJoinRooms: true
|
||||
# DisplayName: "Go-NEB!"
|
||||
# AcceptVerificationFromUsers: [":{{ matrix_domain }}"]
|
||||
#
|
||||
# - UserID: "@another_goneb:{{ matrix_domain }}"
|
||||
# AccessToken: "MDASDASJDIASDJASDAFGFRGER"
|
||||
# DeviceID: "DEVICE2"
|
||||
# HomeserverURL: "{{ matrix_homeserver_container_url }}"
|
||||
# Sync: false
|
||||
# AutoJoinRooms: false
|
||||
# DisplayName: "Go-NEB!"
|
||||
# AcceptVerificationFromUsers: ["^@admin:{{ matrix_domain }}"]
|
||||
|
||||
# The list of realms which Go-NEB is aware of.
|
||||
# Delete or modify this list as appropriate.
|
||||
# See the docs for /configureAuthRealm for the full list of options:
|
||||
# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureAuthRealmRequest
|
||||
matrix_bot_go_neb_realms: []
|
||||
# - ID: "github_realm"
|
||||
# Type: "github"
|
||||
# Config: {} # No need for client ID or Secret as Go-NEB isn't generating OAuth URLs
|
||||
|
||||
# The list of *authenticated* sessions which Go-NEB is aware of.
|
||||
# Delete or modify this list as appropriate.
|
||||
# The full list of options are shown below: there is no single HTTP endpoint
|
||||
# which maps to this section.
|
||||
# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#Session
|
||||
matrix_bot_go_neb_sessions: []
|
||||
# - SessionID: "your_github_session"
|
||||
# RealmID: "github_realm"
|
||||
# UserID: "@YOUR_USER_ID:{{ matrix_domain }}" # This needs to be the username of the person that's allowed to use the !github commands
|
||||
# Config:
|
||||
# # Populate these fields by generating a "Personal Access Token" on github.com
|
||||
# AccessToken: "YOUR_GITHUB_ACCESS_TOKEN"
|
||||
# Scopes: "admin:org_hook,admin:repo_hook,repo,user"
|
||||
|
||||
# The list of services which Go-NEB is aware of.
|
||||
# Delete or modify this list as appropriate.
|
||||
# See the docs for /configureService for the full list of options:
|
||||
# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureServiceRequest
|
||||
matrix_bot_go_neb_services: []
|
||||
# - ID: "echo_service"
|
||||
# Type: "echo"
|
||||
# UserID: "@goneb:{{ matrix_domain }}"
|
||||
# Config: {}
|
||||
|
||||
## Can be obtained from https://developers.giphy.com/dashboard/
|
||||
# - ID: "giphy_service"
|
||||
# Type: "giphy"
|
||||
# UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client
|
||||
# Config:
|
||||
# api_key: "qwg4672vsuyfsfe"
|
||||
# use_downsized: false
|
||||
#
|
||||
## This service has been dead for over a year :/
|
||||
# - ID: "guggy_service"
|
||||
# Type: "guggy"
|
||||
# UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client
|
||||
# Config:
|
||||
# api_key: "2356saaqfhgfe"
|
||||
#
|
||||
## API Key via https://developers.google.com/custom-search/v1/introduction
|
||||
## CX via http://www.google.com/cse/manage/all
|
||||
## https://stackoverflow.com/questions/6562125/getting-a-cx-id-for-custom-search-google-api-python
|
||||
## 'Search the entire web' and 'Image search' enabled for best results
|
||||
# - ID: "google_service"
|
||||
# Type: "google"
|
||||
# UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client
|
||||
# Config:
|
||||
# api_key: "AIzaSyA4FD39m9"
|
||||
# cx: "AIASDFWSRRtrtr"
|
||||
#
|
||||
## Get a key via https://api.imgur.com/oauth2/addclient
|
||||
## Select "oauth2 without callback url"
|
||||
# - ID: "imgur_service"
|
||||
# Type: "imgur"
|
||||
# UserID: "@imgur:{{ matrix_domain }}" # requires a Syncing client
|
||||
# Config:
|
||||
# client_id: "AIzaSyA4FD39m9"
|
||||
# client_secret: "somesecret"
|
||||
#
|
||||
# - ID: "wikipedia_service"
|
||||
# Type: "wikipedia"
|
||||
# UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client
|
||||
# Config:
|
||||
#
|
||||
# - ID: "rss_service"
|
||||
# Type: "rssbot"
|
||||
# UserID: "@another_goneb:{{ matrix_domain }}"
|
||||
# Config:
|
||||
# feeds:
|
||||
# "http://lorem-rss.herokuapp.com/feed?unit=second&interval=60":
|
||||
# rooms: ["!qmElAGdFYCHoCJuaNt:localhost"]
|
||||
# must_include:
|
||||
# author:
|
||||
# - author1
|
||||
# description:
|
||||
# - lorem
|
||||
# - ipsum
|
||||
# must_not_include:
|
||||
# title:
|
||||
# - Lorem
|
||||
# - Ipsum
|
||||
#
|
||||
# - ID: "github_cmd_service"
|
||||
# Type: "github"
|
||||
# UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client
|
||||
# Config:
|
||||
# RealmID: "github_realm"
|
||||
#
|
||||
# # Make sure your BASE_URL can be accessed by Github!
|
||||
# - ID: "github_webhook_service"
|
||||
# Type: "github-webhook"
|
||||
# UserID: "@another_goneb:{{ matrix_domain }}"
|
||||
# Config:
|
||||
# RealmID: "github_realm"
|
||||
# ClientUserID: "@YOUR_USER_ID:{{ matrix_domain }}" # needs to be an authenticated user so Go-NEB can create webhooks. Check the UserID field in the github_realm in matrix_bot_go_neb_sessions.
|
||||
# Rooms:
|
||||
# "!someroom:id":
|
||||
# Repos:
|
||||
# "matrix-org/synapse":
|
||||
# Events: ["push", "issues"]
|
||||
# "matrix-org/dendron":
|
||||
# Events: ["pull_request"]
|
||||
# "!anotherroom:id":
|
||||
# Repos:
|
||||
# "matrix-org/synapse":
|
||||
# Events: ["push", "issues"]
|
||||
# "matrix-org/dendron":
|
||||
# Events: ["pull_request"]
|
||||
#
|
||||
# - ID: "slackapi_service"
|
||||
# Type: "slackapi"
|
||||
# UserID: "@slackapi:{{ matrix_domain }}"
|
||||
# Config:
|
||||
# Hooks:
|
||||
# "hook1":
|
||||
# RoomID: "!someroom:id"
|
||||
# MessageType: "m.text" # default is m.text
|
||||
#
|
||||
# - ID: "alertmanager_service"
|
||||
# Type: "alertmanager"
|
||||
# UserID: "@alertmanager:{{ matrix_domain }}"
|
||||
# Config:
|
||||
# # This is for information purposes only. It should point to Go-NEB path as follows:
|
||||
# # `/services/hooks/<base64 encoded service ID>`
|
||||
# # Where in this case "service ID" is "alertmanager_service"
|
||||
# # Make sure your BASE_URL can be accessed by the Alertmanager instance!
|
||||
# webhook_url: "http://localhost/services/hooks/YWxlcnRtYW5hZ2VyX3NlcnZpY2U"
|
||||
# # Each room will get the notification with the alert rendered with the given template
|
||||
# rooms:
|
||||
# "!someroomid:domain.tld":
|
||||
# text_template: "{{range .Alerts -}} [{{ .Status }}] {{index .Labels \"alertname\" }}: {{index .Annotations \"description\"}} {{ end -}}"
|
||||
# html_template: "{{range .Alerts -}} {{ $severity := index .Labels \"severity\" }} {{ if eq .Status \"firing\" }} {{ if eq $severity \"critical\"}} <font color='red'><b>[FIRING - CRITICAL]</b></font> {{ else if eq $severity \"warning\"}} <font color='orange'><b>[FIRING - WARNING]</b></font> {{ else }} <b>[FIRING - {{ $severity }}]</b> {{ end }} {{ else }} <font color='green'><b>[RESOLVED]</b></font> {{ end }} {{ index .Labels \"alertname\"}} : {{ index .Annotations \"description\"}} <a href=\"{{ .GeneratorURL }}\">source</a><br/>{{end -}}"
|
||||
# msg_type: "m.text" # Must be either `m.text` or `m.notice`
|
||||
|
||||
# Default configuration template which covers the generic use case.
|
||||
# You can customize it by controlling the various variables inside it.
|
||||
#
|
||||
# For a more advanced customization, you can extend the default (see `matrix_bot_go_neb_configuration_extension_yaml`)
|
||||
# or completely replace this variable with your own template.
|
||||
matrix_bot_go_neb_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"
|
||||
|
||||
matrix_bot_go_neb_configuration_extension_yaml: |
|
||||
# Your custom YAML configuration goes here.
|
||||
# This configuration extends the default starting configuration (`matrix_bot_go_neb_configuration_yaml`).
|
||||
#
|
||||
# You can override individual variables from the default configuration, or introduce new ones.
|
||||
#
|
||||
# If you need something more special, you can take full control by
|
||||
# completely redefining `matrix_bot_go_neb_configuration_yaml`.
|
||||
|
||||
matrix_bot_go_neb_configuration_extension: "{{ matrix_bot_go_neb_configuration_extension_yaml|from_yaml if matrix_bot_go_neb_configuration_extension_yaml|from_yaml is mapping else {} }}"
|
||||
|
||||
# Holds the final configuration (a combination of the default and its extension).
|
||||
# You most likely don't need to touch this variable. Instead, see `matrix_bot_go_neb_configuration_yaml`.
|
||||
matrix_bot_go_neb_configuration: "{{ matrix_bot_go_neb_configuration_yaml|from_yaml|combine(matrix_bot_go_neb_configuration_extension, recursive=True) }}"
|
||||
|
3
roles/matrix-bot-go-neb/tasks/init.yml
Normal file
3
roles/matrix-bot-go-neb/tasks/init.yml
Normal file
|
@ -0,0 +1,3 @@
|
|||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-go-neb.service'] }}"
|
||||
when: matrix_bot_go_neb_enabled|bool
|
21
roles/matrix-bot-go-neb/tasks/main.yml
Normal file
21
roles/matrix-bot-go-neb/tasks/main.yml
Normal file
|
@ -0,0 +1,21 @@
|
|||
- import_tasks: "{{ role_path }}/tasks/init.yml"
|
||||
tags:
|
||||
- always
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
|
||||
when: "run_setup|bool and matrix_bot_go_neb_enabled|bool"
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-bot-go-neb
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/setup_install.yml"
|
||||
when: "run_setup|bool and matrix_bot_go_neb_enabled|bool"
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-bot-go-neb
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
|
||||
when: "run_setup|bool and not matrix_bot_go_neb_enabled|bool"
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-bot-go-neb
|
50
roles/matrix-bot-go-neb/tasks/setup_install.yml
Normal file
50
roles/matrix-bot-go-neb/tasks/setup_install.yml
Normal file
|
@ -0,0 +1,50 @@
|
|||
---
|
||||
|
||||
- set_fact:
|
||||
matrix_bot_go_neb_requires_restart: false
|
||||
|
||||
- name: Ensure go-neb paths exist
|
||||
file:
|
||||
path: "{{ item.path }}"
|
||||
state: directory
|
||||
mode: 0750
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- { path: "{{ matrix_bot_go_neb_config_path }}", when: true }
|
||||
- { path: "{{ matrix_bot_go_neb_data_path }}", when: true }
|
||||
- { path: "{{ matrix_bot_go_neb_data_store_path }}", when: true }
|
||||
when: "item.when|bool"
|
||||
|
||||
- name: Ensure go-neb image is pulled
|
||||
docker_image:
|
||||
name: "{{ matrix_bot_go_neb_docker_image }}"
|
||||
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
|
||||
force_source: "{{ matrix_bot_go_neb_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
|
||||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_go_neb_docker_image_force_pull }}"
|
||||
|
||||
- name: Ensure go-neb config installed
|
||||
copy:
|
||||
content: "{{ matrix_bot_go_neb_configuration|to_nice_yaml }}"
|
||||
dest: "{{ matrix_bot_go_neb_config_path }}/config.yaml"
|
||||
mode: 0644
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
|
||||
- name: Ensure matrix-bot-go-neb.service installed
|
||||
template:
|
||||
src: "{{ role_path }}/templates/systemd/matrix-bot-go-neb.service.j2"
|
||||
dest: "{{ matrix_systemd_path }}/matrix-bot-go-neb.service"
|
||||
mode: 0644
|
||||
register: matrix_bot_go_neb_systemd_service_result
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-bot-go-neb.service installation
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "matrix_bot_go_neb_systemd_service_result.changed|bool"
|
||||
|
||||
- name: Ensure matrix-bot-go-neb.service restarted, if necessary
|
||||
service:
|
||||
name: "matrix-bot-go-neb.service"
|
||||
state: restarted
|
||||
when: "matrix_bot_go_neb_requires_restart|bool"
|
35
roles/matrix-bot-go-neb/tasks/setup_uninstall.yml
Normal file
35
roles/matrix-bot-go-neb/tasks/setup_uninstall.yml
Normal file
|
@ -0,0 +1,35 @@
|
|||
---
|
||||
|
||||
- name: Check existence of matrix-go-neb service
|
||||
stat:
|
||||
path: "{{ matrix_systemd_path }}/matrix-bot-go-neb.service"
|
||||
register: matrix_bot_go_neb_service_stat
|
||||
|
||||
- name: Ensure matrix-go-neb is stopped
|
||||
service:
|
||||
name: matrix-bot-go-neb
|
||||
state: stopped
|
||||
daemon_reload: yes
|
||||
register: stopping_result
|
||||
when: "matrix_bot_go_neb_service_stat.stat.exists|bool"
|
||||
|
||||
- name: Ensure matrix-bot-go-neb.service doesn't exist
|
||||
file:
|
||||
path: "{{ matrix_systemd_path }}/matrix-bot-go-neb.service"
|
||||
state: absent
|
||||
when: "matrix_bot_go_neb_service_stat.stat.exists|bool"
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-bot-go-neb.service removal
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "matrix_bot_go_neb_service_stat.stat.exists|bool"
|
||||
|
||||
- name: Ensure Matrix go-neb paths don't exist
|
||||
file:
|
||||
path: "{{ matrix_bot_go_neb_base_path }}"
|
||||
state: absent
|
||||
|
||||
- name: Ensure go-neb Docker image doesn't exist
|
||||
docker_image:
|
||||
name: "{{ matrix_bot_go_neb_docker_image }}"
|
||||
state: absent
|
13
roles/matrix-bot-go-neb/tasks/validate_config.yml
Normal file
13
roles/matrix-bot-go-neb/tasks/validate_config.yml
Normal file
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
|
||||
- name: Fail if there's not at least 1 client
|
||||
fail:
|
||||
msg: >-
|
||||
You need at least 1 client in the matrix_bot_go_neb_clients block.
|
||||
when: matrix_bot_go_neb_clients is not defined or matrix_bot_go_neb_clients[0] is not defined
|
||||
|
||||
- name: Fail if there's not at least 1 service
|
||||
fail:
|
||||
msg: >-
|
||||
You need at least 1 service in the matrix_bot_go_neb_services block.
|
||||
when: matrix_bot_go_neb_services is not defined or matrix_bot_go_neb_services[0] is not defined
|
44
roles/matrix-bot-go-neb/templates/config.yaml.j2
Normal file
44
roles/matrix-bot-go-neb/templates/config.yaml.j2
Normal file
|
@ -0,0 +1,44 @@
|
|||
# Go-NEB Configuration File
|
||||
#
|
||||
# This file provides an alternative way to configure Go-NEB which does not involve HTTP APIs.
|
||||
#
|
||||
# This file can be supplied to go-neb by the environment variable `CONFIG_FILE=config.yaml`.
|
||||
# It will force Go-NEB to operate in "config" mode. This means:
|
||||
# - Go-NEB will ONLY use the data contained inside this file.
|
||||
# - All of Go-NEB's /admin HTTP listeners will be disabled. You will be unable to add new services at runtime.
|
||||
# - The environment variable `DATABASE_URL` will be ignored and an in-memory database will be used instead.
|
||||
#
|
||||
# This file is broken down into 4 sections which matches the following HTTP APIs:
|
||||
# - /configureClient
|
||||
# - /configureAuthRealm
|
||||
# - /configureService
|
||||
# - /requestAuthSession (redirects not supported)
|
||||
|
||||
# The list of clients which Go-NEB is aware of.
|
||||
# Delete or modify this list as appropriate.
|
||||
# See the docs for /configureClient for the full list of options:
|
||||
# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ClientConfig
|
||||
clients:
|
||||
{{ matrix_bot_go_neb_clients|to_json }}
|
||||
|
||||
# The list of realms which Go-NEB is aware of.
|
||||
# Delete or modify this list as appropriate.
|
||||
# See the docs for /configureAuthRealm for the full list of options:
|
||||
# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureAuthRealmRequest
|
||||
realms:
|
||||
{{ matrix_bot_go_neb_realms|to_json }}
|
||||
|
||||
# The list of *authenticated* sessions which Go-NEB is aware of.
|
||||
# Delete or modify this list as appropriate.
|
||||
# The full list of options are shown below: there is no single HTTP endpoint
|
||||
# which maps to this section.
|
||||
# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#Session
|
||||
sessions:
|
||||
{{ matrix_bot_go_neb_sessions|to_json }}
|
||||
|
||||
# The list of services which Go-NEB is aware of.
|
||||
# Delete or modify this list as appropriate.
|
||||
# See the docs for /configureService for the full list of options:
|
||||
# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureServiceRequest
|
||||
services:
|
||||
{{ matrix_bot_go_neb_services|to_json }}
|
|
@ -0,0 +1,49 @@
|
|||
#jinja2: lstrip_blocks: "True"
|
||||
[Unit]
|
||||
Description=Matrix Go-NEB bot
|
||||
{% for service in matrix_bot_go_neb_systemd_required_services_list %}
|
||||
Requires={{ service }}
|
||||
After={{ service }}
|
||||
{% endfor %}
|
||||
{% for service in matrix_bot_go_neb_systemd_wanted_services_list %}
|
||||
Wants={{ service }}
|
||||
{% endfor %}
|
||||
DefaultDependencies=no
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
Environment="HOME={{ matrix_systemd_unit_home_path }}"
|
||||
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null'
|
||||
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null'
|
||||
|
||||
ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-go-neb \
|
||||
--log-driver=none \
|
||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||
--cap-drop=ALL \
|
||||
--read-only \
|
||||
--network={{ matrix_docker_network }} \
|
||||
{% if matrix_bot_go_neb_container_http_host_bind_port %}
|
||||
-p {{ matrix_bot_go_neb_container_http_host_bind_port }}:4050 \
|
||||
{% endif %}
|
||||
-e 'BIND_ADDRESS=:4050' \
|
||||
-e 'DATABASE_TYPE={{ matrix_bot_go_neb_database_engine }}' \
|
||||
-e 'BASE_URL=https://{{ matrix_server_fqn_bot_go_neb }}' \
|
||||
-e 'CONFIG_FILE={{ matrix_bot_go_neb_config_path_in_container }}' \
|
||||
-e 'DATABASE_URL={{ matrix_bot_go_neb_storage_database }}' \
|
||||
--mount type=bind,src={{ matrix_bot_go_neb_config_path }},dst=/config,ro \
|
||||
--mount type=bind,src={{ matrix_bot_go_neb_data_path }},dst=/data \
|
||||
--entrypoint=/bin/sh \
|
||||
{% for arg in matrix_bot_go_neb_container_extra_arguments %}
|
||||
{{ arg }} \
|
||||
{% endfor %}
|
||||
{{ matrix_bot_go_neb_docker_image }} \
|
||||
-c "go-neb /config/config.yaml"
|
||||
|
||||
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null'
|
||||
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null'
|
||||
Restart=always
|
||||
RestartSec=30
|
||||
SyslogIdentifier=matrix-bot-go-neb
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
47
roles/matrix-bridge-heisenbridge/defaults/main.yml
Normal file
47
roles/matrix-bridge-heisenbridge/defaults/main.yml
Normal file
|
@ -0,0 +1,47 @@
|
|||
# heisenbridge is a bouncer-style Matrix IRC bridge
|
||||
# See: https://github.com/hifi/heisenbridge
|
||||
|
||||
matrix_heisenbridge_enabled: true
|
||||
|
||||
matrix_heisenbridge_version: latest
|
||||
matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}"
|
||||
matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}"
|
||||
|
||||
# Set this to your Matrix ID if you want to enforce the owner, otherwise first _local_ user becomes one
|
||||
matrix_heisenbridge_owner: ""
|
||||
|
||||
# Enabling identd will bind to host port 113/TCP
|
||||
matrix_heisenbridge_identd_enabled: false
|
||||
|
||||
matrix_heisenbridge_base_path: "{{ matrix_base_data_path }}/heisenbridge"
|
||||
|
||||
# A list of extra arguments to pass to the container
|
||||
matrix_heisenbridge_container_extra_arguments: []
|
||||
|
||||
# List of systemd services that service depends on.
|
||||
matrix_heisenbridge_systemd_required_services_list: ['docker.service']
|
||||
|
||||
# List of systemd services that service wants
|
||||
matrix_heisenbridge_systemd_wanted_services_list: []
|
||||
|
||||
matrix_heisenbridge_homeserver_url: "{{ matrix_homeserver_container_url }}"
|
||||
|
||||
matrix_heisenbridge_appservice_token: ''
|
||||
matrix_heisenbridge_homeserver_token: ''
|
||||
|
||||
# Default registration file
|
||||
matrix_heisenbridge_registration_yaml:
|
||||
id: heisenbridge
|
||||
url: http://matrix-heisenbridge:9898
|
||||
as_token: "{{ matrix_heisenbridge_appservice_token }}"
|
||||
hs_token: "{{ matrix_heisenbridge_homeserver_token }}"
|
||||
rate_limited: false
|
||||
sender_localpart: heisenbridge
|
||||
namespaces:
|
||||
users:
|
||||
- regex: '@hbirc_.*'
|
||||
exclusive: true
|
||||
aliases: []
|
||||
rooms: []
|
||||
|
||||
matrix_heisenbridge_registration: "{{ matrix_heisenbridge_registration_yaml|from_yaml }}"
|
24
roles/matrix-bridge-heisenbridge/tasks/init.yml
Normal file
24
roles/matrix-bridge-heisenbridge/tasks/init.yml
Normal file
|
@ -0,0 +1,24 @@
|
|||
# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
|
||||
# We don't want to fail in such cases.
|
||||
- name: Fail if matrix-synapse role already executed
|
||||
fail:
|
||||
msg: >-
|
||||
The matrix-bridge-heisenbridge role needs to execute before the matrix-synapse role.
|
||||
when: "matrix_heisenbridge_enabled and matrix_synapse_role_executed|default(False)"
|
||||
|
||||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-heisenbridge.service'] }}"
|
||||
when: matrix_heisenbridge_enabled|bool
|
||||
|
||||
# If the matrix-synapse role is not used, these variables may not exist.
|
||||
- set_fact:
|
||||
matrix_synapse_container_extra_arguments: >
|
||||
{{ matrix_synapse_container_extra_arguments|default([]) }}
|
||||
+
|
||||
["--mount type=bind,src={{ matrix_heisenbridge_base_path }}/registration.yaml,dst=/heisenbridge-registration.yaml,ro"]
|
||||
|
||||
matrix_synapse_app_service_config_files: >
|
||||
{{ matrix_synapse_app_service_config_files|default([]) }}
|
||||
+
|
||||
{{ ["/heisenbridge-registration.yaml"] }}
|
||||
when: matrix_heisenbridge_enabled|bool
|
15
roles/matrix-bridge-heisenbridge/tasks/main.yml
Normal file
15
roles/matrix-bridge-heisenbridge/tasks/main.yml
Normal file
|
@ -0,0 +1,15 @@
|
|||
- import_tasks: "{{ role_path }}/tasks/init.yml"
|
||||
tags:
|
||||
- always
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/setup_install.yml"
|
||||
when: "run_setup|bool and matrix_heisenbridge_enabled|bool"
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-heisenbridge
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
|
||||
when: "run_setup|bool and not matrix_heisenbridge_enabled|bool"
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-heisenbridge
|
38
roles/matrix-bridge-heisenbridge/tasks/setup_install.yml
Normal file
38
roles/matrix-bridge-heisenbridge/tasks/setup_install.yml
Normal file
|
@ -0,0 +1,38 @@
|
|||
---
|
||||
|
||||
- name: Ensure heisenbridge image is pulled
|
||||
docker_image:
|
||||
name: "{{ matrix_heisenbridge_docker_image }}"
|
||||
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
|
||||
force_source: "{{ matrix_heisenbridge_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
|
||||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_heisenbridge_docker_image_force_pull }}"
|
||||
|
||||
- name: Ensure heisenbridge paths exist
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
mode: 0750
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- "{{ matrix_heisenbridge_base_path }}"
|
||||
|
||||
- name: Ensure heisenbridge registration.yaml installed if provided
|
||||
copy:
|
||||
content: "{{ matrix_heisenbridge_registration|to_nice_yaml }}"
|
||||
dest: "{{ matrix_heisenbridge_base_path }}/registration.yaml"
|
||||
mode: 0644
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
|
||||
- name: Ensure matrix-heisenbridge.service installed
|
||||
template:
|
||||
src: "{{ role_path }}/templates/systemd/matrix-heisenbridge.service.j2"
|
||||
dest: "{{ matrix_systemd_path }}/matrix-heisenbridge.service"
|
||||
mode: 0644
|
||||
register: matrix_heisenbridge_systemd_service_result
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-heisenbridge.service installation
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: matrix_heisenbridge_systemd_service_result.changed
|
24
roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml
Normal file
24
roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml
Normal file
|
@ -0,0 +1,24 @@
|
|||
---
|
||||
|
||||
- name: Check existence of matrix-heisenbridge service
|
||||
stat:
|
||||
path: "{{ matrix_systemd_path }}/matrix-heisenbridge.service"
|
||||
register: matrix_heisenbridge_service_stat
|
||||
|
||||
- name: Ensure matrix-heisenbridge is stopped
|
||||
service:
|
||||
name: matrix-heisenbridge
|
||||
state: stopped
|
||||
daemon_reload: yes
|
||||
when: "matrix_heisenbridge_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure matrix-heisenbridge.service doesn't exist
|
||||
file:
|
||||
path: "{{ matrix_systemd_path }}/matrix-heisenbridge.service"
|
||||
state: absent
|
||||
when: "matrix_heisenbridge_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-heisenbridge.service removal
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "matrix_heisenbridge_service_stat.stat.exists"
|
|
@ -0,0 +1,51 @@
|
|||
#jinja2: lstrip_blocks: "True"
|
||||
[Unit]
|
||||
Description=a bouncer-style Matrix IRC bridge
|
||||
{% for service in matrix_heisenbridge_systemd_required_services_list %}
|
||||
Requires={{ service }}
|
||||
After={{ service }}
|
||||
{% endfor %}
|
||||
{% for service in matrix_heisenbridge_systemd_wanted_services_list %}
|
||||
Wants={{ service }}
|
||||
{% endfor %}
|
||||
DefaultDependencies=no
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
Environment="HOME={{ matrix_systemd_unit_home_path }}"
|
||||
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-heisenbridge
|
||||
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-heisenbridge
|
||||
|
||||
ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-heisenbridge \
|
||||
--log-driver=none \
|
||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||
--cap-drop=ALL \
|
||||
--network={{ matrix_docker_network }} \
|
||||
{% if matrix_heisenbridge_identd_enabled %}
|
||||
-p 113:13113 \
|
||||
{% endif %}
|
||||
-v {{ matrix_heisenbridge_base_path }}:/config:z \
|
||||
{% for arg in matrix_heisenbridge_container_extra_arguments %}
|
||||
{{ arg }} \
|
||||
{% endfor %}
|
||||
{{ matrix_heisenbridge_docker_image }} \
|
||||
{% if matrix_heisenbridge_identd_enabled %}
|
||||
--identd \
|
||||
--identd-port 13113 \
|
||||
{% endif %}
|
||||
{% if matrix_heisenbridge_owner %}
|
||||
-o {{ matrix_heisenbridge_owner }} \
|
||||
{% endif %}
|
||||
--config /config/registration.yaml \
|
||||
--listen-address 0.0.0.0 \
|
||||
--listen-port 9898 \
|
||||
{{ matrix_heisenbridge_homeserver_url }}
|
||||
|
||||
ExecStop=-{{ matrix_host_command_docker }} kill matrix-heisenbridge
|
||||
ExecStop=-{{ matrix_host_command_docker }} rm matrix-heisenbridge
|
||||
Restart=always
|
||||
RestartSec=30
|
||||
SyslogIdentifier=matrix-heisenbridge
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
68
roles/matrix-client-hydrogen/defaults/main.yml
Normal file
68
roles/matrix-client-hydrogen/defaults/main.yml
Normal file
|
@ -0,0 +1,68 @@
|
|||
matrix_client_hydrogen_enabled: true
|
||||
|
||||
# Self building is used by default because the `config.json` file is only read at build time.
|
||||
# The pre-built images also were not functional as of 2021-05-15.
|
||||
matrix_client_hydrogen_container_image_self_build: true
|
||||
matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git"
|
||||
|
||||
matrix_client_hydrogen_version: v0.2.0
|
||||
matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}"
|
||||
matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}"
|
||||
matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}"
|
||||
|
||||
matrix_client_hydrogen_data_path: "{{ matrix_base_data_path }}/client-hydrogen"
|
||||
matrix_client_hydrogen_docker_src_files_path: "{{ matrix_client_hydrogen_data_path }}/docker-src"
|
||||
|
||||
# Controls whether the container exposes its HTTP port (tcp/8080 in the container).
|
||||
#
|
||||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8768"), or empty string to not expose.
|
||||
matrix_client_hydrogen_container_http_host_bind_port: ''
|
||||
|
||||
# A list of extra arguments to pass to the container
|
||||
matrix_client_hydrogen_container_extra_arguments: []
|
||||
|
||||
# List of systemd services that matrix-client-hydrogen.service depends on
|
||||
matrix_client_hydrogen_systemd_required_services_list: ['docker.service']
|
||||
|
||||
# Controls whether the self-check feature should validate SSL certificates.
|
||||
matrix_client_hydrogen_self_check_validate_certificates: true
|
||||
|
||||
# config.json
|
||||
matrix_client_hydrogen_default_hs_url: ""
|
||||
|
||||
# Default Hydrogen configuration template which covers the generic use case.
|
||||
# You can customize it by controlling the various variables inside it.
|
||||
#
|
||||
# For a more advanced customization, you can extend the default (see `matrix_client_hydrogen_configuration_extension_json`)
|
||||
# or completely replace this variable with your own template.
|
||||
#
|
||||
# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict.
|
||||
# This is unlike what it does when looking up YAML template files (no automatic parsing there).
|
||||
matrix_client_hydrogen_configuration_default: "{{ lookup('template', 'templates/config.json.j2') }}"
|
||||
|
||||
# Your custom JSON configuration for Hydrogen should go to `matrix_client_hydrogen_configuration_extension_json`.
|
||||
# This configuration extends the default starting configuration (`matrix_client_hydrogen_configuration_default`).
|
||||
#
|
||||
# You can override individual variables from the default configuration, or introduce new ones.
|
||||
#
|
||||
# If you need something more special, you can take full control by
|
||||
# completely redefining `matrix_client_hydrogen_configuration_default`.
|
||||
#
|
||||
# Example configuration extension follows:
|
||||
#
|
||||
# matrix_client_hydrogen_configuration_extension_json: |
|
||||
# {
|
||||
# "push": {
|
||||
# "appId": "io.element.hydrogen.web",
|
||||
# "gatewayUrl": "https://matrix.org",
|
||||
# "applicationServerKey": "BC-gpSdVHEXhvHSHS0AzzWrQoukv2BE7KzpoPO_FfPacqOo3l1pdqz7rSgmB04pZCWaHPz7XRe6fjLaC-WPDopM"
|
||||
# },
|
||||
# "defaultHomeServer": "matrix.org"
|
||||
# }
|
||||
matrix_client_hydrogen_configuration_extension_json: '{}'
|
||||
|
||||
matrix_client_hydrogen_configuration_extension: "{{ matrix_client_hydrogen_configuration_extension_json|from_json if matrix_client_hydrogen_configuration_extension_json|from_json is mapping else {} }}"
|
||||
|
||||
# Holds the final Hydrogen configuration (a combination of the default and its extension).
|
||||
# You most likely don't need to touch this variable. Instead, see `matrix_client_hydrogen_configuration_default`.
|
||||
matrix_client_hydrogen_configuration: "{{ matrix_client_hydrogen_configuration_default|combine(matrix_client_hydrogen_configuration_extension, recursive=True) }}"
|
10
roles/matrix-client-hydrogen/tasks/init.yml
Normal file
10
roles/matrix-client-hydrogen/tasks/init.yml
Normal file
|
@ -0,0 +1,10 @@
|
|||
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
|
||||
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
|
||||
- name: Fail if trying to self-build on Ansible < 2.8
|
||||
fail:
|
||||
msg: "To self-build the Hydrogen image, you should use Ansible 2.8 or higher. See docs/ansible.md"
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_hydrogen_container_image_self_build and matrix_client_hydrogen_enabled"
|
||||
|
||||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-hydrogen.service'] }}"
|
||||
when: matrix_client_hydrogen_enabled|bool
|
15
roles/matrix-client-hydrogen/tasks/main.yml
Normal file
15
roles/matrix-client-hydrogen/tasks/main.yml
Normal file
|
@ -0,0 +1,15 @@
|
|||
- import_tasks: "{{ role_path }}/tasks/init.yml"
|
||||
tags:
|
||||
- always
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
|
||||
when: "run_setup|bool and matrix_client_hydrogen_enabled|bool"
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-client-hydrogen
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/setup.yml"
|
||||
when: run_setup|bool
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-client-hydrogen
|
22
roles/matrix-client-hydrogen/tasks/self_check.yml
Normal file
22
roles/matrix-client-hydrogen/tasks/self_check.yml
Normal file
|
@ -0,0 +1,22 @@
|
|||
---
|
||||
|
||||
- set_fact:
|
||||
matrix_client_hydrogen_url_endpoint_public: "https://{{ matrix_server_fqn_hydrogen }}"
|
||||
|
||||
- name: Check Hydrogen
|
||||
uri:
|
||||
url: "{{ matrix_client_hydrogen_url_endpoint_public }}"
|
||||
follow_redirects: none
|
||||
validate_certs: "{{ matrix_client_hydrogen_self_check_validate_certificates }}"
|
||||
register: matrix_client_hydrogen_self_check_result
|
||||
check_mode: no
|
||||
ignore_errors: true
|
||||
|
||||
- name: Fail if Hydrogen not working
|
||||
fail:
|
||||
msg: "Failed checking Hydrogen is up at `{{ matrix_server_fqn_hydrogen }}` (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`). Is Hydrogen running? Is port 443 open in your firewall? Full error: {{ matrix_client_hydrogen_self_check_result }}"
|
||||
when: "matrix_client_hydrogen_self_check_result.failed or 'json' not in matrix_client_hydrogen_self_check_result"
|
||||
|
||||
- name: Report working Hydrogen
|
||||
debug:
|
||||
msg: "Hydrogen at `{{ matrix_server_fqn_hydrogen }}` is working (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`)"
|
119
roles/matrix-client-hydrogen/tasks/setup.yml
Normal file
119
roles/matrix-client-hydrogen/tasks/setup.yml
Normal file
|
@ -0,0 +1,119 @@
|
|||
---
|
||||
|
||||
#
|
||||
# Tasks related to setting up Hydrogen
|
||||
#
|
||||
|
||||
- name: Ensure Hydrogen paths exists
|
||||
file:
|
||||
path: "{{ item.path }}"
|
||||
state: directory
|
||||
mode: 0750
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- { path: "{{ matrix_client_hydrogen_data_path }}", when: true }
|
||||
- { path: "{{ matrix_client_hydrogen_docker_src_files_path }}", when: "{{ matrix_client_hydrogen_container_image_self_build }}" }
|
||||
when: matrix_client_hydrogen_enabled|bool and item.when
|
||||
|
||||
- name: Ensure Hydrogen Docker image is pulled
|
||||
docker_image:
|
||||
name: "{{ matrix_client_hydrogen_docker_image }}"
|
||||
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
|
||||
force_source: "{{ matrix_client_hydrogen_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
|
||||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_client_hydrogen_docker_image_force_pull }}"
|
||||
when: matrix_client_hydrogen_enabled|bool and not matrix_client_hydrogen_container_image_self_build
|
||||
|
||||
- name: Ensure Hydrogen repository is present on self-build
|
||||
git:
|
||||
repo: "{{ matrix_client_hydrogen_container_image_self_build_repo }}"
|
||||
dest: "{{ matrix_client_hydrogen_docker_src_files_path }}"
|
||||
version: "{{ matrix_client_hydrogen_docker_image.split(':')[1] }}"
|
||||
force: "yes"
|
||||
register: matrix_client_hydrogen_git_pull_results
|
||||
when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool"
|
||||
|
||||
- name: Ensure Hydrogen configuration installed
|
||||
copy:
|
||||
content: "{{ matrix_client_hydrogen_configuration|to_nice_json }}"
|
||||
dest: "{{ matrix_client_hydrogen_docker_src_files_path }}/assets/config.json"
|
||||
mode: 0644
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool"
|
||||
|
||||
- name: Ensure Hydrogen additional config files installed
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ matrix_client_hydrogen_data_path }}/{{ item.name }}"
|
||||
mode: 0644
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"}
|
||||
when: "matrix_client_hydrogen_enabled|bool and item.src is not none"
|
||||
|
||||
- name: Ensure Hydrogen Docker image is built
|
||||
docker_image:
|
||||
name: "{{ matrix_client_hydrogen_docker_image }}"
|
||||
source: build
|
||||
force_source: "{{ matrix_client_hydrogen_git_pull_results.changed }}"
|
||||
build:
|
||||
dockerfile: Dockerfile
|
||||
path: "{{ matrix_client_hydrogen_docker_src_files_path }}"
|
||||
pull: yes
|
||||
when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool"
|
||||
|
||||
- name: Ensure matrix-client-hydrogen.service installed
|
||||
template:
|
||||
src: "{{ role_path }}/templates/systemd/matrix-client-hydrogen.service.j2"
|
||||
dest: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service"
|
||||
mode: 0644
|
||||
register: matrix_client_hydrogen_systemd_service_result
|
||||
when: matrix_client_hydrogen_enabled|bool
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-client-hydrogen.service installation
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "matrix_client_hydrogen_enabled and matrix_client_hydrogen_systemd_service_result.changed"
|
||||
|
||||
#
|
||||
# Tasks related to getting rid of Hydrogen (if it was previously enabled)
|
||||
#
|
||||
|
||||
- name: Check existence of matrix-client-hydrogen.service
|
||||
stat:
|
||||
path: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service"
|
||||
register: matrix_client_hydrogen_service_stat
|
||||
when: "not matrix_client_hydrogen_enabled|bool"
|
||||
|
||||
- name: Ensure matrix-client-hydrogen is stopped
|
||||
service:
|
||||
name: matrix-client-hydrogen
|
||||
state: stopped
|
||||
daemon_reload: yes
|
||||
register: stopping_result
|
||||
when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure matrix-client-hydrogen.service doesn't exist
|
||||
file:
|
||||
path: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service"
|
||||
state: absent
|
||||
when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-client-hydrogen.service removal
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure Hydrogen paths doesn't exist
|
||||
file:
|
||||
path: "{{ matrix_client_hydrogen_data_path }}"
|
||||
state: absent
|
||||
when: "not matrix_client_hydrogen_enabled|bool"
|
||||
|
||||
- name: Ensure Hydrogen Docker image doesn't exist
|
||||
docker_image:
|
||||
name: "{{ matrix_client_hydrogen_docker_image }}"
|
||||
state: absent
|
||||
when: "not matrix_client_hydrogen_enabled|bool"
|
9
roles/matrix-client-hydrogen/tasks/validate_config.yml
Normal file
9
roles/matrix-client-hydrogen/tasks/validate_config.yml
Normal file
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
|
||||
- name: Fail if required Hydrogen settings not defined
|
||||
fail:
|
||||
msg: >
|
||||
You need to define a required configuration setting (`{{ item }}`) to use Hydrogen.
|
||||
when: "(vars[item] == '' or vars[item] is none) and matrix_client_hydrogen_container_image_self_build|bool"
|
||||
with_items:
|
||||
- "matrix_client_hydrogen_default_hs_url"
|
3
roles/matrix-client-hydrogen/templates/config.json.j2
Normal file
3
roles/matrix-client-hydrogen/templates/config.json.j2
Normal file
|
@ -0,0 +1,3 @@
|
|||
{
|
||||
"defaultHomeServer": {{ matrix_client_hydrogen_default_hs_url|string|to_json }}
|
||||
}
|
66
roles/matrix-client-hydrogen/templates/nginx.conf.j2
Normal file
66
roles/matrix-client-hydrogen/templates/nginx.conf.j2
Normal file
|
@ -0,0 +1,66 @@
|
|||
#jinja2: lstrip_blocks: "True"
|
||||
# This is a custom nginx configuration file that we use in the container (instead of the default one),
|
||||
# because it allows us to run nginx with a non-root user.
|
||||
#
|
||||
# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed.
|
||||
# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well)
|
||||
#
|
||||
# The following changes have been done compared to a default nginx configuration file:
|
||||
# - default server port is changed (80 -> 8080), so that a non-root user can bind it
|
||||
# - various temp paths are changed to `/tmp`, so that a non-root user can write to them
|
||||
# - the `user` directive was removed, as we don't want nginx to switch users
|
||||
|
||||
worker_processes 1;
|
||||
|
||||
error_log /var/log/nginx/error.log warn;
|
||||
pid /tmp/nginx.pid;
|
||||
|
||||
|
||||
events {
|
||||
worker_connections 1024;
|
||||
}
|
||||
|
||||
|
||||
http {
|
||||
proxy_temp_path /tmp/proxy_temp;
|
||||
client_body_temp_path /tmp/client_temp;
|
||||
fastcgi_temp_path /tmp/fastcgi_temp;
|
||||
uwsgi_temp_path /tmp/uwsgi_temp;
|
||||
scgi_temp_path /tmp/scgi_temp;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||
|
||||
access_log /var/log/nginx/access.log main;
|
||||
|
||||
sendfile on;
|
||||
#tcp_nopush on;
|
||||
|
||||
keepalive_timeout 65;
|
||||
|
||||
#gzip on;
|
||||
|
||||
server {
|
||||
listen 8080;
|
||||
server_name localhost;
|
||||
|
||||
root /usr/share/nginx/html;
|
||||
|
||||
location / {
|
||||
index index.html index.htm;
|
||||
}
|
||||
|
||||
location ~* ^/(config(.+)?\.json$|(.+)\.html$|i18n) {
|
||||
expires -1;
|
||||
}
|
||||
|
||||
error_page 500 502 503 504 /50x.html;
|
||||
location = /50x.html {
|
||||
root /usr/share/nginx/html;
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,39 @@
|
|||
#jinja2: lstrip_blocks: "True"
|
||||
[Unit]
|
||||
Description=Matrix Hydrogen Client
|
||||
{% for service in matrix_client_hydrogen_systemd_required_services_list %}
|
||||
Requires={{ service }}
|
||||
After={{ service }}
|
||||
{% endfor %}
|
||||
DefaultDependencies=no
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
Environment="HOME={{ matrix_systemd_unit_home_path }}"
|
||||
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null'
|
||||
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null'
|
||||
|
||||
ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-client-hydrogen \
|
||||
--log-driver=none \
|
||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||
--cap-drop=ALL \
|
||||
--read-only \
|
||||
--network={{ matrix_docker_network }} \
|
||||
{% if matrix_client_hydrogen_container_http_host_bind_port %}
|
||||
-p {{ matrix_client_hydrogen_container_http_host_bind_port }}:8080 \
|
||||
{% endif %}
|
||||
--tmpfs=/tmp:rw,noexec,nosuid,size=10m \
|
||||
--mount type=bind,src={{ matrix_client_hydrogen_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \
|
||||
{% for arg in matrix_client_hydrogen_container_extra_arguments %}
|
||||
{{ arg }} \
|
||||
{% endfor %}
|
||||
{{ matrix_client_hydrogen_docker_image }}
|
||||
|
||||
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null'
|
||||
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null'
|
||||
Restart=always
|
||||
RestartSec=30
|
||||
SyslogIdentifier=matrix-client-hydrogen
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
48
roles/matrix-dynamic-dns/defaults/main.yml
Normal file
48
roles/matrix-dynamic-dns/defaults/main.yml
Normal file
|
@ -0,0 +1,48 @@
|
|||
# Whether dynamic dns is enabled
|
||||
matrix_dynamic_dns_enabled: true
|
||||
|
||||
# The dynamic dns daemon interval
|
||||
matrix_dynamic_dns_daemon_interval: '300'
|
||||
|
||||
matrix_dynamic_dns_version: v3.9.1-ls45
|
||||
|
||||
# The docker container to use when in mode
|
||||
matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}"
|
||||
|
||||
matrix_dynamic_dns_docker_image_name_prefix: "{{ 'localhost/' if matrix_dynamic_dns_container_image_self_build else matrix_container_global_registry_prefix }}"
|
||||
|
||||
# The image to force pull
|
||||
matrix_dynamic_dns_docker_image_force_pull: "{{ matrix_dynamic_dns_docker_image.endswith(':latest') }}"
|
||||
|
||||
# List of extra arguments to pass to the ontainer mode
|
||||
matrix_dynamic_dns_container_extra_arguments: []
|
||||
|
||||
# List of wanted services when running in mode
|
||||
matrix_dynamic_dns_systemd_wanted_services_list: []
|
||||
|
||||
# List of required services when running in mode
|
||||
matrix_dynamic_dns_systemd_required_services_list: ['docker.service']
|
||||
|
||||
# Build the container from source when running in mode
|
||||
matrix_dynamic_dns_container_image_self_build: false
|
||||
matrix_dynamic_dns_container_image_self_build_repo: "https://github.com/linuxserver/docker-ddclient.git"
|
||||
|
||||
# Config paths
|
||||
matrix_dynamic_dns_base_path: "{{ matrix_base_data_path }}/dynamic-dns"
|
||||
matrix_dynamic_dns_config_path: "{{ matrix_dynamic_dns_base_path }}/config"
|
||||
matrix_dynamic_dns_docker_src_files_path: "{{ matrix_dynamic_dns_base_path }}/docker-src"
|
||||
|
||||
# Holds the configurations (the domains to update DNS for, the providers they use, etc.)
|
||||
#
|
||||
# Example:
|
||||
# matrix_dynamic_dns_domain_configurations:
|
||||
# - provider: domains.google.com
|
||||
# protocol: dyndn2
|
||||
# username: XXXXXXXXXXXXXXXX
|
||||
# password: XXXXXXXXXXXXXXXX
|
||||
# domain: "{{ matrix_domain }}"
|
||||
matrix_dynamic_dns_domain_configurations: []
|
||||
|
||||
# Config options
|
||||
matrix_dynamic_dns_additional_configuration_blocks: []
|
||||
matrix_dynamic_dns_use: "web"
|
10
roles/matrix-dynamic-dns/tasks/init.yml
Normal file
10
roles/matrix-dynamic-dns/tasks/init.yml
Normal file
|
@ -0,0 +1,10 @@
|
|||
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
|
||||
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
|
||||
- name: Fail if trying to self-build on Ansible < 2.8
|
||||
fail:
|
||||
msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_dynamic_dns_container_image_self_build and matrix_dynamic_dns_enabled"
|
||||
|
||||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dynamic-dns.service'] }}"
|
||||
when: "matrix_dynamic_dns_enabled|bool"
|
62
roles/matrix-dynamic-dns/tasks/install.yml
Normal file
62
roles/matrix-dynamic-dns/tasks/install.yml
Normal file
|
@ -0,0 +1,62 @@
|
|||
---
|
||||
|
||||
- name: Ensure Dynamic DNS image is pulled
|
||||
docker_image:
|
||||
name: "{{ matrix_dynamic_dns_docker_image }}"
|
||||
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
|
||||
force_source: "{{ matrix_dynamic_dns_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
|
||||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dynamic_dns_docker_image_force_pull }}"
|
||||
when: matrix_dynamic_dns_enabled|bool and not matrix_dynamic_dns_container_image_self_build
|
||||
|
||||
- name: Ensure Dynamic DNS paths exist
|
||||
file:
|
||||
path: "{{ item.path }}"
|
||||
state: directory
|
||||
mode: 0751
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- { path: "{{ matrix_dynamic_dns_base_path }}", when: true }
|
||||
- { path: "{{ matrix_dynamic_dns_config_path }}", when: true }
|
||||
- { path: "{{ matrix_dynamic_dns_docker_src_files_path }}", when: "{{ matrix_dynamic_dns_container_image_self_build }}" }
|
||||
when: matrix_dynamic_dns_enabled|bool and item.when|bool
|
||||
|
||||
- name: Ensure Dynamic DNS repository is present on self build
|
||||
git:
|
||||
repo: "{{ matrix_dynamic_dns_container_image_self_build_repo }}"
|
||||
dest: "{{ matrix_dynamic_dns_docker_src_files_path }}"
|
||||
force: "yes"
|
||||
register: matrix_dynamic_dns_git_pull_results
|
||||
when: "matrix_dynamic_dns_enabled|bool and matrix_dynamic_dns_container_image_self_build|bool"
|
||||
|
||||
- name: Ensure Dynamic DNS Docker image is built
|
||||
docker_image:
|
||||
name: "{{ matrix_dynamic_dns_docker_image }}"
|
||||
source: build
|
||||
force_source: "{{ matrix_dynamic_dns_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
|
||||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dynamic_dns_git_pull_results.changed }}"
|
||||
build:
|
||||
dockerfile: Dockerfile
|
||||
path: "{{ matrix_dynamic_dns_docker_src_files_path }}"
|
||||
pull: yes
|
||||
when: "matrix_dynamic_dns_enabled|bool and matrix_dynamic_dns_container_image_self_build|bool"
|
||||
|
||||
- name: Ensure Dynamic DNS ddclient.conf installed
|
||||
template:
|
||||
src: "{{ role_path }}/templates/ddclient.conf.j2"
|
||||
dest: "{{ matrix_dynamic_dns_config_path }}/ddclient.conf"
|
||||
mode: 0644
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
|
||||
- name: Ensure matrix-dynamic-dns.service installed
|
||||
template:
|
||||
src: "{{ role_path }}/templates/systemd/matrix-dynamic-dns.service.j2"
|
||||
dest: "/etc/systemd/system/matrix-dynamic-dns.service"
|
||||
mode: 0644
|
||||
register: matrix_dynamic_dns_systemd_service_result
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-dynamic-dns.service installation
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "matrix_dynamic_dns_systemd_service_result.changed"
|
21
roles/matrix-dynamic-dns/tasks/main.yml
Normal file
21
roles/matrix-dynamic-dns/tasks/main.yml
Normal file
|
@ -0,0 +1,21 @@
|
|||
- import_tasks: "{{ role_path }}/tasks/init.yml"
|
||||
tags:
|
||||
- always
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
|
||||
when: "run_setup|bool and matrix_dynamic_dns_enabled|bool"
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-dynamic-dns
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/install.yml"
|
||||
when: "run_setup|bool and matrix_dynamic_dns_enabled|bool"
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-dynamic-dns
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/uninstall.yml"
|
||||
when: "run_setup|bool and not matrix_dynamic_dns_enabled|bool"
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-dynamic-dns
|
27
roles/matrix-dynamic-dns/tasks/uninstall.yml
Normal file
27
roles/matrix-dynamic-dns/tasks/uninstall.yml
Normal file
|
@ -0,0 +1,27 @@
|
|||
---
|
||||
|
||||
- name: Check existence of matrix-dynamic-dns service
|
||||
stat:
|
||||
path: "{{ matrix_systemd_path }}/matrix-dynamic-dns.service"
|
||||
register: matrix_dynamic_dns_service_stat
|
||||
|
||||
- name: Ensure matrix-dynamic-dns is stopped
|
||||
service:
|
||||
name: matrix-dynamic-dns
|
||||
state: stopped
|
||||
daemon_reload: yes
|
||||
when: "matrix_dynamic_dns_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure matrix-dynamic-dns.service doesn't exist
|
||||
file:
|
||||
path: "{{ matrix_systemd_path }}/matrix-dynamic-dns.service"
|
||||
state: absent
|
||||
when: "matrix_dynamic_dns_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-dynamic-dns.service removal
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "matrix_dynamic_dns_service_stat.stat.exists"
|
||||
|
||||
# Intentionally not removing the Docker image when uninstalling.
|
||||
# We can't be sure it had been pulled by us in the first place.
|
16
roles/matrix-dynamic-dns/tasks/validate_config.yml
Normal file
16
roles/matrix-dynamic-dns/tasks/validate_config.yml
Normal file
|
@ -0,0 +1,16 @@
|
|||
---
|
||||
|
||||
- name: Fail if no configurations specified
|
||||
fail:
|
||||
msg: >-
|
||||
You need to define at least one configuration in `matrix_dynamic_dns_domain_configurations` for using matrix-dynamic-dns.
|
||||
when: "matrix_dynamic_dns_domain_configurations|length == 0"
|
||||
|
||||
- name: Fail if required settings not defined in configuration blocks
|
||||
fail:
|
||||
msg: >-
|
||||
One of the configurations in matrix_dynamic_dns_domain_configurations is missing a required key (domain, provider, protocol).
|
||||
when: "'domain' not in configuration or 'provider' not in configuration or 'protocol' not in configuration"
|
||||
with_items: "{{ matrix_dynamic_dns_domain_configurations }}"
|
||||
loop_control:
|
||||
loop_var: configuration
|
26
roles/matrix-dynamic-dns/templates/ddclient.conf.j2
Normal file
26
roles/matrix-dynamic-dns/templates/ddclient.conf.j2
Normal file
|
@ -0,0 +1,26 @@
|
|||
daemon={{ matrix_dynamic_dns_daemon_interval }}
|
||||
syslog=no
|
||||
pid=/var/run/ddclient/ddclient.pid
|
||||
ssl=yes
|
||||
use={{ matrix_dynamic_dns_use }}
|
||||
|
||||
{% for dynamic_dns_domain_configuration in matrix_dynamic_dns_domain_configurations %}
|
||||
protocol={{ dynamic_dns_domain_configuration.protocol }}
|
||||
server={{ dynamic_dns_domain_configuration.provider }} {% if 'username' in dynamic_dns_domain_configuration %}
|
||||
login='{{ dynamic_dns_domain_configuration.username }}' {% endif %} {% if 'password' in dynamic_dns_domain_configuration %}
|
||||
password='{{ dynamic_dns_domain_configuration.password }}' {% endif %} {% if 'static' in dynamic_dns_domain_configuration %}
|
||||
static=yes {% endif %} {% if 'custom' in dynamic_dns_domain_configuration %}
|
||||
custom=yes {% endif %} {% if 'zone' in dynamic_dns_domain_configuration %}
|
||||
zone={{ dynamic_dns_domain_configuration.zone }} {% endif %} {% if 'ttl' in dynamic_dns_domain_configuration %}
|
||||
ttl={{ dynamic_dns_domain_configuration.ttl }} {% endif %} {% if 'mx' in dynamic_dns_domain_configuration %}
|
||||
mx={{ dynamic_dns_domain_configuration.mx }} {% endif %} {% if 'wildcard' in dynamic_dns_domain_configuration %}
|
||||
wildcard=yes {% endif %}
|
||||
{{ dynamic_dns_domain_configuration.domain }}
|
||||
|
||||
{% endfor %}
|
||||
|
||||
|
||||
{% for matrix_dynamic_dns_additional_configuration in matrix_dynamic_dns_additional_configuration_blocks %}
|
||||
{{ matrix_dynamic_dns_additional_configuration }}
|
||||
|
||||
{% endfor %}
|
|
@ -0,0 +1,36 @@
|
|||
#jinja2: lstrip_blocks: "True"
|
||||
[Unit]
|
||||
Description=Matrix Dynamic DNS
|
||||
{% for service in matrix_dynamic_dns_systemd_required_services_list %}
|
||||
Requires={{ service }}
|
||||
After={{ service }}
|
||||
{% endfor %}
|
||||
{% for service in matrix_dynamic_dns_systemd_wanted_services_list %}
|
||||
Wants={{ service }}
|
||||
{% endfor %}
|
||||
DefaultDependencies=no
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
Environment="HOME={{ matrix_systemd_unit_home_path }}"
|
||||
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dynamic-dns 2>/dev/null'
|
||||
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dynamic-dns 2>/dev/null'
|
||||
ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dynamic-dns \
|
||||
--log-driver=none \
|
||||
--network={{ matrix_docker_network }} \
|
||||
-e PUID={{ matrix_user_uid }} \
|
||||
-e PGID={{ matrix_user_gid }} \
|
||||
-v {{ matrix_dynamic_dns_config_path }}:/config:z \
|
||||
{% for arg in matrix_dynamic_dns_container_extra_arguments %}
|
||||
{{ arg }} \
|
||||
{% endfor %}
|
||||
{{ matrix_dynamic_dns_docker_image }}
|
||||
|
||||
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dynamic-dns 2>/dev/null'
|
||||
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dynamic-dns 2>/dev/null'
|
||||
Restart=always
|
||||
RestartSec=30
|
||||
SyslogIdentifier=matrix-dynamic-dns
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
44
roles/matrix-email2matrix/defaults/main.yml
Normal file
44
roles/matrix-email2matrix/defaults/main.yml
Normal file
|
@ -0,0 +1,44 @@
|
|||
matrix_email2matrix_enabled: true
|
||||
|
||||
matrix_email2matrix_base_path: "{{ matrix_base_data_path }}/email2matrix"
|
||||
matrix_email2matrix_config_dir_path: "{{ matrix_email2matrix_base_path }}/config"
|
||||
|
||||
matrix_email2matrix_version: 1.0.1
|
||||
matrix_email2matrix_docker_image: "{{ matrix_container_global_registry_prefix }}devture/email2matrix:{{ matrix_email2matrix_version }}"
|
||||
matrix_email2matrix_docker_image_force_pull: "{{ matrix_email2matrix_docker_image.endswith(':latest') }}"
|
||||
|
||||
# A list of extra arguments to pass to the container
|
||||
matrix_email2matrix_container_extra_arguments: []
|
||||
|
||||
# List of systemd services that matrix-corporal.service depends on
|
||||
matrix_email2matrix_systemd_required_services_list: ['docker.service']
|
||||
|
||||
# Controls where the matrix-email2matrix container exposes the SMTP (tcp/2525 in the container).
|
||||
#
|
||||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:2525").
|
||||
#
|
||||
# By default, we listen on port 25 on all of the host's network interfaces.
|
||||
matrix_email2matrix_smtp_host_bind_port: "25"
|
||||
|
||||
matrix_email2matrix_smtp_hostname: "{{ matrix_server_fqn_matrix }}"
|
||||
|
||||
# A list of mailbox to Matrix mappings.
|
||||
#
|
||||
# Example:
|
||||
# matrix_email2matrix_matrix_mappings:
|
||||
# - MailboxName: "mailbox1"
|
||||
# MatrixRoomId: "!bpcwlxIUxVvvgXcbjy:example.com"
|
||||
# MatrixHomeserverUrl: "{{ matrix_homeserver_url }}"
|
||||
# MatrixUserId": "@email2matrix:{{ matrix_domain }}"
|
||||
# MatrixAccessToken": "TOKEN_HERE"
|
||||
# IgnoreSubject: false
|
||||
#
|
||||
# - MailboxName: "mailbox2"
|
||||
# MatrixRoomId: "!another:example.com"
|
||||
# MatrixHomeserverUrl: "{{ matrix_homeserver_url }}"
|
||||
# MatrixUserId": "@email2matrix:{{ matrix_domain }}"
|
||||
# MatrixAccessToken": "TOKEN_HERE"
|
||||
# IgnoreSubject: true
|
||||
matrix_email2matrix_matrix_mappings: []
|
||||
|
||||
matrix_email2matrix_misc_debug: false
|
3
roles/matrix-email2matrix/tasks/init.yml
Normal file
3
roles/matrix-email2matrix/tasks/init.yml
Normal file
|
@ -0,0 +1,3 @@
|
|||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-email2matrix.service'] }}"
|
||||
when: matrix_email2matrix_enabled|bool
|
15
roles/matrix-email2matrix/tasks/main.yml
Normal file
15
roles/matrix-email2matrix/tasks/main.yml
Normal file
|
@ -0,0 +1,15 @@
|
|||
- import_tasks: "{{ role_path }}/tasks/init.yml"
|
||||
tags:
|
||||
- always
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
|
||||
when: "run_setup|bool and matrix_email2matrix_enabled|bool"
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-email2matrix
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/setup_email2matrix.yml"
|
||||
when: run_setup|bool
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-email2matrix
|
88
roles/matrix-email2matrix/tasks/setup_email2matrix.yml
Normal file
88
roles/matrix-email2matrix/tasks/setup_email2matrix.yml
Normal file
|
@ -0,0 +1,88 @@
|
|||
---
|
||||
|
||||
#
|
||||
# Tasks related to setting up Email2Matrix
|
||||
#
|
||||
|
||||
- name: Ensure Email2Matrix paths exist
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
mode: 0750
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- "{{ matrix_email2matrix_base_path }}"
|
||||
- "{{ matrix_email2matrix_config_dir_path }}"
|
||||
when: matrix_email2matrix_enabled|bool
|
||||
|
||||
- name: Ensure Email2Matrix configuration file created
|
||||
template:
|
||||
src: "{{ role_path }}/templates/config.json.j2"
|
||||
dest: "{{ matrix_email2matrix_config_dir_path }}/config.json"
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
mode: 0640
|
||||
when: matrix_email2matrix_enabled|bool
|
||||
|
||||
- name: Ensure Email2Matrix image is pulled
|
||||
docker_image:
|
||||
name: "{{ matrix_email2matrix_docker_image }}"
|
||||
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
|
||||
force_source: "{{ matrix_email2matrix_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
|
||||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_email2matrix_docker_image_force_pull }}"
|
||||
when: matrix_email2matrix_enabled|bool
|
||||
|
||||
- name: Ensure matrix-email2matrix.service installed
|
||||
template:
|
||||
src: "{{ role_path }}/templates/systemd/matrix-email2matrix.service.j2"
|
||||
dest: "{{ matrix_systemd_path }}/matrix-email2matrix.service"
|
||||
mode: 0644
|
||||
register: matrix_email2matrix_systemd_service_result
|
||||
when: matrix_email2matrix_enabled|bool
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-email2matrix.service installation
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "matrix_email2matrix_enabled|bool and matrix_email2matrix_systemd_service_result.changed"
|
||||
|
||||
#
|
||||
# Tasks related to getting rid of the Email2Matrix (if it was previously enabled)
|
||||
#
|
||||
|
||||
- name: Check existence of matrix-email2matrix service
|
||||
stat:
|
||||
path: "{{ matrix_systemd_path }}/matrix-email2matrix.service"
|
||||
register: matrix_email2matrix_service_stat
|
||||
when: "not matrix_email2matrix_enabled|bool"
|
||||
|
||||
- name: Ensure matrix-email2matrix is stopped
|
||||
service:
|
||||
name: matrix-email2matrix
|
||||
state: stopped
|
||||
daemon_reload: yes
|
||||
register: stopping_result
|
||||
when: "not matrix_email2matrix_enabled|bool and matrix_email2matrix_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure matrix-email2matrix.service doesn't exist
|
||||
file:
|
||||
path: "{{ matrix_systemd_path }}/matrix-email2matrix.service"
|
||||
state: absent
|
||||
when: "not matrix_email2matrix_enabled|bool and matrix_email2matrix_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-email2matrix.service removal
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "not matrix_email2matrix_enabled|bool and matrix_email2matrix_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure Email2Matrix data path doesn't exist
|
||||
file:
|
||||
path: "{{ matrix_email2matrix_base_path }}"
|
||||
state: absent
|
||||
when: "not matrix_email2matrix_enabled|bool"
|
||||
|
||||
- name: Ensure Email2Matrix Docker image doesn't exist
|
||||
docker_image:
|
||||
name: "{{ matrix_email2matrix_docker_image }}"
|
||||
state: absent
|
||||
when: "not matrix_email2matrix_enabled|bool"
|
7
roles/matrix-email2matrix/tasks/validate_config.yml
Normal file
7
roles/matrix-email2matrix/tasks/validate_config.yml
Normal file
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
|
||||
- name: Fail if no mappings
|
||||
fail:
|
||||
msg: >
|
||||
You need to define at least one mapping in `matrix_email2matrix_matrix_mappings` for enabling Email2Matrix.
|
||||
when: "matrix_email2matrix_matrix_mappings|length == 0"
|
14
roles/matrix-email2matrix/templates/config.json.j2
Normal file
14
roles/matrix-email2matrix/templates/config.json.j2
Normal file
|
@ -0,0 +1,14 @@
|
|||
#jinja2: lstrip_blocks: "True"
|
||||
{
|
||||
"Smtp": {
|
||||
"ListenInterface": "0.0.0.0:2525",
|
||||
"Hostname": {{ matrix_email2matrix_smtp_hostname|to_json }},
|
||||
"Workers": 10
|
||||
},
|
||||
"Matrix": {
|
||||
"Mappings": {{ matrix_email2matrix_matrix_mappings|to_nice_json }}
|
||||
},
|
||||
"Misc": {
|
||||
"Debug": {{ matrix_email2matrix_misc_debug|to_json }}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,34 @@
|
|||
#jinja2: lstrip_blocks: "True"
|
||||
[Unit]
|
||||
Description=Email2Matrix
|
||||
After=docker.service
|
||||
Requires=docker.service
|
||||
DefaultDependencies=no
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
Environment="HOME={{ matrix_systemd_unit_home_path }}"
|
||||
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-email2matrix 2>/dev/null'
|
||||
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-email2matrix 2>/dev/null'
|
||||
|
||||
ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-email2matrix \
|
||||
--log-driver=none \
|
||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||
--cap-drop=ALL \
|
||||
--read-only \
|
||||
--network={{ matrix_docker_network }} \
|
||||
-p {{ matrix_email2matrix_smtp_host_bind_port }}:2525 \
|
||||
--mount type=bind,src={{ matrix_email2matrix_config_dir_path }}/config.json,dst=/config.json,ro \
|
||||
{% for arg in matrix_email2matrix_container_extra_arguments %}
|
||||
{{ arg }} \
|
||||
{% endfor %}
|
||||
{{ matrix_email2matrix_docker_image }}
|
||||
|
||||
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-email2matrix 2>/dev/null'
|
||||
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-email2matrix 2>/dev/null'
|
||||
Restart=always
|
||||
RestartSec=30
|
||||
SyslogIdentifier=matrix-email2matrix
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
87
roles/matrix-etherpad/defaults/main.yml
Normal file
87
roles/matrix-etherpad/defaults/main.yml
Normal file
|
@ -0,0 +1,87 @@
|
|||
matrix_etherpad_enabled: false
|
||||
|
||||
matrix_etherpad_base_path: "{{ matrix_base_data_path }}/etherpad"
|
||||
|
||||
matrix_etherpad_version: 1.8.12
|
||||
matrix_etherpad_docker_image: "{{ matrix_container_global_registry_prefix }}etherpad/etherpad:{{ matrix_etherpad_version }}"
|
||||
matrix_etherpad_docker_image_force_pull: "{{ matrix_etherpad_docker_image.endswith(':latest') }}"
|
||||
|
||||
# List of systemd services that matrix-etherpad.service depends on.
|
||||
matrix_etherpad_systemd_required_services_list: ['docker.service']
|
||||
|
||||
# List of systemd services that matrix-etherpad.service wants
|
||||
matrix_etherpad_systemd_wanted_services_list: []
|
||||
|
||||
# Container user has to be able to write to the source file directories until this bug is fixed:
|
||||
# https://github.com/ether/etherpad-lite/issues/2683
|
||||
matrix_etherpad_user_uid: '5001'
|
||||
matrix_etherpad_user_gid: '5001'
|
||||
|
||||
# Controls whether the matrix-etherpad container exposes its HTTP port (tcp/9001 in the container).
|
||||
#
|
||||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9001"), or empty string to not expose.
|
||||
matrix_etherpad_container_http_host_bind_port: ''
|
||||
|
||||
# A list of extra arguments to pass to the container
|
||||
matrix_etherpad_container_extra_arguments: []
|
||||
|
||||
matrix_etherpad_public_endpoint: '/etherpad'
|
||||
|
||||
# By default, the Etherpad app can be accessed within the Dimension domain
|
||||
matrix_etherpad_base_url: "https://{{ matrix_server_fqn_dimension }}{{ matrix_etherpad_public_endpoint }}"
|
||||
|
||||
# Database-related configuration fields.
|
||||
#
|
||||
# Etherpad requires a dedicated database
|
||||
matrix_etherpad_database_engine: 'postgres'
|
||||
|
||||
matrix_etherpad_database_username: 'matrix_etherpad'
|
||||
matrix_etherpad_database_password: 'some-password'
|
||||
matrix_etherpad_database_hostname: 'matrix-postgres'
|
||||
matrix_etherpad_database_port: 5432
|
||||
matrix_etherpad_database_name: 'matrix_etherpad'
|
||||
|
||||
matrix_etherpad_database_connection_string: 'postgres://{{ matrix_etherpad_database_username }}:{{ matrix_etherpad_database_password }}@{{ matrix_etherpad_database_hostname }}:{{ matrix_etherpad_database_port }}/{{ matrix_etherpad_database_name }}'
|
||||
|
||||
# Variables configuring the etherpad
|
||||
matrix_etherpad_title: 'Etherpad'
|
||||
matrix_etherpad_default_pad_text: |
|
||||
Welcome to Etherpad!
|
||||
|
||||
This pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!
|
||||
|
||||
Get involved with Etherpad at https://etherpad.org
|
||||
|
||||
# Default Etherpad configuration template which covers the generic use case.
|
||||
# You can customize it by controlling the various variables inside it.
|
||||
#
|
||||
# For a more advanced customization, you can extend the default (see `matrix_etherpad_configuration_extension_json`)
|
||||
# or completely replace this variable with your own template.
|
||||
matrix_etherpad_configuration_default: "{{ lookup('template', 'templates/settings.json.j2') }}"
|
||||
|
||||
# Your custom JSON configuration for Etherpad goes here.
|
||||
# This configuration extends the default starting configuration (`matrix_etherpad_configuration_json`).
|
||||
#
|
||||
# You can override individual variables from the default configuration, or introduce new ones.
|
||||
#
|
||||
# If you need something more special, you can take full control by
|
||||
# completely redefining `matrix_etherpad_configuration_json`.
|
||||
#
|
||||
# Example configuration extension follows:
|
||||
#
|
||||
# matrix_etherpad_configuration_extension_json: |
|
||||
# {
|
||||
# "loadTest": true,
|
||||
# "commitRateLimiting": {
|
||||
# "duration": 1,
|
||||
# "points": 10
|
||||
# }
|
||||
# }
|
||||
#
|
||||
matrix_etherpad_configuration_extension_json: '{}'
|
||||
|
||||
matrix_etherpad_configuration_extension: "{{ matrix_etherpad_configuration_extension_json|from_json if matrix_etherpad_configuration_extension_json|from_json is mapping else {} }}"
|
||||
|
||||
# Holds the final Etherpad configuration (a combination of the default and its extension).
|
||||
# You most likely don't need to touch this variable. Instead, see `matrix_etherpad_configuration_json`.
|
||||
matrix_etherpad_configuration: "{{ matrix_etherpad_configuration_default|combine(matrix_etherpad_configuration_extension, recursive=True) }}"
|
62
roles/matrix-etherpad/tasks/init.yml
Normal file
62
roles/matrix-etherpad/tasks/init.yml
Normal file
|
@ -0,0 +1,62 @@
|
|||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-etherpad.service'] }}"
|
||||
when: matrix_etherpad_enabled|bool
|
||||
|
||||
- block:
|
||||
- name: Fail if matrix-nginx-proxy role already executed
|
||||
fail:
|
||||
msg: >-
|
||||
Trying to append Etherpad's reverse-proxying configuration to matrix-nginx-proxy,
|
||||
but it's pointless since the matrix-nginx-proxy role had already executed.
|
||||
To fix this, please change the order of roles in your plabook,
|
||||
so that the matrix-nginx-proxy role would run after the matrix-etherpad role.
|
||||
when: matrix_nginx_proxy_role_executed|default(False)|bool
|
||||
|
||||
- name: Generate Etherpad proxying configuration for matrix-nginx-proxy
|
||||
set_fact:
|
||||
matrix_etherpad_matrix_nginx_proxy_configuration: |
|
||||
rewrite ^{{ matrix_etherpad_public_endpoint }}$ $scheme://$server_name{{ matrix_etherpad_public_endpoint }}/ permanent;
|
||||
|
||||
location {{ matrix_etherpad_public_endpoint }}/ {
|
||||
{% if matrix_nginx_proxy_enabled|default(False) %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
proxy_pass http://matrix-etherpad:9001/;
|
||||
{# These are proxy directives needed specifically by Etherpad #}
|
||||
proxy_buffering off;
|
||||
proxy_http_version 1.1; # recommended with keepalive connections
|
||||
proxy_pass_header Server;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
|
||||
# WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
# A good guide for setting up your Etherpad behind nginx:
|
||||
# https://docs.gandi.net/en/cloud/tutorials/etherpad_lite.html
|
||||
proxy_pass http://127.0.0.1:9001/;
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
- name: Register Etherpad proxying configuration with matrix-nginx-proxy
|
||||
set_fact:
|
||||
matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: |
|
||||
{{
|
||||
matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks|default([])
|
||||
+
|
||||
[matrix_etherpad_matrix_nginx_proxy_configuration]
|
||||
}}
|
||||
tags:
|
||||
- always
|
||||
when: matrix_etherpad_enabled|bool
|
||||
|
||||
- name: Warn about reverse-proxying if matrix-nginx-proxy not used
|
||||
debug:
|
||||
msg: >-
|
||||
NOTE: You've enabled the Etherpad tool but are not using the matrix-nginx-proxy
|
||||
reverse proxy.
|
||||
Please make sure that you're proxying the `{{ matrix_etherpad_public_endpoint }}`
|
||||
URL endpoint to the matrix-etherpad container.
|
||||
You can expose the container's port using the `matrix_etherpad_container_http_host_bind_port` variable.
|
||||
when: "matrix_etherpad_enabled|bool and matrix_nginx_proxy_enabled is not defined"
|
21
roles/matrix-etherpad/tasks/main.yml
Normal file
21
roles/matrix-etherpad/tasks/main.yml
Normal file
|
@ -0,0 +1,21 @@
|
|||
- import_tasks: "{{ role_path }}/tasks/init.yml"
|
||||
tags:
|
||||
- always
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/setup_install.yml"
|
||||
when: run_setup|bool and matrix_etherpad_enabled|bool
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-etherpad
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
|
||||
when: run_setup|bool and not matrix_etherpad_enabled|bool
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-etherpad
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
|
||||
when: run_setup|bool and matrix_etherpad_enabled|bool
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-etherpad
|
36
roles/matrix-etherpad/tasks/setup_install.yml
Normal file
36
roles/matrix-etherpad/tasks/setup_install.yml
Normal file
|
@ -0,0 +1,36 @@
|
|||
---
|
||||
|
||||
- name: Ensure Etherpad base path exists
|
||||
file:
|
||||
path: "{{ matrix_etherpad_base_path }}"
|
||||
state: directory
|
||||
mode: 0770
|
||||
owner: "{{ matrix_etherpad_user_uid }}"
|
||||
group: "{{ matrix_etherpad_user_gid }}"
|
||||
|
||||
- name: Ensure Etherpad config installed
|
||||
copy:
|
||||
content: "{{ matrix_etherpad_configuration|to_nice_json }}"
|
||||
dest: "{{ matrix_etherpad_base_path }}/settings.json"
|
||||
mode: 0640
|
||||
owner: "{{ matrix_etherpad_user_uid }}"
|
||||
group: "{{ matrix_etherpad_user_gid }}"
|
||||
|
||||
- name: Ensure Etherpad image is pulled
|
||||
docker_image:
|
||||
name: "{{ matrix_etherpad_docker_image }}"
|
||||
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
|
||||
force_source: "{{ matrix_etherpad_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
|
||||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_etherpad_docker_image_force_pull }}"
|
||||
|
||||
- name: Ensure matrix-etherpad.service installed
|
||||
template:
|
||||
src: "{{ role_path }}/templates/systemd/matrix-etherpad.service.j2"
|
||||
dest: "{{ matrix_systemd_path }}/matrix-etherpad.service"
|
||||
mode: 0644
|
||||
register: matrix_etherpad_systemd_service_result
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-etherpad.service installation
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "matrix_etherpad_systemd_service_result.changed|bool"
|
35
roles/matrix-etherpad/tasks/setup_uninstall.yml
Normal file
35
roles/matrix-etherpad/tasks/setup_uninstall.yml
Normal file
|
@ -0,0 +1,35 @@
|
|||
---
|
||||
|
||||
- name: Check existence of matrix-etherpad service
|
||||
stat:
|
||||
path: "{{ matrix_systemd_path }}/matrix-etherpad.service"
|
||||
register: matrix_etherpad_service_stat
|
||||
|
||||
- name: Ensure matrix-etherpad is stopped
|
||||
service:
|
||||
name: matrix-etherpad
|
||||
state: stopped
|
||||
daemon_reload: yes
|
||||
register: stopping_result
|
||||
when: "matrix_etherpad_service_stat.stat.exists|bool"
|
||||
|
||||
- name: Ensure matrix-etherpad.service doesn't exist
|
||||
file:
|
||||
path: "{{ matrix_systemd_path }}/matrix-etherpad.service"
|
||||
state: absent
|
||||
when: "matrix_etherpad_service_stat.stat.exists|bool"
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-etherpad.service removal
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "matrix_etherpad_service_stat.stat.exists|bool"
|
||||
|
||||
- name: Ensure Etherpad base directory doesn't exist
|
||||
file:
|
||||
path: "{{ matrix_etherpad_base_path }}"
|
||||
state: absent
|
||||
|
||||
- name: Ensure Etherpad Docker image doesn't exist
|
||||
docker_image:
|
||||
name: "{{ matrix_etherpad_docker_image }}"
|
||||
state: absent
|
11
roles/matrix-etherpad/tasks/validate_config.yml
Normal file
11
roles/matrix-etherpad/tasks/validate_config.yml
Normal file
|
@ -0,0 +1,11 @@
|
|||
- name: Fail if Etherpad is enabled without the Dimension integrations manager
|
||||
fail:
|
||||
msg: >-
|
||||
To integrate Etherpad notes with Matrix rooms you need to set "matrix_dimension_enabled" to true
|
||||
when: "not matrix_dimension_enabled|bool"
|
||||
|
||||
- name: Fail if no database is configured for Etherpad
|
||||
fail:
|
||||
msg: >-
|
||||
Etherpad requires a dedicated Postgres database. Please enable the built in one, or configure an external DB by redefining "matrix_etherpad_database_hostname"
|
||||
when: matrix_etherpad_database_hostname == "matrix-postgres" and not matrix_postgres_enabled
|
105
roles/matrix-etherpad/templates/settings.json.j2
Normal file
105
roles/matrix-etherpad/templates/settings.json.j2
Normal file
|
@ -0,0 +1,105 @@
|
|||
{
|
||||
"title": {{ matrix_etherpad_title|to_json }},
|
||||
"favicon": "favicon.ico",
|
||||
"skinName": "colibris",
|
||||
"skinVariants": "super-light-toolbar super-light-editor light-background",
|
||||
"ip": "::",
|
||||
"port": 9001,
|
||||
"showSettingsInAdminPage": true,
|
||||
"dbType": {{ matrix_etherpad_database_engine|to_json }},
|
||||
"dbSettings": {
|
||||
"database": {{ matrix_etherpad_database_name|to_json }},
|
||||
"host": {{ matrix_etherpad_database_hostname|to_json }},
|
||||
"password": {{ matrix_etherpad_database_password|to_json }},
|
||||
"port": {{ matrix_etherpad_database_port|to_json }},
|
||||
"user": {{ matrix_etherpad_database_username|to_json }}
|
||||
},
|
||||
"defaultPadText" : {{ matrix_etherpad_default_pad_text|to_json }},
|
||||
"suppressErrorsInPadText": false,
|
||||
"requireSession": false,
|
||||
"editOnly": false,
|
||||
"minify": true,
|
||||
"maxAge": 21600,
|
||||
"abiword": null,
|
||||
"soffice": null,
|
||||
"tidyHtml": null,
|
||||
"allowUnknownFileEnds": true,
|
||||
"requireAuthentication": false,
|
||||
"requireAuthorization": false,
|
||||
"trustProxy": true,
|
||||
"cookie": {
|
||||
"sameSite": "Lax"
|
||||
},
|
||||
"disableIPlogging": true,
|
||||
"automaticReconnectionTimeout": 0,
|
||||
"scrollWhenFocusLineIsOutOfViewport": {
|
||||
"percentage": {
|
||||
"editionAboveViewport": 0,
|
||||
"editionBelowViewport": 0
|
||||
},
|
||||
"duration": 0,
|
||||
"scrollWhenCaretIsInTheLastLineOfViewport": false,
|
||||
"percentageToScrollWhenUserPressesArrowUp": 0
|
||||
},
|
||||
"socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
|
||||
"socketIo": {
|
||||
"maxHttpBufferSize": 10000
|
||||
},
|
||||
"loadTest": false,
|
||||
"importExportRateLimiting": {
|
||||
"windowMs": 90000,
|
||||
"max": 10
|
||||
},
|
||||
"importMaxFileSize": 52428800,
|
||||
"commitRateLimiting": {
|
||||
"duration": 1,
|
||||
"points": 10
|
||||
},
|
||||
"exposeVersion": false,
|
||||
"padOptions": {
|
||||
"noColors": false,
|
||||
"showControls": true,
|
||||
"showChat": false,
|
||||
"showLineNumbers": true,
|
||||
"useMonospaceFont": false,
|
||||
"userName": false,
|
||||
"userColor": false,
|
||||
"rtl": false,
|
||||
"alwaysShowChat": false,
|
||||
"chatAndUsers": false,
|
||||
"lang": "en-gb"
|
||||
},
|
||||
"padShortcutEnabled" : {
|
||||
"altF9": true,
|
||||
"altC": true,
|
||||
"cmdShift2": true,
|
||||
"delete": true,
|
||||
"return": true,
|
||||
"esc": true,
|
||||
"cmdS": true,
|
||||
"tab": true,
|
||||
"cmdZ": true,
|
||||
"cmdY": true,
|
||||
"cmdI": true,
|
||||
"cmdB": true,
|
||||
"cmdU": true,
|
||||
"cmd5": true,
|
||||
"cmdShiftL": true,
|
||||
"cmdShiftN": true,
|
||||
"cmdShift1": true,
|
||||
"cmdShiftC": true,
|
||||
"cmdH": true,
|
||||
"ctrlHome": true,
|
||||
"pageUp": true,
|
||||
"pageDown": true
|
||||
},
|
||||
"loglevel": "INFO",
|
||||
"logconfig" :
|
||||
{ "appenders": [
|
||||
{ "type": "console",
|
||||
"layout": {"type": "messagePassThrough"}
|
||||
}
|
||||
]
|
||||
},
|
||||
"customLocaleStrings": {}
|
||||
}
|
|
@ -0,0 +1,44 @@
|
|||
#jinja2: lstrip_blocks: "True"
|
||||
[Unit]
|
||||
Description=Matrix Etherpad
|
||||
{% for service in matrix_etherpad_systemd_required_services_list %}
|
||||
Requires={{ service }}
|
||||
After={{ service }}
|
||||
{% endfor %}
|
||||
{% for service in matrix_etherpad_systemd_wanted_services_list %}
|
||||
Wants={{ service }}
|
||||
{% endfor %}
|
||||
DefaultDependencies=no
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
Environment="HOME={{ matrix_systemd_unit_home_path }}"
|
||||
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-etherpad
|
||||
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-etherpad
|
||||
|
||||
ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-etherpad \
|
||||
--log-driver=none \
|
||||
--user={{ matrix_etherpad_user_uid }}:{{ matrix_etherpad_user_gid }} \
|
||||
--cap-drop=ALL \
|
||||
--network={{ matrix_docker_network }} \
|
||||
{% if matrix_etherpad_container_http_host_bind_port %}
|
||||
-p {{ matrix_etherpad_container_http_host_bind_port }}:9001 \
|
||||
{% endif %}
|
||||
--mount type=bind,src={{ matrix_etherpad_base_path }},dst=/data \
|
||||
{% for arg in matrix_etherpad_container_extra_arguments %}
|
||||
{{ arg }} \
|
||||
{% endfor %}
|
||||
{{ matrix_etherpad_docker_image }} \
|
||||
node --experimental-worker src/node/server.js \
|
||||
--settings /data/settings.json --credentials /data/credentials.json \
|
||||
--sessionkey /data/sessionkey.json --apikey /data/apijey.json
|
||||
|
||||
|
||||
ExecStop=-{{ matrix_host_command_docker }} kill matrix-etherpad
|
||||
ExecStop=-{{ matrix_host_command_docker }} rm matrix-etherpad
|
||||
Restart=always
|
||||
RestartSec=30
|
||||
SyslogIdentifier=matrix-etherpad
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
59
roles/matrix-grafana/defaults/main.yml
Normal file
59
roles/matrix-grafana/defaults/main.yml
Normal file
|
@ -0,0 +1,59 @@
|
|||
# matrix-grafana is open source visualization and analytics software
|
||||
# See: https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md
|
||||
|
||||
matrix_grafana_enabled: false
|
||||
|
||||
matrix_grafana_version: 8.0.5
|
||||
matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}"
|
||||
matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}"
|
||||
|
||||
# Not conditional, because when someone disables metrics
|
||||
# they might still want to look at the old existing data.
|
||||
# So it would be silly to delete the dashboard in such case.
|
||||
matrix_grafana_dashboard_download_urls:
|
||||
- "https://raw.githubusercontent.com/matrix-org/synapse/master/contrib/grafana/synapse.json"
|
||||
- "https://raw.githubusercontent.com/rfrail3/grafana-dashboards/master/prometheus/node-exporter-full.json"
|
||||
|
||||
matrix_grafana_base_path: "{{ matrix_base_data_path }}/grafana"
|
||||
matrix_grafana_config_path: "{{ matrix_grafana_base_path }}/config"
|
||||
matrix_grafana_data_path: "{{ matrix_grafana_base_path }}/data"
|
||||
|
||||
# Allow viewing Grafana without logging in
|
||||
matrix_grafana_anonymous_access: false
|
||||
|
||||
# specify organization name that should be used for unauthenticated users
|
||||
# if you change this in the Grafana admin panel, this needs to be updated
|
||||
# to match to keep anonymous logins working
|
||||
matrix_grafana_anonymous_access_org_name: 'Main Org.'
|
||||
|
||||
|
||||
# default admin credentials, you are asked to change these on first login
|
||||
matrix_grafana_default_admin_user: admin
|
||||
matrix_grafana_default_admin_password: admin
|
||||
|
||||
# Set to true to add the Content-Security-Policy header to your requests.
|
||||
# CSP allows to control resources that the user agent can load and helps
|
||||
# prevent XSS attacks.
|
||||
# [Content Security Policy](https://grafana.com/docs/grafana/latest/administration/configuration/#content_security_policy)
|
||||
matrix_grafana_content_security_policy: true
|
||||
|
||||
# specify content security policy template to customized template
|
||||
# added https: and http: url schemes (ignored by browsers supporting 'strict-dynamic') to be backward compatible with older browsers.
|
||||
# [Content Security Policy Browser Test] (https://content-security-policy.com/browser-test/)
|
||||
# [Content Security Policy Reference](https://content-security-policy.com/script-src/)
|
||||
matrix_grafana_content_security_policy_customized: false
|
||||
matrix_grafana_content_security_policy_template: "script-src 'self' 'unsafe-eval' 'unsafe-inline' http: https: 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src * data:;base-uri 'self';connect-src 'self' grafana.com ws://$ROOT_PATH wss://$ROOT_PATH;manifest-src 'self';media-src 'none';form-action 'self';"
|
||||
|
||||
# A list of extra arguments to pass to the container
|
||||
matrix_grafana_container_extra_arguments: []
|
||||
|
||||
# List of systemd services that matrix-grafana.service depends on
|
||||
matrix_grafana_systemd_required_services_list: ['docker.service']
|
||||
|
||||
# List of systemd services that matrix-grafana.service wants
|
||||
matrix_grafana_systemd_wanted_services_list: []
|
||||
|
||||
# Controls whether the matrix-grafana container exposes its HTTP port (tcp/3000 in the container).
|
||||
#
|
||||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:3000"), or empty string to not expose.
|
||||
matrix_grafana_container_http_host_bind_port: ''
|
5
roles/matrix-grafana/tasks/init.yml
Normal file
5
roles/matrix-grafana/tasks/init.yml
Normal file
|
@ -0,0 +1,5 @@
|
|||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-grafana.service'] }}"
|
||||
when: matrix_grafana_enabled|bool
|
||||
|
||||
|
14
roles/matrix-grafana/tasks/main.yml
Normal file
14
roles/matrix-grafana/tasks/main.yml
Normal file
|
@ -0,0 +1,14 @@
|
|||
- import_tasks: "{{ role_path }}/tasks/init.yml"
|
||||
tags:
|
||||
- always
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
|
||||
when: "run_setup|bool and matrix_grafana_enabled|bool"
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-grafana
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/setup.yml"
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-grafana
|
110
roles/matrix-grafana/tasks/setup.yml
Normal file
110
roles/matrix-grafana/tasks/setup.yml
Normal file
|
@ -0,0 +1,110 @@
|
|||
---
|
||||
|
||||
#
|
||||
# Tasks related to setting up matrix-grafana
|
||||
#
|
||||
|
||||
- name: Ensure matrix-grafana image is pulled
|
||||
docker_image:
|
||||
name: "{{ matrix_grafana_docker_image }}"
|
||||
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
|
||||
force_source: "{{ matrix_grafana_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
|
||||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_grafana_docker_image_force_pull }}"
|
||||
when: "matrix_grafana_enabled|bool"
|
||||
|
||||
- name: Ensure grafana paths exists
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
mode: 0750
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- "{{ matrix_grafana_base_path }}"
|
||||
- "{{ matrix_grafana_config_path }}"
|
||||
- "{{ matrix_grafana_config_path }}/provisioning"
|
||||
- "{{ matrix_grafana_config_path }}/provisioning/datasources"
|
||||
- "{{ matrix_grafana_config_path }}/provisioning/dashboards"
|
||||
- "{{ matrix_grafana_config_path }}/dashboards"
|
||||
- "{{ matrix_grafana_data_path }}"
|
||||
when: matrix_grafana_enabled|bool
|
||||
|
||||
- name: Ensure grafana.ini present
|
||||
template:
|
||||
src: "{{ role_path }}/templates/grafana.ini.j2"
|
||||
dest: "{{ matrix_grafana_config_path }}/grafana.ini"
|
||||
mode: 0440
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
when: matrix_grafana_enabled|bool
|
||||
|
||||
- name: Ensure provisioning/datasources/default.yaml present
|
||||
template:
|
||||
src: "{{ role_path }}/templates/datasources.yaml.j2"
|
||||
dest: "{{ matrix_grafana_config_path }}/provisioning/datasources/default.yaml"
|
||||
mode: 0440
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
when: matrix_grafana_enabled|bool
|
||||
|
||||
- name: Ensure provisioning/dashboards/default.yaml present
|
||||
template:
|
||||
src: "{{ role_path }}/templates/dashboards.yaml.j2"
|
||||
dest: "{{ matrix_grafana_config_path }}/provisioning/dashboards/default.yaml"
|
||||
mode: 0440
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
when: matrix_grafana_enabled|bool
|
||||
|
||||
- name: Ensure dashboard(s) downloaded
|
||||
get_url:
|
||||
url: "{{ item }}"
|
||||
dest: "{{ matrix_grafana_config_path }}/dashboards/"
|
||||
force: true
|
||||
mode: 0440
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items: "{{ matrix_grafana_dashboard_download_urls_all }}"
|
||||
when: matrix_grafana_enabled|bool
|
||||
|
||||
- name: Ensure matrix-grafana.service installed
|
||||
template:
|
||||
src: "{{ role_path }}/templates/systemd/matrix-grafana.service.j2"
|
||||
dest: "{{ matrix_systemd_path }}/matrix-grafana.service"
|
||||
mode: 0644
|
||||
register: matrix_grafana_systemd_service_result
|
||||
when: matrix_grafana_enabled|bool
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-grafana.service installation
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "matrix_grafana_enabled|bool and matrix_grafana_systemd_service_result.changed"
|
||||
|
||||
#
|
||||
# Tasks related to getting rid of matrix-grafana (if it was previously enabled)
|
||||
#
|
||||
|
||||
- name: Check existence of matrix-grafana service
|
||||
stat:
|
||||
path: "{{ matrix_systemd_path }}/matrix-grafana.service"
|
||||
register: matrix_grafana_service_stat
|
||||
|
||||
- name: Ensure matrix-grafana is stopped
|
||||
service:
|
||||
name: matrix-grafana
|
||||
state: stopped
|
||||
daemon_reload: yes
|
||||
register: stopping_result
|
||||
when: "not matrix_grafana_enabled|bool and matrix_grafana_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure matrix-grafana.service doesn't exist
|
||||
file:
|
||||
path: "{{ matrix_systemd_path }}/matrix-grafana.service"
|
||||
state: absent
|
||||
when: "not matrix_grafana_enabled|bool and matrix_grafana_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-grafana.service removal
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "not matrix_grafana_enabled|bool and matrix_grafana_service_stat.stat.exists"
|
||||
|
7
roles/matrix-grafana/tasks/validate_config.yml
Normal file
7
roles/matrix-grafana/tasks/validate_config.yml
Normal file
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
|
||||
- name: Fail if Prometheus not enabled
|
||||
fail:
|
||||
msg: >
|
||||
You need to enable `matrix_prometheus_enabled` to use Prometheus as data source for Grafana.
|
||||
when: "not matrix_prometheus_enabled"
|
9
roles/matrix-grafana/templates/dashboards.yaml.j2
Normal file
9
roles/matrix-grafana/templates/dashboards.yaml.j2
Normal file
|
@ -0,0 +1,9 @@
|
|||
apiVersion: 1
|
||||
|
||||
providers:
|
||||
- name: {{ matrix_server_fqn_matrix }} - Dashboards
|
||||
folder: '' # The folder where to place the dashboards
|
||||
type: file
|
||||
allowUiUpdates: true
|
||||
options:
|
||||
path: /etc/grafana/dashboards
|
8
roles/matrix-grafana/templates/datasources.yaml.j2
Normal file
8
roles/matrix-grafana/templates/datasources.yaml.j2
Normal file
|
@ -0,0 +1,8 @@
|
|||
apiVersion: 1
|
||||
|
||||
datasources:
|
||||
- name: {{ matrix_server_fqn_matrix }} - Prometheus
|
||||
type: prometheus
|
||||
# Access mode - proxy (server in the UI) or direct (browser in the UI).
|
||||
access: proxy
|
||||
url: http://matrix-prometheus:9090
|
31
roles/matrix-grafana/templates/grafana.ini.j2
Normal file
31
roles/matrix-grafana/templates/grafana.ini.j2
Normal file
|
@ -0,0 +1,31 @@
|
|||
[server]
|
||||
root_url = "https://{{ matrix_server_fqn_grafana }}"
|
||||
|
||||
[security]
|
||||
# default admin user, created on startup
|
||||
admin_user = "{{ matrix_grafana_default_admin_user }}"
|
||||
|
||||
# default admin password, can be changed before first start of grafana, or in profile settings
|
||||
admin_password = """{{ matrix_grafana_default_admin_password }}"""
|
||||
|
||||
# specify content_security_policy to add the Content-Security-Policy header to your requests
|
||||
content_security_policy = "{{ matrix_grafana_content_security_policy }}"
|
||||
|
||||
# specify content security policy template to customized template
|
||||
{% if matrix_grafana_content_security_policy_customized %}
|
||||
content_security_policy_template = """{{ matrix_grafana_content_security_policy_template }}"""
|
||||
{% endif %}
|
||||
|
||||
[auth.anonymous]
|
||||
# enable anonymous access
|
||||
enabled = {{ matrix_grafana_anonymous_access }}
|
||||
|
||||
# specify organization name that should be used for unauthenticated users
|
||||
org_name = "{{ matrix_grafana_anonymous_access_org_name }}"
|
||||
|
||||
[dashboards]
|
||||
{% if matrix_synapse_metrics_enabled %}
|
||||
default_home_dashboard_path = /etc/grafana/dashboards/synapse.json
|
||||
{% else %}
|
||||
default_home_dashboard_path = /etc/grafana/dashboards/node-exporter-full.json
|
||||
{% endif %}
|
|
@ -0,0 +1,43 @@
|
|||
#jinja2: lstrip_blocks: "True"
|
||||
[Unit]
|
||||
Description=matrix-grafana
|
||||
{% for service in matrix_grafana_systemd_required_services_list %}
|
||||
Requires={{ service }}
|
||||
After={{ service }}
|
||||
{% endfor %}
|
||||
{% for service in matrix_grafana_systemd_wanted_services_list %}
|
||||
Wants={{ service }}
|
||||
{% endfor %}
|
||||
DefaultDependencies=no
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
Environment="HOME={{ matrix_systemd_unit_home_path }}"
|
||||
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-grafana 2>/dev/null'
|
||||
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-grafana 2>/dev/null'
|
||||
|
||||
|
||||
ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-grafana \
|
||||
--log-driver=none \
|
||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||
--cap-drop=ALL \
|
||||
--read-only \
|
||||
--network={{ matrix_docker_network }} \
|
||||
{% if matrix_grafana_container_http_host_bind_port %}
|
||||
-p {{ matrix_grafana_container_http_host_bind_port }}:3000 \
|
||||
{% endif %}
|
||||
-v {{ matrix_grafana_config_path }}:/etc/grafana:z \
|
||||
-v {{ matrix_grafana_data_path }}:/var/lib/grafana:z \
|
||||
{% for arg in matrix_grafana_container_extra_arguments %}
|
||||
{{ arg }} \
|
||||
{% endfor %}
|
||||
{{ matrix_grafana_docker_image }}
|
||||
|
||||
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-grafana 2>/dev/null'
|
||||
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-grafana 2>/dev/null'
|
||||
Restart=always
|
||||
RestartSec=30
|
||||
SyslogIdentifier=matrix-grafana
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
261
roles/matrix-jitsi/defaults/main.yml
Normal file
261
roles/matrix-jitsi/defaults/main.yml
Normal file
|
@ -0,0 +1,261 @@
|
|||
matrix_jitsi_enabled: true
|
||||
|
||||
matrix_jitsi_base_path: "{{ matrix_base_data_path }}/jitsi"
|
||||
|
||||
matrix_jitsi_enable_auth: false
|
||||
matrix_jitsi_enable_guests: false
|
||||
matrix_jitsi_enable_recording: false
|
||||
matrix_jitsi_enable_transcriptions: false
|
||||
matrix_jitsi_enable_p2p: true
|
||||
|
||||
# Authentication type, must be one of internal, jwt or ldap. Currently only
|
||||
# internal and ldap are supported by this playbook.
|
||||
matrix_jitsi_auth_type: internal
|
||||
|
||||
# Configuration options for LDAP authentication. For details see upstream:
|
||||
# https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap.
|
||||
# Defaults are taken from:
|
||||
# https://github.com/jitsi/docker-jitsi-meet/blob/master/prosody/rootfs/defaults/saslauthd.conf
|
||||
matrix_jitsi_ldap_url: ""
|
||||
matrix_jitsi_ldap_base: ""
|
||||
matrix_jitsi_ldap_binddn: ""
|
||||
matrix_jitsi_ldap_bindpw: ""
|
||||
matrix_jitsi_ldap_filter: "uid=%u"
|
||||
matrix_jitsi_ldap_auth_method: "bind"
|
||||
matrix_jitsi_ldap_version: "3"
|
||||
matrix_jitsi_ldap_use_tls: false
|
||||
matrix_jitsi_ldap_tls_ciphers: ""
|
||||
matrix_jitsi_ldap_tls_check_peer: false
|
||||
matrix_jitsi_ldap_tls_cacert_file: "/etc/ssl/certs/ca-certificates.crt"
|
||||
matrix_jitsi_ldap_tls_cacert_dir: "/etc/ssl/certs"
|
||||
matrix_jitsi_ldap_start_tls: false
|
||||
|
||||
matrix_jitsi_timezone: UTC
|
||||
|
||||
matrix_jitsi_xmpp_domain: matrix-jitsi-web
|
||||
matrix_jitsi_xmpp_server: matrix-jitsi-prosody
|
||||
matrix_jitsi_xmpp_auth_domain: auth.meet.jitsi
|
||||
matrix_jitsi_xmpp_bosh_url_base: http://{{ matrix_jitsi_xmpp_server }}:5280
|
||||
matrix_jitsi_xmpp_guest_domain: guest.meet.jitsi
|
||||
matrix_jitsi_xmpp_muc_domain: muc.meet.jitsi
|
||||
matrix_jitsi_xmpp_internal_muc_domain: internal-muc.meet.jitsi
|
||||
matrix_jitsi_xmpp_modules: ''
|
||||
|
||||
matrix_jitsi_recorder_domain: recorder.meet.jitsi
|
||||
|
||||
|
||||
matrix_jitsi_jibri_brewery_muc: jibribrewery
|
||||
matrix_jitsi_jibri_pending_timeout: 90
|
||||
matrix_jitsi_jibri_xmpp_user: jibri
|
||||
matrix_jitsi_jibri_xmpp_password: ''
|
||||
matrix_jitsi_jibri_recorder_user: recorder
|
||||
matrix_jitsi_jibri_recorder_password: ''
|
||||
|
||||
matrix_jitsi_enable_lobby: false
|
||||
|
||||
matrix_jitsi_version: stable-5765-1
|
||||
matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility
|
||||
|
||||
matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}"
|
||||
matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}"
|
||||
|
||||
matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web"
|
||||
matrix_jitsi_web_config_path: "{{ matrix_jitsi_web_base_path }}/config"
|
||||
matrix_jitsi_web_transcripts_path: "{{ matrix_jitsi_web_base_path }}/transcripts"
|
||||
|
||||
matrix_jitsi_web_public_url: "https://{{ matrix_server_fqn_jitsi }}"
|
||||
|
||||
# STUN servers used in the web UI. Feel free to point them to your own STUN server.
|
||||
# Addresses need to be prefixed with one of `stun:`, `turn:` or `turns:`.
|
||||
matrix_jitsi_web_stun_servers: ['stun:meet-jit-si-turnrelay.jitsi.net:443']
|
||||
|
||||
# Controls whether Etherpad will be available within Jitsi
|
||||
matrix_jitsi_etherpad_enabled: false
|
||||
|
||||
# Controls whether the matrix-jitsi-web container exposes its HTTP port (tcp/80 in the container).
|
||||
#
|
||||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:13080"), or empty string to not expose.
|
||||
matrix_jitsi_web_container_http_host_bind_port: ''
|
||||
|
||||
# A list of extra arguments to pass to the container
|
||||
matrix_jitsi_web_container_extra_arguments: []
|
||||
|
||||
# List of systemd services that matrix-jitsi-web.service depends on
|
||||
matrix_jitsi_web_systemd_required_services_list: ['docker.service']
|
||||
|
||||
|
||||
# Some variables controlling the interface of Jitsi Web.
|
||||
# These get applied to `templates/web/interface_config.js.j2`.
|
||||
#
|
||||
# Besides this, you can also use `matrix_jitsi_web_custom_interface_config_extension`
|
||||
# to define any other configuration option.
|
||||
matrix_jitsi_web_interface_config_lang_detection: false
|
||||
matrix_jitsi_web_interface_config_show_jitsi_watermark: true
|
||||
matrix_jitsi_web_interface_config_jitsi_watermark_link: "https://jitsi.org"
|
||||
matrix_jitsi_web_interface_config_show_brand_watermark: false
|
||||
matrix_jitsi_web_interface_config_brand_watermark_link: ""
|
||||
matrix_jitsi_web_interface_config_generate_room_names_on_welcome_page: true
|
||||
matrix_jitsi_web_interface_config_display_welcome_page_content: true
|
||||
matrix_jitsi_web_interface_config_app_name: "Jitsi Meet"
|
||||
matrix_jitsi_web_interface_config_native_app_name: "Jitsi Meet"
|
||||
matrix_jitsi_web_interface_config_provider_name: "Jitsi"
|
||||
matrix_jitsi_web_interface_config_show_powered_by: false
|
||||
matrix_jitsi_web_interface_config_disable_transcription_subtitles: false
|
||||
matrix_jitsi_web_interface_config_show_deep_linking_image: false
|
||||
|
||||
# Custom configuration to be injected into `interface_config.js`, passed to Jitsi Web.
|
||||
# This configuration gets appended to the final interface configuration that Jitsi Web uses.
|
||||
#
|
||||
# Note: not to be confused with `matrix_jitsi_web_custom_config_extension`.
|
||||
#
|
||||
# For interface configuration, the flow is like this:
|
||||
# - the contents of `templates/web/interface_config.js.j2` is generated (based on various `matrix_jitsi_web_interface_config_*` variables you see in this file)
|
||||
# - the contents of `matrix_jitsi_web_custom_interface_config_extension` is appended and can define new settings or override defaults.
|
||||
#
|
||||
# Example:
|
||||
# matrix_jitsi_web_custom_interface_config_extension: |
|
||||
# interfaceConfig.CONNECTION_INDICATOR_AUTO_HIDE_ENABLED = false;
|
||||
# interfaceConfig.DISABLE_VIDEO_BACKGROUND = true;
|
||||
matrix_jitsi_web_custom_interface_config_extension: ''
|
||||
|
||||
|
||||
# Controls after which participant audio will be muted. If not specified, defaults to Jitsi's default value (likely 10)
|
||||
matrix_jitsi_web_config_start_audio_muted_after_nth_participant: ~
|
||||
# Controls after which participant video will be muted. If not specified, defaults to Jitsi's default value (likely 10)
|
||||
matrix_jitsi_web_config_start_video_muted_after_nth_participant: ~
|
||||
|
||||
matrix_jitsi_web_config_defaultLanguage: 'en'
|
||||
|
||||
# Ideal and also maximum resolution width. If not specified, defaults to Jitsi's default value (likely 1280)
|
||||
matrix_jitsi_web_config_resolution_width_ideal_and_max: ~
|
||||
# Minimum resolution width. If not specified, defaults to Jitsi's default value (likely 320)
|
||||
matrix_jitsi_web_config_resolution_width_min: ~
|
||||
# Ideal and also maximum resolution height. If not specified, defaults to Jitsi's default value (likely 720)
|
||||
matrix_jitsi_web_config_resolution_height_ideal_and_max: ~
|
||||
# Minimum resolution height. If not specified, defaults to Jitsi's default value (likely 180)
|
||||
matrix_jitsi_web_config_resolution_height_min: ~
|
||||
|
||||
# Custom configuration to be injected into `custom-config.js`, passed to Jitsi Web.
|
||||
# This configuration gets appended to the final configuration that Jitsi Web uses.
|
||||
#
|
||||
# Note: not to be confused with `matrix_jitsi_web_custom_interface_config_extension`.
|
||||
#
|
||||
# The flow is like this:
|
||||
# - some default configuration is automatically generated based on the environment variables passed to the Jitsi Web container
|
||||
# - the contents of `custom-config.js` is appended to it (see `templates/web/custom-config.js.j2`)
|
||||
# - said `custom-config.js` contains your custom contents specified in `matrix_jitsi_web_custom_config_extension`.
|
||||
#
|
||||
# Example:
|
||||
# matrix_jitsi_web_custom_config_extension: |
|
||||
# if (!config.hasOwnProperty('testing')) config.testing = {};
|
||||
# config.testing.p2pTestMode = true
|
||||
matrix_jitsi_web_custom_config_extension: ''
|
||||
|
||||
# Additional environment variables to pass to the Jitsi Web container.
|
||||
# You can use this to further influence the default configuration generated by the Jitsi Web container on every startup.
|
||||
# Besides influencing the final configuration by passing environment variables, you can also inject custom configuration
|
||||
# by using `matrix_jitsi_web_custom_config_extension`.
|
||||
#
|
||||
# Example:
|
||||
# matrix_jitsi_web_environment_variables_extension: |
|
||||
# ENABLE_FILE_RECORDING_SERVICE=1
|
||||
# DROPBOX_APPKEY=something
|
||||
# DROPBOX_REDIRECT_URI=something
|
||||
matrix_jitsi_web_environment_variables_extension: ''
|
||||
|
||||
|
||||
matrix_jitsi_prosody_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/prosody:{{ matrix_jitsi_container_image_tag }}"
|
||||
matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}"
|
||||
|
||||
matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody"
|
||||
matrix_jitsi_prosody_config_path: "{{ matrix_jitsi_prosody_base_path }}/config"
|
||||
matrix_jitsi_prosody_plugins_path: "{{ matrix_jitsi_prosody_base_path }}/prosody-plugins-custom"
|
||||
|
||||
# A list of extra arguments to pass to the container
|
||||
matrix_jitsi_prosody_container_extra_arguments: []
|
||||
|
||||
# List of systemd services that matrix-jitsi-prosody.service depends on
|
||||
matrix_jitsi_prosody_systemd_required_services_list: ['docker.service']
|
||||
|
||||
# Neccessary Port binding for those disabling the integrated nginx proxy
|
||||
matrix_jitsi_prosody_container_http_host_bind_port: ''
|
||||
|
||||
matrix_jitsi_jicofo_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jicofo:{{ matrix_jitsi_container_image_tag }}"
|
||||
matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}"
|
||||
|
||||
matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo"
|
||||
matrix_jitsi_jicofo_config_path: "{{ matrix_jitsi_jicofo_base_path }}/config"
|
||||
|
||||
# A list of extra arguments to pass to the container
|
||||
matrix_jitsi_jicofo_container_extra_arguments: []
|
||||
|
||||
# List of systemd services that matrix-jitsi-jicofo.service depends on
|
||||
matrix_jitsi_jicofo_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service']
|
||||
|
||||
matrix_jitsi_jicofo_component_secret: ''
|
||||
matrix_jitsi_jicofo_auth_user: focus
|
||||
matrix_jitsi_jicofo_auth_password: ''
|
||||
|
||||
|
||||
matrix_jitsi_jvb_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jvb:{{ matrix_jitsi_container_image_tag }}"
|
||||
matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}"
|
||||
|
||||
matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb"
|
||||
matrix_jitsi_jvb_config_path: "{{ matrix_jitsi_jvb_base_path }}/config"
|
||||
|
||||
# A list of extra arguments to pass to the container
|
||||
matrix_jitsi_jvb_container_extra_arguments: []
|
||||
|
||||
# List of systemd services that matrix-jitsi-jvb.service depends on
|
||||
matrix_jitsi_jvb_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service']
|
||||
|
||||
matrix_jitsi_jvb_auth_user: jvb
|
||||
matrix_jitsi_jvb_auth_password: ''
|
||||
|
||||
# STUN servers used by JVB on the server-side, so it can discover its own external IP address.
|
||||
# Pointing this to a STUN server running on the same Docker network may lead to incorrect IP address discovery.
|
||||
matrix_jitsi_jvb_stun_servers: ['meet-jit-si-turnrelay.jitsi.net:443']
|
||||
|
||||
matrix_jitsi_jvb_brewery_muc: jvbbrewery
|
||||
matrix_jitsi_jvb_rtp_udp_port: 10000
|
||||
matrix_jitsi_jvb_rtp_tcp_port: 4443
|
||||
|
||||
# Custom configuration to be injected into `custom-sip-communicator.properties`, passed to Jitsi JVB.
|
||||
# This configuration gets appended to the final configuration that Jitsi JVB uses.
|
||||
#
|
||||
# The flow is like this:
|
||||
# - some default configuration is automatically generated based on the environment variables passed to the Jitsi JVB container
|
||||
# - the contents of `custom-sip-communicator.properties` is appended to it (see `templates/jvb/custom-sip-communicator.properties.j2`)
|
||||
# - said `custom-sip-communicator.properties` contains your custom contents specified in `matrix_jitsi_jvb_custom_config_extension`.
|
||||
#
|
||||
# Example:
|
||||
# matrix_jitsi_jvb_custom_config_extension: |
|
||||
# org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=false
|
||||
# org.jitsi.videobridge.ENABLE_STATISTICS=false
|
||||
matrix_jitsi_jvb_custom_config_extension: ''
|
||||
|
||||
# Additional environment variables to pass to the Jitsi JVB container.
|
||||
# You can use this to further influence the default configuration generated by the Jitsi JVB container on every startup.
|
||||
# Besides influencing the final configuration by passing environment variables, you can also inject custom configuration
|
||||
# by using `matrix_jitsi_jvb_custom_config_extension`.
|
||||
#
|
||||
# Example:
|
||||
# matrix_jitsi_jvb_environment_variables_extension: |
|
||||
# SOME_VARIABLE=1
|
||||
# ANOTHER_VARIABLE=something
|
||||
matrix_jitsi_jvb_environment_variables_extension: ''
|
||||
|
||||
# Controls whether the matrix-jitsi-jvb container exposes its RTP UDP port (udp/10000 in the container).
|
||||
#
|
||||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:10000"), or empty string to not expose.
|
||||
matrix_jitsi_jvb_container_rtp_udp_host_bind_port: "{{ matrix_jitsi_jvb_rtp_udp_port }}"
|
||||
|
||||
# Controls whether the matrix-jitsi-jvb container exposes its RTP UDP port (udp/4443 in the container).
|
||||
#
|
||||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:4443"), or empty string to not expose.
|
||||
matrix_jitsi_jvb_container_rtp_tcp_host_bind_port: "{{ matrix_jitsi_jvb_rtp_tcp_port }}"
|
||||
|
||||
# Controls whether the matrix-jitsi-jvb container exposes its Colibri WebSocket port (tcp/9090 in the container).
|
||||
#
|
||||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:12090"), or empty string to not expose.
|
||||
matrix_jitsi_jvb_container_colibri_ws_host_bind_port: ''
|
3
roles/matrix-jitsi/tasks/init.yml
Normal file
3
roles/matrix-jitsi/tasks/init.yml
Normal file
|
@ -0,0 +1,3 @@
|
|||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-jitsi-web.service', 'matrix-jitsi-prosody.service', 'matrix-jitsi-jicofo.service', 'matrix-jitsi-jvb.service'] }}"
|
||||
when: matrix_jitsi_enabled|bool
|
39
roles/matrix-jitsi/tasks/main.yml
Normal file
39
roles/matrix-jitsi/tasks/main.yml
Normal file
|
@ -0,0 +1,39 @@
|
|||
- import_tasks: "{{ role_path }}/tasks/init.yml"
|
||||
tags:
|
||||
- always
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
|
||||
when: "run_setup|bool and matrix_jitsi_enabled|bool"
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-jitsi
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/setup_jitsi_base.yml"
|
||||
when: run_setup|bool
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-jitsi
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/setup_jitsi_web.yml"
|
||||
when: run_setup|bool
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-jitsi
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/setup_jitsi_prosody.yml"
|
||||
when: run_setup|bool
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-jitsi
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/setup_jitsi_jicofo.yml"
|
||||
when: run_setup|bool
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-jitsi
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/setup_jitsi_jvb.yml"
|
||||
when: run_setup|bool
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-jitsi
|
20
roles/matrix-jitsi/tasks/setup_jitsi_base.yml
Normal file
20
roles/matrix-jitsi/tasks/setup_jitsi_base.yml
Normal file
|
@ -0,0 +1,20 @@
|
|||
---
|
||||
|
||||
#
|
||||
# Tasks related to setting up jitsi
|
||||
#
|
||||
|
||||
- name: Ensure Matrix jitsi base path exists
|
||||
file:
|
||||
path: "{{ item.path }}"
|
||||
state: directory
|
||||
mode: 0750
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- { path: "{{ matrix_jitsi_base_path }}", when: true }
|
||||
when: matrix_jitsi_enabled|bool and item.when
|
||||
|
||||
#
|
||||
# Tasks related to getting rid of jitsi (if it was previously enabled)
|
||||
#
|
93
roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml
Normal file
93
roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml
Normal file
|
@ -0,0 +1,93 @@
|
|||
---
|
||||
|
||||
#
|
||||
# Tasks related to setting up jitsi-jicofo
|
||||
#
|
||||
|
||||
- name: Ensure Matrix jitsi-jicofo path exists
|
||||
file:
|
||||
path: "{{ item.path }}"
|
||||
state: directory
|
||||
mode: 0777
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- { path: "{{ matrix_jitsi_jicofo_base_path }}", when: true }
|
||||
- { path: "{{ matrix_jitsi_jicofo_config_path }}", when: true }
|
||||
when: matrix_jitsi_enabled|bool and item.when
|
||||
|
||||
- name: Ensure jitsi-jicofo Docker image is pulled
|
||||
docker_image:
|
||||
name: "{{ matrix_jitsi_jicofo_docker_image }}"
|
||||
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
|
||||
force_source: "{{ matrix_jitsi_jicofo_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
|
||||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_jicofo_docker_image_force_pull }}"
|
||||
when: matrix_jitsi_enabled|bool
|
||||
|
||||
- name: Ensure jitsi-jicofo environment variables file created
|
||||
template:
|
||||
src: "{{ role_path }}/templates/jicofo/env.j2"
|
||||
dest: "{{ matrix_jitsi_jicofo_base_path }}/env"
|
||||
mode: 0640
|
||||
when: matrix_jitsi_enabled|bool
|
||||
|
||||
- name: Ensure jitsi-jicofo configuration files created
|
||||
template:
|
||||
src: "{{ role_path }}/templates/jicofo/{{ item }}.j2"
|
||||
dest: "{{ matrix_jitsi_jicofo_config_path }}/{{ item }}"
|
||||
mode: 0644
|
||||
with_items:
|
||||
- sip-communicator.properties
|
||||
- logging.properties
|
||||
when: matrix_jitsi_enabled|bool
|
||||
|
||||
- name: Ensure matrix-jitsi-jicofo.service installed
|
||||
template:
|
||||
src: "{{ role_path }}/templates/jicofo/matrix-jitsi-jicofo.service.j2"
|
||||
dest: "{{ matrix_systemd_path }}/matrix-jitsi-jicofo.service"
|
||||
mode: 0644
|
||||
register: matrix_jitsi_jicofo_systemd_service_result
|
||||
when: matrix_jitsi_enabled|bool
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-jitsi-jicofo.service installation
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "matrix_jitsi_enabled and matrix_jitsi_jicofo_systemd_service_result.changed"
|
||||
|
||||
#
|
||||
# Tasks related to getting rid of jitsi-jicofo (if it was previously enabled)
|
||||
#
|
||||
|
||||
- name: Check existence of matrix-jitsi-jicofo service
|
||||
stat:
|
||||
path: "{{ matrix_systemd_path }}/matrix-jitsi-jicofo.service"
|
||||
register: matrix_jitsi_jicofo_service_stat
|
||||
when: "not matrix_jitsi_enabled|bool"
|
||||
|
||||
- name: Ensure matrix-jitsi-jicofo is stopped
|
||||
service:
|
||||
name: matrix-jitsi-jicofo
|
||||
state: stopped
|
||||
daemon_reload: yes
|
||||
register: stopping_result
|
||||
when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jicofo_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure matrix-jitsi-jicofo.service doesn't exist
|
||||
file:
|
||||
path: "{{ matrix_systemd_path }}/matrix-jitsi-jicofo.service"
|
||||
state: absent
|
||||
when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jicofo_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-jitsi-jicofo.service removal
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jicofo_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure Matrix jitsi-jicofo paths doesn't exist
|
||||
file:
|
||||
path: "{{ matrix_jitsi_jicofo_base_path }}"
|
||||
state: absent
|
||||
when: "not matrix_jitsi_enabled|bool"
|
||||
|
||||
# Intentionally not removing the Docker image when uninstalling.
|
||||
# We can't be sure it had been pulled by us in the first place.
|
93
roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml
Normal file
93
roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml
Normal file
|
@ -0,0 +1,93 @@
|
|||
---
|
||||
|
||||
#
|
||||
# Tasks related to setting up jitsi-jvb
|
||||
#
|
||||
|
||||
- name: Ensure Matrix jitsi-jvb path exists
|
||||
file:
|
||||
path: "{{ item.path }}"
|
||||
state: directory
|
||||
mode: 0777
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- { path: "{{ matrix_jitsi_jvb_base_path }}", when: true }
|
||||
- { path: "{{ matrix_jitsi_jvb_config_path }}", when: true }
|
||||
when: matrix_jitsi_enabled|bool and item.when
|
||||
|
||||
- name: Ensure jitsi-jvb Docker image is pulled
|
||||
docker_image:
|
||||
name: "{{ matrix_jitsi_jvb_docker_image }}"
|
||||
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
|
||||
force_source: "{{ matrix_jitsi_jvb_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
|
||||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_jvb_docker_image_force_pull }}"
|
||||
when: matrix_jitsi_enabled|bool
|
||||
|
||||
- name: Ensure jitsi-jvb configuration files created
|
||||
template:
|
||||
src: "{{ role_path }}/templates/jvb/{{ item }}.j2"
|
||||
dest: "{{ matrix_jitsi_jvb_config_path }}/{{ item }}"
|
||||
mode: 0644
|
||||
with_items:
|
||||
- custom-sip-communicator.properties
|
||||
- logging.properties
|
||||
when: matrix_jitsi_enabled|bool
|
||||
|
||||
- name: Ensure jitsi-jvb environment variables file created
|
||||
template:
|
||||
src: "{{ role_path }}/templates/jvb/env.j2"
|
||||
dest: "{{ matrix_jitsi_jvb_base_path }}/env"
|
||||
mode: 0640
|
||||
when: matrix_jitsi_enabled|bool
|
||||
|
||||
- name: Ensure matrix-jitsi-jvb.service installed
|
||||
template:
|
||||
src: "{{ role_path }}/templates/jvb/matrix-jitsi-jvb.service.j2"
|
||||
dest: "{{ matrix_systemd_path }}/matrix-jitsi-jvb.service"
|
||||
mode: 0644
|
||||
register: matrix_jitsi_jvb_systemd_service_result
|
||||
when: matrix_jitsi_enabled|bool
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-jitsi-jvb.service installation
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "matrix_jitsi_enabled and matrix_jitsi_jvb_systemd_service_result.changed"
|
||||
|
||||
#
|
||||
# Tasks related to getting rid of jitsi-jvb (if it was previously enabled)
|
||||
#
|
||||
|
||||
- name: Check existence of matrix-jitsi-jvb service
|
||||
stat:
|
||||
path: "{{ matrix_systemd_path }}/matrix-jitsi-jvb.service"
|
||||
register: matrix_jitsi_jvb_service_stat
|
||||
when: "not matrix_jitsi_enabled|bool"
|
||||
|
||||
- name: Ensure matrix-jitsi-jvb is stopped
|
||||
service:
|
||||
name: matrix-jitsi-jvb
|
||||
state: stopped
|
||||
daemon_reload: yes
|
||||
register: stopping_result
|
||||
when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jvb_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure matrix-jitsi-jvb.service doesn't exist
|
||||
file:
|
||||
path: "{{ matrix_systemd_path }}/matrix-jitsi-jvb.service"
|
||||
state: absent
|
||||
when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jvb_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-jitsi-jvb.service removal
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jvb_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure Matrix jitsi-jvb paths doesn't exist
|
||||
file:
|
||||
path: "{{ matrix_jitsi_jvb_base_path }}"
|
||||
state: absent
|
||||
when: "not matrix_jitsi_enabled|bool"
|
||||
|
||||
# Intentionally not removing the Docker image when uninstalling.
|
||||
# We can't be sure it had been pulled by us in the first place.
|
84
roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml
Normal file
84
roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml
Normal file
|
@ -0,0 +1,84 @@
|
|||
---
|
||||
|
||||
#
|
||||
# Tasks related to setting up jitsi-prosody
|
||||
#
|
||||
|
||||
- name: Ensure Matrix jitsi-prosody path exists
|
||||
file:
|
||||
path: "{{ item.path }}"
|
||||
state: directory
|
||||
mode: 0777
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- { path: "{{ matrix_jitsi_prosody_base_path }}", when: true }
|
||||
- { path: "{{ matrix_jitsi_prosody_config_path }}", when: true }
|
||||
- { path: "{{ matrix_jitsi_prosody_plugins_path }}", when: true }
|
||||
when: matrix_jitsi_enabled|bool and item.when
|
||||
|
||||
- name: Ensure jitsi-prosody Docker image is pulled
|
||||
docker_image:
|
||||
name: "{{ matrix_jitsi_prosody_docker_image }}"
|
||||
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
|
||||
force_source: "{{ matrix_jitsi_prosody_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
|
||||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_prosody_docker_image_force_pull }}"
|
||||
when: matrix_jitsi_enabled|bool
|
||||
|
||||
- name: Ensure jitsi-prosody environment variables file created
|
||||
template:
|
||||
src: "{{ role_path }}/templates/prosody/env.j2"
|
||||
dest: "{{ matrix_jitsi_prosody_base_path }}/env"
|
||||
mode: 0640
|
||||
when: matrix_jitsi_enabled|bool
|
||||
|
||||
- name: Ensure matrix-jitsi-prosody.service installed
|
||||
template:
|
||||
src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2"
|
||||
dest: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service"
|
||||
mode: 0644
|
||||
register: matrix_jitsi_prosody_systemd_service_result
|
||||
when: matrix_jitsi_enabled|bool
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-jitsi-prosody.service installation
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "matrix_jitsi_enabled and matrix_jitsi_prosody_systemd_service_result.changed"
|
||||
|
||||
#
|
||||
# Tasks related to getting rid of jitsi-prosody (if it was previously enabled)
|
||||
#
|
||||
|
||||
- name: Check existence of matrix-jitsi-prosody service
|
||||
stat:
|
||||
path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service"
|
||||
register: matrix_jitsi_prosody_service_stat
|
||||
when: "not matrix_jitsi_enabled|bool"
|
||||
|
||||
- name: Ensure matrix-jitsi-prosody is stopped
|
||||
service:
|
||||
name: matrix-jitsi-prosody
|
||||
state: stopped
|
||||
daemon_reload: yes
|
||||
register: stopping_result
|
||||
when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure matrix-jitsi-prosody.service doesn't exist
|
||||
file:
|
||||
path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service"
|
||||
state: absent
|
||||
when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-jitsi-prosody.service removal
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure Matrix jitsi-prosody paths doesn't exist
|
||||
file:
|
||||
path: "{{ matrix_jitsi_prosody_base_path }}"
|
||||
state: absent
|
||||
when: "not matrix_jitsi_enabled|bool"
|
||||
|
||||
# Intentionally not removing the Docker image when uninstalling.
|
||||
# We can't be sure it had been pulled by us in the first place.
|
95
roles/matrix-jitsi/tasks/setup_jitsi_web.yml
Normal file
95
roles/matrix-jitsi/tasks/setup_jitsi_web.yml
Normal file
|
@ -0,0 +1,95 @@
|
|||
---
|
||||
|
||||
#
|
||||
# Tasks related to setting up jitsi-web
|
||||
#
|
||||
|
||||
- name: Ensure Matrix jitsi-web path exists
|
||||
file:
|
||||
path: "{{ item.path }}"
|
||||
state: directory
|
||||
mode: 0777
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- { path: "{{ matrix_jitsi_web_base_path }}", when: true }
|
||||
- { path: "{{ matrix_jitsi_web_config_path }}", when: true }
|
||||
- { path: "{{ matrix_jitsi_web_transcripts_path }}", when: true }
|
||||
when: matrix_jitsi_enabled|bool and item.when
|
||||
|
||||
- name: Ensure jitsi-web Docker image is pulled
|
||||
docker_image:
|
||||
name: "{{ matrix_jitsi_web_docker_image }}"
|
||||
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
|
||||
force_source: "{{ matrix_jitsi_web_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
|
||||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_web_docker_image_force_pull }}"
|
||||
when: matrix_jitsi_enabled|bool
|
||||
|
||||
- name: Ensure jitsi-web environment variables file created
|
||||
template:
|
||||
src: "{{ role_path }}/templates/web/env.j2"
|
||||
dest: "{{ matrix_jitsi_web_base_path }}/env"
|
||||
mode: 0640
|
||||
when: matrix_jitsi_enabled|bool
|
||||
|
||||
- name: Ensure jitsi-web configuration files created
|
||||
template:
|
||||
src: "{{ role_path }}/templates/web/{{ item }}.j2"
|
||||
dest: "{{ matrix_jitsi_web_config_path }}/{{ item }}"
|
||||
mode: 0644
|
||||
with_items:
|
||||
- custom-config.js
|
||||
- interface_config.js
|
||||
when: matrix_jitsi_enabled|bool
|
||||
|
||||
- name: Ensure matrix-jitsi-web.service installed
|
||||
template:
|
||||
src: "{{ role_path }}/templates/web/matrix-jitsi-web.service.j2"
|
||||
dest: "{{ matrix_systemd_path }}/matrix-jitsi-web.service"
|
||||
mode: 0644
|
||||
register: matrix_jitsi_web_systemd_service_result
|
||||
when: matrix_jitsi_enabled|bool
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-jitsi-web.service installation
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "matrix_jitsi_enabled and matrix_jitsi_web_systemd_service_result.changed"
|
||||
|
||||
#
|
||||
# Tasks related to getting rid of jitsi-web (if it was previously enabled)
|
||||
#
|
||||
|
||||
- name: Check existence of matrix-jitsi-web service
|
||||
stat:
|
||||
path: "{{ matrix_systemd_path }}/matrix-jitsi-web.service"
|
||||
register: matrix_jitsi_web_service_stat
|
||||
when: "not matrix_jitsi_enabled|bool"
|
||||
|
||||
- name: Ensure matrix-jitsi-web is stopped
|
||||
service:
|
||||
name: matrix-jitsi-web
|
||||
state: stopped
|
||||
daemon_reload: yes
|
||||
register: stopping_result
|
||||
when: "not matrix_jitsi_enabled|bool and matrix_jitsi_web_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure matrix-jitsi-web.service doesn't exist
|
||||
file:
|
||||
path: "{{ matrix_systemd_path }}/matrix-jitsi-web.service"
|
||||
state: absent
|
||||
when: "not matrix_jitsi_enabled|bool and matrix_jitsi_web_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-jitsi-web.service removal
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "not matrix_jitsi_enabled|bool and matrix_jitsi_web_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure Matrix jitsi-web paths doesn't exist
|
||||
file:
|
||||
path: "{{ matrix_jitsi_web_base_path }}"
|
||||
state: absent
|
||||
when: "not matrix_jitsi_enabled|bool"
|
||||
|
||||
# Intentionally not removing the Docker image when uninstalling.
|
||||
# We can't be sure it had been pulled by us in the first place.
|
||||
|
43
roles/matrix-jitsi/tasks/validate_config.yml
Normal file
43
roles/matrix-jitsi/tasks/validate_config.yml
Normal file
|
@ -0,0 +1,43 @@
|
|||
---
|
||||
|
||||
- name: Fail if required Jitsi settings not defined
|
||||
fail:
|
||||
msg: >-
|
||||
You need to define a required configuration setting (`{{ item }}`) for using Jitsi.
|
||||
|
||||
If you're setting up Jitsi for the first time, you may have missed a step.
|
||||
Refer to our setup instructions (docs/configuring-playbook-jitsi.md).
|
||||
|
||||
If you had setup Jitsi successfully before and it's just now that you're observing this failure,
|
||||
it means that your installation may be using some default passwords that the playbook used to define until now.
|
||||
This is not secure and we urge you to rebuild your Jitsi setup.
|
||||
Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md).
|
||||
when: "vars[item] == ''"
|
||||
with_items:
|
||||
- "matrix_jitsi_jibri_xmpp_password"
|
||||
- "matrix_jitsi_jibri_recorder_password"
|
||||
- "matrix_jitsi_jicofo_component_secret"
|
||||
- "matrix_jitsi_jicofo_auth_password"
|
||||
- "matrix_jitsi_jvb_auth_password"
|
||||
|
||||
- name: (Deprecation) Catch and report renamed settings
|
||||
fail:
|
||||
msg: >-
|
||||
Your configuration contains a variable, which now has a different name.
|
||||
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
|
||||
when: "item.old in vars"
|
||||
with_items:
|
||||
- {'old': 'matrix_jitsi_web_config_constraints_enabled', 'new': '<Now unnecessary. Constraints are always applied automatically>'}
|
||||
- {'old': 'matrix_jitsi_web_config_constraints_video_aspectRatio', 'new': '<Not applicable anymore>'}
|
||||
- {'old': 'matrix_jitsi_web_config_constraints_video_height_ideal', 'new': 'matrix_jitsi_web_config_resolution_height_ideal_and_max'}
|
||||
- {'old': 'matrix_jitsi_web_config_constraints_video_height_max', 'new': 'matrix_jitsi_web_config_resolution_height_ideal_and_max'}
|
||||
- {'old': 'matrix_jitsi_web_config_constraints_video_height_min', 'new': 'matrix_jitsi_web_config_resolution_height_min'}
|
||||
- {'old': 'matrix_jitsi_web_config_disableAudioLevels', 'new': '<Can be set by using matrix_jitsi_web_custom_config_extension. Example in docs/configuring-playbook-jitsi.md>'}
|
||||
- {'old': 'matrix_jitsi_web_config_enableLayerSuspension', 'new': '<Can be set by using matrix_jitsi_web_custom_config_extension. Example in docs/configuring-playbook-jitsi.md>'}
|
||||
- {'old': 'matrix_jitsi_web_config_channelLastN', 'new': '<Can be set by using matrix_jitsi_web_custom_config_extension. Example in docs/configuring-playbook-jitsi.md>'}
|
||||
- {'old': 'matrix_jitsi_web_config_testing_p2pTestMode', 'new': '<Can be set by using matrix_jitsi_web_custom_config_extension>'}
|
||||
- {'old': 'matrix_jitsi_web_config_start_with_audio_muted', 'new': '<Superseded by matrix_jitsi_web_config_start_audio_muted_after_nth_participant>'}
|
||||
- {'old': 'matrix_jitsi_web_config_start_with_video_muted', 'new': '<Superseded by matrix_jitsi_web_config_start_video_muted_after_nth_participant>'}
|
||||
- {'old': 'matrix_jitsi_web_interface_config_show_watermark_for_guests', 'new': '<Not applicable anymore>'}
|
||||
- {'old': 'matrix_jitsi_web_interface_config_invitation_powered_by', 'new': '<Not applicable anymore>'}
|
||||
- {'old': 'matrix_jisti_web_interface_config_show_deep_linking_image', 'new': 'matrix_jitsi_web_interface_config_show_deep_linking_image'}
|
17
roles/matrix-jitsi/templates/jicofo/env.j2
Normal file
17
roles/matrix-jitsi/templates/jicofo/env.j2
Normal file
|
@ -0,0 +1,17 @@
|
|||
ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }}
|
||||
|
||||
XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }}
|
||||
XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }}
|
||||
XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }}
|
||||
XMPP_SERVER={{ matrix_jitsi_xmpp_server }}
|
||||
|
||||
JICOFO_COMPONENT_SECRET={{ matrix_jitsi_jicofo_component_secret }}
|
||||
JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }}
|
||||
JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }}
|
||||
|
||||
JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }}
|
||||
|
||||
JIBRI_BREWERY_MUC={{ matrix_jitsi_jibri_brewery_muc }}
|
||||
JIBRI_PENDING_TIMEOUT={{ matrix_jitsi_jibri_pending_timeout }}
|
||||
|
||||
TZ={{ matrix_jitsi_timezone }}
|
20
roles/matrix-jitsi/templates/jicofo/logging.properties.j2
Normal file
20
roles/matrix-jitsi/templates/jicofo/logging.properties.j2
Normal file
|
@ -0,0 +1,20 @@
|
|||
handlers= java.util.logging.ConsoleHandler
|
||||
|
||||
java.util.logging.ConsoleHandler.level = ALL
|
||||
java.util.logging.ConsoleHandler.formatter = net.java.sip.communicator.util.ScLogFormatter
|
||||
|
||||
net.java.sip.communicator.util.ScLogFormatter.programname=Jicofo
|
||||
|
||||
.level=INFO
|
||||
net.sf.level=SEVERE
|
||||
net.java.sip.communicator.plugin.reconnectplugin.level=FINE
|
||||
org.ice4j.level=SEVERE
|
||||
org.jitsi.impl.neomedia.level=SEVERE
|
||||
|
||||
# Do not worry about missing strings
|
||||
net.java.sip.communicator.service.resources.AbstractResourcesService.level=SEVERE
|
||||
|
||||
#net.java.sip.communicator.service.protocol.level=ALL
|
||||
|
||||
# Enable debug packets logging
|
||||
#org.jitsi.impl.protocol.xmpp.level=FINE
|
|
@ -0,0 +1,33 @@
|
|||
#jinja2: lstrip_blocks: "True"
|
||||
[Unit]
|
||||
Description=Matrix jitsi-jicofo server
|
||||
{% for service in matrix_jitsi_jicofo_systemd_required_services_list %}
|
||||
Requires={{ service }}
|
||||
After={{ service }}
|
||||
{% endfor %}
|
||||
DefaultDependencies=no
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
Environment="HOME={{ matrix_systemd_unit_home_path }}"
|
||||
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo 2>/dev/null'
|
||||
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo 2>/dev/null'
|
||||
|
||||
ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jicofo \
|
||||
--log-driver=none \
|
||||
--network={{ matrix_docker_network }} \
|
||||
--env-file={{ matrix_jitsi_jicofo_base_path }}/env \
|
||||
--mount type=bind,src={{ matrix_jitsi_jicofo_config_path }},dst=/config \
|
||||
{% for arg in matrix_jitsi_jicofo_container_extra_arguments %}
|
||||
{{ arg }} \
|
||||
{% endfor %}
|
||||
{{ matrix_jitsi_jicofo_docker_image }}
|
||||
|
||||
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo 2>/dev/null'
|
||||
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo 2>/dev/null'
|
||||
Restart=always
|
||||
RestartSec=30
|
||||
SyslogIdentifier=matrix-jitsi-jicofo
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -0,0 +1,9 @@
|
|||
org.jitsi.jicofo.ALWAYS_TRUST_MODE_ENABLED=true
|
||||
org.jitsi.jicofo.BRIDGE_MUC={{ matrix_jitsi_jvb_brewery_muc }}@{{ matrix_jitsi_xmpp_internal_muc_domain }}
|
||||
|
||||
org.jitsi.jicofo.jibri.BREWERY={{ matrix_jitsi_jibri_brewery_muc }}@{{ matrix_jitsi_xmpp_internal_muc_domain }}
|
||||
org.jitsi.jicofo.jibri.PENDING_TIMEOUT=90
|
||||
|
||||
{% if matrix_jitsi_enable_auth %}
|
||||
org.jitsi.jicofo.auth.URL=XMPP:{{ matrix_jitsi_xmpp_domain }}
|
||||
{% endif %}
|
|
@ -0,0 +1,7 @@
|
|||
org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=true
|
||||
|
||||
org.jitsi.videobridge.ENABLE_STATISTICS=true
|
||||
org.jitsi.videobridge.STATISTICS_TRANSPORT=muc
|
||||
org.jitsi.videobridge.STATISTICS_INTERVAL=5000
|
||||
|
||||
{{ matrix_jitsi_jvb_custom_config_extension }}
|
20
roles/matrix-jitsi/templates/jvb/env.j2
Normal file
20
roles/matrix-jitsi/templates/jvb/env.j2
Normal file
|
@ -0,0 +1,20 @@
|
|||
JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }}
|
||||
JVB_TCP_PORT={{ matrix_jitsi_jvb_rtp_tcp_port }}
|
||||
JVB_PORT={{ matrix_jitsi_jvb_rtp_udp_port }}
|
||||
JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }}
|
||||
JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }}
|
||||
JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }}
|
||||
|
||||
XMPP_SERVER={{ matrix_jitsi_xmpp_server }}
|
||||
XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }}
|
||||
XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }}
|
||||
|
||||
HOSTNAME=matrix-jitsi-jvb
|
||||
|
||||
{% if matrix_jitsi_jvb_stun_servers|length > 0 %}
|
||||
JVB_STUN_SERVERS={{ matrix_jitsi_jvb_stun_servers|join(',') }}
|
||||
{% endif %}
|
||||
|
||||
PUBLIC_URL={{ matrix_jitsi_web_public_url }}
|
||||
|
||||
{{ matrix_jitsi_jvb_environment_variables_extension }}
|
13
roles/matrix-jitsi/templates/jvb/logging.properties.j2
Normal file
13
roles/matrix-jitsi/templates/jvb/logging.properties.j2
Normal file
|
@ -0,0 +1,13 @@
|
|||
handlers= java.util.logging.ConsoleHandler
|
||||
|
||||
java.util.logging.ConsoleHandler.level = ALL
|
||||
java.util.logging.ConsoleHandler.formatter = net.java.sip.communicator.util.ScLogFormatter
|
||||
|
||||
net.java.sip.communicator.util.ScLogFormatter.programname=JVB
|
||||
|
||||
.level=INFO
|
||||
|
||||
org.jitsi.videobridge.xmpp.ComponentImpl.level=FINE
|
||||
|
||||
# All of the INFO level logs from MediaStreamImpl are unnecessary in the context of jitsi-videobridge.
|
||||
org.jitsi.impl.neomedia.MediaStreamImpl.level=WARNING
|
42
roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2
Normal file
42
roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2
Normal file
|
@ -0,0 +1,42 @@
|
|||
#jinja2: lstrip_blocks: "True"
|
||||
[Unit]
|
||||
Description=Matrix jitsi-jvb server
|
||||
{% for service in matrix_jitsi_jvb_systemd_required_services_list %}
|
||||
Requires={{ service }}
|
||||
After={{ service }}
|
||||
{% endfor %}
|
||||
DefaultDependencies=no
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
Environment="HOME={{ matrix_systemd_unit_home_path }}"
|
||||
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jvb 2>/dev/null'
|
||||
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jvb 2>/dev/null'
|
||||
|
||||
ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jvb \
|
||||
--log-driver=none \
|
||||
--network={{ matrix_docker_network }} \
|
||||
--env-file={{ matrix_jitsi_jvb_base_path }}/env \
|
||||
{% if matrix_jitsi_jvb_container_rtp_udp_host_bind_port %}
|
||||
-p {{ matrix_jitsi_jvb_container_rtp_udp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_udp_port }}/udp \
|
||||
{% endif %}
|
||||
{% if matrix_jitsi_jvb_container_rtp_tcp_host_bind_port %}
|
||||
-p {{ matrix_jitsi_jvb_container_rtp_tcp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_tcp_port }} \
|
||||
{% endif %}
|
||||
{% if matrix_jitsi_jvb_container_colibri_ws_host_bind_port %}
|
||||
-p {{ matrix_jitsi_jvb_container_colibri_ws_host_bind_port }}:9090 \
|
||||
{% endif %}
|
||||
--mount type=bind,src={{ matrix_jitsi_jvb_config_path }},dst=/config \
|
||||
{% for arg in matrix_jitsi_jvb_container_extra_arguments %}
|
||||
{{ arg }} \
|
||||
{% endfor %}
|
||||
{{ matrix_jitsi_jvb_docker_image }}
|
||||
|
||||
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jvb 2>/dev/null'
|
||||
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jvb 2>/dev/null'
|
||||
Restart=always
|
||||
RestartSec=30
|
||||
SyslogIdentifier=matrix-jitsi-jvb
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
49
roles/matrix-jitsi/templates/prosody/env.j2
Normal file
49
roles/matrix-jitsi/templates/prosody/env.j2
Normal file
|
@ -0,0 +1,49 @@
|
|||
AUTH_TYPE={{ matrix_jitsi_auth_type }}
|
||||
|
||||
ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }}
|
||||
ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }}
|
||||
|
||||
PUBLIC_URL={{ matrix_jitsi_web_public_url }}
|
||||
|
||||
LDAP_URL={{ matrix_jitsi_ldap_url }}
|
||||
LDAP_BASE={{ matrix_jitsi_ldap_base }}
|
||||
LDAP_BINDDN={{ matrix_jitsi_ldap_binddn }}
|
||||
LDAP_BINDPW={{ matrix_jitsi_ldap_bindpw }}
|
||||
LDAP_FILTER={{ matrix_jitsi_ldap_filter }}
|
||||
LDAP_AUTH_METHOD={{ matrix_jitsi_ldap_auth_method }}
|
||||
LDAP_VERSION={{ matrix_jitsi_ldap_version }}
|
||||
LDAP_USE_TLS={{ 1 if matrix_jitsi_ldap_use_tls else 0 }}
|
||||
LDAP_TLS_CIPHERS={{ matrix_jitsi_ldap_tls_ciphers }}
|
||||
LDAP_TLS_CHECK_PEER={{ 1 if matrix_jitsi_ldap_tls_check_peer else 0 }}
|
||||
LDAP_TLS_CACERT_FILE={{ matrix_jitsi_ldap_tls_cacert_file }}
|
||||
LDAP_TLS_CACERT_DIR={{ matrix_jitsi_ldap_tls_cacert_dir }}
|
||||
LDAP_START_TLS={{ 1 if matrix_jitsi_ldap_start_tls else 0 }}
|
||||
|
||||
XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }}
|
||||
XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }}
|
||||
XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }}
|
||||
XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }}
|
||||
XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }}
|
||||
|
||||
XMPP_MODULES={{ matrix_jitsi_xmpp_modules }}
|
||||
XMPP_MUC_MODULES=
|
||||
XMPP_INTERNAL_MUC_MODULES=
|
||||
|
||||
XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }}
|
||||
|
||||
JICOFO_COMPONENT_SECRET={{ matrix_jitsi_jicofo_component_secret }}
|
||||
JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }}
|
||||
JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }}
|
||||
|
||||
JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }}
|
||||
JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }}
|
||||
|
||||
JIBRI_XMPP_USER={{ matrix_jitsi_jibri_xmpp_user }}
|
||||
JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }}
|
||||
|
||||
JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }}
|
||||
JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }}
|
||||
|
||||
ENABLE_LOBBY={{ 1 if matrix_jitsi_enable_lobby else 0 }}
|
||||
|
||||
TZ={{ matrix_jitsi_timezone }}
|
|
@ -0,0 +1,37 @@
|
|||
#jinja2: lstrip_blocks: "True"
|
||||
[Unit]
|
||||
Description=Matrix jitsi-prosody server
|
||||
{% for service in matrix_jitsi_prosody_systemd_required_services_list %}
|
||||
Requires={{ service }}
|
||||
After={{ service }}
|
||||
{% endfor %}
|
||||
DefaultDependencies=no
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
Environment="HOME={{ matrix_systemd_unit_home_path }}"
|
||||
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-prosody 2>/dev/null'
|
||||
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-prosody 2>/dev/null'
|
||||
|
||||
ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-prosody \
|
||||
--log-driver=none \
|
||||
--network={{ matrix_docker_network }} \
|
||||
{% if matrix_jitsi_prosody_container_http_host_bind_port %}
|
||||
-p {{ matrix_jitsi_prosody_container_http_host_bind_port }}:5280 \
|
||||
{% endif %}
|
||||
--env-file={{ matrix_jitsi_prosody_base_path }}/env \
|
||||
--mount type=bind,src={{ matrix_jitsi_prosody_config_path }},dst=/config \
|
||||
--mount type=bind,src={{ matrix_jitsi_prosody_plugins_path }},dst=/prosody-plugins-custom \
|
||||
{% for arg in matrix_jitsi_prosody_container_extra_arguments %}
|
||||
{{ arg }} \
|
||||
{% endfor %}
|
||||
{{ matrix_jitsi_prosody_docker_image }}
|
||||
|
||||
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-prosody 2>/dev/null'
|
||||
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-prosody 2>/dev/null'
|
||||
Restart=always
|
||||
RestartSec=30
|
||||
SyslogIdentifier=matrix-jitsi-prosody
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
18
roles/matrix-jitsi/templates/web/custom-config.js.j2
Normal file
18
roles/matrix-jitsi/templates/web/custom-config.js.j2
Normal file
|
@ -0,0 +1,18 @@
|
|||
config.defaultLanguage = {{ matrix_jitsi_web_config_defaultLanguage|to_json }};
|
||||
|
||||
|
||||
if (!config.hasOwnProperty('p2p')) config.p2p = {% raw %}{}{% endraw %};
|
||||
|
||||
{% if matrix_jitsi_web_stun_servers|length > 0 %}
|
||||
config.p2p.stunServers = [
|
||||
{% for url in matrix_jitsi_web_stun_servers %}
|
||||
{ urls: {{ url|to_json }} }{% if not loop.last %},{% endif %}
|
||||
{% endfor %}
|
||||
];
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_jitsi_etherpad_enabled %}
|
||||
config.etherpad_base = {{ (matrix_jitsi_etherpad_base + '/p/') |to_json }}
|
||||
{% endif %}
|
||||
|
||||
{{ matrix_jitsi_web_custom_config_extension }}
|
42
roles/matrix-jitsi/templates/web/env.j2
Normal file
42
roles/matrix-jitsi/templates/web/env.j2
Normal file
|
@ -0,0 +1,42 @@
|
|||
ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }}
|
||||
ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }}
|
||||
|
||||
ENABLE_TRANSCRIPTIONS={{ 1 if matrix_jitsi_enable_transcriptions else 0 }}
|
||||
|
||||
ENABLE_P2P={{ 1 if matrix_jitsi_enable_p2p else 0 }}
|
||||
|
||||
DISABLE_HTTPS=1
|
||||
|
||||
JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }}
|
||||
|
||||
PUBLIC_URL={{ matrix_jitsi_web_public_url }}
|
||||
|
||||
XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }}
|
||||
XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }}
|
||||
XMPP_BOSH_URL_BASE={{ matrix_jitsi_xmpp_bosh_url_base }}
|
||||
XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }}
|
||||
XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }}
|
||||
XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }}
|
||||
|
||||
TZ={{ matrix_jitsi_timezone }}
|
||||
|
||||
JIBRI_BREWERY_MUC={{ matrix_jitsi_jibri_brewery_muc }}
|
||||
JIBRI_PENDING_TIMEOUT={{ matrix_jitsi_jibri_pending_timeout }}
|
||||
JIBRI_XMPP_USER={{ matrix_jitsi_jibri_xmpp_user }}
|
||||
JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }}
|
||||
JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }}
|
||||
JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }}
|
||||
|
||||
ENABLE_RECORDING={{ 1 if matrix_jitsi_enable_recording else 0 }}
|
||||
|
||||
RESOLUTION={{ matrix_jitsi_web_config_resolution_height_ideal_and_max }}
|
||||
RESOLUTION_MIN={{ matrix_jitsi_web_config_resolution_height_min }}
|
||||
RESOLUTION_WIDTH={{ matrix_jitsi_web_config_resolution_width_ideal_and_max }}
|
||||
RESOLUTION_WIDTH_MIN={{ matrix_jitsi_web_config_resolution_width_min }}
|
||||
|
||||
START_AUDIO_MUTED={{ matrix_jitsi_web_config_start_audio_muted_after_nth_participant }}
|
||||
START_VIDEO_MUTED={{ matrix_jitsi_web_config_start_video_muted_after_nth_participant }}
|
||||
|
||||
ETHERPAD_URL_BASE={{ (matrix_jitsi_etherpad_base + '/') if matrix_jitsi_etherpad_enabled else ''}}
|
||||
|
||||
{{ matrix_jitsi_web_environment_variables_extension }}
|
295
roles/matrix-jitsi/templates/web/interface_config.js.j2
Normal file
295
roles/matrix-jitsi/templates/web/interface_config.js.j2
Normal file
|
@ -0,0 +1,295 @@
|
|||
/* eslint-disable no-unused-vars, no-var, max-len */
|
||||
/* eslint sort-keys: ["error", "asc", {"caseSensitive": false}] */
|
||||
|
||||
var interfaceConfig = {
|
||||
APP_NAME: {{ matrix_jitsi_web_interface_config_app_name|to_json }},
|
||||
AUDIO_LEVEL_PRIMARY_COLOR: 'rgba(255,255,255,0.4)',
|
||||
AUDIO_LEVEL_SECONDARY_COLOR: 'rgba(255,255,255,0.2)',
|
||||
|
||||
/**
|
||||
* A UX mode where the last screen share participant is automatically
|
||||
* pinned. Valid values are the string "remote-only" so remote participants
|
||||
* get pinned but not local, otherwise any truthy value for all participants,
|
||||
* and any falsy value to disable the feature.
|
||||
*
|
||||
* Note: this mode is experimental and subject to breakage.
|
||||
*/
|
||||
AUTO_PIN_LATEST_SCREEN_SHARE: 'remote-only',
|
||||
BRAND_WATERMARK_LINK: {{ matrix_jitsi_web_interface_config_brand_watermark_link|to_json }},
|
||||
|
||||
CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it
|
||||
/**
|
||||
* Whether the connection indicator icon should hide itself based on
|
||||
* connection strength. If true, the connection indicator will remain
|
||||
* displayed while the participant has a weak connection and will hide
|
||||
* itself after the CONNECTION_INDICATOR_HIDE_TIMEOUT when the connection is
|
||||
* strong.
|
||||
*
|
||||
* @type {boolean}
|
||||
*/
|
||||
CONNECTION_INDICATOR_AUTO_HIDE_ENABLED: true,
|
||||
|
||||
/**
|
||||
* How long the connection indicator should remain displayed before hiding.
|
||||
* Used in conjunction with CONNECTION_INDICATOR_AUTOHIDE_ENABLED.
|
||||
*
|
||||
* @type {number}
|
||||
*/
|
||||
CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT: 5000,
|
||||
|
||||
/**
|
||||
* If true, hides the connection indicators completely.
|
||||
*
|
||||
* @type {boolean}
|
||||
*/
|
||||
CONNECTION_INDICATOR_DISABLED: false,
|
||||
|
||||
DEFAULT_BACKGROUND: '#474747',
|
||||
DEFAULT_LOCAL_DISPLAY_NAME: 'me',
|
||||
DEFAULT_LOGO_URL: 'images/watermark.svg',
|
||||
DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
|
||||
DEFAULT_WELCOME_PAGE_LOGO_URL: 'images/watermark.svg',
|
||||
|
||||
DISABLE_DOMINANT_SPEAKER_INDICATOR: false,
|
||||
|
||||
DISABLE_FOCUS_INDICATOR: false,
|
||||
|
||||
/**
|
||||
* If true, notifications regarding joining/leaving are no longer displayed.
|
||||
*/
|
||||
DISABLE_JOIN_LEAVE_NOTIFICATIONS: false,
|
||||
|
||||
/**
|
||||
* If true, presence status: busy, calling, connected etc. is not displayed.
|
||||
*/
|
||||
DISABLE_PRESENCE_STATUS: false,
|
||||
|
||||
/**
|
||||
* Whether the ringing sound in the call/ring overlay is disabled. If
|
||||
* {@code undefined}, defaults to {@code false}.
|
||||
*
|
||||
* @type {boolean}
|
||||
*/
|
||||
DISABLE_RINGING: false,
|
||||
|
||||
/**
|
||||
* Whether the speech to text transcription subtitles panel is disabled.
|
||||
* If {@code undefined}, defaults to {@code false}.
|
||||
*
|
||||
* @type {boolean}
|
||||
*/
|
||||
DISABLE_TRANSCRIPTION_SUBTITLES: {{ matrix_jitsi_web_interface_config_disable_transcription_subtitles|to_json }},
|
||||
|
||||
/**
|
||||
* Whether or not the blurred video background for large video should be
|
||||
* displayed on browsers that can support it.
|
||||
*/
|
||||
DISABLE_VIDEO_BACKGROUND: false,
|
||||
|
||||
DISPLAY_WELCOME_FOOTER: true,
|
||||
DISPLAY_WELCOME_PAGE_ADDITIONAL_CARD: false,
|
||||
DISPLAY_WELCOME_PAGE_CONTENT: {{ matrix_jitsi_web_interface_config_display_welcome_page_content|to_json }},
|
||||
DISPLAY_WELCOME_PAGE_TOOLBAR_ADDITIONAL_CONTENT: false,
|
||||
|
||||
ENABLE_DIAL_OUT: true,
|
||||
|
||||
ENABLE_FEEDBACK_ANIMATION: false, // Enables feedback star animation.
|
||||
|
||||
FILM_STRIP_MAX_HEIGHT: 120,
|
||||
|
||||
GENERATE_ROOMNAMES_ON_WELCOME_PAGE: {{ matrix_jitsi_web_interface_config_generate_room_names_on_welcome_page|to_json }},
|
||||
|
||||
/**
|
||||
* Hide the logo on the deep linking pages.
|
||||
*/
|
||||
HIDE_DEEP_LINKING_LOGO: false,
|
||||
|
||||
/**
|
||||
* Hide the invite prompt in the header when alone in the meeting.
|
||||
*/
|
||||
HIDE_INVITE_MORE_HEADER: false,
|
||||
|
||||
INITIAL_TOOLBAR_TIMEOUT: 20000,
|
||||
JITSI_WATERMARK_LINK: {{ matrix_jitsi_web_interface_config_jitsi_watermark_link|to_json }},
|
||||
|
||||
LANG_DETECTION: {{ matrix_jitsi_web_interface_config_lang_detection|to_json }}, // Allow i18n to detect the system language
|
||||
LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live', // Documentation reference for the live streaming feature.
|
||||
LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9
|
||||
|
||||
/**
|
||||
* Maximum coefficient of the ratio of the large video to the visible area
|
||||
* after the large video is scaled to fit the window.
|
||||
*
|
||||
* @type {number}
|
||||
*/
|
||||
MAXIMUM_ZOOMING_COEFFICIENT: 1.3,
|
||||
|
||||
/**
|
||||
* Whether the mobile app Jitsi Meet is to be promoted to participants
|
||||
* attempting to join a conference in a mobile Web browser. If
|
||||
* {@code undefined}, defaults to {@code true}.
|
||||
*
|
||||
* @type {boolean}
|
||||
*/
|
||||
MOBILE_APP_PROMO: true,
|
||||
|
||||
/**
|
||||
* Specify custom URL for downloading android mobile app.
|
||||
*/
|
||||
MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
|
||||
|
||||
/**
|
||||
* Specify custom URL for downloading f droid app.
|
||||
*/
|
||||
MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
|
||||
|
||||
/**
|
||||
* Specify URL for downloading ios mobile app.
|
||||
*/
|
||||
MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
|
||||
|
||||
NATIVE_APP_NAME: {{ matrix_jitsi_web_interface_config_native_app_name|to_json }},
|
||||
|
||||
// Names of browsers which should show a warning stating the current browser
|
||||
// has a suboptimal experience. Browsers which are not listed as optimal or
|
||||
// unsupported are considered suboptimal. Valid values are:
|
||||
// chrome, chromium, edge, electron, firefox, nwjs, opera, safari
|
||||
OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'nwjs', 'electron', 'safari' ],
|
||||
|
||||
POLICY_LOGO: null,
|
||||
PROVIDER_NAME: {{ matrix_jitsi_web_interface_config_provider_name|to_json }},
|
||||
|
||||
/**
|
||||
* If true, will display recent list
|
||||
*
|
||||
* @type {boolean}
|
||||
*/
|
||||
RECENT_LIST_ENABLED: true,
|
||||
REMOTE_THUMBNAIL_RATIO: 1, // 1:1
|
||||
|
||||
SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar' ],
|
||||
SHOW_BRAND_WATERMARK: {{ matrix_jitsi_web_interface_config_show_brand_watermark|to_json }},
|
||||
|
||||
/**
|
||||
* Decides whether the chrome extension banner should be rendered on the landing page and during the meeting.
|
||||
* If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s)
|
||||
* being already installed is done before rendering.
|
||||
*/
|
||||
SHOW_CHROME_EXTENSION_BANNER: false,
|
||||
|
||||
SHOW_DEEP_LINKING_IMAGE: {{ matrix_jitsi_web_interface_config_show_deep_linking_image|to_json }},
|
||||
SHOW_JITSI_WATERMARK: {{ matrix_jitsi_web_interface_config_show_jitsi_watermark|to_json }},
|
||||
SHOW_POWERED_BY: {{ matrix_jitsi_web_interface_config_show_powered_by|to_json }},
|
||||
SHOW_PROMOTIONAL_CLOSE_PAGE: false,
|
||||
|
||||
/*
|
||||
* If indicated some of the error dialogs may point to the support URL for
|
||||
* help.
|
||||
*/
|
||||
SUPPORT_URL: 'https://community.jitsi.org/',
|
||||
|
||||
TOOLBAR_ALWAYS_VISIBLE: false,
|
||||
|
||||
/**
|
||||
* The name of the toolbar buttons to display in the toolbar, including the
|
||||
* "More actions" menu. If present, the button will display. Exceptions are
|
||||
* "livestreaming" and "recording" which also require being a moderator and
|
||||
* some values in config.js to be enabled. Also, the "profile" button will
|
||||
* not display for users with a JWT.
|
||||
* Notes:
|
||||
* - it's impossible to choose which buttons go in the "More actions" menu
|
||||
* - it's impossible to control the placement of buttons
|
||||
* - 'desktop' controls the "Share your screen" button
|
||||
*/
|
||||
TOOLBAR_BUTTONS: [
|
||||
{% if matrix_jitsi_enable_transcriptions %}
|
||||
'closedcaptions',
|
||||
{% endif %}
|
||||
{% if matrix_jitsi_enable_recording %}
|
||||
'recording',
|
||||
{% endif %}
|
||||
'microphone', 'camera', 'desktop', 'embedmeeting', 'fullscreen',
|
||||
'fodeviceselection', 'hangup', 'profile', 'chat',
|
||||
'livestreaming', 'etherpad', 'sharedvideo', 'settings', 'raisehand',
|
||||
'videoquality', 'filmstrip', 'invite', 'feedback', 'stats', 'shortcuts',
|
||||
'tileview', 'videobackgroundblur', 'download', 'help', 'mute-everyone', 'security'
|
||||
],
|
||||
|
||||
TOOLBAR_TIMEOUT: 4000,
|
||||
|
||||
// Browsers, in addition to those which do not fully support WebRTC, that
|
||||
// are not supported and should show the unsupported browser page.
|
||||
UNSUPPORTED_BROWSERS: [],
|
||||
|
||||
/**
|
||||
* Whether to show thumbnails in filmstrip as a column instead of as a row.
|
||||
*/
|
||||
VERTICAL_FILMSTRIP: true,
|
||||
|
||||
// Determines how the video would fit the screen. 'both' would fit the whole
|
||||
// screen, 'height' would fit the original video height to the height of the
|
||||
// screen, 'width' would fit the original video width to the width of the
|
||||
// screen respecting ratio.
|
||||
VIDEO_LAYOUT_FIT: 'both',
|
||||
|
||||
/**
|
||||
* If true, hides the video quality label indicating the resolution status
|
||||
* of the current large video.
|
||||
*
|
||||
* @type {boolean}
|
||||
*/
|
||||
VIDEO_QUALITY_LABEL_DISABLED: false,
|
||||
|
||||
/**
|
||||
* How many columns the tile view can expand to. The respected range is
|
||||
* between 1 and 5.
|
||||
*/
|
||||
// TILE_VIEW_MAX_COLUMNS: 5,
|
||||
|
||||
/**
|
||||
* Specify Firebase dynamic link properties for the mobile apps.
|
||||
*/
|
||||
// MOBILE_DYNAMIC_LINK: {
|
||||
// APN: 'org.jitsi.meet',
|
||||
// APP_CODE: 'w2atb',
|
||||
// CUSTOM_DOMAIN: undefined,
|
||||
// IBI: 'com.atlassian.JitsiMeet.ios',
|
||||
// ISI: '1165103905'
|
||||
// },
|
||||
|
||||
/**
|
||||
* Specify mobile app scheme for opening the app from the mobile browser.
|
||||
*/
|
||||
// APP_SCHEME: 'org.jitsi.meet',
|
||||
|
||||
/**
|
||||
* Specify the Android app package name.
|
||||
*/
|
||||
// ANDROID_APP_PACKAGE: 'org.jitsi.meet',
|
||||
|
||||
/**
|
||||
* Override the behavior of some notifications to remain displayed until
|
||||
* explicitly dismissed through a user action. The value is how long, in
|
||||
* milliseconds, those notifications should remain displayed.
|
||||
*/
|
||||
// ENFORCE_NOTIFICATION_AUTO_DISMISS_TIMEOUT: 15000,
|
||||
|
||||
// List of undocumented settings
|
||||
/**
|
||||
INDICATOR_FONT_SIZES
|
||||
PHONE_NUMBER_REGEX
|
||||
*/
|
||||
|
||||
// Allow all above example options to include a trailing comma and
|
||||
// prevent fear when commenting out the last value.
|
||||
// eslint-disable-next-line sort-keys
|
||||
makeJsonParserHappy: 'even if last key had a trailing comma'
|
||||
|
||||
// No configuration value should follow this line.
|
||||
};
|
||||
|
||||
|
||||
{{ matrix_jitsi_web_custom_interface_config_extension }}
|
||||
|
||||
|
||||
/* eslint-enable no-unused-vars, no-var, max-len */
|
37
roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2
Normal file
37
roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2
Normal file
|
@ -0,0 +1,37 @@
|
|||
#jinja2: lstrip_blocks: "True"
|
||||
[Unit]
|
||||
Description=Matrix jitsi-web server
|
||||
{% for service in matrix_jitsi_web_systemd_required_services_list %}
|
||||
Requires={{ service }}
|
||||
After={{ service }}
|
||||
{% endfor %}
|
||||
DefaultDependencies=no
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
Environment="HOME={{ matrix_systemd_unit_home_path }}"
|
||||
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-web 2>/dev/null'
|
||||
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-web 2>/dev/null'
|
||||
|
||||
ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-web \
|
||||
--log-driver=none \
|
||||
--network={{ matrix_docker_network }} \
|
||||
--env-file={{ matrix_jitsi_web_base_path }}/env \
|
||||
{% if matrix_jitsi_web_container_http_host_bind_port %}
|
||||
-p {{ matrix_jitsi_web_container_http_host_bind_port }}:80 \
|
||||
{% endif %}
|
||||
--mount type=bind,src={{ matrix_jitsi_web_config_path }},dst=/config \
|
||||
--mount type=bind,src={{ matrix_jitsi_web_transcripts_path }},dst=/usr/share/jitsi-meet/transcripts \
|
||||
{% for arg in matrix_jitsi_web_container_extra_arguments %}
|
||||
{{ arg }} \
|
||||
{% endfor %}
|
||||
{{ matrix_jitsi_web_docker_image }}
|
||||
|
||||
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-web 2>/dev/null'
|
||||
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-web 2>/dev/null'
|
||||
Restart=always
|
||||
RestartSec=30
|
||||
SyslogIdentifier=matrix-jitsi-web
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
163
roles/matrix-ma1sd/defaults/main.yml
Normal file
163
roles/matrix-ma1sd/defaults/main.yml
Normal file
|
@ -0,0 +1,163 @@
|
|||
# ma1sd is a Federated Matrix Identity Server
|
||||
# See: https://github.com/ma1uta/ma1sd
|
||||
|
||||
matrix_ma1sd_enabled: true
|
||||
|
||||
matrix_ma1sd_container_image_self_build: false
|
||||
matrix_ma1sd_container_image_self_build_repo: "https://github.com/ma1uta/ma1sd.git"
|
||||
matrix_ma1sd_container_image_self_build_branch: "{{ matrix_ma1sd_version }}"
|
||||
|
||||
matrix_ma1sd_architecture: "amd64"
|
||||
|
||||
matrix_ma1sd_version: "2.4.0"
|
||||
|
||||
matrix_ma1sd_docker_image: "{{ matrix_ma1sd_docker_image_name_prefix }}ma1uta/ma1sd:{{ matrix_ma1sd_version }}-{{ matrix_ma1sd_architecture }}"
|
||||
matrix_ma1sd_docker_image_name_prefix: "{{ 'localhost/' if matrix_ma1sd_container_image_self_build else matrix_container_global_registry_prefix }}"
|
||||
matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}"
|
||||
|
||||
matrix_ma1sd_base_path: "{{ matrix_base_data_path }}/ma1sd"
|
||||
# We need the docker src directory to be named ma1sd. See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/588
|
||||
matrix_ma1sd_docker_src_files_path: "{{ matrix_ma1sd_base_path }}/docker-src/ma1sd"
|
||||
matrix_ma1sd_config_path: "{{ matrix_ma1sd_base_path }}/config"
|
||||
matrix_ma1sd_data_path: "{{ matrix_ma1sd_base_path }}/data"
|
||||
|
||||
# Controls whether the matrix-ma1sd container exposes its HTTP port (tcp/8090 in the container).
|
||||
#
|
||||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8090"), or empty string to not expose.
|
||||
matrix_ma1sd_container_http_host_bind_port: ''
|
||||
|
||||
# A list of extra arguments to pass to the container
|
||||
matrix_ma1sd_container_extra_arguments: []
|
||||
|
||||
# List of systemd services that matrix-ma1sd.service depends on
|
||||
matrix_ma1sd_systemd_required_services_list: ['docker.service']
|
||||
|
||||
# List of systemd services that matrix-ma1sd.service wants
|
||||
matrix_ma1sd_systemd_wanted_services_list: []
|
||||
|
||||
# Your identity server is private by default.
|
||||
# To ensure maximum discovery, you can make your identity server
|
||||
# also forward lookups to the central matrix.org Identity server
|
||||
# (at the cost of potentially leaking all your contacts information).
|
||||
# Enabling this is discouraged. Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/features/identity.md#lookups
|
||||
matrix_ma1sd_matrixorg_forwarding_enabled: false
|
||||
|
||||
|
||||
# Database-related configuration fields.
|
||||
#
|
||||
# To use SQLite, stick to these defaults.
|
||||
#
|
||||
# To use Postgres:
|
||||
# - change the engine (`matrix_ma1sd_database_engine: 'postgres'`)
|
||||
# - adjust your database credentials via the `matrix_ma1sd_postgres_*` variables
|
||||
matrix_ma1sd_database_engine: 'sqlite'
|
||||
|
||||
matrix_ma1sd_sqlite_database_path_local: "{{ matrix_ma1sd_data_path }}/ma1sd.db"
|
||||
matrix_ma1sd_sqlite_database_path_in_container: "/var/ma1sd/ma1sd.db"
|
||||
|
||||
matrix_ma1sd_database_username: 'matrix_ma1sd'
|
||||
matrix_ma1sd_database_password: 'some-password'
|
||||
matrix_ma1sd_database_hostname: 'matrix-postgres'
|
||||
matrix_ma1sd_database_port: 5432
|
||||
matrix_ma1sd_database_name: 'matrix_ma1sd'
|
||||
|
||||
matrix_ma1sd_database_connection_string: 'postgresql://{{ matrix_ma1sd_database_username }}:{{ matrix_ma1sd_database_password }}@{{ matrix_ma1sd_database_hostname }}:{{ matrix_ma1sd_database_port }}/{{ matrix_ma1sd_database_name }}'
|
||||
|
||||
|
||||
# ma1sd has serveral supported identity stores.
|
||||
# One of them is storing identities directly in Synapse's database.
|
||||
# Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/stores/synapse.md
|
||||
matrix_ma1sd_synapsesql_enabled: false
|
||||
matrix_ma1sd_synapsesql_type: ""
|
||||
matrix_ma1sd_synapsesql_connection: ""
|
||||
|
||||
# Setting up email-sending settings is required for using ma1sd.
|
||||
matrix_ma1sd_threepid_medium_email_identity_from: "matrix@{{ matrix_domain }}"
|
||||
matrix_ma1sd_threepid_medium_email_connectors_smtp_host: ""
|
||||
matrix_ma1sd_threepid_medium_email_connectors_smtp_port: 587
|
||||
matrix_ma1sd_threepid_medium_email_connectors_smtp_tls: 1
|
||||
matrix_ma1sd_threepid_medium_email_connectors_smtp_login: ""
|
||||
matrix_ma1sd_threepid_medium_email_connectors_smtp_password: ""
|
||||
|
||||
# DNS overwrites are useful for telling ma1sd how it can reach the homeserver directly.
|
||||
# Useful when reverse-proxying certain URLs (e.g. `/_matrix/client/r0/user_directory/search`) to ma1sd,
|
||||
# so that ma1sd can rewrite the original URL to one that would reach the homeserver.
|
||||
matrix_ma1sd_dns_overwrite_enabled: false
|
||||
matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}"
|
||||
matrix_ma1sd_dns_overwrite_homeserver_client_value: "http://matrix-synapse:8008"
|
||||
|
||||
# Override the default session templates
|
||||
# To use this, fill in the template variables with the full desired template as a multi-line YAML variable
|
||||
#
|
||||
# More info:
|
||||
# https://github.com/ma1uta/ma1sd/blob/master/docs/threepids/session/session-views.md
|
||||
matrix_ma1sd_view_session_custom_templates_enabled: false
|
||||
# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/templates/session/tokenSubmitSuccess.html
|
||||
matrix_ma1sd_view_session_custom_onTokenSubmit_success_template: ""
|
||||
# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/templates/session/tokenSubmitFailure.html
|
||||
matrix_ma1sd_view_session_custom_onTokenSubmit_failure_template: ""
|
||||
|
||||
# Override the default email templates
|
||||
# To use this, fill in the template variables with the full desired template as a multi-line YAML variable
|
||||
#
|
||||
# More info:
|
||||
# https://github.com/ma1uta/ma1sd/blob/master/docs/threepids/notification/template-generator.md
|
||||
# https://github.com/ma1uta/ma1sd/tree/master/src/main/resources/threepids/email
|
||||
matrix_ma1sd_threepid_medium_email_custom_templates_enabled: false
|
||||
# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/invite-template.eml
|
||||
matrix_ma1sd_threepid_medium_email_custom_invite_template: ""
|
||||
# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/validate-template.eml
|
||||
matrix_ma1sd_threepid_medium_email_custom_session_validation_template: ""
|
||||
# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/unbind-notification.eml
|
||||
matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template: ""
|
||||
# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/mxid-template.eml
|
||||
matrix_ma1sd_threepid_medium_email_custom_matrixid_template: ""
|
||||
|
||||
# Controls whether the self-check feature should validate SSL certificates.
|
||||
matrix_ma1sd_self_check_validate_certificates: true
|
||||
|
||||
# Controls ma1sd logging verbosity for troubleshooting.
|
||||
#
|
||||
# According to: https://github.com/ma1uta/ma1sd/blob/master/docs/troubleshooting.md#increase-verbosity
|
||||
matrix_ma1sd_verbose_logging: false
|
||||
|
||||
# Setting up support for API prefixes
|
||||
matrix_ma1sd_v1_enabled: true
|
||||
matrix_ma1sd_v2_enabled: true
|
||||
|
||||
# Fix for missing 3PIDS bug
|
||||
matrix_ma1sd_hashing_enabled: true
|
||||
|
||||
# Default ma1sd configuration template which covers the generic use case.
|
||||
# You can customize it by controlling the various variables inside it.
|
||||
#
|
||||
# For a more advanced customization, you can extend the default (see `matrix_ma1sd_configuration_extension_yaml`)
|
||||
# or completely replace this variable with your own template.
|
||||
matrix_ma1sd_configuration_yaml: "{{ lookup('template', 'templates/ma1sd.yaml.j2') }}"
|
||||
|
||||
matrix_ma1sd_configuration_extension_yaml: |
|
||||
# Your custom YAML configuration for ma1sd goes here.
|
||||
# This configuration extends the default starting configuration (`matrix_ma1sd_configuration_yaml`).
|
||||
#
|
||||
# You can override individual variables from the default configuration, or introduce new ones.
|
||||
#
|
||||
# If you need something more special, you can take full control by
|
||||
# completely redefining `matrix_ma1sd_configuration_yaml`.
|
||||
#
|
||||
# Example configuration extension follows:
|
||||
#
|
||||
# ldap:
|
||||
# enabled: true
|
||||
# connection:
|
||||
# host: ldapHostnameOrIp
|
||||
# tls: false
|
||||
# port: 389
|
||||
# baseDNs: ['OU=Users,DC=example,DC=org']
|
||||
# bindDn: CN=My Ma1sd User,OU=Users,DC=example,DC=org
|
||||
# bindPassword: TheUserPassword
|
||||
|
||||
matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml|from_yaml if matrix_ma1sd_configuration_extension_yaml|from_yaml is mapping else {} }}"
|
||||
|
||||
# Holds the final ma1sd configuration (a combination of the default and its extension).
|
||||
# You most likely don't need to touch this variable. Instead, see `matrix_ma1sd_configuration_yaml`.
|
||||
matrix_ma1sd_configuration: "{{ matrix_ma1sd_configuration_yaml|from_yaml|combine(matrix_ma1sd_configuration_extension, recursive=True) }}"
|
10
roles/matrix-ma1sd/tasks/init.yml
Normal file
10
roles/matrix-ma1sd/tasks/init.yml
Normal file
|
@ -0,0 +1,10 @@
|
|||
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
|
||||
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
|
||||
- name: Fail if trying to self-build on Ansible < 2.8
|
||||
fail:
|
||||
msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ma1sd_container_image_self_build and matrix_ma1sd_enabled|bool"
|
||||
|
||||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ma1sd.service'] }}"
|
||||
when: matrix_ma1sd_enabled|bool
|
28
roles/matrix-ma1sd/tasks/main.yml
Normal file
28
roles/matrix-ma1sd/tasks/main.yml
Normal file
|
@ -0,0 +1,28 @@
|
|||
- import_tasks: "{{ role_path }}/tasks/init.yml"
|
||||
tags:
|
||||
- always
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
|
||||
when: "run_setup|bool and matrix_ma1sd_enabled|bool"
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-ma1sd
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/setup_install.yml"
|
||||
when: "run_setup|bool and matrix_ma1sd_enabled|bool"
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-ma1sd
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
|
||||
when: "run_setup|bool and not matrix_ma1sd_enabled|bool"
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-ma1sd
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/self_check_ma1sd.yml"
|
||||
delegate_to: 127.0.0.1
|
||||
become: false
|
||||
when: "run_self_check|bool and matrix_ma1sd_enabled|bool"
|
||||
tags:
|
||||
- self-check
|
72
roles/matrix-ma1sd/tasks/migrate_mxisd.yml
Normal file
72
roles/matrix-ma1sd/tasks/migrate_mxisd.yml
Normal file
|
@ -0,0 +1,72 @@
|
|||
---
|
||||
|
||||
# This task is for migrating existing mxisd data when transitioning to the ma1sd fork.
|
||||
|
||||
- name: Check for existent mxisd data
|
||||
stat:
|
||||
path: "{{ matrix_base_data_path }}/mxisd/data"
|
||||
register: ma1sd_migrate_mxisd_data_dir_stat
|
||||
|
||||
- name: Warn if mxisd data detected
|
||||
debug:
|
||||
msg: >
|
||||
You seem to have an existing mxisd folder in `{{ matrix_base_data_path }}/mxisd`.
|
||||
We are going to migrate it to ma1sd and rename the folder to mxisd.migrated.
|
||||
when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists"
|
||||
|
||||
- name: Check existence of old matrix-mxisd service
|
||||
stat:
|
||||
path: "{{ matrix_systemd_path }}/matrix-mxisd.service"
|
||||
register: matrix_mxisd_service_stat
|
||||
|
||||
- name: Ensure matrix-mxisd is stopped
|
||||
service:
|
||||
name: matrix-mxisd
|
||||
state: stopped
|
||||
daemon_reload: yes
|
||||
when: "matrix_mxisd_service_stat.stat.exists"
|
||||
|
||||
- name: Check existence of matrix-ma1sd service
|
||||
stat:
|
||||
path: "{{ matrix_systemd_path }}/matrix-ma1sd.service"
|
||||
register: matrix_ma1sd_service_stat
|
||||
when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists"
|
||||
|
||||
- name: Ensure matrix-ma1sd is stopped
|
||||
service:
|
||||
name: matrix-ma1sd
|
||||
state: stopped
|
||||
daemon_reload: yes
|
||||
when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists and matrix_ma1sd_service_stat.stat.exists"
|
||||
|
||||
# We use shell commands for the migration, because the Ansible copy module cannot
|
||||
# recursively copy remote directories (like `/matrix/mxisd/data/sign.key`) in older versions of Ansible.
|
||||
- block:
|
||||
- name: Copy mxisd data files to ma1sd folder
|
||||
command: "cp -ar {{ matrix_base_data_path }}/mxisd/data {{ matrix_ma1sd_base_path }}"
|
||||
|
||||
- name: Check existence of mxisd.db file
|
||||
stat:
|
||||
path: "{{ matrix_ma1sd_data_path }}/mxisd.db"
|
||||
register: matrix_ma1sd_mxisd_db_stat
|
||||
|
||||
- name: Rename database (mxisd.db -> ma1sd.db)
|
||||
command: "mv {{ matrix_ma1sd_data_path }}/mxisd.db {{ matrix_ma1sd_data_path }}/ma1sd.db"
|
||||
when: "matrix_ma1sd_mxisd_db_stat.stat.exists"
|
||||
|
||||
- name: Rename mxisd folder
|
||||
command: "mv {{ matrix_base_data_path }}/mxisd {{ matrix_base_data_path }}/mxisd.migrated"
|
||||
when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists"
|
||||
|
||||
- name: Ensure outdated matrix-mxisd.service doesn't exist
|
||||
file:
|
||||
path: "{{ matrix_systemd_path }}/matrix-mxisd.service"
|
||||
state: absent
|
||||
when: "matrix_mxisd_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure systemd reloaded after removing outdated matrix-mxisd.service
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "matrix_mxisd_service_stat.stat.exists"
|
||||
|
||||
|
22
roles/matrix-ma1sd/tasks/self_check_ma1sd.yml
Normal file
22
roles/matrix-ma1sd/tasks/self_check_ma1sd.yml
Normal file
|
@ -0,0 +1,22 @@
|
|||
---
|
||||
|
||||
- set_fact:
|
||||
ma1sd_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/identity/api/v1"
|
||||
|
||||
- name: Check ma1sd Identity Service
|
||||
uri:
|
||||
url: "{{ ma1sd_url_endpoint_public }}"
|
||||
follow_redirects: none
|
||||
validate_certs: "{{ matrix_ma1sd_self_check_validate_certificates }}"
|
||||
check_mode: no
|
||||
register: result_ma1sd
|
||||
ignore_errors: true
|
||||
|
||||
- name: Fail if ma1sd Identity Service not working
|
||||
fail:
|
||||
msg: "Failed checking ma1sd is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ ma1sd_url_endpoint_public }}`). Is ma1sd running? Is port 443 open in your firewall? Full error: {{ result_ma1sd }}"
|
||||
when: "result_ma1sd.failed or 'json' not in result_ma1sd"
|
||||
|
||||
- name: Report working ma1sd Identity Service
|
||||
debug:
|
||||
msg: "ma1sd at `{{ matrix_server_fqn_matrix }}` is working (checked endpoint: `{{ ma1sd_url_endpoint_public }}`)"
|
167
roles/matrix-ma1sd/tasks/setup_install.yml
Normal file
167
roles/matrix-ma1sd/tasks/setup_install.yml
Normal file
|
@ -0,0 +1,167 @@
|
|||
---
|
||||
|
||||
- name: Ensure ma1sd paths exist
|
||||
file:
|
||||
path: "{{ item.path }}"
|
||||
state: directory
|
||||
mode: 0750
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- { path: "{{ matrix_ma1sd_config_path }}", when: true }
|
||||
- { path: "{{ matrix_ma1sd_data_path }}", when: true }
|
||||
- { path: "{{ matrix_ma1sd_docker_src_files_path }}", when: "{{ matrix_ma1sd_container_image_self_build }}"}
|
||||
when: "item.when|bool"
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/migrate_mxisd.yml"
|
||||
|
||||
|
||||
# These (SQLite -> Postgres) migration tasks are usually at the top,
|
||||
# but we'd like to run them after `migrate_mxisd.yml`, which requires the ma1sd paths to exist.
|
||||
- set_fact:
|
||||
matrix_ma1sd_requires_restart: false
|
||||
|
||||
- block:
|
||||
- name: Check if an SQLite database already exists
|
||||
stat:
|
||||
path: "{{ matrix_ma1sd_sqlite_database_path_local }}"
|
||||
register: matrix_ma1sd_sqlite_database_path_local_stat_result
|
||||
|
||||
- block:
|
||||
- set_fact:
|
||||
matrix_postgres_db_migration_request:
|
||||
src: "{{ matrix_ma1sd_sqlite_database_path_local }}"
|
||||
dst: "{{ matrix_ma1sd_database_connection_string }}"
|
||||
caller: "{{ role_path|basename }}"
|
||||
engine_variable_name: 'matrix_ma1sd_database_engine'
|
||||
engine_old: 'sqlite'
|
||||
systemd_services_to_stop: ['matrix-ma1sd.service']
|
||||
pgloader_options: ['--with "quote identifiers"']
|
||||
|
||||
- import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml"
|
||||
|
||||
- set_fact:
|
||||
matrix_ma1sd_requires_restart: true
|
||||
when: "matrix_ma1sd_sqlite_database_path_local_stat_result.stat.exists|bool"
|
||||
when: "matrix_ma1sd_database_engine == 'postgres'"
|
||||
|
||||
- name: Ensure ma1sd image is pulled
|
||||
docker_image:
|
||||
name: "{{ matrix_ma1sd_docker_image }}"
|
||||
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
|
||||
force_source: "{{ matrix_ma1sd_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
|
||||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ma1sd_docker_image_force_pull }}"
|
||||
when: "not matrix_ma1sd_container_image_self_build|bool"
|
||||
|
||||
- block:
|
||||
- name: Ensure gradle is installed for self-building (Debian)
|
||||
apt:
|
||||
name:
|
||||
- gradle
|
||||
state: present
|
||||
update_cache: yes
|
||||
when: (ansible_os_family == 'Debian')
|
||||
|
||||
- name: Ensure gradle is installed for self-building (CentOS)
|
||||
fail:
|
||||
msg: "Installing gradle on CentOS is currently not supported, so self-building ma1sd cannot happen at this time"
|
||||
when: ansible_distribution == 'CentOS'
|
||||
|
||||
- name: Ensure gradle is installed for self-building (Archlinux)
|
||||
pacman:
|
||||
name:
|
||||
- gradle
|
||||
state: latest
|
||||
update_cache: yes
|
||||
when: ansible_distribution == 'Archlinux'
|
||||
|
||||
- name: Ensure ma1sd repository is present on self-build
|
||||
git:
|
||||
repo: "{{ matrix_ma1sd_container_image_self_build_repo }}"
|
||||
dest: "{{ matrix_ma1sd_docker_src_files_path }}"
|
||||
version: "{{ matrix_ma1sd_container_image_self_build_branch }}"
|
||||
force: "yes"
|
||||
register: matrix_ma1sd_git_pull_results
|
||||
|
||||
- name: Ensure ma1sd Docker image is built
|
||||
shell: "DOCKER_BUILDKIT=1 ./gradlew dockerBuild"
|
||||
args:
|
||||
chdir: "{{ matrix_ma1sd_docker_src_files_path }}"
|
||||
|
||||
- name: Ensure ma1sd Docker image is tagged correctly
|
||||
docker_image:
|
||||
# The build script always tags the image with 2 tags:
|
||||
# - based on the branch/version: e.g. `ma1uta/ma1sd:2.4.0` (when on `2.4.0`)
|
||||
# or `ma1uta/ma1sd:2.4.0-19-ga71d32b` (when on a given commit for a pre-release)
|
||||
# - generic one: `ma1uta/ma1sd:latest-dev`
|
||||
#
|
||||
# It's hard to predict the first one, so we'll use the latter.
|
||||
name: "ma1uta/ma1sd:latest-dev"
|
||||
repository: "{{ matrix_ma1sd_docker_image }}"
|
||||
force_tag: yes
|
||||
source: local
|
||||
when: "matrix_ma1sd_container_image_self_build|bool"
|
||||
|
||||
- name: Ensure ma1sd config installed
|
||||
copy:
|
||||
content: "{{ matrix_ma1sd_configuration|to_nice_yaml }}"
|
||||
dest: "{{ matrix_ma1sd_config_path }}/ma1sd.yaml"
|
||||
mode: 0644
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
|
||||
- name: Ensure custom view templates are installed, if any
|
||||
copy:
|
||||
content: "{{ item.value }}"
|
||||
dest: "{{ matrix_ma1sd_config_path }}/{{ item.location }}"
|
||||
mode: 0644
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- {value: "{{ matrix_ma1sd_view_session_custom_onTokenSubmit_success_template }}", location: 'tokenSubmitSuccess.html'}
|
||||
- {value: "{{ matrix_ma1sd_view_session_custom_onTokenSubmit_failure_template }}", location: 'tokenSubmitFailure.html'}
|
||||
when: "matrix_ma1sd_view_session_custom_templates_enabled|bool and item.value"
|
||||
|
||||
- name: Ensure custom email templates are installed, if any
|
||||
copy:
|
||||
content: "{{ item.value }}"
|
||||
dest: "{{ matrix_ma1sd_config_path }}/{{ item.location }}"
|
||||
mode: 0644
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- {value: "{{ matrix_ma1sd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'}
|
||||
- {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'}
|
||||
- {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template }}", location: 'unbind-notification.eml'}
|
||||
- {value: "{{ matrix_ma1sd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'}
|
||||
when: "matrix_ma1sd_threepid_medium_email_custom_templates_enabled|bool and item.value"
|
||||
|
||||
# Only cleaning up for people who define the respective templates
|
||||
- name: (Cleanup) Ensure custom email templates are not in data/ anymore (we've put them in config/)
|
||||
file:
|
||||
path: "{{ matrix_ma1sd_data_path }}/{{ item.location }}"
|
||||
state: absent
|
||||
with_items:
|
||||
- {value: "{{ matrix_ma1sd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'}
|
||||
- {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'}
|
||||
- {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template }}", location: 'unbind-notification.eml'}
|
||||
- {value: "{{ matrix_ma1sd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'}
|
||||
when: "matrix_ma1sd_threepid_medium_email_custom_templates_enabled|bool and item.value"
|
||||
|
||||
- name: Ensure matrix-ma1sd.service installed
|
||||
template:
|
||||
src: "{{ role_path }}/templates/systemd/matrix-ma1sd.service.j2"
|
||||
dest: "{{ matrix_systemd_path }}/matrix-ma1sd.service"
|
||||
mode: 0644
|
||||
register: matrix_ma1sd_systemd_service_result
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-ma1sd.service installation
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "matrix_ma1sd_systemd_service_result.changed|bool"
|
||||
|
||||
- name: Ensure matrix-ma1sd.service restarted, if necessary
|
||||
service:
|
||||
name: "matrix-ma1sd.service"
|
||||
state: restarted
|
||||
when: "matrix_ma1sd_requires_restart|bool"
|
35
roles/matrix-ma1sd/tasks/setup_uninstall.yml
Normal file
35
roles/matrix-ma1sd/tasks/setup_uninstall.yml
Normal file
|
@ -0,0 +1,35 @@
|
|||
---
|
||||
|
||||
- name: Check existence of matrix-ma1sd service
|
||||
stat:
|
||||
path: "{{ matrix_systemd_path }}/matrix-ma1sd.service"
|
||||
register: matrix_ma1sd_service_stat
|
||||
|
||||
- name: Ensure matrix-ma1sd is stopped
|
||||
service:
|
||||
name: matrix-ma1sd
|
||||
state: stopped
|
||||
daemon_reload: yes
|
||||
register: stopping_result
|
||||
when: "matrix_ma1sd_service_stat.stat.exists|bool"
|
||||
|
||||
- name: Ensure matrix-ma1sd.service doesn't exist
|
||||
file:
|
||||
path: "{{ matrix_systemd_path }}/matrix-ma1sd.service"
|
||||
state: absent
|
||||
when: "matrix_ma1sd_service_stat.stat.exists|bool"
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-ma1sd.service removal
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "matrix_ma1sd_service_stat.stat.exists|bool"
|
||||
|
||||
- name: Ensure Matrix ma1sd paths don't exist
|
||||
file:
|
||||
path: "{{ matrix_ma1sd_base_path }}"
|
||||
state: absent
|
||||
|
||||
- name: Ensure ma1sd Docker image doesn't exist
|
||||
docker_image:
|
||||
name: "{{ matrix_ma1sd_docker_image }}"
|
||||
state: absent
|
67
roles/matrix-ma1sd/tasks/validate_config.yml
Normal file
67
roles/matrix-ma1sd/tasks/validate_config.yml
Normal file
|
@ -0,0 +1,67 @@
|
|||
---
|
||||
|
||||
- name: (Deprecation) Warn about ma1sd variables that are not used anymore
|
||||
fail:
|
||||
msg: >
|
||||
The `{{ item }}` variable defined in your configuration is not used by this playbook anymore!
|
||||
You'll need to adapt to the new way of extending ma1sd configuration.
|
||||
See the CHANGELOG and the `matrix_ma1sd_configuration_extension_yaml` variable for more information and examples.
|
||||
when: "item in vars"
|
||||
with_items:
|
||||
- 'matrix_ma1sd_ldap_enabled'
|
||||
- 'matrix_ma1sd_ldap_connection_host'
|
||||
- 'matrix_ma1sd_ldap_connection_tls'
|
||||
- 'matrix_ma1sd_ldap_connection_port'
|
||||
- 'matrix_ma1sd_ldap_connection_baseDn'
|
||||
- 'matrix_ma1sd_ldap_connection_baseDns'
|
||||
- 'matrix_ma1sd_ldap_connection_bindDn'
|
||||
- 'matrix_ma1sd_ldap_connection_bindPassword'
|
||||
- 'matrix_ma1sd_ldap_filter'
|
||||
- 'matrix_ma1sd_ldap_attribute_uid_type'
|
||||
- 'matrix_ma1sd_ldap_attribute_uid_value'
|
||||
- 'matrix_ma1sd_ldap_connection_bindPassword'
|
||||
- 'matrix_ma1sd_ldap_attribute_name'
|
||||
- 'matrix_ma1sd_ldap_attribute_threepid_email'
|
||||
- 'matrix_ma1sd_ldap_attribute_threepid_msisdn'
|
||||
- 'matrix_ma1sd_ldap_identity_filter'
|
||||
- 'matrix_ma1sd_ldap_identity_medium'
|
||||
- 'matrix_ma1sd_ldap_auth_filter'
|
||||
- 'matrix_ma1sd_ldap_directory_filter'
|
||||
- 'matrix_ma1sd_template_config'
|
||||
|
||||
- name: Ensure ma1sd configuration does not contain any dot-notation keys
|
||||
fail:
|
||||
msg: >
|
||||
Since version 1.3.0, ma1sd will not accept property-style configuration keys.
|
||||
You have defined a key (`{{ item.key }}`) which contains a dot.
|
||||
Instead, use nesting. See: https://github.com/ma1uta/ma1sd/wiki/Upgrade-Notes#v130
|
||||
when: "'.' in item.key"
|
||||
with_dict: "{{ matrix_ma1sd_configuration }}"
|
||||
|
||||
- name: Fail if required ma1sd settings not defined
|
||||
fail:
|
||||
msg: >
|
||||
You need to define a required configuration setting (`{{ item }}`) for using ma1sd.
|
||||
when: "vars[item] == ''"
|
||||
with_items:
|
||||
- "matrix_ma1sd_threepid_medium_email_connectors_smtp_host"
|
||||
|
||||
- name: (Deprecation) Catch and report renamed ma1sd variables
|
||||
fail:
|
||||
msg: >-
|
||||
Your configuration contains a variable, which now has a different name.
|
||||
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
|
||||
when: "vars | dict2items | selectattr('key', 'match', item.old) | list | items2dict"
|
||||
with_items:
|
||||
- {'old': 'matrix_ma1sd_container_expose_port', 'new': '<superseded by matrix_ma1sd_container_http_host_bind_port>'}
|
||||
- {'old': 'matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template', 'new': 'matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template'}
|
||||
|
||||
- name: (Deprecation) Catch and report mxisd variables
|
||||
fail:
|
||||
msg: >-
|
||||
mxisd is deprecated and has been replaced with ma1sd (https://github.com/ma1uta/ma1sd), a compatible fork.
|
||||
The playbook will migrate your existing mxisd configuration and data automatically, but you need to adjust variable names.
|
||||
Please change your configuration (vars.yml) to rename all mxisd variables (`{{ item.old }}` -> `{{ item.new }}`).
|
||||
when: "vars | dict2items | selectattr('key', 'match', item.old) | list | items2dict"
|
||||
with_items:
|
||||
- {'old': 'matrix_mxisd_.*', 'new': 'matrix_ma1sd_.*'}
|
104
roles/matrix-ma1sd/templates/ma1sd.yaml.j2
Normal file
104
roles/matrix-ma1sd/templates/ma1sd.yaml.j2
Normal file
|
@ -0,0 +1,104 @@
|
|||
#jinja2: lstrip_blocks: True
|
||||
matrix:
|
||||
domain: {{ matrix_domain }}
|
||||
v1: {{ matrix_ma1sd_v1_enabled|to_json }}
|
||||
v2: {{ matrix_ma1sd_v2_enabled|to_json }}
|
||||
|
||||
server:
|
||||
name: {{ matrix_server_fqn_matrix }}
|
||||
|
||||
key:
|
||||
path: /var/ma1sd/sign.key
|
||||
|
||||
storage:
|
||||
{% if matrix_ma1sd_database_engine == 'sqlite' %}
|
||||
backend: sqlite
|
||||
provider:
|
||||
sqlite:
|
||||
database: {{ matrix_ma1sd_sqlite_database_path_in_container|to_json }}
|
||||
{% elif matrix_ma1sd_database_engine == 'postgres' %}
|
||||
backend: postgresql
|
||||
provider:
|
||||
postgresql:
|
||||
database: //{{ matrix_ma1sd_database_hostname }}:{{ matrix_ma1sd_database_port }}/{{ matrix_ma1sd_database_name }}
|
||||
username: {{ matrix_ma1sd_database_username|to_json }}
|
||||
password: {{ matrix_ma1sd_database_password|to_json }}
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_ma1sd_dns_overwrite_enabled %}
|
||||
dns:
|
||||
overwrite:
|
||||
homeserver:
|
||||
client:
|
||||
- name: {{ matrix_ma1sd_dns_overwrite_homeserver_client_name }}
|
||||
value: {{ matrix_ma1sd_dns_overwrite_homeserver_client_value }}
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_ma1sd_matrixorg_forwarding_enabled %}
|
||||
forward:
|
||||
servers: ['matrix-org']
|
||||
{% endif %}
|
||||
|
||||
threepid:
|
||||
medium:
|
||||
email:
|
||||
identity:
|
||||
from: {{ matrix_ma1sd_threepid_medium_email_identity_from }}
|
||||
connectors:
|
||||
smtp:
|
||||
host: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_host }}
|
||||
port: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_port }}
|
||||
tls: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_tls }}
|
||||
login: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_login }}
|
||||
password: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_password }}
|
||||
{% if matrix_ma1sd_threepid_medium_email_custom_templates_enabled %}
|
||||
generators:
|
||||
template:
|
||||
{% if matrix_ma1sd_threepid_medium_email_custom_invite_template %}
|
||||
invite: '/etc/ma1sd/invite-template.eml'
|
||||
{% endif %}
|
||||
{% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template or matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template %}
|
||||
session:
|
||||
{% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template %}
|
||||
validation: '/etc/ma1sd/validate-template.eml'
|
||||
{% endif %}
|
||||
{% if matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template %}
|
||||
unbind:
|
||||
notification: '/etc/ma1sd/unbind-notification.eml'
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if matrix_ma1sd_threepid_medium_email_custom_matrixid_template %}
|
||||
generic:
|
||||
matrixId: '/etc/ma1sd/mxid-template.eml'
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_ma1sd_view_session_custom_templates_enabled %}
|
||||
view:
|
||||
session:
|
||||
onTokenSubmit:
|
||||
{% if matrix_ma1sd_view_session_custom_onTokenSubmit_success_template %}
|
||||
success: '/etc/ma1sd/tokenSubmitSuccess.html'
|
||||
{% endif %}
|
||||
{% if matrix_ma1sd_view_session_custom_onTokenSubmit_failure_template %}
|
||||
failure: '/etc/ma1sd/tokenSubmitFailure.html'
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_ma1sd_hashing_enabled %}
|
||||
hashing:
|
||||
enabled: true # enable or disable the hash lookup MSC2140 (default is false)
|
||||
pepperLength: 20 # length of the pepper value (default is 20)
|
||||
rotationPolicy: per_requests # or `per_seconds` how often the hashes will be updating
|
||||
hashStorageType: sql # or `in_memory` where the hashes will be stored
|
||||
algorithms:
|
||||
- none # the same as v1 bulk lookup
|
||||
- sha256 # hash the 3PID and pepper.
|
||||
delay: 2m # how often hashes will be updated if rotation policy = per_seconds (default is 10s)
|
||||
requests: 10
|
||||
{% endif %}
|
||||
|
||||
synapseSql:
|
||||
enabled: {{ matrix_ma1sd_synapsesql_enabled|to_json }}
|
||||
type: {{ matrix_ma1sd_synapsesql_type|to_json }}
|
||||
connection: {{ matrix_ma1sd_synapsesql_connection|to_json }}
|
48
roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2
Normal file
48
roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2
Normal file
|
@ -0,0 +1,48 @@
|
|||
#jinja2: lstrip_blocks: "True"
|
||||
[Unit]
|
||||
Description=Matrix ma1sd Identity server
|
||||
{% for service in matrix_ma1sd_systemd_required_services_list %}
|
||||
Requires={{ service }}
|
||||
After={{ service }}
|
||||
{% endfor %}
|
||||
{% for service in matrix_ma1sd_systemd_wanted_services_list %}
|
||||
Wants={{ service }}
|
||||
{% endfor %}
|
||||
DefaultDependencies=no
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
Environment="HOME={{ matrix_systemd_unit_home_path }}"
|
||||
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-ma1sd 2>/dev/null'
|
||||
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-ma1sd 2>/dev/null'
|
||||
|
||||
# ma1sd writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there,
|
||||
# so /tmp needs to be mounted with an exec option.
|
||||
ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-ma1sd \
|
||||
--log-driver=none \
|
||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||
--cap-drop=ALL \
|
||||
--read-only \
|
||||
--tmpfs=/tmp:rw,exec,nosuid,size=10m \
|
||||
--network={{ matrix_docker_network }} \
|
||||
{% if matrix_ma1sd_container_http_host_bind_port %}
|
||||
-p {{ matrix_ma1sd_container_http_host_bind_port }}:8090 \
|
||||
{% endif %}
|
||||
{% if matrix_ma1sd_verbose_logging %}
|
||||
-e MA1SD_LOG_LEVEL=debug \
|
||||
{% endif %}
|
||||
--mount type=bind,src={{ matrix_ma1sd_config_path }},dst=/etc/ma1sd,ro \
|
||||
--mount type=bind,src={{ matrix_ma1sd_data_path }},dst=/var/ma1sd \
|
||||
{% for arg in matrix_ma1sd_container_extra_arguments %}
|
||||
{{ arg }} \
|
||||
{% endfor %}
|
||||
{{ matrix_ma1sd_docker_image }}
|
||||
|
||||
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-ma1sd 2>/dev/null'
|
||||
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-ma1sd 2>/dev/null'
|
||||
Restart=always
|
||||
RestartSec=30
|
||||
SyslogIdentifier=matrix-ma1sd
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
5
roles/matrix-ma1sd/vars/main.yml
Normal file
5
roles/matrix-ma1sd/vars/main.yml
Normal file
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
|
||||
# Doing `|from_yaml` when the extension contains nothing yields an empty string ("").
|
||||
# We need to ensure it's a dictionary or `|combine` (when building `matrix_ma1sd_configuration`) will fail later.
|
||||
matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml|from_yaml if matrix_ma1sd_configuration_extension_yaml|from_yaml else {} }}"
|
31
roles/matrix-mailer/defaults/main.yml
Normal file
31
roles/matrix-mailer/defaults/main.yml
Normal file
|
@ -0,0 +1,31 @@
|
|||
matrix_mailer_enabled: true
|
||||
|
||||
matrix_mailer_base_path: "{{ matrix_base_data_path }}/mailer"
|
||||
|
||||
matrix_mailer_container_image_self_build: false
|
||||
matrix_mailer_container_image_self_build_repository_url: "https://github.com/devture/exim-relay"
|
||||
matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src"
|
||||
matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}"
|
||||
|
||||
matrix_mailer_version: 4.94.2-r0-2
|
||||
matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}"
|
||||
matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else matrix_container_global_registry_prefix }}"
|
||||
matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}"
|
||||
|
||||
# The user/group that the container runs with.
|
||||
# These match the `exim` user/group within the container image.
|
||||
matrix_mailer_container_user_uid: 100
|
||||
matrix_mailer_container_user_gid: 101
|
||||
|
||||
# A list of extra arguments to pass to the container
|
||||
matrix_mailer_container_extra_arguments: []
|
||||
|
||||
matrix_mailer_hostname: "{{ matrix_server_fqn_matrix }}"
|
||||
|
||||
matrix_mailer_sender_address: "matrix@{{ matrix_domain }}"
|
||||
matrix_mailer_relay_use: false
|
||||
matrix_mailer_relay_host_name: "mail.example.com"
|
||||
matrix_mailer_relay_host_port: 587
|
||||
matrix_mailer_relay_auth: false
|
||||
matrix_mailer_relay_auth_username: ""
|
||||
matrix_mailer_relay_auth_password: ""
|
10
roles/matrix-mailer/tasks/init.yml
Normal file
10
roles/matrix-mailer/tasks/init.yml
Normal file
|
@ -0,0 +1,10 @@
|
|||
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
|
||||
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
|
||||
- name: Fail if trying to self-build on Ansible < 2.8
|
||||
fail:
|
||||
msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mailer_container_image_self_build and matrix_mailer_enabled"
|
||||
|
||||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mailer.service'] }}"
|
||||
when: matrix_mailer_enabled|bool
|
9
roles/matrix-mailer/tasks/main.yml
Normal file
9
roles/matrix-mailer/tasks/main.yml
Normal file
|
@ -0,0 +1,9 @@
|
|||
- import_tasks: "{{ role_path }}/tasks/init.yml"
|
||||
tags:
|
||||
- always
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/setup_mailer.yml"
|
||||
when: run_setup|bool
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-mailer
|
107
roles/matrix-mailer/tasks/setup_mailer.yml
Normal file
107
roles/matrix-mailer/tasks/setup_mailer.yml
Normal file
|
@ -0,0 +1,107 @@
|
|||
---
|
||||
|
||||
#
|
||||
# Tasks related to setting up the mailer
|
||||
#
|
||||
|
||||
- name: Ensure mailer base path exists
|
||||
file:
|
||||
path: "{{ item.path }}"
|
||||
state: directory
|
||||
mode: 0750
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- { path: "{{ matrix_mailer_base_path }}", when: true }
|
||||
- { path: "{{ matrix_mailer_container_image_self_build_src_files_path }}", when: "{{ matrix_mailer_container_image_self_build }}" }
|
||||
when: "matrix_mailer_enabled|bool and item.when"
|
||||
|
||||
- name: Ensure mailer environment variables file created
|
||||
template:
|
||||
src: "{{ role_path }}/templates/env-mailer.j2"
|
||||
dest: "{{ matrix_mailer_base_path }}/env-mailer"
|
||||
mode: 0640
|
||||
when: matrix_mailer_enabled|bool
|
||||
|
||||
- name: Ensure exim-relay repository is present on self-build
|
||||
git:
|
||||
repo: "{{ matrix_mailer_container_image_self_build_repository_url }}"
|
||||
dest: "{{ matrix_mailer_container_image_self_build_src_files_path }}"
|
||||
version: "{{ matrix_mailer_container_image_self_build_version }}"
|
||||
force: "yes"
|
||||
register: matrix_mailer_git_pull_results
|
||||
when: "matrix_mailer_enabled|bool and matrix_mailer_container_image_self_build|bool"
|
||||
|
||||
- name: Ensure exim-relay Docker image is built
|
||||
docker_image:
|
||||
name: "{{ matrix_mailer_docker_image }}"
|
||||
source: build
|
||||
force_source: "{{ matrix_mailer_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
|
||||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}"
|
||||
build:
|
||||
dockerfile: Dockerfile
|
||||
path: "{{ matrix_mailer_container_image_self_build_src_files_path }}"
|
||||
pull: yes
|
||||
when: "matrix_mailer_enabled|bool and matrix_mailer_container_image_self_build|bool"
|
||||
|
||||
- name: Ensure exim-relay image is pulled
|
||||
docker_image:
|
||||
name: "{{ matrix_mailer_docker_image }}"
|
||||
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
|
||||
force_source: "{{ matrix_mailer_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
|
||||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_docker_image_force_pull }}"
|
||||
when: "matrix_mailer_enabled|bool and not matrix_mailer_container_image_self_build|bool"
|
||||
|
||||
- name: Ensure matrix-mailer.service installed
|
||||
template:
|
||||
src: "{{ role_path }}/templates/systemd/matrix-mailer.service.j2"
|
||||
dest: "{{ matrix_systemd_path }}/matrix-mailer.service"
|
||||
mode: 0644
|
||||
register: matrix_mailer_systemd_service_result
|
||||
when: matrix_mailer_enabled|bool
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-mailer.service installation
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "matrix_mailer_enabled|bool and matrix_mailer_systemd_service_result.changed"
|
||||
|
||||
#
|
||||
# Tasks related to getting rid of the mailer (if it was previously enabled)
|
||||
#
|
||||
|
||||
- name: Check existence of matrix-mailer service
|
||||
stat:
|
||||
path: "{{ matrix_systemd_path }}/matrix-mailer.service"
|
||||
register: matrix_mailer_service_stat
|
||||
when: "not matrix_mailer_enabled|bool"
|
||||
|
||||
- name: Ensure matrix-mailer is stopped
|
||||
service:
|
||||
name: matrix-mailer
|
||||
state: stopped
|
||||
daemon_reload: yes
|
||||
register: stopping_result
|
||||
when: "not matrix_mailer_enabled|bool and matrix_mailer_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure matrix-mailer.service doesn't exist
|
||||
file:
|
||||
path: "{{ matrix_systemd_path }}/matrix-mailer.service"
|
||||
state: absent
|
||||
when: "not matrix_mailer_enabled|bool and matrix_mailer_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-mailer.service removal
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "not matrix_mailer_enabled|bool and matrix_mailer_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure Matrix mailer environment variables path doesn't exist
|
||||
file:
|
||||
path: "{{ matrix_mailer_base_path }}"
|
||||
state: absent
|
||||
when: "not matrix_mailer_enabled|bool"
|
||||
|
||||
- name: Ensure mailer Docker image doesn't exist
|
||||
docker_image:
|
||||
name: "{{ matrix_mailer_docker_image }}"
|
||||
state: absent
|
||||
when: "not matrix_mailer_enabled|bool"
|
9
roles/matrix-mailer/templates/env-mailer.j2
Normal file
9
roles/matrix-mailer/templates/env-mailer.j2
Normal file
|
@ -0,0 +1,9 @@
|
|||
#jinja2: lstrip_blocks: "True"
|
||||
{% if matrix_mailer_relay_use %}
|
||||
SMARTHOST={{ matrix_mailer_relay_host_name }}::{{ matrix_mailer_relay_host_port }}
|
||||
{% endif %}
|
||||
{% if matrix_mailer_relay_auth %}
|
||||
SMTP_USERNAME={{ matrix_mailer_relay_auth_username }}
|
||||
SMTP_PASSWORD={{ matrix_mailer_relay_auth_password }}
|
||||
{% endif %}
|
||||
HOSTNAME={{ matrix_mailer_hostname }}
|
|
@ -0,0 +1,37 @@
|
|||
#jinja2: lstrip_blocks: "True"
|
||||
[Unit]
|
||||
Description=Matrix mailer
|
||||
After=docker.service
|
||||
Requires=docker.service
|
||||
DefaultDependencies=no
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
Environment="HOME={{ matrix_systemd_unit_home_path }}"
|
||||
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mailer 2>/dev/null'
|
||||
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mailer 2>/dev/null'
|
||||
|
||||
# --hostname gives us a friendlier hostname than the default.
|
||||
# The real hostname is passed via a `HOSTNAME` environment variable though.
|
||||
ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mailer \
|
||||
--log-driver=none \
|
||||
--user={{ matrix_mailer_container_user_uid }}:{{ matrix_mailer_container_user_gid }} \
|
||||
--cap-drop=ALL \
|
||||
--read-only \
|
||||
--tmpfs=/var/spool/exim:rw,noexec,nosuid,size=100m \
|
||||
--network={{ matrix_docker_network }} \
|
||||
--env-file={{ matrix_mailer_base_path }}/env-mailer \
|
||||
--hostname=matrix-mailer \
|
||||
{% for arg in matrix_mailer_container_extra_arguments %}
|
||||
{{ arg }} \
|
||||
{% endfor %}
|
||||
{{ matrix_mailer_docker_image }}
|
||||
|
||||
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mailer 2>/dev/null'
|
||||
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mailer 2>/dev/null'
|
||||
Restart=always
|
||||
RestartSec=30
|
||||
SyslogIdentifier=matrix-mailer
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
487
roles/matrix-nginx-proxy/defaults/main.yml
Normal file
487
roles/matrix-nginx-proxy/defaults/main.yml
Normal file
|
@ -0,0 +1,487 @@
|
|||
matrix_nginx_proxy_enabled: true
|
||||
matrix_nginx_proxy_version: 1.21.1-alpine
|
||||
|
||||
# We use an official nginx image, which we fix-up to run unprivileged.
|
||||
# An alternative would be an `nginxinc/nginx-unprivileged` image, but
|
||||
# that is frequently out of date.
|
||||
matrix_nginx_proxy_docker_image: "{{ matrix_container_global_registry_prefix }}nginx:{{ matrix_nginx_proxy_version }}"
|
||||
matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}"
|
||||
|
||||
matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy"
|
||||
matrix_nginx_proxy_data_path: "{{ matrix_nginx_proxy_base_path }}/data"
|
||||
matrix_nginx_proxy_data_path_in_container: "/nginx-data"
|
||||
matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_base_path }}/conf.d"
|
||||
|
||||
# List of systemd services that matrix-nginx-proxy.service depends on
|
||||
matrix_nginx_proxy_systemd_required_services_list: ['docker.service']
|
||||
|
||||
# List of systemd services that matrix-nginx-proxy.service wants
|
||||
matrix_nginx_proxy_systemd_wanted_services_list: []
|
||||
|
||||
# A list of additional "volumes" to mount in the container.
|
||||
# This list gets populated dynamically at runtime. You can provide a different default value,
|
||||
# if you wish to mount your own files into the container.
|
||||
# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
|
||||
matrix_nginx_proxy_container_additional_volumes: []
|
||||
|
||||
# A list of extra arguments to pass to the container
|
||||
matrix_nginx_proxy_container_extra_arguments: []
|
||||
|
||||
# Controls whether matrix-nginx-proxy serves its vhosts over HTTPS or HTTP.
|
||||
#
|
||||
# If enabled:
|
||||
# - SSL certificates would be expected to be available (see `matrix_ssl_retrieval_method`)
|
||||
# - the HTTP vhost would be made a redirect to the HTTPS vhost
|
||||
#
|
||||
# If not enabled:
|
||||
# - you don't need any SSL certificates (you can set `matrix_ssl_retrieval_method: none`)
|
||||
# - naturally, there's no HTTPS vhost
|
||||
# - services are served directly from the HTTP vhost
|
||||
matrix_nginx_proxy_https_enabled: true
|
||||
|
||||
# Controls whether the matrix-nginx-proxy container exposes its HTTP port (tcp/8080 in the container).
|
||||
#
|
||||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:80"), or empty string to not expose.
|
||||
matrix_nginx_proxy_container_http_host_bind_port: '80'
|
||||
|
||||
# Controls whether the matrix-nginx-proxy container exposes its HTTPS port (tcp/8443 in the container).
|
||||
#
|
||||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:443"), or empty string to not expose.
|
||||
#
|
||||
# This only makes sense and applies if `matrix_nginx_proxy_https_enabled` is set to `true`.
|
||||
# Otherwise, there are no HTTPS vhosts to expose.
|
||||
matrix_nginx_proxy_container_https_host_bind_port: '443'
|
||||
|
||||
# Controls whether the matrix-nginx-proxy container exposes the Matrix Federation port (tcp/8448 in the container).
|
||||
#
|
||||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8448"), or empty string to not expose.
|
||||
#
|
||||
# This only makes sense and applies if `matrix_nginx_proxy_proxy_matrix_federation_api_enabled` is set to `true`.
|
||||
# Otherwise, there is no Matrix Federation port to expose.
|
||||
#
|
||||
# This port can take HTTP or HTTPS traffic, depending on `matrix_nginx_proxy_https_enabled`.
|
||||
# When HTTPS is disabled, you'd likely want to only expose the port locally, and front it with another HTTPS-enabled reverse-proxy.
|
||||
matrix_nginx_proxy_container_federation_host_bind_port: '8448'
|
||||
|
||||
# Controls whether matrix-nginx-proxy should serve the base domain.
|
||||
#
|
||||
# This is useful for when you only have your Matrix server, but you need to serve
|
||||
# to serve `/.well-known/matrix/*` files from the base domain for the needs of
|
||||
# Server-Discovery (Federation) and for Client-Discovery.
|
||||
#
|
||||
# Besides serving these Matrix files, a homepage would be served with content
|
||||
# as specified in the `matrix_nginx_proxy_base_domain_homepage_template` variable.
|
||||
# You can also put additional files to use for this webpage
|
||||
# in the `{{ matrix_nginx_proxy_data_path }}/matrix-domain` (`/matrix/nginx-proxy/data/matrix-domain`) directory.
|
||||
matrix_nginx_proxy_base_domain_serving_enabled: false
|
||||
|
||||
matrix_nginx_proxy_base_domain_hostname: "{{ matrix_domain }}"
|
||||
|
||||
# Controls whether `matrix_nginx_proxy_base_domain_homepage_template` would be dumped to an `index.html` file
|
||||
# in the `/matrix/nginx-proxy/data/matrix-domain` directory.
|
||||
#
|
||||
# If you would instead like to serve a static website by yourself, you can disable this.
|
||||
# When disabled, you're expected to put website files in `/matrix/nginx-proxy/data/matrix-domain` manually
|
||||
# and can expect that the playbook won't intefere with the `index.html` file.
|
||||
matrix_nginx_proxy_base_domain_homepage_enabled: true
|
||||
|
||||
matrix_nginx_proxy_base_domain_homepage_template: |-
|
||||
<!doctype html>
|
||||
<meta charset="utf-8" />
|
||||
<html>
|
||||
<body>
|
||||
Hello from {{ matrix_domain }}!
|
||||
</body>
|
||||
</html>
|
||||
|
||||
# Option to disable the access log
|
||||
matrix_nginx_proxy_access_log_enabled: true
|
||||
|
||||
# Controls whether proxying the riot domain should be done.
|
||||
matrix_nginx_proxy_proxy_riot_compat_redirect_enabled: false
|
||||
matrix_nginx_proxy_proxy_riot_compat_redirect_hostname: "riot.{{ matrix_domain }}"
|
||||
|
||||
# Controls whether proxying the Synapse domain should be done.
|
||||
matrix_nginx_proxy_proxy_synapse_enabled: false
|
||||
matrix_nginx_proxy_proxy_synapse_hostname: "matrix-nginx-proxy"
|
||||
matrix_nginx_proxy_proxy_synapse_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}"
|
||||
# The addresses where the Federation API is, when using Synapse.
|
||||
matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-synapse:8048"
|
||||
matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:8048"
|
||||
|
||||
# Controls whether proxying the Element domain should be done.
|
||||
matrix_nginx_proxy_proxy_element_enabled: false
|
||||
matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}"
|
||||
|
||||
# Controls whether proxying the Hydrogen domain should be done.
|
||||
matrix_nginx_proxy_proxy_hydrogen_enabled: false
|
||||
matrix_nginx_proxy_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}"
|
||||
|
||||
# Controls whether proxying the matrix domain should be done.
|
||||
matrix_nginx_proxy_proxy_matrix_enabled: false
|
||||
matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}"
|
||||
# The port name used for federation in the nginx configuration.
|
||||
# This is not necessarily the port that it's actually on,
|
||||
# as port-mapping happens (`-p ..`) for the `matrix-nginx-proxy` container.
|
||||
matrix_nginx_proxy_proxy_matrix_federation_port: 8448
|
||||
|
||||
# Controls whether proxying the dimension domain should be done.
|
||||
matrix_nginx_proxy_proxy_dimension_enabled: false
|
||||
matrix_nginx_proxy_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}"
|
||||
|
||||
# Controls whether proxying the goneb domain should be done.
|
||||
matrix_nginx_proxy_proxy_bot_go_neb_enabled: false
|
||||
matrix_nginx_proxy_proxy_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }}"
|
||||
|
||||
# Controls whether proxying the jitsi domain should be done.
|
||||
matrix_nginx_proxy_proxy_jitsi_enabled: false
|
||||
matrix_nginx_proxy_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}"
|
||||
|
||||
# Controls whether proxying the grafana domain should be done.
|
||||
matrix_nginx_proxy_proxy_grafana_enabled: false
|
||||
matrix_nginx_proxy_proxy_grafana_hostname: "{{ matrix_server_fqn_grafana }}"
|
||||
|
||||
# Controls whether proxying the sygnal domain should be done.
|
||||
matrix_nginx_proxy_proxy_sygnal_enabled: false
|
||||
matrix_nginx_proxy_proxy_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}"
|
||||
|
||||
# Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain)
|
||||
matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false
|
||||
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
|
||||
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081"
|
||||
|
||||
# Controls whether proxying for the User Directory Search API (`/_matrix/client/r0/user_directory/search`) should be done (on the matrix domain).
|
||||
# This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search.
|
||||
# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/directory.md
|
||||
matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false
|
||||
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-ma1sd:8090"
|
||||
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:8090"
|
||||
|
||||
# Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain).
|
||||
# This allows another service to control registrations involving 3PIDs.
|
||||
# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md
|
||||
matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: false
|
||||
matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-ma1sd:8090"
|
||||
matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:8090"
|
||||
|
||||
# Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain)
|
||||
matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false
|
||||
matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:8090"
|
||||
matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090"
|
||||
|
||||
# Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain)
|
||||
matrix_nginx_proxy_proxy_synapse_metrics: false
|
||||
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled: false
|
||||
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: ""
|
||||
|
||||
# The addresses where the Matrix Client API is.
|
||||
# Certain extensions (like matrix-corporal) may override this in order to capture all traffic.
|
||||
matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-nginx-proxy:12080"
|
||||
matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:12080"
|
||||
|
||||
# The addresses where the Matrix Client API is, when using Synapse.
|
||||
matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "matrix-synapse:8008"
|
||||
matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "127.0.0.1:8008"
|
||||
|
||||
# This needs to be equal or higher than the maximum upload size accepted by Synapse.
|
||||
matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 50
|
||||
|
||||
|
||||
# Tells whether `/_synapse/client` is forwarded to the Matrix Client API server.
|
||||
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled: true
|
||||
|
||||
# Tells whether `/_synapse/oidc` is forwarded to the Matrix Client API server.
|
||||
# Enable this if you need OpenID Connect authentication support.
|
||||
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled: false
|
||||
|
||||
# Tells whether `/_synapse/admin` is forwarded to the Matrix Client API server.
|
||||
# Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't.
|
||||
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: false
|
||||
|
||||
# `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefixes` holds
|
||||
# the location prefixes that get forwarded to the Matrix Client API server.
|
||||
# These locations get combined into a regex like this `^(/_matrix|/_synapse/client)`.
|
||||
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: |
|
||||
{{
|
||||
(['/_matrix'])
|
||||
+
|
||||
(['/_synapse/client'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled else [])
|
||||
+
|
||||
(['/_synapse/oidc'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled else [])
|
||||
+
|
||||
(['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else [])
|
||||
+
|
||||
(['/_synapse/metrics'] if matrix_nginx_proxy_proxy_synapse_metrics else [])
|
||||
}}
|
||||
|
||||
# Specifies where requests for the root URI (`/`) on the `matrix.` domain should be redirected.
|
||||
# If this has an empty value, they're just passed to the homeserver, which serves a static page.
|
||||
# If you'd like to make `https://matrix.DOMAIN` redirect to `https://element.DOMAIN` (or something of that sort), specify the domain name here.
|
||||
# Example value: `element.DOMAIN` (or `{{ matrix_server_fqn_element }}`).
|
||||
matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: ""
|
||||
|
||||
# Controls whether proxying for the Matrix Federation API should be done.
|
||||
matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false
|
||||
matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-nginx-proxy:12088"
|
||||
matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "localhost:12088"
|
||||
matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb | int) * 3 }}"
|
||||
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem"
|
||||
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem"
|
||||
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem"
|
||||
|
||||
# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
|
||||
matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}"
|
||||
|
||||
# A list of strings containing additional configuration blocks to add to the nginx server configuration (nginx.conf).
|
||||
# for big matrixservers to enlarge the number of open files to prevent timeouts
|
||||
# matrix_nginx_proxy_proxy_additional_configuration_blocks:
|
||||
# - 'worker_rlimit_nofile 30000;'
|
||||
matrix_nginx_proxy_proxy_additional_configuration_blocks: []
|
||||
|
||||
# A list of strings containing additional configuration blocks to add to the nginx event server configuration (nginx.conf).
|
||||
matrix_nginx_proxy_proxy_event_additional_configuration_blocks: []
|
||||
|
||||
# A list of strings containing additional configuration blocks to add to the nginx http's server configuration (nginx-http.conf).
|
||||
matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: []
|
||||
|
||||
# A list of strings containing additional configuration blocks to add to the base matrix server configuration (matrix-domain.conf).
|
||||
matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: []
|
||||
|
||||
# A list of strings containing additional configuration blocks to add to the synapse's server configuration (matrix-synapse.conf).
|
||||
matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks: []
|
||||
|
||||
# A list of strings containing additional configuration blocks to add to Riot's server configuration (matrix-riot-web.conf).
|
||||
matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: []
|
||||
|
||||
# A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf).
|
||||
matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks: []
|
||||
|
||||
# A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf).
|
||||
matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks: []
|
||||
|
||||
# A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf).
|
||||
matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: []
|
||||
|
||||
# A list of strings containing additional configuration blocks to add to GoNEB's server configuration (matrix-bot-go-neb.conf).
|
||||
matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks: []
|
||||
|
||||
# A list of strings containing additional configuration blocks to add to Jitsi's server configuration (matrix-jitsi.conf).
|
||||
matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks: []
|
||||
|
||||
# A list of strings containing additional configuration blocks to add to Grafana's server configuration (matrix-grafana.conf).
|
||||
matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks: []
|
||||
|
||||
# A list of strings containing additional configuration blocks to add to Sygnal's server configuration (matrix-sygnal.conf).
|
||||
matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks: []
|
||||
|
||||
# A list of strings containing additional configuration blocks to add to the base domain server configuration (matrix-base-domain.conf).
|
||||
matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []
|
||||
|
||||
# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses for all vhosts meant to be accessed by users.
|
||||
#
|
||||
# Learn more about what it is here:
|
||||
# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
|
||||
# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
|
||||
# - https://amifloced.org/
|
||||
#
|
||||
# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
|
||||
matrix_nginx_proxy_floc_optout_enabled: true
|
||||
|
||||
# HSTS Preloading Enable
|
||||
#
|
||||
# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
|
||||
# indicates a willingness to be “preloaded” into browsers:
|
||||
# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
|
||||
# For more information visit:
|
||||
# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
|
||||
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
|
||||
# - https://hstspreload.org/#opt-in
|
||||
matrix_nginx_proxy_hsts_preload_enabled: false
|
||||
|
||||
# X-XSS-Protection Enable
|
||||
# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
|
||||
# Note: Not applicable for grafana
|
||||
#
|
||||
# Learn more about it is here:
|
||||
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
|
||||
# - https://portswigger.net/web-security/cross-site-scripting/reflected
|
||||
matrix_nginx_proxy_xss_protection: "1; mode=block"
|
||||
|
||||
# Specifies the SSL configuration that should be used for the SSL protocols and ciphers
|
||||
# This is based on the Mozilla Server Side TLS Recommended configurations.
|
||||
#
|
||||
# The posible values are:
|
||||
# - "modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility
|
||||
# - "intermediate" - Recommended configuration for a general-purpose server
|
||||
# - "old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8
|
||||
#
|
||||
# For more information visit:
|
||||
# - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
|
||||
# - https://ssl-config.mozilla.org/#server=nginx
|
||||
matrix_nginx_proxy_ssl_preset: "intermediate"
|
||||
|
||||
# Presets are taken from Mozilla's Server Side TLS Recommended configurations
|
||||
# DO NOT modify these values and use `matrix_nginx_proxy_ssl_protocols`, `matrix_nginx_proxy_ssl_ciphers` and `matrix_nginx_proxy_ssl_ciphers`
|
||||
# if you wish to use something more custom.
|
||||
matrix_nginx_proxy_ssl_presets:
|
||||
modern:
|
||||
protocols: TLSv1.3
|
||||
ciphers: ""
|
||||
prefer_server_ciphers: "off"
|
||||
intermediate:
|
||||
protocols: TLSv1.2 TLSv1.3
|
||||
ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||
prefer_server_ciphers: "off"
|
||||
old:
|
||||
protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
|
||||
ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
|
||||
prefer_server_ciphers: "on"
|
||||
|
||||
|
||||
# Specifies which *SSL protocols* to use when serving all the various vhosts.
|
||||
matrix_nginx_proxy_ssl_protocols: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}"
|
||||
|
||||
# Specifies whether to prefer *the client’s choice or the server’s choice* when negotiating ciphers.
|
||||
matrix_nginx_proxy_ssl_prefer_server_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}"
|
||||
|
||||
# Specifies which *SSL Cipher suites* to use when serving all the various vhosts.
|
||||
# To see the full list for suportes ciphers run `openssl ciphers` on your server
|
||||
matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"
|
||||
|
||||
# Controls whether the self-check feature should validate SSL certificates.
|
||||
matrix_nginx_proxy_self_check_validate_certificates: true
|
||||
|
||||
# Controls whether redirects will be followed when checking the `/.well-known/matrix/client` resource.
|
||||
#
|
||||
# As per the spec (https://matrix.org/docs/spec/client_server/r0.6.0#well-known-uri), it shouldn't be,
|
||||
# so we default to not following redirects as well.
|
||||
matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects: none
|
||||
|
||||
# For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter).
|
||||
#
|
||||
# Otherwise, we get warnings like this:
|
||||
# > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/.../fullchain.pem"
|
||||
#
|
||||
# We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`.
|
||||
#
|
||||
# When nginx proxy is disabled, our configuration is likely used by non-containerized nginx, so can't use the internal Docker resolver.
|
||||
# Pointing `resolver` to some public DNS server might be an option, but for now we impose DNS servers on people.
|
||||
# It might also be that no such warnings occur when not running in a container.
|
||||
matrix_nginx_proxy_http_level_resolver: "{{ '127.0.0.11' if matrix_nginx_proxy_enabled else '' }}"
|
||||
|
||||
# By default, this playbook automatically retrieves and auto-renews
|
||||
# free SSL certificates from Let's Encrypt.
|
||||
#
|
||||
# The following retrieval methods are supported:
|
||||
# - "lets-encrypt" - the playbook obtains free SSL certificates from Let's Encrypt
|
||||
# - "self-signed" - the playbook generates and self-signs certificates
|
||||
# - "manually-managed" - lets you manage certificates by yourself (manually; see below)
|
||||
# - "none" - like "manually-managed", but doesn't care if you don't drop certificates in the location it expects
|
||||
#
|
||||
# If you decide to manage certificates by yourself (`matrix_ssl_retrieval_method: manually-managed`),
|
||||
# you'd need to drop them into the directory specified by `matrix_ssl_config_dir_path`
|
||||
# obeying the following hierarchy:
|
||||
# - <matrix_ssl_config_dir_path>/live/<domain>/fullchain.pem
|
||||
# - <matrix_ssl_config_dir_path>/live/<domain>/privkey.pem
|
||||
# where <domain> refers to the domains that you need (usually `matrix_server_fqn_matrix` and `matrix_server_fqn_element`).
|
||||
#
|
||||
# The "none" type (`matrix_ssl_retrieval_method: none`), simply means that no certificate retrieval will happen.
|
||||
# It's useful for when you've disabled the nginx proxy (`matrix_nginx_proxy_enabled: false`)
|
||||
# and you'll be using another reverse-proxy server (like Apache) with your own certificates, managed by yourself.
|
||||
# It's also useful if you're using `matrix_nginx_proxy_https_enabled: false` to make this nginx proxy serve
|
||||
# plain HTTP traffic only (usually, on the loopback interface only) and you'd be terminating SSL using another reverse-proxy.
|
||||
matrix_ssl_retrieval_method: "lets-encrypt"
|
||||
|
||||
matrix_ssl_architecture: "amd64"
|
||||
|
||||
# The full list of domains that this role will obtain certificates for.
|
||||
# This variable is likely redefined outside of the role, to include the domains that are necessary (depending on the services that are enabled).
|
||||
# To add additional domain names, consider using `matrix_ssl_additional_domains_to_obtain_certificates_for` instead.
|
||||
matrix_ssl_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}"
|
||||
|
||||
# A list of additional domain names to obtain certificates for.
|
||||
matrix_ssl_additional_domains_to_obtain_certificates_for: []
|
||||
|
||||
# Controls whether to obtain production or staging certificates from Let's Encrypt.
|
||||
matrix_ssl_lets_encrypt_staging: false
|
||||
matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.17.0"
|
||||
matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
|
||||
matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
|
||||
matrix_ssl_lets_encrypt_support_email: ~
|
||||
|
||||
# Tells which interface and port the Let's Encrypt (certbot) container should try to bind to
|
||||
# when it tries to obtain initial certificates in standalone mode.
|
||||
#
|
||||
# This should normally be a public interface and port.
|
||||
# If you'd like to not bind on all IP addresses, specify one explicitly (e.g. `a.b.c.d:80`)
|
||||
matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port: '80'
|
||||
|
||||
matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"
|
||||
matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"
|
||||
matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"
|
||||
|
||||
# If you'd like to start some service before a certificate is obtained, specify it here.
|
||||
# This could be something like `matrix-dynamic-dns`, etc.
|
||||
matrix_ssl_pre_obtaining_required_service_name: ~
|
||||
matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60
|
||||
|
||||
# Nginx Optimize SSL Session
|
||||
#
|
||||
# ssl_session_cache:
|
||||
# - Creating a cache of TLS connection parameters reduces the number of handshakes
|
||||
# and thus can improve the performance of application.
|
||||
# - Default session cache is not optimal as it can be used by only one worker process
|
||||
# and can cause memory fragmentation. It is much better to use shared cache.
|
||||
# - Learn More: https://nginx.org/en/docs/http/ngx_http_ssl_module.html
|
||||
#
|
||||
# ssl_session_timeout:
|
||||
# - Nginx by default it is set to 5 minutes which is very low.
|
||||
# should be like 4h or 1d but will require you to increase the size of cache.
|
||||
# - Learn More:
|
||||
# https://github.com/certbot/certbot/issues/6903
|
||||
# https://github.com/mozilla/server-side-tls/issues/198
|
||||
#
|
||||
# ssl_session_tickets:
|
||||
# - In case of session tickets, information about session is given to the client.
|
||||
# Enabling this improve performance also make Perfect Forward Secrecy useless.
|
||||
# - If you would instead like to use ssl_session_tickets by yourself, you can set
|
||||
# matrix_nginx_proxy_ssl_session_tickets_off false.
|
||||
# - Learn More: https://github.com/mozilla/server-side-tls/issues/135
|
||||
#
|
||||
# Presets are taken from Mozilla's Server Side TLS Recommended configurations
|
||||
matrix_nginx_proxy_ssl_session_cache: "shared:MozSSL:10m"
|
||||
matrix_nginx_proxy_ssl_session_timeout: "1d"
|
||||
matrix_nginx_proxy_ssl_session_tickets_off: true
|
||||
|
||||
# OCSP Stapling eliminating the need for clients to contact the CA, with the aim of improving both security and performance.
|
||||
# OCSP stapling can provide a performance boost of up to 30%
|
||||
# nginx web server supports OCSP stapling since version 1.3.7.
|
||||
#
|
||||
# *warning* Nginx is lazy loading OCSP responses, which means that for the first few web requests it is unable to add the OCSP response.
|
||||
# set matrix_nginx_proxy_ocsp_stapling_enabled false to disable OCSP Stapling
|
||||
#
|
||||
# Learn more about what it is here:
|
||||
# - https://en.wikipedia.org/wiki/OCSP_stapling
|
||||
# - https://blog.cloudflare.com/high-reliability-ocsp-stapling/
|
||||
# - https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
|
||||
matrix_nginx_proxy_ocsp_stapling_enabled: true
|
||||
|
||||
# nginx status page configurations.
|
||||
matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: false
|
||||
matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ['{{ ansible_default_ipv4.address }}']
|
||||
|
||||
|
||||
# synapse worker activation and endpoint mappings
|
||||
matrix_nginx_proxy_synapse_workers_enabled: false
|
||||
matrix_nginx_proxy_synapse_workers_list: []
|
||||
matrix_nginx_proxy_synapse_generic_worker_client_server_locations: []
|
||||
matrix_nginx_proxy_synapse_generic_worker_federation_locations: []
|
||||
matrix_nginx_proxy_synapse_media_repository_locations: []
|
||||
matrix_nginx_proxy_synapse_user_dir_locations: []
|
||||
matrix_nginx_proxy_synapse_frontend_proxy_locations: []
|
||||
|
||||
# The amount of worker processes and connections
|
||||
# Consider increasing these when you are expecting high amounts of traffic
|
||||
# http://nginx.org/en/docs/ngx_core_module.html#worker_connections
|
||||
matrix_nginx_proxy_worker_processes: 1
|
||||
matrix_nginx_proxy_worker_connections: 1024
|
8
roles/matrix-nginx-proxy/tasks/init.yml
Normal file
8
roles/matrix-nginx-proxy/tasks/init.yml
Normal file
|
@ -0,0 +1,8 @@
|
|||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-nginx-proxy.service'] }}"
|
||||
when: matrix_nginx_proxy_enabled|bool
|
||||
|
||||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + [item.name] }}"
|
||||
when: "item.applicable|bool and item.enableable|bool"
|
||||
with_items: "{{ matrix_ssl_renewal_systemd_units_list }}"
|
38
roles/matrix-nginx-proxy/tasks/main.yml
Normal file
38
roles/matrix-nginx-proxy/tasks/main.yml
Normal file
|
@ -0,0 +1,38 @@
|
|||
- import_tasks: "{{ role_path }}/tasks/init.yml"
|
||||
tags:
|
||||
- always
|
||||
|
||||
# Always validating the configuration, even if `matrix_nginx_proxy: false`.
|
||||
# This role performs actions even if the role is disabled, so we need
|
||||
# to ensure there's a valid configuration in any case.
|
||||
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
|
||||
when: run_setup|bool
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-nginx-proxy
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/ssl/main.yml"
|
||||
when: run_setup|bool
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-nginx-proxy
|
||||
- setup-ssl
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/setup_nginx_proxy.yml"
|
||||
when: run_setup|bool
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-nginx-proxy
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/self_check_well_known.yml"
|
||||
delegate_to: 127.0.0.1
|
||||
become: false
|
||||
when: run_self_check|bool
|
||||
tags:
|
||||
- self-check
|
||||
|
||||
- name: Mark matrix-nginx-proxy role as executed
|
||||
set_fact:
|
||||
matrix_nginx_proxy_role_executed: true
|
||||
tags:
|
||||
- always
|
30
roles/matrix-nginx-proxy/tasks/self_check_well_known.yml
Normal file
30
roles/matrix-nginx-proxy/tasks/self_check_well_known.yml
Normal file
|
@ -0,0 +1,30 @@
|
|||
---
|
||||
|
||||
- name: Determine well-known files to check (Matrix)
|
||||
set_fact:
|
||||
well_known_file_checks:
|
||||
- path: /.well-known/matrix/client
|
||||
purpose: Client Discovery
|
||||
cors: true
|
||||
follow_redirects: "{{ matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects }}"
|
||||
validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}"
|
||||
|
||||
- block:
|
||||
- set_fact:
|
||||
well_known_file_check_matrix_server:
|
||||
path: /.well-known/matrix/server
|
||||
purpose: Server Discovery
|
||||
cors: false
|
||||
follow_redirects: safe
|
||||
validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}"
|
||||
|
||||
- name: Determine domains that we require certificates for (ma1sd)
|
||||
set_fact:
|
||||
well_known_file_checks: "{{ well_known_file_checks + [well_known_file_check_matrix_server] }}"
|
||||
when: matrix_well_known_matrix_server_enabled|bool
|
||||
|
||||
- name: Perform well-known checks
|
||||
include_tasks: "{{ role_path }}/tasks/self_check_well_known_file.yml"
|
||||
with_items: "{{ well_known_file_checks }}"
|
||||
loop_control:
|
||||
loop_var: well_known_file_check
|
|
@ -0,0 +1,73 @@
|
|||
---
|
||||
|
||||
- set_fact:
|
||||
well_known_url_matrix: "https://{{ matrix_server_fqn_matrix }}{{ well_known_file_check.path }}"
|
||||
well_known_url_identity: "https://{{ matrix_domain }}{{ well_known_file_check.path }}"
|
||||
|
||||
# These well-known files may be served without a `Content-Type: application/json` header,
|
||||
# so we can't rely on the uri module's automatic parsing of JSON.
|
||||
- name: Check .well-known on the matrix hostname
|
||||
uri:
|
||||
url: "{{ well_known_url_matrix }}"
|
||||
follow_redirects: none
|
||||
return_content: true
|
||||
validate_certs: "{{ well_known_file_check.validate_certs }}"
|
||||
headers:
|
||||
Origin: example.com
|
||||
check_mode: no
|
||||
register: result_well_known_matrix
|
||||
ignore_errors: true
|
||||
|
||||
- name: Fail if .well-known not working on the matrix hostname
|
||||
fail:
|
||||
msg: "Failed checking that the well-known file for {{ well_known_file_check.purpose }} is configured at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_matrix }}"
|
||||
when: "result_well_known_matrix.failed"
|
||||
|
||||
- name: Parse JSON for well-known payload at the matrix hostname
|
||||
set_fact:
|
||||
well_known_matrix_payload: "{{ result_well_known_matrix.content|from_json }}"
|
||||
|
||||
- name: Fail if .well-known not CORS-aware on the matrix hostname
|
||||
fail:
|
||||
msg: "The well-known file for {{ well_known_file_check.purpose }} on `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set."
|
||||
when: "well_known_file_check.cors and 'access_control_allow_origin' not in result_well_known_matrix"
|
||||
|
||||
- name: Report working .well-known on the matrix hostname
|
||||
debug:
|
||||
msg: "well-known for {{ well_known_file_check.purpose }} is configured correctly for `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`)"
|
||||
|
||||
- name: Check .well-known on the identity hostname
|
||||
uri:
|
||||
url: "{{ well_known_url_identity }}"
|
||||
follow_redirects: "{{ well_known_file_check.follow_redirects }}"
|
||||
return_content: true
|
||||
validate_certs: "{{ well_known_file_check.validate_certs }}"
|
||||
headers:
|
||||
Origin: example.com
|
||||
check_mode: no
|
||||
register: result_well_known_identity
|
||||
ignore_errors: true
|
||||
|
||||
- name: Fail if .well-known not working on the identity hostname
|
||||
fail:
|
||||
msg: "Failed checking that the well-known file for {{ well_known_file_check.purpose }} is configured at `{{ matrix_domain }}` (checked endpoint: `{{ well_known_url_identity }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_identity }}"
|
||||
when: "result_well_known_identity.failed"
|
||||
|
||||
- name: Parse JSON for well-known payload at the identity hostname
|
||||
set_fact:
|
||||
well_known_identity_payload: "{{ result_well_known_identity.content|from_json }}"
|
||||
|
||||
- name: Fail if .well-known not CORS-aware on the identity hostname
|
||||
fail:
|
||||
msg: "The well-known file for {{ well_known_file_check.purpose }} on `{{ matrix_domain }}` (checked endpoint: `{{ well_known_url_identity }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set. See docs/configuring-well-known.md"
|
||||
when: "well_known_file_check.cors and 'access_control_allow_origin' not in result_well_known_identity"
|
||||
|
||||
# For people who manually copy the well-known file, try to detect if it's outdated
|
||||
- name: Fail if well-known is different on matrix hostname and identity hostname
|
||||
fail:
|
||||
msg: "The well-known files for {{ well_known_file_check.purpose }} at `{{ matrix_server_fqn_matrix }}` and `{{ matrix_domain }}` are different. Perhaps you copied the file ({{ well_known_file_check.path }}) manually before and now it's outdated?"
|
||||
when: "well_known_matrix_payload != well_known_identity_payload"
|
||||
|
||||
- name: Report working .well-known on the identity hostname
|
||||
debug:
|
||||
msg: "well-known for {{ well_known_file_check.purpose }} ({{ well_known_file_check.path }}) is configured correctly for `{{ matrix_domain }}` (checked endpoint: `{{ well_known_url_identity }}`)"
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue