Horvath Gergely 2020-02-11 20:56:54 +01:00
commit 8a0c3146d3
52 changed files with 846 additions and 239 deletions

View file

@ -1,3 +1,38 @@
# 2020-01-30
## Disabling TLSv1.1
To improve security, we've removed TLSv1.1 support from our default matrix-nginx-proxy configuration.
If you need to support old clients, you can re-enable it with the following configuration: `matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3"`
# 2020-01-21
## Postgres collation changes (action required!)
By default, we've been using a UTF-8 collation for Postgres. This is known to cause Synapse some troubles (see the [relevant issue](https://github.com/matrix-org/synapse/issues/6722)) on systems that use [glibc](https://www.gnu.org/software/libc/). We run Postgres in an [Alpine Linux](https://alpinelinux.org/) container (which uses [musl](https://www.musl-libc.org/), and not glibc), so our users are likely not affected by the index corruption problem observed by others.
Still, we might become affected in the future. In any case, it's imminent that Synapse will complain about databases which do not use a C collation.
To avoid future problems, we recommend that you run the following command:
```
ansible-playbook -i inventory/hosts setup.yml --tags=upgrade-postgres --extra-vars='{"postgres_force_upgrade": true}'
```
It forces a [Postgres database upgrade](docs/maintenance-postgres.md#upgrading-postgresql), which would recreate your Postgres database using the proper (`C`) collation. If you are low on disk space, or run into trouble, refer to the Postgres database upgrade documentation page.
# 2020-01-14
## Added support for Appservice Webhooks
Thanks to a contribution from [Björn Marten](https://github.com/tripleawwy) from [netresearch](https://www.netresearch.de/), the playbook can now install and configure [matrix-appservice-webhooks](https://github.com/turt2live/matrix-appservice-webhooks) for you. This bridge provides support for Slack-compatible webhooks.
Learn more in [Setting up Appservice Webhooks](docs/configuring-playbook-bridge-appservice-webhooks.md).
# 2020-01-12
## Added support for automatic Double Puppeting for all Mautrix bridges
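Review bot: the 2020-01-30 entry only describes the nginx side (`matrix_nginx_proxy_ssl_protocols`), but this same commit also drops `+TLSv1.1` from `SSLProxyProtocol` in all of the Apache examples; please add a sentence pointing Apache users at the updated examples so they refresh their own copies. Since re-enabling TLSv1.1 is shown as a plain one-liner, it would also help to say it is meant only for legacy clients and should be removed again once those are gone.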

View file

@ -44,12 +44,14 @@ Using this playbook, you can get the following services configured on your serve
- (optional) the [mautrix-hangouts](https://github.com/tulir/mautrix-hangouts) bridge for bridging your Matrix server to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts)
- (optional) the [matrix-appservice-irc](https://github.com/TeDomum/matrix-appservice-irc) bridge for bridging your Matrix server to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat)
- (optional) the [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) bridge for bridging your Matrix server to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat)
- (optional) the [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) bridge for bridging your Matrix server to [Discord](https://discordapp.com/)
- (optional) the [matrix-appservice-slack](https://github.com/matrix-org/matrix-appservice-slack) bridge for bridging your Matrix server to [Slack](https://slack.com/)
- (optional) the [matrix-appservice-webhooks](https://github.com/turt2live/matrix-appservice-webhooks) bridge for slack compatible webhooks ([ConcourseCI](https://concourse-ci.org/), [Slack](https://slack.com/) etc. pp.)
- (optional) [Email2Matrix](https://github.com/devture/email2matrix) for relaying email messages to Matrix rooms
- (optional) [Dimension](https://github.com/turt2live/matrix-dimension), an open source integrations manager for matrix clients
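Review bot: style nit in the new matrix-appservice-webhooks bullet: "bridge for slack compatible webhooks ([ConcourseCI](...), [Slack](...) etc. pp.)" should read "bridge for Slack-compatible webhooks ([ConcourseCI](...), [Slack](...), etc.)", matching the capitalisation and wording used in the CHANGELOG entry in this commit.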
@ -132,12 +134,14 @@ This playbook sets up your server using the following Docker images:
- [tulir/mautrix-hangouts](https://hub.docker.com/r/tulir/mautrix-hangouts/) - the [mautrix-hangouts](https://github.com/tulir/mautrix-hangouts) bridge to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) (optional)
- [tedomum/matrix-appservice-irc](https://hub.docker.com/r/tedomum/matrix-appservice-irc/) - the [matrix-appservice-irc](https://github.com/TeDomum/matrix-appservice-irc) bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) (optional)
- [matrixdotorg/matrix-appservice-irc](https://hub.docker.com/r/matrixdotorg/matrix-appservice-irc) - the [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) (optional)
- [halfshot/matrix-appservice-discord](https://hub.docker.com/r/halfshot/matrix-appservice-discord) - the [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) bridge to [Discord](https://discordapp.com/) (optional)
- [cadair/matrix-appservice-slack](https://hub.docker.com/r/cadair/matrix-appservice-slack) - the [matrix-appservice-slack](https://github.com/matrix-org/matrix-appservice-slack) bridge to [Slack](https://slack.com/) (optional)
- [turt2live/matrix-appservice-webhooks](https://hub.docker.com/r/turt2live/matrix-appservice-webhooks) - the [Appservice Webhooks](https://github.com/turt2live/matrix-appservice-webhooks) bridge (optional)
- [turt2live/matrix-dimension](https://hub.docker.com/r/turt2live/matrix-dimension) - the [Dimension](https://dimension.t2bot.io/) integrations manager (optional)

View file

@ -9,9 +9,7 @@ If your local computer cannot run Ansible, you can also run Ansible on some serv
## Supported Ansible versions
Ansible 2.5 or newer is required.
If you're on Ansible 2.5.x, due to bugs in Ansible 2.5.0 and 2.5.1, at least Ansible 2.5.2 is required.
Ansible 2.5.2 or newer is required.
## Checking your Ansible version
@ -28,7 +26,7 @@ If you're on an old version of Ansible, you should [upgrade Ansible to a newer v
Depending on your distribution, you may be able to upgrade Ansible in a few different ways:
- by using an additional repository (PPA, etc.), which provides newer Ansible versions
- by using an additional repository (PPA, etc.), which provides newer Ansible versions. See instructions for [CentOS](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-ansible-on-rhel-centos-or-fedora), [Debian](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-ansible-on-debian), or [Ubuntu](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-ansible-on-ubuntu) on the Ansible website.
- by removing the Ansible package (`yum remove ansible` or `apt-get remove ansible`) and installing via [pip](https://pip.pypa.io/en/stable/installing/) (`pip install ansible`).

View file

@ -1,8 +1,8 @@
# Setting up Appservice IRC (optional)
The playbook can install and configure [matrix-appservice-irc](https://github.com/TeDomum/matrix-appservice-irc) for you.
The playbook can install and configure [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) for you.
See the project's [documentation](https://github.com/TeDomum/matrix-appservice-irc/blob/master/HOWTO.md) to learn what it does and why it might be useful to you.
See the project's [documentation](https://github.com/matrix-org/matrix-appservice-irc/blob/master/HOWTO.md) to learn what it does and why it might be useful to you.
You'll need to use the following playbook configuration:

View file

@ -0,0 +1,61 @@
# Setting up Appservice Webhooks (optional)
The playbook can install and configure [matrix-appservice-webhooks](https://github.com/turt2live/matrix-appservice-webhooks) for you.
This bridge provides support for Slack-compatible webhooks.
Setup Instructions:
loosely based on [this](https://github.com/turt2live/matrix-appservice-webhooks/blob/master/README.md)
1. All you basically need is to adjust your `inventory/host_vars/matrix.<domain-name>/vars.yml`:
```yaml
matrix_appservice_webhooks_enabled: true
matrix_appservice_webhooks_api_secret: '<your_secret>'
```
2. In case you want to change the verbosity of logging via `journalctl -fu matrix-appservice-webhooks.service`
you can adjust this in `inventory/host_vars/matrix.<domain-name>/vars.yml` as well.
*Note*: default value is: `info` and availabe log levels are : `info`, `verbose`
```yaml
matrix_appservice_webhooks_log_level: '<log_level>'
```
3. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready.
4. Invite the bridge bot user to your room:
- either with `/invite @_webhook:<domain.name>` (*Note*: Make sure you have administration permissions in your room)
- or simply add the bridge bot to a private channel (personal channels imply you being an administrator)
5. Send a message to the bridge bot in order to receive a private message including the webhook link.
```
!webhook
```
6. The JSON body for posting messages will have to look like this:
```json
{
"text": "Hello world!",
"format": "plain",
"displayName": "My Cool Webhook",
"avatarUrl": "http://i.imgur.com/IDOBtEJ.png"
}
```
You can test this via curl like so:
```
curl --header "Content-Type: application/json" \
--data '{
"text": "Hello world!",
"format": "plain",
"displayName": "My Cool Webhook",
"avatarUrl": "http://i.imgur.com/IDOBtEJ.png"
}' \
<the link you've gotten in 5.>
```
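Review bot: step 2 has a typo and spacing issue ("default value is: `info` and availabe log levels are : `info`, `verbose`" should be "the default is `info`; available log levels are `info` and `verbose`"). More importantly, the curl example in step 6 sends nothing but the JSON body to the link obtained in step 5, so possession of that link is the only thing authorising posts into the room; the guide should say explicitly that the webhook link must be treated as a secret (kept out of public CI logs and repositories) and that a new one should be requested from the bot if it leaks.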

View file

@ -52,7 +52,7 @@ Note that if your nginx version is old, it might not like our default choice of
```yaml
# Custom protocol list (removing `TLSv1.3`) to suit your nginx version.
matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2"
matrix_nginx_proxy_ssl_protocols: "TLSv1.2"
```

View file

@ -93,4 +93,6 @@ When you're done with all the configuration you'd like to do, continue with [Ins
- [Setting up Appservice Slack bridging](configuring-playbook-bridge-appservice-slack.md) (optional)
- [Setting up Appservice Webhooks bridging](configuring-playbook-bridge-appservice-webhooks.md) (optional)
- [Setting up Email2Matrix](configuring-playbook-email2matrix.md) (optional)

View file

@ -8,9 +8,11 @@ Run this as-is to set up a server:
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all
```
This **doesn't start any services just yet** (another step does this later - below).
**Note**: if you don't use SSH keys for authentication, but rather a regular password, you may need to add `--ask-pass` to the above (and all other) Ansible commands.
Feel free to **re-run this any time** you think something is off with the server configuration.
The above command **doesn't start any services just yet** (another step does this later - below).
Feel free to **re-run this setup command any time** you think something is off with the server configuration.
## Things you might want to do after installing

View file

@ -42,7 +42,7 @@ docker run \
--rm \
--network=matrix \
--env-file=/matrix/postgres/env-postgres-psql \
postgres:12.0-alpine \
postgres:12.1-alpine \
pg_dumpall -h matrix-postgres \
| gzip -c \
> /postgres.sql.gz

View file

@ -24,11 +24,14 @@ If you've just installed Matrix, **to finalize the installation process**, it's
-----
The script `/usr/local/bin/matrix-make-user-admin` may be used to upgrade a user's privileges:
## Adding/Removing Administrator privileges to an existing user.
The script `/usr/local/bin/matrix-change-user-admin-status` may be used to change a user's admin privileges.
* log on to your server with ssh
* execute with the username:
* execute with the username and 0/1 (0 = non-admin | 1 = admin)
```
/usr/local/bin/matrix-make-user-admin <username>
/usr/local/bin/matrix-change-user-admin-status <username> <0/1>
```

View file

@ -34,7 +34,9 @@ where `<password-hash>` is the hash returned by the docker command above.
Use the Synapse User Admin API as described here: https://github.com/matrix-org/synapse/blob/master/docs/admin_api/user_admin_api.rst#reset-password
This requires an access token from a server admin account. If you didn't make your account a server admin when you created it, you can use the `/usr/local/bin/matrix-make-user-admin` script as described in [registering-users.md](registering-users.md). Note this method will also log the user out of all of their clients while the other options do not.
This requires an access token from a server admin account. *This method will also log the user out of all of their clients while the other options do not.*
If you didn't make your account a server admin when you created it, you can use the `/usr/local/bin/matrix-change-user-admin-status` script as described in [registering-users.md](registering-users.md).
### Example:
To set @user:domain.com's password to `correct_horse_battery_staple` you could use this curl command:

View file

@ -26,7 +26,7 @@
SSLCertificateKeyFile /matrix/ssl/config/live/dimension.DOMAIN/privkey.pem
SSLProxyEngine on
SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3
SSLProxyProtocol +TLSv1.2 +TLSv1.3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
ProxyPreserveHost On
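Review bot: this hunk tightens only `SSLProxyProtocol`, which governs the TLS version Apache negotiates towards the backend; the virtual host's inbound `SSLProtocol` directive lies outside the visible context, so please confirm it was updated to the same TLSv1.2/TLSv1.3 set, otherwise clients can still negotiate TLSv1.1 against this example even though the CHANGELOG announces it as disabled. The same check applies to the riot and matrix Apache examples changed below.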

View file

@ -26,7 +26,7 @@
SSLCertificateKeyFile /matrix/ssl/config/live/riot.DOMAIN/privkey.pem
SSLProxyEngine on
SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3
SSLProxyProtocol +TLSv1.2 +TLSv1.3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
ProxyPreserveHost On

View file

@ -26,7 +26,7 @@
SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem
SSLProxyEngine on
SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3
SSLProxyProtocol +TLSv1.2 +TLSv1.3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
ProxyPreserveHost On
@ -103,7 +103,7 @@ Listen 8448
SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem
SSLProxyEngine on
SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3
SSLProxyProtocol +TLSv1.2 +TLSv1.3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
ProxyPreserveHost On

View file

@ -60,6 +60,40 @@ matrix_appservice_discord_homeserver_token: "{{ matrix_synapse_macaroon_secret_k
######################################################################
######################################################################
#
# matrix-appservice-webhooks
#
######################################################################
# We don't enable bridges by default.
matrix_appservice_webhooks_enabled: false
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-webhooks over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# matrix-appservice-webhooks' client-server port to the local host.
matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:{{ matrix_appservice_webhooks_webhooks_port }}' }}"
matrix_appservice_webhooks_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.as.token') | to_uuid }}"
matrix_appservice_webhooks_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.hs.token') | to_uuid }}"
matrix_appservice_webhooks_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.id.token') | to_uuid }}"
matrix_appservice_webhooks_systemd_required_services_list: |
{{
['docker.service']
+
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
}}
######################################################################
#
# /matrix-appservice-webhooks
#
######################################################################
######################################################################
#
# matrix-appservice-slack
@ -74,11 +108,11 @@ matrix_appservice_slack_enabled: false
# matrix-appservice-slack's client-server port to the local host.
matrix_appservice_slack_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:{{ matrix_appservice_slack_slack_port }}' }}"
matrix_appservice_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack-appservice-token') | to_uuid }}"
matrix_appservice_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.as.token') | to_uuid }}"
matrix_appservice_slack_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack-homeserver-token') | to_uuid }}"
matrix_appservice_slack_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.hs.token') | to_uuid }}"
matrix_appservice_slack_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack-id-token') | to_uuid }}"
matrix_appservice_slack_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.id.token') | to_uuid }}"
matrix_appservice_slack_systemd_required_services_list: |
{{
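Review bot: changing the `password_hash('sha512', ...)` salts from `slack-appservice-token`/`slack-homeserver-token`/`slack-id-token` to `slack.as.token`/`slack.hs.token`/`slack.id.token` changes the derived `matrix_appservice_slack_appservice_token`, `_homeserver_token` and `_id_token` values on every existing installation, so the Slack registration file and Synapse's copy of it are regenerated on the next run; that is harmless only if both sides are re-run together, and the CHANGELOG should say so. If the rename was made because the old salts were too long or used characters a crypt salt does not accept, a comment saying that would stop the next person from "fixing" it back.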
@ -604,7 +638,6 @@ matrix_synapse_email_smtp_host: "matrix-mailer"
matrix_synapse_email_smtp_port: 8025
matrix_synapse_email_smtp_require_transport_security: false
matrix_synapse_email_notif_from: "Matrix <{{ matrix_mailer_sender_address }}>"
matrix_synapse_email_riot_base_url: "https://{{ matrix_server_fqn_riot }}"
# Even if TURN doesn't support TLS (it does by default),
# it doesn't hurt to try a secure connection anyway.
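Review bot: `matrix_synapse_email_riot_base_url` is removed from group_vars without a CHANGELOG entry; if the setting is now provided elsewhere or was renamed, say so in the commit message, otherwise email notification links silently lose their Riot base URL on upgraded servers.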

View file

@ -28,7 +28,7 @@
apt:
name:
- bash-completion
- python-docker
- "python{{'3' if ansible_python.version.major == 3 else ''}}-docker"
- ntp
- fuse
state: latest

View file

@ -3,7 +3,7 @@
matrix_appservice_irc_enabled: true
matrix_appservice_irc_docker_image: "tedomum/matrix-appservice-irc:latest"
matrix_appservice_irc_docker_image: "matrixdotorg/matrix-appservice-irc:release-0.14.1"
matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}"
matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc"
@ -377,11 +377,6 @@ matrix_appservice_irc_configuration_yaml: |
enablePresence: {{ matrix_appservice_irc_homeserver_enablePresence|to_json }}
ircService:
# The nedb database URI to connect to. This is the name of the directory to
# dump .db files to. This is relative to the project directory.
# Required.
databaseUri: "nedb:///data"
# WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot
# send a password hash. As a result, passwords (NOT hashes) are stored encrypted in
# the database.
@ -474,6 +469,15 @@ matrix_appservice_irc_configuration_yaml: |
# enough for the vast majority of use cases.
maxHttpSockets: 1000
# Use an external database to store bridge state.
database:
# database engine (must be 'postgres' or 'nedb'). Default: nedb
engine: "nedb"
# Either a PostgreSQL connection string, or a path to the NeDB storage directory.
# For postgres, it must start with postgres://
# For NeDB, it must start with nedb://. The path is relative to the project directory.
connectionString: "nedb:///data"
matrix_appservice_irc_configuration_extension_yaml: |
# Your custom YAML configuration for Appservice IRC servers goes here.
# This configuration extends the default starting configuration (`matrix_appservice_irc_configuration_yaml`).
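Review bot: together with the image move to `matrixdotorg/matrix-appservice-irc:release-0.14.1`, the configuration schema changes: `ircService.databaseUri` is removed and replaced by a `database:` block with `engine` and `connectionString`. Any user who overrides `databaseUri` via `matrix_appservice_irc_configuration_extension_yaml` will now have that override merged in and silently ignored by the new bridge, so this deserves a CHANGELOG note, and a validation task that fails when `databaseUri` is still present in the merged configuration would catch it early.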

View file

@ -98,13 +98,15 @@
--cap-drop=ALL
-v {{ matrix_appservice_irc_config_path }}:/config:z
-v {{ matrix_appservice_irc_data_path }}:/data:z
--entrypoint=/bin/bash
{{ matrix_appservice_irc_docker_image }}
node app.js
-c
'node app.js
-r
-f /config/registration-template.yaml
-u "http://matrix-appservice-irc:9999"
-c /config/config.yaml
-l irc_bot
-l irc_bot'
changed_when: false
- name: Read Appservice IRC registration-template.yaml
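Review bot: the registration command now overrides the image entrypoint with `--entrypoint=/bin/bash` and passes the whole `node app.js -r -f ... -l irc_bot` invocation as a single quoted `-c` string. Please confirm the `matrixdotorg` image actually ships `/bin/bash` (minimal images often only have `/bin/sh`), or use `/bin/sh` since nothing in the command needs bash; the same entrypoint override is used in the systemd unit below, so both should use the same shell. Note also that the `-u "http://matrix-appservice-irc:9999"` here and the `-p 9999` in the unit file must stay in sync.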

View file

@ -30,8 +30,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-appservice-irc \
{% for arg in matrix_appservice_irc_container_extra_arguments %}
{{ arg }} \
{% endfor %}
--entrypoint=/bin/bash \
{{ matrix_appservice_irc_docker_image }} \
-c /config/config.yaml -f /config/registration.yaml -p 9999
-c 'node app.js -c /config/config.yaml -f /config/registration.yaml -p 9999'
ExecStop=-/usr/bin/docker kill matrix-appservice-irc
ExecStop=-/usr/bin/docker rm matrix-appservice-irc

View file

@ -3,7 +3,7 @@
matrix_appservice_slack_enabled: true
matrix_appservice_slack_docker_image: "matrixdotorg/matrix-appservice-slack:release-1.0.2"
matrix_appservice_slack_docker_image: "cadair/matrix-appservice-slack:latest"
matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}"
matrix_appservice_slack_base_path: "{{ matrix_base_data_path }}/appservice-slack"
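Review bot: `matrix_appservice_slack_docker_image` moves from the pinned `matrixdotorg/matrix-appservice-slack:release-1.0.2` to `cadair/matrix-appservice-slack:latest`, i.e. from an upstream release tag to an unpinned tag under a personal Docker Hub namespace, and because `force_pull` is derived from `endswith(':latest')` the image will now be re-pulled on every playbook run. That is a supply-chain regression relative to the rest of this commit (the IRC bridge is being pinned at the same time); if the cadair image is needed, pin a specific tag or digest and explain why in a comment.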
@ -51,24 +51,6 @@ matrix_appservice_slack_configuration_yaml: |
bot_username: "{{ matrix_appservice_slack_bot_name }}"
username_prefix: {{ matrix_appservice_slack_user_prefix }}
# Optional if slack_hook_port and inbound_uri_prefix are defined, required otherwise.
rtm:
# Use the RTM API to listen for requests, which does not require
# the bridge to listen on the hook port.
# You should leave this enabled, unless you plan to use the
# bridge exclusively for webhooks.
enable: true
logging: "silent" # Logging level specific to RTM traffic.
# A prefix similar to inbound_uri_prefix for oauth2 requests. inbound_uri_prefix will be used if this is not set
# Optional
# redirect_prefix: "https://my.server.here:9898/mycustomoauthendpoint"
# Allow users to add channels dynamically by using oauth, or puppet themselves.
# Optional
oauth2:
client_id: ""
client_secret: ""
homeserver:
media_url: "{{ matrix_appservice_slack_homeserver_media_url }}"
url: "{{ matrix_appservice_slack_homeserver_url }}"
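Review bot: removing the `rtm:` and `oauth2:` sections is a functional change, not a cleanup: the removed comment says `rtm` is "Optional if slack_hook_port and inbound_uri_prefix are defined, required otherwise", so please confirm both of those are still set in the generated configuration, and mention in the CHANGELOG that RTM listening and OAuth2 provisioning are no longer configured by the playbook.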

View file

@ -0,0 +1,105 @@
# matrix-appservice-webhooks is a Matrix <-> webhook bridge
# See: https://github.com/turt2live/matrix-appservice-webhooks
matrix_appservice_webhooks_enabled: true
matrix_appservice_webhooks_docker_image: "turt2live/matrix-appservice-webhooks:latest"
matrix_appservice_webhooks_docker_image_force_pull: "{{ matrix_appservice_webhooks_docker_image.endswith(':latest') }}"
matrix_appservice_webhooks_base_path: "{{ matrix_base_data_path }}/appservice-webhooks"
matrix_appservice_webhooks_config_path: "{{ matrix_appservice_webhooks_base_path }}/config"
matrix_appservice_webhooks_data_path: "{{ matrix_appservice_webhooks_base_path }}/data"
# If nginx-proxy is disabled, the bridge itself expects its endpoint to be on its own domain (e.g. "localhost:6789")
matrix_appservice_webhooks_public_endpoint: /appservice-webhooks
matrix_appservice_webhooks_inbound_uri_prefix: "{{ matrix_homeserver_url }}{{ matrix_appservice_webhooks_public_endpoint }}"
# Once you make a control room in Matrix, you can get its ID by typing any message and checking its source
matrix_appservice_webhooks_control_room_id: ''
matrix_appservice_webhooks_bot_name: 'webhookbot'
matrix_appservice_webhooks_user_prefix: '_webhook'
# Controls the webhooks_PORT and MATRIX_PORT of the installation
matrix_appservice_webhooks_matrix_port: 6789
matrix_appservice_webhooks_webhooks_port: 6788
# Controls whether the appservice-webhooks container exposes its HTTP port (tcp/6788 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9999"), or empty string to not expose.
matrix_appservice_webhooks_container_http_host_bind_port: ''
matrix_appservice_webhooks_homeserver_media_url: "matrix.{{ matrix_domain }}"
matrix_appservice_webhooks_homeserver_url: "http://matrix-synapse:8008"
matrix_appservice_webhooks_homeserver_domain: "{{ matrix_domain }}"
matrix_appservice_webhooks_appservice_url: 'http://matrix-appservice-webhooks'
# A list of extra arguments to pass to the container
matrix_appservice_webhooks_container_extra_arguments: []
# List of systemd services that matrix-appservice-webhooks.service depends on.
matrix_appservice_webhooks_systemd_required_services_list: ['docker.service', 'matrix-synapse.service']
# List of systemd services that matrix-appservice-webhooks.service wants
matrix_appservice_webhooks_systemd_wanted_services_list: []
matrix_appservice_webhooks_appservice_token: ''
matrix_appservice_webhooks_homeserver_token: ''
matrix_appservice_webhooks_id_token: ''
matrix_appservice_webhooks_api_secret: ''
# Logging information (info and verbose is available) default is: info
matrix_appservice_webhooks_log_level: 'info'
matrix_appservice_webhooks_configuration_yaml: |
# Configuration specific to the application service. All fields (unless otherwise marked) are required.
homeserver:
# The domain for the client-server API calls.
url: "{{ matrix_appservice_webhooks_homeserver_url }}"
# The domain part for user IDs on this home server. Usually, but not always, this is the same as the
# home server's URL.
domain: "{{ matrix_domain }}"
# Configuration specific to the bridge. All fields (unless otherwise marked) are required.
webhookBot:
# The localpart to use for the bot. May require re-registering the application service.
localpart: "_webhook"
# Provisioning API options
provisioning:
# Your secret for the API. Required for all provisioning API requests.
secret: '{{ matrix_appservice_webhooks_api_secret }}'
# Configuration related to the web portion of the bridge. Handles the inbound webhooks
web:
hookUrlBase: "{{ matrix_appservice_webhooks_inbound_uri_prefix }}"
logging:
console: true
consoleLevel: {{ matrix_appservice_webhooks_log_level }}
writeFiles: false
matrix_appservice_webhooks_configuration_extension_yaml: |
#
matrix_appservice_webhooks_configuration_extension: "{{ matrix_appservice_webhooks_configuration_extension_yaml|from_yaml if matrix_appservice_webhooks_configuration_extension_yaml|from_yaml else {} }}"
matrix_appservice_webhooks_configuration: "{{ matrix_appservice_webhooks_configuration_yaml|from_yaml|combine(matrix_appservice_webhooks_configuration_extension, recursive=True) }}"
matrix_appservice_webhooks_registration_yaml: |
id: "{{ matrix_appservice_webhooks_id_token }}"
hs_token: "{{ matrix_appservice_webhooks_homeserver_token }}"
as_token: "{{ matrix_appservice_webhooks_appservice_token }}"
namespaces:
users:
- exclusive: true
regex: '^@{{ matrix_appservice_webhooks_user_prefix | regex_escape }}.*:{{ matrix_domain | regex_escape }}$'
aliases: []
rooms: []
url: "{{ matrix_appservice_webhooks_appservice_url }}:{{ matrix_appservice_webhooks_matrix_port }}"
sender_localpart: _webhook
rate_limited: false
protocols: null
matrix_appservice_webhooks_registration: "{{ matrix_appservice_webhooks_registration_yaml|from_yaml }}"
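Review bot: the bot localpart is hardcoded as `_webhook` in both `webhookBot.localpart` and `sender_localpart`, while the registration namespace regex is built from `matrix_appservice_webhooks_user_prefix`; anyone who changes the prefix variable ends up with a bot user outside its own exclusive namespace, so derive all three from the same variable. Several defaults are defined but never used in the templates (`matrix_appservice_webhooks_bot_name`, `_control_room_id`, `_homeserver_media_url`, `_homeserver_domain`; the config uses `matrix_domain` directly), which should either be wired in or dropped. Please also double-check the two ports: the comment above `matrix_appservice_webhooks_container_http_host_bind_port` says the container's HTTP port is tcp/6788 (`_webhooks_port`), but the registration `url` and the nginx `proxy_pass` in init.yml both target `_matrix_port` 6789, so one of the two paths looks wrong. Finally, `turt2live/matrix-appservice-webhooks:latest` with `force_pull` true means an unpinned image is re-pulled on every run; a pinned tag would be preferable.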

View file

@ -0,0 +1,78 @@
# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
# We don't want to fail in such cases.
- name: Fail if matrix-synapse role already executed
fail:
msg: >-
The matrix-bridge-appservice-webhooks role needs to execute before the matrix-synapse role.
when: "matrix_synapse_role_executed|default(False)"
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-webhooks'] }}"
when: matrix_appservice_webhooks_enabled|bool
# If the matrix-synapse role is not used, these variables may not exist.
- set_fact:
matrix_synapse_container_extra_arguments: >
{{ matrix_synapse_container_extra_arguments|default([]) }}
+
["--mount type=bind,src={{ matrix_appservice_webhooks_config_path }}/webhooks-registration.yaml,dst=/matrix-appservice-webhooks-registration.yaml,ro"]
matrix_synapse_app_service_config_files: >
{{ matrix_synapse_app_service_config_files|default([]) }}
+
{{ ["/matrix-appservice-webhooks-registration.yaml"] }}
when: matrix_appservice_webhooks_enabled|bool
# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
# We don't want to fail in such cases.
- name: Fail if matrix-synapse role already executed
fail:
msg: >-
The matrix-bridge-appservice-webhooks role needs to execute before the matrix-synapse role.
when: "matrix_synapse_role_executed|default(False)"
- block:
- name: Fail if matrix-nginx-proxy role already executed
fail:
msg: >-
Trying to append webhooks Appservice's reverse-proxying configuration to matrix-nginx-proxy,
but it's pointless since the matrix-nginx-proxy role had already executed.
To fix this, please change the order of roles in your plabook,
so that the matrix-nginx-proxy role would run after the matrix-bridge-appservice-webhooks role.
when: matrix_nginx_proxy_role_executed|default(False)|bool
- name: Generate Matrix Appservice webhooks proxying configuration for matrix-nginx-proxy
set_fact:
matrix_appservice_webhooks_matrix_nginx_proxy_configuration: |
location {{ matrix_appservice_webhooks_public_endpoint }}/ {
{% if matrix_nginx_proxy_enabled|default(False) %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
proxy_pass {{ matrix_appservice_webhooks_appservice_url }}:{{ matrix_appservice_webhooks_matrix_port }}/;
{% else %}
{# Generic configuration for use outside of our container setup #}
proxy_pass http://127.0.0.1:{{ matrix_appservice_webhooks_matrix_port }}/;
{% endif %}
}
- name: Register webhooks Appservice proxying configuration with matrix-nginx-proxy
set_fact:
matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: |
{{
matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks|default([])
+
[matrix_appservice_webhooks_matrix_nginx_proxy_configuration]
}}
tags:
- always
when: matrix_appservice_webhooks_enabled|bool
- name: Warn about reverse-proxying if matrix-nginx-proxy not used
debug:
msg: >-
NOTE: You've enabled the Matrix webhooks bridge but are not using the matrix-nginx-proxy
reverse proxy.
Please make sure that you're proxying the `{{ matrix_appservice_webhooks_public_endpoint }}`
URL endpoint to the matrix-appservice-webhooks container.
You can expose the container's port using the `matrix_appservice_webhooks_container_http_host_bind_port` variable.
when: "matrix_appservice_webhooks_enabled|bool and matrix_nginx_proxy_enabled is not defined"
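Review bot: the "Fail if matrix-synapse role already executed" task appears twice in this file (once at the top and again after the `set_fact` that extends `matrix_synapse_container_extra_arguments`); drop the second copy. There is also a typo in the nginx-proxy failure message ("plabook" for "playbook").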

View file

@ -0,0 +1,21 @@
- import_tasks: "{{ role_path }}/tasks/init.yml"
tags:
- always
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup|bool and matrix_appservice_webhooks_enabled|bool"
tags:
- setup-all
- setup-appservice-webhooks
- import_tasks: "{{ role_path }}/tasks/setup_install.yml"
when: "run_setup|bool and matrix_appservice_webhooks_enabled|bool"
tags:
- setup-all
- setup-appservice-webhooks
- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
when: "run_setup|bool and not matrix_appservice_webhooks_enabled|bool"
tags:
- setup-all
- setup-appservice-webhooks

View file

@ -0,0 +1,64 @@
---
- name: Ensure Appservice webhooks image is pulled
docker_image:
name: "{{ matrix_appservice_webhooks_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_appservice_webhooks_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_webhooks_docker_image_force_pull }}"
- name: Ensure AppService webhooks paths exist
file:
path: "{{ item }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
with_items:
- "{{ matrix_appservice_webhooks_base_path }}"
- "{{ matrix_appservice_webhooks_config_path }}"
- "{{ matrix_appservice_webhooks_data_path }}"
- name: Ensure Matrix Appservice webhooks config is installed
copy:
content: "{{ matrix_appservice_webhooks_configuration|to_nice_yaml }}"
dest: "{{ matrix_appservice_webhooks_config_path }}/config.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
- name: Ensure Matrix Appservice webhooks schema.yml template exists
template:
src: "{{ role_path }}/templates/schema.yml.j2"
dest: "{{ matrix_appservice_webhooks_config_path }}/schema.yml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
- name: Ensure Matrix Appservice webhooks database.json template exists
template:
src: "{{ role_path }}/templates/database.json.j2"
dest: "{{ matrix_appservice_webhooks_data_path }}/database.json"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
- name: Ensure appservice-webhooks registration.yaml installed
copy:
content: "{{ matrix_appservice_webhooks_registration|to_nice_yaml }}"
dest: "{{ matrix_appservice_webhooks_config_path }}/webhooks-registration.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
- name: Ensure matrix-appservice-webhooks.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-appservice-webhooks.service.j2"
dest: "/etc/systemd/system/matrix-appservice-webhooks.service"
mode: 0644
register: matrix_appservice_webhooks_systemd_service_result
- name: Ensure systemd reloaded after matrix-appservice-webhooks.service installation
service:
daemon_reload: yes
when: "matrix_appservice_webhooks_systemd_service_result.changed"
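Review bot: the two files in this task list that carry secrets are written with `mode: 0644`: `config.yaml` (whose `provisioning.secret` is the `matrix_appservice_webhooks_api_secret` that the `Fail if required settings not defined` task insists on) and `webhooks-registration.yaml` (the appservice and homeserver tokens). The parent directories are 0750, which limits exposure, but `mode: 0640` on those two `copy` tasks keeps the tokens readable only by `matrix_user_username` and its group even if the directory mode is later relaxed. Minor: the `ansible_version` guards on the `docker_image` task use `minor > 7` for `source` and `minor >= 8` for `force_source`/`force`; they are equivalent, but one form should be used throughout.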

View file

@ -0,0 +1,24 @@
---
- name: Check existence of matrix-appservice-webhooks service
stat:
path: "/etc/systemd/system/matrix-appservice-webhooks.service"
register: matrix_appservice_webhooks_service_stat
- name: Ensure matrix-appservice-webhooks is stopped
service:
name: matrix-appservice-webhooks
state: stopped
daemon_reload: yes
when: "matrix_appservice_webhooks_service_stat.stat.exists"
- name: Ensure matrix-appservice-webhooks.service doesn't exist
file:
path: "/etc/systemd/system/matrix-appservice-webhooks.service"
state: absent
when: "matrix_appservice_webhooks_service_stat.stat.exists"
- name: Ensure systemd reloaded after matrix-appservice-webhooks.service removal
service:
daemon_reload: yes
when: "matrix_appservice_webhooks_service_stat.stat.exists"
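Review bot: the uninstall path only removes the systemd unit; `matrix_appservice_webhooks_base_path`, which holds `config.yaml` and `webhooks-registration.yaml` with the appservice/homeserver tokens and the API secret, and the pulled image stay on the host. If leaving data behind on uninstall is the playbook's convention, a short comment saying so would help; otherwise add a task that removes the config directory, or at least document that the tokens remain on disk after `matrix_appservice_webhooks_enabled: false`.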

View file

@ -0,0 +1,12 @@
---
- name: Fail if required settings not defined
fail:
msg: >-
You need to define a required configuration setting (`{{ item }}`).
when: "vars[item] == ''"
with_items:
- "matrix_appservice_webhooks_appservice_token"
- "matrix_appservice_webhooks_homeserver_token"
- "matrix_appservice_webhooks_id_token"
- "matrix_appservice_webhooks_api_secret"
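Review bot: `when: "vars[item] == ''"` only catches empty strings; a name that is not defined at all raises an undefined-variable error instead of this message, so the list relies on every entry having a default in the role. Nothing here stops the same value being used for `matrix_appservice_webhooks_appservice_token` and `matrix_appservice_webhooks_homeserver_token`; a second `fail` task asserting that the two differ is cheap and catches a common copy-paste mistake.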

View file

@ -0,0 +1,13 @@
{
"defaultEnv": {
"ENV": "NODE_ENV"
},
"development": {
"driver": "sqlite3",
"filename": "/data/development.db"
},
"production": {
"driver": "sqlite3",
"filename": "/data/production.db"
}
}

View file

@ -0,0 +1,54 @@
"$schema": "http://json-schema.org/draft-04/schema#"
type: "object"
properties:
provisioning:
type: "object"
properties:
secret:
type: "string"
homeserver:
type: "object"
properties:
domain:
type: "string"
url:
type: "string"
mediaUrl:
type: "string"
web:
type: "object"
properties:
hookUrlBase:
type: "string"
webhookBot:
type: "object"
properties:
localpart:
type: "string"
appearance:
type: "object"
properties:
displayName:
type: "string"
avatarUrl:
type: "string"
logging:
type: "object"
properties:
file:
type: "string"
console:
type: "boolean"
consoleLevel:
type: "string"
fileLevel:
type: "string"
writeFiles:
type: "boolean"
rotate:
type: "object"
properties:
size:
type: "number"
count:
type: "number"
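Review bot: the schema declares property types only and no `required` lists, so a config that omits `provisioning.secret` or `homeserver.url` still validates against it; the role's `Fail if required settings not defined` task is the only guard against missing secrets, and that should be kept in mind if the validation is ever relaxed. Also, neither this file nor `database.json.j2` contains a single Jinja expression, so the `.j2` suffix and the `template` module are misleading; `copy` would do for both.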

View file

@ -0,0 +1,43 @@
#jinja2: lstrip_blocks: "True"
[Unit]
Description=Matrix Appservice webhooks server
{% for service in matrix_appservice_webhooks_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
{% for service in matrix_appservice_webhooks_systemd_wanted_services_list %}
Wants={{ service }}
{% endfor %}
[Service]
Type=simple
ExecStartPre=-/usr/bin/docker kill matrix-appservice-webhooks
ExecStartPre=-/usr/bin/docker rm matrix-appservice-webhooks
# Intentional delay, so that the homeserver (we likely depend on) can manage to start.
ExecStartPre=/bin/sleep 5
ExecStart=/usr/bin/docker run --rm --name matrix-appservice-webhooks \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--network={{ matrix_docker_network }} \
{% if matrix_appservice_webhooks_container_http_host_bind_port %}
-p {{ matrix_appservice_webhooks_container_http_host_bind_port }}:{{matrix_appservice_webhooks_matrix_port}} \
{% endif %}
-v {{ matrix_appservice_webhooks_config_path }}:/config:z \
-v {{ matrix_appservice_webhooks_data_path }}:/data:z \
{% for arg in matrix_appservice_webhooks_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_appservice_webhooks_docker_image }} \
node index.js -p {{ matrix_appservice_webhooks_matrix_port }} -c /config/config.yaml -f /config/webhooks-registration.yaml
ExecStop=-/usr/bin/docker kill matrix-appservice-webhooks
ExecStop=-/usr/bin/docker rm matrix-appservice-webhooks
Restart=always
RestartSec=30
SyslogIdentifier=matrix-appservice-webhooks
[Install]
WantedBy=multi-user.target
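Review bot: the `-p {{ matrix_appservice_webhooks_container_http_host_bind_port }}:{{matrix_appservice_webhooks_matrix_port}}` line publishes the port on all interfaces whenever the host variable is a bare port number; the variable's documentation should state that the `127.0.0.1:PORT` form is expected when the bridge is only reached through the reverse proxy on the `{{ matrix_docker_network }}` network. Style: `{{matrix_appservice_webhooks_matrix_port}}` on that line lacks the spaces inside the braces that every other expression in this template uses.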

View file

@ -4,7 +4,7 @@
matrix_mautrix_telegram_enabled: true
# See: https://mau.dev/tulir/mautrix-telegram/container_registry
matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.6.1"
matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.7.0"
matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}"
matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram"

View file

@ -6,7 +6,7 @@
- name: Check Matrix Corporal HTTP gateway
uri:
url: "{{ corporal_client_api_url_endpoint_public }}"
follow_redirects: false
follow_redirects: none
return_content: true
register: result_corporal_client_api
ignore_errors: true
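Review bot: `follow_redirects: none` is the `uri` module's documented string choice; the boolean `false` only worked through the legacy `yes`/`no` aliases, so this is a cleanup rather than a behaviour change. Keeping self-checks from following redirects is the right default: a redirect to another host would otherwise let the check pass against an endpoint other than the one being verified. The same change is repeated in the mxisd, riot-web and Synapse self-check hunks below.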

View file

@ -6,7 +6,7 @@
- name: Check mxisd Identity Service
uri:
url: "{{ mxisd_url_endpoint_public }}"
follow_redirects: false
follow_redirects: none
validate_certs: "{{ matrix_mxisd_self_check_validate_certificates }}"
register: result_mxisd
ignore_errors: true

View file

@ -152,15 +152,27 @@ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_s
# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}"
# A list of strings containing additional configuration blocks to add to the matrix domain's server configuration.
# A list of strings containing additional configuration blocks to add to the nginx http's server configuration.
matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to the matrix synapse's server configuration.
matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to the matrix riot's server configuration.
matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to the matrix dimension's server configuration.
matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to the matrix domain server configuration.
matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []
# Specifies when to reload the matrix-nginx-proxy service so that
# a new SSL certificate could go into effect.
matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
# Specifies which SSL protocols to use when serving Riot and Synapse
matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3"
matrix_nginx_proxy_ssl_protocols: "TLSv1.2 TLSv1.3"
# Controls whether the self-check feature should validate SSL certificates.
matrix_nginx_proxy_self_check_validate_certificates: true
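Review bot: the comment on the new `matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks` says the blocks go into "the nginx http's server configuration", but the nginx.conf template hunk in this commit injects them at the `http {}` level, right after `server_names_hash_bucket_size`, not into any `server {}` block; saying "the http context of nginx.conf" would stop operators from putting server-only directives there. The four new `*_additional_server_configuration_blocks` variables deserve a changelog line like the one the TLS change got. Dropping TLSv1.1 from `matrix_nginx_proxy_ssl_protocols` is the right default.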

View file

@ -6,7 +6,7 @@
- path: /.well-known/matrix/client
purpose: Client Discovery
cors: true
follow_redirects: false
follow_redirects: none
validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}"
- block:
@ -15,7 +15,7 @@
path: /.well-known/matrix/server
purpose: Server Discovery
cors: false
follow_redirects: true
follow_redirects: safe
validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}"
- name: Determine domains that we require certificates for (mxisd)
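Review bot: `follow_redirects: safe` for the `/.well-known/matrix/server` check narrows the old `true` (all redirects) to redirects of GET/HEAD requests only; since the check is a GET this is behaviour-preserving. It is also the one self-check in this commit that still follows redirects, which is consistent with how federation server discovery treats that URL, so the asymmetry with the `none` used for `/.well-known/matrix/client` above looks intentional and could use a one-line comment.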

View file

@ -9,7 +9,7 @@
- name: Check .well-known on the matrix hostname
uri:
url: "{{ well_known_url_matrix }}"
follow_redirects: false
follow_redirects: none
return_content: true
validate_certs: "{{ well_known_file_check.validate_certs }}"
register: result_well_known_matrix

View file

@ -3,6 +3,9 @@
{% macro render_vhost_directives() %}
gzip on;
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
{% for configuration_block in matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks %}
{{- configuration_block }}
{% endfor %}
location / {
{% if matrix_nginx_proxy_enabled %}

View file

@ -5,6 +5,9 @@
gzip on;
gzip_types text/plain application/json;
{% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %}
{{- configuration_block }}
{% endfor %}
location /.well-known/matrix {
root {{ matrix_static_files_base_path }};

View file

@ -3,6 +3,9 @@
{% macro render_vhost_directives() %}
gzip on;
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
{% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %}
{{- configuration_block }}
{% endfor %}
location / {
{% if matrix_nginx_proxy_enabled %}

View file

@ -3,4 +3,7 @@
# which can sometimes be too low to handle our 2 vhosts (Synapse and Riot).
#
# Thus, we ensure a larger bucket size value is used.
server_names_hash_bucket_size 64;
server_names_hash_bucket_size 64;
{% for configuration_block in matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks %}
{{- configuration_block }}
{% endfor %}

View file

@ -73,13 +73,19 @@
mode: 0750
when: matrix_postgres_enabled|bool
- name: Ensure matrix-make-user-admin script created
- name: Ensure matrix-change-user-admin-status script created
template:
src: "{{ role_path }}/templates/usr-local-bin/matrix-make-user-admin.j2"
dest: "/usr/local/bin/matrix-make-user-admin"
src: "{{ role_path }}/templates/usr-local-bin/matrix-change-user-admin-status.j2"
dest: "/usr/local/bin/matrix-change-user-admin-status"
mode: 0750
when: matrix_postgres_enabled|bool
- name: (Migration) Ensure old matrix-make-user-admin script deleted
file:
path: "/usr/local/bin/matrix-make-user-admin"
state: absent
when: matrix_postgres_enabled|bool
- name: Ensure matrix-postgres-update-user-password-hash script created
template:
src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2"
@ -146,6 +152,6 @@
state: absent
with_items:
- matrix-postgres-cli
- matrix-make-user-admin
- matrix-change-user-admin-status
- matrix-postgres-update-user-password-hash
when: "not matrix_postgres_enabled|bool"
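Review bot: the `(Migration) Ensure old matrix-make-user-admin script deleted` task is gated on `matrix_postgres_enabled|bool`, and the removal list in this second hunk names only the new `matrix-change-user-admin-status`, so a host running with `matrix_postgres_enabled: false` (external Postgres) keeps a stale `/usr/local/bin/matrix-make-user-admin`. Either drop the `when` on the migration task or add `matrix-make-user-admin` to the `with_items` list here.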

View file

@ -20,6 +20,11 @@
postgres_start_wait_time: 15
when: "postgres_start_wait_time|default('') == ''"
- name: Set postgres_force_upgrade, if not provided
set_fact:
postgres_force_upgrade: false
when: "postgres_force_upgrade|default('') == ''"
- name: Fail, if trying to upgrade external Postgres database
fail:
msg: "Your configuration indicates that you're not using Postgres from this role. There is nothing to upgrade."
@ -45,7 +50,7 @@
- name: Abort, if already at latest Postgres version
fail:
msg: "You are already running the latest Postgres version supported ({{ matrix_postgres_docker_image_latest }}). Nothing to do"
when: "matrix_postgres_detected_version_corresponding_docker_image == matrix_postgres_docker_image_latest"
when: "matrix_postgres_detected_version_corresponding_docker_image == matrix_postgres_docker_image_latest and not postgres_force_upgrade"
- debug:
msg: "Upgrading database from {{ matrix_postgres_detected_version_corresponding_docker_image }} to {{ matrix_postgres_docker_image_latest }}"
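Review bot: `and not postgres_force_upgrade` on the abort condition uses the raw value; when the flag arrives from the command line as `-e postgres_force_upgrade=false` it is the string `"false"`, which is truthy, so the abort would be skipped and a forced upgrade would run. Use `not postgres_force_upgrade|bool`. The JSON form of `--extra-vars` yields a real boolean, but the plain `key=value` form is what most people type.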

View file

@ -1,4 +1,7 @@
#jinja2: lstrip_blocks: "True"
POSTGRES_USER={{ matrix_postgres_connection_username }}
POSTGRES_PASSWORD={{ matrix_postgres_connection_password }}
POSTGRES_DB={{ matrix_postgres_db_name }}
POSTGRES_DB={{ matrix_postgres_db_name }}
# Synapse refuses to run if collation is not C.
# See https://github.com/matrix-org/synapse/issues/6722
POSTGRES_INITDB_ARGS=--lc-collate C --lc-ctype C --encoding UTF8
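Review bot: `POSTGRES_INITDB_ARGS` is only read by the postgres image when it initialises an empty data directory, so existing installations keep their current collation until the cluster is re-created; the comment above the line should say so, because as written it reads as if setting the variable fixes the collation on its own. The `postgres_force_upgrade` flag added in this commit is what gives existing installations a way to re-initialise, and the two belong together in the docs.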

View file

@ -0,0 +1,19 @@
#jinja2: lstrip_blocks: "True"
#!/bin/bash
if [ $# -ne 2 ]; then
echo "Usage: "$0" <username> <0/1>"
echo "Usage: 0 = non-admin"
echo "Usage: 1 = admin"
exit 1
fi
docker run \
-it \
--rm \
--user=991:991 \
--cap-drop=ALL \
--env-file=/matrix/postgres/env-postgres-psql \
--network matrix \
postgres:12.1-alpine \
psql -h matrix-postgres -c "UPDATE users set admin=$2 WHERE name like '@$1:{{ matrix_domain }}'"
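Review bot: the new script hardcodes `--user=991:991`, `/matrix/postgres/env-postgres-psql`, `--network matrix`, `postgres:12.1-alpine` and `-h matrix-postgres`, where the `matrix-make-user-admin.j2` it replaces (deleted in the next hunk) used `{{ matrix_user_uid }}:{{ matrix_user_gid }}`, `{{ matrix_postgres_base_path }}`, `{{ matrix_docker_network }}`, `{{ matrix_postgres_docker_image_to_use }}` and `{{ matrix_postgres_connection_hostname }}`; this breaks any installation with non-default paths, uid, network or Postgres image, and pins a psql client version that will drift from the server the role actually runs. Carry the variables over. Separately, `$2` is interpolated into `set admin=$2` unvalidated and `$1` into a `like` pattern: check that `$2` is exactly `0` or `1` before invoking `psql`, and use `name = '@$1:{{ matrix_domain }}'` instead of `like` so a username containing `%` or `_` cannot match more than one row. Style: `echo "Usage: "$0" <username> <0/1>"` leaves `$0` unquoted; `echo "Usage: $0 <username> <0/1>"` is what was meant.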

View file

@ -1,17 +0,0 @@
#jinja2: lstrip_blocks: "True"
#!/bin/bash
if [ $# -ne 1 ]; then
echo "Usage: "$0" <username>"
exit 1
fi
docker run \
-it \
--rm \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
--network {{ matrix_docker_network }} \
{{ matrix_postgres_docker_image_to_use }} \
psql -h {{ matrix_postgres_connection_hostname }} -c "UPDATE users set admin=1 WHERE name like '@$1:{{ matrix_domain }}'"

View file

@ -1,6 +1,6 @@
matrix_riot_web_enabled: true
matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.7"
matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.8"
matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}"
matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web"

View file

@ -6,7 +6,7 @@
- name: Check riot-web
uri:
url: "{{ riot_web_url_endpoint_public }}"
follow_redirects: false
follow_redirects: none
validate_certs: "{{ matrix_riot_web_self_check_validate_certificates }}"
register: result_riot_web
ignore_errors: true

View file

@ -3,7 +3,7 @@
matrix_synapse_enabled: true
matrix_synapse_docker_image: "matrixdotorg/synapse:v1.8.0"
matrix_synapse_docker_image: "matrixdotorg/synapse:v1.9.1"
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
@ -259,13 +259,13 @@ matrix_synapse_email_smtp_host: ""
matrix_synapse_email_smtp_port: 587
matrix_synapse_email_smtp_require_transport_security: false
matrix_synapse_email_notif_from: "Matrix <matrix@{{ matrix_domain }}>"
matrix_synapse_email_riot_base_url: "https://{{ matrix_server_fqn_riot }}"
matrix_synapse_email_client_base_url: "https://{{ matrix_server_fqn_riot }}"
# Enable this to activate the REST auth password provider module.
# See: https://github.com/kamax-io/matrix-synapse-rest-auth
# See: https://github.com/ma1uta/matrix-synapse-rest-password-provider
matrix_synapse_ext_password_provider_rest_auth_enabled: false
matrix_synapse_ext_password_provider_rest_auth_download_url: "https://raw.githubusercontent.com/kamax-io/matrix-synapse-rest-auth/v0.1.2/rest_auth_provider.py"
matrix_synapse_ext_password_provider_rest_auth_download_url: "https://raw.githubusercontent.com/ma1uta/matrix-synapse-rest-password-provider/ed377fb70513c2e51b42055eb364195af1ccaf33/rest_auth_provider.py"
matrix_synapse_ext_password_provider_rest_auth_endpoint: ""
matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false
matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true
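Review bot: the REST auth provider download URL now points at a specific commit of the `ma1uta` fork, which is good for reproducibility, but this is a Python module that Synapse imports and executes, fetched from raw.githubusercontent.com; if the task that downloads it is `get_url`, add its `checksum` parameter so that a changed file at the same URL is rejected rather than installed. The `matrix_synapse_email_riot_base_url` to `matrix_synapse_email_client_base_url` rename is covered by the validate_config entry further down and matches Synapse's deprecation of `riot_base_url` in the homeserver template.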

View file

@ -3,7 +3,7 @@
- name: Check Matrix Client API
uri:
url: "{{ matrix_synapse_client_api_url_endpoint_public }}"
follow_redirects: false
follow_redirects: none
validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}"
register: result_matrix_synapse_client_api
ignore_errors: true

View file

@ -3,7 +3,7 @@
- name: Check Matrix Federation API
uri:
url: "{{ matrix_synapse_federation_api_url_endpoint_public }}"
follow_redirects: false
follow_redirects: none
validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}"
register: result_matrix_synapse_federation_api
ignore_errors: true

View file

@ -15,6 +15,7 @@
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
when: "item.old in vars"
with_items:
- {'old': 'matrix_synapse_email_riot_base_url', 'new': '<superseded by client_base_url>'}
- {'old': 'matrix_synapse_container_expose_api_port', 'new': '<superseded by matrix_synapse_container_federation_api_plain_host_bind_port>'}
- {'old': 'matrix_synapse_no_tls', 'new': '<removed>'}
- {'old': 'matrix_enable_room_list_search', 'new': 'matrix_synapse_enable_room_list_search'}

View file

@ -392,17 +392,17 @@ retention:
#
# The rationale for this per-job configuration is that some rooms might have a
# retention policy with a low 'max_lifetime', where history needs to be purged
# of outdated messages on a very frequent basis (e.g. every 5min), but not want
# that purge to be performed by a job that's iterating over every room it knows,
# which would be quite heavy on the server.
# of outdated messages on a more frequent basis than for the rest of the rooms
# (e.g. every 12h), but not want that purge to be performed by a job that's
# iterating over every room it knows, which could be heavy on the server.
#
#purge_jobs:
# - shortest_max_lifetime: 1d
# longest_max_lifetime: 3d
# interval: 5m:
# interval: 12h
# - shortest_max_lifetime: 3d
# longest_max_lifetime: 1y
# interval: 24h
# interval: 1d
## TLS ##
@ -891,23 +891,6 @@ enable_registration: {{ matrix_synapse_enable_registration|to_json }}
# Optional account validity configuration. This allows for accounts to be denied
# any request after a given period.
#
# ``enabled`` defines whether the account validity feature is enabled. Defaults
# to False.
#
# ``period`` allows setting the period after which an account is valid
# after its registration. When renewing the account, its validity period
# will be extended by this amount of time. This parameter is required when using
# the account validity feature.
#
# ``renew_at`` is the amount of time before an account's expiry date at which
# Synapse will send an email to the account's email address with a renewal link.
# This needs the ``email`` and ``public_baseurl`` configuration sections to be
# filled.
#
# ``renew_email_subject`` is the subject of the email sent out with the renewal
# link. ``%(app)s`` can be used as a placeholder for the ``app_name`` parameter
# from the ``email`` section.
#
# Once this feature is enabled, Synapse will look for registered users without an
# expiration date at startup and will add one to every account it found using the
# current settings at that time.
@ -918,32 +901,55 @@ enable_registration: {{ matrix_synapse_enable_registration|to_json }}
# date will be randomly selected within a range [now + period - d ; now + period],
# where d is equal to 10% of the validity period.
#
#account_validity:
# enabled: True
# period: 6w
# renew_at: 1w
# renew_email_subject: "Renew your %(app)s account"
# # Directory in which Synapse will try to find the HTML files to serve to the
# # user when trying to renew an account. Optional, defaults to
# # synapse/res/templates.
# template_dir: "res/templates"
# # HTML to be displayed to the user after they successfully renewed their
# # account. Optional.
# account_renewed_html_path: "account_renewed.html"
# # HTML to be displayed when the user tries to renew an account with an invalid
# # renewal token. Optional.
# invalid_token_html_path: "invalid_token.html"
account_validity:
# The account validity feature is disabled by default. Uncomment the
# following line to enable it.
#
#enabled: true
# Time that a user's session remains valid for, after they log in.
#
# Note that this is not currently compatible with guest logins.
#
# Note also that this is calculated at login time: changes are not applied
# retrospectively to users who have already logged in.
#
# By default, this is infinite.
#
#session_lifetime: 24h
# The period after which an account is valid after its registration. When
# renewing the account, its validity period will be extended by this amount
# of time. This parameter is required when using the account validity
# feature.
#
#period: 6w
# The amount of time before an account's expiry date at which Synapse will
# send an email to the account's email address with a renewal link. By
# default, no such emails are sent.
#
# If you enable this setting, you will also need to fill out the 'email' and
# 'public_baseurl' configuration sections.
#
#renew_at: 1w
# The subject of the email sent out with the renewal link. '%(app)s' can be
# used as a placeholder for the 'app_name' parameter from the 'email'
# section.
#
# Note that the placeholder must be written '%(app)s', including the
# trailing 's'.
#
# If this is not set, a default value is used.
#
#renew_email_subject: "Renew your %(app)s account"
# Directory in which Synapse will try to find templates for the HTML files to
# serve to the user when trying to renew an account. If not set, default
# templates from within the Synapse package will be used.
#
#template_dir: "res/templates"
# File within 'template_dir' giving the HTML to be displayed to the user after
# they successfully renewed their account. If not set, default text is used.
#
#account_renewed_html_path: "account_renewed.html"
# File within 'template_dir' giving the HTML to be displayed when the user
# tries to renew an account with an invalid renewal token. If not set,
# default text is used.
#
#invalid_token_html_path: "invalid_token.html"
# The user must provide all of the below types of 3PID when registering.
#
@ -1378,107 +1384,123 @@ password_config:
pepper: {{ matrix_synapse_password_config_pepper|string|to_json }}
# Enable sending emails for password resets, notification events or
# account expiry notices
#
# If your SMTP server requires authentication, the optional smtp_user &
# smtp_pass variables should be used
#
#email:
# enable_notifs: false
# smtp_host: "localhost"
# smtp_port: 25 # SSL: 465, STARTTLS: 587
# smtp_user: "exampleusername"
# smtp_pass: "examplepassword"
# require_transport_security: False
# notif_from: "Your Friendly %(app)s homeserver <noreply@example.com>"
# app_name: Matrix
#
# # Enable email notifications by default
# #
# notif_for_new_users: True
#
# # Defining a custom URL for Riot is only needed if email notifications
# # should contain links to a self-hosted installation of Riot; when set
# # the "app_name" setting is ignored
# #
# riot_base_url: "http://localhost/riot"
#
# # Configure the time that a validation email or text message code
# # will expire after sending
# #
# # This is currently used for password resets
# #
# #validation_token_lifetime: 1h
#
# # Template directory. All template files should be stored within this
# # directory. If not set, default templates from within the Synapse
# # package will be used
# #
# # For the list of default templates, please see
# # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
# #
# #template_dir: res/templates
#
# # Templates for email notifications
# #
# notif_template_html: notif_mail.html
# notif_template_text: notif_mail.txt
#
# # Templates for account expiry notices
# #
# expiry_template_html: notice_expiry.html
# expiry_template_text: notice_expiry.txt
#
# # Templates for password reset emails sent by the homeserver
# #
# #password_reset_template_html: password_reset.html
# #password_reset_template_text: password_reset.txt
#
# # Templates for registration emails sent by the homeserver
# #
# #registration_template_html: registration.html
# #registration_template_text: registration.txt
#
# # Templates for validation emails sent by the homeserver when adding an email to
# # your user account
# #
# #add_threepid_template_html: add_threepid.html
# #add_threepid_template_text: add_threepid.txt
#
# # Templates for password reset success and failure pages that a user
# # will see after attempting to reset their password
# #
# #password_reset_template_success_html: password_reset_success.html
# #password_reset_template_failure_html: password_reset_failure.html
#
# # Templates for registration success and failure pages that a user
# # will see after attempting to register using an email or phone
# #
# #registration_template_success_html: registration_success.html
# #registration_template_failure_html: registration_failure.html
#
# # Templates for success and failure pages that a user will see after attempting
# # to add an email or phone to their account
# #
# #add_threepid_success_html: add_threepid_success.html
# #add_threepid_failure_html: add_threepid_failure.html
{% if matrix_synapse_email_enabled %}
# Configuration for sending emails from Synapse.
#
email:
enable_notifs: true
smtp_host: {{ matrix_synapse_email_smtp_host|string|to_json }}
smtp_port: {{ matrix_synapse_email_smtp_port|to_json }}
require_transport_security: {{ matrix_synapse_email_smtp_require_transport_security|to_json }}
notif_from: {{ matrix_synapse_email_notif_from|string|to_json }}
app_name: Matrix
notif_template_html: notif_mail.html
notif_template_text: notif_mail.txt
# Templates for account expiry notices.
expiry_template_html: notice_expiry.html
expiry_template_text: notice_expiry.txt
notif_for_new_users: True
riot_base_url: {{ matrix_synapse_email_riot_base_url|string|to_json }}
# The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.
#
#smtp_host: mail.server
smtp_host: {{ matrix_synapse_email_smtp_host|string|to_json }}
# The port on the mail server for outgoing SMTP. Defaults to 25.
#
#smtp_port: 587
smtp_port: {{ matrix_synapse_email_smtp_port|to_json }}
# Username/password for authentication to the SMTP server. By default, no
# authentication is attempted.
#
# smtp_user: "exampleusername"
# smtp_pass: "examplepassword"
# Uncomment the following to require TLS transport security for SMTP.
# By default, Synapse will connect over plain text, and will then switch to
# TLS via STARTTLS *if the SMTP server supports it*. If this option is set,
# Synapse will refuse to connect unless the server supports STARTTLS.
#
#require_transport_security: true
require_transport_security: {{ matrix_synapse_email_smtp_require_transport_security|to_json }}
# Enable sending emails for messages that the user has missed
#
#enable_notifs: false
enable_notifs: true
# notif_from defines the "From" address to use when sending emails.
# It must be set if email sending is enabled.
#
# The placeholder '%(app)s' will be replaced by the application name,
# which is normally 'app_name' (below), but may be overridden by the
# Matrix client application.
#
# Note that the placeholder must be written '%(app)s', including the
# trailing 's'.
#
#notif_from: "Your Friendly %(app)s homeserver <noreply@example.com>"
notif_from: {{ matrix_synapse_email_notif_from|string|to_json }}
# app_name defines the default value for '%(app)s' in notif_from. It
# defaults to 'Matrix'.
#
#app_name: my_branded_matrix_server
app_name: Matrix
# Uncomment the following to disable automatic subscription to email
# notifications for new users. Enabled by default.
#
#notif_for_new_users: false
notif_for_new_users: True
# Custom URL for client links within the email notifications. By default
# links will be based on "https://matrix.to".
#
# (This setting used to be called riot_base_url; the old name is still
# supported for backwards-compatibility but is now deprecated.)
#
#client_base_url: "http://localhost/riot"
client_base_url: {{ matrix_synapse_email_client_base_url|string|to_json }}
# Configure the time that a validation email will expire after sending.
# Defaults to 1h.
#
#validation_token_lifetime: 15m
# Directory in which Synapse will try to find the template files below.
# If not set, default templates from within the Synapse package will be used.
#
# DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates.
# If you *do* uncomment it, you will need to make sure that all the templates
# below are in the directory.
#
# Synapse will look for the following templates in this directory:
#
# * The contents of email notifications of missed events: 'notif_mail.html' and
# 'notif_mail.txt'.
#
# * The contents of account expiry notice emails: 'notice_expiry.html' and
# 'notice_expiry.txt'.
#
# * The contents of password reset emails sent by the homeserver:
# 'password_reset.html' and 'password_reset.txt'
#
# * HTML pages for success and failure that a user will see when they follow
# the link in the password reset email: 'password_reset_success.html' and
# 'password_reset_failure.html'
#
# * The contents of address verification emails sent during registration:
# 'registration.html' and 'registration.txt'
#
# * HTML pages for success and failure that a user will see when they follow
# the link in an address verification email sent during registration:
# 'registration_success.html' and 'registration_failure.html'
#
# * The contents of address verification emails sent when an address is added
# to a Matrix account: 'add_threepid.html' and 'add_threepid.txt'
#
# * HTML pages for success and failure that a user will see when they follow
# the link in an address verification email sent when an address is added
# to a Matrix account: 'add_threepid_success.html' and
# 'add_threepid_failure.html'
#
# You can see the default templates at:
# https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
#
#template_dir: "res/templates"
notif_template_html: notif_mail.html
notif_template_text: notif_mail.txt
expiry_template_html: notice_expiry.html
expiry_template_text: notice_expiry.txt
{% endif %}
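Review bot: `smtp_user` / `smtp_pass` stay commented out and the defaults hunk adds no `matrix_synapse_email_smtp_user`/`matrix_synapse_email_smtp_pass` variables, so operators whose relay requires authentication have no supported way to configure it; since every other setting in this block is driven by a `matrix_synapse_email_*` variable, these two deserve the same treatment, emitted only when non-empty. Also worth a sentence in the defaults comment: with `matrix_synapse_email_smtp_require_transport_security: false` Synapse falls back to plaintext when the relay does not offer STARTTLS, as the comment above `require_transport_security` explains, so operators relaying to an external SMTP host should set it to true.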

View file

@ -10,6 +10,7 @@
- matrix-corporal
- matrix-bridge-appservice-discord
- matrix-bridge-appservice-slack
- matrix-bridge-appservice-webhooks
- matrix-bridge-appservice-irc
- matrix-bridge-mautrix-facebook
- matrix-bridge-mautrix-hangouts