diff --git a/CHANGELOG.md b/CHANGELOG.md index 8848df0b..2f5f62f4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,38 @@ +# 2020-01-30 + +## Disabling TLSv1.1 + +To improve security, we've removed TLSv1.1 support from our default matrix-nginx-proxy configuration. + +If you need to support old clients, you can re-enable it with the following configuration: `matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3"` + + +# 2020-01-21 + +## Postgres collation changes (action required!) + +By default, we've been using a UTF-8 collation for Postgres. This is known to cause Synapse some troubles (see the [relevant issue](https://github.com/matrix-org/synapse/issues/6722)) on systems that use [glibc](https://www.gnu.org/software/libc/). We run Postgres in an [Alpine Linux](https://alpinelinux.org/) container (which uses [musl](https://www.musl-libc.org/), and not glibc), so our users are likely not affected by the index corruption problem observed by others. + +Still, we might become affected in the future. In any case, it's imminent that Synapse will complain about databases which do not use a C collation. + +To avoid future problems, we recommend that you run the following command: + +``` +ansible-playbook -i inventory/hosts setup.yml --tags=upgrade-postgres --extra-vars='{"postgres_force_upgrade": true}' +``` + +It forces a [Postgres database upgrade](docs/maintenance-postgres.md#upgrading-postgresql), which would recreate your Postgres database using the proper (`C`) collation. If you are low on disk space, or run into trouble, refer to the Postgres database upgrade documentation page. + + +# 2020-01-14 + +## Added support for Appservice Webhooks + +Thanks to a contribution from [Björn Marten](https://github.com/tripleawwy) from [netresearch](https://www.netresearch.de/), the playbook can now install and configure [matrix-appservice-webhooks](https://github.com/turt2live/matrix-appservice-webhooks) for you. This bridge provides support for Slack-compatible webhooks. 
+ +Learn more in [Setting up Appservice Webhooks](docs/configuring-playbook-bridge-appservice-webhooks.md). + + # 2020-01-12 ## Added support for automatic Double Puppeting for all Mautrix bridges diff --git a/README.md b/README.md index e228519b..bf6398cd 100644 --- a/README.md +++ b/README.md @@ -44,12 +44,14 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [mautrix-hangouts](https://github.com/tulir/mautrix-hangouts) bridge for bridging your Matrix server to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) -- (optional) the [matrix-appservice-irc](https://github.com/TeDomum/matrix-appservice-irc) bridge for bridging your Matrix server to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) +- (optional) the [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) bridge for bridging your Matrix server to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) - (optional) the [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) bridge for bridging your Matrix server to [Discord](https://discordapp.com/) - (optional) the [matrix-appservice-slack](https://github.com/matrix-org/matrix-appservice-slack) bridge for bridging your Matrix server to [Slack](https://slack.com/) +- (optional) the [matrix-appservice-webhooks](https://github.com/turt2live/matrix-appservice-webhooks) bridge for slack compatible webhooks ([ConcourseCI](https://concourse-ci.org/), [Slack](https://slack.com/) etc. pp.) + - (optional) [Email2Matrix](https://github.com/devture/email2matrix) for relaying email messages to Matrix rooms - (optional) [Dimension](https://github.com/turt2live/matrix-dimension), an open source integrations manager for matrix clients 
@@ -132,12 +134,14 @@ This playbook sets up your server using the following Docker images: - [tulir/mautrix-hangouts](https://hub.docker.com/r/tulir/mautrix-hangouts/) - the [mautrix-hangouts](https://github.com/tulir/mautrix-hangouts) bridge to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) (optional) -- [tedomum/matrix-appservice-irc](https://hub.docker.com/r/tedomum/matrix-appservice-irc/) - the [matrix-appservice-irc](https://github.com/TeDomum/matrix-appservice-irc) bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) (optional) +- [matrixdotorg/matrix-appservice-irc](https://hub.docker.com/r/matrixdotorg/matrix-appservice-irc) - the [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) (optional) - [halfshot/matrix-appservice-discord](https://hub.docker.com/r/halfshot/matrix-appservice-discord) - the [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) bridge to [Discord](https://discordapp.com/) (optional) - [cadair/matrix-appservice-slack](https://hub.docker.com/r/cadair/matrix-appservice-slack) - the [matrix-appservice-slack](https://github.com/matrix-org/matrix-appservice-slack) bridge to [Slack](https://slack.com/) (optional) +- [turt2live/matrix-appservice-webhooks](https://hub.docker.com/r/turt2live/matrix-appservice-webhooks) - the [Appservice Webhooks](https://github.com/turt2live/matrix-appservice-webhooks) bridge (optional) + - [turt2live/matrix-dimension](https://hub.docker.com/r/turt2live/matrix-dimension) - the [Dimension](https://dimension.t2bot.io/) integrations manager (optional) diff --git a/docs/ansible.md b/docs/ansible.md index f58241a1..e098c8a4 100644 --- a/docs/ansible.md +++ b/docs/ansible.md 
@@ -9,9 +9,7 @@ If your local computer cannot run Ansible, you can also run Ansible on some serv ## Supported Ansible versions -Ansible 2.5 or newer is required. - -If you're on Ansible 2.5.x, due to bugs in Ansible 2.5.0 and 2.5.1, at least Ansible 2.5.2 is required. +Ansible 2.5.2 or newer is required. ## Checking your Ansible version @@ -28,7 +26,7 @@ If you're on an old version of Ansible, you should [upgrade Ansible to a newer v Depending on your distribution, you may be able to upgrade Ansible in a few different ways: -- by using an additional repository (PPA, etc.), which provides newer Ansible versions +- by using an additional repository (PPA, etc.), which provides newer Ansible versions. See instructions for [CentOS](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-ansible-on-rhel-centos-or-fedora), [Debian](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-ansible-on-debian), or [Ubuntu](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-ansible-on-ubuntu) on the Ansible website. - by removing the Ansible package (`yum remove ansible` or `apt-get remove ansible`) and installing via [pip](https://pip.pypa.io/en/stable/installing/) (`pip install ansible`). diff --git a/docs/configuring-playbook-bridge-appservice-irc.md b/docs/configuring-playbook-bridge-appservice-irc.md index f66c9631..a9403cb5 100644 --- a/docs/configuring-playbook-bridge-appservice-irc.md +++ b/docs/configuring-playbook-bridge-appservice-irc.md 
@@ -1,8 +1,8 @@ # Setting up Appservice IRC (optional) -The playbook can install and configure [matrix-appservice-irc](https://github.com/TeDomum/matrix-appservice-irc) for you. +The playbook can install and configure [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) for you. -See the project's [documentation](https://github.com/TeDomum/matrix-appservice-irc/blob/master/HOWTO.md) to learn what it does and why it might be useful to you. +See the project's [documentation](https://github.com/matrix-org/matrix-appservice-irc/blob/master/HOWTO.md) to learn what it does and why it might be useful to you. You'll need to use the following playbook configuration: diff --git a/docs/configuring-playbook-bridge-appservice-webhooks.md b/docs/configuring-playbook-bridge-appservice-webhooks.md new file mode 100644 index 00000000..4e56d8e4 --- /dev/null +++ b/docs/configuring-playbook-bridge-appservice-webhooks.md 
@@ -0,0 +1,61 @@ +# Setting up Appservice Webhooks (optional) + +The playbook can install and configure [matrix-appservice-webhooks](https://github.com/turt2live/matrix-appservice-webhooks) for you. + +This bridge provides support for Slack-compatible webhooks. + +Setup Instructions: + +loosely based on [this](https://github.com/turt2live/matrix-appservice-webhooks/blob/master/README.md) + +1. All you basically need is to adjust your `inventory/host_vars/matrix./vars.yml`: + +```yaml +matrix_appservice_webhooks_enabled: true +matrix_appservice_webhooks_api_secret: '' +``` + +2. In case you want to change the verbosity of logging via `journalctl -fu matrix-appservice-webhooks.service` +you can adjust this in `inventory/host_vars/matrix./vars.yml` as well. + +*Note*: default value is: `info` and availabe log levels are : `info`, `verbose` + +```yaml +matrix_appservice_webhooks_log_level: '' +``` + +3. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready. + +4. Invite the bridge bot user to your room: + + - either with `/invite @_webhook:` (*Note*: Make sure you have administration permissions in your room) + + - or simply add the bridge bot to a private channel (personal channels imply you being an administrator) + +5. Send a message to the bridge bot in order to receive a private message including the webhook link. +``` +!webhook +``` + +6. 
The JSON body for posting messages will have to look like this: +```json +{ + "text": "Hello world!", + "format": "plain", + "displayName": "My Cool Webhook", + "avatarUrl": "http://i.imgur.com/IDOBtEJ.png" +} +``` + +You can test this via curl like so: + +``` +curl --header "Content-Type: application/json" \ +--data '{ +"text": "Hello world!", +"format": "plain", +"displayName": "My Cool Webhook", +"avatarUrl": "http://i.imgur.com/IDOBtEJ.png" +}' \ + +``` diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index bb958cd7..d686c947 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -52,7 +52,7 @@ Note that if your nginx version is old, it might not like our default choice of ```yaml # Custom protocol list (removing `TLSv1.3`) to suit your nginx version. -matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2" +matrix_nginx_proxy_ssl_protocols: "TLSv1.2" ``` diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 5b605cbf..4d84fac3 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -93,4 +93,6 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Appservice Slack bridging](configuring-playbook-bridge-appservice-slack.md) (optional) +- [Setting up Appservice Webhooks bridging](configuring-playbook-bridge-appservice-webhooks.md) (optional) + - [Setting up Email2Matrix](configuring-playbook-email2matrix.md) (optional) diff --git a/docs/installing.md b/docs/installing.md index 78bd1be1..1e3ebf54 100644 --- a/docs/installing.md +++ b/docs/installing.md 
@@ -8,9 +8,11 @@ Run this as-is to set up a server: ansible-playbook -i inventory/hosts setup.yml --tags=setup-all ``` -This **doesn't start any services just yet** (another step does this later - below). +**Note**: if you don't use SSH keys for authentication, but rather a regular password, you may need to add `--ask-pass` to the above (and all other) Ansible commands. -Feel free to **re-run this any time** you think something is off with the server configuration. +The above command **doesn't start any services just yet** (another step does this later - below). + +Feel free to **re-run this setup command any time** you think something is off with the server configuration. ## Things you might want to do after installing diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md index a62b4994..da62509b 100644 --- a/docs/maintenance-postgres.md +++ b/docs/maintenance-postgres.md @@ -42,7 +42,7 @@ docker run \ --rm \ --network=matrix \ --env-file=/matrix/postgres/env-postgres-psql \ -postgres:12.0-alpine \ +postgres:12.1-alpine \ pg_dumpall -h matrix-postgres \ | gzip -c \ > /postgres.sql.gz diff --git a/docs/registering-users.md b/docs/registering-users.md index 50dd92a9..cf0ede41 100644 --- a/docs/registering-users.md +++ b/docs/registering-users.md @@ -24,11 +24,14 @@ If you've just installed Matrix, **to finalize the installation process**, it's ----- -The script `/usr/local/bin/matrix-make-user-admin` may be used to upgrade a user's privileges: + +## Adding/Removing Administrator privileges to an existing user. + +The script `/usr/local/bin/matrix-change-user-admin-status` may be used to change a user's admin privileges. * log on to your server with ssh -* execute with the username: +* execute with the username and 0/1 (0 = non-admin | 1 = admin) ``` -/usr/local/bin/matrix-make-user-admin +/usr/local/bin/matrix-change-user-admin-status <0/1> ``` 
diff --git a/docs/updating-users-passwords.md b/docs/updating-users-passwords.md index 838e2000..f2fac643 100644 --- a/docs/updating-users-passwords.md +++ b/docs/updating-users-passwords.md @@ -34,7 +34,9 @@ where `` is the hash returned by the docker command above. Use the Synapse User Admin API as described here: https://github.com/matrix-org/synapse/blob/master/docs/admin_api/user_admin_api.rst#reset-password -This requires an access token from a server admin account. If you didn't make your account a server admin when you created it, you can use the `/usr/local/bin/matrix-make-user-admin` script as described in [registering-users.md](registering-users.md). Note this method will also log the user out of all of their clients while the other options do not. +This requires an access token from a server admin account. *This method will also log the user out of all of their clients while the other options do not.* + +If you didn't make your account a server admin when you created it, you can use the `/usr/local/bin/matrix-change-user-admin-status` script as described in [registering-users.md](registering-users.md). ### Example: To set @user:domain.com's password to `correct_horse_battery_staple` you could use this curl command: diff --git a/examples/apache/matrix-dimension.conf b/examples/apache/matrix-dimension.conf index 9078cd87..f334690e 100644 --- a/examples/apache/matrix-dimension.conf +++ b/examples/apache/matrix-dimension.conf @@ -26,7 +26,7 @@ SSLCertificateKeyFile /matrix/ssl/config/live/dimension.DOMAIN/privkey.pem SSLProxyEngine on - SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3 + SSLProxyProtocol +TLSv1.2 +TLSv1.3 SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH ProxyPreserveHost On diff --git a/examples/apache/matrix-riot-web.conf b/examples/apache/matrix-riot-web.conf index 85769785..0860a048 100644 --- a/examples/apache/matrix-riot-web.conf +++ b/examples/apache/matrix-riot-web.conf 
@@ -26,7 +26,7 @@ SSLCertificateKeyFile /matrix/ssl/config/live/riot.DOMAIN/privkey.pem SSLProxyEngine on - SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3 + SSLProxyProtocol +TLSv1.2 +TLSv1.3 SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH ProxyPreserveHost On diff --git a/examples/apache/matrix-synapse.conf b/examples/apache/matrix-synapse.conf index f3f85d31..3e09121f 100644 --- a/examples/apache/matrix-synapse.conf +++ b/examples/apache/matrix-synapse.conf @@ -26,7 +26,7 @@ SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem SSLProxyEngine on - SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3 + SSLProxyProtocol +TLSv1.2 +TLSv1.3 SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH ProxyPreserveHost On @@ -103,7 +103,7 @@ Listen 8448 SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem SSLProxyEngine on - SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3 + SSLProxyProtocol +TLSv1.2 +TLSv1.3 SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH ProxyPreserveHost On diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 61c9fe69..1c7ac23f 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -60,6 +60,40 @@ matrix_appservice_discord_homeserver_token: "{{ matrix_synapse_macaroon_secret_k ###################################################################### +###################################################################### +# +# matrix-appservice-webhooks +# +###################################################################### + +# We don't enable bridges by default. +matrix_appservice_webhooks_enabled: false + +# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-webhooks over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# matrix-appservice-webhooks' client-server port to the local host. +matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:{{ matrix_appservice_webhooks_webhooks_port }}' }}" + +matrix_appservice_webhooks_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.as.token') | to_uuid }}" + +matrix_appservice_webhooks_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.hs.token') | to_uuid }}" + +matrix_appservice_webhooks_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.id.token') | to_uuid }}" + +matrix_appservice_webhooks_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + }} + +###################################################################### +# +# /matrix-appservice-webhooks +# +###################################################################### + + ###################################################################### # # matrix-appservice-slack 
@@ -74,11 +108,11 @@ matrix_appservice_slack_enabled: false # matrix-appservice-slack's client-server port to the local host. matrix_appservice_slack_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:{{ matrix_appservice_slack_slack_port }}' }}" -matrix_appservice_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack-appservice-token') | to_uuid }}" +matrix_appservice_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.as.token') | to_uuid }}" -matrix_appservice_slack_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack-homeserver-token') | to_uuid }}" +matrix_appservice_slack_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.hs.token') | to_uuid }}" -matrix_appservice_slack_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack-id-token') | to_uuid }}" +matrix_appservice_slack_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.id.token') | to_uuid }}" matrix_appservice_slack_systemd_required_services_list: | {{ @@ -604,7 +638,6 @@ matrix_synapse_email_smtp_host: "matrix-mailer" matrix_synapse_email_smtp_port: 8025 matrix_synapse_email_smtp_require_transport_security: false matrix_synapse_email_notif_from: "Matrix <{{ matrix_mailer_sender_address }}>" -matrix_synapse_email_riot_base_url: "https://{{ matrix_server_fqn_riot }}" # Even if TURN doesn't support TLS (it does by default), # it doesn't hurt to try a secure connection anyway. diff --git a/roles/matrix-base/tasks/server_base/setup_debian.yml b/roles/matrix-base/tasks/server_base/setup_debian.yml index 3a9192f0..c8325324 100644 --- a/roles/matrix-base/tasks/server_base/setup_debian.yml +++ b/roles/matrix-base/tasks/server_base/setup_debian.yml 
@@ -28,7 +28,7 @@ apt: name: - bash-completion - - python-docker + - "python{{'3' if ansible_python.version.major == 3 else ''}}-docker" - ntp - fuse state: latest diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index 354e5fdb..a9b04872 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -3,7 +3,7 @@ matrix_appservice_irc_enabled: true -matrix_appservice_irc_docker_image: "tedomum/matrix-appservice-irc:latest" +matrix_appservice_irc_docker_image: "matrixdotorg/matrix-appservice-irc:release-0.14.1" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc" @@ -377,11 +377,6 @@ matrix_appservice_irc_configuration_yaml: | enablePresence: {{ matrix_appservice_irc_homeserver_enablePresence|to_json }} ircService: - # The nedb database URI to connect to. This is the name of the directory to - # dump .db files to. This is relative to the project directory. - # Required. - databaseUri: "nedb:///data" - # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in # the database. 
@@ -474,6 +469,15 @@ matrix_appservice_irc_configuration_yaml: | # enough for the vast majority of use cases. maxHttpSockets: 1000 + # Use an external database to store bridge state. + database: + # database engine (must be 'postgres' or 'nedb'). Default: nedb + engine: "nedb" + # Either a PostgreSQL connection string, or a path to the NeDB storage directory. + # For postgres, it must start with postgres:// + # For NeDB, it must start with nedb://. The path is relative to the project directory. + connectionString: "nedb:///data" + matrix_appservice_irc_configuration_extension_yaml: | # Your custom YAML configuration for Appservice IRC servers goes here. # This configuration extends the default starting configuration (`matrix_appservice_irc_configuration_yaml`). diff --git a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml index f3340094..e2c2c2b6 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml @@ -98,13 +98,15 @@ --cap-drop=ALL -v {{ matrix_appservice_irc_config_path }}:/config:z -v {{ matrix_appservice_irc_data_path }}:/data:z + --entrypoint=/bin/bash {{ matrix_appservice_irc_docker_image }} - node app.js + -c + 'node app.js -r -f /config/registration-template.yaml -u "http://matrix-appservice-irc:9999" -c /config/config.yaml - -l irc_bot + -l irc_bot' changed_when: false - name: Read Appservice IRC registration-template.yaml diff --git a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 index 596a6005..53e5b8e3 100644 --- a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 +++ b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 
@@ -30,8 +30,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-appservice-irc \ {% for arg in matrix_appservice_irc_container_extra_arguments %} {{ arg }} \ {% endfor %} + --entrypoint=/bin/bash \ {{ matrix_appservice_irc_docker_image }} \ - -c /config/config.yaml -f /config/registration.yaml -p 9999 + -c 'node app.js -c /config/config.yaml -f /config/registration.yaml -p 9999' ExecStop=-/usr/bin/docker kill matrix-appservice-irc ExecStop=-/usr/bin/docker rm matrix-appservice-irc diff --git a/roles/matrix-bridge-appservice-slack/defaults/main.yml b/roles/matrix-bridge-appservice-slack/defaults/main.yml index 5c6f5e34..58babbc3 100644 --- a/roles/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml @@ -3,7 +3,7 @@ matrix_appservice_slack_enabled: true -matrix_appservice_slack_docker_image: "matrixdotorg/matrix-appservice-slack:release-1.0.2" +matrix_appservice_slack_docker_image: "cadair/matrix-appservice-slack:latest" matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}" matrix_appservice_slack_base_path: "{{ matrix_base_data_path }}/appservice-slack" 
@@ -51,24 +51,6 @@ matrix_appservice_slack_configuration_yaml: | bot_username: "{{ matrix_appservice_slack_bot_name }}" username_prefix: {{ matrix_appservice_slack_user_prefix }} - # Optional if slack_hook_port and inbound_uri_prefix are defined, required otherwise. - rtm: - # Use the RTM API to listen for requests, which does not require - # the bridge to listen on the hook port. - # You should leave this enabled, unless you plan to use the - # bridge exclusively for webhooks. - enable: true - logging: "silent" # Logging level specific to RTM traffic. - # A prefix similar to inbound_uri_prefix for oauth2 requests. inbound_uri_prefix will be used if this is not set - # Optional - # redirect_prefix: "https://my.server.here:9898/mycustomoauthendpoint" - - # Allow users to add channels dynamically by using oauth, or puppet themselves. - # Optional - oauth2: - client_id: "" - client_secret: "" - homeserver: media_url: "{{ matrix_appservice_slack_homeserver_media_url }}" url: "{{ matrix_appservice_slack_homeserver_url }}" diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml new file mode 100644 index 00000000..09daa22b --- /dev/null +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml 
@@ -0,0 +1,105 @@ +# matrix-appservice-webhooks is a Matrix <-> webhook bridge +# See: https://github.com/turt2live/matrix-appservice-webhooks + +matrix_appservice_webhooks_enabled: true + +matrix_appservice_webhooks_docker_image: "turt2live/matrix-appservice-webhooks:latest" +matrix_appservice_webhooks_docker_image_force_pull: "{{ matrix_appservice_webhooks_docker_image.endswith(':latest') }}" + +matrix_appservice_webhooks_base_path: "{{ matrix_base_data_path }}/appservice-webhooks" +matrix_appservice_webhooks_config_path: "{{ matrix_appservice_webhooks_base_path }}/config" +matrix_appservice_webhooks_data_path: "{{ matrix_appservice_webhooks_base_path }}/data" + +# If nginx-proxy is disabled, the bridge itself expects its endpoint to be on its own domain (e.g. "localhost:6789") +matrix_appservice_webhooks_public_endpoint: /appservice-webhooks +matrix_appservice_webhooks_inbound_uri_prefix: "{{ matrix_homeserver_url }}{{ matrix_appservice_webhooks_public_endpoint }}" + +# Once you make a control room in Matrix, you can get its ID by typing any message and checking its source +matrix_appservice_webhooks_control_room_id: '' +matrix_appservice_webhooks_bot_name: 'webhookbot' +matrix_appservice_webhooks_user_prefix: '_webhook' + +# Controls the webhooks_PORT and MATRIX_PORT of the installation +matrix_appservice_webhooks_matrix_port: 6789 +matrix_appservice_webhooks_webhooks_port: 6788 + +# Controls whether the appservice-webhooks container exposes its HTTP port (tcp/6788 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:9999"), or empty string to not expose. 
+matrix_appservice_webhooks_container_http_host_bind_port: '' + +matrix_appservice_webhooks_homeserver_media_url: "matrix.{{ matrix_domain }}" +matrix_appservice_webhooks_homeserver_url: "http://matrix-synapse:8008" +matrix_appservice_webhooks_homeserver_domain: "{{ matrix_domain }}" +matrix_appservice_webhooks_appservice_url: 'http://matrix-appservice-webhooks' + +# A list of extra arguments to pass to the container +matrix_appservice_webhooks_container_extra_arguments: [] + +# List of systemd services that matrix-appservice-webhooks.service depends on. +matrix_appservice_webhooks_systemd_required_services_list: ['docker.service', 'matrix-synapse.service'] + +# List of systemd services that matrix-appservice-webhooks.service wants +matrix_appservice_webhooks_systemd_wanted_services_list: [] + +matrix_appservice_webhooks_appservice_token: '' +matrix_appservice_webhooks_homeserver_token: '' +matrix_appservice_webhooks_id_token: '' +matrix_appservice_webhooks_api_secret: '' + +# Logging information (info and verbose is available) default is: info +matrix_appservice_webhooks_log_level: 'info' + +matrix_appservice_webhooks_configuration_yaml: | + + # Configuration specific to the application service. All fields (unless otherwise marked) are required. + homeserver: + # The domain for the client-server API calls. + url: "{{ matrix_appservice_webhooks_homeserver_url }}" + + # The domain part for user IDs on this home server. Usually, but not always, this is the same as the + # home server's URL. + domain: "{{ matrix_domain }}" + + # Configuration specific to the bridge. All fields (unless otherwise marked) are required. + webhookBot: + # The localpart to use for the bot. May require re-registering the application service. + localpart: "_webhook" + + # Provisioning API options + provisioning: + # Your secret for the API. Required for all provisioning API requests. 
+ secret: '{{ matrix_appservice_webhooks_api_secret }}' + + # Configuration related to the web portion of the bridge. Handles the inbound webhooks + web: + hookUrlBase: "{{ matrix_appservice_webhooks_inbound_uri_prefix }}" + + logging: + console: true + consoleLevel: {{ matrix_appservice_webhooks_log_level }} + writeFiles: false + +matrix_appservice_webhooks_configuration_extension_yaml: | + # + +matrix_appservice_webhooks_configuration_extension: "{{ matrix_appservice_webhooks_configuration_extension_yaml|from_yaml if matrix_appservice_webhooks_configuration_extension_yaml|from_yaml else {} }}" + +matrix_appservice_webhooks_configuration: "{{ matrix_appservice_webhooks_configuration_yaml|from_yaml|combine(matrix_appservice_webhooks_configuration_extension, recursive=True) }}" + +matrix_appservice_webhooks_registration_yaml: | + id: "{{ matrix_appservice_webhooks_id_token }}" + hs_token: "{{ matrix_appservice_webhooks_homeserver_token }}" + as_token: "{{ matrix_appservice_webhooks_appservice_token }}" + namespaces: + users: + - exclusive: true + regex: '^@{{ matrix_appservice_webhooks_user_prefix | regex_escape }}.*:{{ matrix_domain | regex_escape }}$' + aliases: [] + rooms: [] + url: "{{ matrix_appservice_webhooks_appservice_url }}:{{ matrix_appservice_webhooks_matrix_port }}" + sender_localpart: _webhook + rate_limited: false + protocols: null + +matrix_appservice_webhooks_registration: "{{ matrix_appservice_webhooks_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-appservice-webhooks/tasks/init.yml b/roles/matrix-bridge-appservice-webhooks/tasks/init.yml new file mode 100644 index 00000000..bc275f78 --- /dev/null +++ b/roles/matrix-bridge-appservice-webhooks/tasks/init.yml 
@@ -0,0 +1,78 @@ +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-bridge-appservice-webhooks role needs to execute before the matrix-synapse role. + when: "matrix_synapse_role_executed|default(False)" + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-webhooks'] }}" + when: matrix_appservice_webhooks_enabled|bool + +# If the matrix-synapse role is not used, these variables may not exist. +- set_fact: + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_appservice_webhooks_config_path }}/webhooks-registration.yaml,dst=/matrix-appservice-webhooks-registration.yaml,ro"] + + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files|default([]) }} + + + {{ ["/matrix-appservice-webhooks-registration.yaml"] }} + when: matrix_appservice_webhooks_enabled|bool + +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-bridge-appservice-webhooks role needs to execute before the matrix-synapse role. + when: "matrix_synapse_role_executed|default(False)" + +- block: + - name: Fail if matrix-nginx-proxy role already executed + fail: + msg: >- + Trying to append webhooks Appservice's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your plabook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-appservice-webhooks role. 
+ when: matrix_nginx_proxy_role_executed|default(False)|bool + + - name: Generate Matrix Appservice webhooks proxying configuration for matrix-nginx-proxy + set_fact: + matrix_appservice_webhooks_matrix_nginx_proxy_configuration: | + location {{ matrix_appservice_webhooks_public_endpoint }}/ { + {% if matrix_nginx_proxy_enabled|default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + proxy_pass {{ matrix_appservice_webhooks_appservice_url }}:{{ matrix_appservice_webhooks_matrix_port }}/; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_appservice_webhooks_matrix_port }}/; + {% endif %} + } + + - name: Register webhooks Appservice proxying configuration with matrix-nginx-proxy + set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks|default([]) + + + [matrix_appservice_webhooks_matrix_nginx_proxy_configuration] + }} + tags: + - always + when: matrix_appservice_webhooks_enabled|bool + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + debug: + msg: >- + NOTE: You've enabled the Matrix webhooks bridge but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_appservice_webhooks_public_endpoint }}` + URL endpoint to the matrix-appservice-webhooks container. + You can expose the container's port using the `matrix_appservice_webhooks_container_http_host_bind_port` variable. + when: "matrix_appservice_webhooks_enabled|bool and matrix_nginx_proxy_enabled is not defined" diff --git a/roles/matrix-bridge-appservice-webhooks/tasks/main.yml b/roles/matrix-bridge-appservice-webhooks/tasks/main.yml new file mode 100644 index 00000000..216905f3 --- /dev/null +++ b/roles/matrix-bridge-appservice-webhooks/tasks/main.yml 
@@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_appservice_webhooks_enabled|bool" + tags: + - setup-all + - setup-appservice-webhooks + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_appservice_webhooks_enabled|bool" + tags: + - setup-all + - setup-appservice-webhooks + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_appservice_webhooks_enabled|bool" + tags: + - setup-all + - setup-appservice-webhooks diff --git a/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml b/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml new file mode 100644 index 00000000..94b4ef0c --- /dev/null +++ b/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml 
@@ -0,0 +1,64 @@ +--- + +- name: Ensure Appservice webhooks image is pulled + docker_image: + name: "{{ matrix_appservice_webhooks_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_appservice_webhooks_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_webhooks_docker_image_force_pull }}" + +- name: Ensure AppService webhooks paths exist + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - "{{ matrix_appservice_webhooks_base_path }}" + - "{{ matrix_appservice_webhooks_config_path }}" + - "{{ matrix_appservice_webhooks_data_path }}" + +- name: Ensure Matrix Appservice webhooks config is installed + copy: + content: "{{ matrix_appservice_webhooks_configuration|to_nice_yaml }}" + dest: "{{ matrix_appservice_webhooks_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + +- name: Ensure Matrix Appservice webhooks schema.yml template exists + template: + src: "{{ role_path }}/templates/schema.yml.j2" + dest: "{{ matrix_appservice_webhooks_config_path }}/schema.yml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + +- name: Ensure Matrix Appservice webhooks database.json template exists + template: + src: "{{ role_path }}/templates/database.json.j2" + dest: "{{ matrix_appservice_webhooks_data_path }}/database.json" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + +- name: Ensure appservice-webhooks registration.yaml installed + copy: + content: "{{ matrix_appservice_webhooks_registration|to_nice_yaml }}" + dest: "{{ matrix_appservice_webhooks_config_path }}/webhooks-registration.yaml" + mode: 0644 + 
owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + +- name: Ensure matrix-appservice-webhooks.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-appservice-webhooks.service.j2" + dest: "/etc/systemd/system/matrix-appservice-webhooks.service" + mode: 0644 + register: matrix_appservice_webhooks_systemd_service_result + +- name: Ensure systemd reloaded after matrix-appservice-webhooks.service installation + service: + daemon_reload: yes + when: "matrix_appservice_webhooks_systemd_service_result.changed" diff --git a/roles/matrix-bridge-appservice-webhooks/tasks/setup_uninstall.yml b/roles/matrix-bridge-appservice-webhooks/tasks/setup_uninstall.yml new file mode 100644 index 00000000..605b2525 --- /dev/null +++ b/roles/matrix-bridge-appservice-webhooks/tasks/setup_uninstall.yml @@ -0,0 +1,24 @@ +--- + +- name: Check existence of matrix-appservice-webhooks service + stat: + path: "/etc/systemd/system/matrix-appservice-webhooks.service" + register: matrix_appservice_webhooks_service_stat + +- name: Ensure matrix-appservice-webhooks is stopped + service: + name: matrix-appservice-webhooks + state: stopped + daemon_reload: yes + when: "matrix_appservice_webhooks_service_stat.stat.exists" + +- name: Ensure matrix-appservice-webhooks.service doesn't exist + file: + path: "/etc/systemd/system/matrix-appservice-webhooks.service" + state: absent + when: "matrix_appservice_webhooks_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-appservice-webhooks.service removal + service: + daemon_reload: yes + when: "matrix_appservice_webhooks_service_stat.stat.exists" diff --git a/roles/matrix-bridge-appservice-webhooks/tasks/validate_config.yml b/roles/matrix-bridge-appservice-webhooks/tasks/validate_config.yml new file mode 100644 index 00000000..b92a0eb9 --- /dev/null +++ b/roles/matrix-bridge-appservice-webhooks/tasks/validate_config.yml 
@@ -0,0 +1,12 @@ +--- + +- name: Fail if required settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_appservice_webhooks_appservice_token" + - "matrix_appservice_webhooks_homeserver_token" + - "matrix_appservice_webhooks_id_token" + - "matrix_appservice_webhooks_api_secret" diff --git a/roles/matrix-bridge-appservice-webhooks/templates/database.json.j2 b/roles/matrix-bridge-appservice-webhooks/templates/database.json.j2 new file mode 100644 index 00000000..e70f1d83 --- /dev/null +++ b/roles/matrix-bridge-appservice-webhooks/templates/database.json.j2 @@ -0,0 +1,13 @@ +{ + "defaultEnv": { + "ENV": "NODE_ENV" + }, + "development": { + "driver": "sqlite3", + "filename": "/data/development.db" + }, + "production": { + "driver": "sqlite3", + "filename": "/data/production.db" + } +} diff --git a/roles/matrix-bridge-appservice-webhooks/templates/schema.yml.j2 b/roles/matrix-bridge-appservice-webhooks/templates/schema.yml.j2 new file mode 100644 index 00000000..e999555d --- /dev/null +++ b/roles/matrix-bridge-appservice-webhooks/templates/schema.yml.j2 
@@ -0,0 +1,54 @@ +"$schema": "http://json-schema.org/draft-04/schema#" +type: "object" +properties: + provisioning: + type: "object" + properties: + secret: + type: "string" + homeserver: + type: "object" + properties: + domain: + type: "string" + url: + type: "string" + mediaUrl: + type: "string" + web: + type: "object" + properties: + hookUrlBase: + type: "string" + webhookBot: + type: "object" + properties: + localpart: + type: "string" + appearance: + type: "object" + properties: + displayName: + type: "string" + avatarUrl: + type: "string" + logging: + type: "object" + properties: + file: + type: "string" + console: + type: "boolean" + consoleLevel: + type: "string" + fileLevel: + type: "string" + writeFiles: + type: "boolean" + rotate: + type: "object" + properties: + size: + type: "number" + count: + type: "number" diff --git a/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 b/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 new file mode 100644 index 00000000..cde798df --- /dev/null +++ b/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 
@@ -0,0 +1,43 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Appservice webhooks server +{% for service in matrix_appservice_webhooks_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_appservice_webhooks_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-appservice-webhooks +ExecStartPre=-/usr/bin/docker rm matrix-appservice-webhooks + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre=/bin/sleep 5 + +ExecStart=/usr/bin/docker run --rm --name matrix-appservice-webhooks \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + {% if matrix_appservice_webhooks_container_http_host_bind_port %} + -p {{ matrix_appservice_webhooks_container_http_host_bind_port }}:{{matrix_appservice_webhooks_matrix_port}} \ + {% endif %} + -v {{ matrix_appservice_webhooks_config_path }}:/config:z \ + -v {{ matrix_appservice_webhooks_data_path }}:/data:z \ + {% for arg in matrix_appservice_webhooks_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_appservice_webhooks_docker_image }} \ + node index.js -p {{ matrix_appservice_webhooks_matrix_port }} -c /config/config.yaml -f /config/webhooks-registration.yaml + +ExecStop=-/usr/bin/docker kill matrix-appservice-webhooks +ExecStop=-/usr/bin/docker rm matrix-appservice-webhooks +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-appservice-webhooks + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index 065030da..6cfa3abb 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml 
@@ -4,7 +4,7 @@ matrix_mautrix_telegram_enabled: true # See: https://mau.dev/tulir/mautrix-telegram/container_registry -matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.6.1" +matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.7.0" matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}" matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram" diff --git a/roles/matrix-corporal/tasks/self_check_corporal.yml b/roles/matrix-corporal/tasks/self_check_corporal.yml index 03e91d8d..d1561757 100644 --- a/roles/matrix-corporal/tasks/self_check_corporal.yml +++ b/roles/matrix-corporal/tasks/self_check_corporal.yml @@ -6,7 +6,7 @@ - name: Check Matrix Corporal HTTP gateway uri: url: "{{ corporal_client_api_url_endpoint_public }}" - follow_redirects: false + follow_redirects: none return_content: true register: result_corporal_client_api ignore_errors: true diff --git a/roles/matrix-mxisd/tasks/self_check_mxisd.yml b/roles/matrix-mxisd/tasks/self_check_mxisd.yml index 26dccb76..137907bb 100644 --- a/roles/matrix-mxisd/tasks/self_check_mxisd.yml +++ b/roles/matrix-mxisd/tasks/self_check_mxisd.yml @@ -6,7 +6,7 @@ - name: Check mxisd Identity Service uri: url: "{{ mxisd_url_endpoint_public }}" - follow_redirects: false + follow_redirects: none validate_certs: "{{ matrix_mxisd_self_check_validate_certificates }}" register: result_mxisd ignore_errors: true diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index d6388a98..8eefe210 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml 
@@ -152,15 +152,27 @@ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_s # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}" -# A list of strings containing additional configuration blocks to add to the matrix domain's server configuration. +# A list of strings containing additional configuration blocks to add to the nginx http's server configuration. +matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: [] + +# A list of strings containing additional configuration blocks to add to the matrix synapse's server configuration. matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: [] +# A list of strings containing additional configuration blocks to add to the matrix riot's server configuration. +matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: [] + +# A list of strings containing additional configuration blocks to add to the matrix dimension's server configuration. +matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: [] + +# A list of strings containing additional configuration blocks to add to the matrix domain server configuration. +matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: [] + # Specifies when to reload the matrix-nginx-proxy service so that # a new SSL certificate could go into effect. matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" # Specifies which SSL protocols to use when serving Riot and Synapse -matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3" +matrix_nginx_proxy_ssl_protocols: "TLSv1.2 TLSv1.3" # Controls whether the self-check feature should validate SSL certificates. matrix_nginx_proxy_self_check_validate_certificates: true 
diff --git a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml index 72be0f41..1e274ee3 100644 --- a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml +++ b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml @@ -6,7 +6,7 @@ - path: /.well-known/matrix/client purpose: Client Discovery cors: true - follow_redirects: false + follow_redirects: none validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}" - block: @@ -15,7 +15,7 @@ path: /.well-known/matrix/server purpose: Server Discovery cors: false - follow_redirects: true + follow_redirects: safe validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}" - name: Determine domains that we require certificates for (mxisd) diff --git a/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml b/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml index 91dbcdc8..e7a4cfac 100644 --- a/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml +++ b/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml @@ -9,7 +9,7 @@ - name: Check .well-known on the matrix hostname uri: url: "{{ well_known_url_matrix }}" - follow_redirects: false + follow_redirects: none return_content: true validate_certs: "{{ well_known_file_check.validate_certs }}" register: result_well_known_matrix diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index babcb98c..e7019040 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 
@@ -3,6 +3,9 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; +{% for configuration_block in matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks %} + {{- configuration_block }} +{% endfor %} location / { {% if matrix_nginx_proxy_enabled %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 55f0e9f2..027f2d31 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -5,6 +5,9 @@ gzip on; gzip_types text/plain application/json; + {% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} location /.well-known/matrix { root {{ matrix_static_files_base_path }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index a81035c7..2047748d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -3,6 +3,9 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + {% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} location / { {% if matrix_nginx_proxy_enabled %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 index 290e1a98..8060ffd5 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 @@ -3,4 +3,7 @@ # which can sometimes be too low to handle our 2 vhosts (Synapse and Riot). # # Thus, we ensure a larger bucket size value is used. -server_names_hash_bucket_size 64; \ No newline at end of file +server_names_hash_bucket_size 64; +{% for configuration_block in matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks %} + {{- configuration_block }} +{% endfor %} diff --git a/roles/matrix-postgres/tasks/setup_postgres.yml b/roles/matrix-postgres/tasks/setup_postgres.yml index 9ee09381..16c27677 100644 --- a/roles/matrix-postgres/tasks/setup_postgres.yml +++ b/roles/matrix-postgres/tasks/setup_postgres.yml @@ -73,13 +73,19 @@ mode: 0750 when: matrix_postgres_enabled|bool -- name: Ensure matrix-make-user-admin script created +- name: Ensure matrix-change-user-admin-status script created template: - src: "{{ role_path }}/templates/usr-local-bin/matrix-make-user-admin.j2" - dest: "/usr/local/bin/matrix-make-user-admin" + src: "{{ role_path }}/templates/usr-local-bin/matrix-change-user-admin-status.j2" + dest: "/usr/local/bin/matrix-change-user-admin-status" mode: 0750 when: matrix_postgres_enabled|bool +- name: (Migration) Ensure old matrix-make-user-admin script deleted + file: + path: "/usr/local/bin/matrix-make-user-admin" + state: absent + when: matrix_postgres_enabled|bool + - name: Ensure matrix-postgres-update-user-password-hash script created template: src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2" @@ -146,6 +152,6 @@ state: absent with_items: - matrix-postgres-cli - - matrix-make-user-admin + - matrix-change-user-admin-status - matrix-postgres-update-user-password-hash when: "not matrix_postgres_enabled|bool" diff --git a/roles/matrix-postgres/tasks/upgrade_postgres.yml b/roles/matrix-postgres/tasks/upgrade_postgres.yml index 9a30e819..8a3886b3 100644 --- a/roles/matrix-postgres/tasks/upgrade_postgres.yml 
+++ b/roles/matrix-postgres/tasks/upgrade_postgres.yml @@ -20,6 +20,11 @@ postgres_start_wait_time: 15 when: "postgres_start_wait_time|default('') == ''" +- name: Set postgres_force_upgrade, if not provided + set_fact: + postgres_force_upgrade: false + when: "postgres_force_upgrade|default('') == ''" + - name: Fail, if trying to upgrade external Postgres database fail: msg: "Your configuration indicates that you're not using Postgres from this role. There is nothing to upgrade." @@ -45,7 +50,7 @@ - name: Abort, if already at latest Postgres version fail: msg: "You are already running the latest Postgres version supported ({{ matrix_postgres_docker_image_latest }}). Nothing to do" - when: "matrix_postgres_detected_version_corresponding_docker_image == matrix_postgres_docker_image_latest" + when: "matrix_postgres_detected_version_corresponding_docker_image == matrix_postgres_docker_image_latest and not postgres_force_upgrade" - debug: msg: "Upgrading database from {{ matrix_postgres_detected_version_corresponding_docker_image }} to {{ matrix_postgres_docker_image_latest }}" diff --git a/roles/matrix-postgres/templates/env-postgres-server.j2 b/roles/matrix-postgres/templates/env-postgres-server.j2 index 34f75aee..06feb82a 100644 --- a/roles/matrix-postgres/templates/env-postgres-server.j2 +++ b/roles/matrix-postgres/templates/env-postgres-server.j2 @@ -1,4 +1,7 @@ #jinja2: lstrip_blocks: "True" POSTGRES_USER={{ matrix_postgres_connection_username }} POSTGRES_PASSWORD={{ matrix_postgres_connection_password }} -POSTGRES_DB={{ matrix_postgres_db_name }} \ No newline at end of file +POSTGRES_DB={{ matrix_postgres_db_name }} +# Synapse refuses to run if collation is not C. +# See https://github.com/matrix-org/synapse/issues/6722 +POSTGRES_INITDB_ARGS=--lc-collate C --lc-ctype C --encoding UTF8 
diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 new file mode 100644 index 00000000..5f66ca6c --- /dev/null +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 @@ -0,0 +1,19 @@ +#jinja2: lstrip_blocks: "True" +#!/bin/bash + +if [ $# -ne 2 ]; then + echo "Usage: "$0" <0/1>" + echo "Usage: 0 = non-admin" + echo "Usage: 1 = admin" + exit 1 +fi + +docker run \ + -it \ + --rm \ + --user=991:991 \ + --cap-drop=ALL \ + --env-file=/matrix/postgres/env-postgres-psql \ + --network matrix \ + postgres:12.1-alpine \ + psql -h matrix-postgres -c "UPDATE users set admin=$2 WHERE name like '@$1:{{ matrix_domain }}'" \ No newline at end of file diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 deleted file mode 100644 index f8daa6a7..00000000 --- a/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 +++ /dev/null @@ -1,17 +0,0 @@ -#jinja2: lstrip_blocks: "True" -#!/bin/bash - -if [ $# -ne 1 ]; then - echo "Usage: "$0" " - exit 1 -fi - -docker run \ - -it \ - --rm \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ - --network {{ matrix_docker_network }} \ - {{ matrix_postgres_docker_image_to_use }} \ - psql -h {{ matrix_postgres_connection_hostname }} -c "UPDATE users set admin=1 WHERE name like '@$1:{{ matrix_domain }}'" diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index cf47fa94..6ded2b98 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml 
@@ -1,6 +1,6 @@ matrix_riot_web_enabled: true -matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.7" +matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.8" matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" diff --git a/roles/matrix-riot-web/tasks/self_check_riot_web.yml b/roles/matrix-riot-web/tasks/self_check_riot_web.yml index f16e210b..1a845b3e 100644 --- a/roles/matrix-riot-web/tasks/self_check_riot_web.yml +++ b/roles/matrix-riot-web/tasks/self_check_riot_web.yml @@ -6,7 +6,7 @@ - name: Check riot-web uri: url: "{{ riot_web_url_endpoint_public }}" - follow_redirects: false + follow_redirects: none validate_certs: "{{ matrix_riot_web_self_check_validate_certificates }}" register: result_riot_web ignore_errors: true diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 601028a5..75adcf3e 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -3,7 +3,7 @@ matrix_synapse_enabled: true -matrix_synapse_docker_image: "matrixdotorg/synapse:v1.8.0" +matrix_synapse_docker_image: "matrixdotorg/synapse:v1.9.1" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" 
@@ -259,13 +259,13 @@ matrix_synapse_email_smtp_host: "" matrix_synapse_email_smtp_port: 587 matrix_synapse_email_smtp_require_transport_security: false matrix_synapse_email_notif_from: "Matrix " -matrix_synapse_email_riot_base_url: "https://{{ matrix_server_fqn_riot }}" +matrix_synapse_email_client_base_url: "https://{{ matrix_server_fqn_riot }}" # Enable this to activate the REST auth password provider module. -# See: https://github.com/kamax-io/matrix-synapse-rest-auth +# See: https://github.com/ma1uta/matrix-synapse-rest-password-provider matrix_synapse_ext_password_provider_rest_auth_enabled: false -matrix_synapse_ext_password_provider_rest_auth_download_url: "https://raw.githubusercontent.com/kamax-io/matrix-synapse-rest-auth/v0.1.2/rest_auth_provider.py" +matrix_synapse_ext_password_provider_rest_auth_download_url: "https://raw.githubusercontent.com/ma1uta/matrix-synapse-rest-password-provider/ed377fb70513c2e51b42055eb364195af1ccaf33/rest_auth_provider.py" matrix_synapse_ext_password_provider_rest_auth_endpoint: "" matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true diff --git a/roles/matrix-synapse/tasks/self_check_client_api.yml b/roles/matrix-synapse/tasks/self_check_client_api.yml index 50d0f4ef..fc691cc6 100644 --- a/roles/matrix-synapse/tasks/self_check_client_api.yml +++ b/roles/matrix-synapse/tasks/self_check_client_api.yml @@ -3,7 +3,7 @@ - name: Check Matrix Client API uri: url: "{{ matrix_synapse_client_api_url_endpoint_public }}" - follow_redirects: false + follow_redirects: none validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}" register: result_matrix_synapse_client_api ignore_errors: true diff --git a/roles/matrix-synapse/tasks/self_check_federation_api.yml b/roles/matrix-synapse/tasks/self_check_federation_api.yml index b584cb35..fd4b338c 100644 
--- a/roles/matrix-synapse/tasks/self_check_federation_api.yml +++ b/roles/matrix-synapse/tasks/self_check_federation_api.yml @@ -3,7 +3,7 @@ - name: Check Matrix Federation API uri: url: "{{ matrix_synapse_federation_api_url_endpoint_public }}" - follow_redirects: false + follow_redirects: none validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}" register: result_matrix_synapse_federation_api ignore_errors: true diff --git a/roles/matrix-synapse/tasks/validate_config.yml b/roles/matrix-synapse/tasks/validate_config.yml index fa496642..f3a4a869 100644 --- a/roles/matrix-synapse/tasks/validate_config.yml +++ b/roles/matrix-synapse/tasks/validate_config.yml @@ -15,6 +15,7 @@ Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). when: "item.old in vars" with_items: + - {'old': 'matrix_synapse_email_riot_base_url', 'new': ''} - {'old': 'matrix_synapse_container_expose_api_port', 'new': ''} - {'old': 'matrix_synapse_no_tls', 'new': ''} - {'old': 'matrix_enable_room_list_search', 'new': 'matrix_synapse_enable_room_list_search'} diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 75e147d4..0b3e96a9 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 
@@ -392,17 +392,17 @@ retention: # # The rationale for this per-job configuration is that some rooms might have a # retention policy with a low 'max_lifetime', where history needs to be purged - # of outdated messages on a very frequent basis (e.g. every 5min), but not want - # that purge to be performed by a job that's iterating over every room it knows, - # which would be quite heavy on the server. + # of outdated messages on a more frequent basis than for the rest of the rooms + # (e.g. every 12h), but not want that purge to be performed by a job that's + # iterating over every room it knows, which could be heavy on the server. # #purge_jobs: # - shortest_max_lifetime: 1d # longest_max_lifetime: 3d - # interval: 5m: + # interval: 12h # - shortest_max_lifetime: 3d # longest_max_lifetime: 1y - # interval: 24h + # interval: 1d ## TLS ## 
@@ -891,23 +891,6 @@ enable_registration: {{ matrix_synapse_enable_registration|to_json }} # Optional account validity configuration. This allows for accounts to be denied # any request after a given period. # -# ``enabled`` defines whether the account validity feature is enabled. Defaults -# to False. -# -# ``period`` allows setting the period after which an account is valid -# after its registration. When renewing the account, its validity period -# will be extended by this amount of time. This parameter is required when using -# the account validity feature. -# -# ``renew_at`` is the amount of time before an account's expiry date at which -# Synapse will send an email to the account's email address with a renewal link. -# This needs the ``email`` and ``public_baseurl`` configuration sections to be -# filled. -# -# ``renew_email_subject`` is the subject of the email sent out with the renewal -# link. ``%(app)s`` can be used as a placeholder for the ``app_name`` parameter -# from the ``email`` section. -# # Once this feature is enabled, Synapse will look for registered users without an # expiration date at startup and will add one to every account it found using the # current settings at that time. 
@@ -918,32 +901,55 @@ enable_registration: {{ matrix_synapse_enable_registration|to_json }} # date will be randomly selected within a range [now + period - d ; now + period], # where d is equal to 10% of the validity period. # -#account_validity: -# enabled: True -# period: 6w -# renew_at: 1w -# renew_email_subject: "Renew your %(app)s account" -# # Directory in which Synapse will try to find the HTML files to serve to the -# # user when trying to renew an account. Optional, defaults to -# # synapse/res/templates. -# template_dir: "res/templates" -# # HTML to be displayed to the user after they successfully renewed their -# # account. Optional. -# account_renewed_html_path: "account_renewed.html" -# # HTML to be displayed when the user tries to renew an account with an invalid -# # renewal token. Optional. -# invalid_token_html_path: "invalid_token.html" +account_validity: + # The account validity feature is disabled by default. Uncomment the + # following line to enable it. + # + #enabled: true -# Time that a user's session remains valid for, after they log in. -# -# Note that this is not currently compatible with guest logins. -# -# Note also that this is calculated at login time: changes are not applied -# retrospectively to users who have already logged in. -# -# By default, this is infinite. -# -#session_lifetime: 24h + # The period after which an account is valid after its registration. When + # renewing the account, its validity period will be extended by this amount + # of time. This parameter is required when using the account validity + # feature. + # + #period: 6w + + # The amount of time before an account's expiry date at which Synapse will + # send an email to the account's email address with a renewal link. By + # default, no such emails are sent. + # + # If you enable this setting, you will also need to fill out the 'email' and + # 'public_baseurl' configuration sections. 
+ # + #renew_at: 1w + + # The subject of the email sent out with the renewal link. '%(app)s' can be + # used as a placeholder for the 'app_name' parameter from the 'email' + # section. + # + # Note that the placeholder must be written '%(app)s', including the + # trailing 's'. + # + # If this is not set, a default value is used. + # + #renew_email_subject: "Renew your %(app)s account" + + # Directory in which Synapse will try to find templates for the HTML files to + # serve to the user when trying to renew an account. If not set, default + # templates from within the Synapse package will be used. + # + #template_dir: "res/templates" + + # File within 'template_dir' giving the HTML to be displayed to the user after + # they successfully renewed their account. If not set, default text is used. + # + #account_renewed_html_path: "account_renewed.html" + + # File within 'template_dir' giving the HTML to be displayed when the user + # tries to renew an account with an invalid renewal token. If not set, + # default text is used. + # + #invalid_token_html_path: "invalid_token.html" # The user must provide all of the below types of 3PID when registering. # 
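Review bot: with every child key commented out, the new `account_validity:` line renders as a key with no value, which YAML loads as `null` rather than an empty mapping; please confirm Synapse's config loader accepts `account_validity: null`, or emit `account_validity: {}` (or omit the key entirely) when nothing underneath is set, so a freshly rendered homeserver.yaml does not fail at startup. The removed `#session_lifetime: 24h` comment block is also not re-added anywhere in this hunk; if the setting is still supported, keep or relocate its documentation rather than dropping it.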
@@ -1378,107 +1384,123 @@ password_config: pepper: {{ matrix_synapse_password_config_pepper|string|to_json }} - -# Enable sending emails for password resets, notification events or -# account expiry notices -# -# If your SMTP server requires authentication, the optional smtp_user & -# smtp_pass variables should be used -# -#email: -# enable_notifs: false -# smtp_host: "localhost" -# smtp_port: 25 # SSL: 465, STARTTLS: 587 -# smtp_user: "exampleusername" -# smtp_pass: "examplepassword" -# require_transport_security: False -# notif_from: "Your Friendly %(app)s homeserver " -# app_name: Matrix -# -# # Enable email notifications by default -# # -# notif_for_new_users: True -# -# # Defining a custom URL for Riot is only needed if email notifications -# # should contain links to a self-hosted installation of Riot; when set -# # the "app_name" setting is ignored -# # -# riot_base_url: "http://localhost/riot" -# -# # Configure the time that a validation email or text message code -# # will expire after sending -# # -# # This is currently used for password resets -# # -# #validation_token_lifetime: 1h -# -# # Template directory. All template files should be stored within this -# # directory. 
If not set, default templates from within the Synapse -# # package will be used -# # -# # For the list of default templates, please see -# # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates -# # -# #template_dir: res/templates -# -# # Templates for email notifications -# # -# notif_template_html: notif_mail.html -# notif_template_text: notif_mail.txt -# -# # Templates for account expiry notices -# # -# expiry_template_html: notice_expiry.html -# expiry_template_text: notice_expiry.txt -# -# # Templates for password reset emails sent by the homeserver -# # -# #password_reset_template_html: password_reset.html -# #password_reset_template_text: password_reset.txt -# -# # Templates for registration emails sent by the homeserver -# # -# #registration_template_html: registration.html -# #registration_template_text: registration.txt -# -# # Templates for validation emails sent by the homeserver when adding an email to -# # your user account -# # -# #add_threepid_template_html: add_threepid.html -# #add_threepid_template_text: add_threepid.txt -# -# # Templates for password reset success and failure pages that a user -# # will see after attempting to reset their password -# # -# #password_reset_template_success_html: password_reset_success.html -# #password_reset_template_failure_html: password_reset_failure.html -# -# # Templates for registration success and failure pages that a user -# # will see after attempting to register using an email or phone -# # -# #registration_template_success_html: registration_success.html -# #registration_template_failure_html: registration_failure.html -# -# # Templates for success and failure pages that a user will see after attempting -# # to add an email or phone to their account -# # -# #add_threepid_success_html: add_threepid_success.html -# #add_threepid_failure_html: add_threepid_failure.html {% if matrix_synapse_email_enabled %} +# Configuration for sending emails from Synapse. 
+# email: - enable_notifs: true - smtp_host: {{ matrix_synapse_email_smtp_host|string|to_json }} - smtp_port: {{ matrix_synapse_email_smtp_port|to_json }} - require_transport_security: {{ matrix_synapse_email_smtp_require_transport_security|to_json }} - notif_from: {{ matrix_synapse_email_notif_from|string|to_json }} - app_name: Matrix - notif_template_html: notif_mail.html - notif_template_text: notif_mail.txt - # Templates for account expiry notices. - expiry_template_html: notice_expiry.html - expiry_template_text: notice_expiry.txt - notif_for_new_users: True - riot_base_url: {{ matrix_synapse_email_riot_base_url|string|to_json }} + # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'. + # + #smtp_host: mail.server + smtp_host: {{ matrix_synapse_email_smtp_host|string|to_json }} + + # The port on the mail server for outgoing SMTP. Defaults to 25. + # + #smtp_port: 587 + smtp_port: {{ matrix_synapse_email_smtp_port|to_json }} + + # Username/password for authentication to the SMTP server. By default, no + # authentication is attempted. + # + # smtp_user: "exampleusername" + # smtp_pass: "examplepassword" + + # Uncomment the following to require TLS transport security for SMTP. + # By default, Synapse will connect over plain text, and will then switch to + # TLS via STARTTLS *if the SMTP server supports it*. If this option is set, + # Synapse will refuse to connect unless the server supports STARTTLS. + # + #require_transport_security: true + require_transport_security: {{ matrix_synapse_email_smtp_require_transport_security|to_json }} + + # Enable sending emails for messages that the user has missed + # + #enable_notifs: false + enable_notifs: true + + # notif_from defines the "From" address to use when sending emails. + # It must be set if email sending is enabled. + # + # The placeholder '%(app)s' will be replaced by the application name, + # which is normally 'app_name' (below), but may be overridden by the + # Matrix client application. 
+ # + # Note that the placeholder must be written '%(app)s', including the + # trailing 's'. + # + #notif_from: "Your Friendly %(app)s homeserver " + notif_from: {{ matrix_synapse_email_notif_from|string|to_json }} + + # app_name defines the default value for '%(app)s' in notif_from. It + # defaults to 'Matrix'. + # + #app_name: my_branded_matrix_server + app_name: Matrix + + # Uncomment the following to disable automatic subscription to email + # notifications for new users. Enabled by default. + # + #notif_for_new_users: false + notif_for_new_users: True + + # Custom URL for client links within the email notifications. By default + # links will be based on "https://matrix.to". + # + # (This setting used to be called riot_base_url; the old name is still + # supported for backwards-compatibility but is now deprecated.) + # + #client_base_url: "http://localhost/riot" + client_base_url: {{ matrix_synapse_email_client_base_url|string|to_json }} + + # Configure the time that a validation email will expire after sending. + # Defaults to 1h. + # + #validation_token_lifetime: 15m + + # Directory in which Synapse will try to find the template files below. + # If not set, default templates from within the Synapse package will be used. + # + # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates. + # If you *do* uncomment it, you will need to make sure that all the templates + # below are in the directory. + # + # Synapse will look for the following templates in this directory: + # + # * The contents of email notifications of missed events: 'notif_mail.html' and + # 'notif_mail.txt'. + # + # * The contents of account expiry notice emails: 'notice_expiry.html' and + # 'notice_expiry.txt'. 
+ # + # * The contents of password reset emails sent by the homeserver: + # 'password_reset.html' and 'password_reset.txt' + # + # * HTML pages for success and failure that a user will see when they follow + # the link in the password reset email: 'password_reset_success.html' and + # 'password_reset_failure.html' + # + # * The contents of address verification emails sent during registration: + # 'registration.html' and 'registration.txt' + # + # * HTML pages for success and failure that a user will see when they follow + # the link in an address verification email sent during registration: + # 'registration_success.html' and 'registration_failure.html' + # + # * The contents of address verification emails sent when an address is added + # to a Matrix account: 'add_threepid.html' and 'add_threepid.txt' + # + # * HTML pages for success and failure that a user will see when they follow + # the link in an address verification email sent when an address is added + # to a Matrix account: 'add_threepid_success.html' and + # 'add_threepid_failure.html' + # + # You can see the default templates at: + # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates + # + #template_dir: "res/templates" + notif_template_html: notif_mail.html + notif_template_text: notif_mail.txt + expiry_template_html: notice_expiry.html + expiry_template_text: notice_expiry.txt {% endif %} diff --git a/setup.yml b/setup.yml index 3d677074..429a6c4f 100755 --- a/setup.yml +++ b/setup.yml @@ -10,6 +10,7 @@ - matrix-corporal - matrix-bridge-appservice-discord - matrix-bridge-appservice-slack + - matrix-bridge-appservice-webhooks - matrix-bridge-appservice-irc - matrix-bridge-mautrix-facebook - matrix-bridge-mautrix-hangouts
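Review bot: the `client_base_url` rename needs a defaults entry for `matrix_synapse_email_client_base_url` and a deprecation check for the old `matrix_synapse_email_riot_base_url`, neither of which is in this diff; without them an inventory that still sets the old variable silently falls back to `https://matrix.to` links, and one that sets neither may fail to render `client_base_url: {{ matrix_synapse_email_client_base_url|string|to_json }}`. Two smaller points: `smtp_user` / `smtp_pass` remain commented examples with no playbook variable behind them, so the template still cannot express an authenticated SMTP relay, and `notif_for_new_users: True` mixes boolean casing with the lowercase `true`/`false` used elsewhere in the block.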
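Review bot: the setup.yml hunk adding `- matrix-bridge-appservice-webhooks` to the role list is unrelated to the homeserver.yaml template rework in the rest of this patch and would be clearer as its own commit; it also depends on a `matrix-bridge-appservice-webhooks` role directory that is not part of this diff, so please confirm it is committed alongside.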