Merge branch 'master' into pub.solar

teutat3s 2021-03-30 19:59:14 +02:00
commit 8c261b296b
Signed by: teutat3s
GPG key ID: 18DAE600A6BBE705
93 changed files with 3790 additions and 153 deletions

View file

@ -1,3 +1,24 @@
# 2021-03-20
## Sygnal push gateway support
The playbook can now install the [Sygnal](https://github.com/matrix-org/sygnal) push gateway for you.
This is only useful to people who develop/build their own Matrix client applications.
Additional details are available in our [Setting up Sygnal](docs/configuring-playbook-sygnal.md) docs.
# 2021-03-16
## Go-NEB support
Thanks to [Zir0h](https://github.com/Zir0h), the playbook can now install and configure the [Go-NEB](https://github.com/matrix-org/go-neb) bot.
Additional details are available in [Setting up Go-NEB](docs/configuring-playbook-bot-go-neb.md).
# 2021-02-19
## GroupMe bridging support via mx-puppet-groupme

View file

@ -91,12 +91,16 @@ Using this playbook, you can get the following services configured on your serve
- (optional) [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) for scheduling one-off & recurring reminders and alarms - see [docs/configuring-playbook-bot-matrix-reminder-bot.md](docs/configuring-playbook-bot-matrix-reminder-bot.md) for setup documentation
- (optional) [Go-NEB](https://github.com/matrix-org/go-neb) multi functional bot written in Go - see [docs/configuring-playbook-bot-go-neb.md](docs/configuring-playbook-bot-go-neb.md) for setup documentation
- (optional) [synapse-admin](https://github.com/Awesome-Technologies/synapse-admin), a web UI tool for administrating users and rooms on your Matrix server - see [docs/configuring-playbook-synapse-admin.md](docs/configuring-playbook-synapse-admin.md) for setup documentation
- (optional) [matrix-registration](https://github.com/ZerataX/matrix-registration), a simple python application to have a token based matrix registration - see [docs/configuring-playbook-matrix-registration.md](docs/configuring-playbook-matrix-registration.md) for setup documentation
- (optional) the [Prometheus](https://prometheus.io) time-series database server, the Prometheus [node-exporter](https://prometheus.io/docs/guides/node-exporter/) host metrics exporter, and the [Grafana](https://grafana.com/) web UI - see [Enabling metrics and graphs (Prometheus, Grafana) for your Matrix server](docs/configuring-playbook-prometheus-grafana.md) for setup documentation
- (optional) the [Sygnal](https://github.com/matrix-org/sygnal) push gateway - see [Setting up the Sygnal push gateway](docs/configuring-playbook-sygnal.md) for setup documentation
Basically, this playbook aims to get you up-and-running with all the basic necessities around Matrix, without you having to do anything else.
**Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need.

View file

@ -0,0 +1,43 @@
# Configuring AWX System (optional)
An AWX setup for managing multiple Matrix servers.
This section is used in an AWX system that can create and manage multiple [Matrix](http://matrix.org/) servers. You can issue members an AWX login to their own 'organisation', which they can use to manage/configure 1 to N servers.
Members can be assigned a server from Digitalocean, or they can connect their own on-premises server. This script is free to use in a commercial context with the 'MemberPress Plus' and 'WP Oauth Sever' addons. It can also be run in a non-commercial context.
The AWX system is arranged into 'members' each with their own 'subscriptions'. After creating a subscription the user enters the 'provision stage' where they defined the URLs they will use, the servers location and whether or not there's already a website at the base domain. They then proceed onto the 'deploy stage' where they can configure their Matrix server.
Ideally this system can manage the updates, configuration, backups and monitoring on it's own. It is an extension of the popular deploy script [spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy).
Warning: This project is currently alpha quality and should only be run by the brave.
## Other Required Playbooks
The following repositories allow you to copy and use this setup:
[Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) - Creates and configures the AWX system for you.
[Ansible Create Delete Subscription Membership](https://gitlab.com/GoMatrixHosting/ansible-create-delete-subscription-membership) - Used by the AWX system to create memberships and subscriptions.
[Ansible Provision Server](https://gitlab.com/GoMatrixHosting/ansible-provision-server) - Used by AWX members to perform initial configuration of their DigitalOcean or On-Premises server.
## Testing Fork For This Playbook
Updates to this section are trailed here:
[GoMatrixHosting Matrix Docker Ansible Deploy](https://gitlab.com/GoMatrixHosting/gomatrixhosting-matrix-docker-ansible-deploy)
## Does I need an AWX setup to use this? How do I configure it?
Yes, you'll need to configure an AWX instance, the [Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) repository makes it easy to do. Just follow the steps listed in '/docs/Installation.md' of that repository.
## Does I need a front-end WordPress site? And a DigitalOcean account?
You do not need a front-end WordPress site or any of the mentioned WordPress plugins to use this setup. It can be run on it's own in a non-commercial context.
You also don't need a DigitalOcean account, but this will limit you to only being able to connect 'On-Premises' servers.
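Review bot: the two FAQ headings in this new AWX page read "Does I need an AWX setup…" and "Does I need a front-end WordPress site…"; both should be "Do I need…". A few more wording fixes in the same hunk: "on it's own" appears twice and should be "on its own", "'WP Oauth Sever'" looks like a typo for "Server", "the servers location" should be "the server's location", and "Updates to this section are trailed here" presumably means "tracked here". The alpha-quality warning is good to have; consider moving it above the "Other Required Playbooks" section so it is read before anyone starts copying the linked repositories.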

View file

@ -15,31 +15,33 @@ As we discuss in [Server Delegation](howto-server-delegation.md), there are 2 di
This playbook mostly discusses the well-known file method, because it's easier to manage with regard to certificates.
If you decide to go with the alternative method ([Server Delegation via a DNS SRV record (advanced)](howto-server-delegation.md#server-delegation-via-a-dns-srv-record-advanced)), please be aware that the general flow that this playbook guides you through may not match what you need to do.
## Required DNS settings for services enabled by default
## DNS settings for services enabled by default
| Type | Host | Priority | Weight | Port | Target |
| ----- | ---------------------------- | -------- | ------ | ---- | ---------------------- |
| A | `matrix` | - | - | - | `matrix-server-IP` |
| CNAME | `element` | - | - | - | `matrix.<your-domain>` |
| SRV | `_matrix-identity._tcp` | 10 | 0 | 443 | `matrix.<your-domain>` |
Be mindful as to how long it will take for the DNS records to propagate.
If you are using Cloudflare DNS, make sure to disable the proxy and set all records to `DNS only`. Otherwise, fetching certificates will fail.
## Required DNS settings for optional services
## DNS settings for optional services/features
| Type | Host | Priority | Weight | Port | Target |
| ----- | ---------------------------- | -------- | ------ | ---- | ---------------------- |
| SRV | `_matrix-identity._tcp` | 10 | 0 | 443 | `matrix.<your-domain>` |
| CNAME | `dimension` (*) | - | - | - | `matrix.<your-domain>` |
| CNAME | `jitsi` (*) | - | - | - | `matrix.<your-domain>` |
| CNAME | `stats` (*) | - | - | - | `matrix.<your-domain>` |
| CNAME | `goneb` (*) | - | - | - | `matrix.<your-domain>` |
| CNAME | `sygnal` (*) | - | - | - | `matrix.<your-domain>` |
## Subdomains setup
As the table above illustrates, you need to create 2 subdomains (`matrix.<your-domain>` and `element.<your-domain>`) and point both of them to your new server's IP address (DNS `A` record or `CNAME` record is fine).
The `element.<your-domain>` subdomain is necessary, because this playbook installs the [Element](https://github.com/vector-im/element-web) web client for you.
The `element.<your-domain>` subdomain may be necessary, because this playbook installs the [Element](https://github.com/vector-im/element-web) web client for you.
If you'd rather instruct the playbook not to install Element (`matrix_client_element_enabled: false` when [Configuring the playbook](configuring-playbook.md) later), feel free to skip the `element.<your-domain>` DNS record.
The `dimension.<your-domain>` subdomain may be necessary, because this playbook could install the [Dimension integrations manager](http://dimension.t2bot.io/) for you. Dimension installation is disabled by default, because it's only possible to install it after the other Matrix services are working (see [Setting up Dimension](configuring-playbook-dimension.md) later). If you do not wish to set up Dimension, feel free to skip the `dimension.<your-domain>` DNS record.
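Review bot: in the new "DNS settings for optional services/features" table the `_matrix-identity._tcp` SRV row is the only row without the `(*)` marker that every other optional row carries, so a reader cannot tell whether the footnote applies to it; either add the marker or reference the "`_matrix-identity._tcp` SRV record setup" section from the text below the table. Related: the paragraph under "Subdomains setup" still says "As the table above illustrates, you need to create 2 subdomains", but two tables now precede it and the second one lists five further optional subdomains; "As the first table illustrates" would be clearer. Finally, renaming "Required DNS settings for services enabled by default" to "DNS settings for services enabled by default" (and likewise for the optional section) changes the generated heading anchors, so any other doc linking to the old anchors should be checked in the same change.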
@ -48,12 +50,19 @@ The `jitsi.<your-domain>` subdomain may be necessary, because this playbook coul
The `stats.<your-domain>` subdomain may be necessary, because this playbook could install [Grafana](https://grafana.com/) and setup performance metrics for you. Grafana installation is disabled by default, it is not a core required component. To learn how to install it, see our [metrics and graphs guide](configuring-playbook-prometheus-grafana.md). If you do not wish to set up Grafana, feel free to skip the `stats.<your-domain>` DNS record. It is possible to install Prometheus without installing Grafana, this would also not require the `stats.<your-domain>` subdomain.
The `goneb.<your-domain>` subdomain may be necessary, because this playbook could install the [Go-NEB](https://github.com/matrix-org/go-neb) bot. The installation of Go-NEB is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Go-NEB guide](configuring-playbook-bot-go-neb.md). If you do not wish to set up Go-NEB, feel free to skip the `goneb.<your-domain>` DNS record.
The `sygnal.<your-domain>` subdomain may be necessary, because this playbook could install the [Sygnal](https://github.com/matrix-org/sygnal) push gateway. The installation of Sygnal is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Sygnal guide](configuring-playbook-sygnal.md). If you do not wish to set up Sygnal (you probably don't, unless you're also developing/building your own Matrix apps), feel free to skip the `sygnal.<your-domain>` DNS record.
## `_matrix-identity._tcp` SRV record setup
To make the [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server (which this playbook installs for you) be authoritative for your domain name, set up one more SRV record that looks like this:
To make the [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server (which this playbook installs for you) enable its federation features, set up an SRV record that looks like this:
- Name: `_matrix-identity._tcp` (use this text as-is)
- Content: `10 0 443 matrix.<your-domain>` (replace `<your-domain>` with your own)
This is an optional feature. See [ma1sd's documentation](https://github.com/ma1uta/ma1sd/wiki/mxisd-and-your-privacy#choices-are-never-easy) for information on the privacy implications of setting up this SRV record.
Note: This `_matrix-identity._tcp` SRV record for the identity server is different from the `_matrix._tcp` that can be used for Synapse delegation. See [howto-server-delegation.md](howto-server-delegation.md) for more information about delegation.
When you're done with the DNS configuration and ready to proceed, continue with [Configuring this Ansible playbook](configuring-playbook.md).

View file

@ -0,0 +1,226 @@
# Setting up Go-NEB (optional)
The playbook can install and configure [Go-NEB](https://github.com/matrix-org/go-neb) for you.
Go-NEB is a Matrix bot written in Go. It is the successor to Matrix-NEB, the original Matrix bot written in Python.
See the project's [documentation](https://github.com/matrix-org/go-neb) to learn what it does and why it might be useful to you.
## Registering the bot user
The playbook does not automatically create users for you. The bot requires at least 1 access token to be able to connect to your homeserver.
You **need to register the bot user manually** before setting up the bot.
Choose a strong password for the bot. You can generate a good password with a command like this: `pwgen -s 64 1`.
You can use the playbook to [register a new user](registering-users.md):
```
ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.go-neb password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user
```
## Getting an access token
If you use curl, you can get an access token like this:
```
curl -X POST --header 'Content-Type: application/json' -d '{
"identifier": { "type": "m.id.user", "user": "bot.go-neb" },
"password": "a strong password",
"type": "m.login.password"
}' 'https://matrix.YOURDOMAIN/_matrix/client/r0/login'
```
Alternatively, you can use a full-featured client (such as Element) to log in and get the access token from there (note: don't log out from the client as that will invalidate the token), but doing so might lead to decryption problems. That warning comes from [here](https://github.com/matrix-org/go-neb#quick-start).
## Adjusting the playbook configuration
Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs):
```yaml
matrix_bot_go_neb_enabled: true
# You need at least 1 client.
# Use the access token you obtained in the step above.
matrix_bot_go_neb_clients:
- UserID: "@goneb:{{ matrix_domain }}"
AccessToken: "MDASDASJDIASDJASDAFGFRGER"
DeviceID: "DEVICE1"
HomeserverURL: "{{ matrix_homeserver_container_url }}"
Sync: true
AutoJoinRooms: true
DisplayName: "Go-NEB!"
AcceptVerificationFromUsers: [":{{ matrix_domain }}"]
- UserID: "@another_goneb:{{ matrix_domain }}"
AccessToken: "MDASDASJDIASDJASDAFGFRGER"
DeviceID: "DEVICE2"
HomeserverURL: "{{ matrix_homeserver_container_url }}"
Sync: false
AutoJoinRooms: false
DisplayName: "Go-NEB!"
AcceptVerificationFromUsers: ["^@admin:{{ matrix_domain }}"]
# Optional, for use with the github_cmd, github_webhooks or jira services
matrix_bot_go_neb_realms:
- ID: "github_realm"
Type: "github"
Config: {} # No need for client ID or Secret as Go-NEB isn't generating OAuth URLs
# Optional. The list of *authenticated* sessions which Go-NEB is aware of.
matrix_bot_go_neb_sessions:
- SessionID: "your_github_session"
RealmID: "github_realm"
UserID: "@YOUR_USER_ID:{{ matrix_domain }}" # This needs to be the username of the person that's allowed to use the !github commands
Config:
# Populate these fields by generating a "Personal Access Token" on github.com
AccessToken: "YOUR_GITHUB_ACCESS_TOKEN"
Scopes: "admin:org_hook,admin:repo_hook,repo,user"
# The list of services which Go-NEB is aware of.
# Delete or modify this list as appropriate.
# See the docs for /configureService for the full list of options:
# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureServiceRequest
# You need at least 1 service.
matrix_bot_go_neb_services:
- ID: "echo_service"
Type: "echo"
UserID: "@goneb:{{ matrix_domain }}"
Config: {}
# Can be obtained from https://developers.giphy.com/dashboard/
- ID: "giphy_service"
Type: "giphy"
UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client
Config:
api_key: "qwg4672vsuyfsfe"
use_downsized: false
# This service has been dead for over a year :/
- ID: "guggy_service"
Type: "guggy"
UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client
Config:
api_key: "2356saaqfhgfe"
# API Key via https://developers.google.com/custom-search/v1/introduction
# CX via http://www.google.com/cse/manage/all
# https://stackoverflow.com/questions/6562125/getting-a-cx-id-for-custom-search-google-api-python
# 'Search the entire web' and 'Image search' enabled for best results
- ID: "google_service"
Type: "google"
UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client
Config:
api_key: "AIzaSyA4FD39m9"
cx: "AIASDFWSRRtrtr"
# Get a key via https://api.imgur.com/oauth2/addclient
# Select "oauth2 without callback url"
- ID: "imgur_service"
Type: "imgur"
UserID: "@imgur:{{ matrix_domain }}" # requires a Syncing client
Config:
client_id: "AIzaSyA4FD39m9"
client_secret: "somesecret"
- ID: "wikipedia_service"
Type: "wikipedia"
UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client
Config:
- ID: "rss_service"
Type: "rssbot"
UserID: "@another_goneb:{{ matrix_domain }}"
Config:
feeds:
"http://lorem-rss.herokuapp.com/feed?unit=second&interval=60":
rooms: ["!qmElAGdFYCHoCJuaNt:{{ matrix_domain }}"]
must_include:
author:
- author1
description:
- lorem
- ipsum
must_not_include:
title:
- Lorem
- Ipsum
- ID: "github_cmd_service"
Type: "github"
UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client
Config:
RealmID: "github_realm"
# Make sure your BASE_URL can be accessed by Github!
- ID: "github_webhook_service"
Type: "github-webhook"
UserID: "@another_goneb:{{ matrix_domain }}"
Config:
RealmID: "github_realm"
ClientUserID: "@YOUR_USER_ID:{{ matrix_domain }}" # needs to be an authenticated user so Go-NEB can create webhooks. Check the UserID field in the github_realm in matrix_bot_go_neb_sessions.
Rooms:
"!someroom:id":
Repos:
"matrix-org/synapse":
Events: ["push", "issues"]
"matrix-org/dendron":
Events: ["pull_request"]
"!anotherroom:id":
Repos:
"matrix-org/synapse":
Events: ["push", "issues"]
"matrix-org/dendron":
Events: ["pull_request"]
- ID: "slackapi_service"
Type: "slackapi"
UserID: "@slackapi:{{ matrix_domain }}"
Config:
Hooks:
"hook1":
RoomID: "!someroom:id"
MessageType: "m.text" # default is m.text
- ID: "alertmanager_service"
Type: "alertmanager"
UserID: "@alertmanager:{{ matrix_domain }}"
Config:
# This is for information purposes only. It should point to Go-NEB path as follows:
# `/services/hooks/<base64 encoded service ID>`
# Where in this case "service ID" is "alertmanager_service"
# Make sure your BASE_URL can be accessed by the Alertmanager instance!
webhook_url: "http://localhost/services/hooks/YWxlcnRtYW5hZ2VyX3NlcnZpY2U"
# Each room will get the notification with the alert rendered with the given template
rooms:
"!someroomid:domain.tld":
text_template: "{{range .Alerts -}} [{{ .Status }}] {{index .Labels \"alertname\" }}: {{index .Annotations \"description\"}} {{ end -}}"
html_template: "{{range .Alerts -}} {{ $severity := index .Labels \"severity\" }} {{ if eq .Status \"firing\" }} {{ if eq $severity \"critical\"}} <font color='red'><b>[FIRING - CRITICAL]</b></font> {{ else if eq $severity \"warning\"}} <font color='orange'><b>[FIRING - WARNING]</b></font> {{ else }} <b>[FIRING - {{ $severity }}]</b> {{ end }} {{ else }} <font color='green'><b>[RESOLVED]</b></font> {{ end }} {{ index .Labels \"alertname\"}} : {{ index .Annotations \"description\"}} <a href=\"{{ .GeneratorURL }}\">source</a><br/>{{end -}}"
msg_type: "m.text" # Must be either `m.text` or `m.notice`
```
## Installing
Don't forget to add `goneb.<your-domain>` to DNS as described in [Configuring DNS](configuring-dns.md) before running the playbook.
After configuring the playbook, run the [installation](installing.md) command again:
```
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
```
## Usage
To use the bot, invite it to any existing Matrix room (`/invite @whatever_you_chose:DOMAIN` where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain, make sure you have permission from the room owner if that's not you).
Basic usage is like this: `!echo hi` or `!imgur puppies` or `!giphy matrix`
If you enabled the github_cmd service you can get the supported commands via `!github help`
You can also refer to the upstream [Documentation](https://github.com/matrix-org/go-neb).
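Review bot: the example `vars.yml` in this hunk ends up holding several long-lived secrets (the bot's Matrix access tokens, a GitHub personal access token with `admin:org_hook,admin:repo_hook,repo,user` scopes, Giphy/Google/Imgur API keys), but the doc never says the file should be protected, e.g. kept out of version control or encrypted with `ansible-vault`; one sentence under "Adjusting the playbook configuration" would do. Two smaller points: in "Getting an access token" the `curl` example passes the bot password on the command line, so it lands in shell history, and a hint to read it from a file or a prompt is worth adding; the login response also returns a `device_id` for the token, and the doc should say whether `DeviceID` in `matrix_bot_go_neb_clients` is expected to match it (the example uses `DEVICE1`/`DEVICE2` without saying where they come from). In "Usage", the placeholders are inconsistent: the command uses `@whatever_you_chose:DOMAIN` while the explanation refers to `YOUR_DOMAIN`.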

View file

@ -0,0 +1,71 @@
# Setting up Sygnal (optional)
The playbook can install and configure the [Sygnal](https://github.com/matrix-org/sygnal) push gateway for you.
See the project's [documentation](https://github.com/matrix-org/sygnal) to learn what it does and why it might be useful to you.
**Note**: most people don't need to install their own gateway. As Sygnal's [Notes for application developers](https://github.com/matrix-org/sygnal/blob/master/docs/applications.md) documentation says:
> It is not feasible to allow end-users to configure their own Sygnal instance, because the Sygnal instance needs the appropriate FCM or APNs secrets that belong to the application.
This optional playbook component is only useful to people who develop/build their own Matrix client applications themselves.
## Adjusting the playbook configuration
Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs):
```yaml
matrix_sygnal_enabled: true
# You need at least 1 app defined.
# The configuration below is incomplete. Read more below.
matrix_sygnal_apps:
com.example.myapp.ios:
type: apns
keyfile: /data/my_key.p8
# .. more configuration ..
com.example.myapp.android:
type: gcm
api_key: your_api_key_for_gcm
# .. more configuration ..
matrix_aux_file_definitions:
- dest: "{{ matrix_sygnal_data_path }}/my_key.p8"
content: |
some
content
here
mode: '0600'
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
```
For a more complete example of available fields and values they can take, see `roles/matrix-sygnal/templates/sygnal.yaml.j2` (or the [upstream `sygnal.yaml.sample` configuration file](https://github.com/matrix-org/sygnal/blob/master/sygnal.yaml.sample)).
Configuring [GCM/FCM](https://firebase.google.com/docs/cloud-messaging/) is easier, as it only requires that you provide some config values.
To configure [APNS](https://developer.apple.com/notifications/) (Apple Push Notification Service), you'd need to provide one or more certificate files.
To do that, the above example configuration:
- makes use of the `matrix-aux` role (and its `matrix_aux_file_definitions` variable) to make the playbook install files into `/matrix/sygnal/data` (the `matrix_sygnal_data_path` variable). See `roles/matrix-aux/defaults/main.yml` for usage examples. It also makes sure the files are owned by `matrix:matrix`, so that Sygnal can read them. Of course, you can also install these files manually yourself, if you'd rather not use `matrix-aux`.
- references these files in the Sygnal configuration (`matrix_sygnal_apps`) using a path like `/data/..` (the `/matrix/sygnal/data` directory on the host system is mounted into the `/data` directory inside the container)
## Installing
Don't forget to add `sygnal.<your-domain>` to DNS as described in [Configuring DNS](configuring-dns.md) before running the playbook.
After configuring the playbook, run the [installation](installing.md) command again:
```
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
```
## Usage
To make use of your Sygnal installation, you'd need to build your own Matrix client application, which uses the same API keys (for [GCM/FCM](https://firebase.google.com/docs/cloud-messaging/)) and certificates (for [APNS](https://developer.apple.com/notifications/)) and is also pointed to `https://sygnal.DOMAIN` as the configured push server.
Refer to Sygnal's [Notes for application developers](https://github.com/matrix-org/sygnal/blob/master/docs/applications.md) document.
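Review bot: the `matrix_aux_file_definitions` example inlines the APNs `.p8` signing key (and the `matrix_sygnal_apps` block the GCM/FCM `api_key`) directly in `vars.yml`, so that file now carries the credentials that authorize push notifications for the whole application; the section should say so and point at `ansible-vault`, or at installing the key file manually, which the text already mentions as an alternative. The `mode: '0600'` and `matrix_user_username` owner on the file definition are right and worth keeping in the example. One wording point: the `# .. more configuration ..` placeholders together with "The configuration below is incomplete. Read more below." leave unclear which fields are mandatory per app type; naming the required ones in the code comment, or linking `sygnal.yaml.sample` from inside the block as the paragraph after it already does, would help.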

View file

@ -130,3 +130,10 @@ When you're done with all the configuration you'd like to do, continue with [Ins
### Bots
- [Setting up matrix-reminder-bot](configuring-playbook-bot-matrix-reminder-bot.md) (optional)
- [Setting up Go-NEB](configuring-playbook-bot-go-neb.md) (optional)
### Other specialized services
- [Setting up the Sygnal push gateway](configuring-playbook-sygnal.md) (optional)

View file

@ -88,6 +88,8 @@ These services are not part of our default installation, but can be enabled by [
- [anoa/matrix-reminder-bot](https://hub.docker.com/r/anoa/matrix-reminder-bot) - the [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) bot for one-off & recurring reminders and alarms (optional)
- [matrixdotorg/go-neb](https://hub.docker.com/r/matrixdotorg/go-neb) - the [Go-NEB](https://github.com/matrix-org/go-neb) bot (optional)
- [awesometechnologies/synapse-admin](https://hub.docker.com/r/awesometechnologies/synapse-admin) - the [synapse-admin](https://github.com/Awesome-Technologies/synapse-admin) web UI tool for administrating users and rooms on your Matrix server (optional)
- [prom/prometheus](https://hub.docker.com/r/prom/prometheus/) - [Prometheus](https://github.com/prometheus/prometheus/) is a systems and service monitoring system
@ -95,3 +97,5 @@ These services are not part of our default installation, but can be enabled by [
- [prom/node-exporter](https://hub.docker.com/r/prom/node-exporter/) - [Prometheus Node Exporter](https://github.com/prometheus/node_exporter/) is an addon for Prometheus that gathers standard system metrics
- [grafana/grafana](https://hub.docker.com/r/grafana/grafana/) - [Grafana](https://github.com/grafana/grafana/) is a graphing tool that works well with the above two images. Our playbook also adds two dashboards for [Synapse](https://github.com/matrix-org/synapse/tree/master/contrib/grafana) and [Node Exporter](https://github.com/rfrail3/grafana-dashboards)
- [matrixdotorg/sygnal](https://hub.docker.com/r/matrixdotorg/sygnal/) - [Sygnal](https://github.com/matrix-org/sygnal) is a reference Push Gateway for Matrix

View file

@ -1,6 +1,6 @@
# Migrating to new server
1. Prepare by lowering DNS TTL for your domains (`matrix.DOMAIN`, etc.), so that DNS record changes (step 4 below) would happen faster, leading ot less downtime
1. Prepare by lowering DNS TTL for your domains (`matrix.DOMAIN`, etc.), so that DNS record changes (step 4 below) would happen faster, leading to less downtime
2. Stop all services on the old server and make sure they won't be starting again. Execute this on the old server: `systemctl disable --now matrix*`
3. Copy directory `/matrix` from the old server to the new server. Make sure to preserve ownership and permissions (use `cp -p` or `rsync -ar`)!
4. Make sure your DNS records are adjusted to point to the new server's IP address

View file

@ -20,8 +20,6 @@ If your distro runs within an [LXC container](https://linuxcontainers.org/), you
- The [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you. Take a look at [our guide about Ansible](ansible.md) for more information, as well as [version requirements](ansible.md#supported-ansible-versions) and alternative ways to run Ansible.
- Either the `dig` tool or `python-dns` installed on your own computer. Used later on, by the playbook's [services check](maintenance-checking-services.md) feature.
- An HTTPS-capable web server at the base domain name (`<your-domain>`) which is capable of serving static files. Unless you decide to [Serve the base domain from the Matrix server](configuring-playbook-base-domain-serving.md) or alternatively, to use DNS SRV records for [Server Delegation](howto-server-delegation.md).
- Properly configured DNS records for `<your-domain>` (details in [Configuring DNS](configuring-dns.md)).

View file

@ -29,6 +29,25 @@ matrix_homeserver_container_url: "{{ 'http://matrix-nginx-proxy:12080' if matrix
######################################################################
######################################################################
#
# matrix-awx
#
######################################################################
# We don't enable AWX support by default.
matrix_awx_enabled: false
matrix_nginx_proxy_data_path: "{{ '/chroot/website' if (matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled) else (matrix_nginx_proxy_base_path + '/data') }}"
matrix_nginx_proxy_data_path_in_container: "{{ '/nginx-data/matrix-domain' if (matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled) else '/nginx-data' }}"
######################################################################
#
# /matrix-awx
#
######################################################################
######################################################################
#
# matrix-bridge-appservice-discord
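Review bot: `matrix_nginx_proxy_data_path` is switched to `/chroot/website` when `matrix_awx_enabled` is true, which lies outside `matrix_nginx_proxy_base_path`, yet nothing in this hunk says who creates that directory, with what ownership, or why a chroot path is used; a comment next to the variable (and a sentence in the new AWX docs page added in this commit) would save the next reader a search. The same `(matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled)` condition is repeated in both variables; computing it once into a helper variable would keep the host path and the in-container path from drifting apart.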
@ -53,6 +72,8 @@ matrix_appservice_discord_systemd_required_services_list: |
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
+
(['matrix-postgres.service'] if matrix_postgres_enabled else [])
+
(['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
}}
matrix_appservice_discord_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'discord.as.token') | to_uuid }}"
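Review bot: adding `(['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])` to `matrix_appservice_discord_systemd_required_services_list` (and, in the following hunks, to the same list for every other bridge) couples each bridge's lifetime to the reverse proxy: if this list feeds `Requires=`, as its name suggests, an explicit stop or restart of `matrix-nginx-proxy.service` will stop or restart all bridges as well, and the bridges will not start while the proxy is down. If the intent is only ordering (bridges start after the proxy because `matrix_homeserver_container_url` points at `http://matrix-nginx-proxy:12080`), `Wants=`/`After=` would be the lighter dependency; either way the reason for the new dependency deserves a comment in the hunk or the commit message.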
@ -96,6 +117,8 @@ matrix_appservice_webhooks_systemd_required_services_list: |
['docker.service']
+
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
+
(['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
}}
######################################################################
@ -132,6 +155,8 @@ matrix_appservice_slack_systemd_required_services_list: |
['docker.service']
+
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
+
(['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
}}
# Postgres is the default, except if not using `matrix_postgres` (internal postgres)
@ -169,6 +194,8 @@ matrix_appservice_irc_systemd_required_services_list: |
['docker.service']
+
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
+
(['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
}}
matrix_appservice_irc_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'irc.as.token') | to_uuid }}"
@ -204,6 +231,8 @@ matrix_mautrix_facebook_systemd_required_services_list: |
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
+
(['matrix-postgres.service'] if matrix_postgres_enabled else [])
+
(['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
}}
matrix_mautrix_facebook_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'fb.as.token') | to_uuid }}"
@ -244,6 +273,8 @@ matrix_mautrix_hangouts_systemd_required_services_list: |
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
+
(['matrix-postgres.service'] if matrix_postgres_enabled else [])
+
(['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
}}
matrix_mautrix_hangouts_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ho.as.token') | to_uuid }}"
@ -283,6 +314,8 @@ matrix_mautrix_instagram_systemd_required_services_list: |
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
+
(['matrix-postgres.service'] if matrix_postgres_enabled else [])
+
(['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
}}
matrix_mautrix_instagram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ig.as.token') | to_uuid }}"
@ -322,6 +355,8 @@ matrix_mautrix_signal_systemd_required_services_list: |
+
(['matrix-postgres.service'] if matrix_postgres_enabled else [])
+
(['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
+
['matrix-mautrix-signal-daemon.service']
}}
@ -364,6 +399,8 @@ matrix_mautrix_telegram_systemd_required_services_list: |
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
+
(['matrix-postgres.service'] if matrix_postgres_enabled else [])
+
(['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
}}
matrix_mautrix_telegram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegr.as.token') | to_uuid }}"
@ -402,6 +439,8 @@ matrix_mautrix_whatsapp_systemd_required_services_list: |
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
+
(['matrix-postgres.service'] if matrix_postgres_enabled else [])
+
(['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
}}
matrix_mautrix_whatsapp_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'whats.as.token') | to_uuid }}"
@ -434,6 +473,8 @@ matrix_sms_bridge_systemd_required_services_list: |
['docker.service']
+
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
+
(['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
}}
matrix_sms_bridge_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'sms.as.token') | to_uuid }}"
@ -464,6 +505,8 @@ matrix_mx_puppet_skype_systemd_required_services_list: |
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
+
(['matrix-postgres.service'] if matrix_postgres_enabled else [])
+
(['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
}}
matrix_mx_puppet_skype_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'skype.as.tok') | to_uuid }}"
@ -501,6 +544,8 @@ matrix_mx_puppet_slack_systemd_required_services_list: |
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
+
(['matrix-postgres.service'] if matrix_postgres_enabled else [])
+
(['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
}}
matrix_mx_puppet_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxslk.as.tok') | to_uuid }}"
@ -537,6 +582,8 @@ matrix_mx_puppet_twitter_systemd_required_services_list: |
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
+
(['matrix-postgres.service'] if matrix_postgres_enabled else [])
+
(['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
}}
matrix_mx_puppet_twitter_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxtwt.as.tok') | to_uuid }}"
@ -576,6 +623,8 @@ matrix_mx_puppet_instagram_systemd_required_services_list: |
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
+
(['matrix-postgres.service'] if matrix_postgres_enabled else [])
+
(['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
}}
matrix_mx_puppet_instagram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxig.as.tok') | to_uuid }}"
@ -612,6 +661,8 @@ matrix_mx_puppet_discord_systemd_required_services_list: |
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
+
(['matrix-postgres.service'] if matrix_postgres_enabled else [])
+
(['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
}}
matrix_mx_puppet_discord_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxdsc.as.tok') | to_uuid }}"
@ -648,6 +699,8 @@ matrix_mx_puppet_steam_systemd_required_services_list: |
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
+
(['matrix-postgres.service'] if matrix_postgres_enabled else [])
+
(['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
}}
matrix_mx_puppet_steam_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxste.as.tok') | to_uuid }}"
@ -684,6 +737,8 @@ matrix_mx_puppet_groupme_systemd_required_services_list: |
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
+
(['matrix-postgres.service'] if matrix_postgres_enabled else [])
+
(['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
}}
matrix_mx_puppet_groupme_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxgro.as.tok') | to_uuid }}"
@ -716,6 +771,10 @@ matrix_bot_matrix_reminder_bot_systemd_required_services_list: |
['docker.service']
+
(['matrix-postgres.service'] if matrix_postgres_enabled else [])
+
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
+
(['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
}}
# Postgres is the default, except if not using `matrix_postgres` (internal postgres)
@ -729,6 +788,33 @@ matrix_bot_matrix_reminder_bot_database_password: "{{ matrix_synapse_macaroon_se
######################################################################
######################################################################
#
# matrix-bot-go-neb
#
######################################################################
# We don't enable bots by default.
matrix_bot_go_neb_enabled: false
matrix_bot_go_neb_systemd_required_services_list: |
{{
['docker.service']
+
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
+
(['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
}}
matrix_bot_go_neb_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:4050' }}"
######################################################################
#
# /matrix-bot-go-neb
#
######################################################################
######################################################################
#
# matrix-corporal
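Review bot: `matrix_bot_go_neb_systemd_required_services_list` has no `matrix-postgres.service` entry, unlike the neighbouring reminder-bot and Dimension lists; if Go-NEB is wired to the playbook's Postgres elsewhere in this change, add the same `(['matrix-postgres.service'] if matrix_postgres_enabled else [])` line, otherwise a one-line comment stating that Go-NEB uses its own storage saves the next reader the question. The `'127.0.0.1:4050'` fallback in `matrix_bot_go_neb_container_http_host_bind_port` correctly keeps the bot's HTTP listener on loopback when the proxy is disabled.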
@ -825,6 +911,10 @@ matrix_dimension_systemd_required_services_list: |
['docker.service']
+
(['matrix-postgres.service'] if matrix_postgres_enabled else [])
+
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
+
(['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
}}
# Postgres is the default, except if not using `matrix_postgres` (internal postgres)
@ -1053,8 +1143,10 @@ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "{{ matrix_s
matrix_nginx_proxy_proxy_matrix_enabled: true
matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}"
matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}"
matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}"
matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"
matrix_nginx_proxy_proxy_grafana_enabled: "{{ matrix_grafana_enabled }}"
matrix_nginx_proxy_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled }}"
matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}"
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
@ -1072,7 +1164,6 @@ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:1
# Settings controlling matrix-synapse-proxy.conf
matrix_nginx_proxy_proxy_synapse_enabled: "{{ matrix_synapse_enabled }}"
matrix_nginx_proxy_proxy_synapse_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}"
# When matrix-nginx-proxy is disabled, the actual port number that the vhost uses may begin to matter.
matrix_nginx_proxy_proxy_matrix_federation_port: "{{ matrix_federation_public_port }}"
@ -1104,7 +1195,7 @@ matrix_nginx_proxy_synapse_frontend_proxy_locations: "{{ matrix_synapse_workers
matrix_nginx_proxy_systemd_wanted_services_list: |
{{
(['matrix-synapse.service'])
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
+
(['matrix-corporal.service'] if matrix_corporal_enabled else [])
+
@ -1123,10 +1214,14 @@ matrix_ssl_domains_to_obtain_certificates_for: |
+
([matrix_server_fqn_dimension] if matrix_dimension_enabled else [])
+
([matrix_server_fqn_bot_go_neb] if matrix_bot_go_neb_enabled else [])
+
([matrix_server_fqn_jitsi] if matrix_jitsi_enabled else [])
+
([matrix_server_fqn_grafana] if matrix_grafana_enabled else [])
+
([matrix_server_fqn_sygnal] if matrix_sygnal_enabled else [])
+
([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else [])
+
matrix_ssl_additional_domains_to_obtain_certificates_for
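Review bot: the two added entries `([matrix_server_fqn_bot_go_neb] if matrix_bot_go_neb_enabled else [])` and `([matrix_server_fqn_sygnal] if matrix_sygnal_enabled else [])` put new hostnames on the certificate-retrieval list the moment the service is enabled, so certificate retrieval for that name fails if its DNS record does not exist yet; the Go-NEB and Sygnal docs referenced in the changelog should state that the DNS entry has to be in place before flipping the `_enabled` flag.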
@ -1299,6 +1394,12 @@ matrix_postgres_additional_databases: |
'username': matrix_etherpad_database_username,
'password': matrix_etherpad_database_password,
}] if (matrix_etherpad_enabled and matrix_etherpad_database_engine == 'postgres' and matrix_etherpad_database_hostname == 'matrix-postgres') else [])
+
([{
'name': matrix_sygnal_database_name,
'username': matrix_sygnal_database_username,
'password': matrix_sygnal_database_password,
}] if (matrix_sygnal_enabled and matrix_sygnal_database_engine == 'postgres' and matrix_sygnal_database_hostname == 'matrix-postgres') else [])
}}
matrix_postgres_import_roles_to_ignore: |
@ -1323,6 +1424,32 @@ matrix_postgres_import_databases_to_ignore: |
######################################################################
#
# matrix-sygnal
#
######################################################################
# Most people don't need their own push-server, because they also need their own app to utilize it from.
matrix_sygnal_enabled: false
# If someone instals Prometheus via the playbook, they most likely wish to monitor Sygnal.
matrix_sygnal_metrics_prometheus_enabled: "{{ matrix_prometheus_enabled }}"
matrix_sygnal_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:6000' }}"
# Postgres is the default, except if not using `matrix_postgres` (internal postgres)
matrix_sygnal_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
matrix_sygnal_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'sygnal') | to_uuid }}"
######################################################################
#
# /matrix-sygnal
#
######################################################################
######################################################################
#
# matrix-redis
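Review bot: typo in the comment `# If someone instals Prometheus via the playbook` ('instals' should be 'installs'). Two smaller points on the same hunk: `matrix_sygnal_container_http_host_bind_port` falls back to `'127.0.0.1:6000'`, which is the port X11 display :0 listens on, so on a host that also runs an X server the fallback collides and a port outside that range avoids the surprise; and `matrix_sygnal_database_password` is derived from `matrix_synapse_macaroon_secret_key` like the bridge tokens above, which is fine as a default but worth documenting so operators know that rotating the macaroon key also changes this password.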

@ -0,0 +1 @@
matrix_awx_enabled: true

@ -0,0 +1,19 @@
{
"name": "Backup Server",
"description": "",
"spec": [
{
"question_name": "Enable Backup",
"question_description": "Set if remote backup is enabled or not. If enabled a daily backup of your server will be sent to the backup server located in {{ backup_server_location }}.",
"required": true,
"min": null,
"max": null,
"default": "{{ matrix_awx_backup_enabled | string | lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "matrix_awx_backup_enabled",
"type": "multiplechoice"
}
]
}
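Review bot: `{{ backup_server_location }}` is interpolated raw into the quoted `question_description` string; unlike the `| to_json` defaults used in the other survey templates of this change, nothing escapes it, so a value containing a double quote or backslash produces invalid JSON and the later `survey_spec: "{{ lookup('file', ...) }}"` step fails. Escaping the value (or rendering the whole description with `to_json` as the other templates do) closes that gap.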

@ -0,0 +1,88 @@
{
"name": "Configure Matrix Corporal",
"description": "",
"spec": [
{
"question_name": "Enable Corporal",
"question_description": "Controls if Matrix Corporal is enabled at all. If you're unsure if you need Matrix Corporal or not, you most likely don't.",
"required": true,
"min": null,
"max": null,
"default": "{{ matrix_corporal_enabled|string|lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "matrix_corporal_enabled",
"type": "multiplechoice"
},
{
"question_name": "Corporal Policy Provider",
"question_description": "Controls what provider policy is used with Matrix Corporal.",
"required": true,
"min": null,
"max": null,
"default": "{{ matrix_corporal_policy_provider_mode }}",
"choices": "Simple Static File\nHTTP Pull Mode (API Enabled)\nHTTP Push Mode (API Enabled)",
"new_question": true,
"variable": "matrix_corporal_policy_provider_mode",
"type": "multiplechoice"
},
{
"question_name": "Simple Static File Configuration",
"question_description": "The configuration file for Matrix Corporal, only needed if 'Simple Static File' provider is selected, any configuration entered here will be saved and applied.",
"required": false,
"min": 0,
"max": 65536,
"default": "",
"new_question": true,
"variable": "matrix_corporal_simple_static_config",
"type": "textarea"
},
{
"question_name": "HTTP Pull Mode URI",
"question_description": "The network address to remotely fetch the configuration from. Only needed if 'HTTP Pull Mode (API Enabled)' provider is selected.",
"required": false,
"min": 0,
"max": 4096,
"default": "{{ matrix_corporal_pull_mode_uri }}",
"new_question": true,
"variable": "matrix_corporal_pull_mode_uri",
"type": "text"
},
{
"question_name": "HTTP Pull Mode Authentication Token",
"question_description": "An authentication token for pulling the Corporal configuration from a network location. Only needed if 'HTTP Pull Mode (API Enabled)' provider is selected. WARNING: You must set a strong and unique password here.",
"required": false,
"min": 0,
"max": 256,
"default": "{{ matrix_corporal_pull_mode_token }}",
"choices": "",
"new_question": true,
"variable": "matrix_corporal_pull_mode_token",
"type": "password"
},
{
"question_name": "Corporal API Authentication Token",
"question_description": "An authentication token for interfacing with Corporals API. Only needed to be set if 'HTTP Pull Mode (API Enabled)' or 'HTTP Push Mode (API Enabled)' provider is selected. WARNING: You must set a strong and unique password here.",
"required": false,
"min": 0,
"max": 256,
"default": "{{ matrix_corporal_http_api_auth_token }}",
"choices": "",
"new_question": true,
"variable": "matrix_corporal_http_api_auth_token",
"type": "password"
},
{
"question_name": "Raise Synapse Ratelimits",
"question_description": "For Matrix Corporal to work you will need to temporarily raise the rate limits for logins, please return this value to 'Normal' after you're done using Corporal.",
"required": false,
"min": null,
"max": null,
"default": "{{ matrix_corporal_raise_ratelimits }}",
"choices": "Normal\nRaised",
"new_question": true,
"variable": "matrix_corporal_raise_ratelimits",
"type": "multiplechoice"
}
]
}
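Review bot: the two password-type questions embed the live secrets as defaults, `"default": "{{ matrix_corporal_pull_mode_token }}"` and `"default": "{{ matrix_corporal_http_api_auth_token }}"`, so the rendered survey JSON carries them in clear text on disk (the task files in this change write such surveys under `/var/lib/awx/projects/clients/...` and copy them to the target with mode `0660`) and in whatever stores the `survey_spec`; the "Registration Shared Secret" question in the Synapse survey uses `"default": ""` for exactly this reason, and the same should be done here. Separately, "Simple Static File Configuration" also defaults to `""` while the other textareas in this change default to the current value via `| to_json`, so re-running the survey without re-pasting the policy file clears it.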

@ -0,0 +1,78 @@
{
"name": "",
"description": "",
"spec": [
{
"question_name": "Enable Element-Web",
"question_description": "Set if Element web client is enabled or not.",
"required": true,
"min": null,
"max": null,
"default": "{{ matrix_client_element_enabled }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "matrix_client_element_enabled",
"type": "multiplechoice"
},
{
"question_name": "Set Branding for Web Client",
"question_description": "Sets the 'branding' seen in the tab and on the welcome page to a custom value.",
"required": false,
"min": 0,
"max": 256,
"default": "{{ matrix_client_element_brand }}",
"choices": "",
"new_question": true,
"variable": "matrix_client_element_brand",
"type": "text"
},
{
"question_name": "Set Theme for Web Client",
"question_description": "Sets the default theme for the web client, can be changed later by individual users.",
"required": false,
"min": null,
"max": null,
"default": "{{ matrix_client_element_default_theme }}",
"choices": "light\ndark",
"new_question": true,
"variable": "matrix_client_element_default_theme",
"type": "multiplechoice"
},
{
"question_name": "Set Welcome Page Background",
"question_description": "URL to Wallpaper, shown in background of the welcome page. Must be a 'https' link, otherwise it won't be set.",
"required": false,
"min": 0,
"max": 1024,
"default": "{{ matrix_client_element_branding_welcomeBackgroundUrl }}",
"choices": "",
"new_question": true,
"variable": "matrix_client_element_branding_welcomeBackgroundUrl",
"type": "text"
},
{
"question_name": "Show Registration Button",
"question_description": "If you show the registration button on the welcome page.",
"required": false,
"min": null,
"max": null,
"default": "{{ matrix_client_element_registration_enabled }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "matrix_client_element_registration_enabled",
"type": "multiplechoice"
},
{
"question_name": "Set Element Subdomain",
"question_description": "Sets the subdomain of the Element web-client, you should only specify the subdomain, not the base domain you've already set. (Eg: 'element' for element.example.org) Note that if you change this value you'll need to reconfigure your DNS.",
"required": false,
"min": 0,
"max": 2048,
"default": "{{ element_subdomain }}",
"choices": "",
"new_question": true,
"variable": "element_subdomain",
"type": "text"
}
]
}
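Review bot: `"default": "{{ matrix_client_element_enabled }}"` and `"default": "{{ matrix_client_element_registration_enabled }}"` lack the `|string|lower` filter chain the other boolean questions use (for example `matrix_corporal_enabled|string|lower`); a Python boolean renders as `True`/`False`, which matches neither entry of `"choices": "true\nfalse"`, so the current value will not be preselected in the survey. `"name": ""` should also be filled in, as in "Configure Synapse" and the other named surveys.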

@ -0,0 +1,31 @@
{
"name": "",
"description": "",
"spec": [
{
"question_name": "Enable Jitsi",
"question_description": "Set if Jitsi is enabled or not. If disabled your server will use the https://jitsi.riot.im server. If you're on a smaller server disabling this might increase the performance of your Matrix service.",
"required": false,
"min": null,
"max": null,
"default": "{{ matrix_jitsi_enabled }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "matrix_jitsi_enabled",
"type": "multiplechoice"
},
{
"question_name": "Set Default Language",
"question_description": "2 digit 639-1 language code to adjust the language of the web client. For a list of possible codes see: https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes",
"required": false,
"min": 0,
"max": 2,
"default": "{{ matrix_jitsi_web_config_defaultLanguage }}",
"choices": "",
"new_question": true,
"variable": "matrix_jitsi_web_config_defaultLanguage",
"type": "text"
}
]
}
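Review bot: same issue as the Element survey, `"default": "{{ matrix_jitsi_enabled }}"` needs `|string|lower` to match `"choices": "true\nfalse"`, and `"name": ""` is empty. The description's claim that a disabled Jitsi falls back to `https://jitsi.riot.im` should be checked against what the Element configuration in this playbook actually points at, since the survey text is the only place users will read it.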

@ -0,0 +1,41 @@
{
"name": "",
"description": "",
"spec": [
{
"question_name": "Enable ma1sd",
"question_description": "Set if ma1sd is enabled or not. If disabled your server will loose identity functionality (not recommended).",
"required": false,
"min": null,
"max": null,
"default": "{{ matrix_ma1sd_enabled|string|lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "matrix_ma1sd_enabled",
"type": "multiplechoice"
},
{
"question_name": "ma1sd Authentication Mode",
"question_description": "Set the source of user account authentication credentials with the ma1sd.",
"required": false,
"min": null,
"max": null,
"default": "{{ ext_matrix_ma1sd_auth_store }}",
"choices": "Synapse Internal\nLDAP/AD",
"new_question": true,
"variable": "ext_matrix_ma1sd_auth_store",
"type": "multiplechoice"
},
{
"question_name": "LDAP/AD Configuration",
"question_description": "Settings for connecting LDAP/AD to the ma1sd service. (ignored if using Synapse Internal, see https://github.com/ma1uta/ma1sd/blob/master/docs/stores/README.md )",
"required": false,
"min": 0,
"max": 65536,
"default": {{ ext_matrix_ma1sd_configuration_extension_yaml | to_json }},
"new_question": true,
"variable": "ext_matrix_ma1sd_configuration_extension_yaml",
"type": "textarea"
}
]
}
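Review bot: typo in the "Enable ma1sd" description, 'loose identity functionality' should be 'lose identity functionality', and `"name": ""` is empty. Note that the "LDAP/AD Configuration" textarea defaults to the full `ext_matrix_ma1sd_configuration_extension_yaml`, which for an LDAP store normally includes the bind password, so that secret ends up in the rendered survey JSON just like the Corporal tokens; if that is acceptable it should at least be stated in the description.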

@ -0,0 +1,198 @@
{
"name": "Configure Synapse",
"description": "",
"spec": [
{
"question_name": "Enable Public Registration",
"question_description": "Controls whether people with access to the homeserver can register by themselves.",
"required": false,
"min": null,
"max": null,
"default": "{{ matrix_synapse_enable_registration|string|lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "matrix_synapse_enable_registration",
"type": "multiplechoice"
},
{
"question_name": "Enable Federation",
"question_description": "Controls whether Synapse will federate at all. Disable this to completely isolate your server from the rest of the Matrix network.",
"required": false,
"min": null,
"max": null,
"default": "{{ matrix_synapse_federation_enabled|string|lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "matrix_synapse_federation_enabled",
"type": "multiplechoice"
},
{
"question_name": "Allow Public Rooms Over Federation",
"question_description": "Controls whether remote servers can fetch this server's public rooms directory via federation. For private servers, you'll most likely want to forbid this.",
"required": false,
"min": null,
"max": null,
"default": "{{ matrix_synapse_allow_public_rooms_over_federation|string|lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "matrix_synapse_allow_public_rooms_over_federation",
"type": "multiplechoice"
},
{
"question_name": "Enable Community Creation",
"question_description": "Allows regular users (who aren't server admins) to create 'communities', which are basically groups of rooms.",
"required": false,
"min": null,
"max": null,
"default": "{{ matrix_synapse_enable_group_creation|string|lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "matrix_synapse_enable_group_creation",
"type": "multiplechoice"
},
{
"question_name": "Enable Synapse Presence",
"question_description": "Controls whether presence is enabled. This shows who's online and reading your posts. Disabling it will increase both performance and user privacy.",
"required": false,
"min": null,
"max": null,
"default": "{{ matrix_synapse_use_presence|string|lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "matrix_synapse_use_presence",
"type": "multiplechoice"
},
{
"question_name": "Enable URL Previews",
"question_description": "Controls whether URL previews should be generated. This will cause a request from Synapse to URLs shared by users.",
"required": false,
"min": null,
"max": null,
"default": "{{ matrix_synapse_url_preview_enabled|string|lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "matrix_synapse_url_preview_enabled",
"type": "multiplechoice"
},
{
"question_name": "Enable Guest Access",
"question_description": "Controls whether 'guest accounts' can access rooms without registering. Guest users do not count towards your servers user limit.",
"required": false,
"min": null,
"max": null,
"default": "{{ matrix_synapse_allow_guest_access|string|lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "matrix_synapse_allow_guest_access",
"type": "multiplechoice"
},
{
"question_name": "Registration Requires Email",
"question_description": "Controls whether an email address is required to register on the server.",
"required": false,
"min": null,
"max": null,
"default": "{{ ext_registrations_require_3pid|string|lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "ext_registrations_require_3pid",
"type": "multiplechoice"
},
{
"question_name": "Registration Shared Secret",
"question_description": "A secret that allows registration of standard or admin accounts by anyone who has the shared secret, even if registration is otherwise disabled. WARNING: You must set a strong and unique password here.",
"required": false,
"min": 0,
"max": 256,
"default": "",
"choices": "",
"new_question": true,
"variable": "matrix_synapse_registration_shared_secret",
"type": "password"
},
{
"question_name": "Synapse Max Upload Size",
"question_description": "Sets the maximum size for uploaded files in MB.",
"required": false,
"min": 0,
"max": 3,
"default": "{{ matrix_synapse_max_upload_size_mb }}",
"choices": "",
"new_question": true,
"variable": "matrix_synapse_max_upload_size_mb_raw",
"type": "text"
},
{
"question_name": "URL Preview Languages",
"question_description": "Sets the languages that URL previews will be generated in. Entries are a 2-3 letter IETF language tag, they must be seperated with newlines. For example: 'fr' https://en.wikipedia.org/wiki/IETF_language_tag",
"required": false,
"min": 0,
"max": 65536,
"default": {{ ext_url_preview_accept_language_default|to_json }},
"choices": "",
"new_question": true,
"variable": "ext_url_preview_accept_language_raw",
"type": "textarea"
},
{
"question_name": "Federation Whitelist",
"question_description": "Here you can list the URLs of other Matrix homeservers and Synapse will only federate with those homeservers. Entries must be seperated with newlines and must not have a 'https://' prefix. For example: 'matrix.example.org'",
"required": false,
"min": 0,
"max": 65536,
"default": {{ ext_federation_whitelist_raw|to_json }},
"choices": "",
"new_question": true,
"variable": "ext_federation_whitelist_raw",
"type": "textarea"
},
{
"question_name": "Synapse Auto-Join Rooms",
"question_description": "Sets the 'auto-join' rooms, where new users will be automatically invited to, these rooms must already exist. Entries must be room addresses that are separated with newlines. For example: '#announcements:example.org'",
"required": false,
"min": 0,
"max": 65536,
"default": {{ matrix_synapse_auto_join_rooms_raw|to_json }},
"choices": "",
"new_question": true,
"variable": "matrix_synapse_auto_join_rooms_raw",
"type": "textarea"
},
{
"question_name": "Enable ReCaptcha on Registration",
"question_description": "Enables Googles ReCaptcha verification for registering an account, recommended for public servers.",
"required": false,
"min": null,
"max": null,
"default": "{{ ext_enable_registration_captcha|string|lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "ext_enable_registration_captcha",
"type": "multiplechoice"
},
{
"question_name": "Recaptcha Public Key",
"question_description": "Sets the Google ReCaptcha public key for this website.",
"required": false,
"min": 0,
"max": 40,
"default": "{{ ext_recaptcha_public_key }}",
"choices": "",
"new_question": true,
"variable": "ext_recaptcha_public_key",
"type": "text"
},
{
"question_name": "Recaptcha Private Key",
"question_description": "Sets the Google ReCaptcha private key for this website.",
"required": false,
"min": 0,
"max": 40,
"default": "{{ ext_recaptcha_private_key }}",
"choices": "",
"new_question": true,
"variable": "ext_recaptcha_private_key",
"type": "text"
}
]
}
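Review bot: the "Recaptcha Private Key" question is `"type": "text"` while the other secrets in this survey use `"type": "password"`; the private key is then shown in clear in the form and in job output, so it should be `"type": "password"`. Also typos in the descriptions: 'seperated' (twice, in "URL Preview Languages" and "Federation Whitelist") should be 'separated', and 'Googles ReCaptcha' should be 'Google's ReCaptcha'; the "Federation Whitelist" text says 'URLs' but then asks for bare hostnames, so 'hostnames' is the accurate word.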

@ -0,0 +1,18 @@
{
"name": "Configure Synapse Admin",
"description": "Configure 'Synapse Admin', a moderation tool to help you manage your server.",
"spec": [
{
"question_name": "Enable Synapse Admin",
"question_description": "Set if Synapse Admin is enabled or not. If enabled you can access it at https://{{ matrix_server_fqn_matrix }}/synapse-admin.",
"required": false,
"min": null,
"max": null,
"default": "{{ matrix_synapse_admin_enabled|string|lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "matrix_synapse_admin_enabled",
"type": "multiplechoice"
}
]
}

@ -0,0 +1,54 @@
{
"name": "Configure Website Access Backup",
"description": "Configure base domain website settings and access the services backup.",
"spec": [
{
"question_name": "Customise Base Domain Website",
"question_description": "Set if you want to adjust the base domain website using SFTP.",
"required": true,
"min": null,
"max": null,
"default": "{{ customise_base_domain_website | string | lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "customise_base_domain_website",
"type": "multiplechoice"
},
{
"question_name": "SFTP Authorisation Method",
"question_description": "Set whether you want to disable SFTP, use a password to connect to SFTP or connect with a more secure SSH key.",
"required": true,
"min": null,
"max": null,
"default": "{{ sftp_auth_method | string }}",
"choices": "Disabled\nPassword\nSSH Key",
"new_question": true,
"variable": "sftp_auth_method",
"type": "multiplechoice"
},
{
"question_name": "SFTP Password",
"question_description": "Sets the password of the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as export the latest copy of your Matrix service. Must be defined if 'Password' method is selected. WARNING: You must set a strong and unique password here.",
"required": false,
"min": 0,
"max": 64,
"default": "{{ sftp_password }}",
"choices": "",
"new_question": true,
"variable": "sftp_password",
"type": "password"
},
{
"question_name": "SFTP Public SSH Key (More Secure)",
"question_description": "Sets the public SSH key used to access the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as export the latest copy of your Matrix service. Must be defined if 'SSH Key' method is selected.",
"required": false,
"min": 0,
"max": 16384,
"default": "{{ sftp_public_key }}",
"choices": "",
"new_question": true,
"variable": "sftp_public_key",
"type": "text"
}
]
}

@ -0,0 +1,68 @@
- name: Record Backup Server variables locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# AWX Settings'
with_dict:
'matrix_awx_backup_enabled': '{{ matrix_awx_backup_enabled }}'
- name: Copy new 'matrix_vars.yml' to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
dest: '/matrix/awx/matrix_vars.yml'
mode: '0660'
- name: Save new 'Backup Server' survey.json to the AWX tower, template
delegate_to: 127.0.0.1
template:
src: 'roles/matrix-awx/surveys/backup_server.json.j2'
dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/backup_server.json'
- name: Copy new 'Backup Server' survey.json to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/backup_server.json'
dest: '/matrix/awx/backup_server.json'
mode: '0660'
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
- name: Recreate 'Backup Server' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
name: "{{ matrix_domain }} - 0 - Backup Server"
description: "Performs a backup of the entire service to a remote location."
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
job_type: run
job_tags: "backup-server"
inventory: "{{ member_id }}"
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
playbook: setup.yml
credential: "{{ member_id }} - AWX SSH Key"
survey_enabled: true
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/backup_server.json') }}"
become_enabled: yes
state: present
verbosity: 1
tower_host: "https://{{ tower_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}"
validate_certs: yes
- name: Perform the borg backup
command: borgmatic
when: matrix_awx_backup_enabled|bool
- name: Set boolean value to exit playbook
set_fact:
end_playbook: true
- name: End playbook if this task list is called.
meta: end_play
when: end_playbook is defined and end_playbook|bool
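Review bot: the "Collect AWX admin token the hard way!" task sends the tower admin credentials with `curl -sku {{ tower_username }}:{{ tower_password }}`, i.e. with TLS verification disabled, while the `awx.awx.tower_job_template` task a few lines later sets `validate_certs: yes` for the same host; drop `-k` so the credentials are not exposed to anyone who can interpose on the path to `{{ tower_host }}`. Three follow-ups on the same task: it creates a new write-scope personal token on every run and never revokes it, so tokens accumulate in the tower user's account; the credentials sit on a shell command line, so `no_log: True` hides them from Ansible output but not from the process list on the delegate host; and using the `awx.awx` collection's own lookup or `tower_username`/`tower_password` parameters of `tower_job_template` would remove the `curl | jq | sed` chain entirely.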

@ -0,0 +1,31 @@
#
# Create user and define if they are admin
#
# /usr/local/bin/matrix-synapse-register-user <your_username> <your_password> <admin access: 0 or 1>
#
- name: Set admin bool to zero
set_fact:
admin_bool: 0
when: admin_access == 'false'
- name: Examine if server admin set
set_fact:
admin_bool: 1
when: admin_access == 'true'
- name: Set boolean value to exit playbook
set_fact:
end_playbook: true
- name: Create user account
command: |
/usr/local/bin/matrix-synapse-register-user {{ new_username | quote }} {{ new_password | quote }} {{ admin_bool }}
register: cmd
- name: Result
debug: msg="{{ cmd.stdout }}"
- name: End playbook if this task list is called.
meta: end_play
when: end_playbook is defined and end_playbook|bool
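Review bot: the "Create user account" task passes `{{ new_password | quote }}` on the command line of `/usr/local/bin/matrix-synapse-register-user`, and the task has no `no_log: true`; Ansible records the full command in the task result, so the password appears in the AWX job output (and in the process list on the target for the duration of the call). Add `no_log: true` to that task and let the following `debug` task print only the part of `cmd.stdout` that is needed. Also, `admin_access == 'false'` / `admin_access == 'true'` are string comparisons; if the survey hands over a boolean, neither `set_fact` fires and `{{ admin_bool }}` is undefined, so comparing on `admin_access|bool` is more robust.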

@ -0,0 +1,229 @@
- name: Enable index.html creation if user doesn't wish to customise base domain
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Base Domain Settings'
with_dict:
'matrix_nginx_proxy_base_domain_homepage_enabled': 'true'
when: customise_base_domain_website|bool == false
- name: Disable index.html creation to allow multi-file site if user does wish to customise base domain
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Base Domain Settings'
with_dict:
'matrix_nginx_proxy_base_domain_homepage_enabled': 'false'
when: customise_base_domain_website|bool == true
- name: Record custom 'Customise Website + Access Export' variables locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Custom Settings'
with_dict:
'customise_base_domain_website': '{{ customise_base_domain_website }}'
'sftp_auth_method': '"{{ sftp_auth_method }}"'
'sftp_password': '"{{ sftp_password }}"'
'sftp_public_key': '"{{ sftp_public_key }}"'
- name: Copy new 'matrix_vars.yml' to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
dest: '/matrix/awx/matrix_vars.yml'
mode: '0660'
- name: Reload vars in matrix_vars.yml
include_vars:
file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
no_log: True
- name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template
delegate_to: 127.0.0.1
template:
src: './roles/matrix-awx/surveys/configure_website_access_export.json.j2'
dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'
- name: Copy new 'Customise Website + Access Export' survey.json to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'
dest: '/matrix/awx/configure_website_access_export.json'
mode: '0660'
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
- name: Recreate 'Customise Base Domain Export' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
name: "{{ matrix_domain }} - 1 - Configure Website + Access Export"
description: "Configure base domain website settings and access the servers export."
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
job_type: run
job_tags: "start,setup-nginx-proxy"
inventory: "{{ member_id }}"
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
playbook: setup.yml
credential: "{{ member_id }} - AWX SSH Key"
survey_enabled: true
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json') }}"
become_enabled: yes
state: present
verbosity: 1
tower_host: "https://{{ tower_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}"
validate_certs: yes
- name: Ensure group "sftp" exists
group:
name: sftp
state: present
- name: If user doesn't define a sftp_password, create a disabled 'sftp' account
user:
name: sftp
comment: SFTP user to set custom web files and access servers export
shell: /bin/false
home: /home/sftp
group: sftp
password: '*'
update_password: always
when: sftp_password|length == 0
- name: If user defines sftp_password, enable account and set password on 'stfp' account
user:
name: sftp
comment: SFTP user to set custom web files and access servers export
shell: /bin/false
home: /home/sftp
group: sftp
password: "{{ sftp_password | password_hash('sha512') }}"
update_password: always
when: sftp_password|length > 0
- name: adding existing user 'sftp' to group matrix
user:
name: sftp
groups: matrix
append: yes
- name: Create the ro /chroot directory with sticky bit if it doesn't exist. (/chroot/website has matrix:matrix permissions and is mounted to nginx container)
file:
path: /chroot
state: directory
owner: root
group: root
mode: '1755'
- name: Ensure /chroot/website location exists.
file:
path: /chroot/website
state: directory
owner: matrix
group: matrix
mode: '0574'
- name: Ensure /chroot/export location exists
file:
path: /chroot/export
state: directory
owner: sftp
group: sftp
mode: '0700'
- name: Ensure /home/sftp/.ssh location exists
file:
path: /home/sftp/.ssh
state: directory
owner: sftp
group: sftp
mode: '0700'
- name: Ensure /home/sftp/authorized_keys exists
file:
path: /home/sftp/.ssh/authorized_keys
state: touch
owner: sftp
group: sftp
mode: '0644'
- name: Clear authorized_keys file
shell: echo "" > /home/sftp/.ssh/authorized_keys
- name: Insert public SSH key into authorized_keys file
lineinfile:
path: /home/sftp/.ssh/authorized_keys
line: "{{ sftp_public_key }}"
owner: sftp
group: sftp
mode: '0644'
when: (sftp_public_key | length > 0) and (sftp_auth_method == "SSH Key")
- name: Alter SSH Subsystem State 1
lineinfile:
path: /etc/ssh/sshd_config
line: "Subsystem sftp /usr/lib/openssh/sftp-server"
state: absent
- name: Alter SSH Subsystem State 2
lineinfile:
path: /etc/ssh/sshd_config
insertafter: "^# override default of no subsystems"
line: "Subsystem sftp internal-sftp"
- name: Add SSH Match User section for disabled auth
blockinfile:
path: /etc/ssh/sshd_config
state: absent
block: |
Match User sftp
ChrootDirectory /chroot
PermitTunnel no
X11Forwarding no
AllowTcpForwarding no
PasswordAuthentication yes
AuthorizedKeysFile /home/sftp/.ssh/authorized_keys
when: sftp_auth_method == "Disabled"
- name: Add SSH Match User section for password auth
blockinfile:
path: /etc/ssh/sshd_config
state: present
block: |
Match User sftp
ChrootDirectory /chroot
PermitTunnel no
X11Forwarding no
AllowTcpForwarding no
PasswordAuthentication yes
when: sftp_auth_method == "Password"
- name: Add SSH Match User section for publickey auth
blockinfile:
path: /etc/ssh/sshd_config
state: present
block: |
Match User sftp
ChrootDirectory /chroot
PermitTunnel no
X11Forwarding no
AllowTcpForwarding no
AuthorizedKeysFile /home/sftp/.ssh/authorized_keys
when: sftp_auth_method == "SSH Key"
- name: Restart service ssh.service
service:
name: ssh.service
state: restarted
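Review bot: the account tasks and the sshd Match blocks disagree on what gates password login. 'If user defines sftp_password, enable account and set password' runs whenever sftp_password is non-empty, regardless of sftp_auth_method, and the 'publickey auth' Match block carries no PasswordAuthentication directive, so a user who selected 'SSH Key' but also filled in a password ends up with a password-enabled chrooted account whenever the system-wide sshd default allows password auth. Suggest keying both user tasks on sftp_auth_method and adding `PasswordAuthentication no` to the publickey block (and to the Disabled case, which currently only removes the block). 'Collect AWX admin token the hard way!' runs curl with `-k`, so tower_username:tower_password are sent without certificate verification, and it mints a new write-scope personal token on every run that is never revoked, so tokens accumulate on the controller; an AWX credential that supplies tower_oauthtoken, or a final task that deletes the token, avoids both. The sshd_config edits are restarted into service without a syntax check; `validate: '/usr/sbin/sshd -t -f %s'` on the lineinfile/blockinfile tasks keeps a malformed block from locking out SSH. The `/usr/lib/openssh/sftp-server` path and the `# override default of no subsystems` anchor are Debian-specific and silently do nothing elsewhere. Mode '0574' on /chroot/website looks like a typo (owner matrix gets r-x while group gets rwx); '0775' is probably intended. Finally, sftp_password is written in plaintext into matrix_vars.yml on both the AWX volume and the target.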

@ -0,0 +1,23 @@
- name: Ensure /matrix/awx is empty
shell: rm -r /matrix/awx/*
ignore_errors: yes
- name: Ensure /matrix/synapse is empty
shell: rm -r /matrix/synapse/*
ignore_errors: yes
- name: Extract from /chroot/export
shell: tar -xvzf /chroot/export/matrix.tar.gz -C /matrix/
- name: Ensure correct ownership of /matrix/awx
shell: chown -R matrix:matrix /matrix/awx
- name: Ensure correct ownership of /matrix/synapse
shell: chown -R matrix:matrix /matrix/synapse
- name: Fetch matrix_vars.yml file to AWX
fetch:
src: /matrix/awx/matrix_vars.yml
dest: /var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/
flat: yes
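Review bot: 'Extract from /chroot/export' unpacks, as root, an archive that sits in a directory owned and writable by the sftp account, straight into /matrix/ with no check on its contents; tar run as root applies the uid/gid recorded in the archive and honours symlink members, so a replaced matrix.tar.gz can drop files outside /matrix/awx and /matrix/synapse, the only two trees the following chown tasks cover. Suggest extracting into a staging directory with `--no-same-owner`, listing the members first (`tar -tzf`) and rejecting absolute paths, `..` components and symlinks before moving them into place, and comparing the archive against a checksum recorded at export time. Also, `shell: rm -r /matrix/synapse/*` with ignore_errors masks every failure (a missing directory and a permission error look identical); `file: state: absent` followed by `file: state: directory` is idempotent and reports errors.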

@ -0,0 +1,10 @@
- name: Include vars in organisation.yml
include_vars:
file: '/var/lib/awx/projects/clients/{{ member_id }}/organisation.yml'
no_log: True
- name: Include vars in hosting_vars.yml
include_vars:
file: '/var/lib/awx/projects/hosting/hosting_vars.yml'
no_log: True

@ -0,0 +1,5 @@
- name: Include vars in matrix_vars.yml
include_vars:
file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
no_log: True

roles/matrix-awx/tasks/main.yml (Executable file, 117 lines)

@ -0,0 +1,117 @@
# Load initial hosting and organisation variables from AWX volume
- include_tasks:
file: "load_hosting_and_org_variables.yml"
apply:
tags: always
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- always
# Perform a backup of the server
- include_tasks:
file: "backup_server.yml"
apply:
tags: backup-server
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- backup-server
# Create a user account if called
- include_tasks:
file: "create_user.yml"
apply:
tags: create-user
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- create-user
# Perform extra self-check functions
- include_tasks:
file: "self_check.yml"
apply:
tags: self-check
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- self-check
# Import configs, media repo from /chroot/backup import
- include_tasks:
file: "import_awx.yml"
apply:
tags: import-awx
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- import-awx
# Configure SFTP so user can upload a static website or access the servers export
- include_tasks:
file: "customise_website_access_export.yml"
apply:
tags: setup-nginx-proxy
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- setup-nginx-proxy
# Additional playbook to set the variable file during Element configuration
- include_tasks:
file: "set_variables_element.yml"
apply:
tags: setup-client-element
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- setup-client-element
# Additional playbook to set the variable file during Synapse configuration
- include_tasks:
file: "set_variables_synapse.yml"
apply:
tags: setup-synapse
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- setup-synapse
# Additional playbook to set the variable file during Jitsi configuration
- include_tasks:
file: "set_variables_jitsi.yml"
apply:
tags: setup-jitsi
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- setup-jitsi
# Additional playbook to set the variable file during Ma1sd configuration
- include_tasks:
file: "set_variables_ma1sd.yml"
apply:
tags: setup-ma1sd
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- setup-ma1sd
# Additional playbook to set the variable file during Corporal configuration
- include_tasks:
file: "set_variables_corporal.yml"
apply:
tags: setup-corporal
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- setup-corporal
# Additional playbook to set the variable file during Synapse Admin configuration
- include_tasks:
file: "set_variables_synapse_admin.yml"
apply:
tags: setup-synapse-admin
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- setup-synapse-admin
# Load newly formed matrix variables from tower volume
- include_tasks:
file: "load_matrix_variables.yml"
apply:
tags: always
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- always
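Review bot: the comment above the import_awx.yml include says the import comes "from /chroot/backup", but that task file reads /chroot/export; update the comment. The `when: run_setup|bool and matrix_awx_enabled|bool` condition is repeated on all thirteen includes and errors out if run_setup is absent from extra_vars; `run_setup|default(false)|bool`, or one block with a single when around the includes, would be safer. Note also that the two includes tagged always read the hosting, organisation and client variable files on every job regardless of which tags were requested.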

@ -0,0 +1,93 @@
- name: Install prerequisite apt packages on target
apt:
name:
- sysstat
state: present
- name: Install prerequisite yum packages on AWX
delegate_to: 127.0.0.1
yum:
name:
- bind-utils
state: present
- name: Install prerequisite pip packages on AWX
delegate_to: 127.0.0.1
pip:
name:
- dnspython
state: present
- name: Calculate CPU usage statistics
shell: iostat -c
register: cpu_usage_stat
no_log: True
- name: Print CPU usage statistics
debug:
msg: "{{ cpu_usage_stat.stdout.split('\n') }}"
when: cpu_usage_stat is defined
- name: Calculate RAM usage statistics
shell: free -mh
register: ram_usage_stat
no_log: True
- name: Print RAM usage statistics
debug:
msg: "{{ ram_usage_stat.stdout.split('\n') }}"
when: ram_usage_stat is defined
- name: Calculate free disk space
shell: df -h
register: disk_space_stat
no_log: True
- name: Print free disk space
debug:
msg: "{{ disk_space_stat.stdout.split('\n') }}"
when: disk_space_stat is defined
- name: Calculate size of Synapse database
shell: du -sh /matrix/postgres/data
register: db_size_stat
no_log: True
- name: Print size of Synapse database
debug:
msg: "{{ db_size_stat.stdout.split('\n') }}"
when: db_size_stat is defined
- name: Calculate size of local media repository
shell: du -sh /matrix/synapse/storage/media-store/local*
register: local_media_size_stat
ignore_errors: yes
no_log: True
- name: Print size of local media repository
debug:
msg: "{{ local_media_size_stat.stdout.split('\n') }}"
when: local_media_size_stat is defined
- name: Calculate size of remote media repository
shell: du -sh /matrix/synapse/storage/media-store/remote*
register: remote_media_size_stat
ignore_errors: yes
no_log: True
- name: Print size of remote media repository
debug:
msg: "{{ remote_media_size_stat.stdout.split('\n') }}"
when: remote_media_size_stat is defined
- name: Calculate docker container statistics
shell: docker stats --all --no-stream
register: docker_stats
ignore_errors: yes
no_log: True
- name: Print docker container statistics
debug:
msg: "{{ docker_stats.stdout.split('\n') }}"
when: docker_stats is defined
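Review bot: the `when: ... is defined` guards on every Print task are always true, because `register` sets the variable even when the command fails; `is succeeded` is what the tasks mean, and without it the `du` and `docker stats` tasks that carry ignore_errors print a failure record instead of statistics. The `no_log: True` on each collection task hides nothing, since the very next task prints the same stdout with debug. Also, 'Install prerequisite yum packages on AWX' and the pip task modify the AWX controller itself during a client self-check, and neither bind-utils nor dnspython is used anywhere in this file; either drop them or move them to a controller provisioning step.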

@ -0,0 +1,253 @@
- name: Record Corporal Enabled/Disabled variable
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Corporal Settings'
with_dict:
'matrix_corporal_enabled': '{{ matrix_corporal_enabled }}'
- name: Enable Shared Secret Auth if Corporal enabled
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Shared Secret Auth Settings'
with_dict:
'matrix_synapse_ext_password_provider_shared_secret_auth_enabled': 'true'
when: matrix_corporal_enabled|bool
- name: Disable Shared Secret Auth if Corporal disabled
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Shared Secret Auth Settings'
with_dict:
'matrix_synapse_ext_password_provider_shared_secret_auth_enabled': 'false'
when: not matrix_corporal_enabled|bool
- name: Enable Rest Auth Endpoint if Corporal enabled
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Synapse Extension'
with_dict:
'matrix_synapse_ext_password_provider_rest_auth_enabled': 'true'
when: matrix_corporal_enabled|bool
- name: Disable Rest Auth Endpoint if Corporal disabled
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Synapse Extension'
with_dict:
'matrix_synapse_ext_password_provider_rest_auth_enabled': 'false'
when: not matrix_corporal_enabled|bool
- name: Disable Corporal API if Simple Static File mode selected
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Corporal Settings'
with_dict:
'matrix_corporal_http_api_enabled': 'false'
when: (matrix_corporal_policy_provider_mode == "Simple Static File") or (not matrix_corporal_enabled|bool)
- name: Enable Corporal API if Push/Pull mode delected
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Corporal Settings'
with_dict:
'matrix_corporal_http_api_enabled': 'true'
when: (matrix_corporal_policy_provider_mode != "Simple Static File") and (matrix_corporal_enabled|bool)
- name: Record Corporal API Access Token if it's defined
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Corporal Settings'
with_dict:
'matrix_corporal_http_api_auth_token': '{{ matrix_corporal_http_api_auth_token }}'
when: matrix_corporal_http_api_auth_token|length > 0
- name: Record 'Simple Static File' configuration variables in matrix_vars.yml
delegate_to: 127.0.0.1
blockinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
insertafter: "# Corporal Policy Provider Settings"
block: |
matrix_corporal_policy_provider_config: |
{
"Type": "static_file",
"Path": "/etc/matrix-corporal/corporal-policy.json"
}
when: matrix_corporal_policy_provider_mode == "Simple Static File"
- name: Touch the /matrix/corporal/ directory
file:
path: "/matrix/corporal/"
state: directory
owner: matrix
group: matrix
mode: '750'
- name: Touch the /matrix/corporal/config/ directory
file:
path: "/matrix/corporal/config/"
state: directory
owner: matrix
group: matrix
mode: '750'
- name: Touch the /matrix/corporal/cache/ directory
file:
path: "/matrix/corporal/cache/"
state: directory
owner: matrix
group: matrix
mode: '750'
- name: Touch the corporal-policy.json file to ensure it exists
file:
path: "/matrix/corporal/config/corporal-policy.json"
state: touch
owner: matrix
group: matrix
mode: '660'
- name: Touch the last-policy.json file to ensure it exists
file:
path: "/matrix/corporal/config/last-policy.json"
state: touch
owner: matrix
group: matrix
mode: '660'
- name: Record 'Simple Static File' configuration content in corporal-policy.json
copy:
content: "{{ matrix_corporal_simple_static_config | string }}"
dest: "/matrix/corporal/config/corporal-policy.json"
owner: matrix
group: matrix
mode: '660'
when: (matrix_corporal_policy_provider_mode == "Simple Static File") and (matrix_corporal_simple_static_config|length > 0)
- name: Record 'HTTP Pull Mode' configuration variables in matrix_vars.yml
delegate_to: 127.0.0.1
blockinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
insertafter: "# Corporal Policy Provider Settings"
block: |
matrix_corporal_policy_provider_config: |
{
"Type": "http",
"Uri": "{{ matrix_corporal_pull_mode_uri }}",
"AuthorizationBearerToken": "{{ matrix_corporal_pull_mode_token }}",
"CachePath": "/var/cache/matrix-corporal/last-policy.json",
"ReloadIntervalSeconds": 1800,
"TimeoutMilliseconds": 30000
}
when: (matrix_corporal_policy_provider_mode == "HTTP Pull Mode (API Enabled)") and (matrix_corporal_pull_mode_uri|length > 0) and (matrix_corporal_pull_mode_token|length > 0)
- name: Record 'HTTP Push Mode' configuration variables in matrix_vars.yml
delegate_to: 127.0.0.1
blockinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
insertafter: "# Corporal Policy Provider Settings"
block: |
matrix_corporal_policy_provider_config: |
{
"Type": "last_seen_store_policy",
"CachePath": "/var/cache/matrix-corporal/last-policy.json"
}
when: (matrix_corporal_policy_provider_mode == "HTTP Push Mode (API Enabled)")
- name: Lower RateLimit if set to 'Normal'
delegate_to: 127.0.0.1
replace:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: ' address:\n per_second: 50\n burst_count: 300\n account:\n per_second: 0.17\n burst_count: 300'
replace: ' address:\n per_second: 0.17\n burst_count: 3\n account:\n per_second: 0.17\n burst_count: 3'
when: matrix_corporal_raise_ratelimits == "Normal"
- name: Raise RateLimit if set to 'Raised'
delegate_to: 127.0.0.1
replace:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: ' address:\n per_second: 0.17\n burst_count: 3\n account:\n per_second: 0.17\n burst_count: 3'
replace: ' address:\n per_second: 50\n burst_count: 300\n account:\n per_second: 0.17\n burst_count: 300'
when: matrix_corporal_raise_ratelimits == "Raised"
- name: Copy new 'matrix_vars.yml' to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
dest: '/matrix/awx/matrix_vars.yml'
mode: '0664'
- name: Save new 'Configure Corporal' survey.json to the AWX tower
delegate_to: 127.0.0.1
template:
src: 'roles/matrix-awx/surveys/configure_corporal.json.j2'
dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_corporal.json'
- name: Copy new 'Configure Corporal' survey.json to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_corporal.json'
dest: '/matrix/awx/configure_corporal.json'
mode: '0660'
- debug:
msg: "matrix_corporal_matrix_homeserver_api_endpoint: {{ matrix_corporal_matrix_homeserver_api_endpoint }}"
- debug:
msg: "matrix_corporal_matrix_auth_shared_secret: {{ matrix_corporal_matrix_auth_shared_secret }}"
- debug:
msg: "matrix_corporal_http_gateway_internal_rest_auth_enabled: {{ matrix_corporal_http_gateway_internal_rest_auth_enabled }}"
- debug:
msg: "matrix_corporal_matrix_registration_shared_secret: {{ matrix_corporal_matrix_registration_shared_secret }}"
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
- name: Recreate 'Configure Corporal (Advanced)' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
name: "{{ matrix_domain }} - 1 - Configure Corporal (Advanced)"
description: "Configure Matrix Corporal, a tool that manages your Matrix server according to a configuration policy."
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
job_type: run
job_tags: "start,setup-corporal"
inventory: "{{ member_id }}"
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
playbook: setup.yml
credential: "{{ member_id }} - AWX SSH Key"
survey_enabled: true
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_corporal.json') }}"
become_enabled: yes
state: present
verbosity: 1
tower_host: "https://{{ tower_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}"
validate_certs: yes
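Review bot: the four bare `debug` tasks print matrix_corporal_matrix_auth_shared_secret and matrix_corporal_matrix_registration_shared_secret into the job output, which AWX keeps in the job's stdout for anyone who can read the template; remove them or add no_log. In the same file, 'Copy new matrix_vars.yml to target machine' uses mode '0664' while every other copy of this file uses '0660', making the file that holds matrix_corporal_http_api_auth_token and the shared-secret settings world-readable on the target. 'Collect AWX admin token the hard way!' has the same `-k` and never-revoked-token problem as the other task files. Minor: 'Enable Corporal API if Push/Pull mode delected' has a typo (selected), and the two RateLimit `replace` tasks match a literal six-line block, so they silently do nothing if the indentation in matrix_vars.yml differs from the regex.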

@ -0,0 +1,76 @@
- name: Record Element-Web variables locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Element Settings'
with_dict:
'matrix_client_element_enabled': '{{ matrix_client_element_enabled }}'
'matrix_client_element_jitsi_preferredDomain': '{{ matrix_client_element_jitsi_preferredDomain }}'
'matrix_client_element_brand': '{{ matrix_client_element_brand }}'
'matrix_client_element_default_theme': '{{ matrix_client_element_default_theme }}'
'matrix_client_element_registration_enabled': '{{ matrix_client_element_registration_enabled }}'
'matrix_server_fqn_element': "{{ element_subdomain }}.{{ matrix_domain }}"
- name: Set fact for 'https' string
set_fact:
https_string: "https"
- name: Record Element-Web Background variable locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Element Settings'
with_dict:
'matrix_client_element_branding_welcomeBackgroundUrl': '{{ matrix_client_element_branding_welcomeBackgroundUrl }}'
when: (https_string in matrix_client_element_branding_welcomeBackgroundUrl) and ( matrix_client_element_branding_welcomeBackgroundUrl|length > 0 )
- name: Copy new 'matrix_vars.yml' to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
dest: '/matrix/awx/matrix_vars.yml'
mode: '0660'
- name: Save new 'Configure Element' survey.json to the AWX tower, template
delegate_to: 127.0.0.1
template:
src: 'roles/matrix-awx/surveys/configure_element.json.j2'
dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element.json'
- name: Copy new 'Configure Element' survey.json to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element.json'
dest: '/matrix/awx/configure_element.json'
mode: '0660'
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
- name: Recreate 'Configure Element' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
name: "{{ matrix_domain }} - 1 - Configure Element"
description: "Configure Element client via survey."
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
job_type: run
job_tags: "start,setup-client-element"
inventory: "{{ member_id }}"
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
playbook: setup.yml
credential: "{{ member_id }} - AWX SSH Key"
survey_enabled: true
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element.json') }}"
become_enabled: yes
state: present
verbosity: 1
tower_host: "https://{{ tower_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}"
validate_certs: yes
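Review bot: the welcomeBackgroundUrl check `https_string in matrix_client_element_branding_welcomeBackgroundUrl` is a substring test, so any URL containing "https" anywhere, including an http:// URL with "https" in its path, passes; `matrix_client_element_branding_welcomeBackgroundUrl is match('^https://')` expresses the intent, makes the `length > 0` clause redundant, and removes the need for the set_fact that only stores the string "https".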

@ -0,0 +1,57 @@
- name: Record Jitsi variables locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Jitsi Settings'
with_dict:
'matrix_jitsi_enabled': '{{ matrix_jitsi_enabled }}'
'matrix_jitsi_web_config_defaultLanguage': '{{ matrix_jitsi_web_config_defaultLanguage }}'
- name: Copy new 'matrix_vars.yml' to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
dest: '/matrix/awx/matrix_vars.yml'
mode: '0660'
- name: Save new 'Configure Jitsi' survey.json to the AWX tower, template
delegate_to: 127.0.0.1
template:
src: 'roles/matrix-awx/surveys/configure_jitsi.json.j2'
dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_jitsi.json'
- name: Copy new 'Configure Jitsi' survey.json to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_jitsi.json'
dest: '/matrix/awx/configure_jitsi.json'
mode: '0660'
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
- name: Recreate 'Configure Jitsi' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
name: "{{ matrix_domain }} - 1 - Configure Jitsi"
description: "Configure Jitsi conferencing settings."
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
job_type: run
job_tags: "start,setup-jitsi"
inventory: "{{ member_id }}"
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
playbook: setup.yml
credential: "{{ member_id }} - AWX SSH Key"
survey_enabled: true
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_jitsi.json') }}"
become_enabled: yes
state: present
verbosity: 1
tower_host: "https://{{ tower_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}"
validate_certs: yes

@ -0,0 +1,129 @@
- name: Record ma1sd variables locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# ma1sd Settings'
with_dict:
'matrix_ma1sd_enabled': '{{ matrix_ma1sd_enabled }}'
- name: Disable REST auth (matrix-corporal/ma1sd) if using internal auth
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Synapse Extension'
with_dict:
'matrix_synapse_ext_password_provider_rest_auth_enabled': 'false'
when: ext_matrix_ma1sd_auth_store == 'Synapse Internal'
- name: Enable REST auth if using external LDAP/AD with ma1sd
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Synapse Extension'
with_dict:
'matrix_synapse_ext_password_provider_rest_auth_enabled': 'true'
'matrix_synapse_ext_password_provider_rest_auth_endpoint': 'http://matrix-ma1sd:8090'
when: ext_matrix_ma1sd_auth_store == 'LDAP/AD'
- name: Strip header from ma1sd configuration extension if using internal auth
set_fact:
ext_matrix_ma1sd_configuration_extension_yaml_parsed: "{{ ext_matrix_ma1sd_configuration_extension_yaml.splitlines() | reject('search', '^matrix_client_element_configuration_extension_json:') | list }}"
when: ext_matrix_ma1sd_auth_store == 'LDAP/AD'
- name: Remove entire ma1sd configuration extension
delegate_to: 127.0.0.1
replace:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: '^.*\n'
after: '# Start ma1sd Extension'
before: '# End ma1sd Extension'
- name: Replace conjoined ma1sd configuration extension limiters
delegate_to: 127.0.0.1
replace:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: '^# Start ma1sd Extension# End ma1sd Extension'
replace: '# Start ma1sd Extension\n# End ma1sd Extension'
- name: Insert ma1sd configuration extension header if using external LDAP/AD with ma1sd
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
line: "matrix_ma1sd_configuration_extension_yaml: |"
insertafter: '# Start ma1sd Extension'
when: ext_matrix_ma1sd_auth_store == 'LDAP/AD'
- name: Set ma1sd configuration extension if using external LDAP/AD with ma1sd
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
insertbefore: '# End ma1sd Extension'
line: '{{ item }}'
with_items: "{{ ext_matrix_ma1sd_configuration_extension_yaml_parsed }}"
when: ext_matrix_ma1sd_auth_store == 'LDAP/AD'
- name: Record ma1sd Custom variables locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertbefore: '# Custom Settings'
with_dict:
'ext_matrix_ma1sd_auth_store': '{{ ext_matrix_ma1sd_auth_store }}'
'ext_matrix_ma1sd_configuration_extension_yaml': '{{ ext_matrix_ma1sd_configuration_extension_yaml.splitlines() | to_json }}'
- name: Copy new 'matrix_vars.yml' to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
dest: '/matrix/awx/matrix_vars.yml'
mode: '0660'
- name: Save new 'Configure ma1sd' survey.json to the AWX tower, template
delegate_to: 127.0.0.1
template:
src: 'roles/matrix-awx/surveys/configure_ma1sd.json.j2'
dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_ma1sd.json'
- name: Copy new 'Configure ma1sd' survey.json to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_ma1sd.json'
dest: '/matrix/awx/configure_ma1sd.json'
mode: '0660'
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
- name: Recreate 'Configure ma1sd (Advanced)' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
name: "{{ matrix_domain }} - 1 - Configure ma1sd (Advanced)"
description: "Configure Jitsi conferencing settings."
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
job_type: run
job_tags: "start,setup-ma1sd"
inventory: "{{ member_id }}"
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
playbook: setup.yml
credential: "{{ member_id }} - AWX SSH Key"
survey_enabled: true
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_ma1sd.json') }}"
become_enabled: yes
state: present
verbosity: 1
tower_host: "https://{{ tower_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}"
validate_certs: yes
# ^ This playbook isn't executing so the survey isn't being updated! :P
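Review bot: 'Strip header from ma1sd configuration extension' rejects lines matching `^matrix_client_element_configuration_extension_json:` (the Element key, pasted from another task file) rather than `^matrix_ma1sd_configuration_extension_yaml:`, so a user-supplied extension that begins with its own header is written with the header twice and the resulting YAML is invalid. The job template description 'Configure Jitsi conferencing settings.' is likewise copied from the Jitsi file. The trailing comment states that the template task is not executing and the survey is not being updated; that should be fixed or tracked as an issue before merge rather than shipped as a comment. The REST auth endpoint `http://matrix-ma1sd:8090` is plain HTTP, which is fine only on the internal container network; a comment saying so would stop someone pointing it at an external host.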

@ -0,0 +1,232 @@
- name: Limit max upload size to 100MB part 1
set_fact:
matrix_synapse_max_upload_size_mb: "100"
when: matrix_synapse_max_upload_size_mb_raw|int >= 100
- name: Limit max upload size to 100MB part 2
set_fact:
matrix_synapse_max_upload_size_mb: "{{ matrix_synapse_max_upload_size_mb_raw }}"
when: matrix_synapse_max_upload_size_mb_raw|int < 100
- name: Record Synapse variables locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Synapse Settings'
with_dict:
'matrix_synapse_allow_public_rooms_over_federation': '{{ matrix_synapse_allow_public_rooms_over_federation }}'
'matrix_synapse_enable_registration': '{{ matrix_synapse_enable_registration }}'
'matrix_synapse_federation_enabled': '{{ matrix_synapse_federation_enabled }}'
'matrix_synapse_enable_group_creation': '{{ matrix_synapse_enable_group_creation }}'
'matrix_synapse_use_presence': '{{ matrix_synapse_use_presence }}'
'matrix_synapse_max_upload_size_mb': '{{ matrix_synapse_max_upload_size_mb }}'
'matrix_synapse_url_preview_enabled': '{{ matrix_synapse_url_preview_enabled }}'
'matrix_synapse_allow_guest_access': '{{ matrix_synapse_allow_guest_access }}'
- name: Empty Synapse variable 'matrix_synapse_auto_join_rooms' locally on AWX, if raw inputs empty
delegate_to: 127.0.0.1
replace:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "^matrix_synapse_auto_join_rooms: .*$"
replace: "matrix_synapse_auto_join_rooms: []"
when: matrix_synapse_auto_join_rooms_raw|length == 0
- name: If the raw inputs is not empty start constructing parsed auto_join_rooms list
set_fact:
matrix_synapse_auto_join_rooms_array: |-
{{ matrix_synapse_auto_join_rooms_raw.splitlines() | to_json }}
when: matrix_synapse_auto_join_rooms_raw|length > 0
- name: Record Synapse variable 'matrix_synapse_auto_join_rooms' locally on AWX, if it's not blank
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Synapse Settings'
with_dict:
"matrix_synapse_auto_join_rooms": "{{ matrix_synapse_auto_join_rooms_array }}"
when: matrix_synapse_auto_join_rooms_raw|length > 0
- name: Record Synapse Shared Secret if it's defined
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Synapse Settings'
with_dict:
'matrix_synapse_registration_shared_secret': '{{ matrix_synapse_registration_shared_secret }}'
when: matrix_synapse_registration_shared_secret|length > 0
- name: Record registations_require_3pid extra variable if true
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "{{ item }}:"
line: "{{ item }}"
insertbefore: '# End Synapse Extension'
with_items:
- " registrations_require_3pid:"
- " - email"
when: ext_registrations_require_3pid|bool
- name: Remove registrations_require_3pid extra variable if false
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "{{ item }}:"
line: "{{ item }}"
insertbefore: '# End Synapse Extension'
state: absent
with_items:
- " registrations_require_3pid:"
- " - email"
when: not ext_registrations_require_3pid|bool
- name: Remove URL Languages
delegate_to: 127.0.0.1
replace:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: '^(?!.*\bemail\b) - [a-zA-Z\-]{2,5}\n'
after: ' url_preview_accept_language:'
before: '# End Synapse Extension'
- name: Set URL languages default if raw inputs empty
set_fact:
ext_url_preview_accept_language_default: 'en'
when: ext_url_preview_accept_language_raw|length == 0
- name: Set URL languages default if raw inputs not empty
set_fact:
ext_url_preview_accept_language_default: "{{ ext_url_preview_accept_language_raw }}"
when: ext_url_preview_accept_language_raw|length > 0
- name: Set URL languages if raw inputs empty
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
insertafter: '^ url_preview_accept_language:'
line: " - {{ ext_url_preview_accept_language_default }}"
when: ext_url_preview_accept_language_raw|length == 0
- name: Set URL languages if raw inputs not empty
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
insertafter: '^ url_preview_accept_language:'
line: " - {{ item }}"
with_items: "{{ ext_url_preview_accept_language_raw.splitlines() }}"
when: ext_url_preview_accept_language_raw|length > 0
- name: Remove Federation Whitelisting 1
delegate_to: 127.0.0.1
replace:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: '^ - [a-z0-9]+\.[a-z0-9.]+\n'
after: ' federation_domain_whitelist:'
before: '# End Synapse Extension'
- name: Remove Federation Whitelisting 2
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
line: " federation_domain_whitelist:"
state: absent
- name: Set Federation Whitelisting 1
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
insertafter: '^matrix_synapse_configuration_extension_yaml: \|'
line: " federation_domain_whitelist:"
when: ext_federation_whitelist_raw|length > 0
- name: Set Federation Whitelisting 2
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
insertafter: '^ federation_domain_whitelist:'
line: " - {{ item }}"
with_items: "{{ ext_federation_whitelist_raw.splitlines() }}"
when: ext_federation_whitelist_raw|length > 0
- name: Record Synapse Custom variables locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertbefore: '# Custom Settings'
with_dict:
'ext_federation_whitelist_raw': '{{ ext_federation_whitelist_raw.splitlines() | to_json }}'
'ext_url_preview_accept_language_default': '{{ ext_url_preview_accept_language_default.splitlines() | to_json }}'
- name: Set ext_recaptcha_public_key to a 'public-key' if undefined
set_fact: ext_recaptcha_public_key="public-key"
when: (ext_recaptcha_public_key is not defined) or (ext_recaptcha_public_key|length == 0)
- name: Set ext_recaptcha_private_key to a 'private-key' if undefined
set_fact: ext_recaptcha_private_key="private-key"
when: (ext_recaptcha_private_key is not defined) or (ext_recaptcha_private_key|length == 0)
- name: Record Synapse Extension variables locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertbefore: '# End Synapse Extension'
with_dict:
' enable_registration_captcha': '{{ ext_enable_registration_captcha }}'
' recaptcha_public_key': '{{ ext_recaptcha_public_key }}'
' recaptcha_private_key': '{{ ext_recaptcha_private_key }}'
- name: Copy new 'matrix_vars.yml' to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
dest: '/matrix/awx/matrix_vars.yml'
mode: '0660'
- name: Save new 'Configure Synapse' survey.json to the AWX tower, template
delegate_to: 127.0.0.1
template:
src: 'roles/matrix-awx/surveys/configure_synapse.json.j2'
dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}//configure_synapse.json'
- name: Copy new 'Configure Synapse' survey.json to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_synapse.json'
dest: '/matrix/awx/configure_synapse.json'
mode: '0660'
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
- name: Recreate 'Configure Synapse' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
name: "{{ matrix_domain }} - 1 - Configure Synapse"
description: "Configure Synapse (homeserver) settings."
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
job_type: run
job_tags: "start,setup-synapse"
inventory: "{{ member_id }}"
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
playbook: setup.yml
credential: "{{ member_id }} - AWX SSH Key"
survey_enabled: true
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_synapse.json') }}"
become_enabled: yes
state: present
verbosity: 1
tower_host: "https://{{ tower_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}"
validate_certs: yes
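Review bot: in 'Remove registrations_require_3pid extra variable if false' the regexp `"{{ item }}:"` expands to `" - email:"` for the second item, which never matches the `" - email"` line the 'if true' task wrote, so switching the option off removes the `registrations_require_3pid:` key but leaves an orphaned `- email` item inside `matrix_synapse_configuration_extension_yaml`; use an anchored, escaped per-line regexp such as `regexp: "^{{ item | regex_escape() }}$"` in both tasks. The same class of bug is in 'Remove Federation Whitelisting 1': `^ - [a-z0-9]+\.[a-z0-9.]+\n` does not match hostnames containing `-` or uppercase letters, so such entries survive a later change to the survey input and stay on the federation whitelist. Separately, 'Record Synapse Shared Secret if it's defined' and 'Record Synapse Extension variables locally on AWX' loop over `matrix_synapse_registration_shared_secret` and `ext_recaptcha_private_key` without `no_log: true`, so both secrets are printed in the AWX job output. 'Set ext_recaptcha_public_key to a 'public-key' if undefined' (and the private-key twin) writes literal placeholder strings into the config; when `ext_enable_registration_captcha` is true and the keys are empty this silently produces a captcha that can never validate, and a `fail` with a clear message would be kinder. Finally, the `dest` in 'Save new 'Configure Synapse' survey.json' has a double slash (`{{ subscription_id }}//configure_synapse.json`), and the token step repeats the `curl -sku` concerns raised on the ma1sd template.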

View file

@ -0,0 +1,56 @@
- name: Record Synapse Admin variables locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# Synapse Admin Settings'
with_dict:
'matrix_synapse_admin_enabled': '{{ matrix_synapse_admin_enabled }}'
- name: Copy new 'matrix_vars.yml' to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
dest: '/matrix/awx/matrix_vars.yml'
mode: '0660'
- name: Save new 'Configure Synapse Admin' survey.json to the AWX tower, template
delegate_to: 127.0.0.1
template:
src: 'roles/matrix-awx/surveys/configure_synapse_admin.json.j2'
dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_synapse_admin.json'
- name: Copy new 'Configure Synapse Admin' survey.json to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_synapse_admin.json'
dest: '/matrix/awx/configure_synapse_admin.json'
mode: '0660'
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
- name: Recreate 'Configure Synapse Admin' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
name: "{{ matrix_domain }} - 1 - Configure Synapse Admin"
description: "Configure 'Synapse Admin', a moderation tool to help you manage your server."
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
job_type: run
job_tags: "start,setup-all"
inventory: "{{ member_id }}"
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
playbook: setup.yml
credential: "{{ member_id }} - AWX SSH Key"
survey_enabled: true
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_synapse_admin.json') }}"
become_enabled: yes
state: present
verbosity: 1
tower_host: "https://{{ tower_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}"
validate_certs: yes
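Review bot: `job_tags: "start,setup-all"` makes the 'Configure Synapse Admin' template run the whole playbook, including the uninstall tasks of every disabled role (see `setup_uninstall.yml` imported under `setup-all` in the go-neb role in this same commit), from a job whose description is configuring one moderation tool; the other templates added here use a targeted tag (`setup-synapse`, `setup-ma1sd`), so this one should use the synapse-admin role's own tag if it exposes one, or the description should say it performs a full setup. The token step is the third copy of the `curl -sku` snippet with the hardcoded `users/1` and no revocation; see the remarks on the ma1sd template, and consider moving it into a single included task file so a fix lands in one place.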

View file

@ -18,12 +18,18 @@ matrix_server_fqn_element: "element.{{ matrix_domain }}"
# This is where you access the Dimension.
matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}"
# For use with Go-NEB! (github callback url for example)
matrix_server_fqn_bot_go_neb: "goneb.{{ matrix_domain }}"
# This is where you access Jitsi.
matrix_server_fqn_jitsi: "jitsi.{{ matrix_domain }}"
# This is where you access Grafana.
matrix_server_fqn_grafana: "stats.{{ matrix_domain }}"
# This is where you access the Sygnal push gateway.
matrix_server_fqn_sygnal: "sygnal.{{ matrix_domain }}"
matrix_federation_public_port: 8448
# The architecture that your server runs.

View file

@ -32,10 +32,3 @@
- setup-ma1sd
- setup-synapse
- setup-nginx-proxy
- import_tasks: "{{ role_path }}/tasks/self_check_dns.yml"
delegate_to: 127.0.0.1
become: false
when: run_self_check|bool
tags:
- self-check
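Review bot: dropping the `self_check_dns.yml` import removes the only check that the `_matrix-identity._tcp` SRV record points at `matrix_server_fqn_matrix` on port 443, and nothing in the visible part of this change says why. If the record is no longer required by ma1sd, the DNS documentation the removed tasks refer to ('Configuring DNS') should be updated in the same change and `run_self_check` checked for remaining uses; if it is still required, removing the check silently lets a misconfigured identity-server lookup through.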

View file

@ -1,23 +0,0 @@
---
- set_fact:
dns_srv_record_checks: []
- block:
- set_fact:
dns_srv_record_check_ma1sd:
service_and_protocol: "_matrix-identity._tcp"
domain: "{{ (matrix_domain + '.') }}"
expected_target: "{{ (matrix_server_fqn_matrix + '.') }}"
expected_port: 443
- name: Determine domains that we require certificates for (ma1sd)
set_fact:
dns_srv_record_checks: "{{ dns_srv_record_checks + [dns_srv_record_check_ma1sd] }}"
when: matrix_ma1sd_enabled|bool
- name: Perform DNS SRV checks
include_tasks: "{{ role_path }}/tasks/self_check_dns_srv.yml"
with_items: "{{ dns_srv_record_checks }}"
loop_control:
loop_var: dns_srv_record_check

View file

@ -1,68 +0,0 @@
---
# This requires the dnspython library which is usually unavailable.
- name: Check DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} using Ansible dig lookup
set_fact:
lookup_dig_srv: "{{ lookup('dig', (dns_srv_record_check.service_and_protocol + '.' + dns_srv_record_check.domain + '/SRV'), 'flat=0', wantlist=False) }}"
register: result_lookup_dig_srv
ignore_errors: true
- name: Fail if DNS SRV check via Ansible dig lookup failed for non-dependency reason
fail:
msg: "DNS SRV record check via Ansible dig lookup plugin (which uses the dnspython package) failed. Error is: {{ result_lookup_dig_srv.msg }}"
when: "result_lookup_dig_srv.failed and 'dnspython' not in result_lookup_dig_srv.msg"
# Fallback to using the dig CLI tool if dnspython was unavailable.
- name: Check DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} using dig CLI tool
shell:
cmd: "dig -t srv {{ (dns_srv_record_check.service_and_protocol + '.' + dns_srv_record_check.domain)|quote }}"
register: result_cli_dig_srv
changed_when: false
ignore_errors: true
when: "lookup_dig_srv is not defined"
- name: Fail if dig CLI used and failed
fail:
msg: >-
Failed performing DNS SRV record check.
You neither have the `dnspython` Python package, nor the `dig` program installed locally.
You need to install one of those, so we could perform a DNS SRV record check.
Full error from trying to run `dig`: {{ result_cli_dig_srv }}
when: "lookup_dig_srv is not defined and result_cli_dig_srv.stderr != ''"
# Some DNS servers may respond with '' (stands for "No Answer").
# Most usually, a missing record would yield a 'NXDOMAIN' response.
# In any case, we consider any non-mapping response to mean "missing record".
- name: Fail if DNS SRV record missing (Ansible dig lookup)
fail:
msg: >-
It appears the DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} is not set up correctly (the record is missing).
See the 'Configuring DNS' documentation for this playbook.
when: "lookup_dig_srv is defined and lookup_dig_srv is not mapping"
- name: Fail if DNS SRV record incorrect (Ansible dig lookup)
fail:
msg: >-
It appears the DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} is not set up correctly.
Expected it to point to `{{ dns_srv_record_check.expected_target }}` (port {{ dns_srv_record_check.expected_port }}).
Found it pointing to `{{ lookup_dig_srv.target }}` (port {{ lookup_dig_srv.port }}).
See the 'Configuring DNS' documentation for this playbook.
when: "lookup_dig_srv is defined and (lookup_dig_srv.target != dns_srv_record_check.expected_target or lookup_dig_srv.port != dns_srv_record_check.expected_port)"
# We expect an answer like this:
# ;; ANSWER SECTION:
# _matrix._tcp.DOMAIN. 10800 IN SRV 10 0 8448 matrix.DOMAIN.
- name: Fail if DNS SRV record missing or incorrect (dig CLI tool)
fail:
msg: >-
It appears the DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} is not set up correctly.
Expected it to point to `{{ dns_srv_record_check.expected_target }}` (port {{ dns_srv_record_check.expected_port }}).
See the 'Configuring DNS' documentation for this playbook.
Full response from the `dig` lookup was: {{ result_cli_dig_srv }}
when: "lookup_dig_srv is not defined and (dns_srv_record_check.expected_port|string + ' ' + dns_srv_record_check.expected_target) not in result_cli_dig_srv.stdout"
- name: Report correct DNS SRV record
debug:
msg: >-
The DNS SRV record for `{{ dns_srv_record_check.service_and_protocol }}` on `{{ dns_srv_record_check.domain }}`
points to `{{ dns_srv_record_check.expected_target }}` (port {{ dns_srv_record_check.expected_port }}), as expected.

View file

@ -0,0 +1,231 @@
# Go-NEB is a Matrix bot written in Go. It is the successor to Matrix-NEB, the original Matrix bot written in Python.
# See: https://github.com/matrix-org/go-neb
matrix_bot_go_neb_enabled: true
matrix_bot_go_neb_version: latest
matrix_bot_go_neb_docker_image: "matrixdotorg/go-neb:{{ matrix_bot_go_neb_version }}"
matrix_bot_go_neb_docker_image_force_pull: "{{ matrix_bot_go_neb_docker_image.endswith(':latest') }}"
matrix_bot_go_neb_base_path: "{{ matrix_base_data_path }}/go-neb"
matrix_bot_go_neb_config_path: "{{ matrix_bot_go_neb_base_path }}/config"
matrix_bot_go_neb_config_path_in_container: "/config/config.yaml"
matrix_bot_go_neb_data_path: "{{ matrix_bot_go_neb_base_path }}/data"
matrix_bot_go_neb_data_store_path: "{{ matrix_bot_go_neb_data_path }}/store"
# Controls whether the matrix-bot-go-neb container exposes its HTTP port (tcp/4050 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:4050"), or empty string to not expose.
matrix_bot_go_neb_container_http_host_bind_port: ''
# A list of extra arguments to pass to the container
matrix_bot_go_neb_container_extra_arguments: []
# List of systemd services that matrix-bot-go-neb.service depends on
matrix_bot_go_neb_systemd_required_services_list: ['docker.service']
# List of systemd services that matrix-bot-go-neb.service wants
matrix_bot_go_neb_systemd_wanted_services_list: []
# Database-related configuration fields.
#
# MUST be "sqlite3". No other type is supported.
matrix_bot_go_neb_database_engine: 'sqlite3'
matrix_bot_go_neb_sqlite_database_path_local: "{{ matrix_bot_go_neb_data_path }}/bot.db"
matrix_bot_go_neb_sqlite_database_path_in_container: "/data/bot.db"
matrix_bot_go_neb_storage_database: "{{
{
'sqlite3': (matrix_bot_go_neb_sqlite_database_path_in_container + '?_busy_timeout=5000'),
}[matrix_bot_go_neb_database_engine]
}}"
# The bot's username(s). These users need to be created manually beforehand.
# The access tokens that the bot uses to authenticate.
# Generate one as described in
# https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-dimension.md#access-token
# via curl. With the element method, you might run into decryption problems (see https://github.com/matrix-org/go-neb#quick-start)
matrix_bot_go_neb_clients: []
# - UserID: "@goneb:{{ matrix_domain }}"
# AccessToken: "MDASDASJDIASDJASDAFGFRGER"
# DeviceID: "DEVICE1"
# HomeserverURL: "{{ matrix_homeserver_container_url }}"
# Sync: true
# AutoJoinRooms: true
# DisplayName: "Go-NEB!"
# AcceptVerificationFromUsers: [":{{ matrix_domain }}"]
#
# - UserID: "@another_goneb:{{ matrix_domain }}"
# AccessToken: "MDASDASJDIASDJASDAFGFRGER"
# DeviceID: "DEVICE2"
# HomeserverURL: "{{ matrix_homeserver_container_url }}"
# Sync: false
# AutoJoinRooms: false
# DisplayName: "Go-NEB!"
# AcceptVerificationFromUsers: ["^@admin:{{ matrix_domain }}"]
# The list of realms which Go-NEB is aware of.
# Delete or modify this list as appropriate.
# See the docs for /configureAuthRealm for the full list of options:
# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureAuthRealmRequest
matrix_bot_go_neb_realms: []
# - ID: "github_realm"
# Type: "github"
# Config: {} # No need for client ID or Secret as Go-NEB isn't generating OAuth URLs
# The list of *authenticated* sessions which Go-NEB is aware of.
# Delete or modify this list as appropriate.
# The full list of options are shown below: there is no single HTTP endpoint
# which maps to this section.
# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#Session
matrix_bot_go_neb_sessions: []
# - SessionID: "your_github_session"
# RealmID: "github_realm"
# UserID: "@YOUR_USER_ID:{{ matrix_domain }}" # This needs to be the username of the person that's allowed to use the !github commands
# Config:
# # Populate these fields by generating a "Personal Access Token" on github.com
# AccessToken: "YOUR_GITHUB_ACCESS_TOKEN"
# Scopes: "admin:org_hook,admin:repo_hook,repo,user"
# The list of services which Go-NEB is aware of.
# Delete or modify this list as appropriate.
# See the docs for /configureService for the full list of options:
# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureServiceRequest
matrix_bot_go_neb_services: []
# - ID: "echo_service"
# Type: "echo"
# UserID: "@goneb:{{ matrix_domain }}"
# Config: {}
## Can be obtained from https://developers.giphy.com/dashboard/
# - ID: "giphy_service"
# Type: "giphy"
# UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client
# Config:
# api_key: "qwg4672vsuyfsfe"
# use_downsized: false
#
## This service has been dead for over a year :/
# - ID: "guggy_service"
# Type: "guggy"
# UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client
# Config:
# api_key: "2356saaqfhgfe"
#
## API Key via https://developers.google.com/custom-search/v1/introduction
## CX via http://www.google.com/cse/manage/all
## https://stackoverflow.com/questions/6562125/getting-a-cx-id-for-custom-search-google-api-python
## 'Search the entire web' and 'Image search' enabled for best results
# - ID: "google_service"
# Type: "google"
# UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client
# Config:
# api_key: "AIzaSyA4FD39m9"
# cx: "AIASDFWSRRtrtr"
#
## Get a key via https://api.imgur.com/oauth2/addclient
## Select "oauth2 without callback url"
# - ID: "imgur_service"
# Type: "imgur"
# UserID: "@imgur:{{ matrix_domain }}" # requires a Syncing client
# Config:
# client_id: "AIzaSyA4FD39m9"
# client_secret: "somesecret"
#
# - ID: "wikipedia_service"
# Type: "wikipedia"
# UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client
# Config:
#
# - ID: "rss_service"
# Type: "rssbot"
# UserID: "@another_goneb:{{ matrix_domain }}"
# Config:
# feeds:
# "http://lorem-rss.herokuapp.com/feed?unit=second&interval=60":
# rooms: ["!qmElAGdFYCHoCJuaNt:localhost"]
# must_include:
# author:
# - author1
# description:
# - lorem
# - ipsum
# must_not_include:
# title:
# - Lorem
# - Ipsum
#
# - ID: "github_cmd_service"
# Type: "github"
# UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client
# Config:
# RealmID: "github_realm"
#
# # Make sure your BASE_URL can be accessed by Github!
# - ID: "github_webhook_service"
# Type: "github-webhook"
# UserID: "@another_goneb:{{ matrix_domain }}"
# Config:
# RealmID: "github_realm"
# ClientUserID: "@YOUR_USER_ID:{{ matrix_domain }}" # needs to be an authenticated user so Go-NEB can create webhooks. Check the UserID field in the github_realm in matrix_bot_go_neb_sessions.
# Rooms:
# "!someroom:id":
# Repos:
# "matrix-org/synapse":
# Events: ["push", "issues"]
# "matrix-org/dendron":
# Events: ["pull_request"]
# "!anotherroom:id":
# Repos:
# "matrix-org/synapse":
# Events: ["push", "issues"]
# "matrix-org/dendron":
# Events: ["pull_request"]
#
# - ID: "slackapi_service"
# Type: "slackapi"
# UserID: "@slackapi:{{ matrix_domain }}"
# Config:
# Hooks:
# "hook1":
# RoomID: "!someroom:id"
# MessageType: "m.text" # default is m.text
#
# - ID: "alertmanager_service"
# Type: "alertmanager"
# UserID: "@alertmanager:{{ matrix_domain }}"
# Config:
# # This is for information purposes only. It should point to Go-NEB path as follows:
# # `/services/hooks/<base64 encoded service ID>`
# # Where in this case "service ID" is "alertmanager_service"
# # Make sure your BASE_URL can be accessed by the Alertmanager instance!
# webhook_url: "http://localhost/services/hooks/YWxlcnRtYW5hZ2VyX3NlcnZpY2U"
# # Each room will get the notification with the alert rendered with the given template
# rooms:
# "!someroomid:domain.tld":
# text_template: "{{range .Alerts -}} [{{ .Status }}] {{index .Labels \"alertname\" }}: {{index .Annotations \"description\"}} {{ end -}}"
# html_template: "{{range .Alerts -}} {{ $severity := index .Labels \"severity\" }} {{ if eq .Status \"firing\" }} {{ if eq $severity \"critical\"}} <font color='red'><b>[FIRING - CRITICAL]</b></font> {{ else if eq $severity \"warning\"}} <font color='orange'><b>[FIRING - WARNING]</b></font> {{ else }} <b>[FIRING - {{ $severity }}]</b> {{ end }} {{ else }} <font color='green'><b>[RESOLVED]</b></font> {{ end }} {{ index .Labels \"alertname\"}} : {{ index .Annotations \"description\"}} <a href=\"{{ .GeneratorURL }}\">source</a><br/>{{end -}}"
# msg_type: "m.text" # Must be either `m.text` or `m.notice`
# Default configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#
# For a more advanced customization, you can extend the default (see `matrix_bot_go_neb_configuration_extension_yaml`)
# or completely replace this variable with your own template.
matrix_bot_go_neb_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"
matrix_bot_go_neb_configuration_extension_yaml: |
# Your custom YAML configuration goes here.
# This configuration extends the default starting configuration (`matrix_bot_go_neb_configuration_yaml`).
#
# You can override individual variables from the default configuration, or introduce new ones.
#
# If you need something more special, you can take full control by
# completely redefining `matrix_bot_go_neb_configuration_yaml`.
matrix_bot_go_neb_configuration_extension: "{{ matrix_bot_go_neb_configuration_extension_yaml|from_yaml if matrix_bot_go_neb_configuration_extension_yaml|from_yaml is mapping else {} }}"
# Holds the final configuration (a combination of the default and its extension).
# You most likely don't need to touch this variable. Instead, see `matrix_bot_go_neb_configuration_yaml`.
matrix_bot_go_neb_configuration: "{{ matrix_bot_go_neb_configuration_yaml|from_yaml|combine(matrix_bot_go_neb_configuration_extension, recursive=True) }}"
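Review bot: `matrix_bot_go_neb_enabled: true` as the role default, combined with `validate_config.yml` failing when `matrix_bot_go_neb_clients` is empty, means every existing deployment fails on the next run unless `group_vars/matrix_servers` sets `matrix_bot_go_neb_enabled: false`; the group_vars hunk in this commit only adds `matrix_server_fqn_bot_go_neb`, so please confirm that override exists, since the README lists Go-NEB as optional. In the commented client example, `AcceptVerificationFromUsers: [":{{ matrix_domain }}"]` is a regex fragment that matches every user on the homeserver, so any local account could verify the bot's device; the second example's `"^@admin:{{ matrix_domain }}"` is the safer pattern to show first. The alertmanager example's `webhook_url: "http://localhost/services/hooks/..."` also predates `matrix_server_fqn_bot_go_neb` introduced here and could use that variable.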

View file

@ -0,0 +1,3 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-go-neb.service'] }}"
when: matrix_bot_go_neb_enabled|bool

View file

@ -0,0 +1,21 @@
- import_tasks: "{{ role_path }}/tasks/init.yml"
tags:
- always
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup|bool and matrix_bot_go_neb_enabled|bool"
tags:
- setup-all
- setup-bot-go-neb
- import_tasks: "{{ role_path }}/tasks/setup_install.yml"
when: "run_setup|bool and matrix_bot_go_neb_enabled|bool"
tags:
- setup-all
- setup-bot-go-neb
- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
when: "run_setup|bool and not matrix_bot_go_neb_enabled|bool"
tags:
- setup-all
- setup-bot-go-neb

View file

@ -0,0 +1,50 @@
---
- set_fact:
matrix_bot_go_neb_requires_restart: false
- name: Ensure go-neb paths exist
file:
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_bot_go_neb_config_path }}", when: true }
- { path: "{{ matrix_bot_go_neb_data_path }}", when: true }
- { path: "{{ matrix_bot_go_neb_data_store_path }}", when: true }
when: "item.when|bool"
- name: Ensure go-neb image is pulled
docker_image:
name: "{{ matrix_bot_go_neb_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_bot_go_neb_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_go_neb_docker_image_force_pull }}"
- name: Ensure go-neb config installed
copy:
content: "{{ matrix_bot_go_neb_configuration|to_nice_yaml }}"
dest: "{{ matrix_bot_go_neb_config_path }}/config.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure matrix-bot-go-neb.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-bot-go-neb.service.j2"
dest: "{{ matrix_systemd_path }}/matrix-bot-go-neb.service"
mode: 0644
register: matrix_bot_go_neb_systemd_service_result
- name: Ensure systemd reloaded after matrix-bot-go-neb.service installation
service:
daemon_reload: yes
when: "matrix_bot_go_neb_systemd_service_result.changed|bool"
- name: Ensure matrix-bot-go-neb.service restarted, if necessary
service:
name: "matrix-bot-go-neb.service"
state: restarted
when: "matrix_bot_go_neb_requires_restart|bool"
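Review bot: `matrix_bot_go_neb_requires_restart` is set to `false` at the top and never set to `true`, so 'Ensure matrix-bot-go-neb.service restarted, if necessary' can never fire; 'Ensure go-neb config installed' should `register` its result and set the flag when it changed (or the task should go and the `start` tag be relied on explicitly). Also, `config.yaml` carries Matrix access tokens and third-party API secrets from `matrix_bot_go_neb_clients`/`matrix_bot_go_neb_sessions` but is written with `mode: 0644`; `0640` keeps it readable only by the matrix user and group rather than depending on the `0750` directory alone.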

View file

@ -0,0 +1,35 @@
---
- name: Check existence of matrix-go-neb service
stat:
path: "{{ matrix_systemd_path }}/matrix-bot-go-neb.service"
register: matrix_bot_go_neb_service_stat
- name: Ensure matrix-go-neb is stopped
service:
name: matrix-bot-go-neb
state: stopped
daemon_reload: yes
register: stopping_result
when: "matrix_bot_go_neb_service_stat.stat.exists|bool"
- name: Ensure matrix-bot-go-neb.service doesn't exist
file:
path: "{{ matrix_systemd_path }}/matrix-bot-go-neb.service"
state: absent
when: "matrix_bot_go_neb_service_stat.stat.exists|bool"
- name: Ensure systemd reloaded after matrix-bot-go-neb.service removal
service:
daemon_reload: yes
when: "matrix_bot_go_neb_service_stat.stat.exists|bool"
- name: Ensure Matrix go-neb paths don't exist
file:
path: "{{ matrix_bot_go_neb_base_path }}"
state: absent
- name: Ensure go-neb Docker image doesn't exist
docker_image:
name: "{{ matrix_bot_go_neb_docker_image }}"
state: absent
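Review bot: 'Ensure Matrix go-neb paths don't exist' removes `matrix_bot_go_neb_base_path`, which includes the SQLite store under `matrix_bot_go_neb_data_path`, and `main.yml` imports this file whenever the bot is disabled under `setup-all`, so a user who toggles `matrix_bot_go_neb_enabled` off loses the bot's database with no warning; either keep the data directory or gate the deletion on an explicit variable. The task names 'Check existence of matrix-go-neb service' and 'Ensure matrix-go-neb is stopped' should also say `matrix-bot-go-neb`, the unit they act on.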

View file

@ -0,0 +1,13 @@
---
- name: Fail if there's not at least 1 client
fail:
msg: >-
You need at least 1 client in the matrix_bot_go_neb_clients block.
when: matrix_bot_go_neb_clients is not defined or matrix_bot_go_neb_clients[0] is not defined
- name: Fail if there's not at least 1 service
fail:
msg: >-
You need at least 1 service in the matrix_bot_go_neb_services block.
when: matrix_bot_go_neb_services is not defined or matrix_bot_go_neb_services[0] is not defined
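Review bot: the defaults state that `matrix_bot_go_neb_database_engine` MUST be `sqlite3`, but this file does not check it, and the `matrix_bot_go_neb_storage_database` dict lookup in the defaults will raise an unhelpful template error for any other value; add a `fail` with a message for `matrix_bot_go_neb_database_engine != 'sqlite3'`. The `[0] is not defined` tests work but read oddly; `matrix_bot_go_neb_clients | length == 0` says what is meant.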

View file

@ -0,0 +1,44 @@
# Go-NEB Configuration File
#
# This file provides an alternative way to configure Go-NEB which does not involve HTTP APIs.
#
# This file can be supplied to go-neb by the environment variable `CONFIG_FILE=config.yaml`.
# It will force Go-NEB to operate in "config" mode. This means:
# - Go-NEB will ONLY use the data contained inside this file.
# - All of Go-NEB's /admin HTTP listeners will be disabled. You will be unable to add new services at runtime.
# - The environment variable `DATABASE_URL` will be ignored and an in-memory database will be used instead.
#
# This file is broken down into 4 sections which matches the following HTTP APIs:
# - /configureClient
# - /configureAuthRealm
# - /configureService
# - /requestAuthSession (redirects not supported)
# The list of clients which Go-NEB is aware of.
# Delete or modify this list as appropriate.
# See the docs for /configureClient for the full list of options:
# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ClientConfig
clients:
{{ matrix_bot_go_neb_clients|to_json }}
# The list of realms which Go-NEB is aware of.
# Delete or modify this list as appropriate.
# See the docs for /configureAuthRealm for the full list of options:
# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureAuthRealmRequest
realms:
{{ matrix_bot_go_neb_realms|to_json }}
# The list of *authenticated* sessions which Go-NEB is aware of.
# Delete or modify this list as appropriate.
# The full list of options are shown below: there is no single HTTP endpoint
# which maps to this section.
# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#Session
sessions:
{{ matrix_bot_go_neb_sessions|to_json }}
# The list of services which Go-NEB is aware of.
# Delete or modify this list as appropriate.
# See the docs for /configureService for the full list of options:
# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureServiceRequest
services:
{{ matrix_bot_go_neb_services|to_json }}
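Review bot: this file ends up holding secrets, since `matrix_bot_go_neb_clients` carries the bot's Matrix access tokens and `matrix_bot_go_neb_sessions` is, per the header comment, the list of *authenticated* sessions; the task that renders the template is not part of this diff, so please confirm it writes the file with a restrictive mode (for example `mode: 0640`, owned by the matrix user) rather than the `0644` used for the nginx vhost templates further down. The unit mounts it read-only (`dst=/config,ro`), which is good; a one-line note in the header saying the file contains credentials would help operators who back up `matrix_bot_go_neb_config_path`.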


@ -0,0 +1,49 @@
#jinja2: lstrip_blocks: "True"
[Unit]
Description=Matrix Go-NEB bot
{% for service in matrix_bot_go_neb_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
{% for service in matrix_bot_go_neb_systemd_wanted_services_list %}
Wants={{ service }}
{% endfor %}
DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null'
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null'
ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-go-neb \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--read-only \
--network={{ matrix_docker_network }} \
{% if matrix_bot_go_neb_container_http_host_bind_port %}
-p {{ matrix_bot_go_neb_container_http_host_bind_port }}:4050 \
{% endif %}
-e 'BIND_ADDRESS=:4050' \
-e 'DATABASE_TYPE={{ matrix_bot_go_neb_database_engine }}' \
-e 'BASE_URL=https://{{ matrix_server_fqn_bot_go_neb }}' \
-e 'CONFIG_FILE={{ matrix_bot_go_neb_config_path_in_container }}' \
-e 'DATABASE_URL={{ matrix_bot_go_neb_storage_database }}' \
--mount type=bind,src={{ matrix_bot_go_neb_config_path }},dst=/config,ro \
--mount type=bind,src={{ matrix_bot_go_neb_data_path }},dst=/data \
--entrypoint=/bin/sh \
{% for arg in matrix_bot_go_neb_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_bot_go_neb_docker_image }} \
-c "go-neb /config/config.yaml"
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null'
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null'
Restart=always
RestartSec=30
SyslogIdentifier=matrix-bot-go-neb
[Install]
WantedBy=multi-user.target
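Review bot: `DATABASE_TYPE` and `DATABASE_URL` are passed to the container, but the config template header above states that when `CONFIG_FILE` is set Go-NEB runs in "config" mode, ignores `DATABASE_URL` and uses an in-memory database; the two `-e 'DATABASE_*'` lines are therefore dead, and operators should know that nothing under the `/data` mount is persisted across restarts. Either drop those lines or add a comment explaining why they are kept. The `--cap-drop=ALL --read-only` combination with a read-only config mount is the right shape for this container.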


@ -7,7 +7,7 @@ matrix_appservice_irc_container_self_build: false
matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git"
matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src"
matrix_appservice_irc_version: release-0.23.0
matrix_appservice_irc_version: release-0.25.0
matrix_appservice_irc_docker_image: "docker.io/matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}"
matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}"


@ -32,7 +32,7 @@ matrix_appservice_slack_slack_port: 9003
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9999"), or empty string to not expose.
matrix_appservice_slack_container_http_host_bind_port: ''
matrix_appservice_slack_homeserver_media_url: "matrix.{{ matrix_domain }}"
matrix_appservice_slack_homeserver_media_url: "{{ matrix_server_fqn_matrix }}"
matrix_appservice_slack_homeserver_url: "http://matrix-synapse:8008"
matrix_appservice_slack_homeserver_domain: "{{ matrix_domain }}"
matrix_appservice_slack_appservice_url: 'http://matrix-appservice-slack'


@ -28,7 +28,7 @@ matrix_appservice_webhooks_matrix_port: 6789
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9999"), or empty string to not expose.
matrix_appservice_webhooks_container_http_host_bind_port: ''
matrix_appservice_webhooks_homeserver_media_url: "matrix.{{ matrix_domain }}"
matrix_appservice_webhooks_homeserver_media_url: "{{ matrix_server_fqn_matrix }}"
matrix_appservice_webhooks_homeserver_url: "http://matrix-synapse:8008"
matrix_appservice_webhooks_homeserver_domain: "{{ matrix_domain }}"
matrix_appservice_webhooks_appservice_url: 'http://matrix-appservice-webhooks'


@ -110,5 +110,6 @@ matrix_mautrix_facebook_registration_yaml: |
# See https://github.com/tulir/mautrix-signal/issues/43
sender_localpart: _bot_{{ matrix_mautrix_facebook_appservice_bot_username }}
rate_limited: false
de.sorunome.msc2409.push_ephemeral: true
matrix_mautrix_facebook_registration: "{{ matrix_mautrix_facebook_registration_yaml|from_yaml }}"
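Review bot: `de.sorunome.msc2409.push_ephemeral: true` is added unconditionally here and in the following twelve registration files. It asks the homeserver to forward ephemeral events (typing, presence, read receipts) for the bridge's namespaces, which is more user data flowing into the bridge process and potentially on to the remote network. Suggest exposing it as a per-bridge boolean (hypothetical name `matrix_mautrix_facebook_appservice_push_ephemeral`, defaulting to `true`) so operators can switch it off, and mentioning the behaviour change in CHANGELOG.md.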


@ -110,5 +110,6 @@ matrix_mautrix_hangouts_registration_yaml: |
# See https://github.com/tulir/mautrix-signal/issues/43
sender_localpart: _bot_{{ matrix_mautrix_hangouts_appservice_bot_username }}
rate_limited: false
de.sorunome.msc2409.push_ephemeral: true
matrix_mautrix_hangouts_registration: "{{ matrix_mautrix_hangouts_registration_yaml|from_yaml }}"


@ -100,5 +100,6 @@ matrix_mautrix_instagram_registration_yaml: |
# See https://github.com/tulir/mautrix-signal/issues/43
sender_localpart: _bot_{{ matrix_mautrix_instagram_appservice_bot_username }}
rate_limited: false
de.sorunome.msc2409.push_ephemeral: true
matrix_mautrix_instagram_registration: "{{ matrix_mautrix_instagram_registration_yaml|from_yaml }}"


@ -15,3 +15,4 @@ url: {{ matrix_mautrix_signal_appservice_address }}
# See https://github.com/tulir/mautrix-signal/issues/43
sender_localpart: _bot_{{ matrix_mautrix_signal_appservice_bot_username }}
rate_limited: false
de.sorunome.msc2409.push_ephemeral: true


@ -121,5 +121,6 @@ matrix_mautrix_telegram_registration_yaml: |
sender_localpart: _bot_{{ matrix_mautrix_telegram_appservice_bot_username }}
url: {{ matrix_mautrix_telegram_appservice_address }}
rate_limited: false
de.sorunome.msc2409.push_ephemeral: true
matrix_mautrix_telegram_registration: "{{ matrix_mautrix_telegram_registration_yaml|from_yaml }}"


@ -105,5 +105,6 @@ matrix_mautrix_whatsapp_registration_yaml: |
exclusive: true
- exclusive: true
regex: '^@{{ matrix_mautrix_whatsapp_appservice_bot_username|regex_escape }}:{{ matrix_mautrix_whatsapp_homeserver_domain|regex_escape }}$'
de.sorunome.msc2409.push_ephemeral: true
matrix_mautrix_whatsapp_registration: "{{ matrix_mautrix_whatsapp_registration_yaml|from_yaml }}"


@ -108,5 +108,6 @@ matrix_mx_puppet_discord_registration_yaml: |
rate_limited: false
sender_localpart: _discordpuppet_bot
url: {{ matrix_mx_puppet_discord_appservice_address }}
de.sorunome.msc2409.push_ephemeral: true
matrix_mx_puppet_discord_registration: "{{ matrix_mx_puppet_discord_registration_yaml|from_yaml }}"


@ -107,5 +107,6 @@ matrix_mx_puppet_groupme_registration_yaml: |
rate_limited: false
sender_localpart: _groupmepuppet_bot
url: {{ matrix_mx_puppet_groupme_appservice_address }}
de.sorunome.msc2409.push_ephemeral: true
matrix_mx_puppet_groupme_registration: "{{ matrix_mx_puppet_groupme_registration_yaml|from_yaml }}"


@ -98,5 +98,6 @@ matrix_mx_puppet_instagram_registration_yaml: |
rate_limited: false
sender_localpart: _instagrampuppet_bot
url: {{ matrix_mx_puppet_instagram_appservice_address }}
de.sorunome.msc2409.push_ephemeral: true
matrix_mx_puppet_instagram_registration: "{{ matrix_mx_puppet_instagram_registration_yaml|from_yaml }}"


@ -106,5 +106,6 @@ matrix_mx_puppet_skype_registration_yaml: |
rate_limited: false
sender_localpart: _skypepuppet_bot
url: {{ matrix_mx_puppet_skype_appservice_address }}
de.sorunome.msc2409.push_ephemeral: true
matrix_mx_puppet_skype_registration: "{{ matrix_mx_puppet_skype_registration_yaml|from_yaml }}"


@ -110,5 +110,6 @@ matrix_mx_puppet_slack_registration_yaml: |
rate_limited: false
sender_localpart: _slackpuppet_bot
url: {{ matrix_mx_puppet_slack_appservice_address }}
de.sorunome.msc2409.push_ephemeral: true
matrix_mx_puppet_slack_registration: "{{ matrix_mx_puppet_slack_registration_yaml|from_yaml }}"


@ -107,5 +107,6 @@ matrix_mx_puppet_steam_registration_yaml: |
rate_limited: false
sender_localpart: _steampuppet_bot
url: {{ matrix_mx_puppet_steam_appservice_address }}
de.sorunome.msc2409.push_ephemeral: true
matrix_mx_puppet_steam_registration: "{{ matrix_mx_puppet_steam_registration_yaml|from_yaml }}"


@ -117,5 +117,6 @@ matrix_mx_puppet_twitter_registration_yaml: |
rate_limited: false
sender_localpart: "{{ matrix_mx_puppet_twitter_bot_localpart }}"
url: {{ matrix_mx_puppet_twitter_appservice_address }}
de.sorunome.msc2409.push_ephemeral: true
matrix_mx_puppet_twitter_registration: "{{ matrix_mx_puppet_twitter_registration_yaml|from_yaml }}"


@ -3,7 +3,7 @@ matrix_client_element_enabled: true
matrix_client_element_container_image_self_build: false
matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git"
matrix_client_element_version: v1.7.22
matrix_client_element_version: v1.7.24
matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else 'docker.io/' }}"
matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"


@ -0,0 +1,20 @@
---
- name: Create user account
command: |
/usr/local/bin/matrix-synapse-register-user janitor {{ matrix_awx_janitor_user_password | quote }} 1
register: cmd
when: not matrix_awx_janitor_user_created|bool
no_log: True
- name: Update AWX janitor user created variable
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: 'AWX Settings'
with_dict:
'matrix_awx_janitor_user_created': 'true'
when: not matrix_awx_janitor_user_created|bool
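Review bot: the janitor password is handed to `matrix-synapse-register-user` as a command-line argument, so `no_log: True` hides it from Ansible output but it remains visible to any local user through `ps` or `/proc` for as long as the command runs; if the script can take the password from stdin or an environment variable, prefer that path. Two smaller points: `register: cmd` is never used, and `command: |` wraps a single line, so the block scalar can go. The follow-up `lineinfile` step sets `matrix_awx_janitor_user_created` to `true` whenever the first task ran, which is only correct because a failure there aborts the play (there is no `ignore_errors`); a short comment saying so would save the next reader from wondering.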


@ -1,3 +1,4 @@
- import_tasks: "{{ role_path }}/tasks/start.yml"
when: run_start|bool
tags:
@ -11,7 +12,14 @@
- import_tasks: "{{ role_path }}/tasks/dump_runtime_results.yml"
tags:
- always
- import_tasks: "{{ role_path }}/tasks/awx_post.yml"
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- always
- import_tasks: "{{ role_path }}/tasks/run_docker_prune.yml"
tags:
- run-docker-prune


@ -40,6 +40,7 @@
- {'table': 'dimension_sticker_packs', 'column': 'isPublic', 'default': ''}
- {'table': 'dimension_slack_bridges', 'column': 'isEnabled', 'default': ''}
- {'table': 'dimension_neb_integrations', 'column': 'isPublic', 'default': ''}
- {'table': 'dimension_neb_integrations', 'column': 'isEnabled', 'default': ''}
- {'table': 'dimension_irc_bridges', 'column': 'isEnabled', 'default': ''}
- {'table': 'dimension_irc_bridge_networks', 'column': 'isEnabled', 'default': ''}
- {'table': 'dimension_gitter_bridges', 'column': 'isEnabled', 'default': ''}


@ -2,7 +2,7 @@ matrix_etherpad_enabled: false
matrix_etherpad_base_path: "{{ matrix_base_data_path }}/etherpad"
matrix_etherpad_version: 1.8.7
matrix_etherpad_version: 1.8.12
matrix_etherpad_docker_image: "docker.io/etherpad/etherpad:{{ matrix_etherpad_version }}"
matrix_etherpad_docker_image_force_pull: "{{ matrix_etherpad_docker_image.endswith(':latest') }}"


@ -42,6 +42,9 @@
"percentageToScrollWhenUserPressesArrowUp": 0
},
"socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
"socketIo": {
"maxHttpBufferSize": 10000
},
"loadTest": false,
"importExportRateLimiting": {
"windowMs": 90000,


@ -29,7 +29,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-etherpad \
{{ arg }} \
{% endfor %}
{{ matrix_etherpad_docker_image }} \
node --experimental-worker /opt/etherpad-lite/node_modules/ep_etherpad-lite/node/server.js \
node --experimental-worker src/node/server.js \
--settings /data/settings.json --credentials /data/credentials.json \
--sessionkey /data/sessionkey.json --apikey /data/apijey.json
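Review bot: the unchanged context line `--apikey /data/apijey.json` looks like a typo for `apikey.json`; since this hunk already rewrites the neighbouring `ExecStart` line, it is a good moment to fix it, after checking whether any other task or doc references the misspelt path, because renaming it changes where Etherpad reads and writes its API key file.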


@ -100,7 +100,7 @@ matrix_jitsi_web_interface_config_native_app_name: "Jitsi Meet"
matrix_jitsi_web_interface_config_provider_name: "Jitsi"
matrix_jitsi_web_interface_config_show_powered_by: false
matrix_jitsi_web_interface_config_disable_transcription_subtitles: false
matrix_jisti_web_interface_config_show_deep_linking_image: false
matrix_jitsi_web_interface_config_show_deep_linking_image: false
# Custom configuration to be injected into `interface_config.js`, passed to Jitsi Web.
# This configuration gets appended to the final interface configuration that Jitsi Web uses.


@ -40,3 +40,4 @@
- {'old': 'matrix_jitsi_web_config_start_with_video_muted', 'new': '<Superseded by matrix_jitsi_web_config_start_video_muted_after_nth_participant>'}
- {'old': 'matrix_jitsi_web_interface_config_show_watermark_for_guests', 'new': '<Not applicable anymore>'}
- {'old': 'matrix_jitsi_web_interface_config_invitation_powered_by', 'new': '<Not applicable anymore>'}
- {'old': 'matrix_jisti_web_interface_config_show_deep_linking_image', 'new': 'matrix_jitsi_web_interface_config_show_deep_linking_image'}


@ -177,7 +177,7 @@ var interfaceConfig = {
*/
SHOW_CHROME_EXTENSION_BANNER: false,
SHOW_DEEP_LINKING_IMAGE: {{ matrix_jisti_web_interface_config_show_deep_linking_image|to_json }},
SHOW_DEEP_LINKING_IMAGE: {{ matrix_jitsi_web_interface_config_show_deep_linking_image|to_json }},
SHOW_JITSI_WATERMARK: {{ matrix_jitsi_web_interface_config_show_jitsi_watermark|to_json }},
SHOW_POWERED_BY: {{ matrix_jitsi_web_interface_config_show_powered_by|to_json }},
SHOW_PROMOTIONAL_CLOSE_PAGE: false,


@ -1,5 +1,5 @@
matrix_nginx_proxy_enabled: true
matrix_nginx_proxy_version: 1.19.6-alpine
matrix_nginx_proxy_version: 1.19.8-alpine
# We use an official nginx image, which we fix-up to run unprivileged.
# An alternative would be an `nginxinc/nginx-unprivileged` image, but
@ -9,6 +9,7 @@ matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.
matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy"
matrix_nginx_proxy_data_path: "{{ matrix_nginx_proxy_base_path }}/data"
matrix_nginx_proxy_data_path_in_container: "/nginx-data"
matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_base_path }}/conf.d"
# List of systemd services that matrix-nginx-proxy.service depends on
@ -103,6 +104,10 @@ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname: "riot.{{ matrix_domain }
# Controls whether proxying the Synapse domain should be done.
matrix_nginx_proxy_proxy_synapse_enabled: false
matrix_nginx_proxy_proxy_synapse_hostname: "matrix-nginx-proxy"
matrix_nginx_proxy_proxy_synapse_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}"
# The addresses where the Federation API is, when using Synapse.
matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-synapse:8048"
matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:8048"
# Controls whether proxying the Element domain should be done.
matrix_nginx_proxy_proxy_element_enabled: false
@ -120,6 +125,10 @@ matrix_nginx_proxy_proxy_matrix_federation_port: 8448
matrix_nginx_proxy_proxy_dimension_enabled: false
matrix_nginx_proxy_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}"
# Controls whether proxying the goneb domain should be done.
matrix_nginx_proxy_proxy_bot_go_neb_enabled: false
matrix_nginx_proxy_proxy_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }}"
# Controls whether proxying the jitsi domain should be done.
matrix_nginx_proxy_proxy_jitsi_enabled: false
matrix_nginx_proxy_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}"
@ -128,6 +137,10 @@ matrix_nginx_proxy_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}"
matrix_nginx_proxy_proxy_grafana_enabled: false
matrix_nginx_proxy_proxy_grafana_hostname: "{{ matrix_server_fqn_grafana }}"
# Controls whether proxying the sygnal domain should be done.
matrix_nginx_proxy_proxy_sygnal_enabled: false
matrix_nginx_proxy_proxy_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}"
# Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain)
matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
@ -211,10 +224,6 @@ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ (mat
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem"
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem"
# The addresses where the Federation API is, when using Synapse.
matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-synapse:8048"
matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:8048"
# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}"
@ -236,12 +245,18 @@ matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf).
matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to GoNEB's server configuration (matrix-bot-go-neb.conf).
matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to Jitsi's server configuration (matrix-jitsi.conf).
matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to Grafana's server configuration (matrix-grafana.conf).
matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to Sygnal's server configuration (matrix-sygnal.conf).
matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to the base domain server configuration (matrix-base-domain.conf).
matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []


@ -12,6 +12,8 @@
follow_redirects: none
return_content: true
validate_certs: "{{ well_known_file_check.validate_certs }}"
headers:
Origin: example.com
check_mode: no
register: result_well_known_matrix
ignore_errors: true
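Review bot: sending `Origin: example.com` only makes sense if the response is afterwards checked for an `Access-Control-Allow-Origin` header, and neither this hunk nor the identical one for the identity server shows such a check on `result_well_known_matrix` / `result_well_known_identity`. Either add the assertion (or a comment pointing to where it is made) or drop the header; `example.com` itself is fine here as a reserved name.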
@ -40,6 +42,8 @@
follow_redirects: "{{ well_known_file_check.follow_redirects }}"
return_content: true
validate_certs: "{{ well_known_file_check.validate_certs }}"
headers:
Origin: example.com
check_mode: no
register: result_well_known_identity
ignore_errors: true


@ -79,6 +79,13 @@
mode: 0644
when: matrix_nginx_proxy_proxy_dimension_enabled|bool
- name: Ensure Matrix nginx-proxy configuration for goneb domain exists
template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-go-neb.conf"
mode: 0644
when: matrix_nginx_proxy_proxy_bot_go_neb_enabled|bool
- name: Ensure Matrix nginx-proxy configuration for jitsi domain exists
template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-jitsi.conf.j2"
@ -93,6 +100,13 @@
mode: 0644
when: matrix_nginx_proxy_proxy_grafana_enabled|bool
- name: Ensure Matrix nginx-proxy configuration for sygnal domain exists
template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-sygnal.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-sygnal.conf"
mode: 0644
when: matrix_nginx_proxy_proxy_sygnal_enabled|bool
- name: Ensure Matrix nginx-proxy configuration for Matrix domain exists
template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-domain.conf.j2"
@ -196,6 +210,12 @@
state: absent
when: "not matrix_nginx_proxy_proxy_dimension_enabled|bool"
- name: Ensure Matrix nginx-proxy configuration for goneb domain deleted
file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-go-neb.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_bot_go_neb_enabled|bool"
- name: Ensure Matrix nginx-proxy configuration for jitsi domain deleted
file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-jitsi.conf"
@ -208,6 +228,12 @@
state: absent
when: "not matrix_nginx_proxy_proxy_grafana_enabled|bool"
- name: Ensure Matrix nginx-proxy configuration for sygnal domain deleted
file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-sygnal.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_sygnal_enabled|bool"
- name: Ensure Matrix nginx-proxy homepage for base domain deleted
file:
path: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html"


@ -40,8 +40,8 @@
- name: Fail if required variables are undefined
fail:
msg: "Detected an undefined required variable"
msg: "The `{{ item }}` variable must be defined and have a non-null value"
with_items:
- "matrix_ssl_lets_encrypt_support_email"
when: "vars[item] is none"
when: "vars[item] == '' or vars[item] is none"
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
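Review bot: the new message promises that the variable "must be defined", but `vars[item] == '' or vars[item] is none` resolves `vars[item]` before the comparison, so an undefined variable aborts inside the `when:` expression with a generic templating error instead of this message. Use `vars[item] is not defined or vars[item] is none or vars[item] == ''` (the defined test has to come first so the `or` short-circuits before the comparison).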


@ -0,0 +1,77 @@
#jinja2: lstrip_blocks: "True"
{% macro render_vhost_directives() %}
gzip on;
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
{% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %}
{{- configuration_block }}
{% endfor %}
location / {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
set $backend "matrix-bot-go-neb:4050";
proxy_pass http://$backend;
{% else %}
{# Generic configuration for use outside of our container setup #}
proxy_pass http://127.0.0.1:4050;
{% endif %}
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
}
{% endmacro %}
server {
listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
server_name {{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }};
server_tokens off;
root /dev/null;
{% if matrix_nginx_proxy_https_enabled %}
location /.well-known/acme-challenge {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
set $backend "matrix-certbot:8080";
proxy_pass http://$backend;
{% else %}
{# Generic configuration for use outside of our container setup #}
proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
{% endif %}
}
location / {
return 301 https://$http_host$request_uri;
}
{% else %}
{{ render_vhost_directives() }}
{% endif %}
}
{% if matrix_nginx_proxy_https_enabled %}
server {
listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
server_name {{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }};
server_tokens off;
root /dev/null;
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/fullchain.pem;
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/privkey.pem;
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
{% endif %}
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
{{ render_vhost_directives() }}
}
{% endif %}
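Review bot: compared with the Sygnal vhost added in the same commit, `render_vhost_directives()` here omits `proxy_set_header X-Forwarded-Proto $scheme;` and `add_header X-Frame-Options DENY;`. The unit sets `BASE_URL=https://...` for the bot, so the backend should also learn the scheme of the actual request, and there is no reason for the bot's HTTP endpoint to be frameable; suggest adding both lines for consistency between the two new vhost templates.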


@ -241,6 +241,7 @@ server {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
client_body_buffer_size 25M;
client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M;
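Review bot: `client_body_buffer_size 25M` makes nginx hold up to 25 MB of each federation request body in memory before spilling to a temp file, and it sits next to a `client_max_body_size` that is derived from `matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb`. The fixed 25M is independent of that variable and is multiplied by the number of concurrent federation transactions; consider deriving it from the same variable (or a dedicated one) and documenting the memory trade-off in the defaults file.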


@ -0,0 +1,79 @@
#jinja2: lstrip_blocks: "True"
{% macro render_vhost_directives() %}
gzip on;
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;
{% for configuration_block in matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks %}
{{- configuration_block }}
{% endfor %}
location / {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
set $backend "matrix-sygnal:6000";
proxy_pass http://$backend;
{% else %}
{# Generic configuration for use outside of our container setup #}
proxy_pass http://127.0.0.1:6000;
{% endif %}
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
{% endmacro %}
server {
listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
server_name {{ matrix_nginx_proxy_proxy_sygnal_hostname }};
server_tokens off;
root /dev/null;
{% if matrix_nginx_proxy_https_enabled %}
location /.well-known/acme-challenge {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
set $backend "matrix-certbot:8080";
proxy_pass http://$backend;
{% else %}
{# Generic configuration for use outside of our container setup #}
proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
{% endif %}
}
location / {
return 301 https://$http_host$request_uri;
}
{% else %}
{{ render_vhost_directives() }}
{% endif %}
}
{% if matrix_nginx_proxy_https_enabled %}
server {
listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
server_name {{ matrix_nginx_proxy_proxy_sygnal_hostname }};
server_tokens off;
root /dev/null;
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/fullchain.pem;
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/privkey.pem;
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
{% endif %}
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
{{ render_vhost_directives() }}
}
{% endif %}


@ -33,7 +33,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \
-p {{ matrix_nginx_proxy_container_federation_host_bind_port }}:{{ matrix_nginx_proxy_proxy_matrix_federation_port }} \
{% endif %}
--mount type=bind,src={{ matrix_nginx_proxy_base_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \
--mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst=/nginx-data,ro \
--mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst={{ matrix_nginx_proxy_data_path_in_container }},ro \
--mount type=bind,src={{ matrix_nginx_proxy_confd_path }},dst=/etc/nginx/conf.d,ro \
{% if matrix_ssl_retrieval_method != 'none' %}
--mount type=bind,src={{ matrix_ssl_config_dir_path }},dst={{ matrix_ssl_config_dir_path }},ro \


@ -0,0 +1,95 @@
# Sygnal is a reference Push Gateway for Matrix.
# To make use of it for delivering push notificatins, you'll need to develop/build your own Matrix app.
# Learn more here: https://github.com/matrix-org/sygnal
matrix_sygnal_enabled: false
matrix_sygnal_base_path: "{{ matrix_base_data_path }}/sygnal"
matrix_sygnal_config_path: "{{ matrix_sygnal_base_path }}/config"
matrix_sygnal_data_path: "{{ matrix_sygnal_base_path }}/data"
matrix_sygnal_version: v0.9.0
matrix_sygnal_docker_image: "docker.io/matrixdotorg/sygnal:{{ matrix_sygnal_version }}"
matrix_sygnal_docker_image_force_pull: "{{ matrix_sygnal_docker_image.endswith(':latest') }}"
# List of systemd services that matrix-sygnal.service depends on.
matrix_sygnal_systemd_required_services_list: ['docker.service']
# List of systemd services that matrix-sygnal.service wants
matrix_sygnal_systemd_wanted_services_list: []
# Controls whether the matrix-sygnal container exposes its HTTP port (tcp/6000 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:6000"), or empty string to not expose.
matrix_sygnal_container_http_host_bind_port: ''
# A list of extra arguments to pass to the container
matrix_sygnal_container_extra_arguments: []
# Database-related configuration fields.
#
# To use SQLite, stick to these defaults.
#
# To use Postgres:
# - change the engine (`matrix_sygnal_database_engine: 'postgres'`)
# - adjust your database credentials via the `matrix_sygnal_postgres_*` variables
matrix_sygnal_database_engine: 'sqlite'
matrix_sygnal_sqlite_database_path_local: "{{ matrix_sygnal_data_path }}/sygnal.db"
matrix_sygnal_sqlite_database_path_in_container: "/data/sygnal.db"
matrix_sygnal_database_username: 'matrix_sygnal'
matrix_sygnal_database_password: 'some-password'
matrix_sygnal_database_hostname: 'matrix-postgres'
matrix_sygnal_database_port: 5432
matrix_sygnal_database_name: 'matrix_sygnal'
matrix_sygnal_database_connection_string: 'postgres://{{ matrix_sygnal_database_username }}:{{ matrix_sygnal_database_password }}@{{ matrix_sygnal_database_hostname }}:{{ matrix_sygnal_database_port }}/{{ matrix_sygnal_database_name }}'
# A map (dictionary) of apps instances that this server works with.
#
# Example configuration:
#
# matrix_sygnal_apps:
# com.example.myapp.ios:
# type: apns
# # .. more configuration ..
# com.example.myapp.android:
# type: gcm
# api_key: your_api_key_for_gcm
# # .. more configuration ..
#
# The APNS configuration needs to reference some certificate files.
# One can put these in the `matrix_sygnal_data_path` directory (`/matrix/sygnal/data`), mounted to `/data` in the container.
# The `matrix_sygnal_apps` paths need to use the in-container path (`/data`).
# To install these files via the playbook, one can use the `matrix-aux` role.
# Examples and more details are available in `docs/configuring-playbook-sygnal.md`.
matrix_sygnal_apps: []
matrix_sygnal_metrics_prometheus_enabled: false
# Default Sygnal configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#
# For a more advanced customization, you can extend the default (see `matrix_sygnal_configuration_extension_yaml`)
# or completely replace this variable with your own template.
matrix_sygnal_configuration_yaml: "{{ lookup('template', 'templates/sygnal.yaml.j2') }}"
matrix_sygnal_configuration_extension_yaml: |
# Your custom YAML configuration for Sygnal goes here.
# This configuration extends the default starting configuration (`matrix_sygnal_configuration_yaml`).
#
# You can override individual variables from the default configuration, or introduce new ones.
#
# If you need something more special, you can take full control by
# completely redefining `matrix_sygnal_configuration_yaml`.
#
# Example configuration extension follows:
# metrics:
# opentracing:
# enabled: true
matrix_sygnal_configuration_extension: "{{ matrix_sygnal_configuration_extension_yaml|from_yaml if matrix_sygnal_configuration_extension_yaml|from_yaml is mapping else {} }}"
# Holds the final sygnal configuration (a combination of the default and its extension).
# You most likely don't need to touch this variable. Instead, see `matrix_sygnal_configuration_yaml`.
matrix_sygnal_configuration: "{{ matrix_sygnal_configuration_yaml|from_yaml|combine(matrix_sygnal_configuration_extension, recursive=True) }}"
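Review bot: the default `matrix_sygnal_apps: []` is a list, but the comment above describes it as "A map (dictionary)", the example shows app IDs as mapping keys, and the template emits it verbatim as `apps: {{ matrix_sygnal_apps|to_json }}`, so a default render produces `apps: []` where Sygnal expects a mapping. Suggest `matrix_sygnal_apps: {}` so the default, the documentation and the rendered config agree; the `|length == 0` check in validate_config.yml works for either type, so nothing else needs to change.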

View file

@ -0,0 +1,3 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-sygnal.service'] }}"
when: matrix_sygnal_enabled|bool

View file

@ -0,0 +1,21 @@
- import_tasks: "{{ role_path }}/tasks/init.yml"
tags:
- always
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: run_setup|bool
tags:
- setup-all
- setup-sygnal
- import_tasks: "{{ role_path }}/tasks/setup_install.yml"
when: run_setup|bool and matrix_sygnal_enabled|bool
tags:
- setup-all
- setup-sygnal
- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
when: run_setup|bool and not matrix_sygnal_enabled|bool
tags:
- setup-all
- setup-sygnal

View file

@ -0,0 +1,73 @@
---
- set_fact:
matrix_sygnal_requires_restart: false
- block:
- name: Check if an SQLite database already exists
stat:
path: "{{ matrix_sygnal_sqlite_database_path_local }}"
register: matrix_sygnal_sqlite_database_path_local_stat_result
- block:
- set_fact:
matrix_postgres_db_migration_request:
src: "{{ matrix_sygnal_sqlite_database_path_local }}"
dst: "{{ matrix_sygnal_database_connection_string }}"
caller: "{{ role_path|basename }}"
engine_variable_name: 'matrix_sygnal_database_engine'
engine_old: 'sqlite'
systemd_services_to_stop: ['matrix-sygnal.service']
pgloader_options: ['--with "quote identifiers"']
- import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml"
- set_fact:
matrix_sygnal_requires_restart: true
when: "matrix_sygnal_sqlite_database_path_local_stat_result.stat.exists|bool"
when: "matrix_sygnal_database_engine == 'postgres'"
- name: Ensure Sygnal image is pulled
docker_image:
name: "{{ matrix_sygnal_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_sygnal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_sygnal_docker_image_force_pull }}"
- name: Ensure Sygnal paths exists
file:
path: "{{ item }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_sygnal_base_path }}"
- "{{ matrix_sygnal_config_path }}"
- "{{ matrix_sygnal_data_path }}"
- name: Ensure Sygnal config installed
copy:
content: "{{ matrix_sygnal_configuration|to_nice_yaml }}"
dest: "{{ matrix_sygnal_config_path }}/sygnal.yaml"
mode: 0640
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure matrix-sygnal.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-sygnal.service.j2"
dest: "{{ matrix_systemd_path }}/matrix-sygnal.service"
mode: 0644
register: matrix_sygnal_systemd_service_result
- name: Ensure systemd reloaded after matrix-sygnal.service installation
service:
daemon_reload: yes
when: "matrix_sygnal_systemd_service_result.changed|bool"
- name: Ensure matrix-sygnal.service restarted, if necessary
service:
name: "matrix-sygnal.service"
state: restarted
when: "matrix_sygnal_requires_restart|bool"
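Review bot: `Ensure matrix-sygnal.service restarted, if necessary` only fires on `matrix_sygnal_requires_restart`, which is set solely by the SQLite-to-Postgres migration block; a changed `sygnal.yaml` from the `copy` task or a changed unit file does not set it, so edits to `matrix_sygnal_apps` or the database settings are not applied by this role. If the intent is that the playbook's separate start/restart step handles that, a one-line comment saying so would avoid surprise; otherwise register the `copy` result and extend the `when`. Minor: the task name `Ensure Sygnal paths exists` should read `exist`.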

View file

@ -0,0 +1,35 @@
---
- name: Check existence of matrix-sygnal service
stat:
path: "{{ matrix_systemd_path }}/matrix-sygnal.service"
register: matrix_sygnal_service_stat
- name: Ensure matrix-sygnal is stopped
service:
name: matrix-sygnal
state: stopped
daemon_reload: yes
register: stopping_result
when: "matrix_sygnal_service_stat.stat.exists|bool"
- name: Ensure matrix-sygnal.service doesn't exist
file:
path: "{{ matrix_systemd_path }}/matrix-sygnal.service"
state: absent
when: "matrix_sygnal_service_stat.stat.exists|bool"
- name: Ensure systemd reloaded after matrix-sygnal.service removal
service:
daemon_reload: yes
when: "matrix_sygnal_service_stat.stat.exists|bool"
- name: Ensure Sygnal base directory doesn't exist
file:
path: "{{ matrix_sygnal_base_path }}"
state: absent
- name: Ensure Sygnal Docker image doesn't exist
docker_image:
name: "{{ matrix_sygnal_docker_image }}"
state: absent
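Review bot: `Ensure Sygnal base directory doesn't exist` removes `matrix_sygnal_base_path` wholesale, which includes `matrix_sygnal_data_path`, the directory the defaults ask operators to place their APNs key and certificate files in. Since simply setting `matrix_sygnal_enabled: false` runs this task, the docs should warn that those files (and a SQLite database, when that engine is used) are deleted rather than preserved.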

View file

@ -0,0 +1,13 @@
- name: Fail if no Sygnal apps defined
fail:
msg: >-
Enabling Sygnal requires that you specify at least one app in `matrix_sygnal_apps`
when: "matrix_sygnal_enabled and matrix_sygnal_apps|length == 0"
- name: Fail if running on a non-supported architecture
fail:
msg: >-
Sygnal can only be used on the amd64 architecture for now.
Only amd64 container images are pushed for the `docker.io/matrixdotorg/sygnal` container image.
Either use a different image (by redefining `matrix_sygnal_docker_image`) or consider contributing self-building support to this role.
when: "matrix_sygnal_enabled and matrix_architecture != 'amd64' and matrix_sygnal_docker_image.startswith('docker.io/matrixdotorg/sygnal')"
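Review bot: the first check accepts any non-empty value for `matrix_sygnal_apps`, but the template passes it through unchanged as the `apps:` mapping, so a list of app definitions would pass validation and produce a config Sygnal cannot use. Consider adding `or matrix_sygnal_apps is not mapping` to the condition (and saying so in the message), and, while here, a check that `matrix_sygnal_database_password` is set when `matrix_sygnal_database_engine == 'postgres'`, since the template interpolates it straight into `database.args.password`.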

View file

@ -0,0 +1,288 @@
##
# This is a configuration for Sygnal, the reference Push Gateway for Matrix
# See: matrix.org
##
# The 'database' setting defines the database that sygnal uses to store all of
# its data.
#
# 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or
# 'psycopg2' (for PostgreSQL).
#
# 'args' gives options which are passed through to the database engine,
# except for options starting 'cp_', which are used to configure the Twisted
# connection pool. For a reference to valid arguments, see:
# * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
# * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
# * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__
#
#
# Example SQLite configuration:
#
#database:
# name: sqlite3
# args:
# dbfile: /path/to/database.db
#
#
# Example Postgres configuration:
#
#database:
# name: psycopg2
# args:
# host: localhost
# database: sygnal
# user: sygnal
# password: pass
# cp_min: 1
# cp_max: 5
#
{% if matrix_sygnal_database_engine == 'sqlite' %}
database:
name: sqlite3
args:
dbfile: {{ matrix_sygnal_sqlite_database_path_in_container|to_json }}
{% else %}
database:
name: psycopg2
args:
host: {{ matrix_sygnal_database_hostname|to_json }}
database: {{ matrix_sygnal_database_name|to_json }}
user: {{ matrix_sygnal_database_username|to_json }}
password: {{ matrix_sygnal_database_password|to_json }}
cp_min: 1
cp_max: 5
{% endif %}
## Logging #
#
log:
# Specify a Python logging 'dictConfig', as described at:
# https://docs.python.org/3.7/library/logging.config.html#logging.config.dictConfig
#
setup:
version: 1
formatters:
normal:
format: "%(asctime)s [%(process)d] %(levelname)-5s %(name)s %(message)s"
handlers:
# This handler prints to Standard Error
#
stderr:
class: "logging.StreamHandler"
formatter: "normal"
stream: "ext://sys.stderr"
# This handler prints to Standard Output.
#
stdout:
class: "logging.StreamHandler"
formatter: "normal"
stream: "ext://sys.stdout"
# This handler demonstrates logging to a text file on the filesystem.
# You can use logrotate(8) to perform log rotation.
#
#file:
# class: "logging.handlers.WatchedFileHandler"
# formatter: "normal"
# filename: "./sygnal.log"
loggers:
# sygnal.access contains the access logging lines.
# Comment out this section if you don't want to give access logging
# any special treatment.
#
sygnal.access:
propagate: false
handlers: ["stdout"]
level: "INFO"
# sygnal contains log lines from Sygnal itself.
# You can comment out this section to fall back to the root logger.
#
sygnal:
propagate: false
handlers: ["stderr"]
root:
# Specify the handler(s) to send log messages to.
handlers: ["stderr"]
level: "INFO"
disable_existing_loggers: false
access:
# Specify whether or not to trust the IP address in the `X-Forwarded-For`
# header. In general, you want to enable this if and only if you are using a
# reverse proxy which is configured to emit it.
#
x_forwarded_for: true
## HTTP Server (Matrix Push Gateway API) #
#
http:
# Specify a list of interface addresses to bind to.
#
# This example listens on the IPv4 loopback device:
#bind_addresses: ['127.0.0.1']
# This example listens on all IPv4 interfaces:
#bind_addresses: ['0.0.0.0']
# This example listens on all IPv4 and IPv6 interfaces:
#bind_addresses: ['0.0.0.0', '::']
bind_addresses: ['::']
# Specify the port number to listen on.
#
port: 6000
## Proxying for outgoing connections #
#
# Specify the URL of a proxy to use for outgoing traffic
# (e.g. to Apple & Google) if desired.
# Currently only HTTP proxies with CONNECT capability are supported.
#
# If you do not specify a value, the `HTTPS_PROXY` environment variable will
# be used if present. Otherwise, no proxy will be used.
#
# Default is unspecified.
#
#proxy: 'http://user:secret@prox:8080'
## Metrics #
#
metrics:
## Prometheus #
#
prometheus:
# Specify whether or not to enable Prometheus.
#
enabled: false
# Specify an address for the Prometheus HTTP Server to listen on.
#
address: '0.0.0.0'
# Specify a port for the Prometheus HTTP Server to listen on.
#
port: 8000
## OpenTracing #
#
opentracing:
# Specify whether or not to enable OpenTracing.
#
enabled: false
# Specify an implementation of OpenTracing to use. Currently only 'jaeger'
# is supported.
#
implementation: jaeger
# Specify the service name to be reported to the tracer.
#
service_name: sygnal
# Specify configuration values to pass to jaeger_client.
#
jaeger:
sampler:
type: 'const'
param: 1
# local_agent:
# reporting_host: '127.0.0.1'
# reporting_port:
logging: true
## Sentry #
#
sentry:
# Specify whether or not to enable Sentry.
#
enabled: false
# Specify your Sentry DSN if you enable Sentry
#
#dsn: "https://<key>@sentry.example.org/<project>"
## Pushkins/Apps #
#
# Add a section for every push application here.
# Specify the pushkey for the application and also the type.
# For the type, you may specify a fully-qualified Python classname if desired.
#
#apps:
# This is an example APNs push configuration
#
#com.example.myapp.ios:
# type: apns
#
# # Authentication
# #
# # Two methods of authentication to APNs are currently supported.
# #
# # You can authenticate using a key:
# keyfile: my_key.p8
# key_id: MY_KEY_ID
# team_id: MY_TEAM_ID
# topic: MY_TOPIC
#
# # Or, a certificate can be used instead:
# certfile: com.example.myApp_prod_APNS.pem
#
# # This is the maximum number of in-flight requests *for this pushkin*
# # before additional notifications will be failed.
# # (This is a robustness measure to prevent one pushkin stacking up with
# # queued requests and saturating the inbound connection queue of a load
# # balancer or reverse proxy).
# # Defaults to 512 if unset.
# #
# #inflight_request_limit: 512
#
# # Specifies whether to use the production or sandbox APNs server. Note that
# # sandbox tokens should only be used with the sandbox server and vice versa.
# #
# # Valid options are:
# # * production
# # * sandbox
# #
# # The default is 'production'. Uncomment to use the sandbox instance.
# #platform: sandbox
# This is an example GCM/FCM push configuration.
#
#com.example.myapp.android:
# type: gcm
# api_key: your_api_key_for_gcm
#
# # This is the maximum number of connections to GCM servers at any one time
# # the default is 20.
# #max_connections: 20
#
# # This is the maximum number of in-flight requests *for this pushkin*
# # before additional notifications will be failed.
# # (This is a robustness measure to prevent one pushkin stacking up with
# # queued requests and saturating the inbound connection queue of a load
# # balancer or reverse proxy).
# # Defaults to 512 if unset.
# #
# #inflight_request_limit: 512
#
# # This allows you to specify additional options to send to Firebase.
# #
# # Of particular interest, admins who wish to support iOS apps using Firebase
# # probably wish to set content_available, and may need to set mutable_content.
# # (content_available allows your iOS app to be woken up by data messages,
# # and mutable_content allows your notification to be modified by a
# # Notification Service app extension).
# #
# # See https://firebase.google.com/docs/cloud-messaging/http-server-ref
# # for the exhaustive list of valid options.
# #
# # Do not specify `data`, `priority`, `to` or `registration_ids` as they may
# # be overwritten or lead to an invalid request.
# #
# #fcm_options:
# # content_available: true
# # mutable_content: true
apps: {{ matrix_sygnal_apps|to_json }}
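Review bot: `matrix_sygnal_metrics_prometheus_enabled` is declared in the role defaults but the template hard-codes `enabled: false` under `metrics.prometheus`, so the variable has no effect; either render it as `enabled: {{ matrix_sygnal_metrics_prometheus_enabled|to_json }}` (and template the `address`/`port` beside it) or drop the default. Also, `x_forwarded_for: true` is only appropriate when every request reaches Sygnal through the reverse proxy; if `matrix_sygnal_container_http_host_bind_port` is used to publish port 6000 directly, clients can supply their own `X-Forwarded-For` and the access log will record whatever address they claim, which deserves a sentence in the docs.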

View file

@ -0,0 +1,42 @@
#jinja2: lstrip_blocks: "True"
[Unit]
Description=Matrix Sygnal
{% for service in matrix_sygnal_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
{% for service in matrix_sygnal_systemd_wanted_services_list %}
Wants={{ service }}
{% endfor %}
DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-sygnal 2>/dev/null'
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-sygnal 2>/dev/null'
ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-sygnal \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--env=SYGNAL_CONF=/config/sygnal.yaml \
--network={{ matrix_docker_network }} \
{% if matrix_sygnal_container_http_host_bind_port %}
-p {{ matrix_sygnal_container_http_host_bind_port }}:6000 \
{% endif %}
--mount type=bind,src={{ matrix_sygnal_config_path }},dst=/config \
--mount type=bind,src={{ matrix_sygnal_data_path }},dst=/data \
{% for arg in matrix_sygnal_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_sygnal_docker_image }}
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-sygnal 2>/dev/null'
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-sygnal 2>/dev/null'
Restart=always
RestartSec=30
SyslogIdentifier=matrix-sygnal
[Install]
WantedBy=multi-user.target
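Review bot: unlike the Synapse units touched in this same change, this container runs without `--read-only` and mounts `/config` read-write, although Sygnal only needs to read `sygnal.yaml` and write to `/data` (the SQLite file when that engine is used). Suggest `--read-only` together with `--mount type=bind,src={{ matrix_sygnal_config_path }},dst=/config,readonly`, and the same `--tmpfs=/tmp:rw,noexec,nosuid,...` the synapse units pair with `--read-only`. `--cap-drop=ALL` and the unprivileged `--user` are already in place, which is good.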

View file

@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
# amd64 gets released first.
# arm32 relies on self-building, so the same version can be built immediately.
# arm64 users need to wait for a prebuilt image to become available.
matrix_synapse_version: v1.29.0
matrix_synapse_version_arm64: v1.29.0
matrix_synapse_version: v1.30.1
matrix_synapse_version_arm64: v1.30.1
matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
@ -181,6 +181,26 @@ matrix_synapse_allow_public_rooms_without_auth: false
# For private servers, you most likely wish to forbid it.
matrix_synapse_allow_public_rooms_over_federation: false
# Whether to require authentication to retrieve profile data (avatars,
# display names) of other users through the client API. Defaults to
# 'false'. Note that profile data is also available via the federation
# API, so this setting is of limited value if federation is enabled on
# the server.
matrix_synapse_require_auth_for_profile_requests: false
# Set to true to require a user to share a room with another user in order
# to retrieve their profile information. Only checked on Client-Server
# requests. Profile requests from other servers should be checked by the
# requesting server. Defaults to 'false'.
matrix_synapse_limit_profile_requests_to_users_who_share_rooms: false
# Set to false to prevent a user's profile data from being retrieved and
# displayed in a room until they have joined it. By default, a user's
# profile data is included in an invite event, regardless of the values
# of the above two settings, and whether or not the users share a server.
# Defaults to 'true'.
matrix_synapse_include_profile_data_on_invite: true
# Controls whether people with access to the homeserver can register by themselves.
matrix_synapse_enable_registration: false
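Review bot: the comment added above `matrix_synapse_require_auth_for_profile_requests` still says profile data is "also available via the federation API ... if federation is enabled", whereas the template change in this same commit rewords that to "unless allow_profile_lookup_over_federation is set to false". Keep the two in sync, and consider exposing that Synapse option as a playbook variable next to these three; otherwise operators who enable `require_auth_for_profile_requests` may assume it also covers lookups over federation.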

View file

@ -65,17 +65,16 @@ use_presence: {{ matrix_synapse_use_presence|to_json }}
# Whether to require authentication to retrieve profile data (avatars,
# display names) of other users through the client API. Defaults to
# 'false'. Note that profile data is also available via the federation
# API, so this setting is of limited value if federation is enabled on
# the server.
# API, unless allow_profile_lookup_over_federation is set to false.
#
#require_auth_for_profile_requests: true
require_auth_for_profile_requests: {{ matrix_synapse_require_auth_for_profile_requests|to_json }}
# Uncomment to require a user to share a room with another user in order
# to retrieve their profile information. Only checked on Client-Server
# requests. Profile requests from other servers should be checked by the
# requesting server. Defaults to 'false'.
#
#limit_profile_requests_to_users_who_share_rooms: true
limit_profile_requests_to_users_who_share_rooms: {{ matrix_synapse_limit_profile_requests_to_users_who_share_rooms|to_json }}
# Uncomment to prevent a user's profile data from being retrieved and
# displayed in a room until they have joined it. By default, a user's
@ -83,7 +82,7 @@ use_presence: {{ matrix_synapse_use_presence|to_json }}
# of the above two settings, and whether or not the users share a server.
# Defaults to 'true'.
#
#include_profile_data_on_invite: false
include_profile_data_on_invite: {{ matrix_synapse_include_profile_data_on_invite|to_json }}
# If set to 'true', removes the need for authentication to access the server's
# public rooms directory through the client API, meaning that anyone can
@ -1777,10 +1776,14 @@ saml2_config:
# offer the user a choice of login mechanisms.
#
# idp_icon: An optional icon for this identity provider, which is presented
# by identity picker pages. If given, must be an MXC URI of the format
# mxc://<server-name>/<media-id>. (An easy way to obtain such an MXC URI
# is to upload an image to an (unencrypted) room and then copy the "url"
# from the source of the event.)
# by clients and Synapse's own IdP picker page. If given, must be an
# MXC URI of the format mxc://<server-name>/<media-id>. (An easy way to
# obtain such an MXC URI is to upload an image to an (unencrypted) room
# and then copy the "url" from the source of the event.)
#
# idp_brand: An optional brand for this identity provider, allowing clients
# to style the login flow according to the identity provider in question.
# See the spec for possible options here.
#
# discover: set to 'false' to disable the use of the OIDC discovery mechanism
# to discover endpoints. Defaults to true.
@ -1790,7 +1793,26 @@ saml2_config:
#
# client_id: Required. oauth2 client id to use.
#
# client_secret: Required. oauth2 client secret to use.
# client_secret: oauth2 client secret to use. May be omitted if
# client_secret_jwt_key is given, or if client_auth_method is 'none'.
#
# client_secret_jwt_key: Alternative to client_secret: details of a key used
# to create a JSON Web Token to be used as an OAuth2 client secret. If
# given, must be a dictionary with the following properties:
#
# key: a pem-encoded signing key. Must be a suitable key for the
# algorithm specified. Required unless 'key_file' is given.
#
# key_file: the path to file containing a pem-encoded signing key file.
# Required unless 'key' is given.
#
# jwt_header: a dictionary giving properties to include in the JWT
# header. Must include the key 'alg', giving the algorithm used to
# sign the JWT, such as "ES256", using the JWA identifiers in
# RFC7518.
#
# jwt_payload: an optional dictionary giving properties to include in
# the JWT payload. Normally this should include an 'iss' key.
#
# client_auth_method: auth method to use when exchanging the token. Valid
# values are 'client_secret_basic' (default), 'client_secret_post' and
@ -1910,7 +1932,7 @@ oidc_providers:
#
#- idp_id: github
# idp_name: Github
# idp_brand: org.matrix.github
# idp_brand: github
# discover: false
# issuer: "https://github.com/"
# client_id: "your-client-id" # TO BE FILLED
@ -2675,19 +2697,20 @@ user_directory:
# Local statistics collection. Used in populating the room directory.
# Settings for local room and user statistics collection. See
# docs/room_and_user_statistics.md.
#
# 'bucket_size' controls how large each statistics timeslice is. It can
# be defined in a human readable short form -- e.g. "1d", "1y".
#
# 'retention' controls how long historical statistics will be kept for.
# It can be defined in a human readable short form -- e.g. "1d", "1y".
#
#
#stats:
# enabled: true
# bucket_size: 1d
# retention: 1y
stats:
# Uncomment the following to disable room and user statistics. Note that doing
# so may cause certain features (such as the room directory) not to work
# correctly.
#
#enabled: false
# The size of each timeslice in the room_stats_historical and
# user_stats_historical tables, as a time period. Defaults to "1d".
#
#bucket_size: 1h
# Server Notices room configuration

View file

@ -17,8 +17,9 @@ ExecStartPre={{ matrix_host_command_sleep }} 5
ExecStart={{ matrix_host_command_docker }} run --rm --name {{ matrix_synapse_worker_container_name }} \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
-e UID={{ matrix_user_uid }} \
-e GID={{ matrix_user_gid }} \
--cap-drop=ALL \
--entrypoint=python \
--read-only \
--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \
--network={{ matrix_docker_network }} \
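Review bot: the worker unit passes the user as `-e UID=...` / `-e GID=...` while the main matrix-synapse unit in this same commit uses the long form `--env=UID=...` / `--env=GID=...` for the same purpose; pick one spelling for both templates. Since `--user={{ matrix_user_uid }}:{{ matrix_user_gid }}` is still set, the process stays unprivileged regardless of what the image's entrypoint does with `UID`/`GID`, so a short comment on why both are needed now that the `--entrypoint=python` override is gone and the `run` subcommand is used would help future readers.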
@ -44,7 +45,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name {{ matrix_synapse_wor
{{ arg }} \
{% endfor %}
{{ matrix_synapse_docker_image }} \
-m synapse.app.{{ matrix_synapse_worker_details.type }} -c /data/homeserver.yaml -c /data/{{ matrix_synapse_worker_config_file_name }}
run -m synapse.app.{{ matrix_synapse_worker_details.type }} -c /data/homeserver.yaml -c /data/{{ matrix_synapse_worker_config_file_name }}
ExecStop=-{{ matrix_host_command_docker }} kill {{ matrix_synapse_worker_container_name }}

View file

@ -33,8 +33,9 @@ ExecStartPre={{ matrix_host_command_sleep }} 3
ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--env=UID={{ matrix_user_uid }} \
--env=GID={{ matrix_user_gid }} \
--cap-drop=ALL \
--entrypoint=python \
--read-only \
--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \
--network={{ matrix_docker_network }} \
@ -62,7 +63,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \
{{ arg }} \
{% endfor %}
{{ matrix_synapse_docker_image }} \
-m synapse.app.homeserver -c /data/homeserver.yaml
run -m synapse.app.homeserver -c /data/homeserver.yaml
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse 2>/dev/null'
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse 2>/dev/null'

View file

@ -7,6 +7,7 @@
- roles/matrix-synapse/vars/workers.yml
roles:
- matrix-awx
- matrix-base
- matrix-dynamic-dns
- matrix-mailer
@ -32,6 +33,7 @@
- matrix-bridge-mx-puppet-instagram
- matrix-bridge-sms
- matrix-bot-matrix-reminder-bot
- matrix-bot-go-neb
- matrix-synapse
- matrix-synapse-admin
- matrix-prometheus-node-exporter
@ -44,6 +46,7 @@
- matrix-dimension
- matrix-etherpad
- matrix-email2matrix
- matrix-sygnal
- matrix-nginx-proxy
- matrix-coturn
- matrix-aux