pub-solar/matrix-docker-ansible-deploy
5
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Merge branch 'master' into pub.solar

Browse source
This commit is contained in:
teutat3s 2023-07-01 15:36:26 +02:00
parent 7327fbec43 ce2fc1ab1b
commit 92b02b9660
Signed by: teutat3s
GPG key ID: 18DAE600A6BBE705
29 changed files with 471 additions and 188 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
docs/configuring-playbook-jitsi.md
View file

@ -165,7 +165,7 @@ jitsi_prosody_max_participants: 4 # example value
By default, a single JVB ([Jitsi VideoBridge](https://github.com/jitsi/jitsi-videobridge)) is deployed on the same host as the Matrix server. To allow more video-conferences to happen at the same time, you may need to provision additional JVB services on other hosts.
There is an ansible playbook that can be run with the following tag:
` ansible-playbook -i inventory/hosts --limit jitsi_jvb_servers jitsi_jvb.yml --tags=common,setup-additional-jitsi-jvb,start`
`ansible-playbook -i inventory/hosts --limit jitsi_jvb_servers jitsi_jvb.yml --tags=common,setup-additional-jitsi-jvb,start`
For this role to work you will need an additional section in the ansible hosts file with the details of the JVB hosts, for example:
```
@ -208,6 +208,16 @@ However, it can also be set the ip address of the matrix server. This can be use
jitsi_xmpp_server: "192.168.0.1"
```
For the JVB to be able to contact the XMPP server, the latter must expose the XMPP port (5222). By default, the Matrix server does not expose the
port; only the XMPP container exposes it internally inside the host, which means that the first JVB (which runs on the Matrix server) can reach it but
the additional JVB cannot. The port is exposed by setting `jitsi_prosody_container_jvb_host_bind_port` like this:
```yaml
jitsi_prosody_container_jvb_host_bind_port: 5222
```
(The default is empty; if it's set then docker forwards the port.)
The nginx configuration will also need to be updated in order to deal with the additional JVB servers. This is achieved via its own configuration variable
`matrix_nginx_proxy_proxy_jitsi_additional_jvbs`, which contains a dictionary of server ids to ip addresses.

24
docs/configuring-playbook-synapse-s3-storage-provider.md
View file

@ -30,13 +30,23 @@ After [creating the S3 bucket and configuring it](configuring-playbook-s3.md#buc
```yaml
matrix_synapse_ext_synapse_s3_storage_provider_enabled: true
matrix_synapse_ext_synapse_s3_storage_provider_config_bucket: your-bucket-name
matrix_synapse_ext_synapse_s3_storage_provider_config_region_name: some-region-name # e.g. eu-central-1
matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url: https://s3.REGION_NAME.amazonaws.com # adjust this
matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: access-key-goes-here
matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: secret-key-goes-here
matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class: STANDARD # or STANDARD_IA, etc.
# Authentication Method 1 - (access key id + secret)
# This works on all providers (AWS and other compatible systems).
# Uncomment the variables below to use it.
# matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: access-key-goes-here
# matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: secret-key-goes-here
# Authentication Method 2 - EC2 instance profile which grants permission to access S3
# This only works on AWS when your server is hosted on an EC2 instance with the correct instance profile set.
# Uncomment the variable below to use it.
# matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile: true
# For additional advanced settings, take a look at `roles/custom/matrix-synapse/defaults/main.yml`
```
@ -103,9 +113,17 @@ docker.io/amazon/aws-cli:2.9.16 \
-c 'aws s3 sync /work/. s3://$BUCKET/'
```
#### Copying data to an S3 alternative using the aws-s3 tool
To copy to a provider other than AWS S3 (e.g. Wasabi, Digital Ocean Spaces, etc.), you can use the command for [Copying data to Amazon S3](#copying-data-to-amazon-s3) with an added `--endpoint-url=$ENDPOINT` argument.
Add this argument to the command **as-is** (`$ENDPOINT` is an environment variable corresponding to `matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url`, so you don't need to touch it). Make sure to add the argument **before** the final quote (`'`) of the command.
#### Copying data to Backblaze B2
To copy to Backblaze B2, start a container on the Matrix server like this:
You can copy files to Backblaze B2 either by following the [Copying data to an S3 alternative using the aws-s3 tool](#copying-data-to-an-s3-alternative-using-the-aws-s3-tool) or by using the B2-specific [b2 command-line tool](https://www.backblaze.com/b2/docs/quick_command_line.html) as described below.
To copy the data using the `b2` tool, start a container on the Matrix server like this:
```sh
docker run -it --rm \

1
docs/howto-server-delegation.md
View file

@ -49,6 +49,7 @@ To use DNS SRV record validation, you need to:
- ensure that you are serving the Matrix Federation API (tcp/8448) with a certificate for `<your-domain>` (not `matrix.<your-domain>`!). Getting this certificate to the `matrix.<your-domain>` server may be complicated. The playbook's automatic SSL obtaining/renewal flow will likely not work and you'll need to copy certificates around manually. See below.
For more details on [how to configure the playbook to work with SRV delegation](howto-srv-server-delegation.md)
### Obtaining certificates

206
docs/howto-srv-server-delegation.md Normal file
View file

@ -0,0 +1,206 @@
# Server Delegation via a DNS SRV record (advanced)
**Reminder** : unless you are affected by the [Downsides of well-known-based Server Delegation](howto-server-delegation.md#downsides-of-well-known-based-server-delegation), we suggest you **stay on the simple/default path**: [Server Delegation](howto-server-delegation.md) by [configuring well-known files](configuring-well-known.md) at the base domain.
This guide is about configuring Server Delegation using DNS SRV records (for the [Traefik](https://doc.traefik.io/traefik/) webserver). This method has special requirements when it comes to SSL certificates, so various changes are required.
## Prerequisites
SRV delegation while still using the playbook provided Traefik to get / renew the certificate requires a wildcard certificate.
To obtain / renew one from [Let's Encrypt](https://letsencrypt.org/), one needs to use a [DNS-01 challenge](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge) method instead of the default [HTTP-01](https://letsencrypt.org/docs/challenge-types/#http-01-challenge).
This means that this is **limited to the list of DNS providers supported by Traefik**, unless you bring in your own certificate.
The up-to-date list can be accessed on [traefik's documentation](https://doc.traefik.io/traefik/https/acme/#providers)
## The changes
### Federation Endpoint
```yaml
# To serve the federation from any domain, as long as the path match
matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: PathPrefix(`/_matrix`)
```
This is because with SRV federation, some servers / tools (one of which being the federation tester) try to access the federation API using the resolved IP address instead of the domain name (or they are not using SNI). This change will make Traefik route all traffic for which the path match this rule go to the federation endpoint.
### Tell Traefik which certificate to serve for the federation endpoint
Now that the federation endpoint is not bound to a domain anymore we need to explicitely tell Traefik to use a wildcard certificate in addition to one containing the base name.
This is because the matrix specification expects the federation endpoint to be served using a certificate comatible with the base domain, however, the other resources on the endpoint still need a valid certificate to work.
```yaml
# To let Traefik know which domains' certificates to serve
matrix_nginx_proxy_container_labels_additional_labels: |
traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.main="example.com"
traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.sans="*.example.com"
```
### Configure the DNS-01 challenge for let's encrypt
Since we're now requesting a wildcard certificate, we need to change the ACME challenge method. To request a wildcard certificate from Let's Encrypt we are required to use the DNS-01 challenge.
This will need 3 changes:
1. Add a new certificate resolver that works with DNS-01
2. Configure the resolver to allow access to the DNS zone to configure the records to answer the challenge (refer to [Traefik's documentation](https://doc.traefik.io/traefik/https/acme/#providers) to know which environment variables to set)
3. Tell the playbook to use the new resolver as default
We cannot just disable the default resolver as that would disable SSL in quite a few places in the playbook.
```yaml
# 1. Add a new ACME configuration without having to disable the default one, since it would have a wide range of side effects
devture_traefik_configuration_extension_yaml: |
certificatesResolvers:
dns:
acme:
# To use a staging endpoint for testing purposes, uncomment the line below.
# caServer: https://acme-staging-v02.api.letsencrypt.org/directory
email: {{ devture_traefik_config_certificatesResolvers_acme_email | to_json }}
dnsChallenge:
provider: cloudflare
resolvers:
- "1.1.1.1:53"
- "8.8.8.8:53"
storage: {{ devture_traefik_config_certificatesResolvers_acme_storage | to_json }}
# 2. Configure the environment variables needed by Rraefik to automate the ACME DNS Challenge (example for Cloudflare)
devture_traefik_environment_variables: |
CF_API_EMAIL=redacted
CF_ZONE_API_TOKEN=redacted
CF_DNS_API_TOKEN=redacted
LEGO_DISABLE_CNAME_SUPPORT=true
# 3. Instruct the playbook to use the new ACME configuration
devture_traefik_certResolver_primary: dns
```
## Adjust Coturn's configuration
The last step is to alter the generated Coturn configuration.
By default, Coturn is configured to wait on the certificate for the `matrix.` subdomain using an [instantiated systemd service](https://www.freedesktop.org/software/systemd/man/systemd.service.html#Service%20Templates) using the domain name as the parameter for this service. However, we need to serve the wildcard certificate, which is incompatible with systemd, it will try to expand the `*`, which will break and prevent Coturn from starting.
We also need to indicate to Coturn where the wildcard certificate is.
**⚠ WARNING ⚠** : On first start of the services, Coturn might still fail to start because Traefik is still in the process of obtaining the certificates. If you still get an error, make sure Traefik obtained the certificates and restart the Coturn service (`just start-group coturn`).
This should not happen again afterwards as Traefik will renew certificates well before their expiry date, and the Coturn service is setup to restart periodically.
```yaml
# Only depend on docker.service, this removes the dependency on the certificate exporter, might imply the need to manually restart coturn on the first installation once the certificates are obtained, afterwards, the reload service should handle things
matrix_coturn_systemd_required_services_list: ['docker.service']
# This changes the path of the loaded certificate, while maintaining the original functionality, we're now loading the wildcard certificate.
matrix_coturn_container_additional_volumes: |
{{
(
[
{
'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/fullchain.pem'),
'dst': '/fullchain.pem',
'options': 'ro',
},
{
'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/privkey.pem'),
'dst': '/privkey.pem',
'options': 'ro',
},
] if matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] and matrix_coturn_tls_enabled else []
)
+
(
[
{
'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/certificate.crt'),
'dst': '/certificate.crt',
'options': 'ro',
},
{
'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/privatekey.key'),
'dst': '/privatekey.key',
'options': 'ro',
},
] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else []
)
}}
```
## Full example of a working configuration
```yaml
# Choosing the reverse proxy implementation
matrix_playbook_reverse_proxy_type: playbook-managed-traefik
devture_traefik_config_certificatesResolvers_acme_email: redacted@example.com
# To serve the federation from any domain, as long as the path match
matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: PathPrefix(`/_matrix`)
# To let Traefik know which domains' certificates to serve
matrix_nginx_proxy_container_labels_additional_labels: |
traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.main="example.com"
traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.sans="*.example.com"
# Add a new ACME configuration without having to disable the default one, since it would have a wide range of side effects
devture_traefik_configuration_extension_yaml: |
certificatesResolvers:
dns:
acme:
# To use a staging endpoint for testing purposes, uncomment the line below.
# caServer: https://acme-staging-v02.api.letsencrypt.org/directory
email: {{ devture_traefik_config_certificatesResolvers_acme_email | to_json }}
dnsChallenge:
provider: cloudflare
resolvers:
- "1.1.1.1:53"
- "8.8.8.8:53"
storage: {{ devture_traefik_config_certificatesResolvers_acme_storage | to_json }}
# Instruct thep laybook to use the new ACME configuration
devture_traefik_certResolver_primary: "dns"
# Configure the environment variables needed by Traefik to automate the ACME DNS Challenge (example for Cloudflare)
devture_traefik_environment_variables: |
CF_API_EMAIL=redacted
CF_ZONE_API_TOKEN=redacted
CF_DNS_API_TOKEN=redacted
LEGO_DISABLE_CNAME_SUPPORT=true
# Only depend on docker.service, this removes the dependency on the certificate exporter, might imply the need to manually restart Coturn on the first installation once the certificates are obtained, afterwards, the reload service should handle things
matrix_coturn_systemd_required_services_list: ['docker.service']
# This changes the path of the loaded certificate, while maintaining the original functionality, we're now loading the wildcard certificate.
matrix_coturn_container_additional_volumes: |
{{
(
[
{
'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/fullchain.pem'),
'dst': '/fullchain.pem',
'options': 'ro',
},
{
'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/privkey.pem'),
'dst': '/privkey.pem',
'options': 'ro',
},
] if matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] and matrix_coturn_tls_enabled else []
)
+
(
[
{
'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/certificate.crt'),
'dst': '/certificate.crt',
'options': 'ro',
},
{
'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/privatekey.key'),
'dst': '/privatekey.key',
'options': 'ro',
},
] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else []
)
}}
```

4
examples/hosts
View file

@ -2,7 +2,9 @@
# If you'd rather use a local IP here, make sure to set up `matrix_coturn_turn_external_ip_address`.
#
# To connect using a non-root user (and elevate to root with sudo later),
# replace `ansible_ssh_user=root` with something like this: `ansible_ssh_user=username become=true become_user=root`
# replace `ansible_ssh_user=root` with something like this: `ansible_ssh_user=username become=true become_user=root`.
# If sudo requires a password, either add `become_password=PASSWORD_HERE` to the host line
# or tell Ansible to ask you for the password interactively by adding a `--ask-become-pass` (`-K`) flag to all `ansible-playbook` (or `just`) commands.
#
# For improved Ansible performance, SSH pipelining is enabled by default in `ansible.cfg`.
# If this causes SSH connection troubles, disable it by adding `ansible_ssh_pipelining=False`

11
group_vars/jitsi_jvb_servers Normal file
View file

@ -0,0 +1,11 @@
jitsi_architecture: "{{ matrix_architecture }}"
jitsi_hostname: "{{ matrix_server_fqn_jitsi }}"
jitsi_uid: "{{ matrix_user_uid }}"
jitsi_gid: "{{ matrix_user_gid }}"
devture_systemd_service_manager_services_list_auto: |
{{
([{'name': (jitsi_identifier + '-jvb.service'), 'priority': 4100, 'groups': ['matrix', 'jitsi', 'jitsi-jvb']}] if jitsi_enabled else [])
}}
matrix_playbook_docker_installation_enabled: true

2
group_vars/matrix_servers
View file

@ -192,7 +192,7 @@ matrix_homeserver_app_service_config_files_auto: |
# This list is not exhaustive and final.
# Synapse workers are still injected into the list at runtime.
# Additional JVB workers (playbooks/jitsi_jvb.yml -- roles/galaxy/jitsi/tasks/init_additional_jvb.yml) override this variable at runtime as well.
# Additional JVB workers (jitsi_jvb.yml -- roles/galaxy/jitsi/tasks/init_additional_jvb.yml) override this variable at runtime as well.
#
# Priority levels are like this:
# - core services (the homeserver) get a level of ~1000

35
jitsi_jvb.yml Normal file
View file

@ -0,0 +1,35 @@
---
- name: "Set up additional Jitsi JVB servers"
hosts: "jitsi_jvb_servers"
become: true
roles:
- role: galaxy/com.devture.ansible.role.playbook_help
- role: galaxy/com.devture.ansible.role.systemd_docker_base
- when: matrix_playbook_docker_installation_enabled | bool
role: galaxy/geerlingguy.docker
vars:
docker_install_compose: false
tags:
- setup-docker
- setup-all
- setup-additional-jitsi-jvb
- install-docker
- install-all
- when: devture_docker_sdk_for_python_installation_enabled | bool
role: galaxy/com.devture.ansible.role.docker_sdk_for_python
tags:
- setup-docker
- setup-all
- setup-additional-jitsi-jvb
- install-docker
- install-all
- custom/matrix-base
- galaxy/jitsi
- custom/matrix-common-after
- when: devture_systemd_service_manager_enabled | bool
role: galaxy/com.devture.ansible.role.systemd_service_manager

12
playbooks/jitsi_jvb.yml
View file

@ -1,12 +0,0 @@
---
- name: "Set up additional Jitsi JVB servers"
hosts: "jitsi_jvb_servers"
become: true
roles:
- role: galaxy/com.devture.ansible.role.playbook_help
- role: galaxy/com.devture.ansible.role.systemd_docker_base
- custom/matrix-base
- galaxy/jitsi
- custom/matrix-common-after

143
playbooks/matrix.yml
View file

@ -1,143 +0,0 @@
---
- name: "Set up a Matrix server"
hosts: "{{ target if target is defined else 'matrix_servers' }}"
become: true
roles:
# Most of the roles below are not distributed with the playbook, but downloaded separately using `ansible-galaxy` via the `just roles` command (see `justfile`).
- role: galaxy/com.devture.ansible.role.playbook_help
- role: galaxy/com.devture.ansible.role.systemd_docker_base
- role: custom/matrix_playbook_migration
- when: matrix_playbook_docker_installation_enabled | bool
role: galaxy/geerlingguy.docker
vars:
docker_install_compose: false
tags:
- setup-docker
- setup-all
- install-docker
- install-all
- when: devture_docker_sdk_for_python_installation_enabled | bool
role: galaxy/com.devture.ansible.role.docker_sdk_for_python
tags:
- setup-docker
- setup-all
- install-docker
- install-all
- when: devture_timesync_installation_enabled | bool
role: galaxy/com.devture.ansible.role.timesync
tags:
- setup-timesync
- setup-all
- install-timesync
- install-all
- custom/matrix-base
- custom/matrix-dynamic-dns
- custom/matrix-mailer
- role: galaxy/com.devture.ansible.role.postgres
- galaxy/redis
- custom/matrix-corporal
- custom/matrix-bridge-appservice-discord
- custom/matrix-bridge-appservice-slack
- custom/matrix-bridge-appservice-webhooks
- custom/matrix-bridge-appservice-irc
- custom/matrix-bridge-appservice-kakaotalk
- custom/matrix-bridge-beeper-linkedin
- custom/matrix-bridge-go-skype-bridge
- custom/matrix-bridge-mautrix-facebook
- custom/matrix-bridge-mautrix-twitter
- custom/matrix-bridge-mautrix-hangouts
- custom/matrix-bridge-mautrix-googlechat
- custom/matrix-bridge-mautrix-instagram
- custom/matrix-bridge-mautrix-signal
- custom/matrix-bridge-mautrix-telegram
- custom/matrix-bridge-mautrix-whatsapp
- custom/matrix-bridge-mautrix-discord
- custom/matrix-bridge-mautrix-slack
- custom/matrix-bridge-mx-puppet-discord
- custom/matrix-bridge-mx-puppet-groupme
- custom/matrix-bridge-mx-puppet-steam
- custom/matrix-bridge-mx-puppet-slack
- custom/matrix-bridge-mx-puppet-twitter
- custom/matrix-bridge-mx-puppet-instagram
- custom/matrix-bridge-sms
- custom/matrix-bridge-heisenbridge
- custom/matrix-bridge-hookshot
- custom/matrix-bot-matrix-reminder-bot
- custom/matrix-bot-matrix-registration-bot
- custom/matrix-bot-maubot
- custom/matrix-bot-buscarron
- custom/matrix-bot-honoroit
- custom/matrix-bot-postmoogle
- custom/matrix-bot-go-neb
- custom/matrix-bot-mjolnir
- custom/matrix-bot-draupnir
- custom/matrix-bot-chatgpt
- custom/matrix-cactus-comments
- custom/matrix-rageshake
- custom/matrix-synapse
- custom/matrix-synapse-auto-compressor
- custom/matrix-synapse-reverse-proxy-companion
- custom/matrix-dendrite
- custom/matrix-conduit
- custom/matrix-synapse-admin
- galaxy/prometheus_node_exporter
- galaxy/prometheus_postgres_exporter
- custom/matrix-prometheus-nginxlog-exporter
- galaxy/prometheus
- galaxy/grafana
- custom/matrix-prometheus-services-connect
- custom/matrix-prometheus-services-proxy-connect
- custom/matrix-registration
- custom/matrix-client-element
- custom/matrix-client-hydrogen
- custom/matrix-client-cinny
- galaxy/jitsi
- custom/matrix-user-verification-service
- custom/matrix-ldap-registration-proxy
- custom/matrix-ma1sd
- custom/matrix-dimension
- galaxy/etherpad
- custom/etherpad-proxy-connect
- custom/matrix-sliding-sync
- custom/matrix-email2matrix
- custom/matrix-sygnal
- galaxy/ntfy
- custom/matrix-nginx-proxy
- custom/matrix-coturn
- role: galaxy/aux
- role: galaxy/com.devture.ansible.role.postgres_backup
- role: galaxy/backup_borg
- custom/matrix-user-creator
- custom/matrix-common-after
- role: galaxy/com.devture.ansible.role.container_socket_proxy
- role: galaxy/com.devture.ansible.role.traefik
- role: galaxy/com.devture.ansible.role.traefik_certs_dumper
- when: devture_systemd_service_manager_enabled | bool
role: galaxy/com.devture.ansible.role.systemd_service_manager
# This is pretty much last, because we want it to better serve as a "last known good configuration".
# See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2217#issuecomment-1301487601
- when: devture_playbook_state_preserver_enabled | bool
role: galaxy/com.devture.ansible.role.playbook_state_preserver
tags:
- setup-all
- install-all
- role: galaxy/com.devture.ansible.role.playbook_runtime_messages

16
requirements.yml
View file

@ -2,9 +2,9 @@
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git
version: v1.0.0-1
name: aux
name: auxiliary
- src: git+https://gitlab.com/etke.cc/roles/backup_borg.git
version: v1.2.4-1.7.14-0
version: v1.2.4-1.7.15-0
- src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git
version: v0.1.1-2
- src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
@ -26,28 +26,28 @@
- src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
version: v1.0.0-0
- src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
version: v2.10.1-2
version: v2.10.3-0
- src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git
version: v2.8.1-0
- src: git+https://gitlab.com/etke.cc/roles/etherpad.git
version: v1.8.18-2
version: v1.9.0-0
- src: git+https://github.com/geerlingguy/ansible-role-docker
version: 6.1.0
name: geerlingguy.docker
- src: git+https://gitlab.com/etke.cc/roles/grafana.git
version: v9.5.3-0
version: v10.0.1-0
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
version: v8615-0
name: jitsi
- src: git+https://gitlab.com/etke.cc/roles/ntfy.git
version: v2.5.0-0
version: v2.6.2-0
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
version: v2.44.0-0
version: v2.45.0-0
name: prometheus
- src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git
version: v1.6.0-0
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
version: v0.12.0-0
version: v0.13.1-0
name: prometheus_postgres_exporter
- src: git+https://gitlab.com/etke.cc/roles/redis.git
version: v7.0.10-0

2
roles/custom/matrix-bridge-hookshot/defaults/main.yml
View file

@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false
matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git"
matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}"
matrix_hookshot_version: 4.2.0
matrix_hookshot_version: 4.4.0
matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}"
matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}"

2
roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml
View file

@ -8,7 +8,7 @@ matrix_mautrix_discord_container_image_self_build: false
matrix_mautrix_discord_container_image_self_build_repo: "https://mau.dev/mautrix/discord.git"
matrix_mautrix_discord_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_discord_version == 'latest' else matrix_mautrix_discord_version }}"
matrix_mautrix_discord_version: v0.4.0
matrix_mautrix_discord_version: v0.5.0
# See: https://mau.dev/mautrix/discord/container_registry
matrix_mautrix_discord_docker_image: "{{ matrix_mautrix_discord_docker_image_name_prefix }}mautrix/discord:{{ matrix_mautrix_discord_version }}"
matrix_mautrix_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_discord_container_image_self_build else 'dock.mau.dev/' }}"

2
roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml
View file

@ -8,7 +8,7 @@ matrix_mautrix_googlechat_container_image_self_build: false
matrix_mautrix_googlechat_container_image_self_build_repo: "https://github.com/mautrix/googlechat.git"
matrix_mautrix_googlechat_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_googlechat_version == 'latest' else matrix_mautrix_googlechat_version }}"
matrix_mautrix_googlechat_version: v0.4.0
matrix_mautrix_googlechat_version: v0.5.0
# See: https://mau.dev/mautrix/googlechat/container_registry
matrix_mautrix_googlechat_docker_image: "{{ matrix_mautrix_googlechat_docker_image_name_prefix }}mautrix/googlechat:{{ matrix_mautrix_googlechat_version }}"
matrix_mautrix_googlechat_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_googlechat_container_image_self_build else 'dock.mau.dev/' }}"

6
roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2
View file

@ -143,15 +143,15 @@ bridge:
# application service.
encryption:
# Allow encryption, work in group chat rooms with e2ee enabled
allow: {{ matrix_mautrix_discord_bridge_encryption_allow|to_json }}
allow: {{ matrix_mautrix_instagram_bridge_encryption_allow|to_json }}
# Default to encryption, force-enable encryption in all portals the bridge creates
# This will cause the bridge bot to be in private chats for the encryption to work properly.
default: {{ matrix_mautrix_discord_bridge_encryption_default|to_json }}
default: {{ matrix_mautrix_instagram_bridge_encryption_default|to_json }}
# Options for automatic key sharing.
key_sharing:
# Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
# You must use a client that supports requesting keys from other users to use this feature.
allow: {{ matrix_mautrix_discord_bridge_encryption_key_sharing_allow|to_json }}
allow: {{ matrix_mautrix_instagram_bridge_encryption_key_sharing_allow|to_json }}
# Require the requesting device to have a valid cross-signing signature?
# This doesn't require that the bridge has verified the device, only that the user has verified it.
# Not yet implemented.

2
roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
View file

@ -17,7 +17,7 @@ matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git"
matrix_mautrix_telegram_docker_repo_version: "{{ 'master' if matrix_mautrix_telegram_version == 'latest' else matrix_mautrix_telegram_version }}"
matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src"
matrix_mautrix_telegram_version: v0.14.0
matrix_mautrix_telegram_version: v0.14.1
# See: https://mau.dev/mautrix/telegram/container_registry
matrix_mautrix_telegram_docker_image: "{{ matrix_mautrix_telegram_docker_image_name_prefix }}mautrix/telegram:{{ matrix_mautrix_telegram_version }}"
matrix_mautrix_telegram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_telegram_container_image_self_build else 'dock.mau.dev/' }}"

2
roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml
View file

@ -8,7 +8,7 @@ matrix_mautrix_whatsapp_container_image_self_build: false
matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautrix/whatsapp.git"
matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}"
matrix_mautrix_whatsapp_version: v0.8.5
matrix_mautrix_whatsapp_version: v0.8.6
# See: https://mau.dev/mautrix/whatsapp/container_registry
matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_name_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}"
matrix_mautrix_whatsapp_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_whatsapp_container_image_self_build else 'dock.mau.dev/' }}"

2
roles/custom/matrix-client-element/defaults/main.yml
View file

@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto
# - https://github.com/vector-im/element-web/issues/19544
matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
matrix_client_element_version: v1.11.33
matrix_client_element_version: v1.11.34
matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"

2
roles/custom/matrix-client-hydrogen/defaults/main.yml
View file

@ -6,7 +6,7 @@ matrix_client_hydrogen_enabled: true
matrix_client_hydrogen_container_image_self_build: false
matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git"
matrix_client_hydrogen_version: v0.3.8
matrix_client_hydrogen_version: v0.4.0
matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vector-im/hydrogen-web:{{ matrix_client_hydrogen_version }}"
matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build else 'ghcr.io/' }}"
matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}"

2
roles/custom/matrix-coturn/defaults/main.yml
View file

@ -8,7 +8,7 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn
matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}"
matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"
matrix_coturn_version: 4.6.1-r3
matrix_coturn_version: 4.6.2-r3
matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine"
matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}"
matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"

2
roles/custom/matrix-dendrite/defaults/main.yml
View file

@ -10,7 +10,7 @@ matrix_dendrite_container_image_self_build_repo: "https://github.com/matrix-org/
matrix_dendrite_docker_image_path: "matrixdotorg/dendrite-monolith"
matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}{{ matrix_dendrite_docker_image_path }}:{{ matrix_dendrite_docker_image_tag }}"
matrix_dendrite_docker_image_name_prefix: "{{ 'localhost/' if matrix_dendrite_container_image_self_build else matrix_container_global_registry_prefix }}"
matrix_dendrite_docker_image_tag: "v0.12.0"
matrix_dendrite_docker_image_tag: "v0.13.0"
matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}"
matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite"

2
roles/custom/matrix-dynamic-dns/defaults/main.yml
View file

@ -7,7 +7,7 @@ matrix_dynamic_dns_enabled: true
# The dynamic dns daemon interval
matrix_dynamic_dns_daemon_interval: '300'
matrix_dynamic_dns_version: v3.10.0-ls123
matrix_dynamic_dns_version: v3.10.0-ls125
# The docker container to use when in mode
matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}"

2
roles/custom/matrix-nginx-proxy/defaults/main.yml
View file

@ -1,7 +1,7 @@
---
# Project source code URL: https://github.com/nginx/nginx
matrix_nginx_proxy_enabled: true
matrix_nginx_proxy_version: 1.23.3-alpine
matrix_nginx_proxy_version: 1.25.1-alpine
# We use an official nginx image, which we fix-up to run unprivileged.
# An alternative would be an `nginxinc/nginx-unprivileged` image, but

2
roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml
View file

@ -25,7 +25,7 @@
matrix_synapse_reverse_proxy_companion_enabled: true
matrix_synapse_reverse_proxy_companion_version: 1.23.3-alpine
matrix_synapse_reverse_proxy_companion_version: 1.25.1-alpine
matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion"
matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d"

5
roles/custom/matrix-synapse/defaults/main.yml
View file

@ -4,7 +4,7 @@
matrix_synapse_enabled: true
matrix_synapse_version: v1.85.2
matrix_synapse_version: v1.86.0
matrix_synapse_username: ''
matrix_synapse_uid: ''
@ -885,6 +885,9 @@ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name: ''
matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url: ''
matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: ''
matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: ''
# Enable this to use EC2 instance profile metadata to grab IAM credentials instead of passing credentials directly
# via matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id and matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key
matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile: false
matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled: false
matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key: ''
matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo: 'AES256'

10
roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml
View file

@ -1,5 +1,4 @@
---
- name: Fail if required s3-storage-provider settings not defined
ansible.builtin.fail:
msg: >-
@ -8,9 +7,16 @@
with_items:
- "matrix_synapse_ext_synapse_s3_storage_provider_config_bucket"
- "matrix_synapse_ext_synapse_s3_storage_provider_config_region_name"
- "matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url"
- name: Fail if required s3-storage-provider auth settings not defined when not using an EC2 profile
ansible.builtin.fail:
msg: >-
You need to define a required configuration setting (`{{ item }}`) for using s3-storage-provider.
when: "not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile | bool and vars[item] == ''"
with_items:
- "matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id"
- "matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key"
- "matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url"
- name: Fail if required matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url looks invalid
ansible.builtin.fail:

2
roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2
View file

@ -1,5 +1,7 @@
{% if not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile | bool %}
AWS_ACCESS_KEY_ID={{ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id }}
AWS_SECRET_ACCESS_KEY={{ matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key }}
{% endif %}
AWS_DEFAULT_REGION={{ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name }}
ENDPOINT={{ matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url }}

2
roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2
View file

@ -6,8 +6,10 @@ config:
bucket: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_bucket | to_json }}
region_name: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name | to_json }}
endpoint_url: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url | to_json }}
{% if not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile | bool %}
access_key_id: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id | to_json }}
secret_access_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key | to_json }}
{% endif %}
{% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %}
sse_customer_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key | to_json }}

1
setup.yml
View file

@ -1 +0,0 @@
playbooks/matrix.yml

143
setup.yml Normal file
View file

@ -0,0 +1,143 @@
---
- name: "Set up a Matrix server"
hosts: "{{ target if target is defined else 'matrix_servers' }}"
become: true
roles:
# Most of the roles below are not distributed with the playbook, but downloaded separately using `ansible-galaxy` via the `just roles` command (see `justfile`).
- role: galaxy/com.devture.ansible.role.playbook_help
- role: galaxy/com.devture.ansible.role.systemd_docker_base
- role: custom/matrix_playbook_migration
- when: matrix_playbook_docker_installation_enabled | bool
role: galaxy/geerlingguy.docker
vars:
docker_install_compose: false
tags:
- setup-docker
- setup-all
- install-docker
- install-all
- when: devture_docker_sdk_for_python_installation_enabled | bool
role: galaxy/com.devture.ansible.role.docker_sdk_for_python
tags:
- setup-docker
- setup-all
- install-docker
- install-all
- when: devture_timesync_installation_enabled | bool
role: galaxy/com.devture.ansible.role.timesync
tags:
- setup-timesync
- setup-all
- install-timesync
- install-all
- custom/matrix-base
- custom/matrix-dynamic-dns
- custom/matrix-mailer
- role: galaxy/com.devture.ansible.role.postgres
- galaxy/redis
- custom/matrix-corporal
- custom/matrix-bridge-appservice-discord
- custom/matrix-bridge-appservice-slack
- custom/matrix-bridge-appservice-webhooks
- custom/matrix-bridge-appservice-irc
- custom/matrix-bridge-appservice-kakaotalk
- custom/matrix-bridge-beeper-linkedin
- custom/matrix-bridge-go-skype-bridge
- custom/matrix-bridge-mautrix-facebook
- custom/matrix-bridge-mautrix-twitter
- custom/matrix-bridge-mautrix-hangouts
- custom/matrix-bridge-mautrix-googlechat
- custom/matrix-bridge-mautrix-instagram
- custom/matrix-bridge-mautrix-signal
- custom/matrix-bridge-mautrix-telegram
- custom/matrix-bridge-mautrix-whatsapp
- custom/matrix-bridge-mautrix-discord
- custom/matrix-bridge-mautrix-slack
- custom/matrix-bridge-mx-puppet-discord
- custom/matrix-bridge-mx-puppet-groupme
- custom/matrix-bridge-mx-puppet-steam
- custom/matrix-bridge-mx-puppet-slack
- custom/matrix-bridge-mx-puppet-twitter
- custom/matrix-bridge-mx-puppet-instagram
- custom/matrix-bridge-sms
- custom/matrix-bridge-heisenbridge
- custom/matrix-bridge-hookshot
- custom/matrix-bot-matrix-reminder-bot
- custom/matrix-bot-matrix-registration-bot
- custom/matrix-bot-maubot
- custom/matrix-bot-buscarron
- custom/matrix-bot-honoroit
- custom/matrix-bot-postmoogle
- custom/matrix-bot-go-neb
- custom/matrix-bot-mjolnir
- custom/matrix-bot-draupnir
- custom/matrix-bot-chatgpt
- custom/matrix-cactus-comments
- custom/matrix-rageshake
- custom/matrix-synapse
- custom/matrix-synapse-auto-compressor
- custom/matrix-synapse-reverse-proxy-companion
- custom/matrix-dendrite
- custom/matrix-conduit
- custom/matrix-synapse-admin
- galaxy/prometheus_node_exporter
- galaxy/prometheus_postgres_exporter
- custom/matrix-prometheus-nginxlog-exporter
- galaxy/prometheus
- galaxy/grafana
- custom/matrix-prometheus-services-connect
- custom/matrix-prometheus-services-proxy-connect
- custom/matrix-registration
- custom/matrix-client-element
- custom/matrix-client-hydrogen
- custom/matrix-client-cinny
- galaxy/jitsi
- custom/matrix-user-verification-service
- custom/matrix-ldap-registration-proxy
- custom/matrix-ma1sd
- custom/matrix-dimension
- galaxy/etherpad
- custom/etherpad-proxy-connect
- custom/matrix-sliding-sync
- custom/matrix-email2matrix
- custom/matrix-sygnal
- galaxy/ntfy
- custom/matrix-nginx-proxy
- custom/matrix-coturn
- role: galaxy/auxiliary
- role: galaxy/com.devture.ansible.role.postgres_backup
- role: galaxy/backup_borg
- custom/matrix-user-creator
- custom/matrix-common-after
- role: galaxy/com.devture.ansible.role.container_socket_proxy
- role: galaxy/com.devture.ansible.role.traefik
- role: galaxy/com.devture.ansible.role.traefik_certs_dumper
- when: devture_systemd_service_manager_enabled | bool
role: galaxy/com.devture.ansible.role.systemd_service_manager
# This is pretty much last, because we want it to better serve as a "last known good configuration".
# See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2217#issuecomment-1301487601
- when: devture_playbook_state_preserver_enabled | bool
role: galaxy/com.devture.ansible.role.playbook_state_preserver
tags:
- setup-all
- install-all
- role: galaxy/com.devture.ansible.role.playbook_runtime_messages