Merge branch 'master' into pub.solar

This commit is contained in:
teutat3s 2021-07-16 16:36:51 +02:00
commit a501786ce6
Signed by: teutat3s
GPG key ID: 18DAE600A6BBE705
17 changed files with 77 additions and 36 deletions

View file

@ -56,7 +56,7 @@ Certain Synapse administration tasks (managing users and rooms, etc.) can be per
If you'd like to use OpenID Connect authentication with Synapse, you'll need some additional reverse-proxy configuration (see [our nginx reverse-proxy doc page](configuring-playbook-nginx.md#synapse-openid-connect-for-single-sign-on)).
In case you encounter errors regarding the parsing of the variables, you can try to add `{%raw}` and `{% endraw %}` blocks around them. For example ;
In case you encounter errors regarding the parsing of the variables, you can try to add `{% raw %}` and `{% endraw %}` blocks around them. For example ;
```
- idp_id: keycloak
@ -70,7 +70,7 @@ In case you encounter errors regarding the parsing of the variables, you can try
userinfo_endpoint: "https://url.ix/auth/realms/x/protocol/openid-connect/userinfo"
user_mapping_provider:
config:
display_name_template: "{%raw}{{ user.given_name }}{% endraw %} {%raw}{{ user.family_name }}{% endraw %}"
email_template: "{%raw}{{ user.email }}{% endraw %}"
display_name_template: "{% raw %}{{ user.given_name }}{% endraw %} {% raw %}{{ user.family_name }}{% endraw %}"
email_template: "{% raw %}{{ user.email }}{% endraw %}"
```

View file

@ -380,6 +380,7 @@ matrix_mautrix_signal_database_password: "{{ matrix_synapse_macaroon_secret_key
#
######################################################################
matrix_mautrix_signal_container_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
######################################################################
#
@ -1777,6 +1778,7 @@ matrix_prometheus_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_en
matrix_prometheus_scraper_synapse_enabled: "{{ matrix_synapse_enabled and matrix_synapse_metrics_enabled }}"
matrix_prometheus_scraper_synapse_targets: ['matrix-synapse:{{ matrix_synapse_metrics_port }}']
matrix_prometheus_scraper_synapse_workers_enabled_list: "{{ matrix_synapse_workers_enabled_list }}"
matrix_prometheus_scraper_synapse_rules_synapse_tag: "{{ matrix_synapse_docker_image_tag }}"
matrix_prometheus_scraper_node_enabled: "{{ matrix_prometheus_node_exporter_enabled }}"

View file

@ -16,4 +16,3 @@
}
]
}

View file

@ -128,18 +128,13 @@
validate_certs: yes
when: customise_base_domain_website is undefined
- name: Ensure group "sftp" exists
group:
name: sftp
state: present
- name: If user doesn't define a sftp_password, create a disabled 'sftp' account
user:
name: sftp
comment: SFTP user to set custom web files and access servers export
shell: /bin/false
home: /home/sftp
group: sftp
group: matrix
password: '*'
update_password: always
when: sftp_password|length == 0
@ -150,15 +145,20 @@
comment: SFTP user to set custom web files and access servers export
shell: /bin/false
home: /home/sftp
group: sftp
group: matrix
password: "{{ sftp_password | password_hash('sha512') }}"
update_password: always
when: sftp_password|length > 0
- name: Ensure group "sftp" exists
group:
name: sftp
state: present
- name: adding existing user 'sftp' to group matrix
user:
name: sftp
groups: matrix
groups: sftp
append: yes
when: customise_base_domain_website is defined
@ -214,14 +214,14 @@
group: sftp
mode: '0644'
when: (sftp_public_key | length > 0) and (sftp_auth_method == "SSH Key")
- name: Alter SSH Subsystem State 1
- name: Remove any existing Subsystem lines
lineinfile:
path: /etc/ssh/sshd_config
line: "Subsystem sftp /usr/lib/openssh/sftp-server"
state: absent
regexp: '^Subsystem'
- name: Alter SSH Subsystem State 2
- name: Set SSH Subsystem State
lineinfile:
path: /etc/ssh/sshd_config
insertafter: "^# override default of no subsystems"

View file

@ -6,7 +6,7 @@
- name: Purge local media to specific date
shell: |
curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/media/matrix.{{ matrix_domain }}/delete?before_ts={{ epoche_time.stdout }}'
curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/media/matrix.{{ matrix_domain }}/delete?before_ts={{ epoche_time.stdout }}000'
register: purge_command
- name: Print output of purge command

View file

@ -17,15 +17,16 @@
- jq
state: present
- name: Collect access token for janitor user
shell: |
curl -XPOST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ matrix_awx_janitor_user_password }}"}' "https://matrix.{{ matrix_domain }}/_matrix/client/r0/login" | jq '.access_token'
register: janitors_token
- name: Collect the internal IP of the matrix-synapse container
shell: "/usr/bin/docker inspect --format '{''{range.NetworkSettings.Networks}''}{''{.IPAddress}''}{''{end}''}' matrix-synapse"
register: synapse_container_ip
- name: Collect access token for janitor user
shell: |
curl -XPOST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ matrix_awx_janitor_user_password }}"}' "{{ synapse_container_ip.stdout }}:8008/_matrix/client/r0/login" | jq '.access_token'
register: janitors_token
no_log: True
- name: Generate list of dates to purge to
delegate_to: 127.0.0.1
shell: "dateseq {{ matrix_purge_from_date }} {{ matrix_purge_to_date }}"

View file

@ -6,7 +6,7 @@
- name: Purge remote media to specific date
shell: |
curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_media_cache?before_ts={{ epoche_time.stdout }}'
curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_media_cache?before_ts={{ epoche_time.stdout }}000'
register: purge_command
- name: Print output of purge command

View file

@ -66,7 +66,7 @@
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "{{ item }}:"
regexp: "{{ item }}"
line: "{{ item }}"
insertbefore: '# Synapse Extension End'
with_items:
@ -78,7 +78,7 @@
delegate_to: 127.0.0.1
lineinfile:
path: '{{ awx_cached_matrix_vars }}'
regexp: "{{ item }}:"
regexp: "{{ item }}"
line: "{{ item }}"
insertbefore: '# Synapse Extension End'
state: absent

View file

@ -3,6 +3,10 @@
matrix_mautrix_signal_enabled: true
matrix_mautrix_signal_self_build: false
matrix_mautrix_signal_docker_repo: "https://mau.dev/tulir/mautrix-signal.git"
matrix_mautrix_signal_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signal/docker-src"
matrix_mautrix_signal_version: latest
matrix_mautrix_signal_daemon_version: latest
# See: https://mau.dev/tulir/mautrix-signal/container_registry

View file

@ -8,13 +8,34 @@
The matrix-bridge-mautrix-signal role needs to execute before the matrix-synapse role.
when: "matrix_synapse_role_executed|default(False)"
- name: Ensure Mautrix Signal repository is present on self-build
git:
repo: "{{ matrix_mautrix_signal_docker_repo }}"
dest: "{{ matrix_mautrix_signal_docker_src_files_path }}"
force: "yes"
register: matrix_mautrix_signal_git_pull_results
when: "matrix_mautrix_signal_enabled|bool and matrix_mautrix_signal_container_self_build|bool"
- name: Ensure Mautrix Signal image is built
docker_image:
name: "{{ matrix_mautrix_signal_docker_image }}"
source: build
force_source: "{{ matrix_mautrix_signal_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}"
build:
dockerfile: Dockerfile
path: "{{ matrix_mautrix_signal_docker_src_files_path }}"
pull: yes
when: "matrix_mautrix_signal_enabled|bool and matrix_mautrix_signal_container_self_build|bool"
- name: Ensure Mautrix Signal image is pulled
docker_image:
name: "{{ matrix_mautrix_signal_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_mautrix_signal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_docker_image_force_pull }}"
when: matrix_mautrix_signal_enabled|bool
when: "matrix_mautrix_signal_enabled|bool and not matrix_mautrix_signal_container_self_build|bool"
- name: Ensure Mautrix Signal Daemon image is pulled
docker_image:

View file

@ -3,7 +3,7 @@ matrix_client_element_enabled: true
matrix_client_element_container_image_self_build: false
matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git"
matrix_client_element_version: v1.7.31
matrix_client_element_version: v1.7.32
matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"

View file

@ -22,7 +22,7 @@ matrix_corporal_container_extra_arguments: []
# List of systemd services that matrix-corporal.service depends on
matrix_corporal_systemd_required_services_list: ['docker.service']
matrix_corporal_version: 2.1.0
matrix_corporal_version: 2.1.1
matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}"
matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else matrix_container_global_registry_prefix }}"
matrix_corporal_docker_image_tag: "{{ matrix_corporal_version }}" # for backward-compatibility

View file

@ -3,7 +3,7 @@
matrix_grafana_enabled: false
matrix_grafana_version: 8.0.3
matrix_grafana_version: 8.0.6
matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}"
matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}"

View file

@ -1,5 +1,5 @@
matrix_nginx_proxy_enabled: true
matrix_nginx_proxy_version: 1.21.0-alpine
matrix_nginx_proxy_version: 1.21.1-alpine
# We use an official nginx image, which we fix-up to run unprivileged.
# An alternative would be an `nginxinc/nginx-unprivileged` image, but
@ -404,7 +404,7 @@ matrix_ssl_additional_domains_to_obtain_certificates_for: []
# Controls whether to obtain production or staging certificates from Let's Encrypt.
matrix_ssl_lets_encrypt_staging: false
matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.16.0"
matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.17.0"
matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
matrix_ssl_lets_encrypt_support_email: ~

View file

@ -3,7 +3,7 @@
matrix_prometheus_enabled: false
matrix_prometheus_version: v2.28.0
matrix_prometheus_version: v2.28.1
matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}"
matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}"
@ -34,6 +34,7 @@ matrix_prometheus_scraper_synapse_rules_synapse_tag: "master"
matrix_prometheus_scraper_synapse_rules_download_url: "https://raw.githubusercontent.com/matrix-org/synapse/{{ matrix_prometheus_scraper_synapse_rules_synapse_tag }}/contrib/prometheus/synapse-v2.rules"
matrix_prometheus_scraper_synapse_targets: []
matrix_prometheus_scraper_synapse_workers_enabled_list: []
# Tells whether the "node" scraper configuration is enabled.
# This configuration aims to scrape the current node (this server).

View file

@ -31,6 +31,19 @@ scrape_configs:
metrics_path: '/_synapse/metrics'
static_configs:
- targets: {{ matrix_prometheus_scraper_synapse_targets|to_json }}
labels:
instance: {{ matrix_domain }}
job: master
index: 0
{% for worker in matrix_prometheus_scraper_synapse_workers_enabled_list %}
{% if worker.metrics_port != 0 %}
- targets: ['matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.metrics_port }}']
labels:
instance: {{ matrix_domain }}
job: {{ worker.type }}
index: {{ worker.instanceId }}
{% endif %}
{% endfor %}
{% endif %}
{% if matrix_prometheus_scraper_node_enabled %}
@ -43,4 +56,4 @@ scrape_configs:
- job_name: postgres
static_configs:
- targets: {{ matrix_prometheus_scraper_postgres_targets|to_json }}
{% endif %}
{% endif %}

View file

@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
# amd64 gets released first.
# arm32 relies on self-building, so the same version can be built immediately.
# arm64 users need to wait for a prebuilt image to become available.
matrix_synapse_version: v1.37.1
matrix_synapse_version_arm64: v1.37.1
matrix_synapse_version: v1.38.0
matrix_synapse_version_arm64: v1.38.0
matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"