Merge branch 'master' into pub.solar

2021-07-16 16:36:51 +02:00 · 2021-07-16 16:36:51 +02:00 · a501786ce6
commit a501786ce6
parent 67b1b33d39 593922f5c3
17 changed files with 77 additions and 36 deletions
--- a/docs/configuring-playbook-synapse.md
+++ b/docs/configuring-playbook-synapse.md
@ -56,7 +56,7 @@ Certain Synapse administration tasks (managing users and rooms, etc.) can be per

 If you'd like to use OpenID Connect authentication with Synapse, you'll need some additional reverse-proxy configuration (see [our nginx reverse-proxy doc page](configuring-playbook-nginx.md#synapse-openid-connect-for-single-sign-on)).

-In case you encounter errors regarding the parsing of the variables, you can try to add `{%raw}` and `{% endraw %}` blocks around them. For example ;
+In case you encounter errors regarding the parsing of the variables, you can try to add `{% raw %}` and `{% endraw %}` blocks around them. For example ;

 ```
 - idp_id: keycloak
@ -70,7 +70,7 @@ In case you encounter errors regarding the parsing of the variables, you can try
        userinfo_endpoint: "https://url.ix/auth/realms/x/protocol/openid-connect/userinfo"
        user_mapping_provider:
          config:
-            display_name_template: "{%raw}{{ user.given_name }}{% endraw %} {%raw}{{ user.family_name }}{% endraw %}"
-            email_template: "{%raw}{{ user.email }}{% endraw %}"
+            display_name_template: "{% raw %}{{ user.given_name }}{% endraw %} {% raw %}{{ user.family_name }}{% endraw %}"
+            email_template: "{% raw %}{{ user.email }}{% endraw %}"
 ```

--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@ -380,6 +380,7 @@ matrix_mautrix_signal_database_password: "{{ matrix_synapse_macaroon_secret_key
 #
 ######################################################################

+matrix_mautrix_signal_container_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"

 ######################################################################
 #
@ -1777,6 +1778,7 @@ matrix_prometheus_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_en

 matrix_prometheus_scraper_synapse_enabled: "{{ matrix_synapse_enabled and matrix_synapse_metrics_enabled }}"
 matrix_prometheus_scraper_synapse_targets: ['matrix-synapse:{{ matrix_synapse_metrics_port }}']
+matrix_prometheus_scraper_synapse_workers_enabled_list: "{{ matrix_synapse_workers_enabled_list }}"
 matrix_prometheus_scraper_synapse_rules_synapse_tag: "{{ matrix_synapse_docker_image_tag }}"

 matrix_prometheus_scraper_node_enabled: "{{ matrix_prometheus_node_exporter_enabled }}"
--- a/roles/matrix-awx/surveys/backup_server.json.j2
+++ b/roles/matrix-awx/surveys/backup_server.json.j2
@ -16,4 +16,3 @@
    }
  ]
 }
-
--- a/roles/matrix-awx/tasks/customise_website_access_export.yml
+++ b/roles/matrix-awx/tasks/customise_website_access_export.yml
@ -128,18 +128,13 @@
    validate_certs: yes
  when: customise_base_domain_website is undefined

- name: Ensure group "sftp" exists
-  group:
-    name: sftp
-    state: present
-
 - name: If user doesn't define a sftp_password, create a disabled 'sftp' account
  user:
    name: sftp
    comment: SFTP user to set custom web files and access servers export
    shell: /bin/false
    home: /home/sftp
-    group: sftp
+    group: matrix
    password: '*'
    update_password: always
  when: sftp_password|length == 0
@ -150,15 +145,20 @@
    comment: SFTP user to set custom web files and access servers export
    shell: /bin/false
    home: /home/sftp
-    group: sftp
+    group: matrix
    password: "{{ sftp_password | password_hash('sha512') }}"
    update_password: always
  when: sftp_password|length > 0

+- name: Ensure group "sftp" exists
+  group:
+    name: sftp
+    state: present
+
 - name: adding existing user 'sftp' to group matrix
  user:
    name: sftp
-    groups: matrix
+    groups: sftp
    append: yes
  when: customise_base_domain_website is defined

@ -214,14 +214,14 @@
    group: sftp
    mode: '0644'
  when: (sftp_public_key | length > 0) and (sftp_auth_method == "SSH Key")
-
- name: Alter SSH Subsystem State 1
+    
+- name: Remove any existing Subsystem lines
  lineinfile:
    path: /etc/ssh/sshd_config
-    line: "Subsystem sftp	/usr/lib/openssh/sftp-server"
    state: absent
+    regexp: '^Subsystem'

- name: Alter SSH Subsystem State 2
+- name: Set SSH Subsystem State
  lineinfile:
    path: /etc/ssh/sshd_config
    insertafter: "^# override default of no subsystems"
--- a/roles/matrix-awx/tasks/purge_media_local.yml
+++ b/roles/matrix-awx/tasks/purge_media_local.yml
@ -6,7 +6,7 @@

 - name: Purge local media to specific date
  shell: |
-    curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/media/matrix.{{ matrix_domain }}/delete?before_ts={{ epoche_time.stdout }}'
+    curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/media/matrix.{{ matrix_domain }}/delete?before_ts={{ epoche_time.stdout }}000'
  register: purge_command
  
 - name: Print output of purge command
--- a/roles/matrix-awx/tasks/purge_media_main.yml
+++ b/roles/matrix-awx/tasks/purge_media_main.yml
@ -17,15 +17,16 @@
    - jq
    state: present

- name: Collect access token for janitor user
-  shell: |
-    curl -XPOST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ matrix_awx_janitor_user_password }}"}' "https://matrix.{{ matrix_domain }}/_matrix/client/r0/login" | jq '.access_token'
-  register: janitors_token
-  
 - name: Collect the internal IP of the matrix-synapse container
  shell: "/usr/bin/docker inspect --format '{''{range.NetworkSettings.Networks}''}{''{.IPAddress}''}{''{end}''}' matrix-synapse"
  register: synapse_container_ip
-    
+
+- name: Collect access token for janitor user
+  shell: |
+    curl -XPOST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ matrix_awx_janitor_user_password }}"}' "{{ synapse_container_ip.stdout }}:8008/_matrix/client/r0/login" | jq '.access_token'
+  register: janitors_token
+  no_log: True
+
 - name: Generate list of dates to purge to
  delegate_to: 127.0.0.1
  shell: "dateseq {{ matrix_purge_from_date }} {{ matrix_purge_to_date }}"
--- a/roles/matrix-awx/tasks/purge_media_remote.yml
+++ b/roles/matrix-awx/tasks/purge_media_remote.yml
@ -6,7 +6,7 @@

 - name: Purge remote media to specific date
  shell: |
-    curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_media_cache?before_ts={{ epoche_time.stdout }}'
+    curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_media_cache?before_ts={{ epoche_time.stdout }}000'
  register: purge_command
  
 - name: Print output of purge command
--- a/roles/matrix-awx/tasks/set_variables_synapse.yml
+++ b/roles/matrix-awx/tasks/set_variables_synapse.yml
@ -66,7 +66,7 @@
  delegate_to: 127.0.0.1
  lineinfile:
    path: '{{ awx_cached_matrix_vars }}'
-    regexp: "{{ item }}:"
+    regexp: "{{ item }}"
    line: "{{ item }}"
    insertbefore: '# Synapse Extension End'
  with_items:
@ -78,7 +78,7 @@
  delegate_to: 127.0.0.1
  lineinfile:
    path: '{{ awx_cached_matrix_vars }}'
-    regexp: "{{ item }}:"
+    regexp: "{{ item }}"
    line: "{{ item }}"
    insertbefore: '# Synapse Extension End'
    state: absent
--- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml
@ -3,6 +3,10 @@

 matrix_mautrix_signal_enabled: true

+matrix_mautrix_signal_self_build: false
+matrix_mautrix_signal_docker_repo: "https://mau.dev/tulir/mautrix-signal.git"
+matrix_mautrix_signal_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signal/docker-src"
+
 matrix_mautrix_signal_version: latest
 matrix_mautrix_signal_daemon_version: latest
 # See: https://mau.dev/tulir/mautrix-signal/container_registry
--- a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml
+++ b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml
@ -8,13 +8,34 @@
      The matrix-bridge-mautrix-signal role needs to execute before the matrix-synapse role.
  when: "matrix_synapse_role_executed|default(False)"

+- name: Ensure Mautrix Signal repository is present on self-build
+  git:
+    repo: "{{ matrix_mautrix_signal_docker_repo }}"
+    dest: "{{ matrix_mautrix_signal_docker_src_files_path }}"
+    force: "yes"
+  register: matrix_mautrix_signal_git_pull_results
+  when: "matrix_mautrix_signal_enabled|bool and matrix_mautrix_signal_container_self_build|bool"
+
+- name: Ensure Mautrix Signal image is built
+  docker_image:
+    name: "{{ matrix_mautrix_signal_docker_image }}"
+    source: build
+    force_source: "{{ matrix_mautrix_signal_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}"
+    build:
+      dockerfile: Dockerfile
+      path: "{{ matrix_mautrix_signal_docker_src_files_path }}"
+      pull: yes
+  when: "matrix_mautrix_signal_enabled|bool and matrix_mautrix_signal_container_self_build|bool"
+  
 - name: Ensure Mautrix Signal image is pulled
  docker_image:
    name: "{{ matrix_mautrix_signal_docker_image }}"
    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
    force_source: "{{ matrix_mautrix_signal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_docker_image_force_pull }}"
-  when: matrix_mautrix_signal_enabled|bool
+  when: "matrix_mautrix_signal_enabled|bool and not matrix_mautrix_signal_container_self_build|bool"
+

 - name: Ensure Mautrix Signal Daemon image is pulled
  docker_image:
--- a/roles/matrix-client-element/defaults/main.yml
+++ b/roles/matrix-client-element/defaults/main.yml
@ -3,7 +3,7 @@ matrix_client_element_enabled: true
 matrix_client_element_container_image_self_build: false
 matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git"

-matrix_client_element_version: v1.7.31
+matrix_client_element_version: v1.7.32
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"
--- a/roles/matrix-corporal/defaults/main.yml
+++ b/roles/matrix-corporal/defaults/main.yml
@ -22,7 +22,7 @@ matrix_corporal_container_extra_arguments: []
 # List of systemd services that matrix-corporal.service depends on
 matrix_corporal_systemd_required_services_list: ['docker.service']

-matrix_corporal_version: 2.1.0
+matrix_corporal_version: 2.1.1
 matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}"
 matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_corporal_docker_image_tag: "{{ matrix_corporal_version }}" # for backward-compatibility
--- a/roles/matrix-grafana/defaults/main.yml
+++ b/roles/matrix-grafana/defaults/main.yml
@ -3,7 +3,7 @@

 matrix_grafana_enabled: false

-matrix_grafana_version: 8.0.3
+matrix_grafana_version: 8.0.6
 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}"
 matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}"

--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@ -1,5 +1,5 @@
 matrix_nginx_proxy_enabled: true
-matrix_nginx_proxy_version: 1.21.0-alpine
+matrix_nginx_proxy_version: 1.21.1-alpine

 # We use an official nginx image, which we fix-up to run unprivileged.
 # An alternative would be an `nginxinc/nginx-unprivileged` image, but
@ -404,7 +404,7 @@ matrix_ssl_additional_domains_to_obtain_certificates_for: []

 # Controls whether to obtain production or staging certificates from Let's Encrypt.
 matrix_ssl_lets_encrypt_staging: false
-matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.16.0"
+matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.17.0"
 matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
 matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
 matrix_ssl_lets_encrypt_support_email: ~
--- a/roles/matrix-prometheus/defaults/main.yml
+++ b/roles/matrix-prometheus/defaults/main.yml
@ -3,7 +3,7 @@

 matrix_prometheus_enabled: false

-matrix_prometheus_version: v2.28.0
+matrix_prometheus_version: v2.28.1
 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}"
 matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}"

@ -34,6 +34,7 @@ matrix_prometheus_scraper_synapse_rules_synapse_tag: "master"
 matrix_prometheus_scraper_synapse_rules_download_url: "https://raw.githubusercontent.com/matrix-org/synapse/{{ matrix_prometheus_scraper_synapse_rules_synapse_tag }}/contrib/prometheus/synapse-v2.rules"

 matrix_prometheus_scraper_synapse_targets: []
+matrix_prometheus_scraper_synapse_workers_enabled_list: []

 # Tells whether the "node" scraper configuration is enabled.
 # This configuration aims to scrape the current node (this server).
--- a/roles/matrix-prometheus/templates/prometheus.yml.j2
+++ b/roles/matrix-prometheus/templates/prometheus.yml.j2
@ -31,6 +31,19 @@ scrape_configs:
    metrics_path: '/_synapse/metrics'
    static_configs:
    - targets: {{ matrix_prometheus_scraper_synapse_targets|to_json }}
+      labels:
+        instance: {{ matrix_domain }}
+        job: master
+        index: 0
+  {% for worker in matrix_prometheus_scraper_synapse_workers_enabled_list %}
+  {% if worker.metrics_port != 0 %}
+    - targets: ['matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.metrics_port }}']
+      labels:
+        instance: {{ matrix_domain }}
+        job: {{ worker.type }}
+        index: {{ worker.instanceId }}
+  {% endif %}
+  {% endfor %}
  {% endif %}

  {% if matrix_prometheus_scraper_node_enabled %}
@ -43,4 +56,4 @@ scrape_configs:
  - job_name: postgres
    static_configs:
      - targets: {{ matrix_prometheus_scraper_postgres_targets|to_json }}
-  {% endif %}
+  {% endif %}
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
 # amd64 gets released first.
 # arm32 relies on self-building, so the same version can be built immediately.
 # arm64 users need to wait for a prebuilt image to become available.
-matrix_synapse_version: v1.37.1
-matrix_synapse_version_arm64: v1.37.1
+matrix_synapse_version: v1.38.0
+matrix_synapse_version_arm64: v1.38.0
 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"