Merge branch 'master' into pub.solar

This commit is contained in:
teutat3s 2023-01-31 19:32:00 +01:00
commit adf69df131
Signed by: teutat3s
GPG key ID: 18DAE600A6BBE705
40 changed files with 413 additions and 28 deletions


@ -1,3 +1,32 @@
# 2023-01-26
## Coturn can now use host-networking
Large Coturn deployments (with a huge range of ports specified via `matrix_coturn_turn_udp_min_port` and `matrix_coturn_turn_udp_max_port`) experience a huge slowdown with how Docker publishes all these ports (setting up firewall forwarding rules), which leads to a very slow Coturn service startup and shutdown.
Such deployments don't need to run Coturn within a private container network anymore. Coturn can now run with host-networking by using configuration like this:
```yaml
matrix_coturn_docker_network: host
```
With such a configuration, **Docker no longer needs to configure thousands of firewall forwarding rules** each time Coturn starts and stops.
This, however, means that **you will need to ensure these ports are open** in your firewall yourself.
Thanks to us [tightening Coturn security](#backward-compatibility-tightening-coturn-security-can-lead-to-connectivity-issues), running Coturn with host-networking should be safe and not expose neither other services running on the host, nor other services running on the local network.
## (Backward Compatibility) Tightening Coturn security can lead to connectivity issues
**TLDR**: users who run and access their Matrix server on a private network (likely a small minority of users) may experience connectivity issues with our new default Coturn blocklists. They may need to override `matrix_coturn_denied_peer_ips` and remove some IP ranges from it.
Inspired by [this security article](https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/), we've decided to make use of Coturn's `denied-peer-ip` functionality to prevent relaying network traffic to certain private IP subnets. This ensures that your Coturn server won't accidentally try to forward traffic to certain services running on your local networks. We run Coturn in a container and in a private container network by default, which should prevent such access anyway, but having additional block layers in place is better.
If you access your Matrix server from a local network and need Coturn to relay to private IP addresses, you may observe that relaying is now blocked due to our new default `denied-peer-ip` lists (specified in `matrix_coturn_denied_peer_ips`). If you experience such connectivity problems, consider overriding this setting in your `vars.yml` file and removing certain networks from it.
We've also added `no-multicast-peers` to the default Coturn configuration, but we don't expect this to cause trouble for most people.
# 2023-01-21
## The matrix-prometheus-node-exporter role lives independently now


@ -807,6 +807,12 @@ matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_pro
matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}"
# People using an external Prometheus server will need to toggle all of these to be able to consume metrics remotely:
# - `matrix_mautrix_facebook_metrics_enabled`
# - `matrix_mautrix_facebook_proxying_metrics_enabled`
# - `matrix_nginx_proxy_proxy_matrix_metrics_enabled`
matrix_mautrix_facebook_metrics_enabled: "{{ matrix_prometheus_enabled }}"
# We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain
# and point them to a migration path.
matrix_mautrix_facebook_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}"
@ -934,6 +940,12 @@ matrix_mautrix_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_pr
matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}"
# People using an external Prometheus server will need to toggle all of these to be able to consume metrics remotely:
# - `matrix_mautrix_instagram_metrics_enabled`
# - `matrix_mautrix_instagram_proxying_metrics_enabled`
# - `matrix_nginx_proxy_proxy_matrix_metrics_enabled`
matrix_mautrix_instagram_metrics_enabled: "{{ matrix_prometheus_enabled }}"
# We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain
# and point them to a migration path.
matrix_mautrix_instagram_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}"
@ -979,6 +991,12 @@ matrix_mautrix_signal_appservice_token: "{{ '%s' | format(matrix_homeserver_gene
matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
# People using an external Prometheus server will need to toggle all of these to be able to consume metrics remotely:
# - `matrix_mautrix_signal_metrics_enabled`
# - `matrix_mautrix_signal_proxying_metrics_enabled`
# - `matrix_nginx_proxy_proxy_matrix_metrics_enabled`
matrix_mautrix_signal_metrics_enabled: "{{ matrix_prometheus_enabled }}"
matrix_mautrix_signal_database_engine: 'postgres'
matrix_mautrix_signal_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
matrix_mautrix_signal_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.signal.db', rounds=655555) | to_uuid }}"
@ -1103,6 +1121,12 @@ matrix_mautrix_whatsapp_homeserver_token: "{{ '%s' | format(matrix_homeserver_ge
matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
# People using an external Prometheus server will need to toggle all of these to be able to consume metrics remotely:
# - `matrix_mautrix_twitter_metrics_enabled`
# - `matrix_mautrix_twitter_proxying_metrics_enabled`
# - `matrix_nginx_proxy_proxy_matrix_metrics_enabled`
matrix_mautrix_twitter_metrics_enabled: "{{ matrix_prometheus_enabled }}"
# Postgres is the default, except if not using internal Postgres server
matrix_mautrix_whatsapp_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}"
matrix_mautrix_whatsapp_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
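Review bot: The last hunk (`@ -1103,6 +1121,12 @@`) sits among the whatsapp settings but sets `matrix_mautrix_twitter_metrics_enabled` and lists the twitter variable names in its comment, while no `matrix_mautrix_whatsapp_metrics_enabled` line is added anywhere in this file; unless a separate twitter hunk exists outside this view, whatsapp metrics stay at the role default `false` even when `matrix_prometheus_enabled` is true. The three lines should read `matrix_mautrix_whatsapp_metrics_enabled: "{{ matrix_prometheus_enabled }}"` with the comment naming `matrix_mautrix_whatsapp_metrics_enabled` and the whatsapp proxying variable. Separately, every comment list in this file names `matrix_mautrix_*_proxying_metrics_enabled`, but the role defaults added in this same commit define `matrix_mautrix_*_metrics_proxying_enabled`; the comments should use the real variable name so that users who follow them toggle a variable that exists.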


@ -31,4 +31,4 @@
version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6
- src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git
version: v1.5.0-0
version: v1.5.0-1


@ -15,7 +15,7 @@ matrix_backup_borg_docker_src_files_path: "{{ matrix_backup_borg_base_path }}/do
matrix_backup_borg_version: ""
matrix_backup_borg_postgres_version: ""
matrix_backup_borg_borg_version: 1.2.3
matrix_backup_borg_borgmatic_version: 1.7.5
matrix_backup_borg_borgmatic_version: 1.7.6
matrix_backup_borg_docker_image: "{{ matrix_backup_borg_docker_image_name_prefix }}etke.cc/borgmatic:{{ matrix_backup_borg_version }}"
matrix_backup_borg_docker_image_name_prefix: "{{ 'localhost/' if matrix_backup_borg_container_image_self_build else 'registry.gitlab.com/' }}"
matrix_backup_borg_docker_image_force_pull: "{{ matrix_backup_borg_docker_image.endswith(':latest') or matrix_backup_borg_version | default('') == '' }}"


@ -9,7 +9,7 @@ matrix_bot_chatgpt_docker_repo: "https://github.com/matrixgpt/matrix-chatgpt-bot
matrix_bot_chatgpt_docker_repo_version: "{{ 'latest' if matrix_bot_chatgpt_version == 'latest' else matrix_bot_chatgpt_version }}"
matrix_bot_chatgpt_docker_src_files_path: "{{ matrix_base_data_path }}/chatgpt/docker-src"
matrix_bot_chatgpt_version: 1.2.3
matrix_bot_chatgpt_version: 1.4.1
matrix_bot_chatgpt_docker_image: "{{ matrix_bot_chatgpt_docker_image_name_prefix }}matrixgpt/matrix-chatgpt-bot:{{ matrix_bot_chatgpt_version }}"
matrix_bot_chatgpt_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_chatgpt_container_image_self_build else 'ghcr.io/' }}"
matrix_bot_chatgpt_docker_image_force_pull: "{{ matrix_bot_chatgpt_docker_image.endswith(':latest') }}"
@ -31,6 +31,9 @@ matrix_bot_chatgpt_systemd_wanted_services_list: []
matrix_bot_chatgpt_openai_email: '' # OPENAI_EMAIL=
matrix_bot_chatgpt_openai_password: '' # OPENAI_PASSWORD=
matrix_bot_chatgpt_openai_login_type: 'google' # OPENAI_LOGIN_TYPE="google"
matrix_bot_chatgpt_openai_pro: false # OPENAI_PRO
matrix_bot_chatgpt_context: 'thread' # CHATGPT_CONTEXT="thread"
# Matrix Static Settings (required, see notes)
# Defaults to "https://matrix.org"


@ -4,6 +4,9 @@ MATRIX_ACCESS_TOKEN={{ matrix_bot_chatgpt_matrix_access_token }}
OPENAI_EMAIL={{ matrix_bot_chatgpt_openai_email }}
OPENAI_PASSWORD={{ matrix_bot_chatgpt_openai_password }}
OPENAI_LOGIN_TYPE={{ matrix_bot_chatgpt_openai_login_type }}
OPENAI_PRO={{ matrix_bot_chatgpt_openai_pro | to_json }}
CHATGPT_CONTEXT={{ matrix_bot_chatgpt_context }}
# With the @ and :DOMAIN, ie @SOMETHING:DOMAIN
MATRIX_BOT_USERNAME={{ matrix_bot_chatgpt_matrix_bot_username }}


@ -10,7 +10,7 @@ matrix_bot_maubot_docker_src_files_path: "{{ matrix_bot_maubot_base_path }}/dock
matrix_bot_maubot_docker_repo_version: "{{ 'master' if matrix_bot_maubot_version == 'latest' else matrix_bot_maubot_version }}"
matrix_bot_maubot_version: v0.3.1
matrix_bot_maubot_version: v0.4.0
matrix_bot_maubot_docker_image: "{{ matrix_bot_maubot_docker_image_name_prefix }}maubot/maubot:{{ matrix_bot_maubot_version }}"
matrix_bot_maubot_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_maubot_container_image_self_build else 'dock.mau.dev/' }}"
matrix_bot_maubot_docker_image_force_pull: "{{ matrix_bot_maubot_docker_image.endswith(':latest') }}"


@ -8,7 +8,7 @@ matrix_mautrix_discord_container_image_self_build: false
matrix_mautrix_discord_container_image_self_build_repo: "https://mau.dev/mautrix/discord.git"
matrix_mautrix_discord_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_discord_version == 'latest' else matrix_mautrix_discord_version }}"
matrix_mautrix_discord_version: latest
matrix_mautrix_discord_version: v0.1.0
# See: https://mau.dev/mautrix/discord/container_registry
matrix_mautrix_discord_docker_image: "{{ matrix_mautrix_discord_docker_image_name_prefix }}mautrix/discord:{{ matrix_mautrix_discord_version }}"
matrix_mautrix_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_discord_container_image_self_build else 'dock.mau.dev/' }}"


@ -46,6 +46,16 @@ matrix_mautrix_facebook_homeserver_token: ''
# If false, created portal rooms will never be federated.
matrix_mautrix_facebook_federate_rooms: true
# Whether or not metrics endpoint should be enabled.
# Enabling them is usually enough for a local (in-container) Prometheus to consume them.
# If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_mautrix_facebook_metrics_proxying_enabled`.
matrix_mautrix_facebook_metrics_enabled: false
# Controls whether metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/mautrix-facebook`.
# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`.
# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`.
matrix_mautrix_facebook_metrics_proxying_enabled: false
matrix_mautrix_facebook_bridge_permissions: |
{{
{matrix_mautrix_facebook_homeserver_domain: 'user'}
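Review bot: The comment above `matrix_mautrix_facebook_metrics_proxying_enabled` reads "This will only work take effect if", which is garbled; the same sentence is copied into the instagram, signal, twitter and whatsapp defaults in this commit, so all five should read `# This will only take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`.`. Since enabling proxying publishes the bridge's internals on the `matrix.DOMAIN` vhost, the comment would also benefit from one sentence stating that whatever access control the `matrix-nginx-proxy` role applies to `/metrics` is what guards this path — the page does not show that control, so a pointer to where it is configured is enough.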


@ -42,3 +42,28 @@
URL endpoint to the matrix-mautrix-facebook container.
You can expose the container's port using the `matrix_mautrix_facebook_container_http_host_bind_port` variable.
when: "not matrix_nginx_proxy_enabled | default(False) | bool"
- when: matrix_mautrix_facebook_metrics_proxying_enabled | bool
block:
- name: Generate mautrix-facebook metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-facebook)
ansible.builtin.set_fact:
matrix_mautrix_facebook_nginx_metrics_configuration_block: |
location /metrics/mautrix-facebook {
{% if matrix_nginx_proxy_enabled | default(False) %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
set $backend "matrix-mautrix-facebook:8000";
proxy_pass http://$backend/metrics;
{% else %}
return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable";
{% endif %}
}
- name: Register mautrix-facebook metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-facebook)
ansible.builtin.set_fact:
matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: |
{{
matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([])
+
[matrix_mautrix_facebook_nginx_metrics_configuration_block]
}}


@ -62,7 +62,7 @@ appservice:
# Prometheus telemetry config. Requires prometheus-client to be installed.
metrics:
enabled: false
enabled: {{ matrix_mautrix_facebook_metrics_enabled | to_json }}
listen_port: 8000
# Bridge config


@ -47,6 +47,16 @@ matrix_mautrix_instagram_homeserver_token: ''
# If false, created portal rooms will never be federated.
matrix_mautrix_instagram_federate_rooms: true
# Whether or not metrics endpoint should be enabled.
# Enabling them is usually enough for a local (in-container) Prometheus to consume them.
# If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_mautrix_instagram_metrics_proxying_enabled`.
matrix_mautrix_instagram_metrics_enabled: false
# Controls whether metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/mautrix-instagram`.
# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`.
# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`.
matrix_mautrix_instagram_metrics_proxying_enabled: false
# Database-related configuration fields.
#
# To use Postgres:


@ -0,0 +1,35 @@
---
- name: Fail if matrix-nginx-proxy role already executed
ansible.builtin.fail:
msg: >-
Trying to append mautrix-whatapp-metrics's reverse-proxying configuration to matrix-nginx-proxy,
but it's pointless since the matrix-nginx-proxy role had already executed.
To fix this, please change the order of roles in your playbook,
so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-instagram role.
when: matrix_nginx_proxy_role_executed | default(False) | bool
- when: matrix_mautrix_instagram_metrics_proxying_enabled | bool
block:
- name: Generate mautrix-instagram metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-instagram)
ansible.builtin.set_fact:
matrix_mautrix_instagram_nginx_metrics_configuration_block: |
location /metrics/mautrix-instagram {
{% if matrix_nginx_proxy_enabled | default(False) %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
set $backend "matrix-mautrix-instagram:8000";
proxy_pass http://$backend/metrics;
{% else %}
return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable";
{% endif %}
}
- name: Register mautrix-instagram metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-instagram)
ansible.builtin.set_fact:
matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: |
{{
matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([])
+
[matrix_mautrix_instagram_nginx_metrics_configuration_block]
}}
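Review bot: The failure message in the first task says "mautrix-whatapp-metrics's", which is both misspelled and names the wrong bridge for this instagram file; the identical text is copied into the new signal, twitter and whatsapp `inject_into_nginx_proxy.yml` files, so only the whatsapp one is even close to correct. Each file should name its own bridge, e.g. here `Trying to append mautrix-instagram-metrics's reverse-proxying configuration to matrix-nginx-proxy,`. The rest of the message (the role-ordering hint) is already per-bridge and is fine.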


@ -1,5 +1,14 @@
---
- block:
- when: matrix_mautrix_instagram_enabled | bool and matrix_mautrix_instagram_metrics_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
tags:
- setup-all
- setup-nginx-proxy
- install-all
- install-nginx-proxy
- block:
- when: matrix_mautrix_instagram_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
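Review bot: The new include is gated on `matrix_mautrix_instagram_metrics_enabled`, but the included file's proxy-generation tasks are gated on `matrix_mautrix_instagram_metrics_proxying_enabled`, and its first task fails the play whenever `matrix_nginx_proxy_role_executed` is set, regardless of the proxying flag. A user who enables in-container metrics only, with a role order where matrix-nginx-proxy runs earlier, therefore hits a hard failure about reverse-proxying configuration they never asked for. Unless that is intended, gate the include on the proxying flag: `- when: matrix_mautrix_instagram_enabled | bool and matrix_mautrix_instagram_metrics_proxying_enabled | bool`. The same pattern is repeated in the signal, twitter and whatsapp `main.yml` hunks.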


@ -57,7 +57,7 @@ appservice:
# Prometheus telemetry config. Requires prometheus-client to be installed.
metrics:
enabled: false
enabled: {{ matrix_mautrix_instagram_metrics_enabled | to_json }}
listen_port: 8000
instagram:


@ -70,6 +70,16 @@ matrix_mautrix_signal_logging_level: WARNING
# If false, created portal rooms will never be federated.
matrix_mautrix_signal_federate_rooms: true
# Whether or not metrics endpoint should be enabled.
# Enabling them is usually enough for a local (in-container) Prometheus to consume them.
# If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_mautrix_signal_metrics_proxying_enabled`.
matrix_mautrix_signal_metrics_enabled: false
# Controls whether metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/mautrix-signal`.
# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`.
# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`.
matrix_mautrix_signal_metrics_proxying_enabled: false
# Database-related configuration fields
#
# This bridge only supports postgres.


@ -0,0 +1,35 @@
---
- name: Fail if matrix-nginx-proxy role already executed
ansible.builtin.fail:
msg: >-
Trying to append mautrix-whatapp-metrics's reverse-proxying configuration to matrix-nginx-proxy,
but it's pointless since the matrix-nginx-proxy role had already executed.
To fix this, please change the order of roles in your playbook,
so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-signal role.
when: matrix_nginx_proxy_role_executed | default(False) | bool
- when: matrix_mautrix_signal_metrics_proxying_enabled | bool
block:
- name: Generate mautrix-signal metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-signal)
ansible.builtin.set_fact:
matrix_mautrix_signal_nginx_metrics_configuration_block: |
location /metrics/mautrix-signal {
{% if matrix_nginx_proxy_enabled | default(False) %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
set $backend "matrix-mautrix-signal:8000";
proxy_pass http://$backend/metrics;
{% else %}
return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable";
{% endif %}
}
- name: Register mautrix-signal metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-signal)
ansible.builtin.set_fact:
matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: |
{{
matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([])
+
[matrix_mautrix_signal_nginx_metrics_configuration_block]
}}


@ -1,5 +1,14 @@
---
- block:
- when: matrix_mautrix_signal_enabled | bool and matrix_mautrix_signal_metrics_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
tags:
- setup-all
- setup-nginx-proxy
- install-all
- install-nginx-proxy
- block:
- when: matrix_mautrix_signal_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"


@ -67,7 +67,7 @@ appservice:
# Prometheus telemetry config. Requires prometheus-client to be installed.
metrics:
enabled: false
enabled: {{ matrix_mautrix_signal_metrics_enabled | to_json }}
listen_port: 8000
# Manhole config.


@ -79,7 +79,7 @@ bridge:
# TODO: document variables
displayname_template: "{{ '{{.RealName}} (S)' }}"
bot_displayname_template: "{{ '{{.Name}} (bot)' }}"
channel_name_template: "{{ '#{{.Name}}' }}"
channel_name_template: "{{ '#{{.Name}} ({{.TeamName}})' }}"
portal_message_buffer: 128


@ -78,6 +78,16 @@ matrix_mautrix_twitter_appservice_bot_username: twitterbot
# Specifies the default log level for all bridge loggers.
matrix_mautrix_twitter_logging_level: WARNING
# Whether or not metrics endpoint should be enabled.
# Enabling them is usually enough for a local (in-container) Prometheus to consume them.
# If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_mautrix_twitter_metrics_proxying_enabled`.
matrix_mautrix_twitter_metrics_enabled: false
# Controls whether metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/mautrix-twitter`.
# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`.
# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`.
matrix_mautrix_twitter_metrics_proxying_enabled: false
# Default configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#


@ -0,0 +1,35 @@
---
- name: Fail if matrix-nginx-proxy role already executed
ansible.builtin.fail:
msg: >-
Trying to append mautrix-whatapp-metrics's reverse-proxying configuration to matrix-nginx-proxy,
but it's pointless since the matrix-nginx-proxy role had already executed.
To fix this, please change the order of roles in your playbook,
so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-twitter role.
when: matrix_nginx_proxy_role_executed | default(False) | bool
- when: matrix_mautrix_twitter_metrics_proxying_enabled | bool
block:
- name: Generate mautrix-twitter metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-twitter)
ansible.builtin.set_fact:
matrix_mautrix_twitter_nginx_metrics_configuration_block: |
location /metrics/mautrix-twitter {
{% if matrix_nginx_proxy_enabled | default(False) %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
set $backend "matrix-mautrix-twitter:8000";
proxy_pass http://$backend/metrics;
{% else %}
return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable";
{% endif %}
}
- name: Register mautrix-twitter metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-twitter)
ansible.builtin.set_fact:
matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: |
{{
matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([])
+
[matrix_mautrix_twitter_nginx_metrics_configuration_block]
}}


@ -1,5 +1,14 @@
---
- block:
- when: matrix_mautrix_twitter_enabled | bool and matrix_mautrix_twitter_metrics_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
tags:
- setup-all
- setup-nginx-proxy
- install-all
- install-nginx-proxy
- block:
- when: matrix_mautrix_twitter_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"


@ -65,7 +65,7 @@ appservice:
# Prometheus telemetry config. Requires prometheus-client to be installed.
metrics:
enabled: false
enabled: {{ matrix_mautrix_twitter_metrics_enabled | to_json }}
listen_port: 8000
# Bridge config


@ -47,6 +47,16 @@ matrix_mautrix_whatsapp_logging_level: 'warn'
# If false, created portal rooms will never be federated.
matrix_mautrix_whatsapp_federate_rooms: true
# Whether or not metrics endpoint should be enabled.
# Enabling them is usually enough for a local (in-container) Prometheus to consume them.
# If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_mautrix_whatsapp_metrics_proxying_enabled`.
matrix_mautrix_whatsapp_metrics_enabled: false
# Controls whether metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/mautrix-whatsapp`.
# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`.
# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`.
matrix_mautrix_whatsapp_metrics_proxying_enabled: false
# Database-related configuration fields.
#
# To use SQLite, stick to these defaults.


@ -0,0 +1,35 @@
---
- name: Fail if matrix-nginx-proxy role already executed
ansible.builtin.fail:
msg: >-
Trying to append mautrix-whatapp-metrics's reverse-proxying configuration to matrix-nginx-proxy,
but it's pointless since the matrix-nginx-proxy role had already executed.
To fix this, please change the order of roles in your playbook,
so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-whatsapp role.
when: matrix_nginx_proxy_role_executed | default(False) | bool
- when: matrix_mautrix_whatsapp_metrics_proxying_enabled | bool
block:
- name: Generate mautrix-whatsapp metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-whatsapp)
ansible.builtin.set_fact:
matrix_mautrix_whatsapp_nginx_metrics_configuration_block: |
location /metrics/mautrix-whatsapp {
{% if matrix_nginx_proxy_enabled | default(False) %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
set $backend "matrix-mautrix-whatsapp:8001";
proxy_pass http://$backend/metrics;
{% else %}
return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable";
{% endif %}
}
- name: Register mautrix-whatsapp metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-whatsapp)
ansible.builtin.set_fact:
matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: |
{{
matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([])
+
[matrix_mautrix_whatsapp_nginx_metrics_configuration_block]
}}


@ -1,5 +1,14 @@
---
- block:
- when: matrix_mautrix_whatsapp_enabled | bool and matrix_mautrix_whatsapp_metrics_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
tags:
- setup-all
- setup-nginx-proxy
- install-all
- install-nginx-proxy
- block:
- when: matrix_mautrix_whatsapp_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"


@ -67,9 +67,9 @@ segment_key: null
# Prometheus config.
metrics:
# Enable prometheus metrics?
enabled: false
enabled: {{ matrix_mautrix_whatsapp_metrics_enabled | to_json }}
# IP and port where the metrics listener should be. The path is always /metrics
listen: 127.0.0.1:8001
listen: 0.0.0.0:8001
# Config for things that are directly sent to WhatsApp.
whatsapp:
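Review bot: The metrics listener is moved from `127.0.0.1:8001` to `0.0.0.0:8001` unconditionally, even when `matrix_mautrix_whatsapp_metrics_enabled` renders `false`; that is harmless while disabled, but once enabled the bridge's metrics become reachable from anything that can route to the container, so the container network is now the only access boundary. Worth a comment on the `listen:` line such as `# Bound on all container interfaces so an in-network Prometheus or matrix-nginx-proxy can scrape it; do not publish this port on the host.`, and, if the template can see the proxying flag, consider keeping the loopback bind when neither proxying nor an external scraper needs it.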


@ -6,7 +6,7 @@ matrix_client_cinny_enabled: true
matrix_client_cinny_container_image_self_build: false
matrix_client_cinny_container_image_self_build_repo: "https://github.com/ajbura/cinny.git"
matrix_client_cinny_version: v2.2.3
matrix_client_cinny_version: v2.2.4
matrix_client_cinny_docker_image: "{{ matrix_client_cinny_docker_image_name_prefix }}ajbura/cinny:{{ matrix_client_cinny_version }}"
matrix_client_cinny_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build else matrix_container_global_registry_prefix }}"
matrix_client_cinny_docker_image_force_pull: "{{ matrix_client_cinny_docker_image.endswith(':latest') }}"


@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto
# - https://github.com/vector-im/element-web/issues/19544
matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
matrix_client_element_version: v1.11.20
matrix_client_element_version: v1.11.21
matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"


@ -8,7 +8,7 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn
matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}"
matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"
matrix_coturn_version: 4.6.1-r0
matrix_coturn_version: 4.6.1-r1
matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine"
matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}"
matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"
@ -20,6 +20,13 @@ matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith('
#
# Setting up deny/allow rules with `matrix_coturn_allowed_peer_ips`/`matrix_coturn_denied_peer_ips` is also
# possible for achieving such isolation, but is more complicated due to the dynamic nature of Docker networking.
#
# Setting `matrix_coturn_docker_network` to 'host' will run the container with host networking,
# which will drastically improve performance when thousands of ports are opened due to Docker not having to set up forwarding rules for each port.
# Running with host networking can be dangerous, as it potentially exposes your local network and its services to Coturn peers.
# Regardless of the networking mode, we apply a deny list which via `matrix_coturn_denied_peer_ips`,
# which hopefully prevents access to such private network ranges.
# When running in host-networking mode, you need to adjust the firewall yourself, so that ports are opened.
matrix_coturn_docker_network: "matrix-coturn"
matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn"
@ -41,20 +48,20 @@ matrix_coturn_container_extra_arguments: []
# Controls whether the Coturn container exposes its plain STUN port (tcp/3478 and udp/3478 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:3478"), or empty string to not expose.
matrix_coturn_container_stun_plain_host_bind_port: '3478'
matrix_coturn_container_stun_plain_host_bind_port: "{{ '3478' if matrix_coturn_docker_network != 'host' else '' }}"
# Controls whether the Coturn container exposes its TLS STUN port (tcp/5349 and udp/5349 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:5349"), or empty string to not expose.
matrix_coturn_container_stun_tls_host_bind_port: '5349'
matrix_coturn_container_stun_tls_host_bind_port: "{{ '5349' if matrix_coturn_docker_network != 'host' else '' }}"
# Controls whether the Coturn container exposes its TURN UDP port range and which interface to do it on.
#
# Takes an interface "<ip address>" (e.g. "127.0.0.1"), or empty string to listen on all interfaces.
# Takes a null/none value (`~`) to prevent listening.
# Takes a null/none value (`~`) or 'none' (as a string) to prevent listening.
#
# The UDP port-range itself is specified using `matrix_coturn_turn_udp_min_port` and `matrix_coturn_turn_udp_max_port`.
matrix_coturn_container_turn_range_listen_interface: ''
matrix_coturn_container_turn_range_listen_interface: "{{ '' if matrix_coturn_docker_network != 'host' else 'none' }}"
# UDP port-range to use for TURN
matrix_coturn_turn_udp_min_port: 49152
@ -69,10 +76,54 @@ matrix_coturn_turn_external_ip_address: ''
matrix_coturn_turn_external_ip_addresses: ["{{ matrix_coturn_turn_external_ip_address }}"]
matrix_coturn_allowed_peer_ips: []
matrix_coturn_denied_peer_ips: []
# We block loopback interfaces and private networks by default to prevent private resources from being accessible.
# This is especially important when Coturn does not run within a container network (e.g. `matrix_coturn_docker_network: host`).
#
# Learn more: https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/
#
# If you're running Coturn for local network peers, you may wish to override these rules.
matrix_coturn_denied_peer_ips:
- 0.0.0.0-0.255.255.255
- 10.0.0.0-10.255.255.255
- 100.64.0.0-100.127.255.255
- 127.0.0.0-127.255.255.255
- 169.254.0.0-169.254.255.255
- 172.16.0.0-172.31.255.255
- 192.0.0.0-192.0.0.255
- 192.0.2.0-192.0.2.255
- 192.88.99.0-192.88.99.255
- 192.168.0.0-192.168.255.255
- 198.18.0.0-198.19.255.255
- 198.51.100.0-198.51.100.255
- 203.0.113.0-203.0.113.255
- 240.0.0.0-255.255.255.255
- ::1
- 64:ff9b::-64:ff9b::ffff:ffff
- ::ffff:0.0.0.0-::ffff:255.255.255.255
- 100::-100::ffff:ffff:ffff:ffff
- 2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
- 2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
- fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
- fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
matrix_coturn_user_quota: null
matrix_coturn_total_quota: null
# Controls whether `no-tcp-relay` is added to the configuration
matrix_coturn_no_tcp_relay_enabled: true
# Controls whether `no-multicast-peers` is added to the configuration
matrix_coturn_no_multicast_peers_enabled: true
# Additional configuration to be passed to turnserver.conf
# Example:
# matrix_coturn_additional_configuration: |
# simple-log
# aux-server=1.2.3.4
# relay-ip=4.3.2.1
matrix_coturn_additional_configuration: ''
# To enable TLS, you need to provide paths to certificates.
# Paths defined in `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path` are in-container paths.
# Files on the host can be mounted into the container using `matrix_coturn_container_additional_volumes`.


@ -62,7 +62,8 @@
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure Coturn network is created in Docker
- when: matrix_coturn_docker_network not in ['', 'host']
name: Ensure Coturn network is created in Docker
community.docker.docker_network:
name: "{{ matrix_coturn_docker_network }}"
driver: bridge
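Review bot: The new `when: matrix_coturn_docker_network not in ['', 'host']` treats an empty string as a third valid value that simply skips network creation, but the variable's own documentation (the comment block above `matrix_coturn_docker_network` in the defaults file changed by this same commit) only describes the named-network and `host` cases. Either document the empty-string case there, e.g. `# Set to '' to skip creating a dedicated container network.`, or narrow the condition to `when: matrix_coturn_docker_network != 'host'` so the task fails loudly on an empty name. Whether the systemd unit template copes with an empty network name is not visible in this hunk.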


@ -30,7 +30,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
-p {{ matrix_coturn_container_stun_tls_host_bind_port }}:5349 \
-p {{ matrix_coturn_container_stun_tls_host_bind_port }}:5349/udp \
{% endif %}
{% if matrix_coturn_container_turn_range_listen_interface is not none %}
{% if matrix_coturn_container_turn_range_listen_interface is not in [none, 'none'] %}
-p {{ matrix_coturn_container_turn_range_listen_interface }}{{ ':' if matrix_coturn_container_turn_range_listen_interface else '' }}{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \
{% endif %}
--mount type=bind,src={{ matrix_coturn_config_path }},dst=/turnserver.conf,ro \
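Review bot: The new condition `{% if matrix_coturn_container_turn_range_listen_interface is not in [none, 'none'] %}` relies on Jinja's `in` test rather than the plain membership operator, which reads as a typo to most reviewers. The idiomatic form with identical semantics is `{% if matrix_coturn_container_turn_range_listen_interface not in [none, 'none'] %}`. A short comment above it would also help, since the string `'none'` is the value the defaults file now assigns in host-networking mode: `{# '' = all interfaces, none/'none' = do not publish the UDP range (host networking) #}`. The `ExecStart` line this sits in starts and ends outside the hunk.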


@ -30,7 +30,10 @@ no-dtls
{% endif %}
prod
{% if matrix_coturn_no_tcp_relay_enabled %}
no-tcp-relay
{% endif %}
{% if matrix_coturn_user_quota != None %}
user-quota={{ matrix_coturn_user_quota }}
@ -39,9 +42,15 @@ user-quota={{ matrix_coturn_user_quota }}
total-quota={{ matrix_coturn_total_quota }}
{% endif %}
{% if matrix_coturn_no_multicast_peers_enabled %}
no-multicast-peers
{% endif %}
{% for ip_range in matrix_coturn_denied_peer_ips %}
denied-peer-ip={{ ip_range }}
{% endfor %}
{% for ip_range in matrix_coturn_allowed_peer_ips %}
allowed-peer-ip={{ ip_range }}
{% endfor %}
{{ matrix_coturn_additional_configuration }}
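Review bot: The `denied-peer-ip` loop now emits a non-empty default blocklist, but nothing in the template tells a reader how it interacts with the `allowed-peer-ip` loop right below it; as far as I recall from coturn's turnserver.conf documentation, allowed ranges take precedence over denied ones, so a user adding entries to `matrix_coturn_allowed_peer_ips` punches holes in the new defaults. Suggest a comment above the first loop: `{# allowed-peer-ip overrides denied-peer-ip in coturn: entries in matrix_coturn_allowed_peer_ips re-open ranges blocked by the default denylist #}`. Similarly, `no-tcp-relay` and `no-multicast-peers` are now emitted by default; a one-line comment naming the controlling variable next to each would make the rendered config self-explanatory. Also worth noting that `matrix_coturn_additional_configuration` is appended last, so it can repeat these directives.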


@ -6,7 +6,7 @@ matrix_dendrite_enabled: true
matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}"
matrix_dendrite_docker_image_name_prefix: "docker.io/"
matrix_dendrite_docker_image_tag: "v0.10.8"
matrix_dendrite_docker_image_tag: "v0.11.0"
matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}"
matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite"


@ -5,7 +5,7 @@
matrix_grafana_enabled: true
matrix_grafana_version: 9.3.2
matrix_grafana_version: 9.3.6
matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}"
matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}"


@ -72,7 +72,7 @@ matrix_jitsi_jibri_recorder_password: ''
matrix_jitsi_enable_lobby: false
matrix_jitsi_version: stable-8218
matrix_jitsi_version: stable-8252
matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility
matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}"
@ -283,3 +283,8 @@ matrix_jitsi_jvb_container_colibri_ws_host_bind_port: ''
#
# The setting requires an integer to be set for usage and allows a user to specify the max number of particpants on a conference.
matrix_prosody_jitsi_max_participants: ''
# Allows abailty to set XMPP AUTH user if using JIGASI
matrix_jitsi_jigasi_xmpp_user: ''
# Allows abailty to set XMPP AUTH pasword if using JIGASI
matrix_jitsi_jigasi_xmpp_password: ''
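Review bot: The two comments introducing `matrix_jitsi_jigasi_xmpp_user` and `matrix_jitsi_jigasi_xmpp_password` contain typos (`abailty`, `pasword`) and do not say that the values are only consumed when Jigasi is deployed. Suggest `# XMPP auth user for Jigasi (only used when Jigasi is enabled)` and `# XMPP auth password for Jigasi (only used when Jigasi is enabled)`. With the empty defaults the env template in this same commit renders `JIGASI_XMPP_PASSWORD=` as before, so there is no behaviour change for existing deployments.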


@ -15,8 +15,8 @@ JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }}
JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }}
JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }}
JICOFO_COMPONENT_SECRET
JIGASI_XMPP_USER=
JIGASI_XMPP_PASSWORD=
JIGASI_XMPP_USER={{ matrix_jitsi_jigasi_xmpp_user }}
JIGASI_XMPP_PASSWORD={{ matrix_jitsi_jigasi_xmpp_password }}
JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }}
JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }}
JWT_APP_ID


@ -9,7 +9,7 @@ matrix_synapse_admin_container_image_self_build_repo: "https://github.com/Awesom
matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src"
matrix_synapse_admin_version: 0.8.5
matrix_synapse_admin_version: 0.8.6
matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}"
matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_container_global_registry_prefix }}"
matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}"


@ -24,6 +24,15 @@
{# Generic configuration for use outside of our container setup #}
proxy_pass http://127.0.0.1:8766/$1;
{% endif %}
{#
Workaround synapse-admin serving all assets at /static.
See: https://github.com/Awesome-Technologies/synapse-admin/issues/322
#}
sub_filter_once off;
sub_filter "/static/" "{{ matrix_synapse_admin_public_endpoint }}/static/";
sub_filter "/favicon.ico" "{{ matrix_synapse_admin_public_endpoint }}/favicon.ico";
sub_filter "/manifest.json" "{{ matrix_synapse_admin_public_endpoint }}/manifest.json";
}
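Review bot: The new `sub_filter` directives only work on uncompressed upstream responses, and nothing in this hunk strips the client's `Accept-Encoding`, so a gzip-compressed response from synapse-admin would pass through unrewritten and the `/static/` workaround would silently not apply. Add `proxy_set_header Accept-Encoding "";` alongside the `proxy_pass` lines in this location block. Note also that nginx applies `sub_filter` to `text/html` only by default; if the rewrite is meant to reach `manifest.json` or JavaScript bundles, `sub_filter_types` must list those MIME types as well. The enclosing `location` block begins outside the hunk.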
- name: Register Synapse Admin proxying configuration with matrix-nginx-proxy