Merge branch 'master' into pub.solar

This commit is contained in:
teutat3s 2020-12-09 14:06:21 +01:00
commit b1c1708b14
Signed by: teutat3s
GPG key ID: 18DAE600A6BBE705
27 changed files with 256 additions and 95 deletions

.github/FUNDING.yml vendored Normal file
View file

@ -0,0 +1,4 @@
# These are supported funding model platforms
# https://liberapay.com/s.pantaleev/
liberapay: s.pantaleev

View file

@ -1,3 +1,15 @@
# 2020-12-08
## openid APIs exposed by default on the federation port when federation disabled
We've changed some defaults. People running with our default configuration (federation enabled), are not affected at all.
If you are running an unfederated server (`matrix_synapse_federation_enabled: false`), this may be of interest to you.
When federation is disabled, but ma1sd or Dimension are enabled, we'll now expose the `openid` APIs on the federation port.
These APIs are necessary for some ma1sd features to work. If you'd like to prevent this, you can: `matrix_synapse_federation_port_openid_resource_required: false`.
# 2020-11-27
## Recent Jitsi updates may require configuration changes
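Review bot: the new 2020-12-08 entry explains how to switch the `openid` exposure off (`matrix_synapse_federation_port_openid_resource_required: false`) but not what stops working when an admin does, nor that the federation port (8448) now has to be reachable on an otherwise unfederated server; both consequences are spelled out in the Dimension and ma1sd pages touched by this same diff, so one sentence here pointing at them would spare admins a surprise. "These APIs are necessary for some ma1sd features to work" also undersells it: the Dimension page in this diff states the same dependency for Dimension, and the new group_vars expression keys on both `matrix_dimension_enabled` and `matrix_ma1sd_enabled`.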

View file

@ -1,3 +1,5 @@
[![Support room on Matrix](https://img.shields.io/matrix/matrix-docker-ansible-deploy:devture.com.svg?label=%23matrix-docker-ansible-deploy%3Adevture.com&logo=matrix&style=for-the-badge&server_fqdn=matrix.devture.com)](https://matrix.to/#/#matrix-docker-ansible-deploy:devture.com) [![donate](https://liberapay.com/assets/widgets/donate.svg)](https://liberapay.com/s.pantaleev/donate)
# Matrix (An open network for secure, decentralized communication) server setup using Ansible and Docker
## Purpose

View file

@ -14,18 +14,20 @@ Instructions loosely based on [this](https://github.com/Half-Shot/matrix-appserv
1. Create a Discord Application [here](https://discordapp.com/developers/applications).
2. Retrieve Client ID.
3. Create a bot from the Bot tab and retrieve the Bot token.
4. Enable the bridge with the following configuration in your `vars.yml` file:
4. From the Bot tab, enable all checkboxes related to Privileged Gateway Intents (you can skip this step if you're not using `matrix_appservice_discord_auth_usePrivilegedIntents: true` below)
5. Enable the bridge with the following configuration in your `vars.yml` file:
```yaml
matrix_appservice_discord_enabled: true
matrix_appservice_discord_client_id: "YOUR DISCORD APP CLIENT ID"
matrix_appservice_discord_bot_token: "YOUR DISCORD APP BOT TOKEN"
matrix_appservice_discord_auth_usePrivilegedIntents: true
```
4. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready.
5. Retrieve Discord invite link from the `{{ matrix_appservice_discord_config_path }}/invite_link` file on the server (this defaults to `/matrix/appservice-discord/config/invite_link`). You need to peek at the file on the server via SSH, etc., because it's not available via HTTP(S).
6. Invite the Bot to Discord servers you wish to bridge. Administrator permission is recommended.
7. Room addresses follow this syntax: `#_discord_guildid_channelid`. You can easily find the guild and channel ids by logging into Discord in a browser and opening the desired channel. The URL will have this format: `discordapp.com/channels/guild_id/channel_id`. Once you have figured out the appropriate room addrss, you can join by doing `/join #_discord_guildid_channelid` in your Matrix client.
6. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready.
7. Retrieve Discord invite link from the `{{ matrix_appservice_discord_config_path }}/invite_link` file on the server (this defaults to `/matrix/appservice-discord/config/invite_link`). You need to peek at the file on the server via SSH, etc., because it's not available via HTTP(S).
8. Invite the Bot to Discord servers you wish to bridge. Administrator permission is recommended.
9. Room addresses follow this syntax: `#_discord_guildid_channelid`. You can easily find the guild and channel ids by logging into Discord in a browser and opening the desired channel. The URL will have this format: `discordapp.com/channels/guild_id/channel_id`. Once you have figured out the appropriate room addrss, you can join by doing `/join #_discord_guildid_channelid` in your Matrix client.
Other configuration options are available via the `matrix_appservice_discord_configuration_extension_yaml` variable.
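Review bot: step 4 tells users to enable all Privileged Gateway Intents, while the example in step 5 hard-codes `matrix_appservice_discord_auth_usePrivilegedIntents: true` even though step 4 calls the intents optional and the role default added further down in this diff is `false`. Name the intent(s) the bridge actually needs instead of "all" (each privileged intent widens what the bot token can read from the guild), and either drop the `true` line from the example or mark it as optional. The typo `addrss` in the new step 9 was carried over from the old text and could be fixed while renumbering.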

View file

@ -3,6 +3,9 @@
**[Dimension](https://dimension.t2bot.io) can only be installed after Matrix services are installed and running.**
If you're just installing Matrix services for the first time, please continue with the [Configuration](configuring-playbook.md) / [Installation](installing.md) flow and come back here later.
**Note**: enabling Dimension, means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. It's something to be aware of, especially in terms of firewall whitelisting (make sure port `8448` is accessible).
## Prerequisites
This playbook now supports running [Dimension](https://dimension.t2bot.io) in both a federated and an [unfederated](https://github.com/turt2live/matrix-dimension/blob/master/docs/unfederated.md) environment. This is handled automatically based on the value of `matrix_synapse_federation_enabled`.
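Review bot: "make sure port `8448` is accessible" does not say accessible to whom. An admin of an unfederated server reading this will open 8448 to the internet, whereas the note is only about the `openid` resource Dimension needs. State which component connects to the federation port and from where (the Dimension container on the same host, a remote service, clients), so the firewall rule can be scoped to that source; the ma1sd and prerequisites pages in this diff repeat the same unscoped wording and should get the same fix.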
@ -48,7 +51,7 @@ To get an access token for the Dimension user, you can follow one of two options
3. Copy the highlighted text to your configuration.
4. Close the private browsing session. **Do not log out**. Logging out will invalidate the token, making it not work.
*With CURL*
*With CURL*
```
curl -X POST --header 'Content-Type: application/json' -d '{

View file

@ -37,3 +37,13 @@ matrix_synapse_federation_enabled: false
```
With that, your server's users will only be able to talk among themselves, but not to anyone who is on another server.
**Disabling federation does not necessarily disable the federation port** (`8448`). Services like [Dimension](configuring-playbook-dimension.md) and [ma1sd](configuring-playbook-ma1sd.md) normally rely on `openid` APIs exposed on that port. Even if you disable federation and only if necessary, we may still be exposing the federation port and serving the `openid` APIs there. To override this and completely disable Synapse's federation port use:
```yaml
# This stops the federation port on the Synapse side (normally `matrix-synapse:8048` on the container network).
matrix_synapse_federation_port_enabled: false
# This removes the `8448` virtual host from the matrix-nginx-proxy reverse-proxy server.
matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false
```
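Review bot: "Even if you disable federation and only if necessary, we may still be exposing the federation port" is hard to parse; suggest "Even with federation disabled, we still expose the federation port when ma1sd or Dimension need the `openid` APIs there". The snippet should also warn that `matrix_synapse_federation_port_enabled: false` breaks those two services if they are enabled. The second line, `matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false`, is redundant with the group_vars change in this diff, which now derives that value from `matrix_synapse_federation_port_enabled`; listing it here invites people to keep overriding a variable the playbook already computes.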

View file

@ -99,7 +99,7 @@ matrix_jitsi_web_custom_config_extension: |
config.disableAudioLevels = true;
# Limit the number of video feeds forwarded to each client
// Limit the number of video feeds forwarded to each client
config.channelLastN = 4;
matrix_jitsi_web_config_resolution_width_ideal_and_max: 480

View file

@ -4,7 +4,9 @@ By default, this playbook configures an [ma1sd](https://github.com/ma1uta/ma1sd)
This server is private by default, potentially at the expense of user discoverability.
ma1sd is a fork of [mxisd](https://github.com/kamax-io/mxisd) which was pronounced end of life 2019-06-21.
*ma1sd is a fork of [mxisd](https://github.com/kamax-io/mxisd) which was pronounced end of life 2019-06-21.*
**Note**: enabling ma1sd (which is also the default), means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. It's something to be aware of, especially in terms of firewall whitelisting (make sure port `8448` is accessible).
## Disabling ma1sd
@ -50,6 +52,9 @@ To use the [Registration](https://github.com/ma1uta/ma1sd/blob/master/docs/featu
- `matrix_ma1sd_configuration_extension_yaml` - to configure ma1sd as required. See the [Registration feature's docs](https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md) for inspiration. Also see the [Additional features](#additional-features) section below to learn more about how to use `matrix_ma1sd_configuration_extension_yaml`.
**Note**: For this to work, either the homeserver needs to [federate](configuring-playbook-federation.md) or the `openid` APIs need to exposed on the federation port. When federation is disabled and ma1sd is enabled, we automatically expose the `openid` APIs (only!) on the federation port. Make sure the federation port (usually `https://matrix.DOMAIN:8448`) is whitelisted in your firewall (even if you don't actually use/need federation).
## Authentication
[Authentication](https://github.com/ma1uta/ma1sd/blob/master/docs/features/authentication.md) provides the possibility to use your own [Identity Stores](https://github.com/ma1uta/ma1sd/blob/master/docs/stores/README.md) (for example LDAP) to authenticate users on your Homeserver. The following configuration can be used to authenticate against an LDAP server:
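Review bot: "the `openid` APIs need to exposed" is missing "be". Beyond that, this note and the one added at the top of the page say 8448 must be whitelisted "even if you don't actually use/need federation" without saying for which source address; if ma1sd reaches the homeserver over the container network the public firewall rule is unnecessary, and if it goes through the public address the doc should say so, so the rule can be restricted to the server's own IP instead of opened world-wide.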

View file

@ -22,6 +22,17 @@ This playbook doesn't support running on ARM (see [this issue](https://github.co
- Properly configured DNS records for `<your-domain>` (details in [Configuring DNS](configuring-dns.md)).
- Some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (TURN over TCP), `3478/udp` (TURN over UDP), `5349/tcp` (TURN over TCP), `5349/udp` (TURN over UDP), `8448/tcp` (Matrix Federation API HTTPS webserver), the range `49152-49172/udp` (TURN over UDP), `4443/tcp` (Jitsi Harvester fallback), `10000/udp` (Jitsi video RTP). Depending on your firewall/NAT setup, incoming RTP packets on port 10000 may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/matrix-jitsi/defaults/main.yml)).
- Some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports:
- `80/tcp`: HTTP webserver
- `443/tcp`: HTTPS webserver
- `3478/tcp`: TURN over TCP (used by Coturn)
- `3478/udp`: TURN over UDP (used by Coturn)
- `5349/tcp`: TURN over TCP (used by Coturn)
- `5349/udp`: TURN over UDP (used by Coturn)
- `8448/tcp`: Matrix Federation API HTTPS webserver. In some cases, this **may necessary even with federation disabled**. Integration Servers (like Dimension) and Identity Servers (like ma1sd) may need to access `openid` APIs on the federation port.
- the range `49152-49172/udp`: TURN over UDP
- `4443/tcp`: Jitsi Harvester fallback
- `10000/udp`: Jitsi video RTP. Depending on your firewall/NAT setup, incoming RTP packets on port `10000` may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/matrix-jitsi/defaults/main.yml)).
When ready to proceed, continue with [Configuring DNS](configuring-dns.md).
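Review bot: the `8448/tcp` bullet reads "this **may necessary even with federation disabled**" (missing "be"). It would also help to name the switch that lets an admin keep the port closed when neither Dimension nor ma1sd is used (`matrix_synapse_federation_port_enabled: false`, documented in the federation page of this diff), since the list otherwise implies 8448 is always required.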

View file

@ -15,6 +15,7 @@ List of roles where self-building the Docker image is currently possible:
- `matrix-client-element`
- `matrix-registration`
- `matrix-coturn`
- `matrix-corporal`
- `matrix-ma1sd`
- `matrix-mailer`
- `matrix-bridge-mautrix-facebook`

View file

@ -201,6 +201,8 @@ matrix_mautrix_facebook_homeserver_token: "{{ matrix_synapse_macaroon_secret_key
matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_use_presence if matrix_synapse_enabled else true }}"
######################################################################
#
# /matrix-bridge-mautrix-facebook
@ -539,6 +541,8 @@ matrix_bot_matrix_reminder_bot_enabled: false
matrix_corporal_enabled: false
matrix_corporal_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-corporal over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# matrix-corporal's web-server ports to the local host.
@ -616,8 +620,6 @@ matrix_dimension_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_ena
matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}"
matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}"
matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:{{ 8048 if matrix_synapse_federation_enabled|bool else 8008 }}"
######################################################################
#
# /matrix-dimension
@ -812,7 +814,8 @@ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:
matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090"
# By default, we do TLS termination for the Matrix Federation API (port 8448) at matrix-nginx-proxy.
matrix_nginx_proxy_proxy_matrix_federation_api_enabled: true
# Unless this is handled there OR Synapse's federation listener port is disabled, we'll reverse-proxy.
matrix_nginx_proxy_proxy_matrix_federation_api_enabled: "{{ matrix_synapse_federation_port_enabled and not matrix_synapse_tls_federation_listener_enabled }}"
matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048"
matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:8048"
@ -986,12 +989,7 @@ matrix_synapse_tls_federation_listener_enabled: false
matrix_synapse_tls_certificate_path: ~
matrix_synapse_tls_private_key_path: ~
matrix_synapse_http_listener_resource_names: |
{{
["client"]
+
( ["openid"] if matrix_dimension_enabled and not matrix_synapse_federation_enabled else [] )
}}
matrix_synapse_federation_port_openid_resource_required: "{{ not matrix_synapse_federation_enabled and (matrix_dimension_enabled or matrix_ma1sd_enabled) }}"
matrix_synapse_email_enabled: "{{ matrix_mailer_enabled }}"
matrix_synapse_email_smtp_host: "matrix-mailer"
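Review bot: this hunk replaces the old expression that appended `openid` to the client listener's resources (`matrix_synapse_http_listener_resource_names`) with `matrix_synapse_federation_port_openid_resource_required`, i.e. `openid` moves from port 8008 to the federation port. The CHANGELOG entry in this diff describes the new exposure but not the removal; an unfederated Dimension install whose `federationUrl` pointed at the client port (the old `matrix_dimension_homeserver_federationUrl` in the `@ -616` hunk chose 8008 in exactly that case) will stop working without a hint, so mention the move there.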

View file

@ -1,62 +1,62 @@
[docker-ce-stable]
name=Docker CE Stable - $basearch
baseurl=https://download.docker.com/linux/centos/7/$basearch/stable
baseurl=https://download.docker.com/linux/centos/$releasever/$basearch/stable
enabled=1
gpgcheck=1
gpgkey=https://download.docker.com/linux/centos/gpg
[docker-ce-stable-debuginfo]
name=Docker CE Stable - Debuginfo $basearch
baseurl=https://download.docker.com/linux/centos/7/debug-$basearch/stable
baseurl=https://download.docker.com/linux/centos/$releasever/debug-$basearch/stable
enabled=0
gpgcheck=1
gpgkey=https://download.docker.com/linux/centos/gpg
[docker-ce-stable-source]
name=Docker CE Stable - Sources
baseurl=https://download.docker.com/linux/centos/7/source/stable
enabled=0
gpgcheck=1
gpgkey=https://download.docker.com/linux/centos/gpg
[docker-ce-edge]
name=Docker CE Edge - $basearch
baseurl=https://download.docker.com/linux/centos/7/$basearch/edge
enabled=0
gpgcheck=1
gpgkey=https://download.docker.com/linux/centos/gpg
[docker-ce-edge-debuginfo]
name=Docker CE Edge - Debuginfo $basearch
baseurl=https://download.docker.com/linux/centos/7/debug-$basearch/edge
enabled=0
gpgcheck=1
gpgkey=https://download.docker.com/linux/centos/gpg
[docker-ce-edge-source]
name=Docker CE Edge - Sources
baseurl=https://download.docker.com/linux/centos/7/source/edge
baseurl=https://download.docker.com/linux/centos/$releasever/source/stable
enabled=0
gpgcheck=1
gpgkey=https://download.docker.com/linux/centos/gpg
[docker-ce-test]
name=Docker CE Test - $basearch
baseurl=https://download.docker.com/linux/centos/7/$basearch/test
baseurl=https://download.docker.com/linux/centos/$releasever/$basearch/test
enabled=0
gpgcheck=1
gpgkey=https://download.docker.com/linux/centos/gpg
[docker-ce-test-debuginfo]
name=Docker CE Test - Debuginfo $basearch
baseurl=https://download.docker.com/linux/centos/7/debug-$basearch/test
baseurl=https://download.docker.com/linux/centos/$releasever/debug-$basearch/test
enabled=0
gpgcheck=1
gpgkey=https://download.docker.com/linux/centos/gpg
[docker-ce-test-source]
name=Docker CE Test - Sources
baseurl=https://download.docker.com/linux/centos/7/source/test
baseurl=https://download.docker.com/linux/centos/$releasever/source/test
enabled=0
gpgcheck=1
gpgkey=https://download.docker.com/linux/centos/gpg
[docker-ce-nightly]
name=Docker CE Nightly - $basearch
baseurl=https://download.docker.com/linux/centos/$releasever/$basearch/nightly
enabled=0
gpgcheck=1
gpgkey=https://download.docker.com/linux/centos/gpg
[docker-ce-nightly-debuginfo]
name=Docker CE Nightly - Debuginfo $basearch
baseurl=https://download.docker.com/linux/centos/$releasever/debug-$basearch/nightly
enabled=0
gpgcheck=1
gpgkey=https://download.docker.com/linux/centos/gpg
[docker-ce-nightly-source]
name=Docker CE Nightly - Sources
baseurl=https://download.docker.com/linux/centos/$releasever/source/nightly
enabled=0
gpgcheck=1
gpgkey=https://download.docker.com/linux/centos/gpg
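Review bot: switching `7` to `$releasever` matches Docker's upstream `docker-ce.repo`, but `$releasever` only expands to a bare major version on CentOS; on RHEL 7 it is `7Server`, so if this repo file is ever applied to RHEL hosts every baseurl will 404. `gpgcheck=1` with the vendor key is kept on every remaining stanza, including the new `nightly` ones, which is the right call for a repo file a playbook installs unattended.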

View file

@ -3,7 +3,7 @@
matrix_appservice_discord_enabled: true
matrix_appservice_discord_docker_image: "docker.io/halfshot/matrix-appservice-discord:latest"
matrix_appservice_discord_docker_image: "docker.io/halfshot/matrix-appservice-discord:v1.0.0"
matrix_appservice_discord_docker_image_force_pull: "{{ matrix_appservice_discord_docker_image.endswith(':latest') }}"
matrix_appservice_discord_base_path: "{{ matrix_base_data_path }}/appservice-discord"
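Review bot: pinning to `v1.0.0` instead of `latest` is the right direction for an image that holds a bot token, but `matrix_appservice_discord_docker_image_force_pull` only forces a pull for `:latest`, so a quietly re-pushed `v1.0.0` tag would never be fetched again; pin by digest if the image is meant to be immutable. The CHANGELOG in this diff should also mention the bridge major-version bump, since the config template below drops the `userStorePath`/`roomStorePath` keys.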
@ -17,6 +17,8 @@ matrix_appservice_discord_bot_token: ''
matrix_appservice_discord_appservice_token: ''
matrix_appservice_discord_homeserver_token: ''
matrix_appservice_discord_homeserver_domain: "{{ matrix_domain }}"
# Controls whether the matrix-appservice-discord container exposes its HTTP port (tcp/9005 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9005"), or empty string to not expose.
@ -39,6 +41,14 @@ matrix_appservice_discord_bridge_homeserverUrl: "{{ matrix_homeserver_url }}"
matrix_appservice_discord_bridge_disablePresence: false
matrix_appservice_discord_bridge_enableSelfServiceBridging: false
# Tells whether the bot should make use of "Privileged Gateway Intents".
#
# Enabling this means that you need to enable it for the bot (Discord application) as well,
# by triggering all Intent checkboxes on a page like this: `https://discord.com/developers/applications/694448564151123988/bot`
#
# Learn more: https://gist.github.com/advaith1/e69bcc1cdd6d0087322734451f15aa2f
matrix_appservice_discord_auth_usePrivilegedIntents: false
matrix_appservice_discord_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"
matrix_appservice_discord_configuration_extension_yaml: |
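Review bot: the comment embeds what looks like a real application ID in the example URL (`.../applications/694448564151123988/bot`); use a placeholder as `config.yaml.j2` in this diff does (`.../applications/12345/bot`). The comment should also name the specific privileged intent(s) the bridge needs rather than "all Intent checkboxes", so admins can grant the minimum.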
@ -62,10 +72,10 @@ matrix_appservice_discord_registration_yaml: |
namespaces:
users:
- exclusive: true
regex: '^@_discord_.*'
regex: '@_discord_.*:{{ matrix_appservice_discord_homeserver_domain|regex_escape }}'
aliases:
- exclusive: true
regex: '^#_discord_.*'
regex: '#_discord_.*:{{ matrix_appservice_discord_homeserver_domain|regex_escape }}'
url: {{ matrix_appservice_discord_appservice_url }}
sender_localpart: _discord_bot
rate_limited: false
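Review bot: the new namespace regexes drop the leading `^` the old ones had and add no `$`, so `@_discord_.*:{{ domain }}` is anchored at neither end; since the point of appending the domain is to stop this appservice from claiming `_discord_` users and aliases on other servers, anchor both ends: `'^@_discord_.*:{{ matrix_appservice_discord_homeserver_domain|regex_escape }}$'` and the same for the alias pattern.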

View file

@ -10,6 +10,7 @@
- "matrix_appservice_discord_bot_token"
- "matrix_appservice_discord_appservice_token"
- "matrix_appservice_discord_homeserver_token"
- "matrix_appservice_discord_homeserver_domain"
- name: (Deprecation) Catch and report renamed appservice-discord variables
fail:

View file

@ -26,10 +26,17 @@ bridge:
disableReadReceipts: false
# Disable Join Leave echos from matrix
disableJoinLeaveNotifications: false
# Disable Invite echos from matrix
disableInviteNotifications: false
# Auto-determine the language of code blocks (this can be CPU-intensive)
determineCodeLanguage: false
# Authentication configuration for the discord bot.
auth:
clientID: {{ matrix_appservice_discord_client_id|string|to_json }}
botToken: {{ matrix_appservice_discord_bot_token }}
# You must enable "Privileged Gateway Intents" in your bot settings on discord.com (e.g. https://discord.com/developers/applications/12345/bot)
# for this to work
usePrivilegedIntents: {{ matrix_appservice_discord_auth_usePrivilegedIntents|to_json }}
logging:
# What level should the logger output to the console at.
console: "warn" #silly, verbose, info, http, warn, error, silent
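Review bot: `botToken: {{ matrix_appservice_discord_bot_token }}` is still interpolated raw while `clientID` and the new `usePrivilegedIntents` go through `|to_json`; a token containing `#`, `:` or a leading special character would yield invalid or silently truncated YAML. While this block is being touched, render it as `botToken: {{ matrix_appservice_discord_bot_token|to_json }}`.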
@ -45,8 +52,6 @@ logging:
# enable:
# - "DiscordBot"
database:
userStorePath: "/data/user-store.db"
roomStorePath: "/data/room-store.db"
# You may either use SQLite or Postgresql for the bridge database, which contains
# important mappings for events and user puppeting configurations.
# Use the filename option for SQLite, or connString for Postgresql.
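Review bot: removing `userStorePath`/`roomStorePath` means existing deployments' `/data/user-store.db` and `/data/room-store.db` are no longer referenced by the generated config. Say whether the `v1.0.0` bridge migrates them into the main database on first start or whether admins must run a migration before upgrading, and put that in the CHANGELOG next to the image bump.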
@ -82,10 +87,12 @@ channel:
limits:
# Delay in milliseconds between discord users joining a room.
roomGhostJoinDelay: 6000
# Delay in milliseconds before sending messages to discord to avoid echos.
# (Copies of a sent message may arrive from discord before we've
# Lock timeout in milliseconds before sending messages to discord to avoid
# echos. Default is rather high as the lock will most likely time out
# before anyways.
# echos = (Copies of a sent message may arrive from discord before we've
# fininished handling it, causing us to echo it back to the room)
discordSendDelay: 750
discordSendDelay: 1500
ghosts:
# Pattern for the ghosts nick, available is :nick, :username, :tag and :id
nickPattern: ":nick"

View file

@ -35,6 +35,10 @@ matrix_mautrix_facebook_homeserver_token: ''
# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
matrix_mautrix_facebook_login_shared_secret: ''
matrix_mautrix_facebook_bridge_login_shared_secret_map: "{{ {matrix_mautrix_facebook_homeserver_domain: matrix_mautrix_facebook_login_shared_secret} if matrix_mautrix_facebook_login_shared_secret else {} }}"
matrix_mautrix_facebook_bridge_presence: true
# Default configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#

View file

@ -81,23 +81,32 @@ bridge:
command_prefix: "!fb"
# Number of chats to sync (and create portals for) on startup/login.
# Maximum 20, set 0 to disable automatic syncing.
# Set 0 to disable automatic syncing.
initial_chat_sync: 10
# Whether or not the Facebook users of logged in Matrix users should be
# invited to private chats when the user sends a message from another client.
invite_own_puppet_to_pm: false
# Whether or not to use /sync to get presence, read receipts and typing notifications when using
# your own Matrix account as the Matrix puppet for your Facebook account.
# Whether or not to use /sync to get presence, read receipts and typing notifications
# when double puppeting is enabled
sync_with_custom_puppets: true
# Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth
# Whether or not to update the m.direct account data event when double puppeting is enabled.
# Note that updating the m.direct event is not atomic (except with mautrix-asmux)
# and is therefore prone to race conditions.
sync_direct_chat_list: false
# Servers to always allow double puppeting from
double_puppet_server_map: {}
# example.com: https://example.com
# Allow using double puppeting from any server with a valid client .well-known file.
double_puppet_allow_discovery: false
# Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
#
# If set, custom puppets will be enabled automatically for local users
# instead of users having to find an access token and run `login-matrix`
# manually.
login_shared_secret: {{ matrix_mautrix_facebook_login_shared_secret|to_json }}
# Whether or not to bridge presence in both directions. Facebook allows users not to broadcast
# presence, but then it won't send other users' presence to the client.
presence: true
# If using this for other servers than the bridge's server,
# you must also set the URL in the double_puppet_server_map.
login_shared_secret_map: {{ matrix_mautrix_facebook_bridge_login_shared_secret_map|to_json }}
presence: {{ matrix_mautrix_facebook_bridge_presence|to_json }}
# Whether or not to update avatars when syncing all contacts at startup.
update_avatar_initial_sync: true
# End-to-bridge encryption support options. These require matrix-nio to be installed with pip
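Review bot: `login_shared_secret_map` is templated from `matrix_mautrix_facebook_bridge_login_shared_secret_map`, but `double_puppet_server_map: {}` and `double_puppet_allow_discovery: false` are hard-coded; the comment directly above says a secret for any server other than the bridge's own also needs an entry in `double_puppet_server_map`, which an admin cannot add without overriding the whole template. Either expose the server map as a variable too or state in the defaults that only the local homeserver is supported. Keeping `double_puppet_allow_discovery: false` is the safe default and should stay.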

View file

@ -3,7 +3,7 @@
matrix_sms_bridge_enabled: true
matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:0.5.4"
matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:0.5.5"
matrix_sms_bridge_base_path: "{{ matrix_base_data_path }}/matrix-sms-bridge"
matrix_sms_bridge_config_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/config"

View file

@ -3,7 +3,7 @@ matrix_client_element_enabled: true
matrix_client_element_container_image_self_build: false
matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git"
matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.14"
matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.15"
matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else 'docker.io/' }}"
matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"

View file

@ -1,5 +1,9 @@
---
- name: Deterimne whether we should make services autostart
set_fact:
matrix_services_autostart_enabled_bool: "{{ true if matrix_services_autostart_enabled|default('') == '' else matrix_services_autostart_enabled|bool }}"
- name: Ensure systemd is reloaded
service:
daemon_reload: yes
@ -14,7 +18,7 @@
- name: Ensure Matrix services are started
service:
name: "{{ item }}"
enabled: yes
enabled: "{{ matrix_services_autostart_enabled_bool }}"
state: started
with_items: "{{ matrix_systemd_services_list }}"
when: not ansible_check_mode
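Review bot: "Deterimne" in the new task name should be "Determine". The expression `true if matrix_services_autostart_enabled|default('') == '' else matrix_services_autostart_enabled|bool` is equivalent to `matrix_services_autostart_enabled|default(true)|bool` and easier to read; `matrix_services_autostart_enabled` also does not appear in any defaults file in this diff, so declare it there with a comment rather than relying on `default('')` at task time.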

View file

@ -3,6 +3,9 @@
matrix_corporal_enabled: true
matrix_corporal_container_image_self_build: false
matrix_corporal_container_image_self_build_repo: "https://github.com/devture/matrix-corporal.git"
# Controls whether the matrix-corporal container exposes its gateway HTTP port (tcp/41080 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:41080"), or empty string to not expose.
@ -19,10 +22,13 @@ matrix_corporal_container_extra_arguments: []
# List of systemd services that matrix-corporal.service depends on
matrix_corporal_systemd_required_services_list: ['docker.service']
matrix_corporal_docker_image: "docker.io/devture/matrix-corporal:1.11.0"
matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}"
matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else 'docker.io/' }}"
matrix_corporal_docker_image_tag: "1.11.0"
matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}"
matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal"
matrix_corporal_container_src_files_path: "{{ matrix_corporal_base_path }}/container-src"
matrix_corporal_config_dir_path: "{{ matrix_corporal_base_path }}/config"
matrix_corporal_cache_dir_path: "{{ matrix_corporal_base_path }}/cache"
matrix_corporal_var_dir_path: "{{ matrix_corporal_base_path }}/var"
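Review bot: `matrix_corporal_docker_image_name_prefix` keys on `matrix_synapse_container_image_self_build` instead of `matrix_corporal_container_image_self_build`. Whenever the two flags differ (group_vars in this diff sets the corporal one from `matrix_architecture != 'amd64'`), a locally built image gets tagged `docker.io/devture/matrix-corporal:1.11.0`, masking the registry image of the same name, or the pull task looks for `localhost/devture/matrix-corporal:1.11.0` that was never built. Change the condition to `matrix_corporal_container_image_self_build`.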

View file

@ -17,13 +17,33 @@
- "{{ matrix_corporal_var_dir_path }}"
when: matrix_corporal_enabled|bool
- name: Ensure Matrix Corporal repository is present on self-build
git:
repo: "{{ matrix_corporal_container_image_self_build_repo }}"
dest: "{{ matrix_corporal_container_src_files_path }}"
version: "{{ matrix_corporal_docker_image.split(':')[1] }}"
force: "yes"
register: matrix_corporal_git_pull_results
when: "matrix_corporal_enabled|bool and matrix_corporal_container_image_self_build|bool"
- name: Ensure Matrix Corporal Docker image is built
docker_image:
name: "{{ matrix_corporal_docker_image }}"
source: build
force_source: "{{ matrix_corporal_git_pull_results.changed }}"
build:
dockerfile: etc/docker/Dockerfile
path: "{{ matrix_corporal_container_src_files_path }}"
pull: yes
when: "matrix_corporal_enabled|bool and matrix_corporal_container_image_self_build|bool"
- name: Ensure Matrix Corporal Docker image is pulled
docker_image:
name: "{{ matrix_corporal_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_corporal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_corporal_docker_image_force_pull }}"
when: matrix_corporal_enabled|bool
when: "matrix_corporal_enabled|bool and not matrix_corporal_container_image_self_build|bool"
- name: Ensure Matrix Corporal config installed
copy:
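Review bot: `version: "{{ matrix_corporal_docker_image.split(':')[1] }}"` breaks as soon as the image name contains a second colon (a registry with a port in the prefix), and the tag already exists as its own variable in this diff; use `version: "{{ matrix_corporal_docker_image_tag }}"`. For the self-build path also note that `force: "yes"` will move a local clone to whatever the remote tag currently points at, so a tag is the only thing pinning what gets built; consider allowing a commit hash to be given for `version` when the goal of self-building is reproducibility.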

View file

@ -205,9 +205,11 @@ var interfaceConfig = {
{% if matrix_jitsi_enable_transcriptions %}
'closedcaptions',
{% endif %}
{% if matrix_jitsi_enable_recording %}
'recording',
{% endif %}
'microphone', 'camera', 'desktop', 'embedmeeting', 'fullscreen',
'fodeviceselection', 'hangup', 'profile', 'chat', 'recording',
'fodeviceselection', 'hangup', 'profile', 'chat',
'livestreaming', 'etherpad', 'sharedvideo', 'settings', 'raisehand',
'videoquality', 'filmstrip', 'invite', 'feedback', 'stats', 'shortcuts',
'tileview', 'videobackgroundblur', 'download', 'help', 'mute-everyone', 'security'

View file

@ -82,13 +82,13 @@ hashing:
- none # the same as v1 bulk lookup
- sha256 # hash the 3PID and pepper.
delay: 2m # how often hashes will be updated if rotation policy = per_seconds (default is 10s)
requests: 10
requests: 10
{% endif %}
synapseSql:
enabled: {{ matrix_ma1sd_synapsesql_enabled }}
type: {{ matrix_ma1sd_synapsesql_type }}
connection: {{ matrix_ma1sd_synapsesql_connection }}
enabled: {{ matrix_ma1sd_synapsesql_enabled|to_json }}
type: {{ matrix_ma1sd_synapsesql_type|to_json }}
connection: {{ matrix_ma1sd_synapsesql_connection|to_json }}
hashing:
enabled: true

View file

@ -3,7 +3,7 @@ matrix_nginx_proxy_enabled: true
# We use an official nginx image, which we fix-up to run unprivileged.
# An alternative would be an `nginxinc/nginx-unprivileged` image, but
# that is frequently out of date.
matrix_nginx_proxy_docker_image: "docker.io/nginx:1.19.4-alpine"
matrix_nginx_proxy_docker_image: "docker.io/nginx:1.19.5-alpine"
matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}"
matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy"
@ -259,7 +259,7 @@ matrix_ssl_domains_to_obtain_certificates_for: []
# Controls whether to obtain production or staging certificates from Let's Encrypt.
matrix_ssl_lets_encrypt_staging: false
matrix_ssl_lets_encrypt_certbot_docker_image: "docker.io/certbot/certbot:{{ matrix_ssl_architecture }}-v1.9.0"
matrix_ssl_lets_encrypt_certbot_docker_image: "docker.io/certbot/certbot:{{ matrix_ssl_architecture }}-v1.10.1"
matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
matrix_ssl_lets_encrypt_support_email: ~

View file

@ -6,8 +6,9 @@ matrix_synapse_enabled: true
matrix_synapse_container_image_self_build: false
matrix_synapse_container_image_self_build_repo: "https://github.com/matrix-org/synapse.git"
matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:v1.23.0"
matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:{{ matrix_synapse_docker_image_tag }}"
matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else 'docker.io/' }}"
matrix_synapse_docker_image_tag: "{{ 'v1.24.0' if matrix_architecture == 'amd64' else 'v1.23.0' }}"
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
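Review bot: `matrix_synapse_docker_image_tag` now pins non-amd64 hosts to `v1.23.0` while amd64 moves to `v1.24.0`; add a comment above the variable stating why the tags diverge and when they are expected to converge, so the pin is not mistaken for an oversight and is revisited when a later release carries security fixes that the other architectures would otherwise miss.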
@ -136,6 +137,11 @@ matrix_synapse_tls_private_key_path: "/data/{{ matrix_server_fqn_matrix }}.tls.k
# names.
matrix_synapse_http_listener_resource_names: ["client"]
# Resources served on Synapse's federation port.
# When disabling federation, we may wish to serve the `openid` resource here,
# so that services like Dimension and ma1sd can work.
matrix_synapse_federation_listener_resource_names: "{{ ['federation'] if matrix_synapse_federation_enabled else (['openid'] if matrix_synapse_federation_port_openid_resource_required else []) }}"
# Enable this to allow Synapse to report utilization statistics about your server to matrix.org
# (things like number of users, number of messages sent, uptime, load, etc.)
matrix_synapse_report_stats: false
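Review bot: the `['federation']` branch in `matrix_synapse_federation_listener_resource_names` does not also list `openid`, which is correct because Synapse's `federation` resource already serves the `openid` endpoints, but a one-line comment saying so would stop a future reader from adding it; the trailing `[]` branch is only reached when `matrix_synapse_federation_port_enabled` is false and no listener is rendered, so it is harmless dead output, which the same comment could note.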
@ -211,10 +217,25 @@ matrix_synapse_caches_global_factor: 0.5
# Controls whether Synapse will federate at all.
# Disable this to completely isolate your server from the rest of the Matrix network.
# Also see: `matrix_synapse_tls_federation_listener_enabled` if you wish to keep federation enabled,
#
# Disabling this still keeps the federation port exposed, because it may be used for other services (`openid`).
#
# Also see:
# - `matrix_synapse_tls_federation_listener_enabled` if you wish to keep federation enabled,
# but want to stop the TLS listener (port 8448).
# - `matrix_synapse_federation_port_enabled` to avoid exposing the federation ports
matrix_synapse_federation_enabled: true
# Controls whether the federation ports are used at all.
# One may wish to disable federation (`matrix_synapse_federation_enabled: true`),
# but still run other resources (like `openid`) on the federation port
# by enabling them in `matrix_synapse_federation_listener_resource_names`.
matrix_synapse_federation_port_enabled: "{{ matrix_synapse_federation_enabled or matrix_synapse_federation_port_openid_resource_required }}"
# Controls whether an `openid` listener is to be enabled. Useful when disabling federation,
# but needing the `openid` APIs for Dimension or an identity server like ma1sd.
matrix_synapse_federation_port_openid_resource_required: false
# A list of domain names that are allowed to federate with the given Synapse server.
# An empty list value (`[]`) will also effectively stop federation, but if that's the desired
# result, it's better to accomplish it by changing `matrix_synapse_federation_enabled`.
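Review bot: the comment `One may wish to disable federation (matrix_synapse_federation_enabled: true)` should read `false`, since `true` is the enabled state; in the same block, `Disabling this still keeps the federation port exposed` only holds when `matrix_synapse_federation_port_openid_resource_required` is set, because `matrix_synapse_federation_port_enabled` evaluates to false when both flags are false, so reword it to `may keep the federation port exposed (see matrix_synapse_federation_port_enabled)` so operators do not assume an unfederated server always leaves 8448/8048 listening.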

View file

@ -188,7 +188,7 @@ listeners:
- '0.0.0.0'
{% endif %}
{% if matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled %}
{% if matrix_synapse_federation_port_enabled and matrix_synapse_tls_federation_listener_enabled %}
# TLS-enabled listener: for when matrix traffic is sent directly to synapse.
- port: 8448
tls: true
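Review bot: with the TLS listener now gated on `matrix_synapse_federation_port_enabled`, an unfederated server that sets `matrix_synapse_federation_port_openid_resource_required: true` keeps port 8448 open as well as 8048 unless `matrix_synapse_tls_federation_listener_enabled` is turned off; the `openid` resource exposes only the user-info endpoint, so the surface is small, but the changelog or role documentation for this option should say that both listeners stay up so operators can decide whether to disable the TLS one.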
@ -197,7 +197,7 @@ listeners:
x_forwarded: false
resources:
- names: [federation]
- names: {{ matrix_synapse_federation_listener_resource_names|to_json }}
compress: false
{% endif %}
@ -213,7 +213,7 @@ listeners:
- names: {{ matrix_synapse_http_listener_resource_names|to_json }}
compress: false
{% if matrix_synapse_federation_enabled %}
{% if matrix_synapse_federation_port_enabled %}
# Unsecure HTTP listener (Federation API): for when matrix traffic passes through a reverse proxy
# that unwraps TLS.
- port: 8048
@ -223,7 +223,7 @@ listeners:
x_forwarded: true
resources:
- names: [federation]
- names: {{ matrix_synapse_federation_listener_resource_names|to_json }}
compress: false
{% endif %}
@ -1202,8 +1202,9 @@ allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }}
# email will be globally disabled.
#
# Additionally, if `msisdn` is not set, registration and password resets via msisdn
# will be disabled regardless. This is due to Synapse currently not supporting any
# method of sending SMS messages on its own.
# will be disabled regardless, and users will not be able to associate an msisdn
# identifier to their account. This is due to Synapse currently not supporting
# any method of sending SMS messages on its own.
#
# To enable using an identity server for operations regarding a particular third-party
# identifier type, set the value to the URL of that identity server as shown in the
@ -1522,6 +1523,12 @@ saml2_config:
# remote:
# - url: https://our_idp/metadata.xml
# Allowed clock difference in seconds between the homeserver and IdP.
#
# Uncomment the below to increase the accepted time difference from 0 to 3 seconds.
#
#accepted_time_diff: 3
# By default, the user has to go to our login page first. If you'd like
# to allow IdP-initiated login, set 'allow_unsolicited: true' in a
# 'service.sp' section:
@ -1644,6 +1651,14 @@ saml2_config:
# - attribute: department
# value: "sales"
# If the metadata XML contains multiple IdP entities then the `idp_entityid`
# option must be set to the entity to redirect users to.
#
# Most deployments only have a single IdP entity and so should omit this
# option.
#
#idp_entityid: 'https://our_idp/entityid'
# Enable OpenID Connect (OIDC) / OAuth 2.0 for registration and login.
#
@ -2222,21 +2237,35 @@ password_providers:
{% endif %}
## Push ##
# Clients requesting push notifications can either have the body of
# the message sent in the notification poke along with other details
# like the sender, or just the event ID and room ID (`event_id_only`).
# If clients choose the former, this option controls whether the
# notification request includes the content of the event (other details
# like the sender are still included). For `event_id_only` push, it
# has no effect.
#
# For modern android devices the notification content will still appear
# because it is loaded by the app. iPhone, however will send a
# notification saying only that a message arrived and who it came from.
#
push:
include_content: {{ matrix_synapse_push_include_content|to_json }}
# Clients requesting push notifications can either have the body of
# the message sent in the notification poke along with other details
# like the sender, or just the event ID and room ID (`event_id_only`).
# If clients choose the former, this option controls whether the
# notification request includes the content of the event (other details
# like the sender are still included). For `event_id_only` push, it
# has no effect.
#
# For modern android devices the notification content will still appear
# because it is loaded by the app. iPhone, however will send a
# notification saying only that a message arrived and who it came from.
#
# The default value is "true" to include message details. Uncomment to only
# include the event ID and room ID in push notification payloads.
#
include_content: {{ matrix_synapse_push_include_content|to_json }}
# When a push notification is received, an unread count is also sent.
# This number can either be calculated as the number of unread messages
# for the user, or the number of *rooms* the user has unread messages in.
#
# The default value is "true", meaning push clients will see the number of
# rooms with unread messages in them. Uncomment to instead send the number
# of unread messages.
#
#group_unread_count_by_room: false
# Spam checkers are third-party modules that can block specific actions
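Review bot: the comment `Uncomment to only include the event ID and room ID in push notification payloads` no longer fits the line below it, which is always rendered from `matrix_synapse_push_include_content|to_json` and is never commented out; point the sentence at the Ansible variable instead, otherwise operators edit a file the role overwrites. The new `#group_unread_count_by_room: false` is left as upstream's commented default, so if the role is meant to manage it, expose it the same way as `include_content`.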