Merge branch 'master' into pub.solar
This commit is contained in:
commit
be8e588001
@ -34,6 +34,8 @@ Updates to this section are trailed here:
Yes, you'll need to configure an AWX instance, the [Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) repository makes it easy to do. Just follow the steps listed in '/docs/Installation.md' of that repository.
|
||||
|
||||
For simpler installation steps you can use to get started with this system, check out our minimal installation guide at '/doc/Installation_Minimal.md'.
|
||||
|
||||
|
||||
## Does I need a front-end WordPress site? And a DigitalOcean account?
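Review bot: the new heading at the end of this hunk reads "Does I need a front-end WordPress site?"; it should be "Do I need". The two doc paths in this hunk also disagree on the directory name: '/docs/Installation.md' for the Create AWX System repository versus '/doc/Installation_Minimal.md' for the minimal guide; confirm which directory exists and spell it the same way in both places.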
@ -2,16 +2,37 @@
The playbook can install and configure [mautrix-facebook](https://github.com/tulir/mautrix-facebook) for you.
|
||||
|
||||
See the project's [documentation](https://github.com/tulir/mautrix-facebook/wiki#usage) to learn what it does and why it might be useful to you.
|
||||
See the project's [documentation](https://github.com/tulir/mautrix-facebook/blob/master/ROADMAP.md) to learn what it does and why it might be useful to you.
|
||||
|
||||
```yaml
|
||||
matrix_mautrix_facebook_enabled: true
|
||||
```
|
||||
|
||||
There are some additional things you may wish to configure about the bridge before you continue.
|
||||
|
||||
Encryption support is off by default. If you would like to enable encryption, add the following to your `vars.yml` file:
|
||||
```yaml
|
||||
matrix_mautrix_facebook_configuration_extension_yaml: |
|
||||
bridge:
|
||||
encryption:
|
||||
allow: true
|
||||
default: true
|
||||
```
|
||||
|
||||
If you would like to be able to administrate the bridge from your account it can be configured like this:
|
||||
```yaml
|
||||
matrix_mautrix_facebook_configuration_extension_yaml: |
|
||||
bridge:
|
||||
permissions:
|
||||
'@YOUR_USERNAME:YOUR_DOMAIN': admin
|
||||
```
|
||||
|
||||
You may wish to look at `roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2` to find other things you would like to configure.
|
||||
|
||||
|
||||
## Set up Double Puppeting
|
||||
|
||||
If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-facebook/wiki/Authentication#double-puppeting) (hint: you most likely do), you have 2 ways of going about it.
|
||||
If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.
|
||||
|
||||
### Method 1: automatically, by enabling Shared Secret Auth
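Review bot: the two `matrix_mautrix_facebook_configuration_extension_yaml` snippets (the `bridge.encryption` one and the `bridge.permissions` one) each assign the same variable, so a reader who pastes both into `vars.yml` keeps only the second; show one merged block under a single `bridge:` key, or say explicitly that the two must be combined. Also, the link text still says "documentation" while its target moves from the usage wiki page to `ROADMAP.md`, which lists planned features rather than explaining what the bridge does today; keep the wording in step with the target.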
@ -42,9 +63,7 @@ https://matrix.DOMAIN/_matrix/client/r0/login
You then need to start a chat with `@facebookbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain).
|
||||
|
||||
Send `login YOUR_FACEBOOK_EMAIL_ADDRESS YOUR_FACEBOOK_PASSWORD` to the bridge bot to enable bridging for your Facebook/Messenger account.
|
||||
|
||||
You can learn more here about authentication from the bridge's [official documentation on Authentication](https://github.com/tulir/mautrix-facebook/wiki/Authentication).
|
||||
Send `login YOUR_FACEBOOK_EMAIL_ADDRESS` to the bridge bot to enable bridging for your Facebook Messenger account. You can learn more here about authentication from the bridge's [official documentation on Authentication](https://docs.mau.fi/bridges/python/facebook/authentication.html).
|
||||
|
||||
If you run into trouble, check the [Troubleshooting](#troubleshooting) section below.
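Review bot: dropping `YOUR_FACEBOOK_PASSWORD` from the `login` command is a welcome change, since anything sent to the bridge bot lands in room history on the homeserver (and in every backup of it); the rewritten sentence should still say how the password is supplied after that message, rather than leaving the reader to infer it from the linked authentication page.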
@ -13,8 +13,8 @@ Before installing Jitsi, make sure you've created the `jitsi.DOMAIN` DNS record.
You may also need to open the following ports to your server:
|
||||
|
||||
- `10000/udp` - RTP media over UDP
|
||||
- `4443/tcp` - RTP media fallback over TCP
|
||||
- `10000/udp` - RTP media over UDP. Depending on your firewall/NAT setup, incoming RTP packets on port `10000` may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/matrix-jitsi/defaults/main.yml)).
|
||||
|
||||
|
||||
## Installation
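Review bot: this hunk removes `4443/tcp - RTP media fallback over TCP` from the Jitsi port list, but the prerequisites page touched by the same commit still lists `4443/tcp: Jitsi Harvester fallback`; either keep the port in both places or drop it in both, otherwise readers following one page open a different set of ports from readers following the other.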
@ -6,6 +6,8 @@ It's a web UI tool you can use to **administrate users and rooms on your Matrix
See the project's [documentation](https://github.com/Awesome-Technologies/synapse-admin) to learn what it does and why it might be useful to you.
|
||||
|
||||
**Warning**: Synapse Admin will likely not work with Synapse v1.32 for now. See [this issue](https://github.com/Awesome-Technologies/synapse-admin/issues/132). If you insist on using Synapse Admin before there's a solution to this issue, you may wish to downgrade Synapse (adding `matrix_synapse_version: v1.31.0` or `matrix_synapse_version_arm64: v1.31.0` to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file).
|
||||
|
||||
|
||||
## Adjusting the playbook configuration
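Review bot: the downgrade advice (`matrix_synapse_version: v1.31.0`) pins the homeserver to an older release for the sake of an admin UI; the warning should say that the pin also holds back any security fixes shipped in v1.32 and later, and that the override must be removed from `vars.yml` once synapse-admin issue 132 is resolved, because a pinned version never advances on its own.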
@ -11,7 +11,7 @@ These services are enabled and used by default, but you can turn them off, if yo
- [matrixdotorg/synapse](https://hub.docker.com/r/matrixdotorg/synapse/) - the official [Synapse](https://github.com/matrix-org/synapse) Matrix homeserver (optional)
|
||||
|
||||
- [instrumentisto/coturn](https://hub.docker.com/r/instrumentisto/coturn/) - the [Coturn](https://github.com/coturn/coturn) STUN/TURN server (optional)
|
||||
- [coturn/coturn](https://hub.docker.com/r/coturn/coturn/) - the [Coturn](https://github.com/coturn/coturn) STUN/TURN server (optional)
|
||||
|
||||
- [vectorim/element-web](https://hub.docker.com/r/vectorim/element-web/) - the [Element](https://element.io/) web client (optional)
@ -297,7 +297,7 @@ matrix_coturn_enabled: false
# hundreds of servers inside is insanely heavy (https://github.com/matrix-org/synapse/issues/3971).
|
||||
#
|
||||
# If your server does not federate with hundreds of others, enabling this doesn't hurt much.
|
||||
matrix_synapse_use_presence: false
|
||||
matrix_synapse_presence_enabled: false
|
||||
```
|
||||
|
||||
You can also consider implementing a restriction on room complexity, in order to prevent users from joining very heavy rooms:
@ -74,7 +74,7 @@ You should then be able to browse the adminer database administration GUI at htt
## Make Synapse faster
|
||||
|
||||
Synapse's presence feature which tracks which users are online and which are offline can use a lot of processing power. You can disable presence by adding `matrix_synapse_use_presence: false` to your `vars.yml` file.
|
||||
Synapse's presence feature which tracks which users are online and which are offline can use a lot of processing power. You can disable presence by adding `matrix_synapse_presence_enabled: false` to your `vars.yml` file.
|
||||
|
||||
Tuning Synapse's cache factor can help reduce RAM usage. [See the upstream documentation](https://github.com/matrix-org/synapse#help-synapse-is-slow-and-eats-all-my-ram-cpu) for more information on what value to set the cache factor to. Use the variable `matrix_synapse_caches_global_factor` to set the cache factor.
@ -34,7 +34,6 @@ If your distro runs within an [LXC container](https://linuxcontainers.org/), you
- `5349/udp`: TURN over UDP (used by Coturn)
|
||||
- `8448/tcp`: Matrix Federation API HTTPS webserver. In some cases, this **may necessary even with federation disabled**. Integration Servers (like Dimension) and Identity Servers (like ma1sd) may need to access `openid` APIs on the federation port.
|
||||
- the range `49152-49172/udp`: TURN over UDP
|
||||
- `4443/tcp`: Jitsi Harvester fallback
|
||||
- `10000/udp`: Jitsi video RTP. Depending on your firewall/NAT setup, incoming RTP packets on port `10000` may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/matrix-jitsi/defaults/main.yml)).
|
||||
- potentially some other ports, depending on the additional (non-default) services that you enable in the **configuring the playbook** step (later on). Consult each service's documentation page in `docs/` for that.
|
||||
|
||||
When ready to proceed, continue with [Configuring DNS](configuring-dns.md).
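Review bot: `4443/tcp: Jitsi Harvester fallback` survives here while the Jitsi page in this same commit drops 4443/tcp from its list; align the two. While touching this list, the unchanged `8448/tcp` line reads "this **may necessary even with federation disabled**", which should be "may be necessary".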
@ -64,7 +64,7 @@ matrix_appservice_discord_enabled: false
matrix_appservice_discord_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9005' }}"
|
||||
|
||||
# If the homeserver disables presence, it's likely better (less wasteful) to also disable presence on the bridge side.
|
||||
matrix_appservice_discord_bridge_disablePresence: "{{ matrix_synapse_use_presence }}"
|
||||
matrix_appservice_discord_bridge_disablePresence: "{{ not matrix_synapse_presence_enabled }}"
|
||||
|
||||
matrix_appservice_discord_systemd_required_services_list: |
|
||||
{{
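Review bot: the old line `matrix_appservice_discord_bridge_disablePresence: "{{ matrix_synapse_use_presence }}"` was inverted (presence was disabled on the bridge exactly when the homeserver had it enabled); `"{{ not matrix_synapse_presence_enabled }}"` corrects that, but since it silently flips the effective value for every existing deployment, the change deserves its own line in the commit message or changelog instead of being folded into a rename.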
@ -188,7 +188,7 @@ matrix_appservice_irc_container_http_host_bind_port: "{{ '' if matrix_nginx_prox
# The IRC bridge docs say that if homeserver presence is disabled, it's better to also disable
|
||||
# IRC bridge presence, for performance reasons.
|
||||
matrix_appservice_irc_homeserver_enablePresence: "{{ matrix_synapse_use_presence }}"
|
||||
matrix_appservice_irc_homeserver_enablePresence: "{{ matrix_synapse_presence_enabled }}"
|
||||
|
||||
matrix_appservice_irc_systemd_required_services_list: |
|
||||
{{
@ -242,7 +242,7 @@ matrix_mautrix_facebook_homeserver_token: "{{ matrix_synapse_macaroon_secret_key
matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
|
||||
|
||||
matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_use_presence if matrix_synapse_enabled else true }}"
|
||||
matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}"
|
||||
|
||||
# We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain
|
||||
# and point them to a migration path.
@ -325,7 +325,7 @@ matrix_mautrix_instagram_homeserver_token: "{{ matrix_synapse_macaroon_secret_ke
matrix_mautrix_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
|
||||
|
||||
matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_use_presence if matrix_synapse_enabled else true }}"
|
||||
matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}"
|
||||
|
||||
# We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain
|
||||
# and point them to a migration path.
@ -1211,7 +1211,7 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ m
matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
|
||||
|
||||
matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_use_presence }}"
|
||||
matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_presence_enabled }}"
|
||||
|
||||
matrix_nginx_proxy_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}"
|
||||
matrix_nginx_proxy_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}"
@ -1527,7 +1527,7 @@ matrix_client_element_registration_enabled: "{{ matrix_synapse_enable_registrati
matrix_client_element_enable_presence_by_hs_url: |
|
||||
{{
|
||||
none
|
||||
if matrix_synapse_use_presence
|
||||
if matrix_synapse_presence_enabled
|
||||
else {matrix_client_element_default_hs_url: false}
|
||||
}}
@ -1675,11 +1675,6 @@ matrix_synapse_admin_container_self_build: "{{ matrix_architecture != 'amd64' }}
matrix_prometheus_node_exporter_enabled: false
|
||||
|
||||
# Normally, matrix-nginx-proxy is enabled and nginx can reach Prometheus Node Exporter over the container network.
|
||||
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
||||
# Prometheus' HTTP port to the local host.
|
||||
matrix_prometheus_node_exporter_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9200' }}"
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# /matrix-prometheus-node-exporter
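Review bot: this hunk deletes `matrix_prometheus_node_exporter_container_http_host_bind_port` (and its comment) from the example group_vars, but nothing in the diff shows the role side; check that `roles/matrix-prometheus-node-exporter` no longer references the variable and that an operator who had set it in `vars.yml` gets a clear notice, otherwise the exporter's host-port exposure changes without warning.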
@ -1706,6 +1701,7 @@ matrix_prometheus_scraper_synapse_targets: ['matrix-synapse:{{ matrix_synapse_me
matrix_prometheus_scraper_synapse_rules_synapse_tag: "{{ matrix_synapse_docker_image_tag }}"
|
||||
|
||||
matrix_prometheus_scraper_node_enabled: "{{ matrix_prometheus_node_exporter_enabled }}"
|
||||
matrix_prometheus_scraper_node_targets: "{{ ['matrix-prometheus-node-exporter:9100'] if matrix_prometheus_node_exporter_enabled else [] }}"
|
||||
|
||||
######################################################################
|
||||
#
42
roles/matrix-awx/surveys/access_export.json.j2
Normal file
@ -0,0 +1,42 @@
{
|
||||
"name": "Access Export",
|
||||
"description": "Access the services export.",
|
||||
"spec": [
|
||||
{
|
||||
"question_name": "SFTP Authorisation Method",
|
||||
"question_description": "Set whether you want to disable SFTP, use a password to connect to SFTP or connect with a more secure SSH key.",
|
||||
"required": true,
|
||||
"min": null,
|
||||
"max": null,
|
||||
"default": "{{ sftp_auth_method | string }}",
|
||||
"choices": "Disabled\nPassword\nSSH Key",
|
||||
"new_question": true,
|
||||
"variable": "sftp_auth_method",
|
||||
"type": "multiplechoice"
|
||||
},
|
||||
{
|
||||
"question_name": "SFTP Password",
|
||||
"question_description": "Sets the password of the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as export the latest copy of your Matrix service. Must be defined if 'Password' method is selected. WARNING: You must set a strong and unique password here.",
|
||||
"required": false,
|
||||
"min": 0,
|
||||
"max": 64,
|
||||
"default": "{{ sftp_password }}",
|
||||
"choices": "",
|
||||
"new_question": true,
|
||||
"variable": "sftp_password",
|
||||
"type": "password"
|
||||
},
|
||||
{
|
||||
"question_name": "SFTP Public SSH Key (More Secure)",
|
||||
"question_description": "Sets the public SSH key used to access the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as export the latest copy of your Matrix service. Must be defined if 'SSH Key' method is selected.",
|
||||
"required": false,
|
||||
"min": 0,
|
||||
"max": 16384,
|
||||
"default": "{{ sftp_public_key }}",
|
||||
"choices": "",
|
||||
"new_question": true,
|
||||
"variable": "sftp_public_key",
|
||||
"type": "text"
|
||||
}
|
||||
]
|
||||
}
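Review bot: `"default": "{{ sftp_password }}"` writes the current SFTP password into the rendered survey JSON; later in this commit that file is saved under `/var/lib/awx/projects/clients/...` and copied to `/matrix/awx/access_export.json` on the target with mode 0660, so the secret now lives in plaintext in two more files. Leave the default of the `password`-type question empty and only update `sftp_password` when a value is submitted. Separately, none of the `{{ ... }}` values here are escaped for JSON, so a password or key containing `"` or `\` breaks the spec; render them with Ansible's `to_json` filter (and drop the surrounding quotes) instead of interpolating raw strings.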
@ -1,6 +1,6 @@
{
|
||||
"name": "Backup Server",
|
||||
"description": "",
|
||||
"description": "Performs a backup of the entire service to a remote location.",
|
||||
"spec": [
|
||||
{
|
||||
"question_name": "Enable Backup",
@ -1,6 +1,6 @@
{
|
||||
"name": "Configure Matrix Corporal",
|
||||
"description": "",
|
||||
"description": "Configure Matrix Corporal, a tool that manages your Matrix server according to a configuration policy.",
|
||||
"spec": [
|
||||
{
|
||||
"question_name": "Enable Corporal",
@ -1,6 +1,6 @@
{
|
||||
"name": "Configure Dimension",
|
||||
"description": "",
|
||||
"description": "Configure Dimension, the self-hosted integrations server.",
|
||||
"spec": [
|
||||
{
|
||||
"question_name": "Enable Dimension",
@ -1,6 +1,6 @@
{
|
||||
"name": "",
|
||||
"description": "",
|
||||
"name": "Configure Element",
|
||||
"description": "Configure Element web client, Element is the most developed Matrix client software.",
|
||||
"spec": [
|
||||
{
|
||||
"question_name": "Enable Element-Web",
@ -1,6 +1,6 @@
{
|
||||
"name": "",
|
||||
"description": "",
|
||||
"name": "Configure Jitsi",
|
||||
"description": "Configure Jitsi conferencing settings.",
|
||||
"spec": [
|
||||
{
|
||||
"question_name": "Enable Jitsi",
@ -1,6 +1,6 @@
{
|
||||
"name": "",
|
||||
"description": "",
|
||||
"name": "Configure ma1sd",
|
||||
"description": "Configure ma1sd settings, ma1sd is a self-hosted identity server for Matrix.",
|
||||
"spec": [
|
||||
{
|
||||
"question_name": "Enable ma1sd",
@ -1,6 +1,6 @@
{
|
||||
"name": "Configure Synapse",
|
||||
"description": "",
|
||||
"description": "Configure Synapse settings. Synapse is the homeserver software that powers your Matrix instance.",
|
||||
"spec": [
|
||||
{
|
||||
"question_name": "Enable Public Registration",
@ -56,10 +56,10 @@
"required": false,
|
||||
"min": null,
|
||||
"max": null,
|
||||
"default": "{{ matrix_synapse_use_presence | string | lower }}",
|
||||
"default": "{{ matrix_synapse_presence_enabled | string | lower }}",
|
||||
"choices": "true\nfalse",
|
||||
"new_question": true,
|
||||
"variable": "matrix_synapse_use_presence",
|
||||
"variable": "matrix_synapse_presence_enabled",
|
||||
"type": "multiplechoice"
|
||||
},
|
||||
{
@ -8,7 +8,7 @@
insertafter: '# Base Domain Settings Start'
|
||||
with_dict:
|
||||
'matrix_nginx_proxy_base_domain_homepage_enabled': 'true'
|
||||
when: customise_base_domain_website|bool == false
|
||||
when: (customise_base_domain_website is defined) and not customise_base_domain_website|bool
|
||||
|
||||
- name: Disable index.html creation to allow multi-file site if user does wish to customise base domain
|
||||
delegate_to: 127.0.0.1
@ -19,7 +19,19 @@
insertafter: '# Base Domain Settings Start'
|
||||
with_dict:
|
||||
'matrix_nginx_proxy_base_domain_homepage_enabled': 'false'
|
||||
when: customise_base_domain_website|bool == true
|
||||
when: (customise_base_domain_website is defined) and customise_base_domain_website|bool
|
||||
|
||||
- name: Record custom 'Customise Website + Access Export' variables locally on AWX
|
||||
delegate_to: 127.0.0.1
|
||||
lineinfile:
|
||||
path: '{{ awx_cached_matrix_vars }}'
|
||||
regexp: "^#? *{{ item.key | regex_escape() }}:"
|
||||
line: "{{ item.key }}: {{ item.value }}"
|
||||
insertafter: '# Custom Settings Start'
|
||||
with_dict:
|
||||
'sftp_auth_method': '"{{ sftp_auth_method }}"'
|
||||
'sftp_password': '"{{ sftp_password }}"'
|
||||
'sftp_public_key': '"{{ sftp_public_key }}"'
|
||||
|
||||
- name: Record custom 'Customise Website + Access Export' variables locally on AWX
|
||||
delegate_to: 127.0.0.1
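Review bot: the new "Record custom 'Customise Website + Access Export' variables locally on AWX" task loops `lineinfile` over `sftp_password` (and `sftp_public_key`) via `with_dict`, and Ansible echoes each item in the task output, so the password ends up in the job log; add `no_log: true`, as the `include_vars` task further down already does. This task also has no `when:` and writes the same three `sftp_*` keys as the task that follows it (which carries the `customise_base_domain_website is defined` guard), so whenever that variable is defined both tasks run and write the same lines; keep one of them.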
@ -30,28 +42,40 @@
insertafter: '# Custom Settings Start'
|
||||
with_dict:
|
||||
'customise_base_domain_website': '{{ customise_base_domain_website }}'
|
||||
'sftp_auth_method': '"{{ sftp_auth_method }}"'
|
||||
'sftp_password': '"{{ sftp_password }}"'
|
||||
'sftp_public_key': '"{{ sftp_public_key }}"'
|
||||
when: customise_base_domain_website is defined
|
||||
|
||||
- name: Reload vars in matrix_vars.yml
|
||||
include_vars:
|
||||
file: '{{ awx_cached_matrix_vars }}'
|
||||
no_log: True
|
||||
|
||||
# ^ Is this even needed?
|
||||
|
||||
- name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template
|
||||
delegate_to: 127.0.0.1
|
||||
template:
|
||||
src: './roles/matrix-awx/surveys/configure_website_access_export.json.j2'
|
||||
dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'
|
||||
when: customise_base_domain_website is defined
|
||||
|
||||
- name: Copy new 'Customise Website + Access Export' survey.json to target machine
|
||||
copy:
|
||||
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'
|
||||
dest: '/matrix/awx/configure_website_access_export.json'
|
||||
mode: '0660'
|
||||
when: customise_base_domain_website is defined
|
||||
|
||||
- name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template
|
||||
delegate_to: 127.0.0.1
|
||||
template:
|
||||
src: './roles/matrix-awx/surveys/access_export.json.j2'
|
||||
dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json'
|
||||
when: customise_base_domain_website is undefined
|
||||
|
||||
- name: Copy new 'Customise Website + Access Export' survey.json to target machine
|
||||
copy:
|
||||
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json'
|
||||
dest: '/matrix/awx/access_export.json'
|
||||
mode: '0660'
|
||||
when: customise_base_domain_website is undefined
|
||||
|
||||
- name: Collect AWX admin token the hard way!
|
||||
delegate_to: 127.0.0.1
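Review bot: `# ^ Is this even needed?` is a question to yourself left in the playbook; resolve it before merging. The two tasks for the access-export variant (the `Save new ... survey.json` and `Copy new ... survey.json` tasks guarded by `customise_base_domain_website is undefined`) still carry the 'Customise Website + Access Export' name, which makes job logs misleading; name them 'Access Export'. The copied survey file is written with `mode: '0660'` but no `owner`/`group`, so ownership falls to whoever runs the play; since the file can contain the SFTP password (see the template), set owner and group explicitly.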
@ -60,7 +84,7 @@
register: tower_token
|
||||
no_log: True
|
||||
|
||||
- name: Recreate 'Customise Base Domain Export' job template
|
||||
- name: Recreate 'Configure Website + Access Export' job template
|
||||
delegate_to: 127.0.0.1
|
||||
awx.awx.tower_job_template:
|
||||
name: "{{ matrix_domain }} - 1 - Configure Website + Access Export"
@ -80,6 +104,29 @@
tower_host: "https://{{ tower_host }}"
|
||||
tower_oauthtoken: "{{ tower_token.stdout }}"
|
||||
validate_certs: yes
|
||||
when: customise_base_domain_website is defined
|
||||
|
||||
- name: Recreate 'Access Export' job template
|
||||
delegate_to: 127.0.0.1
|
||||
awx.awx.tower_job_template:
|
||||
name: "{{ matrix_domain }} - 1 - Access Export"
|
||||
description: "Access the services export."
|
||||
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
|
||||
job_type: run
|
||||
job_tags: "start,setup-nginx-proxy"
|
||||
inventory: "{{ member_id }}"
|
||||
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
|
||||
playbook: setup.yml
|
||||
credential: "{{ member_id }} - AWX SSH Key"
|
||||
survey_enabled: true
|
||||
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json') }}"
|
||||
become_enabled: yes
|
||||
state: present
|
||||
verbosity: 1
|
||||
tower_host: "https://{{ tower_host }}"
|
||||
tower_oauthtoken: "{{ tower_token.stdout }}"
|
||||
validate_certs: yes
|
||||
when: customise_base_domain_website is undefined
|
||||
|
||||
- name: Ensure group "sftp" exists
|
||||
group:
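Review bot: the "Recreate 'Access Export' job template" block repeats the 'Configure Website + Access Export' block line for line, differing only in `name`, `description`, `survey_spec` and the `when:`; a single task with those four fields derived from `customise_base_domain_website is defined` would keep the two from drifting (`validate_certs: yes`, `job_tags` and `become_enabled` must stay identical in both).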
@ -113,6 +160,7 @@
name: sftp
|
||||
groups: matrix
|
||||
append: yes
|
||||
when: customise_base_domain_website is defined
|
||||
|
||||
- name: Create the ro /chroot directory with sticky bit if it doesn't exist. (/chroot/website has matrix:matrix permissions and is mounted to nginx container)
|
||||
file:
@ -129,6 +177,7 @@
owner: matrix
|
||||
group: matrix
|
||||
mode: '0574'
|
||||
when: customise_base_domain_website is defined
|
||||
|
||||
- name: Ensure /chroot/export location exists
|
||||
file:
@ -16,8 +16,3 @@
- name: Ensure correct ownership of /matrix/synapse
|
||||
shell: chown -R matrix:matrix /matrix/synapse
|
||||
|
||||
- name: Fetch matrix_vars.yml file to AWX
|
||||
fetch:
|
||||
src: /matrix/awx/matrix_vars.yml
|
||||
dest: /var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/
|
||||
flat: yes
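Review bot: this hunk removes the `fetch` that copied `/matrix/awx/matrix_vars.yml` to `/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/`, yet the new `rename_variables.yml` in this commit edits `matrix_vars.yml` at exactly that path; confirm another step still places the file there, otherwise the rename runs against a stale or missing copy, and say in the commit message why the fetch was dropped.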
@ -8,6 +8,15 @@
tags:
|
||||
- always
|
||||
|
||||
# Renames the variables if needed
|
||||
- include_tasks:
|
||||
file: "rename_variables.yml"
|
||||
apply:
|
||||
tags: always
|
||||
when: run_setup|bool and matrix_awx_enabled|bool
|
||||
tags:
|
||||
- always
|
||||
|
||||
# Perform a backup of the server
|
||||
- include_tasks:
|
||||
file: "backup_server.yml"
@ -6,7 +6,12 @@
- name: Purge local media to specific date
|
||||
shell: |
|
||||
curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout }}" 'https://matrix.{{ matrix_domain }}/_synapse/admin/v1/media/matrix.{{ matrix_domain }}/delete?before_ts={{ epoche_time.stdout }}'
|
||||
curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/media/matrix.{{ matrix_domain }}/delete?before_ts={{ epoche_time.stdout }}'
|
||||
register: purge_command
|
||||
|
||||
- name: Print output of purge command
|
||||
debug:
|
||||
msg: "{{ purge_command.stdout }}"
|
||||
|
||||
- name: Pause for 5 seconds to let Synapse breathe
|
||||
pause:
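Review bot: the new curl URL `'{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/media/...'` has no scheme; write `http://` explicitly rather than relying on curl's guess. The `[1:-1]` slice on `janitors_token.stdout` exists only to strip the quotes that `jq '.access_token'` prints; use `jq -r` where the token is collected and the slicing goes away. Note also that the admin token now travels over plain HTTP to the container instead of the public HTTPS endpoint; that is acceptable on the Docker network, but a comment saying so will stop someone later pointing the same command at a remote address.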
@ -21,6 +21,10 @@
shell: |
|
||||
curl -XPOST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ matrix_awx_janitor_user_password }}"}' "https://matrix.{{ matrix_domain }}/_matrix/client/r0/login" | jq '.access_token'
|
||||
register: janitors_token
|
||||
|
||||
- name: Collect the internal IP of the matrix-synapse container
|
||||
shell: "/usr/bin/docker inspect --format '{''{range.NetworkSettings.Networks}''}{''{.IPAddress}''}{''{end}''}' matrix-synapse"
|
||||
register: synapse_container_ip
|
||||
|
||||
- name: Generate list of dates to purge to
|
||||
delegate_to: 127.0.0.1
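Review bot: the `docker inspect` task itself is fine, but the login task just above it passes the janitor password inside the curl command line (`-d '{... "password":"{{ matrix_awx_janitor_user_password }}"}'`), which is visible to other local processes while curl runs and to Ansible's output under `-v`; feed the JSON body from stdin (`-d @-`) and mark the task `no_log: true`. Using `jq -r '.access_token'` here also removes the need for the `[1:-1]` trick in the purge tasks.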
@ -6,7 +6,12 @@
- name: Purge local media to specific date
|
||||
shell: |
|
||||
curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout }}" 'https://matrix.{{ matrix_domain }}/_synapse/admin/v1/purge_media_cache?before_ts={{ epoche_time.stdout }}'
|
||||
curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_media_cache?before_ts={{ epoche_time.stdout }}'
|
||||
register: purge_command
|
||||
|
||||
- name: Print output of purge command
|
||||
debug:
|
||||
msg: "{{ purge_command.stdout }}"
|
||||
|
||||
- name: Pause for 5 seconds to let Synapse breathe
|
||||
pause:
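Review bot: same two points as the local-media purge task: add an explicit `http://` scheme in front of `{{ synapse_container_ip.stdout }}:8008`, and prefer `jq -r` at the source over the `[1:-1]` slice on `janitors_token.stdout`.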
8
roles/matrix-awx/tasks/rename_variables.yml
Normal file
@ -0,0 +1,8 @@
- name: Rename synapse presence variable
|
||||
delegate_to: 127.0.0.1
|
||||
replace:
|
||||
path: "/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml"
|
||||
regexp: 'matrix_synapse_use_presence'
|
||||
replace: 'matrix_synapse_presence_enabled'
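Review bot: `regexp: 'matrix_synapse_use_presence'` is an unanchored substring, so any key that merely starts with that name would be rewritten too; anchor it (`'\bmatrix_synapse_use_presence\b'`) so only the exact variable is renamed. The task also has no guard for the file being absent, and this same commit removes the `fetch` that used to put `matrix_vars.yml` at this path.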
@ -4,9 +4,11 @@
file: '{{ awx_cached_matrix_vars }}'
|
||||
no_log: True
|
||||
|
||||
- name: Install jq on remote machine
|
||||
- name: Install jq and curl on remote machine
|
||||
apt:
|
||||
name: jq
|
||||
name:
|
||||
- jq
|
||||
- curl
|
||||
state: present
|
||||
|
||||
- name: Collect access token of Dimension user
@ -21,7 +21,7 @@
'matrix_synapse_enable_registration': '{{ matrix_synapse_enable_registration }}'
|
||||
'matrix_synapse_federation_enabled': '{{ matrix_synapse_federation_enabled }}'
|
||||
'matrix_synapse_enable_group_creation': '{{ matrix_synapse_enable_group_creation }}'
|
||||
'matrix_synapse_use_presence': '{{ matrix_synapse_use_presence }}'
|
||||
'matrix_synapse_presence_enabled': '{{ matrix_synapse_presence_enabled }}'
|
||||
'matrix_synapse_max_upload_size_mb': '{{ matrix_synapse_max_upload_size_mb }}'
|
||||
'matrix_synapse_url_preview_enabled': '{{ matrix_synapse_url_preview_enabled }}'
|
||||
'matrix_synapse_allow_guest_access': '{{ matrix_synapse_allow_guest_access }}'
@ -3,7 +3,7 @@
matrix_sms_bridge_enabled: true
|
||||
|
||||
matrix_sms_bridge_version: 0.5.5
|
||||
matrix_sms_bridge_version: 0.5.7
|
||||
matrix_sms_bridge_docker_image: "{{ matrix_container_global_registry_prefix }}folivonet/matrix-sms-bridge:{{ matrix_sms_bridge_version }}"
|
||||
|
||||
matrix_sms_bridge_base_path: "{{ matrix_base_data_path }}/matrix-sms-bridge"
@ -3,7 +3,7 @@ matrix_client_element_enabled: true
matrix_client_element_container_image_self_build: false
|
||||
matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git"
|
||||
|
||||
matrix_client_element_version: v1.7.25
|
||||
matrix_client_element_version: v1.7.26
|
||||
matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
|
||||
matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
|
||||
matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"
@ -35,3 +35,18 @@
with_dict:
|
||||
'matrix_awx_dimension_user_created': 'true'
|
||||
when: not matrix_awx_dimension_user_created|bool
|
||||
|
||||
- name: Ensure /chroot/website location has correct permissions
|
||||
file:
|
||||
path: /chroot/website
|
||||
state: directory
|
||||
owner: matrix
|
||||
group: matrix
|
||||
mode: '0574'
|
||||
when: customise_base_domain_website is defined
|
||||
|
||||
- name: Ensure erroneous /chroot/website/matrix-domain location doesn't exist
|
||||
file:
|
||||
path: /chroot/website/matrix-domain
|
||||
state: absent
|
||||
when: customise_base_domain_website is defined
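Review bot: `mode: '0574'` on `/chroot/website` gives the owner (`matrix`) only r-x, the group rwx and everyone else read; if the intent is to let the `sftp` user write through its `matrix` group membership while nginx reads as `matrix`, `0570` (or `0770`) expresses that without making the listing world-readable, and the unusual owner-weaker-than-group layout deserves a comment so it is not "fixed" by the next reader.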
@ -1,10 +1,12 @@
matrix_coturn_enabled: true
|
||||
|
||||
matrix_coturn_container_image_self_build: false
|
||||
matrix_coturn_container_image_self_build_repo: "https://github.com/instrumentisto/coturn-docker-image.git"
|
||||
matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn"
|
||||
matrix_coturn_container_image_self_build_repo_version: "upstream/{{ matrix_coturn_version }}"
|
||||
matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"
|
||||
|
||||
matrix_coturn_version: 4.5.2
|
||||
matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:{{ matrix_coturn_version }}"
|
||||
matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine"
|
||||
matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}"
|
||||
matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"
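Review bot: moving to the upstream `coturn/coturn` image and pinning the self-build checkout to `upstream/{{ matrix_coturn_version }}` is a sound supply-chain change, but the image reference now ends in `-alpine` and the repository changes from `instrumentisto/coturn-docker-image` to `coturn/coturn`; anyone overriding `matrix_coturn_docker_image` or `matrix_coturn_container_image_self_build_repo` in their `vars.yml` keeps the old values, so call the switch out in the changelog.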
|
||||
@ -30,7 +30,7 @@
git:
|
||||
repo: "{{ matrix_coturn_container_image_self_build_repo }}"
|
||||
dest: "{{ matrix_coturn_docker_src_files_path }}"
|
||||
version: "{{ matrix_coturn_docker_image.split(':')[1] }}"
|
||||
version: "{{ matrix_coturn_container_image_self_build_repo_version }}"
|
||||
force: "yes"
|
||||
register: matrix_coturn_git_pull_results
@ -40,7 +40,7 @@
source: build
|
||||
force_source: "{{ matrix_coturn_git_pull_results.changed }}"
|
||||
build:
|
||||
dockerfile: Dockerfile
|
||||
dockerfile: "{{ matrix_coturn_container_image_self_build_repo_dockerfile_path }}"
|
||||
path: "{{ matrix_coturn_docker_src_files_path }}"
|
||||
pull: yes
|
||||
when: "matrix_coturn_container_image_self_build|bool"
@ -17,6 +17,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-coturn \
--log-driver=none \
|
||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||
--cap-drop=ALL \
|
||||
--cap-add=NET_BIND_SERVICE \
|
||||
--entrypoint=turnserver \
|
||||
--read-only \
|
||||
--tmpfs=/var/tmp:rw,noexec,nosuid,size=100m \
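Review bot: `--entrypoint=turnserver` bypasses whatever the image's own entrypoint script does before starting the daemon; together with `--cap-drop=ALL --cap-add=NET_BIND_SERVICE`, `--read-only` and a fixed `--user` that is the right direction, but confirm that every argument turnserver needs (config path, listening addresses) is passed explicitly further down the `ExecStart`, since nothing from the image's default entrypoint applies any more.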
@ -3,7 +3,7 @@
matrix_grafana_enabled: false
|
||||
|
||||
matrix_grafana_version: 7.5.2
|
||||
matrix_grafana_version: 7.5.4
|
||||
matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}"
|
||||
matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}"
@ -31,6 +31,12 @@ matrix_grafana_anonymous_access_org_name: 'Main Org.'
matrix_grafana_default_admin_user: admin
|
||||
matrix_grafana_default_admin_password: admin
|
||||
|
||||
# Set to true to add the Content-Security-Policy header to your requests.
|
||||
# CSP allows to control resources that the user agent can load and helps
|
||||
# prevent XSS attacks.
|
||||
# [Content Security Policy](https://grafana.com/docs/grafana/latest/administration/configuration/#content_security_policy)
|
||||
matrix_grafana_content_security_policy: true
|
||||
|
||||
# A list of extra arguments to pass to the container
|
||||
matrix_grafana_container_extra_arguments: []
|
||||
|
||||
|
|
|
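Review bot: the comment on `matrix_grafana_content_security_policy` says the header is added "to your requests"; Content-Security-Policy is a response header that Grafana sends to browsers, so say "responses" ("CSP allows to control" should also read "CSP lets you control"). Since the default is `true`, existing deployments change behaviour on upgrade; note in the comment (and CHANGELOG) that panels or plugins relying on inline scripts may need Grafana's `content_security_policy_template` adjusted rather than switching the whole policy off.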
@ -5,6 +5,9 @@ admin_user = "{{ matrix_grafana_default_admin_user }}"
# default admin password, can be changed before first start of grafana, or in profile settings
admin_password = """{{ matrix_grafana_default_admin_password }}"""

# specify content_security_policy to add the Content-Security-Policy header to your requests
content_security_policy = "{{ matrix_grafana_content_security_policy }}"

[auth.anonymous]
# enable anonymous access
enabled = {{ matrix_grafana_anonymous_access }}

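Review bot: `content_security_policy = "{{ matrix_grafana_content_security_policy }}"` renders the Ansible boolean as the quoted string `"True"`; Grafana's ini parser happens to accept that spelling, but it breaks if someone sets the variable to a string such as `'yes'`. Render it explicitly, e.g. `content_security_policy = {{ matrix_grafana_content_security_policy|to_json }}`, which yields `true`/`false` and matches how `enabled = {{ matrix_grafana_anonymous_access }}` is written a few lines below. The comment has the same "requests" vs. "responses" slip as the defaults file.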
@ -269,6 +269,16 @@ matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to the base domain server configuration (matrix-base-domain.conf).
matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []

# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses for all vhosts meant to be accessed by users.
#
# Learn more about what it is here:
# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
# - https://amifloced.org/
#
# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
matrix_nginx_proxy_floc_optout_enabled: true

# Specifies the SSL configuration that should be used for the SSL protocols and ciphers
# This is based on the Mozilla Server Side TLS Recommended configurations.
#

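Review bot: the comment above `matrix_nginx_proxy_floc_optout_enabled` quotes the header as `"Permissions-Policy interest-cohort=();"` with a trailing semicolon, while the templates emit `interest-cohort=()`; align the comment with what is actually sent. The closing sentence about switching browsers is editorial and out of place in a defaults file; drop it or move it to the docs. Because this defaults to `true`, every user-facing vhost gains the header on upgrade, which is fine for an opt-out but deserves a CHANGELOG line.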
@ -5,6 +5,11 @@

gzip on;
gzip_types text/plain application/json;

{% if matrix_nginx_proxy_floc_optout_enabled %}
add_header Permissions-Policy interest-cohort=() always;
{% endif %}

{% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %}
{{- configuration_block }}
{% endfor %}

@ -3,8 +3,10 @@
{% macro render_vhost_directives() %}
gzip on;
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;

{% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %}
{{- configuration_block }}
{% endfor %}

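Review bot: this vhost gains HSTS and `X-Content-Type-Options` but not the `matrix_nginx_proxy_floc_optout_enabled` block that every other vhost template in this commit receives; if that is deliberate because the go-neb endpoint is not browsed by users, a one-line comment saves the next reader the question. Also `add_header X-Content-Type-Options nosniff;` lacks `always`, so unlike the HSTS line it is omitted on 4xx/5xx responses.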
@ -3,9 +3,14 @@
{% macro render_vhost_directives() %}
gzip on;
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
{% if matrix_nginx_proxy_floc_optout_enabled %}
add_header Permissions-Policy interest-cohort=() always;
{% endif %}

{% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %}
{{- configuration_block }}
{% endfor %}

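Review bot: `add_header X-Content-Type-Options nosniff;` and `add_header X-Frame-Options SAMEORIGIN;` are missing the `always` parameter that the HSTS and Permissions-Policy lines carry; without it nginx adds the header only to 200/201/204/206/30x responses, so error pages of the web client are served without clickjacking and sniffing protection. Add `always` to all four so the vhost is consistent.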
@ -3,8 +3,13 @@
{% macro render_vhost_directives() %}
gzip on;
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
{% if matrix_nginx_proxy_floc_optout_enabled %}
add_header Permissions-Policy interest-cohort=() always;
{% endif %}

{% for configuration_block in matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks %}
{{- configuration_block }}
{% endfor %}
@ -17,6 +17,10 @@
gzip on;
gzip_types text/plain application/json;

{% if matrix_nginx_proxy_floc_optout_enabled %}
add_header Permissions-Policy interest-cohort=() always;
{% endif %}

location /.well-known/matrix {
root {{ matrix_static_files_base_path }};
{#
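Review bot: the `add_header Permissions-Policy ...` line sits at `server` level, but the `location /.well-known/matrix { ... }` block that follows will not inherit it if it declares any `add_header` of its own (nginx inherits `add_header` from the enclosing level only when the current level defines none). Either repeat the header inside such locations or move the shared headers into an include used by every location, otherwise the opt-out applies to some paths of the same vhost and not others.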
@ -3,9 +3,19 @@
{% macro render_vhost_directives() %}
gzip on;
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# duplicate X-Content-Type-Options & X-Frame-Options header
# Enabled by grafana by default
# add_header X-Content-Type-Options nosniff;
# add_header X-Frame-Options SAMEORIGIN;
add_header Referrer-Policy "strict-origin-when-cross-origin";
{% if matrix_nginx_proxy_floc_optout_enabled %}
add_header Permissions-Policy interest-cohort=() always;
{% endif %}

proxy_cookie_path / "/; HTTPOnly; Secure";

{% for configuration_block in matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks %}
{{- configuration_block }}
{% endfor %}

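Review bot: adding `preload` to HSTS on the Grafana vhost alone is misleading: preload lists only consider the directive served on the registrable domain, and together with `includeSubDomains` it expresses an intent to commit the whole domain, which cannot be undone quickly; keep this subdomain consistent with the other vhosts (`max-age=31536000; includeSubDomains`) and make preload a deliberate, documented choice at the base domain. Commenting out `X-Content-Type-Options`/`X-Frame-Options` because Grafana sets them is right in spirit (nginx `add_header` does not replace upstream headers, so both copies were previously sent), but it now relies on Grafana's defaults with no backstop here. Minor: `Referrer-Policy` lacks `always`, and the conventional spelling in `proxy_cookie_path` is `HttpOnly` (attribute names are case-insensitive, so it still works).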
@ -3,8 +3,13 @@
{% macro render_vhost_directives() %}
gzip on;
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
{% if matrix_nginx_proxy_floc_optout_enabled %}
add_header Permissions-Policy interest-cohort=() always;
{% endif %}

{% for configuration_block in matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks %}
{{- configuration_block }}
{% endfor %}
@ -1,6 +1,10 @@
#jinja2: lstrip_blocks: "True"

{% macro render_vhost_directives() %}
{% if matrix_nginx_proxy_floc_optout_enabled %}
add_header Permissions-Policy interest-cohort=() always;
{% endif %}

{% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %}
{{- configuration_block }}
{% endfor %}
@ -3,9 +3,11 @@
{% macro render_vhost_directives() %}
gzip on;
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;

{% for configuration_block in matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks %}
{{- configuration_block }}
{% endfor %}
@ -11,7 +11,7 @@
upstream generic_worker_upstream {
# ensures that requests from the same client will always be passed
# to the same server (except when this server is unavailable)
ip_hash;
hash $http_x_forwarded_for;

{% for worker in generic_workers %}
{% if matrix_nginx_proxy_enabled %}

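Review bot: replacing `ip_hash;` with `hash $http_x_forwarded_for;` ties worker affinity to a client-supplied header. Any request without the header hashes to the same worker as every other header-less request, and a client that passes through no proxy of ours can choose its worker by setting the header; use it only when it is stamped by this playbook's own reverse proxy (for example, hash on a `map` that falls back to `$remote_addr`), and consider the `consistent` parameter so that adding or removing a worker does not reshuffle every existing session. The comment above still describes `ip_hash` and should be reworded.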
@ -48,6 +48,8 @@ http {

keepalive_timeout 65;

server_tokens off;

#gzip on;
{# Map directive needed for proxied WebSocket upgrades #}
map $http_upgrade $connection_upgrade {

@ -3,7 +3,7 @@

matrix_prometheus_node_exporter_enabled: false

matrix_prometheus_node_exporter_version: v1.1.0
matrix_prometheus_node_exporter_version: v1.1.2
matrix_prometheus_node_exporter_docker_image: "{{ matrix_container_global_registry_prefix }}prom/node-exporter:{{ matrix_prometheus_node_exporter_version }}"
matrix_prometheus_node_exporter_docker_image_force_pull: "{{ matrix_prometheus_node_exporter_docker_image.endswith(':latest') }}"

@ -18,5 +18,17 @@ matrix_prometheus_node_exporter_systemd_wanted_services_list: []

# Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9100 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9100"), or empty string to not expose.
# Takes an "<ip>:<port>" value (e.g. "127.0.0.1:9100"), or empty string to not expose.
#
# Official recommendations are to run this container with `--net=host`,
# but we don't do that, since it:
# - likely exposes the metrics web server way too publicly (before applying https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1008)
# - or listens on a loopback interface only (--net=host and 127.0.0.1:9100), which is not reachable from another container (like `matrix-prometheus`)
#
# Using `--net=host` and binding to Docker's `matrix` bridge network may be a solution to both,
# but that's trickier to accomplish and won't necessarily work (hasn't been tested).
#
# Not using `--net=host` means that our network statistic reports are likely broken (inaccurate),
# because node-exporter can't see all interfaces, etc.
# For now, we'll live with that, until someone develops a better solution.
matrix_prometheus_node_exporter_container_http_host_bind_port: ''

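Review bot: the comment now states that only an `"<ip>:<port>"` value is accepted, but the systemd template still renders `-p {{ matrix_prometheus_node_exporter_container_http_host_bind_port }}:9100` unconditionally, so a bare `"9100"` keeps working and binds on all interfaces, exposing host metrics to the network; either validate the value (fail when it contains no colon) or keep the old `or "<port>"` wording with a warning. The first comment line also says "matrix-prometheus container" where this file is about node-exporter, and the "(before applying .../pull/1008)" aside is history that will confuse readers once that PR is merged; describe the current behaviour instead.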
@ -22,13 +22,13 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--read-only \
{% if matrix_prometheus_node_exporter_container_http_host_bind_port %}
-p {{ matrix_prometheus_node_exporter_container_http_host_bind_port }}:9100 \
{% endif %}
{% for arg in matrix_prometheus_node_exporter_container_extra_arguments %}
{{ arg }} \
{% endfor %}
--net=host \
--network={{ matrix_docker_network }} \
{% if matrix_prometheus_node_exporter_container_http_host_bind_port %}
-p {{ matrix_prometheus_node_exporter_container_http_host_bind_port }}:9100 \
{% endif %}
--pid=host \
--mount type=bind,src=/,dst=/host,ro,bind-propagation=rslave \
{{ matrix_prometheus_node_exporter_docker_image }} \
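Review bot: switching from `--net=host` to `--network={{ matrix_docker_network }}` is what lets `--cap-drop=ALL`, `--read-only` and the non-root `--user` act as a real sandbox, so the change is sound, but the trade-off the defaults comment admits (network metrics now cover only the container's own interface) should also be stated in the service's docs. The 13/13 hunk count suggests the `-p` block was only moved below `--network`; `docker run` does not care about option order, so the move is cosmetic, and it is worth confirming in the rendered unit that exactly one `-p` block remains.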
@ -3,7 +3,7 @@

matrix_prometheus_enabled: false

matrix_prometheus_version: v2.24.1
matrix_prometheus_version: v2.26.0
matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}"
matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}"

@ -64,4 +64,3 @@ matrix_prometheus_configuration_extension: "{{ matrix_prometheus_configuration_e
# Holds the final configuration (a combination of the default and its extension).
# You most likely don't need to touch this variable. Instead, see `matrix_prometheus_configuration_yaml`.
matrix_prometheus_configuration: "{{ matrix_prometheus_configuration_yaml|from_yaml|combine(matrix_prometheus_configuration_extension, recursive=True) }}"

@ -19,22 +19,6 @@
- "{{ matrix_prometheus_config_path }}"
- "{{ matrix_prometheus_data_path }}"

- block:
# Well, this actually creates the network if it doesn't exist, but..
# The network should have been created by `matrix-base` already.
# We don't rely on that other call and its result, because it runs
# on `--tags=setup-all`, but will get skipped during `--tags=setup-prometheus`.
- name: Fetch Matrix Docker network details
docker_network:
name: "{{ matrix_docker_network }}"
driver: bridge
register: matrix_docker_network_info

- set_fact:
matrix_prometheus_scraper_node_targets: ["{{ matrix_docker_network_info.network.IPAM.Config[0].Gateway }}:9100"]
when: "matrix_prometheus_scraper_node_enabled|bool and matrix_prometheus_scraper_node_targets|length == 0"


- name: Download synapse-v2.rules
get_url:
url: "{{ matrix_prometheus_scraper_synapse_rules_download_url }}"

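Review bot: dropping the `docker_network` lookup and the `set_fact` that derived `matrix_prometheus_scraper_node_targets` from the bridge gateway is the right call (the task had the side effect of creating the network, and the gateway address only reached node-exporter while it ran with `--net=host`), but nothing in this hunk supplies the replacement default. Confirm that `matrix_prometheus_scraper_node_targets` now defaults to the node-exporter container's name on the `matrix` network, otherwise node scraping silently stops for existing deployments that relied on the empty-list autodetection.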
@ -8,7 +8,7 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech

matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src"

matrix_synapse_admin_version: 0.7.0
matrix_synapse_admin_version: 0.7.2
matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}"
matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}"
matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}"
@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
# amd64 gets released first.
# arm32 relies on self-building, so the same version can be built immediately.
# arm64 users need to wait for a prebuilt image to become available.
matrix_synapse_version: v1.31.0
matrix_synapse_version_arm64: v1.31.0
matrix_synapse_version: v1.32.2
matrix_synapse_version_arm64: v1.32.2
matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"

@ -170,7 +170,7 @@ matrix_synapse_report_stats: false
# Controls whether the Matrix server will track presence status (online, offline, unavailable) for users.
# If users participate in large rooms with many other servers,
# disabling this will decrease server load significantly.
matrix_synapse_use_presence: true
matrix_synapse_presence_enabled: true

# Controls whether accessing the server's public rooms directory can be done without authentication.
# For private servers, you most likely wish to require authentication,
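Review bot: renaming `matrix_synapse_use_presence` to `matrix_synapse_presence_enabled` is a breaking change for anyone who set the old variable; the deprecation catch in the `matrix-synapse` tasks covers the playbook variable, but the docs and CHANGELOG that mention `matrix_synapse_use_presence` need the same rename in this commit.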
@ -47,6 +47,7 @@
- {'old': 'matrix_synapse_container_expose_metrics_port', 'new': '<superseded by matrix_synapse_container_metrics_api_host_bind_port>'}
- {'old': 'matrix_synapse_cache_factor', 'new': 'matrix_synapse_caches_global_factor'}
- {'old': 'matrix_synapse_trusted_third_party_id_servers', 'new': '<deprecated in Synapse v0.99.4 and removed in Synapse v1.19.0>'}
- {'old': 'matrix_synapse_use_presence', 'new': 'matrix_synapse_presence_enabled'}

- name: (Deprecation) Catch and report renamed settings in matrix_synapse_configuration_extension_yaml
fail:
@ -58,9 +58,28 @@ public_baseurl: https://{{ matrix_server_fqn_matrix }}/
#
#soft_file_limit: 0

# Set to false to disable presence tracking on this homeserver.
# Presence tracking allows users to see the state (e.g online/offline)
# of other local and remote users.
#
use_presence: {{ matrix_synapse_use_presence|to_json }}
presence:
# Uncomment to disable presence tracking on this homeserver. This option
# replaces the previous top-level 'use_presence' option.
#
enabled: {{ matrix_synapse_presence_enabled|to_json }}

# Presence routers are third-party modules that can specify additional logic
# to where presence updates from users are routed.
#
presence_router:
# The custom module's class. Uncomment to use a custom presence router module.
#
#module: "my_custom_router.PresenceRouter"

# Configuration options of the custom module. Refer to your module's
# documentation for available options.
#
#config:
# example_option: 'something'

# Whether to require authentication to retrieve profile data (avatars,
# display names) of other users through the client API. Defaults to

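Review bot: the upstream comment "Uncomment to disable presence tracking on this homeserver" is wrong in this template, because `enabled:` is always rendered from `matrix_synapse_presence_enabled`; reword it to point at the playbook variable. Also, `presence.enabled` is only understood by Synapse releases that know the new `presence:` section (this commit bumps `matrix_synapse_version` accordingly); a deployment that pins an older version will have the key ignored and presence stays on even with `matrix_synapse_presence_enabled: false`, since the top-level `use_presence` is no longer rendered. Consider rendering both keys for a release or two, or asserting on the Synapse version.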
@ -1252,9 +1271,9 @@ registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_json
#
#allowed_local_3pids:
# - medium: email
# pattern: '.*@matrix\.org'
# pattern: '^[^@]+@matrix\.org$'
# - medium: email
# pattern: '.*@vector\.im'
# pattern: '^[^@]+@vector\.im$'
# - medium: msisdn
# pattern: '\+44'
{% if matrix_synapse_allowed_local_3pids|length > 0 %}

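Review bot: the example patterns move from `.*@matrix\.org` to `^[^@]+@matrix\.org$`, which is the right fix (Synapse matches these with a prefix match, so the unanchored form also accepted addresses whose domain merely begins with `matrix.org`), but the same applies to whatever operators place in `matrix_synapse_allowed_local_3pids`, which the `{% if matrix_synapse_allowed_local_3pids|length > 0 %}` branch renders verbatim; add a sentence to that variable's documentation saying patterns must be anchored with `^` and `$`.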
@ -1467,14 +1486,31 @@ report_stats: {{ matrix_synapse_report_stats|to_json }}

## API Configuration ##

# A list of event types that will be included in the room_invite_state
# Controls for the state that is shared with users who receive an invite
# to a room
#
#room_invite_state_types:
# - "m.room.join_rules"
# - "m.room.canonical_alias"
# - "m.room.avatar"
# - "m.room.encryption"
# - "m.room.name"
room_prejoin_state:
# By default, the following state event types are shared with users who
# receive invites to the room:
#
# - m.room.join_rules
# - m.room.canonical_alias
# - m.room.avatar
# - m.room.encryption
# - m.room.name
#
# Uncomment the following to disable these defaults (so that only the event
# types listed in 'additional_event_types' are shared). Defaults to 'false'.
#
#disable_default_event_types: true

# Additional state event types to share with users when they are invited
# to a room.
#
# By default, this list is empty (so only the default event types are shared).
#
#additional_event_types:
# - org.example.custom.event.type


# A list of application service config files to use
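Review bot: `room_invite_state_types` is replaced by the `room_prejoin_state` section (`disable_default_event_types` / `additional_event_types`); since the whole block is commented out there is no rendered behaviour change, but an operator who set `room_invite_state_types` through `matrix_synapse_configuration_extension_yaml` will keep a key that upstream has deprecated. Add the old key to the renamed-settings list in the `matrix-synapse` tasks, as this commit does for `use_presence`, so the change is reported rather than silently ignored later.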
@ -6,7 +6,6 @@ matrix_synapse_federation_api_url_endpoint_public: "https://{{ matrix_server_fqn
# Tells whether this role had executed or not. Toggled to `true` during runtime.
matrix_synapse_role_executed: false

matrix_synapse_media_store_parent_path: "{{ matrix_synapse_media_store_path|dirname }}"
matrix_synapse_media_store_directory_name: "{{ matrix_synapse_media_store_path|basename }}"

# A Synapse generic worker can handle both federation and client-server API endpoints.