pub-solar/matrix-docker-ansible-deploy
5
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Merge branch 'master' into pub.solar

Browse source
This commit is contained in:
teutat3s 2022-07-05 23:54:24 +02:00
parent 2925553b8f e074f9d4ed
commit c19ba7008d
Signed by: teutat3s
GPG key ID: 18DAE600A6BBE705
55 changed files with 603 additions and 64 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
CHANGELOG.md
View file

@ -1,3 +1,12 @@
# 2022-07-05
## Ntfy push notifications support
Thanks to [Julian Foad](https://matrix.to/#/@julian:foad.me.uk), the playbook can now install a [ntfy](https://ntfy.sh/) push notifications server for you.
See our [Setting up the ntfy push notifications server](docs/configuring-playbook-ntfy.md) documentation to get started.
# 2022-06-23
## (Potential Backward Compatibility Break) Changes around metrics collection
@ -26,7 +35,7 @@
3. If Synapse metrics are exposed, they will be made available at `https://matrix.DOMAIN/metrics/synapse/main-process` or `https://matrix.DOMAIN/metrics/synapse/worker/TYPE-ID` (when workers are enabled), not at `https://matrix.DOMAIN/_synapse/metrics` and `https://matrix.DOMAIN/_synapse-worker-.../metrics`
4. The playbook still generates an `external_prometheus.yml.example` sample file for scraping Synapse from Prometheus as described in [Collecting Synapse worker metrics to an external Prometheus server](docs/configuring-playbook-prometheus-grafana.md#collecting-synapse-worker-metrics-to-an-external-prometheus-server), but it's now saved under `/matrix/synapse` (not `/matrix`).
**If you where already using a external Prometheus server** before this change, and you gave a hashed version of the password as a variable, the playbook will now take care of hashing the password for you. Thus, you need to provide the non-hashed version now.
**If you where already using a external Prometheus server** before this change, and you gave a hashed version of the password as a variable, the playbook will now take care of hashing the password for you. Thus, you need to provide the non-hashed version now.
# 2022-06-13

2
README.md
View file

@ -81,6 +81,8 @@ Using this playbook, you can get the following services configured on your serve
- (optional) the [mx-puppet-skype](https://hub.docker.com/r/sorunome/mx-puppet-skype) for bridging your Matrix server to [Skype](https://www.skype.com) - see [docs/configuring-playbook-bridge-mx-puppet-skype.md](docs/configuring-playbook-bridge-mx-puppet-skype.md) for setup documentation
- (optional) the [go-skype-bridge](https://github.com/kelaresg/go-skype-bridge) for bridging your Matrix server to [Skype](https://www.skype.com) - see [docs/configuring-playbook-bridge-go-skype-bridge.md](docs/configuring-playbook-bridge-go-skype-bridge.md) for setup documentation
- (optional) the [mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-slack) for bridging your Matrix server to [Slack](https://slack.com) - see [docs/configuring-playbook-bridge-mx-puppet-slack.md](docs/configuring-playbook-bridge-mx-puppet-slack.md) for setup documentation
- (optional) the [mx-puppet-instagram](https://github.com/Sorunome/mx-puppet-instagram) bridge for Instagram-DMs ([Instagram](https://www.instagram.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-instagram.md](docs/configuring-playbook-bridge-mx-puppet-instagram.md) for setup documentation

3
docs/configuring-dns.md
View file

@ -36,6 +36,7 @@ If you are using Cloudflare DNS, make sure to disable the proxy and set all reco
| CNAME | `stats` | - | - | - | `matrix.<your-domain>` |
| CNAME | `goneb` | - | - | - | `matrix.<your-domain>` |
| CNAME | `sygnal` | - | - | - | `matrix.<your-domain>` |
| CNAME | `ntfy` | - | - | - | `matrix.<your-domain>` |
| CNAME | `hydrogen` | - | - | - | `matrix.<your-domain>` |
| CNAME | `cinny` | - | - | - | `matrix.<your-domain>` |
| CNAME | `buscarron` | - | - | - | `matrix.<your-domain>` |
@ -57,6 +58,8 @@ The `goneb.<your-domain>` subdomain may be necessary, because this playbook coul
The `sygnal.<your-domain>` subdomain may be necessary, because this playbook could install the [Sygnal](https://github.com/matrix-org/sygnal) push gateway. The installation of Sygnal is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Sygnal guide](configuring-playbook-sygnal.md). If you do not wish to set up Sygnal (you probably don't, unless you're also developing/building your own Matrix apps), feel free to skip the `sygnal.<your-domain>` DNS record.
The `ntfy.<your-domain>` subdomain may be necessary, because this playbook could install the [ntfy](https://ntfy.sh/) UnifiedPush-compatible push notifications server. The installation of ntfy is disabled by default, it is not a core required component. To learn how to install it, see our [configuring ntfy guide](configuring-playbook-ntfy.md). If you do not wish to set up ntfy, feel free to skip the `ntfy.<your-domain>` DNS record.
The `hydrogen.<your-domain>` subdomain may be necessary, because this playbook could install the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client. The installation of Hydrogen is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Hydrogen guide](configuring-playbook-client-hydrogen.md). If you do not wish to set up Hydrogen, feel free to skip the `hydrogen.<your-domain>` DNS record.
The `cinny.<your-domain>` subdomain may be necessary, because this playbook could install the [Cinny](https://github.com/ajbura/cinny) web client. The installation of cinny is disabled by default, it is not a core required component. To learn how to install it, see our [configuring cinny guide](configuring-playbook-client-cinny.md). If you do not wish to set up cinny, feel free to skip the `cinny.<your-domain>` DNS record.

16
docs/configuring-playbook-bridge-mautrix-facebook.md
View file

@ -24,10 +24,22 @@ If you would like to be able to administrate the bridge from your account it can
matrix_mautrix_facebook_configuration_extension_yaml: |
bridge:
permissions:
'@YOUR_USERNAME:YOUR_DOMAIN': admin
'@YOUR_USERNAME:{{ matrix_domain }}': admin
```
You may wish to look at `roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2` to find other things you would like to configure.
Using both would look like
```yaml
matrix_mautrix_facebook_configuration_extension_yaml: |
bridge:
permissions:
'@YOUR_USERNAME:{{ matrix_domain }}': admin
encryption:
allow: true
default: true
```
You may wish to look at `roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2` and `roles/matrix-bridge-mautrix-facebook/defaults/main.yml` to find other things you would like to configure.
## Set up Double Puppeting

26
docs/configuring-playbook-bridge-mautrix-instagram.md
View file

@ -7,6 +7,32 @@ See the project's [documentation](https://docs.mau.fi/bridges/python/instagram/i
```yaml
matrix_mautrix_instagram_enabled: true
```
There are some additional things you may wish to configure about the bridge before you continue.
Encryption support is off by default. If you would like to enable encryption, add the following to your `vars.yml` file:
```yaml
matrix_mautrix_instagram_configuration_extension_yaml: |
bridge:
encryption:
allow: true
default: true
```
If you would like to be able to administrate the bridge from your account it can be configured like this:
```yaml
# The easy way. The specified Matrix user ID will be made an admin of all bridges
matrix_admin: "@YOUR_USERNAME:{{ matrix_domain }}"
# OR:
# The more verbose way. Applies to this bridge only. You may define multiple Matrix users as admins.
matrix_mautrix_instagram_configuration_extension_yaml: |
bridge:
permissions:
'@YOUR_USERNAME:YOUR_DOMAIN': admin
```
You may wish to look at `roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2` and `roles/matrix-bridge-mautrix-instagram/defaults/main.yml` to find other things you would like to configure.
## Usage

63
docs/configuring-playbook-ntfy.md Normal file
View file

@ -0,0 +1,63 @@
# Setting up ntfy (optional)
The playbook can install and configure the [ntfy](https://ntfy.sh/) push notifications server for you.
Using the [UnifiedPush](https://unifiedpush.org) standard, ntfy enables self-hosted (Google-free) push notifications from Matrix (and other) servers to UnifiedPush-compatible matrix compatible client apps running on Android and other devices.
This role is intended to support UnifiedPush notifications for use with the Matrix and Matrix-related services that this playbook installs. This role is not intended to support all of ntfy's other features.
**Note**: In contrast to push notifications using Google's FCM or Apple's APNs, the use of UnifiedPush allows each end-user to choose the push notification server that they prefer. As a consequence, deploying this ntfy server does not by itself ensure any particular user or device or client app will use it.
## Adjusting the playbook configuration
Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs):
```yaml
# Enabling it is the only required setting
matrix_ntfy_enabled: true
# Some other options
matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}"
matrix_ntfy_configuration_extension_yaml: |
log_level: DEBUG
```
For a more complete list of variables that you could override, see `roles/matrix-ntfy/defaults/main.yml`.
For a complete list of ntfy config options that you could put in `matrix_ntfy_configuration_extension_yaml`, see the [ntfy config documentation](https://ntfy.sh/docs/config/#config-options).
## Installing
Don't forget to add `ntfy.<your-domain>` to DNS as described in [Configuring DNS](configuring-dns.md) before running the playbook.
After configuring the playbook, run the [installation](installing.md) command again:
```
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
```
## Usage
To make use of your ntfy installation, on Android for example, first you need to install the `ntfy` client app and configure it to point to your ntfy server, such as `https://ntfy.DOMAIN`. That is the only thing you need to do in the ntfy client app. (It has many other features, but for our purposes you can ignore them.)
Then any UnifiedPush-enabled matrix app on that device will discover it and tell your matrix server to use your ntfy server to send push notifications to that matrix app.
If the matrix app asks, "Choose a distributor: FCM Fallback or ntfy", then choose "ntfy".
If the matrix app doesn't seem to pick it up, try restarting it and try the Troubleshooting section below.
## Troubleshooting
First check that the matrix client app you are using supports UnifiedPush. There may well be different variants of the app.
Set the ntfy server's log level to 'DEBUG', as shown in the example settings above, and watch the server's logs with `sudo journalctl -fu matrix-ntfy`.
To check if UnifiedPush is correctly configured on the client device, look at "Settings -> Notifications -> Notification Targets" in Element-Android or SchildiChat, or "Settings -> Notifications -> Devices" in FluffyChat. There should be one entry for each matrix client app that has enabled push notifications, and when that client is using UnifiedPush you should see a URL that begins with your ntfy server's URL. In Element-Android or SchildiChat, two URLs are shown: "push\_key" and "Url", and both should begin with your ntfy server's URL.
If it is not working, useful tools are "Settings -> Notifications -> Re-register push distributor" and "Settings -> Notifications -> Troubleshoot Notifications" in SchildiChat (possibly also Element-Android). In particular the "Endpoint/FCM" step of that troubleshooter should display your ntfy server's URL that it has discovered from the ntfy client app.
The simple [UnifiedPush troubleshooting](https://unifiedpush.org/users/troubleshooting/) app [UP-Example](https://f-droid.org/en/packages/org.unifiedpush.example/) can be used to manually test UnifiedPush registration and operation on an Android device.

8
docs/configuring-playbook-own-webserver.md
View file

@ -57,6 +57,14 @@ matrix_nginx_proxy_ssl_protocols: "TLSv1.2"
If you are experiencing issues, try updating to a newer version of Nginx. As a data point in May 2021 a user reported that Nginx 1.14.2 was not working for them. They were getting errors about socket leaks. Updating to Nginx 1.19 fixed their issue.
If you are not going to be running your webserver on the same docker network, or the same machine as matrix, these variables can be set to bind synapse to an exposed port. [Keep in mind that there are some security concerns if you simply proxy everything to it](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints)
```yaml
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8048" or "192.168.1.3:80"), or empty string to not expose.
matrix_synapse_container_client_api_host_bind_port: ''
matrix_synapse_container_federation_api_plain_host_bind_port: ''
```
### Using your own external Apache webserver

1
docs/configuring-playbook-ssl-certificates.md
View file

@ -74,6 +74,7 @@ By default, it obtains certificates for:
- possibly for `jitsi.<your-domain>`, if you have explicitly [set up Jitsi](configuring-playbook-jitsi.md).
- possibly for `stats.<your-domain>`, if you have explicitly [set up Grafana](configuring-playbook-prometheus-grafana.md).
- possibly for `sygnal.<your-domain>`, if you have explicitly [set up Sygnal](configuring-playbook-sygnal.md).
- possibly for `ntfy.<your-domain>`, if you have explicitly [set up ntfy](configuring-playbook-ntfy.md).
- possibly for your base domain (`<your-domain>`), if you have explicitly configured [Serving the base domain](configuring-playbook-base-domain-serving.md)
If you are hosting other domains on the Matrix machine, you can make the playbook obtain and renew certificates for those other domains too.

2
docs/configuring-playbook.md
View file

@ -168,3 +168,5 @@ When you're done with all the configuration you'd like to do, continue with [Ins
### Other specialized services
- [Setting up the Sygnal push gateway](configuring-playbook-sygnal.md) (optional)
- [Setting up the ntfy push notifications server](configuring-playbook-ntfy.md) (optional)

5
docs/configuring-well-known.md
View file

@ -168,6 +168,11 @@ backend matrix-backend
/.well-known/matrix/* https://matrix.DOMAIN/.well-known/matrix/:splat 200!
```
**For AWS CloudFront**
1. Add a custom origin with matrix.<your-domain> to your distribution
1. Add two behaviors, one for `.well-known/matrix/client` and one for `.well-known/matrix/server` and point them to your new origin.
Make sure to:
- **replace `DOMAIN`** in the server configuration with your actual domain name

2
docs/container-images.md
View file

@ -109,3 +109,5 @@ These services are not part of our default installation, but can be enabled by [
- [grafana/grafana](https://hub.docker.com/r/grafana/grafana/) - [Grafana](https://github.com/grafana/grafana/) is a graphing tool that works well with the above two images. Our playbook also adds two dashboards for [Synapse](https://github.com/matrix-org/synapse/tree/master/contrib/grafana) and [Node Exporter](https://github.com/rfrail3/grafana-dashboards)
- [matrixdotorg/sygnal](https://hub.docker.com/r/matrixdotorg/sygnal/) - [Sygnal](https://github.com/matrix-org/sygnal) is a reference Push Gateway for Matrix
- [binwiederhier/ntfy](https://hub.docker.com/r/binwiederhier/ntfy/) - [ntfy](https://ntfy.sh/) is a self-hosted, UnifiedPush-compatible push notifications server

21
group_vars/matrix_servers
View file

@ -1552,6 +1552,7 @@ matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}"
matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"
matrix_nginx_proxy_proxy_grafana_enabled: "{{ matrix_grafana_enabled }}"
matrix_nginx_proxy_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled }}"
matrix_nginx_proxy_proxy_ntfy_enabled: "{{ matrix_ntfy_enabled }}"
matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}"
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
@ -1578,7 +1579,7 @@ matrix_nginx_proxy_proxy_synapse_enabled: "{{ matrix_synapse_enabled }}"
matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "matrix-synapse:{{ matrix_synapse_container_client_api_port }}"
matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "127.0.0.1:{{ matrix_synapse_container_client_api_port }}"
matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-synapse:{{matrix_synapse_container_federation_api_plain_port|string}}"
matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:{{matrix_synapse_container_federation_api_plain_port|string}}"
matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "127.0.0.1:{{matrix_synapse_container_federation_api_plain_port|string}}"
matrix_nginx_proxy_proxy_dendrite_enabled: "{{ matrix_dendrite_enabled }}"
matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: "matrix-dendrite:{{ matrix_dendrite_http_bind_port|string }}"
@ -1634,6 +1635,8 @@ matrix_nginx_proxy_systemd_wanted_services_list: |
+
(['matrix-sygnal.service'] if matrix_sygnal_enabled else [])
+
(['matrix-ntfy.service'] if matrix_ntfy_enabled else [])
+
(['matrix-jitsi.service'] if matrix_jitsi_enabled else [])
+
(['matrix-bot-go-neb.service'] if matrix_bot_go_neb_enabled else [])
@ -1667,6 +1670,8 @@ matrix_ssl_domains_to_obtain_certificates_for: |
+
([matrix_server_fqn_sygnal] if matrix_sygnal_enabled else [])
+
([matrix_server_fqn_ntfy] if matrix_ntfy_enabled else [])
+
([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else [])
+
matrix_ssl_additional_domains_to_obtain_certificates_for
@ -1960,6 +1965,20 @@ matrix_sygnal_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enable
#
######################################################################
######################################################################
#
# matrix-ntfy
#
######################################################################
matrix_ntfy_enabled: false
######################################################################
#
# /matrix-ntfy
#
######################################################################
######################################################################
#
# matrix-redis

3
roles/matrix-base/defaults/main.yml
View file

@ -59,6 +59,9 @@ matrix_server_fqn_grafana: "stats.{{ matrix_domain }}"
# This is where you access the Sygnal push gateway.
matrix_server_fqn_sygnal: "sygnal.{{ matrix_domain }}"
# This is where you access the ntfy push notification service.
matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}"
matrix_federation_public_port: 8448
# The architecture that your server runs.

2
roles/matrix-bot-matrix-reminder-bot/defaults/main.yml
View file

@ -17,6 +17,8 @@ matrix_bot_matrix_reminder_bot_config_path: "{{ matrix_bot_matrix_reminder_bot_b
matrix_bot_matrix_reminder_bot_data_path: "{{ matrix_bot_matrix_reminder_bot_base_path }}/data"
matrix_bot_matrix_reminder_bot_data_store_path: "{{ matrix_bot_matrix_reminder_bot_data_path }}/store"
matrix_bot_matrix_reminder_bot_command_prefix: "!"
# A list of extra arguments to pass to the container
matrix_bot_matrix_reminder_bot_container_extra_arguments: []

2
roles/matrix-bot-matrix-reminder-bot/templates/config.yaml.j2
View file

@ -1,5 +1,5 @@
# The string to prefix bot commands with
command_prefix: "!"
command_prefix: "{{ matrix_bot_matrix_reminder_bot_command_prefix }}"
# Options for connecting to the bot's Matrix account
matrix:

2
roles/matrix-bridge-beeper-linkedin/defaults/main.yml
View file

@ -27,6 +27,8 @@ matrix_beeper_linkedin_appservice_address: "http://matrix-beeper-linkedin:29319"
matrix_beeper_linkedin_bridge_presence: true
matrix_beeper_linkedin_command_prefix: "!li"
# A list of extra arguments to pass to the container
matrix_beeper_linkedin_container_extra_arguments: []

2
roles/matrix-bridge-beeper-linkedin/templates/config.yaml.j2
View file

@ -226,7 +226,7 @@ bridge:
# The prefix for commands. Only required in non-management rooms.
command_prefix: "!li"
command_prefix: "{{ matrix_beeper_linkedin_command_prefix }}"
# Permissions for using the bridge.
# Permitted values:

2
roles/matrix-bridge-go-skype-bridge/defaults/main.yml
View file

@ -36,6 +36,8 @@ matrix_go_skype_bridge_homeserver_token: ''
matrix_go_skype_bridge_appservice_bot_username: skypebridgebot
matrix_go_skype_bridge_command_prefix: "!skype"
# Whether or not created rooms should have federation enabled.
# If false, created portal rooms will never be federated.
matrix_go_skype_bridge_federate_rooms: true

2
roles/matrix-bridge-go-skype-bridge/templates/config.yaml.j2
View file

@ -165,7 +165,7 @@ bridge:
allow_user_invite: false
# The prefix for commands. Only required in non-management rooms.
command_prefix: "!wa"
command_prefix: "{{ matrix_go_skype_bridge_command_prefix }}"
# End-to-bridge encryption support options. This requires login_shared_secret to be configured
# in order to get a device for the bridge bot.

5
roles/matrix-bridge-mautrix-facebook/defaults/main.yml
View file

@ -17,6 +17,8 @@ matrix_mautrix_facebook_config_path: "{{ matrix_mautrix_facebook_base_path }}/co
matrix_mautrix_facebook_data_path: "{{ matrix_mautrix_facebook_base_path }}/data"
matrix_mautrix_facebook_docker_src_files_path: "{{ matrix_mautrix_facebook_base_path }}/docker-src"
matrix_mautrix_facebook_command_prefix: "!fb"
# Whether or not the public-facing endpoints should be enabled (web-based login)
matrix_mautrix_facebook_appservice_public_enabled: true
@ -89,6 +91,9 @@ matrix_mautrix_facebook_appservice_bot_username: facebookbot
matrix_mautrix_facebook_bridge_presence: true
# Specifies the default log level for all bridge loggers.
matrix_mautrix_facebook_logging_level: WARNING
# Default configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#

10
roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2
View file

@ -86,7 +86,7 @@ bridge:
- first_name
# The prefix for commands. Only required in non-management rooms.
command_prefix: "!fb"
command_prefix: "{{ matrix_mautrix_facebook_command_prefix }}"
# Number of chats to sync (and create portals for) on startup/login.
# Set 0 to disable automatic syncing.
@ -253,11 +253,11 @@ logging:
formatter: colored
loggers:
mau:
level: WARNING
level: {{ matrix_mautrix_facebook_logging_level|to_json }}
paho:
level: WARNING
level: {{ matrix_mautrix_facebook_logging_level|to_json }}
aiohttp:
level: WARNING
level: {{ matrix_mautrix_facebook_logging_level|to_json }}
root:
level: WARNING
level: {{ matrix_mautrix_facebook_logging_level|to_json }}
handlers: [console]

5
roles/matrix-bridge-mautrix-googlechat/defaults/main.yml
View file

@ -24,6 +24,8 @@ matrix_mautrix_googlechat_homeserver_address: "{{ matrix_homeserver_container_ur
matrix_mautrix_googlechat_homeserver_domain: '{{ matrix_domain }}'
matrix_mautrix_googlechat_appservice_address: 'http://matrix-mautrix-googlechat:8080'
matrix_mautrix_googlechat_command_prefix: "!gc"
# Controls whether the matrix-mautrix-googlechat container exposes its HTTP port (tcp/8080 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9007"), or empty string to not expose.
@ -78,6 +80,9 @@ matrix_mautrix_googlechat_login_shared_secret: ''
matrix_mautrix_googlechat_appservice_bot_username: googlechatbot
# Specifies the default log level for all bridge loggers.
matrix_mautrix_googlechat_logging_level: WARNING
# Default configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#

10
roles/matrix-bridge-mautrix-googlechat/templates/config.yaml.j2
View file

@ -62,7 +62,7 @@ bridge:
- name
# The prefix for commands. Only required in non-management rooms.
command_prefix: "!HO"
command_prefix: "{{ matrix_mautrix_googlechat_command_prefix }}"
# Number of chats to sync (and create portals for) on startup/login.
# Maximum 20, set 0 to disable automatic syncing.
@ -141,11 +141,11 @@ logging:
formatter: colored
loggers:
mau:
level: WARNING
level: {{ matrix_mautrix_googlechat_logging_level|to_json }}
hangups:
level: WARNING
level: {{ matrix_mautrix_googlechat_logging_level|to_json }}
aiohttp:
level: WARNING
level: {{ matrix_mautrix_googlechat_logging_level|to_json }}
root:
level: WARNING
level: {{ matrix_mautrix_googlechat_logging_level|to_json }}
handlers: [console]

5
roles/matrix-bridge-mautrix-hangouts/defaults/main.yml
View file

@ -24,6 +24,8 @@ matrix_mautrix_hangouts_homeserver_address: "{{ matrix_homeserver_container_url
matrix_mautrix_hangouts_homeserver_domain: '{{ matrix_domain }}'
matrix_mautrix_hangouts_appservice_address: 'http://matrix-mautrix-hangouts:8080'
matrix_mautrix_hangouts_command_prefix: "!HO"
# Controls whether the matrix-mautrix-hangouts container exposes its HTTP port (tcp/8080 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9007"), or empty string to not expose.
@ -75,6 +77,9 @@ matrix_mautrix_hangouts_login_shared_secret: ''
matrix_mautrix_hangouts_appservice_bot_username: hangoutsbot
# Specifies the default log level for all bridge loggers.
matrix_mautrix_hangouts_logging_level: WARNING
# Default configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#

10
roles/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2
View file

@ -62,7 +62,7 @@ bridge:
- name
# The prefix for commands. Only required in non-management rooms.
command_prefix: "!HO"
command_prefix: "{{ matrix_mautrix_hangouts_command_prefix }}"
# Number of chats to sync (and create portals for) on startup/login.
# Maximum 20, set 0 to disable automatic syncing.
@ -138,11 +138,11 @@ logging:
formatter: colored
loggers:
mau:
level: WARNING
level: {{ matrix_mautrix_hangouts_logging_level|to_json }}
hangups:
level: WARNING
level: {{ matrix_mautrix_hangouts_logging_level|to_json }}
aiohttp:
level: WARNING
level: {{ matrix_mautrix_hangouts_logging_level|to_json }}
root:
level: WARNING
level: {{ matrix_mautrix_hangouts_logging_level|to_json }}
handlers: [console]

5
roles/matrix-bridge-mautrix-instagram/defaults/main.yml
View file

@ -22,6 +22,8 @@ matrix_mautrix_instagram_homeserver_address: "{{ matrix_homeserver_container_url
matrix_mautrix_instagram_homeserver_domain: '{{ matrix_domain }}'
matrix_mautrix_instagram_appservice_address: 'http://matrix-mautrix-instagram:29330'
matrix_mautrix_instagram_command_prefix: "!ig"
# A list of extra arguments to pass to the container
matrix_mautrix_instagram_container_extra_arguments: []
@ -68,6 +70,9 @@ matrix_mautrix_instagram_appservice_bot_username: instagrambot
matrix_mautrix_instagram_bridge_presence: true
# Specifies the default log level for all bridge loggers.
matrix_mautrix_instagram_logging_level: WARNING
# Default configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#

14
roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2
View file

@ -135,7 +135,7 @@ bridge:
# Whether or not the bridge should backfill chats when reconnecting.
resync: true
# Should even disconnected users be reconnected?
always: false
always: false
# End-to-bridge encryption support options. These require matrix-nio to be installed with pip
# and login_shared_secret to be configured in order to get a device for the bridge bot.
#
@ -176,7 +176,7 @@ bridge:
unimportant_bridge_notices: true
# The prefix for commands. Only required in non-management rooms.
command_prefix: "!ig"
command_prefix: "{{ matrix_mautrix_instagram_command_prefix }}"
# Permissions for using the bridge.
# Permitted values:
# user - Use the bridge with puppeting.
@ -219,13 +219,13 @@ logging:
formatter: colored
loggers:
mau:
level: WARNING
level: {{ matrix_mautrix_instagram_logging_level|to_json }}
mauigpapi:
level: WARNING
level: {{ matrix_mautrix_instagram_logging_level|to_json }}
paho:
level: WARNING
level: {{ matrix_mautrix_instagram_logging_level|to_json }}
aiohttp:
level: WARNING
level: {{ matrix_mautrix_instagram_logging_level|to_json }}
root:
level: WARNING
level: {{ matrix_mautrix_instagram_logging_level|to_json }}
handlers: [console]

8
roles/matrix-bridge-mautrix-signal/defaults/main.yml
View file

@ -30,6 +30,8 @@ matrix_mautrix_signal_homeserver_address: ''
matrix_mautrix_signal_homeserver_domain: ''
matrix_mautrix_signal_appservice_address: 'http://matrix-mautrix-signal:29328'
matrix_mautrix_signal_command_prefix: "!signal"
# Controls whether the matrix-mautrix-signal container exposes its port (tcp/29328 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9006"), or empty string to not expose.
@ -57,6 +59,9 @@ matrix_mautrix_signal_homeserver_token: ''
matrix_mautrix_signal_appservice_bot_username: signalbot
# Specifies the default log level for all bridge loggers.
matrix_mautrix_signal_logging_level: WARNING
# Whether or not created rooms should have federation enabled.
# If false, created portal rooms will never be federated.
matrix_mautrix_signal_federate_rooms: true
@ -99,6 +104,9 @@ matrix_mautrix_signal_relaybot_enabled: false
matrix_mautrix_signal_bridge_permissions: |
'*': relay
'{{ matrix_mautrix_signal_homeserver_domain }}': user
{% if matrix_admin %}
"{{ matrix_admin }}": admin
{% endif %}
# Default configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.

13
roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2
View file

@ -197,7 +197,7 @@ bridge:
shared_secret: generate
# The prefix for commands. Only required in non-management rooms.
command_prefix: "!signal"
command_prefix: "{{ matrix_mautrix_signal_command_prefix }}"
# Messages sent upon joining a management room.
# Markdown is supported. The defaults are listed below.
@ -223,11 +223,8 @@ bridge:
# * - All Matrix users
# domain - All users on that homeserver
# mxid - Specific user
permissions:
permissions:
{{ matrix_mautrix_signal_bridge_permissions|from_yaml }}
{% if matrix_admin %}
"{{ matrix_admin }}": admin
{% endif %}
relay:
# Whether or not relay mode should be allowed. If allowed, `!signal set-relay` can be used to turn any
@ -269,9 +266,9 @@ logging:
formatter: colored
loggers:
mau:
level: WARNING
level: {{ matrix_mautrix_signal_logging_level|to_json }}
aiohttp:
level: WARNING
level: {{ matrix_mautrix_signal_logging_level|to_json }}
root:
level: WARNING
level: {{ matrix_mautrix_signal_logging_level|to_json }}
handlers: [console]

5
roles/matrix-bridge-mautrix-telegram/defaults/main.yml
View file

@ -23,6 +23,8 @@ matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram
matrix_mautrix_telegram_config_path: "{{ matrix_mautrix_telegram_base_path }}/config"
matrix_mautrix_telegram_data_path: "{{ matrix_mautrix_telegram_base_path }}/data"
matrix_mautrix_telegram_command_prefix: "!tg"
# Get your own API keys at https://my.telegram.org/apps
matrix_mautrix_telegram_api_id: ''
matrix_mautrix_telegram_api_hash: ''
@ -43,6 +45,9 @@ matrix_mautrix_telegram_appservice_public_external: 'https://{{ matrix_server_fq
matrix_mautrix_telegram_appservice_bot_username: telegrambot
# Specifies the default log level for all bridge loggers.
matrix_mautrix_telegram_logging_level: WARNING
# Whether or not created rooms should have federation enabled.
# If false, created portal rooms will never be federated.
matrix_mautrix_telegram_federate_rooms: true

10
roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2
View file

@ -276,7 +276,7 @@ bridge:
list: []
# The prefix for commands. Only required in non-management rooms.
command_prefix: "!tg"
command_prefix: "{{ matrix_mautrix_telegram_command_prefix }}"
# Permissions for using the bridge.
# Permitted values:
@ -404,11 +404,11 @@ logging:
formatter: precise
loggers:
mau:
level: WARNING
level: {{ matrix_mautrix_telegram_logging_level|to_json }}
telethon:
level: WARNING
level: {{ matrix_mautrix_telegram_logging_level|to_json }}
aiohttp:
level: WARNING
level: {{ matrix_mautrix_telegram_logging_level|to_json }}
root:
level: WARNING
level: {{ matrix_mautrix_telegram_logging_level|to_json }}
handlers: [console]

5
roles/matrix-bridge-mautrix-twitter/defaults/main.yml
View file

@ -22,6 +22,8 @@ matrix_mautrix_twitter_homeserver_address: "{{ matrix_homeserver_container_url }
matrix_mautrix_twitter_homeserver_domain: '{{ matrix_domain }}'
matrix_mautrix_twitter_appservice_address: 'http://matrix-mautrix-twitter:29327'
matrix_mautrix_twitter_command_prefix: "!tw"
# A list of extra arguments to pass to the container
matrix_mautrix_twitter_container_extra_arguments: []
@ -66,6 +68,9 @@ matrix_mautrix_twitter_bridge_login_shared_secret_map: "{{ {matrix_mautrix_twitt
matrix_mautrix_twitter_appservice_bot_username: twitterbot
# Specifies the default log level for all bridge loggers.
matrix_mautrix_twitter_logging_level: WARNING
# Default configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#

8
roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2
View file

@ -163,7 +163,7 @@ bridge:
resend_bridge_info: false
# The prefix for commands. Only required in non-management rooms.
command_prefix: "!tw"
command_prefix: "{{ matrix_mautrix_twitter_command_prefix }}"
# Permissions for using the bridge.
# Permitted values:
@ -198,9 +198,9 @@ logging:
formatter: colored
loggers:
mau:
level: WARNING
level: {{ matrix_mautrix_twitter_logging_level|to_json }}
aiohttp:
level: WARNING
level: {{ matrix_mautrix_twitter_logging_level|to_json }}
root:
level: WARNING
level: {{ matrix_mautrix_twitter_logging_level|to_json }}
handlers: [console]

2
roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml
View file

@ -23,6 +23,8 @@ matrix_mautrix_whatsapp_homeserver_address: "{{ matrix_homeserver_container_url
matrix_mautrix_whatsapp_homeserver_domain: "{{ matrix_domain }}"
matrix_mautrix_whatsapp_appservice_address: "http://matrix-mautrix-whatsapp:8080"
matrix_mautrix_whatsapp_command_prefix: "!wa"
# A list of extra arguments to pass to the container
matrix_mautrix_whatsapp_container_extra_arguments: []

2
roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2
View file

@ -139,7 +139,7 @@ bridge:
federate_rooms: {{ matrix_mautrix_whatsapp_federate_rooms|to_json }}
# The prefix for commands. Only required in non-management rooms.
command_prefix: "!wa"
command_prefix: "{{ matrix_mautrix_whatsapp_command_prefix }}"
# Messages sent upon joining a management room.
# Markdown is supported. The defaults are listed below.

2
roles/matrix-client-element/defaults/main.yml
View file

@ -9,7 +9,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto
# - https://github.com/vector-im/element-web/issues/19544
matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
matrix_client_element_version: v1.10.15
matrix_client_element_version: v1.11.0
matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"

7
roles/matrix-client-hydrogen/tasks/main.yml
View file

@ -21,3 +21,10 @@
tags:
- setup-all
- setup-client-hydrogen
- import_tasks: "{{ role_path }}/tasks/self_check.yml"
delegate_to: 127.0.0.1
become: false
when: "run_self_check|bool and matrix_client_hydrogen_enabled|bool"
tags:
- self-check

2
roles/matrix-client-hydrogen/tasks/self_check.yml
View file

@ -1,7 +1,7 @@
---
- set_fact:
matrix_client_hydrogen_url_endpoint_public: "https://{{ matrix_server_fqn_hydrogen }}"
matrix_client_hydrogen_url_endpoint_public: "https://{{ matrix_server_fqn_hydrogen }}/config.json"
- name: Check Hydrogen
uri:

10
roles/matrix-dimension/templates/config.yaml.j2
View file

@ -73,13 +73,3 @@ dimension:
# This is where Dimension is accessible from clients. Be sure to set this
# to your own Dimension instance.
publicUrl: "https://{{ matrix_server_fqn_dimension }}"
# Settings for controlling how logging works
logging:
file: /dev/null
console: true
consoleLevel: verbose
fileLevel: info
rotate:
size: 52428800 # bytes, default is 50mb
count: 5

2
roles/matrix-grafana/defaults/main.yml
View file

@ -4,7 +4,7 @@
matrix_grafana_enabled: false
matrix_grafana_version: 9.0.1
matrix_grafana_version: 9.0.2
matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}"
matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}"

2
roles/matrix-jitsi/defaults/main.yml
View file

@ -70,7 +70,7 @@ matrix_jitsi_jibri_recorder_password: ''
matrix_jitsi_enable_lobby: false
matrix_jitsi_version: stable-7001
matrix_jitsi_version: stable-7439-2
matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility
matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}"

2
roles/matrix-jitsi/tasks/init.yml
View file

@ -7,4 +7,4 @@
- name: Fail if on an unsupported architecture
fail:
msg: "Jitsi only supports the amd64 architecture right now. See https://github.com/jitsi/docker-jitsi-meet/issues/1069 and https://github.com/jitsi/docker-jitsi-meet/issues/1214"
when: matrix_jitsi_enabled|bool and matrix_architecture != 'amd64'
when: matrix_jitsi_enabled|bool and matrix_architecture not in ['amd64', 'arm64']

9
roles/matrix-nginx-proxy/defaults/main.yml
View file

@ -192,6 +192,10 @@ matrix_nginx_proxy_proxy_grafana_hostname: "{{ matrix_server_fqn_grafana }}"
matrix_nginx_proxy_proxy_sygnal_enabled: false
matrix_nginx_proxy_proxy_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}"
# Controls whether proxying the ntfy domain should be done.
matrix_nginx_proxy_proxy_ntfy_enabled: false
matrix_nginx_proxy_proxy_ntfy_hostname: "{{ matrix_server_fqn_ntfy }}"
# Controls whether proxying for (Prometheus) metrics (`/metrics/*`) for the various services should be done (on the matrix domain)
# If the internal Prometheus server (`matrix-prometheus` role) is used, proxying is not necessary, since Prometheus can access each container directly.
# This is only useful when an external Prometheus will be collecting metrics.
@ -311,7 +315,7 @@ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: ""
# Controls whether proxying for the Matrix Federation API should be done.
matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false
matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-nginx-proxy:12088"
matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "localhost:12088"
matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:12088"
matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb | int) * 3 }}"
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem"
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem"
@ -365,6 +369,9 @@ matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to Sygnal's server configuration (matrix-sygnal.conf).
matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to ntfy's server configuration (matrix-ntfy.conf).
matrix_nginx_proxy_proxy_ntfy_additional_server_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to the base domain server configuration (matrix-base-domain.conf).
matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []

13
roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
View file

@ -138,6 +138,13 @@
mode: 0644
when: matrix_nginx_proxy_proxy_sygnal_enabled|bool
- name: Ensure Matrix nginx-proxy configuration for ntfy domain exists
template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-ntfy.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-ntfy.conf"
mode: 0644
when: matrix_nginx_proxy_proxy_ntfy_enabled|bool
- name: Ensure Matrix nginx-proxy configuration for Matrix domain exists
template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-domain.conf.j2"
@ -288,6 +295,12 @@
state: absent
when: "not matrix_nginx_proxy_proxy_sygnal_enabled|bool"
- name: Ensure Matrix nginx-proxy configuration for ntfy domain deleted
file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-ntfy.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_ntfy_enabled|bool"
- name: Ensure Matrix nginx-proxy homepage for base domain deleted
file:
path: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html"

102
roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-ntfy.conf.j2 Normal file
View file

@ -0,0 +1,102 @@
#jinja2: lstrip_blocks: "True"
{% macro render_vhost_directives() %}
gzip on;
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
{% if matrix_nginx_proxy_hsts_preload_enabled %}
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
{% else %}
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
{% endif %}
add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;
{% for configuration_block in matrix_nginx_proxy_proxy_ntfy_additional_server_configuration_blocks %}
{{- configuration_block }}
{% endfor %}
location / {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
set $backend "matrix-ntfy:80";
proxy_pass http://$backend;
{% else %}
{# Generic configuration for use outside of our container setup #}
proxy_pass http://127.0.0.1:80;
{% endif %}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
}
{% endmacro %}
server {
listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }};
server_name {{ matrix_nginx_proxy_proxy_ntfy_hostname }};
server_tokens off;
root /dev/null;
{% if matrix_nginx_proxy_https_enabled %}
location /.well-known/acme-challenge {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
set $backend "matrix-certbot:8080";
proxy_pass http://$backend;
{% else %}
{# Generic configuration for use outside of our container setup #}
proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
{% endif %}
}
location / {
return 301 https://$http_host$request_uri;
}
{% else %}
{{ render_vhost_directives() }}
{% endif %}
}
{% if matrix_nginx_proxy_https_enabled %}
server {
listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
server_name {{ matrix_nginx_proxy_proxy_ntfy_hostname }};
server_tokens off;
root /dev/null;
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_ntfy_hostname }}/fullchain.pem;
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_ntfy_hostname }}/privkey.pem;
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
{% endif %}
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_ntfy_hostname }}/chain.pem;
{% endif %}
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
ssl_session_tickets off;
{% endif %}
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
{{ render_vhost_directives() }}
}
{% endif %}

46
roles/matrix-ntfy/defaults/main.yml Normal file
View file

@ -0,0 +1,46 @@
---
matrix_ntfy_enabled: true
matrix_ntfy_base_path: "{{ matrix_base_data_path }}/ntfy"
matrix_ntfy_config_dir_path: "{{ matrix_ntfy_base_path }}/config"
matrix_ntfy_data_path: "{{ matrix_ntfy_base_path }}/data"
matrix_ntfy_version: v1.27.2
matrix_ntfy_docker_image: "{{ matrix_container_global_registry_prefix }}binwiederhier/ntfy:{{ matrix_ntfy_version }}"
matrix_ntfy_docker_image_force_pull: "{{ matrix_ntfy_docker_image.endswith(':latest') }}"
# Public facing base URL of the ntfy service
matrix_ntfy_base_url: "https://{{ matrix_server_fqn_ntfy }}"
# Controls whether the container exposes its HTTP port (tcp/8080 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8768"), or empty string to not expose.
matrix_ntfy_container_http_host_bind_port: ''
# A list of extra arguments to pass to the container (`docker run` command)
matrix_ntfy_container_extra_arguments: []
# Controls whether the self-check feature should validate SSL certificates.
matrix_ntfy_self_check_validate_certificates: true
# Default ntfy configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#
# For a more advanced customization, you can extend the default (see `matrix_ntfy_configuration_extension_yaml`)
# or completely replace this variable with your own template.
matrix_ntfy_configuration_yaml: "{{ lookup('template', 'templates/ntfy/server.yml.j2') }}"
matrix_ntfy_configuration_extension_yaml: |
# Your custom YAML configuration for ntfy goes here.
# This configuration extends the default starting configuration (`matrix_ntfy_configuration_yaml`).
#
# You can override individual variables from the default configuration, or introduce new ones.
#
# If you need something more special, you can take full control by
# completely redefining `matrix_ntfy_configuration_yaml`.
matrix_ntfy_configuration_extension: "{{ matrix_ntfy_configuration_extension_yaml|from_yaml if matrix_ntfy_configuration_extension_yaml|from_yaml is mapping else {} }}"
# Holds the final ntfy configuration (a combination of the default and its extension).
# You most likely don't need to touch this variable. Instead, see `matrix_ntfy_configuration_yaml`.
matrix_ntfy_configuration: "{{ matrix_ntfy_configuration_yaml|from_yaml|combine(matrix_ntfy_configuration_extension, recursive=True) }}"

5
roles/matrix-ntfy/tasks/init.yml Normal file
View file

@ -0,0 +1,5 @@
---
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ntfy.service'] }}"
when: matrix_ntfy_enabled|bool

24
roles/matrix-ntfy/tasks/main.yml Normal file
View file

@ -0,0 +1,24 @@
---
- import_tasks: "{{ role_path }}/tasks/init.yml"
tags:
- always
- import_tasks: "{{ role_path }}/tasks/setup_install.yml"
when: "run_setup|bool and matrix_ntfy_enabled|bool"
tags:
- setup-all
- setup-ntfy
- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
when: "run_setup|bool and not matrix_ntfy_enabled|bool"
tags:
- setup-all
- setup-ntfy
- import_tasks: "{{ role_path }}/tasks/self_check.yml"
delegate_to: 127.0.0.1
become: false
when: "run_self_check|bool and matrix_ntfy_enabled|bool"
tags:
- self-check

25
roles/matrix-ntfy/tasks/self_check.yml Normal file
View file

@ -0,0 +1,25 @@
---
# Query an arbitrary ntfy topic using ntfy's UnifiedPush topic name syntax.
# Expect an empty response (because we query 'since=1s').
- set_fact:
matrix_ntfy_url_endpoint_public: "{{ matrix_ntfy_base_url }}/upSELFCHECK123/json?poll=1&since=1s"
- name: Check ntfy
uri:
url: "{{ matrix_ntfy_url_endpoint_public }}"
follow_redirects: none
validate_certs: "{{ matrix_ntfy_self_check_validate_certificates }}"
register: matrix_ntfy_self_check_result
check_mode: false
ignore_errors: true
- name: Fail if ntfy not working
fail:
msg: "Failed checking ntfy is up at `{{ matrix_server_fqn_ntfy }}` (checked endpoint: `{{ matrix_ntfy_url_endpoint_public }}`). Is ntfy running? Is port 443 open in your firewall? Full error: {{ matrix_ntfy_self_check_result }}"
when: "matrix_ntfy_self_check_result.failed"
- name: Report working ntfy
debug:
msg: "ntfy at `{{ matrix_server_fqn_ntfy }}` is working (checked endpoint: `{{ matrix_ntfy_url_endpoint_public }}`)"

44
roles/matrix-ntfy/tasks/setup_install.yml Normal file
View file

@ -0,0 +1,44 @@
---
- name: Ensure matrix-ntfy image is pulled
docker_image:
name: "{{ matrix_ntfy_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_ntfy_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ntfy_docker_image_force_pull }}"
register: result
retries: "{{ matrix_container_retries_count }}"
delay: "{{ matrix_container_retries_delay }}"
until: result is not failed
- name: Ensure matrix-ntfy paths exists
file:
path: "{{ item }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_ntfy_base_path }}"
- "{{ matrix_ntfy_config_dir_path }}"
- "{{ matrix_ntfy_data_path }}"
- name: Ensure matrix-ntfy config installed
copy:
content: "{{ matrix_ntfy_configuration|to_nice_yaml(indent=2, width=999999) }}"
dest: "{{ matrix_ntfy_config_dir_path }}/server.yml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure matrix-ntfy.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-ntfy.service.j2"
dest: "{{ matrix_systemd_path }}/matrix-ntfy.service"
mode: 0644
register: matrix_ntfy_systemd_service_result
- name: Ensure systemd reloaded after matrix-ntfy.service installation
service:
daemon_reload: true
when: "matrix_ntfy_systemd_service_result.changed"

36
roles/matrix-ntfy/tasks/setup_uninstall.yml Normal file
View file

@ -0,0 +1,36 @@
---
- name: Check existence of matrix-ntfy service
stat:
path: "{{ matrix_systemd_path }}/matrix-ntfy.service"
register: matrix_ntfy_service_stat
- name: Ensure matrix-ntfy is stopped
service:
name: matrix-ntfy
state: stopped
enabled: false
daemon_reload: true
register: stopping_result
when: "matrix_ntfy_service_stat.stat.exists"
- name: Ensure matrix-ntfy.service doesn't exist
file:
path: "{{ matrix_systemd_path }}/matrix-ntfy.service"
state: absent
when: "matrix_ntfy_service_stat.stat.exists"
- name: Ensure systemd reloaded after matrix-ntfy.service removal
service:
daemon_reload: true
when: "matrix_ntfy_service_stat.stat.exists"
- name: Ensure matrix-ntfy path doesn't exist
file:
path: "{{ matrix_ntfy_base_path }}"
state: absent
- name: Ensure ntfy Docker image doesn't exist
docker_image:
name: "{{ matrix_ntfy_docker_image }}"
state: absent

3
roles/matrix-ntfy/templates/ntfy/server.yml.j2 Normal file
View file

@ -0,0 +1,3 @@
base_url: {{ matrix_ntfy_base_url }}
behind_proxy: true
cache_file: /data/cache.db

38
roles/matrix-ntfy/templates/systemd/matrix-ntfy.service.j2 Normal file
View file

@ -0,0 +1,38 @@
#jinja2: lstrip_blocks: "True"
[Unit]
Description=matrix-ntfy
After=docker.service
Requires=docker.service
DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-ntfy 2>/dev/null || true'
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-ntfy 2>/dev/null || true'
ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-ntfy \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--read-only \
{% for arg in matrix_ntfy_container_extra_arguments %}
{{ arg }} \
{% endfor %}
--network={{ matrix_docker_network }} \
{% if matrix_ntfy_container_http_host_bind_port %}
-p {{ matrix_ntfy_container_http_host_bind_port }}:80 \
{% endif %}
--mount type=bind,src={{ matrix_ntfy_config_dir_path }},dst=/etc/ntfy,ro \
--mount type=bind,src={{ matrix_ntfy_data_path }},dst=/data \
{{ matrix_ntfy_docker_image }} \
serve
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-ntfy 2>/dev/null || true'
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-ntfy 2>/dev/null || true'
Restart=always
RestartSec=30
SyslogIdentifier=matrix-ntfy
[Install]
WantedBy=multi-user.target

2
roles/matrix-synapse/defaults/main.yml
View file

@ -9,7 +9,7 @@ matrix_synapse_container_image_self_build_repo: "https://github.com/matrix-org/s
matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:{{ matrix_synapse_docker_image_tag }}"
matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else matrix_container_global_registry_prefix }}"
matrix_synapse_version: v1.61.1
matrix_synapse_version: v1.62.0
matrix_synapse_docker_image_tag: "{{ matrix_synapse_version }}"
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"

1
setup.yml
View file

@ -60,6 +60,7 @@
- matrix-etherpad
- matrix-email2matrix
- matrix-sygnal
- matrix-ntfy
- matrix-nginx-proxy
- matrix-coturn
- matrix-aux