Merge branch 'master' into pub.solar
This commit is contained in:
commit
dcb99a79e6
|
@ -19,6 +19,10 @@ trim_trailing_whitespace = true
|
|||
indent_style = space
|
||||
indent_size = 2
|
||||
|
||||
[group_vars/matrix_servers]
|
||||
indent_style = space
|
||||
indent_size = 2
|
||||
|
||||
# Markdown Files
|
||||
#
|
||||
# Two spaces at the end of a line in Markdown mean "new line",
|
||||
|
|
195
CHANGELOG.md
195
CHANGELOG.md
|
@ -1,3 +1,194 @@
|
|||
# 2023-02-17
|
||||
|
||||
## Synapse templates customization support
|
||||
|
||||
The playbook can now help you customize Synapse's templates.
|
||||
|
||||
Additional details are available in the [Customizing templates](docs/configuring-playbook-synapse.md#customizing-templates) section of our Synapse documentation.
|
||||
|
||||
## The matrix-redis role lives independently now
|
||||
|
||||
**TLDR**: the `matrix-redis` role is now included from another repository. Some variables have been renamed. All functionality remains intact.
|
||||
|
||||
The `matrix-redis` role (which configures [Redis](https://redis.io/)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/redis). This makes it possible to easily use it in other Ansible playbooks.
|
||||
|
||||
You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're enabling Ntfy or not. If you're making use of Ntfy via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_redis_` -> `redis_`).
|
||||
|
||||
## The matrix-ntfy role lives independently now
|
||||
|
||||
**TLDR**: the `matrix-ntfy` role is now included from another repository. Some variables have been renamed. All functionality remains intact.
|
||||
|
||||
The `matrix-ntfy` role (which configures [Ntfy](https://ntfy.sh/)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/ntfy). This makes it possible to easily use it in other Ansible playbooks.
|
||||
|
||||
You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're enabling Ntfy or not. If you're making use of Ntfy via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_ntfy_` -> `ntfy_`).
|
||||
|
||||
|
||||
# 2023-02-15
|
||||
|
||||
## The matrix-grafana role lives independently now
|
||||
|
||||
**TLDR**: the `matrix-grafana` role is now included from another repository. Some variables have been renamed. All functionality remains intact.
|
||||
|
||||
The `matrix-grafana` role (which configures [Grafana](docs/configuring-playbook-prometheus-grafana.md)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/grafana). This makes it possible to easily use it in other Ansible playbooks.
|
||||
|
||||
You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're enabling Grafana or not. If you're making use of Grafana via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_grafana_` -> `grafana_`).
|
||||
|
||||
|
||||
# 2023-02-13
|
||||
|
||||
## The matrix-backup-borg role lives independently now
|
||||
|
||||
**TLDR**: the `matrix-backup-borg` role is now included from another repository. Some variables have been renamed. All functionality remains intact.
|
||||
|
||||
Thanks to [moan0s](https://github.com/moan0s), the `matrix-backup-borg` role (which configures [Borg backups](docs/configuring-playbook-backup-borg.md)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/backup_borg). This makes it possible to easily use it in other Ansible playbooks and will become part of [nextcloud-docker-ansible-deploy](https://github.com/spantaleev/nextcloud-docker-ansible-deploy) soon.
|
||||
|
||||
You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're enabling Borg backup functionality or not. If you're making use of Borg backups via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_backup_borg_` -> `backup_borg_`).
|
||||
|
||||
|
||||
# 2023-02-12
|
||||
|
||||
## (Backward Compatibility) Reverse-proxy configuration changes and initial Traefik support
|
||||
|
||||
**TLDR**:
|
||||
|
||||
- there's a new `matrix_playbook_reverse_proxy_type` variable (see [roles/custom/matrix-base/defaults/main.yml](roles/custom/matrix-base/defaults/main.yml)), which lets you tell the playbook what reverse-proxy setup you'd like to have. This makes it easier for people who want to do reverse-proxying in other ways.
|
||||
- the default reverse-proxy (`matrix_playbook_reverse_proxy_type`) is still `playbook-managed-nginx` (via `matrix-nginx-proxy`), for now. **Existing `matrix-nginx-proxy` users should not observe any changes** and can stay on this for now.
|
||||
- **Users who use their [own other webserver](docs/configuring-playbook-own-webserver.md) (e.g. Apache, etc.) need to change** `matrix_playbook_reverse_proxy_type` to something like `other-on-same-host`, `other-on-another-host` or `other-nginx-non-container`
|
||||
- we now have **optional [Traefik](https://traefik.io/) support**, so you could easily host Matrix and other Traefik-native services in containers on the same server. Traefik support is still experimental (albeit, good enough) and will improve over time. It does work, but certain esoteric features may not be there yet.
|
||||
- **Traefik will become the default reverse-proxy in the near future**. `matrix-nginx-proxy` will either remain as an option, or be completely removed to simplify the playbook
|
||||
|
||||
### Motivation for redoing our reverse-proxy setup
|
||||
|
||||
The playbook has supported various reverse-proxy setups for a long time.
|
||||
We have various configuration variables (`matrix_nginx_proxy_enabled`, various `_host_bind_port` variables, etc.) which allow the playbook to adapt to these different setups. The whole situation was messy though - hard to figure out and with lots of variables to toggle to make things work as you'd expect - huge **operational complexity**.
|
||||
|
||||
We love containers, proven by the fact that **everything** that this playbook manages runs in a container. Yet, we weren't allowing people to easily host other web-exposed containers alongside Matrix services on the same server. We were using `matrix-nginx-proxy` (our integrated [nginx](https://nginx.org/) server), which was handling web-exposure and SSL termination for our own services, but we **weren't helping you with all your other containers**.
|
||||
|
||||
People who were **using `matrix-nginx-proxy`** were on the happy path on which everything worked well by default (Matrix-wise), **but** could not easily run other web-exposed services on their Matrix server because `matrix-nginx-proxy` was occupying ports `80` and `443`. Other services which wanted to get web exposure either had to be plugged into `matrix-nginx-proxy` (somewhat difficult) or people had to forgo using `matrix-nginx-proxy` in favor of something else.
|
||||
|
||||
Of those that decided to forgo `matrix-nginx-proxy`, many were **using nginx** on the same server without a container. This was likely some ancient nginx version, depending on your choice of distro. The Matrix playbook was trying to be helpful and even with `matrix_nginx_proxy_enabled: false` was still generating nginx configuration in `/matrix/nginx-proxy/conf.d`. Those configuration files were adapted for inclusion into an nginx server running locally. Disabling the `matrix-nginx-proxy` role like this, yet still having it produce files is a bit disgusting, but it's what we've had since the early beginnings of this playbook.
|
||||
|
||||
Others still, wanted to run Matrix locally (no SSL certificates), regardless of which web server technology this relied on, and then **reverse-proxy from another machine on the network** which was doing SSL termination. These people were:
|
||||
|
||||
- *either* relying on `matrix_nginx_proxy_enabled: false` as well, combined with exposing services manually (setting `_bind_port` variables)
|
||||
- *or* better yet, they were keeping `matrix-nginx-proxy` enabled, but in `http`-only mode (no SSL certificate retrieval).
|
||||
|
||||
Despite this operational complexity, things worked and were reasonably flexible to adapt to all these situations.
|
||||
|
||||
When using `matrix-nginx-proxy` as is, we still had another problem - one of **internal playbook complexity**. Too many services need to be web-exposed (port 80/443, SSL certificates). Because of this, they all had to integrate with the `matrix-nginx-proxy` role. Tens of different roles explicitly integrating with `matrix-nginx-proxy` is not what we call clean. The `matrix-nginx-proxy` role contains variables for many of these roles (yikes). Other roles were more decoupled from it and were injecting configuration into `matrix-nginx-proxy` at runtime - see all the `inject_into_nginx_proxy.yml` task files in this playbook (more decoupled, but still.. yikes).
|
||||
|
||||
The next problem is one of **efficiency, interoperability and cost-saving**. We're working on other playbooks:
|
||||
|
||||
- [vaultwarden-docker-ansible-deploy](https://github.com/spantaleev/vaultwarden-docker-ansible-deploy) for hosting the [Vaultwarden](https://github.com/dani-garcia/vaultwarden) server - an alternative implementation of the [Bitwarden](https://bitwarden.com/) password manager
|
||||
- [gitea-docker-ansible-deploy](https://github.com/spantaleev/gitea-docker-ansible-deploy) - for hosting the [Gitea](https://gitea.io/) git source code hosting service
|
||||
- [nextcloud-docker-ansible-deploy](https://github.com/spantaleev/nextcloud-docker-ansible-deploy) - for hosting the [Nextcloud](https://nextcloud.com/) groupware platform
|
||||
|
||||
We'd love for users to be able to **seamlessly use all these playbooks (and others, even) against a single server**. We don't want `matrix-nginx-proxy` to have a monopoly on port `80`/`443` and make it hard for other services to join in on the party. Such a thing forces people into running multiple servers (one for each service), which does provide nice security benefits, but is costly and ineffiecient. We'd like to make self-hosting these services cheap and easy.
|
||||
|
||||
These other playbooks have been using [Traefik](https://traefik.io/) as their default reverse-proxy for a long time. They can all coexist nicely together (as an example, see the [Interoperability](https://github.com/spantaleev/nextcloud-docker-ansible-deploy/blob/master/docs/configuring-playbook-interoperability.md) documentation for the [Nextcloud playbook](https://github.com/spantaleev/nextcloud-docker-ansible-deploy)). Now that this playbook is gaining Traefik support, it will be able to interoperate with them. If you're going this way, make sure to have the Matrix playbook install Traefik and have the others use `*_reverse_proxy_type: other-traefik-container`.
|
||||
|
||||
Finally, at [etke.cc - a managed Matrix server hosting service](https://etke.cc) (built on top of this playbook, and coincidentally [turning 2 years old today](https://etke.cc/news/upsyw4ykbtgmwhz8k7ukldx0zbbfq-fh0iqi3llixi0/) 🎉), we're allowing people to host some additional services besides Matrix components. Exposing these services to the web requires ugly hacks and configuration files being dropped into `/matrix/nginx-proxy/conf.d`. We believe that everything should run in independent containers and be exposed to the web via a Traefik server, without a huge Ansible role like `matrix-nginx-proxy` that everything else needs to integrate with.
|
||||
|
||||
### How do these changes fix all these problems?
|
||||
|
||||
The new `matrix_playbook_reverse_proxy_type` lets you easily specify your preferred reverse-proxy type, including `other-on-same-host`, `other-on-another-host` and `none`, so people who'd like to reverse-proxy with their own web server have more options now.
|
||||
|
||||
Using Traefik greatly simplifies things, so going forward we'll have a simpler and easier to maintain playbook, which is also interoperable with other services.
|
||||
|
||||
Traefik is a web server, which has been specifically **designed for reverse-proxying to services running in containers**. It's ideal for usage in an Ansible playbook which runs everything in containers.
|
||||
|
||||
**Traefik obtains SSL certificates automatically**, so there's no need for plugging additional tools like [Certbot](https://certbot.eff.org/) into your web server (like we were doing in the `matrix-nginx-proxy` role). No more certificate renewal timers, web server reloading timers, etc. It's just simpler.
|
||||
|
||||
Traefik is a **modern web server**. [HTTP/3](https://doc.traefik.io/traefik/routing/entrypoints/#http3) is supported already (experimentally) and will move to stable soon, in the upcoming Traefik v3 release.
|
||||
|
||||
Traefik does not lock important functionality we'd like to use into [plus packages like nginx does](https://www.nginx.com/products/nginx/), leading us to resolve to configuration workarounds. The default Traefik package is good enough as it is.
|
||||
|
||||
### Where we're at right now?
|
||||
|
||||
`matrix_playbook_reverse_proxy_type` still defaults to a value of `playbook-managed-nginx`.
|
||||
|
||||
Unless we have some regression, **existing `matrix-nginx-proxy` users should be able to update their Matrix server and not observe any changes**. Their setup should still remain on nginx and everything should still work as expected.
|
||||
|
||||
**Users using [their own webservers](docs/configuring-playbook-own-webserver.md) will need to change `matrix_playbook_reverse_proxy_type`** to something like `other-on-same-host`, `other-on-another-host` or `other-nginx-non-container`. Previously, they could toggle `matrix_nginx_proxy_enabled` to `false`, and that made the playbook automatically expose services locally. Currently, we only do this if you change the reverse-proxy type to `other-on-same-host`, `other-on-another-host` or `other-nginx-non-container`.
|
||||
|
||||
#### How do I explicitly switch to Traefik right now?
|
||||
|
||||
**Users who wish to migrate to Traefik** today, can do so by **adding** this to their configuration:
|
||||
|
||||
```yaml
|
||||
matrix_playbook_reverse_proxy_type: playbook-managed-traefik
|
||||
|
||||
devture_traefik_config_certificatesResolvers_acme_email: YOUR_EMAIL_ADDRESS
|
||||
```
|
||||
|
||||
You may still need to keep certain old `matrix_nginx_proxy_*` variables (like `matrix_nginx_proxy_base_domain_serving_enabled`), even when using Traefik. For now, we recommend keeping all `matrix_nginx_proxy_*` variables just in case. In the future, reliance on `matrix-nginx-proxy` will be removed.
|
||||
|
||||
Switching to Traefik will obtain new SSL certificates from Let's Encrypt (stored in `/devture-traefik/ssl/acme.json`). **The switch is reversible**. You can always go back to `playbook-managed-nginx` if Traefik is causing you trouble.
|
||||
|
||||
**Note**: toggling `matrix_playbook_reverse_proxy_type` between Traefik and nginx will uninstall the Traefik role and all of its data (under `/devture-traefik`), so you may run into a Let's Encrypt rate limit if you do it often.
|
||||
|
||||
Treafik directly reverse-proxies to **some** services right now, but for most other services it goes through `matrix-nginx-proxy` (e.g. Traefik -> `matrix-nginx-proxy` -> [Ntfy](docs/configuring-playbook-ntfy.md)). So, even if you opt into Traefik, you'll still see `matrix-nginx-proxy` being installed in local-only mode. This will improve with time.
|
||||
|
||||
Some services (like [Coturn](docs/configuring-playbook-turn.md) and [Postmoogle](docs/configuring-playbook-bot-postmoogle.md)) cannot be reverse-proxied to directly from Traefik, so they require direct access to SSL certificate files extracted out of Traefik. The playbook does this automatically thanks to a new [com.devture.ansible.role.traefik_certs_dumper](https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper) role utilizing the [traefik-certs-dumper](https://github.com/ldez/traefik-certs-dumper) tool.
|
||||
|
||||
Our Traefik setup mostly works, but certain esoteric features may not work. If you have a default setup, we expect you to have a good experience.
|
||||
|
||||
|
||||
### Where we're going in the near future?
|
||||
|
||||
The `matrix-nginx-proxy` role is quite messy. It manages both nginx and Certbot and its certificate renewal scripts and timers. It generates configuration even when the role is disabled (weird). Although it doesn't directly reach into variables from other roles, it has explicit awareness of various other services that it reverse-proxies to (`roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-ntfy.conf.j2`, etc.). We'd like to clean this up. The only way is probably to just get rid of the whole thing at some point.
|
||||
|
||||
For now, `matrix-nginx-proxy` will stay around.
|
||||
|
||||
As mentioned above, Traefik still reverse-proxies to some (most) services by going through a local-only `matrix-nginx-proxy` server. This has allowed us to add Traefik support to the playbook early on (without having to rework all services), but is not the final goal. We'll **work on making each service support Traefik natively**, so that traffic will not need to go through `matrix-nginx-proxy` anymore. In the end, choosing Traefik should only give you a pure Traefik installation with no `matrix-nginx-proxy` in sight.
|
||||
|
||||
As Traefik support becomes complete and proves to be stable for a while, especially as a playbook default, we will **most likely remove `matrix-nginx-proxy` completely**. It will likely be some months before this happens though. Keeping support for both Traefik and nginx in the playbook will be a burden, especially with most of us running Traefik in the future. The Traefik role should do everything nginx does in a better and cleaner way. Users who use their own `nginx` server on the Matrix server will be inconvenienced, as nothing will generate ready-to-include nginx configuration for them. Still, we hope it won't be too hard to migrate their setup to another way of doing things, like:
|
||||
|
||||
- not using nginx anymore. A common reason for using nginx until now was that you were running other containers and you need your own nginx to reverse-proxy to all of them. Just switch them to Traefik as well.
|
||||
- running Traefik in local-only mode (`devture_traefik_config_entrypoint_web_secure_enabled: false`) and using some nginx configuration which reverse-proxies to Traefik (we should introduce examples for this in `examples/nginx`).
|
||||
|
||||
### How do I help?
|
||||
|
||||
You can help by:
|
||||
|
||||
- **explicitly switching your server to Traefik** right now (see example configuration in [How do I explicitly switch to Traefik right now?](#how-do-i-explicitly-switch-to-traefik-right-now) above), testing, reporting troubles
|
||||
|
||||
- **adding native Traefik support to a role** (requires adding Traefik labels, etc.) - for inspiration, see these roles ([prometheus_node_exporter](https://gitlab.com/etke.cc/roles/prometheus_node_exporter), [prometheus_postgres_exporter](https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter)) and how they're hooked into the playbook via [group_vars/matrix_servers](group_vars/matrix_servers).
|
||||
|
||||
- **adding reverse-proxying examples for nginx users** in `examples/nginx`. People who insist on using their own `nginx` server on the same Matrix host, can run Traefik in local-only mode (`devture_traefik_config_entrypoint_web_secure_enabled: false`) and reverse-proxy to the Traefik server
|
||||
|
||||
|
||||
# 2023-02-10
|
||||
|
||||
## Matrix Authentication Support for Jitsi
|
||||
|
||||
Thanks to [Jakob S.](https://github.com/jakicoll) ([zakk gGmbH](https://github.com/zakk-it)), Jitsi can now use Matrix for authentication (via [Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service)).
|
||||
|
||||
Additional details are available in the [Authenticate using Matrix OpenID (Auth-Type 'matrix')](docs/configuring-playbook-jitsi.md#authenticate-using-matrix-openid-auth-type-matrix).
|
||||
|
||||
|
||||
## Draupnir moderation tool (bot) support
|
||||
|
||||
Thanks to [FSG-Cat](https://github.com/FSG-Cat), the playbook can now install and configure the [Draupnir](https://github.com/Gnuxie/Draupnir) moderation tool (bot). Draupnir is a fork of [Mjolnir](docs/configuring-playbook-bot-mjolnir.md) (which the playbook has supported for a long time) maintained by Mjolnir's former lead developer.
|
||||
|
||||
Additional details are available in [Setting up Draupnir](docs/configuring-playbook-bot-draupnir.md).
|
||||
|
||||
|
||||
# 2023-02-05
|
||||
|
||||
## The matrix-prometheus-postgres-exporter role lives independently now
|
||||
|
||||
**TLDR**: the `matrix-prometheus-postgres-exporter` role is now included from another repository. Some variables have been renamed. All functionality remains intact.
|
||||
|
||||
The `matrix-prometheus-postgres-exporter` role (which configures [Prometheus Postgres Exporter](https://github.com/prometheus-community/postgres_exporter)) has been extracted from the playbook and now lives in its own repository at https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter
|
||||
|
||||
It's still part of the playbook, but is now installed via `ansible-galaxy` (by running `just roles` / `make roles`). Some variables have been renamed (`matrix_prometheus_postgres_exporter_` -> `prometheus_postgres_exporter_`, etc.). The playbook will report all variables that you need to rename to get upgraded. All functionality remains intact.
|
||||
|
||||
The `matrix-prometheus-services-proxy-connect` role has bee adjusted to help integrate the new `prometheus_postgres_exporter` role with our own services (`matrix-nginx-proxy`)
|
||||
|
||||
Other roles which aren't strictly related to Matrix are likely to follow this fate of moving to their own repositories. Extracting them out allows other Ansible playbooks to make use of these roles easily.
|
||||
|
||||
|
||||
# 2023-01-26
|
||||
|
||||
## Coturn can now use host-networking
|
||||
|
@ -33,7 +224,7 @@ We've also added `no-multicast-peers` to the default Coturn configuration, but w
|
|||
|
||||
**TLDR**: the `matrix-prometheus-node-exporter` role is now included from another repository. Some variables have been renamed. All functionality remains intact.
|
||||
|
||||
The `matrix-prometheus-node-exporter` role (which configures [Prometheus node exporter](https://github.com/prometheus/node_exporter)) has been extracted from the playbook and now lives in its own repository at https://gitlab.com/etke.cc/roles/prometheus_node_exporter.
|
||||
The `matrix-prometheus-node-exporter` role (which configures [Prometheus node exporter](https://github.com/prometheus/node_exporter)) has been extracted from the playbook and now lives in its own repository at https://gitlab.com/etke.cc/roles/prometheus_node_exporter
|
||||
|
||||
It's still part of the playbook, but is now installed via `ansible-galaxy` (by running `just roles` / `make roles`). Some variables have been renamed (`matrix_prometheus_node_exporter_` -> `prometheus_node_exporter_`, etc.). The playbook will report all variables that you need to rename to get upgraded. All functionality remains intact.
|
||||
|
||||
|
@ -519,7 +710,7 @@ See our [Setting up the ntfy push notifications server](docs/configuring-playboo
|
|||
|
||||
**If you're using node-exporter** (`matrix_prometheus_node_exporter_enabled: true`) and would like to collect its metrics from an external Prometheus server, see `matrix_prometheus_node_exporter_metrics_proxying_enabled` described in our [Collecting metrics to an external Prometheus server](docs/configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server) documentation. You will be able to collect its metrics from `https://matrix.DOMAIN/metrics/node-exporter`.
|
||||
|
||||
**If you're using [postgres-exporter](docs/configuring-playbook-prometheus-postgres.md)** (`matrix_prometheus_postgres_exporter_enabled: true`) and would like to collect its metrics from an external Prometheus server, see `matrix_prometheus_postgres_exporter_metrics_proxying_enabled` described in our [Collecting metrics to an external Prometheus server](docs/configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server) documentation. You will be able to collect its metrics from `https://matrix.DOMAIN/metrics/postgres-exporter`.
|
||||
**If you're using [postgres-exporter](docs/configuring-playbook-prometheus-postgres.md)** (`prometheus_postgres_exporter_enabled: true`) and would like to collect its metrics from an external Prometheus server, see `matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled` described in our [Collecting metrics to an external Prometheus server](docs/configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server) documentation. You will be able to collect its metrics from `https://matrix.DOMAIN/metrics/postgres-exporter`.
|
||||
|
||||
**If you're using Synapse** and would like to collect its metrics from an external Prometheus server, you may find that:
|
||||
|
||||
|
|
|
@ -55,7 +55,7 @@ Services that run on the server to make the various parts of your installation w
|
|||
| [nginx](http://nginx.org/) | ✓ | Web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](docs/configuring-playbook-own-webserver.md) | [Link](docs/configuring-playbook-nginx.md) |
|
||||
| [Let's Encrypt](https://letsencrypt.org/) | ✓ | Free SSL certificate, which secures the connection to the Synapse server and the Element web UI | [Link](docs/configuring-playbook-ssl-certificates.md) |
|
||||
| [ma1sd](https://github.com/ma1uta/ma1sd) | x | Matrix Identity Server | [Link](docs/configuring-playbook-ma1sd.md)
|
||||
| [Exim](https://www.exim.org/) | ✓ | Mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) | - |
|
||||
| [Exim](https://www.exim.org/) | ✓ | Mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) | [Link](docs/configuring-playbook-email.md) |
|
||||
| [Dimension](https://github.com/turt2live/matrix-dimension) | x | An open source integrations manager for matrix clients | [Link](docs/configuring-playbook-dimension.md) |
|
||||
| [Sygnal](https://github.com/matrix-org/sygnal) | x | Push gateway | [Link](docs/configuring-playbook-sygnal.md) |
|
||||
| [ntfy](https://ntfy.sh) | x | Push notifications server | [Link](docs/configuring-playbook-ntfy.md) |
|
||||
|
@ -130,6 +130,7 @@ Bots provide various additional functionality to your installation.
|
|||
| [Postmoogle](https://gitlab.com/etke.cc/postmoogle) | x | Email to matrix bot | [Link](docs/configuring-playbook-bot-postmoogle.md) |
|
||||
| [Go-NEB](https://github.com/matrix-org/go-neb) | x | A multi functional bot written in Go | [Link](docs/configuring-playbook-bot-go-neb.md) |
|
||||
| [Mjolnir](https://github.com/matrix-org/mjolnir) | x | A moderation tool for Matrix | [Link](docs/configuring-playbook-bot-mjolnir.md) |
|
||||
| [Draupnir](https://github.com/Gnuxie/Draupnir) | x | A moderation tool for Matrix (Fork of Mjolnir) | [Link](docs/configuring-playbook-bot-draupnir.md) |
|
||||
| [Buscarron](https://gitlab.com/etke.cc/buscarron) | x | Web forms (HTTP POST) to matrix | [Link](docs/configuring-playbook-bot-buscarron.md) |
|
||||
| [matrix-chatgpt-bot](https://github.com/matrixgpt/matrix-chatgpt-bot) | x | ChatGPT from matrix | [Link](docs/configuring-playbook-bot-chatgpt.md) |
|
||||
|
||||
|
|
|
@ -6,9 +6,9 @@ That means your daily incremental backups can be stored in a fraction of the spa
|
|||
|
||||
You will need a remote server where borg will store the backups. There are hosted, borg compatible solutions available, such as [BorgBase](https://www.borgbase.com).
|
||||
|
||||
The backup will run based on `matrix_backup_borg_schedule` var (systemd timer calendar), default: 4am every day.
|
||||
The backup will run based on `backup_borg_schedule` var (systemd timer calendar), default: 4am every day.
|
||||
|
||||
By default, if you're using the integrated Postgres database server (as opposed to [an external Postgres server](configuring-playbook-external-postgres.md)), Borg backups will also include dumps of your Postgres database. An alternative solution for backing up the Postgres database is [postgres backup](configuring-playbook-postgres-backup.md). If you decide to go with another solution, you can disable Postgres-backup support for Borg using the `matrix_backup_borg_postgresql_enabled` variable.
|
||||
By default, if you're using the integrated Postgres database server (as opposed to [an external Postgres server](configuring-playbook-external-postgres.md)), Borg backups will also include dumps of your Postgres database. An alternative solution for backing up the Postgres database is [postgres backup](configuring-playbook-postgres-backup.md). If you decide to go with another solution, you can disable Postgres-backup support for Borg using the `backup_borg_postgresql_enabled` variable.
|
||||
|
||||
|
||||
## Prerequisites
|
||||
|
@ -38,11 +38,11 @@ cat PUBKEY | ssh USER@HOST 'dd of=.ssh/authorized_keys oflag=append conv=notrunc
|
|||
Minimal working configuration (`inventory/host_vars/matrix.DOMAIN/vars.yml`) to enable borg backup:
|
||||
|
||||
```yaml
|
||||
matrix_backup_borg_enabled: true
|
||||
matrix_backup_borg_location_repositories:
|
||||
backup_borg_enabled: true
|
||||
backup_borg_location_repositories:
|
||||
- ssh://USER@HOST/./REPO
|
||||
matrix_backup_borg_storage_encryption_passphrase: "PASSPHRASE"
|
||||
matrix_backup_borg_ssh_key_private: |
|
||||
backup_borg_storage_encryption_passphrase: "PASSPHRASE"
|
||||
backup_borg_ssh_key_private: |
|
||||
-----BEGIN OPENSSH PRIVATE KEY-----
|
||||
TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQsIGNvbnNlY3RldHVyIGFkaXBpc2NpbmcgZW
|
||||
xpdCwgc2VkIGRvIGVpdXNtb2QgdGVtcG9yIGluY2lkaWR1bnQgdXQgbGFib3JlIGV0IGRv
|
||||
|
@ -58,13 +58,13 @@ where:
|
|||
* HOST - SSH host of a provider/server
|
||||
* REPO - borg repository name, it will be initialized on backup start, eg: `matrix`, regarding Syntax see [Remote repositories](https://borgbackup.readthedocs.io/en/stable/usage/general.html#repository-urls)
|
||||
* PASSPHRASE - passphrase used for encrypting backups, you may generate it with `pwgen -s 64 1` or use any password manager
|
||||
* PRIVATE KEY - the content of the **private** part of the SSH key you created before. The whole key (all of its belonging lines) under `matrix_backup_borg_ssh_key_private` needs to be indented with 2 spaces
|
||||
* PRIVATE KEY - the content of the **private** part of the SSH key you created before. The whole key (all of its belonging lines) under `backup_borg_ssh_key_private` needs to be indented with 2 spaces
|
||||
|
||||
To backup without encryption, add `matrix_backup_borg_encryption: 'none'` to your vars. This will also enable the `matrix_backup_borg_unknown_unencrypted_repo_access_is_ok` variable.
|
||||
To backup without encryption, add `backup_borg_encryption: 'none'` to your vars. This will also enable the `backup_borg_unknown_unencrypted_repo_access_is_ok` variable.
|
||||
|
||||
`matrix_backup_borg_location_source_directories` defines the list of directories to back up: it's set to `{{ matrix_base_data_path }}` by default, which is the base directory for every service's data, such as Synapse, Postgres and the bridges. You might want to exclude certain directories or file patterns from the backup using the `matrix_backup_borg_location_exclude_patterns` variable.
|
||||
`backup_borg_location_source_directories` defines the list of directories to back up: it's set to `{{ matrix_base_data_path }}` by default, which is the base directory for every service's data, such as Synapse, Postgres and the bridges. You might want to exclude certain directories or file patterns from the backup using the `backup_borg_location_exclude_patterns` variable.
|
||||
|
||||
Check the `roles/custom/matrix-backup-borg/defaults/main.yml` file for the full list of available options.
|
||||
Check the [backup_borg role](https://gitlab.com/etke.cc/roles/backup_borg)'s [defaults/main.yml](https://gitlab.com/etke.cc/roles/backup_borg/-/blob/main/defaults/main.yml) file for the full list of available options.
|
||||
|
||||
## Installing
|
||||
|
||||
|
|
|
@ -32,11 +32,8 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.
|
|||
```yaml
|
||||
matrix_bot_chatgpt_enabled: true
|
||||
|
||||
# See instructions on
|
||||
# https://www.npmjs.com/package/chatgpt
|
||||
matrix_bot_chatgpt_openai_email: ''
|
||||
matrix_bot_chatgpt_openai_password: ''
|
||||
matrix_bot_chatgpt_openai_login_type: google
|
||||
# Obtain a new API key from https://platform.openai.com/account/api-keys
|
||||
matrix_bot_chatgpt_openai_api_key: ''
|
||||
|
||||
# This is the default username
|
||||
# matrix_bot_chatgpt_matrix_bot_username_localpart: 'bot.chatgpt'
|
||||
|
|
114
docs/configuring-playbook-bot-draupnir.md
Normal file
114
docs/configuring-playbook-bot-draupnir.md
Normal file
|
@ -0,0 +1,114 @@
|
|||
# Setting up draupnir (optional)
|
||||
|
||||
The playbook can install and configure the [draupnir](https://github.com/Gnuxie/Draupnir) moderation bot for you.
|
||||
|
||||
See the project's [documentation](https://github.com/Gnuxie/Draupnir) to learn what it does and why it might be useful to you.
|
||||
|
||||
If your migrating from Mjolnir skip to step 5b.
|
||||
|
||||
## 1. Register the bot account
|
||||
|
||||
The playbook does not automatically create users for you. The bot requires an access token to be able to connect to your homeserver.
|
||||
|
||||
You **need to register the bot user manually** before setting up the bot.
|
||||
|
||||
Choose a strong password for the bot. You can generate a good password with a command like this: `pwgen -s 64 1`.
|
||||
|
||||
You can use the playbook to [register a new user](registering-users.md):
|
||||
|
||||
```
|
||||
ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.draupnir password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user
|
||||
```
|
||||
|
||||
If you would like draupnir to be able to deactivate users, move aliases, shutdown rooms, etc then it must be a server admin so you need to change `admin=no` to `admin=yes` in the command above.
|
||||
|
||||
|
||||
## 2. Get an access token
|
||||
|
||||
Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md).
|
||||
|
||||
|
||||
## 3. Make sure the account is free from rate limiting
|
||||
|
||||
You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step draupnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). This can also be manually done by editing the Synapse database. Manually editing the Synapse database is rarely a good idea. Please ask for help if you are uncomfortable with these steps.
|
||||
|
||||
1. Copy the statement below into a text editor.
|
||||
|
||||
```
|
||||
INSERT INTO ratelimit_override VALUES ('@bot.draupnir:DOMAIN', 0, 0);
|
||||
```
|
||||
|
||||
1. Change the username (`@bot.draupnir:DOMAIN`) to the username you used when you registered the bot's account. You must change `DOMAIN` to your server's domain.
|
||||
|
||||
1. Get a database terminal by following these steps: [maintenance-postgres.md#getting-a-database-terminal](maintenance-postgres.md#getting-a-database-terminal)
|
||||
|
||||
1. Connect to Synapse's database by typing `\connect synapse` into the database terminal
|
||||
|
||||
1. Paste in the `INSERT INTO` command that you edited and press enter.
|
||||
|
||||
You can run `SELECT * FROM ratelimit_override;` to see if it worked. If the output looks like this:
|
||||
|
||||
```
|
||||
user_id | messages_per_second | burst_count
|
||||
-----------------------+---------------------+-------------
|
||||
@bot.draupnir:raim.ist | 0 | 0`
|
||||
```
|
||||
then you did it correctly.
|
||||
|
||||
|
||||
## 4. Create a management room
|
||||
|
||||
Using your own account, create a new invite only room that you will use to manage the bot. This is the room where you will see the status of the bot and where you will send commands to the bot, such as the command to ban a user from another room. Anyone in this room can control the bot so it is important that you only invite trusted users to this room. The room must be unencrypted since the playbook does not support installing Pantalaimon yet.
|
||||
|
||||
Once you have created the room you need to copy the room ID so you can tell the bot to use that room. In Element you can do this by going to the room's settings, clicking Advanced, and then coping the internal room ID. The room ID will look something like `!QvgVuKq0ha8glOLGMG:DOMAIN`.
|
||||
|
||||
Finally invite the `@bot.draupnir:DOMAIN` account you created earlier into the room.
|
||||
|
||||
|
||||
## 5a. Adjusting the playbook configuration
|
||||
|
||||
Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs):
|
||||
|
||||
You must replace `ACCESS_TOKEN_FROM_STEP_2_GOES_HERE` and `ROOM_ID_FROM_STEP_4_GOES_HERE` with the your own values.
|
||||
|
||||
```yaml
|
||||
matrix_bot_draupnir_enabled: true
|
||||
|
||||
matrix_bot_draupnir_access_token: "ACCESS_TOKEN_FROM_STEP_2_GOES_HERE"
|
||||
|
||||
matrix_bot_draupnir_management_room: "ROOM_ID_FROM_STEP_4_GOES_HERE"
|
||||
```
|
||||
|
||||
## 5b. Migrating from Mjolnir (Only required if migrating.)
|
||||
|
||||
Replace your `matrix_bot_mjolnir` config with `matrix_bot_draupnir` config. Also disable mjolnir if you're doing migration.
|
||||
That is all you need to do due to that Draupnir can complete migration on its own.
|
||||
|
||||
## 6. Installing
|
||||
|
||||
After configuring the playbook, run the [installation](installing.md) command:
|
||||
|
||||
```
|
||||
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
|
||||
```
|
||||
|
||||
|
||||
## Usage
|
||||
|
||||
You can refer to the upstream [documentation](https://github.com/Gnuxie/Draupnir) for additional ways to use and configure draupnir. Check out their [quickstart guide](https://github.com/matrix-org/draupnir/blob/main/docs/moderators.md#quick-usage) for some basic commands you can give to the bot.
|
||||
|
||||
You can configure additional options by adding the `matrix_bot_draupnir_configuration_extension_yaml` variable to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file.
|
||||
|
||||
For example to change draupnir's `recordIgnoredInvites` option to `true` you would add the following to your `vars.yml` file.
|
||||
|
||||
```yaml
|
||||
matrix_bot_draupnir_configuration_extension_yaml: |
|
||||
# Your custom YAML configuration goes here.
|
||||
# This configuration extends the default starting configuration (`matrix_bot_draupnir_configuration_yaml`).
|
||||
#
|
||||
# You can override individual variables from the default configuration, or introduce new ones.
|
||||
#
|
||||
# If you need something more special, you can take full control by
|
||||
# completely redefining `matrix_bot_draupnir_configuration_yaml`.
|
||||
recordIgnoredInvites: true
|
||||
```
|
|
@ -8,8 +8,6 @@ The playbook can install and configure [mautrix-slack](https://github.com/mautri
|
|||
|
||||
See the project's [documentation](https://docs.mau.fi/bridges/go/slack/index.html) to learn what it does and why it might be useful to you.
|
||||
|
||||
Note that as of Oct 2022, support for multiple Matrix users using the bot is incomplete. Different users do not yet share the bridged channels. Everyone gets their own copy.
|
||||
|
||||
See the [features and roadmap](https://github.com/mautrix/slack/blob/main/ROADMAP.md) for more information.
|
||||
|
||||
|
||||
|
|
|
@ -39,7 +39,17 @@ By default the Jitsi Meet instance does not require any kind of login and is ope
|
|||
|
||||
If you're fine with such an open Jitsi instance, please skip to [Apply changes](#apply-changes).
|
||||
|
||||
If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's authentication and guests mode. With authentication enabled, all meeting rooms have to be opened by a registered user, after which guests are free to join. If a registered host is not yet present, guests are put on hold in individual waiting rooms.
|
||||
If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow the following steps to enable Jitsi's authentication and optionally guests mode.
|
||||
Currently, there are three supported authentication modes: 'internal' (default), 'matrix' and 'ldap'.
|
||||
|
||||
**Note:** Authentication is not tested via the playbook's self-checks.
|
||||
We therefore recommend that you manually verify if authentication is required by jitsi.
|
||||
For this, try to manually create a conference on jitsi.DOMAIN in your browser.
|
||||
|
||||
### Authenticate using Jitsi accounts (Auth-Type 'internal')
|
||||
The default authentication mechanism is 'internal' auth, which requires jitsi-accounts to be setup and is the recommended setup, as it also works in federated rooms.
|
||||
With authentication enabled, all meeting rooms have to be opened by a registered user, after which guests are free to join.
|
||||
If a registered host is not yet present, guests are put on hold in individual waiting rooms.
|
||||
|
||||
Add these lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:
|
||||
|
||||
|
@ -53,20 +63,36 @@ matrix_jitsi_prosody_auth_internal_accounts:
|
|||
password: "another-password"
|
||||
```
|
||||
|
||||
**Caution:** Accounts added here and subsquently removed will not be automatically removed from the Prosody server until user account cleaning is integrated into the playbook.
|
||||
**Caution:** Accounts added here and subsequently removed will not be automatically removed from the Prosody server until user account cleaning is integrated into the playbook.
|
||||
|
||||
**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation).
|
||||
|
||||
### Authenticate using Matrix OpenID (Auth-Type 'matrix')
|
||||
|
||||
### (Optional) LDAP authentication
|
||||
**Attention: Probably breaks jitsi in federated rooms and does not allow sharing conference links with guests.**
|
||||
|
||||
The default authentication mode of Jitsi is `internal`, however LDAP is also supported. An example LDAP configuration could be:
|
||||
Using this authentication type require a [Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service).
|
||||
By default, this playbook creates and configures a user-verification-service to run locally, see [configuring-user-verification-service](configuring-playbook-user-verification-service.md).
|
||||
|
||||
To enable set this configuration at host level:
|
||||
|
||||
```yaml
|
||||
matrix_jitsi_enable_auth: true
|
||||
matrix_jitsi_auth_type: "matrix"
|
||||
matrix_user_verification_service_enabled: true
|
||||
```
|
||||
|
||||
For more information see also [https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification](https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification).
|
||||
|
||||
### Authenticate using LDAP (Auth-Type 'ldap')
|
||||
|
||||
An example LDAP configuration could be:
|
||||
|
||||
```yaml
|
||||
matrix_jitsi_enable_auth: true
|
||||
matrix_jitsi_auth_type: ldap
|
||||
matrix_jitsi_ldap_url: "ldap://ldap.DOMAIN"
|
||||
matrix_jitsi_ldap_base: "OU=People,DC=DOMAIN
|
||||
matrix_jitsi_ldap_base: "OU=People,DC=DOMAIN"
|
||||
#matrix_jitsi_ldap_binddn: ""
|
||||
#matrix_jitsi_ldap_bindpw: ""
|
||||
matrix_jitsi_ldap_filter: "uid=%u"
|
||||
|
@ -200,7 +226,19 @@ matrix_nginx_proxy_proxy_jitsi_additional_jvbs:
|
|||
Applied together this will allow you to provision extra JVB instances which will register themselves with the prosody service and be available for jicofo
|
||||
to route conferences too.
|
||||
|
||||
## (Optional) Enable Gravatar
|
||||
|
||||
In the default Jisti Meet configuration, gravatar.com is enabled as an avatar service. This results in third party request leaking data to gravatar.
|
||||
Since element already sends the url of configured Matrix avatars to Jitsi, we disabled gravatar.
|
||||
|
||||
To enable Gravatar set:
|
||||
|
||||
```yaml
|
||||
matrix_jitsi_disable_gravatar: false
|
||||
```
|
||||
|
||||
**Beware:** This leaks information to a third party, namely the Gravatar-Service (unless configured otherwise: gravatar.com).
|
||||
Besides metadata, this includes the matrix user_id and possibly the room identifier (via `referrer` header).
|
||||
|
||||
## Apply changes
|
||||
|
||||
|
|
|
@ -15,17 +15,20 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.
|
|||
|
||||
```yaml
|
||||
# Enabling it is the only required setting
|
||||
matrix_ntfy_enabled: true
|
||||
ntfy_enabled: true
|
||||
|
||||
# Some other options
|
||||
matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}"
|
||||
matrix_ntfy_configuration_extension_yaml: |
|
||||
log_level: DEBUG
|
||||
# This is the default hostname.
|
||||
# Uncomment the line below and change it, if you'd like.
|
||||
# matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}"
|
||||
|
||||
# Uncomment and change to inject additional configuration options.
|
||||
# ntfy_configuration_extension_yaml: |
|
||||
# log_level: DEBUG
|
||||
```
|
||||
|
||||
For a more complete list of variables that you could override, see `roles/custom/matrix-ntfy/defaults/main.yml`.
|
||||
For a more complete list of variables that you could override, see the [`defaults/main.yml` file](https://gitlab.com/etke.cc/roles/ntfy/-/blob/main/defaults/main.yml) of the ntfy Ansible role.
|
||||
|
||||
For a complete list of ntfy config options that you could put in `matrix_ntfy_configuration_extension_yaml`, see the [ntfy config documentation](https://ntfy.sh/docs/config/#config-options).
|
||||
For a complete list of ntfy config options that you could put in `ntfy_configuration_extension_yaml`, see the [ntfy config documentation](https://ntfy.sh/docs/config/#config-options).
|
||||
|
||||
|
||||
## Installing
|
||||
|
|
|
@ -1,202 +1,47 @@
|
|||
# Using your own webserver, instead of this playbook's nginx proxy (optional, advanced)
|
||||
|
||||
**Note**: the playbook is [in the process of moving to Traefik](../CHANGELOG.md#reverse-proxy-configuration-changes-and-initial-traefik-support). The **documentation below may be incomplete or misleading**.
|
||||
|
||||
By default, this playbook installs its own nginx webserver (called `matrix-nginx-proxy`, in a Docker container) which listens on ports 80 and 443.
|
||||
If that's alright, you can skip this.
|
||||
|
||||
If you don't want this playbook's nginx webserver to take over your server's 80/443 ports like that,
|
||||
and you'd like to use your own webserver (be it nginx, Apache, Varnish Cache, etc.), you can.
|
||||
Soon, this default will change and the playbook will install its own [Traefik](https://traefik.io/) reverse-proxy instead.
|
||||
|
||||
There are **2 ways you can go about it**, if you'd like to use your own webserver:
|
||||
## Traefik
|
||||
|
||||
- [Method 1: Disabling the integrated nginx reverse-proxy webserver](#method-1-disabling-the-integrated-nginx-reverse-proxy-webserver)
|
||||
[Traefik](https://traefik.io/) will be the default reverse-proxy for the playbook in the near future.
|
||||
|
||||
- [Method 2: Fronting the integrated nginx reverse-proxy webserver with another reverse-proxy](#method-2-fronting-the-integrated-nginx-reverse-proxy-webserver-with-another-reverse-proxy)
|
||||
There are 2 ways to use Traefik with this playbook, as described below.
|
||||
|
||||
### Traefik managed by the playbook
|
||||
|
||||
## Method 1: Disabling the integrated nginx reverse-proxy webserver
|
||||
|
||||
This method is about completely disabling the integrated nginx reverse-proxy webserver and replicating its behavior using another webserver.
|
||||
|
||||
If that other webserver is `nginx`, you'd be able to include configuration files generated by the playbook into your `nginx` webserver.
|
||||
|
||||
If you'd like to use another webserver (not `nginx`), you'd need to do things manually. We have examples for other webservers below.
|
||||
|
||||
For an alternative (which keeps `matrix-nginx-proxy` around and connects your other reverse-proxy with it), make sure to check Method #2.
|
||||
|
||||
### Preparation
|
||||
|
||||
No matter which external webserver you decide to go with, you'll need to:
|
||||
|
||||
1) Make sure your web server user (something like `http`, `apache`, `www-data`, `nginx`) is part of the `matrix` group. You should run something like this: `usermod -a -G matrix nginx`. This allows your webserver user to access files owned by the `matrix` group. When using an external nginx webserver, this allows it to read configuration files from `/matrix/nginx-proxy/conf.d`. When using another server, it would make other files, such as `/matrix/static-files/.well-known`, accessible to it.
|
||||
|
||||
2) Edit your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`)
|
||||
- to disable the integrated nginx server:
|
||||
|
||||
```yaml
|
||||
matrix_nginx_proxy_enabled: false
|
||||
```
|
||||
- if using an external server on another host, add the `<service>_http_host_bind_port` or `<service>_http_bind_port` variables for the services that will be exposed by the external server on the other host. The actual name of the variable is listed in the `roles/<service>/defaults/vars.yml` file for each service. Most variables follow the `<service>_http_host_bind_port` format.
|
||||
|
||||
These variables will make Docker expose the ports on all network interfaces instead of localhost only.
|
||||
[Keep in mind that there are some security concerns if you simply proxy everything.](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints)
|
||||
|
||||
Here are the variables required for the default configuration (Synapse and Element)
|
||||
```
|
||||
matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: '0.0.0.0:8008'
|
||||
matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: '0.0.0.0:8048'
|
||||
matrix_client_element_container_http_host_bind_port: "0.0.0.0:8765"
|
||||
```
|
||||
|
||||
3) **If you'll manage SSL certificates by yourself**, edit your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`) to disable SSL certificate retrieval:
|
||||
To switch to Traefik now, use configuration like this:
|
||||
|
||||
```yaml
|
||||
matrix_ssl_retrieval_method: none
|
||||
matrix_playbook_reverse_proxy_type: playbook-managed-traefik
|
||||
|
||||
devture_traefik_config_certificatesResolvers_acme_email: YOUR_EMAIL_ADDRESS
|
||||
```
|
||||
|
||||
**Note**: During [installation](installing.md), unless you've disabled SSL certificate management (`matrix_ssl_retrieval_method: none`), the playbook would need 80 to be available, in order to retrieve SSL certificates. **Please manually stop your other webserver while installing**. You can start it back up afterwards.
|
||||
This will install Traefik in the place of `matrix-nginx-proxy`. Traefik will manage SSL certificates for all services seamlessly.
|
||||
|
||||
### Using your own external nginx webserver
|
||||
**Note**: during the transition period, `matrix-nginx-proxy` will still be installed in local-only mode. Do not be alarmed to see `matrix-nginx-proxy` running even when you've chosen Traefik as your reverse-proxy. In the future, we'll be able to run without nginx, but we're not there yet.
|
||||
|
||||
Once you've followed the [Preparation](#preparation) guide above, it's time to set up your external nginx server.
|
||||
|
||||
Even with `matrix_nginx_proxy_enabled: false`, the playbook still generates some helpful files for you in `/matrix/nginx-proxy/conf.d`.
|
||||
Those configuration files are adapted for use with an external web server (one not running in the container network).
|
||||
|
||||
You can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your own `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;`
|
||||
|
||||
Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by redefining the `matrix_nginx_proxy_ssl_protocols` variable. Example:
|
||||
### Traefik managed by you
|
||||
|
||||
```yaml
|
||||
# Custom protocol list (removing `TLSv1.3`) to suit your nginx version.
|
||||
matrix_nginx_proxy_ssl_protocols: "TLSv1.2"
|
||||
matrix_playbook_reverse_proxy_type: other-traefik-container
|
||||
|
||||
matrix_playbook_reverse_proxyable_services_additional_network: your-traefik-network
|
||||
```
|
||||
|
||||
If you are experiencing issues, try updating to a newer version of Nginx. As a data point in May 2021 a user reported that Nginx 1.14.2 was not working for them. They were getting errors about socket leaks. Updating to Nginx 1.19 fixed their issue.
|
||||
In this mode all roles will still have Traefik labels attached. You will, however, need to configure your Traefik instance and its entrypoints.
|
||||
|
||||
### Using your own external Apache webserver
|
||||
By default, the playbook congiures services use a `web-secure` (443) and `matrix-federation` (8448) entrypoints, as well as a `default` certificate resolver.
|
||||
|
||||
Once you've followed the [Preparation](#preparation) guide above, you can take a look at the [examples/apache](../examples/apache) directory for a sample configuration.
|
||||
You need to configure 3 entrypoints for your Traefik server: `web` (TCP port `80`), `web-secure` (TCP port `443`) and `matrix-federation` (TCP port `8448`).
|
||||
|
||||
### Using your own external caddy webserver
|
||||
|
||||
After following the [Preparation](#preparation) guide above, you can take a look at the [examples/caddy](../examples/caddy) directory and [examples/caddy2](../examples/caddy2) directory for a sample configuration for Caddy v1 and v2, respectively.
|
||||
|
||||
### Using your own HAproxy reverse proxy
|
||||
After following the [Preparation](#preparation) guide above, you can take a look at the [examples/haproxy](../examples/haproxy) directory for a sample configuration. In this case HAproxy is used as a reverse proxy and a simple Nginx container is used to serve statically `.well-known` files.
|
||||
|
||||
### Using another external webserver
|
||||
|
||||
Feel free to look at the [examples/apache](../examples/apache) directory, or the [template files in the matrix-nginx-proxy role](../roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/).
|
||||
|
||||
|
||||
## Method 2: Fronting the integrated nginx reverse-proxy webserver with another reverse-proxy
|
||||
|
||||
This method is about leaving the integrated nginx reverse-proxy webserver be, but making it not get in the way (using up important ports, trying to retrieve SSL certificates, etc.).
|
||||
|
||||
If you wish to use another webserver, the integrated nginx reverse-proxy webserver usually gets in the way because it attempts to fetch SSL certificates and binds to ports 80, 443 and 8448 (if Matrix Federation is enabled).
|
||||
|
||||
You can disable such behavior and make the integrated nginx reverse-proxy webserver only serve traffic locally (or over a local network).
|
||||
|
||||
You would need some configuration like this:
|
||||
|
||||
```yaml
|
||||
# Do not retrieve SSL certificates. This shall be managed by another webserver or other means.
|
||||
matrix_ssl_retrieval_method: none
|
||||
|
||||
# Do not try to serve HTTPS, since we have no SSL certificates.
|
||||
# Disabling this also means services will be served on the HTTP port
|
||||
# (`matrix_nginx_proxy_container_http_host_bind_port`).
|
||||
matrix_nginx_proxy_https_enabled: false
|
||||
|
||||
# Do not listen for HTTP on port 80 globally (default), listen on the loopback interface.
|
||||
# If you'd like, you can make it use the local network as well and reverse-proxy from another local machine.
|
||||
matrix_nginx_proxy_container_http_host_bind_port: '127.0.0.1:81'
|
||||
|
||||
# Likewise, expose the Matrix Federation port on the loopback interface.
|
||||
# Since `matrix_nginx_proxy_https_enabled` is set to `false`, this federation port will serve HTTP traffic.
|
||||
# If you'd like, you can make it use the local network as well and reverse-proxy from another local machine.
|
||||
#
|
||||
# You'd most likely need to expose it publicly on port 8448 (8449 was chosen for the local port to prevent overlap).
|
||||
matrix_nginx_proxy_container_federation_host_bind_port: '127.0.0.1:8449'
|
||||
|
||||
# Coturn relies on SSL certificates that have already been obtained.
|
||||
# Since we don't obtain any certificates (`matrix_ssl_retrieval_method: none` above), it won't work by default.
|
||||
# An alternative is to tweak some of: `matrix_coturn_tls_enabled`, `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path`.
|
||||
matrix_coturn_enabled: false
|
||||
|
||||
# Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection.
|
||||
matrix_nginx_proxy_trust_forwarded_proto: true
|
||||
|
||||
# Trust and use the other reverse proxy's `X-Forwarded-For` header.
|
||||
matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for'
|
||||
```
|
||||
|
||||
With this, nginx would still be in use, but it would not bother with anything SSL related or with taking up public ports.
|
||||
|
||||
All services would be served locally on `127.0.0.1:81` and `127.0.0.1:8449` (as per the example configuration above).
|
||||
|
||||
You can then set up another reverse-proxy server on ports 80/443/8448 for all of the expected domains and make traffic go to these local ports.
|
||||
The expected domains vary depending on the services you have enabled (`matrix.DOMAIN` for sure; `element.DOMAIN`, `dimension.DOMAIN` and `jitsi.DOMAIN` are optional).
|
||||
|
||||
### Sample configuration for running behind Traefik 2.0
|
||||
|
||||
Below is a sample configuration for using this playbook with a [Traefik](https://traefik.io/) 2.0 reverse proxy.
|
||||
|
||||
```yaml
|
||||
# Disable generation and retrieval of SSL certs
|
||||
matrix_ssl_retrieval_method: none
|
||||
|
||||
# Configure Nginx to only use plain HTTP
|
||||
matrix_nginx_proxy_https_enabled: false
|
||||
|
||||
# Don't bind any HTTP or federation port to the host
|
||||
# (Traefik will proxy directly into the containers)
|
||||
matrix_nginx_proxy_container_http_host_bind_port: ''
|
||||
matrix_nginx_proxy_container_federation_host_bind_port: ''
|
||||
|
||||
# Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection.
|
||||
matrix_nginx_proxy_trust_forwarded_proto: true
|
||||
|
||||
# Trust and use the other reverse proxy's `X-Forwarded-For` header.
|
||||
matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for'
|
||||
|
||||
# Disable Coturn because it needs SSL certs
|
||||
# (Clients can, though exposing IP address, use Matrix.org TURN)
|
||||
matrix_coturn_enabled: false
|
||||
|
||||
# All containers need to be on the same Docker network as Traefik
|
||||
# (This network should already exist and Traefik should be using this network)
|
||||
matrix_docker_network: 'traefik'
|
||||
|
||||
matrix_nginx_proxy_container_extra_arguments:
|
||||
# May be unnecessary depending on Traefik config, but can't hurt
|
||||
- '--label "traefik.enable=true"'
|
||||
|
||||
# The Nginx proxy container will receive traffic from these subdomains
|
||||
- '--label "traefik.http.routers.matrix-nginx-proxy.rule=Host(`{{ matrix_server_fqn_matrix }}`,`{{ matrix_server_fqn_element }}`,`{{ matrix_server_fqn_dimension }}`,`{{ matrix_server_fqn_jitsi }}`)"'
|
||||
# (The 'web-secure' entrypoint must bind to port 443 in Traefik config)
|
||||
- '--label "traefik.http.routers.matrix-nginx-proxy.entrypoints=web-secure"'
|
||||
# (The 'default' certificate resolver must be defined in Traefik config)
|
||||
- '--label "traefik.http.routers.matrix-nginx-proxy.tls.certResolver=default"'
|
||||
# Traefik requires that we declare which service this router is using
|
||||
- '--label "traefik.http.routers.matrix-nginx-proxy.service=matrix-nginx-proxy"'
|
||||
# The Nginx proxy container uses port 8080 internally
|
||||
- '--label "traefik.http.services.matrix-nginx-proxy.loadbalancer.server.port=8080"'
|
||||
|
||||
# Federation
|
||||
- '--label "traefik.http.routers.matrix-nginx-proxy-federation.rule=Host(`{{ matrix_server_fqn_matrix }}`)"'
|
||||
# (The 'federation' entrypoint must bind to port 8448 in Traefik config)
|
||||
- '--label "traefik.http.routers.matrix-nginx-proxy-federation.entrypoints=federation"'
|
||||
# (The 'default' certificate resolver must be defined in Traefik config)
|
||||
- '--label "traefik.http.routers.matrix-nginx-proxy-federation.tls.certResolver=default"'
|
||||
# Traefik requires that we declare which service this router is using
|
||||
- '--label "traefik.http.routers.matrix-nginx-proxy-federation.service=matrix-nginx-proxy-federation"'
|
||||
# The Nginx proxy container uses port `matrix_nginx_proxy_proxy_matrix_federation_port (8448) internally
|
||||
- '--label "traefik.http.services.matrix-nginx-proxy-federation.loadbalancer.server.port={{ matrix_nginx_proxy_proxy_matrix_federation_port }}"'
|
||||
- '--label "traefik.http.services.matrix-nginx-proxy-federation.loadbalancer.server.scheme={{ "https" if matrix_nginx_proxy_https_enabled else "http" }}"'
|
||||
```
|
||||
|
||||
This method uses labels attached to the Nginx and Synapse containers to provide the Traefik Docker provider with the information it needs to proxy `matrix.DOMAIN`, `element.DOMAIN`, `dimension.DOMAIN` and `jitsi.DOMAIN`. Some [static configuration](https://docs.traefik.io/v2.0/reference/static-configuration/file/) is required in Traefik; namely, having endpoints on ports 443 and 8448 and having a certificate resolver.
|
||||
Below is some configuration for running Traefik yourself, although we recommend using [Traefik managed by the playbook](#traefik-managed-by-the-playbook).
|
||||
|
||||
Note that this configuration on its own does **not** redirect traffic on port 80 (plain HTTP) to port 443 for HTTPS, which may cause some issues, since the built-in Nginx proxy usually does this. If you are not already doing this in Traefik, it can be added to Traefik in a [file provider](https://docs.traefik.io/v2.0/providers/file/) as follows:
|
||||
|
||||
|
@ -226,7 +71,7 @@ version: "3.3"
|
|||
services:
|
||||
|
||||
traefik:
|
||||
image: "traefik:v2.3"
|
||||
image: "docker.io/traefik:v2.9.6"
|
||||
restart: always
|
||||
container_name: "traefik"
|
||||
networks:
|
||||
|
@ -252,3 +97,124 @@ networks:
|
|||
traefik:
|
||||
external: true
|
||||
```
|
||||
|
||||
## Another webserver
|
||||
|
||||
If you don't wish to use Traefik or `matrix-nginx-proxy`, you can also use your own webserver.
|
||||
|
||||
Doing this is possible, but requires manual work.
|
||||
|
||||
There are 2 ways to go about it:
|
||||
|
||||
- (recommended) [Fronting the integrated reverse-proxy webserver with another reverse-proxy](#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) - using a playbook-managed reverse-proxy (either `matrix-nginx-proxy` or Traefik), disabling SSL termination for it, exposing this reverse-proxy on a few local ports (e.g. `127.0.0.1:81`, etc.) and forwarding traffic from your own webserver to those few ports
|
||||
|
||||
- (difficult) [Using no reverse-proxy on the Matrix side at all](#using-no-reverse-proxy-on-the-matrix-side-at-all) disabling all playbook-managed reverse-proxies (no `matrix-nginx-proxy`, no Traefik)
|
||||
|
||||
|
||||
### Fronting the integrated reverse-proxy webserver with another reverse-proxy
|
||||
|
||||
This method is about leaving the integrated reverse-proxy webserver be, but making it not get in the way (using up important ports, trying to retrieve SSL certificates, etc.).
|
||||
|
||||
If you wish to use another webserver, the integrated nginx reverse-proxy webserver usually gets in the way because it attempts to fetch SSL certificates and binds to ports 80, 443 and 8448 (if Matrix Federation is enabled).
|
||||
|
||||
You can disable such behavior and make the integrated reverse-proxy webserver only serve traffic locally (or over a local network).
|
||||
|
||||
This is the recommended way for using another reverse-proxy, because the integrated one would act as a black box and wire all Matrix services correctly. You would only need to reverse-proxy a few individual domains and ports over to it.
|
||||
|
||||
**For `matrix-nginx-proxy`** fronted by another reverse-proxy, you would need some configuration like this:
|
||||
|
||||
```yaml
|
||||
# playbook-managed-proxy is the default right now, so we can keep this commented out.
|
||||
# matrix_playbook_reverse_proxy_type: playbook-managed-nginx
|
||||
|
||||
# Disable SSL certificate retrieval
|
||||
matrix_ssl_retrieval_method: none
|
||||
|
||||
# Given that we won't be obtaining SSL certificates here, disable HTTPS
|
||||
matrix_nginx_proxy_https_enabled: false
|
||||
|
||||
# Do not listen for HTTP on port 80 globally (default), listen on the loopback interface.
|
||||
# If you'd like, you can make it use the local network as well and reverse-proxy from another local machine.
|
||||
matrix_nginx_proxy_container_http_host_bind_port: '127.0.0.1:81'
|
||||
|
||||
# Likewise, expose the Matrix Federation port on the loopback interface.
|
||||
# Since `matrix_nginx_proxy_https_enabled` is set to `false`, this federation port will serve HTTP traffic.
|
||||
# If you'd like, you can make it use the local network as well and reverse-proxy from another local machine.
|
||||
#
|
||||
# You'd most likely need to expose it publicly on port 8448 (8449 was chosen for the local port to prevent overlap).
|
||||
matrix_nginx_proxy_container_federation_host_bind_port: '127.0.0.1:8449'
|
||||
```
|
||||
|
||||
**For Traefik** fronted by another reverse-proxy, you would need some configuration like this:
|
||||
|
||||
```yaml
|
||||
matrix_playbook_reverse_proxy_type: playbook-managed-traefik
|
||||
|
||||
# Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval
|
||||
devture_traefik_config_entrypoint_web_secure_enabled: false
|
||||
|
||||
devture_traefik_container_web_host_bind_port: '127.0.0.1:81'
|
||||
|
||||
devture_traefik_additional_entrypoints_auto:
|
||||
- name: matrix-federation
|
||||
port: "{{ matrix_federation_public_port }}"
|
||||
host_bind_port: "127.0.0.1:{{ matrix_federation_public_port }}"
|
||||
config: {}
|
||||
```
|
||||
|
||||
If you'll be fronting with a reverse-proxy that lives on another machine (not on the same one as Matrix), you need to replace `127.0.0.1` in the above configurations with `0.0.0.0` or another network interface.
|
||||
|
||||
### Using no reverse-proxy on the Matrix side at all
|
||||
|
||||
Instead of [Fronting the integrated reverse-proxy webserver with another reverse-proxy](#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy), you can also go another way -- completely disabling the playbook-managed reverse-proxy. You would then need to reverse-proxy from your own webserver directly to Matrix services.
|
||||
|
||||
This is more difficult, as you would need to handle the configuration for each service manually. Enabling additional services would come with extra manual work you need to do.
|
||||
|
||||
If your webserver is on the same machine, sure your web server user (something like `http`, `apache`, `www-data`, `nginx`) is part of the `matrix` group. You should run something like this: `usermod -a -G matrix nginx`. This allows your webserver user to access files owned by the `matrix` group. When using an external nginx webserver, this allows it to read configuration files from `/matrix/nginx-proxy/conf.d`. When using another server, it would make other files, such as `/matrix/static-files/.well-known`, accessible to it.
|
||||
|
||||
#### Using your own nginx reverse-proxy running on the same machine
|
||||
|
||||
If you'll be using `nginx` running on the same machine (not in a container), you can make the playbook help you generate configuration for `nginx` with this configuration:
|
||||
|
||||
```yaml
|
||||
matrix_playbook_reverse_proxy_type: other-nginx-non-container
|
||||
|
||||
# If you will manage SSL certificates yourself, uncomment the line below
|
||||
# matrix_ssl_retrieval_method: none
|
||||
|
||||
# If you're using an old nginx version, consider using a custom protocol list
|
||||
# (removing `TLSv1.3` that is enabled by default) to suit your nginx version.
|
||||
# matrix_nginx_proxy_ssl_protocols: "TLSv1.2"
|
||||
```
|
||||
|
||||
You can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your own `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;`
|
||||
|
||||
#### Using your own reverse-proxy running on the same machine or elsewhere
|
||||
|
||||
To reverse-proxy manually for each service, use configuration like this:
|
||||
|
||||
```yaml
|
||||
# If your reverse-proxy runs on the same machine:
|
||||
matrix_playbook_reverse_proxy_type: other-on-same-host
|
||||
|
||||
# Or, if it runs on another machine:
|
||||
# matrix_playbook_reverse_proxy_type: other-on-another-host
|
||||
|
||||
# Or, optionally customize the network interface prefix (note the trailing `:` character).
|
||||
# For other-on-same-host, the interface defaults to `127.0.0.1:`.
|
||||
# For other-on-another-host, the interface defaults to `0.0.0.0:`.
|
||||
# matrix_playbook_service_host_bind_interface_prefix: '192.168.30.4:'
|
||||
```
|
||||
|
||||
With this configuration, each service will be exposed on a custom port. Example:
|
||||
|
||||
- Synapse will be exposed on port `8008`
|
||||
- [Grafana](configuring-playbook-prometheus-grafana.md) will be exposed on port `3000`
|
||||
- [synapse-admin](configuring-playbook-synapse-admin.md) will be exposed on port `8766`
|
||||
|
||||
You can capture traffic for these services and forward it to their port.
|
||||
Some of these services are configured with certain default expecations with regard to hostname, path, etc., so it's not completely arbitrary where you can host them (unless you change the defaults).
|
||||
|
||||
For each new playbook service that you enable, you'll need special handling.
|
||||
|
||||
The [`examples/`](../examples/) directory contains examples for various servers: Caddy, Apache, HAproxy, etc.
|
||||
|
|
|
@ -13,21 +13,21 @@ matrix_prometheus_enabled: true
|
|||
prometheus_node_exporter_enabled: true
|
||||
|
||||
# You can remove this, if unnecessary.
|
||||
matrix_prometheus_postgres_exporter_enabled: true
|
||||
prometheus_postgres_exporter_enabled: true
|
||||
|
||||
# You can remove this, if unnecessary.
|
||||
matrix_prometheus_nginxlog_exporter_enabled: true
|
||||
|
||||
matrix_grafana_enabled: true
|
||||
grafana_enabled: true
|
||||
|
||||
matrix_grafana_anonymous_access: false
|
||||
grafana_anonymous_access: false
|
||||
|
||||
# This has no relation to your Matrix user id. It can be any username you'd like.
|
||||
# Changing the username subsequently won't work.
|
||||
matrix_grafana_default_admin_user: "some_username_chosen_by_you"
|
||||
grafana_default_admin_user: "some_username_chosen_by_you"
|
||||
|
||||
# Changing the password subsequently won't work.
|
||||
matrix_grafana_default_admin_password: "some_strong_password_chosen_by_you"
|
||||
grafana_default_admin_password: "some_strong_password_chosen_by_you"
|
||||
```
|
||||
|
||||
By default, a [Grafana](https://grafana.com/) web user-interface will be available at `https://stats.<your-domain>`.
|
||||
|
@ -41,11 +41,11 @@ Name | Description
|
|||
-----|----------
|
||||
`matrix_prometheus_enabled`|[Prometheus](https://prometheus.io) is a time series database. It holds all the data we're going to talk about.
|
||||
`prometheus_node_exporter_enabled`|[Node Exporter](https://prometheus.io/docs/guides/node-exporter/) is an addon of sorts to Prometheus that collects generic system information such as CPU, memory, filesystem, and even system temperatures
|
||||
`matrix_prometheus_postgres_exporter_enabled`|[Postgres Exporter](configuring-playbook-prometheus-postgres.md) is an addon of sorts to expose Postgres database metrics to Prometheus.
|
||||
`prometheus_postgres_exporter_enabled`|[Postgres Exporter](configuring-playbook-prometheus-postgres.md) is an addon of sorts to expose Postgres database metrics to Prometheus.
|
||||
`matrix_prometheus_nginxlog_exporter_enabled`|[NGINX Log Exporter](configuring-playbook-prometheus-nginxlog.md) is an addon of sorts to expose NGINX logs to Prometheus.
|
||||
`matrix_grafana_enabled`|[Grafana](https://grafana.com/) is the visual component. It shows (on the `stats.<your-domain>` subdomain) the dashboards with the graphs that we're interested in
|
||||
`matrix_grafana_anonymous_access`|By default you need to log in to see graphs. If you want to publicly share your graphs (e.g. when asking for help in [`#synapse:matrix.org`](https://matrix.to/#/#synapse:matrix.org?via=matrix.org&via=privacytools.io&via=mozilla.org)) you'll want to enable this option.
|
||||
`matrix_grafana_default_admin_user`<br>`matrix_grafana_default_admin_password`|By default Grafana creates a user with `admin` as the username and password. If you feel this is insecure and you want to change it beforehand, you can do that here
|
||||
`grafana_enabled`|[Grafana](https://grafana.com/) is the visual component. It shows (on the `stats.<your-domain>` subdomain) the dashboards with the graphs that we're interested in
|
||||
`grafana_anonymous_access`|By default you need to log in to see graphs. If you want to publicly share your graphs (e.g. when asking for help in [`#synapse:matrix.org`](https://matrix.to/#/#synapse:matrix.org?via=matrix.org&via=privacytools.io&via=mozilla.org)) you'll want to enable this option.
|
||||
`grafana_default_admin_user`<br>`grafana_default_admin_password`|By default Grafana creates a user with `admin` as the username and password. If you feel this is insecure and you want to change it beforehand, you can do that here
|
||||
|
||||
|
||||
## Security and privacy
|
||||
|
@ -76,9 +76,9 @@ Name | Description
|
|||
`matrix_synapse_metrics_proxying_enabled`|Set this to `true` to expose Synapse's metrics on `https://matrix.DOMAIN/metrics/synapse/main-process` and `https://matrix.DOMAIN/metrics/synapse/worker/TYPE-ID` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`). Read [below](#collecting-synapse-worker-metrics-to-an-external-prometheus-server) if you're running a Synapse worker setup (`matrix_synapse_workers_enabled: true`).
|
||||
`prometheus_node_exporter_enabled`|Set this to `true` to enable the node (general system stats) exporter (locally, on the container network)
|
||||
`matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled`|Set this to `true` to expose the node (general system stats) metrics on `https://matrix.DOMAIN/metrics/node-exporter` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`)
|
||||
`matrix_prometheus_postgres_exporter_enabled`|Set this to `true` to enable the [Postgres exporter](configuring-playbook-prometheus-postgres.md) (locally, on the container network)
|
||||
`prometheus_postgres_exporter_enabled`|Set this to `true` to enable the [Postgres exporter](configuring-playbook-prometheus-postgres.md) (locally, on the container network)
|
||||
`matrix_prometheus_nginxlog_exporter_enabled`|Set this to `true` to enable the [NGINX Log exporter](configuring-playbook-prometheus-nginxlog.md) (locally, on the container network)
|
||||
`matrix_prometheus_postgres_exporter_metrics_proxying_enabled`|Set this to `true` to expose the [Postgres exporter](configuring-playbook-prometheus-postgres.md) metrics on `https://matrix.DOMAIN/metrics/postgres-exporter` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`)
|
||||
`matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled`|Set this to `true` to expose the [Postgres exporter](configuring-playbook-prometheus-postgres.md) metrics on `https://matrix.DOMAIN/metrics/postgres-exporter` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`)
|
||||
`matrix_bridge_hookshot_metrics_enabled`|Set this to `true` to make [Hookshot](configuring-playbook-bridge-hookshot.md) expose metrics (locally, on the container network)
|
||||
`matrix_bridge_hookshot_metrics_proxying_enabled`|Set this to `true` to expose the [Hookshot](configuring-playbook-bridge-hookshot.md) metrics on `https://matrix.DOMAIN/metrics/hookshot` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`)
|
||||
`matrix_SERVICE_metrics_proxying_enabled`|Various other services/roles may provide similar `_metrics_enabled` and `_metrics_proxying_enabled` variables for exposing their metrics. Refer to each role for details. Only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`
|
||||
|
|
|
@ -15,13 +15,13 @@ matrix_prometheus_nginxlog_exporter_enabled: true
|
|||
matrix_prometheus_enabled: true
|
||||
|
||||
# optional for visualization
|
||||
matrix_grafana_enabled: true
|
||||
grafana_enabled: true
|
||||
```
|
||||
|
||||
x | Prerequisites | Variable | Description
|
||||
|:--:|:--:|:--:|:--|
|
||||
**REQUIRED** | `matrix-prometheus`| `matrix_prometheus_enabled`|[Prometheus](https://prometheus.io) is a time series database. It holds all the data we're going to talk about.
|
||||
_Optional_ | [`matrix-grafana`](configuring-playbook-prometheus-grafana.md) | [`matrix_grafana_enabled`](configuring-playbook-prometheus-grafana.md)|[Grafana](https://grafana.com) is the visual component. It shows (on the `stats.<your-domain>` subdomain) graphs that we're interested in. When enabled the `NGINX PROXY` dashboard is automatically added.
|
||||
_Optional_ | [`matrix-grafana`](configuring-playbook-prometheus-grafana.md) | [`grafana_enabled`](configuring-playbook-prometheus-grafana.md)|[Grafana](https://grafana.com) is the visual component. It shows (on the `stats.<your-domain>` subdomain) graphs that we're interested in. When enabled the `NGINX PROXY` dashboard is automatically added.
|
||||
|
||||
## Docker Image Compatibility
|
||||
|
||||
|
@ -56,4 +56,4 @@ The following variables may be of interest:
|
|||
|
||||
Name | Description
|
||||
-----|----------
|
||||
`matrix_nginx_proxy_proxy_matrix_metrics_enabled`|Set this to `true` to enable metrics exposure for various services on `https://matrix.DOMAIN/metrics/*`. Refer to the individual `matrix_SERVICE_metrics_proxying_enabled` variables below for exposing metrics for each individual service.
|
||||
`matrix_nginx_proxy_proxy_matrix_metrics_enabled`|Set this to `true` to enable metrics exposure for various services on `https://matrix.DOMAIN/metrics/*`. Refer to the individual `matrix_SERVICE_metrics_proxying_enabled` variables below for exposing metrics for each individual service.
|
||||
|
|
|
@ -6,17 +6,17 @@ You can enable this with the following settings in your configuration file (`inv
|
|||
|
||||
|
||||
```yaml
|
||||
matrix_prometheus_postgres_exporter_enabled: true
|
||||
prometheus_postgres_exporter_enabled: true
|
||||
```
|
||||
|
||||
## What does it do?
|
||||
|
||||
Name | Description
|
||||
-----|----------
|
||||
`matrix_prometheus_postgres_exporter_enabled`|Enable the postgres prometheus exporter. This sets up the docker container, connects it to the database and adds a 'job' to the prometheus config which tells prometheus about this new exporter. The default is 'false'
|
||||
`matrix_prometheus_postgres_exporter_database_username`| The 'username' for the user that the exporter uses to connect to the database. The default is 'matrix_prometheus_postgres_exporter'
|
||||
`matrix_prometheus_postgres_exporter_database_password`| The 'password' for the user that the exporter uses to connect to the database. By default, this is auto-generated by the playbook
|
||||
`matrix_prometheus_postgres_exporter_metrics_proxying_enabled`|If set to `true`, exposes the Postgres exporter metrics on `https://matrix.DOMAIN/metrics/postgres-exporter` for usage with an [external Prometheus server](configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server) (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`)
|
||||
`prometheus_postgres_exporter_enabled`|Enable the postgres prometheus exporter. This sets up the docker container, connects it to the database and adds a 'job' to the prometheus config which tells prometheus about this new exporter. The default is 'false'
|
||||
`prometheus_postgres_exporter_database_username`| The 'username' for the user that the exporter uses to connect to the database. The default is 'matrix_prometheus_postgres_exporter'
|
||||
`prometheus_postgres_exporter_database_password`| The 'password' for the user that the exporter uses to connect to the database. By default, this is auto-generated by the playbook
|
||||
`matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled`|If set to `true`, exposes the Postgres exporter metrics on `https://matrix.DOMAIN/metrics/postgres-exporter` for usage with an [external Prometheus server](configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server) (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`)
|
||||
|
||||
|
||||
## More information
|
||||
|
|
|
@ -35,34 +35,6 @@ To use Synapse Admin, you need to have [registered at least one administrator ac
|
|||
|
||||
The Homeserver URL to use on Synapse Admin's login page is: `https://matrix.DOMAIN`
|
||||
|
||||
### Sample configuration for running behind Traefik 2.0
|
||||
|
||||
Below is a sample configuration for using this playbook with a [Traefik](https://traefik.io/) 2.0 reverse proxy.
|
||||
|
||||
This an extension to Traefik config sample in [own-webserver-documentation](./configuring-playbook-own-webserver.md).
|
||||
|
||||
```yaml
|
||||
# Don't bind any HTTP or federation port to the host
|
||||
# (Traefik will proxy directly into the containers)
|
||||
matrix_synapse_admin_container_http_host_bind_port: ""
|
||||
|
||||
matrix_synapse_admin_container_extra_arguments:
|
||||
# May be unnecessary depending on Traefik config, but can't hurt
|
||||
- '--label "traefik.enable=true"'
|
||||
|
||||
# The Synapse Admin container will only receive traffic from this subdomain and path
|
||||
- '--label "traefik.http.routers.matrix-synapse-admin.rule=(Host(`{{ matrix_server_fqn_matrix }}`) && Path(`{{matrix_synapse_admin_public_endpoint}}`))"'
|
||||
|
||||
# (Define your entrypoint)
|
||||
- '--label "traefik.http.routers.matrix-synapse-admin.entrypoints=web-secure"'
|
||||
|
||||
# (The 'default' certificate resolver must be defined in Traefik config)
|
||||
- '--label "traefik.http.routers.matrix-synapse-admin.tls.certResolver=default"'
|
||||
|
||||
# The Synapse Admin container uses port 80 by default
|
||||
- '--label "traefik.http.services.matrix-synapse-admin.loadbalancer.server.port=80"'
|
||||
```
|
||||
|
||||
### Sample configuration for running behind Caddy v2
|
||||
|
||||
Below is a sample configuration for using this playbook with a [Caddy](https://caddyserver.com/v2) 2.0 reverse proxy (non-default configuration where `matrix-nginx-proxy` is disabled - `matrix_nginx_proxy_enabled: false`).
|
||||
|
|
|
@ -80,3 +80,42 @@ matrix_synapse_configuration_extension_yaml: |
|
|||
backchannel_logout_enabled: true # Optional
|
||||
```
|
||||
|
||||
|
||||
## Customizing templates
|
||||
|
||||
[Templates](https://github.com/matrix-org/synapse/blob/develop/docs/templates.md) are used by Synapse for showing **certain web pages** handled by the server, as well as for **email notifications**.
|
||||
|
||||
This playbook allows you to customize the default templates (see the [`synapse/res/templates` directory](https://github.com/matrix-org/synapse/tree/develop/synapse/res/templates)).
|
||||
|
||||
If template customization is enabled, the playbook will build a custom container image based on the official one.
|
||||
|
||||
Your custom templates need to live in a public or private git repository. This repository will be cloned during Synapse image customization (during the playbook run).
|
||||
|
||||
To enable template customizations, use a configuration (`inventory/host_vars/matrix.DOMAIN/vars.yml`) like this:
|
||||
|
||||
```yaml
|
||||
# If you'd like to ensure that the customized image is built each time the playbook runs, enable this.
|
||||
# Otherwise, the customized image will only be rebuilt whenever the Synapse version changes (once every ~2 weeks).
|
||||
# matrix_synapse_docker_image_customized_build_nocache: true
|
||||
|
||||
matrix_synapse_container_image_customizations_templates_enabled: true
|
||||
|
||||
# Our templates live in a templates/ directory within the repository.
|
||||
# If they're at the root path, delete this line.
|
||||
matrix_synapse_container_image_customizations_templates_in_container_template_files_relative_path: templates
|
||||
|
||||
matrix_synapse_container_image_customizations_templates_git_repository_url: git@github.com:organization/repository.git
|
||||
matrix_synapse_container_image_customizations_templates_git_repository_branch: main
|
||||
|
||||
matrix_synapse_container_image_customizations_templates_git_repository_keyscan_enabled: true
|
||||
matrix_synapse_container_image_customizations_templates_git_repository_keyscan_hostname: github.com
|
||||
|
||||
# If your git repository is public, do not define the private key (remove the variable).
|
||||
matrix_synapse_container_image_customizations_templates_git_repository_ssh_private_key: |
|
||||
-----BEGIN OPENSSH PRIVATE KEY-----
|
||||
....
|
||||
-----END OPENSSH PRIVATE KEY-----
|
||||
```
|
||||
|
||||
As mentioned in Synapse's Templates documentation, Synapse will fall back to its own templates if a template is not found in that directory.
|
||||
Due to this, it's recommended to only store and maintain template files in your repository if you need to make custom changes. Other files (which you don't need to change), should not be duplicated, so that you don't need to worry about getting out-of-sync with the original Synapse templates.
|
||||
|
|
125
docs/configuring-playbook-user-verification-service.md
Normal file
125
docs/configuring-playbook-user-verification-service.md
Normal file
|
@ -0,0 +1,125 @@
|
|||
# Setting up Matrix User Verification Service (optional)
|
||||
|
||||
**[Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service) (hereafter: UVS) can only be installed after Matrix services are installed and running.**
|
||||
If you're just installing Matrix services for the first time, please continue with the [Configuration](configuring-playbook.md) / [Installation](installing.md) flow and come back here later.
|
||||
|
||||
Currently, the main purpose of this role is to allow Jitsi to authenticate matrix users and check if they are authorized to join a conference. Please refer to the documentation of the [Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service) to understand how it works.
|
||||
|
||||
**Note**: enabling Matrix User Verification Service, means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled.
|
||||
|
||||
If the Jitsi server is also configured by this playbook, all plugging of variables and secrets is handled in `group_vars/matrix_servers`.
|
||||
|
||||
__Some general concepts of UVS may be helpful to understand the rest, so here they are:__
|
||||
|
||||
UVS can be used to verify two claims:
|
||||
|
||||
* (A) Whether a given OpenID token is valid for a given server and
|
||||
* (B) whether a user is member of a given room and the corresponding PowerLevel
|
||||
|
||||
Verifying an OpenID token id done by finding the corresponding Homeserver via '.well-known/matrix/server' for the given domain.
|
||||
The configured `matrix_user_verification_service_uvs_homeserver_url` does **not** factor into this.
|
||||
By default, this playbook only checks against `matrix_server_fqn_matrix`.
|
||||
Therefore, the request will be made against the public openid API for `matrix_server_fqn_matrix`.
|
||||
|
||||
Verifying RoomMembership and PowerLevel is done against `matrix_user_verification_service_uvs_homeserver_url` which is by default done via the docker network.
|
||||
UVS will verify the validity of the token beforehand though.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
In order to use UVS, an admin token for the configured homeserver must be supplied. For now this means configuring Synapse and creating the token before installing UVS.
|
||||
|
||||
## Enable
|
||||
|
||||
[Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service) installation is disabled by default.
|
||||
You can enable it in your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
|
||||
|
||||
```yaml
|
||||
matrix_user_verification_service_enabled: true
|
||||
```
|
||||
|
||||
## Configuration
|
||||
|
||||
The only required configuration variable is `matrix_user_verification_service_uvs_access_token` (see below).
|
||||
|
||||
For a list of all configuration options see the role defaults [`roles/matrix-user-verification-service/defaults/main.yml`](../roles/custom/matrix-user-verification-service/defaults/main.yml).
|
||||
But be aware of all the plugging happening in `group_vars/matrix_servers`.
|
||||
|
||||
In the default configuration, the UVS Server is only reachable via the docker network, which is fine if e.g. Jitsi is also running in a container on the host.
|
||||
However, it is possible to expose UVS via setting `matrix_user_verification_service_container_http_host_bind_port`.
|
||||
|
||||
### Access token
|
||||
|
||||
The Synapse Access Token is used to verify RoomMembership and PowerLevel against `matrix_user_verification_service_uvs_homeserver_url`.
|
||||
|
||||
We recommend that you create a dedicated Matrix user for uvs (`uvs` is a good username).
|
||||
Follow our [Registering users](registering-users.md) guide to register a user with administration privileges.
|
||||
|
||||
You are required to specify an access token (belonging to this new user) for UVS to work.
|
||||
To get an access token for the UVS user, you can follow the documentation on [how to do obtain an access token](obtaining-access-tokens.md).
|
||||
|
||||
**Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone.**
|
||||
|
||||
```yaml
|
||||
matrix_user_verification_service_uvs_access_token: "YOUR ACCESS TOKEN HERE"
|
||||
```
|
||||
|
||||
### (Optional) Custom Auth Token
|
||||
|
||||
It is possible to set an API Auth Token to restrict access to the UVS. If this is enabled, anyone making a request to UVS must provide it via the header "Authorization: Bearer TOKEN"
|
||||
|
||||
By default, the token will be derived from `matrix_homeserver_generic_secret_key` in `group_vars/matrix_servers`.
|
||||
To set your own Token, simply put the following in your host_vars.
|
||||
|
||||
```yaml
|
||||
matrix_user_verification_service_uvs_auth_token: "TOKEN"
|
||||
```
|
||||
|
||||
In case Jitsi is also managed by this playbook and 'matrix' authentication in Jitsi is enabled, this collection will automatically configure Jitsi to use the configured auth token.
|
||||
|
||||
### (Optional) Disable Auth
|
||||
Authorization is enabled by default. To disable set
|
||||
|
||||
```yaml
|
||||
matrix_user_verification_service_uvs_require_auth: false
|
||||
```
|
||||
|
||||
in your host_vars.
|
||||
|
||||
### (Optional) Federation
|
||||
|
||||
In theory (however currently untested), UVS can handle federation. Simply set:
|
||||
|
||||
```yaml
|
||||
matrix_user_verification_service_uvs_pin_openid_verify_server_name: false
|
||||
```
|
||||
|
||||
in your host_vars.
|
||||
|
||||
This will instruct UVS to verify the OpenID token against any domain given in a request.
|
||||
Homeserver discovery is done via '.well-known/matrix/server' of the given domain.
|
||||
|
||||
## Installation
|
||||
|
||||
After these variables have been set, please run the following command to re-run setup and to restart UVS:
|
||||
|
||||
```
|
||||
ansible-playbook -i inventory/hosts setup.yml --tags=setup-matrix-user-verification-service,start
|
||||
```
|
||||
|
||||
## Logging
|
||||
|
||||
The configuration variable `UVS_LOG_LEVEL` can be set to:
|
||||
- warning
|
||||
- info
|
||||
- debug
|
||||
|
||||
## TLS Certificate Checking
|
||||
If the matrix Homeserver does not provide a valid TLS certificate, UVS will fail with the following error message:
|
||||
|
||||
> message: 'No response received: [object Object]',
|
||||
|
||||
This also applies to self-signed and let's encrypt staging certificates.
|
||||
|
||||
To disable certificate validation altogether (INSECURE! Not suitable for production use!) set: `NODE_TLS_REJECT_UNAUTHORIZED=0`
|
||||
|
||||
Alternatively, it is possible to inject your own CA certificates into the container by mounting a PEM file with additional trusted CAs into the container and pointing the `NODE_EXTRA_CA_CERTS` environment variable to it.
|
|
@ -99,6 +99,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins
|
|||
|
||||
- [Setting up Matrix Corporal](configuring-playbook-matrix-corporal.md) (optional, advanced)
|
||||
|
||||
- [Matrix User Verification Service](configuring-playbook-user-verification-service.md) (optional, advanced)
|
||||
|
||||
|
||||
### Bridging other networks
|
||||
|
||||
|
@ -177,6 +179,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins
|
|||
|
||||
- [Setting up Mjolnir](configuring-playbook-bot-mjolnir.md) - a moderation tool/bot (optional)
|
||||
|
||||
- [Setting up Draupnir](configuring-playbook-bot-draupnir.md) - a moderation tool/bot, forked from Mjolnir and maintained by its former leader developer (optional)
|
||||
|
||||
- [Setting up Buscarron](configuring-playbook-bot-buscarron.md) - a bot you can use to send any form (HTTP POST, HTML) to a (encrypted) Matrix room (optional)
|
||||
|
||||
|
||||
|
|
File diff suppressed because it is too large
Load diff
|
@ -43,7 +43,7 @@
|
|||
|
||||
- role: galaxy/com.devture.ansible.role.postgres
|
||||
|
||||
- custom/matrix-redis
|
||||
- galaxy/redis
|
||||
- custom/matrix-corporal
|
||||
- custom/matrix-bridge-appservice-discord
|
||||
- custom/matrix-bridge-appservice-slack
|
||||
|
@ -79,6 +79,7 @@
|
|||
- custom/matrix-bot-postmoogle
|
||||
- custom/matrix-bot-go-neb
|
||||
- custom/matrix-bot-mjolnir
|
||||
- custom/matrix-bot-draupnir
|
||||
- custom/matrix-bot-chatgpt
|
||||
- custom/matrix-cactus-comments
|
||||
- custom/matrix-synapse
|
||||
|
@ -87,34 +88,41 @@
|
|||
- custom/matrix-conduit
|
||||
- custom/matrix-synapse-admin
|
||||
- galaxy/prometheus_node_exporter
|
||||
- custom/matrix-prometheus-postgres-exporter
|
||||
- galaxy/prometheus_postgres_exporter
|
||||
- custom/matrix-prometheus-nginxlog-exporter
|
||||
- custom/matrix-prometheus
|
||||
- custom/matrix-grafana
|
||||
- galaxy/grafana
|
||||
- custom/matrix-prometheus-services-proxy-connect
|
||||
- custom/matrix-registration
|
||||
- custom/matrix-client-element
|
||||
- custom/matrix-client-hydrogen
|
||||
- custom/matrix-client-cinny
|
||||
- custom/matrix-jitsi
|
||||
- custom/matrix-user-verification-service
|
||||
- custom/matrix-ldap-registration-proxy
|
||||
- custom/matrix-ma1sd
|
||||
- custom/matrix-dimension
|
||||
- custom/matrix-etherpad
|
||||
- custom/matrix-email2matrix
|
||||
- custom/matrix-sygnal
|
||||
- custom/matrix-ntfy
|
||||
- galaxy/ntfy
|
||||
- custom/matrix-nginx-proxy
|
||||
- custom/matrix-coturn
|
||||
- custom/matrix-aux
|
||||
|
||||
- role: galaxy/com.devture.ansible.role.postgres_backup
|
||||
|
||||
- custom/matrix-backup-borg
|
||||
- role: galaxy/backup_borg
|
||||
|
||||
- custom/matrix-user-creator
|
||||
- custom/matrix-common-after
|
||||
|
||||
- when: matrix_playbook_traefik_role_enabled | bool
|
||||
role: galaxy/com.devture.ansible.role.traefik
|
||||
|
||||
- when: matrix_playbook_traefik_certs_dumper_role_enabled | bool
|
||||
role: galaxy/com.devture.ansible.role.traefik_certs_dumper
|
||||
|
||||
- when: devture_systemd_service_manager_enabled | bool
|
||||
role: galaxy/com.devture.ansible.role.systemd_service_manager
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
|
||||
- src: geerlingguy.docker
|
||||
version: 6.0.4
|
||||
version: 6.1.0
|
||||
|
||||
- src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
|
||||
version: 6ba3be490b6f4c6f35ea109aeb8e533fa231b3a5
|
||||
|
@ -31,4 +31,25 @@
|
|||
version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6
|
||||
|
||||
- src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git
|
||||
version: v1.5.0-1
|
||||
version: v1.5.0-2
|
||||
|
||||
- src: git+https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter.git
|
||||
version: v0.11.1-2
|
||||
|
||||
- src: git+https://gitlab.com/etke.cc/roles/backup_borg.git
|
||||
version: v1.2.3-1.7.6-0
|
||||
|
||||
- src: git+https://gitlab.com/etke.cc/roles/grafana.git
|
||||
version: v9.3.6-1
|
||||
|
||||
- src: git+https://gitlab.com/etke.cc/roles/ntfy.git
|
||||
version: v2.0.1-0
|
||||
|
||||
- src: git+https://gitlab.com/etke.cc/roles/redis.git
|
||||
version: v7.0.7-0
|
||||
|
||||
- src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
|
||||
version: da90b6cdbbb9374ca72c1b530867add2fd8f024e
|
||||
|
||||
- src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git
|
||||
version: e7563caa814e634d2f8deec4a41e970caa1c0ae4
|
||||
|
|
|
@ -1,107 +0,0 @@
|
|||
---
|
||||
# Project source code URL: https://gitlab.com/etke.cc/borgmatic
|
||||
|
||||
matrix_backup_borg_enabled: true
|
||||
|
||||
matrix_backup_borg_base_path: "{{ matrix_base_data_path }}/backup-borg"
|
||||
matrix_backup_borg_config_path: "{{ matrix_backup_borg_base_path }}/config"
|
||||
|
||||
matrix_backup_borg_container_image_self_build: false
|
||||
matrix_backup_borg_docker_repo: "https://gitlab.com/etke.cc/borgmatic"
|
||||
matrix_backup_borg_docker_repo_version: main
|
||||
matrix_backup_borg_docker_src_files_path: "{{ matrix_backup_borg_base_path }}/docker-src"
|
||||
|
||||
# image and postgres version determined automatically, based on detected postgres server version (if enabled), otherwise latest is used
|
||||
matrix_backup_borg_version: ""
|
||||
matrix_backup_borg_postgres_version: ""
|
||||
matrix_backup_borg_borg_version: 1.2.3
|
||||
matrix_backup_borg_borgmatic_version: 1.7.6
|
||||
matrix_backup_borg_docker_image: "{{ matrix_backup_borg_docker_image_name_prefix }}etke.cc/borgmatic:{{ matrix_backup_borg_version }}"
|
||||
matrix_backup_borg_docker_image_name_prefix: "{{ 'localhost/' if matrix_backup_borg_container_image_self_build else 'registry.gitlab.com/' }}"
|
||||
matrix_backup_borg_docker_image_force_pull: "{{ matrix_backup_borg_docker_image.endswith(':latest') or matrix_backup_borg_version | default('') == '' }}"
|
||||
|
||||
# A list of extra arguments to pass to the container
|
||||
matrix_backup_borg_container_extra_arguments: []
|
||||
|
||||
# List of systemd services that matrix-backup-borg.service depends on
|
||||
matrix_backup_borg_systemd_required_services_list: ['docker.service']
|
||||
|
||||
# List of systemd services that matrix-backup-borg.service wants
|
||||
matrix_backup_borg_systemd_wanted_services_list: []
|
||||
|
||||
# systemd calendar configuration for the backup job
|
||||
# the actual job may run with a delay (see matrix_backup_borg_schedule_randomized_delay_sec)
|
||||
matrix_backup_borg_schedule: "*-*-* 04:00:00"
|
||||
# the delay with which the systemd timer may run in relation to the `matrix_backup_borg_schedule` schedule
|
||||
matrix_backup_borg_schedule_randomized_delay_sec: 2h
|
||||
|
||||
# what directories should be added to backup
|
||||
matrix_backup_borg_location_source_directories: []
|
||||
|
||||
# postgres db backup
|
||||
matrix_backup_borg_postgresql_enabled: true
|
||||
matrix_backup_borg_supported_postgres_versions: ['12', '13', '14', '15']
|
||||
matrix_backup_borg_postgresql_databases: []
|
||||
matrix_backup_borg_postgresql_databases_hostname: ''
|
||||
matrix_backup_borg_postgresql_databases_username: "matrix"
|
||||
matrix_backup_borg_postgresql_databases_password: ""
|
||||
matrix_backup_borg_postgresql_databases_port: 5432
|
||||
|
||||
# target repositories
|
||||
matrix_backup_borg_location_repositories: []
|
||||
|
||||
# exclude following paths:
|
||||
matrix_backup_borg_location_exclude_patterns: []
|
||||
|
||||
# borg encryption mode, only "repokey-*" and "none" are supported
|
||||
matrix_backup_borg_encryption: repokey-blake2
|
||||
|
||||
# private ssh key used to connect to the borg repo
|
||||
matrix_backup_borg_ssh_key_private: ""
|
||||
|
||||
# allow unencrypted repo access
|
||||
matrix_backup_borg_unknown_unencrypted_repo_access_is_ok: "{{ matrix_backup_borg_encryption == 'none' }}"
|
||||
|
||||
# borg ssh command with ssh key
|
||||
matrix_backup_borg_storage_ssh_command: ssh -o "StrictHostKeyChecking accept-new" -i /etc/borgmatic.d/sshkey
|
||||
|
||||
# compression algorithm
|
||||
matrix_backup_borg_storage_compression: lz4
|
||||
|
||||
# archive name format
|
||||
matrix_backup_borg_storage_archive_name_format: matrix-{now:%Y-%m-%d-%H%M%S}
|
||||
|
||||
# repository passphrase
|
||||
matrix_backup_borg_storage_encryption_passphrase: ""
|
||||
|
||||
# retention configuration
|
||||
matrix_backup_borg_retention_keep_hourly: 0
|
||||
matrix_backup_borg_retention_keep_daily: 7
|
||||
matrix_backup_borg_retention_keep_weekly: 4
|
||||
matrix_backup_borg_retention_keep_monthly: 12
|
||||
matrix_backup_borg_retention_keep_yearly: 2
|
||||
|
||||
# retention prefix
|
||||
matrix_backup_borg_retention_prefix: matrix-
|
||||
|
||||
# Default borgmatic configuration template which covers the generic use case.
|
||||
# You can customize it by controlling the various variables inside it.
|
||||
#
|
||||
# For a more advanced customization, you can extend the default (see `matrix_backup_borg_configuration_extension_yaml`)
|
||||
# or completely replace this variable with your own template.
|
||||
matrix_backup_borg_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"
|
||||
|
||||
matrix_backup_borg_configuration_extension_yaml: |
|
||||
# Your custom YAML configuration for borgmatic goes here.
|
||||
# This configuration extends the default starting configuration (`matrix_borg_configuration_yaml`).
|
||||
#
|
||||
# You can override individual variables from the default configuration, or introduce new ones.
|
||||
#
|
||||
# If you need something more special, you can take full control by
|
||||
# completely redefining `matrix_backup_borg_configuration_yaml`.
|
||||
|
||||
matrix_backup_borg_configuration_extension: "{{ matrix_backup_borg_configuration_extension_yaml | from_yaml if matrix_backup_borg_configuration_extension_yaml | from_yaml is mapping else {} }}"
|
||||
|
||||
# Holds the final borgmatic configuration (a combination of the default and its extension).
|
||||
# You most likely don't need to touch this variable. Instead, see `matrix_backup_borg_configuration_yaml`.
|
||||
matrix_backup_borg_configuration: "{{ matrix_backup_borg_configuration_yaml | from_yaml | combine(matrix_backup_borg_configuration_extension, recursive=True) }}"
|
|
@ -1,20 +0,0 @@
|
|||
---
|
||||
|
||||
- block:
|
||||
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
|
||||
when: "run_setup | bool and matrix_backup_borg_enabled | bool"
|
||||
|
||||
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
|
||||
when: "run_setup | bool and matrix_backup_borg_enabled | bool"
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-backup-borg
|
||||
- install-all
|
||||
- install-backup-borg
|
||||
|
||||
- block:
|
||||
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
|
||||
when: "run_setup | bool and not matrix_backup_borg_enabled | bool"
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-backup-borg
|
|
@ -1,107 +0,0 @@
|
|||
---
|
||||
|
||||
- when: matrix_backup_borg_postgresql_enabled | bool and matrix_backup_borg_version == ''
|
||||
block:
|
||||
- name: Fail with matrix_backup_borg_version advice if Postgres not enabled
|
||||
ansible.builtin.fail:
|
||||
msg: >-
|
||||
You are not running a built-in Postgres server (`devture_postgres_enabled: false`), so auto-detecting its version and setting `matrix_backup_borg_version` automatically based on that cannot happen.
|
||||
Consider setting `matrix_backup_borg_version` to your Postgres version manually.
|
||||
when: not devture_postgres_enabled
|
||||
|
||||
- ansible.builtin.include_role:
|
||||
name: galaxy/com.devture.ansible.role.postgres
|
||||
tasks_from: detect_existing_postgres_version
|
||||
|
||||
- name: Fail if detected Postgres version is unsupported
|
||||
ansible.builtin.fail:
|
||||
msg: "You cannot use borg backup with such an old version ({{ devture_postgres_detected_version }}) of Postgres. Consider upgrading - link to docs for upgrading Postgres: docs/maintenance-postgres.md#upgrading-postgresql"
|
||||
when: "devture_postgres_detected_version not in matrix_backup_borg_supported_postgres_versions"
|
||||
|
||||
- name: Set the correct borg backup version to use
|
||||
ansible.builtin.set_fact:
|
||||
matrix_backup_borg_version: "{{ devture_postgres_detected_version }}-{{ matrix_backup_borg_borg_version }}-{{ matrix_backup_borg_borgmatic_version }}"
|
||||
|
||||
- name: Ensure borg paths exist
|
||||
ansible.builtin.file:
|
||||
path: "{{ item.path }}"
|
||||
state: directory
|
||||
mode: 0750
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- {path: "{{ matrix_backup_borg_config_path }}", when: true}
|
||||
- {path: "{{ matrix_backup_borg_docker_src_files_path }}", when: true}
|
||||
when: "item.when | bool"
|
||||
|
||||
- name: Ensure borgmatic config is created
|
||||
ansible.builtin.copy:
|
||||
content: "{{ matrix_backup_borg_configuration | to_nice_yaml(indent=2, width=999999) }}"
|
||||
dest: "{{ matrix_backup_borg_config_path }}/config.yaml"
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
mode: 0640
|
||||
|
||||
- name: Ensure borg passwd is created
|
||||
ansible.builtin.template:
|
||||
src: "{{ role_path }}/templates/passwd.j2"
|
||||
dest: "{{ matrix_backup_borg_config_path }}/passwd"
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
mode: 0640
|
||||
|
||||
- name: Ensure borg ssh key is created
|
||||
ansible.builtin.template:
|
||||
src: "{{ role_path }}/templates/sshkey.j2"
|
||||
dest: "{{ matrix_backup_borg_config_path }}/sshkey"
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
mode: 0600
|
||||
|
||||
- name: Ensure borg image is pulled
|
||||
community.docker.docker_image:
|
||||
name: "{{ matrix_backup_borg_docker_image }}"
|
||||
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
|
||||
force_source: "{{ matrix_backup_borg_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
|
||||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_backup_borg_docker_image_force_pull }}"
|
||||
when: "not matrix_backup_borg_container_image_self_build | bool"
|
||||
register: result
|
||||
retries: "{{ devture_playbook_help_container_retries_count }}"
|
||||
delay: "{{ devture_playbook_help_container_retries_delay }}"
|
||||
until: result is not failed
|
||||
|
||||
- name: Ensure borg repository is present on self-build
|
||||
ansible.builtin.git:
|
||||
repo: "{{ matrix_backup_borg_docker_repo }}"
|
||||
version: "{{ matrix_backup_borg_docker_repo_version }}"
|
||||
dest: "{{ matrix_backup_borg_docker_src_files_path }}"
|
||||
force: "yes"
|
||||
become: true
|
||||
become_user: "{{ matrix_user_username }}"
|
||||
register: matrix_backup_borg_git_pull_results
|
||||
when: "matrix_backup_borg_container_image_self_build | bool"
|
||||
|
||||
- name: Ensure borg image is built
|
||||
community.docker.docker_image:
|
||||
name: "{{ matrix_backup_borg_docker_image }}"
|
||||
source: build
|
||||
force_source: "{{ matrix_backup_borg_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
|
||||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}"
|
||||
build:
|
||||
dockerfile: Dockerfile
|
||||
path: "{{ matrix_backup_borg_docker_src_files_path }}"
|
||||
pull: true
|
||||
when: "matrix_backup_borg_container_image_self_build | bool"
|
||||
|
||||
- name: Ensure matrix-backup-borg.service installed
|
||||
ansible.builtin.template:
|
||||
src: "{{ role_path }}/templates/systemd/matrix-backup-borg.service.j2"
|
||||
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-backup-borg.service"
|
||||
mode: 0644
|
||||
register: matrix_backup_borg_systemd_service_result
|
||||
|
||||
- name: Ensure matrix-backup-borg.timer installed
|
||||
ansible.builtin.template:
|
||||
src: "{{ role_path }}/templates/systemd/matrix-backup-borg.timer.j2"
|
||||
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-backup-borg.timer"
|
||||
mode: 0644
|
|
@ -1,25 +0,0 @@
|
|||
---
|
||||
|
||||
- name: Check existence of matrix-backup-borg service
|
||||
ansible.builtin.stat:
|
||||
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-backup-borg.service"
|
||||
register: matrix_backup_borg_service_stat
|
||||
|
||||
- when: matrix_backup_borg_service_stat.stat.exists | bool
|
||||
block:
|
||||
- name: Ensure matrix-backup-borg is stopped
|
||||
ansible.builtin.service:
|
||||
name: matrix-backup-borg
|
||||
state: stopped
|
||||
enabled: false
|
||||
daemon_reload: true
|
||||
|
||||
- name: Ensure matrix-backup-borg.service doesn't exist
|
||||
ansible.builtin.file:
|
||||
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-backup-borg.service"
|
||||
state: absent
|
||||
|
||||
- name: Ensure matrix-backup-borg.timer doesn't exist
|
||||
ansible.builtin.file:
|
||||
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-backup-borg.timer"
|
||||
state: absent
|
|
@ -1,16 +0,0 @@
|
|||
---
|
||||
- name: Fail if required backup-borg settings not defined
|
||||
ansible.builtin.fail:
|
||||
msg: >-
|
||||
You need to define a required configuration setting (`{{ item.name }}`).
|
||||
when: "item.when | bool and vars[item.name] == ''"
|
||||
with_items:
|
||||
- {'name': 'matrix_backup_borg_ssh_key_private', when: true}
|
||||
- {'name': 'matrix_backup_borg_location_repositories', when: true}
|
||||
- {'name': 'matrix_backup_borg_postgresql_databases_hostname', when: "{{ matrix_backup_borg_postgresql_enabled }}"}
|
||||
|
||||
- name: Fail if encryption passphrase is undefined unless repository is unencrypted
|
||||
ansible.builtin.fail:
|
||||
msg: >-
|
||||
You need to define a required passphrase using the `matrix_backup_borg_storage_encryption_passphrase` variable.
|
||||
when: "matrix_backup_borg_storage_encryption_passphrase == '' and matrix_backup_borg_encryption != 'none'"
|
|
@ -1,43 +0,0 @@
|
|||
#jinja2: lstrip_blocks: "True", trim_blocks: "True"
|
||||
|
||||
location:
|
||||
source_directories: {{ matrix_backup_borg_location_source_directories|to_json }}
|
||||
repositories: {{ matrix_backup_borg_location_repositories|to_json }}
|
||||
one_file_system: true
|
||||
exclude_patterns: {{ matrix_backup_borg_location_exclude_patterns|to_json }}
|
||||
|
||||
storage:
|
||||
compression: {{ matrix_backup_borg_storage_compression|to_json }}
|
||||
ssh_command: {{ matrix_backup_borg_storage_ssh_command|to_json }}
|
||||
archive_name_format: {{ matrix_backup_borg_storage_archive_name_format|to_json }}
|
||||
encryption_passphrase: {{ matrix_backup_borg_storage_encryption_passphrase|to_json }}
|
||||
unknown_unencrypted_repo_access_is_ok: {{ matrix_backup_borg_unknown_unencrypted_repo_access_is_ok|to_json }}
|
||||
|
||||
retention:
|
||||
keep_hourly: {{ matrix_backup_borg_retention_keep_hourly|to_json }}
|
||||
keep_daily: {{ matrix_backup_borg_retention_keep_daily|to_json }}
|
||||
keep_weekly: {{ matrix_backup_borg_retention_keep_weekly|to_json }}
|
||||
keep_monthly: {{ matrix_backup_borg_retention_keep_monthly|to_json }}
|
||||
keep_yearly: {{ matrix_backup_borg_retention_keep_yearly|to_json }}
|
||||
prefix: {{ matrix_backup_borg_retention_prefix|to_json }}
|
||||
|
||||
consistency:
|
||||
checks:
|
||||
- repository
|
||||
- archives
|
||||
|
||||
hooks:
|
||||
{% if matrix_backup_borg_postgresql_enabled and matrix_backup_borg_postgresql_databases|length > 0 %}
|
||||
postgresql_databases:
|
||||
{% for database in matrix_backup_borg_postgresql_databases %}
|
||||
- name: {{ database|to_json }}
|
||||
hostname: {{ matrix_backup_borg_postgresql_databases_hostname|to_json }}
|
||||
username: {{ matrix_backup_borg_postgresql_databases_username|to_json }}
|
||||
password: {{ matrix_backup_borg_postgresql_databases_password|to_json }}
|
||||
port: {{ matrix_backup_borg_postgresql_databases_port | int | to_json }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
after_backup:
|
||||
- echo "Backup created."
|
||||
on_error:
|
||||
- echo "Error while creating a backup."
|
|
@ -1,29 +0,0 @@
|
|||
{# the passwd file with correct username, UID and GID is mandatory to work with borg over ssh, otherwise ssh connections will fail #}
|
||||
root:x:0:0:root:/root:/bin/ash
|
||||
bin:x:1:1:bin:/bin:/sbin/nologin
|
||||
daemon:x:2:2:daemon:/sbin:/sbin/nologin
|
||||
adm:x:3:4:adm:/var/adm:/sbin/nologin
|
||||
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
|
||||
sync:x:5:0:sync:/sbin:/bin/sync
|
||||
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
|
||||
halt:x:7:0:halt:/sbin:/sbin/halt
|
||||
mail:x:8:12:mail:/var/mail:/sbin/nologin
|
||||
news:x:9:13:news:/usr/lib/news:/sbin/nologin
|
||||
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
|
||||
operator:x:11:0:operator:/root:/sbin/nologin
|
||||
man:x:13:15:man:/usr/man:/sbin/nologin
|
||||
postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin
|
||||
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
|
||||
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
|
||||
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
|
||||
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
|
||||
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
|
||||
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
|
||||
games:x:35:35:games:/usr/games:/sbin/nologin
|
||||
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
|
||||
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
|
||||
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
|
||||
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
|
||||
guest:x:405:100:guest:/dev/null:/sbin/nologin
|
||||
{{ matrix_user_username }}:x:{{ matrix_user_uid }}:{{ matrix_user_gid }}:Matrix:/tmp:/bin/ash
|
||||
nobody:x:65534:65534:nobody:/:/sbin/nologin
|
|
@ -1 +0,0 @@
|
|||
{{ matrix_backup_borg_ssh_key_private }}
|
|
@ -1,65 +0,0 @@
|
|||
#jinja2: lstrip_blocks: "True"
|
||||
[Unit]
|
||||
Description=Matrix Borg Backup
|
||||
{% for service in matrix_backup_borg_systemd_required_services_list %}
|
||||
Requires={{ service }}
|
||||
After={{ service }}
|
||||
{% endfor %}
|
||||
{% for service in matrix_backup_borg_systemd_wanted_services_list %}
|
||||
Wants={{ service }}
|
||||
{% endfor %}
|
||||
DefaultDependencies=no
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
|
||||
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-backup-borg 2>/dev/null || true'
|
||||
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-backup-borg 2>/dev/null || true'
|
||||
ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-backup-borg \
|
||||
--log-driver=none \
|
||||
--cap-drop=ALL \
|
||||
--read-only \
|
||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||
--network={{ matrix_docker_network }} \
|
||||
--tmpfs=/tmp:rw,noexec,nosuid,size=100m \
|
||||
--mount type=bind,src={{ matrix_backup_borg_config_path }}/passwd,dst=/etc/passwd,ro \
|
||||
--mount type=bind,src={{ matrix_backup_borg_config_path }},dst=/etc/borgmatic.d,ro \
|
||||
{% for source in matrix_backup_borg_location_source_directories %}
|
||||
--mount type=bind,src={{ source }},dst={{ source }},ro \
|
||||
{% endfor %}
|
||||
{% for arg in matrix_backup_borg_container_extra_arguments %}
|
||||
{{ arg }} \
|
||||
{% endfor %}
|
||||
{{ matrix_backup_borg_docker_image }} \
|
||||
sh -c "borgmatic rcreate --encryption {{ matrix_backup_borg_encryption }}"
|
||||
|
||||
# The `CAP_DAC_OVERRIDE` capability is required, so that `root` in the container
|
||||
# can read the `/etc/borgmatic.d/config.yaml` (`{{ matrix_backup_borg_config_path }}/config.yaml`) file,
|
||||
# owned by `matrix:matrix` on the filesystem.
|
||||
#
|
||||
# `/root` is mountes as temporary filesystem, because we're using `--read-only` and because
|
||||
# Borgmatic tries to write to at least a few paths under `/root` (`.config`, `.ssh`, `.borgmatic`).
|
||||
ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-backup-borg \
|
||||
--log-driver=none \
|
||||
--cap-drop=ALL \
|
||||
--cap-add=CAP_DAC_OVERRIDE \
|
||||
--read-only \
|
||||
--network={{ matrix_docker_network }} \
|
||||
--tmpfs=/root:rw,noexec,nosuid,size=100m \
|
||||
--tmpfs=/tmp:rw,noexec,nosuid,size=100m \
|
||||
--mount type=bind,src={{ matrix_backup_borg_config_path }}/passwd,dst=/etc/passwd,ro \
|
||||
--mount type=bind,src={{ matrix_backup_borg_config_path }},dst=/etc/borgmatic.d,ro \
|
||||
{% for source in matrix_backup_borg_location_source_directories %}
|
||||
--mount type=bind,src={{ source }},dst={{ source }},ro \
|
||||
{% endfor %}
|
||||
{% for arg in matrix_backup_borg_container_extra_arguments %}
|
||||
{{ arg }} \
|
||||
{% endfor %}
|
||||
{{ matrix_backup_borg_docker_image }}
|
||||
|
||||
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-backup-borg 2>/dev/null || true'
|
||||
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-backup-borg 2>/dev/null || true'
|
||||
SyslogIdentifier=matrix-backup-borg
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -1,10 +0,0 @@
|
|||
[Unit]
|
||||
Description=Matrix Borg Backup timer
|
||||
|
||||
[Timer]
|
||||
Unit=matrix-backup-borg.service
|
||||
OnCalendar={{ matrix_backup_borg_schedule }}
|
||||
RandomizedDelaySec={{ matrix_backup_borg_schedule_randomized_delay_sec }}
|
||||
|
||||
[Install]
|
||||
WantedBy=timers.target
|
|
@ -92,6 +92,9 @@ matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}"
|
|||
|
||||
matrix_federation_public_port: 8448
|
||||
|
||||
# The name of the Traefik entrypoint for handling Matrix Federation
|
||||
matrix_federation_traefik_entrypoint: matrix-federation
|
||||
|
||||
# The architecture that your server runs.
|
||||
# Recognized values by us are 'amd64', 'arm32' and 'arm64'.
|
||||
# Not all architectures support all services, so your experience (on non-amd64) may vary.
|
||||
|
@ -151,17 +154,25 @@ matrix_client_element_jitsi_preferredDomain: '' # noqa var-naming
|
|||
# Controls whether Element should use End-to-End Encryption by default.
|
||||
# Setting this to false will update `/.well-known/matrix/client` and tell Element clients to avoid E2EE.
|
||||
# See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md
|
||||
matrix_client_element_e2ee_default: true
|
||||
matrix_well_known_matrix_client_io_element_e2ee_default: true
|
||||
|
||||
# Controls whether Element should require a secure backup set up before Element can be used.
|
||||
# Setting this to true will update `/.well-known/matrix/client` and tell Element require a secure backup.
|
||||
# See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md
|
||||
matrix_client_element_e2ee_secure_backup_required: false
|
||||
matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required: false
|
||||
|
||||
# Controls which backup methods from ["key", "passphrase"] should be used, both is the default.
|
||||
# Setting this to other then empty will update `/.well-known/matrix/client` and tell Element which method to use
|
||||
# See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md
|
||||
matrix_client_element_e2ee_secure_backup_setup_methods: []
|
||||
matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods: []
|
||||
|
||||
# Controls whether element related entries should be added to the client well-known. Override this to false to hide
|
||||
# element related well-known entries.
|
||||
# By default if any of the following change from their default this is set to true:
|
||||
# `matrix_well_known_matrix_client_io_element_e2ee_default`
|
||||
# `matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required`
|
||||
# `matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods`
|
||||
matrix_well_known_matrix_client_io_element_e2ee_entries_enabled: "{{ not matrix_well_known_matrix_client_io_element_e2ee_default or matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required or matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods | length > 0 }}"
|
||||
|
||||
# Default `/.well-known/matrix/client` configuration - it covers the generic use case.
|
||||
# You can customize it by controlling the various variables inside the template file that it references.
|
||||
|
@ -262,6 +273,53 @@ matrix_well_known_matrix_support_enabled: false
|
|||
matrix_homeserver_container_extra_arguments_auto: []
|
||||
matrix_homeserver_app_service_config_files_auto: []
|
||||
|
||||
# Specifies the type of reverse-proxy used by the playbook.
|
||||
#
|
||||
# Changing this has an effect on whether a reverse-proxy is installed at all and what its type is,
|
||||
# as well as how all other services are configured.
|
||||
#
|
||||
# Valid options and a description of their behavior:
|
||||
#
|
||||
# - `playbook-managed-traefik`
|
||||
# - the playbook will install devture-traefik
|
||||
# - Traefik will do SSL termination, unless you disable it (e.g. `devture_traefik_config_entrypoint_web_secure_enabled: false`)
|
||||
# - if SSL termination is enabled (as it is by default), you need to populate: `devture_traefik_config_certificatesResolvers_acme_email`
|
||||
# - it will also install matrix-nginx-proxy in local-only mode, while we migrate the rest of the services to a Traefik-native mode of working
|
||||
#
|
||||
# - `playbook-managed-nginx`
|
||||
# - the playbook will install matrix-nginx-proxy
|
||||
# - matrix-nginx-proxy will do SSL termination with Certbot, unless you change that (see `matrix_ssl_retrieval_method`)
|
||||
# - if SSL termination is enabled (as it is by default), you need to populate: `matrix_ssl_lets_encrypt_support_email`
|
||||
#
|
||||
# - `other-traefik-container`
|
||||
# - this playbook will not install Traefik
|
||||
# - nevertheless, the playbook expects that you would install Traefik yourself via other means
|
||||
# - you should make sure your Traefik configuration is compatible with what the playbook would have configured (web, web-secure, matrix-federation entrypoints, etc.)
|
||||
# - you need to set `matrix_playbook_reverse_proxyable_services_additional_network` to the name of your Traefik network
|
||||
# - Traefik certs dumper will be enabled by default (`devture_traefik_certs_dumper_enabled`). You need to point it to your Traefik's SSL certificates (`devture_traefik_certs_dumper_ssl_dir_path`)
|
||||
#
|
||||
# - `other-nginx-non-container`
|
||||
# - the playbook will not install matrix-nginx-proxy
|
||||
# - however, it will still dump some nginx configuration in /matrix/nginx/conf.d
|
||||
# - these configs are meant to be included into a locally-installed (without a container) nginx server
|
||||
# - all container services are exposed locally (e.g. `-p 127.0.0.1:8080:8080`)
|
||||
#
|
||||
# - `other-on-same-host`
|
||||
# - like other-nginx-non-container, but supposedly won't generate useless configuration in /matrix/nginx/conf.d in the future
|
||||
#
|
||||
# - `other-on-another-host`
|
||||
# - like other-on-same-host, but services are exposed on all interfaces (e.g. `-p 0.0.0.0:8080:8080`)
|
||||
# - configurable via `matrix_playbook_service_host_bind_interface_prefix`
|
||||
#
|
||||
# - `none`
|
||||
# - no reverse-proxy will be installed
|
||||
# - no nginx configuration will be dumped in /matrix/nginx/conf.d
|
||||
# - no port exposure will be done for any of the container services
|
||||
# - it's up to you to expose the ports you want, etc.
|
||||
matrix_playbook_reverse_proxy_type: playbook-managed-nginx
|
||||
|
||||
matrix_playbook_service_host_bind_interface_prefix: "{{ '' if matrix_playbook_reverse_proxy_type not in ['other-nginx-non-container', 'other-on-same-host', 'other-on-another-host'] else ('0.0.0.0:' if matrix_playbook_reverse_proxy_type == 'other-on-another-host' else '127.0.0.1:') }}"
|
||||
|
||||
# Variables to Control which parts of our roles run.
|
||||
run_postgres_import: true
|
||||
run_postgres_upgrade: true
|
||||
|
|
|
@ -18,6 +18,9 @@
|
|||
- {'old': 'hostname_riot', 'new': 'matrix_server_fqn_element'}
|
||||
- {'old': 'matrix_server_fqn_riot', 'new': 'matrix_server_fqn_element'}
|
||||
- {'old': 'matrix_local_bin_path', 'new': '<there is no global bin path anymore - each role has its own>'}
|
||||
- {'old': 'matrix_client_element_e2ee_default', 'new': 'matrix_well_known_matrix_client_io_element_e2ee_default'}
|
||||
- {'old': 'matrix_client_element_e2ee_secure_backup_required', 'new': 'matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required'}
|
||||
- {'old': 'matrix_client_element_e2ee_secure_backup_setup_methods', 'new': 'matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods'}
|
||||
|
||||
# We have a dedicated check for this variable, because we'd like to have a custom (friendlier) message.
|
||||
- name: Fail if matrix_homeserver_generic_secret_key is undefined
|
||||
|
@ -51,6 +54,11 @@
|
|||
msg: "Detected that variable matrix_architecture {{ matrix_architecture }} appears to be set incorrectly. See docs/alternative-architectures.md. Server appears to be {{ ansible_architecture }}."
|
||||
when: matrix_architecture not in ['amd64', 'arm32', 'arm64']
|
||||
|
||||
- name: Fail if matrix_playbook_reverse_proxy_type is set incorrectly
|
||||
ansible.builtin.fail:
|
||||
msg: "Detected that variable matrix_playbook_reverse_proxy_type (current value: `{{ matrix_playbook_reverse_proxy_type }}`) appears to be set incorrectly. See roles/custom/matrix-base/defaults/main.yml for valid choices."
|
||||
when: matrix_playbook_reverse_proxy_type not in ['playbook-managed-traefik', 'playbook-managed-nginx', 'other-traefik-container', 'other-nginx-non-container', 'other-on-same-host', 'other-on-another-host', 'none']
|
||||
|
||||
- name: Fail if uppercase domain used
|
||||
ansible.builtin.fail:
|
||||
msg: "Detected that you're using an uppercase domain name - `{{ item }}`. This will cause trouble. Please use all-lowercase!"
|
||||
|
|
|
@ -31,13 +31,16 @@
|
|||
"map_style_url": "https://{{ matrix_server_fqn_element }}/map_style.json"
|
||||
}
|
||||
{% endif %}
|
||||
,
|
||||
{% if matrix_well_known_matrix_client_io_element_e2ee_entries_enabled %},
|
||||
"io.element.e2ee": {
|
||||
"default": {{ matrix_client_element_e2ee_default|to_json }},
|
||||
"secure_backup_required": {{ matrix_client_element_e2ee_secure_backup_required|to_json }},
|
||||
"secure_backup_setup_methods": {{ matrix_client_element_e2ee_secure_backup_setup_methods|to_json }}
|
||||
},
|
||||
"im.vector.riot.e2ee": {
|
||||
"default": {{ matrix_client_element_e2ee_default|to_json }}
|
||||
"default": {{ matrix_well_known_matrix_client_io_element_e2ee_default|to_json }},
|
||||
"secure_backup_required": {{ matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required|to_json }},
|
||||
"secure_backup_setup_methods": {{ matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods|to_json }}
|
||||
}
|
||||
{% endif %}
|
||||
{% if matrix_well_known_matrix_client_io_element_e2ee_entries_enabled %},
|
||||
"im.vector.riot.e2ee": {
|
||||
"default": {{ matrix_well_known_matrix_client_io_element_e2ee_default|to_json }}
|
||||
}
|
||||
{% endif %}
|
||||
}
|
||||
|
|
|
@ -9,7 +9,7 @@ matrix_bot_chatgpt_docker_repo: "https://github.com/matrixgpt/matrix-chatgpt-bot
|
|||
matrix_bot_chatgpt_docker_repo_version: "{{ 'latest' if matrix_bot_chatgpt_version == 'latest' else matrix_bot_chatgpt_version }}"
|
||||
matrix_bot_chatgpt_docker_src_files_path: "{{ matrix_base_data_path }}/chatgpt/docker-src"
|
||||
|
||||
matrix_bot_chatgpt_version: 1.4.1
|
||||
matrix_bot_chatgpt_version: 2.2.1
|
||||
matrix_bot_chatgpt_docker_image: "{{ matrix_bot_chatgpt_docker_image_name_prefix }}matrixgpt/matrix-chatgpt-bot:{{ matrix_bot_chatgpt_version }}"
|
||||
matrix_bot_chatgpt_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_chatgpt_container_image_self_build else 'ghcr.io/' }}"
|
||||
matrix_bot_chatgpt_docker_image_force_pull: "{{ matrix_bot_chatgpt_docker_image.endswith(':latest') }}"
|
||||
|
@ -28,13 +28,14 @@ matrix_bot_chatgpt_systemd_required_services_list: ['docker.service']
|
|||
matrix_bot_chatgpt_systemd_wanted_services_list: []
|
||||
|
||||
# ChatGPT Settings
|
||||
matrix_bot_chatgpt_openai_email: '' # OPENAI_EMAIL=
|
||||
matrix_bot_chatgpt_openai_password: '' # OPENAI_PASSWORD=
|
||||
matrix_bot_chatgpt_openai_login_type: 'google' # OPENAI_LOGIN_TYPE="google"
|
||||
matrix_bot_chatgpt_openai_pro: false # OPENAI_PRO
|
||||
|
||||
matrix_bot_chatgpt_openai_api_key: ''
|
||||
matrix_bot_chatgpt_context: 'thread' # CHATGPT_CONTEXT="thread"
|
||||
|
||||
matrix_bot_chatgpt_keyv_backend: 'file'
|
||||
matrix_bot_chatgpt_keyv_url: ''
|
||||
matrix_bot_chatgpt_keyv_bot_encryption: false
|
||||
matrix_bot_chatgpt_keyv_bot_storage: true
|
||||
|
||||
# Matrix Static Settings (required, see notes)
|
||||
# Defaults to "https://matrix.org"
|
||||
matrix_bot_chatgpt_matrix_homeserver_url: "{{ matrix_homeserver_container_url }}" # MATRIX_HOMESERVER_URL=
|
||||
|
|
|
@ -6,7 +6,17 @@
|
|||
You need to define a required configuration setting (`{{ item.name }}`).
|
||||
when: "item.when | bool and vars[item.name] == ''"
|
||||
with_items:
|
||||
- {'name': 'matrix_bot_chatgpt_openai_email', when: true}
|
||||
- {'name': 'matrix_bot_chatgpt_openai_password', when: true}
|
||||
- {'name': 'matrix_bot_chatgpt_openai_login_type', when: true}
|
||||
- {'name': 'matrix_bot_chatgpt_openai_api_key', when: true}
|
||||
- {'name': 'matrix_bot_chatgpt_matrix_bot_username', when: true}
|
||||
|
||||
|
||||
- name: Fail if OpenAI configuration not up-to-date.
|
||||
ansible.builtin.fail:
|
||||
msg: >-
|
||||
Your configuration contains a varible that is no longer used.
|
||||
Please change your configuration to remove the variable (`{{ item.name }}`).
|
||||
when: "item.name in vars"
|
||||
with_items:
|
||||
- {'name': 'matrix_bot_chatgpt_openai_email'}
|
||||
- {'name': 'matrix_bot_chatgpt_openai_password'}
|
||||
- {'name': 'matrix_bot_chatgpt_openai_login_type'}
|
||||
|
|
|
@ -1,13 +1,14 @@
|
|||
MATRIX_HOMESERVER_URL={{ matrix_bot_chatgpt_matrix_homeserver_url }}
|
||||
MATRIX_ACCESS_TOKEN={{ matrix_bot_chatgpt_matrix_access_token }}
|
||||
|
||||
OPENAI_EMAIL={{ matrix_bot_chatgpt_openai_email }}
|
||||
OPENAI_PASSWORD={{ matrix_bot_chatgpt_openai_password }}
|
||||
OPENAI_LOGIN_TYPE={{ matrix_bot_chatgpt_openai_login_type }}
|
||||
OPENAI_PRO={{ matrix_bot_chatgpt_openai_pro | to_json }}
|
||||
|
||||
OPENAI_API_KEY={{ matrix_bot_chatgpt_openai_api_key }}
|
||||
CHATGPT_CONTEXT={{ matrix_bot_chatgpt_context }}
|
||||
|
||||
KEYV_BACKEND={{ matrix_bot_chatgpt_keyv_backend }}
|
||||
KEYV_URL={{ matrix_bot_chatgpt_keyv_url }}
|
||||
KEYV_BOT_ENCRYPTION={{ matrix_bot_chatgpt_keyv_bot_encryption|lower }}
|
||||
KEYV_BOT_STORAGE={{ matrix_bot_chatgpt_keyv_bot_storage|lower }}
|
||||
|
||||
# With the @ and :DOMAIN, ie @SOMETHING:DOMAIN
|
||||
MATRIX_BOT_USERNAME={{ matrix_bot_chatgpt_matrix_bot_username }}
|
||||
MATRIX_BOT_PASSWORD={{ matrix_bot_chatgpt_matrix_bot_password }}
|
||||
|
|
59
roles/custom/matrix-bot-draupnir/defaults/main.yml
Normal file
59
roles/custom/matrix-bot-draupnir/defaults/main.yml
Normal file
|
@ -0,0 +1,59 @@
|
|||
---
|
||||
# A moderation tool for Matrix
|
||||
# Project source code URL: https://github.com/Gnuxie/Draupnir
|
||||
|
||||
matrix_bot_draupnir_enabled: true
|
||||
|
||||
matrix_bot_draupnir_version: "v1.80.0"
|
||||
|
||||
matrix_bot_draupnir_container_image_self_build: false
|
||||
matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/Gnuxie/Draupnir.git"
|
||||
|
||||
matrix_bot_draupnir_docker_image: "{{ matrix_bot_draupnir_docker_image_name_prefix }}gnuxie/draupnir:{{ matrix_bot_draupnir_version }}"
|
||||
matrix_bot_draupnir_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_draupnir_container_image_self_build else matrix_container_global_registry_prefix }}"
|
||||
matrix_bot_draupnir_docker_image_force_pull: "{{ matrix_bot_draupnir_docker_image.endswith(':latest') }}"
|
||||
|
||||
matrix_bot_draupnir_base_path: "{{ matrix_base_data_path }}/draupnir"
|
||||
matrix_bot_draupnir_config_path: "{{ matrix_bot_draupnir_base_path }}/config"
|
||||
matrix_bot_draupnir_data_path: "{{ matrix_bot_draupnir_base_path }}/data"
|
||||
matrix_bot_draupnir_docker_src_files_path: "{{ matrix_bot_draupnir_base_path }}/docker-src"
|
||||
|
||||
# A list of extra arguments to pass to the container
|
||||
matrix_bot_draupnir_container_extra_arguments: []
|
||||
|
||||
# List of systemd services that matrix-bot-draupnir.service depends on
|
||||
matrix_bot_draupnir_systemd_required_services_list: ['docker.service']
|
||||
|
||||
# List of systemd services that matrix-bot-draupnir.service wants
|
||||
matrix_bot_draupnir_systemd_wanted_services_list: []
|
||||
|
||||
# The access token for the bot user
|
||||
matrix_bot_draupnir_access_token: ""
|
||||
|
||||
# The room ID where people can use the bot. The bot has no access controls, so
|
||||
# anyone in this room can use the bot - secure your room!
|
||||
# This should be a room alias or room ID - not a matrix.to URL.
|
||||
# Note: draupnir is fairly verbose - expect a lot of messages from it.
|
||||
matrix_bot_draupnir_management_room: ""
|
||||
|
||||
# Default configuration template which covers the generic use case.
|
||||
# You can customize it by controlling the various variables inside it.
|
||||
#
|
||||
# For a more advanced customization, you can extend the default (see `matrix_bot_draupnir_configuration_extension_yaml`)
|
||||
# or completely replace this variable with your own template.
|
||||
matrix_bot_draupnir_configuration_yaml: "{{ lookup('template', 'templates/production.yaml.j2') }}"
|
||||
|
||||
matrix_bot_draupnir_configuration_extension_yaml: |
|
||||
# Your custom YAML configuration goes here.
|
||||
# This configuration extends the default starting configuration (`matrix_bot_draupnir_configuration_yaml`).
|
||||
#
|
||||
# You can override individual variables from the default configuration, or introduce new ones.
|
||||
#
|
||||
# If you need something more special, you can take full control by
|
||||
# completely redefining `matrix_bot_draupnir_configuration_yaml`.
|
||||
|
||||
matrix_bot_draupnir_configuration_extension: "{{ matrix_bot_draupnir_configuration_extension_yaml | from_yaml if matrix_bot_draupnir_configuration_extension_yaml | from_yaml is mapping else {} }}"
|
||||
|
||||
# Holds the final configuration (a combination of the default and its extension).
|
||||
# You most likely don't need to touch this variable. Instead, see `matrix_bot_draupnir_configuration_yaml`.
|
||||
matrix_bot_draupnir_configuration: "{{ matrix_bot_draupnir_configuration_yaml | from_yaml | combine(matrix_bot_draupnir_configuration_extension, recursive=True) }}"
|
|
@ -1,20 +1,20 @@
|
|||
---
|
||||
|
||||
- block:
|
||||
- when: matrix_grafana_enabled | bool
|
||||
- when: matrix_bot_draupnir_enabled | bool
|
||||
ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
|
||||
|
||||
- when: matrix_grafana_enabled | bool
|
||||
- when: matrix_bot_draupnir_enabled | bool
|
||||
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-grafana
|
||||
- setup-bot-draupnir
|
||||
- install-all
|
||||
- install-grafana
|
||||
- install-bot-draupnir
|
||||
|
||||
- block:
|
||||
- when: not matrix_grafana_enabled | bool
|
||||
- when: not matrix_bot_draupnir_enabled | bool
|
||||
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-grafana
|
||||
- setup-bot-draupnir
|
74
roles/custom/matrix-bot-draupnir/tasks/setup_install.yml
Normal file
74
roles/custom/matrix-bot-draupnir/tasks/setup_install.yml
Normal file
|
@ -0,0 +1,74 @@
|
|||
---
|
||||
|
||||
- ansible.builtin.set_fact:
|
||||
matrix_bot_draupnir_requires_restart: false
|
||||
|
||||
- name: Ensure matrix-bot-draupnir paths exist
|
||||
ansible.builtin.file:
|
||||
path: "{{ item.path }}"
|
||||
state: directory
|
||||
mode: 0750
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- {path: "{{ matrix_bot_draupnir_base_path }}", when: true}
|
||||
- {path: "{{ matrix_bot_draupnir_config_path }}", when: true}
|
||||
- {path: "{{ matrix_bot_draupnir_data_path }}", when: true}
|
||||
- {path: "{{ matrix_bot_draupnir_docker_src_files_path }}", when: "{{ matrix_bot_draupnir_container_image_self_build }}"}
|
||||
when: "item.when | bool"
|
||||
|
||||
- name: Ensure draupnir Docker image is pulled
|
||||
community.docker.docker_image:
|
||||
name: "{{ matrix_bot_draupnir_docker_image }}"
|
||||
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
|
||||
force_source: "{{ matrix_bot_draupnir_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
|
||||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_draupnir_docker_image_force_pull }}"
|
||||
when: "not matrix_bot_draupnir_container_image_self_build | bool"
|
||||
register: result
|
||||
retries: "{{ devture_playbook_help_container_retries_count }}"
|
||||
delay: "{{ devture_playbook_help_container_retries_delay }}"
|
||||
until: result is not failed
|
||||
|
||||
- name: Ensure draupnir repository is present on self-build
|
||||
ansible.builtin.git:
|
||||
repo: "{{ matrix_bot_draupnir_container_image_self_build_repo }}"
|
||||
dest: "{{ matrix_bot_draupnir_docker_src_files_path }}"
|
||||
version: "{{ matrix_bot_draupnir_docker_image.split(':')[1] }}"
|
||||
force: "yes"
|
||||
become: true
|
||||
become_user: "{{ matrix_user_username }}"
|
||||
register: matrix_bot_draupnir_git_pull_results
|
||||
when: "matrix_bot_draupnir_container_image_self_build | bool"
|
||||
|
||||
- name: Ensure draupnir Docker image is built
|
||||
community.docker.docker_image:
|
||||
name: "{{ matrix_bot_draupnir_docker_image }}"
|
||||
source: build
|
||||
force_source: "{{ matrix_bot_draupnir_git_pull_results.changed }}"
|
||||
build:
|
||||
dockerfile: Dockerfile
|
||||
path: "{{ matrix_bot_draupnir_docker_src_files_path }}"
|
||||
pull: true
|
||||
when: "matrix_bot_draupnir_container_image_self_build | bool"
|
||||
|
||||
- name: Ensure matrix-bot-draupnir config installed
|
||||
ansible.builtin.copy:
|
||||
content: "{{ matrix_bot_draupnir_configuration | to_nice_yaml(indent=2, width=999999) }}"
|
||||
dest: "{{ matrix_bot_draupnir_config_path }}/production.yaml"
|
||||
mode: 0644
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
|
||||
- name: Ensure matrix-bot-draupnir.service installed
|
||||
ansible.builtin.template:
|
||||
src: "{{ role_path }}/templates/systemd/matrix-bot-draupnir.service.j2"
|
||||
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-draupnir.service"
|
||||
mode: 0644
|
||||
register: matrix_bot_draupnir_systemd_service_result
|
||||
|
||||
- name: Ensure matrix-bot-draupnir.service restarted, if necessary
|
||||
ansible.builtin.service:
|
||||
name: "matrix-bot-draupnir.service"
|
||||
state: restarted
|
||||
daemon_reload: true
|
||||
when: "matrix_bot_draupnir_requires_restart | bool"
|
25
roles/custom/matrix-bot-draupnir/tasks/setup_uninstall.yml
Normal file
25
roles/custom/matrix-bot-draupnir/tasks/setup_uninstall.yml
Normal file
|
@ -0,0 +1,25 @@
|
|||
---
|
||||
|
||||
- name: Check existence of matrix-bot-draupnir service
|
||||
ansible.builtin.stat:
|
||||
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-draupnir.service"
|
||||
register: matrix_bot_draupnir_service_stat
|
||||
|
||||
- when: matrix_bot_draupnir_service_stat.stat.exists | bool
|
||||
block:
|
||||
- name: Ensure matrix-bot-draupnir is stopped
|
||||
ansible.builtin.service:
|
||||
name: matrix-bot-draupnir
|
||||
state: stopped
|
||||
enabled: false
|
||||
daemon_reload: true
|
||||
|
||||
- name: Ensure matrix-bot-draupnir.service doesn't exist
|
||||
ansible.builtin.file:
|
||||
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-draupnir.service"
|
||||
state: absent
|
||||
|
||||
- name: Ensure matrix-bot-draupnir paths don't exist
|
||||
ansible.builtin.file:
|
||||
path: "{{ matrix_bot_draupnir_base_path }}"
|
||||
state: absent
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
|
||||
- name: Fail if required variables are undefined
|
||||
ansible.builtin.fail:
|
||||
msg: "The `{{ item }}` variable must be defined and have a non-null value."
|
||||
with_items:
|
||||
- "matrix_bot_draupnir_access_token"
|
||||
- "matrix_bot_draupnir_management_room"
|
||||
when: "vars[item] == '' or vars[item] is none"
|
247
roles/custom/matrix-bot-draupnir/templates/production.yaml.j2
Normal file
247
roles/custom/matrix-bot-draupnir/templates/production.yaml.j2
Normal file
|
@ -0,0 +1,247 @@
|
|||
# Endpoint URL that draupnir uses to interact with the matrix homeserver (client-server API),
|
||||
# set this to the pantalaimon URL if you're using that.
|
||||
homeserverUrl: "{{ matrix_homeserver_url }}"
|
||||
|
||||
# Endpoint URL that draupnir could use to fetch events related to reports (client-server API and /_synapse/),
|
||||
# only set this to the public-internet homeserver client API URL, do NOT set this to the pantalaimon URL.
|
||||
rawHomeserverUrl: "{{ matrix_homeserver_url }}"
|
||||
|
||||
# Matrix Access Token to use, draupnir will only use this if pantalaimon.use is false.
|
||||
accessToken: "{{ matrix_bot_draupnir_access_token }}"
|
||||
|
||||
# Options related to Pantalaimon (https://github.com/matrix-org/pantalaimon)
|
||||
#pantalaimon:
|
||||
# # Whether or not draupnir will use pantalaimon to access the matrix homeserver,
|
||||
# # set to `true` if you're using pantalaimon.
|
||||
# #
|
||||
# # Be sure to point homeserverUrl to the pantalaimon instance.
|
||||
# #
|
||||
# # draupnir will log in using the given username and password once,
|
||||
# # then store the resulting access token in a file under dataPath.
|
||||
# use: false
|
||||
#
|
||||
# # The username to login with.
|
||||
# username: draupnir
|
||||
#
|
||||
# # The password draupnir will login with.
|
||||
# #
|
||||
# # After successfully logging in once, this will be ignored, so this value can be blanked after first startup.
|
||||
# password: your_password
|
||||
|
||||
# The path draupnir will store its state/data in, leave default ("/data/storage") when using containers.
|
||||
dataPath: "/data"
|
||||
|
||||
# If true (the default), draupnir will only accept invites from users present in managementRoom.
|
||||
autojoinOnlyIfManager: true
|
||||
|
||||
# If `autojoinOnlyIfManager` is false, only the members in this space can invite
|
||||
# the bot to new rooms.
|
||||
#acceptInvitesFromSpace: "!example:example.org"
|
||||
|
||||
# Whether draupnir should report ignored invites to the management room (if autojoinOnlyIfManager is true).
|
||||
recordIgnoredInvites: false
|
||||
|
||||
# The room ID (or room alias) of the management room, anyone in this room can issue commands to draupnir.
|
||||
#
|
||||
# draupnir has no more granular access controls other than this, be sure you trust everyone in this room - secure it!
|
||||
#
|
||||
# This should be a room alias or room ID - not a matrix.to URL.
|
||||
#
|
||||
# Note: By default, draupnir is fairly verbose - expect a lot of messages in this room.
|
||||
# (see verboseLogging to adjust this a bit.)
|
||||
managementRoom: "{{ matrix_bot_draupnir_management_room }}"
|
||||
|
||||
# Whether draupnir should log a lot more messages in the room,
|
||||
# mainly involves "all-OK" messages, and debugging messages for when draupnir checks bans in a room.
|
||||
verboseLogging: false
|
||||
|
||||
# The log level of terminal (or container) output,
|
||||
# can be one of DEBUG, INFO, WARN and ERROR, in increasing order of importance and severity.
|
||||
#
|
||||
# This should be at INFO or DEBUG in order to get support for draupnir problems.
|
||||
logLevel: "INFO"
|
||||
|
||||
# Whether or not draupnir should synchronize policy lists immediately after startup.
|
||||
# Equivalent to running '!draupnir sync'.
|
||||
syncOnStartup: true
|
||||
|
||||
# Whether or not draupnir should check moderation permissions in all protected rooms on startup.
|
||||
# Equivalent to running `!draupnir verify`.
|
||||
verifyPermissionsOnStartup: true
|
||||
|
||||
# Whether or not draupnir should actually apply bans and policy lists,
|
||||
# turn on to trial some untrusted configuration or lists.
|
||||
noop: false
|
||||
|
||||
# Whether draupnir should check member lists quicker (by using a different endpoint),
|
||||
# keep in mind that enabling this will miss invited (but not joined) users.
|
||||
#
|
||||
# Turn on if your bot is in (very) large rooms, or in large amounts of rooms.
|
||||
fasterMembershipChecks: false
|
||||
|
||||
# A case-insensitive list of ban reasons to have the bot also automatically redact the user's messages for.
|
||||
#
|
||||
# If the bot sees you ban a user with a reason that is an (exact case-insensitive) match to this list,
|
||||
# it will also remove the user's messages automatically.
|
||||
#
|
||||
# Typically this is useful to avoid having to give two commands to the bot.
|
||||
# Advanced: Use asterisks to have the reason match using "globs"
|
||||
# (f.e. "spam*testing" would match "spam for testing" as well as "spamtesting").
|
||||
#
|
||||
# See here for more info: https://www.digitalocean.com/community/tools/glob
|
||||
# Note: Keep in mind that glob is NOT regex!
|
||||
automaticallyRedactForReasons:
|
||||
- "spam"
|
||||
- "advertising"
|
||||
|
||||
# A list of rooms to protect. draupnir will add this to the list it knows from its account data.
|
||||
#
|
||||
# It won't, however, add it to the account data.
|
||||
# Manually add the room via '!draupnir rooms add' to have it stay protected regardless if this config value changes.
|
||||
#
|
||||
# Note: These must be matrix.to URLs
|
||||
#protectedRooms:
|
||||
# - "https://matrix.to/#/#yourroom:example.org"
|
||||
|
||||
# Whether or not to add all joined rooms to the "protected rooms" list
|
||||
# (excluding the management room and watched policy list rooms, see below).
|
||||
#
|
||||
# Note that this effectively makes the protectedRooms and associated commands useless
|
||||
# for regular rooms.
|
||||
#
|
||||
# Note: the management room is *excluded* from this condition.
|
||||
# Explicitly add it as a protected room to protect it.
|
||||
#
|
||||
# Note: Ban list rooms the bot is watching but didn't create will not be protected.
|
||||
# Explicitly add these rooms as a protected room list if you want them protected.
|
||||
protectAllJoinedRooms: false
|
||||
|
||||
# Increase this delay to have Mjölnir wait longer between two consecutive backgrounded
|
||||
# operations. The total duration of operations will be longer, but the homeserver won't
|
||||
# be affected as much. Conversely, decrease this delay to have Mjölnir chain operations
|
||||
# faster. The total duration of operations will generally be shorter, but the performance
|
||||
# of the homeserver may be more impacted.
|
||||
backgroundDelayMS: 500
|
||||
|
||||
# Server administration commands, these commands will only work if draupnir is
|
||||
# a global server administrator, and the bot's server is a Synapse instance.
|
||||
#admin:
|
||||
# # Whether or not draupnir can temporarily take control of any eligible account from the local homeserver who's in the room
|
||||
# # (with enough permissions) to "make" a user an admin.
|
||||
# #
|
||||
# # This only works if a local user with enough admin permissions is present in the room.
|
||||
# enableMakeRoomAdminCommand: false
|
||||
|
||||
# Misc options for command handling and commands
|
||||
commands:
|
||||
# Whether or not the `!draupnir` prefix is necessary to submit commands.
|
||||
#
|
||||
# If `true`, will allow commands like `!ban`, `!help`, etc.
|
||||
#
|
||||
# Note: draupnir can also be pinged by display name instead of having to use
|
||||
# the !draupnir prefix. For example, "my_moderator_bot: ban @spammer:example.org"
|
||||
# will address only my_moderator_bot.
|
||||
allowNoPrefix: false
|
||||
|
||||
# Any additional bot prefixes that draupnir will listen to. i.e. adding `mod` will allow `!mod help`.
|
||||
additionalPrefixes:
|
||||
- "draupnir_bot"
|
||||
- "draupnir"
|
||||
|
||||
# Whether or not commands with a wildcard (*) will require an additional `--force` argument
|
||||
# in the command to be able to be submitted.
|
||||
confirmWildcardBan: true
|
||||
|
||||
# Configuration specific to certain toggle-able protections
|
||||
#protections:
|
||||
# # Configuration for the wordlist plugin, which can ban users based if they say certain
|
||||
# # blocked words shortly after joining.
|
||||
# wordlist:
|
||||
# # A list of case-insensitive keywords that the WordList protection will watch for from new users.
|
||||
# #
|
||||
# # WordList will ban users who use these words when first joining a room, so take caution when selecting them.
|
||||
# #
|
||||
# # For advanced usage, regex can also be used, see the following links for more information;
|
||||
# # - https://www.digitalocean.com/community/tutorials/an-introduction-to-regular-expressions
|
||||
# # - https://regexr.com/
|
||||
# # - https://regexone.com/
|
||||
# words:
|
||||
# - "LoReM"
|
||||
# - "IpSuM"
|
||||
# - "DoLoR"
|
||||
# - "aMeT"
|
||||
#
|
||||
# # For how long (in minutes) the user is "new" to the WordList plugin.
|
||||
# #
|
||||
# # After this time, the user will no longer be banned for using a word in the above wordlist.
|
||||
# #
|
||||
# # Set to zero to disable the timeout and make users *always* appear "new".
|
||||
# # (users will always be banned if they say a bad word)
|
||||
# minutesBeforeTrusting: 20
|
||||
|
||||
# Options for advanced monitoring of the health of the bot.
|
||||
health:
|
||||
# healthz options. These options are best for use in container environments
|
||||
# like Kubernetes to detect how healthy the service is. The bot will report
|
||||
# that it is unhealthy until it is able to process user requests. Typically
|
||||
# this means that it'll flag itself as unhealthy for a number of minutes
|
||||
# before saying "Now monitoring rooms" and flagging itself healthy.
|
||||
#
|
||||
# Health is flagged through HTTP status codes, defined below.
|
||||
healthz:
|
||||
# Whether the healthz integration should be enabled (default false)
|
||||
enabled: false
|
||||
|
||||
# The port to expose the webserver on. Defaults to 8080.
|
||||
port: 8080
|
||||
|
||||
# The address to listen for requests on. Defaults to all addresses.
|
||||
address: "0.0.0.0"
|
||||
|
||||
# The path to expose the monitoring endpoint at. Defaults to `/healthz`
|
||||
endpoint: "/healthz"
|
||||
|
||||
# The HTTP status code which reports that the bot is healthy/ready to
|
||||
# process requests. Typically this should not be changed. Defaults to
|
||||
# 200.
|
||||
healthyStatus: 200
|
||||
|
||||
# The HTTP status code which reports that the bot is not healthy/ready.
|
||||
# Defaults to 418.
|
||||
unhealthyStatus: 418
|
||||
|
||||
# Options for exposing web APIs.
|
||||
#web:
|
||||
# # Whether to enable web APIs.
|
||||
# enabled: false
|
||||
#
|
||||
# # The port to expose the webserver on. Defaults to 8080.
|
||||
# port: 8080
|
||||
#
|
||||
# # The address to listen for requests on. Defaults to only the current
|
||||
# # computer.
|
||||
# address: localhost
|
||||
#
|
||||
# # Alternative setting to open to the entire web. Be careful,
|
||||
# # as this will increase your security perimeter:
|
||||
# #
|
||||
# # address: "0.0.0.0"
|
||||
#
|
||||
# # A web API designed to intercept Matrix API
|
||||
# # POST /_matrix/client/r0/rooms/{roomId}/report/{eventId}
|
||||
# # and display readable abuse reports in the moderation room.
|
||||
# #
|
||||
# # If you wish to take advantage of this feature, you will need
|
||||
# # to configure a reverse proxy, see e.g. test/nginx.conf
|
||||
# abuseReporting:
|
||||
# # Whether to enable this feature.
|
||||
# enabled: false
|
||||
|
||||
# Whether or not to actively poll synapse for abuse reports, to be used
|
||||
# instead of intercepting client calls to synapse's abuse endpoint, when that
|
||||
# isn't possible/practical.
|
||||
pollReports: false
|
||||
|
||||
# Whether or not new reports, received either by webapi or polling,
|
||||
# should be printed to our managementRoom.
|
||||
displayReports: false
|
|
@ -1,11 +1,11 @@
|
|||
#jinja2: lstrip_blocks: "True"
|
||||
[Unit]
|
||||
Description=matrix-grafana
|
||||
{% for service in matrix_grafana_systemd_required_services_list %}
|
||||
Description=Matrix Draupnir bot
|
||||
{% for service in matrix_bot_draupnir_systemd_required_services_list %}
|
||||
Requires={{ service }}
|
||||
After={{ service }}
|
||||
{% endfor %}
|
||||
{% for service in matrix_grafana_systemd_wanted_services_list %}
|
||||
{% for service in matrix_bot_draupnir_systemd_required_services_list %}
|
||||
Wants={{ service }}
|
||||
{% endfor %}
|
||||
DefaultDependencies=no
|
||||
|
@ -13,31 +13,30 @@ DefaultDependencies=no
|
|||
[Service]
|
||||
Type=simple
|
||||
Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
|
||||
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-grafana 2>/dev/null || true'
|
||||
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-grafana 2>/dev/null || true'
|
||||
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-draupnir 2>/dev/null || true'
|
||||
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-draupnir 2>/dev/null || true'
|
||||
|
||||
# Intentional delay, so that the homeserver (we likely depend on) can manage to start.
|
||||
ExecStartPre={{ matrix_host_command_sleep }} 5
|
||||
|
||||
ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-grafana \
|
||||
ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-bot-draupnir \
|
||||
--log-driver=none \
|
||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||
--cap-drop=ALL \
|
||||
--read-only \
|
||||
--network={{ matrix_docker_network }} \
|
||||
{% if matrix_grafana_container_http_host_bind_port %}
|
||||
-p {{ matrix_grafana_container_http_host_bind_port }}:3000 \
|
||||
{% endif %}
|
||||
-v {{ matrix_grafana_config_path }}:/etc/grafana:z \
|
||||
-v {{ matrix_grafana_data_path }}:/var/lib/grafana:z \
|
||||
{% for arg in matrix_grafana_container_extra_arguments %}
|
||||
--mount type=bind,src={{ matrix_bot_draupnir_config_path }},dst=/data/config,ro \
|
||||
--mount type=bind,src={{ matrix_bot_draupnir_data_path }},dst=/data \
|
||||
{% for arg in matrix_bot_draupnir_container_extra_arguments %}
|
||||
{{ arg }} \
|
||||
{% endfor %}
|
||||
{{ matrix_grafana_docker_image }}
|
||||
{{ matrix_bot_draupnir_docker_image }}
|
||||
|
||||
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-grafana 2>/dev/null || true'
|
||||
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-grafana 2>/dev/null || true'
|
||||
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-draupnir 2>/dev/null || true'
|
||||
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-draupnir 2>/dev/null || true'
|
||||
Restart=always
|
||||
RestartSec=30
|
||||
SyslogIdentifier=matrix-grafana
|
||||
SyslogIdentifier=matrix-bot-draupnir
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -9,7 +9,7 @@ matrix_bot_postmoogle_docker_repo: "https://gitlab.com/etke.cc/postmoogle.git"
|
|||
matrix_bot_postmoogle_docker_repo_version: "{{ 'main' if matrix_bot_postmoogle_version == 'latest' else matrix_bot_postmoogle_version }}"
|
||||
matrix_bot_postmoogle_docker_src_files_path: "{{ matrix_base_data_path }}/postmoogle/docker-src"
|
||||
|
||||
matrix_bot_postmoogle_version: v0.9.11
|
||||
matrix_bot_postmoogle_version: v0.9.14
|
||||
matrix_bot_postmoogle_docker_image: "{{ matrix_bot_postmoogle_docker_image_name_prefix }}etke.cc/postmoogle:{{ matrix_bot_postmoogle_version }}"
|
||||
matrix_bot_postmoogle_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_postmoogle_container_image_self_build else 'registry.gitlab.com/' }}"
|
||||
matrix_bot_postmoogle_docker_image_force_pull: "{{ matrix_bot_postmoogle_docker_image.endswith(':latest') }}"
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#jinja2: lstrip_blocks: "True"
|
||||
[Unit]
|
||||
Description=Matrix helpdesk bot
|
||||
Description=Matrix Postmoogle bot
|
||||
{% for service in matrix_bot_postmoogle_systemd_required_services_list %}
|
||||
Requires={{ service }}
|
||||
After={{ service }}
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
|
||||
matrix_heisenbridge_enabled: true
|
||||
|
||||
matrix_heisenbridge_version: 1.14.1
|
||||
matrix_heisenbridge_version: 1.14.2
|
||||
matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}"
|
||||
matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}"
|
||||
|
||||
|
|
|
@ -8,7 +8,7 @@ matrix_mautrix_discord_container_image_self_build: false
|
|||
matrix_mautrix_discord_container_image_self_build_repo: "https://mau.dev/mautrix/discord.git"
|
||||
matrix_mautrix_discord_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_discord_version == 'latest' else matrix_mautrix_discord_version }}"
|
||||
|
||||
matrix_mautrix_discord_version: v0.1.0
|
||||
matrix_mautrix_discord_version: v0.1.1
|
||||
# See: https://mau.dev/mautrix/discord/container_registry
|
||||
matrix_mautrix_discord_docker_image: "{{ matrix_mautrix_discord_docker_image_name_prefix }}mautrix/discord:{{ matrix_mautrix_discord_version }}"
|
||||
matrix_mautrix_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_discord_container_image_self_build else 'dock.mau.dev/' }}"
|
||||
|
|
|
@ -8,7 +8,7 @@ matrix_mautrix_whatsapp_container_image_self_build: false
|
|||
matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautrix/whatsapp.git"
|
||||
matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}"
|
||||
|
||||
matrix_mautrix_whatsapp_version: v0.8.1
|
||||
matrix_mautrix_whatsapp_version: v0.8.2
|
||||
# See: https://mau.dev/mautrix/whatsapp/container_registry
|
||||
matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_name_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}"
|
||||
matrix_mautrix_whatsapp_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_whatsapp_container_image_self_build else 'dock.mau.dev/' }}"
|
||||
|
|
|
@ -14,17 +14,128 @@ matrix_client_cinny_docker_image_force_pull: "{{ matrix_client_cinny_docker_imag
|
|||
matrix_client_cinny_data_path: "{{ matrix_base_data_path }}/client-cinny"
|
||||
matrix_client_cinny_docker_src_files_path: "{{ matrix_client_cinny_data_path }}/docker-src"
|
||||
|
||||
# The base container network
|
||||
matrix_client_cinny_container_network: matrix-client-cinny
|
||||
|
||||
# A list of additional container networks that the container would be connected to.
|
||||
# The role does not create these networks, so make sure they already exist.
|
||||
# Use this to expose this container to a reverse proxy, which runs in a different container network.
|
||||
matrix_client_cinny_container_additional_networks: []
|
||||
|
||||
# Controls whether the container exposes its HTTP port (tcp/8080 in the container).
|
||||
#
|
||||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8768"), or empty string to not expose.
|
||||
matrix_client_cinny_container_http_host_bind_port: ''
|
||||
|
||||
|
||||
# matrix_client_cinny_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
|
||||
# See `../templates/labels.j2` for details.
|
||||
#
|
||||
# To inject your own other container labels, see `matrix_client_cinny_container_labels_additional_labels`.
|
||||
matrix_client_cinny_container_labels_traefik_enabled: true
|
||||
matrix_client_cinny_container_labels_traefik_docker_network: "{{ matrix_client_cinny_container_network }}"
|
||||
matrix_client_cinny_container_labels_traefik_hostname: "{{ matrix_client_cinny_hostname }}"
|
||||
# The path prefix must either be `/` or not end with a slash (e.g. `/cinny`).
|
||||
matrix_client_cinny_container_labels_traefik_path_prefix: "{{ matrix_client_cinny_path_prefix }}"
|
||||
matrix_client_cinny_container_labels_traefik_rule: "Host(`{{ matrix_client_cinny_container_labels_traefik_hostname }}`){% if matrix_client_cinny_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_client_cinny_container_labels_traefik_path_prefix }}`){% endif %}"
|
||||
matrix_client_cinny_container_labels_traefik_priority: 0
|
||||
matrix_client_cinny_container_labels_traefik_entrypoints: web-secure
|
||||
matrix_client_cinny_container_labels_traefik_tls: "{{ matrix_client_cinny_container_labels_traefik_entrypoints != 'web' }}"
|
||||
matrix_client_cinny_container_labels_traefik_tls_certResolver: default # noqa var-naming
|
||||
|
||||
# Controls which additional headers to attach to all HTTP responses.
|
||||
# To add your own headers, use `matrix_client_cinny_container_labels_traefik_additional_response_headers_custom`
|
||||
matrix_client_cinny_container_labels_traefik_additional_response_headers: "{{ matrix_client_cinny_container_labels_traefik_additional_response_headers_auto | combine(matrix_client_cinny_container_labels_traefik_additional_response_headers_custom) }}"
|
||||
matrix_client_cinny_container_labels_traefik_additional_response_headers_auto: |
|
||||
{{
|
||||
{}
|
||||
| combine ({'X-XSS-Protection': matrix_client_cinny_http_header_xss_protection} if matrix_client_cinny_http_header_xss_protection else {})
|
||||
| combine ({'X-Frame-Options': matrix_client_cinny_http_header_frame_options} if matrix_client_cinny_http_header_frame_options else {})
|
||||
| combine ({'X-Content-Type-Options': matrix_client_cinny_http_header_content_type_options} if matrix_client_cinny_http_header_content_type_options else {})
|
||||
| combine ({'Content-Security-Policy': matrix_client_cinny_http_header_content_security_policy} if matrix_client_cinny_http_header_content_security_policy else {})
|
||||
| combine ({'Permission-Policy': matrix_client_cinny_http_header_content_permission_policy} if matrix_client_cinny_http_header_content_permission_policy else {})
|
||||
| combine ({'Strict-Transport-Security': matrix_client_cinny_http_header_strict_transport_security} if matrix_client_cinny_http_header_strict_transport_security and matrix_client_cinny_container_labels_traefik_tls else {})
|
||||
}}
|
||||
matrix_client_cinny_container_labels_traefik_additional_response_headers_custom: {}
|
||||
|
||||
# matrix_client_cinny_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
|
||||
# See `../templates/labels.j2` for details.
|
||||
#
|
||||
# Example:
|
||||
# matrix_client_cinny_container_labels_additional_labels: |
|
||||
# my.label=1
|
||||
# another.label="here"
|
||||
matrix_client_cinny_container_labels_additional_labels: ''
|
||||
|
||||
# A list of extra arguments to pass to the container
|
||||
matrix_client_cinny_container_extra_arguments: []
|
||||
|
||||
# List of systemd services that matrix-client-cinny.service depends on
|
||||
matrix_client_cinny_systemd_required_services_list: ['docker.service']
|
||||
|
||||
# Specifies the value of the `X-XSS-Protection` header
|
||||
# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
|
||||
#
|
||||
# Learn more about it is here:
|
||||
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
|
||||
# - https://portswigger.net/web-security/cross-site-scripting/reflected
|
||||
matrix_client_cinny_http_header_xss_protection: "1; mode=block"
|
||||
|
||||
# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
|
||||
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
|
||||
matrix_client_cinny_http_header_frame_options: SAMEORIGIN
|
||||
|
||||
# Specifies the value of the `X-Content-Type-Options` header.
|
||||
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
|
||||
matrix_client_cinny_http_header_content_type_options: nosniff
|
||||
|
||||
# Specifies the value of the `Content-Security-Policy` header.
|
||||
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
|
||||
matrix_client_cinny_http_header_content_security_policy: frame-ancestors 'self'
|
||||
|
||||
# Specifies the value of the `Permission-Policy` header.
|
||||
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
|
||||
matrix_client_cinny_http_header_content_permission_policy: "{{ 'interest-cohort=() always' if matrix_client_cinny_floc_optout_enabled else '' }}"
|
||||
|
||||
# Specifies the value of the `Strict-Transport-Security` header.
|
||||
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
|
||||
matrix_client_cinny_http_header_strict_transport_security: "{{ '\"max-age=31536000; includeSubDomains; preload\" always' if matrix_client_cinny_hsts_preload_enabled else '\"max-age=31536000; includeSubDomains\" always' }}"
|
||||
|
||||
# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
|
||||
#
|
||||
# Learn more about what it is here:
|
||||
# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
|
||||
# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
|
||||
# - https://amifloced.org/
|
||||
#
|
||||
# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
|
||||
# See: `matrix_client_cinny_content_permission_policy`
|
||||
matrix_client_cinny_floc_optout_enabled: true
|
||||
|
||||
# Controls if HSTS preloading is enabled
|
||||
#
|
||||
# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
|
||||
# indicates a willingness to be "preloaded" into browsers:
|
||||
# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
|
||||
# For more information visit:
|
||||
# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
|
||||
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
|
||||
# - https://hstspreload.org/#opt-in
|
||||
# See: `matrix_client_cinny_http_header_strict_transport_security`
|
||||
matrix_client_cinny_hsts_preload_enabled: false
|
||||
|
||||
# The hostname at which Cinny is served.
|
||||
# Only works with with Traefik reverse-proxying.
|
||||
# For matrix-nginx-proxy, `matrix_server_fqn_cinny` is used and this variable has no effect.
|
||||
matrix_client_cinny_hostname: "{{ matrix_server_fqn_cinny }}"
|
||||
|
||||
# The path at which Cinny is exposed.
|
||||
# When matrix-nginx-proxy is used, setting this to values other than `/` will cause configuration mismatches and trouble.
|
||||
#
|
||||
# If Traefik is used, the hostname is also configurable - see `matrix_client_cinny_container_labels_traefik_hostname`.
|
||||
# This value must either be `/` or not end with a slash (e.g. `/cinny`).
|
||||
matrix_client_cinny_path_prefix: /
|
||||
|
||||
# Controls whether the self-check feature should validate SSL certificates.
|
||||
matrix_client_cinny_self_check_validate_certificates: true
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
|
||||
- ansible.builtin.set_fact:
|
||||
matrix_client_cinny_url_endpoint_public: "https://{{ matrix_server_fqn_cinny }}/config.json"
|
||||
matrix_client_cinny_url_endpoint_public: "https://{{ matrix_client_cinny_hostname }}{{ matrix_client_cinny_path_prefix }}/config.json"
|
||||
|
||||
- name: Check Cinny
|
||||
ansible.builtin.uri:
|
||||
|
@ -16,9 +16,9 @@
|
|||
|
||||
- name: Fail if Cinny not working
|
||||
ansible.builtin.fail:
|
||||
msg: "Failed checking Cinny is up at `{{ matrix_server_fqn_cinny }}` (checked endpoint: `{{ matrix_client_cinny_url_endpoint_public }}`). Is Cinny running? Is port 443 open in your firewall? Full error: {{ matrix_client_cinny_self_check_result }}"
|
||||
msg: "Failed checking Cinny is up at `{{ matrix_client_cinny_hostname }}` (checked endpoint: `{{ matrix_client_cinny_url_endpoint_public }}`). Is Cinny running? Is port 443 open in your firewall? Full error: {{ matrix_client_cinny_self_check_result }}"
|
||||
when: "matrix_client_cinny_self_check_result.failed or 'json' not in matrix_client_cinny_self_check_result"
|
||||
|
||||
- name: Report working Cinny
|
||||
ansible.builtin.debug:
|
||||
msg: "Cinny at `{{ matrix_server_fqn_cinny }}` is working (checked endpoint: `{{ matrix_client_cinny_url_endpoint_public }}`)"
|
||||
msg: "Cinny at `{{ matrix_client_cinny_hostname }}` is working (checked endpoint: `{{ matrix_client_cinny_url_endpoint_public }}`)"
|
||||
|
|
|
@ -51,7 +51,7 @@
|
|||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"}
|
||||
when: "item.src is not none"
|
||||
- {src: "{{ role_path }}/templates/labels.j2", name: "labels"}
|
||||
|
||||
- name: Ensure Cinny Docker image is built
|
||||
community.docker.docker_image:
|
||||
|
@ -64,6 +64,11 @@
|
|||
pull: true
|
||||
when: "matrix_client_cinny_container_image_self_build | bool"
|
||||
|
||||
- name: Ensure Cinny container network is created
|
||||
community.general.docker_network:
|
||||
name: "{{ matrix_client_cinny_container_network }}"
|
||||
driver: bridge
|
||||
|
||||
- name: Ensure matrix-client-cinny.service installed
|
||||
ansible.builtin.template:
|
||||
src: "{{ role_path }}/templates/systemd/matrix-client-cinny.service.j2"
|
||||
|
|
|
@ -6,3 +6,23 @@
|
|||
when: "vars[item] == '' or vars[item] is none"
|
||||
with_items:
|
||||
- "matrix_client_cinny_default_hs_url"
|
||||
|
||||
- when: matrix_client_cinny_container_labels_traefik_enabled | bool
|
||||
block:
|
||||
- name: Fail if required matrix-client-cinny Traefik settings not defined
|
||||
ansible.builtin.fail:
|
||||
msg: >-
|
||||
You need to define a required configuration setting (`{{ item }}`).
|
||||
when: "vars[item] == ''"
|
||||
with_items:
|
||||
- matrix_client_cinny_container_labels_traefik_hostname
|
||||
- matrix_client_cinny_container_labels_traefik_path_prefix
|
||||
|
||||
# We ensure it doesn't end with a slash, because we handle both (slash and no-slash).
|
||||
# Knowing that `matrix_client_cinny_container_labels_traefik_path_prefix` does not end with a slash
|
||||
# ensures we know how to set these routes up without having to do "does it end with a slash" checks elsewhere.
|
||||
- name: Fail if matrix_client_cinny_container_labels_traefik_path_prefix ends with a slash
|
||||
ansible.builtin.fail:
|
||||
msg: >-
|
||||
matrix_client_cinny_container_labels_traefik_path_prefix (`{{ matrix_client_cinny_container_labels_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/cinny`).
|
||||
when: "matrix_client_cinny_container_labels_traefik_path_prefix != '/' and matrix_client_cinny_container_labels_traefik_path_prefix[-1] == '/'"
|
||||
|
|
45
roles/custom/matrix-client-cinny/templates/labels.j2
Normal file
45
roles/custom/matrix-client-cinny/templates/labels.j2
Normal file
|
@ -0,0 +1,45 @@
|
|||
{% if matrix_client_cinny_container_labels_traefik_enabled %}
|
||||
traefik.enable=true
|
||||
|
||||
{% if matrix_client_cinny_container_labels_traefik_docker_network %}
|
||||
traefik.docker.network={{ matrix_client_cinny_container_labels_traefik_docker_network }}
|
||||
{% endif %}
|
||||
|
||||
{% set middlewares = [] %}
|
||||
|
||||
{% if matrix_client_cinny_container_labels_traefik_path_prefix != '/' %}
|
||||
traefik.http.middlewares.matrix-client-cinny-slashless-redirect.redirectregex.regex=({{ matrix_client_cinny_container_labels_traefik_path_prefix | quote }})$
|
||||
traefik.http.middlewares.matrix-client-cinny-slashless-redirect.redirectregex.replacement=${1}/
|
||||
{% set middlewares = middlewares + ['matrix-client-cinny-slashless-redirect'] %}
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_client_cinny_container_labels_traefik_path_prefix != '/' %}
|
||||
traefik.http.middlewares.matrix-client-cinny-strip-prefix.stripprefix.prefixes={{ matrix_client_cinny_container_labels_traefik_path_prefix }}
|
||||
{% set middlewares = middlewares + ['matrix-client-cinny-strip-prefix'] %}
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_client_cinny_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
|
||||
{% for name, value in matrix_client_cinny_container_labels_traefik_additional_response_headers.items() %}
|
||||
traefik.http.middlewares.matrix-client-cinny-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
|
||||
{% endfor %}
|
||||
{% set middlewares = middlewares + ['matrix-client-cinny-add-headers'] %}
|
||||
{% endif %}
|
||||
|
||||
traefik.http.routers.matrix-client-cinny.rule={{ matrix_client_cinny_container_labels_traefik_rule }}
|
||||
{% if matrix_client_cinny_container_labels_traefik_priority | int > 0 %}
|
||||
traefik.http.routers.matrix-client-cinny.priority={{ matrix_client_cinny_container_labels_traefik_priority }}
|
||||
{% endif %}
|
||||
traefik.http.routers.matrix-client-cinny.service=matrix-client-cinny
|
||||
{% if middlewares | length > 0 %}
|
||||
traefik.http.routers.matrix-client-cinny.middlewares={{ middlewares | join(',') }}
|
||||
{% endif %}
|
||||
traefik.http.routers.matrix-client-cinny.entrypoints={{ matrix_client_cinny_container_labels_traefik_entrypoints }}
|
||||
traefik.http.routers.matrix-client-cinny.tls={{ matrix_client_cinny_container_labels_traefik_tls | to_json }}
|
||||
{% if matrix_client_cinny_container_labels_traefik_tls %}
|
||||
traefik.http.routers.matrix-client-cinny.tls.certResolver={{ matrix_client_cinny_container_labels_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
|
||||
traefik.http.services.matrix-client-cinny.loadbalancer.server.port=8080
|
||||
{% endif %}
|
||||
|
||||
{{ matrix_client_cinny_container_labels_additional_labels }}
|
|
@ -13,15 +13,18 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
|
|||
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-client-cinny 2>/dev/null || true'
|
||||
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-client-cinny 2>/dev/null || true'
|
||||
|
||||
ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-client-cinny \
|
||||
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
|
||||
--rm \
|
||||
--name=matrix-client-cinny \
|
||||
--log-driver=none \
|
||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||
--cap-drop=ALL \
|
||||
--read-only \
|
||||
--network={{ matrix_docker_network }} \
|
||||
--network={{ matrix_client_cinny_container_network }} \
|
||||
{% if matrix_client_cinny_container_http_host_bind_port %}
|
||||
-p {{ matrix_client_cinny_container_http_host_bind_port }}:8080 \
|
||||
{% endif %}
|
||||
--label-file={{ matrix_client_cinny_data_path }}/labels \
|
||||
--tmpfs=/tmp:rw,noexec,nosuid,size=10m \
|
||||
--mount type=bind,src={{ matrix_client_cinny_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \
|
||||
--mount type=bind,src={{ matrix_client_cinny_data_path }}/config.json,dst=/app/config.json,ro \
|
||||
|
@ -30,8 +33,15 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
|
|||
{% endfor %}
|
||||
{{ matrix_client_cinny_docker_image }}
|
||||
|
||||
{% for network in matrix_client_cinny_container_additional_networks %}
|
||||
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-client-cinny
|
||||
{% endfor %}
|
||||
|
||||
ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-client-cinny
|
||||
|
||||
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-client-cinny 2>/dev/null || true'
|
||||
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-client-cinny 2>/dev/null || true'
|
||||
|
||||
Restart=always
|
||||
RestartSec=30
|
||||
SyslogIdentifier=matrix-client-cinny
|
||||
|
|
|
@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto
|
|||
# - https://github.com/vector-im/element-web/issues/19544
|
||||
matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
|
||||
|
||||
matrix_client_element_version: v1.11.21
|
||||
matrix_client_element_version: v1.11.23
|
||||
matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
|
||||
matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
|
||||
matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"
|
||||
|
@ -18,17 +18,127 @@ matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_
|
|||
matrix_client_element_data_path: "{{ matrix_base_data_path }}/client-element"
|
||||
matrix_client_element_docker_src_files_path: "{{ matrix_client_element_data_path }}/docker-src"
|
||||
|
||||
# The base container network
|
||||
matrix_client_element_container_network: matrix-client-element
|
||||
|
||||
# A list of additional container networks that the container would be connected to.
|
||||
# The role does not create these networks, so make sure they already exist.
|
||||
# Use this to expose this container to a reverse proxy, which runs in a different container network.
|
||||
matrix_client_element_container_additional_networks: []
|
||||
|
||||
# Controls whether the matrix-client-element container exposes its HTTP port (tcp/8080 in the container).
|
||||
#
|
||||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8765"), or empty string to not expose.
|
||||
matrix_client_element_container_http_host_bind_port: ''
|
||||
|
||||
# matrix_client_element_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
|
||||
# See `../templates/labels.j2` for details.
|
||||
#
|
||||
# To inject your own other container labels, see `matrix_client_element_container_labels_additional_labels`.
|
||||
matrix_client_element_container_labels_traefik_enabled: true
|
||||
matrix_client_element_container_labels_traefik_docker_network: "{{ matrix_client_element_container_network }}"
|
||||
matrix_client_element_container_labels_traefik_hostname: "{{ matrix_client_element_hostname }}"
|
||||
# The path prefix must either be `/` or not end with a slash (e.g. `/element`).
|
||||
matrix_client_element_container_labels_traefik_path_prefix: "{{ matrix_client_element_path_prefix }}"
|
||||
matrix_client_element_container_labels_traefik_rule: "Host(`{{ matrix_client_element_container_labels_traefik_hostname }}`){% if matrix_client_element_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_client_element_container_labels_traefik_path_prefix }}`){% endif %}"
|
||||
matrix_client_element_container_labels_traefik_priority: 0
|
||||
matrix_client_element_container_labels_traefik_entrypoints: web-secure
|
||||
matrix_client_element_container_labels_traefik_tls: "{{ matrix_client_element_container_labels_traefik_entrypoints != 'web' }}"
|
||||
matrix_client_element_container_labels_traefik_tls_certResolver: default # noqa var-naming
|
||||
|
||||
# Controls which additional headers to attach to all HTTP responses.
|
||||
# To add your own headers, use `matrix_client_element_container_labels_traefik_additional_response_headers_custom`
|
||||
matrix_client_element_container_labels_traefik_additional_response_headers: "{{ matrix_client_element_container_labels_traefik_additional_response_headers_auto | combine(matrix_client_element_container_labels_traefik_additional_response_headers_custom) }}"
|
||||
matrix_client_element_container_labels_traefik_additional_response_headers_auto: |
|
||||
{{
|
||||
{}
|
||||
| combine ({'X-XSS-Protection': matrix_client_element_http_header_xss_protection} if matrix_client_element_http_header_xss_protection else {})
|
||||
| combine ({'X-Frame-Options': matrix_client_element_http_header_frame_options} if matrix_client_element_http_header_frame_options else {})
|
||||
| combine ({'X-Content-Type-Options': matrix_client_element_http_header_content_type_options} if matrix_client_element_http_header_content_type_options else {})
|
||||
| combine ({'Content-Security-Policy': matrix_client_element_http_header_content_security_policy} if matrix_client_element_http_header_content_security_policy else {})
|
||||
| combine ({'Permission-Policy': matrix_client_element_http_header_content_permission_policy} if matrix_client_element_http_header_content_permission_policy else {})
|
||||
| combine ({'Strict-Transport-Security': matrix_client_element_http_header_strict_transport_security} if matrix_client_element_http_header_strict_transport_security and matrix_client_element_container_labels_traefik_tls else {})
|
||||
}}
|
||||
matrix_client_element_container_labels_traefik_additional_response_headers_custom: {}
|
||||
|
||||
# matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
|
||||
# See `../templates/labels.j2` for details.
|
||||
#
|
||||
# Example:
|
||||
# matrix_client_element_container_labels_additional_labels: |
|
||||
# my.label=1
|
||||
# another.label="here"
|
||||
matrix_client_element_container_labels_additional_labels: ''
|
||||
|
||||
# A list of extra arguments to pass to the container
|
||||
matrix_client_element_container_extra_arguments: []
|
||||
|
||||
# List of systemd services that matrix-client-element.service depends on
|
||||
matrix_client_element_systemd_required_services_list: ['docker.service']
|
||||
|
||||
# Specifies the value of the `X-XSS-Protection` header
|
||||
# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
|
||||
#
|
||||
# Learn more about it is here:
|
||||
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
|
||||
# - https://portswigger.net/web-security/cross-site-scripting/reflected
|
||||
matrix_client_element_http_header_xss_protection: "1; mode=block"
|
||||
|
||||
# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
|
||||
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
|
||||
matrix_client_element_http_header_frame_options: SAMEORIGIN
|
||||
|
||||
# Specifies the value of the `X-Content-Type-Options` header.
|
||||
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
|
||||
matrix_client_element_http_header_content_type_options: nosniff
|
||||
|
||||
# Specifies the value of the `Content-Security-Policy` header.
|
||||
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
|
||||
matrix_client_element_http_header_content_security_policy: frame-ancestors 'self'
|
||||
|
||||
# Specifies the value of the `Permission-Policy` header.
|
||||
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
|
||||
matrix_client_element_http_header_content_permission_policy: "{{ 'interest-cohort=() always' if matrix_client_element_floc_optout_enabled else '' }}"
|
||||
|
||||
# Specifies the value of the `Strict-Transport-Security` header.
|
||||
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
|
||||
matrix_client_element_http_header_strict_transport_security: "{{ '\"max-age=31536000; includeSubDomains; preload\" always' if matrix_client_element_hsts_preload_enabled else '\"max-age=31536000; includeSubDomains\" always' }}"
|
||||
|
||||
# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
|
||||
#
|
||||
# Learn more about what it is here:
|
||||
# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
|
||||
# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
|
||||
# - https://amifloced.org/
|
||||
#
|
||||
# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
|
||||
# See: `matrix_client_element_content_permission_policy`
|
||||
matrix_client_element_floc_optout_enabled: true
|
||||
|
||||
# Controls if HSTS preloading is enabled
|
||||
#
|
||||
# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
|
||||
# indicates a willingness to be "preloaded" into browsers:
|
||||
# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
|
||||
# For more information visit:
|
||||
# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
|
||||
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
|
||||
# - https://hstspreload.org/#opt-in
|
||||
# See: `matrix_client_element_http_header_strict_transport_security`
|
||||
matrix_client_element_hsts_preload_enabled: false
|
||||
|
||||
# The hostname at which Element is served.
|
||||
# Only works with with Traefik reverse-proxying.
|
||||
# For matrix-nginx-proxy, `matrix_server_fqn_element` is used and this variable has no effect.
|
||||
matrix_client_element_hostname: "{{ matrix_server_fqn_element }}"
|
||||
|
||||
# The path at which Element is exposed.
|
||||
# When matrix-nginx-proxy is used, setting this to values other than `/` will cause configuration mismatches and trouble.
|
||||
#
|
||||
# If Traefik is used, the hostname is also configurable - see `matrix_client_element_container_labels_traefik_hostname`.
|
||||
# This value must either be `/` or not end with a slash (e.g. `/element`).
|
||||
matrix_client_element_path_prefix: /
|
||||
|
||||
# Element config.json customizations
|
||||
matrix_client_element_default_server_name: "{{ matrix_domain }}"
|
||||
matrix_client_element_default_hs_url: ""
|
||||
|
|
|
@ -84,6 +84,7 @@
|
|||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"}
|
||||
- {src: "{{ role_path }}/templates/labels.j2", name: "labels"}
|
||||
- {src: "{{ matrix_client_element_page_template_welcome_path }}", name: "welcome.html"}
|
||||
- {src: "{{ matrix_client_element_embedded_pages_home_path }}", name: "home.html"}
|
||||
when: "item.src is not none"
|
||||
|
@ -96,6 +97,11 @@
|
|||
- {src: "{{ matrix_client_element_embedded_pages_home_path }}", name: "home.html"}
|
||||
when: "item.src is none"
|
||||
|
||||
- name: Ensure Element container network is created
|
||||
community.general.docker_network:
|
||||
name: "{{ matrix_client_element_container_network }}"
|
||||
driver: bridge
|
||||
|
||||
- name: Ensure matrix-client-element.service installed
|
||||
ansible.builtin.template:
|
||||
src: "{{ role_path }}/templates/systemd/matrix-client-element.service.j2"
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-element.service"
|
||||
state: absent
|
||||
|
||||
- name: Ensure Element paths doesn't exist
|
||||
- name: Ensure Element path doesn't exist
|
||||
ansible.builtin.file:
|
||||
path: "{{ matrix_client_element_data_path }}"
|
||||
state: absent
|
||||
|
|
|
@ -26,3 +26,23 @@
|
|||
when: "vars | dict2items | selectattr('key', 'match', item.old) | list | items2dict"
|
||||
with_items:
|
||||
- {'old': 'matrix_riot_web_.*', 'new': 'matrix_client_element_.*'}
|
||||
|
||||
- when: matrix_client_element_container_labels_traefik_enabled | bool
|
||||
block:
|
||||
- name: Fail if required matrix-client-element Traefik settings not defined
|
||||
ansible.builtin.fail:
|
||||
msg: >-
|
||||
You need to define a required configuration setting (`{{ item }}`).
|
||||
when: "vars[item] == ''"
|
||||
with_items:
|
||||
- matrix_client_element_container_labels_traefik_hostname
|
||||
- matrix_client_element_container_labels_traefik_path_prefix
|
||||
|
||||
# We ensure it doesn't end with a slash, because we handle both (slash and no-slash).
|
||||
# Knowing that `matrix_client_element_container_labels_traefik_path_prefix` does not end with a slash
|
||||
# ensures we know how to set these routes up without having to do "does it end with a slash" checks elsewhere.
|
||||
- name: Fail if matrix_client_element_container_labels_traefik_path_prefix ends with a slash
|
||||
ansible.builtin.fail:
|
||||
msg: >-
|
||||
matrix_client_element_container_labels_traefik_path_prefix (`{{ matrix_client_element_container_labels_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/element`).
|
||||
when: "matrix_client_element_container_labels_traefik_path_prefix != '/' and matrix_client_element_container_labels_traefik_path_prefix[-1] == '/'"
|
||||
|
|
45
roles/custom/matrix-client-element/templates/labels.j2
Normal file
45
roles/custom/matrix-client-element/templates/labels.j2
Normal file
|
@ -0,0 +1,45 @@
|
|||
{% if matrix_client_element_container_labels_traefik_enabled %}
|
||||
traefik.enable=true
|
||||
|
||||
{% if matrix_client_element_container_labels_traefik_docker_network %}
|
||||
traefik.docker.network={{ matrix_client_element_container_labels_traefik_docker_network }}
|
||||
{% endif %}
|
||||
|
||||
{% set middlewares = [] %}
|
||||
|
||||
{% if matrix_client_element_container_labels_traefik_path_prefix != '/' %}
|
||||
traefik.http.middlewares.matrix-client-element-slashless-redirect.redirectregex.regex=({{ matrix_client_element_container_labels_traefik_path_prefix | quote }})$
|
||||
traefik.http.middlewares.matrix-client-element-slashless-redirect.redirectregex.replacement=${1}/
|
||||
{% set middlewares = middlewares + ['matrix-client-element-slashless-redirect'] %}
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_client_element_container_labels_traefik_path_prefix != '/' %}
|
||||
traefik.http.middlewares.matrix-client-element-strip-prefix.stripprefix.prefixes={{ matrix_client_element_container_labels_traefik_path_prefix }}
|
||||
{% set middlewares = middlewares + ['matrix-client-element-strip-prefix'] %}
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_client_element_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
|
||||
{% for name, value in matrix_client_element_container_labels_traefik_additional_response_headers.items() %}
|
||||
traefik.http.middlewares.matrix-client-element-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
|
||||
{% endfor %}
|
||||
{% set middlewares = middlewares + ['matrix-client-element-add-headers'] %}
|
||||
{% endif %}
|
||||
|
||||
traefik.http.routers.matrix-client-element.rule={{ matrix_client_element_container_labels_traefik_rule }}
|
||||
{% if matrix_client_element_container_labels_traefik_priority | int > 0 %}
|
||||
traefik.http.routers.matrix-client-element.priority={{ matrix_client_element_container_labels_traefik_priority }}
|
||||
{% endif %}
|
||||
traefik.http.routers.matrix-client-element.service=matrix-client-element
|
||||
{% if middlewares | length > 0 %}
|
||||
traefik.http.routers.matrix-client-element.middlewares={{ middlewares | join(',') }}
|
||||
{% endif %}
|
||||
traefik.http.routers.matrix-client-element.entrypoints={{ matrix_client_element_container_labels_traefik_entrypoints }}
|
||||
traefik.http.routers.matrix-client-element.tls={{ matrix_client_element_container_labels_traefik_tls | to_json }}
|
||||
{% if matrix_client_element_container_labels_traefik_tls %}
|
||||
traefik.http.routers.matrix-client-element.tls.certResolver={{ matrix_client_element_container_labels_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
|
||||
traefik.http.services.matrix-client-element.loadbalancer.server.port=8080
|
||||
{% endif %}
|
||||
|
||||
{{ matrix_client_element_container_labels_additional_labels }}
|
|
@ -13,15 +13,18 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
|
|||
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-client-element 2>/dev/null || true'
|
||||
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-client-element 2>/dev/null || true'
|
||||
|
||||
ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-client-element \
|
||||
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
|
||||
--rm \
|
||||
--name=matrix-client-element \
|
||||
--log-driver=none \
|
||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||
--cap-drop=ALL \
|
||||
--read-only \
|
||||
--network={{ matrix_docker_network }} \
|
||||
--network={{ matrix_client_element_container_network }} \
|
||||
{% if matrix_client_element_container_http_host_bind_port %}
|
||||
-p {{ matrix_client_element_container_http_host_bind_port }}:8080 \
|
||||
{% endif %}
|
||||
--label-file={{ matrix_client_element_data_path }}/labels \
|
||||
--tmpfs=/tmp:rw,noexec,nosuid,size=10m \
|
||||
--mount type=bind,src={{ matrix_client_element_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \
|
||||
--mount type=bind,src={{ matrix_client_element_data_path }}/config.json,dst=/app/config.json,ro \
|
||||
|
@ -38,8 +41,15 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
|
|||
{% endfor %}
|
||||
{{ matrix_client_element_docker_image }}
|
||||
|
||||
{% for network in matrix_client_element_container_additional_networks %}
|
||||
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-client-element
|
||||
{% endfor %}
|
||||
|
||||
ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-client-element
|
||||
|
||||
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-client-element 2>/dev/null || true'
|
||||
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-client-element 2>/dev/null || true'
|
||||
|
||||
Restart=always
|
||||
RestartSec=30
|
||||
SyslogIdentifier=matrix-client-element
|
||||
|
|
|
@ -6,7 +6,7 @@ matrix_client_hydrogen_enabled: true
|
|||
matrix_client_hydrogen_container_image_self_build: false
|
||||
matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git"
|
||||
|
||||
matrix_client_hydrogen_version: v0.3.6
|
||||
matrix_client_hydrogen_version: v0.3.8
|
||||
matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vector-im/hydrogen-web:{{ matrix_client_hydrogen_version }}"
|
||||
matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build else 'ghcr.io/' }}"
|
||||
matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}"
|
||||
|
@ -14,17 +14,127 @@ matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docke
|
|||
matrix_client_hydrogen_data_path: "{{ matrix_base_data_path }}/client-hydrogen"
|
||||
matrix_client_hydrogen_docker_src_files_path: "{{ matrix_client_hydrogen_data_path }}/docker-src"
|
||||
|
||||
# The base container network
|
||||
matrix_client_hydrogen_container_network: matrix-client-hydrogen
|
||||
|
||||
# A list of additional container networks that the container would be connected to.
|
||||
# The role does not create these networks, so make sure they already exist.
|
||||
# Use this to expose this container to a reverse proxy, which runs in a different container network.
|
||||
matrix_client_hydrogen_container_additional_networks: []
|
||||
|
||||
# Controls whether the container exposes its HTTP port (tcp/8080 in the container).
|
||||
#
|
||||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8768"), or empty string to not expose.
|
||||
matrix_client_hydrogen_container_http_host_bind_port: ''
|
||||
|
||||
# matrix_client_hydrogen_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
|
||||
# See `../templates/labels.j2` for details.
|
||||
#
|
||||
# To inject your own other container labels, see `matrix_client_hydrogen_container_labels_additional_labels`.
|
||||
matrix_client_hydrogen_container_labels_traefik_enabled: true
|
||||
matrix_client_hydrogen_container_labels_traefik_docker_network: "{{ matrix_client_hydrogen_container_network }}"
|
||||
matrix_client_hydrogen_container_labels_traefik_hostname: "{{ matrix_client_hydrogen_hostname }}"
|
||||
# The path prefix must either be `/` or not end with a slash (e.g. `/hydrogen`).
|
||||
matrix_client_hydrogen_container_labels_traefik_path_prefix: "{{ matrix_client_hydrogen_path_prefix }}"
|
||||
matrix_client_hydrogen_container_labels_traefik_rule: "Host(`{{ matrix_client_hydrogen_container_labels_traefik_hostname }}`){% if matrix_client_hydrogen_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_client_hydrogen_container_labels_traefik_path_prefix }}`){% endif %}"
|
||||
matrix_client_hydrogen_container_labels_traefik_priority: 0
|
||||
matrix_client_hydrogen_container_labels_traefik_entrypoints: web-secure
|
||||
matrix_client_hydrogen_container_labels_traefik_tls: "{{ matrix_client_hydrogen_container_labels_traefik_entrypoints != 'web' }}"
|
||||
matrix_client_hydrogen_container_labels_traefik_tls_certResolver: default # noqa var-naming
|
||||
|
||||
# Controls which additional headers to attach to all HTTP responses.
|
||||
# To add your own headers, use `matrix_client_hydrogen_container_labels_traefik_additional_response_headers_custom`
|
||||
matrix_client_hydrogen_container_labels_traefik_additional_response_headers: "{{ matrix_client_hydrogen_container_labels_traefik_additional_response_headers_auto | combine(matrix_client_hydrogen_container_labels_traefik_additional_response_headers_custom) }}"
|
||||
matrix_client_hydrogen_container_labels_traefik_additional_response_headers_auto: |
|
||||
{{
|
||||
{}
|
||||
| combine ({'X-XSS-Protection': matrix_client_hydrogen_http_header_xss_protection} if matrix_client_hydrogen_http_header_xss_protection else {})
|
||||
| combine ({'X-Frame-Options': matrix_client_hydrogen_http_header_frame_options} if matrix_client_hydrogen_http_header_frame_options else {})
|
||||
| combine ({'X-Content-Type-Options': matrix_client_hydrogen_http_header_content_type_options} if matrix_client_hydrogen_http_header_content_type_options else {})
|
||||
| combine ({'Content-Security-Policy': matrix_client_hydrogen_http_header_content_security_policy} if matrix_client_hydrogen_http_header_content_security_policy else {})
|
||||
| combine ({'Permission-Policy': matrix_client_hydrogen_http_header_content_permission_policy} if matrix_client_hydrogen_http_header_content_permission_policy else {})
|
||||
| combine ({'Strict-Transport-Security': matrix_client_hydrogen_http_header_strict_transport_security} if matrix_client_hydrogen_http_header_strict_transport_security and matrix_client_hydrogen_container_labels_traefik_tls else {})
|
||||
}}
|
||||
matrix_client_hydrogen_container_labels_traefik_additional_response_headers_custom: {}
|
||||
|
||||
# matrix_client_hydrogen_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
|
||||
# See `../templates/labels.j2` for details.
|
||||
#
|
||||
# Example:
|
||||
# matrix_client_hydrogen_container_labels_additional_labels: |
|
||||
# my.label=1
|
||||
# another.label="here"
|
||||
matrix_client_hydrogen_container_labels_additional_labels: ''
|
||||
|
||||
# A list of extra arguments to pass to the container
|
||||
matrix_client_hydrogen_container_extra_arguments: []
|
||||
|
||||
# List of systemd services that matrix-client-hydrogen.service depends on
|
||||
matrix_client_hydrogen_systemd_required_services_list: ['docker.service']
|
||||
|
||||
# Specifies the value of the `X-XSS-Protection` header
|
||||
# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
|
||||
#
|
||||
# Learn more about it is here:
|
||||
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
|
||||
# - https://portswigger.net/web-security/cross-site-scripting/reflected
|
||||
matrix_client_hydrogen_http_header_xss_protection: "1; mode=block"
|
||||
|
||||
# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
|
||||
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
|
||||
matrix_client_hydrogen_http_header_frame_options: SAMEORIGIN
|
||||
|
||||
# Specifies the value of the `X-Content-Type-Options` header.
|
||||
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
|
||||
matrix_client_hydrogen_http_header_content_type_options: nosniff
|
||||
|
||||
# Specifies the value of the `Content-Security-Policy` header.
|
||||
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
|
||||
matrix_client_hydrogen_http_header_content_security_policy: frame-ancestors 'self'
|
||||
|
||||
# Specifies the value of the `Permission-Policy` header.
|
||||
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
|
||||
matrix_client_hydrogen_http_header_content_permission_policy: "{{ 'interest-cohort=() always' if matrix_client_hydrogen_floc_optout_enabled else '' }}"
|
||||
|
||||
# Specifies the value of the `Strict-Transport-Security` header.
|
||||
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
|
||||
matrix_client_hydrogen_http_header_strict_transport_security: "{{ '\"max-age=31536000; includeSubDomains; preload\" always' if matrix_client_hydrogen_hsts_preload_enabled else '\"max-age=31536000; includeSubDomains\" always' }}"
|
||||
|
||||
# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
|
||||
#
|
||||
# Learn more about what it is here:
|
||||
# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
|
||||
# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
|
||||
# - https://amifloced.org/
|
||||
#
|
||||
# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
|
||||
# See: `matrix_client_hydrogen_content_permission_policy`
|
||||
matrix_client_hydrogen_floc_optout_enabled: true
|
||||
|
||||
# Controls if HSTS preloading is enabled
|
||||
#
|
||||
# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
|
||||
# indicates a willingness to be "preloaded" into browsers:
|
||||
# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
|
||||
# For more information visit:
|
||||
# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
|
||||
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
|
||||
# - https://hstspreload.org/#opt-in
|
||||
# See: `matrix_client_hydrogen_http_header_strict_transport_security`
|
||||
matrix_client_hydrogen_hsts_preload_enabled: false
|
||||
|
||||
# The hostname at which Hydrogen is served.
|
||||
# Only works with with Traefik reverse-proxying.
|
||||
# For matrix-nginx-proxy, `matrix_server_fqn_hydrogen` is used and this variable has no effect.
|
||||
matrix_client_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}"
|
||||
|
||||
# The path at which Hydrogen is exposed.
|
||||
# When matrix-nginx-proxy is used, setting this to values other than `/` will cause configuration mismatches and trouble.
|
||||
#
|
||||
# If Traefik is used, the hostname is also configurable - see `matrix_client_hydrogen_container_labels_traefik_hostname`.
|
||||
# This value must either be `/` or not end with a slash (e.g. `/hydrogen`).
|
||||
matrix_client_hydrogen_path_prefix: /
|
||||
|
||||
# Controls whether the self-check feature should validate SSL certificates.
|
||||
matrix_client_hydrogen_self_check_validate_certificates: true
|
||||
|
||||
|
@ -36,7 +146,6 @@ matrix_client_hydrogen_push:
|
|||
matrix_client_hydrogen_default_hs_url: ""
|
||||
matrix_client_hydrogen_bugReportEndpointUrl: "https://element.io/bugreports/submit" # noqa var-naming
|
||||
|
||||
|
||||
# Default Hydrogen configuration template which covers the generic use case.
|
||||
# You can customize it by controlling the various variables inside it.
|
||||
#
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
|
||||
- ansible.builtin.set_fact:
|
||||
matrix_client_hydrogen_url_endpoint_public: "https://{{ matrix_server_fqn_hydrogen }}/config.json"
|
||||
matrix_client_hydrogen_url_endpoint_public: "https://{{ matrix_client_hydrogen_hostname }}{{ matrix_client_hydrogen_path_prefix }}/config.json"
|
||||
|
||||
- name: Check Hydrogen
|
||||
ansible.builtin.uri:
|
||||
|
@ -16,9 +16,9 @@
|
|||
|
||||
- name: Fail if Hydrogen not working
|
||||
ansible.builtin.fail:
|
||||
msg: "Failed checking Hydrogen is up at `{{ matrix_server_fqn_hydrogen }}` (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`). Is Hydrogen running? Is port 443 open in your firewall? Full error: {{ matrix_client_hydrogen_self_check_result }}"
|
||||
msg: "Failed checking Hydrogen is up at `{{ matrix_client_hydrogen_hostname }}` (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`). Is Hydrogen running? Is port 443 open in your firewall? Full error: {{ matrix_client_hydrogen_self_check_result }}"
|
||||
when: "matrix_client_hydrogen_self_check_result.failed or 'json' not in matrix_client_hydrogen_self_check_result"
|
||||
|
||||
- name: Report working Hydrogen
|
||||
ansible.builtin.debug:
|
||||
msg: "Hydrogen at `{{ matrix_server_fqn_hydrogen }}` is working (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`)"
|
||||
msg: "Hydrogen at `{{ matrix_client_hydrogen_hostname }}` is working (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`)"
|
||||
|
|
|
@ -52,7 +52,7 @@
|
|||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"}
|
||||
when: "item.src is not none"
|
||||
- {src: "{{ role_path }}/templates/labels.j2", name: "labels"}
|
||||
|
||||
- name: Ensure Hydrogen Docker image is built
|
||||
community.docker.docker_image:
|
||||
|
@ -65,6 +65,11 @@
|
|||
pull: true
|
||||
when: "matrix_client_hydrogen_container_image_self_build | bool"
|
||||
|
||||
- name: Ensure Hydrogen container network is created
|
||||
community.general.docker_network:
|
||||
name: "{{ matrix_client_hydrogen_container_network }}"
|
||||
driver: bridge
|
||||
|
||||
- name: Ensure matrix-client-hydrogen.service installed
|
||||
ansible.builtin.template:
|
||||
src: "{{ role_path }}/templates/systemd/matrix-client-hydrogen.service.j2"
|
||||
|
|
|
@ -7,3 +7,23 @@
|
|||
when: "(vars[item] == '' or vars[item] is none) and matrix_client_hydrogen_container_image_self_build | bool"
|
||||
with_items:
|
||||
- "matrix_client_hydrogen_default_hs_url"
|
||||
|
||||
- when: matrix_client_hydrogen_container_labels_traefik_enabled | bool
|
||||
block:
|
||||
- name: Fail if required matrix-client-hydrogen Traefik settings not defined
|
||||
ansible.builtin.fail:
|
||||
msg: >-
|
||||
You need to define a required configuration setting (`{{ item }}`).
|
||||
when: "vars[item] == ''"
|
||||
with_items:
|
||||
- matrix_client_hydrogen_container_labels_traefik_hostname
|
||||
- matrix_client_hydrogen_container_labels_traefik_path_prefix
|
||||
|
||||
# We ensure it doesn't end with a slash, because we handle both (slash and no-slash).
|
||||
# Knowing that `matrix_client_hydrogen_container_labels_traefik_path_prefix` does not end with a slash
|
||||
# ensures we know how to set these routes up without having to do "does it end with a slash" checks elsewhere.
|
||||
- name: Fail if matrix_client_hydrogen_container_labels_traefik_path_prefix ends with a slash
|
||||
ansible.builtin.fail:
|
||||
msg: >-
|
||||
matrix_client_hydrogen_container_labels_traefik_path_prefix (`{{ matrix_client_hydrogen_container_labels_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/hydrogen`).
|
||||
when: "matrix_client_hydrogen_container_labels_traefik_path_prefix != '/' and matrix_client_hydrogen_container_labels_traefik_path_prefix[-1] == '/'"
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
"defaultHomeServer": {{ matrix_client_hydrogen_default_hs_url | string | to_json }},
|
||||
"bugReportEndpointUrl": {{ matrix_client_hydrogen_bugReportEndpointUrl | to_json }},
|
||||
"themeManifests": [
|
||||
"assets/theme-element.json"
|
||||
"{{ matrix_client_hydrogen_path_prefix }}assets/theme-element.json"
|
||||
],
|
||||
"defaultTheme": {
|
||||
"light": "element-light",
|
||||
|
|
45
roles/custom/matrix-client-hydrogen/templates/labels.j2
Normal file
45
roles/custom/matrix-client-hydrogen/templates/labels.j2
Normal file
|
@ -0,0 +1,45 @@
|
|||
{% if matrix_client_hydrogen_container_labels_traefik_enabled %}
|
||||
traefik.enable=true
|
||||
|
||||
{% if matrix_client_hydrogen_container_labels_traefik_docker_network %}
|
||||
traefik.docker.network={{ matrix_client_hydrogen_container_labels_traefik_docker_network }}
|
||||
{% endif %}
|
||||
|
||||
{% set middlewares = [] %}
|
||||
|
||||
{% if matrix_client_hydrogen_container_labels_traefik_path_prefix != '/' %}
|
||||
traefik.http.middlewares.matrix-client-hydrogen-slashless-redirect.redirectregex.regex=({{ matrix_client_hydrogen_container_labels_traefik_path_prefix | quote }})$
|
||||
traefik.http.middlewares.matrix-client-hydrogen-slashless-redirect.redirectregex.replacement=${1}/
|
||||
{% set middlewares = middlewares + ['matrix-client-hydrogen-slashless-redirect'] %}
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_client_hydrogen_container_labels_traefik_path_prefix != '/' %}
|
||||
traefik.http.middlewares.matrix-client-hydrogen-strip-prefix.stripprefix.prefixes={{ matrix_client_hydrogen_container_labels_traefik_path_prefix }}
|
||||
{% set middlewares = middlewares + ['matrix-client-hydrogen-strip-prefix'] %}
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_client_hydrogen_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
|
||||
{% for name, value in matrix_client_hydrogen_container_labels_traefik_additional_response_headers.items() %}
|
||||
traefik.http.middlewares.matrix-client-hydrogen-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
|
||||
{% endfor %}
|
||||
{% set middlewares = middlewares + ['matrix-client-hydrogen-add-headers'] %}
|
||||
{% endif %}
|
||||
|
||||
traefik.http.routers.matrix-client-hydrogen.rule={{ matrix_client_hydrogen_container_labels_traefik_rule }}
|
||||
{% if matrix_client_hydrogen_container_labels_traefik_priority | int > 0 %}
|
||||
traefik.http.routers.matrix-client-hydrogen.priority={{ matrix_client_hydrogen_container_labels_traefik_priority }}
|
||||
{% endif %}
|
||||
traefik.http.routers.matrix-client-hydrogen.service=matrix-client-hydrogen
|
||||
{% if middlewares | length > 0 %}
|
||||
traefik.http.routers.matrix-client-hydrogen.middlewares={{ middlewares | join(',') }}
|
||||
{% endif %}
|
||||
traefik.http.routers.matrix-client-hydrogen.entrypoints={{ matrix_client_hydrogen_container_labels_traefik_entrypoints }}
|
||||
traefik.http.routers.matrix-client-hydrogen.tls={{ matrix_client_hydrogen_container_labels_traefik_tls | to_json }}
|
||||
{% if matrix_client_hydrogen_container_labels_traefik_tls %}
|
||||
traefik.http.routers.matrix-client-hydrogen.tls.certResolver={{ matrix_client_hydrogen_container_labels_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
|
||||
traefik.http.services.matrix-client-hydrogen.loadbalancer.server.port=8080
|
||||
{% endif %}
|
||||
|
||||
{{ matrix_client_hydrogen_container_labels_additional_labels }}
|
|
@ -13,25 +13,35 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
|
|||
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null || true'
|
||||
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null || true'
|
||||
|
||||
ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-client-hydrogen \
|
||||
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
|
||||
--rm \
|
||||
--name=matrix-client-hydrogen \
|
||||
--log-driver=none \
|
||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||
--cap-drop=ALL \
|
||||
--read-only \
|
||||
--network={{ matrix_docker_network }} \
|
||||
--network={{ matrix_client_hydrogen_container_network }} \
|
||||
{% if matrix_client_hydrogen_container_http_host_bind_port %}
|
||||
-p {{ matrix_client_hydrogen_container_http_host_bind_port }}:8080 \
|
||||
{% endif %}
|
||||
--label-file={{ matrix_client_hydrogen_data_path }}/labels \
|
||||
--tmpfs=/tmp:rw,noexec,nosuid,size=10m \
|
||||
--mount type=bind,src={{ matrix_client_hydrogen_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \
|
||||
--mount type=bind,src={{ matrix_client_hydrogen_data_path }}/config.json,dst=/usr/share/nginx/html/config.json,ro \
|
||||
--mount type=bind,src={{ matrix_client_hydrogen_data_path }}/config.json,dst=/config.json.bundled,ro \
|
||||
{% for arg in matrix_client_hydrogen_container_extra_arguments %}
|
||||
{{ arg }} \
|
||||
{% endfor %}
|
||||
{{ matrix_client_hydrogen_docker_image }}
|
||||
|
||||
{% for network in matrix_client_hydrogen_container_additional_networks %}
|
||||
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-client-hydrogen
|
||||
{% endfor %}
|
||||
|
||||
ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-client-hydrogen
|
||||
|
||||
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null || true'
|
||||
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null || true'
|
||||
|
||||
Restart=always
|
||||
RestartSec=30
|
||||
SyslogIdentifier=matrix-client-hydrogen
|
||||
|
|
|
@ -8,7 +8,7 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn
|
|||
matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}"
|
||||
matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"
|
||||
|
||||
matrix_coturn_version: 4.6.1-r1
|
||||
matrix_coturn_version: 4.6.1-r2
|
||||
matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine"
|
||||
matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}"
|
||||
matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"
|
||||
|
@ -39,7 +39,8 @@ matrix_coturn_systemd_required_services_list: ['docker.service']
|
|||
# A list of additional "volumes" to mount in the container.
|
||||
# This list gets populated dynamically at runtime. You can provide a different default value,
|
||||
# if you wish to mount your own files into the container.
|
||||
# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
|
||||
# Contains definition objects like this: `{"type": "bind", "src": "/outside", "dst": "/inside", "options": "readonly"}.
|
||||
# See the `--mount` documentation for the `docker run` command.
|
||||
matrix_coturn_container_additional_volumes: []
|
||||
|
||||
# A list of extra arguments to pass to the container
|
||||
|
|
|
@ -35,7 +35,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
|
|||
{% endif %}
|
||||
--mount type=bind,src={{ matrix_coturn_config_path }},dst=/turnserver.conf,ro \
|
||||
{% for volume in matrix_coturn_container_additional_volumes %}
|
||||
-v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \
|
||||
--mount type={{ volume.type | default('bind' if '/' in volume.src else 'volume') }},src={{ volume.src }},dst={{ volume.dst }}{{ (',' + volume.options) if volume.options else '' }} \
|
||||
{% endfor %}
|
||||
{% for arg in matrix_coturn_container_extra_arguments %}
|
||||
{{ arg }} \
|
||||
|
|
|
@ -6,7 +6,7 @@ matrix_dendrite_enabled: true
|
|||
|
||||
matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}"
|
||||
matrix_dendrite_docker_image_name_prefix: "docker.io/"
|
||||
matrix_dendrite_docker_image_tag: "v0.11.0"
|
||||
matrix_dendrite_docker_image_tag: "v0.11.1"
|
||||
matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}"
|
||||
|
||||
matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite"
|
||||
|
@ -84,7 +84,7 @@ matrix_dendrite_max_file_size_bytes: 10485760
|
|||
|
||||
# Controls which HTTP header (e.g. 'X-Forwarded-For', 'X-Real-IP') to inspect to find the real remote IP address of the client.
|
||||
# This is likely required if Dendrite is running behind a reverse proxy server.
|
||||
matrix_dendrite_sync_api_real_ip_header: ''
|
||||
matrix_dendrite_sync_api_real_ip_header: 'X-Forwarded-For'
|
||||
|
||||
# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
|
||||
matrix_dendrite_tmp_directory_size_mb: 500
|
||||
|
|
|
@ -1,65 +0,0 @@
|
|||
---
|
||||
# matrix-grafana is open source visualization and analytics software
|
||||
# See: https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md
|
||||
# Project source code URL: https://github.com/grafana/grafana
|
||||
|
||||
matrix_grafana_enabled: true
|
||||
|
||||
matrix_grafana_version: 9.3.6
|
||||
matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}"
|
||||
matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}"
|
||||
|
||||
# matrix_grafana_dashboard_download_urls holds a list of URLs of dashboards to download
|
||||
matrix_grafana_dashboard_download_urls: []
|
||||
|
||||
matrix_grafana_base_path: "{{ matrix_base_data_path }}/grafana"
|
||||
matrix_grafana_config_path: "{{ matrix_grafana_base_path }}/config"
|
||||
matrix_grafana_data_path: "{{ matrix_grafana_base_path }}/data"
|
||||
|
||||
# Allow viewing Grafana without logging in
|
||||
matrix_grafana_anonymous_access: false
|
||||
|
||||
# When `false`, sends a `X-Frame-Options: deny` HTTP header, which allows Grafana from being embeded in a frame.
|
||||
# Read more here: https://grafana.com/docs/grafana/latest/administration/configuration/#allow_embedding
|
||||
matrix_grafana_allow_embedding: false
|
||||
|
||||
# specify organization name that should be used for unauthenticated users
|
||||
# if you change this in the Grafana admin panel, this needs to be updated
|
||||
# to match to keep anonymous logins working
|
||||
matrix_grafana_anonymous_access_org_name: 'Main Org.'
|
||||
|
||||
|
||||
# default admin credentials, you are asked to change these on first login
|
||||
matrix_grafana_default_admin_user: admin
|
||||
matrix_grafana_default_admin_password: admin
|
||||
|
||||
# Set to true to add the Content-Security-Policy header to your requests.
|
||||
# CSP allows to control resources that the user agent can load and helps
|
||||
# prevent XSS attacks.
|
||||
# [Content Security Policy](https://grafana.com/docs/grafana/latest/administration/configuration/#content_security_policy)
|
||||
matrix_grafana_content_security_policy: true
|
||||
|
||||
# specify content security policy template to customized template
|
||||
# added https: and http: url schemes (ignored by browsers supporting 'strict-dynamic') to be backward compatible with older browsers.
|
||||
# [Content Security Policy Browser Test] (https://content-security-policy.com/browser-test/)
|
||||
# [Content Security Policy Reference](https://content-security-policy.com/script-src/)
|
||||
matrix_grafana_content_security_policy_customized: false
|
||||
matrix_grafana_content_security_policy_template: "script-src 'self' 'unsafe-eval' 'unsafe-inline' http: https: 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src * data:;base-uri 'self';connect-src 'self' grafana.com ws://$ROOT_PATH wss://$ROOT_PATH;manifest-src 'self';media-src 'none';form-action 'self';"
|
||||
|
||||
# matrix_grafana_default_home_dashboard_path influences the `default_home_dashboard_path` grafana.ini setting,
|
||||
# which is an in-container path for the default dashboard.
|
||||
matrix_grafana_default_home_dashboard_path: /etc/grafana/dashboards/node-exporter-full.json
|
||||
|
||||
# A list of extra arguments to pass to the container
|
||||
matrix_grafana_container_extra_arguments: []
|
||||
|
||||
# List of systemd services that matrix-grafana.service depends on
|
||||
matrix_grafana_systemd_required_services_list: ['docker.service']
|
||||
|
||||
# List of systemd services that matrix-grafana.service wants
|
||||
matrix_grafana_systemd_wanted_services_list: []
|
||||
|
||||
# Controls whether the matrix-grafana container exposes its HTTP port (tcp/3000 in the container).
|
||||
#
|
||||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:3000"), or empty string to not expose.
|
||||
matrix_grafana_container_http_host_bind_port: ''
|
|
@ -1,73 +0,0 @@
|
|||
---
|
||||
|
||||
- name: Ensure matrix-grafana image is pulled
|
||||
community.docker.docker_image:
|
||||
name: "{{ matrix_grafana_docker_image }}"
|
||||
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
|
||||
force_source: "{{ matrix_grafana_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
|
||||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_grafana_docker_image_force_pull }}"
|
||||
register: result
|
||||
retries: "{{ devture_playbook_help_container_retries_count }}"
|
||||
delay: "{{ devture_playbook_help_container_retries_delay }}"
|
||||
until: result is not failed
|
||||
|
||||
- name: Ensure grafana paths exists
|
||||
ansible.builtin.file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
mode: 0750
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- "{{ matrix_grafana_base_path }}"
|
||||
- "{{ matrix_grafana_config_path }}"
|
||||
- "{{ matrix_grafana_config_path }}/provisioning"
|
||||
- "{{ matrix_grafana_config_path }}/provisioning/datasources"
|
||||
- "{{ matrix_grafana_config_path }}/provisioning/dashboards"
|
||||
- "{{ matrix_grafana_config_path }}/dashboards"
|
||||
- "{{ matrix_grafana_data_path }}"
|
||||
|
||||
- name: Ensure grafana.ini present
|
||||
ansible.builtin.template:
|
||||
src: "{{ role_path }}/templates/grafana.ini.j2"
|
||||
dest: "{{ matrix_grafana_config_path }}/grafana.ini"
|
||||
mode: 0440
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
|
||||
- name: Ensure provisioning/datasources/default.yaml present
|
||||
ansible.builtin.template:
|
||||
src: "{{ role_path }}/templates/datasources.yaml.j2"
|
||||
dest: "{{ matrix_grafana_config_path }}/provisioning/datasources/default.yaml"
|
||||
mode: 0440
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
|
||||
- name: Ensure provisioning/dashboards/default.yaml present
|
||||
ansible.builtin.template:
|
||||
src: "{{ role_path }}/templates/dashboards.yaml.j2"
|
||||
dest: "{{ matrix_grafana_config_path }}/provisioning/dashboards/default.yaml"
|
||||
mode: 0440
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
|
||||
- name: Ensure dashboard(s) downloaded
|
||||
ansible.builtin.get_url:
|
||||
url: "{{ item }}"
|
||||
dest: "{{ matrix_grafana_config_path }}/dashboards/"
|
||||
force: true
|
||||
mode: 0440
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items: "{{ matrix_grafana_dashboard_download_urls }}"
|
||||
register: result
|
||||
retries: "{{ devture_playbook_help_geturl_retries_count }}"
|
||||
delay: "{{ devture_playbook_help_geturl_retries_delay }}"
|
||||
until: result is not failed
|
||||
|
||||
- name: Ensure matrix-grafana.service installed
|
||||
ansible.builtin.template:
|
||||
src: "{{ role_path }}/templates/systemd/matrix-grafana.service.j2"
|
||||
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-grafana.service"
|
||||
mode: 0644
|
||||
register: matrix_grafana_systemd_service_result
|
|
@ -1,20 +0,0 @@
|
|||
---
|
||||
|
||||
- name: Check existence of matrix-grafana service
|
||||
ansible.builtin.stat:
|
||||
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-grafana.service"
|
||||
register: matrix_grafana_service_stat
|
||||
|
||||
- when: matrix_grafana_service_stat.stat.exists | bool
|
||||
block:
|
||||
- name: Ensure matrix-grafana is stopped
|
||||
ansible.builtin.service:
|
||||
name: matrix-grafana
|
||||
state: stopped
|
||||
enabled: false
|
||||
daemon_reload: true
|
||||
|
||||
- name: Ensure matrix-grafana.service doesn't exist
|
||||
ansible.builtin.file:
|
||||
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-grafana.service"
|
||||
state: absent
|
|
@ -1,16 +0,0 @@
|
|||
---
|
||||
|
||||
- name: Fail if Prometheus not enabled
|
||||
ansible.builtin.fail:
|
||||
msg: >
|
||||
You need to enable `matrix_prometheus_enabled` to use Prometheus as data source for Grafana.
|
||||
when: "not matrix_prometheus_enabled"
|
||||
|
||||
- name: (Deprecation) Catch and report renamed settings
|
||||
ansible.builtin.fail:
|
||||
msg: >-
|
||||
Your configuration contains a variable, which now has a different name.
|
||||
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
|
||||
when: "item.old in vars"
|
||||
with_items:
|
||||
- {'old': 'matrix_grafana_dashboard_download_urls_all', 'new': 'matrix_grafana_dashboard_download_urls'}
|
|
@ -1,9 +0,0 @@
|
|||
apiVersion: 1
|
||||
|
||||
providers:
|
||||
- name: {{ matrix_server_fqn_matrix }} - Dashboards
|
||||
folder: '' # The folder where to place the dashboards
|
||||
type: file
|
||||
allowUiUpdates: true
|
||||
options:
|
||||
path: /etc/grafana/dashboards
|
|
@ -1,8 +0,0 @@
|
|||
apiVersion: 1
|
||||
|
||||
datasources:
|
||||
- name: {{ matrix_server_fqn_matrix }} - Prometheus
|
||||
type: prometheus
|
||||
# Access mode - proxy (server in the UI) or direct (browser in the UI).
|
||||
access: proxy
|
||||
url: http://matrix-prometheus:9090
|
|
@ -1,29 +0,0 @@
|
|||
[server]
|
||||
root_url = "https://{{ matrix_server_fqn_grafana }}"
|
||||
|
||||
[security]
|
||||
# default admin user, created on startup
|
||||
admin_user = "{{ matrix_grafana_default_admin_user }}"
|
||||
|
||||
# default admin password, can be changed before first start of grafana, or in profile settings
|
||||
admin_password = """{{ matrix_grafana_default_admin_password }}"""
|
||||
|
||||
# specify content_security_policy to add the Content-Security-Policy header to your requests
|
||||
content_security_policy = "{{ matrix_grafana_content_security_policy }}"
|
||||
|
||||
# specify content security policy template to customized template
|
||||
{% if matrix_grafana_content_security_policy_customized %}
|
||||
content_security_policy_template = """{{ matrix_grafana_content_security_policy_template }}"""
|
||||
{% endif %}
|
||||
|
||||
allow_embedding = {{ matrix_grafana_allow_embedding }}
|
||||
|
||||
[auth.anonymous]
|
||||
# enable anonymous access
|
||||
enabled = {{ matrix_grafana_anonymous_access }}
|
||||
|
||||
# specify organization name that should be used for unauthenticated users
|
||||
org_name = "{{ matrix_grafana_anonymous_access_org_name }}"
|
||||
|
||||
[dashboards]
|
||||
default_home_dashboard_path = {{ matrix_grafana_default_home_dashboard_path }}
|
|
@ -13,14 +13,16 @@ matrix_jitsi_enable_jaas_components: false
|
|||
matrix_jitsi_enable_p2p: true
|
||||
matrix_jitsi_enable_av_moderation: true
|
||||
matrix_jitsi_enable_breakout_rooms: true
|
||||
matrix_jitsi_disable_gravatar: true
|
||||
|
||||
# Authentication type, must be one of internal, jwt or ldap.
|
||||
# Currently only internal and ldap mechanisms are supported by this playbook.
|
||||
# Authentication type, must be one of internal, jwt, matrix or ldap.
|
||||
# Currently, only internal, matrix and ldap mechanisms are supported by this playbook.
|
||||
# matrix auth verifies against matrix openID, and requires a user-verification-service to run.
|
||||
matrix_jitsi_auth_type: internal
|
||||
|
||||
# A list of Jitsi (Prosody) accounts to create using the internal authentication mechanism.
|
||||
#
|
||||
# Accounts added here and subsquently removed will not be automatically removed
|
||||
# Accounts added here and subsequently removed will not be automatically removed
|
||||
# from the Prosody server until user account cleaning is integrated into the playbook.
|
||||
#
|
||||
# Example:
|
||||
|
@ -49,6 +51,23 @@ matrix_jitsi_ldap_tls_cacert_file: "/etc/ssl/certs/ca-certificates.crt"
|
|||
matrix_jitsi_ldap_tls_cacert_dir: "/etc/ssl/certs"
|
||||
matrix_jitsi_ldap_start_tls: false
|
||||
|
||||
# Auth type: matrix
|
||||
matrix_jitsi_prosody_auth_matrix_user_verification_repo_location: "https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification"
|
||||
matrix_jitsi_prosody_auth_matrix_user_verification_repo_target: "{{ matrix_jitsi_prosody_ext_path }}/prosody_auth_matrix_user_verification"
|
||||
matrix_jitsi_prosody_auth_matrix_user_verification_repo_version: "2839499cb03894d8cfc3e5b2219441427cb133d8" # v1.8.0
|
||||
matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels: true
|
||||
matrix_jitsi_prosody_auth_matrix_uvs_location: ""
|
||||
# Should match domain, see https://github.com/vector-im/element-web/pull/15114/commits/0410a6b3be82a41457275e4d1ce879dea146e092
|
||||
matrix_jitsi_prosody_auth_matrix_jwt_app_id: "{{ matrix_server_fqn_jitsi }}"
|
||||
matrix_jitsi_prosody_auth_matrix_files:
|
||||
- path: "mod_auth_matrix_user_verification.lua"
|
||||
when: true
|
||||
- path: "mod_matrix_power_sync.lua"
|
||||
when: "{{ matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels }}"
|
||||
|
||||
# Plugged in group_vars
|
||||
matrix_jitsi_prosody_auth_matrix_uvs_auth_token: ''
|
||||
|
||||
matrix_jitsi_timezone: UTC
|
||||
|
||||
matrix_jitsi_xmpp_domain: meet.jitsi
|
||||
|
@ -180,6 +199,17 @@ matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_im
|
|||
matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody"
|
||||
matrix_jitsi_prosody_config_path: "{{ matrix_jitsi_prosody_base_path }}/config"
|
||||
matrix_jitsi_prosody_plugins_path: "{{ matrix_jitsi_prosody_base_path }}/prosody-plugins-custom"
|
||||
matrix_jitsi_prosody_ext_path: "{{ matrix_jitsi_prosody_base_path }}/ext"
|
||||
|
||||
# well known is currently only needed for auth type "matrix"
|
||||
matrix_jitsi_require_well_known: "{{ matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix' }}"
|
||||
matrix_jitsi_wellknown_element_jitsi_json: '{"auth": "openidtoken-jwt"}'
|
||||
|
||||
#
|
||||
matrix_jitsi_muc_modules: |
|
||||
{{
|
||||
(['matrix_power_sync'] if matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels | bool else [])
|
||||
}}
|
||||
|
||||
# A list of extra arguments to pass to the container
|
||||
matrix_jitsi_prosody_container_extra_arguments: []
|
||||
|
|
|
@ -67,3 +67,9 @@
|
|||
- setup-all
|
||||
- setup-jitsi
|
||||
- setup-additional-jitsi-jvb
|
||||
|
||||
- block:
|
||||
- when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix'
|
||||
ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_matrix_auth.yml"
|
||||
tags:
|
||||
- self-check
|
||||
|
|
63
roles/custom/matrix-jitsi/tasks/self_check_matrix_auth.yml
Normal file
63
roles/custom/matrix-jitsi/tasks/self_check_matrix_auth.yml
Normal file
|
@ -0,0 +1,63 @@
|
|||
---
|
||||
|
||||
- ansible.builtin.set_fact:
|
||||
matrix_jitsi_prosody_self_check_uvs_health_url: "{{ matrix_jitsi_prosody_auth_matrix_uvs_location }}/health"
|
||||
matrix_jitsi_element_jitsi_well_known_url: "{{ matrix_jitsi_web_public_url }}/.well-known/element/jitsi"
|
||||
|
||||
- name: Check if jitsi serves the .well-known/element/jitsi
|
||||
ansible.builtin.uri:
|
||||
url: "{{ matrix_jitsi_element_jitsi_well_known_url }}"
|
||||
follow_redirects: none
|
||||
return_content: true
|
||||
validate_certs: "{{ matrix_jitsi_self_check_validate_certificates }}"
|
||||
headers:
|
||||
Origin: example.com
|
||||
check_mode: false
|
||||
register: result_well_known_jitsi_element_jitsi
|
||||
ignore_errors: true
|
||||
|
||||
- name: Fail if .well-known not working
|
||||
ansible.builtin.fail:
|
||||
msg: |
|
||||
Failed checking that the Jitsi well-known file for Element auth is configured at `{{ matrix_jitsi_element_jitsi_well_known_url }}`
|
||||
Full error: {{ result_well_known_jitsi_element_jitsi }}
|
||||
when: "result_well_known_jitsi_element_jitsi.failed"
|
||||
|
||||
- name: Parse JSON for well-known payload at the matrix hostname
|
||||
ansible.builtin.set_fact:
|
||||
well_known_matrix_payload: "{{ result_well_known_jitsi_element_jitsi.content | from_json }}"
|
||||
|
||||
- name: Fail if .well-known not CORS-aware
|
||||
ansible.builtin.fail:
|
||||
msg: "The well-known file on `{{ matrix_jitsi_element_jitsi_well_known_url }}` is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set."
|
||||
when: "'access_control_allow_origin' not in result_well_known_jitsi_element_jitsi"
|
||||
|
||||
- name: Report working .well-known
|
||||
ansible.builtin.debug:
|
||||
msg: "well-known is configured correctly at `{{ matrix_jitsi_element_jitsi_well_known_url }}`"
|
||||
|
||||
- name: Check if we can reach the user verification service and if it's healthy
|
||||
ansible.builtin.command:
|
||||
argv:
|
||||
- "docker"
|
||||
- "exec"
|
||||
- "matrix-jitsi-prosody"
|
||||
- "wget"
|
||||
- "-O"
|
||||
- "-"
|
||||
- "--quiet"
|
||||
- "{{ matrix_jitsi_prosody_self_check_uvs_health_url | quote }}"
|
||||
register: matrix_jitsi_prosody_self_check_uvs_result
|
||||
changed_when: false
|
||||
ignore_errors: true
|
||||
|
||||
- name: Fail if user verification service is not (reachable and healthy)
|
||||
ansible.builtin.fail:
|
||||
msg: |
|
||||
Failed checking user verification service is up (checked endpoint: `{{ matrix_jitsi_prosody_self_check_uvs_health_url }}`).
|
||||
Full error: {{ matrix_jitsi_prosody_self_check_uvs_result }}
|
||||
when: "matrix_jitsi_prosody_self_check_uvs_result.failed"
|
||||
|
||||
- name: Report healthy user verification service
|
||||
ansible.builtin.debug:
|
||||
msg: "User verification service is working (checked endpoint: `{{ matrix_jitsi_prosody_self_check_uvs_health_url }}`)"
|
|
@ -11,6 +11,7 @@
|
|||
- {path: "{{ matrix_jitsi_prosody_base_path }}", when: true}
|
||||
- {path: "{{ matrix_jitsi_prosody_config_path }}", when: true}
|
||||
- {path: "{{ matrix_jitsi_prosody_plugins_path }}", when: true}
|
||||
- {path: "{{ matrix_jitsi_prosody_ext_path }}", when: true}
|
||||
when: item.when | bool
|
||||
|
||||
- name: Ensure jitsi-prosody Docker image is pulled
|
||||
|
@ -32,6 +33,43 @@
|
|||
group: "{{ matrix_user_groupname }}"
|
||||
mode: 0640
|
||||
|
||||
# Configure matrix authentication.
|
||||
- name: Install user verification plugin
|
||||
ansible.builtin.include_tasks:
|
||||
file: "{{ role_path }}/tasks/util/setup_jitsi_auth_uvs_install.yml"
|
||||
when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "matrix"
|
||||
|
||||
- name: Manage Jitsi .well-known
|
||||
when: matrix_jitsi_require_well_known | bool
|
||||
block:
|
||||
- name: Ensure .well-known directories exist
|
||||
ansible.builtin.file:
|
||||
path: "{{ item.path }}"
|
||||
state: directory
|
||||
mode: 0775
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- {path: "{{ matrix_static_files_base_path }}/.well-known/element", when: "{{ matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix' }}"}
|
||||
when: item.when | bool
|
||||
|
||||
# Create .well-known/element/jitsi in the static file directory for nginx-proxy.
|
||||
- name: Ensure Jitsi /.well-known/element/jitsi configured
|
||||
ansible.builtin.copy:
|
||||
content: "{{ matrix_jitsi_wellknown_element_jitsi_json }}"
|
||||
dest: "{{ matrix_static_files_base_path }}/.well-known/element/jitsi"
|
||||
mode: 0644
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "matrix"
|
||||
# END Block
|
||||
|
||||
# Remove matrix authentication if disabled
|
||||
- name: Ensure user verification plugin is not present if matrix auth is disabled
|
||||
ansible.builtin.include_tasks:
|
||||
file: "{{ role_path }}/tasks/util/setup_jitsi_auth_uvs_uninstall.yml"
|
||||
when: (not matrix_jitsi_enable_auth | bool) or (matrix_jitsi_auth_type != "matrix")
|
||||
|
||||
- name: Ensure matrix-jitsi-prosody.service file is installed
|
||||
ansible.builtin.template:
|
||||
src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2"
|
||||
|
@ -39,7 +77,9 @@
|
|||
mode: 0644
|
||||
register: matrix_jitsi_prosody_systemd_service_result
|
||||
|
||||
- name: Ensure authentication is properly configured
|
||||
# Tasks that require a running prosody container are called in this file.
|
||||
- name: Run prosody related tasks, that require a running container.
|
||||
ansible.builtin.include_tasks:
|
||||
file: "{{ role_path }}/tasks/util/setup_jitsi_auth.yml"
|
||||
when: matrix_jitsi_enable_auth | bool
|
||||
file: "{{ role_path }}/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml"
|
||||
when:
|
||||
- matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "internal"
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
---
|
||||
#
|
||||
# Tasks related to configuring Jitsi internal authentication on a running prosody instance.
|
||||
#
|
||||
|
||||
- name: Ensure Jitsi internal authentication users are configured
|
||||
ansible.builtin.shell: "{{ devture_systemd_docker_base_host_command_docker }} exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register {{ item.username | quote }} meet.jitsi {{ item.password | quote }}"
|
||||
with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}"
|
||||
when:
|
||||
- matrix_jitsi_prosody_auth_internal_accounts|length > 0
|
||||
register: matrix_jitsi_user_configuration_result
|
||||
changed_when: matrix_jitsi_user_configuration_result.rc == 0
|
||||
no_log: true
|
||||
|
||||
#
|
||||
# Tasks related to clean up after configuring internal authentication.
|
||||
#
|
|
@ -1,42 +0,0 @@
|
|||
---
|
||||
#
|
||||
# Start Necessary Services
|
||||
#
|
||||
|
||||
- name: Ensure matrix-jitsi-prosody container is running
|
||||
ansible.builtin.systemd:
|
||||
state: started
|
||||
name: matrix-jitsi-prosody
|
||||
register: matrix_jitsi_prosody_start_result
|
||||
|
||||
|
||||
#
|
||||
# Tasks related to configuring Jitsi internal authentication
|
||||
#
|
||||
|
||||
- name: Ensure Jitsi internal authentication users are configured
|
||||
ansible.builtin.shell: "{{ devture_systemd_docker_base_host_command_docker }} exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register {{ item.username | quote }} meet.jitsi {{ item.password | quote }}"
|
||||
with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}"
|
||||
when:
|
||||
- matrix_jitsi_auth_type == "internal"
|
||||
- matrix_jitsi_prosody_auth_internal_accounts|length > 0
|
||||
register: matrix_jitsi_user_configuration_result
|
||||
changed_when: matrix_jitsi_user_configuration_result.rc == 0
|
||||
no_log: true
|
||||
|
||||
#
|
||||
# Tasks related to configuring other Jitsi authentication mechanisms
|
||||
#
|
||||
|
||||
#
|
||||
# Tasks related to cleaning after Jitsi authentication configuration
|
||||
#
|
||||
|
||||
#
|
||||
# Stop Necessary Services
|
||||
#
|
||||
- name: Ensure matrix-jitsi-prosody container is stopped if necessary
|
||||
ansible.builtin.systemd:
|
||||
state: stopped
|
||||
name: matrix-jitsi-prosody
|
||||
when: matrix_jitsi_prosody_start_result.changed | bool
|
|
@ -0,0 +1,15 @@
|
|||
---
|
||||
|
||||
- name: Checkout Prosody Auth Matrix User Verification Plugin Repo
|
||||
ansible.builtin.git:
|
||||
repo: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_location }}"
|
||||
dest: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}"
|
||||
version: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_version }}"
|
||||
|
||||
- name: Install Prosody Auth Matrix User Verification Plugin
|
||||
ansible.builtin.copy:
|
||||
remote_src: true
|
||||
src: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}/{{ item.path }}"
|
||||
dest: "{{ matrix_jitsi_prosody_plugins_path }}/{{ item.path }}"
|
||||
with_items: "{{ matrix_jitsi_prosody_auth_matrix_files }}"
|
||||
when: item.when | bool
|
|
@ -0,0 +1,20 @@
|
|||
---
|
||||
|
||||
- name: Remove all files regarding prosody mod auth_matrix_user_verification and .well-known/element/jitsi
|
||||
ansible.builtin.file:
|
||||
path: "{{ item }}"
|
||||
state: absent
|
||||
with_flattened:
|
||||
- "{{ matrix_static_files_base_path }}/.well-known/element/jitsi"
|
||||
- "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}"
|
||||
- "{{ matrix_jitsi_prosody_auth_matrix_files | map(attribute='path') | map('regex_replace', '^', matrix_jitsi_prosody_plugins_path+'/') | list }}"
|
||||
register: matrix_jitsi_prosody_auth_matrix_user_verification_uninstalled
|
||||
|
||||
- when: matrix_jitsi_prosody_auth_matrix_user_verification_uninstalled.changed
|
||||
block:
|
||||
- name: Populate service facts
|
||||
ansible.builtin.service_facts:
|
||||
|
||||
- name: Ensure prosody is restarted later on if currently running
|
||||
ansible.builtin.set_fact:
|
||||
matrix_jitsi_prosody_require_restart: "{{ true if ansible_facts.services['matrix-jitsi-prosody.service']['state'] == 'running' else false }}"
|
|
@ -0,0 +1,49 @@
|
|||
---
|
||||
#####
|
||||
#
|
||||
# This tasks file starts and stops (if state before was stopped) a prosody container during setup to run commands,
|
||||
# that require a running prosody container.
|
||||
# The task is called in ../setup_jitsi_prosody_install.yml.
|
||||
#
|
||||
# Important: The task is called conditionally, as to only start if really needed.
|
||||
# So if you add or change anything - remember to also change the 'when' in: ../setup_jitsi_prosody_install.yml
|
||||
#
|
||||
#####
|
||||
|
||||
#
|
||||
# Start Necessary Services
|
||||
#
|
||||
|
||||
- name: Ensure matrix-jitsi-prosody container is running
|
||||
ansible.builtin.systemd:
|
||||
state: "{{ 'restarted' if matrix_jitsi_prosody_require_restart | default(false) | bool else 'started' }}"
|
||||
name: matrix-jitsi-prosody
|
||||
register: matrix_jitsi_prosody_start_result
|
||||
|
||||
# If the flag was set, we can safely disable now.
|
||||
- name: Disable require restart flag
|
||||
ansible.builtin.set_fact:
|
||||
matrix_jitsi_prosody_require_restart: false
|
||||
|
||||
#
|
||||
# Tasks related to configuring Jitsi internal authentication
|
||||
#
|
||||
|
||||
- name: Ensure internal authentication is properly configured
|
||||
ansible.builtin.include_tasks:
|
||||
file: "{{ role_path }}/tasks/util/prosody_post_setup_hooks/setup_jitsi_auth_internal.yml"
|
||||
when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "internal"
|
||||
|
||||
#
|
||||
# Tasks related to ...
|
||||
#
|
||||
|
||||
|
||||
#
|
||||
# Stop Necessary Services
|
||||
#
|
||||
- name: Ensure matrix-jitsi-prosody container is stopped if necessary
|
||||
ansible.builtin.systemd:
|
||||
state: stopped
|
||||
name: matrix-jitsi-prosody
|
||||
when: matrix_jitsi_prosody_start_result.changed | bool
|
|
@ -25,16 +25,24 @@
|
|||
- "matrix_jitsi_jvb_auth_password"
|
||||
|
||||
|
||||
- name: Fail if a Jitsi internal authentication account is not defined
|
||||
- name: Fail if authentication is enabled, but not properly configured.
|
||||
ansible.builtin.fail:
|
||||
msg: >-
|
||||
You have enabled authentication, but the configured auth type is missing required configuration.
|
||||
|
||||
Auth type 'internal':
|
||||
At least one Jitsi user needs to be defined in `matrix_jitsi_prosody_auth_internal_accounts` when using internal authentication.
|
||||
If you're setting up Jitsi for the first time, you may have missed a step.
|
||||
Refer to our setup instructions (docs/configuring-playbook-jitsi.md).
|
||||
|
||||
Auth type 'matrix':
|
||||
If you want to enable matrix_user_verification in jitsi,
|
||||
please provide an auth token for the user verification service (uvs) using `matrix_jitsi_prosody_auth_matrix_uvs_auth_token`.
|
||||
If the user-verfication-service is also managed by this playbook the token is derived from `matrix_homeserver_generic_secret_key` in the group vars.
|
||||
when:
|
||||
- matrix_jitsi_enable_auth | bool
|
||||
- matrix_jitsi_auth_type == 'internal'
|
||||
- matrix_jitsi_prosody_auth_internal_accounts|length == 0
|
||||
- ((matrix_jitsi_auth_type == 'internal' and matrix_jitsi_prosody_auth_internal_accounts|length == 0)
|
||||
or (matrix_jitsi_auth_type == 'matrix' and matrix_jitsi_prosody_auth_matrix_uvs_auth_token|length == 0))
|
||||
|
||||
|
||||
- name: (Deprecation) Catch and report renamed settings
|
||||
|
|
|
@ -41,6 +41,12 @@ LDAP_TLS_CACERT_DIR={{ matrix_jitsi_ldap_tls_cacert_dir }}
|
|||
LDAP_START_TLS={{ 1 if matrix_jitsi_ldap_start_tls else 0 }}
|
||||
LDAP_URL={{ matrix_jitsi_ldap_url }}
|
||||
LDAP_USE_TLS={{ 1 if matrix_jitsi_ldap_use_tls else 0 }}
|
||||
MATRIX_UVS_ISSUER={{ matrix_jitsi_prosody_auth_matrix_jwt_app_id }}
|
||||
MATRIX_UVS_URL={{ matrix_jitsi_prosody_auth_matrix_uvs_location }}
|
||||
{% if matrix_jitsi_prosody_auth_matrix_uvs_auth_token is defined %}
|
||||
MATRIX_UVS_AUTH_TOKEN={{ matrix_jitsi_prosody_auth_matrix_uvs_auth_token }}
|
||||
{% endif %}
|
||||
MATRIX_UVS_SYNC_POWER_LEVELS={{ 'true' if matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels else 'false' }}
|
||||
PUBLIC_URL={{ matrix_jitsi_web_public_url }}
|
||||
TURN_CREDENTIALS={{ matrix_jitsi_turn_credentials }}
|
||||
TURN_HOST={{ matrix_jitsi_turn_host }}
|
||||
|
@ -55,7 +61,7 @@ XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }}
|
|||
XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }}
|
||||
XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }}
|
||||
XMPP_MODULES={{ matrix_jitsi_xmpp_modules }}
|
||||
XMPP_MUC_MODULES=
|
||||
XMPP_MUC_MODULES={{ matrix_jitsi_muc_modules | join(',') }}
|
||||
XMPP_INTERNAL_MUC_MODULES=
|
||||
XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }}
|
||||
XMPP_CROSS_DOMAIN=true
|
||||
|
|
|
@ -11,6 +11,10 @@ config.p2p.stunServers = [
|
|||
];
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_jitsi_disable_gravatar %}
|
||||
config.gravatar = {'disabled': true};
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_jitsi_etherpad_enabled %}
|
||||
config.etherpad_base = {{ (matrix_jitsi_etherpad_base + '/p/') |to_json }}
|
||||
{% endif %}
|
||||
|
|
|
@ -18,7 +18,9 @@ ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_s
|
|||
|
||||
# ma1sd writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there,
|
||||
# so /tmp needs to be mounted with an exec option.
|
||||
ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-ma1sd \
|
||||
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
|
||||
--rm \
|
||||
--name=matrix-ma1sd \
|
||||
--log-driver=none \
|
||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||
--cap-drop=ALL \
|
||||
|
@ -39,9 +41,11 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
|
|||
{{ matrix_ma1sd_docker_image }}
|
||||
|
||||
{% for network in matrix_ma1sd_container_additional_networks %}
|
||||
ExecStartPost={{ devture_systemd_docker_base_host_command_sh }} -c 'container_name=matrix-ma1sd; network_name={{ network }}; attempt=0; while [ $attempt -le 29 ]; do attempt=$(( $attempt + 1 )); if [ "`{{ devture_systemd_docker_base_host_command_docker }} inspect -f {{ '{{.State.Running}}' }} $container_name 2> /dev/null`" = "true" ]; then break; fi; sleep 1; done; {{ devture_systemd_docker_base_host_command_docker }} network connect $network_name $container_name'
|
||||
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-ma1sd
|
||||
{% endfor %}
|
||||
|
||||
ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-ma1sd
|
||||
|
||||
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-ma1sd 2>/dev/null || true'
|
||||
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-ma1sd 2>/dev/null || true'
|
||||
Restart=always
|
||||
|
|
|
@ -21,6 +21,10 @@ matrix_nginx_proxy_systemd_required_services_list: ['docker.service']
|
|||
# List of systemd services that matrix-nginx-proxy.service wants
|
||||
matrix_nginx_proxy_systemd_wanted_services_list: []
|
||||
|
||||
# The base container network.
|
||||
# Also see: matrix_nginx_proxy_container_additional_networks
|
||||
matrix_nginx_proxy_container_network: "{{ matrix_docker_network }}"
|
||||
|
||||
# A list of additional container networks that matrix-nginx-proxy would be connected to.
|
||||
# The playbook does not create these networks, so make sure they already exist.
|
||||
#
|
||||
|
@ -36,6 +40,67 @@ matrix_nginx_proxy_container_additional_networks: []
|
|||
# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
|
||||
matrix_nginx_proxy_container_additional_volumes: []
|
||||
|
||||
# matrix_nginx_proxy_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
|
||||
# See `../templates/labels.j2` for details.
|
||||
#
|
||||
# To inject your own other container labels, see `matrix_nginx_proxy_container_labels_additional_labels`.
|
||||
matrix_nginx_proxy_container_labels_traefik_enabled: false
|
||||
matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_nginx_proxy_container_network }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_entrypoints: web-secure
|
||||
matrix_nginx_proxy_container_labels_traefik_tls_certResolver: default # noqa var-naming
|
||||
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_enabled: "{{ matrix_nginx_proxy_base_domain_serving_enabled }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_hostname: "{{ matrix_nginx_proxy_base_domain_hostname }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_hostname }}`)"
|
||||
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: false
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_hostname }}`)"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint: "{{ matrix_federation_traefik_entrypoint }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints: "{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint }}"
|
||||
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled: false
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_hostname: "{{ matrix_server_fqn_buscarron }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_hostname }}`)"
|
||||
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled: false
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_dimension_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_hostname }}`)"
|
||||
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: false
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_hostname: "{{ matrix_server_fqn_etherpad }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_hostname }}`)"
|
||||
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: false
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_hostname }}`)"
|
||||
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: false
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_hostname }}`)"
|
||||
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_enabled: false
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_hostname }}`)"
|
||||
|
||||
# matrix_nginx_proxy_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
|
||||
# See `../templates/labels.j2` for details.
|
||||
#
|
||||
# Example:
|
||||
# matrix_nginx_proxy_container_labels_additional_labels: |
|
||||
# my.label=1
|
||||
# another.label="here"
|
||||
matrix_nginx_proxy_container_labels_additional_labels: ''
|
||||
|
||||
|
||||
# A list of extra arguments to pass to the container
|
||||
matrix_nginx_proxy_container_extra_arguments: []
|
||||
|
||||
|
@ -203,6 +268,8 @@ matrix_nginx_proxy_proxy_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }
|
|||
# Controls whether proxying the jitsi domain should be done.
|
||||
matrix_nginx_proxy_proxy_jitsi_enabled: false
|
||||
matrix_nginx_proxy_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}"
|
||||
matrix_nginx_proxy_proxy_jitsi_manage_wellknown: false
|
||||
matrix_nginx_proxy_proxy_jitsi_well_known_configuration_blocks: []
|
||||
|
||||
# Controls whether proxying the grafana domain should be done.
|
||||
matrix_nginx_proxy_proxy_grafana_enabled: false
|
||||
|
|
|
@ -22,6 +22,14 @@
|
|||
- "{{ matrix_nginx_proxy_data_path }}"
|
||||
- "{{ matrix_nginx_proxy_confd_path }}"
|
||||
|
||||
- name: Ensure Matrix nginx-proxy labels file is created
|
||||
ansible.builtin.template:
|
||||
src: "{{ role_path }}/templates/labels.j2"
|
||||
dest: "{{ matrix_nginx_proxy_base_path }}/labels"
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
mode: 0640
|
||||
|
||||
- name: Ensure Matrix nginx-proxy configured (main config override)
|
||||
ansible.builtin.template:
|
||||
src: "{{ role_path }}/templates/nginx/nginx.conf.j2"
|
||||
|
@ -253,6 +261,12 @@
|
|||
state: absent
|
||||
when: "not matrix_nginx_proxy_proxy_riot_compat_redirect_enabled | bool"
|
||||
|
||||
- name: Ensure Matrix nginx-proxy configuration for Element domain deleted
|
||||
ansible.builtin.file:
|
||||
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-element.conf"
|
||||
state: absent
|
||||
when: "not matrix_nginx_proxy_proxy_element_enabled | bool"
|
||||
|
||||
- name: Ensure Matrix nginx-proxy configuration for Hydrogen domain deleted
|
||||
ansible.builtin.file:
|
||||
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-hydrogen.conf"
|
||||
|
|
|
@ -12,7 +12,7 @@ docker run \
|
|||
--name=matrix-certbot \
|
||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||
--cap-drop=ALL \
|
||||
--network="{{ matrix_docker_network }}" \
|
||||
--network="{{ matrix_nginx_proxy_container_network }}" \
|
||||
-p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 \
|
||||
--mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt \
|
||||
--mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt \
|
||||
|
|
120
roles/custom/matrix-nginx-proxy/templates/labels.j2
Normal file
120
roles/custom/matrix-nginx-proxy/templates/labels.j2
Normal file
|
@ -0,0 +1,120 @@
|
|||
{% if matrix_nginx_proxy_container_labels_traefik_enabled %}
|
||||
traefik.enable=true
|
||||
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_docker_network %}
|
||||
traefik.docker.network={{ matrix_nginx_proxy_container_labels_traefik_docker_network }}
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_enabled %}
|
||||
# Base domain
|
||||
traefik.http.routers.matrix-nginx-proxy-base-domain.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_rule }}
|
||||
traefik.http.routers.matrix-nginx-proxy-base-domain.service=matrix-nginx-proxy-web
|
||||
traefik.http.routers.matrix-nginx-proxy-base-domain.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_tls | to_json }}
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_tls %}
|
||||
traefik.http.routers.matrix-nginx-proxy-base-domain.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
traefik.http.routers.matrix-nginx-proxy-base-domain.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled %}
|
||||
# Matrix Client
|
||||
traefik.http.routers.matrix-nginx-proxy-matrix-client.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule }}
|
||||
traefik.http.routers.matrix-nginx-proxy-matrix-client.service=matrix-nginx-proxy-web
|
||||
traefik.http.routers.matrix-nginx-proxy-matrix-client.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls | to_json }}
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls %}
|
||||
traefik.http.routers.matrix-nginx-proxy-matrix-client.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
traefik.http.routers.matrix-nginx-proxy-matrix-client.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
|
||||
|
||||
# Matrix Federation
|
||||
traefik.http.routers.matrix-nginx-proxy-matrix-federation.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule }}
|
||||
traefik.http.routers.matrix-nginx-proxy-matrix-federation.service=matrix-nginx-proxy-federation
|
||||
traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls | to_json }}
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls %}
|
||||
traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
traefik.http.routers.matrix-nginx-proxy-matrix-federation.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints }}
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled %}
|
||||
# Buscarron
|
||||
traefik.http.routers.matrix-nginx-proxy-buscarron.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_rule }}
|
||||
traefik.http.routers.matrix-nginx-proxy-buscarron.service=matrix-nginx-proxy-web
|
||||
traefik.http.routers.matrix-nginx-proxy-buscarron.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_tls | to_json }}
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_tls %}
|
||||
traefik.http.routers.matrix-nginx-proxy-buscarron.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
traefik.http.routers.matrix-nginx-proxy-buscarron.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled %}
|
||||
# Dimension
|
||||
traefik.http.routers.matrix-nginx-proxy-dimension.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_rule }}
|
||||
traefik.http.routers.matrix-nginx-proxy-dimension.service=matrix-nginx-proxy-web
|
||||
traefik.http.routers.matrix-nginx-proxy-dimension.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls | to_json }}
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls %}
|
||||
traefik.http.routers.matrix-nginx-proxy-dimension.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
traefik.http.routers.matrix-nginx-proxy-dimension.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled %}
|
||||
# Etherpad
|
||||
traefik.http.routers.matrix-nginx-proxy-etherpad.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_rule }}
|
||||
traefik.http.routers.matrix-nginx-proxy-etherpad.service=matrix-nginx-proxy-web
|
||||
traefik.http.routers.matrix-nginx-proxy-etherpad.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls | to_json }}
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls %}
|
||||
traefik.http.routers.matrix-nginx-proxy-etherpad.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
traefik.http.routers.matrix-nginx-proxy-etherpad.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled %}
|
||||
# Go NEB bot
|
||||
traefik.http.routers.matrix-nginx-proxy-bot_go_neb.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_rule }}
|
||||
traefik.http.routers.matrix-nginx-proxy-bot_go_neb.service=matrix-nginx-proxy-web
|
||||
traefik.http.routers.matrix-nginx-proxy-bot_go_neb.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_tls | to_json }}
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_tls %}
|
||||
traefik.http.routers.matrix-nginx-proxy-bot_go_neb.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
traefik.http.routers.matrix-nginx-proxy-bot_go_neb.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled %}
|
||||
# Jitsi
|
||||
traefik.http.routers.matrix-nginx-proxy-jitsi.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_rule }}
|
||||
traefik.http.routers.matrix-nginx-proxy-jitsi.service=matrix-nginx-proxy-web
|
||||
traefik.http.routers.matrix-nginx-proxy-jitsi.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_tls | to_json }}
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_tls %}
|
||||
traefik.http.routers.matrix-nginx-proxy-jitsi.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
traefik.http.routers.matrix-nginx-proxy-jitsi.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_enabled %}
|
||||
# Sygnal
|
||||
traefik.http.routers.matrix-nginx-proxy-sygnal.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_rule }}
|
||||
traefik.http.routers.matrix-nginx-proxy-sygnal.service=matrix-nginx-proxy-web
|
||||
traefik.http.routers.matrix-nginx-proxy-sygnal.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_tls | to_json }}
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_tls %}
|
||||
traefik.http.routers.matrix-nginx-proxy-sygnal.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
traefik.http.routers.matrix-nginx-proxy-sygnal.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
|
||||
{% endif %}
|
||||
|
||||
|
||||
traefik.http.services.matrix-nginx-proxy-web.loadbalancer.server.port=8080
|
||||
|
||||
{% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %}
|
||||
traefik.http.services.matrix-nginx-proxy-federation.loadbalancer.server.port={{ matrix_nginx_proxy_proxy_matrix_federation_port }}
|
||||
{% endif %}
|
||||
|
||||
{% endif %}
|
||||
|
||||
{{ matrix_nginx_proxy_container_labels_additional_labels }}
|
|
@ -18,6 +18,15 @@
|
|||
{{- configuration_block }}
|
||||
{% endfor %}
|
||||
|
||||
{% if matrix_nginx_proxy_proxy_jitsi_manage_wellknown %}
|
||||
location /.well-known {
|
||||
root {{ matrix_static_files_base_path }};
|
||||
expires 4h;
|
||||
default_type application/json;
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
location / {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
|
@ -75,7 +84,7 @@
|
|||
{% if matrix_nginx_proxy_enabled %}
|
||||
resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;
|
||||
set $backend {{ matrix_jitsi_xmpp_bosh_url_base }};
|
||||
proxy_pass $backend/xmpp-websocket;
|
||||
proxy_pass $backend$request_uri;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://127.0.0.1:5280;
|
||||
|
|
|
@ -21,7 +21,7 @@
|
|||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;
|
||||
set $backend "matrix-ntfy:8080";
|
||||
set $backend "matrix-ntfy:80";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
|
|
|
@ -16,13 +16,16 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
|
|||
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-nginx-proxy 2>/dev/null || true'
|
||||
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-nginx-proxy 2>/dev/null || true'
|
||||
|
||||
ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-nginx-proxy \
|
||||
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
|
||||
--rm \
|
||||
--name=matrix-nginx-proxy \
|
||||
--log-driver=none \
|
||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||
--cap-drop=ALL \
|
||||
--read-only \
|
||||
--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_nginx_proxy_tmp_directory_size_mb }}m \
|
||||
--network={{ matrix_docker_network }} \
|
||||
--label-file={{ matrix_nginx_proxy_base_path }}/labels \
|
||||
--network={{ matrix_nginx_proxy_container_network }} \
|
||||
{% if matrix_nginx_proxy_container_http_host_bind_port %}
|
||||
-p {{ matrix_nginx_proxy_container_http_host_bind_port }}:8080 \
|
||||
{% endif %}
|
||||
|
@ -48,9 +51,11 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
|
|||
{{ matrix_nginx_proxy_docker_image }}
|
||||
|
||||
{% for network in matrix_nginx_proxy_container_additional_networks %}
|
||||
ExecStartPost={{ devture_systemd_docker_base_host_command_sh }} -c 'container_name=matrix-nginx-proxy; network_name={{ network }}; attempt=0; while [ $attempt -le 29 ]; do attempt=$(( $attempt + 1 )); if [ "`{{ devture_systemd_docker_base_host_command_docker }} inspect -f {{ '{{.State.Running}}' }} $container_name 2> /dev/null`" = "true" ]; then break; fi; sleep 1; done; {{ devture_systemd_docker_base_host_command_docker }} network connect $network_name $container_name'
|
||||
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-nginx-proxy
|
||||
{% endfor %}
|
||||
|
||||
ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-nginx-proxy
|
||||
|
||||
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-nginx-proxy 2>/dev/null || true'
|
||||
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-nginx-proxy 2>/dev/null || true'
|
||||
ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-nginx-proxy /usr/sbin/nginx -s reload
|
||||
|
|
|
@ -1,56 +0,0 @@
|
|||
---
|
||||
# Project source code URL: https://github.com/binwiederhier/ntfy
|
||||
|
||||
matrix_ntfy_enabled: true
|
||||
|
||||
matrix_ntfy_base_path: "{{ matrix_base_data_path }}/ntfy"
|
||||
matrix_ntfy_config_dir_path: "{{ matrix_ntfy_base_path }}/config"
|
||||
matrix_ntfy_data_path: "{{ matrix_ntfy_base_path }}/data"
|
||||
|
||||
matrix_ntfy_version: v1.30.1
|
||||
matrix_ntfy_docker_image: "{{ matrix_container_global_registry_prefix }}binwiederhier/ntfy:{{ matrix_ntfy_version }}"
|
||||
matrix_ntfy_docker_image_force_pull: "{{ matrix_ntfy_docker_image.endswith(':latest') }}"
|
||||
|
||||
# Public facing base URL of the ntfy service
|
||||
matrix_ntfy_base_url: "https://{{ matrix_server_fqn_ntfy }}"
|
||||
|
||||
# Rate limits
|
||||
|
||||
matrix_ntfy_global_topic_limit: 15000 # default
|
||||
matrix_ntfy_visitor_subscription_limit: 30 # default
|
||||
matrix_ntfy_visitor_request_limit_burst: 60 # default
|
||||
matrix_ntfy_visitor_request_limit_replenish: "5s" # default
|
||||
|
||||
|
||||
# Controls whether the container exposes its HTTP port (tcp/80 in the container).
|
||||
#
|
||||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:2586"), or empty string to not expose.
|
||||
matrix_ntfy_container_http_host_bind_port: ''
|
||||
|
||||
# A list of extra arguments to pass to the container (`docker run` command)
|
||||
matrix_ntfy_container_extra_arguments: []
|
||||
|
||||
# Controls whether the self-check feature should validate SSL certificates.
|
||||
matrix_ntfy_self_check_validate_certificates: true
|
||||
|
||||
# Default ntfy configuration template which covers the generic use case.
|
||||
# You can customize it by controlling the various variables inside it.
|
||||
#
|
||||
# For a more advanced customization, you can extend the default (see `matrix_ntfy_configuration_extension_yaml`)
|
||||
# or completely replace this variable with your own template.
|
||||
matrix_ntfy_configuration_yaml: "{{ lookup('template', 'templates/ntfy/server.yml.j2') }}"
|
||||
|
||||
matrix_ntfy_configuration_extension_yaml: |
|
||||
# Your custom YAML configuration for ntfy goes here.
|
||||
# This configuration extends the default starting configuration (`matrix_ntfy_configuration_yaml`).
|
||||
#
|
||||
# You can override individual variables from the default configuration, or introduce new ones.
|
||||
#
|
||||
# If you need something more special, you can take full control by
|
||||
# completely redefining `matrix_ntfy_configuration_yaml`.
|
||||
|
||||
matrix_ntfy_configuration_extension: "{{ matrix_ntfy_configuration_extension_yaml | from_yaml if matrix_ntfy_configuration_extension_yaml | from_yaml is mapping else {} }}"
|
||||
|
||||
# Holds the final ntfy configuration (a combination of the default and its extension).
|
||||
# You most likely don't need to touch this variable. Instead, see `matrix_ntfy_configuration_yaml`.
|
||||
matrix_ntfy_configuration: "{{ matrix_ntfy_configuration_yaml | from_yaml | combine(matrix_ntfy_configuration_extension, recursive=True) }}"
|
|
@ -1,23 +0,0 @@
|
|||
---
|
||||
|
||||
- block:
|
||||
- when: matrix_ntfy_enabled | bool
|
||||
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-ntfy
|
||||
- install-all
|
||||
- install-ntfy
|
||||
|
||||
- block:
|
||||
- when: not matrix_ntfy_enabled | bool
|
||||
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-ntfy
|
||||
|
||||
- block:
|
||||
- when: matrix_ntfy_enabled | bool
|
||||
ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml"
|
||||
tags:
|
||||
- self-check
|
|
@ -1,27 +0,0 @@
|
|||
---
|
||||
|
||||
# Query an arbitrary ntfy topic using ntfy's UnifiedPush topic name syntax.
|
||||
# Expect an empty response (because we query 'since=1s').
|
||||
|
||||
- ansible.builtin.set_fact:
|
||||
matrix_ntfy_url_endpoint_public: "{{ matrix_ntfy_base_url }}/upSELFCHECK123/json?poll=1&since=1s"
|
||||
|
||||
- name: Check ntfy
|
||||
ansible.builtin.uri:
|
||||
url: "{{ matrix_ntfy_url_endpoint_public }}"
|
||||
follow_redirects: none
|
||||
validate_certs: "{{ matrix_ntfy_self_check_validate_certificates }}"
|
||||
register: matrix_ntfy_self_check_result
|
||||
check_mode: false
|
||||
ignore_errors: true
|
||||
delegate_to: 127.0.0.1
|
||||
become: false
|
||||
|
||||
- name: Fail if ntfy not working
|
||||
ansible.builtin.fail:
|
||||
msg: "Failed checking ntfy is up at `{{ matrix_server_fqn_ntfy }}` (checked endpoint: `{{ matrix_ntfy_url_endpoint_public }}`). Is ntfy running? Is port 443 open in your firewall? Full error: {{ matrix_ntfy_self_check_result }}"
|
||||
when: "matrix_ntfy_self_check_result.failed"
|
||||
|
||||
- name: Report working ntfy
|
||||
ansible.builtin.debug:
|
||||
msg: "ntfy at `{{ matrix_server_fqn_ntfy }}` is working (checked endpoint: `{{ matrix_ntfy_url_endpoint_public }}`)"
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue