From 6438f1ff427cfbb604399c23e25f4371eb671cdd Mon Sep 17 00:00:00 2001 From: Tilo Spannagel Date: Sun, 19 Feb 2023 17:16:17 +0100 Subject: [PATCH 01/47] Add matrix_playbook_ssl_enabled: true to configuring-playbook-own-webserver.md Otherwise the public hookshot url will use http and not https --- docs/configuring-playbook-own-webserver.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 6377b8b1..e7dc2455 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -127,6 +127,9 @@ This is the recommended way for using another reverse-proxy, because the integra # playbook-managed-proxy is the default right now, so we can keep this commented out. # matrix_playbook_reverse_proxy_type: playbook-managed-nginx +# Ensure that public urls use https +matrix_playbook_ssl_enabled: true + # Disable SSL certificate retrieval matrix_ssl_retrieval_method: none @@ -150,6 +153,9 @@ matrix_nginx_proxy_container_federation_host_bind_port: '127.0.0.1:8449' ```yaml matrix_playbook_reverse_proxy_type: playbook-managed-traefik +# Ensure that public urls use https +matrix_playbook_ssl_enabled: true + # Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval devture_traefik_config_entrypoint_web_secure_enabled: false From 6cdbde01d7c2fa980e18853d0118e554e10def86 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 20 Feb 2023 16:50:39 +0200 Subject: [PATCH 02/47] Fix various Traefik headers syntax `always` is an nginx suffix, which shouldn't have been added to these. --- roles/custom/matrix-client-cinny/defaults/main.yml | 4 ++-- roles/custom/matrix-client-element/defaults/main.yml | 4 ++-- roles/custom/matrix-client-hydrogen/defaults/main.yml | 4 ++-- roles/custom/matrix-synapse-admin/defaults/main.yml | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) 
diff --git a/roles/custom/matrix-client-cinny/defaults/main.yml b/roles/custom/matrix-client-cinny/defaults/main.yml index 5e5f216f..f1114c36 100644 --- a/roles/custom/matrix-client-cinny/defaults/main.yml +++ b/roles/custom/matrix-client-cinny/defaults/main.yml @@ -95,11 +95,11 @@ matrix_client_cinny_http_header_content_security_policy: frame-ancestors 'self' # Specifies the value of the `Permission-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy -matrix_client_cinny_http_header_content_permission_policy: "{{ 'interest-cohort=() always' if matrix_client_cinny_floc_optout_enabled else '' }}" +matrix_client_cinny_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_client_cinny_floc_optout_enabled else '' }}" # Specifies the value of the `Strict-Transport-Security` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -matrix_client_cinny_http_header_strict_transport_security: "{{ '\"max-age=31536000; includeSubDomains; preload\" always' if matrix_client_cinny_hsts_preload_enabled else '\"max-age=31536000; includeSubDomains\" always' }}" +matrix_client_cinny_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_client_cinny_hsts_preload_enabled else '' }}" # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses # diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 4ab72bab..c9540ae0 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml 
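Review bot: The `else ''` branch of `matrix_client_cinny_http_header_content_permission_policy` on the first `+` line yields an empty header value whenever FLoC opt-out is disabled; unless the label template that consumes this variable skips empty values (not visible here), Traefik would be asked to emit a bare `Permissions-Policy` header, so the consumer should be confirmed to guard on the value being non-empty. The comment above that line, and its MDN link, name the header `Permission-Policy`, whereas the real header is `Permissions-Policy` (as the last context comment in this hunk already says); the comment should read `# Specifies the value of the \`Permissions-Policy\` header.` with the link adjusted to match. The same two points apply to the element, hydrogen and synapse-admin hunks that follow.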
@@ -98,11 +98,11 @@ matrix_client_element_http_header_content_security_policy: frame-ancestors 'self # Specifies the value of the `Permission-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy -matrix_client_element_http_header_content_permission_policy: "{{ 'interest-cohort=() always' if matrix_client_element_floc_optout_enabled else '' }}" +matrix_client_element_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_client_element_floc_optout_enabled else '' }}" # Specifies the value of the `Strict-Transport-Security` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -matrix_client_element_http_header_strict_transport_security: "{{ '\"max-age=31536000; includeSubDomains; preload\" always' if matrix_client_element_hsts_preload_enabled else '\"max-age=31536000; includeSubDomains\" always' }}" +matrix_client_element_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_client_element_hsts_preload_enabled else '' }}" # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses # diff --git a/roles/custom/matrix-client-hydrogen/defaults/main.yml b/roles/custom/matrix-client-hydrogen/defaults/main.yml index 35d18cd9..f3ddb81b 100644 --- a/roles/custom/matrix-client-hydrogen/defaults/main.yml +++ b/roles/custom/matrix-client-hydrogen/defaults/main.yml 
@@ -94,11 +94,11 @@ matrix_client_hydrogen_http_header_content_security_policy: frame-ancestors 'sel # Specifies the value of the `Permission-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy -matrix_client_hydrogen_http_header_content_permission_policy: "{{ 'interest-cohort=() always' if matrix_client_hydrogen_floc_optout_enabled else '' }}" +matrix_client_hydrogen_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_client_hydrogen_floc_optout_enabled else '' }}" # Specifies the value of the `Strict-Transport-Security` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -matrix_client_hydrogen_http_header_strict_transport_security: "{{ '\"max-age=31536000; includeSubDomains; preload\" always' if matrix_client_hydrogen_hsts_preload_enabled else '\"max-age=31536000; includeSubDomains\" always' }}" +matrix_client_hydrogen_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_client_hydrogen_hsts_preload_enabled else '' }}" # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses # diff --git a/roles/custom/matrix-synapse-admin/defaults/main.yml b/roles/custom/matrix-synapse-admin/defaults/main.yml index 91383a9e..ae912f71 100644 --- a/roles/custom/matrix-synapse-admin/defaults/main.yml +++ b/roles/custom/matrix-synapse-admin/defaults/main.yml 
@@ -102,11 +102,11 @@ matrix_synapse_admin_http_header_content_security_policy: frame-ancestors 'self' # Specifies the value of the `Permission-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy -matrix_synapse_admin_http_header_content_permission_policy: "{{ 'interest-cohort=() always' if matrix_synapse_admin_floc_optout_enabled else '' }}" +matrix_synapse_admin_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_synapse_admin_floc_optout_enabled else '' }}" # Specifies the value of the `Strict-Transport-Security` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -matrix_synapse_admin_http_header_strict_transport_security: "{{ '\"max-age=31536000; includeSubDomains; preload\" always' if matrix_synapse_admin_hsts_preload_enabled else '\"max-age=31536000; includeSubDomains\" always' }}" +matrix_synapse_admin_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_synapse_admin_hsts_preload_enabled else '' }}" # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses # From 8e592fb0c1761610e8dd79ba948ac5df18fc3328 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 20 Feb 2023 16:53:19 +0200 Subject: [PATCH 03/47] Upgrade grafana role (v9.3.6-1 -> v9.3.6-2) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 3f48cec2..67a1efc2 100644 --- a/requirements.yml +++ b/requirements.yml @@ -40,7 +40,7 @@ version: v1.2.3-1.7.6-0 - src: git+https://gitlab.com/etke.cc/roles/grafana.git - version: v9.3.6-1 + version: v9.3.6-2 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git version: v2.0.1-0 From ba429f6a403131339c940684dc5a1e678558b53c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Bergr=C3=BCbe?= <68869895+Bergruebe@users.noreply.github.com> Date: Mon, 20 Feb 2023 16:59:38 +0100 Subject: [PATCH 04/47] Added matrix_nginx_proxy_https_enabled to the own-nginx documentation --- docs/configuring-playbook-own-webserver.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index e7dc2455..34e0bf3e 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -185,6 +185,9 @@ If you'll be using `nginx` running on the same machine (not in a container), you ```yaml matrix_playbook_reverse_proxy_type: other-nginx-non-container +# If you want https configured in /matrix/nginx-proxy/conf.d/ +matrix_nginx_proxy_https_enabled: true + # If you will manage SSL certificates yourself, uncomment the line below # matrix_ssl_retrieval_method: none From 601b67c02d45f9bae711e0e6655c60b597d8a05c Mon Sep 17 00:00:00 2001 From: Catalan Lover Date: Mon, 20 Feb 2023 22:21:02 +0100 Subject: [PATCH 05/47] Update Draupnir Config --- .../templates/production.yaml.j2 | 78 ++++++++++--------- 1 file changed, 43 insertions(+), 35 deletions(-) diff --git a/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 index dcc61b1b..2dbff886 100644 --- a/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 +++ b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 
@@ -1,79 +1,79 @@ -# Endpoint URL that draupnir uses to interact with the matrix homeserver (client-server API), +# Endpoint URL that Draupnir uses to interact with the matrix homeserver (client-server API), # set this to the pantalaimon URL if you're using that. homeserverUrl: "{{ matrix_homeserver_url }}" -# Endpoint URL that draupnir could use to fetch events related to reports (client-server API and /_synapse/), +# Endpoint URL that Draupnir could use to fetch events related to reports (client-server API and /_synapse/), # only set this to the public-internet homeserver client API URL, do NOT set this to the pantalaimon URL. rawHomeserverUrl: "{{ matrix_homeserver_url }}" -# Matrix Access Token to use, draupnir will only use this if pantalaimon.use is false. +# Matrix Access Token to use, Draupnir will only use this if pantalaimon.use is false. accessToken: "{{ matrix_bot_draupnir_access_token }}" # Options related to Pantalaimon (https://github.com/matrix-org/pantalaimon) #pantalaimon: -# # Whether or not draupnir will use pantalaimon to access the matrix homeserver, +# # Whether or not Draupnir will use pantalaimon to access the matrix homeserver, # # set to `true` if you're using pantalaimon. # # # # Be sure to point homeserverUrl to the pantalaimon instance. # # -# # draupnir will log in using the given username and password once, +# # Draupnir will log in using the given username and password once, # # then store the resulting access token in a file under dataPath. # use: false # # # The username to login with. # username: draupnir # -# # The password draupnir will login with. +# # The password Draupnir will login with. # # # # After successfully logging in once, this will be ignored, so this value can be blanked after first startup. # password: your_password -# The path draupnir will store its state/data in, leave default ("/data/storage") when using containers. 
+# The path Draupnir will store its state/data in, leave default ("/data/storage") when using containers. dataPath: "/data" -# If true (the default), draupnir will only accept invites from users present in managementRoom. +# If true (the default), Draupnir will only accept invites from users present in managementRoom. autojoinOnlyIfManager: true # If `autojoinOnlyIfManager` is false, only the members in this space can invite # the bot to new rooms. -#acceptInvitesFromSpace: "!example:example.org" +acceptInvitesFromSpace: "!example:example.org" -# Whether draupnir should report ignored invites to the management room (if autojoinOnlyIfManager is true). +# Whether Draupnir should report ignored invites to the management room (if autojoinOnlyIfManager is true). recordIgnoredInvites: false -# The room ID (or room alias) of the management room, anyone in this room can issue commands to draupnir. +# The room ID (or room alias) of the management room, anyone in this room can issue commands to Draupnir. # -# draupnir has no more granular access controls other than this, be sure you trust everyone in this room - secure it! +# Draupnir has no more granular access controls other than this, be sure you trust everyone in this room - secure it! # # This should be a room alias or room ID - not a matrix.to URL. # -# Note: By default, draupnir is fairly verbose - expect a lot of messages in this room. +# Note: By default, Draupnir is fairly verbose - expect a lot of messages in this room. # (see verboseLogging to adjust this a bit.) -managementRoom: "{{ matrix_bot_draupnir_management_room }}" +managementRoom: "#moderators:example.org" -# Whether draupnir should log a lot more messages in the room, -# mainly involves "all-OK" messages, and debugging messages for when draupnir checks bans in a room. -verboseLogging: false +# Whether Draupnir should log a lot more messages in the room, +# mainly involves "all-OK" messages, and debugging messages for when Draupnir checks bans in a room. 
+verboseLogging: true # The log level of terminal (or container) output, # can be one of DEBUG, INFO, WARN and ERROR, in increasing order of importance and severity. # -# This should be at INFO or DEBUG in order to get support for draupnir problems. +# This should be at INFO or DEBUG in order to get support for Draupnir problems. logLevel: "INFO" -# Whether or not draupnir should synchronize policy lists immediately after startup. +# Whether or not Draupnir should synchronize policy lists immediately after startup. # Equivalent to running '!draupnir sync'. syncOnStartup: true -# Whether or not draupnir should check moderation permissions in all protected rooms on startup. +# Whether or not Draupnir should check moderation permissions in all protected rooms on startup. # Equivalent to running `!draupnir verify`. verifyPermissionsOnStartup: true -# Whether or not draupnir should actually apply bans and policy lists, +# Whether or not Draupnir should actually apply bans and policy lists, # turn on to trial some untrusted configuration or lists. noop: false -# Whether draupnir should check member lists quicker (by using a different endpoint), +# Whether Draupnir should check member lists quicker (by using a different endpoint), # keep in mind that enabling this will miss invited (but not joined) users. # # Turn on if your bot is in (very) large rooms, or in large amounts of rooms. @@ -94,7 +94,7 @@ automaticallyRedactForReasons: - "spam" - "advertising" -# A list of rooms to protect. draupnir will add this to the list it knows from its account data. +# A list of rooms to protect. Draupnir will add this to the list it knows from its account data. # # It won't, however, add it to the account data. # Manually add the room via '!draupnir rooms add' to have it stay protected regardless if this config value changes. 
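Review bot: `managementRoom: "#moderators:example.org"` replaces the templated `{{ matrix_bot_draupnir_management_room }}`, so every rendered config now points the bot at a placeholder room instead of the operator's configured one; since the comment in this same hunk states that membership of that room is Draupnir's only access control, this breaks command authorization for real deployments. The line should stay `managementRoom: "{{ matrix_bot_draupnir_management_room }}"`. In the same hunk, `acceptInvitesFromSpace` is un-commented with the literal `"!example:example.org"` (inert while `autojoinOnlyIfManager` is true, but still a placeholder baked into a template) and `verboseLogging` flips from `false` to `true` without a variable or a mention in the commit message; both look like an upstream sample config pasted over the template rather than intended changes.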
@@ -116,21 +116,21 @@ automaticallyRedactForReasons: # Explicitly add these rooms as a protected room list if you want them protected. protectAllJoinedRooms: false -# Increase this delay to have Mjölnir wait longer between two consecutive backgrounded +# Increase this delay to have Draupnir wait longer between two consecutive backgrounded # operations. The total duration of operations will be longer, but the homeserver won't -# be affected as much. Conversely, decrease this delay to have Mjölnir chain operations +# be affected as much. Conversely, decrease this delay to have Draupnir chain operations # faster. The total duration of operations will generally be shorter, but the performance # of the homeserver may be more impacted. backgroundDelayMS: 500 -# Server administration commands, these commands will only work if draupnir is +# Server administration commands, these commands will only work if Draupnir is # a global server administrator, and the bot's server is a Synapse instance. -#admin: -# # Whether or not draupnir can temporarily take control of any eligible account from the local homeserver who's in the room -# # (with enough permissions) to "make" a user an admin. -# # -# # This only works if a local user with enough admin permissions is present in the room. -# enableMakeRoomAdminCommand: false +admin: + # Whether or not Draupnir can temporarily take control of any eligible account from the local homeserver who's in the room + # (with enough permissions) to "make" a user an admin. + # + # This only works if a local user with enough admin permissions is present in the room. + enableMakeRoomAdminCommand: true # Misc options for command handling and commands commands: 
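Review bot: `enableMakeRoomAdminCommand: true` turns on, for every deployment, a command that (per the comment directly above it) lets the bot temporarily take control of any eligible local account in a room to grant admin; the block was previously commented out, i.e. off by default. It only has effect where the bot account is a Synapse server admin, as the surrounding comment notes, but a capability this broad should be opt-in: drive it from a role default that is `false` unless the operator sets it, e.g. `enableMakeRoomAdminCommand: {{ <new role variable, default false> | to_json }}`, and call the behaviour change out in the commit message.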
@@ -138,20 +138,28 @@ commands: # # If `true`, will allow commands like `!ban`, `!help`, etc. # - # Note: draupnir can also be pinged by display name instead of having to use + # Note: Draupnir can also be pinged by display name instead of having to use # the !draupnir prefix. For example, "my_moderator_bot: ban @spammer:example.org" # will address only my_moderator_bot. allowNoPrefix: false - # Any additional bot prefixes that draupnir will listen to. i.e. adding `mod` will allow `!mod help`. + # Any additional bot prefixes that Draupnir will listen to. i.e. adding `mod` will allow `!mod help`. additionalPrefixes: - - "draupnir_bot" + - "draupnir-bot" - "draupnir" # Whether or not commands with a wildcard (*) will require an additional `--force` argument # in the command to be able to be submitted. confirmWildcardBan: true + # The default reasons to be prompted with if the reason is missing from a ban command. + ban: + defaultReasons: + - "spam" + - "brigading" + - "harassment" + - "disagreement" + # Configuration specific to certain toggle-able protections #protections: # # Configuration for the wordlist plugin, which can ban users based if they say certain From 65e7aa2406dbd3fb2f981aa8c14fd210c9850416 Mon Sep 17 00:00:00 2001 From: Catalan Lover Date: Mon, 20 Feb 2023 22:22:10 +0100 Subject: [PATCH 06/47] Update Draupnir from v1.80.0 to v1.80.1 --- roles/custom/matrix-bot-draupnir/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-draupnir/defaults/main.yml b/roles/custom/matrix-bot-draupnir/defaults/main.yml index 5900f21b..92abc7ab 100644 --- a/roles/custom/matrix-bot-draupnir/defaults/main.yml +++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml 
@@ -4,7 +4,7 @@ matrix_bot_draupnir_enabled: true -matrix_bot_draupnir_version: "v1.80.0" +matrix_bot_draupnir_version: "v1.80.1" matrix_bot_draupnir_container_image_self_build: false matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/Gnuxie/Draupnir.git" From 1c10a7727c82028b5b997ebe328d19db17d52b96 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 21 Feb 2023 07:40:49 +0200 Subject: [PATCH 07/47] Upgrade ddclient (v3.10.0-ls106 -> v3.10.0-ls110) --- roles/custom/matrix-dynamic-dns/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-dynamic-dns/defaults/main.yml b/roles/custom/matrix-dynamic-dns/defaults/main.yml index 95e197f3..4ec034a9 100644 --- a/roles/custom/matrix-dynamic-dns/defaults/main.yml +++ b/roles/custom/matrix-dynamic-dns/defaults/main.yml @@ -7,7 +7,7 @@ matrix_dynamic_dns_enabled: true # The dynamic dns daemon interval matrix_dynamic_dns_daemon_interval: '300' -matrix_dynamic_dns_version: v3.10.0-ls106 +matrix_dynamic_dns_version: v3.10.0-ls110 # The docker container to use when in mode matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}" From cbc8f0c6e60e626eef493934b8a5d73317122ba1 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Tue, 21 Feb 2023 10:14:53 +0000 Subject: [PATCH 08/47] Update borgmatic 1.7.6 -> 1.7.7 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 67a1efc2..17acfa32 100644 --- a/requirements.yml +++ b/requirements.yml @@ -37,7 +37,7 @@ version: v0.11.1-2 - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git - version: v1.2.3-1.7.6-0 + version: v1.2.3-1.7.7-0 - src: git+https://gitlab.com/etke.cc/roles/grafana.git version: v9.3.6-2 From 620247673e9fec7d3ebb99af4f2665e6cbbf72ab Mon Sep 17 00:00:00 2001 
From: Igor Goldenberg Date: Wed, 22 Feb 2023 18:04:13 +0500 Subject: [PATCH 09/47] Allow configure default country code in element welcome page. --- roles/custom/matrix-client-element/defaults/main.yml | 3 +++ roles/custom/matrix-client-element/templates/config.json.j2 | 1 + 2 files changed, 4 insertions(+) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index c9540ae0..60b52d60 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml @@ -191,6 +191,9 @@ matrix_client_element_self_check_validate_certificates: true # don't show the registration button on welcome page matrix_client_element_registration_enabled: false +# Default country code on welcome page when login by phone number +matrix_client_element_default_country_code: "GB" + # Controls whether presence will be enabled matrix_client_element_enable_presence_by_hs_url: ~ diff --git a/roles/custom/matrix-client-element/templates/config.json.j2 b/roles/custom/matrix-client-element/templates/config.json.j2 index 1ae16f41..e0dc993c 100644 --- a/roles/custom/matrix-client-element/templates/config.json.j2 +++ b/roles/custom/matrix-client-element/templates/config.json.j2 @@ -12,6 +12,7 @@ "custom_themes": {{ matrix_client_element_settingDefaults_custom_themes|to_json }} }, "default_theme": {{ matrix_client_element_default_theme | string|to_json }}, + "default_country_code": {{ matrix_client_element_default_country_code | string|to_json }}, "permalinkPrefix": {{ matrix_client_element_permalinkPrefix | string|to_json }}, "disable_custom_urls": {{ matrix_client_element_disable_custom_urls|to_json }}, "disable_guests": {{ matrix_client_element_disable_guests|to_json }}, From 4caeab911703e453a8dd3593620f94a44ccf7077 Mon Sep 17 00:00:00 2001 
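Review bot: The comment on the new `matrix_client_element_default_country_code` default does not say what form the value takes, and a bare `"GB"` does not make that obvious to someone overriding it. Element's `default_country_code` setting takes a two-letter ISO 3166-1 alpha-2 code, so `# Default country code (ISO 3166-1 alpha-2, e.g. "GB") preselected when logging in by phone number on the welcome page` would make the contract explicit. The template hunk below is consistent with the neighbouring `| string|to_json` lines.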
From: Slavi Pantaleev Date: Wed, 22 Feb 2023 15:54:14 +0200 Subject: [PATCH 10/47] Fix spacing around Jinja2 filters --- .../templates/config.json.j2 | 48 +++++++++---------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/roles/custom/matrix-client-element/templates/config.json.j2 b/roles/custom/matrix-client-element/templates/config.json.j2 index e0dc993c..6f2498fd 100644 --- a/roles/custom/matrix-client-element/templates/config.json.j2 +++ b/roles/custom/matrix-client-element/templates/config.json.j2 
@@ -1,49 +1,49 @@ { "default_server_config": { "m.homeserver": { - "base_url": {{ matrix_client_element_default_hs_url | string|to_json }}, - "server_name": {{ matrix_client_element_default_server_name | string|to_json }} + "base_url": {{ matrix_client_element_default_hs_url | string | to_json }}, + "server_name": {{ matrix_client_element_default_server_name | string | to_json }} }, "m.identity_server": { - "base_url": {{ matrix_client_element_default_is_url | string|to_json }} + "base_url": {{ matrix_client_element_default_is_url | string | to_json }} } }, "settingDefaults": { - "custom_themes": {{ matrix_client_element_settingDefaults_custom_themes|to_json }} + "custom_themes": {{ matrix_client_element_settingDefaults_custom_themes | to_json }} }, - "default_theme": {{ matrix_client_element_default_theme | string|to_json }}, - "default_country_code": {{ matrix_client_element_default_country_code | string|to_json }}, - "permalinkPrefix": {{ matrix_client_element_permalinkPrefix | string|to_json }}, - "disable_custom_urls": {{ matrix_client_element_disable_custom_urls|to_json }}, - "disable_guests": {{ matrix_client_element_disable_guests|to_json }}, - "brand": {{ matrix_client_element_brand|to_json }}, - "integrations_ui_url": {{ matrix_client_element_integrations_ui_url | string|to_json }}, - "integrations_rest_url": {{ matrix_client_element_integrations_rest_url | string|to_json }}, - "integrations_widgets_urls": {{ matrix_client_element_integrations_widgets_urls|to_json }}, - "integrations_jitsi_widget_url": {{ matrix_client_element_integrations_jitsi_widget_url | string|to_json }}, - "bug_report_endpoint_url": {{ matrix_client_element_bug_report_endpoint_url|to_json }}, - "showLabsSettings": {{ matrix_client_element_showLabsSettings|to_json }}, + "default_theme": {{ matrix_client_element_default_theme | string | to_json }}, + "default_country_code": {{ matrix_client_element_default_country_code | string | to_json }}, + "permalinkPrefix": {{ 
matrix_client_element_permalinkPrefix | string | to_json }}, + "disable_custom_urls": {{ matrix_client_element_disable_custom_urls | to_json }}, + "disable_guests": {{ matrix_client_element_disable_guests | to_json }}, + "brand": {{ matrix_client_element_brand | to_json }}, + "integrations_ui_url": {{ matrix_client_element_integrations_ui_url | string | to_json }}, + "integrations_rest_url": {{ matrix_client_element_integrations_rest_url | string | to_json }}, + "integrations_widgets_urls": {{ matrix_client_element_integrations_widgets_urls | to_json }}, + "integrations_jitsi_widget_url": {{ matrix_client_element_integrations_jitsi_widget_url | string | to_json }}, + "bug_report_endpoint_url": {{ matrix_client_element_bug_report_endpoint_url | to_json }}, + "showLabsSettings": {{ matrix_client_element_showLabsSettings | to_json }}, "roomDirectory": { - "servers": {{ matrix_client_element_roomdir_servers|to_json }} + "servers": {{ matrix_client_element_roomdir_servers | to_json }} }, - "welcomeUserId": {{ matrix_client_element_welcome_user_id|to_json }}, + "welcomeUserId": {{ matrix_client_element_welcome_user_id | to_json }}, {% if matrix_client_element_enable_presence_by_hs_url is not none %} - "enable_presence_by_hs_url": {{ matrix_client_element_enable_presence_by_hs_url|to_json }}, + "enable_presence_by_hs_url": {{ matrix_client_element_enable_presence_by_hs_url | to_json }}, {% endif %} "embeddedPages": { - "homeUrl": {{ matrix_client_element_embedded_pages_home_url | string|to_json }} + "homeUrl": {{ matrix_client_element_embedded_pages_home_url | string | to_json }} }, {% if matrix_client_element_jitsi_preferredDomain %} "jitsi": { - "preferredDomain": {{ matrix_client_element_jitsi_preferredDomain|to_json }} + "preferredDomain": {{ matrix_client_element_jitsi_preferredDomain | to_json }} }, {% endif %} {% if matrix_client_element_location_sharing_enabled %} "map_style_url": "https://{{ matrix_server_fqn_element }}/map_style.json", {% endif %} "branding": { 
- "authFooterLinks": {{ matrix_client_element_branding_authFooterLinks|to_json }}, - "authHeaderLogoUrl": {{ matrix_client_element_branding_authHeaderLogoUrl|to_json }}, - "welcomeBackgroundUrl": {{ matrix_client_element_branding_welcomeBackgroundUrl|to_json }} + "authFooterLinks": {{ matrix_client_element_branding_authFooterLinks | to_json }}, + "authHeaderLogoUrl": {{ matrix_client_element_branding_authHeaderLogoUrl | to_json }}, + "welcomeBackgroundUrl": {{ matrix_client_element_branding_welcomeBackgroundUrl | to_json }} } } From 643acfcb5b671d6fcd9e305c26e6fd0f1e7f4d3c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 22 Feb 2023 08:18:21 +0200 Subject: [PATCH 11/47] Make synapse-s3-storage-provider periodic migration schedule customizable Larger deployments may wish to run migration more often. --- roles/custom/matrix-synapse/defaults/main.yml | 3 +++ .../matrix-synapse-s3-storage-provider-migrate.timer.j2 | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index e4e2e5e2..dd69facd 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml 
@@ -874,6 +874,9 @@ matrix_synapse_ext_synapse_s3_storage_provider_config_threadpool_size: 40 # It specifies how old files need to have been inactive to be eligible for migration from the local filesystem to the S3 data store. # By default, we use `0` which says "all files are eligible for migration". matrix_synapse_ext_synapse_s3_storage_provider_update_db_day_count: 0 +# Specifies how often periodic migration (`matrix-synapse-s3-storage-provider-migrate.timer`) will run. +# This is a systemd timer OnCalendar definition. Learn more here: https://man.archlinux.org/man/systemd.time.7#CALENDAR_EVENTS +matrix_synapse_ext_synapse_s3_storage_provider_periodic_migration_schedule: '*-*-* 05:00:00' matrix_s3_media_store_enabled: false matrix_s3_media_store_custom_endpoint_enabled: false diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/systemd/matrix-synapse-s3-storage-provider-migrate.timer.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/systemd/matrix-synapse-s3-storage-provider-migrate.timer.j2 index 5013c7a8..14473dd7 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/systemd/matrix-synapse-s3-storage-provider-migrate.timer.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/systemd/matrix-synapse-s3-storage-provider-migrate.timer.j2 @@ -3,7 +3,7 @@ Description=Migrates locally-stored Synapse media store files to S3 [Timer] Unit=matrix-synapse-s3-storage-provider-migrate.service -OnCalendar=*-*-* 05:00:00 +OnCalendar={{ matrix_synapse_ext_synapse_s3_storage_provider_periodic_migration_schedule }} [Install] WantedBy=timers.target From 84c5b44bea7612b307ddae902c9f54d21d4f78d5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 22 Feb 2023 16:09:16 +0200 Subject: [PATCH 12/47] Upgrade com.devture.ansible.role.docker_sdk_for_python --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
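Review bot: The `OnCalendar={{ matrix_synapse_ext_synapse_s3_storage_provider_periodic_migration_schedule }}` line in the timer hunk inserts the operator's value verbatim, and nothing in either hunk validates it; as far as I can tell, an invalid calendar expression would only surface when systemd rejects the unit at load time. A cheap guard is to check the value in the role's config validation with `systemd-analyze calendar` and fail early, and the defaults comment could add that the value is written unquoted into the unit file. Minor style point: the new default is appended directly after `..._update_db_day_count: 0` without the blank line the surrounding stanzas use between settings.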
diff --git a/requirements.yml b/requirements.yml index 17acfa32..3b117ef6 100644 --- a/requirements.yml +++ b/requirements.yml @@ -4,7 +4,7 @@ version: 6.1.0 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git - version: 6ba3be490b6f4c6f35ea109aeb8e533fa231b3a5 + version: 54d6d1831f063e4a99b66c722f49053d59f8ee60 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git version: c1f40e82b4d6b072b6f0e885239322bdaaaf554f From 0af6e6d9d970715ae1513a5ccf47f5321298fea9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Feb 2023 08:26:35 +0200 Subject: [PATCH 13/47] Make wait time for matrix-user-creator configurable and increase default (7 -> 10 sec.) --- roles/custom/matrix-user-creator/defaults/main.yml | 3 +++ roles/custom/matrix-user-creator/tasks/setup.yml | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-user-creator/defaults/main.yml b/roles/custom/matrix-user-creator/defaults/main.yml index 5c90a1e0..20aad3d1 100644 --- a/roles/custom/matrix-user-creator/defaults/main.yml +++ b/roles/custom/matrix-user-creator/defaults/main.yml @@ -20,3 +20,6 @@ matrix_user_creator_users_auto: [] # Add your own users here to have them end up in `matrix_user_creator_users` (see `vars/main.yml`) and get automatically created. # For example syntax for this variable, see the documentation for `matrix_user_creator_users` in `vars/main.yml`. matrix_user_creator_users_additional: [] + +# matrix_user_creator_homeserver_start_wait_time_seconds specifies how long to wait after starting the homeserver service and before doing our work. +matrix_user_creator_homeserver_start_wait_time_seconds: 10 diff --git a/roles/custom/matrix-user-creator/tasks/setup.yml b/roles/custom/matrix-user-creator/tasks/setup.yml index 73dfd454..d53726bd 100644 --- a/roles/custom/matrix-user-creator/tasks/setup.yml +++ b/roles/custom/matrix-user-creator/tasks/setup.yml 
@@ -21,7 +21,7 @@ - name: Wait a while, so that the homeserver can manage to start before creating Matrix users ansible.builtin.pause: - seconds: 7 + seconds: "{{ matrix_user_creator_homeserver_start_wait_time_seconds }}" when: matrix_user_registrator_homeserver_start_result.changed | bool - name: Ensure Matrix users are created From c8022c1a18219c281909a950c656454c959e91cd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Feb 2023 08:35:45 +0200 Subject: [PATCH 14/47] Remove useless explicit daemon reload in matrix-user-creator The next task asks for a daemon reload, so there's no need to do it twice. --- roles/custom/matrix-user-creator/tasks/setup.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/roles/custom/matrix-user-creator/tasks/setup.yml b/roles/custom/matrix-user-creator/tasks/setup.yml index d53726bd..bcf2fd65 100644 --- a/roles/custom/matrix-user-creator/tasks/setup.yml +++ b/roles/custom/matrix-user-creator/tasks/setup.yml @@ -8,10 +8,6 @@ # Suppress logging to avoid dumping the credentials to the shell no_log: true -- name: Ensure systemd is reloaded before starting the homeserver - ansible.builtin.service: - daemon_reload: true - - name: Ensure homeserver is started before creating Matrix users ansible.builtin.service: name: "matrix-{{ matrix_homeserver_implementation }}.service" From 40f037b36d47d222997d2a90daf90ca910e787f6 Mon Sep 17 00:00:00 2001 
From: Benjamin Kampmann Date: Mon, 20 Feb 2023 22:34:16 +0100 Subject: [PATCH 15/47] Add rageshake server --- group_vars/matrix_servers | 20 ++++ playbooks/matrix.yml | 1 + roles/custom/matrix-base/defaults/main.yml | 3 + .../matrix-nginx-proxy/defaults/main.yml | 12 +++ .../tasks/setup_nginx_proxy.yml | 13 +++ .../matrix-nginx-proxy/templates/labels.j2 | 11 ++ .../nginx/conf.d/matrix-rageshake.conf.j2 | 100 ++++++++++++++++++ .../custom/matrix-rageshake/defaults/main.yml | 38 +++++++ roles/custom/matrix-rageshake/tasks/main.yml | 19 ++++ .../matrix-rageshake/tasks/setup_install.yml | 66 ++++++++++++ .../tasks/setup_uninstall.yml | 24 +++++ .../tasks/validate_config.yml | 1 + .../matrix-rageshake/templates/config.j2 | 2 + .../systemd/matrix-rageshake.service.j2 | 41 +++++++ 14 files changed, 351 insertions(+) create mode 100644 roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-rageshake.conf.j2 create mode 100644 roles/custom/matrix-rageshake/defaults/main.yml create mode 100644 roles/custom/matrix-rageshake/tasks/main.yml create mode 100644 roles/custom/matrix-rageshake/tasks/setup_install.yml create mode 100644 roles/custom/matrix-rageshake/tasks/setup_uninstall.yml create mode 100644 roles/custom/matrix-rageshake/tasks/validate_config.yml create mode 100644 roles/custom/matrix-rageshake/templates/config.j2 create mode 100644 roles/custom/matrix-rageshake/templates/systemd/matrix-rageshake.service.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index f148e042..1307679d 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -296,6 +296,8 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-coturn.service', 'priority': 4000, 'groups': ['matrix', 'coturn']}] if matrix_coturn_enabled else []) + + ([{'name': 'matrix-rageshake.service', 'priority': 4000, 'groups': ['matrix', 'rageshake']}] if matrix_rageshake_enabled else []) + + ([{'name': 'matrix-coturn-reload.timer', 'priority': 5000, 'groups': ['matrix', 'coturn']}] if (matrix_coturn_enabled and matrix_coturn_tls_enabled) else []) + ([{'name': 'matrix-dimension.service', 'priority': 4000, 'groups': ['matrix', 'integration-managers', 'dimension']}] if matrix_dimension_enabled else []) @@ -1995,6 +1997,18 @@ matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registrati # ###################################################################### + +###################################################################### +# +# /matrix-rageshake +# +###################################################################### + +# We don't enable rageshake by default. +matrix_rageshake_enabled: false + +matrix_rageshake_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" + ###################################################################### # # matrix-coturn @@ -2383,6 +2397,7 @@ matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled an matrix_nginx_proxy_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled }}" matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" +matrix_nginx_proxy_proxy_rageshake_enabled: "{{ matrix_rageshake_enabled }}" matrix_nginx_proxy_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}" matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" 
@@ -2400,6 +2415,7 @@ matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_ent matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" +matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_enabled: "{{ matrix_rageshake_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}" matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" @@ -2483,6 +2499,8 @@ matrix_nginx_proxy_systemd_wanted_services_list: | + (['matrix-dimension.service'] if matrix_dimension_enabled else []) + + (['matrix-rageshake.service'] if matrix_rageshake_enabled else []) + + (['matrix-sygnal.service'] if matrix_sygnal_enabled else []) + ([(ntfy_identifier + '.service')] if ntfy_enabled else []) @@ -2524,6 +2542,8 @@ matrix_ssl_domains_to_obtain_certificates_for: | + ([ntfy_hostname] if ntfy_enabled else []) + + ([matrix_server_fqn_rageshake] if matrix_rageshake_enabled else []) + + (matrix_bot_postmoogle_domains if matrix_bot_postmoogle_enabled else []) + ([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else []) diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index 6980a6f9..a425cd88 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml @@ -82,6 +82,7 @@ - custom/matrix-bot-draupnir - custom/matrix-bot-chatgpt - custom/matrix-cactus-comments + - custom/matrix-rageshake - custom/matrix-synapse - custom/matrix-synapse-reverse-proxy-companion - custom/matrix-dendrite 
diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index da5459f8..0f2e3b48 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml @@ -90,6 +90,9 @@ matrix_server_fqn_sygnal: "sygnal.{{ matrix_domain }}" # This is where you access the ntfy push notification service. matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}" +# This is where you access rageshake. +matrix_server_fqn_rageshake: "rageshake.{{ matrix_domain }}" + matrix_federation_public_port: 8448 # The name of the Traefik entrypoint for handling Matrix Federation diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index b656f074..b5915dc4 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml 
@@ -71,6 +71,11 @@ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_hostname: "{{ matrix matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" matrix_nginx_proxy_container_labels_traefik_proxy_dimension_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_hostname }}`)" +matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_enabled: false +matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_hostname: "{{ matrix_server_fqn_rageshake }}" +matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" +matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_hostname }}`)" + matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: false matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_hostname: "{{ matrix_server_fqn_etherpad }}" matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" @@ -257,6 +262,10 @@ matrix_nginx_proxy_proxy_matrix_federation_port: 8448 matrix_nginx_proxy_proxy_dimension_enabled: false matrix_nginx_proxy_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}" +# Controls whether proxying the rageshake domain should be done. +matrix_nginx_proxy_proxy_rageshake_enabled: false +matrix_nginx_proxy_proxy_rageshake_hostname: "{{ matrix_server_fqn_rageshake }}" + # Controls whether proxying the etherpad domain should be done. matrix_nginx_proxy_proxy_etherpad_enabled: false matrix_nginx_proxy_proxy_etherpad_hostname: "{{ matrix_server_fqn_etherpad }}" 
@@ -444,6 +453,9 @@ matrix_nginx_proxy_proxy_buscarron_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf). matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: [] +# A list of strings containing additional configuration blocks to add to Rageshake's server configuration (matrix-rageshake.conf). +matrix_nginx_proxy_proxy_rageshake_additional_server_configuration_blocks: [] + # A list of strings containing additional configuration blocks to add to etherpad's server configuration (matrix-etherpad.conf). matrix_nginx_proxy_proxy_etherpad_additional_server_configuration_blocks: [] diff --git a/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 5aa63597..1a55e28f 100644 --- a/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -129,6 +129,13 @@ mode: 0644 when: matrix_nginx_proxy_proxy_dimension_enabled | bool +- name: Ensure Matrix nginx-proxy configuration for rageshake domain exists + ansible.builtin.template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-rageshake.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-rageshake.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_rageshake_enabled | bool + - name: Ensure Matrix nginx-proxy configuration for etherpad domain exists ansible.builtin.template: src: "{{ role_path }}/templates/nginx/conf.d/matrix-etherpad.conf.j2" 
@@ -291,6 +298,12 @@ state: absent when: "not matrix_nginx_proxy_proxy_dimension_enabled | bool" +- name: Ensure Matrix nginx-proxy configuration for rageshake domain deleted + ansible.builtin.file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-rageshake.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_rageshake_enabled | bool" + - name: Ensure Matrix nginx-proxy configuration for goneb domain deleted ansible.builtin.file: path: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-go-neb.conf" diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2 index 1e60ba6d..00c9c40a 100644 --- a/roles/custom/matrix-nginx-proxy/templates/labels.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2 @@ -62,6 +62,17 @@ traefik.http.routers.matrix-nginx-proxy-dimension.entrypoints={{ matrix_nginx_pr {% endif %} +{% if matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_enabled %} +# Rageshake +traefik.http.routers.matrix-nginx-proxy-rageshake.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_rule }} +traefik.http.routers.matrix-nginx-proxy-rageshake.service=matrix-nginx-proxy-web +traefik.http.routers.matrix-nginx-proxy-rageshake.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_tls | to_json }} +{% if matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_tls %} +traefik.http.routers.matrix-nginx-proxy-rageshake.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} +{% endif %} +traefik.http.routers.matrix-nginx-proxy-rageshake.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} +{% endif %} + {% if matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled %} # Etherpad traefik.http.routers.matrix-nginx-proxy-etherpad.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_rule }} 
diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-rageshake.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-rageshake.conf.j2 new file mode 100644 index 00000000..5da96684 --- /dev/null +++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-rageshake.conf.j2 
@@ -0,0 +1,100 @@ +#jinja2: lstrip_blocks: "True" + +{% macro render_vhost_directives() %} + gzip on; + gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + {% if matrix_nginx_proxy_hsts_preload_enabled %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; + add_header X-Content-Type-Options nosniff; + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + +{% for configuration_block in matrix_nginx_proxy_proxy_rageshake_additional_server_configuration_blocks %} + {{- configuration_block }} +{% endfor %} + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; + set $backend "matrix-rageshake:9110"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:9110; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; + } +{% endmacro %} + +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + + server_name {{ matrix_nginx_proxy_proxy_rageshake_hostname }}; + + server_tokens off; + root /dev/null; + + {% if matrix_nginx_proxy_https_enabled %} + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# 
Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } + {% else %} + {{ render_vhost_directives() }} + {% endif %} +} + +{% if matrix_nginx_proxy_https_enabled %} +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_proxy_rageshake_hostname }}; + + server_tokens off; + root /dev/null; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_rageshake_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_rageshake_hostname }}/privkey.pem; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != '' %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_rageshake_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + + {{ render_vhost_directives() }} +} +{% endif %} diff --git a/roles/custom/matrix-rageshake/defaults/main.yml b/roles/custom/matrix-rageshake/defaults/main.yml new file mode 100644 index 00000000..743b3000 --- /dev/null +++ b/roles/custom/matrix-rageshake/defaults/main.yml 
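Review bot: Neither `location /` proxy block produced by `render_vhost_directives` sets `client_max_body_size`, so nginx's default 1m request-body limit applies to rageshake report submissions; as far as I know those carry compressed client logs and optional screenshots and can exceed 1m, which would surface as 413 responses from nginx rather than from rageshake. I'd add a tunable in the nginx-proxy role defaults (constructed name: `matrix_nginx_proxy_proxy_rageshake_client_max_body_size_mb`) and emit `client_max_body_size {{ matrix_nginx_proxy_proxy_rageshake_client_max_body_size_mb }}M;` inside the `location /` block before `proxy_pass`, so the limit is explicit and adjustable. Worth checking against rageshake's own upload limits before choosing a default.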
@@ -0,0 +1,38 @@ +--- +# rageshake is a issue submission service from matrix.org +# Project source code URL: https://github.com/matrix-org/rageshake/ + +matrix_rageshake_enabled: false + +matrix_rageshake_container_image_self_build: false +matrix_rageshake_docker_repo: "https://github.com/matrix-org/rageshake/" +matrix_rageshake_docker_repo_version: "{{ 'master' if matrix_rageshake_version == 'master' else matrix_rageshake_version }}" +matrix_rageshake_docker_src_files_path: "{{ matrix_base_data_path }}/Dockerfile" + +matrix_rageshake_version: "master" +matrix_rageshake_docker_image: "{{ matrix_rageshake_docker_image_name_prefix }}matrix-org/rageshake:{{ matrix_rageshake_version }}" +matrix_rageshake_docker_image_name_prefix: "{{ 'localhost/' if matrix_rageshake_container_image_self_build else 'ghcr.io/' }}" +matrix_rageshake_docker_image_force_pull: "{{ matrix_rageshake_docker_image.endswith(':master') }}" + +matrix_rageshake_base_path: "{{ matrix_base_data_path }}/rageshake" +matrix_rageshake_config_path: "{{ matrix_rageshake_base_path }}/config" +matrix_rageshake_data_path: "{{ matrix_rageshake_base_path }}/data" + +# A list of extra arguments to pass to the container +matrix_rageshake_container_extra_arguments: [] + +# List of systemd services that matrix-rageshake.service depends on +matrix_rageshake_systemd_required_services_list: ["docker.service"] + +# List of systemd services that matrix-rageshake.service wants +matrix_rageshake_systemd_wanted_services_list: [] + +# Rageshake Settings + +# Additional config to pass to the rageshake. +# See https://github.com/matrix-org/rageshake/blob/master/rageshake.sample.yaml +# +# Example: +# matrix_rageshake_config: | +# github_token: secrettoken +matrix_rageshake_config: "" diff --git a/roles/custom/matrix-rageshake/tasks/main.yml b/roles/custom/matrix-rageshake/tasks/main.yml new file mode 100644 index 00000000..f0e03e66 --- /dev/null +++ b/roles/custom/matrix-rageshake/tasks/main.yml 
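Review bot: `matrix_rageshake_docker_src_files_path: "{{ matrix_base_data_path }}/Dockerfile"` places the self-build git checkout in a directory literally named `Dockerfile` directly under the base data path, outside `matrix_rageshake_base_path`, so this patch's uninstall task (which removes only `matrix_rageshake_base_path`) leaves it behind; I'd use `matrix_rageshake_docker_src_files_path: "{{ matrix_rageshake_base_path }}/docker-src"`. Separately, `matrix_rageshake_docker_repo_version` is a no-op ternary, since both branches evaluate to `matrix_rageshake_version`; `matrix_rageshake_docker_repo_version: "{{ matrix_rageshake_version }}"` says the same thing plainly.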
@@ -0,0 +1,19 @@ +--- +- block: + - when: matrix_rageshake_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_rageshake_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-rageshake + - install-all + - install-rageshake + +- block: + - when: not matrix_rageshake_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + tags: + - setup-all + - setup-rageshake diff --git a/roles/custom/matrix-rageshake/tasks/setup_install.yml b/roles/custom/matrix-rageshake/tasks/setup_install.yml new file mode 100644 index 00000000..b081960e --- /dev/null +++ b/roles/custom/matrix-rageshake/tasks/setup_install.yml 
@@ -0,0 +1,66 @@ +--- +- name: Ensure rageshake paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_rageshake_config_path }}", when: true } + - { path: "{{ matrix_rageshake_data_path }}", when: true } + - { + path: "{{ matrix_rageshake_docker_src_files_path }}", + when: matrix_rageshake_container_image_self_build, + } + when: "item.when | bool" + +- name: Ensure rageshake config file created + ansible.builtin.template: + src: "{{ role_path }}/templates/config.j2" + dest: "{{ matrix_rageshake_config_path }}/config.yml" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + mode: 0640 + +- name: Ensure rageshake image is pulled + community.docker.docker_image: + name: "{{ matrix_rageshake_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_rageshake_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_rageshake_docker_image_force_pull }}" + when: "not matrix_rageshake_container_image_self_build | bool" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- name: Ensure rageshake repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_rageshake_docker_repo }}" + version: "{{ matrix_rageshake_docker_repo_version }}" + dest: "{{ matrix_rageshake_docker_src_files_path }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_rageshake_git_pull_results + when: "matrix_rageshake_container_image_self_build | bool" + +- name: Ensure rageshake image is built + community.docker.docker_image: + name: 
"{{ matrix_rageshake_docker_image }}" + source: build + force_source: "{{ matrix_rageshake_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_rageshake_docker_src_files_path }}" + pull: true + when: "matrix_rageshake_container_image_self_build | bool" + +- name: Ensure matrix-rageshake.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-rageshake.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-rageshake.service" + mode: 0644 + register: matrix_rageshake_systemd_service_result diff --git a/roles/custom/matrix-rageshake/tasks/setup_uninstall.yml b/roles/custom/matrix-rageshake/tasks/setup_uninstall.yml new file mode 100644 index 00000000..133ac76d --- /dev/null +++ b/roles/custom/matrix-rageshake/tasks/setup_uninstall.yml @@ -0,0 +1,24 @@ +--- +- name: Check existence of matrix-rageshake service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-rageshake.service" + register: matrix_rageshake_service_stat + +- when: matrix_rageshake_service_stat.stat.exists | bool + block: + - name: Ensure matrix-rageshake is stopped + ansible.builtin.service: + name: matrix-rageshake + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure matrix-rageshake.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-rageshake.service" + state: absent + + - name: Ensure Matrix rageshake paths don't exist + ansible.builtin.file: + path: "{{ matrix_rageshake_base_path }}" + state: absent diff --git a/roles/custom/matrix-rageshake/tasks/validate_config.yml b/roles/custom/matrix-rageshake/tasks/validate_config.yml new file mode 100644 index 00000000..ed97d539 --- /dev/null 
+++ b/roles/custom/matrix-rageshake/tasks/validate_config.yml @@ -0,0 +1 @@ +--- diff --git a/roles/custom/matrix-rageshake/templates/config.j2 b/roles/custom/matrix-rageshake/templates/config.j2 new file mode 100644 index 00000000..2b0d64b7 --- /dev/null +++ b/roles/custom/matrix-rageshake/templates/config.j2 @@ -0,0 +1,2 @@ +api_prefix: "https://{{ matrix_server_fqn_rageshake }}/api/" +{{ matrix_rageshake_config | to_nice_yaml(indent=2, width=999999) }} diff --git a/roles/custom/matrix-rageshake/templates/systemd/matrix-rageshake.service.j2 b/roles/custom/matrix-rageshake/templates/systemd/matrix-rageshake.service.j2 new file mode 100644 index 00000000..6e818e0f --- /dev/null +++ b/roles/custom/matrix-rageshake/templates/systemd/matrix-rageshake.service.j2 
@@ -0,0 +1,41 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix Rageshake Service
+{% for service in matrix_rageshake_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_rageshake_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-rageshake 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-rageshake 2>/dev/null || true'
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-rageshake \
+ --log-driver=none \
+ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+ --cap-drop=ALL \
+ --read-only \
+ --tmpfs /tmp \
+ --network={{ matrix_docker_network }} \
+ --mount type=bind,src={{ matrix_rageshake_config_path }},dst=/config \
+ --mount type=bind,src={{ matrix_rageshake_data_path }},dst=/bugs \
+ {% for arg in matrix_rageshake_container_extra_arguments %}
+ {{ arg }} \
+ {% endfor %}
+ {{ matrix_rageshake_docker_image }} \
+ --config /config/config.yml
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-rageshake 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-rageshake 2>/dev/null || true'
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-rageshake
+
+[Install]
+WantedBy=multi-user.target
From 53f8a0c6ae8d00f365bf3793660a5ca30f0ef601 Mon Sep 17 00:00:00 2001
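Review bot: The config bind mount in `ExecStart` is writable (`--mount type=bind,src={{ matrix_rageshake_config_path }},dst=/config`) although, as far as I can tell, rageshake only reads `/config/config.yml`; `--mount type=bind,src={{ matrix_rageshake_config_path }},dst=/config,ro \` keeps the configuration (which may hold the `github_token` the defaults document) unwritable from inside the container and matches the `--read-only` root filesystem already used here. The `/bugs` data mount has to stay writable.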
From: Slavi Pantaleev Date: Fri, 24 Feb 2023 20:27:15 +0200 Subject: [PATCH 16/47] Upgrade com.devture.ansible.role.traefik --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 3b117ef6..cbdd37ca 100644 --- a/requirements.yml +++ b/requirements.yml @@ -49,7 +49,7 @@ version: v7.0.7-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: da90b6cdbbb9374ca72c1b530867add2fd8f024e + version: 5e3248cd4d17db9ff3ba90904e7330150dab599e - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: e7563caa814e634d2f8deec4a41e970caa1c0ae4 From c139d139a5c12a091fa170b1b67afcb64505de8f Mon Sep 17 00:00:00 2001 From: Tupsi Date: Sat, 25 Feb 2023 00:46:54 +0100 Subject: [PATCH 17/47] Update configuring-playbook-own-webserver.md own traefik server option must have the path to the acme.json. Otherwise the service will not start. --- docs/configuring-playbook-own-webserver.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 34e0bf3e..22170f40 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -33,6 +33,8 @@ This will install Traefik in the place of `matrix-nginx-proxy`. Traefik will man matrix_playbook_reverse_proxy_type: other-traefik-container matrix_playbook_reverse_proxyable_services_additional_network: your-traefik-network + +devture_traefik_certs_dumper_ssl_dir_path: "/path/to/your/traefiks/acme.json/directory" ``` In this mode all roles will still have Traefik labels attached. You will, however, need to configure your Traefik instance and its entrypoints. From 55f43dcc6d6f6733ce2346112c13b43778080108 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sat, 25 Feb 2023 12:09:23 +0200 Subject: [PATCH 18/47] Fixup matrix-rageshake section in group vars --- group_vars/matrix_servers | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 1307679d..4669b331 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2000,7 +2000,7 @@ matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registrati ###################################################################### # -# /matrix-rageshake +# matrix-rageshake # ###################################################################### @@ -2009,6 +2009,12 @@ matrix_rageshake_enabled: false matrix_rageshake_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" +###################################################################### +# +# /matrix-rageshake +# +###################################################################### + ###################################################################### # # matrix-coturn From d513c0f446589dc34249b8ce417f4a1d21263ca8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Feb 2023 12:20:09 +0200 Subject: [PATCH 19/47] Document why the rageshake version is master --- roles/custom/matrix-rageshake/defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/custom/matrix-rageshake/defaults/main.yml b/roles/custom/matrix-rageshake/defaults/main.yml index 743b3000..16a936bc 100644 --- a/roles/custom/matrix-rageshake/defaults/main.yml +++ b/roles/custom/matrix-rageshake/defaults/main.yml 
@@ -9,6 +9,8 @@ matrix_rageshake_docker_repo: "https://github.com/matrix-org/rageshake/" matrix_rageshake_docker_repo_version: "{{ 'master' if matrix_rageshake_version == 'master' else matrix_rageshake_version }}" matrix_rageshake_docker_src_files_path: "{{ matrix_base_data_path }}/Dockerfile" +# There are no stable container image tags yet. +# See: https://github.com/matrix-org/rageshake/issues/69 matrix_rageshake_version: "master" matrix_rageshake_docker_image: "{{ matrix_rageshake_docker_image_name_prefix }}matrix-org/rageshake:{{ matrix_rageshake_version }}" matrix_rageshake_docker_image_name_prefix: "{{ 'localhost/' if matrix_rageshake_container_image_self_build else 'ghcr.io/' }}" From 19e0b8374bab3de8ba4ec4dad12b7bcc9b907690 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Feb 2023 12:20:25 +0200 Subject: [PATCH 20/47] Enable matrix_rageshake_enabled in the role by default We disable it via `group_vars/matrix_servers`, as we do for all other roles. --- roles/custom/matrix-rageshake/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-rageshake/defaults/main.yml b/roles/custom/matrix-rageshake/defaults/main.yml index 16a936bc..3568d23f 100644 --- a/roles/custom/matrix-rageshake/defaults/main.yml +++ b/roles/custom/matrix-rageshake/defaults/main.yml @@ -2,7 +2,7 @@ # rageshake is a issue submission service from matrix.org # Project source code URL: https://github.com/matrix-org/rageshake/ -matrix_rageshake_enabled: false +matrix_rageshake_enabled: true matrix_rageshake_container_image_self_build: false matrix_rageshake_docker_repo: "https://github.com/matrix-org/rageshake/" From db0104978f97e540db418eeb3b4b7cdcba602c5a Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sat, 25 Feb 2023 12:23:07 +0200 Subject: [PATCH 21/47] Extract api_prefix rageshake configuration into matrix_rageshake_config_api_prefix --- roles/custom/matrix-rageshake/defaults/main.yml | 2 ++ roles/custom/matrix-rageshake/templates/config.j2 | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-rageshake/defaults/main.yml b/roles/custom/matrix-rageshake/defaults/main.yml index 3568d23f..4f574d3f 100644 --- a/roles/custom/matrix-rageshake/defaults/main.yml +++ b/roles/custom/matrix-rageshake/defaults/main.yml @@ -29,6 +29,8 @@ matrix_rageshake_systemd_required_services_list: ["docker.service"] # List of systemd services that matrix-rageshake.service wants matrix_rageshake_systemd_wanted_services_list: [] +matrix_rageshake_config_api_prefix: "https://{{ matrix_server_fqn_rageshake }}/api/" + # Rageshake Settings # Additional config to pass to the rageshake. diff --git a/roles/custom/matrix-rageshake/templates/config.j2 b/roles/custom/matrix-rageshake/templates/config.j2 index 2b0d64b7..08c90438 100644 --- a/roles/custom/matrix-rageshake/templates/config.j2 +++ b/roles/custom/matrix-rageshake/templates/config.j2 @@ -1,2 +1,2 @@ -api_prefix: "https://{{ matrix_server_fqn_rageshake }}/api/" +api_prefix: {{ matrix_rageshake_config_api_prefix | to_json }} {{ matrix_rageshake_config | to_nice_yaml(indent=2, width=999999) }} From a51c9521a8f976d2778be3a45d411682fa60b073 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Feb 2023 12:23:45 +0200 Subject: [PATCH 22/47] Rename some task files --- .../matrix-rageshake/tasks/{setup_install.yml => install.yml} | 0 roles/custom/matrix-rageshake/tasks/main.yml | 4 ++-- .../tasks/{setup_uninstall.yml => uninstall.yml} | 0 3 files changed, 2 insertions(+), 2 deletions(-) rename roles/custom/matrix-rageshake/tasks/{setup_install.yml => install.yml} (100%) rename roles/custom/matrix-rageshake/tasks/{setup_uninstall.yml => uninstall.yml} (100%) 
diff --git a/roles/custom/matrix-rageshake/tasks/setup_install.yml b/roles/custom/matrix-rageshake/tasks/install.yml similarity index 100% rename from roles/custom/matrix-rageshake/tasks/setup_install.yml rename to roles/custom/matrix-rageshake/tasks/install.yml diff --git a/roles/custom/matrix-rageshake/tasks/main.yml b/roles/custom/matrix-rageshake/tasks/main.yml index f0e03e66..c330964a 100644 --- a/roles/custom/matrix-rageshake/tasks/main.yml +++ b/roles/custom/matrix-rageshake/tasks/main.yml @@ -4,7 +4,7 @@ ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_rageshake_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" tags: - setup-all - setup-rageshake @@ -13,7 +13,7 @@ - block: - when: not matrix_rageshake_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" tags: - setup-all - setup-rageshake diff --git a/roles/custom/matrix-rageshake/tasks/setup_uninstall.yml b/roles/custom/matrix-rageshake/tasks/uninstall.yml similarity index 100% rename from roles/custom/matrix-rageshake/tasks/setup_uninstall.yml rename to roles/custom/matrix-rageshake/tasks/uninstall.yml From 8339ebdf5894ef6e2b12627fe9097672cb06cfcb Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sat, 25 Feb 2023 12:29:22 +0200 Subject: [PATCH 23/47] Redo the way matryx-rageshake configuration is done This makes it consistent with the rest of the playbook: - there's a default config which has various variables controlling settings - there's also an `_extension_yaml` variable, which lets you override it --- .../custom/matrix-rageshake/defaults/main.yml | 33 ++++++++++++++----- .../custom/matrix-rageshake/tasks/install.yml | 5 ++- .../matrix-rageshake/templates/config.j2 | 2 -- .../matrix-rageshake/templates/config.yml.j2 | 4 +++ 4 files changed, 31 insertions(+), 13 deletions(-) delete mode 100644 roles/custom/matrix-rageshake/templates/config.j2 create mode 100644 roles/custom/matrix-rageshake/templates/config.yml.j2 diff --git a/roles/custom/matrix-rageshake/defaults/main.yml b/roles/custom/matrix-rageshake/defaults/main.yml index 4f574d3f..a1bbe242 100644 --- a/roles/custom/matrix-rageshake/defaults/main.yml +++ b/roles/custom/matrix-rageshake/defaults/main.yml 
@@ -31,12 +31,29 @@ matrix_rageshake_systemd_wanted_services_list: [] matrix_rageshake_config_api_prefix: "https://{{ matrix_server_fqn_rageshake }}/api/" -# Rageshake Settings - -# Additional config to pass to the rageshake. -# See https://github.com/matrix-org/rageshake/blob/master/rageshake.sample.yaml +# Default Rageshake configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. # -# Example: -# matrix_rageshake_config: | -# github_token: secrettoken -matrix_rageshake_config: "" +# For a more advanced customization, you can extend the default (see `matrix_rageshake_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_rageshake_configuration_yaml: "{{ lookup('template', 'templates/config.yml.j2') }}" + +matrix_rageshake_configuration_extension_yaml: | + # Your custom YAML configuration for Synapse goes here. + # This configuration extends the default starting configuration (`matrix_rageshake_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_rageshake_configuration_yaml`. + # + # Example configuration extension follows: + # + # github_project_mappings: + # my-app: octocat/HelloWorld + +matrix_rageshake_configuration_extension: "{{ matrix_rageshake_configuration_extension_yaml | from_yaml if matrix_rageshake_configuration_extension_yaml | from_yaml is mapping else {} }}" + +# Holds the final Synapse configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_rageshake_configuration_yaml`. +matrix_rageshake_configuration: "{{ matrix_rageshake_configuration_yaml | from_yaml | combine(matrix_rageshake_configuration_extension, recursive=True) }}" 
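Review bot: Two of the new comments still say "Synapse" in a rageshake defaults file — `# Your custom YAML configuration for Synapse goes here.` inside `matrix_rageshake_configuration_extension_yaml`, and `# Holds the final Synapse configuration (a combination of the default and its extension).` above `matrix_rageshake_configuration` — which reads as a copy-paste from the Synapse role and will mislead anyone extending this role's config. Change them to `# Your custom YAML configuration for rageshake goes here.` and `# Holds the final rageshake configuration (a combination of the default and its extension).`. The rest of the comment block is fine; the `github_project_mappings` example matches the rageshake sample config referenced by the removed comment.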
diff --git a/roles/custom/matrix-rageshake/tasks/install.yml b/roles/custom/matrix-rageshake/tasks/install.yml index b081960e..3f4d64c5 100644 --- a/roles/custom/matrix-rageshake/tasks/install.yml +++ b/roles/custom/matrix-rageshake/tasks/install.yml @@ -16,8 +16,8 @@ when: "item.when | bool" - name: Ensure rageshake config file created - ansible.builtin.template: - src: "{{ role_path }}/templates/config.j2" + ansible.builtin.copy: + content: "{{ matrix_rageshake_configuration | to_nice_yaml(indent=2, width=999999) }}" dest: "{{ matrix_rageshake_config_path }}/config.yml" owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" @@ -63,4 +63,3 @@ src: "{{ role_path }}/templates/systemd/matrix-rageshake.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-rageshake.service" mode: 0644 - register: matrix_rageshake_systemd_service_result diff --git a/roles/custom/matrix-rageshake/templates/config.j2 b/roles/custom/matrix-rageshake/templates/config.j2 deleted file mode 100644 index 08c90438..00000000 --- a/roles/custom/matrix-rageshake/templates/config.j2 +++ /dev/null @@ -1,2 +0,0 @@ -api_prefix: {{ matrix_rageshake_config_api_prefix | to_json }} -{{ matrix_rageshake_config | to_nice_yaml(indent=2, width=999999) }} diff --git a/roles/custom/matrix-rageshake/templates/config.yml.j2 b/roles/custom/matrix-rageshake/templates/config.yml.j2 new file mode 100644 index 00000000..6b0c2664 --- /dev/null +++ b/roles/custom/matrix-rageshake/templates/config.yml.j2 @@ -0,0 +1,4 @@ +# Default configuration for Rageshake. +# To extend it, use `matrix_rageshake_configuration_extension_yaml`. + +api_prefix: {{ matrix_rageshake_config_api_prefix | to_json }} From 306679103b28ce6642f390e99fe264ab73483706 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sat, 25 Feb 2023 12:32:19 +0200 Subject: [PATCH 24/47] Require self-building of rageshake for arm64 There are no arm64 images published.. yet --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 4669b331..2ad11473 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2007,7 +2007,7 @@ matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registrati # We don't enable rageshake by default. matrix_rageshake_enabled: false -matrix_rageshake_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" +matrix_rageshake_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}" ###################################################################### # From 5934de84be6721ecac0187cf473abcd058a5b455 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Feb 2023 12:59:56 +0200 Subject: [PATCH 25/47] Reorder matrix-rageshake default variables a bit --- roles/custom/matrix-rageshake/defaults/main.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/custom/matrix-rageshake/defaults/main.yml b/roles/custom/matrix-rageshake/defaults/main.yml index a1bbe242..85a3e50e 100644 --- a/roles/custom/matrix-rageshake/defaults/main.yml +++ b/roles/custom/matrix-rageshake/defaults/main.yml @@ -4,11 +4,6 @@ matrix_rageshake_enabled: true -matrix_rageshake_container_image_self_build: false -matrix_rageshake_docker_repo: "https://github.com/matrix-org/rageshake/" -matrix_rageshake_docker_repo_version: "{{ 'master' if matrix_rageshake_version == 'master' else matrix_rageshake_version }}" -matrix_rageshake_docker_src_files_path: "{{ matrix_base_data_path }}/Dockerfile" - # There are no stable container image tags yet. # See: https://github.com/matrix-org/rageshake/issues/69 matrix_rageshake_version: "master" 
@@ -20,6 +15,11 @@ matrix_rageshake_base_path: "{{ matrix_base_data_path }}/rageshake" matrix_rageshake_config_path: "{{ matrix_rageshake_base_path }}/config" matrix_rageshake_data_path: "{{ matrix_rageshake_base_path }}/data" +matrix_rageshake_container_image_self_build: false +matrix_rageshake_docker_repo: "https://github.com/matrix-org/rageshake/" +matrix_rageshake_docker_repo_version: "{{ 'master' if matrix_rageshake_version == 'master' else matrix_rageshake_version }}" +matrix_rageshake_docker_src_files_path: "{{ matrix_base_data_path }}/Dockerfile" + # A list of extra arguments to pass to the container matrix_rageshake_container_extra_arguments: [] From 9a8ebf3d8c5e96d9703abb7b681e5852196eebbe Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Feb 2023 13:01:11 +0200 Subject: [PATCH 26/47] matrix_rageshake_docker_ -> matrix_rageshake_container_ --- .../custom/matrix-rageshake/defaults/main.yml | 12 ++++++------ .../custom/matrix-rageshake/tasks/install.yml | 18 +++++++++--------- .../systemd/matrix-rageshake.service.j2 | 2 +- 3 files changed, 16 insertions(+), 16 deletions(-) diff --git a/roles/custom/matrix-rageshake/defaults/main.yml b/roles/custom/matrix-rageshake/defaults/main.yml index 85a3e50e..e29ca62f 100644 --- a/roles/custom/matrix-rageshake/defaults/main.yml +++ b/roles/custom/matrix-rageshake/defaults/main.yml 
@@ -7,18 +7,18 @@ matrix_rageshake_enabled: true
 # There are no stable container image tags yet.
 # See: https://github.com/matrix-org/rageshake/issues/69
 matrix_rageshake_version: "master"
-matrix_rageshake_docker_image: "{{ matrix_rageshake_docker_image_name_prefix }}matrix-org/rageshake:{{ matrix_rageshake_version }}"
-matrix_rageshake_docker_image_name_prefix: "{{ 'localhost/' if matrix_rageshake_container_image_self_build else 'ghcr.io/' }}"
-matrix_rageshake_docker_image_force_pull: "{{ matrix_rageshake_docker_image.endswith(':master') }}"
+matrix_rageshake_container_image: "{{ matrix_rageshake_container_image_name_prefix }}matrix-org/rageshake:{{ matrix_rageshake_version }}"
+matrix_rageshake_container_image_name_prefix: "{{ 'localhost/' if matrix_rageshake_container_image_self_build else 'ghcr.io/' }}"
+matrix_rageshake_container_image_force_pull: "{{ matrix_rageshake_container_image.endswith(':master') }}"
 matrix_rageshake_base_path: "{{ matrix_base_data_path }}/rageshake"
 matrix_rageshake_config_path: "{{ matrix_rageshake_base_path }}/config"
 matrix_rageshake_data_path: "{{ matrix_rageshake_base_path }}/data"
 matrix_rageshake_container_image_self_build: false
-matrix_rageshake_docker_repo: "https://github.com/matrix-org/rageshake/"
-matrix_rageshake_docker_repo_version: "{{ 'master' if matrix_rageshake_version == 'master' else matrix_rageshake_version }}"
-matrix_rageshake_docker_src_files_path: "{{ matrix_base_data_path }}/Dockerfile"
+matrix_rageshake_container_repo: "https://github.com/matrix-org/rageshake/"
+matrix_rageshake_container_repo_version: "{{ 'master' if matrix_rageshake_version == 'master' else matrix_rageshake_version }}"
+matrix_rageshake_container_src_files_path: "{{ matrix_base_data_path }}/Dockerfile"
 # A list of extra arguments to pass to the container
 matrix_rageshake_container_extra_arguments: []
diff --git a/roles/custom/matrix-rageshake/tasks/install.yml b/roles/custom/matrix-rageshake/tasks/install.yml index 3f4d64c5..6b75b969 100644 --- a/roles/custom/matrix-rageshake/tasks/install.yml +++ b/roles/custom/matrix-rageshake/tasks/install.yml @@ -10,7 +10,7 @@ - { path: "{{ matrix_rageshake_config_path }}", when: true } - { path: "{{ matrix_rageshake_data_path }}", when: true } - { - path: "{{ matrix_rageshake_docker_src_files_path }}", + path: "{{ matrix_rageshake_container_src_files_path }}", when: matrix_rageshake_container_image_self_build, } when: "item.when | bool" @@ -25,10 +25,10 @@ - name: Ensure rageshake image is pulled community.docker.docker_image: - name: "{{ matrix_rageshake_docker_image }}" + name: "{{ matrix_rageshake_container_image }}" source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_rageshake_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_rageshake_docker_image_force_pull }}" + force_source: "{{ matrix_rageshake_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_rageshake_container_image_force_pull }}" when: "not matrix_rageshake_container_image_self_build | bool" register: result retries: "{{ devture_playbook_help_container_retries_count }}" 
@@ -37,9 +37,9 @@ - name: Ensure rageshake repository is present on self-build ansible.builtin.git: - repo: "{{ matrix_rageshake_docker_repo }}" - version: "{{ matrix_rageshake_docker_repo_version }}" - dest: "{{ matrix_rageshake_docker_src_files_path }}" + repo: "{{ matrix_rageshake_container_repo }}" + version: "{{ matrix_rageshake_container_repo_version }}" + dest: "{{ matrix_rageshake_container_src_files_path }}" force: "yes" become: true become_user: "{{ matrix_user_username }}" @@ -48,13 +48,13 @@ - name: Ensure rageshake image is built community.docker.docker_image: - name: "{{ matrix_rageshake_docker_image }}" + name: "{{ matrix_rageshake_container_image }}" source: build force_source: "{{ matrix_rageshake_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" build: dockerfile: Dockerfile - path: "{{ matrix_rageshake_docker_src_files_path }}" + path: "{{ matrix_rageshake_container_src_files_path }}" pull: true when: "matrix_rageshake_container_image_self_build | bool" diff --git a/roles/custom/matrix-rageshake/templates/systemd/matrix-rageshake.service.j2 b/roles/custom/matrix-rageshake/templates/systemd/matrix-rageshake.service.j2 index 6e818e0f..5e6cfece 100644 --- a/roles/custom/matrix-rageshake/templates/systemd/matrix-rageshake.service.j2 +++ b/roles/custom/matrix-rageshake/templates/systemd/matrix-rageshake.service.j2 @@ -28,7 +28,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {% for arg in matrix_rageshake_container_extra_arguments %} {{ arg }} \ {% endfor %} - {{ matrix_rageshake_docker_image }} \ + {{ matrix_rageshake_container_image }} \ --config /config/config.yml ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-rageshake 2>/dev/null || true' 
From 39be2ef71abf6d85c73381b5f22cfae292db5fe1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Feb 2023 13:01:38 +0200 Subject: [PATCH 27/47] Fix matrix_rageshake_container_src_files_path value --- roles/custom/matrix-rageshake/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-rageshake/defaults/main.yml b/roles/custom/matrix-rageshake/defaults/main.yml index e29ca62f..5be3a1ca 100644 --- a/roles/custom/matrix-rageshake/defaults/main.yml +++ b/roles/custom/matrix-rageshake/defaults/main.yml @@ -18,7 +18,7 @@ matrix_rageshake_data_path: "{{ matrix_rageshake_base_path }}/data" matrix_rageshake_container_image_self_build: false matrix_rageshake_container_repo: "https://github.com/matrix-org/rageshake/" matrix_rageshake_container_repo_version: "{{ 'master' if matrix_rageshake_version == 'master' else matrix_rageshake_version }}" -matrix_rageshake_container_src_files_path: "{{ matrix_base_data_path }}/Dockerfile" +matrix_rageshake_container_src_files_path: "{{ matrix_rageshake_base_path }}/container-src" # A list of extra arguments to pass to the container matrix_rageshake_container_extra_arguments: [] From 4c64e092d00e0abc84b9695bc32c852ea7d17771 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Feb 2023 13:09:53 +0200 Subject: [PATCH 28/47] Fix rageshake self-building BuildX is required for building this container image. --- .../custom/matrix-rageshake/tasks/install.yml | 31 +++++++++---------- 1 file changed, 14 insertions(+), 17 deletions(-) diff --git a/roles/custom/matrix-rageshake/tasks/install.yml b/roles/custom/matrix-rageshake/tasks/install.yml index 6b75b969..a7b6a5b1 100644 --- a/roles/custom/matrix-rageshake/tasks/install.yml +++ b/roles/custom/matrix-rageshake/tasks/install.yml 
@@ -7,12 +7,12 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" with_items: - - { path: "{{ matrix_rageshake_config_path }}", when: true } - - { path: "{{ matrix_rageshake_data_path }}", when: true } - - { - path: "{{ matrix_rageshake_container_src_files_path }}", - when: matrix_rageshake_container_image_self_build, - } + - path: "{{ matrix_rageshake_config_path }}" + when: true + - path: "{{ matrix_rageshake_data_path }}" + when: true + - path: "{{ matrix_rageshake_container_src_files_path }}" + when: matrix_rageshake_container_image_self_build | bool when: "item.when | bool" - name: Ensure rageshake config file created @@ -46,17 +46,14 @@ register: matrix_rageshake_git_pull_results when: "matrix_rageshake_container_image_self_build | bool" -- name: Ensure rageshake image is built - community.docker.docker_image: - name: "{{ matrix_rageshake_container_image }}" - source: build - force_source: "{{ matrix_rageshake_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" - build: - dockerfile: Dockerfile - path: "{{ matrix_rageshake_container_src_files_path }}" - pull: true - when: "matrix_rageshake_container_image_self_build | bool" +- name: Ensure rageshake container image is built + ansible.builtin.command: + cmd: |- + {{ devture_systemd_docker_base_host_command_docker }} buildx build + --tag={{ matrix_rageshake_container_image }} + --file={{ matrix_rageshake_container_src_files_path }}/Dockerfile + {{ matrix_rageshake_container_src_files_path }} + when: matrix_rageshake_container_image_self_build | bool - name: Ensure matrix-rageshake.service installed ansible.builtin.template: From 233e25326457fdbb6c65e74412c6f0f824a310f9 Mon Sep 17 00:00:00 2001 
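Review bot: The new `buildx build` command in the "Ensure rageshake container image is built" task drops the `pull: true` that the removed `docker_image` task had, so a rebuild reuses whatever base image is already cached locally and never picks up a newer one; add `--pull` to the `cmd` block next to `--tag`. The `ansible.builtin.command` task also has no `changed_when`, so it reports changed on every run, whereas the removed task only forced a rebuild when `matrix_rageshake_git_pull_results.changed` (registered in the context just above); consider `changed_when: matrix_rageshake_git_pull_results.changed` so that a no-op rebuild is not reported as a change. Since `command` does not invoke a shell, the unquoted Jinja values in `cmd` are only a problem if a path contains whitespace, which the defaults do not produce.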
From: Slavi Pantaleev Date: Sat, 25 Feb 2023 13:15:34 +0200 Subject: [PATCH 29/47] Add native Traefik support to rageshake --- group_vars/matrix_servers | 15 +++- .../matrix-nginx-proxy/defaults/main.yml | 5 -- .../matrix-nginx-proxy/templates/labels.j2 | 11 --- .../custom/matrix-rageshake/defaults/main.yml | 69 +++++++++++++++++-- .../custom/matrix-rageshake/tasks/install.yml | 18 ++++- .../matrix-rageshake/tasks/uninstall.yml | 3 +- .../tasks/validate_config.yml | 30 ++++++++ .../matrix-rageshake/templates/labels.j2 | 45 ++++++++++++ .../systemd/matrix-rageshake.service.j2 | 14 +++- 9 files changed, 180 insertions(+), 30 deletions(-) create mode 100644 roles/custom/matrix-rageshake/templates/labels.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 2ad11473..dc24392e 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -2009,6 +2009,18 @@ matrix_rageshake_enabled: false
 matrix_rageshake_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}"
+matrix_rageshake_hostname: "{{ matrix_server_fqn_rageshake }}"
+
+matrix_rageshake_container_network: "{{ matrix_docker_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-rageshake' }}"
+
+matrix_rageshake_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}"
+
+matrix_rageshake_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9110') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
+
+matrix_rageshake_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}"
+matrix_rageshake_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+matrix_rageshake_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
+
 ######################################################################
 #
 # /matrix-rageshake
@@ -2403,7 +2415,7 @@ matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled an matrix_nginx_proxy_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled }}" matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" -matrix_nginx_proxy_proxy_rageshake_enabled: "{{ matrix_rageshake_enabled }}" +matrix_nginx_proxy_proxy_rageshake_enabled: "{{ matrix_rageshake_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}" matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" @@ -2421,7 +2433,6 @@ matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_ent matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" -matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_enabled: "{{ matrix_rageshake_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}" matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index b5915dc4..061d8f93 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml 
@@ -71,11 +71,6 @@ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_hostname: "{{ matrix matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" matrix_nginx_proxy_container_labels_traefik_proxy_dimension_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_hostname }}`)" -matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_enabled: false -matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_hostname: "{{ matrix_server_fqn_rageshake }}" -matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" -matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_hostname }}`)" - matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: false matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_hostname: "{{ matrix_server_fqn_etherpad }}" matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2 index 00c9c40a..1e60ba6d 100644 --- a/roles/custom/matrix-nginx-proxy/templates/labels.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2 
@@ -62,17 +62,6 @@ traefik.http.routers.matrix-nginx-proxy-dimension.entrypoints={{ matrix_nginx_pr {% endif %} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_enabled %} -# Rageshake -traefik.http.routers.matrix-nginx-proxy-rageshake.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_rule }} -traefik.http.routers.matrix-nginx-proxy-rageshake.service=matrix-nginx-proxy-web -traefik.http.routers.matrix-nginx-proxy-rageshake.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_tls | to_json }} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_rageshake_tls %} -traefik.http.routers.matrix-nginx-proxy-rageshake.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} -{% endif %} -traefik.http.routers.matrix-nginx-proxy-rageshake.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} -{% endif %} - {% if matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled %} # Etherpad traefik.http.routers.matrix-nginx-proxy-etherpad.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_rule }} diff --git a/roles/custom/matrix-rageshake/defaults/main.yml b/roles/custom/matrix-rageshake/defaults/main.yml index 5be3a1ca..456838ed 100644 --- a/roles/custom/matrix-rageshake/defaults/main.yml +++ b/roles/custom/matrix-rageshake/defaults/main.yml 
@@ -4,21 +4,76 @@ matrix_rageshake_enabled: true +matrix_rageshake_scheme: https + +# The hostname at which rageshake is served. +matrix_rageshake_hostname: '' + +# The path at which rageshake is exposed. +# This value must either be `/` or not end with a slash (e.g. `/rageshake`). +matrix_rageshake_path_prefix: / + # There are no stable container image tags yet. # See: https://github.com/matrix-org/rageshake/issues/69 matrix_rageshake_version: "master" -matrix_rageshake_container_image: "{{ matrix_rageshake_container_image_name_prefix }}matrix-org/rageshake:{{ matrix_rageshake_version }}" -matrix_rageshake_container_image_name_prefix: "{{ 'localhost/' if matrix_rageshake_container_image_self_build else 'ghcr.io/' }}" -matrix_rageshake_container_image_force_pull: "{{ matrix_rageshake_container_image.endswith(':master') }}" matrix_rageshake_base_path: "{{ matrix_base_data_path }}/rageshake" matrix_rageshake_config_path: "{{ matrix_rageshake_base_path }}/config" matrix_rageshake_data_path: "{{ matrix_rageshake_base_path }}/data" +matrix_rageshake_container_src_files_path: "{{ matrix_rageshake_base_path }}/container-src" + +matrix_rageshake_container_image: "{{ matrix_rageshake_container_image_name_prefix }}matrix-org/rageshake:{{ matrix_rageshake_container_image_tag }}" +matrix_rageshake_container_image_name_prefix: "{{ 'localhost/' if matrix_rageshake_container_image_self_build else matrix_rageshake_container_registry_prefix }}" +matrix_rageshake_container_image_force_pull: "{{ matrix_rageshake_container_image.endswith(':master') }}" +matrix_rageshake_container_image_tag: "{{ matrix_rageshake_version }}" +matrix_rageshake_container_registry_prefix: ghcr.io/ matrix_rageshake_container_image_self_build: false -matrix_rageshake_container_repo: "https://github.com/matrix-org/rageshake/" -matrix_rageshake_container_repo_version: "{{ 'master' if matrix_rageshake_version == 'master' else matrix_rageshake_version }}" -matrix_rageshake_container_src_files_path: "{{ 
matrix_rageshake_base_path }}/container-src" +matrix_rageshake_container_image_self_build_repo: "https://github.com/matrix-org/rageshake/" +matrix_rageshake_container_image_self_build_repo_version: "{{ matrix_rageshake_version }}" + +# Controls whether the container exposes its HTTP port (tcp/9110 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:9110"), or empty string to not expose. +matrix_rageshake_container_http_host_bind_port: '' + +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_rageshake_container_network: matrix-rageshake + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_rageshake_container_additional_networks: [] + +# matrix_rageshake_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_rageshake_container_labels_additional_labels`. +matrix_rageshake_container_labels_traefik_enabled: true +matrix_rageshake_container_labels_traefik_docker_network: "{{ matrix_rageshake_container_network }}" +matrix_rageshake_container_labels_traefik_hostname: "{{ matrix_rageshake_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/rageshake`). 
+matrix_rageshake_container_labels_traefik_path_prefix: "{{ matrix_rageshake_path_prefix }}" +matrix_rageshake_container_labels_traefik_rule: "Host(`{{ matrix_rageshake_container_labels_traefik_hostname }}`){% if matrix_rageshake_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_rageshake_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_rageshake_container_labels_traefik_priority: 0 +matrix_rageshake_container_labels_traefik_entrypoints: web-secure +matrix_rageshake_container_labels_traefik_tls: "{{ matrix_rageshake_container_labels_traefik_entrypoints != 'web' }}" +matrix_rageshake_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. +# To add your own headers, use `matrix_rageshake_container_labels_traefik_additional_response_headers_custom` +matrix_rageshake_container_labels_traefik_additional_response_headers: "{{ matrix_rageshake_container_labels_traefik_additional_response_headers_auto | combine(matrix_rageshake_container_labels_traefik_additional_response_headers_custom) }}" +matrix_rageshake_container_labels_traefik_additional_response_headers_auto: {} +matrix_rageshake_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_rageshake_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_rageshake_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_rageshake_container_labels_additional_labels: '' # A list of extra arguments to pass to the container matrix_rageshake_container_extra_arguments: [] 
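Review bot: The comment above `matrix_rageshake_container_http_host_bind_port` reads `# Takes an ":" or "" value (e.g. "127.0.0.1:9110"), or empty string to not expose.`, which no longer names the two accepted forms; presumably the angle-bracket placeholders were lost, so spell them out as `# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9110"), or an empty string to not expose.`. Separately, `matrix_rageshake_hostname` now defaults to `''` while it is embedded verbatim in `matrix_rageshake_container_labels_traefik_rule` (`Host(``)`) and, via the second hunk of this file, in `matrix_rageshake_config_api_prefix`; this commit also touches validate_config.yml (its hunk is outside this view), so if that file does not already assert a non-empty hostname when the role is enabled, it should, since an empty `Host()` rule would silently match nothing.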
@@ -29,7 +84,7 @@ matrix_rageshake_systemd_required_services_list: ["docker.service"] # List of systemd services that matrix-rageshake.service wants matrix_rageshake_systemd_wanted_services_list: [] -matrix_rageshake_config_api_prefix: "https://{{ matrix_server_fqn_rageshake }}/api/" +matrix_rageshake_config_api_prefix: "{{ matrix_rageshake_scheme }}://{{ matrix_rageshake_hostname }}{{ matrix_rageshake_path_prefix }}{{ '' if matrix_rageshake_path_prefix == '/' else '/' }}api/" # Default Rageshake configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. diff --git a/roles/custom/matrix-rageshake/tasks/install.yml b/roles/custom/matrix-rageshake/tasks/install.yml index a7b6a5b1..f9461680 100644 --- a/roles/custom/matrix-rageshake/tasks/install.yml +++ b/roles/custom/matrix-rageshake/tasks/install.yml @@ -1,4 +1,5 @@ --- + - name: Ensure rageshake paths exist ansible.builtin.file: path: "{{ item.path }}" @@ -23,6 +24,14 @@ group: "{{ matrix_user_groupname }}" mode: 0640 +- name: Ensure rageshake labels installed + ansible.builtin.template: + src: "{{ role_path }}/templates/labels.j2" + dest: "{{ matrix_rageshake_base_path }}/labels" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + - name: Ensure rageshake image is pulled community.docker.docker_image: name: "{{ matrix_rageshake_container_image }}" @@ -37,8 +46,8 @@ - name: Ensure rageshake repository is present on self-build ansible.builtin.git: - repo: "{{ matrix_rageshake_container_repo }}" - version: "{{ matrix_rageshake_container_repo_version }}" + repo: "{{ matrix_rageshake_container_image_self_build_repo }}" + version: "{{ matrix_rageshake_container_image_self_build_version }}" dest: "{{ matrix_rageshake_container_src_files_path }}" force: "yes" become: true 
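Review bot: The self-build task in the install.yml hunk `@@ -37,8 +46,8 @@` reads `matrix_rageshake_container_image_self_build_version`, but the defaults hunk at the top of this patch defines `matrix_rageshake_container_image_self_build_repo_version`, so a run with `matrix_rageshake_container_image_self_build` enabled should fail on an undefined variable. Either rename the default or change the task line to `version: "{{ matrix_rageshake_container_image_self_build_repo_version }}"`. Separately, the new `matrix_rageshake_config_api_prefix` in the defaults hunk on this line inserts a `/` between the prefix and `api/` only when the prefix is exactly `/`, so a prefix configured with a trailing slash (`/rageshake/`) yields `//api/`, and the validation added later in this patch only checks the Traefik copy of the prefix. The `mode: 0640` in the new labels task is an unquoted octal; `mode: "0640"` is the form ansible-lint expects, though the existing task just above it uses the same unquoted style.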
@@ -55,6 +64,11 @@ {{ matrix_rageshake_container_src_files_path }} when: matrix_rageshake_container_image_self_build | bool +- name: Ensure rageshake container network is created + community.general.docker_network: + name: "{{ matrix_rageshake_container_network }}" + driver: bridge + - name: Ensure matrix-rageshake.service installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-rageshake.service.j2" diff --git a/roles/custom/matrix-rageshake/tasks/uninstall.yml b/roles/custom/matrix-rageshake/tasks/uninstall.yml index 133ac76d..8f04d989 100644 --- a/roles/custom/matrix-rageshake/tasks/uninstall.yml +++ b/roles/custom/matrix-rageshake/tasks/uninstall.yml @@ -1,4 +1,5 @@ --- + - name: Check existence of matrix-rageshake service ansible.builtin.stat: path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-rageshake.service" @@ -18,7 +19,7 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-rageshake.service" state: absent - - name: Ensure Matrix rageshake paths don't exist + - name: Ensure rageshake paths don't exist ansible.builtin.file: path: "{{ matrix_rageshake_base_path }}" state: absent diff --git a/roles/custom/matrix-rageshake/tasks/validate_config.yml b/roles/custom/matrix-rageshake/tasks/validate_config.yml index ed97d539..b61a486d 100644 --- a/roles/custom/matrix-rageshake/tasks/validate_config.yml +++ b/roles/custom/matrix-rageshake/tasks/validate_config.yml 
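Review bot: The new network task uses `community.general.docker_network`, while the image pull task in this same file (`community.docker.docker_image`) already uses the collection the Docker modules moved to; `community.general` only carries a redirect for the old module name. Writing it as `community.docker.docker_network:` keeps the file on one collection and avoids depending on that redirect. The same applies to the Buscarron network task added in PATCH 33 (`roles/custom/matrix-bot-buscarron/tasks/setup_install.yml`).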
@@ -1 +1,31 @@ --- + +- name: Fail if required rageshake settings not defined + ansible.builtin.fail: + msg: > + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - matrix_rageshake_hostname + - matrix_rageshake_path_prefix + - matrix_rageshake_container_network + +- when: matrix_rageshake_container_labels_traefik_enabled | bool + block: + - name: Fail if required rageshake Traefik settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - matrix_rageshake_container_labels_traefik_hostname + - matrix_rageshake_container_labels_traefik_path_prefix + + # We ensure it doesn't end with a slash, because we handle both (slash and no-slash). + # Knowing that `matrix_rageshake_container_labels_traefik_path_prefix` does not end with a slash + # ensures we know how to set these routes up without having to do "does it end with a slash" checks elsewhere. + - name: Fail if matrix_rageshake_container_labels_traefik_path_prefix ends with a slash + ansible.builtin.fail: + msg: >- + matrix_rageshake_container_labels_traefik_path_prefix (`{{ matrix_rageshake_container_labels_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/rageshake`). + when: "matrix_rageshake_container_labels_traefik_path_prefix != '/' and matrix_rageshake_container_labels_traefik_path_prefix[-1] == '/'" diff --git a/roles/custom/matrix-rageshake/templates/labels.j2 b/roles/custom/matrix-rageshake/templates/labels.j2 new file mode 100644 index 00000000..cdaf5f6a --- /dev/null +++ b/roles/custom/matrix-rageshake/templates/labels.j2 
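Review bot: The prefix check in the last task only rejects a trailing slash, so a value without a leading slash (e.g. `rageshake`) passes validation and is rendered into the Traefik rule as `PathPrefix(`rageshake`)`, which Traefik is unlikely to accept as a path matcher. Extending the condition, e.g. `when: "matrix_rageshake_container_labels_traefik_path_prefix != '/' and (matrix_rageshake_container_labels_traefik_path_prefix[0] != '/' or matrix_rageshake_container_labels_traefik_path_prefix[-1] == '/')"` with the message adjusted to say the value must start with `/`, would fail early with a clear error instead. A style nit: the first task's `msg: >` keeps a trailing newline while the two Traefik tasks use `>-`; using `>-` throughout keeps the three messages consistent.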
@@ -0,0 +1,45 @@ +{% if matrix_rageshake_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_rageshake_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_rageshake_container_labels_traefik_docker_network }} +{% endif %} + +{% set middlewares = [] %} + +{% if matrix_rageshake_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-rageshake-slashless-redirect.redirectregex.regex=({{ matrix_rageshake_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-rageshake-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-rageshake-slashless-redirect'] %} +{% endif %} + +{% if matrix_rageshake_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-rageshake-strip-prefix.stripprefix.prefixes={{ matrix_rageshake_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-rageshake-strip-prefix'] %} +{% endif %} + +{% if matrix_rageshake_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_rageshake_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-rageshake-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-rageshake-add-headers'] %} +{% endif %} + +traefik.http.routers.matrix-rageshake.rule={{ matrix_rageshake_container_labels_traefik_rule }} +{% if matrix_rageshake_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-rageshake.priority={{ matrix_rageshake_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-rageshake.service=matrix-rageshake +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-rageshake.middlewares={{ middlewares | join(',') }} +{% endif %} +traefik.http.routers.matrix-rageshake.entrypoints={{ 
matrix_rageshake_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-rageshake.tls={{ matrix_rageshake_container_labels_traefik_tls | to_json }} +{% if matrix_rageshake_container_labels_traefik_tls %} +traefik.http.routers.matrix-rageshake.tls.certResolver={{ matrix_rageshake_container_labels_traefik_tls_certResolver }} +{% endif %} + +traefik.http.services.matrix-rageshake.loadbalancer.server.port=9110 +{% endif %} + +{{ matrix_rageshake_container_labels_additional_labels }} diff --git a/roles/custom/matrix-rageshake/templates/systemd/matrix-rageshake.service.j2 b/roles/custom/matrix-rageshake/templates/systemd/matrix-rageshake.service.j2 index 5e6cfece..75006c2d 100644 --- a/roles/custom/matrix-rageshake/templates/systemd/matrix-rageshake.service.j2 +++ b/roles/custom/matrix-rageshake/templates/systemd/matrix-rageshake.service.j2 
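Review bot: The slashless-redirect regex passes the path prefix through `quote`, which is Ansible's shell-quoting filter rather than a regex escape; for the default `/rageshake` it is a no-op, but a prefix containing regex metacharacters such as `.` would be interpreted by Traefik's redirectregex instead of matched literally, and a value that shell quoting considers unsafe would gain stray `'` characters. `regex_escape` is the filter meant for this position: `traefik.http.middlewares.matrix-rageshake-slashless-redirect.redirectregex.regex=({{ matrix_rageshake_container_labels_traefik_path_prefix | regex_escape }})$`. If other roles in the playbook use `quote` in the same label, they should presumably change together.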
@@ -16,23 +16,33 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-rageshake 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-rageshake 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-rageshake \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-rageshake \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ --tmpfs /tmp \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_rageshake_container_network }} \ --mount type=bind,src={{ matrix_rageshake_config_path }},dst=/config \ --mount type=bind,src={{ matrix_rageshake_data_path }},dst=/bugs \ + --label-file={{ matrix_rageshake_base_path }}/labels \ {% for arg in matrix_rageshake_container_extra_arguments %} {{ arg }} \ {% endfor %} {{ matrix_rageshake_container_image }} \ --config /config/config.yml +{% for network in matrix_rageshake_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-rageshake +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-rageshake + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-rageshake 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-rageshake 2>/dev/null || true' + Restart=always RestartSec=30 SyslogIdentifier=matrix-rageshake From b5e9ff59266eb2a255140337af2c5499b8a75afd Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sat, 25 Feb 2023 14:00:42 +0200 Subject: [PATCH 30/47] Add Rageshake documentation --- docs/configuring-playbook-rageshake.md | 65 ++++++++++++++++++++++++++ docs/configuring-playbook.md | 2 + 2 files changed, 67 insertions(+) create mode 100644 docs/configuring-playbook-rageshake.md diff --git a/docs/configuring-playbook-rageshake.md b/docs/configuring-playbook-rageshake.md new file mode 100644 index 00000000..274d0c8b --- /dev/null +++ b/docs/configuring-playbook-rageshake.md 
@@ -0,0 +1,65 @@ +# Setting up Rageshake (optional) + +The playbook can install and configure the [rageshake](https://github.com/matrix-org/rageshake) bug report server for you. + +This is useful if you're developing your own applications and would like to collect bug reports for them. + + +## Decide on a domain and path + +By default, Rageshake is configured to use its own dedicated domain (`rageshake.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records). + +You can override the domain and path like this: + +```yaml +# Switch to the domain used for Matrix services (`matrix.DOMAIN`), +# so we won't need to an additional DNS records for Rageshake. +matrix_rageshake_hostname: "{{ matrix_server_fqn_matrix }}" + +# Expose under the /rageshake subpath +matrix_rageshake_path_prefix: /rageshake +``` + +**NOTE**: When using `matrix-nginx-proxy` instead of Traefik, you won't be able to override the path prefix. You can only override the domain, but that needs to happen using another variable: `matrix_server_fqn_rageshake` (e.g. `matrix_server_fqn_rageshake: "some-domain.{{ matrix_domain }}"`). + + +## Adjusting DNS records + +Once you've decided on the domain and path, **you may need to adjust your DNS** records to point the Rageshake domain to the Matrix server. + +If you've decided to reuse the `matrix.` domain, you won't need to do any extra DNS configuration. + + +## Enabling the Rageshake service + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs): + +```yaml +matrix_rageshake_enabled: true +``` + +Rageshake has various options which don't have dedicated Ansible variables. You can see the full list of options in the [`rageshake.sample.yaml` file](https://github.com/matrix-org/rageshake/blob/master/rageshake.sample.yaml). 
+ +To set these, you can make use of the `matrix_rageshake_configuration_extension_yaml` variable like this: + +```yaml +matrix_rageshake_configuration_extension_yaml: | + github_token: secrettoken + + github_project_mappings: + my-app: octocat/HelloWorld +``` + + +## Installing + +After configuring the playbook, run the [installation](installing.md) command again: + +``` +ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start +``` + + +## Usage + +Refer to the [rageshake documentation](https://github.com/matrix-org/rageshake) for available APIs, etc. diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 1f3cb7a4..c94977a2 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -198,3 +198,5 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up the ntfy push notifications server](configuring-playbook-ntfy.md) (optional) - [Setting up a Cactus Comments server](configuring-playbook-cactus-comments.md) - a federated comment system built on Matrix (optional) + +- [Setting up the Rageshake bug report server](configuring-playbook-rageshake.md) (optional) From a45c70fd66aa8ea08d5fe416c6b06d192ef75211 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Feb 2023 14:04:20 +0200 Subject: [PATCH 31/47] Announce Rageshake support --- CHANGELOG.md | 9 +++++++++ README.md | 5 +++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5dd5e9f6..a49de417 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2023-02-25 + +## Rageshake support + +Thanks to [Benjamin Kampmann](https://github.com/gnunicorn), the playbook can now install and configure the [Rageshake](https://github.com/matrix-org/rageshake) bug report server. + +Additional details are available in [Setting up Rageshake](docs/configuring-playbook-rageshake.md). + + # 2023-02-17 ## Synapse templates customization support 
diff --git a/README.md b/README.md index 174ea4c3..d284909f 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,7 @@ You can always re-run the playbook later to add or remove components. The homeserver is the backbone of your matrix system. Choose one from the following list. | Name | Default? | Description | Documentation | -| ---- | -------- | ----------- | ------------- | +| ---- | -------- | ----------- | ------------- | | [Synapse](https://github.com/matrix-org/synapse) | ✓ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network | [Link](docs/configuring-playbook-synapse.md) | | [Conduit](https://conduit.rs) | x | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Conduit is a lightweight open-source server implementation of the Matrix Specification with a focus on easy setup and low system requirements | [Link](docs/configuring-playbook-conduit.md) | | [Dendrite](https://github.com/matrix-org/dendrite) | x | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Dendrite is a second-generation Matrix homeserver written in Go, an alternative to Synapse. | [Link](docs/configuring-playbook-dendrite.md) | 
@@ -66,7 +66,7 @@ Services that run on the server to make the various parts of your installation w Extend and modify how users are authenticated on your homeserver. | Name | Default? | Description | Documentation | -| ---- | -------- | ----------- | ------------- | +| ---- | -------- | ----------- | ------------- | | [matrix-synapse-rest-auth](https://github.com/ma1uta/matrix-synapse-rest-password-provider) (advanced) | x | REST authentication password provider module | [Link](docs/configuring-playbook-rest-auth.md) | |[matrix-synapse-shared-secret-auth](https://github.com/devture/matrix-synapse-shared-secret-auth) (advanced) | x | Password provider module | [Link](docs/configuring-playbook-shared-secret-auth.md) | | [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) (advanced) | x | LDAP Auth password provider module | [Link](configuring-playbook-ldap-auth.md) | @@ -144,6 +144,7 @@ Services that help you in administrating and monitoring your matrix installation | [synapse-admin](https://github.com/Awesome-Technologies/synapse-admin) | x | A web UI tool for administrating users and rooms on your Matrix server | [Link](docs/configuring-playbook-synapse-admin.md) | | Metrics and Graphs | x | Consists of the [Prometheus](https://prometheus.io) time-series database server, the Prometheus [node-exporter](https://prometheus.io/docs/guides/node-exporter/) host metrics exporter, and the [Grafana](https://grafana.com/) web UI | [Link](docs/configuring-playbook-prometheus-grafana.md) | | [Borg](https://borgbackup.org) | x | Backups | [Link](docs/configuring-playbook-backup-borg.md) | +| [Rageshake](https://github.com/matrix-org/rageshake) | x | Bug report server | [Link](docs/configuring-playbook-rageshake.md) | ### Misc From 6c2d397853b50751ee268341497427f59c93c765 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sat, 25 Feb 2023 14:58:41 +0200 Subject: [PATCH 32/47] Fix inaccurate Buscarron project description comment --- roles/custom/matrix-bot-buscarron/defaults/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-buscarron/defaults/main.yml b/roles/custom/matrix-bot-buscarron/defaults/main.yml index f887e262..c2d8d2de 100644 --- a/roles/custom/matrix-bot-buscarron/defaults/main.yml +++ b/roles/custom/matrix-bot-buscarron/defaults/main.yml @@ -1,5 +1,6 @@ --- -# buscarron is a helpdesk bot + +# buscarron is a Web forms (HTTP POST) to Matrix service. # Project source code URL: https://gitlab.com/etke.cc/buscarron matrix_bot_buscarron_enabled: true From 0220c851e8781e4468b1ff1b68e205c1e1c05212 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Feb 2023 15:02:30 +0200 Subject: [PATCH 33/47] Add multiple container networks support to Buscarron --- group_vars/matrix_servers | 2 ++ roles/custom/matrix-bot-buscarron/defaults/main.yml | 8 ++++++++ .../matrix-bot-buscarron/tasks/setup_install.yml | 5 +++++ .../systemd/matrix-bot-buscarron.service.j2 | 13 +++++++++++-- 4 files changed, 26 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index dc24392e..ee00dc58 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1685,6 +1685,8 @@ matrix_bot_buscarron_database_engine: "{{ 'postgres' if devture_postgres_enabled matrix_bot_buscarron_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_bot_buscarron_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'buscarron.bot.db', rounds=655555) | to_uuid }}" +matrix_bot_container_network: "{{ matrix_docker_network }}" + ###################################################################### # # /matrix-bot-buscarron 
diff --git a/roles/custom/matrix-bot-buscarron/defaults/main.yml b/roles/custom/matrix-bot-buscarron/defaults/main.yml index c2d8d2de..6ed6e962 100644 --- a/roles/custom/matrix-bot-buscarron/defaults/main.yml +++ b/roles/custom/matrix-bot-buscarron/defaults/main.yml @@ -20,6 +20,14 @@ matrix_bot_buscarron_config_path: "{{ matrix_bot_buscarron_base_path }}/config" matrix_bot_buscarron_data_path: "{{ matrix_bot_buscarron_base_path }}/data" matrix_bot_buscarron_data_store_path: "{{ matrix_bot_buscarron_data_path }}/store" +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_bot_container_network: matrix-bot-buscarron + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_bot_container_additional_networks: [] + # A list of extra arguments to pass to the container matrix_bot_buscarron_container_extra_arguments: [] diff --git a/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml b/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml index 6ae0f9b9..94fe93f6 100644 --- a/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml @@ -89,6 +89,11 @@ dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-buscarron.service" mode: 0644 +- name: Ensure buscarron container network is created + community.general.docker_network: + name: "{{ matrix_bot_buscarron_container_network }}" + driver: bridge + - name: Ensure matrix-bot-buscarron.service restarted, if necessary ansible.builtin.service: name: "matrix-bot-buscarron.service" 
diff --git a/roles/custom/matrix-bot-buscarron/templates/systemd/matrix-bot-buscarron.service.j2 b/roles/custom/matrix-bot-buscarron/templates/systemd/matrix-bot-buscarron.service.j2 index 60909dc9..b3ed673d 100644 --- a/roles/custom/matrix-bot-buscarron/templates/systemd/matrix-bot-buscarron.service.j2 +++ b/roles/custom/matrix-bot-buscarron/templates/systemd/matrix-bot-buscarron.service.j2 @@ -16,12 +16,14 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-buscarron 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-buscarron 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-bot-buscarron \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-bot-buscarron \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_bot_buscarron_container_network }} \ --env-file={{ matrix_bot_buscarron_config_path }}/env \ --mount type=bind,src={{ matrix_bot_buscarron_data_path }},dst=/data \ {% for arg in matrix_bot_buscarron_container_extra_arguments %} 
@@ -29,8 +31,15 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {% endfor %} {{ matrix_bot_buscarron_docker_image }} +{% for network in matrix_bot_buscarron_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-bot-buscarron +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-bot-buscarron + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-buscarron 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-buscarron 2>/dev/null || true' + Restart=always RestartSec=30 SyslogIdentifier=matrix-bot-buscarron From 63408096cfb6ae0fd0aefc5fcd25aace68ea995e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Feb 2023 15:06:29 +0200 Subject: [PATCH 34/47] Fix up Buscarron description on its documentation page --- docs/configuring-playbook-bot-buscarron.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/configuring-playbook-bot-buscarron.md b/docs/configuring-playbook-bot-buscarron.md index 0b80ba40..bfee92ee 100644 --- a/docs/configuring-playbook-bot-buscarron.md +++ b/docs/configuring-playbook-bot-buscarron.md @@ -2,8 +2,7 @@ The playbook can install and configure [buscarron](https://gitlab.com/etke.cc/buscarron) for you. -It's a bot you can use to setup **your own helpdesk on matrix** -It's a bot you can use to send any form (HTTP POST, HTML) to a (encrypted) matrix room +Buscarron is bot that receives HTTP POST submissions of web forms and forwards them to a Matrix room. ## Adjusting the playbook configuration From d7578880b6124bdbe961011ccff95f6587b317f1 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sat, 25 Feb 2023 15:07:47 +0200 Subject: [PATCH 35/47] Fix typo on Rageshake documentation page --- docs/configuring-playbook-rageshake.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-rageshake.md b/docs/configuring-playbook-rageshake.md index 274d0c8b..fe45db26 100644 --- a/docs/configuring-playbook-rageshake.md +++ b/docs/configuring-playbook-rageshake.md @@ -13,7 +13,7 @@ You can override the domain and path like this: ```yaml # Switch to the domain used for Matrix services (`matrix.DOMAIN`), -# so we won't need to an additional DNS records for Rageshake. +# so we won't need to add additional DNS records for Rageshake. matrix_rageshake_hostname: "{{ matrix_server_fqn_matrix }}" # Expose under the /rageshake subpath From bc5dda2b3aba7842ae63127ef9cc6e8f5816d52f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Feb 2023 15:10:40 +0200 Subject: [PATCH 36/47] Reorder some Buscarron default variables and fix some typos Fixes a regression introduced in 0220c851e8781e4468b1 --- group_vars/matrix_servers | 2 +- .../matrix-bot-buscarron/defaults/main.yml | 21 ++++++++++--------- 2 files changed, 12 insertions(+), 11 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index ee00dc58..6af65b3a 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1685,7 +1685,7 @@ matrix_bot_buscarron_database_engine: "{{ 'postgres' if devture_postgres_enabled matrix_bot_buscarron_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_bot_buscarron_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'buscarron.bot.db', rounds=655555) | to_uuid }}" -matrix_bot_container_network: "{{ matrix_docker_network }}" +matrix_bot_buscarron_container_network: "{{ matrix_docker_network }}" ###################################################################### # 
diff --git a/roles/custom/matrix-bot-buscarron/defaults/main.yml b/roles/custom/matrix-bot-buscarron/defaults/main.yml
index 6ed6e962..195359dd 100644
--- a/roles/custom/matrix-bot-buscarron/defaults/main.yml
+++ b/roles/custom/matrix-bot-buscarron/defaults/main.yml
@@ -5,28 +5,29 @@ matrix_bot_buscarron_enabled: true -matrix_bot_buscarron_container_image_self_build: false -matrix_bot_buscarron_docker_repo: "https://gitlab.com/etke.cc/buscarron.git" -matrix_bot_buscarron_docker_repo_version: "{{ matrix_bot_buscarron_version }}" -matrix_bot_buscarron_docker_src_files_path: "{{ matrix_base_data_path }}/buscarron/docker-src" - matrix_bot_buscarron_version: v1.3.1 -matrix_bot_buscarron_docker_image: "{{ matrix_bot_buscarron_docker_image_name_prefix }}etke.cc/buscarron:{{ matrix_bot_buscarron_version }}" -matrix_bot_buscarron_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_buscarron_container_image_self_build else 'registry.gitlab.com/' }}" -matrix_bot_buscarron_docker_image_force_pull: "{{ matrix_bot_buscarron_docker_image.endswith(':latest') }}" matrix_bot_buscarron_base_path: "{{ matrix_base_data_path }}/buscarron" matrix_bot_buscarron_config_path: "{{ matrix_bot_buscarron_base_path }}/config" matrix_bot_buscarron_data_path: "{{ matrix_bot_buscarron_base_path }}/data" matrix_bot_buscarron_data_store_path: "{{ matrix_bot_buscarron_data_path }}/store" +matrix_bot_buscarron_container_image_self_build: false +matrix_bot_buscarron_docker_repo: "https://gitlab.com/etke.cc/buscarron.git" +matrix_bot_buscarron_docker_repo_version: "{{ matrix_bot_buscarron_version }}" +matrix_bot_buscarron_docker_src_files_path: "{{ matrix_base_data_path }}/buscarron/docker-src" + +matrix_bot_buscarron_docker_image: "{{ matrix_bot_buscarron_docker_image_name_prefix }}etke.cc/buscarron:{{ matrix_bot_buscarron_version }}" +matrix_bot_buscarron_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_buscarron_container_image_self_build else 'registry.gitlab.com/' }}" +matrix_bot_buscarron_docker_image_force_pull: "{{ matrix_bot_buscarron_docker_image.endswith(':latest') }}" + # The base container network. It will be auto-created by this role if it doesn't exist already. 
-matrix_bot_container_network: matrix-bot-buscarron +matrix_bot_buscarron_container_network: matrix-bot-buscarron # A list of additional container networks that the container would be connected to. # The role does not create these networks, so make sure they already exist. # Use this to expose this container to another reverse proxy, which runs in a different container network. -matrix_bot_container_additional_networks: [] +matrix_bot_buscarron_container_additional_networks: [] # A list of extra arguments to pass to the container matrix_bot_buscarron_container_extra_arguments: [] From 3852a740bc5e0dba7ff662df3ce3a0f857f0216c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Feb 2023 15:50:35 +0200 Subject: [PATCH 37/47] Mention that Buscarron is aggressive when it comes to banning --- docs/configuring-playbook-bot-buscarron.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/configuring-playbook-bot-buscarron.md b/docs/configuring-playbook-bot-buscarron.md index bfee92ee..58b27db7 100644 --- a/docs/configuring-playbook-bot-buscarron.md +++ b/docs/configuring-playbook-bot-buscarron.md @@ -66,4 +66,12 @@ To use the bot, invite the `@bot.buscarron:DOMAIN` to the room you specified in ``` +**NOTE**: to fight against spam, Buscarron is **very aggressive when it comes to banning** and will ban you if: + +- if you hit the homepage (HTTP `GET` request to `/`) +- if you submit a form to the wrong URL (`POST` request to `/non-existing-form`) +- if `hasemail` is enabled for the form (like in the example above) and you don't submit an `email` field + +If you get banned, you'd need to restart the process by running the playbook with `--tags=start` or running `systemctl restart matrix-bot-buscarron` on the server. + You can also refer to the upstream [documentation](https://gitlab.com/etke.cc/buscarron). From 725b2beed7346328ca939fb3daa0a1ecfd71091d Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sat, 25 Feb 2023 15:50:48 +0200 Subject: [PATCH 38/47] Add native Traefik support to Buscarron --- docs/configuring-playbook-bot-buscarron.md | 35 ++++++++++----- group_vars/matrix_servers | 23 ++++++++-- .../matrix-bot-buscarron/defaults/main.yml | 37 +++++++++++++++ .../tasks/setup_install.yml | 9 ++-- .../tasks/validate_config.yml | 1 + .../matrix-bot-buscarron/templates/labels.j2 | 45 +++++++++++++++++++ .../systemd/matrix-bot-buscarron.service.j2 | 1 + .../matrix-nginx-proxy/defaults/main.yml | 5 --- .../matrix-nginx-proxy/templates/labels.j2 | 11 ----- 9 files changed, 135 insertions(+), 32 deletions(-) create mode 100644 roles/custom/matrix-bot-buscarron/templates/labels.j2 diff --git a/docs/configuring-playbook-bot-buscarron.md b/docs/configuring-playbook-bot-buscarron.md index 58b27db7..dd577854 100644 --- a/docs/configuring-playbook-bot-buscarron.md +++ b/docs/configuring-playbook-bot-buscarron.md 
@@ -5,6 +5,31 @@ The playbook can install and configure [buscarron](https://gitlab.com/etke.cc/bu Buscarron is bot that receives HTTP POST submissions of web forms and forwards them to a Matrix room. +## Decide on a domain and path + +By default, Rageshake is configured to use its own dedicated domain (`buscarron.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records). + +You can override the domain and path like this: + +```yaml +# Switch to the domain used for Matrix services (`matrix.DOMAIN`), +# so we won't need to add additional DNS records for Rageshake. +matrix_bot_buscarron_hostname: "{{ matrix_server_fqn_matrix }}" + +# Expose under the /buscarron subpath +matrix_bot_buscarron_path_prefix: /buscarron +``` + +**NOTE**: When using `matrix-nginx-proxy` instead of Traefik, you won't be able to override the path prefix. You can only override the domain, but that needs to happen using another variable: `matrix_server_fqn_buscarron` (e.g. `matrix_server_fqn_buscarron: "form.{{ matrix_domain }}"`). + + +## Adjusting DNS records + +Once you've decided on the domain and path, **you may need to adjust your DNS** records to point the Buscarron domain to the Matrix server. + +If you've decided to reuse the `matrix.` domain, you won't need to do any extra DNS configuration. + + ## Adjusting the playbook configuration Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: 
@@ -30,16 +55,6 @@ matrix_bot_buscarron_forms: matrix_bot_buscarron_spamlist: [] # (optional) list of emails/domains/hosts (with wildcards support) that should be rejected automatically ``` -You will also need to add a DNS record so that buscarron can be accessed. -By default buscarron will use https://buscarron.DOMAIN so you will need to create an CNAME record for `buscarron`. -See [Configuring DNS](configuring-dns.md). - -If you would like to use a different domain, add the following to your configuration file (changing it to use your preferred domain): - -```yaml -matrix_server_fqn_buscarron: "form.{{ matrix_domain }}" -``` - ## Installing diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 6af65b3a..afc1511c 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -1685,7 +1685,25 @@ matrix_bot_buscarron_database_engine: "{{ 'postgres' if devture_postgres_enabled matrix_bot_buscarron_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_bot_buscarron_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'buscarron.bot.db', rounds=655555) | to_uuid }}" -matrix_bot_buscarron_container_network: "{{ matrix_docker_network }}" +matrix_bot_buscarron_hostname: "{{ matrix_server_fqn_buscarron }}" + +matrix_bot_buscarron_container_network: "{{ matrix_docker_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-bot-buscarron' }}" + +# For now, we attach this to the matrix-nginx-proxy network (unless that's the same network as the main one for us), +# because that's where the homeserver is expected to be accessed from. +# In the future, this will need to be redone. +matrix_bot_buscarron_container_additional_networks: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + + + ([matrix_nginx_proxy_container_network] if matrix_nginx_proxy_enabled and matrix_bot_buscarron_container_network != matrix_nginx_proxy_container_network else []) + ) | unique + }} + +matrix_bot_buscarron_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" +matrix_bot_buscarron_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_bot_buscarron_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" ###################################################################### # 
@@ -2415,7 +2433,7 @@ matrix_nginx_proxy_proxy_matrix_enabled: true matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" -matrix_nginx_proxy_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled }}" +matrix_nginx_proxy_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" matrix_nginx_proxy_proxy_rageshake_enabled: "{{ matrix_rageshake_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}" @@ -2433,7 +2451,6 @@ matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_playbook_ matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true -matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}" matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" 
diff --git a/roles/custom/matrix-bot-buscarron/defaults/main.yml b/roles/custom/matrix-bot-buscarron/defaults/main.yml index 195359dd..0596c440 100644 --- a/roles/custom/matrix-bot-buscarron/defaults/main.yml +++ b/roles/custom/matrix-bot-buscarron/defaults/main.yml @@ -7,6 +7,13 @@ matrix_bot_buscarron_enabled: true matrix_bot_buscarron_version: v1.3.1 +# The hostname at which Buscarron is served. +matrix_bot_buscarron_hostname: '' + +# The path at which Buscarron is exposed. +# This value must either be `/` or not end with a slash (e.g. `/buscarron`). +matrix_bot_buscarron_path_prefix: / + matrix_bot_buscarron_base_path: "{{ matrix_base_data_path }}/buscarron" matrix_bot_buscarron_config_path: "{{ matrix_bot_buscarron_base_path }}/config" matrix_bot_buscarron_data_path: "{{ matrix_bot_buscarron_base_path }}/data" 
@@ -29,6 +36,36 @@ matrix_bot_buscarron_container_network: matrix-bot-buscarron # Use this to expose this container to another reverse proxy, which runs in a different container network. matrix_bot_buscarron_container_additional_networks: [] +# matrix_bot_buscarron_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_bot_buscarron_container_labels_additional_labels`. +matrix_bot_buscarron_container_labels_traefik_enabled: true +matrix_bot_buscarron_container_labels_traefik_docker_network: "{{ matrix_bot_buscarron_container_network }}" +matrix_bot_buscarron_container_labels_traefik_hostname: "{{ matrix_bot_buscarron_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/buscarron`). +matrix_bot_buscarron_container_labels_traefik_path_prefix: "{{ matrix_bot_buscarron_path_prefix }}" +matrix_bot_buscarron_container_labels_traefik_rule: "Host(`{{ matrix_bot_buscarron_container_labels_traefik_hostname }}`){% if matrix_bot_buscarron_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_bot_buscarron_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_bot_buscarron_container_labels_traefik_priority: 0 +matrix_bot_buscarron_container_labels_traefik_entrypoints: web-secure +matrix_bot_buscarron_container_labels_traefik_tls: "{{ matrix_bot_buscarron_container_labels_traefik_entrypoints != 'web' }}" +matrix_bot_buscarron_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. 
+# To add your own headers, use `matrix_bot_buscarron_container_labels_traefik_additional_response_headers_custom` +matrix_bot_buscarron_container_labels_traefik_additional_response_headers: "{{ matrix_bot_buscarron_container_labels_traefik_additional_response_headers_auto | combine(matrix_bot_buscarron_container_labels_traefik_additional_response_headers_custom) }}" +matrix_bot_buscarron_container_labels_traefik_additional_response_headers_auto: {} +matrix_bot_buscarron_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_bot_buscarron_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_bot_buscarron_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_bot_buscarron_container_labels_additional_labels: '' + # A list of extra arguments to pass to the container matrix_bot_buscarron_container_extra_arguments: [] diff --git a/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml b/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml index 94fe93f6..1c2c62e1 100644 --- a/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml @@ -40,13 +40,16 @@ - {path: "{{ matrix_bot_buscarron_docker_src_files_path }}", when: true} when: "item.when | bool" -- name: Ensure buscarron environment variables file created +- name: Ensure buscarron support files installed ansible.builtin.template: - src: "{{ role_path }}/templates/env.j2" - dest: "{{ matrix_bot_buscarron_config_path }}/env" + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_bot_buscarron_config_path }}/{{ item }}" owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" mode: 0640 + with_items: + - env + - labels - name: Ensure buscarron image is pulled community.docker.docker_image: 
diff --git a/roles/custom/matrix-bot-buscarron/tasks/validate_config.yml b/roles/custom/matrix-bot-buscarron/tasks/validate_config.yml index 3547fc03..51102b73 100644 --- a/roles/custom/matrix-bot-buscarron/tasks/validate_config.yml +++ b/roles/custom/matrix-bot-buscarron/tasks/validate_config.yml @@ -7,4 +7,5 @@ when: "item.when | bool and vars[item.name] == ''" with_items: - {'name': 'matrix_bot_buscarron_password', when: true} + - {'name': 'matrix_bot_buscarron_hostname', when: true} - {'name': 'matrix_bot_buscarron_database_hostname', when: "{{ matrix_bot_buscarron_database_engine == 'postgres' }}"} diff --git a/roles/custom/matrix-bot-buscarron/templates/labels.j2 b/roles/custom/matrix-bot-buscarron/templates/labels.j2 new file mode 100644 index 00000000..5a53805a --- /dev/null +++ b/roles/custom/matrix-bot-buscarron/templates/labels.j2 
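Review bot: The new item only rejects an empty `matrix_bot_buscarron_hostname`; the constraint that `matrix_bot_buscarron_path_prefix` is either `/` or does not end with a slash, which defaults/main.yml documents and which the `PathPrefix` rule and the slashless-redirect middleware in labels.j2 depend on, is not checked anywhere in this commit, so a value such as `/buscarron/` is accepted and yields a redirect/strip-prefix pair that does not behave as documented. A dedicated fail task next to this one would reject it at validation time. The fail task this hunk extends starts above the hunk, and the Sygnal commit's validate_config.yml changes are outside this view, so I cannot tell whether that role already does this.
```yaml
# … unchanged: the existing required-settings fail task …

- name: Fail if matrix_bot_buscarron_path_prefix is invalid
  ansible.builtin.fail:
    msg: "matrix_bot_buscarron_path_prefix must either be `/` or not end with a slash (e.g. `/buscarron`)"
  when: "matrix_bot_buscarron_path_prefix != '/' and matrix_bot_buscarron_path_prefix.endswith('/')"
```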
@@ -0,0 +1,45 @@
+{% if matrix_bot_buscarron_container_labels_traefik_enabled %}
+traefik.enable=true
+
+{% if matrix_bot_buscarron_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_bot_buscarron_container_labels_traefik_docker_network }}
+{% endif %}
+
+{% set middlewares = [] %}
+
+{% if matrix_bot_buscarron_container_labels_traefik_path_prefix != '/' %}
+traefik.http.middlewares.matrix-bot-buscarron-slashless-redirect.redirectregex.regex=({{ matrix_bot_buscarron_container_labels_traefik_path_prefix | quote }})$
+traefik.http.middlewares.matrix-bot-buscarron-slashless-redirect.redirectregex.replacement=${1}/
+{% set middlewares = middlewares + ['matrix-bot-buscarron-slashless-redirect'] %}
+{% endif %}
+
+{% if matrix_bot_buscarron_container_labels_traefik_path_prefix != '/' %}
+traefik.http.middlewares.matrix-bot-buscarron-strip-prefix.stripprefix.prefixes={{ matrix_bot_buscarron_container_labels_traefik_path_prefix }}
+{% set middlewares = middlewares + ['matrix-bot-buscarron-strip-prefix'] %}
+{% endif %}
+
+{% if matrix_bot_buscarron_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
+{% for name, value in matrix_bot_buscarron_container_labels_traefik_additional_response_headers.items() %}
+traefik.http.middlewares.matrix-bot-buscarron-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
+{% endfor %}
+{% set middlewares = middlewares + ['matrix-bot-buscarron-add-headers'] %}
+{% endif %}
+
+traefik.http.routers.matrix-bot-buscarron.rule={{ matrix_bot_buscarron_container_labels_traefik_rule }}
+{% if matrix_bot_buscarron_container_labels_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-bot-buscarron.priority={{ matrix_bot_buscarron_container_labels_traefik_priority }}
+{% endif %}
+traefik.http.routers.matrix-bot-buscarron.service=matrix-bot-buscarron
+{% if middlewares | length > 0 %}
+traefik.http.routers.matrix-bot-buscarron.middlewares={{ middlewares | join(',') }}
+{% endif %}
+traefik.http.routers.matrix-bot-buscarron.entrypoints={{ matrix_bot_buscarron_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-bot-buscarron.tls={{ matrix_bot_buscarron_container_labels_traefik_tls | to_json }} +{% if matrix_bot_buscarron_container_labels_traefik_tls %} +traefik.http.routers.matrix-bot-buscarron.tls.certResolver={{ matrix_bot_buscarron_container_labels_traefik_tls_certResolver }} +{% endif %} + +traefik.http.services.matrix-bot-buscarron.loadbalancer.server.port=8080 +{% endif %} + +{{ matrix_bot_buscarron_container_labels_additional_labels }} diff --git a/roles/custom/matrix-bot-buscarron/templates/systemd/matrix-bot-buscarron.service.j2 b/roles/custom/matrix-bot-buscarron/templates/systemd/matrix-bot-buscarron.service.j2 index b3ed673d..49c69948 100644 --- a/roles/custom/matrix-bot-buscarron/templates/systemd/matrix-bot-buscarron.service.j2 +++ b/roles/custom/matrix-bot-buscarron/templates/systemd/matrix-bot-buscarron.service.j2 @@ -25,6 +25,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --read-only \ --network={{ matrix_bot_buscarron_container_network }} \ --env-file={{ matrix_bot_buscarron_config_path }}/env \ + --label-file={{ matrix_bot_buscarron_config_path }}/labels \ --mount type=bind,src={{ matrix_bot_buscarron_data_path }},dst=/data \ {% for arg in matrix_bot_buscarron_container_extra_arguments %} {{ arg }} \ diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index 061d8f93..158a1b2b 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml 
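Review bot: `quote` in `redirectregex.regex=({{ matrix_bot_buscarron_container_labels_traefik_path_prefix | quote }})$` is Ansible's shell-quoting filter, not a regex escape, so a prefix containing regex metacharacters is interpolated into the Traefik pattern unescaped, and a prefix containing whitespace would be wrapped in shell quotes. `regex_escape` is the filter that matches the intent: `redirectregex.regex=({{ matrix_bot_buscarron_container_labels_traefik_path_prefix | regex_escape }})$`. As a point of style, the two `{% if matrix_bot_buscarron_container_labels_traefik_path_prefix != '/' %}` blocks that register the slashless-redirect and strip-prefix middlewares test the same condition and could be a single block. This hunk starts on the previous line.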
@@ -61,11 +61,6 @@ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule: "Host(`{{ matrix_ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint: "{{ matrix_federation_traefik_entrypoint }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints: "{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint }}" -matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled: false -matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_hostname: "{{ matrix_server_fqn_buscarron }}" -matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" -matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_hostname }}`)" - matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled: false matrix_nginx_proxy_container_labels_traefik_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}" matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2 index 1e60ba6d..d177d2fb 100644 --- a/roles/custom/matrix-nginx-proxy/templates/labels.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2 
@@ -38,17 +38,6 @@ traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.certResolver={{ ma traefik.http.routers.matrix-nginx-proxy-matrix-federation.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints }} {% endif %} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled %} -# Buscarron -traefik.http.routers.matrix-nginx-proxy-buscarron.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_rule }} -traefik.http.routers.matrix-nginx-proxy-buscarron.service=matrix-nginx-proxy-web -traefik.http.routers.matrix-nginx-proxy-buscarron.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_tls | to_json }} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_tls %} -traefik.http.routers.matrix-nginx-proxy-buscarron.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} -{% endif %} -traefik.http.routers.matrix-nginx-proxy-buscarron.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} -{% endif %} - {% if matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled %} # Dimension From ccb5b37842478b2cfc8038d4a01abcf24cec1222 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Feb 2023 15:59:28 +0200 Subject: [PATCH 39/47] Fix some typos on the Buscarron docs page --- docs/configuring-playbook-bot-buscarron.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-bot-buscarron.md b/docs/configuring-playbook-bot-buscarron.md index dd577854..b21dceef 100644 --- a/docs/configuring-playbook-bot-buscarron.md +++ b/docs/configuring-playbook-bot-buscarron.md 
@@ -7,13 +7,13 @@ Buscarron is bot that receives HTTP POST submissions of web forms and forwards t ## Decide on a domain and path -By default, Rageshake is configured to use its own dedicated domain (`buscarron.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records). +By default, Buscarron is configured to use its own dedicated domain (`buscarron.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records). You can override the domain and path like this: ```yaml # Switch to the domain used for Matrix services (`matrix.DOMAIN`), -# so we won't need to add additional DNS records for Rageshake. +# so we won't need to add additional DNS records for Buscarron. matrix_bot_buscarron_hostname: "{{ matrix_server_fqn_matrix }}" # Expose under the /buscarron subpath From 8df7ad47cd1c95a667e9f56e7739de51aca9cadb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Feb 2023 19:04:28 +0200 Subject: [PATCH 40/47] Fix rageshake project description in defaults/main.yml --- roles/custom/matrix-rageshake/defaults/main.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-rageshake/defaults/main.yml b/roles/custom/matrix-rageshake/defaults/main.yml index 456838ed..2dca91b1 100644 --- a/roles/custom/matrix-rageshake/defaults/main.yml +++ b/roles/custom/matrix-rageshake/defaults/main.yml @@ -1,6 +1,7 @@ --- -# rageshake is a issue submission service from matrix.org -# Project source code URL: https://github.com/matrix-org/rageshake/ + +# rageshake is a bug report collection service +# Project source code URL: https://github.com/matrix-org/rageshake matrix_rageshake_enabled: true From 348dd8e76bcd1da24934592ccac9d0f1c2fc2ea9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Feb 2023 19:36:57 +0200 Subject: [PATCH 41/47] Remove double space --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index afc1511c..7f378380 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1697,7 +1697,7 @@ matrix_bot_buscarron_container_additional_networks: | ( ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + - ([matrix_nginx_proxy_container_network] if matrix_nginx_proxy_enabled and matrix_bot_buscarron_container_network != matrix_nginx_proxy_container_network else []) + ([matrix_nginx_proxy_container_network] if matrix_nginx_proxy_enabled and matrix_bot_buscarron_container_network != matrix_nginx_proxy_container_network else []) ) | unique }} From 252e542bc552d9e4de48e61b0ef309e5eaaa0f18 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Sun, 26 Feb 2023 08:19:51 +0000 Subject: [PATCH 42/47] Update ntfy 2.0.1 -> 2.1.0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index cbdd37ca..4ebe8a06 100644 --- a/requirements.yml +++ b/requirements.yml @@ -43,7 +43,7 @@ version: v9.3.6-2 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git - version: v2.0.1-0 + version: v2.1.0-0 - src: git+https://gitlab.com/etke.cc/roles/redis.git version: v7.0.7-0 From d20ff688dbc31d40f5a4616ee84bafce5a25d1da Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sun, 26 Feb 2023 11:03:42 +0200 Subject: [PATCH 43/47] Add native Traefik support to Sygnal --- docs/configuring-playbook-sygnal.md | 31 ++++++++-- group_vars/matrix_servers | 13 +++- .../matrix-nginx-proxy/defaults/main.yml | 5 -- .../matrix-nginx-proxy/templates/labels.j2 | 11 ---- roles/custom/matrix-sygnal/defaults/main.yml | 59 +++++++++++++++++-- .../tasks/{setup_install.yml => install.yml} | 35 +++++++---- roles/custom/matrix-sygnal/tasks/main.yml | 4 +- .../{setup_uninstall.yml => uninstall.yml} | 0 .../matrix-sygnal/tasks/validate_config.yml | 32 +++++++++- .../custom/matrix-sygnal/templates/labels.j2 | 45 ++++++++++++++ .../systemd/matrix-sygnal.service.j2 | 14 ++++- 11 files changed, 206 insertions(+), 43 deletions(-) rename roles/custom/matrix-sygnal/tasks/{setup_install.yml => install.yml} (78%) rename roles/custom/matrix-sygnal/tasks/{setup_uninstall.yml => uninstall.yml} (100%) create mode 100644 roles/custom/matrix-sygnal/templates/labels.j2 diff --git a/docs/configuring-playbook-sygnal.md b/docs/configuring-playbook-sygnal.md index 1a344530..786498c6 100644 --- a/docs/configuring-playbook-sygnal.md +++ b/docs/configuring-playbook-sygnal.md 
@@ -11,6 +11,31 @@ See the project's [documentation](https://github.com/matrix-org/sygnal) to learn This optional playbook component is only useful to people who develop/build their own Matrix client applications themselves. +## Decide on a domain and path + +By default, Sygnal is configured to use its own dedicated domain (`sygnal.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records). + +You can override the domain and path like this: + +```yaml +# Switch to the domain used for Matrix services (`matrix.DOMAIN`), +# so we won't need to add additional DNS records for Sygnal. +matrix_sygnal_hostname: "{{ matrix_server_fqn_matrix }}" + +# Expose under the /sygnal subpath +matrix_sygnal_path_prefix: /sygnal +``` + +**NOTE**: When using `matrix-nginx-proxy` instead of Traefik, you won't be able to override the path prefix. You can only override the domain, but that needs to happen using another variable: `matrix_server_fqn_sygnal` (e.g. `matrix_server_fqn_sygnal: "push.{{ matrix_domain }}"`). + + +## Adjusting DNS records + +Once you've decided on the domain and path, **you may need to adjust your DNS** records to point the Sygnal domain to the Matrix server. + +If you've decided to reuse the `matrix.` domain, you won't need to do any extra DNS configuration. + + ## Adjusting the playbook configuration Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs): @@ -55,9 +80,7 @@ To do that, the above example configuration: ## Installing -Don't forget to add `sygnal.` to DNS as described in [Configuring DNS](configuring-dns.md) before running the playbook. - -After configuring the playbook, run the [installation](installing.md) command again: +After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the [installation](installing.md) command: ``` ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start 
@@ -66,6 +89,6 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start ## Usage -To make use of your Sygnal installation, you'd need to build your own Matrix client application, which uses the same API keys (for [GCM/FCM](https://firebase.google.com/docs/cloud-messaging/)) and certificates (for [APNS](https://developer.apple.com/notifications/)) and is also pointed to `https://sygnal.DOMAIN` as the configured push server. +To make use of your Sygnal installation, you'd need to build your own Matrix client application, which uses the same API keys (for [GCM/FCM](https://firebase.google.com/docs/cloud-messaging/)) and certificates (for [APNS](https://developer.apple.com/notifications/)) and is to your Sygnal URL endpoint (e.g. `https://sygnal.DOMAIN`). Refer to Sygnal's [Notes for application developers](https://github.com/matrix-org/sygnal/blob/master/docs/applications.md) document. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 7f378380..359c6e3f 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2443,7 +2443,7 @@ matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" matrix_nginx_proxy_proxy_jitsi_manage_wellknown: "{{ matrix_jitsi_require_well_known }}" matrix_nginx_proxy_proxy_grafana_enabled: "{{ grafana_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" -matrix_nginx_proxy_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled }}" +matrix_nginx_proxy_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_ntfy_enabled: "{{ ntfy_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" 
@@ -2455,7 +2455,6 @@ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled: "{{ matrix_ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}" matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" -matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled }}" matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}" matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" @@ -2931,8 +2930,18 @@ matrix_sygnal_enabled: false # If someone instals Prometheus via the playbook, they most likely wish to monitor Sygnal. matrix_sygnal_metrics_prometheus_enabled: "{{ matrix_prometheus_enabled }}" +matrix_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}" + +matrix_sygnal_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-sygnal' }}" + +matrix_sygnal_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" + matrix_sygnal_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '6000') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_sygnal_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" +matrix_sygnal_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_sygnal_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" + ###################################################################### # # /matrix-sygnal 
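Review bot: `matrix_sygnal_container_network` falls back to `matrix_nginx_proxy_container_network` under `playbook-managed-nginx`, while the Buscarron commit earlier in this series (PATCH 38) makes the equivalent choice with `matrix_docker_network`; unless those two variables always resolve to the same network, the two roles become reachable from nginx by different routes, and nothing in the hunk says why. Either use one variable for both or add a comment above this line stating the reason Sygnal joins the nginx-proxy network directly; I am inferring that it is because only the proxy needs to reach Sygnal, so confirm that before writing it down. The `matrix_sygnal_enabled: false` in this hunk's header context also shows the playbook keeps Sygnal disabled regardless of the role default.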
diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index 158a1b2b..a098a098 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml @@ -81,11 +81,6 @@ matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_hostname: "{{ matrix_ser matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_hostname }}`)" -matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_enabled: false -matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}" -matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" -matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_hostname }}`)" - # matrix_nginx_proxy_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. # See `../templates/labels.j2` for details. # diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2 index d177d2fb..6afa6029 100644 --- a/roles/custom/matrix-nginx-proxy/templates/labels.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2 
@@ -86,17 +86,6 @@ traefik.http.routers.matrix-nginx-proxy-jitsi.tls.certResolver={{ matrix_nginx_p traefik.http.routers.matrix-nginx-proxy-jitsi.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} {% endif %} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_enabled %} -# Sygnal -traefik.http.routers.matrix-nginx-proxy-sygnal.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_rule }} -traefik.http.routers.matrix-nginx-proxy-sygnal.service=matrix-nginx-proxy-web -traefik.http.routers.matrix-nginx-proxy-sygnal.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_tls | to_json }} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_tls %} -traefik.http.routers.matrix-nginx-proxy-sygnal.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} -{% endif %} -traefik.http.routers.matrix-nginx-proxy-sygnal.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} -{% endif %} - traefik.http.services.matrix-nginx-proxy-web.loadbalancer.server.port=8080 diff --git a/roles/custom/matrix-sygnal/defaults/main.yml b/roles/custom/matrix-sygnal/defaults/main.yml index 1268d602..f3c1df4e 100644 --- a/roles/custom/matrix-sygnal/defaults/main.yml +++ b/roles/custom/matrix-sygnal/defaults/main.yml 
@@ -1,28 +1,77 @@ --- + # Sygnal is a reference Push Gateway for Matrix. # To make use of it for delivering push notificatins, you'll need to develop/build your own Matrix app. # Project source code URL: https://github.com/matrix-org/sygnal -matrix_sygnal_enabled: false +matrix_sygnal_enabled: true + +# The hostname at which Sygnal is served. +matrix_sygnal_hostname: '' + +# The path at which Sygnal is exposed. +# This value must either be `/` or not end with a slash (e.g. `/sygnal`). +matrix_sygnal_path_prefix: / + +matrix_sygnal_version: v0.12.0 matrix_sygnal_base_path: "{{ matrix_base_data_path }}/sygnal" matrix_sygnal_config_path: "{{ matrix_sygnal_base_path }}/config" matrix_sygnal_data_path: "{{ matrix_sygnal_base_path }}/data" -matrix_sygnal_version: v0.12.0 -matrix_sygnal_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/sygnal:{{ matrix_sygnal_version }}" -matrix_sygnal_docker_image_force_pull: "{{ matrix_sygnal_docker_image.endswith(':latest') }}" - # List of systemd services that matrix-sygnal.service depends on. matrix_sygnal_systemd_required_services_list: ['docker.service'] # List of systemd services that matrix-sygnal.service wants matrix_sygnal_systemd_wanted_services_list: [] +matrix_sygnal_docker_image: "{{ matrix_sygnal_docker_image_registry_prefix }}matrixdotorg/sygnal:{{ matrix_sygnal_docker_image_tag }}" +matrix_sygnal_docker_image_tag: "{{ matrix_sygnal_version }}" +matrix_sygnal_docker_image_registry_prefix: "{{ matrix_container_global_registry_prefix }}" +matrix_sygnal_docker_image_force_pull: "{{ matrix_sygnal_docker_image.endswith(':latest') }}" + +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_sygnal_container_network: "{{ matrix_sygnal_identifier }}" + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. 
+# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_sygnal_container_additional_networks: [] + # Controls whether the matrix-sygnal container exposes its HTTP port (tcp/6000 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:6000"), or empty string to not expose. matrix_sygnal_container_http_host_bind_port: '' +# matrix_sygnal_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_sygnal_container_labels_additional_labels`. +matrix_sygnal_container_labels_traefik_enabled: true +matrix_sygnal_container_labels_traefik_docker_network: "{{ matrix_sygnal_container_network }}" +matrix_sygnal_container_labels_traefik_hostname: "{{ matrix_sygnal_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/sygnal`). +matrix_sygnal_container_labels_traefik_path_prefix: "{{ matrix_sygnal_path_prefix }}" +matrix_sygnal_container_labels_traefik_rule: "Host(`{{ matrix_sygnal_container_labels_traefik_hostname }}`){% if matrix_sygnal_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_sygnal_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_sygnal_container_labels_traefik_priority: 0 +matrix_sygnal_container_labels_traefik_entrypoints: web-secure +matrix_sygnal_container_labels_traefik_tls: "{{ matrix_sygnal_container_labels_traefik_entrypoints != 'web' }}" +matrix_sygnal_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. 
+# To add your own headers, use `matrix_sygnal_container_labels_traefik_additional_response_headers_custom` +matrix_sygnal_container_labels_traefik_additional_response_headers: "{{ matrix_sygnal_container_labels_traefik_additional_response_headers_auto | combine(matrix_sygnal_container_labels_traefik_additional_response_headers_custom) }}" +matrix_sygnal_container_labels_traefik_additional_response_headers_auto: {} +matrix_sygnal_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_sygnal_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_sygnal_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_sygnal_container_labels_additional_labels: '' + # A list of extra arguments to pass to the container matrix_sygnal_container_extra_arguments: [] diff --git a/roles/custom/matrix-sygnal/tasks/setup_install.yml b/roles/custom/matrix-sygnal/tasks/install.yml similarity index 78% rename from roles/custom/matrix-sygnal/tasks/setup_install.yml rename to roles/custom/matrix-sygnal/tasks/install.yml index 7c9caf38..7ee75a94 100644 --- a/roles/custom/matrix-sygnal/tasks/setup_install.yml +++ b/roles/custom/matrix-sygnal/tasks/install.yml 
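Review bot: `matrix_sygnal_enabled` flips from `false` to `true` at the top of this hunk and neither the commit subject nor the diff context explains it; group_vars/matrix_servers still carries `matrix_sygnal_enabled: false` (visible in the `@@ -2931` hunk header above), so the playbook is unaffected, but a standalone user of the role now gets the push gateway, its container network and, with `matrix_sygnal_container_labels_traefik_enabled: true`, a Traefik router by default. If this is deliberate alignment with `matrix_bot_buscarron_enabled: true`, say so in the commit message; otherwise keep `matrix_sygnal_enabled: false`. Separately, `matrix_sygnal_container_network: "{{ matrix_sygnal_identifier }}"` references a variable not defined in this hunk — if it is not defined elsewhere in the role, the default is an undefined-variable error, whereas Buscarron uses the literal network name `matrix-bot-buscarron`. This hunk starts two lines above.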
@@ -1,16 +1,5 @@
 ---
-- name: Ensure Sygnal image is pulled
- community.docker.docker_image:
- name: "{{ matrix_sygnal_docker_image }}"
- source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
- force_source: "{{ matrix_sygnal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
- force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_sygnal_docker_image_force_pull }}"
- register: result
- retries: "{{ devture_playbook_help_container_retries_count }}"
- delay: "{{ devture_playbook_help_container_retries_delay }}"
- until: result is not failed
-
 - name: Ensure Sygnal paths exists
 ansible.builtin.file:
 path: "{{ item }}"
@@ -31,6 +20,30 @@
 owner: "{{ matrix_user_username }}"
 group: "{{ matrix_user_groupname }}"
+- name: Ensure Sygnal labels installed
+ ansible.builtin.template:
+ src: "{{ role_path }}/templates/labels.j2"
+ dest: "{{ matrix_sygnal_base_path }}/labels"
+ mode: 0640
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_groupname }}"
+
+- name: Ensure Sygnal image is pulled
+ community.docker.docker_image:
+ name: "{{ matrix_sygnal_docker_image }}"
+ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+ force_source: "{{ matrix_sygnal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+ force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_sygnal_docker_image_force_pull }}"
+ register: result
+ retries: "{{ devture_playbook_help_container_retries_count }}"
+ delay: "{{ devture_playbook_help_container_retries_delay }}"
+ until: result is not failed
+
+- name: Ensure Sygnal container network is created
+ community.general.docker_network:
+ name: "{{ matrix_sygnal_container_network }}"
+ driver: bridge
+
 - name: Ensure matrix-sygnal.service installed
 ansible.builtin.template:
 src: "{{ role_path }}/templates/systemd/matrix-sygnal.service.j2"
diff --git a/roles/custom/matrix-sygnal/tasks/main.yml b/roles/custom/matrix-sygnal/tasks/main.yml
index ed801526..ba4cb876 100644
--- a/roles/custom/matrix-sygnal/tasks/main.yml
+++ b/roles/custom/matrix-sygnal/tasks/main.yml
@@ -5,7 +5,7 @@
 ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
 - when: matrix_sygnal_enabled | bool
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml"
 tags:
 - setup-all
 - setup-sygnal
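Review bot: The `Ensure Sygnal container network is created` task uses `community.general.docker_network`, while the `Ensure Sygnal image is pulled` task a few lines above it in the same hunk uses `community.docker.docker_image`. The Docker modules live in the `community.docker` collection and the `community.general` names are compatibility redirects, so `community.docker.docker_network:` keeps the role on a single collection dependency and avoids a possible deprecation warning on newer Ansible releases. The systemd template in this patch attaches the container to `matrix_sygnal_container_network`, so the network task does need to run before the service is (re)started, which the ordering in this hunk already provides.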
@@ -14,7 +14,7 @@
 - block:
 - when: not matrix_sygnal_enabled | bool
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml"
 tags:
 - setup-all
 - setup-sygnal
diff --git a/roles/custom/matrix-sygnal/tasks/setup_uninstall.yml b/roles/custom/matrix-sygnal/tasks/uninstall.yml
similarity index 100%
rename from roles/custom/matrix-sygnal/tasks/setup_uninstall.yml
rename to roles/custom/matrix-sygnal/tasks/uninstall.yml
diff --git a/roles/custom/matrix-sygnal/tasks/validate_config.yml b/roles/custom/matrix-sygnal/tasks/validate_config.yml
index 277bd1b2..1cdf2038 100644
--- a/roles/custom/matrix-sygnal/tasks/validate_config.yml
+++ b/roles/custom/matrix-sygnal/tasks/validate_config.yml
@@ -1,7 +1,37 @@
 ---
+- name: Fail if required Sygnal settings not defined
+ ansible.builtin.fail:
+ msg: >
+ You need to define a required configuration setting (`{{ item }}`).
+ when: "vars[item] == ''"
+ with_items:
+ - matrix_sygnal_hostname
+ - matrix_sygnal_path_prefix
+ - matrix_sygnal_container_network
+
+- when: matrix_sygnal_container_labels_traefik_enabled | bool
+ block:
+ - name: Fail if required Sygnal Traefik settings not defined
+ ansible.builtin.fail:
+ msg: >-
+ You need to define a required configuration setting (`{{ item }}`).
+ when: "vars[item] == ''"
+ with_items:
+ - matrix_sygnal_container_labels_traefik_hostname
+ - matrix_sygnal_container_labels_traefik_path_prefix
+
+ # We ensure it doesn't end with a slash, because we handle both (slash and no-slash).
+ # Knowing that `matrix_sygnal_container_labels_traefik_path_prefix` does not end with a slash
+ # ensures we know how to set these routes up without having to do "does it end with a slash" checks elsewhere.
+ - name: Fail if matrix_sygnal_container_labels_traefik_path_prefix ends with a slash
+ ansible.builtin.fail:
+ msg: >-
+ matrix_sygnal_container_labels_traefik_path_prefix (`{{ matrix_sygnal_container_labels_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/sygnal`).
+ when: "matrix_sygnal_container_labels_traefik_path_prefix != '/' and matrix_sygnal_container_labels_traefik_path_prefix[-1] == '/'"
+
 - name: Fail if no Sygnal apps defined
 ansible.builtin.fail:
 msg: >-
 Enabling Sygnal requires that you specify at least one app in `matrix_sygnal_apps`
- when: "matrix_sygnal_enabled and matrix_sygnal_apps | length == 0"
+ when: "matrix_sygnal_apps | length == 0"
diff --git a/roles/custom/matrix-sygnal/templates/labels.j2 b/roles/custom/matrix-sygnal/templates/labels.j2
new file mode 100644
index 00000000..96480589
--- /dev/null
+++ b/roles/custom/matrix-sygnal/templates/labels.j2
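Review bot: The first `Fail if required Sygnal settings not defined` task writes its message with `msg: >`, while the two tasks inside the Traefik block use `msg: >-`; plain `>` keeps a trailing newline in the rendered message, so `msg: >-` would make the three failure messages consistent. The trailing-slash check relies on `matrix_sygnal_container_labels_traefik_path_prefix[-1]`, which is safe only because the empty-string check runs first inside the same block; a short comment saying so, e.g. `# the empty-value check above guarantees a non-empty string here`, would keep someone from reordering the tasks later. Dropping `matrix_sygnal_enabled and` from the last `when:` is consistent with `tasks/main.yml` in this patch, which includes this file only when `matrix_sygnal_enabled` is true.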
@@ -0,0 +1,45 @@
+{% if matrix_sygnal_container_labels_traefik_enabled %}
+traefik.enable=true
+
+{% if matrix_sygnal_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_sygnal_container_labels_traefik_docker_network }}
+{% endif %}
+
+{% set middlewares = [] %}
+
+{% if matrix_sygnal_container_labels_traefik_path_prefix != '/' %}
+traefik.http.middlewares.matrix-sygnal-slashless-redirect.redirectregex.regex=({{ matrix_sygnal_container_labels_traefik_path_prefix | quote }})$
+traefik.http.middlewares.matrix-sygnal-slashless-redirect.redirectregex.replacement=${1}/
+{% set middlewares = middlewares + ['matrix-sygnal-slashless-redirect'] %}
+{% endif %}
+
+{% if matrix_sygnal_container_labels_traefik_path_prefix != '/' %}
+traefik.http.middlewares.matrix-sygnal-strip-prefix.stripprefix.prefixes={{ matrix_sygnal_container_labels_traefik_path_prefix }}
+{% set middlewares = middlewares + ['matrix-sygnal-strip-prefix'] %}
+{% endif %}
+
+{% if matrix_sygnal_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
+{% for name, value in matrix_sygnal_container_labels_traefik_additional_response_headers.items() %}
+traefik.http.middlewares.matrix-sygnal-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
+{% endfor %}
+{% set middlewares = middlewares + ['matrix-sygnal-add-headers'] %}
+{% endif %}
+
+traefik.http.routers.matrix-sygnal.rule={{ matrix_sygnal_container_labels_traefik_rule }}
+{% if matrix_sygnal_container_labels_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-sygnal.priority={{ matrix_sygnal_container_labels_traefik_priority }}
+{% endif %}
+traefik.http.routers.matrix-sygnal.service=matrix-sygnal
+{% if middlewares | length > 0 %}
+traefik.http.routers.matrix-sygnal.middlewares={{ middlewares | join(',') }}
+{% endif %}
+traefik.http.routers.matrix-sygnal.entrypoints={{ matrix_sygnal_container_labels_traefik_entrypoints }}
+traefik.http.routers.matrix-sygnal.tls={{ 
matrix_sygnal_container_labels_traefik_tls | to_json }} +{% if matrix_sygnal_container_labels_traefik_tls %} +traefik.http.routers.matrix-sygnal.tls.certResolver={{ matrix_sygnal_container_labels_traefik_tls_certResolver }} +{% endif %} + +traefik.http.services.matrix-sygnal.loadbalancer.server.port=6000 +{% endif %} + +{{ matrix_sygnal_container_labels_additional_labels }} diff --git a/roles/custom/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 b/roles/custom/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 index 646314df..49b513cd 100644 --- a/roles/custom/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 +++ b/roles/custom/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 @@ -16,15 +16,18 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-sygnal 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-sygnal 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-sygnal \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-sygnal \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --env=SYGNAL_CONF=/config/sygnal.yaml \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_sygnal_container_network }} \ {% if matrix_sygnal_container_http_host_bind_port %} -p {{ matrix_sygnal_container_http_host_bind_port }}:6000 \ {% endif %} + --label-file={{ matrix_sygnal_base_path }}/labels \ --mount type=bind,src={{ matrix_sygnal_config_path }},dst=/config \ --mount type=bind,src={{ matrix_sygnal_data_path }},dst=/data \ {% for arg in matrix_sygnal_container_extra_arguments %} 
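Review bot: In the `matrix-sygnal-slashless-redirect` middleware the path prefix is inserted into `redirectregex.regex` through the `quote` filter, which performs shell quoting rather than regex escaping, so a prefix containing a regex metacharacter (a `.`, for example) would match more URLs than the literal prefix; `regex_escape` is the filter that yields a literal match: `traefik.http.middlewares.matrix-sygnal-slashless-redirect.redirectregex.regex=({{ matrix_sygnal_container_labels_traefik_path_prefix | regex_escape }})$`. For a plain `/sygnal`-style prefix as validated in `validate_config.yml` both filters render the same text, so this only matters for unusual prefixes. If the other roles' `labels.j2` templates follow the same `quote` pattern, they would want the same change.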
@@ -32,8 +35,15 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
 {% endfor %}
 {{ matrix_sygnal_docker_image }}
+{% for network in matrix_sygnal_container_additional_networks %}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-sygnal
+{% endfor %}
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-sygnal
+
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-sygnal 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-sygnal 2>/dev/null || true'
+
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-sygnal
From e625e9aa5bd6c8685b77ea6de36c300e4a45e44d Mon Sep 17 00:00:00 2001
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Sun, 26 Feb 2023 10:41:40 +0000
Subject: [PATCH 44/47] fix postgres version detection in the borg role
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 4ebe8a06..56fa7701 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -37,7 +37,7 @@
 version: v0.11.1-2
 - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git
- version: v1.2.3-1.7.7-0
+ version: v1.2.3-1.7.7-1
 - src: git+https://gitlab.com/etke.cc/roles/grafana.git
 version: v9.3.6-2
From 67e97cd2dc46a73acc6c89c5c93c77e17aae932a Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sun, 26 Feb 2023 15:54:30 +0200
Subject: [PATCH 45/47] Redo etke.cc section in the README
---
 README.md | 14 +++++++++----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index d284909f..f57db148 100644
--- a/README.md
+++ b/README.md
@@ -13,6 +13,15 @@ We run all services in [Docker](https://www.docker.com/) containers (see [the co [Installation](docs/README.md) (upgrades) and some maintenance tasks are automated using [Ansible](https://www.ansible.com/) (see [our Ansible guide](docs/ansible.md)). +## Self-hosting or SaaS + +This Ansible playbook tries to make self-hosting and maintaining a Matrix server fairly easy. Still, running any service smoothly requires knowledge, time and effort. + +If you like the [FOSS](https://en.wikipedia.org/wiki/Free_and_open-source_software) spirit of this Ansible playbook, but prefer to put the responsibility on someone else, you can also [get a managed Matrix server from etke.cc](https://etke.cc/) - a service built on top of this Ansible playbook, which can help you run a Matrix server with ease. + +If you like learning and experimentation, but would rather reduce future maintenance effort, you can even go for a hybrid approach - self-hosting manually using this Ansible playbook at first and then transferring server maintenance to etke.cc at a later time. + + ## Supported services Using this playbook, you can get the following list of services configured on your server. Basically, this playbook aims to get you up-and-running with all the necessities around Matrix, without you having to do anything else. 
@@ -178,8 +187,3 @@ When updating the playbook, refer to [the changelog](CHANGELOG.md) to catch up w - IRC channel: `#matrix-docker-ansible-deploy` on the [Libera Chat](https://libera.chat/) IRC network (irc.libera.chat:6697) - GitHub issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues) - - -## Services by the community - -- [etke.cc](https://etke.cc) - matrix-docker-ansible-deploy and system stuff "as a service". That service will create your matrix homeserver on your domain and server (doesn't matter if it's cloud provider or on an old laptop in the corner of your room), (optional) maintains it (server's system updates, cleanup, security adjustments, tuning, etc.; matrix homeserver updates & maintenance) and (optional) provide full-featured email service for your domain From 71ae825f6aa70a61fb457a213f3bc69787c1d221 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 26 Feb 2023 16:14:05 +0200 Subject: [PATCH 46/47] Switch default reverse-proxy to Traefik, force reverse-proxy choice on existing users --- CHANGELOG.md | 62 +++++++++ README.md | 5 +- docs/configuring-playbook-nginx.md | 3 +- docs/configuring-playbook-own-webserver.md | 54 ++++---- docs/configuring-playbook-ssl-certificates.md | 118 +++--------------- docs/configuring-playbook-traefik.md | 48 +++++++ docs/configuring-playbook.md | 6 +- examples/vars.yml | 7 +- roles/custom/matrix-base/defaults/main.yml | 2 +- .../matrix-base/tasks/validate_config.yml | 8 ++ 10 files changed, 182 insertions(+), 131 deletions(-) create mode 100644 docs/configuring-playbook-traefik.md diff --git a/CHANGELOG.md b/CHANGELOG.md index a49de417..5cf821f3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,65 @@ +# 2023-02-26 + +## Traefik is the default reverse-proxy now + +**TLDR**: new installations will now default to Traefik as their reverse-proxy. Existing users need to explicitly choose their reverse-proxy type. [Switching to Traefik](#how-do-i-switch-my-existing-setup-to-traefik) is strongly encouraged. `matrix-nginx-proxy` may break over time and will ultimately be removed. + +As mentioned 2 weeks ago in [(Backward Compatibility) Reverse-proxy configuration changes and initial Traefik support](#backward-compatibility-reverse-proxy-configuration-changes-and-initial-traefik-support), the playbook is moving to Traefik as its default SSL-terminating reverse-proxy. + +Until now, we've been doing the migration gradually and keeping full backward compatibility. New installations were defaulting to `matrix-nginx-proxy` (just like before), while existing installations were allowed to remain on `matrix-nginx-proxy` as well. This makes things very difficult for us, because we need to maintain and think about lots of different setups: + +- Traefik managed by the playbook +- Traefik managed by the user in another way +- another reverse-proxy on the same host (`127.0.0.1` port exposure) +- another reverse-proxy on another host (`0.0.0.0` port exposure) +- `matrix-nginx-proxy` - an `nginx` container managed by the playbook +- `nginx` webserver operated by the user, running without a container on the same server + +Each change we do and each new feature that comes in needs to support all these different ways of reverse-proxying. Because `matrix-nginx-proxy` was the default and pretty much everyone was (and still is) using it, means that new PRs also come with `matrix-nginx-proxy` as their main focus and Traefik as an afterthought, which means we need to spend hours fixing up Traefik support. + +We can't spend all this time maintaining so many different configurations anymore. 
Traefik support has been an option for 2 weeks and lots of people have already migrated their server and have tested things out. Traefik is what we use and preferentially test for. + +It's time for the **next step in our migration process** to Traefik and elimination of `matrix-nginx-proxy`: + +- Traefik is now the default reverse-proxy for new installations +- All existing users need to explicitly choose their reverse-proxy type by defining the `matrix_playbook_reverse_proxy_type` variable in their `vars.yml` configuration file. We strongly encourage existing users to [switch the Traefik](#how-to-switch-an-existing-setup-to-traefik), as the nginx setup is bound to become more and more broken over time until it's ultimately removed + +### How do I switch my existing setup to Traefik? + +**For users who are on `matrix-nginx-proxy`** (the default reverse-proxy provided by the playbook), switching to Traefik can happen with a simple configuration change. Follow this section from 2 weeks ago: [How do I explicitly switch to Traefik right now?](#how-do-i-explicitly-switch-to-traefik-right-now). + +If you experience trouble: + +1. Follow [How do I remain on matrix-nginx-proxy?](#how-do-i-remain-on-matrix-nginx-proxy) to bring your server back online using the old reverse-proxy +2. Ask for help in our [support channels](README.md#support) +3. Try switching to Traefik again later + +**For users with a more special reverse-proxying setup** (another nginx server, Apache, Caddy, etc.), the migration may not be so smooth. Follow the [Using your own webserver](docs/configuring-playbook-own-webserver.md) guide. Ideally, your custom reverse-proxy will be configured in such a way that it **fronts the Traefik reverse-proxy** provided by the playbook. Other means of reverse-proxying are more fragile and may be deprecated in the future. + +### I already use my own Traefik server. How do I plug that in? 
+ +See the [Traefik managed by the playbook](docs/configuring-playbook-own-webserver.md#traefik-managed-by-the-playbook) section. + +### Why is matrix-nginx-proxy used even after switching to Traefik? + +This playbook manages many different services. All these services were initially integrated with `matrix-nginx-proxy`. + +While we migrate all these components to have native Traefik support, some still go through nginx internally (Traefik -> local `matrix-nginx-proxy` -> component). +As time goes on, internal reliance on `matrix-nginx-proxy` will gradually decrease until it's completely removed. + +### How do I remain on matrix-nginx-proxy? + +Most new work and testing targets Traefik, so remaining on nginx is **not** "the good old stable" option, but rather the "still available, but largely untested and likely to be broken very soon" option. + +To proceed regardless of this warning, add `matrix_playbook_reverse_proxy_type: playbook-managed-nginx` to your configuration. + +At some point in the **near** future (days, or even weeks at most), we hope to completely get rid of `matrix-nginx-proxy` (or break it enough to make it unusable), so you **will soon be forced to migrate** anyway. Plan your migration accordingly. + +### How do I keep using my own other reverse-proxy? + +We recommend that you follow the guide for [Fronting the integraed reverse-proxy webserver with another reverse-proxy](docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy). + + # 2023-02-25 ## Rageshake support diff --git a/README.md b/README.md index f57db148..dd446725 100644 --- a/README.md +++ b/README.md 
@@ -61,8 +61,9 @@ Services that run on the server to make the various parts of your installation w | ---- | -------- | ----------- | ------------- | | [PostgreSQL](https://www.postgresql.org/)| ✓ | Database for Synapse. [Using an external PostgreSQL server](docs/configuring-playbook-external-postgres.md) is also possible. | [Link](docs/configuring-playbook-external-postgres.md) | | [Coturn](https://github.com/coturn/coturn) | ✓ | STUN/TURN server for WebRTC audio/video calls | [Link](docs/configuring-playbook-turn.md) | -| [nginx](http://nginx.org/) | ✓ | Web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](docs/configuring-playbook-own-webserver.md) | [Link](docs/configuring-playbook-nginx.md) | -| [Let's Encrypt](https://letsencrypt.org/) | ✓ | Free SSL certificate, which secures the connection to the Synapse server and the Element web UI | [Link](docs/configuring-playbook-ssl-certificates.md) | +| [Traefik](https://doc.traefik.io/traefik/) | ✓ | Web server, listening on ports 80, 443 and 8448 - standing in front of all the other services. Using your own webserver [is possible](docs/configuring-playbook-own-webserver.md) | [Link](docs/configuring-playbook-traefik.md) | +| [nginx](http://nginx.org/) | x | (Deprecated) Web server, listening on ports 80, 443 and 8448 - standing in front of all the other services. 
Deprecated in favor of Traefik | [Link](docs/configuring-playbook-nginx.md) | +| [Let's Encrypt](https://letsencrypt.org/) | ✓ | Free SSL certificate, which secures the connection to all components | [Link](docs/configuring-playbook-ssl-certificates.md) | | [ma1sd](https://github.com/ma1uta/ma1sd) | x | Matrix Identity Server | [Link](docs/configuring-playbook-ma1sd.md) | [Exim](https://www.exim.org/) | ✓ | Mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) | [Link](docs/configuring-playbook-email.md) | | [Dimension](https://github.com/turt2live/matrix-dimension) | x | An open source integrations manager for matrix clients | [Link](docs/configuring-playbook-dimension.md) | diff --git a/docs/configuring-playbook-nginx.md b/docs/configuring-playbook-nginx.md index 96f854d0..43cff4a8 100644 --- a/docs/configuring-playbook-nginx.md +++ b/docs/configuring-playbook-nginx.md @@ -1,7 +1,6 @@ # Configure Nginx (optional, advanced) -By default, this playbook installs its own nginx webserver (in a Docker container) which listens on ports 80 and 443. -If that's alright, you can skip this. +**Note**: the playbook is [in the process of moving to Traefik](../CHANGELOG.md#reverse-proxy-configuration-changes-and-initial-traefik-support). Traefik is already the default reverse-proxy for new installations and existing users are also strongly encouraged to switch to Traefik. As such, this **nginx documentation below may be incomplete or misleading**. ## Using Nginx status diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 22170f40..3b9d822d 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md 
@@ -1,4 +1,4 @@ -# Using your own webserver, instead of this playbook's nginx proxy (optional, advanced) +# Using your own webserver, instead of this playbook's Traefik reverse-proxy (optional, advanced) **Note**: the playbook is [in the process of moving to Traefik](../CHANGELOG.md#reverse-proxy-configuration-changes-and-initial-traefik-support). The **documentation below may be incomplete or misleading**. 
@@ -117,17 +117,36 @@ There are 2 ways to go about it: This method is about leaving the integrated reverse-proxy webserver be, but making it not get in the way (using up important ports, trying to retrieve SSL certificates, etc.). -If you wish to use another webserver, the integrated nginx reverse-proxy webserver usually gets in the way because it attempts to fetch SSL certificates and binds to ports 80, 443 and 8448 (if Matrix Federation is enabled). +If you wish to use another webserver, the integrated reverse-proxy webserver usually gets in the way because it attempts to fetch SSL certificates and binds to ports 80, 443 and 8448 (if Matrix Federation is enabled). You can disable such behavior and make the integrated reverse-proxy webserver only serve traffic locally (or over a local network). This is the recommended way for using another reverse-proxy, because the integrated one would act as a black box and wire all Matrix services correctly. You would only need to reverse-proxy a few individual domains and ports over to it. -**For `matrix-nginx-proxy`** fronted by another reverse-proxy, you would need some configuration like this: +**For Traefik** fronted by another reverse-proxy, you would need some configuration like this: ```yaml -# playbook-managed-proxy is the default right now, so we can keep this commented out. 
-# matrix_playbook_reverse_proxy_type: playbook-managed-nginx +matrix_playbook_reverse_proxy_type: playbook-managed-traefik + +# Ensure that public urls use https +matrix_playbook_ssl_enabled: true + +# Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval +devture_traefik_config_entrypoint_web_secure_enabled: false + +devture_traefik_container_web_host_bind_port: '127.0.0.1:81' + +devture_traefik_additional_entrypoints_auto: + - name: matrix-federation + port: "{{ matrix_federation_public_port }}" + host_bind_port: "127.0.0.1:{{ matrix_federation_public_port }}" + config: {} +``` + +(Deprecated) **For `matrix-nginx-proxy`** fronted by another reverse-proxy, you would need some configuration like this: + +```yaml +matrix_playbook_reverse_proxy_type: playbook-managed-nginx # Ensure that public urls use https matrix_playbook_ssl_enabled: true 
@@ -150,28 +169,9 @@ matrix_nginx_proxy_container_http_host_bind_port: '127.0.0.1:81' matrix_nginx_proxy_container_federation_host_bind_port: '127.0.0.1:8449' ``` -**For Traefik** fronted by another reverse-proxy, you would need some configuration like this: - -```yaml -matrix_playbook_reverse_proxy_type: playbook-managed-traefik - -# Ensure that public urls use https -matrix_playbook_ssl_enabled: true - -# Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval -devture_traefik_config_entrypoint_web_secure_enabled: false - -devture_traefik_container_web_host_bind_port: '127.0.0.1:81' - -devture_traefik_additional_entrypoints_auto: - - name: matrix-federation - port: "{{ matrix_federation_public_port }}" - host_bind_port: "127.0.0.1:{{ matrix_federation_public_port }}" - config: {} -``` - If you'll be fronting with a reverse-proxy that lives on another machine (not on the same one as Matrix), you need to replace `127.0.0.1` in the above configurations with `0.0.0.0` or another network interface. + ### Using no reverse-proxy on the Matrix side at all Instead of [Fronting the integrated reverse-proxy webserver with another reverse-proxy](#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy), you can also go another way -- completely disabling the playbook-managed reverse-proxy. You would then need to reverse-proxy from your own webserver directly to Matrix services. 
@@ -182,6 +182,8 @@ If your webserver is on the same machine, sure your web server user (something l #### Using your own nginx reverse-proxy running on the same machine +**WARNING**: this type of setup is not maintained and will be removed in the future. We recommend that you go for [Fronting the integrated reverse-proxy webserver with another reverse-proxy](#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instead. + If you'll be using `nginx` running on the same machine (not in a container), you can make the playbook help you generate configuration for `nginx` with this configuration: ```yaml @@ -202,6 +204,8 @@ You can most likely directly use the config files installed by this playbook at: #### Using your own reverse-proxy running on the same machine or elsewhere +**WARNING**: this is difficult to set up, likely not very well supported and will be removed in the future. We recommend that you go for [Fronting the integrated reverse-proxy webserver with another reverse-proxy](#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instead. + To reverse-proxy manually for each service, use configuration like this: ```yaml diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md index 606160da..60d5b135 100644 --- a/docs/configuring-playbook-ssl-certificates.md +++ b/docs/configuring-playbook-ssl-certificates.md 
@@ -1,112 +1,34 @@ # Adjusting SSL certificate retrieval (optional, advanced) -By default, this playbook retrieves and auto-renews free SSL certificates from [Let's Encrypt](https://letsencrypt.org/) for the domains it needs (`matrix.` and possibly `element.`) +By default, this playbook retrieves and auto-renews free SSL certificates from [Let's Encrypt](https://letsencrypt.org/) for the domains it needs (e.g. `matrix.` and others) -Those certificates are used when configuring the nginx reverse proxy installed by this playbook. -They can also be used for configuring [your own webserver](configuring-playbook-own-webserver.md), in case you're not using the integrated nginx server provided by the playbook. +This guide is about using the integrated Traefik server and doesn't apply if you're using [your own webserver](configuring-playbook-own-webserver.md). -If you need to retrieve certificates for other domains (e.g. your base domain) or more control over certificate retrieval, read below. -Things discussed in this document: +## Using staging Let's Encrypt certificates instead of real ones -- [Using self-signed SSL certificates](#using-self-signed-ssl-certificates), if you can't use Let's Encrypt or just need a test setup +For testing purposes, you may wish to use staging certificates provide by Let's Encrypt. 
-- [Using your own SSL certificates](#using-your-own-ssl-certificates), if you don't want to or can't use Let's Encrypt certificates, but are still interested in using the integrated nginx reverse proxy server +You can do this with the following configuration: -- [Not bothering with SSL certificates](#not-bothering-with-ssl-certificates), if you're using [your own webserver](configuring-playbook-own-webserver.md) and would rather this playbook leaves SSL certificate management to you +```yaml +devture_traefik_config_certificatesResolvers_acme_use_staging: true +``` -- [Obtaining SSL certificates for additional domains](#obtaining-ssl-certificates-for-additional-domains), if you'd like to host additional domains on the Matrix server and would like the playbook to help you obtain and renew certificates for those domains automatically + +## Disabling SSL termination + +For testing or other purposes, you may wish to install services without SSL termination and have services exposed to `http://` instead of `https://`. + +You can do this with the following configuration: + +```yaml +devture_traefik_config_entrypoint_web_secure_enabled: false +``` ## Using self-signed SSL certificates -For private deployments (not publicly accessible from the internet), you may not be able to use Let's Encrypt certificates. +Using self-signed certificates with Traefik is a somewhat involved processes, where you need to manually mount the files into the container and adjust the "static" configuration to refer to them. -If self-signed certificates are alright with you, you can ask the playbook to generate such for you with the following configuration: - -```yaml -matrix_ssl_retrieval_method: self-signed -``` - -If you get a `Cannot reach homeserver` error in Element, you will have to visit `https://matrix.` in your browser and agree to the certificate exception before you can login. 
- - -## Using your own SSL certificates - -If you'd like to manage SSL certificates by yourself and have the playbook use your certificate files, you can use the following configuration: - -```yaml -matrix_ssl_retrieval_method: manually-managed -``` - -With such a configuration, the playbook would expect you to drop the SSL certificate files in the directory specified by `matrix_ssl_config_dir_path` (`/matrix/ssl/config` by default) obeying the following hierarchy: - -- `/live//fullchain.pem` -- `/live//privkey.pem` -- `/live//chain.pem` - -where `` refers to the domains that you need (usually `matrix.` and `element.`). - - -## Not bothering with SSL certificates - -If you're [using an external web server](configuring-playbook-own-webserver.md) which is not nginx, or you would otherwise want to manage its certificates without this playbook getting in the way, you can completely disable SSL certificate management with the following configuration: - -```yaml -matrix_ssl_retrieval_method: none -``` - -With such a configuration, no certificates will be retrieved at all. You're free to manage them however you want. - - -## Obtaining SSL certificates for additional domains - -The playbook tries to be smart about the certificates it will obtain for you. - -By default, it obtains certificates for: -- `matrix.` (`matrix_server_fqn_matrix`) -- possibly for `element.`, unless you have disabled the [Element client component](configuring-playbook-client-element.md) using `matrix_client_element_enabled: false` -- possibly for `riot.`, if you have explicitly enabled Riot to Element redirection (for background compatibility) using `matrix_nginx_proxy_proxy_riot_compat_redirect_enabled: true` -- possibly for `hydrogen.`, if you have explicitly [set up Hydrogen client](configuring-playbook-client-hydrogen.md). -- possibly for `cinny.`, if you have explicitly [set up Cinny client](configuring-playbook-client-cinny.md). 
-- possibly for `dimension.`, if you have explicitly [set up Dimension](configuring-playbook-dimension.md). -- possibly for `goneb.`, if you have explicitly [set up Go-NEB bot](configuring-playbook-bot-go-neb.md). -- possibly for `jitsi.`, if you have explicitly [set up Jitsi](configuring-playbook-jitsi.md). -- possibly for `stats.`, if you have explicitly [set up Grafana](configuring-playbook-prometheus-grafana.md). -- possibly for `sygnal.`, if you have explicitly [set up Sygnal](configuring-playbook-sygnal.md). -- possibly for `ntfy.`, if you have explicitly [set up ntfy](configuring-playbook-ntfy.md). -- possibly for your base domain (``), if you have explicitly configured [Serving the base domain](configuring-playbook-base-domain-serving.md) - -If you are hosting other domains on the Matrix machine, you can make the playbook obtain and renew certificates for those other domains too. -To do that, simply define your own custom configuration like this: - -```yaml -# In this example, we retrieve 2 extra certificates, -# one for the base domain (in the `matrix_domain` variable) and one for a hardcoded domain. -# Adding any other additional domains (hosted on the same machine) is possible. -matrix_ssl_additional_domains_to_obtain_certificates_for: - - '{{ matrix_domain }}' - - 'another.domain.example.com' -``` - -After redefining `matrix_ssl_domains_to_obtain_certificates_for`, to actually obtain certificates you should: - -- make sure the web server occupying port 80 is stopped. If you are using matrix-nginx-proxy server (which is the default for this playbook), you need to stop it temporarily by running `systemctl stop matrix-nginx-proxy` on the server. - -- re-run the SSL part of the playbook and restart all services: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-ssl,start` - -The certificate files would be made available in `/matrix/ssl/config/live//...`. 
- -For automated certificate renewal to work, each port `80` vhost for each domain you are obtaining certificates for needs to forward requests for `/.well-known/acme-challenge` to the certbot container we use for renewal. - -See how this is configured for the `matrix.` subdomain in `/matrix/nginx-proxy/conf.d/matrix-domain.conf` -Don't be alarmed if the above configuration file says port `8080`, instead of port `80`. It's due to port mapping due to our use of containers. - - -## Specify the SSL private key algorithm - -If you'd like to [specify the private key type](https://eff-certbot.readthedocs.io/en/stable/using.html#using-ecdsa-keys) used with Let's Encrypt, define your own custom configuration like this: - -```yaml -matrix_ssl_lets_encrypt_key_type: ecdsa -``` +Feel free to research this approach on your own and improve this guide! diff --git a/docs/configuring-playbook-traefik.md b/docs/configuring-playbook-traefik.md new file mode 100644 index 00000000..4f6a7335 --- /dev/null +++ b/docs/configuring-playbook-traefik.md 
@@ -0,0 +1,48 @@
+# Configure Traefik (optional, advanced)
+
+By default, this playbook installs and manages a [Traefik](https://doc.traefik.io/traefik/) reverse-proxy server, powered by the [com.devture.ansible.role.traefik](https://github.com/devture/com.devture.ansible.role.traefik) Ansible role.
+
+This Ansible role support various configuration options. Feel free to consult its `default/main.yml` variables file.
+
+
+## Adjusting SSL certificate retrieval
+
+See the dedicated [Adjusting SSL certificate retrieval](configuring-playbook-ssl-certificates.md) documentation page.
+
+## Increase logging verbosity
+
+```yaml
+devture_traefik_config_log_level: DEBUG
+```
+
+## Disable access logs
+
+This will disable access logging.
+
+```yaml
+devture_traefik_config_accessLog_enabled: false
+```
+
+## Enable Traefik Dashboard
+
+This will enable a Traefik [Dashboard](https://doc.traefik.io/traefik/operations/dashboard/) UI at `https://matrix.DOMAIN/dashboard/` (note the trailing `/`).
+
+```yaml
+devture_traefik_dashboard_enabled: true
+devture_traefik_dashboard_hostname: "{{ matrix_server_fqn_matrix }}"
+devture_traefik_dashboard_basicauth_enabled: true
+devture_traefik_dashboard_basicauth_user: YOUR_USERNAME_HERE
+devture_traefik_dashboard_basicauth_password: YOUR_PASSWORD_HERE
+```
+
+## Additional configuration
+
+Use the `devture_traefik_configuration_extension_yaml` variable provided by the Traefik Ansible role to override or inject additional settings, even when no dedicated variable exists.
+
+```yaml
+# This is a contrived example.
+# You can enable and secure the Dashboard using dedicated variables. See above.
+devture_traefik_configuration_extension_yaml: |
+  api:
+    dashboard: true
+```
diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md
index c94977a2..b4bae786 100644
--- a/docs/configuring-playbook.md
+++ b/docs/configuring-playbook.md
@@ -59,9 +59,11 @@ When you're done with all the configuration you'd like to do, continue with [Ins
 
 - [Serving your base domain using this playbook's nginx server](configuring-playbook-base-domain-serving.md) (optional)
 
-- [Configure Nginx](configuring-playbook-nginx.md) (optional, advanced)
+- [Configure the Traefik reverse-proxy](configuring-playbook-traefik.md) (optional, advanced)
 
-- [Using your own webserver, instead of this playbook's nginx proxy](configuring-playbook-own-webserver.md) (optional, advanced)
+- (Deprecated) [Configure the Nginx reverse-proxy](configuring-playbook-nginx.md) (optional, advanced)
+
+- [Using your own webserver, instead of this playbook's default reverse-proxy](configuring-playbook-own-webserver.md) (optional, advanced)
 
 - [Adjusting TURN server configuration](configuring-playbook-turn.md) (optional, advanced)
 
diff --git a/examples/vars.yml b/examples/vars.yml
index 732d7eed..784bf061 100644
--- a/examples/vars.yml
+++ b/examples/vars.yml
@@ -21,6 +21,11 @@ matrix_homeserver_implementation: synapse
 # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
 matrix_homeserver_generic_secret_key: ''
 
+# By default, the playbook manages its own Traefik (https://doc.traefik.io/traefik/) reverse-proxy server.
+# It will retrieve SSL certificates for you on-demand and forward requests to all other components.
+# For alternatives, see `docs/configuring-playbook-own-webserver.md`.
+matrix_playbook_reverse_proxy_type: playbook-managed-traefik
+
 # This is something which is provided to Let's Encrypt when retrieving SSL certificates for domains.
 #
 # In case SSL renewal fails at some point, you'll also get an email notification there.
@@ -29,7 +34,7 @@ matrix_homeserver_generic_secret_key: '' # you won't be required to define this variable (see `docs/configuring-playbook-ssl-certificates.md`). # # Example value: someone@example.com -matrix_ssl_lets_encrypt_support_email: '' +devture_traefik_config_certificatesResolvers_acme_email: '' # A Postgres password to use for the superuser Postgres user (called `matrix` by default). # diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index 0f2e3b48..403af983 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml @@ -319,7 +319,7 @@ matrix_homeserver_app_service_config_files_auto: [] # - no nginx configuration will be dumped in /matrix/nginx/conf.d # - no port exposure will be done for any of the container services # - it's up to you to expose the ports you want, etc. -matrix_playbook_reverse_proxy_type: playbook-managed-nginx +matrix_playbook_reverse_proxy_type: '' matrix_playbook_service_host_bind_interface_prefix: "{{ '' if matrix_playbook_reverse_proxy_type not in ['other-nginx-non-container', 'other-on-same-host', 'other-on-another-host'] else ('0.0.0.0:' if matrix_playbook_reverse_proxy_type == 'other-on-another-host' else '127.0.0.1:') }}" diff --git a/roles/custom/matrix-base/tasks/validate_config.yml b/roles/custom/matrix-base/tasks/validate_config.yml index ab06ffcd..c663ab2e 100644 --- a/roles/custom/matrix-base/tasks/validate_config.yml +++ b/roles/custom/matrix-base/tasks/validate_config.yml 
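Review bot: The new empty default `matrix_playbook_reverse_proxy_type: ''` in roles/custom/matrix-base/defaults/main.yml is a sentinel that the `# - ...` comment block right above it (whose beginning lies outside this hunk and still describes only what the non-empty choices do) never explains, so a reader has to find roles/custom/matrix-base/tasks/validate_config.yml to learn that an empty value is meant to abort the run. I would add, directly above the variable, `# An empty value is intentionally invalid: the playbook refuses to run until you pick a reverse-proxy type explicitly (see tasks/validate_config.yml).` The `matrix_playbook_service_host_bind_interface_prefix` expression on the next line evaluates to `''` for this default, which is only harmless because validation fails first; the comment should mention that so the dependency stays visible.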
@@ -54,6 +54,14 @@
     msg: "Detected that variable matrix_architecture {{ matrix_architecture }} appears to be set incorrectly. See docs/alternative-architectures.md. Server appears to be {{ ansible_architecture }}."
   when: matrix_architecture not in ['amd64', 'arm32', 'arm64']
 
+- name: Fail if matrix_playbook_reverse_proxy_type is set incorrectly
+  ansible.builtin.fail:
+    msg: |
+      You have not explicitly specified the type of reverse-proxy you'd like to use (with a `matrix_playbook_reverse_proxy_type` variable in your configuration).
+      The playbook used to default to nginx (matrix-nginx-proxy), but things are changing with Traefik being the new default reverse-proxy.
+      Learn more here: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#traefik-is-the-default-reverse-proxy-now
+  when: matrix_playbook_reverse_proxy_type == ''
+
 - name: Fail if matrix_playbook_reverse_proxy_type is set incorrectly
   ansible.builtin.fail:
     msg: "Detected that variable matrix_playbook_reverse_proxy_type (current value: `{{ matrix_playbook_reverse_proxy_type }}`) appears to be set incorrectly. See roles/custom/matrix-base/defaults/main.yml for valid choices."
From 0452619820fd0bd98a6b9e20ced51b54bcf3a19a Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sun, 26 Feb 2023 16:21:50 +0200
Subject: [PATCH 47/47] Add Related plabooks

---
 README.md | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/README.md b/README.md
index dd446725..bd37d23e 100644
--- a/README.md
+++ b/README.md
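Review bot: The added task reuses the `name` of the task directly below it, `Fail if matrix_playbook_reverse_proxy_type is set incorrectly`, so play output, `--list-tasks` and `--start-at-task` cannot tell the two checks apart when one of them fires. Rename the new one after its actual condition, e.g. `- name: Fail if matrix_playbook_reverse_proxy_type is not set`. The `when: matrix_playbook_reverse_proxy_type == ''` guard matches the new `''` default introduced in roles/custom/matrix-base/defaults/main.yml, so the check itself is sound; it just needs a distinct label.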
@@ -188,3 +188,18 @@ When updating the playbook, refer to [the changelog](CHANGELOG.md) to catch up w - IRC channel: `#matrix-docker-ansible-deploy` on the [Libera Chat](https://libera.chat/) IRC network (irc.libera.chat:6697) - GitHub issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues) + + +## Related + +You may also be interested in these other Ansible playbooks: + +- [gitea-docker-ansible-deploy](https://github.com/spantaleev/gitea-docker-ansible-deploy) - for deploying a [Gitea](https://gitea.io/) git version-control server + +- [nextcloud-docker-ansible-deploy](https://github.com/spantaleev/nextcloud-docker-ansible-deploy) - for deploying a [Nextcloud](https://nextcloud.com/) server + +- [peertube-docker-ansible-deploy](https://github.com/spantaleev/peertube-docker-ansible-deploy) - for deploying a [PeerTube](https://joinpeertube.org/) video-platform server + +- [vaultwarden-docker-ansible-deploy](https://github.com/spantaleev/vaultwarden-docker-ansible-deploy) - for deploying a [Vaultwarden](https://github.com/dani-garcia/vaultwarden) password manager server (unofficial [Bitwarden](https://bitwarden.com/) compatible server) + +They're all making use of Traefik as their reverse-proxy, so it should be easy to host all these services on the same server. Follow the `docs/configuring-playbook-interoperability.md` documentation in each playbook.